Amazon Config examples using Amazon CLI - Amazon Command Line Interface
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

This documentation is for Version 1 of the Amazon CLI only. For documentation related to Version 2 of the Amazon CLI, see the Version 2 User Guide.

Amazon Config examples using Amazon CLI

The following code examples show you how to perform actions and implement common scenarios by using the Amazon Command Line Interface with Amazon Config.

Actions are code excerpts from larger programs and must be run in context. While actions show you how to call individual service functions, you can see actions in context in their related scenarios.

Each example includes a link to the complete source code, where you can find instructions on how to set up and run the code in context.

Topics

Actions

The following code example shows how to use delete-config-rule.

Amazon CLI

To delete an Amazon Config rule

The following command deletes an Amazon Config rule named MyConfigRule:

aws configservice delete-config-rule --config-rule-name MyConfigRule

The following code example shows how to use delete-delivery-channel.

Amazon CLI

To delete a delivery channel

The following command deletes the default delivery channel:

aws configservice delete-delivery-channel --delivery-channel-name default

The following code example shows how to use delete-evaluation-results.

Amazon CLI

To manually delete evaluation results

The following command deletes the current evaluation results for the Amazon managed rule s3-bucket-versioning-enabled:

aws configservice delete-evaluation-results --config-rule-name s3-bucket-versioning-enabled

The following code example shows how to use deliver-config-snapshot.

Amazon CLI

To deliver a configuration snapshot

The following command delivers a configuration snapshot to the Amazon S3 bucket that belongs to the default delivery channel:

aws configservice deliver-config-snapshot --delivery-channel-name default

Output:

{ "configSnapshotId": "d0333b00-a683-44af-921e-examplefb794" }

The following code example shows how to use describe-compliance-by-config-rule.

Amazon CLI

To get compliance information for your Amazon Config rules

The following command returns compliance information for each Amazon Config rule that is violated by one or more Amazon resources:

aws configservice describe-compliance-by-config-rule --compliance-types NON_COMPLIANT

In the output, the value for each CappedCount attribute indicates how many resources do not comply with the related rule. For example, the following output indicates that 3 resources do not comply with the rule named InstanceTypesAreT2micro.

Output:

{ "ComplianceByConfigRules": [ { "Compliance": { "ComplianceContributorCount": { "CappedCount": 3, "CapExceeded": false }, "ComplianceType": "NON_COMPLIANT" }, "ConfigRuleName": "InstanceTypesAreT2micro" }, { "Compliance": { "ComplianceContributorCount": { "CappedCount": 10, "CapExceeded": false }, "ComplianceType": "NON_COMPLIANT" }, "ConfigRuleName": "RequiredTagsForVolumes" } ] }

The following code example shows how to use describe-compliance-by-resource.

Amazon CLI

To get compliance information for your Amazon resources

The following command returns compliance information for each EC2 instance that is recorded by Amazon Config and that violates one or more rules:

aws configservice describe-compliance-by-resource --resource-type AWS::EC2::Instance --compliance-types NON_COMPLIANT

In the output, the value for each CappedCount attribute indicates how many rules the resource violates. For example, the following output indicates that instance i-1a2b3c4d violates 2 rules.

Output:

{ "ComplianceByResources": [ { "ResourceType": "AWS::EC2::Instance", "ResourceId": "i-1a2b3c4d", "Compliance": { "ComplianceContributorCount": { "CappedCount": 2, "CapExceeded": false }, "ComplianceType": "NON_COMPLIANT" } }, { "ResourceType": "AWS::EC2::Instance", "ResourceId": "i-2a2b3c4d ", "Compliance": { "ComplianceContributorCount": { "CappedCount": 3, "CapExceeded": false }, "ComplianceType": "NON_COMPLIANT" } } ] }

The following code example shows how to use describe-config-rule-evaluation-status.

Amazon CLI

To get status information for an Amazon Config rule

The following command returns the status information for an Amazon Config rule named MyConfigRule:

aws configservice describe-config-rule-evaluation-status --config-rule-names MyConfigRule

Output:

{ "ConfigRulesEvaluationStatus": [ { "ConfigRuleArn": "arn:aws:config:us-east-1:123456789012:config-rule/config-rule-abcdef", "FirstActivatedTime": 1450311703.844, "ConfigRuleId": "config-rule-abcdef", "LastSuccessfulInvocationTime": 1450314643.156, "ConfigRuleName": "MyConfigRule" } ] }

The following code example shows how to use describe-config-rules.

Amazon CLI

To get details for an Amazon Config rule

The following command returns details for an Amazon Config rule named InstanceTypesAreT2micro:

aws configservice describe-config-rules --config-rule-names InstanceTypesAreT2micro

Output:

{ "ConfigRules": [ { "ConfigRuleState": "ACTIVE", "Description": "Evaluates whether EC2 instances are the t2.micro type.", "ConfigRuleName": "InstanceTypesAreT2micro", "ConfigRuleArn": "arn:aws:config:us-east-1:123456789012:config-rule/config-rule-abcdef", "Source": { "Owner": "CUSTOM_LAMBDA", "SourceIdentifier": "arn:aws:lambda:us-east-1:123456789012:function:InstanceTypeCheck", "SourceDetails": [ { "EventSource": "aws.config", "MessageType": "ConfigurationItemChangeNotification" } ] }, "InputParameters": "{\"desiredInstanceType\":\"t2.micro\"}", "Scope": { "ComplianceResourceTypes": [ "AWS::EC2::Instance" ] }, "ConfigRuleId": "config-rule-abcdef" } ] }

The following code example shows how to use describe-configuration-recorder-status.

Amazon CLI

To get status information for the configuration recorder

The following command returns the status of the default configuration recorder:

aws configservice describe-configuration-recorder-status

Output:

{ "ConfigurationRecordersStatus": [ { "name": "default", "lastStatus": "SUCCESS", "recording": true, "lastStatusChangeTime": 1452193834.344, "lastStartTime": 1441039997.819, "lastStopTime": 1441039992.835 } ] }

The following code example shows how to use describe-configuration-recorders.

Amazon CLI

To get details about the configuration recorder

The following command returns details about the default configuration recorder:

aws configservice describe-configuration-recorders

Output:

{ "ConfigurationRecorders": [ { "recordingGroup": { "allSupported": true, "resourceTypes": [], "includeGlobalResourceTypes": true }, "roleARN": "arn:aws:iam::123456789012:role/config-ConfigRole-A1B2C3D4E5F6", "name": "default" } ] }

The following code example shows how to use describe-delivery-channel-status.

Amazon CLI

To get status information for the delivery channel

The following command returns the status of the delivery channel:

aws configservice describe-delivery-channel-status

Output:

{ "DeliveryChannelsStatus": [ { "configStreamDeliveryInfo": { "lastStatusChangeTime": 1452193834.381, "lastStatus": "SUCCESS" }, "configHistoryDeliveryInfo": { "lastSuccessfulTime": 1450317838.412, "lastStatus": "SUCCESS", "lastAttemptTime": 1450317838.412 }, "configSnapshotDeliveryInfo": { "lastSuccessfulTime": 1452185597.094, "lastStatus": "SUCCESS", "lastAttemptTime": 1452185597.094 }, "name": "default" } ] }

The following code example shows how to use describe-delivery-channels.

Amazon CLI

To get details about the delivery channel

The following command returns details about the delivery channel:

aws configservice describe-delivery-channels

Output:

{ "DeliveryChannels": [ { "snsTopicARN": "arn:aws:sns:us-east-1:123456789012:config-topic", "name": "default", "s3BucketName": "config-bucket-123456789012" } ] }

The following code example shows how to use get-compliance-details-by-config-rule.

Amazon CLI

To get the evaluation results for an Amazon Config rule

The following command returns the evaluation results for all of the resources that don't comply with an Amazon Config rule named InstanceTypesAreT2micro:

aws configservice get-compliance-details-by-config-rule --config-rule-name InstanceTypesAreT2micro --compliance-types NON_COMPLIANT

Output:

{ "EvaluationResults": [ { "EvaluationResultIdentifier": { "OrderingTimestamp": 1450314635.065, "EvaluationResultQualifier": { "ResourceType": "AWS::EC2::Instance", "ResourceId": "i-1a2b3c4d", "ConfigRuleName": "InstanceTypesAreT2micro" } }, "ResultRecordedTime": 1450314645.261, "ConfigRuleInvokedTime": 1450314642.948, "ComplianceType": "NON_COMPLIANT" }, { "EvaluationResultIdentifier": { "OrderingTimestamp": 1450314635.065, "EvaluationResultQualifier": { "ResourceType": "AWS::EC2::Instance", "ResourceId": "i-2a2b3c4d", "ConfigRuleName": "InstanceTypesAreT2micro" } }, "ResultRecordedTime": 1450314645.18, "ConfigRuleInvokedTime": 1450314642.902, "ComplianceType": "NON_COMPLIANT" }, { "EvaluationResultIdentifier": { "OrderingTimestamp": 1450314635.065, "EvaluationResultQualifier": { "ResourceType": "AWS::EC2::Instance", "ResourceId": "i-3a2b3c4d", "ConfigRuleName": "InstanceTypesAreT2micro" } }, "ResultRecordedTime": 1450314643.346, "ConfigRuleInvokedTime": 1450314643.124, "ComplianceType": "NON_COMPLIANT" } ] }

The following code example shows how to use get-compliance-details-by-resource.

Amazon CLI

To get the evaluation results for an Amazon resource

The following command returns the evaluation results for each rule with which the EC2 instance i-1a2b3c4d does not comply:

aws configservice get-compliance-details-by-resource --resource-type AWS::EC2::Instance --resource-id i-1a2b3c4d --compliance-types NON_COMPLIANT

Output:

{ "EvaluationResults": [ { "EvaluationResultIdentifier": { "OrderingTimestamp": 1450314635.065, "EvaluationResultQualifier": { "ResourceType": "AWS::EC2::Instance", "ResourceId": "i-1a2b3c4d", "ConfigRuleName": "InstanceTypesAreT2micro" } }, "ResultRecordedTime": 1450314643.288, "ConfigRuleInvokedTime": 1450314643.034, "ComplianceType": "NON_COMPLIANT" }, { "EvaluationResultIdentifier": { "OrderingTimestamp": 1450314635.065, "EvaluationResultQualifier": { "ResourceType": "AWS::EC2::Instance", "ResourceId": "i-1a2b3c4d", "ConfigRuleName": "RequiredTagForEC2Instances" } }, "ResultRecordedTime": 1450314645.261, "ConfigRuleInvokedTime": 1450314642.948, "ComplianceType": "NON_COMPLIANT" } ] }

The following code example shows how to use get-compliance-summary-by-config-rule.

Amazon CLI

To get the compliance summary for your Amazon Config rules

The following command returns the number of rules that are compliant and the number that are noncompliant:

aws configservice get-compliance-summary-by-config-rule

In the output, the value for each CappedCount attribute indicates how many rules are compliant or noncompliant.

Output:

{ "ComplianceSummary": { "NonCompliantResourceCount": { "CappedCount": 3, "CapExceeded": false }, "ComplianceSummaryTimestamp": 1452204131.493, "CompliantResourceCount": { "CappedCount": 2, "CapExceeded": false } } }

The following code example shows how to use get-compliance-summary-by-resource-type.

Amazon CLI

To get the compliance summary for all resource types

The following command returns the number of Amazon resources that are noncompliant and the number that are compliant:

aws configservice get-compliance-summary-by-resource-type

In the output, the value for each CappedCount attribute indicates how many resources are compliant or noncompliant.

Output:

{ "ComplianceSummariesByResourceType": [ { "ComplianceSummary": { "NonCompliantResourceCount": { "CappedCount": 16, "CapExceeded": false }, "ComplianceSummaryTimestamp": 1453237464.543, "CompliantResourceCount": { "CappedCount": 10, "CapExceeded": false } } } ] }

To get the compliance summary for a specific resource type

The following command returns the number of EC2 instances that are noncompliant and the number that are compliant:

aws configservice get-compliance-summary-by-resource-type --resource-types AWS::EC2::Instance

In the output, the value for each CappedCount attribute indicates how many resources are compliant or noncompliant.

Output:

{ "ComplianceSummariesByResourceType": [ { "ResourceType": "AWS::EC2::Instance", "ComplianceSummary": { "NonCompliantResourceCount": { "CappedCount": 3, "CapExceeded": false }, "ComplianceSummaryTimestamp": 1452204923.518, "CompliantResourceCount": { "CappedCount": 7, "CapExceeded": false } } } ] }

The following code example shows how to use get-resource-config-history.

Amazon CLI

To get the configuration history of an Amazon resource

The following command returns a list of configuration items for an EC2 instance with an ID of i-1a2b3c4d:

aws configservice get-resource-config-history --resource-type AWS::EC2::Instance --resource-id i-1a2b3c4d

The following code example shows how to use get-status.

Amazon CLI

To get the status for Amazon Config

The following command returns the status of the delivery channel and configuration recorder:

aws configservice get-status

Output:

Configuration Recorders: name: default recorder: ON last status: SUCCESS Delivery Channels: name: default last stream delivery status: SUCCESS last history delivery status: SUCCESS last snapshot delivery status: SUCCESS
  • For API details, see GetStatus in Amazon CLI Command Reference.

The following code example shows how to use list-discovered-resources.

Amazon CLI

To list resources that Amazon Config has discovered

The following command lists the EC2 instances that Amazon Config has discovered:

aws configservice list-discovered-resources --resource-type AWS::EC2::Instance

Output:

{ "resourceIdentifiers": [ { "resourceType": "AWS::EC2::Instance", "resourceId": "i-1a2b3c4d" }, { "resourceType": "AWS::EC2::Instance", "resourceId": "i-2a2b3c4d" }, { "resourceType": "AWS::EC2::Instance", "resourceId": "i-3a2b3c4d" } ] }

The following code example shows how to use put-config-rule.

Amazon CLI

To add an Amazon managed Config rule

The following command provides JSON code to add an Amazon managed Config rule:

aws configservice put-config-rule --config-rule file://RequiredTagsForEC2Instances.json

RequiredTagsForEC2Instances.json is a JSON file that contains the rule configuration:

{ "ConfigRuleName": "RequiredTagsForEC2Instances", "Description": "Checks whether the CostCenter and Owner tags are applied to EC2 instances.", "Scope": { "ComplianceResourceTypes": [ "AWS::EC2::Instance" ] }, "Source": { "Owner": "AWS", "SourceIdentifier": "REQUIRED_TAGS" }, "InputParameters": "{\"tag1Key\":\"CostCenter\",\"tag2Key\":\"Owner\"}" }

For the ComplianceResourceTypes attribute, this JSON code limits the scope to resources of the AWS::EC2::Instance type, so Amazon Config will evaluate only EC2 instances against the rule. Because the rule is a managed rule, the Owner attribute is set to AWS, and the SourceIdentifier attribute is set to the rule identifier, REQUIRED_TAGS. For the InputParameters attribute, the tag keys that the rule requires, CostCenter and Owner, are specified.

If the command succeeds, Amazon Config returns no output. To verify the rule configuration, run the describe-config-rules command, and specify the rule name.

To add a customer managed Config rule

The following command provides JSON code to add a customer managed Config rule:

aws configservice put-config-rule --config-rule file://InstanceTypesAreT2micro.json

InstanceTypesAreT2micro.json is a JSON file that contains the rule configuration:

{ "ConfigRuleName": "InstanceTypesAreT2micro", "Description": "Evaluates whether EC2 instances are the t2.micro type.", "Scope": { "ComplianceResourceTypes": [ "AWS::EC2::Instance" ] }, "Source": { "Owner": "CUSTOM_LAMBDA", "SourceIdentifier": "arn:aws:lambda:us-east-1:123456789012:function:InstanceTypeCheck", "SourceDetails": [ { "EventSource": "aws.config", "MessageType": "ConfigurationItemChangeNotification" } ] }, "InputParameters": "{\"desiredInstanceType\":\"t2.micro\"}" }

For the ComplianceResourceTypes attribute, this JSON code limits the scope to resources of the AWS::EC2::Instance type, so Amazon Config will evaluate only EC2 instances against the rule. Because this rule is a customer managed rule, the Owner attribute is set to CUSTOM_LAMBDA, and the SourceIdentifier attribute is set to the ARN of the Amazon Lambda function. The SourceDetails object is required. The parameters that are specified for the InputParameters attribute are passed to the Amazon Lambda function when Amazon Config invokes it to evaluate resources against the rule.

If the command succeeds, Amazon Config returns no output. To verify the rule configuration, run the describe-config-rules command, and specify the rule name.

  • For API details, see PutConfigRule in Amazon CLI Command Reference.

The following code example shows how to use put-configuration-recorder.

Amazon CLI

Example 1: To record all supported resources

The following command creates a configuration recorder that tracks changes to all supported resource types, including global resource types:

aws configservice put-configuration-recorder \ --configuration-recorder name=default,roleARN=arn:aws:iam::123456789012:role/config-role \ --recording-group allSupported=true,includeGlobalResourceTypes=true

If the command succeeds, Amazon Config returns no output. To verify the settings of your configuration recorder, run the describe-configuration-recorders command.

Example 2: To record specific types of resources

The following command creates a configuration recorder that tracks changes to only those types of resources that are specified in the JSON file for the --recording-group option:

aws configservice put-configuration-recorder \ --configuration-recorder name=default,roleARN=arn:aws:iam::123456789012:role/config-role \ --recording-group file://recordingGroup.json

recordingGroup.json is a JSON file that specifies the types of resources that Amazon Config will record:

{ "allSupported": false, "includeGlobalResourceTypes": false, "resourceTypes": [ "AWS::EC2::EIP", "AWS::EC2::Instance", "AWS::EC2::NetworkAcl", "AWS::EC2::SecurityGroup", "AWS::CloudTrail::Trail", "AWS::EC2::Volume", "AWS::EC2::VPC", "AWS::IAM::User", "AWS::IAM::Policy" ] }

Before you can specify resource types for the resourceTypes key, you must set the allSupported and includeGlobalResourceTypes options to false or omit them.

If the command succeeds, Amazon Config returns no output. To verify the settings of your configuration recorder, run the describe-configuration-recorders command.

Example 3: To select all supported resources excluding specific types of resources

The following command creates a configuration recorder that tracks changes to all current and future supported resource types excluding those types of resources that are specified in the JSON file for the --recording-group option:

aws configservice put-configuration-recorder \ --configuration-recorder name=default,roleARN=arn:aws:iam::123456789012:role/config-role \ --recording-group file://recordingGroup.json

recordingGroup.json is a JSON file that specifies the types of resources that Amazon Config will record:

{ "allSupported": false, "exclusionByResourceTypes": { "resourceTypes": [ "AWS::Redshift::ClusterSnapshot", "AWS::RDS::DBClusterSnapshot", "AWS::CloudFront::StreamingDistribution" ] }, "includeGlobalResourceTypes": false, "recordingStrategy": { "useOnly": "EXCLUSION_BY_RESOURCE_TYPES" }, }

Before you can specify resource types to excluding from recording: 1) You must set the allSupported and includeGlobalResourceTypes options to false or omit them, and 2) You must set the useOnly field of RecordingStrategy to EXCLUSION_BY_RESOURCE_TYPES.

If the command succeeds, Amazon Config returns no output. To verify the settings of your configuration recorder, run the describe-configuration-recorders command.

The following code example shows how to use put-delivery-channel.

Amazon CLI

To create a delivery channel

The following command provides the settings for the delivery channel as JSON code:

aws configservice put-delivery-channel --delivery-channel file://deliveryChannel.json

The deliveryChannel.json file specifies the delivery channel attributes:

{ "name": "default", "s3BucketName": "config-bucket-123456789012", "snsTopicARN": "arn:aws:sns:us-east-1:123456789012:config-topic", "configSnapshotDeliveryProperties": { "deliveryFrequency": "Twelve_Hours" } }

This example sets the following attributes:

name - The name of the delivery channel. By default, Amazon Config assigns the name default to a new delivery channel.You cannot update the delivery channel name with the put-delivery-channel command. For the steps to change the name, see Renaming the Delivery Channel.s3BucketName - The name of the Amazon S3 bucket to which Amazon Config delivers configuration snapshots and configuration history files.If you specify a bucket that belongs to another Amazon account, that bucket must have policies that grant access permissions to Amazon Config. For more information, see Permissions for the Amazon S3 Bucket.

snsTopicARN - The Amazon Resource Name (ARN) of the Amazon SNS topic to which Amazon Config sends notifications about configuration changes.If you choose a topic from another account, the topic must have policies that grant access permissions to Amazon Config. For more information, see Permissions for the Amazon SNS Topic.

configSnapshotDeliveryProperties - Contains the deliveryFrequency attribute, which sets how often Amazon Config delivers configuration snapshots and how often it invokes evaluations for periodic Config rules.

If the command succeeds, Amazon Config returns no output. To verify the settings of your delivery channel, run the describe-delivery-channels command.

The following code example shows how to use start-config-rules-evaluation.

Amazon CLI

To run an on-demand evaluation for Amazon Config rules

The following command starts an evaluation for two Amazon managed rules:

aws configservice start-config-rules-evaluation --config-rule-names s3-bucket-versioning-enabled cloudtrail-enabled

The following code example shows how to use start-configuration-recorder.

Amazon CLI

To start the configuration recorder

The following command starts the default configuration recorder:

aws configservice start-configuration-recorder --configuration-recorder-name default

If the command succeeds, Amazon Config returns no output. To verify that Amazon Config is recording your resources, run the get-status command.

The following code example shows how to use stop-configuration-recorder.

Amazon CLI

To stop the configuration recorder

The following command stops the default configuration recorder:

aws configservice stop-configuration-recorder --configuration-recorder-name default

If the command succeeds, Amazon Config returns no output. To verify that Amazon Config is not recording your resources, run the get-status command.

The following code example shows how to use subscribe.

Amazon CLI

To subscribe to Amazon Config

The following command creates the default delivery channel and configuration recorder. The command also specifies the Amazon S3 bucket and Amazon SNS topic to which Amazon Config will deliver configuration information:

aws configservice subscribe --s3-bucket config-bucket-123456789012 --sns-topic arn:aws:sns:us-east-1:123456789012:config-topic --iam-role arn:aws:iam::123456789012:role/ConfigRole-A1B2C3D4E5F6

Output:

Using existing S3 bucket: config-bucket-123456789012 Using existing SNS topic: arn:aws:sns:us-east-1:123456789012:config-topic Subscribe succeeded: Configuration Recorders: [ { "recordingGroup": { "allSupported": true, "resourceTypes": [], "includeGlobalResourceTypes": false }, "roleARN": "arn:aws:iam::123456789012:role/ConfigRole-A1B2C3D4E5F6", "name": "default" } ] Delivery Channels: [ { "snsTopicARN": "arn:aws:sns:us-east-1:123456789012:config-topic", "name": "default", "s3BucketName": "config-bucket-123456789012" } ]
  • For API details, see Subscribe in Amazon CLI Command Reference.