Viewing Compliance Information and Evaluation Results for your Amazon Resources - Amazon Config
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Viewing Compliance Information and Evaluation Results for your Amazon Resources

Important

For accurate reporting on the compliance status, you must record the AWS::Config::ResourceCompliance resource type. For more information, see Recording Amazon Resources.

You can use the Amazon Config console or Amazon SDKs to view the compliance information and the evaluation results of your resources.

Viewing compliance (Console)

  1. Sign in to the Amazon Web Services Management Console and open the Amazon Config console at https://console.amazonaws.cn/config/.

  2. In the Amazon Web Services Management Console menu, verify that the region selector is set to a region that supports Amazon Config rules. For the list of supported regions, see Amazon Config Regions and Endpoints in the Amazon Web Services General Reference.

  3. In the navigation pane, choose Resources. On the Resource inventory page, you can filter by resource category, resource type, and compliance status. Choose Include deleted resources if appropriate. The table displays the resource identifier for the resource type and the resource compliance status for that resource. The resource identifier might be a resource ID or a resource name.

  4. Choose a resource from the resource identifier column.

  5. Choose the Resource Timeline button. You can filter by Configuration events, Compliance events, or CloudTrail Events.

    Note

    Alternatively, on the Resource inventory page, you can directly choose the resource name. To access the resource timeline from the resource details page, choose the Resource Timeline button.

You can also view the compliance of your resources by looking them up on the Resource inventory page. For more information, see Looking Up Resources That Are Discovered by Amazon Config.

Viewing compliance (Amazon SDKs)

The following code examples show how to use DescribeComplianceByResource.

CLI
Amazon CLI

To get compliance information for your Amazon resources

The following command returns compliance information for each EC2 instance that is recorded by Amazon Config and that violates one or more rules:

aws configservice describe-compliance-by-resource --resource-type AWS::EC2::Instance --compliance-types NON_COMPLIANT

In the output, the value for each CappedCount attribute indicates how many rules the resource violates. For example, the following output indicates that instance i-1a2b3c4d violates 2 rules.

Output:

{ "ComplianceByResources": [ { "ResourceType": "AWS::EC2::Instance", "ResourceId": "i-1a2b3c4d", "Compliance": { "ComplianceContributorCount": { "CappedCount": 2, "CapExceeded": false }, "ComplianceType": "NON_COMPLIANT" } }, { "ResourceType": "AWS::EC2::Instance", "ResourceId": "i-2a2b3c4d ", "Compliance": { "ComplianceContributorCount": { "CappedCount": 3, "CapExceeded": false }, "ComplianceType": "NON_COMPLIANT" } } ] }
PowerShell
Tools for PowerShell

Example 1: This example checks the AWS::SSM::ManagedInstanceInventory resource type for 'COMPLIANT' compliance type.

Get-CFGComplianceByResource -ComplianceType COMPLIANT -ResourceType AWS::SSM::ManagedInstanceInventory

Output:

Compliance ResourceId ResourceType ---------- ---------- ------------ Amazon.ConfigService.Model.Compliance i-0123bcf4b567890e3 AWS::SSM::ManagedInstanceInventory Amazon.ConfigService.Model.Compliance i-0a1234f6f5d6b78f7 AWS::SSM::ManagedInstanceInventory

The following code examples show how to use GetComplianceSummaryByResourceType.

CLI
Amazon CLI

To get the compliance summary for all resource types

The following command returns the number of Amazon resources that are noncompliant and the number that are compliant:

aws configservice get-compliance-summary-by-resource-type

In the output, the value for each CappedCount attribute indicates how many resources are compliant or noncompliant.

Output:

{ "ComplianceSummariesByResourceType": [ { "ComplianceSummary": { "NonCompliantResourceCount": { "CappedCount": 16, "CapExceeded": false }, "ComplianceSummaryTimestamp": 1453237464.543, "CompliantResourceCount": { "CappedCount": 10, "CapExceeded": false } } } ] }

To get the compliance summary for a specific resource type

The following command returns the number of EC2 instances that are noncompliant and the number that are compliant:

aws configservice get-compliance-summary-by-resource-type --resource-types AWS::EC2::Instance

In the output, the value for each CappedCount attribute indicates how many resources are compliant or noncompliant.

Output:

{ "ComplianceSummariesByResourceType": [ { "ResourceType": "AWS::EC2::Instance", "ComplianceSummary": { "NonCompliantResourceCount": { "CappedCount": 3, "CapExceeded": false }, "ComplianceSummaryTimestamp": 1452204923.518, "CompliantResourceCount": { "CappedCount": 7, "CapExceeded": false } } } ] }
PowerShell
Tools for PowerShell

Example 1: This sample returns the number of resources that are compliant or noncompliant and converts the output to json.

Get-CFGComplianceSummaryByResourceType -Select ComplianceSummariesByResourceType.ComplianceSummary | ConvertTo-Json { "ComplianceSummaryTimestamp": "2019-12-14T06:14:49.778Z", "CompliantResourceCount": { "CapExceeded": false, "CappedCount": 2 }, "NonCompliantResourceCount": { "CapExceeded": true, "CappedCount": 100 } }

The following code examples show how to use GetComplianceDetailsByResource.

CLI
Amazon CLI

To get the evaluation results for an Amazon resource

The following command returns the evaluation results for each rule with which the EC2 instance i-1a2b3c4d does not comply:

aws configservice get-compliance-details-by-resource --resource-type AWS::EC2::Instance --resource-id i-1a2b3c4d --compliance-types NON_COMPLIANT

Output:

{ "EvaluationResults": [ { "EvaluationResultIdentifier": { "OrderingTimestamp": 1450314635.065, "EvaluationResultQualifier": { "ResourceType": "AWS::EC2::Instance", "ResourceId": "i-1a2b3c4d", "ConfigRuleName": "InstanceTypesAreT2micro" } }, "ResultRecordedTime": 1450314643.288, "ConfigRuleInvokedTime": 1450314643.034, "ComplianceType": "NON_COMPLIANT" }, { "EvaluationResultIdentifier": { "OrderingTimestamp": 1450314635.065, "EvaluationResultQualifier": { "ResourceType": "AWS::EC2::Instance", "ResourceId": "i-1a2b3c4d", "ConfigRuleName": "RequiredTagForEC2Instances" } }, "ResultRecordedTime": 1450314645.261, "ConfigRuleInvokedTime": 1450314642.948, "ComplianceType": "NON_COMPLIANT" } ] }
PowerShell
Tools for PowerShell

Example 1: This example evaulation results for the given resource.

Get-CFGComplianceDetailsByResource -ResourceId ABCD5STJ4EFGHIVEW6JAH -ResourceType 'AWS::IAM::User'

Output:

Annotation : ComplianceType : COMPLIANT ConfigRuleInvokedTime : 8/25/2019 11:34:56 PM EvaluationResultIdentifier : Amazon.ConfigService.Model.EvaluationResultIdentifier ResultRecordedTime : 8/25/2019 11:34:56 PM ResultToken :