Viewing Configuration Compliance - Amazon Config
Viewing compliance (Console)Viewing compliance (CLI)Viewing compliance (API)
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Viewing Configuration Compliance

You can use the Amazon Config console, Amazon CLI, or Amazon Config API to view the compliance state of your rules and resources.

Viewing compliance (Console)

To view compliance

  1. Sign in to the Amazon Web Services Management Console and open the Amazon Config console at https://console.amazonaws.cn/config/.

  2. In the Amazon Web Services Management Console menu, verify that the region selector is set to a region that supports Amazon Config rules. For the list of supported regions, see Amazon Config Regions and Endpoints in the Amazon Web Services General Reference.

  3. In the navigation pane, choose Resources. On the Resource inventory page, you can filter by resource category, resource type, and compliance status. Choose Include deleted resources if appropriate. The table displays the resource identifier for the resource type and the resource compliance status for that resource. The resource identifier might be a resource ID or a resource name.

  4. Choose a resource from the resource identifier column.

  5. Choose the Resource Timeline button. You can filter by Configuration events, Compliance events, or CloudTrail Events.

    Note

    Alternatively, on the Resource inventory page, you can directly choose the resource name. To access the resource timeline from the resource details page, choose the Resource Timeline button.

You can also view the compliance of your resources by looking them up on the Resource inventory page. For more information, see Looking Up Resources That Are Discovered by Amazon Config.

Viewing compliance (CLI)

Example to view compliance

To view compliance, use any of the following CLI commands:

  • To see the compliance state of each of your rules, use the describe-compliance-by-config-rule command, as shown in the following example:

    $ aws configservice describe-compliance-by-config-rule
{
    "ComplianceByConfigRules": [
        {
            "Compliance": {
                "ComplianceContributorCount": {
                    "CappedCount": 2,
                    "CapExceeded": false
                },
                "ComplianceType": "NON_COMPLIANT"
            },
            "ConfigRuleName": "instances-in-vpc"
        },
        {
            "Compliance": {
                "ComplianceType": "COMPLIANT"
            },
            "ConfigRuleName": "restricted-common-ports"
        },
...

    For each rule that has a compliance type of NON_COMPLIANT, Amazon Config returns the number of noncompliant resources for the CappedCount parameter.

  • To see the compliance state of each resource that Amazon Config evaluates for a specific rule, use the get-compliance-details-by-config-rule command, as shown in the following example:

    $ aws configservice get-compliance-details-by-config-rule --config-rule-name ConfigRuleName{
    "EvaluationResults": [
        {
            "EvaluationResultIdentifier": {
                "OrderingTimestamp": 1443610576.349,
                "EvaluationResultQualifier": {
                    "ResourceType": "AWS::EC2::Instance",
                    "ResourceId": "i-nnnnnnnn",
                    "ConfigRuleName": "ConfigRuleName"
                }
            },
            "ResultRecordedTime": 1443751424.969,
            "ConfigRuleInvokedTime": 1443751421.208,
            "ComplianceType": "COMPLIANT"
        },
        {
            "EvaluationResultIdentifier": {
                "OrderingTimestamp": 1443610576.349,
                "EvaluationResultQualifier": {
                    "ResourceType": "AWS::EC2::Instance",
                    "ResourceId": "i-nnnnnnnn",
                    "ConfigRuleName": "ConfigRuleName"
                }
            },
            "ResultRecordedTime": 1443751425.083,
            "ConfigRuleInvokedTime": 1443751421.301,
            "ComplianceType": "NON_COMPLIANT"
        },
...

  • To see the compliance state for each Amazon resource of a specific type, use the describe-compliance-by-resource command, as shown in the following example:

    $ aws configservice describe-compliance-by-resource --resource-type AWS::EC2::Instance
{
    "ComplianceByResources": [
        {
            "ResourceType": "AWS::EC2::Instance",
            "ResourceId": "i-nnnnnnnn",
            "Compliance": {
                "ComplianceContributorCount": {
                    "CappedCount": 1,
                    "CapExceeded": false
                },
                "ComplianceType": "NON_COMPLIANT"
            }
        },
        {
            "ResourceType": "AWS::EC2::Instance",
            "ResourceId": "i-nnnnnnnn",
            "Compliance": {
                "ComplianceType": "COMPLIANT"
            }
        },
...

  • To see the compliance details of an individual Amazon resource, use the get-compliance-details-by-resource command.

    $ aws configservice get-compliance-details-by-resource --resource-type AWS::EC2::Instance --resource-id i-nnnnnnnn
{
    "EvaluationResults": [
        {
            "EvaluationResultIdentifier": {
                "OrderingTimestamp": 1443610576.349,
                "EvaluationResultQualifier": {
                    "ResourceType": "AWS::EC2::Instance",
                    "ResourceId": "i-nnnnnnnn",
                    "ConfigRuleName": "instances-in-vpc"
                }
            },
            "ResultRecordedTime": 1443751425.083,
            "ConfigRuleInvokedTime": 1443751421.301,
            "ComplianceType": "NON_COMPLIANT"
        }
    ]
}

Viewing compliance (API)

Example to view compliance

To view compliance, use any of the following API actions:

  • To see the compliance state of each of your rules, use the DescribeComplianceByConfigRule action.

  • To see the compliance state of each resource that Amazon Config evaluates for a specific rule, use the GetComplianceDetailsByConfigRule action.

  • To see the compliance state for each Amazon resource of a specific type, use the DescribeComplianceByResource action.

  • To see the compliance details of an individual Amazon resource, use the GetComplianceDetailsByResource action. The details include which Amazon Config rules evaluated the resource, when each rule last evaluated it, and whether the resource complies with each rule.