Viewing Compliance Information and Evaluation Results - Amazon Config
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Viewing Compliance Information and Evaluation Results

Important

For accurate reporting on the compliance status, you must record the AWS::Config::ResourceCompliance resource type. For more information, see Recording Amazon Resources.

You can use the Amazon Config console or Amazon SDKs to view the compliance information and the evaluation results of your rules and resources.

Viewing compliance (Console)

  1. Sign in to the Amazon Web Services Management Console and open the Amazon Config console at https://console.amazonaws.cn/config/.

  2. In the Amazon Web Services Management Console menu, verify that the region selector is set to a region that supports Amazon Config rules. For the list of supported regions, see Amazon Config Regions and Endpoints in the Amazon Web Services General Reference.

  3. In the navigation pane, choose Resources. On the Resource inventory page, you can filter by resource category, resource type, and compliance status. Choose Include deleted resources if appropriate. The table displays the resource identifier for the resource type and the resource compliance status for that resource. The resource identifier might be a resource ID or a resource name.

  4. Choose a resource from the resource identifier column.

  5. Choose the Resource Timeline button. You can filter by Configuration events, Compliance events, or CloudTrail Events.

    Note

    Alternatively, on the Resource inventory page, you can directly choose the resource name. To access the resource timeline from the resource details page, choose the Resource Timeline button.

You can also view the compliance of your resources by looking them up on the Resource inventory page. For more information, see Looking Up Resources That Are Discovered by Amazon Config.

Viewing compliance (Amazon SDKs)

The following code examples show how to use DescribeComplianceByConfigRule.

Amazon CLI

To get compliance information for your Amazon Config rules

The following command returns compliance information for each Amazon Config rule that is violated by one or more Amazon resources:

aws configservice describe-compliance-by-config-rule --compliance-types NON_COMPLIANT

In the output, the value for each CappedCount attribute indicates how many resources do not comply with the related rule. For example, the following output indicates that 3 resources do not comply with the rule named InstanceTypesAreT2micro.

Output:

{
    "ComplianceByConfigRules": [
        {
            "Compliance": {
                "ComplianceContributorCount": {
                    "CappedCount": 3,
                    "CapExceeded": false
                },
                "ComplianceType": "NON_COMPLIANT"
            },
            "ConfigRuleName": "InstanceTypesAreT2micro"
        },
        {
            "Compliance": {
                "ComplianceContributorCount": {
                    "CappedCount": 10,
                    "CapExceeded": false
                },
                "ComplianceType": "NON_COMPLIANT"
            },
            "ConfigRuleName": "RequiredTagsForVolumes"
        }
    ]
}

Tools for PowerShell

Example 1: This example retrieves compliance details for the rule ebs-optimized-instance. Because there are no current evaluation results for the rule, it returns INSUFFICIENT_DATA.

(Get-CFGComplianceByConfigRule -ConfigRuleName ebs-optimized-instance).Compliance

Output:

ComplianceContributorCount ComplianceType
-------------------------- --------------
                           INSUFFICIENT_DATA

Example 2: This example returns the number of non-compliant resources for the rule ALB_HTTP_TO_HTTPS_REDIRECTION_CHECK.

(Get-CFGComplianceByConfigRule -ConfigRuleName ALB_HTTP_TO_HTTPS_REDIRECTION_CHECK -ComplianceType NON_COMPLIANT).Compliance.ComplianceContributorCount

Output:

CapExceeded CappedCount
----------- -----------
      False           2

The following code examples show how to use DescribeComplianceByResource.

Amazon CLI

To get compliance information for your Amazon resources

The following command returns compliance information for each EC2 instance that is recorded by Amazon Config and that violates one or more rules:

aws configservice describe-compliance-by-resource --resource-type AWS::EC2::Instance --compliance-types NON_COMPLIANT

In the output, the value for each CappedCount attribute indicates how many rules the resource violates. For example, the following output indicates that instance i-1a2b3c4d violates 2 rules.

Output:

{
    "ComplianceByResources": [
        {
            "ResourceType": "AWS::EC2::Instance",
            "ResourceId": "i-1a2b3c4d",
            "Compliance": {
                "ComplianceContributorCount": {
                    "CappedCount": 2,
                    "CapExceeded": false
                },
                "ComplianceType": "NON_COMPLIANT"
            }
        },
        {
            "ResourceType": "AWS::EC2::Instance",
            "ResourceId": "i-2a2b3c4d",
            "Compliance": {
                "ComplianceContributorCount": {
                    "CappedCount": 3,
                    "CapExceeded": false
                },
                "ComplianceType": "NON_COMPLIANT"
            }
        }
    ]
}

Tools for PowerShell

Example 1: This example checks the AWS::SSM::ManagedInstanceInventory resource type for 'COMPLIANT' compliance type.

Get-CFGComplianceByResource -ComplianceType COMPLIANT -ResourceType AWS::SSM::ManagedInstanceInventory

Output:

Compliance                            ResourceId          ResourceType
----------                            ----------          ------------
Amazon.ConfigService.Model.Compliance i-0123bcf4b567890e3 AWS::SSM::ManagedInstanceInventory
Amazon.ConfigService.Model.Compliance i-0a1234f6f5d6b78f7 AWS::SSM::ManagedInstanceInventory

The following code examples show how to use GetComplianceSummaryByConfigRule.

Amazon CLI

To get the compliance summary for your Amazon Config rules

The following command returns the number of rules that are compliant and the number that are noncompliant:

aws configservice get-compliance-summary-by-config-rule

In the output, the value for each CappedCount attribute indicates how many rules are compliant or noncompliant.

Output:

{
    "ComplianceSummary": {
        "NonCompliantResourceCount": {
            "CappedCount": 3,
            "CapExceeded": false
        },
        "ComplianceSummaryTimestamp": 1452204131.493,
        "CompliantResourceCount": {
            "CappedCount": 2,
            "CapExceeded": false
        }
    }
}

Tools for PowerShell

Example 1: This sample returns the number of Config rules that are non-compliant.

Get-CFGComplianceSummaryByConfigRule -Select ComplianceSummary.NonCompliantResourceCount

Output:

CapExceeded CappedCount
----------- -----------
      False           9

The following code examples show how to use GetComplianceSummaryByResourceType.

Amazon CLI

To get the compliance summary for all resource types

The following command returns the number of Amazon resources that are noncompliant and the number that are compliant:

aws configservice get-compliance-summary-by-resource-type

In the output, the value for each CappedCount attribute indicates how many resources are compliant or noncompliant.

Output:

{
    "ComplianceSummariesByResourceType": [
        {
            "ComplianceSummary": {
                "NonCompliantResourceCount": {
                    "CappedCount": 16,
                    "CapExceeded": false
                },
                "ComplianceSummaryTimestamp": 1453237464.543,
                "CompliantResourceCount": {
                    "CappedCount": 10,
                    "CapExceeded": false
                }
            }
        }
    ]
}

To get the compliance summary for a specific resource type

The following command returns the number of EC2 instances that are noncompliant and the number that are compliant:

aws configservice get-compliance-summary-by-resource-type --resource-types AWS::EC2::Instance

In the output, the value for each CappedCount attribute indicates how many resources are compliant or noncompliant.

Output:

{
    "ComplianceSummariesByResourceType": [
        {
            "ResourceType": "AWS::EC2::Instance",
            "ComplianceSummary": {
                "NonCompliantResourceCount": {
                    "CappedCount": 3,
                    "CapExceeded": false
                },
                "ComplianceSummaryTimestamp": 1452204923.518,
                "CompliantResourceCount": {
                    "CappedCount": 7,
                    "CapExceeded": false
                }
            }
        }
    ]
}

Tools for PowerShell

Example 1: This sample returns the number of resources that are compliant or noncompliant and converts the output to JSON.

Get-CFGComplianceSummaryByResourceType -Select ComplianceSummariesByResourceType.ComplianceSummary | ConvertTo-Json

Output:

{
    "ComplianceSummaryTimestamp": "2019-12-14T06:14:49.778Z",
    "CompliantResourceCount": {
        "CapExceeded": false,
        "CappedCount": 2
    },
    "NonCompliantResourceCount": {
        "CapExceeded": true,
        "CappedCount": 100
    }
}

The following code examples show how to use GetComplianceDetailsByConfigRule.

Amazon CLI

To get the evaluation results for an Amazon Config rule

The following command returns the evaluation results for all of the resources that don't comply with an Amazon Config rule named InstanceTypesAreT2micro:

aws configservice get-compliance-details-by-config-rule --config-rule-name InstanceTypesAreT2micro --compliance-types NON_COMPLIANT

Output:

{
    "EvaluationResults": [
        {
            "EvaluationResultIdentifier": {
                "OrderingTimestamp": 1450314635.065,
                "EvaluationResultQualifier": {
                    "ResourceType": "AWS::EC2::Instance",
                    "ResourceId": "i-1a2b3c4d",
                    "ConfigRuleName": "InstanceTypesAreT2micro"
                }
            },
            "ResultRecordedTime": 1450314645.261,
            "ConfigRuleInvokedTime": 1450314642.948,
            "ComplianceType": "NON_COMPLIANT"
        },
        {
            "EvaluationResultIdentifier": {
                "OrderingTimestamp": 1450314635.065,
                "EvaluationResultQualifier": {
                    "ResourceType": "AWS::EC2::Instance",
                    "ResourceId": "i-2a2b3c4d",
                    "ConfigRuleName": "InstanceTypesAreT2micro"
                }
            },
            "ResultRecordedTime": 1450314645.18,
            "ConfigRuleInvokedTime": 1450314642.902,
            "ComplianceType": "NON_COMPLIANT"
        },
        {
            "EvaluationResultIdentifier": {
                "OrderingTimestamp": 1450314635.065,
                "EvaluationResultQualifier": {
                    "ResourceType": "AWS::EC2::Instance",
                    "ResourceId": "i-3a2b3c4d",
                    "ConfigRuleName": "InstanceTypesAreT2micro"
                }
            },
            "ResultRecordedTime": 1450314643.346,
            "ConfigRuleInvokedTime": 1450314643.124,
            "ComplianceType": "NON_COMPLIANT"
        }
    ]
}

Tools for PowerShell

Example 1: This example obtains the evaluation results for the rule access-keys-rotated and returns the output grouped by compliance type.

Get-CFGComplianceDetailsByConfigRule -ConfigRuleName access-keys-rotated | Group-Object ComplianceType

Output:

Count Name          Group
----- ----          -----
    2 COMPLIANT     {Amazon.ConfigService.Model.EvaluationResult, Amazon.ConfigService.Model.EvaluationResult}
    5 NON_COMPLIANT {Amazon.ConfigService.Model.EvaluationResult, Amazon.ConfigService.Model.EvaluationResult, Amazon.ConfigService.Model.EvaluationRes...

Example 2: This example queries compliance details for the rule access-keys-rotated for COMPLIANT resources.

Get-CFGComplianceDetailsByConfigRule -ConfigRuleName access-keys-rotated -ComplianceType COMPLIANT | ForEach-Object {$_.EvaluationResultIdentifier.EvaluationResultQualifier}

Output:

ConfigRuleName      ResourceId            ResourceType
--------------      ----------            ------------
access-keys-rotated BCAB1CDJ2LITAPVEW3JAH AWS::IAM::User
access-keys-rotated BCAB1CDJ2LITL3EHREM4Q AWS::IAM::User
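The CLI output above lists one EvaluationResult per resource, and the PowerShell examples group those results by ComplianceType and project out the EvaluationResultQualifier. Doing the same from an SDK or from saved CLI output adds two concerns that the short listings do not show: the call is paginated (a NextToken in the response means more results remain), and the timestamps are epoch seconds. The following Python is an added example, not code from the Amazon Config documentation. It assumes a fetch callable that takes an optional next token and returns one page of the response; the constructed pages reuse the three documented results, split across two pages, plus one constructed COMPLIANT result for a resource named i-4a2b3c4d, and the token value is invented.

```python
"""Collect and group GetComplianceDetailsByConfigRule evaluation results
(added example, not from the Amazon Config documentation)."""
from collections import defaultdict
from datetime import datetime, timezone


def _result(resource_id, compliance, recorded, invoked):
    """Build one EvaluationResult in the documented response shape."""
    return {
        "EvaluationResultIdentifier": {
            "OrderingTimestamp": 1450314635.065,
            "EvaluationResultQualifier": {
                "ResourceType": "AWS::EC2::Instance",
                "ResourceId": resource_id,
                "ConfigRuleName": "InstanceTypesAreT2micro",
            },
        },
        "ResultRecordedTime": recorded,
        "ConfigRuleInvokedTime": invoked,
        "ComplianceType": compliance,
    }


# Constructed sample pages: the three documented results split across two
# pages, plus one constructed COMPLIANT result; the NextToken value is invented.
PAGE_1 = {
    "EvaluationResults": [
        _result("i-1a2b3c4d", "NON_COMPLIANT", 1450314645.261, 1450314642.948),
        _result("i-2a2b3c4d", "NON_COMPLIANT", 1450314645.18, 1450314642.902),
    ],
    "NextToken": "constructed-token-page-2",
}
PAGE_2 = {
    "EvaluationResults": [
        _result("i-3a2b3c4d", "NON_COMPLIANT", 1450314643.346, 1450314643.124),
        _result("i-4a2b3c4d", "COMPLIANT", 1450314643.400, 1450314643.130),  # constructed
    ],
}


def fake_fetch(next_token=None):
    """Stand-in for the API call (constructed). A real implementation would
    pass next_token as the NextToken parameter of the SDK call."""
    return PAGE_1 if next_token is None else PAGE_2


def collect_evaluations(fetch):
    """Follow NextToken until the service reports no further pages."""
    results, token = [], None
    while True:
        page = fetch(token)
        results.extend(page.get("EvaluationResults", []))
        token = page.get("NextToken")
        if not token:
            return results


def group_by_compliance(results):
    """{ComplianceType: [(ResourceType, ResourceId, ConfigRuleName), ...]},
    the same projection the PowerShell examples above perform."""
    groups = defaultdict(list)
    for r in results:
        q = r["EvaluationResultIdentifier"]["EvaluationResultQualifier"]
        groups[r["ComplianceType"]].append(
            (q["ResourceType"], q["ResourceId"], q["ConfigRuleName"]))
    return dict(groups)


def to_iso(epoch_seconds):
    """Render an epoch timestamp from the response as ISO 8601 in UTC."""
    return datetime.fromtimestamp(epoch_seconds, tz=timezone.utc).isoformat(timespec="seconds")


def latest_recorded(results):
    """ISO timestamp of the most recently recorded result, or None if empty."""
    if not results:
        return None
    return to_iso(max(r["ResultRecordedTime"] for r in results))


if __name__ == "__main__":
    all_results = collect_evaluations(fake_fetch)
    for ctype, rows in group_by_compliance(all_results).items():
        print(ctype, len(rows))
        for row in rows:
            print("   ", *row)
    print("latest result recorded at", latest_recorded(all_results))
```

Only the first page would be seen without the NextToken loop, so a report built from a single call can silently omit violating resources; latest_recorded gives a quick check that the results being read are current rather than left over from an earlier evaluation.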

The following code examples show how to use GetComplianceDetailsByResource.

Amazon CLI

To get the evaluation results for an Amazon resource

The following command returns the evaluation results for each rule with which the EC2 instance i-1a2b3c4d does not comply:

aws configservice get-compliance-details-by-resource --resource-type AWS::EC2::Instance --resource-id i-1a2b3c4d --compliance-types NON_COMPLIANT

Output:

{
    "EvaluationResults": [
        {
            "EvaluationResultIdentifier": {
                "OrderingTimestamp": 1450314635.065,
                "EvaluationResultQualifier": {
                    "ResourceType": "AWS::EC2::Instance",
                    "ResourceId": "i-1a2b3c4d",
                    "ConfigRuleName": "InstanceTypesAreT2micro"
                }
            },
            "ResultRecordedTime": 1450314643.288,
            "ConfigRuleInvokedTime": 1450314643.034,
            "ComplianceType": "NON_COMPLIANT"
        },
        {
            "EvaluationResultIdentifier": {
                "OrderingTimestamp": 1450314635.065,
                "EvaluationResultQualifier": {
                    "ResourceType": "AWS::EC2::Instance",
                    "ResourceId": "i-1a2b3c4d",
                    "ConfigRuleName": "RequiredTagForEC2Instances"
                }
            },
            "ResultRecordedTime": 1450314645.261,
            "ConfigRuleInvokedTime": 1450314642.948,
            "ComplianceType": "NON_COMPLIANT"
        }
    ]
}

Tools for PowerShell

Example 1: This example returns the evaluation results for the given resource.

Get-CFGComplianceDetailsByResource -ResourceId ABCD5STJ4EFGHIVEW6JAH -ResourceType 'AWS::IAM::User'

Output:

Annotation                 :
ComplianceType             : COMPLIANT
ConfigRuleInvokedTime      : 8/25/2019 11:34:56 PM
EvaluationResultIdentifier : Amazon.ConfigService.Model.EvaluationResultIdentifier
ResultRecordedTime         : 8/25/2019 11:34:56 PM
ResultToken                :