Viewing Configuration Compliance - Amazon Config
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Viewing Configuration Compliance

Important

For accurate reporting on the compliance status, you must record the AWS::Config::ResourceCompliance resource type. For more information, see Selecting Which Resources Amazon Config Records.

You can use the Amazon Config console, Amazon CLI, or Amazon Config API to view the compliance state of your rules and resources.

Viewing compliance (Console)

  1. Sign in to the Amazon Web Services Management Console and open the Amazon Config console at https://console.amazonaws.cn/config/.

  2. In the Amazon Web Services Management Console menu, verify that the region selector is set to a region that supports Amazon Config rules. For the list of supported regions, see Amazon Config Regions and Endpoints in the Amazon Web Services General Reference.

  3. In the navigation pane, choose Resources. On the Resource inventory page, you can filter by resource category, resource type, and compliance status. Choose Include deleted resources if appropriate. The table displays the resource identifier for the resource type and the resource compliance status for that resource. The resource identifier might be a resource ID or a resource name.

  4. Choose a resource from the resource identifier column.

  5. Choose the Resource Timeline button. You can filter by Configuration events, Compliance events, or CloudTrail Events.

    Note

    Alternatively, on the Resource inventory page, you can directly choose the resource name. To access the resource timeline from the resource details page, choose the Resource Timeline button.

You can also view the compliance of your resources by looking them up on the Resource inventory page. For more information, see Looking Up Resources That Are Discovered by Amazon Config.

Viewing compliance (Amazon CLI)

To view compliance, use any of the following CLI commands:

To see the compliance state of each of your rules

To see the compliance state of each of your rules, use the describe-compliance-by-config-rule command, as shown in the following example:

$ aws configservice describe-compliance-by-config-rule
{
    "ComplianceByConfigRules": [
        {
            "Compliance": {
                "ComplianceContributorCount": {
                    "CappedCount": 2,
                    "CapExceeded": false
                },
                "ComplianceType": "NON_COMPLIANT"
            },
            "ConfigRuleName": "instances-in-vpc"
        },
        {
            "Compliance": {
                "ComplianceType": "COMPLIANT"
            },
            "ConfigRuleName": "restricted-common-ports"
        },
        ...

For each rule that has a compliance type of NON_COMPLIANT, Amazon Config returns the number of noncompliant resources in the CappedCount parameter. This count is capped: when CapExceeded is true, more resources are noncompliant than CappedCount reports, so use get-compliance-details-by-config-rule to list every noncompliant resource rather than relying on the count alone.

To see the compliance state of each resource that Amazon Config evaluates for a specific rule

To see the compliance state of each resource that Amazon Config evaluates for a specific rule, use the get-compliance-details-by-config-rule command, as shown in the following example:

$ aws configservice get-compliance-details-by-config-rule --config-rule-name ConfigRuleName
{
    "EvaluationResults": [
        {
            "EvaluationResultIdentifier": {
                "OrderingTimestamp": 1443610576.349,
                "EvaluationResultQualifier": {
                    "ResourceType": "AWS::EC2::Instance",
                    "ResourceId": "i-nnnnnnnn",
                    "ConfigRuleName": "ConfigRuleName"
                }
            },
            "ResultRecordedTime": 1443751424.969,
            "ConfigRuleInvokedTime": 1443751421.208,
            "ComplianceType": "COMPLIANT"
        },
        {
            "EvaluationResultIdentifier": {
                "OrderingTimestamp": 1443610576.349,
                "EvaluationResultQualifier": {
                    "ResourceType": "AWS::EC2::Instance",
                    "ResourceId": "i-nnnnnnnn",
                    "ConfigRuleName": "ConfigRuleName"
                }
            },
            "ResultRecordedTime": 1443751425.083,
            "ConfigRuleInvokedTime": 1443751421.301,
            "ComplianceType": "NON_COMPLIANT"
        },
        ...

To see the compliance state for each Amazon resource of a specific type

To see the compliance state for each Amazon resource of a specific type, use the describe-compliance-by-resource command, as shown in the following example:

$ aws configservice describe-compliance-by-resource --resource-type AWS::EC2::Instance
{
    "ComplianceByResources": [
        {
            "ResourceType": "AWS::EC2::Instance",
            "ResourceId": "i-nnnnnnnn",
            "Compliance": {
                "ComplianceContributorCount": {
                    "CappedCount": 1,
                    "CapExceeded": false
                },
                "ComplianceType": "NON_COMPLIANT"
            }
        },
        {
            "ResourceType": "AWS::EC2::Instance",
            "ResourceId": "i-nnnnnnnn",
            "Compliance": {
                "ComplianceType": "COMPLIANT"
            }
        },
        ...

To see the compliance details of an individual Amazon resource

To see the compliance details of an individual Amazon resource, use the get-compliance-details-by-resource command, as shown in the following example:

$ aws configservice get-compliance-details-by-resource --resource-type AWS::EC2::Instance --resource-id i-nnnnnnnn
{
    "EvaluationResults": [
        {
            "EvaluationResultIdentifier": {
                "OrderingTimestamp": 1443610576.349,
                "EvaluationResultQualifier": {
                    "ResourceType": "AWS::EC2::Instance",
                    "ResourceId": "i-nnnnnnnn",
                    "ConfigRuleName": "instances-in-vpc"
                }
            },
            "ResultRecordedTime": 1443751425.083,
            "ConfigRuleInvokedTime": 1443751421.301,
            "ComplianceType": "NON_COMPLIANT"
        }
    ]
}

Viewing compliance (API)

To view compliance, use any of the following API actions:

  • To see the compliance state of each of your rules, use the DescribeComplianceByConfigRule action.

  • To see the compliance state of each resource that Amazon Config evaluates for a specific rule, use the GetComplianceDetailsByConfigRule action.

  • To see the compliance state for each Amazon resource of a specific type, use the DescribeComplianceByResource action.

  • To see the compliance details of an individual Amazon resource, use the GetComplianceDetailsByResource action. The details include which Amazon Config rules evaluated the resource, when each rule last evaluated it, and whether the resource complies with each rule.
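The CLI and API sections above each describe the same two-step pattern: list the NON_COMPLIANT rules, then list the resources failing each one. The following Python script is an added example, not code from the Amazon Config documentation, that automates that pattern. It calls DescribeComplianceByConfigRule and GetComplianceDetailsByConfigRule through the boto3 method names for those actions (describe_compliance_by_config_rule and get_compliance_details_by_config_rule), follows NextToken pagination so that rules or resources beyond the first page are not dropped, and carries the CapExceeded flag through so a capped count is never mistaken for a complete one. FakeConfigClient, its rule names and its resource IDs are constructed so the script runs offline; against a real account you would pass boto3.client("config") instead.

```python
"""Compile a noncompliance report from the Amazon Config compliance APIs.

Added example (not from the Amazon Config documentation). Uses the
boto3-style method names for DescribeComplianceByConfigRule and
GetComplianceDetailsByConfigRule; FakeConfigClient below is a constructed
stand-in for boto3.client("config") so the example runs offline.
"""


def _paginate(call, result_key, **kwargs):
    """Yield every item under result_key across all NextToken pages."""
    token = None
    while True:
        params = dict(kwargs)
        if token:
            params["NextToken"] = token
        page = call(**params)
        yield from page.get(result_key, [])
        token = page.get("NextToken")
        if not token:
            break


def noncompliant_rules(client):
    """Return {rule_name: (capped_count, cap_exceeded)} for NON_COMPLIANT rules."""
    out = {}
    for item in _paginate(client.describe_compliance_by_config_rule,
                          "ComplianceByConfigRules",
                          ComplianceTypes=["NON_COMPLIANT"]):
        comp = item["Compliance"]
        if comp["ComplianceType"] != "NON_COMPLIANT":  # defensive re-check of the filter
            continue
        count = comp.get("ComplianceContributorCount", {})
        out[item["ConfigRuleName"]] = (count.get("CappedCount", 0),
                                       count.get("CapExceeded", False))
    return out


def noncompliant_resources(client, rule_name):
    """Return [(resource_type, resource_id), ...] for resources failing rule_name."""
    found = []
    for res in _paginate(client.get_compliance_details_by_config_rule,
                         "EvaluationResults",
                         ConfigRuleName=rule_name,
                         ComplianceTypes=["NON_COMPLIANT"]):
        if res["ComplianceType"] != "NON_COMPLIANT":
            continue
        q = res["EvaluationResultIdentifier"]["EvaluationResultQualifier"]
        found.append((q["ResourceType"], q["ResourceId"]))
    return found


def compliance_report(client):
    """Map each NON_COMPLIANT rule to its failing resources.

    CappedCount is only a capped summary, so the report always walks the
    per-resource evaluation results instead of trusting the count.
    """
    report = {}
    for rule, (capped, exceeded) in noncompliant_rules(client).items():
        report[rule] = {"capped_count": capped,
                        "cap_exceeded": exceeded,
                        "resources": noncompliant_resources(client, rule)}
    return report


class FakeConfigClient:
    """Constructed stand-in for boto3.client("config").

    Response shapes mirror the CLI output on this page; rule names and
    resource IDs are invented. Details for instances-in-vpc span two pages
    to exercise NextToken handling.
    """

    def describe_compliance_by_config_rule(self, **kw):
        return {"ComplianceByConfigRules": [
            {"ConfigRuleName": "instances-in-vpc",
             "Compliance": {"ComplianceType": "NON_COMPLIANT",
                            "ComplianceContributorCount": {
                                "CappedCount": 2, "CapExceeded": False}}},
        ]}

    def get_compliance_details_by_config_rule(self, ConfigRuleName,
                                              NextToken=None, **kw):
        def result(resource_id):
            return {"EvaluationResultIdentifier": {
                        "OrderingTimestamp": 1443610576.349,
                        "EvaluationResultQualifier": {
                            "ResourceType": "AWS::EC2::Instance",
                            "ResourceId": resource_id,
                            "ConfigRuleName": ConfigRuleName}},
                    "ComplianceType": "NON_COMPLIANT"}
        if ConfigRuleName != "instances-in-vpc":
            return {"EvaluationResults": []}
        if NextToken is None:
            return {"EvaluationResults": [result("i-0a1b2c3d")],
                    "NextToken": "page2"}
        return {"EvaluationResults": [result("i-0e5f6a7b")]}


if __name__ == "__main__":
    for rule, info in compliance_report(FakeConfigClient()).items():
        flag = " (count capped, more exist)" if info["cap_exceeded"] else ""
        print(f"{rule}: {len(info['resources'])} noncompliant{flag}")
        for rtype, rid in info["resources"]:
            print(f"  {rtype} {rid}")
```

The ComplianceTypes filter is passed on both calls so the service returns only the NON_COMPLIANT entries; the explicit re-checks in the loops cost nothing and keep the report correct if a caller drops the filter. As the Important note at the top of this page says, the report is only as accurate as the recorder configuration: if AWS::Config::ResourceCompliance is not recorded, the compliance state these calls return can be stale.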