Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions,
see Getting Started with Amazon Web Services in China
(PDF).
Viewing Details and Compliance Information for your Amazon Config Rules
For accurate reporting on the compliance status, you must record the AWS::Config::ResourceCompliance
resource type.
For more information, see Recording Amazon Resources.
You can use the Amazon Config console or the Amazon SDKs to view your
rules.
Viewing Rules (Console)
The Rules page shows your rules and their current compliance
results in a table. The result for each rule is Evaluating...
until Amazon Config finishes evaluating your resources against the rule. You can update the
results with the refresh button. When Amazon Config finishes evaluations, you can see the
rules and resource types that are compliant or noncompliant. For more information,
see Viewing Compliance Information and Evaluation Results for your Amazon Resources.
Amazon Config evaluates only the resource types that it is recording. For example, if you add
the cloudtrail-enabled rule but don't record the CloudTrail trail
resource type, Amazon Config can't evaluate whether the trails in your account are compliant or
noncompliant. For more information, see Recording Amazon Resources.
To view your rules
Sign in to the Amazon Web Services Management Console and open the Amazon Config console at
https://console.amazonaws.cn/config/.
-
In the Amazon Web Services Management Console menu, verify that the region selector is set to a region that
supports Amazon Config rules. For the list of supported regions, see Amazon Config Regions and Endpoints
in the Amazon Web Services General Reference.
-
In the left navigation, choose Rules.
-
The Rules page shows
all the rule that are currently in your Amazon Web Services account. It lists the name,
associated remediation action, and compliance status of each rule.
-
Choose Add rule to get started with creating a
rule.
-
Choose a rule to see its settings, or choose a rule and View
details.
-
See the compliance status of the rule when it evaluates your
resources.
-
Choose a rule and Edit rule to change the
configuration settings of the rule and set a remediation action for a
noncompliant rule.
Viewing Rules
(Amazon SDKs)
The following code examples show how to use DescribeConfigRules
.
- CLI
-
- Amazon CLI
-
To get details for an Amazon Config rule
The following command returns details for an Amazon Config rule named InstanceTypesAreT2micro
:
aws configservice describe-config-rules --config-rule-names InstanceTypesAreT2micro
Output:
{
"ConfigRules": [
{
"ConfigRuleState": "ACTIVE",
"Description": "Evaluates whether EC2 instances are the t2.micro type.",
"ConfigRuleName": "InstanceTypesAreT2micro",
"ConfigRuleArn": "arn:aws:config:us-east-1:123456789012:config-rule/config-rule-abcdef",
"Source": {
"Owner": "CUSTOM_LAMBDA",
"SourceIdentifier": "arn:aws:lambda:us-east-1:123456789012:function:InstanceTypeCheck",
"SourceDetails": [
{
"EventSource": "aws.config",
"MessageType": "ConfigurationItemChangeNotification"
}
]
},
"InputParameters": "{\"desiredInstanceType\":\"t2.micro\"}",
"Scope": {
"ComplianceResourceTypes": [
"AWS::EC2::Instance"
]
},
"ConfigRuleId": "config-rule-abcdef"
}
]
}
- PowerShell
-
- Tools for PowerShell
-
Example 1: This sample lists config rules for the account, with selected properties.
Get-CFGConfigRule | Select-Object ConfigRuleName, ConfigRuleId, ConfigRuleArn, ConfigRuleState
Output:
ConfigRuleName ConfigRuleId ConfigRuleArn ConfigRuleState
-------------- ------------ ------------- ---------------
ALB_REDIRECTION_CHECK config-rule-12iyn3 arn:aws:config-service:eu-west-1:123456789012:config-rule/config-rule-12iyn3 ACTIVE
access-keys-rotated config-rule-aospfr arn:aws:config-service:eu-west-1:123456789012:config-rule/config-rule-aospfr ACTIVE
autoscaling-group-elb-healthcheck-required config-rule-cn1f2x arn:aws:config-service:eu-west-1:123456789012:config-rule/config-rule-cn1f2x ACTIVE
- Python
-
- SDK for Python (Boto3)
-
class ConfigWrapper:
"""
Encapsulates AWS Config functions.
"""
def __init__(self, config_client):
"""
:param config_client: A Boto3 AWS Config client.
"""
self.config_client = config_client
def describe_config_rule(self, rule_name):
"""
Gets data for the specified rule.
:param rule_name: The name of the rule to retrieve.
:return: The rule data.
"""
try:
response = self.config_client.describe_config_rules(
ConfigRuleNames=[rule_name]
)
rule = response["ConfigRules"]
logger.info("Got data for rule %s.", rule_name)
except ClientError:
logger.exception("Couldn't get data for rule %s.", rule_name)
raise
else:
return rule
The following code examples show how to use DescribeComplianceByConfigRule
.
- CLI
-
- Amazon CLI
-
To get compliance information for your Amazon Config rules
The following command returns compliance information for each Amazon Config rule that is violated by one or more Amazon resources:
aws configservice describe-compliance-by-config-rule --compliance-types NON_COMPLIANT
In the output, the value for each CappedCount
attribute indicates how many resources do not comply with the related rule. For example, the following output indicates that 3 resources do not comply with the rule named InstanceTypesAreT2micro
.
Output:
{
"ComplianceByConfigRules": [
{
"Compliance": {
"ComplianceContributorCount": {
"CappedCount": 3,
"CapExceeded": false
},
"ComplianceType": "NON_COMPLIANT"
},
"ConfigRuleName": "InstanceTypesAreT2micro"
},
{
"Compliance": {
"ComplianceContributorCount": {
"CappedCount": 10,
"CapExceeded": false
},
"ComplianceType": "NON_COMPLIANT"
},
"ConfigRuleName": "RequiredTagsForVolumes"
}
]
}
- PowerShell
-
- Tools for PowerShell
-
Example 1: This example retrieves compliances details for the rule ebs-optimized-instance, for which there is no current evaluation results for the rule, hence it returns INSUFFICIENT_DATA
(Get-CFGComplianceByConfigRule -ConfigRuleName ebs-optimized-instance).Compliance
Output:
ComplianceContributorCount ComplianceType
-------------------------- --------------
INSUFFICIENT_DATA
Example 2: This example returns the number of non-compliant resources for the rule ALB_HTTP_TO_HTTPS_REDIRECTION_CHECK.
(Get-CFGComplianceByConfigRule -ConfigRuleName ALB_HTTP_TO_HTTPS_REDIRECTION_CHECK -ComplianceType NON_COMPLIANT).Compliance.ComplianceContributorCount
Output:
CapExceeded CappedCount
----------- -----------
False 2
The following code examples show how to use GetComplianceSummaryByConfigRule
.
- CLI
-
- Amazon CLI
-
To get the compliance summary for your Amazon Config rules
The following command returns the number of rules that are compliant and the number that are noncompliant:
aws configservice get-compliance-summary-by-config-rule
In the output, the value for each CappedCount
attribute indicates how many rules are compliant or noncompliant.
Output:
{
"ComplianceSummary": {
"NonCompliantResourceCount": {
"CappedCount": 3,
"CapExceeded": false
},
"ComplianceSummaryTimestamp": 1452204131.493,
"CompliantResourceCount": {
"CappedCount": 2,
"CapExceeded": false
}
}
}
- PowerShell
-
- Tools for PowerShell
-
Example 1: This sample returns the number of Config rules that are non-compliant.
Get-CFGComplianceSummaryByConfigRule -Select ComplianceSummary.NonCompliantResourceCount
Output:
CapExceeded CappedCount
----------- -----------
False 9
The following code examples show how to use GetComplianceDetailsByConfigRule
.
- CLI
-
- Amazon CLI
-
To get the evaluation results for an Amazon Config rule
The following command returns the evaluation results for all of the resources that don't comply with an Amazon Config rule named InstanceTypesAreT2micro
:
aws configservice get-compliance-details-by-config-rule --config-rule-name InstanceTypesAreT2micro
--compliance-types NON_COMPLIANT
Output:
{
"EvaluationResults": [
{
"EvaluationResultIdentifier": {
"OrderingTimestamp": 1450314635.065,
"EvaluationResultQualifier": {
"ResourceType": "AWS::EC2::Instance",
"ResourceId": "i-1a2b3c4d",
"ConfigRuleName": "InstanceTypesAreT2micro"
}
},
"ResultRecordedTime": 1450314645.261,
"ConfigRuleInvokedTime": 1450314642.948,
"ComplianceType": "NON_COMPLIANT"
},
{
"EvaluationResultIdentifier": {
"OrderingTimestamp": 1450314635.065,
"EvaluationResultQualifier": {
"ResourceType": "AWS::EC2::Instance",
"ResourceId": "i-2a2b3c4d",
"ConfigRuleName": "InstanceTypesAreT2micro"
}
},
"ResultRecordedTime": 1450314645.18,
"ConfigRuleInvokedTime": 1450314642.902,
"ComplianceType": "NON_COMPLIANT"
},
{
"EvaluationResultIdentifier": {
"OrderingTimestamp": 1450314635.065,
"EvaluationResultQualifier": {
"ResourceType": "AWS::EC2::Instance",
"ResourceId": "i-3a2b3c4d",
"ConfigRuleName": "InstanceTypesAreT2micro"
}
},
"ResultRecordedTime": 1450314643.346,
"ConfigRuleInvokedTime": 1450314643.124,
"ComplianceType": "NON_COMPLIANT"
}
]
}
- PowerShell
-
- Tools for PowerShell
-
Example 1: This example obtains the evaluation results for the rule access-keys-rotated and returns the output grouped by compliance-type
Get-CFGComplianceDetailsByConfigRule -ConfigRuleName access-keys-rotated | Group-Object ComplianceType
Output:
Count Name Group
----- ---- -----
2 COMPLIANT {Amazon.ConfigService.Model.EvaluationResult, Amazon.ConfigService.Model.EvaluationResult}
5 NON_COMPLIANT {Amazon.ConfigService.Model.EvaluationResult, Amazon.ConfigService.Model.EvaluationResult, Amazon.ConfigService.Model.EvaluationRes...
Example 2: This example queries compliance details for the rule access-keys-rotated for COMPLIANT resources.
Get-CFGComplianceDetailsByConfigRule -ConfigRuleName access-keys-rotated -ComplianceType COMPLIANT | ForEach-Object {$_.EvaluationResultIdentifier.EvaluationResultQualifier}
Output:
ConfigRuleName ResourceId ResourceType
-------------- ---------- ------------
access-keys-rotated BCAB1CDJ2LITAPVEW3JAH AWS::IAM::User
access-keys-rotated BCAB1CDJ2LITL3EHREM4Q AWS::IAM::User