Viewing Compliance History Timeline for Resources - Amazon Config
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China.

Viewing Compliance History Timeline for Resources

Amazon Config supports storing compliance state changes of resources as evaluated by Amazon Config Rules. The resource compliance history is presented in the form of a timeline. The timeline captures changes as ConfigurationItems over a period of time for a specific resource. For information on the contents of ConfigurationItem, see ConfigurationItem in the Amazon Config API Reference.

You can opt in or out to record all resource types in Amazon Config. If you have opted to record all resource types, Amazon Config automatically begins recording the resource compliance history as evaluated by Amazon Config Rules. By default, Amazon Config records the configuration changes for all supported resources. You can also select only the specific resource compliance history resource type: AWS::Config::ResourceCompliance. For more information, see Selecting Which Resources Amazon Config Records.

Viewing Resource Timeline Using Resources

Access the resource timeline by selecting a specific resource from the Resource inventory page.

  1. Choose the Resources from the left navigation.

  2. On the Resource inventory page, you can filter by resource category, resource type, and compliance status. Choose Include deleted resources if appropriate.

    The table displays the resource identifier for the resource type and the resource compliance status for that resource. The resource identifier might be a resource ID or a resource name.

  3. Choose a resource from the resource identifier column.

  4. Choose the Resource Timeline button. You can filter by Configuration events, Compliance events, or CloudTrail Events.

    Note

    Alternatively, on the Resource inventory page, you can directly choose the resource name. To access the resource timeline from the resource details page, choose the Resource Timeline button.

Viewing Resource Timeline Using Rules

Access the resource timeline by selecting a specific rule from the Rule page.

  1. Select the Rules from the left navigation.

  2. On the Rule page, choose a rule evaluating your relevant resources. If no rules are displayed on the screen, add rules using the Add rule button.

  3. On the Rule details page, select the resources from the Resources evaluated table.

  4. Select the Resource Timeline button. The resource timeline is displayed.

Querying Compliance History

Query the resource compliance history using get-resource-config-history using the resource type AWS::Config::ResourceCompliance.

aws configservice get-resource-config-history --resource-type AWS::Config::ResourceCompliance --resource-id AWS::S3::Bucket/configrules-bucket

You should see output similar to the following:

{ "configurationItems": [ { "configurationItemCaptureTime": 1539799966.921, "relationships": [ { "resourceType": "AWS::S3::Bucket", "resourceId": "configrules-bucket", "relationshipName": "Is associated with " } ] "tags": {}, "resourceType": "AWS::Config::ResourceCompliance", "resourceId": "AWS::S3::Bucket/configrules-bucket", "ConfigurationStateId": "1539799966921", "relatedEvents": []; "awsRegion": "us-west-2", "version": "1.3", "configurationItemMD5Hash": "", "supplementaryConfiguration": {}, "configuaration": "{\"complianceType\":\"COMPLIANT\",\"targetResourceId\":\"configrules-bucket\",\"targetResourceType\":\"AWS::S3::Bucket\",\configRuleList"\":[{\"configRuleArn\":\"arn:aws:config:us-west-2:AccountID:config-rule/config-rule-w1gogw\",\"configRuleId\":\"config-rule-w1gogw\",\"configRuleName\":\"s3-bucket-logging-enabled\",\"complianceType\":\"COMPLIANT\"}]}", "configurationItemStatus": "ResourceDiscovered", "accountId": "AccountID" } ] }