Viewing Configuration and Compliance History - Amazon Config
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Viewing Configuration and Compliance History

Important

For accurate reporting on the compliance status, you must record the AWS::Config::ResourceCompliance resource type. For more information, see Recoding Amazon Resources.

You can view the configuration, relationships, and number of changes made to a resource in the Amazon Config console. You can view the configuration history for a resource using Amazon CLI.

Viewing Configuration Details (Console)

When you look up resources on the Resource inventory page, choose the resource name or ID in the resource identifier column to view the resource's details page. The details page provides information about the configuration, relationships, and number of changes made to that resource.

To access the resource timeline from the resource details page, choose the Resource Timeline button. The Resource timeline captures changes as ConfigurationItems over a period of time for a specific resource. You can filter by Configuration events, Compliance events, or CloudTrail Events.

Viewing Configuration Details (Amazon CLI)

The configuration items that Amazon Config records are delivered to the specified delivery channel on demand as a configuration snapshot and as a configuration stream. You can use the Amazon CLI to view history of configuration items for each resource.

Viewing Configuration History

Type the get-resource-config-history command and specify the resource type and the resource ID, for example:

$ aws configservice get-resource-config-history --resource-type AWS::EC2::SecurityGroup --resource-id sg-6fbb3807 { "configurationItems": [ { "configurationItemCaptureTime": 1414708529.9219999, "relationships": [ { "resourceType": "AWS::EC2::Instance", "resourceId": "i-7a3b232a", "relationshipName": "Is associated with Instance" }, { "resourceType": "AWS::EC2::Instance", "resourceId": "i-8b6eb2ab", "relationshipName": "Is associated with Instance" }, { "resourceType": "AWS::EC2::Instance", "resourceId": "i-c478efe5", "relationshipName": "Is associated with Instance" }, { "resourceType": "AWS::EC2::Instance", "resourceId": "i-e4cbe38d", "relationshipName": "Is associated with Instance" } ], "availabilityZone": "Not Applicable", "tags": {}, "resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-6fbb3807", "configurationStateId": "1", "relatedEvents": [], "arn": "arn:aws:ec2:us-east-2:012345678912:security-group/default", "version": "1.0", "configurationItemMD5Hash": "860aa81fc3869e186b2ee00bc638a01a", "configuration": "{\"ownerId\":\"605053316265\",\"groupName\":\"default\",\"groupId\":\"sg-6fbb3807\",\"description\":\"default group\",\"ipPermissions\":[{\"ipProtocol\":\"tcp\",\"fromPort\":80,\"toPort\":80,\"userIdGroupPairs\":[{\"userId\":\"amazon-elb\",\"groupName\":\"amazon-elb-sg\",\"groupId\":\"sg-843f59ed\"}],\"ipRanges\":[\"0.0.0.0/0\"]},{\"ipProtocol\":\"tcp\",\"fromPort\":0,\"toPort\":65535,\"userIdGroupPairs\":[{\"userId\":\"605053316265\",\"groupName\":\"default\",\"groupId\":\"sg-6fbb3807\"}],\"ipRanges\":[]},{\"ipProtocol\":\"udp\",\"fromPort\":0,\"toPort\":65535,\"userIdGroupPairs\":[{\"userId\":\"605053316265\",\"groupName\":\"default\",\"groupId\":\"sg-6fbb3807\"}],\"ipRanges\":[]},{\"ipProtocol\":\"icmp\",\"fromPort\":-1,\"toPort\":-1,\"userIdGroupPairs\":[{\"userId\":\"605053316265\",\"groupName\":\"default\",\"groupId\":\"sg-6fbb3807\"}],\"ipRanges\":[]},{\"ipProtocol\":\"tcp\",\"fromPort\":1433,\"toPort\":1433,\"userIdGroupPairs\":[],\"ipRanges\":[\"0.0.0.0/0\"]},{\"ipProtocol\":\"tcp\",\"fromPort\":3389,\"toPort\":3389,\"userIdGroupPairs\":[],\"ipRanges\":[\"207.171.160.0/19\"]}],\"ipPermissionsEgress\":[],\"vpcId\":null,\"tags\":[]}", "configurationItemStatus": "ResourceDiscovered", "accountId": "605053316265" } ], "nextToken": ..........

For detailed explanation of the response fields, see Components of a Configuration Item and Supported Resource Types.

Example Amazon EBS Configuration History from Amazon Config

Amazon Config generates a set of files that each represent a resource type and lists all configuration changes for the resources of that type that Amazon Config is recording. Amazon Config exports this resource-centric configuration history as an object in the Amazon S3 bucket that you specified when you enabled Amazon Config. The configuration history file for each resource type contains the changes that were detected for the resources of that type since the last history file was delivered. The history files are typically delivered every six hours.

The following is an example of the contents of the Amazon S3 object that describes the configuration history of all the Amazon Elastic Block Store volumes in the current region for your Amazon Web Services account. The volumes in this account include vol-ce676ccc and vol-cia007c. Volume vol-ce676ccc had two configuration changes since the previous history file was delivered while volume vol-cia007c had one change.

{ "fileVersion": "1.0", "requestId": "asudf8ow-4e34-4f32-afeb-0ace5bf3trye", "configurationItems": [ { "snapshotVersion": "1.0", "resourceId": "vol-ce676ccc", "arn": "arn:aws:us-west-2b:123456789012:volume/vol-ce676ccc", "accountId": "12345678910", "configurationItemCaptureTime": "2014-03-07T23:47:08.918Z", "configurationStateID": "3e660fdf-4e34-4f32-afeb-0ace5bf3d63a", "configurationItemStatus": "OK", "relatedEvents": [ "06c12a39-eb35-11de-ae07-adb69edbb1e4", "c376e30d-71a2-4694-89b7-a5a04ad92281" ], "availibilityZone": "us-west-2b", "resourceType": "AWS::EC2::Volume", "resourceCreationTime": "2014-02-27T21:43:53.885Z", "tags": {}, "relationships": [ { "resourceId": "i-344c463d", "resourceType": "AWS::EC2::Instance", "name": "Attached to Instance" } ], "configuration": { "volumeId": "vol-ce676ccc", "size": 1, "snapshotId": "", "availabilityZone": "us-west-2b", "state": "in-use", "createTime": "2014-02-27T21:43:53.0885+0000", "attachments": [ { "volumeId": "vol-ce676ccc", "instanceId": "i-344c463d", "device": "/dev/sdf", "state": "attached", "attachTime": "2014-03-07T23:46:28.0000+0000", "deleteOnTermination": false } ], "tags": [ { "tagName": "environment", "tagValue": "PROD" }, { "tagName": "name", "tagValue": "DataVolume1" } ], "volumeType": "standard" } }, { "configurationItemVersion": "1.0", "resourceId": "vol-ce676ccc", "arn": "arn:aws:us-west-2b:123456789012:volume/vol-ce676ccc", "accountId": "12345678910", "configurationItemCaptureTime": "2014-03-07T21:47:08.918Z", "configurationItemState": "3e660fdf-4e34-4f32-sseb-0ace5bf3d63a", "configurationItemStatus": "OK", "relatedEvents": [ "06c12a39-eb35-11de-ae07-ad229edbb1e4", "c376e30d-71a2-4694-89b7-a5a04w292281" ], "availibilityZone": "us-west-2b", "resourceType": "AWS::EC2::Volume", "resourceCreationTime": "2014-02-27T21:43:53.885Z", "tags": {}, "relationships": [ { "resourceId": "i-344c463d", "resourceType": "AWS::EC2::Instance", "name": "Attached to Instance" } ], "configuration": { "volumeId": "vol-ce676ccc", "size": 1, "snapshotId": "", "availabilityZone": "us-west-2b", "state": "in-use", "createTime": "2014-02-27T21:43:53.0885+0000", "attachments": [ { "volumeId": "vol-ce676ccc", "instanceId": "i-344c463d", "device": "/dev/sdf", "state": "attached", "attachTime": "2014-03-07T23:46:28.0000+0000", "deleteOnTermination": false } ], "tags": [ { "tagName": "environment", "tagValue": "PROD" }, { "tagName": "name", "tagValue": "DataVolume1" } ], "volumeType": "standard" } }, { "configurationItemVersion": "1.0", "resourceId": "vol-cia007c", "arn": "arn:aws:us-west-2b:123456789012:volume/vol-cia007c", "accountId": "12345678910", "configurationItemCaptureTime": "2014-03-07T20:47:08.918Z", "configurationItemState": "3e660fdf-4e34-4f88-sseb-0ace5bf3d63a", "configurationItemStatus": "OK", "relatedEvents": [ "06c12a39-eb35-11de-ae07-adjhk8edbb1e4", "c376e30d-71a2-4694-89b7-a5a67u292281" ], "availibilityZone": "us-west-2b", "resourceType": "AWS::EC2::Volume", "resourceCreationTime": "2014-02-27T20:43:53.885Z", "tags": {}, "relationships": [ { "resourceId": "i-344e563d", "resourceType": "AWS::EC2::Instance", "name": "Attached to Instance" } ], "configuration": { "volumeId": "vol-cia007c", "size": 1, "snapshotId": "", "availabilityZone": "us-west-2b", "state": "in-use", "createTime": "2014-02-27T20:43:53.0885+0000", "attachments": [ { "volumeId": "vol-cia007c", "instanceId": "i-344e563d", "device": "/dev/sdf", "state": "attached", "attachTime": "2014-03-07T23:46:28.0000+0000", "deleteOnTermination": false } ], "tags": [ { "tagName": "environment", "tagValue": "PROD" }, { "tagName": "name", "tagValue": "DataVolume2" } ], "volumeType": "standard" } } ] }

Viewing Compliance History Timeline for Resources

Amazon Config supports storing compliance state changes of resources as evaluated by Amazon Config Rules. The resource compliance history is presented in the form of a timeline. The timeline captures changes as ConfigurationItems over a period of time for a specific resource. For information on the contents of ConfigurationItem, see ConfigurationItem in the Amazon Config API Reference.

You can opt in or out to record all resource types in Amazon Config. If you have opted to record all resource types, Amazon Config automatically begins recording the resource compliance history as evaluated by Amazon Config Rules. By default, Amazon Config records the configuration changes for all supported resources. You can also select only the specific resource compliance history resource type: AWS::Config::ResourceCompliance. For more information, see Selecting Which Resources Amazon Config Records.

Viewing Resource Timeline Using Resources

Access the resource timeline by selecting a specific resource from the Resource inventory page.

  1. Choose the Resources from the left navigation.

  2. On the Resource inventory page, you can filter by resource category, resource type, and compliance status. Choose Include deleted resources if appropriate.

    The table displays the resource identifier for the resource type and the resource compliance status for that resource. The resource identifier might be a resource ID or a resource name.

  3. Choose a resource from the resource identifier column.

  4. Choose the Resource Timeline button. You can filter by Configuration events, Compliance events, or CloudTrail Events.

    Note

    Alternatively, on the Resource inventory page, you can directly choose the resource name. To access the resource timeline from the resource details page, choose the Resource Timeline button.

Viewing Resource Timeline Using Rules

Access the resource timeline by selecting a specific rule from the Rule page.

  1. Select the Rules from the left navigation.

  2. On the Rule page, choose a rule evaluating your relevant resources. If no rules are displayed on the screen, add rules using the Add rule button.

  3. On the Rule details page, select the resources from the Resources evaluated table.

  4. Select the Resource Timeline button. The resource timeline is displayed.

Querying Compliance History

Query the resource compliance history using get-resource-config-history using the resource type AWS::Config::ResourceCompliance.

aws configservice get-resource-config-history --resource-type AWS::Config::ResourceCompliance --resource-id AWS::S3::Bucket/configrules-bucket

You should see output similar to the following:

{ "configurationItems": [ { "configurationItemCaptureTime": 1539799966.921, "relationships": [ { "resourceType": "AWS::S3::Bucket", "resourceId": "configrules-bucket", "relationshipName": "Is associated with " } ] "tags": {}, "resourceType": "AWS::Config::ResourceCompliance", "resourceId": "AWS::S3::Bucket/configrules-bucket", "ConfigurationStateId": "1539799966921", "relatedEvents": []; "awsRegion": "us-west-2", "version": "1.3", "configurationItemMD5Hash": "", "supplementaryConfiguration": {}, "configuration": "{\"complianceType\":\"COMPLIANT\",\"targetResourceId\":\"configrules-bucket\",\"targetResourceType\":\"AWS::S3::Bucket\",\configRuleList"\":[{\"configRuleArn\":\"arn:aws:config:us-west-2:AccountID:config-rule/config-rule-w1gogw\",\"configRuleId\":\"config-rule-w1gogw\",\"configRuleName\":\"s3-bucket-logging-enabled\",\"complianceType\":\"COMPLIANT\"}]}", "configurationItemStatus": "ResourceDiscovered", "accountId": "AccountID" } ] }