AWS Config

2015/10/06 - AWS Config - 11 new, 3 updated API methods

GetComplianceDetailsByResource (new)

Returns the evaluation results for the specified AWS resource. The results indicate which AWS Config rules were used to evaluate the resource, when each rule was last used, and whether the resource complies with each rule.

Request Syntax

client.get_compliance_details_by_resource(
    ResourceType='string',
    ResourceId='string',
    ComplianceTypes=[
        'COMPLIANT'|'NON_COMPLIANT'|'NOT_APPLICABLE'|'INSUFFICIENT_DATA',
    ],
    NextToken='string'
)

Parameters

ResourceType (string) -- [REQUIRED]

  The type of the AWS resource for which you want compliance information.

ResourceId (string) -- [REQUIRED]

  The ID of the AWS resource for which you want compliance information.

ComplianceTypes (list) --

  Filters the results by compliance. The valid values are Compliant, NonCompliant, and NotApplicable.

  • (string) --

NextToken (string) --

  The nextToken string returned on a previous page that you use to get the next page of results in a paginated response.

Return type: dict

Response Syntax

{
    'EvaluationResults': [
        {
            'EvaluationResultIdentifier': {
                'EvaluationResultQualifier': {
                    'ConfigRuleName': 'string',
                    'ResourceType': 'string',
                    'ResourceId': 'string'
                },
                'OrderingTimestamp': datetime(2015, 1, 1)
            },
            'ComplianceType': 'COMPLIANT'|'NON_COMPLIANT'|'NOT_APPLICABLE'|'INSUFFICIENT_DATA',
            'ResultRecordedTime': datetime(2015, 1, 1),
            'ConfigRuleInvokedTime': datetime(2015, 1, 1),
            'Annotation': 'string',
            'ResultToken': 'string'
        },
    ],
    'NextToken': 'string'
}

Response Structure

  • (dict) --

    • EvaluationResults (list) --

      Indicates whether the specified AWS resource complies with each AWS Config rule that evaluates it.

      • (dict) --

        The details of an AWS Config evaluation. Provides the AWS resource that was evaluated, the compliance of the resource, related timestamps, and supplementary information.

        • EvaluationResultIdentifier (dict) --

          Uniquely identifies the evaluation result.

          • EvaluationResultQualifier (dict) --

            Identifies an AWS Config rule used to evaluate an AWS resource, and provides the type and ID of the evaluated resource.

            • ConfigRuleName (string) --

              The name of the AWS Config rule that was used in the evaluation.

            • ResourceType (string) --

              The type of AWS resource that was evaluated.

            • ResourceId (string) --

              The ID of the evaluated AWS resource.

          • OrderingTimestamp (datetime) --

            The time of the event that triggered the evaluation of your AWS resources. The time can indicate when AWS Config delivered a configuration item change notification, or it can indicate when AWS Config delivered the configuration snapshot, depending on which event triggered the evaluation.

        • ComplianceType (string) --

          Indicates whether the AWS resource complies with the AWS Config rule that evaluated it.

        • ResultRecordedTime (datetime) --

          The time when AWS Config recorded the evaluation result.

        • ConfigRuleInvokedTime (datetime) --

          The time when the AWS Config rule evaluated the AWS resource.

        • Annotation (string) --

          Supplementary information about how the evaluation determined the compliance.

        • ResultToken (string) --

          An encrypted token that associates an evaluation with an AWS Config rule. The token identifies the rule, the AWS resource being evaluated, and the event that triggered the evaluation.

    • NextToken (string) --

      The string that you use in a subsequent request to get the next page of results in a paginated response.

DescribeComplianceByResource (new)

Indicates whether the specified AWS resources are compliant. If a resource is noncompliant, this action returns the number of AWS Config rules that the resource does not comply with.

A resource is compliant if it complies with all the AWS Config rules that evaluate it. It is noncompliant if it does not comply with one or more of these rules.

If AWS Config has no current evaluation results for the resource, it returns InsufficientData. This result might indicate one of the following conditions about the rules that evaluate the resource:

  • AWS Config has never invoked an evaluation for the rule. To check whether it has, use the DescribeConfigRuleEvaluationStatus action to get the LastSuccessfulInvocationTime and LastFailedInvocationTime.

  • The rule's AWS Lambda function is failing to send evaluation results to AWS Config. Verify that the role that you assigned to your configuration recorder includes the config:PutEvaluations permission. If the rule is a customer managed rule, verify that the AWS Lambda execution role includes the config:PutEvaluations permission.

  • The rule's AWS Lambda function has returned NOT_APPLICABLE for all evaluation results. This can occur if the resources were deleted or removed from the rule's scope.

Request Syntax

client.describe_compliance_by_resource(
    ResourceType='string',
    ResourceId='string',
    ComplianceTypes=[
        'COMPLIANT'|'NON_COMPLIANT'|'NOT_APPLICABLE'|'INSUFFICIENT_DATA',
    ],
    Limit=123,
    NextToken='string'
)

Parameters

ResourceType (string) --

  The types of AWS resources for which you want compliance information; for example, AWS::EC2::Instance. For this action, you can specify that the resource type is an AWS account by specifying AWS::::Account.

ResourceId (string) --

  The ID of the AWS resource for which you want compliance information. You can specify only one resource ID. If you specify a resource ID, you must also specify a type for ResourceType.

ComplianceTypes (list) --

  Filters the results by compliance. The valid values are Compliant and NonCompliant.

  • (string) --

Limit (integer) --

  The maximum number of evaluation results returned on each page. The default is 10. You cannot specify a limit greater than 100. If you specify 0, AWS Config uses the default.

NextToken (string) --

  The nextToken string returned on a previous page that you use to get the next page of results in a paginated response.

Return type: dict

Response Syntax

{
    'ComplianceByResources': [
        {
            'ResourceType': 'string',
            'ResourceId': 'string',
            'Compliance': {
                'ComplianceType': 'COMPLIANT'|'NON_COMPLIANT'|'NOT_APPLICABLE'|'INSUFFICIENT_DATA',
                'ComplianceContributorCount': {
                    'CappedCount': 123,
                    'CapExceeded': True|False
                }
            }
        },
    ],
    'NextToken': 'string'
}

Response Structure

  • (dict) --

    • ComplianceByResources (list) --

      Indicates whether the specified AWS resource complies with all of the AWS Config rules that evaluate it.

      • (dict) --

        Indicates whether an AWS resource that is evaluated according to one or more AWS Config rules is compliant. A resource is compliant if it complies with all of the rules that evaluate it, and it is noncompliant if it does not comply with one or more of these rules.

        • ResourceType (string) --

          The type of the AWS resource that was evaluated.

        • ResourceId (string) --

          The ID of the AWS resource that was evaluated.

        • Compliance (dict) --

          Indicates whether the AWS resource complies with all of the AWS Config rules that evaluated it.

          • ComplianceType (string) --

            Indicates whether an AWS resource or AWS Config rule is compliant.

            A resource is compliant if it complies with all of the AWS Config rules that evaluate it, and it is noncompliant if it does not comply with one or more of these rules.

            A rule is compliant if all of the resources that the rule evaluates comply with it, and it is noncompliant if any of these resources do not comply.

          • ComplianceContributorCount (dict) --

            The number of AWS resources or AWS Config rules that cause a result of NON_COMPLIANT, up to a maximum of 25.

            • CappedCount (integer) --

              The number of AWS resources or AWS Config rules responsible for the current compliance of the item.

            • CapExceeded (boolean) --

              Indicates whether the maximum count is reached.

    • NextToken (string) --

      The string that you use in a subsequent request to get the next page of results in a paginated response.

DescribeConfigRuleEvaluationStatus (new)

Returns status information for each of your AWS managed Config rules. The status includes information such as the last time AWS Config invoked the rule, the last time AWS Config failed to invoke the rule, and the related error for the last failure.

Request Syntax

client.describe_config_rule_evaluation_status(
    ConfigRuleNames=[
        'string',
    ]
)

Parameters

ConfigRuleNames (list) --

  The names of the AWS managed Config rules for which you want status information. If you do not specify any names, AWS Config returns status information for all AWS managed Config rules that you use.

  • (string) --

Return type: dict

Response Syntax

{
    'ConfigRulesEvaluationStatus': [
        {
            'ConfigRuleName': 'string',
            'ConfigRuleArn': 'string',
            'ConfigRuleId': 'string',
            'LastSuccessfulInvocationTime': datetime(2015, 1, 1),
            'LastFailedInvocationTime': datetime(2015, 1, 1),
            'FirstActivatedTime': datetime(2015, 1, 1),
            'LastErrorCode': 'string',
            'LastErrorMessage': 'string'
        },
    ]
}

Response Structure

  • (dict) --

    • ConfigRulesEvaluationStatus (list) --

      Status information about your AWS managed Config rules.

      • (dict) --

        Status information for your AWS managed Config rules. The status includes information such as the last time the rule ran, the last time it failed, and the related error for the last failure.

        This action does not return status information about customer managed Config rules.

        • ConfigRuleName (string) --

          The name of the AWS Config rule.

        • ConfigRuleArn (string) --

          The Amazon Resource Name (ARN) of the AWS Config rule.

        • ConfigRuleId (string) --

          The ID of the AWS Config rule.

        • LastSuccessfulInvocationTime (datetime) --

          The time that AWS Config last successfully invoked the AWS Config rule to evaluate your AWS resources.

        • LastFailedInvocationTime (datetime) --

          The time that AWS Config last failed to invoke the AWS Config rule to evaluate your AWS resources.

        • FirstActivatedTime (datetime) --

          The time that you first activated the AWS Config rule.

        • LastErrorCode (string) --

          The error code that AWS Config returned when the rule last failed.

        • LastErrorMessage (string) --

          The error message that AWS Config returned when the rule last failed.

GetComplianceDetailsByConfigRule (new)

Returns the evaluation results for the specified AWS Config rule. The results indicate which AWS resources were evaluated by the rule, when each resource was last evaluated, and whether each resource complies with the rule.

Request Syntax

client.get_compliance_details_by_config_rule(
    ConfigRuleName='string',
    ComplianceTypes=[
        'COMPLIANT'|'NON_COMPLIANT'|'NOT_APPLICABLE'|'INSUFFICIENT_DATA',
    ],
    Limit=123,
    NextToken='string'
)

Parameters

ConfigRuleName (string) -- [REQUIRED]

  The name of the AWS Config rule for which you want compliance information.

ComplianceTypes (list) --

  Filters the results by compliance. The valid values are Compliant, NonCompliant, and NotApplicable.

  • (string) --

Limit (integer) --

  The maximum number of evaluation results returned on each page. The default is 10. You cannot specify a limit greater than 100. If you specify 0, AWS Config uses the default.

NextToken (string) --

  The nextToken string returned on a previous page that you use to get the next page of results in a paginated response.

Return type: dict

Response Syntax

{
    'EvaluationResults': [
        {
            'EvaluationResultIdentifier': {
                'EvaluationResultQualifier': {
                    'ConfigRuleName': 'string',
                    'ResourceType': 'string',
                    'ResourceId': 'string'
                },
                'OrderingTimestamp': datetime(2015, 1, 1)
            },
            'ComplianceType': 'COMPLIANT'|'NON_COMPLIANT'|'NOT_APPLICABLE'|'INSUFFICIENT_DATA',
            'ResultRecordedTime': datetime(2015, 1, 1),
            'ConfigRuleInvokedTime': datetime(2015, 1, 1),
            'Annotation': 'string',
            'ResultToken': 'string'
        },
    ],
    'NextToken': 'string'
}

Response Structure

  • (dict) --

    • EvaluationResults (list) --

      Indicates whether the AWS resource complies with the specified AWS Config rule.

      • (dict) --

        The details of an AWS Config evaluation. Provides the AWS resource that was evaluated, the compliance of the resource, related timestamps, and supplementary information.

        • EvaluationResultIdentifier (dict) --

          Uniquely identifies the evaluation result.

          • EvaluationResultQualifier (dict) --

            Identifies an AWS Config rule used to evaluate an AWS resource, and provides the type and ID of the evaluated resource.

            • ConfigRuleName (string) --

              The name of the AWS Config rule that was used in the evaluation.

            • ResourceType (string) --

              The type of AWS resource that was evaluated.

            • ResourceId (string) --

              The ID of the evaluated AWS resource.

          • OrderingTimestamp (datetime) --

            The time of the event that triggered the evaluation of your AWS resources. The time can indicate when AWS Config delivered a configuration item change notification, or it can indicate when AWS Config delivered the configuration snapshot, depending on which event triggered the evaluation.

        • ComplianceType (string) --

          Indicates whether the AWS resource complies with the AWS Config rule that evaluated it.

        • ResultRecordedTime (datetime) --

          The time when AWS Config recorded the evaluation result.

        • ConfigRuleInvokedTime (datetime) --

          The time when the AWS Config rule evaluated the AWS resource.

        • Annotation (string) --

          Supplementary information about how the evaluation determined the compliance.

        • ResultToken (string) --

          An encrypted token that associates an evaluation with an AWS Config rule. The token identifies the rule, the AWS resource being evaluated, and the event that triggered the evaluation.

    • NextToken (string) --

      The string that you use in a subsequent request to get the next page of results in a paginated response.

GetComplianceSummaryByConfigRule (new)

Returns the number of AWS Config rules that are compliant and noncompliant, up to a maximum of 25 for each.

Request Syntax

client.get_compliance_summary_by_config_rule()

Return type: dict

Response Syntax

{
    'ComplianceSummary': {
        'CompliantResourceCount': {
            'CappedCount': 123,
            'CapExceeded': True|False
        },
        'NonCompliantResourceCount': {
            'CappedCount': 123,
            'CapExceeded': True|False
        },
        'ComplianceSummaryTimestamp': datetime(2015, 1, 1)
    }
}

Response Structure

  • (dict) --

    • ComplianceSummary (dict) --

      The number of AWS Config rules that are compliant and the number that are noncompliant, up to a maximum of 25 for each.

      • CompliantResourceCount (dict) --

        The number of AWS Config rules or AWS resources that are compliant, up to a maximum of 25 for rules and 100 for resources.

        • CappedCount (integer) --

          The number of AWS resources or AWS Config rules responsible for the current compliance of the item.

        • CapExceeded (boolean) --

          Indicates whether the maximum count is reached.

      • NonCompliantResourceCount (dict) --

        The number of AWS Config rules or AWS resources that are noncompliant, up to a maximum of 25 for rules and 100 for resources.

        • CappedCount (integer) --

          The number of AWS resources or AWS Config rules responsible for the current compliance of the item.

        • CapExceeded (boolean) --

          Indicates whether the maximum count is reached.

      • ComplianceSummaryTimestamp (datetime) --

        The time that AWS Config created the compliance summary.

DeleteConfigRule (new)

Deletes the specified AWS Config rule and all of its evaluation results.

AWS Config sets the state of a rule to DELETING until the deletion is complete. You cannot update a rule while it is in this state. If you make a PutConfigRule request for the rule, you will receive a ResourceInUseException.

You can check the state of a rule by using the DescribeConfigRules request.

Request Syntax

client.delete_config_rule(
    ConfigRuleName='string'
)

Parameters

ConfigRuleName (string) -- [REQUIRED]

  The name of the AWS Config rule that you want to delete.

Returns: None

DescribeComplianceByConfigRule (new)

Indicates whether the specified AWS Config rules are compliant. If a rule is noncompliant, this action returns the number of AWS resources that do not comply with the rule.

A rule is compliant if all of the evaluated resources comply with it, and it is noncompliant if any of these resources do not comply.

If AWS Config has no current evaluation results for the rule, it returns InsufficientData. This result might indicate one of the following conditions:

  • AWS Config has never invoked an evaluation for the rule. To check whether it has, use the DescribeConfigRuleEvaluationStatus action to get the LastSuccessfulInvocationTime and LastFailedInvocationTime.

  • The rule's AWS Lambda function is failing to send evaluation results to AWS Config. Verify that the role that you assigned to your configuration recorder includes the config:PutEvaluations permission. If the rule is a customer managed rule, verify that the AWS Lambda execution role includes the config:PutEvaluations permission.

  • The rule's AWS Lambda function has returned NOT_APPLICABLE for all evaluation results. This can occur if the resources were deleted or removed from the rule's scope.
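The three InsufficientData conditions listed above (and the identical list under DescribeComplianceByResource) can be told apart from fields the responses on this page already carry. The following is an added example, not botocore or AWS code: it takes already-fetched describe_compliance_by_config_rule, describe_config_rule_evaluation_status and get_compliance_details_by_config_rule results (constructed samples below, no AWS calls) and labels each INSUFFICIENT_DATA rule with the condition to investigate.

```python
from datetime import datetime


def triage_insufficient_data(compliance_resp, status_resp, details_by_rule):
    """Map each INSUFFICIENT_DATA rule name to a diagnosis string.

    compliance_resp: a DescribeComplianceByConfigRule response.
    status_resp:     a DescribeConfigRuleEvaluationStatus response (covers
                     AWS managed rules only, as documented on this page).
    details_by_rule: {rule name: list of EvaluationResults} from
                     GetComplianceDetailsByConfigRule.
    """
    status = {s['ConfigRuleName']: s for s in status_resp['ConfigRulesEvaluationStatus']}
    diagnoses = {}
    for entry in compliance_resp['ComplianceByConfigRules']:
        name = entry['ConfigRuleName']
        if entry['Compliance']['ComplianceType'] != 'INSUFFICIENT_DATA':
            continue
        if name not in status:
            # No status record: customer managed rules are not returned here.
            diagnoses[name] = 'no-status'
            continue
        st = status[name]
        ok = st.get('LastSuccessfulInvocationTime')
        failed = st.get('LastFailedInvocationTime')
        if ok is None and failed is None:
            # Condition 1: AWS Config has never invoked the rule.
            diagnoses[name] = 'never-invoked'
        elif failed is not None and (ok is None or failed > ok):
            # Last invocation failed; LastErrorCode says why.
            diagnoses[name] = 'invocation-failing: ' + st.get('LastErrorCode', 'unknown')
        else:
            results = details_by_rule.get(name, [])
            if not results:
                # Condition 2: invoked, but no results reached AWS Config.
                # Check config:PutEvaluations on the recorder role / Lambda execution role.
                diagnoses[name] = 'no-results-delivered'
            elif all(r['ComplianceType'] == 'NOT_APPLICABLE' for r in results):
                # Condition 3: resources deleted or out of the rule's scope.
                diagnoses[name] = 'all-not-applicable'
            else:
                diagnoses[name] = 'results-present'
    return diagnoses


# Constructed sample responses shaped like the documented response syntax.
T0 = datetime(2015, 10, 6, 8, 0)
T1 = datetime(2015, 10, 6, 9, 0)
SAMPLE_COMPLIANCE = {'ComplianceByConfigRules': [
    {'ConfigRuleName': n, 'Compliance': {'ComplianceType': c,
     'ComplianceContributorCount': {'CappedCount': 0, 'CapExceeded': False}}}
    for n, c in [('never-ran', 'INSUFFICIENT_DATA'), ('no-results', 'INSUFFICIENT_DATA'),
                 ('all-na', 'INSUFFICIENT_DATA'), ('broken', 'INSUFFICIENT_DATA'),
                 ('custom-rule', 'INSUFFICIENT_DATA'), ('healthy', 'COMPLIANT')]]}
SAMPLE_STATUS = {'ConfigRulesEvaluationStatus': [
    {'ConfigRuleName': 'never-ran'},
    {'ConfigRuleName': 'no-results', 'LastSuccessfulInvocationTime': T1},
    {'ConfigRuleName': 'all-na', 'LastSuccessfulInvocationTime': T1},
    {'ConfigRuleName': 'broken', 'LastSuccessfulInvocationTime': T0,
     'LastFailedInvocationTime': T1, 'LastErrorCode': 'SampleErrorCode'},  # constructed code
    {'ConfigRuleName': 'healthy', 'LastSuccessfulInvocationTime': T1},
]}
SAMPLE_DETAILS = {
    'all-na': [{'ComplianceType': 'NOT_APPLICABLE'}, {'ComplianceType': 'NOT_APPLICABLE'}],
    'healthy': [{'ComplianceType': 'COMPLIANT'}],
}

if __name__ == '__main__':
    for rule, why in triage_insufficient_data(SAMPLE_COMPLIANCE, SAMPLE_STATUS, SAMPLE_DETAILS).items():
        print(rule, '->', why)
```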

Request Syntax

client.describe_compliance_by_config_rule(
    ConfigRuleNames=[
        'string',
    ],
    ComplianceTypes=[
        'COMPLIANT'|'NON_COMPLIANT'|'NOT_APPLICABLE'|'INSUFFICIENT_DATA',
    ],
    NextToken='string'
)

Parameters

ConfigRuleNames (list) --

  Specify one or more AWS Config rule names to filter the results by rule.

  • (string) --

ComplianceTypes (list) --

  Filters the results by compliance. The valid values are Compliant and NonCompliant.

  • (string) --

NextToken (string) --

  The nextToken string returned on a previous page that you use to get the next page of results in a paginated response.

Return type: dict

Response Syntax

{
    'ComplianceByConfigRules': [
        {
            'ConfigRuleName': 'string',
            'Compliance': {
                'ComplianceType': 'COMPLIANT'|'NON_COMPLIANT'|'NOT_APPLICABLE'|'INSUFFICIENT_DATA',
                'ComplianceContributorCount': {
                    'CappedCount': 123,
                    'CapExceeded': True|False
                }
            }
        },
    ],
    'NextToken': 'string'
}

Response Structure

  • (dict) --

    • ComplianceByConfigRules (list) --

      Indicates whether each of the specified AWS Config rules is compliant.

      • (dict) --

        Indicates whether an AWS Config rule is compliant. A rule is compliant if all of the resources that the rule evaluated comply with it, and it is noncompliant if any of these resources do not comply.

        • ConfigRuleName (string) --

          The name of the AWS Config rule.

        • Compliance (dict) --

          Indicates whether the AWS Config rule is compliant.

          • ComplianceType (string) --

            Indicates whether an AWS resource or AWS Config rule is compliant.

            A resource is compliant if it complies with all of the AWS Config rules that evaluate it, and it is noncompliant if it does not comply with one or more of these rules.

            A rule is compliant if all of the resources that the rule evaluates comply with it, and it is noncompliant if any of these resources do not comply.

          • ComplianceContributorCount (dict) --

            The number of AWS resources or AWS Config rules that cause a result of NON_COMPLIANT, up to a maximum of 25.

            • CappedCount (integer) --

              The number of AWS resources or AWS Config rules responsible for the current compliance of the item.

            • CapExceeded (boolean) --

              Indicates whether the maximum count is reached.

    • NextToken (string) --

      The string that you use in a subsequent request to get the next page of results in a paginated response.

DescribeConfigRules (new)

Returns details about your AWS Config rules.

Request Syntax

client.describe_config_rules(
    ConfigRuleNames=[
        'string',
    ],
    NextToken='string'
)

Parameters

ConfigRuleNames (list) --

  The names of the AWS Config rules for which you want details. If you do not specify any names, AWS Config returns details for all your rules.

  • (string) --

NextToken (string) --

  The nextToken string returned on a previous page that you use to get the next page of results in a paginated response.

Return type: dict

Response Syntax

{
    'ConfigRules': [
        {
            'ConfigRuleName': 'string',
            'ConfigRuleArn': 'string',
            'ConfigRuleId': 'string',
            'Description': 'string',
            'Scope': {
                'ComplianceResourceTypes': [
                    'string',
                ],
                'TagKey': 'string',
                'TagValue': 'string',
                'ComplianceResourceId': 'string'
            },
            'Source': {
                'Owner': 'CUSTOM_LAMBDA'|'AWS',
                'SourceIdentifier': 'string',
                'SourceDetails': [
                    {
                        'EventSource': 'aws.config',
                        'MessageType': 'ConfigurationItemChangeNotification'|'ConfigurationSnapshotDeliveryCompleted'
                    },
                ]
            },
            'InputParameters': 'string',
            'MaximumExecutionFrequency': 'One_Hour'|'Three_Hours'|'Six_Hours'|'Twelve_Hours'|'TwentyFour_Hours',
            'ConfigRuleState': 'ACTIVE'|'DELETING'
        },
    ],
    'NextToken': 'string'
}

Response Structure

  • (dict) --

    • ConfigRules (list) --

      The details about your AWS Config rules.

      • (dict) --

        An AWS Lambda function that evaluates configuration items to assess whether your AWS resources comply with your desired configurations. This function can run when AWS Config detects a configuration change or delivers a configuration snapshot. This function can evaluate any resource in the recording group. To define which of these are evaluated, specify a value for the Scope key.

        For more information about developing and using AWS Config rules, see Evaluating AWS Resource Configurations with AWS Config in the AWS Config Developer Guide.

        • ConfigRuleName (string) --

          The name that you assign to the AWS Config rule. The name is required if you are adding a new rule.

        • ConfigRuleArn (string) --

          The Amazon Resource Name (ARN) of the AWS Config rule.

        • ConfigRuleId (string) --

          The ID of the AWS Config rule.

        • Description (string) --

          The description that you provide for the AWS Config rule.

        • Scope (dict) --

          Defines which resources the AWS Config rule evaluates. The scope can include one or more resource types, a combination of a tag key and value, or a combination of one resource type and one or more resource IDs. Specify a scope to constrain the resources that are evaluated. If you do not specify a scope, the AWS Config Rule evaluates all resources in the recording group.

          • ComplianceResourceTypes (list) --

            The resource types of only those AWS resources that you want AWS Config to evaluate against the rule. You can specify only one type if you also specify resource IDs for ComplianceResourceId.

            • (string) --

          • TagKey (string) --

            The tag key that is applied to only those AWS resources that you want AWS Config to evaluate against the rule.

          • TagValue (string) --

            The tag value applied to only those AWS resources that you want AWS Config to evaluate against the rule. If you specify a value for TagValue, you must also specify a value for TagKey.

          • ComplianceResourceId (string) --

            The IDs of only those AWS resources that you want AWS Config to evaluate against the rule. If you specify a resource ID, you must specify one resource type for ComplianceResourceTypes.

        • Source (dict) --

          Provides the rule owner (AWS or customer), the rule identifier, and the events that cause the function to evaluate your AWS resources.

          • Owner (string) --

            Indicates whether AWS or the customer owns and manages the AWS Config rule.

          • SourceIdentifier (string) --

            For AWS managed Config rules, a pre-defined identifier from a list. To reference the list, see Using AWS Managed Config Rules.

            For customer managed Config rules, the identifier is the Amazon Resource Name (ARN) of the rule's AWS Lambda function.

          • SourceDetails (list) --

            Provides the source and type of the event that causes AWS Config to evaluate your AWS resources.

            • (dict) --

              Provides the source and type of the event that triggers AWS Config to evaluate your AWS resources against a rule.

              • EventSource (string) --

                The source of the event, such as an AWS service, that triggers AWS Config to evaluate your AWS resources.

              • MessageType (string) --

                The type of SNS message that triggers AWS Config to run an evaluation. For evaluations that are initiated when AWS Config delivers a configuration item change notification, you must use ConfigurationItemChangeNotification. For evaluations that are initiated when AWS Config delivers a configuration snapshot, you must use ConfigurationSnapshotDeliveryCompleted.

        • InputParameters (string) --

          A string in JSON format that is passed to the AWS Config rule Lambda function.

        • MaximumExecutionFrequency (string) --

          The maximum frequency at which the AWS Config rule runs evaluations.

          If your rule is periodic, meaning it runs an evaluation when AWS Config delivers a configuration snapshot, then it cannot run evaluations more frequently than AWS Config delivers the snapshots. For periodic rules, set the value of the MaximumExecutionFrequency key to be equal to or greater than the value of the deliveryFrequency key, which is part of ConfigSnapshotDeliveryProperties. To update the frequency with which AWS Config delivers your snapshots, use the PutDeliveryChannel action.

        • ConfigRuleState (string) --

          Indicates whether the AWS Config rule is active or currently being deleted by AWS Config.

          AWS Config sets the state of a rule to DELETING temporarily after you use the DeleteConfigRule request to delete the rule. After AWS Config finishes deleting a rule, the rule and all of its evaluations are erased and no longer available.

          You cannot add a rule to AWS Config that has the state set to DELETING. If you want to delete a rule, you must use the DeleteConfigRule request.

    • NextToken (string) --

      The string that you use in a subsequent request to get the next page of results in a paginated response.

PutConfigRule (new)

Adds or updates an AWS Config rule for evaluating whether your AWS resources comply with your desired configurations.

You can use this action for customer managed Config rules and AWS managed Config rules. A customer managed Config rule is a custom rule that you develop and maintain. An AWS managed Config rule is a customizable, predefined rule that is provided by AWS Config.

If you are adding a new customer managed Config rule, you must first create the AWS Lambda function that the rule invokes to evaluate your resources. When you use the PutConfigRule action to add the rule to AWS Config, you must specify the Amazon Resource Name (ARN) that AWS Lambda assigns to the function. Specify the ARN for the SourceIdentifier key. This key is part of the Source object, which is part of the ConfigRule object.

If you are adding a new AWS managed Config rule, specify the rule's identifier for the SourceIdentifier key. To reference AWS managed Config rule identifiers, see Using AWS Managed Config Rules.

For any new rule that you add, specify the ConfigRuleName in the ConfigRule object. Do not specify the ConfigRuleArn or the ConfigRuleId. These values are generated by AWS Config for new rules.

If you are updating a rule that you have added previously, specify the rule's ConfigRuleName, ConfigRuleId, or ConfigRuleArn in the ConfigRule data type that you use in this request.

The maximum number of rules that AWS Config supports is 25.

For more information about developing and using AWS Config rules, see Evaluating AWS Resource Configurations with AWS Config in the AWS Config Developer Guide.
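The constraints stated above for PutConfigRule, together with the Scope, Source and MaximumExecutionFrequency rules described under DescribeConfigRules, can be checked locally before any put_config_rule call is made. The following is an added example, not botocore or AWS code; it assumes that deliveryFrequency uses the same One_Hour to TwentyFour_Hours values as MaximumExecutionFrequency and that a Lambda function ARN contains ':lambda:', and the sample rules, ARN and account number are constructed placeholders.

```python
FREQ_HOURS = {'One_Hour': 1, 'Three_Hours': 3, 'Six_Hours': 6,
              'Twelve_Hours': 12, 'TwentyFour_Hours': 24}
MESSAGE_TYPES = {'ConfigurationItemChangeNotification',
                 'ConfigurationSnapshotDeliveryCompleted'}
MAX_RULES = 25  # documented maximum number of rules AWS Config supports


def validate_config_rule(rule, is_new, existing_rule_count=0, delivery_frequency=None):
    """Return a list of problem codes for rule; an empty list means it passes.

    is_new: adding a rule (name required, ARN/ID absent) versus updating one
    (name, ID or ARN identifies it). existing_rule_count feeds the 25-rule
    limit; delivery_frequency is the delivery channel's deliveryFrequency
    (assumed to use the same values as MaximumExecutionFrequency).
    """
    problems = []
    # Identification: you name new rules; ARN and ID are generated by AWS Config.
    if is_new:
        if not rule.get('ConfigRuleName'):
            problems.append('missing-ConfigRuleName')
        if rule.get('ConfigRuleArn') or rule.get('ConfigRuleId'):
            problems.append('arn-or-id-on-new-rule')
        if existing_rule_count >= MAX_RULES:
            problems.append('rule-limit-reached')
    elif not any(rule.get(k) for k in ('ConfigRuleName', 'ConfigRuleId', 'ConfigRuleArn')):
        problems.append('no-rule-identifier-for-update')
    if rule.get('ConfigRuleState') == 'DELETING':
        problems.append('state-DELETING')  # a rule in this state cannot be added

    # Source: owner, identifier and the events that trigger an evaluation.
    source = rule.get('Source') or {}
    owner = source.get('Owner')
    ident = source.get('SourceIdentifier') or ''
    if owner not in ('CUSTOM_LAMBDA', 'AWS'):
        problems.append('bad-Owner')
    if not ident:
        problems.append('missing-SourceIdentifier')
    elif owner == 'CUSTOM_LAMBDA' and not (ident.startswith('arn:') and ':lambda:' in ident):
        problems.append('custom-rule-needs-lambda-arn')  # ARN format is an assumption
    periodic = False
    for detail in source.get('SourceDetails') or []:
        if detail.get('EventSource') != 'aws.config':
            problems.append('bad-EventSource')
        message_type = detail.get('MessageType')
        if message_type not in MESSAGE_TYPES:
            problems.append('bad-MessageType')
        periodic = periodic or message_type == 'ConfigurationSnapshotDeliveryCompleted'

    # Scope: a tag value needs a tag key; resource IDs need exactly one resource type.
    scope = rule.get('Scope') or {}
    if scope.get('TagValue') and not scope.get('TagKey'):
        problems.append('TagValue-without-TagKey')
    if scope.get('ComplianceResourceId') and len(scope.get('ComplianceResourceTypes') or []) != 1:
        problems.append('ComplianceResourceId-needs-one-type')

    # Frequency: a valid value, and for periodic rules no faster than snapshot delivery.
    freq = rule.get('MaximumExecutionFrequency')
    if freq is not None and freq not in FREQ_HOURS:
        problems.append('bad-MaximumExecutionFrequency')
    elif (periodic and freq in FREQ_HOURS and delivery_frequency in FREQ_HOURS
          and FREQ_HOURS[freq] < FREQ_HOURS[delivery_frequency]):
        problems.append('frequency-below-deliveryFrequency')
    return problems


# Constructed sample rules; the Lambda ARN and account number are placeholders.
GOOD_RULE = {
    'ConfigRuleName': 'ec2-instance-owner-tag',
    'Description': 'Custom rule: every EC2 instance must carry an Owner tag',
    'Scope': {'ComplianceResourceTypes': ['AWS::EC2::Instance']},
    'Source': {'Owner': 'CUSTOM_LAMBDA',
               'SourceIdentifier': 'arn:aws:lambda:us-east-1:111111111111:function:check-owner-tag',
               'SourceDetails': [{'EventSource': 'aws.config',
                                  'MessageType': 'ConfigurationItemChangeNotification'}]},
    'InputParameters': '{"requiredTag": "Owner"}',
}
BAD_RULE = {
    'ConfigRuleName': 'periodic-owner-tag',
    'ConfigRuleId': 'config-rule-placeholder',  # must not be set on a new rule
    'Scope': {'TagValue': 'prod', 'ComplianceResourceId': 'i-placeholder',
              'ComplianceResourceTypes': []},
    'Source': {'Owner': 'CUSTOM_LAMBDA', 'SourceIdentifier': 'check-owner-tag',
               'SourceDetails': [{'EventSource': 'aws.config',
                                  'MessageType': 'ConfigurationSnapshotDeliveryCompleted'}]},
    'MaximumExecutionFrequency': 'One_Hour',  # faster than a Six_Hours delivery channel
}

if __name__ == '__main__':
    print(validate_config_rule(GOOD_RULE, is_new=True))
    print(validate_config_rule(BAD_RULE, is_new=True, delivery_frequency='Six_Hours'))
```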

Request Syntax

client.put_config_rule(
    ConfigRule={
        'ConfigRuleName': 'string',
        'ConfigRuleArn': 'string',
        'ConfigRuleId': 'string',
        'Description': 'string',
        'Scope': {
            'ComplianceResourceTypes': [
                'string',
            ],
            'TagKey': 'string',
            'TagValue': 'string',
            'ComplianceResourceId': 'string'
        },
        'Source': {
            'Owner': 'CUSTOM_LAMBDA'|'AWS',
            'SourceIdentifier': 'string',
            'SourceDetails': [
                {
                    'EventSource': 'aws.config',
                    'MessageType': 'ConfigurationItemChangeNotification'|'ConfigurationSnapshotDeliveryCompleted'
                },
            ]
        },
        'InputParameters': 'string',
        'MaximumExecutionFrequency': 'One_Hour'|'Three_Hours'|'Six_Hours'|'Twelve_Hours'|'TwentyFour_Hours',
        'ConfigRuleState': 'ACTIVE'|'DELETING'
    }
)

Parameters

ConfigRule (dict) -- [REQUIRED]

  An AWS Lambda function that evaluates configuration items to assess whether your AWS resources comply with your desired configurations. This function can run when AWS Config detects a configuration change or delivers a configuration snapshot. This function can evaluate any resource in the recording group. To define which of these are evaluated, specify a value for the Scope key.

  For more information about developing and using AWS Config rules, see Evaluating AWS Resource Configurations with AWS Config in the AWS Config Developer Guide.

  • ConfigRuleName (string) --

    The name that you assign to the AWS Config rule. The name is required if you are adding a new rule.

  • ConfigRuleArn (string) --

    The Amazon Resource Name (ARN) of the AWS Config rule.

  • ConfigRuleId (string) --

    The ID of the AWS Config rule.

  • Description (string) --

    The description that you provide for the AWS Config rule.

  • Scope (dict) --

    Defines which resources the AWS Config rule evaluates. The scope can include one or more resource types, a combination of a tag key and value, or a combination of one resource type and one or more resource IDs. Specify a scope to constrain the resources that are evaluated. If you do not specify a scope, the AWS Config Rule evaluates all resources in the recording group.

    • ComplianceResourceTypes (list) --

      The resource types of only those AWS resources that you want AWS Config to evaluate against the rule. You can specify only one type if you also specify resource IDs for ComplianceResourceId .

      • (string) --

    • TagKey (string) --

      The tag key that is applied to only those AWS resources that you want AWS Config to evaluate against the rule.

    • TagValue (string) --

      The tag value applied to only those AWS resources that you want AWS Config to evaluate against the rule. If you specify a value for TagValue , you must also specify a value for TagKey .

    • ComplianceResourceId (string) --

      The IDs of only those AWS resources that you want AWS Config to evaluate against the rule. If you specify a resource ID, you must specify one resource type for ComplianceResourceTypes .

  • Source (dict) -- [REQUIRED]

    Provides the rule owner (AWS or customer), the rule identifier, and the events that cause the function to evaluate your AWS resources.

    • Owner (string) --

      Indicates whether AWS or the customer owns and manages the AWS Config rule.

    • SourceIdentifier (string) --

      For AWS managed Config rules, a pre-defined identifier from a list. To reference the list, see Using AWS Managed Config Rules.

      For customer managed Config rules, the identifier is the Amazon Resource Name (ARN) of the rule's AWS Lambda function.

    • SourceDetails (list) --

      Provides the source and type of the event that causes AWS Config to evaluate your AWS resources.

      • (dict) --

        Provides the source and type of the event that triggers AWS Config to evaluate your AWS resources against a rule.

        • EventSource (string) --

          The source of the event, such as an AWS service, that triggers AWS Config to evaluate your AWS resources.

        • MessageType (string) --

          The type of SNS message that triggers AWS Config to run an evaluation. For evaluations that are initiated when AWS Config delivers a configuration item change notification, you must use ConfigurationItemChangeNotification . For evaluations that are initiated when AWS Config delivers a configuration snapshot, you must use ConfigurationSnapshotDeliveryCompleted .

  • InputParameters (string) --

    A string in JSON format that is passed to the AWS Config rule Lambda function.

  • MaximumExecutionFrequency (string) --

    The maximum frequency at which the AWS Config rule runs evaluations.

    If your rule is periodic, meaning it runs an evaluation when AWS Config delivers a configuration snapshot, then it cannot run evaluations more frequently than AWS Config delivers the snapshots. For periodic rules, set the value of the MaximumExecutionFrequency key to be equal to or greater than the value of the deliveryFrequency key, which is part of ConfigSnapshotDeliveryProperties . To update the frequency with which AWS Config delivers your snapshots, use the PutDeliveryChannel action.

  • ConfigRuleState (string) --

    Indicates whether the AWS Config rule is active or currently being deleted by AWS Config.

    AWS Config sets the state of a rule to DELETING temporarily after you use the DeleteConfigRule request to delete the rule. After AWS Config finishes deleting a rule, the rule and all of its evaluations are erased and no longer available.

    You cannot add a rule to AWS Config that has the state set to DELETING . If you want to delete a rule, you must use the DeleteConfigRule request.
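As an added example (not code from this reference or from AWS), the following Python builds the ConfigRule body for put_config_rule and checks, before the request is sent, the constraints this section states: a new rule carries a ConfigRuleName but no ConfigRuleArn or ConfigRuleId, ComplianceResourceId needs exactly one ComplianceResourceTypes entry, TagValue needs TagKey, ConfigRuleState DELETING cannot be set, InputParameters is a JSON string, the account limit is 25 rules, and a periodic rule's MaximumExecutionFrequency can be no more frequent than the delivery channel's deliveryFrequency. The rule name, Lambda ARN and parameters used are constructed placeholders.

```python
import json

# Values of MaximumExecutionFrequency / deliveryFrequency, most to least frequent.
FREQUENCIES = ["One_Hour", "Three_Hours", "Six_Hours", "Twelve_Hours", "TwentyFour_Hours"]
MAX_RULES = 25  # the per-account limit stated in this section


def make_custom_rule(name, lambda_arn, resource_types=(), resource_id=None,
                     tag_key=None, tag_value=None, periodic=False,
                     max_frequency=None, input_parameters=None):
    """Build the ConfigRule dict for a customer-managed (CUSTOM_LAMBDA) rule.
    ConfigRuleArn and ConfigRuleId are left out: AWS Config generates them."""
    scope = {}
    if resource_types:
        scope["ComplianceResourceTypes"] = list(resource_types)
    if resource_id:
        scope["ComplianceResourceId"] = resource_id
    if tag_key:
        scope["TagKey"] = tag_key
    if tag_value:
        scope["TagValue"] = tag_value
    # Periodic rules run on snapshot delivery; change-triggered rules on CI changes.
    message_type = ("ConfigurationSnapshotDeliveryCompleted" if periodic
                    else "ConfigurationItemChangeNotification")
    rule = {
        "ConfigRuleName": name,
        "Source": {
            "Owner": "CUSTOM_LAMBDA",
            "SourceIdentifier": lambda_arn,  # for customer rules: the Lambda function ARN
            "SourceDetails": [{"EventSource": "aws.config", "MessageType": message_type}],
        },
    }
    if scope:
        rule["Scope"] = scope
    if max_frequency:
        rule["MaximumExecutionFrequency"] = max_frequency
    if input_parameters is not None:
        rule["InputParameters"] = json.dumps(input_parameters)  # a JSON string, not a dict
    return rule


def validate_rule(rule, new=True, existing_rule_count=0, snapshot_delivery_frequency=None):
    """Return the constraint violations found in a ConfigRule body (empty list = none).
    snapshot_delivery_frequency is the delivery channel's deliveryFrequency, if known."""
    problems = []
    if new:
        if not rule.get("ConfigRuleName"):
            problems.append("new rule: ConfigRuleName is required")
        for generated in ("ConfigRuleArn", "ConfigRuleId"):
            if generated in rule:
                problems.append(f"new rule: {generated} must not be set; AWS Config generates it")
        if existing_rule_count >= MAX_RULES:
            problems.append(f"new rule: the account already has {MAX_RULES} rules")
    elif not any(k in rule for k in ("ConfigRuleName", "ConfigRuleId", "ConfigRuleArn")):
        problems.append("update: ConfigRuleName, ConfigRuleId or ConfigRuleArn is required")
    if rule.get("ConfigRuleState") == "DELETING":
        problems.append("ConfigRuleState DELETING cannot be set; use DeleteConfigRule")

    scope = rule.get("Scope", {})
    if "ComplianceResourceId" in scope and len(scope.get("ComplianceResourceTypes", [])) != 1:
        problems.append("Scope: ComplianceResourceId requires exactly one ComplianceResourceTypes entry")
    if "TagValue" in scope and "TagKey" not in scope:
        problems.append("Scope: TagValue requires TagKey")

    source = rule.get("Source")
    if not source:
        problems.append("Source is required")
    else:
        if source.get("Owner") not in ("AWS", "CUSTOM_LAMBDA"):
            problems.append("Source.Owner must be AWS or CUSTOM_LAMBDA")
        if not source.get("SourceIdentifier"):
            problems.append("Source.SourceIdentifier (managed rule identifier or Lambda ARN) is missing")
        periodic = any(d.get("MessageType") == "ConfigurationSnapshotDeliveryCompleted"
                       for d in source.get("SourceDetails", []))
        freq = rule.get("MaximumExecutionFrequency")
        if freq is not None and freq not in FREQUENCIES:
            problems.append(f"unknown MaximumExecutionFrequency {freq!r}")
        elif periodic and freq and snapshot_delivery_frequency in FREQUENCIES:
            # A periodic rule cannot run more often than snapshots are delivered.
            if FREQUENCIES.index(freq) < FREQUENCIES.index(snapshot_delivery_frequency):
                problems.append("periodic rule: MaximumExecutionFrequency must be equal to or "
                                "less frequent than the delivery channel's deliveryFrequency")

    if "InputParameters" in rule:
        try:
            json.loads(rule["InputParameters"])
        except (TypeError, ValueError):
            problems.append("InputParameters must be a JSON-formatted string")
    return problems
```

When validate_rule returns an empty list the dict is passed unchanged as client.put_config_rule(ConfigRule=rule). The periodic-frequency check is the one worth keeping in a deployment pipeline: a rule whose MaximumExecutionFrequency is more frequent than the snapshot cadence is accepted in the sense that it will simply evaluate less often than its author expects.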

returns

None

PutEvaluations (new) Link ¶

Used by an AWS Lambda function to deliver evaluation results to AWS Config. This action is required in every AWS Lambda function that is invoked by an AWS Config rule.

Request Syntax

client.put_evaluations(
    Evaluations=[
        {
            'ComplianceResourceType': 'string',
            'ComplianceResourceId': 'string',
            'ComplianceType': 'COMPLIANT'|'NON_COMPLIANT'|'NOT_APPLICABLE'|'INSUFFICIENT_DATA',
            'Annotation': 'string',
            'OrderingTimestamp': datetime(2015, 1, 1)
        },
    ],
    ResultToken='string'
)
type Evaluations

list

param Evaluations

The assessments that the AWS Lambda function performs. Each evaluation identifies an AWS resource and indicates whether it complies with the AWS Config rule that invokes the AWS Lambda function.

  • (dict) --

    Identifies an AWS resource and indicates whether it complies with the AWS Config rule that it was evaluated against.

    • ComplianceResourceType (string) -- [REQUIRED]

      The type of AWS resource that was evaluated.

    • ComplianceResourceId (string) -- [REQUIRED]

      The ID of the AWS resource that was evaluated.

    • ComplianceType (string) -- [REQUIRED]

      Indicates whether the AWS resource complies with the AWS Config rule that it was evaluated against.

    • Annotation (string) --

      Supplementary information about how the evaluation determined the compliance.

    • OrderingTimestamp (datetime) -- [REQUIRED]

      The time of the event in AWS Config that triggered the evaluation. For event-based evaluations, the time indicates when AWS Config created the configuration item that triggered the evaluation. For periodic evaluations, the time indicates when AWS Config delivered the configuration snapshot that triggered the evaluation.

type ResultToken

string

param ResultToken

[REQUIRED]

An encrypted token that associates an evaluation with an AWS Config rule. It identifies the rule and the event that triggered the evaluation.

rtype

dict

returns

Response Syntax

{
    'FailedEvaluations': [
        {
            'ComplianceResourceType': 'string',
            'ComplianceResourceId': 'string',
            'ComplianceType': 'COMPLIANT'|'NON_COMPLIANT'|'NOT_APPLICABLE'|'INSUFFICIENT_DATA',
            'Annotation': 'string',
            'OrderingTimestamp': datetime(2015, 1, 1)
        },
    ]
}

Response Structure

  • (dict) --

    • FailedEvaluations (list) --

      Requests that failed because of a client or server error.

      • (dict) --

        Identifies an AWS resource and indicates whether it complies with the AWS Config rule that it was evaluated against.

        • ComplianceResourceType (string) --

          The type of AWS resource that was evaluated.

        • ComplianceResourceId (string) --

          The ID of the AWS resource that was evaluated.

        • ComplianceType (string) --

          Indicates whether the AWS resource complies with the AWS Config rule that it was evaluated against.

        • Annotation (string) --

          Supplementary information about how the evaluation determined the compliance.

        • OrderingTimestamp (datetime) --

          The time of the event in AWS Config that triggered the evaluation. For event-based evaluations, the time indicates when AWS Config created the configuration item that triggered the evaluation. For periodic evaluations, the time indicates when AWS Config delivered the configuration snapshot that triggered the evaluation.
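As an added example (not code from this reference or from AWS), here is a change-triggered custom rule Lambda function in Python that evaluates one configuration item, builds the Evaluations list described above, delivers it with put_evaluations using the ResultToken from the invocation, and treats a non-empty FailedEvaluations list as an error. The shape of the invocation event (invokingEvent, ruleParameters, resultToken) and of the security group's configuration (ipPermissions with fromPort, toPort and ipRanges) are assumptions, as is the configurationItemStatus value for deleted resources; the sample event is constructed, and FakeConfigClient stands in for boto3.client("config") so the handler runs offline.

```python
import json


def evaluate_security_group(configuration_item, rule_parameters):
    """Constructed check: NON_COMPLIANT if any ingress entry covering the port in
    rule_parameters["port"] admits 0.0.0.0/0. Returns (compliant, reason).
    The ipPermissions layout under configuration_item["configuration"] is assumed."""
    port = int(rule_parameters.get("port", 22))
    for perm in configuration_item.get("configuration", {}).get("ipPermissions", []):
        lo, hi = perm.get("fromPort"), perm.get("toPort")
        covers_port = lo is None or lo <= port <= (hi if hi is not None else lo)
        world = any((r.get("cidrIp") if isinstance(r, dict) else r) == "0.0.0.0/0"
                    for r in perm.get("ipRanges", []))
        if covers_port and world:
            return False, f"port {port} is reachable from 0.0.0.0/0"
    return True, f"port {port} is not reachable from 0.0.0.0/0"


def build_evaluation(configuration_item, compliance_type, annotation):
    """One Evaluation entry. For a change-triggered rule OrderingTimestamp is the
    time AWS Config captured the configuration item."""
    return {
        "ComplianceResourceType": configuration_item["resourceType"],
        "ComplianceResourceId": configuration_item["resourceId"],
        "ComplianceType": compliance_type,
        "Annotation": annotation,
        "OrderingTimestamp": configuration_item["configurationItemCaptureTime"],
    }


class FakeConfigClient:
    """Stand-in for boto3.client("config"): records calls and, when fail_all is
    set, echoes every evaluation back in FailedEvaluations."""
    def __init__(self, fail_all=False):
        self.fail_all = fail_all
        self.calls = []

    def put_evaluations(self, **kwargs):
        self.calls.append(kwargs)
        return {"FailedEvaluations": list(kwargs["Evaluations"]) if self.fail_all else []}


def lambda_handler(event, context, config_client=None):
    """Entry point for a change-triggered custom rule. The event fields used here
    (invokingEvent, ruleParameters, resultToken) are assumed from how AWS Config
    invokes custom rule functions; this reference documents only put_evaluations."""
    if config_client is None:
        import boto3  # only needed when running inside Lambda
        config_client = boto3.client("config")
    invoking = json.loads(event["invokingEvent"])
    params = json.loads(event.get("ruleParameters") or "{}")
    if invoking.get("messageType") != "ConfigurationItemChangeNotification":
        raise ValueError(f"unsupported messageType {invoking.get('messageType')!r}")
    ci = invoking["configurationItem"]
    if (ci["resourceType"] != "AWS::EC2::SecurityGroup"
            or ci.get("configurationItemStatus") == "ResourceDeleted"):  # status value assumed
        evaluation = build_evaluation(ci, "NOT_APPLICABLE", "not a live security group")
    else:
        compliant, reason = evaluate_security_group(ci, params)
        evaluation = build_evaluation(ci, "COMPLIANT" if compliant else "NON_COMPLIANT", reason)
    # ResultToken ties this result to the rule and the event that triggered it.
    response = config_client.put_evaluations(Evaluations=[evaluation],
                                             ResultToken=event["resultToken"])
    failed = response.get("FailedEvaluations", [])
    if failed:
        # Raising makes the problem visible as an invocation error; a silently
        # dropped result would leave the resource's compliance state unreported.
        raise RuntimeError(f"AWS Config rejected {len(failed)} evaluation(s): {failed}")
    return evaluation


# Constructed invocation event: a security group that opens TCP/22 to the world.
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({
        "messageType": "ConfigurationItemChangeNotification",
        "configurationItem": {
            "resourceType": "AWS::EC2::SecurityGroup",
            "resourceId": "sg-0123456789abcdef0",
            "configurationItemStatus": "OK",
            "configurationItemCaptureTime": "2015-10-06T12:00:00.000Z",
            "configuration": {"ipPermissions": [
                {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                 "ipRanges": [{"cidrIp": "0.0.0.0/0"}]},
            ]},
        },
    }),
    "ruleParameters": json.dumps({"port": "22"}),
    "resultToken": "constructed-result-token",
}
```

Running lambda_handler(SAMPLE_EVENT, None, FakeConfigClient()) returns a NON_COMPLIANT evaluation for the sample group. The NOT_APPLICABLE branch matters in practice: a rule that stays silent on resources outside its remit, or on deleted ones, leaves stale compliance results behind, whereas an explicit NOT_APPLICABLE evaluation clears them.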

GetComplianceSummaryByResourceType (new) Link ¶

Returns the number of resources that are compliant and the number that are noncompliant. You can specify one or more resource types to get these numbers for each resource type. The maximum number returned is 100.

Request Syntax

client.get_compliance_summary_by_resource_type(
    ResourceTypes=[
        'string',
    ]
)
type ResourceTypes

list

param ResourceTypes

Specify one or more resource types to get the number of resources that are compliant and the number that are noncompliant for each resource type.

For this request, you can specify an AWS resource type such as AWS::EC2::Instance , and you can specify that the resource type is an AWS account by specifying AWS::::Account .

  • (string) --

rtype

dict

returns

Response Syntax

{
    'ComplianceSummariesByResourceType': [
        {
            'ResourceType': 'string',
            'ComplianceSummary': {
                'CompliantResourceCount': {
                    'CappedCount': 123,
                    'CapExceeded': True|False
                },
                'NonCompliantResourceCount': {
                    'CappedCount': 123,
                    'CapExceeded': True|False
                },
                'ComplianceSummaryTimestamp': datetime(2015, 1, 1)
            }
        },
    ]
}

Response Structure

  • (dict) --

    • ComplianceSummariesByResourceType (list) --

      The number of resources that are compliant and the number that are noncompliant. If one or more resource types were provided with the request, the numbers are returned for each resource type. The maximum number returned is 100.

      • (dict) --

        The number of AWS resources of a specific type that are compliant or noncompliant, up to a maximum of 100 for each compliance.

        • ResourceType (string) --

          The type of AWS resource.

        • ComplianceSummary (dict) --

          The number of AWS resources that are compliant or noncompliant, up to a maximum of 100 for each compliance.

          • CompliantResourceCount (dict) --

            The number of AWS Config rules or AWS resources that are compliant, up to a maximum of 25 for rules and 100 for resources.

            • CappedCount (integer) --

              The number of AWS resources or AWS Config rules responsible for the current compliance of the item.

            • CapExceeded (boolean) --

              Indicates whether the maximum count is reached.

          • NonCompliantResourceCount (dict) --

            The number of AWS Config rules or AWS resources that are noncompliant, up to a maximum of 25 for rules and 100 for resources.

            • CappedCount (integer) --

              The number of AWS resources or AWS Config rules responsible for the current compliance of the item.

            • CapExceeded (boolean) --

              Indicates whether the maximum count is reached.

          • ComplianceSummaryTimestamp (datetime) --

            The time that AWS Config created the compliance summary.

DescribeDeliveryChannelStatus (updated) Link ¶
Changes (response)
{'DeliveryChannelsStatus': {'configHistoryDeliveryInfo': {'nextDeliveryTime': 'timestamp'},
                            'configSnapshotDeliveryInfo': {'nextDeliveryTime': 'timestamp'}}}

Returns the current status of the specified delivery channel. If a delivery channel is not specified, this action returns the current status of all delivery channels associated with the account.

Note

Currently, you can specify only one delivery channel per account.

Request Syntax

client.describe_delivery_channel_status(
    DeliveryChannelNames=[
        'string',
    ]
)
type DeliveryChannelNames

list

param DeliveryChannelNames

A list of delivery channel names.

  • (string) --

rtype

dict

returns

Response Syntax

{
    'DeliveryChannelsStatus': [
        {
            'name': 'string',
            'configSnapshotDeliveryInfo': {
                'lastStatus': 'Success'|'Failure'|'Not_Applicable',
                'lastErrorCode': 'string',
                'lastErrorMessage': 'string',
                'lastAttemptTime': datetime(2015, 1, 1),
                'lastSuccessfulTime': datetime(2015, 1, 1),
                'nextDeliveryTime': datetime(2015, 1, 1)
            },
            'configHistoryDeliveryInfo': {
                'lastStatus': 'Success'|'Failure'|'Not_Applicable',
                'lastErrorCode': 'string',
                'lastErrorMessage': 'string',
                'lastAttemptTime': datetime(2015, 1, 1),
                'lastSuccessfulTime': datetime(2015, 1, 1),
                'nextDeliveryTime': datetime(2015, 1, 1)
            },
            'configStreamDeliveryInfo': {
                'lastStatus': 'Success'|'Failure'|'Not_Applicable',
                'lastErrorCode': 'string',
                'lastErrorMessage': 'string',
                'lastStatusChangeTime': datetime(2015, 1, 1)
            }
        },
    ]
}

Response Structure

  • (dict) --

    The output for the DescribeDeliveryChannelStatus action.

    • DeliveryChannelsStatus (list) --

      A list that contains the status of a specified delivery channel.

      • (dict) --

        The status of a specified delivery channel.

        Valid values: Success | Failure

        • name (string) --

          The name of the delivery channel.

        • configSnapshotDeliveryInfo (dict) --

          A list containing the status of the delivery of the snapshot to the specified Amazon S3 bucket.

          • lastStatus (string) --

            Status of the last attempted delivery.

          • lastErrorCode (string) --

            The error code from the last attempted delivery.

          • lastErrorMessage (string) --

            The error message from the last attempted delivery.

          • lastAttemptTime (datetime) --

            The time of the last attempted delivery.

          • lastSuccessfulTime (datetime) --

            The time of the last successful delivery.

          • nextDeliveryTime (datetime) --

            The time that the next delivery occurs.

        • configHistoryDeliveryInfo (dict) --

          A list that contains the status of the delivery of the configuration history to the specified Amazon S3 bucket.

          • lastStatus (string) --

            Status of the last attempted delivery.

          • lastErrorCode (string) --

            The error code from the last attempted delivery.

          • lastErrorMessage (string) --

            The error message from the last attempted delivery.

          • lastAttemptTime (datetime) --

            The time of the last attempted delivery.

          • lastSuccessfulTime (datetime) --

            The time of the last successful delivery.

          • nextDeliveryTime (datetime) --

            The time that the next delivery occurs.

        • configStreamDeliveryInfo (dict) --

          A list containing the status of the delivery of the configuration stream notification to the specified Amazon SNS topic.

          • lastStatus (string) --

            Status of the last attempted delivery.

            Note: Providing an SNS topic on a DeliveryChannel for AWS Config is optional. If the SNS delivery is turned off, the last status will be Not_Applicable .

          • lastErrorCode (string) --

            The error code from the last attempted delivery.

          • lastErrorMessage (string) --

            The error message from the last attempted delivery.

          • lastStatusChangeTime (datetime) --

            The time of the last status change.
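A delivery channel that stops delivering is a monitoring gap: snapshots and history no longer reach the S3 bucket, and the account's configuration record goes quiet without any rule turning NON_COMPLIANT. As an added example (not code from this reference or from AWS), the following Python walks a describe_delivery_channel_status response and reports failed, stale or overdue S3 deliveries and a channel with no SNS topic. The staleness and overdue thresholds are chosen for this example, and the sample responses are constructed.

```python
from datetime import datetime, timedelta, timezone

# Thresholds chosen for this example; AWS does not define them.
STALE_AFTER = timedelta(hours=24)   # no successful S3 delivery for this long
OVERDUE_GRACE = timedelta(hours=1)  # nextDeliveryTime passed by more than this


def _flag(findings, channel, component, issue, detail):
    findings.append({"channel": channel, "component": component, "issue": issue, "detail": detail})


def check_delivery_status(response, now):
    """Return one finding dict per problem in a describe_delivery_channel_status
    response. `now` must be timezone-aware, like the datetimes boto3 returns.
    An empty list means every channel is delivering as expected."""
    findings = []
    for channel in response.get("DeliveryChannelsStatus", []):
        name = channel.get("name", "<unnamed>")
        # S3 deliveries: snapshots and configuration history.
        for component in ("configSnapshotDeliveryInfo", "configHistoryDeliveryInfo"):
            info = channel.get(component, {})
            if info.get("lastStatus") == "Failure":
                _flag(findings, name, component, "failure",
                      f"{info.get('lastErrorCode')}: {info.get('lastErrorMessage')}")
            last_ok = info.get("lastSuccessfulTime")
            if last_ok is None:
                _flag(findings, name, component, "never_succeeded", "no successful delivery recorded")
            elif now - last_ok > STALE_AFTER:
                _flag(findings, name, component, "stale", f"last success {last_ok.isoformat()}")
            next_at = info.get("nextDeliveryTime")
            if next_at is not None and now - next_at > OVERDUE_GRACE:
                _flag(findings, name, component, "overdue", f"was due {next_at.isoformat()}")
        # SNS stream: Not_Applicable means the channel has no topic at all.
        stream = channel.get("configStreamDeliveryInfo", {})
        status = stream.get("lastStatus")
        if status == "Not_Applicable":
            _flag(findings, name, "configStreamDeliveryInfo", "no_sns_topic",
                  "delivery channel has no SNS topic; change notifications are not streamed")
        elif status == "Failure":
            _flag(findings, name, "configStreamDeliveryInfo", "failure",
                  f"{stream.get('lastErrorCode')}: {stream.get('lastErrorMessage')}")
    return findings


# Constructed sample responses (error code and message are placeholders).
NOW = datetime(2015, 10, 6, 12, 0, tzinfo=timezone.utc)
UNHEALTHY_STATUS = {"DeliveryChannelsStatus": [{
    "name": "default",
    "configSnapshotDeliveryInfo": {
        "lastStatus": "Failure", "lastErrorCode": "ConstructedErrorCode",
        "lastErrorMessage": "constructed: bucket policy denied PutObject",
        "lastAttemptTime": NOW - timedelta(hours=1),
        "lastSuccessfulTime": NOW - timedelta(days=3),
        "nextDeliveryTime": NOW + timedelta(hours=5)},
    "configHistoryDeliveryInfo": {
        "lastStatus": "Success",
        "lastAttemptTime": NOW - timedelta(hours=2),
        "lastSuccessfulTime": NOW - timedelta(hours=2),
        "nextDeliveryTime": NOW - timedelta(hours=3)},
    "configStreamDeliveryInfo": {
        "lastStatus": "Not_Applicable",
        "lastStatusChangeTime": NOW - timedelta(days=30)},
}]}
HEALTHY_STATUS = {"DeliveryChannelsStatus": [{
    "name": "default",
    "configSnapshotDeliveryInfo": {"lastStatus": "Success",
                                   "lastSuccessfulTime": NOW - timedelta(hours=1),
                                   "nextDeliveryTime": NOW + timedelta(hours=2)},
    "configHistoryDeliveryInfo": {"lastStatus": "Success",
                                  "lastSuccessfulTime": NOW - timedelta(hours=1),
                                  "nextDeliveryTime": NOW + timedelta(hours=2)},
    "configStreamDeliveryInfo": {"lastStatus": "Success",
                                 "lastStatusChangeTime": NOW - timedelta(days=1)},
}]}
```

In use, the response comes from client.describe_delivery_channel_status() and now from datetime.now(timezone.utc); the findings can be emitted as a metric or alert from a scheduled job. The lastErrorCode and lastErrorMessage fields carry the reason for a failed delivery (for instance a changed bucket policy), which is usually enough to route the finding to the right owner.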

DescribeDeliveryChannels (updated) Link ¶
Changes (response)
{'DeliveryChannels': {'configSnapshotDeliveryProperties': {'deliveryFrequency': 'One_Hour | Three_Hours | Six_Hours | Twelve_Hours | TwentyFour_Hours'}}}

Returns details about the specified delivery channel. If a delivery channel is not specified, this action returns the details of all delivery channels associated with the account.

Note

Currently, you can specify only one delivery channel per account.

Request Syntax

client.describe_delivery_channels(
    DeliveryChannelNames=[
        'string',
    ]
)
type DeliveryChannelNames

list

param DeliveryChannelNames

A list of delivery channel names.

  • (string) --

rtype

dict

returns

Response Syntax

{
    'DeliveryChannels': [
        {
            'name': 'string',
            's3BucketName': 'string',
            's3KeyPrefix': 'string',
            'snsTopicARN': 'string',
            'configSnapshotDeliveryProperties': {
                'deliveryFrequency': 'One_Hour'|'Three_Hours'|'Six_Hours'|'Twelve_Hours'|'TwentyFour_Hours'
            }
        },
    ]
}

Response Structure

  • (dict) --

    The output for the DescribeDeliveryChannels action.

    • DeliveryChannels (list) --

      A list that contains the descriptions of the specified delivery channel.

      • (dict) --

        A logical container used for storing the configuration changes of an AWS resource.

        • name (string) --

          The name of the delivery channel. By default, AWS Config automatically assigns the name "default" when creating the delivery channel. You cannot change the assigned name.

        • s3BucketName (string) --

          The name of the Amazon S3 bucket used to store configuration history for the delivery channel.

        • s3KeyPrefix (string) --

          The prefix for the specified Amazon S3 bucket.

        • snsTopicARN (string) --

          The Amazon Resource Name (ARN) of the SNS topic that AWS Config delivers notifications to.

        • configSnapshotDeliveryProperties (dict) --

          Options for how AWS Config delivers configuration snapshots to the Amazon S3 bucket in your delivery channel.

          • deliveryFrequency (string) --

            The frequency with which AWS Config recurringly delivers configuration snapshots.

PutDeliveryChannel (updated) Link ¶
Changes (request)
{'DeliveryChannel': {'configSnapshotDeliveryProperties': {'deliveryFrequency': 'One_Hour | Three_Hours | Six_Hours | Twelve_Hours | TwentyFour_Hours'}}}

Creates a new delivery channel object to deliver the configuration information to an Amazon S3 bucket, and to an Amazon SNS topic.

You can use this action to change the Amazon S3 bucket or an Amazon SNS topic of the existing delivery channel. To change the Amazon S3 bucket or an Amazon SNS topic, call this action and specify the changed values for the S3 bucket and the SNS topic. If you specify a different value for either the S3 bucket or the SNS topic, this action will keep the existing value for the parameter that is not changed.

Note

Currently, you can specify only one delivery channel per account.

Request Syntax

client.put_delivery_channel(
    DeliveryChannel={
        'name': 'string',
        's3BucketName': 'string',
        's3KeyPrefix': 'string',
        'snsTopicARN': 'string',
        'configSnapshotDeliveryProperties': {
            'deliveryFrequency': 'One_Hour'|'Three_Hours'|'Six_Hours'|'Twelve_Hours'|'TwentyFour_Hours'
        }
    }
)
type DeliveryChannel

dict

param DeliveryChannel

[REQUIRED]

The configuration delivery channel object that delivers the configuration information to an Amazon S3 bucket, and to an Amazon SNS topic.

  • name (string) --

    The name of the delivery channel. By default, AWS Config automatically assigns the name "default" when creating the delivery channel. You cannot change the assigned name.

  • s3BucketName (string) --

    The name of the Amazon S3 bucket used to store configuration history for the delivery channel.

  • s3KeyPrefix (string) --

    The prefix for the specified Amazon S3 bucket.

  • snsTopicARN (string) --

    The Amazon Resource Name (ARN) of the SNS topic that AWS Config delivers notifications to.

  • configSnapshotDeliveryProperties (dict) --

    Options for how AWS Config delivers configuration snapshots to the Amazon S3 bucket in your delivery channel.

    • deliveryFrequency (string) --

      The frequency with which AWS Config recurringly delivers configuration snapshots.

returns

None