AWS Config

2017/06/13 - AWS Config - 4 updated api methods

Changes: With this release, AWS Config supports the Amazon CloudWatch alarm resource type.

DescribeConfigurationRecorders (updated)
Changes (response)
{'ConfigurationRecorders': {'recordingGroup': {'resourceTypes': ['AWS::CloudWatch::Alarm']}}}

Returns the details for the specified configuration recorders. If the configuration recorder is not specified, this action returns the details for all configuration recorders associated with the account.

Note

Currently, you can specify only one configuration recorder per region in your account.

See also: AWS API Documentation

Request Syntax

client.describe_configuration_recorders(
    ConfigurationRecorderNames=[
        'string',
    ]
)
type ConfigurationRecorderNames

list

param ConfigurationRecorderNames

A list of configuration recorder names.

  • (string) --

rtype

dict

returns

Response Syntax

{
    'ConfigurationRecorders': [
        {
            'name': 'string',
            'roleARN': 'string',
            'recordingGroup': {
                'allSupported': True|False,
                'includeGlobalResourceTypes': True|False,
                'resourceTypes': [
                    'AWS::EC2::CustomerGateway'|'AWS::EC2::EIP'|'AWS::EC2::Host'|'AWS::EC2::Instance'|'AWS::EC2::InternetGateway'|'AWS::EC2::NetworkAcl'|'AWS::EC2::NetworkInterface'|'AWS::EC2::RouteTable'|'AWS::EC2::SecurityGroup'|'AWS::EC2::Subnet'|'AWS::CloudTrail::Trail'|'AWS::EC2::Volume'|'AWS::EC2::VPC'|'AWS::EC2::VPNConnection'|'AWS::EC2::VPNGateway'|'AWS::IAM::Group'|'AWS::IAM::Policy'|'AWS::IAM::Role'|'AWS::IAM::User'|'AWS::ACM::Certificate'|'AWS::RDS::DBInstance'|'AWS::RDS::DBSubnetGroup'|'AWS::RDS::DBSecurityGroup'|'AWS::RDS::DBSnapshot'|'AWS::RDS::EventSubscription'|'AWS::ElasticLoadBalancingV2::LoadBalancer'|'AWS::S3::Bucket'|'AWS::SSM::ManagedInstanceInventory'|'AWS::Redshift::Cluster'|'AWS::Redshift::ClusterSnapshot'|'AWS::Redshift::ClusterParameterGroup'|'AWS::Redshift::ClusterSecurityGroup'|'AWS::Redshift::ClusterSubnetGroup'|'AWS::Redshift::EventSubscription'|'AWS::CloudWatch::Alarm',
                ]
            }
        },
    ]
}

Response Structure

  • (dict) --

    The output for the DescribeConfigurationRecorders action.

    • ConfigurationRecorders (list) --

      A list that contains the descriptions of the specified configuration recorders.

      • (dict) --

        An object that represents the recording of configuration changes of an AWS resource.

        • name (string) --

          The name of the recorder. By default, AWS Config automatically assigns the name "default" when creating the configuration recorder. You cannot change the assigned name.

        • roleARN (string) --

          Amazon Resource Name (ARN) of the IAM role used to describe the AWS resources associated with the account.

        • recordingGroup (dict) --

          Specifies the types of AWS resource for which AWS Config records configuration changes.

          • allSupported (boolean) --

            Specifies whether AWS Config records configuration changes for every supported type of regional resource.

            If you set this option to true, when AWS Config adds support for a new type of regional resource, it automatically starts recording resources of that type.

            If you set this option to true, you cannot enumerate a list of resourceTypes.

          • includeGlobalResourceTypes (boolean) --

            Specifies whether AWS Config includes all supported types of global resources (for example, IAM resources) with the resources that it records.

            Before you can set this option to true, you must set the allSupported option to true.

            If you set this option to true, when AWS Config adds support for a new type of global resource, it automatically starts recording resources of that type.

            The configuration details for any global resource are the same in all regions. To prevent duplicate configuration items, you should consider customizing AWS Config in only one region to record global resources.

          • resourceTypes (list) --

            A comma-separated list that specifies the types of AWS resources for which AWS Config records configuration changes (for example, AWS::EC2::Instance or AWS::CloudTrail::Trail).

            Before you can set this option to true, you must set the allSupported option to false.

            If you set this option to true, when AWS Config adds support for a new type of resource, it will not record resources of that type unless you manually add that type to your recording group.

            For a list of valid resourceTypes values, see the resourceType Value column in Supported AWS Resource Types.

            • (string) --

GetResourceConfigHistory (updated)
Changes (request, response)
Request
{'resourceType': ['AWS::CloudWatch::Alarm']}
Response
{'configurationItems': {'relationships': {'resourceType': ['AWS::CloudWatch::Alarm']},
                        'resourceType': ['AWS::CloudWatch::Alarm']}}

Returns a list of configuration items for the specified resource. The list contains details about each state of the resource during the specified time interval.

The response is paginated, and by default, AWS Config returns a limit of 10 configuration items per page. You can customize this number with the limit parameter. The response includes a nextToken string, and to get the next page of results, run the request again and enter this string for the nextToken parameter.

Note

Each call to the API is limited to span a duration of seven days. It is likely that the number of records returned is smaller than the specified limit. In such cases, you can make another call, using the nextToken.

See also: AWS API Documentation

Request Syntax

client.get_resource_config_history(
    resourceType='AWS::EC2::CustomerGateway'|'AWS::EC2::EIP'|'AWS::EC2::Host'|'AWS::EC2::Instance'|'AWS::EC2::InternetGateway'|'AWS::EC2::NetworkAcl'|'AWS::EC2::NetworkInterface'|'AWS::EC2::RouteTable'|'AWS::EC2::SecurityGroup'|'AWS::EC2::Subnet'|'AWS::CloudTrail::Trail'|'AWS::EC2::Volume'|'AWS::EC2::VPC'|'AWS::EC2::VPNConnection'|'AWS::EC2::VPNGateway'|'AWS::IAM::Group'|'AWS::IAM::Policy'|'AWS::IAM::Role'|'AWS::IAM::User'|'AWS::ACM::Certificate'|'AWS::RDS::DBInstance'|'AWS::RDS::DBSubnetGroup'|'AWS::RDS::DBSecurityGroup'|'AWS::RDS::DBSnapshot'|'AWS::RDS::EventSubscription'|'AWS::ElasticLoadBalancingV2::LoadBalancer'|'AWS::S3::Bucket'|'AWS::SSM::ManagedInstanceInventory'|'AWS::Redshift::Cluster'|'AWS::Redshift::ClusterSnapshot'|'AWS::Redshift::ClusterParameterGroup'|'AWS::Redshift::ClusterSecurityGroup'|'AWS::Redshift::ClusterSubnetGroup'|'AWS::Redshift::EventSubscription'|'AWS::CloudWatch::Alarm',
    resourceId='string',
    laterTime=datetime(2015, 1, 1),
    earlierTime=datetime(2015, 1, 1),
    chronologicalOrder='Reverse'|'Forward',
    limit=123,
    nextToken='string'
)
type resourceType

string

param resourceType

[REQUIRED]

The resource type.

type resourceId

string

param resourceId

[REQUIRED]

The ID of the resource (for example, sg-xxxxxx).

type laterTime

datetime

param laterTime

The time stamp that indicates a later time. If not specified, current time is taken.

type earlierTime

datetime

param earlierTime

The time stamp that indicates an earlier time. If not specified, the action returns paginated results that contain configuration items that start from when the first configuration item was recorded.

type chronologicalOrder

string

param chronologicalOrder

The chronological order for configuration items listed. By default the results are listed in reverse chronological order.

type limit

integer

param limit

The maximum number of configuration items returned on each page. The default is 10. You cannot specify a limit greater than 100. If you specify 0, AWS Config uses the default.

type nextToken

string

param nextToken

The nextToken string returned on a previous page that you use to get the next page of results in a paginated response.

rtype

dict

returns

Response Syntax

{
    'configurationItems': [
        {
            'version': 'string',
            'accountId': 'string',
            'configurationItemCaptureTime': datetime(2015, 1, 1),
            'configurationItemStatus': 'Ok'|'Failed'|'Discovered'|'Deleted',
            'configurationStateId': 'string',
            'configurationItemMD5Hash': 'string',
            'arn': 'string',
            'resourceType': 'AWS::EC2::CustomerGateway'|'AWS::EC2::EIP'|'AWS::EC2::Host'|'AWS::EC2::Instance'|'AWS::EC2::InternetGateway'|'AWS::EC2::NetworkAcl'|'AWS::EC2::NetworkInterface'|'AWS::EC2::RouteTable'|'AWS::EC2::SecurityGroup'|'AWS::EC2::Subnet'|'AWS::CloudTrail::Trail'|'AWS::EC2::Volume'|'AWS::EC2::VPC'|'AWS::EC2::VPNConnection'|'AWS::EC2::VPNGateway'|'AWS::IAM::Group'|'AWS::IAM::Policy'|'AWS::IAM::Role'|'AWS::IAM::User'|'AWS::ACM::Certificate'|'AWS::RDS::DBInstance'|'AWS::RDS::DBSubnetGroup'|'AWS::RDS::DBSecurityGroup'|'AWS::RDS::DBSnapshot'|'AWS::RDS::EventSubscription'|'AWS::ElasticLoadBalancingV2::LoadBalancer'|'AWS::S3::Bucket'|'AWS::SSM::ManagedInstanceInventory'|'AWS::Redshift::Cluster'|'AWS::Redshift::ClusterSnapshot'|'AWS::Redshift::ClusterParameterGroup'|'AWS::Redshift::ClusterSecurityGroup'|'AWS::Redshift::ClusterSubnetGroup'|'AWS::Redshift::EventSubscription'|'AWS::CloudWatch::Alarm',
            'resourceId': 'string',
            'resourceName': 'string',
            'awsRegion': 'string',
            'availabilityZone': 'string',
            'resourceCreationTime': datetime(2015, 1, 1),
            'tags': {
                'string': 'string'
            },
            'relatedEvents': [
                'string',
            ],
            'relationships': [
                {
                    'resourceType': 'AWS::EC2::CustomerGateway'|'AWS::EC2::EIP'|'AWS::EC2::Host'|'AWS::EC2::Instance'|'AWS::EC2::InternetGateway'|'AWS::EC2::NetworkAcl'|'AWS::EC2::NetworkInterface'|'AWS::EC2::RouteTable'|'AWS::EC2::SecurityGroup'|'AWS::EC2::Subnet'|'AWS::CloudTrail::Trail'|'AWS::EC2::Volume'|'AWS::EC2::VPC'|'AWS::EC2::VPNConnection'|'AWS::EC2::VPNGateway'|'AWS::IAM::Group'|'AWS::IAM::Policy'|'AWS::IAM::Role'|'AWS::IAM::User'|'AWS::ACM::Certificate'|'AWS::RDS::DBInstance'|'AWS::RDS::DBSubnetGroup'|'AWS::RDS::DBSecurityGroup'|'AWS::RDS::DBSnapshot'|'AWS::RDS::EventSubscription'|'AWS::ElasticLoadBalancingV2::LoadBalancer'|'AWS::S3::Bucket'|'AWS::SSM::ManagedInstanceInventory'|'AWS::Redshift::Cluster'|'AWS::Redshift::ClusterSnapshot'|'AWS::Redshift::ClusterParameterGroup'|'AWS::Redshift::ClusterSecurityGroup'|'AWS::Redshift::ClusterSubnetGroup'|'AWS::Redshift::EventSubscription'|'AWS::CloudWatch::Alarm',
                    'resourceId': 'string',
                    'resourceName': 'string',
                    'relationshipName': 'string'
                },
            ],
            'configuration': 'string',
            'supplementaryConfiguration': {
                'string': 'string'
            }
        },
    ],
    'nextToken': 'string'
}

Response Structure

  • (dict) --

    The output for the GetResourceConfigHistory action.

    • configurationItems (list) --

      A list that contains the configuration history of one or more resources.

      • (dict) --

        A list that contains detailed configurations of a specified resource.

        • version (string) --

          The version number of the resource configuration.

        • accountId (string) --

          The 12-digit AWS account ID associated with the resource.

        • configurationItemCaptureTime (datetime) --

          The time when the configuration recording was initiated.

        • configurationItemStatus (string) --

          The configuration item status.

        • configurationStateId (string) --

          An identifier that indicates the ordering of the configuration items of a resource.

        • configurationItemMD5Hash (string) --

          Unique MD5 hash that represents the configuration item's state.

          You can use MD5 hash to compare the states of two or more configuration items that are associated with the same resource.

        • arn (string) --

          The Amazon Resource Name (ARN) of the resource.

        • resourceType (string) --

          The type of AWS resource.

        • resourceId (string) --

          The ID of the resource (for example, sg-xxxxxx).

        • resourceName (string) --

          The custom name of the resource, if available.

        • awsRegion (string) --

          The region where the resource resides.

        • availabilityZone (string) --

          The Availability Zone associated with the resource.

        • resourceCreationTime (datetime) --

          The time stamp when the resource was created.

        • tags (dict) --

          A mapping of key value tags associated with the resource.

          • (string) --

            • (string) --

        • relatedEvents (list) --

          A list of CloudTrail event IDs.

          A populated field indicates that the current configuration was initiated by the events recorded in the CloudTrail log. For more information about CloudTrail, see "What is AWS CloudTrail?".

          An empty field indicates that the current configuration was not initiated by any event.

          • (string) --

        • relationships (list) --

          A list of related AWS resources.

          • (dict) --

            The relationship of the related resource to the main resource.

            • resourceType (string) --

              The resource type of the related resource.

            • resourceId (string) --

              The ID of the related resource (for example, sg-xxxxxx).

            • resourceName (string) --

              The custom name of the related resource, if available.

            • relationshipName (string) --

              The type of relationship with the related resource.

        • configuration (string) --

          The description of the resource configuration.

        • supplementaryConfiguration (dict) --

          Configuration attributes that AWS Config returns for certain resource types to supplement the information returned for the configuration parameter.

          • (string) --

            • (string) --

    • nextToken (string) --

      The string that you use in a subsequent request to get the next page of results in a paginated response.
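Added example (not part of the AWS documentation): paging through GetResourceConfigHistory until nextToken is absent, then using configurationItemMD5Hash and relatedEvents to list when an alarm's recorded state changed and which CloudTrail events drove it. FakeConfigClient, the sample items, the alarm ID and the hash and event values are constructed; in real use `client` would be `boto3.client("config")`.

```python
from datetime import datetime, timezone


def config_history(client, resource_type, resource_id, earlier=None, later=None):
    """Return every configuration item, oldest first, following nextToken."""
    kwargs = {
        "resourceType": resource_type,
        "resourceId": resource_id,
        "chronologicalOrder": "Forward",
        "limit": 100,  # the documented maximum page size
    }
    if earlier is not None:
        kwargs["earlierTime"] = earlier
    if later is not None:
        kwargs["laterTime"] = later
    items = []
    while True:
        page = client.get_resource_config_history(**kwargs)
        items.extend(page.get("configurationItems", []))
        token = page.get("nextToken")
        if not token:  # a short page is not the end; only a missing token is
            return items
        kwargs["nextToken"] = token


def state_changes(items):
    """List transitions whose MD5 hash differs from the previous item's."""
    changes = []
    for previous, current in zip(items, items[1:]):
        if current.get("configurationItemMD5Hash") != previous.get("configurationItemMD5Hash"):
            changes.append({
                "at": current["configurationItemCaptureTime"],
                "status": current["configurationItemStatus"],
                # Empty list: the page says no recorded event initiated this state.
                "cloudtrail_event_ids": list(current.get("relatedEvents", [])),
            })
    return changes


class FakeConfigClient:
    """Constructed stand-in for the real client; serves one page per call."""

    def __init__(self, pages):
        self.pages = pages
        self.calls = []

    def get_resource_config_history(self, **kwargs):
        self.calls.append(kwargs)
        index = int(kwargs.get("nextToken", 0))
        page = {"configurationItems": self.pages[index]}
        if index + 1 < len(self.pages):
            page["nextToken"] = str(index + 1)
        return page


def _item(minute, md5, status="Ok", events=()):
    # Constructed configuration item with only the fields used above.
    return {
        "resourceType": "AWS::CloudWatch::Alarm",
        "resourceId": "example-alarm",
        "configurationItemCaptureTime": datetime(2017, 6, 13, 12, minute, tzinfo=timezone.utc),
        "configurationItemStatus": status,
        "configurationItemMD5Hash": md5,
        "relatedEvents": list(events),
    }


SAMPLE_PAGES = [  # constructed: three pages, each shorter than the limit
    [_item(0, "state-1", "Discovered"), _item(5, "state-1")],
    [_item(9, "state-2", events=["constructed-event-id-1"])],
    [_item(20, "state-3", "Deleted")],
]

if __name__ == "__main__":
    fake = FakeConfigClient(SAMPLE_PAGES)
    for change in state_changes(config_history(fake, "AWS::CloudWatch::Alarm", "example-alarm")):
        print(change)
```
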

ListDiscoveredResources (updated)
Changes (request, response)
Request
{'resourceType': ['AWS::CloudWatch::Alarm']}
Response
{'resourceIdentifiers': {'resourceType': ['AWS::CloudWatch::Alarm']}}

Accepts a resource type and returns a list of resource identifiers for the resources of that type. A resource identifier includes the resource type, ID, and (if available) the custom resource name. The results consist of resources that AWS Config has discovered, including those that AWS Config is not currently recording. You can narrow the results to include only resources that have specific resource IDs or a resource name.

Note

You can specify either resource IDs or a resource name but not both in the same request.

The response is paginated, and by default AWS Config lists 100 resource identifiers on each page. You can customize this number with the limit parameter. The response includes a nextToken string, and to get the next page of results, run the request again and enter this string for the nextToken parameter.

See also: AWS API Documentation

Request Syntax

client.list_discovered_resources(
    resourceType='AWS::EC2::CustomerGateway'|'AWS::EC2::EIP'|'AWS::EC2::Host'|'AWS::EC2::Instance'|'AWS::EC2::InternetGateway'|'AWS::EC2::NetworkAcl'|'AWS::EC2::NetworkInterface'|'AWS::EC2::RouteTable'|'AWS::EC2::SecurityGroup'|'AWS::EC2::Subnet'|'AWS::CloudTrail::Trail'|'AWS::EC2::Volume'|'AWS::EC2::VPC'|'AWS::EC2::VPNConnection'|'AWS::EC2::VPNGateway'|'AWS::IAM::Group'|'AWS::IAM::Policy'|'AWS::IAM::Role'|'AWS::IAM::User'|'AWS::ACM::Certificate'|'AWS::RDS::DBInstance'|'AWS::RDS::DBSubnetGroup'|'AWS::RDS::DBSecurityGroup'|'AWS::RDS::DBSnapshot'|'AWS::RDS::EventSubscription'|'AWS::ElasticLoadBalancingV2::LoadBalancer'|'AWS::S3::Bucket'|'AWS::SSM::ManagedInstanceInventory'|'AWS::Redshift::Cluster'|'AWS::Redshift::ClusterSnapshot'|'AWS::Redshift::ClusterParameterGroup'|'AWS::Redshift::ClusterSecurityGroup'|'AWS::Redshift::ClusterSubnetGroup'|'AWS::Redshift::EventSubscription'|'AWS::CloudWatch::Alarm',
    resourceIds=[
        'string',
    ],
    resourceName='string',
    limit=123,
    includeDeletedResources=True|False,
    nextToken='string'
)
type resourceType

string

param resourceType

[REQUIRED]

The type of resources that you want AWS Config to list in the response.

type resourceIds

list

param resourceIds

The IDs of only those resources that you want AWS Config to list in the response. If you do not specify this parameter, AWS Config lists all resources of the specified type that it has discovered.

  • (string) --

type resourceName

string

param resourceName

The custom name of only those resources that you want AWS Config to list in the response. If you do not specify this parameter, AWS Config lists all resources of the specified type that it has discovered.

type limit

integer

param limit

The maximum number of resource identifiers returned on each page. The default is 100. You cannot specify a limit greater than 100. If you specify 0, AWS Config uses the default.

type includeDeletedResources

boolean

param includeDeletedResources

Specifies whether AWS Config includes deleted resources in the results. By default, deleted resources are not included.

type nextToken

string

param nextToken

The nextToken string returned on a previous page that you use to get the next page of results in a paginated response.

rtype

dict

returns

Response Syntax

{
    'resourceIdentifiers': [
        {
            'resourceType': 'AWS::EC2::CustomerGateway'|'AWS::EC2::EIP'|'AWS::EC2::Host'|'AWS::EC2::Instance'|'AWS::EC2::InternetGateway'|'AWS::EC2::NetworkAcl'|'AWS::EC2::NetworkInterface'|'AWS::EC2::RouteTable'|'AWS::EC2::SecurityGroup'|'AWS::EC2::Subnet'|'AWS::CloudTrail::Trail'|'AWS::EC2::Volume'|'AWS::EC2::VPC'|'AWS::EC2::VPNConnection'|'AWS::EC2::VPNGateway'|'AWS::IAM::Group'|'AWS::IAM::Policy'|'AWS::IAM::Role'|'AWS::IAM::User'|'AWS::ACM::Certificate'|'AWS::RDS::DBInstance'|'AWS::RDS::DBSubnetGroup'|'AWS::RDS::DBSecurityGroup'|'AWS::RDS::DBSnapshot'|'AWS::RDS::EventSubscription'|'AWS::ElasticLoadBalancingV2::LoadBalancer'|'AWS::S3::Bucket'|'AWS::SSM::ManagedInstanceInventory'|'AWS::Redshift::Cluster'|'AWS::Redshift::ClusterSnapshot'|'AWS::Redshift::ClusterParameterGroup'|'AWS::Redshift::ClusterSecurityGroup'|'AWS::Redshift::ClusterSubnetGroup'|'AWS::Redshift::EventSubscription'|'AWS::CloudWatch::Alarm',
            'resourceId': 'string',
            'resourceName': 'string',
            'resourceDeletionTime': datetime(2015, 1, 1)
        },
    ],
    'nextToken': 'string'
}

Response Structure

  • (dict) --

    • resourceIdentifiers (list) --

      The details that identify a resource that is discovered by AWS Config, including the resource type, ID, and (if available) the custom resource name.

      • (dict) --

        The details that identify a resource that is discovered by AWS Config, including the resource type, ID, and (if available) the custom resource name.

        • resourceType (string) --

          The type of resource.

        • resourceId (string) --

          The ID of the resource (for example, sg-xxxxxx).

        • resourceName (string) --

          The custom name of the resource (if available).

        • resourceDeletionTime (datetime) --

          The time that the resource was deleted.

    • nextToken (string) --

      The string that you use in a subsequent request to get the next page of results in a paginated response.

PutConfigurationRecorder (updated)
Changes (request)
{'ConfigurationRecorder': {'recordingGroup': {'resourceTypes': ['AWS::CloudWatch::Alarm']}}}

Creates a new configuration recorder to record the selected resource configurations.

You can use this action to change the role roleARN and/or the recordingGroup of an existing recorder. To change the role, call the action on the existing configuration recorder and specify a role.

Note

Currently, you can specify only one configuration recorder per region in your account.

If ConfigurationRecorder does not have the recordingGroup parameter specified, the default is to record all supported resource types.

See also: AWS API Documentation

Request Syntax

client.put_configuration_recorder(
    ConfigurationRecorder={
        'name': 'string',
        'roleARN': 'string',
        'recordingGroup': {
            'allSupported': True|False,
            'includeGlobalResourceTypes': True|False,
            'resourceTypes': [
                'AWS::EC2::CustomerGateway'|'AWS::EC2::EIP'|'AWS::EC2::Host'|'AWS::EC2::Instance'|'AWS::EC2::InternetGateway'|'AWS::EC2::NetworkAcl'|'AWS::EC2::NetworkInterface'|'AWS::EC2::RouteTable'|'AWS::EC2::SecurityGroup'|'AWS::EC2::Subnet'|'AWS::CloudTrail::Trail'|'AWS::EC2::Volume'|'AWS::EC2::VPC'|'AWS::EC2::VPNConnection'|'AWS::EC2::VPNGateway'|'AWS::IAM::Group'|'AWS::IAM::Policy'|'AWS::IAM::Role'|'AWS::IAM::User'|'AWS::ACM::Certificate'|'AWS::RDS::DBInstance'|'AWS::RDS::DBSubnetGroup'|'AWS::RDS::DBSecurityGroup'|'AWS::RDS::DBSnapshot'|'AWS::RDS::EventSubscription'|'AWS::ElasticLoadBalancingV2::LoadBalancer'|'AWS::S3::Bucket'|'AWS::SSM::ManagedInstanceInventory'|'AWS::Redshift::Cluster'|'AWS::Redshift::ClusterSnapshot'|'AWS::Redshift::ClusterParameterGroup'|'AWS::Redshift::ClusterSecurityGroup'|'AWS::Redshift::ClusterSubnetGroup'|'AWS::Redshift::EventSubscription'|'AWS::CloudWatch::Alarm',
            ]
        }
    }
)
type ConfigurationRecorder

dict

param ConfigurationRecorder

[REQUIRED]

The configuration recorder object that records each configuration change made to the resources.

  • name (string) --

    The name of the recorder. By default, AWS Config automatically assigns the name "default" when creating the configuration recorder. You cannot change the assigned name.

  • roleARN (string) --

    Amazon Resource Name (ARN) of the IAM role used to describe the AWS resources associated with the account.

  • recordingGroup (dict) --

    Specifies the types of AWS resource for which AWS Config records configuration changes.

    • allSupported (boolean) --

      Specifies whether AWS Config records configuration changes for every supported type of regional resource.

      If you set this option to true, when AWS Config adds support for a new type of regional resource, it automatically starts recording resources of that type.

      If you set this option to true, you cannot enumerate a list of resourceTypes.

    • includeGlobalResourceTypes (boolean) --

      Specifies whether AWS Config includes all supported types of global resources (for example, IAM resources) with the resources that it records.

      Before you can set this option to true, you must set the allSupported option to true.

      If you set this option to true, when AWS Config adds support for a new type of global resource, it automatically starts recording resources of that type.

      The configuration details for any global resource are the same in all regions. To prevent duplicate configuration items, you should consider customizing AWS Config in only one region to record global resources.

    • resourceTypes (list) --

      A comma-separated list that specifies the types of AWS resources for which AWS Config records configuration changes (for example, AWS::EC2::Instance or AWS::CloudTrail::Trail).

      Before you can set this option to true, you must set the allSupported option to false.

      If you set this option to true, when AWS Config adds support for a new type of resource, it will not record resources of that type unless you manually add that type to your recording group.

      For a list of valid resourceTypes values, see the resourceType Value column in Supported AWS Resource Types.

      • (string) --

returns

None
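
Added example (not part of the AWS documentation): applying the recordingGroup rules described for DescribeConfigurationRecorders and PutConfigurationRecorder to find required resource types a recorder does not cover, such as the new AWS::CloudWatch::Alarm type on a recorder with an explicit resourceTypes list, and building the corrected ConfigurationRecorder argument. The sample response, role ARN and required list are constructed, and treating only AWS::IAM:: types as global is an assumption taken from the page's own example.

```python
GLOBAL_PREFIXES = ("AWS::IAM::",)  # assumption: IAM types are the global ones


def is_recorded(recording_group, resource_type):
    """Decide from a recordingGroup whether a resource type is recorded."""
    if recording_group.get("allSupported"):
        # allSupported covers regional types; global ones need the extra flag.
        if resource_type.startswith(GLOBAL_PREFIXES):
            return bool(recording_group.get("includeGlobalResourceTypes"))
        return True
    # Explicit list: new types are not recorded until they are added by hand.
    return resource_type in recording_group.get("resourceTypes", [])


def coverage_gaps(describe_response, required_types):
    """Map recorder name -> sorted required types that it does not record."""
    gaps = {}
    for recorder in describe_response.get("ConfigurationRecorders", []):
        group = recorder.get("recordingGroup", {"allSupported": True})
        missing = sorted(t for t in required_types if not is_recorded(group, t))
        if missing:
            gaps[recorder["name"]] = missing
    return gaps


def patched_recorder(recorder, missing):
    """Build the ConfigurationRecorder argument that closes the given gaps."""
    group = dict(recorder.get("recordingGroup", {"allSupported": True}))
    if group.get("allSupported"):
        # Only global types can be missing here, so turn the flag on;
        # resourceTypes cannot be enumerated while allSupported is true.
        group["includeGlobalResourceTypes"] = True
        group.pop("resourceTypes", None)
    else:
        group["resourceTypes"] = sorted(set(group.get("resourceTypes", [])) | set(missing))
    return {"name": recorder["name"], "roleARN": recorder["roleARN"], "recordingGroup": group}


SAMPLE_RESPONSE = {  # constructed describe_configuration_recorders response
    "ConfigurationRecorders": [{
        "name": "default",
        "roleARN": "arn:aws:iam::111122223333:role/example-config-role",
        "recordingGroup": {
            "allSupported": False,
            "includeGlobalResourceTypes": False,
            "resourceTypes": ["AWS::EC2::SecurityGroup", "AWS::CloudTrail::Trail"],
        },
    }]
}

# Constructed list of types a monitoring baseline might require.
REQUIRED = ["AWS::CloudWatch::Alarm", "AWS::CloudTrail::Trail", "AWS::IAM::Role"]

if __name__ == "__main__":
    gaps = coverage_gaps(SAMPLE_RESPONSE, REQUIRED)
    for recorder in SAMPLE_RESPONSE["ConfigurationRecorders"]:
        if recorder["name"] in gaps:
            print("missing:", gaps[recorder["name"]])
            # Real use: client.put_configuration_recorder(ConfigurationRecorder=...)
            print(patched_recorder(recorder, gaps[recorder["name"]]))
```
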