2016/07/21 - AWS Config - 2 new, 6 updated API methods
Changes: Adds support for RDS and ACM resource types and introduces two new APIs: DeleteEvaluationResults and StartConfigRulesEvaluation. The updated PutConfigRule API can now create Config rules that are triggered both by configuration changes and on a periodic schedule.
Evaluates your resources against the specified Config rules. You can specify up to 25 Config rules per request.
An existing StartConfigRulesEvaluation call must complete for the rules that you specified before you can call the API again. If you chose to have AWS Config stream to an Amazon SNS topic, you will receive a notification when the evaluation starts.
Request Syntax
client.start_config_rules_evaluation(
    ConfigRuleNames=[
        'string',
    ]
)
ConfigRuleNames (list) --
The list of names of the Config rules that you want to run evaluations for.
(string) --
Return type: dict
Response Syntax
{}
Response Structure
(dict) --
The output when you start the evaluation for the specified Config rule.
Deletes the evaluation results for the specified Config rule. You can specify one Config rule per request. After you delete the evaluation results, you can call the StartConfigRulesEvaluation API to start evaluating your AWS resources against the rule.
Request Syntax
client.delete_evaluation_results(
    ConfigRuleName='string'
)
ConfigRuleName (string) -- [REQUIRED]
The name of the Config rule for which you want to delete the evaluation results.
Return type: dict
Response Syntax
{}
Response Structure
(dict) --
The output when you delete the evaluation results for the specified Config rule.
{'ConfigRules': {'ConfigRuleState': ['EVALUATING', 'DELETING_RESULTS'], 'Source': {'SourceDetails': {'MaximumExecutionFrequency': 'One_Hour | Three_Hours | Six_Hours | Twelve_Hours | TwentyFour_Hours', 'MessageType': ['ScheduledNotification']}}}}
Returns details about your AWS Config rules.
Request Syntax
client.describe_config_rules(
    ConfigRuleNames=[
        'string',
    ],
    NextToken='string'
)
ConfigRuleNames (list) --
The names of the AWS Config rules for which you want details. If you do not specify any names, AWS Config returns details for all your rules.
(string) --
NextToken (string) --
The nextToken string returned on a previous page that you use to get the next page of results in a paginated response.
Return type: dict
Response Syntax
{
    'ConfigRules': [
        {
            'ConfigRuleName': 'string',
            'ConfigRuleArn': 'string',
            'ConfigRuleId': 'string',
            'Description': 'string',
            'Scope': {
                'ComplianceResourceTypes': [
                    'string',
                ],
                'TagKey': 'string',
                'TagValue': 'string',
                'ComplianceResourceId': 'string'
            },
            'Source': {
                'Owner': 'CUSTOM_LAMBDA'|'AWS',
                'SourceIdentifier': 'string',
                'SourceDetails': [
                    {
                        'EventSource': 'aws.config',
                        'MessageType': 'ConfigurationItemChangeNotification'|'ConfigurationSnapshotDeliveryCompleted'|'ScheduledNotification',
                        'MaximumExecutionFrequency': 'One_Hour'|'Three_Hours'|'Six_Hours'|'Twelve_Hours'|'TwentyFour_Hours'
                    },
                ]
            },
            'InputParameters': 'string',
            'MaximumExecutionFrequency': 'One_Hour'|'Three_Hours'|'Six_Hours'|'Twelve_Hours'|'TwentyFour_Hours',
            'ConfigRuleState': 'ACTIVE'|'DELETING'|'DELETING_RESULTS'|'EVALUATING'
        },
    ],
    'NextToken': 'string'
}
Response Structure
(dict) --
ConfigRules (list) --
The details about your AWS Config rules.
(dict) --
An AWS Lambda function that evaluates configuration items to assess whether your AWS resources comply with your desired configurations. This function can run when AWS Config detects a configuration change to an AWS resource and at a periodic frequency that you choose (for example, every 24 hours).
Note
You can use the AWS CLI and AWS SDKs if you want to create a rule that triggers evaluations for your resources when AWS Config delivers the configuration snapshot. For more information, see ConfigSnapshotDeliveryProperties.
For more information about developing and using AWS Config rules, see Evaluating AWS Resource Configurations with AWS Config in the AWS Config Developer Guide.
ConfigRuleName (string) --
The name that you assign to the AWS Config rule. The name is required if you are adding a new rule.
ConfigRuleArn (string) --
The Amazon Resource Name (ARN) of the AWS Config rule.
ConfigRuleId (string) --
The ID of the AWS Config rule.
Description (string) --
The description that you provide for the AWS Config rule.
Scope (dict) --
Defines which resources can trigger an evaluation for the rule. The scope can include one or more resource types, a combination of one resource type and one resource ID, or a combination of a tag key and value. Specify a scope to constrain the resources that can trigger an evaluation for the rule. If you do not specify a scope, evaluations are triggered when any resource in the recording group changes.
ComplianceResourceTypes (list) --
The resource types of only those AWS resources that you want to trigger an evaluation for the rule. You can only specify one type if you also specify a resource ID for ComplianceResourceId.
(string) --
TagKey (string) --
The tag key that is applied to only those AWS resources that you want to trigger an evaluation for the rule.
TagValue (string) --
The tag value applied to only those AWS resources that you want to trigger an evaluation for the rule. If you specify a value for TagValue, you must also specify a value for TagKey.
ComplianceResourceId (string) --
The ID of the only AWS resource that you want to trigger an evaluation for the rule. If you specify a resource ID, you must specify one resource type for ComplianceResourceTypes.
Source (dict) --
Provides the rule owner (AWS or customer), the rule identifier, and the notifications that cause the function to evaluate your AWS resources.
Owner (string) --
Indicates whether AWS or the customer owns and manages the AWS Config rule.
SourceIdentifier (string) --
For AWS managed Config rules, a pre-defined identifier from a list. To reference the list, see Using AWS Managed Config Rules.
For custom Config rules, the identifier is the Amazon Resource Name (ARN) of the rule's AWS Lambda function.
SourceDetails (list) --
Provides the source and type of the event that causes AWS Config to evaluate your AWS resources.
(dict) --
Provides the source and the message type that trigger AWS Config to evaluate your AWS resources against a rule. It also provides the frequency with which you want AWS Config to run evaluations for the rule if the trigger type is periodic.
EventSource (string) --
The source of the event, such as an AWS service, that triggers AWS Config to evaluate your AWS resources.
MessageType (string) --
The type of SNS message that triggers AWS Config to run an evaluation.
For evaluations that are initiated when AWS Config delivers a configuration item change notification, you must use ConfigurationItemChangeNotification .
For evaluations that are initiated at a frequency that you choose (for example, every 24 hours), you must use ScheduledNotification .
For evaluations that are initiated when AWS Config delivers a configuration snapshot, you must use ConfigurationSnapshotDeliveryCompleted .
MaximumExecutionFrequency (string) --
If the trigger type for your rule includes periodic, AWS Config runs evaluations for the rule at a frequency that you choose. If you specify a value for MaximumExecutionFrequency, then MessageType must use the ScheduledNotification value.
InputParameters (string) --
A string in JSON format that is passed to the AWS Config rule Lambda function.
MaximumExecutionFrequency (string) --
If you want to create a rule that evaluates at a frequency that is independent of the configuration snapshot delivery, use the MaximumExecutionFrequency parameter in the SourceDetail object.
Note
If you want to create a rule that triggers evaluations for your resources when AWS Config delivers the configuration snapshot, see the following:
A rule that runs an evaluation when AWS Config delivers a configuration snapshot cannot run evaluations more frequently than AWS Config delivers the snapshots. Set the value of MaximumExecutionFrequency to be equal to or greater than the value of the deliveryFrequency key, which is part of ConfigSnapshotDeliveryProperties.
For more information, see ConfigSnapshotDeliveryProperties.
ConfigRuleState (string) --
Indicates whether the AWS Config rule is active or is currently being deleted by AWS Config. It can also indicate the evaluation status for the Config rule.
AWS Config sets the state of the rule to EVALUATING temporarily after you use the StartConfigRulesEvaluation request to evaluate your resources against the Config rule.
AWS Config sets the state of the rule to DELETING_RESULTS temporarily after you use the DeleteEvaluationResults request to delete the current evaluation results for the Config rule.
AWS Config sets the state of a rule to DELETING temporarily after you use the DeleteConfigRule request to delete the rule. After AWS Config deletes the rule, the rule and all of its evaluations are erased and are no longer available.
NextToken (string) --
The string that you use in a subsequent request to get the next page of results in a paginated response.
{'ConfigurationRecorders': {'recordingGroup': {'resourceTypes': ['AWS::ACM::Certificate', 'AWS::RDS::DBSnapshot', 'AWS::RDS::EventSubscription', 'AWS::RDS::DBInstance', 'AWS::RDS::DBSubnetGroup', 'AWS::RDS::DBSecurityGroup']}}}
Returns the name of one or more specified configuration recorders. If the recorder name is not specified, this action returns the names of all the configuration recorders associated with the account.
Note
Currently, you can specify only one configuration recorder per account.
Request Syntax
client.describe_configuration_recorders(
    ConfigurationRecorderNames=[
        'string',
    ]
)
ConfigurationRecorderNames (list) --
A list of configuration recorder names.
(string) --
Return type: dict
Response Syntax
{
    'ConfigurationRecorders': [
        {
            'name': 'string',
            'roleARN': 'string',
            'recordingGroup': {
                'allSupported': True|False,
                'includeGlobalResourceTypes': True|False,
                'resourceTypes': [
                    'AWS::EC2::CustomerGateway'|'AWS::EC2::EIP'|'AWS::EC2::Host'|'AWS::EC2::Instance'|'AWS::EC2::InternetGateway'|'AWS::EC2::NetworkAcl'|'AWS::EC2::NetworkInterface'|'AWS::EC2::RouteTable'|'AWS::EC2::SecurityGroup'|'AWS::EC2::Subnet'|'AWS::CloudTrail::Trail'|'AWS::EC2::Volume'|'AWS::EC2::VPC'|'AWS::EC2::VPNConnection'|'AWS::EC2::VPNGateway'|'AWS::IAM::Group'|'AWS::IAM::Policy'|'AWS::IAM::Role'|'AWS::IAM::User'|'AWS::ACM::Certificate'|'AWS::RDS::DBInstance'|'AWS::RDS::DBSubnetGroup'|'AWS::RDS::DBSecurityGroup'|'AWS::RDS::DBSnapshot'|'AWS::RDS::EventSubscription',
                ]
            }
        },
    ]
}
Response Structure
(dict) --
The output for the DescribeConfigurationRecorders action.
ConfigurationRecorders (list) --
A list that contains the descriptions of the specified configuration recorders.
(dict) --
An object that represents the recording of configuration changes of an AWS resource.
name (string) --
The name of the recorder. By default, AWS Config automatically assigns the name "default" when creating the configuration recorder. You cannot change the assigned name.
roleARN (string) --
Amazon Resource Name (ARN) of the IAM role used to describe the AWS resources associated with the account.
recordingGroup (dict) --
Specifies the types of AWS resource for which AWS Config records configuration changes.
allSupported (boolean) --
Specifies whether AWS Config records configuration changes for every supported type of regional resource.
If you set this option to true, when AWS Config adds support for a new type of regional resource, it automatically starts recording resources of that type.
If you set this option to true, you cannot enumerate a list of resourceTypes.
includeGlobalResourceTypes (boolean) --
Specifies whether AWS Config includes all supported types of global resources (for example, IAM resources) with the resources that it records.
Before you can set this option to true, you must set the allSupported option to true.
If you set this option to true, when AWS Config adds support for a new type of global resource, it automatically starts recording resources of that type.
The configuration details for any global resource are the same in all regions. To prevent duplicate configuration items, you should consider customizing AWS Config in only one region to record global resources.
resourceTypes (list) --
A comma-separated list that specifies the types of AWS resources for which AWS Config records configuration changes (for example, AWS::EC2::Instance or AWS::CloudTrail::Trail).
Before you can specify resource types in this list, you must set the allSupported option to false.
If you specify this list, when AWS Config adds support for a new type of resource, it will not record resources of that type unless you manually add that type to your recording group.
For a list of valid resourceTypes values, see the resourceType Value column in Supported AWS Resource Types.
(string) --
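A recorder that was set up with an explicit resourceTypes list before this release silently misses the new RDS and ACM types, so the first thing to check after an update like this one is coverage. The script below is an added example, not boto3's or AWS's own code: it takes a DescribeConfigurationRecorders response (a constructed sample here; boto3.client("config").describe_configuration_recorders() returns the same shape), reports which of the newly supported types each recorder does not record, and checks the allSupported / includeGlobalResourceTypes / resourceTypes rules stated above. Treating the IAM types as the global ones follows the page's own example of global resources and is an assumption of the example.

```python
"""Report which resource types added in this release a configuration recorder
does not cover, and check the recordingGroup constraints the API reference states.

Added example; not boto3's or AWS's own code. SAMPLE_RESPONSE is a constructed
DescribeConfigurationRecorders response.
"""

# Resource types added in this release (from the response change summary above)
NEW_TYPES = ["AWS::ACM::Certificate", "AWS::RDS::DBInstance", "AWS::RDS::DBSubnetGroup",
             "AWS::RDS::DBSecurityGroup", "AWS::RDS::DBSnapshot", "AWS::RDS::EventSubscription"]

# Assumption: the IAM types on this page are the global (non-regional) ones
GLOBAL_TYPES = {"AWS::IAM::Group", "AWS::IAM::Policy", "AWS::IAM::Role", "AWS::IAM::User"}


def validate_recording_group(group):
    """Return violations of the allSupported / includeGlobalResourceTypes / resourceTypes rules."""
    problems = []
    if group.get("allSupported") and group.get("resourceTypes"):
        problems.append("resourceTypes cannot be enumerated when allSupported is true")
    if group.get("includeGlobalResourceTypes") and not group.get("allSupported"):
        problems.append("includeGlobalResourceTypes requires allSupported to be true")
    return problems


def unrecorded_types(recorder, wanted=NEW_TYPES):
    """Return the types in wanted that this recorder's recordingGroup does not record."""
    group = recorder.get("recordingGroup", {})
    if group.get("allSupported"):
        # every supported regional type is recorded; global ones only with includeGlobalResourceTypes
        if group.get("includeGlobalResourceTypes"):
            return []
        return [t for t in wanted if t in GLOBAL_TYPES]
    recorded = set(group.get("resourceTypes", []))
    return [t for t in wanted if t not in recorded]


def coverage_report(response, wanted=NEW_TYPES):
    """Map each recorder name to (missing types, recordingGroup problems)."""
    return {rec["name"]: (unrecorded_types(rec, wanted),
                          validate_recording_group(rec.get("recordingGroup", {})))
            for rec in response.get("ConfigurationRecorders", [])}


SAMPLE_RESPONSE = {   # constructed: an explicit list written before RDS/ACM support existed
    "ConfigurationRecorders": [
        {"name": "default",
         "roleARN": "arn:aws:iam::123456789012:role/config-role-hypothetical",
         "recordingGroup": {"allSupported": False, "includeGlobalResourceTypes": False,
                            "resourceTypes": ["AWS::EC2::Instance", "AWS::EC2::SecurityGroup",
                                              "AWS::IAM::Role", "AWS::CloudTrail::Trail"]}}
    ]
}


def main():
    try:
        import boto3
    except ImportError:
        response = SAMPLE_RESPONSE          # offline: use the constructed sample
    else:
        response = boto3.client("config").describe_configuration_recorders()
    for name, (missing, problems) in coverage_report(response).items():
        print(f"recorder {name!r}: not recording {missing or 'none of the new types'}")
        for problem in problems:
            print("  recordingGroup problem:", problem)


if __name__ == "__main__":
    main()
```

A recorder with allSupported set to true picks the new regional types up automatically; the explicit-list recorder in the sample needs every one of them added by hand with PutConfigurationRecorder.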
{'resourceType': ['AWS::ACM::Certificate', 'AWS::RDS::DBSnapshot', 'AWS::RDS::EventSubscription', 'AWS::RDS::DBInstance', 'AWS::RDS::DBSubnetGroup', 'AWS::RDS::DBSecurityGroup']}
Response
{'configurationItems': {'relationships': {'resourceType': ['AWS::ACM::Certificate', 'AWS::RDS::DBSnapshot', 'AWS::RDS::EventSubscription', 'AWS::RDS::DBInstance', 'AWS::RDS::DBSubnetGroup', 'AWS::RDS::DBSecurityGroup']}, 'resourceType': ['AWS::ACM::Certificate', 'AWS::RDS::DBSnapshot', 'AWS::RDS::EventSubscription', 'AWS::RDS::DBInstance', 'AWS::RDS::DBSubnetGroup', 'AWS::RDS::DBSecurityGroup'], 'supplementaryConfiguration': {'string': 'string'}}}
Returns a list of configuration items for the specified resource. The list contains details about each state of the resource during the specified time interval.
The response is paginated, and by default, AWS Config returns a limit of 10 configuration items per page. You can customize this number with the limit parameter. The response includes a nextToken string, and to get the next page of results, run the request again and enter this string for the nextToken parameter.
Note
Each call to the API is limited to span a duration of seven days. It is likely that the number of records returned is smaller than the specified limit. In such cases, you can make another call, using the nextToken.
Request Syntax
client.get_resource_config_history(
    resourceType='AWS::EC2::CustomerGateway'|'AWS::EC2::EIP'|'AWS::EC2::Host'|'AWS::EC2::Instance'|'AWS::EC2::InternetGateway'|'AWS::EC2::NetworkAcl'|'AWS::EC2::NetworkInterface'|'AWS::EC2::RouteTable'|'AWS::EC2::SecurityGroup'|'AWS::EC2::Subnet'|'AWS::CloudTrail::Trail'|'AWS::EC2::Volume'|'AWS::EC2::VPC'|'AWS::EC2::VPNConnection'|'AWS::EC2::VPNGateway'|'AWS::IAM::Group'|'AWS::IAM::Policy'|'AWS::IAM::Role'|'AWS::IAM::User'|'AWS::ACM::Certificate'|'AWS::RDS::DBInstance'|'AWS::RDS::DBSubnetGroup'|'AWS::RDS::DBSecurityGroup'|'AWS::RDS::DBSnapshot'|'AWS::RDS::EventSubscription',
    resourceId='string',
    laterTime=datetime(2015, 1, 1),
    earlierTime=datetime(2015, 1, 1),
    chronologicalOrder='Reverse'|'Forward',
    limit=123,
    nextToken='string'
)
resourceType (string) -- [REQUIRED]
The resource type.
resourceId (string) -- [REQUIRED]
The ID of the resource (for example, sg-xxxxxx).
laterTime (datetime) --
The time stamp that indicates a later time. If not specified, the current time is used.
earlierTime (datetime) --
The time stamp that indicates an earlier time. If not specified, the action returns paginated results that contain configuration items that start from when the first configuration item was recorded.
chronologicalOrder (string) --
The chronological order for the configuration items listed. By default, the results are listed in reverse chronological order.
limit (integer) --
The maximum number of configuration items returned on each page. The default is 10. You cannot specify a limit greater than 100. If you specify 0, AWS Config uses the default.
nextToken (string) --
The nextToken string returned on a previous page that you use to get the next page of results in a paginated response.
Return type: dict
Response Syntax
{
    'configurationItems': [
        {
            'version': 'string',
            'accountId': 'string',
            'configurationItemCaptureTime': datetime(2015, 1, 1),
            'configurationItemStatus': 'Ok'|'Failed'|'Discovered'|'Deleted',
            'configurationStateId': 'string',
            'configurationItemMD5Hash': 'string',
            'arn': 'string',
            'resourceType': 'AWS::EC2::CustomerGateway'|'AWS::EC2::EIP'|'AWS::EC2::Host'|'AWS::EC2::Instance'|'AWS::EC2::InternetGateway'|'AWS::EC2::NetworkAcl'|'AWS::EC2::NetworkInterface'|'AWS::EC2::RouteTable'|'AWS::EC2::SecurityGroup'|'AWS::EC2::Subnet'|'AWS::CloudTrail::Trail'|'AWS::EC2::Volume'|'AWS::EC2::VPC'|'AWS::EC2::VPNConnection'|'AWS::EC2::VPNGateway'|'AWS::IAM::Group'|'AWS::IAM::Policy'|'AWS::IAM::Role'|'AWS::IAM::User'|'AWS::ACM::Certificate'|'AWS::RDS::DBInstance'|'AWS::RDS::DBSubnetGroup'|'AWS::RDS::DBSecurityGroup'|'AWS::RDS::DBSnapshot'|'AWS::RDS::EventSubscription',
            'resourceId': 'string',
            'resourceName': 'string',
            'awsRegion': 'string',
            'availabilityZone': 'string',
            'resourceCreationTime': datetime(2015, 1, 1),
            'tags': {
                'string': 'string'
            },
            'relatedEvents': [
                'string',
            ],
            'relationships': [
                {
                    'resourceType': 'AWS::EC2::CustomerGateway'|'AWS::EC2::EIP'|'AWS::EC2::Host'|'AWS::EC2::Instance'|'AWS::EC2::InternetGateway'|'AWS::EC2::NetworkAcl'|'AWS::EC2::NetworkInterface'|'AWS::EC2::RouteTable'|'AWS::EC2::SecurityGroup'|'AWS::EC2::Subnet'|'AWS::CloudTrail::Trail'|'AWS::EC2::Volume'|'AWS::EC2::VPC'|'AWS::EC2::VPNConnection'|'AWS::EC2::VPNGateway'|'AWS::IAM::Group'|'AWS::IAM::Policy'|'AWS::IAM::Role'|'AWS::IAM::User'|'AWS::ACM::Certificate'|'AWS::RDS::DBInstance'|'AWS::RDS::DBSubnetGroup'|'AWS::RDS::DBSecurityGroup'|'AWS::RDS::DBSnapshot'|'AWS::RDS::EventSubscription',
                    'resourceId': 'string',
                    'resourceName': 'string',
                    'relationshipName': 'string'
                },
            ],
            'configuration': 'string',
            'supplementaryConfiguration': {
                'string': 'string'
            }
        },
    ],
    'nextToken': 'string'
}
Response Structure
(dict) --
The output for the GetResourceConfigHistory action.
configurationItems (list) --
A list that contains the configuration history of one or more resources.
(dict) --
A list that contains detailed configurations of a specified resource.
Note
Currently, the list does not contain information about non-AWS components (for example, applications on your Amazon EC2 instances).
version (string) --
The version number of the resource configuration.
accountId (string) --
The 12-digit AWS account ID associated with the resource.
configurationItemCaptureTime (datetime) --
The time when the configuration recording was initiated.
configurationItemStatus (string) --
The configuration item status.
configurationStateId (string) --
An identifier that indicates the ordering of the configuration items of a resource.
configurationItemMD5Hash (string) --
Unique MD5 hash that represents the configuration item's state.
You can use the MD5 hash to compare the states of two or more configuration items that are associated with the same resource.
arn (string) --
The Amazon Resource Name (ARN) of the resource.
resourceType (string) --
The type of AWS resource.
resourceId (string) --
The ID of the resource (for example, sg-xxxxxx).
resourceName (string) --
The custom name of the resource, if available.
awsRegion (string) --
The region where the resource resides.
availabilityZone (string) --
The Availability Zone associated with the resource.
resourceCreationTime (datetime) --
The time stamp when the resource was created.
tags (dict) --
A mapping of key value tags associated with the resource.
(string) --
(string) --
relatedEvents (list) --
A list of CloudTrail event IDs.
A populated field indicates that the current configuration was initiated by the events recorded in the CloudTrail log. For more information about CloudTrail, see What is AWS CloudTrail?
An empty field indicates that the current configuration was not initiated by any event.
(string) --
relationships (list) --
A list of related AWS resources.
(dict) --
The relationship of the related resource to the main resource.
resourceType (string) --
The resource type of the related resource.
resourceId (string) --
The ID of the related resource (for example, sg-xxxxxx).
resourceName (string) --
The custom name of the related resource, if available.
relationshipName (string) --
The type of relationship with the related resource.
configuration (string) --
The description of the resource configuration.
supplementaryConfiguration (dict) --
Configuration attributes that AWS Config returns for certain resource types to supplement the information returned for the configuration parameter.
(string) --
(string) --
nextToken (string) --
The string that you use in a subsequent request to get the next page of results in a paginated response.
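Three details of GetResourceConfigHistory matter when you use it for change tracking rather than a one-off lookup: a single call may span at most seven days, results come in pages joined by nextToken, and configurationItemMD5Hash is the cheap way to tell whether a captured item actually differs from the previous one. The script below is an added example, not boto3's or AWS's own code; it steps a longer interval through seven-day windows, follows nextToken within each window, de-duplicates on configurationStateId, and reports each state change together with the relatedEvents (CloudTrail event IDs) that the item attributes it to. FakeConfigClient and its five sample items are constructed so the script runs offline; boto3.client("config") exposes get_resource_config_history with the same call shape.

```python
"""Walk one resource's configuration history and report where its state changed.

Added example; not boto3's or AWS's own code. FakeConfigClient and the sample
configuration items below are constructed so the script runs offline.
"""
from datetime import datetime, timedelta

SEVEN_DAYS = timedelta(days=7)   # one call may span at most seven days (API reference)


def windows(earlier, later, span=SEVEN_DAYS):
    """Split [earlier, later) into consecutive half-open windows no longer than span."""
    out, start = [], earlier
    while start < later:
        end = min(start + span, later)
        out.append((start, end))
        start = end
    return out


def fetch_history(client, resource_type, resource_id, earlier, later, page_size=100):
    """Return every configuration item in [earlier, later), oldest first, following
    nextToken across pages and stepping through seven-day windows. Items are
    de-duplicated on configurationStateId in case two windows return the same item."""
    items, seen = [], set()
    for win_earlier, win_later in windows(earlier, later):
        kwargs = dict(resourceType=resource_type, resourceId=resource_id,
                      earlierTime=win_earlier, laterTime=win_later,
                      chronologicalOrder="Forward", limit=page_size)
        while True:
            page = client.get_resource_config_history(**kwargs)
            for item in page.get("configurationItems", []):
                if item["configurationStateId"] not in seen:
                    seen.add(item["configurationStateId"])
                    items.append(item)
            token = page.get("nextToken")
            if not token:
                break
            kwargs["nextToken"] = token
    return items


def state_changes(items):
    """Return (capture time, related CloudTrail event IDs) for each item whose
    configurationItemMD5Hash differs from the previous item's hash."""
    changes, previous = [], None
    for item in items:
        digest = item["configurationItemMD5Hash"]
        if previous is not None and digest != previous:
            changes.append((item["configurationItemCaptureTime"], item.get("relatedEvents", [])))
        previous = digest
    return changes


class FakeConfigClient:
    """Constructed stand-in for the boto3 Config client: serves fixed items in pages,
    honours limit/nextToken/chronologicalOrder and rejects windows over seven days."""

    def __init__(self, items):
        self._items = sorted(items, key=lambda i: i["configurationItemCaptureTime"])

    def get_resource_config_history(self, **kw):
        if kw["laterTime"] - kw["earlierTime"] > SEVEN_DAYS:
            raise ValueError("laterTime - earlierTime exceeds seven days")
        selected = [i for i in self._items
                    if i["resourceId"] == kw["resourceId"]
                    and kw["earlierTime"] <= i["configurationItemCaptureTime"] < kw["laterTime"]]
        if kw.get("chronologicalOrder", "Reverse") == "Reverse":
            selected.reverse()
        limit = kw.get("limit") or 10          # 0 or absent means the default of 10
        start = int(kw.get("nextToken") or 0)
        page = {"configurationItems": selected[start:start + limit]}
        if start + limit < len(selected):
            page["nextToken"] = str(start + limit)
        return page


START = datetime(2016, 7, 1)
RESOURCE = "db-hypothetical"   # constructed RDS instance resource ID


def _item(day, state_id, md5, events=()):
    return {"resourceType": "AWS::RDS::DBInstance", "resourceId": RESOURCE,
            "configurationStateId": state_id, "configurationItemMD5Hash": md5,
            "configurationItemCaptureTime": START + timedelta(days=day),
            "relatedEvents": list(events)}


SAMPLE_CLIENT = FakeConfigClient([     # constructed history: five captures over 16 days
    _item(0, "1", "md5-a"),
    _item(3, "2", "md5-a"),                          # re-captured, unchanged
    _item(5, "3", "md5-a"),
    _item(10, "4", "md5-b", ["evt-constructed-1"]),  # changed by a CloudTrail-recorded event
    _item(16, "5", "md5-c"),                         # changed, no related event recorded
])


def main():
    items = fetch_history(SAMPLE_CLIENT, "AWS::RDS::DBInstance", RESOURCE,
                          START, START + timedelta(days=20), page_size=2)
    print(f"{len(items)} configuration items")
    for when, events in state_changes(items):
        print(f"{when:%Y-%m-%d}: state changed; related CloudTrail events: {events or 'none'}")


if __name__ == "__main__":
    main()
```

A change with an empty relatedEvents list is exactly the kind of item worth a second look, since the page states that an empty field means the configuration was not initiated by any recorded event.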
{'resourceType': ['AWS::ACM::Certificate', 'AWS::RDS::DBSnapshot', 'AWS::RDS::EventSubscription', 'AWS::RDS::DBInstance', 'AWS::RDS::DBSubnetGroup', 'AWS::RDS::DBSecurityGroup']}
Response
{'resourceIdentifiers': {'resourceType': ['AWS::ACM::Certificate', 'AWS::RDS::DBSnapshot', 'AWS::RDS::EventSubscription', 'AWS::RDS::DBInstance', 'AWS::RDS::DBSubnetGroup', 'AWS::RDS::DBSecurityGroup']}}
Accepts a resource type and returns a list of resource identifiers for the resources of that type. A resource identifier includes the resource type, ID, and (if available) the custom resource name. The results consist of resources that AWS Config has discovered, including those that AWS Config is not currently recording. You can narrow the results to include only resources that have specific resource IDs or a resource name.
Note
You can specify either resource IDs or a resource name but not both in the same request.
The response is paginated, and by default AWS Config lists 100 resource identifiers on each page. You can customize this number with the limit parameter. The response includes a nextToken string, and to get the next page of results, run the request again and enter this string for the nextToken parameter.
Request Syntax
client.list_discovered_resources(
    resourceType='AWS::EC2::CustomerGateway'|'AWS::EC2::EIP'|'AWS::EC2::Host'|'AWS::EC2::Instance'|'AWS::EC2::InternetGateway'|'AWS::EC2::NetworkAcl'|'AWS::EC2::NetworkInterface'|'AWS::EC2::RouteTable'|'AWS::EC2::SecurityGroup'|'AWS::EC2::Subnet'|'AWS::CloudTrail::Trail'|'AWS::EC2::Volume'|'AWS::EC2::VPC'|'AWS::EC2::VPNConnection'|'AWS::EC2::VPNGateway'|'AWS::IAM::Group'|'AWS::IAM::Policy'|'AWS::IAM::Role'|'AWS::IAM::User'|'AWS::ACM::Certificate'|'AWS::RDS::DBInstance'|'AWS::RDS::DBSubnetGroup'|'AWS::RDS::DBSecurityGroup'|'AWS::RDS::DBSnapshot'|'AWS::RDS::EventSubscription',
    resourceIds=[
        'string',
    ],
    resourceName='string',
    limit=123,
    includeDeletedResources=True|False,
    nextToken='string'
)
resourceType (string) -- [REQUIRED]
The type of resources that you want AWS Config to list in the response.
resourceIds (list) --
The IDs of only those resources that you want AWS Config to list in the response. If you do not specify this parameter, AWS Config lists all resources of the specified type that it has discovered.
(string) --
resourceName (string) --
The custom name of only those resources that you want AWS Config to list in the response. If you do not specify this parameter, AWS Config lists all resources of the specified type that it has discovered.
limit (integer) --
The maximum number of resource identifiers returned on each page. The default is 100. You cannot specify a limit greater than 100. If you specify 0, AWS Config uses the default.
includeDeletedResources (boolean) --
Specifies whether AWS Config includes deleted resources in the results. By default, deleted resources are not included.
nextToken (string) --
The nextToken string returned on a previous page that you use to get the next page of results in a paginated response.
Return type: dict
Response Syntax
{
    'resourceIdentifiers': [
        {
            'resourceType': 'AWS::EC2::CustomerGateway'|'AWS::EC2::EIP'|'AWS::EC2::Host'|'AWS::EC2::Instance'|'AWS::EC2::InternetGateway'|'AWS::EC2::NetworkAcl'|'AWS::EC2::NetworkInterface'|'AWS::EC2::RouteTable'|'AWS::EC2::SecurityGroup'|'AWS::EC2::Subnet'|'AWS::CloudTrail::Trail'|'AWS::EC2::Volume'|'AWS::EC2::VPC'|'AWS::EC2::VPNConnection'|'AWS::EC2::VPNGateway'|'AWS::IAM::Group'|'AWS::IAM::Policy'|'AWS::IAM::Role'|'AWS::IAM::User'|'AWS::ACM::Certificate'|'AWS::RDS::DBInstance'|'AWS::RDS::DBSubnetGroup'|'AWS::RDS::DBSecurityGroup'|'AWS::RDS::DBSnapshot'|'AWS::RDS::EventSubscription',
            'resourceId': 'string',
            'resourceName': 'string',
            'resourceDeletionTime': datetime(2015, 1, 1)
        },
    ],
    'nextToken': 'string'
}
Response Structure
(dict) --
resourceIdentifiers (list) --
The details that identify a resource that is discovered by AWS Config, including the resource type, ID, and (if available) the custom resource name.
(dict) --
The details that identify a resource that is discovered by AWS Config, including the resource type, ID, and (if available) the custom resource name.
resourceType (string) --
The type of resource.
resourceId (string) --
The ID of the resource (for example, sg-xxxxxx).
resourceName (string) --
The custom name of the resource (if available).
resourceDeletionTime (datetime) --
The time that the resource was deleted.
nextToken (string) --
The string that you use in a subsequent request to get the next page of results in a paginated response.
{'ConfigRule': {'ConfigRuleState': ['EVALUATING', 'DELETING_RESULTS'], 'Source': {'SourceDetails': {'MaximumExecutionFrequency': 'One_Hour | Three_Hours | Six_Hours | Twelve_Hours | TwentyFour_Hours', 'MessageType': ['ScheduledNotification']}}}}
Adds or updates an AWS Config rule for evaluating whether your AWS resources comply with your desired configurations.
You can use this action for custom Config rules and AWS managed Config rules. A custom Config rule is a rule that you develop and maintain. An AWS managed Config rule is a customizable, predefined rule that AWS Config provides.
If you are adding a new custom Config rule, you must first create the AWS Lambda function that the rule invokes to evaluate your resources. When you use the PutConfigRule action to add the rule to AWS Config, you must specify the Amazon Resource Name (ARN) that AWS Lambda assigns to the function. Specify the ARN for the SourceIdentifier key. This key is part of the Source object, which is part of the ConfigRule object.
If you are adding a new AWS managed Config rule, specify the rule's identifier for the SourceIdentifier key. To reference AWS managed Config rule identifiers, see Using AWS Managed Config Rules.
For any new rule that you add, specify the ConfigRuleName in the ConfigRule object. Do not specify the ConfigRuleArn or the ConfigRuleId. These values are generated by AWS Config for new rules.
If you are updating a rule that you have added previously, specify the rule's ConfigRuleName, ConfigRuleId, or ConfigRuleArn in the ConfigRule data type that you use in this request.
The maximum number of rules that AWS Config supports is 25.
For more information about developing and using AWS Config rules, see Evaluating AWS Resource Configurations with AWS Config in the AWS Config Developer Guide.
Request Syntax
client.put_config_rule(
    ConfigRule={
        'ConfigRuleName': 'string',
        'ConfigRuleArn': 'string',
        'ConfigRuleId': 'string',
        'Description': 'string',
        'Scope': {
            'ComplianceResourceTypes': [
                'string',
            ],
            'TagKey': 'string',
            'TagValue': 'string',
            'ComplianceResourceId': 'string'
        },
        'Source': {
            'Owner': 'CUSTOM_LAMBDA'|'AWS',
            'SourceIdentifier': 'string',
            'SourceDetails': [
                {
                    'EventSource': 'aws.config',
                    'MessageType': 'ConfigurationItemChangeNotification'|'ConfigurationSnapshotDeliveryCompleted'|'ScheduledNotification',
                    'MaximumExecutionFrequency': 'One_Hour'|'Three_Hours'|'Six_Hours'|'Twelve_Hours'|'TwentyFour_Hours'
                },
            ]
        },
        'InputParameters': 'string',
        'MaximumExecutionFrequency': 'One_Hour'|'Three_Hours'|'Six_Hours'|'Twelve_Hours'|'TwentyFour_Hours',
        'ConfigRuleState': 'ACTIVE'|'DELETING'|'DELETING_RESULTS'|'EVALUATING'
    }
)
ConfigRule (dict) -- [REQUIRED]
An AWS Lambda function that evaluates configuration items to assess whether your AWS resources comply with your desired configurations. This function can run when AWS Config detects a configuration change to an AWS resource and at a periodic frequency that you choose (for example, every 24 hours).
Note
You can use the AWS CLI and AWS SDKs if you want to create a rule that triggers evaluations for your resources when AWS Config delivers the configuration snapshot. For more information, see ConfigSnapshotDeliveryProperties.
For more information about developing and using AWS Config rules, see Evaluating AWS Resource Configurations with AWS Config in the AWS Config Developer Guide.
ConfigRuleName (string) --
The name that you assign to the AWS Config rule. The name is required if you are adding a new rule.
ConfigRuleArn (string) --
The Amazon Resource Name (ARN) of the AWS Config rule.
ConfigRuleId (string) --
The ID of the AWS Config rule.
Description (string) --
The description that you provide for the AWS Config rule.
Scope (dict) --
Defines which resources can trigger an evaluation for the rule. The scope can include one or more resource types, a combination of one resource type and one resource ID, or a combination of a tag key and value. Specify a scope to constrain the resources that can trigger an evaluation for the rule. If you do not specify a scope, evaluations are triggered when any resource in the recording group changes.
ComplianceResourceTypes (list) --
The resource types of only those AWS resources that you want to trigger an evaluation for the rule. You can only specify one type if you also specify a resource ID for ComplianceResourceId.
(string) --
TagKey (string) --
The tag key that is applied to only those AWS resources that you want to trigger an evaluation for the rule.
TagValue (string) --
The tag value applied to only those AWS resources that you want to trigger an evaluation for the rule. If you specify a value for TagValue, you must also specify a value for TagKey.
ComplianceResourceId (string) --
The ID of the only AWS resource that you want to trigger an evaluation for the rule. If you specify a resource ID, you must specify one resource type for ComplianceResourceTypes.
Source (dict) -- [REQUIRED]
Provides the rule owner (AWS or customer), the rule identifier, and the notifications that cause the function to evaluate your AWS resources.
Owner (string) --
Indicates whether AWS or the customer owns and manages the AWS Config rule.
SourceIdentifier (string) --
For AWS managed Config rules, a pre-defined identifier from a list. To reference the list, see Using AWS Managed Config Rules.
For custom Config rules, the identifier is the Amazon Resource Name (ARN) of the rule's AWS Lambda function.
SourceDetails (list) --
Provides the source and type of the event that causes AWS Config to evaluate your AWS resources.
(dict) --
Provides the source and the message type that trigger AWS Config to evaluate your AWS resources against a rule. It also provides the frequency with which you want AWS Config to run evaluations for the rule if the trigger type is periodic.
EventSource (string) --
The source of the event, such as an AWS service, that triggers AWS Config to evaluate your AWS resources.
MessageType (string) --
The type of SNS message that triggers AWS Config to run an evaluation.
For evaluations that are initiated when AWS Config delivers a configuration item change notification, you must use ConfigurationItemChangeNotification .
For evaluations that are initiated at a frequency that you choose (for example, every 24 hours), you must use ScheduledNotification .
For evaluations that are initiated when AWS Config delivers a configuration snapshot, you must use ConfigurationSnapshotDeliveryCompleted .
MaximumExecutionFrequency (string) --
If the trigger type for your rule includes periodic, AWS Config runs evaluations for the rule at a frequency that you choose. If you specify a value for MaximumExecutionFrequency, then MessageType must use the ScheduledNotification value.
InputParameters (string) --
A string in JSON format that is passed to the AWS Config rule Lambda function.
MaximumExecutionFrequency (string) --
If you want to create a rule that evaluates at a frequency that is independent of the configuration snapshot delivery, use the MaximumExecutionFrequency parameter in the SourceDetail object.
Note
If you want to create a rule that triggers evaluations for your resources when AWS Config delivers the configuration snapshot, see the following:
A rule that runs an evaluation when AWS Config delivers a configuration snapshot cannot run evaluations more frequently than AWS Config delivers the snapshots. Set the value of MaximumExecutionFrequency to be equal to or greater than the value of the deliveryFrequency key, which is part of ConfigSnapshotDeliveryProperties.
For more information, see ConfigSnapshotDeliveryProperties.
ConfigRuleState (string) --
Indicates whether the AWS Config rule is active or is currently being deleted by AWS Config. It can also indicate the evaluation status for the Config rule.
AWS Config sets the state of the rule to EVALUATING temporarily after you use the StartConfigRulesEvaluation request to evaluate your resources against the Config rule.
AWS Config sets the state of the rule to DELETING_RESULTS temporarily after you use the DeleteEvaluationResults request to delete the current evaluation results for the Config rule.
AWS Config sets the state of a rule to DELETING temporarily after you use the DeleteConfigRule request to delete the rule. After AWS Config deletes the rule, the rule and all of its evaluations are erased and are no longer available.
None
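The Source, SourceDetails and ConfigRuleState descriptions above are easier to apply with a worked example. The following is an added example, not code from this page or from AWS: it builds a custom rule that uses both trigger types this release introduced (a change notification plus a periodic ScheduledNotification), checks the constraints the text states (MaximumExecutionFrequency only with ScheduledNotification; a snapshot-triggered rule's frequency no shorter than deliveryFrequency), and polls describe_config_rules so that a second StartConfigRulesEvaluation is not issued while the rule is still EVALUATING. The rule name, Lambda ARN, input parameters and the helper function names are assumptions; only the boto3 parameter names and enum values come from the page.

```python
import json
import time

# Periodic frequencies accepted by MaximumExecutionFrequency, shortest first.
# The same names are used by ConfigSnapshotDeliveryProperties.deliveryFrequency.
FREQUENCIES = ["One_Hour", "Three_Hours", "Six_Hours", "Twelve_Hours", "TwentyFour_Hours"]

CHANGE = "ConfigurationItemChangeNotification"
SCHEDULED = "ScheduledNotification"
SNAPSHOT = "ConfigurationSnapshotDeliveryCompleted"

# States in which a new StartConfigRulesEvaluation or DeleteEvaluationResults
# call should not be issued (for DELETING the rule is going away entirely).
BUSY_STATES = {"EVALUATING", "DELETING_RESULTS", "DELETING"}


def build_hybrid_rule(rule_name, lambda_arn, frequency="TwentyFour_Hours", input_parameters=None):
    """ConfigRule payload for put_config_rule with both trigger types.

    The change trigger evaluates a resource as soon as its configuration item
    changes; the scheduled trigger is the safety net that re-runs the rule at
    most every `frequency` even when no change notification was produced.
    """
    return {
        "ConfigRuleName": rule_name,
        "Source": {
            "Owner": "CUSTOM_LAMBDA",
            "SourceIdentifier": lambda_arn,
            "SourceDetails": [
                {"EventSource": "aws.config", "MessageType": CHANGE},
                {"EventSource": "aws.config", "MessageType": SCHEDULED,
                 "MaximumExecutionFrequency": frequency},
            ],
        },
        # InputParameters is a JSON-formatted string, not a dict.
        "InputParameters": json.dumps(input_parameters or {}),
    }


def validate_rule(rule, snapshot_delivery_frequency=None):
    """Check the constraints the page states for SourceDetails and for the
    rule-level MaximumExecutionFrequency. Returns a list of problems."""
    problems = []
    details = rule["Source"].get("SourceDetails", [])
    for i, d in enumerate(details):
        mt, freq = d.get("MessageType"), d.get("MaximumExecutionFrequency")
        if mt not in (CHANGE, SCHEDULED, SNAPSHOT):
            problems.append(f"SourceDetails[{i}]: unknown MessageType {mt!r}")
        if freq is not None and freq not in FREQUENCIES:
            problems.append(f"SourceDetails[{i}]: unknown MaximumExecutionFrequency {freq!r}")
        elif freq is not None and mt != SCHEDULED:
            problems.append(f"SourceDetails[{i}]: MaximumExecutionFrequency requires MessageType {SCHEDULED}")
    rule_freq = rule.get("MaximumExecutionFrequency")
    if rule_freq is not None and rule_freq not in FREQUENCIES:
        problems.append(f"unknown rule-level MaximumExecutionFrequency {rule_freq!r}")
    elif (rule_freq and snapshot_delivery_frequency in FREQUENCIES
          and any(d.get("MessageType") == SNAPSHOT for d in details)
          and FREQUENCIES.index(rule_freq) < FREQUENCIES.index(snapshot_delivery_frequency)):
        # A snapshot-triggered rule cannot run more often than snapshots are delivered.
        problems.append(f"MaximumExecutionFrequency {rule_freq} is shorter than deliveryFrequency {snapshot_delivery_frequency}")
    if not isinstance(rule.get("InputParameters", ""), str):
        problems.append("InputParameters must be a JSON-formatted string")
    return problems


def rule_state(describe_response, rule_name):
    """ConfigRuleState from a describe_config_rules response, or None if the rule is absent."""
    for r in describe_response.get("ConfigRules", []):
        if r.get("ConfigRuleName") == rule_name:
            return r.get("ConfigRuleState")
    return None


def rule_is_busy(describe_response, rule_name):
    return rule_state(describe_response, rule_name) in BUSY_STATES


def wait_until_idle(client, rule_name, timeout=300, interval=10):
    """Poll describe_config_rules until the rule leaves EVALUATING / DELETING_RESULTS.
    An in-flight StartConfigRulesEvaluation must complete before the next call."""
    deadline = time.time() + timeout
    while time.time() < deadline:
        resp = client.describe_config_rules(ConfigRuleNames=[rule_name])
        if not rule_is_busy(resp, rule_name):
            return rule_state(resp, rule_name)
        time.sleep(interval)
    raise TimeoutError(f"{rule_name} still busy after {timeout}s")


if __name__ == "__main__":
    import boto3  # only the live calls need it; the helpers above run offline

    client = boto3.client("config")
    rule = build_hybrid_rule(
        "rds-snapshot-not-public",  # assumed rule name
        "arn:aws:lambda:us-east-1:123456789012:function:rds-snapshot-check",  # assumed Lambda ARN
        frequency="Six_Hours",
        input_parameters={"allowPublic": "false"},  # assumed parameters for the Lambda
    )
    assert validate_rule(rule) == [], validate_rule(rule)
    client.put_config_rule(ConfigRule=rule)
    wait_until_idle(client, "rds-snapshot-not-public")
    client.start_config_rules_evaluation(ConfigRuleNames=["rds-snapshot-not-public"])
```

The periodic SourceDetail is what makes the rule useful as a detective control: a change-only rule stays silent for a resource whose non-compliant state predates the rule or whose change notification was never recorded, while the scheduled trigger re-evaluates it anyway.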
{'ConfigurationRecorder': {'recordingGroup': {'resourceTypes': ['AWS::ACM::Certificate', 'AWS::RDS::DBSnapshot', 'AWS::RDS::EventSubscription', 'AWS::RDS::DBInstance', 'AWS::RDS::DBSubnetGroup', 'AWS::RDS::DBSecurityGroup']}}}
Creates a new configuration recorder to record the selected resource configurations.
You can use this action to change the roleARN and/or the recordingGroup of an existing recorder. To change the role, call the action on the existing configuration recorder and specify the new role.
Note
Currently, you can specify only one configuration recorder per account.
If ConfigurationRecorder does not have the recordingGroup parameter specified, the default is to record all supported resource types.
Request Syntax
client.put_configuration_recorder( ConfigurationRecorder={ 'name': 'string', 'roleARN': 'string', 'recordingGroup': { 'allSupported': True|False, 'includeGlobalResourceTypes': True|False, 'resourceTypes': [ 'AWS::EC2::CustomerGateway'|'AWS::EC2::EIP'|'AWS::EC2::Host'|'AWS::EC2::Instance'|'AWS::EC2::InternetGateway'|'AWS::EC2::NetworkAcl'|'AWS::EC2::NetworkInterface'|'AWS::EC2::RouteTable'|'AWS::EC2::SecurityGroup'|'AWS::EC2::Subnet'|'AWS::CloudTrail::Trail'|'AWS::EC2::Volume'|'AWS::EC2::VPC'|'AWS::EC2::VPNConnection'|'AWS::EC2::VPNGateway'|'AWS::IAM::Group'|'AWS::IAM::Policy'|'AWS::IAM::Role'|'AWS::IAM::User'|'AWS::ACM::Certificate'|'AWS::RDS::DBInstance'|'AWS::RDS::DBSubnetGroup'|'AWS::RDS::DBSecurityGroup'|'AWS::RDS::DBSnapshot'|'AWS::RDS::EventSubscription', ] } } )
dict
[REQUIRED]
The configuration recorder object that records each configuration change made to the resources.
name (string) --
The name of the recorder. By default, AWS Config automatically assigns the name "default" when creating the configuration recorder. You cannot change the assigned name.
roleARN (string) --
Amazon Resource Name (ARN) of the IAM role used to describe the AWS resources associated with the account.
recordingGroup (dict) --
Specifies the types of AWS resource for which AWS Config records configuration changes.
allSupported (boolean) --
Specifies whether AWS Config records configuration changes for every supported type of regional resource.
If you set this option to true , when AWS Config adds support for a new type of regional resource, it automatically starts recording resources of that type.
If you set this option to true, you cannot enumerate a list of resourceTypes.
includeGlobalResourceTypes (boolean) --
Specifies whether AWS Config includes all supported types of global resources (for example, IAM resources) with the resources that it records.
Before you can set this option to true , you must set the allSupported option to true .
If you set this option to true , when AWS Config adds support for a new type of global resource, it automatically starts recording resources of that type.
The configuration details for any global resource are the same in all regions. To prevent duplicate configuration items, you should consider customizing AWS Config in only one region to record global resources.
resourceTypes (list) --
A list that specifies the types of AWS resources for which AWS Config records configuration changes (for example, AWS::EC2::Instance or AWS::CloudTrail::Trail).
Before you can specify a list of resource types, you must set the allSupported option to false.
If you specify a list of resource types, when AWS Config adds support for a new type of resource, it will not record resources of that type unless you manually add that type to your recording group.
For a list of valid resourceTypes values, see the resourceType Value column in Supported AWS Resource Types .
(string) --
None
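The recordingGroup constraints above (allSupported excludes an explicit resourceTypes list, includeGlobalResourceTypes requires allSupported, global types should be recorded in one region only) are the kind of thing that silently breaks a detective control when they are got wrong: a change-triggered rule only sees configuration items the recorder produces. The following is an added example, not code from this page or from AWS: it validates a recordingGroup against those constraints, builds a per-region ConfigurationRecorder that records IAM only in a designated home region, and reports which resource types a given recording group will not cover. The helper names, the role ARN, the region choice and the treatment of an empty explicit list as a misconfiguration are assumptions; the resource type names and parameter names come from the page.

```python
# Resource types added to the recorder in this release (from the diff on this page).
NEW_TYPES = ["AWS::ACM::Certificate", "AWS::RDS::DBInstance", "AWS::RDS::DBSubnetGroup",
             "AWS::RDS::DBSecurityGroup", "AWS::RDS::DBSnapshot", "AWS::RDS::EventSubscription"]

# Global resource types; the page names IAM resources as the example of global types.
GLOBAL_TYPES = {"AWS::IAM::Group", "AWS::IAM::Policy", "AWS::IAM::Role", "AWS::IAM::User"}


def validate_recording_group(group):
    """Return the recordingGroup constraints that `group` violates (empty when valid)."""
    problems = []
    if group.get("allSupported") and group.get("resourceTypes"):
        problems.append("resourceTypes cannot be listed when allSupported is true")
    if group.get("includeGlobalResourceTypes") and not group.get("allSupported"):
        problems.append("includeGlobalResourceTypes requires allSupported to be true")
    if not group.get("allSupported") and not group.get("resourceTypes"):
        # Assumed: an explicit group that selects nothing is treated as a misconfiguration.
        problems.append("allSupported is false but resourceTypes is empty; nothing would be recorded")
    return problems


def build_recording_group(all_supported=True, include_global=False, resource_types=()):
    """recordingGroup dict for put_configuration_recorder; raises on an invalid combination."""
    group = {"allSupported": all_supported, "includeGlobalResourceTypes": include_global}
    if resource_types:
        group["resourceTypes"] = list(resource_types)
    problems = validate_recording_group(group)
    if problems:
        raise ValueError("; ".join(problems))
    return group


def build_recorder(role_arn, region, home_region, name="default"):
    """Recorder that records every supported regional type in every region and the
    global (IAM) types only in `home_region`, so each global resource yields one
    configuration item rather than one per region."""
    return {
        "name": name,
        "roleARN": role_arn,
        "recordingGroup": build_recording_group(all_supported=True,
                                                include_global=(region == home_region)),
    }


def coverage_gaps(group, required_types):
    """Types in `required_types` that this recording group will not record.

    Run this for the types your Config rules inspect: with allSupported true only
    global types can be missing (when includeGlobalResourceTypes is false); with an
    explicit list anything not listed, including types AWS adds later, is a gap."""
    if group.get("allSupported"):
        if group.get("includeGlobalResourceTypes"):
            return []
        return [t for t in required_types if t in GLOBAL_TYPES]
    listed = set(group.get("resourceTypes", []))
    return [t for t in required_types if t not in listed]


if __name__ == "__main__":
    import boto3  # only the live call needs it; the helpers above run offline

    HOME = "us-east-1"  # assumed home region for global resources
    ROLE = "arn:aws:iam::123456789012:role/config-recorder"  # assumed role ARN
    for region in ["us-east-1", "eu-west-1"]:  # assumed region list
        recorder = build_recorder(ROLE, region, HOME)
        gaps = coverage_gaps(recorder["recordingGroup"], ["AWS::RDS::DBSnapshot", "AWS::IAM::User"])
        print(region, "not recorded:", gaps)
        boto3.client("config", region_name=region).put_configuration_recorder(
            ConfigurationRecorder=recorder)
```

Because the recorder name cannot be changed and only one recorder exists per account and region, the same call both creates the recorder the first time and updates its roleARN or recordingGroup afterwards; run coverage_gaps against the group you are about to put, not the one you assume is already there.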