2018/04/04 - AWS Config - 12 new api methods
Changes: AWS Config introduces multi-account multi-region data aggregation features. Customers can create an aggregator (a new resource type) in AWS Config that collects AWS Config data from multiple source accounts and regions into an aggregator account. Customers can aggregate data from individual account(s) or an organization and multiple regions. In this release, AWS Config adds several APIs for multi-account multi-region data aggregation.
Authorizes the aggregator account and region to collect data from the source account and region.
See also: AWS API Documentation
Request Syntax
client.put_aggregation_authorization(
    AuthorizedAccountId='string',
    AuthorizedAwsRegion='string'
)
AuthorizedAccountId (string) -- [REQUIRED]
The 12-digit account ID of the account authorized to aggregate data.
AuthorizedAwsRegion (string) -- [REQUIRED]
The region authorized to collect aggregated data.
dict
Response Syntax
{
    'AggregationAuthorization': {
        'AggregationAuthorizationArn': 'string',
        'AuthorizedAccountId': 'string',
        'AuthorizedAwsRegion': 'string',
        'CreationTime': datetime(2015, 1, 1)
    }
}
Response Structure
(dict) --
AggregationAuthorization (dict) --
Returns an AggregationAuthorization object.
AggregationAuthorizationArn (string) --
The Amazon Resource Name (ARN) of the aggregation object.
AuthorizedAccountId (string) --
The 12-digit account ID of the account authorized to aggregate data.
AuthorizedAwsRegion (string) --
The region authorized to collect aggregated data.
CreationTime (datetime) --
The time stamp when the aggregation authorization was created.
Creates and updates the configuration aggregator with the selected source accounts and regions.
Note
AWS Config should be enabled in accounts and regions you want to aggregate.
See also: AWS API Documentation
Request Syntax
client.put_configuration_aggregator(
    ConfigurationAggregatorName='string',
    AccountAggregationSources=[
        {
            'AccountIds': [
                'string',
            ],
            'AllAwsRegions': True|False,
            'AwsRegions': [
                'string',
            ]
        },
    ],
    OrganizationAggregationSource={
        'RoleArn': 'string',
        'AwsRegions': [
            'string',
        ],
        'AllAwsRegions': True|False
    }
)
ConfigurationAggregatorName (string) -- [REQUIRED]
The name of the configuration aggregator.
AccountAggregationSources (list) --
A list of AccountAggregationSource objects.
(dict) --
A collection of accounts and regions.
AccountIds (list) -- [REQUIRED]
The 12-digit account ID of the account being aggregated.
(string) --
AllAwsRegions (boolean) --
If true, aggregate existing AWS Config regions and future regions.
AwsRegions (list) --
The source regions being aggregated.
(string) --
OrganizationAggregationSource (dict) --
An OrganizationAggregationSource object.
RoleArn (string) -- [REQUIRED]
ARN of the IAM role used to retrieve AWS Organization details associated with the aggregator account.
AwsRegions (list) --
The source regions being aggregated.
(string) --
AllAwsRegions (boolean) --
If true, aggregate existing AWS Config regions and future regions.
dict
Response Syntax
{
    'ConfigurationAggregator': {
        'ConfigurationAggregatorName': 'string',
        'ConfigurationAggregatorArn': 'string',
        'AccountAggregationSources': [
            {
                'AccountIds': [
                    'string',
                ],
                'AllAwsRegions': True|False,
                'AwsRegions': [
                    'string',
                ]
            },
        ],
        'OrganizationAggregationSource': {
            'RoleArn': 'string',
            'AwsRegions': [
                'string',
            ],
            'AllAwsRegions': True|False
        },
        'CreationTime': datetime(2015, 1, 1),
        'LastUpdatedTime': datetime(2015, 1, 1)
    }
}
Response Structure
(dict) --
ConfigurationAggregator (dict) --
Returns a ConfigurationAggregator object.
ConfigurationAggregatorName (string) --
The name of the aggregator.
ConfigurationAggregatorArn (string) --
The Amazon Resource Name (ARN) of the aggregator.
AccountAggregationSources (list) --
Provides a list of source accounts and regions to be aggregated.
(dict) --
A collection of accounts and regions.
AccountIds (list) --
The 12-digit account ID of the account being aggregated.
(string) --
AllAwsRegions (boolean) --
If true, aggregate existing AWS Config regions and future regions.
AwsRegions (list) --
The source regions being aggregated.
(string) --
OrganizationAggregationSource (dict) --
Provides an organization and list of regions to be aggregated.
RoleArn (string) --
ARN of the IAM role used to retrieve AWS Organization details associated with the aggregator account.
AwsRegions (list) --
The source regions being aggregated.
(string) --
AllAwsRegions (boolean) --
If true, aggregate existing AWS Config regions and future regions.
CreationTime (datetime) --
The time stamp when the configuration aggregator was created.
LastUpdatedTime (datetime) --
The time of the last update.
Returns a list of authorizations granted to various aggregator accounts and regions.
See also: AWS API Documentation
Request Syntax
client.describe_aggregation_authorizations(
    Limit=123,
    NextToken='string'
)
Limit (integer) --
The maximum number of AggregationAuthorizations returned on each page. The default is maximum. If you specify 0, AWS Config uses the default.
NextToken (string) --
The nextToken string returned on a previous page that you use to get the next page of results in a paginated response.
dict
Response Syntax
{
    'AggregationAuthorizations': [
        {
            'AggregationAuthorizationArn': 'string',
            'AuthorizedAccountId': 'string',
            'AuthorizedAwsRegion': 'string',
            'CreationTime': datetime(2015, 1, 1)
        },
    ],
    'NextToken': 'string'
}
Response Structure
(dict) --
AggregationAuthorizations (list) --
Returns a list of authorizations granted to various aggregator accounts and regions.
(dict) --
An object that represents the authorizations granted to aggregator accounts and regions.
AggregationAuthorizationArn (string) --
The Amazon Resource Name (ARN) of the aggregation object.
AuthorizedAccountId (string) --
The 12-digit account ID of the account authorized to aggregate data.
AuthorizedAwsRegion (string) --
The region authorized to collect aggregated data.
CreationTime (datetime) --
The time stamp when the aggregation authorization was created.
NextToken (string) --
The nextToken string returned on a previous page that you use to get the next page of results in a paginated response.
Deletes the authorization granted to the specified configuration aggregator account in a specified region.
See also: AWS API Documentation
Request Syntax
client.delete_aggregation_authorization(
    AuthorizedAccountId='string',
    AuthorizedAwsRegion='string'
)
AuthorizedAccountId (string) -- [REQUIRED]
The 12-digit account ID of the account authorized to aggregate data.
AuthorizedAwsRegion (string) -- [REQUIRED]
The region authorized to collect aggregated data.
None
Returns status information for sources within an aggregator. The status includes information about the last time AWS Config aggregated data from source accounts or AWS Config failed to aggregate data from source accounts with the related error code or message.
See also: AWS API Documentation
Request Syntax
client.describe_configuration_aggregator_sources_status(
    ConfigurationAggregatorName='string',
    UpdateStatus=[
        'FAILED'|'SUCCEEDED'|'OUTDATED',
    ],
    NextToken='string',
    Limit=123
)
ConfigurationAggregatorName (string) -- [REQUIRED]
The name of the configuration aggregator.
UpdateStatus (list) --
Filters the status type.
Valid value FAILED indicates errors while moving data.
Valid value SUCCEEDED indicates the data was successfully moved.
Valid value OUTDATED indicates the data is not the most recent.
(string) --
NextToken (string) --
The nextToken string returned on a previous page that you use to get the next page of results in a paginated response.
Limit (integer) --
The maximum number of AggregatorSourceStatus returned on each page. The default is maximum. If you specify 0, AWS Config uses the default.
dict
Response Syntax
{
    'AggregatedSourceStatusList': [
        {
            'SourceId': 'string',
            'SourceType': 'ACCOUNT'|'ORGANIZATION',
            'AwsRegion': 'string',
            'LastUpdateStatus': 'FAILED'|'SUCCEEDED'|'OUTDATED',
            'LastUpdateTime': datetime(2015, 1, 1),
            'LastErrorCode': 'string',
            'LastErrorMessage': 'string'
        },
    ],
    'NextToken': 'string'
}
Response Structure
(dict) --
AggregatedSourceStatusList (list) --
Returns an AggregatedSourceStatus object.
(dict) --
The current sync status between the source and the aggregator account.
SourceId (string) --
The source account ID or an organization.
SourceType (string) --
The source account or an organization.
AwsRegion (string) --
The region authorized to collect aggregated data.
LastUpdateStatus (string) --
Filters the last updated status type.
Valid value FAILED indicates errors while moving data.
Valid value SUCCEEDED indicates the data was successfully moved.
Valid value OUTDATED indicates the data is not the most recent.
LastUpdateTime (datetime) --
The time of the last update.
LastErrorCode (string) --
The error code that AWS Config returned when the source account aggregation last failed.
LastErrorMessage (string) --
The message indicating that the source account aggregation failed due to an error.
NextToken (string) --
The nextToken string returned on a previous page that you use to get the next page of results in a paginated response.
Returns a list of compliant and noncompliant rules with the number of resources for compliant and noncompliant rules.
Note
The results can return an empty result page, but if you have a nextToken, the results are displayed on the next page.
See also: AWS API Documentation
Request Syntax
client.describe_aggregate_compliance_by_config_rules(
    ConfigurationAggregatorName='string',
    Filters={
        'ConfigRuleName': 'string',
        'ComplianceType': 'COMPLIANT'|'NON_COMPLIANT'|'NOT_APPLICABLE'|'INSUFFICIENT_DATA',
        'AccountId': 'string',
        'AwsRegion': 'string'
    },
    Limit=123,
    NextToken='string'
)
ConfigurationAggregatorName (string) -- [REQUIRED]
The name of the configuration aggregator.
Filters (dict) --
Filters the results by ConfigRuleComplianceFilters object.
ConfigRuleName (string) --
The name of the AWS Config rule.
ComplianceType (string) --
The rule compliance status.
For the ConfigRuleComplianceFilters data type, AWS Config supports only COMPLIANT and NON_COMPLIANT. AWS Config does not support the NOT_APPLICABLE and the INSUFFICIENT_DATA values.
AccountId (string) --
The 12-digit account ID of the source account.
AwsRegion (string) --
The source region where the data is aggregated.
Limit (integer) --
The maximum number of evaluation results returned on each page. The default is maximum. If you specify 0, AWS Config uses the default.
NextToken (string) --
The nextToken string returned on a previous page that you use to get the next page of results in a paginated response.
dict
Response Syntax
{
    'AggregateComplianceByConfigRules': [
        {
            'ConfigRuleName': 'string',
            'Compliance': {
                'ComplianceType': 'COMPLIANT'|'NON_COMPLIANT'|'NOT_APPLICABLE'|'INSUFFICIENT_DATA',
                'ComplianceContributorCount': {
                    'CappedCount': 123,
                    'CapExceeded': True|False
                }
            },
            'AccountId': 'string',
            'AwsRegion': 'string'
        },
    ],
    'NextToken': 'string'
}
Response Structure
(dict) --
AggregateComplianceByConfigRules (list) --
Returns a list of AggregateComplianceByConfigRule object.
(dict) --
Indicates whether an AWS Config rule is compliant based on account ID, region, compliance, and rule name.
A rule is compliant if all of the resources that the rule evaluated comply with it. It is noncompliant if any of these resources do not comply.
ConfigRuleName (string) --
The name of the AWS Config rule.
Compliance (dict) --
Indicates whether an AWS resource or AWS Config rule is compliant and provides the number of contributors that affect the compliance.
ComplianceType (string) --
Indicates whether an AWS resource or AWS Config rule is compliant.
A resource is compliant if it complies with all of the AWS Config rules that evaluate it. A resource is noncompliant if it does not comply with one or more of these rules.
A rule is compliant if all of the resources that the rule evaluates comply with it. A rule is noncompliant if any of these resources do not comply.
AWS Config returns the INSUFFICIENT_DATA value when no evaluation results are available for the AWS resource or AWS Config rule.
For the Compliance data type, AWS Config supports only COMPLIANT, NON_COMPLIANT, and INSUFFICIENT_DATA values. AWS Config does not support the NOT_APPLICABLE value for the Compliance data type.
ComplianceContributorCount (dict) --
The number of AWS resources or AWS Config rules that cause a result of NON_COMPLIANT, up to a maximum number.
CappedCount (integer) --
The number of AWS resources or AWS Config rules responsible for the current compliance of the item.
CapExceeded (boolean) --
Indicates whether the maximum count is reached.
AccountId (string) --
The 12-digit account ID of the source account.
AwsRegion (string) --
The source region from where the data is aggregated.
NextToken (string) --
The nextToken string returned on a previous page that you use to get the next page of results in a paginated response.
Returns the number of compliant and noncompliant rules for one or more accounts and regions in an aggregator.
Note
The results can return an empty result page, but if you have a nextToken, the results are displayed on the next page.
See also: AWS API Documentation
Request Syntax
client.get_aggregate_config_rule_compliance_summary(
    ConfigurationAggregatorName='string',
    Filters={
        'AccountId': 'string',
        'AwsRegion': 'string'
    },
    GroupByKey='ACCOUNT_ID'|'AWS_REGION',
    Limit=123,
    NextToken='string'
)
ConfigurationAggregatorName (string) -- [REQUIRED]
The name of the configuration aggregator.
Filters (dict) --
Filters the results based on the ConfigRuleComplianceSummaryFilters object.
AccountId (string) --
The 12-digit account ID of the source account.
AwsRegion (string) --
The source region where the data is aggregated.
GroupByKey (string) --
Groups the result based on ACCOUNT_ID or AWS_REGION.
Limit (integer) --
The maximum number of evaluation results returned on each page. The default is 1000. You cannot specify a number greater than 1000. If you specify 0, AWS Config uses the default.
NextToken (string) --
The nextToken string returned on a previous page that you use to get the next page of results in a paginated response.
dict
Response Syntax
{
    'GroupByKey': 'string',
    'AggregateComplianceCounts': [
        {
            'GroupName': 'string',
            'ComplianceSummary': {
                'CompliantResourceCount': {
                    'CappedCount': 123,
                    'CapExceeded': True|False
                },
                'NonCompliantResourceCount': {
                    'CappedCount': 123,
                    'CapExceeded': True|False
                },
                'ComplianceSummaryTimestamp': datetime(2015, 1, 1)
            }
        },
    ],
    'NextToken': 'string'
}
Response Structure
(dict) --
GroupByKey (string) --
Groups the result based on ACCOUNT_ID or AWS_REGION.
AggregateComplianceCounts (list) --
Returns a list of AggregateComplianceCounts object.
(dict) --
Returns the number of compliant and noncompliant rules for one or more accounts and regions in an aggregator.
GroupName (string) --
The 12-digit account ID or region based on the GroupByKey value.
ComplianceSummary (dict) --
The number of compliant and noncompliant AWS Config rules.
CompliantResourceCount (dict) --
The number of AWS Config rules or AWS resources that are compliant, up to a maximum of 25 for rules and 100 for resources.
CappedCount (integer) --
The number of AWS resources or AWS Config rules responsible for the current compliance of the item.
CapExceeded (boolean) --
Indicates whether the maximum count is reached.
NonCompliantResourceCount (dict) --
The number of AWS Config rules or AWS resources that are noncompliant, up to a maximum of 25 for rules and 100 for resources.
CappedCount (integer) --
The number of AWS resources or AWS Config rules responsible for the current compliance of the item.
CapExceeded (boolean) --
Indicates whether the maximum count is reached.
ComplianceSummaryTimestamp (datetime) --
The time that AWS Config created the compliance summary.
NextToken (string) --
The nextToken string returned on a previous page that you use to get the next page of results in a paginated response.
Returns a list of all pending aggregation requests.
See also: AWS API Documentation
Request Syntax
client.describe_pending_aggregation_requests(
    Limit=123,
    NextToken='string'
)
Limit (integer) --
The maximum number of evaluation results returned on each page. The default is maximum. If you specify 0, AWS Config uses the default.
NextToken (string) --
The nextToken string returned on a previous page that you use to get the next page of results in a paginated response.
dict
Response Syntax
{
    'PendingAggregationRequests': [
        {
            'RequesterAccountId': 'string',
            'RequesterAwsRegion': 'string'
        },
    ],
    'NextToken': 'string'
}
Response Structure
(dict) --
PendingAggregationRequests (list) --
Returns a PendingAggregationRequests object.
(dict) --
An object that represents the account ID and region of an aggregator account that is requesting authorization but is not yet authorized.
RequesterAccountId (string) --
The 12-digit account ID of the account requesting to aggregate data.
RequesterAwsRegion (string) --
The region requesting to aggregate data.
NextToken (string) --
The nextToken string returned on a previous page that you use to get the next page of results in a paginated response.
Returns the evaluation results for the specified AWS Config rule for a specific resource in a rule. The results indicate which AWS resources were evaluated by the rule, when each resource was last evaluated, and whether each resource complies with the rule.
Note
The results can return an empty result page. But if you have a nextToken, the results are displayed on the next page.
See also: AWS API Documentation
Request Syntax
client.get_aggregate_compliance_details_by_config_rule(
    ConfigurationAggregatorName='string',
    ConfigRuleName='string',
    AccountId='string',
    AwsRegion='string',
    ComplianceType='COMPLIANT'|'NON_COMPLIANT'|'NOT_APPLICABLE'|'INSUFFICIENT_DATA',
    Limit=123,
    NextToken='string'
)
ConfigurationAggregatorName (string) -- [REQUIRED]
The name of the configuration aggregator.
ConfigRuleName (string) -- [REQUIRED]
The name of the AWS Config rule for which you want compliance information.
AccountId (string) -- [REQUIRED]
The 12-digit account ID of the source account.
AwsRegion (string) -- [REQUIRED]
The source region from where the data is aggregated.
ComplianceType (string) --
The resource compliance status.
Note
For the GetAggregateComplianceDetailsByConfigRuleRequest data type, AWS Config supports only the COMPLIANT and NON_COMPLIANT. AWS Config does not support the NOT_APPLICABLE and INSUFFICIENT_DATA values.
Limit (integer) --
The maximum number of evaluation results returned on each page. The default is 50. You cannot specify a number greater than 100. If you specify 0, AWS Config uses the default.
NextToken (string) --
The nextToken string returned on a previous page that you use to get the next page of results in a paginated response.
dict
Response Syntax
{
    'AggregateEvaluationResults': [
        {
            'EvaluationResultIdentifier': {
                'EvaluationResultQualifier': {
                    'ConfigRuleName': 'string',
                    'ResourceType': 'string',
                    'ResourceId': 'string'
                },
                'OrderingTimestamp': datetime(2015, 1, 1)
            },
            'ComplianceType': 'COMPLIANT'|'NON_COMPLIANT'|'NOT_APPLICABLE'|'INSUFFICIENT_DATA',
            'ResultRecordedTime': datetime(2015, 1, 1),
            'ConfigRuleInvokedTime': datetime(2015, 1, 1),
            'Annotation': 'string',
            'AccountId': 'string',
            'AwsRegion': 'string'
        },
    ],
    'NextToken': 'string'
}
Response Structure
(dict) --
AggregateEvaluationResults (list) --
Returns an AggregateEvaluationResults object.
(dict) --
The details of an AWS Config evaluation for an account ID and region in an aggregator. Provides the AWS resource that was evaluated, the compliance of the resource, related time stamps, and supplementary information.
EvaluationResultIdentifier (dict) --
Uniquely identifies the evaluation result.
EvaluationResultQualifier (dict) --
Identifies an AWS Config rule used to evaluate an AWS resource, and provides the type and ID of the evaluated resource.
ConfigRuleName (string) --
The name of the AWS Config rule that was used in the evaluation.
ResourceType (string) --
The type of AWS resource that was evaluated.
ResourceId (string) --
The ID of the evaluated AWS resource.
OrderingTimestamp (datetime) --
The time of the event that triggered the evaluation of your AWS resources. The time can indicate when AWS Config delivered a configuration item change notification, or it can indicate when AWS Config delivered the configuration snapshot, depending on which event triggered the evaluation.
ComplianceType (string) --
The resource compliance status.
For the AggregationEvaluationResult data type, AWS Config supports only the COMPLIANT and NON_COMPLIANT. AWS Config does not support the NOT_APPLICABLE and INSUFFICIENT_DATA values.
ResultRecordedTime (datetime) --
The time when AWS Config recorded the aggregate evaluation result.
ConfigRuleInvokedTime (datetime) --
The time when the AWS Config rule evaluated the AWS resource.
Annotation (string) --
Supplementary information about how the aggregate evaluation determined the compliance.
AccountId (string) --
The 12-digit account ID of the source account.
AwsRegion (string) --
The source region from where the data is aggregated.
NextToken (string) --
The nextToken string returned on a previous page that you use to get the next page of results in a paginated response.
Deletes the specified configuration aggregator and the aggregated data associated with the aggregator.
See also: AWS API Documentation
Request Syntax
client.delete_configuration_aggregator(
    ConfigurationAggregatorName='string'
)
ConfigurationAggregatorName (string) -- [REQUIRED]
The name of the configuration aggregator.
None
Deletes pending authorization requests for a specified aggregator account in a specified region.
See also: AWS API Documentation
Request Syntax
client.delete_pending_aggregation_request(
    RequesterAccountId='string',
    RequesterAwsRegion='string'
)
RequesterAccountId (string) -- [REQUIRED]
The 12-digit account ID of the account requesting to aggregate data.
RequesterAwsRegion (string) -- [REQUIRED]
The region requesting to aggregate data.
None
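An added example, not part of the AWS documentation on this page: a source-account audit that lists granted aggregation authorizations and pending aggregation requests, compares them with an allowlist, and can remove the unapproved ones. The pagination loop ends only when NextToken is absent, so an empty page followed by more results is handled. `APPROVED`, the account IDs and `StubConfigClient` are constructed for the example; with real credentials, pass `boto3.client('config')` instead of the stub.

```python
# Added example: report aggregator accounts/regions that hold, or are asking
# for, permission to collect this account's AWS Config data.
APPROVED = {("111111111111", "us-east-1")}  # assumed allowlist: (account, region)


def paginate(call, result_key, **kwargs):
    """Yield items from all pages; only a missing NextToken ends the loop."""
    token = None
    while True:
        if token:
            kwargs["NextToken"] = token
        page = call(**kwargs)
        yield from page.get(result_key, [])  # an empty page yields nothing
        token = page.get("NextToken")
        if not token:
            return


def audit_aggregation_access(client, approved):
    """Return granted and pending (account, region) pairs not in `approved`."""
    granted = {
        (a["AuthorizedAccountId"], a["AuthorizedAwsRegion"])
        for a in paginate(client.describe_aggregation_authorizations,
                          "AggregationAuthorizations")
    }
    pending = {
        (p["RequesterAccountId"], p["RequesterAwsRegion"])
        for p in paginate(client.describe_pending_aggregation_requests,
                          "PendingAggregationRequests")
    }
    return {
        "unapproved_granted": sorted(granted - approved),
        "unapproved_pending": sorted(pending - approved),
    }


def revoke(client, findings):
    """Delete every unapproved grant and pending request; return the count."""
    for account, region in findings["unapproved_granted"]:
        client.delete_aggregation_authorization(
            AuthorizedAccountId=account, AuthorizedAwsRegion=region)
    for account, region in findings["unapproved_pending"]:
        client.delete_pending_aggregation_request(
            RequesterAccountId=account, RequesterAwsRegion=region)
    return len(findings["unapproved_granted"]) + len(findings["unapproved_pending"])


class StubConfigClient:
    """Constructed stand-in for boto3.client('config'); serves canned pages."""

    def __init__(self):
        self.deleted = []
        self._auth_pages = {
            None: {"AggregationAuthorizations": [
                {"AuthorizedAccountId": "111111111111", "AuthorizedAwsRegion": "us-east-1"}],
                "NextToken": "t1"},
            "t1": {"AggregationAuthorizations": [], "NextToken": "t2"},  # empty page
            "t2": {"AggregationAuthorizations": [
                {"AuthorizedAccountId": "999999999999", "AuthorizedAwsRegion": "eu-west-1"}]},
        }

    def describe_aggregation_authorizations(self, NextToken=None, **_):
        return self._auth_pages[NextToken]

    def describe_pending_aggregation_requests(self, **_):
        return {"PendingAggregationRequests": [
            {"RequesterAccountId": "888888888888", "RequesterAwsRegion": "us-west-2"}]}

    def delete_aggregation_authorization(self, **kw):
        self.deleted.append(("grant", kw["AuthorizedAccountId"], kw["AuthorizedAwsRegion"]))

    def delete_pending_aggregation_request(self, **kw):
        self.deleted.append(("pending", kw["RequesterAccountId"], kw["RequesterAwsRegion"]))
```

Run `audit_aggregation_access` in each source account and region, since authorizations are granted per account and region.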
Returns the details of one or more configuration aggregators. If the configuration aggregator is not specified, this action returns the details for all the configuration aggregators associated with the account.
See also: AWS API Documentation
Request Syntax
client.describe_configuration_aggregators(
    ConfigurationAggregatorNames=[
        'string',
    ],
    NextToken='string',
    Limit=123
)
ConfigurationAggregatorNames (list) --
The name of the configuration aggregators.
(string) --
NextToken (string) --
The nextToken string returned on a previous page that you use to get the next page of results in a paginated response.
Limit (integer) --
The maximum number of configuration aggregators returned on each page. The default is maximum. If you specify 0, AWS Config uses the default.
dict
Response Syntax
{
    'ConfigurationAggregators': [
        {
            'ConfigurationAggregatorName': 'string',
            'ConfigurationAggregatorArn': 'string',
            'AccountAggregationSources': [
                {
                    'AccountIds': [
                        'string',
                    ],
                    'AllAwsRegions': True|False,
                    'AwsRegions': [
                        'string',
                    ]
                },
            ],
            'OrganizationAggregationSource': {
                'RoleArn': 'string',
                'AwsRegions': [
                    'string',
                ],
                'AllAwsRegions': True|False
            },
            'CreationTime': datetime(2015, 1, 1),
            'LastUpdatedTime': datetime(2015, 1, 1)
        },
    ],
    'NextToken': 'string'
}
Response Structure
(dict) --
ConfigurationAggregators (list) --
Returns a ConfigurationAggregators object.
(dict) --
The details about the configuration aggregator, including information about source accounts, regions, and metadata of the aggregator.
ConfigurationAggregatorName (string) --
The name of the aggregator.
ConfigurationAggregatorArn (string) --
The Amazon Resource Name (ARN) of the aggregator.
AccountAggregationSources (list) --
Provides a list of source accounts and regions to be aggregated.
(dict) --
A collection of accounts and regions.
AccountIds (list) --
The 12-digit account ID of the account being aggregated.
(string) --
AllAwsRegions (boolean) --
If true, aggregate existing AWS Config regions and future regions.
AwsRegions (list) --
The source regions being aggregated.
(string) --
OrganizationAggregationSource (dict) --
Provides an organization and list of regions to be aggregated.
RoleArn (string) --
ARN of the IAM role used to retrieve AWS Organization details associated with the aggregator account.
AwsRegions (list) --
The source regions being aggregated.
(string) --
AllAwsRegions (boolean) --
If true, aggregate existing AWS Config regions and future regions.
CreationTime (datetime) --
The time stamp when the configuration aggregator was created.
LastUpdatedTime (datetime) --
The time of the last update.
NextToken (string) --
The nextToken string returned on a previous page that you use to get the next page of results in a paginated response.