FMS.Client.
get_compliance_detail
(**kwargs)¶Returns detailed compliance information about the specified member account. Details include resources that are in and out of compliance with the specified policy.
See also: AWS API Documentation
Request Syntax
response = client.get_compliance_detail(
PolicyId='string',
MemberAccount='string'
)
[REQUIRED]
The ID of the policy that you want to get the details for. PolicyId
is returned by PutPolicy
and by ListPolicies
.
[REQUIRED]
The Amazon Web Services account that owns the resources that you want to get the details for.
dict
Response Syntax
{
'PolicyComplianceDetail': {
'PolicyOwner': 'string',
'PolicyId': 'string',
'MemberAccount': 'string',
'Violators': [
{
'ResourceId': 'string',
'ViolationReason': 'WEB_ACL_MISSING_RULE_GROUP'|'RESOURCE_MISSING_WEB_ACL'|'RESOURCE_INCORRECT_WEB_ACL'|'RESOURCE_MISSING_SHIELD_PROTECTION'|'RESOURCE_MISSING_WEB_ACL_OR_SHIELD_PROTECTION'|'RESOURCE_MISSING_SECURITY_GROUP'|'RESOURCE_VIOLATES_AUDIT_SECURITY_GROUP'|'SECURITY_GROUP_UNUSED'|'SECURITY_GROUP_REDUNDANT'|'FMS_CREATED_SECURITY_GROUP_EDITED'|'MISSING_FIREWALL'|'MISSING_FIREWALL_SUBNET_IN_AZ'|'MISSING_EXPECTED_ROUTE_TABLE'|'NETWORK_FIREWALL_POLICY_MODIFIED'|'FIREWALL_SUBNET_IS_OUT_OF_SCOPE'|'INTERNET_GATEWAY_MISSING_EXPECTED_ROUTE'|'FIREWALL_SUBNET_MISSING_EXPECTED_ROUTE'|'UNEXPECTED_FIREWALL_ROUTES'|'UNEXPECTED_TARGET_GATEWAY_ROUTES'|'TRAFFIC_INSPECTION_CROSSES_AZ_BOUNDARY'|'INVALID_ROUTE_CONFIGURATION'|'MISSING_TARGET_GATEWAY'|'INTERNET_TRAFFIC_NOT_INSPECTED'|'BLACK_HOLE_ROUTE_DETECTED'|'BLACK_HOLE_ROUTE_DETECTED_IN_FIREWALL_SUBNET'|'RESOURCE_MISSING_DNS_FIREWALL'|'ROUTE_HAS_OUT_OF_SCOPE_ENDPOINT'|'FIREWALL_SUBNET_MISSING_VPCE_ENDPOINT',
'ResourceType': 'string',
'Metadata': {
'string': 'string'
}
},
],
'EvaluationLimitExceeded': True|False,
'ExpiredAt': datetime(2015, 1, 1),
'IssueInfoMap': {
'string': 'string'
}
}
}
Response Structure
(dict) --
PolicyComplianceDetail (dict) --
Information about the resources and the policy that you specified in the GetComplianceDetail
request.
PolicyOwner (string) --
The Amazon Web Services account that created the Firewall Manager policy.
PolicyId (string) --
The ID of the Firewall Manager policy.
MemberAccount (string) --
The Amazon Web Services account ID.
Violators (list) --
An array of resources that aren't protected by the WAF or Shield Advanced policy or that aren't in compliance with the security group policy.
(dict) --
Details of the resource that is not protected by the policy.
ResourceId (string) --
The resource ID.
ViolationReason (string) --
The reason that the resource is not protected by the policy.
ResourceType (string) --
The resource type. This is in the format shown in the Amazon Web Services Resource Types Reference. For example: AWS::ElasticLoadBalancingV2::LoadBalancer
, AWS::CloudFront::Distribution
, or AWS::NetworkFirewall::FirewallPolicy
.
Metadata (dict) --
Metadata about the resource that doesn't comply with the policy scope.
EvaluationLimitExceeded (boolean) --
Indicates if over 100 resources are noncompliant with the Firewall Manager policy.
ExpiredAt (datetime) --
A timestamp that indicates when the returned information should be considered out of date.
IssueInfoMap (dict) --
Details about problems with dependent services, such as WAF or Config, and the error message received that indicates the problem with the service.
Exceptions
FMS.Client.exceptions.ResourceNotFoundException
FMS.Client.exceptions.InternalErrorException
FMS.Client.exceptions.InvalidInputException
FMS.Client.exceptions.InvalidOperationException