ConfigService / Client / describe_compliance_by_config_rule
describe_compliance_by_config_rule#
- ConfigService.Client.describe_compliance_by_config_rule(**kwargs)#
Indicates whether the specified Config rules are compliant. If a rule is noncompliant, this action returns the number of Amazon Web Services resources that do not comply with the rule.
A rule is compliant if all of the evaluated resources comply with it. It is noncompliant if any of these resources do not comply.
If Config has no current evaluation results for the rule, it returns
INSUFFICIENT_DATA. This result might indicate one of the following conditions:Config has never invoked an evaluation for the rule. To check whether it has, use the
DescribeConfigRuleEvaluationStatusaction to get theLastSuccessfulInvocationTimeandLastFailedInvocationTime.The rule’s Lambda function is failing to send evaluation results to Config. Verify that the role you assigned to your configuration recorder includes the
config:PutEvaluationspermission. If the rule is a custom rule, verify that the Lambda execution role includes theconfig:PutEvaluationspermission.The rule’s Lambda function has returned
NOT_APPLICABLEfor all evaluation results. This can occur if the resources were deleted or removed from the rule’s scope.
See also: AWS API Documentation
Request Syntax
response = client.describe_compliance_by_config_rule( ConfigRuleNames=[ 'string', ], ComplianceTypes=[ 'COMPLIANT'|'NON_COMPLIANT'|'NOT_APPLICABLE'|'INSUFFICIENT_DATA', ], NextToken='string' )
- Parameters:
ConfigRuleNames (list) –
Specify one or more Config rule names to filter the results by rule.
(string) –
ComplianceTypes (list) –
Filters the results by compliance.
(string) –
NextToken (string) – The
nextTokenstring returned on a previous page that you use to get the next page of results in a paginated response.
- Return type:
dict
- Returns:
Response Syntax
{ 'ComplianceByConfigRules': [ { 'ConfigRuleName': 'string', 'Compliance': { 'ComplianceType': 'COMPLIANT'|'NON_COMPLIANT'|'NOT_APPLICABLE'|'INSUFFICIENT_DATA', 'ComplianceContributorCount': { 'CappedCount': 123, 'CapExceeded': True|False } } }, ], 'NextToken': 'string' }
Response Structure
(dict) –
ComplianceByConfigRules (list) –
Indicates whether each of the specified Config rules is compliant.
(dict) –
Indicates whether an Config rule is compliant. A rule is compliant if all of the resources that the rule evaluated comply with it. A rule is noncompliant if any of these resources do not comply.
ConfigRuleName (string) –
The name of the Config rule.
Compliance (dict) –
Indicates whether the Config rule is compliant.
ComplianceType (string) –
Indicates whether an Amazon Web Services resource or Config rule is compliant.
A resource is compliant if it complies with all of the Config rules that evaluate it. A resource is noncompliant if it does not comply with one or more of these rules.
A rule is compliant if all of the resources that the rule evaluates comply with it. A rule is noncompliant if any of these resources do not comply.
Config returns the
INSUFFICIENT_DATAvalue when no evaluation results are available for the Amazon Web Services resource or Config rule.For the
Compliancedata type, Config supports onlyCOMPLIANT,NON_COMPLIANT, andINSUFFICIENT_DATAvalues. Config does not support theNOT_APPLICABLEvalue for theCompliancedata type.ComplianceContributorCount (dict) –
The number of Amazon Web Services resources or Config rules that cause a result of
NON_COMPLIANT, up to a maximum number.CappedCount (integer) –
The number of Amazon Web Services resources or Config rules responsible for the current compliance of the item.
CapExceeded (boolean) –
Indicates whether the maximum count is reached.
NextToken (string) –
The string that you use in a subsequent request to get the next page of results in a paginated response.
Exceptions
ConfigService.Client.exceptions.InvalidParameterValueExceptionConfigService.Client.exceptions.NoSuchConfigRuleExceptionConfigService.Client.exceptions.InvalidNextTokenException