describe_config_rules
- ConfigService.Client.describe_config_rules(**kwargs)
- Returns details about your Config rules.
- See also: AWS API Documentation
- Request Syntax

```
response = client.describe_config_rules(
    ConfigRuleNames=[
        'string',
    ],
    NextToken='string',
    Filters={
        'EvaluationMode': 'DETECTIVE'|'PROACTIVE'
    }
)
```

- Parameters:
- ConfigRuleNames (list) – The names of the Config rules for which you want details. If you do not specify any names, Config returns details for all your rules.
- (string) –
- NextToken (string) – The nextToken string returned on a previous page that you use to get the next page of results in a paginated response.
- Filters (dict) – Returns a list of Detective or Proactive Config rules. By default, this API returns an unfiltered list. For more information on Detective or Proactive Config rules, see **Evaluation Mode** in the Config Developer Guide.
- EvaluationMode (string) – The mode of an evaluation. The valid values are Detective or Proactive.

- Return type:
- dict 
- Returns:
- Response Syntax

```
{
    'ConfigRules': [
        {
            'ConfigRuleName': 'string',
            'ConfigRuleArn': 'string',
            'ConfigRuleId': 'string',
            'Description': 'string',
            'Scope': {
                'ComplianceResourceTypes': [
                    'string',
                ],
                'TagKey': 'string',
                'TagValue': 'string',
                'ComplianceResourceId': 'string'
            },
            'Source': {
                'Owner': 'CUSTOM_LAMBDA'|'AWS'|'CUSTOM_POLICY',
                'SourceIdentifier': 'string',
                'SourceDetails': [
                    {
                        'EventSource': 'aws.config',
                        'MessageType': 'ConfigurationItemChangeNotification'|'ConfigurationSnapshotDeliveryCompleted'|'ScheduledNotification'|'OversizedConfigurationItemChangeNotification',
                        'MaximumExecutionFrequency': 'One_Hour'|'Three_Hours'|'Six_Hours'|'Twelve_Hours'|'TwentyFour_Hours'
                    },
                ],
                'CustomPolicyDetails': {
                    'PolicyRuntime': 'string',
                    'PolicyText': 'string',
                    'EnableDebugLogDelivery': True|False
                }
            },
            'InputParameters': 'string',
            'MaximumExecutionFrequency': 'One_Hour'|'Three_Hours'|'Six_Hours'|'Twelve_Hours'|'TwentyFour_Hours',
            'ConfigRuleState': 'ACTIVE'|'DELETING'|'DELETING_RESULTS'|'EVALUATING',
            'CreatedBy': 'string',
            'EvaluationModes': [
                {
                    'Mode': 'DETECTIVE'|'PROACTIVE'
                },
            ]
        },
    ],
    'NextToken': 'string'
}
```

- Response Structure
- (dict) –
- ConfigRules (list) – The details about your Config rules.
- (dict) – Config rules evaluate the configuration settings of your Amazon Web Services resources. A rule can run when Config detects a configuration change to an Amazon Web Services resource or at a periodic frequency that you choose (for example, every 24 hours). There are two types of rules: Config Managed Rules and Config Custom Rules.

  Config Managed Rules are predefined, customizable rules created by Config. For a list of managed rules, see List of Config Managed Rules.

  Config Custom Rules are rules that you create from scratch. There are two ways to create Config custom rules: with Lambda functions (Lambda Developer Guide) and with Guard (Guard GitHub Repository), a policy-as-code language. Config custom rules created with Lambda are called Config Custom Lambda Rules and Config custom rules created with Guard are called Config Custom Policy Rules.

  For more information about developing and using Config rules, see Evaluating Resource with Config Rules in the Config Developer Guide.

  Note: You can use the Amazon Web Services CLI and Amazon Web Services SDKs if you want to create a rule that triggers evaluations for your resources when Config delivers the configuration snapshot. For more information, see ConfigSnapshotDeliveryProperties.
- ConfigRuleName (string) – The name that you assign to the Config rule. The name is required if you are adding a new rule.
- ConfigRuleArn (string) – The Amazon Resource Name (ARN) of the Config rule.
- ConfigRuleId (string) – The ID of the Config rule.
- Description (string) – The description that you provide for the Config rule.
- Scope (dict) – Defines which resources can trigger an evaluation for the rule. The scope can include one or more resource types, a combination of one resource type and one resource ID, or a combination of a tag key and value. Specify a scope to constrain the resources that can trigger an evaluation for the rule. If you do not specify a scope, evaluations are triggered when any resource in the recording group changes.

  Note: The scope can be empty.
- ComplianceResourceTypes (list) – The resource types of only those Amazon Web Services resources that you want to trigger an evaluation for the rule. You can only specify one type if you also specify a resource ID for ComplianceResourceId.
- (string) –
- TagKey (string) – The tag key that is applied to only those Amazon Web Services resources that you want to trigger an evaluation for the rule.
- TagValue (string) – The tag value applied to only those Amazon Web Services resources that you want to trigger an evaluation for the rule. If you specify a value for TagValue, you must also specify a value for TagKey.
- ComplianceResourceId (string) – The ID of the only Amazon Web Services resource that you want to trigger an evaluation for the rule. If you specify a resource ID, you must specify one resource type for ComplianceResourceTypes.
 
- Source (dict) – Provides the rule owner (Amazon Web Services for managed rules, CUSTOM_POLICY for Custom Policy rules, and CUSTOM_LAMBDA for Custom Lambda rules), the rule identifier, and the notifications that cause the function to evaluate your Amazon Web Services resources.
- Owner (string) – Indicates whether Amazon Web Services or the customer owns and manages the Config rule.

  Config Managed Rules are predefined rules owned by Amazon Web Services. For more information, see Config Managed Rules in the Config developer guide.

  Config Custom Rules are rules that you can develop either with Guard (CUSTOM_POLICY) or Lambda (CUSTOM_LAMBDA). For more information, see Config Custom Rules in the Config developer guide.
- SourceIdentifier (string) – For Config Managed rules, a predefined identifier from a list. For example, IAM_PASSWORD_POLICY is a managed rule. To reference a managed rule, see List of Config Managed Rules.

  For Config Custom Lambda rules, the identifier is the Amazon Resource Name (ARN) of the rule’s Lambda function, such as arn:aws:lambda:us-east-2:123456789012:function:custom_rule_name.

  For Config Custom Policy rules, this field will be ignored.
- SourceDetails (list) – Provides the source and the message types that cause Config to evaluate your Amazon Web Services resources against a rule. It also provides the frequency with which you want Config to run evaluations for the rule if the trigger type is periodic.

  If the owner is set to CUSTOM_POLICY, the only acceptable values for the Config rule trigger message type are ConfigurationItemChangeNotification and OversizedConfigurationItemChangeNotification.
- (dict) – Provides the source and the message types that trigger Config to evaluate your Amazon Web Services resources against a rule. It also provides the frequency with which you want Config to run evaluations for the rule if the trigger type is periodic. You can specify the parameter values for SourceDetail only for custom rules.
- EventSource (string) – The source of the event, such as an Amazon Web Services service, that triggers Config to evaluate your Amazon Web Services resources.
- MessageType (string) – The type of notification that triggers Config to run an evaluation for a rule. You can specify the following notification types:
  - ConfigurationItemChangeNotification - Triggers an evaluation when Config delivers a configuration item as a result of a resource change.
  - OversizedConfigurationItemChangeNotification - Triggers an evaluation when Config delivers an oversized configuration item. Config may generate this notification type when a resource changes and the notification exceeds the maximum size allowed by Amazon SNS.
  - ScheduledNotification - Triggers a periodic evaluation at the frequency specified for MaximumExecutionFrequency.
  - ConfigurationSnapshotDeliveryCompleted - Triggers a periodic evaluation when Config delivers a configuration snapshot.

  If you want your custom rule to be triggered by configuration changes, specify two SourceDetail objects, one for ConfigurationItemChangeNotification and one for OversizedConfigurationItemChangeNotification.
- MaximumExecutionFrequency (string) – The frequency at which you want Config to run evaluations for a custom rule with a periodic trigger. If you specify a value for MaximumExecutionFrequency, then MessageType must use the ScheduledNotification value.

  Note: By default, rules with a periodic trigger are evaluated every 24 hours. To change the frequency, specify a valid value for the MaximumExecutionFrequency parameter.

  Based on the valid value you choose, Config runs evaluations once for each valid value. For example, if you choose Three_Hours, Config runs evaluations once every three hours. In this case, Three_Hours is the frequency of this rule.
 
 
- CustomPolicyDetails (dict) – Provides the runtime system, policy definition, and whether debug logging is enabled. Required when owner is set to CUSTOM_POLICY.
- PolicyRuntime (string) – The runtime system for your Config Custom Policy rule. Guard is a policy-as-code language that allows you to write policies that are enforced by Config Custom Policy rules. For more information about Guard, see the Guard GitHub Repository.
- PolicyText (string) – The policy definition containing the logic for your Config Custom Policy rule.
- EnableDebugLogDelivery (boolean) – The boolean expression for enabling debug logging for your Config Custom Policy rule. The default value is false.
 
 
- InputParameters (string) – A string, in JSON format, that is passed to the Config rule Lambda function.
- MaximumExecutionFrequency (string) – The maximum frequency with which Config runs evaluations for a rule. You can specify a value for MaximumExecutionFrequency when:
  - This is for a Config managed rule that is triggered at a periodic frequency.
  - Your custom rule is triggered when Config delivers the configuration snapshot. For more information, see ConfigSnapshotDeliveryProperties.

  Note: By default, rules with a periodic trigger are evaluated every 24 hours. To change the frequency, specify a valid value for the MaximumExecutionFrequency parameter.
- ConfigRuleState (string) – Indicates whether the Config rule is active or is currently being deleted by Config. It can also indicate the evaluation status for the Config rule.

  Config sets the state of the rule to EVALUATING temporarily after you use the StartConfigRulesEvaluation request to evaluate your resources against the Config rule.

  Config sets the state of the rule to DELETING_RESULTS temporarily after you use the DeleteEvaluationResults request to delete the current evaluation results for the Config rule.

  Config temporarily sets the state of a rule to DELETING after you use the DeleteConfigRule request to delete the rule. After Config deletes the rule, the rule and all of its evaluations are erased and are no longer available.
- CreatedBy (string) – Service principal name of the service that created the rule.

  Note: The field is populated only if the service-linked rule is created by a service. The field is empty if you create your own rule.
- EvaluationModes (list) – The modes the Config rule can be evaluated in. The valid values are distinct objects. By default, the value is Detective evaluation mode only.
- (dict) – The configuration object for Config rule evaluation mode. The supported valid values are Detective or Proactive.
- Mode (string) – The mode of an evaluation. The valid values are Detective or Proactive.
 
 
 
 
- NextToken (string) – The string that you use in a subsequent request to get the next page of results in a paginated response.
 
 
- Exceptions
- ConfigService.Client.exceptions.NoSuchConfigRuleException
- ConfigService.Client.exceptions.InvalidNextTokenException
- ConfigService.Client.exceptions.InvalidParameterValueException
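
An added example, not part of the boto3 documentation: it follows NextToken across pages of describe_config_rules and reviews each returned rule against points the reference above makes (the DELETING states, and the two SourceDetail message types for change-triggered custom rules). The names iter_config_rules, audit_rule, audit and FakeClient are hypothetical, and FakeClient is a constructed stand-in for boto3.client('config') so the block runs offline.

```python
CHANGE = "ConfigurationItemChangeNotification"
OVERSIZED = "OversizedConfigurationItemChangeNotification"

def iter_config_rules(client, **kwargs):
    """Yield every rule, following NextToken until a page omits it."""
    while True:
        page = client.describe_config_rules(**kwargs)
        yield from page.get("ConfigRules", [])
        if not page.get("NextToken"):
            return
        kwargs["NextToken"] = page["NextToken"]

def audit_rule(rule):
    """Return review notes for one ConfigRule dict from the response."""
    notes, source = [], rule.get("Source", {})
    if rule.get("ConfigRuleState") in ("DELETING", "DELETING_RESULTS"):
        notes.append("state " + rule["ConfigRuleState"])
    if source.get("Owner") in ("CUSTOM_LAMBDA", "CUSTOM_POLICY"):
        types = {d.get("MessageType") for d in source.get("SourceDetails", [])}
        # The reference asks for both message types on change-triggered rules.
        if CHANGE in types and OVERSIZED not in types:
            notes.append("missing " + OVERSIZED)
    # Assumption of this example: debug logging is treated as a review item.
    if source.get("CustomPolicyDetails", {}).get("EnableDebugLogDelivery"):
        notes.append("debug log delivery enabled")
    return notes

class FakeClient:
    """Constructed stand-in for boto3.client('config'); serves two pages."""
    PAGES = {
        None: {"NextToken": "t2", "ConfigRules": [
            {"ConfigRuleName": "pw-policy", "ConfigRuleState": "ACTIVE",
             "Source": {"Owner": "AWS", "SourceIdentifier": "IAM_PASSWORD_POLICY"}}]},
        "t2": {"ConfigRules": [
            {"ConfigRuleName": "guard-rule", "ConfigRuleState": "ACTIVE",
             "Source": {"Owner": "CUSTOM_POLICY",
                        "SourceDetails": [{"EventSource": "aws.config",
                                           "MessageType": CHANGE}],
                        "CustomPolicyDetails": {"EnableDebugLogDelivery": True}}}]},
    }
    def describe_config_rules(self, **kwargs):
        return self.PAGES[kwargs.get("NextToken")]

def audit(client, **kwargs):
    return {r["ConfigRuleName"]: audit_rule(r) for r in iter_config_rules(client, **kwargs)}

if __name__ == "__main__":
    for name, notes in audit(FakeClient()).items():
        print(name, notes or "ok")
```

Against a real account, pass boto3.client('config') in place of FakeClient(); keyword arguments such as Filters={'EvaluationMode': 'DETECTIVE'} are forwarded to every page request.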