There are more AWS SDK examples available in the [AWS Doc SDK Examples](https://github.com/awsdocs/aws-doc-sdk-examples) GitHub repo.
# Code examples for AWS Config using AWS SDKs
The following code examples show you how to use AWS Config with an AWS software development kit (SDK).
*Actions* are code excerpts from larger programs and must be run in context. While actions show you how to call individual service functions, you can see actions in context in their related scenarios.
*Scenarios* are code examples that show you how to accomplish specific tasks by calling multiple functions within a service or combined with other AWS services.
**More resources**
+ **[AWS Config Developer Guide](https://docs.aws.amazon.com/config/latest/developerguide/WhatIsConfig.html)** – More information about AWS Config.
+ **[AWS Config API Reference](https://docs.aws.amazon.com/config/latest/APIReference/Welcome.html)** – Details about all available AWS Config actions.
+ **[AWS Developer Center](https://aws.amazon.com/developer/code-examples/?awsf.sdk-code-examples-product=product%23config)** – Code examples that you can filter by category or full-text search.
+ **[AWS SDK Examples](https://github.com/awsdocs/aws-doc-sdk-examples)** – GitHub repo with complete code in preferred languages. Includes instructions for setting up and running the code.
**Contents**
+ [Basics](config-service_code_examples_basics.md)
+ [Actions](config-service_code_examples_actions.md)
+ [`DeleteConfigRule`](config-service_example_config-service_DeleteConfigRule_section.md)
+ [`DescribeComplianceByConfigRule`](config-service_example_config-service_DescribeComplianceByConfigRule_section.md)
+ [`DescribeComplianceByResource`](config-service_example_config-service_DescribeComplianceByResource_section.md)
+ [`DescribeConfigRuleEvaluationStatus`](config-service_example_config-service_DescribeConfigRuleEvaluationStatus_section.md)
+ [`DescribeConfigRules`](config-service_example_config-service_DescribeConfigRules_section.md)
+ [`DescribeConfigurationRecorderStatus`](config-service_example_config-service_DescribeConfigurationRecorderStatus_section.md)
+ [`DescribeConfigurationRecorders`](config-service_example_config-service_DescribeConfigurationRecorders_section.md)
+ [`DescribeDeliveryChannels`](config-service_example_config-service_DescribeDeliveryChannels_section.md)
+ [`GetComplianceDetailsByConfigRule`](config-service_example_config-service_GetComplianceDetailsByConfigRule_section.md)
+ [`GetComplianceDetailsByResource`](config-service_example_config-service_GetComplianceDetailsByResource_section.md)
+ [`GetComplianceSummaryByConfigRule`](config-service_example_config-service_GetComplianceSummaryByConfigRule_section.md)
+ [`GetComplianceSummaryByResourceType`](config-service_example_config-service_GetComplianceSummaryByResourceType_section.md)
+ [`PutConfigRule`](config-service_example_config-service_PutConfigRule_section.md)
+ [`PutDeliveryChannel`](config-service_example_config-service_PutDeliveryChannel_section.md)
+ [Scenarios](config-service_code_examples_scenarios.md)
+ [Getting started with Config](config-service_example_config_service_GettingStarted_053_section.md)
# Basic examples for AWS Config using AWS SDKs
The following code examples show how to use the basics of AWS Config with AWS SDKs.
**Contents**
+ [Actions](config-service_code_examples_actions.md)
+ [`DeleteConfigRule`](config-service_example_config-service_DeleteConfigRule_section.md)
+ [`DescribeComplianceByConfigRule`](config-service_example_config-service_DescribeComplianceByConfigRule_section.md)
+ [`DescribeComplianceByResource`](config-service_example_config-service_DescribeComplianceByResource_section.md)
+ [`DescribeConfigRuleEvaluationStatus`](config-service_example_config-service_DescribeConfigRuleEvaluationStatus_section.md)
+ [`DescribeConfigRules`](config-service_example_config-service_DescribeConfigRules_section.md)
+ [`DescribeConfigurationRecorderStatus`](config-service_example_config-service_DescribeConfigurationRecorderStatus_section.md)
+ [`DescribeConfigurationRecorders`](config-service_example_config-service_DescribeConfigurationRecorders_section.md)
+ [`DescribeDeliveryChannels`](config-service_example_config-service_DescribeDeliveryChannels_section.md)
+ [`GetComplianceDetailsByConfigRule`](config-service_example_config-service_GetComplianceDetailsByConfigRule_section.md)
+ [`GetComplianceDetailsByResource`](config-service_example_config-service_GetComplianceDetailsByResource_section.md)
+ [`GetComplianceSummaryByConfigRule`](config-service_example_config-service_GetComplianceSummaryByConfigRule_section.md)
+ [`GetComplianceSummaryByResourceType`](config-service_example_config-service_GetComplianceSummaryByResourceType_section.md)
+ [`PutConfigRule`](config-service_example_config-service_PutConfigRule_section.md)
+ [`PutDeliveryChannel`](config-service_example_config-service_PutDeliveryChannel_section.md)
# Actions for AWS Config using AWS SDKs
The following code examples demonstrate how to perform individual AWS Config actions with AWS SDKs. Each example includes a link to GitHub, where you can find instructions for setting up and running the code.
These excerpts call the AWS Config API and are code excerpts from larger programs that must be run in context. You can see actions in context in [Scenarios for AWS Config using AWS SDKs](config-service_code_examples_scenarios.md).
The following examples include only the most commonly used actions. For a complete list, see the [AWS Config API Reference](https://docs.aws.amazon.com/config/latest/APIReference/Welcome.html).
**Topics**
+ [`DeleteConfigRule`](config-service_example_config-service_DeleteConfigRule_section.md)
+ [`DescribeComplianceByConfigRule`](config-service_example_config-service_DescribeComplianceByConfigRule_section.md)
+ [`DescribeComplianceByResource`](config-service_example_config-service_DescribeComplianceByResource_section.md)
+ [`DescribeConfigRuleEvaluationStatus`](config-service_example_config-service_DescribeConfigRuleEvaluationStatus_section.md)
+ [`DescribeConfigRules`](config-service_example_config-service_DescribeConfigRules_section.md)
+ [`DescribeConfigurationRecorderStatus`](config-service_example_config-service_DescribeConfigurationRecorderStatus_section.md)
+ [`DescribeConfigurationRecorders`](config-service_example_config-service_DescribeConfigurationRecorders_section.md)
+ [`DescribeDeliveryChannels`](config-service_example_config-service_DescribeDeliveryChannels_section.md)
+ [`GetComplianceDetailsByConfigRule`](config-service_example_config-service_GetComplianceDetailsByConfigRule_section.md)
+ [`GetComplianceDetailsByResource`](config-service_example_config-service_GetComplianceDetailsByResource_section.md)
+ [`GetComplianceSummaryByConfigRule`](config-service_example_config-service_GetComplianceSummaryByConfigRule_section.md)
+ [`GetComplianceSummaryByResourceType`](config-service_example_config-service_GetComplianceSummaryByResourceType_section.md)
+ [`PutConfigRule`](config-service_example_config-service_PutConfigRule_section.md)
+ [`PutDeliveryChannel`](config-service_example_config-service_PutDeliveryChannel_section.md)
# Use `DeleteConfigRule` with an AWS SDK or CLI
The following code examples show how to use `DeleteConfigRule`.
------
#### [ CLI ]
**AWS CLI**
**To delete an AWS Config rule**
The following command deletes an AWS Config rule named `MyConfigRule`:
```
aws configservice delete-config-rule --config-rule-name MyConfigRule
```
+ For API details, see [DeleteConfigRule](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/configservice/delete-config-rule.html) in *AWS CLI Command Reference*.
------
#### [ Python ]
**SDK for Python (Boto3)**
There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/config#code-examples).
```
class ConfigWrapper:
"""
Encapsulates AWS Config functions.
"""
def __init__(self, config_client):
"""
:param config_client: A Boto3 AWS Config client.
"""
self.config_client = config_client
def delete_config_rule(self, rule_name):
"""
Delete the specified rule.
:param rule_name: The name of the rule to delete.
"""
try:
self.config_client.delete_config_rule(ConfigRuleName=rule_name)
logger.info("Deleted rule %s.", rule_name)
except ClientError:
logger.exception("Couldn't delete rule %s.", rule_name)
raise
```
+ For API details, see [DeleteConfigRule](https://docs.aws.amazon.com/goto/boto3/config-2014-11-12/DeleteConfigRule) in *AWS SDK for Python (Boto3) API Reference*.
------
#### [ SAP ABAP ]
**SDK for SAP ABAP**
There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap/services/cfs#code-examples).
```
lo_cfs->deleteconfigrule( iv_rule_name ).
MESSAGE 'Deleted AWS Config rule.' TYPE 'I'.
```
+ For API details, see [DeleteConfigRule](https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/index.html) in *AWS SDK for SAP ABAP API reference*.
------
# Use `DescribeComplianceByConfigRule` with a CLI
The following code examples show how to use `DescribeComplianceByConfigRule`.
------
#### [ CLI ]
**AWS CLI**
**To get compliance information for your AWS Config rules**
The following command returns compliance information for each AWS Config rule that is violated by one or more AWS resources:
```
aws configservice describe-compliance-by-config-rule --compliance-types NON_COMPLIANT
```
In the output, the value for each `CappedCount` attribute indicates how many resources do not comply with the related rule. For example, the following output indicates that 3 resources do not comply with the rule named `InstanceTypesAreT2micro`.
Output:
```
{
"ComplianceByConfigRules": [
{
"Compliance": {
"ComplianceContributorCount": {
"CappedCount": 3,
"CapExceeded": false
},
"ComplianceType": "NON_COMPLIANT"
},
"ConfigRuleName": "InstanceTypesAreT2micro"
},
{
"Compliance": {
"ComplianceContributorCount": {
"CappedCount": 10,
"CapExceeded": false
},
"ComplianceType": "NON_COMPLIANT"
},
"ConfigRuleName": "RequiredTagsForVolumes"
}
]
}
```
+ For API details, see [DescribeComplianceByConfigRule](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/configservice/describe-compliance-by-config-rule.html) in *AWS CLI Command Reference*.
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**Example 1: This example retrieves compliances details for the rule ebs-optimized-instance, for which there is no current evaluation results for the rule, hence it returns INSUFFICIENT\$1DATA**
```
(Get-CFGComplianceByConfigRule -ConfigRuleName ebs-optimized-instance).Compliance
```
**Output:**
```
ComplianceContributorCount ComplianceType
-------------------------- --------------
INSUFFICIENT_DATA
```
**Example 2: This example returns the number of non-compliant resources for the rule ALB\$1HTTP\$1TO\$1HTTPS\$1REDIRECTION\$1CHECK.**
```
(Get-CFGComplianceByConfigRule -ConfigRuleName ALB_HTTP_TO_HTTPS_REDIRECTION_CHECK -ComplianceType NON_COMPLIANT).Compliance.ComplianceContributorCount
```
**Output:**
```
CapExceeded CappedCount
----------- -----------
False 2
```
+ For API details, see [DescribeComplianceByConfigRule](https://docs.aws.amazon.com/powershell/v4/reference) in *AWS Tools for PowerShell Cmdlet Reference (V4)*.
**Tools for PowerShell V5**
**Example 1: This example retrieves compliances details for the rule ebs-optimized-instance, for which there is no current evaluation results for the rule, hence it returns INSUFFICIENT\$1DATA**
```
(Get-CFGComplianceByConfigRule -ConfigRuleName ebs-optimized-instance).Compliance
```
**Output:**
```
ComplianceContributorCount ComplianceType
-------------------------- --------------
INSUFFICIENT_DATA
```
**Example 2: This example returns the number of non-compliant resources for the rule ALB\$1HTTP\$1TO\$1HTTPS\$1REDIRECTION\$1CHECK.**
```
(Get-CFGComplianceByConfigRule -ConfigRuleName ALB_HTTP_TO_HTTPS_REDIRECTION_CHECK -ComplianceType NON_COMPLIANT).Compliance.ComplianceContributorCount
```
**Output:**
```
CapExceeded CappedCount
----------- -----------
False 2
```
+ For API details, see [DescribeComplianceByConfigRule](https://docs.aws.amazon.com/powershell/v5/reference) in *AWS Tools for PowerShell Cmdlet Reference (V5)*.
------
# Use `DescribeComplianceByResource` with a CLI
The following code examples show how to use `DescribeComplianceByResource`.
------
#### [ CLI ]
**AWS CLI**
**To get compliance information for your AWS resources**
The following command returns compliance information for each EC2 instance that is recorded by AWS Config and that violates one or more rules:
```
aws configservice describe-compliance-by-resource --resource-type AWS::EC2::Instance --compliance-types NON_COMPLIANT
```
In the output, the value for each `CappedCount` attribute indicates how many rules the resource violates. For example, the following output indicates that instance `i-1a2b3c4d` violates 2 rules.
Output:
```
{
"ComplianceByResources": [
{
"ResourceType": "AWS::EC2::Instance",
"ResourceId": "i-1a2b3c4d",
"Compliance": {
"ComplianceContributorCount": {
"CappedCount": 2,
"CapExceeded": false
},
"ComplianceType": "NON_COMPLIANT"
}
},
{
"ResourceType": "AWS::EC2::Instance",
"ResourceId": "i-2a2b3c4d ",
"Compliance": {
"ComplianceContributorCount": {
"CappedCount": 3,
"CapExceeded": false
},
"ComplianceType": "NON_COMPLIANT"
}
}
]
}
```
+ For API details, see [DescribeComplianceByResource](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/configservice/describe-compliance-by-resource.html) in *AWS CLI Command Reference*.
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**Example 1: This example checks the `AWS::SSM::ManagedInstanceInventory` resource type for 'COMPLIANT' compliance type.**
```
Get-CFGComplianceByResource -ComplianceType COMPLIANT -ResourceType AWS::SSM::ManagedInstanceInventory
```
**Output:**
```
Compliance ResourceId ResourceType
---------- ---------- ------------
Amazon.ConfigService.Model.Compliance i-0123bcf4b567890e3 AWS::SSM::ManagedInstanceInventory
Amazon.ConfigService.Model.Compliance i-0a1234f6f5d6b78f7 AWS::SSM::ManagedInstanceInventory
```
+ For API details, see [DescribeComplianceByResource](https://docs.aws.amazon.com/powershell/v4/reference) in *AWS Tools for PowerShell Cmdlet Reference (V4)*.
**Tools for PowerShell V5**
**Example 1: This example checks the `AWS::SSM::ManagedInstanceInventory` resource type for 'COMPLIANT' compliance type.**
```
Get-CFGComplianceByResource -ComplianceType COMPLIANT -ResourceType AWS::SSM::ManagedInstanceInventory
```
**Output:**
```
Compliance ResourceId ResourceType
---------- ---------- ------------
Amazon.ConfigService.Model.Compliance i-0123bcf4b567890e3 AWS::SSM::ManagedInstanceInventory
Amazon.ConfigService.Model.Compliance i-0a1234f6f5d6b78f7 AWS::SSM::ManagedInstanceInventory
```
+ For API details, see [DescribeComplianceByResource](https://docs.aws.amazon.com/powershell/v5/reference) in *AWS Tools for PowerShell Cmdlet Reference (V5)*.
------
# Use `DescribeConfigRuleEvaluationStatus` with a CLI
The following code examples show how to use `DescribeConfigRuleEvaluationStatus`.
------
#### [ CLI ]
**AWS CLI**
**To get status information for an AWS Config rule**
The following command returns the status information for an AWS Config rule named `MyConfigRule`:
```
aws configservice describe-config-rule-evaluation-status --config-rule-names MyConfigRule
```
Output:
```
{
"ConfigRulesEvaluationStatus": [
{
"ConfigRuleArn": "arn:aws:config:us-east-1:123456789012:config-rule/config-rule-abcdef",
"FirstActivatedTime": 1450311703.844,
"ConfigRuleId": "config-rule-abcdef",
"LastSuccessfulInvocationTime": 1450314643.156,
"ConfigRuleName": "MyConfigRule"
}
]
}
```
+ For API details, see [DescribeConfigRuleEvaluationStatus](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/configservice/describe-config-rule-evaluation-status.html) in *AWS CLI Command Reference*.
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**Example 1: This sample returns the status information for the given config rules. **
```
Get-CFGConfigRuleEvaluationStatus -ConfigRuleName root-account-mfa-enabled, vpc-flow-logs-enabled
```
**Output:**
```
ConfigRuleArn : arn:aws:config:eu-west-1:123456789012:config-rule/config-rule-kvq1wk
ConfigRuleId : config-rule-kvq1wk
ConfigRuleName : root-account-mfa-enabled
FirstActivatedTime : 8/27/2019 8:05:17 AM
FirstEvaluationStarted : True
LastErrorCode :
LastErrorMessage :
LastFailedEvaluationTime : 1/1/0001 12:00:00 AM
LastFailedInvocationTime : 1/1/0001 12:00:00 AM
LastSuccessfulEvaluationTime : 12/13/2019 8:12:03 AM
LastSuccessfulInvocationTime : 12/13/2019 8:12:03 AM
ConfigRuleArn : arn:aws:config:eu-west-1:123456789012:config-rule/config-rule-z1s23b
ConfigRuleId : config-rule-z1s23b
ConfigRuleName : vpc-flow-logs-enabled
FirstActivatedTime : 8/14/2019 6:23:44 AM
FirstEvaluationStarted : True
LastErrorCode :
LastErrorMessage :
LastFailedEvaluationTime : 1/1/0001 12:00:00 AM
LastFailedInvocationTime : 1/1/0001 12:00:00 AM
LastSuccessfulEvaluationTime : 12/13/2019 7:12:01 AM
LastSuccessfulInvocationTime : 12/13/2019 7:12:01 AM
```
+ For API details, see [DescribeConfigRuleEvaluationStatus](https://docs.aws.amazon.com/powershell/v4/reference) in *AWS Tools for PowerShell Cmdlet Reference (V4)*.
**Tools for PowerShell V5**
**Example 1: This sample returns the status information for the given config rules. **
```
Get-CFGConfigRuleEvaluationStatus -ConfigRuleName root-account-mfa-enabled, vpc-flow-logs-enabled
```
**Output:**
```
ConfigRuleArn : arn:aws:config:eu-west-1:123456789012:config-rule/config-rule-kvq1wk
ConfigRuleId : config-rule-kvq1wk
ConfigRuleName : root-account-mfa-enabled
FirstActivatedTime : 8/27/2019 8:05:17 AM
FirstEvaluationStarted : True
LastErrorCode :
LastErrorMessage :
LastFailedEvaluationTime : 1/1/0001 12:00:00 AM
LastFailedInvocationTime : 1/1/0001 12:00:00 AM
LastSuccessfulEvaluationTime : 12/13/2019 8:12:03 AM
LastSuccessfulInvocationTime : 12/13/2019 8:12:03 AM
ConfigRuleArn : arn:aws:config:eu-west-1:123456789012:config-rule/config-rule-z1s23b
ConfigRuleId : config-rule-z1s23b
ConfigRuleName : vpc-flow-logs-enabled
FirstActivatedTime : 8/14/2019 6:23:44 AM
FirstEvaluationStarted : True
LastErrorCode :
LastErrorMessage :
LastFailedEvaluationTime : 1/1/0001 12:00:00 AM
LastFailedInvocationTime : 1/1/0001 12:00:00 AM
LastSuccessfulEvaluationTime : 12/13/2019 7:12:01 AM
LastSuccessfulInvocationTime : 12/13/2019 7:12:01 AM
```
+ For API details, see [DescribeConfigRuleEvaluationStatus](https://docs.aws.amazon.com/powershell/v5/reference) in *AWS Tools for PowerShell Cmdlet Reference (V5)*.
------
# Use `DescribeConfigRules` with an AWS SDK or CLI
The following code examples show how to use `DescribeConfigRules`.
------
#### [ CLI ]
**AWS CLI**
**To get details for an AWS Config rule**
The following command returns details for an AWS Config rule named `InstanceTypesAreT2micro`:
```
aws configservice describe-config-rules --config-rule-names InstanceTypesAreT2micro
```
Output:
```
{
"ConfigRules": [
{
"ConfigRuleState": "ACTIVE",
"Description": "Evaluates whether EC2 instances are the t2.micro type.",
"ConfigRuleName": "InstanceTypesAreT2micro",
"ConfigRuleArn": "arn:aws:config:us-east-1:123456789012:config-rule/config-rule-abcdef",
"Source": {
"Owner": "CUSTOM_LAMBDA",
"SourceIdentifier": "arn:aws:lambda:us-east-1:123456789012:function:InstanceTypeCheck",
"SourceDetails": [
{
"EventSource": "aws.config",
"MessageType": "ConfigurationItemChangeNotification"
}
]
},
"InputParameters": "{\"desiredInstanceType\":\"t2.micro\"}",
"Scope": {
"ComplianceResourceTypes": [
"AWS::EC2::Instance"
]
},
"ConfigRuleId": "config-rule-abcdef"
}
]
}
```
+ For API details, see [DescribeConfigRules](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/configservice/describe-config-rules.html) in *AWS CLI Command Reference*.
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**Example 1: This sample lists config rules for the account, with selected properties.**
```
Get-CFGConfigRule | Select-Object ConfigRuleName, ConfigRuleId, ConfigRuleArn, ConfigRuleState
```
**Output:**
```
ConfigRuleName ConfigRuleId ConfigRuleArn ConfigRuleState
-------------- ------------ ------------- ---------------
ALB_REDIRECTION_CHECK config-rule-12iyn3 arn:aws:config-service:eu-west-1:123456789012:config-rule/config-rule-12iyn3 ACTIVE
access-keys-rotated config-rule-aospfr arn:aws:config-service:eu-west-1:123456789012:config-rule/config-rule-aospfr ACTIVE
autoscaling-group-elb-healthcheck-required config-rule-cn1f2x arn:aws:config-service:eu-west-1:123456789012:config-rule/config-rule-cn1f2x ACTIVE
```
+ For API details, see [DescribeConfigRules](https://docs.aws.amazon.com/powershell/v4/reference) in *AWS Tools for PowerShell Cmdlet Reference (V4)*.
**Tools for PowerShell V5**
**Example 1: This sample lists config rules for the account, with selected properties.**
```
Get-CFGConfigRule | Select-Object ConfigRuleName, ConfigRuleId, ConfigRuleArn, ConfigRuleState
```
**Output:**
```
ConfigRuleName ConfigRuleId ConfigRuleArn ConfigRuleState
-------------- ------------ ------------- ---------------
ALB_REDIRECTION_CHECK config-rule-12iyn3 arn:aws:config-service:eu-west-1:123456789012:config-rule/config-rule-12iyn3 ACTIVE
access-keys-rotated config-rule-aospfr arn:aws:config-service:eu-west-1:123456789012:config-rule/config-rule-aospfr ACTIVE
autoscaling-group-elb-healthcheck-required config-rule-cn1f2x arn:aws:config-service:eu-west-1:123456789012:config-rule/config-rule-cn1f2x ACTIVE
```
+ For API details, see [DescribeConfigRules](https://docs.aws.amazon.com/powershell/v5/reference) in *AWS Tools for PowerShell Cmdlet Reference (V5)*.
------
#### [ Python ]
**SDK for Python (Boto3)**
There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/config#code-examples).
```
class ConfigWrapper:
"""
Encapsulates AWS Config functions.
"""
def __init__(self, config_client):
"""
:param config_client: A Boto3 AWS Config client.
"""
self.config_client = config_client
def describe_config_rule(self, rule_name):
"""
Gets data for the specified rule.
:param rule_name: The name of the rule to retrieve.
:return: The rule data.
"""
try:
response = self.config_client.describe_config_rules(
ConfigRuleNames=[rule_name]
)
rule = response["ConfigRules"]
logger.info("Got data for rule %s.", rule_name)
except ClientError:
logger.exception("Couldn't get data for rule %s.", rule_name)
raise
else:
return rule
```
+ For API details, see [DescribeConfigRules](https://docs.aws.amazon.com/goto/boto3/config-2014-11-12/DescribeConfigRules) in *AWS SDK for Python (Boto3) API Reference*.
------
#### [ SAP ABAP ]
**SDK for SAP ABAP**
There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap/services/cfs#code-examples).
```
DATA(lo_result) = lo_cfs->describeconfigrules(
it_configrulenames = VALUE /aws1/cl_cfsconfigrulenames_w=>tt_configrulenames(
( NEW /aws1/cl_cfsconfigrulenames_w( iv_rule_name ) )
)
).
ot_cfg_rules = lo_result->get_configrules( ).
MESSAGE 'Retrieved AWS Config rule data.' TYPE 'I'.
```
+ For API details, see [DescribeConfigRules](https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/index.html) in *AWS SDK for SAP ABAP API reference*.
------
# Use `DescribeConfigurationRecorderStatus` with a CLI
The following code examples show how to use `DescribeConfigurationRecorderStatus`.
Action examples are code excerpts from larger programs and must be run in context. You can see this action in context in the following code example:
+ [Getting started with Config](config-service_example_config_service_GettingStarted_053_section.md)
------
#### [ CLI ]
**AWS CLI**
**To get status information for the configuration recorder**
The following command returns the status of the default configuration recorder:
```
aws configservice describe-configuration-recorder-status
```
Output:
```
{
"ConfigurationRecordersStatus": [
{
"name": "default",
"lastStatus": "SUCCESS",
"recording": true,
"lastStatusChangeTime": 1452193834.344,
"lastStartTime": 1441039997.819,
"lastStopTime": 1441039992.835
}
]
}
```
+ For API details, see [DescribeConfigurationRecorderStatus](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/configservice/describe-configuration-recorder-status.html) in *AWS CLI Command Reference*.
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**Example 1: This sample returns status of the configuration recorders. **
```
Get-CFGConfigurationRecorderStatus
```
**Output:**
```
LastErrorCode :
LastErrorMessage :
LastStartTime : 10/11/2019 10:13:51 AM
LastStatus : Success
LastStatusChangeTime : 12/31/2019 6:14:12 AM
LastStopTime : 10/11/2019 10:13:46 AM
Name : default
Recording : True
```
+ For API details, see [DescribeConfigurationRecorderStatus](https://docs.aws.amazon.com/powershell/v4/reference) in *AWS Tools for PowerShell Cmdlet Reference (V4)*.
**Tools for PowerShell V5**
**Example 1: This sample returns status of the configuration recorders. **
```
Get-CFGConfigurationRecorderStatus
```
**Output:**
```
LastErrorCode :
LastErrorMessage :
LastStartTime : 10/11/2019 10:13:51 AM
LastStatus : Success
LastStatusChangeTime : 12/31/2019 6:14:12 AM
LastStopTime : 10/11/2019 10:13:46 AM
Name : default
Recording : True
```
+ For API details, see [DescribeConfigurationRecorderStatus](https://docs.aws.amazon.com/powershell/v5/reference) in *AWS Tools for PowerShell Cmdlet Reference (V5)*.
------
# Use `DescribeConfigurationRecorders` with a CLI
The following code examples show how to use `DescribeConfigurationRecorders`.
Action examples are code excerpts from larger programs and must be run in context. You can see this action in context in the following code example:
+ [Getting started with Config](config-service_example_config_service_GettingStarted_053_section.md)
------
#### [ CLI ]
**AWS CLI**
**To get details about the configuration recorder**
The following command returns details about the default configuration recorder:
```
aws configservice describe-configuration-recorders
```
Output:
```
{
"ConfigurationRecorders": [
{
"recordingGroup": {
"allSupported": true,
"resourceTypes": [],
"includeGlobalResourceTypes": true
},
"roleARN": "arn:aws:iam::123456789012:role/config-ConfigRole-A1B2C3D4E5F6",
"name": "default"
}
]
}
```
+ For API details, see [DescribeConfigurationRecorders](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/configservice/describe-configuration-recorders.html) in *AWS CLI Command Reference*.
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**Example 1: This example returns the details of configuration recorders.**
```
Get-CFGConfigurationRecorder | Format-List
```
**Output:**
```
Name : default
RecordingGroup : Amazon.ConfigService.Model.RecordingGroup
RoleARN : arn:aws:iam::123456789012:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig
```
+ For API details, see [DescribeConfigurationRecorders](https://docs.aws.amazon.com/powershell/v4/reference) in *AWS Tools for PowerShell Cmdlet Reference (V4)*.
**Tools for PowerShell V5**
**Example 1: This example returns the details of configuration recorders.**
```
Get-CFGConfigurationRecorder | Format-List
```
**Output:**
```
Name : default
RecordingGroup : Amazon.ConfigService.Model.RecordingGroup
RoleARN : arn:aws:iam::123456789012:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig
```
+ For API details, see [DescribeConfigurationRecorders](https://docs.aws.amazon.com/powershell/v5/reference) in *AWS Tools for PowerShell Cmdlet Reference (V5)*.
------
# Use `DescribeDeliveryChannels` with a CLI
The following code examples show how to use `DescribeDeliveryChannels`.
Action examples are code excerpts from larger programs and must be run in context. You can see this action in context in the following code example:
+ [Getting started with Config](config-service_example_config_service_GettingStarted_053_section.md)
------
#### [ CLI ]
**AWS CLI**
**To get details about the delivery channel**
The following command returns details about the delivery channel:
```
aws configservice describe-delivery-channels
```
Output:
```
{
"DeliveryChannels": [
{
"snsTopicARN": "arn:aws:sns:us-east-1:123456789012:config-topic",
"name": "default",
"s3BucketName": "config-bucket-123456789012"
}
]
}
```
+ For API details, see [DescribeDeliveryChannels](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/configservice/describe-delivery-channels.html) in *AWS CLI Command Reference*.
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**Example 1: This example retrieves the delivery channel for the region and displays details.**
```
Get-CFGDeliveryChannel -Region eu-west-1 | Select-Object Name, S3BucketName, S3KeyPrefix, @{N="DeliveryFrequency";E={$_.ConfigSnapshotDeliveryProperties.DeliveryFrequency}}
```
**Output:**
```
Name S3BucketName S3KeyPrefix DeliveryFrequency
---- ------------ ----------- -----------------
default config-bucket-NA my TwentyFour_Hours
```
+ For API details, see [DescribeDeliveryChannels](https://docs.aws.amazon.com/powershell/v4/reference) in *AWS Tools for PowerShell Cmdlet Reference (V4)*.
**Tools for PowerShell V5**
**Example 1: This example retrieves the delivery channel for the region and displays details.**
```
Get-CFGDeliveryChannel -Region eu-west-1 | Select-Object Name, S3BucketName, S3KeyPrefix, @{N="DeliveryFrequency";E={$_.ConfigSnapshotDeliveryProperties.DeliveryFrequency}}
```
**Output:**
```
Name S3BucketName S3KeyPrefix DeliveryFrequency
---- ------------ ----------- -----------------
default config-bucket-NA my TwentyFour_Hours
```
+ For API details, see [DescribeDeliveryChannels](https://docs.aws.amazon.com/powershell/v5/reference) in *AWS Tools for PowerShell Cmdlet Reference (V5)*.
------
# Use `GetComplianceDetailsByConfigRule` with a CLI
The following code examples show how to use `GetComplianceDetailsByConfigRule`.
------
#### [ CLI ]
**AWS CLI**
**To get the evaluation results for an AWS Config rule**
The following command returns the evaluation results for all of the resources that don't comply with an AWS Config rule named `InstanceTypesAreT2micro`:
```
aws configservice get-compliance-details-by-config-rule --config-rule-name InstanceTypesAreT2micro --compliance-types NON_COMPLIANT
```
Output:
```
{
"EvaluationResults": [
{
"EvaluationResultIdentifier": {
"OrderingTimestamp": 1450314635.065,
"EvaluationResultQualifier": {
"ResourceType": "AWS::EC2::Instance",
"ResourceId": "i-1a2b3c4d",
"ConfigRuleName": "InstanceTypesAreT2micro"
}
},
"ResultRecordedTime": 1450314645.261,
"ConfigRuleInvokedTime": 1450314642.948,
"ComplianceType": "NON_COMPLIANT"
},
{
"EvaluationResultIdentifier": {
"OrderingTimestamp": 1450314635.065,
"EvaluationResultQualifier": {
"ResourceType": "AWS::EC2::Instance",
"ResourceId": "i-2a2b3c4d",
"ConfigRuleName": "InstanceTypesAreT2micro"
}
},
"ResultRecordedTime": 1450314645.18,
"ConfigRuleInvokedTime": 1450314642.902,
"ComplianceType": "NON_COMPLIANT"
},
{
"EvaluationResultIdentifier": {
"OrderingTimestamp": 1450314635.065,
"EvaluationResultQualifier": {
"ResourceType": "AWS::EC2::Instance",
"ResourceId": "i-3a2b3c4d",
"ConfigRuleName": "InstanceTypesAreT2micro"
}
},
"ResultRecordedTime": 1450314643.346,
"ConfigRuleInvokedTime": 1450314643.124,
"ComplianceType": "NON_COMPLIANT"
}
]
}
```
+ For API details, see [GetComplianceDetailsByConfigRule](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/configservice/get-compliance-details-by-config-rule.html) in *AWS CLI Command Reference*.
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**Example 1: This example obtains the evaluation results for the rule access-keys-rotated and returns the output grouped by compliance-type**
```
Get-CFGComplianceDetailsByConfigRule -ConfigRuleName access-keys-rotated | Group-Object ComplianceType
```
**Output:**
```
Count Name Group
----- ---- -----
2 COMPLIANT {Amazon.ConfigService.Model.EvaluationResult, Amazon.ConfigService.Model.EvaluationResult}
5 NON_COMPLIANT {Amazon.ConfigService.Model.EvaluationResult, Amazon.ConfigService.Model.EvaluationResult, Amazon.ConfigService.Model.EvaluationRes...
```
**Example 2: This example queries compliance details for the rule access-keys-rotated for COMPLIANT resources.**
```
Get-CFGComplianceDetailsByConfigRule -ConfigRuleName access-keys-rotated -ComplianceType COMPLIANT | ForEach-Object {$_.EvaluationResultIdentifier.EvaluationResultQualifier}
```
**Output:**
```
ConfigRuleName ResourceId ResourceType
-------------- ---------- ------------
access-keys-rotated BCAB1CDJ2LITAPVEW3JAH AWS::IAM::User
access-keys-rotated BCAB1CDJ2LITL3EHREM4Q AWS::IAM::User
```
+ For API details, see [GetComplianceDetailsByConfigRule](https://docs.aws.amazon.com/powershell/v4/reference) in *AWS Tools for PowerShell Cmdlet Reference (V4)*.
**Tools for PowerShell V5**
**Example 1: This example obtains the evaluation results for the rule access-keys-rotated and returns the output grouped by compliance-type**
```
Get-CFGComplianceDetailsByConfigRule -ConfigRuleName access-keys-rotated | Group-Object ComplianceType
```
**Output:**
```
Count Name Group
----- ---- -----
2 COMPLIANT {Amazon.ConfigService.Model.EvaluationResult, Amazon.ConfigService.Model.EvaluationResult}
5 NON_COMPLIANT {Amazon.ConfigService.Model.EvaluationResult, Amazon.ConfigService.Model.EvaluationResult, Amazon.ConfigService.Model.EvaluationRes...
```
**Example 2: This example queries compliance details for the rule access-keys-rotated for COMPLIANT resources.**
```
Get-CFGComplianceDetailsByConfigRule -ConfigRuleName access-keys-rotated -ComplianceType COMPLIANT | ForEach-Object {$_.EvaluationResultIdentifier.EvaluationResultQualifier}
```
**Output:**
```
ConfigRuleName ResourceId ResourceType
-------------- ---------- ------------
access-keys-rotated BCAB1CDJ2LITAPVEW3JAH AWS::IAM::User
access-keys-rotated BCAB1CDJ2LITL3EHREM4Q AWS::IAM::User
```
+ For API details, see [GetComplianceDetailsByConfigRule](https://docs.aws.amazon.com/powershell/v5/reference) in *AWS Tools for PowerShell Cmdlet Reference (V5)*.
------
# Use `GetComplianceDetailsByResource` with a CLI
The following code examples show how to use `GetComplianceDetailsByResource`.
------
#### [ CLI ]
**AWS CLI**
**To get the evaluation results for an AWS resource**
The following command returns the evaluation results for each rule with which the EC2 instance `i-1a2b3c4d` does not comply:
```
aws configservice get-compliance-details-by-resource --resource-type AWS::EC2::Instance --resource-id i-1a2b3c4d --compliance-types NON_COMPLIANT
```
Output:
```
{
"EvaluationResults": [
{
"EvaluationResultIdentifier": {
"OrderingTimestamp": 1450314635.065,
"EvaluationResultQualifier": {
"ResourceType": "AWS::EC2::Instance",
"ResourceId": "i-1a2b3c4d",
"ConfigRuleName": "InstanceTypesAreT2micro"
}
},
"ResultRecordedTime": 1450314643.288,
"ConfigRuleInvokedTime": 1450314643.034,
"ComplianceType": "NON_COMPLIANT"
},
{
"EvaluationResultIdentifier": {
"OrderingTimestamp": 1450314635.065,
"EvaluationResultQualifier": {
"ResourceType": "AWS::EC2::Instance",
"ResourceId": "i-1a2b3c4d",
"ConfigRuleName": "RequiredTagForEC2Instances"
}
},
"ResultRecordedTime": 1450314645.261,
"ConfigRuleInvokedTime": 1450314642.948,
"ComplianceType": "NON_COMPLIANT"
}
]
}
```
+ For API details, see [GetComplianceDetailsByResource](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/configservice/get-compliance-details-by-resource.html) in *AWS CLI Command Reference*.
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**Example 1: This example evaulation results for the given resource.**
```
Get-CFGComplianceDetailsByResource -ResourceId ABCD5STJ4EFGHIVEW6JAH -ResourceType 'AWS::IAM::User'
```
**Output:**
```
Annotation :
ComplianceType : COMPLIANT
ConfigRuleInvokedTime : 8/25/2019 11:34:56 PM
EvaluationResultIdentifier : Amazon.ConfigService.Model.EvaluationResultIdentifier
ResultRecordedTime : 8/25/2019 11:34:56 PM
ResultToken :
```
+ For API details, see [GetComplianceDetailsByResource](https://docs.aws.amazon.com/powershell/v4/reference) in *AWS Tools for PowerShell Cmdlet Reference (V4)*.
**Tools for PowerShell V5**
**Example 1: This example evaulation results for the given resource.**
```
Get-CFGComplianceDetailsByResource -ResourceId ABCD5STJ4EFGHIVEW6JAH -ResourceType 'AWS::IAM::User'
```
**Output:**
```
Annotation :
ComplianceType : COMPLIANT
ConfigRuleInvokedTime : 8/25/2019 11:34:56 PM
EvaluationResultIdentifier : Amazon.ConfigService.Model.EvaluationResultIdentifier
ResultRecordedTime : 8/25/2019 11:34:56 PM
ResultToken :
```
+ For API details, see [GetComplianceDetailsByResource](https://docs.aws.amazon.com/powershell/v5/reference) in *AWS Tools for PowerShell Cmdlet Reference (V5)*.
------
# Use `GetComplianceSummaryByConfigRule` with a CLI
The following code examples show how to use `GetComplianceSummaryByConfigRule`.
------
#### [ CLI ]
**AWS CLI**
**To get the compliance summary for your AWS Config rules**
The following command returns the number of rules that are compliant and the number that are noncompliant:
```
aws configservice get-compliance-summary-by-config-rule
```
In the output, the value for each `CappedCount` attribute indicates how many rules are compliant or noncompliant.
Output:
```
{
"ComplianceSummary": {
"NonCompliantResourceCount": {
"CappedCount": 3,
"CapExceeded": false
},
"ComplianceSummaryTimestamp": 1452204131.493,
"CompliantResourceCount": {
"CappedCount": 2,
"CapExceeded": false
}
}
}
```
+ For API details, see [GetComplianceSummaryByConfigRule](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/configservice/get-compliance-summary-by-config-rule.html) in *AWS CLI Command Reference*.
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**Example 1: This sample returns the number of Config rules that are non-compliant.**
```
Get-CFGComplianceSummaryByConfigRule -Select ComplianceSummary.NonCompliantResourceCount
```
**Output:**
```
CapExceeded CappedCount
----------- -----------
False 9
```
+ For API details, see [GetComplianceSummaryByConfigRule](https://docs.aws.amazon.com/powershell/v4/reference) in *AWS Tools for PowerShell Cmdlet Reference (V4)*.
**Tools for PowerShell V5**
**Example 1: This sample returns the number of Config rules that are non-compliant.**
```
Get-CFGComplianceSummaryByConfigRule -Select ComplianceSummary.NonCompliantResourceCount
```
**Output:**
```
CapExceeded CappedCount
----------- -----------
False 9
```
+ For API details, see [GetComplianceSummaryByConfigRule](https://docs.aws.amazon.com/powershell/v5/reference) in *AWS Tools for PowerShell Cmdlet Reference (V5)*.
------
# Use `GetComplianceSummaryByResourceType` with a CLI
The following code examples show how to use `GetComplianceSummaryByResourceType`.
------
#### [ CLI ]
**AWS CLI**
**To get the compliance summary for all resource types**
The following command returns the number of AWS resources that are noncompliant and the number that are compliant:
```
aws configservice get-compliance-summary-by-resource-type
```
In the output, the value for each `CappedCount` attribute indicates how many resources are compliant or noncompliant.
Output:
```
{
"ComplianceSummariesByResourceType": [
{
"ComplianceSummary": {
"NonCompliantResourceCount": {
"CappedCount": 16,
"CapExceeded": false
},
"ComplianceSummaryTimestamp": 1453237464.543,
"CompliantResourceCount": {
"CappedCount": 10,
"CapExceeded": false
}
}
}
]
}
```
**To get the compliance summary for a specific resource type**
The following command returns the number of EC2 instances that are noncompliant and the number that are compliant:
```
aws configservice get-compliance-summary-by-resource-type --resource-types AWS::EC2::Instance
```
In the output, the value for each `CappedCount` attribute indicates how many resources are compliant or noncompliant.
Output:
```
{
"ComplianceSummariesByResourceType": [
{
"ResourceType": "AWS::EC2::Instance",
"ComplianceSummary": {
"NonCompliantResourceCount": {
"CappedCount": 3,
"CapExceeded": false
},
"ComplianceSummaryTimestamp": 1452204923.518,
"CompliantResourceCount": {
"CappedCount": 7,
"CapExceeded": false
}
}
}
]
}
```
+ For API details, see [GetComplianceSummaryByResourceType](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/configservice/get-compliance-summary-by-resource-type.html) in *AWS CLI Command Reference*.
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**Example 1: This sample returns the number of resources that are compliant or noncompliant and converts the output to json.**
```
Get-CFGComplianceSummaryByResourceType -Select ComplianceSummariesByResourceType.ComplianceSummary | ConvertTo-Json
{
"ComplianceSummaryTimestamp": "2019-12-14T06:14:49.778Z",
"CompliantResourceCount": {
"CapExceeded": false,
"CappedCount": 2
},
"NonCompliantResourceCount": {
"CapExceeded": true,
"CappedCount": 100
}
}
```
+ For API details, see [GetComplianceSummaryByResourceType](https://docs.aws.amazon.com/powershell/v4/reference) in *AWS Tools for PowerShell Cmdlet Reference (V4)*.
**Tools for PowerShell V5**
**Example 1: This sample returns the number of resources that are compliant or noncompliant and converts the output to json.**
```
Get-CFGComplianceSummaryByResourceType -Select ComplianceSummariesByResourceType.ComplianceSummary | ConvertTo-Json
{
"ComplianceSummaryTimestamp": "2019-12-14T06:14:49.778Z",
"CompliantResourceCount": {
"CapExceeded": false,
"CappedCount": 2
},
"NonCompliantResourceCount": {
"CapExceeded": true,
"CappedCount": 100
}
}
```
+ For API details, see [GetComplianceSummaryByResourceType](https://docs.aws.amazon.com/powershell/v5/reference) in *AWS Tools for PowerShell Cmdlet Reference (V5)*.
------
# Use `PutConfigRule` with an AWS SDK or CLI
The following code examples show how to use `PutConfigRule`.
------
#### [ CLI ]
**AWS CLI**
**To add an AWS managed Config rule**
The following command provides JSON code to add an AWS managed Config rule:
```
aws configservice put-config-rule --config-rule file://RequiredTagsForEC2Instances.json
```
`RequiredTagsForEC2Instances.json` is a JSON file that contains the rule configuration:
```
{
"ConfigRuleName": "RequiredTagsForEC2Instances",
"Description": "Checks whether the CostCenter and Owner tags are applied to EC2 instances.",
"Scope": {
"ComplianceResourceTypes": [
"AWS::EC2::Instance"
]
},
"Source": {
"Owner": "AWS",
"SourceIdentifier": "REQUIRED_TAGS"
},
"InputParameters": "{\"tag1Key\":\"CostCenter\",\"tag2Key\":\"Owner\"}"
}
```
For the `ComplianceResourceTypes` attribute, this JSON code limits the scope to resources of the `AWS::EC2::Instance` type, so AWS Config will evaluate only EC2 instances against the rule. Because the rule is a managed rule, the `Owner` attribute is set to `AWS`, and the `SourceIdentifier` attribute is set to the rule identifier, `REQUIRED_TAGS`. For the `InputParameters` attribute, the tag keys that the rule requires, `CostCenter` and `Owner`, are specified.
If the command succeeds, AWS Config returns no output. To verify the rule configuration, run the describe-config-rules command, and specify the rule name.
**To add a customer managed Config rule**
The following command provides JSON code to add a customer managed Config rule:
```
aws configservice put-config-rule --config-rule file://InstanceTypesAreT2micro.json
```
`InstanceTypesAreT2micro.json` is a JSON file that contains the rule configuration:
```
{
"ConfigRuleName": "InstanceTypesAreT2micro",
"Description": "Evaluates whether EC2 instances are the t2.micro type.",
"Scope": {
"ComplianceResourceTypes": [
"AWS::EC2::Instance"
]
},
"Source": {
"Owner": "CUSTOM_LAMBDA",
"SourceIdentifier": "arn:aws:lambda:us-east-1:123456789012:function:InstanceTypeCheck",
"SourceDetails": [
{
"EventSource": "aws.config",
"MessageType": "ConfigurationItemChangeNotification"
}
]
},
"InputParameters": "{\"desiredInstanceType\":\"t2.micro\"}"
}
```
For the `ComplianceResourceTypes` attribute, this JSON code limits the scope to resources of the `AWS::EC2::Instance` type, so AWS Config will evaluate only EC2 instances against the rule. Because this rule is a customer managed rule, the `Owner` attribute is set to `CUSTOM_LAMBDA`, and the `SourceIdentifier` attribute is set to the ARN of the AWS Lambda function. The `SourceDetails` object is required. The parameters that are specified for the `InputParameters` attribute are passed to the AWS Lambda function when AWS Config invokes it to evaluate resources against the rule.
If the command succeeds, AWS Config returns no output. To verify the rule configuration, run the describe-config-rules command, and specify the rule name.
+ For API details, see [PutConfigRule](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/configservice/put-config-rule.html) in *AWS CLI Command Reference*.
------
#### [ Python ]
**SDK for Python (Boto3)**
There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/config#code-examples).
```
class ConfigWrapper:
"""
Encapsulates AWS Config functions.
"""
def __init__(self, config_client):
"""
:param config_client: A Boto3 AWS Config client.
"""
self.config_client = config_client
def put_config_rule(self, rule_name):
"""
Sets a configuration rule that prohibits making Amazon S3 buckets publicly
readable.
:param rule_name: The name to give the rule.
"""
try:
self.config_client.put_config_rule(
ConfigRule={
"ConfigRuleName": rule_name,
"Description": "S3 Public Read Prohibited Bucket Rule",
"Scope": {
"ComplianceResourceTypes": [
"AWS::S3::Bucket",
],
},
"Source": {
"Owner": "AWS",
"SourceIdentifier": "S3_BUCKET_PUBLIC_READ_PROHIBITED",
},
"InputParameters": "{}",
"ConfigRuleState": "ACTIVE",
}
)
logger.info("Created configuration rule %s.", rule_name)
except ClientError:
logger.exception("Couldn't create configuration rule %s.", rule_name)
raise
```
+ For API details, see [PutConfigRule](https://docs.aws.amazon.com/goto/boto3/config-2014-11-12/PutConfigRule) in *AWS SDK for Python (Boto3) API Reference*.
------
#### [ SAP ABAP ]
**SDK for SAP ABAP**
There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap/services/cfs#code-examples).
```
" Create a config rule for S3 bucket public read prohibition
lo_cfs->putconfigrule(
io_configrule = NEW /aws1/cl_cfsconfigrule(
iv_configrulename = iv_rule_name
iv_description = |S3 Public Read Prohibited Bucket Rule|
io_scope = NEW /aws1/cl_cfsscope(
it_complianceresourcetypes = VALUE /aws1/cl_cfscplncresrctypes_w=>tt_complianceresourcetypes(
( NEW /aws1/cl_cfscplncresrctypes_w( |AWS::S3::Bucket| ) )
)
)
io_source = NEW /aws1/cl_cfssource(
iv_owner = |AWS|
iv_sourceidentifier = |S3_BUCKET_PUBLIC_READ_PROHIBITED|
)
iv_inputparameters = '{}'
iv_configrulestate = |ACTIVE|
)
).
MESSAGE 'Created AWS Config rule.' TYPE 'I'.
```
+ For API details, see [PutConfigRule](https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/index.html) in *AWS SDK for SAP ABAP API reference*.
------
# Use `PutDeliveryChannel` with a CLI
The following code examples show how to use `PutDeliveryChannel`.
Action examples are code excerpts from larger programs and must be run in context. You can see this action in context in the following code example:
+ [Getting started with Config](config-service_example_config_service_GettingStarted_053_section.md)
------
#### [ CLI ]
**AWS CLI**
**To create a delivery channel**
The following command provides the settings for the delivery channel as JSON code:
```
aws configservice put-delivery-channel --delivery-channel file://deliveryChannel.json
```
The `deliveryChannel.json` file specifies the delivery channel attributes:
```
{
"name": "default",
"s3BucketName": "config-bucket-123456789012",
"snsTopicARN": "arn:aws:sns:us-east-1:123456789012:config-topic",
"configSnapshotDeliveryProperties": {
"deliveryFrequency": "Twelve_Hours"
}
}
```
This example sets the following attributes:
`name` - The name of the delivery channel. By default, AWS Config assigns the name `default` to a new delivery channel.You cannot update the delivery channel name with the `put-delivery-channel` command. For the steps to change the name, see Renaming the Delivery Channel.`s3BucketName` - The name of the Amazon S3 bucket to which AWS Config delivers configuration snapshots and configuration history files.If you specify a bucket that belongs to another AWS account, that bucket must have policies that grant access permissions to AWS Config. For more information, see Permissions for the Amazon S3 Bucket.
`snsTopicARN` - The Amazon Resource Name (ARN) of the Amazon SNS topic to which AWS Config sends notifications about configuration changes.If you choose a topic from another account, the topic must have policies that grant access permissions to AWS Config. For more information, see Permissions for the Amazon SNS Topic.
`configSnapshotDeliveryProperties` - Contains the `deliveryFrequency` attribute, which sets how often AWS Config delivers configuration snapshots and how often it invokes evaluations for periodic Config rules.
If the command succeeds, AWS Config returns no output. To verify the settings of your delivery channel, run the describe-delivery-channels command.
+ For API details, see [PutDeliveryChannel](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/configservice/put-delivery-channel.html) in *AWS CLI Command Reference*.
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**Example 1: This example changes the deliveryFrequency property of an existing delivery channel.**
```
Write-CFGDeliveryChannel -ConfigSnapshotDeliveryProperties_DeliveryFrequency TwentyFour_Hours -DeliveryChannelName default -DeliveryChannel_S3BucketName amzn-s3-demo-bucket -DeliveryChannel_S3KeyPrefix my
```
+ For API details, see [PutDeliveryChannel](https://docs.aws.amazon.com/powershell/v4/reference) in *AWS Tools for PowerShell Cmdlet Reference (V4)*.
**Tools for PowerShell V5**
**Example 1: This example changes the deliveryFrequency property of an existing delivery channel.**
```
Write-CFGDeliveryChannel -ConfigSnapshotDeliveryProperties_DeliveryFrequency TwentyFour_Hours -DeliveryChannelName default -DeliveryChannel_S3BucketName amzn-s3-demo-bucket -DeliveryChannel_S3KeyPrefix my
```
+ For API details, see [PutDeliveryChannel](https://docs.aws.amazon.com/powershell/v5/reference) in *AWS Tools for PowerShell Cmdlet Reference (V5)*.
------
# Scenarios for AWS Config using AWS SDKs
The following code examples show you how to implement common scenarios in AWS Config with AWS SDKs. These scenarios show you how to accomplish specific tasks by calling multiple functions within AWS Config or combined with other AWS services. Each scenario includes a link to the complete source code, where you can find instructions on how to set up and run the code.
Scenarios target an intermediate level of experience to help you understand service actions in context.
**Topics**
+ [Getting started with Config](config-service_example_config_service_GettingStarted_053_section.md)
# Getting started with Config
The following code example shows how to:
+ Create an Amazon S3 bucket
+ Create an Amazon SNS topic
+ Create an IAM role for Config
+ Set up the Config configuration recorder
+ Set up the Config delivery channel
+ Start the configuration recorder
+ Verify the Config setup
------
#### [ Bash ]
**AWS CLI with Bash script**
There's more on GitHub. Find the complete example and learn how to set up and run in the [Sample developer tutorials](https://github.com/aws-samples/sample-developer-tutorials/tree/main/tuts/053-aws-config-gs) repository.
```
#!/bin/bash
# AWS Config Setup Script (v2)
# This script sets up AWS Config with the AWS CLI
# Error handling
set -e
LOGFILE="aws-config-setup-v2.log"
touch $LOGFILE
exec > >(tee -a $LOGFILE)
exec 2>&1
# Function to handle errors
handle_error() {
echo "ERROR: An error occurred at line $1"
echo "Attempting to clean up resources..."
cleanup_resources
exit 1
}
# Set trap for error handling
trap 'handle_error $LINENO' ERR
# Function to generate random identifier
generate_random_id() {
echo $(openssl rand -hex 6)
}
# Function to check if command was successful
check_command() {
if echo "$1" | grep -i "error" > /dev/null; then
echo "ERROR: $1"
return 1
fi
return 0
}
# Function to clean up resources
cleanup_resources() {
if [ -n "$CONFIG_RECORDER_NAME" ]; then
echo "Stopping configuration recorder..."
aws configservice stop-configuration-recorder --configuration-recorder-name "$CONFIG_RECORDER_NAME" 2>/dev/null || true
fi
# Check if we created a new delivery channel before trying to delete it
if [ -n "$DELIVERY_CHANNEL_NAME" ] && [ "$CREATED_NEW_DELIVERY_CHANNEL" = "true" ]; then
echo "Deleting delivery channel..."
aws configservice delete-delivery-channel --delivery-channel-name "$DELIVERY_CHANNEL_NAME" 2>/dev/null || true
fi
if [ -n "$CONFIG_RECORDER_NAME" ] && [ "$CREATED_NEW_CONFIG_RECORDER" = "true" ]; then
echo "Deleting configuration recorder..."
aws configservice delete-configuration-recorder --configuration-recorder-name "$CONFIG_RECORDER_NAME" 2>/dev/null || true
fi
if [ -n "$ROLE_NAME" ]; then
if [ -n "$POLICY_NAME" ]; then
echo "Detaching custom policy from role..."
aws iam delete-role-policy --role-name "$ROLE_NAME" --policy-name "$POLICY_NAME" 2>/dev/null || true
fi
if [ -n "$MANAGED_POLICY_ARN" ]; then
echo "Detaching managed policy from role..."
aws iam detach-role-policy --role-name "$ROLE_NAME" --policy-arn "$MANAGED_POLICY_ARN" 2>/dev/null || true
fi
echo "Deleting IAM role..."
aws iam delete-role --role-name "$ROLE_NAME" 2>/dev/null || true
fi
if [ -n "$SNS_TOPIC_ARN" ]; then
echo "Deleting SNS topic..."
aws sns delete-topic --topic-arn "$SNS_TOPIC_ARN" 2>/dev/null || true
fi
if [ -n "$S3_BUCKET_NAME" ]; then
echo "Emptying S3 bucket..."
aws s3 rm "s3://$S3_BUCKET_NAME" --recursive 2>/dev/null || true
echo "Deleting S3 bucket..."
aws s3api delete-bucket --bucket "$S3_BUCKET_NAME" 2>/dev/null || true
fi
}
# Function to display created resources
display_resources() {
echo ""
echo "==========================================="
echo "CREATED RESOURCES"
echo "==========================================="
echo "S3 Bucket: $S3_BUCKET_NAME"
echo "SNS Topic ARN: $SNS_TOPIC_ARN"
echo "IAM Role: $ROLE_NAME"
if [ "$CREATED_NEW_CONFIG_RECORDER" = "true" ]; then
echo "Configuration Recorder: $CONFIG_RECORDER_NAME (newly created)"
else
echo "Configuration Recorder: $CONFIG_RECORDER_NAME (existing)"
fi
if [ "$CREATED_NEW_DELIVERY_CHANNEL" = "true" ]; then
echo "Delivery Channel: $DELIVERY_CHANNEL_NAME (newly created)"
else
echo "Delivery Channel: $DELIVERY_CHANNEL_NAME (existing)"
fi
echo "==========================================="
}
# Get AWS account ID
echo "Getting AWS account ID..."
ACCOUNT_ID=$(aws sts get-caller-identity --query "Account" --output text)
if [ -z "$ACCOUNT_ID" ]; then
echo "ERROR: Failed to get AWS account ID"
exit 1
fi
echo "AWS Account ID: $ACCOUNT_ID"
# Generate random identifier for resources
RANDOM_ID=$(generate_random_id)
echo "Generated random identifier: $RANDOM_ID"
# Step 1: Create an S3 bucket
S3_BUCKET_NAME="configservice-${RANDOM_ID}"
echo "Creating S3 bucket: $S3_BUCKET_NAME"
# Get the current region
AWS_REGION=$(aws configure get region)
if [ -z "$AWS_REGION" ]; then
AWS_REGION="us-east-1" # Default to us-east-1 if no region is configured
fi
echo "Using AWS Region: $AWS_REGION"
# Create bucket with appropriate command based on region
if [ "$AWS_REGION" = "us-east-1" ]; then
BUCKET_RESULT=$(aws s3api create-bucket --bucket "$S3_BUCKET_NAME")
else
BUCKET_RESULT=$(aws s3api create-bucket --bucket "$S3_BUCKET_NAME" --create-bucket-configuration LocationConstraint="$AWS_REGION")
fi
check_command "$BUCKET_RESULT"
echo "S3 bucket created: $S3_BUCKET_NAME"
# Block public access for the bucket
aws s3api put-public-access-block \
--bucket "$S3_BUCKET_NAME" \
--public-access-block-configuration "BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true"
echo "Public access blocked for bucket"
# Step 2: Create an SNS topic
TOPIC_NAME="config-topic-${RANDOM_ID}"
echo "Creating SNS topic: $TOPIC_NAME"
SNS_RESULT=$(aws sns create-topic --name "$TOPIC_NAME")
check_command "$SNS_RESULT"
SNS_TOPIC_ARN=$(echo "$SNS_RESULT" | grep -o 'arn:aws:sns:[^"]*')
echo "SNS topic created: $SNS_TOPIC_ARN"
# Step 3: Create an IAM role for AWS Config
ROLE_NAME="config-role-${RANDOM_ID}"
POLICY_NAME="config-delivery-permissions"
MANAGED_POLICY_ARN="arn:aws:iam::aws:policy/service-role/AWS_ConfigRole"
echo "Creating trust policy document..."
cat > config-trust-policy.json << EOF
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "config.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
EOF
echo "Creating IAM role: $ROLE_NAME"
ROLE_RESULT=$(aws iam create-role --role-name "$ROLE_NAME" --assume-role-policy-document file://config-trust-policy.json)
check_command "$ROLE_RESULT"
ROLE_ARN=$(echo "$ROLE_RESULT" | grep -o 'arn:aws:iam::[^"]*' | head -1)
echo "IAM role created: $ROLE_ARN"
echo "Attaching AWS managed policy to role..."
ATTACH_RESULT=$(aws iam attach-role-policy --role-name "$ROLE_NAME" --policy-arn "$MANAGED_POLICY_ARN")
check_command "$ATTACH_RESULT"
echo "AWS managed policy attached"
echo "Creating custom policy document for S3 and SNS access..."
cat > config-delivery-permissions.json << EOF
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:PutObject"
],
"Resource": "arn:aws:s3:::${S3_BUCKET_NAME}/AWSLogs/${ACCOUNT_ID}/*",
"Condition": {
"StringLike": {
"s3:x-amz-acl": "bucket-owner-full-control"
}
}
},
{
"Effect": "Allow",
"Action": [
"s3:GetBucketAcl"
],
"Resource": "arn:aws:s3:::${S3_BUCKET_NAME}"
},
{
"Effect": "Allow",
"Action": [
"sns:Publish"
],
"Resource": "${SNS_TOPIC_ARN}"
}
]
}
EOF
echo "Attaching custom policy to role..."
POLICY_RESULT=$(aws iam put-role-policy --role-name "$ROLE_NAME" --policy-name "$POLICY_NAME" --policy-document file://config-delivery-permissions.json)
check_command "$POLICY_RESULT"
echo "Custom policy attached"
# Wait for IAM role to propagate
echo "Waiting for IAM role to propagate (15 seconds)..."
sleep 15
# Step 4: Check if configuration recorder already exists
CONFIG_RECORDER_NAME="default"
CREATED_NEW_CONFIG_RECORDER="false"
echo "Checking for existing configuration recorder..."
EXISTING_RECORDERS=$(aws configservice describe-configuration-recorders 2>/dev/null || echo "")
if echo "$EXISTING_RECORDERS" | grep -q "name"; then
echo "Configuration recorder already exists. Will update it."
# Get the name of the existing recorder
CONFIG_RECORDER_NAME=$(echo "$EXISTING_RECORDERS" | grep -o '"name": "[^"]*"' | head -1 | cut -d'"' -f4)
echo "Using existing configuration recorder: $CONFIG_RECORDER_NAME"
else
echo "No existing configuration recorder found. Will create a new one."
CREATED_NEW_CONFIG_RECORDER="true"
fi
echo "Creating configuration recorder configuration..."
cat > configurationRecorder.json << EOF
{
"name": "${CONFIG_RECORDER_NAME}",
"roleARN": "${ROLE_ARN}",
"recordingMode": {
"recordingFrequency": "CONTINUOUS"
}
}
EOF
echo "Creating recording group configuration..."
cat > recordingGroup.json << EOF
{
"allSupported": true,
"includeGlobalResourceTypes": true
}
EOF
echo "Setting up configuration recorder..."
RECORDER_RESULT=$(aws configservice put-configuration-recorder --configuration-recorder file://configurationRecorder.json --recording-group file://recordingGroup.json)
check_command "$RECORDER_RESULT"
echo "Configuration recorder set up"
# Step 5: Check if delivery channel already exists
DELIVERY_CHANNEL_NAME="default"
CREATED_NEW_DELIVERY_CHANNEL="false"
echo "Checking for existing delivery channel..."
EXISTING_CHANNELS=$(aws configservice describe-delivery-channels 2>/dev/null || echo "")
if echo "$EXISTING_CHANNELS" | grep -q "name"; then
echo "Delivery channel already exists."
# Get the name of the existing channel
DELIVERY_CHANNEL_NAME=$(echo "$EXISTING_CHANNELS" | grep -o '"name": "[^"]*"' | head -1 | cut -d'"' -f4)
echo "Using existing delivery channel: $DELIVERY_CHANNEL_NAME"
# Update the existing delivery channel
echo "Creating delivery channel configuration for update..."
cat > deliveryChannel.json << EOF
{
"name": "${DELIVERY_CHANNEL_NAME}",
"s3BucketName": "${S3_BUCKET_NAME}",
"snsTopicARN": "${SNS_TOPIC_ARN}",
"configSnapshotDeliveryProperties": {
"deliveryFrequency": "Six_Hours"
}
}
EOF
echo "Updating delivery channel..."
CHANNEL_RESULT=$(aws configservice put-delivery-channel --delivery-channel file://deliveryChannel.json)
check_command "$CHANNEL_RESULT"
echo "Delivery channel updated"
else
echo "No existing delivery channel found. Will create a new one."
CREATED_NEW_DELIVERY_CHANNEL="true"
echo "Creating delivery channel configuration..."
cat > deliveryChannel.json << EOF
{
"name": "${DELIVERY_CHANNEL_NAME}",
"s3BucketName": "${S3_BUCKET_NAME}",
"snsTopicARN": "${SNS_TOPIC_ARN}",
"configSnapshotDeliveryProperties": {
"deliveryFrequency": "Six_Hours"
}
}
EOF
echo "Creating delivery channel..."
CHANNEL_RESULT=$(aws configservice put-delivery-channel --delivery-channel file://deliveryChannel.json)
check_command "$CHANNEL_RESULT"
echo "Delivery channel created"
fi
# Step 6: Start the configuration recorder
echo "Checking configuration recorder status..."
RECORDER_STATUS=$(aws configservice describe-configuration-recorder-status 2>/dev/null || echo "")
if echo "$RECORDER_STATUS" | grep -q '"recording": true'; then
echo "Configuration recorder is already running."
else
echo "Starting configuration recorder..."
START_RESULT=$(aws configservice start-configuration-recorder --configuration-recorder-name "$CONFIG_RECORDER_NAME")
check_command "$START_RESULT"
echo "Configuration recorder started"
fi
# Step 7: Verify the AWS Config setup
echo "Verifying delivery channel..."
VERIFY_CHANNEL=$(aws configservice describe-delivery-channels)
check_command "$VERIFY_CHANNEL"
echo "$VERIFY_CHANNEL"
echo "Verifying configuration recorder..."
VERIFY_RECORDER=$(aws configservice describe-configuration-recorders)
check_command "$VERIFY_RECORDER"
echo "$VERIFY_RECORDER"
echo "Verifying configuration recorder status..."
VERIFY_STATUS=$(aws configservice describe-configuration-recorder-status)
check_command "$VERIFY_STATUS"
echo "$VERIFY_STATUS"
# Display created resources
display_resources
# Ask if user wants to clean up resources
echo ""
echo "==========================================="
echo "CLEANUP CONFIRMATION"
echo "==========================================="
echo "Do you want to clean up all created resources? (y/n): "
read -r CLEANUP_CHOICE
if [[ "$CLEANUP_CHOICE" =~ ^[Yy]$ ]]; then
echo "Cleaning up resources..."
cleanup_resources
echo "Cleanup completed."
else
echo "Resources will not be cleaned up. You can manually clean them up later."
fi
echo "Script completed successfully!"
```
+ For API details, see the following topics in *AWS CLI Command Reference*.
+ [AttachRolePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/AttachRolePolicy)
+ [CreateBucket](https://docs.aws.amazon.com/goto/aws-cli/s3-2006-03-01/CreateBucket)
+ [CreateRole](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/CreateRole)
+ [CreateTopic](https://docs.aws.amazon.com/goto/aws-cli/sns-2010-03-31/CreateTopic)
+ [DeleteBucket](https://docs.aws.amazon.com/goto/aws-cli/s3-2006-03-01/DeleteBucket)
+ [DeleteConfigurationRecorder](https://docs.aws.amazon.com/goto/aws-cli/config-2014-11-12/DeleteConfigurationRecorder)
+ [DeleteDeliveryChannel](https://docs.aws.amazon.com/goto/aws-cli/config-2014-11-12/DeleteDeliveryChannel)
+ [DeleteRole](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DeleteRole)
+ [DeleteRolePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DeleteRolePolicy)
+ [DeleteTopic](https://docs.aws.amazon.com/goto/aws-cli/sns-2010-03-31/DeleteTopic)
+ [DescribeConfigurationRecorderStatus](https://docs.aws.amazon.com/goto/aws-cli/config-2014-11-12/DescribeConfigurationRecorderStatus)
+ [DescribeConfigurationRecorders](https://docs.aws.amazon.com/goto/aws-cli/config-2014-11-12/DescribeConfigurationRecorders)
+ [DescribeDeliveryChannels](https://docs.aws.amazon.com/goto/aws-cli/config-2014-11-12/DescribeDeliveryChannels)
+ [DetachRolePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DetachRolePolicy)
+ [GetCallerIdentity](https://docs.aws.amazon.com/goto/aws-cli/sts-2011-06-15/GetCallerIdentity)
+ [PutConfigurationRecorder](https://docs.aws.amazon.com/goto/aws-cli/config-2014-11-12/PutConfigurationRecorder)
+ [PutDeliveryChannel](https://docs.aws.amazon.com/goto/aws-cli/config-2014-11-12/PutDeliveryChannel)
+ [PutPublicAccessBlock](https://docs.aws.amazon.com/goto/aws-cli/s3-2006-03-01/PutPublicAccessBlock)
+ [PutRolePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/PutRolePolicy)
+ [Rm](https://docs.aws.amazon.com/goto/aws-cli/s3-2006-03-01/Rm)
+ [StartConfigurationRecorder](https://docs.aws.amazon.com/goto/aws-cli/config-2014-11-12/StartConfigurationRecorder)
+ [StopConfigurationRecorder](https://docs.aws.amazon.com/goto/aws-cli/config-2014-11-12/StopConfigurationRecorder)
------