# Viewing Compliance Information and Evaluation Results for your AWS Resources with AWS Config
**Important**
For accurate reporting on the compliance status, you must record the `AWS::Config::ResourceCompliance` resource type. For more information, see [Recording AWS Resources](https://docs.aws.amazon.com/config/latest/developerguide/select-resources.html).
You can use the AWS Config console or AWS SDKs to view the compliance information and the evaluation results of your resources.
**Topics**
+ [Viewing compliance (Console)](#evaluate-config_view-compliance-console)
+ [Viewing compliance (AWS SDKs)](#evaluate-config_view-compliance-cli)
## Viewing compliance (Console)
### To view compliance (Console)
1. Sign in to the AWS Management Console and open the AWS Config console at [https://console.aws.amazon.com/config/home](https://console.aws.amazon.com/config/home).
1. In the AWS Management Console menu, verify that the region selector is set to a region that supports AWS Config rules. For the list of supported regions, see [AWS Config Regions and Endpoints](https://docs.aws.amazon.com/general/latest/gr/rande.html#awsconfig_region) in the *Amazon Web Services General Reference*.
1. In the navigation pane, choose **Resources**. On the Resource inventory page, you can filter by resource category, resource type, and compliance status. Choose **Include deleted resources** if appropriate. The table displays the resource identifier for the resource type and the resource compliance status for that resource. The resource identifier might be a resource ID or a resource name.
1. Choose a resource from the resource identifier column.
1. Choose the **Resource Timeline** button. You can filter by Configuration events, Compliance events, or CloudTrail Events.
**Note**
Alternatively, on the Resource inventory page, you can directly choose the resource name. To access the resource timeline from the resource details page, choose the **Resource Timeline** button.
You can also view the compliance of your resources by looking them up on the **Resource inventory** page. For more information, see [Looking Up Resources That Are Discovered by AWS Config](looking-up-discovered-resources.md).
## Viewing compliance (AWS SDKs)
### To get compliance information for your AWS resources
The following code examples show how to use `DescribeComplianceByResource`.
------
#### [ CLI ]
**AWS CLI**
**To get compliance information for your AWS resources**
The following command returns compliance information for each EC2 instance that is recorded by AWS Config and that violates one or more rules:
```
aws configservice describe-compliance-by-resource --resource-type AWS::EC2::Instance --compliance-types NON_COMPLIANT
```
In the output, the value for each `CappedCount` attribute indicates how many rules the resource violates. For example, the following output indicates that instance `i-1a2b3c4d` violates 2 rules.
Output:
```
{
"ComplianceByResources": [
{
"ResourceType": "AWS::EC2::Instance",
"ResourceId": "i-1a2b3c4d",
"Compliance": {
"ComplianceContributorCount": {
"CappedCount": 2,
"CapExceeded": false
},
"ComplianceType": "NON_COMPLIANT"
}
},
{
"ResourceType": "AWS::EC2::Instance",
"ResourceId": "i-2a2b3c4d ",
"Compliance": {
"ComplianceContributorCount": {
"CappedCount": 3,
"CapExceeded": false
},
"ComplianceType": "NON_COMPLIANT"
}
}
]
}
```
+ For API details, see [DescribeComplianceByResource](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/configservice/describe-compliance-by-resource.html) in *AWS CLI Command Reference*.
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**Example 1: This example checks the `AWS::SSM::ManagedInstanceInventory` resource type for 'COMPLIANT' compliance type.**
```
Get-CFGComplianceByResource -ComplianceType COMPLIANT -ResourceType AWS::SSM::ManagedInstanceInventory
```
**Output:**
```
Compliance ResourceId ResourceType
---------- ---------- ------------
Amazon.ConfigService.Model.Compliance i-0123bcf4b567890e3 AWS::SSM::ManagedInstanceInventory
Amazon.ConfigService.Model.Compliance i-0a1234f6f5d6b78f7 AWS::SSM::ManagedInstanceInventory
```
+ For API details, see [DescribeComplianceByResource](https://docs.aws.amazon.com/powershell/v4/reference) in *AWS Tools for PowerShell Cmdlet Reference (V4)*.
**Tools for PowerShell V5**
**Example 1: This example checks the `AWS::SSM::ManagedInstanceInventory` resource type for 'COMPLIANT' compliance type.**
```
Get-CFGComplianceByResource -ComplianceType COMPLIANT -ResourceType AWS::SSM::ManagedInstanceInventory
```
**Output:**
```
Compliance ResourceId ResourceType
---------- ---------- ------------
Amazon.ConfigService.Model.Compliance i-0123bcf4b567890e3 AWS::SSM::ManagedInstanceInventory
Amazon.ConfigService.Model.Compliance i-0a1234f6f5d6b78f7 AWS::SSM::ManagedInstanceInventory
```
+ For API details, see [DescribeComplianceByResource](https://docs.aws.amazon.com/powershell/v5/reference) in *AWS Tools for PowerShell Cmdlet Reference (V5)*.
------
### To get the compliance summary of your AWS resources
The following code examples show how to use `GetComplianceSummaryByResourceType`.
------
#### [ CLI ]
**AWS CLI**
**To get the compliance summary for all resource types**
The following command returns the number of AWS resources that are noncompliant and the number that are compliant:
```
aws configservice get-compliance-summary-by-resource-type
```
In the output, the value for each `CappedCount` attribute indicates how many resources are compliant or noncompliant.
Output:
```
{
"ComplianceSummariesByResourceType": [
{
"ComplianceSummary": {
"NonCompliantResourceCount": {
"CappedCount": 16,
"CapExceeded": false
},
"ComplianceSummaryTimestamp": 1453237464.543,
"CompliantResourceCount": {
"CappedCount": 10,
"CapExceeded": false
}
}
}
]
}
```
**To get the compliance summary for a specific resource type**
The following command returns the number of EC2 instances that are noncompliant and the number that are compliant:
```
aws configservice get-compliance-summary-by-resource-type --resource-types AWS::EC2::Instance
```
In the output, the value for each `CappedCount` attribute indicates how many resources are compliant or noncompliant.
Output:
```
{
"ComplianceSummariesByResourceType": [
{
"ResourceType": "AWS::EC2::Instance",
"ComplianceSummary": {
"NonCompliantResourceCount": {
"CappedCount": 3,
"CapExceeded": false
},
"ComplianceSummaryTimestamp": 1452204923.518,
"CompliantResourceCount": {
"CappedCount": 7,
"CapExceeded": false
}
}
}
]
}
```
+ For API details, see [GetComplianceSummaryByResourceType](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/configservice/get-compliance-summary-by-resource-type.html) in *AWS CLI Command Reference*.
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**Example 1: This sample returns the number of resources that are compliant or noncompliant and converts the output to json.**
```
Get-CFGComplianceSummaryByResourceType -Select ComplianceSummariesByResourceType.ComplianceSummary | ConvertTo-Json
{
"ComplianceSummaryTimestamp": "2019-12-14T06:14:49.778Z",
"CompliantResourceCount": {
"CapExceeded": false,
"CappedCount": 2
},
"NonCompliantResourceCount": {
"CapExceeded": true,
"CappedCount": 100
}
}
```
+ For API details, see [GetComplianceSummaryByResourceType](https://docs.aws.amazon.com/powershell/v4/reference) in *AWS Tools for PowerShell Cmdlet Reference (V4)*.
**Tools for PowerShell V5**
**Example 1: This sample returns the number of resources that are compliant or noncompliant and converts the output to json.**
```
Get-CFGComplianceSummaryByResourceType -Select ComplianceSummariesByResourceType.ComplianceSummary | ConvertTo-Json
{
"ComplianceSummaryTimestamp": "2019-12-14T06:14:49.778Z",
"CompliantResourceCount": {
"CapExceeded": false,
"CappedCount": 2
},
"NonCompliantResourceCount": {
"CapExceeded": true,
"CappedCount": 100
}
}
```
+ For API details, see [GetComplianceSummaryByResourceType](https://docs.aws.amazon.com/powershell/v5/reference) in *AWS Tools for PowerShell Cmdlet Reference (V5)*.
------
### To get the evaluation results for an AWS resource
The following code examples show how to use `GetComplianceDetailsByResource`.
------
#### [ CLI ]
**AWS CLI**
**To get the evaluation results for an AWS resource**
The following command returns the evaluation results for each rule with which the EC2 instance `i-1a2b3c4d` does not comply:
```
aws configservice get-compliance-details-by-resource --resource-type AWS::EC2::Instance --resource-id i-1a2b3c4d --compliance-types NON_COMPLIANT
```
Output:
```
{
"EvaluationResults": [
{
"EvaluationResultIdentifier": {
"OrderingTimestamp": 1450314635.065,
"EvaluationResultQualifier": {
"ResourceType": "AWS::EC2::Instance",
"ResourceId": "i-1a2b3c4d",
"ConfigRuleName": "InstanceTypesAreT2micro"
}
},
"ResultRecordedTime": 1450314643.288,
"ConfigRuleInvokedTime": 1450314643.034,
"ComplianceType": "NON_COMPLIANT"
},
{
"EvaluationResultIdentifier": {
"OrderingTimestamp": 1450314635.065,
"EvaluationResultQualifier": {
"ResourceType": "AWS::EC2::Instance",
"ResourceId": "i-1a2b3c4d",
"ConfigRuleName": "RequiredTagForEC2Instances"
}
},
"ResultRecordedTime": 1450314645.261,
"ConfigRuleInvokedTime": 1450314642.948,
"ComplianceType": "NON_COMPLIANT"
}
]
}
```
+ For API details, see [GetComplianceDetailsByResource](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/configservice/get-compliance-details-by-resource.html) in *AWS CLI Command Reference*.
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**Example 1: This example evaulation results for the given resource.**
```
Get-CFGComplianceDetailsByResource -ResourceId ABCD5STJ4EFGHIVEW6JAH -ResourceType 'AWS::IAM::User'
```
**Output:**
```
Annotation :
ComplianceType : COMPLIANT
ConfigRuleInvokedTime : 8/25/2019 11:34:56 PM
EvaluationResultIdentifier : Amazon.ConfigService.Model.EvaluationResultIdentifier
ResultRecordedTime : 8/25/2019 11:34:56 PM
ResultToken :
```
+ For API details, see [GetComplianceDetailsByResource](https://docs.aws.amazon.com/powershell/v4/reference) in *AWS Tools for PowerShell Cmdlet Reference (V4)*.
**Tools for PowerShell V5**
**Example 1: This example evaulation results for the given resource.**
```
Get-CFGComplianceDetailsByResource -ResourceId ABCD5STJ4EFGHIVEW6JAH -ResourceType 'AWS::IAM::User'
```
**Output:**
```
Annotation :
ComplianceType : COMPLIANT
ConfigRuleInvokedTime : 8/25/2019 11:34:56 PM
EvaluationResultIdentifier : Amazon.ConfigService.Model.EvaluationResultIdentifier
ResultRecordedTime : 8/25/2019 11:34:56 PM
ResultToken :
```
+ For API details, see [GetComplianceDetailsByResource](https://docs.aws.amazon.com/powershell/v5/reference) in *AWS Tools for PowerShell Cmdlet Reference (V5)*.
------