文件 AWS 開發套件範例 GitHub 儲存庫中有更多可用的 [AWS SDK 範例](https://github.com/awsdocs/aws-doc-sdk-examples)。
本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。
# AWS Config 使用 AWS SDKs程式碼範例
下列程式碼範例示範如何使用 AWS Config 搭配 AWS 軟體開發套件 (SDK)。
*Actions* 是大型程式的程式碼摘錄,必須在內容中執行。雖然動作會告訴您如何呼叫個別服務函數,但您可以在其相關情境中查看內容中的動作。
**其他資源**
+ **[AWS Config 開發人員指南](https://docs.aws.amazon.com/config/latest/developerguide/WhatIsConfig.html)** – 有關 的詳細資訊 AWS Config。
+ **[AWS Config API 參考](https://docs.aws.amazon.com/config/latest/APIReference/Welcome.html)** – 所有可用 AWS Config 動作的詳細資訊。
+ **[AWS 開發人員中心](https://aws.amazon.com/developer/code-examples/?awsf.sdk-code-examples-product=product%23config)** – 您可以依類別或全文搜尋篩選的程式碼範例。
+ **[AWS SDK 範例](https://github.com/awsdocs/aws-doc-sdk-examples)** – GitHub 儲存庫使用慣用語言的完整程式碼。包含設定和執行程式碼的指示。
**Contents**
+ [基本概念](config-service_code_examples_basics.md)
+ [動作](config-service_code_examples_actions.md)
+ [`DeleteConfigRule`](config-service_example_config-service_DeleteConfigRule_section.md)
+ [`DescribeComplianceByConfigRule`](config-service_example_config-service_DescribeComplianceByConfigRule_section.md)
+ [`DescribeComplianceByResource`](config-service_example_config-service_DescribeComplianceByResource_section.md)
+ [`DescribeConfigRuleEvaluationStatus`](config-service_example_config-service_DescribeConfigRuleEvaluationStatus_section.md)
+ [`DescribeConfigRules`](config-service_example_config-service_DescribeConfigRules_section.md)
+ [`DescribeConfigurationRecorderStatus`](config-service_example_config-service_DescribeConfigurationRecorderStatus_section.md)
+ [`DescribeConfigurationRecorders`](config-service_example_config-service_DescribeConfigurationRecorders_section.md)
+ [`DescribeDeliveryChannels`](config-service_example_config-service_DescribeDeliveryChannels_section.md)
+ [`GetComplianceDetailsByConfigRule`](config-service_example_config-service_GetComplianceDetailsByConfigRule_section.md)
+ [`GetComplianceDetailsByResource`](config-service_example_config-service_GetComplianceDetailsByResource_section.md)
+ [`GetComplianceSummaryByConfigRule`](config-service_example_config-service_GetComplianceSummaryByConfigRule_section.md)
+ [`GetComplianceSummaryByResourceType`](config-service_example_config-service_GetComplianceSummaryByResourceType_section.md)
+ [`PutConfigRule`](config-service_example_config-service_PutConfigRule_section.md)
+ [`PutDeliveryChannel`](config-service_example_config-service_PutDeliveryChannel_section.md)
# AWS Config 使用 AWS SDKs的基本範例
下列程式碼範例示範如何 AWS Config 搭配 AWS SDKs 使用 的基本概念。
**Contents**
+ [動作](config-service_code_examples_actions.md)
+ [`DeleteConfigRule`](config-service_example_config-service_DeleteConfigRule_section.md)
+ [`DescribeComplianceByConfigRule`](config-service_example_config-service_DescribeComplianceByConfigRule_section.md)
+ [`DescribeComplianceByResource`](config-service_example_config-service_DescribeComplianceByResource_section.md)
+ [`DescribeConfigRuleEvaluationStatus`](config-service_example_config-service_DescribeConfigRuleEvaluationStatus_section.md)
+ [`DescribeConfigRules`](config-service_example_config-service_DescribeConfigRules_section.md)
+ [`DescribeConfigurationRecorderStatus`](config-service_example_config-service_DescribeConfigurationRecorderStatus_section.md)
+ [`DescribeConfigurationRecorders`](config-service_example_config-service_DescribeConfigurationRecorders_section.md)
+ [`DescribeDeliveryChannels`](config-service_example_config-service_DescribeDeliveryChannels_section.md)
+ [`GetComplianceDetailsByConfigRule`](config-service_example_config-service_GetComplianceDetailsByConfigRule_section.md)
+ [`GetComplianceDetailsByResource`](config-service_example_config-service_GetComplianceDetailsByResource_section.md)
+ [`GetComplianceSummaryByConfigRule`](config-service_example_config-service_GetComplianceSummaryByConfigRule_section.md)
+ [`GetComplianceSummaryByResourceType`](config-service_example_config-service_GetComplianceSummaryByResourceType_section.md)
+ [`PutConfigRule`](config-service_example_config-service_PutConfigRule_section.md)
+ [`PutDeliveryChannel`](config-service_example_config-service_PutDeliveryChannel_section.md)
# AWS Config 使用 AWS SDKs的動作
下列程式碼範例示範如何使用 AWS SDKs執行個別 AWS Config 動作。每個範例均包含 GitHub 的連結,您可以在連結中找到設定和執行程式碼的相關說明。
下列範例僅包含最常使用的動作。如需完整清單,請參閱《[AWS Config API 參考](https://docs.aws.amazon.com/config/latest/APIReference/Welcome.html)》。
**Topics**
+ [`DeleteConfigRule`](config-service_example_config-service_DeleteConfigRule_section.md)
+ [`DescribeComplianceByConfigRule`](config-service_example_config-service_DescribeComplianceByConfigRule_section.md)
+ [`DescribeComplianceByResource`](config-service_example_config-service_DescribeComplianceByResource_section.md)
+ [`DescribeConfigRuleEvaluationStatus`](config-service_example_config-service_DescribeConfigRuleEvaluationStatus_section.md)
+ [`DescribeConfigRules`](config-service_example_config-service_DescribeConfigRules_section.md)
+ [`DescribeConfigurationRecorderStatus`](config-service_example_config-service_DescribeConfigurationRecorderStatus_section.md)
+ [`DescribeConfigurationRecorders`](config-service_example_config-service_DescribeConfigurationRecorders_section.md)
+ [`DescribeDeliveryChannels`](config-service_example_config-service_DescribeDeliveryChannels_section.md)
+ [`GetComplianceDetailsByConfigRule`](config-service_example_config-service_GetComplianceDetailsByConfigRule_section.md)
+ [`GetComplianceDetailsByResource`](config-service_example_config-service_GetComplianceDetailsByResource_section.md)
+ [`GetComplianceSummaryByConfigRule`](config-service_example_config-service_GetComplianceSummaryByConfigRule_section.md)
+ [`GetComplianceSummaryByResourceType`](config-service_example_config-service_GetComplianceSummaryByResourceType_section.md)
+ [`PutConfigRule`](config-service_example_config-service_PutConfigRule_section.md)
+ [`PutDeliveryChannel`](config-service_example_config-service_PutDeliveryChannel_section.md)
# `DeleteConfigRule` 搭配 AWS SDK 或 CLI 使用
下列程式碼範例示範如何使用 `DeleteConfigRule`。
------
#### [ CLI ]
**AWS CLI**
**刪除 Config AWS 規則**
下列命令會刪除名為 的 AWS Config 規則`MyConfigRule`:
```
aws configservice delete-config-rule --config-rule-name MyConfigRule
```
+ 如需 API 詳細資訊,請參閱《AWS CLI 命令參考》**中的 [DeleteConfigRule](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/configservice/delete-config-rule.html)。
------
#### [ Python ]
**適用於 Python 的 SDK (Boto3)**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/config#code-examples)中設定和執行。
```
class ConfigWrapper:
"""
Encapsulates AWS Config functions.
"""
def __init__(self, config_client):
"""
:param config_client: A Boto3 AWS Config client.
"""
self.config_client = config_client
def delete_config_rule(self, rule_name):
"""
Delete the specified rule.
:param rule_name: The name of the rule to delete.
"""
try:
self.config_client.delete_config_rule(ConfigRuleName=rule_name)
logger.info("Deleted rule %s.", rule_name)
except ClientError:
logger.exception("Couldn't delete rule %s.", rule_name)
raise
```
+ 如需 API 詳細資訊,請參閱《*適用於 Python (Boto3) 的AWS 開發套件 API 參考*》中的 [DeleteConfigRule](https://docs.aws.amazon.com/goto/boto3/config-2014-11-12/DeleteConfigRule)。
------
#### [ SAP ABAP ]
**適用於 SAP ABAP 的開發套件**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap/services/cfs#code-examples)中設定和執行。
```
lo_cfs->deleteconfigrule( iv_rule_name ).
MESSAGE 'Deleted AWS Config rule.' TYPE 'I'.
```
+ 如需 API 詳細資訊,請參閱《適用於 *AWS SAP ABAP 的 SDK API 參考*》中的 [DeleteConfigRule](https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/index.html)。
------
# 搭配使用 `DescribeComplianceByConfigRule` 與 CLI
下列程式碼範例示範如何使用 `DescribeComplianceByConfigRule`。
------
#### [ CLI ]
**AWS CLI**
**取得 Config AWS 規則的合規資訊**
下列命令會傳回一或多個 AWS 資源違反的每個 AWS Config 規則的合規資訊:
```
aws configservice describe-compliance-by-config-rule --compliance-types NON_COMPLIANT
```
在輸出中,每個 `CappedCount` 屬性的值表示不符合相關規定的資源數。例如,下列輸出表示有 3 個資源不符合名為 `InstanceTypesAreT2micro` 的規則。
輸出:
```
{
"ComplianceByConfigRules": [
{
"Compliance": {
"ComplianceContributorCount": {
"CappedCount": 3,
"CapExceeded": false
},
"ComplianceType": "NON_COMPLIANT"
},
"ConfigRuleName": "InstanceTypesAreT2micro"
},
{
"Compliance": {
"ComplianceContributorCount": {
"CappedCount": 10,
"CapExceeded": false
},
"ComplianceType": "NON_COMPLIANT"
},
"ConfigRuleName": "RequiredTagsForVolumes"
}
]
}
```
+ 如需 API 詳細資訊,請參閱《AWS CLI 命令參考》**中的 [DescribeComplianceByConfigRule](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/configservice/describe-compliance-by-config-rule.html)。
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**範例 1:此範例會擷取規則 ebs-optimized-instance 的合規詳細資訊,其中並無規則目前適用的評估結果,因此會傳回 INSUFFICIENT\$1DATA**
```
(Get-CFGComplianceByConfigRule -ConfigRuleName ebs-optimized-instance).Compliance
```
**輸出:**
```
ComplianceContributorCount ComplianceType
-------------------------- --------------
INSUFFICIENT_DATA
```
**範例 2:此範例傳回規則 ALB\$1HTTP\$1TO\$1HTTPS\$1REDIRECTION\$1CHECK 的不合規資源數目。**
```
(Get-CFGComplianceByConfigRule -ConfigRuleName ALB_HTTP_TO_HTTPS_REDIRECTION_CHECK -ComplianceType NON_COMPLIANT).Compliance.ComplianceContributorCount
```
**輸出:**
```
CapExceeded CappedCount
----------- -----------
False 2
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V4)》**中的 [DescribeComplianceByConfigRule](https://docs.aws.amazon.com/powershell/v4/reference)。
**Tools for PowerShell V5**
**範例 1:此範例會擷取規則 ebs-optimized-instance 的合規詳細資訊,其中並無規則目前適用的評估結果,因此會傳回 INSUFFICIENT\$1DATA**
```
(Get-CFGComplianceByConfigRule -ConfigRuleName ebs-optimized-instance).Compliance
```
**輸出:**
```
ComplianceContributorCount ComplianceType
-------------------------- --------------
INSUFFICIENT_DATA
```
**範例 2:此範例傳回規則 ALB\$1HTTP\$1TO\$1HTTPS\$1REDIRECTION\$1CHECK 的不合規資源數目。**
```
(Get-CFGComplianceByConfigRule -ConfigRuleName ALB_HTTP_TO_HTTPS_REDIRECTION_CHECK -ComplianceType NON_COMPLIANT).Compliance.ComplianceContributorCount
```
**輸出:**
```
CapExceeded CappedCount
----------- -----------
False 2
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V5)》**中的 [DescribeComplianceByConfigRule](https://docs.aws.amazon.com/powershell/v5/reference)。
------
# 搭配使用 `DescribeComplianceByResource` 與 CLI
下列程式碼範例示範如何使用 `DescribeComplianceByResource`。
------
#### [ CLI ]
**AWS CLI**
**取得 AWS 資源的合規資訊**
下列命令會傳回 Config 所記錄且違反一或多個規則的每個 EC2 AWS 執行個體的合規資訊:
```
aws configservice describe-compliance-by-resource --resource-type AWS::EC2::Instance --compliance-types NON_COMPLIANT
```
在輸出中,每個 `CappedCount` 屬性的值表示資源違反多少規則。例如,下列輸出表示執行個體 `i-1a2b3c4d` 違反 2 個規則。
輸出:
```
{
"ComplianceByResources": [
{
"ResourceType": "AWS::EC2::Instance",
"ResourceId": "i-1a2b3c4d",
"Compliance": {
"ComplianceContributorCount": {
"CappedCount": 2,
"CapExceeded": false
},
"ComplianceType": "NON_COMPLIANT"
}
},
{
"ResourceType": "AWS::EC2::Instance",
"ResourceId": "i-2a2b3c4d ",
"Compliance": {
"ComplianceContributorCount": {
"CappedCount": 3,
"CapExceeded": false
},
"ComplianceType": "NON_COMPLIANT"
}
}
]
}
```
+ 如需 API 詳細資訊,請參閱《AWS CLI 命令參考》**中的 [DescribeComplianceByResource](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/configservice/describe-compliance-by-resource.html)。
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**範例 1:此範例會檢查 'COMPLIANT' 合規類型的 `AWS::SSM::ManagedInstanceInventory` 資源類型。**
```
Get-CFGComplianceByResource -ComplianceType COMPLIANT -ResourceType AWS::SSM::ManagedInstanceInventory
```
**輸出:**
```
Compliance ResourceId ResourceType
---------- ---------- ------------
Amazon.ConfigService.Model.Compliance i-0123bcf4b567890e3 AWS::SSM::ManagedInstanceInventory
Amazon.ConfigService.Model.Compliance i-0a1234f6f5d6b78f7 AWS::SSM::ManagedInstanceInventory
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V4)》**中的 [DescribeComplianceByResource](https://docs.aws.amazon.com/powershell/v4/reference)。
**Tools for PowerShell V5**
**範例 1:此範例會檢查 'COMPLIANT' 合規類型的 `AWS::SSM::ManagedInstanceInventory` 資源類型。**
```
Get-CFGComplianceByResource -ComplianceType COMPLIANT -ResourceType AWS::SSM::ManagedInstanceInventory
```
**輸出:**
```
Compliance ResourceId ResourceType
---------- ---------- ------------
Amazon.ConfigService.Model.Compliance i-0123bcf4b567890e3 AWS::SSM::ManagedInstanceInventory
Amazon.ConfigService.Model.Compliance i-0a1234f6f5d6b78f7 AWS::SSM::ManagedInstanceInventory
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V5)》**中的 [DescribeComplianceByResource](https://docs.aws.amazon.com/powershell/v5/reference)。
------
# 搭配使用 `DescribeConfigRuleEvaluationStatus` 與 CLI
下列程式碼範例示範如何使用 `DescribeConfigRuleEvaluationStatus`。
------
#### [ CLI ]
**AWS CLI**
**取得 Config AWS 規則的狀態資訊**
下列命令會傳回名為 之 AWS Config 規則的狀態資訊`MyConfigRule`:
```
aws configservice describe-config-rule-evaluation-status --config-rule-names MyConfigRule
```
輸出:
```
{
"ConfigRulesEvaluationStatus": [
{
"ConfigRuleArn": "arn:aws:config:us-east-1:123456789012:config-rule/config-rule-abcdef",
"FirstActivatedTime": 1450311703.844,
"ConfigRuleId": "config-rule-abcdef",
"LastSuccessfulInvocationTime": 1450314643.156,
"ConfigRuleName": "MyConfigRule"
}
]
}
```
+ 如需 API 詳細資訊,請參閱《AWS CLI 命令參考》**中的 [DescribeConfigRuleEvaluationStatus](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/configservice/describe-config-rule-evaluation-status.html)。
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**範例 1:此範例傳回給定 Config 規則的狀態資訊。 **
```
Get-CFGConfigRuleEvaluationStatus -ConfigRuleName root-account-mfa-enabled, vpc-flow-logs-enabled
```
**輸出:**
```
ConfigRuleArn : arn:aws:config:eu-west-1:123456789012:config-rule/config-rule-kvq1wk
ConfigRuleId : config-rule-kvq1wk
ConfigRuleName : root-account-mfa-enabled
FirstActivatedTime : 8/27/2019 8:05:17 AM
FirstEvaluationStarted : True
LastErrorCode :
LastErrorMessage :
LastFailedEvaluationTime : 1/1/0001 12:00:00 AM
LastFailedInvocationTime : 1/1/0001 12:00:00 AM
LastSuccessfulEvaluationTime : 12/13/2019 8:12:03 AM
LastSuccessfulInvocationTime : 12/13/2019 8:12:03 AM
ConfigRuleArn : arn:aws:config:eu-west-1:123456789012:config-rule/config-rule-z1s23b
ConfigRuleId : config-rule-z1s23b
ConfigRuleName : vpc-flow-logs-enabled
FirstActivatedTime : 8/14/2019 6:23:44 AM
FirstEvaluationStarted : True
LastErrorCode :
LastErrorMessage :
LastFailedEvaluationTime : 1/1/0001 12:00:00 AM
LastFailedInvocationTime : 1/1/0001 12:00:00 AM
LastSuccessfulEvaluationTime : 12/13/2019 7:12:01 AM
LastSuccessfulInvocationTime : 12/13/2019 7:12:01 AM
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V4)》**中的 [DescribeConfigRuleEvaluationStatus](https://docs.aws.amazon.com/powershell/v4/reference)。
**Tools for PowerShell V5**
**範例 1:此範例傳回給定 Config 規則的狀態資訊。**
```
Get-CFGConfigRuleEvaluationStatus -ConfigRuleName root-account-mfa-enabled, vpc-flow-logs-enabled
```
**輸出:**
```
ConfigRuleArn : arn:aws:config:eu-west-1:123456789012:config-rule/config-rule-kvq1wk
ConfigRuleId : config-rule-kvq1wk
ConfigRuleName : root-account-mfa-enabled
FirstActivatedTime : 8/27/2019 8:05:17 AM
FirstEvaluationStarted : True
LastErrorCode :
LastErrorMessage :
LastFailedEvaluationTime : 1/1/0001 12:00:00 AM
LastFailedInvocationTime : 1/1/0001 12:00:00 AM
LastSuccessfulEvaluationTime : 12/13/2019 8:12:03 AM
LastSuccessfulInvocationTime : 12/13/2019 8:12:03 AM
ConfigRuleArn : arn:aws:config:eu-west-1:123456789012:config-rule/config-rule-z1s23b
ConfigRuleId : config-rule-z1s23b
ConfigRuleName : vpc-flow-logs-enabled
FirstActivatedTime : 8/14/2019 6:23:44 AM
FirstEvaluationStarted : True
LastErrorCode :
LastErrorMessage :
LastFailedEvaluationTime : 1/1/0001 12:00:00 AM
LastFailedInvocationTime : 1/1/0001 12:00:00 AM
LastSuccessfulEvaluationTime : 12/13/2019 7:12:01 AM
LastSuccessfulInvocationTime : 12/13/2019 7:12:01 AM
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V5)》**中的 [DescribeConfigRuleEvaluationStatus](https://docs.aws.amazon.com/powershell/v5/reference)。
------
# `DescribeConfigRules` 搭配 AWS SDK 或 CLI 使用
下列程式碼範例示範如何使用 `DescribeConfigRules`。
------
#### [ CLI ]
**AWS CLI**
**取得 Config AWS 規則的詳細資訊**
下列命令會傳回名為 之 AWS Config 規則的詳細資訊`InstanceTypesAreT2micro`:
```
aws configservice describe-config-rules --config-rule-names InstanceTypesAreT2micro
```
輸出:
```
{
"ConfigRules": [
{
"ConfigRuleState": "ACTIVE",
"Description": "Evaluates whether EC2 instances are the t2.micro type.",
"ConfigRuleName": "InstanceTypesAreT2micro",
"ConfigRuleArn": "arn:aws:config:us-east-1:123456789012:config-rule/config-rule-abcdef",
"Source": {
"Owner": "CUSTOM_LAMBDA",
"SourceIdentifier": "arn:aws:lambda:us-east-1:123456789012:function:InstanceTypeCheck",
"SourceDetails": [
{
"EventSource": "aws.config",
"MessageType": "ConfigurationItemChangeNotification"
}
]
},
"InputParameters": "{\"desiredInstanceType\":\"t2.micro\"}",
"Scope": {
"ComplianceResourceTypes": [
"AWS::EC2::Instance"
]
},
"ConfigRuleId": "config-rule-abcdef"
}
]
}
```
+ 如需 API 詳細資訊,請參閱《AWS CLI 命令參考》**中的 [DescribeConfigRules](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/configservice/describe-config-rules.html)。
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**範例 1:此範例列出具有所選屬性的帳戶 Config 規則。**
```
Get-CFGConfigRule | Select-Object ConfigRuleName, ConfigRuleId, ConfigRuleArn, ConfigRuleState
```
**輸出:**
```
ConfigRuleName ConfigRuleId ConfigRuleArn ConfigRuleState
-------------- ------------ ------------- ---------------
ALB_REDIRECTION_CHECK config-rule-12iyn3 arn:aws:config-service:eu-west-1:123456789012:config-rule/config-rule-12iyn3 ACTIVE
access-keys-rotated config-rule-aospfr arn:aws:config-service:eu-west-1:123456789012:config-rule/config-rule-aospfr ACTIVE
autoscaling-group-elb-healthcheck-required config-rule-cn1f2x arn:aws:config-service:eu-west-1:123456789012:config-rule/config-rule-cn1f2x ACTIVE
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V4)》**中的 [DescribeConfigRules](https://docs.aws.amazon.com/powershell/v4/reference)。
**Tools for PowerShell V5**
**範例 1:此範例列出具有所選屬性的帳戶 Config 規則。**
```
Get-CFGConfigRule | Select-Object ConfigRuleName, ConfigRuleId, ConfigRuleArn, ConfigRuleState
```
**輸出:**
```
ConfigRuleName ConfigRuleId ConfigRuleArn ConfigRuleState
-------------- ------------ ------------- ---------------
ALB_REDIRECTION_CHECK config-rule-12iyn3 arn:aws:config-service:eu-west-1:123456789012:config-rule/config-rule-12iyn3 ACTIVE
access-keys-rotated config-rule-aospfr arn:aws:config-service:eu-west-1:123456789012:config-rule/config-rule-aospfr ACTIVE
autoscaling-group-elb-healthcheck-required config-rule-cn1f2x arn:aws:config-service:eu-west-1:123456789012:config-rule/config-rule-cn1f2x ACTIVE
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V5)》**中的 [DescribeConfigRules](https://docs.aws.amazon.com/powershell/v5/reference)。
------
#### [ Python ]
**適用於 Python 的 SDK (Boto3)**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/config#code-examples)中設定和執行。
```
class ConfigWrapper:
"""
Encapsulates AWS Config functions.
"""
def __init__(self, config_client):
"""
:param config_client: A Boto3 AWS Config client.
"""
self.config_client = config_client
def describe_config_rule(self, rule_name):
"""
Gets data for the specified rule.
:param rule_name: The name of the rule to retrieve.
:return: The rule data.
"""
try:
response = self.config_client.describe_config_rules(
ConfigRuleNames=[rule_name]
)
rule = response["ConfigRules"]
logger.info("Got data for rule %s.", rule_name)
except ClientError:
logger.exception("Couldn't get data for rule %s.", rule_name)
raise
else:
return rule
```
+ 如需 API 詳細資訊,請參閱《*適用於 Python (Boto3) 的AWS 開發套件 API 參考*》中的 [DescribeConfigRules](https://docs.aws.amazon.com/goto/boto3/config-2014-11-12/DescribeConfigRules)。
------
#### [ SAP ABAP ]
**適用於 SAP ABAP 的開發套件**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap/services/cfs#code-examples)中設定和執行。
```
DATA(lo_result) = lo_cfs->describeconfigrules(
it_configrulenames = VALUE /aws1/cl_cfsconfigrulenames_w=>tt_configrulenames(
( NEW /aws1/cl_cfsconfigrulenames_w( iv_rule_name ) )
)
).
ot_cfg_rules = lo_result->get_configrules( ).
MESSAGE 'Retrieved AWS Config rule data.' TYPE 'I'.
```
+ 如需 API 詳細資訊,請參閱《適用於 *AWS SAP ABAP 的 SDK API 參考*》中的 [DescribeConfigRules](https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/index.html)。
------
# 搭配使用 `DescribeConfigurationRecorderStatus` 與 CLI
下列程式碼範例示範如何使用 `DescribeConfigurationRecorderStatus`。
------
#### [ CLI ]
**AWS CLI**
**取得組態記錄器的狀態資訊**
下列命令會傳回預設組態記錄器的狀態:
```
aws configservice describe-configuration-recorder-status
```
輸出:
```
{
"ConfigurationRecordersStatus": [
{
"name": "default",
"lastStatus": "SUCCESS",
"recording": true,
"lastStatusChangeTime": 1452193834.344,
"lastStartTime": 1441039997.819,
"lastStopTime": 1441039992.835
}
]
}
```
+ 如需 API 詳細資訊,請參閱《AWS CLI 命令參考》**中的 [DescribeConfigurationRecorderStatus](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/configservice/describe-configuration-recorder-status.html)。
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**範例 1:此範例傳回組態記錄器的狀態。**
```
Get-CFGConfigurationRecorderStatus
```
**輸出:**
```
LastErrorCode :
LastErrorMessage :
LastStartTime : 10/11/2019 10:13:51 AM
LastStatus : Success
LastStatusChangeTime : 12/31/2019 6:14:12 AM
LastStopTime : 10/11/2019 10:13:46 AM
Name : default
Recording : True
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V4)》**中的 [DescribeConfigurationRecorderStatus](https://docs.aws.amazon.com/powershell/v4/reference)。
**Tools for PowerShell V5**
**範例 1:此範例傳回組態記錄器的狀態。**
```
Get-CFGConfigurationRecorderStatus
```
**輸出:**
```
LastErrorCode :
LastErrorMessage :
LastStartTime : 10/11/2019 10:13:51 AM
LastStatus : Success
LastStatusChangeTime : 12/31/2019 6:14:12 AM
LastStopTime : 10/11/2019 10:13:46 AM
Name : default
Recording : True
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V5)》**中的 [DescribeConfigurationRecorderStatus](https://docs.aws.amazon.com/powershell/v5/reference)。
------
# 搭配使用 `DescribeConfigurationRecorders` 與 CLI
下列程式碼範例示範如何使用 `DescribeConfigurationRecorders`。
------
#### [ CLI ]
**AWS CLI**
**取得組態記錄器的詳細資訊**
下列命令會傳回預設組態記錄器的詳細資訊:
```
aws configservice describe-configuration-recorders
```
輸出:
```
{
"ConfigurationRecorders": [
{
"recordingGroup": {
"allSupported": true,
"resourceTypes": [],
"includeGlobalResourceTypes": true
},
"roleARN": "arn:aws:iam::123456789012:role/config-ConfigRole-A1B2C3D4E5F6",
"name": "default"
}
]
}
```
+ 如需 API 詳細資訊,請參閱《AWS CLI 命令參考》**中的 [DescribeConfigurationRecorders](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/configservice/describe-configuration-recorders.html)。
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**範例 1:此範例傳回組態記錄器的詳細資訊。**
```
Get-CFGConfigurationRecorder | Format-List
```
**輸出:**
```
Name : default
RecordingGroup : Amazon.ConfigService.Model.RecordingGroup
RoleARN : arn:aws:iam::123456789012:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V4)》**中的 [DescribeConfigurationRecorders](https://docs.aws.amazon.com/powershell/v4/reference)。
**Tools for PowerShell V5**
**範例 1:此範例傳回組態記錄器的詳細資訊。**
```
Get-CFGConfigurationRecorder | Format-List
```
**輸出:**
```
Name : default
RecordingGroup : Amazon.ConfigService.Model.RecordingGroup
RoleARN : arn:aws:iam::123456789012:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V5)》**中的 [DescribeConfigurationRecorders](https://docs.aws.amazon.com/powershell/v5/reference)。
------
# 搭配使用 `DescribeDeliveryChannels` 與 CLI
下列程式碼範例示範如何使用 `DescribeDeliveryChannels`。
------
#### [ CLI ]
**AWS CLI**
**取得交付管道的詳細資訊**
下列命令會傳回有關交付管道的詳細資訊:
```
aws configservice describe-delivery-channels
```
輸出:
```
{
"DeliveryChannels": [
{
"snsTopicARN": "arn:aws:sns:us-east-1:123456789012:config-topic",
"name": "default",
"s3BucketName": "config-bucket-123456789012"
}
]
}
```
+ 如需 API 詳細資訊,請參閱《AWS CLI 命令參考》**中的 [DescribeDeliveryChannels](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/configservice/describe-delivery-channels.html)。
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**範例 1:此範例會擷取區域的交付管道,並顯示詳細資訊。**
```
Get-CFGDeliveryChannel -Region eu-west-1 | Select-Object Name, S3BucketName, S3KeyPrefix, @{N="DeliveryFrequency";E={$_.ConfigSnapshotDeliveryProperties.DeliveryFrequency}}
```
**輸出:**
```
Name S3BucketName S3KeyPrefix DeliveryFrequency
---- ------------ ----------- -----------------
default config-bucket-NA my TwentyFour_Hours
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V4)》**中的 [DescribeDeliveryChannels](https://docs.aws.amazon.com/powershell/v4/reference)。
**Tools for PowerShell V5**
**範例 1:此範例會擷取區域的交付管道,並顯示詳細資訊。**
```
Get-CFGDeliveryChannel -Region eu-west-1 | Select-Object Name, S3BucketName, S3KeyPrefix, @{N="DeliveryFrequency";E={$_.ConfigSnapshotDeliveryProperties.DeliveryFrequency}}
```
**輸出:**
```
Name S3BucketName S3KeyPrefix DeliveryFrequency
---- ------------ ----------- -----------------
default config-bucket-NA my TwentyFour_Hours
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V5)》**中的 [DescribeDeliveryChannels](https://docs.aws.amazon.com/powershell/v5/reference)。
------
# 搭配使用 `GetComplianceDetailsByConfigRule` 與 CLI
下列程式碼範例示範如何使用 `GetComplianceDetailsByConfigRule`。
------
#### [ CLI ]
**AWS CLI**
**取得 Config AWS 規則的評估結果**
下列命令會傳回不符合名為 之 AWS Config 規則的所有資源的評估結果`InstanceTypesAreT2micro`:
```
aws configservice get-compliance-details-by-config-rule --config-rule-name InstanceTypesAreT2micro --compliance-types NON_COMPLIANT
```
輸出:
```
{
"EvaluationResults": [
{
"EvaluationResultIdentifier": {
"OrderingTimestamp": 1450314635.065,
"EvaluationResultQualifier": {
"ResourceType": "AWS::EC2::Instance",
"ResourceId": "i-1a2b3c4d",
"ConfigRuleName": "InstanceTypesAreT2micro"
}
},
"ResultRecordedTime": 1450314645.261,
"ConfigRuleInvokedTime": 1450314642.948,
"ComplianceType": "NON_COMPLIANT"
},
{
"EvaluationResultIdentifier": {
"OrderingTimestamp": 1450314635.065,
"EvaluationResultQualifier": {
"ResourceType": "AWS::EC2::Instance",
"ResourceId": "i-2a2b3c4d",
"ConfigRuleName": "InstanceTypesAreT2micro"
}
},
"ResultRecordedTime": 1450314645.18,
"ConfigRuleInvokedTime": 1450314642.902,
"ComplianceType": "NON_COMPLIANT"
},
{
"EvaluationResultIdentifier": {
"OrderingTimestamp": 1450314635.065,
"EvaluationResultQualifier": {
"ResourceType": "AWS::EC2::Instance",
"ResourceId": "i-3a2b3c4d",
"ConfigRuleName": "InstanceTypesAreT2micro"
}
},
"ResultRecordedTime": 1450314643.346,
"ConfigRuleInvokedTime": 1450314643.124,
"ComplianceType": "NON_COMPLIANT"
}
]
}
```
+ 如需 API 詳細資訊,請參閱《*AWS CLI 命令參考*》中的 [GetComplianceDetailsByConfigRule](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/configservice/get-compliance-details-by-config-rule.html)。
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**範例 1:此範例會取得規則 access-keys-rotated 的評估結果,並傳回依 compliance-type 分組的輸出**
```
Get-CFGComplianceDetailsByConfigRule -ConfigRuleName access-keys-rotated | Group-Object ComplianceType
```
**輸出:**
```
Count Name Group
----- ---- -----
2 COMPLIANT {Amazon.ConfigService.Model.EvaluationResult, Amazon.ConfigService.Model.EvaluationResult}
5 NON_COMPLIANT {Amazon.ConfigService.Model.EvaluationResult, Amazon.ConfigService.Model.EvaluationResult, Amazon.ConfigService.Model.EvaluationRes...
```
**範例 2:此範例會查詢 COMPLIANT 資源之 access-keys-rotated 規則的合規詳細資訊。**
```
Get-CFGComplianceDetailsByConfigRule -ConfigRuleName access-keys-rotated -ComplianceType COMPLIANT | ForEach-Object {$_.EvaluationResultIdentifier.EvaluationResultQualifier}
```
**輸出:**
```
ConfigRuleName ResourceId ResourceType
-------------- ---------- ------------
access-keys-rotated BCAB1CDJ2LITAPVEW3JAH AWS::IAM::User
access-keys-rotated BCAB1CDJ2LITL3EHREM4Q AWS::IAM::User
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V4)》**中的 [GetComplianceDetailsByConfigRule](https://docs.aws.amazon.com/powershell/v4/reference)。
**Tools for PowerShell V5**
**範例 1:此範例會取得規則 access-keys-rotated 的評估結果,並傳回依 compliance-type 分組的輸出**
```
Get-CFGComplianceDetailsByConfigRule -ConfigRuleName access-keys-rotated | Group-Object ComplianceType
```
**輸出:**
```
Count Name Group
----- ---- -----
2 COMPLIANT {Amazon.ConfigService.Model.EvaluationResult, Amazon.ConfigService.Model.EvaluationResult}
5 NON_COMPLIANT {Amazon.ConfigService.Model.EvaluationResult, Amazon.ConfigService.Model.EvaluationResult, Amazon.ConfigService.Model.EvaluationRes...
```
**範例 2:此範例會查詢 COMPLIANT 資源之 access-keys-rotated 規則的合規詳細資訊。**
```
Get-CFGComplianceDetailsByConfigRule -ConfigRuleName access-keys-rotated -ComplianceType COMPLIANT | ForEach-Object {$_.EvaluationResultIdentifier.EvaluationResultQualifier}
```
**輸出:**
```
ConfigRuleName ResourceId ResourceType
-------------- ---------- ------------
access-keys-rotated BCAB1CDJ2LITAPVEW3JAH AWS::IAM::User
access-keys-rotated BCAB1CDJ2LITL3EHREM4Q AWS::IAM::User
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V5)》**中的 [GetComplianceDetailsByConfigRule](https://docs.aws.amazon.com/powershell/v5/reference)。
------
# 搭配使用 `GetComplianceDetailsByResource` 與 CLI
下列程式碼範例示範如何使用 `GetComplianceDetailsByResource`。
------
#### [ CLI ]
**AWS CLI**
**取得 AWS 資源的評估結果**
下列命令會傳回 EC2 執行個體 `i-1a2b3c4d` 未遵守之每個規則的評估結果:
```
aws configservice get-compliance-details-by-resource --resource-type AWS::EC2::Instance --resource-id i-1a2b3c4d --compliance-types NON_COMPLIANT
```
輸出:
```
{
"EvaluationResults": [
{
"EvaluationResultIdentifier": {
"OrderingTimestamp": 1450314635.065,
"EvaluationResultQualifier": {
"ResourceType": "AWS::EC2::Instance",
"ResourceId": "i-1a2b3c4d",
"ConfigRuleName": "InstanceTypesAreT2micro"
}
},
"ResultRecordedTime": 1450314643.288,
"ConfigRuleInvokedTime": 1450314643.034,
"ComplianceType": "NON_COMPLIANT"
},
{
"EvaluationResultIdentifier": {
"OrderingTimestamp": 1450314635.065,
"EvaluationResultQualifier": {
"ResourceType": "AWS::EC2::Instance",
"ResourceId": "i-1a2b3c4d",
"ConfigRuleName": "RequiredTagForEC2Instances"
}
},
"ResultRecordedTime": 1450314645.261,
"ConfigRuleInvokedTime": 1450314642.948,
"ComplianceType": "NON_COMPLIANT"
}
]
}
```
+ 如需 API 詳細資訊,請參閱《AWS CLI 命令參考》**中的 [GetComplianceDetailsByResource](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/configservice/get-compliance-details-by-resource.html)。
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**範例 1:此範例會評估給定資源的結果。**
```
Get-CFGComplianceDetailsByResource -ResourceId ABCD5STJ4EFGHIVEW6JAH -ResourceType 'AWS::IAM::User'
```
**輸出:**
```
Annotation :
ComplianceType : COMPLIANT
ConfigRuleInvokedTime : 8/25/2019 11:34:56 PM
EvaluationResultIdentifier : Amazon.ConfigService.Model.EvaluationResultIdentifier
ResultRecordedTime : 8/25/2019 11:34:56 PM
ResultToken :
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V4)》**中的 [GetComplianceDetailsByResource](https://docs.aws.amazon.com/powershell/v4/reference)。
**Tools for PowerShell V5**
**範例 1:此範例會評估給定資源的結果。**
```
Get-CFGComplianceDetailsByResource -ResourceId ABCD5STJ4EFGHIVEW6JAH -ResourceType 'AWS::IAM::User'
```
**輸出:**
```
Annotation :
ComplianceType : COMPLIANT
ConfigRuleInvokedTime : 8/25/2019 11:34:56 PM
EvaluationResultIdentifier : Amazon.ConfigService.Model.EvaluationResultIdentifier
ResultRecordedTime : 8/25/2019 11:34:56 PM
ResultToken :
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V5)》**中的 [GetComplianceDetailsByResource](https://docs.aws.amazon.com/powershell/v5/reference)。
------
# 搭配使用 `GetComplianceSummaryByConfigRule` 與 CLI
下列程式碼範例示範如何使用 `GetComplianceSummaryByConfigRule`。
------
#### [ CLI ]
**AWS CLI**
**取得 Config AWS 規則的合規摘要**
以下命令傳回符合規則的數量,以及不符合規則的數量:
```
aws configservice get-compliance-summary-by-config-rule
```
在輸出中,每個 `CappedCount` 屬性的值會表示遵守或未遵守的規則數量。
輸出:
```
{
"ComplianceSummary": {
"NonCompliantResourceCount": {
"CappedCount": 3,
"CapExceeded": false
},
"ComplianceSummaryTimestamp": 1452204131.493,
"CompliantResourceCount": {
"CappedCount": 2,
"CapExceeded": false
}
}
}
```
+ 如需 API 詳細資訊,請參閱《*AWS CLI 命令參考*》中的 [GetComplianceSummaryByConfigRule](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/configservice/get-compliance-summary-by-config-rule.html)。
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**範例 1:此範例傳回不合規的 Config 規則數目。**
```
Get-CFGComplianceSummaryByConfigRule -Select ComplianceSummary.NonCompliantResourceCount
```
**輸出:**
```
CapExceeded CappedCount
----------- -----------
False 9
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V4)》**中的 [GetComplianceSummaryByConfigRule](https://docs.aws.amazon.com/powershell/v4/reference)。
**Tools for PowerShell V5**
**範例 1:此範例傳回不合規的 Config 規則數目。**
```
Get-CFGComplianceSummaryByConfigRule -Select ComplianceSummary.NonCompliantResourceCount
```
**輸出:**
```
CapExceeded CappedCount
----------- -----------
False 9
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V5)》**中的 [GetComplianceSummaryByConfigRule](https://docs.aws.amazon.com/powershell/v5/reference)。
------
# 搭配使用 `GetComplianceSummaryByResourceType` 與 CLI
下列程式碼範例示範如何使用 `GetComplianceSummaryByResourceType`。
------
#### [ CLI ]
**AWS CLI**
**取得所有資源類型的合規摘要**
下列命令會傳回不合規 AWS 的資源數目,以及合規的數目:
```
aws configservice get-compliance-summary-by-resource-type
```
在輸出中,每個 `CappedCount` 屬性的值表示有多少資源合規或不合規。
輸出:
```
{
"ComplianceSummariesByResourceType": [
{
"ComplianceSummary": {
"NonCompliantResourceCount": {
"CappedCount": 16,
"CapExceeded": false
},
"ComplianceSummaryTimestamp": 1453237464.543,
"CompliantResourceCount": {
"CappedCount": 10,
"CapExceeded": false
}
}
}
]
}
```
**取得特定資源類型的合規摘要**
以下命令傳回不合規的 EC2 執行個體數目,以及合規的數目:
```
aws configservice get-compliance-summary-by-resource-type --resource-types AWS::EC2::Instance
```
在輸出中,每個 `CappedCount` 屬性的值表示有多少資源合規或不合規。
輸出:
```
{
"ComplianceSummariesByResourceType": [
{
"ResourceType": "AWS::EC2::Instance",
"ComplianceSummary": {
"NonCompliantResourceCount": {
"CappedCount": 3,
"CapExceeded": false
},
"ComplianceSummaryTimestamp": 1452204923.518,
"CompliantResourceCount": {
"CappedCount": 7,
"CapExceeded": false
}
}
}
]
}
```
+ 如需 API 詳細資訊,請參閱《*AWS CLI 命令參考*》中的 [GetComplianceSummaryByResourceType](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/configservice/get-compliance-summary-by-resource-type.html)。
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**範例 1:此範例傳回合規或不合規的資源數目,並將輸出轉換為 json。**
```
Get-CFGComplianceSummaryByResourceType -Select ComplianceSummariesByResourceType.ComplianceSummary | ConvertTo-Json
{
"ComplianceSummaryTimestamp": "2019-12-14T06:14:49.778Z",
"CompliantResourceCount": {
"CapExceeded": false,
"CappedCount": 2
},
"NonCompliantResourceCount": {
"CapExceeded": true,
"CappedCount": 100
}
}
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V4)》**中的 [GetComplianceSummaryByResourceType](https://docs.aws.amazon.com/powershell/v4/reference)。
**Tools for PowerShell V5**
**範例 1:此範例傳回合規或不合規的資源數目,並將輸出轉換為 json。**
```
Get-CFGComplianceSummaryByResourceType -Select ComplianceSummariesByResourceType.ComplianceSummary | ConvertTo-Json
{
"ComplianceSummaryTimestamp": "2019-12-14T06:14:49.778Z",
"CompliantResourceCount": {
"CapExceeded": false,
"CappedCount": 2
},
"NonCompliantResourceCount": {
"CapExceeded": true,
"CappedCount": 100
}
}
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V5)》**中的 [GetComplianceSummaryByResourceType](https://docs.aws.amazon.com/powershell/v5/reference)。
------
# `PutConfigRule` 搭配 AWS SDK 或 CLI 使用
下列程式碼範例示範如何使用 `PutConfigRule`。
------
#### [ CLI ]
**AWS CLI**
**新增 AWS 受管 Config 規則**
下列命令提供 JSON 程式碼來新增 AWS 受管 Config 規則:
```
aws configservice put-config-rule --config-rule file://RequiredTagsForEC2Instances.json
```
`RequiredTagsForEC2Instances.json` 是包含規則組態的 JSON 檔案:
```
{
"ConfigRuleName": "RequiredTagsForEC2Instances",
"Description": "Checks whether the CostCenter and Owner tags are applied to EC2 instances.",
"Scope": {
"ComplianceResourceTypes": [
"AWS::EC2::Instance"
]
},
"Source": {
"Owner": "AWS",
"SourceIdentifier": "REQUIRED_TAGS"
},
"InputParameters": "{\"tag1Key\":\"CostCenter\",\"tag2Key\":\"Owner\"}"
}
```
對於 `ComplianceResourceTypes` 屬性,此 JSON 程式碼會將範圍限制為 `AWS::EC2::Instance`類型的資源,因此 AWS Config 只會針對規則評估 EC2 執行個體。由於規則是受管規則,`Owner` 屬性會設為 `AWS`,而 `SourceIdentifier` 屬性則設為規則識別碼 `REQUIRED_TAGS`。針對 `InputParameters` 屬性,會指定規則需要的標籤索引鍵 `CostCenter` 和 `Owner`。
如果命令成功, AWS Config 不會傳回任何輸出。若要驗證規則組態,請執行 describe-config-rules 命令,並指定規則名稱。
**新增客戶管理的 Config 規則**
下列命令提供 JSON 程式碼,以新增客戶管理的 Config 規則:
```
aws configservice put-config-rule --config-rule file://InstanceTypesAreT2micro.json
```
`InstanceTypesAreT2micro.json` 是包含規則組態的 JSON 檔案:
```
{
"ConfigRuleName": "InstanceTypesAreT2micro",
"Description": "Evaluates whether EC2 instances are the t2.micro type.",
"Scope": {
"ComplianceResourceTypes": [
"AWS::EC2::Instance"
]
},
"Source": {
"Owner": "CUSTOM_LAMBDA",
"SourceIdentifier": "arn:aws:lambda:us-east-1:123456789012:function:InstanceTypeCheck",
"SourceDetails": [
{
"EventSource": "aws.config",
"MessageType": "ConfigurationItemChangeNotification"
}
]
},
"InputParameters": "{\"desiredInstanceType\":\"t2.micro\"}"
}
```
對於 `ComplianceResourceTypes` 屬性,此 JSON 程式碼會將範圍限制為 `AWS::EC2::Instance`類型的資源,因此 AWS Config 只會針對規則評估 EC2 執行個體。由於此規則是客戶受管規則,`Owner`屬性設定為 `CUSTOM_LAMBDA`,而`SourceIdentifier`屬性設定為 AWS Lambda 函數的 ARN。`SourceDetails` 物件為必要項目。當 Config 調用屬性來根據規則評估資源時,為 `InputParameters` 屬性指定的參數會傳遞至 AWS Lambda AWS 函數。
如果命令成功, AWS Config 不會傳回任何輸出。若要驗證規則組態,請執行 describe-config-rules 命令,並指定規則名稱。
+ 如需 API 詳細資訊,請參閱《AWS CLI 命令參考》**中的 [PutConfigRule](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/configservice/put-config-rule.html)。
------
#### [ Python ]
**適用於 Python 的 SDK (Boto3)**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/config#code-examples)中設定和執行。
```
class ConfigWrapper:
"""
Encapsulates AWS Config functions.
"""
def __init__(self, config_client):
"""
:param config_client: A Boto3 AWS Config client.
"""
self.config_client = config_client
def put_config_rule(self, rule_name):
"""
Sets a configuration rule that prohibits making Amazon S3 buckets publicly
readable.
:param rule_name: The name to give the rule.
"""
try:
self.config_client.put_config_rule(
ConfigRule={
"ConfigRuleName": rule_name,
"Description": "S3 Public Read Prohibited Bucket Rule",
"Scope": {
"ComplianceResourceTypes": [
"AWS::S3::Bucket",
],
},
"Source": {
"Owner": "AWS",
"SourceIdentifier": "S3_BUCKET_PUBLIC_READ_PROHIBITED",
},
"InputParameters": "{}",
"ConfigRuleState": "ACTIVE",
}
)
logger.info("Created configuration rule %s.", rule_name)
except ClientError:
logger.exception("Couldn't create configuration rule %s.", rule_name)
raise
```
+ 如需 API 詳細資訊,請參閱《*適用於 Python (Boto3) 的AWS 開發套件 API 參考*》中的 [PutConfigRule](https://docs.aws.amazon.com/goto/boto3/config-2014-11-12/PutConfigRule)。
------
#### [ SAP ABAP ]
**適用於 SAP ABAP 的開發套件**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap/services/cfs#code-examples)中設定和執行。
```
" Create a config rule for S3 bucket public read prohibition
lo_cfs->putconfigrule(
io_configrule = NEW /aws1/cl_cfsconfigrule(
iv_configrulename = iv_rule_name
iv_description = |S3 Public Read Prohibited Bucket Rule|
io_scope = NEW /aws1/cl_cfsscope(
it_complianceresourcetypes = VALUE /aws1/cl_cfscplncresrctypes_w=>tt_complianceresourcetypes(
( NEW /aws1/cl_cfscplncresrctypes_w( |AWS::S3::Bucket| ) )
)
)
io_source = NEW /aws1/cl_cfssource(
iv_owner = |AWS|
iv_sourceidentifier = |S3_BUCKET_PUBLIC_READ_PROHIBITED|
)
iv_inputparameters = '{}'
iv_configrulestate = |ACTIVE|
)
).
MESSAGE 'Created AWS Config rule.' TYPE 'I'.
```
+ 如需 API 詳細資訊,請參閱《適用於 *AWS SAP ABAP 的 SDK API 參考*》中的 [PutConfigRule](https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/index.html)。
------
# 搭配使用 `PutDeliveryChannel` 與 CLI
下列程式碼範例示範如何使用 `PutDeliveryChannel`。
------
#### [ CLI ]
**AWS CLI**
**建立交付管道**
下列命令會以 JSON 程式碼的形式提供交付管道的設定:
```
aws configservice put-delivery-channel --delivery-channel file://deliveryChannel.json
```
`deliveryChannel.json` 檔案指定交付管道屬性:
```
{
"name": "default",
"s3BucketName": "config-bucket-123456789012",
"snsTopicARN": "arn:aws:sns:us-east-1:123456789012:config-topic",
"configSnapshotDeliveryProperties": {
"deliveryFrequency": "Twelve_Hours"
}
}
```
此範例會設定下列屬性:
`name` – 交付管道的名稱。根據預設, AWS Config 會將名稱指派給`default`新的交付管道。您無法使用 `put-delivery-channel`命令更新交付管道名稱。如需變更名稱的步驟,請參閱重新命名交付管道。`s3BucketName`- Config AWS 交付組態快照和組態歷史記錄檔案的 Amazon S3 儲存貯體名稱。如果您指定屬於另一個 AWS 帳戶的儲存貯體,則該儲存貯體必須具有將存取許可授予 AWS Config 的政策。如需詳細資訊,請參閱《Amazon S3 儲存貯體許可》。
`snsTopicARN` - 組態傳送組態變更通知的 Amazon SNS 主題的 Amazon Resource Name (ARN)。如果您從另一個帳戶選擇主題,該主題必須具有授予 Config AWS 存取許可的政策。 AWS 如需詳細資訊,請參閱 Amazon SNS 主題的許可。
`configSnapshotDeliveryProperties` - 包含 `deliveryFrequency` 屬性,這會設定 Config AWS 交付組態快照的頻率,以及叫用定期 Config 規則評估的頻率。
如果命令成功, AWS Config 不會傳回任何輸出。若要驗證交付管道的設定,請執行 describe-delivery-channels 命令。
+ 如需 API 詳細資訊,請參閱《AWS CLI 命令參考》**中的 [PutDeliveryChannel](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/configservice/put-delivery-channel.html)。
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**範例 1:此範例會變更現有交付管道的 deliveryFrequency 屬性。**
```
Write-CFGDeliveryChannel -ConfigSnapshotDeliveryProperties_DeliveryFrequency TwentyFour_Hours -DeliveryChannelName default -DeliveryChannel_S3BucketName amzn-s3-demo-bucket -DeliveryChannel_S3KeyPrefix my
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V4)》**中的 [PutDeliveryChannel](https://docs.aws.amazon.com/powershell/v4/reference)。
**Tools for PowerShell V5**
**範例 1:此範例會變更現有交付管道的 deliveryFrequency 屬性。**
```
Write-CFGDeliveryChannel -ConfigSnapshotDeliveryProperties_DeliveryFrequency TwentyFour_Hours -DeliveryChannelName default -DeliveryChannel_S3BucketName amzn-s3-demo-bucket -DeliveryChannel_S3KeyPrefix my
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V5)》**中的 [PutDeliveryChannel](https://docs.aws.amazon.com/powershell/v5/reference)。
------