本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。
# 檢視 AWS Config 規則的詳細資訊和合規資訊
**重要**
若要準確報告合規狀態,您必須記錄 `AWS::Config::ResourceCompliance` 資源類型。如需詳細資訊,請參閱[錄製 AWS 資源](https://docs.aws.amazon.com/config/latest/developerguide/select-resources.html)。
您可以使用 AWS Config 主控台或 AWS SDKs來檢視您的規則。
**Topics**
+ [使用主控台](#evaluate-config_view-rules-console)
+ [使用 AWS SDKs](#evaluate-config_view-rules-cli)
## 檢視規則 (主控台)
**規則** 頁面會在表格中顯示您的規則和其目前的合規結果。每個規則的結果都是**評估...**,直到 AWS Config 完成針對規則評估您的資源為止。您可以使用重新整理按鈕來更新結果。評估 AWS Config 完成後,您可以看到合規或不合規的規則和資源類型。如需詳細資訊,請參閱[使用 檢視 AWS 資源的合規資訊和評估結果 AWS Config](evaluate-config_view-compliance.md)。
**注意**
AWS Config 只會評估正在記錄的資源類型。例如,如果您新增**啟用 cloudtrail 的**規則,但未記錄 CloudTrail 追蹤資源類型,則 AWS Config 無法評估您帳戶中的追蹤是否合規。如需詳細資訊,請參閱[使用 錄製 AWS 資源 AWS Config考量事項](select-resources.md)。
### 檢視規則
**檢視您的規則**
1. 登入 AWS 管理主控台 ,並在 https://[https://console.aws.amazon.com/config/home](https://console.aws.amazon.com/config/home) 開啟 AWS Config 主控台。
1. 在 AWS 管理主控台 選單中,確認區域選擇器已設定為支援 AWS Config 規則的區域。如需支援區域的清單,請參閱《*Amazon Web Services 一般參考*》中的 [AWS Config 區域與端點](https://docs.aws.amazon.com/general/latest/gr/rande.html#awsconfig_region)。
1. 在左側導覽中,選擇 **規則**。
1. **規則**頁面會顯示目前在您 中的所有規則 AWS 帳戶。其會列出每個規則的名稱、相關聯的修復動作和合規狀態。
+ 選擇 **Add rule (新增規則)** 以開始建立規則。
+ 請選擇規則以查看其設定,或選擇規則及 **檢視詳細資訊**。
+ 當規則評估您的資源時,查看規則的合規狀態。
+ 選擇規則,然後選擇 **編輯規則** 以變更規則的組態設定,並為不合規的規則設定修復動作。
## 檢視規則 (AWS SDKs)
### 檢視規則的詳細資訊
下列程式碼範例示範如何使用 `DescribeConfigRules`。
------
#### [ CLI ]
**AWS CLI**
**取得 Config AWS 規則的詳細資訊**
下列命令會傳回名為 之 AWS Config 規則的詳細資訊`InstanceTypesAreT2micro`:
```
aws configservice describe-config-rules --config-rule-names InstanceTypesAreT2micro
```
輸出:
```
{
"ConfigRules": [
{
"ConfigRuleState": "ACTIVE",
"Description": "Evaluates whether EC2 instances are the t2.micro type.",
"ConfigRuleName": "InstanceTypesAreT2micro",
"ConfigRuleArn": "arn:aws:config:us-east-1:123456789012:config-rule/config-rule-abcdef",
"Source": {
"Owner": "CUSTOM_LAMBDA",
"SourceIdentifier": "arn:aws:lambda:us-east-1:123456789012:function:InstanceTypeCheck",
"SourceDetails": [
{
"EventSource": "aws.config",
"MessageType": "ConfigurationItemChangeNotification"
}
]
},
"InputParameters": "{\"desiredInstanceType\":\"t2.micro\"}",
"Scope": {
"ComplianceResourceTypes": [
"AWS::EC2::Instance"
]
},
"ConfigRuleId": "config-rule-abcdef"
}
]
}
```
+ 如需 API 詳細資訊,請參閱《AWS CLI 命令參考》**中的 [DescribeConfigRules](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/configservice/describe-config-rules.html)。
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**範例 1:此範例列出具有所選屬性的帳戶 Config 規則。**
```
Get-CFGConfigRule | Select-Object ConfigRuleName, ConfigRuleId, ConfigRuleArn, ConfigRuleState
```
**輸出:**
```
ConfigRuleName ConfigRuleId ConfigRuleArn ConfigRuleState
-------------- ------------ ------------- ---------------
ALB_REDIRECTION_CHECK config-rule-12iyn3 arn:aws:config-service:eu-west-1:123456789012:config-rule/config-rule-12iyn3 ACTIVE
access-keys-rotated config-rule-aospfr arn:aws:config-service:eu-west-1:123456789012:config-rule/config-rule-aospfr ACTIVE
autoscaling-group-elb-healthcheck-required config-rule-cn1f2x arn:aws:config-service:eu-west-1:123456789012:config-rule/config-rule-cn1f2x ACTIVE
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V4)》**中的 [DescribeConfigRules](https://docs.aws.amazon.com/powershell/v4/reference)。
**Tools for PowerShell V5**
**範例 1:此範例列出具有所選屬性的帳戶 Config 規則。**
```
Get-CFGConfigRule | Select-Object ConfigRuleName, ConfigRuleId, ConfigRuleArn, ConfigRuleState
```
**輸出:**
```
ConfigRuleName ConfigRuleId ConfigRuleArn ConfigRuleState
-------------- ------------ ------------- ---------------
ALB_REDIRECTION_CHECK config-rule-12iyn3 arn:aws:config-service:eu-west-1:123456789012:config-rule/config-rule-12iyn3 ACTIVE
access-keys-rotated config-rule-aospfr arn:aws:config-service:eu-west-1:123456789012:config-rule/config-rule-aospfr ACTIVE
autoscaling-group-elb-healthcheck-required config-rule-cn1f2x arn:aws:config-service:eu-west-1:123456789012:config-rule/config-rule-cn1f2x ACTIVE
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V5)》**中的 [DescribeConfigRules](https://docs.aws.amazon.com/powershell/v5/reference)。
------
#### [ Python ]
**適用於 Python 的 SDK (Boto3)**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/config#code-examples)中設定和執行。
```
class ConfigWrapper:
"""
Encapsulates AWS Config functions.
"""
def __init__(self, config_client):
"""
:param config_client: A Boto3 AWS Config client.
"""
self.config_client = config_client
def describe_config_rule(self, rule_name):
"""
Gets data for the specified rule.
:param rule_name: The name of the rule to retrieve.
:return: The rule data.
"""
try:
response = self.config_client.describe_config_rules(
ConfigRuleNames=[rule_name]
)
rule = response["ConfigRules"]
logger.info("Got data for rule %s.", rule_name)
except ClientError:
logger.exception("Couldn't get data for rule %s.", rule_name)
raise
else:
return rule
```
+ 如需 API 詳細資訊,請參閱《*適用於 Python (Boto3) 的AWS 開發套件 API 參考*》中的 [DescribeConfigRules](https://docs.aws.amazon.com/goto/boto3/config-2014-11-12/DescribeConfigRules)。
------
#### [ SAP ABAP ]
**適用於 SAP ABAP 的開發套件**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap/services/cfs#code-examples)中設定和執行。
```
DATA(lo_result) = lo_cfs->describeconfigrules(
it_configrulenames = VALUE /aws1/cl_cfsconfigrulenames_w=>tt_configrulenames(
( NEW /aws1/cl_cfsconfigrulenames_w( iv_rule_name ) )
)
).
ot_cfg_rules = lo_result->get_configrules( ).
MESSAGE 'Retrieved AWS Config rule data.' TYPE 'I'.
```
+ 如需 API 詳細資訊,請參閱《適用於 *AWS SAP ABAP 的 SDK API 參考*》中的 [DescribeConfigRules](https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/index.html)。
------
### 檢視規則的合規資訊
下列程式碼範例示範如何使用 `DescribeComplianceByConfigRule`。
------
#### [ CLI ]
**AWS CLI**
**取得 Config AWS 規則的合規資訊**
下列命令會傳回一或多個 AWS 資源違反的每個 AWS Config 規則的合規資訊:
```
aws configservice describe-compliance-by-config-rule --compliance-types NON_COMPLIANT
```
在輸出中,每個 `CappedCount` 屬性的值表示不符合相關規定的資源數。例如,下列輸出表示有 3 個資源不符合名為 `InstanceTypesAreT2micro` 的規則。
輸出:
```
{
"ComplianceByConfigRules": [
{
"Compliance": {
"ComplianceContributorCount": {
"CappedCount": 3,
"CapExceeded": false
},
"ComplianceType": "NON_COMPLIANT"
},
"ConfigRuleName": "InstanceTypesAreT2micro"
},
{
"Compliance": {
"ComplianceContributorCount": {
"CappedCount": 10,
"CapExceeded": false
},
"ComplianceType": "NON_COMPLIANT"
},
"ConfigRuleName": "RequiredTagsForVolumes"
}
]
}
```
+ 如需 API 詳細資訊,請參閱《AWS CLI 命令參考》**中的 [DescribeComplianceByConfigRule](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/configservice/describe-compliance-by-config-rule.html)。
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**範例 1:此範例會擷取規則 ebs-optimized-instance 的合規詳細資訊,其中並無規則目前適用的評估結果,因此會傳回 INSUFFICIENT\$1DATA**
```
(Get-CFGComplianceByConfigRule -ConfigRuleName ebs-optimized-instance).Compliance
```
**輸出:**
```
ComplianceContributorCount ComplianceType
-------------------------- --------------
INSUFFICIENT_DATA
```
**範例 2:此範例傳回規則 ALB\$1HTTP\$1TO\$1HTTPS\$1REDIRECTION\$1CHECK 的不合規資源數目。**
```
(Get-CFGComplianceByConfigRule -ConfigRuleName ALB_HTTP_TO_HTTPS_REDIRECTION_CHECK -ComplianceType NON_COMPLIANT).Compliance.ComplianceContributorCount
```
**輸出:**
```
CapExceeded CappedCount
----------- -----------
False 2
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V4)》**中的 [DescribeComplianceByConfigRule](https://docs.aws.amazon.com/powershell/v4/reference)。
**Tools for PowerShell V5**
**範例 1:此範例會擷取規則 ebs-optimized-instance 的合規詳細資訊,其中並無規則目前適用的評估結果,因此會傳回 INSUFFICIENT\$1DATA**
```
(Get-CFGComplianceByConfigRule -ConfigRuleName ebs-optimized-instance).Compliance
```
**輸出:**
```
ComplianceContributorCount ComplianceType
-------------------------- --------------
INSUFFICIENT_DATA
```
**範例 2:此範例傳回規則 ALB\$1HTTP\$1TO\$1HTTPS\$1REDIRECTION\$1CHECK 的不合規資源數目。**
```
(Get-CFGComplianceByConfigRule -ConfigRuleName ALB_HTTP_TO_HTTPS_REDIRECTION_CHECK -ComplianceType NON_COMPLIANT).Compliance.ComplianceContributorCount
```
**輸出:**
```
CapExceeded CappedCount
----------- -----------
False 2
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V5)》**中的 [DescribeComplianceByConfigRule](https://docs.aws.amazon.com/powershell/v5/reference)。
------
### 檢視規則的合規摘要
下列程式碼範例示範如何使用 `GetComplianceSummaryByConfigRule`。
------
#### [ CLI ]
**AWS CLI**
**取得 Config AWS 規則的合規摘要**
以下命令傳回符合規則的數量,以及不符合規則的數量:
```
aws configservice get-compliance-summary-by-config-rule
```
在輸出中,每個 `CappedCount` 屬性的值會表示遵守或未遵守的規則數量。
輸出:
```
{
"ComplianceSummary": {
"NonCompliantResourceCount": {
"CappedCount": 3,
"CapExceeded": false
},
"ComplianceSummaryTimestamp": 1452204131.493,
"CompliantResourceCount": {
"CappedCount": 2,
"CapExceeded": false
}
}
}
```
+ 如需 API 詳細資訊,請參閱《*AWS CLI 命令參考*》中的 [GetComplianceSummaryByConfigRule](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/configservice/get-compliance-summary-by-config-rule.html)。
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**範例 1:此範例傳回不合規的 Config 規則數目。**
```
Get-CFGComplianceSummaryByConfigRule -Select ComplianceSummary.NonCompliantResourceCount
```
**輸出:**
```
CapExceeded CappedCount
----------- -----------
False 9
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V4)》**中的 [GetComplianceSummaryByConfigRule](https://docs.aws.amazon.com/powershell/v4/reference)。
**Tools for PowerShell V5**
**範例 1:此範例傳回不合規的 Config 規則數目。**
```
Get-CFGComplianceSummaryByConfigRule -Select ComplianceSummary.NonCompliantResourceCount
```
**輸出:**
```
CapExceeded CappedCount
----------- -----------
False 9
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V5)》**中的 [GetComplianceSummaryByConfigRule](https://docs.aws.amazon.com/powershell/v5/reference)。
------
### 檢視規則的評估結果
下列程式碼範例示範如何使用 `GetComplianceDetailsByConfigRule`。
------
#### [ CLI ]
**AWS CLI**
**取得 Config AWS 規則的評估結果**
下列命令會傳回不符合名為 之 AWS Config 規則的所有資源的評估結果`InstanceTypesAreT2micro`:
```
aws configservice get-compliance-details-by-config-rule --config-rule-name InstanceTypesAreT2micro --compliance-types NON_COMPLIANT
```
輸出:
```
{
"EvaluationResults": [
{
"EvaluationResultIdentifier": {
"OrderingTimestamp": 1450314635.065,
"EvaluationResultQualifier": {
"ResourceType": "AWS::EC2::Instance",
"ResourceId": "i-1a2b3c4d",
"ConfigRuleName": "InstanceTypesAreT2micro"
}
},
"ResultRecordedTime": 1450314645.261,
"ConfigRuleInvokedTime": 1450314642.948,
"ComplianceType": "NON_COMPLIANT"
},
{
"EvaluationResultIdentifier": {
"OrderingTimestamp": 1450314635.065,
"EvaluationResultQualifier": {
"ResourceType": "AWS::EC2::Instance",
"ResourceId": "i-2a2b3c4d",
"ConfigRuleName": "InstanceTypesAreT2micro"
}
},
"ResultRecordedTime": 1450314645.18,
"ConfigRuleInvokedTime": 1450314642.902,
"ComplianceType": "NON_COMPLIANT"
},
{
"EvaluationResultIdentifier": {
"OrderingTimestamp": 1450314635.065,
"EvaluationResultQualifier": {
"ResourceType": "AWS::EC2::Instance",
"ResourceId": "i-3a2b3c4d",
"ConfigRuleName": "InstanceTypesAreT2micro"
}
},
"ResultRecordedTime": 1450314643.346,
"ConfigRuleInvokedTime": 1450314643.124,
"ComplianceType": "NON_COMPLIANT"
}
]
}
```
+ 如需 API 詳細資訊,請參閱《*AWS CLI 命令參考*》中的 [GetComplianceDetailsByConfigRule](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/configservice/get-compliance-details-by-config-rule.html)。
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**範例 1:此範例會取得規則 access-keys-rotated 的評估結果,並傳回依 compliance-type 分組的輸出**
```
Get-CFGComplianceDetailsByConfigRule -ConfigRuleName access-keys-rotated | Group-Object ComplianceType
```
**輸出:**
```
Count Name Group
----- ---- -----
2 COMPLIANT {Amazon.ConfigService.Model.EvaluationResult, Amazon.ConfigService.Model.EvaluationResult}
5 NON_COMPLIANT {Amazon.ConfigService.Model.EvaluationResult, Amazon.ConfigService.Model.EvaluationResult, Amazon.ConfigService.Model.EvaluationRes...
```
**範例 2:此範例會查詢 COMPLIANT 資源之 access-keys-rotated 規則的合規詳細資訊。**
```
Get-CFGComplianceDetailsByConfigRule -ConfigRuleName access-keys-rotated -ComplianceType COMPLIANT | ForEach-Object {$_.EvaluationResultIdentifier.EvaluationResultQualifier}
```
**輸出:**
```
ConfigRuleName ResourceId ResourceType
-------------- ---------- ------------
access-keys-rotated BCAB1CDJ2LITAPVEW3JAH AWS::IAM::User
access-keys-rotated BCAB1CDJ2LITL3EHREM4Q AWS::IAM::User
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V4)》**中的 [GetComplianceDetailsByConfigRule](https://docs.aws.amazon.com/powershell/v4/reference)。
**Tools for PowerShell V5**
**範例 1:此範例會取得規則 access-keys-rotated 的評估結果,並傳回依 compliance-type 分組的輸出**
```
Get-CFGComplianceDetailsByConfigRule -ConfigRuleName access-keys-rotated | Group-Object ComplianceType
```
**輸出:**
```
Count Name Group
----- ---- -----
2 COMPLIANT {Amazon.ConfigService.Model.EvaluationResult, Amazon.ConfigService.Model.EvaluationResult}
5 NON_COMPLIANT {Amazon.ConfigService.Model.EvaluationResult, Amazon.ConfigService.Model.EvaluationResult, Amazon.ConfigService.Model.EvaluationRes...
```
**範例 2:此範例會查詢 COMPLIANT 資源之 access-keys-rotated 規則的合規詳細資訊。**
```
Get-CFGComplianceDetailsByConfigRule -ConfigRuleName access-keys-rotated -ComplianceType COMPLIANT | ForEach-Object {$_.EvaluationResultIdentifier.EvaluationResultQualifier}
```
**輸出:**
```
ConfigRuleName ResourceId ResourceType
-------------- ---------- ------------
access-keys-rotated BCAB1CDJ2LITAPVEW3JAH AWS::IAM::User
access-keys-rotated BCAB1CDJ2LITL3EHREM4Q AWS::IAM::User
```
+ 如需 API 詳細資訊,請參閱《AWS Tools for PowerShell Cmdlet 參考 (V5)》**中的 [GetComplianceDetailsByConfigRule](https://docs.aws.amazon.com/powershell/v5/reference)。
------