本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。
# 使用 檢視 AWS 資源的合規歷史記錄 AWS Config
**重要**
`AWS::Config::ResourceCompliance` 資源類型用於存放資源的歷史合規結果。Config 規則**不需要**記錄此資源類型,即可在主控台中評估資源或檢視目前的合規狀態。
`AWS::Config::ResourceCompliance` 僅錄製可讓您在資源時間軸中檢視一段時間內的歷史合規變更。如果您不需要歷史合規資料,則可以排除此資源類型。如需選取要記錄的資源的詳細資訊,請參閱[錄製 AWS 資源](https://docs.aws.amazon.com/config/latest/developerguide/select-resources.html)。
您可以在 AWS Config 主控台中檢視資源的組態、關係和變更數量。您可以使用 檢視資源的組態歷史記錄 AWS CLI。
**Topics**
+ [檢視合規歷史記錄 (主控台)](#view-config-details-console)
+ [檢視合規歷史記錄 (AWS CLI)](#view-config-details-cli)
+ [針對資源和規則](#view-compliance-history)
## 檢視合規歷史記錄 (主控台)
### 使用主控台檢視合規歷史記錄
當您在 **資源庫存** 頁面上查詢資源時,選擇資源識別符欄中的資源名稱或 ID 以檢視資源的詳細資訊頁面。詳細資訊頁面提供該資源的組態、關係以及對其所做的變更。
若要從資源詳細資訊頁面存取資源時間軸,請選擇 **資源時間軸** 按鈕。資源時間軸會為特定資源擷取 `ConfigurationItems` 在一段時間內的變更。您可以依組態事件、合規事件或 CloudTrail 事件進行篩選。
## 檢視合規歷史記錄 (AWS CLI)
### 使用 檢視合規歷史記錄 AWS CLI
AWS Config 記錄的組態項目會隨需交付至指定的交付管道,做為組態快照和組態串流。您可以使用 AWS CLI 來檢視每個資源的組態項目歷史記錄。
#### 檢視組態歷史記錄
輸入 [https://docs.aws.amazon.com/cli/latest/reference/configservice/get-resource-config-history.html](https://docs.aws.amazon.com/cli/latest/reference/configservice/get-resource-config-history.html)命令並指定資源類型和資源 ID,例如:
```
$ aws configservice get-resource-config-history --resource-type AWS::EC2::SecurityGroup --resource-id sg-6fbb3807
{
"configurationItems": [
{
"configurationItemCaptureTime": 1414708529.9219999,
"relationships": [
{
"resourceType": "AWS::EC2::Instance",
"resourceId": "i-7a3b232a",
"relationshipName": "Is associated with Instance"
},
{
"resourceType": "AWS::EC2::Instance",
"resourceId": "i-8b6eb2ab",
"relationshipName": "Is associated with Instance"
},
{
"resourceType": "AWS::EC2::Instance",
"resourceId": "i-c478efe5",
"relationshipName": "Is associated with Instance"
},
{
"resourceType": "AWS::EC2::Instance",
"resourceId": "i-e4cbe38d",
"relationshipName": "Is associated with Instance"
}
],
"availabilityZone": "Not Applicable",
"tags": {},
"resourceType": "AWS::EC2::SecurityGroup",
"resourceId": "sg-6fbb3807",
"configurationStateId": "1",
"relatedEvents": [],
"arn": "arn:aws:ec2:us-east-2:012345678912:security-group/default",
"version": "1.0",
"configurationItemMD5Hash": "860aa81fc3869e186b2ee00bc638a01a",
"configuration": "{\"ownerId\":\"605053316265\",\"groupName\":\"default\",\"groupId\":\"sg-6fbb3807\",\"description\":\"default group\",\"ipPermissions\":[{\"ipProtocol\":\"tcp\",\"fromPort\":80,\"toPort\":80,\"userIdGroupPairs\":[{\"userId\":\"amazon-elb\",\"groupName\":\"amazon-elb-sg\",\"groupId\":\"sg-843f59ed\"}],\"ipRanges\":[\"0.0.0.0/0\"]},{\"ipProtocol\":\"tcp\",\"fromPort\":0,\"toPort\":65535,\"userIdGroupPairs\":[{\"userId\":\"605053316265\",\"groupName\":\"default\",\"groupId\":\"sg-6fbb3807\"}],\"ipRanges\":[]},{\"ipProtocol\":\"udp\",\"fromPort\":0,\"toPort\":65535,\"userIdGroupPairs\":[{\"userId\":\"605053316265\",\"groupName\":\"default\",\"groupId\":\"sg-6fbb3807\"}],\"ipRanges\":[]},{\"ipProtocol\":\"icmp\",\"fromPort\":-1,\"toPort\":-1,\"userIdGroupPairs\":[{\"userId\":\"605053316265\",\"groupName\":\"default\",\"groupId\":\"sg-6fbb3807\"}],\"ipRanges\":[]},{\"ipProtocol\":\"tcp\",\"fromPort\":1433,\"toPort\":1433,\"userIdGroupPairs\":[],\"ipRanges\":[\"0.0.0.0/0\"]},{\"ipProtocol\":\"tcp\",\"fromPort\":3389,\"toPort\":3389,\"userIdGroupPairs\":[],\"ipRanges\":[\"207.171.160.0/19\"]}],\"ipPermissionsEgress\":[],\"vpcId\":null,\"tags\":[]}",
"configurationItemStatus": "ResourceDiscovered",
"accountId": "605053316265"
}
],
"nextToken":
..........
```
如需回應欄位的詳細說明,請參閱[組態項目的元件](config-item-table.md)和 [支援的資源類型 AWS Config](resource-config-reference.md)。
#### 來自 的 Amazon EBS 組態歷史記錄範例 AWS Config
AWS Config 會產生一組檔案,每個檔案都代表資源類型,並列出 AWS Config 正在記錄的該類型資源的所有組態變更。 AWS Config 會將此資源中心組態歷史記錄匯出為您啟用時指定的 Amazon S3 儲存貯體中的物件 AWS Config。每種資源類型的組態歷史記錄檔案都會包含自交付最後一個歷史記錄檔案之後,針對該類型的資源所偵測到的變更。通常每六小時會交付歷史記錄檔案一次。
以下是 Amazon S3 物件的內容範例,描述 目前區域中所有 Amazon Elastic Block Store 磁碟區的組態歷史記錄 AWS 帳戶。此帳戶中的磁碟區包含 `vol-ce676ccc` 和 `vol-cia007c`。自交付先前的歷史記錄檔案以來,磁碟區 `vol-ce676ccc` 有兩項組態變更,而磁碟區 `vol-cia007c` 有一項變更。
```
{
"fileVersion": "1.0",
"requestId": "asudf8ow-4e34-4f32-afeb-0ace5bf3trye",
"configurationItems": [
{
"snapshotVersion": "1.0",
"resourceId": "vol-ce676ccc",
"arn": "arn:aws:us-west-2b:123456789012:volume/vol-ce676ccc",
"accountId": "12345678910",
"configurationItemCaptureTime": "2014-03-07T23:47:08.918Z",
"configurationStateID": "3e660fdf-4e34-4f32-afeb-0ace5bf3d63a",
"configurationItemStatus": "OK",
"relatedEvents": [
"06c12a39-eb35-11de-ae07-adb69edbb1e4",
"c376e30d-71a2-4694-89b7-a5a04ad92281"
],
"availibilityZone": "us-west-2b",
"resourceType": "AWS::EC2::Volume",
"resourceCreationTime": "2014-02-27T21:43:53.885Z",
"tags": {},
"relationships": [
{
"resourceId": "i-344c463d",
"resourceType": "AWS::EC2::Instance",
"name": "Attached to Instance"
}
],
"configuration": {
"volumeId": "vol-ce676ccc",
"size": 1,
"snapshotId": "",
"availabilityZone": "us-west-2b",
"state": "in-use",
"createTime": "2014-02-27T21:43:53.0885+0000",
"attachments": [
{
"volumeId": "vol-ce676ccc",
"instanceId": "i-344c463d",
"device": "/dev/sdf",
"state": "attached",
"attachTime": "2014-03-07T23:46:28.0000+0000",
"deleteOnTermination": false
}
],
"tags": [
{
"tagName": "environment",
"tagValue": "PROD"
},
{
"tagName": "name",
"tagValue": "DataVolume1"
}
],
"volumeType": "standard"
}
},
{
"configurationItemVersion": "1.0",
"resourceId": "vol-ce676ccc",
"arn": "arn:aws:us-west-2b:123456789012:volume/vol-ce676ccc",
"accountId": "12345678910",
"configurationItemCaptureTime": "2014-03-07T21:47:08.918Z",
"configurationItemState": "3e660fdf-4e34-4f32-sseb-0ace5bf3d63a",
"configurationItemStatus": "OK",
"relatedEvents": [
"06c12a39-eb35-11de-ae07-ad229edbb1e4",
"c376e30d-71a2-4694-89b7-a5a04w292281"
],
"availibilityZone": "us-west-2b",
"resourceType": "AWS::EC2::Volume",
"resourceCreationTime": "2014-02-27T21:43:53.885Z",
"tags": {},
"relationships": [
{
"resourceId": "i-344c463d",
"resourceType": "AWS::EC2::Instance",
"name": "Attached to Instance"
}
],
"configuration": {
"volumeId": "vol-ce676ccc",
"size": 1,
"snapshotId": "",
"availabilityZone": "us-west-2b",
"state": "in-use",
"createTime": "2014-02-27T21:43:53.0885+0000",
"attachments": [
{
"volumeId": "vol-ce676ccc",
"instanceId": "i-344c463d",
"device": "/dev/sdf",
"state": "attached",
"attachTime": "2014-03-07T23:46:28.0000+0000",
"deleteOnTermination": false
}
],
"tags": [
{
"tagName": "environment",
"tagValue": "PROD"
},
{
"tagName": "name",
"tagValue": "DataVolume1"
}
],
"volumeType": "standard"
}
},
{
"configurationItemVersion": "1.0",
"resourceId": "vol-cia007c",
"arn": "arn:aws:us-west-2b:123456789012:volume/vol-cia007c",
"accountId": "12345678910",
"configurationItemCaptureTime": "2014-03-07T20:47:08.918Z",
"configurationItemState": "3e660fdf-4e34-4f88-sseb-0ace5bf3d63a",
"configurationItemStatus": "OK",
"relatedEvents": [
"06c12a39-eb35-11de-ae07-adjhk8edbb1e4",
"c376e30d-71a2-4694-89b7-a5a67u292281"
],
"availibilityZone": "us-west-2b",
"resourceType": "AWS::EC2::Volume",
"resourceCreationTime": "2014-02-27T20:43:53.885Z",
"tags": {},
"relationships": [
{
"resourceId": "i-344e563d",
"resourceType": "AWS::EC2::Instance",
"name": "Attached to Instance"
}
],
"configuration": {
"volumeId": "vol-cia007c",
"size": 1,
"snapshotId": "",
"availabilityZone": "us-west-2b",
"state": "in-use",
"createTime": "2014-02-27T20:43:53.0885+0000",
"attachments": [
{
"volumeId": "vol-cia007c",
"instanceId": "i-344e563d",
"device": "/dev/sdf",
"state": "attached",
"attachTime": "2014-03-07T23:46:28.0000+0000",
"deleteOnTermination": false
}
],
"tags": [
{
"tagName": "environment",
"tagValue": "PROD"
},
{
"tagName": "name",
"tagValue": "DataVolume2"
}
],
"volumeType": "standard"
}
}
]
}
```
## 檢視資源和規則的合規歷史記錄時間表
AWS Config 支援依 評估存放資源的合規狀態變更 AWS Config 規則。資源合規歷史記錄會以時間軸的形式呈現。時間軸會為特定資源擷取 `ConfigurationItems` 在一段時間內的變更。如需 內容的資訊`ConfigurationItem`,請參閱 AWS Config API 參考中的 [ConfigurationItem](https://docs.aws.amazon.com/config/latest/APIReference/API_ConfigurationItem.html)。
您可以選擇使用或選擇退出在 AWS Config中記錄所有資源類型。如果您已選擇記錄所有資源類型, AWS Config 會自動開始記錄由 評估的資源合規歷史記錄 AWS Config 規則。根據預設, 會 AWS Config 記錄所有支援資源的組態變更。您也可以僅選取特定的資源合規歷史記錄資源類型:`AWS::Config::ResourceCompliance`。如需詳細資訊,請參閱[錄製 AWS 記錄](https://docs.aws.amazon.com/config/latest/developerguide/select-resources.html#select-resources-console)。
------
#### [ Viewing Resource Timeline Using Resources ]
從「資源庫存」頁面選擇特定資源來存取資源時間軸。
1. 從左側導覽選擇**資源**。
1. 在「資源庫存」頁面上,您可以依資源類別、資源類型和合規狀態進行篩選。如果適用,請選擇 **納入已刪除的資源**。
下表顯示資源類型和適用於該資源之資源合規狀態的資源識別符。資源識別符可能是資源 ID 或資源名稱。
1. 從資源識別符資料行選取資源。
1. 選擇 **資源時間軸** 按鈕。您可以依組態事件、合規事件或 CloudTrail 事件進行篩選。
**注意**
或者,您可以直接在「資源庫存」頁面選擇資源名稱。若要從「資源詳細資訊」頁面存取資源時間軸,請選擇 **資源時間軸** 按鈕。
------
#### [ Viewing Resource Timeline Using Rules ]
從「規則」頁面選擇特定規則來存取資源時間軸。
1. 從左側導覽選取**規則**。
1. 在「規則」頁面上,選擇評估相關資源的規則。如果畫面上沒有規則顯示,請使用**新增規則**按鈕新增規則。
1. 在「規則」詳細資訊頁面上,從「資源」評估表格中選取資源。
1. 選取 **資源時間表** 按鈕。資源時間軸會隨即顯示。
------