All Products
Search
Document Center

Cloud Config:ListAggregateConfigRuleEvaluationResults

Last Updated:Mar 01, 2024

Queries the compliance evaluation results of resources based on a rule in an account group.

Operation description

This topic provides an example on how to query the compliance evaluation results of resources based on the cr-888f626622af00ae**** rule in the ca-d1e3326622af00cb**** account group. The returned result indicates that the Bucket-test resource is evaluated as NON_COMPLIANT by using the rule. The resource is an Object Storage Service (OSS) bucket.

Debugging

OpenAPI Explorer automatically calculates the signature value. For your convenience, we recommend that you call this operation in OpenAPI Explorer.

Authorization information

The following table shows the authorization information corresponding to the API. The authorization information can be used in the Action policy element to grant a RAM user or RAM role the permissions to call this API operation. Description:

  • Operation: the value that you can use in the Action element to specify the operation on a resource.
  • Access level: the access level of each operation. The levels are read, write, and list.
  • Resource type: the type of the resource on which you can authorize the RAM user or the RAM role to perform the operation. Take note of the following items:
    • The required resource types are displayed in bold characters.
    • If the permissions cannot be granted at the resource level, All Resources is used in the Resource type column of the operation.
  • Condition Key: the condition key that is defined by the cloud service.
  • Associated operation: other operations that the RAM user or the RAM role must have permissions to perform to complete the operation. To complete the operation, the RAM user or the RAM role must have the permissions to perform the associated operations.
OperationAccess levelResource typeCondition keyAssociated operation
config:ListAggregateConfigRuleEvaluationResultsList
  • All Resources
    *
    none
none

Request parameters

ParameterTypeRequiredDescriptionExample
ComplianceTypestringNo

The compliance evaluation result of the resource. Valid values:

  • COMPLIANT: The resource is evaluated as compliant.
  • NON_COMPLIANT: The resource is evaluated as non-compliant.
  • NOT_APPLICABLE: The rule does not apply to the resource.
  • INSUFFICIENT_DATA: No resource data is available.
  • IGNORED: The resource is ignored during compliance evaluation.
NON_COMPLIANT
NextTokenstringNo

The token that is used to initiate the next request. If the response to the current request is truncated, this token is used to initiate another request and obtain the remaining entries.``

IWBjqMYSy0is7zSMGu16****
MaxResultsintegerNo

The maximum number of entries to return for a single request. Valid values: 1 to 100.

10
ConfigRuleIdstringNo

The ID of the rule.

For more information about how to obtain the ID of a rule, see ListAggregateConfigRules .

cr-888f626622af00ae****
AggregatorIdstringYes

The ID of the account group.

For more information about how to obtain the ID of an account group, see ListAggregators .

ca-b1e6626622af00cb****
CompliancePackIdstringNo

The ID of the compliance package.

For more information about how to obtain the ID of a compliance package, see ListAggregateCompliancePacks .

cp-f1e3326622af00cb****
RegionsstringNo

The ID of the region whose resources you want to evaluate. Separate multiple region IDs with commas (,).

cn-shanghai
ResourceTypesstringNo

The type of the resources that you want to evaluate. Separate multiple resource types with commas (,).

ACS::ECS::Instance
ResourceGroupIdsstringNo

The ID of the resource group whose resources you want to evaluate. Separate multiple resource group IDs with commas (,).

rg-aek2cqyzvuj****
ResourceAccountIdlongNo

Member accountId to which the resource to be queried belongs.

100931896542****

For more information about common request parameters, see Common parameters.

Response parameters

ParameterTypeDescriptionExample
object
RequestIdstring

The ID of the request.

A6662516-D056-4325-B6A7-CD3E89C97C39
EvaluationResultsobject

The information about the compliance evaluation results returned.

NextTokenstring

The token that was used to initiate the next request.

IWBjqMYSy0is7zSMGu16****
MaxResultsinteger

The maximum number of entries returned per page.

10
EvaluationResultListobject []

The details of the compliance evaluation results.

RiskLevelinteger

The risk level of the resources that are not compliant with the rule. Valid values:

  • 1: high risk level
  • 2: medium risk level
  • 3: low risk level
1
ComplianceTypestring

The compliance evaluation result of the resources. Valid values:

  • COMPLIANT: The resources are evaluated as compliant.
  • NON_COMPLIANT: The resources are evaluated as non-compliant.
  • NOT_APPLICABLE: The rule does not apply to the resources.
  • INSUFFICIENT_DATA: No resource data is available.
  • IGNORED: The resources are ignored during compliance evaluation.
NON_COMPLIANT
ResultRecordedTimestamplong

The timestamp when the compliance evaluation result was generated. Unit: milliseconds.

1624869013065
Annotationstring

The annotation to the resource that is evaluated as incompliant. The following section describe the parameters that can be returned:

  • configuration: the current resource configuration that is evaluated as incompliant by using the rule.
  • desiredValue: the expected resource configuration that is evaluated as compliant by using the rule.
  • operator: the operator that is used to compare the current configuration with the expected configuration of the resource.
  • property: the JSON path of the current configuration in the resource property struct.
  • reason: the reason why the resource is evaluated as incompliant.
{\"configuration\":\"LRS\",\"desiredValue\":\"ZRS\",\"operator\":\"StringEquals\",\"property\":\"$.DataRedundancyType\"}
ConfigRuleInvokedTimestamplong

The timestamp when the rule was triggered for the compliance evaluation. Unit: milliseconds.

1624869012713
InvokingEventMessageTypestring

The trigger type of the rule. Valid values:

  • ConfigurationItemChangeNotification: The rule is triggered by configuration changes.
  • ScheduledNotification: The rule is periodically triggered.
ScheduledNotification
EvaluationResultIdentifierobject

The identifier of the compliance evaluation result.

OrderingTimestamplong

The timestamp when the compliance evaluation was performed. Unit: milliseconds.

Note This timestamp indicates the time when the rule was triggered. You can obtain the timestamp from the value of the ConfigRuleInvokedTimestamp parameter.
1624869012713
EvaluationResultQualifierobject

The information about the evaluated resource in the compliance evaluation result.

ResourceOwnerIdlong

The ID of the Alibaba Cloud account to which the resource belongs.

173808452267****
ConfigRuleArnstring

The Alibaba Cloud Resource Name (ARN) of the rule.

acs:config::100931896542****:rule/cr-888f626622af00ae****
ResourceTypestring

The type of the resource.

ACS::OSS::Bucket
ConfigRuleNamestring

The name of the rule.

test-rule-name
ResourceIdstring

The ID of the resource.

Bucket-test
ConfigRuleIdstring

The ID of the rule.

cr-888f626622af00ae****
ResourceNamestring

The name of the resource.

Bucket-test
RegionIdstring

The ID of the region where the resource resides.

cn-hangzhou
CompliancePackIdstring

The ID of the compliance package to which the rule belongs.

cr-7263fd26622af00bc****
IgnoreDatestring

The date on which the system automatically re-evaluates the ignored incompliant resources.

Note If this parameter is left empty, the system does not automatically re-evaluate the ignored incompliant resources. You must manually re-evaluate the ignored incompliant resources.
2022-06-01
RemediationEnabledboolean

Indicates whether the remediation template is enabled. Valid values:

  • true: The remediation template is enabled.
  • false: The remediation template is disabled.
false

Examples

Sample success responses

JSONformat

{
  "RequestId": "A6662516-D056-4325-B6A7-CD3E89C97C39",
  "EvaluationResults": {
    "NextToken": "IWBjqMYSy0is7zSMGu16****",
    "MaxResults": 10,
    "EvaluationResultList": [
      {
        "RiskLevel": 1,
        "ComplianceType": "NON_COMPLIANT",
        "ResultRecordedTimestamp": 1624869013065,
        "Annotation": "{\\\"configuration\\\":\\\"LRS\\\",\\\"desiredValue\\\":\\\"ZRS\\\",\\\"operator\\\":\\\"StringEquals\\\",\\\"property\\\":\\\"$.DataRedundancyType\\\"}",
        "ConfigRuleInvokedTimestamp": 1624869012713,
        "InvokingEventMessageType": "ScheduledNotification",
        "EvaluationResultIdentifier": {
          "OrderingTimestamp": 1624869012713,
          "EvaluationResultQualifier": {
            "ResourceOwnerId": 0,
            "ConfigRuleArn": "acs:config::100931896542****:rule/cr-888f626622af00ae****",
            "ResourceType": "ACS::OSS::Bucket",
            "ConfigRuleName": "test-rule-name",
            "ResourceId": "Bucket-test",
            "ConfigRuleId": "cr-888f626622af00ae****",
            "ResourceName": "Bucket-test",
            "RegionId": "cn-hangzhou",
            "CompliancePackId": "cr-7263fd26622af00bc****",
            "IgnoreDate": "2022-06-01"
          }
        },
        "RemediationEnabled": false
      }
    ]
  }
}

Error codes

HTTP status codeError codeError messageDescription
400NoPermissionYou are not authorized to perform this operation.You are not authorized to perform this operation.
400Invalid.AggregatorId.ValueThe specified AggregatorId is invalid.The specified aggregator ID does not exist or you are not authorized to use the aggregator.
400Invalid.CompliancePackId.ValueThe specified CompliancePackId does not exist.The specified compliance pack ID does not exist.
404CloudConfigServiceRoleNotExistedThe CloudConfigServiceRole does not exist.The CloudConfig service role does not exist.
404AccountNotExistedYour account does not exist.The specified account does not exist.
503ServiceUnavailableThe request has failed due to a temporary failure of the server.The request has failed due to a temporary failure of the server.

For a list of error codes, visit the Service error codes.

Change history

Change timeSummary of changesOperation
2023-04-12The Error code has changed. The request parameters of the API has changedsee changesets
Change itemChange content
Error CodesThe Error code has changed.
    delete Error Codes: 400
    delete Error Codes: 404
    delete Error Codes: 503
Input ParametersThe request parameters of the API has changed.
    Added Input Parameters: ResourceAccountId