Queries the details of a rule.

In this topic, the cr-7f7d626622af0041**** rule is used as an example.

Debugging

OpenAPI Explorer automatically calculates the signature value. For your convenience, we recommend that you call this operation in OpenAPI Explorer. OpenAPI Explorer dynamically generates the sample code of the operation for different SDKs.

Request parameters

Parameter Type Required Example Description
Action String Yes GetConfigRule

The operation that you want to perform. Set the value to GetConfigRule.

ConfigRuleId String Yes cr-7f7d626622af0041****

The ID of the rule.

For more information about how to obtain the ID of a rule, see ListConfigRules.

For information about common request parameters, see Common parameters.

Response parameters

Parameter Type Example Description
RequestId String 811234F4-C3AB-4D15-B90B-F55016D1B5AA

The ID of the request.

ConfigRule Object

The details of the rule.

RiskLevel Integer 1

The risk level of the resources that are not compliant with the rule. Valid values:

  • 1: high risk level.
  • 2: medium risk level.
  • 3: low risk level.
InputParameters Map

The input parameters of the rule.

Source Object

The information about how the rule was created.

SourceDetails Array of SourceDetails

The details of the source of the rule.

MessageType String ConfigurationItemChangeNotification

The trigger type of the rule. Valid values:

  • ConfigurationItemChangeNotification: The rule is triggered by configuration changes.
  • ScheduledNotification: The rule is triggered as scheduled.
EventSource String aliyun.config

The event source of the rule.

Note Only events related to Cloud Config are supported. The value is fixed to aliyun.config.
MaximumExecutionFrequency String One_Hour

The intervals at which the rule is triggered.

  • One_Hour: 1 hour.
  • Three_Hours: 3 hours.
  • Six_Hours: 6 hours.
  • Twelve_Hours: 12 hours.
  • TwentyFour_Hours: 24 hours.
Note This parameter is returned if the rule is triggered as scheduled.
Owner String ALIYUN

The way in which the rule was created. Valid values:

  • CUSTOM_FC: The rule is a custom rule.
  • ALIYUN: The rule was created based on a managed rule of Alibaba Cloud.
SourceConditions Array of SourceConditions

The condition used to trigger the rule.

DesiredValue String True

The expected value of the input parameter.

Tips String ECS instance type

The description of the input parameter.

Operator String StringEqualsIn

The operator used to compare the actual value against the expected value of the input parameter. The operator varies based on the data type of parameter values. Valid values:

  • Valid values for the String data type:
    • StringEquals: The actual value is equal to the expected value.
    • NotStringEquals: The actual value is not equal to the expected value.
    • StringIn: The actual value exists in the expected value.
    • NotStringIn: The actual value does not exist in the expected value.
    • StringContains: The actual value contains the expected value.
    • NotStringContains: The actual value does not contain the expected value.
  • Valid values for the Number data type:
    • Equals: The actual value is equal to the expected value.
    • NotEquals: The actual value is not equal to the expected value.
    • Less: The actual value is less than the expected value.
    • LessOrEquals: The actual value is less than or equal to the expected value.
    • Greater: The actual value is greater than the expected value.
    • GreaterOrEquals: The actual value is greater than or equal to the expected value.
  • Valid values for the Base64String data type that indicates a Base64-encoded string:
    • Base64Contains: The actual value contains the expected value.
    • NotBase64Contains: The actual value does not contain the expected value.
    • Base64ContainsAll: The actual value contains all characters in the expected value.
    • Base64ExcludeAll: The actual value excludes all characters in the expected value.
  • Valid values for the Array data type:
    • Contains: The actual value contains the expected value.
    • NotContains: The actual value does not contain the expected value.
    • In: The actual value exists in the expected value.
    • NotIn: The actual value does not exist in the expected value.
    • ContainsAll: The actual value contains all elements of the expected value.
    • ExcludeAll: The actual value excludes all elements of the expected value.
    • IsEmpty: The actual value is null.
Name String instanceTypes

The name of the input parameter.

Identifier String acs:fc:cn-hangzhou:100931896542****:services/ConfigService.LATEST/functions/specific-config

The identifier of the rule.

  • If the rule was created based on a managed rule, the value of this parameter is the name of the managed rule.
  • If the rule is a custom rule, the value of this parameter is the Alibaba Cloud Resource Name (ARN) of the relevant function in Function Compute.
ConfigRuleState String ACTIVE

The status of the rule. Valid values:

  • ACTIVE: The rule is being used to monitor resource configurations.
  • DELETING: The rule is being deleted.
  • EVALUATING: The rule is triggered and is being used to monitor resource configurations.
  • INACTIVE: The rule is disabled and is no longer used to monitor resource configurations.
MaximumExecutionFrequency String One_Hour

The intervals at which the rule is triggered.

  • One_Hour: 1 hour.
  • Three_Hours: 3 hours.
  • Six_Hours: 6 hours.
  • Twelve_Hours: 12 hours.
  • TwentyFour_Hours: 24 hours.
Note This parameter is returned if the rule is triggered as scheduled.
ManagedRule Object

The details of the managed rule.

SourceDetails Array of SourceDetails

The details of the source of the managed rule.

MessageType String ConfigurationItemChangeNotification

The trigger type of the managed rule. Valid values:

  • ConfigurationItemChangeNotification: The managed rule is triggered by configuration changes.
  • ScheduledNotification: The managed rule is triggered as scheduled.
EventSource String aliyun.config

The event source of the managed rule.

Note Only events related to Cloud Config are supported. The value is fixed to aliyun.config.
MaximumExecutionFrequency String One_Hour

The intervals at which the managed rule is triggered.

  • One_Hour: 1 hour.
  • Three_Hours: 3 hours.
  • Six_Hours: 6 hours.
  • Twelve_Hours: 12 hours.
  • TwentyFour_Hours: 24 hours.
Note This parameter is returned if the rule is triggered as scheduled.
Description String If no ECS disk is locked due to some issues, the configuration is considered compliant. These issues include overdue payments and security risks.

The description of the managed rule.

Labels Array of String ["RAM","User"]

The tags of the managed rule.

Identifier String ram-user-mfa-check

The identifier of the managed rule.

OptionalInputParameterDetails Map

The settings of the optional input parameters for the managed rule.

ManagedRuleName String ram-user-mfa-check

The name of the managed rule.

CompulsoryInputParameterDetails Map

The settings of the required input parameters for the managed rule.

ConfigRuleArn String acs:config::100931896542****:rule/cr-7f7d626622af0041****

The ARN of the managed rule.

Description String If MFA is enabled for the RAM user, the configuration is considered compliant.

The description of the managed rule.

CreateBy Object

The information about the creation of the rule.

CompliancePackId String cp-541e626622af008****

The ID of the compliance package.

CompliancePackName String BestPracticesForOSS

The name of the compliance package.

CreatorName String Alice

The name of the account that was used to create the rule.

CreatorId String 100931896542****

The ID of the account that was used to create the rule.

ConfigRuleName String ram-user-mfa-check

The name of the rule.

ConfigRuleEvaluationStatus Object

The information about compliance evaluations performed by the rule.

LastErrorCode String TimeOut

The error code returned for the last failed compliance evaluation.

LastSuccessfulEvaluationTimestamp Long 1624932227486

The timestamp when the last successful compliance evaluation of the rule ended. Unit: milliseconds.

FirstActivatedTimestamp Long 1624932221993

The timestamp when the rule was first triggered. Unit: milliseconds.

FirstEvaluationStarted Boolean true

Indicates whether resources were evaluated based on the rule. Valid values:

  • true
  • false
LastSuccessfulInvocationTimestamp Long 1624932227476

The timestamp when the last successful compliance evaluation of the rule started. Unit: milliseconds.

LastErrorMessage String Time out

The error message returned for the last failed compliance evaluation.

LastFailedEvaluationTimestamp Long 1614687022000

The timestamp when the last failed compliance evaluation of the rule ended. Unit: milliseconds.

LastFailedInvocationTimestamp Long 1614687022000

The timestamp when the last failed compliance evaluation of the rule started. Unit: milliseconds.

ConfigRuleId String cr-7f7d626622af0041****

The ID of the rule.

ModifiedTimestamp Long 1614687022000

The timestamp when the rule was last updated. Unit: milliseconds.

CreateTimestamp Long 1604684022000

The timestamp when the rule was created. Unit: milliseconds.

ResourceTypesScope String ACS::RAM::User

The type of resources evaluated by the rule.

RegionIdsScope String global

The ID of the region to which the rule applies.

ExcludeResourceIdsScope String 23642660635687****

The ID of the resource excluded from the compliance evaluations performed by the rule.

ResourceGroupIdsScope String rg-aekzdibsjjc****

The ID of the resource group to which the rule applies.

TagKeyScope String RAM

The tag key used to filter resources. The rule applies only to the resources with the specified tag key.

Note The TagKeyScope and TagValueScope parameters are returned at the same time.
TagValueScope String MFA

The tag value used to filter resources. The rule applies only to the resources with the specified tag value.

Note The TagKeyScope and TagValueScope parameters are returned at the same time.
ConfigRuleTriggerTypes String ConfigurationItemChangeNotification

The trigger type of the rule. Valid values:

  • ConfigurationItemChangeNotification: The rule is triggered by configuration changes.
  • ScheduledNotification: The rule is triggered as scheduled.

Examples

Sample requests

http(s)://[Endpoint]/?Action=GetConfigRule
&ConfigRuleId=cr-7f7d626622af0041****
&<Common request parameters>

Sample success responses

XML format

HTTP/1.1 200 OK
Content-Type:application/xml

<GetAggregateConfigRuleResponse>
    <RequestId>811234F4-C3AB-4D15-B90B-F55016D1B5AA</RequestId>
    <ConfigRule>
        <ManagedRule>
            <ManagedRuleName>ram-user-mfa-check</ManagedRuleName>
            <OptionalInputParameterDetails />
            <Description>If MFA is enabled for the RAM user, the configuration is considered compliant. </Description>
            <Identifier>ram-user-mfa-check</Identifier>
            <CompulsoryInputParameterDetails />
            <Labels>RAM</Labels>
            <Labels>User</Labels>
            <SourceDetails>
                <EventSource>aliyun.config</EventSource>
                <MessageType>ConfigurationItemChangeNotification</MessageType>
            </SourceDetails>
        </ManagedRule>
        <Description>If MFA is enabled for the RAM user, the configuration is considered compliant. </Description>
        <CreateBy>
            <CreatorId>100931896542****</CreatorId>
            <CreatorName>Alice</CreatorName>
        </CreateBy>
        <ConfigRuleEvaluationStatus>
            <LastSuccessfulEvaluationTimestamp>1624932227486</LastSuccessfulEvaluationTimestamp>
            <FirstActivatedTimestamp>1624932221993</FirstActivatedTimestamp>
            <FirstEvaluationStarted>true</FirstEvaluationStarted>
            <LastSuccessfulInvocationTimestamp>1624932227476</LastSuccessfulInvocationTimestamp>
        </ConfigRuleEvaluationStatus>
        <ConfigRuleState>ACTIVE</ConfigRuleState>
        <Source>
            <Owner>ALIYUN</Owner>
            <Identifier>ram-user-mfa-check</Identifier>
            <SourceConditions>
                <Operator>StringEquals</Operator>
                <DesiredValue>True</DesiredValue>
                <Required>true</Required>
            </SourceConditions>
            <SourceDetails>
                <EventSource>aliyun.config</EventSource>
                <MessageType>ConfigurationItemChangeNotification</MessageType>
            </SourceDetails>
        </Source>
        <ConfigRuleId>cr-7f7d626622af0041****</ConfigRuleId>
        <Scope>
            <ComplianceResourceTypes>ACS::RAM::User</ComplianceResourceTypes>
        </Scope>
        <ConfigRuleArn>acs:config::100931896542****:rule/cr-7f7d626622af0041****</ConfigRuleArn>
        <ConfigRuleTriggerTypes>ConfigurationItemChangeNotification</ConfigRuleTriggerTypes>
        <ConfigRuleName>ram-user-mfa-check</ConfigRuleName>
        <RiskLevel>1</RiskLevel>
        <ResourceTypesScope>ACS::RAM::User</ResourceTypesScope>
        <InputParameters>
            <tag1Key>RAM</tag1Key>
            <tag1Value>test</tag1Value>
        </InputParameters>
    </ConfigRule>
</GetAggregateConfigRuleResponse>

JSON format

HTTP/1.1 200 OK
Content-Type:application/json

{
  "RequestId" : "811234F4-C3AB-4D15-B90B-F55016D1B5AA",
  "ConfigRule" : {
    "ManagedRule" : {
      "ManagedRuleName" : "ram-user-mfa-check",
      "OptionalInputParameterDetails" : { },
      "Description" : "If MFA is enabled for the RAM user, the configuration is considered compliant.",
      "Identifier" : "ram-user-mfa-check",
      "CompulsoryInputParameterDetails" : { },
      "Labels" : [ "RAM", "User" ],
      "SourceDetails" : [ {
        "EventSource" : "aliyun.config",
        "MessageType" : "ConfigurationItemChangeNotification"
      } ]
    },
    "Description" : "If MFA is enabled for the RAM user, the configuration is considered compliant.",
    "CreateBy" : {
      "CreatorId" : "100931896542****",
      "CreatorName" : "Alice"
    },
    "ConfigRuleEvaluationStatus" : {
      "LastSuccessfulEvaluationTimestamp" : 1624932227486,
      "FirstActivatedTimestamp" : 1624932221993,
      "FirstEvaluationStarted" : true,
      "LastSuccessfulInvocationTimestamp" : 1624932227476
    },
    "ConfigRuleState" : "ACTIVE",
    "Source" : {
      "Owner" : "ALIYUN",
      "Identifier" : "ram-user-mfa-check",
      "SourceConditions" : [ {
        "Operator" : "StringEquals",
        "DesiredValue" : "True",
        "Required" : true
      } ],
      "SourceDetails" : [ {
        "EventSource" : "aliyun.config",
        "MessageType" : "ConfigurationItemChangeNotification"
      } ]
    },
    "ConfigRuleId" : "cr-7f7d626622af0041****",
    "Scope" : {
      "ComplianceResourceTypes" : [ "ACS::RAM::User" ]
    },
    "ConfigRuleArn" : "acs:config::100931896542****:rule/cr-7f7d626622af0041****",
    "ConfigRuleTriggerTypes" : "ConfigurationItemChangeNotification",
    "ConfigRuleName" : "ram-user-mfa-check",
    "RiskLevel" : 1,
    "ResourceTypesScope" : "ACS::RAM::User",
    "InputParameters" : {
      "tag1Key" : "RAM",
      "tag1Value" : "test"
    }
  }
}

Error codes

HTTP status code Error code Error message Description
400 ConfigRuleNotExists The ConfigRule does not exist. The error message returned because the specified rule does not exist.
400 NoPermission You are not authorized to perform this operation. The error message returned because you are not authorized to perform the specified operation.
404 AccountNotExisted Your account does not exist. The error message returned because your account does not exist.
503 ServiceUnavailable The request has failed due to a temporary failure of the server. The error message returned because the service is unavailable.

For a list of error codes, visit the API Error Center.