All Products
Search
Document Center

Cloud Config:GetAggregateConfigRule

Last Updated:Jan 17, 2025

Queries the details of a rule in an account group.

Operation description

This example shows how to query the details of the cr-7f7d626622af0041**** rule in the ca-7f00626622af0041**** account group.

Debugging

You can run this interface directly in OpenAPI Explorer, saving you the trouble of calculating signatures. After running successfully, OpenAPI Explorer can automatically generate SDK code samples.

Authorization information

The following table shows the authorization information corresponding to the API. The authorization information can be used in the Action policy element to grant a RAM user or RAM role the permissions to call this API operation. Description:

  • Operation: the value that you can use in the Action element to specify the operation on a resource.
  • Access level: the access level of each operation. The levels are read, write, and list.
  • Resource type: the type of the resource on which you can authorize the RAM user or the RAM role to perform the operation. Take note of the following items:
    • For mandatory resource types, indicate with a prefix of * .
    • If the permissions cannot be granted at the resource level, All Resources is used in the Resource type column of the operation.
  • Condition Key: the condition key that is defined by the cloud service.
  • Associated operation: other operations that the RAM user or the RAM role must have permissions to perform to complete the operation. To complete the operation, the RAM user or the RAM role must have the permissions to perform the associated operations.
OperationAccess levelResource typeCondition keyAssociated operation
config:GetAggregateConfigRuleget
*All Resources
*
    none
none

Request parameters

ParameterTypeRequiredDescriptionExample
ConfigRuleIdstringYes

The ID of the rule.

You can call the ListAggregateConfigRules operation to obtain the rule ID.

cr-7f7d626622af0041****
AggregatorIdstringYes

The ID of the account group.

For more information about how to obtain the ID of an account group, see ListAggregators .

ca-7f00626622af0041****
Tagarray<object>No

The tags of the resource.

You can add up to 20 tags to a resource.

objectNo

The tags.

KeystringNo

The tag key of the resource. You can specify up to 20 tag keys.

The tag key cannot be an empty string. The tag key must be 1 to 64 characters in length and cannot start with aliyun or acs:. The tag key cannot contain http:// or https://.

key-1
ValuestringNo

The tag values.

The tag values can be an empty string or up to 128 characters in length. The tag values cannot start with aliyun or acs: and cannot contain http:// or https://.

Each key-value must be unique. You can specify at most 20 tag values in each call.

value-1

For more information about common request parameters, see Common parameters.

Response parameters

ParameterTypeDescriptionExample
object

This operation does not return any operation-specific parameters.

RequestIdstring

The ID of the request.

811234F4-C3AB-4D15-B90B-F55016D1B5AA
ConfigRuleobject

The rules.

RiskLevelinteger

The risk level of the resources that are not compliant with the rule. Valid values:

  • 1: high risk level
  • 2: medium risk level
  • 3: low risk level
1
InputParametersobject

The input parameters of the rule.

{"tag1Key":"ECS","tag1Value":"test"}
Sourceobject

The information about how the rule was created.

SourceDetailsarray<object>

The details of the source of the rule.

SourceDetailsobject
MessageTypestring

The trigger type of the rule. Valid values:

  • ConfigurationItemChangeNotification: The managed rule is triggered by configuration changes.
  • ScheduledNotification: The managed rule is periodically triggered.
ConfigurationItemChangeNotification
EventSourcestring

The event source of the managed rule.

Note Only events related to Cloud Config are supported. The value is fixed to aliyun.config.
aliyun.config
MaximumExecutionFrequencystring

The intervals at which the managed rule is triggered. Valid values:

  • One_Hour: 1 hour.
  • Three_Hours: 3 hours.
  • Six_Hours: 6 hours.
  • Twelve_Hours: 12 hours
  • TwentyFour_Hours: 24 hours
One_Hour
Ownerstring

The way in which the rule was created. Valid values:

  • CUSTOM_FC: The rule is a custom rule.
  • ALIYUN: The rule was created based on a managed rule of Alibaba Cloud.
ALIYUN
Identifierstring

The identifier of the rule.

  • If the rule was created based on a managed rule, the value of this parameter is the name of the managed rule.
  • If the rule is a custom rule, the value of this parameter is the Alibaba Cloud Resource Name (ARN) of the relevant function in Function Compute.
acs:fc:cn-hangzhou:100931896542****:services/ConfigService.LATEST/functions/specific-config
ConfigRuleStatestring

The status of the rule. Valid values:

  • ACTIVE: The rule is being used to monitor resource configurations.
  • DELETING: The rule is being deleted.
  • EVALUATING: The rule is triggered and is being used to monitor resource configurations.
  • INACTIVE: The rule is disabled and is no longer used to monitor resource configurations.
ACTIVE
MaximumExecutionFrequencystring

The intervals at which the managed rule is triggered. Valid values:

  • One_Hour: 1 hour.
  • Three_Hours: 3 hours.
  • Six_Hours: 6 hours.
  • Twelve_Hours: 12 hours
  • TwentyFour_Hours: 24 hours
One_Hour
ManagedRuleobject

The details of the managed rule.

SourceDetailsarray<object>

The details of the source of the managed rule.

SourceDetailsobject
MessageTypestring

The trigger type of the rule. Valid values:

  • ConfigurationItemChangeNotification: The managed rule is triggered by configuration changes.
  • ScheduledNotification: The managed rule is periodically triggered.
ConfigurationItemChangeNotification
EventSourcestring

The event source of the managed rule.

Note Only events related to Cloud Config are supported. The value is fixed to aliyun.config.
aliyun.config
MaximumExecutionFrequencystring

The intervals at which the managed rule is triggered. Valid values:

  • One_Hour: 1 hour.
  • Three_Hours: 3 hours.
  • Six_Hours: 6 hours.
  • Twelve_Hours: 12 hours
  • TwentyFour_Hours: 24 hours
One_Hour
Descriptionstring

The description of the managed rule.

The description of the managed rule.
Labelsarray

The tags of the managed rule.

Labelsstring

The tag of the managed rule.

["RAM","USer"]
Identifierstring

The identifier of the managed rule.

ram-user-mfa-check
OptionalInputParameterDetailsobject

The optional input parameters of the managed rule.

{}
ManagedRuleNamestring

The name of the managed rule.

ram-user-mfa-check
CompulsoryInputParameterDetailsobject

The required input parameters of the managed rule.

{}
ConfigRuleArnstring

The ARN of the managed rule.

acs:config::100931896542****:rule/cr-7f7d626622af0041****
Descriptionstring

The description of the managed rule.

The description of the managed rule.
CreateByobject

The information about the creation of the rule.

CompliancePackIdstring

The ID of the compliance package.

cp-541e626622af008****
AggregatorNamestring

The name of the account group.

Test_Group
CompliancePackNamestring

The name of the compliance package.

The name of the compliance package.
CreatorNamestring

The name of the account that was used to create the rule.

Alice
CreatorTypestring

The type of the entity to which the rule belongs. The value is fixed to AGGREGATOR, which indicates an account group.

AGGREGATOR
CreatorIdstring

The ID of the account that was used to create the rule.

100931896542****
AggregatorIdstring

The ID of the account group.

ca-04b3fd170e340007****
ConfigRuleNamestring

The name of the monitoring rule.

The name of the rule.
ConfigRuleEvaluationStatusobject

The information about compliance evaluations performed by the rule.

LastErrorCodestring

The error code returned for the last failed compliance evaluation.

TimeOut
LastSuccessfulEvaluationTimestamplong

The timestamp when the last successful compliance evaluation of the rule ended. Unit: milliseconds.

1624932227486
FirstActivatedTimestamplong

The timestamp when the rule was first triggered.

1624932221993
FirstEvaluationStartedboolean

Indicates whether resources were evaluated based on the rule. Valid values:

  • true: Resources were evaluated based on the rule.
  • false: Resources were not evaluated based on the rule.
true
LastSuccessfulInvocationTimestamplong

The timestamp when the last successful compliance evaluation of the rule started. Unit: milliseconds.

1624932227476
LastErrorMessagestring

The error message returned for the last failed compliance evaluation.

time out
LastFailedEvaluationTimestamplong

The timestamp when the last failed compliance evaluation of the rule ended. Unit: milliseconds.

1614687022000
LastFailedInvocationTimestamplong

The timestamp when the last failed compliance evaluation of the rule started. Unit: milliseconds.

1614687022000
ConfigRuleIdstring

The ID of the rule.

cr-7f7d626622af0041****
ModifiedTimestamplong

The timestamp when the rule was last updated. Unit: milliseconds.

1614687022000
CreateTimestamplong

The timestamp when the rule was created. Unit: milliseconds.

1604684022000
ResourceTypesScopestring

The type of the resource evaluated by the rule.

ACS::RAM::User
ExcludeRegionIdsScopestring

The IDs of the regions excluded from the compliance evaluations performed by the rule. Separate multiple region IDs with commas (,).

cn-hangzhou
RegionIdsScopestring

The ID of the region to which the rule applies.

global
ExcludeResourceIdsScopestring

The ID of the resource excluded from the compliance evaluations performed by the rule.

23642660635687****
ResourceIdsScopestring

The IDs of the resources to which the rule applies. Separate multiple resource IDs with commas (,).

eip-8vbf3x310fn56ijfd****
ResourceGroupIdsScopestring

The ID of the resource group to which the rule applies.

rg-aekzdibsjjc****
ExcludeResourceGroupIdsScopestring

The IDs of the resource groups excluded from the compliance evaluations performed by the rule. Separate multiple resource group IDs with commas (,).

rg-aekzdibsjjc****
TagKeyScopestring

The tag key used to filter resources. The rule applies only to the resources with the specified tag key.

RAM
TagValueScopestring

The tag value used to filter resources. The rule applies only to the resources with the specified tag value.

MFA
TagsScopearray<object>

The tag scope.

TagsScopeobject
TagKeystring

The key of the tag.

key-1
TagValuestring

The value of the tag.

value-1
ExcludeTagsScopearray<object>

The scope of the tag that is excluded.

ExcludeTagsScopeobject
TagKeystring

The key of the tag.

key-2
TagValuestring

The value of the tag.

value-2
ConfigRuleTriggerTypesstring

The trigger type of the rule. Valid values:

  • ConfigurationItemChangeNotification: The managed rule is triggered by configuration changes.
  • ScheduledNotification: The managed rule is periodically triggered.
ConfigurationItemChangeNotification
TagKeyLogicScopestring

The logical relationship among the tag keys if you specify multiple tag keys by using the TagKeyScope parameter. For example, if the TagKeyScope parameter is set to ECS,OSS and the TagKeyLogicScope parameter is set to AND, the rule applies to resources with both the ECS and OSS tag keys. Valid values:

  • AND: the logical relationship of AND
  • OR: the logical relationship of OR
AND
FolderIdsScopestring

The ID of the resource directory to which the rule applies, which means that the resources within member accounts in the resource directory are evaluated based on the rule.

Note
  • This parameter applies only to rules of a global account group.
  • This parameter applies only to managed rules.
fd-ZtHsRH****
ExcludeFolderIdsScopestring

The ID of the resource directory to which the rule does not apply, which means that the resources within member accounts in the resource directory are not evaluated based on the rule.

Note
  • This parameter applies only to a rule of a global account group.
  • This parameter applies only to a managed rule.
fd-pWmkqZ****
ExcludeAccountIdsScopestring

The ID of the member account to which the rule does not apply, which means that the resources within the member account are not evaluated based on the rule.

Note This parameter applies only to a managed rule.
120886317861****
AccountIdsScopestring

The IDs of the members to which the rule applies. Separate multiple member IDs with commas (,).

120886317861****
Complianceobject

The details of compliance evaluation results.

ComplianceTypestring

The statistics on the compliance evaluation results by compliance type. Valid values:

  • COMPLIANT: The resources are evaluated as compliant.
  • NON_COMPLIANT: The resources are evaluated as non-compliant.
  • NOT_APPLICABLE: The rule does not apply to your resources.
  • INSUFFICIENT_DATA: No resource data is available.
NON_COMPLIANT
Countinteger

The number of evaluated resources.

3
AccountIdlong

The ID of the Alibaba Cloud account to which the rule belongs.

120886317861****
ExtendContentstring

The extended content, which is temporarily only used to configure the trigger time with a 24-hour cycle trigger.

{"fixedHour":"12"}
Tagsarray<object>

The list of tags.

tagsobject

tags

TagKeystring

The tag key.

key-1
TagValuestring

The tag value.

value-1

Examples

Sample success responses

JSONformat

{
  "RequestId": "811234F4-C3AB-4D15-B90B-F55016D1B5AA",
  "ConfigRule": {
    "RiskLevel": 1,
    "InputParameters": {
      "tag1Key": "ECS",
      "tag1Value": "test"
    },
    "Source": {
      "SourceDetails": [
        {
          "MessageType": "ConfigurationItemChangeNotification",
          "EventSource": "aliyun.config",
          "MaximumExecutionFrequency": "One_Hour"
        }
      ],
      "Owner": "ALIYUN",
      "Identifier": "acs:fc:cn-hangzhou:100931896542****:services/ConfigService.LATEST/functions/specific-config"
    },
    "ConfigRuleState": "ACTIVE",
    "MaximumExecutionFrequency": "One_Hour",
    "ManagedRule": {
      "SourceDetails": [
        {
          "MessageType": "ConfigurationItemChangeNotification",
          "EventSource": "aliyun.config",
          "MaximumExecutionFrequency": "One_Hour"
        }
      ],
      "Description": "The description of the managed rule.\n\n",
      "Labels": [
        "[\"RAM\",\"USer\"]"
      ],
      "Identifier": "ram-user-mfa-check",
      "OptionalInputParameterDetails": {},
      "ManagedRuleName": "ram-user-mfa-check\n",
      "CompulsoryInputParameterDetails": {}
    },
    "ConfigRuleArn": "acs:config::100931896542****:rule/cr-7f7d626622af0041****",
    "Description": "The description of the managed rule.\n\n",
    "CreateBy": {
      "CompliancePackId": "cp-541e626622af008****",
      "AggregatorName": "Test_Group",
      "CompliancePackName": "The name of the compliance package.\n\n",
      "CreatorName": "Alice",
      "CreatorType": "AGGREGATOR",
      "CreatorId": "100931896542****",
      "AggregatorId": "ca-04b3fd170e340007****"
    },
    "ConfigRuleName": "The name of the rule.\n\n",
    "ConfigRuleEvaluationStatus": {
      "LastErrorCode": "TimeOut",
      "LastSuccessfulEvaluationTimestamp": 1624932227486,
      "FirstActivatedTimestamp": 1624932221993,
      "FirstEvaluationStarted": true,
      "LastSuccessfulInvocationTimestamp": 1624932227476,
      "LastErrorMessage": "time out",
      "LastFailedEvaluationTimestamp": 1614687022000,
      "LastFailedInvocationTimestamp": 1614687022000
    },
    "ConfigRuleId": "cr-7f7d626622af0041****",
    "ModifiedTimestamp": 1614687022000,
    "CreateTimestamp": 1604684022000,
    "ResourceTypesScope": "ACS::RAM::User",
    "ExcludeRegionIdsScope": "cn-hangzhou",
    "RegionIdsScope": "global",
    "ExcludeResourceIdsScope": "23642660635687****",
    "ResourceIdsScope": "eip-8vbf3x310fn56ijfd****\n",
    "ResourceGroupIdsScope": "rg-aekzdibsjjc****",
    "ExcludeResourceGroupIdsScope": "rg-aekzdibsjjc****",
    "TagKeyScope": "RAM",
    "TagValueScope": "MFA",
    "TagsScope": [
      {
        "TagKey": "key-1",
        "TagValue": "value-1"
      }
    ],
    "ExcludeTagsScope": [
      {
        "TagKey": "key-2",
        "TagValue": "value-2"
      }
    ],
    "ConfigRuleTriggerTypes": "ConfigurationItemChangeNotification",
    "TagKeyLogicScope": "AND",
    "FolderIdsScope": "fd-ZtHsRH****",
    "ExcludeFolderIdsScope": "fd-pWmkqZ****",
    "ExcludeAccountIdsScope": "120886317861****",
    "AccountIdsScope": "120886317861****\n",
    "Compliance": {
      "ComplianceType": "NON_COMPLIANT",
      "Count": 3
    },
    "AccountId": 0,
    "ExtendContent": "{\"fixedHour\":\"12\"}",
    "Tags": [
      {
        "TagKey": "key-1",
        "TagValue": "value-1"
      }
    ]
  }
}

Error codes

HTTP status codeError codeError messageDescription
400ConfigRuleNotExistsThe ConfigRule does not exist.The rule does not exist.
400NoPermissionYou are not authorized to perform this operation.You are not authorized to perform this operation.
400Invalid.AggregatorId.ValueThe specified AggregatorId is invalid.The specified aggregator ID does not exist or you are not authorized to use the aggregator.
404AccountNotExistedYour account does not exist.-
503ServiceUnavailableThe request has failed due to a temporary failure of the server.The request has failed due to a temporary failure of the server.

For a list of error codes, visit the Service error codes.

Change history

Change timeSummary of changesOperation
No change history