All Products
Search
Document Center

Cloud Config:ListAggregateConfigRuleEvaluationResults

Last Updated:Jun 17, 2024

Queries the compliance evaluation results of resources based on a rule in an account group.

Operation description

This topic provides an example on how to query the compliance evaluation results of resources based on the cr-888f626622af00ae**** rule in the ca-d1e3326622af00cb**** account group. The returned result indicates that the Bucket-test resource is evaluated as NON_COMPLIANT by using the rule. The resource is an Object Storage Service (OSS) bucket.

Debugging

OpenAPI Explorer automatically calculates the signature value. For your convenience, we recommend that you call this operation in OpenAPI Explorer.

Authorization information

The following table shows the authorization information corresponding to the API. The authorization information can be used in the Action policy element to grant a RAM user or RAM role the permissions to call this API operation. Description:

  • Operation: the value that you can use in the Action element to specify the operation on a resource.
  • Access level: the access level of each operation. The levels are read, write, and list.
  • Resource type: the type of the resource on which you can authorize the RAM user or the RAM role to perform the operation. Take note of the following items:
    • The required resource types are displayed in bold characters.
    • If the permissions cannot be granted at the resource level, All Resources is used in the Resource type column of the operation.
  • Condition Key: the condition key that is defined by the cloud service.
  • Associated operation: other operations that the RAM user or the RAM role must have permissions to perform to complete the operation. To complete the operation, the RAM user or the RAM role must have the permissions to perform the associated operations.
OperationAccess levelResource typeCondition keyAssociated operation
config:ListAggregateConfigRuleEvaluationResultsList
  • All Resources
    *
    none
none

Request parameters

ParameterTypeRequiredDescriptionExample
ComplianceTypestringNo

The compliance evaluation result of the resource. Valid values:

  • COMPLIANT: The resource is evaluated as compliant.
  • NON_COMPLIANT: The resource is evaluated as non-compliant.
  • NOT_APPLICABLE: The rule does not apply to your resource.
  • INSUFFICIENT_DATA: No data is available.
  • IGNORED: The resource is ignored during compliance evaluation.
NON_COMPLIANT
NextTokenstringNo

The pagination token that is used in the next request to retrieve a new page of results. You do not need to specify this parameter for the first request. You must specify the token that is obtained from the previous query as the value of NextToken.

IWBjqMYSy0is7zSMGu16****
MaxResultsintegerNo

The maximum number of entries to return in a request. Valid values: 1 to 100.

10
ConfigRuleIdstringNo

The rule ID.

For more information about how to query the ID of a rule, see ListAggregateConfigRules .

cr-888f626622af00ae****
AggregatorIdstringYes

The ID of the account group.

For more information about how to obtain the ID of an account group, see ListAggregators .

ca-b1e6626622af00cb****
CompliancePackIdstringNo

The ID of the compliance package.

For more information about how to obtain the ID of a compliance package, see ListAggregateCompliancePacks .

cp-f1e3326622af00cb****
RegionsstringNo

The ID of the region whose resources you want to evaluate. Separate multiple region IDs with commas (,).

cn-shanghai
ResourceTypesstringNo

The type of the resources that you want to evaluate. Separate multiple resource types with commas (,).

ACS::ECS::Instance
ResourceGroupIdsstringNo

The ID of the resource group whose resources you want to evaluate. Separate multiple resource group IDs with commas (,).

rg-aek2cqyzvuj****
ResourceAccountIdlongNo

Member accountId to which the resource to be queried belongs.

100931896542****

For more information about common request parameters, see Common parameters.

Response parameters

ParameterTypeDescriptionExample
object
RequestIdstring

The request ID.

A6662516-D056-4325-B6A7-CD3E89C97C39
EvaluationResultsobject

The information about the compliance evaluation results returned.

NextTokenstring

A pagination token. It can be used in the next request to retrieve a new page of results.

IWBjqMYSy0is7zSMGu16****
MaxResultsinteger

The maximum number of entries returned on each page.

10
EvaluationResultListobject []

The details of the compliance evaluation result.

RiskLevelinteger

The risk level of the resources that do not comply with the rule. Valid values:

  • 1: high
  • 2: medium.
  • 3: low.
1
ComplianceTypestring

The compliance evaluation result of the resource. Valid values:

  • COMPLIANT: The resource is evaluated as compliant.
  • NON_COMPLIANT: The resource is evaluated as non-compliant.
  • NOT_APPLICABLE: The rule does not apply to your resource.
  • INSUFFICIENT_DATA: No data is available.
  • IGNORED: The resource is ignored during compliance evaluation.
NON_COMPLIANT
ResultRecordedTimestamplong

The timestamp when the compliance evaluation result was recorded. The value of this parameter is a UNIX timestamp in milliseconds.

1624869013065
Annotationstring

The annotation to the resource that is evaluated as non-compliant. The following parameters may be returned:

  • configuration: the current resource configuration that is evaluated as incompliant by using the rule.
  • desiredValue: the expected resource configuration that is evaluated as compliant.
  • operator: the operator that compares the current configuration with the expected configuration of the resource.
  • property: the JSON path of the current configuration in the resource property struct.
  • reason: the reason why the resource is evaluated as non-compliant.
{\"configuration\":\"LRS\",\"desiredValue\":\"ZRS\",\"operator\":\"StringEquals\",\"property\":\"$.DataRedundancyType\"}
ConfigRuleInvokedTimestamplong

The timestamp when the rule was triggered for the compliance evaluation. Unit: milliseconds.

1624869012713
InvokingEventMessageTypestring

The trigger type of the rule. Valid values:

  • ConfigurationItemChangeNotification: The rule is triggered by configuration changes.
  • ScheduledNotification: The rule is periodically triggered.
ScheduledNotification
EvaluationResultIdentifierobject

The identifying information about the compliance evaluation result.

OrderingTimestamplong

The timestamp when the compliance evaluation was performed. Unit: milliseconds.

Note This timestamp indicates the time when the rule was triggered. You can obtain the timestamp from the ConfigRuleInvokedTimestamp parameter.
1624869012713
EvaluationResultQualifierobject

The information about the evaluated resource in the compliance evaluation result.

ResourceOwnerIdlong

The ID of the Alibaba Cloud account to which the resource belongs.

173808452267****
ConfigRuleArnstring

The ARN of the rule.

acs:config::100931896542****:rule/cr-888f626622af00ae****
ResourceTypestring

The type of the resource.

ACS::OSS::Bucket
ConfigRuleNamestring

The rule name.

test-rule-name
ResourceIdstring

The resource ID.

Bucket-test
ConfigRuleIdstring

The rule ID.

cr-888f626622af00ae****
ResourceNamestring

The resource name.

Bucket-test
RegionIdstring

The ID of the region in which your resources reside.

cn-hangzhou
CompliancePackIdstring

The ID of the compliance package to which the rule belongs.

cr-7263fd26622af00bc****
IgnoreDatestring

The date on which the system automatically re-evaluates the ignored incompliant resources.

Note If the value of this parameter is left empty, the system does not automatically re-evaluate the ignored incompliant resources. You must manually re-evaluate the ignored incompliant resources.
2022-06-01
RemediationEnabledboolean

Indicates whether the remediation template is enabled. Valid values:

  • true
  • false
false

Examples

Sample success responses

JSONformat

{
  "RequestId": "A6662516-D056-4325-B6A7-CD3E89C97C39",
  "EvaluationResults": {
    "NextToken": "IWBjqMYSy0is7zSMGu16****",
    "MaxResults": 10,
    "EvaluationResultList": [
      {
        "RiskLevel": 1,
        "ComplianceType": "NON_COMPLIANT",
        "ResultRecordedTimestamp": 1624869013065,
        "Annotation": "{\\\"configuration\\\":\\\"LRS\\\",\\\"desiredValue\\\":\\\"ZRS\\\",\\\"operator\\\":\\\"StringEquals\\\",\\\"property\\\":\\\"$.DataRedundancyType\\\"}",
        "ConfigRuleInvokedTimestamp": 1624869012713,
        "InvokingEventMessageType": "ScheduledNotification",
        "EvaluationResultIdentifier": {
          "OrderingTimestamp": 1624869012713,
          "EvaluationResultQualifier": {
            "ResourceOwnerId": 0,
            "ConfigRuleArn": "acs:config::100931896542****:rule/cr-888f626622af00ae****",
            "ResourceType": "ACS::OSS::Bucket",
            "ConfigRuleName": "test-rule-name",
            "ResourceId": "Bucket-test",
            "ConfigRuleId": "cr-888f626622af00ae****",
            "ResourceName": "Bucket-test",
            "RegionId": "cn-hangzhou",
            "CompliancePackId": "cr-7263fd26622af00bc****",
            "IgnoreDate": "2022-06-01"
          }
        },
        "RemediationEnabled": false
      }
    ]
  }
}

Error codes

HTTP status codeError codeError messageDescription
400NoPermissionYou are not authorized to perform this operation.You are not authorized to perform this operation.
400Invalid.AggregatorId.ValueThe specified AggregatorId is invalid.The specified aggregator ID does not exist or you are not authorized to use the aggregator.
400Invalid.CompliancePackId.ValueThe specified CompliancePackId does not exist.The specified compliance pack ID does not exist.
404CloudConfigServiceRoleNotExistedThe CloudConfigServiceRole does not exist.The CloudConfig service role does not exist.
404AccountNotExistedYour account does not exist.The specified account does not exist.
503ServiceUnavailableThe request has failed due to a temporary failure of the server.The request has failed due to a temporary failure of the server.

For a list of error codes, visit the Service error codes.

Change history

Change timeSummary of changesOperation
2023-04-12The Error code has changed. The request parameters of the API has changedsee changesets
Change itemChange content
Error CodesThe Error code has changed.
    delete Error Codes: 400
    delete Error Codes: 404
    delete Error Codes: 503
Input ParametersThe request parameters of the API has changed.
    Added Input Parameters: ResourceAccountId