Queries the details of a rule in an account group.

The sample request in this topic shows you how to query the details of the cr-7f7d626622af0041**** rule in the ca-7f00626622af0041**** account group.

Debugging

OpenAPI Explorer automatically calculates the signature value. For your convenience, we recommend that you call this operation in OpenAPI Explorer. OpenAPI Explorer dynamically generates the sample code of the operation for different SDKs.

Request parameters

Parameter Type Required Example Description
Action String Yes GetAggregateConfigRule

The operation that you want to perform. Set the value to GetAggregateConfigRule.

ConfigRuleId String Yes cr-7f7d626622af0041****

The ID of the rule.

For more information about how to query the ID of a rule, see ListAggregateConfigRules.

AggregatorId String Yes ca-7f00626622af0041****

The ID of the account group.

For more information about how to query the ID of an account group, see ListAggregators.

For more information about common request parameters, see Common parameters.

Response parameters

Parameter Type Example Description
RequestId String 811234F4-C3AB-4D15-B90B-F55016D1B5AA

The ID of the request.

ConfigRule Object

The details of the rule.

RiskLevel Integer 1

The risk level of the resources that are not compliant with the rule. Valid values:

  • 1: high risk level
  • 2: medium risk level
  • 3: low risk level

InputParameters Map

The input parameters of the rule.

Source Object

The information about how the rule was created.

SourceDetails Array of SourceDetails

The details of the source of the rule.

MessageType String ConfigurationItemChangeNotification

The trigger type of the rule. Valid values:

  • ConfigurationItemChangeNotification: The rule is triggered by configuration changes.
  • ScheduledNotification: The rule is periodically triggered.

EventSource String aliyun.config

The event source of the rule.

Note: Only events related to Cloud Config are supported. The value is fixed to aliyun.config.

MaximumExecutionFrequency String One_Hour

The intervals at which the rule is triggered. Valid values:

  • One_Hour: 1 hour
  • Three_Hours: 3 hours
  • Six_Hours: 6 hours
  • Twelve_Hours: 12 hours
  • TwentyFour_Hours: 24 hours

Owner String ALIYUN

The way in which the rule was created. Valid values:

  • CUSTOM_FC: The rule is a custom rule.
  • ALIYUN: The rule was created based on a managed rule of Alibaba Cloud.

Identifier String acs:fc:cn-hangzhou:100931896542****:services/ConfigService.LATEST/functions/specific-config

The identifier of the rule.

  • If the rule was created based on a managed rule, the value of this parameter is the name of the managed rule.
  • If the rule is a custom rule, the value of this parameter is the Alibaba Cloud Resource Name (ARN) of the relevant function in Function Compute.

ConfigRuleState String ACTIVE

The status of the rule. Valid values:

  • ACTIVE: The rule is being used to monitor resource configurations.
  • DELETING: The rule is being deleted.
  • EVALUATING: The rule is triggered and is being used to monitor resource configurations.
  • INACTIVE: The rule is disabled and is no longer used to monitor resource configurations.

MaximumExecutionFrequency String One_Hour

The intervals at which the rule is triggered. Valid values:

  • One_Hour: 1 hour
  • Three_Hours: 3 hours
  • Six_Hours: 6 hours
  • Twelve_Hours: 12 hours
  • TwentyFour_Hours: 24 hours

ManagedRule Object

The details of the managed rule.

SourceDetails Array of SourceDetails

The details of the source of the managed rule.

MessageType String ConfigurationItemChangeNotification

The trigger type of the managed rule. Valid values:

  • ConfigurationItemChangeNotification: The managed rule is triggered by configuration changes.
  • ScheduledNotification: The managed rule is periodically triggered.

EventSource String aliyun.config

The event source of the managed rule.

Note: Only events related to Cloud Config are supported. The value is fixed to aliyun.config.

MaximumExecutionFrequency String One_Hour

The intervals at which the managed rule is triggered. Valid values:

  • One_Hour: 1 hour
  • Three_Hours: 3 hours
  • Six_Hours: 6 hours
  • Twelve_Hours: 12 hours
  • TwentyFour_Hours: 24 hours

Description String If no ECS disk is locked due to some issues, the configuration is considered compliant. These issues include overdue payments and security risks.

The description of the managed rule.

Labels Array of String ["RAM","USer"]

The tags of the managed rule.

Identifier String ram-user-mfa-check

The identifier of the managed rule.

OptionalInputParameterDetails Map

The optional input parameters of the managed rule.

ManagedRuleName String ram-user-mfa-check

The name of the managed rule.

CompulsoryInputParameterDetails Map

The required input parameters of the managed rule.

ConfigRuleArn String acs:config::100931896542****:rule/cr-7f7d626622af0041****

The ARN of the managed rule.

Description String If MFA is enabled for the RAM user, the configuration is considered compliant.

The description of the managed rule.

CreateBy Object

The information about the creation of the rule.

CompliancePackId String cp-541e626622af008****

The ID of the compliance package.

AggregatorName String Test_Group

The name of the account group.

CompliancePackName String BestPracticesForOSS

The name of the compliance package.

CreatorName String Alice

The name of the account that was used to create the rule.

CreatorType String AGGREGATOR

The type of the entity to which the rule belongs. The value is fixed to AGGREGATOR, which indicates an account group.

CreatorId String 100931896542****

The ID of the account that was used to create the rule.

AggregatorId String ca-04b3fd170e340007****

The ID of the account group.

ConfigRuleName String ram-user-mfa-check

The name of the rule.

ConfigRuleEvaluationStatus Object

The information about compliance evaluations performed by the rule.

LastErrorCode String TimeOut

The error code returned for the last failed compliance evaluation.

LastSuccessfulEvaluationTimestamp Long 1624932227486

The timestamp when the last successful compliance evaluation of the rule ended. Unit: milliseconds.

FirstActivatedTimestamp Long 1624932221993

The timestamp when the rule was first triggered.

FirstEvaluationStarted Boolean true

Indicates whether resources were evaluated based on the rule. Valid values:

  • true: Resources were evaluated based on the rule.
  • false: Resources were not evaluated based on the rule.

LastSuccessfulInvocationTimestamp Long 1624932227476

The timestamp when the last successful compliance evaluation of the rule started. Unit: milliseconds.

LastErrorMessage String time out

The error message returned for the last failed compliance evaluation.

LastFailedEvaluationTimestamp Long 1614687022000

The timestamp when the last failed compliance evaluation of the rule ended. Unit: milliseconds.

LastFailedInvocationTimestamp Long 1614687022000

The timestamp when the last failed compliance evaluation of the rule started. Unit: milliseconds.

ConfigRuleId String cr-7f7d626622af0041****

The ID of the rule.

ModifiedTimestamp Long 1614687022000

The timestamp when the rule was last updated. Unit: milliseconds.

CreateTimestamp Long 1604684022000

The timestamp when the rule was created. Unit: milliseconds.

ResourceTypesScope String ACS::RAM::User

The type of the resource evaluated by the rule.

RegionIdsScope String global

The ID of the region to which the rule applies.

ExcludeResourceIdsScope String 23642660635687****

The ID of the resource excluded from the compliance evaluations performed by the rule.

ResourceGroupIdsScope String rg-aekzdibsjjc****

The ID of the resource group to which the rule applies.

TagKeyScope String RAM

The tag key used to filter resources. The rule applies only to the resources with the specified tag key.

TagValueScope String MFA

The tag value used to filter resources. The rule applies only to the resources with the specified tag value.

ConfigRuleTriggerTypes String ConfigurationItemChangeNotification

The trigger type of the rule. Valid values:

  • ConfigurationItemChangeNotification: The rule is triggered by configuration changes.
  • ScheduledNotification: The rule is periodically triggered.

TagKeyLogicScope String AND

The logical relationship among the tag keys if you specify multiple tag keys by using the TagKeyScope parameter. For example, if the TagKeyScope parameter is set to ECS,OSS and the TagKeyLogicScope parameter is set to AND, the rule applies to resources with both the ECS and OSS tag keys. Valid values:

  • AND: the logical relationship of AND
  • OR: the logical relationship of OR

FolderIdsScope String fd-ZtHsRH****

The ID of the resource directory to which the rule applies, which means that the resources within member accounts in the resource directory are evaluated based on the rule.

Note:
  • This parameter applies only to a rule of a global account group.
  • This parameter applies only to a managed rule.

ExcludeFolderIdsScope String fd-pWmkqZ****

The ID of the resource directory to which the rule does not apply, which means that the resources within member accounts in the resource directory are not evaluated based on the rule.

Note:
  • This parameter applies only to a rule of a global account group.
  • This parameter applies only to a managed rule.

ExcludeAccountIdsScope String 120886317861****

The ID of the member account to which the rule does not apply, which means that the resources within the member account are not evaluated based on the rule.

Note: This parameter applies only to a managed rule.

Examples

Sample requests

http(s)://[Endpoint]/?Action=GetAggregateConfigRule
&ConfigRuleId=cr-7f7d626622af0041****
&AggregatorId=ca-7f00626622af0041****
&<Common request parameters>

Sample success responses

XML format

HTTP/1.1 200 OK
Content-Type:application/xml

<GetAggregateConfigRuleResponse>
	<RequestId>811234F4-C3AB-4D15-B90B-F55016D1B5AA</RequestId>
	<ConfigRule>
		<ManagedRule>
			<ManagedRuleName>ram-user-mfa-check</ManagedRuleName>
			<OptionalInputParameterDetails />
			<Description>If MFA is enabled for the RAM user, the configuration is considered compliant. </Description>
			<Identifier>ram-user-mfa-check</Identifier>
			<CompulsoryInputParameterDetails />
			<Labels>RAM</Labels>
			<Labels>USer</Labels>
			<SourceDetails>
				<EventSource>aliyun.config</EventSource>
				<MessageType>ConfigurationItemChangeNotification</MessageType>
			</SourceDetails>
		</ManagedRule>
		<Description>If MFA is enabled for the RAM user, the configuration is considered compliant. </Description>
		<CreateBy>
			<CreatorId>100931896542****</CreatorId>
			<CreatorType>AGGREGATOR</CreatorType>
			<CreatorName>Alice</CreatorName>
			<AggregatorName>Test_Group</AggregatorName>
			<AggregatorId>ca-04b3fd170e340007****</AggregatorId>
		</CreateBy>
		<ConfigRuleEvaluationStatus>
			<LastSuccessfulEvaluationTimestamp>1624932227486</LastSuccessfulEvaluationTimestamp>
			<FirstActivatedTimestamp>1624932221993</FirstActivatedTimestamp>
			<FirstEvaluationStarted>true</FirstEvaluationStarted>
			<LastSuccessfulInvocationTimestamp>1624932227476</LastSuccessfulInvocationTimestamp>
		</ConfigRuleEvaluationStatus>
		<ConfigRuleState>ACTIVE</ConfigRuleState>
		<Source>
			<Owner>ALIYUN</Owner>
			<Identifier>ram-user-mfa-check</Identifier>
			<SourceDetails>
				<EventSource>aliyun.config</EventSource>
				<MessageType>ConfigurationItemChangeNotification</MessageType>
			</SourceDetails>
		</Source>
		<ConfigRuleId>cr-7f7d626622af0041****</ConfigRuleId>
		<Scope>
			<ComplianceResourceTypes>ACS::RAM::User</ComplianceResourceTypes>
		</Scope>
		<ConfigRuleArn>acs:config::100931896542****:rule/cr-7f7d626622af0041****</ConfigRuleArn>
		<ConfigRuleTriggerTypes>ConfigurationItemChangeNotification</ConfigRuleTriggerTypes>
		<ConfigRuleName>ram-user-mfa-check</ConfigRuleName>
		<RiskLevel>1</RiskLevel>
		<ResourceTypesScope>ACS::RAM::User</ResourceTypesScope>
		<InputParameters>
			<tag1Key>RAM</tag1Key>
			<tag1Value>test</tag1Value>
		</InputParameters>
	</ConfigRule>
</GetAggregateConfigRuleResponse>

JSON format

HTTP/1.1 200 OK
Content-Type:application/json

{
  "RequestId" : "811234F4-C3AB-4D15-B90B-F55016D1B5AA",
  "ConfigRule" : {
    "ManagedRule" : {
      "ManagedRuleName" : "ram-user-mfa-check",
      "OptionalInputParameterDetails" : { },
      "Description" : "If MFA is enabled for the RAM user, the configuration is considered compliant.",
      "Identifier" : "ram-user-mfa-check",
      "CompulsoryInputParameterDetails" : { },
      "Labels" : [ "RAM", "USer" ],
      "SourceDetails" : [ {
        "EventSource" : "aliyun.config",
        "MessageType" : "ConfigurationItemChangeNotification"
      } ]
    },
    "Description" : "If MFA is enabled for the RAM user, the configuration is considered compliant.",
    "CreateBy" : {
      "CreatorId" : "100931896542****",
      "CreatorType" : "AGGREGATOR",
      "CreatorName" : "Alice",
      "AggregatorName" : "Test_Group",
      "AggregatorId" : "ca-04b3fd170e340007****"
    },
    "ConfigRuleEvaluationStatus" : {
      "LastSuccessfulEvaluationTimestamp" : 1624932227486,
      "FirstActivatedTimestamp" : 1624932221993,
      "FirstEvaluationStarted" : true,
      "LastSuccessfulInvocationTimestamp" : 1624932227476
    },
    "ConfigRuleState" : "ACTIVE",
    "Source" : {
      "Owner" : "ALIYUN",
      "Identifier" : "ram-user-mfa-check",
      "SourceDetails" : [ {
        "EventSource" : "aliyun.config",
        "MessageType" : "ConfigurationItemChangeNotification"
      } ]
    },
    "ConfigRuleId" : "cr-7f7d626622af0041****",
    "Scope" : {
      "ComplianceResourceTypes" : [ "ACS::RAM::User" ]
    },
    "ConfigRuleArn" : "acs:config::100931896542****:rule/cr-7f7d626622af0041****",
    "ConfigRuleTriggerTypes" : "ConfigurationItemChangeNotification",
    "ConfigRuleName" : "ram-user-mfa-check",
    "RiskLevel" : 1,
    "ResourceTypesScope" : "ACS::RAM::User",
    "InputParameters" : {
      "tag1Key" : "RAM",
      "tag1Value" : "test"
    }
  }
}
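
The response fields above can be turned into a coverage check for a rule; the following is an added example, not part of the original documentation or any Alibaba Cloud SDK. It assumes the Exclude*Scope fields and MaximumExecutionFrequency sit directly under ConfigRule, as ResourceTypesScope does in the sample response; audit_rule, the 2x staleness allowance and the sample values are constructed for illustration.

```python
import json

# Interval names and lengths as listed for MaximumExecutionFrequency.
FREQ_HOURS = {"One_Hour": 1, "Three_Hours": 3, "Six_Hours": 6,
              "Twelve_Hours": 12, "TwentyFour_Hours": 24}
EXCLUSIONS = ("ExcludeResourceIdsScope", "ExcludeFolderIdsScope",
              "ExcludeAccountIdsScope")
RISK = {1: "high", 2: "medium", 3: "low"}

# Constructed sample response built from the field names documented on this page.
SAMPLE = json.dumps({"ConfigRule": {
    "ConfigRuleName": "ram-user-mfa-check", "RiskLevel": 1,
    "ConfigRuleState": "ACTIVE", "ConfigRuleTriggerTypes": "ScheduledNotification",
    "MaximumExecutionFrequency": "One_Hour",
    "ExcludeAccountIdsScope": "120886317861****",
    "ConfigRuleEvaluationStatus": {
        "FirstEvaluationStarted": True,
        "LastSuccessfulEvaluationTimestamp": 1624932227486,
        "LastFailedEvaluationTimestamp": 1624940000000,
        "LastErrorCode": "TimeOut", "LastErrorMessage": "time out"}}})


def audit_rule(response_text, now_ms):
    """Return coverage findings for one GetAggregateConfigRule JSON response."""
    rule = json.loads(response_text)["ConfigRule"]
    status = rule.get("ConfigRuleEvaluationStatus", {})
    name = rule.get("ConfigRuleName", rule.get("ConfigRuleId", "?"))
    tag = f"{name} (risk {RISK.get(rule.get('RiskLevel'), 'unknown')})"
    findings = []
    state = rule.get("ConfigRuleState")
    if state not in ("ACTIVE", "EVALUATING"):
        findings.append(f"{tag}: state is {state}, rule is not monitoring resources")
    if not status.get("FirstEvaluationStarted", False):
        findings.append(f"{tag}: no resources have been evaluated yet")
    # Any exclusion scope removes resources from evaluation; surface it for review.
    for field in EXCLUSIONS:
        if rule.get(field):
            findings.append(f"{tag}: {field}={rule[field]} is not evaluated")
    ok = status.get("LastSuccessfulEvaluationTimestamp", 0)
    failed = status.get("LastFailedEvaluationTimestamp", 0)
    if failed > ok:
        findings.append(f"{tag}: latest evaluation failed ({status.get('LastErrorCode')}: "
                        f"{status.get('LastErrorMessage')})")
    # A scheduled rule should succeed about once per interval; 2x slack is assumed here.
    hours = FREQ_HOURS.get(rule.get("MaximumExecutionFrequency"))
    if "ScheduledNotification" in rule.get("ConfigRuleTriggerTypes", "") and hours:
        if now_ms - ok > 2 * hours * 3_600_000:
            findings.append(f"{tag}: no successful evaluation in over {2 * hours}h")
    return findings
```

Timestamps are compared in milliseconds, matching the unit the response uses, so `now_ms` must be supplied in milliseconds as well.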

Error codes

HTTP status code Error code Error message Description
400 ConfigRuleNotExists The ConfigRule does not exist.

The error message returned because the specified rule does not exist.

400 NoPermission You are not authorized to perform this operation.

The error message returned because you are not authorized to perform the specified operation.

400 Invalid.AggregatorId.Value The specified AggregatorId is invalid.

The error message returned because the specified account group ID does not exist or you are not authorized to use the account group.

404 AccountNotExisted Your account does not exist.

The error message returned because the specified account does not exist.

503 ServiceUnavailable The request has failed due to a temporary failure of the server.

The error message returned because the service is unavailable.

For a list of error codes, visit the API Error Center.