Queries the compliance evaluation results of resources based on rules in an account group.

The sample request in this topic shows you how to query the compliance evaluation results of resources based on the cr-888f626622af00ae**** rule in the ca-d1e3326622af00cb**** account group. The return result shows that the Bucket-test resource is evaluated as NON_COMPLIANT against the rule. The resource is an Object Storage Service (OSS) bucket.

Debugging

OpenAPI Explorer automatically calculates the signature value. For your convenience, we recommend that you call this operation in OpenAPI Explorer. OpenAPI Explorer dynamically generates the sample code of the operation for different SDKs.

Request parameters

Parameter Type Required Example Description
Action String Yes ListAggregateConfigRuleEvaluationResults

The operation that you want to perform. Set the value to ListAggregateConfigRuleEvaluationResults.

ComplianceType String No NON_COMPLIANT

The compliance evaluation result of the resource. Valid values:

  • COMPLIANT: The resource is evaluated as compliant.
  • NON_COMPLIANT: The resource is evaluated as non-compliant.
  • NOT_APPLICABLE: The rule does not apply to your resources.
  • INSUFFICIENT_DATA: No resource data is available.
  • IGNORED: The resource is ignored during compliance evaluation.
NextToken String No IWBjqMYSy0is7zSMGu16****

The token that is used to initiate the next request. If the response of the current request is truncated, this token is used to initiate another request and obtain the remaining entries.

MaxResults Integer No 10

The maximum number of entries to return for a single request. Valid values: 1 to 100.

ConfigRuleId String No cr-888f626622af00ae****

The ID of the rule.

For more information about how to obtain the ID of a rule, see ListAggregateConfigRules.

ResourceOwnerId Long No 173808452267****

The ID of the Alibaba Cloud account to which the resources belong.

AggregatorId String Yes ca-b1e6626622af00cb****

The ID of the account group.

For more information about how to obtain the ID of an account group, see ListAggregators.

CompliancePackId String No cp-f1e3326622af00cb****

The ID of the compliance package.

For more information about how to obtain the ID of a compliance package, see ListAggregateCompliancePacks.

For more information about common request parameters, see the Common request parameters section of the Common parameters topic.

Response parameters

Parameter Type Example Description
RequestId String A6662516-D056-4325-B6A7-CD3E89C97C39

The ID of the request.

EvaluationResults Object

The information about the compliance evaluation results returned.

NextToken String IWBjqMYSy0is7zSMGu16****

The token that is used to initiate the next request.

MaxResults Integer 10

The maximum number of entries returned on each page.

EvaluationResultList Array of EvaluationResult

The details of the compliance evaluation result.

RiskLevel Integer 1

The risk level of the resources that are not compliant with the rule. Valid values:

  • 1: high risk.
  • 2: medium risk.
  • 3: low risk.
ComplianceType String NON_COMPLIANT

The compliance evaluation result of the resource. Valid values:

  • COMPLIANT: The resource is evaluated as compliant.
  • NON_COMPLIANT: The resource is evaluated as non-compliant.
  • NOT_APPLICABLE: The rule does not apply to your resources.
  • INSUFFICIENT_DATA: No resource data is available.
  • IGNORED: The resource is ignored during compliance evaluation.
ResultRecordedTimestamp Long 1624869013065

The timestamp when the compliance evaluation result was recorded. Unit: milliseconds.

Annotation String {\"configuration\":\"LRS\",\"desiredValue\":\"ZRS\",\"operator\":\"StringEquals\",\"property\":\"$.DataRedundancyType\"}

The annotation to the resource that is evaluated as non-compliant. The following parameters may be returned:

  • configuration: the current resource configuration that is evaluated as non-compliant against the rule.
  • desiredValue: the expected resource configuration that is evaluated as compliant against the rule.
  • operator: the operator that compares the current configuration with the expected configuration of the resource.
  • property: the JSON path of the current configuration in the resource property struct.
  • reason: the reason why the resource is evaluated as non-compliant.
ConfigRuleInvokedTimestamp Long 1624869012713

The timestamp when the rule was triggered for the compliance evaluation. Unit: milliseconds.

InvokingEventMessageType String ScheduledNotification

The trigger type of the rule. Valid values:

  • ConfigurationItemChangeNotification: The managed rule is triggered by configuration changes.
  • ScheduledNotification: The managed rule is triggered as scheduled.
EvaluationResultIdentifier Object

The identifying information about the compliance evaluation result.

OrderingTimestamp Long 1624869012713

The timestamp when the compliance evaluation was performed. Unit: milliseconds.

Note This timestamp indicates the time when the rule was triggered. You can obtain the timestamp from the ConfigRuleInvokedTimestamp parameter.
EvaluationResultQualifier Object

The information about the evaluated resource in the compliance evaluation result.

ResourceOwnerId Long 173808452267****

The ID of the Alibaba Cloud account to which the resources belong.

ConfigRuleArn String acs:config::100931896542****:rule/cr-888f626622af00ae****

The Alibaba Cloud Resource Name (ARN) of the rule.

ResourceType String ACS::OSS::Bucket

The type of resources whose compliance evaluation result were queried.

ConfigRuleName String oss-zrs-enabled

The name of the rule.

ResourceId String Bucket-test

The ID of the resource whose compliance evaluation result was queried.

ConfigRuleId String cr-888f626622af00ae****

The ID of the rule.

ResourceName String Bucket-test

The name of the resource.

RegionId String cn-hangzhou

The ID of the region in which your resources reside.

CompliancePackId String cr-7263fd26622af00bc****

The ID of the compliance package to which the rule belongs.

RemediationEnabled Boolean false

Indicates whether the remediation template is enabled. Valid values:

  • true
  • false

Examples

Sample requests

http(s)://[Endpoint]/?Action=ListAggregateConfigRuleEvaluationResults
&ConfigRuleId=cr-888f626622af00ae****
&AggregatorId=ca-b1e6626622af00cb****
&<Common request parameters>

Sample success responses

XML format 

HTTP/1.1 200 OK
Content-Type:application/xml

<ListAggregateConfigRuleEvaluationResultsResponse>
    <RequestId>A6662516-D056-4325-B6A7-CD3E89C97C39</RequestId>
    <EvaluationResults>
        <NextToken>IWBjqMYSy0is7zSMGu16****</NextToken>
        <MaxResults>10</MaxResults>
        <EvaluationResultList>
            <RiskLevel>1</RiskLevel>
            <ComplianceType>NON_COMPLIANT</ComplianceType>
            <ResultRecordedTimestamp>1624869013065</ResultRecordedTimestamp>
            <Annotation>{\"configuration\":\"LRS\",\"desiredValue\":\"ZRS\",\"operator\":\"StringEquals\",\"property\":\"$.DataRedundancyType\"}</Annotation>
            <ConfigRuleInvokedTimestamp>1624869012713</ConfigRuleInvokedTimestamp>
            <InvokingEventMessageType>ScheduledNotification</InvokingEventMessageType>
            <EvaluationResultIdentifier>
                <OrderingTimestamp>1624869012713</OrderingTimestamp>
                <EvaluationResultQualifier>
                    <ConfigRuleArn>acs:config::100931896542****:rule/cr-888f626622af00ae****</ConfigRuleArn>
                    <ResourceType>ACS::OSS::Bucket</ResourceType>
                    <ConfigRuleName>oss-zrs-enabled</ConfigRuleName>
                    <ResourceId>Bucket-test</ResourceId>
                    <ConfigRuleId>cr-888f626622af00ae****</ConfigRuleId>
                    <ResourceName>Bucket-test</ResourceName>
                    <RegionId>cn-hangzhou</RegionId>
                    <CompliancePackId>cr-7263fd26622af00bc****</CompliancePackId>
                </EvaluationResultQualifier>
            </EvaluationResultIdentifier>
            <RemediationEnabled>false</RemediationEnabled>
        </EvaluationResultList>
    </EvaluationResults>
</ListAggregateConfigRuleEvaluationResultsResponse>

JSON format 

HTTP/1.1 200 OK
Content-Type:application/json

{
  "RequestId" : "A6662516-D056-4325-B6A7-CD3E89C97C39",
  "EvaluationResults" : {
    "NextToken" : "IWBjqMYSy0is7zSMGu16****",
    "MaxResults" : 10,
    "EvaluationResultList" : [ {
      "RiskLevel" : 1,
      "ComplianceType" : "NON_COMPLIANT",
      "ResultRecordedTimestamp" : 1624869013065,
      "Annotation" : "{\\\"configuration\\\":\\\"LRS\\\",\\\"desiredValue\\\":\\\"ZRS\\\",\\\"operator\\\":\\\"StringEquals\\\",\\\"property\\\":\\\"$.DataRedundancyType\\\"}",
      "ConfigRuleInvokedTimestamp" : 1624869012713,
      "InvokingEventMessageType" : "ScheduledNotification",
      "EvaluationResultIdentifier" : {
        "OrderingTimestamp" : 1624869012713,
        "EvaluationResultQualifier" : {
          "ConfigRuleArn" : "acs:config::100931896542****:rule/cr-888f626622af00ae****",
          "ResourceType" : "ACS::OSS::Bucket",
          "ConfigRuleName": "oss-zrs-enabled",
          "ResourceId" : "Bucket-test",
          "ConfigRuleId" : "cr-888f626622af00ae****",
          "ResourceName" : "Bucket-test",
          "RegionId" : "cn-hangzhou",
          "CompliancePackId" : "cr-7263fd26622af00bc****"
        }
      },
      "RemediationEnabled" : false
    } ]
  }
}

Error codes

HTTP status code Error code Error message Description
400 NoPermission You are not authorized to perform this operation. The error message returned because you are not authorized to perform the specified operation.
400 Invalid.AggregatorId.Value The specified AggregatorId is invalid. The error message returned because the specified account group ID does not exist or you are not authorized to use the account group.
400 Invalid.CompliancePackId.Value The specified CompliancePackId does not exist. The error message returned because the specified compliance package ID does not exist.
404 CloudConfigServiceRoleNotExisted The CloudConfigServiceRole does not exist. The error message returned because the AliyunServiceRoleForConfig role does not exist.
404 AccountNotExisted Your account does not exist. The error message returned because your account does not exist.
503 ServiceUnavailable The request has failed due to a temporary failure of the server. The error message returned because the service is unavailable.

For a list of error codes, visit the API Error Center.