Queries the compliance evaluation results of resources in an account group.

This example shows how to query the compliance evaluation result of the 23642660635396**** resource in the ca-7f00626622af0041**** account group. The resource is a RAM user. The returned result indicates that the resource is evaluated as NON_COMPLIANT by using the cr-7f7d626622af0041**** rule.

Debugging

OpenAPI Explorer automatically calculates the signature value. For your convenience, we recommend that you call this operation in OpenAPI Explorer. OpenAPI Explorer dynamically generates the sample code of the operation for different SDKs.

Request parameters

Parameter Type Required Example Description
Action String Yes ListAggregateResourceEvaluationResults

The operation that you want to perform. Set the value to ListAggregateResourceEvaluationResults.

ResourceType String No ACS::RAM::User

The type of the resource.

For more information about how to query the type of a resource, see ListAggregateDiscoveredResources.

ResourceId String No 23642660635396****

The ID of the resource.

For more information about how to obtain the ID of a resource, see ListAggregateDiscoveredResources.

ComplianceType String No NON_COMPLIANT

The compliance evaluation result of the resources. Valid values:

  • COMPLIANT: The resources are evaluated as compliant.
  • NON_COMPLIANT: The resources are evaluated as incompliant.
  • NOT_APPLICABLE: The rule does not apply to your resources.
  • INSUFFICIENT_DATA: No resource data is available.
  • IGNORED: The resource is ignored during compliance evaluation.
NextToken String No IWBjqMYSy0is7zSMGu16****

The token that you want to use to initiate the current request. If the response of the previous request is truncated, you can use this token to initiate another request and obtain the remaining entries.

MaxResults Integer No 10

The maximum number of entries to return for a single request. Valid values: 1 to 100.

Region String No global

The ID of the region where one or more resources that you want to query reside. For example, the value global indicates global regions and the value cn-hangzhou indicates the China (Hangzhou) region.

For more information about how to obtain the ID of a region, see ListAggregateDiscoveredResources.

AggregatorId String Yes ca-7f00626622af0041****

The ID of the account group.

For more information about how to obtain the ID of an account group, see ListAggregators.

For more information about common request parameters, see Common parameters.

Response parameters

Parameter Type Example Description
RequestId String 25C89DDB-BB79-487D-88C3-4A561F21EFC4

The ID of the request.

EvaluationResults Object

The information about the compliance evaluation results returned.

NextToken String IWBjqMYSy0is7zSMGu16****

The token that was used to initiate the next request.

MaxResults Integer 10

The maximum number of entries returned on each page.

EvaluationResultList Array of EvaluationResult

The details of the compliance evaluation result.

RiskLevel Integer 1

The risk level of the resources that are not compliant with the rule. Valid values:

  • 1: high risk level
  • 2: medium risk level
  • 3: low risk level
ComplianceType String NON_COMPLIANT

The compliance evaluation result of the resources. Valid values:

  • COMPLIANT: The resources are evaluated as compliant.
  • NON_COMPLIANT: The resources are evaluated as incompliant.
  • NOT_APPLICABLE: The rule does not apply to your resources.
  • INSUFFICIENT_DATA: No resource data is available.
  • IGNORED: The resource is ignored during compliance evaluation.
ResultRecordedTimestamp Long 1624932227595

The timestamp when the compliance evaluation result was recorded. Unit: milliseconds.

Annotation String {\"configuration\":\"false\",\"desiredValue\":\"True\",\"operator\":\"StringEquals\",\"property\":\"$.LoginProfile.MFABindRequired\"}

The annotation to the resource that is evaluated as incompliant.

ConfigRuleInvokedTimestamp Long 1624932227157

The timestamp when the rule was triggered. Unit: milliseconds.

InvokingEventMessageType String ScheduledNotification

The trigger type of the managed rule. Valid values:

  • ConfigurationItemChangeNotification: The managed rule is triggered by configuration changes.
  • ScheduledNotification: The managed rule is periodically triggered.
EvaluationResultIdentifier Object

The identifying information about the compliance evaluation result.

OrderingTimestamp Long 1624932227157

The timestamp when the compliance evaluation was performed. Unit: milliseconds.

EvaluationResultQualifier Object

The information about the evaluated resource in the compliance evaluation result.

ConfigRuleArn String acs:config::100931896542****:rule/cr-7f7d626622af0041****

The Alibaba Cloud Resource Name (ARN) of the rule.

ResourceType String ACS::RAM::User

The type of the resource.

ConfigRuleName String ram-user-mfa-check

The name of the monitoring rule.

ResourceId String 23642660635396****

The ID of the resource.

ConfigRuleId String cr-7f7d626622af0041****

The ID of the rule.

ResourceName String rd_member

The name of the resource.

RegionId String global

The ID of the region where the resource resides.

IgnoreDate String 2022-06-01

The date from which the system automatically re-evaluates the ignored incompliant resources.

Note If the value of this parameter is left empty, the system does not automatically re-evaluate the ignored incompliant resources. You must manually re-evaluate the ignored incompliant resources.
RemediationEnabled Boolean false

Indicates whether the remediation template is enabled. Valid values:

  • true: The remediation template is enabled.
  • false: The remediation template is disabled.

Examples

Sample requests

http(s)://[Endpoint]/?Action=ListAggregateResourceEvaluationResults
&ResourceId=23642660635396****
&AggregatorId=ca-7f00626622af0041****
&<Common request parameters>

Sample success responses

XML format

HTTP/1.1 200 OK
Content-Type:application/xml

<ListAggregateResourceEvaluationResultsResponse>
	<code>200</code>
	<data>
		<RequestId>25C89DDB-BB79-487D-88C3-4A561F21EFC4</RequestId>
		<EvaluationResults>
			<EvaluationResultList>
				<ConfigRuleInvokedTimestamp>1624932227157</ConfigRuleInvokedTimestamp>
				<ComplianceType>NON_COMPLIANT</ComplianceType>
				<ResultRecordedTimestamp>1624932227595</ResultRecordedTimestamp>
				<InvokingEventMessageType>ScheduledNotification</InvokingEventMessageType>
				<EvaluationResultIdentifier>
					<EvaluationResultQualifier>
						<ConfigRuleId>cr-7f7d626622af0041****</ConfigRuleId>
						<ConfigRuleArn>acs:config::100931896542****:rule/cr-7f7d626622af0041****</ConfigRuleArn>
						<ResourceId>23642660635396****</ResourceId>
						<ResourceName>rd_member</ResourceName>
						<ConfigRuleName>ram-user-mfa-check</ConfigRuleName>
						<ResourceType>ACS::RAM::User</ResourceType>
						<RegionId>global</RegionId>
					</EvaluationResultQualifier>
					<OrderingTimestamp>1624932227157</OrderingTimestamp>
				</EvaluationResultIdentifier>
				<RiskLevel>1</RiskLevel>
				<RemediationEnabled>false</RemediationEnabled>
				<Annotation>{\"configuration\":\"false\",\"desiredValue\":\"True\",\"operator\":\"StringEquals\",\"property\":\"$.LoginProfile.MFABindRequired\"}</Annotation>
			</EvaluationResultList>
			<MaxResults>10</MaxResults>
		</EvaluationResults>
	</data>
	<httpStatusCode>200</httpStatusCode>
	<requestId>25C89DDB-BB79-487D-88C3-4A561F21EFC4</requestId>
</ListAggregateResourceEvaluationResultsResponse>

JSON format

HTTP/1.1 200 OK
Content-Type:application/json

{
  "code" : "200",
  "data" : {
    "RequestId" : "25C89DDB-BB79-487D-88C3-4A561F21EFC4",
    "EvaluationResults" : {
      "EvaluationResultList" : [ {
        "ConfigRuleInvokedTimestamp" : 1624932227157,
        "ComplianceType" : "NON_COMPLIANT",
        "ResultRecordedTimestamp" : 1624932227595,
        "InvokingEventMessageType" : "ScheduledNotification",
        "EvaluationResultIdentifier" : {
          "EvaluationResultQualifier" : {
            "ConfigRuleId" : "cr-7f7d626622af0041****",
            "ConfigRuleArn" : "acs:config::100931896542****:rule/cr-7f7d626622af0041****",
            "ResourceId" : "23642660635396****",
            "ResourceName" : "rd_member",
            "ConfigRuleName" : "ram-user-mfa-check",
            "ResourceType" : "ACS::RAM::User",
            "RegionId" : "global"
          },
          "OrderingTimestamp" : 1624932227157
        },
        "RiskLevel" : 1,
        "RemediationEnabled" : false,
        "Annotation" : "{\"configuration\":\"false\",\"desiredValue\":\"True\",\"operator\":\"StringEquals\",\"property\":\"$.LoginProfile.MFABindRequired\"}"
      } ],
      "MaxResults" : 10
    }
  },
  "httpStatusCode" : "200",
  "requestId" : "25C89DDB-BB79-487D-88C3-4A561F21EFC4"
}

Error codes

HttpCode Error code Error message Description
400 NoPermission You are not authorized to perform this operation. The error message returned because you are not authorized to perform the specified operation.
400 Invalid.AggregatorId.Value The specified AggregatorId is invalid. The error message returned because the specified account group ID does not exist or you are not authorized to use the account group.
404 CloudConfigServiceRoleNotExisted The CloudConfigServiceRole does not exist. The error message returned because the AliyunServiceRoleForConfig role does not exist.
404 AccountNotExisted Your account does not exist. The error message returned because the account does not exist.
503 ServiceUnavailable The request has failed due to a temporary failure of the server. The error message returned because the service is unavailable.

For a list of error codes, visit the API Error Center.