Deploying a Conformance Pack Using the AWS Command Line Interface
You can deploy, view, update, view compliance status, and delete an AWS Config conformance pack using the AWS Command Line Interface (AWS CLI).
To install the AWS CLI on your local machine see,
AWS Config Conforms Amazon S3 bucket.
If necessary, type aws configure
to configure the AWS CLI to use an AWS Region where AWS Config conformance packs are available.
Topics
Deploy a Conformance Pack
-
Open a command prompt or a terminal window.
-
Type the following command to deploy a conformance pack named
MyConformancePack1
.aws configservice put-conformance-pack --conformance-pack-name="MyConformancePack1" --template-s3-uri="s3://
AmazonS3bucketname
/template name
.yaml" --delivery-s3-bucket=AmazonS3bucketname
OR
You can also upload a YAML template from your local directory.
aws configservice put-conformance-pack --conformance-pack-name="MyConformancePack1" --template-body=
template body
--delivery-s3-bucket=AmazonS3bucketname
-
Press Enter to run the command.
You should see output similar to the following.
{ "conformancePackArn": "arn:aws:config:us-west-2:
AccountID
:conformance-pack/MyConformancePack1/conformance-pack-ID
" }
View a Conformance Pack
-
Type the following command.
aws configservice describe-conformance-packs
OR
aws configservice describe-conformance-packs --conformance-pack-name="MyConformancePack1"
-
You should see output similar to the following.
{ "conformancePackName": "MyConformancePack1", "conformancePackId": "
conformance-pack-ID
", "conformancePackArn": "arn:aws:config:us-west-2:AccountID
:conformance-pack/MyConformancePack1/conformance-pack-ID
", "conformancePackInputParameters": [], "lastUpdateRequestedTime": "Thu Jul 18 16:07:05 PDT 2019" }
View Conformance Pack Status
-
Type the following command.
aws configservice describe-conformance-pack-status --conformance-pack-name="MyConformancePack1"
-
You should see output similar to the following .
{ "stackArn": "arn:aws:cloudformation:us-west-2:
AccountID
:stack/awsconfigconforms-MyConformancePack1-conformance-pack-ID
/d4301fe0-a9b1-11e9-994d-025f28dd83ba", "conformancePackName": "MyConformancePack1", "conformancePackId": "conformance-pack-ID
", "lastUpdateCompletedTime": "Thu Jul 18 16:15:17 PDT 2019", "conformancePackState": "CREATE_COMPLETE", "conformancePackArn": "arn:aws:config:us-west-2:AccountID
:conformance-pack/MyConformancePack1/conformance-pack-ID
", "lastUpdateRequestedTime": "Thu Jul 18 16:14:35 PDT 2019" }
View Conformance Pack Compliance Status
-
Type the following command.
aws configservice describe-conformance-pack-compliance --conformance-pack-name="MyConformancePack1"
-
You should see output similar to the following.
{ "conformancePackName": "MyConformancePack1", "conformancePackRuleComplianceList": [ { "configRuleName": "awsconfigconforms-
RuleName1
-conformance-pack-ID
", "complianceType": "NON_COMPLIANT" }, { "configRuleName": "awsconfigconforms-RuleName2
-conformance-pack-ID
", "complianceType": "COMPLIANT" } ] }
Get Compliance Details for a Specific Conformance Pack
-
Type the following command.
aws configservice get-conformance-pack-compliance-details --conformance-pack-name="MyConformancePack1"
-
You should see output similar to the following.
{ "conformancePackRuleEvaluationResults": [ { "evaluationResultIdentifier": { "orderingTimestamp": "Tue Jul 16 23:07:35 PDT 2019", "evaluationResultQualifier": { "resourceId": "
resourceID
", "configRuleName": "awsconfigconforms-RuleName1
-conformance-pack-ID
", "resourceType": "AWS::::Account" } }, "configRuleInvokedTime": "Tue Jul 16 23:07:50 PDT 2019", "resultRecordedTime": "Tue Jul 16 23:07:51 PDT 2019", "complianceType": "NON_COMPLIANT" }, { "evaluationResultIdentifier": { "orderingTimestamp": "Thu Jun 27 15:16:36 PDT 2019", "evaluationResultQualifier": { "resourceId": "resourceID
", "configRuleName": "awsconfigconforms-RuleName2
-conformance-pack-ID
", "resourceType": "AWS::EC2::SecurityGroup" } }, "configRuleInvokedTime": "Thu Jul 11 23:08:06 PDT 2019", "resultRecordedTime": "Thu Jul 11 23:08:06 PDT 2019", "complianceType": "COMPLIANT" } ], "conformancePackName": "MyConformancePack1" } }
Delete a Conformance Pack
-
Type the following command.
aws configservice delete-conformance-pack --conformance-pack-name MyConformancePack1
If successful, the command runs with no additional output.