Smaws_Client_ConfigService.TypesThe requested operation is not valid. You will see this exception if there are missing required fields or if the input value fails the validation.
For PutStoredQuery, one of the following errors:
For DescribeConfigurationRecorders and DescribeConfigurationRecorderStatus, one of the following errors:
For AssociateResourceTypes and DisassociateResourceTypes, one of the following errors:
type nonrec tag_key_list = tag_key listtype nonrec untag_resource_request = {tag_keys : tag_key_list;The keys of the tags to be removed.
*)resource_arn : amazon_resource_name;The Amazon Resource Name (ARN) that identifies the resource for which to list the tags. The following resources are supported:
ConfigurationRecorderConfigRuleOrganizationConfigRuleConformancePackOrganizationConformancePackConfigurationAggregatorAggregationAuthorizationStoredQuery}type nonrec resource_not_found_exception = {message : error_message option;Error executing the command
*)}You have specified a resource that does not exist.
type nonrec resource_type = | TransferProfile| SecurityHubStandard| SageMakerInferenceExperiment| S3ExpressDirectoryBucket| S3ExpressBucketPolicy| S3StorageLensGroup| Route53ProfilesProfile| RedshiftEndpointAuthorization| OpenSearchServerlessVpcEndpoint| OpenSearchServerlessCollection| MemoryDBSubnetGroup| MediaConnectGateway| MSKVpcConnection| MSKClusterPolicy| InspectorV2Activation| IAMOIDCProvider| EvidentlySegment| EC2VPNConnectionRoute| EC2VPCEndpointConnectionNotification| EC2VPCBlockPublicAccessOptions| EC2VPCBlockPublicAccessExclusion| EC2SnapshotBlockPublicAccess| EC2InstanceConnectEndpoint| EC2IPAMResourceDiscoveryAssociation| EC2IPAMResourceDiscovery| EC2EIPAssociation| EC2ClientVpnTargetNetworkAssociation| ConnectUser| ConnectRule| CognitoIdentityPool| BedrockKnowledgeBase| BedrockGuardrail| AppSyncApiCache| AppIntegrationsApplication| AppConfigExtensionAssociation| SSMDocument| Route53ResolverFirewallRuleGroup| RedshiftEndpointAccess| RDSOptionGroup| QuickSightTheme| QuickSightTemplate| QuickSightDataSource| M2Environment| KMSAlias| ImageBuilderImageRecipe| GroundStationDataflowEndpointGroup| GrafanaWorkspace| EC2NetworkInsightsAnalysis| EC2NetworkInsightsAccessScope| CognitoUserPoolGroup| CognitoUserPoolClient| CognitoUserPool| AppStreamFleet| ResourceExplorer2Index| NetworkManagerConnectPeer| LambdaCodeSigningConfig| KafkaConnectConnector| IoTTwinMakerSyncJob| IoTCACertificate| IAMInstanceProfile| ECSCapacityProvider| EC2TransitGatewayMulticastDomain| EC2TransitGatewayConnect| EC2IPAMPool| EC2CarrierGateway| ConnectQuickConnect| ConnectInstance| AppMeshMesh| AppMeshGatewayRoute| ACMPCACertificateAuthorityActivation| BatchSchedulingPolicy| Route53ResolverResolverQueryLoggingConfig| CodeGuruProfilerProfilingGroup| APSRuleGroupsNamespace| MediaConnectFlowSource| TransferCertificate| ServiceDiscoveryInstance| Route53ResolverResolverQueryLoggingConfigAssociation| InspectorV2Filter| IoTProvisioningTemplate| IoTWirelessFuotaTask| IoTJobTemplate| AppStreamStack| MSKBatchScramSecret| SageMakerFeatureGroup| CodeBuildReportGroup| IoTTwinMakerComponentType| PersonalizeDatasetGroup| IoTWirelessMulticastGroup| NetworkManagerLinkAssociation| NetworkManagerCustomerGatewayAssociation| S3AccessPoint| PinpointEmailChannel| LogsDestination| KinesisVideoStream| KendraIndex| EC2ClientVpnEndpoint| EC2CapacityReservation| DMSEndpoint| CustomerProfilesObjectType| AppRunnerService| AppMeshVirtualRouter| AppMeshVirtualGateway| AppConfigHostedConfigurationVersion| ACMPCACertificateAuthority| ResilienceHubApp| PinpointEventStream| PinpointEmailTemplate| PersonalizeSolution| PersonalizeSchema| PersonalizeDataset| MSKConfiguration| MediaTailorPlaybackConfiguration| MediaConnectFlowVpcInterface| MediaConnectFlowEntitlement| GroundStationMissionProfile| GreengrassV2ComponentVersion| ForecastDatasetGroup| EvidentlyLaunch| EC2IPAMScope| AthenaPreparedStatement| AppMeshRoute| AppIntegrationsEventIntegration| AmplifyBranch| KinesisFirehoseDeliveryStream| TransferConnector| TransferAgreement| SageMakerDomain| PinpointInAppTemplate| PinpointCampaign| IAMServerCertificate| IAMSAMLProvider| ForecastDataset| EvidentlyProject| EC2SpotFleet| EC2PrefixList| CodeArtifactRepository| AppStreamApplication| AppRunnerVpcConnector| AppMeshVirtualService| AppMeshVirtualNode| AmplifyApp| SignerSigningProfile| CassandraKeyspace| ECSTaskSet| SageMakerImage| SageMakerAppImageConfig| Route53ResolverFirewallRuleGroupAssociation| RedshiftScheduledAction| PinpointApp| PanoramaPackage| NetworkManagerSite| NetworkManagerLink| NetworkManagerGlobalNetwork| NetworkManagerDevice| IoTWirelessServiceProfile| IoTFleetMetric| ImageBuilderImagePipeline| GroundStationConfig| ECRPullThroughCacheRule| EC2SubnetRouteTableAssociation| EC2EC2Fleet| DeviceFarmProject| DeviceFarmInstanceProfile| CloudWatchMetricStream| AuditManagerAssessment| AppFlowFlow| AppConfigDeploymentStrategy| ConnectPhoneNumber| AutoScalingWarmPool| CustomerProfilesDomain| NetworkManagerTransitGatewayRegistration| IoTTwinMakerScene| EC2IPAM| EC2TrafficMirrorFilter| EC2NetworkInsightsPath| EC2DHCPOptions| EventsRule| PinpointApplicationSettings| PinpointSegment| HealthLakeFHIRDatastore| RoboMakerRobotApplication| RoboMakerSimulationApplication| Route53RecoveryReadinessResourceSet| Route53RecoveryControlRoutingControl| Route53RecoveryControlControlPanel| Route53RecoveryControlSafetyRule| Route53RecoveryControlCluster| LookoutVisionProject| AppStreamDirectoryConfig| KinesisVideoSignalingChannel| MediaPackagePackagingConfiguration| EventSchemasSchema| EventsConnection| IoTScheduledAudit| S3StorageLens| EC2TrafficMirrorTarget| IoTAccountAuditConfiguration| LookoutMetricsAlert| LexBotAlias| IoTSiteWiseGateway| EC2TrafficMirrorSession| RoboMakerRobotApplicationVersion| Route53ResolverFirewallDomainList| IoTCustomMetric| CodeGuruReviewerRepositoryAssociation| LexBot| BudgetsBudgetsAction| DeviceFarmTestGridProject| S3MultiRegionAccessPoint| RDSGlobalCluster| KinesisAnalyticsV2Application| IVSPlaybackKeyPair| IVSRecordingConfiguration| IVSChannel| IoTSiteWiseAssetModel| IoTSiteWisePortal| IoTSiteWiseProject| IoTSiteWiseDashboard| IoTAnalyticsChannel| IoTAnalyticsPipeline| IoTAnalyticsDataset| IoTTwinMakerEntity| IoTTwinMakerWorkspace| IoTMitigationAction| IoTPolicy| GlueMLTransform| EKSAddon| EKSIdentityProviderConfig| TransferWorkflow| ResilienceHubResiliencyPolicy| Route53RecoveryReadinessRecoveryGroup| MediaPackagePackagingGroup| LightsailStaticIp| LightsailBucket| IoTAnalyticsDatastore| IoTDimension| IoTRoleAlias| IoTSecurityProfile| IoTAuthorizer| FraudDetectorOutcome| FraudDetectorVariable| FraudDetectorEntityType| FraudDetectorLabel| EventSchemasDiscoverer| EventSchemasRegistryPolicy| EventSchemasRegistry| Cloud9EnvironmentEC2| AppConfigConfigurationProfile| AppConfigEnvironment| AmazonMQBroker| SESTemplate| GuardDutyFilter| SESReceiptFilter| DataSyncLocationFSxWindows| FISExperimentTemplate| LightsailDisk| EventsApiDestination| EventsArchive| SESReceiptRuleSet| EventsEndpoint| RUMAppMonitor| LightsailCertificate| BackupReportPlan| ECRRegistryPolicy| Route53RecoveryReadinessReadinessCheck| Route53RecoveryReadinessCell| GlueClassifier| DataSyncLocationHDFS| DataSyncLocationObjectStorage| ImageBuilderInfrastructureConfiguration| ImageBuilderDistributionConfiguration| ImageBuilderContainerRecipe| EventsEventBus| ServiceDiscoveryHttpNamespace| IoTEventsAlarmModel| IoTEventsDetectorModel| IoTEventsInput| Route53HostedZone| SESConfigurationSet| SESContactList| ServiceDiscoveryPublicDnsNamespace| ServiceDiscoveryService| SageMakerNotebookInstanceLifecycleConfig| SageMakerWorkteam| GuardDutyIPSet| GuardDutyThreatIntelSet| GlueJob| EKSFargateProfile| NetworkInsightsAccessScopeAnalysis| DataSyncLocationNFS| DataSyncTask| DataSyncLocationEFS| DataSyncLocationS3| DataSyncLocationFSxLustre| DataSyncLocationSMB| AppSyncGraphQLApi| AppConfigApplication| DMSCertificate| TransitGatewayRouteTable| TransitGatewayAttachment| GlobalAcceleratorListener| GlobalAcceleratorEndpointGroup| GlobalAcceleratorAccelerator| DetectiveGraph| AthenaDataCatalog| AthenaWorkGroup| AccessAnalyzerAnalyzer| BatchComputeEnvironment| BatchJobQueue| StepFunctionsStateMachine| ListenerV2| SageMakerModel| WorkSpacesConnectionAlias| WorkSpacesWorkspace| StepFunctionsActivity| MSKCluster| DMSEventSubscription| DMSReplicationSubnetGroup| Route53ResolverResolverRuleAssociation| Route53ResolverResolverRule| Route53ResolverResolverEndpoint| SageMakerCodeRepository| EMRSecurityConfiguration| GuardDutyDetector| ECRPublicRepository| LaunchTemplate| CodeDeployDeploymentGroup| CodeDeployDeploymentConfig| CodeDeployApplication| KinesisStreamConsumer| KinesisStream| TransitGateway| OpenSearchDomain| EKSCluster| EFSFileSystem| EFSAccessPoint| ECSTaskDefinition| ECSService| ECSCluster| ECRRepository| BackupRecoveryPoint| BackupVault| BackupSelection| BackupPlan| FileData| Topic| Secret| QLDBLedger| Key| Queue| Portfolio| CloudFormationProduct| CloudFormationProvisionedProduct| Pipeline| Api| StageV2| RestApi| Stage| ResourceCompliance| ConformancePackCompliance| RegionalProtection| Protection| PatchCompliance| AssociationCompliance| EncryptionConfig| ManagedRuleSetV2| RegexPatternSetV2| IPSetV2| RuleGroupV2| WebACLV2| Environment| ApplicationVersion| Application| NetworkFirewallRuleGroup| NetworkFirewallFirewallPolicy| NetworkFirewallFirewall| Function| StreamingDistribution| Distribution| RegionalWebACL| RegionalRuleGroup| RegionalRule| RegionalRateBasedRule| WebACL| RuleGroup| Rule| RateBasedRule| Project| Table| ScheduledAction| ScalingPolicy| LaunchConfiguration| AutoScalingGroup| LoadBalancer| Stack| Alarm| ManagedInstanceInventory| RedshiftEventSubscription| ClusterSubnetGroup| ClusterSecurityGroup| ClusterParameterGroup| ClusterSnapshot| Cluster| AccountPublicAccessBlock| Bucket| EventSubscription| DBClusterSnapshot| DBCluster| DBSnapshot| DBSecurityGroup| DBSubnetGroup| DBInstance| Certificate| LoadBalancerV2| User| Role| Policy| Group| Domain| VPCPeeringConnection| FlowLog| VPCEndpointService| VPCEndpoint| EgressOnlyInternetGateway| NatGateway| RegisteredHAInstance| VPNGateway| VPNConnection| VPC| Volume| Trail| Subnet| SecurityGroup| RouteTable| NetworkInterface| NetworkAcl| InternetGateway| Instance| Host| EIP| CustomerGatewaytype nonrec aggregate_resource_identifier = {resource_name : resource_name option;The name of the Amazon Web Services resource.
*)resource_type : resource_type;The type of the Amazon Web Services resource.
*)resource_id : resource_id;The ID of the Amazon Web Services resource.
*)source_region : aws_region;The source region where data is aggregated.
*)source_account_id : account_id;The 12-digit account ID of the source account.
*)}The details that identify a resource that is collected by Config aggregator, including the resource type, ID, (if available) the custom resource name, the source account, and source region.
type nonrec unprocessed_resource_identifier_list =
aggregate_resource_identifier listtype nonrec unmodifiable_entity_exception = {message : error_message option;Error executing the command
*)}The requested operation is not valid.
For PutConfigurationRecorder, you will see this exception because you cannot use this operation to create a service-linked configuration recorder. Use the PutServiceLinkedConfigurationRecorder operation to create a service-linked configuration recorder.
For DeleteConfigurationRecorder, you will see this exception because you cannot use this operation to delete a service-linked configuration recorder. Use the DeleteServiceLinkedConfigurationRecorder operation to delete a service-linked configuration recorder.
For StartConfigurationRecorder and StopConfigurationRecorder, you will see this exception because these operations do not affect service-linked configuration recorders. Service-linked configuration recorders are always recording. To stop recording, you must delete the service-linked configuration recorder. Use the DeleteServiceLinkedConfigurationRecorder operation to delete a service-linked configuration recorder.
You have reached the limit of the number of tags you can use. For more information, see Service Limits in the Config Developer Guide.
type nonrec time_window = {end_time : date option;The end time of an execution. The end time must be after the start date.
*)start_time : date option;The start time of an execution.
*)}Filters evaluation results based on start and end times.
type nonrec template_ssm_document_details = {document_version : ssm_document_version option;The version of the SSM document to use to create a conformance pack. By default, Config uses the latest version.
This field is optional.
*)document_name : ssm_document_name;The name or Amazon Resource Name (ARN) of the SSM document to use to create a conformance pack. If you use the document name, Config checks only your account and Amazon Web Services Region for the SSM document.
*)}This API allows you to create a conformance pack template with an Amazon Web Services Systems Manager document (SSM document). To deploy a conformance pack using an SSM document, first create an SSM document with conformance pack content, and then provide the DocumentName in the PutConformancePack API. You can also provide the DocumentVersion.
The TemplateSSMDocumentDetails object contains the name of the SSM document and the version of the SSM document.
type nonrec tag = {value : tag_value option;The optional part of a key-value pair that make up a tag. A value acts as a descriptor within a tag category (key).
*)key : tag_key option;One part of a key-value pair that make up a tag. A key is a general label that acts like a category for more specific tag values.
*)}The tags for the resource. The metadata that you apply to a resource to help you categorize and organize them. Each tag consists of a key and an optional value, both of which you define. Tag keys can have a maximum character length of 128 characters, and tag values can have a maximum length of 256 characters.
type nonrec tags_list = tag listtype nonrec tag_list = tag listtype nonrec tag_resource_request = {resource_arn : amazon_resource_name;The Amazon Resource Name (ARN) that identifies the resource for which to list the tags. The following resources are supported:
ConfigurationRecorderConfigRuleOrganizationConfigRuleConformancePackOrganizationConformancePackConfigurationAggregatorAggregationAuthorizationStoredQuery}type nonrec supplementary_configuration =
(supplementary_configuration_name * supplementary_configuration_value) listtype nonrec stored_query_metadata = {description : query_description option;A unique description for the query.
*)query_name : query_name;The name of the query.
*)query_arn : query_arn;Amazon Resource Name (ARN) of the query. For example, arn:partition:service:region:account-id:resource-type/resource-name/resource-id.
*)query_id : query_id;The ID of the query.
*)}Returns details of a specific query.
type nonrec stored_query_metadata_list = stored_query_metadata listtype nonrec stored_query = {expression : query_expression option;The expression of the query. For example, SELECT resourceId, resourceType, supplementaryConfiguration.BucketVersioningConfiguration.status WHERE resourceType = 'AWS::S3::Bucket' AND supplementaryConfiguration.BucketVersioningConfiguration.status = 'Off'.
description : query_description option;A unique description for the query.
*)query_name : query_name;The name of the query.
*)query_arn : query_arn option;Amazon Resource Name (ARN) of the query. For example, arn:partition:service:region:account-id:resource-type/resource-name/resource-id.
*)query_id : query_id option;The ID of the query.
*)}Provides the details of a stored query.
type nonrec stop_configuration_recorder_request = {configuration_recorder_name : recorder_name;The name of the customer managed configuration recorder that you want to stop.
*)}The input for the StopConfigurationRecorder operation.
type nonrec no_such_configuration_recorder_exception = {message : error_message option;Error executing the command
*)}You have specified a configuration recorder that does not exist.
type nonrec status_detail_filters = {member_account_rule_status : member_account_rule_status option;Indicates deployment status for Config rule in the member account. When management account calls PutOrganizationConfigRule action for the first time, Config rule status is created in the member account. When management account calls PutOrganizationConfigRule action for the second time, Config rule status is updated in the member account. Config rule status is deleted when the management account deletes OrganizationConfigRule and disables service access for config-multiaccountsetup.amazonaws.com.
Config sets the state of the rule to:
CREATE_SUCCESSFUL when Config rule has been created in the member account.CREATE_IN_PROGRESS when Config rule is being created in the member account.CREATE_FAILED when Config rule creation has failed in the member account.DELETE_FAILED when Config rule deletion has failed in the member account.DELETE_IN_PROGRESS when Config rule is being deleted in the member account.DELETE_SUCCESSFUL when Config rule has been deleted in the member account.UPDATE_SUCCESSFUL when Config rule has been updated in the member account.UPDATE_IN_PROGRESS when Config rule is being updated in the member account.UPDATE_FAILED when Config rule deletion has failed in the member account.account_id : account_id option;The 12-digit account ID of the member account within an organization.
*)}Status filter object to filter results based on specific member account ID or status type for an organization Config rule.
type nonrec static_parameter_values = string_with_char_limit256 listtype nonrec static_value = {values : static_parameter_values;A list of values. For example, the ARN of the assumed role.
*)}The static value of the resource.
type nonrec start_resource_evaluation_response = {resource_evaluation_id : resource_evaluation_id option;A unique ResourceEvaluationId that is associated with a single execution.
*)}type nonrec resource_details = {resource_configuration_schema_type : resource_configuration_schema_type option;The schema type of the resource configuration.
You can find the Resource type schema, or CFN_RESOURCE_SCHEMA, in "Amazon Web Services public extensions" within the CloudFormation registry or with the following CLI commmand: aws cloudformation describe-type --type-name "AWS::S3::Bucket" --type RESOURCE.
For more information, see Managing extensions through the CloudFormation registry and Amazon Web Services resource and property types reference in the CloudFormation User Guide.
*)resource_configuration : resource_configuration;The resource definition to be evaluated as per the resource configuration schema type.
*)resource_type : string_with_char_limit256;The type of resource being evaluated.
*)resource_id : base_resource_id;A unique resource ID for an evaluation.
*)}Returns information about the resource being evaluated.
type nonrec evaluation_context = {evaluation_context_identifier : evaluation_context_identifier option;A unique EvaluationContextIdentifier ID for an EvaluationContext.
*)}Use EvaluationContext to group independently initiated proactive resource evaluations. For example, CFN Stack. If you want to check just a resource definition, you do not need to provide evaluation context.
type nonrec start_resource_evaluation_request = {client_token : client_token option;A client token is a unique, case-sensitive string of up to 64 ASCII characters. To make an idempotent API request using one of these actions, specify a client token in the request.
Avoid reusing the same client token for other API requests. If you retry a request that completed successfully using the same client token and the same parameters, the retry succeeds without performing any further actions. If you retry a successful request using the same client token, but one or more of the parameters are different, other than the Region or Availability Zone, the retry fails with an IdempotentParameterMismatch error.
*)evaluation_timeout : evaluation_timeout option;The timeout for an evaluation. The default is 900 seconds. You cannot specify a number greater than 3600. If you specify 0, Config uses the default.
*)evaluation_mode : evaluation_mode;The mode of an evaluation. The valid values for this API are DETECTIVE and PROACTIVE.
evaluation_context : evaluation_context option;Returns an EvaluationContext object.
resource_details : resource_details;Returns a ResourceDetails object.
}type nonrec invalid_parameter_value_exception = {message : error_message option;Error executing the command
*)}One or more of the specified parameters are not valid. Verify that your parameters are valid and try again.
Using the same client token with one or more different parameters. Specify a new client token with the parameter changes and try again.
type nonrec resource_key = {resource_id : resource_id;The ID of the resource (for example., sg-xxxxxx).
*)resource_type : resource_type;The resource type.
*)}The details that identify a resource within Config, including the resource type and resource ID.
type nonrec resource_keys = resource_key listtype nonrec start_remediation_execution_response = {failed_items : resource_keys option;For resources that have failed to start execution, the API returns a resource key object.
*)failure_message : string_ option;Returns a failure message. For example, the resource is already compliant.
*)}type nonrec start_remediation_execution_request = {resource_keys : resource_keys;A list of resource keys to be processed with the current request. Each element in the list consists of the resource type and resource ID.
*)config_rule_name : config_rule_name;The list of names of Config rules that you want to run remediation execution for.
*)}type nonrec no_such_remediation_configuration_exception = {message : error_message option;Error executing the command
*)}You specified an Config rule without a remediation configuration.
type nonrec insufficient_permissions_exception = {message : error_message option;Error executing the command
*)}Indicates one of the following errors:
GetRole action or create a service-linked role.For PutConformancePack and PutOrganizationConformancePack, a conformance pack cannot be created because you do not have the following permissions:
GetRole action or create a service-linked role.CreateServiceLinkedRole.type nonrec start_configuration_recorder_request = {configuration_recorder_name : recorder_name;The name of the customer managed configuration recorder that you want to start.
*)}The input for the StartConfigurationRecorder operation.
type nonrec no_available_delivery_channel_exception = {message : error_message option;Error executing the command
*)}There is no delivery channel available to record configurations.
type nonrec reevaluate_config_rule_names = config_rule_name listtype nonrec start_config_rules_evaluation_request = {config_rule_names : reevaluate_config_rule_names option;The list of names of Config rules that you want to run evaluations for.
*)}type nonrec resource_in_use_exception = {message : error_message option;Error executing the command
*)}You see this exception in the following cases:
type nonrec no_such_config_rule_exception = {message : error_message option;Error executing the command
*)}The Config rule in the request is not valid. Verify that the rule is an Config Process Check rule, that the rule name is correct, and that valid Amazon Resouce Names (ARNs) are used before trying again.
type nonrec limit_exceeded_exception = {message : error_message option;Error executing the command
*)}For PutServiceLinkedConfigurationRecorder API, this exception is thrown if the number of service-linked roles in the account exceeds the limit.
For StartConfigRulesEvaluation API, this exception is thrown if an evaluation is in progress or if you call the StartConfigRulesEvaluation API more than once per minute.
For PutConfigurationAggregator API, this exception is thrown if the number of accounts and aggregators exceeds the limit.
type nonrec invalid_next_token_exception = {message : error_message option;Error executing the command
*)}The specified next token is not valid. Specify the nextToken string that was returned in the previous response to get the next page of results.
type nonrec invalid_limit_exception = {message : error_message option;Error executing the command
*)}The specified limit is outside the allowable range.
type nonrec invalid_expression_exception = {message : error_message option;Error executing the command
*)}The syntax of the query is incorrect.
type nonrec results = string_ listDetails about the fields such as name of the field.
type nonrec field_info_list = field_info listDetails about the query.
type nonrec select_resource_config_response = {next_token : next_token option;The nextToken string returned in a previous request that you use to request the next page of results in a paginated response.
query_info : query_info option;Returns the QueryInfo object.
results : results option;Returns the results for the SQL query.
*)}type nonrec select_resource_config_request = {next_token : next_token option;The nextToken string returned in a previous request that you use to request the next page of results in a paginated response.
limit : limit option;The maximum number of query results returned on each page.
*)expression : expression;The SQL query SELECT command.
}type nonrec no_such_configuration_aggregator_exception = {message : error_message option;Error executing the command
*)}You have specified a configuration aggregator that does not exist.
type nonrec select_aggregate_resource_config_response = {next_token : next_token option;The nextToken string returned in a previous request that you use to request the next page of results in a paginated response.
*)query_info : query_info option;results : results option;Returns the results for the SQL query.
*)}type nonrec select_aggregate_resource_config_request = {next_token : next_token option;The nextToken string returned in a previous request that you use to request the next page of results in a paginated response.
*)max_results : limit option;The maximum number of query results returned on each page. Config also allows the Limit request parameter.
*)limit : limit option;The maximum number of query results returned on each page.
*)configuration_aggregator_name : configuration_aggregator_name;The name of the configuration aggregator.
*)expression : expression;The SQL query SELECT command.
*)}Two users are trying to modify the same query at the same time. Wait for a moment and try again.
type nonrec put_stored_query_response = {query_arn : query_arn option;Amazon Resource Name (ARN) of the query. For example, arn:partition:service:region:account-id:resource-type/resource-name/resource-id.
*)}type nonrec put_stored_query_request = {stored_query : stored_query;A list of StoredQuery objects. The mandatory fields are QueryName and Expression.
When you are creating a query, you must provide a query name and an expression. When you are updating a query, you must provide a query name but updating the description is optional.
*)}For PutServiceLinkedConfigurationRecorder, you cannot create a service-linked recorder because a service-linked recorder already exists for the specified service.
For DeleteServiceLinkedConfigurationRecorder, you cannot delete the service-linked recorder because it is currently in use by the linked Amazon Web Services service.
For DeleteDeliveryChannel, you cannot delete the specified delivery channel because the customer managed configuration recorder is running. Use the StopConfigurationRecorder operation to stop the customer managed configuration recorder.
For AssociateResourceTypes and DisassociateResourceTypes, one of the following errors:
type nonrec put_service_linked_configuration_recorder_response = {name : recorder_name option;The name of the specified configuration recorder.
For service-linked configuration recorders, Config automatically assigns a name that has the prefix "AWS" to the new service-linked configuration recorder.
arn : amazon_resource_name option;The Amazon Resource Name (ARN) of the specified configuration recorder.
*)}type nonrec put_service_linked_configuration_recorder_request = {service_principal : service_principal;The service principal of the Amazon Web Services service for the service-linked configuration recorder that you want to create.
*)}type nonrec max_number_of_retention_configurations_exceeded_exception = {message : error_message option;Error executing the command
*)}Failed to add the retention configuration because a retention configuration with that name already exists.
type nonrec retention_configuration = {retention_period_in_days : retention_period_in_days;Number of days Config stores your historical information.
Currently, only applicable to the configuration item history.
*)name : retention_configuration_name;The name of the retention configuration object.
*)}An object with the name of the retention configuration and the retention period in days. The object stores the configuration for data retention in Config.
type nonrec put_retention_configuration_response = {retention_configuration : retention_configuration option;Returns a retention configuration object.
*)}type nonrec put_retention_configuration_request = {retention_period_in_days : retention_period_in_days;Number of days Config stores your historical information.
Currently, only applicable to the configuration item history.
*)}type nonrec no_running_configuration_recorder_exception = {message : error_message option;Error executing the command
*)}There is no configuration recorder running.
type nonrec max_active_resources_exceeded_exception = {message : error_message option;Error executing the command
*)}You have reached the limit of active custom resource types in your account. There is a limit of 100,000. Delete unused resources using DeleteResourceConfig .
type nonrec put_resource_config_request = {configuration : configuration;The configuration object of the resource in valid JSON format. It must match the schema registered with CloudFormation.
The configuration JSON must not exceed 64 KB.
*)resource_name : resource_name option;Name of the resource.
*)resource_id : resource_id;Unique identifier of the resource.
*)schema_version_id : schema_version_id;Version of the schema registered for the ResourceType in CloudFormation.
*)resource_type : resource_type_string;The type of the resource. The custom resource type must be registered with CloudFormation.
You cannot use the organization names “amzn”, “amazon”, “alexa”, “custom” with custom resource types. It is the first part of the ResourceType up to the first ::.
*)}type nonrec remediation_exception = {expiration_time : date option;The time when the remediation exception will be deleted.
*)message : string_with_char_limit1024 option;An explanation of an remediation exception.
*)resource_id : string_with_char_limit1024;The ID of the resource (for example., sg-xxxxxx).
*)resource_type : string_with_char_limit256;The type of a resource.
*)config_rule_name : config_rule_name;The name of the Config rule.
*)}An object that represents the details about the remediation exception. The details include the rule name, an explanation of an exception, the time when the exception will be deleted, the resource ID, and resource type.
type nonrec remediation_exceptions = remediation_exception listtype nonrec failed_remediation_exception_batch = {failed_items : remediation_exceptions option;Returns remediation exception resource key object of the failed items.
*)failure_message : string_ option;Returns a failure message. For example, the auto-remediation has failed.
*)}List of each of the failed remediation exceptions with specific reasons.
type nonrec failed_remediation_exception_batches =
failed_remediation_exception_batch listtype nonrec put_remediation_exceptions_response = {failed_batches : failed_remediation_exception_batches option;Returns a list of failed remediation exceptions batch objects. Each object in the batch consists of a list of failed items and failure messages.
*)}type nonrec remediation_exception_resource_key = {resource_id : string_with_char_limit1024 option;The ID of the resource (for example., sg-xxxxxx).
*)resource_type : string_with_char_limit256 option;The type of a resource.
*)}The details that identify a resource within Config, including the resource type and resource ID.
type nonrec remediation_exception_resource_keys =
remediation_exception_resource_key listtype nonrec put_remediation_exceptions_request = {expiration_time : date option;The exception is automatically deleted after the expiration date.
*)message : string_with_char_limit1024 option;The message contains an explanation of the exception.
*)resource_keys : remediation_exception_resource_keys;An exception list of resource exception keys to be processed with the current request. Config adds exception for each resource key. For example, Config adds 3 exceptions for 3 resource keys.
*)config_rule_name : config_rule_name;The name of the Config rule for which you want to create remediation exception.
*)}The dynamic value of the resource.
type nonrec remediation_parameter_value = {static_value : static_value option;The value is static and does not change at run-time.
*)resource_value : resource_value option;The value is dynamic and changes at run-time.
*)}The value is either a dynamic (resource) value or a static value. You must select either a dynamic value or a static value.
type nonrec remediation_parameters =
(string_with_char_limit256 * remediation_parameter_value) listtype nonrec ssm_controls = {error_percentage : percentage option;The percentage of errors that are allowed before SSM stops running automations on non-compliant resources for that specific rule. You can specify a percentage of errors, for example 10%. If you do not specifiy a percentage, the default is 50%. For example, if you set the ErrorPercentage to 40% for 10 non-compliant resources, then SSM stops running the automations when the fifth error is received.
*)concurrent_execution_rate_percentage : percentage option;The maximum percentage of remediation actions allowed to run in parallel on the non-compliant resources for that specific rule. You can specify a percentage, such as 10%. The default value is 10.
*)}Amazon Web Services Systems Manager (SSM) specific remediation controls.
The controls that Config uses for executing remediations.
type nonrec remediation_configuration = {created_by_service : string_with_char_limit1024 option;Name of the service that owns the service-linked rule, if applicable.
*)arn : string_with_char_limit1024 option;Amazon Resource Name (ARN) of remediation configuration.
*)retry_attempt_seconds : auto_remediation_attempt_seconds option;Time window to determine whether or not to add a remediation exception to prevent infinite remediation attempts. If MaximumAutomaticAttempts remediation attempts have been made under RetryAttemptSeconds, a remediation exception will be added to the resource. If you do not select a number, the default is 60 seconds.
For example, if you specify RetryAttemptSeconds as 50 seconds and MaximumAutomaticAttempts as 5, Config will run auto-remediations 5 times within 50 seconds before adding a remediation exception to the resource.
maximum_automatic_attempts : auto_remediation_attempts option;The maximum number of failed attempts for auto-remediation. If you do not select a number, the default is 5.
For example, if you specify MaximumAutomaticAttempts as 5 with RetryAttemptSeconds as 50 seconds, Config will put a RemediationException on your behalf for the failing resource after the 5th failed attempt within 50 seconds.
*)execution_controls : execution_controls option;An ExecutionControls object.
*)automatic : boolean_ option;The remediation is triggered automatically.
*)resource_type : string_ option;The type of a resource.
*)parameters : remediation_parameters option;An object of the RemediationParameterValue.
*)target_version : string_ option;Version of the target. For example, version of the SSM document.
If you make backward incompatible changes to the SSM document, you must call PutRemediationConfiguration API again to ensure the remediations can run.
*)target_id : string_with_char_limit256;Target ID is the name of the SSM document.
*)target_type : remediation_target_type;The type of the target. Target executes remediation. For example, SSM document.
*)config_rule_name : config_rule_name;The name of the Config rule.
*)}An object that represents the details about the remediation configuration that includes the remediation action, parameters, and data to execute the action.
type nonrec remediation_configurations = remediation_configuration listtype nonrec failed_remediation_batch = {failed_items : remediation_configurations option;Returns remediation configurations of the failed items.
*)failure_message : string_ option;Returns a failure message. For example, the resource is already compliant.
*)}List of each of the failed remediations with specific reasons.
type nonrec failed_remediation_batches = failed_remediation_batch listtype nonrec put_remediation_configurations_response = {failed_batches : failed_remediation_batches option;Returns a list of failed remediation batch objects.
*)}type nonrec put_remediation_configurations_request = {remediation_configurations : remediation_configurations;A list of remediation configuration objects.
*)}type nonrec organization_conformance_pack_template_validation_exception = {message : error_message option;Error executing the command
*)}You have specified a template that is not valid or supported.
type nonrec organization_all_features_not_enabled_exception = {message : error_message option;Error executing the command
*)}Config resource cannot be created because your organization does not have all features enabled.
type nonrec organization_access_denied_exception = {message : error_message option;Error executing the command
*)}For PutConfigurationAggregator API, you can see this exception for the following reasons:
EnableAWSServiceAccess APIListDelegatedAdministrators API. Ensure that the management account registers delagated administrator for Config service principal name before the delegated administrator creates an aggregator.For all OrganizationConfigRule and OrganizationConformancePack APIs, Config throws an exception if APIs are called from member accounts. All APIs must be called from organization management account.
type nonrec no_available_organization_exception = {message : error_message option;Error executing the command
*)}Organization is no longer available.
type nonrec max_number_of_organization_conformance_packs_exceeded_exception = {message : error_message option;Error executing the command
*)}You have reached the limit of the number of organization conformance packs you can create in an account. For more information, see Service Limits in the Config Developer Guide.
type nonrec put_organization_conformance_pack_response = {organization_conformance_pack_arn : string_with_char_limit256 option;ARN of the organization conformance pack.
*)}type nonrec conformance_pack_input_parameter = {parameter_value : parameter_value;Another part of the key-value pair.
*)parameter_name : parameter_name;One part of a key-value pair.
*)}Input parameters in the form of key-value pairs for the conformance pack, both of which you define. Keys can have a maximum character length of 255 characters, and values can have a maximum length of 4096 characters.
type nonrec conformance_pack_input_parameters =
conformance_pack_input_parameter listtype nonrec excluded_accounts = account_id listtype nonrec put_organization_conformance_pack_request = {excluded_accounts : excluded_accounts option;A list of Amazon Web Services accounts to be excluded from an organization conformance pack while deploying a conformance pack.
*)conformance_pack_input_parameters : conformance_pack_input_parameters option;A list of ConformancePackInputParameter objects.
delivery_s3_key_prefix : delivery_s3_key_prefix option;The prefix for the Amazon S3 bucket.
This field is optional.
*)delivery_s3_bucket : delivery_s3_bucket option;The name of the Amazon S3 bucket where Config stores conformance pack templates.
This field is optional. If used, it must be prefixed with awsconfigconforms.
template_body : template_body option;A string containing full conformance pack template body. Structure containing the template body with a minimum length of 1 byte and a maximum length of 51,200 bytes.
*)template_s3_uri : template_s3_uri option;Location of file containing the template body. The uri must point to the conformance pack template (max size: 300 KB).
You must have access to read Amazon S3 bucket. In addition, in order to ensure a successful deployment, the template object must not be in an archived storage class if this parameter is passed.
*)organization_conformance_pack_name : organization_conformance_pack_name;Name of the organization conformance pack you want to create.
*)}type nonrec max_number_of_organization_config_rules_exceeded_exception = {message : error_message option;Error executing the command
*)}You have reached the limit of the number of organization Config rules you can create. For more information, see see Service Limits in the Config Developer Guide.
type nonrec put_organization_config_rule_response = {organization_config_rule_arn : string_with_char_limit256 option;The Amazon Resource Name (ARN) of an organization Config rule.
*)}type nonrec resource_types_scope = string_with_char_limit256 listtype nonrec organization_managed_rule_metadata = {tag_value_scope : string_with_char_limit256 option;The optional part of a key-value pair that make up a tag. A value acts as a descriptor within a tag category (key).
*)tag_key_scope : string_with_char_limit128 option;One part of a key-value pair that make up a tag. A key is a general label that acts like a category for more specific tag values.
*)resource_id_scope : string_with_char_limit768 option;The ID of the Amazon Web Services resource that was evaluated.
*)resource_types_scope : resource_types_scope option;The type of the Amazon Web Services resource that was evaluated.
*)maximum_execution_frequency : maximum_execution_frequency option;The maximum frequency with which Config runs evaluations for a rule. This is for an Config managed rule that is triggered at a periodic frequency.
By default, rules with a periodic trigger are evaluated every 24 hours. To change the frequency, specify a valid value for the MaximumExecutionFrequency parameter.
input_parameters : string_with_char_limit2048 option;A string, in JSON format, that is passed to your organization Config rule Lambda function.
*)rule_identifier : string_with_char_limit256;For organization config managed rules, a predefined identifier from a list. For example, IAM_PASSWORD_POLICY is a managed rule. To reference a managed rule, see Using Config managed rules.
description : string_with_char_limit256_min0 option;The description that you provide for your organization Config rule.
*)}An object that specifies organization managed rule metadata such as resource type and ID of Amazon Web Services resource along with the rule identifier. It also provides the frequency with which you want Config to run evaluations for the rule if the trigger type is periodic.
type nonrec organization_config_rule_trigger_types =
organization_config_rule_trigger_type listtype nonrec organization_custom_rule_metadata = {tag_value_scope : string_with_char_limit256 option;The optional part of a key-value pair that make up a tag. A value acts as a descriptor within a tag category (key).
*)tag_key_scope : string_with_char_limit128 option;One part of a key-value pair that make up a tag. A key is a general label that acts like a category for more specific tag values.
*)resource_id_scope : string_with_char_limit768 option;The ID of the Amazon Web Services resource that was evaluated.
*)resource_types_scope : resource_types_scope option;The type of the Amazon Web Services resource that was evaluated.
*)maximum_execution_frequency : maximum_execution_frequency option;The maximum frequency with which Config runs evaluations for a rule. Your custom rule is triggered when Config delivers the configuration snapshot. For more information, see ConfigSnapshotDeliveryProperties.
By default, rules with a periodic trigger are evaluated every 24 hours. To change the frequency, specify a valid value for the MaximumExecutionFrequency parameter.
input_parameters : string_with_char_limit2048 option;A string, in JSON format, that is passed to your organization Config rule Lambda function.
*)organization_config_rule_trigger_types : organization_config_rule_trigger_types;The type of notification that triggers Config to run an evaluation for a rule. You can specify the following notification types:
ConfigurationItemChangeNotification - Triggers an evaluation when Config delivers a configuration item as a result of a resource change.OversizedConfigurationItemChangeNotification - Triggers an evaluation when Config delivers an oversized configuration item. Config may generate this notification type when a resource changes and the notification exceeds the maximum size allowed by Amazon SNS.ScheduledNotification - Triggers a periodic evaluation at the frequency specified for MaximumExecutionFrequency.lambda_function_arn : string_with_char_limit256;The lambda function ARN.
*)description : string_with_char_limit256_min0 option;The description that you provide for your organization Config rule.
*)}An object that specifies organization custom rule metadata such as resource type, resource ID of Amazon Web Services resource, Lambda function ARN, and organization trigger types that trigger Config to evaluate your Amazon Web Services resources against a rule. It also provides the frequency with which you want Config to run evaluations for the rule if the trigger type is periodic.
type nonrec organization_config_rule_trigger_type_no_s_ns =
organization_config_rule_trigger_type_no_s_n listtype nonrec debug_log_delivery_accounts = account_id listtype nonrec organization_custom_policy_rule_metadata = {debug_log_delivery_accounts : debug_log_delivery_accounts option;A list of accounts that you can enable debug logging for your organization Config Custom Policy rule. List is null when debug logging is enabled for all accounts.
*)policy_text : policy_text;The policy definition containing the logic for your organization Config Custom Policy rule.
*)policy_runtime : policy_runtime;The runtime system for your organization Config Custom Policy rules. Guard is a policy-as-code language that allows you to write policies that are enforced by Config Custom Policy rules. For more information about Guard, see the Guard GitHub Repository.
*)tag_value_scope : string_with_char_limit256 option;The optional part of a key-value pair that make up a tag. A value acts as a descriptor within a tag category (key).
*)tag_key_scope : string_with_char_limit128 option;One part of a key-value pair that make up a tag. A key is a general label that acts like a category for more specific tag values.
*)resource_id_scope : string_with_char_limit768 option;The ID of the Amazon Web Services resource that was evaluated.
*)resource_types_scope : resource_types_scope option;The type of the Amazon Web Services resource that was evaluated.
*)maximum_execution_frequency : maximum_execution_frequency option;The maximum frequency with which Config runs evaluations for a rule. Your Config Custom Policy rule is triggered when Config delivers the configuration snapshot. For more information, see ConfigSnapshotDeliveryProperties.
input_parameters : string_with_char_limit2048 option;A string, in JSON format, that is passed to your organization Config Custom Policy rule.
*)organization_config_rule_trigger_types : organization_config_rule_trigger_type_no_s_ns
option;The type of notification that initiates Config to run an evaluation for a rule. For Config Custom Policy rules, Config supports change-initiated notification types:
ConfigurationItemChangeNotification - Initiates an evaluation when Config delivers a configuration item as a result of a resource change.OversizedConfigurationItemChangeNotification - Initiates an evaluation when Config delivers an oversized configuration item. Config may generate this notification type when a resource changes and the notification exceeds the maximum size allowed by Amazon SNS.description : string_with_char_limit256_min0 option;The description that you provide for your organization Config Custom Policy rule.
*)}An object that specifies metadata for your organization's Config Custom Policy rule. The metadata includes the runtime system in use, which accounts have debug logging enabled, and other custom rule metadata, such as resource type, resource ID of Amazon Web Services resource, and organization trigger types that initiate Config to evaluate Amazon Web Services resources against a rule.
type nonrec put_organization_config_rule_request = {organization_custom_policy_rule_metadata : organization_custom_policy_rule_metadata
option;An OrganizationCustomPolicyRuleMetadata object. This object specifies metadata for your organization's Config Custom Policy rule. The metadata includes the runtime system in use, which accounts have debug logging enabled, and other custom rule metadata, such as resource type, resource ID of Amazon Web Services resource, and organization trigger types that initiate Config to evaluate Amazon Web Services resources against a rule.
excluded_accounts : excluded_accounts option;A comma-separated list of accounts that you want to exclude from an organization Config rule.
*)organization_custom_rule_metadata : organization_custom_rule_metadata option;An OrganizationCustomRuleMetadata object. This object specifies organization custom rule metadata such as resource type, resource ID of Amazon Web Services resource, Lambda function ARN, and organization trigger types that trigger Config to evaluate your Amazon Web Services resources against a rule. It also provides the frequency with which you want Config to run evaluations for the rule if the trigger type is periodic.
organization_managed_rule_metadata : organization_managed_rule_metadata option;An OrganizationManagedRuleMetadata object. This object specifies organization managed rule metadata such as resource type and ID of Amazon Web Services resource along with the rule identifier. It also provides the frequency with which you want Config to run evaluations for the rule if the trigger type is periodic.
organization_config_rule_name : organization_config_rule_name;The name that you assign to an organization Config rule.
*)}type nonrec external_evaluation = {ordering_timestamp : ordering_timestamp;The time when the compliance was recorded.
*)annotation : string_with_char_limit256 option;Supplementary information about the reason of compliance. For example, this task was completed on a specific date.
*)compliance_type : compliance_type;The compliance of the Amazon Web Services resource. The valid values are COMPLIANT, NON_COMPLIANT, and NOT_APPLICABLE.
compliance_resource_id : base_resource_id;The evaluated compliance resource ID. Config accepts only Amazon Web Services account ID.
*)compliance_resource_type : string_with_char_limit256;The evaluated compliance resource type. Config accepts AWS::::Account resource type.
}Identifies an Amazon Web Services resource and indicates whether it complies with the Config rule that it was evaluated against.
type nonrec put_external_evaluation_request = {external_evaluation : external_evaluation;An ExternalEvaluation object that provides details about compliance.
config_rule_name : config_rule_name;The name of the Config rule.
*)}type nonrec invalid_result_token_exception = {message : error_message option;Error executing the command
*)}The specified ResultToken is not valid.
type nonrec evaluation = {ordering_timestamp : ordering_timestamp;The time of the event in Config that triggered the evaluation. For event-based evaluations, the time indicates when Config created the configuration item that triggered the evaluation. For periodic evaluations, the time indicates when Config triggered the evaluation at the frequency that you specified (for example, every 24 hours).
*)annotation : string_with_char_limit256 option;Supplementary information about how the evaluation determined the compliance.
*)compliance_type : compliance_type;Indicates whether the Amazon Web Services resource complies with the Config rule that it was evaluated against.
For the Evaluation data type, Config supports only the COMPLIANT, NON_COMPLIANT, and NOT_APPLICABLE values. Config does not support the INSUFFICIENT_DATA value for this data type.
Similarly, Config does not accept INSUFFICIENT_DATA as the value for ComplianceType from a PutEvaluations request. For example, an Lambda function for a custom Config rule cannot pass an INSUFFICIENT_DATA value to Config.
compliance_resource_id : base_resource_id;The ID of the Amazon Web Services resource that was evaluated.
*)compliance_resource_type : string_with_char_limit256;The type of Amazon Web Services resource that was evaluated.
*)}Identifies an Amazon Web Services resource and indicates whether it complies with the Config rule that it was evaluated against.
type nonrec evaluations = evaluation listtype nonrec put_evaluations_response = {failed_evaluations : evaluations option;Requests that failed because of a client or server error.
*)}type nonrec put_evaluations_request = {test_mode : boolean_ option;Use this parameter to specify a test run for PutEvaluations. You can verify whether your Lambda function will deliver evaluation results to Config. No updates occur to your existing evaluations, and evaluation results are not sent to Config.
When TestMode is true, PutEvaluations doesn't require a valid value for the ResultToken parameter, but the value cannot be null.
result_token : string_;An encrypted token that associates an evaluation with an Config rule. Identifies the rule and the event that triggered the evaluation.
*)evaluations : evaluations option;The assessments that the Lambda function performs. Each evaluation identifies an Amazon Web Services resource and indicates whether it complies with the Config rule that invokes the Lambda function.
*)}type nonrec no_such_bucket_exception = {message : error_message option;Error executing the command
*)}The specified Amazon S3 bucket does not exist.
type nonrec no_available_configuration_recorder_exception = {message : error_message option;Error executing the command
*)}There are no customer managed configuration recorders available to record your resources. Use the PutConfigurationRecorder operation to create the customer managed configuration recorder.
type nonrec max_number_of_delivery_channels_exceeded_exception = {message : error_message option;Error executing the command
*)}You have reached the limit of the number of delivery channels you can create.
type nonrec invalid_sns_topic_arn_exception = {message : error_message option;Error executing the command
*)}The specified Amazon SNS topic does not exist.
type nonrec invalid_s3_kms_key_arn_exception = {message : error_message option;Error executing the command
*)}The specified Amazon KMS Key ARN is not valid.
type nonrec invalid_s3_key_prefix_exception = {message : error_message option;Error executing the command
*)}The specified Amazon S3 key prefix is not valid.
type nonrec invalid_delivery_channel_name_exception = {message : error_message option;Error executing the command
*)}The specified delivery channel name is not valid.
type nonrec insufficient_delivery_policy_exception = {message : error_message option;Error executing the command
*)}Your Amazon S3 bucket policy does not allow Config to write to it.
type nonrec config_snapshot_delivery_properties = {delivery_frequency : maximum_execution_frequency option;The frequency with which Config delivers configuration snapshots.
*)}Provides options for how often Config delivers configuration snapshots to the Amazon S3 bucket in your delivery channel.
The frequency for a rule that triggers evaluations for your resources when Config delivers the configuration snapshot is set by one of two values, depending on which is less frequent:
deliveryFrequency parameter within the delivery channel configuration, which sets how often Config delivers configuration snapshots. This value also sets how often Config invokes evaluations for Config rules.MaximumExecutionFrequency parameter, which sets the maximum frequency with which Config invokes evaluations for the rule. For more information, see ConfigRule.If the deliveryFrequency value is less frequent than the MaximumExecutionFrequency value for a rule, Config invokes the rule only as often as the deliveryFrequency value.
MaximumExecutionFrequency value for Six_Hours.deliveryFrequency value for TwentyFour_Hours.deliveryFrequency is less frequent than MaximumExecutionFrequency, Config invokes evaluations for the rule every 24 hours.You should set the MaximumExecutionFrequency value to be at least as frequent as the deliveryFrequency value. You can view the deliveryFrequency value by using the DescribeDeliveryChannnels action.
To update the deliveryFrequency with which Config delivers your configuration snapshots, use the PutDeliveryChannel action.
type nonrec delivery_channel = {config_snapshot_delivery_properties : config_snapshot_delivery_properties
option;The options for how often Config delivers configuration snapshots to the Amazon S3 bucket.
*)sns_topic_ar_n : string_ option;The Amazon Resource Name (ARN) of the Amazon SNS topic to which Config sends notifications about configuration changes.
If you choose a topic from another account, the topic must have policies that grant access permissions to Config. For more information, see Permissions for the Amazon SNS Topic in the Config Developer Guide.
*)s3_kms_key_arn : string_ option;The Amazon Resource Name (ARN) of the Key Management Service (KMS ) KMS key (KMS key) used to encrypt objects delivered by Config. Must belong to the same Region as the destination S3 bucket.
*)s3_key_prefix : string_ option;The prefix for the specified Amazon S3 bucket.
*)s3_bucket_name : string_ option;The name of the Amazon S3 bucket to which Config delivers configuration snapshots and configuration history files.
If you specify a bucket that belongs to another Amazon Web Services account, that bucket must have policies that grant access permissions to Config. For more information, see Permissions for the Amazon S3 Bucket in the Config Developer Guide.
*)name : channel_name option;The name of the delivery channel. By default, Config assigns the name "default" when creating the delivery channel. To change the delivery channel name, you must use the DeleteDeliveryChannel action to delete your current delivery channel, and then you must use the PutDeliveryChannel command to create a delivery channel that has the desired name.
*)}The channel through which Config delivers notifications and updated configuration states.
type nonrec put_delivery_channel_request = {delivery_channel : delivery_channel;An object for the delivery channel. A delivery channel sends notifications and updated configuration states.
*)}The input for the PutDeliveryChannel action.
type nonrec max_number_of_conformance_packs_exceeded_exception = {message : error_message option;Error executing the command
*)}You have reached the limit of the number of conformance packs you can create in an account. For more information, see Service Limits in the Config Developer Guide.
type nonrec conformance_pack_template_validation_exception = {message : error_message option;Error executing the command
*)}You have specified a template that is not valid or supported.
type nonrec put_conformance_pack_response = {conformance_pack_arn : conformance_pack_arn option;ARN of the conformance pack.
*)}type nonrec put_conformance_pack_request = {template_ssm_document_details : template_ssm_document_details option;An object of type TemplateSSMDocumentDetails, which contains the name or the Amazon Resource Name (ARN) of the Amazon Web Services Systems Manager document (SSM document) and the version of the SSM document that is used to create a conformance pack.
conformance_pack_input_parameters : conformance_pack_input_parameters option;A list of ConformancePackInputParameter objects.
delivery_s3_key_prefix : delivery_s3_key_prefix option;The prefix for the Amazon S3 bucket.
This field is optional.
*)delivery_s3_bucket : delivery_s3_bucket option;The name of the Amazon S3 bucket where Config stores conformance pack templates.
This field is optional.
*)template_body : template_body option;A string containing the full conformance pack template body. The structure containing the template body has a minimum length of 1 byte and a maximum length of 51,200 bytes.
You can use a YAML template with two resource types: Config rule (AWS::Config::ConfigRule) and remediation action (AWS::Config::RemediationConfiguration).
template_s3_uri : template_s3_uri option;The location of the file containing the template body (s3://bucketname/prefix). The uri must point to a conformance pack template (max size: 300 KB) that is located in an Amazon S3 bucket in the same Region as the conformance pack.
You must have access to read Amazon S3 bucket. In addition, in order to ensure a successful deployment, the template object must not be in an archived storage class if this parameter is passed.
*)conformance_pack_name : conformance_pack_name;The unique name of the conformance pack you want to deploy.
*)}type nonrec max_number_of_configuration_recorders_exceeded_exception = {message : error_message option;Error executing the command
*)}You have reached the limit of the number of configuration recorders you can create.
type nonrec invalid_role_exception = {message : error_message option;Error executing the command
*)}You have provided a null or empty Amazon Resource Name (ARN) for the IAM role assumed by Config and used by the customer managed configuration recorder.
type nonrec invalid_recording_group_exception = {message : error_message option;Error executing the command
*)}One of the following errors:
You have provided a combination of parameter values that is not valid. For example:
allSupported field of RecordingGroup to true, but providing a non-empty list for the resourceTypesfield of RecordingGroup.allSupported field of RecordingGroup to true, but also setting the useOnly field of RecordingStrategy to EXCLUSION_BY_RESOURCE_TYPES.type nonrec invalid_configuration_recorder_name_exception = {message : error_message option;Error executing the command
*)}You have provided a name for the customer managed configuration recorder that is not valid.
type nonrec resource_type_list = resource_type listtype nonrec exclusion_by_resource_types = {resource_types : resource_type_list option;A comma-separated list of resource types to exclude from recording by the configuration recorder.
*)}Specifies whether the configuration recorder excludes certain resource types from being recorded. Use the resourceTypes field to enter a comma-separated list of resource types you want to exclude from recording.
By default, when Config adds support for a new resource type in the Region where you set up the configuration recorder, including global resource types, Config starts recording resources of that type automatically.
How to use the exclusion recording strategy
To use this option, you must set the useOnly field of RecordingStrategy to EXCLUSION_BY_RESOURCE_TYPES.
Config will then record configuration changes for all supported resource types, except the resource types that you specify to exclude from being recorded.
Global resource types and the exclusion recording strategy
Unless specifically listed as exclusions, AWS::RDS::GlobalCluster will be recorded automatically in all supported Config Regions were the configuration recorder is enabled.
IAM users, groups, roles, and customer managed policies will be recorded in the Region where you set up the configuration recorder if that is a Region where Config was available before February 2022. You cannot be record the global IAM resouce types in Regions supported by Config after February 2022. For a list of those Regions, see Recording Amazon Web Services Resources | Global Resources.
type nonrec recording_strategy = {use_only : recording_strategy_type option;The recording strategy for the configuration recorder.
ALL_SUPPORTED_RESOURCE_TYPES, Config records configuration changes for all supported resource types, excluding the global IAM resource types. You also must set the allSupported field of RecordingGroup to true. When Config adds support for a new resource type, Config automatically starts recording resources of that type. For a list of supported resource types, see Supported Resource Types in the Config developer guide.INCLUSION_BY_RESOURCE_TYPES, Config records configuration changes for only the resource types that you specify in the resourceTypes field of RecordingGroup.EXCLUSION_BY_RESOURCE_TYPES, Config records configuration changes for all supported resource types, except the resource types that you specify to exclude from being recorded in the resourceTypes field of ExclusionByResourceTypes.Required and optional fields
The recordingStrategy field is optional when you set the allSupported field of RecordingGroup to true.
The recordingStrategy field is optional when you list resource types in the resourceTypes field of RecordingGroup.
The recordingStrategy field is required if you list resource types to exclude from recording in the resourceTypes field of ExclusionByResourceTypes.
Overriding fields
If you choose EXCLUSION_BY_RESOURCE_TYPES for the recording strategy, the exclusionByResourceTypes field will override other properties in the request.
For example, even if you set includeGlobalResourceTypes to false, global IAM resource types will still be automatically recorded in this option unless those resource types are specifically listed as exclusions in the resourceTypes field of exclusionByResourceTypes.
Global resource types and the exclusion recording strategy
By default, if you choose the EXCLUSION_BY_RESOURCE_TYPES recording strategy, when Config adds support for a new resource type in the Region where you set up the configuration recorder, including global resource types, Config starts recording resources of that type automatically.
Unless specifically listed as exclusions, AWS::RDS::GlobalCluster will be recorded automatically in all supported Config Regions were the configuration recorder is enabled.
IAM users, groups, roles, and customer managed policies will be recorded in the Region where you set up the configuration recorder if that is a Region where Config was available before February 2022. You cannot be record the global IAM resouce types in Regions supported by Config after February 2022. This list where you cannot record the global IAM resource types includes the following Regions:
}Specifies the recording strategy of the configuration recorder.
type nonrec recording_group = {recording_strategy : recording_strategy option;An object that specifies the recording strategy for the configuration recorder.
useOnly field of RecordingStrategy to ALL_SUPPORTED_RESOURCE_TYPES, Config records configuration changes for all supported resource types, excluding the global IAM resource types. You also must set the allSupported field of RecordingGroup to true. When Config adds support for a new resource type, Config automatically starts recording resources of that type.useOnly field of RecordingStrategy to INCLUSION_BY_RESOURCE_TYPES, Config records configuration changes for only the resource types you specify in the resourceTypes field of RecordingGroup.useOnly field of RecordingStrategy to EXCLUSION_BY_RESOURCE_TYPES, Config records configuration changes for all supported resource types except the resource types that you specify to exclude from being recorded in the resourceTypes field of ExclusionByResourceTypes.Required and optional fields
The recordingStrategy field is optional when you set the allSupported field of RecordingGroup to true.
The recordingStrategy field is optional when you list resource types in the resourceTypes field of RecordingGroup.
The recordingStrategy field is required if you list resource types to exclude from recording in the resourceTypes field of ExclusionByResourceTypes.
Overriding fields
If you choose EXCLUSION_BY_RESOURCE_TYPES for the recording strategy, the exclusionByResourceTypes field will override other properties in the request.
For example, even if you set includeGlobalResourceTypes to false, global IAM resource types will still be automatically recorded in this option unless those resource types are specifically listed as exclusions in the resourceTypes field of exclusionByResourceTypes.
Global resources types and the resource exclusion recording strategy
By default, if you choose the EXCLUSION_BY_RESOURCE_TYPES recording strategy, when Config adds support for a new resource type in the Region where you set up the configuration recorder, including global resource types, Config starts recording resources of that type automatically.
Unless specifically listed as exclusions, AWS::RDS::GlobalCluster will be recorded automatically in all supported Config Regions were the configuration recorder is enabled.
IAM users, groups, roles, and customer managed policies will be recorded in the Region where you set up the configuration recorder if that is a Region where Config was available before February 2022. You cannot be record the global IAM resouce types in Regions supported by Config after February 2022. For a list of those Regions, see Recording Amazon Web Services Resources | Global Resources.
*)exclusion_by_resource_types : exclusion_by_resource_types option;An object that specifies how Config excludes resource types from being recorded by the configuration recorder.
Required fields
To use this option, you must set the useOnly field of RecordingStrategy to EXCLUSION_BY_RESOURCE_TYPES.
resource_types : resource_type_list option;A comma-separated list that specifies which resource types Config records.
For a list of valid resourceTypes values, see the Resource Type Value column in Supported Amazon Web Services resource Types in the Config developer guide.
Required and optional fields
Optionally, you can set the useOnly field of RecordingStrategy to INCLUSION_BY_RESOURCE_TYPES.
To record all configuration changes, set the allSupported field of RecordingGroup to true, and either omit this field or don't specify any resource types in this field. If you set the allSupported field to false and specify values for resourceTypes, when Config adds support for a new type of resource, it will not record resources of that type unless you manually add that type to your recording group.
Region availability
Before specifying a resource type for Config to track, check Resource Coverage by Region Availability to see if the resource type is supported in the Amazon Web Services Region where you set up Config. If a resource type is supported by Config in at least one Region, you can enable the recording of that resource type in all Regions supported by Config, even if the specified resource type is not supported in the Amazon Web Services Region where you set up Config.
*)include_global_resource_types : include_global_resource_types option;This option is a bundle which only applies to the global IAM resource types: IAM users, groups, roles, and customer managed policies. These global IAM resource types can only be recorded by Config in Regions where Config was available before February 2022. You cannot be record the global IAM resouce types in Regions supported by Config after February 2022. For a list of those Regions, see Recording Amazon Web Services Resources | Global Resources.
Aurora global clusters are recorded in all enabled Regions
The AWS::RDS::GlobalCluster resource type will be recorded in all supported Config Regions where the configuration recorder is enabled, even if includeGlobalResourceTypes is setfalse. The includeGlobalResourceTypes option is a bundle which only applies to IAM users, groups, roles, and customer managed policies.
If you do not want to record AWS::RDS::GlobalCluster in all enabled Regions, use one of the following recording strategies:
EXCLUSION_BY_RESOURCE_TYPES), orINCLUSION_BY_RESOURCE_TYPES).For more information, see Selecting Which Resources are Recorded in the Config developer guide.
includeGlobalResourceTypes and the exclusion recording strategy
The includeGlobalResourceTypes field has no impact on the EXCLUSION_BY_RESOURCE_TYPES recording strategy. This means that the global IAM resource types (IAM users, groups, roles, and customer managed policies) will not be automatically added as exclusions for exclusionByResourceTypes when includeGlobalResourceTypes is set to false.
The includeGlobalResourceTypes field should only be used to modify the AllSupported field, as the default for the AllSupported field is to record configuration changes for all supported resource types excluding the global IAM resource types. To include the global IAM resource types when AllSupported is set to true, make sure to set includeGlobalResourceTypes to true.
To exclude the global IAM resource types for the EXCLUSION_BY_RESOURCE_TYPES recording strategy, you need to manually add them to the resourceTypes field of exclusionByResourceTypes.
Required and optional fields
Before you set this field to true, set the allSupported field of RecordingGroup to true. Optionally, you can set the useOnly field of RecordingStrategy to ALL_SUPPORTED_RESOURCE_TYPES.
Overriding fields
If you set this field to false but list global IAM resource types in the resourceTypes field of RecordingGroup, Config will still record configuration changes for those specified resource types regardless of if you set the includeGlobalResourceTypes field to false.
If you do not want to record configuration changes to the global IAM resource types (IAM users, groups, roles, and customer managed policies), make sure to not list them in the resourceTypes field in addition to setting the includeGlobalResourceTypes field to false.
all_supported : all_supported option;Specifies whether Config records configuration changes for all supported resource types, excluding the global IAM resource types.
If you set this field to true, when Config adds support for a new resource type, Config starts recording resources of that type automatically.
If you set this field to true, you cannot enumerate specific resource types to record in the resourceTypes field of RecordingGroup, or to exclude in the resourceTypes field of ExclusionByResourceTypes.
Region availability
Check Resource Coverage by Region Availability to see if a resource type is supported in the Amazon Web Services Region where you set up Config.
*)}Specifies which resource types Config records for configuration changes. By default, Config records configuration changes for all current and future supported resource types in the Amazon Web Services Region where you have enabled Config, excluding the global IAM resource types: IAM users, groups, roles, and customer managed policies.
In the recording group, you specify whether you want to record all supported current and future supported resource types or to include or exclude specific resources types. For a list of supported resource types, see Supported Resource Types in the Config developer guide.
If you don't want Config to record all current and future supported resource types (excluding the global IAM resource types), use one of the following recording strategies:
EXCLUSION_BY_RESOURCE_TYPES), orINCLUSION_BY_RESOURCE_TYPES).If you use the recording strategy to Record all current and future resource types (ALL_SUPPORTED_RESOURCE_TYPES), you can use the flag includeGlobalResourceTypes to include the global IAM resource types in your recording.
Aurora global clusters are recorded in all enabled Regions
The AWS::RDS::GlobalCluster resource type will be recorded in all supported Config Regions where the configuration recorder is enabled.
If you do not want to record AWS::RDS::GlobalCluster in all enabled Regions, use the EXCLUSION_BY_RESOURCE_TYPES or INCLUSION_BY_RESOURCE_TYPES recording strategy.
type nonrec recording_mode_resource_types_list = resource_type listtype nonrec recording_mode_override = {recording_frequency : recording_frequency;The recording frequency that will be applied to all the resource types specified in the override.
Firewall Manager depends on continuous recording to monitor your resources. If you are using Firewall Manager, it is recommended that you set the recording frequency to Continuous.
*)resource_types : recording_mode_resource_types_list;A comma-separated list that specifies which resource types Config includes in the override.
Daily recording cannot be specified for the following resource types:
AWS::Config::ResourceComplianceAWS::Config::ConformancePackComplianceAWS::Config::ConfigurationRecorderdescription : description option;A description that you provide for the override.
*)}An object for you to specify your overrides for the recording mode.
type nonrec recording_mode_overrides = recording_mode_override listtype nonrec recording_mode = {recording_mode_overrides : recording_mode_overrides option;An array of recordingModeOverride objects for you to specify your overrides for the recording mode. The recordingModeOverride object in the recordingModeOverrides array consists of three fields: a description, the new recordingFrequency, and an array of resourceTypes to override.
recording_frequency : recording_frequency;The default recording frequency that Config uses to record configuration changes.
Daily recording cannot be specified for the following resource types:
AWS::Config::ResourceComplianceAWS::Config::ConformancePackComplianceAWS::Config::ConfigurationRecorderFor the allSupported (ALL_SUPPORTED_RESOURCE_TYPES) recording strategy, these resource types will be set to Continuous recording.
}Specifies the default recording frequency that Config uses to record configuration changes. Config supports Continuous recording and Daily recording.
Firewall Manager depends on continuous recording to monitor your resources. If you are using Firewall Manager, it is recommended that you set the recording frequency to Continuous.
You can also override the recording frequency for specific resource types.
type nonrec configuration_recorder = {service_principal : service_principal option;For service-linked configuration recorders, specifies the linked Amazon Web Services service for the configuration recorder.
*)recording_scope : recording_scope option;Specifies whether the ConfigurationItems in scope for the specified configuration recorder are recorded for free (INTERNAL) or if it impacts the costs to your bill (PAID).
recording_mode : recording_mode option;Specifies the default recording frequency for the configuration recorder. Config supports Continuous recording and Daily recording.
Some resource types require continuous recording
Firewall Manager depends on continuous recording to monitor your resources. If you are using Firewall Manager, it is recommended that you set the recording frequency to Continuous.
You can also override the recording frequency for specific resource types.
*)recording_group : recording_group option;Specifies which resource types are in scope for the configuration recorder to record.
High Number of Config Evaluations
You might notice increased activity in your account during your initial month recording with Config when compared to subsequent months. During the initial bootstrapping process, Config runs evaluations on all the resources in your account that you have selected for Config to record.
If you are running ephemeral workloads, you may see increased activity from Config as it records configuration changes associated with creating and deleting these temporary resources. An ephemeral workload is a temporary use of computing resources that are loaded and run when needed. Examples include Amazon Elastic Compute Cloud (Amazon EC2) Spot Instances, Amazon EMR jobs, and Auto Scaling.
If you want to avoid the increased activity from running ephemeral workloads, you can set up the configuration recorder to exclude these resource types from being recorded, or run these types of workloads in a separate account with Config turned off to avoid increased configuration recording and rule evaluations.
*)role_ar_n : string_ option;The Amazon Resource Name (ARN) of the IAM role assumed by Config and used by the specified configuration recorder.
The server will reject a request without a defined roleARN for the configuration recorder
While the API model does not require this field, the server will reject a request without a defined roleARN for the configuration recorder.
Policies and compliance results
IAM policies and other policies managed in Organizations can impact whether Config has permissions to record configuration changes for your resources. Additionally, rules directly evaluate the configuration of a resource and rules don't take into account these policies when running evaluations. Make sure that the policies in effect align with how you intend to use Config.
Keep Minimum Permisions When Reusing an IAM role
If you use an Amazon Web Services service that uses Config, such as Security Hub or Control Tower, and an IAM role has already been created, make sure that the IAM role that you use when setting up Config keeps the same minimum permissions as the pre-existing IAM role. You must do this to ensure that the other Amazon Web Services service continues to run as expected.
For example, if Control Tower has an IAM role that allows Config to read S3 objects, make sure that the same permissions are granted to the IAM role you use when setting up Config. Otherwise, it may interfere with how Control Tower operates.
The service-linked IAM role for Config must be used for service-linked configuration recorders
For service-linked configuration recorders, you must use the service-linked IAM role for Config: AWSServiceRoleForConfig.
*)name : recorder_name option;The name of the configuration recorder.
For customer managed configuration recorders, Config automatically assigns the name of "default" when creating a configuration recorder if you do not specify a name at creation time.
For service-linked configuration recorders, Config automatically assigns a name that has the prefix "AWS" to a new service-linked configuration recorder.
Changing the name of a configuration recorder
To change the name of the customer managed configuration recorder, you must delete it and create a new customer managed configuration recorder with a new name.
You cannot change the name of a service-linked configuration recorder.
*)arn : amazon_resource_name option;The Amazon Resource Name (ARN) of the specified configuration recorder.
*)}Records configuration changes to the resource types in scope.
For more information about the configuration recorder, see Working with the Configuration Recorder in the Config Developer Guide.
type nonrec put_configuration_recorder_request = {configuration_recorder : configuration_recorder;An object for the configuration recorder. A configuration recorder records configuration changes for the resource types in scope.
*)}The input for the PutConfigurationRecorder action.
type nonrec account_aggregation_source_account_list = account_id listtype nonrec aggregator_region_list = string_ listtype nonrec account_aggregation_source = {aws_regions : aggregator_region_list option;The source regions being aggregated.
*)all_aws_regions : boolean_ option;If true, aggregate existing Config regions and future regions.
*)account_ids : account_aggregation_source_account_list;The 12-digit account ID of the account being aggregated.
*)}A collection of accounts and regions.
type nonrec account_aggregation_source_list = account_aggregation_source listtype nonrec organization_aggregation_source = {all_aws_regions : boolean_ option;If true, aggregate existing Config regions and future regions.
*)aws_regions : aggregator_region_list option;The source regions being aggregated.
*)role_arn : string_;ARN of the IAM role used to retrieve Amazon Web Services Organization details associated with the aggregator account.
*)}This object contains regions to set up the aggregator and an IAM role to retrieve organization details.
type nonrec resource_type_value_list = resource_type_value listtype nonrec aggregator_filter_resource_type = {value : resource_type_value_list option;Comma-separate list of resource types to filter your aggregated configuration recorders.
*)type_ : aggregator_filter_type option;The type of resource type filter to apply. INCLUDE specifies that the list of resource types in the Value field will be aggregated and no other resource types will be filtered.
}An object to filter the configuration recorders based on the resource types in scope for recording.
type nonrec service_principal_value_list = service_principal_value listtype nonrec aggregator_filter_service_principal = {value : service_principal_value_list option;Comma-separated list of service principals for the linked Amazon Web Services services to filter your aggregated service-linked configuration recorders.
*)type_ : aggregator_filter_type option;The type of service principal filter to apply. INCLUDE specifies that the list of service principals in the Value field will be aggregated and no other service principals will be filtered.
}An object to filter service-linked configuration recorders in an aggregator based on the linked Amazon Web Services service.
type nonrec aggregator_filters = {service_principal : aggregator_filter_service_principal option;An object to filter service-linked configuration recorders in an aggregator based on the linked Amazon Web Services service.
*)resource_type : aggregator_filter_resource_type option;An object to filter the configuration recorders based on the resource types in scope for recording.
*)}An object to filter the data you specify for an aggregator.
type nonrec configuration_aggregator = {aggregator_filters : aggregator_filters option;An object to filter the data you specify for an aggregator.
*)created_by : string_with_char_limit256 option;Amazon Web Services service that created the configuration aggregator.
*)last_updated_time : date option;The time of the last update.
*)creation_time : date option;The time stamp when the configuration aggregator was created.
*)organization_aggregation_source : organization_aggregation_source option;Provides an organization and list of regions to be aggregated.
*)account_aggregation_sources : account_aggregation_source_list option;Provides a list of source accounts and regions to be aggregated.
*)configuration_aggregator_arn : configuration_aggregator_arn option;The Amazon Resource Name (ARN) of the aggregator.
*)configuration_aggregator_name : configuration_aggregator_name option;The name of the aggregator.
*)}The details about the configuration aggregator, including information about source accounts, regions, and metadata of the aggregator.
type nonrec put_configuration_aggregator_response = {configuration_aggregator : configuration_aggregator option;Returns a ConfigurationAggregator object.
*)}type nonrec put_configuration_aggregator_request = {aggregator_filters : aggregator_filters option;An object to filter configuration recorders in an aggregator. Either ResourceType or ServicePrincipal is required.
organization_aggregation_source : organization_aggregation_source option;An OrganizationAggregationSource object.
*)account_aggregation_sources : account_aggregation_source_list option;A list of AccountAggregationSource object.
*)configuration_aggregator_name : configuration_aggregator_name;The name of the configuration aggregator.
*)}type nonrec max_number_of_config_rules_exceeded_exception = {message : error_message option;Error executing the command
*)}Failed to add the Config rule because the account already contains the maximum number of 1000 rules. Consider deleting any deactivated rules before you add new rules.
type nonrec compliance_resource_types = string_with_char_limit256 listtype nonrec scope = {compliance_resource_id : base_resource_id option;The ID of the only Amazon Web Services resource that you want to trigger an evaluation for the rule. If you specify a resource ID, you must specify one resource type for ComplianceResourceTypes.
tag_value : string_with_char_limit256 option;The tag value applied to only those Amazon Web Services resources that you want to trigger an evaluation for the rule. If you specify a value for TagValue, you must also specify a value for TagKey.
tag_key : string_with_char_limit128 option;The tag key that is applied to only those Amazon Web Services resources that you want to trigger an evaluation for the rule.
*)compliance_resource_types : compliance_resource_types option;The resource types of only those Amazon Web Services resources that you want to trigger an evaluation for the rule. You can only specify one type if you also specify a resource ID for ComplianceResourceId.
}Defines which resources trigger an evaluation for an Config rule. The scope can include one or more resource types, a combination of a tag key and value, or a combination of one resource type and one resource ID. Specify a scope to constrain which resources trigger an evaluation for a rule. Otherwise, evaluations for the rule are triggered when any resource in your recording group changes in configuration.
type nonrec source_detail = {maximum_execution_frequency : maximum_execution_frequency option;The frequency at which you want Config to run evaluations for a custom rule with a periodic trigger. If you specify a value for MaximumExecutionFrequency, then MessageType must use the ScheduledNotification value.
By default, rules with a periodic trigger are evaluated every 24 hours. To change the frequency, specify a valid value for the MaximumExecutionFrequency parameter.
Based on the valid value you choose, Config runs evaluations once for each valid value. For example, if you choose Three_Hours, Config runs evaluations once every three hours. In this case, Three_Hours is the frequency of this rule.
message_type : message_type option;The type of notification that triggers Config to run an evaluation for a rule. You can specify the following notification types:
ConfigurationItemChangeNotification - Triggers an evaluation when Config delivers a configuration item as a result of a resource change.OversizedConfigurationItemChangeNotification - Triggers an evaluation when Config delivers an oversized configuration item. Config may generate this notification type when a resource changes and the notification exceeds the maximum size allowed by Amazon SNS.ScheduledNotification - Triggers a periodic evaluation at the frequency specified for MaximumExecutionFrequency.ConfigurationSnapshotDeliveryCompleted - Triggers a periodic evaluation when Config delivers a configuration snapshot.If you want your custom rule to be triggered by configuration changes, specify two SourceDetail objects, one for ConfigurationItemChangeNotification and one for OversizedConfigurationItemChangeNotification.
event_source : event_source option;The source of the event, such as an Amazon Web Services service, that triggers Config to evaluate your Amazon Web Services resources.
*)}Provides the source and the message types that trigger Config to evaluate your Amazon Web Services resources against a rule. It also provides the frequency with which you want Config to run evaluations for the rule if the trigger type is periodic. You can specify the parameter values for SourceDetail only for custom rules.
type nonrec source_details = source_detail listtype nonrec custom_policy_details = {enable_debug_log_delivery : boolean_ option;The boolean expression for enabling debug logging for your Config Custom Policy rule. The default value is false.
policy_text : policy_text;The policy definition containing the logic for your Config Custom Policy rule.
*)policy_runtime : policy_runtime;The runtime system for your Config Custom Policy rule. Guard is a policy-as-code language that allows you to write policies that are enforced by Config Custom Policy rules. For more information about Guard, see the Guard GitHub Repository.
*)}Provides the runtime system, policy definition, and whether debug logging enabled. You can specify the following CustomPolicyDetails parameter values only for Config Custom Policy rules.
type nonrec source = {custom_policy_details : custom_policy_details option;Provides the runtime system, policy definition, and whether debug logging is enabled. Required when owner is set to CUSTOM_POLICY.
source_details : source_details option;Provides the source and the message types that cause Config to evaluate your Amazon Web Services resources against a rule. It also provides the frequency with which you want Config to run evaluations for the rule if the trigger type is periodic.
If the owner is set to CUSTOM_POLICY, the only acceptable values for the Config rule trigger message type are ConfigurationItemChangeNotification and OversizedConfigurationItemChangeNotification.
source_identifier : string_with_char_limit256 option;For Config Managed rules, a predefined identifier from a list. For example, IAM_PASSWORD_POLICY is a managed rule. To reference a managed rule, see List of Config Managed Rules.
For Config Custom Lambda rules, the identifier is the Amazon Resource Name (ARN) of the rule's Lambda function, such as arn:aws:lambda:us-east-2:123456789012:function:custom_rule_name.
For Config Custom Policy rules, this field will be ignored.
*)owner : owner;Indicates whether Amazon Web Services or the customer owns and manages the Config rule.
Config Managed Rules are predefined rules owned by Amazon Web Services. For more information, see Config Managed Rules in the Config developer guide.
Config Custom Rules are rules that you can develop either with Guard (CUSTOM_POLICY) or Lambda (CUSTOM_LAMBDA). For more information, see Config Custom Rules in the Config developer guide.
}Provides the CustomPolicyDetails, the rule owner (Amazon Web Services for managed rules, CUSTOM_POLICY for Custom Policy rules, and CUSTOM_LAMBDA for Custom Lambda rules), the rule identifier, and the events that cause the evaluation of your Amazon Web Services resources.
type nonrec evaluation_mode_configuration = {mode : evaluation_mode option;The mode of an evaluation. The valid values are Detective or Proactive.
*)}The configuration object for Config rule evaluation mode. The supported valid values are Detective or Proactive.
type nonrec evaluation_modes = evaluation_mode_configuration listtype nonrec config_rule = {evaluation_modes : evaluation_modes option;The modes the Config rule can be evaluated in. The valid values are distinct objects. By default, the value is Detective evaluation mode only.
*)created_by : string_with_char_limit256 option;Service principal name of the service that created the rule.
The field is populated only if the service-linked rule is created by a service. The field is empty if you create your own rule.
*)config_rule_state : config_rule_state option;Indicates whether the Config rule is active or is currently being deleted by Config. It can also indicate the evaluation status for the Config rule.
Config sets the state of the rule to EVALUATING temporarily after you use the StartConfigRulesEvaluation request to evaluate your resources against the Config rule.
Config sets the state of the rule to DELETING_RESULTS temporarily after you use the DeleteEvaluationResults request to delete the current evaluation results for the Config rule.
Config temporarily sets the state of a rule to DELETING after you use the DeleteConfigRule request to delete the rule. After Config deletes the rule, the rule and all of its evaluations are erased and are no longer available.
maximum_execution_frequency : maximum_execution_frequency option;The maximum frequency with which Config runs evaluations for a rule. You can specify a value for MaximumExecutionFrequency when:
ConfigSnapshotDeliveryProperties.By default, rules with a periodic trigger are evaluated every 24 hours. To change the frequency, specify a valid value for the MaximumExecutionFrequency parameter.
input_parameters : string_with_char_limit1024 option;A string, in JSON format, that is passed to the Config rule Lambda function.
*)source : source;Provides the rule owner (Amazon Web Services for managed rules, CUSTOM_POLICY for Custom Policy rules, and CUSTOM_LAMBDA for Custom Lambda rules), the rule identifier, and the notifications that cause the function to evaluate your Amazon Web Services resources.
scope : scope option;Defines which resources can trigger an evaluation for the rule. The scope can include one or more resource types, a combination of one resource type and one resource ID, or a combination of a tag key and value. Specify a scope to constrain the resources that can trigger an evaluation for the rule. If you do not specify a scope, evaluations are triggered when any resource in the recording group changes.
The scope can be empty.
*)description : emptiable_string_with_char_limit256 option;The description that you provide for the Config rule.
*)config_rule_id : string_with_char_limit64 option;The ID of the Config rule.
*)config_rule_arn : string_with_char_limit256 option;The Amazon Resource Name (ARN) of the Config rule.
*)config_rule_name : config_rule_name option;The name that you assign to the Config rule. The name is required if you are adding a new rule.
*)}Config rules evaluate the configuration settings of your Amazon Web Services resources. A rule can run when Config detects a configuration change to an Amazon Web Services resource or at a periodic frequency that you choose (for example, every 24 hours). There are two types of rules: Config Managed Rules and Config Custom Rules.
Config Managed Rules are predefined, customizable rules created by Config. For a list of managed rules, see List of Config Managed Rules.
Config Custom Rules are rules that you create from scratch. There are two ways to create Config custom rules: with Lambda functions (Lambda Developer Guide) and with Guard (Guard GitHub Repository), a policy-as-code language. Config custom rules created with Lambda are called Config Custom Lambda Rules and Config custom rules created with Guard are called Config Custom Policy Rules.
For more information about developing and using Config rules, see Evaluating Resource with Config Rules in the Config Developer Guide.
You can use the Amazon Web Services CLI and Amazon Web Services SDKs if you want to create a rule that triggers evaluations for your resources when Config delivers the configuration snapshot. For more information, see ConfigSnapshotDeliveryProperties.
type nonrec put_config_rule_request = {config_rule : config_rule;The rule that you want to add to your account.
*)}An object that represents the authorizations granted to aggregator accounts and regions.
type nonrec list_stored_queries_response = {next_token : string_ option;If the previous paginated request didn't return all of the remaining results, the response object's NextToken parameter value is set to a token. To retrieve the next set of results, call this operation again and assign that token to the request object's NextToken parameter. If there are no remaining results, the previous response object's NextToken parameter is set to null.
stored_query_metadata : stored_query_metadata_list option;A list of StoredQueryMetadata objects.
}type nonrec invalid_time_range_exception = {message : error_message option;Error executing the command
*)}The specified time range is not valid. The earlier time is not chronologically before the later time.
type nonrec resource_evaluation = {evaluation_start_timestamp : date option;The starting time of an execution.
*)evaluation_mode : evaluation_mode option;The mode of an evaluation. The valid values are Detective or Proactive.
*)resource_evaluation_id : resource_evaluation_id option;The ResourceEvaluationId of a evaluation.
*)}Returns details of a resource evaluation.
type nonrec resource_evaluations = resource_evaluation listtype nonrec list_resource_evaluations_response = {next_token : string_ option;The nextToken string returned on a previous page that you use to get the next page of results in a paginated response.
resource_evaluations : resource_evaluations option;Returns a ResourceEvaluations object.
}type nonrec resource_evaluation_filters = {evaluation_context_identifier : evaluation_context_identifier option;Filters evaluations for a given infrastructure deployment. For example: CFN Stack.
*)time_window : time_window option;Returns a TimeWindow object.
evaluation_mode : evaluation_mode option;Filters all resource evaluations results based on an evaluation mode.
Currently, DECTECTIVE is not supported as a valid value. Ignore other documentation stating otherwise.
}Returns details of a resource evaluation based on the selected filter.
type nonrec list_resource_evaluations_request = {next_token : string_ option;The nextToken string returned on a previous page that you use to get the next page of results in a paginated response.
limit : list_resource_evaluations_page_item_limit option;The maximum number of evaluations returned on each page. The default is 10. You cannot specify a number greater than 100. If you specify 0, Config uses the default.
*)filters : resource_evaluation_filters option;Returns a ResourceEvaluationFilters object.
}type nonrec resource_identifier = {resource_deletion_time : resource_deletion_time option;The time that the resource was deleted.
*)resource_name : resource_name option;The custom name of the resource (if available).
*)resource_id : resource_id option;The ID of the resource (for example, sg-xxxxxx).
resource_type : resource_type option;The type of resource.
*)}The details that identify a resource that is discovered by Config, including the resource type, ID, and (if available) the custom resource name.
type nonrec resource_identifier_list = resource_identifier listtype nonrec list_discovered_resources_response = {next_token : next_token option;The string that you use in a subsequent request to get the next page of results in a paginated response.
*)resource_identifiers : resource_identifier_list option;The details that identify a resource that is discovered by Config, including the resource type, ID, and (if available) the custom resource name.
*)}type nonrec resource_id_list = resource_id listtype nonrec list_discovered_resources_request = {next_token : next_token option;The nextToken string returned on a previous page that you use to get the next page of results in a paginated response.
include_deleted_resources : boolean_ option;Specifies whether Config includes deleted resources in the results. By default, deleted resources are not included.
*)limit : limit option;The maximum number of resource identifiers returned on each page. The default is 100. You cannot specify a number greater than 100. If you specify 0, Config uses the default.
*)resource_name : resource_name option;The custom name of only those resources that you want Config to list in the response. If you do not specify this parameter, Config lists all resources of the specified type that it has discovered.
*)resource_ids : resource_id_list option;The IDs of only those resources that you want Config to list in the response. If you do not specify this parameter, Config lists all resources of the specified type that it has discovered. You can list a minimum of 1 resourceID and a maximum of 20 resourceIds.
*)resource_type : resource_type;The type of resources that you want Config to list in the response.
*)}type nonrec conformance_pack_compliance_score = {last_updated_time : last_updated_time option;The time that the conformance pack compliance score was last updated.
*)conformance_pack_name : conformance_pack_name option;The name of the conformance pack.
*)score : compliance_score option;Compliance score for the conformance pack. Conformance packs with no evaluation results will have a compliance score of INSUFFICIENT_DATA.
}A compliance score is the percentage of the number of compliant rule-resource combinations in a conformance pack compared to the number of total possible rule-resource combinations in the conformance pack. This metric provides you with a high-level view of the compliance state of your conformance packs. You can use it to identify, investigate, and understand the level of compliance in your conformance packs.
type nonrec conformance_pack_compliance_scores =
conformance_pack_compliance_score listtype nonrec list_conformance_pack_compliance_scores_response = {conformance_pack_compliance_scores : conformance_pack_compliance_scores;A list of ConformancePackComplianceScore objects.
next_token : next_token option;The nextToken string that you can use to get the next page of results in a paginated response.
}type nonrec conformance_pack_name_filter = conformance_pack_name listtype nonrec conformance_pack_compliance_scores_filters = {conformance_pack_names : conformance_pack_name_filter;The names of the conformance packs whose compliance scores you want to include in the conformance pack compliance score result set. You can include up to 25 conformance packs in the ConformancePackNames array of strings, each with a character limit of 256 characters for the conformance pack name.
}A list of filters to apply to the conformance pack compliance score result set.
type nonrec list_conformance_pack_compliance_scores_request = {next_token : next_token option;The nextToken string in a prior request that you can use to get the paginated response for the next set of conformance pack compliance scores.
limit : page_size_limit option;The maximum number of conformance pack compliance scores returned on each page.
*)sort_by : sort_by option;Sorts your conformance pack compliance scores in either ascending or descending order, depending on SortOrder.
By default, conformance pack compliance scores are sorted in alphabetical order by name of the conformance pack. Enter SCORE, to sort conformance pack compliance scores by the numerical value of the compliance score.
sort_order : sort_order option;Determines the order in which conformance pack compliance scores are sorted. Either in ascending or descending order.
By default, conformance pack compliance scores are sorted in alphabetical order by name of the conformance pack. Conformance pack compliance scores are sorted in reverse alphabetical order if you enter DESCENDING.
You can sort conformance pack compliance scores by the numerical value of the compliance score by entering SCORE in the SortBy action. When compliance scores are sorted by SCORE, conformance packs with a compliance score of INSUFFICIENT_DATA will be last when sorting by ascending order and first when sorting by descending order.
filters : conformance_pack_compliance_scores_filters option;Filters the results based on the ConformancePackComplianceScoresFilters.
}type nonrec configuration_recorder_summary = {recording_scope : recording_scope;Indicates whether the ConfigurationItems in scope for the configuration recorder are recorded for free (INTERNAL) or if you are charged a service fee for recording (PAID).
service_principal : service_principal option;For service-linked configuration recorders, indicates which Amazon Web Services service the configuration recorder is linked to.
*)name : recorder_name;The name of the configuration recorder.
*)arn : amazon_resource_name;The Amazon Resource Name (ARN) of the configuration recorder.
*)}A summary of a configuration recorder, including the arn, name, servicePrincipal, and recordingScope.
type nonrec configuration_recorder_summaries =
configuration_recorder_summary listtype nonrec list_configuration_recorders_response = {next_token : next_token option;The NextToken string returned on a previous page that you use to get the next page of results in a paginated response.
configuration_recorder_summaries : configuration_recorder_summaries;A list of ConfigurationRecorderSummary objects that includes.
}type nonrec configuration_recorder_filter_values =
configuration_recorder_filter_value listtype nonrec configuration_recorder_filter = {filter_value : configuration_recorder_filter_values option;The value of the filter. For recordingScope, valid values include: INTERNAL and PAID.
INTERNAL indicates that the ConfigurationItems in scope for the configuration recorder are recorded for free.
PAID indicates that the ConfigurationItems in scope for the configuration recorder impact the costs to your bill.
filter_name : configuration_recorder_filter_name option;The name of the type of filter. Currently, only recordingScope is supported.
}Filters configuration recorders by recording scope.
type nonrec configuration_recorder_filter_list =
configuration_recorder_filter listtype nonrec list_configuration_recorders_request = {next_token : next_token option;The NextToken string returned on a previous page that you use to get the next page of results in a paginated response.
max_results : max_results option;The maximum number of results to include in the response.
*)filters : configuration_recorder_filter_list option;Filters the results based on a list of ConfigurationRecorderFilter objects that you specify.
}type nonrec discovered_resource_identifier_list =
aggregate_resource_identifier listtype nonrec list_aggregate_discovered_resources_response = {next_token : next_token option;The nextToken string returned on a previous page that you use to get the next page of results in a paginated response.
resource_identifiers : discovered_resource_identifier_list option;Returns a list of ResourceIdentifiers objects.
}type nonrec resource_filters = {region : aws_region option;The source region.
*)resource_name : resource_name option;The name of the resource.
*)resource_id : resource_id option;The ID of the resource.
*)account_id : account_id option;The 12-digit source account ID.
*)}Filters the results by resource account ID, region, resource ID, and resource name.
type nonrec list_aggregate_discovered_resources_request = {next_token : next_token option;The nextToken string returned on a previous page that you use to get the next page of results in a paginated response.
limit : limit option;The maximum number of resource identifiers returned on each page. You cannot specify a number greater than 100. If you specify 0, Config uses the default.
*)filters : resource_filters option;Filters the results based on the ResourceFilters object.
resource_type : resource_type;The type of resources that you want Config to list in the response.
*)configuration_aggregator_name : configuration_aggregator_name;The name of the configuration aggregator.
*)}type nonrec get_stored_query_response = {stored_query : stored_query option;Returns a StoredQuery object.
}type nonrec evaluation_status = {failure_reason : string_with_char_limit1024 option;An explanation for failed execution status.
*)status : resource_evaluation_status;The status of an execution. The valid values are In_Progress, Succeeded or Failed.
*)}Returns status details of an evaluation.
type nonrec get_resource_evaluation_summary_response = {resource_details : resource_details option;Returns a ResourceDetails object.
evaluation_context : evaluation_context option;Returns an EvaluationContext object.
compliance : compliance_type option;The compliance status of the resource evaluation summary.
*)evaluation_start_timestamp : date option;The start timestamp when Config rule starts evaluating compliance for the provided resource details.
*)evaluation_status : evaluation_status option;Returns an EvaluationStatus object.
evaluation_mode : evaluation_mode option;Lists results of the mode that you requested to retrieve the resource evaluation summary. The valid values are Detective or Proactive.
*)resource_evaluation_id : resource_evaluation_id option;The unique ResourceEvaluationId of Amazon Web Services resource execution for which you want to retrieve the evaluation summary.
}type nonrec get_resource_evaluation_summary_request = {resource_evaluation_id : resource_evaluation_id;The unique ResourceEvaluationId of Amazon Web Services resource execution for which you want to retrieve the evaluation summary.
}type nonrec resource_not_discovered_exception = {message : error_message option;Error executing the command
*)}You have specified a resource that is either unknown or has not been discovered.
type nonrec relationship = {relationship_name : relationship_name option;The type of relationship with the related resource.
*)resource_name : resource_name option;The custom name of the related resource, if available.
*)resource_id : resource_id option;The ID of the related resource (for example, sg-xxxxxx).
resource_type : resource_type option;The resource type of the related resource.
*)}The relationship of the related resource to the main resource.
type nonrec relationship_list = relationship listtype nonrec configuration_item = {configuration_item_delivery_time : configuration_item_delivery_time option;The time when configuration changes for the resource were delivered.
This field is optional and is not guaranteed to be present in a configuration item (CI). If you are using daily recording, this field will be populated. However, if you are using continuous recording, this field will be omitted since the delivery time is instantaneous as the CI is available right away. For more information on daily recording and continuous recording, see Recording Frequency in the Config Developer Guide.
*)recording_frequency : recording_frequency option;The recording frequency that Config uses to record configuration changes for the resource.
*)supplementary_configuration : supplementary_configuration option;Configuration attributes that Config returns for certain resource types to supplement the information returned for the configuration parameter.
configuration : configuration option;The description of the resource configuration.
*)relationships : relationship_list option;A list of related Amazon Web Services resources.
*)resource_creation_time : resource_creation_time option;The time stamp when the resource was created.
*)availability_zone : availability_zone option;The Availability Zone associated with the resource.
*)aws_region : aws_region option;The region where the resource resides.
*)resource_name : resource_name option;The custom name of the resource, if available.
*)resource_id : resource_id option;The ID of the resource (for example, sg-xxxxxx).
resource_type : resource_type option;The type of Amazon Web Services resource.
*)arn : ar_n option;Amazon Resource Name (ARN) associated with the resource.
*)configuration_item_md5_hash : configuration_item_md5_hash option;Unique MD5 hash that represents the configuration item's state.
You can use MD5 hash to compare the states of two or more configuration items that are associated with the same resource.
*)configuration_state_id : configuration_state_id option;An identifier that indicates the ordering of the configuration items of a resource.
*)configuration_item_status : configuration_item_status option;The configuration item status. Valid values include:
configuration_item_capture_time : configuration_item_capture_time option;The time when the recording of configuration changes was initiated for the resource.
*)account_id : account_id option;The 12-digit Amazon Web Services account ID associated with the resource.
*)version : version option;The version number of the resource configuration.
*)}A list that contains detailed configurations of a specified resource.
type nonrec configuration_item_list = configuration_item listtype nonrec get_resource_config_history_response = {next_token : next_token option;The string that you use in a subsequent request to get the next page of results in a paginated response.
*)configuration_items : configuration_item_list option;A list that contains the configuration history of one or more resources.
*)}The output for the GetResourceConfigHistory action.
type nonrec get_resource_config_history_request = {next_token : next_token option;The nextToken string returned on a previous page that you use to get the next page of results in a paginated response.
limit : limit option;The maximum number of configuration items returned on each page. The default is 10. You cannot specify a number greater than 100. If you specify 0, Config uses the default.
*)chronological_order : chronological_order option;The chronological order for configuration items listed. By default, the results are listed in reverse chronological order.
*)earlier_time : earlier_time option;The chronologically earliest time in the time range for which the history requested. If not specified, the action returns paginated results that contain configuration items that start when the first configuration item was recorded.
*)later_time : later_time option;The chronologically latest time in the time range for which the history requested. If not specified, current time is taken.
*)resource_id : resource_id;The ID of the resource (for example., sg-xxxxxx).
resource_type : resource_type;The resource type.
*)}The input for the GetResourceConfigHistory action.
type nonrec no_such_organization_config_rule_exception = {message : error_message option;Error executing the command
*)}The Config rule in the request is not valid. Verify that the rule is an organization Config Process Check rule, that the rule name is correct, and that valid Amazon Resouce Names (ARNs) are used before trying again.
type nonrec get_organization_custom_rule_policy_response = {policy_text : policy_text option;The policy definition containing the logic for your organization Config Custom Policy rule.
*)}type nonrec get_organization_custom_rule_policy_request = {organization_config_rule_name : organization_config_rule_name;The name of your organization Config Custom Policy rule.
*)}type nonrec no_such_organization_conformance_pack_exception = {message : error_message option;Error executing the command
*)}Config organization conformance pack that you passed in the filter does not exist.
For DeleteOrganizationConformancePack, you tried to delete an organization conformance pack that does not exist.
type nonrec organization_conformance_pack_detailed_status = {last_update_time : date option;The timestamp of the last status update.
*)error_message : string_ option;An error message indicating that conformance pack account creation or deletion has failed due to an error in the member account.
*)error_code : string_ option;An error code that is returned when conformance pack creation or deletion failed in the member account.
*)status : organization_resource_detailed_status;Indicates deployment status for conformance pack in a member account. When management account calls PutOrganizationConformancePack action for the first time, conformance pack status is created in the member account. When management account calls PutOrganizationConformancePack action for the second time, conformance pack status is updated in the member account. Conformance pack status is deleted when the management account deletes OrganizationConformancePack and disables service access for config-multiaccountsetup.amazonaws.com.
Config sets the state of the conformance pack to:
CREATE_SUCCESSFUL when conformance pack has been created in the member account.CREATE_IN_PROGRESS when conformance pack is being created in the member account.CREATE_FAILED when conformance pack creation has failed in the member account.DELETE_FAILED when conformance pack deletion has failed in the member account.DELETE_IN_PROGRESS when conformance pack is being deleted in the member account.DELETE_SUCCESSFUL when conformance pack has been deleted in the member account.UPDATE_SUCCESSFUL when conformance pack has been updated in the member account.UPDATE_IN_PROGRESS when conformance pack is being updated in the member account.UPDATE_FAILED when conformance pack deletion has failed in the member account.conformance_pack_name : string_with_char_limit256;The name of conformance pack deployed in the member account.
*)account_id : account_id;The 12-digit account ID of a member account.
*)}Organization conformance pack creation or deletion status in each member account. This includes the name of the conformance pack, the status, error code and error message when the conformance pack creation or deletion failed.
type nonrec organization_conformance_pack_detailed_statuses =
organization_conformance_pack_detailed_status listtype nonrec get_organization_conformance_pack_detailed_status_response = {next_token : string_ option;The nextToken string returned on a previous page that you use to get the next page of results in a paginated response.
*)organization_conformance_pack_detailed_statuses : organization_conformance_pack_detailed_statuses
option;A list of OrganizationConformancePackDetailedStatus objects.
}type nonrec organization_resource_detailed_status_filters = {status : organization_resource_detailed_status option;Indicates deployment status for conformance pack in a member account. When management account calls PutOrganizationConformancePack action for the first time, conformance pack status is created in the member account. When management account calls PutOrganizationConformancePack action for the second time, conformance pack status is updated in the member account. Conformance pack status is deleted when the management account deletes OrganizationConformancePack and disables service access for config-multiaccountsetup.amazonaws.com.
Config sets the state of the conformance pack to:
CREATE_SUCCESSFUL when conformance pack has been created in the member account.CREATE_IN_PROGRESS when conformance pack is being created in the member account.CREATE_FAILED when conformance pack creation has failed in the member account.DELETE_FAILED when conformance pack deletion has failed in the member account.DELETE_IN_PROGRESS when conformance pack is being deleted in the member account.DELETE_SUCCESSFUL when conformance pack has been deleted in the member account.UPDATE_SUCCESSFUL when conformance pack has been updated in the member account.UPDATE_IN_PROGRESS when conformance pack is being updated in the member account.UPDATE_FAILED when conformance pack deletion has failed in the member account.account_id : account_id option;The 12-digit account ID of the member account within an organization.
*)}Status filter object to filter results based on specific member account ID or status type for an organization conformance pack.
type nonrec get_organization_conformance_pack_detailed_status_request = {next_token : string_ option;The nextToken string returned on a previous page that you use to get the next page of results in a paginated response.
*)limit : cosmos_page_limit option;The maximum number of OrganizationConformancePackDetailedStatuses returned on each page. If you do not specify a number, Config uses the default. The default is 100.
filters : organization_resource_detailed_status_filters option;An OrganizationResourceDetailedStatusFilters object.
organization_conformance_pack_name : organization_conformance_pack_name;The name of organization conformance pack for which you want status details for member accounts.
*)}type nonrec member_account_status = {last_update_time : date option;The timestamp of the last status update.
*)error_message : string_ option;An error message indicating that Config rule account creation or deletion has failed due to an error in the member account.
*)error_code : string_ option;An error code that is returned when Config rule creation or deletion failed in the member account.
*)member_account_rule_status : member_account_rule_status;Indicates deployment status for Config rule in the member account. When management account calls PutOrganizationConfigRule action for the first time, Config rule status is created in the member account. When management account calls PutOrganizationConfigRule action for the second time, Config rule status is updated in the member account. Config rule status is deleted when the management account deletes OrganizationConfigRule and disables service access for config-multiaccountsetup.amazonaws.com.
Config sets the state of the rule to:
CREATE_SUCCESSFUL when Config rule has been created in the member account.CREATE_IN_PROGRESS when Config rule is being created in the member account.CREATE_FAILED when Config rule creation has failed in the member account.DELETE_FAILED when Config rule deletion has failed in the member account.DELETE_IN_PROGRESS when Config rule is being deleted in the member account.DELETE_SUCCESSFUL when Config rule has been deleted in the member account.UPDATE_SUCCESSFUL when Config rule has been updated in the member account.UPDATE_IN_PROGRESS when Config rule is being updated in the member account.UPDATE_FAILED when Config rule deletion has failed in the member account.config_rule_name : string_with_char_limit64;The name of Config rule deployed in the member account.
*)account_id : account_id;The 12-digit account ID of a member account.
*)}Organization Config rule creation or deletion status in each member account. This includes the name of the rule, the status, error code and error message when the rule creation or deletion failed.
type nonrec organization_config_rule_detailed_status =
member_account_status listtype nonrec get_organization_config_rule_detailed_status_response = {next_token : string_ option;The nextToken string returned on a previous page that you use to get the next page of results in a paginated response.
organization_config_rule_detailed_status : organization_config_rule_detailed_status
option;A list of MemberAccountStatus objects.
}type nonrec get_organization_config_rule_detailed_status_request = {next_token : string_ option;The nextToken string returned on a previous page that you use to get the next page of results in a paginated response.
limit : cosmos_page_limit option;The maximum number of OrganizationConfigRuleDetailedStatus returned on each page. If you do not specify a number, Config uses the default. The default is 100.
filters : status_detail_filters option;A StatusDetailFilters object.
organization_config_rule_name : organization_config_rule_name;The name of your organization Config rule for which you want status details for member accounts.
*)}type nonrec resource_count = {count : long option;The number of resources.
*)resource_type : resource_type option;The resource type (for example, "AWS::EC2::Instance").
}An object that contains the resource type and the number of resources.
type nonrec resource_counts = resource_count listtype nonrec get_discovered_resource_counts_response = {next_token : next_token option;The string that you use in a subsequent request to get the next page of results in a paginated response.
*)resource_counts : resource_counts option;The list of ResourceCount objects. Each object is listed in descending order by the number of resources.
total_discovered_resources : long option;The total number of resources that Config is recording in the region for your account. If you specify resource types in the request, Config returns only the total number of resources for those resource types.
Example
GetDiscoveredResourceCounts action and specify the resource type, "AWS::EC2::Instances", in the request.totalDiscoveredResources.}type nonrec resource_types = string_with_char_limit256 listtype nonrec get_discovered_resource_counts_request = {next_token : next_token option;The nextToken string returned on a previous page that you use to get the next page of results in a paginated response.
limit : limit option;The maximum number of ResourceCount objects returned on each page. The default is 100. You cannot specify a number greater than 100. If you specify 0, Config uses the default.
resource_types : resource_types option;The comma-separated list that specifies the resource types that you want Config to return (for example, "AWS::EC2::Instance", "AWS::IAM::User").
If a value for resourceTypes is not specified, Config returns all resource types that Config is recording in the region for your account.
If the configuration recorder is turned off, Config returns an empty list of ResourceCount objects. If the configuration recorder is not recording a specific resource type (for example, S3 buckets), that resource type is not returned in the list of ResourceCount objects.
}type nonrec get_custom_rule_policy_response = {policy_text : policy_text option;The policy definition containing the logic for your Config Custom Policy rule.
*)}type nonrec get_custom_rule_policy_request = {config_rule_name : config_rule_name option;The name of your Config Custom Policy rule.
*)}type nonrec no_such_conformance_pack_exception = {message : error_message option;Error executing the command
*)}You specified one or more conformance packs that do not exist.
type nonrec conformance_pack_compliance_summary = {conformance_pack_compliance_status : conformance_pack_compliance_type;The status of the conformance pack.
*)conformance_pack_name : conformance_pack_name;The name of the conformance pack name.
*)}Summary includes the name and status of the conformance pack.
type nonrec conformance_pack_compliance_summary_list =
conformance_pack_compliance_summary listtype nonrec get_conformance_pack_compliance_summary_response = {next_token : next_token option;The nextToken string returned on a previous page that you use to get the next page of results in a paginated response.
*)conformance_pack_compliance_summary_list : conformance_pack_compliance_summary_list
option;A list of ConformancePackComplianceSummary objects.
}type nonrec conformance_pack_names_to_summarize_list =
conformance_pack_name listtype nonrec get_conformance_pack_compliance_summary_request = {next_token : next_token option;The nextToken string returned on a previous page that you use to get the next page of results in a paginated response.
*)limit : page_size_limit option;The maximum number of conformance packs returned on each page.
*)conformance_pack_names : conformance_pack_names_to_summarize_list;Names of conformance packs.
*)}type nonrec no_such_config_rule_in_conformance_pack_exception = {message : error_message option;Error executing the command
*)}Config rule that you passed in the filter does not exist.
type nonrec evaluation_result_qualifier = {evaluation_mode : evaluation_mode option;The mode of an evaluation. The valid values are Detective or Proactive.
*)resource_id : base_resource_id option;The ID of the evaluated Amazon Web Services resource.
*)resource_type : string_with_char_limit256 option;The type of Amazon Web Services resource that was evaluated.
*)config_rule_name : config_rule_name option;The name of the Config rule that was used in the evaluation.
*)}Identifies an Config rule that evaluated an Amazon Web Services resource, and provides the type and ID of the resource that the rule evaluated.
type nonrec evaluation_result_identifier = {resource_evaluation_id : resource_evaluation_id option;A Unique ID for an evaluation result.
*)ordering_timestamp : date option;The time of the event that triggered the evaluation of your Amazon Web Services resources. The time can indicate when Config delivered a configuration item change notification, or it can indicate when Config delivered the configuration snapshot, depending on which event triggered the evaluation.
*)evaluation_result_qualifier : evaluation_result_qualifier option;Identifies an Config rule used to evaluate an Amazon Web Services resource, and provides the type and ID of the evaluated resource.
*)}Uniquely identifies an evaluation result.
type nonrec conformance_pack_evaluation_result = {annotation : annotation option;Supplementary information about how the evaluation determined the compliance.
*)result_recorded_time : date;The time when Config recorded the evaluation result.
*)config_rule_invoked_time : date;The time when Config rule evaluated Amazon Web Services resource.
*)evaluation_result_identifier : evaluation_result_identifier;compliance_type : conformance_pack_compliance_type;The compliance type. The allowed values are COMPLIANT and NON_COMPLIANT. INSUFFICIENT_DATA is not supported.
}The details of a conformance pack evaluation. Provides Config rule and Amazon Web Services resource type that was evaluated, the compliance of the conformance pack, related time stamps, and supplementary information.
type nonrec conformance_pack_rule_evaluation_results_list =
conformance_pack_evaluation_result listtype nonrec get_conformance_pack_compliance_details_response = {next_token : next_token option;The nextToken string returned in a previous request that you use to request the next page of results in a paginated response.
conformance_pack_rule_evaluation_results : conformance_pack_rule_evaluation_results_list
option;Returns a list of ConformancePackEvaluationResult objects.
conformance_pack_name : conformance_pack_name;Name of the conformance pack.
*)}type nonrec conformance_pack_config_rule_names = string_with_char_limit64 listtype nonrec conformance_pack_compliance_resource_ids =
string_with_char_limit256 listtype nonrec conformance_pack_evaluation_filters = {resource_ids : conformance_pack_compliance_resource_ids option;Filters the results by resource IDs.
This is valid only when you provide resource type. If there is no resource type, you will see an error.
*)resource_type : string_with_char_limit256 option;Filters the results by the resource type (for example, "AWS::EC2::Instance").
compliance_type : conformance_pack_compliance_type option;Filters the results by compliance.
The allowed values are COMPLIANT and NON_COMPLIANT. INSUFFICIENT_DATA is not supported.
config_rule_names : conformance_pack_config_rule_names option;Filters the results by Config rule names.
*)}Filters a conformance pack by Config rule names, compliance types, Amazon Web Services resource types, and resource IDs.
type nonrec get_conformance_pack_compliance_details_request = {next_token : next_token option;The nextToken string returned in a previous request that you use to request the next page of results in a paginated response.
limit : get_conformance_pack_compliance_details_limit option;The maximum number of evaluation results returned on each page. If you do no specify a number, Config uses the default. The default is 100.
*)filters : conformance_pack_evaluation_filters option;A ConformancePackEvaluationFilters object.
conformance_pack_name : conformance_pack_name;Name of the conformance pack.
*)}type nonrec compliance_contributor_count = {cap_exceeded : boolean_ option;Indicates whether the maximum count is reached.
*)capped_count : integer option;The number of Amazon Web Services resources or Config rules responsible for the current compliance of the item.
*)}The number of Amazon Web Services resources or Config rules responsible for the current compliance of the item, up to a maximum number.
type nonrec compliance_summary = {compliance_summary_timestamp : date option;The time that Config created the compliance summary.
*)non_compliant_resource_count : compliance_contributor_count option;The number of Config rules or Amazon Web Services resources that are noncompliant, up to a maximum of 25 for rules and 100 for resources.
*)compliant_resource_count : compliance_contributor_count option;The number of Config rules or Amazon Web Services resources that are compliant, up to a maximum of 25 for rules and 100 for resources.
*)}The number of Config rules or Amazon Web Services resources that are compliant and noncompliant.
type nonrec compliance_summary_by_resource_type = {compliance_summary : compliance_summary option;The number of Amazon Web Services resources that are compliant or noncompliant, up to a maximum of 100 for each.
*)resource_type : string_with_char_limit256 option;The type of Amazon Web Services resource.
*)}The number of Amazon Web Services resources of a specific type that are compliant or noncompliant, up to a maximum of 100 for each.
type nonrec compliance_summaries_by_resource_type =
compliance_summary_by_resource_type listtype nonrec get_compliance_summary_by_resource_type_response = {compliance_summaries_by_resource_type : compliance_summaries_by_resource_type
option;The number of resources that are compliant and the number that are noncompliant. If one or more resource types were provided with the request, the numbers are returned for each resource type. The maximum number returned is 100.
*)}type nonrec get_compliance_summary_by_resource_type_request = {resource_types : resource_types option;Specify one or more resource types to get the number of resources that are compliant and the number that are noncompliant for each resource type.
For this request, you can specify an Amazon Web Services resource type such as AWS::EC2::Instance. You can specify that the resource type is an Amazon Web Services account by specifying AWS::::Account.
}type nonrec get_compliance_summary_by_config_rule_response = {compliance_summary : compliance_summary option;The number of Config rules that are compliant and the number that are noncompliant, up to a maximum of 25 for each.
*)}type nonrec evaluation_result = {result_token : string_ option;An encrypted token that associates an evaluation with an Config rule. The token identifies the rule, the Amazon Web Services resource being evaluated, and the event that triggered the evaluation.
*)annotation : string_with_char_limit256 option;Supplementary information about how the evaluation determined the compliance.
*)config_rule_invoked_time : date option;The time when the Config rule evaluated the Amazon Web Services resource.
*)result_recorded_time : date option;The time when Config recorded the evaluation result.
*)compliance_type : compliance_type option;Indicates whether the Amazon Web Services resource complies with the Config rule that evaluated it.
For the EvaluationResult data type, Config supports only the COMPLIANT, NON_COMPLIANT, and NOT_APPLICABLE values. Config does not support the INSUFFICIENT_DATA value for the EvaluationResult data type.
evaluation_result_identifier : evaluation_result_identifier option;Uniquely identifies the evaluation result.
*)}The details of an Config evaluation. Provides the Amazon Web Services resource that was evaluated, the compliance of the resource, related time stamps, and supplementary information.
type nonrec evaluation_results = evaluation_result listtype nonrec get_compliance_details_by_resource_response = {next_token : string_ option;The string that you use in a subsequent request to get the next page of results in a paginated response.
*)evaluation_results : evaluation_results option;Indicates whether the specified Amazon Web Services resource complies each Config rule.
*)}type nonrec compliance_types = compliance_type listtype nonrec get_compliance_details_by_resource_request = {resource_evaluation_id : resource_evaluation_id option;The unique ID of Amazon Web Services resource execution for which you want to retrieve evaluation results.
You need to only provide either a ResourceEvaluationID or a ResourceID and ResourceType.
next_token : string_ option;The nextToken string returned on a previous page that you use to get the next page of results in a paginated response.
compliance_types : compliance_types option;Filters the results by compliance.
INSUFFICIENT_DATA is a valid ComplianceType that is returned when an Config rule cannot be evaluated. However, INSUFFICIENT_DATA cannot be used as a ComplianceType for filtering results.
resource_id : base_resource_id option;The ID of the Amazon Web Services resource for which you want compliance information.
*)resource_type : string_with_char_limit256 option;The type of the Amazon Web Services resource for which you want compliance information.
*)}type nonrec get_compliance_details_by_config_rule_response = {next_token : next_token option;The string that you use in a subsequent request to get the next page of results in a paginated response.
*)evaluation_results : evaluation_results option;Indicates whether the Amazon Web Services resource complies with the specified Config rule.
*)}type nonrec get_compliance_details_by_config_rule_request = {next_token : next_token option;The nextToken string returned on a previous page that you use to get the next page of results in a paginated response.
limit : limit option;The maximum number of evaluation results returned on each page. The default is 10. You cannot specify a number greater than 100. If you specify 0, Config uses the default.
*)compliance_types : compliance_types option;Filters the results by compliance.
INSUFFICIENT_DATA is a valid ComplianceType that is returned when an Config rule cannot be evaluated. However, INSUFFICIENT_DATA cannot be used as a ComplianceType for filtering results.
config_rule_name : string_with_char_limit64;The name of the Config rule for which you want compliance information.
*)}type nonrec oversized_configuration_item_exception = {message : error_message option;Error executing the command
*)}The configuration item size is outside the allowable range.
type nonrec get_aggregate_resource_config_response = {configuration_item : configuration_item option;Returns a ConfigurationItem object.
}type nonrec get_aggregate_resource_config_request = {resource_identifier : aggregate_resource_identifier;An object that identifies aggregate resource.
*)configuration_aggregator_name : configuration_aggregator_name;The name of the configuration aggregator.
*)}type nonrec grouped_resource_count = {resource_count : long;The number of resources in the group.
*)group_name : string_with_char_limit256;The name of the group that can be region, account ID, or resource type. For example, region1, region2 if the region was chosen as GroupByKey.
}The count of resources that are grouped by the group name.
type nonrec grouped_resource_count_list = grouped_resource_count listtype nonrec get_aggregate_discovered_resource_counts_response = {next_token : next_token option;The nextToken string returned on a previous page that you use to get the next page of results in a paginated response.
grouped_resource_counts : grouped_resource_count_list option;Returns a list of GroupedResourceCount objects.
*)group_by_key : string_with_char_limit256 option;The key passed into the request object. If GroupByKey is not provided, the result will be empty.
total_discovered_resources : long;The total number of resources that are present in an aggregator with the filters that you provide.
*)}type nonrec resource_count_filters = {region : aws_region option;The region where the account is located.
*)account_id : account_id option;The 12-digit ID of the account.
*)resource_type : resource_type option;The type of the Amazon Web Services resource.
*)}Filters the resource count based on account ID, region, and resource type.
type nonrec get_aggregate_discovered_resource_counts_request = {next_token : next_token option;The nextToken string returned on a previous page that you use to get the next page of results in a paginated response.
limit : group_by_api_limit option;The maximum number of GroupedResourceCount objects returned on each page. The default is 1000. You cannot specify a number greater than 1000. If you specify 0, Config uses the default.
group_by_key : resource_count_group_key option;The key to group the resource counts.
*)filters : resource_count_filters option;Filters the results based on the ResourceCountFilters object.
configuration_aggregator_name : configuration_aggregator_name;The name of the configuration aggregator.
*)}type nonrec aggregate_conformance_pack_compliance_count = {non_compliant_conformance_pack_count : integer option;Number of noncompliant conformance packs.
*)compliant_conformance_pack_count : integer option;Number of compliant conformance packs.
*)}The number of conformance packs that are compliant and noncompliant.
type nonrec aggregate_conformance_pack_compliance_summary = {group_name : string_with_char_limit256 option;Groups the result based on Amazon Web Services account ID or Amazon Web Services Region.
*)compliance_summary : aggregate_conformance_pack_compliance_count option;Returns an AggregateConformancePackComplianceCount object.
}Provides a summary of compliance based on either account ID or region.
type nonrec aggregate_conformance_pack_compliance_summary_list =
aggregate_conformance_pack_compliance_summary listtype nonrec get_aggregate_conformance_pack_compliance_summary_response = {next_token : next_token option;The nextToken string returned on a previous page that you use to get the next page of results in a paginated response.
group_by_key : string_with_char_limit256 option;Groups the result based on Amazon Web Services account ID or Amazon Web Services Region.
*)aggregate_conformance_pack_compliance_summaries : aggregate_conformance_pack_compliance_summary_list
option;Returns a list of AggregateConformancePackComplianceSummary object.
}type nonrec aggregate_conformance_pack_compliance_summary_filters = {aws_region : aws_region option;The source Amazon Web Services Region from where the data is aggregated.
*)account_id : account_id option;The 12-digit Amazon Web Services account ID of the source account.
*)}Filters the results based on account ID and region.
type nonrec get_aggregate_conformance_pack_compliance_summary_request = {next_token : next_token option;The nextToken string returned on a previous page that you use to get the next page of results in a paginated response.
limit : limit option;The maximum number of results returned on each page. The default is maximum. If you specify 0, Config uses the default.
*)group_by_key : aggregate_conformance_pack_compliance_summary_group_key option;Groups the result based on Amazon Web Services account ID or Amazon Web Services Region.
*)filters : aggregate_conformance_pack_compliance_summary_filters option;Filters the results based on the AggregateConformancePackComplianceSummaryFilters object.
configuration_aggregator_name : configuration_aggregator_name;The name of the configuration aggregator.
*)}type nonrec aggregate_compliance_count = {compliance_summary : compliance_summary option;The number of compliant and noncompliant Config rules.
*)group_name : string_with_char_limit256 option;The 12-digit account ID or region based on the GroupByKey value.
*)}Returns the number of compliant and noncompliant rules for one or more accounts and regions in an aggregator.
type nonrec aggregate_compliance_count_list = aggregate_compliance_count listtype nonrec get_aggregate_config_rule_compliance_summary_response = {next_token : next_token option;The nextToken string returned on a previous page that you use to get the next page of results in a paginated response.
aggregate_compliance_counts : aggregate_compliance_count_list option;Returns a list of AggregateComplianceCounts object.
*)group_by_key : string_with_char_limit256 option;Groups the result based on ACCOUNT_ID or AWS_REGION.
*)}type nonrec config_rule_compliance_summary_filters = {aws_region : aws_region option;The source region where the data is aggregated.
*)account_id : account_id option;The 12-digit account ID of the source account.
*)}Filters the results based on the account IDs and regions.
type nonrec get_aggregate_config_rule_compliance_summary_request = {next_token : next_token option;The nextToken string returned on a previous page that you use to get the next page of results in a paginated response.
limit : group_by_api_limit option;The maximum number of evaluation results returned on each page. The default is 1000. You cannot specify a number greater than 1000. If you specify 0, Config uses the default.
*)group_by_key : config_rule_compliance_summary_group_key option;Groups the result based on ACCOUNT_ID or AWS_REGION.
*)filters : config_rule_compliance_summary_filters option;Filters the results based on the ConfigRuleComplianceSummaryFilters object.
*)configuration_aggregator_name : configuration_aggregator_name;The name of the configuration aggregator.
*)}type nonrec aggregate_evaluation_result = {aws_region : aws_region option;The source region from where the data is aggregated.
*)account_id : account_id option;The 12-digit account ID of the source account.
*)annotation : string_with_char_limit256 option;Supplementary information about how the agrregate evaluation determined the compliance.
*)config_rule_invoked_time : date option;The time when the Config rule evaluated the Amazon Web Services resource.
*)result_recorded_time : date option;The time when Config recorded the aggregate evaluation result.
*)compliance_type : compliance_type option;The resource compliance status.
For the AggregationEvaluationResult data type, Config supports only the COMPLIANT and NON_COMPLIANT. Config does not support the NOT_APPLICABLE and INSUFFICIENT_DATA value.
evaluation_result_identifier : evaluation_result_identifier option;Uniquely identifies the evaluation result.
*)}The details of an Config evaluation for an account ID and region in an aggregator. Provides the Amazon Web Services resource that was evaluated, the compliance of the resource, related time stamps, and supplementary information.
type nonrec aggregate_evaluation_result_list = aggregate_evaluation_result listtype nonrec get_aggregate_compliance_details_by_config_rule_response = {next_token : next_token option;The nextToken string returned on a previous page that you use to get the next page of results in a paginated response.
aggregate_evaluation_results : aggregate_evaluation_result_list option;Returns an AggregateEvaluationResults object.
*)}type nonrec get_aggregate_compliance_details_by_config_rule_request = {next_token : next_token option;The nextToken string returned on a previous page that you use to get the next page of results in a paginated response.
limit : limit option;The maximum number of evaluation results returned on each page. The default is 50. You cannot specify a number greater than 100. If you specify 0, Config uses the default.
*)compliance_type : compliance_type option;The resource compliance status.
For the GetAggregateComplianceDetailsByConfigRuleRequest data type, Config supports only the COMPLIANT and NON_COMPLIANT. Config does not support the NOT_APPLICABLE and INSUFFICIENT_DATA values.
aws_region : aws_region;The source region from where the data is aggregated.
*)account_id : account_id;The 12-digit account ID of the source account.
*)config_rule_name : config_rule_name;The name of the Config rule for which you want compliance information.
*)configuration_aggregator_name : configuration_aggregator_name;The name of the configuration aggregator.
*)}type nonrec disassociate_resource_types_response = {configuration_recorder : configuration_recorder;}type nonrec disassociate_resource_types_request = {resource_types : resource_type_list;The list of resource types you want to remove from the recording group of the specified configuration recorder.
*)configuration_recorder_arn : amazon_resource_name;The Amazon Resource Name (ARN) of the specified configuration recorder.
*)}type nonrec no_such_retention_configuration_exception = {message : error_message option;Error executing the command
*)}You have specified a retention configuration that does not exist.
type nonrec retention_configuration_list = retention_configuration listtype nonrec describe_retention_configurations_response = {next_token : next_token option;The nextToken string returned on a previous page that you use to get the next page of results in a paginated response.
retention_configurations : retention_configuration_list option;Returns a retention configuration object.
*)}type nonrec retention_configuration_name_list =
retention_configuration_name listtype nonrec describe_retention_configurations_request = {next_token : next_token option;The nextToken string returned on a previous page that you use to get the next page of results in a paginated response.
retention_configuration_names : retention_configuration_name_list option;A list of names of retention configurations for which you want details. If you do not specify a name, Config returns details for all the retention configurations for that account.
Currently, Config supports only one retention configuration per region in your account.
*)}type nonrec remediation_execution_step = {stop_time : date option;The time when the step stopped.
*)start_time : date option;The time when the step started.
*)error_message : string_ option;An error message if the step was interrupted during execution.
*)state : remediation_execution_step_state option;The valid status of the step.
*)name : string_ option;The details of the step.
*)}Name of the step from the SSM document.
type nonrec remediation_execution_steps = remediation_execution_step listtype nonrec remediation_execution_status = {last_updated_time : date option;The time when the remediation execution was last updated.
*)invocation_time : date option;Start time when the remediation was executed.
*)step_details : remediation_execution_steps option;Details of every step.
*)state : remediation_execution_state option;ENUM of the values.
*)resource_key : resource_key option;}Provides details of the current status of the invoked remediation action for that resource.
type nonrec remediation_execution_statuses = remediation_execution_status listtype nonrec describe_remediation_execution_status_response = {next_token : string_ option;The nextToken string returned on a previous page that you use to get the next page of results in a paginated response.
remediation_execution_statuses : remediation_execution_statuses option;Returns a list of remediation execution statuses objects.
*)}type nonrec describe_remediation_execution_status_request = {next_token : string_ option;The nextToken string returned on a previous page that you use to get the next page of results in a paginated response.
limit : limit option;The maximum number of RemediationExecutionStatuses returned on each page. The default is maximum. If you specify 0, Config uses the default.
*)resource_keys : resource_keys option;A list of resource keys to be processed with the current request. Each element in the list consists of the resource type and resource ID.
*)config_rule_name : config_rule_name;The name of the Config rule.
*)}type nonrec describe_remediation_exceptions_response = {next_token : string_ option;The nextToken string returned in a previous request that you use to request the next page of results in a paginated response.
remediation_exceptions : remediation_exceptions option;Returns a list of remediation exception objects.
*)}type nonrec describe_remediation_exceptions_request = {next_token : string_ option;The nextToken string returned in a previous request that you use to request the next page of results in a paginated response.
limit : limit option;The maximum number of RemediationExceptionResourceKey returned on each page. The default is 25. If you specify 0, Config uses the default.
*)resource_keys : remediation_exception_resource_keys option;An exception list of resource exception keys to be processed with the current request. Config adds exception for each resource key. For example, Config adds 3 exceptions for 3 resource keys.
*)config_rule_name : config_rule_name;The name of the Config rule.
*)}type nonrec describe_remediation_configurations_response = {remediation_configurations : remediation_configurations option;Returns a remediation configuration object.
*)}type nonrec config_rule_names = config_rule_name listtype nonrec describe_remediation_configurations_request = {config_rule_names : config_rule_names;A list of Config rule names of remediation configurations for which you want details.
*)}type nonrec pending_aggregation_request = {requester_aws_region : aws_region option;The region requesting to aggregate data.
*)requester_account_id : account_id option;The 12-digit account ID of the account requesting to aggregate data.
*)}An object that represents the account ID and region of an aggregator account that is requesting authorization but is not yet authorized.
type nonrec pending_aggregation_request_list = pending_aggregation_request listtype nonrec describe_pending_aggregation_requests_response = {next_token : string_ option;The nextToken string returned on a previous page that you use to get the next page of results in a paginated response.
pending_aggregation_requests : pending_aggregation_request_list option;Returns a PendingAggregationRequests object.
*)}type nonrec describe_pending_aggregation_requests_request = {next_token : string_ option;The nextToken string returned on a previous page that you use to get the next page of results in a paginated response.
limit : describe_pending_aggregation_requests_limit option;The maximum number of evaluation results returned on each page. The default is maximum. If you specify 0, Config uses the default.
*)}type nonrec organization_conformance_pack_status = {last_update_time : date option;The timestamp of the last update.
*)error_message : string_ option;An error message indicating that organization conformance pack creation or deletion failed due to an error.
*)error_code : string_ option;An error code that is returned when organization conformance pack creation or deletion has failed in a member account.
*)status : organization_resource_status;Indicates deployment status of an organization conformance pack. When management account calls PutOrganizationConformancePack for the first time, conformance pack status is created in all the member accounts. When management account calls PutOrganizationConformancePack for the second time, conformance pack status is updated in all the member accounts. Additionally, conformance pack status is updated when one or more member accounts join or leave an organization. Conformance pack status is deleted when the management account deletes OrganizationConformancePack in all the member accounts and disables service access for config-multiaccountsetup.amazonaws.com.
Config sets the state of the conformance pack to:
CREATE_SUCCESSFUL when an organization conformance pack has been successfully created in all the member accounts.CREATE_IN_PROGRESS when an organization conformance pack creation is in progress.CREATE_FAILED when an organization conformance pack creation failed in one or more member accounts within that organization.DELETE_FAILED when an organization conformance pack deletion failed in one or more member accounts within that organization.DELETE_IN_PROGRESS when an organization conformance pack deletion is in progress.DELETE_SUCCESSFUL when an organization conformance pack has been successfully deleted from all the member accounts.UPDATE_SUCCESSFUL when an organization conformance pack has been successfully updated in all the member accounts.UPDATE_IN_PROGRESS when an organization conformance pack update is in progress.UPDATE_FAILED when an organization conformance pack update failed in one or more member accounts within that organization.organization_conformance_pack_name : organization_conformance_pack_name;The name that you assign to organization conformance pack.
*)}Returns the status for an organization conformance pack in an organization.
type nonrec organization_conformance_pack_statuses =
organization_conformance_pack_status listtype nonrec describe_organization_conformance_pack_statuses_response = {next_token : string_ option;The nextToken string returned on a previous page that you use to get the next page of results in a paginated response.
*)organization_conformance_pack_statuses : organization_conformance_pack_statuses
option;A list of OrganizationConformancePackStatus objects.
}type nonrec organization_conformance_pack_names =
organization_conformance_pack_name listtype nonrec describe_organization_conformance_pack_statuses_request = {next_token : string_ option;The nextToken string returned on a previous page that you use to get the next page of results in a paginated response.
*)limit : cosmos_page_limit option;The maximum number of OrganizationConformancePackStatuses returned on each page. If you do no specify a number, Config uses the default. The default is 100.
*)organization_conformance_pack_names : organization_conformance_pack_names
option;The names of organization conformance packs for which you want status details. If you do not specify any names, Config returns details for all your organization conformance packs.
*)}type nonrec organization_conformance_pack = {last_update_time : date;Last time when organization conformation pack was updated.
*)excluded_accounts : excluded_accounts option;A comma-separated list of accounts excluded from organization conformance pack.
*)conformance_pack_input_parameters : conformance_pack_input_parameters option;A list of ConformancePackInputParameter objects.
delivery_s3_key_prefix : delivery_s3_key_prefix option;Any folder structure you want to add to an Amazon S3 bucket.
This field is optional.
*)delivery_s3_bucket : delivery_s3_bucket option;The name of the Amazon S3 bucket where Config stores conformance pack templates.
This field is optional.
*)organization_conformance_pack_arn : string_with_char_limit256;Amazon Resource Name (ARN) of organization conformance pack.
*)organization_conformance_pack_name : organization_conformance_pack_name;The name you assign to an organization conformance pack.
*)}An organization conformance pack that has information about conformance packs that Config creates in member accounts.
type nonrec organization_conformance_packs = organization_conformance_pack listtype nonrec describe_organization_conformance_packs_response = {next_token : string_ option;The nextToken string returned on a previous page that you use to get the next page of results in a paginated response.
*)organization_conformance_packs : organization_conformance_packs option;Returns a list of OrganizationConformancePacks objects.
*)}type nonrec describe_organization_conformance_packs_request = {next_token : string_ option;The nextToken string returned on a previous page that you use to get the next page of results in a paginated response.
*)limit : cosmos_page_limit option;The maximum number of organization config packs returned on each page. If you do no specify a number, Config uses the default. The default is 100.
*)organization_conformance_pack_names : organization_conformance_pack_names
option;The name that you assign to an organization conformance pack.
*)}type nonrec organization_config_rule_status = {last_update_time : date option;The timestamp of the last update.
*)error_message : string_ option;An error message indicating that organization Config rule creation or deletion failed due to an error.
*)error_code : string_ option;An error code that is returned when organization Config rule creation or deletion has failed.
*)organization_rule_status : organization_rule_status;Indicates deployment status of an organization Config rule. When management account calls PutOrganizationConfigRule action for the first time, Config rule status is created in all the member accounts. When management account calls PutOrganizationConfigRule action for the second time, Config rule status is updated in all the member accounts. Additionally, Config rule status is updated when one or more member accounts join or leave an organization. Config rule status is deleted when the management account deletes OrganizationConfigRule in all the member accounts and disables service access for config-multiaccountsetup.amazonaws.com.
Config sets the state of the rule to:
CREATE_SUCCESSFUL when an organization Config rule has been successfully created in all the member accounts.CREATE_IN_PROGRESS when an organization Config rule creation is in progress.CREATE_FAILED when an organization Config rule creation failed in one or more member accounts within that organization.DELETE_FAILED when an organization Config rule deletion failed in one or more member accounts within that organization.DELETE_IN_PROGRESS when an organization Config rule deletion is in progress.DELETE_SUCCESSFUL when an organization Config rule has been successfully deleted from all the member accounts.UPDATE_SUCCESSFUL when an organization Config rule has been successfully updated in all the member accounts.UPDATE_IN_PROGRESS when an organization Config rule update is in progress.UPDATE_FAILED when an organization Config rule update failed in one or more member accounts within that organization.organization_config_rule_name : organization_config_rule_name;The name that you assign to organization Config rule.
*)}Returns the status for an organization Config rule in an organization.
type nonrec organization_config_rule_statuses =
organization_config_rule_status listtype nonrec describe_organization_config_rule_statuses_response = {next_token : string_ option;The nextToken string returned on a previous page that you use to get the next page of results in a paginated response.
organization_config_rule_statuses : organization_config_rule_statuses option;A list of OrganizationConfigRuleStatus objects.
}type nonrec organization_config_rule_names = string_with_char_limit64 listtype nonrec describe_organization_config_rule_statuses_request = {next_token : string_ option;The nextToken string returned on a previous page that you use to get the next page of results in a paginated response.
limit : cosmos_page_limit option;The maximum number of OrganizationConfigRuleStatuses returned on each page. If you do no specify a number, Config uses the default. The default is 100.
organization_config_rule_names : organization_config_rule_names option;The names of organization Config rules for which you want status details. If you do not specify any names, Config returns details for all your organization Config rules.
*)}type nonrec organization_custom_policy_rule_metadata_no_policy = {debug_log_delivery_accounts : debug_log_delivery_accounts option;A list of accounts that you can enable debug logging for your organization Config Custom Policy rule. List is null when debug logging is enabled for all accounts.
*)policy_runtime : policy_runtime option;The runtime system for your organization Config Custom Policy rules. Guard is a policy-as-code language that allows you to write policies that are enforced by Config Custom Policy rules. For more information about Guard, see the Guard GitHub Repository.
*)tag_value_scope : string_with_char_limit256 option;The optional part of a key-value pair that make up a tag. A value acts as a descriptor within a tag category (key).
*)tag_key_scope : string_with_char_limit128 option;One part of a key-value pair that make up a tag. A key is a general label that acts like a category for more specific tag values.
*)resource_id_scope : string_with_char_limit768 option;The ID of the Amazon Web Services resource that was evaluated.
*)resource_types_scope : resource_types_scope option;The type of the Amazon Web Services resource that was evaluated.
*)maximum_execution_frequency : maximum_execution_frequency option;The maximum frequency with which Config runs evaluations for a rule. Your Config Custom Policy rule is triggered when Config delivers the configuration snapshot. For more information, see ConfigSnapshotDeliveryProperties.
input_parameters : string_with_char_limit2048 option;A string, in JSON format, that is passed to your organization Config Custom Policy rule.
*)organization_config_rule_trigger_types : organization_config_rule_trigger_type_no_s_ns
option;The type of notification that triggers Config to run an evaluation for a rule. For Config Custom Policy rules, Config supports change triggered notification types:
ConfigurationItemChangeNotification - Triggers an evaluation when Config delivers a configuration item as a result of a resource change.OversizedConfigurationItemChangeNotification - Triggers an evaluation when Config delivers an oversized configuration item. Config may generate this notification type when a resource changes and the notification exceeds the maximum size allowed by Amazon SNS.description : string_with_char_limit256_min0 option;The description that you provide for your organization Config Custom Policy rule.
*)}metadata for your organization Config Custom Policy rule including the runtime system in use, which accounts have debug logging enabled, and other custom rule metadata such as resource type, resource ID of Amazon Web Services resource, and organization trigger types that trigger Config to evaluate Amazon Web Services resources against a rule.
type nonrec organization_config_rule = {organization_custom_policy_rule_metadata : organization_custom_policy_rule_metadata_no_policy
option;An object that specifies metadata for your organization's Config Custom Policy rule. The metadata includes the runtime system in use, which accounts have debug logging enabled, and other custom rule metadata, such as resource type, resource ID of Amazon Web Services resource, and organization trigger types that initiate Config to evaluate Amazon Web Services resources against a rule.
*)last_update_time : date option;The timestamp of the last update.
*)excluded_accounts : excluded_accounts option;A comma-separated list of accounts excluded from organization Config rule.
*)organization_custom_rule_metadata : organization_custom_rule_metadata option;An OrganizationCustomRuleMetadata object.
organization_managed_rule_metadata : organization_managed_rule_metadata option;An OrganizationManagedRuleMetadata object.
organization_config_rule_arn : string_with_char_limit256;Amazon Resource Name (ARN) of organization Config rule.
*)organization_config_rule_name : organization_config_rule_name;The name that you assign to organization Config rule.
*)}An organization Config rule that has information about Config rules that Config creates in member accounts.
type nonrec organization_config_rules = organization_config_rule listtype nonrec describe_organization_config_rules_response = {next_token : string_ option;The nextToken string returned on a previous page that you use to get the next page of results in a paginated response.
organization_config_rules : organization_config_rules option;Returns a list of OrganizationConfigRule objects.
}type nonrec describe_organization_config_rules_request = {next_token : string_ option;The nextToken string returned on a previous page that you use to get the next page of results in a paginated response.
limit : cosmos_page_limit option;The maximum number of organization Config rules returned on each page. If you do no specify a number, Config uses the default. The default is 100.
*)organization_config_rule_names : organization_config_rule_names option;The names of organization Config rules for which you want details. If you do not specify any names, Config returns details for all your organization Config rules.
*)}type nonrec no_such_delivery_channel_exception = {message : error_message option;Error executing the command
*)}You have specified a delivery channel that does not exist.
type nonrec config_export_delivery_info = {next_delivery_time : date option;The time that the next delivery occurs.
*)last_successful_time : date option;The time of the last successful delivery.
*)last_attempt_time : date option;The time of the last attempted delivery.
*)last_error_message : string_ option;The error message from the last attempted delivery.
*)last_error_code : string_ option;The error code from the last attempted delivery.
*)last_status : delivery_status option;Status of the last attempted delivery.
*)}Provides status of the delivery of the snapshot or the configuration history to the specified Amazon S3 bucket. Also provides the status of notifications about the Amazon S3 delivery to the specified Amazon SNS topic.
type nonrec config_stream_delivery_info = {last_status_change_time : date option;The time from the last status change.
*)last_error_message : string_ option;The error message from the last attempted delivery.
*)last_error_code : string_ option;The error code from the last attempted delivery.
*)last_status : delivery_status option;Status of the last attempted delivery.
Note Providing an SNS topic on a DeliveryChannel for Config is optional. If the SNS delivery is turned off, the last status will be Not_Applicable.
*)}A list that contains the status of the delivery of the configuration stream notification to the Amazon SNS topic.
type nonrec delivery_channel_status = {config_stream_delivery_info : config_stream_delivery_info option;A list containing the status of the delivery of the configuration stream notification to the specified Amazon SNS topic.
*)config_history_delivery_info : config_export_delivery_info option;A list that contains the status of the delivery of the configuration history to the specified Amazon S3 bucket.
*)config_snapshot_delivery_info : config_export_delivery_info option;A list containing the status of the delivery of the snapshot to the specified Amazon S3 bucket.
*)name : string_ option;The name of the delivery channel.
*)}The status of a specified delivery channel.
Valid values: Success | Failure
type nonrec delivery_channel_status_list = delivery_channel_status listtype nonrec describe_delivery_channel_status_response = {delivery_channels_status : delivery_channel_status_list option;A list that contains the status of a specified delivery channel.
*)}The output for the DescribeDeliveryChannelStatus action.
type nonrec delivery_channel_name_list = channel_name listtype nonrec describe_delivery_channel_status_request = {delivery_channel_names : delivery_channel_name_list option;A list of delivery channel names.
*)}The input for the DeliveryChannelStatus action.
type nonrec delivery_channel_list = delivery_channel listtype nonrec describe_delivery_channels_response = {delivery_channels : delivery_channel_list option;A list that contains the descriptions of the specified delivery channel.
*)}The output for the DescribeDeliveryChannels action.
type nonrec describe_delivery_channels_request = {delivery_channel_names : delivery_channel_name_list option;A list of delivery channel names.
*)}The input for the DescribeDeliveryChannels action.
type nonrec conformance_pack_status_detail = {last_update_completed_time : date option;Last time when conformation pack creation and update was successful.
*)last_update_requested_time : date;Last time when conformation pack creation and update was requested.
*)conformance_pack_status_reason : conformance_pack_status_reason option;The reason of conformance pack creation failure.
*)stack_arn : stack_arn;Amazon Resource Name (ARN) of CloudFormation stack.
*)conformance_pack_state : conformance_pack_state;Indicates deployment status of conformance pack.
Config sets the state of the conformance pack to:
conformance_pack_arn : conformance_pack_arn;Amazon Resource Name (ARN) of comformance pack.
*)conformance_pack_id : conformance_pack_id;ID of the conformance pack.
*)conformance_pack_name : conformance_pack_name;Name of the conformance pack.
*)}Status details of a conformance pack.
type nonrec conformance_pack_status_details_list =
conformance_pack_status_detail listtype nonrec describe_conformance_pack_status_response = {next_token : next_token option;The nextToken string returned in a previous request that you use to request the next page of results in a paginated response.
conformance_pack_status_details : conformance_pack_status_details_list option;A list of ConformancePackStatusDetail objects.
}type nonrec conformance_pack_names_list = conformance_pack_name listtype nonrec describe_conformance_pack_status_request = {next_token : next_token option;The nextToken string returned in a previous request that you use to request the next page of results in a paginated response.
limit : page_size_limit option;The maximum number of conformance packs status returned on each page.
*)conformance_pack_names : conformance_pack_names_list option;Comma-separated list of conformance pack names.
*)}type nonrec conformance_pack_detail = {template_ssm_document_details : template_ssm_document_details option;An object that contains the name or Amazon Resource Name (ARN) of the Amazon Web Services Systems Manager document (SSM document) and the version of the SSM document that is used to create a conformance pack.
*)created_by : string_with_char_limit256 option;The Amazon Web Services service that created the conformance pack.
*)last_update_requested_time : date option;The last time a conformation pack update was requested.
*)conformance_pack_input_parameters : conformance_pack_input_parameters option;A list of ConformancePackInputParameter objects.
delivery_s3_key_prefix : delivery_s3_key_prefix option;The prefix for the Amazon S3 bucket.
This field is optional.
*)delivery_s3_bucket : delivery_s3_bucket option;The name of the Amazon S3 bucket where Config stores conformance pack templates.
This field is optional.
*)conformance_pack_id : conformance_pack_id;ID of the conformance pack.
*)conformance_pack_arn : conformance_pack_arn;Amazon Resource Name (ARN) of the conformance pack.
*)conformance_pack_name : conformance_pack_name;Name of the conformance pack.
*)}Returns details of a conformance pack. A conformance pack is a collection of Config rules and remediation actions that can be easily deployed in an account and a region.
type nonrec conformance_pack_detail_list = conformance_pack_detail listtype nonrec describe_conformance_packs_response = {next_token : next_token option;The nextToken string returned in a previous request that you use to request the next page of results in a paginated response.
conformance_pack_details : conformance_pack_detail_list option;Returns a list of ConformancePackDetail objects.
}type nonrec describe_conformance_packs_request = {next_token : next_token option;The nextToken string returned in a previous request that you use to request the next page of results in a paginated response.
limit : page_size_limit option;The maximum number of conformance packs returned on each page.
*)conformance_pack_names : conformance_pack_names_list option;Comma-separated list of conformance pack names for which you want details. If you do not specify any names, Config returns details for all your conformance packs.
*)}type nonrec controls_list = string_with_char_limit128 listtype nonrec conformance_pack_rule_compliance = {controls : controls_list option;Controls for the conformance pack. A control is a process to prevent or detect problems while meeting objectives. A control can align with a specific compliance regime or map to internal controls defined by an organization.
*)compliance_type : conformance_pack_compliance_type option;Compliance of the Config rule.
*)config_rule_name : config_rule_name option;Name of the Config rule.
*)}Compliance information of one or more Config rules within a conformance pack. You can filter using Config rule names and compliance types.
type nonrec conformance_pack_rule_compliance_list =
conformance_pack_rule_compliance listtype nonrec describe_conformance_pack_compliance_response = {next_token : next_token option;The nextToken string returned in a previous request that you use to request the next page of results in a paginated response.
conformance_pack_rule_compliance_list : conformance_pack_rule_compliance_list;Returns a list of ConformancePackRuleCompliance objects.
conformance_pack_name : conformance_pack_name;Name of the conformance pack.
*)}type nonrec conformance_pack_compliance_filters = {compliance_type : conformance_pack_compliance_type option;Filters the results by compliance.
The allowed values are COMPLIANT and NON_COMPLIANT. INSUFFICIENT_DATA is not supported.
config_rule_names : conformance_pack_config_rule_names option;Filters the results by Config rule names.
*)}Filters the conformance pack by compliance types and Config rule names.
type nonrec describe_conformance_pack_compliance_request = {next_token : next_token option;The nextToken string returned in a previous request that you use to request the next page of results in a paginated response.
limit : describe_conformance_pack_compliance_limit option;The maximum number of Config rules within a conformance pack are returned on each page.
*)filters : conformance_pack_compliance_filters option;A ConformancePackComplianceFilters object.
conformance_pack_name : conformance_pack_name;Name of the conformance pack.
*)}type nonrec configuration_recorder_status = {service_principal : service_principal option;For service-linked configuration recorders, the service principal of the linked Amazon Web Services service.
*)last_status_change_time : date option;The time of the latest change in status of an recording event processed by the recorder.
*)last_error_message : string_ option;The latest error message from when the recorder last failed.
*)last_error_code : string_ option;The latest error code from when the recorder last failed.
*)last_status : recorder_status option;The status of the latest recording event processed by the recorder.
*)recording : boolean_ option;Specifies whether or not the recorder is currently recording.
*)last_stop_time : date option;The time the recorder was last stopped.
*)last_start_time : date option;The time the recorder was last started.
*)name : string_ option;The name of the configuration recorder.
*)arn : amazon_resource_name option;The Amazon Resource Name (ARN) of the configuration recorder.
*)}The current status of the configuration recorder.
For a detailed status of recording events over time, add your Config events to CloudWatch metrics and use CloudWatch metrics.
type nonrec configuration_recorder_status_list =
configuration_recorder_status listtype nonrec describe_configuration_recorder_status_response = {configuration_recorders_status : configuration_recorder_status_list option;A list that contains status of the specified recorders.
*)}The output for the DescribeConfigurationRecorderStatus action, in JSON format.
type nonrec configuration_recorder_name_list = recorder_name listtype nonrec describe_configuration_recorder_status_request = {arn : amazon_resource_name option;The Amazon Resource Name (ARN) of the configuration recorder that you want to specify.
*)service_principal : service_principal option;For service-linked configuration recorders, you can use the service principal of the linked Amazon Web Services service to specify the configuration recorder.
*)configuration_recorder_names : configuration_recorder_name_list option;The name of the configuration recorder. If the name is not specified, the opertation returns the status for the customer managed configuration recorder configured for the account, if applicable.
When making a request to this operation, you can only specify one configuration recorder.
*)}The input for the DescribeConfigurationRecorderStatus action.
type nonrec configuration_recorder_list = configuration_recorder listtype nonrec describe_configuration_recorders_response = {configuration_recorders : configuration_recorder_list option;A list that contains the descriptions of the specified configuration recorders.
*)}The output for the DescribeConfigurationRecorders action.
type nonrec describe_configuration_recorders_request = {arn : amazon_resource_name option;The Amazon Resource Name (ARN) of the configuration recorder that you want to specify.
*)service_principal : service_principal option;For service-linked configuration recorders, you can use the service principal of the linked Amazon Web Services service to specify the configuration recorder.
*)configuration_recorder_names : configuration_recorder_name_list option;A list of names of the configuration recorders that you want to specify.
*)}The input for the DescribeConfigurationRecorders action.
type nonrec aggregated_source_status = {last_error_message : string_ option;The message indicating that the source account aggregation failed due to an error.
*)last_error_code : string_ option;The error code that Config returned when the source account aggregation last failed.
*)last_update_time : date option;The time of the last update.
*)last_update_status : aggregated_source_status_type option;Filters the last updated status type.
aws_region : aws_region option;The region authorized to collect aggregated data.
*)source_type : aggregated_source_type option;The source account or an organization.
*)source_id : string_ option;The source account ID or an organization.
*)}The current sync status between the source and the aggregator account.
type nonrec aggregated_source_status_list = aggregated_source_status listtype nonrec describe_configuration_aggregator_sources_status_response = {next_token : string_ option;The nextToken string returned on a previous page that you use to get the next page of results in a paginated response.
aggregated_source_status_list : aggregated_source_status_list option;Returns an AggregatedSourceStatus object.
*)}type nonrec aggregated_source_status_type_list =
aggregated_source_status_type listtype nonrec describe_configuration_aggregator_sources_status_request = {limit : limit option;The maximum number of AggregatorSourceStatus returned on each page. The default is maximum. If you specify 0, Config uses the default.
*)next_token : string_ option;The nextToken string returned on a previous page that you use to get the next page of results in a paginated response.
update_status : aggregated_source_status_type_list option;Filters the status type.
configuration_aggregator_name : configuration_aggregator_name;The name of the configuration aggregator.
*)}type nonrec configuration_aggregator_list = configuration_aggregator listtype nonrec describe_configuration_aggregators_response = {next_token : string_ option;The nextToken string returned on a previous page that you use to get the next page of results in a paginated response.
configuration_aggregators : configuration_aggregator_list option;Returns a ConfigurationAggregators object.
*)}type nonrec configuration_aggregator_name_list =
configuration_aggregator_name listtype nonrec describe_configuration_aggregators_request = {limit : limit option;The maximum number of configuration aggregators returned on each page. The default is maximum. If you specify 0, Config uses the default.
*)next_token : string_ option;The nextToken string returned on a previous page that you use to get the next page of results in a paginated response.
configuration_aggregator_names : configuration_aggregator_name_list option;The name of the configuration aggregators.
*)}type nonrec config_rules = config_rule listtype nonrec describe_config_rules_response = {next_token : string_ option;The string that you use in a subsequent request to get the next page of results in a paginated response.
*)config_rules : config_rules option;The details about your Config rules.
*)}type nonrec describe_config_rules_filters = {evaluation_mode : evaluation_mode option;The mode of an evaluation. The valid values are Detective or Proactive.
*)}Returns a filtered list of Detective or Proactive Config rules. By default, if the filter is not defined, this API returns an unfiltered list. For more information on Detective or Proactive Config rules, see Evaluation Mode in the Config Developer Guide.
type nonrec describe_config_rules_request = {filters : describe_config_rules_filters option;Returns a list of Detective or Proactive Config rules. By default, this API returns an unfiltered list. For more information on Detective or Proactive Config rules, see Evaluation Mode in the Config Developer Guide.
*)next_token : string_ option;The nextToken string returned on a previous page that you use to get the next page of results in a paginated response.
config_rule_names : config_rule_names option;The names of the Config rules for which you want details. If you do not specify any names, Config returns details for all your rules.
*)}type nonrec config_rule_evaluation_status = {last_debug_log_delivery_time : date option;The time Config last attempted to deliver a debug log for your Config Custom Policy rules.
*)last_debug_log_delivery_status_reason : string_ option;The reason Config was not able to deliver a debug log. This is for the last failed attempt to retrieve a debug log for your Config Custom Policy rules.
*)last_debug_log_delivery_status : string_ option;The status of the last attempted delivery of a debug log for your Config Custom Policy rules. Either Successful or Failed.
first_evaluation_started : boolean_ option;Indicates whether Config has evaluated your resources against the rule at least once.
true - Config has evaluated your Amazon Web Services resources against the rule at least once.false - Config has not finished evaluating your Amazon Web Services resources against the rule at least once.last_error_message : string_ option;The error message that Config returned when the rule last failed.
*)last_error_code : string_ option;The error code that Config returned when the rule last failed.
*)last_deactivated_time : date option;The time that you last turned off the Config rule.
*)first_activated_time : date option;The time that you first activated the Config rule.
*)last_failed_evaluation_time : date option;The time that Config last failed to evaluate your Amazon Web Services resources against the rule.
*)last_successful_evaluation_time : date option;The time that Config last successfully evaluated your Amazon Web Services resources against the rule.
*)last_failed_invocation_time : date option;The time that Config last failed to invoke the Config rule to evaluate your Amazon Web Services resources.
*)last_successful_invocation_time : date option;The time that Config last successfully invoked the Config rule to evaluate your Amazon Web Services resources.
*)config_rule_id : string_ option;The ID of the Config rule.
*)config_rule_arn : string_ option;The Amazon Resource Name (ARN) of the Config rule.
*)config_rule_name : config_rule_name option;The name of the Config rule.
*)}Status information for your Config Managed rules and Config Custom Policy rules. The status includes information such as the last time the rule ran, the last time it failed, and the related error for the last failure.
This operation does not return status information about Config Custom Lambda rules.
type nonrec config_rule_evaluation_status_list =
config_rule_evaluation_status listtype nonrec describe_config_rule_evaluation_status_response = {next_token : string_ option;The string that you use in a subsequent request to get the next page of results in a paginated response.
*)config_rules_evaluation_status : config_rule_evaluation_status_list option;Status information about your Config managed rules.
*)}type nonrec describe_config_rule_evaluation_status_request = {limit : rule_limit option;The number of rule evaluation results that you want returned.
This parameter is required if the rule limit for your account is more than the default of 1000 rules.
For information about requesting a rule limit increase, see Config Limits in the Amazon Web Services General Reference Guide.
*)next_token : string_ option;The nextToken string returned on a previous page that you use to get the next page of results in a paginated response.
config_rule_names : config_rule_names option;The name of the Config managed rules for which you want status information. If you do not specify any names, Config returns status information for all Config managed rules that you use.
*)}type nonrec compliance = {compliance_contributor_count : compliance_contributor_count option;The number of Amazon Web Services resources or Config rules that cause a result of NON_COMPLIANT, up to a maximum number.
compliance_type : compliance_type option;Indicates whether an Amazon Web Services resource or Config rule is compliant.
A resource is compliant if it complies with all of the Config rules that evaluate it. A resource is noncompliant if it does not comply with one or more of these rules.
A rule is compliant if all of the resources that the rule evaluates comply with it. A rule is noncompliant if any of these resources do not comply.
Config returns the INSUFFICIENT_DATA value when no evaluation results are available for the Amazon Web Services resource or Config rule.
For the Compliance data type, Config supports only COMPLIANT, NON_COMPLIANT, and INSUFFICIENT_DATA values. Config does not support the NOT_APPLICABLE value for the Compliance data type.
}Indicates whether an Amazon Web Services resource or Config rule is compliant and provides the number of contributors that affect the compliance.
type nonrec compliance_by_resource = {compliance : compliance option;Indicates whether the Amazon Web Services resource complies with all of the Config rules that evaluated it.
*)resource_id : base_resource_id option;The ID of the Amazon Web Services resource that was evaluated.
*)resource_type : string_with_char_limit256 option;The type of the Amazon Web Services resource that was evaluated.
*)}Indicates whether an Amazon Web Services resource that is evaluated according to one or more Config rules is compliant. A resource is compliant if it complies with all of the rules that evaluate it. A resource is noncompliant if it does not comply with one or more of these rules.
type nonrec compliance_by_resources = compliance_by_resource listtype nonrec describe_compliance_by_resource_response = {next_token : next_token option;The string that you use in a subsequent request to get the next page of results in a paginated response.
*)compliance_by_resources : compliance_by_resources option;Indicates whether the specified Amazon Web Services resource complies with all of the Config rules that evaluate it.
*)}type nonrec describe_compliance_by_resource_request = {next_token : next_token option;The nextToken string returned on a previous page that you use to get the next page of results in a paginated response.
limit : limit option;The maximum number of evaluation results returned on each page. The default is 10. You cannot specify a number greater than 100. If you specify 0, Config uses the default.
*)compliance_types : compliance_types option;Filters the results by compliance.
*)resource_id : base_resource_id option;The ID of the Amazon Web Services resource for which you want compliance information. You can specify only one resource ID. If you specify a resource ID, you must also specify a type for ResourceType.
resource_type : string_with_char_limit256 option;The types of Amazon Web Services resources for which you want compliance information (for example, AWS::EC2::Instance). For this operation, you can specify that the resource type is an Amazon Web Services account by specifying AWS::::Account.
}type nonrec compliance_by_config_rule = {compliance : compliance option;Indicates whether the Config rule is compliant.
*)config_rule_name : string_with_char_limit64 option;The name of the Config rule.
*)}Indicates whether an Config rule is compliant. A rule is compliant if all of the resources that the rule evaluated comply with it. A rule is noncompliant if any of these resources do not comply.
type nonrec compliance_by_config_rules = compliance_by_config_rule listtype nonrec describe_compliance_by_config_rule_response = {next_token : string_ option;The string that you use in a subsequent request to get the next page of results in a paginated response.
*)compliance_by_config_rules : compliance_by_config_rules option;Indicates whether each of the specified Config rules is compliant.
*)}type nonrec describe_compliance_by_config_rule_request = {next_token : string_ option;The nextToken string returned on a previous page that you use to get the next page of results in a paginated response.
compliance_types : compliance_types option;Filters the results by compliance.
*)config_rule_names : config_rule_names option;Specify one or more Config rule names to filter the results by rule.
*)}type nonrec aggregation_authorization_list = aggregation_authorization listtype nonrec aggregate_conformance_pack_compliance = {total_rule_count : integer option;Total number of compliant rules, noncompliant rules, and the rules that do not have any applicable resources to evaluate upon resulting in insufficient data.
*)non_compliant_rule_count : integer option;The number of noncompliant Config Rules.
*)compliant_rule_count : integer option;The number of compliant Config Rules.
*)compliance_type : conformance_pack_compliance_type option;The compliance status of the conformance pack.
*)}Provides the number of compliant and noncompliant rules within a conformance pack. Also provides the compliance status of the conformance pack and the total rule count which includes compliant rules, noncompliant rules, and rules that cannot be evaluated due to insufficient data.
A conformance pack is compliant if all of the rules in a conformance packs are compliant. It is noncompliant if any of the rules are not compliant. The compliance status of a conformance pack is INSUFFICIENT_DATA only if all rules within a conformance pack cannot be evaluated due to insufficient data. If some of the rules in a conformance pack are compliant but the compliance status of other rules in that same conformance pack is INSUFFICIENT_DATA, the conformance pack shows compliant.
type nonrec aggregate_compliance_by_conformance_pack = {aws_region : aws_region option;The source Amazon Web Services Region from where the data is aggregated.
*)account_id : account_id option;The 12-digit Amazon Web Services account ID of the source account.
*)compliance : aggregate_conformance_pack_compliance option;The compliance status of the conformance pack.
*)conformance_pack_name : conformance_pack_name option;The name of the conformance pack.
*)}Provides aggregate compliance of the conformance pack. Indicates whether a conformance pack is compliant based on the name of the conformance pack, account ID, and region.
A conformance pack is compliant if all of the rules in a conformance packs are compliant. It is noncompliant if any of the rules are not compliant. The compliance status of a conformance pack is INSUFFICIENT_DATA only if all rules within a conformance pack cannot be evaluated due to insufficient data. If some of the rules in a conformance pack are compliant but the compliance status of other rules in that same conformance pack is INSUFFICIENT_DATA, the conformance pack shows compliant.
type nonrec aggregate_compliance_by_conformance_pack_list =
aggregate_compliance_by_conformance_pack listtype nonrec describe_aggregate_compliance_by_conformance_packs_response = {next_token : next_token option;The nextToken string returned on a previous page that you use to get the next page of results in a paginated response.
aggregate_compliance_by_conformance_packs : aggregate_compliance_by_conformance_pack_list
option;Returns the AggregateComplianceByConformancePack object.
}type nonrec aggregate_conformance_pack_compliance_filters = {aws_region : aws_region option;The source Amazon Web Services Region from where the data is aggregated.
*)account_id : account_id option;The 12-digit Amazon Web Services account ID of the source account.
*)compliance_type : conformance_pack_compliance_type option;The compliance status of the conformance pack.
*)conformance_pack_name : conformance_pack_name option;The name of the conformance pack.
*)}Filters the conformance packs based on an account ID, region, compliance type, and the name of the conformance pack.
type nonrec describe_aggregate_compliance_by_conformance_packs_request = {next_token : next_token option;The nextToken string returned on a previous page that you use to get the next page of results in a paginated response.
limit : limit option;The maximum number of conformance packs compliance details returned on each page. The default is maximum. If you specify 0, Config uses the default.
*)filters : aggregate_conformance_pack_compliance_filters option;Filters the result by AggregateConformancePackComplianceFilters object.
configuration_aggregator_name : configuration_aggregator_name;The name of the configuration aggregator.
*)}type nonrec aggregate_compliance_by_config_rule = {aws_region : aws_region option;The source region from where the data is aggregated.
*)account_id : account_id option;The 12-digit account ID of the source account.
*)compliance : compliance option;Indicates whether an Amazon Web Services resource or Config rule is compliant and provides the number of contributors that affect the compliance.
*)config_rule_name : config_rule_name option;The name of the Config rule.
*)}Indicates whether an Config rule is compliant based on account ID, region, compliance, and rule name.
A rule is compliant if all of the resources that the rule evaluated comply with it. It is noncompliant if any of these resources do not comply.
type nonrec aggregate_compliance_by_config_rule_list =
aggregate_compliance_by_config_rule listtype nonrec describe_aggregate_compliance_by_config_rules_response = {next_token : next_token option;The nextToken string returned on a previous page that you use to get the next page of results in a paginated response.
aggregate_compliance_by_config_rules : aggregate_compliance_by_config_rule_list
option;Returns a list of AggregateComplianceByConfigRule object.
*)}type nonrec config_rule_compliance_filters = {aws_region : aws_region option;The source region where the data is aggregated.
*)account_id : account_id option;The 12-digit account ID of the source account.
*)compliance_type : compliance_type option;The rule compliance status.
For the ConfigRuleComplianceFilters data type, Config supports only COMPLIANT and NON_COMPLIANT. Config does not support the NOT_APPLICABLE and the INSUFFICIENT_DATA values.
config_rule_name : config_rule_name option;The name of the Config rule.
*)}Filters the compliance results based on account ID, region, compliance type, and rule name.
type nonrec describe_aggregate_compliance_by_config_rules_request = {next_token : next_token option;The nextToken string returned on a previous page that you use to get the next page of results in a paginated response.
limit : group_by_api_limit option;The maximum number of evaluation results returned on each page. The default is maximum. If you specify 0, Config uses the default.
*)filters : config_rule_compliance_filters option;Filters the results by ConfigRuleComplianceFilters object.
*)configuration_aggregator_name : configuration_aggregator_name;The name of the configuration aggregator.
*)}type nonrec deliver_config_snapshot_response = {config_snapshot_id : string_ option;The ID of the snapshot that is being created.
*)}The output for the DeliverConfigSnapshot action, in JSON format.
type nonrec deliver_config_snapshot_request = {delivery_channel_name : channel_name;The name of the delivery channel through which the snapshot is delivered.
*)}The input for the DeliverConfigSnapshot action.
type nonrec delete_stored_query_request = {query_name : query_name;The name of the query that you want to delete.
*)}type nonrec delete_service_linked_configuration_recorder_response = {name : recorder_name;The name of the specified configuration recorder.
*)arn : amazon_resource_name;The Amazon Resource Name (ARN) of the specified configuration recorder.
*)}type nonrec delete_service_linked_configuration_recorder_request = {service_principal : service_principal;The service principal of the Amazon Web Services service for the service-linked configuration recorder that you want to delete.
*)}type nonrec delete_retention_configuration_request = {retention_configuration_name : retention_configuration_name;The name of the retention configuration to delete.
*)}type nonrec delete_resource_config_request = {resource_id : resource_id;Unique identifier of the resource.
*)resource_type : resource_type_string;The type of the resource.
*)}type nonrec no_such_remediation_exception_exception = {message : error_message option;Error executing the command
*)}You tried to delete a remediation exception that does not exist.
type nonrec failed_delete_remediation_exceptions_batch = {failed_items : remediation_exception_resource_keys option;Returns remediation exception resource key object of the failed items.
*)failure_message : string_ option;Returns a failure message for delete remediation exception. For example, Config creates an exception due to an internal error.
*)}List of each of the failed delete remediation exceptions with specific reasons.
type nonrec failed_delete_remediation_exceptions_batches =
failed_delete_remediation_exceptions_batch listtype nonrec delete_remediation_exceptions_response = {failed_batches : failed_delete_remediation_exceptions_batches option;Returns a list of failed delete remediation exceptions batch objects. Each object in the batch consists of a list of failed items and failure messages.
*)}type nonrec delete_remediation_exceptions_request = {resource_keys : remediation_exception_resource_keys;An exception list of resource exception keys to be processed with the current request. Config adds exception for each resource key. For example, Config adds 3 exceptions for 3 resource keys.
*)config_rule_name : config_rule_name;The name of the Config rule for which you want to delete remediation exception configuration.
*)}type nonrec remediation_in_progress_exception = {message : error_message option;Error executing the command
*)}Remediation action is in progress. You can either cancel execution in Amazon Web Services Systems Manager or wait and try again later.
type nonrec delete_remediation_configuration_request = {resource_type : string_ option;The type of a resource.
*)config_rule_name : config_rule_name;The name of the Config rule for which you want to delete remediation configuration.
*)}type nonrec delete_pending_aggregation_request_request = {requester_aws_region : aws_region;The region requesting to aggregate data.
*)requester_account_id : account_id;The 12-digit account ID of the account requesting to aggregate data.
*)}type nonrec delete_organization_conformance_pack_request = {organization_conformance_pack_name : organization_conformance_pack_name;The name of organization conformance pack that you want to delete.
*)}type nonrec delete_organization_config_rule_request = {organization_config_rule_name : organization_config_rule_name;The name of organization Config rule that you want to delete.
*)}type nonrec delete_evaluation_results_request = {config_rule_name : string_with_char_limit64;The name of the Config rule for which you want to delete the evaluation results.
*)}type nonrec last_delivery_channel_delete_failed_exception = {message : error_message option;Error executing the command
*)}You cannot delete the delivery channel you specified because the customer managed configuration recorder is running.
type nonrec delete_delivery_channel_request = {delivery_channel_name : channel_name;The name of the delivery channel that you want to delete.
*)}The input for the DeleteDeliveryChannel action. The action accepts the following data, in JSON format.
type nonrec delete_conformance_pack_request = {conformance_pack_name : conformance_pack_name;Name of the conformance pack you want to delete.
*)}type nonrec delete_configuration_recorder_request = {configuration_recorder_name : recorder_name;The name of the customer managed configuration recorder that you want to delete. You can retrieve the name of your configuration recorders by using the DescribeConfigurationRecorders operation.
*)}The request object for the DeleteConfigurationRecorder operation.
type nonrec delete_configuration_aggregator_request = {configuration_aggregator_name : configuration_aggregator_name;The name of the configuration aggregator.
*)}type nonrec delete_config_rule_request = {config_rule_name : config_rule_name;The name of the Config rule that you want to delete.
*)}type nonrec base_configuration_item = {configuration_item_delivery_time : configuration_item_delivery_time option;The time when configuration changes for the resource were delivered.
This field is optional and is not guaranteed to be present in a configuration item (CI). If you are using daily recording, this field will be populated. However, if you are using continuous recording, this field will be omitted since the delivery time is instantaneous as the CI is available right away. For more information on daily recording and continuous recording, see Recording Frequency in the Config Developer Guide.
*)recording_frequency : recording_frequency option;The recording frequency that Config uses to record configuration changes for the resource.
*)supplementary_configuration : supplementary_configuration option;Configuration attributes that Config returns for certain resource types to supplement the information returned for the configuration parameter.
*)configuration : configuration option;The description of the resource configuration.
*)resource_creation_time : resource_creation_time option;The time stamp when the resource was created.
*)availability_zone : availability_zone option;The Availability Zone associated with the resource.
*)aws_region : aws_region option;The region where the resource resides.
*)resource_name : resource_name option;The custom name of the resource, if available.
*)resource_id : resource_id option;The ID of the resource (for example., sg-xxxxxx).
*)resource_type : resource_type option;The type of Amazon Web Services resource.
*)arn : ar_n option;The Amazon Resource Name (ARN) of the resource.
*)configuration_state_id : configuration_state_id option;An identifier that indicates the ordering of the configuration items of a resource.
*)configuration_item_status : configuration_item_status option;The configuration item status. Valid values include:
configuration_item_capture_time : configuration_item_capture_time option;The time when the recording of configuration changes was initiated for the resource.
*)account_id : account_id option;The 12-digit Amazon Web Services account ID associated with the resource.
*)version : version option;The version number of the resource configuration.
*)}The detailed configurations of a specified resource.
type nonrec base_configuration_items = base_configuration_item listtype nonrec batch_get_resource_config_response = {unprocessed_resource_keys : resource_keys option;A list of resource keys that were not processed with the current response. The unprocessesResourceKeys value is in the same form as ResourceKeys, so the value can be directly provided to a subsequent BatchGetResourceConfig operation. If there are no unprocessed resource keys, the response contains an empty unprocessedResourceKeys list.
*)base_configuration_items : base_configuration_items option;A list that contains the current configuration of one or more resources.
*)}type nonrec batch_get_resource_config_request = {resource_keys : resource_keys;A list of resource keys to be processed with the current request. Each element in the list consists of the resource type and resource ID.
*)}type nonrec batch_get_aggregate_resource_config_response = {unprocessed_resource_identifiers : unprocessed_resource_identifier_list option;A list of resource identifiers that were not processed with current scope. The list is empty if all the resources are processed.
*)base_configuration_items : base_configuration_items option;A list that contains the current configuration of one or more resources.
*)}type nonrec resource_identifiers_list = aggregate_resource_identifier listtype nonrec batch_get_aggregate_resource_config_request = {resource_identifiers : resource_identifiers_list;A list of aggregate ResourceIdentifiers objects.
*)configuration_aggregator_name : configuration_aggregator_name;The name of the configuration aggregator.
*)}type nonrec associate_resource_types_request = {resource_types : resource_type_list;The list of resource types you want to add to the recording group of the specified configuration recorder.
*)configuration_recorder_arn : amazon_resource_name;The Amazon Resource Name (ARN) of the specified configuration recorder.
*)}