Class AmazonConfigClient

  • All Implemented Interfaces:
    AmazonConfig
    Direct Known Subclasses:
    AmazonConfigAsyncClient

    @ThreadSafe
    public class AmazonConfigClient
    extends AmazonWebServiceClient
    implements AmazonConfig
    Client for accessing Config Service. All service calls made using this client are blocking, and will not return until the service call completes.

    AWS Config

    AWS Config provides a way to keep track of the configurations of all the AWS resources associated with your AWS account. You can use AWS Config to get the current and historical configurations of each AWS resource and also to get information about the relationship between the resources. An AWS resource can be an Amazon Compute Cloud (Amazon EC2) instance, an Elastic Block Store (EBS) volume, an Elastic network Interface (ENI), or a security group. For a complete list of resources currently supported by AWS Config, see Supported AWS Resources.

    You can access and manage AWS Config through the AWS Management Console, the AWS Command Line Interface (AWS CLI), the AWS Config API, or the AWS SDKs for AWS Config

    This reference guide contains documentation for the AWS Config API and the AWS CLI commands that you can use to manage AWS Config.

    The AWS Config API uses the Signature Version 4 protocol for signing requests. For more information about how to sign a request with this protocol, see Signature Version 4 Signing Process.

    For detailed information about AWS Config features and their associated actions or commands, as well as how to work with AWS Management Console, see What Is AWS Config? in the AWS Config Developer Guide.

    • Field Detail

      • configFactory

        protected static final ClientConfigurationFactory configFactory
        Client configuration factory providing ClientConfigurations tailored to this client
    • Constructor Detail

      • AmazonConfigClient

        public AmazonConfigClient()
        Constructs a new client to invoke service methods on Config Service. A credentials provider chain will be used that searches for credentials in this order:
        • Environment Variables - AWS_ACCESS_KEY_ID and AWS_SECRET_KEY
        • Java System Properties - aws.accessKeyId and aws.secretKey
        • Instance profile credentials delivered through the Amazon EC2 metadata service

        All service calls made using this new client object are blocking, and will not return until the service call completes.

        See Also:
        DefaultAWSCredentialsProviderChain
      • AmazonConfigClient

        public AmazonConfigClient​(ClientConfiguration clientConfiguration)
        Constructs a new client to invoke service methods on Config Service. A credentials provider chain will be used that searches for credentials in this order:
        • Environment Variables - AWS_ACCESS_KEY_ID and AWS_SECRET_KEY
        • Java System Properties - aws.accessKeyId and aws.secretKey
        • Instance profile credentials delivered through the Amazon EC2 metadata service

        All service calls made using this new client object are blocking, and will not return until the service call completes.

        Parameters:
        clientConfiguration - The client configuration options controlling how this client connects to Config Service (ex: proxy settings, retry counts, etc.).
        See Also:
        DefaultAWSCredentialsProviderChain
      • AmazonConfigClient

        public AmazonConfigClient​(AWSCredentials awsCredentials)
        Constructs a new client to invoke service methods on Config Service using the specified AWS account credentials.

        All service calls made using this new client object are blocking, and will not return until the service call completes.

        Parameters:
        awsCredentials - The AWS credentials (access key ID and secret key) to use when authenticating with AWS services.
      • AmazonConfigClient

        public AmazonConfigClient​(AWSCredentials awsCredentials,
                                  ClientConfiguration clientConfiguration)
        Constructs a new client to invoke service methods on Config Service using the specified AWS account credentials and client configuration options.

        All service calls made using this new client object are blocking, and will not return until the service call completes.

        Parameters:
        awsCredentials - The AWS credentials (access key ID and secret key) to use when authenticating with AWS services.
        clientConfiguration - The client configuration options controlling how this client connects to Config Service (ex: proxy settings, retry counts, etc.).
      • AmazonConfigClient

        public AmazonConfigClient​(AWSCredentialsProvider awsCredentialsProvider)
        Constructs a new client to invoke service methods on Config Service using the specified AWS account credentials provider.

        All service calls made using this new client object are blocking, and will not return until the service call completes.

        Parameters:
        awsCredentialsProvider - The AWS credentials provider which will provide credentials to authenticate requests with AWS services.
      • AmazonConfigClient

        public AmazonConfigClient​(AWSCredentialsProvider awsCredentialsProvider,
                                  ClientConfiguration clientConfiguration)
        Constructs a new client to invoke service methods on Config Service using the specified AWS account credentials provider and client configuration options.

        All service calls made using this new client object are blocking, and will not return until the service call completes.

        Parameters:
        awsCredentialsProvider - The AWS credentials provider which will provide credentials to authenticate requests with AWS services.
        clientConfiguration - The client configuration options controlling how this client connects to Config Service (ex: proxy settings, retry counts, etc.).
      • AmazonConfigClient

        public AmazonConfigClient​(AWSCredentialsProvider awsCredentialsProvider,
                                  ClientConfiguration clientConfiguration,
                                  RequestMetricCollector requestMetricCollector)
        Constructs a new client to invoke service methods on Config Service using the specified AWS account credentials provider, client configuration options, and request metric collector.

        All service calls made using this new client object are blocking, and will not return until the service call completes.

        Parameters:
        awsCredentialsProvider - The AWS credentials provider which will provide credentials to authenticate requests with AWS services.
        clientConfiguration - The client configuration options controlling how this client connects to Config Service (ex: proxy settings, retry counts, etc.).
        requestMetricCollector - optional request metric collector
    • Method Detail

      • deleteConfigRule

        public DeleteConfigRuleResult deleteConfigRule​(DeleteConfigRuleRequest deleteConfigRuleRequest)

        Deletes the specified AWS Config rule and all of its evaluation results.

        AWS Config sets the state of a rule to DELETING until the deletion is complete. You cannot update a rule while it is in this state. If you make a PutConfigRule or DeleteConfigRule request for the rule, you will receive a ResourceInUseException.

        You can check the state of a rule by using the DescribeConfigRules request.

        Specified by:
        deleteConfigRule in interface AmazonConfig
        Parameters:
        deleteConfigRuleRequest -
        Returns:
        Result of the DeleteConfigRule operation returned by the service.
        Throws:
        NoSuchConfigRuleException - One or more AWS Config rules in the request are invalid. Verify that the rule names are correct and try again.
        ResourceInUseException - The rule is currently being deleted. Wait for a while and try again.
      • deliverConfigSnapshot

        public DeliverConfigSnapshotResult deliverConfigSnapshot​(DeliverConfigSnapshotRequest deliverConfigSnapshotRequest)

        Schedules delivery of a configuration snapshot to the Amazon S3 bucket in the specified delivery channel. After the delivery has started, AWS Config sends following notifications using an Amazon SNS topic that you have specified.

        • Notification of starting the delivery.
        • Notification of delivery completed, if the delivery was successfully completed.
        • Notification of delivery failure, if the delivery failed to complete.
        Specified by:
        deliverConfigSnapshot in interface AmazonConfig
        Parameters:
        deliverConfigSnapshotRequest - The input for the DeliverConfigSnapshot action.
        Returns:
        Result of the DeliverConfigSnapshot operation returned by the service.
        Throws:
        NoSuchDeliveryChannelException - You have specified a delivery channel that does not exist.
        NoAvailableConfigurationRecorderException - There are no configuration recorders available to provide the role needed to describe your resources. Create a configuration recorder.
        NoRunningConfigurationRecorderException - There is no configuration recorder running.
      • describeComplianceByConfigRule

        public DescribeComplianceByConfigRuleResult describeComplianceByConfigRule​(DescribeComplianceByConfigRuleRequest describeComplianceByConfigRuleRequest)

        Indicates whether the specified AWS Config rules are compliant. If a rule is noncompliant, this action returns the number of AWS resources that do not comply with the rule.

        A rule is compliant if all of the evaluated resources comply with it, and it is noncompliant if any of these resources do not comply.

        If AWS Config has no current evaluation results for the rule, it returns INSUFFICIENT_DATA. This result might indicate one of the following conditions:

        • AWS Config has never invoked an evaluation for the rule. To check whether it has, use the DescribeConfigRuleEvaluationStatus action to get the LastSuccessfulInvocationTime and LastFailedInvocationTime.
        • The rule's AWS Lambda function is failing to send evaluation results to AWS Config. Verify that the role that you assigned to your configuration recorder includes the config:PutEvaluations permission. If the rule is a customer managed rule, verify that the AWS Lambda execution role includes the config:PutEvaluations permission.
        • The rule's AWS Lambda function has returned NOT_APPLICABLE for all evaluation results. This can occur if the resources were deleted or removed from the rule's scope.

        Specified by:
        describeComplianceByConfigRule in interface AmazonConfig
        Parameters:
        describeComplianceByConfigRuleRequest -
        Returns:
        Result of the DescribeComplianceByConfigRule operation returned by the service.
        Throws:
        InvalidParameterValueException - One or more of the specified parameters are invalid. Verify that your parameters are valid and try again.
        NoSuchConfigRuleException - One or more AWS Config rules in the request are invalid. Verify that the rule names are correct and try again.
      • describeComplianceByResource

        public DescribeComplianceByResourceResult describeComplianceByResource​(DescribeComplianceByResourceRequest describeComplianceByResourceRequest)

        Indicates whether the specified AWS resources are compliant. If a resource is noncompliant, this action returns the number of AWS Config rules that the resource does not comply with.

        A resource is compliant if it complies with all the AWS Config rules that evaluate it. It is noncompliant if it does not comply with one or more of these rules.

        If AWS Config has no current evaluation results for the resource, it returns INSUFFICIENT_DATA. This result might indicate one of the following conditions about the rules that evaluate the resource:

        • AWS Config has never invoked an evaluation for the rule. To check whether it has, use the DescribeConfigRuleEvaluationStatus action to get the LastSuccessfulInvocationTime and LastFailedInvocationTime.
        • The rule's AWS Lambda function is failing to send evaluation results to AWS Config. Verify that the role that you assigned to your configuration recorder includes the config:PutEvaluations permission. If the rule is a customer managed rule, verify that the AWS Lambda execution role includes the config:PutEvaluations permission.
        • The rule's AWS Lambda function has returned NOT_APPLICABLE for all evaluation results. This can occur if the resources were deleted or removed from the rule's scope.

        Specified by:
        describeComplianceByResource in interface AmazonConfig
        Parameters:
        describeComplianceByResourceRequest -
        Returns:
        Result of the DescribeComplianceByResource operation returned by the service.
        Throws:
        InvalidParameterValueException - One or more of the specified parameters are invalid. Verify that your parameters are valid and try again.
        InvalidNextTokenException - The specified next token is invalid. Specify the nextToken string that was returned in the previous response to get the next page of results.
      • describeConfigRuleEvaluationStatus

        public DescribeConfigRuleEvaluationStatusResult describeConfigRuleEvaluationStatus​(DescribeConfigRuleEvaluationStatusRequest describeConfigRuleEvaluationStatusRequest)

        Returns status information for each of your AWS managed Config rules. The status includes information such as the last time AWS Config invoked the rule, the last time AWS Config failed to invoke the rule, and the related error for the last failure.

        Specified by:
        describeConfigRuleEvaluationStatus in interface AmazonConfig
        Parameters:
        describeConfigRuleEvaluationStatusRequest -
        Returns:
        Result of the DescribeConfigRuleEvaluationStatus operation returned by the service.
        Throws:
        NoSuchConfigRuleException - One or more AWS Config rules in the request are invalid. Verify that the rule names are correct and try again.
      • getComplianceDetailsByConfigRule

        public GetComplianceDetailsByConfigRuleResult getComplianceDetailsByConfigRule​(GetComplianceDetailsByConfigRuleRequest getComplianceDetailsByConfigRuleRequest)

        Returns the evaluation results for the specified AWS Config rule. The results indicate which AWS resources were evaluated by the rule, when each resource was last evaluated, and whether each resource complies with the rule.

        Specified by:
        getComplianceDetailsByConfigRule in interface AmazonConfig
        Parameters:
        getComplianceDetailsByConfigRuleRequest -
        Returns:
        Result of the GetComplianceDetailsByConfigRule operation returned by the service.
        Throws:
        InvalidParameterValueException - One or more of the specified parameters are invalid. Verify that your parameters are valid and try again.
        InvalidNextTokenException - The specified next token is invalid. Specify the nextToken string that was returned in the previous response to get the next page of results.
        NoSuchConfigRuleException - One or more AWS Config rules in the request are invalid. Verify that the rule names are correct and try again.
      • getComplianceDetailsByResource

        public GetComplianceDetailsByResourceResult getComplianceDetailsByResource​(GetComplianceDetailsByResourceRequest getComplianceDetailsByResourceRequest)

        Returns the evaluation results for the specified AWS resource. The results indicate which AWS Config rules were used to evaluate the resource, when each rule was last used, and whether the resource complies with each rule.

        Specified by:
        getComplianceDetailsByResource in interface AmazonConfig
        Parameters:
        getComplianceDetailsByResourceRequest -
        Returns:
        Result of the GetComplianceDetailsByResource operation returned by the service.
        Throws:
        InvalidParameterValueException - One or more of the specified parameters are invalid. Verify that your parameters are valid and try again.
      • getComplianceSummaryByResourceType

        public GetComplianceSummaryByResourceTypeResult getComplianceSummaryByResourceType​(GetComplianceSummaryByResourceTypeRequest getComplianceSummaryByResourceTypeRequest)

        Returns the number of resources that are compliant and the number that are noncompliant. You can specify one or more resource types to get these numbers for each resource type. The maximum number returned is 100.

        Specified by:
        getComplianceSummaryByResourceType in interface AmazonConfig
        Parameters:
        getComplianceSummaryByResourceTypeRequest -
        Returns:
        Result of the GetComplianceSummaryByResourceType operation returned by the service.
        Throws:
        InvalidParameterValueException - One or more of the specified parameters are invalid. Verify that your parameters are valid and try again.
      • getResourceConfigHistory

        public GetResourceConfigHistoryResult getResourceConfigHistory​(GetResourceConfigHistoryRequest getResourceConfigHistoryRequest)

        Returns a list of configuration items for the specified resource. The list contains details about each state of the resource during the specified time interval.

        The response is paginated, and by default, AWS Config returns a limit of 10 configuration items per page. You can customize this number with the limit parameter. The response includes a nextToken string, and to get the next page of results, run the request again and enter this string for the nextToken parameter.

        Each call to the API is limited to span a duration of seven days. It is likely that the number of records returned is smaller than the specified limit. In such cases, you can make another call, using the nextToken.

        Specified by:
        getResourceConfigHistory in interface AmazonConfig
        Parameters:
        getResourceConfigHistoryRequest - The input for the GetResourceConfigHistory action.
        Returns:
        Result of the GetResourceConfigHistory operation returned by the service.
        Throws:
        ValidationException - The requested action is not valid.
        InvalidTimeRangeException - The specified time range is not valid. The earlier time is not chronologically before the later time.
        InvalidLimitException - The specified limit is outside the allowable range.
        InvalidNextTokenException - The specified next token is invalid. Specify the nextToken string that was returned in the previous response to get the next page of results.
        NoAvailableConfigurationRecorderException - There are no configuration recorders available to provide the role needed to describe your resources. Create a configuration recorder.
        ResourceNotDiscoveredException - You have specified a resource that is either unknown or has not been discovered.
      • listDiscoveredResources

        public ListDiscoveredResourcesResult listDiscoveredResources​(ListDiscoveredResourcesRequest listDiscoveredResourcesRequest)

        Accepts a resource type and returns a list of resource identifiers for the resources of that type. A resource identifier includes the resource type, ID, and (if available) the custom resource name. The results consist of resources that AWS Config has discovered, including those that AWS Config is not currently recording. You can narrow the results to include only resources that have specific resource IDs or a resource name.

        You can specify either resource IDs or a resource name but not both in the same request.

        The response is paginated, and by default AWS Config lists 100 resource identifiers on each page. You can customize this number with the limit parameter. The response includes a nextToken string, and to get the next page of results, run the request again and enter this string for the nextToken parameter.

        Specified by:
        listDiscoveredResources in interface AmazonConfig
        Parameters:
        listDiscoveredResourcesRequest -
        Returns:
        Result of the ListDiscoveredResources operation returned by the service.
        Throws:
        ValidationException - The requested action is not valid.
        InvalidLimitException - The specified limit is outside the allowable range.
        InvalidNextTokenException - The specified next token is invalid. Specify the nextToken string that was returned in the previous response to get the next page of results.
        NoAvailableConfigurationRecorderException - There are no configuration recorders available to provide the role needed to describe your resources. Create a configuration recorder.
      • putConfigRule

        public PutConfigRuleResult putConfigRule​(PutConfigRuleRequest putConfigRuleRequest)

        Adds or updates an AWS Config rule for evaluating whether your AWS resources comply with your desired configurations.

        You can use this action for customer managed Config rules and AWS managed Config rules. A customer managed Config rule is a custom rule that you develop and maintain. An AWS managed Config rule is a customizable, predefined rule that is provided by AWS Config.

        If you are adding a new customer managed Config rule, you must first create the AWS Lambda function that the rule invokes to evaluate your resources. When you use the PutConfigRule action to add the rule to AWS Config, you must specify the Amazon Resource Name (ARN) that AWS Lambda assigns to the function. Specify the ARN for the SourceIdentifier key. This key is part of the Source object, which is part of the ConfigRule object.

        If you are adding a new AWS managed Config rule, specify the rule's identifier for the SourceIdentifier key. To reference AWS managed Config rule identifiers, see Using AWS Managed Config Rules.

        For any new rule that you add, specify the ConfigRuleName in the ConfigRule object. Do not specify the ConfigRuleArn or the ConfigRuleId. These values are generated by AWS Config for new rules.

        If you are updating a rule that you have added previously, specify the rule's ConfigRuleName, ConfigRuleId, or ConfigRuleArn in the ConfigRule data type that you use in this request.

        The maximum number of rules that AWS Config supports is 25.

        For more information about developing and using AWS Config rules, see Evaluating AWS Resource Configurations with AWS Config in the AWS Config Developer Guide.

        Specified by:
        putConfigRule in interface AmazonConfig
        Parameters:
        putConfigRuleRequest -
        Returns:
        Result of the PutConfigRule operation returned by the service.
        Throws:
        InvalidParameterValueException - One or more of the specified parameters are invalid. Verify that your parameters are valid and try again.
        MaxNumberOfConfigRulesExceededException - Failed to add the AWS Config rule because the account already contains the maximum number of 25 rules. Consider deleting any deactivated rules before adding new rules.
        ResourceInUseException - The rule is currently being deleted. Wait for a while and try again.
        InsufficientPermissionsException - Indicates one of the following errors:

        • The rule cannot be created because the IAM role assigned to AWS Config lacks permissions to perform the config:Put* action.
        • The AWS Lambda function cannot be invoked. Check the function ARN, and check the function's permissions.
      • putConfigurationRecorder

        public PutConfigurationRecorderResult putConfigurationRecorder​(PutConfigurationRecorderRequest putConfigurationRecorderRequest)

        Creates a new configuration recorder to record the selected resource configurations.

        You can use this action to change the role roleARN and/or the recordingGroup of an existing recorder. To change the role, call the action on the existing configuration recorder and specify a role.

        Currently, you can specify only one configuration recorder per account.

        If ConfigurationRecorder does not have the recordingGroup parameter specified, the default is to record all supported resource types.

        Specified by:
        putConfigurationRecorder in interface AmazonConfig
        Parameters:
        putConfigurationRecorderRequest - The input for the PutConfigurationRecorder action.
        Returns:
        Result of the PutConfigurationRecorder operation returned by the service.
        Throws:
        MaxNumberOfConfigurationRecordersExceededException - You have reached the limit on the number of recorders you can create.
        InvalidConfigurationRecorderNameException - You have provided a configuration recorder name that is not valid.
        InvalidRoleException - You have provided a null or empty role ARN.
        InvalidRecordingGroupException - AWS Config throws an exception if the recording group does not contain a valid list of resource types. Invalid values could also be incorrectly formatted.
      • putDeliveryChannel

        public PutDeliveryChannelResult putDeliveryChannel​(PutDeliveryChannelRequest putDeliveryChannelRequest)

        Creates a new delivery channel object to deliver the configuration information to an Amazon S3 bucket, and to an Amazon SNS topic.

        You can use this action to change the Amazon S3 bucket or an Amazon SNS topic of the existing delivery channel. To change the Amazon S3 bucket or an Amazon SNS topic, call this action and specify the changed values for the S3 bucket and the SNS topic. If you specify a different value for either the S3 bucket or the SNS topic, this action will keep the existing value for the parameter that is not changed.

        Currently, you can specify only one delivery channel per account.

        Specified by:
        putDeliveryChannel in interface AmazonConfig
        Parameters:
        putDeliveryChannelRequest - The input for the PutDeliveryChannel action.
        Returns:
        Result of the PutDeliveryChannel operation returned by the service.
        Throws:
        MaxNumberOfDeliveryChannelsExceededException - You have reached the limit on the number of delivery channels you can create.
        NoAvailableConfigurationRecorderException - There are no configuration recorders available to provide the role needed to describe your resources. Create a configuration recorder.
        InvalidDeliveryChannelNameException - The specified delivery channel name is not valid.
        NoSuchBucketException - The specified Amazon S3 bucket does not exist.
        InvalidS3KeyPrefixException - The specified Amazon S3 key prefix is not valid.
        InvalidSNSTopicARNException - The specified Amazon SNS topic does not exist.
        InsufficientDeliveryPolicyException - Your Amazon S3 bucket policy does not permit AWS Config to write to it.
      • putEvaluations

        public PutEvaluationsResult putEvaluations​(PutEvaluationsRequest putEvaluationsRequest)

        Used by an AWS Lambda function to deliver evaluation results to AWS Config. This action is required in every AWS Lambda function that is invoked by an AWS Config rule.

        Specified by:
        putEvaluations in interface AmazonConfig
        Parameters:
        putEvaluationsRequest -
        Returns:
        Result of the PutEvaluations operation returned by the service.
        Throws:
        InvalidParameterValueException - One or more of the specified parameters are invalid. Verify that your parameters are valid and try again.
        InvalidResultTokenException - The result token is invalid.
        NoSuchConfigRuleException - One or more AWS Config rules in the request are invalid. Verify that the rule names are correct and try again.
      • getCachedResponseMetadata

        public ResponseMetadata getCachedResponseMetadata​(AmazonWebServiceRequest request)
        Returns additional metadata for a previously executed successful, request, typically used for debugging issues where a service isn't acting as expected. This data isn't considered part of the result data returned by an operation, so it's available through this separate, diagnostic interface.

        Response metadata is only cached for a limited period of time, so if you need to access this extra diagnostic information for an executed request, you should use this method to retrieve it as soon as possible after executing the request.

        Specified by:
        getCachedResponseMetadata in interface AmazonConfig
        Parameters:
        request - The originally executed request
        Returns:
        The response metadata for the specified request, or null if none is available.