Security Hub controls for Amazon Amplify

These Security Hub controls evaluate the Amazon Amplify service and resources. The controls might not be available in all Amazon Web Services Regions. For more information, see Availability of controls by Region.

[Amplify.1] Amplify apps should be tagged

Category: Identify > Inventory > Tagging

Severity: Low

Resource type: AWS::Amplify::App

Amazon Config rule: amplify-app-tagged

Schedule type: Change triggered

Parameters:

Parameter: requiredKeyTags
Description: A list of non-system tag keys that must be assigned to an evaluated resource. Tag keys are case sensitive.
Type: StringList (maximum of 6 items)
Allowed custom values: 1–6 tag keys that meet Amazon requirements.
Security Hub default value: No default value

This control checks whether an Amazon Amplify app has the tag keys specified by the requiredKeyTags parameter. The control fails if the app doesn't have any tag keys, or it doesn't have all the keys specified by the requiredKeyTags parameter. If you don't specify any values for the requiredKeyTags parameter, the control checks only for the existence of a tag key and fails if the app doesn't have any tag keys. The control ignores system tags, which are applied automatically and have the aws: prefix.

A tag is a label that you create and assign to an Amazon resource. Each tag consists of a required tag key and an optional tag value. You can use tags to categorize resources by purpose, owner, environment, or other criteria. They can help you identify, organize, search for, and filter resources. They can also help you track resource owners for actions and notifications. You can also use tags to implement attribute-based access control (ABAC) as an authorization strategy. For more information about ABAC strategies, see Define permissions based on attributes with ABAC authorization in the IAM User Guide. For more information about tags, see the Tagging Amazon Resources and Tag Editor User Guide.

Note

Do not store personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible from many Amazon Web Services services. They aren't intended to be used for private or sensitive data.

Remediation

For information about adding tags to an Amazon Amplify app, see Resource tagging support in the Amazon Amplify Hosting User Guide.

[Amplify.2] Amplify branches should be tagged

Category: Identify > Inventory > Tagging

Severity: Low

Resource type: AWS::Amplify::Branch

Amazon Config rule: amplify-branch-tagged

Schedule type: Change triggered

Parameters:

Parameter: requiredKeyTags
Description: A list of non-system tag keys that must be assigned to an evaluated resource. Tag keys are case sensitive.
Type: StringList (maximum of 6 items)
Allowed custom values: 1–6 tag keys that meet Amazon requirements.
Security Hub default value: No default value

This control checks whether an Amazon Amplify branch has the tag keys specified by the requiredKeyTags parameter. The control fails if the branch doesn't have any tag keys, or it doesn't have all the keys specified by the requiredKeyTags parameter. If you don't specify any values for the requiredKeyTags parameter, the control checks only for the existence of a tag key and fails if the branch doesn't have any tag keys. The control ignores system tags, which are applied automatically and have the aws: prefix.
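The pass/fail logic described for Amplify.1 (apps) and Amplify.2 (branches) is the same, so the following added example re-implements it once for both. It is a hypothetical reconstruction written for this page, not AWS Config's or Security Hub's own code; the resource IDs and tag sets are constructed sample data.

```python
"""Reconstruction of the Amplify.1 / Amplify.2 requiredKeyTags evaluation.

Hypothetical code written to illustrate the control's semantics; it is not
the AWS Config rule implementation.
"""
from typing import Dict, Iterable, List, Tuple

SYSTEM_TAG_PREFIX = "aws:"   # system tags are applied automatically and ignored
MAX_REQUIRED_KEYS = 6        # requiredKeyTags is a StringList of at most 6 items


def evaluate_required_key_tags(
    tags: Dict[str, str], required_key_tags: Iterable[str] = ()
) -> Tuple[str, List[str]]:
    """Return ("PASSED" | "FAILED", missing_keys) for one Amplify app or branch.

    - Keys with the aws: prefix do not count toward the check.
    - Keys are case sensitive, so "owner" does not satisfy "Owner".
    - With an empty requiredKeyTags, only the existence of a non-system key
      is checked.
    """
    required = list(required_key_tags)
    if len(required) > MAX_REQUIRED_KEYS:
        raise ValueError(f"requiredKeyTags allows at most {MAX_REQUIRED_KEYS} keys")
    user_keys = {k for k in tags if not k.startswith(SYSTEM_TAG_PREFIX)}
    if not user_keys:
        # No non-system tag keys at all: fails whatever the parameter says.
        return "FAILED", required
    missing = [k for k in required if k not in user_keys]
    return ("PASSED" if not missing else "FAILED"), missing


# Constructed sample resources (not real account data).
SAMPLE_RESOURCES = {
    "AWS::Amplify::App/only-system-tag": {"aws:cloudformation:stack-name": "demo"},
    "AWS::Amplify::App/lowercase-owner": {"owner": "web-team"},
    "AWS::Amplify::Branch/fully-tagged": {"Owner": "web-team", "Environment": "prod"},
    "AWS::Amplify::Branch/untagged": {},
}
REQUIRED = ["Owner", "Environment"]   # assumed requiredKeyTags parameter value


def evaluate_all(resources=SAMPLE_RESOURCES, required=REQUIRED):
    """Evaluate every sample resource against the same requiredKeyTags value."""
    return {rid: evaluate_required_key_tags(tags, required) for rid, tags in resources.items()}


if __name__ == "__main__":
    for rid, (status, missing) in evaluate_all().items():
        print(f"{status:6} {rid}" + (f"  missing={missing}" if missing else ""))
```

The returned missing-key list is what a remediation step would need to add to the app or branch before the control re-evaluates on the next change.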

A tag is a label that you create and assign to an Amazon resource. Each tag consists of a required tag key and an optional tag value. You can use tags to categorize resources by purpose, owner, environment, or other criteria. They can help you identify, organize, search for, and filter resources. They can also help you track resource owners for actions and notifications. You can also use tags to implement attribute-based access control (ABAC) as an authorization strategy. For more information about ABAC strategies, see Define permissions based on attributes with ABAC authorization in the IAM User Guide. For more information about tags, see the Tagging Amazon Resources and Tag Editor User Guide.

Note

Do not store personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible from many Amazon Web Services services. They aren't intended to be used for private or sensitive data.

Remediation

For information about adding tags to an Amazon Amplify branch, see Resource tagging support in the Amazon Amplify Hosting User Guide.