Resource attributes
Here are descriptions and examples for the Resources object in the Amazon Security Finding Format (ASFF). For
more information about these fields, see Resources.
DataClassification
The DataClassification field provides information about sensitive data that was detected on the resource.
Example
"DataClassification": { "DetailedResultsLocation": "Path_to_Folder_Or_File", "Result": { "MimeType": "text/plain", "SizeClassified": 2966026, "AdditionalOccurrences": false, "Status": { "Code": "COMPLETE", "Reason": "Unsupportedfield" }, "SensitiveData": [ { "Category": "PERSONAL_INFORMATION", "Detections": [ { "Count": 34, "Type": "GE_PERSONAL_ID", "Occurrences": { "LineRanges": [ { "Start": 1, "End": 10, "StartColumn": 20 } ], "Pages": [], "Records": [], "Cells": [] } }, { "Count": 59, "Type": "EMAIL_ADDRESS", "Occurrences": { "Pages": [ { "PageNumber": 1, "OffsetRange": { "Start": 1, "End": 100, "StartColumn": 10 }, "LineRange": { "Start": 1, "End": 100, "StartColumn": 10 } } ] } }, { "Count": 2229, "Type": "URL", "Occurrences": { "LineRanges": [ { "Start": 1, "End": 13 } ] } }, { "Count": 13826, "Type": "NameDetection", "Occurrences": { "Records": [ { "RecordIndex": 1, "JsonPath": "$.ssn.value" } ] } }, { "Count": 32, "Type": "AddressDetection" } ], "TotalCount": 32 } ], "CustomDataIdentifiers": { "Detections": [ { "Arn": "1712be25e7c7f53c731fe464f1c869b8", "Name": "1712be25e7c7f53c731fe464f1c869b8", "Count": 2, } ], "TotalCount": 2 } } }
Details
The Details field provides additional information about a
single resource using the appropriate objects. Each resource must be provided in a
separate resource object in the Resources object.
Note that if the finding size exceeds the maximum of 240 KB, then the
Details object is removed from the finding. For control findings that
use Amazon Config rules, you can view the resource details on the Amazon Config console.
Security Hub provides a set of available resource details for its supported resource types.
These details correspond to values of the Type object. Use the provided
types whenever possible.
For example, if the resource is an S3 bucket, then set the resource Type
to AwsS3Bucket and provide the resource details in the AwsS3Bucket
object.
The Other object allows
you to provide custom fields and values. You use the Other object in the
following cases:
-
The resource type (the value of the resource
Type) does not have a corresponding details object. To provide details for the resource, you use the Other object. -
The object for the resource type does not include all of the fields that you want to populate. In this case, use the details object for the resource type to populate the available fields. Use the
Otherobject to populate the fields that are not in the type-specific object. -
The resource type is not one of the provided types. In this case, set
Resource.TypetoOther, and use theOtherobject to populate the details.
Example
"Details": { "AwsEc2Instance": { "IamInstanceProfileArn": "arn:aws-cn:iam::123456789012:role/IamInstanceProfileArn", "ImageId": "ami-79fd7eee", "IpV4Addresses": ["1.1.1.1"], "IpV6Addresses": ["2001:db8:1234:1a2b::123"], "KeyName": "testkey", "LaunchedAt": "2018-09-29T01:25:54Z", "MetadataOptions": { "HttpEndpoint": "enabled", "HttpProtocolIpv6": "enabled", "HttpPutResponseHopLimit": 1, "HttpTokens": "optional", "InstanceMetadataTags": "disabled" }, "NetworkInterfaces": [ { "NetworkInterfaceId": "eni-e5aa89a3" } ], "SubnetId": "PublicSubnet", "Type": "i3.xlarge", "VirtualizationType": "hvm", "VpcId": "TestVPCIpv6" }, "AwsS3Bucket": { "OwnerId": "da4d66eac431652a4d44d490a00500bded52c97d235b7b4752f9f688566fe6de", "OwnerName": "acmes3bucketowner" }, "Other": { "LightPen": "blinky", "SerialNo": "1234abcd"} }
Id
The identifier for the given resource type.
For Amazon resources that are identified by Amazon Resource Names (ARNs), this is the ARN.
For Amazon resources that lack ARNs, this is the identifier as defined by the Amazon service that created the resource.
For non-Amazon resources, this is a unique identifier that is associated with the resource.
Example
"Id": "arn:aws-cn:s3:::example-bucket"
Partition
The partition in which the resource is located. A partition is a group of Amazon Web Services Regions. Each Amazon Web Services account is scoped to one partition.
The following partitions are supported:
aws– Amazon Web Services Regionsaws-cn– China Regionsaws-us-gov– Amazon GovCloud (US) Region
Example
"Partition": "aws"
Region
The code for the Amazon Web Services Region where this resource is located. For a list of Region codes, see Regional endpoints.
Example
"Region": "us-west-2"
ResourceRole
Identifies the role of the resource in the finding. A resource is either the target of the finding activity or the actor that performed the activity.
Example
"ResourceRole": "target"
Tags
You can add resource tags to findings that are ingested into Security Hub, including findings from integrated
Amazon Web Services and third-party products. You can tag resources that the GetResources
operation of the Amazon Resource Groups Tagging API supports. For a list of supported resources, see
Services that support the Resource Groups Tagging API.
Adding tags tells you the
tags that were associated with a resource at the time the finding was processed.
You can include the Tags attribute only for resources that have an associated
tag. If a resource has no associated tag, don't include a Tags attribute in
the finding.
The inclusion of resource tags in findings eliminates the need to build data enrichment pipelines or manually enrich the metadata of security findings. You can also use tags to search or filter findings and insights and create automation rules.
For information about restrictions that apply to tags, see Tag naming limits and requirements.
You can only provide tags that exist on an Amazon resource in this field. To
provide data that isn't defined in the Amazon Security Finding Format, use the
Other details subfield.
Example
"Tags": { "billingCode": "Lotus-1-2-3", "needsPatching": "true" }
Type
The type of resource that you are providing details for.
Whenever possible, use one of the provided resource types, such as
AwsEc2Instance or AwsS3Bucket.
If the resource type does not match any of the provided resource types, then set the
resource Type to Other, and use the Other details
subfield to populate the details.
Supported values are listed under Resources.
Example
"Type": "AwsS3Bucket"