Amazon Config resources required to generate control findings
Amazon Security Hub generates control findings by performing security checks against Security Hub controls. Some controls use Amazon Config rules that evaluate compliance with specific resources. For Security Hub to generate findings for controls that have a change triggered schedule type, you must turn on recording for required resources in Amazon Config. You don't need to record resources for most controls that have a periodic schedule type. However, some periodic controls require resource recording to detect changes in compliance.
This page provides a list of required resources across standards and a list of required resources divided by standard. The first table also lists which Security Hub controls use each resource.
If a finding is generated by a security check that is based on an Amazon Config rule, the finding details include a Rules link to the associated Amazon Config rule. To navigate to the Amazon Config rule, your account must have IAM permissions to view Amazon Config rules.
Note
In Amazon Web Services Regions where a control isn't available, the corresponding resource isn't available in Amazon Config. For a list of Regional limits on Security Hub controls, see Availability of controls by Region.
Amazon Config resources required for all controls
For Security Hub to generate findings for enabled change triggered controls that use an Amazon Config rule, you must record these resources in Amazon Config. The table also indicates which controls require a particular resource. A control may require more than one resource, and a resource may be required by controls of several services (for example, AWS::EC2::Instance is also required by EMR.1 and SSM.1).
Service | Required resource | Related controls |
---|---|---|
Amazon API Gateway | AWS::ApiGateway::Stage | APIGateway.1 APIGateway.2 APIGateway.3 APIGateway.4 APIGateway.5 |
Amazon API Gateway | AWS::ApiGatewayV2::Stage | APIGateway.1 APIGateway.9 |
Amazon AppSync | AWS::AppSync::GraphQLApi | AppSync.2 AppSync.4 AppSync.5 |
Amazon Backup | AWS::Backup::RecoveryPoint | Backup.1 |
Amazon Certificate Manager (ACM) | AWS::ACM::Certificate | ACM.1 ACM.2 ACM.3 |
Amazon Athena | AWS::Athena::DataCatalog | Athena.2 |
Amazon Athena | AWS::Athena::WorkGroup | Athena.3 |
Amazon CloudFormation | AWS::CloudFormation::Stack | CloudFormation.2 |
Amazon CloudFront | AWS::CloudFront::Distribution | CloudFront.1 CloudFront.3 CloudFront.4 CloudFront.5 CloudFront.6 CloudFront.7 CloudFront.8 CloudFront.9 CloudFront.10 CloudFront.13 CloudFront.14 |
Amazon CloudTrail | AWS::CloudTrail::Trail | CloudTrail.9 |
Amazon CloudWatch | AWS::CloudWatch::Alarm | CloudWatch.15 CloudWatch.17 |
Amazon CodeArtifact | AWS::CodeArtifact::Repository | CodeArtifact.1 |
Amazon CodeBuild | AWS::CodeBuild::Project | CodeBuild.1 CodeBuild.2 CodeBuild.3 CodeBuild.4 |
Amazon Detective | AWS::Detective::Graph | Detective.1 |
Amazon Database Migration Service (Amazon DMS) | AWS::DMS::Certificate | DMS.2 |
Amazon Database Migration Service (Amazon DMS) | AWS::DMS::Endpoint | DMS.9 |
Amazon Database Migration Service (Amazon DMS) | AWS::DMS::EventSubscription | DMS.3 |
Amazon Database Migration Service (Amazon DMS) | AWS::DMS::ReplicationInstance | DMS.4 DMS.6 |
Amazon Database Migration Service (Amazon DMS) | AWS::DMS::ReplicationSubnetGroup | DMS.5 |
Amazon Database Migration Service (Amazon DMS) | AWS::DMS::ReplicationTask | DMS.7 DMS.8 |
Amazon DynamoDB | AWS::DynamoDB::Table | DynamoDB.2 DynamoDB.6 |
Amazon Elastic Compute Cloud (EC2) | AWS::EC2::ClientVpnEndpoint | EC2.51 |
Amazon Elastic Compute Cloud (EC2) | AWS::EC2::CustomerGateway | EC2.36 |
Amazon Elastic Compute Cloud (EC2) | AWS::EC2::EIP | EC2.12 EC2.37 |
Amazon Elastic Compute Cloud (EC2) | AWS::EC2::FlowLog | EC2.48 |
Amazon Elastic Compute Cloud (EC2) | AWS::EC2::Instance | EC2.4 EC2.8 EC2.9 EC2.17 EC2.24 EC2.38 EMR.1 SSM.1 |
Amazon Elastic Compute Cloud (EC2) | AWS::EC2::InternetGateway | EC2.39 |
Amazon Elastic Compute Cloud (EC2) | AWS::EC2::LaunchTemplate | EC2.25 |
Amazon Elastic Compute Cloud (EC2) | AWS::EC2::NatGateway | EC2.40 |
Amazon Elastic Compute Cloud (EC2) | AWS::EC2::NetworkAcl | EC2.16 EC2.21 EC2.41 |
Amazon Elastic Compute Cloud (EC2) | AWS::EC2::NetworkInterface | EC2.22 EC2.35 |
Amazon Elastic Compute Cloud (EC2) | AWS::EC2::RouteTable | EC2.42 |
Amazon Elastic Compute Cloud (EC2) | AWS::EC2::SecurityGroup | EC2.2 EC2.13 EC2.14 EC2.18 EC2.19 EC2.43 |
Amazon Elastic Compute Cloud (EC2) | AWS::EC2::Subnet | EC2.15 EC2.44 ElastiCache.7 Lambda.5 |
Amazon Elastic Compute Cloud (EC2) | AWS::EC2::TransitGateway | EC2.23 EC2.52 |
Amazon Elastic Compute Cloud (EC2) | AWS::EC2::TransitGatewayAttachment | EC2.33 |
Amazon Elastic Compute Cloud (EC2) | AWS::EC2::TransitGatewayRouteTable | EC2.34 |
Amazon Elastic Compute Cloud (EC2) | AWS::EC2::Volume | EC2.3 EC2.45 |
Amazon Elastic Compute Cloud (EC2) | AWS::EC2::VPC | EC2.46 |
Amazon Elastic Compute Cloud (EC2) | AWS::EC2::VPCEndpointService | EC2.47 |
Amazon Elastic Compute Cloud (EC2) | AWS::EC2::VPCPeeringConnector | EC2.49 |
Amazon Elastic Compute Cloud (EC2) | AWS::EC2::VPNConnection | EC2.20 |
Amazon Elastic Compute Cloud (EC2) | AWS::EC2::VPNGateway | EC2.50 |
Amazon EC2 Auto Scaling | AWS::AutoScaling::AutoScalingGroup | AutoScaling.1 AutoScaling.2 AutoScaling.6 AutoScaling.9 AutoScaling.10 |
Amazon EC2 Auto Scaling | AWS::AutoScaling::LaunchConfiguration | AutoScaling.3 AutoScaling.5 |
Amazon EC2 Systems Manager (SSM) | AWS::SSM::AssociationCompliance | SSM.3 |
Amazon EC2 Systems Manager (SSM) | AWS::SSM::ManagedInstanceInventory | SSM.1 |
Amazon EC2 Systems Manager (SSM) | AWS::SSM::PatchCompliance | SSM.2 |
Amazon Elastic Container Registry (Amazon ECR) | AWS::ECR::PublicRepository | ECR.4 |
Amazon Elastic Container Registry (Amazon ECR) | AWS::ECR::Repository | ECR.2 ECR.3 |
Amazon Elastic Container Service (Amazon ECS) | AWS::ECS::Cluster | ECS.12 ECS.14 |
Amazon Elastic Container Service (Amazon ECS) | AWS::ECS::Service | ECS.2 ECS.10 ECS.13 |
Amazon Elastic Container Service (Amazon ECS) | AWS::ECS::TaskDefinition | ECS.1 ECS.3 ECS.4 ECS.5 ECS.8 ECS.9 ECS.15 |
Amazon Elastic File System (Amazon EFS) | AWS::EFS::AccessPoint | EFS.3 EFS.4 EFS.5 |
Amazon Elastic Kubernetes Service (Amazon EKS) | AWS::EKS::Cluster | EKS.2 EKS.6 |
Amazon Elastic Kubernetes Service (Amazon EKS) | AWS::EKS::IdentityProviderConfig | EKS.7 |
Amazon Elastic Beanstalk | AWS::ElasticBeanstalk::Environment | ElasticBeanstalk.1 ElasticBeanstalk.2 ElasticBeanstalk.3 |
Elastic Load Balancing | AWS::ElasticLoadBalancing::LoadBalancer | ELB.2 ELB.3 ELB.5 ELB.7 ELB.8 ELB.9 ELB.10 ELB.14 |
Elastic Load Balancing | AWS::ElasticLoadBalancingV2::LoadBalancer | ELB.4 ELB.5 ELB.6 ELB.12 ELB.13 ELB.16 |
ElasticSearch | AWS::Elasticsearch::Domain | ES.3 ES.4 ES.5 ES.6 ES.7 ES.8 ES.9 |
Amazon EventBridge | AWS::Events::EventBus | EventBridge.2 EventBridge.3 |
Amazon EventBridge | AWS::Events::Endpoint | EventBridge.4 |
Amazon FSx | AWS::FSx::FileSystem | FSx.1 |
Amazon Global Accelerator | AWS::GlobalAccelerator::Accelerator | GlobalAccelerator.1 |
Amazon Glue | AWS::Glue::Job | Glue.1 |
Amazon GuardDuty | AWS::GuardDuty::Detector | GuardDuty.4 |
Amazon GuardDuty | AWS::GuardDuty::Filter | GuardDuty.2 |
Amazon GuardDuty | AWS::GuardDuty::IPSet | GuardDuty.3 |
Amazon Identity and Access Management (IAM) | AWS::IAM::Group | IAM.18 KMS.2 |
Amazon Identity and Access Management (IAM) | AWS::IAM::Policy | IAM.1 IAM.21 KMS.1 |
Amazon Identity and Access Management (IAM) | AWS::IAM::Role | IAM.18 IAM.24 KMS.2 |
Amazon Identity and Access Management (IAM) | AWS::IAM::User | IAM.2 IAM.18 IAM.25 KMS.2 |
Amazon Identity and Access Management Access Analyzer | AWS::AccessAnalyzer::Analyzer | IAM.23 |
Amazon IoT | AWS::IoT::Authorizer | IoT.4 |
Amazon IoT | AWS::IoT::Dimension | IoT.3 |
Amazon IoT | AWS::IoT::MitigationAction | IoT.2 |
Amazon IoT | AWS::IoT::Policy | IoT.6 |
Amazon IoT | AWS::IoT::RoleAlias | IoT.5 |
Amazon IoT | AWS::IoT::SecurityProfile | IoT.1 |
Amazon Key Management Service (Amazon KMS) | AWS::KMS::Key | KMS.3 |
Amazon Kinesis | AWS::Kinesis::Stream | Kinesis.1 Kinesis.2 |
Amazon Lambda | AWS::Lambda::Function | Lambda.1 Lambda.2 Lambda.3 Lambda.5 Lambda.6 |
Amazon MSK | AWS::MSK::Cluster | MSK.1 MSK.2 |
Amazon MQ | AWS::AmazonMQ::Broker | MQ.4 MQ.5 MQ.6 |
Amazon Network Firewall | AWS::NetworkFirewall::Firewall | NetworkFirewall.1 NetworkFirewall.7 NetworkFirewall.9 |
Amazon Network Firewall | AWS::NetworkFirewall::FirewallPolicy | NetworkFirewall.3 NetworkFirewall.4 NetworkFirewall.5 NetworkFirewall.8 |
Amazon Network Firewall | AWS::NetworkFirewall::RuleGroup | NetworkFirewall.6 |
Amazon OpenSearch Service | AWS::OpenSearch::Domain | Opensearch.1 Opensearch.2 Opensearch.3 Opensearch.4 Opensearch.5 Opensearch.6 Opensearch.7 Opensearch.8 Opensearch.9 Opensearch.10 |
Amazon Relational Database Service (Amazon RDS) | AWS::RDS::DBCluster | DocumentDB.1 DocumentDB.2 DocumentDB.4 DocumentDB.5 Neptune.1 Neptune.2 Neptune.4 Neptune.5 Neptune.7 Neptune.8 Neptune.9 RDS.7 RDS.12 RDS.14 RDS.15 RDS.16 RDS.24 RDS.27 RDS.28 RDS.34 RDS.35 |
Amazon Relational Database Service (Amazon RDS) | AWS::RDS::DBClusterSnapshot | DocumentDB.3 Neptune.3 Neptune.6 RDS.1 RDS.4 RDS.29 |
Amazon Relational Database Service (Amazon RDS) | AWS::RDS::DBInstance | RDS.2 RDS.3 RDS.5 RDS.6 RDS.8 RDS.9 RDS.10 RDS.11 RDS.13 RDS.17 RDS.18 RDS.23 RDS.25 RDS.30 |
Amazon Relational Database Service (Amazon RDS) | AWS::RDS::DBSecurityGroup | RDS.31 |
Amazon Relational Database Service (Amazon RDS) | AWS::RDS::DBSnapshot | DocumentDB.3 RDS.1 RDS.4 RDS.32 |
Amazon Relational Database Service (Amazon RDS) | AWS::RDS::DBSubnetGroup | RDS.33 |
Amazon Relational Database Service (Amazon RDS) | AWS::RDS::EventSubscription | RDS.19 RDS.20 RDS.21 RDS.22 |
Amazon Redshift | AWS::Redshift::Cluster | Redshift.1 Redshift.2 Redshift.3 Redshift.4 Redshift.6 Redshift.7 Redshift.8 Redshift.9 Redshift.10 Redshift.11 |
Amazon Redshift | AWS::Redshift::ClusterSnapshot | Redshift.13 |
Amazon Redshift | AWS::Redshift::ClusterSubnetGroup | Redshift.14 |
Amazon Redshift | AWS::Redshift::EventSubscription | Redshift.12 |
Amazon Route 53 | AWS::Route53::HostedZone | Route53.2 |
Amazon Simple Storage Service (Amazon S3) | AWS::S3::AccessPoint | S3.19 |
Amazon Simple Storage Service (Amazon S3) | AWS::S3::Bucket | S3.2 S3.3 S3.5 S3.6 S3.7 S3.8 S3.9 S3.10 S3.11 S3.12 S3.13 S3.14 S3.15 S3.17 S3.20 |
Amazon Secrets Manager | AWS::SecretsManager::Secret | SecretsManager.1 SecretsManager.2 SecretsManager.5 |
Amazon Simple Email Service (Amazon SES) | AWS::SES::ConfigurationSet | SES.2 |
Amazon Simple Email Service (Amazon SES) | AWS::SES::ContactList | SES.1 |
Amazon Simple Notification Service (Amazon SNS) | AWS::SNS::Topic | SNS.1 SNS.3 |
Amazon Simple Queue Service (Amazon SQS) | AWS::SQS::Queue | SQS.1 SQS.2 |
Amazon SageMaker | AWS::SageMaker::NotebookInstance | SageMaker.2 SageMaker.3 |
Amazon Step Functions | AWS::StepFunctions::StateMachine | StepFunctions.1 StepFunctions.2 |
Amazon Transfer Family | AWS::Transfer::Workflow | Transfer.1 |
Amazon WAF | AWS::WAF::Rule | WAF.6 |
Amazon WAF | AWS::WAF::RuleGroup | WAF.7 |
Amazon WAF | AWS::WAF::WebACL | WAF.8 |
Amazon WAF | AWS::WAFRegional::Rule | WAF.2 |
Amazon WAF | AWS::WAFRegional::RuleGroup | WAF.3 |
Amazon WAF | AWS::WAFRegional::WebACL | WAF.4 |
Amazon WAF | AWS::WAFv2::RuleGroup | WAF.12 |
Amazon WAF | AWS::WAFv2::WebACL | WAF.10 |
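A practical way to use this table is to compare it against what the Amazon Config recorder in each Region actually records, so that a control that stays silent is recognised as a recording gap rather than a clean result. The following is an added example (not code from the Security Hub or Amazon Config documentation) that reads the JSON returned by `aws configservice describe-configuration-recorders` and lists the required resource types the recorder does not record, together with the controls that will therefore produce no findings. The recorder output is constructed for the example, the REQUIRED_RESOURCES map is a small subset of the table above, and the treatment of AWS::IAM::* types under the all-supported strategy (recorded only when includeGlobalResourceTypes is set) is the editor's reading of how Config handles global resource types.

```python
import json

# Subset of the table above: Config resource type -> Security Hub controls that depend on it.
# Extend with the remaining rows as needed.
REQUIRED_RESOURCES = {
    "AWS::EC2::SecurityGroup": ["EC2.2", "EC2.13", "EC2.14", "EC2.18", "EC2.19", "EC2.43"],
    "AWS::S3::Bucket": ["S3.2", "S3.3", "S3.5", "S3.6", "S3.7", "S3.8", "S3.9", "S3.10",
                        "S3.11", "S3.12", "S3.13", "S3.14", "S3.15", "S3.17", "S3.20"],
    "AWS::IAM::User": ["IAM.2", "IAM.18", "IAM.25", "KMS.2"],
    "AWS::RDS::DBInstance": ["RDS.2", "RDS.3", "RDS.5", "RDS.6", "RDS.8", "RDS.9", "RDS.10",
                             "RDS.11", "RDS.13", "RDS.17", "RDS.18", "RDS.23", "RDS.25", "RDS.30"],
    "AWS::Lambda::Function": ["Lambda.1", "Lambda.2", "Lambda.3", "Lambda.5", "Lambda.6"],
    "AWS::CloudTrail::Trail": ["CloudTrail.9"],
}

# Constructed sample of `aws configservice describe-configuration-recorders` output
# (account ID and recorder name are placeholders): a recorder that records only
# three explicitly listed resource types.
SAMPLE_RECORDERS_JSON = """
{
  "ConfigurationRecorders": [
    {
      "name": "default",
      "roleARN": "arn:aws:iam::111122223333:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig",
      "recordingGroup": {
        "allSupported": false,
        "includeGlobalResourceTypes": false,
        "resourceTypes": ["AWS::EC2::SecurityGroup", "AWS::S3::Bucket", "AWS::Lambda::Function"],
        "recordingStrategy": {"useOnly": "INCLUSION_BY_RESOURCE_TYPES"}
      }
    }
  ]
}
"""


def is_global_type(resource_type):
    """IAM resource types are global; Config records them in a Region only when asked to."""
    return resource_type.startswith("AWS::IAM::")


def recorded_required_types(recording_group, required=REQUIRED_RESOURCES):
    """Return the subset of `required` that this recording group actually records."""
    strategy = recording_group.get("recordingStrategy", {}).get("useOnly")
    if strategy is None:
        # Recorders created before recordingStrategy existed expose only the legacy fields.
        strategy = ("ALL_SUPPORTED_RESOURCE_TYPES" if recording_group.get("allSupported")
                    else "INCLUSION_BY_RESOURCE_TYPES")
    if strategy == "INCLUSION_BY_RESOURCE_TYPES":
        return set(required) & set(recording_group.get("resourceTypes", []))
    excluded = set()
    if strategy == "EXCLUSION_BY_RESOURCE_TYPES":
        # Assumption: with an exclusion list, everything not listed (globals included) is recorded.
        excluded = set(recording_group.get("exclusionByResourceTypes", {}).get("resourceTypes", []))
    elif not recording_group.get("includeGlobalResourceTypes", False):
        # All-supported without global recording: IAM types are not recorded in this Region.
        excluded = {rt for rt in required if is_global_type(rt)}
    return set(required) - excluded


def missing_required_types(recording_group, required=REQUIRED_RESOURCES):
    """Map each unrecorded required type to the controls that will produce no findings."""
    recorded = recorded_required_types(recording_group, required)
    return {rt: controls for rt, controls in required.items() if rt not in recorded}


def controls_without_findings(missing):
    """Flatten the missing map into a sorted list of affected control IDs."""
    return sorted({c for controls in missing.values() for c in controls})


def audit_recorders(describe_output_json, required=REQUIRED_RESOURCES):
    """Parse describe-configuration-recorders output; return {recorder name: missing map}."""
    data = json.loads(describe_output_json)
    return {rec["name"]: missing_required_types(rec.get("recordingGroup", {}), required)
            for rec in data.get("ConfigurationRecorders", [])}


if __name__ == "__main__":
    for name, missing in audit_recorders(SAMPLE_RECORDERS_JSON).items():
        print(f"recorder {name}: {len(missing)} required type(s) not recorded")
        for rt, controls in sorted(missing.items()):
            print(f"  {rt}: no findings for {' '.join(controls)}")
```

Run it per Region (`aws configservice describe-configuration-recorders --region ... > recorders.json` and feed the file to `audit_recorders`), since recorders are Regional and a control can be enabled in a Region whose recorder lists a different set of types. The calling identity needs `config:DescribeConfigurationRecorders`.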
Required resources for FSBP standard
For Security Hub to accurately report findings for enabled Amazon Foundational Security Best Practices (FSBP) change triggered controls that use an Amazon Config rule, you must record these resources in Amazon Config. For more information about this standard, see Amazon Foundational Security Best Practices (FSBP) standard.
Service | Required resources |
---|---|
Amazon API Gateway | |
Amazon AppSync | |
Amazon Backup | |
Amazon Certificate Manager (ACM) | |
Amazon CloudFront | |
Amazon CodeBuild | |
Amazon Database Migration Service (Amazon DMS) | |
Amazon DynamoDB | |
Amazon EC2 Systems Manager (SSM) | |
Amazon Elastic Compute Cloud (EC2) | |
Amazon EC2 Auto Scaling | |
Amazon Elastic Container Registry (Amazon ECR) | |
Amazon Elastic Container Service (Amazon ECS) | |
Amazon Elastic File System (Amazon EFS) | |
Amazon EKS | |
Amazon Elastic Beanstalk | |
Elastic Load Balancing | |
ElasticSearch | |
Amazon FSx | |
Amazon Identity and Access Management (IAM) | |
Amazon Key Management Service (Amazon KMS) | |
Amazon Kinesis | |
Amazon Lambda | |
Amazon MSK | |
Amazon Network Firewall | |
Amazon OpenSearch Service | |
Amazon Relational Database Service (Amazon RDS) | |
Amazon Redshift | |
Amazon Route 53 | |
Amazon Simple Storage Service (Amazon S3) | |
Amazon Simple Queue Service (Amazon SQS) | |
Amazon SageMaker | |
Amazon Secrets Manager | |
Amazon Step Functions | |
Amazon WAF | |
Required resources for CIS Amazon Foundations Benchmark
To run security checks for enabled controls that apply to the Center for Internet Security (CIS) Amazon Foundations Benchmark v1.2.0 and v1.4.0, Security Hub either runs through the exact audit steps prescribed for the checks in Securing Amazon Web Services
For more information about this standard, see Center for Internet Security (CIS) Amazon Foundations Benchmark v1.2.0 and v1.4.0.
Required resources for CIS v1.4.0
For Security Hub to accurately report findings for enabled CIS v1.4.0 change triggered controls that use an Amazon Config rule, you must record these resources in Amazon Config.
Service | Required resources |
---|---|
Amazon Elastic Compute Cloud (EC2) | |
Amazon Identity and Access Management (IAM) | |
Amazon Relational Database Service (Amazon RDS) | |
Amazon Simple Storage Service (Amazon S3) | |
Required resources for CIS v1.2.0
For Security Hub to accurately report findings for enabled CIS v1.2.0 change triggered controls that use an Amazon Config rule, you must record these resources in Amazon Config.
Service | Required resources |
---|---|
Amazon Elastic Compute Cloud (EC2) | |
Amazon Identity and Access Management (IAM) | |
Required resources for NIST SP 800-53 Rev. 5
For Security Hub to accurately report findings for enabled National Institute of Standards and Technology (NIST) SP 800-53 Rev. 5 change triggered controls that use an Amazon Config rule, you must record these resources in Amazon Config. You only have to record resources for controls that have a schedule type of change triggered. For more information about this standard, see National Institute of Standards and Technology (NIST) SP 800-53 Rev. 5.
Service | Required resources |
---|---|
Amazon API Gateway | |
Amazon AppSync | |
Amazon Backup | |
Amazon Certificate Manager (ACM) | |
Amazon CloudFront | |
Amazon CloudWatch | |
Amazon CodeBuild | |
Amazon Database Migration Service (Amazon DMS) | |
Amazon DynamoDB | |
Amazon Elastic Compute Cloud (EC2) | |
Amazon EC2 Auto Scaling | |
Amazon Elastic Container Registry (Amazon ECR) | |
Amazon Elastic Container Service (Amazon ECS) | |
Amazon Elastic File System (Amazon EFS) | |
Amazon EKS | |
Amazon Elastic Beanstalk | |
Elastic Load Balancing | |
ElasticSearch | |
Amazon EventBridge | |
Amazon FSx | |
Amazon Identity and Access Management (IAM) | |
Amazon Key Management Service (Amazon KMS) | |
Amazon Kinesis | |
Amazon Lambda | |
Amazon MSK | |
Amazon MQ | |
Amazon Network Firewall | |
Amazon OpenSearch Service | |
Amazon Relational Database Service (Amazon RDS) | |
Amazon Redshift | |
Amazon Route 53 | |
Amazon Simple Storage Service (Amazon S3) | |
Amazon Simple Notification Service (Amazon SNS) | |
Amazon Simple Queue Service (Amazon SQS) | |
Amazon EC2 Systems Manager (SSM) | |
Amazon SageMaker | |
Amazon Secrets Manager | |
Amazon WAF | |
Required resources for PCI DSS v3.2.1
For Security Hub to accurately report findings for enabled Payment Card Industry Data Security Standard (PCI DSS) controls that use an Amazon Config rule, you must record these resources in Amazon Config. For more information about this standard, see Payment Card Industry Data Security Standard (PCI DSS).
Service | Required resources |
---|---|
Amazon CodeBuild | |
Amazon Elastic Compute Cloud (EC2) | |
Amazon EC2 Auto Scaling | |
Amazon Identity and Access Management (IAM) | |
Amazon Lambda | |
Amazon OpenSearch Service | |
Amazon Relational Database Service (Amazon RDS) | |
Amazon Redshift | |
Amazon Simple Storage Service (Amazon S3) | |
Amazon EC2 Systems Manager (SSM) | |
Required resources for Amazon Resource Tagging Standard
All controls in the Amazon Resource Tagging Standard are change triggered and use an Amazon Config rule. For Security Hub to accurately report findings for these controls, you must record the following resources in Amazon Config. You only have to record resources for controls that have a schedule type of change triggered. For more information about this standard, see Amazon Resource Tagging Standard.
Service | Required resources |
---|---|
Amazon Certificate Manager (ACM) | |
Amazon AppSync | |
Amazon EC2 Auto Scaling | |
Amazon Athena | |
Amazon CloudFormation | |
Amazon CloudFront | |
Amazon CloudTrail | |
Amazon CodeArtifact | |
Amazon Detective | |
Amazon Database Migration Service (Amazon DMS) | |
Amazon DynamoDB | |
Amazon Elastic Compute Cloud (EC2) | |
Amazon Elastic Container Registry (Amazon ECR) | |
Amazon Elastic Container Service (Amazon ECS) | |
Amazon Elastic File System (Amazon EFS) | |
Amazon Elastic Kubernetes Service (Amazon EKS) | |
Amazon Elastic Beanstalk | |
ElasticSearch | |
Amazon EventBridge | |
Amazon Global Accelerator | |
Amazon Glue | |
Amazon GuardDuty | |
Amazon Identity and Access Management (IAM) | |
Amazon Identity and Access Management Access Analyzer (IAM Access Analyzer) | |
Amazon IoT | |
Amazon Kinesis | |
Amazon Lambda | |
Amazon MQ | |
Amazon Network Firewall | |
Amazon OpenSearch Service | |
Amazon Relational Database Service (Amazon RDS) | |
Amazon Redshift | |
Amazon Secrets Manager | |
Amazon Simple Email Service (Amazon SES) | |
Amazon Simple Notification Service (Amazon SNS) | |
Amazon Simple Queue Service (Amazon SQS) | |
Amazon Step Functions | |
Amazon Transfer Family | |
Required resources for Service-Managed Standard: Amazon Control Tower
For Security Hub to accurately report findings for enabled Service-Managed Standard: Amazon Control Tower change triggered controls that use an Amazon Config rule, you must record the following resources in Amazon Config. For more information about this standard, see Service-Managed Standard: Amazon Control Tower.
Service | Required resources |
---|---|
Amazon API Gateway | |
Amazon Certificate Manager (ACM) | |
Amazon CodeBuild | |
Amazon DynamoDB | |
Amazon Elastic Compute Cloud (EC2) | |
Amazon EC2 Auto Scaling | |
Amazon Elastic Container Registry (Amazon ECR) | |
Amazon Elastic Container Service (Amazon ECS) | |
Amazon Elastic File System (Amazon EFS) | |
Amazon EKS | |
Amazon Elastic Beanstalk | |
Elastic Load Balancing | |
ElasticSearch | |
Amazon Identity and Access Management (IAM) | |
Amazon Key Management Service (Amazon KMS) | |
Amazon Kinesis | |
Amazon Lambda | |
Amazon Network Firewall | |
Amazon OpenSearch Service | |
Amazon Relational Database Service (Amazon RDS) | |
Amazon Redshift | |
Amazon Simple Storage Service (Amazon S3) | |
Amazon Simple Queue Service (Amazon SQS) | |
Amazon EC2 Systems Manager (SSM) | |
Amazon Secrets Manager | |
Amazon WAF | |