Required resources for all Security Hub controls Required resources for the Amazon Foundational Security Best Practices standard Required resources for the CIS Amazon Foundations Benchmark Required resources for the NIST SP 800-53 Revision 5 standard Required resources for the NIST SP 800-171 Revision 2 standard Required resources for PCI DSS v3.2.1 Required resources for the Amazon Resource Tagging standard Required resources for the Amazon Control Tower service-managed standard

Required Amazon Config resources for Security Hub control findings

Some Amazon Security Hub controls use service-linked Amazon Config rules that detect configuration changes in your Amazon resources. For Security Hub to generate accurate findings for these controls, you must enable Amazon Config and turn on resource recording in Amazon Config. For information about how Security Hub uses Amazon Config rules and how to enable and configure Amazon Config, see Enabling and configuring Amazon Config for Security Hub. For detailed information about resource recording, see Working with the configuration recorder in the Amazon Config Developer Guide.

To receive accurate control findings, you must turn on Amazon Config resource recording for enabled controls with a change triggered schedule type. Some controls with a periodic schedule type also require resource recording. This page lists the required resources for these Security Hub controls.

Security Hub controls can rely on managed Amazon Config rules or custom Security Hub rules. Make sure there aren't any Amazon Identity and Access Management (IAM) policies or Amazon Organizations managed policies that prevent Amazon Config from having permission to record your resources. Security Hub controls evaluate resource configurations directly and don’t take Amazon Organizations policies into account.

Note

In Amazon Web Services Regions where a control isn't available, the corresponding resource isn't available in Amazon Config. For a list of these limits, see Regional limits on Security Hub controls.

Topics

Required resources for all Security Hub controls
Required resources for the Amazon Foundational Security Best Practices standard
Required resources for the CIS Amazon Foundations Benchmark
Required resources for the NIST SP 800-53 Revision 5 standard
Required resources for the NIST SP 800-171 Revision 2 standard
Required resources for PCI DSS v3.2.1
Required resources for the Amazon Resource Tagging standard
Required resources for the Amazon Control Tower service-managed standard

Required resources for all Security Hub controls

For Security Hub to generate findings for change triggered controls that are enabled and use an Amazon Config rule, you must record the following types of resources in Amazon Config. This table also indicates which controls evaluate a particular type of resource. A single control might evaluate more than one type of resource.

Amazon Web Services service	Resource types	Related controls
Amazon Amplify	`AWS::Amplify::App`	Amplify.1
Amazon Amplify	`AWS::Amplify::Branch`	Amplify.2
Amazon API Gateway	`AWS::ApiGateway::Stage`	APIGateway.1 APIGateway.2 APIGateway.3 APIGateway.4 APIGateway.5
Amazon API Gateway	`AWS::ApiGatewayV2::Stage`	APIGateway.1 APIGateway.9
Amazon AppConfig	`AWS::AppConfig::Application`	AppConfig.1
	`AWS::AppConfig::ConfigurationProfile`	AppConfig.2
	`AWS::AppConfig::Environment`	AppConfig.3
	`AWS::AppConfig::ExtensionAssociation`	AppConfig.4
Amazon AppFlow	`AWS::AppFlow::Flow`	AppFlow.1
Amazon App Runner	`AWS::AppRunner::Service`	AppRunner.1
Amazon App Runner	`AWS::AppRunner::VpcConnector`	AppRunner.2
Amazon AppSync	`AWS::AppSync::GraphQLApi`	AppSync.2 AppSync.4 AppSync.5
Amazon AppSync	`AWS::AppSync::ApiCache`	AppSync.1 AppSync.6
Amazon Backup	`AWS::Backup::BackupPlan`	Backup.5
	`AWS::Backup::BackupVault`	Backup.3
	`AWS::Backup::RecoveryPoint`	Backup.1 Backup.2
	`AWS::Backup::ReportPlan`	Backup.4
Amazon Batch	`AWS::Batch::ComputeEnvironment`	Batch.3 Batch.4
	`AWS::Batch::JobQueue`	Batch.1
	`AWS::Batch::SchedulingPolicy`	Batch.2
Amazon Certificate Manager (ACM)	`AWS::ACM::Certificate`	ACM.1 ACM.2 ACM.3
Amazon Athena	`AWS::Athena::DataCatalog`	Athena.2
Amazon Athena	`AWS::Athena::WorkGroup`	Athena.3 Athena.4
Amazon CloudFormation	`AWS::CloudFormation::Stack`	CloudFormation.2
Amazon CloudFront	`AWS::CloudFront::Distribution`	CloudFront.1 CloudFront.3 CloudFront.4 CloudFront.5 CloudFront.6 CloudFront.7 CloudFront.8 CloudFront.9 CloudFront.10 CloudFront.13 CloudFront.14
Amazon CloudTrail	`AWS::CloudTrail::Trail`	CloudTrail.9
Amazon CloudWatch	`AWS::CloudWatch::Alarm`	CloudWatch.15 CloudWatch.17
Amazon CodeArtifact	`AWS::CodeArtifact::Repository`	CodeArtifact.1
Amazon CodeBuild	`AWS::CodeBuild::Project`	CodeBuild.1 CodeBuild.2 CodeBuild.3 CodeBuild.4
Amazon CodeBuild	`AWS::CodeBuild::ReportGroup`	CodeBuild.7
Amazon CodeGuru Profiler	`AWS::CodeGuruProfiler::ProfilingGroup`	CodeGuruProfiler.1
Amazon CodeGuru Reviewer	`AWS::CodeGuruReviewer::RepositoryAssociation`	CodeGuruReviewer.1
Amazon Cognito	`AWS::Cognito::UserPool`	Cognito.1
Amazon Connect	`AWS::CustomerProfiles::ObjectType`	Connect.1
Amazon Connect	`AWS::Connect::Instance`	Connect.2
Amazon DataSync	`AWS::DataSync::Task`	DataSync.1 DataSync.2
Amazon Detective	`AWS::Detective::Graph`	Detective.1
Amazon Database Migration Service (Amazon DMS)	`AWS::DMS::Certificate`	DMS.2
	`AWS::DMS::Endpoint`	DMS.9 DMS.10 DMS.11 DMS.12
	`AWS::DMS::EventSubscription`	DMS.3
	`AWS::DMS::ReplicationInstance`	DMS.4 DMS.6
	`AWS::DMS::ReplicationSubnetGroup`	DMS.5
	`AWS::DMS::ReplicationTask`	DMS.7 DMS.8
Amazon DynamoDB	`AWS::DynamoDB::Table`	DynamoDB.1 DynamoDB.2 DynamoDB.5 DynamoDB.6
Amazon Elastic Compute Cloud (EC2)	`AWS::EC2::ClientVpnEndpoint`	EC2.51
	`AWS::EC2::CustomerGateway`	EC2.36
	`AWS::EC2::DHCPOptions`	EC2.174
	`AWS::EC2::EIP`	EC2.12 EC2.37
	`AWS::EC2::FlowLog`	EC2.48
	`AWS::EC2::Instance`	EC2.4 EC2.8 EC2.9 EC2.17 EC2.24 EC2.38 EMR.1 SSM.1
	`AWS::EC2::InternetGateway`	EC2.39
	`AWS::EC2::LaunchTemplate`	EC2.25 EC2.170 EC2.175
	`AWS::EC2::NatGateway`	EC2.40
	`AWS::EC2::NetworkAcl`	EC2.16 EC2.21 EC2.41
	`AWS::EC2::NetworkInterface`	EC2.22 EC2.35
	`AWS::EC2::PrefixList`	EC2.176
	`AWS::EC2::RouteTable`	EC2.42
	`AWS::EC2::SecurityGroup`	EC2.2 EC2.13 EC2.14 EC2.18 EC2.19 EC2.43
	`AWS::EC2::SpotFleet`	EC2.173
	`AWS::EC2::Subnet`	EC2.15 EC2.44 ElastiCache.7
	`AWS::EC2::TrafficMirrorFilter`	EC2.178
	`AWS::EC2::TrafficMirrorSession`	EC2.177
	`AWS::EC2::TrafficMirrorTarget`	EC2.179
	`AWS::EC2::TransitGateway`	EC2.23 EC2.52
	`AWS::EC2::TransitGatewayAttachment`	EC2.33
	`AWS::EC2::TransitGatewayRouteTable`	EC2.34
	`AWS::EC2::Volume`	EC2.3 EC2.45
	`AWS::EC2::VPC`	EC2.6 EC2.46
	`AWS::EC2::VPCBlockPublicAccessOptions`	EC2.172
	`AWS::EC2::VPCEndpointService`	EC2.47
	`AWS::EC2::VPCPeeringConnection`	EC2.49
	`AWS::EC2::VPNConnection`	EC2.20 EC2.171
	`AWS::EC2::VPNGateway`	EC2.50
Amazon EC2 Auto Scaling	`AWS::AutoScaling::AutoScalingGroup`	AutoScaling.1 AutoScaling.2 AutoScaling.6 AutoScaling.9 AutoScaling.10
Amazon EC2 Auto Scaling	`AWS::AutoScaling::LaunchConfiguration`	AutoScaling.3 Autoscaling.5
Amazon EC2 Systems Manager (SSM)	`AWS::SSM::AssociationCompliance`	SSM.3
	`AWS::SSM::ManagedInstanceInventory`	SSM.1
	`AWS::SSM::PatchCompliance`	SSM.2
Amazon Elastic Container Registry (Amazon ECR)	`AWS::ECR::PublicRepository`	ECR.4
Amazon Elastic Container Registry (Amazon ECR)	`AWS::ECR::Repository`	ECR.2 ECR.3 ECR.5
Amazon Elastic Container Service (Amazon ECS)	`AWS::ECS::Cluster`	ECS.12 ECS.14
	`AWS::ECS::Service`	ECS.2 ECS.10 ECS.13
	`AWS::ECS::TaskDefinition`	ECS.1 ECS.3 ECS.4 ECS.5 ECS.8 ECS.9 ECS.15 ECS.17
	`AWS::ECS::TaskSet`	ECS.16
Amazon Elastic File System (Amazon EFS)	`AWS::EFS::AccessPoint`	EFS.3 EFS.4 EFS.5
Amazon Elastic File System (Amazon EFS)	`AWS::EFS::FileSystem`	EFS.7 EFS.8
Amazon Elastic Kubernetes Service (Amazon EKS)	`AWS::EKS::Cluster`	EKS.2 EKS.6 EKS.8
Amazon Elastic Kubernetes Service (Amazon EKS)	`AWS::EKS::IdentityProviderConfig`	EKS.7
Amazon Elastic Beanstalk	`AWS::ElasticBeanstalk::Environment`	ElasticBeanstalk.1 ElasticBeanstalk.2 ElasticBeanstalk.3
Elastic Load Balancing	`AWS::ElasticLoadBalancing::LoadBalancer`	ELB.2 ELB.3 ELB.5 ELB.7 ELB.8 ELB.9 ELB.10 ELB.14
	`AWS::ElasticLoadBalancingV2::Listener`	ELB.17
	`AWS::ElasticLoadBalancingV2::LoadBalancer`	ELB.1 ELB.4 ELB.5 ELB.6 ELB.12 ELB.13 ELB.16
ElasticSearch	`AWS::Elasticsearch::Domain`	ES.3 ES.4 ES.5 ES.6 ES.7 ES.8 ES.9
Amazon EMR	`AWS::EMR::SecurityConfiguration`	EMR.3 EMR.4
Amazon EventBridge	`AWS::Events::EventBus`	EventBridge.2 EventBridge.3
Amazon EventBridge	`AWS::Events::Endpoint`	EventBridge.4
Amazon Fraud Detector	`AWS::FraudDetector::EntityType`	FraudDetector.1
	`AWS::FraudDetector::Label`	FraudDetector.2
	`AWS::FraudDetector::Outcome`	FraudDetector.3
	`AWS::FraudDetector::Variable`	FraudDetector.4
Amazon Global Accelerator	`AWS::GlobalAccelerator::Accelerator`	GlobalAccelerator.1
Amazon Glue	`AWS::Glue::Job`	Glue.1 Glue.4
Amazon Glue	`AWS::Glue::MLTransform`	Glue.3
Amazon GuardDuty	`AWS::GuardDuty::Detector`	GuardDuty.4
	`AWS::GuardDuty::Filter`	GuardDuty.2
	`AWS::GuardDuty::IPSet`	GuardDuty.3
Amazon Identity and Access Management (IAM)	`AWS::IAM::Group`	IAM.27 KMS.2
	`AWS::IAM::Policy`	IAM.1 IAM.21 KMS.1
	`AWS::IAM::Role`	IAM.24 IAM.27 KMS.2
	`AWS::IAM::User`	IAM.2 IAM.3 IAM.5 IAM.8 IAM.19 IAM.22 IAM.25 IAM.27 KMS.2
Amazon Identity and Access Management Access Analyzer	`AWS::AccessAnalyzer::Analyzer`	IAM.23
Amazon Interactive Video Service (Amazon IVS)	`AWS::IVS::PlaybackKeyPair`	IVS.1
	`AWS::IVS::RecordingConfiguration`	IVS.2
	`AWS::IVS::Channel`	IVS.3
Amazon IoT	`AWS::IoT::Authorizer`	IoT.4
	`AWS::IoT::Dimension`	IoT.3
	`AWS::IoT::MitigationAction`	IoT.2
	`AWS::IoT::Policy`	IoT.6
	`AWS::IoT::RoleAlias`	IoT.5
	`AWS::IoT::SecurityProfile`	IoT.1
Amazon IoT Events	`AWS::IoTEvents::AlarmModel`	IoTEvents.3
	`AWS::IoTEvents::DetectorModel`	IoTEvents.2
	`AWS::IoTEvents::Input`	IoTEvents.1
Amazon IoT SiteWise	`AWS::IoTSiteWise::AssetModel`	IoTSiteWise.1
	`AWS::IoTSiteWise::Dashboard`	IoTSiteWise.2
	`AWS::IoTSiteWise::Gateway`	IoTSiteWise.3
	`AWS::IoTSiteWise::Portal`	IoTSiteWise.4
	`AWS::IoTSiteWise::Project`	IoTSiteWise.5
Amazon IoT TwinMaker	`AWS::IoTTwinMaker::Entity`	IoTTwinMaker.4
	`AWS::IoTTwinMaker::Scene`	IoTTwinMaker.3
	`AWS::IoTTwinMaker::SyncJob`	IoTTwinMaker.1
	`AWS::IoTTwinMaker::Workspace`	IoTTwinMaker.2
Amazon IoT Wireless	`AWS::IoTWireless::MulticastGroup`	IoTWireless.1
	`AWS::IoTWireless::ServiceProfile`	IoTWireless.2
	`AWS::IoTWireless::FuotaTask`	IoTWireless.3
Amazon Keyspaces (for Apache Cassandra)	`AWS::Cassandra::Keyspace`	Keyspaces.1
Amazon Kinesis	`AWS::Kinesis::Stream`	Kinesis.1 Kinesis.2 Kinesis.3
Amazon Key Management Service (Amazon KMS)	`AWS::KMS::Alias`	S3.17
Amazon Key Management Service (Amazon KMS)	`AWS::KMS::Key`	KMS.3 KMS.5 S3.17
Amazon Lambda	`AWS::Lambda::Function`	Lambda.1 Lambda.2 Lambda.3 Lambda.5 Lambda.6
Amazon MSK	`AWS::MSK::Cluster`	MSK.1 MSK.2
Amazon MSK	`AWS::KafkaConnect::Connector`	MSK.3
Amazon MQ	`AWS::AmazonMQ::Broker`	MQ.2 MQ.3 MQ.4 MQ.5 MQ.6
Amazon Network Firewall	`AWS::NetworkFirewall::Firewall`	NetworkFirewall.1 NetworkFirewall.7 NetworkFirewall.9 NetworkFirewall.10
	`AWS::NetworkFirewall::FirewallPolicy`	NetworkFirewall.3 NetworkFirewall.4 NetworkFirewall.5 NetworkFirewall.8
	`AWS::NetworkFirewall::RuleGroup`	NetworkFirewall.6
Amazon OpenSearch Service	`AWS::OpenSearch::Domain`	Opensearch.1 Opensearch.2 Opensearch.3 Opensearch.4 Opensearch.5 Opensearch.6 Opensearch.7 Opensearch.8 Opensearch.9 Opensearch.10 Opensearch.11
Amazon Private CA	`AWS::ACMPCA::CertificateAuthority`	PCA.2
Amazon Relational Database Service (Amazon RDS)	`AWS::RDS::DBCluster`	DocumentDB.1 DocumentDB.2 DocumentDB.4 DocumentDB.5 Neptune.1 Neptune.2 Neptune.4 Neptune.5 Neptune.7 Neptune.8 Neptune.9 RDS.7 RDS.12 RDS.14 RDS.15 RDS.16 RDS.24 RDS.27 RDS.28 RDS.34 RDS.35 RDS.37
	`AWS::RDS::DBClusterSnapshot`	DocumentDB.3 Neptune.3 Neptune.6 RDS.1 RDS.4 RDS.29
	`AWS::RDS::DBInstance`	RDS.2 RDS.3 RDS.5 RDS.6 RDS.8 RDS.9 RDS.10 RDS.11 RDS.13 RDS.17 RDS.18 RDS.23 RDS.25 RDS.30 RDS.36 RDS.40
	`AWS::RDS::DBSecurityGroup`	RDS.31
	`AWS::RDS::DBSnapshot`	RDS.1 RDS.4 RDS.32
	`AWS::RDS::DBSubnetGroup`	RDS.33
	`AWS::RDS::EventSubscription`	RDS.19 RDS.20 RDS.21 RDS.22
Amazon Redshift	`AWS::Redshift::Cluster`	Redshift.1 Redshift.2 Redshift.3 Redshift.4 Redshift.6 Redshift.7 Redshift.8 Redshift.9 Redshift.10 Redshift.11
	`AWS::Redshift::ClusterParameterGroup`	Redshift.2 Redshift.17
	`AWS::Redshift::ClusterSnapshot`	Redshift.13
	`AWS::Redshift::ClusterSubnetGroup`	Redshift.14 Redshift.16
	`AWS::Redshift::EventSubscription`	Redshift.12
Amazon Route 53	`AWS::Route53::HostedZone`	Route53.2
Amazon Route 53	`AWS::Route53::HealthCheck`	Route53.1
Amazon Simple Storage Service (Amazon S3)	`AWS::S3::AccessPoint`	S3.19
	`AWS::S3::AccountPublicAccessBlock`	S3.2 S3.3
	`AWS::S3::Bucket`	CloudTrail.6 CloudTrail.7 S3.2 S3.3 S3.5 S3.6 S3.7 S3.8 S3.9 S3.10 S3.11 S3.12 S3.13 S3.14 S3.15 S3.17 S3.20
	`AWS::S3::MultiRegionAccessPoint`	S3.24
Amazon SageMaker AI	`AWS::SageMaker::AppImageConfig`	SageMaker.6
	`AWS::SageMaker::Image`	SageMaker.7
	`AWS::SageMaker::Model`	SageMaker.5
	`AWS::SageMaker::NotebookInstance`	SageMaker.2 SageMaker.3
Amazon Secrets Manager	`AWS::SecretsManager::Secret`	SecretsManager.1 SecretsManager.2 SecretsManager.5
Amazon Service Catalog	`AWS::ServiceCatalog::Portfolio`	ServiceCatalog.1
Amazon Simple Email Service (Amazon SES)	`AWS::SES::ConfigurationSet`	SES.2
Amazon Simple Email Service (Amazon SES)	`AWS::SES::ContactList`	SES.1
Amazon Simple Notification Service (Amazon SNS)	`AWS::SNS::Topic`	SNS.1 SNS.3 SNS.4
Amazon Simple Queue Service (Amazon SQS)	`AWS::SQS::Queue`	SQS.1 SQS.2 SQS.3
Amazon Step Functions	`AWS::StepFunctions::StateMachine`	StepFunctions.1
Amazon Step Functions	`AWS::StepFunctions::Activity`	StepFunctions.2
Amazon Systems Manager (SSM)	`AWS::SSM::Document`	SSM.5
Amazon Transfer Family	`AWS::Transfer::Agreement`	Transfer.4
	`AWS::Transfer::Certificate`	Transfer.5
	`AWS::Transfer::Connector`	Transfer.3 Transfer.6
	`AWS::Transfer::Profile`	Transfer.7
	`AWS::Transfer::Workflow`	Transfer.1
Amazon WAF	`AWS::WAF::Rule`	WAF.6
	`AWS::WAF::RuleGroup`	WAF.7
	`AWS::WAF::WebACL`	WAF.1 WAF.8
	`AWS::WAFRegional::Rule`	WAF.2
	`AWS::WAFRegional::RuleGroup`	WAF.3
	`AWS::WAFRegional::WebACL`	WAF.4
	`AWS::WAFv2::RuleGroup`	WAF.12
	`AWS::WAFv2::WebACL`	WAF.10 WAF.11
Amazon WorkSpaces	`AWS::WorkSpaces::WorkSpace`	WorkSpaces.1 WorkSpaces.2

Required resources for the Amazon Foundational Security Best Practices standard

For Security Hub to accurately report findings for change triggered controls that apply to the Amazon Foundational Security Best Practices standard (v.1.0.0), are enabled, and use an Amazon Config rule, you must record the following types of resources in Amazon Config. For information about this standard, see Amazon Foundational Security Best Practices standard in Security Hub.

Amazon Web Services service	Resource types
Amazon API Gateway	`AWS::ApiGateway::Stage`, `AWS::ApiGatewayV2::Stage`
Amazon AppSync	`AWS::AppSync::ApiCache`, `AWS::AppSync::GraphQLApi`
Amazon Backup	`AWS::Backup::RecoveryPoint`
Amazon Certificate Manager (ACM)	`AWS::ACM::Certificate`
Amazon CloudFormation	`AWS::CloudFormation::Stack`
Amazon CloudFront	`AWS::CloudFront::Distribution`
Amazon CodeBuild	`AWS::CodeBuild::Project`, `AWS::CodeBuild::ReportGroup`
Amazon Cognito	`AWS::Cognito::UserPool`
Amazon Connect	`AWS::Connect::Instance`
Amazon DataSync	`AWS::DataSync::Task`
Amazon Database Migration Service (Amazon DMS)	`AWS::DMS::Endpoint`, `AWS::DMS::ReplicationInstance`, `AWS::DMS::ReplicationTask`
Amazon DynamoDB	`AWS::DynamoDB::Table`
Amazon EC2 Systems Manager (SSM)	`AWS::SSM::AssociationCompliance`, `AWS::SSM::ManagedInstanceInventory`, `AWS::SSM::PatchCompliance`
Amazon Elastic Compute Cloud (Amazon EC2)	`AWS::EC2::ClientVpnEndpoint`, `AWS::EC2::Instance`, `AWS::EC2::LaunchTemplate`, `AWS::EC2::NetworkAcl`, `AWS::EC2::NetworkInterface`, `AWS::EC2::SecurityGroup`, `AWS::EC2::SpotFleet`, `AWS::EC2::Subnet`, `AWS::EC2::TransitGateway`, `AWS::EC2::VPCBlockPublicAccessOptions`, `AWS::EC2::VPNConnection`, `AWS::EC2::Volume`
Amazon EC2 Auto Scaling	`AWS::AutoScaling::AutoScalingGroup`, `AWS::AutoScaling::LaunchConfiguration`
Amazon Elastic Container Registry (Amazon ECR)	`AWS::ECR::Repository`
Amazon Elastic Container Service (Amazon ECS)	`AWS::ECS::Cluster`, `AWS::ECS::Service`, `AWS::ECS::TaskDefinition`, `AWS::ECS::TaskSet`
Amazon Elastic File System (Amazon EFS)	`AWS::EFS::AccessPoint`, `AWS::EFS::FileSystem`
Amazon Elastic Kubernetes Service (Amazon EKS)	`AWS::EKS::Cluster`
Amazon Elastic Beanstalk	`AWS::ElasticBeanstalk::Environment`
Elastic Load Balancing	`AWS::ElasticLoadBalancing::LoadBalancer`, `AWS::ElasticLoadBalancingV2::Listener`, `AWS::ElasticLoadBalancingV2::LoadBalancer`
ElasticSearch	`AWS::Elasticsearch::Domain`
Amazon EMR	`AWS::EMR::SecurityConfiguration`
Amazon Glue	`AWS::Glue::Job`, `AWS::Glue::MLTransform`
Amazon Identity and Access Management (IAM)	`AWS::IAM::Group`, `AWS::IAM::Policy`, `AWS::IAM::Role`, `AWS::IAM::User`
Amazon Kinesis	`AWS::Kinesis::Stream`
Amazon Key Management Service (Amazon KMS)	`AWS::KMS::Key`
Amazon Lambda	`AWS::Lambda::Function`
Amazon Managed Streaming for Apache Kafka (Amazon MSK)	`AWS::MSK::Cluster`, `AWS::KafkaConnect::Connector`
Amazon Network Firewall	`AWS::NetworkFirewall::Firewall`, `AWS::NetworkFirewall::FirewallPolicy`, `AWS::NetworkFirewall::RuleGroup`
Amazon OpenSearch Service	`AWS::OpenSearch::Domain`
Amazon Relational Database Service (Amazon RDS)	`AWS::RDS::DBCluster`, `AWS::RDS::DBClusterSnapshot`, `AWS::RDS::DBInstance`, `AWS::RDS::DBProxy`, `AWS::RDS::DBSnapshot`, `AWS::RDS::EventSubscription`
Amazon Redshift	`AWS::Redshift::Cluster`, `AWS::Redshift::ClusterSubnetGroup`
Amazon Redshift Serverless	`AWS::RedshiftServerless::Workgroup`
Amazon Route 53	`AWS::Route53::HostedZone`
Amazon Simple Storage Service (Amazon S3)	`AWS::S3::AccessPoint`, `AWS::S3::AccountPublicAccessBlock`, `AWS::S3::Bucket`, `AWS::S3::MultiRegionAccessPoint`
Amazon SageMaker AI	`AWS::SageMaker::Model`, `AWS::SageMaker::NotebookInstance`
Amazon Simple Notification Service (Amazon SNS)	`AWS::SNS::Topic`
Amazon Simple Queue Service (Amazon SQS)	`AWS::SQS::Queue`
Amazon Secrets Manager	`AWS::SecretsManager::Secret`
Amazon Step Functions	`AWS::StepFunctions::StateMachine`
Amazon Transfer Family	`AWS::Transfer::Connector`
Amazon WAF	`AWS::WAF::Rule`, `AWS::WAF::RuleGroup`, `AWS::WAF::WebACL`, `AWS::WAFRegional::Rule`, `AWS::WAFRegional::RuleGroup`, `AWS::WAFRegional::WebACL`, `AWS::WAFv2::RuleGroup`, `AWS::WAFv2::WebACL`
Amazon WorkSpaces	`AWS::WorkSpaces::WorkSpace`

Required resources for the CIS Amazon Foundations Benchmark

To run security checks for enabled controls that apply to the Center for Internet Security (CIS) Amazon Foundations Benchmark, Security Hub either runs through the exact audit steps prescribed for the checks or uses specific Amazon Config managed rules. For information about this standard in Security Hub, see CIS Amazon Foundations Benchmark in Security Hub.

Required resources for CIS v3.0.0

For Security Hub to accurately report findings for enabled CIS v3.0.0 change triggered controls that use an Amazon Config rule, you must record the following types of resources in Amazon Config.

Amazon Web Services service	Resource types
Amazon Elastic Compute Cloud (Amazon EC2)	`AWS::EC2::Instance`, `AWS::EC2::NetworkAcl`, `AWS::EC2::SecurityGroup`
Amazon Identity and Access Management (IAM)	`AWS::IAM::Group`, `AWS::IAM::User`, `AWS::IAM::Role`
Amazon Relational Database Service (Amazon RDS)	`AWS::RDS::DBInstance`
Amazon Simple Storage Service (Amazon S3)	`AWS::S3::Bucket`

Required resources for CIS v1.4.0

For Security Hub to accurately report findings for enabled CIS v1.4.0 change triggered controls that use an Amazon Config rule, you must record the following types of resources in Amazon Config.

Amazon Web Services service	Resource types
Amazon Elastic Compute Cloud (Amazon EC2)	`AWS::EC2::NetworkAcl`, `AWS::EC2::SecurityGroup`
Amazon Identity and Access Management (IAM)	`AWS::IAM::Policy`, `AWS::IAM::User`
Amazon Relational Database Service (Amazon RDS)	`AWS::RDS::DBInstance`
Amazon Simple Storage Service (Amazon S3)	`AWS::S3::Bucket`

Required resources for CIS v1.2.0

For Security Hub to accurately report findings for enabled CIS v1.2.0 change triggered controls that use an Amazon Config rule, you must record the following types of resources in Amazon Config.

Amazon Web Services service	Resource types
Amazon Elastic Compute Cloud (Amazon EC2)	`AWS::EC2::SecurityGroup`
Amazon Identity and Access Management (IAM)	`AWS::IAM::Policy`, `AWS::IAM::User`

Required resources for the NIST SP 800-53 Revision 5 standard

For Security Hub to accurately report findings for change triggered controls that apply to the NIST SP 800-53 Revision 5 standard, are enabled, and use an Amazon Config rule, you must record the following types of resources in Amazon Config. For information about this standard, see NIST SP 800-53 Revision 5 in Security Hub.

Amazon Web Services service	Resource types
Amazon API Gateway	`AWS::ApiGateway::Stage`, `AWS::ApiGatewayV2::Stage`
Amazon AppSync	`AWS::AppSync::GraphQLApi`
Amazon Backup	`AWS::Backup::RecoveryPoint`
Amazon Certificate Manager (ACM)	`AWS::ACM::Certificate`
Amazon CloudFormation	`AWS::CloudFormation::Stack`
Amazon CloudFront	`AWS::CloudFront::Distribution`
Amazon CloudWatch	`AWS::CloudWatch::Alarm`
Amazon CodeBuild	`AWS::CodeBuild::Project`
Amazon Database Migration Service (Amazon DMS)	`AWS::DMS::Endpoint`, `AWS::DMS::ReplicationInstance`, `AWS::DMS::ReplicationTask`
Amazon DynamoDB	`AWS::DynamoDB::Table`
Amazon Elastic Compute Cloud (Amazon EC2)	`AWS::EC2::ClientVpnEndpoint`, `AWS::EC2::EIP`, `AWS::EC2::Instance`, `AWS::EC2::LaunchTemplate`, `AWS::EC2::NetworkAcl`, `AWS::EC2::NetworkInterface`, `AWS::EC2::SecurityGroup`, `AWS::EC2::Subnet`, `AWS::EC2::TransitGateway`, `AWS::EC2::VPNConnection`, `AWS::EC2::Volume`
Amazon EC2 Auto Scaling	`AWS::AutoScaling::AutoScalingGroup`, `AWS::AutoScaling::LaunchConfiguration`
Amazon Elastic Container Registry (Amazon ECR)	`AWS::ECR::Repository`
Amazon Elastic Container Service (Amazon ECS)	`AWS::ECS::Cluster`, `AWS::ECS::Service`, `AWS::ECS::TaskDefinition`
Amazon Elastic File System (Amazon EFS)	`AWS::EFS::AccessPoint`
Amazon Elastic Kubernetes Service (Amazon EKS)	`AWS::EKS::Cluster`
Amazon Elastic Beanstalk	`AWS::ElasticBeanstalk::Environment`
Elastic Load Balancing	`AWS::ElasticLoadBalancing::LoadBalancer`, `AWS::ElasticLoadBalancingV2::Listener`, `AWS::ElasticLoadBalancingV2::LoadBalancer`
Amazon ElasticSearch	`AWS::Elasticsearch::Domain`
Amazon EMR	`AWS::EMR::SecurityConfiguration`
Amazon EventBridge	`AWS::Events::Endpoint`, `AWS::Events::EventBus`
Amazon Glue	`AWS::Glue::Job`
Amazon Identity and Access Management (IAM)	`AWS::IAM::Group`, `AWS::IAM::Policy`, `AWS::IAM::Role`, `AWS::IAM::User`
Amazon Key Management Service (Amazon KMS)	`AWS::KMS::Alias`, `AWS::KMS::Key`
Amazon Kinesis	`AWS::Kinesis::Stream`
Amazon Lambda	`AWS::Lambda::Function`
Amazon Managed Streaming for Apache Kafka (Amazon MSK)	`AWS::MSK::Cluster`
Amazon MQ	`AWS::AmazonMQ::Broker`
Amazon Network Firewall	`AWS::NetworkFirewall::Firewall`, `AWS::NetworkFirewall::FirewallPolicy`, `AWS::NetworkFirewall::RuleGroup`
Amazon OpenSearch Service	`AWS::OpenSearch::Domain`
Amazon Relational Database Service (Amazon RDS)	`AWS::RDS::DBCluster`, `AWS::RDS::DBClusterSnapshot`, `AWS::RDS::DBInstance`, `AWS::RDS::DBSnapshot`, `AWS::RDS::EventSubscription`
Amazon Redshift	`AWS::Redshift::Cluster`, `AWS::Redshift::ClusterSubnetGroup`
Amazon Route 53	`AWS::Route53::HostedZone`
Amazon Simple Storage Service (Amazon S3)	`AWS::S3::AccessPoint`, `AWS::S3::AccountPublicAccessBlock`, `AWS::S3::Bucket`
Amazon Service Catalog	`AWS::ServiceCatalog::Portfolio`
Amazon Simple Notification Service (Amazon SNS)	`AWS::SNS::Topic`
Amazon Simple Queue Service (Amazon SQS)	`AWS::SQS::Queue`
Amazon EC2 Systems Manager (SSM)	`AWS::SSM::AssociationCompliance`, `AWS::SSM::ManagedInstanceInventory`, `AWS::SSM::PatchCompliance`
Amazon SageMaker AI	`AWS::SageMaker::NotebookInstance`
Amazon Secrets Manager	`AWS::SecretsManager::Secret`
Amazon Transfer Family	`AWS::Transfer::Connector`
Amazon WAF	`AWS::WAF::Rule`, `AWS::WAF::RuleGroup`, `AWS::WAF::WebACL`, `AWS::WAFRegional::Rule`, `AWS::WAFRegional::RuleGroup`, `AWS::WAFRegional::WebACL`, `AWS::WAFv2::RuleGroup`, `AWS::WAFv2::WebACL`

Required resources for the NIST SP 800-171 Revision 2 standard

For Security Hub to accurately report findings for change triggered controls that apply to the NIST SP 800-171 Revision 2 standard, are enabled, and use an Amazon Config rule, you must record the following types of resources in Amazon Config. For information about this standard, see NIST SP 800-171 Revision 2 in Security Hub.

Amazon Web Services service	Resource types
Amazon Certificate Manager (ACM)	`AWS::ACM::Certificate`
Amazon API Gateway	`AWS::ApiGateway::Stage`
Amazon CloudFront	`AWS::CloudFront::Distribution`
Amazon CloudWatch	`AWS::CloudWatch::Alarm`
Amazon Elastic Compute Cloud (Amazon EC2)	`AWS::EC2::ClientVpnEndpoint`, `AWS::EC2::NetworkAcl`, `AWS::EC2::SecurityGroup`, `AWS::EC2::VPC`, `AWS::EC2::VPNConnection`
Elastic Load Balancing	`AWS::ElasticLoadBalancing::LoadBalancer`
Amazon Identity and Access Management (IAM)	`AWS::IAM::Policy`, `AWS::IAM::User`
Amazon Key Management Service (Amazon KMS)	`AWS::KMS::Alias`, `AWS::KMS::Key`
Amazon Network Firewall	`AWS::NetworkFirewall::FirewallPolicy`, `AWS::NetworkFirewall::RuleGroup`
Amazon Simple Storage Service (Amazon S3)	`AWS::S3::Bucket`
Amazon Simple Notification Service (Amazon SNS)	`AWS::SNS::Topic`
Amazon Systems Manager (SSM)	`AWS::SSM::PatchCompliance`
Amazon WAF	`AWS::WAFv2::RuleGroup`

Required resources for PCI DSS v3.2.1

For Security Hub to accurately report findings for controls that apply to v3.2.1 of the Payment Card Industry Data Security Standard (PCI DSS), are enabled, and use an Amazon Config rule, you must record the following types of resources in Amazon Config. For information about this standard, see PCI DSS in Security Hub.

Amazon Web Services service	Resource types
Amazon CodeBuild	`AWS::CodeBuild::Project`
Amazon Elastic Compute Cloud (Amazon EC2)	`AWS::EC2::EIP`, `AWS::EC2::Instance`, `AWS::EC2::SecurityGroup`
Amazon EC2 Auto Scaling	`AWS::AutoScaling::AutoScalingGroup`
Amazon Identity and Access Management (IAM)	`AWS::IAM::Policy`, `AWS::IAM::User`
Amazon Lambda	`AWS::Lambda::Function`
Amazon OpenSearch Service	`AWS::OpenSearch::Domain`
Amazon Relational Database Service (Amazon RDS)	`AWS::RDS::DBClusterSnapshot`, `AWS::RDS::DBInstance`, `AWS::RDS::DBSnapshot`
Amazon Redshift	`AWS::Redshift::Cluster`
Amazon Simple Storage Service (Amazon S3)	`AWS::S3::AccountPublicAccessBlock`, `AWS::S3::Bucket`
Amazon EC2 Systems Manager (SSM)	`AWS::SSM::AssociationCompliance`, `AWS::SSM::ManagedInstanceInventory`, `AWS::SSM::PatchCompliance`

Required resources for the Amazon Resource Tagging standard

All the controls that apply to the Amazon Resource Tagging standard are change triggered and use an Amazon Config rule. For Security Hub to accurately report findings for these controls, you must record the following types of resources in Amazon Config. For information about this standard, see Amazon Resource Tagging standard in Security Hub.

Amazon Web Services service	Resource types
Amazon Amplify	`AWS::Amplify::App`, `AWS::Amplify::Branch`
Amazon AppFlow	`AWS::AppFlow::Flow`
Amazon App Runner	`AWS::AppRunner::Service`, `AWS::AppRunner::VpcConnector`
Amazon AppConfig	`AWS::AppConfig::Application`, `AWS::AppConfig::ConfigurationProfile`, `AWS::AppConfig::Environment`, `AWS::AppConfig::ExtensionAssociation`
Amazon AppSync	`AWS::AppSync::GraphQLApi`
Amazon Athena	`AWS::Athena::DataCatalog`, `AWS::Athena::WorkGroup`
Amazon Backup	`AWS::Backup::BackupPlan`, `AWS::Backup::BackupVault`, `AWS::Backup::RecoveryPlan`, `AWS::Backup::ReportPlan`
Amazon Batch	`AWS::Batch::ComputeEnvironment`, `AWS::Batch::JobQueue`, `AWS::Batch::SchedulingPolicy`
Amazon Certificate Manager (ACM)	`AWS::ACM::Certificate`
Amazon CloudFormation	`AWS::CloudFormation::Stack`
Amazon CloudFront	`AWS::CloudFront::Distribution`
Amazon CloudTrail	`AWS::CloudTrail::Trail`
Amazon CodeArtifact	`AWS::CodeArtifact::Repository`
Amazon CodeGuru	`AWS::CodeGuruProfiler::ProfilingGroup`, `AWS::CodeGuruReviewer::RepositoryAssociation`
Amazon Connect	`AWS::CustomerProfiles::ObjectType`
Amazon Database Migration Service (Amazon DMS)	`AWS::DMS::Certificate`, `AWS::DMS::EventSubscription` `AWS::DMS::ReplicationInstance`, `AWS::DMS::ReplicationSubnetGroup`
Amazon DataSync	`AWS::DataSync::Task`
Amazon Detective	`AWS::Detective::Graph`
Amazon DynamoDB	`AWS::DynamoDB::Trail`
Amazon Elastic Compute Cloud (EC2)	`AWS::EC2::CustomerGateway`, `AWS::EC2::DHCPOptions`, `AWS::EC2::EIP`, `AWS::EC2::FlowLog`, `AWS::EC2::Instance`, `AWS::EC2::InternetGateway`, `AWS::EC2::LaunchTemplate`, `AWS::EC2::NatGateway`, `AWS::EC2::NetworkAcl`, `AWS::EC2::NetworkInterface`, `AWS::EC2::PrefixList`, `AWS::EC2::RouteTable`, `AWS::EC2::SecurityGroup`, `AWS::EC2::Subnet`, `AWS::EC2::TrafficMirrorFilter`, `AWS::EC2::TrafficMirrorSession`, `AWS::EC2::TrafficMirrorTarget`, `AWS::EC2::TransitGateway`, `AWS::EC2::TransitGatewayAttachment`, `AWS::EC2::TransitGatewayRouteTable`, `AWS::EC2::Volume`, `AWS::EC2::VPC`, `AWS::EC2::VPCEndpointService`, `AWS::EC2::VPCPeeringConnection`, `AWS::EC2::VPNGateway`
Amazon EC2 Auto Scaling	`AWS::AutoScaling::AutoScalingGroup`
Amazon Elastic Container Registry (Amazon ECR)	`AWS::ECR::PublicRepository`
Amazon Elastic Container Service (Amazon ECS)	`AWS::ECS::Cluster`, `AWS::ECS::Service`, `AWS::ECS::TaskDefinition`
Amazon Elastic File System (Amazon EFS)	`AWS::EFS::AccessPoint`
Amazon Elastic Kubernetes Service (Amazon EKS)	`AWS::EKS::Cluster`, `AWS::EKS::IdentityProviderConfig`
Amazon Elastic Beanstalk	`AWS::ElasticBeanstalk::Environment`
ElasticSearch	`AWS::Elasticsearch::Domain`
Amazon EventBridge	`AWS::Events::EventBus`
Amazon Fraud Detector	`AWS::FraudDetector::EntityType`, `AWS::FraudDetector::Label` `AWS::FraudDetector::Outcome`, `AWS::FraudDetector::Variable`
Amazon Global Accelerator	`AWS::GlobalAccelerator::Accelerator`
Amazon Glue	`AWS::Glue::Job`
Amazon GuardDuty	`AWS::GuardDuty::Detector`, `AWS::GuardDuty::Filter`, `AWS::GuardDuty::IPSet`
Amazon Identity and Access Management (IAM)	`AWS::IAM::Role`, `AWS::IAM::User`
Amazon Identity and Access Management Access Analyzer (IAM Access Analyzer)	`AWS::AccessAnalyzer::Analyzer`
Amazon IoT	`AWS::IoT::Authorizer`, `AWS::IoT::Dimension`, `AWS::IoT::MitigationAction`, `AWS::IoT::Policy`, `AWS::IoT::RoleAlias`, `AWS::IoT::SecurityProfile`
Amazon IoT Events	`AWS::IoTEvents::AlarmModel`, `AWS::IoTEvents::DetectorModel`, `AWS::IoTEvents::Input`
Amazon IoT SiteWise	`AWS::IoTSiteWise::Dashboard`, `AWS::IoTSiteWise::Gateway`, `AWS::IoTSiteWise::Portal`, `AWS::IoTSiteWise::Project`
Amazon IoT TwinMaker	`AWS::IoTTwinMaker::Entity`, `AWS::IoTTwinMaker::Scene`, `AWS::IoTTwinMaker::SyncJob`, `AWS::IoTTwinMaker::Workspace`
Amazon IoT Wireless	`AWS::IoTWireless::FuotaTask`, `AWS::IoTWireless::MulticastGroup`, `AWS::IoTWireless::ServiceProfile`
Amazon Interactive Video Service (Amazon IVS)	`AWS::IVS::Channel`, `AWS::IVS::PlaybackKeyPair`, `AWS::IVS::RecordingConfiguration`
Amazon Keyspaces (for Apache Cassandra)	`AWS::Cassandra::Keyspace`
Amazon Kinesis	`AWS::Kinesis::Stream`
Amazon Lambda	`AWS::Lambda::Function`
Amazon MQ	`AWS::AmazonMQ::Broker`
Amazon Network Firewall	`AWS::NetworkFirewall::Firewall`, `AWS::NetworkFirewall::FirewallPolicy`
Amazon OpenSearch Service	`AWS::OpenSearch::Domain`
Amazon Private Certificate Authority	`AWS::ACMPCA::CertificateAuthority`
Amazon Relational Database Service	`AWS::RDS::DBCluster`, `AWS::RDS::DBClusterSnapshot`, `AWS::RDS::DBInstance`, `AWS::RDS::DBSecurityGroup`, `AWS::RDS::DBSnapshot`, `AWS::RDS::DBSubnetGroup`
Amazon Redshift	`AWS::Redshift::Cluster`, `AWS::Redshift::ClusterParameterGroup`, `AWS::Redshift::ClusterSnapshot`, `AWS::Redshift::ClusterSubnetGroup`, `AWS::Redshift::EventSubscription`
Amazon Route 53	`AWS::Route53::HealthCheck`
Amazon SageMaker AI	`AWS::SageMaker::AppImageConfig`, `AWS::SageMaker::Image`
Amazon Secrets Manager	`AWS::SecretsManager::Secret`
Amazon Simple Email Service (Amazon SES)	`AWS::SES::ConfigurationSet`, `AWS::SES::ContactList`
Amazon Simple Notification Service (Amazon SNS)	`AWS::SNS::Topic`
Amazon Simple Queue Service (Amazon SQS)	`AWS::SQS::Queue`
Amazon Step Functions	`AWS::StepFunctions::Activity`
Amazon Systems Manager (SSM)	`AWS::SSM::Document`
Amazon Transfer Family	`AWS::Transfer::Agreement`, `AWS::Transfer::Certificate`, `AWS::Transfer::Connector`, `AWS::Transfer::Profile`, `AWS::Transfer::Workflow`

Required resources for the Amazon Control Tower service-managed standard

For Security Hub to accurately report findings for change triggered controls that apply to the Amazon Control Tower service-managed standard, are enabled, and use an Amazon Config rule, you must record the following types of resources in Amazon Config. For information about this standard, see Service-Managed Standard: Amazon Control Tower.

Amazon Web Services service	Resource types
Amazon API Gateway	`AWS::ApiGateway::Stage` `AWS::ApiGatewayV2::Stage`
Amazon Certificate Manager (ACM)	`AWS::ACM::Certificate`
Amazon CodeBuild	`AWS::CodeBuild::Project`
Amazon DynamoDB	`AWS::DynamoDB::Table`
Amazon Elastic Compute Cloud (EC2)	`AWS::EC2::Instance` `AWS::EC2::NetworkAcl` `AWS::EC2::NetworkInterface` `AWS::EC2::SecurityGroup` `AWS::EC2::Subnet` `AWS::EC2::VPNConnection` `AWS::EC2::Volume`
Amazon EC2 Auto Scaling	`AWS::AutoScaling::AutoScalingGroup` `AWS::AutoScaling::LaunchConfiguration`
Amazon Elastic Container Registry (Amazon ECR)	`AWS::ECR::Repository`
Amazon Elastic Container Service (Amazon ECS)	`AWS::ECS::Cluster` `AWS::ECS::Service` `AWS::ECS::TaskDefinition`
Amazon Elastic File System (Amazon EFS)	`AWS::EFS::AccessPoint`
Amazon EKS	`AWS::EKS::Cluster`
ElasticBeanstalk	`AWS::ElasticBeanstalk::Environment`
Elastic Load Balancing	`AWS::ElasticLoadBalancing::LoadBalancer` `AWS::ElasticLoadBalancingV2::LoadBalancer`
ElasticSearch	`AWS::Elasticsearch::Domain`
Amazon Identity and Access Management (IAM)	`AWS::IAM::Group` `AWS::IAM::Policy` `AWS::IAM::Role` `AWS::IAM::User`
Amazon Key Management Service (Amazon KMS)	`AWS::KMS::Alias` `AWS::KMS::Key`
Amazon Kinesis	`AWS::Kinesis::Stream`
Amazon Lambda	`AWS::Lambda::Function`
Amazon Network Firewall	`AWS::NetworkFirewall::FirewallPolicy` `AWS::NetworkFirewall::RuleGroup`
Amazon OpenSearch Service	`AWS::OpenSearch::Domain`
Amazon Relational Database Service (Amazon RDS)	`AWS::RDS::DBCluster` `AWS::RDS::DBClusterSnapshot` `AWS::RDS::DBInstance` `AWS::RDS::DBSnapshot` `AWS::RDS::EventSubscription`
Amazon Redshift	`AWS::Redshift::Cluster`
Amazon Simple Storage Service (Amazon S3)	`AWS::S3::AccountPublicAccessBlock` `AWS::S3::Bucket`
Amazon Simple Notification Service (Amazon SNS)	`AWS::SNS::Topic`
Amazon Simple Queue Service (Amazon SQS)	`AWS::SQS::Queue`
Amazon Secrets Manager	`AWS::SecretsManager::Secret`
Amazon EC2 Systems Manager (SSM)	`AWS::SSM::AssociationCompliance` `AWS::SSM::ManagedInstanceInventory` `AWS::SSM::PatchCompliance`
Amazon WAF	`AWS::WAFRegional::Rule` `AWS::WAFRegional::RuleGroup` `AWS::WAFRegional::WebACL` `AWS::WAFv2::WebACL`

Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Security checks and scores

Schedule for running security checks