NIST SP 800-53 Revision 5 in Security Hub

NIST Special Publication 800-53 Revision 5 (NIST SP 800-53 Rev. 5) is a cybersecurity and compliance framework developed by the National Institute of Standards and Technology (NIST), an agency that's part of the U.S. Department of Commerce. This compliance framework provides a catalog of security and privacy requirements for protecting the confidentiality, integrity, and availability of information systems and critical resources. U.S. federal government agencies and contractors must comply with these requirements to protect their systems and organizations. Private organizations can also voluntarily use the requirements as a guiding framework for reducing cybersecurity risk. For more information about the framework and its requirements, see NIST SP 800-53 Rev. 5 in the NIST Computer Security Resource Center.

Amazon Security Hub provides security controls that support a subset of NIST SP 800-53 Revision 5 requirements. The controls perform automated security checks for certain Amazon Web Services services and resources. To enable and manage these controls, you can enable the NIST SP 800-53 Revision 5 framework as a standard in Security Hub. Note that the controls don't support NIST SP 800-53 Revision 5 requirements that require manual checks.

Unlike other frameworks, the NIST SP 800-53 Revision 5 framework isn't prescriptive about how its requirements should be evaluated. Instead, the framework provides guidelines. In Security Hub, the NIST SP 800-53 Revision 5 standard and controls represent the service's understanding of these guidelines.

Configuring resource recording for controls that apply to the standard

To optimize coverage and the accuracy of findings, it's important to enable and configure resource recording in Amazon Config before you enable the NIST SP 800-53 Revision 5 standard in Amazon Security Hub. When you configure resource recording, also be sure to enable it for all the types of Amazon resources that are checked by controls that apply to the standard. This is primarily for controls that have a change-triggered schedule type; however, some controls with a periodic schedule type also require resource recording. If resource recording isn't enabled or configured correctly, Security Hub might not be able to evaluate the appropriate resources and generate accurate findings for controls that apply to the standard.

For information about how Security Hub uses resource recording in Amazon Config, see Enabling and configuring Amazon Config for Security Hub. For information about configuring resource recording in Amazon Config, see Working with the configuration recorder in the Amazon Config Developer Guide.

The following table specifies the types of resources to record for controls that apply to the NIST SP 800-53 Revision 5 standard in Security Hub.

Amazon Web Services service: Resource types

Amazon API Gateway: AWS::ApiGateway::Stage, AWS::ApiGatewayV2::Stage
Amazon AppSync: AWS::AppSync::GraphQLApi
Amazon Backup: AWS::Backup::RecoveryPoint
Amazon Certificate Manager (ACM): AWS::ACM::Certificate
Amazon CloudFormation: AWS::CloudFormation::Stack
Amazon CloudFront: AWS::CloudFront::Distribution
Amazon CloudWatch: AWS::CloudWatch::Alarm
Amazon CodeBuild: AWS::CodeBuild::Project
Amazon Database Migration Service (Amazon DMS): AWS::DMS::Endpoint, AWS::DMS::ReplicationInstance, AWS::DMS::ReplicationTask
Amazon DynamoDB: AWS::DynamoDB::Table
Amazon Elastic Compute Cloud (Amazon EC2): AWS::EC2::ClientVpnEndpoint, AWS::EC2::EIP, AWS::EC2::Instance, AWS::EC2::LaunchTemplate, AWS::EC2::NetworkAcl, AWS::EC2::NetworkInterface, AWS::EC2::SecurityGroup, AWS::EC2::Subnet, AWS::EC2::TransitGateway, AWS::EC2::VPNConnection, AWS::EC2::Volume
Amazon EC2 Auto Scaling: AWS::AutoScaling::AutoScalingGroup, AWS::AutoScaling::LaunchConfiguration
Amazon Elastic Container Registry (Amazon ECR): AWS::ECR::Repository
Amazon Elastic Container Service (Amazon ECS): AWS::ECS::Cluster, AWS::ECS::Service, AWS::ECS::TaskDefinition
Amazon Elastic File System (Amazon EFS): AWS::EFS::AccessPoint
Amazon Elastic Kubernetes Service (Amazon EKS): AWS::EKS::Cluster
Amazon Elastic Beanstalk: AWS::ElasticBeanstalk::Environment
Elastic Load Balancing: AWS::ElasticLoadBalancing::LoadBalancer, AWS::ElasticLoadBalancingV2::Listener, AWS::ElasticLoadBalancingV2::LoadBalancer
Amazon ElasticSearch: AWS::Elasticsearch::Domain
Amazon EMR: AWS::EMR::SecurityConfiguration
Amazon EventBridge: AWS::Events::Endpoint, AWS::Events::EventBus
Amazon Glue: AWS::Glue::Job
Amazon Identity and Access Management (IAM): AWS::IAM::Group, AWS::IAM::Policy, AWS::IAM::Role, AWS::IAM::User
Amazon Key Management Service (Amazon KMS): AWS::KMS::Alias, AWS::KMS::Key
Amazon Kinesis: AWS::Kinesis::Stream
Amazon Lambda: AWS::Lambda::Function
Amazon Managed Streaming for Apache Kafka (Amazon MSK): AWS::MSK::Cluster
Amazon MQ: AWS::AmazonMQ::Broker
Amazon Network Firewall: AWS::NetworkFirewall::Firewall, AWS::NetworkFirewall::FirewallPolicy, AWS::NetworkFirewall::RuleGroup
Amazon OpenSearch Service: AWS::OpenSearch::Domain
Amazon Relational Database Service (Amazon RDS): AWS::RDS::DBCluster, AWS::RDS::DBClusterSnapshot, AWS::RDS::DBInstance, AWS::RDS::DBSnapshot, AWS::RDS::EventSubscription
Amazon Redshift: AWS::Redshift::Cluster, AWS::Redshift::ClusterSubnetGroup
Amazon Route 53: AWS::Route53::HostedZone
Amazon Simple Storage Service (Amazon S3): AWS::S3::AccessPoint, AWS::S3::AccountPublicAccessBlock, AWS::S3::Bucket
Amazon Service Catalog: AWS::ServiceCatalog::Portfolio
Amazon Simple Notification Service (Amazon SNS): AWS::SNS::Topic
Amazon Simple Queue Service (Amazon SQS): AWS::SQS::Queue
Amazon EC2 Systems Manager (SSM): AWS::SSM::AssociationCompliance, AWS::SSM::ManagedInstanceInventory, AWS::SSM::PatchCompliance
Amazon SageMaker AI: AWS::SageMaker::NotebookInstance
Amazon Secrets Manager: AWS::SecretsManager::Secret
Amazon Transfer Family: AWS::Transfer::Connector
Amazon WAF: AWS::WAF::Rule, AWS::WAF::RuleGroup, AWS::WAF::WebACL, AWS::WAFRegional::Rule, AWS::WAFRegional::RuleGroup, AWS::WAFRegional::WebACL, AWS::WAFv2::RuleGroup, AWS::WAFv2::WebACL
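As an added example (not part of this documentation page or the Security Hub service), the following Python checks a configuration recorder definition, in the shape the Amazon Config DescribeConfigurationRecorders API returns, against the resource types from the table above and reports the ones that would not be recorded. The required set is an excerpt of the table, and the sample recorder, its role ARN and account ID are constructed for illustration.

```python
# Excerpt of the resource types from the table above; extend to the full list as needed.
REQUIRED_TYPES = {
    "AWS::ApiGateway::Stage", "AWS::ApiGatewayV2::Stage",
    "AWS::EC2::Instance", "AWS::EC2::SecurityGroup",
    "AWS::IAM::Role", "AWS::IAM::User",
    "AWS::S3::Bucket", "AWS::S3::AccountPublicAccessBlock",
    "AWS::Lambda::Function", "AWS::KMS::Key",
}


def is_recorded(group, rtype):
    """Decide whether one resource type is recorded under a recordingGroup
    (the structure inside each item of DescribeConfigurationRecorders)."""
    strategy = group.get("recordingStrategy", {}).get("useOnly")
    if strategy is None:
        # Older recorders carry no recordingStrategy; infer it from the legacy fields.
        if group.get("exclusionByResourceTypes", {}).get("resourceTypes"):
            strategy = "EXCLUSION_BY_RESOURCE_TYPES"
        elif group.get("allSupported"):
            strategy = "ALL_SUPPORTED_RESOURCE_TYPES"
        else:
            strategy = "INCLUSION_BY_RESOURCE_TYPES"
    if strategy == "ALL_SUPPORTED_RESOURCE_TYPES":
        return True
    if strategy == "EXCLUSION_BY_RESOURCE_TYPES":
        return rtype not in set(group["exclusionByResourceTypes"]["resourceTypes"])
    return rtype in set(group.get("resourceTypes", []))


def missing_types(recorder, required=REQUIRED_TYPES):
    """Return, sorted, the required types this recorder does not record.
    Note: includeGlobalResourceTypes (relevant for global types such as IAM
    under the all-supported strategy) is not modelled here."""
    group = recorder.get("recordingGroup", {})
    return sorted(t for t in required if not is_recorded(group, t))


# Constructed sample: an inclusion-list recorder that omits the IAM types and
# the account-level S3 public access block. Account ID and role are placeholders.
SAMPLE_RECORDER = {
    "name": "default",
    "roleARN": "arn:aws:iam::111122223333:role/config-role",
    "recordingGroup": {
        "allSupported": False,
        "includeGlobalResourceTypes": False,
        "resourceTypes": ["AWS::ApiGateway::Stage", "AWS::ApiGatewayV2::Stage",
                          "AWS::EC2::Instance", "AWS::EC2::SecurityGroup",
                          "AWS::S3::Bucket", "AWS::Lambda::Function", "AWS::KMS::Key"],
        "recordingStrategy": {"useOnly": "INCLUSION_BY_RESOURCE_TYPES"},
    },
}

if __name__ == "__main__":
    for rtype in missing_types(SAMPLE_RECORDER):
        print("not recorded:", rtype)
```

Against a live account, feed each item of the ConfigurationRecorders list from boto3's `config.describe_configuration_recorders()` to `missing_types`, once per Region where the standard is enabled.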

Determining which controls apply to the standard

The following list specifies the controls that support NIST SP 800-53 Revision 5 requirements and apply to the NIST SP 800-53 Revision 5 standard in Amazon Security Hub. For details about specific requirements that a control supports, choose the control. Then refer to the Related requirements field in the details for the control. This field specifies each NIST requirement that the control supports. If the field doesn't specify a particular NIST requirement, the control doesn't support the requirement.