Amazon Resource Tagging standard in Security Hub
The Amazon Resource Tagging standard, developed by Amazon Security Hub, helps you determine whether your Amazon resources are missing tags. Tags are key‐value pairs that act as metadata for organizing Amazon resources. With most Amazon resources, you have the option of adding tags to a resource when you create the resource or after you create the resource. Examples of resources include Amazon CloudFront distributions, Amazon Elastic Compute Cloud (Amazon EC2) instances, and secrets in Amazon Secrets Manager. Tags can help you manage, identify, organize, search for, and filter Amazon resources.
Each tag has two parts:
- A tag key—for example, CostCenter, Environment, or Project. Tag keys are case sensitive.
- A tag value—for example, 111122223333 or Production. Like tag keys, tag values are case sensitive.
You can use tags to categorize resources by purpose, owner, environment, or other criteria. For information about adding tags to Amazon resources, see the Tagging Amazon Resources and Tag Editor User Guide.
For each control that applies to the Amazon Resource Tagging standard in Security Hub, you can optionally use the supported parameter to specify tag keys that you want the control to check for. If you don't specify any tag keys, the control checks only for the existence of at least one tag key, and fails if a resource doesn't have any tag keys.
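To make the pass/fail semantics above concrete, here is an added example (not Security Hub's own code) that models one tagging control locally: with no required keys, a resource passes only if it carries at least one tag key; with required keys, it fails if any is missing; keys are compared case-sensitively. The ARNs and tags are constructed sample data.

```python
# Added example (not Security Hub's own code): a local model of the tag check
# described above. With no required keys, a resource passes only if it has at
# least one tag key; with required keys, it fails if any is missing. Tag keys
# are compared case-sensitively, as the standard states.
from dataclasses import dataclass, field


@dataclass
class Resource:
    arn: str
    tags: dict = field(default_factory=dict)


def evaluate_tagging(resource, required_keys=()):
    """Return (status, reason) for one resource; status is PASSED or FAILED."""
    present = set(resource.tags)  # exact key strings: "environment" != "Environment"
    if not required_keys:
        if present:
            return "PASSED", "resource has at least one tag key"
        return "FAILED", "resource has no tag keys"
    missing = [k for k in required_keys if k not in present]
    if missing:
        return "FAILED", "missing required tag keys: " + ", ".join(missing)
    return "PASSED", "all required tag keys present"


def summarize(resources, required_keys=()):
    """Map each resource ARN to its status, e.g. to count failures per control."""
    return {r.arn: evaluate_tagging(r, required_keys)[0] for r in resources}


# Constructed sample inventory with placeholder ARNs (not real resources).
SAMPLE = [
    Resource("arn:aws-cn:appconfig:cn-north-1:111122223333:application/example-1",
             {"Environment": "Production", "CostCenter": "111122223333"}),
    Resource("arn:aws-cn:appconfig:cn-north-1:111122223333:application/example-2",
             {"environment": "Production"}),  # lowercase key does not satisfy "Environment"
    Resource("arn:aws-cn:appconfig:cn-north-1:111122223333:application/example-3"),
]

if __name__ == "__main__":
    for arn, status in summarize(SAMPLE, ["Environment", "CostCenter"]).items():
        print(status, arn)
```

Running it with the two required keys reports the first resource as PASSED and the other two as FAILED; with no required keys, only the untagged third resource fails.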
Before you enable the Amazon Resource Tagging standard, it's important to first enable and configure resource recording in Amazon Config. When you configure resource recording, also be sure to enable it for all the types of Amazon resources that are checked by controls that apply to the standard. Otherwise, Security Hub might not be able to evaluate the appropriate resources, and generate accurate findings for controls that apply to the standard. For more information, including a list of the types of resources to record, see Required Amazon Config resources for control findings.
Note
The Amazon Resource Tagging standard isn't available in the Canada West (Calgary), China, and Amazon GovCloud (US) Regions.
After you enable the Amazon Resource Tagging standard, you begin receiving findings for controls that apply to the standard. Note that it can take up to 18 hours for Security Hub to generate findings for controls that use the same Amazon Config service-linked rule as controls that apply to other enabled standards. For more information, see Schedule for running security checks.
The Amazon Resource Tagging standard has the following Amazon Resource Name (ARN): arn:aws-cn:securityhub:region::standards/aws-resource-tagging-standard/v/1.0.0. You can also use the GetEnabledStandards operation of the Security Hub API to find the ARN of an enabled standard.
Controls that apply to the standard
The following list specifies which Amazon Security Hub controls apply to the Amazon Resource Tagging standard (v1.0.0). To review the details of a control, choose the control.
- [AppConfig.1] Amazon AppConfig applications should be tagged
- [AppConfig.2] Amazon AppConfig configuration profiles should be tagged
- [AppConfig.3] Amazon AppConfig environments should be tagged
- [AppConfig.4] Amazon AppConfig extension associations should be tagged
- [Batch.4] Compute resources properties in managed Batch compute environments should be tagged
- [CodeGuruProfiler.1] CodeGuru Profiler profiling groups should be tagged
- [CodeGuruReviewer.1] CodeGuru Reviewer repository associations should be tagged
- [Connect.1] Amazon Connect Customer Profiles object types should be tagged
- [EKS.7] EKS identity provider configurations should be tagged
- [FraudDetector.1] Amazon Fraud Detector entity types should be tagged
- [FraudDetector.2] Amazon Fraud Detector labels should be tagged
- [FraudDetector.3] Amazon Fraud Detector outcomes should be tagged
- [FraudDetector.4] Amazon Fraud Detector variables should be tagged
- [GlobalAccelerator.1] Global Accelerator accelerators should be tagged
- [IoT.1] Amazon IoT Device Defender security profiles should be tagged
- [IoTEvents.2] Amazon IoT Events detector models should be tagged
- [IoTEvents.3] Amazon IoT Events alarm models should be tagged
- [IoTSiteWise.1] Amazon IoT SiteWise asset models should be tagged
- [IoTSiteWise.2] Amazon IoT SiteWise dashboards should be tagged
- [IoTSiteWise.3] Amazon IoT SiteWise gateways should be tagged
- [IoTSiteWise.4] Amazon IoT SiteWise portals should be tagged
- [IoTSiteWise.5] Amazon IoT SiteWise projects should be tagged
- [IoTTwinMaker.1] Amazon IoT TwinMaker sync jobs should be tagged
- [IoTTwinMaker.2] Amazon IoT TwinMaker workspaces should be tagged
- [IoTTwinMaker.3] Amazon IoT TwinMaker scenes should be tagged
- [IoTTwinMaker.4] Amazon IoT TwinMaker entities should be tagged
- [IoTWireless.1] Amazon IoT Wireless multicast groups should be tagged
- [IoTWireless.2] Amazon IoT Wireless service profiles should be tagged
- [NetworkFirewall.7] Network Firewall firewalls should be tagged
- [NetworkFirewall.8] Network Firewall firewall policies should be tagged
- [PCA.2] Amazon Private CA certificate authorities should be tagged
- [Redshift.12] Redshift event notification subscriptions should be tagged
- [Redshift.14] Redshift cluster subnet groups should be tagged
- [Redshift.17] Redshift cluster parameter groups should be tagged
- [SageMaker.6] SageMaker app image configurations should be tagged
- [StepFunctions.2] Step Functions activities should be tagged
- [Transfer.1] Amazon Transfer Family workflows should be tagged