

# Introduction to Amazon Security Hub CSPM

Amazon Security Hub Cloud Security Posture Management (Amazon Security Hub CSPM) provides you with a comprehensive view of your security state in Amazon and helps you assess your Amazon environment against security industry standards and best practices.

Amazon Security Hub CSPM collects security data across Amazon Web Services accounts, Amazon Web Services services, and supported third-party products and helps you analyze your security trends and identify the highest priority security issues.

To help you manage the security state of your organization, Security Hub CSPM supports multiple security standards. These include the Amazon Foundational Security Best Practices (FSBP) standard developed by Amazon, and external compliance frameworks such as the Center for Internet Security (CIS), the Payment Card Industry Data Security Standard (PCI DSS), and the National Institute of Standards and Technology (NIST). Each standard includes several security controls, each of which represents a security best practice. Security Hub CSPM runs checks against security controls and generates control findings to help you assess your compliance against security best practices.

In addition to generating control findings, Security Hub CSPM also receives findings from other Amazon Web Services services—such as Amazon GuardDuty, Amazon Inspector, and Amazon Macie—and supported third-party products. This gives you a single pane of glass into a variety of security-related issues. You can also send Security Hub CSPM findings to other Amazon Web Services services and supported third-party products.

Security Hub CSPM offers automation features that help you triage and remediate security issues. For example, you can use automation rules to automatically update critical findings when a security check fails. You can also leverage the integration with Amazon EventBridge to trigger automatic responses to specific findings.

**Topics**
+ [Benefits of Security Hub CSPM](#securityhub-benefits)
+ [Accessing Security Hub CSPM](#securityhub-get-started)
+ [Related services](#securityhub-related-services)
+ [Security Hub CSPM free trial and pricing](#securityhub-free-trial)
+ [Concepts and terminology in Security Hub CSPM](securityhub-concepts.md)
+ [Enabling Security Hub CSPM](securityhub-settingup.md)
+ [Managing administrator and member accounts in Security Hub CSPM](securityhub-accounts.md)
+ [Understanding cross-Region aggregation in Security Hub CSPM](finding-aggregation.md)
+ [Understanding security standards in Security Hub CSPM](standards-view-manage.md)
+ [Understanding security controls in Security Hub CSPM](controls-view-manage.md)
+ [Understanding integrations in Security Hub CSPM](securityhub-findings-providers.md)
+ [Creating and updating findings in Security Hub CSPM](securityhub-findings.md)
+ [Viewing insights in Security Hub CSPM](securityhub-insights.md)
+ [Automatically modifying and acting on findings in Security Hub CSPM](automations.md)
+ [Working with the dashboard in Security Hub CSPM](dashboard.md)
+ [Regional limits for Security Hub CSPM](securityhub-regions.md)
+ [Creating Security Hub CSPM resources with CloudFormation](creating-resources-with-cloudformation.md)
+ [Subscribing to Security Hub CSPM announcements with Amazon SNS](securityhub-announcements.md)
+ [Disabling Security Hub CSPM](securityhub-disable.md)
+ [Security in Amazon Security Hub CSPM](security.md)
+ [Logging Security Hub API calls with CloudTrail](securityhub-ct.md)

## Benefits of Security Hub CSPM

Here are some of the key ways that Security Hub CSPM helps you monitor your compliance and security posture across your Amazon environment.

**Reduced effort to collect and prioritize findings**  
Security Hub CSPM reduces the effort to collect and prioritize security findings across accounts from integrated Amazon Web Services services and Amazon partner products. Security Hub CSPM processes finding data using the Amazon Security Finding Format (ASFF), a standard finding format. This eliminates the need to manage findings from myriad sources in multiple formats. Security Hub CSPM also correlates findings across providers to help you prioritize the most important ones.

**Automatic security checks against best practices and standards**  
Security Hub CSPM automatically runs continuous, account-level configuration and security checks based on Amazon best practices and industry standards. Security Hub CSPM uses the results of these checks to calculate security scores, and identifies specific accounts and resources that require attention.

**Consolidated view of findings across accounts and providers**  
Security Hub CSPM consolidates your security findings across accounts and provider products and displays results on the Security Hub CSPM console. You can also retrieve findings through the Security Hub CSPM API, Amazon CLI, or SDKs. With a holistic view of your current security status, you can spot trends, identify potential issues, and take necessary remediation steps.

**Ability to automate finding updates and remediation**  
You can create automation rules that modify or suppress findings based on your defined criteria. Security Hub CSPM also supports an integration with Amazon EventBridge. To automate the remediation of specific findings, you can define custom actions to take when a finding is generated. For example, you can configure custom actions to send findings to a ticketing system or to an automated remediation system.

## Accessing Security Hub CSPM

Security Hub CSPM is available in most Amazon Web Services Regions. For a list of Regions where Security Hub CSPM is currently available, see [Amazon Security Hub CSPM endpoints and quotas](https://docs.amazonaws.cn/general/latest/gr/sechub.html) in the *Amazon Web Services General Reference*. For information about managing Amazon Web Services Regions for your Amazon Web Services account, see [Specifying which Amazon Web Services Regions your account can use](https://docs.amazonaws.cn/accounts/latest/reference/manage-acct-regions.html) in the *Amazon Account Management Reference Guide*.

In each Region, you can access and use Security Hub CSPM in any of the following ways:

**Security Hub CSPM console**  
The Amazon Web Services Management Console is a browser-based interface that you can use to create and manage Amazon resources. As part of that console, the Security Hub CSPM console provides access to your Security Hub CSPM account, data, and resources. You can perform Security Hub CSPM tasks by using the Security Hub CSPM console—view findings, create automation rules, create an aggregation Region, and more.

**Security Hub CSPM API**  
The Security Hub CSPM API gives you programmatic access to your Security Hub CSPM account, data, and resources. With the API, you can send HTTPS requests directly to Security Hub CSPM. For information about the API, see the *[Amazon Security Hub API Reference](https://docs.amazonaws.cn/securityhub/1.0/APIReference/)*.

**Amazon CLI**  
With the Amazon CLI, you can run commands at your system's command line to perform Security Hub CSPM tasks. In some cases, using the command line can be faster and more convenient than using the console. The command line is also useful if you want to build scripts that perform tasks. For information about installing and using the Amazon CLI, see the [Amazon Command Line Interface User Guide](https://docs.amazonaws.cn/cli/latest/userguide/cli-chap-welcome.html).

**Amazon SDKs**  
Amazon provides SDKs that consist of libraries and sample code for various programming languages and platforms—for example, Java, Go, Python, C++, and .NET. The SDKs provide convenient, programmatic access to Security Hub CSPM and other Amazon Web Services services in your preferred language. They also handle tasks such as cryptographically signing requests, managing errors, and retrying requests automatically. For information about installing and using the Amazon SDKs, see [Tools to Build on Amazon](https://www.amazonaws.cn/developertools/).

**Important**  
Security Hub CSPM only detects and consolidates findings that are generated after you enable Security Hub CSPM. It doesn't retroactively detect and consolidate security findings that were generated before you enabled Security Hub CSPM.  
Security Hub CSPM only receives and processes findings in the Region where you enabled Security Hub CSPM in your account.  
For full compliance with CIS Amazon Foundations Benchmark security checks, you must enable Security Hub CSPM in all supported Amazon Regions.

## Related services

To further secure your Amazon environment, consider using other Amazon Web Services services in combination with Security Hub CSPM. Some Amazon Web Services services send their findings to Security Hub CSPM, and Security Hub CSPM normalizes the findings into a standard format. Some Amazon Web Services services can also receive findings from Security Hub CSPM.

For a list of other Amazon Web Services services that send or receive Security Hub CSPM findings, see [Amazon Web Services service integrations with Security Hub CSPM](securityhub-internal-providers.md).

Security Hub CSPM uses service-linked rules from Amazon Config to run security checks for most controls. Controls refer to specific Amazon Web Services services and Amazon resources. For a list of Security Hub CSPM controls, see [Control reference for Security Hub CSPM](securityhub-controls-reference.md). You must enable Amazon Config and record resources in Amazon Config for Security Hub CSPM to generate most control findings. For more information, see [Considerations before enabling and configuring Amazon Config](securityhub-setup-prereqs.md#securityhub-prereq-config).

## Security Hub CSPM free trial and pricing

When you enable Security Hub CSPM in an Amazon Web Services account for the first time, that account is automatically enrolled in a 30-day Security Hub CSPM free trial.

When you use Security Hub CSPM during the free trial, you are charged for usage of other services that Security Hub CSPM interacts with, such as Amazon Config items. You are not charged for Amazon Config rules that are activated only by Security Hub CSPM security standards.

You are not charged for using Security Hub CSPM until your free trial ends.

### Viewing usage details

Security Hub CSPM provides usage information, including the number of security checks and findings processed by your account. The usage details also include the time remaining in the free trial. This information can help you anticipate what your Security Hub CSPM usage will be after the free trial ends. The usage information remains available after the free trial ends.

**To display usage information (console)**

1. Open the Amazon Security Hub CSPM console at [https://console.amazonaws.cn/securityhub/](https://console.amazonaws.cn/securityhub/).

1. In the navigation pane, choose **Usage** under **Settings**.

The usage information is only for the current account and current Region. In an aggregation Region, the usage information doesn't include linked Regions. For more information about linked Regions, see [Types of data that are aggregated](finding-aggregation.md#finding-aggregation-overview).

To view cost details for your account, use the [Amazon Billing console](https://console.aws.amazon.com/billing/).

### Pricing details

For more information about how Security Hub CSPM charges for ingested findings and security checks, see [Security Hub CSPM pricing](https://www.amazonaws.cn/security-hub/pricing/).

# Concepts and terminology in Security Hub CSPM

In Amazon Security Hub CSPM, we build on common Amazon concepts and terminology and use these additional terms.

**Account**  
A standard Amazon Web Services (Amazon) account that contains your Amazon resources. You can sign in to Amazon with your account and enable Security Hub CSPM.  
An account can invite other accounts to enable Security Hub CSPM and become associated with that account in Security Hub CSPM. Accepting a membership invitation is optional. If an invitation is accepted, the inviting account becomes an administrator account, and the added accounts are member accounts. Administrator accounts can view findings in their member accounts.  
If you are enrolled in Amazon Organizations, then your organization designates a Security Hub CSPM administrator account for the organization. The Security Hub CSPM administrator account can enable other organization accounts as member accounts.  
An account cannot be both an administrator account and a member account at the same time. An account can only have one administrator account.  
For more information, see [Managing administrator and member accounts in Security Hub CSPM](securityhub-accounts.md).

**Administrator account**  
An account in Security Hub CSPM that is granted access to view findings for associated member accounts.  
An account becomes an administrator account in one of the following ways:  
+ The account invites other accounts to become associated with it in Security Hub CSPM. When those accounts accept the invitation, they become member accounts, and the inviting account becomes their administrator account.
+ The account is designated by an organization management account as the Security Hub CSPM administrator account. The Security Hub CSPM administrator account can enable any organization account as a member account, and can also invite other accounts to be member accounts.
An account can only have one administrator account. An account cannot be both an administrator account and a member account at the same time.

**Aggregation Region**  
Setting an aggregation Region allows you to view security findings from multiple Amazon Web Services Regions in a single pane of glass.   
The aggregation Region is the Region from which you view and manage findings. Findings are aggregated to the aggregation Region from linked Regions. Updates to findings are replicated across Regions.  
In the aggregation Region, the **Security standards**, **Insights**, and **Findings** pages include data from all linked Regions.  
For more information, see [Understanding cross-Region aggregation in Security Hub CSPM](finding-aggregation.md).

**Archived finding**  
A finding whose record state (`RecordState`) is `ARCHIVED`. Archiving a finding indicates that the finding provider believes that the finding is no longer relevant. Record state is different from workflow status, which tracks the status of the investigation into a finding.  
Finding providers can use the [BatchImportFindings](https://docs.amazonaws.cn//securityhub/1.0/APIReference/API_BatchImportFindings.html) operation of the Security Hub CSPM API to archive findings that they created. Security Hub CSPM automatically archives control findings that meet certain criteria. For more information, see [Generating, updating, and archiving control findings](controls-findings-create-update.md#securityhub-standards-results-updating).  
On the Security Hub CSPM console, default filter settings exclude archived findings from finding lists and tables. You can update the settings to include archived findings. If you retrieve findings by using the [GetFindings](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_GetFindings.html) operation of the Security Hub CSPM API, the operation retrieves both archived and active findings. To exclude archived findings, filter the results on `RecordState` so that only `ACTIVE` findings are returned. For example:  

```
"RecordState": [ 
    { 
        "Comparison": "EQUALS",
        "Value": "ACTIVE"
    }
],
```

**Amazon Security Finding Format (ASFF)**  
A standardized format for the contents of findings that Security Hub CSPM aggregates or generates. The Amazon Security Finding Format enables you to use Security Hub CSPM to view and analyze findings that are generated by Amazon security services, third-party solutions, or Security Hub CSPM itself from running security checks. For more information, see [Amazon Security Finding Format (ASFF)](securityhub-findings-format.md).

**Control**  
A safeguard or countermeasure prescribed for an information system or an organization designed to protect the confidentiality, integrity, and availability of its information and to meet a set of defined security requirements. A security standard is associated with a collection of controls.  
The term *security control* refers to controls that have a single control ID and title across standards. The term *standard control* refers to controls that have standard-specific control IDs and titles. Currently, Security Hub CSPM supports standard controls only in the China Regions and Amazon GovCloud (US) Regions. Security controls are supported in all other Regions.

**Custom action**  
A Security Hub CSPM mechanism for sending selected findings to EventBridge. A custom action is created in Security Hub CSPM. It is then linked to an EventBridge rule. The rule defines a specific action to take when a finding is received that is associated with the custom action ID. Custom actions can be used, for example, to send a specific finding, or a small set of findings, to a response or remediation workflow. For more information, see [Creating a custom action](securityhub-cwe-configure.md).

**Delegated administrator account (Organizations)**  
In Amazon Organizations, the delegated administrator account for a service is able to manage the use of a service for the organization.  
In Security Hub CSPM, the Security Hub CSPM administrator account is also the delegated administrator account for Security Hub CSPM. When the organization management account first designates a Security Hub CSPM administrator account, Security Hub CSPM calls Organizations to make that account the delegated administrator account.  
The organization management account must then choose the delegated administrator account as the Security Hub CSPM administrator account in all Regions.

**Finding**  
The observable record of a security check or security-related detection. Security Hub CSPM generates and updates findings after completing security checks for controls. These are called *control findings*. Findings can also come from integrations with other Amazon Web Services services and third-party products.  
For more information, see [Creating and updating findings in Security Hub CSPM](securityhub-findings.md).

**Cross-Region aggregation**  
The aggregation of findings, insights, control compliance statuses, and security scores from linked Regions to an aggregation Region. You can then view all of your data from the aggregation Region and update findings and insights from the aggregation Region.  
For more information, see [Understanding cross-Region aggregation in Security Hub CSPM](finding-aggregation.md).

**Finding ingestion**  
The import of findings into Security Hub CSPM from other Amazon services and from third-party partner providers.  
Finding ingestion events include both new findings and updates to existing findings.

**Insight**  
A collection of related findings defined by an aggregation statement and optional filters. An insight identifies a security area that requires attention and intervention. Security Hub CSPM offers several managed (default) insights that you can't modify. You can also create custom Security Hub CSPM insights to track security issues that are unique to your Amazon environment and usage. For more information, see [Viewing insights in Security Hub CSPM](securityhub-insights.md).

**Linked Region**  
When you enable cross-Region aggregation, a linked Region is a Region that aggregates findings, insights, control compliance statuses, and security scores to the aggregation Region.  
In a linked Region, the **Findings** and **Insights** pages contain findings only from that Region.  
For more information, see [Understanding cross-Region aggregation in Security Hub CSPM](finding-aggregation.md).

**Member account**  
An account that has granted permission to an administrator account to view and take action on their findings.  
An account becomes a member account in one of the following ways:  
+ The account accepts an invitation from another account.
+ For an organization account, the Security Hub CSPM administrator account enables the account as a member account.

**Related requirements**  
A set of industry or regulatory requirements that are mapped to a control.

**Rule**  
A set of automated criteria that is used to assess whether a control is being adhered to. When a rule is evaluated, it can pass or fail. If the evaluation cannot determine whether the rule passes or fails, then the rule is in a warning state. If the rule cannot be evaluated, then it is in a not available state.

**Security check**  
A specific point-in-time evaluation of a rule against a single resource resulting in a `PASSED`, `FAILED`, `WARNING`, or `NOT_AVAILABLE` state. Running a security check produces a finding.

**Security Hub CSPM administrator account**  
An organization account that manages Security Hub CSPM membership for an organization.  
The organization management account designates the Security Hub CSPM administrator account in each Region. The organization management account must choose the same Security Hub CSPM administrator account in all Regions.  
The Security Hub CSPM administrator account is also the delegated administrator account for Security Hub CSPM in Organizations.  
The Security Hub CSPM administrator account can enable any organization account as a member account. The Security Hub CSPM administrator account can also invite other accounts to be member accounts.

**Security standard**  
A published statement on a topic specifying the characteristics, usually measurable and in the form of controls, that must be satisfied or achieved for compliance. Security standards can be based on regulatory frameworks, best practices, or internal company policies. A control may be associated with one or more supported standards in Security Hub CSPM. To learn more about security standards in Security Hub CSPM, see [Understanding security standards in Security Hub CSPM](standards-view-manage.md).

**Severity**  
The severity assigned to a Security Hub CSPM control identifies the importance of the control. The severity of a control can be **Critical**, **High**, **Medium**, **Low**, or **Informational**. The severity assigned to control findings is equal to the severity of the control itself. To learn about how Security Hub CSPM assigns severity to a control, see [Severity levels for control findings](controls-findings-create-update.md#control-findings-severity).

**Workflow status**  
The status of an investigation into a finding. This is tracked using the `Workflow.Status` attribute.  
The workflow status is initially `NEW`. If you notified the resource owner to take action on the finding, you can set the workflow status to `NOTIFIED`. If the finding is not an issue, and does not require any action, set the workflow status to `SUPPRESSED`. After you review and remediate a finding, set the workflow status to `RESOLVED`.  
By default, most finding lists only include findings with a workflow status of `NEW` or `NOTIFIED`. Finding lists for controls also include `RESOLVED` findings.  
For the [GetFindings](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_GetFindings.html) operation, you can include a filter for the workflow status. For example, to retrieve only resolved findings:  

```
"WorkflowStatus": [ 
    { 
        "Comparison": "EQUALS",
        "Value": "RESOLVED"
    }
],
```

The Security Hub CSPM console provides an option to set the workflow status for findings. Customers (or SIEM, ticketing, incident management, or SOAR tools working on behalf of a customer to update findings from finding providers) can also use [BatchUpdateFindings](https://docs.amazonaws.cn//securityhub/1.0/APIReference/API_BatchUpdateFindings.html) to update the workflow status.
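The `RecordState` and `WorkflowStatus` fragments above are entries in the `Filters` argument of GetFindings, and the workflow status is written back with BatchUpdateFindings. The following added example (not from the Security Hub documentation) wires them together: it pages through findings with a filter, models the filter's matching rules locally, and sets `Workflow.Status` in batches. The functions accept any object with boto3's `get_findings` and `batch_update_findings` methods, such as `boto3.client("securityhub")`; `FakeSecurityHub`, `SAMPLE_FINDINGS` and the product ARN are constructed stand-ins so the module runs offline.

```python
# Added example (not from the Security Hub docs): pull findings with the filter
# shapes above and write Workflow.Status back.  Works with any object exposing
# boto3's get_findings()/batch_update_findings(); FakeSecurityHub and
# SAMPLE_FINDINGS are constructed stand-ins so the module runs offline.
from typing import Any, Dict, Iterator, List, Optional

# The console's default view: active findings whose investigation is still open.
# Entries within one field are OR'ed; separate fields are AND'ed.
OPEN_ACTIVE_FILTERS: Dict[str, Any] = {
    "RecordState": [{"Comparison": "EQUALS", "Value": "ACTIVE"}],
    "WorkflowStatus": [{"Comparison": "EQUALS", "Value": "NEW"},
                       {"Comparison": "EQUALS", "Value": "NOTIFIED"}],
}
# Where each modelled filter key reads from in the ASFF finding: the
# WorkflowStatus filter looks at the Workflow.Status attribute.
_PATHS = {"RecordState": ("RecordState",), "WorkflowStatus": ("Workflow", "Status")}

def matches(finding: Dict[str, Any], filters: Dict[str, Any]) -> bool:
    """Local model of GetFindings string matching: every field must match;
    EQUALS entries on a field are OR'ed, NOT_EQUALS entries are AND'ed, and the
    two comparison kinds cannot be mixed on one field."""
    for field, entries in filters.items():
        node: Any = finding
        for key in _PATHS[field]:  # KeyError means the field is not modelled here
            node = node.get(key, {}) if isinstance(node, dict) else {}
        value = node if isinstance(node, str) else None
        kinds = {e["Comparison"] for e in entries}
        if kinds == {"EQUALS"}:
            if not any(value == e["Value"] for e in entries):
                return False
        elif kinds == {"NOT_EQUALS"}:
            if any(value == e["Value"] for e in entries):
                return False
        else:
            raise ValueError(f"{field}: EQUALS and NOT_EQUALS cannot share one field")
    return True

def iter_findings(client, filters: Dict[str, Any]) -> Iterator[Dict[str, Any]]:
    """Yield every matching finding, following NextToken pagination."""
    kwargs: Dict[str, Any] = {"Filters": filters, "MaxResults": 100}
    while True:
        page = client.get_findings(**kwargs)
        yield from page.get("Findings", [])
        if not page.get("NextToken"):
            return
        kwargs["NextToken"] = page["NextToken"]

def set_workflow_status(client, findings: List[Dict[str, Any]], status: str,
                        note: Optional[str] = None):
    """Set Workflow.Status (NEW, NOTIFIED, SUPPRESSED or RESOLVED) on `findings`.
    BatchUpdateFindings takes at most 100 identifiers per call, so the request is
    chunked; returns the concatenated (ProcessedFindings, UnprocessedFindings)."""
    ids = [{"Id": f["Id"], "ProductArn": f["ProductArn"]} for f in findings]
    processed, unprocessed = [], []
    for start in range(0, len(ids), 100):
        kwargs: Dict[str, Any] = {"FindingIdentifiers": ids[start:start + 100],
                                  "Workflow": {"Status": status}}
        if note:  # a NoteUpdate needs both Text and UpdatedBy
            kwargs["Note"] = {"Text": note, "UpdatedBy": "triage-script"}
        resp = client.batch_update_findings(**kwargs)
        processed += resp.get("ProcessedFindings", [])
        unprocessed += resp.get("UnprocessedFindings", [])
    return processed, unprocessed

def triage_open_findings(client, status: str = "NOTIFIED"):
    """Pull every active, still-open finding and move it to `status`;
    returns (ids touched, processed count, unprocessed count)."""
    open_findings = list(iter_findings(client, OPEN_ACTIVE_FILTERS))
    ok, bad = set_workflow_status(client, open_findings, status, "Resource owner paged")
    return [f["Id"] for f in open_findings], len(ok), len(bad)

# Constructed sample data; the product ARN is a placeholder, not a real one.
PRODUCT_ARN = "arn:aws-cn:securityhub:cn-north-1::product/aws/securityhub"
SAMPLE_FINDINGS = [
    {"Id": "f-1", "ProductArn": PRODUCT_ARN, "RecordState": "ACTIVE", "Workflow": {"Status": "NEW"}},
    {"Id": "f-2", "ProductArn": PRODUCT_ARN, "RecordState": "ACTIVE", "Workflow": {"Status": "NOTIFIED"}},
    {"Id": "f-3", "ProductArn": PRODUCT_ARN, "RecordState": "ARCHIVED", "Workflow": {"Status": "NEW"}},
    {"Id": "f-4", "ProductArn": PRODUCT_ARN, "RecordState": "ACTIVE", "Workflow": {"Status": "RESOLVED"}},
    {"Id": "f-5", "ProductArn": PRODUCT_ARN, "RecordState": "ACTIVE", "Workflow": {"Status": "SUPPRESSED"}},
]

class FakeSecurityHub:
    """Stand-in for the two client calls used above; one hit per page so that
    pagination is exercised.  Copies its input so SAMPLE_FINDINGS stays pristine."""
    def __init__(self, findings: List[Dict[str, Any]]):
        self.findings = [dict(f, Workflow=dict(f["Workflow"])) for f in findings]

    def get_findings(self, Filters, MaxResults=100, NextToken=None):
        hits = [f for f in self.findings if matches(f, Filters)]
        start = int(NextToken or 0)
        resp: Dict[str, Any] = {"Findings": hits[start:start + 1]}
        if start + 1 < len(hits):
            resp["NextToken"] = str(start + 1)
        return resp

    def batch_update_findings(self, FindingIdentifiers, Workflow, Note=None):
        wanted = {(i["Id"], i["ProductArn"]) for i in FindingIdentifiers}
        done = [f for f in self.findings if (f["Id"], f["ProductArn"]) in wanted]
        for f in done:
            f["Workflow"]["Status"] = Workflow["Status"]
        return {"ProcessedFindings": [{"Id": f["Id"], "ProductArn": f["ProductArn"]} for f in done],
                "UnprocessedFindings": []}
```

Running `triage_open_findings(FakeSecurityHub(SAMPLE_FINDINGS))` touches only `f-1` and `f-2`: the archived, resolved and suppressed findings are screened out by the filter before any update is sent.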

# Enabling Security Hub CSPM

There are two ways to enable Amazon Security Hub CSPM: by integrating with Amazon Organizations, or manually.

We strongly recommend integrating with Organizations for multi-account and multi-Region environments. If you have a standalone account, it's necessary to set up Security Hub CSPM manually.

## Verifying necessary permissions

After you sign up for Amazon Web Services (Amazon), you must enable Security Hub CSPM to use its capabilities and features. To enable Security Hub CSPM, you first have to set up permissions that allow you to access the Security Hub CSPM console and API operations. You or your Amazon administrator can do this by using Amazon Identity and Access Management (IAM) to attach the Amazon managed policy called `AWSSecurityHubFullAccess` to your IAM identity.

To enable and manage Security Hub CSPM through the Organizations integration, you also should attach the Amazon managed policy called `AWSSecurityHubOrganizationsAccess`.

For more information, see [Amazon managed policies for Security Hub](security-iam-awsmanpol.md).

## Enabling Security Hub CSPM with Organizations integration

To start using Security Hub CSPM with Amazon Organizations, the Amazon Organizations management account for the organization designates an account as the delegated Security Hub CSPM administrator account for the organization. Security Hub CSPM is automatically enabled in the delegated administrator account in the current Region.

Choose your preferred method, and follow the steps to designate the delegated administrator.

------
#### [ Security Hub CSPM console ]

**To designate the delegated Security Hub CSPM administrator when onboarding**

1. Open the Amazon Security Hub CSPM console at [https://console.amazonaws.cn/securityhub/](https://console.amazonaws.cn/securityhub/).

1. Choose **Go to Security Hub CSPM**. You're prompted to sign in to the Organizations management account.

1. On the **Designate delegated administrator** page, in the **Delegated administrator account** section, specify the delegated administrator account. We recommend choosing the same delegated administrator that you have set for other Amazon security and compliance services.

1. Choose **Set delegated administrator**.

------
#### [ Security Hub CSPM API ]

Invoke the [EnableOrganizationAdminAccount](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_EnableOrganizationAdminAccount.html) API from the Organizations management account. Provide the Amazon Web Services account ID of the Security Hub CSPM delegated administrator account.

------
#### [ Amazon CLI ]

Run the [enable-organization-admin-account](https://docs.amazonaws.cn/cli/latest/reference/securityhub/enable-organization-admin-account.html) command from the Organizations management account. Provide the Amazon Web Services account ID of the Security Hub CSPM delegated administrator account.

**Example command:**

```
aws securityhub enable-organization-admin-account --admin-account-id 777788889999
```

------

For more information about the integration with Organizations, see [Integrating Security Hub CSPM with Amazon Organizations](designate-orgs-admin-account.md).

### Central configuration

When you integrate Security Hub CSPM and Organizations, you have the option to use a feature called [central configuration](central-configuration-intro.md) to set up and manage Security Hub CSPM for your organization. We strongly recommend using central configuration because it lets the administrator customize security coverage for the organization. Where appropriate, the delegated administrator can allow a member account to configure its own security coverage settings.

Central configuration lets the delegated administrator configure Security Hub CSPM across accounts, OUs, and Amazon Web Services Regions. The delegated administrator configures Security Hub CSPM by creating configuration policies. Within a configuration policy, you can specify the following settings:
+ Whether Security Hub CSPM is enabled or disabled
+ Which security standards are enabled and disabled
+ Which security controls are enabled and disabled
+ Whether to customize parameters for select controls

As the delegated administrator, you can create a single configuration policy for your entire organization or different configuration policies for your various accounts and OUs. For example, test accounts and production accounts can use different configuration policies.

Member accounts and OUs that use a configuration policy are *centrally managed* and can be configured only by the delegated administrator. The delegated administrator can designate specific member accounts and OUs as *self-managed* to give the member the ability to configure its own settings on a Region-by-Region basis.

If you don't use central configuration, you must largely configure Security Hub CSPM separately in each account and Region. This is called [local configuration](local-configuration.md). Under local configuration, the delegated administrator can automatically enable Security Hub CSPM and a limited set of security standards in new organization accounts in the current Region. Local configuration doesn't apply to existing organization accounts or to Regions other than the current Region. Local configuration also doesn't support the use of configuration policies.

## Enabling Security Hub CSPM manually

You must enable Security Hub CSPM manually if you have a standalone account, or if you don't integrate with Amazon Organizations. Standalone accounts can't integrate with Amazon Organizations and must use manual enablement.

When you enable Security Hub CSPM manually, you designate a Security Hub CSPM administrator account and invite other accounts to become member accounts. The administrator-member relationship is established when a prospective member account accepts the invitation.

Choose your preferred method, and follow the steps to enable Security Hub CSPM. When you enable Security Hub CSPM from the console, you also have the option to enable the supported security standards.

------
#### [ Security Hub CSPM console ]

1. Open the Amazon Security Hub CSPM console at [https://console.amazonaws.cn/securityhub/](https://console.amazonaws.cn/securityhub/).

1. When you open the Security Hub CSPM console for the first time, choose **Go to Security Hub CSPM**.

1. On the welcome page, the **Security standards** section lists the security standards that Security Hub CSPM supports.

   Select the check box for a standard to enable it, and clear the check box to disable it.

   You can enable or disable a standard or its individual controls at any time. For information about managing security standards, see [Understanding security standards in Security Hub CSPM](standards-view-manage.md).

1. Choose **Enable Security Hub**.

------
#### [ Security Hub CSPM API ]

Invoke the [EnableSecurityHub](https://docs.amazonaws.cn//securityhub/1.0/APIReference/API_EnableSecurityHub.html) API. When you enable Security Hub CSPM from the API, it automatically enables the following default security standards:
+ Amazon Foundational Security Best Practices
+ Center for Internet Security (CIS) Amazon Foundations Benchmark v1.2.0

If you do not want to enable these standards, then set `EnableDefaultStandards` to `false`.

You can also use the `Tags` parameter to assign tag values to the hub resource.

------
#### [ Amazon CLI ]

Run the [enable-security-hub](https://docs.amazonaws.cn/cli/latest/reference/securityhub/enable-security-hub.html) command. To enable the default standards, include `--enable-default-standards`. To not enable the default standards, include `--no-enable-default-standards`. The default security standards are as follows:
+ Amazon Foundational Security Best Practices
+ Center for Internet Security (CIS) Amazon Foundations Benchmark v1.2.0

```
aws securityhub enable-security-hub [--tags <tag values>] [--enable-default-standards | --no-enable-default-standards]
```

**Example**

```
aws securityhub enable-security-hub --enable-default-standards --tags '{"Department": "Security"}'
```

------

### Multi-account enablement script


**Note**  
Instead of this script, we recommend using central configuration to enable and configure Security Hub CSPM across multiple accounts and Regions. 

The [Security Hub CSPM multi-account enablement script in GitHub](https://github.com/awslabs/aws-securityhub-multiaccount-scripts) allows you to enable Security Hub CSPM across accounts and Regions. The script also automates the process of sending invitations to member accounts and enabling Amazon Config.

The script automatically enables Amazon Config resource recording for all resources, including global resources, in all Regions. It does not limit recording of global resources to a single Region. To conserve costs, we recommend recording global resources in a single Region only. If you use central configuration or cross-Region aggregation, this should be your home Region. For more information, see [Recording resources in Amazon Config](securityhub-setup-prereqs.md#config-resource-recording).

There is a corresponding script to disable Security Hub CSPM across accounts and Regions.

## Next steps: Posture management and integrations


After enabling Security Hub CSPM, we recommend enabling security standards and controls to monitor your security posture. After you enable controls, Security Hub CSPM begins running security checks and generating control findings that help you detect misconfigurations in your Amazon environment. To receive control findings, you must enable and configure Amazon Config for Security Hub CSPM. For more information, see [Enabling and configuring Amazon Config for Security Hub CSPM](securityhub-setup-prereqs.md).

After enabling Security Hub CSPM, you can also leverage integrations between Security Hub CSPM and other Amazon Web Services services and third-party solutions to see their findings in Security Hub CSPM. Security Hub CSPM aggregates findings from different sources and ingests them in a consistent format. For more information, see [Understanding integrations in Security Hub CSPM](securityhub-findings-providers.md). 

# Enabling and configuring Amazon Config for Security Hub CSPM
Configuring Amazon Config

Amazon Security Hub CSPM uses Amazon Config rules to run security checks and generate findings for most controls. Amazon Config provides a detailed view of the configuration of Amazon resources in your Amazon Web Services account. It uses rules to establish a baseline configuration for your resources and a configuration recorder to detect whether a particular resource violates the conditions of a rule.

Some rules, referred to as Amazon Config managed rules, are predefined and developed by Amazon Config. Other rules are custom Amazon Config rules that Security Hub CSPM develops. Amazon Config rules that Security Hub CSPM uses for controls are referred to as *service-linked rules*. Service-linked rules allow Amazon Web Services services such as Security Hub CSPM to create Amazon Config rules in your account. 

To receive control findings in Security Hub CSPM, you must enable Amazon Config for your account. You must also turn on resource recording for the types of resources that enabled controls evaluate. Security Hub CSPM can then create the appropriate Amazon Config rules for the controls and begin to run security checks and generate findings for the controls.

**Topics**
+ [Considerations before enabling and configuring Amazon Config](#securityhub-prereq-config)
+ [Recording resources in Amazon Config](#config-resource-recording)
+ [Ways to enable and configure Amazon Config](#config-how-to-enable)
+ [Understanding the Config.1 control](#config-1-overview)
+ [Generating service-linked rules](#securityhub-standards-generate-awsconfigrules)
+ [Cost considerations](#config-cost-considerations)

## Considerations before enabling and configuring Amazon Config


To receive control findings in Security Hub CSPM, Amazon Config must be enabled for your account in each Amazon Web Services Region where Security Hub CSPM is enabled. If you use Security Hub CSPM for a multi-account environment, Amazon Config must be enabled in each Region for the administrator account and all member accounts.

We strongly recommend that you turn on resource recording in Amazon Config *before* you enable any Security Hub CSPM standards and controls. This helps you ensure that your control findings are accurate.

To turn on resource recording in Amazon Config, you must have sufficient permissions to record resources in the Amazon Identity and Access Management (IAM) role that's attached to the configuration recorder. In addition, ensure that no IAM policies or Amazon Organizations policies prevent Amazon Config from having permission to record your resources. Security Hub CSPM controls evaluate resource configurations directly and don’t take Amazon Organizations policies into account. For more information about Amazon Config recording, see [Working with the configuration recorder](https://docs.amazonaws.cn/config/latest/developerguide/stop-start-recorder.html) in the *Amazon Config Developer Guide*.

If you enable a standard in Security Hub CSPM but haven't enabled Amazon Config, Security Hub CSPM tries to create service-linked Amazon Config rules according to the following schedule:
+ On the day that you enable the standard.
+ The day after you enable the standard.
+ 3 days after you enable the standard.
+ 7 days after you enable the standard, and continuously every 7 days thereafter.

If you use central configuration, Security Hub CSPM also tries to create service-linked Amazon Config rules each time you associate a configuration policy that enables one or more standards with accounts, organizational units (OUs), or the root.

## Recording resources in Amazon Config


When you enable Amazon Config, you must specify which Amazon resources you want the Amazon Config configuration recorder to record. Through the service-linked rules, the configuration recorder allows Security Hub CSPM to detect changes to your resource configurations.

For Security Hub CSPM to generate accurate control findings, you must turn on recording in Amazon Config for the types of resources that correspond to your enabled controls. It's primarily enabled controls with a *change triggered* schedule type that require resource recording. Some controls with a *periodic* schedule type also require resource recording. For a list of these controls and their corresponding resources, see [Required Amazon Config resources for control findings](controls-config-resources.md).

**Warning**  
If you don't configure Amazon Config recording correctly for Security Hub CSPM controls, it can result in inaccurate control findings, particularly in the following instances:  
+ You never recorded the resource for a given control, or you disabled recording of a resource before creating that type of resource. In these cases, you receive a `WARNING` finding for the control at issue, even though you might have created resources in scope of the control after you disabled recording. This `WARNING` finding is a default finding that doesn't actually evaluate the configuration state of the resource.
+ You disable recording for a resource that's evaluated by a particular control. In this case, Security Hub CSPM retains the control findings that were generated before you disabled recording, even though the control isn't evaluating new or updated resources. Security Hub CSPM also changes the compliance status of the findings to `WARNING`. These retained findings might not accurately reflect a resource's current configuration state.

By default, Amazon Config records all supported *Regional resources* that it discovers in the Amazon Web Services Region in which it is running. To receive all Security Hub CSPM control findings, you must also configure Amazon Config to record *global resources*. To conserve costs, we recommend recording global resources in a single Region only. If you use central configuration or cross-Region aggregation, this Region should be your home Region.

In Amazon Config, you can choose between *continuous recording* and *daily recording* of changes in resource state. If you choose daily recording, Amazon Config delivers resource configuration data at the end of each 24-hour period if there are changes in resource state. If there are no changes, no data is delivered. This can delay the generation of Security Hub CSPM findings for change-triggered controls until a 24-hour period is complete.

For more information about Amazon Config recording, see [Recording Amazon resources](https://docs.amazonaws.cn/config/latest/developerguide/select-resources.html) in the *Amazon Config Developer Guide*.

## Ways to enable and configure Amazon Config


You can enable Amazon Config and turn on resource recording in any of the following ways:
+ **Amazon Config console** – You can enable Amazon Config for an account by using the Amazon Config console. For instructions, see [Setting up Amazon Config with the console](https://docs.amazonaws.cn/config/latest/developerguide/gs-console.html) in the *Amazon Config Developer Guide*.
+ **Amazon CLI or SDKs** – You can enable Amazon Config for an account by using the Amazon Command Line Interface (Amazon CLI). For instructions, see [Setting up Amazon Config with the Amazon CLI](https://docs.amazonaws.cn/config/latest/developerguide/gs-cli.html) in the *Amazon Config Developer Guide*. Amazon software development kits (SDKs) are also available for many programming languages.
+ **CloudFormation template** – To enable Amazon Config for many accounts, we recommend using the Amazon CloudFormation template named **Enable Amazon Config**. To access this template, see [Amazon CloudFormation StackSet sample templates](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/stacksets-sampletemplates.html) in the *Amazon CloudFormation User Guide*.

  By default, this template excludes recording for IAM global resources. Ensure that you turn on recording for IAM global resources in only one Amazon Web Services Region to conserve recording costs. If you have cross-Region aggregation enabled, this should be your [Security Hub CSPM home Region](finding-aggregation.md). Otherwise, it can be any Region that Security Hub CSPM is available in that supports recording of IAM global resources. We recommend running one StackSet to record all resources, including IAM global resources, in the home Region or other selected Region. Then, run a second StackSet to record all resources except IAM global resources in other Regions.
+ **GitHub script** – Security Hub CSPM offers a [GitHub script](https://github.com/awslabs/aws-securityhub-multiaccount-scripts) that enables Security Hub CSPM and Amazon Config for multiple accounts across Regions. This script is useful if you haven't integrated with Amazon Organizations, or you have some member accounts that aren't part of an organization.

For more information, see the following blog post on the *Amazon Security blog*: [Optimize Amazon Config for Amazon Security Hub CSPM to effectively manage your cloud security posture](https://amazonaws-china.com/blogs/security/optimize-aws-config-for-aws-security-hub-to-effectively-manage-your-cloud-security-posture/).

## Understanding the Config.1 control


In Security Hub CSPM, the [Config.1](config-controls.md#config-1) control generates `FAILED` findings in your account if Amazon Config is disabled. It also generates `FAILED` findings in your account if Amazon Config is enabled but resource recording isn't turned on. 

If Amazon Config is enabled and resource recording is turned on, but resource recording isn't turned on for a type of resource that an enabled control checks, Security Hub CSPM generates a `FAILED` finding for the Config.1 control. In addition to this `FAILED` finding, Security Hub CSPM generates `WARNING` findings for the enabled control and the types of resources that the control checks. For example, if you enable the [KMS.5](kms-controls.md#kms-5) control and resource recording isn't turned on for Amazon KMS keys, Security Hub CSPM generates a `FAILED` finding for the Config.1 control. Security Hub CSPM also generates `WARNING` findings for the KMS.5 control and your KMS keys.

To receive a `PASSED` finding for the Config.1 control, turn on resource recording for all the resource types that correspond to enabled controls. Also disable controls that aren't required for your organization. This helps ensure that you don't have configuration gaps in your security control checks. It also helps ensure that you receive accurate findings about misconfigured resources.

If you're the delegated Security Hub CSPM administrator for an organization, Amazon Config recording must be configured correctly for your account and your member accounts. If you use cross-Region aggregation, Amazon Config recording must be configured correctly in the home Region and all linked Regions. Global resources do not need to be recorded in linked Regions.
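The Config.1 decision logic described above can be reproduced locally to predict which findings a recorder configuration will produce before you enable standards. The following is an added example, not code from the Security Hub CSPM documentation or service: it takes a recording group in the shape returned by `aws configservice describe-configuration-recorders` (`allSupported`, `includeGlobalResourceTypes`, `resourceTypes`, `exclusionByResourceTypes`, `recordingStrategy`) together with the recorder's `recording` flag, and reports the Config.1 status plus the controls that would receive `WARNING` findings. Only the `KMS.5` to `AWS::KMS::Key` mapping is taken from this page; the other control-to-resource entries, the list of global IAM resource types, and the sample recorder values are assumptions constructed for illustration.

```python
"""Predict Config.1 findings for a recorder configuration (added example)."""

from typing import Dict, Iterable, Set

# Illustrative control -> Amazon Config resource type mapping. KMS.5 -> AWS::KMS::Key
# is from the page; IAM.1 and EC2.6 are assumptions. The authoritative list is in
# "Required Amazon Config resources for control findings".
CONTROL_RESOURCE_TYPES: Dict[str, Set[str]] = {
    "KMS.5": {"AWS::KMS::Key"},
    "IAM.1": {"AWS::IAM::Policy"},   # assumption: control over a global IAM resource
    "EC2.6": {"AWS::EC2::VPC"},      # assumption: control over a Regional resource
}

# Assumption: IAM resource types are global and, under the all-supported strategy,
# are recorded only when includeGlobalResourceTypes is true.
GLOBAL_RESOURCE_TYPES: Set[str] = {
    "AWS::IAM::Policy", "AWS::IAM::User", "AWS::IAM::Group", "AWS::IAM::Role",
}


def is_recorded(resource_type: str, recording_group: dict) -> bool:
    """Decide whether the recorder captures one resource type under its strategy."""
    strategy = recording_group.get("recordingStrategy", {}).get("useOnly")
    if strategy is None:  # recorders created before recordingStrategy existed
        if recording_group.get("allSupported"):
            strategy = "ALL_SUPPORTED_RESOURCE_TYPES"
        elif recording_group.get("exclusionByResourceTypes"):
            strategy = "EXCLUSION_BY_RESOURCE_TYPES"
        else:
            strategy = "INCLUSION_BY_RESOURCE_TYPES"

    if strategy == "ALL_SUPPORTED_RESOURCE_TYPES":
        if resource_type in GLOBAL_RESOURCE_TYPES:
            return bool(recording_group.get("includeGlobalResourceTypes"))
        return True
    if strategy == "INCLUSION_BY_RESOURCE_TYPES":
        return resource_type in set(recording_group.get("resourceTypes", []))
    if strategy == "EXCLUSION_BY_RESOURCE_TYPES":
        excluded = recording_group.get("exclusionByResourceTypes", {}).get("resourceTypes", [])
        return resource_type not in set(excluded)
    raise ValueError(f"unknown recording strategy {strategy!r}")


def evaluate_config_1(config_enabled: bool, recording: bool, recording_group: dict,
                      enabled_controls: Iterable[str]) -> dict:
    """Return the Config.1 status and, per control, the unrecorded resource types.

    Mirrors the page: Config disabled -> FAILED; recorder not recording -> FAILED;
    a required type not recorded -> FAILED plus WARNING for the affected control.
    """
    result = {"Config.1": "PASSED", "reason": "", "warnings": {}}
    if not config_enabled:
        result.update({"Config.1": "FAILED", "reason": "Amazon Config is not enabled"})
        return result
    if not recording:
        result.update({"Config.1": "FAILED", "reason": "resource recording is turned off"})
        return result
    for control in enabled_controls:
        missing = sorted(t for t in CONTROL_RESOURCE_TYPES.get(control, set())
                         if not is_recorded(t, recording_group))
        if missing:
            result["Config.1"] = "FAILED"
            result["reason"] = "recording is off for a resource type an enabled control checks"
            result["warnings"][control] = missing
    return result


if __name__ == "__main__":
    # Constructed recorder: all Regional resources, but no global resources.
    regional_only = {"allSupported": True, "includeGlobalResourceTypes": False,
                     "resourceTypes": []}
    print(evaluate_config_1(True, True, regional_only, ["KMS.5", "IAM.1"]))
```

Note that excluding `AWS::Config::ResourceCompliance` under an exclusion strategy does not affect the outcome, because no control's resource types depend on it; only the types in the mapping matter.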

## Generating service-linked rules


For every control that uses a service-linked Amazon Config rule, Security Hub CSPM creates instances of the required rule in your Amazon environment.

These service-linked rules are specific to Security Hub CSPM. Security Hub CSPM creates these service-linked rules even if other instances of the same rules already exist. The service-linked rule adds `securityhub` before the original rule name and a unique identifier after the rule name. For example, for the Amazon Config managed rule `vpc-flow-logs-enabled`, the service-linked rule name might be `securityhub-vpc-flow-logs-enabled-12345`.

There are quotas for the number of Amazon Config managed rules that can be used to evaluate controls. Amazon Config rules that Security Hub CSPM creates don't count towards those quotas. You can enable a security standard even if you've already reached the Amazon Config quota for managed rules in your account. To learn more about quotas for Amazon Config rules, see [Service limits for Amazon Config](https://docs.amazonaws.cn/config/latest/developerguide/configlimits.html) in the *Amazon Config Developer Guide*.

## Cost considerations


Security Hub CSPM can impact your Amazon Config configuration recorder costs by updating the `AWS::Config::ResourceCompliance` configuration item. Updates can occur each time a Security Hub CSPM control associated with an Amazon Config rule changes compliance state, is enabled or disabled, or has parameter updates. If you use the Amazon Config configuration recorder only for Security Hub CSPM, and don't use this configuration item for other purposes, we recommend turning off recording for it in Amazon Config. This can reduce your Amazon Config costs. You don't need to record `AWS::Config::ResourceCompliance` for security checks to work in Security Hub CSPM.

For information about the costs associated with resource recording, see [Amazon Security Hub CSPM pricing](https://www.amazonaws.cn/security-hub/pricing/) and [Amazon Config pricing](https://www.amazonaws.cn/config/pricing/).

# Understanding local configuration in Security Hub CSPM
Local configuration

Local configuration is the default way that an Amazon organization is configured in Security Hub CSPM. If you don't opt in to and enable central configuration, your organization uses local configuration by default.

Under local configuration, the delegated Security Hub CSPM administrator account has limited control over configuration settings. The only settings that the delegated administrator can enforce are automatically enabling Security Hub CSPM and default security standards in new organization accounts. These settings apply only in the Region in which you designated the delegated administrator account. The default security standards are Amazon Foundational Security Best Practices (FSBP) and Center for Internet Security (CIS) Amazon Foundations Benchmark v1.2.0. Local configuration settings don't apply to existing organization accounts or to Regions other than the one in which the delegated administrator account was designated.

Aside from enabling Security Hub CSPM and default standards in new organization accounts in a single Region, you must configure other Security Hub CSPM settings, including standards and controls, separately in each Region and account. Because this can be a duplicative process, we recommend using central configuration for a multi-account environment if one or more of the following applies to you:
+ You want different configuration settings for various parts of your organization (for example, different enabled standards or controls for different teams).
+ You operate in multiple Regions and want to reduce the time and complexity of configuring the service across these Regions.
+ You want new accounts to use specific configuration settings when they join the organization.
+ You want organization accounts to inherit specific configuration settings from a parent account or root.

For information about central configuration, see [Understanding central configuration in Security Hub CSPM](central-configuration-intro.md).

# Understanding central configuration in Security Hub CSPM
Central configuration

Central configuration is an Amazon Security Hub CSPM feature that helps you set up and manage Security Hub CSPM across multiple Amazon Web Services accounts and Amazon Web Services Regions. To use central configuration, you must first integrate Security Hub CSPM and Amazon Organizations. You can integrate the services by creating an organization and designating a delegated Security Hub CSPM administrator account for the organization.

From the delegated Security Hub CSPM administrator account, you can enable Security Hub CSPM for your organization’s accounts and organizational units (OUs) across Regions. You can also enable, configure, and disable individual security standards and security controls for accounts and OUs across Regions. You can configure these settings in just a few steps from one primary Region, referred to as the *home Region*.

When you use central configuration, the delegated administrator can choose which accounts and OUs to configure. If the delegated administrator designates a member account or OU as *self-managed*, the member can configure its own settings separately in each Region. If the delegated administrator designates a member account or OU as *centrally managed*, only the delegated administrator can configure the member account or OU across Regions. You can designate all accounts and OUs in your organization as centrally managed, all self-managed, or a combination of both.

To configure centrally managed accounts, the delegated administrator uses Security Hub CSPM configuration policies. Configuration policies let the delegated administrator specify whether Security Hub CSPM is enabled or disabled, and which standards and controls are enabled or disabled. They can also be used to customize parameters for certain controls.

Configuration policies take effect in the home Region and all linked Regions. The delegated administrator specifies the organization's home Region and linked Regions before starting to use central configuration. Specifying linked Regions is optional. The delegated administrator can create a single configuration policy for the whole organization, or create multiple configuration policies to configure variable settings for different accounts and OUs.

**Tip**  
If you don't use central configuration, you must largely configure Security Hub CSPM separately in each account and Region. This is called *local configuration*. Under local configuration, the delegated administrator can automatically enable Security Hub CSPM and a limited set of security standards in new organization accounts in the current Region. Local configuration doesn't apply to existing organization accounts or to Regions other than the current Region. Local configuration also doesn't support the use of configuration policies.

This section provides an overview of central configuration.

## Benefits of using central configuration


Benefits of central configuration include the following:

**Simplify configuration of the Security Hub CSPM service and capabilities**  
When you use central configuration, Security Hub CSPM guides you through the process of configuring security best practices for your organization. It also deploys the resulting configuration policies to specified accounts and OUs automatically. If you have existing Security Hub CSPM settings, such as automatically enabling new security controls, you can use those as a starting point for your configuration policies. In addition, the **Configuration** page on the Security Hub CSPM console displays a real-time summary of your configuration policies and which accounts and OUs use each policy.

**Configure across accounts and Regions**  
You can use central configuration to configure Security Hub CSPM across multiple accounts and Regions. This helps ensure that each part of your organization maintains a consistent configuration and adequate security coverage.

**Accommodate different configurations in different accounts and OUs**  
With central configuration, you can choose to configure your organization's accounts and OUs in different ways. For example, your test accounts and production accounts might require different configurations. You can also create a configuration policy that covers new accounts when they join the organization.

**Prevent configuration drift**  
Configuration drift occurs when a user makes a change to a service or feature that conflicts with the delegated administrator's selections. Central configuration prevents this drift. When you designate an account or OU as centrally managed, it's configurable only by the delegated administrator for the organization. If you prefer a specific account or OU to configure its own settings, you can designate it as self-managed.

## When to use central configuration?


Central configuration is most beneficial for Amazon environments that include multiple Security Hub CSPM accounts. It's designed to help you centrally manage Security Hub CSPM for multiple accounts.

You can use central configuration to configure the Security Hub CSPM service, security standards, and security controls. You can also use it to customize parameters of certain controls. For more information about security standards, see [Understanding security standards in Security Hub CSPM](standards-view-manage.md). For more information about security controls, see [Understanding security controls in Security Hub CSPM](controls-view-manage.md).

## Central configuration terms and concepts


Understanding the following key terms and concepts can help you use Security Hub CSPM central configuration.

**Central configuration**  
A Security Hub CSPM feature that helps the delegated Security Hub CSPM administrator account for an organization configure the Security Hub CSPM service, security standards, and security controls across multiple accounts and Regions. To configure these settings, the delegated administrator creates and manages Security Hub CSPM configuration policies for centrally managed accounts in their organization. Self-managed accounts can configure their own settings separately in each Region. To use central configuration, you must integrate Security Hub CSPM and Amazon Organizations.

**Home Region**  
The Amazon Web Services Region from which the delegated administrator centrally configures Security Hub CSPM, by creating and managing configuration policies. Configuration policies take effect in the home Region and all linked Regions.  
The home Region also serves as the Security Hub CSPM aggregation Region, receiving findings, insights, and other data from linked Regions.  
Regions that Amazon introduced on or after March 20, 2019 are known as opt-in Regions. An opt-in Region can't be the home Region, but it can be a linked Region. For a list of opt-in Regions, see [Considerations before enabling and disabling Regions](https://docs.amazonaws.cn/accounts/latest/reference/manage-acct-regions.html#manage-acct-regions-considerations) in the *Amazon Account Management Reference Guide*.

**Linked Region**  
An Amazon Web Services Region that is configurable from the home Region. Configuration policies are created by the delegated administrator in the home Region. The policies take effect in the home Region and all linked Regions. Specifying linked Regions is optional.  
A linked Region also sends findings, insights, and other data to the home Region.  
Regions that Amazon introduced on or after March 20, 2019 are known as opt-in Regions. You must enable such a Region for an account before a configuration policy can be applied to it. The Organizations management account can enable opt-in Regions for a member account. For more information, see [Specify which Amazon Web Services Regions your account can use](https://docs.amazonaws.cn/accounts/latest/reference/manage-acct-regions.html#rande-manage-enable) in the *Amazon Account Management Reference Guide*.

**Target**  
An Amazon Web Services account, organizational unit (OU), or the organization root.

**Security Hub CSPM configuration policy**  
A collection of Security Hub CSPM settings that the delegated administrator can configure for centrally managed targets. This includes:  
+ Whether to enable or disable Security Hub CSPM.
+ Whether to enable one or more [security standards](standards-reference.md).
+ Which [security controls](securityhub-controls-reference.md) to enable across the enabled standards. The delegated administrator can do this by providing a list of specific controls that should be enabled, and Security Hub CSPM disables all other controls (including new controls when they are released). Alternatively, the delegated administrator can provide a list of specific controls that should be disabled, and Security Hub CSPM enables all other controls (including new controls when they are released).
+ Optionally, [customize parameters](custom-control-parameters.md) for select enabled controls across the enabled standards.
A configuration policy takes effect in the home Region and all linked Regions after it's associated with at least one account, organizational unit (OU), or the root.  
On the Security Hub CSPM console, the delegated administrator can choose the Security Hub CSPM recommended configuration policy or create custom configuration policies. With the Security Hub CSPM API and Amazon CLI, the delegated administrator can only create custom configuration policies. The delegated administrator can create a maximum of 20 custom configuration policies.  
In the recommended configuration policy, Security Hub CSPM, the Amazon Foundational Security Best Practices (FSBP) standard, and all existing and new FSBP controls are enabled. Controls that accept parameters use the default values. The recommended configuration policy applies to the entire organization.  
To apply different settings to the organization, or apply different configuration policies to different accounts and OUs, create a custom configuration policy.
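The following is an added example (not code from the Security Hub CSPM documentation) that builds a configuration policy document in the structure the `CreateConfigurationPolicy` API accepts and resolves what the policy means for any given control, including controls released after the policy was written. It encodes the rule stated above: an enabled-controls list switches every other control off, a disabled-controls list switches every other control on, and a policy that disables the service carries no standards or controls. The FSBP standard ARN, the `ACM.1`/`daysToExpiration` custom parameter, the OU identifier and the `boto3` client passed to `create_and_associate` are assumptions used for illustration; the policy and association calls are the central configuration operations listed further down this page.

```python
"""Build and interpret a Security Hub CSPM configuration policy (added example)."""

from typing import Dict, Iterable, List, Optional

# Assumption: FSBP standard ARN in the China partition, shown for illustration.
FSBP_STANDARD_ARN = (
    "arn:aws-cn:securityhub:::standards/aws-foundational-security-best-practices/v/1.0.0"
)


def build_configuration_policy(service_enabled: bool,
                               standards: Iterable[str] = (),
                               enabled_controls: Optional[List[str]] = None,
                               disabled_controls: Optional[List[str]] = None,
                               custom_parameters: Optional[Dict[str, dict]] = None) -> dict:
    """Return the ConfigurationPolicy structure for CreateConfigurationPolicy.

    Exactly one of enabled_controls / disabled_controls may be given: the two lists
    express opposite defaults for every control the policy does not name.
    """
    if not service_enabled:
        # Disabling Security Hub CSPM leaves nothing else to configure.
        return {"SecurityHub": {"ServiceEnabled": False}}
    if (enabled_controls is None) == (disabled_controls is None):
        raise ValueError("specify exactly one of enabled_controls or disabled_controls")

    controls: dict = {}
    if enabled_controls is not None:
        controls["EnabledSecurityControlIdentifiers"] = list(enabled_controls)
    else:
        controls["DisabledSecurityControlIdentifiers"] = list(disabled_controls)
    if custom_parameters:
        # custom_parameters maps a control ID to its Parameters map, e.g.
        # {"daysToExpiration": {"ValueType": "CUSTOM", "Value": {"Integer": 15}}}
        controls["SecurityControlCustomParameters"] = [
            {"SecurityControlId": control_id, "Parameters": params}
            for control_id, params in custom_parameters.items()
        ]
    return {"SecurityHub": {
        "ServiceEnabled": True,
        "EnabledStandardIdentifiers": list(standards),
        "SecurityControlsConfiguration": controls,
    }}


def control_enabled(policy: dict, control_id: str) -> bool:
    """Resolve a control's state under the policy, new controls included."""
    hub = policy["SecurityHub"]
    if not hub.get("ServiceEnabled"):
        return False
    cfg = hub.get("SecurityControlsConfiguration", {})
    if "EnabledSecurityControlIdentifiers" in cfg:
        return control_id in cfg["EnabledSecurityControlIdentifiers"]
    return control_id not in cfg.get("DisabledSecurityControlIdentifiers", [])


def create_and_associate(client, name: str, policy: dict, target: dict) -> str:
    """Create the policy from the home Region and apply it to one target.

    `client` is a boto3 securityhub client for the delegated administrator in the
    home Region; `target` is {"AccountId": ...}, {"OrganizationalUnitId": ...} or
    {"RootId": ...}. Returns the new policy's ARN.
    """
    created = client.create_configuration_policy(Name=name, ConfigurationPolicy=policy)
    client.start_configuration_policy_association(
        ConfigurationPolicyIdentifier=created["Arn"], Target=target)
    return created["Arn"]


def recommended_policy() -> dict:
    """The recommended policy as the page describes it: FSBP on, all FSBP controls on."""
    return build_configuration_policy(True, [FSBP_STANDARD_ARN], disabled_controls=[])


if __name__ == "__main__":
    # Assumption: ACM.1 accepts a daysToExpiration parameter; shown for illustration.
    custom = build_configuration_policy(
        True, [FSBP_STANDARD_ARN], disabled_controls=["KMS.5"],
        custom_parameters={"ACM.1": {"daysToExpiration": {"ValueType": "CUSTOM",
                                                         "Value": {"Integer": 15}}}})
    print(custom)
    print("KMS.5 enabled:", control_enabled(custom, "KMS.5"))
```

With the `DisabledSecurityControlIdentifiers` form, a control that Security Hub CSPM releases next month is enabled automatically; with the `EnabledSecurityControlIdentifiers` form it stays disabled until the policy is updated, which is the trade-off the page describes.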

**Local configuration**  
The default configuration type for an organization, after integrating Security Hub CSPM and Amazon Organizations. With local configuration, the delegated administrator can choose to automatically enable Security Hub CSPM and [default security standards](securityhub-auto-enabled-standards.md) in *new* organization accounts in the current Region. If the delegated administrator automatically enables default standards, all controls that are part of these standards are also automatically enabled with default parameters for new organization accounts. These settings don't apply to existing accounts, so configuration drift is possible after an account joins the organization. Disabling specific controls that are part of the default standards, and configuring additional standards and controls, must be done separately in each account and Region.  
Local configuration doesn't support the use of configuration policies. To use configuration policies, you must switch to central configuration.

**Manual account management**  
If you don't integrate Security Hub CSPM with Amazon Organizations or you have a standalone account, you must specify settings for each account separately in each Region. Manual account management doesn't support the use of configuration policies.

**Central configuration APIs**  
Security Hub CSPM operations that only the delegated Security Hub CSPM administrator can use in the home Region to manage configuration policies for centrally managed accounts. The operations include:  
+ `CreateConfigurationPolicy`
+ `DeleteConfigurationPolicy`
+ `GetConfigurationPolicy`
+ `ListConfigurationPolicies`
+ `UpdateConfigurationPolicy`
+ `StartConfigurationPolicyAssociation`
+ `StartConfigurationPolicyDisassociation`
+ `GetConfigurationPolicyAssociation`
+ `BatchGetConfigurationPolicyAssociations`
+ `ListConfigurationPolicyAssociations`

**Account-specific APIs**  
Security Hub CSPM operations that can be used to enable or disable Security Hub CSPM, standards, and controls on an account-by-account basis. These operations are used in each individual Region.  
Self-managed accounts can use account-specific operations to configure their own settings. Centrally managed accounts can't use the following account-specific operations in the home Region and linked Regions. In those Regions, only the delegated administrator can configure centrally managed accounts through central configuration operations and configuration policies.  
+ `BatchDisableStandards`
+ `BatchEnableStandards`
+ `BatchUpdateStandardsControlAssociations`
+ `DisableSecurityHub`
+ `EnableSecurityHub`
+ `UpdateStandardsControl`
To check account status, the owner of a centrally managed account *can* use any `Get` or `Describe` operations of the Security Hub CSPM API.  
If you use local configuration or manual account management, instead of central configuration, these account-specific operations can be used.  
Self-managed accounts can also use `*Invitations` and `*Members` operations. However, we recommend that self-managed accounts don't use these operations. Policy associations can fail if a member account has its own members that are part of a different organization than the delegated administrator's.

**Organizational unit (OU)**  
In Amazon Organizations and Security Hub CSPM, a container for a group of Amazon Web Services accounts. An organizational unit (OU) also can contain other OUs, enabling you to create a hierarchy that resembles an upside-down tree, with a parent OU at the top and branches of OUs that reach down, ending in accounts that are the leaves of the tree. An OU can have exactly one parent, and each organization account can be a member of exactly one OU.  
You can manage OUs in Amazon Organizations or Amazon Control Tower. For more information, see [Managing organizational units](https://docs.amazonaws.cn/organizations/latest/userguide/orgs_manage_ous.html) in the *Amazon Organizations User Guide* or [Govern organizations and accounts with Amazon Control Tower](https://docs.amazonaws.cn/controltower/latest/userguide/existing-orgs.html) in the *Amazon Control Tower User Guide*.  
The delegated administrator can associate configuration policies with specific accounts or OUs, or with the root to cover all accounts and OUs in an organization.

**Centrally managed**  
A target that only the delegated administrator can configure across Regions by using configuration policies.  
The delegated administrator account specifies whether a target is centrally managed. The delegated administrator can also change a target's status from centrally managed to self-managed, or the other way around.

**Self-managed**  
A target that manages its own Security Hub CSPM settings. A self-managed target uses account-specific operations to configure Security Hub CSPM for itself separately in each Region. This is in contrast to centrally managed targets, which are configurable only by the delegated administrator across Regions through configuration policies.  
The delegated administrator account specifies whether a target is self-managed. The delegated administrator can apply self-managed behavior to a target. Alternatively, an account or OU can inherit self-managed behavior from a parent.  
The delegated administrator account can itself be a self-managed account. The delegated administrator account can change a target's status from self-managed to centrally managed, or the other way around.  


**Configuration policy association**  
A link between a configuration policy and an account, organizational unit (OU), or root. When a policy association exists, the account, OU, or root uses the settings defined by the configuration policy. An association exists in either of these cases:  
+ When the delegated administrator directly applies a configuration policy to an account, OU, or root
+ When an account or OU inherits a configuration policy from a parent OU or the root
An association exists until a different configuration is applied or inherited.

**Applied configuration policy**  
A type of configuration policy association in which the delegated administrator directly applies a configuration policy to target accounts, OUs, or the root. Targets are configured in the way that the configuration policy defines, and only the delegated administrator can change their configuration. If applied to root, the configuration policy affects all accounts and OUs in the organization that don't use a different configuration through application or inheritance from the closest parent.  
The delegated administrator can also apply a self-managed configuration to specific accounts, OUs, or the root.

**Inherited configuration policy**  
A type of configuration policy association in which an account or OU adopts the configuration of the closest parent OU or the root. If a configuration policy isn't directly applied to an account or OU, it inherits the configuration of the closest parent. All elements of a policy are inherited. In other words, an account or OU can't choose to selectively inherit only parts of a policy. If the closest parent is self-managed, the child account or OU inherits the self-managed behavior of the parent.   
Inheritance can't override an applied configuration. That is, if a configuration policy or self-managed configuration is directly applied to an account or OU, it uses that configuration and doesn't inherit the configuration of the parent.

**Root**  
In Amazon Organizations and Security Hub CSPM, the top-level parent node in an organization. If the delegated administrator applies a configuration policy to root, the policy is associated with all accounts and OUs in the organization unless they use a different policy, through application or inheritance, or are designated as self-managed. If the administrator designates the root as self-managed, all accounts and OUs in the organization are self-managed unless they use a configuration policy through application or inheritance. If the root is self-managed and no configuration policies currently exist, all new accounts in the organization retain their current settings.  
New accounts that join an organization fall under the root until they are assigned to a specific OU. If a new account isn't assigned to an OU, it inherits the root configuration unless the delegated administrator designates it as a self-managed account.
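
The application and inheritance rules in these definitions are easy to get wrong when an OU carries no association of its own, or when a self-managed OU sits under a root that has a policy applied. The following Python is an added example, not Security Hub CSPM code and not a call to the API: it resolves the effective configuration of every node in a constructed organization tree by walking toward the root and stopping at the first direct association, which is exactly the "closest parent" rule above. The OU, account and policy identifiers are made up, and the `no association` outcome models an organization that has just opted in and keeps its existing settings.

```python
from dataclasses import dataclass, field
from typing import Optional

SELF_MANAGED = "SELF_MANAGED_SECURITY_HUB"  # identifier the API uses for a self-managed target


@dataclass
class Node:
    """An account, OU or root in the organization tree."""
    node_id: str
    parent: Optional["Node"] = None
    children: list = field(default_factory=list)


def build_tree(edges):
    """Build the tree from (parent_id, child_id) pairs; the root is the node with no parent."""
    nodes = {}
    for parent_id, child_id in edges:
        parent = nodes.setdefault(parent_id, Node(parent_id))
        child = nodes.setdefault(child_id, Node(child_id))
        child.parent = parent
        parent.children.append(child)
    return nodes


def effective_configuration(node, applied):
    """Return (identifier, source) for one node.

    applied maps node_id -> configuration policy ID or SELF_MANAGED for the
    associations the delegated administrator applied directly. A direct
    association always wins; otherwise the closest ancestor that has one is
    inherited, which covers policies and self-managed behaviour alike. If no
    ancestor has an association, the node keeps whatever settings it had.
    """
    current = node
    while current is not None:
        if current.node_id in applied:
            if current is node:
                return applied[current.node_id], "applied"
            return applied[current.node_id], f"inherited from {current.node_id}"
        current = current.parent
    return None, "no association"


def resolve_all(nodes, applied):
    """Effective configuration for every node in the tree."""
    return {node_id: effective_configuration(node, applied) for node_id, node in nodes.items()}


def centrally_managed_accounts(nodes, applied):
    """Accounts (leaf nodes) whose effective configuration is a policy,
    i.e. accounts that only the delegated administrator can change."""
    return sorted(
        node_id for node_id, node in nodes.items()
        if not node.children
        and effective_configuration(node, applied)[0] not in (None, SELF_MANAGED)
    )


# Constructed organization: root -> two OUs, plus one account directly under the root.
EDGES = [
    ("r-abcd", "ou-prod"),
    ("r-abcd", "ou-sandbox"),
    ("r-abcd", "444444444444"),   # new account not yet moved into an OU
    ("ou-prod", "111111111111"),
    ("ou-prod", "222222222222"),
    ("ou-sandbox", "333333333333"),
]

# Direct associations made by the delegated administrator (policy IDs are made up).
APPLIED = {
    "r-abcd": "policy-baseline",        # applied to the root: the organization default
    "ou-sandbox": SELF_MANAGED,         # sandbox accounts configure themselves
    "222222222222": "policy-strict",    # one prod account gets a tighter policy
}

if __name__ == "__main__":
    for node_id, (identifier, source) in resolve_all(build_tree(EDGES), APPLIED).items():
        print(f"{node_id:>14}: {identifier} ({source})")
    print("centrally managed:", centrally_managed_accounts(build_tree(EDGES), APPLIED))
```

Note that `ou-prod` has no association of its own, so its accounts inherit the root policy through it, and that `333333333333` becomes self-managed without the administrator ever touching the account. To bring the sandbox back under central control, replace the `ou-sandbox` entry (or add one for the account) with a policy identifier; as the definitions state, a self-managed node does not inherit a policy from the root until its own association is changed.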

# Enabling central configuration in Security Hub CSPM

The delegated Amazon Security Hub CSPM administrator account can use central configuration to configure Security Hub CSPM, standards, and controls for multiple accounts and organizational units (OUs) across Amazon Web Services Regions.

For background information about the benefits of central configuration and how it works, see [Understanding central configuration in Security Hub CSPM](central-configuration-intro.md).

This section explains prerequisites for central configuration and how to begin using it.

## Prerequisites for central configuration


Before you can start using central configuration, you must integrate Security Hub CSPM with Amazon Organizations and designate a home Region. If you use the Security Hub CSPM console, these prerequisites are included in the opt-in workflow for central configuration.

### Integrate with Organizations


You must integrate Security Hub CSPM and Organizations to use central configuration.

To integrate these services, you begin by creating an organization in Organizations. From the Organizations management account, you then designate a Security Hub CSPM delegated administrator account. For instructions, see [Integrating Security Hub CSPM with Amazon Organizations](designate-orgs-admin-account.md).

Ensure that you designate your delegated administrator in your **intended home Region**. When you start using central configuration, the same delegated administrator is automatically set in all linked Regions as well. The Organizations management account *cannot* be set as the delegated administrator account.

**Important**  
When you use central configuration, you can't use the Security Hub CSPM console or Security Hub CSPM APIs to change or remove the delegated administrator account. If the Organizations management account uses Amazon Organizations APIs to change or remove the Security Hub CSPM delegated administrator, Security Hub CSPM automatically stops central configuration. Your configuration policies are also disassociated and deleted. Member accounts retain the configuration that they had before the delegated administrator was changed or removed.

### Designate a home Region


You must designate a home Region to use central configuration. The home Region is the Region from which the delegated administrator configures the organization.

**Note**  
The home Region cannot be a Region that Amazon has designated as an opt-in Region. An opt-in Region is disabled by default. For a list of opt-in Regions, see [Considerations before enabling and disabling Regions](https://docs.amazonaws.cn/accounts/latest/reference/manage-acct-regions.html#manage-acct-regions-considerations) in the *Amazon Account Management Reference Guide*.

Optionally, you can specify one or more linked Regions that are configurable from the home Region.

The delegated administrator can create and manage configuration policies only from the home Region. Configuration policies take effect in the home Region and all linked Regions. You can't create a configuration policy that applies only to a subset of these Regions, and not others. The exception to this is controls that involve global resources. If you use central configuration, Security Hub CSPM automatically disables controls that involve global resources in all Regions except the home Region. For more information, see [Controls that use global resources](controls-to-disable.md#controls-to-disable-global-resources).

The home Region is also your Security Hub CSPM aggregation Region that receives findings, insights, and other data from linked Regions.

If you have already set an aggregation Region for cross-Region aggregation, then that's your default home Region for central configuration. You can change the home Region before you start to use central configuration by deleting your current finding aggregator and creating a new one in your desired home Region. A finding aggregator is a Security Hub CSPM resource that specifies the home Region and linked Regions.

To designate a home Region, see [the steps for setting an aggregation Region](finding-aggregation-enable.md). If you already have a home Region, you can invoke the [GetFindingAggregator](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_GetFindingAggregator.html) API to see details about it, including which Regions are currently linked to it.

## Instructions for enabling central configuration


Choose your preferred method, and follow the steps to enable central configuration for your organization.

------
#### [ Security Hub CSPM console ]

**To enable central configuration (console)**

1. Open the Amazon Security Hub CSPM console at [https://console.amazonaws.cn/securityhub/](https://console.amazonaws.cn/securityhub/).

1. On the navigation pane, choose **Settings** and **Configuration**. Then, choose **Start central configuration**.

   If you're onboarding to Security Hub CSPM, choose **Go to Security Hub CSPM**.

1. On the **Designate delegated administrator** page, select your delegated administrator account or enter its account ID. If applicable, we recommend choosing the same delegated administrator that you have set for other Amazon security and compliance services. Choose **Set delegated administrator**.

1. On the **Centralize organization** page, in the **Regions** section, select your home Region. You must be signed in to the home Region to proceed. If you've already set an aggregation Region for cross-Region aggregation, it's displayed as the home Region. To change the home Region, choose **Edit Region settings**. You can then select your preferred home Region and return to this workflow.

1. Select at least one Region to link to the home Region. Optionally, choose whether you want to automatically link future supported Regions to the home Region. The Regions you select here will be configurable from the home Region by the delegated administrator. Configuration policies take effect in your home Region and all linked Regions.

1. Choose **Confirm and continue**.

1. You can now use central configuration. Continue following the console prompts to create your first configuration policy. If you're not ready to create a configuration policy yet, choose **I'm not ready to configure yet**. You can create a policy later by choosing **Settings** and **Configuration** in the navigation pane. For instructions on creating a configuration policy, see [Creating and associating configuration policies](create-associate-policy.md).

------
#### [ Security Hub CSPM API ]

**To enable central configuration (API)**

1. Using the credentials of the delegated administrator account, invoke the [UpdateOrganizationConfiguration](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_UpdateOrganizationConfiguration.html) API from the home Region.

1. Set the `AutoEnable` field to `false`.

1. Set the `ConfigurationType` field in the `OrganizationConfiguration` object to `CENTRAL`. This action has the following impact:
   + Designates the calling account as the Security Hub CSPM delegated administrator in all linked Regions.
   + Enables Security Hub CSPM in the delegated administrator account in all linked Regions.
   + Designates the calling account as the Security Hub CSPM delegated administrator for new and existing accounts that use Security Hub CSPM and belong to the organization. This occurs in the home Region and all linked Regions. The calling account is set as the delegated administrator for new organization accounts only if they are associated with a configuration policy that has Security Hub CSPM enabled. The calling account is set as the delegated administrator for existing organization accounts only if they already have Security Hub CSPM enabled.
   + Sets [`AutoEnable`](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_UpdateOrganizationConfiguration.html#securityhub-UpdateOrganizationConfiguration-request-AutoEnable) to `false` in all linked Regions, and sets [`AutoEnableStandards`](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_UpdateOrganizationConfiguration.html#securityhub-UpdateOrganizationConfiguration-request-AutoEnableStandards) to `NONE` in the home Region and all linked Regions. These parameters aren't relevant in the home and linked Regions when you use central configuration, but you can automatically enable Security Hub CSPM and default security standards in organization accounts through the use of configuration policies.

1. You can now use central configuration. The delegated administrator can create configuration policies to configure Security Hub CSPM in your organization. For instructions on creating a configuration policy, see [Creating and associating configuration policies](create-associate-policy.md).

**Example API request:**

```
{
    "AutoEnable": false,
    "OrganizationConfiguration": {
        "ConfigurationType": "CENTRAL"
    }
}
```

------
#### [ Amazon CLI ]

**To enable central configuration (Amazon CLI)**

1. Using the credentials of the delegated administrator account, run the [update-organization-configuration](https://docs.amazonaws.cn/cli/latest/reference/securityhub/update-organization-configuration.html) command from the home Region.

1. Include the `no-auto-enable` parameter.

1. Set the `ConfigurationType` field in the `organization-configuration` object to `CENTRAL`. This action has the following impact:
   + Designates the calling account as the Security Hub CSPM delegated administrator in all linked Regions.
   + Enables Security Hub CSPM in the delegated administrator account in all linked Regions.
   + Designates the calling account as the Security Hub CSPM delegated administrator for new and existing accounts that use Security Hub CSPM and belong to the organization. This occurs in the home Region and all linked Regions. The calling account is set as the delegated administrator for new organization accounts only if they are associated with a configuration policy that has Security Hub CSPM enabled. The calling account is set as the delegated administrator for existing organization accounts only if they already have Security Hub CSPM enabled.
   + Sets the auto-enablement option to [`--no-auto-enable`](https://docs.amazonaws.cn/cli/latest/reference/securityhub/update-organization-configuration.html#options) in all linked Regions, and sets [`--auto-enable-standards`](https://docs.amazonaws.cn/cli/latest/reference/securityhub/update-organization-configuration.html#options) to `NONE` in the home Region and all linked Regions. These parameters aren't relevant in the home and linked Regions when you use central configuration, but you can automatically enable Security Hub CSPM and default security standards in organization accounts through the use of configuration policies.

1. You can now use central configuration. The delegated administrator can create configuration policies to configure Security Hub CSPM in your organization. For instructions on creating a configuration policy, see [Creating and associating configuration policies](create-associate-policy.md).

**Example command:**

```
aws securityhub --region us-east-1 update-organization-configuration \
--no-auto-enable \
--organization-configuration '{"ConfigurationType": "CENTRAL"}'
```

------

# Centrally managed versus self-managed targets

When you enable central configuration, the delegated Amazon Security Hub CSPM administrator can designate each organization account, organizational unit (OU), and the root as *centrally managed* or *self-managed*. The management type of a target determines how you can specify its Security Hub CSPM settings.

For background information about the benefits of central configuration and how it works, see [Understanding central configuration in Security Hub CSPM](central-configuration-intro.md).

This section explains the differences between a centrally managed and self-managed designation and how to choose the management type of an account, OU, or the root.

**Self-managed**  
The owner of a self-managed account, OU, or root must configure its settings separately in each Amazon Web Services Region. The delegated administrator can't create configuration policies for self-managed targets.

**Centrally managed**  
Only the delegated Security Hub CSPM administrator can configure settings for centrally managed accounts, OUs, or the root across the home Region and linked Regions. Configuration policies can be associated with centrally managed accounts and OUs.

The delegated administrator can switch the status of a target between self-managed and centrally managed. By default, all accounts and OUs are self-managed when you start central configuration through the Security Hub CSPM API. In the console, the management type depends on your first configuration policy. Accounts and OUs that you associate with your first policy are centrally managed. Other accounts and OUs are self-managed by default.

If you associate a configuration policy with a previously self-managed account, the policy settings override the self-managed designation. The account becomes centrally managed and adopts the settings reflected in the configuration policy.

If you change a centrally managed account to a self-managed account, the settings that were previously applied to the account through a configuration policy remain in place. For example, a centrally managed account could initially be associated with a policy that enabled Security Hub CSPM, enabled Amazon Foundational Security Best Practices, and disabled the `CloudTrail.1` control. If you then designate the account as self-managed, all of the settings remain unchanged. However, the account owner can independently change the settings for the account going forward.

Child accounts and OUs can inherit self-managed behavior from a self-managed parent, in the same way that child accounts and OUs can inherit configuration policies from a centrally managed parent. For more information, see [Policy association through application and inheritance](configuration-policies-overview.md#policy-association).

A self-managed account or OU can't inherit a configuration policy from a parent node or from the root. For example, if you want all accounts and OUs in your organization to inherit a configuration policy from the root, you must change the management type of self-managed nodes to centrally managed.

## Options to configure settings in self-managed accounts


Self-managed accounts must configure their own settings separately in each Region.

Owners of self-managed accounts can invoke the following operations of the Security Hub CSPM API in each Region to configure their settings:
+ `EnableSecurityHub` and `DisableSecurityHub` to enable or disable the Security Hub CSPM service (if a self-managed account has a delegated Security Hub CSPM administrator, the administrator must [disassociate the account](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_DisassociateMembers.html) before the account owner can disable Security Hub CSPM).
+ `BatchEnableStandards` and `BatchDisableStandards` to enable or disable standards
+ `BatchUpdateStandardsControlAssociations` or `UpdateStandardsControl` to enable or disable controls

Self-managed accounts can also use `*Invitations` and `*Members` operations. However, we recommend that self-managed accounts don't use these operations. Policy associations can fail if a member account has its own members that are part of a different organization than the delegated administrator's.

For descriptions of Security Hub CSPM API actions, see the [*Security Hub CSPM API Reference*](https://docs.amazonaws.cn/securityhub/1.0/APIReference/Welcome.html).

Self-managed accounts can also use the Security Hub CSPM console or Amazon CLI to configure their settings in each Region.

Self-managed accounts can't invoke any APIs related to Security Hub CSPM configuration policies and policy associations. Only the delegated administrator can invoke central configuration APIs and use configuration policies to configure centrally managed accounts.

## Choosing the management type of a target

Choose your preferred method, and follow the steps to designate an account or OU as centrally managed or self-managed in Amazon Security Hub CSPM.

------
#### [ Security Hub CSPM console ]

**To choose the management type of an account or OU**

1. Open the Amazon Security Hub CSPM console at [https://console.amazonaws.cn/securityhub/](https://console.amazonaws.cn/securityhub/).

   Sign in using the credentials of the delegated Security Hub CSPM administrator account in the home Region.

1. Choose **Configuration**.

1. On the **Organization** tab, select the target account or OU. Choose **Edit**.

1. On the **Define configuration** page, for **Management type**, choose **Centrally managed** if you want the delegated administrator to configure the target account or OU. Then, choose **Apply a specific policy** if you want to associate an existing configuration policy with the target. Choose **Inherit from my organization** if you want the target to inherit the configuration of its closest parent. Choose **Self-managed** if you want the account or OU to configure its own settings.

1. Choose **Next**. Review your changes, and choose **Save**.

------
#### [ Security Hub CSPM API ]

**To choose the management type of an account or OU**

1. Invoke the [StartConfigurationPolicyAssociation](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_StartConfigurationPolicyAssociation.html) API from the Security Hub CSPM delegated administrator account in the home Region.

1. For the `ConfigurationPolicyIdentifier` field, provide `SELF_MANAGED_SECURITY_HUB` if you want the account or OU to control its own settings. Provide the Amazon Resource Name (ARN) or ID of the relevant configuration policy if you want the delegated administrator to control settings for the account or OU.

1. For the `Target` field, provide the Amazon Web Services account ID, OU ID, or root ID of the target whose management type you want to change. This associates the self-managed behavior or specified configuration policy with the target. Child accounts of the target may inherit the self-managed behavior or configuration policy.

**Example API request to designate a self-managed account:**

```
{
    "ConfigurationPolicyIdentifier": "SELF_MANAGED_SECURITY_HUB",
    "Target": {"AccountId": "123456789012"}
}
```

------
#### [ Amazon CLI ]

**To choose the management type of an account or OU**

1. Run the [start-configuration-policy-association](https://docs.amazonaws.cn/cli/latest/reference/securityhub/start-configuration-policy-association.html) command from the Security Hub CSPM delegated administrator account in the home Region.

1. For the `configuration-policy-identifier` field, provide `SELF_MANAGED_SECURITY_HUB` if you want the account or OU to control its own settings. Provide the Amazon Resource Name (ARN) or ID of the relevant configuration policy if you want the delegated administrator to control settings for the account or OU.

1. For the `target` field, provide the Amazon Web Services account ID, OU ID, or root ID of the target whose management type you want to change. This associates the self-managed behavior or specified configuration policy with the target. Child accounts of the target may inherit the self-managed behavior or configuration policy.

**Example command to designate a self-managed account:**

```
aws securityhub --region us-east-1 start-configuration-policy-association \
--configuration-policy-identifier "SELF_MANAGED_SECURITY_HUB" \
--target '{"AccountId": "123456789012"}'
```

------

# How configuration policies work in Security Hub CSPM

The delegated Amazon Security Hub CSPM administrator can create configuration policies to configure Security Hub CSPM, security standards, and security controls for an organization. After creating a configuration policy, the delegated administrator can associate it with specific accounts, organizational units (OUs), or the root. The policy then takes effect in the specified accounts, OUs, or the root.

For background information about the benefits of central configuration and how it works, see [Understanding central configuration in Security Hub CSPM](central-configuration-intro.md).

This section provides a detailed overview of configuration policies.

## Policy considerations

Before you create a configuration policy in Security Hub CSPM, consider the following details.
+ **Configuration policies must be associated to take effect** – After you create a configuration policy, you can associate it with one or more accounts, organizational units (OUs), or the root. A configuration policy can be associated with accounts or OUs through direct application, or through inheritance from a parent OU.
+ **An account or OU can be associated with only one configuration policy** – To prevent conflicting settings, an account or OU can only be associated with one configuration policy at any given time. Alternatively, an account or OU can be self-managed.
+ **Configuration policies are complete** – Configuration policies provide a complete specification of settings. For example, a child account can't accept settings for some controls from one policy and settings for other controls from another policy. When you associate a policy with a child account, ensure that the policy specifies all of the settings that you want the child account to use.
+ **Configuration policies can't be reverted** – There's no option to revert a configuration policy after you associate it with accounts or OUs. For example, if you associate a configuration policy that disables CloudWatch controls with a specific account, and then dissociate that policy, the CloudWatch controls continue to be disabled in that account. To enable CloudWatch controls again, you can associate the account with a new policy that enables the controls. Alternatively, you can change the account to self-managed and enable each CloudWatch control in the account.
+ **Configuration policies take effect in your home Region and all linked Regions** – A configuration policy affects all associated accounts in the home Region and all linked Regions. You can't create a configuration policy that takes effect in only some of these Regions and not others. The exception to this is [controls that use global resources](controls-to-disable.md#controls-to-disable-global-resources). Security Hub CSPM automatically disables controls that involve global resources in all Regions except the home Region.

  Regions that Amazon introduced on or after March 20, 2019 are known as opt-in Regions. You must enable such a Region for an account before a configuration policy takes effect there. The Organizations management account can enable opt-in Regions for a member account. For instructions on enabling opt-in Regions, see [ Specify which Amazon Web Services Regions your account can use](https://docs.amazonaws.cn/accounts/latest/reference/manage-acct-regions.html#rande-manage-enable) in the *Amazon Account Management Reference Guide*.

  If your policy configures a control that isn't available in the home Region or one or more linked Regions, Security Hub CSPM skips the control configuration in unavailable Regions but applies the configuration in Regions where the control is available. You lack coverage for a control that isn't available in the home Region or any of the linked Regions.
+ **Configuration policies are resources** – As a resource, a configuration policy has an Amazon Resource Name (ARN) and a universally unique identifier (UUID). The ARN uses the following format: `arn:partition:securityhub:region:delegated administrator account ID:configuration-policy/configuration policy UUID`. A self-managed configuration has no ARN or UUID. The identifier for a self-managed configuration is `SELF_MANAGED_SECURITY_HUB`.

## Types of configuration policies


Each configuration policy specifies the following settings:
+ Enable or disable Security Hub CSPM.
+ Enable one or more [security standards](standards-reference.md).
+ Indicate which [security controls](securityhub-controls-reference.md) are enabled across enabled standards. You can do this by providing a list of specific controls that should be enabled, and Security Hub CSPM disables all other controls, including new controls when they are released. Alternatively, you can provide a list of specific controls that should be disabled, and Security Hub CSPM enables all other controls, including new controls when they are released.
+ Optionally, [customize parameters](https://docs.amazonaws.cn/securityhub/latest/userguide/custom-control-parameters.html) for select enabled controls across enabled standards.

Central configuration policies don't include Amazon Config recorder settings. You must separately enable Amazon Config and turn on recording for required resources in order for Security Hub CSPM to generate control findings. For more information, see [Considerations before enabling and configuring Amazon Config](securityhub-setup-prereqs.md#securityhub-prereq-config).

If you use central configuration, Security Hub CSPM automatically disables controls that involve global resources in all Regions except the home Region. Other controls that you choose to enable through a configuration policy are enabled in all Regions where they are available. To limit findings for these controls to just one Region, you can update your Amazon Config recorder settings and turn off global resource recording in all Regions except the home Region.

If an enabled control that involves global resources isn't supported in the home Region, Security Hub CSPM tries to enable the control in one linked Region where the control is supported. With central configuration, you lack coverage for a control that isn't available in the home Region or any of the linked Regions.

For a list of controls that involve global resources, see [Controls that use global resources](controls-to-disable.md#controls-to-disable-global-resources).
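
Whether a policy lists the controls to enable or the controls to disable changes what happens to a control released after the policy was written, and the Region rules above (global-resource controls on in the home Region only, unsupported controls skipped, no coverage when a control exists in none of your Regions) are applied control by control. The Python below is an added example, not Security Hub CSPM code, and it never calls the API: it computes the per-Region control state two policies produce against a constructed catalog. The policy dictionaries use the field names of the `SecurityHub` block of a configuration policy (`ServiceEnabled`, `EnabledStandardIdentifiers`, and `SecurityControlsConfiguration` with either `EnabledSecurityControlIdentifiers` or `DisabledSecurityControlIdentifiers`); treat those names, the standard ARN, the Region availability table, the set of global-resource controls and the `Example.*` and `New.1` control IDs as assumptions constructed for the example.

```python
HOME_REGION = "cn-north-1"
LINKED_REGIONS = ["cn-northwest-1"]

# Constructed catalog: control ID -> Regions (of ours) where the control is offered.
AVAILABILITY = {
    "IAM.1": {"cn-north-1", "cn-northwest-1"},
    "CloudTrail.1": {"cn-north-1", "cn-northwest-1"},
    "EC2.1": {"cn-north-1", "cn-northwest-1"},
    "Redshift.1": {"cn-north-1"},                # not offered in the linked Region
    "Example.1": {"cn-northwest-1"},             # constructed: global-resource control missing from the home Region
    "Example.2": set(),                          # constructed: offered in none of our Regions
    "New.1": {"cn-north-1", "cn-northwest-1"},   # constructed: released after both policies were written
}
# Constructed: controls that evaluate global resources, so one Region is enough.
GLOBAL_RESOURCE_CONTROLS = {"IAM.1", "Example.1"}

# Standard identifier constructed for the example; take the real one from DescribeStandards.
FSBP = "arn:aws-cn:securityhub:cn-north-1::standards/aws-foundational-security-best-practices/v/1.0.0"
# Field names assumed to match the SecurityHub block of a configuration policy.
DENY_LIST_POLICY = {"SecurityHub": {
    "ServiceEnabled": True,
    "EnabledStandardIdentifiers": [FSBP],
    "SecurityControlsConfiguration": {"DisabledSecurityControlIdentifiers": ["CloudTrail.1", "Redshift.1"]},
}}
ALLOW_LIST_POLICY = {"SecurityHub": {
    "ServiceEnabled": True,
    "EnabledStandardIdentifiers": [FSBP],
    "SecurityControlsConfiguration": {"EnabledSecurityControlIdentifiers": ["IAM.1", "EC2.1"]},
}}


def wanted_controls(policy, catalog):
    """Which controls the policy means to enable, for every control in the catalog.

    An enabled list turns everything else off, including controls that did not
    exist when the policy was written; a disabled list turns everything else on.
    """
    settings = policy["SecurityHub"]
    if not settings.get("ServiceEnabled", False):
        return {control: False for control in catalog}
    controls = settings.get("SecurityControlsConfiguration", {})
    if "EnabledSecurityControlIdentifiers" in controls:
        allow = set(controls["EnabledSecurityControlIdentifiers"])
        return {control: control in allow for control in catalog}
    deny = set(controls.get("DisabledSecurityControlIdentifiers", []))
    return {control: control not in deny for control in catalog}


def effective_controls(policy, home_region, linked_regions, availability, global_controls):
    """Per-Region state of every control: 'enabled', 'disabled' or 'skipped'.

    Returns (state, coverage_gaps). A control is skipped in a Region that does
    not offer it. A wanted global-resource control is enabled in the home
    Region only, or in one linked Region if the home Region lacks it. A wanted
    control that none of the Regions offer is reported as a coverage gap.
    """
    regions = [home_region, *linked_regions]
    state = {region: {} for region in regions}
    coverage_gaps = []
    for control, enable in wanted_controls(policy, availability).items():
        offered = availability[control]
        target_regions = [region for region in regions if region in offered]
        if enable and control in global_controls:
            target_regions = target_regions[:1]   # home Region is first, so it wins when offered
        if enable and not target_regions:
            coverage_gaps.append(control)
        for region in regions:
            if region not in offered:
                state[region][control] = "skipped"
            elif enable and region in target_regions:
                state[region][control] = "enabled"
            else:
                state[region][control] = "disabled"
    return state, coverage_gaps


def enabled_in(state, region):
    """Sorted list of the controls enabled in one Region."""
    return sorted(control for control, value in state[region].items() if value == "enabled")


if __name__ == "__main__":
    for name, policy in (("deny list", DENY_LIST_POLICY), ("allow list", ALLOW_LIST_POLICY)):
        state, gaps = effective_controls(policy, HOME_REGION, LINKED_REGIONS, AVAILABILITY, GLOBAL_RESOURCE_CONTROLS)
        for region in (HOME_REGION, *LINKED_REGIONS):
            print(f"{name:>10} {region}: {enabled_in(state, region)}")
        print(f"{name:>10} coverage gaps: {gaps}")
```

Running it prints which controls each policy leaves enabled per Region. The practical point is the treatment of `New.1`: with a disabled list it is on in both Regions as soon as it ships, so newly released controls need reviewing, whereas with an enabled list it stays off until someone adds it. `IAM.1` is enabled in the home Region only, `Example.1` lands in the one linked Region that offers it, and `Example.2` appears solely as a coverage gap, which is the case the text above warns about.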

### Recommended configuration policy


When creating a configuration policy for the *first time in the Security Hub CSPM console*, you have the option to choose the Security Hub CSPM recommended policy.

The recommended policy enables Security Hub CSPM, the Amazon Foundational Security Best Practices (FSBP) standard, and all existing and new FSBP controls. Controls that accept parameters use the default values. The recommended policy applies to root (all accounts and OUs, both new and existing). After creating the recommended policy for your organization, you can modify it from the delegated administrator account. For example, you can enable additional standards or controls or disable specific FSBP controls. For instructions on modifying a configuration policy, see [Updating configuration policies](update-policy.md).

### Custom configuration policy


Instead of the recommended policy, the delegated administrator can create up to 20 custom configuration policies. You can associate a single custom policy with your entire organization or different custom policies with different accounts and OUs. For a custom configuration policy, you specify your desired settings. For example, you can create a custom policy that enables FSBP, the Center for Internet Security (CIS) Amazon Foundations Benchmark v1.4.0, and all controls in those standards except Amazon Redshift controls. The level of granularity that you use in custom configuration policies depends on the intended scope of security coverage throughout your organization.

**Note**  
You can't associate a configuration policy that disables Security Hub CSPM with the delegated administrator account. Such a policy can be associated with other accounts but skips association with the delegated administrator. The delegated administrator account retains its current configuration.

After creating a custom configuration policy, you can switch to the recommended configuration policy by updating your configuration policy to reflect the recommended configuration. However, you don't see the choice to create the recommended configuration policy in the Security Hub CSPM console after your first policy is created.

## Policy association through application and inheritance


When you first opt in to central configuration, your organization has no associations and behaves in the same way that it did prior to opt-in. The delegated administrator can then establish associations between a configuration policy or self-managed behavior and accounts, OUs, or the root. Associations can be established through *application* or *inheritance*.

From the delegated administrator account, you can directly apply a configuration policy to an account, OU, or the root. Alternatively, the delegated administrator can directly apply a self-managed designation to an account, OU, or the root.

In the absence of direct application, an account or OU inherits the settings of the closest parent that has a configuration policy or self-managed behavior. If the closest parent is associated with a configuration policy, the child inherits that policy and is configurable only by the delegated administrator from the home Region. If the closest parent is self-managed, the child inherits the self-managed behavior and has the ability to specify its own settings in each Amazon Web Services Region.

Application takes precedence over inheritance. In other words, inheritance doesn't override a configuration policy or self-managed designation that the delegated administrator has directly applied to an account or OU.

If you directly apply a configuration policy to a self-managed account, the policy overrides the self-managed designation. The account becomes centrally managed and adopts the settings reflected in the configuration policy.

We recommend directly applying a configuration policy to the root. If you apply a policy to the root, then new accounts that join your organization will automatically inherit the root policy unless you associate them with a different policy or designate them as self-managed.

Only one configuration policy can be associated with an account or OU at a given time, either through application or inheritance. This is designed to prevent conflicting settings.

The following diagram illustrates how policy application and inheritance work in central configuration.

![\[Applying and inheriting Security Hub CSPM configuration policies\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/sechub-diagram-central-configuration-association.png)


In this example, a node highlighted in green has a configuration policy that's been applied to it. A node highlighted in blue has no configuration policy that's been applied to it. A node highlighted in yellow has been designated as self-managed. Each account and OU uses the following configuration:
+ **OU:Root (Green)** – This OU uses the configuration policy that's been applied to it.
+ **OU:Prod (Blue)** – This OU inherits the configuration policy from OU:Root.
+ **OU:Applications (Green)** – This OU uses the configuration policy that's been applied to it.
+ **Account 1 (Green)** – This account uses the configuration policy that's been applied to it.
+ **Account 2 (Blue)** – This account inherits the configuration policy from OU:Applications.
+ **OU:Dev (Yellow)** – This OU is self-managed.
+ **Account 3 (Green)** – This account uses the configuration policy that's been applied to it.
+ **Account 4 (Blue)** – This account inherits self-managed behavior from OU:Dev.
+ **OU:Test (Blue)** – This OU inherits the configuration policy from OU:Root.
+ **Account 5 (Blue)** – This account inherits the configuration policy from OU:Root since its immediate parent, OU:Test, isn't associated with a configuration policy.
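To make the application and inheritance rules concrete, the following is an added example (not code from the Security Hub CSPM documentation or service) that resolves the effective configuration for every node of an organization tree. It reuses the node names from the diagram; the parent/child layout is an assumption chosen to match the outcomes listed above, and the node IDs and policy names are constructed placeholders. `SELF_MANAGED_SECURITY_HUB` is the identifier the association API uses for self-managed behavior, and `APPLIED`/`INHERITED` are the `AssociationType` values the association APIs return.

```python
from typing import Dict, Optional, Tuple

# Identifier the StartConfigurationPolicyAssociation API uses for self-managed behavior
SELF_MANAGED = "SELF_MANAGED_SECURITY_HUB"

Resolution = Tuple[Optional[str], Optional[str], Optional[str]]


class Node:
    """One account, OU, or root in the organization tree.

    `applied` is what the delegated administrator applied directly to this node:
    a configuration policy identifier, SELF_MANAGED, or None (nothing applied).
    """

    def __init__(self, parent: Optional[str], applied: Optional[str] = None) -> None:
        self.parent = parent
        self.applied = applied


def resolve(tree: Dict[str, Node], node_id: str) -> Resolution:
    """Return (configuration, association_type, source_node) for node_id.

    Application takes precedence over inheritance: a directly applied
    configuration is used as is. Otherwise the node inherits from the closest
    ancestor that has a direct application. If no ancestor has one, the node has
    no association at all (the state of an organization right after opt-in).
    association_type uses the API's AssociationType values, APPLIED or INHERITED.
    """
    current: Optional[str] = node_id
    while current is not None:
        node = tree[current]
        if node.applied is not None:
            kind = "APPLIED" if current == node_id else "INHERITED"
            return node.applied, kind, current
        current = node.parent
    return None, None, None


def apply_configuration(tree: Dict[str, Node], node_id: str, configuration: str) -> None:
    """Directly apply a policy (or SELF_MANAGED) to a node.

    Only one configuration can be associated with a node at a time, so a direct
    application replaces whatever was applied before; applying a policy to a
    self-managed node makes it centrally managed.
    """
    tree[node_id].applied = configuration


def effective_configurations(tree: Dict[str, Node]) -> Dict[str, Resolution]:
    """Resolve every node in the tree."""
    return {node_id: resolve(tree, node_id) for node_id in tree}


def build_diagram() -> Dict[str, Node]:
    """Constructed organization matching the diagram's colors: green = policy
    applied, blue = nothing applied, yellow = self-managed. Node IDs and policy
    names are placeholders, and the parent/child layout is an assumption."""
    return {
        "r-root":          Node(parent=None, applied="policy-root"),                # OU:Root (green)
        "ou-prod":         Node(parent="r-root"),                                   # OU:Prod (blue)
        "ou-applications": Node(parent="ou-prod", applied="policy-apps"),           # OU:Applications (green)
        "account-1":       Node(parent="ou-applications", applied="policy-acct1"),  # Account 1 (green)
        "account-2":       Node(parent="ou-applications"),                          # Account 2 (blue)
        "ou-dev":          Node(parent="r-root", applied=SELF_MANAGED),             # OU:Dev (yellow)
        "account-3":       Node(parent="ou-dev", applied="policy-acct3"),           # Account 3 (green)
        "account-4":       Node(parent="ou-dev"),                                   # Account 4 (blue)
        "ou-test":         Node(parent="r-root"),                                   # OU:Test (blue)
        "account-5":       Node(parent="ou-test"),                                  # Account 5 (blue)
    }


if __name__ == "__main__":
    for node_id, (configuration, kind, source) in effective_configurations(build_diagram()).items():
        print(f"{node_id:16} {configuration or '(none)':26} {kind or '-':9} via {source or '-'}")
```

Running the script prints one line per node; Account 5 resolves to `policy-root` via `r-root` because OU:Test has nothing applied, and Account 3 keeps its own policy even though its parent OU:Dev is self-managed. Adding a new account under OU:Test to the tree shows why applying a policy to the root is recommended: the new account inherits the root policy without any further action.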

## Testing a configuration policy


To make sure you understand how configuration policies work, we recommend creating one policy and associating it with a test account or OU.

**To test a configuration policy**

1. Create a custom configuration policy, and verify that the specified settings for Security Hub CSPM enablement, standards, and controls are correct. For instructions, see [Creating and associating configuration policies](create-associate-policy.md).

1. Apply the configuration policy to a test account or OU that doesn't have any child accounts or OUs.

1. Verify that the test account or OU uses the configuration policy in the expected way in your home Region and all linked Regions. You can also verify that all other accounts and OUs in your organization remain self-managed and can change their own settings in each Region.

After you've tested a configuration policy in a single account or OU, you can associate it with other accounts and OUs.

# Creating and associating configuration policies


The delegated Amazon Security Hub CSPM administrator account can create configuration policies that specify how Security Hub CSPM, standards, and controls are configured in specified accounts and organizational units (OUs). A configuration policy takes effect only after the delegated administrator associates it with at least one account, OU, or the root. The delegated administrator can also associate a self-managed configuration with accounts, OUs, or the root.

If this is your first time creating a configuration policy, we recommend first reviewing [How configuration policies work in Security Hub CSPM](configuration-policies-overview.md).

Choose your preferred access method, and follow the steps to create and associate a configuration policy or self-managed configuration. When using the Security Hub CSPM console, you can associate a configuration with multiple accounts or OUs at the same time. When using the Security Hub CSPM API or Amazon CLI, you can associate a configuration with only one account or OU in each request.

**Note**  
If you use central configuration, Security Hub CSPM automatically disables controls that involve global resources in all Regions except the home Region. Other controls that you choose to enable through a configuration policy are enabled in all Regions where they are available. To limit findings for these controls to just one Region, you can update your Amazon Config recorder settings and turn off global resource recording in all Regions except the home Region.  
If an enabled control that involves global resources isn't supported in the home Region, Security Hub CSPM tries to enable the control in one linked Region where the control is supported. With central configuration, you lack coverage for a control that isn't available in the home Region or any of the linked Regions.  
For a list of controls that involve global resources, see [Controls that use global resources](controls-to-disable.md#controls-to-disable-global-resources).

------
#### [ Security Hub CSPM console ]

**To create and associate configuration policies**

1. Open the Amazon Security Hub CSPM console at [https://console.amazonaws.cn/securityhub/](https://console.amazonaws.cn/securityhub/).

   Sign in using the credentials of the delegated Security Hub CSPM administrator account in the home Region.

1. In the navigation pane, choose **Configuration** and the **Policies** tab. Then, choose **Create policy**.

1. On the **Configure organization** page, if this is your first time creating a configuration policy, you see three options under **Configuration type**. If you've already created at least one configuration policy, you only see the **Custom policy** option.
   + Choose **Use the Amazon recommended Security Hub CSPM configuration across my entire organization** to use our recommended policy. The recommended policy enables Security Hub CSPM in all organization accounts, enables the Amazon Foundational Security Best Practices (FSBP) standard, and enables all new and existing FSBP controls. The controls use default parameter values.
   + Choose **I'm not ready to configure yet** to create a configuration policy later.
   + Choose **Custom policy** to create a custom configuration policy. Specify whether to enable or disable Security Hub CSPM, which standards to enable, and which controls to enable across those standards. Optionally, specify [custom parameter values](custom-control-parameters.md) for one or more enabled controls that support custom parameters.

1. In the **Accounts** section, choose which target accounts, OUs, or the root that you want your configuration policy to apply to.
   + Choose **All accounts** if you want to apply the configuration policy to the root. This includes all accounts and OUs in the organization that don't have another policy applied to them or inherited.
   + Choose **Specific accounts** if you want to apply the configuration policy to specific accounts or OUs. Enter the account IDs, or select the accounts and OUs from the organization structure. You can apply the policy to a maximum of 15 targets (accounts, OUs, or root) when you create it. To specify a larger number, edit your policy after creation, and apply it to additional targets.
   + Choose **The delegated administrator only** to apply the configuration policy to the current delegated administrator account.

1. Choose **Next**.

1. On the **Review and apply** page, review your configuration policy details. Then, choose **Create policy and apply**. In your home Region and linked Regions, this action overrides the existing configuration settings of accounts that are associated with this configuration policy. Accounts may be associated with the configuration policy through application, or inheritance from a parent node. Child accounts and OUs of the applied targets will automatically inherit this configuration policy unless they are specifically excluded, self-managed, or use a different configuration policy.

------
#### [ Security Hub CSPM API ]

**To create and associate configuration policies**

1. Invoke the [https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_CreateConfigurationPolicy.html](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_CreateConfigurationPolicy.html) API from the Security Hub CSPM delegated administrator account in the home Region.

1. For `Name`, provide a unique name for the configuration policy. Optionally, for `Description`, provide a description for the configuration policy.

1. For the `ServiceEnabled` field, specify if you want Security Hub CSPM to be enabled or disabled in this configuration policy.

1. For the `EnabledStandardIdentifiers` field, specify which Security Hub CSPM standards you want to enable in this configuration policy.

1. For the `SecurityControlsConfiguration` object, specify which controls you want to enable or disable in this configuration policy. Choosing `EnabledSecurityControlIdentifiers` means that the specified controls are enabled. Other controls that are part of your enabled standards (including newly released controls) are disabled. Choosing `DisabledSecurityControlIdentifiers` means that the specified controls are disabled. Other controls that are part of your enabled standards (including newly released controls) are enabled.

1. Optionally, for the `SecurityControlCustomParameters` field, specify enabled controls for which you want to customize parameters. Provide `CUSTOM` for the `ValueType` field and the custom parameter value for the `Value` field. The value must be the correct data type and within valid ranges specified by Security Hub CSPM. Only select controls support custom parameter values. For more information, see [Understanding control parameters in Security Hub CSPM](custom-control-parameters.md).

1. To apply your configuration policy to accounts or OUs, invoke the [https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_StartConfigurationPolicyAssociation.html](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_StartConfigurationPolicyAssociation.html) API from the Security Hub CSPM delegated administrator account in the home Region.

1. For the `ConfigurationPolicyIdentifier` field, provide the Amazon Resource Name (ARN) or universally unique identifier (UUID) of the policy. The ARN and UUID are returned by the `CreateConfigurationPolicy` API. For a self-managed configuration, the `ConfigurationPolicyIdentifier` field is equal to `SELF_MANAGED_SECURITY_HUB`.

1. For the `Target` field, provide the OU, account, or the root ID to which you want this configuration policy to apply. You can only provide one target in each API request. Child accounts and OUs of the selected target will automatically inherit this configuration policy unless they are self-managed or use a different configuration policy.

**Example API request to create a configuration policy:**

```
{
    "Name": "SampleConfigurationPolicy",
    "Description": "Configuration policy for production accounts",
    "ConfigurationPolicy": {
        "SecurityHub": {
             "ServiceEnabled": true,
             "EnabledStandardIdentifiers": [
                    "arn:aws-cn:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0",
                    "arn:aws-cn:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0"
                ],
            "SecurityControlsConfiguration": {
                "DisabledSecurityControlIdentifiers": [
                    "CloudTrail.2"
                ],
                "SecurityControlCustomParameters": [
                    {
                        "SecurityControlId": "ACM.1",
                        "Parameters": {
                            "daysToExpiration": {
                                "ValueType": "CUSTOM",
                                "Value": {
                                    "Integer": 15
                                }
                            }
                        }
                    }
                ]
            }
        }
    }
}
```

**Example API request to associate a configuration policy:**

```
{
    "ConfigurationPolicyIdentifier": "arn:aws-cn:securityhub:us-east-1:123456789012:configuration-policy/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
    "Target": {"OrganizationalUnitId": "ou-examplerootid111-exampleouid111"}
}
```
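The following is an added example (not code from the Security Hub CSPM documentation or service) that builds the two request bodies shown above and applies the constraints stated in the steps before sending anything: a policy lists either enabled or disabled control identifiers, not both; custom parameter values are only accepted for controls the policy leaves enabled; each parameter `Value` holds exactly one typed field (the set of type keys in `PARAMETER_VALUE_TYPES` is an assumption, with `Integer` being the one used in the sample); and an association `Target` names exactly one of `AccountId`, `OrganizationalUnitId`, or `RootId`. The standard ARNs, control IDs, and policy ARN are the page's own sample values.

```python
import json
from typing import Any, Dict, Iterable, Mapping, Optional

# Type keys a parameter Value object may carry (assumed list; the sample request uses Integer)
PARAMETER_VALUE_TYPES = ("Integer", "IntegerList", "Double", "String", "StringList",
                         "Boolean", "Enum", "EnumList")
TARGET_KEYS = ("AccountId", "OrganizationalUnitId", "RootId")


def build_create_policy_request(
    name: str,
    enabled_standards: Iterable[str],
    *,
    description: Optional[str] = None,
    service_enabled: bool = True,
    enabled_controls: Optional[Iterable[str]] = None,
    disabled_controls: Optional[Iterable[str]] = None,
    custom_parameters: Optional[Mapping[str, Mapping[str, Dict[str, Any]]]] = None,
) -> Dict[str, Any]:
    """Build the JSON body for CreateConfigurationPolicy.

    custom_parameters maps control ID -> {parameter name -> Value object},
    for example {"ACM.1": {"daysToExpiration": {"Integer": 15}}}.
    """
    if enabled_controls is not None and disabled_controls is not None:
        raise ValueError("use EnabledSecurityControlIdentifiers or DisabledSecurityControlIdentifiers, not both")
    enabled = set(enabled_controls) if enabled_controls is not None else None
    disabled = set(disabled_controls) if disabled_controls is not None else None

    controls: Dict[str, Any] = {}
    if enabled is not None:
        controls["EnabledSecurityControlIdentifiers"] = sorted(enabled)
    if disabled is not None:
        controls["DisabledSecurityControlIdentifiers"] = sorted(disabled)

    custom = []
    for control_id, params in (custom_parameters or {}).items():
        # Custom parameter values are only meaningful for controls this policy leaves enabled.
        if (enabled is not None and control_id not in enabled) or (disabled is not None and control_id in disabled):
            raise ValueError(f"{control_id} is not enabled by this policy; cannot customize its parameters")
        entry: Dict[str, Any] = {}
        for pname, value in params.items():
            if len(value) != 1 or next(iter(value)) not in PARAMETER_VALUE_TYPES:
                raise ValueError(f"{control_id}.{pname}: Value must hold exactly one typed field, e.g. {{'Integer': 15}}")
            entry[pname] = {"ValueType": "CUSTOM", "Value": dict(value)}
        custom.append({"SecurityControlId": control_id, "Parameters": entry})
    if custom:
        controls["SecurityControlCustomParameters"] = custom

    request: Dict[str, Any] = {"Name": name}
    if description:
        request["Description"] = description
    request["ConfigurationPolicy"] = {
        "SecurityHub": {
            "ServiceEnabled": service_enabled,
            "EnabledStandardIdentifiers": list(enabled_standards),
            "SecurityControlsConfiguration": controls,
        }
    }
    return request


def build_association_request(policy_identifier: str, target: Mapping[str, str]) -> Dict[str, Any]:
    """Build the body for StartConfigurationPolicyAssociation. Passing
    SELF_MANAGED_SECURITY_HUB as the identifier associates self-managed behavior."""
    if len(target) != 1 or next(iter(target)) not in TARGET_KEYS:
        raise ValueError(f"target must contain exactly one of {', '.join(TARGET_KEYS)}")
    return {"ConfigurationPolicyIdentifier": policy_identifier, "Target": dict(target)}


def cli_argument(value: Any) -> str:
    """Serialize a field the way the CLI examples pass it, e.g. for --configuration-policy."""
    return json.dumps(value, separators=(",", ":"))


# The page's sample request, rebuilt through the checks above.
SAMPLE_REQUEST = build_create_policy_request(
    "SampleConfigurationPolicy",
    ["arn:aws-cn:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0",
     "arn:aws-cn:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0"],
    description="Configuration policy for production accounts",
    disabled_controls=["CloudTrail.2"],
    custom_parameters={"ACM.1": {"daysToExpiration": {"Integer": 15}}},
)

if __name__ == "__main__":
    print(json.dumps(SAMPLE_REQUEST, indent=4))
    print(cli_argument(build_association_request(
        "arn:aws-cn:securityhub:us-east-1:123456789012:configuration-policy/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
        {"OrganizationalUnitId": "ou-examplerootid111-exampleouid111"})))
```

With the SDK, `boto3.client("securityhub").create_configuration_policy(**SAMPLE_REQUEST)` from the delegated administrator account in the home Region sends the request as built; `cli_argument(SAMPLE_REQUEST["ConfigurationPolicy"])` yields the compact JSON that the CLI command in the next tab passes to `--configuration-policy`.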

------
#### [ Amazon CLI ]

**To create and associate configuration policies**

1. Run the [https://docs.amazonaws.cn/cli/latest/reference/securityhub/create-configuration-policy.html](https://docs.amazonaws.cn/cli/latest/reference/securityhub/create-configuration-policy.html) command from the Security Hub CSPM delegated administrator account in the home Region.

1. For `name`, provide a unique name for the configuration policy. Optionally, for `description`, provide a description for the configuration policy.

1. For the `ServiceEnabled` field, specify if you want Security Hub CSPM to be enabled or disabled in this configuration policy.

1. For the `EnabledStandardIdentifiers` field, specify which Security Hub CSPM standards you want to enable in this configuration policy.

1. For the `SecurityControlsConfiguration` field, specify which controls you want to enable or disable in this configuration policy. Choosing `EnabledSecurityControlIdentifiers` means that the specified controls are enabled. Other controls that are part of your enabled standards (including newly released controls) are disabled. Choosing `DisabledSecurityControlIdentifiers` means that the specified controls are disabled. Other controls that apply to your enabled standards (including newly released controls) are enabled.

1. Optionally, for the `SecurityControlCustomParameters` field, specify enabled controls for which you want to customize parameters. Provide `CUSTOM` for the `ValueType` field and the custom parameter value for the `Value` field. The value must be the correct data type and within valid ranges specified by Security Hub CSPM. Only select controls support custom parameter values. For more information, see [Understanding control parameters in Security Hub CSPM](custom-control-parameters.md).

1. To apply your configuration policy to accounts or OUs, run the [https://docs.amazonaws.cn/cli/latest/reference/securityhub/start-configuration-policy-association.html](https://docs.amazonaws.cn/cli/latest/reference/securityhub/start-configuration-policy-association.html) command from the Security Hub CSPM delegated administrator account in the home Region.

1. For the `configuration-policy-identifier` field, provide the Amazon Resource Name (ARN) or ID of the configuration policy. This ARN and ID are returned by the `create-configuration-policy` command.

1. For the `target` field, provide the OU, account, or the root ID to which you want this configuration policy to apply. You can only provide one target each time you run the command. Children of the selected target will automatically inherit this configuration policy unless they are self-managed or use a different configuration policy.

**Example command to create a configuration policy:**

```
aws securityhub --region us-east-1 create-configuration-policy \
--name "SampleConfigurationPolicy" \
--description "Configuration policy for production accounts" \
--configuration-policy '{"SecurityHub": {"ServiceEnabled": true, "EnabledStandardIdentifiers": ["arn:aws-cn:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0","arn:aws-cn:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0"],"SecurityControlsConfiguration":{"DisabledSecurityControlIdentifiers": ["CloudTrail.2"], "SecurityControlCustomParameters": [{"SecurityControlId": "ACM.1", "Parameters": {"daysToExpiration": {"ValueType": "CUSTOM", "Value": {"Integer": 15}}}}]}}}'
```

**Example command to associate a configuration policy:**

```
aws securityhub --region us-east-1 start-configuration-policy-association \
--configuration-policy-identifier "arn:aws-cn:securityhub:us-east-1:123456789012:configuration-policy/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111" \
--target '{"OrganizationalUnitId": "ou-examplerootid111-exampleouid111"}'
```

------

The `StartConfigurationPolicyAssociation` API returns a field called `AssociationStatus`. This field tells you whether a policy association is pending or in a state of success or failure. It can take up to 24 hours for the status to change from `PENDING` to `SUCCESS` or `FAILED`. For more information about association status, see [Reviewing the association status of a configuration policy](view-policy.md#configuration-association-status).

# Reviewing the status and details of configuration policies

The delegated Amazon Security Hub CSPM administrator can view configuration policies for an organization and their details. This includes which accounts and organizational units (OUs) a policy is associated with.

For background information about the benefits of central configuration and how it works, see [Understanding central configuration in Security Hub CSPM](central-configuration-intro.md).

Choose your preferred method, and follow the steps to view your configuration policies.

------
#### [ Security Hub CSPM console ]

**To view configuration policies (console)**

1. Open the Amazon Security Hub CSPM console at [https://console.amazonaws.cn/securityhub/](https://console.amazonaws.cn/securityhub/).

   Sign in using the credentials of the delegated Security Hub CSPM administrator account in the home Region.

1. In the navigation pane, choose **Settings** and **Configuration**.

1. Choose the **Policies** tab for an overview of your configuration policies.

1. Select a configuration policy, and choose **View details** to see additional details about it, including which accounts and OUs it's associated with.

------
#### [ Security Hub CSPM API ]

To view a summary list of all your configuration policies, use the [https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_ListConfigurationPolicies.html](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_ListConfigurationPolicies.html) operation of the Security Hub CSPM API. If you use the Amazon CLI, run the [https://docs.amazonaws.cn/cli/latest/reference/securityhub/list-configuration-policies.html](https://docs.amazonaws.cn/cli/latest/reference/securityhub/list-configuration-policies.html) command. The delegated Security Hub CSPM administrator account should invoke the operation in the home Region.

```
$ aws securityhub list-configuration-policies \
--max-items 5 \
--starting-token U2FsdGVkX19nUI2zoh+Pou9YyutlYJHWpn9xnG4hqSOhvw3o2JqjI23QDxdf
```

To view details about a specific configuration policy, use the [https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_GetConfigurationPolicy.html](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_GetConfigurationPolicy.html) operation. If you use the Amazon CLI, run the [https://docs.amazonaws.cn/cli/latest/reference/securityhub/get-configuration-policy.html](https://docs.amazonaws.cn/cli/latest/reference/securityhub/get-configuration-policy.html) command. The delegated administrator account should invoke the operation in the home Region. Provide the Amazon Resource Name (ARN) or ID of the configuration policy whose details you want to see.

```
$ aws securityhub get-configuration-policy \
--identifier "arn:aws-cn:securityhub:us-east-1:123456789012:configuration-policy/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
```

To view a summary list of all your configuration policies and their account associations, use the [https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_ListConfigurationPolicyAssociations.html](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_ListConfigurationPolicyAssociations.html) operation. If you use the Amazon CLI, run the [https://docs.amazonaws.cn/cli/latest/reference/securityhub/list-configuration-policy-associations.html](https://docs.amazonaws.cn/cli/latest/reference/securityhub/list-configuration-policy-associations.html) command. The delegated administrator account should invoke the operation in the home Region. Optionally, you can provide pagination parameters or filter the results by a specific policy ID, association type, or association status.

```
$ aws securityhub list-configuration-policy-associations \
--filters '{"AssociationType": "APPLIED"}'
```

To view associations for a specific account, use the [https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_GetConfigurationPolicyAssociation.html](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_GetConfigurationPolicyAssociation.html) operation. If you use the Amazon CLI, run the [https://docs.amazonaws.cn/cli/latest/reference/securityhub/get-configuration-policy-association.html](https://docs.amazonaws.cn/cli/latest/reference/securityhub/get-configuration-policy-association.html) command. The delegated administrator account should invoke the operation in the home Region. For `target`, provide the account number, OU ID, or root ID.

```
$ aws securityhub get-configuration-policy-association \
--target '{"AccountId": "123456789012"}'
```

------

## Reviewing the association status of a configuration policy


The following central configuration API operations return a field called `AssociationStatus`:
+ `BatchGetConfigurationPolicyAssociations`
+ `GetConfigurationPolicyAssociation`
+ `ListConfigurationPolicyAssociations`
+ `StartConfigurationPolicyAssociation`

This field is returned both when the underlying configuration is a configuration policy and when it's self-managed behavior.

The value of `AssociationStatus` tells you whether a policy association is pending or in a state of success or failure for a specific account. It can take up to 24 hours for the status to change from `PENDING` to `SUCCESS` or `FAILED`. A status of `SUCCESS` means that all settings specified in the configuration policy are associated with the account. A status of `FAILED` means that one or more settings specified in the configuration policy failed to associate with the account. Despite a `FAILED` status, the account could be partially configured in accordance with the policy. For example, you might try to associate an account with a configuration policy that enables Security Hub CSPM, enables Amazon Foundational Security Best Practices, and disables CloudTrail.1. The initial two settings could succeed, but the CloudTrail.1 setting could fail. In this example, the association status is `FAILED` even though some settings were correctly configured.

The association status of a parent OU or the root depends on the status of its children. If the association status of all the children is `SUCCESS`, the association status of the parent is `SUCCESS`. If the association status of one or more children is `FAILED`, the association status of the parent is `FAILED`.

The value of `AssociationStatus` depends on the association status of the policy in all relevant Regions. If the association succeeds in the home Region and all linked Regions, the value of `AssociationStatus` is `SUCCESS`. If the association fails in one or more of these Regions, the value of `AssociationStatus` is `FAILED`.

The following behavior also impacts the value of `AssociationStatus`:
+ If the target is a parent OU or the root, it has an `AssociationStatus` of `SUCCESS` or `FAILED` only when all of the children have a `SUCCESS` or `FAILED` status. If the association status of a child account or OU changes (for example, when a linked Region is added or removed) after you first associate the parent with a configuration, the change doesn't update the association status of the parent unless you invoke the `StartConfigurationPolicyAssociation` API again.
+ If the target is an account, it has an `AssociationStatus` of `SUCCESS` or `FAILED` only if the association has a result of `SUCCESS` or `FAILED` in the home Region and all linked Regions. If the association status of a target account changes (for example, when a linked Region is added or removed) after you first associate it with a configuration, its association status is updated. However, the change doesn't update the association status of the parent unless you invoke the `StartConfigurationPolicyAssociation` API again.

If you add a new linked Region, Security Hub CSPM replicates your existing associations that are in a `PENDING`, `SUCCESS`, or `FAILED` state in the new Region.
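The following is an added example (not code from the Security Hub CSPM documentation or service) that models how `AssociationStatus` rolls up under the rules above: an account's status combines its results in the home Region and every linked Region, a parent's status combines its children, a final status requires every input to be final, and any `FAILED` input makes the whole association `FAILED`. It also models the refresh rule, where an account's status tracks its current per-Region results while a parent keeps the status recorded at the last `StartConfigurationPolicyAssociation` call, and the replication of existing associations into a newly added linked Region (modelled as starting out `PENDING`, which is an assumption). The organization layout, account IDs, Region names, and per-Region results are constructed.

```python
from typing import Dict, Iterable, List

PENDING, SUCCESS, FAILED = "PENDING", "SUCCESS", "FAILED"


def aggregate(statuses: Iterable[str]) -> str:
    """Combine the per-Region results of one account, or the statuses of a
    parent's children: the result is final (SUCCESS or FAILED) only when every
    input is final, and any FAILED input makes the whole association FAILED."""
    statuses = list(statuses)
    if not statuses:
        raise ValueError("nothing to aggregate")
    if PENDING in statuses:
        return PENDING
    return FAILED if FAILED in statuses else SUCCESS


class AssociationTracker:
    """Tracks AssociationStatus for a target and its subtree.

    children: parent node ID -> child node IDs (accounts have no entry)
    account_regions: account ID -> {Region: PENDING | SUCCESS | FAILED}
    """

    def __init__(self, children: Dict[str, List[str]],
                 account_regions: Dict[str, Dict[str, str]]) -> None:
        self.children = children
        self.account_regions = account_regions
        self.recorded: Dict[str, str] = {}  # parent statuses captured by start()

    def _compute(self, node: str) -> str:
        if node in self.account_regions:
            return aggregate(self.account_regions[node].values())
        return aggregate(self._compute(child) for child in self.children[node])

    def start(self, target: str) -> str:
        """Model StartConfigurationPolicyAssociation: (re)compute and record the
        status of every parent node in the target's subtree."""
        stack = [target]
        while stack:
            node = stack.pop()
            if node in self.children:
                self.recorded[node] = self._compute(node)
                stack.extend(self.children[node])
        return self.status(target)

    def status(self, node: str) -> str:
        """Model GetConfigurationPolicyAssociation: an account's status reflects
        its current per-Region results; a parent keeps the status recorded at the
        last start() until start() is invoked again."""
        if node in self.account_regions:
            return self._compute(node)
        return self.recorded.get(node, PENDING)

    def add_linked_region(self, region: str) -> None:
        """Existing account associations are replicated into a new linked Region.
        The replicated association is modelled as starting out PENDING (assumption)."""
        for regions in self.account_regions.values():
            regions[region] = PENDING


def build_sample() -> AssociationTracker:
    """Constructed organization: root -> OU:Prod -> two accounts, with home Region
    us-east-1 and linked Region eu-west-1. Account 222222222222 failed in eu-west-1
    (for example, one control setting in the policy could not be applied there)."""
    children = {"r-root": ["ou-prod"], "ou-prod": ["111111111111", "222222222222"]}
    account_regions = {
        "111111111111": {"us-east-1": SUCCESS, "eu-west-1": SUCCESS},
        "222222222222": {"us-east-1": SUCCESS, "eu-west-1": FAILED},
    }
    return AssociationTracker(children, account_regions)


if __name__ == "__main__":
    tracker = build_sample()
    print("after association:", tracker.start("r-root"))
    tracker.account_regions["222222222222"]["eu-west-1"] = SUCCESS
    print("account fixed, parent not refreshed:",
          tracker.status("222222222222"), tracker.status("ou-prod"))
    print("after re-running association:", tracker.start("r-root"))
```

The practical consequence the script shows: after fixing the cause of a `FAILED` association in one account, the account's own status turns `SUCCESS` while its OU and the root still report `FAILED` until the association is started again from the delegated administrator account.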

Even when the association status is `SUCCESS`, the enablement status of a standard that is part of the policy can transition into an incomplete state. In that case, Security Hub CSPM can't generate findings for the standard's controls. For more information, see [Checking the status of a standard](enable-standards.md#standard-subscription-status).

## Troubleshooting association failure


In Amazon Security Hub CSPM, a configuration policy association might fail for the following common reasons.
+ **Organizations management account isn't a member** – If you want to associate a configuration policy with the Organizations management account, that account must already have Amazon Security Hub CSPM enabled. This makes the management account a member account in the organization.
+ **Amazon Config isn't enabled or properly configured** – To enable standards in a configuration policy, Amazon Config must be enabled and configured to record relevant resources.
+ **Must associate from delegated administrator account** – You can only associate a policy with target accounts and OUs when you're signed in to the delegated Security Hub CSPM administrator account.
+ **Must associate from home Region** – You can only associate a policy with target accounts and OUs when you're signed in to your home Region.
+ **Opt-in Region not enabled** – Policy association fails for a member account or OU in a linked Region if it's an opt-in Region that the delegated administrator hasn't enabled. You can retry after enabling the Region from the delegated administrator account.
+ **Member account suspended** – Policy association fails if you try to associate a policy with a suspended member account.

# Updating configuration policies


After creating a configuration policy, the delegated Amazon Security Hub CSPM administrator account can update the policy details and policy associations. When policy details are updated, accounts that are associated with the configuration policy automatically start using the updated policy.

For background information about the benefits of central configuration and how it works, see [Understanding central configuration in Security Hub CSPM](central-configuration-intro.md).

The delegated administrator can update the following policy settings:
+ Enable or disable Security Hub CSPM.
+ Enable one or more [security standards](standards-reference.md).
+ Indicate which [security controls](securityhub-controls-reference.md) are enabled across enabled standards. You can do this by providing a list of specific controls that should be enabled, and Security Hub CSPM disables all other controls, including new controls when they are released. Alternatively, you can provide a list of specific controls that should be disabled, and Security Hub CSPM enables all other controls, including new controls when they are released.
+ Optionally, [customize parameters](https://docs.amazonaws.cn/securityhub/latest/userguide/custom-control-parameters.html) for select enabled controls across enabled standards.

Choose your preferred method, and follow the steps to update a configuration policy.

**Note**  
If you use central configuration, Security Hub CSPM automatically disables controls that involve global resources in all Regions except the home Region. Other controls that you choose to enable through a configuration policy are enabled in all Regions where they are available. To limit findings for these controls to just one Region, you can update your Amazon Config recorder settings and turn off global resource recording in all Regions except the home Region.  
If an enabled control that involves global resources isn't supported in the home Region, Security Hub CSPM tries to enable the control in one linked Region where the control is supported. With central configuration, you lack coverage for a control that isn't available in the home Region or any of the linked Regions.  
For a list of controls that involve global resources, see [Controls that use global resources](controls-to-disable.md#controls-to-disable-global-resources).

------
#### [ Console ]

**To update configuration policies**

1. Open the Amazon Security Hub CSPM console at [https://console.amazonaws.cn/securityhub/](https://console.amazonaws.cn/securityhub/).

   Sign in using the credentials of the delegated Security Hub CSPM administrator account in the home Region.

1. In the navigation pane, choose **Settings** and **Configuration**.

1. Choose the **Policies** tab.

1. Select the configuration policy that you want to edit, and choose **Edit**. If desired, edit the policy settings. Leave this section as is if you want to keep the policy settings unchanged.

1. Choose **Next**. If desired, edit the policy associations. Leave this section as is if you want to keep the policy associations unchanged. You can associate or disassociate the policy with a maximum of 15 targets (accounts, OUs, or root) when you update it.

1. Choose **Next**.

1. Review your changes, and choose **Save and apply**. In your home Region and linked Regions, this action overrides the existing configuration settings of accounts that are associated with this configuration policy. Accounts may be associated with a configuration policy through application, or inheritance from a parent node.

------
#### [ API ]

**To update configuration policies**

1. To update the settings in a configuration policy, invoke the [https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_UpdateConfigurationPolicy.html](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_UpdateConfigurationPolicy.html) API from the Security Hub CSPM delegated administrator account in the home Region.

1. Provide the Amazon Resource Name (ARN) or ID of the configuration policy that you want to update. 

1. Provide updated values for the fields under `ConfigurationPolicy`. Optionally, you can also provide a reason for the update.

1. To add new associations for this configuration policy, invoke the [https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_StartConfigurationPolicyAssociation.html](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_StartConfigurationPolicyAssociation.html) API from the Security Hub CSPM delegated administrator account in the home Region. To remove one or more current associations, invoke the [https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_StartConfigurationPolicyDisassociation.html](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_StartConfigurationPolicyDisassociation.html) API from the Security Hub CSPM delegated administrator account in the home Region.

1. For the `ConfigurationPolicyIdentifier` field, provide the ARN or ID of the configuration policy whose associations you want to update.

1. For the `Target` field, provide the accounts, OUs, or root ID that you want to associate or disassociate. This action overrides previous policy associations for the specified OUs or accounts.

**Note**  
When you invoke the `UpdateConfigurationPolicy` API, Security Hub CSPM performs a full list replacement for the `EnabledStandardIdentifiers`, `EnabledSecurityControlIdentifiers`, `DisabledSecurityControlIdentifiers`, and `SecurityControlCustomParameters` fields. Each time you invoke this API, provide the full list of standards that you want to enable and the full list of controls that you want to enable or disable and customize parameters for.

**Example API request to update a configuration policy:**

```
{
    "Identifier": "arn:aws-cn:securityhub:us-east-1:123456789012:configuration-policy/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
    "Description": "Updated configuration policy",
    "UpdatedReason": "Disabling CloudWatch.1",
    "ConfigurationPolicy": {
        "SecurityHub": {
             "ServiceEnabled": true,
             "EnabledStandardIdentifiers": [
                    "arn:aws-cn:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0",
                    "arn:aws-cn:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0" 
                ],
            "SecurityControlsConfiguration": {
                "DisabledSecurityControlIdentifiers": [
                    "CloudTrail.2",
                    "CloudWatch.1"
                ],
                "SecurityControlCustomParameters": [
                    {
                        "SecurityControlId": "ACM.1",
                        "Parameters": {
                            "daysToExpiration": {
                                "ValueType": "CUSTOM",
                                "Value": {
                                    "Integer": 15
                                }
                            }
                        }
                    }
                ]
            }
        }
    }
}
```

------
#### [ Amazon CLI ]

**To update configuration policies**

1. To update the settings in a configuration policy, run the [https://docs.amazonaws.cn/cli/latest/reference/securityhub/update-configuration-policy.html](https://docs.amazonaws.cn/cli/latest/reference/securityhub/update-configuration-policy.html) command from the Security Hub CSPM delegated administrator account in the home Region.

1. Provide the Amazon Resource Name (ARN) or ID of the configuration policy that you want to update.

1. Provide updated values for the fields under `configuration-policy`. Optionally, you can also provide a reason for the update.

1. To add new associations for this configuration policy, run the [https://docs.amazonaws.cn/cli/latest/reference/securityhub/start-configuration-policy-association.html](https://docs.amazonaws.cn/cli/latest/reference/securityhub/start-configuration-policy-association.html) command from the Security Hub CSPM delegated administrator account in the home Region. To remove one or more current associations, run the [https://docs.amazonaws.cn/cli/latest/reference/securityhub/start-configuration-policy-disassociation.html](https://docs.amazonaws.cn/cli/latest/reference/securityhub/start-configuration-policy-disassociation.html) command from the Security Hub CSPM delegated administrator account in the home Region.

1. For the `configuration-policy-identifier` field, provide the ARN or ID of the configuration policy whose associations you want to update.

1. For the `target` field, provide the accounts, OUs, or root ID that you want to associate or disassociate. This action overrides previous policy associations for the specified OUs or accounts.

**Note**  
When you run the `update-configuration-policy` command, Security Hub CSPM performs a full list replacement for the `EnabledStandardIdentifiers`, `EnabledSecurityControlIdentifiers`, `DisabledSecurityControlIdentifiers`, and `SecurityControlCustomParameters` fields. Each time you run this command, provide the full list of standards that you want to enable and the full list of controls that you want to enable or disable and customize parameters for.

**Example command to update a configuration policy:**

```
aws securityhub update-configuration-policy \
--region us-east-1 \
--identifier "arn:aws-cn:securityhub:us-east-1:123456789012:configuration-policy/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111" \
--description "Updated configuration policy" \
--updated-reason "Disabling CloudWatch.1" \
--configuration-policy '{"SecurityHub": {"ServiceEnabled": true, "EnabledStandardIdentifiers": ["arn:aws-cn:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0","arn:aws-cn:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0"],"SecurityControlsConfiguration":{"DisabledSecurityControlIdentifiers": ["CloudTrail.2","CloudWatch.1"], "SecurityControlCustomParameters": [{"SecurityControlId": "ACM.1", "Parameters": {"daysToExpiration": {"ValueType": "CUSTOM", "Value": {"Integer": 15}}}}]}}}'
```

------

The `StartConfigurationPolicyAssociation` API returns a field called `AssociationStatus`. This field tells you whether a policy association is pending or in a state of success or failure. It can take up to 24 hours for the status to change from `PENDING` to `SUCCESS` or `FAILED`. For more information about association status, see [Reviewing the association status of a configuration policy](view-policy.md#configuration-association-status).
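Because `UpdateConfigurationPolicy` replaces the standard, control and parameter lists wholesale, the safe pattern is read-modify-write: fetch the current policy, apply the delta to the full lists, and send everything back. The following helper is an added example written for this page, not code from the Security Hub CSPM documentation or SDK. It takes a policy in the `GetConfigurationPolicy` response shape (the `CURRENT_POLICY` dict is a constructed sample with placeholder ARNs) and returns the complete request body; its treatment of allow-list versus deny-list policies follows the description above, and the rule that parameter overrides are dropped for a control the update disables is an assumption made to keep the request consistent.

```python
"""Build the complete UpdateConfigurationPolicy body from a delta.

The API replaces EnabledStandardIdentifiers, EnabledSecurityControlIdentifiers,
DisabledSecurityControlIdentifiers and SecurityControlCustomParameters wholesale,
so "also disable CloudWatch.1" must be sent as the full new lists or the earlier
entries are silently lost. This helper starts from the current policy (the
GetConfigurationPolicy response shape) and returns the full request body, which
can be passed as **kwargs to boto3's securityhub.update_configuration_policy.
"""
import copy

# Constructed sample of a GetConfigurationPolicy response; ARNs are placeholders.
CURRENT_POLICY = {
    "Arn": "arn:aws-cn:securityhub:us-east-1:123456789012:configuration-policy/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
    "Description": "Baseline policy",
    "ConfigurationPolicy": {"SecurityHub": {
        "ServiceEnabled": True,
        "EnabledStandardIdentifiers": [
            "arn:aws-cn:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0",
            "arn:aws-cn:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0",
        ],
        "SecurityControlsConfiguration": {
            "DisabledSecurityControlIdentifiers": ["CloudTrail.2"],
            "SecurityControlCustomParameters": [{
                "SecurityControlId": "ACM.1",
                "Parameters": {"daysToExpiration": {"ValueType": "CUSTOM", "Value": {"Integer": 15}}},
            }],
        },
    }},
}


def build_update_request(current, *, disable=(), enable=(), custom_parameters=None,
                         add_standards=(), remove_standards=(), reason=""):
    """Return the full UpdateConfigurationPolicy body for `current` plus the delta.

    A policy carries either a disabled list (everything else on, new controls
    included) or an enabled list (everything else off); whichever list the
    policy already uses is edited, so its semantics are preserved.
    `custom_parameters` maps a control ID to a Parameters dict in the API shape.
    """
    disable, enable = set(disable), set(enable)
    if disable & enable:
        raise ValueError(f"controls listed as both enabled and disabled: {sorted(disable & enable)}")
    policy = copy.deepcopy(current["ConfigurationPolicy"])  # never mutate the caller's copy
    hub = policy["SecurityHub"]
    if not hub.get("ServiceEnabled"):
        raise ValueError("policy disables Security Hub CSPM; no standards or controls to edit")
    controls = hub.setdefault("SecurityControlsConfiguration", {})

    standards = set(hub.get("EnabledStandardIdentifiers", [])) | set(add_standards)
    hub["EnabledStandardIdentifiers"] = sorted(standards - set(remove_standards))

    if "EnabledSecurityControlIdentifiers" in controls:  # allow-list policy
        on = set(controls["EnabledSecurityControlIdentifiers"]) | enable
        controls["EnabledSecurityControlIdentifiers"] = sorted(on - disable)
        is_enabled = lambda cid: cid in controls["EnabledSecurityControlIdentifiers"]
    else:  # deny-list policy (the shape used in the example request above)
        off = set(controls.get("DisabledSecurityControlIdentifiers", [])) | disable
        controls["DisabledSecurityControlIdentifiers"] = sorted(off - enable)
        is_enabled = lambda cid: cid not in controls["DisabledSecurityControlIdentifiers"]

    # Merge overrides per control, then keep only those for controls that stay
    # enabled. Assumption: overrides on a disabled control are not meaningful and
    # would be rejected, so they are dropped rather than sent.
    params = {p["SecurityControlId"]: p["Parameters"]
              for p in controls.get("SecurityControlCustomParameters", [])}
    for cid, overrides in (custom_parameters or {}).items():
        if not is_enabled(cid):
            raise ValueError(f"{cid} is disabled by this policy; cannot customize its parameters")
        params.setdefault(cid, {}).update(overrides)
    controls["SecurityControlCustomParameters"] = [
        {"SecurityControlId": cid, "Parameters": p}
        for cid, p in sorted(params.items()) if is_enabled(cid)]

    request = {"Identifier": current["Arn"], "ConfigurationPolicy": policy}
    if current.get("Description"):
        request["Description"] = current["Description"]
    if reason:
        request["UpdatedReason"] = reason
    return request


if __name__ == "__main__":
    import json
    print(json.dumps(build_update_request(CURRENT_POLICY, disable=["CloudWatch.1"],
                                          reason="Disabling CloudWatch.1"), indent=2))
```

Against a live account, fetch `current` with `client.get_configuration_policy(Identifier=...)`, then call `client.update_configuration_policy(**build_update_request(current, disable=["CloudWatch.1"], reason="..."))` from the delegated administrator in the home Region. Sorting the lists makes successive request bodies diff cleanly, which helps when the policy is kept under version control.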

# Deleting configuration policies
Deleting configuration policies

After creating a configuration policy, the delegated Amazon Security Hub CSPM administrator can delete it. Alternatively, the delegated administrator can retain the policy, but disassociate it from specific accounts or organizational units (OUs), or from the root. For instructions on disassociating a policy, see [Disassociating a configuration from its targets](disassociate-policy.md).

For background information about the benefits of central configuration and how it works, see [Understanding central configuration in Security Hub CSPM](central-configuration-intro.md).

This section explains how to delete configuration policies.

When you delete a configuration policy, it no longer exists for your organization. Target accounts, OUs, and the organization root can no longer use the configuration policy. Targets that were associated with a deleted configuration policy inherit the configuration policy of the closest parent, or become self-managed if the closest parent is self-managed. If you want a target to use a different configuration, you can associate the target with a new configuration policy. For more information, see [Creating and associating configuration policies](create-associate-policy.md).

We recommend creating and associating at least one configuration policy with your organization to provide adequate security coverage.

Before you can delete a configuration policy, you must disassociate the policy from any accounts, OUs, or the root to which it currently applies.

Choose your preferred method, and follow the steps to delete a configuration policy.

------
#### [ Console ]

**To delete a configuration policy**

1. Open the Amazon Security Hub CSPM console at [https://console.amazonaws.cn/securityhub/](https://console.amazonaws.cn/securityhub/).

   Sign in using the credentials of the delegated Security Hub CSPM administrator account in the home Region.

1. In the navigation pane, choose **Settings** and **Configuration**.

1. Choose the **Policies** tab. Select the configuration policy that you want to delete, and choose **Delete**. If the configuration policy is still associated with any accounts or OUs, you're prompted to first disassociate the policy from those targets before you can delete it.

1. Review the confirmation message. Enter **confirm**, and choose **Delete**.

------
#### [ API ]

**To delete a configuration policy**

Invoke the [https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_DeleteConfigurationPolicy.html](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_DeleteConfigurationPolicy.html) API from the Security Hub CSPM delegated administrator account in the home Region.

Provide the Amazon Resource Name (ARN) or ID of the configuration policy that you want to delete. If you receive a `ConflictException` error, the configuration policy still applies to accounts or OUs in your organization. To resolve the error, disassociate the configuration policy from these accounts or OUs before trying to delete it.

**Example API request to delete a configuration policy:**

```
{
    "Identifier": "arn:aws-cn:securityhub:us-east-1:123456789012:configuration-policy/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
}
```

------
#### [ Amazon CLI ]

**To delete a configuration policy**

Run the [https://docs.amazonaws.cn/cli/latest/reference/securityhub/delete-configuration-policy.html](https://docs.amazonaws.cn/cli/latest/reference/securityhub/delete-configuration-policy.html) command from the Security Hub CSPM delegated administrator account in the home Region.

Provide the Amazon Resource Name (ARN) or ID of the configuration policy that you want to delete. If you receive a `ConflictException` error, the configuration policy still applies to accounts or OUs in your organization. To resolve the error, disassociate the configuration policy from these accounts or OUs before trying to delete it.

```
aws securityhub --region us-east-1 delete-configuration-policy \
--identifier "arn:aws-cn:securityhub:us-east-1:123456789012:configuration-policy/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
```

------

# Disassociating a configuration from its targets
Disassociating a configuration

From the delegated Amazon Security Hub CSPM administrator account, you can disassociate a configuration policy or self-managed configuration from an account, OU, or root. Disassociation retains the policy for future use, but removes existing associations from specific accounts, OUs, or the root. You can disassociate only a directly applied configuration, not an inherited configuration. To change an inherited configuration, you can apply a configuration policy or self-managed behavior to the affected account or OU. You can also apply a new configuration policy, which includes your desired modifications, to the closest parent.

Disassociation *doesn't* delete a configuration policy. The policy is retained in your account, so you can associate it with other targets in your organization. For instructions on deleting a configuration policy, see [Deleting configuration policies](delete-policy.md). When disassociation is complete, an affected target inherits the configuration policy or self-managed behavior of the closest parent. If there's no inheritable configuration, a target retains the settings it had prior to disassociation but becomes self-managed.

Choose your preferred method, and follow the steps to disassociate an account, OU, or root from its current configuration.

------
#### [ Console ]

**To disassociate an account or OU from its current configuration**

1. Open the Amazon Security Hub CSPM console at [https://console.amazonaws.cn/securityhub/](https://console.amazonaws.cn/securityhub/).

   Sign in using the credentials of the delegated Security Hub CSPM administrator account in the home Region.

1. In the navigation pane, choose **Settings** and **Configuration**.

1. On the **Organizations** tab, select the account, OU, or the root that you want to disassociate from its current configuration. Choose **Edit**.

1. On the **Define configuration** page, for **Management**, choose **Policy applied** if you want the delegated administrator to be able to apply policies directly to the target. Choose **Inherited** if you want the target to inherit the configuration of its closest parent. In either of these cases, the delegated administrator controls settings for the target. Choose **Self-managed** if you want the account or OU to control its own settings.

1. After reviewing your changes, choose **Next** and **Apply**. This action overrides existing configurations of any accounts or OUs that are in scope, if those configurations conflict with your current selections.

------
#### [ API ]

**To disassociate an account or OU from its current configuration**

1. Invoke the [https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_StartConfigurationPolicyDisassociation.html](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_StartConfigurationPolicyDisassociation.html) API from the Security Hub CSPM delegated administrator account in the home Region.

1. For `ConfigurationPolicyIdentifier`, provide the Amazon Resource Name (ARN) or ID of the configuration policy that you want to disassociate. Provide `SELF_MANAGED_SECURITY_HUB` for this field to disassociate self-managed behavior.

1. For `Target`, provide the accounts, OUs, or the root that you want to disassociate from this configuration policy.

**Example API request to disassociate a configuration policy:**

```
{
    "ConfigurationPolicyIdentifier": "arn:aws-cn:securityhub:us-east-1:123456789012:configuration-policy/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
    "Target": {"RootId": "r-f6g7h8i9j0example"}
}
```

------
#### [ Amazon CLI ]

**To disassociate an account or OU from its current configuration**

1. Run the [https://docs.amazonaws.cn/cli/latest/reference/securityhub/start-configuration-policy-disassociation.html](https://docs.amazonaws.cn/cli/latest/reference/securityhub/start-configuration-policy-disassociation.html) command from the Security Hub CSPM delegated administrator account in the home Region.

1. For `configuration-policy-identifier`, provide the Amazon Resource Name (ARN) or ID of the configuration policy that you want to disassociate. Provide `SELF_MANAGED_SECURITY_HUB` for this field to disassociate self-managed behavior.

1. For `target`, provide the accounts, OUs, or the root that you want to disassociate from this configuration policy.

**Example command to disassociate a configuration policy:**

```
aws securityhub --region us-east-1 start-configuration-policy-disassociation \
--configuration-policy-identifier "arn:aws-cn:securityhub:us-east-1:123456789012:configuration-policy/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111" \
--target '{"RootId": "r-f6g7h8i9j0example"}'
```

------

# Configuring a standard or control in context
In-context configuration

When you use [central configuration](central-configuration-intro.md) in Amazon Security Hub CSPM, the delegated Security Hub CSPM administrator can create configuration policies that specify how Security Hub CSPM, security standards, and security controls are configured for an organization. The delegated administrator can associate policies with specific accounts and organizational units (OU). The policies take effect in your home Region and all linked Regions. The delegated administrator can update configuration policies as necessary.

On the Security Hub CSPM console, the delegated administrator can update configuration policies in two ways—from the **Configuration** page, or in context with existing workflows. The latter can be beneficial because, as you view security findings, you can discover which standards and controls are most relevant to your environment and configure them at the same time.

In-context configuration is available only on the Security Hub CSPM console. Programmatically, the delegated administrator must invoke the [https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_UpdateConfigurationPolicy.html](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_UpdateConfigurationPolicy.html) operation of the Security Hub CSPM API to change how specific standards or controls are configured in the organization.

Follow these steps to configure a Security Hub CSPM standard or control in context.

**To configure a standard or control in context (console)**

1. Open the Amazon Security Hub CSPM console at [https://console.amazonaws.cn/securityhub/](https://console.amazonaws.cn/securityhub/).

   Sign in using the credentials of the delegated Security Hub CSPM administrator account in the home Region.

1. In the navigation pane, choose one of the following options:
   + To configure a standard, choose **Security standards**, and choose a specific standard.
   + To configure a control, choose **Controls**, and choose a specific control.

1. The console lists your existing Security Hub CSPM configuration policies and the status of the selected standard or control in each one. Choose the options to enable or disable the standard or control in each existing configuration policy. For controls, you can also choose to customize [control parameters](custom-control-parameters.md). You can't create a new policy during in-context configuration. To create a new policy, you must go to the **Configuration** page, choose the **Policies** tab, and then choose **Create policy**.

1. After making your changes, choose **Next**.

1. Review your changes, and choose **Apply**. The updates affect all accounts and OUs that are associated with a changed configuration policy. The updates also take effect in the home Region and all linked Regions.

# Disabling central configuration in Security Hub CSPM
Disabling central configuration

When you disable central configuration in Amazon Security Hub CSPM, the delegated administrator loses the ability to configure Security Hub CSPM, security standards, and security controls across multiple Amazon Web Services accounts, organizational units (OUs), and Amazon Web Services Regions. Instead, you must configure most settings separately for each account in each Region.

**Important**  
Before you can disable central configuration, you must first [disassociate your accounts and OUs](disassociate-policy.md) from their current configuration, whether that's a configuration policy or self-managed behavior.  
Before you can disable central configuration, you must also [delete existing configuration policies](delete-policy.md).

When you disable central configuration, the following changes occur:
+ The delegated administrator can no longer create configuration policies for the organization.
+ Accounts that had an applied or inherited configuration policy retain their current settings, but become self-managed.
+ Your organization switches to *local configuration*. Under local configuration, the majority of Security Hub CSPM settings must be configured separately in each organization account and Region. The delegated administrator can choose to automatically enable Security Hub CSPM, [default security standards](securityhub-auto-enabled-standards.md), and all controls that are part of the default standards in new organization accounts. The default standards are Amazon Foundational Security Best Practices (FSBP) and Center for Internet Security (CIS) Amazon Foundations Benchmark v1.2.0. These settings take effect in the current Region only and impact new organization accounts only. The delegated administrator can't change which standards are default. Local configuration doesn't support the use of configuration policies or configuration at the OU level.

The identity of the delegated administrator account remains the same when you stop using central configuration. Your home Region and linked Regions also remain the same (your home Region is now called the aggregation Region, and can be used for finding aggregation).

Choose your preferred method, and follow the steps to stop using central configuration and switch to local configuration.

------
#### [ Security Hub CSPM console ]

**To disable central configuration (console)**

1. Open the Amazon Security Hub CSPM console at [https://console.amazonaws.cn/securityhub/](https://console.amazonaws.cn/securityhub/).

   Sign in using the credentials of the delegated Security Hub CSPM administrator account in the home Region.

1. On the navigation pane, choose **Settings** and **Configuration**.

1. In the **Overview** section, choose **Edit**.

1. In the **Edit organization configuration** box, choose **Local configuration**. If you haven't already, you're prompted to disassociate and delete your current configuration policies before you can stop central configuration. Accounts or OUs that are designated as self-managed must be disassociated from their self-managed configuration. You can do this in the console by [changing the management type](central-configuration-management-type.md#choose-management-type) of each self-managed account or OU to **Centrally managed** and **Inherit from my organization**.

1. Optionally, select the local configuration default settings for new organization accounts.

1. Choose **Confirm**.

------
#### [ Security Hub CSPM API ]

**To disable central configuration (API)**

1. Invoke the [https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_UpdateOrganizationConfiguration.html](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_UpdateOrganizationConfiguration.html) API.

1. Set the `ConfigurationType` field in the `OrganizationConfiguration` object to `LOCAL`. The API returns an error if you have existing configuration policies or policy associations. To disassociate a configuration policy, invoke the `StartConfigurationPolicyDisassociation` API. To delete a configuration policy, invoke the `DeleteConfigurationPolicy` API.

1. If you want to automatically enable Security Hub CSPM in new organization accounts, set the `AutoEnable` field to `true`. By default, the value of this field is `false`, and Security Hub CSPM isn't automatically enabled in new organization accounts. Optionally, if you want to automatically enable default security standards in new organization accounts, set the `AutoEnableStandards` field to `DEFAULT`. This is the default value. If you don't want to automatically enable default security standards in new organization accounts, set the `AutoEnableStandards` field to `NONE`.

**Example API request:**

```
{
    "AutoEnable": true, 
    "OrganizationConfiguration": {
        "ConfigurationType" : "LOCAL"
    }
}
```

------
#### [ Amazon CLI ]

**To disable central configuration (Amazon CLI)**

1. Run the [https://docs.amazonaws.cn/cli/latest/reference/securityhub/update-organization-configuration.html](https://docs.amazonaws.cn/cli/latest/reference/securityhub/update-organization-configuration.html) command.

1. Set the `ConfigurationType` field in the `organization-configuration` object to `LOCAL`. The command returns an error if you have existing configuration policies or policy associations. To disassociate a configuration policy, run the `start-configuration-policy-disassociation` command. To delete a configuration policy, run the `delete-configuration-policy` command.

1. If you want to automatically enable Security Hub CSPM in new organization accounts, include the `--auto-enable` parameter. The default is `--no-auto-enable`, which means Security Hub CSPM isn't automatically enabled in new organization accounts. Optionally, if you want to automatically enable default security standards in new organization accounts, set the `--auto-enable-standards` parameter to `DEFAULT`. This is the default value. If you don't want to automatically enable default security standards in new organization accounts, set the `--auto-enable-standards` parameter to `NONE`.

```
aws securityhub --region us-east-1 update-organization-configuration \
--auto-enable \
--organization-configuration '{"ConfigurationType": "LOCAL"}'
```

------
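The three procedures above (disassociating targets, deleting policies, and switching the organization to local configuration) have to run in a fixed order: a policy can't be deleted while it still has associations, and central configuration can't be disabled while policies or associations exist. The script below is an added example written for this page, not code from the Security Hub CSPM documentation or SDK. It is written against the boto3 `securityhub` client method names, but `FakeSecurityHub` is a constructed in-memory stand-in so the script runs offline; whether self-managed targets appear in `ListConfigurationPolicyAssociations` with the policy ID `SELF_MANAGED_SECURITY_HUB`, and the fake's one-call settle delay, are assumptions made for the example.

```python
"""Retire central configuration in the order the service enforces.

DeleteConfigurationPolicy raises ConflictException while a policy still has
associations, and switching to LOCAL fails while policies or associations
remain. So: disassociate every directly applied target (SELF_MANAGED ones
too), delete each policy once it is free, then switch. Written against boto3
securityhub method names; FakeSecurityHub is a constructed offline stand-in.
"""
import time
from types import SimpleNamespace

SELF_MANAGED = "SELF_MANAGED_SECURITY_HUB"
# TargetType in an association summary -> key expected in a Target argument.
TARGET_KEY = {"ACCOUNT": "AccountId", "ORGANIZATIONAL_UNIT": "OrganizationalUnitId",
              "ROOT": "RootId"}


def _page(call, key, **kwargs):
    """Follow NextToken pagination and yield every item found under `key`."""
    token = None
    while True:
        resp = call(**kwargs, **({"NextToken": token} if token else {}))
        yield from resp.get(key, [])
        token = resp.get("NextToken")
        if not token:
            return


def teardown_to_local(hub, *, auto_enable=True, auto_enable_standards="DEFAULT",
                      attempts=5, wait_seconds=0.0):
    """Disassociate, delete, then switch to LOCAL; returns (targets released, policy IDs deleted).

    Associations can take up to 24 hours to settle, so size attempts/wait_seconds
    for a real run; the defaults suit the fake client below.
    """
    released, deleted = [], []
    # 1. Only directly applied associations can be disassociated; inherited ones
    #    clear when their parent's association does.
    applied = list(_page(hub.list_configuration_policy_associations,
                         "ConfigurationPolicyAssociationSummaries",
                         Filters={"AssociationType": "APPLIED"}))
    for a in applied:
        hub.start_configuration_policy_disassociation(
            ConfigurationPolicyIdentifier=a["ConfigurationPolicyId"],
            Target={TARGET_KEY[a["TargetType"]]: a["TargetId"]})
        released.append(a["TargetId"])
    # 2. ConflictException on delete means associations are still draining: retry.
    for p in list(_page(hub.list_configuration_policies, "ConfigurationPolicySummaries")):
        for _ in range(attempts):
            try:
                hub.delete_configuration_policy(Identifier=p["Arn"])
                deleted.append(p["Id"])
                break
            except hub.exceptions.ConflictException:
                time.sleep(wait_seconds)
        else:
            raise RuntimeError(f"{p['Id']} still associated after {attempts} attempts")
    # 3. With nothing left, the switch to local configuration is accepted.
    hub.update_organization_configuration(
        AutoEnable=auto_enable, AutoEnableStandards=auto_enable_standards,
        OrganizationConfiguration={"ConfigurationType": "LOCAL"})
    return released, deleted


class _ConflictException(Exception):
    """Stand-in for the boto3 client's exceptions.ConflictException."""


class FakeSecurityHub:
    """Constructed model: two policies, three applied targets (one self-managed).
    A disassociation goes PENDING and clears on the next list/delete call (the
    asynchronous settle); delete conflicts while a target still references the
    policy. Listing is unpaginated here, so no NextToken is ever returned."""
    exceptions = SimpleNamespace(ConflictException=_ConflictException)

    def __init__(self):
        arn = "arn:aws-cn:securityhub:us-east-1:123456789012:configuration-policy/"
        self.policies = {"p-1": arn + "p-1", "p-2": arn + "p-2"}
        self.assoc = {"ou-abcd-11111111": ["p-1", "ORGANIZATIONAL_UNIT", "SUCCESS"],
                      "111122223333": ["p-2", "ACCOUNT", "SUCCESS"],
                      "444455556666": [SELF_MANAGED, "ACCOUNT", "SUCCESS"]}
        self.config_type = "CENTRAL"

    def _settle(self):
        for tid in [t for t, a in self.assoc.items() if a[2] == "PENDING"]:
            del self.assoc[tid]

    def list_configuration_policy_associations(self, **_):
        self._settle()
        return {"ConfigurationPolicyAssociationSummaries": [
            {"TargetId": t, "ConfigurationPolicyId": p, "TargetType": tt,
             "AssociationType": "APPLIED", "AssociationStatus": s}
            for t, (p, tt, s) in self.assoc.items()]}

    def start_configuration_policy_disassociation(self, ConfigurationPolicyIdentifier, Target):
        (tid,) = Target.values()
        assert self.assoc[tid][0] == ConfigurationPolicyIdentifier
        self.assoc[tid][2] = "PENDING"

    def list_configuration_policies(self, **_):
        return {"ConfigurationPolicySummaries": [{"Id": i, "Arn": a} for i, a in self.policies.items()]}

    def delete_configuration_policy(self, Identifier):
        pid = Identifier.rsplit("/", 1)[-1]
        still_used = any(a[0] == pid for a in self.assoc.values())
        self._settle()
        if still_used:
            raise _ConflictException(f"{pid} still has associations")
        del self.policies[pid]

    def update_organization_configuration(self, AutoEnable, OrganizationConfiguration,
                                          AutoEnableStandards="DEFAULT"):
        if self.policies or self.assoc:
            raise RuntimeError("policies or associations still exist")
        self.config_type = OrganizationConfiguration["ConfigurationType"]
        return {"AutoEnable": AutoEnable, "AutoEnableStandards": AutoEnableStandards}


if __name__ == "__main__":
    print(teardown_to_local(FakeSecurityHub()))
```

For a real run, replace `FakeSecurityHub()` with `boto3.client("securityhub", region_name=<home Region>)` under the delegated administrator's credentials and raise `attempts` and `wait_seconds` to cover the settle time; the retry loop exists because the `ConflictException` on delete is the service's own signal that disassociation hasn't completed yet, which is more reliable than assuming a fixed delay.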

# Managing administrator and member accounts in Security Hub CSPM
Managing multiple accounts

If your Amazon environment has multiple accounts, you can treat the accounts that use Amazon Security Hub CSPM as member accounts and associate them with a single administrator account. The administrator can monitor your overall security posture and take [allowed actions](securityhub-accounts-allowed-actions.md) on member accounts. The administrator can also perform various account management and administration tasks at scale, such as monitoring estimated usage costs and assessing account quotas.

You can associate member accounts with an administrator in two ways, by integrating Security Hub CSPM with Amazon Organizations or by manually sending and accepting membership invitations in Security Hub CSPM.

## Managing accounts with Amazon Organizations


Amazon Organizations is a global account management service that lets Amazon administrators consolidate and manage multiple Amazon Web Services accounts. It provides account management and consolidated billing features that are designed to support budgetary, security, and compliance needs. It's offered at no additional charge, and it integrates with multiple Amazon Web Services services, including Amazon Security Hub CSPM, Amazon Macie, and Amazon GuardDuty. For more information, see [https://docs.amazonaws.cn/organizations/latest/userguide/orgs_introduction.html](https://docs.amazonaws.cn/organizations/latest/userguide/orgs_introduction.html).

When you integrate Security Hub CSPM and Amazon Organizations, the Organizations management account designates a Security Hub CSPM delegated administrator. Security Hub CSPM is automatically enabled in the delegated administrator account in the Amazon Web Services Region in which it was designated.

After designating a delegated administrator, we recommend managing accounts in Security Hub CSPM with [central configuration](central-configuration-intro.md). This is the most efficient way to customize Security Hub CSPM and ensure adequate security coverage for your organization.

Central configuration lets the delegated administrator customize Security Hub CSPM across multiple organization accounts and Regions rather than configuring Region-by-Region. You can create a configuration policy for your entire organization, or create different configuration policies for different accounts and OUs. The policies specify whether Security Hub CSPM is enabled or disabled in associated accounts and which security standards and controls are enabled.

The delegated administrator can designate accounts as centrally managed or self-managed. Centrally managed accounts are configurable only by the delegated administrator. Self-managed accounts can specify their own settings.

If you don't opt in to central configuration, the delegated administrator has a more limited ability to configure Security Hub CSPM, called *local configuration*. Under local configuration, the delegated administrator can automatically enable Security Hub CSPM and [default security standards](securityhub-auto-enabled-standards.md) in new organization accounts in the current Region. However, existing accounts don't use these settings, so configuration drift can occur after an account joins the organization.

Aside from these new account settings, local configuration is account-specific and Region-specific. Each organization account must configure the Security Hub CSPM service, standards, and controls separately in each Region. Local configuration also doesn't support the use of configuration policies.

## Managing accounts manually by invitation


You must manually manage member accounts by invitation in Security Hub CSPM if you have a standalone account or if you don't integrate with Organizations. A standalone account can't integrate with Organizations, so it's necessary to manage it manually. We recommend integrating with Amazon Organizations and using central configuration if you add additional accounts in the future.

When you use manual account management, you designate an account to be the Security Hub CSPM administrator. The administrator account can view data in member accounts and take certain actions on member account findings. The Security Hub CSPM administrator invites other accounts to be member accounts, and the administrator-member relationship is established when a prospective member account accepts the invitation.

Manual account management doesn't support the use of configuration policies. Without configuration policies, the administrator can't centrally customize Security Hub CSPM by configuring variable settings for different accounts. Instead, each organization account must enable and configure Security Hub CSPM for itself separately in each Region. This can make it more difficult and time consuming to ensure adequate security coverage across all of the accounts and Regions in which you use Security Hub CSPM. It can also cause configuration drift as member accounts can specify their own settings without input from the administrator.

To manage accounts by invitation, see [Managing accounts by invitation in Security Hub CSPM](account-management-manual.md).

# Recommendations for managing multiple accounts in Security Hub CSPM
Recommendations for multi-account environments

The following section summarizes some restrictions and recommendations to keep in mind when managing member accounts in Amazon Security Hub CSPM.

## Maximum number of member accounts


If you use the integration with Amazon Organizations, Security Hub CSPM supports up to 10,000 member accounts per delegated administrator account in each Amazon Web Services Region. If you enable and manage Security Hub CSPM manually, Security Hub CSPM supports up to 1,000 member account invitations per administrator account in each Region.

## Creating administrator-member relationships


**Note**  
If you use the Security Hub CSPM integration with Amazon Organizations, and haven't manually invited any member accounts, this section doesn't apply to you.

An account can't be an administrator account and a member account at the same time.

A member account can only be associated with one administrator account. If an organization account is enabled by the Security Hub CSPM administrator account, the account cannot accept an invitation from another account. If an account has already accepted an invitation, the account cannot be enabled by the Security Hub CSPM administrator account for the organization. It also cannot receive invitations from other accounts.

For the manual invitation process, accepting a membership invitation is optional.

### Membership through Amazon Organizations


If you integrate Security Hub CSPM with Amazon Organizations, the Organizations management account can designate a delegated administrator (DA) account for Security Hub CSPM. The organization management account can't be set as the DA in Organizations. While this is permitted in Security Hub CSPM, we recommend that the Organizations management account *not* be the DA.

We recommend that you choose the same DA account in all Regions. If you use [central configuration](central-configuration-intro.md), then Security Hub CSPM sets the same DA account in all Regions in which you configure Security Hub CSPM for your organization.

We also recommend that you choose the same DA account across Amazon security and compliance services to help you manage security-related issues in a single pane of glass.

### Membership by invitation


For member accounts created by invitation, the administrator-member account association is created only in the Region that the invitation is sent from. The administrator account must enable Security Hub CSPM in each Region that you want to use it in. The administrator account then invites each account to become a member account in that Region.

**Note**  
We recommend using Amazon Organizations instead of Security Hub CSPM invitations to manage your member accounts.

## Coordinating administrator accounts across services


Security Hub CSPM aggregates findings from various Amazon services, such as Amazon GuardDuty, Amazon Inspector, and Amazon Macie. Security Hub CSPM also allows users to pivot from a GuardDuty finding to start an investigation in Amazon Detective.

However, the administrator-member relationships that you set up in these other services do not automatically apply to Security Hub CSPM. Security Hub CSPM recommends that you use the same account as the administrator account for all of these services. This administrator account should be an account that is responsible for security tools. The same account should also be the aggregator account for Amazon Config.

For example, a user from the GuardDuty administrator account A can see findings for GuardDuty member accounts B and C on the GuardDuty console. If account A then enables Security Hub CSPM, users from account A do *not* automatically see GuardDuty findings for accounts B and C in Security Hub CSPM. A Security Hub CSPM administrator-member relationship is also required for these accounts.

To do this, make account A the Security Hub CSPM administrator account and enable accounts B and C to become Security Hub CSPM member accounts.

# Managing Security Hub CSPM for multiple accounts with Amazon Organizations
Managing accounts with Amazon Organizations

You can integrate Amazon Security Hub CSPM with Amazon Organizations, and then manage Security Hub CSPM for accounts in your organization.

To integrate Security Hub CSPM with Amazon Organizations, you create an organization in Amazon Organizations. The Organizations management account designates one account as the Security Hub CSPM delegated administrator for the organization. The delegated administrator can then enable Security Hub CSPM for other accounts in the organization, add those accounts as Security Hub CSPM member accounts, and take allowed actions on the member accounts. The Security Hub CSPM delegated administrator can enable and manage Security Hub CSPM for up to 10,000 member accounts.

The extent of the delegated administrator's configuration abilities depends on whether you use [central configuration](central-configuration-intro.md). With central configuration enabled, you don't need to configure Security Hub CSPM separately in each member account and Amazon Web Services Region. The delegated administrator can enforce specific Security Hub CSPM settings in specified member accounts and organizational units (OUs) across Regions.

The Security Hub CSPM delegated administrator account can perform the following actions on member accounts:
+ If using central configuration, centrally configure Security Hub CSPM for member accounts and OUs by creating Security Hub CSPM configuration policies. Configuration policies can be used to enable and disable Security Hub CSPM, enable and disable standards, and enable and disable controls.
+ Automatically treat *new* accounts as Security Hub CSPM member accounts when they join the organization. If you use central configuration, a configuration policy that is associated with an OU includes existing and new accounts that are part of the OU.
+ Treat *existing* organization accounts as Security Hub CSPM member accounts. This happens automatically if you use central configuration.
+ Disassociate member accounts that belong to the organization. If you use central configuration, you can disassociate a member account only after designating it as self-managed. Alternatively, you can associate a configuration policy that disables Security Hub CSPM with specific centrally managed member accounts.

If you don't opt in to central configuration, your organization uses the default configuration type called local configuration. Under local configuration, the delegated administrator has a more limited ability to enforce settings in member accounts. For more information, see [Understanding local configuration in Security Hub CSPM](local-configuration.md).

For a full list of actions that the delegated administrator can perform on member accounts, see [Allowed actions by administrator and member accounts in Security Hub CSPM](securityhub-accounts-allowed-actions.md).

The topics in this section explain how to integrate Security Hub CSPM with Amazon Organizations and how to manage Security Hub CSPM for accounts in an organization. Where relevant, each section identifies management benefits and differences for users of central configuration.

**Topics**
+ [Integrating Security Hub CSPM with Amazon Organizations](designate-orgs-admin-account.md)
+ [Automatically enabling Security Hub CSPM in new organization accounts](accounts-orgs-auto-enable.md)
+ [Manually enabling Security Hub CSPM in new organization accounts](orgs-accounts-enable.md)
+ [Disassociating Security Hub CSPM member accounts from your organization](accounts-orgs-disassociate.md)

# Integrating Security Hub CSPM with Amazon Organizations
Integrating with Amazon Organizations

To integrate Amazon Security Hub CSPM and Amazon Organizations, you create an organization in Organizations and use the organization management account to designate a delegated Security Hub CSPM administrator account. This enables Security Hub CSPM as a trusted service in Organizations. It also enables Security Hub CSPM in the current Amazon Web Services Region for the delegated administrator account, and it allows the delegated administrator to enable Security Hub CSPM for member accounts, view data in member accounts, and perform other [allowed actions](securityhub-accounts-allowed-actions.md) on member accounts.

If you use [central configuration](central-configuration-intro.md), then the delegated administrator can also create Security Hub CSPM configuration policies that specify how the Security Hub CSPM service, standards, and controls should be configured in organization accounts.

## Creating an organization


An organization is an entity that you create to consolidate your Amazon Web Services accounts so that you can administer them as a single unit.

You can create an organization by using either the Amazon Organizations console or by using a command from the Amazon CLI or one of the SDK APIs. For detailed instructions, see [Create an organization](https://docs.amazonaws.cn/organizations/latest/userguide/orgs_manage_org_create.html) in the *Amazon Organizations User Guide*.

You can use Amazon Organizations to centrally view and manage all of the accounts within your organization. An organization has one management account along with zero or more member accounts. You can organize the accounts in a hierarchical, tree-like structure with a root at the top and organizational units (OUs) nested under the root. Each account can be directly under the root, or placed in one of the OUs in the hierarchy. An OU is a container for specific accounts. For example, you can create a finance OU that includes all accounts related to financial operations. 

## Recommendations for choosing the delegated Security Hub CSPM administrator


If you have an administrator account in place from the manual invitation process and are transitioning to account management with Amazon Organizations, we recommend designating that account as the delegated Security Hub CSPM administrator.

Although the Security Hub CSPM APIs and console allow the organization management account to be the delegated Security Hub CSPM administrator, we recommend choosing two different accounts. This is because users who have access to the organization management account to manage billing are likely to be different from users who need access to Security Hub CSPM for security management.

We recommend using the same delegated administrator across Regions. If you opt in to central configuration, Security Hub CSPM automatically designates the same delegated administrator in your home Region and any linked Regions.

## Verify permissions to configure the delegated administrator


To designate and remove a delegated Security Hub CSPM administrator account, the organization management account must have permissions for the `EnableOrganizationAdminAccount` and `DisableOrganizationAdminAccount` actions in Security Hub CSPM. The Organizations management account must also have administrative permissions for Organizations.

To grant all of the required permissions, attach the following Security Hub CSPM managed policies to the IAM principal for the organization management account:
+ [https://docs.amazonaws.cn/securityhub/latest/userguide/security-iam-awsmanpol.html#security-iam-awsmanpol-awssecurityhubfullaccess](https://docs.amazonaws.cn/securityhub/latest/userguide/security-iam-awsmanpol.html#security-iam-awsmanpol-awssecurityhubfullaccess)
+ [https://docs.amazonaws.cn/securityhub/latest/userguide/security-iam-awsmanpol.html#security-iam-awsmanpol-awssecurityhuborganizationsaccess](https://docs.amazonaws.cn/securityhub/latest/userguide/security-iam-awsmanpol.html#security-iam-awsmanpol-awssecurityhuborganizationsaccess)

## Designating the delegated administrator


To designate the delegated Security Hub CSPM administrator account, you can use the Security Hub CSPM console, Security Hub CSPM API, or Amazon CLI. Security Hub CSPM sets the delegated administrator in the current Amazon Web Services Region only, and you must repeat the action in other Regions. If you start using central configuration, then Security Hub CSPM automatically sets the same delegated administrator in the home Region and linked Regions.

The organization management account doesn't have to enable Security Hub CSPM in order to designate the delegated Security Hub CSPM administrator account.

We recommend that the organization management account is not the delegated Security Hub CSPM administrator account. However, if you do choose the organization management account as the Security Hub CSPM delegated administrator, the management account must have Security Hub CSPM enabled. If the management account does not have Security Hub CSPM enabled, you must enable Security Hub CSPM for it manually. Security Hub CSPM can't be enabled automatically for the organization management account.

You must designate the delegated Security Hub CSPM administrator using one of the following methods. Designating the delegated Security Hub CSPM administrator with the Organizations APIs isn't reflected in Security Hub CSPM.

Choose your preferred method, and follow the steps to designate the delegated Security Hub CSPM administrator account.

------
#### [ Security Hub CSPM console ]

**To designate the delegated administrator while onboarding**

1. Open the Amazon Security Hub CSPM console at [https://console.amazonaws.cn/securityhub/](https://console.amazonaws.cn/securityhub/).

1. Choose **Go to Security Hub CSPM**. You're prompted to sign in to the organization management account.

1. On the **Designate delegated administrator** page, in the **Delegated administrator account** section, specify the delegated administrator account. We recommend choosing the same delegated administrator that you have set for other Amazon security and compliance services.

1. Choose **Set delegated administrator**. You're prompted to sign in to the delegated administrator account (if you're not already) to continue onboarding with central configuration. If you don't want to start central configuration, choose **Cancel**. Your delegated administrator is set, but you aren't yet using central configuration.

**To designate the delegated administrator from the Settings page**

1. Open the Amazon Security Hub CSPM console at [https://console.amazonaws.cn/securityhub/](https://console.amazonaws.cn/securityhub/).

1. In the Security Hub CSPM navigation pane, choose **Settings**. Then choose **General**.

1. If a Security Hub CSPM administrator account is currently assigned, then before you can designate a new account, you must remove the current account.

   Under **Delegated Administrator**, to remove the current account, choose **Remove**.

1. Enter the account ID of the account you want to designate as the **Security Hub CSPM** administrator account.

   You must designate the same Security Hub CSPM administrator account in all Regions. If you designate an account that is different from the account designated in other Regions, the console returns an error.

1. Choose **Delegate**.

------
#### [ Security Hub CSPM API, Amazon CLI ]

From the organization management account, use the [https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_EnableOrganizationAdminAccount.html](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_EnableOrganizationAdminAccount.html) operation of the Security Hub CSPM API. If you're using the Amazon CLI, run the [https://docs.amazonaws.cn/cli/latest/reference/securityhub/enable-organization-admin-account.html](https://docs.amazonaws.cn/cli/latest/reference/securityhub/enable-organization-admin-account.html) command. Provide the Amazon Web Services account ID of the delegated Security Hub CSPM administrator.

The following example designates the delegated Security Hub CSPM administrator. This example is formatted for Linux, macOS, or Unix, and it uses the backslash (`\`) line-continuation character to improve readability.

```
$ aws securityhub enable-organization-admin-account --admin-account-id 123456789012
```

------
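The Security Hub CSPM API sets the delegated administrator in one Region at a time, and the console rejects a DA that differs from other Regions; the section on coordinating administrator accounts across services also recommends one DA for every security service. The following audit script, an added example that is not part of the Security Hub CSPM documentation, checks both properties from the organization management account. It assumes boto3, management-account credentials, the Region list shown, and the service principals other than `securityhub.amazonaws.com`.

```python
"""Audit delegated-administrator (DA) consistency for Security Hub CSPM.

Added example, not code from the Security Hub CSPM documentation. It checks
the two properties the page calls out: the same DA in every Region (the
Security Hub CSPM API sets it per Region) and the same DA across the other
security services. Run from the organization management account. boto3,
the Region list and the service principals other than
securityhub.amazonaws.com are assumptions.
"""
from collections import Counter

# securityhub.amazonaws.com is given on the page; the other principals are
# assumed to be the ones these services register with Amazon Organizations.
SERVICE_PRINCIPALS = {
    "Security Hub CSPM": "securityhub.amazonaws.com",
    "GuardDuty": "guardduty.amazonaws.com",
    "Inspector": "inspector2.amazonaws.com",
    "Macie": "macie.amazonaws.com",
    "Detective": "detective.amazonaws.com",
    "Config": "config.amazonaws.com",
}


def region_drift(admins_by_region, expected=None):
    """Return {region: [admin ids]} for every Region whose enabled Security Hub
    CSPM DA is not exactly `expected`. With `expected=None`, the account that
    is the DA in most Regions is used as the reference. An empty list means the
    DA was never set in that Region (the per-Region API call was skipped)."""
    if expected is None:
        counts = Counter(a for ids in admins_by_region.values() for a in ids)
        expected = counts.most_common(1)[0][0] if counts else None
    return {r: ids for r, ids in admins_by_region.items() if ids != [expected]}


def service_drift(admins_by_service, reference="Security Hub CSPM"):
    """Return {service: [admin ids]} for services whose DA set differs from the
    reference service's DA set (the page recommends one DA for all of them)."""
    ref = admins_by_service.get(reference, [])
    return {s: ids for s, ids in admins_by_service.items() if ids != ref}


def collect_securityhub_admins(session, regions):
    """ListOrganizationAdminAccounts in each Region -> {region: [ENABLED DA ids]}."""
    result = {}
    for region in regions:
        client = session.client("securityhub", region_name=region)
        ids, token = [], None
        while True:
            page = client.list_organization_admin_accounts(
                **({"NextToken": token} if token else {}))
            ids += [a["AccountId"] for a in page.get("AdminAccounts", [])
                    if a.get("Status") == "ENABLED"]
            token = page.get("NextToken")
            if not token:
                break
        result[region] = sorted(ids)
    return result


def collect_service_admins(session, principals=SERVICE_PRINCIPALS):
    """ListDelegatedAdministrators per service principal -> {service: [DA ids]}."""
    org = session.client("organizations")
    result = {}
    for service, principal in principals.items():
        ids, token = [], None
        while True:
            page = org.list_delegated_administrators(
                ServicePrincipal=principal, **({"NextToken": token} if token else {}))
            ids += [d["Id"] for d in page.get("DelegatedAdministrators", [])]
            token = page.get("NextToken")
            if not token:
                break
        result[service] = sorted(ids)
    return result


def main(regions=("cn-north-1", "cn-northwest-1")):  # assumed Region list
    import boto3  # assumption: boto3 installed, management-account credentials
    session = boto3.Session(region_name=regions[0])
    for region, ids in region_drift(collect_securityhub_admins(session, regions)).items():
        print(f"Region drift: {region} has Security Hub CSPM DA {ids or 'none'}")
    for service, ids in service_drift(collect_service_admins(session)).items():
        print(f"Service drift: {service} DA {ids or 'none'} differs from Security Hub CSPM")


if __name__ == "__main__":
    main()
```

A Region reported with an empty list is one where `enable-organization-admin-account` was never run; a service reported with a different account is one where the single-pane-of-glass recommendation above is not met.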

# Removing or changing the delegated administrator


Only the organization management account can remove the delegated Security Hub CSPM administrator account.

To change the delegated Security Hub CSPM administrator, you must first remove the current delegated administrator account and then designate a new one.

**Warning**  
When you use [central configuration](central-configuration-intro.md), you can't use the Security Hub CSPM console or Security Hub CSPM APIs to change or remove the delegated administrator account. If the organization management account uses the Amazon Organizations console or Amazon Organizations APIs to change or remove the delegated Security Hub CSPM administrator, Security Hub CSPM automatically stops central configuration, and deletes your configuration policies and policy associations. Member accounts retain the configurations they had before the delegated administrator was changed or removed.

If you use the Security Hub CSPM console to remove the delegated administrator in one Region, it is automatically removed in all Regions.

The Security Hub CSPM API only removes the delegated Security Hub CSPM administrator account from the Region where the API call or command is issued. You must repeat the action in other Regions.

If you use the Organizations API to remove the delegated Security Hub CSPM administrator account, it is automatically removed in all Regions.

## Removing the delegated administrator (Organizations API, Amazon CLI)


You can use Organizations to remove the delegated Security Hub CSPM administrator in all Regions.

If you use central configuration to manage accounts, removing the delegated administrator account results in the deletion of your configuration policies and policy associations. Member accounts retain the configurations that they had before the delegated administrator was changed or removed. However, these accounts can't be managed by the removed delegated administrator account anymore. They become self-managed accounts that must be configured separately in each Region.

Choose your preferred method, and follow the instructions to remove the delegated Security Hub CSPM administrator account with Amazon Organizations.

------
#### [ Organizations API, Amazon CLI ]

**To remove the delegated Security Hub CSPM administrator**

From the organization management account, use the [https://docs.amazonaws.cn/organizations/latest/APIReference/API_DeregisterDelegatedAdministrator.html](https://docs.amazonaws.cn/organizations/latest/APIReference/API_DeregisterDelegatedAdministrator.html) operation of the Organizations API. If you're using the Amazon CLI, run the [deregister-delegated-administrator](https://docs.amazonaws.cn/cli/latest/reference/organizations/deregister-delegated-administrator.html) command. Provide the account ID of the delegated administrator, and the service principal for Security Hub CSPM, which is `securityhub.amazonaws.com`.

The following example removes the delegated Security Hub CSPM administrator. This example is formatted for Linux, macOS, or Unix, and it uses the backslash (`\`) line-continuation character to improve readability.

```
$ aws organizations deregister-delegated-administrator --account-id 123456789012 --service-principal securityhub.amazonaws.com
```

------

## Removing the delegated administrator (Security Hub CSPM console)


You can use the Security Hub CSPM console to remove the delegated Security Hub CSPM administrator in all Regions.

When the delegated Security Hub CSPM administrator account is removed, the member accounts are disassociated from the removed delegated Security Hub CSPM administrator account.

Security Hub CSPM is still enabled in the member accounts. They become standalone accounts until a new Security Hub CSPM administrator enables them as member accounts.

If the organization management account isn't an enabled account in Security Hub CSPM, then use the option on the **Welcome to Security Hub CSPM** page.

**To remove the delegated Security Hub CSPM administrator account from the Welcome to Security Hub CSPM page**

1. Open the Amazon Security Hub CSPM console at [https://console.amazonaws.cn/securityhub/](https://console.amazonaws.cn/securityhub/).

1. Choose **Go to Security Hub**.

1. Under **Delegated Administrator**, choose **Remove**.

If the organization management account is an enabled account in **Security Hub**, then use the option on the **General** tab of the **Settings** page.

**To remove the delegated Security Hub CSPM administrator account from the Settings page**

1. Open the Amazon Security Hub CSPM console at [https://console.amazonaws.cn/securityhub/](https://console.amazonaws.cn/securityhub/).

1. In the Security Hub CSPM navigation pane, choose **Settings**. Then choose **General**.

1. Under **Delegated Administrator**, choose **Remove**.

## Removing the delegated administrator (Security Hub CSPM API, Amazon CLI)


You can use the Security Hub CSPM API or Security Hub CSPM operations for the Amazon CLI to remove the delegated Security Hub CSPM administrator. When you remove the delegated administrator with one of these methods, it is only removed in the Region where the API call or command was issued. Security Hub CSPM doesn't update other Regions, and it doesn't remove the delegated administrator account in Amazon Organizations.

Choose your preferred method, and follow these steps to remove the delegated Security Hub CSPM administrator account with Security Hub CSPM.

------
#### [ Security Hub CSPM API, Amazon CLI ]

**To remove the delegated Security Hub CSPM administrator**

From the organization management account, use the [https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_DisableOrganizationAdminAccount.html](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_DisableOrganizationAdminAccount.html) operation of the Security Hub CSPM API. If you're using the Amazon CLI, run the [https://docs.amazonaws.cn/cli/latest/reference/securityhub/disable-organization-admin-account.html](https://docs.amazonaws.cn/cli/latest/reference/securityhub/disable-organization-admin-account.html) command. Provide the account ID of the delegated Security Hub CSPM administrator.

The following example removes the delegated Security Hub CSPM administrator. This example is formatted for Linux, macOS, or Unix, and it uses the backslash (`\`) line-continuation character to improve readability.

```
$ aws securityhub disable-organization-admin-account --admin-account-id 123456789012
```

------

# Disabling Security Hub CSPM integration with Amazon Organizations
Disabling integration with Organizations

After an Amazon Organizations organization is integrated with Amazon Security Hub CSPM, the Organizations management account can subsequently disable the integration. As a user of the Organizations management account, you can do this by disabling trusted access for Security Hub CSPM in Amazon Organizations.

When you disable trusted access for Security Hub CSPM, the following occurs:
+ Security Hub CSPM loses its status as a trusted service in Amazon Organizations.
+ The Security Hub CSPM delegated administrator account loses access to Security Hub CSPM settings, data, and resources for all Security Hub CSPM member accounts in all Amazon Web Services Regions.
+ If you were using [central configuration](central-configuration-intro.md), Security Hub CSPM automatically stops using it for your organization. Your configuration policies and policy associations are deleted. Accounts retain the configurations that they had before you disabled trusted access.
+ All Security Hub CSPM member accounts become standalone accounts and retain their current settings. If Security Hub CSPM was enabled for a member account in one or more Regions, Security Hub CSPM continues to be enabled for the account in those Regions. Enabled standards and controls are also unchanged. You can change these settings separately in each account and Region. However, the account is no longer associated with a delegated administrator in any Region.

For additional information about the results of disabling trusted service access, see [Using Amazon Organizations with other Amazon Web Services services](https://docs.amazonaws.cn/organizations/latest/userguide/orgs_integrate_services.html) in the *Amazon Organizations User Guide*. 

To disable trusted access, you can use the Amazon Organizations console, Organizations API, or the Amazon CLI. Only a user of the Organizations management account can disable trusted service access for Security Hub CSPM. For details about the permissions that you need, see [Permissions required to disable trusted access](https://docs.amazonaws.cn/organizations/latest/userguide/orgs_integrate_services.html#orgs_trusted_access_disable_perms) in the *Amazon Organizations User Guide*.

Before you disable trusted access, we recommend working with the delegated administrator for your organization to disable Security Hub CSPM in member accounts and to clean up Security Hub CSPM resources in those accounts.

Choose your preferred method, and follow the steps to disable trusted access for Security Hub CSPM.

------
#### [ Organizations console ]

**To disable trusted access for Security Hub CSPM**

1. Sign in to the Amazon Web Services Management Console using the credentials of the Amazon Organizations management account.

1. Open the Organizations console at [https://console.amazonaws.cn/organizations/](https://console.amazonaws.cn/organizations/).

1. In the navigation pane, choose **Services**.

1. Under **Integrated services**, choose **Amazon Security Hub CSPM**.

1. Choose **Disable trusted access**.

1. Confirm that you want to disable trusted access.

------
#### [ Organizations API ]

**To disable trusted access for Security Hub CSPM**

Invoke the [DisableAWSServiceAccess](https://docs.amazonaws.cn/organizations/latest/APIReference/API_DisableAWSServiceAccess.html) operation of the Amazon Organizations API. For the `ServicePrincipal` parameter, specify the Security Hub CSPM service principal (`securityhub.amazonaws.com`).

------
#### [ Amazon CLI ]

**To disable trusted access for Security Hub CSPM**

Run the Amazon Organizations [disable-aws-service-access](https://docs.amazonaws.cn/cli/latest/reference/organizations/disable-aws-service-access.html) command of the Amazon CLI. For the `service-principal` parameter, specify the Security Hub CSPM service principal (`securityhub.amazonaws.com`).

**Example:**

```
aws organizations disable-aws-service-access --service-principal securityhub.amazonaws.com
```

------

# Automatically enabling Security Hub CSPM in new organization accounts
Automatically enabling Security Hub CSPM in new accounts

When new accounts join your organization, they are added to the list on the **Accounts** page of the Amazon Security Hub CSPM console. For organization accounts, **Type** is **By organization**. By default, new accounts don't become Security Hub CSPM members when they join the organization. Their status is **Not a member**. The delegated administrator account can automatically add new accounts as members and enable Security Hub CSPM in these accounts when they join the organization.

**Note**  
Although many Amazon Web Services Regions are active by default for your Amazon Web Services account, you must activate certain Regions manually. These Regions are called opt-in Regions in this document. To automatically enable Security Hub CSPM in a new account in an opt-in Region, the account must have that Region activated first. Only the account owner can activate the opt-in Region. For more information about opt-in Regions, see [Specify which Amazon Web Services Regions your account can use](https://docs.amazonaws.cn/accounts/latest/reference/manage-acct-regions.html).

This process is different based on whether you use central configuration (recommended) or local configuration.

## Automatically enabling new organization accounts (central configuration)


If you use [central configuration](central-configuration-intro.md), you can automatically enable Security Hub CSPM in new and existing organization accounts by creating a configuration policy in which Security Hub CSPM is enabled. You can then associate the policy with the organization root or specific organizational units (OUs).

If you associate a configuration policy in which Security Hub CSPM is enabled with a specific OU, Security Hub CSPM is automatically enabled in all accounts (existing and new) that belong to that OU. New accounts that don't belong to the OU are self-managed and don't automatically have Security Hub CSPM enabled. If you associate a configuration policy in which Security Hub CSPM is enabled with the root, Security Hub CSPM is automatically enabled in all accounts (existing and new) that join the organization. The exceptions are if an account uses a different policy through application or inheritance, or is self-managed.

In your configuration policy, you can also define which security standards and controls should be enabled in the OU. To generate control findings for enabled standards, the accounts in the OU must have Amazon Config enabled and configured to record required resources. For more information about Amazon Config recording, see [Enabling and configuring Amazon Config](https://docs.amazonaws.cn/securityhub/latest/userguide/securityhub-prereq-config.html).

For instructions on creating a configuration policy, see [Creating and associating configuration policies](create-associate-policy.md).

## Automatically enabling new organization accounts (local configuration)


When you use local configuration and turn on automatic enablement of default standards, Security Hub CSPM adds *new* organization accounts as members and enables Security Hub CSPM in them in the current Region. Other Regions aren't affected. In addition, turning on automatic enablement doesn't enable Security Hub CSPM in *existing* organization accounts unless they were already added as member accounts.

After turning on automatic enablement, default security standards are enabled for new member accounts in the current Region when they join the organization. The default standards are Amazon Foundational Security Best Practices (FSBP) and Center for Internet Security (CIS) Amazon Foundations Benchmark v1.2.0. You can't change the default standards. If you want to enable other standards throughout your organization, or enable standards for select accounts and OUs, we recommend using central configuration.

To generate control findings for the default standards (and other enabled standards), accounts in your organization must have Amazon Config enabled and configured to record required resources. For more information about Amazon Config recording, see [Enabling and configuring Amazon Config](https://docs.amazonaws.cn/securityhub/latest/userguide/securityhub-prereq-config.html).

Choose your preferred method, and follow the steps to automatically enable Security Hub CSPM in new organization accounts. These instructions apply only if you use local configuration.

------
#### [ Security Hub CSPM console ]

**To automatically enable new organization accounts as Security Hub CSPM members**

1. Open the Amazon Security Hub CSPM console at [https://console.amazonaws.cn/securityhub/](https://console.amazonaws.cn/securityhub/).

   Sign in using the credentials of the delegated administrator account.

1. In the Security Hub CSPM navigation pane, under **Settings**, choose **Configuration**.

1. In the **Accounts** section, turn on **Auto-enable accounts**.

------
#### [ Security Hub CSPM API ]

**To automatically enable new organization accounts as Security Hub CSPM members**

Invoke the [https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_UpdateOrganizationConfiguration.html](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_UpdateOrganizationConfiguration.html) API from the delegated administrator account. Set the `AutoEnable` field to `true` to automatically enable Security Hub CSPM in new organization accounts.

------
#### [ Amazon CLI ]

**To automatically enable new organization accounts as Security Hub CSPM members**

Run the [https://docs.amazonaws.cn/cli/latest/reference/securityhub/update-organization-configuration.html](https://docs.amazonaws.cn/cli/latest/reference/securityhub/update-organization-configuration.html) command from the delegated administrator account. Include the `auto-enable` parameter to automatically enable Security Hub CSPM in new organization accounts.

```
aws securityhub update-organization-configuration --auto-enable
```

------

# Manually enabling Security Hub CSPM in new organization accounts
Manually enabling Security Hub CSPM in new accounts

If you don't automatically enable Security Hub CSPM in new organization accounts when they join the organization, then you can add those accounts as members and enable Security Hub CSPM in them manually after they join the organization. You must also manually enable Security Hub CSPM in Amazon Web Services accounts that you previously disassociated from an organization.

**Note**  
This section doesn't apply to you if you use [central configuration](central-configuration-intro.md). If you use central configuration, you can create configuration policies that enable Security Hub CSPM in specified member accounts and organizational units (OUs). You can also enable specific standards and controls in those accounts and OUs.

You can't enable Security Hub CSPM in an account if it is already a member account within a different organization.

You also can't enable Security Hub CSPM in an account that is currently suspended. If you try to enable the service in a suspended account, the account status changes to **Account Suspended**.

When you add an organization account as a member, the outcome depends on whether Security Hub CSPM is already enabled in that account:
+ If the account doesn't have Security Hub CSPM enabled, Security Hub CSPM is enabled in that account. The Amazon Foundational Security Best Practices (FSBP) standard and CIS Amazon Foundations Benchmark v1.2.0 are also enabled in the account unless you turn off default security standards.

  The exception to this is the Organizations management account. Security Hub CSPM cannot be enabled automatically in the Organizations management account. You must manually enable Security Hub CSPM in the Organizations management account before you can add it as a member account.
+ If the account already has Security Hub CSPM enabled, Security Hub CSPM doesn't make any other changes to the account. It only enables the membership.

In order for Security Hub CSPM to generate control findings, member accounts must have Amazon Config enabled and configured to record required resources. For more information, see [Enabling and configuring Amazon Config](https://docs.amazonaws.cn/securityhub/latest/userguide/securityhub-prereq-config.html).

Choose your preferred method, and follow the steps to enable an organization account as a Security Hub CSPM member account.

------
#### [ Security Hub CSPM console ]

**To manually enable organization accounts as Security Hub CSPM members**

1. Open the Amazon Security Hub CSPM console at [https://console.amazonaws.cn/securityhub/](https://console.amazonaws.cn/securityhub/).

   Sign in using the credentials of the delegated administrator account.

1. In the Security Hub CSPM navigation pane, under **Settings**, choose **Configuration**.

1. In the **Accounts** list, select each organization account that you want to enable.

1. Choose **Actions**, and then choose **Add member**.

------
#### [ Security Hub CSPM API ]

**To manually enable organization accounts as Security Hub CSPM members**

Invoke the [https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_CreateMembers.html](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_CreateMembers.html) API from the delegated administrator account. For each account to enable, provide the account ID.

Unlike the manual invitation process, when you invoke `CreateMembers` to enable an organization account, you don't need to send an invitation.

------
#### [ Amazon CLI ]

**To manually enable organization accounts as Security Hub CSPM members**

Run the [https://docs.amazonaws.cn/cli/latest/reference/securityhub/create-members.html](https://docs.amazonaws.cn/cli/latest/reference/securityhub/create-members.html) command from the delegated administrator account. For each account to enable, provide the account ID.

Unlike the manual invitation process, when you run `create-members` to enable an organization account, you don't need to send an invitation.

```
aws securityhub create-members --account-details '[{"AccountId": "<accountId>"}]'
```

**Example**

```
aws securityhub create-members --account-details '[{"AccountId": "123456789111"}, {"AccountId": "123456789222"}]'
```

------
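`CreateMembers` does not fail as a whole when some accounts cannot be enabled (for example a suspended account); it reports them in `UnprocessedAccounts`, and a caller that ignores that field will believe every account is covered. The following added example (not code from the documentation) drives the `CreateMembers` and `ListMembers` operations through their boto3 method names, validates account IDs locally first, separates accepted from rejected IDs, and then confirms `MemberStatus` through the paginated `ListMembers` call. boto3 and delegated-administrator credentials are assumed for real use; the account IDs, the `FakeSecurityHub` class and its rejection message are constructed.

```python
"""Enable organization accounts as members and confirm their MemberStatus.

Added example. `client` follows the boto3 securityhub client's create_members
and list_members signatures; FakeSecurityHub is a constructed offline stand-in.
"""
import re

ACCOUNT_ID = re.compile(r"^\d{12}$")


def enable_org_members(client, account_ids):
    """Call CreateMembers for organization accounts (no invitation is needed).

    Returns {"enabled": [...], "failed": {account_id: ProcessingResult}} so
    that rejected accounts are never silently dropped. Malformed IDs are
    rejected locally before any API call is made.
    """
    bad = [a for a in account_ids if not ACCOUNT_ID.match(a)]
    if bad:
        raise ValueError(f"not 12-digit account IDs: {bad}")
    resp = client.create_members(
        AccountDetails=[{"AccountId": a} for a in account_ids])
    failed = {u["AccountId"]: u.get("ProcessingResult", "")
              for u in resp.get("UnprocessedAccounts", [])}
    return {"enabled": [a for a in account_ids if a not in failed],
            "failed": failed}


def member_statuses(client, account_ids):
    """Walk ListMembers (paginated via NextToken) and map ID -> MemberStatus."""
    wanted = set(account_ids)
    statuses, token = {}, None
    while True:
        kwargs = {"OnlyAssociated": False}  # include non-associated members too
        if token:
            kwargs["NextToken"] = token
        page = client.list_members(**kwargs)
        for m in page.get("Members", []):
            if m["AccountId"] in wanted:
                statuses[m["AccountId"]] = m.get("MemberStatus")
        token = page.get("NextToken")
        if not token:
            return statuses


class FakeSecurityHub:
    """Constructed offline stand-in: one constructed ID is always rejected."""

    def __init__(self):
        self.members = {}

    def create_members(self, AccountDetails):
        unprocessed = []
        for d in AccountDetails:
            if d["AccountId"] == "123456789333":  # constructed "suspended" account
                unprocessed.append({"AccountId": d["AccountId"],
                                    "ProcessingResult": "constructed: account suspended"})
            else:
                self.members[d["AccountId"]] = "Enabled"
        return {"UnprocessedAccounts": unprocessed}

    def list_members(self, OnlyAssociated=True, NextToken=None):
        items = [{"AccountId": a, "MemberStatus": s}
                 for a, s in sorted(self.members.items())]
        idx = int(NextToken) if NextToken else 0
        page = {"Members": items[idx:idx + 1]}  # one per page to exercise paging
        if idx + 1 < len(items):
            page["NextToken"] = str(idx + 1)
        return page


if __name__ == "__main__":
    # Against a real account: import boto3; client = boto3.client("securityhub")
    client = FakeSecurityHub()
    ids = ["123456789111", "123456789222", "123456789333"]
    print(enable_org_members(client, ids))
    print(member_statuses(client, ids))
```

Treat a non-empty `failed` map as an alert condition: an account that stays out of Security Hub CSPM is one whose control findings you are not seeing.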

# Disassociating Security Hub CSPM member accounts from your organization
Disassociating organization member accounts

To stop receiving and viewing findings from an Amazon Security Hub CSPM member account, you can disassociate the member account from your organization.

**Note**  
If you use [central configuration](central-configuration-intro.md), disassociation works differently. You can create a configuration policy that disables Security Hub CSPM in one or more centrally managed member accounts. After that, these accounts are still part of the organization, but won't generate Security Hub CSPM findings. If you use central configuration but also have manually-invited member accounts, you can disassociate one or more manually-invited accounts.

Member accounts that are managed using Amazon Organizations can't disassociate their accounts from the administrator account. Only the administrator account can disassociate a member account.

Disassociating a member account does not close the account. Instead, it removes the member account from the organization. The disassociated member account becomes a standalone Amazon Web Services account that is no longer managed by the Security Hub CSPM integration with Amazon Organizations.

Choose your preferred method, and follow the steps to disassociate a member account from the organization.

------
#### [ Security Hub CSPM console ]

**To disassociate a member account from the organization**

1. Open the Amazon Security Hub CSPM console at [https://console.amazonaws.cn/securityhub/](https://console.amazonaws.cn/securityhub/).

   Sign in using the credentials of the delegated administrator account.

1. In the navigation pane, under **Settings**, choose **Configuration**.

1. In the **Accounts** section, select the accounts that you want to disassociate. If you use central configuration, you can select a manually-invited account to disassociate from the `Invitation accounts` tab. This tab is visible only if you use central configuration.

1. Choose **Actions**, and then choose **Disassociate account**.

------
#### [ Security Hub CSPM API ]

**To disassociate a member account from the organization**

Invoke the [https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_DisassociateMembers.html](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_DisassociateMembers.html) API from the delegated administrator account. You must provide the Amazon Web Services account IDs for the member accounts to disassociate. To view a list of member accounts, invoke the [https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_ListMembers.html](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_ListMembers.html) API.

------
#### [ Amazon CLI ]

**To disassociate a member account from the organization**

Run the [disassociate-members](https://docs.amazonaws.cn/cli/latest/reference/securityhub/disassociate-members.html) command from the delegated administrator account. You must provide the Amazon Web Services account IDs for the member accounts to disassociate. To view a list of member accounts, run the [list-members](https://docs.amazonaws.cn/cli/latest/reference/securityhub/list-members.html) command.

```
aws securityhub disassociate-members --account-ids "<accountIds>"
```

**Example**

```
aws securityhub disassociate-members --account-ids "123456789111" "123456789222"
```

------

You can also use the Amazon Organizations console, Amazon CLI, or Amazon SDKs to disassociate a member account from your organization. For more information, see [Removing a member account from your organization](https://docs.amazonaws.cn/organizations/latest/userguide/orgs_manage_accounts_remove.html) in the *Amazon Organizations User Guide*.

# Managing accounts by invitation in Security Hub CSPM
Managing accounts by invitation

You can centrally manage multiple Amazon Security Hub CSPM accounts in two ways: by integrating Security Hub CSPM with Amazon Organizations, or by manually sending and accepting membership invitations. You must use the manual process if you have a standalone account or you don't integrate with Amazon Organizations. In manual account management, the Security Hub CSPM administrator invites accounts to become members. The administrator-member relationship is established when a prospective member accepts the invitation. A Security Hub CSPM administrator account can manage Security Hub CSPM for up to 1,000 invitation-based member accounts.

**Note**  
If you create an invitation-based organization in Security Hub CSPM, you can subsequently [transition to using Amazon Organizations](accounts-transition-to-orgs.md) instead. If you have more than one member account, we recommend using Amazon Organizations instead of Security Hub CSPM invitations to manage your member accounts. For information, see [Managing Security Hub CSPM for multiple accounts with Amazon Organizations](securityhub-accounts-orgs.md).

Cross-Region aggregation of findings and other data is available for accounts that you invite through the manual invitation process. However, the administrator must invite the member account from the aggregation Region and all linked Regions in order for cross-Region aggregation to work. In addition, the member account must have Security Hub CSPM enabled in the aggregation Region and all linked Regions to give the administrator the ability to view findings from the member account.

Configuration policies aren't supported for manually-invited member accounts. Instead, you must configure Security Hub CSPM settings separately in each member account and Amazon Web Services Region when you use the manual invitation process.

You must also use the manual invitation-based process for accounts that don't belong to your organization. For example, you might not include a test account in your organization. Or, you might want to consolidate accounts from multiple organizations under a single Security Hub CSPM administrator account. The Security Hub CSPM administrator account must send invitations to accounts that belong to other organizations.

On the **Configuration** page of the Security Hub CSPM console, accounts that were added by invitation are listed in the **Invitation accounts** tab. If you use [central configuration](central-configuration-intro.md), but also invite accounts outside of your organization, you can view findings from invitation-based accounts in this tab. However, the Security Hub CSPM administrator can't configure invitation-based accounts across Regions through the use of configuration policies.

The topics in this section explain how to manage member accounts through invitations.

**Topics**
+ [Adding and inviting member accounts in Security Hub CSPM](securityhub-accounts-add-invite.md)
+ [Responding to an invitation to be a Security Hub CSPM member account](securityhub-invitation-respond.md)
+ [Disassociating member accounts in Security Hub CSPM](securityhub-disassociate-members.md)
+ [Deleting member accounts in Security Hub CSPM](securityhub-delete-member-accounts.md)
+ [Disassociating from a Security Hub CSPM administrator account](securityhub-disassociate-from-admin.md)
+ [Transitioning to Organizations to manage accounts in Security Hub CSPM](accounts-transition-to-orgs.md)

# Adding and inviting member accounts in Security Hub CSPM
Adding and inviting member accounts

**Note**  
We recommend using Amazon Organizations instead of Security Hub CSPM invitations to manage your member accounts. For information, see [Managing Security Hub CSPM for multiple accounts with Amazon Organizations](securityhub-accounts-orgs.md).

Your account becomes the Amazon Security Hub CSPM administrator for accounts that accept your invitation to become a Security Hub CSPM member account.

When you accept an invitation from another account, your account becomes a member account, and that account becomes your administrator.

If your account is an administrator account, you can't accept an invitation to become a member account.

Adding a member account consists of the following steps:

1. The administrator account adds the member account to their list of member accounts.

1. The administrator account sends an invitation to the member account.

1. The member account accepts the invitation. 

## Adding member accounts


From the Security Hub CSPM console, you can add accounts to your list of member accounts. In the Security Hub CSPM console, you can select accounts individually, or upload a `.csv` file that contains the account information.

For each account, you must provide the account ID and an email address. The email address should be the address to contact about security issues in the account. It is not used to verify the account.

Choose your preferred method, and follow the steps to add member accounts.

------
#### [ Security Hub CSPM console ]

**To add accounts to your list of member accounts**

1. Open the Amazon Security Hub CSPM console at [https://console.amazonaws.cn/securityhub/](https://console.amazonaws.cn/securityhub/).

   Sign in using the credentials of the administrator account.

1. In the left pane, choose **Settings**.

1. On the **Settings** page, choose **Accounts** and then choose **Add accounts**. You can then either add accounts individually or upload a `.csv` file containing the list of accounts.

1. To select the accounts, do one of the following:
   + To add the accounts individually, under **Enter accounts**, enter the account ID and email address of the account to add, and then choose **Add**.

     Repeat this process for each account.
   + To use a comma-separated values (.csv) file to add multiple accounts, first create the file. The file must contain the account ID and email address for each account to add.

     In your `.csv` list, accounts must appear one per line. The first line of the `.csv` file must contain the header. In the header, the first column is **Account ID** and the second column is **Email**.

     Each subsequent line must contain a valid account ID and email address for the account to add.

     Here is an example of a `.csv` file when viewed in a text editor.

     ```
     Account ID,Email
     111111111111,user@example.com
     ```

     In a spreadsheet program, the fields appear in separate columns. The underlying format is still comma-separated. You must format the account IDs as non-decimal numbers. For example, the account ID 444455556666 cannot be formatted as 444455556666.0. Also make sure that the number formatting does not remove any leading zeros from the account ID.

     To select the file, on the console, choose **Upload list (.csv)**. Then choose **Browse**.

     After you select the file, choose **Add accounts**.

1. After you finish adding accounts, under **Accounts to be added**, choose **Next**.

------
#### [ Security Hub CSPM API ]

**To add accounts to your list of member accounts**

Invoke the [https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_CreateMembers.html](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_CreateMembers.html) API from the administrator account. For each member account to add, you must provide the Amazon Web Services account ID.

------
#### [ Amazon CLI ]

**To add accounts to your list of member accounts**

Run the [https://docs.amazonaws.cn/cli/latest/reference/securityhub/create-members.html](https://docs.amazonaws.cn/cli/latest/reference/securityhub/create-members.html) command from the administrator account. For each member account to add, you must provide the Amazon Web Services account ID.

```
aws securityhub create-members --account-details '[{"AccountId": "<accountID1>"}]'
```

**Example**

```
aws securityhub create-members --account-details '[{"AccountId": "123456789111"}, {"AccountId": "123456789222"}]'
```

------
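The `.csv` rules above (exact header, one account per line, 12-digit IDs with leading zeros intact and no spreadsheet decimal such as `444455556666.0`) are easy to break when the file passes through a spreadsheet, and the `--account-details` JSON for `create-members` needs the same values. The following added example (not code from the documentation) validates such a file and converts it into the `AccountDetails` list that `CreateMembers` accepts, reporting each bad row by line number. The sample file is constructed; the email check is deliberately loose because the address is only a contact, not something the service verifies.

```python
"""Validate a member-account .csv and build AccountDetails for CreateMembers.

Added example. SAMPLE_CSV is a constructed file with one good row, one row
mangled by spreadsheet number formatting, and one ID with a leading zero.
"""
import csv
import io
import re

EXPECTED_HEADER = ["Account ID", "Email"]
ACCOUNT_ID = re.compile(r"^\d{12}$")
EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")  # contact address, loosely checked


def parse_members_csv(text):
    """Return (account_details, errors).

    account_details is a list of {"AccountId", "Email"} dicts in the shape the
    CreateMembers API takes; errors is a list of (line_number, message) pairs
    for rows that must be fixed before upload. A wrong header is fatal.
    """
    rows = list(csv.reader(io.StringIO(text)))
    if not rows or [c.strip() for c in rows[0]] != EXPECTED_HEADER:
        return [], [(1, f"header must be exactly {','.join(EXPECTED_HEADER)}")]
    details, errors, seen = [], [], set()
    for lineno, row in enumerate(rows[1:], start=2):
        if not row or all(not c.strip() for c in row):
            continue  # blank line
        if len(row) != 2:
            errors.append((lineno, "expected two columns: account ID and email"))
            continue
        account_id, email = (c.strip() for c in row)
        if not ACCOUNT_ID.match(account_id):
            hint = " (spreadsheet decimal formatting?)" if "." in account_id else ""
            errors.append((lineno, f"invalid account ID {account_id!r}{hint}"))
            continue
        if not EMAIL.match(email):
            errors.append((lineno, f"invalid email {email!r}"))
            continue
        if account_id in seen:
            errors.append((lineno, f"duplicate account ID {account_id}"))
            continue
        seen.add(account_id)
        details.append({"AccountId": account_id, "Email": email})
    return details, errors


SAMPLE_CSV = """Account ID,Email
111111111111,user@example.com
444455556666.0,ops@example.com
012345678901,sec@example.com
"""

if __name__ == "__main__":
    import json
    details, errors = parse_members_csv(SAMPLE_CSV)
    for lineno, msg in errors:
        print(f"line {lineno}: {msg}")
    # The JSON below is what `aws securityhub create-members --account-details` expects.
    print(json.dumps(details))
```

Because account IDs are kept as strings end to end, the leading zero in `012345678901` survives, which is exactly what a spreadsheet's numeric column would have stripped.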

## Inviting member accounts


After you add the member accounts, you send an invitation to the member account. You can also resend an invitation to an account that you disassociated from the administrator.

------
#### [ Security Hub CSPM console ]

**To invite prospective member accounts**

1. Open the Amazon Security Hub CSPM console at [https://console.amazonaws.cn/securityhub/](https://console.amazonaws.cn/securityhub/).

   Sign in using the credentials of the administrator account.

1. In the navigation pane, choose **Settings**, and then choose **Accounts**. 

1. For the account to invite, choose **Invite** in the **Status** column.

1. When prompted to confirm, choose **Invite**.

**Note**  
To resend invitations to disassociated accounts, select each disassociated account on the **Accounts** page. For **Actions**, choose **Resend invitation**.

------
#### [ Security Hub CSPM API ]

**To invite prospective member accounts**

Invoke the [https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_InviteMembers.html](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_InviteMembers.html) API from the administrator account. For each account to invite, you must provide the Amazon Web Services account ID.

------
#### [ Amazon CLI ]

**To invite prospective member accounts**

Run the [https://docs.amazonaws.cn/cli/latest/reference/securityhub/invite-members.html](https://docs.amazonaws.cn/cli/latest/reference/securityhub/invite-members.html) command from the administrator account. For each account to invite, you must provide the Amazon Web Services account ID.

```
aws securityhub invite-members --account-ids <accountIDs>
```

**Example**

```
aws securityhub invite-members --account-ids "123456789111" "123456789222"
```

------

# Responding to an invitation to be a Security Hub CSPM member account
Responding to an invitation

**Note**  
We recommend using Amazon Organizations instead of Security Hub CSPM invitations to manage your member accounts. For information, see [Managing Security Hub CSPM for multiple accounts with Amazon Organizations](securityhub-accounts-orgs.md).

You can accept or decline an invitation to be an Amazon Security Hub CSPM member account.

If you accept an invitation, your account becomes a Security Hub CSPM member account. The account that sent the invitation becomes your Security Hub CSPM administrator account. The administrator account user can view findings for your member account in Security Hub CSPM.

If you decline the invitation, then your account is marked as **Resigned** on the administrator account's list of member accounts.

You can only accept one invitation to be a member account.

Before you can accept or decline an invitation, you must enable Security Hub CSPM.

Remember that all Security Hub CSPM accounts must have Amazon Config enabled and configured to record all resources. For details on the requirement for Amazon Config, see [Enabling and configuring Amazon Config](https://docs.amazonaws.cn/securityhub/latest/userguide/securityhub-prereq-config.html).

## Accepting an invitation


You can send an invitation to be a Security Hub CSPM member account from the administrator account. You can then accept the invitation after signing in to the member account.

Choose your preferred method, and follow the steps to accept an invitation to be a member account.

------
#### [ Security Hub CSPM console ]

**To accept a membership invitation**

1. Open the Amazon Security Hub CSPM console at [https://console.amazonaws.cn/securityhub/](https://console.amazonaws.cn/securityhub/).

1. In the navigation pane, choose **Settings**, and then choose **Accounts**.

1. In the **Administrator account** section, turn on **Accept**, and then choose **Accept invitation**.

------
#### [ Security Hub CSPM API ]

**To accept a membership invitation**

Invoke the [https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_AcceptAdministratorInvitation.html](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_AcceptAdministratorInvitation.html) API. You must provide the invitation identifier and the Amazon Web Services account ID of the administrator account. To retrieve details about the invitation, use the [https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_ListInvitations.html](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_ListInvitations.html) operation.

------
#### [ Amazon CLI ]

**To accept a membership invitation**

Run the [https://docs.amazonaws.cn/cli/latest/reference/securityhub/accept-administrator-invitation.html](https://docs.amazonaws.cn/cli/latest/reference/securityhub/accept-administrator-invitation.html) command. You must provide the invitation identifier and the Amazon Web Services account ID of the administrator account. To retrieve details about the invitation, run the [https://docs.amazonaws.cn/cli/latest/reference/securityhub/list-invitations.html](https://docs.amazonaws.cn/cli/latest/reference/securityhub/list-invitations.html) command.

```
aws securityhub accept-administrator-invitation --administrator-id <administratorAccountID> --invitation-id <invitationID>
```

**Example**

```
aws securityhub accept-administrator-invitation --administrator-id 123456789012 --invitation-id 7ab938c5d52d7904ad09f9e7c20cc4eb
```

------

**Note**  
The Security Hub CSPM console continues to use `AcceptInvitation`. It will eventually change to use `AcceptAdministratorInvitation`. Any IAM policies that specifically control access to this function must continue to use `AcceptInvitation`. You should also add `AcceptAdministratorInvitation` to your policies to ensure that the correct permissions are in place after the console begins to use `AcceptAdministratorInvitation`.

## Declining an invitation


You can decline an invitation to be a Security Hub CSPM member account. When you decline an invitation in the Security Hub CSPM console, your account is marked as **Resigned** on the administrator account's list of member accounts. The **Resigned** status appears only when you sign in to the Security Hub CSPM console using the administrator account. However, the invitation remains unchanged in the console for the member account until you sign in to the administrator account and delete the invitation.

To decline an invitation, you must sign in to the member account that received the invitation.

Choose your preferred method, and follow the steps to decline an invitation to be a member account.

------
#### [ Security Hub CSPM console ]

**To decline a membership invitation**

1. Open the Amazon Security Hub CSPM console at [https://console.amazonaws.cn/securityhub/](https://console.amazonaws.cn/securityhub/).

1. In the navigation pane, choose **Settings**, and then choose **Accounts**.

1. In the **Administrator account** section, choose **Decline invitation**.

------
#### [ Security Hub CSPM API ]

**To decline a membership invitation**

Invoke the [https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_DeclineInvitations.html](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_DeclineInvitations.html) API. You must provide the Amazon Web Services account ID of the administrator account that issued the invitation. To view information about your invitations, use the [https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_ListInvitations.html](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_ListInvitations.html) operation.

------
#### [ Amazon CLI ]

**To decline a membership invitation**

Run the [https://docs.amazonaws.cn/cli/latest/reference/securityhub/decline-invitations.html](https://docs.amazonaws.cn/cli/latest/reference/securityhub/decline-invitations.html) command. You must provide the Amazon Web Services account ID of the administrator account that issued the invitation. To view information about your invitations, run the [https://docs.amazonaws.cn/cli/latest/reference/securityhub/list-invitations.html](https://docs.amazonaws.cn/cli/latest/reference/securityhub/list-invitations.html) command.

```
aws securityhub decline-invitations --account-ids "<administratorAccountId>"
```

**Example**

```
aws securityhub decline-invitations --account-ids "123456789012"
```

------
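Accepting an invitation gives the sending account visibility into all of your findings, and the text notes that you can accept only one. A member account should therefore accept the invitation from the administrator it expects and decline anything else rather than leave it pending. The following added example (not code from the documentation) does that with the `ListInvitations`, `AcceptAdministratorInvitation` and `DeclineInvitations` operations through their boto3 method names. boto3 and the member account's credentials are assumed for real use; `EXPECTED_ADMIN`, the second inviter and the `FakeSecurityHub` class are constructed (the first invitation ID is the one shown in the CLI example above).

```python
"""Accept the membership invitation from the expected administrator only.

Added example. `client` follows the boto3 securityhub client's
list_invitations, accept_administrator_invitation and decline_invitations
signatures; FakeSecurityHub is a constructed offline stand-in.
"""

EXPECTED_ADMIN = "123456789012"  # constructed: the administrator account you run


def list_all_invitations(client):
    """Collect every invitation across ListInvitations pages (NextToken)."""
    invitations, token = [], None
    while True:
        page = client.list_invitations(NextToken=token) if token else client.list_invitations()
        invitations.extend(page.get("Invitations", []))
        token = page.get("NextToken")
        if not token:
            return invitations


def respond_to_invitations(client, expected_admin):
    """Accept the invitation from expected_admin; decline all others.

    Only one invitation may be accepted, so the guard on `accepted` keeps a
    duplicate invitation from the same administrator from being accepted twice.
    Returns {"accepted": admin_id_or_None, "declined": [sender_ids]}.
    """
    accepted, declined = None, []
    for inv in list_all_invitations(client):
        sender = inv["AccountId"]
        if sender == expected_admin and accepted is None:
            client.accept_administrator_invitation(
                AdministratorId=sender, InvitationId=inv["InvitationId"])
            accepted = sender
        else:
            declined.append(sender)
    if declined:
        client.decline_invitations(AccountIds=declined)
    return {"accepted": accepted, "declined": declined}


class FakeSecurityHub:
    """Constructed offline stand-in with one expected and one unknown inviter."""

    def __init__(self):
        self.invitations = [
            {"AccountId": "123456789012",
             "InvitationId": "7ab938c5d52d7904ad09f9e7c20cc4eb",
             "MemberStatus": "Invited"},
            {"AccountId": "999999999999",  # constructed unknown account
             "InvitationId": "ffffffffffffffffffffffffffffffff",
             "MemberStatus": "Invited"},
        ]
        self.accepted = []
        self.declined = []

    def list_invitations(self, NextToken=None):
        return {"Invitations": list(self.invitations)}

    def accept_administrator_invitation(self, AdministratorId, InvitationId):
        self.accepted.append((AdministratorId, InvitationId))
        return {}

    def decline_invitations(self, AccountIds):
        self.declined.extend(AccountIds)
        return {"UnprocessedAccounts": []}


if __name__ == "__main__":
    # Against a real account: import boto3; client = boto3.client("securityhub")
    print(respond_to_invitations(FakeSecurityHub(), EXPECTED_ADMIN))
```

Keep `EXPECTED_ADMIN` in configuration rather than hard-coded in production, and log every declined sender: an unexpected invitation is worth investigating, since it means some other account wanted your findings.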

# Disassociating member accounts in Security Hub CSPM
Disassociating member accounts

**Note**  
We recommend using Amazon Organizations instead of Security Hub CSPM invitations to manage your member accounts. For information, see [Managing Security Hub CSPM for multiple accounts with Amazon Organizations](securityhub-accounts-orgs.md).

An Amazon Security Hub CSPM administrator account can disassociate a member account to stop receiving and viewing findings from that account. You must disassociate a member account before you can delete it.

When you disassociate a member account, it remains in your list of member accounts with a status of **Removed (Disassociated)**. Your account is removed from the administrator account information for the member account.

To resume receiving findings for the account, you can resend the invitation. To remove the member account entirely, you can delete the member account.

Choose your preferred method, and follow the steps to disassociate a manually-invited member account from the administrator account.

------
#### [ Security Hub CSPM console ]

**To disassociate a manually-invited member account**

1. Open the Amazon Security Hub CSPM console at [https://console.amazonaws.cn/securityhub/](https://console.amazonaws.cn/securityhub/).

   Sign in using the credentials of the administrator account.

1. In the navigation pane, under **Settings**, choose **Configuration**.

1. In the **Accounts** section, select the accounts that you want to disassociate.

1. Choose **Actions**, and then choose **Disassociate account**.

------
#### [ Security Hub CSPM API ]

**To disassociate a manually-invited member account**

Invoke the [https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_DisassociateMembers.html](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_DisassociateMembers.html) API from the administrator account. You must provide the Amazon Web Services account IDs of the member accounts that you want to disassociate. To view a list of member accounts, use the [https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_ListMembers.html](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_ListMembers.html) operation.

------
#### [ Amazon CLI ]

**To disassociate a manually-invited member account**

Run the [https://docs.amazonaws.cn/cli/latest/reference/securityhub/disassociate-members.html](https://docs.amazonaws.cn/cli/latest/reference/securityhub/disassociate-members.html) command from the administrator account. You must provide the Amazon Web Services account IDs of the member accounts that you want to disassociate. To view a list of member accounts, run the [https://docs.amazonaws.cn/cli/latest/reference/securityhub/list-members.html](https://docs.amazonaws.cn/cli/latest/reference/securityhub/list-members.html) command.

```
aws securityhub disassociate-members --account-ids <accountIds>
```

**Example**

```
aws securityhub disassociate-members --account-ids "123456789111" "123456789222"
```

------

# Deleting member accounts in Security Hub CSPM
Deleting member accounts

**Note**  
We recommend using Amazon Organizations instead of Security Hub CSPM invitations to manage your member accounts. For information, see [Managing Security Hub CSPM for multiple accounts with Amazon Organizations](securityhub-accounts-orgs.md).

As an Amazon Security Hub CSPM administrator account, you can delete member accounts that were added by invitation. Before you can delete an enabled account, you must disassociate it.

When you delete a member account, it is completely removed from the list. To restore the account's membership, you must add and invite it again as if it were a completely new member account.

You can't delete accounts that belong to an organization and that are managed using the integration with Amazon Organizations.

Choose your preferred method, and follow the steps to delete manually-invited member accounts.

------
#### [ Security Hub CSPM console ]

**To delete a manually-invited member account**

1. Open the Amazon Security Hub CSPM console at [https://console.amazonaws.cn/securityhub/](https://console.amazonaws.cn/securityhub/).

   Sign in using the administrator account.

1. In the navigation pane, choose **Settings**, and then choose **Configuration**.

1. Choose the **Invitation accounts** tab. Then, select the accounts to delete.

1. Choose **Actions**, and then choose **Delete**. This option is available only if you have disassociated the account. You must disassociate a member account before it can be deleted.

------
#### [ Security Hub CSPM API ]

**To delete a manually-invited member account**

Invoke the [https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_DeleteMembers.html](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_DeleteMembers.html) API from the administrator account. You must provide the Amazon Web Services account IDs of the member accounts that you want to delete. To retrieve the list of member accounts, invoke the [https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_ListMembers.html](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_ListMembers.html) API.

------
#### [ Amazon CLI ]

**To delete a manually-invited member account**

Run the [https://docs.amazonaws.cn/cli/latest/reference/securityhub/delete-members.html](https://docs.amazonaws.cn/cli/latest/reference/securityhub/delete-members.html) command from the administrator account. You must provide the Amazon Web Services account IDs of the member accounts that you want to delete. To retrieve the list of member accounts, run the [https://docs.amazonaws.cn/cli/latest/reference/securityhub/list-members.html](https://docs.amazonaws.cn/cli/latest/reference/securityhub/list-members.html) command.

```
aws securityhub delete-members --account-ids <memberAccountIDs>
```

**Example**

```
aws securityhub delete-members --account-ids "123456789111" "123456789222"
```

------

# Disassociating from a Security Hub CSPM administrator account
Disassociating from an administrator account

**Note**  
We recommend using Amazon Organizations instead of Security Hub CSPM invitations to manage your member accounts. For information, see [Managing Security Hub CSPM for multiple accounts with Amazon Organizations](securityhub-accounts-orgs.md).

If your account was added as an Amazon Security Hub CSPM member account by invitation, you can disassociate the member account from the administrator account. After you disassociate a member account, Security Hub CSPM doesn't send findings from the account to the administrator account.

Member accounts that are managed using the integration with Amazon Organizations can't disassociate their accounts from the administrator account. Only the Security Hub CSPM delegated administrator can disassociate member accounts that are managed with Organizations.

When you disassociate from your administrator account, your account remains in the administrator account's member list with a status of **Resigned**. However, the administrator account does not receive any findings for your account.

After you disassociate yourself from the administrator account, the invitation to be a member still remains. You can accept the invitation again in the future.

------
#### [ Security Hub CSPM console ]

**To disassociate from your administrator account**

1. Open the Amazon Security Hub CSPM console at [https://console.amazonaws.cn/securityhub/](https://console.amazonaws.cn/securityhub/).

1. In the navigation pane, choose **Settings**, and then choose **Accounts**.

1. In the **Administrator account** section, turn off **Accept**, and then choose **Update**.

------
#### [ Security Hub CSPM API ]

**To disassociate from your administrator account**

Invoke the [https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_DisassociateFromAdministratorAccount.html](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_DisassociateFromAdministratorAccount.html) API.

------
#### [ Amazon CLI ]

**To disassociate from your administrator account**

Run the [https://docs.amazonaws.cn/cli/latest/reference/securityhub/disassociate-from-administrator-account.html](https://docs.amazonaws.cn/cli/latest/reference/securityhub/disassociate-from-administrator-account.html) command.

```
aws securityhub disassociate-from-administrator-account
```

------

**Note**  
The Security Hub CSPM console continues to use `DisassociateFromMasterAccount`. It will eventually change to use `DisassociateFromAdministratorAccount`. Any IAM policies that specifically control access to this function must continue to use `DisassociateFromMasterAccount`. You should also add `DisassociateFromAdministratorAccount` to your policies to ensure that the correct permissions are in place after the console begins to use `DisassociateFromAdministratorAccount`.
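The note above means a policy that names only the legacy action will stop working for console users once the switch happens, while a policy that names only the new action blocks them today. The following added example (not AWS or Security Hub code) is a static check you can run over policy documents you have already pulled with `aws iam get-policy-version`: it classifies each policy with respect to the two actions, honours IAM's glob-style action patterns, and produces a corrected copy. The embedded policy documents are constructed for illustration; the check deliberately ignores `Deny` statements, conditions and resource ARNs, so treat its result as "is the action granted somewhere", not as a full authorization simulation.

```python
"""Check IAM policy documents for the DisassociateFromMasterAccount /
DisassociateFromAdministratorAccount pairing the note above describes.

Added example, not AWS documentation code. The policy documents embedded
below are constructed for illustration.
"""
import fnmatch
import json

OLD_ACTION = "securityhub:DisassociateFromMasterAccount"
NEW_ACTION = "securityhub:DisassociateFromAdministratorAccount"


def _as_list(value):
    """IAM allows Statement, Action and Resource to be a string/dict or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def allows_action(policy, action):
    """True if some Allow statement's Action pattern matches `action`.

    IAM action patterns are case-insensitive globs ("securityhub:Disassociate*",
    "securityhub:*", "*"). Deny statements, Condition blocks and Resource ARNs
    are ignored on purpose: this answers "is the action granted anywhere".
    """
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        for pattern in _as_list(stmt.get("Action")):
            if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                return True
    return False


def audit_policy(policy):
    """Classify a policy with respect to the console transition.

    "ok"          both actions (or a glob covering both) are allowed
    "missing-new" only the legacy action is allowed; breaks when the console switches
    "missing-old" only the new action is allowed; console users are blocked today
    "none"        neither action is granted
    """
    old = allows_action(policy, OLD_ACTION)
    new = allows_action(policy, NEW_ACTION)
    if old and new:
        return "ok"
    if old:
        return "missing-new"
    if new:
        return "missing-old"
    return "none"


def fixed_policy(policy):
    """Copy of `policy` with NEW_ACTION added to every Allow statement that
    grants OLD_ACTION but not NEW_ACTION, which is the change the note asks for."""
    fixed = json.loads(json.dumps(policy))  # deep copy, leaves the input untouched
    for stmt in _as_list(fixed.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        grants_old = any(fnmatch.fnmatchcase(OLD_ACTION.lower(), p.lower()) for p in actions)
        grants_new = any(fnmatch.fnmatchcase(NEW_ACTION.lower(), p.lower()) for p in actions)
        if grants_old and not grants_new:
            stmt["Action"] = actions + [NEW_ACTION]
    return fixed


# Constructed sample policies (not taken from the page).
LEGACY_ONLY = {"Version": "2012-10-17",
               "Statement": [{"Effect": "Allow", "Action": OLD_ACTION, "Resource": "*"}]}
BOTH_EXPLICIT = {"Version": "2012-10-17",
                 "Statement": [{"Effect": "Allow", "Action": [OLD_ACTION, NEW_ACTION], "Resource": "*"}]}
GLOB = {"Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "securityhub:Disassociate*", "Resource": "*"}]}

if __name__ == "__main__":
    for name, pol in [("legacy-only", LEGACY_ONLY), ("both", BOTH_EXPLICIT), ("glob", GLOB)]:
        print(f"{name}: {audit_policy(pol)}")
    print(json.dumps(fixed_policy(LEGACY_ONLY), indent=2))
```

Policies that use `NotAction` are not handled; if you rely on them, review those statements by hand.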

# Transitioning to Organizations to manage accounts in Security Hub CSPM
Transitioning to Amazon Organizations

When you manage accounts manually in Amazon Security Hub CSPM, you must invite prospective member accounts and configure each member account separately in each Amazon Web Services Region.

By integrating Security Hub CSPM and Amazon Organizations, you can eliminate the need to send invitations and gain more control over how Security Hub CSPM is configured and customized in your organization. For this reason, we recommend using Amazon Organizations instead of Security Hub CSPM invitations to manage your member accounts. For information, see [Managing Security Hub CSPM for multiple accounts with Amazon Organizations](securityhub-accounts-orgs.md).

It's possible to use a combined approach in which you use the Amazon Organizations integration, but also manually invite accounts outside of your organization. However, we recommend exclusively using the Organizations integration. [Central configuration](central-configuration-intro.md), a feature which helps you manage Security Hub CSPM across multiple accounts and Regions, is only available when you integrate with Organizations.

This section covers how you can transition from manual invitation-based account management to managing accounts with Amazon Organizations.

## Integrating Security Hub CSPM with Amazon Organizations


First, you must integrate Security Hub CSPM and Amazon Organizations.

You can integrate these services by completing the following steps:
+ Create an organization in Amazon Organizations. For instructions, see [Create an organization](https://docs.amazonaws.cn/organizations/latest/userguide/orgs_manage_org_create.html#create-org) in the *Amazon Organizations User Guide*.
+ From the Organizations management account, designate a Security Hub CSPM delegated administrator account.

**Note**  
The organization management account *cannot* be set as the delegated administrator (DA) account.

For detailed instructions, see [Integrating Security Hub CSPM with Amazon Organizations](designate-orgs-admin-account.md).

By completing the preceding steps, you grant [trusted access](https://docs.amazonaws.cn/organizations/latest/userguide/services-that-can-integrate-securityhub.html#integrate-enable-ta-securityhub) for Security Hub CSPM in Amazon Organizations. This also enables Security Hub CSPM in the current Amazon Web Services Region for the delegated administrator account.

The delegated administrator can manage the organization in Security Hub CSPM, primarily by adding the organization’s accounts as Security Hub CSPM member accounts. The administrator can also access certain Security Hub CSPM settings, data, and resources for those accounts.

When you transition to account management using Organizations, invitation-based accounts don't automatically become Security Hub CSPM members. Only the accounts that you add to your new organization can become Security Hub CSPM members.

After activating the integration, you can manage accounts with Organizations. For information, see [Managing Security Hub CSPM for multiple accounts with Amazon Organizations](securityhub-accounts-orgs.md). Account management varies based on your organization's configuration type.

# Allowed actions by administrator and member accounts in Security Hub CSPM
Allowed actions by administrator and member accounts

Administrator and member accounts have access to Amazon Security Hub CSPM actions noted in the following tables. In the tables, the values have the following meanings:
+ **Any –** The account can perform the action for any member account under the same administrator.
+ **Current –** The account can perform the action only for itself (the account that you're currently signed in to).
+ **Dash –** Indicates that the account cannot perform the action.

As noted in the tables, allowed actions differ based on whether you integrate with Amazon Organizations and which configuration type your organization uses. For information about the difference between central and local configuration, see [Managing accounts with Amazon Organizations](securityhub-accounts.md#securityhub-orgs-account-management-overview).

Security Hub CSPM doesn't copy member account findings into the administrator account. In Security Hub CSPM, all findings are ingested into a specific Region for a specific account. In each Region, the administrator account can view and manage findings for their member accounts in that Region.

If you set an aggregation Region, the administrator account can view and manage member account findings from linked Regions that are replicated to the aggregation Region. For more information about cross-Region aggregation, see [Cross-Region aggregation](https://docs.amazonaws.cn/securityhub/latest/userguide/finding-aggregation.html).

The following tables specify the default permissions for administrator and member accounts. You can use custom IAM policies to further restrict access to Security Hub CSPM features and functions. For guidance and examples, see the blog post [Aligning IAM policies to user personas for Amazon Security Hub CSPM](https://amazonaws-china.com/blogs/security/aligning-iam-policies-to-user-personas-for-aws-security-hub/).

## Allowed actions if you integrate with Organizations and use central configuration


Administrator and member accounts can access Security Hub CSPM actions as follows if you integrate with Organizations and use central configuration.


|  Action  |  Security Hub CSPM delegated administrator account  |  Centrally managed member account  |  Self-managed member account  | 
| --- | --- | --- | --- | 
|  Create and manage Security Hub CSPM configuration policies  |  For self and centrally managed accounts  |  –  |  –  | 
|  View organization accounts  |  Any  |  –  |  –  | 
|  Disassociate member account  |  Any  |  –  |  –  | 
|  Delete member account  |  Any non-organization account  |  –  |  –  | 
|  Disable Security Hub CSPM  |  For current account and centrally managed accounts  |  –  |  Current (must be disassociated from the administrator account)  | 
|  View findings and finding history  |  Any  |  Current  |  Current  | 
|  Update findings  |  Any  |  Current  |  Current  | 
|  View insight results  |  Any  |  Current  |  Current  | 
|  View control details  |  Any  |  Current  |  Current  | 
|  Turn consolidated control findings on or off  |  Any  |  –  |  –  | 
|  Enable and disable standards  |  For current account and centrally managed accounts  |  –  |  Current  | 
|  Enable and disable controls  |  For current account and centrally managed accounts  |  –  |  Current  | 
|  Enable and disable integrations  |  Current  |  Current  |  Current  | 
|  Configure cross-Region aggregation  |  Any  |  –  |  –  | 
|  Select home Region and linked Regions  |  Any (must stop and restart central configuration to change home Region)  |  –  |  –  | 
|  Configure custom actions  |  Current  |  Current  |  Current  | 
|  Configure automation rules  |  Any  |  –  |  –  | 
|  Configure custom insights  |  Current  |  Current  |  Current  | 

## Allowed actions if you integrate with Organizations and use local configuration


Administrator and member accounts can access Security Hub CSPM actions as follows if you integrate with Organizations and use local configuration.


|  Action  |  Security Hub CSPM delegated administrator account  |  Member account  | 
| --- | --- | --- | 
|  Create and manage Security Hub CSPM configuration policies  |  –  |  –  | 
|  View organization accounts  |  Any  |  –  | 
|  Disassociate member account  |  Any  |  –  | 
|  Delete member account  |  –  |  –  | 
|  Disable Security Hub CSPM  |  –  |  Current (if account is disassociated from delegated administrator)  | 
|  View findings and finding history  |  Any  |  Current  | 
|  Update findings  |  Any  |  Current  | 
|  View insight results  |  Any  |  Current  | 
|  View control details  |  Any  |  Current  | 
|  Turn consolidated control findings on or off  |  Any  |  –  | 
|  Enable and disable standards  |  Current  |  Current  | 
|  Automatically enable Security Hub CSPM and default standards in new organization accounts  |  For current account and new organization accounts  |  –  | 
|  Enable and disable controls  |  Current  |  Current  | 
|  Enable and disable integrations  |  Current  |  Current  | 
|  Configure cross-Region aggregation  |  Any  |  –  | 
|  Configure custom actions  |  Current  |  Current  | 
|  Configure automation rules  |  Any  |  –  | 
|  Configure custom insights  |  Current  |  Current  | 

## Allowed actions for invitation-based accounts


Administrator and member accounts can access Security Hub CSPM actions as follows if you use the invitation-based method to manually manage accounts instead of integrating with Amazon Organizations.


|  Action  |  Security Hub CSPM administrator account  |  Member account  | 
| --- | --- | --- | 
|  Create and manage Security Hub CSPM configuration policies  |  –  |  –  | 
|  View organization accounts  |  Any  |  –  | 
|  Disassociate member account  |  Any  |  Current  | 
|  Delete member account  |  Any  |  –  | 
|  Disable Security Hub CSPM  |  Current (if there are no enabled member accounts)  |  Current (if account is disassociated from administrator account)  | 
|  View findings and finding history  |  Any  |  Current  | 
|  Update findings  |  Any  |  Current  | 
|  View insight results  |  Any  |  Current  | 
|  View control details  |  Any  |  Current  | 
|  Turn consolidated control findings on or off  |  Any  |  –  | 
|  Enable and disable standards  |  Current  |  Current  | 
|  Automatically enable Security Hub CSPM and default standards in new organization accounts  |  –  |  –  | 
|  Enable and disable controls  |  Current  |  Current  | 
|  Enable and disable integrations  |  Current  |  Current  | 
|  Configure cross-Region aggregation  |  Any  |  –  | 
|  Configure custom actions  |  Current  |  Current  | 
|  Configure automation rules  |  Any  |  –  | 
|  Configure custom insights  |  Current  |  Current  | 

# Effect of account actions on Security Hub CSPM data
Effect of account actions on data

These account actions have the following effects on Amazon Security Hub CSPM data.

## Security Hub CSPM disabled


If you use [central configuration](central-configuration-intro.md), the delegated administrator (DA) can create Security Hub CSPM configuration policies that disable Amazon Security Hub CSPM in specific accounts and organizational units (OUs). In this case, Security Hub CSPM is disabled in the specified accounts and OUs in your home Region and any linked Regions. If you don't use central configuration, you must disable Security Hub CSPM separately in each account and Region where you enabled it. You can't use central configuration if Security Hub CSPM is disabled in the DA account.

No findings are generated or updated for the administrator account if Security Hub CSPM is disabled in the administrator account. Existing archived findings are deleted after 30 days. Existing active findings are deleted after 90 days.

Integrations with other Amazon Web Services services are removed.

Enabled security standards and controls are disabled.

Other Security Hub CSPM data and settings, including custom actions, insights, and subscriptions to third-party products are retained for 90 days.

## Member account disassociated from administrator account


When a member account is disassociated from the administrator account, the administrator account loses permission to view findings in the member account. However, Security Hub CSPM is still enabled in both accounts.

If you use central configuration, the DA can't configure Security Hub CSPM for a member account that's disassociated from the DA account.

Custom settings or integrations that are defined for the administrator account are not applied to findings from the former member account. For example, after the accounts are disassociated, you might have a custom action in the administrator account used as the event pattern in an Amazon EventBridge rule. However, this custom action cannot be used in the member account.

In the **Accounts** list for the Security Hub CSPM administrator account, a removed account has a status of **Disassociated**.

## Member account is removed from an organization


When a member account is removed from an organization, the Security Hub CSPM administrator account loses permission to view findings in the member account. However, Security Hub CSPM is still enabled in both accounts with the same settings they had before removal.

If you use central configuration, you can't configure Security Hub CSPM for a member account after it's removed from the organization to which the delegated administrator belongs. However, the account retains the settings it had prior to removal unless you manually change them.

In the **Accounts** list for the Security Hub CSPM administrator account, a removed account has a status of **Deleted**.

## Account is suspended


When an Amazon Web Services account is suspended, the account loses permission to view their findings in Security Hub CSPM. No findings are generated or updated for that account. The administrator account for a suspended account can view existing findings for the account.

For an organization account, the member account status can also change to **Account Suspended**. This happens if the account is suspended at the same time that the administrator account attempts to enable the account. The administrator account for an **Account Suspended** account cannot view findings for that account. Otherwise, the suspended status doesn't affect the member account status.

If you use central configuration, policy association fails if the delegated administrator tries to associate a configuration policy with a suspended account.

After 90 days, the account is either terminated or reactivated. When the account is reactivated, its Security Hub CSPM permissions are restored. If the member account status is **Account Suspended**, the administrator account must enable the account manually.

## Account is closed


When an Amazon Web Services account is closed, Security Hub CSPM responds to the closure as follows.

If the account is a Security Hub CSPM administrator account, it is removed as an administrator account and all the member accounts are removed. If the account is a member account, it is disassociated and removed as a member from the Security Hub CSPM administrator account.

Security Hub CSPM retains existing archived findings in the account for 30 days. For a control finding, the calculation of 30 days is based on the value for the `UpdatedAt` field of the finding. For another type of finding, the calculation is based on the value for the `UpdatedAt` or `ProcessedAt` field of the finding, whichever date is latest. At the end of this 30-day period, Security Hub CSPM permanently deletes the finding from the account.

Security Hub CSPM retains existing active findings in the account for 90 days. For a control finding, the calculation of 90 days is based on the value for the `UpdatedAt` field of the finding. For another type of finding, the calculation is based on the value for the `UpdatedAt` or `ProcessedAt` field of the finding, whichever date is latest. At the end of this 90-day period, Security Hub CSPM permanently deletes the finding from the account.

For longer-term retention of existing findings, you can export the findings to an S3 bucket. You can do this by using a custom action with an Amazon EventBridge rule. For more information, see [Using EventBridge for automated response and remediation](securityhub-cloudwatch-events.md).
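The two retention rules above (30 days for archived findings, 90 days for active ones, counted from `UpdatedAt` for control findings and from the later of `UpdatedAt` and `ProcessedAt` for everything else) decide how long you have to export findings from an account that is being closed. The following added example (not AWS or Security Hub code) applies those rules to findings you have already fetched with `get-findings`, so you can list the export deadlines soonest first. The findings embedded in it are constructed ASFF-like fragments carrying only the fields the calculation needs. One assumption that the page does not state: a finding is treated as a control finding when its `ProductArn` is the Security Hub product ARN and it carries a `Compliance` object.

```python
"""Estimate when Security Hub CSPM deletes each finding after account closure,
following the retention rules above, so you know the export deadline.

Added example, not AWS code. SAMPLE_FINDINGS and SAMPLE_NOW are constructed.
Assumption (not stated on the page): a control finding is one from the
Security Hub product ARN that carries a Compliance object.
"""
from datetime import datetime, timedelta, timezone

ARCHIVED_RETENTION = timedelta(days=30)
ACTIVE_RETENTION = timedelta(days=90)


def parse_asff_time(value):
    """ASFF timestamps are ISO 8601 with a trailing Z, e.g. 2024-03-01T12:00:00.000Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def is_control_finding(finding):
    return (finding.get("ProductArn", "").endswith(":product/aws/securityhub")
            and "Compliance" in finding)


def retention_basis(finding):
    """Timestamp the retention window counts from.

    Control findings: UpdatedAt. Any other finding: the later of UpdatedAt and
    ProcessedAt (ProcessedAt is treated as optional in case a record lacks it).
    """
    updated = parse_asff_time(finding["UpdatedAt"])
    if is_control_finding(finding):
        return updated
    processed = finding.get("ProcessedAt")
    if processed is None:
        return updated
    return max(updated, parse_asff_time(processed))


def deletion_date(finding):
    """30 days for ARCHIVED findings, 90 days for everything else (ACTIVE)."""
    window = ARCHIVED_RETENTION if finding.get("RecordState") == "ARCHIVED" else ACTIVE_RETENTION
    return retention_basis(finding) + window


def export_deadlines(findings, now):
    """(finding Id, deletion datetime, whole days left) sorted soonest first.
    A negative days-left value means the window has already passed."""
    rows = [(f["Id"], deletion_date(f), (deletion_date(f) - now).days) for f in findings]
    rows.sort(key=lambda r: r[1])
    return rows


# Constructed sample findings (not real findings, not from the page).
SAMPLE_FINDINGS = [
    {   # control finding, active: 90 days from UpdatedAt; ProcessedAt is ignored
        "Id": "arn:aws:securityhub:us-east-1:111122223333:security-control/S3.1/finding/a",
        "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub",
        "Compliance": {"Status": "FAILED", "SecurityControlId": "S3.1"},
        "RecordState": "ACTIVE",
        "UpdatedAt": "2024-03-01T00:00:00.000Z",
        "ProcessedAt": "2024-03-20T00:00:00.000Z",
    },
    {   # GuardDuty finding, archived: 30 days from the later of the two stamps
        "Id": "arn:aws:securityhub:us-east-1:111122223333:guardduty/finding/b",
        "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/guardduty",
        "RecordState": "ARCHIVED",
        "UpdatedAt": "2024-03-01T00:00:00.000Z",
        "ProcessedAt": "2024-03-10T00:00:00.000Z",
    },
    {   # third-party finding, active, no ProcessedAt recorded
        "Id": "arn:aws:securityhub:us-east-1:111122223333:product/example/finding/c",
        "ProductArn": "arn:aws:securityhub:us-east-1:111122223333:product/example/scanner",
        "RecordState": "ACTIVE",
        "UpdatedAt": "2024-01-15T00:00:00.000Z",
    },
]
SAMPLE_NOW = datetime(2024, 3, 25, tzinfo=timezone.utc)  # constructed "today"

if __name__ == "__main__":
    for fid, when, days in export_deadlines(SAMPLE_FINDINGS, SAMPLE_NOW):
        print(f"{days:4d} days left  {when:%Y-%m-%d}  {fid}")
```

Run it against the real output of `aws securityhub get-findings` (the `Findings` array) and export anything whose days-left is small before you close the account.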

**Important**  
For customers in Amazon GovCloud (US) Regions, back up and then delete your policy data and other account resources before you close your account. You won't have access to the resources and data after you close your account.

For more information, see [Close an Amazon Web Services account](https://docs.amazonaws.cn/awsaccountbilling/latest/aboutv2/close-account.html) in the *Amazon Account Management Reference Guide*.

# Understanding cross-Region aggregation in Security Hub CSPM
Aggregating data across Regions

**Note**  
The *aggregation Region* is now called the *home Region*. Some Security Hub CSPM API operations still use the older term aggregation Region.

By using cross-Region aggregation in Amazon Security Hub CSPM, you can aggregate findings, finding updates, insights, control compliance statuses, and security scores from multiple Amazon Web Services Regions to a single home Region. You can then manage all of this data from the home Region.

Suppose you set US East (N. Virginia) as the home Region, and US West (Oregon) and US West (N. California) as the linked Regions. When you view the **Findings** page in US East (N. Virginia), you see the findings from all three Regions. Updates to those findings are also reflected in all three Regions.

**Note**  
In Amazon GovCloud (US), cross-Region aggregation is supported only for findings, finding updates, and insights across Amazon GovCloud (US). Specifically, you can only aggregate findings, finding updates, and insights between Amazon GovCloud (US-East) and Amazon GovCloud (US-West). In the China Regions, cross-Region aggregation is supported only for findings, finding updates, and insights across the China Regions. Specifically, you can only aggregate findings, finding updates, and insights between China (Beijing) and China (Ningxia).

If a control is enabled in a linked Region but disabled in the home Region, you can see the compliance status of the control from the home Region, but you can't enable or disable that control from the home Region. The exception is if you use [central configuration](central-configuration-intro.md). If you use central configuration, the delegated Security Hub CSPM administrator can configure controls in the home Region and linked Regions from the home Region.

If you have set a home Region, [security scores](standards-security-score.md) account for control statuses in all linked Regions. To view cross-Region security scores and compliance statuses, add permissions for the following API operations to the IAM role that uses Security Hub CSPM:
+ [ListSecurityControlDefinitions](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_ListSecurityControlDefinitions.html)
+ [BatchGetStandardsControlAssociations](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_BatchGetStandardsControlAssociations.html)
+ [BatchUpdateStandardsControlAssociations](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_BatchUpdateStandardsControlAssociations.html)

## Types of data that are aggregated


When cross-Region aggregation is enabled with one or more linked Regions, Security Hub CSPM replicates the following data from the linked Regions to the home Region. This occurs in every account that has cross-Region aggregation enabled.
+ Findings
+ Insights
+ Control compliance statuses
+ Security scores

In addition to new data in the previous list, Security Hub CSPM also replicates updates to this data between the linked Regions and the home Region. Updates that occur in a linked Region are replicated to the home Region. Updates that occur in the home Region are replicated back to the linked Region. If there are conflicting updates in the home Region and the linked Region, then the most recent update is used.

![\[When cross-Region aggregation is enabled, Security Hub CSPM replicates new and updated findings between the linked Regions and home Region.\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/diagram-finding-aggregation.png)


Cross-Region aggregation does not add to the cost of Security Hub CSPM. You are not charged when Security Hub CSPM replicates new data or updates.

In the home Region, the **Summary** page provides a view of your active findings across linked Regions. For information, see [Viewing a cross-Region summary of findings by severity](https://docs.amazonaws.cn/securityhub/latest/userguide/findings-view-summary.html). Other **Summary** page panels that analyze findings also display information from across the linked Regions.

Your security scores in the home Region are calculated by comparing the number of passed controls to the number of enabled controls in all linked Regions. In addition, if a control is enabled in at least one linked Region, it is visible on the **Security standards** details pages of the home Region. The compliance status of controls on the standards details pages reflects findings across linked Regions. If a security check associated with a control fails in one or more linked Regions, the compliance status of that control shows as **Failed** on the standards details pages of the home Region. The number of security checks includes findings from all linked Regions.
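The paragraph above gives the merge rules for the home-Region view: a control is shown if it is enabled in at least one linked Region, it is **Failed** if any linked Region fails it, and the score compares passed controls to enabled controls across the linked Regions. The following added example (not Security Hub code) models those rules over constructed per-Region control statuses so you can check what the home Region will show against what each Region reports on its own, and list the controls that look passed in one Region but are failed in the home view. The input shape and the status vocabulary `PASSED`/`FAILED`/`DISABLED` are this example's assumptions; Security Hub's other statuses such as `NO_DATA` are not modeled. Regions where Security Hub is disabled contribute nothing, so they are simply absent from the input.

```python
"""Home-Region view of control statuses and security score, derived from
per-Region statuses using the cross-Region aggregation rules above.

Added example, not Security Hub code. SAMPLE is constructed. Statuses other
than PASSED/FAILED/DISABLED are an assumption boundary and are rejected.
"""
from fractions import Fraction


def aggregate_control_statuses(per_region):
    """per_region: {region: {control_id: status}} for each Region where Security
    Hub is enabled (home Region included). Returns {control_id: status} as the
    home Region shows it: a control appears if enabled (not DISABLED) in at
    least one Region, is FAILED if any Region fails it, otherwise PASSED."""
    merged = {}
    for region, controls in per_region.items():
        for control_id, status in controls.items():
            if status == "DISABLED":
                continue
            if status not in ("PASSED", "FAILED"):
                raise ValueError(f"{region}/{control_id}: unsupported status {status!r}")
            current = merged.get(control_id)
            if status == "FAILED" or current is None:
                merged[control_id] = status
    return merged


def security_score(merged):
    """Passed controls over enabled controls as an exact Fraction; None if
    no control is enabled anywhere (nothing to score)."""
    enabled = len(merged)
    if enabled == 0:
        return None
    passed = sum(1 for s in merged.values() if s == "PASSED")
    return Fraction(passed, enabled)


def score_percent(merged):
    score = security_score(merged)
    return None if score is None else round(float(score) * 100)


def regions_hiding_failures(per_region, merged):
    """Controls that read PASSED in some Region but FAILED in the home view:
    exactly what an operator looking at a single linked Region would miss."""
    hidden = {}
    for region, controls in per_region.items():
        for control_id, status in controls.items():
            if status == "PASSED" and merged.get(control_id) == "FAILED":
                hidden.setdefault(control_id, []).append(region)
    return hidden


# Constructed sample: home Region us-east-1, linked Regions us-west-1 and
# us-west-2. A Region with Security Hub disabled would simply not be listed.
SAMPLE = {
    "us-east-1": {"S3.1": "PASSED", "IAM.4": "PASSED", "EC2.2": "DISABLED"},
    "us-west-1": {"S3.1": "PASSED", "IAM.4": "FAILED", "EC2.2": "PASSED"},
    "us-west-2": {"S3.1": "PASSED", "IAM.4": "PASSED", "EC2.2": "DISABLED", "RDS.3": "FAILED"},
}

if __name__ == "__main__":
    merged = aggregate_control_statuses(SAMPLE)
    for cid, status in sorted(merged.items()):
        print(f"{cid:6} {status}")
    print("security score:", score_percent(merged), "%")
    print("passed locally, failed in home view:", regions_hiding_failures(SAMPLE, merged))
```

In the sample, `EC2.2` appears in the home view only because us-west-1 enables it, and `IAM.4` is **Failed** in the home view although two of the three Regions pass it, which is the behaviour the paragraph describes.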

Security Hub CSPM only aggregates data from Regions where an account has Security Hub CSPM enabled. Security Hub CSPM is not automatically enabled for an account based on the cross-Region aggregation configuration.

It's possible to have cross-Region aggregation enabled without any linked Regions selected. In this case, no data replication occurs.

## Aggregation for administrator and member accounts


Standalone accounts, member accounts, and administrator accounts can configure cross-Region aggregation. If configured by an administrator, the presence of the administrator account is essential for cross-Region aggregation to work in administered accounts. If the administrator account is removed or disassociated from a member account, cross-Region aggregation for the member account stops. This is true even if the account had cross-Region aggregation enabled before the administrator-member relationship began.

When an administrator account enables cross-Region aggregation, Security Hub CSPM replicates the data that the administrator account generates in all linked Regions to the home Region. In addition, Security Hub CSPM identifies the member accounts that are associated with that administrator, and each member account inherits the cross-Region aggregation settings of the administrator. Security Hub CSPM replicates the data that a member account generates in all linked Regions to the home Region.

The administrator can access and manage security findings from all member accounts within the administered Regions. However, as a Security Hub CSPM administrator, you must be signed in to the home Region to view aggregated data from all member accounts and linked Regions.

As a Security Hub CSPM member account, you must be signed in to the home Region to view aggregated data from your account from all linked Regions. Member accounts don't have permissions to view data from other member accounts.

An administrator account may manually invite member accounts or serve as the delegated administrator of an organization that is integrated with Amazon Organizations. For a [manually-invited member account](account-management-manual.md), the administrator must invite the account from the home Region and all linked Regions in order for cross-Region aggregation to work. In addition, the member account must have Security Hub CSPM enabled in the home Region and all linked Regions to give the administrator the ability to view findings from the member account. If you don't use the home Region for other purposes, you can disable Security Hub CSPM standards and integrations in that Region to prevent charges.

If you plan to use cross-Region aggregation, and have multiple administrator accounts, we recommend following these best practices:
+ Each administrator account has different member accounts.
+ Each administrator account has the same member accounts across Regions.
+ Each administrator account uses a different home Region.

**Note**  
To understand how cross-Region aggregation impacts central configuration, see [Impact of central configuration on cross-Region aggregation](aggregation-central-configuration.md).

# Impact of central configuration on cross-Region aggregation
Central configuration and aggregation

Central configuration is an opt-in feature in Amazon Security Hub CSPM that you can use if you integrate with Amazon Organizations. If you use central configuration, the delegated administrator account can configure the Security Hub CSPM service, standards, and controls for accounts and organizational units (OU) in the organization. To configure accounts and OUs, the delegated administrator creates Security Hub CSPM configuration policies. Configuration policies can be used to define whether Security Hub CSPM is enabled or disabled, and which standards and controls are enabled. The delegated administrator associates configuration policies with specific accounts, OUs, or the root (the entire organization).

The delegated administrator can create and manage configuration policies for the organization only from the home Region. In addition, configuration policies take effect in the home Region and all linked Regions. You can't create a configuration policy that applies only in some linked Regions and not others. For information about cross-Region aggregation, see [Cross-Region aggregation](https://docs.amazonaws.cn/securityhub/latest/userguide/finding-aggregation.html).

To use central configuration, you must designate a home Region. Optionally, you can choose one or more Regions as linked Regions. You can also choose to designate a home Region without any linked Regions.

Changing your cross-Region aggregation settings can impact your configuration policies. When you add a linked Region, your configuration policies take effect in that Region. If the Region is an [opt-in Region](https://docs.amazonaws.cn/accounts/latest/reference/manage-acct-regions.html), the Region must be enabled in order for your configuration policies to take effect there. Conversely, when you remove a linked Region, configuration policies no longer take effect in that Region. In that Region, accounts maintain the settings they had when the linked Region was removed. You can change those settings, but must do so separately in each account and Region.

If you remove or change the home Region, your configuration policies and policy associations are deleted. You can no longer use central configuration or create configuration policies in any Region. Accounts maintain the settings they had before the home Region was changed or removed. You can change those settings at any time, but since you no longer use central configuration, settings must be modified separately in each account and Region. You can use central configuration and create configuration policies again if you designate a new home Region.

For more information about central configuration, see [Understanding central configuration in Security Hub CSPM](central-configuration-intro.md).

# Enabling cross-Region aggregation
Enabling aggregation

**Note**  
The *aggregation Region* is now called the *home Region*. Some Security Hub CSPM API operations still use the older term aggregation Region.

You must enable cross-Region aggregation from the Amazon Web Services Region that you want to designate as the home Region.

To enable cross-Region aggregation, you create a Security Hub CSPM resource called a finding aggregator. The finding aggregator resource specifies your home Region and linked Regions (if any).

You can't use an Amazon Web Services Region that is disabled by default as your home Region. For a list of Regions that are disabled by default, see [Enabling a Region](https://docs.amazonaws.cn/general/latest/gr/rande-manage.html#rande-manage-enable) in the *Amazon Web Services General Reference*.

When you enable cross-Region aggregation, you can optionally specify one or more linked Regions. You can also choose whether to automatically link new Regions when Security Hub CSPM begins to support them and you have opted into them.

------
#### [ Security Hub CSPM console ]

**To enable cross-Region aggregation**

1. Open the Amazon Security Hub CSPM console at [https://console.amazonaws.cn/securityhub/](https://console.amazonaws.cn/securityhub/).

1. Using the Amazon Web Services Region selector, sign in to the Region that you want to use as the home Region.

1. In the Security Hub CSPM navigation menu, choose **Settings** and then **Regions**.

1. For **Finding aggregation**, choose **Configure finding aggregation**.

   By default, the home Region is set to **No aggregation Region**.

1. Under **Aggregation Region**, select the option to designate the current Region as the home Region.

1. Optionally, for **Linked Regions**, select the Regions to aggregate data from.

1. To automatically aggregate data from new Regions in the partition as Security Hub CSPM supports them and you opt into them, select **Link future Regions**.

1. Choose **Save**.

------
#### [ Security Hub CSPM API ]

From the Region that you want to use as the home Region, use the [CreateFindingAggregator](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_CreateFindingAggregator.html) operation of the Security Hub CSPM API. If you use the Amazon CLI, run the [create-finding-aggregator](https://docs.amazonaws.cn/cli/latest/reference/securityhub/create-finding-aggregator.html) command.

For `RegionLinkingMode`, choose one of the following options:
+ `ALL_REGIONS` – Security Hub CSPM aggregates data from all Regions. Security Hub CSPM also aggregates data from new Regions as they are supported and you opt into them.
+ `ALL_REGIONS_EXCEPT_SPECIFIED` – Security Hub CSPM aggregates data from all Regions except for Regions that you want to exclude. Security Hub CSPM also aggregates data from new Regions as they are supported and you opt into them. Use `Regions` to provide the list of Regions to exclude from aggregation.
+ `SPECIFIED_REGIONS` – Security Hub CSPM aggregates data from a selected list of Regions. Security Hub CSPM does not aggregate data automatically from new Regions. Use `Regions` to provide the list of Regions to aggregate from.
+ `NO_REGIONS` – Security Hub CSPM doesn't aggregate data because you don't select any linked Regions.

The following example configures cross-Region aggregation. The home Region is US East (N. Virginia). The linked Regions are US West (N. California) and US West (Oregon). This example is formatted for Linux, macOS, or Unix, and it uses the backslash (\) line-continuation character to improve readability.

```
$ aws securityhub create-finding-aggregator \
    --region us-east-1 \
    --region-linking-mode SPECIFIED_REGIONS \
    --regions us-west-1 us-west-2
```
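The four `RegionLinkingMode` values differ in two ways that matter operationally: whether `Regions` is an include list or an exclude list, and whether newly supported Regions you opt into are linked automatically. The following added example (not AWS code, and it makes no API call) resolves the set of linked Regions from which data will actually flow for a given home Region, mode and `Regions` list, and shows what happens to that set when a new Region becomes available. The Region inventories `ENABLED_REGIONS` and `OPT_IN_REGIONS` are constructed and deliberately partial; replace them with the output of `aws account list-regions` for your account. The `ValueError` for a `Regions` list passed with `ALL_REGIONS` or `NO_REGIONS` is this example's own guard, not a documented API error.

```python
"""Resolve the effective linked Regions of a finding aggregator under each
RegionLinkingMode, using the semantics listed above.

Added example, not AWS code. ENABLED_REGIONS and OPT_IN_REGIONS are
constructed, partial inventories.
"""

# Constructed: Regions Security Hub supports in this partition and in which
# this account has Security Hub enabled (only these ever contribute data).
ENABLED_REGIONS = {"us-east-1", "us-east-2", "us-west-1", "us-west-2", "eu-west-1"}
# Constructed: Regions that are disabled by default; these cannot be the home Region.
OPT_IN_REGIONS = {"af-south-1", "me-south-1"}

MODES = ("ALL_REGIONS", "ALL_REGIONS_EXCEPT_SPECIFIED", "SPECIFIED_REGIONS", "NO_REGIONS")


def resolve_linked_regions(home_region, mode, regions=(), enabled_regions=ENABLED_REGIONS):
    """Linked Regions from which Security Hub will replicate data to `home_region`.

    Raises ValueError for an opt-in Region as home, a home Region without
    Security Hub, an unknown mode, or (this example's own guard) a Regions
    list given with a mode that does not take one.
    """
    if home_region in OPT_IN_REGIONS:
        raise ValueError(f"{home_region} is disabled by default and cannot be the home Region")
    if home_region not in enabled_regions:
        raise ValueError(f"Security Hub is not enabled in {home_region}")
    if mode not in MODES:
        raise ValueError(f"unknown RegionLinkingMode {mode!r}")
    regions = set(regions)
    if mode in ("ALL_REGIONS", "NO_REGIONS") and regions:
        raise ValueError(f"{mode} does not take a Regions list")
    others = enabled_regions - {home_region}
    if mode == "ALL_REGIONS":
        return others
    if mode == "ALL_REGIONS_EXCEPT_SPECIFIED":
        return others - regions
    if mode == "SPECIFIED_REGIONS":
        # A listed Region where Security Hub is disabled contributes no data.
        return regions & others
    return set()  # NO_REGIONS


def links_future_regions(mode):
    """ALL_REGIONS and ALL_REGIONS_EXCEPT_SPECIFIED pick up new Regions once
    supported and opted in; SPECIFIED_REGIONS and NO_REGIONS never do."""
    return mode in ("ALL_REGIONS", "ALL_REGIONS_EXCEPT_SPECIFIED")


def after_new_region(home_region, mode, regions, new_region):
    """Linked set once `new_region` is supported and you have opted into it."""
    return resolve_linked_regions(home_region, mode, regions, ENABLED_REGIONS | {new_region})


if __name__ == "__main__":
    # The page's own CLI example: SPECIFIED_REGIONS with us-west-1 and us-west-2.
    print(sorted(resolve_linked_regions("us-east-1", "SPECIFIED_REGIONS", ["us-west-1", "us-west-2"])))
    print(sorted(resolve_linked_regions("us-east-1", "ALL_REGIONS_EXCEPT_SPECIFIED", ["eu-west-1"])))
    for mode in MODES:
        print(f"{mode:30} links future Regions: {links_future_regions(mode)}")
```

The practical point is the last two functions: an aggregator created with `SPECIFIED_REGIONS` will silently leave a newly opted-in Region unaggregated, so findings there never reach the home Region until you update the aggregator.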

------

# Reviewing cross-Region aggregation settings
Reviewing aggregation settings

**Note**  
The *aggregation Region* is now called the *home Region*. Some Security Hub CSPM API operations still use the older term aggregation Region.

You can view the current cross-Region aggregation configuration in Amazon Security Hub CSPM from any Amazon Web Services Region. The configuration includes the home Region, the linked Regions (if any), and whether to automatically link new Regions as Security Hub CSPM supports them.

Member accounts can view the cross-Region aggregation settings that the administrator account configured.

Choose your preferred method, and follow the steps to view your current cross-Region aggregation settings.

------
#### [ Security Hub CSPM console ]

**To view cross-Region aggregation settings (console)**

1. Open the Amazon Security Hub CSPM console at [https://console.amazonaws.cn/securityhub/](https://console.amazonaws.cn/securityhub/).

1. On the navigation pane, choose **Settings** and then the **Regions** tab.

If cross-Region aggregation is not enabled, then the **Regions** tab displays the option to enable cross-Region aggregation. Only administrator accounts and standalone accounts can enable cross-Region aggregation.

If cross-Region aggregation is enabled, then the **Regions** tab displays the following information:
+ The home Region
+ Whether to automatically aggregate findings, insights, control statuses, and security scores from new Regions that Security Hub CSPM supports and that you opt into
+ The list of linked Regions (if any are selected)

------
#### [ Security Hub CSPM API ]

**To review cross-Region aggregation settings (Security Hub CSPM API)**

Use the [GetFindingAggregator](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_GetFindingAggregator.html) operation of the Security Hub CSPM API. If you use the Amazon CLI, run the [get-finding-aggregator](https://docs.amazonaws.cn/cli/latest/reference/securityhub/get-finding-aggregator.html) command.

When you make the request, provide the finding aggregator ARN. To obtain the finding aggregator ARN, use the [ListFindingAggregators](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_ListFindingAggregators.html) operation or the [list-finding-aggregators](https://docs.amazonaws.cn/cli/latest/reference/securityhub/list-finding-aggregators.html) command.

The following example shows the cross-Region aggregation settings for the specified finding aggregator ARN. This example is formatted for Linux, macOS, or Unix, and it uses the backslash (\\) line-continuation character to improve readability.

```
$ aws securityhub get-finding-aggregator \
    --finding-aggregator-arn arn:aws-cn:securityhub:us-east-1:222222222222:finding-aggregator/123e4567-e89b-12d3-a456-426652340000
```

------

# Updating cross-Region aggregation settings
Updating aggregation settings

**Note**  
The *aggregation Region* is now called the *home Region*. Some Security Hub CSPM API operations still use the older term aggregation Region.

You can update your current cross-Region aggregation settings in Amazon Security Hub CSPM by changing the linked Regions or the current home Region. You can also change whether to automatically aggregate data from new Amazon Web Services Regions in which Security Hub CSPM becomes supported.

Changes to cross-Region aggregation aren't implemented for an opt-in Region until you enable the Region in your Amazon Web Services account. Regions that Amazon introduced on or after March 20, 2019 are opt-in Regions.

When you stop aggregating data from a linked Region, Amazon Security Hub CSPM doesn't remove any existing aggregated data from that Region that is accessible in the home Region.

You can't use the update procedures in this section to change the home Region. To change the home Region, you must do the following:

1. Stop cross-Region aggregation. For instructions, see [Stopping cross-Region aggregation](finding-aggregation-stop.md).

1. Change to the Region that you want to be the new home Region.

1. Enable cross-Region aggregation. For instructions, see [Enabling cross-Region aggregation](finding-aggregation-enable.md).

You must update the cross-Region aggregation configuration from the current home Region.

------
#### [ Security Hub CSPM console ]

**To change the linked Regions**

1. Open the Amazon Security Hub CSPM console at [https://console.amazonaws.cn/securityhub/](https://console.amazonaws.cn/securityhub/).

   Sign in to the current aggregation Region.

1. In the Security Hub CSPM navigation menu, choose **Settings**, then choose **Regions**.

1. For **Finding aggregation**, choose **Edit**.

1. For **Linked Regions**, update the selected linked Regions.

1. If needed, change whether **Link future Regions** is selected. This setting determines whether Security Hub CSPM automatically links new Regions as it adds support for them and you opt into them.

1. Choose **Save**.

------
#### [ Security Hub CSPM API ]

Use the [UpdateFindingAggregator](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_UpdateFindingAggregator.html) operation. If you use the Amazon CLI, run the [update-finding-aggregator](https://docs.amazonaws.cn/cli/latest/reference/securityhub/update-finding-aggregator.html) command. To identify the finding aggregator, you must provide the finding aggregator ARN. To obtain the finding aggregator ARN, use the [ListFindingAggregators](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_ListFindingAggregators.html) operation or the [list-finding-aggregators](https://docs.amazonaws.cn/cli/latest/reference/securityhub/list-finding-aggregators.html) command.

If the linking mode is `ALL_REGIONS_EXCEPT_SPECIFIED` or `SPECIFIED_REGIONS`, you can change the list of excluded or included Regions. If you want to change the Region linking mode to `NO_REGIONS`, you shouldn't provide a Regions list.

When you change the list of excluded or included Regions, you must provide the full list with the updates. For example, suppose you currently aggregate findings from US East (Ohio), and want to also aggregate findings from US West (Oregon). You must provide a `Regions` list that contains both US East (Ohio) and US West (Oregon).

The following example updates cross-Region aggregation to selected Regions. The command is run from the current home Region, which is US East (N. Virginia). The linked Regions are US West (N. California) and US West (Oregon). This example is formatted for Linux, macOS, or Unix, and it uses the backslash (\\) line-continuation character to improve readability.

```
$ aws securityhub update-finding-aggregator \
    --region us-east-1 \
    --finding-aggregator-arn arn:aws-cn:securityhub:us-east-1:222222222222:finding-aggregator/123e4567-e89b-12d3-a456-426652340000 \
    --region-linking-mode SPECIFIED_REGIONS \
    --regions us-west-1 us-west-2
```
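The review and update procedures above leave one question to the operator: which enabled Regions are actually reaching the home Region under the current `RegionLinkingMode`, and what full `Regions` list must be resubmitted to close a gap. The following script is an added example, not code from the Security Hub CSPM documentation; it applies the four linking-mode semantics to the fields that `get-finding-aggregator` returns and to the account's enabled Regions, using constructed sample data so it runs offline. The optional `fetch_live` helper assumes boto3 and credentials are available and is the only part that calls Amazon.

```python
"""Audit a Security Hub CSPM finding aggregator for Region coverage gaps.

Added example; not part of the Security Hub CSPM documentation. It consumes the
fields returned by get-finding-aggregator (FindingAggregationRegion,
RegionLinkingMode, Regions) plus the list of Regions enabled in the account.
"""
from __future__ import annotations

# Constructed sample: the aggregator from the CLI examples above, as
# get-finding-aggregator would return it (ResponseMetadata omitted).
SAMPLE_AGGREGATOR = {
    "FindingAggregatorArn": (
        "arn:aws-cn:securityhub:us-east-1:222222222222:"
        "finding-aggregator/123e4567-e89b-12d3-a456-426652340000"
    ),
    "FindingAggregationRegion": "us-east-1",
    "RegionLinkingMode": "SPECIFIED_REGIONS",
    "Regions": ["us-west-1", "us-west-2"],
}

# Constructed sample: Regions enabled in the account (describe-regions RegionName values).
SAMPLE_ENABLED_REGIONS = ["us-east-1", "us-east-2", "us-west-1", "us-west-2", "eu-west-1"]


def linked_regions(aggregator: dict, enabled_regions: list[str]) -> set[str]:
    """Regions (other than the home Region) whose data is aggregated, per RegionLinkingMode."""
    home = aggregator["FindingAggregationRegion"]
    mode = aggregator["RegionLinkingMode"]
    listed = set(aggregator.get("Regions") or [])
    others = set(enabled_regions) - {home}
    if mode == "ALL_REGIONS":
        return others
    if mode == "ALL_REGIONS_EXCEPT_SPECIFIED":
        return others - listed  # Regions is an exclusion list
    if mode == "SPECIFIED_REGIONS":
        return others & listed  # Regions is an inclusion list
    if mode == "NO_REGIONS":
        return set()
    raise ValueError(f"unknown RegionLinkingMode: {mode!r}")


def coverage_gaps(aggregator: dict, enabled_regions: list[str]) -> list[str]:
    """Enabled Regions whose findings never reach the home Region: the blind spots to fix."""
    home = aggregator["FindingAggregationRegion"]
    covered = linked_regions(aggregator, enabled_regions)
    return sorted(set(enabled_regions) - {home} - covered)


def auto_links_new_regions(aggregator: dict) -> bool:
    """True when newly opted-in Regions are linked automatically (the two ALL_REGIONS* modes)."""
    return aggregator["RegionLinkingMode"] in ("ALL_REGIONS", "ALL_REGIONS_EXCEPT_SPECIFIED")


def full_regions_list(aggregator: dict, add=(), remove=()) -> list[str]:
    """Build the complete --regions value for update-finding-aggregator.

    The update replaces the list instead of merging with it, so the current
    entries must be carried over. NO_REGIONS and ALL_REGIONS take no list at all.
    """
    mode = aggregator["RegionLinkingMode"]
    if mode not in ("ALL_REGIONS_EXCEPT_SPECIFIED", "SPECIFIED_REGIONS"):
        raise ValueError(f"{mode} does not take a Regions list")
    current = set(aggregator.get("Regions") or [])
    return sorted((current | set(add)) - set(remove))


def fetch_live(home_region: str) -> tuple[dict, list[str]]:
    """Optional: pull the real inputs with boto3 (assumes boto3 and credentials; run from the home Region)."""
    import boto3  # imported here so the pure functions above run without it

    hub = boto3.client("securityhub", region_name=home_region)
    aggregators = hub.list_finding_aggregators()["FindingAggregators"]
    if not aggregators:
        raise RuntimeError("no finding aggregator: cross-Region aggregation is not enabled")
    aggregator = hub.get_finding_aggregator(FindingAggregatorArn=aggregators[0]["FindingAggregatorArn"])
    ec2 = boto3.client("ec2", region_name=home_region)
    enabled = [r["RegionName"] for r in ec2.describe_regions()["Regions"]]
    return aggregator, enabled


if __name__ == "__main__":
    gaps = coverage_gaps(SAMPLE_AGGREGATOR, SAMPLE_ENABLED_REGIONS)
    print("mode:", SAMPLE_AGGREGATOR["RegionLinkingMode"])
    print("links future Regions:", auto_links_new_regions(SAMPLE_AGGREGATOR))
    print("enabled Regions not aggregated:", gaps)  # ['eu-west-1', 'us-east-2']
    # Closing the gaps in SPECIFIED_REGIONS mode means resubmitting the whole list:
    print("--regions", " ".join(full_regions_list(SAMPLE_AGGREGATOR, add=gaps)))
```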

------

# Stopping cross-Region aggregation
Stopping aggregation

**Note**  
The *aggregation Region* is now called the *home Region*. Some Security Hub CSPM API operations still use the older term aggregation Region.

If you don't want Amazon Security Hub CSPM to aggregate data, you can delete your finding aggregator. Alternatively, you can keep your finding aggregator but not link any Amazon Web Services Regions to the home Region by updating the existing aggregator to the `NO_REGIONS` linking mode.

To change your home Region, you must delete your current finding aggregator and create a new one.

When you delete your finding aggregator, Security Hub CSPM stops aggregating data. It doesn't remove any existing aggregated data from the home Region.

## Deleting the finding aggregator (console)


You can delete your finding aggregator from the current home Region only.

In Regions other than the home Region, the **Finding aggregation** panel on the Security Hub CSPM console displays a message that you must edit the configuration in the home Region. Choose this message to display a link to switch to the home Region.

------
#### [ Security Hub CSPM console ]

**To stop cross-Region aggregation (console)**

1. Open the Amazon Security Hub CSPM console at [https://console.amazonaws.cn/securityhub/](https://console.amazonaws.cn/securityhub/).

1. Ensure that you're signed in to your current home Region.

1. In the Security Hub CSPM navigation menu, choose **Settings**, then choose **Regions**.

1. Under **Finding aggregation**, choose **Edit**.

1. Under **Aggregation Region**, choose **No aggregation Region**.

1. Choose **Save**.

1. On the confirmation dialog, in the confirmation field, type **Confirm**.

1. Choose **Confirm**.

------
#### [ Security Hub CSPM API ]

Use the [DeleteFindingAggregator](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_DeleteFindingAggregator.html) operation of the Security Hub CSPM API. If you're using the Amazon CLI, run the [delete-finding-aggregator](https://docs.amazonaws.cn/cli/latest/reference/securityhub/delete-finding-aggregator.html) command.

To identify the finding aggregator to delete, provide the finding aggregator ARN. To obtain the finding aggregator ARN, use the [ListFindingAggregators](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_ListFindingAggregators.html) operation or the [list-finding-aggregators](https://docs.amazonaws.cn/cli/latest/reference/securityhub/list-finding-aggregators.html) command.

The following example deletes the finding aggregator. The command is run from the current home Region, which is US East (N. Virginia). This example is formatted for Linux, macOS, or Unix, and it uses the backslash (\\) line-continuation character to improve readability.

```
$ aws securityhub delete-finding-aggregator \
    --finding-aggregator-arn arn:aws-cn:securityhub:us-east-1:222222222222:finding-aggregator/123e4567-e89b-12d3-a456-426652340000 \
    --region us-east-1
```

------

# Understanding security standards in Security Hub CSPM
Standards

In Amazon Security Hub CSPM, a *security standard* is a set of requirements that's based on regulatory frameworks, industry best practices, or company policies. For details about the standards that Security Hub CSPM currently supports, including the security controls that apply to each one, see the [Standards reference for Security Hub CSPM](standards-reference.md).

When you enable a standard, Security Hub CSPM automatically enables all the controls that apply to the standard. Security Hub CSPM then runs security checks on the controls, which generates Security Hub CSPM findings. You can disable and later re-enable individual controls as necessary. You can also disable a standard completely. If you disable a standard, Security Hub CSPM stops running security checks on controls that apply to the standard. Findings are no longer generated for the controls.

In addition to findings, Security Hub CSPM generates a security score for each standard that you enable. The score is based on the status of the controls that apply to the standard. If you set an aggregation Region, the security score for a standard reflects the status of the controls across all linked Regions. If you're the Security Hub CSPM administrator for an organization, the score reflects the status of the controls for all the accounts in your organization. For more information, see [Calculating security scores](standards-security-score.md).

To review and manage standards, you can use the Security Hub CSPM console or the Security Hub CSPM API. On the console, the **Security standards** page shows all the security standards that Security Hub CSPM currently supports. This includes a description of each standard and the current status of the standard. If you enable a standard, you can also use this page to access additional details for the standard. For example, you can review:
+ The current security score for the standard.
+ Aggregated statistics for controls that apply to the standard.
+ A list of controls that apply to the standard and are currently enabled, including the compliance status of each one.
+ A list of controls that apply to the standard but are currently disabled.

For deeper analysis, you can filter and sort the data, and drill down to review the details of individual controls that apply to the standard.

You can enable standards individually for a single account and Amazon Web Services Region. However, to save time and reduce configuration drift in multi-account and multi-Region environments, we recommend using [central configuration](central-configuration-intro.md) to enable and manage standards. With central configuration, the delegated Security Hub CSPM administrator can create policies that specify how to configure a standard across multiple accounts and Regions.

**Topics**
+ [Standards reference](standards-reference.md)
+ [Enabling a standard](enable-standards.md)
+ [Reviewing the details of a standard](securityhub-standards-view-controls.md)
+ [Turning off auto-enabled standards](securityhub-auto-enabled-standards.md)
+ [Disabling a standard](disable-standards.md)

# Standards reference for Security Hub CSPM
Standards reference

In Amazon Security Hub CSPM, a *security standard* is a set of requirements that's based on regulatory frameworks, industry best practices, or company policies. Security Hub CSPM maps these requirements to controls, and runs security checks on the controls to assess whether the requirements of a standard are being met. Each standard includes multiple controls.

Security Hub CSPM currently supports the following standards:
+ **Amazon Foundational Security Best Practices** – Developed by Amazon and industry professionals, this standard is a compilation of security best practices for organizations, regardless of sector or size. It provides a set of controls that detect when your Amazon Web Services accounts and resources deviate from security best practices. It also provides prescriptive guidance about how to improve and maintain your security posture.
+ **Amazon Resource Tagging** – Developed by Security Hub CSPM, this standard can help you determine whether your Amazon resources have tags. A *tag* is a key-value pair that acts as metadata for an Amazon resource. Tags can help you identify, categorize, manage, and search for Amazon resources. For example, you can use tags to categorize resources by purpose, owner, or environment.
+ **CIS Amazon Foundations Benchmark** – Developed by the Center for Internet Security (CIS), this standard provides secure configuration guidelines for Amazon. It specifies a set of security configuration guidelines and best practices for a subset of Amazon Web Services services and resources, with an emphasis on foundational, testable, and architecture-agnostic settings. The guidelines include clear, step-by-step implementation and assessment procedures.
+ **NIST SP 800-53 Revision 5** – This standard aligns with National Institute of Standards and Technology (NIST) requirements for protecting the confidentiality, integrity, and availability of information systems and critical resources. The associated framework generally applies to U.S. federal agencies or organizations that work with U.S. federal agencies or information systems. However, private organizations can also use the requirements as a guiding framework.
+ **NIST SP 800-171 Revision 2** – This standard aligns with NIST security recommendations and requirements for protecting the confidentiality of Controlled Unclassified Information (CUI) in systems and organizations that aren't part of the U.S. federal government. *CUI* is information that doesn't meet government criteria for classification, but is considered sensitive and is created or possessed by the U.S. federal government or other entities on behalf of the U.S. federal government.
+ **PCI DSS** – This standard aligns with the Payment Card Industry Data Security Standard (PCI DSS) compliance framework defined by the PCI Security Standards Council (SSC). The framework provides a set of rules and guidelines for safely handling credit and debit card information. The framework generally applies to organizations that store, process, or transmit cardholder data.
+ **Service-managed standard, Amazon Control Tower** – This standard helps you configure the detective controls provided by Security Hub CSPM from Amazon Control Tower. Amazon Control Tower offers a straightforward way to set up and govern an Amazon multi-account environment, following prescriptive best practices.

Security Hub CSPM standards and controls don't guarantee compliance with any regulatory frameworks or audits. Instead, they provide a way to evaluate and monitor the state of your Amazon Web Services accounts and resources. We recommend enabling each standard that's relevant to your business needs, industry, or use case.

Individual controls can apply to more than one standard. If you enable multiple standards, we recommend that you also enable consolidated control findings. If you do this, Security Hub CSPM generates a single finding for each control, even if the control applies to more than one standard. If you don't turn on consolidated control findings, Security Hub CSPM generates a separate finding for each enabled standard that a control applies to. For example, if you enable two standards and a control applies to both of them, you receive two separate findings for the control, one for each standard. If you enable consolidated control findings, you receive only one finding for the control. For more information, see [Consolidated control findings](controls-findings-create-update.md#consolidated-control-findings).

**Topics**
+ [Amazon Foundational Security Best Practices](fsbp-standard.md)
+ [Amazon Resource Tagging](standards-tagging.md)
+ [CIS Amazon Foundations Benchmark](cis-aws-foundations-benchmark.md)
+ [NIST SP 800-53 Revision 5](standards-reference-nist-800-53.md)
+ [NIST SP 800-171 Revision 2](standards-reference-nist-800-171.md)
+ [PCI DSS](pci-standard.md)
+ [Service-managed standards](service-managed-standards.md)

# Amazon Foundational Security Best Practices standard in Security Hub CSPM
Amazon Foundational Security Best Practices

Developed by Amazon and industry professionals, the Amazon Foundational Security Best Practices (FSBP) standard is a compilation of security best practices for organizations, regardless of organization sector or size. It provides a set of controls that detect when Amazon Web Services accounts and resources deviate from security best practices. It also provides prescriptive guidance about how to improve and maintain your organization's security posture.

In Amazon Security Hub CSPM, the Amazon Foundational Security Best Practices standard includes controls that continuously evaluate your Amazon Web Services accounts and workloads, and help you identify areas that deviate from security best practices. The controls include security best practices for resources from multiple Amazon Web Services services. Each control is assigned a category that reflects the security function that the control applies to. For a list of categories and additional details, see [Control categories](control-categories.md).

## Controls that apply to the standard


The following list specifies which Amazon Security Hub CSPM controls apply to the Amazon Foundational Security Best Practices standard (v1.0.0). To review the details of a control, choose the control.

 [[Account.1] Security contact information should be provided for an Amazon Web Services account](account-controls.md#account-1) 

 [[ACM.1] Imported and ACM-issued certificates should be renewed after a specified time period](acm-controls.md#acm-1) 

 [[ACM.2] RSA certificates managed by ACM should use a key length of at least 2,048 bits](acm-controls.md#acm-2) 

 [[APIGateway.1] API Gateway REST and WebSocket API execution logging should be enabled](apigateway-controls.md#apigateway-1) 

 [[APIGateway.2] API Gateway REST API stages should be configured to use SSL certificates for backend authentication](apigateway-controls.md#apigateway-2) 

 [[APIGateway.3] API Gateway REST API stages should have Amazon X-Ray tracing enabled](apigateway-controls.md#apigateway-3) 

 [[APIGateway.4] API Gateway should be associated with a WAF Web ACL](apigateway-controls.md#apigateway-4) 

 [[APIGateway.5] API Gateway REST API cache data should be encrypted at rest](apigateway-controls.md#apigateway-5) 

 [[APIGateway.8] API Gateway routes should specify an authorization type](apigateway-controls.md#apigateway-8) 

 [[APIGateway.9] Access logging should be configured for API Gateway V2 Stages](apigateway-controls.md#apigateway-9) 

 [[APIGateway.10] API Gateway V2 integrations should use HTTPS for private connections](apigateway-controls.md#apigateway-10) 

 [[APIGateway.11] API Gateway domain names should use recommended security policies](apigateway-controls.md#apigateway-11) 

 [[AppSync.1] Amazon AppSync API caches should be encrypted at rest](appsync-controls.md#appsync-1) 

 [[AppSync.2] Amazon AppSync should have field-level logging enabled](appsync-controls.md#appsync-2) 

 [[AppSync.5] Amazon AppSync GraphQL APIs should not be authenticated with API keys](appsync-controls.md#appsync-5) 

 [[AppSync.6] Amazon AppSync API caches should be encrypted in transit](appsync-controls.md#appsync-6) 

 [[Athena.4] Athena workgroups should have logging enabled](athena-controls.md#athena-4) 

 [[AutoScaling.1] Auto Scaling groups associated with a load balancer should use ELB health checks](autoscaling-controls.md#autoscaling-1) 

 [[AutoScaling.2] Amazon EC2 Auto Scaling group should cover multiple Availability Zones](autoscaling-controls.md#autoscaling-2) 

 [[AutoScaling.3] Auto Scaling group launch configurations should configure EC2 instances to require Instance Metadata Service Version 2 (IMDSv2)](autoscaling-controls.md#autoscaling-3) 

 [[Autoscaling.5] Amazon EC2 instances launched using Auto Scaling group launch configurations should not have Public IP addresses](autoscaling-controls.md#autoscaling-5) 

 [[AutoScaling.6] Auto Scaling groups should use multiple instance types in multiple Availability Zones](autoscaling-controls.md#autoscaling-6) 

 [[AutoScaling.9] Amazon EC2 Auto Scaling groups should use Amazon EC2 launch templates](autoscaling-controls.md#autoscaling-9) 

 [[Backup.1] Amazon Backup recovery points should be encrypted at rest](backup-controls.md#backup-1) 

 [[CloudFormation.3] CloudFormation stacks should have termination protection enabled](cloudformation-controls.md#cloudformation-3) 

 [[CloudFormation.4] CloudFormation stacks should have associated service roles](cloudformation-controls.md#cloudformation-4) 

 [[CloudFront.1] CloudFront distributions should have a default root object configured](cloudfront-controls.md#cloudfront-1) 

 [[CloudFront.3] CloudFront distributions should require encryption in transit](cloudfront-controls.md#cloudfront-3) 

 [[CloudFront.4] CloudFront distributions should have origin failover configured](cloudfront-controls.md#cloudfront-4) 

 [[CloudFront.5] CloudFront distributions should have logging enabled](cloudfront-controls.md#cloudfront-5) 

 [[CloudFront.6] CloudFront distributions should have WAF enabled](cloudfront-controls.md#cloudfront-6) 

 [[CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates](cloudfront-controls.md#cloudfront-7) 

 [[CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests](cloudfront-controls.md#cloudfront-8) 

 [[CloudFront.9] CloudFront distributions should encrypt traffic to custom origins](cloudfront-controls.md#cloudfront-9) 

 [[CloudFront.10] CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins](cloudfront-controls.md#cloudfront-10) 

 [[CloudFront.12] CloudFront distributions should not point to non-existent S3 origins](cloudfront-controls.md#cloudfront-12) 

 [[CloudFront.13] CloudFront distributions should use origin access control](cloudfront-controls.md#cloudfront-13) 

 [[CloudFront.15] CloudFront distributions should use the recommended TLS security policy](cloudfront-controls.md#cloudfront-15) 

 [[CloudFront.16] CloudFront distributions should use origin access control for Lambda function URL origins](cloudfront-controls.md#cloudfront-16) 

 [[CloudFront.17] CloudFront distributions should use trusted key groups for signed URLs and cookies](cloudfront-controls.md#cloudfront-17) 

 [[CloudTrail.1] CloudTrail should be enabled and configured with at least one multi-Region trail that includes read and write management events](cloudtrail-controls.md#cloudtrail-1) 

 [[CloudTrail.2] CloudTrail should have encryption at-rest enabled](cloudtrail-controls.md#cloudtrail-2) 

 [[CloudTrail.4] CloudTrail log file validation should be enabled](cloudtrail-controls.md#cloudtrail-4) 

 [[CloudTrail.5] CloudTrail trails should be integrated with Amazon CloudWatch Logs](cloudtrail-controls.md#cloudtrail-5) 

 [[CodeBuild.1] CodeBuild Bitbucket source repository URLs should not contain sensitive credentials](codebuild-controls.md#codebuild-1) 

 [[CodeBuild.2] CodeBuild project environment variables should not contain clear text credentials](codebuild-controls.md#codebuild-2) 

 [[CodeBuild.3] CodeBuild S3 logs should be encrypted](codebuild-controls.md#codebuild-3) 

 [[CodeBuild.4] CodeBuild project environments should have a logging Amazon Configuration](codebuild-controls.md#codebuild-4) 

 [[CodeBuild.7] CodeBuild report group exports should be encrypted at rest](codebuild-controls.md#codebuild-7) 

 [[Cognito.2] Cognito identity pools should not allow unauthenticated identities](cognito-controls.md#cognito-2) 

 [[Cognito.3] Password policies for Cognito user pools should have strong configurations](cognito-controls.md#cognito-3) 

 [[Cognito.4] Cognito user pools should have threat protection activated with full function enforcement mode for custom authentication](cognito-controls.md#cognito-4) 

 [[Cognito.5] MFA should be enabled for Cognito user pools](cognito-controls.md#cognito-5) 

 [[Cognito.6] Cognito user pools should have deletion protection enabled](cognito-controls.md#cognito-6) 

 [[Config.1] Amazon Config should be enabled and use the service-linked role for resource recording](config-controls.md#config-1) 

 [[Connect.2] Amazon Connect instances should have CloudWatch logging enabled](connect-controls.md#connect-2) 

 [[DataFirehose.1] Firehose delivery streams should be encrypted at rest](datafirehose-controls.md#datafirehose-1) 

 [[DataSync.1] DataSync tasks should have logging enabled](datasync-controls.md#datasync-1) 

 [[DMS.1] Database Migration Service replication instances should not be public](dms-controls.md#dms-1) 

 [[DMS.6] DMS replication instances should have automatic minor version upgrade enabled](dms-controls.md#dms-6) 

 [[DMS.7] DMS replication tasks for the target database should have logging enabled](dms-controls.md#dms-7) 

 [[DMS.8] DMS replication tasks for the source database should have logging enabled](dms-controls.md#dms-8) 

 [[DMS.9] DMS endpoints should use SSL](dms-controls.md#dms-9) 

 [[DMS.10] DMS endpoints for Neptune databases should have IAM authorization enabled](dms-controls.md#dms-10) 

 [[DMS.11] DMS endpoints for MongoDB should have an authentication mechanism enabled](dms-controls.md#dms-11) 

 [[DMS.12] DMS endpoints for Redis OSS should have TLS enabled](dms-controls.md#dms-12) 

 [[DMS.13] DMS replication instances should be configured to use multiple Availability Zones](dms-controls.md#dms-13) 

 [[DocumentDB.1] Amazon DocumentDB clusters should be encrypted at rest](documentdb-controls.md#documentdb-1) 

 [[DocumentDB.2] Amazon DocumentDB clusters should have an adequate backup retention period](documentdb-controls.md#documentdb-2) 

 [[DocumentDB.3] Amazon DocumentDB manual cluster snapshots should not be public](documentdb-controls.md#documentdb-3) 

 [[DocumentDB.4] Amazon DocumentDB clusters should publish audit logs to CloudWatch Logs](documentdb-controls.md#documentdb-4) 

 [[DocumentDB.5] Amazon DocumentDB clusters should have deletion protection enabled](documentdb-controls.md#documentdb-5) 

 [[DocumentDB.6] Amazon DocumentDB clusters should be encrypted in transit](documentdb-controls.md#documentdb-6) 

 [[DynamoDB.1] DynamoDB tables should automatically scale capacity with demand](dynamodb-controls.md#dynamodb-1) 

 [[DynamoDB.2] DynamoDB tables should have point-in-time recovery enabled](dynamodb-controls.md#dynamodb-2) 

 [[DynamoDB.3] DynamoDB Accelerator (DAX) clusters should be encrypted at rest](dynamodb-controls.md#dynamodb-3) 

 [[DynamoDB.6] DynamoDB tables should have deletion protection enabled](dynamodb-controls.md#dynamodb-6) 

 [[DynamoDB.7] DynamoDB Accelerator clusters should be encrypted in transit](dynamodb-controls.md#dynamodb-7) 

 [[EC2.1] Amazon EBS snapshots should not be configured to be publicly restorable](ec2-controls.md#ec2-1) 

 [[EC2.2] VPC default security groups should not allow inbound or outbound traffic](ec2-controls.md#ec2-2) 

 [[EC2.3] Attached Amazon EBS volumes should be encrypted at-rest](ec2-controls.md#ec2-3) 

 [[EC2.4] Stopped EC2 instances should be removed after a specified time period](ec2-controls.md#ec2-4) 

 [[EC2.6] VPC flow logging should be enabled in all VPCs](ec2-controls.md#ec2-6) 

 [[EC2.7] EBS default encryption should be enabled](ec2-controls.md#ec2-7) 

 [[EC2.8] EC2 instances should use Instance Metadata Service Version 2 (IMDSv2)](ec2-controls.md#ec2-8) 

 [[EC2.9] Amazon EC2 instances should not have a public IPv4 address](ec2-controls.md#ec2-9) 

 [[EC2.10] Amazon EC2 should be configured to use VPC endpoints that are created for the Amazon EC2 service](ec2-controls.md#ec2-10) 

 [[EC2.15] Amazon EC2 subnets should not automatically assign public IP addresses](ec2-controls.md#ec2-15) 

 [[EC2.16] Unused Network Access Control Lists should be removed](ec2-controls.md#ec2-16) 

 [[EC2.17] Amazon EC2 instances should not use multiple ENIs](ec2-controls.md#ec2-17) 

 [[EC2.18] Security groups should only allow unrestricted incoming traffic for authorized ports](ec2-controls.md#ec2-18) 

 [[EC2.19] Security groups should not allow unrestricted access to ports with high risk](ec2-controls.md#ec2-19) 

 [[EC2.20] Both VPN tunnels for an Amazon Site-to-Site VPN connection should be up](ec2-controls.md#ec2-20) 

 [[EC2.21] Network ACLs should not allow ingress from 0.0.0.0/0 to port 22 or port 3389](ec2-controls.md#ec2-21) 

 [[EC2.23] Amazon EC2 Transit Gateways should not automatically accept VPC attachment requests](ec2-controls.md#ec2-23) 

 [[EC2.24] Amazon EC2 paravirtual instance types should not be used](ec2-controls.md#ec2-24) 

 [[EC2.25] Amazon EC2 launch templates should not assign public IPs to network interfaces](ec2-controls.md#ec2-25) 

 [[EC2.51] EC2 Client VPN endpoints should have client connection logging enabled](ec2-controls.md#ec2-51) 

[[EC2.55] VPCs should be configured with an interface endpoint for ECR API](ec2-controls.md#ec2-55)

[[EC2.56] VPCs should be configured with an interface endpoint for Docker Registry](ec2-controls.md#ec2-56)

[[EC2.57] VPCs should be configured with an interface endpoint for Systems Manager](ec2-controls.md#ec2-57)

[[EC2.58] VPCs should be configured with an interface endpoint for Systems Manager Incident Manager Contacts](ec2-controls.md#ec2-58)

[[EC2.60] VPCs should be configured with an interface endpoint for Systems Manager Incident Manager](ec2-controls.md#ec2-60)

 [[EC2.170] EC2 launch templates should use Instance Metadata Service Version 2 (IMDSv2)](ec2-controls.md#ec2-170) 

 [[EC2.171] EC2 VPN connections should have logging enabled](ec2-controls.md#ec2-171) 

 [[EC2.172] EC2 VPC Block Public Access settings should block internet gateway traffic](ec2-controls.md#ec2-172) 

 [[EC2.173] EC2 Spot Fleet requests with launch parameters should enable encryption for attached EBS volumes](ec2-controls.md#ec2-173) 

 [[EC2.180] EC2 network interfaces should have source/destination checking enabled](ec2-controls.md#ec2-180) 

 [[EC2.181] EC2 launch templates should enable encryption for attached EBS volumes](ec2-controls.md#ec2-181) 

 [[EC2.182] Block public access settings should be enabled for Amazon EBS snapshots](ec2-controls.md#ec2-182) 

 [[EC2.183] EC2 VPN connections should use IKEv2 protocol](ec2-controls.md#ec2-183) 

 [[ECR.1] ECR private repositories should have image scanning configured](ecr-controls.md#ecr-1) 

 [[ECR.2] ECR private repositories should have tag immutability configured](ecr-controls.md#ecr-2) 

 [[ECR.3] ECR repositories should have at least one lifecycle policy configured](ecr-controls.md#ecr-3) 

 [[ECS.1] Amazon ECS task definitions should have secure networking modes and user definitions](ecs-controls.md#ecs-1) 

 [[ECS.2] ECS services should not have public IP addresses assigned to them automatically](ecs-controls.md#ecs-2) 

 [[ECS.3] ECS task definitions should not share the host's process namespace](ecs-controls.md#ecs-3) 

 [[ECS.4] ECS containers should run as non-privileged](ecs-controls.md#ecs-4) 

 [[ECS.5] ECS task definitions should configure containers to be limited to read-only access to root filesystems](ecs-controls.md#ecs-5) 

 [[ECS.8] Secrets should not be passed as container environment variables](ecs-controls.md#ecs-8) 

 [[ECS.9] ECS task definitions should have a logging configuration](ecs-controls.md#ecs-9) 

 [[ECS.10] ECS Fargate services should run on the latest Fargate platform version](ecs-controls.md#ecs-10) 

 [[ECS.12] ECS clusters should use Container Insights](ecs-controls.md#ecs-12) 

 [[ECS.16] ECS task sets should not automatically assign public IP addresses](ecs-controls.md#ecs-16) 

 [[ECS.18] ECS Task Definitions should use in-transit encryption for EFS volumes](ecs-controls.md#ecs-18) 

 [[ECS.19] ECS capacity providers should have managed termination protection enabled](ecs-controls.md#ecs-19) 

 [[ECS.20] ECS Task Definitions should configure non-root users in Linux container definitions](ecs-controls.md#ecs-20) 

 [[ECS.21] ECS Task Definitions should configure non-administrator users in Windows container definitions](ecs-controls.md#ecs-21) 

 [[EFS.1] Elastic File System should be configured to encrypt file data at-rest using Amazon KMS](efs-controls.md#efs-1) 

 [[EFS.2] Amazon EFS volumes should be in backup plans](efs-controls.md#efs-2) 

 [[EFS.3] EFS access points should enforce a root directory](efs-controls.md#efs-3) 

 [[EFS.4] EFS access points should enforce a user identity](efs-controls.md#efs-4) 

 [[EFS.6] EFS mount targets should not be associated with subnets that assign public IP addresses on launch](efs-controls.md#efs-6) 

 [[EFS.7] EFS file systems should have automatic backups enabled](efs-controls.md#efs-7) 

 [[EFS.8] EFS file systems should be encrypted at rest](efs-controls.md#efs-8) 

 [[EKS.1] EKS cluster endpoints should not be publicly accessible](eks-controls.md#eks-1) 

 [[EKS.2] EKS clusters should run on a supported Kubernetes version](eks-controls.md#eks-2) 

 [[EKS.3] EKS clusters should use encrypted Kubernetes secrets](eks-controls.md#eks-3) 

 [[EKS.8] EKS clusters should have audit logging enabled](eks-controls.md#eks-8) 

 [[EKS.9] EKS node groups should run on a supported Kubernetes version](eks-controls.md#eks-9) 

 [[ElastiCache.1] ElastiCache (Redis OSS) clusters should have automatic backups enabled](elasticache-controls.md#elasticache-1) 

 [[ElastiCache.2] ElastiCache clusters should have automatic minor version upgrades enabled](elasticache-controls.md#elasticache-2) 

 [[ElastiCache.3] ElastiCache replication groups should have automatic failover enabled](elasticache-controls.md#elasticache-3) 

 [[ElastiCache.4] ElastiCache replication groups should be encrypted at rest](elasticache-controls.md#elasticache-4) 

 [[ElastiCache.5] ElastiCache replication groups should be encrypted in transit](elasticache-controls.md#elasticache-5) 

 [[ElastiCache.6] ElastiCache (Redis OSS) replication groups of earlier versions should have Redis OSS AUTH enabled](elasticache-controls.md#elasticache-6) 

 [[ElastiCache.7] ElastiCache clusters should not use the default subnet group](elasticache-controls.md#elasticache-7) 

 [[ElasticBeanstalk.1] Elastic Beanstalk environments should have enhanced health reporting enabled](elasticbeanstalk-controls.md#elasticbeanstalk-1) 

 [[ElasticBeanstalk.2] Elastic Beanstalk managed platform updates should be enabled](elasticbeanstalk-controls.md#elasticbeanstalk-2) 

 [[ElasticBeanstalk.3] Elastic Beanstalk should stream logs to CloudWatch](elasticbeanstalk-controls.md#elasticbeanstalk-3) 

 [[ELB.1] Application Load Balancer should be configured to redirect all HTTP requests to HTTPS](elb-controls.md#elb-1) 

 [[ELB.2] Classic Load Balancers with SSL/HTTPS listeners should use a certificate provided by Amazon Certificate Manager](elb-controls.md#elb-2) 

 [[ELB.3] Classic Load Balancer listeners should be configured with HTTPS or TLS termination](elb-controls.md#elb-3) 

 [[ELB.4] Application Load Balancer should be configured to drop invalid http headers](elb-controls.md#elb-4) 

 [[ELB.5] Application and Classic Load Balancers logging should be enabled](elb-controls.md#elb-5) 

 [[ELB.6] Application, Gateway, and Network Load Balancers should have deletion protection enabled](elb-controls.md#elb-6) 

 [[ELB.7] Classic Load Balancers should have connection draining enabled](elb-controls.md#elb-7) 

 [[ELB.8] Classic Load Balancers with SSL listeners should use a predefined security policy that has strong Amazon Configuration](elb-controls.md#elb-8) 

 [[ELB.9] Classic Load Balancers should have cross-zone load balancing enabled](elb-controls.md#elb-9) 

 [[ELB.10] Classic Load Balancer should span multiple Availability Zones](elb-controls.md#elb-10) 

 [[ELB.12] Application Load Balancer should be configured with defensive or strictest desync mitigation mode](elb-controls.md#elb-12) 

 [[ELB.13] Application, Network and Gateway Load Balancers should span multiple Availability Zones](elb-controls.md#elb-13) 

 [[ELB.14] Classic Load Balancer should be configured with defensive or strictest desync mitigation mode](elb-controls.md#elb-14) 

 [[ELB.17] Application and Network Load Balancers with listeners should use recommended security policies](elb-controls.md#elb-17) 

 [[ELB.18] Application and Network Load Balancer listeners should use secure protocols to encrypt data in transit](elb-controls.md#elb-18) 

 [[ELB.21] Application and Network Load Balancer target groups should use encrypted health check protocols](elb-controls.md#elb-21) 

 [[ELB.22] ELB target groups should use encrypted transport protocols](elb-controls.md#elb-22) 

 [[EMR.1] Amazon EMR cluster primary nodes should not have public IP addresses](emr-controls.md#emr-1) 

 [[EMR.2] Amazon EMR block public access setting should be enabled](emr-controls.md#emr-2) 

 [[EMR.3] Amazon EMR security configurations should be encrypted at rest](emr-controls.md#emr-3) 

 [[EMR.4] Amazon EMR security configurations should be encrypted in transit](emr-controls.md#emr-4) 

 [[ES.1] Elasticsearch domains should have encryption at-rest enabled](es-controls.md#es-1) 

 [[ES.2] Elasticsearch domains should not be publicly accessible](es-controls.md#es-2) 

 [[ES.3] Elasticsearch domains should encrypt data sent between nodes](es-controls.md#es-3) 

 [[ES.4] Elasticsearch domain error logging to CloudWatch Logs should be enabled](es-controls.md#es-4) 

 [[ES.5] Elasticsearch domains should have audit logging enabled](es-controls.md#es-5) 

 [[ES.6] Elasticsearch domains should have at least three data nodes](es-controls.md#es-6) 

 [[ES.7] Elasticsearch domains should be configured with at least three dedicated master nodes](es-controls.md#es-7) 

 [[ES.8] Connections to Elasticsearch domains should be encrypted using the latest TLS security policy](es-controls.md#es-8) 

 [[EventBridge.3] EventBridge custom event buses should have a resource-based policy attached](eventbridge-controls.md#eventbridge-3) 

 [[FSx.1] FSx for OpenZFS file systems should be configured to copy tags to backups and volumes](fsx-controls.md#fsx-1) 

 [[FSx.2] FSx for Lustre file systems should be configured to copy tags to backups](fsx-controls.md#fsx-2) 

 [[FSx.3] FSx for OpenZFS file systems should be configured for Multi-AZ deployment](fsx-controls.md#fsx-3) 

 [[FSx.4] FSx for NetApp ONTAP file systems should be configured for Multi-AZ deployment](fsx-controls.md#fsx-4) 

 [[FSx.5] FSx for Windows File Server file systems should be configured for Multi-AZ deployment](fsx-controls.md#fsx-5) 

 [[Glue.3] Amazon Glue machine learning transforms should be encrypted at rest](glue-controls.md#glue-3) 

 [[Glue.4] Amazon Glue Spark jobs should run on supported versions of Amazon Glue](glue-controls.md#glue-4) 

 [[GuardDuty.1] GuardDuty should be enabled](guardduty-controls.md#guardduty-1) 

 [[GuardDuty.5] GuardDuty EKS Audit Log Monitoring should be enabled](guardduty-controls.md#guardduty-5) 

 [[GuardDuty.6] GuardDuty Lambda Protection should be enabled](guardduty-controls.md#guardduty-6) 

 [[GuardDuty.7] GuardDuty EKS Runtime Monitoring should be enabled](guardduty-controls.md#guardduty-7) 

 [[GuardDuty.8] GuardDuty Malware Protection for EC2 should be enabled](guardduty-controls.md#guardduty-8) 

 [[GuardDuty.9] GuardDuty RDS Protection should be enabled](guardduty-controls.md#guardduty-9) 

 [[GuardDuty.10] GuardDuty S3 Protection should be enabled](guardduty-controls.md#guardduty-10) 

 [[GuardDuty.11] GuardDuty Runtime Monitoring should be enabled](guardduty-controls.md#guardduty-11) 

 [[GuardDuty.12] GuardDuty ECS Runtime Monitoring should be enabled](guardduty-controls.md#guardduty-12) 

 [[GuardDuty.13] GuardDuty EC2 Runtime Monitoring should be enabled](guardduty-controls.md#guardduty-13) 

 [[IAM.1] IAM policies should not allow full "*" administrative privileges](iam-controls.md#iam-1) 

 [[IAM.2] IAM users should not have IAM policies attached](iam-controls.md#iam-2) 

 [[IAM.3] IAM users' access keys should be rotated every 90 days or less](iam-controls.md#iam-3) 

 [[IAM.4] IAM root user access key should not exist](iam-controls.md#iam-4) 

 [[IAM.5] MFA should be enabled for all IAM users that have a console password](iam-controls.md#iam-5) 

 [[IAM.6] Hardware MFA should be enabled for the root user](iam-controls.md#iam-6) 

 [[IAM.7] Password policies for IAM users should have strong configurations](iam-controls.md#iam-7) 

 [[IAM.8] Unused IAM user credentials should be removed](iam-controls.md#iam-8) 

 [[IAM.21] IAM customer managed policies that you create should not allow wildcard actions for services](iam-controls.md#iam-21) 

 [[Inspector.1] Amazon Inspector EC2 scanning should be enabled](inspector-controls.md#inspector-1) 

 [[Inspector.2] Amazon Inspector ECR scanning should be enabled](inspector-controls.md#inspector-2) 

 [[Inspector.3] Amazon Inspector Lambda code scanning should be enabled](inspector-controls.md#inspector-3) 

 [[Inspector.4] Amazon Inspector Lambda standard scanning should be enabled](inspector-controls.md#inspector-4) 

 [[Kinesis.1] Kinesis streams should be encrypted at rest](kinesis-controls.md#kinesis-1) 

 [[Kinesis.3] Kinesis streams should have an adequate data retention period](kinesis-controls.md#kinesis-3) 

 [[KMS.1] IAM customer managed policies should not allow decryption actions on all KMS keys](kms-controls.md#kms-1) 

 [[KMS.2] IAM principals should not have IAM inline policies that allow decryption actions on all KMS keys](kms-controls.md#kms-2) 

 [[KMS.3] Amazon KMS keys should not be deleted unintentionally](kms-controls.md#kms-3) 

 [[KMS.5] KMS keys should not be publicly accessible](kms-controls.md#kms-5) 

 [[Lambda.1] Lambda function policies should prohibit public access](lambda-controls.md#lambda-1) 

 [[Lambda.2] Lambda functions should use supported runtimes](lambda-controls.md#lambda-2) 

 [[Lambda.5] VPC Lambda functions should operate in multiple Availability Zones](lambda-controls.md#lambda-5) 

 [[Macie.1] Amazon Macie should be enabled](macie-controls.md#macie-1) 

 [[Macie.2] Macie automated sensitive data discovery should be enabled](macie-controls.md#macie-2) 

 [[MQ.2] ActiveMQ brokers should stream audit logs to CloudWatch](mq-controls.md#mq-2) 

 [[MQ.3] Amazon MQ brokers should have automatic minor version upgrade enabled](mq-controls.md#mq-3) 

 [[MSK.1] MSK clusters should be encrypted in transit among broker nodes](msk-controls.md#msk-1) 

 [[MSK.3] MSK Connect connectors should be encrypted in transit](msk-controls.md#msk-3) 

 [[MSK.4] MSK clusters should have public access disabled](msk-controls.md#msk-4) 

 [[MSK.5] MSK connectors should have logging enabled](msk-controls.md#msk-5) 

 [[MSK.6] MSK clusters should disable unauthenticated access](msk-controls.md#msk-6) 

 [[Neptune.1] Neptune DB clusters should be encrypted at rest](neptune-controls.md#neptune-1) 

 [[Neptune.2] Neptune DB clusters should publish audit logs to CloudWatch Logs](neptune-controls.md#neptune-2) 

 [[Neptune.3] Neptune DB cluster snapshots should not be public](neptune-controls.md#neptune-3) 

 [[Neptune.4] Neptune DB clusters should have deletion protection enabled](neptune-controls.md#neptune-4) 

 [[Neptune.5] Neptune DB clusters should have automated backups enabled](neptune-controls.md#neptune-5) 

 [[Neptune.6] Neptune DB cluster snapshots should be encrypted at rest](neptune-controls.md#neptune-6) 

 [[Neptune.7] Neptune DB clusters should have IAM database authentication enabled](neptune-controls.md#neptune-7) 

 [[Neptune.8] Neptune DB clusters should be configured to copy tags to snapshots](neptune-controls.md#neptune-8) 

 [[NetworkFirewall.2] Network Firewall logging should be enabled](networkfirewall-controls.md#networkfirewall-2) 

 [[NetworkFirewall.3] Network Firewall policies should have at least one rule group associated](networkfirewall-controls.md#networkfirewall-3) 

 [[NetworkFirewall.4] The default stateless action for Network Firewall policies should be drop or forward for full packets](networkfirewall-controls.md#networkfirewall-4) 

 [[NetworkFirewall.5] The default stateless action for Network Firewall policies should be drop or forward for fragmented packets](networkfirewall-controls.md#networkfirewall-5) 

 [[NetworkFirewall.6] Stateless Network Firewall rule group should not be empty](networkfirewall-controls.md#networkfirewall-6) 

 [[NetworkFirewall.9] Network Firewall firewalls should have deletion protection enabled](networkfirewall-controls.md#networkfirewall-9) 

 [[NetworkFirewall.10] Network Firewall firewalls should have subnet change protection enabled](networkfirewall-controls.md#networkfirewall-10) 

 [[Opensearch.1] OpenSearch domains should have encryption at rest enabled](opensearch-controls.md#opensearch-1) 

 [[Opensearch.2] OpenSearch domains should not be publicly accessible](opensearch-controls.md#opensearch-2) 

 [[Opensearch.3] OpenSearch domains should encrypt data sent between nodes](opensearch-controls.md#opensearch-3) 

 [[Opensearch.4] OpenSearch domain error logging to CloudWatch Logs should be enabled](opensearch-controls.md#opensearch-4) 

 [[Opensearch.5] OpenSearch domains should have audit logging enabled](opensearch-controls.md#opensearch-5) 

 [[Opensearch.6] OpenSearch domains should have at least three data nodes](opensearch-controls.md#opensearch-6) 

 [[Opensearch.7] OpenSearch domains should have fine-grained access control enabled](opensearch-controls.md#opensearch-7) 

 [[Opensearch.8] Connections to OpenSearch domains should be encrypted using the latest TLS security policy](opensearch-controls.md#opensearch-8) 

 [[Opensearch.10] OpenSearch domains should have the latest software update installed](opensearch-controls.md#opensearch-10) 

 [[PCA.1] Amazon Private CA root certificate authority should be disabled](pca-controls.md#pca-1) 

 [[Route53.2] Route 53 public hosted zones should log DNS queries](route53-controls.md#route53-2) 

 [[RDS.1] RDS snapshot should be private](rds-controls.md#rds-1) 

 [[RDS.2] RDS DB Instances should prohibit public access, as determined by the PubliclyAccessible configuration](rds-controls.md#rds-2) 

 [[RDS.3] RDS DB instances should have encryption at-rest enabled](rds-controls.md#rds-3) 

 [[RDS.4] RDS cluster snapshots and database snapshots should be encrypted at rest](rds-controls.md#rds-4) 

 [[RDS.5] RDS DB instances should be configured with multiple Availability Zones](rds-controls.md#rds-5) 

 [[RDS.6] Enhanced monitoring should be configured for RDS DB instances](rds-controls.md#rds-6) 

 [[RDS.7] RDS clusters should have deletion protection enabled](rds-controls.md#rds-7) 

 [[RDS.8] RDS DB instances should have deletion protection enabled](rds-controls.md#rds-8) 

 [[RDS.9] RDS DB instances should publish logs to CloudWatch Logs](rds-controls.md#rds-9) 

 [[RDS.10] IAM authentication should be configured for RDS instances](rds-controls.md#rds-10) 

 [[RDS.11] RDS instances should have automatic backups enabled](rds-controls.md#rds-11) 

 [[RDS.12] IAM authentication should be configured for RDS clusters](rds-controls.md#rds-12) 

 [[RDS.13] RDS automatic minor version upgrades should be enabled](rds-controls.md#rds-13) 

 [[RDS.14] Amazon Aurora clusters should have backtracking enabled](rds-controls.md#rds-14) 

 [[RDS.15] RDS DB clusters should be configured for multiple Availability Zones](rds-controls.md#rds-15) 

 [[RDS.16] Aurora DB clusters should be configured to copy tags to DB snapshots](rds-controls.md#rds-16) 

 [[RDS.17] RDS DB instances should be configured to copy tags to snapshots](rds-controls.md#rds-17) 

 [[RDS.19] Existing RDS event notification subscriptions should be configured for critical cluster events](rds-controls.md#rds-19) 

 [[RDS.20] Existing RDS event notification subscriptions should be configured for critical database instance events](rds-controls.md#rds-20) 

 [[RDS.21] An RDS event notifications subscription should be configured for critical database parameter group events](rds-controls.md#rds-21) 

 [[RDS.22] An RDS event notifications subscription should be configured for critical database security group events](rds-controls.md#rds-22) 

 [[RDS.23] RDS instances should not use a database engine default port](rds-controls.md#rds-23) 

 [[RDS.24] RDS Database clusters should use a custom administrator username](rds-controls.md#rds-24) 

 [[RDS.25] RDS database instances should use a custom administrator username](rds-controls.md#rds-25) 

 [[RDS.27] RDS DB clusters should be encrypted at rest](rds-controls.md#rds-27) 

 [[RDS.34] Aurora MySQL DB clusters should publish audit logs to CloudWatch Logs](rds-controls.md#rds-34) 

 [[RDS.35] RDS DB clusters should have automatic minor version upgrade enabled](rds-controls.md#rds-35) 

 [[RDS.36] RDS for PostgreSQL DB instances should publish logs to CloudWatch Logs](rds-controls.md#rds-36) 

 [[RDS.37] Aurora PostgreSQL DB clusters should publish logs to CloudWatch Logs](rds-controls.md#rds-37) 

 [[RDS.40] RDS for SQL Server DB instances should publish logs to CloudWatch Logs](rds-controls.md#rds-40) 

 [[RDS.41] RDS for SQL Server DB instances should be encrypted in transit](rds-controls.md#rds-41) 

 [[RDS.42] RDS for MariaDB DB instances should publish logs to CloudWatch Logs](rds-controls.md#rds-42) 

 [[RDS.43] RDS DB proxies should require TLS encryption for connections](rds-controls.md#rds-43) 

 [[RDS.44] RDS for MariaDB DB instances should be encrypted in transit](rds-controls.md#rds-44) 

 [[RDS.45] Aurora MySQL DB clusters should have audit logging enabled](rds-controls.md#rds-45) 

 [[RDS.46] RDS DB instances should not be deployed in public subnets with routes to internet gateways](rds-controls.md#rds-46) 

 [[RDS.47] RDS for PostgreSQL DB clusters should be configured to copy tags to DB snapshots](rds-controls.md#rds-47) 

 [[RDS.48] RDS for MySQL DB clusters should be configured to copy tags to DB snapshots](rds-controls.md#rds-48) 

 [[RDS.50] RDS DB clusters should have enough backup retention period set](rds-controls.md#rds-50) 

 [[Redshift.1] Amazon Redshift clusters should prohibit public access](redshift-controls.md#redshift-1) 

 [[Redshift.2] Connections to Amazon Redshift clusters should be encrypted in transit](redshift-controls.md#redshift-2) 

 [[Redshift.3] Amazon Redshift clusters should have automatic snapshots enabled](redshift-controls.md#redshift-3) 

 [[Redshift.4] Amazon Redshift clusters should have audit logging enabled](redshift-controls.md#redshift-4) 

 [[Redshift.6] Amazon Redshift should have automatic upgrades to major versions enabled](redshift-controls.md#redshift-6) 

 [[Redshift.7] Redshift clusters should use enhanced VPC routing](redshift-controls.md#redshift-7) 

 [[Redshift.8] Amazon Redshift clusters should not use the default Admin username](redshift-controls.md#redshift-8) 

 [[Redshift.10] Redshift clusters should be encrypted at rest](redshift-controls.md#redshift-10) 

 [[Redshift.15] Redshift security groups should allow ingress on the cluster port only from restricted origins](redshift-controls.md#redshift-15) 

 [[Redshift.18] Redshift clusters should have Multi-AZ deployments enabled](redshift-controls.md#redshift-18) 

 [[RedshiftServerless.1] Amazon Redshift Serverless workgroups should use enhanced VPC routing](redshiftserverless-controls.md#redshiftserverless-1) 

 [[RedshiftServerless.2] Connections to Redshift Serverless workgroups should be required to use SSL](redshiftserverless-controls.md#redshiftserverless-2) 

 [[RedshiftServerless.3] Redshift Serverless workgroups should prohibit public access](redshiftserverless-controls.md#redshiftserverless-3) 

 [[RedshiftServerless.5] Redshift Serverless namespaces should not use the default admin username](redshiftserverless-controls.md#redshiftserverless-5) 

 [[RedshiftServerless.6] Redshift Serverless namespaces should export logs to CloudWatch Logs](redshiftserverless-controls.md#redshiftserverless-6) 

 [[S3.1] S3 general purpose buckets should have block public access settings enabled](s3-controls.md#s3-1) 

 [[S3.2] S3 general purpose buckets should block public read access](s3-controls.md#s3-2) 

 [[S3.3] S3 general purpose buckets should block public write access](s3-controls.md#s3-3) 

 [[S3.5] S3 general purpose buckets should require requests to use SSL](s3-controls.md#s3-5) 

 [[S3.6] S3 general purpose bucket policies should restrict access to other Amazon Web Services accounts](s3-controls.md#s3-6) 

 [[S3.8] S3 general purpose buckets should block public access](s3-controls.md#s3-8) 

 [[S3.9] S3 general purpose buckets should have server access logging enabled](s3-controls.md#s3-9) 

 [[S3.12] ACLs should not be used to manage user access to S3 general purpose buckets](s3-controls.md#s3-12) 

 [[S3.13] S3 general purpose buckets should have Lifecycle configurations](s3-controls.md#s3-13) 

 [[S3.19] S3 access points should have block public access settings enabled](s3-controls.md#s3-19) 

 [[S3.24] S3 Multi-Region Access Points should have block public access settings enabled](s3-controls.md#s3-24) 

 [[S3.25] S3 directory buckets should have lifecycle configurations](s3-controls.md#s3-25) 

 [[SageMaker.1] Amazon SageMaker notebook instances should not have direct internet access](sagemaker-controls.md#sagemaker-1) 

 [[SageMaker.2] SageMaker notebook instances should be launched in a custom VPC](sagemaker-controls.md#sagemaker-2) 

 [[SageMaker.3] Users should not have root access to SageMaker notebook instances](sagemaker-controls.md#sagemaker-3) 

 [[SageMaker.4] SageMaker endpoint production variants should have an initial instance count greater than 1](sagemaker-controls.md#sagemaker-4) 

 [[SageMaker.5] SageMaker models should have network isolation enabled](sagemaker-controls.md#sagemaker-5) 

 [[SageMaker.8] SageMaker notebook instances should run on supported platforms](sagemaker-controls.md#sagemaker-8) 

 [[SageMaker.9] SageMaker data quality job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-9) 

 [[SageMaker.10] SageMaker model explainability job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-10) 

 [[SageMaker.11] SageMaker data quality job definitions should have network isolation enabled](sagemaker-controls.md#sagemaker-11) 

 [[SageMaker.12] SageMaker model bias job definitions should have network isolation enabled](sagemaker-controls.md#sagemaker-12) 

 [[SageMaker.13] SageMaker model quality job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-13) 

 [[SageMaker.14] SageMaker monitoring schedules should have network isolation enabled](sagemaker-controls.md#sagemaker-14) 

 [[SageMaker.15] SageMaker model bias job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-15) 

 [[SageMaker.16] SageMaker models should use private registry in VPC for primary containers](sagemaker-controls.md#sagemaker-16) 

 [[SageMaker.17] SageMaker feature group offline stores should be encrypted with Amazon KMS keys](sagemaker-controls.md#sagemaker-17) 

 [[SecretsManager.1] Secrets Manager secrets should have automatic rotation enabled](secretsmanager-controls.md#secretsmanager-1) 

 [[SecretsManager.2] Secrets Manager secrets configured with automatic rotation should rotate successfully](secretsmanager-controls.md#secretsmanager-2) 

 [[SecretsManager.3] Remove unused Secrets Manager secrets](secretsmanager-controls.md#secretsmanager-3) 

 [[SecretsManager.4] Secrets Manager secrets should be rotated within a specified number of days](secretsmanager-controls.md#secretsmanager-4) 

 [[ServiceCatalog.1] Service Catalog portfolios should be shared within an Amazon organization only](servicecatalog-controls.md#servicecatalog-1) 

 [[SES.3] SES configuration sets should have TLS enabled for sending emails](ses-controls.md#ses-3) 

 [[SNS.4] SNS topic access policies should not allow public access](sns-controls.md#sns-4) 

 [[SQS.1] Amazon SQS queues should be encrypted at rest](sqs-controls.md#sqs-1) 

 [[SQS.3] SQS queue access policies should not allow public access](sqs-controls.md#sqs-3) 

 [[SSM.1] Amazon EC2 instances should be managed by Amazon Systems Manager](ssm-controls.md#ssm-1) 

 [[SSM.2] Amazon EC2 instances managed by Systems Manager should have a patch compliance status of COMPLIANT after a patch installation](ssm-controls.md#ssm-2) 

 [[SSM.3] Amazon EC2 instances managed by Systems Manager should have an association compliance status of COMPLIANT](ssm-controls.md#ssm-3) 

 [[SSM.4] SSM documents should not be public](ssm-controls.md#ssm-4) 

 [[SSM.6] SSM Automation should have CloudWatch logging enabled](ssm-controls.md#ssm-6) 

 [[SSM.7] SSM documents should have the block public sharing setting enabled](ssm-controls.md#ssm-7) 

 [[StepFunctions.1] Step Functions state machines should have logging turned on](stepfunctions-controls.md#stepfunctions-1) 

 [[Transfer.2] Transfer Family servers should not use FTP protocol for endpoint connection](transfer-controls.md#transfer-2) 

 [[Transfer.3] Transfer Family connectors should have logging enabled](transfer-controls.md#transfer-3) 

 [[WAF.1] Amazon WAF Classic Global Web ACL logging should be enabled](waf-controls.md#waf-1) 

 [[WAF.2] Amazon WAF Classic Regional rules should have at least one condition](waf-controls.md#waf-2) 

 [[WAF.3] Amazon WAF Classic Regional rule groups should have at least one rule](waf-controls.md#waf-3) 

 [[WAF.4] Amazon WAF Classic Regional web ACLs should have at least one rule or rule group](waf-controls.md#waf-4) 

 [[WAF.6] Amazon WAF Classic global rules should have at least one condition](waf-controls.md#waf-6) 

 [[WAF.7] Amazon WAF Classic global rule groups should have at least one rule](waf-controls.md#waf-7) 

 [[WAF.8] Amazon WAF Classic global web ACLs should have at least one rule or rule group](waf-controls.md#waf-8) 

 [[WAF.10] Amazon WAF web ACLs should have at least one rule or rule group](waf-controls.md#waf-10) 

 [[WAF.12] Amazon WAF rules should have CloudWatch metrics enabled](waf-controls.md#waf-12) 

 [[WorkSpaces.1] WorkSpaces user volumes should be encrypted at rest](workspaces-controls.md#workspaces-1) 

 [[WorkSpaces.2] WorkSpaces root volumes should be encrypted at rest](workspaces-controls.md#workspaces-2) 

# Amazon Resource Tagging standard in Security Hub CSPM

The Amazon Resource Tagging standard, developed by Amazon Security Hub CSPM, helps you determine whether your Amazon resources are missing tags. *Tags* are key‐value pairs that act as metadata for organizing Amazon resources. With most Amazon resources, you have the option of adding tags to a resource when you create the resource or after you create the resource. Examples of resources include Amazon CloudFront distributions, Amazon Elastic Compute Cloud (Amazon EC2) instances, and secrets in Amazon Secrets Manager. Tags can help you manage, identify, organize, search for, and filter Amazon resources.

Each tag has two parts:
+ A tag key—for example, `CostCenter`, `Environment`, or `Project`. Tag keys are case sensitive.
+ A tag value—for example, `111122223333` or `Production`. Like tag keys, tag values are case sensitive.

You can use tags to categorize resources by purpose, owner, environment, or other criteria. For information about adding tags to Amazon resources, see the [Tagging Amazon Resources and Tag Editor User Guide](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html).

For each control that applies to the Amazon Resource Tagging standard in Security Hub CSPM, you can optionally use the supported parameter to specify tag keys that you want the control to check for. If you don't specify any tag keys, the control checks only for the existence of at least one tag key, and fails if a resource doesn't have any tag keys.
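As an added example (not Security Hub CSPM's own code), the following Python models the evaluation rule just described: with no tag keys supplied, a resource passes when it has at least one tag key; with keys supplied, every listed key must be present, and the comparison is case sensitive. The resource class, the ARNs and the tag sets are constructed for illustration.

```python
"""Added example: models the Amazon Resource Tagging control semantics
(constructed data; not Security Hub CSPM code)."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Resource:
    """A minimal stand-in for an Amazon resource as seen by a tagging control."""
    arn: str
    tags: dict[str, str] = field(default_factory=dict)


def evaluate_tagging(
    resource: Resource, required_keys: Optional[list[str]] = None
) -> tuple[str, list[str]]:
    """Apply the tagging-control rule to one resource.

    Returns (compliance_status, missing_keys). With no required keys the
    control only checks that at least one tag key exists. With required keys,
    every key must be present; the check is case sensitive, so a key named
    "environment" does not satisfy a required key of "Environment".
    """
    if not required_keys:
        return ("PASSED" if resource.tags else "FAILED", [])
    missing = [key for key in required_keys if key not in resource.tags]
    return ("FAILED" if missing else "PASSED", missing)


def run_checks(
    resources: list[Resource], required_keys: Optional[list[str]] = None
) -> list[dict]:
    """Evaluate a batch of resources and return one finding-like record each."""
    findings = []
    for resource in resources:
        status, missing = evaluate_tagging(resource, required_keys)
        findings.append(
            {"resource": resource.arn, "status": status, "missing_keys": missing}
        )
    return findings


# Constructed sample resources with hypothetical ARNs (not real resources).
SAMPLE_RESOURCES = [
    Resource(
        "arn:aws-cn:ec2:cn-north-1:111122223333:instance/i-0example0001",
        {"Environment": "Production", "CostCenter": "111122223333"},
    ),
    Resource(
        "arn:aws-cn:ec2:cn-north-1:111122223333:instance/i-0example0002",
        {"environment": "Production"},  # key present, but in the wrong case
    ),
    Resource(
        "arn:aws-cn:secretsmanager:cn-north-1:111122223333:secret:example-secret",
        {},  # no tags at all: fails even without a parameter
    ),
]


if __name__ == "__main__":
    # Without the parameter: only the untagged secret fails.
    for finding in run_checks(SAMPLE_RESOURCES):
        print("default", finding)
    # With required keys: the wrong-case instance also fails.
    for finding in run_checks(SAMPLE_RESOURCES, ["Environment", "CostCenter"]):
        print("parameterized", finding)
```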

Before you enable the Amazon Resource Tagging standard, it's important to enable and configure resource recording in Amazon Config. When you configure resource recording, also be sure to enable it for all the types of Amazon resources that are checked by controls that apply to the standard. Otherwise, Security Hub CSPM might not be able to evaluate the appropriate resources, and generate accurate findings for controls that apply to the standard. For more information, including a list of the types of resources to record, see [Required Amazon Config resources for control findings](controls-config-resources.md).

After you enable the Amazon Resource Tagging standard, you begin receiving findings for controls that apply to the standard. Note that it can take up to 18 hours for Security Hub CSPM to generate findings for controls that use the same Amazon Config service-linked rule as controls that apply to other enabled standards. For more information, see [Schedule for running security checks](securityhub-standards-schedule.md).

The Amazon Resource Tagging standard has the following Amazon Resource Name (ARN): `arn:aws-cn:securityhub:region::standards/aws-resource-tagging-standard/v/1.0.0`, where *region* is the Region code for the applicable Amazon Web Services Region. You can also use the [GetEnabledStandards](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_GetEnabledStandards.html) operation of the Security Hub CSPM API to retrieve the ARN of a standard that's currently enabled.

**Note**  
The [Amazon Resource Tagging standard](#standards-tagging) isn't available in the Asia Pacific (New Zealand) and Asia Pacific (Taipei) Regions.

## Controls that apply to the standard

The following list specifies which Amazon Security Hub CSPM controls apply to the Amazon Resource Tagging standard (v1.0.0). To review the details of a control, choose the control.
+ [[ACM.3] ACM certificates should be tagged](acm-controls.md#acm-3)
+ [[Amplify.1] Amplify apps should be tagged](amplify-controls.md#amplify-1)
+ [[Amplify.2] Amplify branches should be tagged](amplify-controls.md#amplify-2)
+ [[AppConfig.1] Amazon AppConfig applications should be tagged](appconfig-controls.md#appconfig-1)
+ [[AppConfig.2] Amazon AppConfig configuration profiles should be tagged](appconfig-controls.md#appconfig-2)
+ [[AppConfig.3] Amazon AppConfig environments should be tagged](appconfig-controls.md#appconfig-3)
+ [[AppConfig.4] Amazon AppConfig extension associations should be tagged](appconfig-controls.md#appconfig-4)
+ [[AppFlow.1] Amazon AppFlow flows should be tagged](appflow-controls.md#appflow-1)
+ [[AppRunner.1] App Runner services should be tagged](apprunner-controls.md#apprunner-1)
+ [[AppRunner.2] App Runner VPC connectors should be tagged](apprunner-controls.md#apprunner-2)
+ [[AppSync.4] Amazon AppSync GraphQL APIs should be tagged](appsync-controls.md#appsync-4)
+ [[Athena.2] Athena data catalogs should be tagged](athena-controls.md#athena-2)
+ [[Athena.3] Athena workgroups should be tagged](athena-controls.md#athena-3)
+ [[AutoScaling.10] EC2 Auto Scaling groups should be tagged](autoscaling-controls.md#autoscaling-10)
+ [[Backup.2] Amazon Backup recovery points should be tagged](backup-controls.md#backup-2)
+ [[Backup.3] Amazon Backup vaults should be tagged](backup-controls.md#backup-3)
+ [[Backup.4] Amazon Backup report plans should be tagged](backup-controls.md#backup-4)
+ [[Backup.5] Amazon Backup backup plans should be tagged](backup-controls.md#backup-5)
+ [[Batch.1] Batch job queues should be tagged](batch-controls.md#batch-1)
+ [[Batch.2] Batch scheduling policies should be tagged](batch-controls.md#batch-2)
+ [[Batch.3] Batch compute environments should be tagged](batch-controls.md#batch-3)
+ [[Batch.4] Compute resources properties in managed Batch compute environments should be tagged](batch-controls.md#batch-4)
+ [[CloudFormation.2] CloudFormation stacks should be tagged](cloudformation-controls.md#cloudformation-2)
+ [[CloudFront.14] CloudFront distributions should be tagged](cloudfront-controls.md#cloudfront-14)
+ [[CloudTrail.9] CloudTrail trails should be tagged](cloudtrail-controls.md#cloudtrail-9)
+ [[CodeArtifact.1] CodeArtifact repositories should be tagged](codeartifact-controls.md#codeartifact-1)
+ [[CodeGuruProfiler.1] CodeGuru Profiler profiling groups should be tagged](codeguruprofiler-controls.md#codeguruprofiler-1)
+ [[CodeGuruReviewer.1] CodeGuru Reviewer repository associations should be tagged](codegurureviewer-controls.md#codegurureviewer-1)
+ [[Connect.1] Amazon Connect Customer Profiles object types should be tagged](connect-controls.md#connect-1)
+ [[DataSync.2] DataSync tasks should be tagged](datasync-controls.md#datasync-2)
+ [[Detective.1] Detective behavior graphs should be tagged](detective-controls.md#detective-1)
+ [[DMS.2] DMS certificates should be tagged](dms-controls.md#dms-2)
+ [[DMS.3] DMS event subscriptions should be tagged](dms-controls.md#dms-3)
+ [[DMS.4] DMS replication instances should be tagged](dms-controls.md#dms-4)
+ [[DMS.5] DMS replication subnet groups should be tagged](dms-controls.md#dms-5)
+ [[DynamoDB.5] DynamoDB tables should be tagged](dynamodb-controls.md#dynamodb-5)
+ [[EC2.33] EC2 transit gateway attachments should be tagged](ec2-controls.md#ec2-33)
+ [[EC2.34] EC2 transit gateway route tables should be tagged](ec2-controls.md#ec2-34)
+ [[EC2.35] EC2 network interfaces should be tagged](ec2-controls.md#ec2-35)
+ [[EC2.36] EC2 customer gateways should be tagged](ec2-controls.md#ec2-36)
+ [[EC2.37] EC2 Elastic IP addresses should be tagged](ec2-controls.md#ec2-37)
+ [[EC2.38] EC2 instances should be tagged](ec2-controls.md#ec2-38)
+ [[EC2.39] EC2 internet gateways should be tagged](ec2-controls.md#ec2-39)
+ [[EC2.40] EC2 NAT gateways should be tagged](ec2-controls.md#ec2-40)
+ [[EC2.41] EC2 network ACLs should be tagged](ec2-controls.md#ec2-41)
+ [[EC2.42] EC2 route tables should be tagged](ec2-controls.md#ec2-42)
+ [[EC2.43] EC2 security groups should be tagged](ec2-controls.md#ec2-43)
+ [[EC2.44] EC2 subnets should be tagged](ec2-controls.md#ec2-44)
+ [[EC2.45] EC2 volumes should be tagged](ec2-controls.md#ec2-45)
+ [[EC2.46] Amazon VPCs should be tagged](ec2-controls.md#ec2-46)
+ [[EC2.47] Amazon VPC endpoint services should be tagged](ec2-controls.md#ec2-47)
+ [[EC2.48] Amazon VPC flow logs should be tagged](ec2-controls.md#ec2-48)
+ [[EC2.49] Amazon VPC peering connections should be tagged](ec2-controls.md#ec2-49)
+ [[EC2.50] EC2 VPN gateways should be tagged](ec2-controls.md#ec2-50)
+ [[EC2.52] EC2 transit gateways should be tagged](ec2-controls.md#ec2-52)
+ [[EC2.174] EC2 DHCP option sets should be tagged](ec2-controls.md#ec2-174)
+ [[EC2.175] EC2 launch templates should be tagged](ec2-controls.md#ec2-175)
+ [[EC2.176] EC2 prefix lists should be tagged](ec2-controls.md#ec2-176)
+ [[EC2.177] EC2 traffic mirror sessions should be tagged](ec2-controls.md#ec2-177)
+ [[EC2.178] EC2 traffic mirror filters should be tagged](ec2-controls.md#ec2-178)
+ [[EC2.179] EC2 traffic mirror targets should be tagged](ec2-controls.md#ec2-179)
+ [[ECR.4] ECR public repositories should be tagged](ecr-controls.md#ecr-4)
+ [[ECS.13] ECS services should be tagged](ecs-controls.md#ecs-13)
+ [[ECS.14] ECS clusters should be tagged](ecs-controls.md#ecs-14)
+ [[ECS.15] ECS task definitions should be tagged](ecs-controls.md#ecs-15)
+ [[EFS.5] EFS access points should be tagged](efs-controls.md#efs-5)
+ [[EKS.6] EKS clusters should be tagged](eks-controls.md#eks-6)
+ [[EKS.7] EKS identity provider configurations should be tagged](eks-controls.md#eks-7)
+ [[ES.9] Elasticsearch domains should be tagged](es-controls.md#es-9)
+ [[EventBridge.2] EventBridge event buses should be tagged](eventbridge-controls.md#eventbridge-2)
+ [[FraudDetector.1] Amazon Fraud Detector entity types should be tagged](frauddetector-controls.md#frauddetector-1)
+ [[FraudDetector.2] Amazon Fraud Detector labels should be tagged](frauddetector-controls.md#frauddetector-2)
+ [[FraudDetector.3] Amazon Fraud Detector outcomes should be tagged](frauddetector-controls.md#frauddetector-3)
+ [[FraudDetector.4] Amazon Fraud Detector variables should be tagged](frauddetector-controls.md#frauddetector-4)
+ [[GlobalAccelerator.1] Global Accelerator accelerators should be tagged](globalaccelerator-controls.md#globalaccelerator-1)
+ [[Glue.1] Amazon Glue jobs should be tagged](glue-controls.md#glue-1)
+ [[GuardDuty.2] GuardDuty filters should be tagged](guardduty-controls.md#guardduty-2)
+ [[GuardDuty.3] GuardDuty IPSets should be tagged](guardduty-controls.md#guardduty-3)
+ [[GuardDuty.4] GuardDuty detectors should be tagged](guardduty-controls.md#guardduty-4)
+ [[IAM.23] IAM Access Analyzer analyzers should be tagged](iam-controls.md#iam-23)
+ [[IAM.24] IAM roles should be tagged](iam-controls.md#iam-24)
+ [[IAM.25] IAM users should be tagged](iam-controls.md#iam-25)
+ [[IoT.1] Amazon IoT Device Defender security profiles should be tagged](iot-controls.md#iot-1)
+ [[IoT.2] Amazon IoT Core mitigation actions should be tagged](iot-controls.md#iot-2)
+ [[IoT.3] Amazon IoT Core dimensions should be tagged](iot-controls.md#iot-3)
+ [[IoT.4] Amazon IoT Core authorizers should be tagged](iot-controls.md#iot-4)
+ [[IoT.5] Amazon IoT Core role aliases should be tagged](iot-controls.md#iot-5)
+ [[IoT.6] Amazon IoT Core policies should be tagged](iot-controls.md#iot-6)
+ [[IoTEvents.1] Amazon IoT Events inputs should be tagged](iotevents-controls.md#iotevents-1)
+ [[IoTEvents.2] Amazon IoT Events detector models should be tagged](iotevents-controls.md#iotevents-2)
+ [[IoTEvents.3] Amazon IoT Events alarm models should be tagged](iotevents-controls.md#iotevents-3)
+ [[IoTSiteWise.1] Amazon IoT SiteWise asset models should be tagged](iotsitewise-controls.md#iotsitewise-1)
+ [[IoTSiteWise.2] Amazon IoT SiteWise dashboards should be tagged](iotsitewise-controls.md#iotsitewise-2)
+ [[IoTSiteWise.3] Amazon IoT SiteWise gateways should be tagged](iotsitewise-controls.md#iotsitewise-3)
+ [[IoTSiteWise.4] Amazon IoT SiteWise portals should be tagged](iotsitewise-controls.md#iotsitewise-4)
+ [[IoTSiteWise.5] Amazon IoT SiteWise projects should be tagged](iotsitewise-controls.md#iotsitewise-5)
+ [[IoTTwinMaker.1] Amazon IoT TwinMaker sync jobs should be tagged](iottwinmaker-controls.md#iottwinmaker-1)
+ [[IoTTwinMaker.2] Amazon IoT TwinMaker workspaces should be tagged](iottwinmaker-controls.md#iottwinmaker-2)
+ [[IoTTwinMaker.3] Amazon IoT TwinMaker scenes should be tagged](iottwinmaker-controls.md#iottwinmaker-3)
+ [[IoTTwinMaker.4] Amazon IoT TwinMaker entities should be tagged](iottwinmaker-controls.md#iottwinmaker-4)
+ [[IoTWireless.1] Amazon IoT Wireless multicast groups should be tagged](iotwireless-controls.md#iotwireless-1)
+ [[IoTWireless.2] Amazon IoT Wireless service profiles should be tagged](iotwireless-controls.md#iotwireless-2)
+ [[IoTWireless.3] Amazon IoT FUOTA tasks should be tagged](iotwireless-controls.md#iotwireless-3)
+ [[IVS.1] IVS playback key pairs should be tagged](ivs-controls.md#ivs-1)
+ [[IVS.2] IVS recording configurations should be tagged](ivs-controls.md#ivs-2)
+ [[IVS.3] IVS channels should be tagged](ivs-controls.md#ivs-3)
+ [[Keyspaces.1] Amazon Keyspaces keyspaces should be tagged](keyspaces-controls.md#keyspaces-1)
+ [[Kinesis.2] Kinesis streams should be tagged](kinesis-controls.md#kinesis-2)
+ [[Lambda.6] Lambda functions should be tagged](lambda-controls.md#lambda-6)
+ [[MQ.4] Amazon MQ brokers should be tagged](mq-controls.md#mq-4)
+ [[NetworkFirewall.7] Network Firewall firewalls should be tagged](networkfirewall-controls.md#networkfirewall-7)
+ [[NetworkFirewall.8] Network Firewall firewall policies should be tagged](networkfirewall-controls.md#networkfirewall-8)
+ [[Opensearch.9] OpenSearch domains should be tagged](opensearch-controls.md#opensearch-9)
+ [[PCA.2] Amazon Private CA certificate authorities should be tagged](pca-controls.md#pca-2)
+ [[RDS.28] RDS DB clusters should be tagged](rds-controls.md#rds-28)
+ [[RDS.29] RDS DB cluster snapshots should be tagged](rds-controls.md#rds-29)
+ [[RDS.30] RDS DB instances should be tagged](rds-controls.md#rds-30)
+ [[RDS.31] RDS DB security groups should be tagged](rds-controls.md#rds-31)
+ [[RDS.32] RDS DB snapshots should be tagged](rds-controls.md#rds-32)
+ [[RDS.33] RDS DB subnet groups should be tagged](rds-controls.md#rds-33)
+ [[Redshift.11] Redshift clusters should be tagged](redshift-controls.md#redshift-11)
+ [[Redshift.12] Redshift event notification subscriptions should be tagged](redshift-controls.md#redshift-12)
+ [[Redshift.13] Redshift cluster snapshots should be tagged](redshift-controls.md#redshift-13)
+ [[Redshift.14] Redshift cluster subnet groups should be tagged](redshift-controls.md#redshift-14)
+ [[Redshift.17] Redshift cluster parameter groups should be tagged](redshift-controls.md#redshift-17)
+ [[Route53.1] Route 53 health checks should be tagged](route53-controls.md#route53-1)
+ [[SageMaker.6] SageMaker app image configurations should be tagged](sagemaker-controls.md#sagemaker-6)
+ [[SageMaker.7] SageMaker images should be tagged](sagemaker-controls.md#sagemaker-7)
+ [[SecretsManager.5] Secrets Manager secrets should be tagged](secretsmanager-controls.md#secretsmanager-5)
+ [[SES.1] SES contact lists should be tagged](ses-controls.md#ses-1)
+ [[SES.2] SES configuration sets should be tagged](ses-controls.md#ses-2)
+ [[SNS.3] SNS topics should be tagged](sns-controls.md#sns-3)
+ [[SQS.2] SQS queues should be tagged](sqs-controls.md#sqs-2)
+ [[SSM.5] SSM documents should be tagged](ssm-controls.md#ssm-5)
+ [[StepFunctions.2] Step Functions activities should be tagged](stepfunctions-controls.md#stepfunctions-2)
+ [[Transfer.1] Amazon Transfer Family workflows should be tagged](transfer-controls.md#transfer-1)
+ [[Transfer.4] Transfer Family agreements should be tagged](transfer-controls.md#transfer-4)
+ [[Transfer.5] Transfer Family certificates should be tagged](transfer-controls.md#transfer-5)
+ [[Transfer.6] Transfer Family connectors should be tagged](transfer-controls.md#transfer-6)
+ [[Transfer.7] Transfer Family profiles should be tagged](transfer-controls.md#transfer-7)

# CIS Amazon Foundations Benchmark in Security Hub CSPM

The Center for Internet Security (CIS) Amazon Foundations Benchmark serves as a set of security configuration best practices for Amazon. These industry-accepted best practices provide you with clear, step-by-step implementation and assessment procedures. Ranging from operating systems to cloud services and network devices, the controls in this benchmark help you protect the specific systems that your organization uses. 

Amazon Security Hub CSPM supports CIS Amazon Foundations Benchmark versions 5.0.0, 3.0.0, 1.4.0, and 1.2.0. This page lists the security controls that each version supports. It also provides a comparison of the versions.

## CIS Amazon Foundations Benchmark version 5.0.0


Security Hub CSPM supports version 5.0.0 (v5.0.0) of the CIS Amazon Foundations Benchmark. Security Hub CSPM has satisfied the requirements of CIS Security Software Certification and has been awarded CIS Security Software Certification for the following CIS Benchmarks: 
+ CIS Benchmark for CIS Amazon Foundations Benchmark, v5.0.0, Level 1
+ CIS Benchmark for CIS Amazon Foundations Benchmark, v5.0.0, Level 2

### Controls that apply to CIS Amazon Foundations Benchmark version 5.0.0


[[Account.1] Security contact information should be provided for an Amazon Web Services account](account-controls.md#account-1)

[[CloudTrail.1] CloudTrail should be enabled and configured with at least one multi-Region trail that includes read and write management events](cloudtrail-controls.md#cloudtrail-1)

[[CloudTrail.2] CloudTrail should have encryption at-rest enabled](cloudtrail-controls.md#cloudtrail-2)

[[CloudTrail.4] CloudTrail log file validation should be enabled](cloudtrail-controls.md#cloudtrail-4)

[[CloudTrail.7] Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket](cloudtrail-controls.md#cloudtrail-7)

[[Config.1] Amazon Config should be enabled and use the service-linked role for resource recording](config-controls.md#config-1)

[[EC2.2] VPC default security groups should not allow inbound or outbound traffic](ec2-controls.md#ec2-2)

[[EC2.6] VPC flow logging should be enabled in all VPCs](ec2-controls.md#ec2-6)

[[EC2.7] EBS default encryption should be enabled](ec2-controls.md#ec2-7)

[[EC2.8] EC2 instances should use Instance Metadata Service Version 2 (IMDSv2)](ec2-controls.md#ec2-8)

[[EC2.21] Network ACLs should not allow ingress from 0.0.0.0/0 to port 22 or port 3389](ec2-controls.md#ec2-21)

[[EC2.53] EC2 security groups should not allow ingress from 0.0.0.0/0 to remote server administration ports](ec2-controls.md#ec2-53)

[[EC2.54] EC2 security groups should not allow ingress from ::/0 to remote server administration ports](ec2-controls.md#ec2-54)

[[EFS.1] Elastic File System should be configured to encrypt file data at-rest using Amazon KMS](efs-controls.md#efs-1)

[[EFS.8] EFS file systems should be encrypted at rest](efs-controls.md#efs-8)

[[IAM.2] IAM users should not have IAM policies attached](iam-controls.md#iam-2)

[[IAM.3] IAM users' access keys should be rotated every 90 days or less](iam-controls.md#iam-3)

[[IAM.4] IAM root user access key should not exist](iam-controls.md#iam-4)

[[IAM.5] MFA should be enabled for all IAM users that have a console password](iam-controls.md#iam-5)

[[IAM.6] Hardware MFA should be enabled for the root user](iam-controls.md#iam-6)

[[IAM.9] MFA should be enabled for the root user](iam-controls.md#iam-9)

[[IAM.15] Ensure IAM password policy requires minimum password length of 14 or greater](iam-controls.md#iam-15)

[[IAM.16] Ensure IAM password policy prevents password reuse](iam-controls.md#iam-16)

[[IAM.18] Ensure a support role has been created to manage incidents with Amazon Web Services Support](iam-controls.md#iam-18)

[[IAM.22] IAM user credentials unused for 45 days should be removed](iam-controls.md#iam-22)

[[IAM.26] Expired SSL/TLS certificates managed in IAM should be removed](iam-controls.md#iam-26)

[[IAM.27] IAM identities should not have the AWSCloudShellFullAccess policy attached](iam-controls.md#iam-27)

[[IAM.28] IAM Access Analyzer external access analyzer should be enabled](iam-controls.md#iam-28)

[[KMS.4] Amazon KMS key rotation should be enabled](kms-controls.md#kms-4)

[[RDS.2] RDS DB Instances should prohibit public access, as determined by the PubliclyAccessible configuration](rds-controls.md#rds-2)

[[RDS.3] RDS DB instances should have encryption at-rest enabled](rds-controls.md#rds-3)

[[RDS.5] RDS DB instances should be configured with multiple Availability Zones](rds-controls.md#rds-5)

[[RDS.13] RDS automatic minor version upgrades should be enabled](rds-controls.md#rds-13)

[[RDS.15] RDS DB clusters should be configured for multiple Availability Zones](rds-controls.md#rds-15)

[[S3.1] S3 general purpose buckets should have block public access settings enabled](s3-controls.md#s3-1)

[[S3.5] S3 general purpose buckets should require requests to use SSL](s3-controls.md#s3-5)

[[S3.8] S3 general purpose buckets should block public access](s3-controls.md#s3-8)

[[S3.20] S3 general purpose buckets should have MFA delete enabled](s3-controls.md#s3-20)

[[S3.22] S3 general purpose buckets should log object-level write events](s3-controls.md#s3-22)

[[S3.23] S3 general purpose buckets should log object-level read events](s3-controls.md#s3-23)

## CIS Amazon Foundations Benchmark version 3.0.0


Security Hub CSPM supports version 3.0.0 (v3.0.0) of the CIS Amazon Foundations Benchmark. Security Hub CSPM has satisfied the requirements of CIS Security Software Certification and has been awarded CIS Security Software Certification for the following CIS Benchmarks: 
+ CIS Benchmark for CIS Amazon Foundations Benchmark, v3.0.0, Level 1
+ CIS Benchmark for CIS Amazon Foundations Benchmark, v3.0.0, Level 2

### Controls that apply to CIS Amazon Foundations Benchmark version 3.0.0


[[Account.1] Security contact information should be provided for an Amazon Web Services account](account-controls.md#account-1)

[[CloudTrail.1] CloudTrail should be enabled and configured with at least one multi-Region trail that includes read and write management events](cloudtrail-controls.md#cloudtrail-1)

[[CloudTrail.2] CloudTrail should have encryption at-rest enabled](cloudtrail-controls.md#cloudtrail-2)

[[CloudTrail.4] CloudTrail log file validation should be enabled](cloudtrail-controls.md#cloudtrail-4)

[[CloudTrail.7] Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket](cloudtrail-controls.md#cloudtrail-7)

[[Config.1] Amazon Config should be enabled and use the service-linked role for resource recording](config-controls.md#config-1)

[[EC2.2] VPC default security groups should not allow inbound or outbound traffic](ec2-controls.md#ec2-2)

[[EC2.6] VPC flow logging should be enabled in all VPCs](ec2-controls.md#ec2-6)

[[EC2.7] EBS default encryption should be enabled](ec2-controls.md#ec2-7)

[[EC2.8] EC2 instances should use Instance Metadata Service Version 2 (IMDSv2)](ec2-controls.md#ec2-8)

[[EC2.21] Network ACLs should not allow ingress from 0.0.0.0/0 to port 22 or port 3389](ec2-controls.md#ec2-21)

[[EC2.53] EC2 security groups should not allow ingress from 0.0.0.0/0 to remote server administration ports](ec2-controls.md#ec2-53)

[[EC2.54] EC2 security groups should not allow ingress from ::/0 to remote server administration ports](ec2-controls.md#ec2-54)

[[EFS.1] Elastic File System should be configured to encrypt file data at-rest using Amazon KMS](efs-controls.md#efs-1)

[[IAM.2] IAM users should not have IAM policies attached](iam-controls.md#iam-2)

[[IAM.3] IAM users' access keys should be rotated every 90 days or less](iam-controls.md#iam-3)

[[IAM.4] IAM root user access key should not exist](iam-controls.md#iam-4)

[[IAM.5] MFA should be enabled for all IAM users that have a console password](iam-controls.md#iam-5)

[[IAM.6] Hardware MFA should be enabled for the root user](iam-controls.md#iam-6)

[[IAM.9] MFA should be enabled for the root user](iam-controls.md#iam-9)

[[IAM.15] Ensure IAM password policy requires minimum password length of 14 or greater](iam-controls.md#iam-15)

[[IAM.16] Ensure IAM password policy prevents password reuse](iam-controls.md#iam-16)

[[IAM.18] Ensure a support role has been created to manage incidents with Amazon Web Services Support](iam-controls.md#iam-18)

[[IAM.22] IAM user credentials unused for 45 days should be removed](iam-controls.md#iam-22)

[[IAM.26] Expired SSL/TLS certificates managed in IAM should be removed](iam-controls.md#iam-26)

[[IAM.27] IAM identities should not have the AWSCloudShellFullAccess policy attached](iam-controls.md#iam-27)

[[IAM.28] IAM Access Analyzer external access analyzer should be enabled](iam-controls.md#iam-28)

[[KMS.4] Amazon KMS key rotation should be enabled](kms-controls.md#kms-4)

[[RDS.2] RDS DB Instances should prohibit public access, as determined by the PubliclyAccessible configuration](rds-controls.md#rds-2)

[[RDS.3] RDS DB instances should have encryption at-rest enabled](rds-controls.md#rds-3)

[[RDS.13] RDS automatic minor version upgrades should be enabled](rds-controls.md#rds-13)

[[S3.1] S3 general purpose buckets should have block public access settings enabled](s3-controls.md#s3-1)

[[S3.5] S3 general purpose buckets should require requests to use SSL](s3-controls.md#s3-5)

[[S3.8] S3 general purpose buckets should block public access](s3-controls.md#s3-8)

[[S3.20] S3 general purpose buckets should have MFA delete enabled](s3-controls.md#s3-20)

[[S3.22] S3 general purpose buckets should log object-level write events](s3-controls.md#s3-22)

[[S3.23] S3 general purpose buckets should log object-level read events](s3-controls.md#s3-23)

## CIS Amazon Foundations Benchmark version 1.4.0


Security Hub CSPM supports version 1.4.0 (v1.4.0) of the CIS Amazon Foundations Benchmark.

### Controls that apply to CIS Amazon Foundations Benchmark version 1.4.0


 [[CloudTrail.1] CloudTrail should be enabled and configured with at least one multi-Region trail that includes read and write management events](cloudtrail-controls.md#cloudtrail-1) 

 [[CloudTrail.2] CloudTrail should have encryption at-rest enabled](cloudtrail-controls.md#cloudtrail-2) 

 [[CloudTrail.4] CloudTrail log file validation should be enabled](cloudtrail-controls.md#cloudtrail-4) 

 [[CloudTrail.5] CloudTrail trails should be integrated with Amazon CloudWatch Logs](cloudtrail-controls.md#cloudtrail-5) 

 [[CloudTrail.6] Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible](cloudtrail-controls.md#cloudtrail-6) 

 [[CloudTrail.7] Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket](cloudtrail-controls.md#cloudtrail-7) 

 [[CloudWatch.1] A log metric filter and alarm should exist for usage of the "root" user](cloudwatch-controls.md#cloudwatch-1) 

 [[CloudWatch.4] Ensure a log metric filter and alarm exist for IAM policy changes](cloudwatch-controls.md#cloudwatch-4) 

 [[CloudWatch.5] Ensure a log metric filter and alarm exist for CloudTrail configuration changes](cloudwatch-controls.md#cloudwatch-5) 

 [[CloudWatch.6] Ensure a log metric filter and alarm exist for Amazon Web Services Management Console authentication failures](cloudwatch-controls.md#cloudwatch-6) 

 [[CloudWatch.7] Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer managed keys](cloudwatch-controls.md#cloudwatch-7) 

 [[CloudWatch.8] Ensure a log metric filter and alarm exist for S3 bucket policy changes](cloudwatch-controls.md#cloudwatch-8) 

 [[CloudWatch.9] Ensure a log metric filter and alarm exist for Amazon Config configuration changes](cloudwatch-controls.md#cloudwatch-9) 

 [[CloudWatch.10] Ensure a log metric filter and alarm exist for security group changes](cloudwatch-controls.md#cloudwatch-10) 

 [[CloudWatch.11] Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)](cloudwatch-controls.md#cloudwatch-11) 

 [[CloudWatch.12] Ensure a log metric filter and alarm exist for changes to network gateways](cloudwatch-controls.md#cloudwatch-12) 

 [[CloudWatch.13] Ensure a log metric filter and alarm exist for route table changes](cloudwatch-controls.md#cloudwatch-13) 

 [[CloudWatch.14] Ensure a log metric filter and alarm exist for VPC changes](cloudwatch-controls.md#cloudwatch-14) 

 [[Config.1] Amazon Config should be enabled and use the service-linked role for resource recording](config-controls.md#config-1) 

 [[EC2.2] VPC default security groups should not allow inbound or outbound traffic](ec2-controls.md#ec2-2) 

 [[EC2.6] VPC flow logging should be enabled in all VPCs](ec2-controls.md#ec2-6) 

 [[EC2.7] EBS default encryption should be enabled](ec2-controls.md#ec2-7) 

 [[EC2.21] Network ACLs should not allow ingress from 0.0.0.0/0 to port 22 or port 3389](ec2-controls.md#ec2-21) 

 [[IAM.1] IAM policies should not allow full "*" administrative privileges](iam-controls.md#iam-1) 

 [[IAM.3] IAM users' access keys should be rotated every 90 days or less](iam-controls.md#iam-3) 

 [[IAM.4] IAM root user access key should not exist](iam-controls.md#iam-4) 

 [[IAM.5] MFA should be enabled for all IAM users that have a console password](iam-controls.md#iam-5) 

 [[IAM.6] Hardware MFA should be enabled for the root user](iam-controls.md#iam-6) 

 [[IAM.9] MFA should be enabled for the root user](iam-controls.md#iam-9) 

 [[IAM.15] Ensure IAM password policy requires minimum password length of 14 or greater](iam-controls.md#iam-15) 

 [[IAM.16] Ensure IAM password policy prevents password reuse](iam-controls.md#iam-16) 

 [[IAM.18] Ensure a support role has been created to manage incidents with Amazon Web Services Support](iam-controls.md#iam-18) 

 [[IAM.22] IAM user credentials unused for 45 days should be removed](iam-controls.md#iam-22) 

 [[KMS.4] Amazon KMS key rotation should be enabled](kms-controls.md#kms-4) 

 [[RDS.3] RDS DB instances should have encryption at-rest enabled](rds-controls.md#rds-3) 

 [[S3.1] S3 general purpose buckets should have block public access settings enabled](s3-controls.md#s3-1) 

 [[S3.5] S3 general purpose buckets should require requests to use SSL](s3-controls.md#s3-5) 

 [[S3.8] S3 general purpose buckets should block public access](s3-controls.md#s3-8) 

 [[S3.20] S3 general purpose buckets should have MFA delete enabled](s3-controls.md#s3-20) 

## CIS Amazon Foundations Benchmark version 1.2.0

Security Hub CSPM supports version 1.2.0 (v1.2.0) of the CIS Amazon Foundations Benchmark. Security Hub CSPM has satisfied the requirements of CIS Security Software Certification and has been awarded CIS Security Software Certification for the following CIS Benchmarks: 
+ CIS Benchmark for CIS Amazon Foundations Benchmark, v1.2.0, Level 1
+ CIS Benchmark for CIS Amazon Foundations Benchmark, v1.2.0, Level 2

### Controls that apply to CIS Amazon Foundations Benchmark version 1.2.0


 [[CloudTrail.1] CloudTrail should be enabled and configured with at least one multi-Region trail that includes read and write management events](cloudtrail-controls.md#cloudtrail-1) 

 [[CloudTrail.2] CloudTrail should have encryption at-rest enabled](cloudtrail-controls.md#cloudtrail-2) 

 [[CloudTrail.4] CloudTrail log file validation should be enabled](cloudtrail-controls.md#cloudtrail-4) 

 [[CloudTrail.5] CloudTrail trails should be integrated with Amazon CloudWatch Logs](cloudtrail-controls.md#cloudtrail-5) 

 [[CloudTrail.6] Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible](cloudtrail-controls.md#cloudtrail-6) 

 [[CloudTrail.7] Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket](cloudtrail-controls.md#cloudtrail-7) 

 [[CloudWatch.1] A log metric filter and alarm should exist for usage of the "root" user](cloudwatch-controls.md#cloudwatch-1) 

 [[CloudWatch.2] Ensure a log metric filter and alarm exist for unauthorized API calls](cloudwatch-controls.md#cloudwatch-2) 

 [[CloudWatch.3] Ensure a log metric filter and alarm exist for Management Console sign-in without MFA](cloudwatch-controls.md#cloudwatch-3) 

 [[CloudWatch.4] Ensure a log metric filter and alarm exist for IAM policy changes](cloudwatch-controls.md#cloudwatch-4) 

 [[CloudWatch.5] Ensure a log metric filter and alarm exist for CloudTrail configuration changes](cloudwatch-controls.md#cloudwatch-5) 

 [[CloudWatch.6] Ensure a log metric filter and alarm exist for Amazon Web Services Management Console authentication failures](cloudwatch-controls.md#cloudwatch-6) 

 [[CloudWatch.7] Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer managed keys](cloudwatch-controls.md#cloudwatch-7) 

 [[CloudWatch.8] Ensure a log metric filter and alarm exist for S3 bucket policy changes](cloudwatch-controls.md#cloudwatch-8) 

 [[CloudWatch.9] Ensure a log metric filter and alarm exist for Amazon Config configuration changes](cloudwatch-controls.md#cloudwatch-9) 

 [[CloudWatch.10] Ensure a log metric filter and alarm exist for security group changes](cloudwatch-controls.md#cloudwatch-10) 

 [[CloudWatch.11] Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)](cloudwatch-controls.md#cloudwatch-11) 

 [[CloudWatch.12] Ensure a log metric filter and alarm exist for changes to network gateways](cloudwatch-controls.md#cloudwatch-12) 

 [[CloudWatch.13] Ensure a log metric filter and alarm exist for route table changes](cloudwatch-controls.md#cloudwatch-13) 

 [[CloudWatch.14] Ensure a log metric filter and alarm exist for VPC changes](cloudwatch-controls.md#cloudwatch-14) 

 [[Config.1] Amazon Config should be enabled and use the service-linked role for resource recording](config-controls.md#config-1) 

 [[EC2.2] VPC default security groups should not allow inbound or outbound traffic](ec2-controls.md#ec2-2) 

 [[EC2.6] VPC flow logging should be enabled in all VPCs](ec2-controls.md#ec2-6) 

 [[EC2.13] Security groups should not allow ingress from 0.0.0.0/0 or ::/0 to port 22](ec2-controls.md#ec2-13) 

 [[EC2.14] Security groups should not allow ingress from 0.0.0.0/0 or ::/0 to port 3389](ec2-controls.md#ec2-14) 

 [[IAM.1] IAM policies should not allow full "*" administrative privileges](iam-controls.md#iam-1) 

 [[IAM.2] IAM users should not have IAM policies attached](iam-controls.md#iam-2) 

 [[IAM.3] IAM users' access keys should be rotated every 90 days or less](iam-controls.md#iam-3) 

 [[IAM.4] IAM root user access key should not exist](iam-controls.md#iam-4) 

 [[IAM.5] MFA should be enabled for all IAM users that have a console password](iam-controls.md#iam-5) 

 [[IAM.6] Hardware MFA should be enabled for the root user](iam-controls.md#iam-6) 

 [[IAM.8] Unused IAM user credentials should be removed](iam-controls.md#iam-8) 

 [[IAM.9] MFA should be enabled for the root user](iam-controls.md#iam-9) 

 [[IAM.11] Ensure IAM password policy requires at least one uppercase letter](iam-controls.md#iam-11) 

 [[IAM.12] Ensure IAM password policy requires at least one lowercase letter](iam-controls.md#iam-12) 

 [[IAM.13] Ensure IAM password policy requires at least one symbol](iam-controls.md#iam-13) 

 [[IAM.14] Ensure IAM password policy requires at least one number](iam-controls.md#iam-14) 

 [[IAM.15] Ensure IAM password policy requires minimum password length of 14 or greater](iam-controls.md#iam-15) 

 [[IAM.16] Ensure IAM password policy prevents password reuse](iam-controls.md#iam-16) 

 [[IAM.17] Ensure IAM password policy expires passwords within 90 days or less](iam-controls.md#iam-17) 

 [[IAM.18] Ensure a support role has been created to manage incidents with Amazon Web Services Support](iam-controls.md#iam-18) 

 [[KMS.4] Amazon KMS key rotation should be enabled](kms-controls.md#kms-4) 

## Version comparison for CIS Amazon Foundations Benchmark


This section summarizes the differences between specific versions of the Center for Internet Security (CIS) Amazon Foundations Benchmark—v5.0.0, v3.0.0, v1.4.0, and v1.2.0. Amazon Security Hub CSPM supports each of these versions of the CIS Amazon Foundations Benchmark. However, we recommend using v5.0.0 to stay current with security best practices. You can have multiple versions of CIS Amazon Foundations Benchmark standards enabled at the same time. For information about enabling standards, see [Enabling a security standard](enable-standards.md). If you want to upgrade to v5.0.0, enable it before you disable an older version. This prevents gaps in your security checks. If you use the Security Hub CSPM integration with Amazon Organizations and want to batch enable v5.0.0 in multiple accounts, we recommend using [central configuration](central-configuration-intro.md).

### Mapping of controls to CIS requirements in each version


Understand which controls each version of the CIS Amazon Foundations Benchmark supports.


| Control ID and title | CIS v5.0.0 requirement | CIS v3.0.0 requirement | CIS v1.4.0 requirement | CIS v1.2.0 requirement | 
| --- | --- | --- | --- | --- | 
|  [[Account.1] Security contact information should be provided for an Amazon Web Services account](account-controls.md#account-1)  |  1.2  |  1.2  |  1.2  |  1.18  | 
|  [[CloudTrail.1] CloudTrail should be enabled and configured with at least one multi-Region trail that includes read and write management events](cloudtrail-controls.md#cloudtrail-1)  |  3.1  |  3.1  |  3.1  |  2.1  | 
|  [[CloudTrail.2] CloudTrail should have encryption at-rest enabled](cloudtrail-controls.md#cloudtrail-2)  |  3.5  |  3.5  |  3.7  |  2.7  | 
|  [[CloudTrail.4] CloudTrail log file validation should be enabled](cloudtrail-controls.md#cloudtrail-4)  |  3.2  |  3.2  |  3.2  |  2.2  | 
|  [[CloudTrail.5] CloudTrail trails should be integrated with Amazon CloudWatch Logs](cloudtrail-controls.md#cloudtrail-5)  |  Not supported – CIS removed this requirement  |  Not supported – CIS removed this requirement  |  3.4  |  2.4  | 
|  [[CloudTrail.6] Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible](cloudtrail-controls.md#cloudtrail-6)  |  Not supported – CIS removed this requirement  |  Not supported – CIS removed this requirement  |  3.3  |  2.3  | 
|  [[CloudTrail.7] Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket](cloudtrail-controls.md#cloudtrail-7)  |  3.4  |  3.4  |  3.6  |  2.6  | 
|  [[CloudWatch.1] A log metric filter and alarm should exist for usage of the "root" user](cloudwatch-controls.md#cloudwatch-1)  |  Not supported – manual check  |  Not supported – manual check  |  4.3  |  3.3  | 
|  [[CloudWatch.2] Ensure a log metric filter and alarm exist for unauthorized API calls](cloudwatch-controls.md#cloudwatch-2)  |  Not supported – manual check  |  Not supported – manual check  |  Not supported – manual check  |  3.1  | 
|  [[CloudWatch.3] Ensure a log metric filter and alarm exist for Management Console sign-in without MFA](cloudwatch-controls.md#cloudwatch-3)  |  Not supported – manual check  |  Not supported – manual check  |  Not supported – manual check  |  3.2  | 
|  [[CloudWatch.4] Ensure a log metric filter and alarm exist for IAM policy changes](cloudwatch-controls.md#cloudwatch-4)  |  Not supported – manual check  |  Not supported – manual check  |  4.4  |  3.4  | 
|  [[CloudWatch.5] Ensure a log metric filter and alarm exist for CloudTrail configuration changes](cloudwatch-controls.md#cloudwatch-5)  |  Not supported – manual check  |  Not supported – manual check  |  4.5  |  3.5  | 
|  [[CloudWatch.6] Ensure a log metric filter and alarm exist for Amazon Web Services Management Console authentication failures](cloudwatch-controls.md#cloudwatch-6)  |  Not supported – manual check  |  Not supported – manual check  |  4.6  |  3.6  | 
|  [[CloudWatch.7] Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer managed keys](cloudwatch-controls.md#cloudwatch-7)  |  Not supported – manual check  |  Not supported – manual check  |  4.7  |  3.7  | 
|  [[CloudWatch.8] Ensure a log metric filter and alarm exist for S3 bucket policy changes](cloudwatch-controls.md#cloudwatch-8)  |  Not supported – manual check  |  Not supported – manual check  |  4.8  |  3.8  | 
|  [[CloudWatch.9] Ensure a log metric filter and alarm exist for Amazon Config configuration changes](cloudwatch-controls.md#cloudwatch-9)  |  Not supported – manual check  |  Not supported – manual check  |  4.9  |  3.9  | 
|  [[CloudWatch.10] Ensure a log metric filter and alarm exist for security group changes](cloudwatch-controls.md#cloudwatch-10)  |  Not supported – manual check  |  Not supported – manual check  |  4.10  |  3.10  | 
|  [[CloudWatch.11] Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)](cloudwatch-controls.md#cloudwatch-11)  |  Not supported – manual check  |  Not supported – manual check  |  4.11  |  3.11  | 
|  [[CloudWatch.12] Ensure a log metric filter and alarm exist for changes to network gateways](cloudwatch-controls.md#cloudwatch-12)  |  Not supported – manual check  |  Not supported – manual check  |  4.12  |  3.12  | 
|  [[CloudWatch.13] Ensure a log metric filter and alarm exist for route table changes](cloudwatch-controls.md#cloudwatch-13)  |  Not supported – manual check  |  Not supported – manual check  |  4.13  |  3.13  | 
|  [[CloudWatch.14] Ensure a log metric filter and alarm exist for VPC changes](cloudwatch-controls.md#cloudwatch-14)  |  Not supported – manual check  |  Not supported – manual check  |  4.14  |  3.14  | 
|  [[Config.1] Amazon Config should be enabled and use the service-linked role for resource recording](config-controls.md#config-1)  |  3.3  |  3.3  |  3.5  |  2.5  | 
|  [[EC2.2] VPC default security groups should not allow inbound or outbound traffic](ec2-controls.md#ec2-2)  |  5.5  |  5.4  |  5.3  |  4.3  | 
|  [[EC2.6] VPC flow logging should be enabled in all VPCs](ec2-controls.md#ec2-6)  |  3.7  |  3.7  |  3.9  |  2.9  | 
|  [[EC2.7] EBS default encryption should be enabled](ec2-controls.md#ec2-7)  |  5.1.1  |  2.2.1  |  2.2.1  |  Not supported  | 
|  [[EC2.8] EC2 instances should use Instance Metadata Service Version 2 (IMDSv2)](ec2-controls.md#ec2-8)  |  5.7  |  5.6  |  Not supported  |  Not supported  | 
|  [[EC2.13] Security groups should not allow ingress from 0.0.0.0/0 or ::/0 to port 22](ec2-controls.md#ec2-13)  |  Not supported – replaced by requirements 5.3 and 5.4  |  Not supported – replaced by requirements 5.2 and 5.3  |  Not supported – replaced by requirements 5.2 and 5.3  |  4.1  | 
|  [[EC2.14] Security groups should not allow ingress from 0.0.0.0/0 or ::/0 to port 3389](ec2-controls.md#ec2-14)  |  Not supported – replaced by requirements 5.3 and 5.4  |  Not supported – replaced by requirements 5.2 and 5.3  |  Not supported – replaced by requirements 5.2 and 5.3  |  4.2  | 
|  [[EC2.21] Network ACLs should not allow ingress from 0.0.0.0/0 to port 22 or port 3389](ec2-controls.md#ec2-21)  |  5.2  |  5.1  |  5.1  |  Not supported  | 
|  [[EC2.53] EC2 security groups should not allow ingress from 0.0.0.0/0 to remote server administration ports](ec2-controls.md#ec2-53)  |  5.3  |  5.2  |  Not supported  |  Not supported  | 
|  [[EC2.54] EC2 security groups should not allow ingress from ::/0 to remote server administration ports](ec2-controls.md#ec2-54)  |  5.4  |  5.3  |  Not supported  |  Not supported  | 
|  [[EFS.1] Elastic File System should be configured to encrypt file data at-rest using Amazon KMS](efs-controls.md#efs-1)  |  2.3.1  |  2.4.1  |  Not supported  |  Not supported  | 
|  [[EFS.8] EFS file systems should be encrypted at rest](efs-controls.md#efs-8)  |  2.3.1  |  Not supported  |  Not supported  |  Not supported  | 
|  [[IAM.1] IAM policies should not allow full "\*" administrative privileges](iam-controls.md#iam-1)  |  Not supported   |  Not supported   |  1.16  |  1.22  | 
|  [[IAM.2] IAM users should not have IAM policies attached](iam-controls.md#iam-2)  |  1.14  |  1.15  |  Not supported  |  1.16  | 
|  [[IAM.3] IAM users' access keys should be rotated every 90 days or less](iam-controls.md#iam-3)  |  1.13  |  1.14  |  1.14  |  1.4  | 
|  [[IAM.4] IAM root user access key should not exist](iam-controls.md#iam-4)  |  1.3  |  1.4  |  1.4  |  1.12  | 
|  [[IAM.5] MFA should be enabled for all IAM users that have a console password](iam-controls.md#iam-5)  |  1.9  |  1.10  |  1.10  |  1.2  | 
|  [[IAM.6] Hardware MFA should be enabled for the root user](iam-controls.md#iam-6)  |  1.5  |  1.6  |  1.6  |  1.14  | 
|  [[IAM.8] Unused IAM user credentials should be removed](iam-controls.md#iam-8)  |  Not supported – see [[IAM.22] IAM user credentials unused for 45 days should be removed](iam-controls.md#iam-22) instead  |  Not supported – see [[IAM.22] IAM user credentials unused for 45 days should be removed](iam-controls.md#iam-22) instead  |  Not supported – see [[IAM.22] IAM user credentials unused for 45 days should be removed](iam-controls.md#iam-22) instead  |  1.3  | 
|  [[IAM.9] MFA should be enabled for the root user](iam-controls.md#iam-9)  |  1.4  |  1.5  |  1.5  |  1.13  | 
|  [[IAM.11] Ensure IAM password policy requires at least one uppercase letter](iam-controls.md#iam-11)  |  Not supported – CIS removed this requirement  |  Not supported – CIS removed this requirement  |  Not supported – CIS removed this requirement  |  1.5  | 
|  [[IAM.12] Ensure IAM password policy requires at least one lowercase letter](iam-controls.md#iam-12)  |  Not supported – CIS removed this requirement  |  Not supported – CIS removed this requirement  |  Not supported – CIS removed this requirement  |  1.6  | 
|  [[IAM.13] Ensure IAM password policy requires at least one symbol](iam-controls.md#iam-13)  |  Not supported – CIS removed this requirement  |  Not supported – CIS removed this requirement  |  Not supported – CIS removed this requirement  |  1.7  | 
|  [[IAM.14] Ensure IAM password policy requires at least one number](iam-controls.md#iam-14)  |  Not supported – CIS removed this requirement  |  Not supported – CIS removed this requirement  |  Not supported – CIS removed this requirement  |  1.8  | 
|  [[IAM.15] Ensure IAM password policy requires minimum password length of 14 or greater](iam-controls.md#iam-15)  |  1.7  |  1.8  |  1.8  |  1.9  | 
|  [[IAM.16] Ensure IAM password policy prevents password reuse](iam-controls.md#iam-16)  |  1.8  |  1.9  |  1.9  |  1.10  | 
|  [[IAM.17] Ensure IAM password policy expires passwords within 90 days or less](iam-controls.md#iam-17)  |  Not supported – CIS removed this requirement  |  Not supported – CIS removed this requirement  |  Not supported – CIS removed this requirement  |  1.11  | 
|  [[IAM.18] Ensure a support role has been created to manage incidents with Amazon Web Services Support](iam-controls.md#iam-18)  |  1.16  |  1.17  |  1.17  |  1.2  | 
|  [[IAM.20] Avoid the use of the root user](iam-controls.md#iam-20)  |  Not supported – CIS removed this requirement  |  Not supported – CIS removed this requirement  |  Not supported – CIS removed this requirement  |  1.1  | 
|  [[IAM.22] IAM user credentials unused for 45 days should be removed](iam-controls.md#iam-22)  |  1.11  |  1.12  |  1.12  |  Not supported – CIS added this requirement in later versions  | 
|  [[IAM.26] Expired SSL/TLS certificates managed in IAM should be removed](iam-controls.md#iam-26)  |  1.18  |  1.19  |  Not supported – CIS added this requirement in later versions  |  Not supported – CIS added this requirement in later versions  | 
|  [[IAM.27] IAM identities should not have the AWSCloudShellFullAccess policy attached](iam-controls.md#iam-27)  |  1.21  |  1.22  |  Not supported – CIS added this requirement in later versions  |  Not supported – CIS added this requirement in later versions  | 
|  [[IAM.28] IAM Access Analyzer external access analyzer should be enabled](iam-controls.md#iam-28)  |  1.19  |  1.20  |  Not supported – CIS added this requirement in later versions  |  Not supported – CIS added this requirement in later versions  | 
|  [[KMS.4] Amazon KMS key rotation should be enabled](kms-controls.md#kms-4)  |  3.6  |  3.6  |  3.8  |  2.8  | 
|  [[Macie.1] Amazon Macie should be enabled](macie-controls.md#macie-1)  |  Not supported – manual check  |  Not supported – manual check  |  Not supported – manual check  |  Not supported – manual check  | 
|  [[RDS.2] RDS DB Instances should prohibit public access, as determined by the PubliclyAccessible configuration](rds-controls.md#rds-2)  |  2.2.3  |  2.3.3  |  Not supported – CIS added this requirement in later versions  |  Not supported – CIS added this requirement in later versions  | 
|  [[RDS.3] RDS DB instances should have encryption at-rest enabled](rds-controls.md#rds-3)  |  2.2.1  |  2.3.1  |  2.3.1  |  Not supported – CIS added this requirement in later versions  | 
|  [[RDS.5] RDS DB instances should be configured with multiple Availability Zones](rds-controls.md#rds-5)  |  2.2.4  |  Not supported – CIS added this requirement in later versions  |  Not supported – CIS added this requirement in later versions  |  Not supported – CIS added this requirement in later versions  | 
|  [[RDS.13] RDS automatic minor version upgrades should be enabled](rds-controls.md#rds-13)  |  2.2.2  |  2.3.2  |  Not supported – CIS added this requirement in later versions  |  Not supported – CIS added this requirement in later versions  | 
|  [[RDS.15] RDS DB clusters should be configured for multiple Availability Zones](rds-controls.md#rds-15)  |  2.2.4  |  Not supported – CIS added this requirement in later versions  |  Not supported – CIS added this requirement in later versions  |  Not supported – CIS added this requirement in later versions  | 
|  [[S3.1] S3 general purpose buckets should have block public access settings enabled](s3-controls.md#s3-1)  |  2.1.4  |  2.1.4  |  2.1.5  |  Not supported – CIS added this requirement in later versions  | 
|  [[S3.5] S3 general purpose buckets should require requests to use SSL](s3-controls.md#s3-5)  |  2.1.1  |  2.1.1  |  2.1.2  |  Not supported – CIS added this requirement in later versions  | 
|  [[S3.8] S3 general purpose buckets should block public access](s3-controls.md#s3-8)  |  2.1.4  |  2.1.4  |  2.1.5  |  Not supported – CIS added this requirement in later versions  | 
|  [[S3.20] S3 general purpose buckets should have MFA delete enabled](s3-controls.md#s3-20)  |  2.1.2  |  2.1.2  |  2.1.3  |  Not supported – CIS added this requirement in later versions  | 

### ARNs for CIS Amazon Foundations Benchmarks


When you enable one or more versions of the CIS Amazon Foundations Benchmark, you begin receiving findings in the Amazon Security Finding Format (ASFF). In ASFF, each version uses the following Amazon Resource Name (ARN):

**CIS Amazon Foundations Benchmark v5.0.0**  
`arn:aws-cn:securityhub:region::standards/cis-aws-foundations-benchmark/v/5.0.0`

**CIS Amazon Foundations Benchmark v3.0.0**  
`arn:aws-cn:securityhub:region::standards/cis-aws-foundations-benchmark/v/3.0.0`

**CIS Amazon Foundations Benchmark v1.4.0**  
`arn:aws-cn:securityhub:region::standards/cis-aws-foundations-benchmark/v/1.4.0`

**CIS Amazon Foundations Benchmark v1.2.0**  
`arn:aws-cn:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0`

You can use the [https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_GetEnabledStandards.html](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_GetEnabledStandards.html) operation of the Security Hub CSPM API to find the ARN of an enabled standard.

The preceding values are for `StandardsArn`. However, `StandardsSubscriptionArn` refers to the standard subscription resource that Security Hub CSPM creates when you subscribe to a standard by calling [https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_BatchEnableStandards.html](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_BatchEnableStandards.html) in a Region.
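The two points above, upgrading without a gap in checks (enable the new version before disabling the old one) and the difference between `StandardsArn` and `StandardsSubscriptionArn`, come together in the following added example. It is not Security Hub CSPM's own code. It uses only the three API operations named in this section (`GetEnabledStandards`, `BatchEnableStandards`, `BatchDisableStandards`) as exposed by a boto3 `securityhub` client; `FakeClient` is a constructed offline stand-in with the same method signatures, and the Region and account id inside it are placeholders.

```python
# Added example: upgrade CIS benchmark versions without a gap in checks and
# translate between StandardsArn and StandardsSubscriptionArn. Not Security
# Hub CSPM's own code. The three client methods used (get_enabled_standards,
# batch_enable_standards, batch_disable_standards) are the boto3 securityhub
# operations named in the text; FakeClient is a constructed offline stand-in.

CIS_PREFIXES = (
    "standards/cis-aws-foundations-benchmark/v/",  # v1.4.0 and later
    "ruleset/cis-aws-foundations-benchmark/v/",    # v1.2.0 only
)


def cis_version(standards_arn):
    """Version string from a CIS StandardsArn, or None for any other standard."""
    for prefix in CIS_PREFIXES:
        idx = standards_arn.find(prefix)
        if idx != -1:
            return standards_arn[idx + len(prefix):]
    return None


def enabled_subscriptions(client):
    """Map StandardsArn -> StandardsSubscriptionArn for every enabled standard.
    GetEnabledStandards is paginated, so follow NextToken until it is absent."""
    mapping, kwargs = {}, {}
    while True:
        page = client.get_enabled_standards(**kwargs)
        for sub in page.get("StandardsSubscriptions", []):
            mapping[sub["StandardsArn"]] = sub["StandardsSubscriptionArn"]
        if not page.get("NextToken"):
            return mapping
        kwargs = {"NextToken": page["NextToken"]}


def upgrade_cis(client, new_arn, old_arn):
    """Enable new_arn first, confirm it is registered, then disable old_arn.
    Returns (enabled_new, disabled_old); (False, False) means nothing to do."""
    if cis_version(new_arn) is None or cis_version(old_arn) is None:
        raise ValueError("both ARNs must be CIS AWS Foundations Benchmark StandardsArns")
    subs = enabled_subscriptions(client)
    enabled_new = new_arn not in subs
    if enabled_new:
        # BatchEnableStandards is keyed by StandardsArn ...
        client.batch_enable_standards(
            StandardsSubscriptionRequests=[{"StandardsArn": new_arn}])
        subs = enabled_subscriptions(client)
        if new_arn not in subs:
            # Never disable the old version if the new one did not register.
            raise RuntimeError("new standard did not appear in GetEnabledStandards")
    old_sub = subs.get(old_arn)
    if old_sub:
        # ... but BatchDisableStandards is keyed by StandardsSubscriptionArn.
        client.batch_disable_standards(StandardsSubscriptionArns=[old_sub])
    return enabled_new, old_sub is not None


class FakeClient:
    """Constructed offline stand-in for boto3.client('securityhub'); the
    Region and account id used below are placeholders, not real values."""

    def __init__(self, enabled_versions):
        self.subs, self.enable_calls, self.disable_calls = {}, [], []
        for version in enabled_versions:
            self._add(version)

    def _add(self, version):
        kind = "ruleset" if version == "1.2.0" else "standards"
        std = f"arn:aws-cn:securityhub:cn-north-1::{kind}/cis-aws-foundations-benchmark/v/{version}"
        self.subs[std] = (f"arn:aws-cn:securityhub:cn-north-1:123456789012:"
                          f"subscription/cis-aws-foundations-benchmark/v/{version}")

    def get_enabled_standards(self, NextToken=None):
        # One subscription per page, to exercise the pagination loop.
        items = sorted(self.subs.items())
        i = int(NextToken) if NextToken else 0
        page = {"StandardsSubscriptions": [
            {"StandardsArn": s, "StandardsSubscriptionArn": u} for s, u in items[i:i + 1]]}
        if i + 1 < len(items):
            page["NextToken"] = str(i + 1)
        return page

    def batch_enable_standards(self, StandardsSubscriptionRequests):
        for req in StandardsSubscriptionRequests:
            self.enable_calls.append(req["StandardsArn"])
            self._add(cis_version(req["StandardsArn"]))
        return {}

    def batch_disable_standards(self, StandardsSubscriptionArns):
        self.disable_calls.extend(StandardsSubscriptionArns)
        self.subs = {s: u for s, u in self.subs.items() if u not in StandardsSubscriptionArns}
        return {}


if __name__ == "__main__":
    client = FakeClient(["1.4.0"])
    v5 = "arn:aws-cn:securityhub:cn-north-1::standards/cis-aws-foundations-benchmark/v/5.0.0"
    v14 = "arn:aws-cn:securityhub:cn-north-1::standards/cis-aws-foundations-benchmark/v/1.4.0"
    print(upgrade_cis(client, v5, v14))           # (True, True)
    print(sorted(enabled_subscriptions(client)))  # only the v5.0.0 StandardsArn remains
```

Against a real account, pass `boto3.client("securityhub")` in place of `FakeClient`; the function re-reads `GetEnabledStandards` after enabling so that the older version is only disabled once the new subscription actually exists, which is the ordering the text asks for.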

**Note**  
When you enable a version of the CIS Amazon Foundations Benchmark, it can take up to 18 hours for Security Hub CSPM to generate findings for controls that use the same Amazon Config service-linked rule as enabled controls in other enabled standards. For more information about the schedule for generating control findings, see [Schedule for running security checks](securityhub-standards-schedule.md).

Finding fields differ if you turn on consolidated control findings. For information about these differences, see [Impact of consolidation on ASFF fields and values](asff-changes-consolidation.md). For sample control findings, see [Samples of control findings](sample-control-findings.md).

### CIS requirements that aren't supported in Security Hub CSPM


As noted in the preceding table, Security Hub CSPM doesn't support every CIS requirement in every version of the CIS Amazon Foundations Benchmark. Many of the unsupported requirements can be evaluated only by manually reviewing the state of your Amazon resources.

# NIST SP 800-53 Revision 5 in Security Hub CSPM

NIST Special Publication 800-53 Revision 5 (NIST SP 800-53 Rev. 5) is a cybersecurity and compliance framework developed by the National Institute of Standards and Technology (NIST), an agency that's part of the U.S. Department of Commerce. This compliance framework provides a catalog of security and privacy requirements for protecting the confidentiality, integrity, and availability of information systems and critical resources. U.S. federal government agencies and contractors must comply with these requirements to protect their systems and organizations. Private organizations can also voluntarily use the requirements as a guiding framework for reducing cybersecurity risk. For more information about the framework and its requirements, see [NIST SP 800-53 Rev. 5](https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final) in the *NIST Computer Security Resource Center*.

Amazon Security Hub CSPM provides security controls that support a subset of NIST SP 800-53 Revision 5 requirements. The controls perform automated security checks for certain Amazon Web Services services and resources. To enable and manage these controls, you can enable the NIST SP 800-53 Revision 5 framework as a standard in Security Hub CSPM. Note that the controls don't support NIST SP 800-53 Revision 5 requirements that require manual checks.

Unlike other frameworks, the NIST SP 800-53 Revision 5 framework isn't prescriptive about how its requirements should be evaluated. Instead, the framework provides guidelines. In Security Hub CSPM, the NIST SP 800-53 Revision 5 standard and controls represent the service's understanding of these guidelines.

**Topics**
+ [Configuring resource recording for the standard](#standards-reference-nist-800-53-recording)
+ [Determining which controls apply to the standard](#standards-reference-nist-800-53-controls)

## Configuring resource recording for controls that apply to the standard

To optimize coverage and the accuracy of findings, it's important to enable and configure resource recording in Amazon Config before you enable the NIST SP 800-53 Revision 5 standard in Amazon Security Hub CSPM. When you configure resource recording, also be sure to enable it for all the types of Amazon resources that are checked by controls that apply to the standard. This is primarily for controls that have a *change triggered* schedule type. However, some controls with a *periodic* schedule type also require resource recording. If resource recording isn't enabled or configured correctly, Security Hub CSPM might not be able to evaluate the appropriate resources or generate accurate findings for controls that apply to the standard.

For information about how Security Hub CSPM uses resource recording in Amazon Config, see [Enabling and configuring Amazon Config for Security Hub CSPM](securityhub-setup-prereqs.md). For information about configuring resource recording in Amazon Config, see [Working with the configuration recorder](https://docs.amazonaws.cn/config/latest/developerguide/stop-start-recorder.html) in the *Amazon Config Developer Guide*.

The following table specifies the types of resources to record for controls that apply to the NIST SP 800-53 Revision 5 standard in Security Hub CSPM.


| Amazon Web Services service | Resource types | 
| --- | --- | 
|  Amazon API Gateway  |  `AWS::ApiGateway::Stage`, `AWS::ApiGatewayV2::Stage`  | 
|  Amazon AppSync  |  `AWS::AppSync::GraphQLApi`  | 
|  Amazon Backup  |  `AWS::Backup::RecoveryPoint`  | 
|  Amazon Certificate Manager (ACM)  |  `AWS::ACM::Certificate`  | 
|  Amazon CloudFormation  |  `AWS::CloudFormation::Stack`  | 
|  Amazon CloudFront  |  `AWS::CloudFront::Distribution`  | 
|  Amazon CloudWatch  |  `AWS::CloudWatch::Alarm`  | 
|  Amazon CodeBuild  |  `AWS::CodeBuild::Project`  | 
|  Amazon Database Migration Service (Amazon DMS)  |  `AWS::DMS::Endpoint`, `AWS::DMS::ReplicationInstance`, `AWS::DMS::ReplicationTask`  | 
|  Amazon DynamoDB  |  `AWS::DynamoDB::Table`  | 
|  Amazon Elastic Compute Cloud (Amazon EC2)  |  `AWS::EC2::ClientVpnEndpoint`, `AWS::EC2::EIP`, `AWS::EC2::Instance`, `AWS::EC2::LaunchTemplate`, `AWS::EC2::NetworkAcl`, `AWS::EC2::NetworkInterface`, `AWS::EC2::SecurityGroup`, `AWS::EC2::Subnet`, `AWS::EC2::TransitGateway`, `AWS::EC2::VPNConnection`, `AWS::EC2::Volume`  | 
|  Amazon EC2 Auto Scaling  |  `AWS::AutoScaling::AutoScalingGroup`, `AWS::AutoScaling::LaunchConfiguration`  | 
|  Amazon Elastic Container Registry (Amazon ECR)  |  `AWS::ECR::Repository`  | 
|  Amazon Elastic Container Service (Amazon ECS)  |  `AWS::ECS::Cluster`, `AWS::ECS::Service`, `AWS::ECS::TaskDefinition`  | 
|  Amazon Elastic File System (Amazon EFS)  |  `AWS::EFS::AccessPoint`  | 
|  Amazon Elastic Kubernetes Service (Amazon EKS)  |  `AWS::EKS::Cluster`  | 
|  Amazon Elastic Beanstalk  |  `AWS::ElasticBeanstalk::Environment`  | 
|  Elastic Load Balancing  |  `AWS::ElasticLoadBalancing::LoadBalancer`, `AWS::ElasticLoadBalancingV2::Listener`, `AWS::ElasticLoadBalancingV2::LoadBalancer`  | 
|  Amazon Elasticsearch  |  `AWS::Elasticsearch::Domain`  | 
|  Amazon EMR  |  `AWS::EMR::SecurityConfiguration`  | 
|  Amazon EventBridge  |  `AWS::Events::Endpoint`, `AWS::Events::EventBus`  | 
|  Amazon Glue  |  `AWS::Glue::Job`  | 
|  Amazon Identity and Access Management (IAM)  |  `AWS::IAM::Group`, `AWS::IAM::Policy`, `AWS::IAM::Role`, `AWS::IAM::User`  | 
|  Amazon Key Management Service (Amazon KMS)  |  `AWS::KMS::Alias`, `AWS::KMS::Key`  | 
|  Amazon Kinesis  |  `AWS::Kinesis::Stream`  | 
|  Amazon Lambda  |  `AWS::Lambda::Function`  | 
|  Amazon Managed Streaming for Apache Kafka (Amazon MSK)  |  `AWS::MSK::Cluster`  | 
|  Amazon MQ  |  `AWS::AmazonMQ::Broker`  | 
|  Amazon Network Firewall  |  `AWS::NetworkFirewall::Firewall`, `AWS::NetworkFirewall::FirewallPolicy`, `AWS::NetworkFirewall::RuleGroup`  | 
|  Amazon OpenSearch Service  |  `AWS::OpenSearch::Domain`  | 
|  Amazon Relational Database Service (Amazon RDS)  |  `AWS::RDS::DBCluster`, `AWS::RDS::DBClusterSnapshot`, `AWS::RDS::DBInstance`, `AWS::RDS::DBSnapshot`, `AWS::RDS::EventSubscription`  | 
|  Amazon Redshift  |  `AWS::Redshift::Cluster`, `AWS::Redshift::ClusterSubnetGroup`  | 
|  Amazon Route 53  |  `AWS::Route53::HostedZone`  | 
|  Amazon Simple Storage Service (Amazon S3)  |  `AWS::S3::AccessPoint`, `AWS::S3::AccountPublicAccessBlock`, `AWS::S3::Bucket`  | 
|  Amazon Service Catalog  |  `AWS::ServiceCatalog::Portfolio`  | 
|  Amazon Simple Notification Service (Amazon SNS)  |  `AWS::SNS::Topic`  | 
|  Amazon Simple Queue Service (Amazon SQS)  |  `AWS::SQS::Queue`  | 
|  Amazon EC2 Systems Manager (SSM)  |  `AWS::SSM::AssociationCompliance`, `AWS::SSM::ManagedInstanceInventory`, `AWS::SSM::PatchCompliance`  | 
|  Amazon SageMaker AI  |  `AWS::SageMaker::NotebookInstance`  | 
|  Amazon Secrets Manager  |  `AWS::SecretsManager::Secret`  | 
|  Amazon Transfer Family  |  `AWS::Transfer::Connector`  | 
|  Amazon WAF  |  `AWS::WAF::Rule`, `AWS::WAF::RuleGroup`, `AWS::WAF::WebACL`, `AWS::WAFRegional::Rule`, `AWS::WAFRegional::RuleGroup`, `AWS::WAFRegional::WebACL`, `AWS::WAFv2::RuleGroup`, `AWS::WAFv2::WebACL`  | 
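The following added example checks a configuration recorder against the resource types in the table above. It is not code from Security Hub CSPM or Amazon Config. The recording-group shape it reads (`recordingStrategy.useOnly`, `allSupported`, `includeGlobalResourceTypes`, `resourceTypes`, `exclusionByResourceTypes.resourceTypes`) is the one returned by the Amazon Config `DescribeConfigurationRecorders` operation; `REQUIRED_TYPES` is a short constructed subset of the table, and the sample recorders are constructed for the demo. The handling of `includeGlobalResourceTypes` as governing only the IAM types under the all-supported strategy is this example's own assumption.

```python
# Added example: report which required resource types an Amazon Config
# recorder would NOT record. Not Security Hub CSPM's or Amazon Config's own
# code. Input shape follows DescribeConfigurationRecorders; REQUIRED_TYPES is a
# constructed subset of the NIST SP 800-53 Rev. 5 table (extend it with the
# full table for a real check).

REQUIRED_TYPES = (
    "AWS::EC2::Instance",
    "AWS::EC2::SecurityGroup",
    "AWS::IAM::Role",
    "AWS::S3::Bucket",
    "AWS::S3::AccountPublicAccessBlock",
    "AWS::RDS::DBInstance",
)

# Global IAM types whose recording in a Region depends on includeGlobalResourceTypes.
GLOBAL_IAM_TYPES = {"AWS::IAM::User", "AWS::IAM::Group", "AWS::IAM::Role", "AWS::IAM::Policy"}


def records_type(recording_group):
    """Return a predicate (resource type -> bool) for what the recorder records,
    honouring the three recording strategies and the legacy allSupported flag."""
    strategy = recording_group.get("recordingStrategy", {}).get("useOnly")
    if strategy is None:
        # Legacy shape without recordingStrategy: allSupported=True means all
        # supported types; otherwise only the explicit resourceTypes list.
        strategy = ("ALL_SUPPORTED_RESOURCE_TYPES" if recording_group.get("allSupported")
                    else "INCLUSION_BY_RESOURCE_TYPES")
    if strategy == "ALL_SUPPORTED_RESOURCE_TYPES":
        # Assumption in this example: global IAM types are recorded here only
        # when includeGlobalResourceTypes is set on the recorder.
        global_ok = bool(recording_group.get("includeGlobalResourceTypes"))
        return lambda t: global_ok or t not in GLOBAL_IAM_TYPES
    if strategy == "INCLUSION_BY_RESOURCE_TYPES":
        included = set(recording_group.get("resourceTypes", []))
        return lambda t: t in included
    if strategy == "EXCLUSION_BY_RESOURCE_TYPES":
        excluded = set(recording_group.get("exclusionByResourceTypes", {}).get("resourceTypes", []))
        return lambda t: t not in excluded
    raise ValueError(f"unknown recording strategy: {strategy}")


def missing_resource_types(recording_group, required=REQUIRED_TYPES):
    """Required resource types the recorder would not record, in table order."""
    recorded = records_type(recording_group)
    return [t for t in required if not recorded(t)]


def audit_recorders(describe_response, required=REQUIRED_TYPES):
    """Given a DescribeConfigurationRecorders response dict, map each recorder
    name to the required types it is missing (an empty list means full coverage)."""
    return {
        rec["name"]: missing_resource_types(rec.get("recordingGroup", {}), required)
        for rec in describe_response.get("ConfigurationRecorders", [])
    }


if __name__ == "__main__":
    # Constructed sample standing in for
    # boto3.client("config").describe_configuration_recorders().
    sample = {"ConfigurationRecorders": [
        {"name": "default",
         "recordingGroup": {"allSupported": True, "includeGlobalResourceTypes": False}},
        {"name": "narrow",
         "recordingGroup": {"recordingStrategy": {"useOnly": "INCLUSION_BY_RESOURCE_TYPES"},
                            "resourceTypes": ["AWS::EC2::Instance", "AWS::S3::Bucket"]}},
    ]}
    for name, missing in audit_recorders(sample).items():
        print(f"{name}: missing {missing or 'nothing'}")
```

Run it against a live account by replacing `sample` with the real `describe_configuration_recorders()` response; a recorder that uses the inclusion strategy is the usual source of silently missing findings, since every type the table lists has to be named explicitly.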

## Determining which controls apply to the standard

The following list specifies the controls that support NIST SP 800-53 Revision 5 requirements and apply to the NIST SP 800-53 Revision 5 standard in Amazon Security Hub CSPM. For details about specific requirements that a control supports, choose the control. Then refer to the **Related requirements** field in the details for the control. This field specifies each NIST requirement that the control supports. If the field doesn't specify a particular NIST requirement, the control doesn't support the requirement.
+ [[Account.1] Security contact information should be provided for an Amazon Web Services account](account-controls.md#account-1)
+ [[Account.2] Amazon Web Services accounts should be part of an Amazon Organizations organization](account-controls.md#account-2)
+ [[ACM.1] Imported and ACM-issued certificates should be renewed after a specified time period](acm-controls.md#acm-1)
+ [[APIGateway.1] API Gateway REST and WebSocket API execution logging should be enabled](apigateway-controls.md#apigateway-1)
+  [[APIGateway.2] API Gateway REST API stages should be configured to use SSL certificates for backend authentication](apigateway-controls.md#apigateway-2) 
+  [[APIGateway.3] API Gateway REST API stages should have Amazon X-Ray tracing enabled](apigateway-controls.md#apigateway-3) 
+  [[APIGateway.4] API Gateway should be associated with a WAF Web ACL](apigateway-controls.md#apigateway-4) 
+  [[APIGateway.5] API Gateway REST API cache data should be encrypted at rest](apigateway-controls.md#apigateway-5) 
+  [[APIGateway.8] API Gateway routes should specify an authorization type](apigateway-controls.md#apigateway-8) 
+  [[APIGateway.9] Access logging should be configured for API Gateway V2 Stages](apigateway-controls.md#apigateway-9) 
+  [[AppSync.5] Amazon AppSync GraphQL APIs should not be authenticated with API keys](appsync-controls.md#appsync-5) 
+  [[AutoScaling.1] Auto Scaling groups associated with a load balancer should use ELB health checks](autoscaling-controls.md#autoscaling-1) 
+  [[AutoScaling.2] Amazon EC2 Auto Scaling group should cover multiple Availability Zones](autoscaling-controls.md#autoscaling-2) 
+  [[AutoScaling.3] Auto Scaling group launch configurations should configure EC2 instances to require Instance Metadata Service Version 2 (IMDSv2)](autoscaling-controls.md#autoscaling-3) 
+  [[Autoscaling.5] Amazon EC2 instances launched using Auto Scaling group launch configurations should not have Public IP addresses](autoscaling-controls.md#autoscaling-5) 
+  [[AutoScaling.6] Auto Scaling groups should use multiple instance types in multiple Availability Zones](autoscaling-controls.md#autoscaling-6) 
+  [[AutoScaling.9] Amazon EC2 Auto Scaling groups should use Amazon EC2 launch templates](autoscaling-controls.md#autoscaling-9) 
+  [[Backup.1] Amazon Backup recovery points should be encrypted at rest](backup-controls.md#backup-1) 
+  [[CloudFront.1] CloudFront distributions should have a default root object configured](cloudfront-controls.md#cloudfront-1) 
+  [[CloudFront.3] CloudFront distributions should require encryption in transit](cloudfront-controls.md#cloudfront-3) 
+  [[CloudFront.4] CloudFront distributions should have origin failover configured](cloudfront-controls.md#cloudfront-4) 
+  [[CloudFront.5] CloudFront distributions should have logging enabled](cloudfront-controls.md#cloudfront-5) 
+  [[CloudFront.6] CloudFront distributions should have WAF enabled](cloudfront-controls.md#cloudfront-6) 
+  [[CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates](cloudfront-controls.md#cloudfront-7) 
+  [[CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests](cloudfront-controls.md#cloudfront-8) 
+  [[CloudFront.9] CloudFront distributions should encrypt traffic to custom origins](cloudfront-controls.md#cloudfront-9) 
+  [[CloudFront.10] CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins](cloudfront-controls.md#cloudfront-10) 
+  [[CloudFront.12] CloudFront distributions should not point to non-existent S3 origins](cloudfront-controls.md#cloudfront-12) 
+  [[CloudTrail.1] CloudTrail should be enabled and configured with at least one multi-Region trail that includes read and write management events](cloudtrail-controls.md#cloudtrail-1) 
+  [[CloudTrail.2] CloudTrail should have encryption at-rest enabled](cloudtrail-controls.md#cloudtrail-2) 
+  [[CloudTrail.4] CloudTrail log file validation should be enabled](cloudtrail-controls.md#cloudtrail-4) 
+  [[CloudTrail.5] CloudTrail trails should be integrated with Amazon CloudWatch Logs](cloudtrail-controls.md#cloudtrail-5) 
+  [[CloudTrail.10] CloudTrail Lake event data stores should be encrypted with customer managed Amazon KMS keys](cloudtrail-controls.md#cloudtrail-10) 
+  [[CloudWatch.15] CloudWatch alarms should have specified actions configured](cloudwatch-controls.md#cloudwatch-15) 
+  [[CloudWatch.16] CloudWatch log groups should be retained for a specified time period](cloudwatch-controls.md#cloudwatch-16) 
+  [[CloudWatch.17] CloudWatch alarm actions should be activated](cloudwatch-controls.md#cloudwatch-17) 
+  [[CodeBuild.1] CodeBuild Bitbucket source repository URLs should not contain sensitive credentials](codebuild-controls.md#codebuild-1) 
+  [[CodeBuild.2] CodeBuild project environment variables should not contain clear text credentials](codebuild-controls.md#codebuild-2) 
+  [[CodeBuild.3] CodeBuild S3 logs should be encrypted](codebuild-controls.md#codebuild-3) 
+  [[CodeBuild.4] CodeBuild project environments should have a logging Amazon Configuration](codebuild-controls.md#codebuild-4) 
+  [[Config.1] Amazon Config should be enabled and use the service-linked role for resource recording](config-controls.md#config-1) 
+  [[DataFirehose.1] Firehose delivery streams should be encrypted at rest](datafirehose-controls.md#datafirehose-1) 
+  [[DMS.1] Database Migration Service replication instances should not be public](dms-controls.md#dms-1) 
+  [[DMS.6] DMS replication instances should have automatic minor version upgrade enabled](dms-controls.md#dms-6) 
+  [[DMS.7] DMS replication tasks for the target database should have logging enabled](dms-controls.md#dms-7) 
+  [[DMS.8] DMS replication tasks for the source database should have logging enabled](dms-controls.md#dms-8) 
+  [[DMS.9] DMS endpoints should use SSL](dms-controls.md#dms-9) 
+  [[DMS.10] DMS endpoints for Neptune databases should have IAM authorization enabled](dms-controls.md#dms-10) 
+  [[DMS.11] DMS endpoints for MongoDB should have an authentication mechanism enabled](dms-controls.md#dms-11) 
+  [[DMS.12] DMS endpoints for Redis OSS should have TLS enabled](dms-controls.md#dms-12) 
+  [[DocumentDB.1] Amazon DocumentDB clusters should be encrypted at rest](documentdb-controls.md#documentdb-1) 
+  [[DocumentDB.2] Amazon DocumentDB clusters should have an adequate backup retention period](documentdb-controls.md#documentdb-2) 
+  [[DocumentDB.3] Amazon DocumentDB manual cluster snapshots should not be public](documentdb-controls.md#documentdb-3) 
+  [[DocumentDB.4] Amazon DocumentDB clusters should publish audit logs to CloudWatch Logs](documentdb-controls.md#documentdb-4) 
+  [[DocumentDB.5] Amazon DocumentDB clusters should have deletion protection enabled](documentdb-controls.md#documentdb-5) 
+  [[DynamoDB.1] DynamoDB tables should automatically scale capacity with demand](dynamodb-controls.md#dynamodb-1) 
+  [[DynamoDB.2] DynamoDB tables should have point-in-time recovery enabled](dynamodb-controls.md#dynamodb-2) 
+  [[DynamoDB.3] DynamoDB Accelerator (DAX) clusters should be encrypted at rest](dynamodb-controls.md#dynamodb-3) 
+  [[DynamoDB.4] DynamoDB tables should be present in a backup plan](dynamodb-controls.md#dynamodb-4) 
+  [[DynamoDB.6] DynamoDB tables should have deletion protection enabled](dynamodb-controls.md#dynamodb-6) 
+  [[DynamoDB.7] DynamoDB Accelerator clusters should be encrypted in transit](dynamodb-controls.md#dynamodb-7) 
+  [[EC2.1] Amazon EBS snapshots should not be configured to be publicly restorable](ec2-controls.md#ec2-1) 
+  [[EC2.2] VPC default security groups should not allow inbound or outbound traffic](ec2-controls.md#ec2-2) 
+  [[EC2.3] Attached Amazon EBS volumes should be encrypted at-rest](ec2-controls.md#ec2-3) 
+  [[EC2.4] Stopped EC2 instances should be removed after a specified time period](ec2-controls.md#ec2-4) 
+  [[EC2.6] VPC flow logging should be enabled in all VPCs](ec2-controls.md#ec2-6) 
+  [[EC2.7] EBS default encryption should be enabled](ec2-controls.md#ec2-7) 
+  [[EC2.8] EC2 instances should use Instance Metadata Service Version 2 (IMDSv2)](ec2-controls.md#ec2-8) 
+  [[EC2.9] Amazon EC2 instances should not have a public IPv4 address](ec2-controls.md#ec2-9) 
+  [[EC2.10] Amazon EC2 should be configured to use VPC endpoints that are created for the Amazon EC2 service](ec2-controls.md#ec2-10) 
+  [[EC2.12] Unused Amazon EC2 EIPs should be removed](ec2-controls.md#ec2-12) 
+  [[EC2.13] Security groups should not allow ingress from 0.0.0.0/0 or ::/0 to port 22](ec2-controls.md#ec2-13) 
+  [[EC2.15] Amazon EC2 subnets should not automatically assign public IP addresses](ec2-controls.md#ec2-15) 
+  [[EC2.16] Unused Network Access Control Lists should be removed](ec2-controls.md#ec2-16) 
+  [[EC2.17] Amazon EC2 instances should not use multiple ENIs](ec2-controls.md#ec2-17) 
+  [[EC2.18] Security groups should only allow unrestricted incoming traffic for authorized ports](ec2-controls.md#ec2-18) 
+  [[EC2.19] Security groups should not allow unrestricted access to ports with high risk](ec2-controls.md#ec2-19) 
+  [[EC2.20] Both VPN tunnels for an Amazon Site-to-Site VPN connection should be up](ec2-controls.md#ec2-20) 
+  [[EC2.21] Network ACLs should not allow ingress from 0.0.0.0/0 to port 22 or port 3389](ec2-controls.md#ec2-21) 
+  [[EC2.23] Amazon EC2 Transit Gateways should not automatically accept VPC attachment requests](ec2-controls.md#ec2-23) 
+  [[EC2.24] Amazon EC2 paravirtual instance types should not be used](ec2-controls.md#ec2-24) 
+  [[EC2.25] Amazon EC2 launch templates should not assign public IPs to network interfaces](ec2-controls.md#ec2-25) 
+  [[EC2.28] EBS volumes should be covered by a backup plan](ec2-controls.md#ec2-28) 
+  [[EC2.51] EC2 Client VPN endpoints should have client connection logging enabled](ec2-controls.md#ec2-51) 
+  [[EC2.55] VPCs should be configured with an interface endpoint for ECR API](ec2-controls.md#ec2-55) 
+  [[EC2.56] VPCs should be configured with an interface endpoint for Docker Registry](ec2-controls.md#ec2-56) 
+  [[EC2.57] VPCs should be configured with an interface endpoint for Systems Manager](ec2-controls.md#ec2-57) 
+  [[EC2.58] VPCs should be configured with an interface endpoint for Systems Manager Incident Manager Contacts](ec2-controls.md#ec2-58) 
+  [[EC2.60] VPCs should be configured with an interface endpoint for Systems Manager Incident Manager](ec2-controls.md#ec2-60) 
+  [[ECR.1] ECR private repositories should have image scanning configured](ecr-controls.md#ecr-1) 
+  [[ECR.2] ECR private repositories should have tag immutability configured](ecr-controls.md#ecr-2) 
+  [[ECR.3] ECR repositories should have at least one lifecycle policy configured](ecr-controls.md#ecr-3) 
+  [[ECR.5] ECR repositories should be encrypted with customer managed Amazon KMS keys](ecr-controls.md#ecr-5) 
+  [[ECS.1] Amazon ECS task definitions should have secure networking modes and user definitions](ecs-controls.md#ecs-1) 
+  [[ECS.2] ECS services should not have public IP addresses assigned to them automatically](ecs-controls.md#ecs-2) 
+  [[ECS.3] ECS task definitions should not share the host's process namespace](ecs-controls.md#ecs-3) 
+  [[ECS.4] ECS containers should run as non-privileged](ecs-controls.md#ecs-4) 
+  [[ECS.5] ECS task definitions should configure containers to be limited to read-only access to root filesystems](ecs-controls.md#ecs-5) 
+  [[ECS.8] Secrets should not be passed as container environment variables](ecs-controls.md#ecs-8) 
+  [[ECS.9] ECS task definitions should have a logging configuration](ecs-controls.md#ecs-9) 
+  [[ECS.10] ECS Fargate services should run on the latest Fargate platform version](ecs-controls.md#ecs-10) 
+  [[ECS.12] ECS clusters should use Container Insights](ecs-controls.md#ecs-12) 
+  [[ECS.17] ECS task definitions should not use host network mode](ecs-controls.md#ecs-17) 
+  [[EFS.1] Elastic File System should be configured to encrypt file data at-rest using Amazon KMS](efs-controls.md#efs-1) 
+  [[EFS.2] Amazon EFS volumes should be in backup plans](efs-controls.md#efs-2) 
+  [[EFS.3] EFS access points should enforce a root directory](efs-controls.md#efs-3) 
+  [[EFS.4] EFS access points should enforce a user identity](efs-controls.md#efs-4) 
+  [[EFS.6] EFS mount targets should not be associated with subnets that assign public IP addresses on launch](efs-controls.md#efs-6) 
+  [[EKS.1] EKS cluster endpoints should not be publicly accessible](eks-controls.md#eks-1) 
+  [[EKS.2] EKS clusters should run on a supported Kubernetes version](eks-controls.md#eks-2) 
+  [[EKS.3] EKS clusters should use encrypted Kubernetes secrets](eks-controls.md#eks-3) 
+  [[EKS.8] EKS clusters should have audit logging enabled](eks-controls.md#eks-8) 
+  [[ElastiCache.1] ElastiCache (Redis OSS) clusters should have automatic backups enabled](elasticache-controls.md#elasticache-1) 
+  [[ElastiCache.2] ElastiCache clusters should have automatic minor version upgrades enabled](elasticache-controls.md#elasticache-2) 
+  [[ElastiCache.3] ElastiCache replication groups should have automatic failover enabled](elasticache-controls.md#elasticache-3) 
+  [[ElastiCache.4] ElastiCache replication groups should be encrypted at rest](elasticache-controls.md#elasticache-4) 
+  [[ElastiCache.5] ElastiCache replication groups should be encrypted in transit](elasticache-controls.md#elasticache-5) 
+  [[ElastiCache.6] ElastiCache (Redis OSS) replication groups of earlier versions should have Redis OSS AUTH enabled](elasticache-controls.md#elasticache-6) 
+  [[ElastiCache.7] ElastiCache clusters should not use the default subnet group](elasticache-controls.md#elasticache-7) 
+  [[ElasticBeanstalk.1] Elastic Beanstalk environments should have enhanced health reporting enabled](elasticbeanstalk-controls.md#elasticbeanstalk-1) 
+  [[ElasticBeanstalk.2] Elastic Beanstalk managed platform updates should be enabled](elasticbeanstalk-controls.md#elasticbeanstalk-2) 
+  [[ELB.1] Application Load Balancer should be configured to redirect all HTTP requests to HTTPS](elb-controls.md#elb-1) 
+  [[ELB.2] Classic Load Balancers with SSL/HTTPS listeners should use a certificate provided by Amazon Certificate Manager](elb-controls.md#elb-2) 
+  [[ELB.3] Classic Load Balancer listeners should be configured with HTTPS or TLS termination](elb-controls.md#elb-3) 
+  [[ELB.4] Application Load Balancer should be configured to drop invalid http headers](elb-controls.md#elb-4) 
+  [[ELB.5] Application and Classic Load Balancers logging should be enabled](elb-controls.md#elb-5) 
+  [[ELB.6] Application, Gateway, and Network Load Balancers should have deletion protection enabled](elb-controls.md#elb-6) 
+  [[ELB.7] Classic Load Balancers should have connection draining enabled](elb-controls.md#elb-7) 
+  [[ELB.8] Classic Load Balancers with SSL listeners should use a predefined security policy that has strong Amazon Configuration](elb-controls.md#elb-8) 
+  [[ELB.9] Classic Load Balancers should have cross-zone load balancing enabled](elb-controls.md#elb-9) 
+  [[ELB.10] Classic Load Balancer should span multiple Availability Zones](elb-controls.md#elb-10) 
+  [[ELB.12] Application Load Balancer should be configured with defensive or strictest desync mitigation mode](elb-controls.md#elb-12) 
+  [[ELB.13] Application, Network and Gateway Load Balancers should span multiple Availability Zones](elb-controls.md#elb-13) 
+  [[ELB.14] Classic Load Balancer should be configured with defensive or strictest desync mitigation mode](elb-controls.md#elb-14) 
+  [[ELB.16] Application Load Balancers should be associated with an Amazon WAF web ACL](elb-controls.md#elb-16) 
+  [[ELB.17] Application and Network Load Balancers with listeners should use recommended security policies](elb-controls.md#elb-17) 
+  [[EMR.1] Amazon EMR cluster primary nodes should not have public IP addresses](emr-controls.md#emr-1) 
+  [[EMR.2] Amazon EMR block public access setting should be enabled](emr-controls.md#emr-2) 
+  [[EMR.3] Amazon EMR security configurations should be encrypted at rest](emr-controls.md#emr-3) 
+  [[EMR.4] Amazon EMR security configurations should be encrypted in transit](emr-controls.md#emr-4) 
+  [[ES.1] Elasticsearch domains should have encryption at-rest enabled](es-controls.md#es-1) 
+  [[ES.2] Elasticsearch domains should not be publicly accessible](es-controls.md#es-2) 
+  [[ES.3] Elasticsearch domains should encrypt data sent between nodes](es-controls.md#es-3) 
+  [[ES.4] Elasticsearch domain error logging to CloudWatch Logs should be enabled](es-controls.md#es-4) 
+  [[ES.5] Elasticsearch domains should have audit logging enabled](es-controls.md#es-5) 
+  [[ES.6] Elasticsearch domains should have at least three data nodes](es-controls.md#es-6) 
+  [[ES.7] Elasticsearch domains should be configured with at least three dedicated master nodes](es-controls.md#es-7) 
+  [[ES.8] Connections to Elasticsearch domains should be encrypted using the latest TLS security policy](es-controls.md#es-8) 
+  [[EventBridge.3] EventBridge custom event buses should have a resource-based policy attached](eventbridge-controls.md#eventbridge-3) 
+  [[EventBridge.4] EventBridge global endpoints should have event replication enabled](eventbridge-controls.md#eventbridge-4) 
+  [[FSx.1] FSx for OpenZFS file systems should be configured to copy tags to backups and volumes](fsx-controls.md#fsx-1) 
+  [[FSx.2] FSx for Lustre file systems should be configured to copy tags to backups](fsx-controls.md#fsx-2) 
+  [[Glue.4] Amazon Glue Spark jobs should run on supported versions of Amazon Glue](glue-controls.md#glue-4) 
+  [[GuardDuty.1] GuardDuty should be enabled](guardduty-controls.md#guardduty-1) 
+  [[IAM.1] IAM policies should not allow full "*" administrative privileges](iam-controls.md#iam-1) 
+  [[IAM.2] IAM users should not have IAM policies attached](iam-controls.md#iam-2) 
+  [[IAM.3] IAM users' access keys should be rotated every 90 days or less](iam-controls.md#iam-3) 
+  [[IAM.4] IAM root user access key should not exist](iam-controls.md#iam-4) 
+  [[IAM.5] MFA should be enabled for all IAM users that have a console password](iam-controls.md#iam-5) 
+  [[IAM.6] Hardware MFA should be enabled for the root user](iam-controls.md#iam-6) 
+  [[IAM.7] Password policies for IAM users should have strong configurations](iam-controls.md#iam-7) 
+  [[IAM.8] Unused IAM user credentials should be removed](iam-controls.md#iam-8) 
+  [[IAM.9] MFA should be enabled for the root user](iam-controls.md#iam-9) 
+  [[IAM.19] MFA should be enabled for all IAM users](iam-controls.md#iam-19) 
+  [[IAM.21] IAM customer managed policies that you create should not allow wildcard actions for services](iam-controls.md#iam-21) 
+  [[Kinesis.1] Kinesis streams should be encrypted at rest](kinesis-controls.md#kinesis-1) 
+  [[KMS.1] IAM customer managed policies should not allow decryption actions on all KMS keys](kms-controls.md#kms-1) 
+  [[KMS.2] IAM principals should not have IAM inline policies that allow decryption actions on all KMS keys](kms-controls.md#kms-2) 
+  [[KMS.3] Amazon KMS keys should not be deleted unintentionally](kms-controls.md#kms-3) 
+  [[KMS.4] Amazon KMS key rotation should be enabled](kms-controls.md#kms-4) 
+  [[Lambda.1] Lambda function policies should prohibit public access](lambda-controls.md#lambda-1) 
+  [[Lambda.2] Lambda functions should use supported runtimes](lambda-controls.md#lambda-2) 
+  [[Lambda.3] Lambda functions should be in a VPC](lambda-controls.md#lambda-3) 
+  [[Lambda.5] VPC Lambda functions should operate in multiple Availability Zones](lambda-controls.md#lambda-5) 
+  [[Lambda.7] Lambda functions should have Amazon X-Ray active tracing enabled](lambda-controls.md#lambda-7) 
+  [[Macie.1] Amazon Macie should be enabled](macie-controls.md#macie-1) 
+  [[Macie.2] Macie automated sensitive data discovery should be enabled](macie-controls.md#macie-2) 
+  [[MSK.1] MSK clusters should be encrypted in transit among broker nodes](msk-controls.md#msk-1) 
+  [[MSK.2] MSK clusters should have enhanced monitoring configured](msk-controls.md#msk-2) 
+  [[MQ.2] ActiveMQ brokers should stream audit logs to CloudWatch](mq-controls.md#mq-2) 
+  [[MQ.3] Amazon MQ brokers should have automatic minor version upgrade enabled](mq-controls.md#mq-3) 
+  [[MQ.5] ActiveMQ brokers should use active/standby deployment mode](mq-controls.md#mq-5) 
+  [[MQ.6] RabbitMQ brokers should use cluster deployment mode](mq-controls.md#mq-6) 
+  [[Neptune.1] Neptune DB clusters should be encrypted at rest](neptune-controls.md#neptune-1) 
+  [[Neptune.2] Neptune DB clusters should publish audit logs to CloudWatch Logs](neptune-controls.md#neptune-2) 
+  [[Neptune.3] Neptune DB cluster snapshots should not be public](neptune-controls.md#neptune-3) 
+  [[Neptune.4] Neptune DB clusters should have deletion protection enabled](neptune-controls.md#neptune-4) 
+  [[Neptune.5] Neptune DB clusters should have automated backups enabled](neptune-controls.md#neptune-5) 
+  [[Neptune.6] Neptune DB cluster snapshots should be encrypted at rest](neptune-controls.md#neptune-6) 
+  [[Neptune.7] Neptune DB clusters should have IAM database authentication enabled](neptune-controls.md#neptune-7) 
+  [[Neptune.8] Neptune DB clusters should be configured to copy tags to snapshots](neptune-controls.md#neptune-8) 
+  [[Neptune.9] Neptune DB clusters should be deployed across multiple Availability Zones](neptune-controls.md#neptune-9) 
+  [[NetworkFirewall.1] Network Firewall firewalls should be deployed across multiple Availability Zones](networkfirewall-controls.md#networkfirewall-1) 
+  [[NetworkFirewall.2] Network Firewall logging should be enabled](networkfirewall-controls.md#networkfirewall-2) 
+  [[NetworkFirewall.3] Network Firewall policies should have at least one rule group associated](networkfirewall-controls.md#networkfirewall-3) 
+  [[NetworkFirewall.4] The default stateless action for Network Firewall policies should be drop or forward for full packets](networkfirewall-controls.md#networkfirewall-4) 
+  [[NetworkFirewall.5] The default stateless action for Network Firewall policies should be drop or forward for fragmented packets](networkfirewall-controls.md#networkfirewall-5) 
+  [[NetworkFirewall.6] Stateless Network Firewall rule group should not be empty](networkfirewall-controls.md#networkfirewall-6) 
+  [[NetworkFirewall.9] Network Firewall firewalls should have deletion protection enabled](networkfirewall-controls.md#networkfirewall-9) 
+  [[NetworkFirewall.10] Network Firewall firewalls should have subnet change protection enabled](networkfirewall-controls.md#networkfirewall-10) 
+  [[Opensearch.1] OpenSearch domains should have encryption at rest enabled](opensearch-controls.md#opensearch-1) 
+  [[Opensearch.2] OpenSearch domains should not be publicly accessible](opensearch-controls.md#opensearch-2) 
+  [[Opensearch.3] OpenSearch domains should encrypt data sent between nodes](opensearch-controls.md#opensearch-3) 
+  [[Opensearch.4] OpenSearch domain error logging to CloudWatch Logs should be enabled](opensearch-controls.md#opensearch-4) 
+  [[Opensearch.5] OpenSearch domains should have audit logging enabled](opensearch-controls.md#opensearch-5) 
+  [[Opensearch.6] OpenSearch domains should have at least three data nodes](opensearch-controls.md#opensearch-6) 
+  [[Opensearch.7] OpenSearch domains should have fine-grained access control enabled](opensearch-controls.md#opensearch-7) 
+  [[Opensearch.8] Connections to OpenSearch domains should be encrypted using the latest TLS security policy](opensearch-controls.md#opensearch-8) 
+  [[Opensearch.10] OpenSearch domains should have the latest software update installed](opensearch-controls.md#opensearch-10) 
+  [[Opensearch.11] OpenSearch domains should have at least three dedicated primary nodes](opensearch-controls.md#opensearch-11) 
+  [[PCA.1] Amazon Private CA root certificate authority should be disabled](pca-controls.md#pca-1) 
+  [[RDS.1] RDS snapshot should be private](rds-controls.md#rds-1) 
+  [[RDS.2] RDS DB Instances should prohibit public access, as determined by the PubliclyAccessible configuration](rds-controls.md#rds-2) 
+  [[RDS.3] RDS DB instances should have encryption at-rest enabled](rds-controls.md#rds-3) 
+  [[RDS.4] RDS cluster snapshots and database snapshots should be encrypted at rest](rds-controls.md#rds-4) 
+  [[RDS.5] RDS DB instances should be configured with multiple Availability Zones](rds-controls.md#rds-5) 
+  [[RDS.6] Enhanced monitoring should be configured for RDS DB instances](rds-controls.md#rds-6) 
+  [[RDS.7] RDS clusters should have deletion protection enabled](rds-controls.md#rds-7) 
+  [[RDS.8] RDS DB instances should have deletion protection enabled](rds-controls.md#rds-8) 
+  [[RDS.9] RDS DB instances should publish logs to CloudWatch Logs](rds-controls.md#rds-9)
+  [[RDS.10] IAM authentication should be configured for RDS instances](rds-controls.md#rds-10) 
+  [[RDS.11] RDS instances should have automatic backups enabled](rds-controls.md#rds-11) 
+  [[RDS.12] IAM authentication should be configured for RDS clusters](rds-controls.md#rds-12) 
+  [[RDS.13] RDS automatic minor version upgrades should be enabled](rds-controls.md#rds-13) 
+  [[RDS.14] Amazon Aurora clusters should have backtracking enabled](rds-controls.md#rds-14) 
+  [[RDS.15] RDS DB clusters should be configured for multiple Availability Zones](rds-controls.md#rds-15) 
+  [[RDS.16] Aurora DB clusters should be configured to copy tags to DB snapshots](rds-controls.md#rds-16) 
+  [[RDS.17] RDS DB instances should be configured to copy tags to snapshots](rds-controls.md#rds-17) 
+  [[RDS.19] Existing RDS event notification subscriptions should be configured for critical cluster events](rds-controls.md#rds-19) 
+  [[RDS.20] Existing RDS event notification subscriptions should be configured for critical database instance events](rds-controls.md#rds-20) 
+  [[RDS.21] An RDS event notifications subscription should be configured for critical database parameter group events](rds-controls.md#rds-21) 
+  [[RDS.22] An RDS event notifications subscription should be configured for critical database security group events](rds-controls.md#rds-22) 
+  [[RDS.23] RDS instances should not use a database engine default port](rds-controls.md#rds-23) 
+  [[RDS.24] RDS Database clusters should use a custom administrator username](rds-controls.md#rds-24) 
+  [[RDS.25] RDS database instances should use a custom administrator username](rds-controls.md#rds-25) 
+  [[RDS.26] RDS DB instances should be protected by a backup plan](rds-controls.md#rds-26) 
+  [[RDS.27] RDS DB clusters should be encrypted at rest](rds-controls.md#rds-27) 
+  [[RDS.34] Aurora MySQL DB clusters should publish audit logs to CloudWatch Logs](rds-controls.md#rds-34) 
+  [[RDS.35] RDS DB clusters should have automatic minor version upgrade enabled](rds-controls.md#rds-35) 
+  [[RDS.40] RDS for SQL Server DB instances should publish logs to CloudWatch Logs](rds-controls.md#rds-40) 
+  [[RDS.42] RDS for MariaDB DB instances should publish logs to CloudWatch Logs](rds-controls.md#rds-42) 
+  [[RDS.45] Aurora MySQL DB clusters should have audit logging enabled](rds-controls.md#rds-45) 
+  [[Redshift.1] Amazon Redshift clusters should prohibit public access](redshift-controls.md#redshift-1) 
+  [[Redshift.2] Connections to Amazon Redshift clusters should be encrypted in transit](redshift-controls.md#redshift-2) 
+  [[Redshift.3] Amazon Redshift clusters should have automatic snapshots enabled](redshift-controls.md#redshift-3) 
+  [[Redshift.4] Amazon Redshift clusters should have audit logging enabled](redshift-controls.md#redshift-4) 
+  [[Redshift.6] Amazon Redshift should have automatic upgrades to major versions enabled](redshift-controls.md#redshift-6) 
+  [[Redshift.7] Redshift clusters should use enhanced VPC routing](redshift-controls.md#redshift-7) 
+  [[Redshift.8] Amazon Redshift clusters should not use the default Admin username](redshift-controls.md#redshift-8) 
+  [[Redshift.10] Redshift clusters should be encrypted at rest](redshift-controls.md#redshift-10) 
+  [[RedshiftServerless.4] Redshift Serverless namespaces should be encrypted with customer managed Amazon KMS keys](redshiftserverless-controls.md#redshiftserverless-4)
+  [[Route53.2] Route 53 public hosted zones should log DNS queries](route53-controls.md#route53-2) 
+  [[S3.1] S3 general purpose buckets should have block public access settings enabled](s3-controls.md#s3-1) 
+  [[S3.2] S3 general purpose buckets should block public read access](s3-controls.md#s3-2) 
+  [[S3.3] S3 general purpose buckets should block public write access](s3-controls.md#s3-3) 
+  [[S3.5] S3 general purpose buckets should require requests to use SSL](s3-controls.md#s3-5) 
+  [[S3.6] S3 general purpose bucket policies should restrict access to other Amazon Web Services accounts](s3-controls.md#s3-6) 
+  [[S3.7] S3 general purpose buckets should use cross-Region replication](s3-controls.md#s3-7) 
+  [[S3.8] S3 general purpose buckets should block public access](s3-controls.md#s3-8) 
+  [[S3.9] S3 general purpose buckets should have server access logging enabled](s3-controls.md#s3-9) 
+  [[S3.10] S3 general purpose buckets with versioning enabled should have Lifecycle configurations](s3-controls.md#s3-10) 
+  [[S3.11] S3 general purpose buckets should have event notifications enabled](s3-controls.md#s3-11) 
+  [[S3.12] ACLs should not be used to manage user access to S3 general purpose buckets](s3-controls.md#s3-12) 
+  [[S3.13] S3 general purpose buckets should have Lifecycle configurations](s3-controls.md#s3-13) 
+  [[S3.14] S3 general purpose buckets should have versioning enabled](s3-controls.md#s3-14) 
+  [[S3.15] S3 general purpose buckets should have Object Lock enabled](s3-controls.md#s3-15) 
+  [[S3.17] S3 general purpose buckets should be encrypted at rest with Amazon KMS keys](s3-controls.md#s3-17) 
+  [[S3.19] S3 access points should have block public access settings enabled](s3-controls.md#s3-19) 
+  [[S3.20] S3 general purpose buckets should have MFA delete enabled](s3-controls.md#s3-20) 
+  [[SageMaker.1] Amazon SageMaker notebook instances should not have direct internet access](sagemaker-controls.md#sagemaker-1) 
+  [[SageMaker.2] SageMaker notebook instances should be launched in a custom VPC](sagemaker-controls.md#sagemaker-2) 
+  [[SageMaker.3] Users should not have root access to SageMaker notebook instances](sagemaker-controls.md#sagemaker-3) 
+  [[SageMaker.4] SageMaker endpoint production variants should have an initial instance count greater than 1](sagemaker-controls.md#sagemaker-4) 
+  [[SecretsManager.1] Secrets Manager secrets should have automatic rotation enabled](secretsmanager-controls.md#secretsmanager-1) 
+  [[SecretsManager.2] Secrets Manager secrets configured with automatic rotation should rotate successfully](secretsmanager-controls.md#secretsmanager-2) 
+  [[SecretsManager.3] Remove unused Secrets Manager secrets](secretsmanager-controls.md#secretsmanager-3) 
+  [[SecretsManager.4] Secrets Manager secrets should be rotated within a specified number of days](secretsmanager-controls.md#secretsmanager-4) 
+  [[ServiceCatalog.1] Service Catalog portfolios should be shared within an Amazon organization only](servicecatalog-controls.md#servicecatalog-1) 
+  [[SNS.1] SNS topics should be encrypted at-rest using Amazon KMS](sns-controls.md#sns-1) 
+  [[SQS.1] Amazon SQS queues should be encrypted at rest](sqs-controls.md#sqs-1) 
+  [[SSM.1] Amazon EC2 instances should be managed by Amazon Systems Manager](ssm-controls.md#ssm-1) 
+  [[SSM.2] Amazon EC2 instances managed by Systems Manager should have a patch compliance status of COMPLIANT after a patch installation](ssm-controls.md#ssm-2) 
+  [[SSM.3] Amazon EC2 instances managed by Systems Manager should have an association compliance status of COMPLIANT](ssm-controls.md#ssm-3) 
+  [[SSM.4] SSM documents should not be public](ssm-controls.md#ssm-4) 
+  [[Transfer.2] Transfer Family servers should not use FTP protocol for endpoint connection](transfer-controls.md#transfer-2) 
+  [[Transfer.3] Transfer Family connectors should have logging enabled](transfer-controls.md#transfer-3) 
+  [[WAF.1] Amazon WAF Classic Global Web ACL logging should be enabled](waf-controls.md#waf-1) 
+  [[WAF.2] Amazon WAF Classic Regional rules should have at least one condition](waf-controls.md#waf-2) 
+  [[WAF.3] Amazon WAF Classic Regional rule groups should have at least one rule](waf-controls.md#waf-3) 
+  [[WAF.4] Amazon WAF Classic Regional web ACLs should have at least one rule or rule group](waf-controls.md#waf-4) 
+  [[WAF.6] Amazon WAF Classic global rules should have at least one condition](waf-controls.md#waf-6) 
+  [[WAF.7] Amazon WAF Classic global rule groups should have at least one rule](waf-controls.md#waf-7) 
+  [[WAF.8] Amazon WAF Classic global web ACLs should have at least one rule or rule group](waf-controls.md#waf-8) 
+  [[WAF.10] Amazon WAF web ACLs should have at least one rule or rule group](waf-controls.md#waf-10) 
+  [[WAF.11] Amazon WAF web ACL logging should be enabled](waf-controls.md#waf-11) 
+  [[WAF.12] Amazon WAF rules should have CloudWatch metrics enabled](waf-controls.md#waf-12) 

# NIST SP 800-171 Revision 2 in Security Hub CSPM

NIST Special Publication 800-171 Revision 2 (NIST SP 800-171 Rev. 2) is a cybersecurity and compliance framework developed by the National Institute of Standards and Technology (NIST), an agency that's part of the U.S. Department of Commerce. This compliance framework provides recommended security requirements for protecting the confidentiality of Controlled Unclassified Information in systems and organizations that aren't part of the U.S. federal government. *Controlled Unclassified Information*, also referred to as *CUI*, is sensitive information that doesn't meet government criteria for classification but must be protected. It's information that is considered sensitive and is created or possessed by the U.S. federal government or other entities on behalf of the U.S. federal government.

NIST SP 800-171 Rev. 2 provides recommended security requirements for protecting the confidentiality of CUI when:
+ The information resides in non-federal systems and organizations,
+ The non-federal organization is not collecting or maintaining information on behalf of a federal agency or using or operating a system on behalf of an agency, and 
+ There are no specific safeguarding requirements for protecting the confidentiality of CUI prescribed by the authorizing law, regulation, or government-wide policy for the CUI category listed in the CUI Registry. 

The requirements apply to all components of non-federal systems and organizations that process, store, or transmit CUI, or provide security protection for the components. For more information, see [NIST SP 800-171 Rev. 2](https://csrc.nist.gov/pubs/sp/800/171/r2/upd1/final) in the *NIST Computer Security Resource Center*.

Amazon Security Hub CSPM provides security controls that support a subset of NIST SP 800-171 Revision 2 requirements. The controls perform automated security checks for certain Amazon Web Services services and resources. To enable and manage these controls, you can enable the NIST SP 800-171 Revision 2 framework as a standard in Security Hub CSPM. Note that the controls don't support NIST SP 800-171 Revision 2 requirements that require manual checks.

**Topics**
+ [Configuring resource recording for the standard](#standards-reference-nist-800-171-recording)
+ [Determining which controls apply to the standard](#standards-reference-nist-800-171-controls)

## Configuring resource recording for controls that apply to the standard

To optimize coverage and the accuracy of findings, enable and configure resource recording in Amazon Config before you enable the NIST SP 800-171 Revision 2 standard in Amazon Security Hub CSPM. When you configure resource recording, be sure to enable it for every type of Amazon resource that is checked by a control that applies to the standard. Otherwise, Security Hub CSPM might not be able to evaluate the appropriate resources or generate accurate findings for those controls.

For information about how Security Hub CSPM uses resource recording in Amazon Config, see [Enabling and configuring Amazon Config for Security Hub CSPM](securityhub-setup-prereqs.md). For information about configuring resource recording in Amazon Config, see [Working with the configuration recorder](https://docs.amazonaws.cn/config/latest/developerguide/stop-start-recorder.html) in the *Amazon Config Developer Guide*.

The following table specifies the types of resources to record for controls that apply to the NIST SP 800-171 Revision 2 standard in Security Hub CSPM.


| Amazon Web Services service | Resource types | 
| --- | --- | 
| Amazon Certificate Manager (ACM) | `AWS::ACM::Certificate` | 
| Amazon API Gateway | `AWS::ApiGateway::Stage` | 
| Amazon CloudFront | `AWS::CloudFront::Distribution` | 
| Amazon CloudWatch | `AWS::CloudWatch::Alarm` | 
| Amazon Elastic Compute Cloud (Amazon EC2) | `AWS::EC2::ClientVpnEndpoint`, `AWS::EC2::NetworkAcl`, `AWS::EC2::SecurityGroup`, `AWS::EC2::VPC`, `AWS::EC2::VPNConnection` | 
| Elastic Load Balancing | `AWS::ElasticLoadBalancing::LoadBalancer` | 
| Amazon Identity and Access Management (IAM) | `AWS::IAM::Policy`, `AWS::IAM::User` | 
| Amazon Key Management Service (Amazon KMS) | `AWS::KMS::Alias`, `AWS::KMS::Key` | 
| Amazon Network Firewall | `AWS::NetworkFirewall::FirewallPolicy`, `AWS::NetworkFirewall::RuleGroup` | 
| Amazon Simple Storage Service (Amazon S3) | `AWS::S3::Bucket` | 
| Amazon Simple Notification Service (Amazon SNS) | `AWS::SNS::Topic` | 
| Amazon Systems Manager (SSM) | `AWS::SSM::PatchCompliance` | 
| Amazon WAF | `AWS::WAFv2::RuleGroup` | 
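
As an added check that is not Amazon's code, the following Python script compares one configuration recorder entry (constructed here in the shape returned by `aws configservice describe-configuration-recorders`) against the resource types in the table above, reporting which required types the recorder will not capture, and builds the recording group JSON to pass to `put-configuration-recorder`. The recorder name and role ARN in the sample are placeholders.

```python
"""Audit an Amazon Config configuration recorder against the resource types
that the NIST SP 800-171 Rev. 2 controls in Security Hub CSPM evaluate.

Added example, not Amazon's code. SAMPLE_RECORDER is constructed to mirror
one entry of the ConfigurationRecorders list returned by
`aws configservice describe-configuration-recorders`.
"""
import json

# Resource types from the table above (NIST SP 800-171 Rev. 2 controls).
NIST_800_171_RESOURCE_TYPES = frozenset({
    "AWS::ACM::Certificate",
    "AWS::ApiGateway::Stage",
    "AWS::CloudFront::Distribution",
    "AWS::CloudWatch::Alarm",
    "AWS::EC2::ClientVpnEndpoint",
    "AWS::EC2::NetworkAcl",
    "AWS::EC2::SecurityGroup",
    "AWS::EC2::VPC",
    "AWS::EC2::VPNConnection",
    "AWS::ElasticLoadBalancing::LoadBalancer",
    "AWS::IAM::Policy",
    "AWS::IAM::User",
    "AWS::KMS::Alias",
    "AWS::KMS::Key",
    "AWS::NetworkFirewall::FirewallPolicy",
    "AWS::NetworkFirewall::RuleGroup",
    "AWS::S3::Bucket",
    "AWS::SNS::Topic",
    "AWS::SSM::PatchCompliance",
    "AWS::WAFv2::RuleGroup",
})


def unrecorded_types(recorder: dict, required=NIST_800_171_RESOURCE_TYPES) -> list[str]:
    """Return the required resource types this recorder will NOT record.

    A recorder records all supported types, only an explicit inclusion list,
    or everything except an exclusion list. The recordingGroup fields
    (allSupported, recordingStrategy.useOnly, resourceTypes,
    exclusionByResourceTypes) say which mode is in effect.
    """
    group = recorder.get("recordingGroup", {})
    strategy = group.get("recordingStrategy", {}).get("useOnly")
    if group.get("allSupported") or strategy == "ALL_SUPPORTED_RESOURCE_TYPES":
        return []  # every supported type is recorded, nothing is missing
    if strategy == "EXCLUSION_BY_RESOURCE_TYPES":
        excluded = set(group.get("exclusionByResourceTypes", {}).get("resourceTypes", []))
        return sorted(required & excluded)  # required types that were excluded
    # Inclusion list: whatever is not listed explicitly is not recorded.
    return sorted(required - set(group.get("resourceTypes", [])))


def recording_group_for(required=NIST_800_171_RESOURCE_TYPES) -> str:
    """Build the JSON document for --recording-group of
    `aws configservice put-configuration-recorder` so that exactly the
    required types are recorded. IAM types are global resources, so record
    them in a single Region to avoid duplicate findings across Regions."""
    return json.dumps(
        {"allSupported": False,
         "includeGlobalResourceTypes": False,
         "resourceTypes": sorted(required)},
        indent=2)


# Constructed sample: a recorder that was set up for S3 and a few EC2 types only.
SAMPLE_RECORDER = {
    "name": "default",  # placeholder
    "roleARN": "arn:aws:iam::111122223333:role/placeholder-config-role",  # placeholder
    "recordingGroup": {
        "allSupported": False,
        "includeGlobalResourceTypes": False,
        "resourceTypes": ["AWS::S3::Bucket", "AWS::EC2::SecurityGroup", "AWS::EC2::VPC"],
        "recordingStrategy": {"useOnly": "INCLUSION_BY_RESOURCE_TYPES"},
    },
}

if __name__ == "__main__":
    missing = unrecorded_types(SAMPLE_RECORDER)
    print(f"{len(missing)} required resource types are not recorded:")
    for rtype in missing:
        print("   ", rtype)
    print("Recording group that covers every required type:")
    print(recording_group_for())
```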

## Determining which controls apply to the standard

The following list specifies the controls that support NIST SP 800-171 Revision 2 requirements and apply to the NIST SP 800-171 Revision 2 standard in Amazon Security Hub CSPM. For details about specific requirements that a control supports, choose the control. Then refer to the **Related requirements** field in the details for the control. This field specifies each NIST requirement that the control supports. If the field doesn't specify a particular NIST requirement, the control doesn't support the requirement.
+ [[ACM.1] Imported and ACM-issued certificates should be renewed after a specified time period](acm-controls.md#acm-1)
+ [[APIGateway.2] API Gateway REST API stages should be configured to use SSL certificates for backend authentication](apigateway-controls.md#apigateway-2)
+ [[CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates](cloudfront-controls.md#cloudfront-7)
+ [[CloudFront.10] CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins](cloudfront-controls.md#cloudfront-10)
+ [[CloudTrail.2] CloudTrail should have encryption at-rest enabled](cloudtrail-controls.md#cloudtrail-2)
+ [[CloudTrail.3] At least one CloudTrail trail should be enabled](cloudtrail-controls.md#cloudtrail-3)
+ [[CloudTrail.4] CloudTrail log file validation should be enabled](cloudtrail-controls.md#cloudtrail-4)
+ [[CloudWatch.1] A log metric filter and alarm should exist for usage of the "root" user](cloudwatch-controls.md#cloudwatch-1)
+ [[CloudWatch.2] Ensure a log metric filter and alarm exist for unauthorized API calls](cloudwatch-controls.md#cloudwatch-2)
+ [[CloudWatch.4] Ensure a log metric filter and alarm exist for IAM policy changes](cloudwatch-controls.md#cloudwatch-4)
+ [[CloudWatch.5] Ensure a log metric filter and alarm exist for CloudTrail configuration changes](cloudwatch-controls.md#cloudwatch-5)
+ [[CloudWatch.6] Ensure a log metric filter and alarm exist for Amazon Web Services Management Console authentication failures](cloudwatch-controls.md#cloudwatch-6)
+ [[CloudWatch.7] Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer managed keys](cloudwatch-controls.md#cloudwatch-7)
+ [[CloudWatch.8] Ensure a log metric filter and alarm exist for S3 bucket policy changes](cloudwatch-controls.md#cloudwatch-8)
+ [[CloudWatch.9] Ensure a log metric filter and alarm exist for Amazon Config configuration changes](cloudwatch-controls.md#cloudwatch-9)
+ [[CloudWatch.10] Ensure a log metric filter and alarm exist for security group changes](cloudwatch-controls.md#cloudwatch-10)
+ [[CloudWatch.11] Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)](cloudwatch-controls.md#cloudwatch-11)
+ [[CloudWatch.12] Ensure a log metric filter and alarm exist for changes to network gateways](cloudwatch-controls.md#cloudwatch-12)
+ [[CloudWatch.13] Ensure a log metric filter and alarm exist for route table changes](cloudwatch-controls.md#cloudwatch-13)
+ [[CloudWatch.14] Ensure a log metric filter and alarm exist for VPC changes](cloudwatch-controls.md#cloudwatch-14)
+ [[CloudWatch.15] CloudWatch alarms should have specified actions configured](cloudwatch-controls.md#cloudwatch-15)
+ [[EC2.6] VPC flow logging should be enabled in all VPCs](ec2-controls.md#ec2-6)
+ [[EC2.10] Amazon EC2 should be configured to use VPC endpoints that are created for the Amazon EC2 service](ec2-controls.md#ec2-10)
+ [[EC2.13] Security groups should not allow ingress from 0.0.0.0/0 or ::/0 to port 22](ec2-controls.md#ec2-13)
+ [[EC2.16] Unused Network Access Control Lists should be removed](ec2-controls.md#ec2-16)
+ [[EC2.18] Security groups should only allow unrestricted incoming traffic for authorized ports](ec2-controls.md#ec2-18)
+ [[EC2.19] Security groups should not allow unrestricted access to ports with high risk](ec2-controls.md#ec2-19)
+ [[EC2.20] Both VPN tunnels for an Amazon Site-to-Site VPN connection should be up](ec2-controls.md#ec2-20)
+ [[EC2.21] Network ACLs should not allow ingress from 0.0.0.0/0 to port 22 or port 3389](ec2-controls.md#ec2-21)
+ [[EC2.51] EC2 Client VPN endpoints should have client connection logging enabled](ec2-controls.md#ec2-51)
+ [[ELB.2] Classic Load Balancers with SSL/HTTPS listeners should use a certificate provided by Amazon Certificate Manager](elb-controls.md#elb-2)
+ [[ELB.3] Classic Load Balancer listeners should be configured with HTTPS or TLS termination](elb-controls.md#elb-3)
+ [[ELB.8] Classic Load Balancers with SSL listeners should use a predefined security policy that has strong Amazon Configuration](elb-controls.md#elb-8)
+ [[GuardDuty.1] GuardDuty should be enabled](guardduty-controls.md#guardduty-1)
+ [[IAM.1] IAM policies should not allow full "*" administrative privileges](iam-controls.md#iam-1)
+ [[IAM.2] IAM users should not have IAM policies attached](iam-controls.md#iam-2)
+ [[IAM.7] Password policies for IAM users should have strong configurations](iam-controls.md#iam-7)
+ [[IAM.8] Unused IAM user credentials should be removed](iam-controls.md#iam-8)
+ [[IAM.10] Password policies for IAM users should have strong configurations](iam-controls.md#iam-10)
+ [[IAM.11] Ensure IAM password policy requires at least one uppercase letter](iam-controls.md#iam-11)
+ [[IAM.12] Ensure IAM password policy requires at least one lowercase letter](iam-controls.md#iam-12)
+ [[IAM.13] Ensure IAM password policy requires at least one symbol](iam-controls.md#iam-13)
+ [[IAM.14] Ensure IAM password policy requires at least one number](iam-controls.md#iam-14)
+ [[IAM.15] Ensure IAM password policy requires minimum password length of 14 or greater](iam-controls.md#iam-15)
+ [[IAM.16] Ensure IAM password policy prevents password reuse](iam-controls.md#iam-16)
+ [[IAM.18] Ensure a support role has been created to manage incidents with Amazon Web Services Support](iam-controls.md#iam-18)
+ [[IAM.19] MFA should be enabled for all IAM users](iam-controls.md#iam-19)
+ [[IAM.21] IAM customer managed policies that you create should not allow wildcard actions for services](iam-controls.md#iam-21)
+ [[IAM.22] IAM user credentials unused for 45 days should be removed](iam-controls.md#iam-22)
+ [[NetworkFirewall.2] Network Firewall logging should be enabled](networkfirewall-controls.md#networkfirewall-2)
+ [[NetworkFirewall.3] Network Firewall policies should have at least one rule group associated](networkfirewall-controls.md#networkfirewall-3)
+ [[NetworkFirewall.5] The default stateless action for Network Firewall policies should be drop or forward for fragmented packets](networkfirewall-controls.md#networkfirewall-5)
+ [[NetworkFirewall.6] Stateless Network Firewall rule group should not be empty](networkfirewall-controls.md#networkfirewall-6)
+ [[S3.5] S3 general purpose buckets should require requests to use SSL](s3-controls.md#s3-5)
+ [[S3.6] S3 general purpose bucket policies should restrict access to other Amazon Web Services accounts](s3-controls.md#s3-6)
+ [[S3.9] S3 general purpose buckets should have server access logging enabled](s3-controls.md#s3-9)
+ [[S3.11] S3 general purpose buckets should have event notifications enabled](s3-controls.md#s3-11)
+ [[S3.14] S3 general purpose buckets should have versioning enabled](s3-controls.md#s3-14)
+ [[S3.17] S3 general purpose buckets should be encrypted at rest with Amazon KMS keys](s3-controls.md#s3-17)
+ [[SNS.1] SNS topics should be encrypted at-rest using Amazon KMS](sns-controls.md#sns-1)
+ [[SSM.2] Amazon EC2 instances managed by Systems Manager should have a patch compliance status of COMPLIANT after a patch installation](ssm-controls.md#ssm-2)
+ [[WAF.12] Amazon WAF rules should have CloudWatch metrics enabled](waf-controls.md#waf-12)
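The **Related requirements** field described above is also present on each control finding as `Compliance.RelatedRequirements` in the ASFF, alongside `Compliance.SecurityControlId` and `Compliance.AssociatedStandards`. The script below is an added example (not code from the Security Hub CSPM documentation) that turns a batch of findings, as returned by `GetFindings`, into a view of which NIST SP 800-171 requirements currently have failing controls. The findings in `SAMPLE_FINDINGS` are constructed; the requirement strings and the standards ID `standards/nist-800-171/v/2.0.0` are assumptions, so compare them with findings from your own account before filtering on them.

```python
"""Group open FAILED control findings by the NIST SP 800-171 requirement they support."""
from collections import defaultdict

# Assumed StandardsId for the NIST SP 800-171 Rev. 2 standard; check against real findings.
NIST_800_171_STANDARD = "standards/nist-800-171/v/2.0.0"


def is_open_failure(finding: dict) -> bool:
    """FAILED, still ACTIVE, and not resolved or suppressed by a workflow status."""
    compliance = finding.get("Compliance", {})
    return (compliance.get("Status") == "FAILED"
            and finding.get("RecordState", "ACTIVE") == "ACTIVE"
            and finding.get("Workflow", {}).get("Status", "NEW") not in ("RESOLVED", "SUPPRESSED"))


def belongs_to(finding: dict, standards_id: str) -> bool:
    """True if the finding was generated for the given standard."""
    return any(s.get("StandardsId") == standards_id
               for s in finding.get("Compliance", {}).get("AssociatedStandards", []))


def failed_requirements(findings, standards_id=NIST_800_171_STANDARD) -> dict:
    """requirement -> sorted control IDs that have at least one open FAILED finding."""
    out = defaultdict(set)
    for finding in findings:
        if not (belongs_to(finding, standards_id) and is_open_failure(finding)):
            continue
        compliance = finding["Compliance"]
        for requirement in compliance.get("RelatedRequirements", []):
            out[requirement].add(compliance["SecurityControlId"])
    return {req: sorted(ids) for req, ids in sorted(out.items())}


def control_finding(control_id, status, requirements, standards=(NIST_800_171_STANDARD,),
                    workflow="NEW", record_state="ACTIVE"):
    """Minimal ASFF-shaped finding; constructed test data, not a real finding."""
    return {
        "Compliance": {"Status": status, "SecurityControlId": control_id,
                       "RelatedRequirements": list(requirements),
                       "AssociatedStandards": [{"StandardsId": s} for s in standards]},
        "Workflow": {"Status": workflow},
        "RecordState": record_state,
    }


# Constructed sample: control IDs come from the list above; requirement strings are assumed.
SAMPLE_FINDINGS = [
    control_finding("IAM.1", "FAILED", ["NIST.800-171.r2 3.1.5"]),
    control_finding("IAM.19", "FAILED", ["NIST.800-171.r2 3.5.3"]),
    control_finding("IAM.2", "FAILED", ["NIST.800-171.r2 3.1.5"]),
    control_finding("CloudTrail.4", "PASSED", ["NIST.800-171.r2 3.3.8"]),
    control_finding("EC2.13", "FAILED", ["NIST.800-171.r2 3.1.20"], workflow="SUPPRESSED"),
    control_finding("S3.5", "FAILED", ["PCI DSS v4.0.1/4.2.1"],
                    standards=("standards/pci-dss/v/4.0.1",)),
]

if __name__ == "__main__":
    for requirement, controls in failed_requirements(SAMPLE_FINDINGS).items():
        print(f"{requirement}: {', '.join(controls)}")
```

Suppressed and resolved findings are deliberately dropped so that a requirement only appears while something is still actionable; remove that filter if you need an audit view that includes accepted risk.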

# PCI DSS in Security Hub CSPM

The Payment Card Industry Data Security Standard (PCI DSS) is a third-party compliance framework that provides a set of rules and guidelines for safely handling credit and debit card information. The PCI Security Standards Council (SSC) creates and updates this framework.

Amazon Security Hub CSPM provides a PCI DSS standard that can help you stay compliant with this third-party framework. You can use this standard to discover security vulnerabilities in Amazon resources that handle cardholder data. We recommend enabling this standard in Amazon Web Services accounts that have resources that store, process, or transmit cardholder data or sensitive authentication data. Assessments by the PCI SSC validated this standard.

Security Hub CSPM offers support for both PCI DSS v3.2.1 and PCI DSS v4.0.1. We recommend using v4.0.1 to stay current with security best practices. You can have both versions of the standard enabled at the same time. For information about enabling standards, see [Enabling a security standard](enable-standards.md). If you currently use v3.2.1 but want to use only v4.0.1, enable the newer version before disabling the older version. This prevents gaps in your security checks. If you use the Security Hub CSPM integration with Amazon Organizations and want to batch enable v4.0.1 in multiple accounts, we recommend using [central configuration](central-configuration-intro.md) to do so.
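The ordering matters: if v3.2.1 is disabled before v4.0.1 has finished enabling, the account has no PCI checks running in between. The script below is an added example (not code from the Security Hub CSPM documentation) that performs the switch in the recommended order: enable v4.0.1, poll `GetEnabledStandards` until that subscription is `READY`, and only then call `BatchDisableStandards` for v3.2.1. `client` can be any object with the three boto3 Security Hub methods used here (`batch_enable_standards`, `get_enabled_standards`, `batch_disable_standards`); `FakeSecurityHub` is a constructed in-memory stand-in so the script runs offline, and `boto3.client("securityhub")` is what you pass for a real account. The Region, the partition (`aws` or `aws-cn`) and the sample account ID are assumptions to set for your environment.

```python
"""Switch an account from PCI DSS v3.2.1 to v4.0.1 without a gap in checks."""
import time

PCI_OLD, PCI_NEW = "3.2.1", "4.0.1"


def pci_standard_arn(region, version, partition="aws"):
    # Standard ARNs carry no account ID: arn:<partition>:securityhub:<region>::standards/pci-dss/v/<version>
    return f"arn:{partition}:securityhub:{region}::standards/pci-dss/v/{version}"


def enabled_subscriptions(client, **kwargs):
    """Collect every page of GetEnabledStandards."""
    subs, token = [], None
    while True:
        resp = client.get_enabled_standards(**kwargs, **({"NextToken": token} if token else {}))
        subs.extend(resp.get("StandardsSubscriptions", []))
        token = resp.get("NextToken")
        if not token:
            return subs


def migrate_pci_dss(client, region, partition="aws", poll_seconds=10, max_polls=30, sleep=time.sleep):
    """Enable v4.0.1, wait until it is READY, then disable v3.2.1. Returns what was done."""
    old_arn = pci_standard_arn(region, PCI_OLD, partition)
    new_arn = pci_standard_arn(region, PCI_NEW, partition)
    by_arn = {s["StandardsArn"]: s for s in enabled_subscriptions(client)}

    # 1. Enable the newer version first (no-op if it is already enabled).
    if new_arn not in by_arn:
        resp = client.batch_enable_standards(StandardsSubscriptionRequests=[{"StandardsArn": new_arn}])
        by_arn[new_arn] = resp["StandardsSubscriptions"][0]
    new_sub_arn = by_arn[new_arn]["StandardsSubscriptionArn"]

    # 2. Leave v3.2.1 alone until v4.0.1 is actually running checks.
    for _ in range(max_polls):
        status = enabled_subscriptions(client, StandardsSubscriptionArns=[new_sub_arn])[0]["StandardsStatus"]
        if status == "READY":
            break
        if status in ("FAILED", "INCOMPLETE"):  # INCOMPLETE: some controls did not enable; keep the old version
            raise RuntimeError(f"PCI DSS v{PCI_NEW} ended in status {status}; v{PCI_OLD} left enabled")
        sleep(poll_seconds)
    else:
        raise TimeoutError(f"PCI DSS v{PCI_NEW} not READY after {max_polls} polls")

    # 3. Only now is it safe to drop the older version.
    disabled = None
    if old_arn in by_arn:
        disabled = by_arn[old_arn]["StandardsSubscriptionArn"]
        client.batch_disable_standards(StandardsSubscriptionArns=[disabled])
    return {"enabled": new_sub_arn, "disabled": disabled}


class FakeSecurityHub:
    """Constructed stand-in for the boto3 Security Hub client; just enough for this script."""

    def __init__(self, region, enabled_versions, partition="aws", account="123456789012"):
        self.region, self.partition, self.account = region, partition, account
        self.calls, self.subs = [], {}
        for version in enabled_versions:
            self._add(pci_standard_arn(region, version, partition), "READY")

    def _add(self, standards_arn, status):
        sub_arn = standards_arn.replace(f":{self.region}::standards/", f":{self.region}:{self.account}:subscription/")
        self.subs[sub_arn] = {"StandardsSubscriptionArn": sub_arn, "StandardsArn": standards_arn, "StandardsStatus": status}
        return self.subs[sub_arn]

    def get_enabled_standards(self, StandardsSubscriptionArns=None, **_):
        subs = [s for a, s in self.subs.items() if not StandardsSubscriptionArns or a in StandardsSubscriptionArns]
        snapshot = [dict(s) for s in subs]
        for s in subs:  # simulate progress: a PENDING subscription is READY by the next poll
            if s["StandardsStatus"] == "PENDING":
                s["StandardsStatus"] = "READY"
        return {"StandardsSubscriptions": snapshot}

    def batch_enable_standards(self, StandardsSubscriptionRequests):
        self.calls.append("enable")
        return {"StandardsSubscriptions": [self._add(r["StandardsArn"], "PENDING") for r in StandardsSubscriptionRequests]}

    def batch_disable_standards(self, StandardsSubscriptionArns):
        self.calls.append("disable")
        return {"StandardsSubscriptions": [self.subs.pop(a) for a in StandardsSubscriptionArns]}


if __name__ == "__main__":
    hub = FakeSecurityHub("cn-north-1", [PCI_OLD], partition="aws-cn")
    print(migrate_pci_dss(hub, "cn-north-1", partition="aws-cn", sleep=lambda _: None))
```

An `INCOMPLETE` status is treated as a stop, not a success: it means some v4.0.1 controls did not enable, and disabling v3.2.1 at that point would silently lose coverage for them. In an organization that uses central configuration, do the same switch in the configuration policy rather than per account.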

The following sections specify which controls apply to PCI DSS v3.2.1 and PCI DSS v4.0.1.

## Controls that apply to PCI DSS v3.2.1


The following list specifies which Security Hub CSPM controls apply to PCI DSS v3.2.1. To review the details of a control, choose the control.

+ [[AutoScaling.1] Auto Scaling groups associated with a load balancer should use ELB health checks](autoscaling-controls.md#autoscaling-1)
+ [[CloudTrail.2] CloudTrail should have encryption at-rest enabled](cloudtrail-controls.md#cloudtrail-2)
+ [[CloudTrail.3] At least one CloudTrail trail should be enabled](cloudtrail-controls.md#cloudtrail-3)
+ [[CloudTrail.4] CloudTrail log file validation should be enabled](cloudtrail-controls.md#cloudtrail-4)
+ [[CloudTrail.5] CloudTrail trails should be integrated with Amazon CloudWatch Logs](cloudtrail-controls.md#cloudtrail-5)
+ [[CloudWatch.1] A log metric filter and alarm should exist for usage of the "root" user](cloudwatch-controls.md#cloudwatch-1)
+ [[CodeBuild.1] CodeBuild Bitbucket source repository URLs should not contain sensitive credentials](codebuild-controls.md#codebuild-1)
+ [[CodeBuild.2] CodeBuild project environment variables should not contain clear text credentials](codebuild-controls.md#codebuild-2)
+ [[Config.1] Amazon Config should be enabled and use the service-linked role for resource recording](config-controls.md#config-1)
+ [[DMS.1] Database Migration Service replication instances should not be public](dms-controls.md#dms-1)
+ [[EC2.1] Amazon EBS snapshots should not be configured to be publicly restorable](ec2-controls.md#ec2-1)
+ [[EC2.2] VPC default security groups should not allow inbound or outbound traffic](ec2-controls.md#ec2-2)
+ [[EC2.6] VPC flow logging should be enabled in all VPCs](ec2-controls.md#ec2-6)
+ [[EC2.12] Unused Amazon EC2 EIPs should be removed](ec2-controls.md#ec2-12)
+ [[EC2.13] Security groups should not allow ingress from 0.0.0.0/0 or ::/0 to port 22](ec2-controls.md#ec2-13)
+ [[ELB.1] Application Load Balancer should be configured to redirect all HTTP requests to HTTPS](elb-controls.md#elb-1)
+ [[ES.1] Elasticsearch domains should have encryption at-rest enabled](es-controls.md#es-1)
+ [[ES.2] Elasticsearch domains should not be publicly accessible](es-controls.md#es-2)
+ [[GuardDuty.1] GuardDuty should be enabled](guardduty-controls.md#guardduty-1)
+ [[IAM.1] IAM policies should not allow full "*" administrative privileges](iam-controls.md#iam-1)
+ [[IAM.2] IAM users should not have IAM policies attached](iam-controls.md#iam-2)
+ [[IAM.4] IAM root user access key should not exist](iam-controls.md#iam-4)
+ [[IAM.6] Hardware MFA should be enabled for the root user](iam-controls.md#iam-6)
+ [[IAM.8] Unused IAM user credentials should be removed](iam-controls.md#iam-8)
+ [[IAM.9] MFA should be enabled for the root user](iam-controls.md#iam-9)
+ [[IAM.10] Password policies for IAM users should have strong configurations](iam-controls.md#iam-10)
+ [[IAM.19] MFA should be enabled for all IAM users](iam-controls.md#iam-19)
+ [[KMS.4] Amazon KMS key rotation should be enabled](kms-controls.md#kms-4)
+ [[Lambda.1] Lambda function policies should prohibit public access](lambda-controls.md#lambda-1)
+ [[Lambda.3] Lambda functions should be in a VPC](lambda-controls.md#lambda-3)
+ [[Opensearch.1] OpenSearch domains should have encryption at rest enabled](opensearch-controls.md#opensearch-1)
+ [[Opensearch.2] OpenSearch domains should not be publicly accessible](opensearch-controls.md#opensearch-2)
+ [[RDS.1] RDS snapshot should be private](rds-controls.md#rds-1)
+ [[RDS.2] RDS DB Instances should prohibit public access, as determined by the PubliclyAccessible configuration](rds-controls.md#rds-2)
+ [[Redshift.1] Amazon Redshift clusters should prohibit public access](redshift-controls.md#redshift-1)
+ [[S3.1] S3 general purpose buckets should have block public access settings enabled](s3-controls.md#s3-1)
+ [[S3.2] S3 general purpose buckets should block public read access](s3-controls.md#s3-2)
+ [[S3.3] S3 general purpose buckets should block public write access](s3-controls.md#s3-3)
+ [[S3.5] S3 general purpose buckets should require requests to use SSL](s3-controls.md#s3-5)
+ [[S3.7] S3 general purpose buckets should use cross-Region replication](s3-controls.md#s3-7)
+ [[SageMaker.1] Amazon SageMaker notebook instances should not have direct internet access](sagemaker-controls.md#sagemaker-1)
+ [[SSM.1] Amazon EC2 instances should be managed by Amazon Systems Manager](ssm-controls.md#ssm-1)
+ [[SSM.2] Amazon EC2 instances managed by Systems Manager should have a patch compliance status of COMPLIANT after a patch installation](ssm-controls.md#ssm-2)
+ [[SSM.3] Amazon EC2 instances managed by Systems Manager should have an association compliance status of COMPLIANT](ssm-controls.md#ssm-3)

## Controls that apply to PCI DSS v4.0.1


The following list specifies which Security Hub CSPM controls apply to PCI DSS v4.0.1. To review the details of a control, choose the control.

+ [[ACM.1] Imported and ACM-issued certificates should be renewed after a specified time period](acm-controls.md#acm-1)
+ [[ACM.2] RSA certificates managed by ACM should use a key length of at least 2,048 bits](acm-controls.md#acm-2)
+ [[APIGateway.9] Access logging should be configured for API Gateway V2 Stages](apigateway-controls.md#apigateway-9)
+ [[AppSync.2] Amazon AppSync should have field-level logging enabled](appsync-controls.md#appsync-2)
+ [[AutoScaling.3] Auto Scaling group launch configurations should configure EC2 instances to require Instance Metadata Service Version 2 (IMDSv2)](autoscaling-controls.md#autoscaling-3)
+ [[Autoscaling.5] Amazon EC2 instances launched using Auto Scaling group launch configurations should not have Public IP addresses](autoscaling-controls.md#autoscaling-5)
+ [[CloudFront.1] CloudFront distributions should have a default root object configured](cloudfront-controls.md#cloudfront-1)
+ [[CloudFront.10] CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins](cloudfront-controls.md#cloudfront-10)
+ [[CloudFront.12] CloudFront distributions should not point to non-existent S3 origins](cloudfront-controls.md#cloudfront-12)
+ [[CloudFront.3] CloudFront distributions should require encryption in transit](cloudfront-controls.md#cloudfront-3)
+ [[CloudFront.5] CloudFront distributions should have logging enabled](cloudfront-controls.md#cloudfront-5)
+ [[CloudFront.6] CloudFront distributions should have WAF enabled](cloudfront-controls.md#cloudfront-6)
+ [[CloudFront.9] CloudFront distributions should encrypt traffic to custom origins](cloudfront-controls.md#cloudfront-9)
+ [[CloudTrail.2] CloudTrail should have encryption at-rest enabled](cloudtrail-controls.md#cloudtrail-2)
+ [[CloudTrail.3] At least one CloudTrail trail should be enabled](cloudtrail-controls.md#cloudtrail-3)
+ [[CloudTrail.4] CloudTrail log file validation should be enabled](cloudtrail-controls.md#cloudtrail-4)
+ [[CloudTrail.6] Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible](cloudtrail-controls.md#cloudtrail-6)
+ [[CloudTrail.7] Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket](cloudtrail-controls.md#cloudtrail-7)
+ [[CodeBuild.1] CodeBuild Bitbucket source repository URLs should not contain sensitive credentials](codebuild-controls.md#codebuild-1)
+ [[CodeBuild.2] CodeBuild project environment variables should not contain clear text credentials](codebuild-controls.md#codebuild-2)
+ [[CodeBuild.3] CodeBuild S3 logs should be encrypted](codebuild-controls.md#codebuild-3)
+ [[DMS.1] Database Migration Service replication instances should not be public](dms-controls.md#dms-1)
+ [[DMS.10] DMS endpoints for Neptune databases should have IAM authorization enabled](dms-controls.md#dms-10)
+ [[DMS.11] DMS endpoints for MongoDB should have an authentication mechanism enabled](dms-controls.md#dms-11)
+ [[DMS.12] DMS endpoints for Redis OSS should have TLS enabled](dms-controls.md#dms-12)
+ [[DMS.6] DMS replication instances should have automatic minor version upgrade enabled](dms-controls.md#dms-6)
+ [[DMS.7] DMS replication tasks for the target database should have logging enabled](dms-controls.md#dms-7)
+ [[DMS.8] DMS replication tasks for the source database should have logging enabled](dms-controls.md#dms-8)
+ [[DMS.9] DMS endpoints should use SSL](dms-controls.md#dms-9)
+ [[DocumentDB.2] Amazon DocumentDB clusters should have an adequate backup retention period](documentdb-controls.md#documentdb-2)
+ [[DocumentDB.3] Amazon DocumentDB manual cluster snapshots should not be public](documentdb-controls.md#documentdb-3)
+ [[DocumentDB.4] Amazon DocumentDB clusters should publish audit logs to CloudWatch Logs](documentdb-controls.md#documentdb-4)
+ [[DynamoDB.7] DynamoDB Accelerator clusters should be encrypted in transit](dynamodb-controls.md#dynamodb-7)
+ [[EC2.13] Security groups should not allow ingress from 0.0.0.0/0 or ::/0 to port 22](ec2-controls.md#ec2-13)
+ [[EC2.14] Security groups should not allow ingress from 0.0.0.0/0 or ::/0 to port 3389](ec2-controls.md#ec2-14)
+ [[EC2.15] Amazon EC2 subnets should not automatically assign public IP addresses](ec2-controls.md#ec2-15)
+ [[EC2.16] Unused Network Access Control Lists should be removed](ec2-controls.md#ec2-16)
+ [[EC2.170] EC2 launch templates should use Instance Metadata Service Version 2 (IMDSv2)](ec2-controls.md#ec2-170)
+ [[EC2.171] EC2 VPN connections should have logging enabled](ec2-controls.md#ec2-171)
+ [[EC2.21] Network ACLs should not allow ingress from 0.0.0.0/0 to port 22 or port 3389](ec2-controls.md#ec2-21)
+ [[EC2.25] Amazon EC2 launch templates should not assign public IPs to network interfaces](ec2-controls.md#ec2-25)
+ [[EC2.51] EC2 Client VPN endpoints should have client connection logging enabled](ec2-controls.md#ec2-51)
+ [[EC2.53] EC2 security groups should not allow ingress from 0.0.0.0/0 to remote server administration ports](ec2-controls.md#ec2-53)
+ [[EC2.54] EC2 security groups should not allow ingress from ::/0 to remote server administration ports](ec2-controls.md#ec2-54)
+ [[EC2.8] EC2 instances should use Instance Metadata Service Version 2 (IMDSv2)](ec2-controls.md#ec2-8)
+ [[ECR.1] ECR private repositories should have image scanning configured](ecr-controls.md#ecr-1)
+ [[ECS.10] ECS Fargate services should run on the latest Fargate platform version](ecs-controls.md#ecs-10)
+ [[ECS.16] ECS task sets should not automatically assign public IP addresses](ecs-controls.md#ecs-16)
+ [[ECS.2] ECS services should not have public IP addresses assigned to them automatically](ecs-controls.md#ecs-2)
+ [[ECS.8] Secrets should not be passed as container environment variables](ecs-controls.md#ecs-8)
+ [[EFS.4] EFS access points should enforce a user identity](efs-controls.md#efs-4)
+ [[EKS.1] EKS cluster endpoints should not be publicly accessible](eks-controls.md#eks-1)
+ [[EKS.2] EKS clusters should run on a supported Kubernetes version](eks-controls.md#eks-2)
+ [[EKS.3] EKS clusters should use encrypted Kubernetes secrets](eks-controls.md#eks-3)
+ [[EKS.8] EKS clusters should have audit logging enabled](eks-controls.md#eks-8)
+ [[ElastiCache.2] ElastiCache clusters should have automatic minor version upgrades enabled](elasticache-controls.md#elasticache-2)
+ [[ElastiCache.5] ElastiCache replication groups should be encrypted in transit](elasticache-controls.md#elasticache-5)
+ [[ElastiCache.6] ElastiCache (Redis OSS) replication groups of earlier versions should have Redis OSS AUTH enabled](elasticache-controls.md#elasticache-6)
+ [[ElasticBeanstalk.2] Elastic Beanstalk managed platform updates should be enabled](elasticbeanstalk-controls.md#elasticbeanstalk-2)
+ [[ElasticBeanstalk.3] Elastic Beanstalk should stream logs to CloudWatch](elasticbeanstalk-controls.md#elasticbeanstalk-3)
+ [[ELB.12] Application Load Balancer should be configured with defensive or strictest desync mitigation mode](elb-controls.md#elb-12)
+ [[ELB.14] Classic Load Balancer should be configured with defensive or strictest desync mitigation mode](elb-controls.md#elb-14)
+ [[ELB.3] Classic Load Balancer listeners should be configured with HTTPS or TLS termination](elb-controls.md#elb-3)
+ [[ELB.4] Application Load Balancer should be configured to drop invalid http headers](elb-controls.md#elb-4)
+ [[ELB.8] Classic Load Balancers with SSL listeners should use a predefined security policy that has strong Amazon Configuration](elb-controls.md#elb-8)
+ [[EMR.1] Amazon EMR cluster primary nodes should not have public IP addresses](emr-controls.md#emr-1)
+ [[EMR.2] Amazon EMR block public access setting should be enabled](emr-controls.md#emr-2)
+ [[ES.2] Elasticsearch domains should not be publicly accessible](es-controls.md#es-2)
+ [[ES.3] Elasticsearch domains should encrypt data sent between nodes](es-controls.md#es-3)
+ [[ES.5] Elasticsearch domains should have audit logging enabled](es-controls.md#es-5)
+ [[ES.8] Connections to Elasticsearch domains should be encrypted using the latest TLS security policy](es-controls.md#es-8)
+ [[EventBridge.3] EventBridge custom event buses should have a resource-based policy attached](eventbridge-controls.md#eventbridge-3)
+ [[GuardDuty.1] GuardDuty should be enabled](guardduty-controls.md#guardduty-1)
+ [[GuardDuty.10] GuardDuty S3 Protection should be enabled](guardduty-controls.md#guardduty-10)
+ [[GuardDuty.6] GuardDuty Lambda Protection should be enabled](guardduty-controls.md#guardduty-6)
+ [[GuardDuty.7] GuardDuty EKS Runtime Monitoring should be enabled](guardduty-controls.md#guardduty-7)
+ [[GuardDuty.9] GuardDuty RDS Protection should be enabled](guardduty-controls.md#guardduty-9)
+ [[IAM.3] IAM users' access keys should be rotated every 90 days or less](iam-controls.md#iam-3)
+ [[IAM.5] MFA should be enabled for all IAM users that have a console password](iam-controls.md#iam-5)
+ [[IAM.6] Hardware MFA should be enabled for the root user](iam-controls.md#iam-6)
+ [[IAM.7] Password policies for IAM users should have strong configurations](iam-controls.md#iam-7)
+ [[IAM.8] Unused IAM user credentials should be removed](iam-controls.md#iam-8)
+ [[IAM.9] MFA should be enabled for the root user](iam-controls.md#iam-9)
+ [[IAM.11] Ensure IAM password policy requires at least one uppercase letter](iam-controls.md#iam-11)
+ [[IAM.12] Ensure IAM password policy requires at least one lowercase letter](iam-controls.md#iam-12)
+ [[IAM.14] Ensure IAM password policy requires at least one number](iam-controls.md#iam-14)
+ [[IAM.16] Ensure IAM password policy prevents password reuse](iam-controls.md#iam-16)
+ [[IAM.17] Ensure IAM password policy expires passwords within 90 days or less](iam-controls.md#iam-17)
+ [[IAM.18] Ensure a support role has been created to manage incidents with Amazon Web Services Support](iam-controls.md#iam-18)
+ [[IAM.19] MFA should be enabled for all IAM users](iam-controls.md#iam-19)
+ [[Inspector.1] Amazon Inspector EC2 scanning should be enabled](inspector-controls.md#inspector-1)
+ [[Inspector.2] Amazon Inspector ECR scanning should be enabled](inspector-controls.md#inspector-2)
+ [[Inspector.3] Amazon Inspector Lambda code scanning should be enabled](inspector-controls.md#inspector-3)
+ [[Inspector.4] Amazon Inspector Lambda standard scanning should be enabled](inspector-controls.md#inspector-4)
+ [[KMS.4] Amazon KMS key rotation should be enabled](kms-controls.md#kms-4)
+ [[Lambda.1] Lambda function policies should prohibit public access](lambda-controls.md#lambda-1)
+ [[Lambda.2] Lambda functions should use supported runtimes](lambda-controls.md#lambda-2)
+ [[MQ.2] ActiveMQ brokers should stream audit logs to CloudWatch](mq-controls.md#mq-2)
+ [[MQ.3] Amazon MQ brokers should have automatic minor version upgrade enabled](mq-controls.md#mq-3)
+ [[MSK.1] MSK clusters should be encrypted in transit among broker nodes](msk-controls.md#msk-1)
+ [[MSK.3] MSK Connect connectors should be encrypted in transit](msk-controls.md#msk-3)
+ [[Neptune.2] Neptune DB clusters should publish audit logs to CloudWatch Logs](neptune-controls.md#neptune-2)
+ [[Neptune.3] Neptune DB cluster snapshots should not be public](neptune-controls.md#neptune-3)
+ [[Opensearch.10] OpenSearch domains should have the latest software update installed](opensearch-controls.md#opensearch-10)
+ [[Opensearch.5] OpenSearch domains should have audit logging enabled](opensearch-controls.md#opensearch-5)
+ [[RDS.13] RDS automatic minor version upgrades should be enabled](rds-controls.md#rds-13)
+ [[RDS.2] RDS DB Instances should prohibit public access, as determined by the PubliclyAccessible configuration](rds-controls.md#rds-2)
+ [[RDS.20] Existing RDS event notification subscriptions should be configured for critical database instance events](rds-controls.md#rds-20)
+ [[RDS.21] An RDS event notifications subscription should be configured for critical database parameter group events](rds-controls.md#rds-21)
+ [[RDS.22] An RDS event notifications subscription should be configured for critical database security group events](rds-controls.md#rds-22)
+ [[RDS.24] RDS Database clusters should use a custom administrator username](rds-controls.md#rds-24)
+ [[RDS.25] RDS database instances should use a custom administrator username](rds-controls.md#rds-25)
+ [[RDS.34] Aurora MySQL DB clusters should publish audit logs to CloudWatch Logs](rds-controls.md#rds-34)
+ [[RDS.35] RDS DB clusters should have automatic minor version upgrade enabled](rds-controls.md#rds-35)
+ [[RDS.36] RDS for PostgreSQL DB instances should publish logs to CloudWatch Logs](rds-controls.md#rds-36)
+ [[RDS.37] Aurora PostgreSQL DB clusters should publish logs to CloudWatch Logs](rds-controls.md#rds-37)
+ [[RDS.9] RDS DB instances should publish logs to CloudWatch Logs](rds-controls.md#rds-9)
+ [[Redshift.1] Amazon Redshift clusters should prohibit public access](redshift-controls.md#redshift-1)
+ [[Redshift.15] Redshift security groups should allow ingress on the cluster port only from restricted origins](redshift-controls.md#redshift-15)
+ [[Redshift.2] Connections to Amazon Redshift clusters should be encrypted in transit](redshift-controls.md#redshift-2)
+ [[Redshift.4] Amazon Redshift clusters should have audit logging enabled](redshift-controls.md#redshift-4)
+ [[Route53.2] Route 53 public hosted zones should log DNS queries](route53-controls.md#route53-2)
+ [[S3.1] S3 general purpose buckets should have block public access settings enabled](s3-controls.md#s3-1)
+ [[S3.15] S3 general purpose buckets should have Object Lock enabled](s3-controls.md#s3-15)
+ [[S3.17] S3 general purpose buckets should be encrypted at rest with Amazon KMS keys](s3-controls.md#s3-17)
+ [[S3.19] S3 access points should have block public access settings enabled](s3-controls.md#s3-19)
+ [[S3.22] S3 general purpose buckets should log object-level write events](s3-controls.md#s3-22)
+ [[S3.23] S3 general purpose buckets should log object-level read events](s3-controls.md#s3-23)
+ [[S3.24] S3 Multi-Region Access Points should have block public access settings enabled](s3-controls.md#s3-24)
+ [[S3.5] S3 general purpose buckets should require requests to use SSL](s3-controls.md#s3-5)
+ [[S3.8] S3 general purpose buckets should block public access](s3-controls.md#s3-8)
+ [[S3.9] S3 general purpose buckets should have server access logging enabled](s3-controls.md#s3-9)
+ [[SageMaker.1] Amazon SageMaker notebook instances should not have direct internet access](sagemaker-controls.md#sagemaker-1)
+ [[SecretsManager.1] Secrets Manager secrets should have automatic rotation enabled](secretsmanager-controls.md#secretsmanager-1)
+ [[SecretsManager.2] Secrets Manager secrets configured with automatic rotation should rotate successfully](secretsmanager-controls.md#secretsmanager-2)
+ [[SecretsManager.4] Secrets Manager secrets should be rotated within a specified number of days](secretsmanager-controls.md#secretsmanager-4)
+ [[SSM.2] Amazon EC2 instances managed by Systems Manager should have a patch compliance status of COMPLIANT after a patch installation](ssm-controls.md#ssm-2)
+ [[SSM.3] Amazon EC2 instances managed by Systems Manager should have an association compliance status of COMPLIANT](ssm-controls.md#ssm-3)
+ [[StepFunctions.1] Step Functions state machines should have logging turned on](stepfunctions-controls.md#stepfunctions-1)
+ [[Transfer.2] Transfer Family servers should not use FTP protocol for endpoint connection](transfer-controls.md#transfer-2)
+ [[WAF.1] Amazon WAF Classic Global Web ACL logging should be enabled](waf-controls.md#waf-1)
+ [[WAF.11] Amazon WAF web ACL logging should be enabled](waf-controls.md#waf-11)

# Service-managed standards in Security Hub CSPM

A service-managed standard is a security standard that another Amazon Web Services service manages but that you can view in Security Hub CSPM. For example, [Service-Managed Standard: Amazon Control Tower](service-managed-standard-aws-control-tower.md) is a service-managed standard that Amazon Control Tower manages. A service-managed standard differs from a security standard that Amazon Security Hub CSPM manages in the following ways:
+ **Standard creation and deletion** – You create and delete a service-managed standard with the managing service's console or API, or with the Amazon CLI. Until you create the standard in the managing service in one of those ways, the standard doesn't appear in the Security Hub CSPM console and isn't accessible by the Security Hub CSPM API or Amazon CLI.
+ **No automatic enablement of controls** – When you create a service-managed standard, Security Hub CSPM and the managing service don't automatically enable the controls that apply to the standard. In addition, when Security Hub CSPM releases new controls for the standard, they're not automatically enabled. This is a departure from standards that Security Hub CSPM manages. For more information about the usual way of configuring controls in Security Hub CSPM, see [Understanding security controls in Security Hub CSPM](controls-view-manage.md).
+ **Enabling and disabling controls** – We recommend enabling and disabling controls in the managing service to avoid drift.
+ **Availability of controls** – The managing service chooses which controls are available as part of the service-managed standard. Available controls may include all, or a subset of, the existing Security Hub CSPM controls.

After the managing service creates the service-managed standard and makes controls available for it, you can access your control findings, control statuses, and standard security score in the Security Hub CSPM console, Security Hub CSPM API, or Amazon CLI. Some or all of this information may also be available in the managing service.

Select a service-managed standard from the following list to view more details about it.

**Topics**
+ [Service-Managed Standard: Amazon Control Tower](service-managed-standard-aws-control-tower.md)

# Service-Managed Standard: Amazon Control Tower


This section provides information about Service-Managed Standard: Amazon Control Tower.

## What is Service-Managed Standard: Amazon Control Tower?


Service-Managed Standard: Amazon Control Tower is a service-managed standard, managed by Amazon Control Tower, that supports a subset of Security Hub CSPM controls. This standard is designed for users of both Amazon Security Hub CSPM and Amazon Control Tower. It lets you configure the detective controls of Security Hub CSPM from the Amazon Control Tower service.

Detective controls detect noncompliance of resources (for example, misconfigurations) within your Amazon Web Services accounts.

**Tip**  
Service-managed standards differ from standards that Amazon Security Hub CSPM manages. For example, you must create and delete a service-managed standard in the managing service. For more information, see [Service-managed standards in Security Hub CSPM](service-managed-standards.md).

When you enable a Security Hub CSPM control through Amazon Control Tower, Control Tower also enables Security Hub CSPM for you in those specific accounts and Regions, if not already enabled. In the Security Hub CSPM console and API, you can view Service-Managed Standard: Amazon Control Tower alongside other Security Hub CSPM standards, once the standard is enabled from Amazon Control Tower.

For more information about this standard, see [Security Hub CSPM controls](https://docs.amazonaws.cn/controltower/latest/userguide/security-hub-controls.html) in the *Amazon Control Tower User Guide*.

## Creating the standard


This standard is available in Security Hub CSPM only if you enable Security Hub CSPM controls from Amazon Control Tower. Amazon Control Tower creates the standard when you first enable an applicable control by using one of the following methods:
+ Amazon Control Tower console
+ Amazon Control Tower API (call the [EnableControl](https://docs.amazonaws.cn/controltower/latest/APIReference/API_EnableControl.html) API)
+ Amazon CLI (run the [enable-control](https://docs.amazonaws.cn/cli/latest/reference/controltower/enable-control.html) command)

When you enable a Security Hub CSPM control through Amazon Control Tower, if you haven’t already enabled Security Hub CSPM, Amazon Control Tower also enables Security Hub CSPM for you in those specific accounts and Regions.

To identify a Security Hub CSPM control by control ID in Control Catalog, use the `Implementation.Identifier` field in Amazon Control Tower. This field maps to the Security Hub CSPM control ID and can be used to filter for a specific control. To retrieve control metadata for a specific Security Hub CSPM control (for example, `CodeBuild.1`) in Amazon Control Tower, use the [ListControls](https://docs.amazonaws.cn/controlcatalog/latest/APIReference/API_ListControls.html) API:

```
aws controlcatalog list-controls --filter '{"Implementations":{"Identifiers":["CodeBuild.1"],"Types":["AWS::SecurityHub::SecurityControl"]}}'
```

You can't view or access this standard in the Security Hub CSPM console, Security Hub CSPM API, or Amazon CLI without first setting up Amazon Control Tower and enabling Security Hub CSPM controls from Amazon Control Tower using one of the preceding methods.

This standard is only available in the [Amazon Web Services Regions where Amazon Control Tower is available](https://docs.amazonaws.cn/controltower/latest/userguide/region-how.html).

## Enabling and disabling controls in the standard


After you've enabled Security Hub CSPM controls through Amazon Control Tower and the Service-Managed Standard: Amazon Control Tower standard has been created, you can view the standard and its available controls in Security Hub CSPM.

When Security Hub CSPM adds new controls to the Service-Managed Standard: Amazon Control Tower standard, they aren't automatically enabled for customers who have the standard enabled. You should enable and disable controls for the standard from Amazon Control Tower by using one of the following methods:
+ Amazon Control Tower console
+ Amazon Control Tower API (call the [EnableControl](https://docs.amazonaws.cn/controltower/latest/APIReference/API_EnableControl.html) and [DisableControl](https://docs.amazonaws.cn/controltower/latest/APIReference/API_DisableControl.html) APIs)
+ Amazon CLI (run the [enable-control](https://docs.amazonaws.cn/cli/latest/reference/controltower/enable-control.html) and [disable-control](https://docs.amazonaws.cn/cli/latest/reference/controltower/disable-control.html) commands)

When you change the enablement status of a control in Amazon Control Tower, the change is also reflected in Security Hub CSPM.

However, disabling a control in Security Hub CSPM that's enabled in Amazon Control Tower results in control drift. The control status in Amazon Control Tower shows as `Drifted`. You can resolve this drift by using the [ResetEnabledControl](https://docs.amazonaws.cn/controltower/latest/APIReference/API_ResetEnabledControl.html) API to reset the control which is in drift, or by selecting [Re-register OU](https://docs.amazonaws.cn/controltower/latest/userguide/drift.html#resolving-drift) in the Amazon Control Tower console, or by disabling and re-enabling the control in Amazon Control Tower using one of the preceding methods.

Completing enablement and disablement actions in Amazon Control Tower helps you avoid control drift.

When you enable or disable controls in Amazon Control Tower, the action applies across all accounts and Regions governed by Amazon Control Tower. If you enable or disable controls in Security Hub CSPM instead (not recommended for this standard), the action applies only to the current account and Region.

**Note**  
[Central configuration](central-configuration-intro.md) can't be used to manage Service-Managed Standard: Amazon Control Tower. You can use *only* the Amazon Control Tower service to enable and disable controls in this standard.
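Because enablement can be changed from either side, a practitioner usually wants a check that compares the two views before Control Tower reports `Drifted`. The following is an added example, not Control Tower's or Security Hub CSPM's own code: it takes a list of enabled controls as Control Tower reports them, the control associations as Security Hub CSPM reports them for the Control Tower standard in one account and Region, and the Control Catalog mapping from control identifier to Security Hub CSPM control ID (`Implementation.Identifier`), and lists the controls that are enabled in Control Tower but disabled in Security Hub CSPM (the drift case described above) as well as the reverse. The sample data is constructed; the field names are assumptions shaped like the `list-enabled-controls` and `list-standards-control-associations` responses, and the control ARNs are placeholders.

```python
"""Flag enablement drift for Service-Managed Standard: Amazon Control Tower.

Added example, not Control Tower's or Security Hub CSPM's own code. Inputs are
constructed to resemble the list-enabled-controls (Control Tower) and
list-standards-control-associations (Security Hub CSPM) responses; the field
names are assumptions about those APIs and the control ARNs are placeholders.
"""

CT_STANDARD_ARN = (
    "arn:aws-cn:securityhub:us-east-1::standards/"
    "service-managed-aws-control-tower/v/1.0.0"
)

# Constructed: Control Tower control identifier -> Security Hub CSPM control ID.
# In practice, build this from `aws controlcatalog list-controls` using the
# Implementation.Identifier field. These ARNs are placeholders, not real ones.
CONTROL_CATALOG = {
    "arn:aws-cn:controlcatalog:::control/placeholder-codebuild-1": "CodeBuild.1",
    "arn:aws-cn:controlcatalog:::control/placeholder-s3-1": "S3.1",
    "arn:aws-cn:controlcatalog:::control/placeholder-iam-4": "IAM.4",
}

# Constructed: what Control Tower reports as enabled for one OU.
CT_ENABLED_CONTROLS = [
    {"controlIdentifier": "arn:aws-cn:controlcatalog:::control/placeholder-codebuild-1",
     "statusSummary": {"status": "SUCCEEDED"}},
    {"controlIdentifier": "arn:aws-cn:controlcatalog:::control/placeholder-s3-1",
     "statusSummary": {"status": "SUCCEEDED"}},
    # Enablement has not succeeded yet, so its absence in Security Hub is not drift.
    {"controlIdentifier": "arn:aws-cn:controlcatalog:::control/placeholder-iam-4",
     "statusSummary": {"status": "FAILED"}},
]

# Constructed: what Security Hub CSPM reports in the same account and Region.
SH_ASSOCIATIONS = [
    {"StandardsArn": CT_STANDARD_ARN, "SecurityControlId": "CodeBuild.1", "AssociationStatus": "ENABLED"},
    {"StandardsArn": CT_STANDARD_ARN, "SecurityControlId": "S3.1", "AssociationStatus": "DISABLED"},
    {"StandardsArn": CT_STANDARD_ARN, "SecurityControlId": "IAM.4", "AssociationStatus": "DISABLED"},
    {"StandardsArn": CT_STANDARD_ARN, "SecurityControlId": "EC2.1", "AssociationStatus": "ENABLED"},
    # Another standard: ignored when checking the Control Tower standard.
    {"StandardsArn": "arn:aws-cn:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0",
     "SecurityControlId": "S3.1", "AssociationStatus": "ENABLED"},
]


def enabled_in_control_tower(enabled_controls, catalog):
    """Security Hub control IDs whose Control Tower enablement has succeeded."""
    ids = set()
    for item in enabled_controls:
        if item.get("statusSummary", {}).get("status") != "SUCCEEDED":
            continue  # still in progress or failed: not a Security Hub-side problem
        control_id = catalog.get(item["controlIdentifier"])
        if control_id is not None:  # skip controls that are not Security Hub controls
            ids.add(control_id)
    return ids


def enabled_in_security_hub(associations, standards_arn):
    """Control IDs enabled for one standard, taken from the association list."""
    return {
        a["SecurityControlId"]
        for a in associations
        if a["StandardsArn"] == standards_arn and a["AssociationStatus"] == "ENABLED"
    }


def find_drift(enabled_controls, associations, catalog, standards_arn=CT_STANDARD_ARN):
    """'disabled_in_security_hub' is the drift case (enabled in Control Tower,
    disabled in Security Hub CSPM); 'enabled_only_in_security_hub' is a control
    enabled directly in Security Hub CSPM, which applies to this account and
    Region only."""
    ct = enabled_in_control_tower(enabled_controls, catalog)
    sh = enabled_in_security_hub(associations, standards_arn)
    return {
        "disabled_in_security_hub": sorted(ct - sh),
        "enabled_only_in_security_hub": sorted(sh - ct),
    }


if __name__ == "__main__":
    print(find_drift(CT_ENABLED_CONTROLS, SH_ASSOCIATIONS, CONTROL_CATALOG))
```

Run this once per governed Region, since both API views are Regional; a control flagged under `disabled_in_security_hub` is the one to fix from Control Tower (`ResetEnabledControl`, or disable and re-enable), not from Security Hub CSPM.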

## Viewing enablement status and control status


You can view the enablement status of a control by using one of the following methods:
+ Security Hub CSPM console, Security Hub CSPM API, or Amazon CLI
+ Amazon Control Tower console
+ Amazon Control Tower API to see a list of enabled controls (call the [ListEnabledControls](https://docs.amazonaws.cn/controltower/latest/APIReference/API_ListEnabledControls.html) API)
+ Amazon CLI to see a list of enabled controls (run the [list-enabled-controls](https://docs.amazonaws.cn/cli/latest/reference/controltower/list-enabled-controls.html) command)

A control that you disable in Amazon Control Tower has an enablement status of `Disabled` in Security Hub CSPM unless you explicitly enable that control in Security Hub CSPM.

Security Hub CSPM calculates control status based on the workflow status and compliance status of the control findings. For more information about enablement status and control status, see [Reviewing the details of controls in Security Hub CSPM](securityhub-standards-control-details.md).

Based on control statuses, Security Hub CSPM calculates a [security score](standards-security-score.md) for Service-Managed Standard: Amazon Control Tower. This score is only available in Security Hub CSPM. In addition, you can only view [control findings](controls-findings-create-update.md) in Security Hub CSPM. The standard security score and control findings aren't available in Amazon Control Tower.

**Note**  
When you enable controls for Service-Managed Standard: Amazon Control Tower, Security Hub CSPM may take up to 18 hours to generate findings for controls that use an existing Amazon Config service-linked rule. You may have existing service-linked rules if you've enabled other standards and controls in Security Hub CSPM. For more information, see [Schedule for running security checks](securityhub-standards-schedule.md).

## Deleting the standard


You can delete this service-managed standard in Amazon Control Tower by disabling all applicable controls using one of the following methods:
+ Amazon Control Tower console
+ Amazon Control Tower API (call the [DisableControl](https://docs.amazonaws.cn/controltower/latest/APIReference/API_DisableControl.html) API)
+ Amazon CLI (run the [disable-control](https://docs.amazonaws.cn/cli/latest/reference/controltower/disable-control.html) command)

Disabling all controls deletes the standard in all managed accounts and governed Regions in Amazon Control Tower. Deleting the standard in Amazon Control Tower removes it from the **Standards** page of the Security Hub CSPM console, and you can no longer access it by using the Security Hub CSPM API or Amazon CLI.

**Note**  
 Disabling all controls from the standard in Security Hub CSPM doesn't disable or delete the standard. 

Disabling the Security Hub CSPM service removes Service-Managed Standard: Amazon Control Tower and any other standards that you’ve enabled.

## Finding field format for Service-Managed Standard: Amazon Control Tower


When you create Service-Managed Standard: Amazon Control Tower and enable controls for it, you'll start to receive control findings in Security Hub CSPM. Security Hub CSPM reports control findings in the [Amazon Security Finding Format (ASFF)](securityhub-findings-format.md). These are the ASFF values for this standard's Amazon Resource Name (ARN) and `GeneratorId`. The ARN follows the `arn:partition:service:region:account:resource` layout used by all standard ARNs, and its Region segment is the Region in which the standard is enabled (`us-east-1` is shown as an example):
+ **Standard ARN** – `arn:aws-cn:securityhub:us-east-1::standards/service-managed-aws-control-tower/v/1.0.0`
+ **GeneratorId** – `service-managed-aws-control-tower/v/1.0.0/CodeBuild.1`

For a sample finding for Service-Managed Standard: Amazon Control Tower, see [Samples of control findings](sample-control-findings.md).

## Controls that apply to Service-Managed Standard: Amazon Control Tower


Service-Managed Standard: Amazon Control Tower supports a subset of controls that are part of the Amazon Foundational Security Best Practices (FSBP) standard. Choose a control to view information about it, including remediation steps for failed findings.

To see what Security Hub CSPM controls are supported by Amazon Control Tower, you can use one of the following methods:
+ Amazon Control Catalog console, where you can filter for `Control owner = Amazon Security Hub`
+ Amazon Control Catalog API (call the [ListControls](https://docs.amazonaws.cn/controlcatalog/latest/APIReference/API_ListControls.html) API) with a filter on `Implementations` where `Types` is `AWS::SecurityHub::SecurityControl`
+ Amazon CLI (run the [list-controls](https://docs.amazonaws.cn/cli/latest/reference/controlcatalog/list-controls.html) command) with a filter on `Implementations`. Example CLI command:

  ```
  aws controlcatalog list-controls --filter '{"Implementations":{"Types":["AWS::SecurityHub::SecurityControl"]}}'
  ```

The Regional availability of a Security Hub CSPM control when it's enabled through the Control Tower standard may not match the Regional availability of the underlying control in Security Hub CSPM.

In Security Hub CSPM, if [consolidated control findings](controls-findings-create-update.md#consolidated-control-findings) is turned off in your account, the `ProductFields.ControlId` field in the generated findings uses the standard-based control ID. The standard-based control ID is formatted as **CT.*ControlId*** (for example, **CT.CodeBuild.1**).
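Anything that routes these findings (an EventBridge target, a ticketing integration) needs one canonical control ID regardless of which field carried it. The following is an added example, not Security Hub CSPM's own code. It relies on the `GeneratorId` form shown above (`standard/v/version/control`) and on the `CT.ControlId` value that `ProductFields.ControlId` carries when consolidated control findings are off; the layout of consolidated findings is not described on this page, so a finding with neither field raises rather than guessing. The sample findings are constructed and carry only the fields the code reads.

```python
"""Normalise control IDs from Service-Managed Standard: Amazon Control Tower findings.

Added example, not Security Hub CSPM's own code. Handles the two layouts this
page describes: GeneratorId = standard/v/version/control, and, with consolidated
control findings off, ProductFields.ControlId = CT.<ControlId>.
"""
import re

CT_STANDARD = "service-managed-aws-control-tower"
GENERATOR_RE = re.compile(r"^(?P<standard>[^/]+)/v/(?P<version>[^/]+)/(?P<control>[^/]+)$")


def parse_generator_id(generator_id):
    """Split 'service-managed-aws-control-tower/v/1.0.0/CodeBuild.1' into its parts."""
    match = GENERATOR_RE.match(generator_id)
    if match is None:
        raise ValueError(f"unrecognised GeneratorId: {generator_id!r}")
    return match.groupdict()


def control_id_from_finding(finding):
    """Return the Security Hub CSPM control ID (for example 'CodeBuild.1')."""
    raw = finding.get("ProductFields", {}).get("ControlId")
    if raw:
        # Standard-based ID: strip the CT. prefix this standard uses.
        return raw[3:] if raw.startswith("CT.") else raw
    generator_id = finding.get("GeneratorId")
    if generator_id:
        return parse_generator_id(generator_id)["control"]
    raise ValueError("finding carries neither ProductFields.ControlId nor GeneratorId")


def is_control_tower_finding(finding):
    """True when the finding's GeneratorId names the Control Tower standard."""
    try:
        return parse_generator_id(finding["GeneratorId"])["standard"] == CT_STANDARD
    except (KeyError, ValueError):
        return False


def failed_controls(findings):
    """Control IDs with at least one FAILED Control Tower finding, for routing."""
    return sorted({
        control_id_from_finding(f)
        for f in findings
        if is_control_tower_finding(f) and f.get("Compliance", {}).get("Status") == "FAILED"
    })


# Constructed sample findings (only the fields read above).
SAMPLE_FINDINGS = [
    {"GeneratorId": "service-managed-aws-control-tower/v/1.0.0/CodeBuild.1",
     "ProductFields": {"ControlId": "CT.CodeBuild.1"},
     "Compliance": {"Status": "FAILED"}},
    {"GeneratorId": "service-managed-aws-control-tower/v/1.0.0/S3.1",
     "Compliance": {"Status": "PASSED"}},
    {"GeneratorId": "aws-foundational-security-best-practices/v/1.0.0/IAM.4",
     "ProductFields": {"ControlId": "IAM.4"},
     "Compliance": {"Status": "FAILED"}},
]

if __name__ == "__main__":
    print(failed_controls(SAMPLE_FINDINGS))
```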

For more information about this standard, see [Security Hub CSPM controls](https://docs.amazonaws.cn/controltower/latest/userguide/security-hub-controls.html) in the *Amazon Control Tower User Guide*.

# Enabling a security standard

When you enable a security standard in Amazon Security Hub CSPM, Security Hub CSPM automatically creates and enables all the controls that apply to the standard. Security Hub CSPM also starts running security checks and generating findings for the controls.

To optimize coverage and the accuracy of findings, enable and configure resource recording in Amazon Config before you enable a standard. When you configure resource recording, also be sure to enable it for all the types of resources that are checked by controls that apply to the standard. Otherwise, Security Hub CSPM might not be able to evaluate the appropriate resources, and generate accurate findings for controls that apply to the standard. For more information, see [Enabling and configuring Amazon Config for Security Hub CSPM](securityhub-setup-prereqs.md).

After you enable a standard, you can disable or later re-enable individual controls that apply to the standard. If you disable a control for a standard, Security Hub CSPM stops generating findings for the control. In addition, Security Hub CSPM ignores the control when it calculates the security score for the standard. The security score is the percentage of controls that passed evaluation, relative to the total number of controls that apply to the standard, are enabled, and have evaluation data.

When you enable a standard, Security Hub CSPM generates a preliminary security score for the standard, typically within 30 minutes of your first visit to the **Summary** or **Security standards** page on the Security Hub CSPM console. Security scores are generated only for standards that are enabled when you visit those pages on the console. In addition, resource recording must be configured in Amazon Config for the scores to appear. In the China Regions and Amazon GovCloud (US) Regions, it can take up to 24 hours for Security Hub CSPM to generate a preliminary security score for a standard. After Security Hub CSPM generates a preliminary score, it updates the score every 24 hours. To determine when a security score was last updated, you can refer to a timestamp that Security Hub CSPM provides for the score. For more information, see [Calculating security scores](standards-security-score.md).

How you enable a standard depends on whether you use [central configuration](central-configuration-intro.md) to manage Security Hub CSPM for multiple accounts and Amazon Web Services Regions. We recommend using central configuration if you want to enable standards in multi-account, multi-Region environments. You can use central configuration if you integrate Security Hub CSPM with Amazon Organizations. If you don't use central configuration, you must enable each standard separately in each account and each Region.

**Topics**
+ [Enabling a standard in multiple accounts and Amazon Web Services Regions](#enable-standards-central-configuration)
+ [Enabling a standard in a single account and Amazon Web Services Region](#securityhub-standard-enable-console)
+ [Checking the status of a standard](#standard-subscription-status)

## Enabling a standard in multiple accounts and Amazon Web Services Regions


To enable and configure a security standard across multiple accounts and Amazon Web Services Regions, use [central configuration](central-configuration-intro.md). With central configuration, the delegated Security Hub CSPM administrator can create Security Hub CSPM configuration policies that enable one or more standards. The administrator can then associate a configuration policy with individual accounts, organizational units (OUs), or the root. A configuration policy affects the home Region, also referred to as an *aggregation Region*, and all linked Regions.

Configuration policies offer customization options. For example, you might choose to enable only the Amazon Foundational Security Best Practices (FSBP) standard for one OU. For another OU, you might choose to enable both the FSBP standard and the Center for Internet Security (CIS) Amazon Foundations Benchmark v1.4.0 standard. For information about creating a configuration policy that enables particular standards that you specify, see [Creating and associating configuration policies](create-associate-policy.md).

If you use central configuration, Security Hub CSPM doesn't automatically enable any standards in new or existing accounts. Instead, the Security Hub CSPM administrator specifies which standards to enable in different accounts when they create Security Hub CSPM configuration policies for their organization. Security Hub CSPM offers a recommended configuration policy in which only the FSBP standard is enabled. For more information, see [Types of configuration policies](configuration-policies-overview.md#policy-types).

**Note**  
The Security Hub CSPM administrator can use configuration policies to enable any standard except the [Amazon Control Tower service-managed standard](service-managed-standard-aws-control-tower.md). To enable this standard, the administrator must use Amazon Control Tower directly. They must also use Amazon Control Tower to enable or disable individual controls in this standard for a centrally managed account.

If you want some accounts to enable and configure standards for their own accounts, the Security Hub CSPM administrator can designate those accounts as *self-managed accounts*. Self-managed accounts must enable and configure standards separately in each Region.

## Enabling a standard in a single account and Amazon Web Services Region


If you don't use central configuration or you have a self-managed account, you can't use configuration policies to centrally enable security standards in multiple accounts or Amazon Web Services Regions. However, you can enable a standard in a single account and Region. You can do this by using the Security Hub CSPM console or the Security Hub CSPM API.

------
#### [ Security Hub CSPM console ]

Follow these steps to enable a standard in one account and Region by using the Security Hub CSPM console.

**To enable a standard in one account and Region**

1. Open the Amazon Security Hub CSPM console at [https://console.amazonaws.cn/securityhub/](https://console.amazonaws.cn/securityhub/).

1. By using the Amazon Web Services Region selector in the upper-right corner of the page, choose the Region in which you want to enable the standard.

1. In the navigation pane, choose **Security standards**. The **Security standards** page lists all the standards that Security Hub CSPM currently supports. If you already enabled a standard, the section for the standard includes the current security score and additional details for the standard.

1. In the section for the standard that you want to enable, choose **Enable standard**.

To enable the standard in additional Regions, repeat the preceding steps in each additional Region.

------
#### [ Security Hub CSPM API ]

To enable a standard programmatically in a single account and Region, use the [BatchEnableStandards](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_BatchEnableStandards.html) operation. Or, if you're using the Amazon Command Line Interface (Amazon CLI), run the [batch-enable-standards](https://docs.amazonaws.cn/cli/latest/reference/securityhub/batch-enable-standards.html) command.

In your request, use the `StandardsArn` parameter to specify the Amazon Resource Name (ARN) of the standard that you want to enable. Also specify the Region that your request applies to. For example, the following command enables the Amazon Foundational Security Best Practices (FSBP) standard:

```
$ aws securityhub batch-enable-standards \
--standards-subscription-requests '{"StandardsArn":"arn:aws-cn:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0"}' \
--region us-east-1
```

Where `arn:aws-cn:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0` is the ARN of the FSBP standard in the US East (N. Virginia) Region, and `us-east-1` is the Region in which to enable it.

To obtain the ARN for a standard, use the [DescribeStandards](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_DescribeStandards.html) operation or, if you're using the Amazon CLI, run the [describe-standards](https://docs.amazonaws.cn/cli/latest/reference/securityhub/describe-standards.html) command.

To first review a list of standards that are currently enabled in your account, you can use the [GetEnabledStandards](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_GetEnabledStandards.html) operation. If you're using the Amazon CLI, you can run the [get-enabled-standards](https://docs.amazonaws.cn/cli/latest/reference/securityhub/get-enabled-standards.html) command to retrieve this list.

------

After you enable a standard, Security Hub CSPM begins performing tasks to enable the standard in the account and the specified Region. This includes creating all the controls that apply to the standard. To monitor the status of these tasks, you can check the status of the standard for the account and Region.

## Checking the status of a standard


When you enable a security standard for an account, Security Hub CSPM begins creating all the controls that apply to the standard in the account. Security Hub CSPM also performs additional tasks to enable the standard for the account, such as generating a preliminary security score for the standard. While Security Hub CSPM performs these tasks, the status of the standard is *Pending* for the account. The status of the standard then passes through additional states, which you can monitor and check.

**Note**  
Changes to individual controls for a standard don't affect the overall status of the standard. For example, if you enable a control that you previously disabled, your change doesn't affect the status of the standard. Similarly, if you change a parameter value for an enabled control, your change doesn't affect the status of the standard.

To check the status of a standard by using the Security Hub CSPM console, choose **Security standards** in the navigation pane. The **Security standards** page lists all the standards that Security Hub CSPM currently supports. If Security Hub CSPM is currently performing tasks to enable the standard, the section for the standard indicates that Security Hub CSPM is still generating a security score for the standard. If a standard is enabled, the section for the standard includes the current score. Choose **View results** to review additional details, including the status of individual controls that apply to the standard. For more information, see [Schedule for running security checks](securityhub-standards-schedule.md).

To check the status of a standard programmatically with the Security Hub CSPM API, use the [GetEnabledStandards](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_GetEnabledStandards.html) operation. In your request, optionally use the `StandardsSubscriptionArns` parameter to specify the Amazon Resource Name (ARN) of the standard whose status you want to check. If you're using the Amazon Command Line Interface (Amazon CLI), you can run the [get-enabled-standards](https://docs.amazonaws.cn/cli/latest/reference/securityhub/get-enabled-standards.html) command to check the status of a standard. To specify the ARN of the standard to check, use the `standards-subscription-arns` parameter. To determine which ARN to specify, you can use the [DescribeStandards](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_DescribeStandards.html) operation or, for the Amazon CLI, run the [describe-standards](https://docs.amazonaws.cn/cli/latest/reference/securityhub/describe-standards.html) command.

If your request succeeds, Security Hub CSPM responds with an array of `StandardsSubscription` objects. A *standard subscription* is an Amazon resource that Security Hub CSPM creates in an account when a standard is enabled for the account. Each `StandardsSubscription` object provides details about a standard that is currently enabled or is being enabled or disabled for the account. Within each object, the `StandardsStatus` field specifies the current status of the standard for the account.

The status of a standard (`StandardsStatus`) can be one of the following.

**PENDING**  
Security Hub CSPM is currently performing tasks to enable the standard for the account. This includes creating the controls that apply to the standard, and generating a preliminary security score for the standard. It can take several minutes for Security Hub CSPM to complete all the tasks. A standard can also have this status if it's already enabled for the account and Security Hub CSPM is currently adding new controls to the standard.  
If a standard has this status, you might not be able to retrieve the details of individual controls that apply to the standard. In addition, you might not be able to configure or disable individual controls for the standard. For example, if you try to disable a control by using the [UpdateStandardsControl](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_UpdateStandardsControl.html) operation, an error occurs.  
To determine whether you can configure or otherwise manage individual controls for the standard, refer to the value for the `StandardsControlsUpdatable` field. If the value for this field is `READY_FOR_UPDATES`, you can start managing individual controls for the standard. Otherwise, wait until Security Hub CSPM completes additional processing tasks to enable the standard.

**READY**  
The standard is currently enabled for the account. Security Hub CSPM can run security checks and generate findings for all the controls that apply to the standard and are currently enabled. Security Hub CSPM can also calculate a security score for the standard.  
If a standard has this status, you can retrieve the details of individual controls that apply to the standard. In addition, you can configure, disable, or re-enable the controls. You can also disable the standard.

**INCOMPLETE**  
Security Hub CSPM wasn't able to enable the standard completely for the account. Security Hub CSPM can't run security checks and generate findings for all the controls that apply to the standard and are currently enabled. In addition, Security Hub CSPM can't calculate a security score for the standard.  
To determine why the standard wasn't enabled completely, refer to the information in the `StandardsStatusReason` array. This array specifies issues that prevented Security Hub CSPM from enabling the standard. If an internal error occurred, try enabling the standard for the account again. For other types of issues, [check your Amazon Config settings](securityhub-setup-prereqs.md). You can also [disable individual controls](disable-controls-overview.md) that you don't want to check, or disable the standard completely.

**DELETING**  
Security Hub CSPM is currently processing a request to disable the standard for the account. This includes disabling the controls that apply to the standard, and removing the associated security score. It can take several minutes for Security Hub CSPM to finish processing the request.  
If a standard has this status, you can't re-enable the standard or try to disable it again for the account. Security Hub CSPM must finish processing the current request first. In addition, you can't retrieve the details of individual controls that apply to the standard or manage the controls.

**FAILED**  
Security Hub CSPM wasn't able to disable the standard for the account. One or more errors occurred when Security Hub CSPM attempted to disable the standard. In addition, Security Hub CSPM can't calculate a security score for the standard.  
To determine why the standard wasn't disabled completely, refer to the information in the `StandardsStatusReason` array. This array specifies issues that prevented Security Hub CSPM from disabling the standard.  
If a standard has this status, you can't retrieve the details of individual controls that apply to the standard or manage the controls. You can, however, re-enable the standard for the account. If you address the issues that prevented Security Hub CSPM from disabling the standard, you can also try to disable the standard again.

If the status of a standard is `READY`, Security Hub CSPM runs security checks and generates findings for all the controls that apply to the standard and are currently enabled. For other statuses, Security Hub CSPM might run checks and generate findings for some, but not all, enabled controls. It can take up to 24 hours to generate or update control findings. For more information, see [Schedule for running security checks](securityhub-standards-schedule.md).
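Automation that enables a standard and then immediately starts disabling controls or tuning parameters runs into the `PENDING` error described above, so the status machine is worth encoding once. The following is an added example, not Security Hub CSPM's own code: it polls `GetEnabledStandards` with backoff until the subscription is `READY`, stops on `INCOMPLETE`, `FAILED` or `DELETING` with the reason codes attached, reports whether controls can already be managed (`StandardsControlsUpdatable` = `READY_FOR_UPDATES` during `PENDING`), and maps each terminal state to the next step this page recommends. The fetcher is injected so the code runs offline against constructed responses; in production you would pass something like `lambda: client.get_enabled_standards(StandardsSubscriptionArns=[arn])`. Assumptions: the subscription ARN format (account ID is a placeholder), the reason codes `INTERNAL_ERROR` and `NO_AVAILABLE_CONFIGURATION_RECORDER` (the page mentions only an "internal error" and Amazon Config settings), and that `StandardsStatusReason` may arrive as either a single object or a list.

```python
"""Poll a standard subscription until it is usable, handling every StandardsStatus.

Added example, not Security Hub CSPM's own code. `fetch` is injected so this runs
offline against constructed GetEnabledStandards-shaped responses. The reason
codes INTERNAL_ERROR / NO_AVAILABLE_CONFIGURATION_RECORDER and the subscription
ARN layout are assumptions; StandardsStatusReason is accepted as object or list.
"""
import time


class StandardNotReady(Exception):
    def __init__(self, status, reasons):
        super().__init__(f"standard status {status}; reasons: {reasons or 'none'}")
        self.status, self.reasons = status, reasons


def _subscription(response, subscription_arn):
    for sub in response.get("StandardsSubscriptions", []):
        if sub.get("StandardsSubscriptionArn") == subscription_arn:
            return sub
    raise StandardNotReady("NOT_ENABLED", [])


def reason_codes(sub):
    """StatusReasonCode values, whether the field is a list or a single object."""
    raw = sub.get("StandardsStatusReason") or []
    items = raw if isinstance(raw, list) else [raw]
    return [r["StatusReasonCode"] for r in items if "StatusReasonCode" in r]


def controls_manageable(sub):
    """Can per-control calls (disable, parameter changes) succeed right now?"""
    status = sub["StandardsStatus"]
    if status == "READY":
        return True
    return status == "PENDING" and sub.get("StandardsControlsUpdatable") == "READY_FOR_UPDATES"


def recommended_action(sub):
    """Next step per status, following the guidance on this page."""
    status = sub["StandardsStatus"]
    if status == "READY":
        return "none"
    if status in ("PENDING", "DELETING"):
        return "wait"
    if status == "INCOMPLETE":
        if "INTERNAL_ERROR" in reason_codes(sub):
            return "re-enable the standard"
        return "check the Amazon Config recorder, or disable the controls you do not need"
    return "fix the reported issues, then disable again or re-enable"  # FAILED


def wait_for_standard(fetch, subscription_arn, *, attempts=20, base_delay=5.0,
                      max_delay=60.0, sleep=time.sleep):
    """Return the READY subscription; raise StandardNotReady otherwise."""
    delay = base_delay
    for _ in range(attempts):
        sub = _subscription(fetch(), subscription_arn)
        status = sub["StandardsStatus"]
        if status == "READY":
            return sub
        if status in ("INCOMPLETE", "FAILED", "DELETING"):
            # INCOMPLETE/FAILED carry StandardsStatusReason; DELETING means a
            # disable is in flight and re-enabling is refused until it finishes.
            raise StandardNotReady(status, reason_codes(sub))
        sleep(delay)  # PENDING: controls are still being created; back off
        delay = min(delay * 2, max_delay)
    raise StandardNotReady("TIMEOUT", [])


def make_fetcher(responses):
    """Serve constructed responses in order (stand-in for the real client)."""
    remaining = list(responses)
    return lambda: remaining.pop(0)


# Constructed; the account ID is a placeholder.
SUB_ARN = ("arn:aws-cn:securityhub:us-east-1:111111111111:subscription/"
           "aws-foundational-security-best-practices/v/1.0.0")


def _resp(status, updatable="NOT_READY_FOR_UPDATES", reason=None):
    sub = {"StandardsSubscriptionArn": SUB_ARN, "StandardsStatus": status,
           "StandardsControlsUpdatable": updatable}
    if reason:
        sub["StandardsStatusReason"] = {"StatusReasonCode": reason}
    return {"StandardsSubscriptions": [sub]}


HAPPY_PATH = [_resp("PENDING"), _resp("PENDING", "READY_FOR_UPDATES"),
              _resp("READY", "READY_FOR_UPDATES")]
NO_RECORDER = [_resp("INCOMPLETE", reason="NO_AVAILABLE_CONFIGURATION_RECORDER")]

if __name__ == "__main__":
    print(wait_for_standard(make_fetcher(HAPPY_PATH), SUB_ARN, sleep=lambda s: None))
```

The `sleep` parameter exists so the backoff is testable; leave it at its default in real use. Note that `READY_FOR_UPDATES` during `PENDING` lets you start disabling controls before the preliminary score exists, which is usually what a bootstrap script wants.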

# Reviewing the details of a security standard

After you enable a security standard in Amazon Security Hub CSPM, you can use the console to review the details of the standard. On the console, the details page for a standard includes the following information:
+ The current security score for the standard.
+ A table of controls that apply to the standard.
+ Aggregated statistics for controls that apply to the standard.
+ A visual summary of the status of the controls that apply to the standard.
+ A visual summary of security checks for controls that are enabled and apply to the standard. If you integrate with Amazon Organizations, controls that are enabled in at least one organization account are considered enabled.

To review these details, choose **Security standards** in the navigation pane on the console. Then, in the section for the standard, choose **View results**. For deeper analysis, you can filter and sort the data, and drill down to review the details of individual controls that apply to the standard.

**Topics**
+ [Understanding the standard security score](#standard-details-overview)
+ [Reviewing the controls for a standard](#standard-controls-list)

## Understanding the standard security score


On the Amazon Security Hub CSPM console, the details page for a standard displays the security score for the standard. The score is the percentage of controls that passed evaluation, relative to the total number of controls that apply to the standard, are enabled, and have evaluation data. Under the score is a chart that summarizes security checks for controls that are enabled for the standard. This includes the number of passed and failed security checks. For administrator accounts, the standard score and chart are aggregated across the administrator account and all member accounts. To review failed security checks for controls that have a specific severity, choose the severity.

When you enable a standard, Security Hub CSPM generates a preliminary security score for the standard, typically within 30 minutes of your first visit to the **Summary** page or the **Security standards** page on the Security Hub CSPM console. Scores are generated only for standards that are enabled when you visit those pages. In addition, Amazon Config resource recording must be configured for the scores to appear. In the China Regions and Amazon GovCloud (US) Regions, it can take up to 24 hours for Security Hub CSPM to generate a preliminary score. After Security Hub CSPM generates a preliminary score for a standard, it updates the score every 24 hours. For more information, see [Calculating security scores](standards-security-score.md).

All the data on **Security standards** detail pages is specific to the current Amazon Web Services Region unless you set an aggregation Region. If you set an aggregation Region, security scores apply across Regions and include findings for all linked Regions. In addition, the compliance status of controls reflects findings from linked Regions, and the number of security checks includes findings from linked Regions.

## Reviewing the controls for a standard


When you use the Amazon Security Hub CSPM console to review the details of a standard that you enabled, you can review a table of security controls that apply to the standard. For each control, the table includes the following information:
+ The control ID and title.
+ The status of the control. For more information, see [Evaluating compliance status and control status](controls-overall-status.md).
+ The severity assigned to the control.
+ The number of failed checks and the total number of checks. If applicable, the **Failed checks** field also specifies the number of findings with a status of **Unknown**.
+ Whether the control supports custom parameters. For more information, see [Understanding control parameters in Security Hub CSPM](custom-control-parameters.md).

Security Hub CSPM updates control statuses and the count of security checks every 24 hours. A timestamp at the top of the page indicates when Security Hub CSPM most recently updated this data.

For administrator accounts, control statuses and the number of security checks are aggregated across the administrator account and all member accounts. The count of enabled controls includes controls that are enabled for the standard in the administrator account or at least one member account. The count of disabled controls includes controls that are disabled for the standard in the administrator account and all member accounts.

You can filter the table of controls that apply to the standard. Using the **Filter by** options next to the table, you can choose to view only enabled or only disabled controls for the standard. If you display only enabled controls, you can further filter the table by control status. You can then focus on controls that have a specific control status. In addition to the **Filter by** options, you can enter filter criteria in the **Filter controls** box. For example, you can filter by control ID or title.

Choose your preferred access method. Then follow the steps to review the controls that apply to a standard that you enabled.

------
#### [ Security Hub CSPM console ]

**To review the controls for an enabled standard**

1. Open the Amazon Security Hub CSPM console at [https://console.amazonaws.cn/securityhub/](https://console.amazonaws.cn/securityhub/).

1. Choose **Security standards** in the navigation pane.

1. In the section for the standard, choose **View results**.

The table at the bottom of the page lists all the controls that apply to the standard. You can filter and sort the table. You can also download the current page of the table as a CSV file. To do this, choose **Download** above the table. If you filter the table, the downloaded file includes only the controls that match your current filter settings.

------
#### [ Security Hub CSPM API ]

**To review the controls for an enabled standard**

1. Use the [ListSecurityControlDefinitions](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_ListSecurityControlDefinitions.html) operation of the Security Hub CSPM API. If you're using the Amazon CLI, run the [list-security-control-definitions](https://docs.amazonaws.cn/cli/latest/reference/securityhub/list-security-control-definitions.html) command.

   Specify the Amazon Resource Name (ARN) of the standard that you want to review controls for. To obtain ARNs for standards, use the [DescribeStandards](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_DescribeStandards.html) operation or run the [describe-standards](https://docs.amazonaws.cn/cli/latest/reference/securityhub/describe-standards.html) command. If you don't specify the ARN for a standard, Security Hub CSPM returns the definitions of all security controls, not just those that apply to one standard.

1. Use the [ListStandardsControlAssociations](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_ListStandardsControlAssociations.html) operation of the Security Hub CSPM API, or run the [list-standards-control-associations](https://docs.amazonaws.cn/cli/latest/reference/securityhub/list-standards-control-associations.html) command. For each standard that a control belongs to, this operation returns the control's association status, which tells you whether the control is enabled or disabled in that standard.

   Identify the control by providing the security control ID or ARN. Pagination parameters are optional.

The following example tells you which standards the Config.1 control is enabled in.

```
$ aws securityhub list-standards-control-associations --region us-east-1 --security-control-id Config.1
```
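The two calls above return separate lists, so reproducing the console's per-standard control table means joining them. The script below is an added example, not code from the Security Hub CSPM documentation: it pages through ListSecurityControlDefinitions for one standard, looks up each control's association status in that standard, and flags controls that apply to the standard but are disabled (a disabled control generates no findings, so this is the list to review after a standard is enabled). It is written against the boto3 `securityhub` client method names (`list_security_control_definitions`, `list_standards_control_associations`) but accepts any object with those methods; the `FakeClient`, its control IDs, titles, severities and standards ARNs are constructed data so the script runs offline. Pass `boto3.client("securityhub")` instead to run it against an account.

```python
"""Join ListSecurityControlDefinitions with ListStandardsControlAssociations.

Added example (not AWS documentation code). Works with any client exposing the
boto3 securityhub method names; FakeClient below is a constructed stand-in.
"""
from typing import Callable, Iterator, List


def paginate(call: Callable[..., dict], result_key: str, **params) -> Iterator[dict]:
    """Follow NextToken until the service stops returning one."""
    token = None
    while True:
        kwargs = dict(params)
        if token:
            kwargs["NextToken"] = token
        page = call(**kwargs)
        yield from page.get(result_key, [])
        token = page.get("NextToken")
        if not token:
            return


def controls_for_standard(client, standards_arn: str) -> List[dict]:
    """One row per control that applies to the standard, with its enabled/disabled
    status in that standard. Sorted case-insensitively, as the console table is."""
    rows = []
    definitions = paginate(client.list_security_control_definitions,
                           "SecurityControlDefinitions", StandardsArn=standards_arn)
    for d in definitions:
        assocs = paginate(client.list_standards_control_associations,
                          "StandardsControlAssociationSummaries",
                          SecurityControlId=d["SecurityControlId"])
        # The control has one association per standard it belongs to; keep ours.
        status = next((a["AssociationStatus"] for a in assocs
                       if a["StandardsArn"] == standards_arn), "UNKNOWN")
        rows.append({"id": d["SecurityControlId"], "title": d["Title"],
                     "severity": d["SeverityRating"], "status": status})
    return sorted(rows, key=lambda r: r["id"].lower())


def disabled_controls(rows: List[dict]) -> List[str]:
    """Controls that apply to the standard but are switched off in it."""
    return [r["id"] for r in rows if r["status"] == "DISABLED"]


class FakeClient:
    """Constructed stand-in for boto3.client("securityhub"): a two-page definitions
    list and hand-written association statuses. Not real service data."""
    STD = "arn:aws:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0"
    OTHER = "arn:aws:securityhub:us-east-1::standards/nist-800-53/v/5.0.0"
    _defs = [
        {"SecurityControlId": "Account.1", "Title": "Security contact information should be provided", "SeverityRating": "MEDIUM"},
        {"SecurityControlId": "ACM.2", "Title": "RSA certificates should use a key length of at least 2,048 bits", "SeverityRating": "HIGH"},
        {"SecurityControlId": "APIGateway.1", "Title": "API Gateway execution logging should be enabled", "SeverityRating": "MEDIUM"},
        {"SecurityControlId": "AppSync.5", "Title": "AppSync GraphQL APIs should not be authenticated with API keys", "SeverityRating": "HIGH"},
    ]
    # (status in STD, status in OTHER); None means the control is not part of OTHER.
    _assoc = {
        "Account.1": ("ENABLED", "ENABLED"),
        "ACM.2": ("DISABLED", "ENABLED"),
        "APIGateway.1": ("ENABLED", "DISABLED"),
        "AppSync.5": ("ENABLED", None),
    }

    def list_security_control_definitions(self, StandardsArn, NextToken=None, MaxResults=None):
        if NextToken is None:
            return {"SecurityControlDefinitions": self._defs[:2], "NextToken": "page-2"}
        return {"SecurityControlDefinitions": self._defs[2:]}

    def list_standards_control_associations(self, SecurityControlId, NextToken=None, MaxResults=None):
        in_std, in_other = self._assoc[SecurityControlId]
        rows = [{"StandardsArn": self.STD, "SecurityControlId": SecurityControlId, "AssociationStatus": in_std}]
        if in_other:
            rows.append({"StandardsArn": self.OTHER, "SecurityControlId": SecurityControlId, "AssociationStatus": in_other})
        return {"StandardsControlAssociationSummaries": rows}


if __name__ == "__main__":
    table = controls_for_standard(FakeClient(), FakeClient.STD)
    for r in table:
        print(f'{r["id"]:<14} {r["severity"]:<8} {r["status"]:<9} {r["title"]}')
    print("disabled in this standard:", disabled_controls(table))
```

Against a real account, the caller's role needs `securityhub:ListSecurityControlDefinitions` and `securityhub:ListStandardsControlAssociations`, and the results are specific to the Region the client is created in, so run it per Region or from the aggregation Region.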

------

# Turning off automatically enabled security standards
Turning off auto-enabled standards

If your organization doesn't use central configuration, it uses a configuration type called *local configuration*. With local configuration, Amazon Security Hub CSPM can automatically enable default security standards for new member accounts when the accounts join your organization. All the controls that apply to these default standards are also enabled automatically.

Currently, the default security standards are the Amazon Foundational Security Best Practices standard and the Center for Internet Security (CIS) Amazon Foundations Benchmark v1.2.0 standard. For information about these standards, see the [Standards reference for Security Hub CSPM](standards-reference.md).

If you prefer to manually enable security standards for new member accounts, you can turn off automatic enablement of the default standards. You can do this only if you integrate with Amazon Organizations and use local configuration. If you use central configuration, you can instead create a configuration policy that enables the default standards and associate the policy with the root. All of your organization accounts and OUs then inherit this configuration policy unless they are associated with a different policy or are self-managed. If you don't integrate with Amazon Organizations, you can disable a default standard when you initially enable Security Hub CSPM or later. To learn how, see [Disabling a standard](disable-standards.md).

To turn off automatic enablement of the default standards for new member accounts, you can use the Security Hub CSPM console or the Security Hub CSPM API.

------
#### [ Security Hub CSPM console ]

Follow these steps to turn off automatic enablement of the default standards by using the Security Hub CSPM console.

**To turn off automatic enablement of default standards**

1. Open the Amazon Security Hub CSPM console at [https://console.amazonaws.cn/securityhub/](https://console.amazonaws.cn/securityhub/).

   Sign in using the credentials of the administrator account.

1. In the navigation pane, under **Settings**, choose **Configuration**.

1. In the **Overview** section, choose **Edit**.

1. Under **New account settings**, clear the **Enable the default security standards** checkbox.

1. Choose **Confirm**.

------
#### [ Security Hub CSPM API ]

To turn off automatic enablement of the default standards programmatically, from the Security Hub CSPM administrator account, use the [UpdateOrganizationConfiguration](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_UpdateOrganizationConfiguration.html) operation of the Security Hub CSPM API. In your request, specify `NONE` for the `AutoEnableStandards` parameter.

If you're using the Amazon CLI, run the [update-organization-configuration](https://docs.amazonaws.cn/cli/latest/reference/securityhub/update-organization-configuration.html) command to turn off automatic enablement of the default standards. For the `--auto-enable-standards` parameter, specify `NONE`. For example, the following command automatically enables Security Hub CSPM for new member accounts, and turns off automatic enablement of the default standards for the accounts.

```
$ aws securityhub update-organization-configuration --auto-enable --auto-enable-standards NONE
```

------

# Disabling a security standard
Disabling a standard

When you disable a security standard in Amazon Security Hub CSPM, the following occurs:
+ All the controls that apply to the standard are disabled, unless they're associated with another standard that's currently enabled.
+ Security checks for the disabled controls are no longer performed, and no additional findings are generated for the disabled controls.
+ Existing findings for the disabled controls are archived automatically after approximately 3-5 days.
+ Amazon Config rules that Security Hub CSPM created for the disabled controls are deleted.

Deletion of the appropriate Amazon Config rules typically occurs within a few minutes of disabling a standard. However, it might take longer. If the first request fails to delete the rules, Security Hub CSPM tries again every 12 hours. However, if you disabled Security Hub CSPM or don't have any other standards enabled, Security Hub CSPM can't try again, which means that it can't delete the rules. If this occurs and you need to delete the rules, contact Amazon Web Services Support.

**Topics**
+ [Disabling a standard in multiple accounts and Amazon Web Services Regions](#disable-standards-central-configuration)
+ [Disabling a standard in a single account and Amazon Web Services Region](#securityhub-standard-disable-console)

## Disabling a standard in multiple accounts and Amazon Web Services Regions


To disable a security standard across multiple accounts and Amazon Web Services Regions, use [central configuration](central-configuration-intro.md). With central configuration, the delegated Security Hub CSPM administrator can create Security Hub CSPM configuration policies that disable one or more standards. The administrator can then associate a configuration policy with individual accounts, organizational units (OUs), or the root. A configuration policy affects the home Region, also referred to as an *aggregation Region*, and all linked Regions.

Configuration policies offer customization options. For example, you might choose to disable the Payment Card Industry Data Security Standard (PCI DSS) in one OU. For another OU, you might choose to disable both the PCI DSS and the National Institute of Standards and Technology (NIST) SP 800-53 Rev. 5 standard. For information about creating a configuration policy that enables or disables individual standards that you specify, see [Creating and associating configuration policies](create-associate-policy.md).

**Note**  
The Security Hub CSPM administrator can use configuration policies to disable any standard except the [Amazon Control Tower service-managed standard](service-managed-standard-aws-control-tower.md). To disable this standard, the administrator must use Amazon Control Tower directly. They must also use Amazon Control Tower to disable or enable individual controls in this standard for a centrally managed account.

If you want some accounts to configure or disable standards for their own accounts, the Security Hub CSPM administrator can designate those accounts as *self-managed accounts*. Self-managed accounts must disable standards separately in each Region.

## Disabling a standard in a single account and Amazon Web Services Region


If you don't use central configuration or you have a self-managed account, you can't use configuration policies to centrally disable security standards in multiple accounts or Amazon Web Services Regions. However, you can disable a standard in a single account and Region. You can do this by using the Security Hub CSPM console or the Security Hub CSPM API. 

------
#### [ Security Hub CSPM console ]

Follow these steps to disable a standard in one account and Region by using the Security Hub CSPM console.

**To disable a standard in one account and Region**

1. Open the Amazon Security Hub CSPM console at [https://console.amazonaws.cn/securityhub/](https://console.amazonaws.cn/securityhub/).

1. By using the Amazon Web Services Region selector in the upper-right corner of the page, choose the Region in which you want to disable the standard.

1. In the navigation pane, choose **Security standards**.

1. In the section for the standard that you want to disable, choose **Disable standard**.

To disable the standard in additional Regions, repeat the preceding steps in each additional Region.

------
#### [ Security Hub CSPM API ]

To disable a standard programmatically in a single account and Region, use the [BatchDisableStandards](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_BatchDisableStandards.html) operation. Or, if you're using the Amazon Command Line Interface (Amazon CLI), run the [batch-disable-standards](https://docs.amazonaws.cn/cli/latest/reference/securityhub/batch-disable-standards.html) command.

In your request, use the `StandardsSubscriptionArns` parameter to specify the Amazon Resource Name (ARN) of the standard that you want to disable. If you're using the Amazon CLI, use the `standards-subscription-arns` parameter to specify the ARN. Also specify the Region that your request applies to. For example, the following command disables the Amazon Foundational Security Best Practices (FSBP) standard for an account (*123456789012*):

```
$ aws securityhub batch-disable-standards \
--standards-subscription-arns "arn:aws:securityhub:us-east-1:123456789012:subscription/aws-foundational-security-best-practices/v/1.0.0" \
--region us-east-1
```

Where *arn:aws:securityhub:us-east-1:123456789012:subscription/aws-foundational-security-best-practices/v/1.0.0* is the ARN of the FSBP standard for the account in the US East (N. Virginia) Region, and *us-east-1* is the Region in which to disable it.

To obtain the ARN for a standard, you can use the [GetEnabledStandards](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_GetEnabledStandards.html) operation. This operation retrieves information about the standards that are currently enabled in your account. If you're using the Amazon CLI, you can run the [get-enabled-standards](https://docs.amazonaws.cn/cli/latest/reference/securityhub/get-enabled-standards.html) command to retrieve this information.
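The resolve-then-disable sequence described above, as an added example that is not part of the documentation: rather than hand-writing the subscription ARN, the code reads it back from a GetEnabledStandards response, which keeps the partition, Region and account correct for the caller (the `arn:aws:` prefix in the example above is only right in the standard partition; China Regions, for instance, use `aws-cn`). It then builds the BatchDisableStandards request body and interprets the `StandardsStatus` values the call returns, since a `FAILED` or `INCOMPLETE` status means the standard's controls may still be running. The response dicts are constructed samples shaped like the API output, and the account ID is a placeholder; the functions take plain dicts, so the output of `aws securityhub get-enabled-standards` parsed with `json.loads` works as input.

```python
"""Resolve a standard's subscription ARN and build/inspect a BatchDisableStandards call.

Added example (not AWS documentation code). Input/output shapes follow the
GetEnabledStandards and BatchDisableStandards responses; sample data is constructed.
"""
from typing import Dict, List, Optional

# <name> segment of a standards ARN: arn:<partition>:securityhub:<region>::standards/<name>/v/<version>
FSBP = "aws-foundational-security-best-practices"


def standard_name(standards_arn: str) -> Optional[str]:
    """Extract <name> from a standards ARN; None if the ARN has no standards path."""
    if ":standards/" not in standards_arn:
        return None
    return standards_arn.split(":standards/", 1)[1].split("/", 1)[0]


def subscription_arn_for(enabled: dict, name: str) -> Optional[str]:
    """Find the StandardsSubscriptionArn for the named standard in a
    GetEnabledStandards response. None means it is not enabled here."""
    for sub in enabled.get("StandardsSubscriptions", []):
        if standard_name(sub.get("StandardsArn", "")) == name:
            return sub["StandardsSubscriptionArn"]
    return None


def disable_request(subscription_arns: List[str]) -> dict:
    """Request body for BatchDisableStandards (CLI: --standards-subscription-arns)."""
    if not subscription_arns:
        raise ValueError("no subscription ARNs: the standard is not enabled in this account and Region")
    return {"StandardsSubscriptionArns": list(subscription_arns)}


def summarize_status(response: dict) -> Dict[str, str]:
    """Map each subscription ARN in a BatchDisableStandards response to its StandardsStatus
    (PENDING, READY, FAILED, DELETING or INCOMPLETE)."""
    return {s["StandardsSubscriptionArn"]: s["StandardsStatus"]
            for s in response.get("StandardsSubscriptions", [])}


def needs_attention(response: dict) -> List[str]:
    """Subscriptions whose disable did not complete cleanly; their controls may still
    run and generate findings, so re-check the standard's status before relying on it."""
    return [arn for arn, st in summarize_status(response).items() if st in ("FAILED", "INCOMPLETE")]


# Constructed sample of `aws securityhub get-enabled-standards` output (placeholder account ID).
SAMPLE_ENABLED = {
    "StandardsSubscriptions": [
        {"StandardsArn": "arn:aws:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0",
         "StandardsSubscriptionArn": "arn:aws:securityhub:us-east-1:123456789012:subscription/aws-foundational-security-best-practices/v/1.0.0",
         "StandardsStatus": "READY"},
        {"StandardsArn": "arn:aws:securityhub:us-east-1::standards/nist-800-53/v/5.0.0",
         "StandardsSubscriptionArn": "arn:aws:securityhub:us-east-1:123456789012:subscription/nist-800-53/v/5.0.0",
         "StandardsStatus": "READY"},
    ]
}

# Constructed sample of the BatchDisableStandards response for the FSBP subscription.
SAMPLE_DISABLE_RESPONSE = {
    "StandardsSubscriptions": [
        {"StandardsSubscriptionArn": "arn:aws:securityhub:us-east-1:123456789012:subscription/aws-foundational-security-best-practices/v/1.0.0",
         "StandardsArn": "arn:aws:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0",
         "StandardsStatus": "DELETING"},
    ]
}

if __name__ == "__main__":
    arn = subscription_arn_for(SAMPLE_ENABLED, FSBP)
    print("request:", disable_request([arn]))
    print("status after call:", summarize_status(SAMPLE_DISABLE_RESPONSE))
    print("needs attention:", needs_attention(SAMPLE_DISABLE_RESPONSE))
```

GetEnabledStandards is paginated, so with many standards enabled pass `NextToken` back until none is returned before concluding a standard is absent. Because the subscription ARN embeds the Region, the same standard has a different ARN in each Region, which is why the procedure above has to be repeated per Region.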

------

After you disable a standard, Security Hub CSPM begins performing tasks to disable the standard in the account and the specified Region. This includes disabling all the controls that apply to the standard. To monitor the status of these tasks, you can [check the status of the standard](enable-standards.md#standard-subscription-status) for the account and Region.

# Understanding security controls in Security Hub CSPM
Controls

In Amazon Security Hub CSPM, a *security control*, also referred to as a *control*, is a safeguard within a security standard that helps an organization protect the confidentiality, integrity, and availability of its information. In Security Hub CSPM, a control is related to a specific Amazon resource.

When you enable a control in one or more standards, Security Hub CSPM begins running security checks on it. The security checks result in Security Hub CSPM findings. When you disable a control, Security Hub CSPM stops running security checks on it, and findings are no longer generated.

You can enable or disable controls individually for a single account and Amazon Web Services Region. To save time and reduce configuration drift in multi-account environments, we recommend using [central configuration](central-configuration-intro.md) to enable or disable controls. With central configuration, the delegated Security Hub CSPM administrator can create policies that specify how a control should be configured across multiple accounts and Regions. For more information about enabling and disabling controls, see [Enabling controls in Security Hub CSPM](securityhub-standards-enable-disable-controls.md).

## Consolidated controls view


The **Controls** page of the Security Hub CSPM console displays all of the controls available in the current Amazon Web Services Region (you can view controls in the context of a standard by visiting the **Security standards** page and choosing an enabled standard). Security Hub CSPM assigns controls a consistent security control ID, title, and description across standards. Control IDs include the relevant Amazon Web Services service and a unique number (for example, CodeBuild.3).

The following information is available on the **Controls** page of the [Security Hub CSPM console](https://console.amazonaws.cn/securityhub/):
+ An overall security score based on the proportion of passed controls compared to the total number of enabled controls with data.
+ A breakdown of control statuses across all supported Security Hub CSPM controls.
+ The total number of passed and failed security checks.
+ The number of failed security checks for controls of each severity, and links to view more details about those failed checks.
+ A list of Security Hub CSPM controls, with filters to view specific subsets of controls.

From the **Controls** page, you can choose a control to view its details and take action on the findings generated by the control. From this page, you can also enable or disable a security control in your current Amazon Web Services account and Amazon Web Services Region. Enablement and disablement actions from the **Controls** page apply across standards. For more information, see [Enabling controls in Security Hub CSPM](securityhub-standards-enable-disable-controls.md).

For administrator accounts, the **Controls** page reflects the status of controls across the member accounts. If a control check fails in at least one member account, the control status is **Failed**. If you have set an [aggregation Region](finding-aggregation.md), the **Controls** page reflects the status of controls across all linked Regions. If a control check fails in at least one linked Region, the control status is **Failed**.

Consolidated controls view causes changes to control finding fields in the Amazon Security Finding Format (ASFF) that may affect workflows. For more information, see [Consolidated controls view – ASFF changes](asff-changes-consolidation.md#securityhub-findings-format-consolidated-controls-view).

## Summary security score for controls


The **Controls** page displays a summary security score from 0–100 percent. The summary security score is calculated based on the proportion of passed controls compared to the total number of enabled controls with data across standards.

**Note**  
 To view the overall security score for controls, you must add permission to call **`BatchGetControlEvaluations`** to the IAM role that you use to access Security Hub CSPM. This permission isn't required to view security scores for specific standards. 

When you enable Security Hub CSPM, Security Hub CSPM calculates the initial security score within 30 minutes after your first visit to the **Summary** page or **Security standards** page on the Security Hub CSPM console. It can take up to 24 hours for first-time security scores to be generated in the China Regions and Amazon GovCloud (US) Regions.

In addition to the overall security score, Security Hub CSPM calculates a standard security score for each enabled standard within 30 minutes after your first visit to the **Summary** page or **Security standards** page. To view a list of standards that are currently enabled, use the [GetEnabledStandards](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_GetEnabledStandards.html) API operation.

Amazon Config must be enabled with resource recording for scores to appear. For information about how Security Hub CSPM calculates security scores, see [Calculating security scores](standards-security-score.md).

After first-time score generation, Security Hub CSPM updates security scores every 24 hours. Security Hub CSPM displays a timestamp to indicate when a security score was last updated.

If you have set an aggregation Region, the overall security score reflects control findings across linked Regions.
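The score arithmetic described in this section and in the standard score section earlier on this page, worked through as an added example (not AWS code): passed controls divided by enabled controls that have evaluation data, with the administrator-account rollup where a control counts as **Failed** if it fails in any member account or linked Region, and as disabled only if it is disabled everywhere. The status names mirror the console's control statuses (Passed, Failed, Unknown, No data, Disabled) and the per-account evaluations and severities are constructed. Two assumptions are not spelled out on this page and are marked in the code: a control with status Unknown is treated as having data but not passing, and a control that an account never evaluated is treated as No data there. The example is deliberately set up so that each account looks healthy on its own while the organization-wide score is low, which is the aggregation behaviour the text describes.

```python
"""Security Hub CSPM security score arithmetic, per the documentation's definition.

Added example (not AWS code). Status names mirror the console; weighting of
UNKNOWN and of unevaluated controls is an assumption (see comments). Sample data
is constructed.
"""
from collections import Counter
from typing import Dict, Iterable, Mapping, Optional

PASSED, FAILED, UNKNOWN, NO_DATA, DISABLED = "PASSED", "FAILED", "UNKNOWN", "NO_DATA", "DISABLED"


def aggregate_status(statuses: Iterable[str]) -> str:
    """Roll one control up across accounts or Regions.
    Any failure anywhere fails the control. It is disabled only if it is disabled
    (or unevaluated) in every scope. UNKNOWN wins over PASSED (assumption: an
    unknown result is not evidence of compliance)."""
    seen = set(statuses)
    if FAILED in seen:
        return FAILED
    if seen <= {DISABLED, NO_DATA}:
        return DISABLED if DISABLED in seen else NO_DATA
    if UNKNOWN in seen:
        return UNKNOWN
    return PASSED


def security_score(control_status: Mapping[str, str]) -> Optional[float]:
    """Percentage of PASSED over controls that are enabled and have data.
    DISABLED and NO_DATA controls are excluded from the denominator; UNKNOWN is
    counted as having data (assumption). None when nothing has data yet, which is
    when the console shows no score."""
    counted = [s for s in control_status.values() if s not in (DISABLED, NO_DATA)]
    if not counted:
        return None
    return round(100.0 * counted.count(PASSED) / len(counted), 1)


def aggregate_controls(evaluations: Mapping[str, Mapping[str, str]]) -> Dict[str, str]:
    """evaluations[scope][control_id] -> status, where a scope is a member account
    or a linked Region. A control missing from a scope is treated as NO_DATA there
    (assumption). Returns the administrator's aggregated view."""
    control_ids = {c for per_scope in evaluations.values() for c in per_scope}
    return {
        c: aggregate_status(per_scope.get(c, NO_DATA) for per_scope in evaluations.values())
        for c in sorted(control_ids, key=str.lower)
    }


def failed_by_severity(control_status: Mapping[str, str], severity: Mapping[str, str]) -> Dict[str, int]:
    """The 'failed checks by severity' breakdown the console shows under the score."""
    return dict(Counter(severity[c] for c, s in control_status.items() if s == FAILED))


# Constructed sample: three member accounts (placeholder IDs) evaluating the same standard.
SEVERITY = {"Account.1": "MEDIUM", "ACM.2": "HIGH", "APIGateway.1": "MEDIUM", "AppSync.5": "HIGH"}
SAMPLE = {
    "111111111111": {"Account.1": PASSED, "ACM.2": PASSED, "APIGateway.1": DISABLED, "AppSync.5": NO_DATA},
    "222222222222": {"Account.1": FAILED, "ACM.2": PASSED, "APIGateway.1": DISABLED, "AppSync.5": UNKNOWN},
    "333333333333": {"Account.1": PASSED, "ACM.2": PASSED},  # the other two controls never evaluated here
}

if __name__ == "__main__":
    for account, statuses in SAMPLE.items():
        print(account, "score:", security_score(statuses))
    org = aggregate_controls(SAMPLE)
    print("administrator view:", org)
    print("organization score:", security_score(org))
    print("failed by severity:", failed_by_severity(org, SEVERITY))
```

Two accounts score 100% and the third 33.3%, yet the administrator's aggregated score is 33.3%: Account.1 fails in one account and so fails overall, and AppSync.5 is Unknown in one account and so is neither passed nor excluded. When a low organization-wide score looks inconsistent with member-account scores, this rollup is usually the reason.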

# Control reference for Security Hub CSPM
Controls reference

This control reference provides a table of available Amazon Security Hub CSPM controls with links to more information about each control. In the table, controls are listed in alphabetical order by control ID. Only controls in active use by Security Hub CSPM are included here. Retired controls are excluded from the table.

The table provides the following information for each control:
+ **Security control ID** – This ID applies across standards and indicates the Amazon Web Services service and resource that the control relates to. The Security Hub CSPM console displays security control IDs, regardless of whether [consolidated control findings](controls-findings-create-update.md#consolidated-control-findings) is turned on or off in your account. However, Security Hub CSPM findings reference security control IDs only if consolidated control findings is turned on in your account. If consolidated control findings is turned off in your account, some control IDs vary by standard in your control findings. For a mapping of standard-specific control IDs to security control IDs, see [How consolidation impacts control IDs and titles](asff-changes-consolidation.md#securityhub-findings-format-changes-ids-titles).

  If you want to set up [automations](automations.md) for security controls, we recommend filtering based on control ID rather than title or description. Security Hub CSPM may occasionally update control titles or descriptions, but control IDs stay the same.

  Control IDs may skip numbers. These are placeholders for future controls.
+ **Security control title** – This title applies across standards. The Security Hub CSPM console displays security control titles, regardless of whether consolidated control findings is turned on or off in your account. However, Security Hub CSPM findings reference security control titles only if consolidated control findings is turned on in your account. If consolidated control findings is turned off in your account, some control titles vary by standard in your control findings. For a mapping of standard-specific control IDs and titles to security control IDs and titles, see [How consolidation impacts control IDs and titles](asff-changes-consolidation.md#securityhub-findings-format-changes-ids-titles).
+ **Applicable standards** – Indicates which standards a control applies to. Choose a control to review specific requirements from third-party compliance frameworks.
+ **Severity** – The severity of a control identifies its importance from a security standpoint. For information about how Security Hub CSPM determines control severity, see [Severity levels for control findings](controls-findings-create-update.md#control-findings-severity).
+ **Supports custom parameters** – Indicates whether the control supports custom values for one or more parameters. Choose a control to review the parameter details. For more information, see [Understanding control parameters in Security Hub CSPM](custom-control-parameters.md).
+ **Schedule type** – Indicates when the control is evaluated. For more information, see [Schedule for running security checks](securityhub-standards-schedule.md).

Choose a control to review additional details. Controls are listed in alphabetical order by security control ID.


| Security control ID | Security control title | Applicable standards | Severity | Supports custom parameters | Schedule type | 
| --- | --- | --- | --- | --- | --- | 
| [Account.1](account-controls.md#account-1)  | Security contact information should be provided for an Amazon Web Services account  | CIS Amazon Foundations Benchmark v5.0.0, CIS Amazon Foundations Benchmark v3.0.0, Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5  | MEDIUM  | ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  | Periodic  | 
|  [Account.2](account-controls.md#account-2)  |  Amazon Web Services account should be part of an Amazon Organizations organization  |  NIST SP 800-53 Rev. 5  |  HIGH  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Periodic  | 
|  [ACM.1](acm-controls.md#acm-1)  |  Imported and ACM-issued certificates should be renewed after a specified time period  |  Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, NIST SP 800-171 Rev. 2, PCI DSS v4.0.1 |  MEDIUM  |  ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes  |  Change triggered and periodic  | 
|  [ACM.2](acm-controls.md#acm-2)  |  RSA certificates managed by ACM should use a key length of at least 2,048 bits  | Amazon Foundational Security Best Practices v1.0.0, PCI DSS v4.0.1 |  HIGH  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [ACM.3](acm-controls.md#acm-3)  | ACM certificates should be tagged | Amazon Resource Tagging Standard | LOW | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [Amplify.1](amplify-controls.md#amplify-1)  | Amplify apps should be tagged | Amazon Resource Tagging Standard | LOW | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [Amplify.2](amplify-controls.md#amplify-2)  | Amplify branches should be tagged | Amazon Resource Tagging Standard | LOW | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [APIGateway.1](apigateway-controls.md#apigateway-1)  |  API Gateway REST and WebSocket API execution logging should be enabled  |  Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5  |  MEDIUM  |  ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes  |  Change triggered  | 
|  [APIGateway.2](apigateway-controls.md#apigateway-2)  |  API Gateway REST API stages should be configured to use SSL certificates for backend authentication  |  Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, NIST SP 800-171 Rev. 2  |  MEDIUM  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [APIGateway.3](apigateway-controls.md#apigateway-3)  |  API Gateway REST API stages should have Amazon X-Ray tracing enabled  |  Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5  |  LOW  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [APIGateway.4](apigateway-controls.md#apigateway-4)  |  API Gateway should be associated with a WAF Web ACL  |  Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5  |  MEDIUM  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [APIGateway.5](apigateway-controls.md#apigateway-5)  |  API Gateway REST API cache data should be encrypted at rest  |  Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5  |  MEDIUM  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [APIGateway.8](apigateway-controls.md#apigateway-8)  |  API Gateway routes should specify an authorization type  |  Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5  |  MEDIUM  |  ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes  |  Periodic  | 
|  [APIGateway.9](apigateway-controls.md#apigateway-9)  |  Access logging should be configured for API Gateway V2 Stages  |  Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 |  MEDIUM  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [APIGateway.10](apigateway-controls.md#apigateway-10)  |  API Gateway V2 integrations should use HTTPS for private connections  |  Amazon Foundational Security Best Practices v1.0.0  |  MEDIUM  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [APIGateway.11](apigateway-controls.md#apigateway-11)  |  API Gateway domain names should use recommended security policies  |  Amazon Foundational Security Best Practices  |  MEDIUM  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [AppConfig.1](appconfig-controls.md#appconfig-1)  | Amazon AppConfig applications should be tagged | Amazon Resource Tagging Standard | LOW | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [AppConfig.2](appconfig-controls.md#appconfig-2)  | Amazon AppConfig configuration profiles should be tagged | Amazon Resource Tagging Standard | LOW | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [AppConfig.3](appconfig-controls.md#appconfig-3)  | Amazon AppConfig environments should be tagged | Amazon Resource Tagging Standard | LOW | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [AppConfig.4](appconfig-controls.md#appconfig-4)  | Amazon AppConfig extension associations should be tagged | Amazon Resource Tagging Standard | LOW | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [AppFlow.1](appflow-controls.md#appflow-1)  | Amazon AppFlow flows should be tagged | Amazon Resource Tagging Standard | LOW | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [AppRunner.1](apprunner-controls.md#apprunner-1)  | App Runner services should be tagged | Amazon Resource Tagging Standard | LOW | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [AppRunner.2](apprunner-controls.md#apprunner-2)  | App Runner VPC connectors should be tagged | Amazon Resource Tagging Standard | LOW | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [AppSync.2](appsync-controls.md#appsync-2)  |  Amazon AppSync should have field-level logging enabled  |  Amazon Foundational Security Best Practices v1.0.0, PCI DSS v4.0.1 |  MEDIUM  |  ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes  |  Change triggered  | 
|  [AppSync.4](appsync-controls.md#appsync-4)  | Amazon AppSync GraphQL APIs should be tagged | Amazon Resource Tagging Standard | LOW | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [AppSync.5](appsync-controls.md#appsync-5)  |  Amazon AppSync GraphQL APIs should not be authenticated with API keys  |  Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5  |  HIGH  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [Athena.2](athena-controls.md#athena-2)  | Athena data catalogs should be tagged | Amazon Resource Tagging Standard | LOW | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [Athena.3](athena-controls.md#athena-3)  | Athena workgroups should be tagged | Amazon Resource Tagging Standard | LOW | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [Athena.4](athena-controls.md#athena-4)  | Athena workgroups should have logging enabled | Amazon Foundational Security Best Practices | MEDIUM | ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No | Change triggered | 
|  [AutoScaling.1](autoscaling-controls.md#autoscaling-1)  | Auto Scaling groups associated with a load balancer should use ELB health checks | Amazon Foundational Security Best Practices, PCI DSS v3.2.1, NIST SP 800-53 Rev. 5 | LOW | ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No | Change triggered | 
|  [AutoScaling.2](autoscaling-controls.md#autoscaling-2)  |  Amazon EC2 Auto Scaling group should cover multiple Availability Zones  |  Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5  |  MEDIUM  |  ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes  |  Change triggered  | 
|  [AutoScaling.3](autoscaling-controls.md#autoscaling-3)  |  Auto Scaling group launch configurations should configure EC2 instances to require Instance Metadata Service Version 2 (IMDSv2)  |  Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 |  HIGH  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [Autoscaling.5](autoscaling-controls.md#autoscaling-5)  |  Amazon EC2 instances launched using Auto Scaling group launch configurations should not have public IP addresses  |  Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 |  HIGH  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [AutoScaling.6](autoscaling-controls.md#autoscaling-6)  |  Auto Scaling groups should use multiple instance types in multiple Availability Zones  |  Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5  |  MEDIUM  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [AutoScaling.9](autoscaling-controls.md#autoscaling-9)  |  EC2 Auto Scaling groups should use EC2 launch templates  |  Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5  |  MEDIUM  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [AutoScaling.10](autoscaling-controls.md#autoscaling-10)  | EC2 Auto Scaling groups should be tagged | Amazon Resource Tagging Standard | LOW | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [Backup.1](backup-controls.md#backup-1)  |  Amazon Backup recovery points should be encrypted at rest  |  Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5  |  MEDIUM  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [Backup.2](backup-controls.md#backup-2)  | Amazon Backup recovery points should be tagged | Amazon Resource Tagging Standard | LOW | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [Backup.3](backup-controls.md#backup-3)  | Amazon Backup vaults should be tagged | Amazon Resource Tagging Standard | LOW | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [Backup.4](backup-controls.md#backup-4)  | Amazon Backup report plans should be tagged | Amazon Resource Tagging Standard | LOW | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [Backup.5](backup-controls.md#backup-5)  | Amazon Backup backup plans should be tagged | Amazon Resource Tagging Standard | LOW | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [Batch.1](batch-controls.md#batch-1)  | Batch job queues should be tagged | Amazon Resource Tagging Standard | LOW | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [Batch.2](batch-controls.md#batch-2)  | Batch scheduling policies should be tagged | Amazon Resource Tagging Standard | LOW | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [Batch.3](batch-controls.md#batch-3)  | Batch compute environments should be tagged | Amazon Resource Tagging Standard | LOW | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [Batch.4](batch-controls.md#batch-4)  | Compute resources properties in managed Batch compute environments should be tagged | Amazon Resource Tagging Standard | LOW | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [CloudFormation.2](cloudformation-controls.md#cloudformation-2)  | CloudFormation stacks should be tagged | Amazon Resource Tagging Standard | LOW | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [CloudFormation.3](cloudformation-controls.md#cloudformation-3)  | CloudFormation stacks should have termination protection enabled | Amazon Foundational Security Best Practices | MEDIUM | ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No | Change triggered | 
|  [CloudFormation.4](cloudformation-controls.md#cloudformation-4)  | CloudFormation stacks should have associated service roles | Amazon Foundational Security Best Practices | MEDIUM | ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No | Change triggered | 
|  [CloudFront.1](cloudfront-controls.md#cloudfront-1)  | CloudFront distributions should have a default root object configured | Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 | HIGH | ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No | Change triggered | 
|  [CloudFront.3](cloudfront-controls.md#cloudfront-3)  |  CloudFront distributions should require encryption in transit  |  Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 |  MEDIUM  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [CloudFront.4](cloudfront-controls.md#cloudfront-4)  |  CloudFront distributions should have origin failover configured  |  Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5  |  LOW  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [CloudFront.5](cloudfront-controls.md#cloudfront-5)  |  CloudFront distributions should have logging enabled  |  Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 |  MEDIUM  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [CloudFront.6](cloudfront-controls.md#cloudfront-6)  |  CloudFront distributions should have WAF enabled  |  Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 |  MEDIUM  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [CloudFront.7](cloudfront-controls.md#cloudfront-7)  |  CloudFront distributions should use custom SSL/TLS certificates  |  Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, NIST SP 800-171 Rev. 2  | LOW |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [CloudFront.8](cloudfront-controls.md#cloudfront-8)  |  CloudFront distributions should use SNI to serve HTTPS requests  |  Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5  |  LOW  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [CloudFront.9](cloudfront-controls.md#cloudfront-9)  |  CloudFront distributions should encrypt traffic to custom origins  |  Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 |  MEDIUM  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [CloudFront.10](cloudfront-controls.md#cloudfront-10)  |  CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins  |  Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, NIST SP 800-171 Rev. 2, PCI DSS v4.0.1 |  MEDIUM  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [CloudFront.12](cloudfront-controls.md#cloudfront-12)  |  CloudFront distributions should not point to non-existent S3 origins  |  Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 |  HIGH  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Periodic  | 
|  [CloudFront.13](cloudfront-controls.md#cloudfront-13)  |  CloudFront distributions should use origin access control  |  Amazon Foundational Security Best Practices v1.0.0  |  MEDIUM  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [CloudFront.14](cloudfront-controls.md#cloudfront-14)  | CloudFront distributions should be tagged | Amazon Resource Tagging Standard | LOW | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [CloudFront.15](cloudfront-controls.md#cloudfront-15)  | CloudFront distributions should use the recommended TLS security policy | Amazon Foundational Security Best Practices v1.0.0 | MEDIUM | ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No | Change triggered | 
|  [CloudFront.16](cloudfront-controls.md#cloudfront-16)  | CloudFront distributions should use origin access control for Lambda function URL origins | Amazon Foundational Security Best Practices v1.0.0 | MEDIUM | ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No | Change triggered | 
|  [CloudFront.17](cloudfront-controls.md#cloudfront-17)  | CloudFront distributions should use trusted key groups for signed URLs and cookies | Amazon Foundational Security Best Practices v1.0.0 | MEDIUM | ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No | Change triggered | 
|  [CloudTrail.1](cloudtrail-controls.md#cloudtrail-1)  | CloudTrail should be enabled and configured with at least one multi-Region trail that includes read and write management events | CIS Amazon Foundations Benchmark v5.0.0, CIS Amazon Foundations Benchmark v3.0.0, CIS Amazon Foundations Benchmark v1.4.0, CIS Amazon Foundations Benchmark v1.2.0, Amazon Foundational Security Best Practices, NIST SP 800-53 Rev. 5 | HIGH | ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No | Periodic | 
|  [CloudTrail.2](cloudtrail-controls.md#cloudtrail-2)  |  CloudTrail should have encryption at-rest enabled  | CIS Amazon Foundations Benchmark v5.0.0, CIS Amazon Foundations Benchmark v3.0.0, CIS Amazon Foundations Benchmark v1.4.0, CIS Amazon Foundations Benchmark v1.2.0, Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, NIST SP 800-171 Rev. 2, PCI DSS v3.2.1, PCI DSS v4.0.1 |  MEDIUM  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Periodic  | 
|  [CloudTrail.3](cloudtrail-controls.md#cloudtrail-3)  | At least one CloudTrail trail should be enabled | NIST SP 800-171 Rev. 2, PCI DSS v4.0.1, PCI DSS v3.2.1 | HIGH | ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No | Periodic | 
|  [CloudTrail.4](cloudtrail-controls.md#cloudtrail-4)  |  CloudTrail log file validation should be enabled  | CIS Amazon Foundations Benchmark v5.0.0, CIS Amazon Foundations Benchmark v3.0.0, CIS Amazon Foundations Benchmark v1.4.0, CIS Amazon Foundations Benchmark v1.2.0, Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, NIST SP 800-171 Rev. 2, PCI DSS v4.0.1, PCI DSS v3.2.1 |  LOW  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Periodic  | 
|  [CloudTrail.5](cloudtrail-controls.md#cloudtrail-5)  |  CloudTrail trails should be integrated with Amazon CloudWatch Logs  | CIS Amazon Foundations Benchmark v1.2.0, CIS Amazon Foundations Benchmark v1.4.0, Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v3.2.1, PCI DSS v4.0.1 | MEDIUM |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Periodic  | 
|  [CloudTrail.6](cloudtrail-controls.md#cloudtrail-6)  |  Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible  |  CIS Amazon Foundations Benchmark v1.2.0, CIS Amazon Foundations Benchmark v1.4.0, PCI DSS v4.0.1 |  CRITICAL  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered and periodic  | 
|  [CloudTrail.7](cloudtrail-controls.md#cloudtrail-7)  |  Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket  | CIS Amazon Foundations Benchmark v5.0.0, CIS Amazon Foundations Benchmark v3.0.0, CIS Amazon Foundations Benchmark v1.4.0, CIS Amazon Foundations Benchmark v1.2.0, PCI DSS v4.0.1 |  LOW  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Periodic  | 
|  [CloudTrail.9](cloudtrail-controls.md#cloudtrail-9)  | CloudTrail trails should be tagged | Amazon Resource Tagging Standard | LOW | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [CloudTrail.10](cloudtrail-controls.md#cloudtrail-10)  | CloudTrail Lake event data stores should be encrypted with customer managed Amazon KMS keys | NIST SP 800-53 Rev. 5 | MEDIUM | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Periodic | 
|  [CloudWatch.1](cloudwatch-controls.md#cloudwatch-1)  |  A log metric filter and alarm should exist for usage of the "root" user  | CIS Amazon Foundations Benchmark v1.4.0, CIS Amazon Foundations Benchmark v1.2.0, NIST SP 800-171 Rev. 2, PCI DSS v3.2.1 |  LOW  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Periodic  | 
|  [CloudWatch.2](cloudwatch-controls.md#cloudwatch-2)  |  Ensure a log metric filter and alarm exist for unauthorized API calls  | CIS Amazon Foundations Benchmark v1.2.0, NIST SP 800-171 Rev. 2 |  LOW  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Periodic  | 
|  [CloudWatch.3](cloudwatch-controls.md#cloudwatch-3)  |  Ensure a log metric filter and alarm exist for Management Console sign-in without MFA  | CIS Amazon Foundations Benchmark v1.2.0  |  LOW  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Periodic  | 
|  [CloudWatch.4](cloudwatch-controls.md#cloudwatch-4)  |  Ensure a log metric filter and alarm exist for IAM policy changes  | CIS Amazon Foundations Benchmark v1.4.0, CIS Amazon Foundations Benchmark v1.2.0, NIST SP 800-171 Rev. 2 |  LOW  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Periodic  | 
|  [CloudWatch.5](cloudwatch-controls.md#cloudwatch-5)  |  Ensure a log metric filter and alarm exist for CloudTrail configuration changes  | CIS Amazon Foundations Benchmark v1.4.0, CIS Amazon Foundations Benchmark v1.2.0, NIST SP 800-171 Rev. 2 |  LOW  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Periodic  | 
|  [CloudWatch.6](cloudwatch-controls.md#cloudwatch-6)  |  Ensure a log metric filter and alarm exist for Amazon Web Services Management Console authentication failures  | CIS Amazon Foundations Benchmark v1.4.0, CIS Amazon Foundations Benchmark v1.2.0, NIST SP 800-171 Rev. 2 |  LOW  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Periodic  | 
|  [CloudWatch.7](cloudwatch-controls.md#cloudwatch-7)  |  Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs  | CIS Amazon Foundations Benchmark v1.4.0, CIS Amazon Foundations Benchmark v1.2.0, NIST SP 800-171 Rev. 2  |  LOW  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Periodic  | 
|  [CloudWatch.8](cloudwatch-controls.md#cloudwatch-8)  |  Ensure a log metric filter and alarm exist for S3 bucket policy changes  | CIS Amazon Foundations Benchmark v1.4.0, CIS Amazon Foundations Benchmark v1.2.0, NIST SP 800-171 Rev. 2 |  LOW  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Periodic  | 
|  [CloudWatch.9](cloudwatch-controls.md#cloudwatch-9)  |  Ensure a log metric filter and alarm exist for Amazon Config configuration changes  | CIS Amazon Foundations Benchmark v1.4.0, CIS Amazon Foundations Benchmark v1.2.0, NIST SP 800-171 Rev. 2  |  LOW  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Periodic  | 
|  [CloudWatch.10](cloudwatch-controls.md#cloudwatch-10)  |  Ensure a log metric filter and alarm exist for security group changes  | CIS Amazon Foundations Benchmark v1.4.0, CIS Amazon Foundations Benchmark v1.2.0, NIST SP 800-171 Rev. 2 |  LOW  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Periodic  | 
|  [CloudWatch.11](cloudwatch-controls.md#cloudwatch-11)  |  Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)  | CIS Amazon Foundations Benchmark v1.4.0, CIS Amazon Foundations Benchmark v1.2.0, NIST SP 800-171 Rev. 2  |  LOW  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Periodic  | 
|  [CloudWatch.12](cloudwatch-controls.md#cloudwatch-12)  |  Ensure a log metric filter and alarm exist for changes to network gateways  | CIS Amazon Foundations Benchmark v1.4.0, CIS Amazon Foundations Benchmark v1.2.0, NIST SP 800-171 Rev. 2 |  LOW  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Periodic  | 
|  [CloudWatch.13](cloudwatch-controls.md#cloudwatch-13)  |  Ensure a log metric filter and alarm exist for route table changes  | CIS Amazon Foundations Benchmark v1.4.0, CIS Amazon Foundations Benchmark v1.2.0, NIST SP 800-171 Rev. 2  |  LOW  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Periodic  | 
|  [CloudWatch.14](cloudwatch-controls.md#cloudwatch-14)  |  Ensure a log metric filter and alarm exist for VPC changes  | CIS Amazon Foundations Benchmark v1.4.0, CIS Amazon Foundations Benchmark v1.2.0, NIST SP 800-171 Rev. 2 |  LOW  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Periodic  | 
|  [CloudWatch.15](cloudwatch-controls.md#cloudwatch-15)  |  CloudWatch alarms should have specified actions configured  | NIST SP 800-53 Rev. 5, NIST SP 800-171 Rev. 2 |  HIGH  |  ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes  |  Change triggered  | 
|  [CloudWatch.16](cloudwatch-controls.md#cloudwatch-16)  |  CloudWatch log groups should be retained for a specified time period  |  NIST SP 800-53 Rev. 5  |  MEDIUM  |  ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes  |  Periodic  | 
|  [CloudWatch.17](cloudwatch-controls.md#cloudwatch-17)  |  CloudWatch alarm actions should be enabled  |  NIST SP 800-53 Rev. 5  |  HIGH  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [CodeArtifact.1](codeartifact-controls.md#codeartifact-1)  | CodeArtifact repositories should be tagged | Amazon Resource Tagging Standard | LOW | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [CodeBuild.1](codebuild-controls.md#codebuild-1)  | CodeBuild Bitbucket source repository URLs should not contain sensitive credentials | Amazon Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v3.2.1, PCI DSS v4.0.1 | CRITICAL | ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No | Change triggered | 
|  [CodeBuild.2](codebuild-controls.md#codebuild-2)  |  CodeBuild project environment variables should not contain clear text credentials  | Amazon Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v3.2.1, PCI DSS v4.0.1 |  CRITICAL  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [CodeBuild.3](codebuild-controls.md#codebuild-3)  |  CodeBuild S3 logs should be encrypted  | Amazon Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 |  LOW  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [CodeBuild.4](codebuild-controls.md#codebuild-4)  |  CodeBuild project environments should have a logging configuration  |  Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5  |  MEDIUM  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [CodeBuild.7](codebuild-controls.md#codebuild-7)  | CodeBuild report group exports should be encrypted at rest | Amazon Foundational Security Best Practices | MEDIUM | ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No | Change triggered | 
|  [CodeGuruProfiler.1](codeguruprofiler-controls.md#codeguruprofiler-1)  | CodeGuru Profiler profiling groups should be tagged | Amazon Resource Tagging Standard | LOW | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [CodeGuruReviewer.1](codegurureviewer-controls.md#codegurureviewer-1)  | CodeGuru Reviewer repository associations should be tagged | Amazon Resource Tagging Standard | LOW | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [Cognito.1](cognito-controls.md#cognito-1)  | Cognito user pools should have threat protection activated with full function enforcement mode for standard authentication | Amazon Foundational Security Best Practices | MEDIUM | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [Cognito.2](cognito-controls.md#cognito-2)  | Cognito identity pools should not allow unauthenticated identities | Amazon Foundational Security Best Practices | MEDIUM | ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No | Change triggered | 
|  [Cognito.3](cognito-controls.md#cognito-3)  | Password policies for Cognito user pools should have strong configurations | Amazon Foundational Security Best Practices | MEDIUM | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [Cognito.4](cognito-controls.md#cognito-4)  | Cognito user pools should have threat protection activated with full function enforcement mode for custom authentication | Amazon Foundational Security Best Practices | MEDIUM | ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No | Change triggered | 
|  [Cognito.5](cognito-controls.md#cognito-5)  | MFA should be enabled for Cognito user pools | Amazon Foundational Security Best Practices | MEDIUM | ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No | Change triggered | 
|  [Cognito.6](cognito-controls.md#cognito-6)  | Cognito user pools should have deletion protection enabled | Amazon Foundational Security Best Practices | MEDIUM | ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No | Change triggered | 
|  [Config.1](config-controls.md#config-1)  | Amazon Config should be enabled and use the service-linked role for resource recording | CIS Amazon Foundations Benchmark v5.0.0, CIS Amazon Foundations Benchmark v3.0.0, CIS Amazon Foundations Benchmark v1.4.0, CIS Amazon Foundations Benchmark v1.2.0, Amazon Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v3.2.1 | CRITICAL | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Periodic | 
|  [Connect.1](connect-controls.md#connect-1)  | Amazon Connect Customer Profiles object types should be tagged | Amazon Resource Tagging Standard | LOW | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [Connect.2](connect-controls.md#connect-2)  | Amazon Connect instances should have CloudWatch logging enabled | Amazon Foundational Security Best Practices | MEDIUM | ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No | Change triggered | 
|  [DataFirehose.1](datafirehose-controls.md#datafirehose-1)  | Firehose delivery streams should be encrypted at rest | Amazon Foundational Security Best Practices, NIST SP 800-53 Rev. 5 | MEDIUM | ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No | Periodic | 
|  [DataSync.1](datasync-controls.md#datasync-1)  | DataSync tasks should have logging enabled | Amazon Foundational Security Best Practices | MEDIUM | ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No | Change triggered | 
|  [DataSync.2](datasync-controls.md#datasync-2)  | DataSync tasks should be tagged | Amazon Resource Tagging Standard | LOW | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [Detective.1](detective-controls.md#detective-1)  | Detective behavior graphs should be tagged | Amazon Resource Tagging Standard | LOW | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [DMS.1](dms-controls.md#dms-1)  |  Database Migration Service replication instances should not be public  | Amazon Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v3.2.1, PCI DSS v4.0.1 |  CRITICAL  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Periodic  | 
|  [DMS.2](dms-controls.md#dms-2)  | DMS certificates should be tagged | Amazon Resource Tagging Standard | LOW | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [DMS.3](dms-controls.md#dms-3)  | DMS event subscriptions should be tagged | Amazon Resource Tagging Standard | LOW | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [DMS.4](dms-controls.md#dms-4)  | DMS replication instances should be tagged | Amazon Resource Tagging Standard | LOW | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [DMS.5](dms-controls.md#dms-5)  | DMS replication subnet groups should be tagged | Amazon Resource Tagging Standard | LOW | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [DMS.6](dms-controls.md#dms-6)  |  DMS replication instances should have automatic minor version upgrade enabled  | Amazon Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 |  MEDIUM  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [DMS.7](dms-controls.md#dms-7)  |  DMS replication tasks for the target database should have logging enabled  | Amazon Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 |  MEDIUM  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [DMS.8](dms-controls.md#dms-8)  |  DMS replication tasks for the source database should have logging enabled  | Amazon Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 |  MEDIUM  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [DMS.9](dms-controls.md#dms-9)  |  DMS endpoints should use SSL  | Amazon Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 |  MEDIUM  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [DMS.10](dms-controls.md#dms-10)  | DMS endpoints for Neptune databases should have IAM authorization enabled | Amazon Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 | MEDIUM | ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No | Change triggered | 
|  [DMS.11](dms-controls.md#dms-11)  | DMS endpoints for MongoDB should have an authentication mechanism enabled | Amazon Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 | MEDIUM | ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No | Change triggered | 
|  [DMS.12](dms-controls.md#dms-12)  | DMS endpoints for Redis OSS should have TLS enabled | Amazon Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 | MEDIUM | ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No | Change triggered | 
|  [DMS.13](dms-controls.md#dms-13)  | DMS replication instances should be configured to use multiple Availability Zones | Amazon Foundational Security Best Practices | MEDIUM | ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No | Change triggered | 
|  [DocumentDB.1](documentdb-controls.md#documentdb-1)  |  Amazon DocumentDB clusters should be encrypted at rest  |  Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5  |  MEDIUM  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [DocumentDB.2](documentdb-controls.md#documentdb-2)  |  Amazon DocumentDB clusters should have an adequate backup retention period  | Amazon Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1  |  MEDIUM  |  ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes  |  Change triggered  | 
|  [DocumentDB.3](documentdb-controls.md#documentdb-3)  |  Amazon DocumentDB manual cluster snapshots should not be public  | Amazon Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 |  CRITICAL  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [DocumentDB.4](documentdb-controls.md#documentdb-4)  |  Amazon DocumentDB clusters should publish audit logs to CloudWatch Logs  | Amazon Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 |  MEDIUM  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [DocumentDB.5](documentdb-controls.md#documentdb-5)  |  Amazon DocumentDB clusters should have deletion protection enabled  |  Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5  |  MEDIUM  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [DocumentDB.6](documentdb-controls.md#documentdb-6)  | Amazon DocumentDB clusters should be encrypted in transit | Amazon Foundational Security Best Practices | MEDIUM | ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No | Periodic | 
|  [DynamoDB.1](dynamodb-controls.md#dynamodb-1)  |  DynamoDB tables should automatically scale capacity with demand  |  Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5  |  MEDIUM  |  ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes  |  Periodic  | 
|  [DynamoDB.2](dynamodb-controls.md#dynamodb-2)  |  DynamoDB tables should have point-in-time recovery enabled  |  Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5  |  MEDIUM  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [DynamoDB.3](dynamodb-controls.md#dynamodb-3)  |  DynamoDB Accelerator (DAX) clusters should be encrypted at rest  |  Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5  |  MEDIUM  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Periodic  | 
|  [DynamoDB.4](dynamodb-controls.md#dynamodb-4)  |  DynamoDB tables should be present in a backup plan  |  NIST SP 800-53 Rev. 5  |  MEDIUM  |  ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes  |  Periodic  | 
|  [DynamoDB.5](dynamodb-controls.md#dynamodb-5)  | DynamoDB tables should be tagged | Amazon Resource Tagging Standard | LOW | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [DynamoDB.6](dynamodb-controls.md#dynamodb-6)  |  DynamoDB tables should have deletion protection enabled  |  Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5  |  MEDIUM  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [DynamoDB.7](dynamodb-controls.md#dynamodb-7)  | DynamoDB Accelerator clusters should be encrypted in transit | Amazon Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 | MEDIUM | ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No | Periodic | 
|  [EC2.1](ec2-controls.md#ec2-1)  |  EBS snapshots should not be publicly restorable  |  Amazon Foundational Security Best Practices v1.0.0, PCI DSS v3.2.1, NIST SP 800-53 Rev. 5  |  CRITICAL  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Periodic  | 
|  [EC2.2](ec2-controls.md#ec2-2)  |  VPC default security groups should not allow inbound or outbound traffic  | CIS Amazon Foundations Benchmark v5.0.0, CIS Amazon Foundations Benchmark v3.0.0, CIS Amazon Foundations Benchmark v1.2.0, Amazon Foundational Security Best Practices v1.0.0, PCI DSS v3.2.1, CIS Amazon Foundations Benchmark v1.4.0, NIST SP 800-53 Rev. 5  |  HIGH  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [EC2.3](ec2-controls.md#ec2-3)  |  Attached EBS volumes should be encrypted at-rest  |  Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5  |  MEDIUM  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [EC2.4](ec2-controls.md#ec2-4)  |  Stopped EC2 instances should be removed after a specified time period  |  Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5  |  MEDIUM  |  ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes  |  Periodic  | 
|  [EC2.6](ec2-controls.md#ec2-6)  |  VPC flow logging should be enabled in all VPCs  | CIS Amazon Foundations Benchmark v5.0.0, CIS Amazon Foundations Benchmark v3.0.0, CIS Amazon Foundations Benchmark v1.2.0, Amazon Foundational Security Best Practices v1.0.0, PCI DSS v3.2.1, CIS Amazon Foundations Benchmark v1.4.0, NIST SP 800-53 Rev. 5, NIST SP 800-171 Rev. 2  |  MEDIUM  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Periodic  | 
|  [EC2.7](ec2-controls.md#ec2-7)  |  EBS default encryption should be enabled  | CIS Amazon Foundations Benchmark v5.0.0, CIS Amazon Foundations Benchmark v3.0.0, Amazon Foundational Security Best Practices v1.0.0, CIS Amazon Foundations Benchmark v1.4.0, NIST SP 800-53 Rev. 5  |  MEDIUM  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Periodic  | 
|  [EC2.8](ec2-controls.md#ec2-8)  |  EC2 instances should use Instance Metadata Service Version 2 (IMDSv2)  | CIS Amazon Foundations Benchmark v5.0.0, CIS Amazon Foundations Benchmark v3.0.0, Amazon Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 |  HIGH  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [EC2.9](ec2-controls.md#ec2-9)  |  EC2 instances should not have a public IPv4 address  |  Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5  |  HIGH  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [EC2.10](ec2-controls.md#ec2-10)  |  Amazon EC2 should be configured to use VPC endpoints that are created for the Amazon EC2 service  |  Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, NIST SP 800-171 Rev. 2  |  MEDIUM  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Periodic  | 
|  [EC2.12](ec2-controls.md#ec2-12)  |  Unused EC2 EIPs should be removed  |  PCI DSS v3.2.1, NIST SP 800-53 Rev. 5  |  LOW  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [EC2.13](ec2-controls.md#ec2-13)  | Security groups should not allow ingress from 0.0.0.0/0 or ::/0 to port 22 | CIS Amazon Foundations Benchmark v1.2.0, PCI DSS v3.2.1, PCI DSS v4.0.1, NIST SP 800-53 Rev. 5, NIST SP 800-171 Rev. 2 | HIGH | ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No | Change triggered and periodic | 
|  [EC2.14](ec2-controls.md#ec2-14)  | Security groups should not allow ingress from 0.0.0.0/0 or ::/0 to port 3389 | CIS Amazon Foundations Benchmark v1.2.0, PCI DSS v4.0.1 | HIGH | ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No | Change triggered and periodic | 
|  [EC2.15](ec2-controls.md#ec2-15)  |  EC2 subnets should not automatically assign public IP addresses  | Amazon Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 |  MEDIUM  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [EC2.16](ec2-controls.md#ec2-16)  |  Unused Network Access Control Lists should be removed  | Amazon Foundational Security Best Practices, NIST SP 800-53 Rev. 5, NIST SP 800-171 Rev. 2, PCI DSS v4.0.1 |  LOW  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [EC2.17](ec2-controls.md#ec2-17)  |  EC2 instances should not use multiple ENIs  |  Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5  |  LOW  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [EC2.18](ec2-controls.md#ec2-18)  |  Security groups should only allow unrestricted incoming traffic for authorized ports  |  Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, NIST SP 800-171 Rev. 2  |  HIGH  |  ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes  |  Change triggered  | 
|  [EC2.19](ec2-controls.md#ec2-19)  | Security groups should not allow unrestricted access to ports with high risk | Amazon Foundational Security Best Practices, NIST SP 800-53 Rev. 5, NIST SP 800-171 Rev. 2 | CRITICAL | ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No | Change triggered and periodic | 
|  [EC2.20](ec2-controls.md#ec2-20)  |  Both VPN tunnels for an Amazon Site-to-Site VPN connection should be up  |  Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, NIST SP 800-171 Rev. 2  |  MEDIUM  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [EC2.21](ec2-controls.md#ec2-21)  |  Network ACLs should not allow ingress from 0.0.0.0/0 to port 22 or port 3389  | CIS Amazon Foundations Benchmark v5.0.0, CIS Amazon Foundations Benchmark v3.0.0, CIS Amazon Foundations Benchmark v1.4.0, Amazon Foundational Security Best Practices, NIST SP 800-53 Rev. 5, NIST SP 800-171 Rev. 2, PCI DSS v4.0.1 |  MEDIUM  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [EC2.22](ec2-controls.md#ec2-22)  | Unused EC2 security groups should be removed |   | MEDIUM | ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No | Periodic | 
|  [EC2.23](ec2-controls.md#ec2-23)  |  EC2 Transit Gateways should not automatically accept VPC attachment requests  |  Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5  |  HIGH  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [EC2.24](ec2-controls.md#ec2-24)  |  EC2 paravirtual instance types should not be used  |  Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5  |  MEDIUM  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [EC2.25](ec2-controls.md#ec2-25)  |  EC2 launch templates should not assign public IPs to network interfaces  | Amazon Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 |  HIGH  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [EC2.28](ec2-controls.md#ec2-28)  |  EBS volumes should be in a backup plan  |  NIST SP 800-53 Rev. 5  |  LOW  |  ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes  |  Periodic  | 
|  [EC2.33](ec2-controls.md#ec2-33)  | EC2 transit gateway attachments should be tagged | Amazon Resource Tagging Standard | LOW | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [EC2.34](ec2-controls.md#ec2-34)  | EC2 transit gateway route tables should be tagged | Amazon Resource Tagging Standard | LOW | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [EC2.35](ec2-controls.md#ec2-35)  | EC2 network interfaces should be tagged | Amazon Resource Tagging Standard | LOW | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [EC2.36](ec2-controls.md#ec2-36)  | EC2 customer gateways should be tagged | Amazon Resource Tagging Standard | LOW | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [EC2.37](ec2-controls.md#ec2-37)  | EC2 Elastic IP addresses should be tagged | Amazon Resource Tagging Standard | LOW | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [EC2.38](ec2-controls.md#ec2-38)  | EC2 instances should be tagged | Amazon Resource Tagging Standard | LOW | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [EC2.39](ec2-controls.md#ec2-39)  | EC2 internet gateways should be tagged | Amazon Resource Tagging Standard | LOW | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [EC2.40](ec2-controls.md#ec2-40)  | EC2 NAT gateways should be tagged | Amazon Resource Tagging Standard | LOW | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [EC2.41](ec2-controls.md#ec2-41)  | EC2 network ACLs should be tagged | Amazon Resource Tagging Standard | LOW | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [EC2.42](ec2-controls.md#ec2-42)  | EC2 route tables should be tagged | Amazon Resource Tagging Standard | LOW | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [EC2.43](ec2-controls.md#ec2-43)  | EC2 security groups should be tagged | Amazon Resource Tagging Standard | LOW | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [EC2.44](ec2-controls.md#ec2-44)  | EC2 subnets should be tagged | Amazon Resource Tagging Standard | LOW | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [EC2.45](ec2-controls.md#ec2-45)  | EC2 volumes should be tagged | Amazon Resource Tagging Standard | LOW | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [EC2.46](ec2-controls.md#ec2-46)  | Amazon VPCs should be tagged | Amazon Resource Tagging Standard | LOW | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [EC2.47](ec2-controls.md#ec2-47)  | Amazon VPC endpoint services should be tagged | Amazon Resource Tagging Standard | LOW | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [EC2.48](ec2-controls.md#ec2-48)  | Amazon VPC flow logs should be tagged | Amazon Resource Tagging Standard | LOW | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [EC2.49](ec2-controls.md#ec2-49)  | Amazon VPC peering connections should be tagged | Amazon Resource Tagging Standard | LOW | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [EC2.50](ec2-controls.md#ec2-50)  | EC2 VPN gateways should be tagged | Amazon Resource Tagging Standard | LOW | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [EC2.51](ec2-controls.md#ec2-51)  |  EC2 Client VPN endpoints should have client connection logging enabled  | Amazon Foundational Security Best Practices, NIST SP 800-53 Rev. 5, NIST SP 800-171 Rev. 2, PCI DSS v4.0.1 |  LOW  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [EC2.52](ec2-controls.md#ec2-52)  | EC2 transit gateways should be tagged | Amazon Resource Tagging Standard | LOW | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [EC2.53](ec2-controls.md#ec2-53)  | EC2 security groups should not allow ingress from 0.0.0.0/0 to remote server administration ports | CIS Amazon Foundations Benchmark v5.0.0, CIS Amazon Foundations Benchmark v3.0.0, PCI DSS v4.0.1 | HIGH | ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No | Periodic | 
|  [EC2.54](ec2-controls.md#ec2-54)  | EC2 security groups should not allow ingress from ::/0 to remote server administration ports | CIS Amazon Foundations Benchmark v5.0.0, CIS Amazon Foundations Benchmark v3.0.0, PCI DSS v4.0.1 | HIGH | ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No | Periodic | 
|  [EC2.55](ec2-controls.md#ec2-55)  | VPCs should be configured with an interface endpoint for ECR API | Amazon Foundational Security Best Practices, NIST SP 800-53 Rev. 5 | MEDIUM | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Periodic | 
|  [EC2.56](ec2-controls.md#ec2-56)  | VPCs should be configured with an interface endpoint for Docker Registry | Amazon Foundational Security Best Practices, NIST SP 800-53 Rev. 5 | MEDIUM | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Periodic | 
|  [EC2.57](ec2-controls.md#ec2-57)  | VPCs should be configured with an interface endpoint for Systems Manager | Amazon Foundational Security Best Practices, NIST SP 800-53 Rev. 5 | MEDIUM | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Periodic | 
|  [EC2.58](ec2-controls.md#ec2-58)  | VPCs should be configured with an interface endpoint for Systems Manager Incident Manager Contacts | Amazon Foundational Security Best Practices, NIST SP 800-53 Rev. 5 | MEDIUM | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Periodic | 
|  [EC2.60](ec2-controls.md#ec2-60)  | VPCs should be configured with an interface endpoint for Systems Manager Incident Manager | Amazon Foundational Security Best Practices, NIST SP 800-53 Rev. 5 | MEDIUM | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Periodic | 
|  [EC2.170](ec2-controls.md#ec2-170)  | EC2 launch templates should use Instance Metadata Service Version 2 (IMDSv2) | Amazon Foundational Security Best Practices, PCI DSS v4.0.1 | LOW | ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No | Change triggered | 
|  [EC2.171](ec2-controls.md#ec2-171)  | EC2 VPN connections should have logging enabled | Amazon Foundational Security Best Practices, PCI DSS v4.0.1 | MEDIUM | ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No | Change triggered | 
|  [EC2.172](ec2-controls.md#ec2-172)  | EC2 VPC Block Public Access settings should block internet gateway traffic | Amazon Foundational Security Best Practices | MEDIUM | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [EC2.173](ec2-controls.md#ec2-173)  | EC2 Spot Fleet requests with launch parameters should enable encryption for attached EBS volumes | Amazon Foundational Security Best Practices | MEDIUM | ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No | Change triggered | 
|  [EC2.174](ec2-controls.md#ec2-174)  | EC2 DHCP option sets should be tagged | Amazon Resource Tagging Standard | LOW | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [EC2.175](ec2-controls.md#ec2-175)  | EC2 launch templates should be tagged | Amazon Resource Tagging Standard | LOW | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [EC2.176](ec2-controls.md#ec2-176)  | EC2 prefix lists should be tagged | Amazon Resource Tagging Standard | LOW | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [EC2.177](ec2-controls.md#ec2-177)  | EC2 traffic mirror sessions should be tagged | Amazon Resource Tagging Standard | LOW | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [EC2.178](ec2-controls.md#ec2-178)  | EC2 traffic mirror filters should be tagged | Amazon Resource Tagging Standard | LOW | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [EC2.179](ec2-controls.md#ec2-179)  | EC2 traffic mirror targets should be tagged | Amazon Resource Tagging Standard | LOW | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [EC2.180](ec2-controls.md#ec2-180)  | EC2 network interfaces should have source/destination checking enabled | Amazon Foundational Security Best Practices v1.0.0 | MEDIUM | ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No | Change triggered | 
|  [EC2.181](ec2-controls.md#ec2-181)  | EC2 launch templates should enable encryption for attached EBS volumes | Amazon Foundational Security Best Practices v1.0.0 | MEDIUM | ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No | Change triggered | 
|  [EC2.182](ec2-controls.md#ec2-182)  | EBS Snapshots should not be publicly accessible | Amazon Foundational Security Best Practices | HIGH | ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No | Change triggered | 
|  [EC2.183](ec2-controls.md#ec2-183)  | EC2 VPN connections should use IKEv2 protocol | Amazon Foundational Security Best Practices | MEDIUM | ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No | Change triggered | 
|  [ECR.1](ecr-controls.md#ecr-1)  |  ECR private repositories should have image scanning configured  | Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 |  HIGH  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Periodic  | 
|  [ECR.2](ecr-controls.md#ecr-2)  |  ECR private repositories should have tag immutability configured  |  Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5  |  MEDIUM  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [ECR.3](ecr-controls.md#ecr-3)  |  ECR repositories should have at least one lifecycle policy configured  |  Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5  |  MEDIUM  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [ECR.4](ecr-controls.md#ecr-4)  | ECR public repositories should be tagged | Amazon Resource Tagging Standard | LOW | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [ECR.5](ecr-controls.md#ecr-5)  | ECR repositories should be encrypted with customer managed Amazon KMS keys | NIST SP 800-53 Rev. 5 | MEDIUM | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [ECS.2](ecs-controls.md#ecs-2)  |  ECS services should not have public IP addresses assigned to them automatically  | Amazon Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 |  HIGH  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [ECS.3](ecs-controls.md#ecs-3)  |  ECS task definitions should not share the host's process namespace  |  Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5  |  HIGH  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [ECS.4](ecs-controls.md#ecs-4)  |  ECS containers should run as non-privileged  |  Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5  |  HIGH  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [ECS.5](ecs-controls.md#ecs-5)  |  ECS containers should be limited to read-only access to root filesystems  |  Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5  |  HIGH  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [ECS.8](ecs-controls.md#ecs-8)  |  Secrets should not be passed as container environment variables  | Amazon Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 |  HIGH  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [ECS.9](ecs-controls.md#ecs-9)  |  ECS task definitions should have a logging configuration  |  Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5  |  HIGH  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [ECS.10](ecs-controls.md#ecs-10)  |  ECS Fargate services should run on the latest Fargate platform version  | Amazon Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 |  MEDIUM  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [ECS.12](ecs-controls.md#ecs-12)  |  ECS clusters should use Container Insights  |  Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5  |  MEDIUM  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [ECS.13](ecs-controls.md#ecs-13)  | ECS services should be tagged | Amazon Resource Tagging Standard | LOW | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [ECS.14](ecs-controls.md#ecs-14)  | ECS clusters should be tagged | Amazon Resource Tagging Standard | LOW | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [ECS.15](ecs-controls.md#ecs-15)  | ECS task definitions should be tagged | Amazon Resource Tagging Standard | LOW | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [ECS.16](ecs-controls.md#ecs-16)  | ECS task sets should not automatically assign public IP addresses | Amazon Foundational Security Best Practices, PCI DSS v4.0.1 | HIGH | ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No | Change triggered | 
|  [ECS.17](ecs-controls.md#ecs-17)  | ECS task definitions should not use host network mode | NIST SP 800-53 Rev. 5 | MEDIUM | ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No | Change triggered | 
|  [ECS.18](ecs-controls.md#ecs-18)  | ECS Task Definitions should use in-transit encryption for EFS volumes | Amazon Foundational Security Best Practices | MEDIUM | ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No | Change triggered | 
|  [ECS.19](ecs-controls.md#ecs-19)  | ECS capacity providers should have managed termination protection enabled | Amazon Foundational Security Best Practices | MEDIUM | ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No | Change triggered | 
|  [ECS.20](ecs-controls.md#ecs-20)  | ECS Task Definitions should configure non-root users in Linux container definitions | Amazon Foundational Security Best Practices | MEDIUM | ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No | Change triggered | 
|  [ECS.21](ecs-controls.md#ecs-21)  | ECS Task Definitions should configure non-administrator users in Windows container definitions | Amazon Foundational Security Best Practices | MEDIUM | ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No | Change triggered | 
|  [EFS.1](efs-controls.md#efs-1)  |  Elastic File System should be configured to encrypt file data at-rest using Amazon KMS  | CIS Amazon Foundations Benchmark v5.0.0, CIS Amazon Foundations Benchmark v3.0.0, Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5  |  MEDIUM  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Periodic  | 
|  [EFS.2](efs-controls.md#efs-2)  |  Amazon EFS volumes should be in backup plans  |  Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5  |  MEDIUM  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Periodic  | 
|  [EFS.3](efs-controls.md#efs-3)  |  EFS access points should enforce a root directory  |  Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5  |  MEDIUM  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [EFS.4](efs-controls.md#efs-4)  |  EFS access points should enforce a user identity  | Amazon Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 |  MEDIUM  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [EFS.5](efs-controls.md#efs-5)  | EFS access points should be tagged | Amazon Resource Tagging Standard | LOW | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [EFS.6](efs-controls.md#efs-6)  | EFS mount targets should not be associated with subnets that assign public IP addresses on launch | Amazon Foundational Security Best Practices | MEDIUM | ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No | Periodic | 
|  [EFS.7](efs-controls.md#efs-7)  | EFS file systems should have automatic backups enabled | Amazon Foundational Security Best Practices | MEDIUM | ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No | Change triggered | 
|  [EFS.8](efs-controls.md#efs-8)  | EFS file systems should be encrypted at rest | CIS Amazon Foundations Benchmark v5.0.0, Amazon Foundational Security Best Practices | MEDIUM | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [EKS.1](eks-controls.md#eks-1)  |  EKS cluster endpoints should not be publicly accessible  | Amazon Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 |  HIGH  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Periodic  | 
|  [EKS.2](eks-controls.md#eks-2)  |  EKS clusters should run on a supported Kubernetes version  | Amazon Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 |  HIGH  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [EKS.3](eks-controls.md#eks-3)  | EKS clusters should use encrypted Kubernetes secrets | Amazon Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 | MEDIUM | ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No | Periodic | 
|  [EKS.6](eks-controls.md#eks-6)  | EKS clusters should be tagged | Amazon Resource Tagging Standard | LOW | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [EKS.7](eks-controls.md#eks-7)  | EKS identity provider configurations should be tagged | Amazon Resource Tagging Standard | LOW | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [EKS.8](eks-controls.md#eks-8)  |  EKS clusters should have audit logging enabled  | Amazon Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 |  MEDIUM  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [EKS.9](eks-controls.md#eks-9)  | EKS node groups should run on a supported Kubernetes version | Amazon Foundational Security Best Practices | HIGH | ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No | Change triggered | 
|  [ElastiCache.1](elasticache-controls.md#elasticache-1)  | ElastiCache (Redis OSS) clusters should have automatic backups enabled | Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 | HIGH | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Periodic | 
|  [ElastiCache.2](elasticache-controls.md#elasticache-2)  |  ElastiCache clusters should have automatic minor version upgrades enabled | Amazon Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 |  HIGH  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Periodic  | 
|  [ElastiCache.3](elasticache-controls.md#elasticache-3)  | ElastiCache replication groups should have automatic failover enabled  |  Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5  |  MEDIUM  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Periodic  | 
|  [ElastiCache.4](elasticache-controls.md#elasticache-4)  | ElastiCache replication groups should be encrypted-at-rest |  Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5  |  MEDIUM  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Periodic  | 
|  [ElastiCache.5](elasticache-controls.md#elasticache-5)  | ElastiCache replication groups should be encrypted-in-transit | Amazon Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 |  MEDIUM  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Periodic  | 
|  [ElastiCache.6](elasticache-controls.md#elasticache-6)  |  ElastiCache (Redis OSS) replication groups of earlier versions should have Redis OSS AUTH enabled  | Amazon Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 |  MEDIUM  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Periodic  | 
|  [ElastiCache.7](elasticache-controls.md#elasticache-7)  | ElastiCache clusters should not use the default subnet group |  Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5  |  HIGH  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Periodic  | 
|  [ElasticBeanstalk.1](elasticbeanstalk-controls.md#elasticbeanstalk-1)  |  Elastic Beanstalk environments should have enhanced health reporting enabled  |  Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5  |  LOW  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [ElasticBeanstalk.2](elasticbeanstalk-controls.md#elasticbeanstalk-2)  |  Elastic Beanstalk managed platform updates should be enabled  | Amazon Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 |  HIGH  |  ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes  |  Change triggered  | 
|  [ElasticBeanstalk.3](elasticbeanstalk-controls.md#elasticbeanstalk-3)  |  Elastic Beanstalk should stream logs to CloudWatch  | Amazon Foundational Security Best Practices, PCI DSS v4.0.1 |  HIGH  |  ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes  |  Change triggered  | 
|  [ELB.1](elb-controls.md#elb-1)  |  Application Load Balancer should be configured to redirect all HTTP requests to HTTPS  |  Amazon Foundational Security Best Practices v1.0.0, PCI DSS v3.2.1, NIST SP 800-53 Rev. 5  |  MEDIUM  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Periodic  | 
|  [ELB.2](elb-controls.md#elb-2)  |  Classic Load Balancers with SSL/HTTPS listeners should use a certificate provided by Amazon Certificate Manager  |  Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, NIST SP 800-171 Rev. 2  |  MEDIUM  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [ELB.3](elb-controls.md#elb-3)  |  Classic Load Balancer listeners should be configured with HTTPS or TLS termination  | Amazon Foundational Security Best Practices, NIST SP 800-53 Rev. 5, NIST SP 800-171 Rev. 2, PCI DSS v4.0.1 |  MEDIUM  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [ELB.4](elb-controls.md#elb-4)  |  Application Load Balancer should be configured to drop http headers  | Amazon Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 |  MEDIUM  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [ELB.5](elb-controls.md#elb-5)  |  Application and Classic Load Balancers logging should be enabled  |  Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5  |  MEDIUM  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [ELB.6](elb-controls.md#elb-6)  | Application, Gateway, and Network Load Balancers should have deletion protection enabled | Amazon Foundational Security Best Practices, NIST SP 800-53 Rev. 5 | MEDIUM | ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No | Change triggered | 
|  [ELB.7](elb-controls.md#elb-7)  |  Classic Load Balancers should have connection draining enabled  |  Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5  | LOW |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [ELB.8](elb-controls.md#elb-8)  |  Classic Load Balancers with SSL listeners should use a predefined security policy that has strong configuration  | Amazon Foundational Security Best Practices, NIST SP 800-53 Rev. 5, NIST SP 800-171 Rev. 2, PCI DSS v4.0.1 |  MEDIUM  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [ELB.9](elb-controls.md#elb-9)  |  Classic Load Balancers should have cross-zone load balancing enabled  |  Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5  |  MEDIUM  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [ELB.10](elb-controls.md#elb-10)  |  Classic Load Balancer should span multiple Availability Zones  |  Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5  |  MEDIUM  |  ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes  |  Change triggered  | 
|  [ELB.12](elb-controls.md#elb-12)  |  Application Load Balancer should be configured with defensive or strictest desync mitigation mode  | Amazon Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 |  MEDIUM  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [ELB.13](elb-controls.md#elb-13)  |  Application, Network and Gateway Load Balancers should span multiple Availability Zones  |  Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5  |  MEDIUM  |  ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes  |  Change triggered  | 
|  [ELB.14](elb-controls.md#elb-14)  |  Classic Load Balancer should be configured with defensive or strictest desync mitigation mode  | Amazon Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 |  MEDIUM  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [ELB.16](elb-controls.md#elb-16)  |  Application Load Balancers should be associated with an Amazon WAF web ACL  |  NIST SP 800-53 Rev. 5  |  MEDIUM  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [ELB.17](elb-controls.md#elb-17)  | Application and Network Load Balancers with listeners should use recommended security policies  |  Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5  |  MEDIUM  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [ELB.18](elb-controls.md#elb-18)  | Application and Network Load Balancer listeners should use secure protocols to encrypt data in transit | Amazon Foundational Security Best Practices v1.0.0 | MEDIUM | ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No | Change triggered | 
|  [ELB.21](elb-controls.md#elb-21)  |  Application and Network Load Balancer target groups should use encrypted health check protocols  |  Amazon Foundational Security Best Practices v1.0.0  |  MEDIUM  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [ELB.22](elb-controls.md#elb-22)  |  ELB target groups should use encrypted transport protocols  |  Amazon Foundational Security Best Practices v1.0.0  |  MEDIUM  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [EMR.1](emr-controls.md#emr-1)  | Amazon EMR cluster primary nodes should not have public IP addresses | Amazon Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 | HIGH | ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No | Periodic | 
|  [EMR.2](emr-controls.md#emr-2)  | Amazon EMR block public access setting should be enabled | Amazon Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 | CRITICAL | ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No | Periodic | 
|  [EMR.3](emr-controls.md#emr-3)  | Amazon EMR security configurations should be encrypted at rest | Amazon Foundational Security Best Practices, NIST SP 800-53 Rev. 5 | MEDIUM | ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No | Change triggered | 
|  [EMR.4](emr-controls.md#emr-4)  | Amazon EMR security configurations should be encrypted in transit | Amazon Foundational Security Best Practices, NIST SP 800-53 Rev. 5 | MEDIUM | ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No | Change triggered | 
|  [ES.1](es-controls.md#es-1)  |  Elasticsearch domains should have encryption at-rest enabled  |  Amazon Foundational Security Best Practices v1.0.0, PCI DSS v3.2.1, NIST SP 800-53 Rev. 5  |  MEDIUM  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Periodic  | 
|  [ES.2](es-controls.md#es-2)  |  Elasticsearch domains should not be publicly accessible  | Amazon Foundational Security Best Practices, PCI DSS v3.2.1, PCI DSS v4.0.1, NIST SP 800-53 Rev. 5  |  CRITICAL  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Periodic  | 
|  [ES.3](es-controls.md#es-3)  |  Elasticsearch domains should encrypt data sent between nodes  | Amazon Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 |  MEDIUM  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [ES.4](es-controls.md#es-4)  |  Elasticsearch domain error logging to CloudWatch Logs should be enabled  |  Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5  |  MEDIUM  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [ES.5](es-controls.md#es-5)  |  Elasticsearch domains should have audit logging enabled  | Amazon Foundational Security Best Practices, NIST SP 800-53 Rev. 5 |  MEDIUM  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [ES.6](es-controls.md#es-6)  |  Elasticsearch domains should have at least three data nodes  |  Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5  |  MEDIUM  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [ES.7](es-controls.md#es-7)  |  Elasticsearch domains should be configured with at least three dedicated master nodes  |  Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5  |  MEDIUM  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [ES.8](es-controls.md#es-8)  | Connections to Elasticsearch domains should be encrypted using the latest TLS security policy | Amazon Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 | MEDIUM | ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No | Change triggered | 
|  [ES.9](es-controls.md#es-9)  | Elasticsearch domains should be tagged | Amazon Resource Tagging Standard | LOW | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [EventBridge.2](eventbridge-controls.md#eventbridge-2)  | EventBridge event buses should be tagged | Amazon Resource Tagging Standard | LOW | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [EventBridge.3](eventbridge-controls.md#eventbridge-3)  |  EventBridge custom event buses should have a resource-based policy attached  | Amazon Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 |  LOW  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [EventBridge.4](eventbridge-controls.md#eventbridge-4)  |  EventBridge global endpoints should have event replication enabled  |  NIST SP 800-53 Rev. 5  |  MEDIUM  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [FraudDetector.1](frauddetector-controls.md#frauddetector-1)  | Amazon Fraud Detector entity types should be tagged | Amazon Resource Tagging Standard | LOW | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [FraudDetector.2](frauddetector-controls.md#frauddetector-2)  | Amazon Fraud Detector labels should be tagged | Amazon Resource Tagging Standard | LOW | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [FraudDetector.3](frauddetector-controls.md#frauddetector-3)  | Amazon Fraud Detector outcomes should be tagged | Amazon Resource Tagging Standard | LOW | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [FraudDetector.4](frauddetector-controls.md#frauddetector-4)  | Amazon Fraud Detector variables should be tagged | Amazon Resource Tagging Standard | LOW | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [FSx.1](fsx-controls.md#fsx-1)  |  FSx for OpenZFS file systems should be configured to copy tags to backups and volumes  |  Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5  |  LOW  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  | Periodic | 
|  [FSx.2](fsx-controls.md#fsx-2)  | FSx for Lustre file systems should be configured to copy tags to backups | Amazon Foundational Security Best Practices, NIST SP 800-53 Rev. 5 | LOW | ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No | Periodic | 
|  [FSx.3](fsx-controls.md#fsx-3)  | FSx for OpenZFS file systems should be configured for Multi-AZ deployment | Amazon Foundational Security Best Practices | MEDIUM | ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No | Periodic | 
|  [FSx.4](fsx-controls.md#fsx-4)  | FSx for NetApp ONTAP file systems should be configured for Multi-AZ deployment | Amazon Foundational Security Best Practices | MEDIUM | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Periodic | 
|  [FSx.5](fsx-controls.md#fsx-5)  | FSx for Windows File Server file systems should be configured for Multi-AZ deployment | Amazon Foundational Security Best Practices | MEDIUM | ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No | Periodic | 
|  [Glue.1](glue-controls.md#glue-1)  | Amazon Glue jobs should be tagged | Amazon Resource Tagging Standard | LOW | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [Glue.3](glue-controls.md#glue-3)  | Amazon Glue machine learning transforms should be encrypted at rest | Amazon Foundational Security Best Practices | MEDIUM | ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No | Change triggered | 
|  [Glue.4](glue-controls.md#glue-4)  | Amazon Glue Spark jobs should run on supported versions of Amazon Glue | Amazon Foundational Security Best Practices, NIST SP 800-53 Rev. 5 | MEDIUM | ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No | Change triggered | 
|  [GlobalAccelerator.1](globalaccelerator-controls.md#globalaccelerator-1)  | Global Accelerator accelerators should be tagged | Amazon Resource Tagging Standard | LOW | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [GuardDuty.1](guardduty-controls.md#guardduty-1)  |  GuardDuty should be enabled  | Amazon Foundational Security Best Practices, NIST SP 800-53 Rev. 5, NIST SP 800-171 Rev. 2, PCI DSS v3.2.1, PCI DSS v4.0.1 |  HIGH  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Periodic  | 
|  [GuardDuty.2](guardduty-controls.md#guardduty-2)  | GuardDuty filters should be tagged  | Amazon Resource Tagging Standard | LOW | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [GuardDuty.3](guardduty-controls.md#guardduty-3)  | GuardDuty IPSets should be tagged  | Amazon Resource Tagging Standard | LOW | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [GuardDuty.4](guardduty-controls.md#guardduty-4)  | GuardDuty detectors should be tagged  | Amazon Resource Tagging Standard | LOW | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [GuardDuty.5](guardduty-controls.md#guardduty-5)  | GuardDuty EKS Audit Log Monitoring should be enabled | Amazon Foundational Security Best Practices | HIGH | ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No | Periodic | 
|  [GuardDuty.6](guardduty-controls.md#guardduty-6)  | GuardDuty Lambda Protection should be enabled | Amazon Foundational Security Best Practices, PCI DSS v4.0.1 | HIGH | ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No | Periodic | 
|  [GuardDuty.7](guardduty-controls.md#guardduty-7)  | GuardDuty EKS Runtime Monitoring should be enabled | Amazon Foundational Security Best Practices, PCI DSS v4.0.1 | HIGH | ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No | Periodic | 
|  [GuardDuty.8](guardduty-controls.md#guardduty-8)  | GuardDuty Malware Protection for EC2 should be enabled | Amazon Foundational Security Best Practices | HIGH | ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No | Periodic | 
|  [GuardDuty.9](guardduty-controls.md#guardduty-9)  | GuardDuty RDS Protection should be enabled | Amazon Foundational Security Best Practices, PCI DSS v4.0.1 | HIGH | ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No | Periodic | 
|  [GuardDuty.10](guardduty-controls.md#guardduty-10)  | GuardDuty S3 Protection should be enabled | Amazon Foundational Security Best Practices, PCI DSS v4.0.1 | HIGH | ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No | Periodic | 
|  [GuardDuty.11](guardduty-controls.md#guardduty-11)  | GuardDuty Runtime Monitoring should be enabled | Amazon Foundational Security Best Practices | HIGH | ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No | Periodic | 
|  [GuardDuty.12](guardduty-controls.md#guardduty-12)  | GuardDuty ECS Runtime Monitoring should be enabled | Amazon Foundational Security Best Practices | MEDIUM | ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No | Periodic | 
|  [GuardDuty.13](guardduty-controls.md#guardduty-13)  | GuardDuty EC2 Runtime Monitoring should be enabled | Amazon Foundational Security Best Practices | MEDIUM | ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No | Periodic | 
|  [IAM.1](iam-controls.md#iam-1)  |  IAM policies should not allow full "*" administrative privileges  | CIS Amazon Foundations Benchmark v1.2.0, Amazon Foundational Security Best Practices v1.0.0, PCI DSS v3.2.1, CIS Amazon Foundations Benchmark v1.4.0, NIST SP 800-53 Rev. 5, NIST SP 800-171 Rev. 2  |  HIGH  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [IAM.2](iam-controls.md#iam-2)  |  IAM users should not have IAM policies attached  | CIS Amazon Foundations Benchmark v5.0.0, CIS Amazon Foundations Benchmark v3.0.0, CIS Amazon Foundations Benchmark v1.2.0, Amazon Foundational Security Best Practices v1.0.0, PCI DSS v3.2.1, NIST SP 800-53 Rev. 5, NIST SP 800-171 Rev. 2  |  LOW  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [IAM.3](iam-controls.md#iam-3)  |  IAM users' access keys should be rotated every 90 days or less  | CIS Amazon Foundations Benchmark v5.0.0, CIS Amazon Foundations Benchmark v3.0.0, CIS Amazon Foundations Benchmark v1.4.0, CIS Amazon Foundations Benchmark v1.2.0, Amazon Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 |  MEDIUM  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Periodic  | 
|  [IAM.4](iam-controls.md#iam-4)  |  IAM root user access key should not exist  | CIS Amazon Foundations Benchmark v5.0.0, CIS Amazon Foundations Benchmark v3.0.0, CIS Amazon Foundations Benchmark v1.4.0, CIS Amazon Foundations Benchmark v1.2.0, Amazon Foundational Security Best Practices v1.0.0, PCI DSS v3.2.1, NIST SP 800-53 Rev. 5  |  CRITICAL  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Periodic  | 
|  [IAM.5](iam-controls.md#iam-5)  |  MFA should be enabled for all IAM users that have a console password  | CIS Amazon Foundations Benchmark v5.0.0, CIS Amazon Foundations Benchmark v3.0.0, CIS Amazon Foundations Benchmark v1.4.0, CIS Amazon Foundations Benchmark v1.2.0, Amazon Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 |  MEDIUM  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Periodic  | 
|  [IAM.6](iam-controls.md#iam-6)  |  Hardware MFA should be enabled for the root user  | CIS Amazon Foundations Benchmark v5.0.0, CIS Amazon Foundations Benchmark v3.0.0, CIS Amazon Foundations Benchmark v1.4.0, CIS Amazon Foundations Benchmark v1.2.0, Amazon Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v3.2.1, PCI DSS v4.0.1 |  CRITICAL  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Periodic  | 
|  [IAM.7](iam-controls.md#iam-7)  |  Password policies for IAM users should have strong configurations  | Amazon Foundational Security Best Practices, NIST SP 800-53 Rev. 5, NIST SP 800-171 Rev. 2, PCI DSS v4.0.1 |  MEDIUM  |  ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes  |  Periodic  | 
|  [IAM.8](iam-controls.md#iam-8)  |  Unused IAM user credentials should be removed  | CIS Amazon Foundations Benchmark v1.2.0, Amazon Foundational Security Best Practices, NIST SP 800-53 Rev. 5, NIST SP 800-171 Rev. 2, PCI DSS v3.2.1, PCI DSS v4.0.1 |  MEDIUM  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Periodic  | 
|  [IAM.9](iam-controls.md#iam-9)  |  MFA should be enabled for the root user  | CIS Amazon Foundations Benchmark v5.0.0, CIS Amazon Foundations Benchmark v3.0.0, CIS Amazon Foundations Benchmark v1.4.0, CIS Amazon Foundations Benchmark v1.2.0, NIST SP 800-53 Rev. 5, PCI DSS v3.2.1, PCI DSS v4.0.1 |  CRITICAL  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Periodic  | 
|  [IAM.10](iam-controls.md#iam-10)  |  Password policies for IAM users should have strong configurations  | NIST SP 800-171 Rev. 2, PCI DSS v3.2.1 |  MEDIUM  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Periodic  | 
|  [IAM.11](iam-controls.md#iam-11)  |  Ensure IAM password policy requires at least one uppercase letter  | CIS Amazon Foundations Benchmark v1.2.0, NIST SP 800-171 Rev. 2, PCI DSS v4.0.1 |  MEDIUM  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Periodic  | 
|  [IAM.12](iam-controls.md#iam-12)  |  Ensure IAM password policy requires at least one lowercase letter  | CIS Amazon Foundations Benchmark v1.2.0, NIST SP 800-171 Rev. 2, PCI DSS v4.0.1 |  MEDIUM  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Periodic  | 
|  [IAM.13](iam-controls.md#iam-13)  |  Ensure IAM password policy requires at least one symbol  | CIS Amazon Foundations Benchmark v1.2.0, NIST SP 800-171 Rev. 2 |  MEDIUM  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Periodic  | 
|  [IAM.14](iam-controls.md#iam-14)  |  Ensure IAM password policy requires at least one number  | CIS Amazon Foundations Benchmark v1.2.0, NIST SP 800-171 Rev. 2, PCI DSS v4.0.1 |  MEDIUM  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Periodic  | 
|  [IAM.15](iam-controls.md#iam-15)  |  Ensure IAM password policy requires minimum password length of 14 or greater  | CIS Amazon Foundations Benchmark v5.0.0, CIS Amazon Foundations Benchmark v3.0.0, CIS Amazon Foundations Benchmark v1.4.0, CIS Amazon Foundations Benchmark v1.2.0, NIST SP 800-171 Rev. 2 |  MEDIUM  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Periodic  | 
|  [IAM.16](iam-controls.md#iam-16)  |  Ensure IAM password policy prevents password reuse  | CIS Amazon Foundations Benchmark v5.0.0, CIS Amazon Foundations Benchmark v3.0.0, CIS Amazon Foundations Benchmark v1.4.0, CIS Amazon Foundations Benchmark v1.2.0, NIST SP 800-171 Rev. 2, PCI DSS v4.0.1 |  LOW  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Periodic  | 
|  [IAM.17](iam-controls.md#iam-17)  |  Ensure IAM password policy expires passwords within 90 days or less  | CIS Amazon Foundations Benchmark v1.2.0, PCI DSS v4.0.1 |  LOW  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Periodic  | 
|  [IAM.18](iam-controls.md#iam-18)  |  Ensure a support role has been created to manage incidents with Amazon Web Services Support  | CIS Amazon Foundations Benchmark v5.0.0, CIS Amazon Foundations Benchmark v3.0.0, CIS Amazon Foundations Benchmark v1.4.0, CIS Amazon Foundations Benchmark v1.2.0, NIST SP 800-171 Rev. 2, PCI DSS v4.0.1 |  LOW  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Periodic  | 
|  [IAM.19](iam-controls.md#iam-19)  |  MFA should be enabled for all IAM users  | NIST SP 800-53 Rev. 5, NIST SP 800-171 Rev. 2, PCI DSS v3.2.1, PCI DSS v4.0.1 |  MEDIUM  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Periodic  | 
|  [IAM.21](iam-controls.md#iam-21)  |  IAM customer managed policies that you create should not allow wildcard actions for services  |  Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, NIST SP 800-171 Rev. 2  |  LOW  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [IAM.22](iam-controls.md#iam-22)  |  IAM user credentials unused for 45 days should be removed  | CIS Amazon Foundations Benchmark v5.0.0, CIS Amazon Foundations Benchmark v3.0.0, CIS Amazon Foundations Benchmark v1.4.0, NIST SP 800-171 Rev. 2 |  MEDIUM  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Periodic  | 
|  [IAM.23](iam-controls.md#iam-23)  | IAM Access Analyzer analyzers should be tagged | Amazon Resource Tagging Standard | LOW | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [IAM.24](iam-controls.md#iam-24)  | IAM roles should be tagged | Amazon Resource Tagging Standard | LOW | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [IAM.25](iam-controls.md#iam-25)  | IAM users should be tagged | Amazon Resource Tagging Standard | LOW | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [IAM.26](iam-controls.md#iam-26)  | Expired SSL/TLS certificates managed in IAM should be removed | CIS Amazon Foundations Benchmark v5.0.0, CIS Amazon Foundations Benchmark v3.0.0 | MEDIUM | ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No | Periodic | 
|  [IAM.27](iam-controls.md#iam-27)  | IAM identities should not have the AWSCloudShellFullAccess policy attached | CIS Amazon Foundations Benchmark v5.0.0, CIS Amazon Foundations Benchmark v3.0.0 | MEDIUM | ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No | Change triggered | 
|  [IAM.28](iam-controls.md#iam-28)  | IAM Access Analyzer external access analyzer should be enabled | CIS Amazon Foundations Benchmark v5.0.0, CIS Amazon Foundations Benchmark v3.0.0 | HIGH | ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No | Periodic | 
|  [Inspector.1](inspector-controls.md#inspector-1)  | Amazon Inspector EC2 scanning should be enabled | Amazon Foundational Security Best Practices, PCI DSS v4.0.1 | HIGH | ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No | Periodic | 
|  [Inspector.2](inspector-controls.md#inspector-2)  | Amazon Inspector ECR scanning should be enabled | Amazon Foundational Security Best Practices, PCI DSS v4.0.1 | HIGH | ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No | Periodic | 
|  [Inspector.3](inspector-controls.md#inspector-3)  | Amazon Inspector Lambda code scanning should be enabled | Amazon Foundational Security Best Practices, PCI DSS v4.0.1 | HIGH | ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No | Periodic | 
|  [Inspector.4](inspector-controls.md#inspector-4)  | Amazon Inspector Lambda standard scanning should be enabled | Amazon Foundational Security Best Practices, PCI DSS v4.0.1 | HIGH | ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No | Periodic | 
|  [IoT.1](iot-controls.md#iot-1)  | Amazon IoT Device Defender security profiles should be tagged | Amazon Resource Tagging Standard | LOW | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [IoT.2](iot-controls.md#iot-2)  | Amazon IoT Core mitigation actions should be tagged | Amazon Resource Tagging Standard | LOW | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [IoT.3](iot-controls.md#iot-3)  | Amazon IoT Core dimensions should be tagged | Amazon Resource Tagging Standard | LOW | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [IoT.4](iot-controls.md#iot-4)  | Amazon IoT Core authorizers should be tagged | Amazon Resource Tagging Standard | LOW | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [IoT.5](iot-controls.md#iot-5)  | Amazon IoT Core role aliases should be tagged | Amazon Resource Tagging Standard | LOW | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [IoT.6](iot-controls.md#iot-6)  | Amazon IoT Core policies should be tagged | Amazon Resource Tagging Standard | LOW | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [IoTEvents.1](iotevents-controls.md#iotevents-1)  | Amazon IoT Events inputs should be tagged | Amazon Resource Tagging Standard | LOW | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [IoTEvents.2](iotevents-controls.md#iotevents-2)  | Amazon IoT Events detector models should be tagged | Amazon Resource Tagging Standard | LOW | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [IoTEvents.3](iotevents-controls.md#iotevents-3)  | Amazon IoT Events alarm models should be tagged | Amazon Resource Tagging Standard | LOW | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [IoTSiteWise.1](iotsitewise-controls.md#iotsitewise-1)  | Amazon IoT SiteWise asset models should be tagged | Amazon Resource Tagging Standard | LOW | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [IoTSiteWise.2](iotsitewise-controls.md#iotsitewise-2)  | Amazon IoT SiteWise dashboards should be tagged | Amazon Resource Tagging Standard | LOW | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [IoTSiteWise.3](iotsitewise-controls.md#iotsitewise-3)  | Amazon IoT SiteWise gateways should be tagged | Amazon Resource Tagging Standard | LOW | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [IoTSiteWise.4](iotsitewise-controls.md#iotsitewise-4)  | Amazon IoT SiteWise portals should be tagged | Amazon Resource Tagging Standard | LOW | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [IoTSiteWise.5](iotsitewise-controls.md#iotsitewise-5)  | Amazon IoT SiteWise projects should be tagged | Amazon Resource Tagging Standard | LOW | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [IoTTwinMaker.1](iottwinmaker-controls.md#iottwinmaker-1)  | Amazon IoT TwinMaker sync jobs should be tagged | Amazon Resource Tagging Standard | LOW | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [IoTTwinMaker.2](iottwinmaker-controls.md#iottwinmaker-2)  | Amazon IoT TwinMaker workspaces should be tagged | Amazon Resource Tagging Standard | LOW | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [IoTTwinMaker.3](iottwinmaker-controls.md#iottwinmaker-3)  | Amazon IoT TwinMaker scenes should be tagged | Amazon Resource Tagging Standard | LOW | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [IoTTwinMaker.4](iottwinmaker-controls.md#iottwinmaker-4)  | Amazon IoT TwinMaker entities should be tagged | Amazon Resource Tagging Standard | LOW | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [IoTWireless.1](iotwireless-controls.md#iotwireless-1)  | Amazon IoT Wireless multicast groups should be tagged | Amazon Resource Tagging Standard | LOW | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [IoTWireless.2](iotwireless-controls.md#iotwireless-2)  | Amazon IoT Wireless service profiles should be tagged | Amazon Resource Tagging Standard | LOW | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [IoTWireless.3](iotwireless-controls.md#iotwireless-3)  | Amazon IoT Wireless FUOTA tasks should be tagged | Amazon Resource Tagging Standard | LOW | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [IVS.1](ivs-controls.md#ivs-1)  | IVS playback key pairs should be tagged | Amazon Resource Tagging Standard | LOW | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [IVS.2](ivs-controls.md#ivs-2)  | IVS recording configurations should be tagged | Amazon Resource Tagging Standard | LOW | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [IVS.3](ivs-controls.md#ivs-3)  | IVS channels should be tagged | Amazon Resource Tagging Standard | LOW | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [Keyspaces.1](keyspaces-controls.md#keyspaces-1)  | Amazon Keyspaces keyspaces should be tagged | Amazon Resource Tagging Standard | LOW | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [Kinesis.1](kinesis-controls.md#kinesis-1)  |  Kinesis streams should be encrypted at rest  |  Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5  |  MEDIUM  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [Kinesis.2](kinesis-controls.md#kinesis-2)  | Kinesis streams should be tagged | Amazon Resource Tagging Standard | LOW | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [Kinesis.3](kinesis-controls.md#kinesis-3)  | Kinesis streams should have an adequate data retention period | Amazon Foundational Security Best Practices | MEDIUM | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [KMS.1](kms-controls.md#kms-1)  |  IAM customer managed policies should not allow decryption actions on all KMS keys  |  Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5  |  MEDIUM  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [KMS.2](kms-controls.md#kms-2)  |  IAM principals should not have IAM inline policies that allow decryption actions on all KMS keys  |  Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5  |  MEDIUM  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [KMS.3](kms-controls.md#kms-3)  |  Amazon KMS keys should not be deleted unintentionally  |  Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5  |  CRITICAL  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [KMS.4](kms-controls.md#kms-4)  |  Amazon KMS key rotation should be enabled  | CIS Amazon Foundations Benchmark v5.0.0, CIS Amazon Foundations Benchmark v3.0.0, CIS Amazon Foundations Benchmark v1.4.0, CIS Amazon Foundations Benchmark v1.2.0, NIST SP 800-53 Rev. 5, PCI DSS v3.2.1, PCI DSS v4.0.1 |  MEDIUM  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Periodic  | 
|  [KMS.5](kms-controls.md#kms-5)  | KMS keys should not be publicly accessible | Amazon Foundational Security Best Practices | CRITICAL | ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No | Change triggered | 
|  [Lambda.1](lambda-controls.md#lambda-1)  |  Lambda function policies should prohibit public access  | Amazon Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v3.2.1, PCI DSS v4.0.1 |  CRITICAL  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [Lambda.2](lambda-controls.md#lambda-2)  |  Lambda functions should use supported runtimes  | Amazon Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 |  MEDIUM  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [Lambda.3](lambda-controls.md#lambda-3)  |  Lambda functions should be in a VPC  |  PCI DSS v3.2.1, NIST SP 800-53 Rev. 5  |  LOW  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [Lambda.5](lambda-controls.md#lambda-5)  |  VPC Lambda functions should operate in multiple Availability Zones  |  Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5  |  MEDIUM  |  ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes  |  Change triggered  | 
|  [Lambda.6](lambda-controls.md#lambda-6)  | Lambda functions should be tagged | Amazon Resource Tagging Standard | LOW | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [Lambda.7](lambda-controls.md#lambda-7)  | Lambda functions should have Amazon X-Ray active tracing enabled | NIST SP 800-53 Rev. 5 | LOW | ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No | Change triggered | 
|  [Macie.1](macie-controls.md#macie-1)  |  Amazon Macie should be enabled  |  Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5  |  MEDIUM  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Periodic  | 
|  [Macie.2](macie-controls.md#macie-2)  | Macie automated sensitive data discovery should be enabled | Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 | HIGH | ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No | Periodic | 
|  [MSK.1](msk-controls.md#msk-1)  |  MSK clusters should be encrypted in transit among broker nodes  | Amazon Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 |  MEDIUM  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [MSK.2](msk-controls.md#msk-2)  |  MSK clusters should have enhanced monitoring configured  |  NIST SP 800-53 Rev. 5  |  LOW  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [MSK.3](msk-controls.md#msk-3)  | MSK Connect connectors should be encrypted in transit | Amazon Foundational Security Best Practices, PCI DSS v4.0.1 | MEDIUM | ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  | Change triggered | 
|  [MSK.4](msk-controls.md#msk-4)  | MSK clusters should have public access disabled | Amazon Foundational Security Best Practices | CRITICAL | ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No | Change triggered | 
|  [MSK.5](msk-controls.md#msk-5)  | MSK connectors should have logging enabled | Amazon Foundational Security Best Practices | MEDIUM | ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No | Change triggered | 
|  [MSK.6](msk-controls.md#msk-6)  | MSK clusters should disable unauthenticated access | Amazon Foundational Security Best Practices | MEDIUM | ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No | Change triggered | 
|  [MQ.2](mq-controls.md#mq-2)  | ActiveMQ brokers should stream audit logs to CloudWatch | Amazon Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 | MEDIUM | ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No | Change triggered | 
|  [MQ.4](mq-controls.md#mq-4)  | Amazon MQ brokers should be tagged | Amazon Resource Tagging Standard | LOW | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [MQ.5](mq-controls.md#mq-5)  |  ActiveMQ brokers should use active/standby deployment mode  | NIST SP 800-53 Rev. 5 |  LOW  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [MQ.6](mq-controls.md#mq-6)  |  RabbitMQ brokers should use cluster deployment mode  | NIST SP 800-53 Rev. 5 |  LOW  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [Neptune.1](neptune-controls.md#neptune-1)  |  Neptune DB clusters should be encrypted at rest  |  Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5  |  MEDIUM  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  | Change triggered | 
|  [Neptune.2](neptune-controls.md#neptune-2)  |  Neptune DB clusters should publish audit logs to CloudWatch Logs  | Amazon Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1  |  MEDIUM  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  | Change triggered | 
|  [Neptune.3](neptune-controls.md#neptune-3)  |  Neptune DB cluster snapshots should not be public  | Amazon Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 |  CRITICAL  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [Neptune.4](neptune-controls.md#neptune-4)  |  Neptune DB clusters should have deletion protection enabled  |  Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5  |  LOW  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [Neptune.5](neptune-controls.md#neptune-5)  |  Neptune DB clusters should have automated backups enabled  |  Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5  |  MEDIUM  |  ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes  |  Change triggered  | 
|  [Neptune.6](neptune-controls.md#neptune-6)  |  Neptune DB cluster snapshots should be encrypted at rest  |  Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5  |  MEDIUM  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [Neptune.7](neptune-controls.md#neptune-7)  |  Neptune DB clusters should have IAM database authentication enabled  |  Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5  |  MEDIUM  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [Neptune.8](neptune-controls.md#neptune-8)  |  Neptune DB clusters should be configured to copy tags to snapshots  |  Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5  |  LOW  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [Neptune.9](neptune-controls.md#neptune-9)  |  Neptune DB clusters should be deployed across multiple Availability Zones  |  NIST SP 800-53 Rev. 5  |  MEDIUM  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [NetworkFirewall.1](networkfirewall-controls.md#networkfirewall-1)  |  Network Firewall firewalls should be deployed across multiple Availability Zones  |  NIST SP 800-53 Rev. 5  |  MEDIUM  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [NetworkFirewall.2](networkfirewall-controls.md#networkfirewall-2)  |  Network Firewall logging should be enabled  |  Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, NIST SP 800-171 Rev. 2  |  MEDIUM  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Periodic  | 
|  [NetworkFirewall.3](networkfirewall-controls.md#networkfirewall-3)  |  Network Firewall policies should have at least one rule group associated  |  Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, NIST SP 800-171 Rev. 2  |  MEDIUM  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [NetworkFirewall.4](networkfirewall-controls.md#networkfirewall-4)  |  The default stateless action for Network Firewall policies should be drop or forward for full packets  |  Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5  |  MEDIUM  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [NetworkFirewall.5](networkfirewall-controls.md#networkfirewall-5)  |  The default stateless action for Network Firewall policies should be drop or forward for fragmented packets  |  Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, NIST SP 800-171 Rev. 2  |  MEDIUM  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [NetworkFirewall.6](networkfirewall-controls.md#networkfirewall-6)  |  Stateless network firewall rule group should not be empty  |  Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, NIST SP 800-171 Rev. 2  |  MEDIUM  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [NetworkFirewall.7](networkfirewall-controls.md#networkfirewall-7)  | Network Firewall firewalls should be tagged | Amazon Resource Tagging Standard | LOW | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [NetworkFirewall.8](networkfirewall-controls.md#networkfirewall-8)  | Network Firewall firewall policies should be tagged | Amazon Resource Tagging Standard | LOW | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [NetworkFirewall.9](networkfirewall-controls.md#networkfirewall-9)  |  Network Firewall firewalls should have deletion protection enabled  |  Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5  |  MEDIUM  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [NetworkFirewall.10](networkfirewall-controls.md#networkfirewall-10)  | Network Firewall firewalls should have subnet change protection enabled | Amazon Foundational Security Best Practices, NIST SP 800-53 Rev. 5 | MEDIUM | ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No | Change triggered | 
|  [Opensearch.1](opensearch-controls.md#opensearch-1)  |  OpenSearch domains should have encryption at rest enabled  |  Amazon Foundational Security Best Practices v1.0.0, PCI DSS v3.2.1, NIST SP 800-53 Rev. 5  |  MEDIUM  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [Opensearch.2](opensearch-controls.md#opensearch-2)  |  OpenSearch domains should not be publicly accessible  |  Amazon Foundational Security Best Practices v1.0.0, PCI DSS v3.2.1, NIST SP 800-53 Rev. 5  |  CRITICAL  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [Opensearch.3](opensearch-controls.md#opensearch-3)  |  OpenSearch domains should encrypt data sent between nodes  |  Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5  |  MEDIUM  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [Opensearch.4](opensearch-controls.md#opensearch-4)  |  OpenSearch domain error logging to CloudWatch Logs should be enabled  |  Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5  |  MEDIUM  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [Opensearch.5](opensearch-controls.md#opensearch-5)  |  OpenSearch domains should have audit logging enabled  | Amazon Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 |  MEDIUM  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [Opensearch.6](opensearch-controls.md#opensearch-6)  |  OpenSearch domains should have at least three data nodes  |  Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5  |  MEDIUM  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [Opensearch.7](opensearch-controls.md#opensearch-7)  |  OpenSearch domains should have fine-grained access control enabled  |  Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5  |  HIGH  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [Opensearch.8](opensearch-controls.md#opensearch-8)  | Connections to OpenSearch domains should be encrypted using the latest TLS security policy |  Amazon Foundational Security Best Practices, NIST SP 800-53 Rev. 5 | MEDIUM | ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No | Change triggered | 
|  [Opensearch.9](opensearch-controls.md#opensearch-9)  | OpenSearch domains should be tagged | Amazon Resource Tagging Standard | LOW | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [Opensearch.10](opensearch-controls.md#opensearch-10)  |  OpenSearch domains should have the latest software update installed  | Amazon Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 | MEDIUM |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [Opensearch.11](opensearch-controls.md#opensearch-11)  | OpenSearch domains should have at least three dedicated primary nodes | NIST SP 800-53 Rev. 5 | LOW | ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No | Periodic | 
|  [PCA.1](pca-controls.md#pca-1)  |  Amazon Private CA root certificate authority should be disabled  |  Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5  |  LOW  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  | Periodic | 
|  [PCA.2](pca-controls.md#pca-2)  | Amazon Private CA certificate authorities should be tagged | Amazon Resource Tagging Standard | LOW | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [RDS.1](rds-controls.md#rds-1)  |  RDS snapshot should be private  |  Amazon Foundational Security Best Practices v1.0.0, PCI DSS v3.2.1, NIST SP 800-53 Rev. 5  |  CRITICAL  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [RDS.2](rds-controls.md#rds-2)  |  RDS DB instances should prohibit public access, as determined by the PubliclyAccessible configuration  | CIS Amazon Foundations Benchmark v5.0.0, CIS Amazon Foundations Benchmark v3.0.0, Amazon Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v3.2.1, PCI DSS v4.0.1 |  CRITICAL  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [RDS.3](rds-controls.md#rds-3)  |  RDS DB instances should have encryption at-rest enabled  | CIS Amazon Foundations Benchmark v5.0.0, CIS Amazon Foundations Benchmark v3.0.0, CIS Amazon Foundations Benchmark v1.4.0, Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5  |  MEDIUM  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [RDS.4](rds-controls.md#rds-4)  |  RDS cluster snapshots and database snapshots should be encrypted at rest  |  Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5  |  MEDIUM  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [RDS.5](rds-controls.md#rds-5)  |  RDS DB instances should be configured with multiple Availability Zones  | CIS Amazon Foundations Benchmark v5.0.0, Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5  |  MEDIUM  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [RDS.6](rds-controls.md#rds-6)  |  Enhanced monitoring should be configured for RDS DB instances  |  Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5  |  LOW  |  ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes  |  Change triggered  | 
|  [RDS.7](rds-controls.md#rds-7)  |  RDS clusters should have deletion protection enabled  |  Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5  | MEDIUM |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [RDS.8](rds-controls.md#rds-8)  |  RDS DB instances should have deletion protection enabled  |  Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5  |  LOW  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [RDS.9](rds-controls.md#rds-9)  | RDS DB instances should publish logs to CloudWatch Logs | Amazon Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 |  MEDIUM  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [RDS.10](rds-controls.md#rds-10)  |  IAM authentication should be configured for RDS instances  |  Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5  |  MEDIUM  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [RDS.11](rds-controls.md#rds-11)  |  RDS instances should have automatic backups enabled  |  Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5  |  MEDIUM  |  ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes  |  Change triggered  | 
|  [RDS.12](rds-controls.md#rds-12)  |  IAM authentication should be configured for RDS clusters  |  Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5  |  MEDIUM  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [RDS.13](rds-controls.md#rds-13)  |  RDS automatic minor version upgrades should be enabled  | CIS Amazon Foundations Benchmark v5.0.0, CIS Amazon Foundations Benchmark v3.0.0, Amazon Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 |  HIGH  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [RDS.14](rds-controls.md#rds-14)  |  Amazon Aurora clusters should have backtracking enabled  |  Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5  |  MEDIUM  |  ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes  |  Change triggered  | 
|  [RDS.15](rds-controls.md#rds-15)  |  RDS DB clusters should be configured for multiple Availability Zones  | CIS Amazon Foundations Benchmark v5.0.0, Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5  |  MEDIUM  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [RDS.16](rds-controls.md#rds-16)  | Aurora DB clusters should be configured to copy tags to DB snapshots | Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5 | LOW  | ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No | Change triggered | 
|  [RDS.17](rds-controls.md#rds-17)  |  RDS DB instances should be configured to copy tags to snapshots  |  Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5  |  LOW  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [RDS.18](rds-controls.md#rds-18)  |  RDS instances should be deployed in a VPC  |   |  HIGH  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [RDS.19](rds-controls.md#rds-19)  |  Existing RDS event notification subscriptions should be configured for critical cluster events  |  Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5  |  LOW  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [RDS.20](rds-controls.md#rds-20)  |  Existing RDS event notification subscriptions should be configured for critical database instance events  | Amazon Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 |  LOW  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [RDS.21](rds-controls.md#rds-21)  |  An RDS event notifications subscription should be configured for critical database parameter group events  | Amazon Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 |  LOW  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [RDS.22](rds-controls.md#rds-22)  |  An RDS event notifications subscription should be configured for critical database security group events  | Amazon Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 |  LOW  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [RDS.23](rds-controls.md#rds-23)  |  RDS instances should not use a database engine default port  |  Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5  |  LOW  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [RDS.24](rds-controls.md#rds-24)  |  RDS Database Clusters should use a custom administrator username  | Amazon Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 |  MEDIUM  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [RDS.25](rds-controls.md#rds-25)  |  RDS database instances should use a custom administrator username  | Amazon Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 |  MEDIUM  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [RDS.26](rds-controls.md#rds-26)  |  RDS DB instances should be protected by a backup plan  |  NIST SP 800-53 Rev. 5  |  MEDIUM  |  ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes  |  Periodic  | 
|  [RDS.27](rds-controls.md#rds-27)  |  RDS DB clusters should be encrypted at rest  |  Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5  |  MEDIUM  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [RDS.28](rds-controls.md#rds-28)  | RDS DB clusters should be tagged | Amazon Resource Tagging Standard | LOW | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [RDS.29](rds-controls.md#rds-29)  | RDS DB cluster snapshots should be tagged | Amazon Resource Tagging Standard | LOW | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [RDS.30](rds-controls.md#rds-30)  | RDS DB instances should be tagged | Amazon Resource Tagging Standard | LOW | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [RDS.31](rds-controls.md#rds-31)  | RDS DB security groups should be tagged | Amazon Resource Tagging Standard | LOW | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [RDS.32](rds-controls.md#rds-32)  | RDS DB snapshots should be tagged | Amazon Resource Tagging Standard | LOW | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [RDS.33](rds-controls.md#rds-33)  | RDS DB subnet groups should be tagged | Amazon Resource Tagging Standard | LOW | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [RDS.34](rds-controls.md#rds-34)  |  Aurora MySQL DB clusters should publish audit logs to CloudWatch Logs  | Amazon Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 |  MEDIUM  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [RDS.35](rds-controls.md#rds-35)  |  RDS DB clusters should have automatic minor version upgrade enabled  | Amazon Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 |  MEDIUM  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [RDS.36](rds-controls.md#rds-36)  | RDS for PostgreSQL DB instances should publish logs to CloudWatch Logs | Amazon Foundational Security Best Practices, PCI DSS v4.0.1 | MEDIUM | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [RDS.37](rds-controls.md#rds-37)  | Aurora PostgreSQL DB clusters should publish logs to CloudWatch Logs | Amazon Foundational Security Best Practices, PCI DSS v4.0.1 | MEDIUM | ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No | Change triggered | 
|  [RDS.38](rds-controls.md#rds-38)  | RDS for PostgreSQL DB instances should be encrypted in transit | Amazon Foundational Security Best Practices | MEDIUM | ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No | Periodic | 
|  [RDS.39](rds-controls.md#rds-39)  | RDS for MySQL DB instances should be encrypted in transit | Amazon Foundational Security Best Practices | MEDIUM | ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No | Periodic | 
|  [RDS.40](rds-controls.md#rds-40)  | RDS for SQL Server DB instances should publish logs to CloudWatch Logs | Amazon Foundational Security Best Practices, NIST SP 800-53 Rev. 5 | MEDIUM | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [RDS.41](rds-controls.md#rds-41)  | RDS for SQL Server DB instances should be encrypted in transit | Amazon Foundational Security Best Practices | MEDIUM | ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No | Periodic | 
|  [RDS.42](rds-controls.md#rds-42)  | RDS for MariaDB DB instances should publish logs to CloudWatch Logs | Amazon Foundational Security Best Practices, NIST SP 800-53 Rev. 5 | MEDIUM | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Periodic | 
|  [RDS.43](rds-controls.md#rds-43)  | RDS DB proxies should require TLS encryption for connections | Amazon Foundational Security Best Practices | MEDIUM | ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No | Periodic | 
|  [RDS.44](rds-controls.md#rds-44)  | RDS for MariaDB DB instances should be encrypted in transit | Amazon Foundational Security Best Practices | MEDIUM | ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No | Periodic | 
|  [RDS.45](rds-controls.md#rds-45)  | Aurora MySQL DB clusters should have audit logging enabled | Amazon Foundational Security Best Practices, NIST SP 800-53 Rev. 5 | MEDIUM | ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No | Periodic | 
|  [RDS.46](rds-controls.md#rds-46)  | RDS DB instances should not be deployed in public subnets with routes to internet gateways | Amazon Foundational Security Best Practices | HIGH | ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No | Periodic | 
|  [RDS.47](rds-controls.md#rds-47)  | RDS for PostgreSQL DB clusters should be configured to copy tags to DB snapshots | Amazon Foundational Security Best Practices | LOW | ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No | Change triggered | 
|  [RDS.48](rds-controls.md#rds-48)  | RDS for MySQL DB clusters should be configured to copy tags to DB snapshots | Amazon Foundational Security Best Practices | LOW | ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No | Change triggered | 
|  [RDS.50](rds-controls.md#rds-50)  |  RDS DB clusters should have enough backup retention period set  |  Amazon Foundational Security Best Practices v1.0.0  |  MEDIUM  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) Yes  |  Change triggered  | 
|  [Redshift.1](redshift-controls.md#redshift-1)  |  Amazon Redshift clusters should prohibit public access  | Amazon Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v3.2.1, PCI DSS v4.0.1 |  CRITICAL  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [Redshift.2](redshift-controls.md#redshift-2)  |  Connections to Amazon Redshift clusters should be encrypted in transit  | Amazon Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 |  MEDIUM  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [Redshift.3](redshift-controls.md#redshift-3)  |  Amazon Redshift clusters should have automatic snapshots enabled  |  Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5  |  MEDIUM  |  ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes  |  Change triggered  | 
|  [Redshift.4](redshift-controls.md#redshift-4)  |  Amazon Redshift clusters should have audit logging enabled  | Amazon Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 |  MEDIUM  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [Redshift.6](redshift-controls.md#redshift-6)  |  Amazon Redshift should have automatic upgrades to major versions enabled  |  Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5  |  MEDIUM  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [Redshift.7](redshift-controls.md#redshift-7)  |  Redshift clusters should use enhanced VPC routing  |  Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5  |  MEDIUM  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [Redshift.8](redshift-controls.md#redshift-8)  |  Amazon Redshift clusters should not use the default Admin username  |  Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5  |  MEDIUM  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [Redshift.10](redshift-controls.md#redshift-10)  |  Redshift clusters should be encrypted at rest  |  Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5  |  MEDIUM  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [Redshift.11](redshift-controls.md#redshift-11)  | Redshift clusters should be tagged | Amazon Resource Tagging Standard | LOW | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [Redshift.12](redshift-controls.md#redshift-12)  | Redshift event subscription notifications should be tagged | Amazon Resource Tagging Standard | LOW | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [Redshift.13](redshift-controls.md#redshift-13)  | Redshift cluster snapshots should be tagged | Amazon Resource Tagging Standard | LOW | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [Redshift.14](redshift-controls.md#redshift-14)  | Redshift cluster subnet groups should be tagged | Amazon Resource Tagging Standard | LOW | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [Redshift.15](redshift-controls.md#redshift-15)  | Redshift security groups should allow ingress on the cluster port only from restricted origins | Amazon Foundational Security Best Practices, PCI DSS v4.0.1 | HIGH | ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No | Periodic | 
|  [Redshift.16](redshift-controls.md#redshift-16)  | Redshift cluster subnet groups should have subnets from multiple Availability Zones | NIST SP 800-53 Rev. 5 | MEDIUM | ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No | Change triggered | 
|  [Redshift.17](redshift-controls.md#redshift-17)  | Redshift cluster parameter groups should be tagged | Amazon Resource Tagging Standard | LOW | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [Redshift.18](redshift-controls.md#redshift-18)  | Redshift clusters should have Multi-AZ deployments enabled | Amazon Foundational Security Best Practices | MEDIUM | ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No | Change triggered | 
|  [RedshiftServerless.1](redshiftserverless-controls.md#redshiftserverless-1)  | Amazon Redshift Serverless workgroups should use enhanced VPC routing | Amazon Foundational Security Best Practices | HIGH | ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No | Periodic | 
|  [RedshiftServerless.2](redshiftserverless-controls.md#redshiftserverless-2)  | Connections to Redshift Serverless workgroups should be required to use SSL | Amazon Foundational Security Best Practices | MEDIUM | ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No | Periodic | 
|  [RedshiftServerless.3](redshiftserverless-controls.md#redshiftserverless-3)  | Redshift Serverless workgroups should prohibit public access | Amazon Foundational Security Best Practices | HIGH | ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No | Periodic | 
|  [RedshiftServerless.4](redshiftserverless-controls.md#redshiftserverless-4)  | Redshift Serverless namespaces should be encrypted with customer managed Amazon KMS keys | NIST SP 800-53 Rev. 5 | MEDIUM | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Periodic | 
|  [RedshiftServerless.5](redshiftserverless-controls.md#redshiftserverless-5)  | Redshift Serverless namespaces should not use the default admin username | Amazon Foundational Security Best Practices | MEDIUM | ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No | Periodic | 
|  [RedshiftServerless.6](redshiftserverless-controls.md#redshiftserverless-6)  | Redshift Serverless namespaces should export logs to CloudWatch Logs | Amazon Foundational Security Best Practices | MEDIUM | ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No | Periodic | 
|  [Route53.1](route53-controls.md#route53-1)  | Route 53 health checks should be tagged | Amazon Resource Tagging Standard | LOW | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [Route53.2](route53-controls.md#route53-2)  |  Route 53 public hosted zones should log DNS queries  | Amazon Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 |  MEDIUM  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [S3.1](s3-controls.md#s3-1)  | S3 general purpose buckets should have block public access settings enabled | CIS Amazon Foundations Benchmark v5.0.0, CIS Amazon Foundations Benchmark v3.0.0, CIS Amazon Foundations Benchmark v1.4.0, Amazon Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v3.2.1, PCI DSS v4.0.1 | MEDIUM | ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No | Periodic | 
|  [S3.2](s3-controls.md#s3-2)  | S3 general purpose buckets should block public read access | Amazon Foundational Security Best Practices, PCI DSS v3.2.1, NIST SP 800-53 Rev. 5 | CRITICAL | ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No | Change triggered and periodic | 
|  [S3.3](s3-controls.md#s3-3)  | S3 general purpose buckets should block public write access | Amazon Foundational Security Best Practices, PCI DSS v3.2.1, NIST SP 800-53 Rev. 5 | CRITICAL | ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No | Change triggered and periodic | 
|  [S3.5](s3-controls.md#s3-5)  | S3 general purpose buckets should require requests to use SSL | CIS Amazon Foundations Benchmark v5.0.0, CIS Amazon Foundations Benchmark v3.0.0, CIS Amazon Foundations Benchmark v1.4.0, Amazon Foundational Security Best Practices, NIST SP 800-53 Rev. 5, NIST SP 800-171 Rev. 2, PCI DSS v3.2.1, PCI DSS v4.0.1 | MEDIUM | ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No | Change triggered | 
|  [S3.6](s3-controls.md#s3-6)  | S3 general purpose bucket policies should restrict access to other Amazon Web Services accounts | Amazon Foundational Security Best Practices, NIST SP 800-53 Rev. 5, NIST SP 800-171 Rev. 2 | HIGH | ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No | Change triggered | 
|  [S3.7](s3-controls.md#s3-7)  | S3 general purpose buckets should use cross-Region replication | PCI DSS v3.2.1, NIST SP 800-53 Rev. 5 | LOW | ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No | Change triggered | 
|  [S3.8](s3-controls.md#s3-8)  | S3 general purpose buckets should block public access | CIS Amazon Foundations Benchmark v5.0.0, CIS Amazon Foundations Benchmark v3.0.0, CIS Amazon Foundations Benchmark v1.4.0, Amazon Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 | HIGH | ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No | Change triggered | 
|  [S3.9](s3-controls.md#s3-9)  | S3 general purpose buckets should have server access logging enabled | Amazon Foundational Security Best Practices, NIST SP 800-53 Rev. 5, NIST SP 800-171 Rev. 2, PCI DSS v4.0.1 | MEDIUM | ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No | Change triggered | 
|  [S3.10](s3-controls.md#s3-10)  | S3 general purpose buckets with versioning enabled should have Lifecycle configurations | NIST SP 800-53 Rev. 5 | MEDIUM | ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No | Change triggered | 
|  [S3.11](s3-controls.md#s3-11)  | S3 general purpose buckets should have event notifications enabled | NIST SP 800-53 Rev. 5, NIST SP 800-171 Rev. 2 | MEDIUM | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [S3.12](s3-controls.md#s3-12)  | ACLs should not be used to manage user access to S3 general purpose buckets | Amazon Foundational Security Best Practices, NIST SP 800-53 Rev. 5 | MEDIUM | ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No | Change triggered | 
|  [S3.13](s3-controls.md#s3-13)  | S3 general purpose buckets should have Lifecycle configurations | Amazon Foundational Security Best Practices, NIST SP 800-53 Rev. 5 | LOW | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [S3.14](s3-controls.md#s3-14)  | S3 general purpose buckets should have versioning enabled | NIST SP 800-53 Rev. 5, NIST SP 800-171 Rev. 2 | LOW | ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No | Change triggered | 
|  [S3.15](s3-controls.md#s3-15)  | S3 general purpose buckets should have Object Lock enabled | NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 | MEDIUM | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [S3.17](s3-controls.md#s3-17)  | S3 general purpose buckets should be encrypted at rest with Amazon KMS keys | NIST SP 800-53 Rev. 5, NIST SP 800-171 Rev. 2, PCI DSS v4.0.1 | MEDIUM | ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No | Change triggered | 
|  [S3.19](s3-controls.md#s3-19)  | S3 access points should have block public access settings enabled | Amazon Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 | CRITICAL | ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No | Change triggered | 
|  [S3.20](s3-controls.md#s3-20)  | S3 general purpose buckets should have MFA delete enabled | CIS Amazon Foundations Benchmark v5.0.0, CIS Amazon Foundations Benchmark v3.0.0, CIS Amazon Foundations Benchmark v1.4.0, NIST SP 800-53 Rev. 5 | LOW | ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No | Change triggered | 
|  [S3.22](s3-controls.md#s3-22)  | S3 general purpose buckets should log object-level write events | CIS Amazon Foundations Benchmark v5.0.0, CIS Amazon Foundations Benchmark v3.0.0, PCI DSS v4.0.1 | MEDIUM | ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No | Periodic | 
|  [S3.23](s3-controls.md#s3-23)  | S3 general purpose buckets should log object-level read events | CIS Amazon Foundations Benchmark v5.0.0, CIS Amazon Foundations Benchmark v3.0.0, PCI DSS v4.0.1 | MEDIUM | ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No | Periodic | 
|  [S3.24](s3-controls.md#s3-24)  | S3 Multi-Region Access Points should have block public access settings enabled | Amazon Foundational Security Best Practices, PCI DSS v4.0.1 | HIGH | ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No | Change triggered | 
|  [S3.25](s3-controls.md#s3-25)  | S3 directory buckets should have lifecycle configurations | Amazon Foundational Security Best Practices | LOW | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [SageMaker.1](sagemaker-controls.md#sagemaker-1)  |  Amazon SageMaker notebook instances should not have direct internet access  | Amazon Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v3.2.1, PCI DSS v4.0.1 |  HIGH  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Periodic  | 
|  [SageMaker.2](sagemaker-controls.md#sagemaker-2)  |  SageMaker notebook instances should be launched in a custom VPC  |  Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5  |  HIGH  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [SageMaker.3](sagemaker-controls.md#sagemaker-3)  |  Users should not have root access to SageMaker notebook instances  |  Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5  |  HIGH  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [SageMaker.4](sagemaker-controls.md#sagemaker-4)  | SageMaker endpoint production variants should have an initial instance count greater than 1 | Amazon Foundational Security Best Practices, NIST SP 800-53 Rev. 5 | MEDIUM | ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No | Periodic | 
|  [SageMaker.5](sagemaker-controls.md#sagemaker-5)  | SageMaker models should have network isolation enabled | Amazon Foundational Security Best Practices | MEDIUM | ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No | Change triggered | 
|  [SageMaker.6](sagemaker-controls.md#sagemaker-6)  | SageMaker app image configurations should be tagged | Amazon Resource Tagging Standard | LOW | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [SageMaker.7](sagemaker-controls.md#sagemaker-7)  | SageMaker images should be tagged | Amazon Resource Tagging Standard | LOW | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [SageMaker.8](sagemaker-controls.md#sagemaker-8)  | SageMaker notebook instances should run on supported platforms | Amazon Foundational Security Best Practices | MEDIUM | ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No | Periodic | 
|  [SageMaker.9](sagemaker-controls.md#sagemaker-9)  |  SageMaker data quality job definitions should have inter-container traffic encryption enabled  |  Amazon Foundational Security Best Practices v1.0.0  |  MEDIUM  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [SageMaker.10](sagemaker-controls.md#sagemaker-10)  |  SageMaker model explainability job definitions should have inter-container traffic encryption enabled  |  Amazon Foundational Security Best Practices v1.0.0  |  MEDIUM  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [SageMaker.11](sagemaker-controls.md#sagemaker-11)  |  SageMaker data quality job definitions should have network isolation enabled  |  Amazon Foundational Security Best Practices v1.0.0  |  MEDIUM  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [SageMaker.12](sagemaker-controls.md#sagemaker-12)  |  SageMaker model bias job definitions should have network isolation enabled  |  Amazon Foundational Security Best Practices v1.0.0  |  MEDIUM  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [SageMaker.13](sagemaker-controls.md#sagemaker-13)  |  SageMaker model quality job definitions should have inter-container traffic encryption enabled  |  Amazon Foundational Security Best Practices v1.0.0  |  MEDIUM  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [SageMaker.14](sagemaker-controls.md#sagemaker-14)  |  SageMaker monitoring schedules should have network isolation enabled  |  Amazon Foundational Security Best Practices v1.0.0  |  MEDIUM  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [SageMaker.15](sagemaker-controls.md#sagemaker-15)  |  SageMaker model bias job definitions should have inter-container traffic encryption enabled  |  Amazon Foundational Security Best Practices v1.0.0  |  MEDIUM  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [SageMaker.16](sagemaker-controls.md#sagemaker-16)  | SageMaker models should use a private registry in a VPC for primary containers | Amazon Foundational Security Best Practices | MEDIUM | ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No | Change triggered | 
|  [SageMaker.17](sagemaker-controls.md#sagemaker-17)  | SageMaker feature group offline stores should be encrypted with Amazon KMS keys | Amazon Foundational Security Best Practices | MEDIUM | ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No | Change triggered | 
|  [SecretsManager.1](secretsmanager-controls.md#secretsmanager-1)  |  Secrets Manager secrets should have automatic rotation enabled  | Amazon Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 |  MEDIUM  |  ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes  |  Change triggered  | 
|  [SecretsManager.2](secretsmanager-controls.md#secretsmanager-2)  |  Secrets Manager secrets configured with automatic rotation should rotate successfully  | Amazon Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 |  MEDIUM  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [SecretsManager.3](secretsmanager-controls.md#secretsmanager-3)  |  Remove unused Secrets Manager secrets  | Amazon Foundational Security Best Practices, NIST SP 800-53 Rev. 5 |  MEDIUM  |  ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes  |  Periodic  | 
|  [SecretsManager.4](secretsmanager-controls.md#secretsmanager-4)  |  Secrets Manager secrets should be rotated within a specified number of days  | Amazon Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 |  MEDIUM  |  ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes  |  Periodic  | 
|  [SecretsManager.5](secretsmanager-controls.md#secretsmanager-5)  | Secrets Manager secrets should be tagged | Amazon Resource Tagging Standard | LOW | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [ServiceCatalog.1](servicecatalog-controls.md#servicecatalog-1)  | Service Catalog portfolios should be shared within an Amazon organization only | Amazon Foundational Security Best Practices, NIST SP 800-53 Rev. 5 | MEDIUM | ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No | Periodic | 
|  [SES.1](ses-controls.md#ses-1)  | SES contact lists should be tagged | Amazon Resource Tagging Standard | LOW | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [SES.2](ses-controls.md#ses-2)  | SES configuration sets should be tagged | Amazon Resource Tagging Standard | LOW | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [SES.3](ses-controls.md#ses-3)  | SES configuration sets should have TLS enabled for sending emails | Amazon Foundational Security Best Practices | MEDIUM | ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No | Change triggered | 
|  [SNS.1](sns-controls.md#sns-1)  | SNS topics should be encrypted at rest using Amazon KMS | NIST SP 800-53 Rev. 5, NIST SP 800-171 Rev. 2 | MEDIUM | ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No | Change triggered | 
|  [SNS.3](sns-controls.md#sns-3)  | SNS topics should be tagged | Amazon Resource Tagging Standard | LOW | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [SNS.4](sns-controls.md#sns-4)  | SNS topic access policies should not allow public access | Amazon Foundational Security Best Practices | CRITICAL | ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No | Change triggered | 
|  [SQS.1](sqs-controls.md#sqs-1)  |  Amazon SQS queues should be encrypted at rest  |  Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5  |  MEDIUM  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [SQS.2](sqs-controls.md#sqs-2)  | SQS queues should be tagged | Amazon Resource Tagging Standard | LOW | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [SQS.3](sqs-controls.md#sqs-3)  | SQS queue access policies should not allow public access | Amazon Foundational Security Best Practices | CRITICAL | ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No | Change triggered | 
|  [SSM.1](ssm-controls.md#ssm-1)  |  EC2 instances should be managed by Amazon Systems Manager  |  Amazon Foundational Security Best Practices v1.0.0, PCI DSS v3.2.1, NIST SP 800-53 Rev. 5  |  MEDIUM  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [SSM.2](ssm-controls.md#ssm-2)  |  EC2 instances managed by Systems Manager should have a patch compliance status of COMPLIANT after a patch installation  | Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, NIST SP 800-171 Rev. 2, PCI DSS v3.2.1, PCI DSS v4.0.1 |  HIGH  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [SSM.3](ssm-controls.md#ssm-3)  |  EC2 instances managed by Systems Manager should have an association compliance status of COMPLIANT  | Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, PCI DSS v3.2.1, PCI DSS v4.0.1 |  LOW  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [SSM.4](ssm-controls.md#ssm-4)  |  SSM documents should not be public  |  Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5  |  CRITICAL  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Periodic  | 
|  [SSM.5](ssm-controls.md#ssm-5)  | SSM documents should be tagged | Amazon Resource Tagging Standard | LOW | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [SSM.6](ssm-controls.md#ssm-6)  | SSM Automation should have CloudWatch logging enabled | Amazon Foundational Security Best Practices v1.0.0 | MEDIUM | ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No | Periodic | 
|  [SSM.7](ssm-controls.md#ssm-7)  | SSM documents should have the block public sharing setting enabled | Amazon Foundational Security Best Practices v1.0.0 | CRITICAL | ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No | Periodic | 
|  [StepFunctions.1](stepfunctions-controls.md#stepfunctions-1)  |  Step Functions state machines should have logging turned on  | Amazon Foundational Security Best Practices v1.0.0, PCI DSS v4.0.1 |  MEDIUM  |  ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes  |  Change triggered  | 
|  [StepFunctions.2](stepfunctions-controls.md#stepfunctions-2)  | Step Functions activities should be tagged | Amazon Resource Tagging Standard | LOW | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [Transfer.1](transfer-controls.md#transfer-1)  | Transfer Family workflows should be tagged | Amazon Resource Tagging Standard | LOW | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [Transfer.2](transfer-controls.md#transfer-2)  | Transfer Family servers should not use FTP protocol for endpoint connection | Amazon Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 | MEDIUM | ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No | Periodic | 
|  [Transfer.3](transfer-controls.md#transfer-3)  | Transfer Family connectors should have logging enabled | Amazon Foundational Security Best Practices, NIST SP 800-53 Rev. 5 | MEDIUM | ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No | Change triggered | 
|  [Transfer.4](transfer-controls.md#transfer-4)  | Transfer Family agreements should be tagged | Amazon Resource Tagging Standard | LOW | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [Transfer.5](transfer-controls.md#transfer-5)  | Transfer Family certificates should be tagged | Amazon Resource Tagging Standard | LOW | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [Transfer.6](transfer-controls.md#transfer-6)  | Transfer Family connectors should be tagged | Amazon Resource Tagging Standard | LOW | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [Transfer.7](transfer-controls.md#transfer-7)  | Transfer Family profiles should be tagged | Amazon Resource Tagging Standard | LOW | ![\[Yes\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-yes.png) Yes | Change triggered | 
|  [WAF.1](waf-controls.md#waf-1)  |  Amazon WAF Classic Global Web ACL logging should be enabled  | Amazon Foundational Security Best Practices, NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 |  MEDIUM  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Periodic  | 
|  [WAF.2](waf-controls.md#waf-2)  |  Amazon WAF Classic Regional rules should have at least one condition  |  Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5  |  MEDIUM  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [WAF.3](waf-controls.md#waf-3)  |  Amazon WAF Classic Regional rule groups should have at least one rule  |  Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5  |  MEDIUM  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [WAF.4](waf-controls.md#waf-4)  |  Amazon WAF Classic Regional web ACLs should have at least one rule or rule group  |  Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5  |  MEDIUM  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [WAF.6](waf-controls.md#waf-6)  |  Amazon WAF Classic global rules should have at least one condition  |  Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5  |  MEDIUM  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [WAF.7](waf-controls.md#waf-7)  |  Amazon WAF Classic global rule groups should have at least one rule  |  Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5  |  MEDIUM  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [WAF.8](waf-controls.md#waf-8)  |  Amazon WAF Classic global web ACLs should have at least one rule or rule group  |  Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5  |  MEDIUM  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [WAF.10](waf-controls.md#waf-10)  |  Amazon WAF web ACLs should have at least one rule or rule group  |  Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5  |  MEDIUM  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [WAF.11](waf-controls.md#waf-11)  |  Amazon WAF web ACL logging should be enabled  | NIST SP 800-53 Rev. 5, PCI DSS v4.0.1 |  LOW  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Periodic  | 
|  [WAF.12](waf-controls.md#waf-12)  |  Amazon WAF rules should have CloudWatch metrics enabled  |  Amazon Foundational Security Best Practices v1.0.0, NIST SP 800-53 Rev. 5, NIST SP 800-171 Rev. 2  |  MEDIUM  |  ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No  |  Change triggered  | 
|  [WorkSpaces.1](workspaces-controls.md#workspaces-1)  | WorkSpaces user volumes should be encrypted at rest | Amazon Foundational Security Best Practices | MEDIUM | ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No | Change triggered | 
|  [WorkSpaces.2](workspaces-controls.md#workspaces-2)  | WorkSpaces root volumes should be encrypted at rest | Amazon Foundational Security Best Practices | MEDIUM | ![\[No\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/images/icon-no.png) No | Change triggered | 
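As an added example (not code from the original page, and not Security Hub CSPM's own rule implementation), the following Python evaluator shows the kind of check that SNS.4 and SQS.3 in the table above perform on a topic or queue access policy: an `Allow` statement whose principal is `*` (or `{"AWS": "*"}`) and that carries no condition pinning the caller to a known account, ARN, organization or VPC is treated as public. The set of scoping condition keys, the sample policies and the PASSED/FAILED mapping are assumptions made for illustration.

```python
"""Heuristic public-access check for SNS topic / SQS queue resource policies.

Added example for the SNS.4 / SQS.3 controls; illustrative only, not
Security Hub CSPM's evaluation logic.
"""
import json

# Condition keys that tie a wildcard principal to a specific caller or source.
# Assumption: this list is illustrative; the page does not document the
# exact criteria the controls use.
SCOPING_KEYS = {
    "aws:sourcearn", "aws:sourceaccount", "aws:sourceowner",
    "aws:principalaccount", "aws:principalorgid", "aws:principalarn",
    "aws:sourcevpc", "aws:sourcevpce",
}


def _statements(policy):
    """Normalise Statement to a list (a single statement may be a bare dict)."""
    stmts = policy.get("Statement", [])
    return stmts if isinstance(stmts, list) else [stmts]


def _principal_is_wildcard(stmt):
    """True for Principal "*" or {"AWS": "*"} (also when "*" sits in a list)."""
    principal = stmt.get("Principal")
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = aws if isinstance(aws, list) else [aws]
        return "*" in aws
    return False


def _has_scoping_condition(stmt):
    """True if a condition narrows the wildcard principal to a known source.

    Negated and Null operators (StringNotEquals, ArnNotLike, Null) widen
    rather than narrow access, and a value of "*" narrows nothing.
    """
    for operator, pairs in stmt.get("Condition", {}).items():
        op = operator.lower()
        if op.startswith("null") or "not" in op:
            continue
        for key, values in pairs.items():
            if key.lower() not in SCOPING_KEYS:
                continue
            values = values if isinstance(values, list) else [values]
            if all(v != "*" for v in values):
                return True
    return False


def public_statements(policy):
    """Return the Sids (or positional labels) of statements that grant public access."""
    found = []
    for i, stmt in enumerate(_statements(policy)):
        if stmt.get("Effect") != "Allow":
            continue  # an explicit Deny with "*" is not a grant
        if _principal_is_wildcard(stmt) and not _has_scoping_condition(stmt):
            found.append(stmt.get("Sid", f"statement[{i}]"))
    return found


def evaluate(policy):
    """Compliance status in the style of a control finding.

    Accepts a parsed policy dict or the raw JSON string returned as the
    Policy attribute of an SQS queue or SNS topic.
    """
    if isinstance(policy, str):
        policy = json.loads(policy)
    return "FAILED" if public_statements(policy) else "PASSED"


# Constructed sample policies (not taken from any real account).
SAMPLE_POLICIES = {
    # Anyone on the internet may enqueue messages.
    "sqs_public": {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "OpenSend", "Effect": "Allow", "Principal": "*",
            "Action": "sqs:SendMessage",
            "Resource": "arn:aws:sqs:us-east-1:111122223333:orders",
        }],
    },
    # Wildcard principal pinned to one account via aws:SourceAccount.
    "sns_scoped": {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "SameAccountOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
            "Action": "sns:Publish",
            "Resource": "arn:aws:sns:us-east-1:111122223333:alerts",
            "Condition": {"StringEquals": {"aws:SourceAccount": "111122223333"}},
        }],
    },
    # A condition that matches every ARN does not narrow access.
    "sns_star_condition": {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "LooksScoped", "Effect": "Allow", "Principal": {"AWS": "*"},
            "Action": "sns:Publish",
            "Resource": "arn:aws:sns:us-east-1:111122223333:alerts",
            "Condition": {"ArnLike": {"aws:SourceArn": "*"}},
        }],
    },
    # A Deny with "*" plus a service principal restricted to one bucket.
    "sns_service_and_deny": {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "RequireTLS", "Effect": "Deny", "Principal": "*",
             "Action": "sns:Publish",
             "Resource": "arn:aws:sns:us-east-1:111122223333:alerts",
             "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
            {"Sid": "S3Events", "Effect": "Allow",
             "Principal": {"Service": "s3.amazonaws.com"},
             "Action": "sns:Publish",
             "Resource": "arn:aws:sns:us-east-1:111122223333:alerts",
             "Condition": {"ArnLike": {"aws:SourceArn": "arn:aws:s3:::example-bucket"}}},
        ],
    },
}

if __name__ == "__main__":
    for name, policy in SAMPLE_POLICIES.items():
        print(f"{name}: {evaluate(policy)} {public_statements(policy)}")
```

Feed it the `Policy` attribute from `aws sqs get-queue-attributes --attribute-names Policy` or `aws sns get-topic-attributes` (both return the policy as a JSON string). The heuristic ignores `NotPrincipal`, over-broad cross-account principals and condition keys outside the listed set, so treat a PASSED from it as a first pass, not as proof that the resource is private.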

# Change log for Security Hub CSPM controls

The following change log tracks material changes to existing Amazon Security Hub CSPM controls, which can result in changes to the overall status of a control and the compliance status of its findings. For information about how Security Hub CSPM evaluates control status, see [Evaluating compliance status and control status](controls-overall-status.md). Changes can take a few days after their entry in this log to affect all Amazon Web Services Regions in which the control is available.

This log tracks changes occurring since April 2023. Choose a control to review additional details about it. Title changes are noted in a control's detailed description for 90 days.


| Date of change | Control ID and title | Description of change | 
| --- | --- | --- | 
| April 7, 2026 | [[EC2.1] Amazon EBS snapshots should not be configured to be publicly restorable](ec2-controls.md#ec2-1) | Security Hub CSPM changed the title and description of this control. The new title and description more accurately reflect that the control checks whether Amazon EBS snapshots are configured to be publicly restorable. Previously, the title of this control was: *Amazon EBS snapshots should not be publicly restorable*. | 
| April 7, 2026 | [[EC2.182] Block public access settings should be enabled for Amazon EBS snapshots](ec2-controls.md#ec2-182) | Security Hub CSPM changed the title and description of this control. The new title and description more accurately reflect that the control checks whether account level block public access is enabled for Amazon EBS snapshots. Previously, the title of this control was: *Amazon EBS Snapshots should not be publicly accessible*. | 
| April 6, 2026 | [[ELB.17] Application and Network Load Balancers with listeners should use recommended security policies](elb-controls.md#elb-17) | Security Hub CSPM updated the parameter value for this control to reflect recommended security policies. | 
| April 3, 2026 | [[EKS.2] EKS clusters should run on a supported Kubernetes version](eks-controls.md#eks-2) | This control checks whether an Amazon EKS cluster runs on a supported Kubernetes version. Security Hub CSPM changed the parameter value for this control from `1.32` to `1.33`. Standard support for Kubernetes version 1.32 in Amazon EKS ended on March 23, 2026.  | 
| April 3, 2026 | [[Lambda.2] Lambda functions should use supported runtimes](lambda-controls.md#lambda-2)  | This control checks whether the runtime settings for an Amazon Lambda function match expected values for supported runtimes in each language. Security Hub CSPM no longer supports `ruby3.2` as a parameter value for this control. Amazon Lambda has deprecated this runtime. | 
| March 24, 2026 | [[RDS.50] RDS DB clusters should have enough backup retention period set](rds-controls.md#rds-50) | Security Hub CSPM updated the control title to reflect that the control checks all RDS DB clusters. | 
| March 24, 2026 | [[ECS.5] ECS task definitions should configure containers to be limited to read-only access to root filesystems](ecs-controls.md#ecs-5) | Security Hub CSPM updated the control title and description to reflect that the control checks ECS task definitions. Security Hub CSPM also updated the control to not generate findings for task definitions with `runtimePlatform` configured to specify a `WINDOWS_SERVER` OS family. | 
| March 9, 2026 | [AppSync.1] Amazon AppSync API caches should be encrypted at rest | Security Hub CSPM retired this control and removed it from the [Amazon Foundational Security Best Practices (FSBP) standard](https://docs.amazonaws.cn/securityhub/latest/userguide/fsbp-standard.html). Amazon AppSync now provides default encryption on all current and future API caches. | 
| March 9, 2026 | [AppSync.6] Amazon AppSync API caches should be encrypted in transit | Security Hub CSPM retired this control and removed it from the [Amazon Foundational Security Best Practices (FSBP) standard](https://docs.amazonaws.cn/securityhub/latest/userguide/fsbp-standard.html). Amazon AppSync now provides default encryption on all current and future API caches. | 
| March 4, 2026 | [ECS.1] Amazon ECS task definitions should have secure networking modes and user definitions | Security Hub CSPM retired this control and removed it from the [Amazon Foundational Security Best Practices (FSBP) standard](https://docs.amazonaws.cn/securityhub/latest/userguide/fsbp-standard.html) and the [NIST SP 800-53 Rev. 5 standard](https://docs.amazonaws.cn/securityhub/latest/userguide/nist-standard.html).  | 
| February 5, 2026 | [[AppSync.1] Amazon AppSync API caches should be encrypted at rest](appsync-controls.md#appsync-1) | Security Hub CSPM will retire this control and remove it from all applicable Security Hub CSPM standards on March 9, 2026. Amazon AppSync is providing default encryption on all current and future API caches. | 
| February 5, 2026 | [[AppSync.6] Amazon AppSync API caches should be encrypted in transit](appsync-controls.md#appsync-6) | Security Hub CSPM will retire this control and remove it from all applicable Security Hub CSPM standards on March 9, 2026. Amazon AppSync is providing default encryption on all current and future API caches. | 
| January 16, 2026 | [[ECS.1] Amazon ECS task definitions should have secure networking modes and user definitions](ecs-controls.md#ecs-1) | Security Hub CSPM provided notice that this control will be retired and removed from all applicable Security Hub CSPM standards after February 16, 2026. | 
| January 12, 2026 | [[Redshift.4] Amazon Redshift clusters should have audit logging enabled](redshift-controls.md#redshift-4) | Security Hub CSPM updated this control to remove the `loggingEnabled` parameter. | 
| January 12, 2026 | [MQ.3] Amazon MQ brokers should have automatic minor version upgrade enabled | Security Hub CSPM retired the control and removed the control from all applicable standards. Security Hub CSPM retired the control due to Amazon MQ requirements for automatic minor version upgrades. Previously, the control applied to the [Amazon Foundational Security Best Practices (FSBP) standard](https://docs.amazonaws.cn/securityhub/latest/userguide/fsbp-standard.html), the [NIST SP 800-53 Rev. 5 standard](https://docs.amazonaws.cn/securityhub/latest/userguide/nist-standard.html) and the [PCI DSS v4.0.1 standard](https://docs.amazonaws.cn/securityhub/latest/userguide/pci-standard.html).  | 
| January 12, 2026 | [[Lambda.2] Lambda functions should use supported runtimes](lambda-controls.md#lambda-2) | This control checks whether the runtime settings for an Amazon Lambda function match expected values for supported runtimes in each language. Security Hub CSPM now supports `dotnet10` as a parameter value for this control. Amazon Lambda added support for this runtime. | 
| December 15, 2025 | [[Lambda.2] Lambda functions should use supported runtimes](lambda-controls.md#lambda-2) | This control checks whether the runtime settings for an Amazon Lambda function match expected values for supported runtimes in each language. Security Hub CSPM no longer supports `python3.9` as a parameter value for this control. Amazon Lambda no longer supports this runtime. | 
| December 12, 2025 | [[EKS.2] EKS clusters should run on a supported Kubernetes version](eks-controls.md#eks-2) | This control checks whether an Amazon EKS cluster runs on a supported Kubernetes version. Security Hub CSPM changed the parameter value for this control from `1.31` to `1.32`. Standard support for Kubernetes version 1.31 in Amazon EKS ended on November 26, 2025.  | 
| November 21, 2025 | [[Lambda.2] Lambda functions should use supported runtimes](lambda-controls.md#lambda-2) | This control checks whether the runtime settings for an Amazon Lambda function match expected values for supported runtimes in each language. Security Hub CSPM now supports `nodejs24.x` and `python3.14` as parameter values for this control. Amazon Lambda added support for these runtimes. | 
| November 14, 2025 | [[EC2.15] Amazon EC2 subnets should not automatically assign public IP addresses](ec2-controls.md#ec2-15) | Security Hub CSPM updated the description and rationale for this control. Previously, the control only checked for IPv4 public IP auto-assignment in Amazon VPC subnets using the `MapPublicIpOnLaunch` flag. The control now checks for both IPv4 and IPv6 public IP auto-assignment, and the description and rationale reflect this wider scope. | 
| November 14, 2025 | [[Lambda.2] Lambda functions should use supported runtimes](lambda-controls.md#lambda-2) | This control checks whether the runtime settings for an Amazon Lambda function match expected values for supported runtimes in each language. Security Hub CSPM now supports `java25` as a parameter value for this control. Amazon Lambda added support for this runtime. | 
| November 13, 2025 | [[SNS.4] SNS topic access policies should not allow public access](sns-controls.md#sns-4) | Security Hub CSPM changed the severity of this control from `HIGH` to `CRITICAL`. Allowing public access to Amazon SNS topics poses a significant security risk. | 
| November 13, 2025 | [[SQS.3] SQS queue access policies should not allow public access](sqs-controls.md#sqs-3) | Security Hub CSPM changed the severity of this control from `HIGH` to `CRITICAL`. Allowing public access to Amazon SQS queues poses a significant security risk. | 
| November 13, 2025 | [[GuardDuty.7] GuardDuty EKS Runtime Monitoring should be enabled](guardduty-controls.md#guardduty-7) | Security Hub CSPM changed the severity of this control from `MEDIUM` to `HIGH`. This type of runtime monitoring provides enhanced threat detection for Amazon EKS resources. | 
| November 13, 2025 | [[MQ.3] Amazon MQ brokers should have automatic minor version upgrade enabled](mq-controls.md#mq-3) | Security Hub CSPM changed the severity of this control from `LOW` to `MEDIUM`. Minor version upgrades include security patches that are necessary for maintaining Amazon MQ broker security. | 
| November 13, 2025 | [[Opensearch.10] OpenSearch domains should have the latest software update installed](opensearch-controls.md#opensearch-10) | Security Hub CSPM changed the severity of this control from `LOW` to `MEDIUM`. Software updates include security patches that are necessary for maintaining OpenSearch domain security. | 
| November 13, 2025 | [[RDS.7] RDS clusters should have deletion protection enabled](rds-controls.md#rds-7) | Security Hub CSPM changed the severity of this control from `LOW` to `MEDIUM`. Deletion protection helps prevent accidental deletion of Amazon RDS databases and deletion of RDS databases by unauthorized entities. | 
| November 13, 2025 | [[CloudTrail.5] CloudTrail trails should be integrated with Amazon CloudWatch Logs](cloudtrail-controls.md#cloudtrail-5) | Security Hub CSPM changed the severity of this control from `LOW` to `MEDIUM`. Amazon CloudTrail logging data in Amazon CloudWatch Logs can be used for audit activities, alarms, and other important security operations. | 
| November 13, 2025 | [[ServiceCatalog.1] Service Catalog portfolios should be shared within an Amazon organization only](servicecatalog-controls.md#servicecatalog-1) | Security Hub CSPM changed the severity of this control from `HIGH` to `MEDIUM`. Sharing Amazon Service Catalog portfolios with specific accounts could be intentional and doesn’t necessarily indicate that a portfolio is publicly accessible. | 
| November 13, 2025 | [[CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates](cloudfront-controls.md#cloudfront-7) | Security Hub CSPM changed the severity of this control from `MEDIUM` to `LOW`. Default `cloudfront.net` domain names for Amazon CloudFront distributions are generated randomly, which reduces security risk. | 
| November 13, 2025 | [[ELB.7] Classic Load Balancers should have connection draining enabled](elb-controls.md#elb-7) | Security Hub CSPM changed the severity of this control from `MEDIUM` to `LOW`. In multi-instance deployments, other healthy instances can handle user sessions when an instance is terminated without connection draining, which reduces operational impact and availability risks. | 
| November 13, 2025 | [[RedshiftServerless.5] Redshift Serverless namespaces should not use the default admin username](redshiftserverless-controls.md#redshiftserverless-5) | Security Hub CSPM updated this control to remove the optional `validAdminUserNames` parameter. | 
| October 23, 2025 | [[ElastiCache.1] ElastiCache (Redis OSS) clusters should have automatic backups enabled](elasticache-controls.md#elasticache-1) | Security Hub CSPM reverted the changes that were made to the title, description, and rule for this control on October 14, 2025. | 
| October 22, 2025 | [[CloudFront.1] CloudFront distributions should have a default root object configured](cloudfront-controls.md#cloudfront-1) | Security Hub CSPM updated this control to not generate findings for Amazon CloudFront distributions that use custom origins.  | 
| October 16, 2025 | [[CloudFront.15] CloudFront distributions should use the recommended TLS security policy](cloudfront-controls.md#cloudfront-15) | This control checks whether an Amazon CloudFront distribution is configured to use a recommended TLS security policy. Security Hub CSPM now supports `TLSv1.2_2025` and `TLSv1.3_2025` as parameter values for this control. | 
| October 14, 2025 | [[ElastiCache.1] ElastiCache (Redis OSS) clusters should have automatic backups enabled](elasticache-controls.md#elasticache-1) | Security Hub CSPM changed the title, description, and rule for this control. Previously, the control checked Redis OSS clusters and all replication groups, using the [elasticache-redis-cluster-automatic-backup-check](https://docs.amazonaws.cn/config/latest/developerguide/elasticache-redis-cluster-automatic-backup-check.html) rule. The title of the control was: *ElastiCache (Redis OSS) clusters should have automatic backups enabled*. This control now checks Valkey clusters in addition to Redis OSS clusters and all replication groups, using the [elasticache-automatic-backup-check-enabled](https://docs.amazonaws.cn/config/latest/developerguide/elasticache-automatic-backup-check-enabled.html) rule. The new title and description reflect that the control checks both types of clusters.  | 
| October 5, 2025 | [[Opensearch.10] OpenSearch domains should have the latest software update installed](opensearch-controls.md#opensearch-10) | The rule for this control was updated to also generate a `PASSED` finding if an Amazon OpenSearch Service domain has no software updates available and the update status is ineligible. Previously, this control generated a `PASSED` finding only if an OpenSearch domain had no software updates available and the update status was complete.  | 
| September 24, 2025 | [Redshift.9] Redshift clusters should not use the default database name and [RedshiftServerless.7] Redshift Serverless namespaces should not use the default database name | Security Hub CSPM retired these controls and removed them from all applicable standards. Security Hub CSPM retired these controls due to inherent Amazon Redshift limitations that prevented effective remediation of `FAILED` findings for the controls. Previously, the controls applied to the [Amazon Foundational Security Best Practices (FSBP) standard](https://docs.amazonaws.cn/securityhub/latest/userguide/fsbp-standard.html) and the [NIST SP 800-53 Rev. 5 standard](https://docs.amazonaws.cn/securityhub/latest/userguide/nist-standard.html). The Redshift.9 control also applied to the [Amazon Control Tower service-managed standard](https://docs.amazonaws.cn/securityhub/latest/userguide/service-managed-standard-aws-control-tower.html).  | 
| September 9, 2025 | [[Lambda.2] Lambda functions should use supported runtimes](lambda-controls.md#lambda-2) | This control checks whether the runtime settings for an Amazon Lambda function match expected values for supported runtimes in each language. Security Hub CSPM no longer supports `nodejs18.x` as a parameter value for this control. Amazon Lambda no longer supports Node.js 18 runtimes. | 
| August 13, 2025 | [[SageMaker.5] SageMaker models should have network isolation enabled](sagemaker-controls.md#sagemaker-5) | Security Hub CSPM changed the title and description of this control. The new title and description more accurately reflect that the control checks the setting for the `EnableNetworkIsolation` parameter of Amazon SageMaker AI hosted models. Previously, the title of this control was: *SageMaker models should block inbound traffic*.  | 
| August 13, 2025 | [[EFS.6] EFS mount targets should not be associated with subnets that assign public IP addresses on launch](efs-controls.md#efs-6) | Security Hub CSPM changed the title and description of this control. The new title and description more precisely reflect the scope and nature of the check that the control performs. Previously, the title of this control was: *EFS mount targets should not be associated with a public subnet*.  | 
| July 24, 2025 | [[EKS.2] EKS clusters should run on a supported Kubernetes version](eks-controls.md#eks-2) | This control checks whether an Amazon EKS cluster runs on a supported Kubernetes version. Security Hub CSPM changed the parameter value for this control from `1.30` to `1.31`. Standard support for Kubernetes version 1.30 in Amazon EKS ended on July 23, 2025.  | 
| July 23, 2025 | [[EC2.173] EC2 Spot Fleet requests with launch parameters should enable encryption for attached EBS volumes](ec2-controls.md#ec2-173) | Security Hub CSPM changed the title of this control. The new title more accurately reflects that the control only checks Amazon EC2 Spot Fleet requests that specify launch parameters. Previously, the title of this control was: *EC2 Spot Fleet requests should enable encryption for attached EBS volumes*.  | 
| June 30, 2025 | [[IAM.13] Ensure IAM password policy requires at least one symbol](iam-controls.md#iam-13) | Security Hub CSPM removed this control from the [PCI DSS v4.0.1 standard](pci-standard.md). PCI DSS v4.0.1 doesn't explicitly require the use of symbols in passwords.  | 
| June 30, 2025 | [[IAM.17] Ensure IAM password policy expires passwords within 90 days or less](iam-controls.md#iam-17) | Security Hub CSPM removed this control from the [NIST SP 800-171 Revision 2 standard](standards-reference-nist-800-171.md). NIST SP 800-171 Revision 2 doesn't explicitly require password expiration periods of 90 days or less.  | 
| June 30, 2025 | [[RDS.16] Aurora DB clusters should be configured to copy tags to DB snapshots](rds-controls.md#rds-16) | Security Hub CSPM changed the title of this control. The new title more accurately reflects that the control only checks Amazon Aurora DB clusters. Previously, the title of this control was: *RDS DB clusters should be configured to copy tags to snapshots*. | 
| June 30, 2025 | [[SageMaker.8] SageMaker notebook instances should run on supported platforms](sagemaker-controls.md#sagemaker-8) | This control checks whether an Amazon SageMaker AI notebook instance is configured to run on a supported platform, based on the platform identifier specified for the notebook instance. Security Hub CSPM no longer supports `notebook-al2-v1` and `notebook-al2-v2` as parameter values for this control. Notebook instances that run on these platforms reached end of support on June 30, 2025. | 
| May 30, 2025 | [[IAM.10] Password policies for IAM users should have strong configurations](iam-controls.md#iam-10) | Security Hub CSPM removed this control from the [PCI DSS v4.0.1 standard](pci-standard.md). This control checks whether account password policies for IAM users meet minimum requirements, including a minimum password length of 7 characters. PCI DSS v4.0.1 now requires passwords to have a minimum of 8 characters. The control continues to apply to the PCI DSS v3.2.1 standard, which has different password requirements. To evaluate account password policies against PCI DSS v4.0.1 requirements, you can use the [IAM.7 control](iam-controls.md#iam-7). This control requires passwords to have a minimum of 8 characters. It also supports custom values for password length and other parameters. The IAM.7 control is part of the PCI DSS v4.0.1 standard in Security Hub CSPM.  | 
| May 8, 2025 | [RDS.46] RDS DB instances should not be deployed in public subnets with routes to internet gateways | Security Hub CSPM rolled back the release of the RDS.46 control in all Amazon Web Services Regions. Previously, this control was part of the Amazon Foundational Security Best Practices (FSBP) standard. | 
| April 7, 2025 | [[ELB.17] Application and Network Load Balancers with listeners should use recommended security policies](elb-controls.md#elb-17) | This control checks whether the HTTPS listener for an Application Load Balancer or the TLS listener for a Network Load Balancer is configured to encrypt data in transit by using a recommended security policy. Security Hub CSPM now supports two additional parameter values for this control: `ELBSecurityPolicy-TLS13-1-2-Res-2021-06` and `ELBSecurityPolicy-TLS13-1-2-Res-FIPS-2023-04`. | 
| March 27, 2025 | [[Lambda.2] Lambda functions should use supported runtimes](lambda-controls.md#lambda-2) | This control checks whether the runtime settings for an Amazon Lambda function match expected values for supported runtimes in each language. Security Hub CSPM now supports `ruby3.4` as a parameter value for this control. Amazon Lambda added support for this runtime. | 
| March 26, 2025 | [[EKS.2] EKS clusters should run on a supported Kubernetes version](eks-controls.md#eks-2) | This control checks whether an Amazon Elastic Kubernetes Service (Amazon EKS) cluster runs on a supported Kubernetes version. For the `oldestVersionSupported` parameter, Security Hub CSPM changed the value from `1.29` to `1.30`. The oldest supported Kubernetes version is now `1.30`. | 
| March 10, 2025 | [[Lambda.2] Lambda functions should use supported runtimes](lambda-controls.md#lambda-2) | This control checks whether the runtime settings for an Amazon Lambda function match expected values for supported runtimes in each language. Security Hub CSPM no longer supports `dotnet6` and `python3.8` as parameter values for this control. Amazon Lambda no longer supports these runtimes. | 
| March 7, 2025 | [[RDS.18] RDS instances should be deployed in a VPC](rds-controls.md#rds-18) | Security Hub CSPM removed this control from the Amazon Foundational Security Best Practices standard and from the automated checks for NIST SP 800-53 Rev. 5 requirements. Because Amazon EC2-Classic networking was retired, Amazon Relational Database Service (Amazon RDS) instances can no longer be deployed outside a VPC. The control continues to be part of the [Amazon Control Tower service-managed standard](service-managed-standard-aws-control-tower.md). | 
| January 10, 2025 | [Glue.2] Amazon Glue jobs should have logging enabled | Security Hub CSPM retired this control and removed it from all standards. | 
| December 20, 2024 | EC2.61 through EC2.169  | Security Hub CSPM rolled back the release of the EC2.61 through EC2.169 controls. | 
| December 12, 2024 | [[RDS.23] RDS instances should not use a database engine default port](rds-controls.md#rds-23)  | RDS.23 checks whether an Amazon Relational Database Service (Amazon RDS) cluster or instance uses a port other than the default port of the database engine. We updated the control so that the underlying Amazon Config rule returns a result of `NOT_APPLICABLE` for RDS instances that are part of a cluster. | 
| December 2, 2024 | [[Lambda.2] Lambda functions should use supported runtimes](lambda-controls.md#lambda-2)  | Lambda.2 checks whether the Amazon Lambda function settings for runtimes match the expected values set for the supported runtimes in each language. Security Hub CSPM now supports `nodejs22.x` as a parameter value. | 
| November 26, 2024 | [[EKS.2] EKS clusters should run on a supported Kubernetes version](eks-controls.md#eks-2)  | This control checks whether an Amazon Elastic Kubernetes Service (Amazon EKS) cluster runs on a supported Kubernetes version. The oldest supported version is now `1.29`. | 
| November 20, 2024 | [[Config.1] Amazon Config should be enabled and use the service-linked role for resource recording](config-controls.md#config-1)  | Config.1 checks whether Amazon Config is enabled, uses the service-linked role, and records resources for enabled controls. Security Hub CSPM increased the severity of this control from `MEDIUM` to `CRITICAL`. Security Hub CSPM also added [new status codes and status reasons](controls-findings-create-update.md#control-findings-asff-compliance) for failed Config.1 findings. These changes reflect the importance of Config.1 to the operation of Security Hub CSPM controls. If you have Amazon Config or resource recording disabled, you can receive inaccurate control findings. To receive a `PASSED` finding for Config.1, turn on resource recording for resources that correspond to enabled Security Hub CSPM controls, and disable controls that aren't required in your organization. For instructions on configuring Amazon Config for Security Hub CSPM, see [Enabling and configuring Amazon Config for Security Hub CSPM](securityhub-setup-prereqs.md). For a list of Security Hub CSPM controls and their corresponding resources, see [Required Amazon Config resources for control findings](controls-config-resources.md). | 
| November 12, 2024 | [[Lambda.2] Lambda functions should use supported runtimes](lambda-controls.md#lambda-2)  | Lambda.2 checks whether the Amazon Lambda function settings for runtimes match the expected values set for the supported runtimes in each language. Security Hub CSPM now supports python3.13 as a parameter. | 
| October 11, 2024 | ElastiCache controls  | Changed control titles for ElastiCache.3, ElastiCache.4, ElastiCache.5, and ElastiCache.7. Titles no longer mention Redis OSS because the controls also apply to ElastiCache for Valkey. | 
| September 27, 2024 | [[ELB.4] Application Load Balancer should be configured to drop invalid http headers](elb-controls.md#elb-4)  | Changed control title from  Application Load Balancer should be configured to drop http headers to Application Load Balancer should be configured to drop invalid http headers. | 
| August 19, 2024 | Title changes to DMS.12 and ElastiCache controls  | Changed control titles for DMS.12 and ElastiCache.1 through ElastiCache.7. We changed these titles to reflect a name change in the Amazon ElastiCache (Redis OSS) service. | 
| August 15, 2024 | [[Config.1] Amazon Config should be enabled and use the service-linked role for resource recording](config-controls.md#config-1)  | Config.1 checks whether Amazon Config is enabled, uses the service-linked role, and records resources for enabled controls. Security Hub CSPM added a custom control parameter named includeConfigServiceLinkedRoleCheck. By setting this parameter to false, you can opt out of checking whether Amazon Config uses the service-linked role. | 
| July 31, 2024 | [[IoT.1] Amazon IoT Device Defender security profiles should be tagged](iot-controls.md#iot-1)  | Changed control title from Amazon IoT Core security profiles should be tagged to Amazon IoT Device Defender security profiles should be tagged. | 
| July 29, 2024 | [[Lambda.2] Lambda functions should use supported runtimes](lambda-controls.md#lambda-2)  | Lambda.2 checks whether the Amazon Lambda function settings for runtimes match the expected values set for the supported runtimes in each language. Security Hub CSPM no longer supports nodejs16.x as a parameter. | 
| July 29, 2024 | [[EKS.2] EKS clusters should run on a supported Kubernetes version](eks-controls.md#eks-2)  | This control checks whether an Amazon Elastic Kubernetes Service (Amazon EKS) cluster runs on a supported Kubernetes version. The oldest supported version is 1.28. | 
| June 25, 2024 | [[Config.1] Amazon Config should be enabled and use the service-linked role for resource recording](config-controls.md#config-1)  | This control checks whether Amazon Config is enabled, uses the service-linked role, and records resources for enabled controls. Security Hub CSPM updated the control title to reflect what the control evaluates. | 
| June 14, 2024 | [[RDS.34] Aurora MySQL DB clusters should publish audit logs to CloudWatch Logs](rds-controls.md#rds-34)  | This control checks whether an Amazon Aurora MySQL DB cluster is configured to publish audit logs to Amazon CloudWatch Logs. Security Hub CSPM updated the control so that it doesn't generate findings for Aurora Serverless v1 DB clusters. | 
| June 11, 2024 | [[EKS.2] EKS clusters should run on a supported Kubernetes version](eks-controls.md#eks-2)  | This control checks whether an Amazon Elastic Kubernetes Service (Amazon EKS) cluster runs on a supported Kubernetes version. The oldest supported version is 1.27. | 
| June 10, 2024 | [[Config.1] Amazon Config should be enabled and use the service-linked role for resource recording](config-controls.md#config-1)  | This control checks whether Amazon Config is enabled and Amazon Config resource recording is turned on. Previously, the control produced a PASSED finding only if you configured recording for all resources. Security Hub CSPM updated the control to produce a PASSED finding when recording is turned on for resources that are required for enabled controls. The control has also been updated to check whether the Amazon Config service-linked role is used, which provides permissions to record necessary resources. | 
| May 8, 2024 | [[S3.20] S3 general purpose buckets should have MFA delete enabled](s3-controls.md#s3-20)  | This control checks whether an Amazon S3 general purpose versioned bucket has multi-factor authentication (MFA) delete enabled. Previously, the control produced a FAILED finding for buckets that have a Lifecycle configuration. However, MFA delete with versioning can't be enabled on a bucket that has a Lifecycle configuration. Security Hub CSPM updated the control to produce no findings for buckets that have a Lifecycle configuration. The control description has been updated to reflect the current behavior.  | 
| May 2, 2024 | [[EKS.2] EKS clusters should run on a supported Kubernetes version](eks-controls.md#eks-2)  | Security Hub CSPM updated the oldest supported version of Kubernetes that the Amazon EKS cluster can run on to produce a passed finding. The current oldest supported version is Kubernetes 1.26. | 
| April 30, 2024 | [[CloudTrail.3] At least one CloudTrail trail should be enabled](cloudtrail-controls.md#cloudtrail-3)  | Changed control title from CloudTrail should be enabled to At least one CloudTrail trail should be enabled. This control currently produces a PASSED finding if an Amazon Web Services account has at least one CloudTrail trail enabled. The title and description have been changed to accurately reflect the current behavior. | 
| April 29, 2024 | [[AutoScaling.1] Auto Scaling groups associated with a load balancer should use ELB health checks](autoscaling-controls.md#autoscaling-1)  | Changed control title from Auto Scaling groups associated with a Classic Load Balancer should use load balancer health checks to Auto Scaling groups associated with a load balancer should use ELB health checks. This control currently evaluates Application, Gateway, Network, and Classic Load Balancers. The title and description have been changed to accurately reflect the current behavior. | 
| April 19, 2024 | [[CloudTrail.1] CloudTrail should be enabled and configured with at least one multi-Region trail that includes read and write management events](cloudtrail-controls.md#cloudtrail-1)  | The control checks whether Amazon CloudTrail is enabled and configured with at least one multi-Region trail that includes read and write management events. Previously, the control incorrectly generated PASSED findings when an account had CloudTrail enabled and configured with at least one multi-Region trail, even if no trail captured read and write management events. The control now generates a PASSED finding only when CloudTrail is enabled and configured with at least one multi-Region trail that captures read and write management events. | 
| April 10, 2024 | [Athena.1] Athena workgroups should be encrypted at rest  | Security Hub CSPM retired this control and removed it from all standards. Athena workgroups send logs to Amazon Simple Storage Service (Amazon S3) buckets. Amazon S3 now provides default encryption with S3 managed keys (SSE-S3) on new and existing S3 buckets. | 
| April 10, 2024 | [AutoScaling.4] Auto Scaling group launch configuration should not have a metadata response hop limit greater than 1  | Security Hub CSPM retired this control and removed it from all standards. Metadata response hop limits for Amazon Elastic Compute Cloud (Amazon EC2) instances are workload dependent. | 
| April 10, 2024 | [CloudFormation.1] CloudFormation stacks should be integrated with Simple Notification Service (SNS)  | Security Hub CSPM retired this control and removed it from all standards. Integrating Amazon CloudFormation stacks with Amazon SNS topics is no longer a security best practice. Though integrating important CloudFormation stacks with SNS topics can be useful, it is not required for all stacks. | 
| April 10, 2024 | [CodeBuild.5] CodeBuild project environments should not have privileged mode enabled  | Security Hub CSPM retired this control and removed it from all standards. Enabling privileged mode in a CodeBuild project does not impose an additional risk to the customer environment. | 
| April 10, 2024 | [IAM.20] Avoid the use of the root user  | Security Hub CSPM retired this control and removed it from all standards. The purpose of this control is covered by another control, [[CloudWatch.1] A log metric filter and alarm should exist for usage of the "root" user](cloudwatch-controls.md#cloudwatch-1). | 
| April 10, 2024 | [SNS.2] Logging of delivery status should be enabled for notification messages sent to a topic  | Security Hub CSPM retired this control and removed it from all standards. Logging delivery status for SNS topics is no longer a security best practice. Though logging delivery status for important SNS topics can be useful, it is not required for all topics. | 
| April 10, 2024 | [[S3.10] S3 general purpose buckets with versioning enabled should have Lifecycle configurations](s3-controls.md#s3-10)  | Security Hub CSPM removed this control from Amazon Foundational Security Best Practices and Service-Managed Standard: Amazon Control Tower. The purpose of this control is covered by two other controls: [[S3.13] S3 general purpose buckets should have Lifecycle configurations](s3-controls.md#s3-13) and [[S3.14] S3 general purpose buckets should have versioning enabled](s3-controls.md#s3-14). This control is still part of NIST SP 800-53 Rev. 5. | 
| April 10, 2024 | [[S3.11] S3 general purpose buckets should have event notifications enabled](s3-controls.md#s3-11)  | Security Hub CSPM removed this control from Amazon Foundational Security Best Practices and Service-Managed Standard: Amazon Control Tower. Though there are some cases where event notifications for S3 buckets are useful, this is not a universal security best practice. This control is still part of NIST SP 800-53 Rev. 5. | 
| April 10, 2024 | [[SNS.1] SNS topics should be encrypted at-rest using Amazon KMS](sns-controls.md#sns-1)  | Security Hub CSPM removed this control from Amazon Foundational Security Best Practices and Service-Managed Standard: Amazon Control Tower. By default, SNS encrypts topics at rest with disk encryption. For more information, see [Data encryption](https://docs.amazonaws.cn/sns/latest/dg/sns-data-encryption.html). Using Amazon KMS to encrypt topics is no longer recommended as a security best practice. This control is still part of NIST SP 800-53 Rev. 5. | 
| April 8, 2024 | [[ELB.6] Application, Gateway, and Network Load Balancers should have deletion protection enabled](elb-controls.md#elb-6)  | Changed control title from Application Load Balancer deletion protection should be enabled to Application, Gateway, and Network Load Balancers should have deletion protection enabled. This control currently evaluates Application, Gateway, and Network Load Balancers. The title and description have been changed to accurately reflect the current behavior. | 
| March 22, 2024 | [[Opensearch.8] Connections to OpenSearch domains should be encrypted using the latest TLS security policy](opensearch-controls.md#opensearch-8)  | Changed control title from Connections to OpenSearch domains should be encrypted using TLS 1.2 to Connections to OpenSearch domains should be encrypted using the latest TLS security policy. Previously, the control only checked whether connections to OpenSearch domains used TLS 1.2. The control now produces a PASSED finding if OpenSearch domains are encrypted using the latest TLS security policy. The control title and description have been updated to reflect the current behavior.  | 
| March 22, 2024 | [[ES.8] Connections to Elasticsearch domains should be encrypted using the latest TLS security policy](es-controls.md#es-8)  | Changed control title from Connections to Elasticsearch domains should be encrypted using TLS 1.2 to Connections to Elasticsearch domains should be encrypted using the latest TLS security policy. Previously, the control only checked whether connections to Elasticsearch domains used TLS 1.2. The control now produces a PASSED finding if Elasticsearch domains are encrypted using the latest TLS security policy. The control title and description have been updated to reflect the current behavior.  | 
| March 12, 2024 | [[S3.1] S3 general purpose buckets should have block public access settings enabled](s3-controls.md#s3-1)  | Changed title from S3 Block Public Access setting should be enabled to S3 general purpose buckets should have block public access settings enabled. Security Hub CSPM changed the title to account for a new S3 bucket type. | 
| March 12, 2024 | [[S3.2] S3 general purpose buckets should block public read access](s3-controls.md#s3-2)  | Changed title from S3 buckets should prohibit public read access to S3 general purpose buckets should block public read access. Security Hub CSPM changed the title to account for a new S3 bucket type. | 
| March 12, 2024 | [[S3.3] S3 general purpose buckets should block public write access](s3-controls.md#s3-3)  | Changed title from S3 buckets should prohibit public write access to S3 general purpose buckets should block public write access. Security Hub CSPM changed the title to account for a new S3 bucket type. | 
| March 12, 2024 | [[S3.5] S3 general purpose buckets should require requests to use SSL](s3-controls.md#s3-5)  | Changed title from S3 buckets should require requests to use Secure Socket Layer to S3 general purpose buckets should require requests to use SSL. Security Hub CSPM changed the title to account for a new S3 bucket type. | 
| March 12, 2024 | [[S3.6] S3 general purpose bucket policies should restrict access to other Amazon Web Services accounts](s3-controls.md#s3-6)  | Changed title from S3 permissions granted to other Amazon Web Services accounts in bucket policies should be restricted to S3 general purpose bucket policies should restrict access to other Amazon Web Services accounts. Security Hub CSPM changed the title to account for a new S3 bucket type. | 
| March 12, 2024 | [[S3.7] S3 general purpose buckets should use cross-Region replication](s3-controls.md#s3-7)  | Changed title from S3 buckets should have cross-Region replication enabled to S3 general purpose buckets should use cross-Region replication. Security Hub CSPM changed the title to account for a new S3 bucket type. | 
| March 12, 2024 | [[S3.8] S3 general purpose buckets should block public access](s3-controls.md#s3-8)  | Changed title from S3 Block Public Access setting should be enabled at the bucket-level to S3 general purpose buckets should block public access. Security Hub CSPM changed the title to account for a new S3 bucket type. | 
| March 12, 2024 | [[S3.9] S3 general purpose buckets should have server access logging enabled](s3-controls.md#s3-9)  | Changed title from S3 bucket server access logging should be enabled to S3 general purpose buckets should have server access logging enabled. Security Hub CSPM changed the title to account for a new S3 bucket type. | 
| March 12, 2024 | [[S3.10] S3 general purpose buckets with versioning enabled should have Lifecycle configurations](s3-controls.md#s3-10)  | Changed title from S3 buckets with versioning enabled should have lifecycle policies configured to S3 general purpose buckets with versioning enabled should have Lifecycle configurations. Security Hub CSPM changed the title to account for a new S3 bucket type. | 
| March 12, 2024 | [[S3.11] S3 general purpose buckets should have event notifications enabled](s3-controls.md#s3-11)  | Changed title from S3 buckets should have event notifications enabled to S3 general purpose buckets should have event notifications enabled. Security Hub CSPM changed the title to account for a new S3 bucket type. | 
| March 12, 2024 | [[S3.12] ACLs should not be used to manage user access to S3 general purpose buckets](s3-controls.md#s3-12)  | Changed title from S3 access control lists (ACLs) should not be used to manage user access to buckets to ACLs should not be used to manage user access to S3 general purpose buckets. Security Hub CSPM changed the title to account for a new S3 bucket type. | 
| March 12, 2024 | [[S3.13] S3 general purpose buckets should have Lifecycle configurations](s3-controls.md#s3-13)  | Changed title from S3 buckets should have lifecycle policies configured to S3 general purpose buckets should have Lifecycle configurations. Security Hub CSPM changed the title to account for a new S3 bucket type. | 
| March 12, 2024 | [[S3.14] S3 general purpose buckets should have versioning enabled](s3-controls.md#s3-14)  | Changed title from S3 buckets should use versioning to S3 general purpose buckets should have versioning enabled. Security Hub CSPM changed the title to account for a new S3 bucket type. | 
| March 12, 2024 | [[S3.15] S3 general purpose buckets should have Object Lock enabled](s3-controls.md#s3-15)  | Changed title from S3 buckets should be configured to use Object Lock to S3 general purpose buckets should have Object Lock enabled. Security Hub CSPM changed the title to account for a new S3 bucket type. | 
| March 12, 2024 | [[S3.17] S3 general purpose buckets should be encrypted at rest with Amazon KMS keys](s3-controls.md#s3-17)  | Changed title from S3 buckets should be encrypted at rest with Amazon KMS keys to S3 general purpose buckets should be encrypted at rest with Amazon KMS keys. Security Hub CSPM changed the title to account for a new S3 bucket type. | 
| March 7, 2024 | [[Lambda.2] Lambda functions should use supported runtimes](lambda-controls.md#lambda-2)  | Lambda.2 checks whether the Amazon Lambda function settings for runtimes match the expected values set for the supported runtimes in each language. Security Hub CSPM now supports nodejs20.x and ruby3.3 as parameters. | 
| February 22, 2024 | [[Lambda.2] Lambda functions should use supported runtimes](lambda-controls.md#lambda-2)  | Lambda.2 checks whether the Amazon Lambda function settings for runtimes match the expected values set for the supported runtimes in each language. Security Hub CSPM now supports dotnet8 as a parameter. | 
| February 5, 2024 | [[EKS.2] EKS clusters should run on a supported Kubernetes version](eks-controls.md#eks-2)  | Security Hub CSPM updated the oldest supported version of Kubernetes that the Amazon EKS cluster can run on to produce a passed finding. The current oldest supported version is Kubernetes 1.25.  | 
| January 10, 2024 | [[CodeBuild.1] CodeBuild Bitbucket source repository URLs should not contain sensitive credentials](codebuild-controls.md#codebuild-1)  | Changed title from CodeBuild GitHub or Bitbucket source repository URLs should use OAuth to CodeBuild Bitbucket source repository URLs should not contain sensitive credentials. Security Hub CSPM removed mention of OAuth because other connection methods can also be secure. Security Hub CSPM removed mention of GitHub because it's no longer possible to have a personal access token or username and password in GitHub source repository URLs. | 
| January 8, 2024 | [[Lambda.2] Lambda functions should use supported runtimes](lambda-controls.md#lambda-2)  | Lambda.2 checks whether the Amazon Lambda function settings for runtimes match the expected values set for the supported runtimes in each language. Security Hub CSPM no longer supports go1.x and java8 as parameters because these are retired runtimes. | 
| December 29, 2023 | [[RDS.8] RDS DB instances should have deletion protection enabled](rds-controls.md#rds-8)  | RDS.8 checks whether an Amazon RDS DB instance that uses one of the supported database engines has deletion protection enabled. Security Hub CSPM now supports custom-oracle-ee, oracle-ee-cdb, and oracle-se2-cdb as database engines. | 
| December 22, 2023 | [[Lambda.2] Lambda functions should use supported runtimes](lambda-controls.md#lambda-2)  | Lambda.2 checks whether the Amazon Lambda function settings for runtimes match the expected values set for the supported runtimes in each language. Security Hub CSPM now supports java21 and python3.12 as parameters. Security Hub CSPM no longer supports ruby2.7 as a parameter. | 
| December 15, 2023 | [[CloudFront.1] CloudFront distributions should have a default root object configured](cloudfront-controls.md#cloudfront-1)  | CloudFront.1 checks whether an Amazon CloudFront distribution has a default root object configured. Security Hub CSPM lowered the severity of this control from CRITICAL to HIGH because adding the default root object is a recommendation that depends on a user's application and specific requirements. | 
| December 5, 2023  | [[EC2.13] Security groups should not allow ingress from 0.0.0.0/0 or ::/0 to port 22](ec2-controls.md#ec2-13)  | Changed control title from Security groups should not allow ingress from 0.0.0.0/0 to port 22 to  Security groups should not allow ingress from 0.0.0.0/0 or ::/0 to port 22.  | 
| December 5, 2023  | [[EC2.14] Security groups should not allow ingress from 0.0.0.0/0 or ::/0 to port 3389](ec2-controls.md#ec2-14)  | Changed control title from Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389 to  Security groups should not allow ingress from 0.0.0.0/0 or ::/0 to port 3389.  | 
| December 5, 2023  | [[RDS.9] RDS DB instances should publish logs to CloudWatch Logs](rds-controls.md#rds-9)  | Changed control title from Database logging should be enabled to  RDS DB instances should publish logs to CloudWatch Logs. Security Hub CSPM identified that this control only checks whether logs are published to Amazon CloudWatch Logs and doesn't check whether RDS logs are enabled. The control produces a PASSED finding if RDS DB instances are configured to publish logs to CloudWatch Logs. The control title has been updated to reflect the current behavior.  | 
| December 5, 2023 | [[EKS.8] EKS clusters should have audit logging enabled](eks-controls.md#eks-8)  | This control checks whether Amazon EKS clusters have audit logging enabled. The Amazon Config rule that Security Hub CSPM uses to evaluate this control changed from eks-cluster-logging-enabled to eks-cluster-log-enabled. | 
| November 17, 2023  | [[EC2.19] Security groups should not allow unrestricted access to ports with high risk](ec2-controls.md#ec2-19)  | EC2.19 checks whether unrestricted incoming traffic for a security group is accessible to the specified ports that are considered to be high risk. Security Hub CSPM updated this control to account for managed prefix lists when they are supplied as the source for a security group rule. The control produces a FAILED finding if the prefix lists contain the strings '0.0.0.0/0' or '::/0'.  | 
| November 16, 2023  | [[CloudWatch.15] CloudWatch alarms should have specified actions configured](cloudwatch-controls.md#cloudwatch-15)  | Changed control title from CloudWatch alarms should have an action configured for the ALARM state to  CloudWatch alarms should have specified actions configured.  | 
| November 16, 2023  | [[CloudWatch.16] CloudWatch log groups should be retained for a specified time period](cloudwatch-controls.md#cloudwatch-16)  | Changed control title from CloudWatch log groups should be retained for at least 1 year to  CloudWatch log groups should be retained for a specified time period.  | 
| November 16, 2023  | [[Lambda.5] VPC Lambda functions should operate in multiple Availability Zones](lambda-controls.md#lambda-5)  | Changed control title from VPC Lambda functions should operate in more than one Availability Zone to  VPC Lambda functions should operate in multiple Availability Zones.  | 
| November 16, 2023  | [[AppSync.2] Amazon AppSync should have field-level logging enabled](appsync-controls.md#appsync-2)  | Changed control title from Amazon AppSync should have request-level and field-level logging turned on to Amazon AppSync should have field-level logging enabled.  | 
| November 16, 2023  | [[EMR.1] Amazon EMR cluster primary nodes should not have public IP addresses](emr-controls.md#emr-1)  | Changed control title from Amazon Elastic MapReduce cluster master nodes should not have public IP addresses to Amazon EMR cluster primary nodes should not have public IP addresses.  | 
| November 16, 2023  | [[Opensearch.2] OpenSearch domains should not be publicly accessible](opensearch-controls.md#opensearch-2)  | Changed control title from OpenSearch domains should be in a VPC to OpenSearch domains should not be publicly accessible.  | 
| November 16, 2023  | [[ES.2] Elasticsearch domains should not be publicly accessible](es-controls.md#es-2)  | Changed control title from Elasticsearch domains should be in a VPC to Elasticsearch domains should not be publicly accessible.  | 
| October 31, 2023  | [[ES.4] Elasticsearch domain error logging to CloudWatch Logs should be enabled](es-controls.md#es-4)  | ES.4 checks whether Elasticsearch domains are configured to send error logs to Amazon CloudWatch Logs. The control previously produced a PASSED finding for an Elasticsearch domain that has any logs configured to send to CloudWatch Logs. Security Hub CSPM updated the control to produce a PASSED finding only for an Elasticsearch domain that is configured to send error logs to CloudWatch Logs. The control was also updated to exclude Elasticsearch versions that don’t support error logs from evaluation.  | 
| October 16, 2023  | [[EC2.13] Security groups should not allow ingress from 0.0.0.0/0 or ::/0 to port 22](ec2-controls.md#ec2-13)  | EC2.13 checks whether security groups allow unrestricted ingress access to port 22. Security Hub CSPM updated this control to account for managed prefix lists when they are supplied as the source for a security group rule. The control produces a FAILED finding if the prefix lists contain the strings '0.0.0.0/0' or '::/0'.  | 
| October 16, 2023  | [[EC2.14] Security groups should not allow ingress from 0.0.0.0/0 or ::/0 to port 3389](ec2-controls.md#ec2-14)  | EC2.14 checks whether security groups allow unrestricted ingress access to port 3389. Security Hub CSPM updated this control to account for managed prefix lists when they are supplied as the source for a security group rule. The control produces a FAILED finding if the prefix lists contain the strings '0.0.0.0/0' or '::/0'.  | 
| October 16, 2023  | [[EC2.18] Security groups should only allow unrestricted incoming traffic for authorized ports](ec2-controls.md#ec2-18)  | EC2.18 checks whether the security groups that are in use allow unrestricted incoming traffic. Security Hub CSPM updated this control to account for managed prefix lists when they are supplied as the source for a security group rule. The control produces a FAILED finding if the prefix lists contain the strings '0.0.0.0/0' or '::/0'.  | 
| October 16, 2023  | [[Lambda.2] Lambda functions should use supported runtimes](lambda-controls.md#lambda-2)  | Lambda.2 checks whether the Amazon Lambda function settings for runtimes match the expected values set for the supported runtimes in each language. Security Hub CSPM now supports python3.11 as a parameter.  | 
| October 4, 2023  | [[S3.7] S3 general purpose buckets should use cross-Region replication](s3-controls.md#s3-7)  | Security Hub CSPM added the parameter ReplicationType with a value of CROSS-REGION to ensure that S3 buckets have cross-Region replication enabled rather than same-Region replication.  | 
| September 27, 2023  | [[EKS.2] EKS clusters should run on a supported Kubernetes version](eks-controls.md#eks-2)  | Security Hub CSPM updated the oldest supported version of Kubernetes that the Amazon EKS cluster can run on to produce a passed finding. The current oldest supported version is Kubernetes 1.24.  | 
| September 20, 2023  | [CloudFront.2] CloudFront distributions should have origin access identity enabled  | Security Hub CSPM retired this control and removed it from all standards. Instead, see [[CloudFront.13] CloudFront distributions should use origin access control](cloudfront-controls.md#cloudfront-13). Origin access control is the current security best practice. This control will be removed from documentation in 90 days. | 
| September 20, 2023  | [[EC2.22] Unused Amazon EC2 security groups should be removed](ec2-controls.md#ec2-22)  | Security Hub CSPM removed this control from Amazon Foundational Security Best Practices (FSBP) and National Institute of Standards and Technology (NIST) SP 800-53 Rev. 5. It is still part of Service-Managed Standard: Amazon Control Tower. This control produces a passed finding if security groups are attached to EC2 instances or to an elastic network interface. However, for certain use cases, unattached security groups don't pose a security risk. You can use other EC2 controls—such as EC2.2, EC2.13, EC2.14, EC2.18, and EC2.19—to monitor your security groups.  | 
| September 20, 2023  | [EC2.29] EC2 instances should be launched in a VPC  | Security Hub CSPM retired this control and removed it from all standards. Amazon EC2 has migrated EC2-Classic instances to a VPC. This control will be removed from documentation in 90 days. | 
| September 20, 2023  | [S3.4] S3 buckets should have server-side encryption enabled  | Security Hub CSPM retired this control and removed it from all standards. Amazon S3 now provides default encryption with S3 managed keys (SSE-S3) on new and existing S3 buckets. The encryption settings are unchanged for existing buckets that are encrypted with SSE-S3 or SSE-KMS server-side encryption. This control will be removed from documentation in 90 days.  | 
| September 14, 2023  | [[EC2.2] VPC default security groups should not allow inbound or outbound traffic](ec2-controls.md#ec2-2)  | Changed control title from The VPC default security group should not allow inbound and outbound traffic to VPC default security groups should not allow inbound or outbound traffic.  | 
| September 14, 2023  | [[IAM.9] MFA should be enabled for the root user](iam-controls.md#iam-9)  | Changed control title from Virtual MFA should be enabled for the root user to MFA should be enabled for the root user.  | 
|  September 14, 2023  | [[RDS.19] Existing RDS event notification subscriptions should be configured for critical cluster events](rds-controls.md#rds-19)  | Changed control title from An RDS event notifications subscription should be configured for critical cluster events to Existing RDS event notification subscriptions should be configured for critical cluster events.  | 
| September 14, 2023  | [[RDS.20] Existing RDS event notification subscriptions should be configured for critical database instance events](rds-controls.md#rds-20)  | Changed control title from An RDS event notifications subscription should be configured for critical database instance events to Existing RDS event notification subscriptions should be configured for critical database instance events.  | 
| September 14, 2023  | [[WAF.2] Amazon WAF Classic Regional rules should have at least one condition](waf-controls.md#waf-2)  | Changed control title from A WAF Regional rule should have at least one condition to Amazon WAF Classic Regional rules should have at least one condition.  | 
| September 14, 2023  | [[WAF.3] Amazon WAF Classic Regional rule groups should have at least one rule](waf-controls.md#waf-3)  | Changed control title from A WAF Regional rule group should have at least one rule to Amazon WAF Classic Regional rule groups should have at least one rule.  | 
| September 14, 2023  | [[WAF.4] Amazon WAF Classic Regional web ACLs should have at least one rule or rule group](waf-controls.md#waf-4)  | Changed control title from A WAF Regional web ACL should have at least one rule or rule group to Amazon WAF Classic Regional web ACLs should have at least one rule or rule group.  | 
| September 14, 2023  | [[WAF.6] Amazon WAF Classic global rules should have at least one condition](waf-controls.md#waf-6)  | Changed control title from A WAF global rule should have at least one condition to Amazon WAF Classic global rules should have at least one condition.  | 
| September 14, 2023  | [[WAF.7] Amazon WAF Classic global rule groups should have at least one rule](waf-controls.md#waf-7)  | Changed control title from A WAF global rule group should have at least one rule to Amazon WAF Classic global rule groups should have at least one rule.  | 
| September 14, 2023  | [[WAF.8] Amazon WAF Classic global web ACLs should have at least one rule or rule group](waf-controls.md#waf-8)  | Changed control title from A WAF global web ACL should have at least one rule or rule group to Amazon WAF Classic global web ACLs should have at least one rule or rule group.  | 
| September 14, 2023  | [[WAF.10] Amazon WAF web ACLs should have at least one rule or rule group](waf-controls.md#waf-10)  | Changed control title from A WAFv2 web ACL should have at least one rule or rule group to Amazon WAF web ACLs should have at least one rule or rule group.  | 
| September 14, 2023  | [[WAF.11] Amazon WAF web ACL logging should be enabled](waf-controls.md#waf-11)  | Changed control title from Amazon WAFv2 web ACL logging should be activated to Amazon WAF web ACL logging should be enabled.  | 
|  July 20, 2023  | [[S3.4] S3 buckets should have server-side encryption enabled](s3-controls.md#s3-4)  | S3.4 checks whether an Amazon S3 bucket either has server-side encryption enabled or has a bucket policy that explicitly denies PutObject requests without server-side encryption. Security Hub CSPM updated this control to include dual-layer server-side encryption with KMS keys (DSSE-KMS). The control produces a passed finding when an S3 bucket is encrypted with SSE-S3, SSE-KMS, or DSSE-KMS.  | 
| July 17, 2023  | [[S3.17] S3 general purpose buckets should be encrypted at rest with Amazon KMS keys](s3-controls.md#s3-17)  | S3.17 checks whether an Amazon S3 bucket is encrypted with an Amazon KMS key. Security Hub CSPM updated this control to include dual-layer server-side encryption with KMS keys (DSSE-KMS). The control produces a passed finding when an S3 bucket is encrypted with SSE-KMS or DSSE-KMS.  | 
| June 9, 2023  | [[EKS.2] EKS clusters should run on a supported Kubernetes version](eks-controls.md#eks-2)  | EKS.2 checks whether an Amazon EKS cluster is running on a supported Kubernetes version. The oldest supported version is now 1.23.  | 
| June 9, 2023  | [[Lambda.2] Lambda functions should use supported runtimes](lambda-controls.md#lambda-2)  | Lambda.2 checks whether the Amazon Lambda function settings for runtimes match the expected values set for the supported runtimes in each language. Security Hub CSPM now supports ruby3.2 as a parameter.  | 
| June 5, 2023  | [[APIGateway.5] API Gateway REST API cache data should be encrypted at rest](apigateway-controls.md#apigateway-5)  | APIGateway.5 checks whether all methods in Amazon API Gateway REST API stages are encrypted at rest. Security Hub CSPM updated the control to evaluate the encryption of a particular method only when caching is enabled for that method.  | 
| May 18, 2023  | [[Lambda.2] Lambda functions should use supported runtimes](lambda-controls.md#lambda-2)  | Lambda.2 checks whether the Amazon Lambda function settings for runtimes match the expected values set for the supported runtimes in each language. Security Hub CSPM now supports java17 as a parameter.  | 
| May 18, 2023  | [[Lambda.2] Lambda functions should use supported runtimes](lambda-controls.md#lambda-2)  | Lambda.2 checks whether the Amazon Lambda function settings for runtimes match the expected values set for the supported runtimes in each language. Security Hub CSPM no longer supports nodejs12.x as a parameter.  | 
| April 23, 2023  | [[ECS.10] ECS Fargate services should run on the latest Fargate platform version](ecs-controls.md#ecs-10)  | ECS.10 checks whether Amazon ECS Fargate services are running the latest Fargate platform version. Customers can deploy Amazon ECS through ECS directly, or by using CodeDeploy. Security Hub CSPM updated this control to produce Passed findings when you use CodeDeploy to deploy ECS Fargate services.  | 
| April 20, 2023  | [[S3.6] S3 general purpose bucket policies should restrict access to other Amazon Web Services accounts](s3-controls.md#s3-6)  | S3.6 checks whether an Amazon Simple Storage Service (Amazon S3) bucket policy prevents principals from other Amazon Web Services accounts from performing denied actions on resources in the S3 bucket. Security Hub CSPM updated the control to account for conditionals in a bucket policy.  | 
| April 18, 2023  | [[Lambda.2] Lambda functions should use supported runtimes](lambda-controls.md#lambda-2)  | Lambda.2 checks whether the Amazon Lambda function settings for runtimes match the expected values set for the supported runtimes in each language. Security Hub CSPM now supports python3.10 as a parameter. | 
| April 18, 2023  | [[Lambda.2] Lambda functions should use supported runtimes](lambda-controls.md#lambda-2)  | Lambda.2 checks whether the Amazon Lambda function settings for runtimes match the expected values set for the supported runtimes in each language. Security Hub CSPM no longer supports dotnetcore3.1 as a parameter. | 
| April 17, 2023  | [[RDS.11] RDS instances should have automatic backups enabled](rds-controls.md#rds-11)  | RDS.11 checks whether Amazon RDS instances have automated backups enabled, with a backup retention period that's greater than or equal to seven days. Security Hub CSPM updated this control to exclude read replicas from evaluation, as not all engines support automated backups on read replicas. Additionally, RDS doesn’t provide the option to specify a backup retention period when creating read replicas. Read replicas are created with a backup retention period of 0 by default.  | 

# Security Hub CSPM controls for Amazon Web Services accounts

These Security Hub CSPM controls evaluate Amazon Web Services accounts.

These controls may not be available in all Amazon Web Services Regions. For more information, see [Availability of controls by Region](securityhub-regions.md#securityhub-regions-control-support).

## [Account.1] Security contact information should be provided for an Amazon Web Services account


**Related requirements:** CIS Amazon Foundations Benchmark v5.0.0/1.2, NIST.800-53.r5 CM-2, NIST.800-53.r5 CM-2(2)

**Category:** Identify > Resource Configuration

**Severity:** Medium

**Resource type:** `AWS::::Account`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/security-account-information-provided.html](https://docs.amazonaws.cn/config/latest/developerguide/security-account-information-provided.html)

**Schedule type:** Periodic

**Parameters:** None

This control checks if an Amazon Web Services (Amazon) account has security contact information. The control fails if security contact information is not provided for the account.

Alternate security contacts allow Amazon to contact another person about issues with your account in case you're unavailable. Notifications can be from Amazon Web Services Support, or other Amazon Web Services service teams about security-related topics associated with your Amazon Web Services account usage.

### Remediation


To add an alternate contact as a security contact to your Amazon Web Services account, see [Update the alternate contacts for your Amazon Web Services account](https://docs.amazonaws.cn/accounts/latest/reference/manage-acct-update-contact-alternate.html) in the *Amazon Account Management Reference Guide*.

## [Account.2] Amazon Web Services accounts should be part of an Amazon Organizations organization


**Category:** Protect > Secure access management > Access control

**Related requirements:** NIST.800-53.r5 CA-9(1), NIST.800-53.r5 CM-2

**Severity:** High

**Resource type:** `AWS::::Account`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/account-part-of-organizations.html](https://docs.amazonaws.cn/config/latest/developerguide/account-part-of-organizations.html)

**Schedule type:** Periodic

**Parameters:** None

This control checks if an Amazon Web Services account is part of an organization managed through Amazon Organizations. The control fails if the account is not part of an organization.

Organizations helps you centrally manage your environment as you scale your workloads on Amazon. You can use multiple Amazon Web Services accounts to isolate workloads that have specific security requirements, or to comply with frameworks such as HIPAA or PCI. By creating an organization, you can administer multiple accounts as a single unit and centrally manage their access to Amazon Web Services services, resources, and Regions.

### Remediation


To create a new organization and automatically add Amazon Web Services accounts to it, see [Creating an organization](https://docs.amazonaws.cn/organizations/latest/userguide/orgs_manage_org_create.html) in the *Amazon Organizations User Guide*. To add accounts to an existing organization, see [Inviting an Amazon Web Services account to join your organization](https://docs.amazonaws.cn/organizations/latest/userguide/orgs_manage_accounts_invites.html) in the *Amazon Organizations User Guide*.
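Both account-level controls above are periodic checks that reduce to one API call each. The script below is an added example, not Security Hub CSPM's or Amazon Config's own code: it evaluates Account.1 with the Account API's `GetAlternateContact` operation (which raises `ResourceNotFoundException` when no SECURITY contact exists) and Account.2 with the Organizations API's `DescribeOrganization` operation (which raises `AWSOrganizationsNotInUseException` when the account is standalone). The fake clients, the e-mail address and the organization ID are constructed so that it runs offline; with real boto3 clients the same error codes are read from `exc.response["Error"]["Code"]`.

```python
"""Added example: evaluate Account.1 and Account.2 from the Account and
Organizations APIs. Clients are injected so the logic can run against boto3
clients or against the constructed fakes at the bottom of the file."""


def _error_code(exc):
    """Service error code carried by a boto3/botocore exception, if any."""
    return getattr(exc, "response", {}).get("Error", {}).get("Code")


def check_security_contact(account_client):
    """Account.1: PASSED if a SECURITY alternate contact is registered."""
    try:
        contact = account_client.get_alternate_contact(AlternateContactType="SECURITY")
    except Exception as exc:  # only the service error code matters here
        if _error_code(exc) == "ResourceNotFoundException":
            return {"control": "Account.1", "status": "FAILED",
                    "reason": "no SECURITY alternate contact registered"}
        raise
    email = contact.get("AlternateContact", {}).get("EmailAddress")
    return {"control": "Account.1", "status": "PASSED",
            "reason": f"security contact is {email}"}


def check_organization_membership(org_client):
    """Account.2: PASSED if the account belongs to an Organizations organization."""
    try:
        org = org_client.describe_organization()
    except Exception as exc:
        if _error_code(exc) == "AWSOrganizationsNotInUseException":
            return {"control": "Account.2", "status": "FAILED",
                    "reason": "account is not part of an organization"}
        raise
    org_id = org.get("Organization", {}).get("Id")
    return {"control": "Account.2", "status": "PASSED",
            "reason": f"member of organization {org_id}"}


# --- constructed fakes so the example runs without credentials ---------------

class _FakeServiceError(Exception):
    """Mimics the .response shape of botocore ClientError."""

    def __init__(self, code):
        super().__init__(code)
        self.response = {"Error": {"Code": code}}


class FakeAccountClient:
    def __init__(self, has_security_contact):
        self._has = has_security_contact

    def get_alternate_contact(self, AlternateContactType):
        if AlternateContactType == "SECURITY" and self._has:
            return {"AlternateContact": {"AlternateContactType": "SECURITY",
                                         "EmailAddress": "secops@example.com"}}  # constructed
        raise _FakeServiceError("ResourceNotFoundException")


class FakeOrgClient:
    def __init__(self, in_org):
        self._in_org = in_org

    def describe_organization(self):
        if self._in_org:
            return {"Organization": {"Id": "o-exampleorgid"}}  # constructed placeholder
        raise _FakeServiceError("AWSOrganizationsNotInUseException")


if __name__ == "__main__":
    # Swap in boto3.client("account") and boto3.client("organizations") for a real run.
    print(check_security_contact(FakeAccountClient(False)))
    print(check_organization_membership(FakeOrgClient(True)))
```

Any other error code (for example an access-denied error from an account whose role lacks `account:GetAlternateContact`) is re-raised rather than reported as a failed control, so a permissions problem in the auditing role is not mistaken for a missing security contact.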

# Security Hub CSPM controls for Amazon Amplify

These Security Hub CSPM controls evaluate the Amazon Amplify service and resources. The controls might not be available in all Amazon Web Services Regions. For more information, see [Availability of controls by Region](securityhub-regions.md#securityhub-regions-control-support).

## [Amplify.1] Amplify apps should be tagged


**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `AWS::Amplify::App`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/amplify-app-tagged.html](https://docs.amazonaws.cn/config/latest/developerguide/amplify-app-tagged.html)

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
| requiredKeyTags | A list of non-system tag keys that must be assigned to an evaluated resource. Tag keys are case sensitive. | StringList (maximum of 6 items) | 1–6 tag keys that meet [Amazon requirements](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-conventions). | No default value | 

This control checks whether an Amazon Amplify app has the tag keys specified by the `requiredKeyTags` parameter. The control fails if the app doesn't have any tag keys, or it doesn't have all the keys specified by the `requiredKeyTags` parameter. If you don't specify any values for the `requiredKeyTags` parameter, the control checks only for the existence of a tag key and fails if the app doesn't have any tag keys. The control ignores system tags, which are applied automatically and have the `aws:` prefix.

A tag is a label that you create and assign to an Amazon resource. Each tag consists of a required tag key and an optional tag value. You can use tags to categorize resources by purpose, owner, environment, or other criteria. They can help you identify, organize, search for, and filter resources. They can also help you track resource owners for actions and notifications. You can also use tags to implement attribute-based access control (ABAC) as an authorization strategy. For more information about ABAC strategies, see [Define permissions based on attributes with ABAC authorization](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*. For more information about tags, see the [Tagging Amazon Resources and Tag Editor User Guide](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html).

**Note**  
Do not store personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible from many Amazon Web Services services. They aren't intended to be used for private or sensitive data.

### Remediation


For information about adding tags to an Amazon Amplify app, see [Resource tagging support](https://docs.amazonaws.cn/amplify/latest/userguide/resource-tagging-support-chapter.html) in the *Amazon Amplify Hosting User Guide*.

## [Amplify.2] Amplify branches should be tagged


**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `AWS::Amplify::Branch`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/amplify-branch-tagged.html](https://docs.amazonaws.cn/config/latest/developerguide/amplify-branch-tagged.html)

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
| requiredKeyTags | A list of non-system tag keys that must be assigned to an evaluated resource. Tag keys are case sensitive. | StringList (maximum of 6 items) | 1–6 tag keys that meet [Amazon requirements](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-conventions). | No default value | 

This control checks whether an Amazon Amplify branch has the tag keys specified by the `requiredKeyTags` parameter. The control fails if the branch doesn't have any tag keys, or it doesn't have all the keys specified by the `requiredKeyTags` parameter. If you don't specify any values for the `requiredKeyTags` parameter, the control checks only for the existence of a tag key and fails if the branch doesn't have any tag keys. The control ignores system tags, which are applied automatically and have the `aws:` prefix.

A tag is a label that you create and assign to an Amazon resource. Each tag consists of a required tag key and an optional tag value. You can use tags to categorize resources by purpose, owner, environment, or other criteria. They can help you identify, organize, search for, and filter resources. They can also help you track resource owners for actions and notifications. You can also use tags to implement attribute-based access control (ABAC) as an authorization strategy. For more information about ABAC strategies, see [Define permissions based on attributes with ABAC authorization](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*. For more information about tags, see the [Tagging Amazon Resources and Tag Editor User Guide](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html).

**Note**  
Do not store personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible from many Amazon Web Services services. They aren't intended to be used for private or sensitive data.

### Remediation


For information about adding tags to an Amazon Amplify branch, see [Resource tagging support](https://docs.amazonaws.cn/amplify/latest/userguide/resource-tagging-support-chapter.html) in the *Amazon Amplify Hosting User Guide*.

# Security Hub CSPM controls for Amazon API Gateway

These Amazon Security Hub CSPM controls evaluate the Amazon API Gateway service and resources. The controls might not be available in all Amazon Web Services Regions. For more information, see [Availability of controls by Region](securityhub-regions.md#securityhub-regions-control-support).

## [APIGateway.1] API Gateway REST and WebSocket API execution logging should be enabled


**Related requirements:** NIST.800-53.r5 AC-4(26), NIST.800-53.r5 AU-10, NIST.800-53.r5 AU-12, NIST.800-53.r5 AU-2, NIST.800-53.r5 AU-3, NIST.800-53.r5 AU-6(3), NIST.800-53.r5 AU-6(4), NIST.800-53.r5 CA-7, NIST.800-53.r5 SC-7(9), NIST.800-53.r5 SI-7(8)

**Category:** Identify > Logging

**Severity:** Medium

**Resource type:** `AWS::ApiGateway::Stage`, `AWS::ApiGatewayV2::Stage`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/api-gw-execution-logging-enabled.html](https://docs.amazonaws.cn/config/latest/developerguide/api-gw-execution-logging-enabled.html)

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  `loggingLevel`  |  Logging level  |  Enum  |  `ERROR`, `INFO`  |  No default value  | 

This control checks whether all stages of an Amazon API Gateway REST or WebSocket API have logging enabled. The control fails if the `loggingLevel` isn't `ERROR` or `INFO` for all stages of the API. Unless you provide custom parameter values to indicate that a specific log type should be enabled, Security Hub CSPM produces a passed finding if the logging level is either `ERROR` or `INFO`.

API Gateway REST or WebSocket API stages should have relevant logs enabled. Execution logging provides detailed records of requests made to API Gateway REST and WebSocket API stages. These records include API integration backend responses, Lambda authorizer responses, and the `requestId` for Amazon integration endpoints.

### Remediation


To enable logging for REST and WebSocket API operations, see [Set up CloudWatch API logging using the API Gateway console](https://docs.amazonaws.cn/apigateway/latest/developerguide/set-up-logging.html#set-up-access-logging-using-console) in the *API Gateway Developer Guide*.
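The check above is applied per stage, but the logging level is actually set per method (REST) or per route (WebSocket), with a stage-wide default that individual entries can override. The script below is an added example, not Security Hub CSPM's or Amazon Config's own code: it evaluates APIGateway.1 over stage descriptions shaped like the API Gateway `get-stage` response (camelCase keys, `methodSettings`) and the API Gateway V2 `get-stage` response (PascalCase keys, `DefaultRouteSettings` and `RouteSettings`). It assumes that any method or route override set to `OFF` fails the whole stage, since the control requires logging for all methods, and the sample stages are constructed.

```python
"""Added example: APIGateway.1 evaluation for REST and WebSocket stages."""

ALLOWED_LEVELS = {"ERROR", "INFO"}


def _rest_stage_levels(stage):
    """Logging levels in effect on a REST stage, one per methodSettings entry.
    A stage with no method settings at all has logging OFF everywhere."""
    settings = stage.get("methodSettings") or {}
    return [s.get("loggingLevel", "OFF") for s in settings.values()] or ["OFF"]


def _v2_stage_levels(stage):
    """Logging levels on a WebSocket stage: the stage default plus route overrides."""
    default = (stage.get("DefaultRouteSettings") or {}).get("LoggingLevel", "OFF")
    overrides = stage.get("RouteSettings") or {}
    return [default] + [s.get("LoggingLevel", default) for s in overrides.values()]


def evaluate_execution_logging(stage, logging_level=None):
    """Return (status, offending_levels) for one stage.

    logging_level mirrors the control's loggingLevel parameter: when it is set,
    only that level passes; otherwise ERROR and INFO both pass.
    """
    if logging_level is not None and logging_level not in ALLOWED_LEVELS:
        raise ValueError("loggingLevel must be ERROR or INFO")
    is_v2 = "StageName" in stage  # V2 responses use PascalCase keys
    levels = _v2_stage_levels(stage) if is_v2 else _rest_stage_levels(stage)
    allowed = {logging_level} if logging_level else ALLOWED_LEVELS
    offending = sorted(set(levels) - allowed)
    return ("PASSED" if not offending else "FAILED"), offending


def evaluate_stages(stages, logging_level=None):
    """Map each stage name to its finding status."""
    out = {}
    for stage in stages:
        name = stage.get("stageName") or stage.get("StageName")
        out[name], _ = evaluate_execution_logging(stage, logging_level)
    return out


# Constructed sample stages (not captured from a real account).
SAMPLE_STAGES = [
    # REST stage: INFO logging for every method via the "*/*" wildcard.
    {"stageName": "prod", "methodSettings": {"*/*": {"loggingLevel": "INFO"}}},
    # REST stage: stage-wide ERROR, but one method override switches logging off.
    {"stageName": "beta", "methodSettings": {"*/*": {"loggingLevel": "ERROR"},
                                            "/admin/POST": {"loggingLevel": "OFF"}}},
    # REST stage that was never configured: no method settings at all.
    {"stageName": "dev", "methodSettings": {}},
    # WebSocket stage: INFO default with an ERROR override on $connect.
    {"StageName": "ws-prod", "DefaultRouteSettings": {"LoggingLevel": "INFO"},
     "RouteSettings": {"$connect": {"LoggingLevel": "ERROR"}}},
]

if __name__ == "__main__":
    for name, status in evaluate_stages(SAMPLE_STAGES).items():
        print(f"{name}: {status}")
```

The `beta` stage is the case worth noticing: the stage-level setting looks compliant, but a single method override at `OFF` leaves part of the API unlogged, which is why the evaluation walks every method setting rather than only the wildcard entry.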

## [APIGateway.2] API Gateway REST API stages should be configured to use SSL certificates for backend authentication


**Related requirements:** NIST.800-53.r5 AC-17(2), NIST.800-53.r5 AC-4, NIST.800-53.r5 IA-5(1), NIST.800-53.r5 SC-12(3), NIST.800-53.r5 SC-13, NIST.800-53.r5 SC-23, NIST.800-53.r5 SC-23(3), NIST.800-53.r5 SC-7(4), NIST.800-53.r5 SC-8, NIST.800-53.r5 SC-8(1), NIST.800-53.r5 SC-8(2), NIST.800-53.r5 SI-7(6), NIST.800-171.r2 3.13.15

**Category:** Protect > Data Protection > Encryption of data-in-transit

**Severity:** Medium

**Resource type:** `AWS::ApiGateway::Stage`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/api-gw-ssl-enabled.html](https://docs.amazonaws.cn/config/latest/developerguide/api-gw-ssl-enabled.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether Amazon API Gateway REST API stages have SSL certificates configured. Backend systems use these certificates to authenticate that incoming requests are from API Gateway.

API Gateway REST API stages should be configured with SSL certificates to allow backend systems to authenticate that requests originate from API Gateway.

### Remediation


For detailed instructions on how to generate and configure API Gateway REST API SSL certificates, see [Generate and configure an SSL certificate for backend authentication](https://docs.amazonaws.cn/apigateway/latest/developerguide/getting-started-client-side-ssl-authentication.html) in the *API Gateway Developer Guide*.

## [APIGateway.3] API Gateway REST API stages should have Amazon X-Ray tracing enabled


**Related requirements:** NIST.800-53.r5 CA-7

**Category:** Detect > Detection services

**Severity:** Low

**Resource type:** `AWS::ApiGateway::Stage`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/api-gw-xray-enabled.html](https://docs.amazonaws.cn/config/latest/developerguide/api-gw-xray-enabled.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether Amazon X-Ray active tracing is enabled for your Amazon API Gateway REST API stages.

X-Ray active tracing enables a more rapid response to performance changes in the underlying infrastructure. Changes in performance could result in a lack of availability of the API. X-Ray active tracing provides real-time metrics of user requests that flow through your API Gateway REST API operations and connected services.

### Remediation


For detailed instructions on how to enable X-Ray active tracing for API Gateway REST API operations, see [Amazon API Gateway active tracing support for Amazon X-Ray](https://docs.amazonaws.cn/xray/latest/devguide/xray-services-apigateway.html) in the *Amazon X-Ray Developer Guide*. 

## [APIGateway.4] API Gateway should be associated with a WAF Web ACL


**Related requirements:** NIST.800-53.r5 AC-4(21)

**Category:** Protect > Protective services

**Severity:** Medium

**Resource type:** `AWS::ApiGateway::Stage`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/api-gw-associated-with-waf.html](https://docs.amazonaws.cn/config/latest/developerguide/api-gw-associated-with-waf.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether an API Gateway stage uses an Amazon WAF web access control list (ACL). This control fails if an Amazon WAF web ACL is not attached to a REST API Gateway stage.

Amazon WAF is a web application firewall that helps protect web applications and APIs from attacks. It enables you to configure an ACL, which is a set of rules that allow, block, or count web requests based on customizable web security rules and conditions that you define. Ensure that your API Gateway stage is associated with an Amazon WAF web ACL to help protect it from malicious attacks.

### Remediation


For information on how to use the API Gateway console to associate an Amazon WAF Regional web ACL with an existing API Gateway API stage, see [Using Amazon WAF to protect your APIs](https://docs.amazonaws.cn/apigateway/latest/developerguide/apigateway-control-access-aws-waf.html) in the *API Gateway Developer Guide*.

## [APIGateway.5] API Gateway REST API cache data should be encrypted at rest


**Related requirements:** NIST.800-53.r5 CA-9(1), NIST.800-53.r5 CM-3(6), NIST.800-53.r5 SC-13, NIST.800-53.r5 SC-28, NIST.800-53.r5 SC-28(1), NIST.800-53.r5 SC-7(10), NIST.800-53.r5 SI-7(6)

**Category:** Protect > Data protection > Encryption of data at rest

**Severity:** Medium

**Resource type:** `AWS::ApiGateway::Stage`

**Amazon Config rule:** `api-gw-cache-encrypted` (custom Security Hub CSPM rule)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether all methods in API Gateway REST API stages that have cache enabled are encrypted. The control fails if any method in an API Gateway REST API stage is configured to cache and the cache is not encrypted. Security Hub CSPM evaluates the encryption of a particular method only when caching is enabled for that method.

Encrypting data at rest reduces the risk of data stored on disk being accessed by a user who is not authenticated to Amazon. It adds another set of access controls to limit unauthorized users' ability to access the data. For example, API permissions are required to decrypt the data before it can be read.

API Gateway REST API caches should be encrypted at rest for an added layer of security.

### Remediation


To configure API caching for a stage, see [Enable Amazon API Gateway caching](https://docs.amazonaws.cn/apigateway/latest/developerguide/api-gateway-caching.html#enable-api-gateway-caching) in the *API Gateway Developer Guide*. In **Cache Settings**, choose **Encrypt cache data**.
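APIGateway.2 through APIGateway.5 all read from the same REST stage description, and APIGateway.5 has the one subtle rule in the group: a method is evaluated only when caching is enabled for it. The script below is an added example, not Security Hub CSPM's or Amazon Config's own code. It audits a stage shaped like the API Gateway `get-stage` response, using its documented keys `clientCertificateId`, `tracingEnabled`, `webAclArn`, and the `cachingEnabled` / `cacheDataEncrypted` flags in `methodSettings`; the sample stage, its ARN and account ID are constructed.

```python
"""Added example: audit one REST API stage for APIGateway.2, .3, .4 and .5."""


def audit_rest_stage(stage):
    """Return {control_id: (status, detail)} for one REST API stage."""
    findings = {}

    # APIGateway.2: a client certificate lets the backend verify that requests come from API Gateway.
    cert = stage.get("clientCertificateId")
    findings["APIGateway.2"] = (("PASSED", f"client certificate {cert}") if cert
                                else ("FAILED", "no client certificate configured"))

    # APIGateway.3: X-Ray active tracing on the stage.
    findings["APIGateway.3"] = (("PASSED", "tracing enabled") if stage.get("tracingEnabled")
                                else ("FAILED", "tracingEnabled is false"))

    # APIGateway.4: a WAF web ACL is associated with the stage.
    acl = stage.get("webAclArn")
    findings["APIGateway.4"] = (("PASSED", f"web ACL {acl}") if acl
                                else ("FAILED", "no WAF web ACL associated"))

    # APIGateway.5: only methods with caching enabled are in scope, and each of
    # them must encrypt its cache. A stage with no cached methods cannot fail.
    unencrypted = sorted(
        path for path, settings in (stage.get("methodSettings") or {}).items()
        if settings.get("cachingEnabled") and not settings.get("cacheDataEncrypted")
    )
    findings["APIGateway.5"] = (("FAILED", f"unencrypted cache on {unencrypted}") if unencrypted
                                else ("PASSED", "every cached method encrypts its cache"))
    return findings


def failed_controls(stage):
    """The control IDs that fail for the stage, in control order."""
    return [cid for cid, (status, _) in audit_rest_stage(stage).items() if status == "FAILED"]


# Constructed sample: WAF attached, tracing on, no client certificate, and one
# cached method whose cache is not encrypted.
SAMPLE_STAGE = {
    "stageName": "prod",
    "tracingEnabled": True,
    "webAclArn": "arn:aws-cn:wafv2:cn-north-1:111122223333:regional/webacl/example/placeholder-id",
    "cacheClusterEnabled": True,
    "methodSettings": {
        "*/*": {"cachingEnabled": False, "cacheDataEncrypted": False},
        "/orders/GET": {"cachingEnabled": True, "cacheDataEncrypted": False},
        "/catalog/GET": {"cachingEnabled": True, "cacheDataEncrypted": True},
    },
}

if __name__ == "__main__":
    for cid, (status, detail) in audit_rest_stage(SAMPLE_STAGE).items():
        print(f"{cid}: {status} ({detail})")
```

Note that the `*/*` wildcard entry has `cacheDataEncrypted` false but caching disabled, so it does not count against the stage; only `/orders/GET` does.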

## [APIGateway.8] API Gateway routes should specify an authorization type


**Related requirements:** NIST.800-53.r5 AC-3, NIST.800-53.r5 CM-2, NIST.800-53.r5 CM-2(2)

**Category:** Protect > Secure Access Management

**Severity:** Medium

**Resource type:** `AWS::ApiGatewayV2::Route`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/api-gwv2-authorization-type-configured.html](https://docs.amazonaws.cn/config/latest/developerguide/api-gwv2-authorization-type-configured.html)

**Schedule type:** Periodic

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  `authorizationType`  |  Authorization type of the API routes  |  Enum  |  `AWS_IAM`, `CUSTOM`, `JWT`  |  No default value  | 

This control checks if Amazon API Gateway routes have an authorization type. The control fails if the API Gateway route doesn't have any authorization type. Optionally, you can provide a custom parameter value if you want the control to pass only if the route uses the authorization type specified in the `authorizationType` parameter.

API Gateway supports multiple mechanisms for controlling and managing access to your API. By specifying an authorization type, you can restrict access to your API to only authorized users or processes.

### Remediation


To set an authorization type for HTTP APIs, see [Controlling and managing access to an HTTP API in API Gateway](https://docs.amazonaws.cn/apigateway/latest/developerguide/http-api-access-control.html) in the *API Gateway Developer Guide*. To set an authorization type for WebSocket APIs, see [Controlling and managing access to a WebSocket API in API Gateway](https://docs.amazonaws.cn/apigateway/latest/developerguide/apigateway-websocket-api-control-access.html) in the *API Gateway Developer Guide*.

## [APIGateway.9] Access logging should be configured for API Gateway V2 Stages


**Related requirements:** NIST.800-53.r5 AC-4(26), NIST.800-53.r5 AU-10, NIST.800-53.r5 AU-12, NIST.800-53.r5 AU-2, NIST.800-53.r5 AU-3, NIST.800-53.r5 AU-6(3), NIST.800-53.r5 AU-6(4), NIST.800-53.r5 CA-7, NIST.800-53.r5 SC-7(9), NIST.800-53.r5 SI-7(8), PCI DSS v4.0.1/10.4.2

**Category:** Identify > Logging

**Severity:** Medium

**Resource type:** `AWS::ApiGatewayV2::Stage`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/api-gwv2-access-logs-enabled.html](https://docs.amazonaws.cn/config/latest/developerguide/api-gwv2-access-logs-enabled.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks if Amazon API Gateway V2 stages have access logging configured. This control fails if access log settings aren't defined.

API Gateway access logs provide detailed information about who has accessed your API and how the caller accessed the API. These logs are useful for applications such as security and access audits and forensics investigation. Enable these access logs to analyze traffic patterns and to troubleshoot issues.

For additional best practices, see [Monitoring REST APIs](https://docs.amazonaws.cn/apigateway/latest/developerguide/rest-api-monitor.html) in the *API Gateway Developer Guide*.

### Remediation


To set up access logging, see [Set up CloudWatch API logging using the API Gateway console](https://docs.amazonaws.cn/apigateway/latest/developerguide/set-up-logging.html#set-up-access-logging-using-console) in the *API Gateway Developer Guide*. 

## [APIGateway.10] API Gateway V2 integrations should use HTTPS for private connections


**Category:** Protect > Data Protection > Encryption of data-in-transit

**Severity:** Medium

**Resource type:** `AWS::ApiGatewayV2::Integration`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/apigatewayv2-integration-private-https-enabled.html](https://docs.amazonaws.cn/config/latest/developerguide/apigatewayv2-integration-private-https-enabled.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether an API Gateway V2 integration has HTTPS enabled for private connections. The control fails if a private connection doesn't have TLS configured.

VPC Links connect API Gateway to private resources. While VPC Links create private connectivity, they don't inherently encrypt data. Configuring TLS ensures use of HTTPS for end-to-end encryption from client through API Gateway to backend. Without TLS, sensitive API traffic flows unencrypted across private connections. HTTPS encryption protects the traffic through private connections from data interception, man-in-the-middle attacks and credential exposure. 

### Remediation


To enable encryption in transit for private connections in an API Gateway v2 Integration, see [Update a private integration](https://docs.amazonaws.cn/apigateway/latest/developerguide/set-up-private-integration.html#set-up-private-integration-update) in the *Amazon API Gateway Developer Guide*. Configure [TLS configuration](https://docs.amazonaws.cn/apigatewayv2/latest/api-reference/apis-apiid-integrations-integrationid.html#apis-apiid-integrations-integrationid-model-tlsconfig) so that the private integration uses HTTPS protocol.
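APIGateway.8, APIGateway.9 and APIGateway.10 together cover the three parts of a V2 API that the `get-routes`, `get-stages` and `get-integrations` calls describe: routes, stages and integrations. The script below is an added example, not Security Hub CSPM's or Amazon Config's own code, and it makes three assumptions stated here: a route passes APIGateway.8 when its `AuthorizationType` is not `NONE` (or equals the `authorizationType` parameter when one is set); a stage passes APIGateway.9 when `AccessLogSettings` carries a `DestinationArn`; and a `VPC_LINK` integration passes APIGateway.10 only when a `TlsConfig` is present, while integrations with other connection types are reported as not applicable. All route, stage and integration items, ARNs and IDs are constructed.

```python
"""Added example: audit an API Gateway V2 API for APIGateway.8, .9 and .10."""

ALLOWED_AUTH_TYPES = {"AWS_IAM", "CUSTOM", "JWT"}


def evaluate_route_authorization(route, authorization_type=None):
    """APIGateway.8 for one route item from get-routes."""
    if authorization_type is not None and authorization_type not in ALLOWED_AUTH_TYPES:
        raise ValueError("authorizationType must be AWS_IAM, CUSTOM or JWT")
    actual = route.get("AuthorizationType", "NONE")
    allowed = {authorization_type} if authorization_type else ALLOWED_AUTH_TYPES
    return "PASSED" if actual in allowed else "FAILED"


def evaluate_stage_access_logging(stage):
    """APIGateway.9 for one stage item from get-stages."""
    settings = stage.get("AccessLogSettings") or {}
    return "PASSED" if settings.get("DestinationArn") else "FAILED"


def evaluate_integration_tls(integration):
    """APIGateway.10 for one integration item; only VPC_LINK integrations are in scope."""
    if integration.get("ConnectionType") != "VPC_LINK":
        return "NOT_APPLICABLE"
    return "PASSED" if integration.get("TlsConfig") else "FAILED"


def audit_v2_api(routes, stages, integrations, authorization_type=None):
    """Return (control, resource, status) tuples for every in-scope resource."""
    results = []
    for route in routes:
        results.append(("APIGateway.8", route["RouteKey"],
                        evaluate_route_authorization(route, authorization_type)))
    for stage in stages:
        results.append(("APIGateway.9", stage["StageName"],
                        evaluate_stage_access_logging(stage)))
    for integration in integrations:
        status = evaluate_integration_tls(integration)
        if status != "NOT_APPLICABLE":
            results.append(("APIGateway.10", integration["IntegrationId"], status))
    return results


def failing(results):
    """Just the (control, resource) pairs that failed."""
    return [(control, resource) for control, resource, status in results if status == "FAILED"]


# Constructed sample data shaped like the V2 API responses.
SAMPLE_ROUTES = [
    {"RouteKey": "GET /health", "AuthorizationType": "NONE"},
    {"RouteKey": "POST /orders", "AuthorizationType": "JWT", "AuthorizerId": "auth-placeholder"},
    {"RouteKey": "GET /admin", "AuthorizationType": "AWS_IAM"},
]
SAMPLE_STAGES = [
    {"StageName": "$default",
     "AccessLogSettings": {"DestinationArn": "arn:aws-cn:logs:cn-north-1:111122223333:log-group:api-access",
                           "Format": "$context.requestId $context.identity.sourceIp"}},
    {"StageName": "dev"},  # never had access logging configured
]
SAMPLE_INTEGRATIONS = [
    {"IntegrationId": "int-tls", "ConnectionType": "VPC_LINK", "ConnectionId": "vpclink-placeholder",
     "TlsConfig": {"ServerNameToVerify": "orders.internal.example"}},
    {"IntegrationId": "int-plain", "ConnectionType": "VPC_LINK", "ConnectionId": "vpclink-placeholder"},
    {"IntegrationId": "int-public", "ConnectionType": "INTERNET",
     "IntegrationUri": "https://backend.example/"},
]

if __name__ == "__main__":
    for control, resource, status in audit_v2_api(SAMPLE_ROUTES, SAMPLE_STAGES, SAMPLE_INTEGRATIONS):
        print(f"{control} {resource}: {status}")
```

Passing `authorization_type="JWT"` tightens APIGateway.8 the way the control's parameter does: `GET /admin` then fails even though it uses IAM authorization, because the parameter asks for one specific mechanism rather than any of the three.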

## [APIGateway.11] API Gateway domain names should use recommended security policies


**Category:** Protect > Encryption of data-in-transit

**Severity:** Medium

**Resource type:** `AWS::ApiGateway::DomainName`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/apigateway-domain-name-tls-check.html](https://docs.amazonaws.cn/config/latest/developerguide/apigateway-domain-name-tls-check.html)

**Schedule type:** Change triggered

**Parameters:**
+ `allowedSecurityPolicies`: `SecurityPolicy_TLS13_1_3_2025_09, SecurityPolicy_TLS13_1_3_FIPS_2025_09, SecurityPolicy_TLS13_1_2_PFS_PQ_2025_09, SecurityPolicy_TLS13_2025_EDGE, SecurityPolicy_TLS12_PFS_2025_EDGE` (not customizable)

This control checks whether an API Gateway domain name is configured to encrypt data in transit by using a recommended security policy. The control fails if the API Gateway domain name isn't configured to use a recommended security policy.

A security policy is a predefined combination of minimum TLS version and cipher suites offered by API Gateway. When your clients establish a TLS handshake to your API or custom domain name, the security policy enforces the TLS version and cipher suite accepted by API Gateway. Security policies protect your APIs and custom domain names from network security problems such as tampering and eavesdropping between a client and server. Using a recommended security policy helps ensure that API Gateway domain names use modern, secure TLS configurations that protect data in transit between clients and your API.

### Remediation


To update the TLS security policy for an API Gateway domain name, see [How to change a security policy](https://docs.amazonaws.cn/apigateway/latest/developerguide/apigateway-security-policies-update.html) in the *Amazon API Gateway Developer Guide*.

# Security Hub CSPM controls for Amazon AppConfig

These Security Hub CSPM controls evaluate the Amazon AppConfig service and resources.

These controls may not be available in all Amazon Web Services Regions. For more information, see [Availability of controls by Region](securityhub-regions.md#securityhub-regions-control-support).

## [AppConfig.1] Amazon AppConfig applications should be tagged


**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `AWS::AppConfig::Application`

**Amazon Config rule:** `appconfig-application-tagged`

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  requiredKeyTags  | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive.  | StringList (maximum of 6 items)  | 1–6 tag keys that meet [Amazon requirements](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-conventions).  | No default value  | 

This control checks whether an Amazon AppConfig application has tags with the specific keys defined in the parameter `requiredKeyTags`. The control fails if the application doesn’t have any tag keys or if it doesn’t have all the keys specified in the parameter `requiredKeyTags`. If the parameter `requiredKeyTags` isn't provided, the control only checks for the existence of a tag key and fails if the application isn't tagged with any key. System tags, which are automatically applied and begin with `aws:`, are ignored.

A tag is a label that you assign to an Amazon resource, and it consists of a key and an optional value. You can create tags to categorize resources by purpose, owner, environment, or other criteria. Tags can help you identify, organize, search for, and filter resources. Tagging also helps you track accountable resource owners for actions and notifications. When you use tagging, you can implement attribute-based access control (ABAC) as an authorization strategy, which defines permissions based on tags. You can attach tags to IAM entities (users or roles) and to Amazon resources. You can create a single ABAC policy or a separate set of policies for your IAM principals. You can design these ABAC policies to allow operations when the principal's tag matches the resource tag. For more information, see [Define permissions based on attributes with ABAC authorization](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*.

**Note**  
Don’t add personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible to many Amazon Web Services services, including Amazon Billing. For more tagging best practices, see [Best practices and strategies](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-best-practices) in the *Tagging Amazon Resources and Tag Editor User Guide*.

### Remediation


To add tags to an Amazon AppConfig application, see [TagResource](https://docs.amazonaws.cn/appconfig/2019-10-09/APIReference/API_TagResource.html) in the *Amazon AppConfig API Reference*.

## [AppConfig.2] Amazon AppConfig configuration profiles should be tagged


**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `AWS::AppConfig::ConfigurationProfile`

**Amazon Config rule:** `appconfig-configuration-profile-tagged`

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  requiredKeyTags  | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive.  | StringList (maximum of 6 items)  | 1–6 tag keys that meet [Amazon requirements](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-conventions).  | No default value  | 

This control checks whether an Amazon AppConfig configuration profile has tags with the specific keys defined in the parameter `requiredKeyTags`. The control fails if the configuration profile doesn’t have any tag keys or if it doesn’t have all the keys specified in the parameter `requiredKeyTags`. If the parameter `requiredKeyTags` isn't provided, the control only checks for the existence of a tag key and fails if the configuration profile isn't tagged with any key. System tags, which are automatically applied and begin with `aws:`, are ignored.

A tag is a label that you assign to an Amazon resource, and it consists of a key and an optional value. You can create tags to categorize resources by purpose, owner, environment, or other criteria. Tags can help you identify, organize, search for, and filter resources. Tagging also helps you track accountable resource owners for actions and notifications. When you use tagging, you can implement attribute-based access control (ABAC) as an authorization strategy, which defines permissions based on tags. You can attach tags to IAM entities (users or roles) and to Amazon resources. You can create a single ABAC policy or a separate set of policies for your IAM principals. You can design these ABAC policies to allow operations when the principal's tag matches the resource tag. For more information, see [Define permissions based on attributes with ABAC authorization](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*.

**Note**  
Don’t add personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible to many Amazon Web Services services, including Amazon Billing. For more tagging best practices, see [Best practices and strategies](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-best-practices) in the *Tagging Amazon Resources and Tag Editor User Guide*.

### Remediation


To add tags to an Amazon AppConfig configuration profile, see [TagResource](https://docs.amazonaws.cn/appconfig/2019-10-09/APIReference/API_TagResource.html) in the *Amazon AppConfig API Reference*.

## [AppConfig.3] Amazon AppConfig environments should be tagged


**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `AWS::AppConfig::Environment`

**Amazon Config rule:** `appconfig-environment-tagged`

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  requiredKeyTags  | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive.  | StringList (maximum of 6 items)  | 1–6 tag keys that meet [Amazon requirements](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-conventions).  | No default value  | 

This control checks whether an Amazon AppConfig environment has tags with the specific keys defined in the parameter `requiredKeyTags`. The control fails if the environment doesn’t have any tag keys or if it doesn’t have all the keys specified in the parameter `requiredKeyTags`. If the parameter `requiredKeyTags` isn't provided, the control only checks for the existence of a tag key and fails if the environment isn't tagged with any key. System tags, which are automatically applied and begin with `aws:`, are ignored.

A tag is a label that you assign to an Amazon resource, and it consists of a key and an optional value. You can create tags to categorize resources by purpose, owner, environment, or other criteria. Tags can help you identify, organize, search for, and filter resources. Tagging also helps you track accountable resource owners for actions and notifications. When you use tagging, you can implement attribute-based access control (ABAC) as an authorization strategy, which defines permissions based on tags. You can attach tags to IAM entities (users or roles) and to Amazon resources. You can create a single ABAC policy or a separate set of policies for your IAM principals. You can design these ABAC policies to allow operations when the principal's tag matches the resource tag. For more information, see [Define permissions based on attributes with ABAC authorization](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*.

**Note**  
Don’t add personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible to many Amazon Web Services services, including Amazon Billing. For more tagging best practices, see [Best practices and strategies](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-best-practices) in the *Tagging Amazon Resources and Tag Editor User Guide*.

### Remediation


To add tags to an Amazon AppConfig environment, see [TagResource](https://docs.amazonaws.cn/appconfig/2019-10-09/APIReference/API_TagResource.html) in the *Amazon AppConfig API Reference*.

## [AppConfig.4] Amazon AppConfig extension associations should be tagged


**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `AWS::AppConfig::ExtensionAssociation`

**Amazon Config rule:** `appconfig-extension-association-tagged`

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  requiredKeyTags  | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive.  | StringList (maximum of 6 items)  | 1–6 tag keys that meet [Amazon requirements](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-conventions).  | No default value  | 

This control checks whether an Amazon AppConfig extension association has tags with the specific keys defined in the parameter `requiredKeyTags`. The control fails if the extension association doesn’t have any tag keys or if it doesn’t have all the keys specified in the parameter `requiredKeyTags`. If the parameter `requiredKeyTags` isn't provided, the control only checks for the existence of a tag key and fails if the extension association isn't tagged with any key. System tags, which are automatically applied and begin with `aws:`, are ignored.

A tag is a label that you assign to an Amazon resource, and it consists of a key and an optional value. You can create tags to categorize resources by purpose, owner, environment, or other criteria. Tags can help you identify, organize, search for, and filter resources. Tagging also helps you track accountable resource owners for actions and notifications. When you use tagging, you can implement attribute-based access control (ABAC) as an authorization strategy, which defines permissions based on tags. You can attach tags to IAM entities (users or roles) and to Amazon resources. You can create a single ABAC policy or a separate set of policies for your IAM principals. You can design these ABAC policies to allow operations when the principal's tag matches the resource tag. For more information, see [Define permissions based on attributes with ABAC authorization](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*.

**Note**  
Don’t add personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible to many Amazon Web Services services, including Amazon Billing. For more tagging best practices, see [Best practices and strategies](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-best-practices) in the *Tagging Amazon Resources and Tag Editor User Guide*.

### Remediation


To add tags to an Amazon AppConfig extension association, see [TagResource](https://docs.amazonaws.cn/appconfig/2019-10-09/APIReference/API_TagResource.html) in the *Amazon AppConfig API Reference*.

# Security Hub CSPM controls for Amazon AppFlow
Amazon AppFlow controls

These Security Hub CSPM controls evaluate the Amazon AppFlow service and resources.

These controls may not be available in all Amazon Web Services Regions. For more information, see [Availability of controls by Region](securityhub-regions.md#securityhub-regions-control-support).

## [AppFlow.1] Amazon AppFlow flows should be tagged


**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `AWS::AppFlow::Flow`

**Amazon Config rule:** `appflow-flow-tagged`

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  requiredKeyTags  | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive.  | StringList (maximum of 6 items)  | 1–6 tag keys that meet [Amazon requirements](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-conventions).  | No default value  | 

This control checks whether an Amazon AppFlow flow has tags with the specific keys defined in the parameter `requiredKeyTags`. The control fails if the flow doesn’t have any tag keys or if it doesn’t have all the keys specified in the parameter `requiredKeyTags`. If the parameter `requiredKeyTags` isn't provided, the control only checks for the existence of a tag key and fails if the flow isn't tagged with any key. System tags, which are automatically applied and begin with `aws:`, are ignored.

A tag is a label that you assign to an Amazon resource, and it consists of a key and an optional value. You can create tags to categorize resources by purpose, owner, environment, or other criteria. Tags can help you identify, organize, search for, and filter resources. Tagging also helps you track accountable resource owners for actions and notifications. When you use tagging, you can implement attribute-based access control (ABAC) as an authorization strategy, which defines permissions based on tags. You can attach tags to IAM entities (users or roles) and to Amazon resources. You can create a single ABAC policy or a separate set of policies for your IAM principals. You can design these ABAC policies to allow operations when the principal's tag matches the resource tag. For more information, see [Define permissions based on attributes with ABAC authorization](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*.

**Note**  
Don’t add personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible to many Amazon Web Services services, including Amazon Billing. For more tagging best practices, see [Best practices and strategies](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-best-practices) in the *Tagging Amazon Resources and Tag Editor User Guide*.

### Remediation


To add tags to an Amazon AppFlow flow, see [Creating flows in Amazon AppFlow](https://docs.amazonaws.cn/appflow/latest/userguide/flows-manage.html) in the *Amazon AppFlow User Guide*.

# Security Hub CSPM controls for Amazon App Runner
Amazon App Runner controls

These Amazon Security Hub CSPM controls evaluate the Amazon App Runner service and resources. The controls might not be available in all Amazon Web Services Regions. For more information, see [Availability of controls by Region](securityhub-regions.md#securityhub-regions-control-support).

## [AppRunner.1] App Runner services should be tagged


**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `AWS::AppRunner::Service`

**Amazon Config rule:** [`apprunner-service-tagged`](https://docs.amazonaws.cn/config/latest/developerguide/apprunner-service-tagged.html)

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  requiredKeyTags  | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive.  | StringList (maximum of 6 items)  | 1–6 tag keys that meet [Amazon requirements](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-conventions).  | No default value  | 

This control checks whether an Amazon App Runner service has tags with the specific keys defined in the parameter `requiredKeyTags`. The control fails if the App Runner service doesn’t have any tag keys or if it doesn’t have all the keys specified in the parameter `requiredKeyTags`. If the parameter `requiredKeyTags` isn't provided, the control only checks for the existence of a tag key and fails if the App Runner service isn't tagged with any key. System tags, which are automatically applied and begin with `aws:`, are ignored.

A tag is a label that you assign to an Amazon resource, and it consists of a key and an optional value. You can create tags to categorize resources by purpose, owner, environment, or other criteria. Tags can help you identify, organize, search for, and filter resources. Tagging also helps you track accountable resource owners for actions and notifications. When you use tagging, you can implement attribute-based access control (ABAC) as an authorization strategy, which defines permissions based on tags. You can attach tags to IAM entities (users or roles) and to Amazon resources. You can create a single ABAC policy or a separate set of policies for your IAM principals. You can design these ABAC policies to allow operations when the principal's tag matches the resource tag. For more information, see [Define permissions based on attributes with ABAC authorization](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*.

**Note**  
Don’t add personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible to many Amazon Web Services services, including Amazon Billing. For more tagging best practices, see [Best practices and strategies](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-best-practices) in the *Tagging Amazon Resources and Tag Editor User Guide*.

### Remediation


For information about adding tags to an Amazon App Runner service, see [TagResource](https://docs.amazonaws.cn/apprunner/latest/api/API_TagResource.html) in the *Amazon App Runner API Reference*.

## [AppRunner.2] App Runner VPC connectors should be tagged


**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `AWS::AppRunner::VpcConnector`

**Amazon Config rule:** [`apprunner-vpc-connector-tagged`](https://docs.amazonaws.cn/config/latest/developerguide/apprunner-vpc-connector-tagged.html)

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  requiredKeyTags  | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive.  | StringList (maximum of 6 items)  | 1–6 tag keys that meet [Amazon requirements](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-conventions).  | No default value  | 

This control checks whether an Amazon App Runner VPC connector has tags with the specific keys defined in the parameter `requiredKeyTags`. The control fails if the VPC connector doesn’t have any tag keys or if it doesn’t have all the keys specified in the parameter `requiredKeyTags`. If the parameter `requiredKeyTags` isn't provided, the control only checks for the existence of a tag key and fails if the VPC connector isn't tagged with any key. System tags, which are automatically applied and begin with `aws:`, are ignored.

A tag is a label that you assign to an Amazon resource, and it consists of a key and an optional value. You can create tags to categorize resources by purpose, owner, environment, or other criteria. Tags can help you identify, organize, search for, and filter resources. Tagging also helps you track accountable resource owners for actions and notifications. When you use tagging, you can implement attribute-based access control (ABAC) as an authorization strategy, which defines permissions based on tags. You can attach tags to IAM entities (users or roles) and to Amazon resources. You can create a single ABAC policy or a separate set of policies for your IAM principals. You can design these ABAC policies to allow operations when the principal's tag matches the resource tag. For more information, see [Define permissions based on attributes with ABAC authorization](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*.

**Note**  
Don’t add personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible to many Amazon Web Services services, including Amazon Billing. For more tagging best practices, see [Best practices and strategies](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-best-practices) in the *Tagging Amazon Resources and Tag Editor User Guide*.

### Remediation


For information about adding tags to an Amazon App Runner VPC connector, see [TagResource](https://docs.amazonaws.cn/apprunner/latest/api/API_TagResource.html) in the *Amazon App Runner API Reference*.

# Security Hub CSPM controls for Amazon AppSync
Amazon AppSync controls

These Security Hub CSPM controls evaluate the Amazon AppSync service and resources.

These controls may not be available in all Amazon Web Services Regions. For more information, see [Availability of controls by Region](securityhub-regions.md#securityhub-regions-control-support).

## [AppSync.1] Amazon AppSync API caches should be encrypted at rest


**Important**  
Security Hub CSPM retired this control on March 9, 2026. For more information, see [Change log for Security Hub CSPM controls](controls-change-log.md). Amazon AppSync now provides default encryption on all current and future API caches.

**Category:** Protect > Data Protection > Encryption of data-at-rest

**Severity:** Medium

**Resource type:** `AWS::AppSync::GraphQLApi`

**Amazon Config rule:** [`appsync-cache-ct-encryption-at-rest`](https://docs.amazonaws.cn/config/latest/developerguide/appsync-cache-ct-encryption-at-rest.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether an Amazon AppSync API cache is encrypted at rest. The control fails if the API cache isn't encrypted at rest.

Data at rest refers to data that's stored in persistent, non-volatile storage for any duration. Encrypting data at rest helps you protect its confidentiality, which reduces the risk that an unauthorized user can access it.

### Remediation


You can't change the encryption settings after enabling caching for your Amazon AppSync API. Instead, you must delete the cache and recreate it with encryption enabled. For more information, see [Cache encryption](https://docs.amazonaws.cn/appsync/latest/devguide/enabling-caching.html#caching-encryption) in the *Amazon AppSync Developer Guide*.

## [AppSync.2] Amazon AppSync should have field-level logging enabled


**Related requirements:** PCI DSS v4.0.1/10.4.2

**Category:** Identify > Logging

**Severity:** Medium

**Resource type:** `AWS::AppSync::GraphQLApi`

**Amazon Config rule:** [`appsync-logging-enabled`](https://docs.amazonaws.cn/config/latest/developerguide/appsync-logging-enabled.html)

**Schedule type:** Change triggered

**Parameters:** 


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  `fieldLoggingLevel`  |  Field logging level  |  Enum  |  `ERROR`, `ALL`, `INFO`, `DEBUG`  |  No default value  | 

This control checks whether an Amazon AppSync API has field-level logging turned on. The control fails if the field resolver log level is set to **None**. Unless you provide custom parameter values to indicate that a specific log type should be enabled, Security Hub CSPM produces a passed finding if the field resolver log level is either `ERROR` or `ALL`.

You can use logging and metrics to identify, troubleshoot, and optimize your GraphQL queries. Turning on logging for Amazon AppSync GraphQL helps you get detailed information about API requests and responses, identify and respond to issues, and comply with regulatory requirements.

### Remediation


To turn on logging for Amazon AppSync, see [Setup and configuration](https://docs.amazonaws.cn/appsync/latest/devguide/monitoring.html#setup-and-configuration) in the *Amazon AppSync Developer Guide*.

## [AppSync.4] Amazon AppSync GraphQL APIs should be tagged


**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `AWS::AppSync::GraphQLApi`

**Amazon Config rule:** `tagged-appsync-graphqlapi` (custom Security Hub CSPM rule)

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  requiredTagKeys  | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive.  | StringList (maximum of 6 items)  | 1–6 tag keys that meet [Amazon requirements](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-conventions).  | No default value  | 

This control checks whether an Amazon AppSync GraphQL API has tags with the specific keys defined in the parameter `requiredTagKeys`. The control fails if the GraphQL API doesn’t have any tag keys or if it doesn’t have all the keys specified in the parameter `requiredTagKeys`. If the parameter `requiredTagKeys` isn't provided, the control only checks for the existence of a tag key and fails if the GraphQL API isn't tagged with any key. System tags, which are automatically applied and begin with `aws:`, are ignored.

A tag is a label that you assign to an Amazon resource, and it consists of a key and an optional value. You can create tags to categorize resources by purpose, owner, environment, or other criteria. Tags can help you identify, organize, search for, and filter resources. Tagging also helps you track accountable resource owners for actions and notifications. When you use tagging, you can implement attribute-based access control (ABAC) as an authorization strategy, which defines permissions based on tags. You can attach tags to IAM entities (users or roles) and to Amazon resources. You can create a single ABAC policy or a separate set of policies for your IAM principals. You can design these ABAC policies to allow operations when the principal's tag matches the resource tag. For more information, see [What is ABAC for Amazon?](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*.

**Note**  
Don’t add personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible to many Amazon Web Services services, including Amazon Billing. For more tagging best practices, see [Tagging your Amazon resources](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-best-practices) in the *Amazon Web Services General Reference*.

### Remediation


To add tags to an Amazon AppSync GraphQL API, see [TagResource](https://docs.amazonaws.cn/appsync/latest/APIReference/API_TagResource.html) in the *Amazon AppSync API Reference*.

## [AppSync.5] Amazon AppSync GraphQL APIs should not be authenticated with API keys


**Related requirements:** NIST.800-53.r5 AC-2(1), NIST.800-53.r5 AC-3, NIST.800-53.r5 AC-3(15), NIST.800-53.r5 AC-3(7), NIST.800-53.r5 AC-6

**Category:** Protect > Secure access management > Passwordless authentication

**Severity:** High

**Resource type:** `AWS::AppSync::GraphQLApi`

**Amazon Config rule:** [`appsync-authorization-check`](https://docs.amazonaws.cn/config/latest/developerguide/appsync-authorization-check.html)

**Schedule type:** Change triggered

**Parameters:**
+ `AllowedAuthorizationTypes`: `AWS_LAMBDA, AWS_IAM, OPENID_CONNECT, AMAZON_COGNITO_USER_POOLS` (not customizable)

This control checks whether your application uses an API key to interact with an Amazon AppSync GraphQL API. The control fails if an Amazon AppSync GraphQL API is authenticated with an API key.

An API key is a hard-coded value in your application that is generated by the Amazon AppSync service when you create an unauthenticated GraphQL endpoint. If this API key is compromised, your endpoint is vulnerable to unintended access. Unless you are supporting a publicly accessible application or website, we don't recommend using an API key for authentication.

### Remediation


To set an authorization option for your Amazon AppSync GraphQL API, see [Authorization and authentication](https://docs.amazonaws.cn/appsync/latest/devguide/security-authz.html) in the *Amazon AppSync Developer Guide*.

## [AppSync.6] Amazon AppSync API caches should be encrypted in transit


**Important**  
Security Hub CSPM retired this control on March 9, 2026. For more information, see [Change log for Security Hub CSPM controls](controls-change-log.md). Amazon AppSync now provides default encryption on all current and future API caches.

**Category:** Protect > Data Protection > Encryption of data-in-transit

**Severity:** Medium

**Resource type:** `AWS::AppSync::ApiCache`

**Amazon Config rule:** [`appsync-cache-ct-encryption-in-transit`](https://docs.amazonaws.cn/config/latest/developerguide/appsync-cache-ct-encryption-in-transit.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether an Amazon AppSync API cache is encrypted in transit. The control fails if the API cache isn't encrypted in transit.

Data in transit refers to data that moves from one location to another, such as between nodes in your cluster or between your cluster and your application. Data may move across the internet or within a private network. Encrypting data in transit reduces the risk that an unauthorized user can eavesdrop on network traffic.

### Remediation


You can't change the encryption settings after enabling caching for your Amazon AppSync API. Instead, you must delete the cache and recreate it with encryption enabled. For more information, see [Cache encryption](https://docs.amazonaws.cn/appsync/latest/devguide/enabling-caching.html#caching-encryption) in the *Amazon AppSync Developer Guide*.

# Security Hub CSPM controls for Amazon Athena
Amazon Athena controls

These Amazon Security Hub CSPM controls evaluate the Amazon Athena service and resources. The controls might not be available in all Amazon Web Services Regions. For more information, see [Availability of controls by Region](securityhub-regions.md#securityhub-regions-control-support).

## [Athena.1] Athena workgroups should be encrypted at rest


**Important**  
Security Hub CSPM retired this control in April 2024. For more information, see [Change log for Security Hub CSPM controls](controls-change-log.md).

**Category:** Protect > Data protection > Encryption of data at rest

**Related requirements:** NIST.800-53.r5 CA-9(1), NIST.800-53.r5 CM-3(6), NIST.800-53.r5 SC-13, NIST.800-53.r5 SC-28, NIST.800-53.r5 SC-28(1), NIST.800-53.r5 SC-7(10), NIST.800-53.r5 SI-7(6)

**Severity:** Medium

**Resource type:** `AWS::Athena::WorkGroup`

**Amazon Config rule:** [`athena-workgroup-encrypted-at-rest`](https://docs.amazonaws.cn/config/latest/developerguide/athena-workgroup-encrypted-at-rest.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks if an Athena workgroup is encrypted at rest. The control fails if an Athena workgroup isn’t encrypted at rest.

In Athena, you can create workgroups for running queries for teams, applications, or different workloads. Each workgroup has a setting to enable encryption on all queries. You have the option to use server-side encryption with Amazon Simple Storage Service (Amazon S3) managed keys, server-side encryption with Amazon Key Management Service (Amazon KMS) keys, or client-side encryption with customer managed KMS keys. Data at rest refers to any data that's stored in persistent, non-volatile storage for any duration. Encryption helps you protect the confidentiality of such data, reducing the risk that an unauthorized user can access it.

### Remediation


To enable encryption at rest for Athena workgroups, see [Edit a workgroup](https://docs.amazonaws.cn/athena/latest/ug/workgroups-create-update-delete.html#editing-workgroups) in the *Amazon Athena User Guide*. In the **Query Result Configuration** section, select **Encrypt query results**.

## [Athena.2] Athena data catalogs should be tagged


**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `AWS::Athena::DataCatalog`

**Amazon Config rule:** `tagged-athena-datacatalog` (custom Security Hub CSPM rule)

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  requiredTagKeys  | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive.  | StringList (maximum of 6 items)  | 1–6 tag keys that meet [Amazon requirements](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-conventions).  |  No default value  | 

This control checks whether an Amazon Athena data catalog has tags with the specific keys defined in the parameter `requiredTagKeys`. The control fails if the data catalog doesn’t have any tag keys or if it doesn’t have all the keys specified in the parameter `requiredTagKeys`. If the parameter `requiredTagKeys` isn't provided, the control only checks for the existence of a tag key and fails if the data catalog isn't tagged with any key. System tags, which are automatically applied and begin with `aws:`, are ignored.

A tag is a label that you assign to an Amazon resource, and it consists of a key and an optional value. You can create tags to categorize resources by purpose, owner, environment, or other criteria. Tags can help you identify, organize, search for, and filter resources. Tagging also helps you track accountable resource owners for actions and notifications. When you use tagging, you can implement attribute-based access control (ABAC) as an authorization strategy, which defines permissions based on tags. You can attach tags to IAM entities (users or roles) and to Amazon resources. You can create a single ABAC policy or a separate set of policies for your IAM principals. You can design these ABAC policies to allow operations when the principal's tag matches the resource tag. For more information, see [What is ABAC for Amazon?](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*.

**Note**  
Don’t add personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible to many Amazon Web Services services, including Amazon Billing. For more tagging best practices, see [Tagging your Amazon resources](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-best-practices) in the *Amazon Web Services General Reference*.

### Remediation


To add tags to an Athena data catalog, see [Tagging Athena resources](https://docs.amazonaws.cn/athena/latest/ug/tags.html) in the *Amazon Athena User Guide*.

## [Athena.3] Athena workgroups should be tagged


**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `AWS::Athena::WorkGroup`

**Amazon Config rule:** `tagged-athena-workgroup` (custom Security Hub CSPM rule)

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  requiredTagKeys  | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive.  | StringList (maximum of 6 items)  | 1–6 tag keys that meet [Amazon requirements](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-conventions).  |  No default value  | 

This control checks whether an Amazon Athena workgroup has tags with the specific keys defined in the parameter `requiredTagKeys`. The control fails if the workgroup doesn’t have any tag keys or if it doesn’t have all the keys specified in the parameter `requiredTagKeys`. If the parameter `requiredTagKeys` isn't provided, the control only checks for the existence of a tag key and fails if the workgroup isn't tagged with any key. System tags, which are automatically applied and begin with `aws:`, are ignored.

A tag is a label that you assign to an Amazon resource, and it consists of a key and an optional value. You can create tags to categorize resources by purpose, owner, environment, or other criteria. Tags can help you identify, organize, search for, and filter resources. Tagging also helps you track accountable resource owners for actions and notifications. When you use tagging, you can implement attribute-based access control (ABAC) as an authorization strategy, which defines permissions based on tags. You can attach tags to IAM entities (users or roles) and to Amazon resources. You can create a single ABAC policy or a separate set of policies for your IAM principals. You can design these ABAC policies to allow operations when the principal's tag matches the resource tag. For more information, see [What is ABAC for Amazon?](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*.

**Note**  
Don’t add personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible to many Amazon Web Services services, including Amazon Billing. For more tagging best practices, see [Tagging your Amazon resources](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-best-practices) in the *Amazon Web Services General Reference*.

### Remediation


To add tags to an Athena workgroup, see [Adding and deleting tags on an individual workgroup](https://docs.amazonaws.cn/athena/latest/ug/tags-console.html#tags-add-delete) in the *Amazon Athena User Guide*.

## [Athena.4] Athena workgroups should have logging enabled


**Category:** Identify > Logging

**Severity:** Medium

**Resource type:** `AWS::Athena::WorkGroup`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/athena-workgroup-logging-enabled.html](https://docs.amazonaws.cn/config/latest/developerguide/athena-workgroup-logging-enabled.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether an Amazon Athena workgroup has logging enabled. The control fails if the workgroup doesn't have logging enabled.

Audit logs track and monitor system activities. They provide a record of events that can help you detect security breaches, investigate incidents, and comply with regulations. Audit logs also enhance the overall accountability and transparency of your organization.

### Remediation


For information about enabling logging for an Athena workgroup, see [Enable CloudWatch query metrics in Athena](https://docs.amazonaws.cn/athena/latest/ug/athena-cloudwatch-metrics-enable.html) in the *Amazon Athena User Guide*.

# Security Hub CSPM controls for Amazon Backup

These Security Hub CSPM controls evaluate the Amazon Backup service and resources.

These controls may not be available in all Amazon Web Services Regions. For more information, see [Availability of controls by Region](securityhub-regions.md#securityhub-regions-control-support).

## [Backup.1] Amazon Backup recovery points should be encrypted at rest


**Related requirements:** NIST.800-53.r5 CP-9(8), NIST.800-53.r5 SI-12

**Category:** Protect > Data Protection > Encryption of data-at-rest

**Severity:** Medium

**Resource type:** `AWS::Backup::RecoveryPoint`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/backup-recovery-point-encrypted.html](https://docs.amazonaws.cn/config/latest/developerguide/backup-recovery-point-encrypted.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks if an Amazon Backup recovery point is encrypted at rest. The control fails if the recovery point isn't encrypted at rest.

An Amazon Backup recovery point refers to a specific copy or snapshot of data that is created as part of a backup process. It represents a particular moment in time when the data was backed up and serves as a restore point in case the original data becomes lost, corrupted, or inaccessible. Encrypting the backup recovery points adds an extra layer of protection against unauthorized access. Encryption is a best practice to protect the confidentiality, integrity, and security of backup data.

### Remediation


To encrypt an Amazon Backup recovery point, see [Encryption for backups in Amazon Backup](https://docs.amazonaws.cn/aws-backup/latest/devguide/encryption.html) in the *Amazon Backup Developer Guide*.

## [Backup.2] Amazon Backup recovery points should be tagged


**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `AWS::Backup::RecoveryPoint`

**Amazon Config rule:** `tagged-backup-recoverypoint` (custom Security Hub CSPM rule)

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  requiredTagKeys  | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive.  | StringList (maximum of 6 items)  | 1–6 tag keys that meet [Amazon requirements](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-conventions).  | No default value  | 

This control checks whether an Amazon Backup recovery point has tags with the specific keys defined in the parameter `requiredTagKeys`. The control fails if the recovery point doesn’t have any tag keys or if it doesn’t have all the keys specified in the parameter `requiredTagKeys`. If the parameter `requiredTagKeys` isn't provided, the control only checks for the existence of a tag key and fails if the recovery point isn't tagged with any key. System tags, which are automatically applied and begin with `aws:`, are ignored.

A tag is a label that you assign to an Amazon resource, and it consists of a key and an optional value. You can create tags to categorize resources by purpose, owner, environment, or other criteria. Tags can help you identify, organize, search for, and filter resources. Tagging also helps you track accountable resource owners for actions and notifications. When you use tagging, you can implement attribute-based access control (ABAC) as an authorization strategy, which defines permissions based on tags. You can attach tags to IAM entities (users or roles) and to Amazon resources. You can create a single ABAC policy or a separate set of policies for your IAM principals. You can design these ABAC policies to allow operations when the principal's tag matches the resource tag. For more information, see [What is ABAC for Amazon?](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*.

**Note**  
Don’t add personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible to many Amazon Web Services services, including Amazon Billing. For more tagging best practices, see [Tagging your Amazon resources](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-best-practices) in the *Amazon Web Services General Reference*.

### Remediation


**To add tags to an Amazon Backup recovery point**

1. Open the Amazon Backup console at [https://console.amazonaws.cn/backup](https://console.amazonaws.cn/backup).

1. In the navigation pane, choose **Backup plans**.

1. Select a backup plan from the list.

1. In the **Backup plan tags** section, choose **Manage tags**.

1. Enter the key and value for the tag. Choose **Add new tag** for additional key-value pairs.

1. When you are finished adding tags, choose **Save**.

## [Backup.3] Amazon Backup vaults should be tagged


**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `AWS::Backup::BackupVault`

**Amazon Config rule:** `tagged-backup-backupvault` (custom Security Hub CSPM rule)

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  requiredTagKeys  | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive.  | StringList (maximum of 6 items)  | 1–6 tag keys that meet [Amazon requirements](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-conventions).  | No default value  | 

This control checks whether an Amazon Backup vault has tags with the specific keys defined in the parameter `requiredTagKeys`. The control fails if the backup vault doesn’t have any tag keys or if it doesn’t have all the keys specified in the parameter `requiredTagKeys`. If the parameter `requiredTagKeys` isn't provided, the control only checks for the existence of a tag key and fails if the backup vault isn't tagged with any key. System tags, which are automatically applied and begin with `aws:`, are ignored.

A tag is a label that you assign to an Amazon resource, and it consists of a key and an optional value. You can create tags to categorize resources by purpose, owner, environment, or other criteria. Tags can help you identify, organize, search for, and filter resources. Tagging also helps you track accountable resource owners for actions and notifications. When you use tagging, you can implement attribute-based access control (ABAC) as an authorization strategy, which defines permissions based on tags. You can attach tags to IAM entities (users or roles) and to Amazon resources. You can create a single ABAC policy or a separate set of policies for your IAM principals. You can design these ABAC policies to allow operations when the principal's tag matches the resource tag. For more information, see [What is ABAC for Amazon?](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*.

**Note**  
Don’t add personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible to many Amazon Web Services services, including Amazon Billing. For more tagging best practices, see [Tagging your Amazon resources](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-best-practices) in the *Amazon Web Services General Reference*.

### Remediation


**To add tags to an Amazon Backup vault**

1. Open the Amazon Backup console at [https://console.amazonaws.cn/backup](https://console.amazonaws.cn/backup).

1. In the navigation pane, choose **Backup vaults**.

1. Select a backup vault from the list.

1. In the **Backup vault tags** section, choose **Manage tags**.

1. Enter the key and value for the tag. Choose **Add new tag** for additional key-value pairs.

1. When you are finished adding tags, choose **Save**.

## [Backup.4] Amazon Backup report plans should be tagged


**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `AWS::Backup::ReportPlan`

**Amazon Config rule:** `tagged-backup-reportplan` (custom Security Hub CSPM rule)

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  requiredTagKeys  | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive.  | StringList (maximum of 6 items)  | 1–6 tag keys that meet [Amazon requirements](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-conventions).  | No default value  | 

This control checks whether an Amazon Backup report plan has tags with the specific keys defined in the parameter `requiredTagKeys`. The control fails if the report plan doesn’t have any tag keys or if it doesn’t have all the keys specified in the parameter `requiredTagKeys`. If the parameter `requiredTagKeys` isn't provided, the control only checks for the existence of a tag key and fails if the report plan isn't tagged with any key. System tags, which are automatically applied and begin with `aws:`, are ignored.

A tag is a label that you assign to an Amazon resource, and it consists of a key and an optional value. You can create tags to categorize resources by purpose, owner, environment, or other criteria. Tags can help you identify, organize, search for, and filter resources. Tagging also helps you track accountable resource owners for actions and notifications. When you use tagging, you can implement attribute-based access control (ABAC) as an authorization strategy, which defines permissions based on tags. You can attach tags to IAM entities (users or roles) and to Amazon resources. You can create a single ABAC policy or a separate set of policies for your IAM principals. You can design these ABAC policies to allow operations when the principal's tag matches the resource tag. For more information, see [What is ABAC for Amazon?](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*.

**Note**  
Don’t add personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible to many Amazon Web Services services, including Amazon Billing. For more tagging best practices, see [Tagging your Amazon resources](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-best-practices) in the *Amazon Web Services General Reference*.

### Remediation


**To add tags to an Amazon Backup report plan**

1. Open the Amazon Backup console at [https://console.amazonaws.cn/backup](https://console.amazonaws.cn/backup).

1. In the navigation pane, choose **Backup vaults**.

1. Select a backup vault from the list.

1. In the **Backup vault tags** section, choose **Manage tags**.

1. Choose **Add new tag**. Enter the key and value for the tag. Repeat for additional key-value pairs.

1. When you are finished adding tags, choose **Save**.

## [Backup.5] Amazon Backup backup plans should be tagged


**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `AWS::Backup::BackupPlan`

**Amazon Config rule:** `tagged-backup-backupplan` (custom Security Hub CSPM rule)

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  requiredTagKeys  | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive.  | StringList (maximum of 6 items)  | 1–6 tag keys that meet [Amazon requirements](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-conventions).  | No default value  | 

This control checks whether an Amazon Backup backup plan has tags with the specific keys defined in the parameter `requiredTagKeys`. The control fails if the backup plan doesn’t have any tag keys or if it doesn’t have all the keys specified in the parameter `requiredTagKeys`. If the parameter `requiredTagKeys` isn't provided, the control only checks for the existence of a tag key and fails if the backup plan isn't tagged with any key. System tags, which are automatically applied and begin with `aws:`, are ignored.

A tag is a label that you assign to an Amazon resource, and it consists of a key and an optional value. You can create tags to categorize resources by purpose, owner, environment, or other criteria. Tags can help you identify, organize, search for, and filter resources. Tagging also helps you track accountable resource owners for actions and notifications. When you use tagging, you can implement attribute-based access control (ABAC) as an authorization strategy, which defines permissions based on tags. You can attach tags to IAM entities (users or roles) and to Amazon resources. You can create a single ABAC policy or a separate set of policies for your IAM principals. You can design these ABAC policies to allow operations when the principal's tag matches the resource tag. For more information, see [What is ABAC for Amazon?](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*.

**Note**  
Don’t add personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible to many Amazon Web Services services, including Amazon Billing. For more tagging best practices, see [Tagging your Amazon resources](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-best-practices) in the *Amazon Web Services General Reference*.

### Remediation


**To add tags to an Amazon Backup backup plan**

1. Open the Amazon Backup console at [https://console.amazonaws.cn/backup](https://console.amazonaws.cn/backup).

1. In the navigation pane, choose **Backup vaults**.

1. Select a backup vault from the list.

1. In the **Backup vault tags** section, choose **Manage tags**.

1. Choose **Add new tag**. Enter the key and value for the tag. Repeat for additional key-value pairs.

1. When you are finished adding tags, choose **Save**.

# Security Hub CSPM controls for Amazon Batch

These Security Hub CSPM controls evaluate the Amazon Batch service and resources. The controls might not be available in all Amazon Web Services Regions. For more information, see [Availability of controls by Region](securityhub-regions.md#securityhub-regions-control-support).

## [Batch.1] Batch job queues should be tagged


**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `AWS::Batch::JobQueue`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/batch-job-queue-tagged.html](https://docs.amazonaws.cn/config/latest/developerguide/batch-job-queue-tagged.html)

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  requiredKeyTags  | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive.  | StringList (maximum of 6 items)  | 1–6 tag keys that meet [Amazon requirements](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-conventions).  | No default value  | 

This control checks whether an Amazon Batch job queue has tags with the specific keys defined in the parameter `requiredKeyTags`. The control fails if the job queue doesn’t have any tag keys or if it doesn’t have all the keys specified in the parameter `requiredKeyTags`. If the parameter `requiredKeyTags` isn't provided, the control only checks for the existence of a tag key and fails if the job queue isn't tagged with any key. System tags, which are automatically applied and begin with `aws:`, are ignored.

A tag is a label that you assign to an Amazon resource, and it consists of a key and an optional value. You can create tags to categorize resources by purpose, owner, environment, or other criteria. Tags can help you identify, organize, search for, and filter resources. Tagging also helps you track accountable resource owners for actions and notifications. When you use tagging, you can implement attribute-based access control (ABAC) as an authorization strategy, which defines permissions based on tags. You can attach tags to IAM entities (users or roles) and to Amazon resources. You can create a single ABAC policy or a separate set of policies for your IAM principals. You can design these ABAC policies to allow operations when the principal's tag matches the resource tag. For more information, see [Define permissions based on attributes with ABAC authorization](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*.

**Note**  
Don’t add personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible to many Amazon Web Services services, including Amazon Billing. For more tagging best practices, see [Best practices and strategies](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-best-practices) in the *Tagging Amazon Resources and Tag Editor User Guide*.

### Remediation


To add tags to a Batch job queue, see [Tag your resources](https://docs.amazonaws.cn/batch/latest/userguide/tag-resources.html) in the *Amazon Batch User Guide*.

## [Batch.2] Batch scheduling policies should be tagged


**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `AWS::Batch::SchedulingPolicy`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/batch-scheduling-policy-tagged.html](https://docs.amazonaws.cn/config/latest/developerguide/batch-scheduling-policy-tagged.html)

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  requiredKeyTags  | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive.  | StringList (maximum of 6 items)  | 1–6 tag keys that meet [Amazon requirements](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-conventions).  | No default value  | 

This control checks whether an Amazon Batch scheduling policy has tags with the specific keys defined in the parameter `requiredKeyTags`. The control fails if the scheduling policy doesn’t have any tag keys or if it doesn’t have all the keys specified in the parameter `requiredKeyTags`. If the parameter `requiredKeyTags` isn't provided, the control only checks for the existence of a tag key and fails if the scheduling policy isn't tagged with any key. System tags, which are automatically applied and begin with `aws:`, are ignored.

A tag is a label that you assign to an Amazon resource, and it consists of a key and an optional value. You can create tags to categorize resources by purpose, owner, environment, or other criteria. Tags can help you identify, organize, search for, and filter resources. Tagging also helps you track accountable resource owners for actions and notifications. When you use tagging, you can implement attribute-based access control (ABAC) as an authorization strategy, which defines permissions based on tags. You can attach tags to IAM entities (users or roles) and to Amazon resources. You can create a single ABAC policy or a separate set of policies for your IAM principals. You can design these ABAC policies to allow operations when the principal's tag matches the resource tag. For more information, see [Define permissions based on attributes with ABAC authorization](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*.

**Note**  
Don’t add personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible to many Amazon Web Services services, including Amazon Billing. For more tagging best practices, see [Best practices and strategies](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-best-practices) in the *Tagging Amazon Resources and Tag Editor User Guide*.

### Remediation


To add tags to a Batch scheduling policy, see [Tag your resources](https://docs.amazonaws.cn/batch/latest/userguide/tag-resources.html) in the *Amazon Batch User Guide*.

## [Batch.3] Batch compute environments should be tagged


**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `AWS::Batch::ComputeEnvironment`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/batch-compute-environment-tagged.html](https://docs.amazonaws.cn/config/latest/developerguide/batch-compute-environment-tagged.html)

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  requiredKeyTags  | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive.  | StringList (maximum of 6 items)  | 1–6 tag keys that meet [Amazon requirements](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-conventions).  | No default value  | 

This control checks whether an Amazon Batch compute environment has tags with the specific keys defined in the parameter `requiredKeyTags`. The control fails if the compute environment doesn’t have any tag keys or if it doesn’t have all the keys specified in the parameter `requiredKeyTags`. If the parameter `requiredKeyTags` isn't provided, the control only checks for the existence of a tag key and fails if the compute environment isn't tagged with any key. System tags, which are automatically applied and begin with `aws:`, are ignored.

A tag is a label that you assign to an Amazon resource, and it consists of a key and an optional value. You can create tags to categorize resources by purpose, owner, environment, or other criteria. Tags can help you identify, organize, search for, and filter resources. Tagging also helps you track accountable resource owners for actions and notifications. When you use tagging, you can implement attribute-based access control (ABAC) as an authorization strategy, which defines permissions based on tags. You can attach tags to IAM entities (users or roles) and to Amazon resources. You can create a single ABAC policy or a separate set of policies for your IAM principals. You can design these ABAC policies to allow operations when the principal's tag matches the resource tag. For more information, see [Define permissions based on attributes with ABAC authorization](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*.

**Note**  
Don’t add personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible to many Amazon Web Services services, including Amazon Billing. For more tagging best practices, see [Best practices and strategies](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-best-practices) in the *Tagging Amazon Resources and Tag Editor User Guide*.

### Remediation


To add tags to a Batch compute environment, see [Tag your resources](https://docs.amazonaws.cn/batch/latest/userguide/tag-resources.html) in the *Amazon Batch User Guide*.

## [Batch.4] Compute resources properties in managed Batch compute environments should be tagged


**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `AWS::Batch::ComputeEnvironment`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/batch-managed-compute-env-compute-resources-tagged.html](https://docs.amazonaws.cn/config/latest/developerguide/batch-managed-compute-env-compute-resources-tagged.html)

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
| requiredKeyTags | A list of non-system tag keys that must be assigned to an evaluated resource. Tag keys are case sensitive. | StringList (maximum of 6 items) | 1–6 tag keys that meet [Amazon requirements](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-conventions). | No default value | 

This control checks whether the compute resources property in a managed Amazon Batch compute environment has the tag keys specified by the `requiredKeyTags` parameter. The control fails if the compute resources property doesn't have any tag keys, or it doesn't have all the keys specified by the `requiredKeyTags` parameter. If you don't specify any values for the `requiredKeyTags` parameter, the control checks only for the existence of a tag key and fails if a compute resources property doesn't have any tag keys. The control ignores system tags, which are applied automatically and have the `aws:` prefix. This control doesn’t evaluate unmanaged compute environments, or managed environments that use Amazon Fargate resources.
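The tag-key rule that the tagging controls on this page share (Athena.2, Athena.3, Backup.2 through Backup.5, Batch.1 through Batch.3), together with the applicability rule Batch.4 adds for compute resources, as an added example that is not Security Hub CSPM's own rule code. Tags are handled as a plain key-to-value dict; `tags_from_api` converts the `[{"Key": ..., "Value": ...}]` lists many Amazon APIs return. The sample resources and Batch compute environments are constructed, and the `type` and `computeResources.type` fields follow the shape of the Batch `DescribeComputeEnvironments` response.

```python
"""Added example: the requiredTagKeys / requiredKeyTags evaluation the tagging
controls describe, plus the Batch.4 applicability rule. Not Security Hub
CSPM's own rule code; all sample resources are constructed."""
from typing import Any, Dict, Iterable, List, Optional

SYSTEM_TAG_PREFIX = "aws:"  # system tags are ignored by every tagging control
MAX_REQUIRED_KEYS = 6       # StringList limit from the parameter tables


def tags_from_api(tag_list: Iterable[Dict[str, str]]) -> Dict[str, str]:
    """Convert an API-style tag list into a key -> value dict."""
    return {t["Key"]: t.get("Value", "") for t in tag_list}


def non_system_keys(tags: Dict[str, str]) -> set:
    """Tag keys that count for the check (system tags excluded)."""
    return {k for k in tags if not k.startswith(SYSTEM_TAG_PREFIX)}


def evaluate_required_tags(tags: Dict[str, str],
                           required_keys: Optional[Iterable[str]] = None) -> Dict[str, Any]:
    """Apply the rule the control text describes.

    - No required keys: PASSED if at least one non-system tag key exists.
    - Required keys given: PASSED only if every one is present. Comparison is
      case sensitive, so "costcenter" does not satisfy a required "CostCenter".
    """
    required = list(required_keys or [])
    if len(required) > MAX_REQUIRED_KEYS:
        raise ValueError(f"at most {MAX_REQUIRED_KEYS} required tag keys are allowed")
    present = non_system_keys(tags)
    if not required:
        missing: List[str] = []
        status = "PASSED" if present else "FAILED"
    else:
        missing = [k for k in required if k not in present]
        status = "PASSED" if not missing else "FAILED"
    return {"status": status, "missing": missing, "present": sorted(present)}


def evaluate_batch_compute_resources(env: Dict[str, Any],
                                     required_keys: Optional[Iterable[str]] = None
                                     ) -> Optional[Dict[str, Any]]:
    """Batch.4 variant: evaluate computeResources.tags of a compute environment.

    Returns None (not applicable) for unmanaged environments and for managed
    environments backed by Fargate, which the control does not evaluate.
    """
    if env.get("type") != "MANAGED":
        return None
    compute = env.get("computeResources") or {}
    if compute.get("type") in ("FARGATE", "FARGATE_SPOT"):
        return None
    return evaluate_required_tags(compute.get("tags") or {}, required_keys)


# Constructed sample resources (not real account data).
SAMPLE_RESOURCES = {
    # Only a system tag: fails even when no required keys are configured.
    "athena-catalog": tags_from_api([
        {"Key": "aws:cloudformation:stack-name", "Value": "data-platform"},
    ]),
    # Owner and Environment present; note the lowercase "costcenter".
    "backup-vault": tags_from_api([
        {"Key": "Owner", "Value": "data-team"},
        {"Key": "Environment", "Value": "prod"},
        {"Key": "costcenter", "Value": "4711"},
    ]),
}

SAMPLE_BATCH_ENVS = [
    {"computeEnvironmentName": "ec2-managed", "type": "MANAGED",
     "computeResources": {"type": "EC2", "tags": {"Owner": "hpc-team"}}},
    {"computeEnvironmentName": "fargate-managed", "type": "MANAGED",
     "computeResources": {"type": "FARGATE", "tags": {}}},
    {"computeEnvironmentName": "self-managed", "type": "UNMANAGED"},
]

if __name__ == "__main__":
    for name, tags in SAMPLE_RESOURCES.items():
        print(name, evaluate_required_tags(tags, ["Owner", "CostCenter"]))
    for env in SAMPLE_BATCH_ENVS:
        print(env["computeEnvironmentName"], evaluate_batch_compute_resources(env, ["Owner"]))
```

The `missing` list in the result is what you would want to carry into a finding or an automation rule: it names exactly which keys the resource owner has to add, and the case-sensitive comparison surfaces the near-miss tags that a human reviewer would otherwise wave through.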

A tag is a label that you create and assign to an Amazon resource. Each tag consists of a required tag key and an optional tag value. You can use tags to categorize resources by purpose, owner, environment, or other criteria. They can help you identify, organize, search for, and filter resources. They can also help you track resource owners for actions and notifications. You can also use tags to implement attribute-based access control (ABAC) as an authorization strategy. For more information about ABAC strategies, see [Define permissions based on attributes with ABAC authorization](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*. For more information about tags, see the [Tagging Amazon Resources and Tag Editor User Guide](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html).

**Note**  
Do not store personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible from many Amazon Web Services services. They aren't intended to be used for private or sensitive data.

### Remediation


For information about adding tags to compute resources in a managed Amazon Batch compute environment, see [Tag your resources](https://docs.amazonaws.cn/batch/latest/userguide/tag-resources.html) in the *Amazon Batch User Guide*.

# Security Hub CSPM controls for Amazon Certificate Manager

These Amazon Security Hub CSPM controls evaluate the Amazon Certificate Manager (ACM) service and resources. The controls might not be available in all Amazon Web Services Regions. For more information, see [Availability of controls by Region](securityhub-regions.md#securityhub-regions-control-support).

## [ACM.1] Imported and ACM-issued certificates should be renewed after a specified time period


**Related requirements:** NIST.800-53.r5 SC-28(3), NIST.800-53.r5 SC-7(16), NIST.800-171.r2 3.13.15, PCI DSS v4.0.1/4.2.1

**Category:** Protect > Data Protection > Encryption of data-in-transit

**Severity:** Medium

**Resource type:** `AWS::ACM::Certificate`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/acm-certificate-expiration-check.html](https://docs.amazonaws.cn/config/latest/developerguide/acm-certificate-expiration-check.html)

**Schedule type:** Change triggered and periodic

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  `daysToExpiration`  |  Number of days within which the ACM certificate must be renewed  |  Integer  |  `14` to `365`  |  `30`  | 

This control checks whether an Amazon Certificate Manager (ACM) certificate is renewed within the specified time period. It checks both imported certificates and certificates provided by ACM. The control fails if the certificate isn't renewed within the specified time period. Unless you provide a custom parameter value for the renewal period, Security Hub CSPM uses a default value of 30 days.

ACM can automatically renew certificates that use DNS validation. For certificates that use email validation, you must respond to a domain validation email. ACM doesn't automatically renew certificates that you import. You must renew imported certificates manually.

### Remediation


ACM provides managed renewal for your SSL/TLS certificates issued by Amazon. This means that ACM either renews your certificates automatically (if you use DNS validation), or it sends you email notices when the certificate expiration approaches. These services are provided for both public and private ACM certificates.

**For domains validated by email**  
When a certificate is 45 days from expiration, ACM sends to the domain owner an email for each domain name. To validate the domains and complete the renewal, you must respond to the email notifications.  
For more information, see [Renewal for domains validated by email](https://docs.amazonaws.cn/acm/latest/userguide/email-renewal-validation.html) in the *Amazon Certificate Manager User Guide*.

**For domains validated by DNS**  
ACM automatically renews certificates that use DNS validation. Sixty days before expiration, ACM verifies that the certificate can be renewed.  
If it cannot validate a domain name, then ACM sends a notification that manual validation is required. It sends these notifications 45 days, 30 days, 7 days, and 1 day before the expiration.  
For more information, see [Renewal for domains validated by DNS](https://docs.amazonaws.cn/acm/latest/userguide/dns-renewal-validation.html) in the *Amazon Certificate Manager User Guide*.

## [ACM.2] RSA certificates managed by ACM should use a key length of at least 2,048 bits


**Related requirements:** PCI DSS v4.0.1/4.2.1

**Category:** Identify > Inventory > Inventory services

**Severity:** High

**Resource type:** `AWS::ACM::Certificate`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/acm-certificate-rsa-check.html](https://docs.amazonaws.cn/config/latest/developerguide/acm-certificate-rsa-check.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether RSA certificates managed by Amazon Certificate Manager use a key length of at least 2,048 bits. The control fails if the key length is smaller than 2,048 bits.

The strength of encryption directly correlates with key size. We recommend key lengths of at least 2,048 bits to protect your Amazon resources as computing power becomes less expensive and servers become more advanced.
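A local evaluator for ACM.1 and ACM.2, written as an added example (not Security Hub or Amazon Config code). It consumes the `Certificate` structure that the ACM `DescribeCertificate` API returns, using only `Type`, `NotAfter`, `KeyAlgorithm` and `DomainValidationOptions`, and the sample certificates are constructed; it also reports which renewal path applies when ACM.1 fails, following the guidance above.

```python
"""Evaluate ACM certificate descriptions against ACM.1 and ACM.2.

Added example, not Security Hub or Amazon Config code. Input is the
``Certificate`` structure returned by the ACM ``DescribeCertificate`` API;
only ``Type``, ``NotAfter``, ``KeyAlgorithm`` and ``DomainValidationOptions``
are used, and the sample certificates below are constructed by hand.
"""
from datetime import datetime, timedelta, timezone

MIN_RSA_BITS = 2048              # ACM.2 threshold
DEFAULT_DAYS_TO_EXPIRATION = 30  # ACM.1 default for daysToExpiration


def check_acm_1(cert, now, days_to_expiration=DEFAULT_DAYS_TO_EXPIRATION):
    """ACM.1: FAILED when the certificate expires within daysToExpiration days."""
    if not 14 <= days_to_expiration <= 365:   # allowed custom values for the parameter
        raise ValueError("daysToExpiration must be between 14 and 365")
    remaining = cert["NotAfter"] - now
    return "PASSED" if remaining > timedelta(days=days_to_expiration) else "FAILED"


def renewal_action(cert):
    """Who has to act on an ACM.1 failure, following the control's guidance."""
    if cert["Type"] == "IMPORTED":
        return "manual"     # ACM never renews imported certificates
    methods = {d.get("ValidationMethod") for d in cert.get("DomainValidationOptions", [])}
    if "EMAIL" in methods:
        return "email"      # respond to ACM's domain validation email
    return "automatic"      # DNS-validated certificates are renewed by ACM


def check_acm_2(cert):
    """ACM.2: RSA keys must be at least 2,048 bits; non-RSA keys are out of scope."""
    algorithm = cert.get("KeyAlgorithm", "")   # e.g. RSA_1024, RSA_2048, EC_prime256v1
    if not algorithm.startswith("RSA_"):
        return "NOT_APPLICABLE"
    bits = int(algorithm.split("_", 1)[1])
    return "PASSED" if bits >= MIN_RSA_BITS else "FAILED"


def evaluate(certs, now, days_to_expiration=DEFAULT_DAYS_TO_EXPIRATION):
    """Map each certificate ARN to its ACM.1 / ACM.2 results and renewal path."""
    return {
        cert["CertificateArn"]: {
            "ACM.1": check_acm_1(cert, now, days_to_expiration),
            "renewal": renewal_action(cert),
            "ACM.2": check_acm_2(cert),
        }
        for cert in certs
    }


NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)  # fixed clock for reproducibility
SAMPLE_CERTS = [  # constructed descriptions, not real certificates
    {"CertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/dns-ok",
     "Type": "AMAZON_ISSUED", "KeyAlgorithm": "RSA_2048",
     "NotAfter": NOW + timedelta(days=200),
     "DomainValidationOptions": [{"DomainName": "example.com", "ValidationMethod": "DNS"}]},
    {"CertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/email-soon",
     "Type": "AMAZON_ISSUED", "KeyAlgorithm": "EC_prime256v1",
     "NotAfter": NOW + timedelta(days=20),
     "DomainValidationOptions": [{"DomainName": "mail.example.com", "ValidationMethod": "EMAIL"}]},
    {"CertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/imported-weak",
     "Type": "IMPORTED", "KeyAlgorithm": "RSA_1024",
     "NotAfter": NOW + timedelta(days=10)},
]

if __name__ == "__main__":
    for arn, result in evaluate(SAMPLE_CERTS, NOW).items():
        print(arn.rsplit("/", 1)[1], result)
```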

### Remediation


The minimum key length for RSA certificates issued by ACM is already 2,048 bits. For instructions on issuing new RSA certificates with ACM, see [Issuing and managing certificates](https://docs.amazonaws.cn/acm/latest/userguide/gs.html) in the *Amazon Certificate Manager User Guide*.

While ACM allows you to import certificates with shorter key lengths, you must use keys of at least 2,048 bits to pass this control. You can't change the key length after importing a certificate. Instead, you must delete certificates with a key length smaller than 2,048 bits. For more information about importing certificates into ACM, see [Prerequisites for importing certificates](https://docs.amazonaws.cn/acm/latest/userguide/import-certificate-prerequisites.html) in the *Amazon Certificate Manager User Guide*.

## [ACM.3] ACM certificates should be tagged


**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `AWS::ACM::Certificate`

**Amazon Config rule:** `tagged-acm-certificate` (custom Security Hub CSPM rule)

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  requiredTagKeys  | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive.  | StringList (maximum of 6 items)  | 1–6 tag keys that meet [Amazon requirements](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-conventions).  | No default value  | 

This control checks whether an Amazon Certificate Manager (ACM) certificate has tags with the specific keys defined in the parameter `requiredTagKeys`. The control fails if the certificate doesn’t have any tag keys or if it doesn’t have all the keys specified in the parameter `requiredTagKeys`. If the parameter `requiredTagKeys` isn't provided, the control only checks for the existence of a tag key and fails if the certificate isn't tagged with any key. System tags, which are automatically applied and begin with `aws:`, are ignored.

A tag is a label that you assign to an Amazon resource, and it consists of a key and an optional value. You can create tags to categorize resources by purpose, owner, environment, or other criteria. Tags can help you identify, organize, search for, and filter resources. Tagging also helps you track accountable resource owners for actions and notifications. When you use tagging, you can implement attribute-based access control (ABAC) as an authorization strategy, which defines permissions based on tags. You can attach tags to IAM entities (users or roles) and to Amazon resources. You can create a single ABAC policy or a separate set of policies for your IAM principals. You can design these ABAC policies to allow operations when the principal's tag matches the resource tag. For more information, see [What is ABAC for Amazon?](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*.

**Note**  
Don’t add personally identifiable information (PII) or other confidential or sensitive information to tags. Tags are accessible to many Amazon Web Services services, including Amazon Billing. For more tagging best practices, see [Tagging your Amazon resources](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-best-practices) in the *Amazon Web Services General Reference*.

### Remediation


To add tags to an ACM certificate, see [Tagging Amazon Certificate Manager certificates](https://docs.amazonaws.cn/acm/latest/userguide/tags.html) in the *Amazon Certificate Manager User Guide*.

# Security Hub CSPM controls for Amazon CloudFormation

These Security Hub CSPM controls evaluate the Amazon CloudFormation service and resources.

These controls may not be available in all Amazon Web Services Regions. For more information, see [Availability of controls by Region](securityhub-regions.md#securityhub-regions-control-support).

## [CloudFormation.1] CloudFormation stacks should be integrated with Simple Notification Service (SNS)


**Important**  
Security Hub CSPM retired this control in April 2024. For more information, see [Change log for Security Hub CSPM controls](controls-change-log.md).

**Related requirements:** NIST.800-53.r5 SI-4(12), NIST.800-53.r5 SI-4(5)

**Category:** Detect > Detection services > Application monitoring

**Severity:** Low

**Resource type:** `AWS::CloudFormation::Stack`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/cloudformation-stack-notification-check.html](https://docs.amazonaws.cn/config/latest/developerguide/cloudformation-stack-notification-check.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether an Amazon Simple Notification Service notification is integrated with an Amazon CloudFormation stack. The control fails for a CloudFormation stack if no SNS notification is associated with it.

Configuring an SNS notification with your CloudFormation stack helps immediately notify stakeholders of any events or changes occurring with the stack.

### Remediation


To integrate a CloudFormation stack and an SNS topic, see [Updating stacks directly](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-direct.html) in the *Amazon CloudFormation User Guide*.

## [CloudFormation.2] CloudFormation stacks should be tagged


**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `AWS::CloudFormation::Stack`

**Amazon Config rule:** `tagged-cloudformation-stack` (custom Security Hub CSPM rule)

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  requiredTagKeys  | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive.  | StringList (maximum of 6 items)  | 1–6 tag keys that meet [Amazon requirements](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-conventions).  | No default value  | 

This control checks whether an Amazon CloudFormation stack has tags with the specific keys defined in the parameter `requiredTagKeys`. The control fails if the stack doesn’t have any tag keys or if it doesn’t have all the keys specified in the parameter `requiredTagKeys`. If the parameter `requiredTagKeys` isn't provided, the control only checks for the existence of a tag key and fails if the stack isn't tagged with any key. System tags, which are automatically applied and begin with `aws:`, are ignored.

A tag is a label that you assign to an Amazon resource, and it consists of a key and an optional value. You can create tags to categorize resources by purpose, owner, environment, or other criteria. Tags can help you identify, organize, search for, and filter resources. Tagging also helps you track accountable resource owners for actions and notifications. When you use tagging, you can implement attribute-based access control (ABAC) as an authorization strategy, which defines permissions based on tags. You can attach tags to IAM entities (users or roles) and to Amazon resources. You can create a single ABAC policy or a separate set of policies for your IAM principals. You can design these ABAC policies to allow operations when the principal's tag matches the resource tag. For more information, see [What is ABAC for Amazon?](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*.

**Note**  
Don’t add personally identifiable information (PII) or other confidential or sensitive information to tags. Tags are accessible to many Amazon Web Services services, including Amazon Billing. For more tagging best practices, see [Tagging your Amazon resources](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-best-practices) in the *Amazon Web Services General Reference*.
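The tag-key rules shared by Batch.4, ACM.3 and CloudFormation.2 (required keys, case-sensitive matching, `aws:` system tags ignored, at most 6 required keys), implemented as an added example rather than Security Hub or Amazon Config code. It accepts tags as the `{"Key", "Value"}` list most APIs return (CloudFormation stacks, ACM certificates) or as the plain key/value map used by a Batch compute environment's `computeResources.tags`; the sample tags are constructed.

```python
"""Evaluate resource tags the way Batch.4, ACM.3 and CloudFormation.2 describe.

Added example, not Security Hub or Amazon Config code. Tags may be a list of
{"Key": ..., "Value": ...} entries (CloudFormation stacks, ACM certificates)
or a plain key/value map (Batch computeResources.tags); samples are constructed.
"""

MAX_REQUIRED_KEYS = 6       # StringList limit for requiredTagKeys
SYSTEM_TAG_PREFIX = "aws:"  # system tags are ignored by the controls


def user_tag_keys(tags):
    """Return the non-system tag keys, whichever shape the API handed back."""
    if isinstance(tags, dict):
        keys = tags.keys()
    else:
        keys = (entry["Key"] for entry in tags or [])
    return {key for key in keys if not key.startswith(SYSTEM_TAG_PREFIX)}


def missing_tag_keys(tags, required_tag_keys):
    """Required keys the resource lacks; the comparison is case sensitive."""
    return sorted(set(required_tag_keys) - user_tag_keys(tags))


def evaluate_tag_keys(tags, required_tag_keys=None):
    """Return PASSED or FAILED following the controls' stated rules.

    - no requiredTagKeys: PASSED if at least one non-system tag exists
    - requiredTagKeys given: PASSED only if every listed key is present
    """
    required = list(required_tag_keys or [])
    if len(required) > MAX_REQUIRED_KEYS:
        raise ValueError(f"requiredTagKeys accepts at most {MAX_REQUIRED_KEYS} keys")
    if not user_tag_keys(tags):
        return "FAILED"            # untagged, or carrying only aws:* system tags
    if required and missing_tag_keys(tags, required):
        return "FAILED"
    return "PASSED"


# Constructed samples
STACK_TAGS = [  # CloudFormation stack, list shape: one system tag, one user tag
    {"Key": "aws:cloudformation:stack-name", "Value": "payments"},
    {"Key": "Owner", "Value": "platform-team"},
]
BATCH_COMPUTE_TAGS = {"owner": "platform-team", "CostCenter": "1234"}  # map shape
REQUIRED = ["Owner", "CostCenter"]

if __name__ == "__main__":
    for name, tags in (("stack", STACK_TAGS), ("batch", BATCH_COMPUTE_TAGS)):
        print(name, evaluate_tag_keys(tags, REQUIRED), "missing:", missing_tag_keys(tags, REQUIRED))
```

Note that `owner` on the Batch sample does not satisfy the required key `Owner`, which is exactly the case-sensitivity pitfall the parameter tables above call out.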

### Remediation


To add tags to a CloudFormation stack, see [CreateStack](https://docs.amazonaws.cn/AWSCloudFormation/latest/APIReference/API_CreateStack.html) in the *Amazon CloudFormation API Reference*.

## [CloudFormation.3] CloudFormation stacks should have termination protection enabled


**Category:** Protect > Data Protection > Data deletion protection

**Severity:** Medium

**Resource type:** `AWS::CloudFormation::Stack`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/cloudformation-termination-protection-check.html](https://docs.amazonaws.cn/config/latest/developerguide/cloudformation-termination-protection-check.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether an Amazon CloudFormation stack has termination protection enabled. The control fails if termination protection is not enabled on a CloudFormation stack.

CloudFormation helps to manage related resources as a single unit called a stack. You can prevent a stack from being accidentally deleted by enabling termination protection on the stack. If a user attempts to delete a stack with termination protection enabled, the deletion fails and the stack, including its status, remains unchanged. You can set termination protection on a stack with any status except `DELETE_IN_PROGRESS` or `DELETE_COMPLETE`.

**Note**  
Enabling or disabling termination protection on a stack passes the same choice on to any nested stacks belonging to that stack as well. You can't enable or disable termination protection directly on a nested stack. You can't directly delete a nested stack belonging to a stack that has termination protection enabled. If NESTED is displayed next to the stack name, the stack is a nested stack. You can only change termination protection on the root stack to which the nested stack belongs.

### Remediation


To enable termination protection on a CloudFormation stack, see [Protect CloudFormation stacks from being deleted](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/using-cfn-protect-stacks.html) in the *Amazon CloudFormation User Guide*.

## [CloudFormation.4] CloudFormation stacks should have associated service roles


**Category:** Detect > Secure access management

**Severity:** Medium

**Resource type:** `AWS::CloudFormation::Stack`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/cloudformation-stack-service-role-check.html](https://docs.amazonaws.cn/config/latest/developerguide/cloudformation-stack-service-role-check.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether an Amazon CloudFormation stack has a service role associated with it. The control fails for a CloudFormation stack if no service role is associated with it.

The control also generates a FAILED finding for an Amazon CloudFormation stack created by service-managed StackSets, because no service role is associated with such a stack. Service-managed StackSets use execution roles through Amazon Organizations trusted access integration, and because of how they authenticate, the `roleARN` field cannot be populated for these stacks.

Using service roles with CloudFormation stacks helps implement least privilege access by separating permissions between the user who creates/updates stacks and the permissions needed by CloudFormation to create/update resources. This reduces the risk of privilege escalation and helps maintain security boundaries between different operational roles.

**Note**  
It is not possible to remove a service role attached to a stack after the stack is created. Other users that have permissions to perform operations on this stack are able to use this role, regardless of whether those users have the `iam:PassRole` permission or not. If the role includes permissions that the user shouldn't have, you can unintentionally escalate a user's permissions. Ensure that the role grants least privilege.

### Remediation


To associate a service role with a CloudFormation stack, see [CloudFormation service role](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/using-iam-servicerole.html) in the *Amazon CloudFormation User Guide*.

# Security Hub CSPM controls for Amazon CloudFront

These Amazon Security Hub CSPM controls evaluate the Amazon CloudFront service and resources. The controls might not be available in all Amazon Web Services Regions. For more information, see [Availability of controls by Region](securityhub-regions.md#securityhub-regions-control-support).

## [CloudFront.1] CloudFront distributions should have a default root object configured


**Related requirements:** NIST.800-53.r5 SC-7(11), NIST.800-53.r5 SC-7(16), PCI DSS v4.0.1/2.2.6

**Category:** Protect > Secure access management > Resources not publicly accessible

**Severity:** High

**Resource type:** `AWS::CloudFront::Distribution`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/cloudfront-default-root-object-configured.html](https://docs.amazonaws.cn/config/latest/developerguide/cloudfront-default-root-object-configured.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether an Amazon CloudFront distribution with S3 origins is configured to return a specific object that is the default root object. The control fails if the CloudFront distribution uses S3 origins and doesn't have a default root object configured. This control doesn't apply to CloudFront distributions that use custom origins.

A user might sometimes request the distribution's root URL instead of an object in the distribution. When this happens, specifying a default root object can help you to avoid exposing the contents of your web distribution.

### Remediation


To configure a default root object for a CloudFront distribution, see [How to specify a default root object](https://docs.amazonaws.cn/AmazonCloudFront/latest/DeveloperGuide/DefaultRootObject.html#DefaultRootObjectHowToDefine) in the *Amazon CloudFront Developer Guide*.

## [CloudFront.3] CloudFront distributions should require encryption in transit


**Related requirements:** NIST.800-53.r5 AC-17(2), NIST.800-53.r5 AC-4, NIST.800-53.r5 IA-5(1), NIST.800-53.r5 SC-12(3), NIST.800-53.r5 SC-13, NIST.800-53.r5 SC-23, NIST.800-53.r5 SC-23(3), NIST.800-53.r5 SC-7(4), NIST.800-53.r5 SC-8, NIST.800-53.r5 SC-8(1), NIST.800-53.r5 SC-8(2), NIST.800-53.r5 SI-7(6), PCI DSS v4.0.1/4.2.1

**Category:** Protect > Data Protection > Encryption of data-in-transit

**Severity:** Medium

**Resource type:** `AWS::CloudFront::Distribution`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/cloudfront-viewer-policy-https.html](https://docs.amazonaws.cn/config/latest/developerguide/cloudfront-viewer-policy-https.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether an Amazon CloudFront distribution requires viewers to use HTTPS directly or whether it uses redirection. The control fails if `ViewerProtocolPolicy` is set to `allow-all` for `defaultCacheBehavior` or for `cacheBehaviors`.

HTTPS (TLS) can be used to help prevent potential attackers from using person-in-the-middle or similar attacks to eavesdrop on or manipulate network traffic. Only encrypted connections over HTTPS (TLS) should be allowed. Encrypting data in transit can affect performance. You should test your application with this feature to understand the performance profile and the impact of TLS.

### Remediation


To encrypt a CloudFront distribution in transit, see [Requiring HTTPS for communication between viewers and CloudFront](https://docs.amazonaws.cn/AmazonCloudFront/latest/DeveloperGuide/using-https-viewers-to-cloudfront.html) in the *Amazon CloudFront Developer Guide*.

## [CloudFront.4] CloudFront distributions should have origin failover configured


**Related requirements:** NIST.800-53.r5 CP-10, NIST.800-53.r5 SC-36, NIST.800-53.r5 SC-5(2), NIST.800-53.r5 SI-13(5)

**Category:** Recover > Resilience > High availability

**Severity:** Low

**Resource type:** `AWS::CloudFront::Distribution`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/cloudfront-origin-failover-enabled.html](https://docs.amazonaws.cn/config/latest/developerguide/cloudfront-origin-failover-enabled.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether an Amazon CloudFront distribution is configured with an origin group that has two or more origins.

CloudFront origin failover can increase availability. Origin failover automatically redirects traffic to a secondary origin if the primary origin is unavailable or if it returns specific HTTP response status codes.

### Remediation


To configure origin failover for a CloudFront distribution, see [Creating an origin group](https://docs.amazonaws.cn/AmazonCloudFront/latest/DeveloperGuide/high_availability_origin_failover.html#concept_origin_groups.creating) in the *Amazon CloudFront Developer Guide*.

## [CloudFront.5] CloudFront distributions should have logging enabled


**Related requirements:** NIST.800-53.r5 AC-2(4), NIST.800-53.r5 AC-4(26), NIST.800-53.r5 AC-6(9), NIST.800-53.r5 AU-10, NIST.800-53.r5 AU-12, NIST.800-53.r5 AU-2, NIST.800-53.r5 AU-3, NIST.800-53.r5 AU-6(3), NIST.800-53.r5 AU-6(4), NIST.800-53.r5 CA-7, NIST.800-53.r5 SC-7(9), NIST.800-53.r5 SI-3(8), NIST.800-53.r5 SI-4(20), NIST.800-53.r5 SI-7(8), PCI DSS v4.0.1/10.4.2

**Category:** Identify > Logging

**Severity:** Medium

**Resource type:** `AWS::CloudFront::Distribution`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/cloudfront-accesslogs-enabled.html](https://docs.amazonaws.cn/config/latest/developerguide/cloudfront-accesslogs-enabled.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether server access logging is enabled on CloudFront distributions. The control fails if access logging is not enabled for a distribution. This control only evaluates whether standard logging (legacy) is enabled for a distribution.

CloudFront access logs provide detailed information about every user request that CloudFront receives. Each log contains information such as the date and time the request was received, the IP address of the viewer that made the request, the source of the request, and the port number of the request from the viewer. These logs are useful for applications such as security and access audits and forensics investigation. For more information about analyzing access logs, see [Query Amazon CloudFront logs](https://docs.amazonaws.cn/athena/latest/ug/cloudfront-logs.html) in the *Amazon Athena User Guide*.

### Remediation


To configure standard logging (legacy) for a CloudFront distribution, see [Configure standard logging (legacy)](https://docs.amazonaws.cn/AmazonCloudFront/latest/DeveloperGuide/standard-logging-legacy-s3.html) in the *Amazon CloudFront Developer Guide*.

## [CloudFront.6] CloudFront distributions should have WAF enabled


**Related requirements:** NIST.800-53.r5 AC-4(21), PCI DSS v4.0.1/6.4.2

**Category:** Protect > Protective services

**Severity:** Medium

**Resource type:** `AWS::CloudFront::Distribution`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/cloudfront-associated-with-waf.html](https://docs.amazonaws.cn/config/latest/developerguide/cloudfront-associated-with-waf.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether CloudFront distributions are associated with either Amazon WAF Classic or Amazon WAF web ACLs. The control fails if the distribution is not associated with a web ACL.

Amazon WAF is a web application firewall that helps protect web applications and APIs from attacks. It allows you to configure a set of rules, called a web access control list (web ACL), that allow, block, or count web requests based on customizable web security rules and conditions that you define. Ensure your CloudFront distribution is associated with an Amazon WAF web ACL to help protect it from malicious attacks.

### Remediation


To associate an Amazon WAF web ACL with a CloudFront distribution, see [Using Amazon WAF to control access to your content](https://docs.amazonaws.cn/AmazonCloudFront/latest/DeveloperGuide/distribution-web-awswaf.html) in the *Amazon CloudFront Developer Guide*.

## [CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates


**Related requirements:** NIST.800-53.r5 AC-17(2), NIST.800-53.r5 AC-4, NIST.800-53.r5 IA-5(1), NIST.800-53.r5 SC-12(3), NIST.800-53.r5 SC-13, NIST.800-53.r5 SC-23, NIST.800-53.r5 SC-23(3), NIST.800-53.r5 SC-7(4), NIST.800-53.r5 SC-8, NIST.800-53.r5 SC-8(1), NIST.800-53.r5 SC-8(2), NIST.800-53.r5 SI-7(6), NIST.800-171.r2 3.13.15

**Category:** Protect > Data Protection > Encryption of data-in-transit

**Severity:** Low

**Resource type:** `AWS::CloudFront::Distribution`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/cloudfront-custom-ssl-certificate.html](https://docs.amazonaws.cn/config/latest/developerguide/cloudfront-custom-ssl-certificate.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether CloudFront distributions are using the default SSL/TLS certificate CloudFront provides. This control passes if the CloudFront distribution uses a custom SSL/TLS certificate. This control fails if the CloudFront distribution uses the default SSL/TLS certificate.

Custom SSL/TLS certificates allow your users to access content by using alternate domain names. You can store custom certificates in Amazon Certificate Manager (recommended), or in IAM.

### Remediation


To add an alternate domain name for a CloudFront distribution using a custom SSL/TLS certificate, see [Adding an alternate domain name](https://docs.amazonaws.cn/AmazonCloudFront/latest/DeveloperGuide/CNAMEs.html#CreatingCNAME) in the *Amazon CloudFront Developer Guide*.

## [CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests


**Related requirements:** NIST.800-53.r5 CA-9(1), NIST.800-53.r5 CM-2

**Category:** Protect > Secure network configuration

**Severity:** Low

**Resource type:** `AWS::CloudFront::Distribution`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/cloudfront-sni-enabled.html](https://docs.amazonaws.cn/config/latest/developerguide/cloudfront-sni-enabled.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks if Amazon CloudFront distributions are using a custom SSL/TLS certificate and are configured to use SNI to serve HTTPS requests. This control fails if a custom SSL/TLS certificate is associated but the SSL/TLS support method is a dedicated IP address.

Server Name Indication (SNI) is an extension to the TLS protocol that is supported by browsers and clients released after 2010. If you configure CloudFront to serve HTTPS requests using SNI, CloudFront associates your alternate domain name with an IP address for each edge location. When a viewer submits an HTTPS request for your content, DNS routes the request to the IP address for the correct edge location. The IP address for your domain name is determined during the SSL/TLS handshake negotiation; the IP address isn't dedicated to your distribution.

### Remediation


To configure a CloudFront distribution to use SNI to serve HTTPS requests, see [Using SNI to Serve HTTPS Requests (works for Most Clients)](https://docs.amazonaws.cn/AmazonCloudFront/latest/DeveloperGuide/cnames-https-dedicated-ip-or-sni.html#cnames-https-sni) in the *Amazon CloudFront Developer Guide*. For information about custom SSL certificates, see [Requirements for using SSL/TLS certificates with CloudFront](https://docs.amazonaws.cn/AmazonCloudFront/latest/DeveloperGuide/cnames-and-https-requirements.html) in the same guide.

## [CloudFront.9] CloudFront distributions should encrypt traffic to custom origins


**Related requirements:** NIST.800-53.r5 AC-17(2), NIST.800-53.r5 AC-4, NIST.800-53.r5 IA-5(1), NIST.800-53.r5 SC-12(3), NIST.800-53.r5 SC-13, NIST.800-53.r5 SC-23, NIST.800-53.r5 SC-23(3), NIST.800-53.r5 SC-7(4), NIST.800-53.r5 SC-8, NIST.800-53.r5 SC-8(1), NIST.800-53.r5 SC-8(2), NIST.800-53.r5 SI-7(6), PCI DSS v4.0.1/4.2.1

**Category:** Protect > Data Protection > Encryption of data-in-transit

**Severity:** Medium

**Resource type:** `AWS::CloudFront::Distribution`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/cloudfront-traffic-to-origin-encrypted.html](https://docs.amazonaws.cn/config/latest/developerguide/cloudfront-traffic-to-origin-encrypted.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks if Amazon CloudFront distributions are encrypting traffic to custom origins. This control fails for a CloudFront distribution whose origin protocol policy allows `http-only`. This control also fails if the distribution's origin protocol policy is `match-viewer` while the viewer protocol policy is `allow-all`.

HTTPS (TLS) can be used to help prevent eavesdropping or manipulation of network traffic. Only encrypted connections over HTTPS (TLS) should be allowed. 

### Remediation


To update the Origin Protocol Policy to require encryption for a CloudFront connection, see [Requiring HTTPS for communication between CloudFront and your custom origin](https://docs.amazonaws.cn/AmazonCloudFront/latest/DeveloperGuide/using-https-cloudfront-to-custom-origin.html) in the *Amazon CloudFront Developer Guide*.

## [CloudFront.10] CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins


**Related requirements:** NIST.800-53.r5 AC-17(2), NIST.800-53.r5 AC-4, NIST.800-53.r5 IA-5(1), NIST.800-53.r5 SC-12(3), NIST.800-53.r5 SC-13, NIST.800-53.r5 SC-23, NIST.800-53.r5 SC-7(4), NIST.800-53.r5 SC-8, NIST.800-53.r5 SC-8(1), NIST.800-53.r5 SC-8(2), NIST.800-53.r5 SI-7(6), NIST.800-171.r2 3.13.15, PCI DSS v4.0.1/4.2.1

**Category:** Protect > Data Protection > Encryption of data-in-transit

**Severity:** Medium

**Resource type:** `AWS::CloudFront::Distribution`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/cloudfront-no-deprecated-ssl-protocols.html](https://docs.amazonaws.cn/config/latest/developerguide/cloudfront-no-deprecated-ssl-protocols.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks if Amazon CloudFront distributions are using deprecated SSL protocols for HTTPS communication between CloudFront edge locations and your custom origins. This control fails if a CloudFront distribution has a `CustomOriginConfig` where `OriginSslProtocols` includes `SSLv3`.

In 2015, the Internet Engineering Task Force (IETF) formally deprecated SSL 3.0 (RFC 7568) because the protocol is insufficiently secure. We recommend that you use TLSv1.2 or later for HTTPS communication to your custom origins, which means removing `SSLv3` from the origin SSL protocols; where your origins support it, also drop `TLSv1` and `TLSv1.1`, which are not checked by this control but are likewise obsolete.

### Remediation


To update the Origin SSL Protocols for a CloudFront distribution, see [Requiring HTTPS for communication between CloudFront and your custom origin](https://docs.amazonaws.cn//AmazonCloudFront/latest/DeveloperGuide/using-https-cloudfront-to-custom-origin.html) in the *Amazon CloudFront Developer Guide*.

## [CloudFront.12] CloudFront distributions should not point to non-existent S3 origins


**Related requirements:** NIST.800-53.r5 CM-2, NIST.800-53.r5 CM-2(2), PCI DSS v4.0.1/2.2.6

**Category:** Identify > Resource configuration

**Severity:** High

**Resource type:** `AWS::CloudFront::Distribution`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/cloudfront-s3-origin-non-existent-bucket.html](https://docs.amazonaws.cn/config/latest/developerguide/cloudfront-s3-origin-non-existent-bucket.html)

**Schedule type:** Periodic

**Parameters:** None

This control checks whether Amazon CloudFront distributions are pointing to non-existent Amazon S3 origins. The control fails for a CloudFront distribution if the origin is configured to point to a non-existent bucket. This control only applies to CloudFront distributions where an S3 bucket without static website hosting is the S3 origin.

When a CloudFront distribution in your account is configured to point to a non-existent bucket, a malicious third party can create the referenced bucket and serve their own content through your distribution. We recommend checking all origins regardless of routing behavior to ensure that your distributions are pointing to appropriate origins. 

### Remediation


To modify a CloudFront distribution to point to a new origin, see [Updating a distribution](https://docs.amazonaws.cn/AmazonCloudFront/latest/DeveloperGuide/HowToUpdateDistribution.html) in the *Amazon CloudFront Developer Guide*.

## [CloudFront.13] CloudFront distributions should use origin access control


**Category:** Protect > Secure access management > Resource not publicly accessible

**Severity:** Medium

**Resource type:** `AWS::CloudFront::Distribution`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/cloudfront-s3-origin-access-control-enabled.html](https://docs.amazonaws.cn/config/latest/developerguide/cloudfront-s3-origin-access-control-enabled.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether an Amazon CloudFront distribution with an Amazon S3 origin has origin access control (OAC) configured. The control fails if OAC isn't configured for the CloudFront distribution.

When using an S3 bucket as an origin for your CloudFront distribution, you can enable OAC. This permits access to the content in the bucket only through the specified CloudFront distribution, and prohibits access directly from the bucket or another distribution. Note that OAC only signs CloudFront's requests to the bucket; it is the bucket policy that denies everyone else, so the policy should grant `s3:GetObject` to the `cloudfront.amazonaws.com` service principal alone and scope that grant to the distribution's ARN with an `aws:SourceArn` condition. Although CloudFront supports Origin Access Identity (OAI), OAC offers additional functionality, and distributions using OAI can migrate to OAC. While OAI provides a secure way to access S3 origins, it has limitations, such as lack of support for granular policy configurations and for HTTP/HTTPS requests that use the POST method in Amazon Web Services Regions that require Amazon Signature Version 4 (SigV4). OAI also doesn't support encryption with Amazon Key Management Service. OAC is based on an Amazon best practice of using IAM service principals to authenticate with S3 origins. 

### Remediation


To configure OAC for a CloudFront distribution with S3 origins, see [ Restricting access to an Amazon S3 origin](https://docs.amazonaws.cn/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html) in the *Amazon CloudFront Developer Guide*.

## [CloudFront.14] CloudFront distributions should be tagged


**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `AWS::CloudFront::Distribution`

**Amazon Config rule:** `tagged-cloudfront-distribution` (custom Security Hub CSPM rule)

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  requiredTagKeys  | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive.  | StringList (maximum of 6 items)  | 1–6 tag keys that meet [Amazon requirements](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-conventions).  | No default value  | 

This control checks whether an Amazon CloudFront distribution has tags with the specific keys defined in the parameter `requiredTagKeys`. The control fails if the distribution doesn’t have any tag keys or if it doesn’t have all the keys specified in the parameter `requiredTagKeys`. If the parameter `requiredTagKeys` isn't provided, the control only checks for the existence of a tag key and fails if the distribution isn't tagged with any key. System tags, which are automatically applied and begin with `aws:`, are ignored.

A tag is a label that you assign to an Amazon resource, and it consists of a key and an optional value. You can create tags to categorize resources by purpose, owner, environment, or other criteria. Tags can help you identify, organize, search for, and filter resources. Tagging also helps you track accountable resource owners for actions and notifications. When you use tagging, you can implement attribute-based access control (ABAC) as an authorization strategy, which defines permissions based on tags. You can attach tags to IAM entities (users or roles) and to Amazon resources. You can create a single ABAC policy or a separate set of policies for your IAM principals. You can design these ABAC policies to allow operations when the principal's tag matches the resource tag. For more information, see [What is ABAC for Amazon?](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*.

**Note**  
Don’t add personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible to many Amazon Web Services services, including Amazon Billing. For more tagging best practices, see [Tagging your Amazon resources](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-best-practices) in the *Amazon Web Services General Reference*.

### Remediation


To add tags to a CloudFront distribution, see [Tagging Amazon CloudFront distributions](https://docs.amazonaws.cn/AmazonCloudFront/latest/DeveloperGuide/tagging.html) in the *Amazon CloudFront Developer Guide*.

## [CloudFront.15] CloudFront distributions should use the recommended TLS security policy


**Category:** Protect > Data Protection > Encryption of data-in-transit

**Severity:** Medium

**Resource type:** `AWS::CloudFront::Distribution`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/cloudfront-ssl-policy-check.html](https://docs.amazonaws.cn/config/latest/developerguide/cloudfront-ssl-policy-check.html)

**Schedule type:** Change triggered

**Parameters:** `securityPolicies`: `TLSv1.2_2021,TLSv1.2_2025,TLSv1.3_2025` (not customizable)

This control checks whether an Amazon CloudFront distribution is configured to use a recommended TLS security policy. The control fails if the CloudFront distribution is not configured to use a recommended TLS security policy.

If you configure an Amazon CloudFront distribution to require viewers to use HTTPS to access content, you have to choose a security policy and specify the minimum SSL/TLS protocol version to use. This determines which protocol version CloudFront uses to communicate with viewers, and the ciphers that CloudFront uses to encrypt the communications. We recommend using the latest security policy that CloudFront provides. This ensures that CloudFront uses the latest cipher suites to encrypt data in transit between a viewer and a CloudFront distribution.

**Note**  
This control generates findings only for CloudFront distributions that are configured to use custom SSL certificates and are not configured to support legacy clients.

### Remediation


For information about configuring the security policy for a CloudFront distribution, see [Update a distribution](https://docs.amazonaws.cn/AmazonCloudFront/latest/DeveloperGuide/HowToUpdateDistribution.html) in the *Amazon CloudFront Developer Guide*. When you configure the security policy for a distribution, choose the latest security policy.
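The three TLS checks in this section (CloudFront.9, CloudFront.10 and CloudFront.15) can be reproduced offline against a distribution's configuration, which is useful for gating a deployment before Security Hub CSPM's change-triggered evaluation runs. The following Python is an added example, not the managed Config rules or any Security Hub code. It reads the `DistributionConfig` dictionary that boto3's `get_distribution_config()` returns; the sample configuration is constructed, and two interpretations are assumptions rather than documented behaviour: the `allow-all` viewer check is applied to every cache behavior, not only the default one, and "legacy clients" in the CloudFront.15 note is taken to mean an `SSLSupportMethod` of `vip`.

```python
"""Offline evaluator for CloudFront.9, CloudFront.10 and CloudFront.15.

Input: the DistributionConfig dict from
cloudfront.get_distribution_config()["DistributionConfig"].
Output: {control_id: [(resource, reason), ...]} for failing controls only.
"""

# Taken from the CloudFront.15 parameter list on this page.
RECOMMENDED_SECURITY_POLICIES = {"TLSv1.2_2021", "TLSv1.2_2025", "TLSv1.3_2025"}


def _behaviors(cfg):
    """Yield the default cache behavior followed by any additional ones."""
    yield cfg["DefaultCacheBehavior"]
    yield from cfg.get("CacheBehaviors", {}).get("Items", [])


def check_origin_encryption(cfg):
    """CloudFront.9: custom origins must not be reachable over plaintext.

    'http-only' always fails. 'match-viewer' fails only when some cache
    behavior still admits plaintext viewers ('allow-all'); which behaviors the
    managed rule inspects is not stated on the page, so all are checked (assumption).
    """
    plaintext_viewers = any(b.get("ViewerProtocolPolicy") == "allow-all" for b in _behaviors(cfg))
    failures = []
    for origin in cfg["Origins"]["Items"]:
        custom = origin.get("CustomOriginConfig")
        if not custom:
            continue  # S3 REST origins are out of scope for this control
        policy = custom["OriginProtocolPolicy"]
        if policy == "http-only":
            failures.append((origin["Id"], "origin protocol policy is http-only"))
        elif policy == "match-viewer" and plaintext_viewers:
            failures.append((origin["Id"], "match-viewer with a viewer policy of allow-all"))
    return failures


def check_deprecated_origin_ssl(cfg):
    """CloudFront.10: no custom origin may list SSLv3 in OriginSslProtocols."""
    return [
        (o["Id"], "OriginSslProtocols includes SSLv3")
        for o in cfg["Origins"]["Items"]
        if "SSLv3" in o.get("CustomOriginConfig", {}).get("OriginSslProtocols", {}).get("Items", [])
    ]


def check_viewer_security_policy(cfg):
    """CloudFront.15: viewer-facing TLS policy must be one of the recommended ones.

    Per the control's note, distributions on the default certificate or
    configured for legacy clients are not evaluated. Mapping 'legacy clients'
    to SSLSupportMethod == 'vip' is an assumption.
    """
    cert = cfg["ViewerCertificate"]
    if cert.get("CloudFrontDefaultCertificate") or cert.get("SSLSupportMethod") == "vip":
        return []  # out of scope: no finding either way
    policy = cert.get("MinimumProtocolVersion")
    if policy in RECOMMENDED_SECURITY_POLICIES:
        return []
    return [("ViewerCertificate", f"security policy {policy} is not a recommended policy")]


def evaluate_tls(cfg):
    results = {
        "CloudFront.9": check_origin_encryption(cfg),
        "CloudFront.10": check_deprecated_origin_ssl(cfg),
        "CloudFront.15": check_viewer_security_policy(cfg),
    }
    return {k: v for k, v in results.items() if v}


# Constructed sample: one compliant origin, one origin that fails both origin
# controls, and a custom certificate left on an outdated security policy.
SAMPLE_CONFIG = {
    "Origins": {"Quantity": 2, "Items": [
        {"Id": "api", "DomainName": "api.example.com",
         "CustomOriginConfig": {"OriginProtocolPolicy": "https-only",
                                "OriginSslProtocols": {"Quantity": 1, "Items": ["TLSv1.2"]}}},
        {"Id": "legacy", "DomainName": "legacy.example.com",
         "CustomOriginConfig": {"OriginProtocolPolicy": "match-viewer",
                                "OriginSslProtocols": {"Quantity": 2, "Items": ["SSLv3", "TLSv1"]}}},
    ]},
    "DefaultCacheBehavior": {"ViewerProtocolPolicy": "redirect-to-https"},
    "CacheBehaviors": {"Quantity": 1, "Items": [
        {"PathPattern": "/legacy/*", "ViewerProtocolPolicy": "allow-all"}]},
    "ViewerCertificate": {"CloudFrontDefaultCertificate": False, "SSLSupportMethod": "sni-only",
                          "MinimumProtocolVersion": "TLSv1.1_2016"},
}

if __name__ == "__main__":
    for control, findings in evaluate_tls(SAMPLE_CONFIG).items():
        for resource, reason in findings:
            print(f"FAILED {control}: {resource}: {reason}")
```

Running the sample reports the `legacy` origin under both CloudFront.9 (the `/legacy/*` behavior admits plaintext viewers, so `match-viewer` is unsafe) and CloudFront.10, and the certificate under CloudFront.15. Setting the `/legacy/*` behavior to `redirect-to-https` makes `match-viewer` pass CloudFront.9, which is exactly the coupling the control text describes.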

## [CloudFront.16] CloudFront distributions should use origin access control for Lambda function URL origins


**Category:** Protect > Secure access management > Access control

**Severity:** Medium

**Resource type:** `AWS::CloudFront::Distribution`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/cloudfront-origin-lambda-url-oac-enabled.html](https://docs.amazonaws.cn/config/latest/developerguide/cloudfront-origin-lambda-url-oac-enabled.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether an Amazon CloudFront distribution with an Amazon Lambda function URL as an origin has origin access control (OAC) enabled. The control fails if the CloudFront distribution has a Lambda function URL as an origin and OAC isn't enabled.

An Amazon Lambda function URL is a dedicated HTTPS endpoint for a Lambda function. If a Lambda function URL is the origin for a CloudFront distribution and no OAC is configured, the function URL must accept unauthenticated requests so that CloudFront can reach it, which means anyone who discovers the URL can invoke the function directly and bypass whatever the distribution enforces (WAF rules, geo restrictions, caching, signed URLs). Therefore, as a security best practice, you should create an OAC and add it to the Lambda function URL origin in a distribution. OAC uses IAM service principals to authenticate requests between CloudFront and the function URL, so the function URL can require IAM authentication. It also supports the use of resource-based policies to allow invocation of a function only if a request is on behalf of a CloudFront distribution specified in the policy.

### Remediation


For information about configuring OAC for an Amazon CloudFront distribution that uses a Lambda function URL as an origin, see [Restrict access to an Amazon Lambda function URL origin](https://docs.amazonaws.cn/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-lambda.html) in the *Amazon CloudFront Developer Guide*.

## [CloudFront.17] CloudFront distributions should use trusted key groups for signed URLs and cookies


**Category:** Protect > Secure access management > Access control

**Severity:** Medium

**Resource type:** `AWS::CloudFront::Distribution`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/cloudfront-distribution-key-group-enabled.html](https://docs.amazonaws.cn/config/latest/developerguide/cloudfront-distribution-key-group-enabled.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether an Amazon CloudFront distribution is configured to use trusted key groups for signed URL or signed cookie authentication. The control fails if the CloudFront distribution uses trusted signers, or if the distribution has no authentication configured.

To use signed URLs or signed cookies, you need a signer. A signer is either a trusted key group that you create in CloudFront, or an Amazon account that contains a CloudFront key pair. We recommend that you use trusted key groups because with CloudFront key groups, you don't need to use the Amazon account root user to manage the public keys for CloudFront signed URLs and signed cookies.

**Note**  
This control does not evaluate multi-tenant CloudFront distributions (`connectionMode=tenant-only`).

### Remediation


For information about using trusted key groups with signed URLs and cookies, see [Using trusted key groups](https://docs.amazonaws.cn/AmazonCloudFront/latest/DeveloperGuide/PrivateContent.html) in the *Amazon CloudFront Developer Guide*.
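The four origin-access checks in this section (CloudFront.12, CloudFront.13, CloudFront.16 and CloudFront.17) all read the same distribution configuration, so one evaluator covers them. The following Python is an added example, not the managed Config rules or any Security Hub code. It works on the `DistributionConfig` dictionary that boto3's `get_distribution_config()` returns; the bucket-existence lookup is injected as a callable so the code runs offline (in production, wrap `s3.head_bucket()`), the hostname patterns for S3 REST endpoints and Lambda function URLs are assumptions based on their documented formats, the sample configuration and its IDs are constructed, and evaluating CloudFront.17 per cache behavior is an interpretation of the control text, which speaks of the distribution as a whole.

```python
"""Offline evaluator for CloudFront.12, .13, .16 and .17.

Input: the DistributionConfig dict from get_distribution_config(), plus a
bucket_exists(name) -> bool callable for the dangling-origin check.
"""
import re

# Lambda function URL hosts: <url-id>.lambda-url.<region>.on.aws (assumed pattern).
LAMBDA_URL_HOST = re.compile(r"\.lambda-url\.[a-z0-9-]+\.on\.aws$")
# S3 REST endpoint hosts: <bucket>.s3[.<region>|.dualstack.<region>].amazonaws.com[.cn]
S3_REST_HOST = re.compile(r"^(?P<bucket>[a-z0-9.-]+)\.s3(?:[.-][a-z0-9-]+)*\.amazonaws\.com(?:\.cn)?$")


def _behaviors(cfg):
    """Yield (label, behavior) for the default and each additional cache behavior."""
    yield "default", cfg["DefaultCacheBehavior"]
    for b in cfg.get("CacheBehaviors", {}).get("Items", []):
        yield b["PathPattern"], b


def check_dangling_s3_origins(cfg, bucket_exists):
    """CloudFront.12: S3 (non-website) origins whose bucket no longer exists.

    A missing bucket can be created by anyone, who then serves content under
    this distribution's hostname, so treat it like a subdomain takeover.
    """
    failures = []
    for o in cfg["Origins"]["Items"]:
        if "S3OriginConfig" not in o:
            continue  # website endpoints are custom origins and out of scope
        m = S3_REST_HOST.match(o["DomainName"])
        bucket = m.group("bucket") if m else o["DomainName"]
        if not bucket_exists(bucket):
            failures.append((o["Id"], f"bucket {bucket} does not exist"))
    return failures


def check_s3_origin_access_control(cfg):
    """CloudFront.13: every S3 origin must carry an OAC; a legacy OAI does not count."""
    failures = []
    for o in cfg["Origins"]["Items"]:
        if "S3OriginConfig" in o and not o.get("OriginAccessControlId"):
            how = "legacy OAI only" if o["S3OriginConfig"].get("OriginAccessIdentity") else "no OAC"
            failures.append((o["Id"], how))
    return failures


def check_lambda_url_origin_access_control(cfg):
    """CloudFront.16: Lambda function URL origins must carry an OAC."""
    return [
        (o["Id"], "Lambda function URL origin without OAC")
        for o in cfg["Origins"]["Items"]
        if "CustomOriginConfig" in o
        and LAMBDA_URL_HOST.search(o["DomainName"])
        and not o.get("OriginAccessControlId")
    ]


def check_trusted_key_groups(cfg):
    """CloudFront.17: signed URLs/cookies must use key groups, not trusted signers.

    Checked per cache behavior (assumption). Multi-tenant distributions are
    skipped, as the control's note says.
    """
    if cfg.get("ConnectionMode") == "tenant-only":
        return []
    failures = []
    for label, b in _behaviors(cfg):
        if b.get("TrustedSigners", {}).get("Enabled"):
            failures.append((label, "uses trusted signers (account key pairs)"))
        elif not b.get("TrustedKeyGroups", {}).get("Enabled"):
            failures.append((label, "no signed URL/cookie authentication configured"))
    return failures


def evaluate_origin_access(cfg, bucket_exists):
    results = {
        "CloudFront.12": check_dangling_s3_origins(cfg, bucket_exists),
        "CloudFront.13": check_s3_origin_access_control(cfg),
        "CloudFront.16": check_lambda_url_origin_access_control(cfg),
        "CloudFront.17": check_trusted_key_groups(cfg),
    }
    return {k: v for k, v in results.items() if v}


# Constructed sample; bucket names, IDs and hostnames are made up.
EXISTING_BUCKETS = {"assets-prod"}
SAMPLE_CONFIG = {
    "ConnectionMode": "direct",
    "Origins": {"Quantity": 3, "Items": [
        {"Id": "assets", "DomainName": "assets-prod.s3.us-east-1.amazonaws.com",
         "OriginAccessControlId": "E2EXAMPLEOAC", "S3OriginConfig": {"OriginAccessIdentity": ""}},
        {"Id": "old-assets", "DomainName": "assets-2019.s3.amazonaws.com", "OriginAccessControlId": "",
         "S3OriginConfig": {"OriginAccessIdentity": "origin-access-identity/cloudfront/E1EXAMPLEOAI"}},
        {"Id": "api", "DomainName": "abc123.lambda-url.us-east-1.on.aws", "OriginAccessControlId": "",
         "CustomOriginConfig": {"OriginProtocolPolicy": "https-only"}},
    ]},
    "DefaultCacheBehavior": {"TrustedSigners": {"Enabled": False, "Quantity": 0},
                             "TrustedKeyGroups": {"Enabled": True, "Quantity": 1, "Items": ["K1EXAMPLE"]}},
    "CacheBehaviors": {"Quantity": 1, "Items": [
        {"PathPattern": "/downloads/*",
         "TrustedSigners": {"Enabled": True, "Quantity": 1, "Items": ["self"]},
         "TrustedKeyGroups": {"Enabled": False, "Quantity": 0}}]},
}

if __name__ == "__main__":
    for control, findings in evaluate_origin_access(SAMPLE_CONFIG, EXISTING_BUCKETS.__contains__).items():
        for resource, reason in findings:
            print(f"FAILED {control}: {resource}: {reason}")
```

The `old-assets` origin illustrates the two findings that tend to travel together in older distributions: it still uses an OAI (CloudFront.13) and points at a bucket that no longer exists (CloudFront.12), which is the claimable state the control warns about. Classifying origins by the presence of `S3OriginConfig` rather than by hostname keeps S3 website endpoints, which CloudFront treats as custom origins, out of the CloudFront.12 and CloudFront.13 checks, matching the control's scope.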

# Security Hub CSPM controls for Amazon CloudTrail
Amazon CloudTrail controls

These Amazon Security Hub CSPM controls evaluate the Amazon CloudTrail service and resources. The controls might not be available in all Amazon Web Services Regions. For more information, see [Availability of controls by Region](securityhub-regions.md#securityhub-regions-control-support).

## [CloudTrail.1] CloudTrail should be enabled and configured with at least one multi-Region trail that includes read and write management events


**Related requirements:** CIS Amazon Foundations Benchmark v5.0.0/3.1, CIS Amazon Foundations Benchmark v1.2.0/2.1, CIS Amazon Foundations Benchmark v1.4.0/3.1, CIS Amazon Foundations Benchmark v3.0.0/3.1, NIST.800-53.r5 AC-2(4), NIST.800-53.r5 AC-4(26), NIST.800-53.r5 AC-6(9), NIST.800-53.r5 AU-10, NIST.800-53.r5 AU-12, NIST.800-53.r5 AU-2, NIST.800-53.r5 AU-3, NIST.800-53.r5 AU-6(3), NIST.800-53.r5 AU-6(4), NIST.800-53.r5 AU-14(1), NIST.800-53.r5 CA-7, NIST.800-53.r5 SC-7(9), NIST.800-53.r5 SI-3(8), NIST.800-53.r5 SI-4(20), NIST.800-53.r5 SI-7(8), NIST.800-53.r5 SA-8(22)

**Category:** Identify > Logging

**Severity:** High

**Resource type:** `AWS::::Account`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/multi-region-cloudtrail-enabled.html](https://docs.amazonaws.cn/config/latest/developerguide/multi-region-cloudtrail-enabled.html)

**Schedule type:** Periodic

**Parameters:**
+ `readWriteType`: `ALL` (not customizable)
+ `includeManagementEvents`: `true` (not customizable)

This control checks whether there is at least one multi-Region Amazon CloudTrail trail that captures read and write management events. The control fails if CloudTrail is disabled or if there isn't at least one CloudTrail trail that captures read and write management events.

Amazon CloudTrail records Amazon API calls for your account and delivers log files to you. Each record includes the following:
+ Identity of the API caller
+ Time of the API call
+ Source IP address of the API caller
+ Request parameters
+ Response elements returned by the Amazon Web Services service

CloudTrail provides a history of Amazon API calls for an account, including API calls made from the Amazon Web Services Management Console, Amazon SDKs, and command line tools. The history also includes API calls from higher-level Amazon Web Services services such as Amazon CloudFormation.

The Amazon API call history produced by CloudTrail enables security analysis, resource change tracking, and compliance auditing. Multi-Region trails also provide the following benefits.
+ A multi-Region trail helps to detect unexpected activity occurring in otherwise unused Regions.
+ A multi-Region trail ensures that global service event logging is enabled for a trail by default. Global service event logging records events generated by Amazon global services.
+ For a multi-Region trail, management events for all read and write operations ensure that CloudTrail records management operations on all resources in an Amazon Web Services account.

By default, CloudTrail trails that are created using the Amazon Web Services Management Console are multi-Region trails.

### Remediation


To create a new multi-Region trail in CloudTrail, see [Creating a trail](https://docs.amazonaws.cn/awscloudtrail/latest/userguide/cloudtrail-create-a-trail-using-the-console-first-time.html) in the *Amazon CloudTrail User Guide*. Use the following values:


| Field | Value | 
| --- | --- | 
|  Additional settings, Log file validation  |  Enabled  | 
|  Choose log events, Management events, API activity  |  **Read** and **Write**. Clear check boxes for exclusions.  | 

To update an existing trail, see [Updating a trail](https://docs.amazonaws.cn/awscloudtrail/latest/userguide/cloudtrail-update-a-trail-console.html) in the *Amazon CloudTrail User Guide*. In **Management events**, for **API activity**, choose **Read** and **Write**.

## [CloudTrail.2] CloudTrail should have encryption at-rest enabled


**Related requirements:** CIS Amazon Foundations Benchmark v5.0.0/3.5, CIS Amazon Foundations Benchmark v1.2.0/2.7, CIS Amazon Foundations Benchmark v1.4.0/3.7, CIS Amazon Foundations Benchmark v3.0.0/3.5, NIST.800-53.r5 AU-9, NIST.800-53.r5 CA-9(1), NIST.800-53.r5 CM-3(6), NIST.800-53.r5 SC-13, NIST.800-53.r5 SC-28, NIST.800-53.r5 SC-28(1), NIST.800-53.r5 SC-7(10), NIST.800-53.r5 SI-7(6), NIST.800-171.r2 3.3.8, PCI DSS v3.2.1/3.4, PCI DSS v4.0.1/10.3.2

**Category:** Protect > Data Protection > Encryption of data-at-rest

**Severity:** Medium

**Resource type:** `AWS::CloudTrail::Trail`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/cloud-trail-encryption-enabled.html](https://docs.amazonaws.cn/config/latest/developerguide/cloud-trail-encryption-enabled.html)

**Schedule type:** Periodic

**Parameters:** None

This control checks whether a CloudTrail trail is configured to encrypt its log files with server-side encryption using an Amazon KMS key (SSE-KMS). The control fails if the trail's `KmsKeyId` isn't defined.

For an added layer of security for your sensitive CloudTrail log files, you should use [server-side encryption with Amazon KMS keys (SSE-KMS)](https://docs.amazonaws.cn/AmazonS3/latest/dev/UsingKMSEncryption.html) for your CloudTrail log files for encryption at rest. Note that by default, the log files delivered by CloudTrail to your buckets are encrypted by [Amazon server-side encryption with Amazon S3-managed encryption keys (SSE-S3)](https://docs.amazonaws.cn/AmazonS3/latest/dev/UsingServerSideEncryption.html). 

### Remediation


To enable SSE-KMS encryption for CloudTrail log files, see [Update a trail to use a KMS key](https://docs.amazonaws.cn/awscloudtrail/latest/userguide/create-kms-key-policy-for-cloudtrail-update-trail.html#kms-key-policy-update-trail) in the *Amazon CloudTrail User Guide*.

## [CloudTrail.3] At least one CloudTrail trail should be enabled


**Related requirements:** NIST.800-171.r2 3.3.1, NIST.800-171.r2 3.14.6, NIST.800-171.r2 3.14.7, PCI DSS v3.2.1/10.1, PCI DSS v3.2.1/10.2.1, PCI DSS v3.2.1/10.2.2, PCI DSS v3.2.1/10.2.3, PCI DSS v3.2.1/10.2.4, PCI DSS v3.2.1/10.2.5, PCI DSS v3.2.1/10.2.6, PCI DSS v3.2.1/10.2.7, PCI DSS v3.2.1/10.3.1, PCI DSS v3.2.1/10.3.2, PCI DSS v3.2.1/10.3.3, PCI DSS v3.2.1/10.3.4, PCI DSS v3.2.1/10.3.5, PCI DSS v3.2.1/10.3.6, PCI DSS v4.0.1/10.2.1

**Category:** Identify > Logging

**Severity:** High

**Resource type:** `AWS::::Account`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/cloudtrail-enabled.html](https://docs.amazonaws.cn/config/latest/developerguide/cloudtrail-enabled.html)

**Schedule type:** Periodic

**Parameters:** None

This control checks whether an Amazon CloudTrail trail is enabled in your Amazon Web Services account. The control fails if your account doesn't have at least one CloudTrail trail enabled.

Note that not every Amazon service records all of its API calls and events in CloudTrail. Review the documentation for each service in [CloudTrail Supported Services and Integrations](https://docs.amazonaws.cn/awscloudtrail/latest/userguide/cloudtrail-aws-service-specific-topics.html) and add service-specific audit logging wherever CloudTrail coverage is incomplete.

### Remediation


To get started with CloudTrail and create a trail, see the [Getting started with Amazon CloudTrail tutorial](https://docs.amazonaws.cn/awscloudtrail/latest/userguide/cloudtrail-tutorial.html) in the *Amazon CloudTrail User Guide*.

## [CloudTrail.4] CloudTrail log file validation should be enabled


**Related requirements:** CIS Amazon Foundations Benchmark v5.0.0/3.2, CIS Amazon Foundations Benchmark v1.2.0/2.2, CIS Amazon Foundations Benchmark v1.4.0/3.2, CIS Amazon Foundations Benchmark v3.0.0/3.2, NIST.800-53.r5 AU-9, NIST.800-53.r5 SI-4, NIST.800-53.r5 SI-7(1), NIST.800-53.r5 SI-7(3), NIST.800-53.r5 SI-7(7), NIST.800-171.r2 3.3.8, PCI DSS v3.2.1/10.5.2, PCI DSS v3.2.1/10.5.5, PCI DSS v4.0.1/10.3.2

**Category:** Data protection > Data integrity

**Severity:** Low

**Resource type:** `AWS::CloudTrail::Trail`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/cloud-trail-log-file-validation-enabled.html](https://docs.amazonaws.cn/config/latest/developerguide/cloud-trail-log-file-validation-enabled.html)

**Schedule type:** Periodic

**Parameters:** None

This control checks whether log file integrity validation is enabled on a CloudTrail trail.

CloudTrail log file validation creates a digitally signed digest file that contains a hash of each log that CloudTrail writes to Amazon S3. You can use these digest files to determine whether a log file was changed, deleted, or unchanged after CloudTrail delivered the log.

Security Hub CSPM recommends that you enable file validation on all trails. Log file validation provides additional integrity checks of CloudTrail logs. You can verify delivered log files against their digests with the `validate-logs` command of the Amazon CLI for CloudTrail; note that validation detects tampering with or deletion of delivered files after the fact, so it complements, rather than replaces, restricting access to the log bucket (CloudTrail.6).

### Remediation


To enable CloudTrail log file validation, see [Enabling log file integrity validation for CloudTrail](https://docs.amazonaws.cn/awscloudtrail/latest/userguide/cloudtrail-log-file-validation-enabling.html) in the *Amazon CloudTrail User Guide*.

## [CloudTrail.5] CloudTrail trails should be integrated with Amazon CloudWatch Logs


**Related requirements:** CIS Amazon Foundations Benchmark v5.0.0/3.4, PCI DSS v3.2.1/10.5.3, CIS Amazon Foundations Benchmark v1.2.0/2.4, CIS Amazon Foundations Benchmark v1.4.0/3.4, NIST.800-53.r5 AC-2(4), NIST.800-53.r5 AC-4(26), NIST.800-53.r5 AC-6(9), NIST.800-53.r5 AU-10, NIST.800-53.r5 AU-12, NIST.800-53.r5 AU-2, NIST.800-53.r5 AU-3, NIST.800-53.r5 AU-6(1), NIST.800-53.r5 AU-6(3), NIST.800-53.r5 AU-6(4), NIST.800-53.r5 AU-6(5), NIST.800-53.r5 AU-7(1), NIST.800-53.r5 CA-7, NIST.800-53.r5 SC-7(9), NIST.800-53.r5 SI-20, NIST.800-53.r5 SI-3(8), NIST.800-53.r5 SI-4(20), NIST.800-53.r5 SI-4(5), NIST.800-53.r5 SI-7(8)

**Category:** Identify > Logging

**Severity:** Medium

**Resource type:** `AWS::CloudTrail::Trail`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/cloud-trail-cloud-watch-logs-enabled.html](https://docs.amazonaws.cn/config/latest/developerguide/cloud-trail-cloud-watch-logs-enabled.html)

**Schedule type:** Periodic

**Parameters:** None

This control checks whether CloudTrail trails are configured to send logs to CloudWatch Logs. The control fails if the `CloudWatchLogsLogGroupArn` property of the trail is empty.

CloudTrail records Amazon API calls that are made in a given account. The recorded information includes the following:
+ The identity of the API caller
+ The time of the API call
+ The source IP address of the API caller
+ The request parameters
+ The response elements returned by the Amazon Web Services service

CloudTrail uses Amazon S3 for log file storage and delivery. You can capture CloudTrail logs in a specified S3 bucket for long-term analysis. To perform real-time analysis, you can configure CloudTrail to send logs to CloudWatch Logs.

For a trail that is enabled in all Regions in an account, CloudTrail sends log files from all of those Regions to a CloudWatch Logs log group.

Security Hub CSPM recommends that you send CloudTrail logs to CloudWatch Logs. The intent of this recommendation is to ensure that account activity is captured, monitored, and appropriately alarmed on; CloudWatch Logs is one way to do that with native Amazon Web Services services, and the recommendation does not preclude the use of a different solution.

Sending CloudTrail logs to CloudWatch Logs facilitates real-time and historic activity logging based on user, API, resource, and IP address. You can use this approach to establish alarms and notifications for anomalous or sensitive account activity.

### Remediation


To integrate CloudTrail with CloudWatch Logs, see [Sending events to CloudWatch Logs](https://docs.amazonaws.cn/awscloudtrail/latest/userguide/send-cloudtrail-events-to-cloudwatch-logs.html) in the *Amazon CloudTrail User Guide*.
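The trail-level checks in this section (CloudTrail.1, CloudTrail.2, CloudTrail.4 and CloudTrail.5) all read attributes that `describe_trails()`, `get_trail_status()` and `get_event_selectors()` expose, so they can be evaluated in one pass. The following Python is an added example, not the managed Config rules or any Security Hub code. Each trail record merges the three boto3 responses into one dictionary (the merge, and the `IsLogging` and `EventSelectors` keys sitting beside the `describe_trails()` fields, are this example's own convention, not an API shape); trails that use advanced event selectors are treated as not matching CloudTrail.1, which is an assumption to extend for your environment; the sample trails and ARNs are constructed.

```python
"""Offline evaluator for CloudTrail.1, .2, .4 and .5 over merged trail records."""


def captures_all_management_events(trail):
    """True if a classic event selector records read and write management events.

    Trails configured with AdvancedEventSelectors are not decoded here and so
    never match (assumption).
    """
    return any(
        sel.get("IncludeManagementEvents") and sel.get("ReadWriteType") == "All"
        for sel in trail.get("EventSelectors", [])
    )


def check_multi_region_management_trail(trails):
    """CloudTrail.1 (account level): at least one trail that is logging, spans
    all Regions and captures read+write management events."""
    ok = any(
        t.get("IsLogging") and t.get("IsMultiRegionTrail") and captures_all_management_events(t)
        for t in trails
    )
    return [] if ok else ["no logging multi-Region trail captures read+write management events"]


def check_trail(trail):
    """Per-trail controls CloudTrail.2, .4 and .5; returns (control, reason) pairs."""
    name = trail["Name"]
    findings = []
    if not trail.get("KmsKeyId"):
        findings.append(("CloudTrail.2", f"{name}: log files use SSE-S3, no KMS key configured"))
    if not trail.get("LogFileValidationEnabled"):
        findings.append(("CloudTrail.4", f"{name}: log file validation disabled"))
    if not trail.get("CloudWatchLogsLogGroupArn"):
        findings.append(("CloudTrail.5", f"{name}: not delivering to CloudWatch Logs"))
    return findings


def evaluate_trails(trails):
    """Return {control_id: [reasons]} for the failing controls across the account."""
    results = {"CloudTrail.1": check_multi_region_management_trail(trails)}
    for t in trails:
        for control, reason in check_trail(t):
            results.setdefault(control, []).append(reason)
    return {k: v for k, v in results.items() if v}


# Constructed sample: a well-configured multi-Region trail and a single-Region
# trail left on defaults. Names and ARNs are made up.
SAMPLE_TRAILS = [
    {"Name": "org-trail", "IsMultiRegionTrail": True, "IsLogging": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
     "LogFileValidationEnabled": True,
     "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:111122223333:log-group:CloudTrail/org:*",
     "EventSelectors": [{"ReadWriteType": "All", "IncludeManagementEvents": True}]},
    {"Name": "legacy-trail", "IsMultiRegionTrail": False, "IsLogging": True,
     "KmsKeyId": "", "LogFileValidationEnabled": False, "CloudWatchLogsLogGroupArn": "",
     "EventSelectors": [{"ReadWriteType": "WriteOnly", "IncludeManagementEvents": True}]},
]

if __name__ == "__main__":
    for control, reasons in evaluate_trails(SAMPLE_TRAILS).items():
        for reason in reasons:
            print(f"FAILED {control}: {reason}")
```

With both sample trails present, CloudTrail.1 passes on the strength of `org-trail` while `legacy-trail` fails CloudTrail.2, .4 and .5 individually; remove or stop `org-trail` and the account-level CloudTrail.1 finding appears, which mirrors how Security Hub CSPM scopes that control to `AWS::::Account` rather than to a trail.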

## [CloudTrail.6] Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible


**Related requirements:** CIS Amazon Foundations Benchmark v1.2.0/2.3, CIS Amazon Foundations Benchmark v1.4.0/3.3, PCI DSS v4.0.1/1.4.4

**Category:** Identify > Logging

**Severity:** Critical

**Resource type:** `AWS::S3::Bucket`

**Amazon Config rule:** None (custom Security Hub CSPM rule)

**Schedule type:** Periodic and change triggered

**Parameters:** None

CloudTrail logs a record of every API call made in your account. These log files are stored in an S3 bucket. CIS recommends that the S3 bucket policy, or access control list (ACL), applied to the S3 bucket that CloudTrail logs to prevents public access to the CloudTrail logs. Allowing public access to CloudTrail log content might aid an adversary in identifying weaknesses in the affected account's use or configuration.

To run this check, Security Hub CSPM first uses custom logic to look for the S3 bucket where your CloudTrail logs are stored. It then uses the Amazon Config managed rules to check whether that bucket is publicly accessible.

If you aggregate your logs into a single centralized S3 bucket, then Security Hub CSPM only runs the check against the account and Region where the centralized S3 bucket is located. For other accounts and Regions, the control status is **No data**.

If the bucket is publicly accessible, the check generates a failed finding.

### Remediation


To block public access to your CloudTrail S3 bucket, see [Configuring block public access settings for your S3 buckets](https://docs.amazonaws.cn/AmazonS3/latest/userguide/configuring-block-public-access-bucket.html) in the *Amazon Simple Storage Service User Guide*. Select all four Amazon S3 Block Public Access Settings.

## [CloudTrail.7] Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket


**Related requirements:** CIS Amazon Foundations Benchmark v1.2.0/2.6, CIS Amazon Foundations Benchmark v1.4.0/3.6, CIS Amazon Foundations Benchmark v3.0.0/3.4, PCI DSS v4.0.1/10.2.1

**Category:** Identify > Logging

**Severity:** Low

**Resource type:** `AWS::S3::Bucket`

**Amazon Config rule:** None (custom Security Hub CSPM rule)

**Schedule type:** Periodic

**Parameters:** None

S3 bucket access logging generates a log that contains access records for each request made to your S3 bucket. An access log record contains details about the request, such as the request type, the resources specified in the request, and the time and date the request was processed.

CIS recommends that you enable bucket access logging on the CloudTrail S3 bucket.

Enabling server access logging on the CloudTrail bucket captures every request that might affect the objects in it, including reads of the logs themselves. Deliver those access logs to a separate bucket: that keeps them available and reviewable if the CloudTrail bucket is tampered with, which is useful in security and incident response workflows.

To run this check, Security Hub CSPM first uses custom logic to look for the bucket where your CloudTrail logs are stored and then uses the Amazon Config managed rule to check if logging is enabled.

If CloudTrail delivers log files from multiple Amazon Web Services accounts into a single destination Amazon S3 bucket, Security Hub CSPM evaluates this control only against the destination bucket in the Region where it's located. This streamlines your findings. However, you should turn on CloudTrail in all accounts that deliver logs to the destination bucket. For all accounts except the one that holds the destination bucket, the control status is **No data**.

### Remediation


To enable server access logging for your CloudTrail S3 bucket, see [Enabling Amazon S3 server access logging](https://docs.amazonaws.cn/AmazonS3/latest/userguide/enable-server-access-logging.html#enable-server-logging) in the *Amazon Simple Storage Service User Guide*.
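The two checks on the CloudTrail log bucket (CloudTrail.6 and CloudTrail.7) are custom rules whose exact logic this page does not publish. The following Python is an added example of how a practitioner can approximate them offline, not Security Hub's own rule code. It works on a dictionary that bundles what boto3's S3 client returns for one bucket (`get_public_access_block()`, `get_bucket_policy()` as a JSON string, `get_bucket_acl()` grants and `get_bucket_logging()`); that bundling is this example's own convention. The sample bucket and policy are constructed, and the policy analysis is deliberately conservative: a statement that grants to a wildcard principal but carries a `Condition` is returned for review rather than counted as public, because conditions such as `aws:PrincipalOrgID` can still scope it.

```python
"""Offline evaluator for CloudTrail.6 (log bucket not public) and CloudTrail.7
(access logging on the log bucket)."""
import json

PUBLIC_ACL_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
BLOCK_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def _is_wildcard_principal(principal):
    """True for Principal "*" or {"AWS": "*"} / {"AWS": [..., "*"]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def public_policy_statements(policy_json):
    """Split Allow statements with a wildcard principal into (public, conditioned).

    Unconditioned ones are public. Conditioned ones are returned separately for
    a human to review; the conditions themselves are not evaluated (assumption).
    """
    public, conditioned = [], []
    for st in json.loads(policy_json).get("Statement", []):
        if st.get("Effect") != "Allow" or not _is_wildcard_principal(st.get("Principal")):
            continue
        (conditioned if st.get("Condition") else public).append(st.get("Sid", "<no Sid>"))
    return public, conditioned


def check_log_bucket_not_public(bucket):
    """CloudTrail.6: fail if the ACL or policy exposes the bucket and the
    corresponding Block Public Access setting does not neutralise it."""
    pab = bucket.get("PublicAccessBlockConfiguration", {})
    if all(pab.get(flag) for flag in BLOCK_FLAGS):
        return []  # all four settings on: public ACLs ignored, public policies restricted
    findings = []
    public_acl = [g for g in bucket.get("Grants", []) if g["Grantee"].get("URI") in PUBLIC_ACL_URIS]
    if public_acl and not pab.get("IgnorePublicAcls"):
        findings.append("ACL grants access to AllUsers/AuthenticatedUsers")
    if bucket.get("Policy"):
        public, _conditioned = public_policy_statements(bucket["Policy"])
        if public and not pab.get("RestrictPublicBuckets"):
            findings.append(f"bucket policy statements open to any principal: {public}")
    return findings


def check_log_bucket_access_logging(bucket):
    """CloudTrail.7: server access logging must be enabled on the log bucket."""
    if not bucket.get("Logging", {}).get("LoggingEnabled"):
        return ["server access logging disabled"]
    return []


# Constructed sample: public ACL neutralised by IgnorePublicAcls, but a stray
# public-read policy statement and no access logging. Names are made up.
SAMPLE_BUCKET = {
    "Name": "org-cloudtrail-logs",
    "PublicAccessBlockConfiguration": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                                       "BlockPublicPolicy": False, "RestrictPublicBuckets": False},
    "Grants": [{"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                "Permission": "READ"}],
    "Policy": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Sid": "AWSCloudTrailWrite", "Effect": "Allow",
         "Principal": {"Service": "cloudtrail.amazonaws.com"},
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::org-cloudtrail-logs/AWSLogs/*"},
        {"Sid": "OopsPublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::org-cloudtrail-logs/*"},
    ]}),
    "Logging": {},
}

if __name__ == "__main__":
    for reason in check_log_bucket_not_public(SAMPLE_BUCKET):
        print(f"FAILED CloudTrail.6: {reason}")
    for reason in check_log_bucket_access_logging(SAMPLE_BUCKET):
        print(f"FAILED CloudTrail.7: {reason}")
```

The sample shows why the remediation says to select all four Block Public Access settings: with only the ACL-related settings on, the public ACL is harmless but the `OopsPublicRead` statement still exposes every log object, and it is `RestrictPublicBuckets`, not `BlockPublicPolicy`, that neutralises a public policy already attached to the bucket.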

## [CloudTrail.9] CloudTrail trails should be tagged


**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `AWS::CloudTrail::Trail`

**Amazon Config rule:** `tagged-cloudtrail-trail` (custom Security Hub CSPM rule)

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  requiredTagKeys  | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive.  | StringList (maximum of 6 items)  | 1–6 tag keys that meet [Amazon requirements](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-conventions).  |  No default value  | 

This control checks whether an Amazon CloudTrail trail has tags with the specific keys defined in the parameter `requiredTagKeys`. The control fails if the trail doesn’t have any tag keys or if it doesn’t have all the keys specified in the parameter `requiredTagKeys`. If the parameter `requiredTagKeys` isn't provided, the control only checks for the existence of a tag key and fails if the trail isn't tagged with any key. System tags, which are automatically applied and begin with `aws:`, are ignored.

A tag is a label that you assign to an Amazon resource, and it consists of a key and an optional value. You can create tags to categorize resources by purpose, owner, environment, or other criteria. Tags can help you identify, organize, search for, and filter resources. Tagging also helps you track accountable resource owners for actions and notifications. When you use tagging, you can implement attribute-based access control (ABAC) as an authorization strategy, which defines permissions based on tags. You can attach tags to IAM entities (users or roles) and to Amazon resources. You can create a single ABAC policy or a separate set of policies for your IAM principals. You can design these ABAC policies to allow operations when the principal's tag matches the resource tag. For more information, see [What is ABAC for Amazon?](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*.

**Note**  
Don’t add personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible to many Amazon Web Services services, including Amazon Billing. For more tagging best practices, see [Tagging your Amazon resources](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-best-practices) in the *Amazon Web Services General Reference*.

### Remediation


To add tags to a CloudTrail trail, see [AddTags](https://docs.amazonaws.cn/awscloudtrail/latest/APIReference/API_AddTags.html) in the *Amazon CloudTrail API Reference*.

## [CloudTrail.10] CloudTrail Lake event data stores should be encrypted with customer managed Amazon KMS keys


**Related requirements:** NIST.800-53.r5 AU-9, NIST.800-53.r5 CA-9(1), NIST.800-53.r5 CM-3(6), NIST.800-53.r5 SC-7(10), NIST.800-53.r5 SC-12(2), NIST.800-53.r5 SC-13, NIST.800-53.r5 SC-28, NIST.800-53.r5 SC-28(1), NIST.800-53.r5 SI-7(6)

**Category:** Protect > Data Protection > Encryption of data-at-rest

**Severity:** Medium

**Resource type:** `AWS::CloudTrail::EventDataStore`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/event-data-store-cmk-encryption-enabled.html](https://docs.amazonaws.cn/config/latest/developerguide/event-data-store-cmk-encryption-enabled.html)

**Schedule type:** Periodic

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  `kmsKeyArns`  |  A list of Amazon Resource Names (ARNs) of Amazon KMS keys to include in the evaluation. The control generates a `FAILED` finding if an event data store isn't encrypted with a KMS key in the list.  |  StringList (maximum of 3 items)  |  1–3 ARNs of existing KMS keys. For example: `arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`.  |  No default value  | 

This control checks whether an Amazon CloudTrail Lake event data store is encrypted at rest with a customer managed Amazon KMS key. The control fails if the event data store isn't encrypted with a customer managed KMS key. You can optionally specify a list of KMS keys for the control to include in the evaluation.

By default, Amazon CloudTrail Lake encrypts event data stores with Amazon S3 managed keys (SSE-S3), using an AES-256 algorithm. For additional control, you can configure CloudTrail Lake to encrypt an event data store with a customer managed Amazon KMS key (SSE-KMS) instead. A customer managed KMS key is an Amazon KMS key that you create, own, and manage in your Amazon Web Services account. You have full control over this type of KMS key. This includes defining and maintaining the key policy, managing grants, rotating cryptographic material, assigning tags, creating aliases, and enabling and disabling the key. You can use a customer managed KMS key in cryptographic operations for your CloudTrail data and audit usage with CloudTrail logs.
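How the control's decision, including the optional `kmsKeyArns` parameter, plays out over a set of event data stores, as an added Python example that is not Security Hub CSPM's own code. It relies on the field shapes of two real API responses: CloudTrail `GetEventDataStore`, whose `KmsKeyId` carries the key ARN when the store uses SSE-KMS, and KMS `DescribeKey`, whose `KeyMetadata.KeyManager` is `CUSTOMER` for a customer managed key and `AWS` for an AWS managed key. The stores and key metadata are constructed; the first ARN is the example ARN from the parameter table above, the other two are made up.

```python
"""Local model of how CloudTrail.10 decides PASSED or FAILED.

Added example (editor's code, not Security Hub CSPM's). Stores mimic
GetEventDataStore output and key_metadata mimics DescribeKey output; both
are constructed stand-ins so the logic runs offline.
"""
from typing import Dict, List, Optional

MAX_KMS_KEY_ARNS = 3  # the kmsKeyArns parameter accepts 1 to 3 ARNs

CMK_ARN = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
AWS_MANAGED_ARN = "arn:aws:kms:us-west-2:111122223333:key/aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb"  # constructed
OTHER_CMK_ARN = "arn:aws:kms:us-west-2:111122223333:key/cccccccc-3333-4444-5555-dddddddddddd"  # constructed

# Constructed stand-in for DescribeKey results, keyed by key ARN
KEY_METADATA: Dict[str, dict] = {
    CMK_ARN: {"KeyManager": "CUSTOMER", "KeyState": "Enabled"},
    AWS_MANAGED_ARN: {"KeyManager": "AWS", "KeyState": "Enabled"},
    OTHER_CMK_ARN: {"KeyManager": "CUSTOMER", "KeyState": "Enabled"},
}

# Constructed stand-ins for GetEventDataStore results
SAMPLE_STORES: List[dict] = [
    {"Name": "audit-store", "KmsKeyId": CMK_ARN},               # SSE-KMS, customer managed key
    {"Name": "default-store"},                                   # no KmsKeyId: default SSE-S3
    {"Name": "aws-managed-store", "KmsKeyId": AWS_MANAGED_ARN},  # SSE-KMS, but an AWS managed key
]


def evaluate_event_data_store(store: dict, key_metadata: Dict[str, dict],
                              kms_key_arns: Optional[List[str]] = None) -> str:
    """Return "PASSED" or "FAILED" for one event data store.

    kms_key_arns mirrors the control's optional parameter: when it is given,
    the store must be encrypted with one of exactly those keys.
    """
    if kms_key_arns is not None and not 1 <= len(kms_key_arns) <= MAX_KMS_KEY_ARNS:
        raise ValueError("kmsKeyArns must contain between 1 and 3 KMS key ARNs")

    key_arn = store.get("KmsKeyId")
    if not key_arn:
        return "FAILED"  # encrypted with SSE-S3, not with a KMS key

    meta = key_metadata.get(key_arn)
    if meta is None or meta.get("KeyManager") != "CUSTOMER":
        return "FAILED"  # key not found, or an AWS managed key

    if kms_key_arns is not None and key_arn not in kms_key_arns:
        return "FAILED"  # customer managed, but not one of the keys the parameter allows
    return "PASSED"


def evaluate_all(stores: List[dict], key_metadata: Dict[str, dict],
                 kms_key_arns: Optional[List[str]] = None) -> Dict[str, str]:
    """Evaluate every store and return {store name: status}."""
    return {s["Name"]: evaluate_event_data_store(s, key_metadata, kms_key_arns) for s in stores}


if __name__ == "__main__":
    print(evaluate_all(SAMPLE_STORES, KEY_METADATA))
    print(evaluate_all(SAMPLE_STORES, KEY_METADATA, kms_key_arns=[OTHER_CMK_ARN]))
```

Passing `kms_key_arns` turns the check from "any customer managed key" into "one of these approved keys", which is the way to enforce a per-environment or per-organization key standard rather than just the presence of SSE-KMS.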

### Remediation


For information about encrypting an Amazon CloudTrail Lake event data store with an Amazon KMS key that you specify, see [Update an event data store](https://docs.amazonaws.cn/awscloudtrail/latest/userguide/query-event-data-store-update.html) in the *Amazon CloudTrail User Guide*. After you associate an event data store with a KMS key, the KMS key can't be removed or changed.

# Security Hub CSPM controls for Amazon CloudWatch
Amazon CloudWatch controls

These Amazon Security Hub CSPM controls evaluate the Amazon CloudWatch service and resources. The controls might not be available in all Amazon Web Services Regions. For more information, see [Availability of controls by Region](securityhub-regions.md#securityhub-regions-control-support).

## [CloudWatch.1] A log metric filter and alarm should exist for usage of the "root" user


**Related requirements:** CIS Amazon Foundations Benchmark v1.2.0/1.1, CIS Amazon Foundations Benchmark v1.2.0/3.3, CIS Amazon Foundations Benchmark v1.4.0/1.7, CIS Amazon Foundations Benchmark v1.4.0/4.3, NIST.800-171.r2 3.14.6, NIST.800-171.r2 3.14.7, PCI DSS v3.2.1/7.2.1

**Category:** Detect > Detection services

**Severity:** Low

**Resource type:** `AWS::Logs::MetricFilter`, `AWS::CloudWatch::Alarm`, `AWS::CloudTrail::Trail`, `AWS::SNS::Topic`

**Amazon Config rule:** None (custom Security Hub CSPM rule)

**Schedule type:** Periodic

**Parameters:** None

The root user has unrestricted access to all services and resources in an Amazon Web Services account. We highly recommend that you avoid using the root user for daily tasks. Minimizing the use of the root user and adopting the principle of least privilege for access management reduces the risk of accidental changes and unintended disclosure of highly privileged credentials.

As a best practice, use your root user credentials only when required to [perform account and service management tasks](https://docs.amazonaws.cn/general/latest/gr/aws_tasks-that-require-root.html). Apply Amazon Identity and Access Management (IAM) policies directly to groups and roles but not users. For a tutorial on how to set up an administrator for daily use, see [Creating your first IAM admin user and group](https://docs.amazonaws.cn/IAM/latest/UserGuide/getting-started_create-admin-group.html) in the *IAM User Guide*.

To run this check, Security Hub CSPM uses custom logic to perform the exact audit steps prescribed for control 1.7 in the [CIS Amazon Foundations Benchmark v1.4.0](https://acrobat.adobe.com/link/track?uri=urn:aaid:scds:US:2e5fec5c-5e99-4fb5-b08d-bb46b14754c1#pageNum=1). This control fails if the exact metric filters prescribed by CIS are not used. Additional fields or terms cannot be added to the metric filters.

**Note**  
When Security Hub CSPM performs the check for this control, it looks for CloudTrail trails that the current account uses. These trails might be organization trails that belong to another account. Multi-Region trails also might be based in a different Region.

The check results in `FAILED` findings in the following cases:
+ No trail is configured.
+ The available trails that are in the current Region and that are owned by the current account do not meet the control requirements.

The check results in a control status of `NO_DATA` in the following cases:
+ A multi-Region trail is based in a different Region. Security Hub CSPM can only generate findings in the Region where the trail is based.
+ A multi-Region trail belongs to a different account. Security Hub CSPM can only generate findings for the account that owns the trail.

We recommend using organization trails to log events from many accounts in an organization. Organization trails are multi-Region trails by default and can only be managed by the Amazon Organizations management account or the CloudTrail delegated administrator account. Using an organization trail results in a control status of `NO_DATA` for controls evaluated in organization member accounts. In member accounts, Security Hub CSPM only generates findings for member-owned resources. Findings that pertain to organization trails are generated in the resource owner's account. You can see these findings in your Security Hub CSPM delegated administrator account by using cross-Region aggregation.

For the alarm, the current account must either own the referenced Amazon SNS topic or must be able to access the Amazon SNS topic by calling `ListSubscriptionsByTopic`. Otherwise, Security Hub CSPM generates `WARNING` findings for the control.

### Remediation


To pass this control, follow these steps to create an Amazon SNS topic, an Amazon CloudTrail trail, a metric filter, and an alarm for the metric filter.

1. Create an Amazon SNS topic. For instructions, see [Getting started with Amazon SNS](https://docs.amazonaws.cn/sns/latest/dg/sns-getting-started.html#CreateTopic) in the *Amazon Simple Notification Service Developer Guide*. Create a topic that receives all CIS alarms, and create at least one subscription to the topic.

1. Create a CloudTrail trail that applies to all Amazon Web Services Regions. For instructions, see [Creating a trail](https://docs.amazonaws.cn/awscloudtrail/latest/userguide/cloudtrail-create-a-trail-using-the-console-first-time.html) in the *Amazon CloudTrail User Guide*.

   Make note of the name of the CloudWatch Logs log group that you associate with the CloudTrail trail. You create the metric filter for that log group in the next step.

1. Create a metric filter. For instructions, see [Create a metric filter for a log group](https://docs.amazonaws.cn/AmazonCloudWatch/latest/logs/CreateMetricFilterProcedure.html) in the *Amazon CloudWatch User Guide*. Use the filter values listed for this control in the [Security Hub CSPM User Guide](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/cloudwatch-controls.html).

1. Create an alarm based on the filter. For instructions, see [Create a CloudWatch alarm based on a log group-metric filter](https://docs.amazonaws.cn/AmazonCloudWatch/latest/monitoring/Alarm-On-Logs.html) in the *Amazon CloudWatch User Guide*. Use the alarm values listed for this control in the [Security Hub CSPM User Guide](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/cloudwatch-controls.html).

## [CloudWatch.2] Ensure a log metric filter and alarm exist for unauthorized API calls


**Related requirements:** CIS Amazon Foundations Benchmark v1.2.0/3.1, NIST.800-171.r2 3.13.1, NIST.800-171.r2 3.14.6, NIST.800-171.r2 3.14.7

**Category:** Detect > Detection services

**Severity:** Low

**Resource type:** `AWS::Logs::MetricFilter`, `AWS::CloudWatch::Alarm`, `AWS::CloudTrail::Trail`, `AWS::SNS::Topic`

**Amazon Config rule:** None (custom Security Hub CSPM rule)

**Schedule type:** Periodic

**Parameters:** None

You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms.

CIS recommends that you create a metric filter and alarm for unauthorized API calls. Monitoring unauthorized API calls helps reveal application errors and might reduce time to detect malicious activity.

To run this check, Security Hub CSPM uses custom logic to perform the exact audit steps prescribed for control 3.1 in the [CIS Amazon Foundations Benchmark v1.2](https://d1.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf). This control fails if the exact metric filters prescribed by CIS are not used. Additional fields or terms cannot be added to the metric filters.

**Note**  
When Security Hub CSPM performs the check for this control, it looks for CloudTrail trails that the current account uses. These trails might be organization trails that belong to another account. Multi-Region trails also might be based in a different Region.

The check results in `FAILED` findings in the following cases:
+ No trail is configured.
+ The available trails that are in the current Region and that are owned by the current account do not meet the control requirements.

The check results in a control status of `NO_DATA` in the following cases:
+ A multi-Region trail is based in a different Region. Security Hub CSPM can only generate findings in the Region where the trail is based.
+ A multi-Region trail belongs to a different account. Security Hub CSPM can only generate findings for the account that owns the trail.

We recommend using organization trails to log events from many accounts in an organization. Organization trails are multi-Region trails by default and can only be managed by the Amazon Organizations management account or the CloudTrail delegated administrator account. Using an organization trail results in a control status of `NO_DATA` for controls evaluated in organization member accounts. In member accounts, Security Hub CSPM only generates findings for member-owned resources. Findings that pertain to organization trails are generated in the resource owner's account. You can see these findings in your Security Hub CSPM delegated administrator account by using cross-Region aggregation.

For the alarm, the current account must either own the referenced Amazon SNS topic or must be able to access the Amazon SNS topic by calling `ListSubscriptionsByTopic`. Otherwise, Security Hub CSPM generates `WARNING` findings for the control.

### Remediation


To pass this control, follow these steps to create an Amazon SNS topic, an Amazon CloudTrail trail, a metric filter, and an alarm for the metric filter.

1. Create an Amazon SNS topic. For instructions, see [Getting started with Amazon SNS](https://docs.amazonaws.cn/sns/latest/dg/sns-getting-started.html#CreateTopic) in the *Amazon Simple Notification Service Developer Guide*. Create a topic that receives all CIS alarms, and create at least one subscription to the topic.

1. Create a CloudTrail trail that applies to all Amazon Web Services Regions. For instructions, see [Creating a trail](https://docs.amazonaws.cn/awscloudtrail/latest/userguide/cloudtrail-create-a-trail-using-the-console-first-time.html) in the *Amazon CloudTrail User Guide*.

   Make note of the name of the CloudWatch Logs log group that you associate with the CloudTrail trail. You create the metric filter for that log group in the next step.

1. Create a metric filter. For instructions, see [Create a metric filter for a log group](https://docs.amazonaws.cn/AmazonCloudWatch/latest/logs/CreateMetricFilterProcedure.html) in the *Amazon CloudWatch User Guide*. Use the filter values listed for this control in the [Security Hub CSPM User Guide](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/cloudwatch-controls.html).

1. Create an alarm based on the filter. For instructions, see [Create a CloudWatch alarm based on a log group-metric filter](https://docs.amazonaws.cn/AmazonCloudWatch/latest/monitoring/Alarm-On-Logs.html) in the *Amazon CloudWatch User Guide*. Use the alarm values listed for this control in the [Security Hub CSPM User Guide](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/cloudwatch-controls.html).

## [CloudWatch.3] Ensure a log metric filter and alarm exist for Management Console sign-in without MFA


**Related requirements:** CIS Amazon Foundations Benchmark v1.2.0/3.2

**Category:** Detect > Detection services

**Severity:** Low

**Resource type:** `AWS::Logs::MetricFilter`, `AWS::CloudWatch::Alarm`, `AWS::CloudTrail::Trail`, `AWS::SNS::Topic`

**Amazon Config rule:** None (custom Security Hub CSPM rule)

**Schedule type:** Periodic

**Parameters:** None

You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms.

CIS recommends that you create a metric filter and alarm for console logins that aren't protected by MFA. Monitoring for single-factor console logins increases visibility into accounts that aren't protected by MFA.

To run this check, Security Hub CSPM uses custom logic to perform the exact audit steps prescribed for control 3.2 in the [CIS Amazon Foundations Benchmark v1.2](https://d1.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf). This control fails if the exact metric filters prescribed by CIS are not used. Additional fields or terms cannot be added to the metric filters.

**Note**  
When Security Hub CSPM performs the check for this control, it looks for CloudTrail trails that the current account uses. These trails might be organization trails that belong to another account. Multi-Region trails also might be based in a different Region.

The check results in `FAILED` findings in the following cases:
+ No trail is configured.
+ The available trails that are in the current Region and that are owned by the current account do not meet the control requirements.

The check results in a control status of `NO_DATA` in the following cases:
+ A multi-Region trail is based in a different Region. Security Hub CSPM can only generate findings in the Region where the trail is based.
+ A multi-Region trail belongs to a different account. Security Hub CSPM can only generate findings for the account that owns the trail.

We recommend using organization trails to log events from many accounts in an organization. Organization trails are multi-Region trails by default and can only be managed by the Amazon Organizations management account or the CloudTrail delegated administrator account. Using an organization trail results in a control status of `NO_DATA` for controls evaluated in organization member accounts. In member accounts, Security Hub CSPM only generates findings for member-owned resources. Findings that pertain to organization trails are generated in the resource owner's account. You can see these findings in your Security Hub CSPM delegated administrator account by using cross-Region aggregation.

For the alarm, the current account must either own the referenced Amazon SNS topic or must be able to access the Amazon SNS topic by calling `ListSubscriptionsByTopic`. Otherwise, Security Hub CSPM generates `WARNING` findings for the control.

### Remediation


To pass this control, follow these steps to create an Amazon SNS topic, an Amazon CloudTrail trail, a metric filter, and an alarm for the metric filter.

1. Create an Amazon SNS topic. For instructions, see [Getting started with Amazon SNS](https://docs.amazonaws.cn/sns/latest/dg/sns-getting-started.html#CreateTopic) in the *Amazon Simple Notification Service Developer Guide*. Create a topic that receives all CIS alarms, and create at least one subscription to the topic.

1. Create a CloudTrail trail that applies to all Amazon Web Services Regions. For instructions, see [Creating a trail](https://docs.amazonaws.cn/awscloudtrail/latest/userguide/cloudtrail-create-a-trail-using-the-console-first-time.html) in the *Amazon CloudTrail User Guide*.

   Make note of the name of the CloudWatch Logs log group that you associate with the CloudTrail trail. You create the metric filter for that log group in the next step.

1. Create a metric filter. For instructions, see [Create a metric filter for a log group](https://docs.amazonaws.cn/AmazonCloudWatch/latest/logs/CreateMetricFilterProcedure.html) in the *Amazon CloudWatch User Guide*. Use the filter values listed for this control in the [Security Hub CSPM User Guide](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/cloudwatch-controls.html).

1. Create an alarm based on the filter. For instructions, see [Create a CloudWatch alarm based on a log group-metric filter](https://docs.amazonaws.cn/AmazonCloudWatch/latest/monitoring/Alarm-On-Logs.html) in the *Amazon CloudWatch User Guide*. Use the alarm values listed for this control in the [Security Hub CSPM User Guide](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/cloudwatch-controls.html).

## [CloudWatch.4] Ensure a log metric filter and alarm exist for IAM policy changes


**Related requirements:** CIS Amazon Foundations Benchmark v1.2.0/3.4, CIS Amazon Foundations Benchmark v1.4.0/4.4, NIST.800-171.r2 3.14.6, NIST.800-171.r2 3.14.7

**Category:** Detect > Detection services

**Severity:** Low

**Resource type:** `AWS::Logs::MetricFilter`, `AWS::CloudWatch::Alarm`, `AWS::CloudTrail::Trail`, `AWS::SNS::Topic`

**Amazon Config rule:** None (custom Security Hub CSPM rule)

**Schedule type:** Periodic

**Parameters:** None

This control checks whether you monitor API calls in real time by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms.

CIS recommends that you create a metric filter and alarm for changes made to IAM policies. Monitoring these changes helps ensure that authentication and authorization controls remain intact.

**Note**  
When Security Hub CSPM performs the check for this control, it looks for CloudTrail trails that the current account uses. These trails might be organization trails that belong to another account. Multi-Region trails also might be based in a different Region.

The check results in `FAILED` findings in the following cases:
+ No trail is configured.
+ The available trails that are in the current Region and that are owned by the current account do not meet the control requirements.

The check results in a control status of `NO_DATA` in the following cases:
+ A multi-Region trail is based in a different Region. Security Hub CSPM can only generate findings in the Region where the trail is based.
+ A multi-Region trail belongs to a different account. Security Hub CSPM can only generate findings for the account that owns the trail.

We recommend using organization trails to log events from many accounts in an organization. Organization trails are multi-Region trails by default and can only be managed by the Amazon Organizations management account or the CloudTrail delegated administrator account. Using an organization trail results in a control status of `NO_DATA` for controls evaluated in organization member accounts. In member accounts, Security Hub CSPM only generates findings for member-owned resources. Findings that pertain to organization trails are generated in the resource owner's account. You can see these findings in your Security Hub CSPM delegated administrator account by using cross-Region aggregation.

For the alarm, the current account must either own the referenced Amazon SNS topic or must be able to access the Amazon SNS topic by calling `ListSubscriptionsByTopic`. Otherwise, Security Hub CSPM generates `WARNING` findings for the control.

### Remediation


**Note**  
Our recommended filter pattern in these remediation steps differs from the filter pattern in the CIS guidance. Our recommended filters target only events coming from IAM API calls.

To pass this control, follow these steps to create an Amazon SNS topic, an Amazon CloudTrail trail, a metric filter, and an alarm for the metric filter.

1. Create an Amazon SNS topic. For instructions, see [Getting started with Amazon SNS](https://docs.amazonaws.cn/sns/latest/dg/sns-getting-started.html#CreateTopic) in the *Amazon Simple Notification Service Developer Guide*. Create a topic that receives all CIS alarms, and create at least one subscription to the topic.

1. Create a CloudTrail trail that applies to all Amazon Web Services Regions. For instructions, see [Creating a trail](https://docs.amazonaws.cn/awscloudtrail/latest/userguide/cloudtrail-create-a-trail-using-the-console-first-time.html) in the *Amazon CloudTrail User Guide*.

   Make note of the name of the CloudWatch Logs log group that you associate with the CloudTrail trail. You create the metric filter for that log group in the next step.

1. Create a metric filter. For instructions, see [Create a metric filter for a log group](https://docs.amazonaws.cn/AmazonCloudWatch/latest/logs/CreateMetricFilterProcedure.html) in the *Amazon CloudWatch User Guide*. Use the filter values listed for this control in the [Security Hub CSPM User Guide](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/cloudwatch-controls.html).

1. Create an alarm based on the filter. For instructions, see [Create a CloudWatch alarm based on a log group-metric filter](https://docs.amazonaws.cn/AmazonCloudWatch/latest/monitoring/Alarm-On-Logs.html) in the *Amazon CloudWatch User Guide*. Use the alarm values listed for this control in the [Security Hub CSPM User Guide](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/cloudwatch-controls.html).

## [CloudWatch.5] Ensure a log metric filter and alarm exist for CloudTrail configuration changes


**Related requirements:** CIS Amazon Foundations Benchmark v1.2.0/3.5, CIS Amazon Foundations Benchmark v1.4.0/4.5, NIST.800-171.r2 3.3.8, NIST.800-171.r2 3.14.6, NIST.800-171.r2 3.14.7

**Category:** Detect > Detection services

**Severity:** Low

**Resource type:** `AWS::Logs::MetricFilter`, `AWS::CloudWatch::Alarm`, `AWS::CloudTrail::Trail`, `AWS::SNS::Topic`

**Amazon Config rule:** None (custom Security Hub CSPM rule)

**Schedule type:** Periodic

**Parameters:** None

You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms.

CIS recommends that you create a metric filter and alarm for changes to CloudTrail configuration settings. Monitoring these changes helps ensure sustained visibility to activities in the account.

To run this check, Security Hub CSPM uses custom logic to perform the exact audit steps prescribed for control 4.5 in the [CIS Amazon Foundations Benchmark v1.4.0](https://acrobat.adobe.com/link/track?uri=urn:aaid:scds:US:2e5fec5c-5e99-4fb5-b08d-bb46b14754c1#pageNum=1). This control fails if the exact metric filters prescribed by CIS are not used. Additional fields or terms cannot be added to the metric filters.

**Note**  
When Security Hub CSPM performs the check for this control, it looks for CloudTrail trails that the current account uses. These trails might be organization trails that belong to another account. Multi-Region trails also might be based in a different Region.

The check results in `FAILED` findings in the following cases:
+ No trail is configured.
+ The available trails that are in the current Region and that are owned by the current account do not meet the control requirements.

The check results in a control status of `NO_DATA` in the following cases:
+ A multi-Region trail is based in a different Region. Security Hub CSPM can only generate findings in the Region where the trail is based.
+ A multi-Region trail belongs to a different account. Security Hub CSPM can only generate findings for the account that owns the trail.

We recommend using organization trails to log events from many accounts in an organization. Organization trails are multi-Region trails by default and can only be managed by the Amazon Organizations management account or the CloudTrail delegated administrator account. Using an organization trail results in a control status of `NO_DATA` for controls evaluated in organization member accounts. In member accounts, Security Hub CSPM only generates findings for member-owned resources. Findings that pertain to organization trails are generated in the resource owner's account. You can see these findings in your Security Hub CSPM delegated administrator account by using cross-Region aggregation.

For the alarm, the current account must either own the referenced Amazon SNS topic or must be able to access the Amazon SNS topic by calling `ListSubscriptionsByTopic`. Otherwise, Security Hub CSPM generates `WARNING` findings for the control.

### Remediation


To pass this control, follow these steps to create an Amazon SNS topic, an Amazon CloudTrail trail, a metric filter, and an alarm for the metric filter.

1. Create an Amazon SNS topic. For instructions, see [Getting started with Amazon SNS](https://docs.amazonaws.cn/sns/latest/dg/sns-getting-started.html#CreateTopic) in the *Amazon Simple Notification Service Developer Guide*. Create a topic that receives all CIS alarms, and create at least one subscription to the topic.

1. Create a CloudTrail trail that applies to all Amazon Web Services Regions. For instructions, see [Creating a trail](https://docs.amazonaws.cn/awscloudtrail/latest/userguide/cloudtrail-create-a-trail-using-the-console-first-time.html) in the *Amazon CloudTrail User Guide*.

   Make note of the name of the CloudWatch Logs log group that you associate with the CloudTrail trail. You create the metric filter for that log group in the next step.

1. Create a metric filter. For instructions, see [Create a metric filter for a log group](https://docs.amazonaws.cn/AmazonCloudWatch/latest/logs/CreateMetricFilterProcedure.html) in the *Amazon CloudWatch User Guide*. Use the filter values listed for this control in the [Security Hub CSPM User Guide](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/cloudwatch-controls.html).

1. Create an alarm based on the filter. For instructions, see [Create a CloudWatch alarm based on a log group-metric filter](https://docs.amazonaws.cn/AmazonCloudWatch/latest/monitoring/Alarm-On-Logs.html) in the *Amazon CloudWatch User Guide*. Use the alarm values listed for this control in the [Security Hub CSPM User Guide](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/cloudwatch-controls.html).

## [CloudWatch.6] Ensure a log metric filter and alarm exist for Amazon Web Services Management Console authentication failures


**Related requirements:** CIS Amazon Foundations Benchmark v1.2.0/3.6, CIS Amazon Foundations Benchmark v1.4.0/4.6, NIST.800-171.r2 3.14.6, NIST.800-171.r2 3.14.7

**Category:** Detect > Detection services

**Severity:** Low

**Resource type:** `AWS::Logs::MetricFilter`, `AWS::CloudWatch::Alarm`, `AWS::CloudTrail::Trail`, `AWS::SNS::Topic`

**Amazon Config rule:** None (custom Security Hub CSPM rule)

**Schedule type:** Periodic

**Parameters:** None

You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms.

CIS recommends that you create a metric filter and alarm for failed console authentication attempts. Monitoring failed console logins might decrease lead time to detect an attempt to brute-force a credential, which might provide an indicator, such as source IP, that you can use in other event correlations. 

To run this check, Security Hub CSPM uses custom logic to perform the exact audit steps prescribed for control 4.6 in the [CIS Amazon Foundations Benchmark v1.4.0](https://acrobat.adobe.com/link/track?uri=urn:aaid:scds:US:2e5fec5c-5e99-4fb5-b08d-bb46b14754c1#pageNum=1). This control fails if the exact metric filters prescribed by CIS are not used. Additional fields or terms cannot be added to the metric filters.

**Note**  
When Security Hub CSPM performs the check for this control, it looks for CloudTrail trails that the current account uses. These trails might be organization trails that belong to another account. Multi-Region trails also might be based in a different Region.

The check results in `FAILED` findings in the following cases:
+ No trail is configured.
+ The available trails that are in the current Region and that are owned by the current account do not meet the control requirements.

The check results in a control status of `NO_DATA` in the following cases:
+ A multi-Region trail is based in a different Region. Security Hub CSPM can only generate findings in the Region where the trail is based.
+ A multi-Region trail belongs to a different account. Security Hub CSPM can only generate findings for the account that owns the trail.

We recommend using organization trails to log events from many accounts in an organization. Organization trails are multi-Region trails by default and can only be managed by the Amazon Organizations management account or the CloudTrail delegated administrator account. Using an organization trail results in a control status of `NO_DATA` for controls evaluated in organization member accounts. In member accounts, Security Hub CSPM only generates findings for member-owned resources. Findings that pertain to organization trails are generated in the resource owner's account. You can see these findings in your Security Hub CSPM delegated administrator account by using cross-Region aggregation.

For the alarm, the current account must either own the referenced Amazon SNS topic or must be able to access the Amazon SNS topic by calling `ListSubscriptionsByTopic`. Otherwise, Security Hub CSPM generates `WARNING` findings for the control.

### Remediation


To pass this control, follow these steps to create an Amazon SNS topic, an Amazon CloudTrail trail, a metric filter, and an alarm for the metric filter.

1. Create an Amazon SNS topic. For instructions, see [Getting started with Amazon SNS](https://docs.amazonaws.cn/sns/latest/dg/sns-getting-started.html#CreateTopic) in the *Amazon Simple Notification Service Developer Guide*. Create a topic that receives all CIS alarms, and create at least one subscription to the topic.

1. Create a CloudTrail trail that applies to all Amazon Web Services Regions. For instructions, see [Creating a trail](https://docs.amazonaws.cn/awscloudtrail/latest/userguide/cloudtrail-create-a-trail-using-the-console-first-time.html) in the *Amazon CloudTrail User Guide*.

   Make note of the name of the CloudWatch Logs log group that you associate with the CloudTrail trail. You create the metric filter for that log group in the next step.

1. Create a metric filter. For instructions, see [Create a metric filter for a log group](https://docs.amazonaws.cn/AmazonCloudWatch/latest/logs/CreateMetricFilterProcedure.html) in the *Amazon CloudWatch User Guide*. Use the filter values listed for this control in the [Security Hub CSPM User Guide](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/cloudwatch-controls.html).

1. Create an alarm based on the filter. For instructions, see [Create a CloudWatch alarm based on a log group-metric filter](https://docs.amazonaws.cn/AmazonCloudWatch/latest/monitoring/Alarm-On-Logs.html) in the *Amazon CloudWatch User Guide*. Use the alarm values listed for this control in the [Security Hub CSPM User Guide](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/cloudwatch-controls.html).
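
The conditions that the metric filters for CloudWatch.1 through CloudWatch.6 alarm on, expressed as Python predicates over CloudTrail records, as an added example that is not Security Hub CSPM's or CIS's code. Each predicate states the condition in Python so it can be exercised against CloudTrail records offline (for instance to confirm that a test event really would trip the alarm); the CloudWatch Logs filter-pattern strings themselves are deliberately not reproduced here, because these controls only pass with the exact CIS patterns, which must be copied from the linked guidance. The IAM event-name set is a representative subset assumed for the example, and all CloudTrail records are constructed.

```python
"""Detection conditions behind CloudWatch.1 through CloudWatch.6, as Python predicates.

Added example (editor's code, not Security Hub CSPM's or CIS's). The filter
pattern strings are not reproduced; only the conditions they test are. All
CloudTrail records below are constructed.
"""
from fnmatch import fnmatchcase
from typing import Callable, Dict, List

# Representative IAM policy-mutation API names (a subset, assumed for the example).
# Security Hub CSPM's recommended CloudWatch.4 filter restricts the match to IAM
# API calls, which iam_policy_change() mirrors through the eventSource check.
IAM_POLICY_EVENTS = {
    "PutRolePolicy", "PutUserPolicy", "PutGroupPolicy",
    "AttachRolePolicy", "AttachUserPolicy", "AttachGroupPolicy",
    "DetachRolePolicy", "DetachUserPolicy", "DetachGroupPolicy",
    "CreatePolicy", "DeletePolicy", "CreatePolicyVersion", "DeletePolicyVersion",
}
CLOUDTRAIL_CONFIG_EVENTS = {"CreateTrail", "UpdateTrail", "DeleteTrail",
                            "StartLogging", "StopLogging"}


def root_usage(ev: dict) -> bool:  # CloudWatch.1
    """Root credentials used directly; root actions performed on behalf of a service are excluded."""
    ident = ev.get("userIdentity", {})
    return (ident.get("type") == "Root"
            and "invokedBy" not in ident
            and ev.get("eventType") != "AwsServiceEvent")


def unauthorized_api_call(ev: dict) -> bool:  # CloudWatch.2
    """errorCode ends in UnauthorizedOperation or starts with AccessDenied."""
    code = ev.get("errorCode", "")
    return fnmatchcase(code, "*UnauthorizedOperation") or fnmatchcase(code, "AccessDenied*")


def console_login_without_mfa(ev: dict) -> bool:  # CloudWatch.3
    """ConsoleLogin where MFAUsed is anything but "Yes" (a failed login matches as well)."""
    return (ev.get("eventName") == "ConsoleLogin"
            and ev.get("additionalEventData", {}).get("MFAUsed") != "Yes")


def iam_policy_change(ev: dict) -> bool:  # CloudWatch.4
    return (ev.get("eventSource") == "iam.amazonaws.com"
            and ev.get("eventName") in IAM_POLICY_EVENTS)


def cloudtrail_config_change(ev: dict) -> bool:  # CloudWatch.5
    return ev.get("eventName") in CLOUDTRAIL_CONFIG_EVENTS


def console_auth_failure(ev: dict) -> bool:  # CloudWatch.6
    return (ev.get("eventName") == "ConsoleLogin"
            and ev.get("errorMessage") == "Failed authentication")


DETECTIONS: Dict[str, Callable[[dict], bool]] = {
    "CloudWatch.1 root usage": root_usage,
    "CloudWatch.2 unauthorized API call": unauthorized_api_call,
    "CloudWatch.3 console login without MFA": console_login_without_mfa,
    "CloudWatch.4 IAM policy change": iam_policy_change,
    "CloudWatch.5 CloudTrail config change": cloudtrail_config_change,
    "CloudWatch.6 console auth failure": console_auth_failure,
}


def run_detections(events: List[dict]) -> Dict[str, List[str]]:
    """Map each detection name to the eventIDs of the records that trigger it."""
    return {name: [e["eventID"] for e in events if pred(e)]
            for name, pred in DETECTIONS.items()}


# Constructed CloudTrail records, trimmed to the fields the predicates read.
SAMPLE_EVENTS: List[dict] = [
    {"eventID": "e1", "eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "eventType": "AwsConsoleSignIn", "userIdentity": {"type": "Root"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventID": "e2", "eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com",
     "eventType": "AwsApiCall", "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "errorCode": "Client.UnauthorizedOperation"},
    {"eventID": "e3", "eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "eventType": "AwsConsoleSignIn", "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "additionalEventData": {"MFAUsed": "No"}, "errorMessage": "Failed authentication"},
    {"eventID": "e4", "eventName": "PutRolePolicy", "eventSource": "iam.amazonaws.com",
     "eventType": "AwsApiCall", "userIdentity": {"type": "AssumedRole"}},
    {"eventID": "e5", "eventName": "StopLogging", "eventSource": "cloudtrail.amazonaws.com",
     "eventType": "AwsApiCall", "userIdentity": {"type": "IAMUser", "userName": "carol"}},
    # Root identity acting through a service: excluded from CloudWatch.1 on purpose
    {"eventID": "e6", "eventName": "CreateServiceLinkedRole", "eventSource": "iam.amazonaws.com",
     "eventType": "AwsServiceEvent",
     "userIdentity": {"type": "Root", "invokedBy": "organizations.amazonaws.com"}},
]

if __name__ == "__main__":
    for name, hits in run_detections(SAMPLE_EVENTS).items():
        print(f"{name}: {hits}")
```

Record `e6` is the instructive one: a root identity that appears only because a service acted on the account's behalf carries `invokedBy` and an `eventType` of `AwsServiceEvent`, and the CloudWatch.1 condition excludes it so the alarm stays meaningful for interactive root use. Record `e3` shows why the CloudWatch.3 and CloudWatch.6 conditions overlap on a failed single-factor login.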

## [CloudWatch.7] Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer managed keys


**Related requirements:** CIS Amazon Foundations Benchmark v1.2.0/3.7, CIS Amazon Foundations Benchmark v1.4.0/4.7, NIST.800-171.r2 3.13.10, NIST.800-171.r2 3.13.16, NIST.800-171.r2 3.14.6, NIST.800-171.r2 3.14.7

**Category:** Detect > Detection services

**Severity:** Low

**Resource type:** `AWS::Logs::MetricFilter`, `AWS::CloudWatch::Alarm`, `AWS::CloudTrail::Trail`, `AWS::SNS::Topic`

**Amazon Config rule:** None (custom Security Hub CSPM rule)

**Schedule type:** Periodic

**Parameters:** None

You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms.

CIS recommends that you create a metric filter and alarm for customer managed keys that have changed state to disabled or scheduled deletion. Data encrypted with disabled or deleted keys is no longer accessible.

To run this check, Security Hub CSPM uses custom logic to perform the exact audit steps prescribed for control 4.7 in the [CIS Amazon Foundations Benchmark v1.4.0](https://acrobat.adobe.com/link/track?uri=urn:aaid:scds:US:2e5fec5c-5e99-4fb5-b08d-bb46b14754c1#pageNum=1). This control fails if the exact metric filters prescribed by CIS are not used. Additional fields or terms cannot be added to the metric filters. The control also fails if `ExcludeManagementEventSources` contains `kms.amazonaws.com`.

**Note**  
When Security Hub CSPM performs the check for this control, it looks for CloudTrail trails that the current account uses. These trails might be organization trails that belong to another account. Multi-Region trails also might be based in a different Region.  
The check results in `FAILED` findings in the following cases:
+ No trail is configured.
+ The available trails that are in the current Region and that are owned by the current account do not meet the control requirements.

The check results in a control status of `NO_DATA` in the following cases:
+ A multi-Region trail is based in a different Region. Security Hub CSPM can only generate findings in the Region where the trail is based.
+ A multi-Region trail belongs to a different account. Security Hub CSPM can only generate findings for the account that owns the trail.

We recommend using organization trails to log events from many accounts in an organization. Organization trails are multi-Region trails by default and can only be managed by the Amazon Organizations management account or the CloudTrail delegated administrator account. Using an organization trail results in a control status of `NO_DATA` for controls evaluated in organization member accounts. In member accounts, Security Hub CSPM only generates findings for member-owned resources. Findings that pertain to organization trails are generated in the resource owner's account. You can see these findings in your Security Hub CSPM delegated administrator account by using cross-Region aggregation.  
For the alarm, the current account must either own the referenced Amazon SNS topic, or must get access to the Amazon SNS topic by calling `ListSubscriptionsByTopic`. Otherwise Security Hub CSPM generates `WARNING` findings for the control.

### Remediation


To pass this control, follow these steps to create an Amazon SNS topic, an Amazon CloudTrail trail, a metric filter, and an alarm for the metric filter.

1. Create an Amazon SNS topic. For instructions, see [Getting started with Amazon SNS](https://docs.amazonaws.cn/sns/latest/dg/sns-getting-started.html#CreateTopic) in the *Amazon Simple Notification Service Developer Guide*. Create a topic that receives all CIS alarms, and create at least one subscription to the topic.

1. Create a CloudTrail trail that applies to all Amazon Web Services Regions. For instructions, see [Creating a trail](https://docs.amazonaws.cn/awscloudtrail/latest/userguide/cloudtrail-create-a-trail-using-the-console-first-time.html) in the *Amazon CloudTrail User Guide*.

   Make note of the name of the CloudWatch Logs log group that you associate with the CloudTrail trail. You create the metric filter for that log group in the next step.

1. Create a metric filter. For instructions, see [Create a metric filter for a log group](https://docs.amazonaws.cn/AmazonCloudWatch/latest/logs/CreateMetricFilterProcedure.html) in the *Amazon CloudWatch User Guide*. Use the following values:    
[\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/cloudwatch-controls.html)

1. Create an alarm based on the filter. For instructions, see [Create a CloudWatch alarm based on a log group-metric filter](https://docs.amazonaws.cn/AmazonCloudWatch/latest/monitoring/Alarm-On-Logs.html) in the *Amazon CloudWatch User Guide*. Use the following values:    
[\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/cloudwatch-controls.html)

## [CloudWatch.8] Ensure a log metric filter and alarm exist for S3 bucket policy changes


**Related requirements:** CIS Amazon Foundations Benchmark v1.2.0/3.8, CIS Amazon Foundations Benchmark v1.4.0/4.8, NIST.800-171.r2 3.14.6, NIST.800-171.r2 3.14.7

**Category:** Detect > Detection services

**Severity:** Low

**Resource type:** `AWS::Logs::MetricFilter`, `AWS::CloudWatch::Alarm`, `AWS::CloudTrail::Trail`, `AWS::SNS::Topic`

**Amazon Config rule:** None (custom Security Hub CSPM rule)

**Schedule type:** Periodic

**Parameters:** None

You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms.

CIS recommends that you create a metric filter and alarm for changes to S3 bucket policies. Monitoring these changes might reduce time to detect and correct permissive policies on sensitive S3 buckets.

To run this check, Security Hub CSPM uses custom logic to perform the exact audit steps prescribed for control 4.8 in the [CIS Amazon Foundations Benchmark v1.4.0](https://acrobat.adobe.com/link/track?uri=urn:aaid:scds:US:2e5fec5c-5e99-4fb5-b08d-bb46b14754c1#pageNum=1). This control fails if the exact metric filters prescribed by CIS are not used. Additional fields or terms cannot be added to the metric filters.

**Note**  
When Security Hub CSPM performs the check for this control, it looks for CloudTrail trails that the current account uses. These trails might be organization trails that belong to another account. Multi-Region trails also might be based in a different Region.  
The check results in `FAILED` findings in the following cases:
+ No trail is configured.
+ The available trails that are in the current Region and that are owned by the current account do not meet the control requirements.

The check results in a control status of `NO_DATA` in the following cases:
+ A multi-Region trail is based in a different Region. Security Hub CSPM can only generate findings in the Region where the trail is based.
+ A multi-Region trail belongs to a different account. Security Hub CSPM can only generate findings for the account that owns the trail.

We recommend using organization trails to log events from many accounts in an organization. Organization trails are multi-Region trails by default and can only be managed by the Amazon Organizations management account or the CloudTrail delegated administrator account. Using an organization trail results in a control status of `NO_DATA` for controls evaluated in organization member accounts. In member accounts, Security Hub CSPM only generates findings for member-owned resources. Findings that pertain to organization trails are generated in the resource owner's account. You can see these findings in your Security Hub CSPM delegated administrator account by using cross-Region aggregation.  
For the alarm, the current account must either own the referenced Amazon SNS topic, or must get access to the Amazon SNS topic by calling `ListSubscriptionsByTopic`. Otherwise Security Hub CSPM generates `WARNING` findings for the control.

### Remediation


To pass this control, follow these steps to create an Amazon SNS topic, an Amazon CloudTrail trail, a metric filter, and an alarm for the metric filter.

1. Create an Amazon SNS topic. For instructions, see [Getting started with Amazon SNS](https://docs.amazonaws.cn/sns/latest/dg/sns-getting-started.html#CreateTopic) in the *Amazon Simple Notification Service Developer Guide*. Create a topic that receives all CIS alarms, and create at least one subscription to the topic.

1. Create a CloudTrail trail that applies to all Amazon Web Services Regions. For instructions, see [Creating a trail](https://docs.amazonaws.cn/awscloudtrail/latest/userguide/cloudtrail-create-a-trail-using-the-console-first-time.html) in the *Amazon CloudTrail User Guide*.

   Make note of the name of the CloudWatch Logs log group that you associate with the CloudTrail trail. You create the metric filter for that log group in the next step.

1. Create a metric filter. For instructions, see [Create a metric filter for a log group](https://docs.amazonaws.cn/AmazonCloudWatch/latest/logs/CreateMetricFilterProcedure.html) in the *Amazon CloudWatch User Guide*. Use the following values:    
[\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/cloudwatch-controls.html)

1. Create an alarm based on the filter. For instructions, see [Create a CloudWatch alarm based on a log group-metric filter](https://docs.amazonaws.cn/AmazonCloudWatch/latest/monitoring/Alarm-On-Logs.html) in the *Amazon CloudWatch User Guide*. Use the following values:    
[\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/cloudwatch-controls.html)

## [CloudWatch.9] Ensure a log metric filter and alarm exist for Amazon Config configuration changes


**Related requirements:** CIS Amazon Foundations Benchmark v1.2.0/3.9, CIS Amazon Foundations Benchmark v1.4.0/4.9, NIST.800-171.r2 3.3.8, NIST.800-171.r2 3.14.6, NIST.800-171.r2 3.14.7

**Category:** Detect > Detection services

**Severity:** Low

**Resource type:** `AWS::Logs::MetricFilter`, `AWS::CloudWatch::Alarm`, `AWS::CloudTrail::Trail`, `AWS::SNS::Topic`

**Amazon Config rule:** None (custom Security Hub CSPM rule)

**Schedule type:** Periodic

**Parameters:** None

You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms.

CIS recommends that you create a metric filter and alarm for changes to Amazon Config configuration settings. Monitoring these changes helps ensure sustained visibility of configuration items in the account.

To run this check, Security Hub CSPM uses custom logic to perform the exact audit steps prescribed for control 4.9 in the [CIS Amazon Foundations Benchmark v1.4.0](https://acrobat.adobe.com/link/track?uri=urn:aaid:scds:US:2e5fec5c-5e99-4fb5-b08d-bb46b14754c1#pageNum=1). This control fails if the exact metric filters prescribed by CIS are not used. Additional fields or terms cannot be added to the metric filters.

**Note**  
When Security Hub CSPM performs the check for this control, it looks for CloudTrail trails that the current account uses. These trails might be organization trails that belong to another account. Multi-Region trails also might be based in a different Region.  
The check results in `FAILED` findings in the following cases:
+ No trail is configured.
+ The available trails that are in the current Region and that are owned by the current account do not meet the control requirements.

The check results in a control status of `NO_DATA` in the following cases:
+ A multi-Region trail is based in a different Region. Security Hub CSPM can only generate findings in the Region where the trail is based.
+ A multi-Region trail belongs to a different account. Security Hub CSPM can only generate findings for the account that owns the trail.

We recommend using organization trails to log events from many accounts in an organization. Organization trails are multi-Region trails by default and can only be managed by the Amazon Organizations management account or the CloudTrail delegated administrator account. Using an organization trail results in a control status of `NO_DATA` for controls evaluated in organization member accounts. In member accounts, Security Hub CSPM only generates findings for member-owned resources. Findings that pertain to organization trails are generated in the resource owner's account. You can see these findings in your Security Hub CSPM delegated administrator account by using cross-Region aggregation.  
For the alarm, the current account must either own the referenced Amazon SNS topic, or must get access to the Amazon SNS topic by calling `ListSubscriptionsByTopic`. Otherwise Security Hub CSPM generates `WARNING` findings for the control.

### Remediation


To pass this control, follow these steps to create an Amazon SNS topic, an Amazon CloudTrail trail, a metric filter, and an alarm for the metric filter.

1. Create an Amazon SNS topic. For instructions, see [Getting started with Amazon SNS](https://docs.amazonaws.cn/sns/latest/dg/sns-getting-started.html#CreateTopic) in the *Amazon Simple Notification Service Developer Guide*. Create a topic that receives all CIS alarms, and create at least one subscription to the topic.

1. Create a CloudTrail trail that applies to all Amazon Web Services Regions. For instructions, see [Creating a trail](https://docs.amazonaws.cn/awscloudtrail/latest/userguide/cloudtrail-create-a-trail-using-the-console-first-time.html) in the *Amazon CloudTrail User Guide*.

   Make note of the name of the CloudWatch Logs log group that you associate with the CloudTrail trail. You create the metric filter for that log group in the next step.

1. Create a metric filter. For instructions, see [Create a metric filter for a log group](https://docs.amazonaws.cn/AmazonCloudWatch/latest/logs/CreateMetricFilterProcedure.html) in the *Amazon CloudWatch User Guide*. Use the following values:    
[\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/cloudwatch-controls.html)

1. Create an alarm based on the filter. For instructions, see [Create a CloudWatch alarm based on a log group-metric filter](https://docs.amazonaws.cn/AmazonCloudWatch/latest/monitoring/Alarm-On-Logs.html) in the *Amazon CloudWatch User Guide*. Use the following values:    
[\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/cloudwatch-controls.html)

## [CloudWatch.10] Ensure a log metric filter and alarm exist for security group changes


**Related requirements:** CIS Amazon Foundations Benchmark v1.2.0/3.10, CIS Amazon Foundations Benchmark v1.4.0/4.10, NIST.800-171.r2 3.14.6, NIST.800-171.r2 3.14.7

**Category:** Detect > Detection services

**Severity:** Low

**Resource type:** `AWS::Logs::MetricFilter`, `AWS::CloudWatch::Alarm`, `AWS::CloudTrail::Trail`, `AWS::SNS::Topic`

**Amazon Config rule:** None (custom Security Hub CSPM rule)

**Schedule type:** Periodic

**Parameters:** None

You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Security groups are a stateful packet filter that controls ingress and egress traffic in a VPC.

CIS recommends that you create a metric filter and alarm for changes to security groups. Monitoring these changes helps ensure that resources and services aren't unintentionally exposed. 

To run this check, Security Hub CSPM uses custom logic to perform the exact audit steps prescribed for control 4.10 in the [CIS Amazon Foundations Benchmark v1.4.0](https://acrobat.adobe.com/link/track?uri=urn:aaid:scds:US:2e5fec5c-5e99-4fb5-b08d-bb46b14754c1#pageNum=1). This control fails if the exact metric filters prescribed by CIS are not used. Additional fields or terms cannot be added to the metric filters.

**Note**  
When Security Hub CSPM performs the check for this control, it looks for CloudTrail trails that the current account uses. These trails might be organization trails that belong to another account. Multi-Region trails also might be based in a different Region.  
The check results in `FAILED` findings in the following cases:
+ No trail is configured.
+ The available trails that are in the current Region and that are owned by the current account do not meet the control requirements.

The check results in a control status of `NO_DATA` in the following cases:
+ A multi-Region trail is based in a different Region. Security Hub CSPM can only generate findings in the Region where the trail is based.
+ A multi-Region trail belongs to a different account. Security Hub CSPM can only generate findings for the account that owns the trail.

We recommend using organization trails to log events from many accounts in an organization. Organization trails are multi-Region trails by default and can only be managed by the Amazon Organizations management account or the CloudTrail delegated administrator account. Using an organization trail results in a control status of `NO_DATA` for controls evaluated in organization member accounts. In member accounts, Security Hub CSPM only generates findings for member-owned resources. Findings that pertain to organization trails are generated in the resource owner's account. You can see these findings in your Security Hub CSPM delegated administrator account by using cross-Region aggregation.  
For the alarm, the current account must either own the referenced Amazon SNS topic, or must get access to the Amazon SNS topic by calling `ListSubscriptionsByTopic`. Otherwise Security Hub CSPM generates `WARNING` findings for the control.

### Remediation


To pass this control, follow these steps to create an Amazon SNS topic, an Amazon CloudTrail trail, a metric filter, and an alarm for the metric filter.

1. Create an Amazon SNS topic. For instructions, see [Getting started with Amazon SNS](https://docs.amazonaws.cn/sns/latest/dg/sns-getting-started.html#CreateTopic) in the *Amazon Simple Notification Service Developer Guide*. Create a topic that receives all CIS alarms, and create at least one subscription to the topic.

1. Create a CloudTrail trail that applies to all Amazon Web Services Regions. For instructions, see [Creating a trail](https://docs.amazonaws.cn/awscloudtrail/latest/userguide/cloudtrail-create-a-trail-using-the-console-first-time.html) in the *Amazon CloudTrail User Guide*.

   Make note of the name of the CloudWatch Logs log group that you associate with the CloudTrail trail. You create the metric filter for that log group in the next step.

1. Create a metric filter. For instructions, see [Create a metric filter for a log group](https://docs.amazonaws.cn/AmazonCloudWatch/latest/logs/CreateMetricFilterProcedure.html) in the *Amazon CloudWatch User Guide*. Use the following values:    
[\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/cloudwatch-controls.html)

1. Create an alarm based on the filter. For instructions, see [Create a CloudWatch alarm based on a log group-metric filter](https://docs.amazonaws.cn/AmazonCloudWatch/latest/monitoring/Alarm-On-Logs.html) in the *Amazon CloudWatch User Guide*. Use the following values:    
[\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/cloudwatch-controls.html)

## [CloudWatch.11] Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)


**Related requirements:** CIS Amazon Foundations Benchmark v1.2.0/3.11, CIS Amazon Foundations Benchmark v1.4.0/4.11, NIST.800-171.r2 3.14.6, NIST.800-171.r2 3.14.7

**Category:** Detect > Detection services

**Severity:** Low

**Resource type:** `AWS::Logs::MetricFilter`, `AWS::CloudWatch::Alarm`, `AWS::CloudTrail::Trail`, `AWS::SNS::Topic`

**Amazon Config rule:** None (custom Security Hub CSPM rule)

**Schedule type:** Periodic

**Parameters:** None

You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. NACLs are used as a stateless packet filter to control ingress and egress traffic for subnets in a VPC.

CIS recommends that you create a metric filter and alarm for changes to NACLs. Monitoring these changes helps ensure that Amazon resources and services aren't unintentionally exposed. 

To run this check, Security Hub CSPM uses custom logic to perform the exact audit steps prescribed for control 4.11 in the [CIS Amazon Foundations Benchmark v1.4.0](https://acrobat.adobe.com/link/track?uri=urn:aaid:scds:US:2e5fec5c-5e99-4fb5-b08d-bb46b14754c1#pageNum=1). This control fails if the exact metric filters prescribed by CIS are not used. Additional fields or terms cannot be added to the metric filters.

**Note**  
When Security Hub CSPM performs the check for this control, it looks for CloudTrail trails that the current account uses. These trails might be organization trails that belong to another account. Multi-Region trails also might be based in a different Region.  
The check results in `FAILED` findings in the following cases:
+ No trail is configured.
+ The available trails that are in the current Region and that are owned by the current account do not meet the control requirements.

The check results in a control status of `NO_DATA` in the following cases:
+ A multi-Region trail is based in a different Region. Security Hub CSPM can only generate findings in the Region where the trail is based.
+ A multi-Region trail belongs to a different account. Security Hub CSPM can only generate findings for the account that owns the trail.

We recommend using organization trails to log events from many accounts in an organization. Organization trails are multi-Region trails by default and can only be managed by the Amazon Organizations management account or the CloudTrail delegated administrator account. Using an organization trail results in a control status of `NO_DATA` for controls evaluated in organization member accounts. In member accounts, Security Hub CSPM only generates findings for member-owned resources. Findings that pertain to organization trails are generated in the resource owner's account. You can see these findings in your Security Hub CSPM delegated administrator account by using cross-Region aggregation.  
For the alarm, the current account must either own the referenced Amazon SNS topic, or must get access to the Amazon SNS topic by calling `ListSubscriptionsByTopic`. Otherwise Security Hub CSPM generates `WARNING` findings for the control.

### Remediation


To pass this control, follow these steps to create an Amazon SNS topic, an Amazon CloudTrail trail, a metric filter, and an alarm for the metric filter.

1. Create an Amazon SNS topic. For instructions, see [Getting started with Amazon SNS](https://docs.amazonaws.cn/sns/latest/dg/sns-getting-started.html#CreateTopic) in the *Amazon Simple Notification Service Developer Guide*. Create a topic that receives all CIS alarms, and create at least one subscription to the topic.

1. Create a CloudTrail trail that applies to all Amazon Web Services Regions. For instructions, see [Creating a trail](https://docs.amazonaws.cn/awscloudtrail/latest/userguide/cloudtrail-create-a-trail-using-the-console-first-time.html) in the *Amazon CloudTrail User Guide*.

   Make note of the name of the CloudWatch Logs log group that you associate with the CloudTrail trail. You create the metric filter for that log group in the next step.

1. Create a metric filter. For instructions, see [Create a metric filter for a log group](https://docs.amazonaws.cn/AmazonCloudWatch/latest/logs/CreateMetricFilterProcedure.html) in the *Amazon CloudWatch User Guide*. Use the following values:    
[\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/cloudwatch-controls.html)

1. Create an alarm based on the filter. For instructions, see [Create a CloudWatch alarm based on a log group-metric filter](https://docs.amazonaws.cn/AmazonCloudWatch/latest/monitoring/Alarm-On-Logs.html) in the *Amazon CloudWatch User Guide*. Use the following values:    
[\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/cloudwatch-controls.html)

## [CloudWatch.12] Ensure a log metric filter and alarm exist for changes to network gateways


**Related requirements:** CIS Amazon Foundations Benchmark v1.2.0/3.12, CIS Amazon Foundations Benchmark v1.4.0/4.12, NIST.800-171.r2 3.3.1, NIST.800-171.r2 3.13.1

**Category:** Detect > Detection services

**Severity:** Low

**Resource type:** `AWS::Logs::MetricFilter`, `AWS::CloudWatch::Alarm`, `AWS::CloudTrail::Trail`, `AWS::SNS::Topic`

**Amazon Config rule:** None (custom Security Hub CSPM rule)

**Schedule type:** Periodic

**Parameters:** None

You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Network gateways are required to send and receive traffic to a destination outside a VPC.

CIS recommends that you create a metric filter and alarm for changes to network gateways. Monitoring these changes helps ensure that all ingress and egress traffic traverses the VPC border via a controlled path.

To run this check, Security Hub CSPM uses custom logic to perform the exact audit steps prescribed for control 4.12 in the [CIS Amazon Foundations Benchmark v1.2](https://acrobat.adobe.com/link/track?uri=urn:aaid:scds:US:2e5fec5c-5e99-4fb5-b08d-bb46b14754c1#pageNum=1). This control fails if the exact metric filters prescribed by CIS are not used. Additional fields or terms cannot be added to the metric filters.

**Note**  
When Security Hub CSPM performs the check for this control, it looks for CloudTrail trails that the current account uses. These trails might be organization trails that belong to another account. Multi-Region trails also might be based in a different Region.  
The check results in `FAILED` findings in the following cases:
+ No trail is configured.
+ The available trails that are in the current Region and that are owned by the current account do not meet the control requirements.

The check results in a control status of `NO_DATA` in the following cases:
+ A multi-Region trail is based in a different Region. Security Hub CSPM can only generate findings in the Region where the trail is based.
+ A multi-Region trail belongs to a different account. Security Hub CSPM can only generate findings for the account that owns the trail.

We recommend using organization trails to log events from many accounts in an organization. Organization trails are multi-Region trails by default and can only be managed by the Amazon Organizations management account or the CloudTrail delegated administrator account. Using an organization trail results in a control status of `NO_DATA` for controls evaluated in organization member accounts. In member accounts, Security Hub CSPM only generates findings for member-owned resources. Findings that pertain to organization trails are generated in the resource owner's account. You can see these findings in your Security Hub CSPM delegated administrator account by using cross-Region aggregation.  
For the alarm, the current account must either own the referenced Amazon SNS topic, or must get access to the Amazon SNS topic by calling `ListSubscriptionsByTopic`. Otherwise Security Hub CSPM generates `WARNING` findings for the control.

### Remediation


To pass this control, follow these steps to create an Amazon SNS topic, an Amazon CloudTrail trail, a metric filter, and an alarm for the metric filter.

1. Create an Amazon SNS topic. For instructions, see [Getting started with Amazon SNS](https://docs.amazonaws.cn/sns/latest/dg/sns-getting-started.html#CreateTopic) in the *Amazon Simple Notification Service Developer Guide*. Create a topic that receives all CIS alarms, and create at least one subscription to the topic.

1. Create a CloudTrail trail that applies to all Amazon Web Services Regions. For instructions, see [Creating a trail](https://docs.amazonaws.cn/awscloudtrail/latest/userguide/cloudtrail-create-a-trail-using-the-console-first-time.html) in the *Amazon CloudTrail User Guide*.

   Make note of the name of the CloudWatch Logs log group that you associate with the CloudTrail trail. You create the metric filter for that log group in the next step.

1. Create a metric filter. For instructions, see [Create a metric filter for a log group](https://docs.amazonaws.cn/AmazonCloudWatch/latest/logs/CreateMetricFilterProcedure.html) in the *Amazon CloudWatch User Guide*. Use the following values:    
[\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/cloudwatch-controls.html)

1. Create an alarm based on the filter. For instructions, see [Create a CloudWatch alarm based on a log group-metric filter](https://docs.amazonaws.cn/AmazonCloudWatch/latest/monitoring/Alarm-On-Logs.html) in the *Amazon CloudWatch User Guide*. Use the following values:    
[\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/cloudwatch-controls.html)

## [CloudWatch.13] Ensure a log metric filter and alarm exist for route table changes


**Related requirements:** CIS Amazon Foundations Benchmark v1.2.0/3.13, CIS Amazon Foundations Benchmark v1.4.0/4.13, NIST.800-171.r2 3.3.1, NIST.800-171.r2 3.13.1, NIST.800-171.r2 3.14.6, NIST.800-171.r2 3.14.7

**Category:** Detect > Detection services

**Severity:** Low

**Resource type:** `AWS::Logs::MetricFilter`, `AWS::CloudWatch::Alarm`, `AWS::CloudTrail::Trail`, `AWS::SNS::Topic`

**Amazon Config rule:** None (custom Security Hub CSPM rule)

**Schedule type:** Periodic

**Parameters:** None

This control checks whether you monitor API calls in real time by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Routing tables route network traffic between subnets and to network gateways.

CIS recommends that you create a metric filter and alarm for changes to route tables. Monitoring these changes helps ensure that all VPC traffic flows through an expected path.

**Note**  
When Security Hub CSPM performs the check for this control, it looks for CloudTrail trails that the current account uses. These trails might be organization trails that belong to another account. Multi-Region trails also might be based in a different Region.  
The check results in `FAILED` findings in the following cases:
+ No trail is configured.
+ The available trails that are in the current Region and that are owned by the current account do not meet the control requirements.

The check results in a control status of `NO_DATA` in the following cases:
+ A multi-Region trail is based in a different Region. Security Hub CSPM can only generate findings in the Region where the trail is based.
+ A multi-Region trail belongs to a different account. Security Hub CSPM can only generate findings for the account that owns the trail.

We recommend using organization trails to log events from many accounts in an organization. Organization trails are multi-Region trails by default and can only be managed by the Amazon Organizations management account or the CloudTrail delegated administrator account. Using an organization trail results in a control status of `NO_DATA` for controls evaluated in organization member accounts. In member accounts, Security Hub CSPM only generates findings for member-owned resources. Findings that pertain to organization trails are generated in the resource owner's account. You can see these findings in your Security Hub CSPM delegated administrator account by using cross-Region aggregation.  
For the alarm, the current account must either own the referenced Amazon SNS topic, or must get access to the Amazon SNS topic by calling `ListSubscriptionsByTopic`. Otherwise Security Hub CSPM generates `WARNING` findings for the control.

### Remediation


**Note**  
Our recommended filter pattern in these remediation steps differs from the filter pattern in the CIS guidance. Our recommended filters target only events coming from Amazon Elastic Compute Cloud (EC2) API calls.

To pass this control, follow these steps to create an Amazon SNS topic, an Amazon CloudTrail trail, a metric filter, and an alarm for the metric filter.

1. Create an Amazon SNS topic. For instructions, see [Getting started with Amazon SNS](https://docs.amazonaws.cn/sns/latest/dg/sns-getting-started.html#CreateTopic) in the *Amazon Simple Notification Service Developer Guide*. Create a topic that receives all CIS alarms, and create at least one subscription to the topic.

1. Create a CloudTrail trail that applies to all Amazon Web Services Regions. For instructions, see [Creating a trail](https://docs.amazonaws.cn/awscloudtrail/latest/userguide/cloudtrail-create-a-trail-using-the-console-first-time.html) in the *Amazon CloudTrail User Guide*.

   Make note of the name of the CloudWatch Logs log group that you associate with the CloudTrail trail. You create the metric filter for that log group in the next step.

1. Create a metric filter. For instructions, see [Create a metric filter for a log group](https://docs.amazonaws.cn/AmazonCloudWatch/latest/logs/CreateMetricFilterProcedure.html) in the *Amazon CloudWatch User Guide*. Use the following values:    
[\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/cloudwatch-controls.html)

1. Create an alarm based on the filter. For instructions, see [Create a CloudWatch alarm based on a log group-metric filter](https://docs.amazonaws.cn/AmazonCloudWatch/latest/monitoring/Alarm-On-Logs.html) in the *Amazon CloudWatch User Guide*. Use the following values:    
[\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/cloudwatch-controls.html)

## [CloudWatch.14] Ensure a log metric filter and alarm exist for VPC changes


**Related requirements:** CIS Amazon Foundations Benchmark v1.2.0/3.14, CIS Amazon Foundations Benchmark v1.4.0/4.14, NIST.800-171.r2 3.3.1, NIST.800-171.r2 3.13.1, NIST.800-171.r2 3.14.6, NIST.800-171.r2 3.14.7

**Category:** Detect > Detection services

**Severity:** Low

**Resource type:** `AWS::Logs::MetricFilter`, `AWS::CloudWatch::Alarm`, `AWS::CloudTrail::Trail`, `AWS::SNS::Topic`

**Amazon Config rule:** None (custom Security Hub CSPM rule)

**Schedule type:** Periodic

**Parameters:** None

You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. You can have more than one VPC in an account, and you can create a peer connection between two VPCs, enabling network traffic to route between VPCs.

CIS recommends that you create a metric filter and alarm for changes to VPCs. Monitoring these changes helps ensure that authentication and authorization controls remain intact.

To run this check, Security Hub CSPM uses custom logic to perform the exact audit steps prescribed for control 4.14 in the [CIS Amazon Foundations Benchmark v1.4.0](https://acrobat.adobe.com/link/track?uri=urn:aaid:scds:US:2e5fec5c-5e99-4fb5-b08d-bb46b14754c1#pageNum=1). This control fails if the exact metric filters prescribed by CIS are not used. Additional fields or terms cannot be added to the metric filters.

**Note**  
When Security Hub CSPM performs the check for this control, it looks for CloudTrail trails that the current account uses. These trails might be organization trails that belong to another account. Multi-Region trails also might be based in a different Region.  
The check results in `FAILED` findings in the following cases:  

+ No trail is configured.
+ The available trails that are in the current Region and that are owned by the current account do not meet the control requirements.

The check results in a control status of `NO_DATA` in the following cases:  

+ A multi-Region trail is based in a different Region. Security Hub CSPM can only generate findings in the Region where the trail is based.
+ A multi-Region trail belongs to a different account. Security Hub CSPM can only generate findings for the account that owns the trail.

We recommend organization trails to log events from many accounts in an organization. Organization trails are multi-Region trails by default and can only be managed by the Amazon Organizations management account or the CloudTrail delegated administrator account. Using an organization trail results in a control status of `NO_DATA` for controls evaluated in organization member accounts. In member accounts, Security Hub CSPM only generates findings for member-owned resources. Findings that pertain to organization trails are generated in the resource owner's account. You can see these findings in your Security Hub CSPM delegated administrator account by using cross-Region aggregation.
For the alarm, the current account must either own the referenced Amazon SNS topic, or must get access to the Amazon SNS topic by calling `ListSubscriptionsByTopic`. Otherwise Security Hub CSPM generates `WARNING` findings for the control.
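The Note above (shared by CloudWatch.13) describes a decision with several outcomes. The following is an added example, not Security Hub CSPM code, that models that decision over constructed records: it walks the chain trail, log group, metric filter, alarm, SNS topic, and returns `PASSED`, `FAILED`, `NO_DATA` or `WARNING` as the Note describes. The account IDs, ARNs, names and `REQUIRED_PATTERN` are all placeholders; in particular `REQUIRED_PATTERN` stands in for the exact filter pattern from the control's remediation table and is not the CIS pattern.

```python
"""Offline model of the decision the Note describes for CIS CloudTrail-to-CloudWatch
controls such as CloudWatch.13 and CloudWatch.14. Added example, not Security Hub code:
every trail, filter, alarm and topic here is constructed, and REQUIRED_PATTERN is a
placeholder for the exact pattern from the control's remediation table."""

from dataclasses import dataclass, field
from typing import List, Optional

# Placeholder only: use the pattern from the control's remediation table in practice.
REQUIRED_PATTERN = "{ ($.eventName = PlaceholderEvent) }"


@dataclass
class Trail:
    name: str
    owner_account: str
    home_region: str           # Region the trail is based in
    multi_region: bool
    log_group: Optional[str]   # CloudWatch Logs log group the trail delivers to


@dataclass
class MetricFilter:
    log_group: str
    pattern: str
    metric_name: str


@dataclass
class Alarm:
    metric_name: str
    alarm_actions: List[str] = field(default_factory=list)  # SNS topic ARNs


@dataclass
class Topic:
    arn: str
    owner_account: str
    subscriptions: int
    list_subscriptions_allowed: bool  # may the current account call ListSubscriptionsByTopic?


def normalize(pattern: str) -> str:
    """Collapse whitespace; the terms themselves must match the prescribed pattern exactly."""
    return " ".join(pattern.split())


def evaluate_trail(trail: Trail, filters, alarms, topics, account: str) -> str:
    """Follow the chain trail -> log group -> metric filter -> alarm -> SNS topic."""
    if trail.log_group is None:
        return "FAILED"
    filter_metrics = {f.metric_name for f in filters
                      if f.log_group == trail.log_group
                      and normalize(f.pattern) == normalize(REQUIRED_PATTERN)}
    if not filter_metrics:
        return "FAILED"        # no filter with the exact prescribed pattern
    saw_warning = False
    for alarm in alarms:
        if alarm.metric_name not in filter_metrics:
            continue
        for arn in alarm.alarm_actions:
            topic = next((t for t in topics if t.arn == arn), None)
            if topic is None:
                continue
            if topic.owner_account != account and not topic.list_subscriptions_allowed:
                saw_warning = True  # topic exists but its subscriptions cannot be verified
            elif topic.subscriptions >= 1:
                return "PASSED"
    return "WARNING" if saw_warning else "FAILED"


def evaluate_control(account: str, region: str, trails, filters, alarms, topics) -> str:
    """Apply the FAILED and NO_DATA cases from the Note, then evaluate the local trails."""
    visible = [t for t in trails if t.home_region == region or t.multi_region]
    if not visible:
        return "FAILED"        # no trail is configured
    local = [t for t in visible if t.owner_account == account and t.home_region == region]
    if not local:
        return "NO_DATA"       # only trails based in another Region or owned by another account
    results = {evaluate_trail(t, filters, alarms, topics, account) for t in local}
    for status in ("PASSED", "WARNING"):
        if status in results:
            return status
    return "FAILED"


def sample_results() -> dict:
    """Constructed scenarios for sample account 111122223333 in us-east-1."""
    account, region = "111122223333", "us-east-1"
    own_topic = Topic("arn:aws:sns:us-east-1:111122223333:cis-alarms", account, 1, True)
    shared_topic = Topic("arn:aws:sns:us-east-1:444455556666:shared", "444455556666", 1, False)
    exact = MetricFilter("cloudtrail-logs", REQUIRED_PATTERN, "CisMetric")
    extended = MetricFilter("cloudtrail-logs",
                            "{ ($.eventName = PlaceholderEvent) || ($.eventName = Extra) }",
                            "CisMetric")
    local = Trail("mgmt-trail", account, region, True, "cloudtrail-logs")
    elsewhere = Trail("org-trail", account, "eu-west-1", True, "cloudtrail-logs")
    alarm_own = [Alarm("CisMetric", [own_topic.arn])]
    alarm_shared = [Alarm("CisMetric", [shared_topic.arn])]
    return {
        "passed": evaluate_control(account, region, [local], [exact], alarm_own, [own_topic]),
        "no_trail": evaluate_control(account, region, [], [], [], []),
        "trail_in_other_region": evaluate_control(account, region, [elsewhere], [exact], alarm_own, [own_topic]),
        "extra_filter_term": evaluate_control(account, region, [local], [extended], alarm_own, [own_topic]),
        "topic_not_verifiable": evaluate_control(account, region, [local], [exact], alarm_shared, [shared_topic]),
    }
```

The `extra_filter_term` scenario is the case the CloudWatch.14 text calls out: a filter that contains the prescribed terms plus one more still fails, because only the exact pattern counts. The `trail_in_other_region` scenario is what an organization trail looks like from a member account, which is why the Note points you to the trail owner's account for those findings.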

### Remediation


To pass this control, follow these steps to create an Amazon SNS topic, an Amazon CloudTrail trail, a metric filter, and an alarm for the metric filter.

1. Create an Amazon SNS topic. For instructions, see [Getting started with Amazon SNS](https://docs.amazonaws.cn/sns/latest/dg/sns-getting-started.html#CreateTopic) in the *Amazon Simple Notification Service Developer Guide*. Create a topic that receives all CIS alarms, and create at least one subscription to the topic.

1. Create a CloudTrail trail that applies to all Amazon Web Services Regions. For instructions, see [Creating a trail](https://docs.amazonaws.cn/awscloudtrail/latest/userguide/cloudtrail-create-a-trail-using-the-console-first-time.html) in the *Amazon CloudTrail User Guide*.

   Make note of the name of the CloudWatch Logs log group that you associate with the CloudTrail trail. You create the metric filter for that log group in the next step.

1. Create a metric filter. For instructions, see [Create a metric filter for a log group](https://docs.amazonaws.cn/AmazonCloudWatch/latest/logs/CreateMetricFilterProcedure.html) in the *Amazon CloudWatch User Guide*. Use the following values:    
[\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/cloudwatch-controls.html)

1. Create an alarm based on the filter. For instructions, see [Create a CloudWatch alarm based on a log group-metric filter](https://docs.amazonaws.cn/AmazonCloudWatch/latest/monitoring/Alarm-On-Logs.html) in the *Amazon CloudWatch User Guide*. Use the following values:    
[\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/cloudwatch-controls.html)

## [CloudWatch.15] CloudWatch alarms should have specified actions configured


**Related requirements:** NIST.800-53.r5 AU-6(1), NIST.800-53.r5 AU-6(5), NIST.800-53.r5 CA-7, NIST.800-53.r5 IR-4(1), NIST.800-53.r5 IR-4(5), NIST.800-53.r5 SI-2, NIST.800-53.r5 SI-20, NIST.800-53.r5 SI-4(12), NIST.800-53.r5 SI-4(5), NIST.800-171.r2 3.3.4, NIST.800-171.r2 3.14.6

**Category:** Detect > Detection services

**Severity:** High

**Resource type:** `AWS::CloudWatch::Alarm`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/cloudwatch-alarm-action-check.html](https://docs.amazonaws.cn/config/latest/developerguide/cloudwatch-alarm-action-check.html)

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  `alarmActionRequired`  |  The control produces a `PASSED` finding if the parameter is set to `true` and the alarm has an action when the alarm state changes to `ALARM`.  |  Boolean  |  Not customizable  |  `true`  | 
|  `insufficientDataActionRequired`  |  The control produces a `PASSED` finding if the parameter is set to `true` and the alarm has an action when the alarm state changes to `INSUFFICIENT_DATA`.  |  Boolean  |  `true` or `false`  |  `false`  | 
|  `okActionRequired`  |  The control produces a `PASSED` finding if the parameter is set to `true` and the alarm has an action when the alarm state changes to `OK`.  |  Boolean  |  `true` or `false`  |  `false`  | 

This control checks whether an Amazon CloudWatch alarm has at least one action configured for the `ALARM` state. The control fails if the alarm doesn't have an action configured for the `ALARM` state. Optionally, you can include custom parameter values to also require alarm actions for the `INSUFFICIENT_DATA` or `OK` states.

**Note**  
Security Hub CSPM evaluates this control based on CloudWatch metric alarms. Metric alarms may be part of composite alarms that have the specified actions configured. The control generates `FAILED` findings in the following cases:  
+ The specified actions aren't configured for a metric alarm.
+ The metric alarm is part of a composite alarm that has the specified actions configured.

This control focuses on whether a CloudWatch alarm has an alarm action configured, whereas [CloudWatch.17](#cloudwatch-17) focuses on the activation status of a CloudWatch alarm action.

We recommend CloudWatch alarm actions to automatically alert you when a monitored metric is outside the defined threshold. Monitoring alarms help you identify unusual activities and quickly respond to security and operational issues when an alarm goes into a specific state. The most common type of alarm action is to notify one or more users by sending a message to an Amazon Simple Notification Service (Amazon SNS) topic.

### Remediation


For information about actions supported by CloudWatch alarms, see [Alarm actions](https://docs.amazonaws.cn/AmazonCloudWatch/latest/monitoring/AlarmThatSendsEmail.html#alarms-and-actions) in the *Amazon CloudWatch User Guide*.

## [CloudWatch.16] CloudWatch log groups should be retained for a specified time period


**Category:** Identify > Logging

**Related requirements:** NIST.800-53.r5 AU-10, NIST.800-53.r5 AU-11, NIST.800-53.r5 AU-6(3), NIST.800-53.r5 AU-6(4), NIST.800-53.r5 CA-7, NIST.800-53.r5 SI-12

**Severity:** Medium

**Resource type:** `AWS::Logs::LogGroup`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/cw-loggroup-retention-period-check.html](https://docs.amazonaws.cn/config/latest/developerguide/cw-loggroup-retention-period-check.html)

**Schedule type:** Periodic

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  `minRetentionTime`  |  Minimum retention period in days for CloudWatch log groups  |  Enum  |  `365, 400, 545, 731, 1827, 3653`  |  `365`  | 

This control checks whether an Amazon CloudWatch log group has a retention period of at least the specified number of days. The control fails if the retention period is less than the specified number. Unless you provide a custom parameter value for the retention period, Security Hub CSPM uses a default value of 365 days.

CloudWatch Logs centralize logs from all of your systems, applications, and Amazon Web Services services in a single, highly scalable service. You can use CloudWatch Logs to monitor, store, and access your log files from Amazon Elastic Compute Cloud (EC2) instances, Amazon CloudTrail, Amazon Route 53, and other sources. Retaining your logs for at least 1 year can help you comply with log retention standards.

### Remediation


To configure log retention settings, see [Change log data retention in CloudWatch Logs](https://docs.amazonaws.cn/AmazonCloudWatch/latest/logs/Working-with-log-groups-and-streams.html#SettingLogRetention) in the *Amazon CloudWatch User Guide*.

## [CloudWatch.17] CloudWatch alarm actions should be activated


**Category:** Detect > Detection services

**Related requirements:** NIST.800-53.r5 AU-6(1), NIST.800-53.r5 AU-6(5), NIST.800-53.r5 CA-7, NIST.800-53.r5 SI-2, NIST.800-53.r5 SI-4(12)

**Severity:** High

**Resource type:** `AWS::CloudWatch::Alarm`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/cloudwatch-alarm-action-enabled-check.html](https://docs.amazonaws.cn/config/latest/developerguide/cloudwatch-alarm-action-enabled-check.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether CloudWatch alarm actions are activated (`ActionEnabled` should be set to true). The control fails if the alarm action for a CloudWatch alarm is deactivated.

**Note**  
Security Hub CSPM evaluates this control based on CloudWatch metric alarms. Metric alarms may be part of composite alarms that have the alarm actions activated. The control generates `FAILED` findings in the following cases:  
+ The specified actions aren't configured for a metric alarm.
+ The metric alarm is part of a composite alarm that has alarm actions activated.

This control focuses on the activation status of a CloudWatch alarm action, whereas [CloudWatch.15](#cloudwatch-15) focuses on whether any `ALARM` action is configured in a CloudWatch alarm.

Alarm actions automatically alert you when a monitored metric is outside the defined threshold. If the alarm action is deactivated, no actions are run when the alarm changes state, and you won't be alerted to changes in monitored metrics. We recommend activating CloudWatch alarm actions to help you quickly respond to security and operational issues.
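CloudWatch.15 and CloudWatch.17 look at two different attributes of the same alarm record, and an alarm can pass one while failing the other. The following added example, which is not code from the Security Hub CSPM documentation, evaluates both controls over constructed alarm records shaped like the `MetricAlarms` entries that the CloudWatch `DescribeAlarms` API returns (`AlarmName`, `ActionsEnabled`, `AlarmActions`, `OKActions`, `InsufficientDataActions`). The alarm names and SNS topic ARNs are placeholders.

```python
"""Added example (not Security Hub CSPM code): evaluate CloudWatch.15 and CloudWatch.17
over alarm records shaped like the MetricAlarms entries from DescribeAlarms.
The alarms below are constructed samples with placeholder ARNs."""

from typing import Dict, List

TOPIC = "arn:aws:sns:us-east-1:111122223333:ops"  # placeholder SNS topic ARN

# Constructed sample alarms covering the cases the two controls distinguish.
SAMPLE_ALARMS: List[Dict] = [
    {"AlarmName": "cpu-high", "ActionsEnabled": True,
     "AlarmActions": [TOPIC], "OKActions": [], "InsufficientDataActions": []},
    {"AlarmName": "no-actions", "ActionsEnabled": True,
     "AlarmActions": [], "OKActions": [], "InsufficientDataActions": []},
    {"AlarmName": "actions-disabled", "ActionsEnabled": False,
     "AlarmActions": [TOPIC], "OKActions": [], "InsufficientDataActions": []},
    {"AlarmName": "all-states", "ActionsEnabled": True,
     "AlarmActions": [TOPIC], "OKActions": [TOPIC], "InsufficientDataActions": [TOPIC]},
]


def cloudwatch_15(alarm: Dict, alarm_action_required: bool = True,
                  insufficient_data_action_required: bool = False,
                  ok_action_required: bool = False) -> str:
    """PASSED only when every state the parameters mark as required has at least
    one action configured. The defaults mirror the control's default parameter values."""
    required = (("AlarmActions", alarm_action_required),
                ("InsufficientDataActions", insufficient_data_action_required),
                ("OKActions", ok_action_required))
    for key, needed in required:
        if needed and not alarm.get(key):
            return "FAILED"
    return "PASSED"


def cloudwatch_17(alarm: Dict) -> str:
    """PASSED only when ActionsEnabled is true; a configured but deactivated action fails."""
    return "PASSED" if alarm.get("ActionsEnabled", False) else "FAILED"


def evaluate(alarms: List[Dict], **params) -> Dict[str, Dict[str, str]]:
    """Per-alarm results for both controls. Each metric alarm is judged on its own
    record: actions configured on a composite alarm that contains it do not count,
    which is the case the Notes for both controls call out."""
    return {a["AlarmName"]: {"CloudWatch.15": cloudwatch_15(a, **params),
                             "CloudWatch.17": cloudwatch_17(a)}
            for a in alarms}
```

Passing `ok_action_required=True` or `insufficient_data_action_required=True` to `evaluate` corresponds to customizing the `okActionRequired` and `insufficientDataActionRequired` parameters of CloudWatch.15: with those set, an alarm that only notifies on `ALARM` no longer passes.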

### Remediation


**To activate a CloudWatch alarm action (console)**

1. Open the CloudWatch console at [https://console.amazonaws.cn/cloudwatch/](https://console.amazonaws.cn/cloudwatch/).

1. In the navigation pane, under **Alarms**, choose **All alarms**.

1. Select the alarm that you want to activate actions for.

1. For **Actions**, choose **Alarm actions–new**, and then choose **Enable**.

For more information about activating CloudWatch alarm actions, see [Alarm actions](https://docs.amazonaws.cn/AmazonCloudWatch/latest/monitoring/AlarmThatSendsEmail.html#alarms-and-actions) in the *Amazon CloudWatch User Guide*.

# Security Hub CSPM controls for CodeArtifact
Amazon CodeArtifact controls

These Security Hub CSPM controls evaluate the Amazon CodeArtifact service and resources.

These controls may not be available in all Amazon Web Services Regions. For more information, see [Availability of controls by Region](securityhub-regions.md#securityhub-regions-control-support).

## [CodeArtifact.1] CodeArtifact repositories should be tagged


**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `AWS::CodeArtifact::Repository`

**Amazon Config rule:** `tagged-codeartifact-repository` (custom Security Hub CSPM rule)

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  `requiredTagKeys`  | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive.  | StringList (maximum of 6 items)  | 1–6 tag keys that meet [Amazon requirements](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-conventions).  | No default value  | 

This control checks whether an Amazon CodeArtifact repository has tags with the specific keys defined in the parameter `requiredTagKeys`. The control fails if the repository doesn’t have any tag keys or if it doesn’t have all the keys specified in the parameter `requiredTagKeys`. If the parameter `requiredTagKeys` isn't provided, the control only checks for the existence of a tag key and fails if the repository isn't tagged with any key. System tags, which are automatically applied and begin with `aws:`, are ignored.

A tag is a label that you assign to an Amazon resource, and it consists of a key and an optional value. You can create tags to categorize resources by purpose, owner, environment, or other criteria. Tags can help you identify, organize, search for, and filter resources. Tagging also helps you track accountable resource owners for actions and notifications. When you use tagging, you can implement attribute-based access control (ABAC) as an authorization strategy, which defines permissions based on tags. You can attach tags to IAM entities (users or roles) and to Amazon resources. You can create a single ABAC policy or a separate set of policies for your IAM principals. You can design these ABAC policies to allow operations when the principal's tag matches the resource tag. For more information, see [What is ABAC for Amazon?](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*.

**Note**  
Don’t add personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible to many Amazon Web Services services, including Amazon Billing. For more tagging best practices, see [Tagging your Amazon resources](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-best-practices) in the *Amazon Web Services General Reference*.

### Remediation


To add tags to a CodeArtifact repository, see [Tag a repository in CodeArtifact](https://docs.amazonaws.cn/codeartifact/latest/ug/tag-repositories.html) in the *Amazon CodeArtifact User Guide*.

# Security Hub CSPM controls for CodeBuild
Amazon CodeBuild controls

These Security Hub CSPM controls evaluate the Amazon CodeBuild service and resources.

These controls may not be available in all Amazon Web Services Regions. For more information, see [Availability of controls by Region](securityhub-regions.md#securityhub-regions-control-support).

## [CodeBuild.1] CodeBuild Bitbucket source repository URLs should not contain sensitive credentials


**Related requirements:** NIST.800-53.r5 SA-3, PCI DSS v3.2.1/8.2.1, PCI DSS v4.0.1/8.3.2

**Category:** Protect > Secure development

**Severity:** Critical

**Resource type:** `AWS::CodeBuild::Project`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/codebuild-project-source-repo-url-check.html](https://docs.amazonaws.cn/config/latest/developerguide/codebuild-project-source-repo-url-check.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether an Amazon CodeBuild project Bitbucket source repository URL contains personal access tokens or a user name and password. The control fails if the Bitbucket source repository URL contains personal access tokens or a user name and password.

**Note**  
This control evaluates both the primary source and secondary sources of a CodeBuild build project. For more information about project sources, see [Multiple input sources and output artifacts sample](https://docs.amazonaws.cn/codebuild/latest/userguide/sample-multi-in-out.html) in the *Amazon CodeBuild User Guide*.

Sign-in credentials shouldn't be stored or transmitted in clear text or appear in the source repository URL. Instead of personal access tokens or sign-in credentials, you should access your source provider in CodeBuild, and change your source repository URL to contain only the path to the Bitbucket repository location. Using personal access tokens or sign-in credentials could result in unintended data exposure or unauthorized access.

### Remediation


You can update your CodeBuild project to use OAuth.

**To remove basic authentication / (GitHub) Personal Access Token from CodeBuild project source**

1. Open the CodeBuild console at [https://console.amazonaws.cn/codebuild/](https://console.amazonaws.cn/codebuild/).

1. Choose the build project that contains personal access tokens or a user name and password.

1. From **Edit**, choose **Source**.

1. Choose **Disconnect from GitHub / Bitbucket**.

1. Choose **Connect using OAuth**, then choose **Connect to GitHub / Bitbucket**.

1. When prompted, choose **authorize as appropriate**.

1. Reconfigure your repository URL and additional configuration settings, as needed.

1. Choose **Update source**.

For more information, refer to [CodeBuild use case-based samples](https://docs.amazonaws.cn/codebuild/latest/userguide/use-case-based-samples.html) in the *Amazon CodeBuild User Guide*.

## [CodeBuild.2] CodeBuild project environment variables should not contain clear text credentials


**Related requirements:** NIST.800-53.r5 IA-5(7), NIST.800-53.r5 SA-3, PCI DSS v3.2.1/8.2.1, PCI DSS v4.0.1/8.3.2

**Category:** Protect > Secure development

**Severity:** Critical

**Resource type:** `AWS::CodeBuild::Project`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/codebuild-project-envvar-awscred-check.html](https://docs.amazonaws.cn/config/latest/developerguide/codebuild-project-envvar-awscred-check.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether the project contains the environment variables `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`.

Authentication credentials `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` should never be stored in clear text, as this could lead to unintended data exposure and unauthorized access.

### Remediation


To remove environment variables from a CodeBuild project, see [Change a build project's settings in Amazon CodeBuild](https://docs.amazonaws.cn/codebuild/latest/userguide/change-project.html) in the *Amazon CodeBuild User Guide*. Ensure nothing is selected for **Environment variables**.

You can store environment variables with sensitive values in the Amazon Systems Manager Parameter Store or Amazon Secrets Manager and then retrieve them from your build spec. For instructions, see the box labeled **Important** in the [Environment section](https://docs.amazonaws.cn/codebuild/latest/userguide/change-project-console.html#change-project-console-environment) in the *Amazon CodeBuild User Guide*.
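CodeBuild.1 and CodeBuild.2 both look at fields of the project definition, so they can be pre-checked from a project record before Security Hub CSPM reports them. The following is an added example, not CodeBuild or Security Hub CSPM code, that scans a project record in the shape the CodeBuild `BatchGetProjects` API returns (`source`, `secondarySources`, `environment.environmentVariables`) for both conditions. The project records are constructed; the access key pair is the AWS documentation example pair, not a real credential, and the repository URLs and Parameter Store names are placeholders. For CodeBuild.2 the check treats only `PLAINTEXT` variables as findings, matching the Config rule's description of flagging clear-text credentials; if you want the stricter reading of the control text (any presence of the two variable names), drop the type test.

```python
"""Added example (not CodeBuild or Security Hub code): scan a CodeBuild project record,
in the shape BatchGetProjects returns, for the conditions CodeBuild.1 and CodeBuild.2
describe. Projects are constructed; the key pair is the AWS documentation example pair."""

from typing import Dict, List
from urllib.parse import urlsplit

CREDENTIAL_VARIABLES = {"AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY"}


def url_has_credentials(location: str) -> bool:
    """True when the URL's userinfo carries a user name, password or token (user:secret@host)."""
    parts = urlsplit(location)
    return bool(parts.username or parts.password)


def source_findings(project: Dict) -> List[str]:
    """CodeBuild.1: neither the primary nor any secondary Bitbucket source may embed credentials."""
    findings = []
    sources = [dict(project.get("source", {}), sourceIdentifier="primary")]
    sources += project.get("secondarySources", [])
    for src in sources:
        if src.get("type") == "BITBUCKET" and url_has_credentials(src.get("location", "")):
            findings.append(f"CodeBuild.1: credentials in repository URL of source {src['sourceIdentifier']}")
    return findings


def envvar_findings(project: Dict) -> List[str]:
    """CodeBuild.2: the access-key variables must not be PLAINTEXT. Variables of type
    PARAMETER_STORE or SECRETS_MANAGER hold a reference, not the secret itself."""
    findings = []
    for var in project.get("environment", {}).get("environmentVariables", []):
        if var.get("name") in CREDENTIAL_VARIABLES and var.get("type", "PLAINTEXT") == "PLAINTEXT":
            findings.append(f"CodeBuild.2: {var['name']} stored as a clear-text environment variable")
    return findings


def scan(project: Dict) -> List[str]:
    """All findings for one project, CodeBuild.1 first."""
    return source_findings(project) + envvar_findings(project)


# Constructed 'before' project: token in the primary source URL, keys in clear text.
INSECURE_PROJECT = {
    "name": "build-before",
    "source": {"type": "BITBUCKET",
               "location": "https://x-token-auth:EXAMPLETOKEN@bitbucket.org/example-org/app.git"},
    "secondarySources": [{"sourceIdentifier": "deps", "type": "BITBUCKET",
                          "location": "https://bitbucket.org/example-org/deps.git"}],
    "environment": {"environmentVariables": [
        {"name": "AWS_ACCESS_KEY_ID", "value": "AKIAIOSFODNN7EXAMPLE", "type": "PLAINTEXT"},
        {"name": "AWS_SECRET_ACCESS_KEY", "value": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
         "type": "PLAINTEXT"},
    ]},
}

# Constructed 'after' project: OAuth-connected source (only the repository path in the URL)
# and credentials resolved from Systems Manager Parameter Store at build time.
REMEDIATED_PROJECT = {
    "name": "build-after",
    "source": {"type": "BITBUCKET", "location": "https://bitbucket.org/example-org/app.git"},
    "environment": {"environmentVariables": [
        {"name": "AWS_ACCESS_KEY_ID", "value": "/build/aws-access-key-id", "type": "PARAMETER_STORE"},
        {"name": "AWS_SECRET_ACCESS_KEY", "value": "/build/aws-secret-access-key",
         "type": "PARAMETER_STORE"},
    ]},
}
```

`url_has_credentials` only inspects the userinfo component of the URL, which is where a `user:password@` pair or an `x-token-auth:token@` token lands; it says nothing about tokens passed some other way.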

## [CodeBuild.3] CodeBuild S3 logs should be encrypted


**Related requirements:** NIST.800-53.r5 CA-9(1), NIST.800-53.r5 CM-3(6), NIST.800-53.r5 SC-13, NIST.800-53.r5 SC-28, NIST.800-53.r5 SC-28(1), NIST.800-53.r5 SI-7(6), PCI DSS v4.0.1/10.3.2

**Category:** Protect > Data Protection > Encryption of data-at-rest

**Severity:** Low

**Resource type:** `AWS::CodeBuild::Project`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/codebuild-project-s3-logs-encrypted.html](https://docs.amazonaws.cn/config/latest/developerguide/codebuild-project-s3-logs-encrypted.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks if Amazon S3 logs for an Amazon CodeBuild project are encrypted. The control fails if encryption is deactivated for S3 logs for a CodeBuild project.

Encryption of data at rest is a recommended best practice to add a layer of access management around your data. Encrypting the logs at rest reduces the risk that a user not authenticated by Amazon will access the data stored on disk. It adds another set of access controls to limit the ability of unauthorized users to access the data. 

### Remediation


To change the encryption settings for CodeBuild project S3 logs, see [Change a build project's settings in Amazon CodeBuild](https://docs.amazonaws.cn/codebuild/latest/userguide/change-project.html) in the *Amazon CodeBuild User Guide*.

## [CodeBuild.4] CodeBuild project environments should have a logging Amazon Configuration


**Related requirements:** NIST.800-53.r5 AC-2(12), NIST.800-53.r5 AC-2(4), NIST.800-53.r5 AC-4(26), NIST.800-53.r5 AC-6(9), NIST.800-53.r5 AU-10, NIST.800-53.r5 AU-12, NIST.800-53.r5 AU-2, NIST.800-53.r5 AU-3, NIST.800-53.r5 AU-6(3), NIST.800-53.r5 AU-6(4), NIST.800-53.r5 AU-9(7), NIST.800-53.r5 CA-7, NIST.800-53.r5 SC-7(9), NIST.800-53.r5 SI-3(8), NIST.800-53.r5 SI-4, NIST.800-53.r5 SI-4(20), NIST.800-53.r5 SI-7(8)

**Category:** Identify > Logging

**Severity:** Medium

**Resource type:** `AWS::CodeBuild::Project`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/codebuild-project-logging-enabled.html](https://docs.amazonaws.cn/config/latest/developerguide/codebuild-project-logging-enabled.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether a CodeBuild project environment has at least one log option enabled, either to Amazon S3 or to CloudWatch Logs. The control fails if a CodeBuild project environment does not have at least one log option enabled.

From a security perspective, logging is an important feature to enable for future forensics efforts in the case of any security incidents. Correlating anomalies in CodeBuild projects with threat detections can increase confidence in the accuracy of those threat detections.

### Remediation


For more information on how to configure CodeBuild project log settings, see [Create a build project (console)](https://docs.amazonaws.cn/codebuild/latest/userguide/create-project-console.html#create-project-console-logs) in the *Amazon CodeBuild User Guide*.

## [CodeBuild.5] CodeBuild project environments should not have privileged mode enabled


**Important**  
Security Hub CSPM retired this control in April 2024. For more information, see [Change log for Security Hub CSPM controls](controls-change-log.md).

**Related requirements:** NIST.800-53.r5 AC-2(1), NIST.800-53.r5 AC-3, NIST.800-53.r5 AC-3(15), NIST.800-53.r5 AC-3(7), NIST.800-53.r5 AC-5, NIST.800-53.r5 AC-6, NIST.800-53.r5 AC-6(10), NIST.800-53.r5 AC-6(2)

**Category:** Protect > Secure Access Management

**Severity:** High

**Resource type:** `AWS::CodeBuild::Project`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/codebuild-project-environment-privileged-check.html](https://docs.amazonaws.cn/config/latest/developerguide/codebuild-project-environment-privileged-check.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether an Amazon CodeBuild project environment has privileged mode enabled or disabled. The control fails if a CodeBuild project environment has privileged mode enabled.

By default, Docker containers do not allow access to any devices. Privileged mode grants a build project's Docker container access to all devices. Setting `privilegedMode` with value `true` permits the Docker daemon to run inside a Docker container. The Docker daemon listens for Docker API requests and manages Docker objects such as images, containers, networks, and volumes. This parameter should only be set to true if the build project is used to build Docker images. Otherwise, this setting should be disabled to prevent unintended access to Docker APIs as well as the container's underlying hardware. Setting `privilegedMode` to `false` helps protect critical resources from tampering and deletion.

### Remediation


To configure CodeBuild project environment settings, see [Create a build project (console)](https://docs.amazonaws.cn/codebuild/latest/userguide/create-project-console.html#create-project-console-environment) in the *Amazon CodeBuild User Guide*. In the **Environment** section, don't select the **Privileged** setting.

## [CodeBuild.7] CodeBuild report group exports should be encrypted at rest


**Category:** Protect > Data Protection > Encryption of data-at-rest

**Severity:** Medium

**Resource type:** `AWS::CodeBuild::ReportGroup`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/codebuild-report-group-encrypted-at-rest.html](https://docs.amazonaws.cn/config/latest/developerguide/codebuild-report-group-encrypted-at-rest.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether the test results of an Amazon CodeBuild report group that are exported to an Amazon Simple Storage Service (Amazon S3) bucket are encrypted at rest. The control fails if the report group export isn't encrypted at rest.

Data at rest refers to data that's stored in persistent, non-volatile storage for any duration. Encrypting data at rest helps you protect its confidentiality, which reduces the risk that an unauthorized user can access it.

### Remediation


To encrypt the report group export to S3, see [Update a report group](https://docs.amazonaws.cn/codebuild/latest/userguide/report-group-export-settings.html) in the *Amazon CodeBuild User Guide*.

# Security Hub CSPM controls for Amazon CodeGuru Profiler
Amazon CodeGuru Profiler controls

These Security Hub CSPM controls evaluate the Amazon CodeGuru Profiler service and resources.

These controls may not be available in all Amazon Web Services Regions. For more information, see [Availability of controls by Region](securityhub-regions.md#securityhub-regions-control-support).

## [CodeGuruProfiler.1] CodeGuru Profiler profiling groups should be tagged


**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `AWS::CodeGuruProfiler::ProfilingGroup`

**Amazon Config rule:** `codeguruprofiler-profiling-group-tagged`

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  `requiredKeyTags`  | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive.  | StringList (maximum of 6 items)  | 1–6 tag keys that meet [Amazon requirements](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-conventions).  | No default value  | 

This control checks whether an Amazon CodeGuru Profiler profiling group has tags with the specific keys defined in the parameter `requiredKeyTags`. The control fails if the profiling group doesn’t have any tag keys or if it doesn’t have all the keys specified in the parameter `requiredKeyTags`. If the parameter `requiredKeyTags` isn't provided, the control only checks for the existence of a tag key and fails if the profiling group isn't tagged with any key. System tags, which are automatically applied and begin with `aws:`, are ignored.

A tag is a label that you assign to an Amazon resource, and it consists of a key and an optional value. You can create tags to categorize resources by purpose, owner, environment, or other criteria. Tags can help you identify, organize, search for, and filter resources. Tagging also helps you track accountable resource owners for actions and notifications. When you use tagging, you can implement attribute-based access control (ABAC) as an authorization strategy, which defines permissions based on tags. You can attach tags to IAM entities (users or roles) and to Amazon resources. You can create a single ABAC policy or a separate set of policies for your IAM principals. You can design these ABAC policies to allow operations when the principal's tag matches the resource tag. For more information, see [Define permissions based on attributes with ABAC authorization](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*.

**Note**  
Don’t add personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible to many Amazon Web Services services, including Amazon Billing. For more tagging best practices, see [Best practices and strategies](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-best-practices) in the *Tagging Amazon Resources and Tag Editor User Guide*.

### Remediation


To add tags to a CodeGuru Profiler profiling group, see [Tagging profiling groups](https://docs.amazonaws.cn/codeguru/latest/profiler-ug/tagging-profiling-groups.html) in the *Amazon CodeGuru Profiler User Guide*.

# Security Hub CSPM controls for Amazon CodeGuru Reviewer
Amazon CodeGuru Reviewer controls

These Security Hub CSPM controls evaluate the Amazon CodeGuru Reviewer service and resources.

These controls may not be available in all Amazon Web Services Regions. For more information, see [Availability of controls by Region](securityhub-regions.md#securityhub-regions-control-support).

## [CodeGuruReviewer.1] CodeGuru Reviewer repository associations should be tagged


**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `AWS::CodeGuruReviewer::RepositoryAssociation`

**Amazon Config rule:** `codegurureviewer-repository-association-tagged`

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  `requiredKeyTags`  | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive.  | StringList (maximum of 6 items)  | 1–6 tag keys that meet [Amazon requirements](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-conventions).  | No default value  | 

This control checks whether an Amazon CodeGuru Reviewer repository association has tags with the specific keys defined in the parameter `requiredKeyTags`. The control fails if the repository association doesn’t have any tag keys or if it doesn’t have all the keys specified in the parameter `requiredKeyTags`. If the parameter `requiredKeyTags` isn't provided, the control only checks for the existence of a tag key and fails if the repository association isn't tagged with any key. System tags, which are automatically applied and begin with `aws:`, are ignored.

A tag is a label that you assign to an Amazon resource, and it consists of a key and an optional value. You can create tags to categorize resources by purpose, owner, environment, or other criteria. Tags can help you identify, organize, search for, and filter resources. Tagging also helps you track accountable resource owners for actions and notifications. When you use tagging, you can implement attribute-based access control (ABAC) as an authorization strategy, which defines permissions based on tags. You can attach tags to IAM entities (users or roles) and to Amazon resources. You can create a single ABAC policy or a separate set of policies for your IAM principals. You can design these ABAC policies to allow operations when the principal's tag matches the resource tag. For more information, see [Define permissions based on attributes with ABAC authorization](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*.

**Note**  
Don’t add personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible to many Amazon Web Services services, including Amazon Billing. For more tagging best practices, see [Best practices and strategies](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-best-practices) in the *Tagging Amazon Resources and Tag Editor User Guide*.

### Remediation


To add tags to a CodeGuru Reviewer repository association, see [Tagging a repository association](https://docs.amazonaws.cn/codeguru/latest/reviewer-ug/tag-repository-association.html) in the *Amazon CodeGuru Reviewer User Guide*.

# Security Hub CSPM controls for Amazon Cognito
Amazon Cognito controls

These Amazon Security Hub CSPM controls evaluate the Amazon Cognito service and resources. The controls might not be available in all Amazon Web Services Regions. For more information, see [Availability of controls by Region](securityhub-regions.md#securityhub-regions-control-support).

## [Cognito.1] Cognito user pools should have threat protection activated with full function enforcement mode for standard authentication


**Category:** Protect > Secure access management

**Severity:** Medium

**Resource type:** `AWS::Cognito::UserPool`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/cognito-user-pool-advanced-security-enabled.html](https://docs.amazonaws.cn/config/latest/developerguide/cognito-user-pool-advanced-security-enabled.html)

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  `SecurityMode`  |  The threat protection enforcement mode that the control checks for.  |  String  |  `AUDIT`, `ENFORCED`  |  `ENFORCED`  | 

This control checks whether an Amazon Cognito user pool has threat protection activated with the enforcement mode set to full function for standard authentication. The control fails if the user pool has threat protection deactivated or if the enforcement mode isn't set to full function for standard authentication. Unless you provide custom parameter values, Security Hub CSPM uses the default value of `ENFORCED`, which corresponds to full function enforcement mode for standard authentication.

After you create an Amazon Cognito user pool, you can activate threat protection and customize the actions that are taken in response to different risks. Or, you can use audit mode to gather metrics on detected risks without applying any security mitigations. In audit mode, threat protection publishes metrics to Amazon CloudWatch. You can see metrics after Amazon Cognito generates its first event.

### Remediation


For information about activating threat protection for an Amazon Cognito user pool, see [Advanced security with threat protection](https://docs.amazonaws.cn/cognito/latest/developerguide/cognito-user-pool-settings-threat-protection.html) in the *Amazon Cognito Developer Guide*.

## [Cognito.2] Cognito identity pools should not allow unauthenticated identities


**Category:** Protect > Secure access management > Passwordless authentication

**Severity:** Medium

**Resource type:** `AWS::Cognito::IdentityPool`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/cognito-identity-pool-unauth-access-check.html](https://docs.amazonaws.cn/config/latest/developerguide/cognito-identity-pool-unauth-access-check.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether an Amazon Cognito identity pool is configured to allow unauthenticated identities. The control fails if guest access is activated (the `AllowUnauthenticatedIdentities` parameter is set to `true`) for the identity pool.

If an Amazon Cognito identity pool allows unauthenticated identities, the identity pool provides temporary Amazon credentials to users who haven't authenticated through an identity provider (guests). This creates security risks because it allows anonymous access to Amazon resources. If you deactivate guest access, you can help ensure that only properly authenticated users can access your Amazon resources, which reduces the risk of unauthorized access and potential security breaches. As a best practice, an identity pool should require authentication through supported identity providers. If unauthenticated access is necessary, it's important to carefully restrict permissions for unauthenticated identities, and regularly review and monitor their usage.

### Remediation


For information about deactivating guest access for an Amazon Cognito identity pool, see [Activate or deactivate guest access](https://docs.amazonaws.cn/cognito/latest/developerguide/identity-pools.html#enable-or-disable-unauthenticated-identities) in the *Amazon Cognito Developer Guide*.

## [Cognito.3] Password policies for Cognito user pools should have strong configurations


**Category:** Protect > Secure access management

**Severity:** Medium

**Resource type:** `AWS::Cognito::UserPool`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/cognito-user-pool-password-policy-check.html](https://docs.amazonaws.cn/config/latest/developerguide/cognito-user-pool-password-policy-check.html)

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  `minLength`  | The minimum number of characters that a password must contain.  | Integer | `8` to `128` | `8` | 
|  `requireLowercase`  | Require at least one lowercase character in a password.  | Boolean | `True`, `False` | `True`  | 
|  `requireUppercase`  | Require at least one uppercase character in a password.  | Boolean | `True`, `False` | `True`  | 
|  `requireNumbers`  | Require at least one number in a password.  | Boolean | `True`, `False` | `True`  | 
|  `requireSymbols`  | Require at least one symbol in a password.  | Boolean | `True`, `False` | `True`  | 
|  `temporaryPasswordValidity`  | The maximum number of days that a password can exist before it expires.  | Integer | `7` to `365` | `7`  | 

This control checks whether the password policy for an Amazon Cognito user pool requires the use of strong passwords, based on recommended settings for password policies. The control fails if the password policy for the user pool doesn't require strong passwords. You can optionally specify custom values for the policy settings that the control checks.

Strong passwords are a security best practice for Amazon Cognito user pools. Weak passwords can expose users' credentials to systems that guess passwords and try to access data. This is especially the case for applications that are open to the internet. Password policies are a central element of the security of user directories. By using a password policy, you can configure a user pool to require password complexity and other settings that comply with your security standards and requirements.
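The following is an added example, not Security Hub CSPM or Amazon Cognito code, of how a reviewer could apply the Cognito.3 parameter table to a user pool description offline. It reads the `Policies.PasswordPolicy` fields of a `DescribeUserPool` response (`MinimumLength`, `RequireUppercase`, `RequireLowercase`, `RequireNumbers`, `RequireSymbols`, `TemporaryPasswordValidityDays`), merges custom parameter values over the defaults from the table, and enforces the allowed ranges. The comparison directions (pool minimum length at least `minLength`, validity days at most `temporaryPasswordValidity`) and the treatment of an absent validity field as Cognito's 7-day default are assumptions made here; the sample pools are constructed.

```python
"""Evaluate a Cognito user pool password policy against the Cognito.3 parameters.
Added example; not Security Hub CSPM or Amazon Cognito code."""
from typing import Optional

# Security Hub CSPM default parameter values from the Cognito.3 parameter table
DEFAULT_PARAMS = {
    "minLength": 8,
    "requireLowercase": True,
    "requireUppercase": True,
    "requireNumbers": True,
    "requireSymbols": True,
    "temporaryPasswordValidity": 7,
}

# Boolean parameter -> PasswordPolicy field of a DescribeUserPool response
FLAG_FIELDS = {
    "requireLowercase": "RequireLowercase",
    "requireUppercase": "RequireUppercase",
    "requireNumbers": "RequireNumbers",
    "requireSymbols": "RequireSymbols",
}


def validate_params(params: dict) -> dict:
    """Merge custom values over the defaults and enforce the table's allowed ranges."""
    merged = {**DEFAULT_PARAMS, **params}
    if not 8 <= merged["minLength"] <= 128:
        raise ValueError("minLength must be 8 to 128")
    if not 7 <= merged["temporaryPasswordValidity"] <= 365:
        raise ValueError("temporaryPasswordValidity must be 7 to 365")
    for flag in FLAG_FIELDS:
        if not isinstance(merged[flag], bool):
            raise ValueError(flag + " must be True or False")
    return merged


def evaluate_password_policy(user_pool: dict, params: Optional[dict] = None) -> dict:
    """Return PASSED/FAILED plus one reason per setting weaker than its parameter.
    Assumptions (not stated on the page): MinimumLength must be >= minLength, each
    required character class must be switched on, and TemporaryPasswordValidityDays
    must be <= temporaryPasswordValidity; an absent validity field is treated as
    Cognito's 7-day default."""
    p = validate_params(params or {})
    policy = user_pool.get("Policies", {}).get("PasswordPolicy", {})
    reasons = []

    min_len = policy.get("MinimumLength", 0)
    if min_len < p["minLength"]:
        reasons.append("MinimumLength %d is below required %d" % (min_len, p["minLength"]))

    for flag, field in FLAG_FIELDS.items():
        if p[flag] and not policy.get(field, False):
            reasons.append(field + " is not enforced")

    validity = policy.get("TemporaryPasswordValidityDays", 7)  # assumed Cognito default when unset
    if validity > p["temporaryPasswordValidity"]:
        reasons.append("TemporaryPasswordValidityDays %d exceeds %d"
                       % (validity, p["temporaryPasswordValidity"]))

    return {"status": "FAILED" if reasons else "PASSED", "reasons": reasons}


# Constructed sample pools in the DescribeUserPool response shape
STRONG_POOL = {"Policies": {"PasswordPolicy": {
    "MinimumLength": 12, "RequireUppercase": True, "RequireLowercase": True,
    "RequireNumbers": True, "RequireSymbols": True, "TemporaryPasswordValidityDays": 7}}}

WEAK_POOL = {"Policies": {"PasswordPolicy": {
    "MinimumLength": 6, "RequireUppercase": True, "RequireLowercase": True,
    "RequireNumbers": False, "RequireSymbols": False, "TemporaryPasswordValidityDays": 30}}}

if __name__ == "__main__":
    print(evaluate_password_policy(STRONG_POOL))
    print(evaluate_password_policy(WEAK_POOL))
    # Custom parameters relax symbols, numbers and validity; the short length still fails
    print(evaluate_password_policy(WEAK_POOL, {"requireSymbols": False,
                                               "requireNumbers": False,
                                               "temporaryPasswordValidity": 30}))
```

The reason list mirrors how a failed finding explains itself, so the same function can be run over every user pool description an account exports before the control's findings arrive.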

### Remediation


For information about creating or updating the password policy for an Amazon Cognito user pool, see [Adding user pool password requirements](https://docs.amazonaws.cn/cognito/latest/developerguide/managing-users-passwords.html#user-pool-settings-policies) in the *Amazon Cognito Developer Guide*.

## [Cognito.4] Cognito user pools should have threat protection activated with full function enforcement mode for custom authentication


**Category:** Protect > Secure access management

**Severity:** Medium

**Resource type:** `AWS::Cognito::UserPool`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/cognito-userpool-cust-auth-threat-full-check.html](https://docs.amazonaws.cn/config/latest/developerguide/cognito-userpool-cust-auth-threat-full-check.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether an Amazon Cognito user pool has threat protection activated with the enforcement mode set to full function for custom authentication. The control fails if the user pool has threat protection disabled or if the enforcement mode isn't set to full function for custom authentication.

Threat protection, formerly called advanced security features, is a set of monitoring tools for unwanted activity in your user pool, and configuration tools to automatically shut down potentially malicious activity. After you create an Amazon Cognito user pool, you can activate threat protection with full function enforcement mode for custom authentication and customize the actions that are taken in response to different risks. Full-function mode includes a set of automatic reactions to detect unwanted activity and compromised passwords.

### Remediation


For information about activating threat protection for an Amazon Cognito user pool, see [Advanced security with threat protection](https://docs.amazonaws.cn/cognito/latest/developerguide/cognito-user-pool-settings-threat-protection.html) in the *Amazon Cognito Developer Guide*.

## [Cognito.5] MFA should be enabled for Cognito user pools


**Category:** Protect > Secure access management > Multi-factor authentication

**Severity:** Medium

**Resource type:** `AWS::Cognito::UserPool`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/cognito-user-pool-mfa-enabled.html](https://docs.amazonaws.cn/config/latest/developerguide/cognito-user-pool-mfa-enabled.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether an Amazon Cognito user pool configured with a password-only sign-in policy has multi-factor authentication (MFA) enabled. The control fails if the user pool configured with a password-only sign-in policy does not have MFA enabled.

Multi-factor authentication (MFA) adds a "something you have" authentication factor to the "something you know" factor (typically a username and password). For federated users, Amazon Cognito delegates authentication to the identity provider (IdP) and doesn't offer additional authentication factors. However, if you have local users with password authentication, configuring MFA for the user pool increases their security.

**Note**  
This control is not applicable for federated users and users signing in with passwordless factors.

### Remediation


For information about how to configure MFA for an Amazon Cognito user pool, see [Adding MFA to a user pool](https://docs.amazonaws.cn/cognito/latest/developerguide/user-pool-settings-mfa.html) in the *Amazon Cognito Developer Guide*.

## [Cognito.6] Cognito user pools should have deletion protection enabled


**Category:** Protect > Data Protection > Data deletion protection

**Severity:** Medium

**Resource type:** `AWS::Cognito::UserPool`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/cognito-user-pool-deletion-protection-enabled.html](https://docs.amazonaws.cn/config/latest/developerguide/cognito-user-pool-deletion-protection-enabled.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether an Amazon Cognito user pool has deletion protection enabled. The control fails if deletion protection is disabled for the user pool.

Deletion protection helps ensure that your user pool is not accidentally deleted. When you configure a user pool with deletion protection, the pool cannot be deleted by any user. Deletion protection prevents you from requesting the deletion of a user pool unless you first modify the pool and deactivate deletion protection.

### Remediation


To configure deletion protection for an Amazon Cognito user pool, see [User pool deletion protection](https://docs.amazonaws.cn/cognito/latest/developerguide/user-pool-settings-deletion-protection.html) in the *Amazon Cognito Developer Guide*.

# Security Hub CSPM controls for Amazon Config
Amazon Config controls

These Security Hub CSPM controls evaluate the Amazon Config service and resources.

These controls may not be available in all Amazon Web Services Regions. For more information, see [Availability of controls by Region](securityhub-regions.md#securityhub-regions-control-support).

## [Config.1] Amazon Config should be enabled and use the service-linked role for resource recording


**Related requirements:** CIS Amazon Foundations Benchmark v5.0.0/3.3, CIS Amazon Foundations Benchmark v1.2.0/2.5, CIS Amazon Foundations Benchmark v1.4.0/3.5, CIS Amazon Foundations Benchmark v3.0.0/3.3, NIST.800-53.r5 CM-3, NIST.800-53.r5 CM-6(1), NIST.800-53.r5 CM-8, NIST.800-53.r5 CM-8(2), PCI DSS v3.2.1/10.5.2, PCI DSS v3.2.1/11.5

**Category:** Identify > Inventory

**Severity:** Critical

**Resource type:** `AWS::::Account`

**Amazon Config rule:** None (custom Security Hub CSPM rule)

**Schedule type:** Periodic

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  `includeConfigServiceLinkedRoleCheck`  |  The control doesn’t evaluate whether Amazon Config uses the service-linked role if the parameter is set to `false`.  |  Boolean  |  `true` or `false`  |  `true`  | 

This control checks whether Amazon Config is enabled in your account in the current Amazon Web Services Region, records all resources that correspond to controls that are enabled in the current Region, and uses the [service-linked Amazon Config role](https://docs.amazonaws.cn/config/latest/developerguide/using-service-linked-roles.html). The name of the service-linked role is **AWSServiceRoleForConfig**. If you don't use the service-linked role and don't set the `includeConfigServiceLinkedRoleCheck` parameter to `false`, the control fails because other roles might not have the necessary permissions for Amazon Config to accurately record your resources.

The Amazon Config service performs configuration management of supported Amazon resources in your account and delivers log files to you. The recorded information includes the configuration item (Amazon resource), relationships between configuration items, and any configuration changes within resources. Global resources are resources that are available in any Region.

The control is evaluated as follows:
+ If the current Region is set as your [aggregation Region](finding-aggregation.md), the control produces `PASSED` findings only if Amazon Identity and Access Management (IAM) global resources are recorded (if you have enabled controls that require them).
+ If the current Region is set as a linked Region, the control doesn’t evaluate whether IAM global resources are recorded.
+ If the current Region isn’t in your aggregator, or if cross-Region aggregation isn’t set up in your account, the control produces `PASSED` findings only if IAM global resources are recorded (if you have enabled controls that require them).

Control results aren't impacted by whether you choose daily or continuous recording of changes in resource state in Amazon Config. However, the results of this control can change when new controls are released if you have configured automatic enablement of new controls or have a central configuration policy that automatically enables new controls. In these cases, if you don't record all resources, you must configure recording for resources that are associated with new controls in order to receive a `PASSED` finding.

Security Hub CSPM security checks work as intended only if you enable Amazon Config in all Regions and configure resource recording for controls that require it.
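To make the Region-dependent logic above concrete, here is an added example (not Security Hub CSPM code) that walks through the Config.1 decision on a constructed per-Region summary: whether Amazon Config is enabled, which recorder role it uses, which resource types it records, and whether the Region is the aggregation Region, a linked Region, or outside any aggregator. The `enabled_controls` map, the sample role ARNs, and the placeholder control that requires IAM global resources are constructed for the example; the IAM global types are the four the note below names (users, groups, roles, customer managed policies).

```python
"""Walk through the Config.1 evaluation on a constructed per-Region summary.
Added example; not Security Hub CSPM code."""
from typing import Dict, Set

SERVICE_LINKED_ROLE = "AWSServiceRoleForConfig"
# IAM global resource types that Amazon Config records
IAM_GLOBAL_TYPES = {"AWS::IAM::User", "AWS::IAM::Group", "AWS::IAM::Role", "AWS::IAM::Policy"}


def evaluate_config1(region: dict, enabled_controls: Dict[str, Set[str]],
                     include_slr_check: bool = True) -> dict:
    """`region` is a constructed summary with keys: enabled (bool), role_arn (str),
    recorded_types (set), role ("aggregation" | "linked" | "standalone").
    `enabled_controls` maps a control ID to the resource types it needs recorded.
    `include_slr_check` mirrors the includeConfigServiceLinkedRoleCheck parameter.
    Returns PASSED/FAILED plus reasons, in the spirit of Compliance.StatusReasons."""
    if not region["enabled"]:
        return {"status": "FAILED", "reasons": ["Amazon Config is not enabled in this Region"]}
    reasons = []

    # Service-linked role check, skipped when the parameter is false
    role_name = region["role_arn"].rsplit("/", 1)[-1]
    if include_slr_check and role_name != SERVICE_LINKED_ROLE:
        reasons.append("Recorder role %s is not %s" % (role_name, SERVICE_LINKED_ROLE))

    # Every enabled control's Regional resource types must be recorded
    required = set().union(*enabled_controls.values()) if enabled_controls else set()
    missing = sorted((required - IAM_GLOBAL_TYPES) - region["recorded_types"])
    if missing:
        reasons.append("Not recording: " + ", ".join(missing))

    # IAM global resources are evaluated in the aggregation Region and in Regions
    # outside any aggregator; a linked Region is not evaluated for them
    iam_needed = required & IAM_GLOBAL_TYPES
    if iam_needed and region["role"] != "linked":
        iam_missing = sorted(iam_needed - region["recorded_types"])
        if iam_missing:
            reasons.append("IAM global resources not recorded: " + ", ".join(iam_missing))

    return {"status": "FAILED" if reasons else "PASSED", "reasons": reasons}


# Constructed inputs: two controls from this page plus a placeholder that needs IAM resources
CONTROLS = {
    "Cognito.1": {"AWS::Cognito::UserPool"},
    "DMS.1": {"AWS::DMS::ReplicationInstance"},
    "IAM-control-placeholder": {"AWS::IAM::User", "AWS::IAM::Policy"},
}
SLR_ARN = "arn:aws:iam::111122223333:role/aws-service-role/config.amazonaws.com/" + SERVICE_LINKED_ROLE
CUSTOM_ARN = "arn:aws:iam::111122223333:role/config-custom-recorder"  # constructed
REGIONAL_ONLY = {"AWS::Cognito::UserPool", "AWS::DMS::ReplicationInstance"}

LINKED_REGION = {"enabled": True, "role_arn": SLR_ARN, "recorded_types": REGIONAL_ONLY, "role": "linked"}
AGGREGATION_REGION = {"enabled": True, "role_arn": SLR_ARN, "recorded_types": REGIONAL_ONLY, "role": "aggregation"}
STANDALONE_CUSTOM_ROLE = {"enabled": True, "role_arn": CUSTOM_ARN,
                          "recorded_types": REGIONAL_ONLY | IAM_GLOBAL_TYPES, "role": "standalone"}
DISABLED_REGION = {"enabled": False, "role_arn": "", "recorded_types": set(), "role": "standalone"}

if __name__ == "__main__":
    for name, reg in [("linked", LINKED_REGION), ("aggregation", AGGREGATION_REGION),
                      ("standalone/custom role", STANDALONE_CUSTOM_ROLE), ("disabled", DISABLED_REGION)]:
        print(name, evaluate_config1(reg, CONTROLS))
    print("custom role, check off", evaluate_config1(STANDALONE_CUSTOM_ROLE, CONTROLS, include_slr_check=False))
```

Running it shows the asymmetry the list above describes: the same recording configuration passes in a linked Region and fails in the aggregation Region, because only the latter is evaluated for IAM global resources.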

**Note**  
Config.1 requires that Amazon Config is enabled in all Regions in which you use Security Hub CSPM.  
Since Security Hub CSPM is a Regional service, the check performed for this control evaluates only the current Region for the account.  
To allow security checks against IAM global resources in a Region, you must record IAM global resources in that Region. Regions that don’t have IAM global resources recorded will receive a default `PASSED` finding for controls that check IAM global resources. Since IAM global resources are identical across Amazon Web Services Regions, we recommend that you record IAM global resources in only the home Region (if cross-Region aggregation is enabled in your account). IAM resources will be recorded only in the Region in which global resource recording is turned on.  
The IAM globally recorded resource types that Amazon Config supports are IAM users, groups, roles, and customer managed policies. You can consider disabling Security Hub CSPM controls that check these resource types in Regions where global resource recording is turned off. For more information, see [Suggested controls to disable in Security Hub CSPM](controls-to-disable.md).

### Remediation


In the home Region and Regions that aren’t part of an aggregator, record all resources that are required for controls that are enabled in the current Region, including IAM global resources if you have enabled controls that require IAM global resources.

In linked Regions, you can use any Amazon Config recording mode, as long as you are recording all resources that correspond to controls that are enabled in the current Region. In linked Regions, if you have enabled controls that require recording of IAM global resources, you won’t receive a `FAILED` finding (your recording of other resources is sufficient).

The `StatusReasons` field in the `Compliance` object of your finding can help you determine why you have a failed finding for this control. For more information, see [Compliance details for control findings](controls-findings-create-update.md#control-findings-asff-compliance).

For a list of which resources must be recorded for each control, see [Required Amazon Config resources for control findings](controls-config-resources.md). For general information about enabling Amazon Config and configuring resource recording, see [Enabling and configuring Amazon Config for Security Hub CSPM](securityhub-setup-prereqs.md).

# Security Hub CSPM controls for Amazon Connect
Amazon Connect controls

These Security Hub CSPM controls evaluate the Amazon Connect service and resources.

These controls may not be available in all Amazon Web Services Regions. For more information, see [Availability of controls by Region](securityhub-regions.md#securityhub-regions-control-support).

## [Connect.1] Amazon Connect Customer Profiles object types should be tagged


**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `AWS::CustomerProfiles::ObjectType`

**Amazon Config rule:** `customerprofiles-object-type-tagged`

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  `requiredKeyTags`  | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive.  | StringList (maximum of 6 items)  | 1–6 tag keys that meet [Amazon requirements](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-conventions).  | No default value  | 

This control checks whether an Amazon Connect Customer Profiles object type has tags with the specific keys defined in the parameter `requiredKeyTags`. The control fails if the object type doesn’t have any tag keys or if it doesn’t have all the keys specified in the parameter `requiredKeyTags`. If the parameter `requiredKeyTags` isn't provided, the control only checks for the existence of a tag key and fails if the object type isn't tagged with any key. System tags, which are automatically applied and begin with `aws:`, are ignored.

A tag is a label that you assign to an Amazon resource, and it consists of a key and an optional value. You can create tags to categorize resources by purpose, owner, environment, or other criteria. Tags can help you identify, organize, search for, and filter resources. Tagging also helps you track accountable resource owners for actions and notifications. When you use tagging, you can implement attribute-based access control (ABAC) as an authorization strategy, which defines permissions based on tags. You can attach tags to IAM entities (users or roles) and to Amazon resources. You can create a single ABAC policy or a separate set of policies for your IAM principals. You can design these ABAC policies to allow operations when the principal's tag matches the resource tag. For more information, see [Define permissions based on attributes with ABAC authorization](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*.

**Note**  
Don’t add personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible to many Amazon Web Services services, including Amazon Billing. For more tagging best practices, see [Best practices and strategies](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-best-practices) in the *Tagging Amazon Resources and Tag Editor User Guide*.

### Remediation


To add tags to a Customer Profiles object type, see [Add tags to resources in Amazon Connect](https://docs.amazonaws.cn/connect/latest/adminguide/tagging.html) in the *Amazon Connect Administrator Guide*.

## [Connect.2] Amazon Connect instances should have CloudWatch logging enabled


**Category:** Identify > Logging

**Severity:** Medium

**Resource type:** `AWS::Connect::Instance`

**Amazon Config rule:** [connect-instance-logging-enabled](https://docs.amazonaws.cn/config/latest/developerguide/connect-instance-logging-enabled.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether an Amazon Connect instance is configured to generate and store flow logs in an Amazon CloudWatch log group. The control fails if the Amazon Connect instance isn't configured to generate and store flow logs in a CloudWatch log group.

Amazon Connect flow logs provide real-time details about events in Amazon Connect flows. A *flow* defines the customer experience with an Amazon Connect contact center from start to finish. By default, when you create a new Amazon Connect instance, an Amazon CloudWatch log group is created automatically to store flow logs for the instance. Flow logs can help you analyze flows, find errors, and monitor operational metrics. You can also set up alerts for specific events that can occur in a flow.

### Remediation


For information about enabling flow logs for an Amazon Connect instance, see [Enable Amazon Connect flow logs in an Amazon CloudWatch log group](https://docs.amazonaws.cn/connect/latest/adminguide/contact-flow-logs.html) in the *Amazon Connect Administrator Guide*.

# Security Hub CSPM controls for Amazon Data Firehose
Amazon Data Firehose controls

These Security Hub CSPM controls evaluate the Amazon Data Firehose service and resources.

These controls may not be available in all Amazon Web Services Regions. For more information, see [Availability of controls by Region](securityhub-regions.md#securityhub-regions-control-support).

## [DataFirehose.1] Firehose delivery streams should be encrypted at rest


**Related requirements:** NIST.800-53.r5 AC-3, NIST.800-53.r5 AU-3, NIST.800-53.r5 SC-12, NIST.800-53.r5 SC-13, NIST.800-53.r5 SC-28

**Category:** Protect > Data Protection > Encryption of data-at-rest

**Severity:** Medium

**Resource type:** `AWS::KinesisFirehose::DeliveryStream`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/kinesis-firehose-delivery-stream-encrypted.html](https://docs.amazonaws.cn/config/latest/developerguide/kinesis-firehose-delivery-stream-encrypted.html)

**Schedule type:** Periodic

**Parameters:** None 

This control checks whether an Amazon Data Firehose delivery stream is encrypted at rest with server-side encryption. This control fails if a Firehose delivery stream isn't encrypted at rest with server-side encryption.

Server-side encryption is a feature in Amazon Data Firehose delivery streams that automatically encrypts data before it's at rest by using a key created in Amazon Key Management Service (Amazon KMS). Data is encrypted before it's written to the Data Firehose stream storage layer, and decrypted after it’s retrieved from storage. This allows you to comply with regulatory requirements and enhance the security of your data.

### Remediation


To enable server-side encryption on Firehose delivery streams, see [Data Protection in Amazon Data Firehose](https://docs.amazonaws.cn/firehose/latest/dev/encryption.html) in the *Amazon Data Firehose Developer Guide*.

# Security Hub CSPM controls for Amazon Database Migration Service
Amazon Database Migration Service controls

These Amazon Security Hub CSPM controls evaluate the Amazon Database Migration Service (Amazon DMS) and Amazon DMS resources. The controls might not be available in all Amazon Web Services Regions. For more information, see [Availability of controls by Region](securityhub-regions.md#securityhub-regions-control-support).

## [DMS.1] Database Migration Service replication instances should not be public


**Related requirements:** NIST.800-53.r5 AC-21, NIST.800-53.r5 AC-3, NIST.800-53.r5 AC-3(7), NIST.800-53.r5 AC-4, NIST.800-53.r5 AC-4(21), NIST.800-53.r5 AC-6, NIST.800-53.r5 SC-7, NIST.800-53.r5 SC-7(11), NIST.800-53.r5 SC-7(16), NIST.800-53.r5 SC-7(20), NIST.800-53.r5 SC-7(21), NIST.800-53.r5 SC-7(3), NIST.800-53.r5 SC-7(4), NIST.800-53.r5 SC-7(9), PCI DSS v3.2.1/1.2.1, PCI DSS v3.2.1/1.3.1, PCI DSS v3.2.1/1.3.4, PCI DSS v3.2.1/1.3.2, PCI DSS v3.2.1/1.3.6, PCI DSS v4.0.1/1.4.4

**Category:** Protect > Secure network configuration

**Severity:** Critical

**Resource type:** `AWS::DMS::ReplicationInstance`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/dms-replication-not-public.html](https://docs.amazonaws.cn/config/latest/developerguide/dms-replication-not-public.html)

**Schedule type:** Periodic

**Parameters:** None

This control checks whether Amazon DMS replication instances are public. To do this, it examines the value of the `PubliclyAccessible` field.

A private replication instance has a private IP address that you cannot access outside of the replication network. A replication instance should have a private IP address when the source and target databases are in the same network. The network must also be connected to the replication instance's VPC using a VPN, Amazon Direct Connect, or VPC peering. To learn more about public and private replication instances, see [Public and private replication instances](https://docs.amazonaws.cn/dms/latest/userguide/CHAP_ReplicationInstance.html#CHAP_ReplicationInstance.PublicPrivate) in the *Amazon Database Migration Service User Guide*.

You should also ensure that access to your Amazon DMS instance configuration is limited to only authorized users. To do this, restrict users' IAM permissions to modify Amazon DMS settings and resources.

### Remediation


You can't change the public access setting for a DMS replication instance after creating it. To change the public access setting, [delete your current instance](https://docs.amazonaws.cn/dms/latest/userguide/CHAP_ReplicationInstance.Deleting.html), and then [recreate it](https://docs.amazonaws.cn/dms/latest/userguide/CHAP_ReplicationInstance.Creating.html). Don't select the **Publicly accessible** option.

## [DMS.2] DMS certificates should be tagged


**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `AWS::DMS::Certificate`

**Amazon Config rule:** `tagged-dms-certificate` (custom Security Hub CSPM rule)

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  `requiredTagKeys`  | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive.  | StringList (maximum of 6 items)  | 1–6 tag keys that meet [Amazon requirements](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-conventions).  |  No default value  | 

This control checks whether an Amazon DMS certificate has tags with the specific keys defined in the parameter `requiredTagKeys`. The control fails if the certificate doesn’t have any tag keys or if it doesn’t have all the keys specified in the parameter `requiredTagKeys`. If the parameter `requiredTagKeys` isn't provided, the control only checks for the existence of a tag key and fails if the certificate isn't tagged with any key. System tags, which are automatically applied and begin with `aws:`, are ignored.

A tag is a label that you assign to an Amazon resource, and it consists of a key and an optional value. You can create tags to categorize resources by purpose, owner, environment, or other criteria. Tags can help you identify, organize, search for, and filter resources. Tagging also helps you track accountable resource owners for actions and notifications. When you use tagging, you can implement attribute-based access control (ABAC) as an authorization strategy, which defines permissions based on tags. You can attach tags to IAM entities (users or roles) and to Amazon resources. You can create a single ABAC policy or a separate set of policies for your IAM principals. You can design these ABAC policies to allow operations when the principal's tag matches the resource tag. For more information, see [What is ABAC for Amazon?](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*.

**Note**  
Don’t add personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible to many Amazon Web Services services, including Amazon Billing. For more tagging best practices, see [Tagging your Amazon resources](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-best-practices) in the *Amazon Web Services General Reference*.

### Remediation


To add tags to a DMS certificate, see [Tagging resources in Amazon Database Migration Service](https://docs.amazonaws.cn/dms/latest/userguide/CHAP_Tagging.html) in the *Amazon Database Migration Service User Guide*.

## [DMS.3] DMS event subscriptions should be tagged


**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `AWS::DMS::EventSubscription`

**Amazon Config rule:** `tagged-dms-eventsubscription` (custom Security Hub CSPM rule)

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  requiredTagKeys  | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive.  | StringList (maximum of 6 items)  | 1–6 tag keys that meet [Amazon requirements](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-conventions).  |  No default value  | 

This control checks whether an Amazon DMS event subscription has tags with the specific keys defined in the parameter `requiredTagKeys`. The control fails if the event subscription doesn’t have any tag keys or if it doesn’t have all the keys specified in the parameter `requiredTagKeys`. If the parameter `requiredTagKeys` isn't provided, the control only checks for the existence of a tag key and fails if the event subscription isn't tagged with any key. System tags, which are automatically applied and begin with `aws:`, are ignored.

A tag is a label that you assign to an Amazon resource, and it consists of a key and an optional value. You can create tags to categorize resources by purpose, owner, environment, or other criteria. Tags can help you identify, organize, search for, and filter resources. Tagging also helps you track accountable resource owners for actions and notifications. When you use tagging, you can implement attribute-based access control (ABAC) as an authorization strategy, which defines permissions based on tags. You can attach tags to IAM entities (users or roles) and to Amazon resources. You can create a single ABAC policy or a separate set of policies for your IAM principals. You can design these ABAC policies to allow operations when the principal's tag matches the resource tag. For more information, see [What is ABAC for Amazon?](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*.

**Note**  
Don’t add personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible to many Amazon Web Services services, including Amazon Billing. For more tagging best practices, see [Tagging your Amazon resources](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-best-practices) in the *Amazon Web Services General Reference*.

### Remediation


To add tags to a DMS event subscription, see [Tagging resources in Amazon Database Migration Service](https://docs.amazonaws.cn/dms/latest/userguide/CHAP_Tagging.html) in the *Amazon Database Migration Service User Guide*.

## [DMS.4] DMS replication instances should be tagged


**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `AWS::DMS::ReplicationInstance`

**Amazon Config rule:** `tagged-dms-replicationinstance` (custom Security Hub CSPM rule)

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  requiredTagKeys  | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive.  | StringList (maximum of 6 items)  | 1–6 tag keys that meet [Amazon requirements](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-conventions).  |  No default value  | 

This control checks whether an Amazon DMS replication instance has tags with the specific keys defined in the parameter `requiredTagKeys`. The control fails if the replication instance doesn’t have any tag keys or if it doesn’t have all the keys specified in the parameter `requiredTagKeys`. If the parameter `requiredTagKeys` isn't provided, the control only checks for the existence of a tag key and fails if the replication instance isn't tagged with any key. System tags, which are automatically applied and begin with `aws:`, are ignored.

A tag is a label that you assign to an Amazon resource, and it consists of a key and an optional value. You can create tags to categorize resources by purpose, owner, environment, or other criteria. Tags can help you identify, organize, search for, and filter resources. Tagging also helps you track accountable resource owners for actions and notifications. When you use tagging, you can implement attribute-based access control (ABAC) as an authorization strategy, which defines permissions based on tags. You can attach tags to IAM entities (users or roles) and to Amazon resources. You can create a single ABAC policy or a separate set of policies for your IAM principals. You can design these ABAC policies to allow operations when the principal's tag matches the resource tag. For more information, see [What is ABAC for Amazon?](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*.

**Note**  
Don’t add personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible to many Amazon Web Services services, including Amazon Billing. For more tagging best practices, see [Tagging your Amazon resources](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-best-practices) in the *Amazon Web Services General Reference*.

### Remediation


To add tags to a DMS replication instance, see [Tagging resources in Amazon Database Migration Service](https://docs.amazonaws.cn/dms/latest/userguide/CHAP_Tagging.html) in the *Amazon Database Migration Service User Guide*.

## [DMS.5] DMS replication subnet groups should be tagged


**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `AWS::DMS::ReplicationSubnetGroup`

**Amazon Config rule:** `tagged-dms-replicationsubnetgroup` (custom Security Hub CSPM rule)

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  requiredTagKeys  | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive.  | StringList (maximum of 6 items)  | 1–6 tag keys that meet [Amazon requirements](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-conventions).  |  No default value  | 

This control checks whether an Amazon DMS replication subnet group has tags with the specific keys defined in the parameter `requiredTagKeys`. The control fails if the replication subnet group doesn’t have any tag keys or if it doesn’t have all the keys specified in the parameter `requiredTagKeys`. If the parameter `requiredTagKeys` isn't provided, the control only checks for the existence of a tag key and fails if the replication subnet group isn't tagged with any key. System tags, which are automatically applied and begin with `aws:`, are ignored.

A tag is a label that you assign to an Amazon resource, and it consists of a key and an optional value. You can create tags to categorize resources by purpose, owner, environment, or other criteria. Tags can help you identify, organize, search for, and filter resources. Tagging also helps you track accountable resource owners for actions and notifications. When you use tagging, you can implement attribute-based access control (ABAC) as an authorization strategy, which defines permissions based on tags. You can attach tags to IAM entities (users or roles) and to Amazon resources. You can create a single ABAC policy or a separate set of policies for your IAM principals. You can design these ABAC policies to allow operations when the principal's tag matches the resource tag. For more information, see [What is ABAC for Amazon?](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*.

**Note**  
Don’t add personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible to many Amazon Web Services services, including Amazon Billing. For more tagging best practices, see [Tagging your Amazon resources](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-best-practices) in the *Amazon Web Services General Reference*.

### Remediation


To add tags to a DMS replication subnet group, see [Tagging resources in Amazon Database Migration Service](https://docs.amazonaws.cn/dms/latest/userguide/CHAP_Tagging.html) in the *Amazon Database Migration Service User Guide*.

## [DMS.6] DMS replication instances should have automatic minor version upgrade enabled


**Related requirements:** NIST.800-53.r5 SI-2, NIST.800-53.r5 SI-2(2), NIST.800-53.r5 SI-2(4), NIST.800-53.r5 SI-2(5), PCI DSS v4.0.1/6.3.3

**Category:** Identify > Vulnerability, patch, and version management

**Severity:** Medium

**Resource type:** `AWS::DMS::ReplicationInstance`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/dms-auto-minor-version-upgrade-check.html](https://docs.amazonaws.cn/config/latest/developerguide/dms-auto-minor-version-upgrade-check.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks if automatic minor version upgrade is enabled for an Amazon DMS replication instance. The control fails if automatic minor version upgrade isn't enabled for a DMS replication instance.

DMS provides automatic minor version upgrade for each supported replication engine so that you can keep your replication instance up to date. Minor versions can introduce new software features, bug fixes, security patches, and performance improvements. When you enable automatic minor version upgrade on a DMS replication instance, minor upgrades are applied automatically during the maintenance window, or immediately if you choose the **Apply changes immediately** option.

### Remediation


To enable automatic minor version upgrade on DMS replication instances, see [Modifying a replication instance](https://docs.amazonaws.cn/dms/latest/userguide/CHAP_ReplicationInstance.Modifying.html) in the *Amazon Database Migration Service User Guide*.

## [DMS.7] DMS replication tasks for the target database should have logging enabled


**Related requirements:** NIST.800-53.r5 AC-2(4), NIST.800-53.r5 AC-4(26), NIST.800-53.r5 AC-6(9), NIST.800-53.r5 AU-10, NIST.800-53.r5 AU-12, NIST.800-53.r5 AU-2, NIST.800-53.r5 AU-3, NIST.800-53.r5 AU-6(3), NIST.800-53.r5 AU-6(4), NIST.800-53.r5 CA-7, NIST.800-53.r5 SC-7(9), NIST.800-53.r5 SI-3(8), NIST.800-53.r5 SI-4(20), NIST.800-53.r5 SI-7(8), PCI DSS v4.0.1/10.4.2

**Category:** Identify > Logging

**Severity:** Medium

**Resource type:** `AWS::DMS::ReplicationTask`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/dms-replication-task-targetdb-logging.html](https://docs.amazonaws.cn/config/latest/developerguide/dms-replication-task-targetdb-logging.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether logging is enabled with the minimum severity level of `LOGGER_SEVERITY_DEFAULT` for DMS replication tasks `TARGET_APPLY` and `TARGET_LOAD`. The control fails if logging isn't enabled for these tasks or if the minimum severity level is less than `LOGGER_SEVERITY_DEFAULT`.

DMS uses Amazon CloudWatch to log information during the migration process. Using logging task settings, you can specify which component activities are logged and how much information is logged. You should specify logging for the following tasks:
+ `TARGET_APPLY` – Data and data definition language (DDL) statements are applied to the target database.
+ `TARGET_LOAD` – Data is loaded into the target database.

Logging plays a critical role in DMS replication tasks by enabling monitoring, troubleshooting, auditing, performance analysis, error detection, and recovery, as well as historical analysis and reporting. It helps ensure the successful replication of data between databases while maintaining data integrity and compliance with regulatory requirements. Logging levels other than `DEFAULT` are rarely needed for these components during troubleshooting. We recommend keeping the logging level as `DEFAULT` for these components unless specifically requested to change it by Amazon Web Services Support. A minimal logging level of `DEFAULT` ensures that informational messages, warnings, and error messages are written to the logs. This control checks if the logging level is at least one of the following for the preceding replication tasks: `LOGGER_SEVERITY_DEFAULT`, `LOGGER_SEVERITY_DEBUG`, or `LOGGER_SEVERITY_DETAILED_DEBUG`.

### Remediation


To enable logging for target database DMS replication tasks, see [Viewing and managing Amazon DMS task logs](https://docs.amazonaws.cn/dms/latest/userguide/CHAP_Monitoring.html#CHAP_Monitoring.ManagingLogs) in the *Amazon Database Migration Service User Guide*.

## [DMS.8] DMS replication tasks for the source database should have logging enabled


**Related requirements:** NIST.800-53.r5 AC-2(4), NIST.800-53.r5 AC-4(26), NIST.800-53.r5 AC-6(9), NIST.800-53.r5 AU-10, NIST.800-53.r5 AU-12, NIST.800-53.r5 AU-2, NIST.800-53.r5 AU-3, NIST.800-53.r5 AU-6(3), NIST.800-53.r5 AU-6(4), NIST.800-53.r5 CA-7, NIST.800-53.r5 SC-7(9), NIST.800-53.r5 SI-3(8), NIST.800-53.r5 SI-4(20), NIST.800-53.r5 SI-7(8), PCI DSS v4.0.1/10.4.2

**Category:** Identify > Logging

**Severity:** Medium

**Resource type:** `AWS::DMS::ReplicationTask`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/dms-replication-task-sourcedb-logging.html](https://docs.amazonaws.cn/config/latest/developerguide/dms-replication-task-sourcedb-logging.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether logging is enabled with the minimum severity level of `LOGGER_SEVERITY_DEFAULT` for DMS replication tasks `SOURCE_CAPTURE` and `SOURCE_UNLOAD`. The control fails if logging isn't enabled for these tasks or if the minimum severity level is less than `LOGGER_SEVERITY_DEFAULT`.

DMS uses Amazon CloudWatch to log information during the migration process. Using logging task settings, you can specify which component activities are logged and how much information is logged. You should specify logging for the following tasks:
+ `SOURCE_CAPTURE` – Ongoing replication or change data capture (CDC) data is captured from the source database or service, and passed to the `SORTER` service component.
+ `SOURCE_UNLOAD` – Data is unloaded from the source database or service during full load.

Logging plays a critical role in DMS replication tasks by enabling monitoring, troubleshooting, auditing, performance analysis, error detection, and recovery, as well as historical analysis and reporting. It helps ensure the successful replication of data between databases while maintaining data integrity and compliance with regulatory requirements. Logging levels other than `DEFAULT` are rarely needed for these components during troubleshooting. We recommend keeping the logging level as `DEFAULT` for these components unless specifically requested to change it by Amazon Web Services Support. A minimal logging level of `DEFAULT` ensures that informational messages, warnings, and error messages are written to the logs. This control checks if the logging level is at least one of the following for the preceding replication tasks: `LOGGER_SEVERITY_DEFAULT`, `LOGGER_SEVERITY_DEBUG`, or `LOGGER_SEVERITY_DETAILED_DEBUG`.
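The check described for DMS.7 and DMS.8, written out as an added example that is not part of the Security Hub CSPM documentation: it evaluates the `Logging` section of a replication task's task settings and fails a component whose severity is missing or below `LOGGER_SEVERITY_DEFAULT`. The JSON shape (`Logging.EnableLogging`, `Logging.LogComponents`) and the three severity levels below `LOGGER_SEVERITY_DEFAULT` follow the DMS task-settings format and are not stated on this page; the task settings themselves are constructed sample data.

```python
"""Added example, not from the Security Hub CSPM documentation.

Local evaluation of the DMS.7 / DMS.8 logging rule against the Logging
section of a DMS replication task's task settings. The settings JSON below
is constructed sample data, not captured from a real task.
"""
import json
from typing import Dict, List, Tuple

# DMS task logging severities, least to most verbose (from the DMS task-settings
# format; the page itself names only DEFAULT, DEBUG and DETAILED_DEBUG).
SEVERITY_ORDER = [
    "LOGGER_SEVERITY_ERROR",
    "LOGGER_SEVERITY_WARNING",
    "LOGGER_SEVERITY_INFO",
    "LOGGER_SEVERITY_DEFAULT",
    "LOGGER_SEVERITY_DEBUG",
    "LOGGER_SEVERITY_DETAILED_DEBUG",
]
MINIMUM_SEVERITY = "LOGGER_SEVERITY_DEFAULT"

# Log components each control evaluates.
CONTROL_COMPONENTS: Dict[str, Tuple[str, ...]] = {
    "DMS.7": ("TARGET_APPLY", "TARGET_LOAD"),
    "DMS.8": ("SOURCE_CAPTURE", "SOURCE_UNLOAD"),
}


def severity_meets_minimum(severity: str) -> bool:
    """True when severity is LOGGER_SEVERITY_DEFAULT, DEBUG or DETAILED_DEBUG."""
    if severity not in SEVERITY_ORDER:
        return False  # unknown value: treat as non-compliant rather than guess
    return SEVERITY_ORDER.index(severity) >= SEVERITY_ORDER.index(MINIMUM_SEVERITY)


def evaluate_logging_control(task_settings: Dict, control_id: str) -> Tuple[str, List[str]]:
    """Evaluate DMS.7 or DMS.8 against a parsed task-settings document.

    Returns (status, reasons). The control fails when logging is not enabled
    or when any evaluated component is absent or below LOGGER_SEVERITY_DEFAULT.
    """
    logging_cfg = task_settings.get("Logging", {})
    reasons: List[str] = []
    if not logging_cfg.get("EnableLogging", False):
        reasons.append("Logging.EnableLogging is not true")
    severity_by_id = {
        component.get("Id"): component.get("Severity")
        for component in logging_cfg.get("LogComponents", [])
    }
    for component_id in CONTROL_COMPONENTS[control_id]:
        severity = severity_by_id.get(component_id)
        if severity is None:
            reasons.append(f"{component_id}: no LogComponents entry")
        elif not severity_meets_minimum(severity):
            reasons.append(f"{component_id}: {severity} is below {MINIMUM_SEVERITY}")
    return ("PASSED" if not reasons else "FAILED"), reasons


# Constructed task settings: target components are compliant, but SOURCE_CAPTURE
# has been turned down to INFO, which is below the required minimum.
SAMPLE_TASK_SETTINGS_JSON = """
{
  "Logging": {
    "EnableLogging": true,
    "LogComponents": [
      {"Id": "SOURCE_UNLOAD",  "Severity": "LOGGER_SEVERITY_DEFAULT"},
      {"Id": "SOURCE_CAPTURE", "Severity": "LOGGER_SEVERITY_INFO"},
      {"Id": "TARGET_LOAD",    "Severity": "LOGGER_SEVERITY_DEFAULT"},
      {"Id": "TARGET_APPLY",   "Severity": "LOGGER_SEVERITY_DEBUG"},
      {"Id": "TASK_MANAGER",   "Severity": "LOGGER_SEVERITY_DEFAULT"}
    ]
  }
}
"""


def evaluate_sample() -> Dict[str, str]:
    """Evaluate both controls over the sample settings; returns control -> status."""
    settings = json.loads(SAMPLE_TASK_SETTINGS_JSON)
    return {cid: evaluate_logging_control(settings, cid)[0] for cid in CONTROL_COMPONENTS}


if __name__ == "__main__":
    settings = json.loads(SAMPLE_TASK_SETTINGS_JSON)
    for cid in CONTROL_COMPONENTS:
        status, reasons = evaluate_logging_control(settings, cid)
        print(cid, status, "; ".join(reasons))
```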

### Remediation


To enable logging for source database DMS replication tasks, see [Viewing and managing Amazon DMS task logs](https://docs.amazonaws.cn/dms/latest/userguide/CHAP_Monitoring.html#CHAP_Monitoring.ManagingLogs) in the *Amazon Database Migration Service User Guide*.

## [DMS.9] DMS endpoints should use SSL


**Related requirements:** NIST.800-53.r5 AC-4, NIST.800-53.r5 SC-13, NIST.800-53.r5 SC-23, NIST.800-53.r5 SC-23(3), NIST.800-53.r5 SC-7(4), NIST.800-53.r5 SC-8, NIST.800-53.r5 SC-8(1), NIST.800-53.r5 SC-8(2), PCI DSS v4.0.1/4.2.1

**Category:** Protect > Data Protection > Encryption of data-in-transit

**Severity:** Medium

**Resource type:** `AWS::DMS::Endpoint`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/dms-endpoint-ssl-configured.html](https://docs.amazonaws.cn/config/latest/developerguide/dms-endpoint-ssl-configured.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether an Amazon DMS endpoint uses an SSL connection. The control fails if the endpoint doesn't use SSL.

SSL/TLS connections provide a layer of security by encrypting connections between DMS replication instances and your database. Using certificates provides an extra layer of security by validating that the connection is being made to the expected database. It does so by checking the server certificate that is automatically installed on all database instances that you provision. By enabling SSL connection on your DMS endpoints, you protect the confidentiality of the data during the migration.

### Remediation


To add an SSL connection to a new or existing DMS endpoint, see [Using SSL with Amazon Database Migration Service](https://docs.amazonaws.cn/dms/latest/userguide/CHAP_Security.SSL.html#CHAP_Security.SSL.Procedure) in the *Amazon Database Migration Service User Guide*.

## [DMS.10] DMS endpoints for Neptune databases should have IAM authorization enabled


**Related requirements:** NIST.800-53.r5 AC-2, NIST.800-53.r5 AC-3, NIST.800-53.r5 AC-6, NIST.800-53.r5 AC-17, NIST.800-53.r5 IA-2, NIST.800-53.r5 IA-5, PCI DSS v4.0.1/7.3.1

**Category:** Protect > Secure access management > Passwordless authentication

**Severity:** Medium

**Resource type:** `AWS::DMS::Endpoint`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/dms-neptune-iam-authorization-enabled.html](https://docs.amazonaws.cn/config/latest/developerguide/dms-neptune-iam-authorization-enabled.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether an Amazon DMS endpoint for an Amazon Neptune database is configured with IAM authorization. The control fails if the DMS endpoint doesn't have IAM authorization enabled.

Amazon Identity and Access Management (IAM) provides fine-grained access control across Amazon. With IAM, you can specify who can access which services and resources, and under which conditions. With IAM policies, you manage permissions for your workforce and systems to ensure least-privilege permissions. By enabling IAM authorization on Amazon DMS endpoints for Neptune databases, you can grant authorization privileges to IAM users by using a service role specified by the `ServiceAccessRoleARN` parameter.

### Remediation


To enable IAM authorization on DMS endpoints for Neptune databases, see [Using Amazon Neptune as a target for Amazon Database Migration Service](https://docs.amazonaws.cn/dms/latest/userguide/CHAP_Target.Neptune.html) in the *Amazon Database Migration Service User Guide*.

## [DMS.11] DMS endpoints for MongoDB should have an authentication mechanism enabled


**Related requirements:** NIST.800-53.r5 AC-3, NIST.800-53.r5 AC-6, NIST.800-53.r5 IA-2, NIST.800-53.r5 IA-5, PCI DSS v4.0.1/7.3.1

**Category:** Protect > Secure access management > Passwordless authentication

**Severity:** Medium

**Resource type:** `AWS::DMS::Endpoint`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/dms-mongo-db-authentication-enabled.html](https://docs.amazonaws.cn/config/latest/developerguide/dms-mongo-db-authentication-enabled.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether an Amazon DMS endpoint for MongoDB is configured with an authentication mechanism. The control fails if an authentication type isn't set for the endpoint.

Amazon Database Migration Service supports two authentication methods for MongoDB: **MONGODB-CR** for MongoDB version 2.x, and **SCRAM-SHA-1** for MongoDB version 3.x or later. These methods authenticate the connection and protect MongoDB passwords when password-based access to the database is used. Authentication on Amazon DMS endpoints ensures that only authorized users can access and modify the data being migrated between databases. Without proper authentication, unauthorized users may be able to gain access to sensitive data during the migration process. This can result in data breaches, data loss, or other security incidents.

### Remediation


To enable an authentication mechanism on DMS endpoints for MongoDB, see [Using MongoDB as a source for Amazon DMS](https://docs.amazonaws.cn/dms/latest/userguide/CHAP_Source.MongoDB.html) in the *Amazon Database Migration Service User Guide*.

## [DMS.12] DMS endpoints for Redis OSS should have TLS enabled


**Related requirements:** NIST.800-53.r5 SC-8, NIST.800-53.r5 SC-13, PCI DSS v4.0.1/4.2.1

**Category:** Protect > Data Protection > Encryption of data-in-transit

**Severity:** Medium

**Resource type:** `AWS::DMS::Endpoint`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/dms-redis-tls-enabled.html](https://docs.amazonaws.cn/config/latest/developerguide/dms-redis-tls-enabled.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether an Amazon DMS endpoint for Redis OSS is configured with a TLS connection. The control fails if the endpoint doesn't have TLS enabled.

TLS provides end-to-end security when data is sent between applications or databases over the internet. When you configure TLS (SSL) encryption for your DMS endpoint, it enables encrypted communication between the source and target databases during the migration process. This helps prevent eavesdropping and interception of sensitive data by malicious actors. Without TLS encryption, sensitive data may be accessed, resulting in data breaches, data loss, or other security incidents.

### Remediation


To enable a TLS connection on DMS endpoints for Redis, see [Using Redis as a target for Amazon Database Migration Service](https://docs.amazonaws.cn/dms/latest/userguide/CHAP_Target.Redis.html) in the *Amazon Database Migration Service User Guide*.

## [DMS.13] DMS replication instances should be configured to use multiple Availability Zones


**Category:** Recover > Resilience > High availability

**Severity:** Medium

**Resource type:** `AWS::DMS::ReplicationInstance`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/dms-replication-instance-multi-az-enabled.html](https://docs.amazonaws.cn/config/latest/developerguide/dms-replication-instance-multi-az-enabled.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether an Amazon Database Migration Service (Amazon DMS) replication instance is configured to use multiple Availability Zones (Multi-AZ deployment). The control fails if the Amazon DMS replication instance isn't configured to use a Multi-AZ deployment.

In a Multi-AZ deployment, Amazon DMS automatically provisions and maintains a standby replica of a replication instance in a different Availability Zone (AZ). The primary replication instance is then synchronously replicated to the standby replica. If the primary replication instance fails or becomes unresponsive, the standby resumes any running tasks with minimal interruption. For more information, see [Working with a replication instance](https://docs.amazonaws.cn/dms/latest/userguide/CHAP_ReplicationInstance.html) in the *Amazon Database Migration Service User Guide*.

### Remediation


After you create an Amazon DMS replication instance, you can change the Multi-AZ deployment setting for it. For information about changing this and other settings for an existing replication instance, see [Modifying a replication instance](https://docs.amazonaws.cn/dms/latest/userguide/CHAP_ReplicationInstance.Modifying.html) in the *Amazon Database Migration Service User Guide*.

# Security Hub CSPM controls for Amazon DataSync
Amazon DataSync controls

These Security Hub CSPM controls evaluate the Amazon DataSync service and resources. The controls might not be available in all Amazon Web Services Regions. For more information, see [Availability of controls by Region](securityhub-regions.md#securityhub-regions-control-support).

## [DataSync.1] DataSync tasks should have logging enabled


**Category:** Identify > Logging

**Severity:** Medium

**Resource type:** `AWS::DataSync::Task`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/datasync-task-logging-enabled.html](https://docs.amazonaws.cn/config/latest/developerguide/datasync-task-logging-enabled.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether an Amazon DataSync task has logging enabled. The control fails if the task doesn't have logging enabled.

Audit logs track and monitor system activities. They provide a record of events that can help you detect security breaches, investigate incidents, and comply with regulations. Audit logs also enhance the overall accountability and transparency of your organization.

### Remediation


For information about configuring logging for Amazon DataSync tasks, see [Monitoring data transfers with Amazon CloudWatch Logs](https://docs.amazonaws.cn/datasync/latest/userguide/configure-logging.html) in the *Amazon DataSync User Guide*.

## [DataSync.2] DataSync tasks should be tagged


**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `AWS::DataSync::Task`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/datasync-task-tagged.html](https://docs.amazonaws.cn/config/latest/developerguide/datasync-task-tagged.html)

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
| requiredKeyTags | A list of non-system tag keys that must be assigned to an evaluated resource. Tag keys are case sensitive. | StringList (maximum of 6 items) | 1–6 tag keys that meet [Amazon requirements](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-conventions). | No default value | 

This control checks whether an Amazon DataSync task has the tag keys specified by the `requiredKeyTags` parameter. The control fails if the task doesn't have any tag keys, or it doesn't have all the keys specified by the `requiredKeyTags` parameter. If you don't specify any values for the `requiredKeyTags` parameter, the control checks only for the existence of a tag key and fails if the task doesn't have any tag keys. The control ignores system tags, which are applied automatically and have the `aws:` prefix.

A tag is a label that you create and assign to an Amazon resource. Each tag consists of a required tag key and an optional tag value. You can use tags to categorize resources by purpose, owner, environment, or other criteria. They can help you identify, organize, search for, and filter resources. They can also help you track resource owners for actions and notifications. You can also use tags to implement attribute-based access control (ABAC) as an authorization strategy. For more information about ABAC strategies, see [Define permissions based on attributes with ABAC authorization](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*. For more information about tags, see the [Tagging Amazon Resources and Tag Editor User Guide](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html).

**Note**  
Do not store personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible from many Amazon Web Services services. They aren't intended to be used for private or sensitive data.

### Remediation


For information about adding tags to an Amazon DataSync task, see [Tagging your Amazon DataSync tasks](https://docs.amazonaws.cn/datasync/latest/userguide/tagging-tasks.html) in the *Amazon DataSync User Guide*.

# Security Hub CSPM controls for Amazon Detective
Amazon Detective controls

This Amazon Security Hub CSPM control evaluates the Amazon Detective service and resources. The control might not be available in all Amazon Web Services Regions. For more information, see [Availability of controls by Region](securityhub-regions.md#securityhub-regions-control-support).

## [Detective.1] Detective behavior graphs should be tagged


**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `AWS::Detective::Graph`

**Amazon Config rule:** `tagged-detective-graph` (custom Security Hub CSPM rule)

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  requiredTagKeys  | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive.  | StringList (maximum of 6 items)  | 1–6 tag keys that meet [Amazon requirements](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-conventions).  |  No default value  | 

This control checks whether an Amazon Detective behavior graph has tags with the specific keys defined in the parameter `requiredTagKeys`. The control fails if the behavior graph doesn’t have any tag keys or if it doesn’t have all the keys specified in the parameter `requiredTagKeys`. If the parameter `requiredTagKeys` isn't provided, the control only checks for the existence of a tag key and fails if the behavior graph isn't tagged with any key. System tags, which are automatically applied and begin with `aws:`, are ignored.
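The tagging controls on this page (DMS.2 to DMS.5, DataSync.2 and Detective.1) all describe the same evaluation, shown here as an added example that is not part of the Security Hub CSPM documentation: system tags beginning with `aws:` are ignored, a missing parameter reduces the check to "has at least one tag key", and required keys are matched case-sensitively. The resource names and tag sets are constructed sample data.

```python
"""Added example, not from the Security Hub CSPM documentation.

Re-implements the evaluation logic shared by the tagging controls on this page
(DMS.2 to DMS.5, DataSync.2 and Detective.1) so the pass/fail conditions can
be exercised offline. All resource names and tag sets below are constructed.
"""
from typing import Dict, Iterable, List, Optional, Tuple

SYSTEM_TAG_PREFIX = "aws:"  # system tags are applied automatically and ignored
MAX_REQUIRED_KEYS = 6        # requiredTagKeys (requiredKeyTags in DataSync.2) takes 1-6 keys


def user_tag_keys(tags: Dict[str, str]) -> set:
    """Return the non-system tag keys of a resource, case preserved."""
    return {key for key in tags if not key.startswith(SYSTEM_TAG_PREFIX)}


def evaluate_tagging_control(
    tags: Dict[str, str], required_tag_keys: Optional[Iterable[str]] = None
) -> Tuple[str, str]:
    """Evaluate one resource's tags the way the tagging controls describe.

    Returns (status, reason) with status "PASSED" or "FAILED":
    - parameter absent: pass if at least one non-system tag key exists;
    - parameter given: pass only if every required key is present
      (comparison is case sensitive, so "owner" does not satisfy "Owner").
    """
    required: List[str] = list(required_tag_keys or [])
    if len(required) > MAX_REQUIRED_KEYS:
        raise ValueError(f"requiredTagKeys accepts at most {MAX_REQUIRED_KEYS} keys")

    present = user_tag_keys(tags)
    if not present:
        return "FAILED", "resource has no non-system tag keys"
    if not required:
        return "PASSED", f"resource has {len(present)} non-system tag key(s)"

    missing = sorted(set(required) - present)
    if missing:
        return "FAILED", "missing required tag key(s): " + ", ".join(missing)
    return "PASSED", "all required tag keys are present"


# Constructed sample resources: the only tag on the first one is a system tag,
# so it counts as untagged; the last one has the right words in the wrong case.
SAMPLE_RESOURCES: Dict[str, Dict[str, str]] = {
    "cert-system-tag-only": {"aws:cloudformation:stack-name": "dms-stack"},
    "cert-partial": {"Owner": "data-platform", "aws:createdBy": "iac-pipeline"},
    "cert-complete": {"Owner": "data-platform", "Environment": "prod", "CostCenter": "4711"},
    "cert-wrong-case": {"owner": "data-platform", "environment": "prod"},
}


def evaluate_sample(required_tag_keys: Optional[List[str]]) -> Dict[str, str]:
    """Run the control over every sample resource; returns name -> status."""
    return {
        name: evaluate_tagging_control(tags, required_tag_keys)[0]
        for name, tags in SAMPLE_RESOURCES.items()
    }


if __name__ == "__main__":
    for params in (None, ["Owner", "Environment"]):
        print(f"requiredTagKeys={params}")
        for name, tags in SAMPLE_RESOURCES.items():
            status, reason = evaluate_tagging_control(tags, params)
            print(f"  {name:<22} {status:<7} {reason}")
```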

A tag is a label that you assign to an Amazon resource, and it consists of a key and an optional value. You can create tags to categorize resources by purpose, owner, environment, or other criteria. Tags can help you identify, organize, search for, and filter resources. Tagging also helps you track accountable resource owners for actions and notifications. When you use tagging, you can implement attribute-based access control (ABAC) as an authorization strategy, which defines permissions based on tags. You can attach tags to IAM entities (users or roles) and to Amazon resources. You can create a single ABAC policy or a separate set of policies for your IAM principals. You can design these ABAC policies to allow operations when the principal's tag matches the resource tag. For more information, see [What is ABAC for Amazon?](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*.

**Note**  
Don’t add personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible to many Amazon Web Services services, including Amazon Billing. For more tagging best practices, see [Tagging your Amazon resources](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-best-practices) in the *Amazon Web Services General Reference*.

### Remediation


To add tags to a Detective behavior graph, see [Adding tags to a behavior graph](https://docs.amazonaws.cn/detective/latest/adminguide/graph-tags.html#graph-tags-add-console) in the *Amazon Detective Administration Guide*.

# Security Hub CSPM controls for Amazon DocumentDB
Amazon DocumentDB controls

These Amazon Security Hub CSPM controls evaluate the Amazon DocumentDB (with MongoDB compatibility) service and resources. The controls might not be available in all Amazon Web Services Regions. For more information, see [Availability of controls by Region](securityhub-regions.md#securityhub-regions-control-support).

## [DocumentDB.1] Amazon DocumentDB clusters should be encrypted at rest


**Related requirements:** NIST.800-53.r5 CA-9(1), NIST.800-53.r5 CM-3(6), NIST.800-53.r5 SC-13, NIST.800-53.r5 SC-28, NIST.800-53.r5 SC-28(1), NIST.800-53.r5 SC-7(10), NIST.800-53.r5 SI-7(6)

**Category:** Protect > Data Protection > Encryption of data-at-rest

**Severity:** Medium

**Resource type:** `AWS::RDS::DBCluster`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/docdb-cluster-encrypted.html](https://docs.amazonaws.cn/config/latest/developerguide/docdb-cluster-encrypted.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether an Amazon DocumentDB cluster is encrypted at rest. The control fails if an Amazon DocumentDB cluster isn't encrypted at rest.

Data at rest refers to any data that's stored in persistent, non-volatile storage for any duration. Encryption helps you protect the confidentiality of such data, reducing the risk that an unauthorized user gets access to it. Data in Amazon DocumentDB clusters should be encrypted at rest for an added layer of security. Amazon DocumentDB uses the 256-bit Advanced Encryption Standard (AES-256) to encrypt your data using encryption keys stored in Amazon Key Management Service (Amazon KMS).

### Remediation


You can enable encryption at rest when you create an Amazon DocumentDB cluster. You can't change encryption settings after creating a cluster. For more information, see [Enabling encryption at rest for an Amazon DocumentDB cluster](https://docs.amazonaws.cn/documentdb/latest/developerguide/encryption-at-rest.html#encryption-at-rest-enabling) in the *Amazon DocumentDB Developer Guide*.

## [DocumentDB.2] Amazon DocumentDB clusters should have an adequate backup retention period


**Related requirements:** NIST.800-53.r5 SI-12, PCI DSS v4.0.1/3.2.1

**Category:** Recover > Resilience > Backups enabled

**Severity:** Medium

**Resource type:** `AWS::RDS::DBCluster`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/docdb-cluster-backup-retention-check.html](https://docs.amazonaws.cn/config/latest/developerguide/docdb-cluster-backup-retention-check.html)

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  `minimumBackupRetentionPeriod`  |  Minimum backup retention period in days  |  Integer  |  `7` to `35`  |  `7`  | 

This control checks whether an Amazon DocumentDB cluster has a backup retention period greater than or equal to the specified time frame. The control fails if the backup retention period is less than the specified time frame. Unless you provide a custom parameter value for the backup retention period, Security Hub CSPM uses a default value of 7 days.

Backups help you recover more quickly from a security incident and strengthen the resilience of your systems. By automating backups for your Amazon DocumentDB clusters, you'll be able to restore your systems to a point in time and minimize downtime and data loss. In Amazon DocumentDB, clusters have a default backup retention period of 1 day. This must be increased to a value between 7 and 35 days to pass this control.

### Remediation


To change the backup retention period for your Amazon DocumentDB clusters, see [Modifying an Amazon DocumentDB cluster](https://docs.amazonaws.cn/documentdb/latest/developerguide/db-cluster-modify.html) in the *Amazon DocumentDB Developer Guide*. For **Backup**, choose the backup retention period.

## [DocumentDB.3] Amazon DocumentDB manual cluster snapshots should not be public


**Related requirements:** NIST.800-53.r5 AC-21, NIST.800-53.r5 AC-3, NIST.800-53.r5 AC-3(7), NIST.800-53.r5 AC-4, NIST.800-53.r5 AC-4(21), NIST.800-53.r5 AC-6, NIST.800-53.r5 SC-7, NIST.800-53.r5 SC-7(11), NIST.800-53.r5 SC-7(16), NIST.800-53.r5 SC-7(20), NIST.800-53.r5 SC-7(21), NIST.800-53.r5 SC-7(3), NIST.800-53.r5 SC-7(4), NIST.800-53.r5 SC-7(9), PCI DSS v4.0.1/1.4.4

**Category:** Protect > Secure network configuration

**Severity:** Critical

**Resource type:** `AWS::RDS::DBClusterSnapshot`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/docdb-cluster-snapshot-public-prohibited.html](https://docs.amazonaws.cn/config/latest/developerguide/docdb-cluster-snapshot-public-prohibited.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether an Amazon DocumentDB manual cluster snapshot is public. The control fails if the manual cluster snapshot is public.

An Amazon DocumentDB manual cluster snapshot should not be public unless intended. If you share an unencrypted manual snapshot as public, the snapshot is available to all Amazon Web Services accounts. Public snapshots may result in unintended data exposure.

**Note**  
This control evaluates manual cluster snapshots. You can't share an Amazon DocumentDB automated cluster snapshot. However, you can create a manual snapshot by copying the automated snapshot, and then share the copy.

### Remediation


To remove public access for Amazon DocumentDB manual cluster snapshots, see [Sharing a snapshot](https://docs.amazonaws.cn/documentdb/latest/developerguide/backup_restore-share_cluster_snapshots.html#backup_restore-share_snapshots) in the *Amazon DocumentDB Developer Guide*. Programmatically, you can use the Amazon DocumentDB operation `modify-db-snapshot-attribute`. Set `attribute-name` as `restore` and `values-to-remove` as `all`.

## [DocumentDB.4] Amazon DocumentDB clusters should publish audit logs to CloudWatch Logs


**Related requirements:** NIST.800-53.r5 AC-2(4), NIST.800-53.r5 AC-4(26), NIST.800-53.r5 AC-6(9), NIST.800-53.r5 AU-10, NIST.800-53.r5 AU-12, NIST.800-53.r5 AU-2, NIST.800-53.r5 AU-3, NIST.800-53.r5 AU-6(3), NIST.800-53.r5 AU-6(4), NIST.800-53.r5 CA-7, NIST.800-53.r5 SC-7(9), NIST.800-53.r5 SI-3(8), NIST.800-53.r5 SI-4(20), NIST.800-53.r5 SI-7(8), PCI DSS v4.0.1/10.3.3

**Category:** Identify > Logging

**Severity:** Medium

**Resource type:** `AWS::RDS::DBCluster`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/docdb-cluster-audit-logging-enabled.html](https://docs.amazonaws.cn/config/latest/developerguide/docdb-cluster-audit-logging-enabled.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether an Amazon DocumentDB cluster publishes audit logs to Amazon CloudWatch Logs. The control fails if the cluster doesn't publish audit logs to CloudWatch Logs.

Amazon DocumentDB (with MongoDB compatibility) allows you to audit events that were performed in your cluster. Examples of logged events include successful and failed authentication attempts, dropping a collection in a database, or creating an index. By default, auditing is disabled in Amazon DocumentDB and requires that you take action to enable it.

### Remediation


To publish Amazon DocumentDB audit logs to CloudWatch Logs, see [Enabling auditing](https://docs.amazonaws.cn/documentdb/latest/developerguide/event-auditing.html#event-auditing-enabling-auditing) in the *Amazon DocumentDB Developer Guide*.

## [DocumentDB.5] Amazon DocumentDB clusters should have deletion protection enabled


**Related requirements:** NIST.800-53.r5 CA-9(1), NIST.800-53.r5 CM-2, NIST.800-53.r5 CM-2(2), NIST.800-53.r5 CM-3, NIST.800-53.r5 SC-5(2)

**Category:** Protect > Data protection > Data deletion protection

**Severity:** Medium

**Resource type:** `AWS::RDS::DBCluster`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/docdb-cluster-deletion-protection-enabled.html](https://docs.amazonaws.cn/config/latest/developerguide/docdb-cluster-deletion-protection-enabled.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether an Amazon DocumentDB cluster has deletion protection enabled. The control fails if the cluster doesn't have deletion protection enabled.

Enabling cluster deletion protection offers an additional layer of protection against accidental database deletion or deletion by an unauthorized user. An Amazon DocumentDB cluster can't be deleted while deletion protection is enabled. You must first disable deletion protection before a delete request can succeed. Deletion protection is enabled by default when you create a cluster in the Amazon DocumentDB console.

### Remediation


To enable deletion protection for an existing Amazon DocumentDB cluster, see [Modifying an Amazon DocumentDB cluster](https://docs.amazonaws.cn/documentdb/latest/developerguide/db-cluster-modify.html) in the *Amazon DocumentDB Developer Guide*. In the **Modify Cluster** section, choose **Enable** for **Deletion protection**.

## [DocumentDB.6] Amazon DocumentDB clusters should be encrypted in transit


**Category:** Protect > Data Protection > Encryption of data-in-transit

**Severity:** Medium

**Resource type:** `AWS::RDS::DBCluster`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/docdb-cluster-encrypted-in-transit.html](https://docs.amazonaws.cn/config/latest/developerguide/docdb-cluster-encrypted-in-transit.html)

**Schedule type:** Periodic

**Parameters:** `excludeTlsParameters`: `disabled`, `enabled` (not customizable)

This control checks whether an Amazon DocumentDB cluster requires TLS for connections to the cluster. The control fails if the cluster parameter group associated with the cluster is not in sync, or if the TLS cluster parameter is set to `disabled` or `enabled`.

You can use TLS to encrypt the connection between an application and an Amazon DocumentDB cluster. Use of TLS can help protect data from being intercepted while the data is in transit between an application and an Amazon DocumentDB cluster. Encryption in transit for an Amazon DocumentDB cluster is managed using the TLS parameter in the cluster parameter group that's associated with the cluster. When encryption in transit is enabled, secure connections using TLS are required to connect to the cluster. We recommend using the following TLS parameters: `tls1.2+`, `tls1.3+`, and `fips-140-3`.
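The following Python is an added example; it is not code from Security Hub CSPM or from the Amazon Config rules linked above. It applies the DocumentDB.1 through DocumentDB.6 checks described in this section to a constructed cluster record shaped like a `DescribeDBClusters` response, a constructed `DescribeDBClusterSnapshotAttributes` result, and the `tls` value from the cluster parameter group. The cluster and snapshot names are made up, and the `parameter_group_in_sync` flag stands in for the apply status the real rule reads.

```python
"""Added example (not Amazon's code): DocumentDB.1-.6 evaluated over constructed API-shaped input."""

MINIMUM_BACKUP_RETENTION_PERIOD = 7              # DocumentDB.2 default; customizable 7..35
FAILING_TLS_VALUES = {"disabled", "enabled"}     # DocumentDB.6: both values fail the control
RECOMMENDED_TLS_VALUES = {"tls1.2+", "tls1.3+", "fips-140-3"}


def check_encrypted_at_rest(cluster):            # DocumentDB.1
    return bool(cluster.get("StorageEncrypted"))


def check_backup_retention(cluster, minimum_days=MINIMUM_BACKUP_RETENTION_PERIOD):   # DocumentDB.2
    if not 7 <= minimum_days <= 35:
        raise ValueError("minimumBackupRetentionPeriod must be between 7 and 35")
    return cluster.get("BackupRetentionPeriod", 0) >= minimum_days


def check_snapshot_not_public(snapshot_attributes):   # DocumentDB.3
    """A manual cluster snapshot is public when its `restore` attribute lists `all`."""
    for attr in snapshot_attributes.get("DBClusterSnapshotAttributes", []):
        if attr.get("AttributeName") == "restore" and "all" in attr.get("AttributeValues", []):
            return False
    return True


def check_audit_logs(cluster):                   # DocumentDB.4
    return "audit" in cluster.get("EnabledCloudwatchLogsExports", [])


def check_deletion_protection(cluster):          # DocumentDB.5
    return bool(cluster.get("DeletionProtection"))


def check_tls(tls_parameter_value, parameter_group_in_sync):   # DocumentDB.6
    """Fails when the parameter group is out of sync or tls is `disabled`/`enabled`."""
    if not parameter_group_in_sync:
        return False
    return tls_parameter_value not in FAILING_TLS_VALUES


def evaluate_cluster(cluster, snapshot_attributes, tls_value, in_sync,
                     minimum_days=MINIMUM_BACKUP_RETENTION_PERIOD):
    """Return {control_id: "PASSED" | "FAILED"} for one cluster and one of its manual snapshots."""
    results = {
        "DocumentDB.1": check_encrypted_at_rest(cluster),
        "DocumentDB.2": check_backup_retention(cluster, minimum_days),
        "DocumentDB.3": check_snapshot_not_public(snapshot_attributes),
        "DocumentDB.4": check_audit_logs(cluster),
        "DocumentDB.5": check_deletion_protection(cluster),
        "DocumentDB.6": check_tls(tls_value, in_sync),
    }
    return {k: "PASSED" if ok else "FAILED" for k, ok in results.items()}


# Constructed sample: a cluster left at service defaults for backups and auditing.
SAMPLE_CLUSTER = {
    "DBClusterIdentifier": "orders-cluster",      # made-up identifier
    "StorageEncrypted": True,
    "BackupRetentionPeriod": 1,                   # DocumentDB default, below the 7-day floor
    "EnabledCloudwatchLogsExports": ["profiler"], # "audit" missing
    "DeletionProtection": True,
    "DBClusterParameterGroup": "custom-docdb",    # made-up name
}
SAMPLE_SNAPSHOT_ATTRS = {
    "DBClusterSnapshotIdentifier": "orders-manual-1",   # made-up identifier
    "DBClusterSnapshotAttributes": [{"AttributeName": "restore", "AttributeValues": ["all"]}],
}
SAMPLE_TLS_VALUE = "enabled"    # fails DocumentDB.6 per the control text
SAMPLE_IN_SYNC = True

if __name__ == "__main__":
    for control, status in evaluate_cluster(SAMPLE_CLUSTER, SAMPLE_SNAPSHOT_ATTRS,
                                            SAMPLE_TLS_VALUE, SAMPLE_IN_SYNC).items():
        print(control, status)
```

With this sample only DocumentDB.1 and DocumentDB.5 pass; raising the retention period, adding `audit` to the log exports, removing `all` from the snapshot's `restore` attribute, and setting `tls` to one of the recommended values would clear the rest.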

### Remediation


For information about changing the TLS settings for an Amazon DocumentDB cluster, see [Encrypting data in transit](https://docs.amazonaws.cn/documentdb/latest/developerguide/security.encryption.ssl.html) in the *Amazon DocumentDB Developer Guide*.

# Security Hub CSPM controls for DynamoDB
Amazon DynamoDB controls

These Amazon Security Hub CSPM controls evaluate the Amazon DynamoDB service and resources. The controls might not be available in all Amazon Web Services Regions. For more information, see [Availability of controls by Region](securityhub-regions.md#securityhub-regions-control-support).

## [DynamoDB.1] DynamoDB tables should automatically scale capacity with demand


**Related requirements:** NIST.800-53.r5 CP-10, NIST.800-53.r5 CP-2(2), NIST.800-53.r5 CP-6(2), NIST.800-53.r5 SC-36, NIST.800-53.r5 SC-5(2), NIST.800-53.r5 SI-13(5)

**Category:** Recover > Resilience > High availability

**Severity:** Medium

**Resource type:** `AWS::DynamoDB::Table`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/dynamodb-autoscaling-enabled.html](https://docs.amazonaws.cn/config/latest/developerguide/dynamodb-autoscaling-enabled.html)

**Schedule type:** Periodic

**Parameters:**


| Parameter | Description | Type | Valid custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  `minProvisionedReadCapacity`  |  Minimum number of provisioned read capacity units for DynamoDB auto scaling  |  Integer  |  `1` to `40000`  |  No default value  | 
|  `targetReadUtilization`  |  Target utilization percentage for read capacity  |  Integer  |  `20` to `90`  |  No default value  | 
|  `minProvisionedWriteCapacity`  |  Minimum number of provisioned write capacity units for DynamoDB auto scaling  |  Integer  |  `1` to `40000`  |  No default value  | 
|  `targetWriteUtilization`  |  Target utilization percentage for write capacity  |  Integer  |  `20` to `90`  |  No default value  | 

This control checks whether an Amazon DynamoDB table can scale its read and write capacity as needed. The control fails if the table doesn't use on-demand capacity mode or provisioned mode with auto scaling configured. By default, this control only requires that one of these modes be configured, without regard to specific levels of read or write capacity. Optionally, you can provide custom parameter values to require specific levels of read and write capacity or target utilization.

Scaling capacity with demand avoids throttling exceptions, which helps to maintain availability of your applications. DynamoDB tables that use on-demand capacity mode are limited only by the DynamoDB throughput default table quotas. To raise these quotas, you can file a support ticket with Amazon Web Services Support. DynamoDB tables that use provisioned mode with auto scaling adjust the provisioned throughput capacity dynamically in response to traffic patterns. For more information about DynamoDB request throttling, see [Request throttling and burst capacity](https://docs.amazonaws.cn/amazondynamodb/latest/developerguide/ProvisionedThroughput.html#ProvisionedThroughput.Throttling) in the *Amazon DynamoDB Developer Guide*.

### Remediation


To enable DynamoDB automatic scaling on existing tables in capacity mode, see [Enabling DynamoDB auto scaling on existing tables](https://docs.amazonaws.cn/amazondynamodb/latest/developerguide/AutoScaling.Console.html#AutoScaling.Console.ExistingTable) in the *Amazon DynamoDB Developer Guide*.

## [DynamoDB.2] DynamoDB tables should have point-in-time recovery enabled


**Related requirements:** NIST.800-53.r5 CP-10, NIST.800-53.r5 CP-6(2), NIST.800-53.r5 CP-9, NIST.800-53.r5 SC-5(2), NIST.800-53.r5 SI-12, NIST.800-53.r5 SI-13(5)

**Category:** Recover > Resilience > Backups enabled

**Severity:** Medium

**Resource type:** `AWS::DynamoDB::Table`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/dynamodb-pitr-enabled.html](https://docs.amazonaws.cn/config/latest/developerguide/dynamodb-pitr-enabled.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether point-in-time recovery (PITR) is enabled for an Amazon DynamoDB table. The control fails if PITR isn't enabled for the table.

Backups help you to recover more quickly from a security incident. They also strengthen the resilience of your systems. DynamoDB point-in-time recovery automates backups for DynamoDB tables. It reduces the time to recover from accidental delete or write operations. DynamoDB tables that have PITR enabled can be restored to any point in time in the last 35 days.

### Remediation


To restore a DynamoDB table to a point in time, see [Restoring a DynamoDB table to a point in time](https://docs.amazonaws.cn/amazondynamodb/latest/developerguide/PointInTimeRecovery.Tutorial.html) in the *Amazon DynamoDB Developer Guide*.

## [DynamoDB.3] DynamoDB Accelerator (DAX) clusters should be encrypted at rest


**Related requirements:** NIST.800-53.r5 CA-9(1), NIST.800-53.r5 CM-3(6), NIST.800-53.r5 SC-13, NIST.800-53.r5 SC-28, NIST.800-53.r5 SC-28(1), NIST.800-53.r5 SC-7(10), NIST.800-53.r5 SI-7(6)

**Category:** Protect > Data Protection > Encryption of data-at-rest

**Severity:** Medium

**Resource type:** `AWS::DAX::Cluster`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/dax-encryption-enabled.html](https://docs.amazonaws.cn/config/latest/developerguide/dax-encryption-enabled.html)

**Schedule type:** Periodic

**Parameters:** None

This control checks whether an Amazon DynamoDB Accelerator (DAX) cluster is encrypted at rest. The control fails if the DAX cluster isn't encrypted at rest.

Encrypting data at rest reduces the risk of data stored on disk being accessed by a user not authenticated to Amazon. The encryption adds another set of access controls to limit the ability of unauthorized users to access the data. For example, API permissions are required to decrypt the data before it can be read.

### Remediation


You cannot enable or disable encryption at rest after a cluster is created. You must recreate the cluster in order to enable encryption at rest. For detailed instructions on how to create a DAX cluster with encryption at rest enabled, see [Enabling encryption at rest using the Amazon Web Services Management Console](https://docs.amazonaws.cn/amazondynamodb/latest/developerguide/DAXEncryptionAtRest.html#dax.encryption.tutorial-console) in the *Amazon DynamoDB Developer Guide*.

## [DynamoDB.4] DynamoDB tables should be present in a backup plan


**Related requirements:** NIST.800-53.r5 CP-10, NIST.800-53.r5 CP-6, NIST.800-53.r5 CP-6(1), NIST.800-53.r5 CP-6(2), NIST.800-53.r5 CP-9, NIST.800-53.r5 SC-5(2), NIST.800-53.r5 SI-12, NIST.800-53.r5 SI-13(5)

**Category:** Recover > Resilience > Backups enabled

**Severity:** Medium

**Resource type:** `AWS::DynamoDB::Table`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/dynamodb-resources-protected-by-backup-plan.html](https://docs.amazonaws.cn/config/latest/developerguide/dynamodb-resources-protected-by-backup-plan.html)

**Schedule type:** Periodic

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  `backupVaultLockCheck`  |  The control produces a `PASSED` finding if the parameter is set to `true` and the resource uses Amazon Backup Vault Lock.  |  Boolean  |  `true` or `false`  |  No default value  | 

This control evaluates whether an Amazon DynamoDB table in `ACTIVE` state is covered by a backup plan. The control fails if the DynamoDB table isn't covered by a backup plan. If you set the `backupVaultLockCheck` parameter equal to `true`, the control passes only if the DynamoDB table is backed up in an Amazon Backup locked vault.

Amazon Backup is a fully managed backup service that helps you centralize and automate the backing up of data across Amazon Web Services services. With Amazon Backup, you can create backup plans that define your backup requirements, such as how frequently to back up your data and how long to retain those backups. Including DynamoDB tables in your backup plans helps you protect your data from unintended loss or deletion.

### Remediation


To add a DynamoDB table to an Amazon Backup backup plan, see [Assigning resources to a backup plan](https://docs.amazonaws.cn/aws-backup/latest/devguide/assigning-resources.html) in the *Amazon Backup Developer Guide*.

## [DynamoDB.5] DynamoDB tables should be tagged


**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `Amazon::DynamoDB::Table`

**Amazon Config rule:** `tagged-dynamodb-table` (custom Security Hub CSPM rule)

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  requiredTagKeys  | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive.  | StringList (maximum of 6 items)  | 1–6 tag keys that meet [Amazon requirements](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-conventions).  |  No default value  | 

This control checks whether an Amazon DynamoDB table has tags with the specific keys defined in the parameter `requiredTagKeys`. The control fails if the table doesn’t have any tag keys or if it doesn’t have all the keys specified in the parameter `requiredTagKeys`. If the parameter `requiredTagKeys` isn't provided, the control only checks for the existence of a tag key and fails if the table isn't tagged with any key. System tags, which are automatically applied and begin with `aws:`, are ignored.
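The following Python is an added example and is not code from Security Hub CSPM or Amazon Config. It implements the `requiredTagKeys` rule that this control and the Amazon Detective behavior graph tagging control above both describe: system tags beginning with `aws:` are ignored, keys are compared case-sensitively, at most six keys may be required, and when no keys are supplied the resource only needs one non-system tag. The resource names and tags are constructed for the example.

```python
"""Added example (not Amazon's code): the requiredTagKeys check over constructed tag lists."""

SYSTEM_TAG_PREFIX = "aws:"   # system tags are ignored by the control
MAX_REQUIRED_KEYS = 6        # requiredTagKeys accepts 1 to 6 items


def evaluate_required_tags(tags, required_tag_keys=None):
    """Return ("PASSED" | "FAILED", reason) for one resource.

    `tags` uses the {"Key": ..., "Value": ...} list shape most Amazon APIs return.
    """
    if required_tag_keys is not None and not 1 <= len(required_tag_keys) <= MAX_REQUIRED_KEYS:
        raise ValueError("requiredTagKeys must contain 1 to 6 keys")

    # Case-sensitive set of the resource's non-system tag keys.
    present = {t["Key"] for t in tags if not t["Key"].startswith(SYSTEM_TAG_PREFIX)}

    if not present:
        return "FAILED", "resource has no non-system tag keys"
    if required_tag_keys is None:
        return "PASSED", "at least one non-system tag key is present"

    missing = sorted(set(required_tag_keys) - present)
    if missing:
        return "FAILED", "missing required tag keys: " + ", ".join(missing)
    return "PASSED", "all required tag keys are present"


def evaluate_all(resources, required_tag_keys=None):
    """Evaluate every resource in {name: tags} and return {name: status}."""
    return {name: evaluate_required_tags(tags, required_tag_keys)[0]
            for name, tags in resources.items()}


# Constructed sample resources; names and tag values are illustrative only.
SAMPLE_RESOURCES = {
    "untagged-table": [],
    "system-tags-only": [{"Key": "aws:cloudformation:stack-name", "Value": "demo"}],
    "owner-only": [{"Key": "Owner", "Value": "team-data"}],
    "fully-tagged": [
        {"Key": "Owner", "Value": "team-data"},
        {"Key": "Environment", "Value": "prod"},
        {"Key": "aws:cloudformation:stack-name", "Value": "demo"},
    ],
    # "owner" does not satisfy a required key of "Owner": comparison is case sensitive.
    "wrong-case": [{"Key": "owner", "Value": "team-data"}, {"Key": "Environment", "Value": "prod"}],
}

if __name__ == "__main__":
    for name, status in evaluate_all(SAMPLE_RESOURCES, ["Owner", "Environment"]).items():
        print(f"{name:18} {status}")
```

Running the block with `["Owner", "Environment"]` fails `owner-only` and `wrong-case`; running `evaluate_all(SAMPLE_RESOURCES)` with no required keys passes both, because the control then only looks for the existence of some non-system tag.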

A tag is a label that you assign to an Amazon resource, and it consists of a key and an optional value. You can create tags to categorize resources by purpose, owner, environment, or other criteria. Tags can help you identify, organize, search for, and filter resources. Tagging also helps you track accountable resource owners for actions and notifications. When you use tagging, you can implement attribute-based access control (ABAC) as an authorization strategy, which defines permissions based on tags. You can attach tags to IAM entities (users or roles) and to Amazon resources. You can create a single ABAC policy or a separate set of policies for your IAM principals. You can design these ABAC policies to allow operations when the principal's tag matches the resource tag. For more information, see [What is ABAC for Amazon?](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*.

**Note**  
Don’t add personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible to many Amazon Web Services services, including Amazon Billing. For more tagging best practices, see [Tagging your Amazon resources](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-best-practices) in the *Amazon Web Services General Reference*.

### Remediation


To add tags to a DynamoDB table, see [Tagging resources in DynamoDB](https://docs.amazonaws.cn/amazondynamodb/latest/developerguide/Tagging.Operations.html) in the *Amazon DynamoDB Developer Guide*.

## [DynamoDB.6] DynamoDB tables should have deletion protection enabled


**Related requirements:** NIST.800-53.r5 CA-9(1), NIST.800-53.r5 CM-2, NIST.800-53.r5 CM-2(2), NIST.800-53.r5 CM-3, NIST.800-53.r5 SC-5(2)

**Category:** Protect > Data protection > Data deletion protection

**Severity:** Medium

**Resource type:** `AWS::DynamoDB::Table`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/dynamodb-table-deletion-protection-enabled.html](https://docs.amazonaws.cn/config/latest/developerguide/dynamodb-table-deletion-protection-enabled.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether an Amazon DynamoDB table has deletion protection enabled. The control fails if a DynamoDB table doesn't have deletion protection enabled.

You can protect a DynamoDB table from accidental deletion with the deletion protection property. Enabling this property for tables helps ensure that tables don't get accidentally deleted during regular table management operations by your administrators. This helps prevent disruption to your normal business operations.

### Remediation


To enable deletion protection for a DynamoDB table, see [Using deletion protection](https://docs.amazonaws.cn/amazondynamodb/latest/developerguide/WorkingWithTables.Basics.html#WorkingWithTables.Basics.DeletionProtection) in the *Amazon DynamoDB Developer Guide*.

## [DynamoDB.7] DynamoDB Accelerator clusters should be encrypted in transit


**Related requirements:** NIST.800-53.r5 AC-17, NIST.800-53.r5 SC-8, NIST.800-53.r5 SC-13, NIST.800-53.r5 SC-23, PCI DSS v4.0.1/4.2.1

**Category:** Protect > Data Protection > Encryption of data-in-transit

**Severity:** Medium

**Resource type:** `AWS::DAX::Cluster`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/dax-tls-endpoint-encryption.html](https://docs.amazonaws.cn/config/latest/developerguide/dax-tls-endpoint-encryption.html)

**Schedule type:** Periodic

**Parameters:** None

This control checks whether an Amazon DynamoDB Accelerator (DAX) cluster is encrypted in transit, with the endpoint encryption type set to TLS. The control fails if the DAX cluster isn't encrypted in transit.

HTTPS (TLS) can be used to help prevent potential attackers from using person-in-the-middle or similar attacks to eavesdrop on or manipulate network traffic. You should only allow encrypted connections over TLS to access DAX clusters. However, encrypting data in transit can affect performance. You should test your application with encryption turned on to understand the performance profile and the impact of TLS.
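The following Python is an added example, not code from Security Hub CSPM or the linked Amazon Config rules. It applies the DynamoDB.1, DynamoDB.2, DynamoDB.6 and DynamoDB.7 checks described in this section to constructed records shaped like the `DescribeTable`, `DescribeContinuousBackups`, Application Auto Scaling `DescribeScalableTargets`/`DescribeScalingPolicies` and DAX `DescribeClusters` responses. How the optional DynamoDB.1 parameters are compared (minimum capacity must be at least the parameter, target utilization no higher than it) is an assumption of this example rather than documented rule behaviour; the table and cluster names are made up.

```python
"""Added example (not Amazon's code): DynamoDB.1/.2/.6/.7 over constructed API-shaped input."""

READ_DIM = "dynamodb:table:ReadCapacityUnits"
WRITE_DIM = "dynamodb:table:WriteCapacityUnits"


def _scaling_for(table_name, dimension, scalable_targets, scaling_policies):
    """Return (MinCapacity, TargetValue) for one table dimension, or None if not configured."""
    resource_id = f"table/{table_name}"
    target = next((t for t in scalable_targets
                   if t["ResourceId"] == resource_id and t["ScalableDimension"] == dimension), None)
    policy = next((p for p in scaling_policies
                   if p["ResourceId"] == resource_id and p["ScalableDimension"] == dimension), None)
    if target is None or policy is None:
        return None
    return target["MinCapacity"], policy["TargetTrackingScalingPolicyConfiguration"]["TargetValue"]


def check_autoscaling(table, scalable_targets, scaling_policies, params=None):   # DynamoDB.1
    """On-demand tables pass; provisioned tables need auto scaling on both dimensions."""
    params = params or {}
    billing = table.get("BillingModeSummary", {}).get("BillingMode", "PROVISIONED")
    if billing == "PAY_PER_REQUEST":
        return True
    dims = ((READ_DIM, "minProvisionedReadCapacity", "targetReadUtilization"),
            (WRITE_DIM, "minProvisionedWriteCapacity", "targetWriteUtilization"))
    for dimension, min_key, util_key in dims:
        found = _scaling_for(table["TableName"], dimension, scalable_targets, scaling_policies)
        if found is None:
            return False                              # provisioned mode without auto scaling
        min_capacity, target_value = found
        # Assumed comparison direction for the optional parameters (see lead-in).
        if min_key in params and min_capacity < params[min_key]:
            return False
        if util_key in params and target_value > params[util_key]:
            return False
    return True


def check_pitr(continuous_backups):                 # DynamoDB.2
    pitr = continuous_backups["ContinuousBackupsDescription"]["PointInTimeRecoveryDescription"]
    return pitr.get("PointInTimeRecoveryStatus") == "ENABLED"


def check_deletion_protection(table):               # DynamoDB.6
    return bool(table.get("DeletionProtectionEnabled"))


def check_dax_in_transit(dax_cluster):              # DynamoDB.7
    return dax_cluster.get("ClusterEndpointEncryptionType") == "TLS"


# Constructed samples: a provisioned table with target-tracking auto scaling on both
# dimensions, PITR left disabled, no deletion protection, and a DAX cluster without TLS.
SAMPLE_TABLE = {
    "TableName": "orders",                          # made-up name
    "BillingModeSummary": {"BillingMode": "PROVISIONED"},
    "ProvisionedThroughput": {"ReadCapacityUnits": 5, "WriteCapacityUnits": 5},
    "DeletionProtectionEnabled": False,
}
SAMPLE_TARGETS = [
    {"ResourceId": "table/orders", "ScalableDimension": READ_DIM, "MinCapacity": 5, "MaxCapacity": 100},
    {"ResourceId": "table/orders", "ScalableDimension": WRITE_DIM, "MinCapacity": 5, "MaxCapacity": 100},
]
SAMPLE_POLICIES = [
    {"ResourceId": "table/orders", "ScalableDimension": READ_DIM,
     "TargetTrackingScalingPolicyConfiguration": {"TargetValue": 70.0}},
    {"ResourceId": "table/orders", "ScalableDimension": WRITE_DIM,
     "TargetTrackingScalingPolicyConfiguration": {"TargetValue": 70.0}},
]
SAMPLE_BACKUPS = {"ContinuousBackupsDescription": {
    "ContinuousBackupsStatus": "ENABLED",
    "PointInTimeRecoveryDescription": {"PointInTimeRecoveryStatus": "DISABLED"}}}
SAMPLE_DAX = {"ClusterName": "orders-cache", "ClusterEndpointEncryptionType": "NONE"}  # made-up name


def evaluate_samples(params=None):
    """Return {control_id: "PASSED" | "FAILED"} for the constructed resources."""
    results = {
        "DynamoDB.1": check_autoscaling(SAMPLE_TABLE, SAMPLE_TARGETS, SAMPLE_POLICIES, params),
        "DynamoDB.2": check_pitr(SAMPLE_BACKUPS),
        "DynamoDB.6": check_deletion_protection(SAMPLE_TABLE),
        "DynamoDB.7": check_dax_in_transit(SAMPLE_DAX),
    }
    return {k: "PASSED" if ok else "FAILED" for k, ok in results.items()}


if __name__ == "__main__":
    for control, status in evaluate_samples({"minProvisionedReadCapacity": 10}).items():
        print(control, status)
```

Without parameters the sample table passes DynamoDB.1 because auto scaling is configured; with `minProvisionedReadCapacity` set to 10 it fails, since the read scaling target's minimum is 5.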

### Remediation


You can't change the TLS encryption setting after creating a DAX cluster. To encrypt an existing DAX cluster, create a new cluster with encryption in transit enabled, shift your application's traffic to it, and then delete the old cluster. For more information, see [Using deletion protection](https://docs.amazonaws.cn/amazondynamodb/latest/developerguide/WorkingWithTables.Basics.html#WorkingWithTables.Basics.DeletionProtection) in the *Amazon DynamoDB Developer Guide*.

# Security Hub CSPM controls for Amazon EC2
Amazon EC2 controls

These Amazon Security Hub CSPM controls evaluate the Amazon Elastic Compute Cloud (Amazon EC2) service and resources. The controls might not be available in all Amazon Web Services Regions. For more information, see [Availability of controls by Region](securityhub-regions.md#securityhub-regions-control-support).

## [EC2.1] Amazon EBS snapshots should not be configured to be publicly restorable


**Related requirements:** PCI DSS v3.2.1/1.2.1, PCI DSS v3.2.1/1.3.1, PCI DSS v3.2.1/1.3.4, PCI DSS v3.2.1/7.2.1, NIST.800-53.r5 AC-21, NIST.800-53.r5 AC-3, NIST.800-53.r5 AC-3(7), NIST.800-53.r5 AC-4, NIST.800-53.r5 AC-4(21), NIST.800-53.r5 AC-6, NIST.800-53.r5 SC-7, NIST.800-53.r5 SC-7(11), NIST.800-53.r5 SC-7(16), NIST.800-53.r5 SC-7(20), NIST.800-53.r5 SC-7(21), NIST.800-53.r5 SC-7(3), NIST.800-53.r5 SC-7(4), NIST.800-53.r5 SC-7(9)

**Category:** Protect > Secure network configuration

**Severity:** Critical 

**Resource type:** `AWS::::Account`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/ebs-snapshot-public-restorable-check.html](https://docs.amazonaws.cn/config/latest/developerguide/ebs-snapshot-public-restorable-check.html)

**Schedule type:** Periodic

**Parameters:** None

This control checks whether Amazon Elastic Block Store snapshots are configured to be publicly restorable. The control fails if Amazon EBS snapshots are configured to be restorable by all.

EBS snapshots are used to back up the data on your EBS volumes to Amazon S3 at a specific point in time. You can use the snapshots to restore previous states of EBS volumes. It is rarely acceptable to share a snapshot with the public. Typically the decision to share a snapshot publicly was made in error or without a complete understanding of the implications. This check helps ensure that all such sharing was fully planned and intentional.

### Remediation


To make a public EBS snapshot private, see [Share a snapshot](https://docs.amazonaws.cn/AWSEC2/latest/UserGuide/ebs-modifying-snapshot-permissions.html#share-unencrypted-snapshot) in the *Amazon EC2 User Guide*. For **Actions, Modify permissions**, choose **Private**.

## [EC2.2] VPC default security groups should not allow inbound or outbound traffic


**Related requirements:** CIS Amazon Foundations Benchmark v5.0.0/5.5, PCI DSS v3.2.1/1.2.1, PCI DSS v3.2.1/1.3.4, PCI DSS v3.2.1/2.1, CIS Amazon Foundations Benchmark v1.2.0/4.3, CIS Amazon Foundations Benchmark v1.4.0/5.3, CIS Amazon Foundations Benchmark v3.0.0/5.4, NIST.800-53.r5 AC-4, NIST.800-53.r5 AC-4(21), NIST.800-53.r5 SC-7, NIST.800-53.r5 SC-7(11), NIST.800-53.r5 SC-7(16), NIST.800-53.r5 SC-7(21), NIST.800-53.r5 SC-7(4), NIST.800-53.r5 SC-7(5)

**Category:** Protect > Secure network configuration

**Severity:** High 

**Resource type:** `AWS::EC2::SecurityGroup`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/vpc-default-security-group-closed.html](https://docs.amazonaws.cn/config/latest/developerguide/vpc-default-security-group-closed.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether the default security group of a VPC allows inbound or outbound traffic. The control fails if the security group allows inbound or outbound traffic.

The rules for the [default security group](https://docs.amazonaws.cn/vpc/latest/userguide/default-security-group.html) allow all outbound and inbound traffic from network interfaces (and their associated instances) that are assigned to the same security group. We recommend that you don't use the default security group. Because the default security group cannot be deleted, you should change the default security group rules setting to restrict inbound and outbound traffic. This prevents unintended traffic if the default security group is accidentally configured for resources such as EC2 instances.

### Remediation


To remediate this issue, start by creating new least-privilege security groups. For instructions, see [Create a security group](https://docs.amazonaws.cn/vpc/latest/userguide/security-groups.html#creating-security-groups) in the *Amazon VPC User Guide*. Then, assign the new security groups to your EC2 instances. For instructions, see [Change an instance's security group](https://docs.amazonaws.cn/AWSEC2/latest/UserGuide/working-with-security-groups.html#changing-security-group) in the *Amazon EC2 User Guide*.

After you assign the new security groups to your resources, remove all inbound and outbound rules from the default security groups. For instructions, see [Configure security group rules](https://docs.amazonaws.cn/vpc/latest/userguide/working-with-security-group-rules.html) in the *Amazon VPC User Guide*.

## [EC2.3] Attached Amazon EBS volumes should be encrypted at-rest


**Related requirements:** NIST.800-53.r5 CA-9(1), NIST.800-53.r5 CM-3(6), NIST.800-53.r5 SC-13, NIST.800-53.r5 SC-28, NIST.800-53.r5 SC-28(1), NIST.800-53.r5 SC-7(10), NIST.800-53.r5 SI-7(6)

**Category:** Protect > Data Protection > Encryption of data-at-rest

**Severity:** Medium

**Resource type:** `AWS::EC2::Volume`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/encrypted-volumes.html](https://docs.amazonaws.cn/config/latest/developerguide/encrypted-volumes.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether the EBS volumes that are in an attached state are encrypted. To pass this check, EBS volumes must be in use and encrypted. If the EBS volume is not attached, then it is not subject to this check.

For an added layer of security of your sensitive data in EBS volumes, you should enable EBS encryption at rest. Amazon EBS encryption offers a straightforward encryption solution for your EBS resources that doesn't require you to build, maintain, and secure your own key management infrastructure. It uses KMS keys when creating encrypted volumes and snapshots.

To learn more about Amazon EBS encryption, see [Amazon EBS encryption](https://docs.amazonaws.cn/AWSEC2/latest/UserGuide/EBSEncryption.html) in the *Amazon EC2 User Guide*.

### Remediation


There's no direct way to encrypt an existing unencrypted volume or snapshot. You can only encrypt a new volume or snapshot when you create it.

If you enabled encryption by default, Amazon EBS encrypts the resulting new volume or snapshot using your default key for Amazon EBS encryption. Even if you have not enabled encryption by default, you can enable encryption when you create an individual volume or snapshot. In both cases, you can override the default key for Amazon EBS encryption and choose a symmetric customer managed key.

For more information, see [Creating an Amazon EBS volume](https://docs.amazonaws.cn/AWSEC2/latest/UserGuide/ebs-creating-volume.html) and [Copying an Amazon EBS snapshot](https://docs.amazonaws.cn/AWSEC2/latest/UserGuide/ebs-copy-snapshot.html) in the *Amazon EC2 User Guide*.

## [EC2.4] Stopped EC2 instances should be removed after a specified time period


**Related requirements:** NIST.800-53.r5 CA-9(1), NIST.800-53.r5 CM-2, NIST.800-53.r5 CM-2(2)

**Category:** Identify > Inventory

**Severity:** Medium

**Resource type:** `AWS::EC2::Instance`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/ec2-stopped-instance.html](https://docs.amazonaws.cn/config/latest/developerguide/ec2-stopped-instance.html)

**Schedule type:** Periodic

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  `AllowedDays`  |  Number of days the EC2 instance is allowed to be in a stopped state before generating a failed finding.  |  Integer  |  `1` to `365`  |  `30`  | 

This control checks whether an Amazon EC2 instance has been stopped for longer than the allowed number of days. The control fails if an EC2 instance is stopped for longer than the maximum allowed time period. Unless you provide a custom parameter value for the maximum allowed time period, Security Hub CSPM uses a default value of 30 days.

When an EC2 instance has not run for a significant period of time, it creates a security risk because the instance is not being actively maintained (analyzed, patched, updated). If it is later launched, the lack of proper maintenance could result in unexpected issues in your Amazon environment. To safely maintain an EC2 instance over time in an inactive state, start it periodically for maintenance and then stop it after maintenance. Ideally, this should be an automated process.

### Remediation


To terminate an inactive EC2 instance, see [Terminate an instance](https://docs.amazonaws.cn/AWSEC2/latest/UserGuide/terminating-instances.html#terminating-instances-console) in the *Amazon EC2 User Guide*.

## [EC2.6] VPC flow logging should be enabled in all VPCs


**Related requirements:** CIS Amazon Foundations Benchmark v5.0.0/3.7, CIS Amazon Foundations Benchmark v1.2.0/2.9, CIS Amazon Foundations Benchmark v1.4.0/3.9, CIS Amazon Foundations Benchmark v3.0.0/3.7, NIST.800-53.r5 AC-4(26), NIST.800-53.r5 AU-12, NIST.800-53.r5 AU-2, NIST.800-53.r5 AU-3, NIST.800-53.r5 AU-6(3), NIST.800-53.r5 AU-6(4), NIST.800-53.r5 CA-7, NIST.800-53.r5 SI-7(8), NIST.800-171.r2 3.1.20, NIST.800-171.r2 3.3.1, NIST.800-171.r2 3.13.1, PCI DSS v3.2.1/10.3.3, PCI DSS v3.2.1/10.3.4, PCI DSS v3.2.1/10.3.5, PCI DSS v3.2.1/10.3.6

**Category:** Identify > Logging

**Severity:** Medium

**Resource type:** `AWS::EC2::VPC`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/vpc-flow-logs-enabled.html](https://docs.amazonaws.cn/config/latest/developerguide/vpc-flow-logs-enabled.html)

**Schedule type:** Periodic

**Parameters:**
+ `trafficType`: `REJECT` (not customizable)

This control checks whether Amazon VPC Flow Logs are found and enabled for VPCs. The traffic type is set to `Reject`. The control fails if VPC Flow Logs aren't enabled for VPCs in your account.

**Note**  
This control doesn't check whether Amazon VPC Flow Logs are enabled through Amazon Security Lake for the Amazon Web Services account.

With the VPC Flow Logs feature, you can capture information about the IP address traffic going to and from network interfaces in your VPC. After you create a flow log, you can view and retrieve its data in CloudWatch Logs. To reduce cost, you can also send your flow logs to Amazon S3. 

Security Hub CSPM recommends that you enable flow logging for packet rejects for VPCs. Flow logs provide visibility into network traffic that traverses the VPC and can detect anomalous traffic or provide insight during security workflows.

By default, the record includes values for the different components of the IP address flow, including the source, destination, and protocol. For more information and descriptions of the log fields, see [VPC Flow Logs](https://docs.amazonaws.cn/vpc/latest/userguide/flow-logs.html) in the *Amazon VPC User Guide*.
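The description above notes that flow logs of rejected traffic can surface anomalous activity. The following added example, which is not part of the Security Hub CSPM documentation or any Amazon tooling, parses a handful of constructed records in the default flow log format (`version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status`) and summarises which sources are being refused on the remote administration ports. The account ID, ENI ID and addresses are placeholders.

```python
"""Summarise REJECT records from VPC Flow Logs to see which sources and
destination ports are being refused by security groups and network ACLs.

Added example, not part of the Security Hub CSPM documentation or Amazon's
tooling. The records below are constructed and follow the default flow log
record format:
  version account-id interface-id srcaddr dstaddr srcport dstport protocol
  packets bytes start end action log-status
"""
from collections import Counter

FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
          "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log_status"]

# Constructed sample: three rejected probes from one source, one accepted HTTPS
# connection, and one NODATA record (no traffic in the window, fields are "-").
SAMPLE_RECORDS = """\
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.7 10.0.1.5 51234 22 6 1 44 1700000000 1700000059 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.7 10.0.1.5 51235 22 6 1 44 1700000000 1700000059 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.7 10.0.1.5 51236 3389 6 1 44 1700000000 1700000059 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.9 10.0.1.5 40000 443 6 12 3000 1700000000 1700000059 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 - - - - - - - 1700000000 1700000059 - NODATA
"""


def parse_record(line):
    """Return a dict for one record, or None for NODATA/SKIPDATA or malformed lines."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    record = dict(zip(FIELDS, parts))
    if record["log_status"] != "OK":
        return None  # NODATA / SKIPDATA records carry no usable traffic fields
    for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
        record[key] = int(record[key])
    return record


def reject_counts(text):
    """Count REJECT records per (source address, destination port)."""
    counts = Counter()
    for line in text.splitlines():
        record = parse_record(line)
        if record and record["action"] == "REJECT":
            counts[(record["srcaddr"], record["dstport"])] += 1
    return counts


def sources_probing_ports(text, ports=(22, 3389), threshold=2):
    """Source addresses with at least `threshold` rejected packets to any of `ports`."""
    per_source = Counter()
    for (src, dport), n in reject_counts(text).items():
        if dport in ports:
            per_source[src] += n
    return sorted(src for src, n in per_source.items() if n >= threshold)


if __name__ == "__main__":
    for (src, dport), n in reject_counts(SAMPLE_RECORDS).most_common():
        print(f"{src:>15} -> port {dport:<5} rejected {n}x")
    print("sources probing admin ports:", sources_probing_ports(SAMPLE_RECORDS))
```

The parser drops NODATA and SKIPDATA records before converting numeric fields, which is the usual failure point when these logs are processed naively. If your flow logs use a custom format, adjust `FIELDS` to match the field order you configured.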

### Remediation


To create a VPC Flow Log, see [Create a Flow Log](https://docs.amazonaws.cn/vpc/latest/userguide/working-with-flow-logs.html#create-flow-log) in the *Amazon VPC User Guide*. After you open the Amazon VPC console, choose **Your VPCs**. For **Filter**, choose **Reject** or **All**.

## [EC2.7] EBS default encryption should be enabled


**Related requirements:** CIS Amazon Foundations Benchmark v5.0.0/5.1.1, CIS Amazon Foundations Benchmark v1.4.0/2.2.1, CIS Amazon Foundations Benchmark v3.0.0/2.2.1, NIST.800-53.r5 CA-9(1), NIST.800-53.r5 CM-3(6), NIST.800-53.r5 SC-13, NIST.800-53.r5 SC-28, NIST.800-53.r5 SC-28(1), NIST.800-53.r5 SC-7(10), NIST.800-53.r5 SI-7(6)

**Category:** Protect > Data Protection > Encryption of data-at-rest

**Severity:** Medium

**Resource type:** `AWS::::Account`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/ec2-ebs-encryption-by-default.html](https://docs.amazonaws.cn/config/latest/developerguide/ec2-ebs-encryption-by-default.html)

**Schedule type:** Periodic

**Parameters:** None

This control checks whether account-level encryption is enabled by default for Amazon Elastic Block Store (Amazon EBS) volumes. The control fails if the account level encryption isn't enabled for EBS volumes. 

When encryption is enabled for your account, Amazon EBS volumes and snapshot copies are encrypted at rest. This adds an additional layer of protection for your data. For more information, see [Encryption by default](https://docs.amazonaws.cn/AWSEC2/latest/UserGuide/EBSEncryption.html#encryption-by-default) in the *Amazon EC2 User Guide*.

### Remediation


To configure default encryption for Amazon EBS volumes, see [Encryption by default](https://docs.amazonaws.cn/AWSEC2/latest/UserGuide/EBSEncryption.html#encryption-by-default) in the *Amazon EC2 User Guide*.

## [EC2.8] EC2 instances should use Instance Metadata Service Version 2 (IMDSv2)


**Related requirements:** CIS Amazon Foundations Benchmark v5.0.0/5.7, CIS Amazon Foundations Benchmark v3.0.0/5.6, NIST.800-53.r5 AC-3, NIST.800-53.r5 AC-3(15), NIST.800-53.r5 AC-3(7), NIST.800-53.r5 AC-6, PCI DSS v4.0.1/2.2.6

**Category:** Protect > Network Security

**Severity:** High

**Resource type:** `AWS::EC2::Instance`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/ec2-imdsv2-check.html](https://docs.amazonaws.cn/config/latest/developerguide/ec2-imdsv2-check.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether your EC2 instance metadata version is configured with Instance Metadata Service Version 2 (IMDSv2). The control passes if `HttpTokens` is set to `required` for IMDSv2. The control fails if `HttpTokens` is set to `optional`.

You use instance metadata to configure or manage the running instance. The IMDS provides access to temporary, frequently rotated credentials. These credentials remove the need to hard code or distribute sensitive credentials to instances manually or programmatically. The IMDS is attached locally to every EC2 instance. It runs on a special "link local" IP address of 169.254.169.254. This IP address is only accessible by software that runs on the instance.

Version 2 of the IMDS adds new protections for the following types of vulnerabilities. These vulnerabilities could be used to try to access the IMDS.
+ Open website application firewalls
+ Open reverse proxies
+ Server-side request forgery (SSRF) vulnerabilities
+ Open Layer 3 firewalls and network address translation (NAT)

Security Hub CSPM recommends that you configure your EC2 instances with IMDSv2.

### Remediation


To configure EC2 instances with IMDSv2, see [Recommended path to requiring IMDSv2](https://docs.amazonaws.cn/AWSEC2/latest/UserGuide/instance-metadata-transition-to-version-2.html#recommended-path-for-requiring-imdsv2) in the *Amazon EC2 User Guide*.

## [EC2.9] Amazon EC2 instances should not have a public IPv4 address


**Related requirements:** NIST.800-53.r5 AC-21, NIST.800-53.r5 AC-3, NIST.800-53.r5 AC-3(7), NIST.800-53.r5 AC-4, NIST.800-53.r5 AC-4(21), NIST.800-53.r5 AC-6, NIST.800-53.r5 SC-7, NIST.800-53.r5 SC-7(11), NIST.800-53.r5 SC-7(16), NIST.800-53.r5 SC-7(20), NIST.800-53.r5 SC-7(21), NIST.800-53.r5 SC-7(3), NIST.800-53.r5 SC-7(4), NIST.800-53.r5 SC-7(9)

**Category:** Protect > Secure network configuration > Resources not publicly accessible

**Severity:** High

**Resource type:** `AWS::EC2::Instance`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/ec2-instance-no-public-ip.html](https://docs.amazonaws.cn/config/latest/developerguide/ec2-instance-no-public-ip.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether EC2 instances have a public IP address. The control fails if the `publicIp` field is present in the EC2 instance configuration item. This control applies to IPv4 addresses only. 

A public IPv4 address is an IP address that is reachable from the internet. If you launch your instance with a public IP address, then your EC2 instance is reachable from the internet. A private IPv4 address is an IP address that is not reachable from the internet. You can use private IPv4 addresses for communication between EC2 instances in the same VPC or in your connected private network.

IPv6 addresses are globally unique, and therefore are reachable from the internet. However, by default all subnets have the IPv6 addressing attribute set to false. For more information about IPv6, see [IP addressing in your VPC](https://docs.amazonaws.cn/vpc/latest/userguide/vpc-ip-addressing.html) in the *Amazon VPC User Guide*.

If you have a legitimate use case to maintain EC2 instances with public IP addresses, then you can suppress the findings from this control. For more information about front-end architecture options, see the [Amazon Architecture Blog](https://amazonaws-china.com/blogs/architecture/) or the [This Is My Architecture series](https://www.amazonaws.cn/this-is-my-architecture/?tma.sort-by=item.additionalFields.airDate&tma.sort-order=desc&awsf.category=categories%23mobile) Amazon video series.

### Remediation


Use a non-default VPC so that your instance isn't assigned a public IP address by default.

When you launch an EC2 instance into a default VPC, it is assigned a public IP address. When you launch an EC2 instance into a non-default VPC, the subnet configuration determines whether it receives a public IP address. The subnet has an attribute to determine if new EC2 instances in the subnet receive a public IP address from the public IPv4 address pool.

You can disassociate an automatically-assigned public IP address from your EC2 instance. For more information, see [Public IPv4 addresses and external DNS hostnames](https://docs.amazonaws.cn/AWSEC2/latest/UserGuide/using-instance-addressing.html#concepts-public-addresses) in the *Amazon EC2 User Guide*.

## [EC2.10] Amazon EC2 should be configured to use VPC endpoints that are created for the Amazon EC2 service


**Related requirements:** NIST.800-53.r5 AC-21, NIST.800-53.r5 AC-3, NIST.800-53.r5 AC-3(7), NIST.800-53.r5 AC-4, NIST.800-53.r5 AC-4(21), NIST.800-53.r5 AC-6, NIST.800-53.r5 SC-7, NIST.800-53.r5 SC-7(11), NIST.800-53.r5 SC-7(16), NIST.800-53.r5 SC-7(20), NIST.800-53.r5 SC-7(21), NIST.800-53.r5 SC-7(3), NIST.800-53.r5 SC-7(4), NIST.800-171.r2 3.1.3, NIST.800-171.r2 3.13.1

**Category:** Protect > Secure network configuration > API private access

**Severity:** Medium

**Resource type:** `AWS::EC2::VPC`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/service-vpc-endpoint-enabled.html](https://docs.amazonaws.cn/config/latest/developerguide/service-vpc-endpoint-enabled.html)

**Schedule type:** Periodic

**Parameters:** 
+ `serviceName`: `ec2` (not customizable)

This control checks whether a service endpoint for Amazon EC2 is created for each VPC. The control fails if a VPC does not have a VPC endpoint created for the Amazon EC2 service. 

This control evaluates resources in a single account. It cannot describe resources that are outside of the account. Because Amazon Config and Security Hub CSPM do not conduct cross-account checks, you will see `FAILED` findings for VPCs that are shared across accounts. Security Hub CSPM recommends that you suppress these `FAILED` findings.

To improve the security posture of your VPC, you can configure Amazon EC2 to use an interface VPC endpoint. Interface endpoints are powered by Amazon PrivateLink, a technology that enables you to access Amazon EC2 API operations privately. It restricts all network traffic between your VPC and Amazon EC2 to the Amazon network. Because endpoints are supported within the same Region only, you cannot create an endpoint between a VPC and a service in a different Region. This prevents unintended Amazon EC2 API calls to other Regions. 

To learn more about creating VPC endpoints for Amazon EC2, see [Amazon EC2 and interface VPC endpoints](https://docs.amazonaws.cn/AWSEC2/latest/UserGuide/interface-vpc-endpoints.html) in the *Amazon EC2 User Guide*.

### Remediation


To create an interface endpoint to Amazon EC2 from the Amazon VPC console, see [Create a VPC endpoint](https://docs.amazonaws.cn/vpc/latest/privatelink/create-interface-endpoint.html#create-interface-endpoint-aws) in the *Amazon PrivateLink Guide*. For **Service name**, choose **com.amazonaws.*region*.ec2**.

You can also create and attach an endpoint policy to your VPC endpoint to control access to the Amazon EC2 API. For instructions on creating a VPC endpoint policy, see [Create an endpoint policy](https://docs.amazonaws.cn/AWSEC2/latest/UserGuide/interface-vpc-endpoints.html#endpoint-policy) in the *Amazon EC2 User Guide*.

## [EC2.12] Unused Amazon EC2 EIPs should be removed


**Related requirements:** PCI DSS v3.2.1/2.4, NIST.800-53.r5 CM-8(1)

**Category:** Protect > Secure network configuration

**Severity:** Low

**Resource type:** `AWS::EC2::EIP`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/eip-attached.html](https://docs.amazonaws.cn/config/latest/developerguide/eip-attached.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether Elastic IP (EIP) addresses that are allocated to a VPC are attached to EC2 instances or in-use elastic network interfaces (ENIs).

A failed finding indicates that you may have unused EC2 EIPs.

This will help you maintain an accurate asset inventory of EIPs in your cardholder data environment (CDE).

### Remediation


To release an unused EIP, see [Release an Elastic IP address](https://docs.amazonaws.cn/AWSEC2/latest/UserGuide/elastic-ip-addresses-eip.html#using-instance-addressing-eips-releasing) in the *Amazon EC2 User Guide*.

## [EC2.13] Security groups should not allow ingress from 0.0.0.0/0 or ::/0 to port 22


**Related requirements:** CIS Amazon Foundations Benchmark v1.2.0/4.1, NIST.800-53.r5 AC-4, NIST.800-53.r5 AC-4(21), NIST.800-53.r5 CM-7, NIST.800-53.r5 SC-7, NIST.800-53.r5 SC-7(11), NIST.800-53.r5 SC-7(16), NIST.800-53.r5 SC-7(21), NIST.800-53.r5 SC-7(4), NIST.800-53.r5 SC-7(5), NIST.800-171.r2 3.1.3, NIST.800-171.r2 3.13.1, PCI DSS v3.2.1/1.2.1, PCI DSS v3.2.1/1.3.1, PCI DSS v3.2.1/2.2.2, PCI DSS v4.0.1/1.3.1

**Category:** Protect > Secure network configuration

**Severity:** High

**Resource type:** `AWS::EC2::SecurityGroup`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/restricted-ssh.html](https://docs.amazonaws.cn/config/latest/developerguide/restricted-ssh.html)

**Schedule type:** Change triggered and periodic

**Parameters:** None

This control checks whether an Amazon EC2 security group allows ingress from 0.0.0.0/0 or ::/0 to port 22. The control fails if the security group allows ingress from 0.0.0.0/0 or ::/0 to port 22.

Security groups provide stateful filtering of ingress and egress network traffic to Amazon resources. We recommend that no security group allow unrestricted ingress access to port 22. Removing unfettered connectivity to remote console services, such as SSH, reduces a server's exposure to risk.

### Remediation


To prohibit ingress to port 22, remove the rule that allows such access for each security group associated with a VPC. For instructions, see [Update security group rules](https://docs.amazonaws.cn/AWSEC2/latest/UserGuide/working-with-security-groups.html#updating-security-group-rules) in the *Amazon EC2 User Guide*. After selecting a security group in the Amazon EC2 console, choose **Actions, Edit inbound rules**. Remove the rule that allows access to port 22.

## [EC2.14] Security groups should not allow ingress from 0.0.0.0/0 or ::/0 to port 3389


**Related requirements:** CIS Amazon Foundations Benchmark v1.2.0/4.2, PCI DSS v4.0.1/1.3.1

**Category:** Protect > Secure network configuration

**Severity:** High

**Resource type:** `AWS::EC2::SecurityGroup`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/restricted-common-ports.html](https://docs.amazonaws.cn/config/latest/developerguide/restricted-common-ports.html) (created rule is `restricted-rdp`)

**Schedule type:** Change triggered and periodic

**Parameters:** None

This control checks whether an Amazon EC2 security group allows ingress from 0.0.0.0/0 or ::/0 to port 3389. The control fails if the security group allows ingress from 0.0.0.0/0 or ::/0 to port 3389.

Security groups provide stateful filtering of ingress and egress network traffic to Amazon resources. We recommend that no security group allow unrestricted ingress access to port 3389. Removing unfettered connectivity to remote console services, such as RDP, reduces a server's exposure to risk.

### Remediation


To prohibit ingress to port 3389, remove the rule that allows such access for each security group associated with a VPC. For instructions, see [Update security group rules](https://docs.amazonaws.cn/vpc/latest/userguide/security-group-rules.html#updating-security-group-rules) in the *Amazon VPC User Guide*. After selecting a security group in the Amazon VPC Console, choose **Actions, Edit inbound rules**. Remove the rule that allows access to port 3389.

## [EC2.15] Amazon EC2 subnets should not automatically assign public IP addresses


**Related requirements:** NIST.800-53.r5 AC-21, NIST.800-53.r5 AC-3, NIST.800-53.r5 AC-3(7), NIST.800-53.r5 AC-4, NIST.800-53.r5 AC-4(21), NIST.800-53.r5 AC-6, NIST.800-53.r5 SC-7, NIST.800-53.r5 SC-7(11), NIST.800-53.r5 SC-7(16), NIST.800-53.r5 SC-7(20), NIST.800-53.r5 SC-7(21), NIST.800-53.r5 SC-7(3), NIST.800-53.r5 SC-7(4), NIST.800-53.r5 SC-7(9), PCI DSS v4.0.1/1.4.4

**Category:** Protect > Network Security

**Severity:** Medium

**Resource type:** `AWS::EC2::Subnet`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/subnet-auto-assign-public-ip-disabled.html](https://docs.amazonaws.cn/config/latest/developerguide/subnet-auto-assign-public-ip-disabled.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether an Amazon Virtual Private Cloud (Amazon VPC) subnet is configured to automatically assign public IP addresses. The control fails if the subnet is configured to automatically assign public IPv4 or IPv6 addresses.

Subnets have attributes that determine whether network interfaces automatically receive public IPv4 and IPv6 addresses. For IPv4, this attribute is set to `TRUE` for default subnets and `FALSE` for nondefault subnets (with an exception for nondefault subnets created through the EC2 launch instance wizard, where it's set to `TRUE`). For IPv6, this attribute is set to `FALSE` for all subnets by default. When these attributes are enabled, instances launched in the subnet automatically receive the corresponding IP addresses (IPv4 or IPv6) on their primary network interface.

### Remediation


To configure a subnet to not assign public IP addresses, see [Modify the IP addressing attributes of your subnet](https://docs.amazonaws.cn/vpc/latest/userguide/subnet-public-ip.html) in the *Amazon VPC User Guide*.

## [EC2.16] Unused Network Access Control Lists should be removed


**Related requirements:** NIST.800-53.r5 CM-8(1), NIST.800-171.r2 3.4.7, PCI DSS v4.0.1/1.2.7

**Category:** Protect > Network Security

**Severity:** Low

**Resource type:** `AWS::EC2::NetworkAcl`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/vpc-network-acl-unused-check.html](https://docs.amazonaws.cn/config/latest/developerguide/vpc-network-acl-unused-check.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether there are any unused network access control lists (network ACLs) in your virtual private cloud (VPC). The control fails if the network ACL isn't associated with a subnet. The control doesn't generate findings for an unused default network ACL.

The control checks the item configuration of the resource `AWS::EC2::NetworkAcl` and determines the relationships of the network ACL.

If the only relationship is the VPC of the network ACL, the control fails.

If other relationships are listed, then the control passes.

### Remediation


For instructions on deleting an unused network ACL, see [Deleting a network ACL](https://docs.amazonaws.cn/vpc/latest/userguide/vpc-network-acls.html#DeleteNetworkACL) in the *Amazon VPC User Guide*. You can't delete the default network ACL or an ACL that is associated with subnets.

## [EC2.17] Amazon EC2 instances should not use multiple ENIs


**Related requirements:** NIST.800-53.r5 AC-4(21)

**Category:** Protect > Network Security

**Severity:** Low

**Resource type:** `AWS::EC2::Instance`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/ec2-instance-multiple-eni-check.html](https://docs.amazonaws.cn/config/latest/developerguide/ec2-instance-multiple-eni-check.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether an EC2 instance uses multiple Elastic Network Interfaces (ENIs) or Elastic Fabric Adapters (EFAs). This control passes if a single network adapter is used. The control includes an optional parameter list to identify the allowed ENIs. This control also fails if an EC2 instance that belongs to an Amazon EKS cluster uses more than one ENI. If your EC2 instances need to have multiple ENIs as part of an Amazon EKS cluster, you can suppress those control findings.

Multiple ENIs can cause dual-homed instances, meaning instances that have multiple subnets. This can add network security complexity and introduce unintended network paths and access.
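The instance-level controls on this page (EC2.4 stopped too long, EC2.8 IMDSv2, EC2.9 public IPv4 address, EC2.17 multiple ENIs) all read fields of the same EC2 DescribeInstances record. The following added example, which is not Security Hub CSPM's or Amazon Config's own code, applies the pass/fail logic each control describes to constructed instance descriptions in that shape. One assumption: the stop time used for EC2.4 is taken from the timestamp EC2 embeds in `StateTransitionReason` (for example `User initiated (2024-01-15 10:00:00 GMT)`); the page does not state how the control measures it. Instance and ENI IDs are placeholders.

```python
"""Offline evaluation of four instance-level Security Hub CSPM controls.

Added example, not Security Hub CSPM's or Amazon Config's own code. It applies
the pass/fail logic described for EC2.4, EC2.8, EC2.9 and EC2.17 to instance
descriptions in the shape returned by the EC2 DescribeInstances API. The sample
instances are constructed. Assumption: the stop time for EC2.4 is read from the
timestamp EC2 writes into StateTransitionReason.
"""
import re
from datetime import datetime, timezone

ALLOWED_DAYS = 30  # Security Hub CSPM default for EC2.4's AllowedDays parameter

# Matches the "(YYYY-MM-DD HH:MM:SS GMT)" suffix of StateTransitionReason
_STOP_TIME = re.compile(r"\((\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) GMT\)")


def stopped_days(instance, now):
    """Days the instance has been stopped, or None if not stopped or time unknown."""
    if instance.get("State", {}).get("Name") != "stopped":
        return None
    match = _STOP_TIME.search(instance.get("StateTransitionReason", ""))
    if not match:
        return None  # no parseable timestamp: report unknown rather than guess
    stopped_at = datetime.strptime(match.group(1), "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return (now - stopped_at).days


def evaluate_instance(instance, now, allowed_days=ALLOWED_DAYS):
    """Return {control_id: "PASSED" | "FAILED"}; EC2.4 is omitted when not applicable."""
    results = {}

    days = stopped_days(instance, now)
    if days is not None:  # EC2.4 only applies to stopped instances
        results["EC2.4"] = "FAILED" if days > allowed_days else "PASSED"

    # EC2.8: IMDSv2 must be required; "optional" still serves unauthenticated IMDSv1 requests
    tokens = instance.get("MetadataOptions", {}).get("HttpTokens")
    results["EC2.8"] = "PASSED" if tokens == "required" else "FAILED"

    # EC2.9: fails when a public IPv4 address is present (IPv6 is out of the control's scope)
    results["EC2.9"] = "FAILED" if instance.get("PublicIpAddress") else "PASSED"

    # EC2.17: more than one network interface makes the instance dual-homed
    results["EC2.17"] = "FAILED" if len(instance.get("NetworkInterfaces", [])) > 1 else "PASSED"
    return results


NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)  # constructed evaluation time

SAMPLE_INSTANCES = [  # constructed; identifiers are placeholders
    {
        "InstanceId": "i-0aaaaaaaaaaaaaaa1",
        "State": {"Name": "stopped"},
        "StateTransitionReason": "User initiated (2024-01-15 10:00:00 GMT)",
        "MetadataOptions": {"HttpTokens": "optional", "HttpEndpoint": "enabled"},
        "PublicIpAddress": "203.0.113.10",
        "NetworkInterfaces": [{"NetworkInterfaceId": "eni-0aaaaaaaaaaaaaaa1"},
                              {"NetworkInterfaceId": "eni-0aaaaaaaaaaaaaaa2"}],
    },
    {
        "InstanceId": "i-0bbbbbbbbbbbbbbb2",
        "State": {"Name": "running"},
        "StateTransitionReason": "",
        "MetadataOptions": {"HttpTokens": "required", "HttpEndpoint": "enabled"},
        "NetworkInterfaces": [{"NetworkInterfaceId": "eni-0bbbbbbbbbbbbbbb3"}],
    },
]


def evaluate_all(instances=SAMPLE_INSTANCES, now=NOW):
    """Map each instance ID to its control results."""
    return {i["InstanceId"]: evaluate_instance(i, now) for i in instances}


if __name__ == "__main__":
    for instance_id, results in evaluate_all().items():
        print(instance_id, results)
```

Passing a different `allowed_days` mirrors supplying a custom `AllowedDays` parameter to EC2.4; the first sample instance fails at the 30-day default and passes at 60.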

### Remediation


To detach a network interface from an EC2 instance, see [Detach a network interface from an instance](https://docs.amazonaws.cn/AWSEC2/latest/UserGuide/using-eni.html#detach_eni) in the *Amazon EC2 User Guide*.

## [EC2.18] Security groups should only allow unrestricted incoming traffic for authorized ports


**Related requirements:** NIST.800-53.r5 AC-4, NIST.800-53.r5 AC-4(21), NIST.800-53.r5 SC-7, NIST.800-53.r5 SC-7(11), NIST.800-53.r5 SC-7(16), NIST.800-53.r5 SC-7(21), NIST.800-53.r5 SC-7(4), NIST.800-53.r5 SC-7(5), NIST.800-171.r2 3.1.3, NIST.800-171.r2 3.1.20, NIST.800-171.r2 3.13.1

**Category:** Protect > Secure network configuration > Security group configuration

**Severity:** High

**Resource type:** `AWS::EC2::SecurityGroup`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/vpc-sg-open-only-to-authorized-ports.html](https://docs.amazonaws.cn/config/latest/developerguide/vpc-sg-open-only-to-authorized-ports.html)

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  `authorizedTcpPorts`  |  List of authorized TCP ports  |  IntegerList (minimum of 1 item and maximum of 32 items)  |  `1` to `65535`  |  `[80,443]`  | 
|  `authorizedUdpPorts`  |  List of authorized UDP ports  |  IntegerList (minimum of 1 item and maximum of 32 items)  |  `1` to `65535`  |  No default value  | 

This control checks whether an Amazon EC2 security group permits unrestricted incoming traffic from unauthorized ports. The control status is determined as follows:
+ If you use the default value for `authorizedTcpPorts`, the control fails if the security group permits unrestricted incoming traffic from any port other than ports 80 and 443.
+ If you provide custom values for `authorizedTcpPorts` or `authorizedUdpPorts`, the control fails if the security group permits unrestricted incoming traffic from any unlisted port.

Security groups provide stateful filtering of ingress and egress network traffic to Amazon resources. Security group rules should follow the principle of least privilege. Unrestricted access (an IP address range with a /0 suffix) increases the opportunity for malicious activity such as hacking, denial-of-service attacks, and loss of data. Unless a port is specifically allowed, the port should deny unrestricted access.

### Remediation


To modify a security group, see [Work with security groups](https://docs.amazonaws.cn/vpc/latest/userguide/working-with-security-groups.html) in the *Amazon VPC User Guide*.

## [EC2.19] Security groups should not allow unrestricted access to ports with high risk


**Related requirements:** NIST.800-53.r5 AC-4, NIST.800-53.r5 AC-4(21), NIST.800-53.r5 CA-9(1), NIST.800-53.r5 CM-2, NIST.800-53.r5 CM-2(2), NIST.800-53.r5 CM-7, NIST.800-53.r5 SC-7, NIST.800-53.r5 SC-7(11), NIST.800-53.r5 SC-7(16), NIST.800-53.r5 SC-7(21), NIST.800-53.r5 SC-7(4), NIST.800-53.r5 SC-7(5), NIST.800-171.r2 3.1.3, NIST.800-171.r2 3.1.20, NIST.800-171.r2 3.13.1

**Category:** Protect > Restricted network access

**Severity:** Critical

**Resource type:** `AWS::EC2::SecurityGroup`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/restricted-common-ports.html](https://docs.amazonaws.cn/config/latest/developerguide/restricted-common-ports.html) (created rule is `vpc-sg-restricted-common-ports`)

**Schedule type:** Change triggered and periodic

**Parameters:** `"blockedPorts": "20,21,22,23,25,110,135,143,445,1433,1434,3000,3306,3389,4333,5000,5432,5500,5601,8080,8088,8888,9200,9300"` (not customizable)

This control checks whether an Amazon EC2 security group allows unrestricted incoming traffic to the specified ports that are considered to be high risk. This control fails if any of the rules in a security group allow ingress traffic from '0.0.0.0/0' or '::/0' to those ports.

Security groups provide stateful filtering of ingress and egress network traffic to Amazon resources. Unrestricted access (0.0.0.0/0) increases opportunities for malicious activity, such as hacking, denial-of-service attacks, and loss of data. No security group should allow unrestricted ingress access to the following ports:
+ 20, 21 (FTP)
+ 22 (SSH)
+ 23 (Telnet)
+ 25 (SMTP)
+ 110 (POP3)
+ 135 (RPC)
+ 143 (IMAP)
+ 445 (CIFS)
+ 1433, 1434 (MSSQL)
+ 3000 (Go, Node.js, and Ruby web development frameworks)
+ 3306 (mySQL)
+ 3389 (RDP)
+ 4333 (ahsp)
+ 5000 (Python web development frameworks)
+ 5432 (postgresql)
+ 5500 (fcp-addr-srvr1) 
+ 5601 (OpenSearch Dashboards)
+ 8080 (proxy)
+ 8088 (legacy HTTP port)
+ 8888 (alternative HTTP port)
+ 9200 or 9300 (OpenSearch)
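EC2.13, EC2.14, EC2.18 and EC2.19 all reduce to the same question about a security group's ingress rules: which ports does a rule with a 0.0.0.0/0 or ::/0 source reach? The following added example, which is not Security Hub CSPM's or Amazon Config's own code, answers that question over constructed groups in the shape returned by the EC2 DescribeSecurityGroups API and then derives the four controls' pass/fail status from it. It also covers two cases that are easy to miss when reading rules by hand: an `IpProtocol` of `-1` (all traffic) exposes every port, and a port range exposes every port inside it. Assumptions beyond the page: with no `authorizedUdpPorts` value, any world-open UDP range fails EC2.18. Group IDs are placeholders.

```python
"""Evaluate security group ingress rules for ports open to the whole internet.

Added example, not Security Hub CSPM's or Amazon Config's own code. It applies
the logic described for EC2.13, EC2.14, EC2.18 and EC2.19 to groups in the
shape returned by the EC2 DescribeSecurityGroups API. Sample groups are
constructed. Assumptions: IpProtocol "-1" exposes every TCP and UDP port, a port
range exposes every port inside it, and with no authorizedUdpPorts any
world-open UDP range fails EC2.18.
"""
UNRESTRICTED = {"0.0.0.0/0", "::/0"}

# blockedPorts of EC2.19, as listed on this page
HIGH_RISK_PORTS = {20, 21, 22, 23, 25, 110, 135, 143, 445, 1433, 1434, 3000, 3306,
                   3389, 4333, 5000, 5432, 5500, 5601, 8080, 8088, 8888, 9200, 9300}


def _unrestricted(perm):
    """True if the rule's source includes 0.0.0.0/0 or ::/0."""
    return any(r.get("CidrIp") in UNRESTRICTED for r in perm.get("IpRanges", [])) or any(
        r.get("CidrIpv6") in UNRESTRICTED for r in perm.get("Ipv6Ranges", []))


def world_open_ranges(sg):
    """Yield (protocol, from_port, to_port) for each ingress rule reachable from anywhere."""
    for perm in sg.get("IpPermissions", []):
        if not _unrestricted(perm):
            continue
        proto = perm.get("IpProtocol")
        if proto == "-1":  # "All traffic": every port on every protocol
            yield ("tcp", 1, 65535)
            yield ("udp", 1, 65535)
        elif proto in ("tcp", "udp"):
            yield (proto, perm["FromPort"], perm["ToPort"])
        # icmp and raw protocol numbers carry no TCP/UDP port and are out of scope here


def port_open_to_world(sg, port, protocol="tcp"):
    """True if any world-open rule covers `port` over `protocol`."""
    return any(p == protocol and lo <= port <= hi for p, lo, hi in world_open_ranges(sg))


def has_unauthorized_open_port(sg, authorized_tcp, authorized_udp):
    """EC2.18: a world-open range is acceptable only if every port in it is authorized."""
    allowed = {"tcp": set(authorized_tcp), "udp": set(authorized_udp)}
    for proto, lo, hi in world_open_ranges(sg):
        authorized_inside = sum(1 for p in allowed[proto] if lo <= p <= hi)
        if hi - lo + 1 > authorized_inside:
            return True
    return False


def evaluate_security_group(sg, authorized_tcp=(80, 443), authorized_udp=()):
    """Return {control_id: "PASSED" | "FAILED"} using this page's default parameters."""
    return {
        "EC2.13": "FAILED" if port_open_to_world(sg, 22) else "PASSED",
        "EC2.14": "FAILED" if port_open_to_world(sg, 3389) else "PASSED",
        "EC2.18": "FAILED" if has_unauthorized_open_port(sg, authorized_tcp, authorized_udp) else "PASSED",
        "EC2.19": "FAILED" if any(port_open_to_world(sg, p) for p in HIGH_RISK_PORTS) else "PASSED",
    }


SAMPLE_GROUPS = {  # constructed; names stand in for security group IDs
    "sg-web": {"IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
    "sg-bastion": {"IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]},
    "sg-range": {"IpPermissions": [  # a wide range hides 3000, 3306 and 3389 inside it
        {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 4000,
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
    "sg-internal": {"IpPermissions": [  # all traffic, but only from the private range
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
    ]},
}


def evaluate_all(groups=SAMPLE_GROUPS):
    return {name: evaluate_security_group(sg) for name, sg in groups.items()}


if __name__ == "__main__":
    for name, results in evaluate_all().items():
        print(name, results)
```

Note that `sg-internal` allows all traffic yet passes every control, because the source is a private range rather than /0; the controls on this page are about unrestricted sources, not about wide port ranges as such.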

### Remediation


To delete rules from a security group, see [Delete rules from a security group](https://docs.amazonaws.cn/AWSEC2/latest/UserGuide/working-with-security-groups.html#deleting-security-group-rule) in the *Amazon EC2 User Guide*.

## [EC2.20] Both VPN tunnels for an Amazon Site-to-Site VPN connection should be up


**Related requirements:** NIST.800-53.r5 CP-10, NIST.800-53.r5 CP-6(2), NIST.800-53.r5 SC-36, NIST.800-53.r5 SC-5(2), NIST.800-53.r5 SI-13(5), NIST.800-171.r2 3.1.13, NIST.800-171.r2 3.1.20

**Category:** Recover > Resilience > High availability

**Severity:** Medium 

**Resource type:** `AWS::EC2::VPNConnection`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/vpc-vpn-2-tunnels-up.html](https://docs.amazonaws.cn/config/latest/developerguide/vpc-vpn-2-tunnels-up.html)

**Schedule type:** Change triggered

**Parameters:** None

A VPN tunnel is an encrypted link where data can pass from the customer network to or from Amazon within an Amazon Site-to-Site VPN connection. Each VPN connection includes two VPN tunnels, which you can use simultaneously for high availability. Ensuring that both VPN tunnels are up for a VPN connection is important for confirming a secure and highly available connection between an Amazon VPC and your remote network.

This control checks that both VPN tunnels provided by Amazon Site-to-Site VPN are in UP status. The control fails if one or both tunnels are in DOWN status.

### Remediation


To modify VPN tunnel options, see [Modifying Site-to-Site VPN tunnel options](https://docs.amazonaws.cn/vpn/latest/s2svpn/modify-vpn-tunnel-options.html) in the *Amazon Site-to-Site VPN User Guide*.

## [EC2.21] Network ACLs should not allow ingress from 0.0.0.0/0 to port 22 or port 3389


**Related requirements:** CIS Amazon Foundations Benchmark v5.0.0/5.2, CIS Amazon Foundations Benchmark v1.4.0/5.1, CIS Amazon Foundations Benchmark v3.0.0/5.1, NIST.800-53.r5 AC-4(21), NIST.800-53.r5 CA-9(1), NIST.800-53.r5 CM-2, NIST.800-53.r5 CM-2(2), NIST.800-53.r5 CM-7, NIST.800-53.r5 SC-7, NIST.800-53.r5 SC-7(21), NIST.800-53.r5 SC-7(5), NIST.800-171.r2 3.1.3, NIST.800-171.r2 3.1.20, NIST.800-171.r2 3.13.1, PCI DSS v4.0.1/1.3.1

**Category:** Protect > Secure Network Configuration

**Severity:** Medium 

**Resource type:** `AWS::EC2::NetworkAcl`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/nacl-no-unrestricted-ssh-rdp.html](https://docs.amazonaws.cn/config/latest/developerguide/nacl-no-unrestricted-ssh-rdp.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether a network access control list (network ACL) allows unrestricted access to the default TCP ports for SSH/RDP ingress traffic. The control fails if the network ACL inbound entry allows a source CIDR block of '0.0.0.0/0' or '::/0' for TCP ports 22 or 3389. The control doesn't generate findings for a default network ACL.

Access to remote server administration ports, such as port 22 (SSH) and port 3389 (RDP), should not be publicly accessible, as this may allow unintended access to resources within your VPC.
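Network ACL entries have a different shape from security group rules (protocol numbers as strings, an `Egress` flag, a `PortRange`, and a rule number), so the EC2.21 check is worth showing on its own. The following added example, which is not Security Hub CSPM's or Amazon Config's own code, applies the per-entry logic described above to constructed ACLs in the shape returned by the EC2 DescribeNetworkAcls API, skipping default ACLs as the control does. Assumptions beyond the page: a `Protocol` of `-1` (all) exposes every port, and a TCP entry without a `PortRange` is treated as covering all ports. ACL names stand in for IDs.

```python
"""Check network ACL inbound entries for SSH/RDP open to the world (EC2.21).

Added example, not Security Hub CSPM's or Amazon Config's own code. Entries are
in the shape returned by the EC2 DescribeNetworkAcls API; the sample ACLs are
constructed. Assumptions: Protocol "-1" (all) exposes every port, and a TCP
entry without a PortRange is treated as covering all ports.
"""
ADMIN_PORTS = (22, 3389)
UNRESTRICTED = {"0.0.0.0/0", "::/0"}
TCP = "6"  # network ACL entries carry IANA protocol numbers as strings


def entry_exposes_admin_port(entry):
    """True for an inbound allow entry from /0 that covers port 22 or 3389 over TCP."""
    if entry.get("Egress") or entry.get("RuleAction") != "allow":
        return False
    if (entry.get("CidrBlock") not in UNRESTRICTED
            and entry.get("Ipv6CidrBlock") not in UNRESTRICTED):
        return False
    proto = entry.get("Protocol")
    if proto == "-1":
        return True  # all protocols, all ports
    if proto != TCP:
        return False
    port_range = entry.get("PortRange")
    if not port_range:
        return True  # assumption: TCP with no range means every TCP port
    return any(port_range["From"] <= p <= port_range["To"] for p in ADMIN_PORTS)


def evaluate_network_acl(acl):
    """Return (status, offending rule numbers); default ACLs are skipped like the control."""
    if acl.get("IsDefault"):
        return ("SKIPPED", [])
    offending = sorted(e["RuleNumber"] for e in acl.get("Entries", [])
                       if entry_exposes_admin_port(e))
    return ("FAILED" if offending else "PASSED", offending)


SAMPLE_ACLS = {  # constructed; names stand in for network ACL IDs
    "acl-admin-open": {"IsDefault": False, "Entries": [
        {"RuleNumber": 100, "Protocol": "6", "RuleAction": "allow", "Egress": False,
         "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 22, "To": 22}},
        {"RuleNumber": 110, "Protocol": "6", "RuleAction": "allow", "Egress": False,
         "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 443, "To": 443}},
        {"RuleNumber": 100, "Protocol": "-1", "RuleAction": "allow", "Egress": True,
         "CidrBlock": "0.0.0.0/0"},
        {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": False,
         "CidrBlock": "0.0.0.0/0"},
    ]},
    "acl-web-only": {"IsDefault": False, "Entries": [
        {"RuleNumber": 100, "Protocol": "6", "RuleAction": "allow", "Egress": False,
         "Ipv6CidrBlock": "::/0", "PortRange": {"From": 443, "To": 443}},
        {"RuleNumber": 110, "Protocol": "6", "RuleAction": "allow", "Egress": False,
         "CidrBlock": "10.0.0.0/16", "PortRange": {"From": 22, "To": 22}},
        {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": False,
         "CidrBlock": "0.0.0.0/0"},
    ]},
    "acl-default": {"IsDefault": True, "Entries": [
        {"RuleNumber": 100, "Protocol": "-1", "RuleAction": "allow", "Egress": False,
         "CidrBlock": "0.0.0.0/0"},
    ]},
}


def evaluate_all(acls=SAMPLE_ACLS):
    return {name: evaluate_network_acl(acl) for name, acl in acls.items()}


if __name__ == "__main__":
    for name, (status, rules) in evaluate_all().items():
        print(f"{name}: {status} {rules}")
```

Network ACL entries are evaluated in ascending rule-number order and the first match wins, so in practice a world-open allow entry could be shadowed by a lower-numbered deny. The check above mirrors the per-entry logic the control describes and does not model that ordering; treat a flagged rule number as the entry to review, not as proof of reachability.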

### Remediation


To edit network ACL traffic rules, see [Work with network ACLs](https://docs.amazonaws.cn/vpc/latest/userguide/vpc-network-acls.html#nacl-tasks) in the *Amazon VPC User Guide*.

## [EC2.22] Unused Amazon EC2 security groups should be removed


**Category:** Identify > Inventory

**Severity:** Medium 

**Resource type:** `AWS::EC2::NetworkInterface`, `AWS::EC2::SecurityGroup`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/ec2-security-group-attached-to-eni-periodic.html](https://docs.amazonaws.cn/config/latest/developerguide/ec2-security-group-attached-to-eni-periodic.html)

**Schedule type:** Periodic

**Parameters:** None

This control checks whether security groups are attached to Amazon Elastic Compute Cloud (Amazon EC2) instances or to an elastic network interface. The control fails if the security group is not associated with an Amazon EC2 instance or an elastic network interface.

**Important**  
On September 20, 2023, Security Hub CSPM removed this control from the Amazon Foundational Security Best Practices and NIST SP 800-53 Revision 5 standards. This control continues to be part of the Amazon Control Tower service-managed standard. This control produces a passed finding if security groups are attached to EC2 instances or an elastic network interface. However, for certain use cases, unattached security groups don't pose a security risk. You can use other EC2 controls—such as EC2.2, EC2.13, EC2.14, EC2.18, and EC2.19—to monitor your security groups.

### Remediation


To create, assign and delete security groups, see [Security groups for your EC2 instances](https://docs.amazonaws.cn/AWSEC2/latest/UserGuide/ec2-security-groups.html) in the *Amazon EC2 User Guide*.

## [EC2.23] Amazon EC2 Transit Gateways should not automatically accept VPC attachment requests


**Related requirements:** NIST.800-53.r5 AC-4(21), NIST.800-53.r5 CA-9(1), NIST.800-53.r5 CM-2

**Category:** Protect > Secure network configuration

**Severity:** High 

**Resource type:** `AWS::EC2::TransitGateway`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/ec2-transit-gateway-auto-vpc-attach-disabled.html](https://docs.amazonaws.cn/config/latest/developerguide/ec2-transit-gateway-auto-vpc-attach-disabled.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks if EC2 transit gateways are automatically accepting shared VPC attachments. This control fails for a transit gateway that automatically accepts shared VPC attachment requests.

Turning on `AutoAcceptSharedAttachments` configures a transit gateway to automatically accept any cross-account VPC attachment request without verifying the request or the account the attachment originates from. To follow the best practices of authorization and authentication, we recommend turning off this feature so that only authorized VPC attachment requests are accepted.

### Remediation


To modify a transit gateway, see [Modify a transit gateway](https://docs.amazonaws.cn/vpc/latest/tgw/tgw-transit-gateways.html#tgw-modifying) in the *Amazon VPC Developer Guide*.

## [EC2.24] Amazon EC2 paravirtual instance types should not be used


**Related requirements:** NIST.800-53.r5 CM-2, NIST.800-53.r5 CM-2(2)

**Category:** Identify > Vulnerability, patch, and version management

**Severity:** Medium 

**Resource type:** `AWS::EC2::Instance`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/ec2-paravirtual-instance-check.html](https://docs.amazonaws.cn/config/latest/developerguide/ec2-paravirtual-instance-check.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether the virtualization type of an EC2 instance is paravirtual. The control fails if the `virtualizationType` of the EC2 instance is set to `paravirtual`.

Linux Amazon Machine Images (AMIs) use one of two types of virtualization: paravirtual (PV) or hardware virtual machine (HVM). The main differences between PV and HVM AMIs are the way in which they boot and whether they can take advantage of special hardware extensions (CPU, network, and storage) for better performance.

Historically, PV guests had better performance than HVM guests in many cases, but because of enhancements in HVM virtualization and the availability of PV drivers for HVM AMIs, this is no longer true. For more information, see [Linux AMI virtualization types](https://docs.amazonaws.cn/AWSEC2/latest/UserGuide/virtualization_types.html) in the *Amazon EC2 User Guide*.

### Remediation


To update an EC2 instance to a new instance type, see [Change the instance type](https://docs.amazonaws.cn/AWSEC2/latest/UserGuide/ec2-instance-resize.html) in the *Amazon EC2 User Guide*.

## [EC2.25] Amazon EC2 launch templates should not assign public IPs to network interfaces


**Related requirements:** NIST.800-53.r5 AC-21, NIST.800-53.r5 AC-3, NIST.800-53.r5 AC-3(7), NIST.800-53.r5 AC-4, NIST.800-53.r5 AC-4(21), NIST.800-53.r5 AC-6, NIST.800-53.r5 SC-7, NIST.800-53.r5 SC-7(11), NIST.800-53.r5 SC-7(16), NIST.800-53.r5 SC-7(20), NIST.800-53.r5 SC-7(21), NIST.800-53.r5 SC-7(3), NIST.800-53.r5 SC-7(4), NIST.800-53.r5 SC-7(9), PCI DSS v4.0.1/1.4.4

**Category:** Protect > Secure network configuration > Resources not publicly accessible

**Severity:** High 

**Resource type:** `AWS::EC2::LaunchTemplate`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/ec2-launch-template-public-ip-disabled.html](https://docs.amazonaws.cn/config/latest/developerguide/ec2-launch-template-public-ip-disabled.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks if Amazon EC2 launch templates are configured to assign public IP addresses to network interfaces upon launch. The control fails if an EC2 launch template is configured to assign a public IP address to network interfaces or if there is at least one network interface that has a public IP address.

A public IP address is one that is reachable from the internet. If you configure your network interfaces with a public IP address, then the resources associated with those network interfaces may be reachable from the internet. EC2 resources shouldn't be publicly accessible because this may permit unintended access to your workloads.

### Remediation


To update an EC2 launch template, see [Change the default network interface settings](https://docs.amazonaws.cn/autoscaling/ec2/userguide/create-launch-template.html#change-network-interface) in the *Amazon EC2 Auto Scaling User Guide*.

## [EC2.28] EBS volumes should be covered by a backup plan


**Category:** Recover > Resilience > Backups enabled

**Related requirements:** NIST.800-53.r5 CP-10, NIST.800-53.r5 CP-6, NIST.800-53.r5 CP-6(1), NIST.800-53.r5 CP-6(2), NIST.800-53.r5 CP-9, NIST.800-53.r5 SC-5(2), NIST.800-53.r5 SI-12, NIST.800-53.r5 SI-13(5)

**Severity:** Low

**Resource type:** `AWS::EC2::Volume`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/ebs-resources-protected-by-backup-plan.html](https://docs.amazonaws.cn/config/latest/developerguide/ebs-resources-protected-by-backup-plan.html)

**Schedule type:** Periodic

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  `backupVaultLockCheck`  |  The control produces a `PASSED` finding if the parameter is set to `true` and the resource uses Amazon Backup Vault Lock.  |  Boolean  |  `true` or `false`  |  No default value  | 

This control evaluates if an Amazon EBS volume in `in-use` state is covered by a backup plan. The control fails if an EBS volume isn't covered by a backup plan. If you set the `backupVaultLockCheck` parameter equal to `true`, the control passes only if the EBS volume is backed up in an Amazon Backup locked vault.

Backups help you recover more quickly from a security incident. They also strengthen the resilience of your systems. Including Amazon EBS volumes in a backup plan helps you protect your data from unintended loss or deletion.
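The following is an added example, not Security Hub CSPM or Amazon Backup code, that applies the three outcomes described above to a small constructed inventory: volumes that are not `in-use` are not evaluated, an in-use volume with no covering backup plan fails, and with `backupVaultLockCheck` set to `true` a covered volume passes only if a covering plan writes to a vault protected by Vault Lock. The `BackupPlan` records (which volume IDs a plan's selection covers and which vault it targets) and the set of locked vaults are assumptions about data collected from Amazon Backup beforehand.

```python
"""Evaluate in-use EBS volumes against control EC2.28.

Added example; this is not Security Hub CSPM or Amazon Backup code. The
inventory is constructed: which volume IDs each backup plan's selection
covers, and which vault the plan writes to, are assumed to have been
collected from Amazon Backup beforehand.
"""
from dataclasses import dataclass
from typing import Iterable, Set


@dataclass(frozen=True)
class BackupPlan:
    name: str
    vault: str                # backup vault the plan's rules target
    volume_ids: frozenset     # EBS volumes selected by the plan


def evaluate_volume(volume: dict, plans: Iterable[BackupPlan], locked_vaults: Set[str],
                    backup_vault_lock_check: bool = False) -> str:
    """PASSED, FAILED, or NOT_APPLICABLE for one EBS volume.

    Only volumes in the `in-use` state are evaluated. With
    backupVaultLockCheck=true, coverage counts only when at least one
    covering plan backs up into a vault protected by Vault Lock.
    """
    if volume["State"] != "in-use":
        return "NOT_APPLICABLE"
    covering = [p for p in plans if volume["VolumeId"] in p.volume_ids]
    if not covering:
        return "FAILED"
    if backup_vault_lock_check and not any(p.vault in locked_vaults for p in covering):
        return "FAILED"
    return "PASSED"


# Constructed inventory
LOCKED_VAULTS = {"prod-vault"}
PLANS = (
    BackupPlan("prod-daily", "prod-vault", frozenset({"vol-0aaa"})),
    BackupPlan("dev-weekly", "dev-vault", frozenset({"vol-0bbb"})),
)
VOLUMES = (
    {"VolumeId": "vol-0aaa", "State": "in-use"},     # covered, locked vault
    {"VolumeId": "vol-0bbb", "State": "in-use"},     # covered, unlocked vault
    {"VolumeId": "vol-0ccc", "State": "in-use"},     # no plan at all
    {"VolumeId": "vol-0ddd", "State": "available"},  # detached, not evaluated
)


def evaluate_all(backup_vault_lock_check: bool = False) -> dict:
    """Map every constructed volume to its control outcome."""
    return {v["VolumeId"]: evaluate_volume(v, PLANS, LOCKED_VAULTS, backup_vault_lock_check)
            for v in VOLUMES}


if __name__ == "__main__":
    print("default:        ", evaluate_all())
    print("vault lock check:", evaluate_all(backup_vault_lock_check=True))
```

Running it shows why the parameter matters for ransomware resilience: `vol-0bbb` is backed up, but because its vault is not locked the backup could be deleted, so it only passes when the lock check is off.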

### Remediation


To add an Amazon EBS volume to an Amazon Backup backup plan, see [Assigning resources to a backup plan](https://docs.amazonaws.cn/aws-backup/latest/devguide/assigning-resources.html) in the *Amazon Backup Developer Guide*.

## [EC2.33] EC2 transit gateway attachments should be tagged


**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `AWS::EC2::TransitGatewayAttachment`

**Amazon Config rule:** `tagged-ec2-transitgatewayattachment` (custom Security Hub CSPM rule)

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  requiredTagKeys  | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive.  | StringList (maximum of 6 items)  | 1–6 tag keys that meet [Amazon requirements](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-conventions).  | No default value  | 

This control checks whether an Amazon EC2 transit gateway attachment has tags with the specific keys defined in the parameter `requiredTagKeys`. The control fails if the transit gateway attachment doesn’t have any tag keys or if it doesn’t have all the keys specified in the parameter `requiredTagKeys`. If the parameter `requiredTagKeys` isn't provided, the control only checks for the existence of a tag key and fails if the transit gateway attachment isn't tagged with any key. System tags, which are automatically applied and begin with `aws:`, are ignored.

A tag is a label that you assign to an Amazon resource, and it consists of a key and an optional value. You can create tags to categorize resources by purpose, owner, environment, or other criteria. Tags can help you identify, organize, search for, and filter resources. Tagging also helps you track accountable resource owners for actions and notifications. When you use tagging, you can implement attribute-based access control (ABAC) as an authorization strategy, which defines permissions based on tags. You can attach tags to IAM entities (users or roles) and to Amazon resources. You can create a single ABAC policy or a separate set of policies for your IAM principals. You can design these ABAC policies to allow operations when the principal's tag matches the resource tag. For more information, see [What is ABAC for Amazon?](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*.

**Note**  
Don’t add personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible to many Amazon Web Services services, including Amazon Billing. For more tagging best practices, see [Tagging your Amazon resources](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-best-practices) in the *Amazon Web Services General Reference*.

### Remediation


To add tags to an EC2 transit gateway attachment, see [Tag your Amazon EC2 resources](https://docs.amazonaws.cn/AWSEC2/latest/UserGuide/Using_Tags.html#Using_Tags_Console) in the *Amazon EC2 User Guide*.

## [EC2.34] EC2 transit gateway route tables should be tagged


**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `AWS::EC2::TransitGatewayRouteTable`

**Amazon Config rule:** `tagged-ec2-transitgatewayroutetable` (custom Security Hub CSPM rule)

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  requiredTagKeys  | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive.  | StringList (maximum of 6 items)  | 1–6 tag keys that meet [Amazon requirements](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-conventions).  | No default value  | 

This control checks whether an Amazon EC2 transit gateway route table has tags with the specific keys defined in the parameter `requiredTagKeys`. The control fails if the transit gateway route table doesn’t have any tag keys or if it doesn’t have all the keys specified in the parameter `requiredTagKeys`. If the parameter `requiredTagKeys` isn't provided, the control only checks for the existence of a tag key and fails if the transit gateway route table isn't tagged with any key. System tags, which are automatically applied and begin with `aws:`, are ignored.

A tag is a label that you assign to an Amazon resource, and it consists of a key and an optional value. You can create tags to categorize resources by purpose, owner, environment, or other criteria. Tags can help you identify, organize, search for, and filter resources. Tagging also helps you track accountable resource owners for actions and notifications. When you use tagging, you can implement attribute-based access control (ABAC) as an authorization strategy, which defines permissions based on tags. You can attach tags to IAM entities (users or roles) and to Amazon resources. You can create a single ABAC policy or a separate set of policies for your IAM principals. You can design these ABAC policies to allow operations when the principal's tag matches the resource tag. For more information, see [What is ABAC for Amazon?](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*.

**Note**  
Don’t add personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible to many Amazon Web Services services, including Amazon Billing. For more tagging best practices, see [Tagging your Amazon resources](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-best-practices) in the *Amazon Web Services General Reference*.

### Remediation


To add tags to an EC2 transit gateway route table, see [Tag your Amazon EC2 resources](https://docs.amazonaws.cn/AWSEC2/latest/UserGuide/Using_Tags.html#Using_Tags_Console) in the *Amazon EC2 User Guide*.

## [EC2.35] EC2 network interfaces should be tagged


**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `AWS::EC2::NetworkInterface`

**Amazon Config rule:** `tagged-ec2-networkinterface` (custom Security Hub CSPM rule)

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  requiredTagKeys  | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive.  | StringList (maximum of 6 items)  | 1–6 tag keys that meet [Amazon requirements](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-conventions).  | No default value  | 

This control checks whether an Amazon EC2 network interface has tags with the specific keys defined in the parameter `requiredTagKeys`. The control fails if the network interface doesn’t have any tag keys or if it doesn’t have all the keys specified in the parameter `requiredTagKeys`. If the parameter `requiredTagKeys` isn't provided, the control only checks for the existence of a tag key and fails if the network interface isn't tagged with any key. System tags, which are automatically applied and begin with `aws:`, are ignored.

A tag is a label that you assign to an Amazon resource, and it consists of a key and an optional value. You can create tags to categorize resources by purpose, owner, environment, or other criteria. Tags can help you identify, organize, search for, and filter resources. Tagging also helps you track accountable resource owners for actions and notifications. When you use tagging, you can implement attribute-based access control (ABAC) as an authorization strategy, which defines permissions based on tags. You can attach tags to IAM entities (users or roles) and to Amazon resources. You can create a single ABAC policy or a separate set of policies for your IAM principals. You can design these ABAC policies to allow operations when the principal's tag matches the resource tag. For more information, see [What is ABAC for Amazon?](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*.

**Note**  
Don’t add personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible to many Amazon Web Services services, including Amazon Billing. For more tagging best practices, see [Tagging your Amazon resources](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-best-practices) in the *Amazon Web Services General Reference*.

### Remediation


To add tags to an EC2 network interface, see [Tag your Amazon EC2 resources](https://docs.amazonaws.cn/AWSEC2/latest/UserGuide/Using_Tags.html#Using_Tags_Console) in the *Amazon EC2 User Guide*.

## [EC2.36] EC2 customer gateways should be tagged


**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `AWS::EC2::CustomerGateway`

**Amazon Config rule:** `tagged-ec2-customergateway` (custom Security Hub CSPM rule)

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  requiredTagKeys  | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive.  | StringList (maximum of 6 items)  | 1–6 tag keys that meet [Amazon requirements](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-conventions).  | No default value  | 

This control checks whether an Amazon EC2 customer gateway has tags with the specific keys defined in the parameter `requiredTagKeys`. The control fails if the customer gateway doesn’t have any tag keys or if it doesn’t have all the keys specified in the parameter `requiredTagKeys`. If the parameter `requiredTagKeys` isn't provided, the control only checks for the existence of a tag key and fails if the customer gateway isn't tagged with any key. System tags, which are automatically applied and begin with `aws:`, are ignored.

A tag is a label that you assign to an Amazon resource, and it consists of a key and an optional value. You can create tags to categorize resources by purpose, owner, environment, or other criteria. Tags can help you identify, organize, search for, and filter resources. Tagging also helps you track accountable resource owners for actions and notifications. When you use tagging, you can implement attribute-based access control (ABAC) as an authorization strategy, which defines permissions based on tags. You can attach tags to IAM entities (users or roles) and to Amazon resources. You can create a single ABAC policy or a separate set of policies for your IAM principals. You can design these ABAC policies to allow operations when the principal's tag matches the resource tag. For more information, see [What is ABAC for Amazon?](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*.

**Note**  
Don’t add personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible to many Amazon Web Services services, including Amazon Billing. For more tagging best practices, see [Tagging your Amazon resources](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-best-practices) in the *Amazon Web Services General Reference*.

### Remediation


To add tags to an EC2 customer gateway, see [Tag your Amazon EC2 resources](https://docs.amazonaws.cn/AWSEC2/latest/UserGuide/Using_Tags.html#Using_Tags_Console) in the *Amazon EC2 User Guide*.

## [EC2.37] EC2 Elastic IP addresses should be tagged


**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `AWS::EC2::EIP`

**Amazon Config rule:** `tagged-ec2-eip` (custom Security Hub CSPM rule)

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  requiredTagKeys  | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive.  | StringList (maximum of 6 items)  | 1–6 tag keys that meet [Amazon requirements](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-conventions).  | No default value  | 

This control checks whether an Amazon EC2 Elastic IP address has tags with the specific keys defined in the parameter `requiredTagKeys`. The control fails if the Elastic IP address doesn’t have any tag keys or if it doesn’t have all the keys specified in the parameter `requiredTagKeys`. If the parameter `requiredTagKeys` isn't provided, the control only checks for the existence of a tag key and fails if the Elastic IP address isn't tagged with any key. System tags, which are automatically applied and begin with `aws:`, are ignored.

A tag is a label that you assign to an Amazon resource, and it consists of a key and an optional value. You can create tags to categorize resources by purpose, owner, environment, or other criteria. Tags can help you identify, organize, search for, and filter resources. Tagging also helps you track accountable resource owners for actions and notifications. When you use tagging, you can implement attribute-based access control (ABAC) as an authorization strategy, which defines permissions based on tags. You can attach tags to IAM entities (users or roles) and to Amazon resources. You can create a single ABAC policy or a separate set of policies for your IAM principals. You can design these ABAC policies to allow operations when the principal's tag matches the resource tag. For more information, see [What is ABAC for Amazon?](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*.

**Note**  
Don’t add personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible to many Amazon Web Services services, including Amazon Billing. For more tagging best practices, see [Tagging your Amazon resources](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-best-practices) in the *Amazon Web Services General Reference*.

### Remediation


To add tags to an EC2 Elastic IP address, see [Tag your Amazon EC2 resources](https://docs.amazonaws.cn/AWSEC2/latest/UserGuide/Using_Tags.html#Using_Tags_Console) in the *Amazon EC2 User Guide*.

## [EC2.38] EC2 instances should be tagged


**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `AWS::EC2::Instance`

**Amazon Config rule:** `tagged-ec2-instance` (custom Security Hub CSPM rule)

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  requiredTagKeys  | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive.  | StringList (maximum of 6 items)  | 1–6 tag keys that meet [Amazon requirements](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-conventions).  | No default value  | 

This control checks whether an Amazon EC2 instance has tags with the specific keys defined in the parameter `requiredTagKeys`. The control fails if the instance doesn’t have any tag keys or if it doesn’t have all the keys specified in the parameter `requiredTagKeys`. If the parameter `requiredTagKeys` isn't provided, the control only checks for the existence of a tag key and fails if the instance isn't tagged with any key. System tags, which are automatically applied and begin with `aws:`, are ignored.

A tag is a label that you assign to an Amazon resource, and it consists of a key and an optional value. You can create tags to categorize resources by purpose, owner, environment, or other criteria. Tags can help you identify, organize, search for, and filter resources. Tagging also helps you track accountable resource owners for actions and notifications. When you use tagging, you can implement attribute-based access control (ABAC) as an authorization strategy, which defines permissions based on tags. You can attach tags to IAM entities (users or roles) and to Amazon resources. You can create a single ABAC policy or a separate set of policies for your IAM principals. You can design these ABAC policies to allow operations when the principal's tag matches the resource tag. For more information, see [What is ABAC for Amazon?](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*.

**Note**  
Don’t add personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible to many Amazon Web Services services, including Amazon Billing. For more tagging best practices, see [Tagging your Amazon resources](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-best-practices) in the *Amazon Web Services General Reference*.

### Remediation


To add tags to an EC2 instance, see [Tag your Amazon EC2 resources](https://docs.amazonaws.cn/AWSEC2/latest/UserGuide/Using_Tags.html#Using_Tags_Console) in the *Amazon EC2 User Guide*.

## [EC2.39] EC2 internet gateways should be tagged


**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `AWS::EC2::InternetGateway`

**Amazon Config rule:** `tagged-ec2-internetgateway` (custom Security Hub CSPM rule)

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  requiredTagKeys  | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive.  | StringList (maximum of 6 items)  | 1–6 tag keys that meet [Amazon requirements](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-conventions).  | No default value  | 

This control checks whether an Amazon EC2 internet gateway has tags with the specific keys defined in the parameter `requiredTagKeys`. The control fails if the internet gateway doesn’t have any tag keys or if it doesn’t have all the keys specified in the parameter `requiredTagKeys`. If the parameter `requiredTagKeys` isn't provided, the control only checks for the existence of a tag key and fails if the internet gateway isn't tagged with any key. System tags, which are automatically applied and begin with `aws:`, are ignored.

A tag is a label that you assign to an Amazon resource, and it consists of a key and an optional value. You can create tags to categorize resources by purpose, owner, environment, or other criteria. Tags can help you identify, organize, search for, and filter resources. Tagging also helps you track accountable resource owners for actions and notifications. When you use tagging, you can implement attribute-based access control (ABAC) as an authorization strategy, which defines permissions based on tags. You can attach tags to IAM entities (users or roles) and to Amazon resources. You can create a single ABAC policy or a separate set of policies for your IAM principals. You can design these ABAC policies to allow operations when the principal's tag matches the resource tag. For more information, see [What is ABAC for Amazon?](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*.

**Note**  
Don’t add personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible to many Amazon Web Services services, including Amazon Billing. For more tagging best practices, see [Tagging your Amazon resources](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-best-practices) in the *Amazon Web Services General Reference*.

### Remediation


To add tags to an EC2 internet gateway, see [Tag your Amazon EC2 resources](https://docs.amazonaws.cn/AWSEC2/latest/UserGuide/Using_Tags.html#Using_Tags_Console) in the *Amazon EC2 User Guide*.

## [EC2.40] EC2 NAT gateways should be tagged


**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `AWS::EC2::NatGateway`

**Amazon Config rule:** `tagged-ec2-natgateway` (custom Security Hub CSPM rule)

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  requiredTagKeys  | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive.  | StringList (maximum of 6 items)  | 1–6 tag keys that meet [Amazon requirements](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-conventions).  | No default value  | 

This control checks whether an Amazon EC2 network address translation (NAT) gateway has tags with the specific keys defined in the parameter `requiredTagKeys`. The control fails if the NAT gateway doesn’t have any tag keys or if it doesn’t have all the keys specified in the parameter `requiredTagKeys`. If the parameter `requiredTagKeys` isn't provided, the control only checks for the existence of a tag key and fails if the NAT gateway isn't tagged with any key. System tags, which are automatically applied and begin with `aws:`, are ignored.

A tag is a label that you assign to an Amazon resource, and it consists of a key and an optional value. You can create tags to categorize resources by purpose, owner, environment, or other criteria. Tags can help you identify, organize, search for, and filter resources. Tagging also helps you track accountable resource owners for actions and notifications. When you use tagging, you can implement attribute-based access control (ABAC) as an authorization strategy, which defines permissions based on tags. You can attach tags to IAM entities (users or roles) and to Amazon resources. You can create a single ABAC policy or a separate set of policies for your IAM principals. You can design these ABAC policies to allow operations when the principal's tag matches the resource tag. For more information, see [What is ABAC for Amazon?](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*.

**Note**  
Don’t add personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible to many Amazon Web Services services, including Amazon Billing. For more tagging best practices, see [Tagging your Amazon resources](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-best-practices) in the *Amazon Web Services General Reference*.

### Remediation


To add tags to an EC2 NAT gateway, see [Tag your Amazon EC2 resources](https://docs.amazonaws.cn/AWSEC2/latest/UserGuide/Using_Tags.html#Using_Tags_Console) in the *Amazon EC2 User Guide*.

## [EC2.41] EC2 network ACLs should be tagged


**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `AWS::EC2::NetworkAcl`

**Amazon Config rule:** `tagged-ec2-networkacl` (custom Security Hub CSPM rule)

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  requiredTagKeys  | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive.  | StringList (maximum of 6 items)  | 1–6 tag keys that meet [Amazon requirements](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-conventions).  | No default value  | 

This control checks whether an Amazon EC2 network access control list (network ACL) has tags with the specific keys defined in the parameter `requiredTagKeys`. The control fails if the network ACL doesn’t have any tag keys or if it doesn’t have all the keys specified in the parameter `requiredTagKeys`. If the parameter `requiredTagKeys` isn't provided, the control only checks for the existence of a tag key and fails if the network ACL isn't tagged with any key. System tags, which are automatically applied and begin with `aws:`, are ignored.

A tag is a label that you assign to an Amazon resource, and it consists of a key and an optional value. You can create tags to categorize resources by purpose, owner, environment, or other criteria. Tags can help you identify, organize, search for, and filter resources. Tagging also helps you track accountable resource owners for actions and notifications. When you use tagging, you can implement attribute-based access control (ABAC) as an authorization strategy, which defines permissions based on tags. You can attach tags to IAM entities (users or roles) and to Amazon resources. You can create a single ABAC policy or a separate set of policies for your IAM principals. You can design these ABAC policies to allow operations when the principal's tag matches the resource tag. For more information, see [What is ABAC for Amazon?](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*.

**Note**  
Don’t add personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible to many Amazon Web Services services, including Amazon Billing. For more tagging best practices, see [Tagging your Amazon resources](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-best-practices) in the *Amazon Web Services General Reference*.

### Remediation


To add tags to an EC2 network ACL, see [Tag your Amazon EC2 resources](https://docs.amazonaws.cn/AWSEC2/latest/UserGuide/Using_Tags.html#Using_Tags_Console) in the *Amazon EC2 User Guide*.

## [EC2.42] EC2 route tables should be tagged


**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `AWS::EC2::RouteTable`

**Amazon Config rule:** `tagged-ec2-routetable` (custom Security Hub CSPM rule)

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  requiredTagKeys  | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive.  | StringList (maximum of 6 items)  | 1–6 tag keys that meet [Amazon requirements](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-conventions).  | No default value  | 

This control checks whether an Amazon EC2 route table has tags with the specific keys defined in the parameter `requiredTagKeys`. The control fails if the route table doesn’t have any tag keys or if it doesn’t have all the keys specified in the parameter `requiredTagKeys`. If the parameter `requiredTagKeys` isn't provided, the control only checks for the existence of a tag key and fails if the route table isn't tagged with any key. System tags, which are automatically applied and begin with `aws:`, are ignored.

A tag is a label that you assign to an Amazon resource, and it consists of a key and an optional value. You can create tags to categorize resources by purpose, owner, environment, or other criteria. Tags can help you identify, organize, search for, and filter resources. Tagging also helps you track accountable resource owners for actions and notifications. When you use tagging, you can implement attribute-based access control (ABAC) as an authorization strategy, which defines permissions based on tags. You can attach tags to IAM entities (users or roles) and to Amazon resources. You can create a single ABAC policy or a separate set of policies for your IAM principals. You can design these ABAC policies to allow operations when the principal's tag matches the resource tag. For more information, see [What is ABAC for Amazon?](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*.

**Note**  
Don’t add personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible to many Amazon Web Services services, including Amazon Billing. For more tagging best practices, see [Tagging your Amazon resources](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-best-practices) in the *Amazon Web Services General Reference*.

### Remediation


To add tags to an EC2 route table, see [Tag your Amazon EC2 resources](https://docs.amazonaws.cn/AWSEC2/latest/UserGuide/Using_Tags.html#Using_Tags_Console) in the *Amazon EC2 User Guide*.

## [EC2.43] EC2 security groups should be tagged


**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `AWS::EC2::SecurityGroup`

**Amazon Config rule:** `tagged-ec2-securitygroup` (custom Security Hub CSPM rule)

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  requiredTagKeys  | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive.  | StringList (maximum of 6 items)  | 1–6 tag keys that meet [Amazon requirements](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-conventions).  | No default value  | 

This control checks whether an Amazon EC2 security group has tags with the specific keys defined in the parameter `requiredTagKeys`. The control fails if the security group doesn’t have any tag keys or if it doesn’t have all the keys specified in the parameter `requiredTagKeys`. If the parameter `requiredTagKeys` isn't provided, the control only checks for the existence of a tag key and fails if the security group isn't tagged with any key. System tags, which are automatically applied and begin with `aws:`, are ignored.

A tag is a label that you assign to an Amazon resource, and it consists of a key and an optional value. You can create tags to categorize resources by purpose, owner, environment, or other criteria. Tags can help you identify, organize, search for, and filter resources. Tagging also helps you track accountable resource owners for actions and notifications. When you use tagging, you can implement attribute-based access control (ABAC) as an authorization strategy, which defines permissions based on tags. You can attach tags to IAM entities (users or roles) and to Amazon resources. You can create a single ABAC policy or a separate set of policies for your IAM principals. You can design these ABAC policies to allow operations when the principal's tag matches the resource tag. For more information, see [What is ABAC for Amazon?](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*.

**Note**  
Don’t add personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible to many Amazon Web Services services, including Amazon Billing. For more tagging best practices, see [Tagging your Amazon resources](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-best-practices) in the *Amazon Web Services General Reference*.

### Remediation


To add tags to an EC2 security group, see [Tag your Amazon EC2 resources](https://docs.amazonaws.cn/AWSEC2/latest/UserGuide/Using_Tags.html#Using_Tags_Console) in the *Amazon EC2 User Guide*.

## [EC2.44] EC2 subnets should be tagged


**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `AWS::EC2::Subnet`

**Amazon Config rule:** `tagged-ec2-subnet` (custom Security Hub CSPM rule)

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  requiredTagKeys  | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive.  | StringList (maximum of 6 items)  | 1–6 tag keys that meet [Amazon requirements](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-conventions).  | No default value  | 

This control checks whether an Amazon EC2 subnet has tags with the specific keys defined in the parameter `requiredTagKeys`. The control fails if the subnet doesn’t have any tag keys or if it doesn’t have all the keys specified in the parameter `requiredTagKeys`. If the parameter `requiredTagKeys` isn't provided, the control only checks for the existence of a tag key and fails if the subnet isn't tagged with any key. System tags, which are automatically applied and begin with `aws:`, are ignored.

A tag is a label that you assign to an Amazon resource, and it consists of a key and an optional value. You can create tags to categorize resources by purpose, owner, environment, or other criteria. Tags can help you identify, organize, search for, and filter resources. Tagging also helps you track accountable resource owners for actions and notifications. When you use tagging, you can implement attribute-based access control (ABAC) as an authorization strategy, which defines permissions based on tags. You can attach tags to IAM entities (users or roles) and to Amazon resources. You can create a single ABAC policy or a separate set of policies for your IAM principals. You can design these ABAC policies to allow operations when the principal's tag matches the resource tag. For more information, see [What is ABAC for Amazon?](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*.

**Note**  
Don’t add personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible to many Amazon Web Services services, including Amazon Billing. For more tagging best practices, see [Tagging your Amazon resources](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-best-practices) in the *Amazon Web Services General Reference*.

### Remediation


To add tags to an EC2 subnet, see [Tag your Amazon EC2 resources](https://docs.amazonaws.cn/AWSEC2/latest/UserGuide/Using_Tags.html#Using_Tags_Console) in the *Amazon EC2 User Guide*.

## [EC2.45] EC2 volumes should be tagged


**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `AWS::EC2::Volume`

**Amazon Config rule:** `tagged-ec2-volume` (custom Security Hub CSPM rule)

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  requiredTagKeys  | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive.  | StringList (maximum of 6 items)  | 1–6 tag keys that meet [Amazon requirements](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-conventions).  | No default value  | 

This control checks whether an Amazon EC2 volume has tags with the specific keys defined in the parameter `requiredTagKeys`. The control fails if the volume doesn’t have any tag keys or if it doesn’t have all the keys specified in the parameter `requiredTagKeys`. If the parameter `requiredTagKeys` isn't provided, the control only checks for the existence of a tag key and fails if the volume isn't tagged with any key. System tags, which are automatically applied and begin with `aws:`, are ignored.

A tag is a label that you assign to an Amazon resource, and it consists of a key and an optional value. You can create tags to categorize resources by purpose, owner, environment, or other criteria. Tags can help you identify, organize, search for, and filter resources. Tagging also helps you track accountable resource owners for actions and notifications. When you use tagging, you can implement attribute-based access control (ABAC) as an authorization strategy, which defines permissions based on tags. You can attach tags to IAM entities (users or roles) and to Amazon resources. You can create a single ABAC policy or a separate set of policies for your IAM principals. You can design these ABAC policies to allow operations when the principal's tag matches the resource tag. For more information, see [What is ABAC for Amazon?](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*.

**Note**  
Don’t add personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible to many Amazon Web Services services, including Amazon Billing. For more tagging best practices, see [Tagging your Amazon resources](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-best-practices) in the *Amazon Web Services General Reference*.

### Remediation


To add tags to an EC2 volume, see [Tag your Amazon EC2 resources](https://docs.amazonaws.cn/AWSEC2/latest/UserGuide/Using_Tags.html#Using_Tags_Console) in the *Amazon EC2 User Guide*.

## [EC2.46] Amazon VPCs should be tagged


**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `AWS::EC2::VPC`

**Amazon Config rule:** `tagged-ec2-vpc` (custom Security Hub CSPM rule)

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  requiredTagKeys  | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive.  | StringList (maximum of 6 items)  | 1–6 tag keys that meet [Amazon requirements](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-conventions).  | No default value  | 

This control checks whether an Amazon Virtual Private Cloud (Amazon VPC) has tags with the specific keys defined in the parameter `requiredTagKeys`. The control fails if the Amazon VPC doesn’t have any tag keys or if it doesn’t have all the keys specified in the parameter `requiredTagKeys`. If the parameter `requiredTagKeys` isn't provided, the control only checks for the existence of a tag key and fails if the Amazon VPC isn't tagged with any key. System tags, which are automatically applied and begin with `aws:`, are ignored.

A tag is a label that you assign to an Amazon resource, and it consists of a key and an optional value. You can create tags to categorize resources by purpose, owner, environment, or other criteria. Tags can help you identify, organize, search for, and filter resources. Tagging also helps you track accountable resource owners for actions and notifications. When you use tagging, you can implement attribute-based access control (ABAC) as an authorization strategy, which defines permissions based on tags. You can attach tags to IAM entities (users or roles) and to Amazon resources. You can create a single ABAC policy or a separate set of policies for your IAM principals. You can design these ABAC policies to allow operations when the principal's tag matches the resource tag. For more information, see [What is ABAC for Amazon?](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*.

**Note**  
Don’t add personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible to many Amazon Web Services services, including Amazon Billing. For more tagging best practices, see [Tagging your Amazon resources](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-best-practices) in the *Amazon Web Services General Reference*.

### Remediation


To add tags to a VPC, see [Tag your Amazon EC2 resources](https://docs.amazonaws.cn/AWSEC2/latest/UserGuide/Using_Tags.html#Using_Tags_Console) in the *Amazon EC2 User Guide*.

## [EC2.47] Amazon VPC endpoint services should be tagged


**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `AWS::EC2::VPCEndpointService`

**Amazon Config rule:** `tagged-ec2-vpcendpointservice` (custom Security Hub CSPM rule)

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  requiredTagKeys  | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive.  | StringList (maximum of 6 items)  | 1–6 tag keys that meet [Amazon requirements](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-conventions).  | No default value  | 

This control checks whether an Amazon VPC endpoint service has tags with the specific keys defined in the parameter `requiredTagKeys`. The control fails if the endpoint service doesn’t have any tag keys or if it doesn’t have all the keys specified in the parameter `requiredTagKeys`. If the parameter `requiredTagKeys` isn't provided, the control only checks for the existence of a tag key and fails if the endpoint service isn't tagged with any key. System tags, which are automatically applied and begin with `aws:`, are ignored.

A tag is a label that you assign to an Amazon resource, and it consists of a key and an optional value. You can create tags to categorize resources by purpose, owner, environment, or other criteria. Tags can help you identify, organize, search for, and filter resources. Tagging also helps you track accountable resource owners for actions and notifications. When you use tagging, you can implement attribute-based access control (ABAC) as an authorization strategy, which defines permissions based on tags. You can attach tags to IAM entities (users or roles) and to Amazon resources. You can create a single ABAC policy or a separate set of policies for your IAM principals. You can design these ABAC policies to allow operations when the principal's tag matches the resource tag. For more information, see [What is ABAC for Amazon?](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*.

**Note**  
Don’t add personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible to many Amazon Web Services services, including Amazon Billing. For more tagging best practices, see [Tagging your Amazon resources](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-best-practices) in the *Amazon Web Services General Reference*.

### Remediation


To add tags to an Amazon VPC endpoint service, see [Manage Tags](https://docs.amazonaws.cn/vpc/latest/privatelink/configure-endpoint-service.html#add-remove-endpoint-service-tags) in the [Configure an endpoint service](https://docs.amazonaws.cn/vpc/latest/privatelink/configure-endpoint-service.html) section of the *Amazon PrivateLink Guide*.

## [EC2.48] Amazon VPC flow logs should be tagged


**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `AWS::EC2::FlowLog`

**Amazon Config rule:** `tagged-ec2-flowlog` (custom Security Hub CSPM rule)

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  requiredTagKeys  | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive.  | StringList (maximum of 6 items)  | 1–6 tag keys that meet [Amazon requirements](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-conventions).  | No default value  | 

This control checks whether an Amazon VPC flow log has tags with the specific keys defined in the parameter `requiredTagKeys`. The control fails if the flow log doesn’t have any tag keys or if it doesn’t have all the keys specified in the parameter `requiredTagKeys`. If the parameter `requiredTagKeys` isn't provided, the control only checks for the existence of a tag key and fails if the flow log isn't tagged with any key. System tags, which are automatically applied and begin with `aws:`, are ignored.

A tag is a label that you assign to an Amazon resource, and it consists of a key and an optional value. You can create tags to categorize resources by purpose, owner, environment, or other criteria. Tags can help you identify, organize, search for, and filter resources. Tagging also helps you track accountable resource owners for actions and notifications. When you use tagging, you can implement attribute-based access control (ABAC) as an authorization strategy, which defines permissions based on tags. You can attach tags to IAM entities (users or roles) and to Amazon resources. You can create a single ABAC policy or a separate set of policies for your IAM principals. You can design these ABAC policies to allow operations when the principal's tag matches the resource tag. For more information, see [What is ABAC for Amazon?](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*.

**Note**  
Don’t add personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible to many Amazon Web Services services, including Amazon Billing. For more tagging best practices, see [Tagging your Amazon resources](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-best-practices) in the *Amazon Web Services General Reference*.

### Remediation


To add tags to an Amazon VPC flow log, see [Tag a flow log](https://docs.amazonaws.cn/vpc/latest/userguide/working-with-flow-logs.html#modify-tags-flow-logs) in the *Amazon VPC User Guide*.

## [EC2.49] Amazon VPC peering connections should be tagged


**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `AWS::EC2::VPCPeeringConnection`

**Amazon Config rule:** `tagged-ec2-vpcpeeringconnection` (custom Security Hub CSPM rule)

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  requiredTagKeys  | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive.  | StringList (maximum of 6 items)  | 1–6 tag keys that meet [Amazon requirements](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-conventions).  | No default value  | 

This control checks whether an Amazon VPC peering connection has tags with the specific keys defined in the parameter `requiredTagKeys`. The control fails if the peering connection doesn’t have any tag keys or if it doesn’t have all the keys specified in the parameter `requiredTagKeys`. If the parameter `requiredTagKeys` isn't provided, the control only checks for the existence of a tag key and fails if the peering connection isn't tagged with any key. System tags, which are automatically applied and begin with `aws:`, are ignored.

A tag is a label that you assign to an Amazon resource, and it consists of a key and an optional value. You can create tags to categorize resources by purpose, owner, environment, or other criteria. Tags can help you identify, organize, search for, and filter resources. Tagging also helps you track accountable resource owners for actions and notifications. When you use tagging, you can implement attribute-based access control (ABAC) as an authorization strategy, which defines permissions based on tags. You can attach tags to IAM entities (users or roles) and to Amazon resources. You can create a single ABAC policy or a separate set of policies for your IAM principals. You can design these ABAC policies to allow operations when the principal's tag matches the resource tag. For more information, see [What is ABAC for Amazon?](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*.

**Note**  
Don’t add personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible to many Amazon Web Services services, including Amazon Billing. For more tagging best practices, see [Tagging your Amazon resources](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-best-practices) in the *Amazon Web Services General Reference*.

### Remediation


To add tags to an Amazon VPC peering connection, see [Tag your Amazon EC2 resources](https://docs.amazonaws.cn/AWSEC2/latest/UserGuide/Using_Tags.html) in the *Amazon EC2 User Guide*.

## [EC2.50] EC2 VPN gateways should be tagged


**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `AWS::EC2::VPNGateway`

**Amazon Config rule:** `tagged-ec2-vpngateway` (custom Security Hub CSPM rule)

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  requiredTagKeys  | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive.  | StringList (maximum of 6 items)  | 1–6 tag keys that meet [Amazon requirements](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-conventions).  | No default value  | 

This control checks whether an Amazon EC2 VPN gateway has tags with the specific keys defined in the parameter `requiredTagKeys`. The control fails if the VPN gateway doesn’t have any tag keys or if it doesn’t have all the keys specified in the parameter `requiredTagKeys`. If the parameter `requiredTagKeys` isn't provided, the control only checks for the existence of a tag key and fails if the VPN gateway isn't tagged with any key. System tags, which are automatically applied and begin with `aws:`, are ignored.

A tag is a label that you assign to an Amazon resource, and it consists of a key and an optional value. You can create tags to categorize resources by purpose, owner, environment, or other criteria. Tags can help you identify, organize, search for, and filter resources. Tagging also helps you track accountable resource owners for actions and notifications. When you use tagging, you can implement attribute-based access control (ABAC) as an authorization strategy, which defines permissions based on tags. You can attach tags to IAM entities (users or roles) and to Amazon resources. You can create a single ABAC policy or a separate set of policies for your IAM principals. You can design these ABAC policies to allow operations when the principal's tag matches the resource tag. For more information, see [What is ABAC for Amazon?](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*.

**Note**  
Don’t add personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible to many Amazon Web Services services, including Amazon Billing. For more tagging best practices, see [Tagging your Amazon resources](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-best-practices) in the *Amazon Web Services General Reference*.

### Remediation


To add tags to an EC2 VPN gateway, see [Tag your Amazon EC2 resources](https://docs.amazonaws.cn/AWSEC2/latest/UserGuide/Using_Tags.html) in the *Amazon EC2 User Guide*.

## [EC2.51] EC2 Client VPN endpoints should have client connection logging enabled


**Related requirements:** NIST.800-53.r5 AC-2(12), NIST.800-53.r5 AC-2(4), NIST.800-53.r5 AC-4(26), NIST.800-53.r5 AC-6(9), NIST.800-53.r5 AU-10, NIST.800-53.r5 AU-12, NIST.800-53.r5 AU-2, NIST.800-53.r5 AU-3, NIST.800-53.r5 AU-6(3), NIST.800-53.r5 AU-6(4), NIST.800-53.r5 AU-9(7), NIST.800-53.r5 CA-7, NIST.800-53.r5 SC-7(9), NIST.800-53.r5 SI-3(8), NIST.800-53.r5 SI-4, NIST.800-53.r5 SI-4(20), NIST.800-53.r5 SI-7(8), NIST.800-171.r2 3.1.12, NIST.800-171.r2 3.1.20, PCI DSS v4.0.1/10.2.1

**Category:** Identify > Logging

**Severity:** Low

**Resource type:** `AWS::EC2::ClientVpnEndpoint`

**Amazon Config rule:** [`ec2-client-vpn-connection-log-enabled`](https://docs.amazonaws.cn/config/latest/developerguide/ec2-client-vpn-connection-log-enabled.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether an Amazon Client VPN endpoint has client connection logging enabled. The control fails if the endpoint doesn't have client connection logging enabled.

Client VPN endpoints allow remote clients to securely connect to resources in a Virtual Private Cloud (VPC) in Amazon. Connection logs allow you to track user activity on the VPN endpoint and provide visibility. When you enable connection logging, you can specify the name of a log stream in the log group. If you don't specify a log stream, the Client VPN service creates one for you.

### Remediation


To enable connection logging, see [Enable connection logging for an existing Client VPN endpoint](https://docs.amazonaws.cn/vpn/latest/clientvpn-admin/cvpn-working-with-connection-logs.html#create-connection-log-existing) in the *Amazon Client VPN Administrator Guide*.

## [EC2.52] EC2 transit gateways should be tagged


**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `AWS::EC2::TransitGateway`

**Amazon Config rule:** `tagged-ec2-transitgateway` (custom Security Hub CSPM rule)

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  requiredTagKeys  | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive.  | StringList (maximum of 6 items)  | 1–6 tag keys that meet [Amazon requirements](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-conventions).  |  No default value  | 

This control checks whether an Amazon EC2 transit gateway has tags with the specific keys defined in the parameter `requiredTagKeys`. The control fails if the transit gateway doesn’t have any tag keys or if it doesn’t have all the keys specified in the parameter `requiredTagKeys`. If the parameter `requiredTagKeys` isn't provided, the control only checks for the existence of a tag key and fails if the transit gateway isn't tagged with any key. System tags, which are automatically applied and begin with `aws:`, are ignored.

A tag is a label that you assign to an Amazon resource, and it consists of a key and an optional value. You can create tags to categorize resources by purpose, owner, environment, or other criteria. Tags can help you identify, organize, search for, and filter resources. Tagging also helps you track accountable resource owners for actions and notifications. When you use tagging, you can implement attribute-based access control (ABAC) as an authorization strategy, which defines permissions based on tags. You can attach tags to IAM entities (users or roles) and to Amazon resources. You can create a single ABAC policy or a separate set of policies for your IAM principals. You can design these ABAC policies to allow operations when the principal's tag matches the resource tag. For more information, see [What is ABAC for Amazon?](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*.

**Note**  
Don’t add personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible to many Amazon Web Services services, including Amazon Billing. For more tagging best practices, see [Tagging your Amazon resources](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-best-practices) in the *Amazon Web Services General Reference*.

### Remediation


To add tags to an EC2 transit gateway, see [Tag your Amazon EC2 resources](https://docs.amazonaws.cn/AWSEC2/latest/UserGuide/Using_Tags.html#Using_Tags_Console) in the *Amazon EC2 User Guide*.
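The tagging controls in this section (EC2.42 through EC2.52) all apply the same check, so the following added Python example, which is not Security Hub CSPM's or Amazon Config's own rule code, implements that logic once and runs it over a constructed inventory. Resource IDs, tag values and the `requiredTagKeys` list are made up for the example; the tag list shape is the `[{"Key": ..., "Value": ...}]` form the EC2 API returns.

```python
"""Added example, not Security Hub CSPM's own rule code: the check that the
EC2 tagging controls in this section share, run over constructed resources."""
from typing import Dict, List, Optional

SYSTEM_TAG_PREFIX = "aws:"      # automatically applied system tags are ignored
MAX_REQUIRED_KEYS = 6           # requiredTagKeys is a StringList of at most 6


def tags_from_ec2_list(tag_list: List[dict]) -> Dict[str, str]:
    """Collapse the [{"Key": ..., "Value": ...}] list the EC2 API returns
    into a plain {key: value} dict."""
    return {t["Key"]: t.get("Value", "") for t in tag_list}


def evaluate_required_tags(tags: Dict[str, str],
                           required_tag_keys: Optional[List[str]] = None) -> dict:
    """Evaluate one resource's tags the way the control text describes.

    - keys beginning with "aws:" never count toward compliance;
    - matching is case sensitive, so "owner" does not satisfy "Owner";
    - with requiredTagKeys absent, any single non-system key is enough.
    Returns a Config-style compliance value plus the keys still missing.
    """
    if required_tag_keys and len(required_tag_keys) > MAX_REQUIRED_KEYS:
        raise ValueError("requiredTagKeys accepts at most 6 keys")
    user_keys = {k for k in tags if not k.startswith(SYSTEM_TAG_PREFIX)}
    if not required_tag_keys:
        missing = [] if user_keys else ["<any non-system tag key>"]
    else:
        missing = [k for k in required_tag_keys if k not in user_keys]
    return {"compliance": "NON_COMPLIANT" if missing else "COMPLIANT",
            "missing_keys": missing}


def evaluate_resources(resources: Dict[str, List[dict]],
                       required_tag_keys: Optional[List[str]] = None) -> Dict[str, dict]:
    """Evaluate a batch keyed by resource ID, e.g. DescribeSecurityGroups or
    DescribeSubnets output reduced to {resource_id: Tags}."""
    return {rid: evaluate_required_tags(tags_from_ec2_list(tag_list), required_tag_keys)
            for rid, tag_list in resources.items()}


# Constructed sample inventory (IDs and tags are made up for this example).
SAMPLE_RESOURCES = {
    "sg-0a1b2c3d4e5f60001": [                 # complete: COMPLIANT
        {"Key": "Owner", "Value": "platform-team"},
        {"Key": "Environment", "Value": "prod"},
        {"Key": "aws:cloudformation:stack-name", "Value": "net-prod"},
    ],
    "sg-0a1b2c3d4e5f60002": [                 # missing Environment
        {"Key": "Owner", "Value": "platform-team"},
        {"Key": "Name", "Value": "bastion"},
    ],
    "subnet-0a1b2c3d4e5f60003": [             # wrong case: "owner" != "Owner"
        {"Key": "owner", "Value": "data-team"},
        {"Key": "Environment", "Value": "dev"},
    ],
    "vpc-0a1b2c3d4e5f60004": [                # only a system tag: counts as untagged
        {"Key": "aws:cloudformation:stack-name", "Value": "net-dev"},
    ],
}

REQUIRED = ["Owner", "Environment"]           # constructed requiredTagKeys value


if __name__ == "__main__":
    for rid, result in evaluate_resources(SAMPLE_RESOURCES, REQUIRED).items():
        print(f"{rid}: {result['compliance']} missing={result['missing_keys']}")
    # With requiredTagKeys not provided, only the system-tag-only VPC fails.
    for rid, result in evaluate_resources(SAMPLE_RESOURCES).items():
        print(f"{rid} (no parameter): {result['compliance']}")
```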

## [EC2.53] EC2 security groups should not allow ingress from 0.0.0.0/0 to remote server administration ports


**Related requirements:** CIS Amazon Foundations Benchmark v5.0.0/5.3, CIS Amazon Foundations Benchmark v3.0.0/5.2, PCI DSS v4.0.1/1.3.1

**Category:** Protect > Secure network configuration > Security group configuration

**Severity:** High

**Resource type:** `AWS::EC2::SecurityGroup`

**Amazon Config rule:** [`vpc-sg-port-restriction-check`](https://docs.amazonaws.cn/config/latest/developerguide/vpc-sg-port-restriction-check.html)

**Schedule type:** Periodic

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  `ipType`  |  The IP version  |  String  |  Not customizable  |  `IPv4`  | 
|  `restrictPorts`  |  List of ports that should reject ingress traffic  |  IntegerList  |  Not customizable  |  `22,3389`  | 

This control checks whether an Amazon EC2 security group allows ingress from 0.0.0.0/0 to remote server administration ports (ports 22 and 3389). The control fails if the security group allows ingress from 0.0.0.0/0 to port 22 or 3389.

Security groups provide stateful filtering of ingress and egress network traffic to Amazon resources. We recommend that no security group allow unrestricted ingress access to remote server administration ports, such as SSH to port 22 and RDP to port 3389, using either the TCP (6), UDP (17), or ALL (-1) protocols. Permitting public access to these ports increases resource attack surface and the risk of resource compromise.

### Remediation


To update an EC2 security group rule to prohibit ingress traffic to the specified ports, see [Update security group rules](https://docs.amazonaws.cn/AWSEC2/latest/UserGuide/working-with-security-groups.html#updating-security-group-rules) in the *Amazon EC2 User Guide*. After selecting a security group in the Amazon EC2 console, choose **Actions, Edit inbound rules**. Remove the rule that allows access to port 22 or port 3389.

## [EC2.54] EC2 security groups should not allow ingress from ::/0 to remote server administration ports


**Related requirements:** CIS Amazon Foundations Benchmark v5.0.0/5.4, CIS Amazon Foundations Benchmark v3.0.0/5.3, PCI DSS v4.0.1/1.3.1

**Category:** Protect > Secure network configuration > Security group configuration

**Severity:** High

**Resource type:** `AWS::EC2::SecurityGroup`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/vpc-sg-port-restriction-check.html](https://docs.amazonaws.cn/config/latest/developerguide/vpc-sg-port-restriction-check.html)

**Schedule type:** Periodic

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  `ipType`  |  The IP version  |  String  |  Not customizable  |  `IPv6`  | 
|  `restrictPorts`  |  List of ports that should reject ingress traffic  |  IntegerList  |  Not customizable  |  `22,3389`  | 

This control checks whether an Amazon EC2 security group allows ingress from ::/0 to remote server administration ports (ports 22 and 3389). The control fails if the security group allows ingress from ::/0 to port 22 or 3389.

Security groups provide stateful filtering of ingress and egress network traffic to Amazon resources. We recommend that no security group allow unrestricted ingress access to remote server administration ports, such as SSH to port 22 and RDP to port 3389, using either the TCP (6), UDP (17), or ALL (-1) protocols. Permitting public access to these ports increases resource attack surface and the risk of resource compromise.

### Remediation


To update an EC2 security group rule to prohibit ingress traffic to the specified ports, see [Update security group rules](https://docs.amazonaws.cn/AWSEC2/latest/UserGuide/working-with-security-groups.html#updating-security-group-rules) in the *Amazon EC2 User Guide*. After selecting a security group in the Amazon EC2 console, choose **Actions, Edit inbound rules**. Remove the rule that allows access to port 22 or port 3389.
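The evaluation that EC2.53 (IPv4) and EC2.54 (IPv6) describe, as an added example that is not Security Hub CSPM's or Amazon Config's own code: it walks `IpPermissions` entries in the shape the EC2 `DescribeSecurityGroups` API returns, treats TCP, UDP and ALL (-1) as exposing protocols, and reports a group as FAILED when an unrestricted source covers port 22 or 3389. The group IDs and rules are constructed sample data.

```python
"""Evaluate EC2 security group ingress rules the way controls EC2.53 (IPv4)
and EC2.54 (IPv6) describe. Added example; not Security Hub CSPM's own code.
Input shape follows the EC2 DescribeSecurityGroups response (IpPermissions)."""
from typing import Iterable

# Unrestricted source CIDR the control looks for, keyed by the ipType parameter.
OPEN_CIDR = {"IPv4": "0.0.0.0/0", "IPv6": "::/0"}
# Protocols the control treats as exposing a port: TCP (6), UDP (17), ALL (-1).
# The API returns them as "tcp", "udp" and "-1"; numeric strings are accepted too.
RISKY_PROTOCOLS = {"tcp", "6", "udp", "17", "-1"}


def rule_open_to_world(perm: dict, ip_type: str) -> bool:
    """True if this IpPermission entry lists the unrestricted CIDR for ip_type."""
    if ip_type == "IPv4":
        return any(r.get("CidrIp") == OPEN_CIDR["IPv4"] for r in perm.get("IpRanges", []))
    if ip_type == "IPv6":
        return any(r.get("CidrIpv6") == OPEN_CIDR["IPv6"] for r in perm.get("Ipv6Ranges", []))
    raise ValueError(f"unsupported ipType {ip_type!r}")


def rule_covers_port(perm: dict, port: int) -> bool:
    """True if the entry's protocol and port range include `port`.
    Protocol -1 (ALL) carries no FromPort/ToPort and covers every port."""
    proto = str(perm.get("IpProtocol", "")).lower()
    if proto not in RISKY_PROTOCOLS:
        return False
    if proto == "-1":
        return True
    from_port, to_port = perm.get("FromPort"), perm.get("ToPort")
    if from_port is None or to_port is None:
        return False
    return from_port <= port <= to_port


def evaluate_security_group(sg: dict, ip_type: str = "IPv4",
                            restrict_ports: Iterable[int] = (22, 3389)) -> dict:
    """Return {"GroupId", "Status": "PASSED"|"FAILED", "Violations": [...]}.
    A rule is a violation when it is open to the world AND covers a restricted port."""
    violations = []
    for perm in sg.get("IpPermissions", []):
        if not rule_open_to_world(perm, ip_type):
            continue
        exposed = [p for p in restrict_ports if rule_covers_port(perm, p)]
        if exposed:
            violations.append({"IpProtocol": perm.get("IpProtocol"),
                               "FromPort": perm.get("FromPort"),
                               "ToPort": perm.get("ToPort"),
                               "ExposedPorts": exposed})
    return {"GroupId": sg.get("GroupId"),
            "Status": "FAILED" if violations else "PASSED",
            "Violations": violations}


# Constructed sample groups (not real resources) covering the main cases.
SAMPLE_GROUPS = [
    {"GroupId": "sg-ssh-open-v4",   # SSH from anywhere over IPv4: fails EC2.53 only
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-range-v6",      # wide TCP range from ::/0: fails EC2.54 on both ports
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 1, "ToPort": 65535,
                        "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-all-traffic",   # protocol -1 from 0.0.0.0/0: fails EC2.53 on both ports
     "IpPermissions": [{"IpProtocol": "-1",
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-hardened",      # admin port only from a private range: passes both
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                        "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
                       {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
]


def evaluate_all(groups=SAMPLE_GROUPS) -> dict:
    """Map GroupId -> {ipType -> status}: one row per group for EC2.53 and EC2.54."""
    return {g["GroupId"]: {ip: evaluate_security_group(g, ip)["Status"]
                           for ip in OPEN_CIDR} for g in groups}


if __name__ == "__main__":
    for gid, statuses in evaluate_all().items():
        print(f"{gid:16s} EC2.53(IPv4)={statuses['IPv4']:6s} EC2.54(IPv6)={statuses['IPv6']}")
```

Note that the "hardened" group still passes with HTTPS open to the world: these two controls look only at the ports listed in `restrictPorts`, not at every public rule.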

## [EC2.55] VPCs should be configured with an interface endpoint for ECR API


**Related requirements:** NIST.800-53.r5 AC-21, NIST.800-53.r5 AC-3, NIST.800-53.r5 AC-3(7), NIST.800-53.r5 AC-4, NIST.800-53.r5 AC-4(21), NIST.800-53.r5 AC-6, NIST.800-53.r5 SC-7, NIST.800-53.r5 SC-7(11), NIST.800-53.r5 SC-7(16), NIST.800-53.r5 SC-7(20), NIST.800-53.r5 SC-7(21), NIST.800-53.r5 SC-7(3), NIST.800-53.r5 SC-7(4)

**Category:** Protect > Secure access management > Access control

**Severity:** Medium

**Resource type:** `AWS::EC2::VPC`, `AWS::EC2::VPCEndpoint`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/vpc-endpoint-enabled.html](https://docs.amazonaws.cn/config/latest/developerguide/vpc-endpoint-enabled.html)

**Schedule type:** Periodic

**Parameters:**


| Parameter | Required | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | --- | 
| serviceNames  | Required  | The name of the service that the control evaluates  | String  | Not customizable  | ecr.api | 
| vpcIds  | Optional  | Comma-separated list of Amazon VPC IDs for VPC endpoints. If provided, the control fails if the services specified in the serviceNames parameter don't have one of these VPC endpoints.  | StringList  | Customize with one or more VPC IDs  | No default value  | 

This control checks whether a virtual private cloud (VPC) that you manage has an interface VPC endpoint for Amazon ECR API. The control fails if the VPC doesn't have an interface VPC endpoint for ECR API. This control evaluates resources in a single account.

Amazon PrivateLink enables customers to access services hosted on Amazon in a highly available and scalable manner, while keeping all the network traffic within the Amazon network. Service users can privately access services powered by PrivateLink from their VPC or their on-premises networks, without using public IPs, and without requiring traffic to traverse the internet.

### Remediation


To configure a VPC endpoint, see [Access an Amazon Web Services service using an interface VPC endpoint](https://docs.amazonaws.cn/vpc/latest/privatelink/create-interface-endpoint.html) in the *Amazon PrivateLink Guide*.

## [EC2.56] VPCs should be configured with an interface endpoint for Docker Registry


**Related requirements:** NIST.800-53.r5 AC-21, NIST.800-53.r5 AC-3, NIST.800-53.r5 AC-3(7), NIST.800-53.r5 AC-4, NIST.800-53.r5 AC-4(21), NIST.800-53.r5 AC-6, NIST.800-53.r5 SC-7, NIST.800-53.r5 SC-7(11), NIST.800-53.r5 SC-7(16), NIST.800-53.r5 SC-7(20), NIST.800-53.r5 SC-7(21), NIST.800-53.r5 SC-7(3), NIST.800-53.r5 SC-7(4)

**Category:** Protect > Secure access management > Access control

**Severity:** Medium

**Resource type:** `AWS::EC2::VPC`, `AWS::EC2::VPCEndpoint`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/vpc-endpoint-enabled.html](https://docs.amazonaws.cn/config/latest/developerguide/vpc-endpoint-enabled.html)

**Schedule type:** Periodic

**Parameters:**


| Parameter | Required | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | --- | 
| serviceNames  | Required  | The name of the service that the control evaluates  | String  | Not customizable  | ecr.dkr | 
| vpcIds  | Optional  | Comma-separated list of Amazon VPC IDs for VPC endpoints. If provided, the control fails if the services specified in the serviceNames parameter don't have one of these VPC endpoints.  | StringList  | Customize with one or more VPC IDs  | No default value  | 

This control checks whether a virtual private cloud (VPC) that you manage has an interface VPC endpoint for Docker Registry. The control fails if the VPC doesn't have an interface VPC endpoint for Docker Registry. This control evaluates resources in a single account.

Amazon PrivateLink enables customers to access services hosted on Amazon in a highly available and scalable manner, while keeping all the network traffic within the Amazon network. Service users can privately access services powered by PrivateLink from their VPC or their on-premises networks, without using public IPs, and without requiring traffic to traverse the internet.

### Remediation


To configure a VPC endpoint, see [Access an Amazon Web Services service using an interface VPC endpoint](https://docs.amazonaws.cn/vpc/latest/privatelink/create-interface-endpoint.html) in the *Amazon PrivateLink Guide*.

## [EC2.57] VPCs should be configured with an interface endpoint for Systems Manager


**Related requirements:** NIST.800-53.r5 AC-21, NIST.800-53.r5 AC-3, NIST.800-53.r5 AC-3(7), NIST.800-53.r5 AC-4, NIST.800-53.r5 AC-4(21), NIST.800-53.r5 AC-6, NIST.800-53.r5 SC-7, NIST.800-53.r5 SC-7(11), NIST.800-53.r5 SC-7(16), NIST.800-53.r5 SC-7(20), NIST.800-53.r5 SC-7(21), NIST.800-53.r5 SC-7(3), NIST.800-53.r5 SC-7(4)

**Category:** Protect > Secure access management > Access control

**Severity:** Medium

**Resource type:** `AWS::EC2::VPC`, `AWS::EC2::VPCEndpoint`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/vpc-endpoint-enabled.html](https://docs.amazonaws.cn/config/latest/developerguide/vpc-endpoint-enabled.html)

**Schedule type:** Periodic

**Parameters:**


| Parameter | Required | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | --- | 
| serviceNames  | Required  | The name of the service that the control evaluates  | String  | Not customizable  | ssm | 
| vpcIds  | Optional  | Comma-separated list of Amazon VPC IDs for VPC endpoints. If provided, the control fails if the services specified in the serviceNames parameter don't have one of these VPC endpoints.  | StringList  | Customize with one or more VPC IDs  | No default value  | 

This control checks whether a virtual private cloud (VPC) that you manage has an interface VPC endpoint for Amazon Systems Manager. The control fails if the VPC doesn't have an interface VPC endpoint for Systems Manager. This control evaluates resources in a single account.

Amazon PrivateLink enables customers to access services hosted on Amazon in a highly available and scalable manner, while keeping all the network traffic within the Amazon network. Service users can privately access services powered by PrivateLink from their VPC or their on-premises networks, without using public IPs, and without requiring traffic to traverse the internet.

### Remediation


To configure a VPC endpoint, see [Access an Amazon Web Services service using an interface VPC endpoint](https://docs.amazonaws.cn/vpc/latest/privatelink/create-interface-endpoint.html) in the *Amazon PrivateLink Guide*.

## [EC2.58] VPCs should be configured with an interface endpoint for Systems Manager Incident Manager Contacts


**Related requirements:** NIST.800-53.r5 AC-21, NIST.800-53.r5 AC-3, NIST.800-53.r5 AC-3(7), NIST.800-53.r5 AC-4, NIST.800-53.r5 AC-4(21), NIST.800-53.r5 AC-6, NIST.800-53.r5 SC-7, NIST.800-53.r5 SC-7(11), NIST.800-53.r5 SC-7(16), NIST.800-53.r5 SC-7(20), NIST.800-53.r5 SC-7(21), NIST.800-53.r5 SC-7(3), NIST.800-53.r5 SC-7(4)

**Category:** Protect > Secure access management > Access control

**Severity:** Medium

**Resource type:** `AWS::EC2::VPC`, `AWS::EC2::VPCEndpoint`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/vpc-endpoint-enabled.html](https://docs.amazonaws.cn/config/latest/developerguide/vpc-endpoint-enabled.html)

**Schedule type:** Periodic

**Parameters:**


| Parameter | Required | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | --- | 
| serviceNames  | Required  | The name of the service that the control evaluates  | String  | Not customizable  | ssm-contacts | 
| vpcIds  | Optional  | Comma-separated list of Amazon VPC IDs for VPC endpoints. If provided, the control fails if the services specified in the serviceNames parameter don't have one of these VPC endpoints.  | StringList  | Customize with one or more VPC IDs  | No default value  | 

This control checks whether a virtual private cloud (VPC) that you manage has an interface VPC endpoint for Amazon Systems Manager Incident Manager Contacts. The control fails if the VPC doesn't have an interface VPC endpoint for Systems Manager Incident Manager Contacts. This control evaluates resources in a single account.

Amazon PrivateLink enables customers to access services hosted on Amazon in a highly available and scalable manner, while keeping all the network traffic within the Amazon network. Service users can privately access services powered by PrivateLink from their VPC or their on-premises networks, without using public IPs, and without requiring traffic to traverse the internet.

### Remediation


To configure a VPC endpoint, see [Access an Amazon Web Services service using an interface VPC endpoint](https://docs.amazonaws.cn/vpc/latest/privatelink/create-interface-endpoint.html) in the *Amazon PrivateLink Guide*.

## [EC2.60] VPCs should be configured with an interface endpoint for Systems Manager Incident Manager


**Related requirements:** NIST.800-53.r5 AC-21, NIST.800-53.r5 AC-3, NIST.800-53.r5 AC-3(7), NIST.800-53.r5 AC-4, NIST.800-53.r5 AC-4(21), NIST.800-53.r5 AC-6, NIST.800-53.r5 SC-7, NIST.800-53.r5 SC-7(11), NIST.800-53.r5 SC-7(16), NIST.800-53.r5 SC-7(20), NIST.800-53.r5 SC-7(21), NIST.800-53.r5 SC-7(3), NIST.800-53.r5 SC-7(4)

**Category:** Protect > Secure access management > Access control

**Severity:** Medium

**Resource type:** `AWS::EC2::VPC`, `AWS::EC2::VPCEndpoint`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/vpc-endpoint-enabled.html](https://docs.amazonaws.cn/config/latest/developerguide/vpc-endpoint-enabled.html)

**Schedule type:** Periodic

**Parameters:**


| Parameter | Required | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | --- | 
| serviceNames  | Required  | The name of the service that the control evaluates  | String  | Not customizable  | ssm-incidents | 
| vpcIds  | Optional  | Comma-separated list of Amazon VPC IDs for VPC endpoints. If provided, the control fails if the services specified in the serviceNames parameter don't have one of these VPC endpoints.  | StringList  | Customize with one or more VPC IDs  | No default value  | 

This control checks whether a virtual private cloud (VPC) that you manage has an interface VPC endpoint for Amazon Systems Manager Incident Manager. The control fails if the VPC doesn't have an interface VPC endpoint for Systems Manager Incident Manager. This control evaluates resources in a single account.

Amazon PrivateLink enables customers to access services hosted on Amazon in a highly available and scalable manner, while keeping all the network traffic within the Amazon network. Service users can privately access services powered by PrivateLink from their VPC or their on-premises networks, without using public IPs, and without requiring traffic to traverse the internet.

### Remediation


To configure a VPC endpoint, see [Access an Amazon Web Services service using an interface VPC endpoint](https://docs.amazonaws.cn/vpc/latest/privatelink/create-interface-endpoint.html) in the *Amazon PrivateLink Guide*.

## [EC2.170] EC2 launch templates should use Instance Metadata Service Version 2 (IMDSv2)


**Related requirements:** PCI DSS v4.0.1/2.2.6

**Category:** Protect > Network Security

**Severity:** Low

**Resource type:** `AWS::EC2::LaunchTemplate`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/ec2-launch-template-imdsv2-check.html](https://docs.amazonaws.cn/config/latest/developerguide/ec2-launch-template-imdsv2-check.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether an Amazon EC2 launch template is configured with Instance Metadata Service Version 2 (IMDSv2). The control fails if `HttpTokens` is set to `optional`.

Running resources on supported software versions ensures optimal performance, security, and access to the latest features. Regular updates safeguard against vulnerabilities, which help ensure a stable and efficient user experience.

### Remediation


To require IMDSv2 on an EC2 launch template, see [Configure the Instance Metadata Service options](https://docs.amazonaws.cn/AWSEC2/latest/UserGuide/configuring-instance-metadata-options.html) in the *Amazon EC2 User Guide*.

## [EC2.171] EC2 VPN connections should have logging enabled


**Related requirements:** CIS Amazon Foundations Benchmark v3.0.0/5.3, PCI DSS v4.0.1/10.4.2

**Category:** Identify > Logging

**Severity:** Medium

**Resource type:** `AWS::EC2::VPNConnection`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/ec2-vpn-connection-logging-enabled.html](https://docs.amazonaws.cn/config/latest/developerguide/ec2-vpn-connection-logging-enabled.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether an Amazon Site-to-Site VPN connection has Amazon CloudWatch Logs enabled for both tunnels. The control fails if a Site-to-Site VPN connection doesn't have CloudWatch Logs enabled for both tunnels.

Amazon Site-to-Site VPN logs provide you with deeper visibility into your Site-to-Site VPN deployments. With this feature, you have access to Site-to-Site VPN connection logs that provide details on IP Security (IPsec) tunnel establishment, Internet Key Exchange (IKE) negotiations, and dead peer detection (DPD) protocol messages. Site-to-Site VPN logs can be published to CloudWatch Logs. This feature provides customers with a single consistent way to access and analyze detailed logs for all of their Site-to-Site VPN connections.

### Remediation


To enable tunnel logging on an EC2 VPN connection, see [Amazon Site-to-Site VPN logs](https://docs.amazonaws.cn/vpn/latest/s2svpn/monitoring-logs.html#enable-logs) in the *Amazon Site-to-Site VPN User Guide*.

## [EC2.172] EC2 VPC Block Public Access settings should block internet gateway traffic


**Category:** Protect > Secure network configuration > Resources not publicly accessible

**Severity:** Medium

**Resource type:** `AWS::EC2::VPCBlockPublicAccessOptions`

**Amazon Config rule:** `ec2-vpc-bpa-internet-gateway-blocked` (custom Security Hub CSPM rule)

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  `vpcBpaInternetGatewayBlockMode`  |  String value of the VPC BPA options mode.  |  Enum  |  `block-bidirectional`, `block-ingress`  |  No default value  | 

This control checks whether Amazon EC2 VPC Block Public Access (BPA) settings are configured to block internet gateway traffic for all Amazon VPCs in the Amazon Web Services account. The control fails if VPC BPA settings aren't configured to block internet gateway traffic. For the control to pass, the VPC BPA `InternetGatewayBlockMode` must be set to `block-bidirectional` or `block-ingress`. If the parameter `vpcBpaInternetGatewayBlockMode` is provided, the control passes only if the VPC BPA value for `InternetGatewayBlockMode` matches the parameter.

Configuring the VPC BPA settings for your account in an Amazon Web Services Region lets you block resources in VPCs and subnets that you own in that Region from reaching or being reached from the internet through internet gateways and egress-only internet gateways. If you need specific VPCs and subnets to be able to reach or be reachable from the internet, you can exclude them by configuring VPC BPA exclusions. For instructions on creating and deleting exclusions, see [Create and delete exclusions](https://docs.amazonaws.cn/vpc/latest/userguide/security-vpc-bpa-basics.html#security-vpc-bpa-exclusions) in the *Amazon VPC User Guide*.

### Remediation


To enable bi-directional BPA at the account level, see [Enable BPA bidirectional mode for your account](https://docs.amazonaws.cn/vpc/latest/userguide/security-vpc-bpa-basics.html#security-vpc-bpa-enable-bidir) in the *Amazon VPC User Guide*. To enable ingress-only BPA, see [Change VPC BPA mode to ingress-only](https://docs.amazonaws.cn/vpc/latest/userguide/security-vpc-bpa-basics.html#security-vpc-bpa-ingress-only). To enable VPC BPA at the Organization level, see [Enable VPC BPA at the Organization level](https://docs.amazonaws.cn/vpc/latest/userguide/security-vpc-bpa-basics.html#security-vpc-bpa-exclusions-orgs).

## [EC2.173] EC2 Spot Fleet requests with launch parameters should enable encryption for attached EBS volumes


**Category:** Protect > Data Protection > Encryption of data-at-rest

**Severity:** Medium

**Resource type:** `AWS::EC2::SpotFleet`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/ec2-spot-fleet-request-ct-encryption-at-rest.html](https://docs.amazonaws.cn/config/latest/developerguide/ec2-spot-fleet-request-ct-encryption-at-rest.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether an Amazon EC2 Spot Fleet request that specifies launch parameters is configured to enable encryption for all Amazon Elastic Block Store (Amazon EBS) volumes attached to EC2 instances. The control fails if the Spot Fleet request specifies launch parameters and doesn't enable encryption for one or more EBS volumes specified in the request.

For an additional layer of security, you should enable encryption for Amazon EBS volumes. Encryption operations then occur on the servers that host Amazon EC2 instances, which helps ensure the security of both data at rest and data in transit between an instance and its attached EBS storage. Amazon EBS encryption is a straightforward encryption solution for EBS resources associated with your EC2 instances. With EBS encryption, you aren't required to build, maintain, and secure your own key management infrastructure. EBS encryption uses Amazon KMS keys when creating encrypted volumes.

**Notes**  
This control doesn't generate findings for Amazon EC2 Spot Fleet requests that use launch templates. It also doesn't generate findings for Spot Fleet requests that don't explicitly specify a value for the `encrypted` parameter.
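The EC2.173 evaluation with both exclusions from the notes applied, as an added example that is not Security Hub CSPM's or Amazon Config's own code. It reads the `SpotFleetRequestConfig` shape of `DescribeSpotFleetRequests`; the assumption (mine, not the page's) is that a request with no explicit `Encrypted` value or one built from launch templates is reported as `NOT_APPLICABLE`, which stands in for "no finding". The request IDs and specifications are constructed sample data.

```python
"""Evaluate Spot Fleet requests the way control EC2.173 describes. Added example;
not Security Hub CSPM's own code. Input follows DescribeSpotFleetRequests:
SpotFleetRequestConfig.LaunchSpecifications[].BlockDeviceMappings[].Ebs.Encrypted.
Assumption: NOT_APPLICABLE models 'no finding' for the two cases the notes exclude."""


def evaluate_spot_fleet(request: dict) -> dict:
    """Return {"SpotFleetRequestId", "Status", "Reason", "UnencryptedDevices"}."""
    cfg = request.get("SpotFleetRequestConfig", {})
    rid = request.get("SpotFleetRequestId")
    # Requests built from launch templates are out of scope for this control.
    if cfg.get("LaunchTemplateConfigs"):
        return {"SpotFleetRequestId": rid, "Status": "NOT_APPLICABLE",
                "Reason": "uses launch templates", "UnencryptedDevices": []}
    explicit = 0
    unencrypted = []
    for spec in cfg.get("LaunchSpecifications", []):
        for bdm in spec.get("BlockDeviceMappings", []):
            ebs = bdm.get("Ebs")
            if not ebs or "Encrypted" not in ebs:
                continue  # no explicit value for this device: not evaluated
            explicit += 1
            if ebs["Encrypted"] is not True:
                unencrypted.append(f"{spec.get('ImageId')}:{bdm.get('DeviceName')}")
    if explicit == 0:
        return {"SpotFleetRequestId": rid, "Status": "NOT_APPLICABLE",
                "Reason": "no explicit Encrypted value", "UnencryptedDevices": []}
    return {"SpotFleetRequestId": rid,
            "Status": "FAILED" if unencrypted else "PASSED",
            "Reason": "one or more EBS volumes unencrypted" if unencrypted else "all encrypted",
            "UnencryptedDevices": unencrypted}


def _spec(image_id: str, mappings: list) -> dict:
    return {"ImageId": image_id, "InstanceType": "m5.large", "BlockDeviceMappings": mappings}


# Constructed sample requests (not real resources).
SAMPLE_REQUESTS = [
    {"SpotFleetRequestId": "sfr-encrypted", "SpotFleetRequestConfig": {"LaunchSpecifications": [
        _spec("ami-example-a", [{"DeviceName": "/dev/xvda", "Ebs": {"Encrypted": True}}])]}},
    {"SpotFleetRequestId": "sfr-mixed", "SpotFleetRequestConfig": {"LaunchSpecifications": [
        _spec("ami-example-a", [{"DeviceName": "/dev/xvda", "Ebs": {"Encrypted": True}}]),
        _spec("ami-example-b", [{"DeviceName": "/dev/xvda", "Ebs": {"Encrypted": True}},
                                {"DeviceName": "/dev/sdf", "Ebs": {"Encrypted": False}}])]}},
    {"SpotFleetRequestId": "sfr-unspecified", "SpotFleetRequestConfig": {"LaunchSpecifications": [
        _spec("ami-example-a", [{"DeviceName": "/dev/xvda", "Ebs": {"VolumeSize": 20}}])]}},
    {"SpotFleetRequestId": "sfr-template", "SpotFleetRequestConfig": {"LaunchTemplateConfigs": [
        {"LaunchTemplateSpecification": {"LaunchTemplateId": "lt-example", "Version": "1"}}]}},
]


def evaluate_all(requests=SAMPLE_REQUESTS) -> dict:
    """Map SpotFleetRequestId -> status."""
    return {r["SpotFleetRequestId"]: evaluate_spot_fleet(r)["Status"] for r in requests}


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        f = evaluate_spot_fleet(req)
        print(f"{f['SpotFleetRequestId']:16s} {f['Status']:14s} {f['Reason']} {f['UnencryptedDevices']}")
```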

### Remediation


There's no direct way to encrypt an existing, unencrypted Amazon EBS volume. You can encrypt a new volume only when you create it.

However, if you enable encryption by default, Amazon EBS encrypts new volumes by using your default key for EBS encryption. If you don't enable encryption by default, you can enable encryption when you create an individual volume. In both cases, you can override the default key for EBS encryption and choose a customer managed Amazon KMS key. For more information about EBS encryption, see [Amazon EBS encryption](https://docs.amazonaws.cn/ebs/latest/userguide/ebs-encryption.html) in the *Amazon EBS User Guide*.

For information about creating an Amazon EC2 Spot Fleet request, see [Create a Spot Fleet](https://docs.amazonaws.cn/AWSEC2/latest/UserGuide/create-spot-fleet.html) in the *Amazon Elastic Compute Cloud User Guide*.

## [EC2.174] EC2 DHCP option sets should be tagged


**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `AWS::EC2::DHCPOptions`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/ec2-dhcp-options-tagged.html](https://docs.amazonaws.cn/config/latest/developerguide/ec2-dhcp-options-tagged.html)

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
| requiredKeyTags | A list of non-system tag keys that must be assigned to an evaluated resource. Tag keys are case sensitive. | StringList (maximum of 6 items) | 1–6 tag keys that meet [Amazon requirements](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-conventions). | No default value | 

This control checks whether an Amazon EC2 DHCP option set has the tag keys specified by the `requiredKeyTags` parameter. The control fails if the option set doesn't have any tag keys, or it doesn't have all the keys specified by the `requiredKeyTags` parameter. If you don't specify any values for the `requiredKeyTags` parameter, the control checks only for the existence of a tag key and fails if the option set doesn't have any tag keys. The control ignores system tags, which are applied automatically and have the `aws:` prefix.

A tag is a label that you create and assign to an Amazon resource. Each tag consists of a required tag key and an optional tag value. You can use tags to categorize resources by purpose, owner, environment, or other criteria. They can help you identify, organize, search for, and filter resources. They can also help you track resource owners for actions and notifications. You can also use tags to implement attribute-based access control (ABAC) as an authorization strategy. For more information about ABAC strategies, see [Define permissions based on attributes with ABAC authorization](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*. For more information about tags, see the [Tagging Amazon Resources and Tag Editor User Guide](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html).

**Note**  
Do not store personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible from many Amazon Web Services services. They aren't intended to be used for private or sensitive data.

### Remediation


For information about adding tags to an Amazon EC2 DHCP option set, see [Tag your Amazon EC2 resources](https://docs.amazonaws.cn/AWSEC2/latest/UserGuide/Using_Tags.html) in the *Amazon EC2 User Guide*.

## [EC2.175] EC2 launch templates should be tagged


**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `AWS::EC2::LaunchTemplate`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/ec2-launch-template-tagged.html](https://docs.amazonaws.cn/config/latest/developerguide/ec2-launch-template-tagged.html)

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
| requiredKeyTags | A list of non-system tag keys that must be assigned to an evaluated resource. Tag keys are case sensitive. | StringList (maximum of 6 items) | 1–6 tag keys that meet [Amazon requirements](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-conventions). | No default value | 

This control checks whether an Amazon EC2 launch template has the tag keys specified by the `requiredKeyTags` parameter. The control fails if the launch template doesn't have any tag keys, or it doesn't have all the keys specified by the `requiredKeyTags` parameter. If you don't specify any values for the `requiredKeyTags` parameter, the control checks only for the existence of a tag key and fails if the launch template doesn't have any tag keys. The control ignores system tags, which are applied automatically and have the `aws:` prefix.

A tag is a label that you create and assign to an Amazon resource. Each tag consists of a required tag key and an optional tag value. You can use tags to categorize resources by purpose, owner, environment, or other criteria. They can help you identify, organize, search for, and filter resources. They can also help you track resource owners for actions and notifications. You can also use tags to implement attribute-based access control (ABAC) as an authorization strategy. For more information about ABAC strategies, see [Define permissions based on attributes with ABAC authorization](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*. For more information about tags, see the [Tagging Amazon Resources and Tag Editor User Guide](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html).

**Note**  
Do not store personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible from many Amazon Web Services services. They aren't intended to be used for private or sensitive data.

### Remediation


For information about adding tags to an Amazon EC2 launch template, see [Tag your Amazon EC2 resources](https://docs.amazonaws.cn/AWSEC2/latest/UserGuide/Using_Tags.html) in the *Amazon EC2 User Guide*.

## [EC2.176] EC2 prefix lists should be tagged


**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `AWS::EC2::PrefixList`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/ec2-prefix-list-tagged.html](https://docs.amazonaws.cn/config/latest/developerguide/ec2-prefix-list-tagged.html)

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
| requiredKeyTags | A list of non-system tag keys that must be assigned to an evaluated resource. Tag keys are case sensitive. | StringList (maximum of 6 items) | 1–6 tag keys that meet [Amazon requirements](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-conventions). | No default value | 

This control checks whether an Amazon EC2 prefix list has the tag keys specified by the `requiredKeyTags` parameter. The control fails if the prefix list doesn't have any tag keys, or it doesn't have all the keys specified by the `requiredKeyTags` parameter. If you don't specify any values for the `requiredKeyTags` parameter, the control checks only for the existence of a tag key and fails if the prefix list doesn't have any tag keys. The control ignores system tags, which are applied automatically and have the `aws:` prefix.

A tag is a label that you create and assign to an Amazon resource. Each tag consists of a required tag key and an optional tag value. You can use tags to categorize resources by purpose, owner, environment, or other criteria. They can help you identify, organize, search for, and filter resources. They can also help you track resource owners for actions and notifications. You can also use tags to implement attribute-based access control (ABAC) as an authorization strategy. For more information about ABAC strategies, see [Define permissions based on attributes with ABAC authorization](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*. For more information about tags, see the [Tagging Amazon Resources and Tag Editor User Guide](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html).

**Note**  
Do not store personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible from many Amazon Web Services services. They aren't intended to be used for private or sensitive data.

### Remediation


For information about adding tags to an Amazon EC2 prefix list, see [Tag your Amazon EC2 resources](https://docs.amazonaws.cn/AWSEC2/latest/UserGuide/Using_Tags.html) in the *Amazon EC2 User Guide*.

## [EC2.177] EC2 traffic mirror sessions should be tagged


**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `AWS::EC2::TrafficMirrorSession`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/ec2-traffic-mirror-session-tagged.html](https://docs.amazonaws.cn/config/latest/developerguide/ec2-traffic-mirror-session-tagged.html)

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
| requiredKeyTags | A list of non-system tag keys that must be assigned to an evaluated resource. Tag keys are case sensitive. | StringList (maximum of 6 items) | 1–6 tag keys that meet [Amazon requirements](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-conventions). | No default value | 

This control checks whether an Amazon EC2 traffic mirror session has the tag keys specified by the `requiredKeyTags` parameter. The control fails if the session doesn't have any tag keys, or it doesn't have all the keys specified by the `requiredKeyTags` parameter. If you don't specify any values for the `requiredKeyTags` parameter, the control checks only for the existence of a tag key and fails if the session doesn't have any tag keys. The control ignores system tags, which are applied automatically and have the `aws:` prefix.

A tag is a label that you create and assign to an Amazon resource. Each tag consists of a required tag key and an optional tag value. You can use tags to categorize resources by purpose, owner, environment, or other criteria. They can help you identify, organize, search for, and filter resources. They can also help you track resource owners for actions and notifications. You can also use tags to implement attribute-based access control (ABAC) as an authorization strategy. For more information about ABAC strategies, see [Define permissions based on attributes with ABAC authorization](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*. For more information about tags, see the [Tagging Amazon Resources and Tag Editor User Guide](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html).

**Note**  
Do not store personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible from many Amazon Web Services services. They aren't intended to be used for private or sensitive data.

### Remediation


For information about adding tags to an Amazon EC2 traffic mirror session, see [Tag your Amazon EC2 resources](https://docs.amazonaws.cn/AWSEC2/latest/UserGuide/Using_Tags.html) in the *Amazon EC2 User Guide*.

## [EC2.178] EC2 traffic mirror filters should be tagged


**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `AWS::EC2::TrafficMirrorFilter`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/ec2-traffic-mirror-filter-tagged.html](https://docs.amazonaws.cn/config/latest/developerguide/ec2-traffic-mirror-filter-tagged.html)

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
| requiredKeyTags | A list of non-system tag keys that must be assigned to an evaluated resource. Tag keys are case sensitive. | StringList (maximum of 6 items) | 1–6 tag keys that meet [Amazon requirements](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-conventions). | No default value | 

This control checks whether an Amazon EC2 traffic mirror filter has the tag keys specified by the `requiredKeyTags` parameter. The control fails if the filter doesn't have any tag keys, or it doesn't have all the keys specified by the `requiredKeyTags` parameter. If you don't specify any values for the `requiredKeyTags` parameter, the control checks only for the existence of a tag key and fails if the filter doesn't have any tag keys. The control ignores system tags, which are applied automatically and have the `aws:` prefix.

A tag is a label that you create and assign to an Amazon resource. Each tag consists of a required tag key and an optional tag value. You can use tags to categorize resources by purpose, owner, environment, or other criteria. They can help you identify, organize, search for, and filter resources. They can also help you track resource owners for actions and notifications. You can also use tags to implement attribute-based access control (ABAC) as an authorization strategy. For more information about ABAC strategies, see [Define permissions based on attributes with ABAC authorization](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*. For more information about tags, see the [Tagging Amazon Resources and Tag Editor User Guide](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html).

**Note**  
Do not store personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible from many Amazon Web Services services. They aren't intended to be used for private or sensitive data.

### Remediation


For information about adding tags to an Amazon EC2 traffic mirror filter, see [Tag your Amazon EC2 resources](https://docs.amazonaws.cn/AWSEC2/latest/UserGuide/Using_Tags.html) in the *Amazon EC2 User Guide*.

## [EC2.179] EC2 traffic mirror targets should be tagged


**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `AWS::EC2::TrafficMirrorTarget`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/ec2-traffic-mirror-target-tagged.html](https://docs.amazonaws.cn/config/latest/developerguide/ec2-traffic-mirror-target-tagged.html)

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
| requiredKeyTags | A list of non-system tag keys that must be assigned to an evaluated resource. Tag keys are case sensitive. | StringList (maximum of 6 items) | 1–6 tag keys that meet [Amazon requirements](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-conventions). | No default value | 

This control checks whether an Amazon EC2 traffic mirror target has the tag keys specified by the `requiredKeyTags` parameter. The control fails if the target doesn't have any tag keys, or it doesn't have all the keys specified by the `requiredKeyTags` parameter. If you don't specify any values for the `requiredKeyTags` parameter, the control checks only for the existence of a tag key and fails if the target doesn't have any tag keys. The control ignores system tags, which are applied automatically and have the `aws:` prefix.

A tag is a label that you create and assign to an Amazon resource. Each tag consists of a required tag key and an optional tag value. You can use tags to categorize resources by purpose, owner, environment, or other criteria. They can help you identify, organize, search for, and filter resources. They can also help you track resource owners for actions and notifications. You can also use tags to implement attribute-based access control (ABAC) as an authorization strategy. For more information about ABAC strategies, see [Define permissions based on attributes with ABAC authorization](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*. For more information about tags, see the [Tagging Amazon Resources and Tag Editor User Guide](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html).

**Note**  
Do not store personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible from many Amazon Web Services services. They aren't intended to be used for private or sensitive data.

### Remediation


For information about adding tags to an Amazon EC2 traffic mirror target, see [Tag your Amazon EC2 resources](https://docs.amazonaws.cn/AWSEC2/latest/UserGuide/Using_Tags.html) in the *Amazon EC2 User Guide*.

## [EC2.180] EC2 network interfaces should have source/destination checking enabled


**Category:** Protect > Network Security

**Severity:** Medium

**Resource type:** `AWS::EC2::NetworkInterface`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/ec2-enis-source-destination-check-enabled.html](https://docs.amazonaws.cn/config/latest/developerguide/ec2-enis-source-destination-check-enabled.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether source/destination checking is enabled for an Amazon EC2 elastic network interface (ENI) that's managed by users. The control fails if source/destination checking is disabled for the user-managed ENI. This control checks only the following types of ENIs: `aws_codestar_connections_managed`, `branch`, `efa`, `interface`, `lambda`, and `quicksight`.

Source/destination checking for Amazon EC2 instances and attached ENIs should be enabled and configured consistently across your EC2 instances. Each ENI has its own setting for source/destination checks. If source/destination checking is enabled, Amazon EC2 enforces source/destination address validation, which ensures that an instance is either the source or the destination of any traffic that it receives. This provides an additional layer of network security by preventing resources from handling unintended traffic and preventing IP address spoofing.

**Note**  
If you're using an EC2 instance as a NAT instance and you disabled source/destination checking for its ENI, you can use a [NAT gateway](https://docs.amazonaws.cn/vpc/latest/userguide/vpc-nat-gateway.html) instead.
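The evaluation the control describes, as an added example (not the Amazon Config rule's own code): it applies the interface-type filter from the text and reports per ENI. `SAMPLE_ENIS` and its ids are constructed in the shape of `describe_network_interfaces()` output.

```python
"""Evaluate user-managed ENIs for source/destination checking (EC2.180).

Added example, not the Amazon Config rule's own code. SAMPLE_ENIS are constructed
records in the shape of describe_network_interfaces() output.
"""
from typing import Dict, List

# Only these interface types are evaluated by the control.
EVALUATED_INTERFACE_TYPES = {
    "aws_codestar_connections_managed", "branch", "efa", "interface", "lambda", "quicksight",
}


def evaluate_network_interface(eni: Dict) -> str:
    """PASSED/FAILED for an evaluated ENI type; NOT_APPLICABLE otherwise
    (Amazon Config's name for resources a rule does not evaluate)."""
    if eni.get("InterfaceType") not in EVALUATED_INTERFACE_TYPES:
        return "NOT_APPLICABLE"
    # SourceDestCheck is enabled by default on a new ENI; an explicit False means
    # the interface may handle traffic for which it is neither source nor destination.
    return "PASSED" if eni.get("SourceDestCheck", True) else "FAILED"


def evaluate_network_interfaces(enis: List[Dict]) -> Dict[str, str]:
    """Map each ENI id to its evaluation so findings can be triaged per interface."""
    return {eni["NetworkInterfaceId"]: evaluate_network_interface(eni) for eni in enis}


SAMPLE_ENIS = [  # constructed ids, types and descriptions
    {"NetworkInterfaceId": "eni-0000000000000000a", "InterfaceType": "interface",
     "SourceDestCheck": True},
    {"NetworkInterfaceId": "eni-0000000000000000b", "InterfaceType": "interface",
     "SourceDestCheck": False,
     "Description": "NAT instance; candidate to replace with a NAT gateway"},
    {"NetworkInterfaceId": "eni-0000000000000000c", "InterfaceType": "nat_gateway",
     "SourceDestCheck": False},   # type not in the evaluated list
]

if __name__ == "__main__":
    for eni_id, status in evaluate_network_interfaces(SAMPLE_ENIS).items():
        print(eni_id, status)
```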

### Remediation


For information about enabling source/destination checks for an Amazon EC2 ENI, see [Modify network interface attributes](https://docs.amazonaws.cn/AWSEC2/latest/UserGuide/modify-network-interface-attributes.html#modify-source-dest-check) in the *Amazon EC2 User Guide*.

## [EC2.181] EC2 launch templates should enable encryption for attached EBS volumes


**Category:** Protect > Data Protection > Encryption of data-at-rest

**Severity:** Medium

**Resource type:** `AWS::EC2::LaunchTemplate`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/ec2-launch-templates-ebs-volume-encrypted.html](https://docs.amazonaws.cn/config/latest/developerguide/ec2-launch-templates-ebs-volume-encrypted.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether an Amazon EC2 launch template enables encryption for all attached EBS volumes. The control fails if the encryption parameter is set to `False` for any EBS volumes specified by the EC2 launch template.

Amazon EBS encryption is a straightforward encryption solution for EBS resources that are associated with Amazon EC2 instances. With EBS encryption, you aren't required to build, maintain, and secure your own key management infrastructure. EBS encryption uses Amazon KMS keys when creating encrypted volumes and snapshots. Encryption operations occur on the servers that host EC2 instances, which helps ensure the security of data at rest and data in transit between an EC2 instance and its attached EBS storage. For more information, see [Amazon EBS encryption](https://docs.amazonaws.cn/ebs/latest/userguide/ebs-encryption.html) in the *Amazon EBS User Guide*.

You can enable EBS encryption during manual launches of individual EC2 instances. However, there are several benefits to using EC2 launch templates and configuring encryption settings in those templates. You can enforce encryption as a standard and ensure the use of consistent encryption settings. You can also reduce the risk of error and security gaps that might occur with manual launches of instances.

**Note**  
When this control checks an EC2 launch template, it only evaluates EBS encryption settings that are explicitly specified by the template. The evaluation doesn’t include encryption settings that are inherited from account-level EBS encryption settings, AMI block device mappings, or source snapshot encryption statuses.
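An added example (not the Amazon Config rule's own code) of how the check and the note above combine: only an explicit `Encrypted` key in a block device mapping is evaluated, and the version that matters at launch time is the default version. `SAMPLE_VERSIONS` is constructed in the shape of `describe_launch_template_versions()` output.

```python
"""Evaluate EC2 launch template versions for explicit EBS encryption settings.

Added example, not the Amazon Config rule's own code. SAMPLE_VERSIONS is a
constructed list in the shape of describe_launch_template_versions() output.
"""
from typing import Dict, List, Tuple


def evaluate_launch_template_data(data: Dict) -> Tuple[str, List[str]]:
    """Return (status, device names whose mapping sets Encrypted to False).

    Only settings explicitly present in the template are evaluated: a mapping with
    no Ebs block, or an Ebs block with no Encrypted key, inherits its setting from
    the account default, the AMI or the source snapshot and is skipped.
    """
    offending = []
    for mapping in data.get("BlockDeviceMappings", []):
        ebs = mapping.get("Ebs") or {}
        if "Encrypted" not in ebs:
            continue
        if ebs["Encrypted"] is False:
            offending.append(mapping.get("DeviceName", "<unnamed>"))
    return ("FAILED" if offending else "PASSED", offending)


def evaluate_default_version(versions: List[Dict]) -> Tuple[str, List[str]]:
    """Evaluate the version EC2 uses when no version is given at launch."""
    default = next(v for v in versions if v.get("DefaultVersion"))
    return evaluate_launch_template_data(default["LaunchTemplateData"])


# Constructed sample: version 1 (the default) disables encryption on the root
# volume; version 2 fixes it but has not yet been made the default version.
SAMPLE_VERSIONS = [
    {"VersionNumber": 1, "DefaultVersion": True, "LaunchTemplateData": {
        "BlockDeviceMappings": [
            {"DeviceName": "/dev/xvda", "Ebs": {"VolumeSize": 8, "Encrypted": False}},
            {"DeviceName": "/dev/xvdb", "Ebs": {"VolumeSize": 100}},  # inherited; skipped
        ]}},
    {"VersionNumber": 2, "DefaultVersion": False, "LaunchTemplateData": {
        "BlockDeviceMappings": [
            {"DeviceName": "/dev/xvda", "Ebs": {"VolumeSize": 8, "Encrypted": True}},
            {"DeviceName": "/dev/xvdb", "Ebs": {"VolumeSize": 100, "Encrypted": True}},
        ]}},
]

if __name__ == "__main__":
    print("default version:", evaluate_default_version(SAMPLE_VERSIONS))
    for v in SAMPLE_VERSIONS:
        print("version", v["VersionNumber"], evaluate_launch_template_data(v["LaunchTemplateData"]))
```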

### Remediation


After you create an Amazon EC2 launch template, you can't modify it. However, you can create a new version of a launch template and change the encryption settings in that new version of the template. You can also specify the new version as the default version of the launch template. Then, if you launch an EC2 instance from a launch template and don't specify a template version, EC2 uses the settings of the default version when it launches the instance. For more information, see [Modify a launch template](https://docs.amazonaws.cn/AWSEC2/latest/UserGuide/manage-launch-template-versions.html) in the *Amazon EC2 User Guide*.

## [EC2.182] Block public access settings should be enabled for Amazon EBS snapshots


**Category:** Protect > Secure network configuration > Resources not publicly accessible

**Severity:** High

**Resource type:** `AWS::EC2::SnapshotBlockPublicAccess`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/ebs-snapshot-block-public-access.html](https://docs.amazonaws.cn/config/latest/developerguide/ebs-snapshot-block-public-access.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether account-level block public access is enabled to prevent public sharing of Amazon EBS snapshots. The control fails if block public access isn't enabled to block all public sharing of Amazon EBS snapshots.

To prevent public sharing of your Amazon EBS snapshots, you can enable block public access for snapshots. Once block public access for snapshots is enabled in a Region, any attempt to publicly share snapshots in that Region is automatically blocked. This helps improve the security of the snapshots and protect the snapshot data from unauthorized or unintended access. 

### Remediation


To enable block public access for snapshots, see [Configure block public access for Amazon EBS snapshots](https://docs.amazonaws.cn/ebs/latest/userguide/block-public-access-snapshots-enable.html) in the *Amazon EBS User Guide*. For **Block public access**, choose **Block all public access**.

## [EC2.183] EC2 VPN connections should use IKEv2 protocol


**Category:** Protect > Data Protection > Encryption of data-in-transit

**Severity:** Medium

**Resource type:** `AWS::EC2::VPNConnection`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/ec2-vpn-connection-ike-version-check.html](https://docs.amazonaws.cn/config/latest/developerguide/ec2-vpn-connection-ike-version-check.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether an Amazon Site-to-Site VPN connection is configured to use the IKEv2 protocol. The control fails if a Site-to-Site VPN connection allows the IKEv1 protocol or doesn't explicitly restrict all of its VPN tunnels to IKEv2.

IKEv2 provides stronger cryptographic algorithms and improved security features compared to the legacy IKEv1 protocol, including built-in protection against denial-of-service attacks and enhanced authentication mechanisms. IKEv1 has known vulnerabilities and weaknesses in its key exchange process that can be exploited by attackers to compromise VPN tunnel security. By enforcing IKEv2-only connections, you reduce your attack surface and ensure VPN communications use modern, industry-standard encryption protocols that better protect data in transit.
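The tunnel-by-tunnel evaluation described above, as an added example (not the Amazon Config rule's own code). `SAMPLE_CONNECTION` is constructed in the shape of `describe_vpn_connections()` output; the `IKEVersions` key, the connection id and the 203.0.113.0/24 addresses are sample values.

```python
"""Evaluate a Site-to-Site VPN connection for IKEv2-only tunnels (EC2.183).

Added example, not the Amazon Config rule's own code. SAMPLE_CONNECTION is a
constructed record in the shape of describe_vpn_connections() output.
"""
from typing import Dict, List, Set, Tuple

ALL_IKE_VERSIONS = {"ikev1", "ikev2"}   # accepted when a tunnel is not restricted


def allowed_ike_versions(tunnel: Dict) -> Set[str]:
    """IKE versions a tunnel accepts. An absent or empty IKEVersions list means the
    tunnel was never explicitly restricted, so both versions are treated as allowed."""
    versions = {v["Value"].lower() for v in tunnel.get("IKEVersions", [])}
    return versions or set(ALL_IKE_VERSIONS)


def evaluate_vpn_connection(conn: Dict) -> Tuple[str, List[Tuple[str, List[str]]]]:
    """Return (status, [(tunnel outside IP, allowed versions)]) for non-compliant tunnels.
    PASSED only if every tunnel is explicitly restricted to ikev2 and nothing else."""
    noncompliant = []
    tunnels = conn.get("Options", {}).get("TunnelOptions", [])
    if not tunnels:
        return ("FAILED", [("<no tunnel options>", sorted(ALL_IKE_VERSIONS))])
    for tunnel in tunnels:
        allowed = allowed_ike_versions(tunnel)
        if allowed != {"ikev2"}:
            noncompliant.append((tunnel.get("OutsideIpAddress", "?"), sorted(allowed)))
    return ("FAILED" if noncompliant else "PASSED", noncompliant)


def ikev2_only_tunnel_options() -> Dict:
    """Tunnel-options fragment to apply per tunnel when remediating
    (assumed shape of the modify-tunnel-options request)."""
    return {"IKEVersions": [{"Value": "ikev2"}]}


SAMPLE_CONNECTION = {
    "VpnConnectionId": "vpn-0000000000000000a",   # constructed
    "Options": {"TunnelOptions": [
        {"OutsideIpAddress": "203.0.113.10", "IKEVersions": [{"Value": "ikev2"}]},
        {"OutsideIpAddress": "203.0.113.11",
         "IKEVersions": [{"Value": "ikev1"}, {"Value": "ikev2"}]},  # still allows IKEv1
    ]},
}

if __name__ == "__main__":
    print(evaluate_vpn_connection(SAMPLE_CONNECTION))
```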

### Remediation


To update the IKE version for a VPN tunnel on an EC2 VPN connection, see [Modify Amazon Site-to-Site VPN tunnel options](https://docs.amazonaws.cn/vpn/latest/s2svpn/modify-vpn-tunnel-options.html) in the *Amazon Site-to-Site VPN User Guide*.

# Security Hub CSPM controls for Auto Scaling
Amazon EC2 Auto Scaling controls

These Security Hub CSPM controls evaluate the Amazon EC2 Auto Scaling service and resources.

These controls may not be available in all Amazon Web Services Regions. For more information, see [Availability of controls by Region](securityhub-regions.md#securityhub-regions-control-support).

## [AutoScaling.1] Auto Scaling groups associated with a load balancer should use ELB health checks


**Related requirements:** PCI DSS v3.2.1/2.2, NIST.800-53.r5 CA-7, NIST.800-53.r5 CP-2(2), NIST.800-53.r5 SI-2

**Category:** Identify > Inventory

**Severity:** Low

**Resource type:** `AWS::AutoScaling::AutoScalingGroup`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/autoscaling-group-elb-healthcheck-required.html](https://docs.amazonaws.cn/config/latest/developerguide/autoscaling-group-elb-healthcheck-required.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether an Amazon EC2 Auto Scaling group that is associated with a load balancer uses Elastic Load Balancing (ELB) health checks. The control fails if the Auto Scaling group doesn't use ELB health checks.

ELB health checks help ensure that an Auto Scaling group can determine an instance's health based on additional tests provided by the load balancer. Using Elastic Load Balancing health checks also helps support the availability of applications that use EC2 Auto Scaling groups.

### Remediation


To add Elastic Load Balancing health checks, see [Add Elastic Load Balancing health checks](https://docs.amazonaws.cn/autoscaling/ec2/userguide/as-add-elb-healthcheck.html#as-add-elb-healthcheck-console) in the *Amazon EC2 Auto Scaling User Guide*.

## [AutoScaling.2] Amazon EC2 Auto Scaling group should cover multiple Availability Zones


**Related requirements:** NIST.800-53.r5 CP-10, NIST.800-53.r5 CP-2(2), NIST.800-53.r5 CP-6(2), NIST.800-53.r5 SC-36, NIST.800-53.r5 SC-5(2), NIST.800-53.r5 SI-13(5)

**Category:** Recover > Resilience > High availability

**Severity:** Medium

**Resource type:** `AWS::AutoScaling::AutoScalingGroup`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/autoscaling-multiple-az.html](https://docs.amazonaws.cn/config/latest/developerguide/autoscaling-multiple-az.html)

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  `minAvailabilityZones`  |  Minimum number of Availability Zones  |  Enum  |  `2, 3, 4, 5, 6`  |  `2`  | 

This control checks whether an Amazon EC2 Auto Scaling group spans at least the specified number of Availability Zones (AZs). The control fails if an Auto Scaling group doesn't span at least the specified number of AZs. Unless you provide a custom parameter value for the minimum number of AZs, Security Hub CSPM uses a default value of two AZs.

An Auto Scaling group that doesn't span multiple AZs can't launch instances in another AZ to compensate if the configured single AZ becomes unavailable. However, an Auto Scaling group with a single Availability Zone may be preferred in some use cases, such as batch jobs or when inter-AZ transfer costs need to be kept to a minimum. In such cases, you can disable this control or suppress its findings. 

### Remediation


To add AZs to an existing Auto Scaling group, see [Add and remove Availability Zones](https://docs.amazonaws.cn/autoscaling/ec2/userguide/as-add-availability-zone.html) in the *Amazon EC2 Auto Scaling User Guide*.

## [AutoScaling.3] Auto Scaling group launch configurations should configure EC2 instances to require Instance Metadata Service Version 2 (IMDSv2)


**Related requirements:** NIST.800-53.r5 AC-3, NIST.800-53.r5 AC-3(15), NIST.800-53.r5 AC-3(7), NIST.800-53.r5 AC-6, NIST.800-53.r5 CA-9(1), NIST.800-53.r5 CM-2, PCI DSS v4.0.1/2.2.6

**Category:** Protect > Secure network configuration

**Severity:** High

**Resource type:** `AWS::AutoScaling::LaunchConfiguration`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/autoscaling-launchconfig-requires-imdsv2.html](https://docs.amazonaws.cn/config/latest/developerguide/autoscaling-launchconfig-requires-imdsv2.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether IMDSv2 is enabled on all instances launched by Amazon EC2 Auto Scaling groups. The control fails if the Instance Metadata Service (IMDS) version isn't included in the launch configuration or is configured as `token optional`, which is a setting that allows either IMDSv1 or IMDSv2.

IMDS provides data about your instance that you can use to configure or manage the running instance.

Version 2 of the IMDS adds new protections that weren't available in IMDSv1 to further safeguard your EC2 instances.

### Remediation


An Auto Scaling group is associated with one launch configuration at a time. You cannot modify a launch configuration after you create it. To change the launch configuration for an Auto Scaling group, use an existing launch configuration as the basis for a new launch configuration with IMDSv2 enabled. For more information, see [Configure instance metadata options for new instances](https://docs.amazonaws.cn/AWSEC2/latest/UserGuide/configuring-IMDS-new-instances.html) in the *Amazon EC2 User Guide*.

## [AutoScaling.4] Auto Scaling group launch configuration should not have a metadata response hop limit greater than 1


**Important**  
Security Hub CSPM retired this control in April 2024. For more information, see [Change log for Security Hub CSPM controls](controls-change-log.md).

**Related requirements:** NIST.800-53.r5 CA-9(1), NIST.800-53.r5 CM-2, NIST.800-53.r5 CM-2(2)

**Category:** Protect > Secure network configuration

**Severity:** High

**Resource type:** `AWS::AutoScaling::LaunchConfiguration`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/autoscaling-launch-config-hop-limit.html](https://docs.amazonaws.cn/config/latest/developerguide/autoscaling-launch-config-hop-limit.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks the number of network hops that a metadata token can travel. The control fails if the metadata response hop limit is greater than `1`.

The Instance Metadata Service (IMDS) provides metadata information about an Amazon EC2 instance and is useful for application configuration. Restricting the HTTP `PUT` response for the metadata service to only the EC2 instance protects the IMDS from unauthorized use.

The Time To Live (TTL) field in the IP packet is reduced by one on every hop. This reduction can be used to ensure that the packet does not travel outside EC2. IMDSv2 protects EC2 instances that may have been misconfigured as open routers, layer 3 firewalls, VPNs, tunnels, or NAT devices, which prevents unauthorized users from retrieving metadata. With IMDSv2, the `PUT` response that contains the secret token cannot travel outside the instance because the default metadata response hop limit is set to `1`. However, if this value is greater than `1`, the token can leave the EC2 instance. 
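An added example (not the Amazon Config rules' own code) covering both AutoScaling.3 and this control: it evaluates a launch configuration's `MetadataOptions` for `HttpTokens` and `HttpPutResponseHopLimit`, and models the TTL argument above. `SAMPLE_LAUNCH_CONFIGS` is constructed in the shape of `describe_launch_configurations()` output; treating a missing hop limit as 1 is an assumption about the EC2 default.

```python
"""Evaluate Auto Scaling launch configurations for IMDSv2 enforcement (AutoScaling.3)
and the metadata response hop limit (AutoScaling.4).

Added example, not the Amazon Config rules' own code. SAMPLE_LAUNCH_CONFIGS are
constructed records in the shape of describe_launch_configurations() output.
"""
from typing import Dict, List

DEFAULT_HOP_LIMIT = 1   # assumed EC2 default when HttpPutResponseHopLimit is absent


def evaluate_launch_configuration(lc: Dict) -> Dict[str, str]:
    """Return the status of both controls for one launch configuration."""
    opts = lc.get("MetadataOptions") or {}
    # AutoScaling.3: the IMDS version must be present and set to "required" (IMDSv2
    # only). A missing MetadataOptions block or "optional" (token optional) fails.
    imdsv2 = "PASSED" if opts.get("HttpTokens") == "required" else "FAILED"
    # AutoScaling.4: the PUT response carrying the session token must not be able
    # to travel beyond the instance itself.
    hop_limit = opts.get("HttpPutResponseHopLimit", DEFAULT_HOP_LIMIT)
    hops = "FAILED" if hop_limit > 1 else "PASSED"
    return {"AutoScaling.3": imdsv2, "AutoScaling.4": hops}


def put_response_reaches(hop_limit: int, hops: int) -> bool:
    """Model the TTL argument: the PUT response leaves IMDS with TTL = hop_limit and
    each hop decrements it. Hop 1 is delivery to the instance itself; hop 2 would be
    the instance forwarding it on (as a NAT device, router or tunnel endpoint)."""
    return hops <= hop_limit


SAMPLE_LAUNCH_CONFIGS: List[Dict] = [   # constructed names and settings
    {"LaunchConfigurationName": "web-v1",
     "MetadataOptions": {"HttpTokens": "optional", "HttpPutResponseHopLimit": 2}},
    {"LaunchConfigurationName": "web-v2",
     "MetadataOptions": {"HttpTokens": "required", "HttpPutResponseHopLimit": 1}},
    {"LaunchConfigurationName": "legacy"},   # no MetadataOptions at all
]

if __name__ == "__main__":
    for lc in SAMPLE_LAUNCH_CONFIGS:
        print(lc["LaunchConfigurationName"], evaluate_launch_configuration(lc))
    print("token reaches a host behind the instance with hop limit 1:",
          put_response_reaches(1, 2))   # False
```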

### Remediation


To modify the metadata response hop limit for an existing launch configuration, see [Modify instance metadata options for existing instances](https://docs.amazonaws.cn/AWSEC2/latest/UserGuide/configuring-instance-metadata-options.html#configuring-IMDS-existing-instances) in the *Amazon EC2 User Guide*.

## [Autoscaling.5] Amazon EC2 instances launched using Auto Scaling group launch configurations should not have Public IP addresses


**Related requirements:** NIST.800-53.r5 AC-21, NIST.800-53.r5 AC-3, NIST.800-53.r5 AC-3(7), NIST.800-53.r5 AC-4, NIST.800-53.r5 AC-4(21), NIST.800-53.r5 AC-6, NIST.800-53.r5 SC-7, NIST.800-53.r5 SC-7(11), NIST.800-53.r5 SC-7(16), NIST.800-53.r5 SC-7(20), NIST.800-53.r5 SC-7(21), NIST.800-53.r5 SC-7(3), NIST.800-53.r5 SC-7(4), NIST.800-53.r5 SC-7(9), PCI DSS v4.0.1/1.4.4

**Category:** Protect > Secure network configuration > Resources not publicly accessible

**Severity:** High

**Resource type:** `AWS::AutoScaling::LaunchConfiguration`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/autoscaling-launch-config-public-ip-disabled.html](https://docs.amazonaws.cn/config/latest/developerguide/autoscaling-launch-config-public-ip-disabled.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether an Auto Scaling group's associated launch configuration assigns a [public IP address](https://docs.amazonaws.cn/AWSEC2/latest/UserGuide/using-instance-addressing.html#public-ip-addresses) to the group's instances. The control fails if the associated launch configuration assigns a public IP address.

Amazon EC2 instances in an Auto Scaling group launch configuration should not have an associated public IP address, except in limited edge cases. Amazon EC2 instances should only be accessible from behind a load balancer instead of being directly exposed to the internet.

### Remediation


An Auto Scaling group is associated with one launch configuration at a time. You cannot modify a launch configuration after you create it. To change the launch configuration for an Auto Scaling group, use an existing launch configuration as the basis for a new launch configuration. Then, update the Auto Scaling group to use the new launch configuration. For step-by-step instructions, see [Change the launch configuration for an Auto Scaling group](https://docs.amazonaws.cn/autoscaling/ec2/userguide/change-launch-config.html) in the *Amazon EC2 Auto Scaling User Guide*. When creating the new launch configuration, under **Additional configuration**, for **Advanced details, IP address type**, choose **Do not assign a public IP address to any instances**.

After you change the launch configuration, Auto Scaling launches new instances with the new configuration options. Existing instances aren't affected. To update an existing instance, we recommend that you refresh your instance, or allow automatic scaling to gradually replace older instances with newer instances based on your termination policies. For more information about updating Auto Scaling instances, see [Update Auto Scaling instances](https://docs.amazonaws.cn/autoscaling/ec2/userguide/update-auto-scaling-group.html#update-auto-scaling-instances) in the *Amazon EC2 Auto Scaling User Guide*.

## [AutoScaling.6] Auto Scaling groups should use multiple instance types in multiple Availability Zones


**Related requirements:** NIST.800-53.r5 CP-10, NIST.800-53.r5 CP-2(2), NIST.800-53.r5 CP-6(2), NIST.800-53.r5 SC-36, NIST.800-53.r5 SC-5(2), NIST.800-53.r5 SI-13(5)

**Category:** Recover > Resilience > High availability

**Severity:** Medium

**Resource type:** `AWS::AutoScaling::AutoScalingGroup`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/autoscaling-multiple-instance-types.html](https://docs.amazonaws.cn/config/latest/developerguide/autoscaling-multiple-instance-types.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether an Amazon EC2 Auto Scaling group uses multiple instance types. The control fails if the Auto Scaling group has only one instance type defined.

You can enhance availability by deploying your application across multiple instance types running in multiple Availability Zones. Security Hub CSPM recommends using multiple instance types so that the Auto Scaling group can launch another instance type if there is insufficient instance capacity in your chosen Availability Zones.

### Remediation


To create an Auto Scaling group with multiple instance types, see [Auto Scaling groups with multiple instance types and purchase options](https://docs.amazonaws.cn/autoscaling/ec2/userguide/ec2-auto-scaling-mixed-instances-groups.html) in the *Amazon EC2 Auto Scaling User Guide*.

## [AutoScaling.9] Amazon EC2 Auto Scaling groups should use Amazon EC2 launch templates


**Related requirements:** NIST.800-53.r5 CA-9(1), NIST.800-53.r5 CM-2, NIST.800-53.r5 CM-2(2)

**Category:** Identify > Resource Configuration

**Severity:** Medium

**Resource type:** `AWS::AutoScaling::AutoScalingGroup`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/autoscaling-launch-template.html](https://docs.amazonaws.cn/config/latest/developerguide/autoscaling-launch-template.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether an Amazon EC2 Auto Scaling group is created from an EC2 launch template. This control fails if an Amazon EC2 Auto Scaling group is not created with a launch template or if a launch template is not specified in a mixed instances policy.

An EC2 Auto Scaling group can be created from either an EC2 launch template or a launch configuration. However, using a launch template to create an Auto Scaling group ensures that you have access to the latest features and improvements.

### Remediation


To create an Auto Scaling group with an EC2 launch template, see [Create an Auto Scaling group using a launch template](https://docs.amazonaws.cn/autoscaling/ec2/userguide/create-asg-launch-template.html) in the *Amazon EC2 Auto Scaling User Guide*. For information about how to replace a launch configuration with a launch template, see [Replace a launch configuration with a launch template](https://docs.amazonaws.cn/autoscaling/ec2/userguide/replace-launch-config.html) in the *Amazon EC2 User Guide*.

## [AutoScaling.10] EC2 Auto Scaling groups should be tagged


**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `AWS::AutoScaling::AutoScalingGroup`

**Amazon Config rule:** `tagged-autoscaling-autoscalinggroup` (custom Security Hub CSPM rule)

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  requiredTagKeys  | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive.  | StringList (maximum of 6 items)  | 1–6 tag keys that meet [Amazon requirements](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-conventions).  | No default value  | 

This control checks whether an Amazon EC2 Auto Scaling group has tags with the specific keys defined in the parameter `requiredTagKeys`. The control fails if the Auto Scaling group doesn’t have any tag keys or if it doesn’t have all the keys specified in the parameter `requiredTagKeys`. If the parameter `requiredTagKeys` isn't provided, the control only checks for the existence of a tag key and fails if the Auto Scaling group isn't tagged with any key. System tags, which are automatically applied and begin with `aws:`, are ignored.
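The required-tag-key evaluation shared by this control and the EC2 traffic mirror tagging controls (EC2.177 through EC2.179), as an added example that is not Security Hub CSPM's own rule code: it ignores `aws:` system tags, matches keys case-sensitively, and falls back to "any tag key" when no parameter is given. The tag lists are constructed samples in the `{"Key": ..., "Value": ...}` shape the describe APIs return.

```python
"""Required-tag-key evaluation as described for the tagging controls.

Added example: this is not Security Hub CSPM's or Amazon Config's own rule code.
Tag lists are constructed samples in the [{"Key": ..., "Value": ...}] shape that
the EC2 and Auto Scaling describe_* APIs return.
"""
from typing import Dict, Iterable, List, Optional, Set, Tuple

SYSTEM_TAG_PREFIX = "aws:"   # system tags are applied automatically and ignored
MAX_REQUIRED_KEYS = 6        # StringList (maximum of 6 items)


def user_tag_keys(tags: Iterable[Dict[str, str]]) -> Set[str]:
    """Non-system tag keys of a resource. Case is preserved: tag keys are case sensitive."""
    return {t["Key"] for t in tags if not t["Key"].startswith(SYSTEM_TAG_PREFIX)}


def evaluate_required_tags(tags: Iterable[Dict[str, str]],
                           required_keys: Optional[List[str]] = None) -> Tuple[str, List[str]]:
    """Return (status, missing_keys) following the control's stated rules.

    - Parameter not provided: PASSED if at least one non-system tag key exists.
    - Parameter provided: PASSED only if every required key is present (exact match).
    """
    if required_keys and len(required_keys) > MAX_REQUIRED_KEYS:
        raise ValueError("the parameter accepts at most %d tag keys" % MAX_REQUIRED_KEYS)
    present = user_tag_keys(tags)
    if not required_keys:
        return ("PASSED" if present else "FAILED", [])
    missing = [k for k in required_keys if k not in present]
    return ("FAILED" if missing else "PASSED", missing)


# Constructed samples (not real resources).
SYSTEM_TAGS_ONLY = [{"Key": "aws:cloudformation:stack-name", "Value": "mirror-stack"}]
TAGGED_RESOURCE = [
    {"Key": "aws:cloudformation:stack-name", "Value": "mirror-stack"},
    {"Key": "Owner", "Value": "netsec"},
    {"Key": "Environment", "Value": "prod"},
]

if __name__ == "__main__":
    print(evaluate_required_tags(SYSTEM_TAGS_ONLY))                          # ('FAILED', [])
    print(evaluate_required_tags(TAGGED_RESOURCE))                           # ('PASSED', [])
    print(evaluate_required_tags(TAGGED_RESOURCE, ["Owner", "environment"]))  # ('FAILED', ['environment'])
```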

A tag is a label that you assign to an Amazon resource, and it consists of a key and an optional value. You can create tags to categorize resources by purpose, owner, environment, or other criteria. Tags can help you identify, organize, search for, and filter resources. Tagging also helps you track accountable resource owners for actions and notifications. When you use tagging, you can implement attribute-based access control (ABAC) as an authorization strategy, which defines permissions based on tags. You can attach tags to IAM entities (users or roles) and to Amazon resources. You can create a single ABAC policy or a separate set of policies for your IAM principals. You can design these ABAC policies to allow operations when the principal's tag matches the resource tag. For more information, see [What is ABAC for Amazon?](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*.

**Note**  
Don’t add personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible to many Amazon Web Services services, including Amazon Billing. For more tagging best practices, see [Tagging your Amazon resources](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-best-practices) in the *Amazon Web Services General Reference*.

### Remediation


To add tags to an Auto Scaling group, see [Tag Auto Scaling groups and instances](https://docs.amazonaws.cn/autoscaling/ec2/userguide/ec2-auto-scaling-tagging.html) in the *Amazon EC2 Auto Scaling User Guide*.

# Security Hub CSPM controls for Amazon ECR
Amazon ECR controls

These Security Hub CSPM controls evaluate the Amazon Elastic Container Registry (Amazon ECR) service and resources.

These controls may not be available in all Amazon Web Services Regions. For more information, see [Availability of controls by Region](securityhub-regions.md#securityhub-regions-control-support).

## [ECR.1] ECR private repositories should have image scanning configured


**Related requirements:** NIST.800-53.r5 RA-5, PCI DSS v4.0.1/6.2.3, PCI DSS v4.0.1/6.2.4

**Category:** Identify > Vulnerability, patch, and version management

**Severity:** High

**Resource type:** `AWS::ECR::Repository`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/ecr-private-image-scanning-enabled.html](https://docs.amazonaws.cn/config/latest/developerguide/ecr-private-image-scanning-enabled.html)

**Schedule type:** Periodic

**Parameters:** None

This control checks whether a private Amazon ECR repository has image scanning configured. The control fails if the private ECR repository isn't configured for scan on push or continuous scanning.

ECR image scanning helps in identifying software vulnerabilities in your container images. Configuring image scanning on ECR repositories adds a layer of verification for the integrity and safety of the images being stored.

### Remediation


To configure image scanning for an ECR repository, see [Image scanning](https://docs.amazonaws.cn//AmazonECR/latest/userguide/image-scanning.html) in the *Amazon Elastic Container Registry User Guide*.

## [ECR.2] ECR private repositories should have tag immutability configured


**Related requirements:** NIST.800-53.r5 CA-9(1), NIST.800-53.r5 CM-2, NIST.800-53.r5 CM-8(1)

**Category:** Identify > Inventory > Tagging

**Severity:** Medium

**Resource type:** `AWS::ECR::Repository`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/ecr-private-tag-immutability-enabled.html](https://docs.amazonaws.cn/config/latest/developerguide/ecr-private-tag-immutability-enabled.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether a private ECR repository has tag immutability enabled. This control fails if a private ECR repository has tag immutability disabled. This rule passes if tag immutability is enabled and has the value `IMMUTABLE`.

Amazon ECR Tag Immutability enables customers to rely on the descriptive tags of an image as a reliable mechanism to track and uniquely identify images. An immutable tag is static, which means each tag refers to a unique image. This improves reliability and scalability as the use of a static tag will always result in the same image being deployed. When configured, tag immutability prevents the tags from being overridden, which reduces the attack surface.

### Remediation


To create a repository with immutable tags configured or to update the image tag mutability settings for an existing repository, see [Image tag mutability](https://docs.amazonaws.cn/AmazonECR/latest/userguide/image-tag-mutability.html) in the *Amazon Elastic Container Registry User Guide*.

## [ECR.3] ECR repositories should have at least one lifecycle policy configured


**Related requirements:** NIST.800-53.r5 CA-9(1), NIST.800-53.r5 CM-2, NIST.800-53.r5 CM-2(2)

**Category:** Identify > Resource configuration

**Severity:** Medium

**Resource type:** `AWS::ECR::Repository`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/ecr-private-lifecycle-policy-configured.html](https://docs.amazonaws.cn/config/latest/developerguide/ecr-private-lifecycle-policy-configured.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether an Amazon ECR repository has at least one lifecycle policy configured. This control fails if an ECR repository does not have any lifecycle policies configured.

Amazon ECR lifecycle policies enable you to specify the lifecycle management of images in a repository. By configuring lifecycle policies, you can automate the cleanup of unused images and the expiration of images based on age or count. Automating these tasks can help you avoid unintentionally using outdated images in your repository.

### Remediation


To configure a lifecycle policy, see [Creating a lifecycle policy preview](https://docs.amazonaws.cn/AmazonECR/latest/userguide/lpp_creation.html) in the *Amazon Elastic Container Registry User Guide*.

## [ECR.4] ECR public repositories should be tagged


**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `AWS::ECR::PublicRepository`

**Amazon Config rule:** `tagged-ecr-publicrepository` (custom Security Hub CSPM rule)

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  requiredTagKeys  | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive.  | StringList (maximum of 6 items)  | 1–6 tag keys that meet [Amazon requirements](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-conventions).  | No default value  | 

This control checks whether an Amazon ECR public repository has tags with the specific keys defined in the parameter `requiredTagKeys`. The control fails if the public repository doesn’t have any tag keys or if it doesn’t have all the keys specified in the parameter `requiredTagKeys`. If the parameter `requiredTagKeys` isn't provided, the control only checks for the existence of a tag key and fails if the public repository isn't tagged with any key. System tags, which are automatically applied and begin with `aws:`, are ignored.

A tag is a label that you assign to an Amazon resource, and it consists of a key and an optional value. You can create tags to categorize resources by purpose, owner, environment, or other criteria. Tags can help you identify, organize, search for, and filter resources. Tagging also helps you track accountable resource owners for actions and notifications. When you use tagging, you can implement attribute-based access control (ABAC) as an authorization strategy, which defines permissions based on tags. You can attach tags to IAM entities (users or roles) and to Amazon resources. You can create a single ABAC policy or a separate set of policies for your IAM principals. You can design these ABAC policies to allow operations when the principal's tag matches the resource tag. For more information, see [What is ABAC for Amazon?](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*.

**Note**  
Don’t add personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible to many Amazon Web Services services, including Amazon Billing. For more tagging best practices, see [Tagging your Amazon resources](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-best-practices) in the *Amazon Web Services General Reference*.

### Remediation


To add tags to an ECR public repository, see [Tagging an Amazon ECR public repository](https://docs.amazonaws.cn/AmazonECR/latest/public/ecr-public-using-tags.html) in the *Amazon Elastic Container Registry User Guide*.

## [ECR.5] ECR repositories should be encrypted with customer managed Amazon KMS keys


**Related requirements:** NIST.800-53.r5 SC-12(2), NIST.800-53.r5 CM-3(6), NIST.800-53.r5 SC-13, NIST.800-53.r5 SC-28, NIST.800-53.r5 SC-28(1), NIST.800-53.r5 SC-7(10), NIST.800-53.r5 CA-9(1), NIST.800-53.r5 SI-7(6), NIST.800-53.r5 AU-9

**Category:** Protect > Data Protection > Encryption of data-at-rest

**Severity:** Medium

**Resource type:** `AWS::ECR::Repository`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/ecr-repository-cmk-encryption-enabled.html](https://docs.amazonaws.cn/config/latest/developerguide/ecr-repository-cmk-encryption-enabled.html)

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  `kmsKeyArns`  |  A list of Amazon Resource Names (ARNs) of Amazon KMS keys to include in the evaluation. The control generates a `FAILED` finding if an ECR repository isn't encrypted with a KMS key in the list.  |  StringList (maximum of 10 items)  |  1–10 ARNs of existing KMS keys. For example: `arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`  |  No default value  | 

This control checks whether an Amazon ECR repository is encrypted at rest with a customer managed Amazon KMS key. The control fails if the ECR repository isn't encrypted with a customer managed KMS key. You can optionally specify a list of KMS keys for the control to include in the evaluation.

By default, Amazon ECR encrypts repository data with Amazon S3 managed keys (SSE-S3), using an AES-256 algorithm. For additional control, you can configure Amazon ECR to encrypt the data with an Amazon KMS key (SSE-KMS or DSSE-KMS) instead. The KMS key can be: an Amazon managed key that Amazon ECR creates and manages for you and has the alias `aws/ecr`, or a customer managed key that you create and manage in your Amazon Web Services account. With a customer managed KMS key, you have full control of the key. This includes defining and maintaining the key policy, managing grants, rotating cryptographic material, assigning tags, creating aliases, and enabling and disabling the key.

**Note**  
Amazon KMS supports cross-account access to KMS keys. If an ECR repository is encrypted with a KMS key that’s owned by another account, this control doesn’t perform cross-account checks when it evaluates the repository. The control doesn’t assess whether Amazon ECR can access and use the key when performing cryptographic operations for the repository.

### Remediation


You can't change the encryption settings for an existing ECR repository. However, you can specify different encryption settings for ECR repositories that you subsequently create. Amazon ECR supports the use of different encryption settings for individual repositories.

For more information about encryption options for ECR repositories, see [Encryption at rest](https://docs.amazonaws.cn/AmazonECR/latest/userguide/encryption-at-rest.html) in the *Amazon ECR User Guide*. For more information about customer managed Amazon KMS keys, see [Amazon KMS keys](https://docs.amazonaws.cn/kms/latest/developerguide/concepts.html) in the *Amazon Key Management Service Developer Guide*.
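The ECR.1, ECR.2 and ECR.5 checks above can be reproduced locally against repository records. The following is an added example and is not Security Hub CSPM or Amazon Config code. It assumes input shaped like the `DescribeRepositories`, `GetRegistryScanningConfiguration` and `DescribeKey` (`KeyManager`) API responses, treats registry `WILDCARD` filters as shell-style `*` matches (the page does not say how the managed rule resolves continuous scanning), and treats `KMS_DSSE` as the encryption type value for DSSE-KMS. All repositories, the registry scanning rule and the second KMS key ARN are constructed; the first key ARN is the example from the `kmsKeyArns` parameter table.

```python
"""ECR.1, ECR.2 and ECR.5 evaluated over constructed repository records.

Added example, not Security Hub CSPM or Amazon Config code. Every value
below is constructed; only the API response shapes are real.
"""
from fnmatch import fnmatchcase

# Key ARNs: the first is the page's example ARN, the second is a constructed
# stand-in for the Amazon managed aws/ecr key.
CUSTOMER_KEY = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
AWS_MANAGED_KEY = "arn:aws:kms:us-west-2:111122223333:key/00000000-0000-0000-0000-000000000001"

# kms:DescribeKey KeyMetadata.KeyManager per key (constructed lookup table).
KEY_MANAGER = {CUSTOMER_KEY: "CUSTOMER", AWS_MANAGED_KEY: "AWS"}

# Registry-level scanning configuration (constructed): continuous scanning
# applies only to repositories whose name matches "prod-*".
REGISTRY_SCANNING = {
    "scanType": "ENHANCED",
    "rules": [{"scanFrequency": "CONTINUOUS_SCAN",
               "repositoryFilters": [{"filter": "prod-*", "filterType": "WILDCARD"}]}],
}

REPOSITORIES = [
    {   # scan on push, immutable tags, customer managed key: passes all three controls
        "repositoryName": "payments-api",
        "imageTagMutability": "IMMUTABLE",
        "imageScanningConfiguration": {"scanOnPush": True},
        "encryptionConfiguration": {"encryptionType": "KMS", "kmsKey": CUSTOMER_KEY},
    },
    {   # no scanning, mutable tags, default SSE-S3 encryption: fails all three
        "repositoryName": "legacy-worker",
        "imageTagMutability": "MUTABLE",
        "imageScanningConfiguration": {"scanOnPush": False},
        "encryptionConfiguration": {"encryptionType": "AES256"},
    },
    {   # covered by the continuous-scan rule, but encrypted with the aws/ecr managed key
        "repositoryName": "prod-frontend",
        "imageTagMutability": "IMMUTABLE",
        "imageScanningConfiguration": {"scanOnPush": False},
        "encryptionConfiguration": {"encryptionType": "KMS", "kmsKey": AWS_MANAGED_KEY},
    },
]


def covered_by_continuous_scan(name, registry_cfg):
    """True if a CONTINUOUS_SCAN rule has a WILDCARD filter matching the repository name.
    Assumption of this example: wildcard filters use shell-style '*' matching."""
    for rule in registry_cfg.get("rules", []):
        if rule.get("scanFrequency") != "CONTINUOUS_SCAN":
            continue
        for flt in rule.get("repositoryFilters", []):
            if flt.get("filterType") == "WILDCARD" and fnmatchcase(name, flt["filter"]):
                return True
    return False


def check_ecr_1(repo, registry_cfg):
    """ECR.1: fails unless scan on push or continuous scanning covers the repository."""
    if repo.get("imageScanningConfiguration", {}).get("scanOnPush"):
        return "PASSED"
    return "PASSED" if covered_by_continuous_scan(repo["repositoryName"], registry_cfg) else "FAILED"


def check_ecr_2(repo):
    """ECR.2: passes only when imageTagMutability is exactly IMMUTABLE."""
    return "PASSED" if repo.get("imageTagMutability") == "IMMUTABLE" else "FAILED"


def check_ecr_5(repo, key_manager, kms_key_arns=None):
    """ECR.5: fails for SSE-S3, for the Amazon managed key, and, when the optional
    kmsKeyArns parameter is set, for any customer managed key not in that list."""
    enc = repo.get("encryptionConfiguration", {})
    if enc.get("encryptionType") not in ("KMS", "KMS_DSSE"):
        return "FAILED"
    key_arn = enc.get("kmsKey")
    if key_manager.get(key_arn) != "CUSTOMER":
        return "FAILED"
    if kms_key_arns and key_arn not in kms_key_arns:
        return "FAILED"
    return "PASSED"


def evaluate(repos=REPOSITORIES, registry_cfg=REGISTRY_SCANNING,
             key_manager=KEY_MANAGER, kms_key_arns=None):
    """Return {repositoryName: {control id: status}} for the three controls."""
    return {
        r["repositoryName"]: {
            "ECR.1": check_ecr_1(r, registry_cfg),
            "ECR.2": check_ecr_2(r),
            "ECR.5": check_ecr_5(r, key_manager, kms_key_arns),
        }
        for r in repos
    }


if __name__ == "__main__":
    for name, statuses in evaluate().items():
        print(name, statuses)
```

The `KEY_MANAGER` lookup is where the cross-account caveat in the note above shows up: a key owned by another account would not be in this account's `DescribeKey` results, so a real evaluator has to decide how to treat an ARN it cannot resolve rather than silently assuming it is customer managed.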

# Security Hub CSPM controls for Amazon ECS

These Security Hub CSPM controls evaluate the Amazon Elastic Container Service (Amazon ECS) service and resources. The controls might not be available in all Amazon Web Services Regions. For more information, see [Availability of controls by Region](securityhub-regions.md#securityhub-regions-control-support).

## [ECS.1] Amazon ECS task definitions should have secure networking modes and user definitions


**Important**  
Security Hub CSPM retired this control in March 2026. For more information, see [Change log for Security Hub CSPM controls](controls-change-log.md). You can refer to the following controls for evaluation of privileged configuration, network mode configuration, and user configuration:
+ [[ECS.4] ECS containers should run as non-privileged](#ecs-4)
+ [[ECS.17] ECS task definitions should not use host network mode](#ecs-17)
+ [[ECS.20] ECS Task Definitions should configure non-root users in Linux container definitions](#ecs-20)
+ [[ECS.21] ECS Task Definitions should configure non-administrator users in Windows container definitions](#ecs-21)

**Related requirements:** NIST.800-53.r5 AC-2(1), NIST.800-53.r5 AC-3, NIST.800-53.r5 AC-3(15), NIST.800-53.r5 AC-3(7), NIST.800-53.r5 AC-5, NIST.800-53.r5 AC-6

**Category:** Protect > Secure access management

**Severity:** High

**Resource type:** `AWS::ECS::TaskDefinition`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/ecs-task-definition-user-for-host-mode-check.html](https://docs.amazonaws.cn/config/latest/developerguide/ecs-task-definition-user-for-host-mode-check.html)

**Schedule type:** Change triggered

**Parameters:**
+ `SkipInactiveTaskDefinitions`: `true` (not customizable)

This control checks whether an active Amazon ECS task definition that uses host network mode has `privileged` or `user` set in its container definitions. The control fails for task definitions that use host network mode and contain a container definition in which `privileged` is `false` or empty and `user` is `root` or empty.

This control only evaluates the latest active revision of an Amazon ECS task definition.

The purpose of this control is to ensure that access is defined intentionally when you run tasks that use the host network mode. If a task definition has elevated privileges, it is because you have chosen that configuration. This control checks for unexpected privilege escalation when a task definition has host networking enabled, and you don't choose elevated privileges.

### Remediation


For information about how to update a task definition, see [Updating a task definition](https://docs.amazonaws.cn/AmazonECS/latest/developerguide/update-task-definition.html) in the *Amazon Elastic Container Service Developer Guide*.

When you update a task definition, it doesn't update running tasks that were launched from the previous task definition. To update a running task, you must redeploy the task with the new task definition.

## [ECS.2] ECS services should not have public IP addresses assigned to them automatically


**Related requirements:** NIST.800-53.r5 AC-21, NIST.800-53.r5 AC-3, NIST.800-53.r5 AC-3(7), NIST.800-53.r5 AC-4, NIST.800-53.r5 AC-4(21), NIST.800-53.r5 AC-6, NIST.800-53.r5 SC-7, NIST.800-53.r5 SC-7(11), NIST.800-53.r5 SC-7(16), NIST.800-53.r5 SC-7(20), NIST.800-53.r5 SC-7(21), NIST.800-53.r5 SC-7(3), NIST.800-53.r5 SC-7(4), NIST.800-53.r5 SC-7(9), PCI DSS v4.0.1/1.4.4

**Category:** Protect > Secure network configuration > Resources not publicly accessible

**Severity:** High

**Resource type:** `AWS::ECS::Service`

**Amazon Config rule:** `ecs-service-assign-public-ip-disabled` (custom Security Hub CSPM rule)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether Amazon ECS services are configured to automatically assign public IP addresses. This control fails if `AssignPublicIP` is `ENABLED`. This control passes if `AssignPublicIP` is `DISABLED`.

A public IP address is an IP address that is reachable from the internet. If you launch your Amazon ECS instances with a public IP address, then your Amazon ECS instances are reachable from the internet. Amazon ECS services should not be publicly accessible, as this may allow unintended access to your container application servers.

### Remediation


First, you must create a task definition for your cluster that uses the `awsvpc` network mode and specifies **FARGATE** for `requiresCompatibilities`. Then, for **Compute configuration**, choose **Launch type** and **FARGATE**. Finally, for the **Networking** field, turn off **Public IP** to disable automatic public IP assignment for your service.

## [ECS.3] ECS task definitions should not share the host's process namespace


**Related requirements:** NIST.800-53.r5 CA-9(1), NIST.800-53.r5 CM-2

**Category:** Identify > Resource configuration

**Severity:** High

**Resource type:** `AWS::ECS::TaskDefinition`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/ecs-task-definition-pid-mode-check.html](https://docs.amazonaws.cn/config/latest/developerguide/ecs-task-definition-pid-mode-check.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks if Amazon ECS task definitions are configured to share a host's process namespace with its containers. The control fails if the task definition shares the host's process namespace with the containers running on it. This control only evaluates the latest active revision of an Amazon ECS task definition.

A process ID (PID) namespace provides separation between processes. It prevents system processes from being visible, and allows PIDs to be reused, including PID 1. If the host's PID namespace is shared with containers, it would allow containers to see all of the processes on the host system. This reduces the benefit of process level isolation between the host and the containers. These circumstances could lead to unauthorized access to processes on the host itself, including the ability to manipulate and terminate them. Customers shouldn't share the host's process namespace with containers running on it.

### Remediation


To configure the `pidMode` on a task definition, see [Task definition parameters](https://docs.amazonaws.cn/AmazonECS/latest/developerguide/task_definition_parameters.html#task_definition_pidmode) in the *Amazon Elastic Container Service Developer Guide*.

## [ECS.4] ECS containers should run as non-privileged


**Related requirements:** NIST.800-53.r5 AC-2(1), NIST.800-53.r5 AC-3, NIST.800-53.r5 AC-3(15), NIST.800-53.r5 AC-3(7), NIST.800-53.r5 AC-5, NIST.800-53.r5 AC-6

**Category:** Protect > Secure access management > Root user access restrictions

**Severity:** High

**Resource type:** `AWS::ECS::TaskDefinition`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/ecs-containers-nonprivileged.html](https://docs.amazonaws.cn/config/latest/developerguide/ecs-containers-nonprivileged.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks if the `privileged` parameter in the container definition of Amazon ECS Task Definitions is set to `true`. The control fails if this parameter is equal to `true`. This control only evaluates the latest active revision of an Amazon ECS task definition.

We recommend that you remove elevated privileges from your ECS task definitions. When the `privileged` parameter is `true`, the container is given elevated privileges on the host container instance (similar to the root user).

### Remediation


To configure the `privileged` parameter on a task definition, see [Advanced container definition parameters](https://docs.amazonaws.cn/AmazonECS/latest/developerguide/task_definition_parameters.html#container_definition_security) in the *Amazon Elastic Container Service Developer Guide*.

## [ECS.5] ECS task definitions should configure containers to be limited to read-only access to root filesystems


**Related requirements:** NIST.800-53.r5 AC-2(1), NIST.800-53.r5 AC-3, NIST.800-53.r5 AC-3(15), NIST.800-53.r5 AC-3(7), NIST.800-53.r5 AC-5, NIST.800-53.r5 AC-6

**Category:** Protect > Secure access management

**Severity:** High

**Resource type:** `AWS::ECS::TaskDefinition`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/ecs-containers-readonly-access.html](https://docs.amazonaws.cn/config/latest/developerguide/ecs-containers-readonly-access.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether ECS task definitions configure containers to be limited to read-only access to mounted root file systems. The control fails if the `readonlyRootFilesystem` parameter in a container definition of the ECS task definition is set to `false`, or if the parameter doesn't exist in a container definition within the task definition. This control evaluates only the latest active revision of an Amazon ECS task definition.

If the `readonlyRootFilesystem` parameter is set to `true` in an Amazon ECS task definition, the ECS container is given read-only access to its root file system. This reduces security attack vectors because the container instance's root file system can't be tampered with or written to without explicit volume mounts that have read-write permissions for file system folders and directories. Enabling this option also adheres to the principle of least privilege.

**Note**  
The `readonlyRootFilesystem` parameter is not supported for Windows containers. Task definitions with `runtimePlatform` configured to specify a `WINDOWS_SERVER` OS family are marked as `NOT_APPLICABLE` and will not generate findings for this control. 

### Remediation


To give an Amazon ECS container read-only access to its root file system, add the `readonlyRootFilesystem` parameter to the task definition for the container, and set the value for the parameter to `true`. For information about task definition parameters and how to add them to a task definition, see [Amazon ECS task definitions](https://docs.amazonaws.cn/AmazonECS/latest/developerguide/task_definitions.html) and [Updating a task definition](https://docs.amazonaws.cn/AmazonECS/latest/developerguide/update-task-definition-console-v2.html) in the *Amazon Elastic Container Service Developer Guide*.

## [ECS.8] Secrets should not be passed as container environment variables


**Related requirements:** NIST.800-53.r5 CA-9(1), NIST.800-53.r5 CM-2, PCI DSS v4.0.1/8.6.2

**Category:** Protect > Secure development > Credentials not hard-coded

**Severity:** High

**Resource type:** `AWS::ECS::TaskDefinition`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/ecs-no-environment-secrets.html](https://docs.amazonaws.cn/config/latest/developerguide/ecs-no-environment-secrets.html) 

**Schedule type:** Change triggered

**Parameters:** `secretKeys`: `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `ECS_ENGINE_AUTH_DATA` (not customizable)

This control checks whether the name (key) of any variable in the `environment` parameter of a container definition is `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, or `ECS_ENGINE_AUTH_DATA`. The control fails if any environment variable in any container definition has one of these names. The control doesn't cover environment variables passed in from other locations, such as Amazon S3. It evaluates only the latest active revision of an Amazon ECS task definition.

Amazon Systems Manager Parameter Store can help you improve the security posture of your organization. We recommend using the Parameter Store to store secrets and credentials instead of directly passing them into your container instances or hard coding them into your code.

### Remediation


To create parameters using SSM, see [Creating Systems Manager parameters](https://docs.amazonaws.cn/systems-manager/latest/userguide/sysman-paramstore-su-create.html) in the *Amazon Systems Manager User Guide*. For more information about creating a task definition that specifies a secret, see [Specifying sensitive data using Secrets Manager](https://docs.amazonaws.cn/AmazonECS/latest/developerguide/specifying-sensitive-data-secrets.html#secrets-create-taskdefinition) in the *Amazon Elastic Container Service Developer Guide*.

## [ECS.9] ECS task definitions should have a logging configuration


**Related requirements:** NIST.800-53.r5 AC-4(26), NIST.800-53.r5 AU-10, NIST.800-53.r5 AU-12, NIST.800-53.r5 AU-2, NIST.800-53.r5 AU-3, NIST.800-53.r5 AU-6(3), NIST.800-53.r5 AU-6(4), NIST.800-53.r5 CA-7, NIST.800-53.r5 SC-7(9), NIST.800-53.r5 SI-7(8)

**Category:** Identify > Logging

**Severity:** High

**Resource type:** `AWS::ECS::TaskDefinition`

**Amazon Config rule:** [ecs-task-definition-log-configuration](https://docs.amazonaws.cn/config/latest/developerguide/ecs-task-definition-log-configuration.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks if the latest active Amazon ECS task definition has a logging configuration specified. The control fails if the task definition doesn't have the `logConfiguration` property defined or if the value for `logDriver` is null in at least one container definition.

Logging helps you maintain the reliability, availability, and performance of Amazon ECS. Collecting data from task definitions provides visibility, which can help you debug processes and find the root cause of errors. If you use a logging solution that doesn't have to be defined in the ECS task definition (such as a third-party logging solution), you can disable this control after ensuring that your logs are properly captured and delivered.

### Remediation


To define a log configuration for your Amazon ECS task definitions, see [Specifying a log configuration in your task definition](https://docs.amazonaws.cn/AmazonECS/latest/developerguide/using_awslogs.html#specify-log-config) in the *Amazon Elastic Container Service Developer Guide*.
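The task-definition controls ECS.1, ECS.3, ECS.4, ECS.5, ECS.8 and ECS.9 all read the same `DescribeTaskDefinition` record, so they can be evaluated together. The following is an added example, not Amazon Config rule code: it assumes records shaped like that API response, applies the pass/fail logic stated in each control description above (including the "latest active revision only" rule and the Windows `NOT_APPLICABLE` case for ECS.5), and interprets `user=root` literally as the page names it. All task definitions, ARNs and values are constructed.

```python
"""ECS.1, ECS.3, ECS.4, ECS.5, ECS.8 and ECS.9 evaluated over constructed
task definitions. Added example, not Amazon Config rule code; the records
follow the shape of ecs:DescribeTaskDefinition, with constructed values.
"""

# The ECS.8 secretKeys parameter (not customizable).
SECRET_KEYS = {"AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "ECS_ENGINE_AUTH_DATA"}

TASK_DEFINITIONS = [
    {   # hardened Linux task: awsvpc, non-root user, read-only root, secret via SSM reference
        "family": "web", "revision": 7, "status": "ACTIVE", "networkMode": "awsvpc",
        "containerDefinitions": [{
            "name": "app", "user": "1000", "privileged": False, "readonlyRootFilesystem": True,
            "environment": [{"name": "LOG_LEVEL", "value": "info"}],
            "secrets": [{"name": "DB_PASSWORD",
                         "valueFrom": "arn:aws:ssm:us-west-2:111122223333:parameter/constructed/db-password"}],
            "logConfiguration": {"logDriver": "awslogs", "options": {"awslogs-group": "/ecs/web"}},
        }],
    },
    {   # older ACTIVE revision of the same family: ignored, only the latest revision is evaluated
        "family": "web", "revision": 6, "status": "ACTIVE", "networkMode": "host",
        "containerDefinitions": [{"name": "app"}],
    },
    {   # host networking and host PID namespace, no user, credential name in environment, no log driver
        "family": "legacy-agent", "revision": 3, "status": "ACTIVE", "networkMode": "host", "pidMode": "host",
        "containerDefinitions": [{
            "name": "agent",
            "environment": [{"name": "AWS_ACCESS_KEY_ID", "value": "PLACEHOLDER-NOT-A-REAL-KEY"}],
            "logConfiguration": {"logDriver": None},
        }],
    },
    {   # Windows task with a privileged container; ECS.5 does not apply to Windows
        "family": "win-iis", "revision": 2, "status": "ACTIVE", "networkMode": "awsvpc",
        "runtimePlatform": {"operatingSystemFamily": "WINDOWS_SERVER_2019_CORE"},
        "containerDefinitions": [{"name": "iis", "privileged": True,
                                  "logConfiguration": {"logDriver": "awslogs"}}],
    },
]


def latest_active(task_definitions):
    """Highest ACTIVE revision per family: the only revision these controls evaluate."""
    latest = {}
    for td in task_definitions:
        if td.get("status") != "ACTIVE":
            continue
        current = latest.get(td["family"])
        if current is None or td["revision"] > current["revision"]:
            latest[td["family"]] = td
    return latest

def check_ecs_1(td):
    """ECS.1: host network mode with a container whose privileged flag is false or
    unset and whose user is root or unset."""
    if td.get("networkMode") != "host":
        return "PASSED"
    for c in td["containerDefinitions"]:
        if not c.get("privileged") and c.get("user") in (None, "", "root"):
            return "FAILED"
    return "PASSED"

def check_ecs_3(td):
    """ECS.3: fails when the task shares the host PID namespace."""
    return "FAILED" if td.get("pidMode") == "host" else "PASSED"

def check_ecs_4(td):
    """ECS.4: fails when any container sets privileged to true."""
    return "FAILED" if any(c.get("privileged") is True for c in td["containerDefinitions"]) else "PASSED"

def check_ecs_5(td):
    """ECS.5: every container needs readonlyRootFilesystem true; Windows is NOT_APPLICABLE."""
    if td.get("runtimePlatform", {}).get("operatingSystemFamily", "").startswith("WINDOWS_SERVER"):
        return "NOT_APPLICABLE"
    ok = all(c.get("readonlyRootFilesystem") is True for c in td["containerDefinitions"])
    return "PASSED" if ok else "FAILED"

def check_ecs_8(td):
    """ECS.8: fails when an environment variable name is one of the secretKeys.
    Entries under `secrets` are references, not environment variables, and are not checked."""
    for c in td["containerDefinitions"]:
        if any(v.get("name") in SECRET_KEYS for v in c.get("environment", [])):
            return "FAILED"
    return "PASSED"

def check_ecs_9(td):
    """ECS.9: every container needs a logConfiguration with a non-null logDriver."""
    for c in td["containerDefinitions"]:
        if not (c.get("logConfiguration") or {}).get("logDriver"):
            return "FAILED"
    return "PASSED"

def evaluate(task_definitions=TASK_DEFINITIONS):
    """Return {family: {control id: status}} for the latest active revision of each family."""
    checks = {"ECS.1": check_ecs_1, "ECS.3": check_ecs_3, "ECS.4": check_ecs_4,
              "ECS.5": check_ecs_5, "ECS.8": check_ecs_8, "ECS.9": check_ecs_9}
    return {family: {cid: fn(td) for cid, fn in checks.items()}
            for family, td in latest_active(task_definitions).items()}
```

Note that `check_ecs_8` only matches variable names, as the control does; a credential placed under a different name or delivered from another location is not caught, which is why the control description calls out that limitation.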

## [ECS.10] ECS Fargate services should run on the latest Fargate platform version


**Related requirements:** NIST.800-53.r5 SI-2, NIST.800-53.r5 SI-2(2), NIST.800-53.r5 SI-2(4), NIST.800-53.r5 SI-2(5), PCI DSS v4.0.1/6.3.3

**Category:** Identify > Vulnerability, patch, and version management

**Severity:** Medium

**Resource type:** `AWS::ECS::Service`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/ecs-fargate-latest-platform-version.html](https://docs.amazonaws.cn/config/latest/developerguide/ecs-fargate-latest-platform-version.html)

**Schedule type:** Change triggered

**Parameters:**
+ `latestLinuxVersion`: `1.4.0` (not customizable)
+ `latestWindowsVersion`: `1.0.0` (not customizable)

This control checks if Amazon ECS Fargate services are running the latest Fargate platform version. This control fails if the platform version is not the latest.

Amazon Fargate platform versions refer to a specific runtime environment for Fargate task infrastructure, which is a combination of kernel and container runtime versions. New platform versions are released as the runtime environment evolves. For example, a new version may be released for kernel or operating system updates, new features, bug fixes, or security updates. Security updates and patches are deployed automatically for your Fargate tasks. If a security issue is found that affects a platform version, Amazon patches the platform version. 

### Remediation


To update an existing service, including its platform version, see [Updating a service](https://docs.amazonaws.cn/AmazonECS/latest/developerguide/update-service.html) in the *Amazon Elastic Container Service Developer Guide*.

## [ECS.12] ECS clusters should use Container Insights


**Related requirements:** NIST.800-53.r5 AU-6(3), NIST.800-53.r5 AU-6(4), NIST.800-53.r5 CA-7, NIST.800-53.r5 SI-2

**Category:** Identify > Logging

**Severity:** Medium

**Resource type:** `AWS::ECS::Cluster`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/ecs-container-insights-enabled.html](https://docs.amazonaws.cn/config/latest/developerguide/ecs-container-insights-enabled.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks if ECS clusters use Container Insights. This control fails if Container Insights are not set up for a cluster.

Monitoring is an important part of maintaining the reliability, availability, and performance of Amazon ECS clusters. Use CloudWatch Container Insights to collect, aggregate, and summarize metrics and logs from your containerized applications and microservices. CloudWatch automatically collects metrics for many resources, such as CPU, memory, disk, and network. Container Insights also provides diagnostic information, such as container restart failures, to help you isolate issues and resolve them quickly. You can also set CloudWatch alarms on metrics that Container Insights collects.

### Remediation


To set up Container Insights for an ECS cluster, see [Setting up Container Insights on Amazon ECS](https://docs.amazonaws.cn/AmazonCloudWatch/latest/monitoring/deploy-container-insights-ECS.html) in the *Amazon CloudWatch User Guide*.

## [ECS.13] ECS services should be tagged


**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `AWS::ECS::Service`

**Amazon Config rule:** `tagged-ecs-service` (custom Security Hub CSPM rule)

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  requiredTagKeys  | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive.  | StringList (maximum of 6 items)  | 1–6 tag keys that meet [Amazon requirements](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-conventions).  | No default value  | 

This control checks whether an Amazon ECS service has tags with the specific keys defined in the parameter `requiredTagKeys`. The control fails if the service doesn’t have any tag keys or if it doesn’t have all the keys specified in the parameter `requiredTagKeys`. If the parameter `requiredTagKeys` isn't provided, the control only checks for the existence of a tag key and fails if the service isn't tagged with any key. System tags, which are automatically applied and begin with `aws:`, are ignored.

A tag is a label that you assign to an Amazon resource, and it consists of a key and an optional value. You can create tags to categorize resources by purpose, owner, environment, or other criteria. Tags can help you identify, organize, search for, and filter resources. Tagging also helps you track accountable resource owners for actions and notifications. When you use tagging, you can implement attribute-based access control (ABAC) as an authorization strategy, which defines permissions based on tags. You can attach tags to IAM entities (users or roles) and to Amazon resources. You can create a single ABAC policy or a separate set of policies for your IAM principals. You can design these ABAC policies to allow operations when the principal's tag matches the resource tag. For more information, see [What is ABAC for Amazon?](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*.

**Note**  
Don’t add personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible to many Amazon Web Services services, including Amazon Billing. For more tagging best practices, see [Tagging your Amazon resources](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-best-practices) in the *Amazon Web Services General Reference*.

### Remediation


To add tags to an ECS service, see [Tagging your Amazon ECS resources](https://docs.amazonaws.cn/AmazonECS/latest/developerguide/ecs-using-tags.html) in the *Amazon Elastic Container Service Developer Guide*.

## [ECS.14] ECS clusters should be tagged


**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `AWS::ECS::Cluster`

**Amazon Config rule:** `tagged-ecs-cluster` (custom Security Hub CSPM rule)

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  requiredTagKeys  | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive.  | StringList (maximum of 6 items)  | 1–6 tag keys that meet [Amazon requirements](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-conventions).  | No default value  | 

This control checks whether an Amazon ECS cluster has tags with the specific keys defined in the parameter `requiredTagKeys`. The control fails if the cluster doesn’t have any tag keys or if it doesn’t have all the keys specified in the parameter `requiredTagKeys`. If the parameter `requiredTagKeys` isn't provided, the control only checks for the existence of a tag key and fails if the cluster isn't tagged with any key. System tags, which are automatically applied and begin with `aws:`, are ignored.

A tag is a label that you assign to an Amazon resource, and it consists of a key and an optional value. You can create tags to categorize resources by purpose, owner, environment, or other criteria. Tags can help you identify, organize, search for, and filter resources. Tagging also helps you track accountable resource owners for actions and notifications. When you use tagging, you can implement attribute-based access control (ABAC) as an authorization strategy, which defines permissions based on tags. You can attach tags to IAM entities (users or roles) and to Amazon resources. You can create a single ABAC policy or a separate set of policies for your IAM principals. You can design these ABAC policies to allow operations when the principal's tag matches the resource tag. For more information, see [What is ABAC for Amazon?](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*.

**Note**  
Don’t add personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible to many Amazon Web Services services, including Amazon Billing. For more tagging best practices, see [Tagging your Amazon resources](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-best-practices) in the *Amazon Web Services General Reference*.

### Remediation


To add tags to an ECS cluster, see [Tagging your Amazon ECS resources](https://docs.amazonaws.cn/AmazonECS/latest/developerguide/ecs-using-tags.html) in the *Amazon Elastic Container Service Developer Guide*.

## [ECS.15] ECS task definitions should be tagged


**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `AWS::ECS::TaskDefinition`

**Amazon Config rule:** `tagged-ecs-taskdefinition` (custom Security Hub CSPM rule)

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  requiredTagKeys  | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive.  | StringList (maximum of 6 items)  | 1–6 tag keys that meet [Amazon requirements](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-conventions).  | No default value  | 

This control checks whether an Amazon ECS task definition has tags with the specific keys defined in the parameter `requiredTagKeys`. The control fails if the task definition doesn’t have any tag keys or if it doesn’t have all the keys specified in the parameter `requiredTagKeys`. If the parameter `requiredTagKeys` isn't provided, the control only checks for the existence of a tag key and fails if the task definition isn't tagged with any key. System tags, which are automatically applied and begin with `aws:`, are ignored.

A tag is a label that you assign to an Amazon resource, and it consists of a key and an optional value. You can create tags to categorize resources by purpose, owner, environment, or other criteria. Tags can help you identify, organize, search for, and filter resources. Tagging also helps you track accountable resource owners for actions and notifications. When you use tagging, you can implement attribute-based access control (ABAC) as an authorization strategy, which defines permissions based on tags. You can attach tags to IAM entities (users or roles) and to Amazon resources. You can create a single ABAC policy or a separate set of policies for your IAM principals. You can design these ABAC policies to allow operations when the principal's tag matches the resource tag. For more information, see [What is ABAC for Amazon?](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*.

**Note**  
Don’t add personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible to many Amazon Web Services services, including Amazon Billing. For more tagging best practices, see [Tagging your Amazon resources](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-best-practices) in the *Amazon Web Services General Reference*.

### Remediation


To add tags to an ECS task definition, see [Tagging your Amazon ECS resources](https://docs.amazonaws.cn/AmazonECS/latest/developerguide/ecs-using-tags.html) in the *Amazon Elastic Container Service Developer Guide*.

## [ECS.16] ECS task sets should not automatically assign public IP addresses


**Related requirements:** PCI DSS v4.0.1/1.4.4

**Category:** Protect > Secure network configuration > Resources not publicly accessible

**Severity:** High

**Resource type:** `Amazon::ECS::TaskSet`

**Amazon Config rule:** `ecs-taskset-assign-public-ip-disabled` (custom Security Hub CSPM rule)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether an Amazon ECS task set is configured to automatically assign public IP addresses. The control fails if `AssignPublicIP` is set to `ENABLED`.

A public IP address is reachable from the internet. If you configure your task set with a public IP address, the resources associated with the task set can be reached from the internet. ECS task sets shouldn't be publicly accessible, as this may allow unintended access to your container application servers.

### Remediation


To update an ECS task set so that it doesn't use a public IP address, see [Updating an Amazon ECS task definition using the console](https://docs.amazonaws.cn/AmazonECS/latest/developerguide/update-task-definition-console-v2.html) in the *Amazon Elastic Container Service Developer Guide*. A task set's network configuration is fixed when the task set is created (`UpdateTaskSet` changes only its scale), so in practice you create a replacement task set whose `awsvpcConfiguration` sets `assignPublicIp` to `DISABLED`, shift traffic to it, and then delete the original. Tasks in private subnets still need a NAT gateway or VPC endpoints to pull container images and reach other Amazon Web Services endpoints.

## [ECS.17] ECS task definitions should not use host network mode


**Related requirements:** NIST.800-53.r5 AC-2(1), NIST.800-53.r5 AC-3, NIST.800-53.r5 AC-3(7), NIST.800-53.r5 AC-3(15), NIST.800-53.r5 AC-5, NIST.800-53.r5 AC-6

**Category:** Protect > Secure network configuration

**Severity:** Medium

**Resource type:** `Amazon::ECS::TaskDefinition`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/ecs-task-definition-network-mode-not-host.html](https://docs.amazonaws.cn/config/latest/developerguide/ecs-task-definition-network-mode-not-host.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether the latest active revision of an Amazon ECS task definition uses `host` network mode. The control fails if the latest active revision of the ECS task definition uses `host` network mode.

When using `host` network mode, the networking of an Amazon ECS container is tied directly to the underlying host that's running the container. Consequently, this mode allows containers to connect to private loopback network services on the host and to impersonate the host. Other significant drawbacks are that there's no way to remap a container port when using `host` network mode, and you can't run more than a single instantiation of a task on each host.

### Remediation


For information about networking modes and options for Amazon ECS tasks that are hosted on Amazon EC2 instances, see [Amazon ECS task networking options for the EC2 launch type](https://docs.amazonaws.cn/AmazonECS/latest/developerguide/task-networking.html) in the *Amazon Elastic Container Service Developer Guide*. Prefer `awsvpc` mode where possible: each task gets its own elastic network interface and security group, and it is the only network mode that Fargate supports. For information about creating a new revision of a task definition and specifying a different network mode, see [Updating an Amazon ECS task definition](https://docs.amazonaws.cn/AmazonECS/latest/developerguide/update-task-definition-console-v2.html) in that guide.

If the Amazon ECS task definition was created by Amazon Batch, see [Networking modes for Amazon Batch jobs](https://docs.amazonaws.cn/batch/latest/userguide/networking-modes-jobs.html) to learn about networking modes and typical usage for Amazon Batch job types and to choose a secure option.

## [ECS.18] ECS Task Definitions should use in-transit encryption for EFS volumes


**Category:** Protect > Encryption of data-in-transit

**Severity:** Medium

**Resource type:** `Amazon::ECS::TaskDefinition`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/ecs-task-definition-efs-encryption-enabled.html](https://docs.amazonaws.cn/config/latest/developerguide/ecs-task-definition-efs-encryption-enabled.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether the latest active revision of an Amazon ECS task definition uses in-transit encryption for EFS volumes. The control fails if the latest active revision of the ECS task definition has in-transit encryption disabled for EFS volumes.

Amazon EFS volumes provide simple, scalable, and persistent shared file storage for use with your Amazon ECS tasks. Amazon EFS supports encryption of data in transit with Transport Layer Security (TLS). When you set `transitEncryption` to `ENABLED` in a volume's `efsVolumeConfiguration`, the ECS agent mounts the file system over TLS instead of plain NFS. The parameter defaults to `DISABLED`, so a task definition that simply omits it fails this control. Transit encryption is also a prerequisite when the volume uses IAM authorization or an EFS access point.

### Remediation


For information about enabling in-transit encryption for Amazon ECS Task Definition with EFS volumes, see [Step 5: Create a task definition](https://docs.amazonaws.cn/AmazonECS/latest/developerguide/tutorial-efs-volumes.html#efs-task-def) in the *Amazon Elastic Container Service Developer Guide*.

## [ECS.19] ECS capacity providers should have managed termination protection enabled


**Category:** Protect > Data Protection

**Severity:** Medium

**Resource type:** `Amazon::ECS::CapacityProvider`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/ecs-capacity-provider-termination-check.html](https://docs.amazonaws.cn/config/latest/developerguide/ecs-capacity-provider-termination-check.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether an Amazon ECS capacity provider has managed termination protection enabled. The control fails if managed termination protection is not enabled on an ECS capacity provider.

Amazon ECS capacity providers manage the scaling of infrastructure for tasks in your clusters. When you use EC2 instances for your capacity, you use an Auto Scaling group to manage the EC2 instances. Managed termination protection allows cluster auto scaling to control which instances are terminated. When you use managed termination protection, Amazon ECS only terminates EC2 instances that don't have any running Amazon ECS tasks.

**Note**  
Managed termination protection works only when managed scaling is also enabled on the capacity provider; without managed scaling the setting has no effect. The underlying Auto Scaling group, and each instance in it, must also have instance protection from scale-in enabled.

### Remediation


To enable managed termination protection for an Amazon ECS capacity provider, see [Updating managed termination protection for Amazon ECS capacity providers](https://docs.amazonaws.cn/AmazonECS/latest/developerguide/update-managed-termination-protection.html) in the *Amazon Elastic Container Service Developer Guide*.

## [ECS.20] ECS Task Definitions should configure non-root users in Linux container definitions


**Category:** Protect > Secure access management > Root user access restrictions

**Severity:** Medium

**Resource type:** `Amazon::ECS::TaskDefinition`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/ecs-task-definition-linux-user-non-root.html](https://docs.amazonaws.cn/config/latest/developerguide/ecs-task-definition-linux-user-non-root.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether the latest active revision of an Amazon ECS task definition configures Linux containers to run as non-root users. The control fails if a default root user is configured or user configuration is absent for any container.

When Linux containers run with root privileges, they pose several significant security risks. Root users have unrestricted access within the container. This elevated access increases the risk of container escape attacks, where an attacker could potentially break out of container isolation and access the underlying host system. If a container running as root is compromised, attackers may exploit this to access or modify host system resources, affecting other containers or the host itself. Furthermore, root access could enable privilege escalation attacks, allowing attackers to gain additional permissions beyond the container's intended scope. The user parameter in ECS task definitions can specify users in several formats, including username, user ID, username with group, or UID with group ID. It's important to be aware of these various formats when configuring task definitions to ensure no root access is inadvertently granted. Following the principle of least privilege, containers should run with the minimum required permissions using non-root users. This approach significantly reduces the potential attack surface and mitigates the impact of potential security breaches. 

**Note**  
This control only evaluates the container definitions in a task definition if the `operatingSystemFamily` is configured as `LINUX` or `operatingSystemFamily` is not configured in the task definition. The control will generate a `FAILED` finding for an evaluated task definition if any container definition in the task definition has `user` not configured or `user` configured as default root user. The default root users for `LINUX` containers are `"root"` and `"0"`.

### Remediation


For information about creating a new revision of an Amazon ECS Task Definition and updating the `user` parameter in the container definition, see [Updating an Amazon ECS task definition](https://docs.amazonaws.cn/AmazonECS/latest/developerguide/update-task-definition-console-v2.html) in the *Amazon Elastic Container Service Developer Guide*. Make sure the user or UID you specify exists in the image (for example, one created with `useradd` in the Dockerfile); otherwise the container fails to start.

## [ECS.21] ECS Task Definitions should configure non-administrator users in Windows container definitions


**Category:** Protect > Secure access management > Root user access restrictions

**Severity:** Medium

**Resource type:** `Amazon::ECS::TaskDefinition`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/ecs-task-definition-windows-user-non-admin.html](https://docs.amazonaws.cn/config/latest/developerguide/ecs-task-definition-windows-user-non-admin.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether the latest active revision of an Amazon ECS task definition configures Windows containers to run as users that are not default administrators. The control fails if a default administrator is configured as user or user configuration is absent for any container.

When Windows containers run with administrator privileges, they pose several significant security risks. Administrators have unrestricted access within the container. This elevated access increases the risk of container escape attacks, where an attacker could potentially break out of container isolation and access the underlying host system.

**Note**  
This control only evaluates the container definitions in a task definition if the `operatingSystemFamily` is configured as `WINDOWS_SERVER` or `operatingSystemFamily` is not configured in the task definition. The control will generate a `FAILED` finding for an evaluated task definition if any container definition in the task definition has `user` not configured or `user` configured as default administrator for `WINDOWS_SERVER` containers which is `"containeradministrator"`.

### Remediation


For information about creating a new revision of an Amazon ECS Task Definition and updating the `user` parameter in the container definition, see [Updating an Amazon ECS task definition](https://docs.amazonaws.cn/AmazonECS/latest/developerguide/update-task-definition-console-v2.html) in the *Amazon Elastic Container Service Developer Guide*. Windows container images ship with a built-in non-administrator account, `ContainerUser`, that you can specify when the application doesn't need its own account.
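The following is an added example, not code from this guide or from the Security Hub CSPM rules themselves. It re-implements the pass/fail logic documented for ECS.17, ECS.18, ECS.20 and ECS.21 over the `taskDefinition` object that `aws ecs describe-task-definition` returns, so you can evaluate a revision before registering it. The field names (`networkMode`, `volumes[].efsVolumeConfiguration.transitEncryption`, `runtimePlatform.operatingSystemFamily`, `containerDefinitions[].user`) and the sample task definitions are assumptions made for the example; the treatment of every `WINDOWS_SERVER_*` value as the documented `WINDOWS_SERVER` family is also an assumption.

```python
"""Evaluate an ECS task definition against ECS.17, ECS.18, ECS.20 and ECS.21.

Added example that re-implements the pass/fail logic these controls document;
it is not Security Hub or Config rule code. Input is the `taskDefinition`
object returned by `aws ecs describe-task-definition` (assumed field names).
"""
import json

LINUX_ROOT_USERS = {"root", "0"}            # documented default root users
WINDOWS_ADMIN_USER = "containeradministrator"


def check_network_mode(td):
    """ECS.17: fail when the task definition uses host networking."""
    return "FAILED" if td.get("networkMode") == "host" else "PASSED"


def check_efs_transit_encryption(td):
    """ECS.18: every EFS volume must have transitEncryption ENABLED.

    The ECS API default for transitEncryption is DISABLED, so an absent key
    counts as disabled. A task with no EFS volumes has nothing to fail on.
    """
    for vol in td.get("volumes", []):
        efs = vol.get("efsVolumeConfiguration")
        if efs and efs.get("transitEncryption", "DISABLED") != "ENABLED":
            return "FAILED"
    return "PASSED"


def _check_users(td, applies, forbidden, fold_case):
    """Shared body of ECS.20/ECS.21: a missing user or a forbidden user fails.
    `user` may be name, uid, name:group or uid:gid; the part before the colon
    identifies the account."""
    if not applies:
        return "NOT_APPLICABLE"
    for container in td.get("containerDefinitions", []):
        user = container.get("user")
        if not user:                        # key absent or empty string
            return "FAILED"
        account = user.split(":", 1)[0].strip()
        if fold_case:
            account = account.lower()
        if account in forbidden:
            return "FAILED"
    return "PASSED"


def evaluate(td):
    """Return {control_id: PASSED | FAILED | NOT_APPLICABLE} for one revision."""
    family = td.get("runtimePlatform", {}).get("operatingSystemFamily")
    is_linux = family is None or family == "LINUX"
    # Assumption: the WINDOWS_SERVER family in the control text covers every
    # WINDOWS_SERVER_* value that runtimePlatform accepts.
    is_windows = family is None or family.startswith("WINDOWS_SERVER")
    return {
        "ECS.17": check_network_mode(td),
        "ECS.18": check_efs_transit_encryption(td),
        # Linux account names are case sensitive; Windows account names are not.
        "ECS.20": _check_users(td, is_linux, LINUX_ROOT_USERS, fold_case=False),
        "ECS.21": _check_users(td, is_windows, {WINDOWS_ADMIN_USER}, fold_case=True),
    }


# Constructed samples (family, image names and the file system ID are invented):
# a failing revision, its remediated successor, and a Windows task.
FAILING_TD = json.loads("""{
  "family": "web", "networkMode": "host",
  "volumes": [{"name": "shared",
               "efsVolumeConfiguration": {"fileSystemId": "fs-0123456789abcdef0"}}],
  "containerDefinitions": [
    {"name": "nginx", "image": "nginx", "user": "root:root"},
    {"name": "sidecar", "image": "busybox"}]
}""")

REMEDIATED_TD = json.loads("""{
  "family": "web", "networkMode": "awsvpc",
  "volumes": [{"name": "shared",
               "efsVolumeConfiguration": {"fileSystemId": "fs-0123456789abcdef0",
                                          "transitEncryption": "ENABLED"}}],
  "containerDefinitions": [
    {"name": "nginx", "image": "nginx", "user": "101:101"},
    {"name": "sidecar", "image": "busybox", "user": "nobody"}]
}""")

WINDOWS_TD = json.loads("""{
  "family": "iis", "networkMode": "default",
  "runtimePlatform": {"operatingSystemFamily": "WINDOWS_SERVER_2022_CORE"},
  "containerDefinitions": [
    {"name": "iis", "image": "mcr.microsoft.com/windows/servercore/iis",
     "user": "ContainerUser"}]
}""")

if __name__ == "__main__":
    for label, td in [("failing", FAILING_TD), ("remediated", REMEDIATED_TD),
                      ("windows", WINDOWS_TD)]:
        print(label, evaluate(td))
```

Two details are worth noticing in the output. The `sidecar` container with no `user` fails both ECS.20 and ECS.21 when `operatingSystemFamily` is not set, because both controls then evaluate the task definition. And `root:root` fails only ECS.20, since the Windows check only recognises `containeradministrator`.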

# Security Hub CSPM controls for Amazon EFS
Amazon EFS controls

These Security Hub CSPM controls evaluate the Amazon Elastic File System (Amazon EFS) service and resources. The controls might not be available in all Amazon Web Services Regions. For more information, see [Availability of controls by Region](securityhub-regions.md#securityhub-regions-control-support).

## [EFS.1] Elastic File System should be configured to encrypt file data at-rest using Amazon KMS


**Related requirements:** CIS Amazon Foundations Benchmark v5.0.0/2.3.1, CIS Amazon Foundations Benchmark v3.0.0/2.4.1, NIST.800-53.r5 CA-9(1), NIST.800-53.r5 CM-3(6), NIST.800-53.r5 SC-13, NIST.800-53.r5 SC-28, NIST.800-53.r5 SC-28(1), NIST.800-53.r5 SC-7(10), NIST.800-53.r5 SI-7(6)

**Category:** Protect > Data Protection > Encryption of data-at-rest

**Severity:** Medium

**Resource type:** `AWS::EFS::FileSystem`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/efs-encrypted-check.html](https://docs.amazonaws.cn/config/latest/developerguide/efs-encrypted-check.html)

**Schedule type:** Periodic

**Parameters:** None

This control checks whether Amazon Elastic File System is configured to encrypt the file data using Amazon KMS. The underlying Config rule can fail in two cases:
+ `Encrypted` is set to `false` in the [DescribeFileSystems](https://docs.amazonaws.cn/efs/latest/ug/API_DescribeFileSystems.html) response.
+ The `KmsKeyId` key in the [DescribeFileSystems](https://docs.amazonaws.cn/efs/latest/ug/API_DescribeFileSystems.html) response does not match the `KmsKeyId` parameter for [efs-encrypted-check](https://docs.amazonaws.cn/config/latest/developerguide/efs-encrypted-check.html).

Security Hub CSPM runs [efs-encrypted-check](https://docs.amazonaws.cn/config/latest/developerguide/efs-encrypted-check.html) without the `KmsKeyId` parameter, so only the first case applies: the control checks the value of `Encrypted` and does not verify which KMS key the file system uses.

For an added layer of security for your sensitive data in Amazon EFS, you should create encrypted file systems. Amazon EFS supports encryption for file systems at rest. You can enable encryption of data at rest when you create an Amazon EFS file system. To learn more about Amazon EFS encryption, see [Data encryption in Amazon EFS](https://docs.amazonaws.cn/efs/latest/ug/encryption.html) in the *Amazon Elastic File System User Guide*.

### Remediation


For details on how to encrypt a new Amazon EFS file system, see [Encrypting data at rest](https://docs.amazonaws.cn/efs/latest/ug/encryption-at-rest.html) in the *Amazon Elastic File System User Guide*. Encryption at rest can only be chosen when a file system is created and can't be turned on afterwards, so remediating an existing unencrypted file system means creating a new encrypted one, migrating the data (for example with Amazon DataSync), repointing mount targets and access points, and then deleting the old file system.

## [EFS.2] Amazon EFS volumes should be in backup plans


**Related requirements:** NIST.800-53.r5 CP-10, NIST.800-53.r5 CP-6, NIST.800-53.r5 CP-6(1), NIST.800-53.r5 CP-6(2), NIST.800-53.r5 CP-9, NIST.800-53.r5 SC-5(2), NIST.800-53.r5 SI-12, NIST.800-53.r5 SI-13(5)

**Category:** Recover > Resilience > Backup

**Severity:** Medium

**Resource type:** `AWS::EFS::FileSystem`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/efs-in-backup-plan.html](https://docs.amazonaws.cn/config/latest/developerguide/efs-in-backup-plan.html)

**Schedule type:** Periodic

**Parameters:** None

This control checks whether Amazon Elastic File System (Amazon EFS) file systems are added to the backup plans in Amazon Backup. The control fails if Amazon EFS file systems are not included in the backup plans. 

Including EFS file systems in the backup plans helps you to protect your data from deletion and data loss.

### Remediation


To enable automatic backups for an existing Amazon EFS file system, see [Getting started 4: Create Amazon EFS automatic backups](https://docs.amazonaws.cn/aws-backup/latest/devguide/create-auto-backup.html) in the *Amazon Backup Developer Guide*.

## [EFS.3] EFS access points should enforce a root directory


**Related requirements:** NIST.800-53.r5 AC-6(10)

**Category:** Protect > Secure access management

**Severity:** Medium

**Resource type:** `AWS::EFS::AccessPoint`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/efs-access-point-enforce-root-directory.html](https://docs.amazonaws.cn/config/latest/developerguide/efs-access-point-enforce-root-directory.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks if Amazon EFS access points are configured to enforce a root directory. The control fails if the value of `Path` is set to `/` (the default root directory of the file system).

When you enforce a root directory, the NFS client using the access point uses the root directory configured on the access point instead of the file system's root directory. Enforcing a root directory for an access point helps restrict data access by ensuring that users of the access point can only reach files of the specified subdirectory.

### Remediation


For instructions on how to enforce a root directory for an Amazon EFS access point, see [Enforcing a root directory with an access point](https://docs.amazonaws.cn/efs/latest/ug/efs-access-points.html#enforce-root-directory-access-point) in the *Amazon Elastic File System User Guide*. 

## [EFS.4] EFS access points should enforce a user identity


**Related requirements:** NIST.800-53.r5 AC-6(2), PCI DSS v4.0.1/7.3.1

**Category:** Protect > Secure access management

**Severity:** Medium

**Resource type:** `AWS::EFS::AccessPoint`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/efs-access-point-enforce-user-identity.html](https://docs.amazonaws.cn/config/latest/developerguide/efs-access-point-enforce-user-identity.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether Amazon EFS access points are configured to enforce a user identity. This control fails if a POSIX user identity is not defined while creating the EFS access point.

Amazon EFS access points are application-specific entry points into an EFS file system that make it easier to manage application access to shared datasets. Access points can enforce a user identity, including the user's POSIX groups, for all file system requests that are made through the access point. Access points can also enforce a different root directory for the file system so that clients can only access data in the specified directory or its subdirectories.

### Remediation


To enforce a user identity for an Amazon EFS access point, see [Enforcing a user identity using an access point](https://docs.amazonaws.cn/efs/latest/ug/efs-access-points.html#enforce-identity-access-points) in the *Amazon Elastic File System User Guide*. 

## [EFS.5] EFS access points should be tagged


**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `Amazon::EFS::AccessPoint`

**Amazon Config rule:** `tagged-efs-accesspoint` (custom Security Hub CSPM rule)

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  requiredTagKeys  | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive.  | StringList (maximum of 6 items)  | 1–6 tag keys that meet [Amazon requirements](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-conventions).  | No default value  | 

This control checks whether an Amazon EFS access point has tags with the specific keys defined in the parameter `requiredTagKeys`. The control fails if the access point doesn’t have any tag keys or if it doesn’t have all the keys specified in the parameter `requiredTagKeys`. If the parameter `requiredTagKeys` isn't provided, the control only checks for the existence of a tag key and fails if the access point isn't tagged with any key. System tags, which are automatically applied and begin with `aws:`, are ignored.

A tag is a label that you assign to an Amazon resource, and it consists of a key and an optional value. You can create tags to categorize resources by purpose, owner, environment, or other criteria. Tags can help you identify, organize, search for, and filter resources. Tagging also helps you track accountable resource owners for actions and notifications. When you use tagging, you can implement attribute-based access control (ABAC) as an authorization strategy, which defines permissions based on tags. You can attach tags to IAM entities (users or roles) and to Amazon resources. You can create a single ABAC policy or a separate set of policies for your IAM principals. You can design these ABAC policies to allow operations when the principal's tag matches the resource tag. For more information, see [What is ABAC for Amazon?](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*.

**Note**  
Don’t add personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible to many Amazon Web Services services, including Amazon Billing. For more tagging best practices, see [Tagging your Amazon resources](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-best-practices) in the *Amazon Web Services General Reference*.

### Remediation


To add tags to an EFS access point, see [Tagging Amazon EFS resources](https://docs.amazonaws.cn/efs/latest/ug/manage-fs-tags.html) in the *Amazon Elastic File System User Guide*.

## [EFS.6] EFS mount targets should not be associated with subnets that assign public IP addresses on launch


**Category:** Protect > Network security > Resources not publicly accessible

**Severity:** Medium

**Resource type:** `AWS::EFS::FileSystem`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/efs-mount-target-public-accessible.html](https://docs.amazonaws.cn/config/latest/developerguide/efs-mount-target-public-accessible.html)

**Schedule type:** Periodic

**Parameters:** None

This control checks whether an Amazon EFS mount target is associated with subnets that assign public IP addresses on launch. The control fails if the mount target is associated with subnets that assign public IP addresses on launch.

Subnets have attributes that determine whether network interfaces automatically receive public IPv4 and IPv6 addresses. For IPv4, this attribute (`MapPublicIpOnLaunch`) is set to `TRUE` for default subnets and `FALSE` for nondefault subnets (with an exception for nondefault subnets created through the EC2 launch instance wizard, where it's set to `TRUE`). For IPv6, the corresponding attribute (`AssignIpv6AddressOnCreation`) is set to `FALSE` for all subnets by default. When these attributes are enabled, instances launched in the subnet automatically receive the corresponding IP addresses (IPv4 or IPv6) on their primary network interface. Amazon EFS mount targets that are created in subnets with either attribute enabled have a public IP address assigned to their primary network interface.

### Remediation


To associate an existing mount target with a different subnet, you must create a new mount target in a subnet that does not assign public IP addresses on launch and then remove the old mount target. For information about managing mount targets, see [Creating and managing mount targets and security groups](https://docs.amazonaws.cn/efs/latest/ug/accessing-fs.html) in the *Amazon Elastic File System User Guide*. 

## [EFS.7] EFS file systems should have automatic backups enabled


**Category:** Recover > Resilience > Backups enabled

**Severity:** Medium

**Resource type:** `AWS::EFS::FileSystem`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/efs-automatic-backups-enabled.html](https://docs.amazonaws.cn/config/latest/developerguide/efs-automatic-backups-enabled.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether an Amazon EFS file system has automatic backups enabled. This control fails if the EFS file system doesn't have automatic backups enabled.

A data backup is a copy of your system, configuration, or application data that's stored separately from the original. Enabling regular backups helps you safeguard valuable data against unforeseen events like system failures, cyberattacks, or accidental deletions. Having a robust backup strategy also facilitates quicker recovery, business continuity, and peace of mind in the face of potential data loss.

### Remediation


For information about using Amazon Backup for EFS file systems, see [Backing up EFS file systems](https://docs.amazonaws.cn/efs/latest/ug/awsbackup.html) in the *Amazon Elastic File System User Guide*.

## [EFS.8] EFS file systems should be encrypted at rest


**Related requirements:** CIS Amazon Foundations Benchmark v5.0.0/2.3.1

**Category:** Protect > Data Protection > Encryption of data-at-rest

**Severity:** Medium

**Resource type:** `AWS::EFS::FileSystem`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/efs-filesystem-ct-encrypted.html](https://docs.amazonaws.cn/config/latest/developerguide/efs-filesystem-ct-encrypted.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether an Amazon EFS file system encrypts data with Amazon Key Management Service (Amazon KMS). The control fails if a file system isn't encrypted.

Data at rest refers to data that's stored in persistent, non-volatile storage for any duration. Encrypting data at rest helps you protect its confidentiality, which reduces the risk that an unauthorized user can access it.

### Remediation


To enable encryption at rest for a new EFS file system, see [Encrypting data at rest](https://docs.amazonaws.cn/efs/latest/ug/encryption-at-rest.html) in the *Amazon Elastic File System User Guide*.
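The following is an added example, not code from this guide or from the Security Hub CSPM rules. It re-implements the documented pass/fail logic for EFS.1 and EFS.8 (`Encrypted`), EFS.3 (access point root directory), EFS.4 (POSIX user), EFS.5 (required tag keys) and EFS.6 (mount target subnets) over the shapes that `DescribeFileSystems`, `DescribeAccessPoints`, `DescribeMountTargets` and EC2 `DescribeSubnets` return. The field names are assumed from those APIs, the sample records and IDs are constructed, and the choice to fail a mount target whose subnet record is missing is this example's own conservative default, not documented rule behaviour.

```python
"""Evaluate EFS describe-* output against EFS.1/EFS.8, EFS.3, EFS.4, EFS.5 and EFS.6.

Added example that re-implements the documented pass/fail logic; it is not
Security Hub or Config rule code. Inputs mirror (assumed field names) the
DescribeFileSystems, DescribeAccessPoints, DescribeMountTargets and EC2
DescribeSubnets responses.
"""


def check_encrypted(fs):
    """EFS.1 / EFS.8: `Encrypted` must be true; the KMS key itself is not compared."""
    return "PASSED" if fs.get("Encrypted") is True else "FAILED"


def check_root_directory(ap):
    """EFS.3: the access point must enforce a root directory other than `/`.
    DescribeAccessPoints reports Path "/" when none was set; a missing Path is
    treated the same way."""
    path = ap.get("RootDirectory", {}).get("Path", "/")
    return "FAILED" if path.rstrip("/") == "" else "PASSED"


def check_posix_user(ap):
    """EFS.4: the access point must enforce a POSIX identity (Uid and Gid)."""
    posix = ap.get("PosixUser") or {}
    return "PASSED" if "Uid" in posix and "Gid" in posix else "FAILED"


def check_required_tags(tags, required_keys=()):
    """EFS.5: ignore `aws:` system tags, then fail on no user tags or on any
    missing required key. Keys are compared case sensitively."""
    keys = {t["Key"] for t in tags if not t["Key"].startswith("aws:")}
    if not keys or not set(required_keys) <= keys:
        return "FAILED"
    return "PASSED"


def check_mount_target_subnets(mount_targets, subnets):
    """EFS.6: no mount target may sit in a subnet that auto-assigns public IPs.
    Joins each mount target's SubnetId to its EC2 subnet record and reads the
    IPv4 (MapPublicIpOnLaunch) and IPv6 (AssignIpv6AddressOnCreation) flags.
    A subnet the caller did not supply fails (this example's choice)."""
    by_id = {s["SubnetId"]: s for s in subnets}
    for mt in mount_targets:
        subnet = by_id.get(mt["SubnetId"])
        if (subnet is None or subnet.get("MapPublicIpOnLaunch")
                or subnet.get("AssignIpv6AddressOnCreation")):
            return "FAILED"
    return "PASSED"


def evaluate_file_system(fs, access_points, mount_targets, subnets, required_keys=()):
    """Findings for one file system plus its access points and mount targets."""
    fs_id = fs["FileSystemId"]
    findings = {"EFS.1": check_encrypted(fs)}
    for ap in access_points:
        if ap["FileSystemId"] == fs_id:
            ap_id = ap["AccessPointId"]
            findings[f"EFS.3 {ap_id}"] = check_root_directory(ap)
            findings[f"EFS.4 {ap_id}"] = check_posix_user(ap)
            findings[f"EFS.5 {ap_id}"] = check_required_tags(ap.get("Tags", []), required_keys)
    own_targets = [mt for mt in mount_targets if mt["FileSystemId"] == fs_id]
    findings["EFS.6"] = check_mount_target_subnets(own_targets, subnets)
    return findings


# Constructed sample records (all IDs and the key ARN are invented).
FILE_SYSTEMS = [
    {"FileSystemId": "fs-aaaa1111", "Encrypted": False},
    {"FileSystemId": "fs-bbbb2222", "Encrypted": True,
     "KmsKeyId": "arn:aws-cn:kms:cn-north-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"},
]
ACCESS_POINTS = [
    {"AccessPointId": "fsap-01", "FileSystemId": "fs-aaaa1111", "RootDirectory": {"Path": "/"},
     "Tags": [{"Key": "aws:cloudformation:stack-name", "Value": "legacy"}]},
    {"AccessPointId": "fsap-02", "FileSystemId": "fs-bbbb2222",
     "PosixUser": {"Uid": 1001, "Gid": 1001}, "RootDirectory": {"Path": "/app/data"},
     "Tags": [{"Key": "Owner", "Value": "storage-team"}, {"Key": "Environment", "Value": "prod"}]},
]
MOUNT_TARGETS = [
    {"MountTargetId": "fsmt-01", "FileSystemId": "fs-aaaa1111", "SubnetId": "subnet-0pub"},
    {"MountTargetId": "fsmt-02", "FileSystemId": "fs-bbbb2222", "SubnetId": "subnet-0priv"},
]
SUBNETS = [
    {"SubnetId": "subnet-0pub", "MapPublicIpOnLaunch": True, "AssignIpv6AddressOnCreation": False},
    {"SubnetId": "subnet-0priv", "MapPublicIpOnLaunch": False, "AssignIpv6AddressOnCreation": False},
]

if __name__ == "__main__":
    for fs in FILE_SYSTEMS:
        print(fs["FileSystemId"], evaluate_file_system(
            fs, ACCESS_POINTS, MOUNT_TARGETS, SUBNETS, required_keys=("Owner", "Environment")))
```

The first file system fails every check, including EFS.5, because its only tag is a system tag that the control ignores. Passing `required_keys=("owner",)` against the second access point also fails, which is the case-sensitivity rule from the parameter table in action.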

# Security Hub CSPM controls for Amazon EKS
Amazon EKS controls

These Security Hub CSPM controls evaluate the Amazon Elastic Kubernetes Service (Amazon EKS) service and resources. The controls might not be available in all Amazon Web Services Regions. For more information, see [Availability of controls by Region](securityhub-regions.md#securityhub-regions-control-support).

## [EKS.1] EKS cluster endpoints should not be publicly accessible


**Related requirements:** NIST.800-53.r5 AC-21, NIST.800-53.r5 AC-3, NIST.800-53.r5 AC-3(7), NIST.800-53.r5 AC-4, NIST.800-53.r5 AC-4(21), NIST.800-53.r5 AC-6, NIST.800-53.r5 SC-7, NIST.800-53.r5 SC-7(11), NIST.800-53.r5 SC-7(16), NIST.800-53.r5 SC-7(20), NIST.800-53.r5 SC-7(21), NIST.800-53.r5 SC-7(3), NIST.800-53.r5 SC-7(4), NIST.800-53.r5 SC-7(9), PCI DSS v4.0.1/1.4.4

**Category:** Protect > Secure network configuration > Resources not publicly accessible

**Severity:** High

**Resource type:** `AWS::EKS::Cluster`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/eks-endpoint-no-public-access.html](https://docs.amazonaws.cn/config/latest/developerguide/eks-endpoint-no-public-access.html)

**Schedule type:** Periodic

**Parameters:** None

This control checks whether an Amazon EKS cluster endpoint is publicly accessible. The control fails if an EKS cluster has an endpoint that is publicly accessible.

When you create a new cluster, Amazon EKS creates an endpoint for the managed Kubernetes API server that you use to communicate with your cluster. By default, this API server endpoint is publicly available to the internet. Access to the API server is secured using a combination of Amazon Identity and Access Management (IAM) and native Kubernetes Role Based Access Control (RBAC). By removing public access to the endpoint, you can avoid unintentional exposure and access to your cluster.

### Remediation


To modify endpoint access for an existing EKS cluster, see [Modifying cluster endpoint access](https://docs.amazonaws.cn/eks/latest/userguide/cluster-endpoint.html#modify-endpoint-access) in the **Amazon EKS User Guide**. You can set up endpoint access for a new EKS cluster when creating it. For instructions on creating a new Amazon EKS cluster, see [Creating an Amazon EKS cluster](https://docs.amazonaws.cn/eks/latest/userguide/create-cluster.html) in the **Amazon EKS User Guide**. 

## [EKS.2] EKS clusters should run on a supported Kubernetes version


**Related requirements:** NIST.800-53.r5 CA-9(1), NIST.800-53.r5 CM-2, NIST.800-53.r5 SI-2, NIST.800-53.r5 SI-2(2), NIST.800-53.r5 SI-2(4), NIST.800-53.r5 SI-2(5), PCI DSS v4.0.1/12.3.4

**Category:** Identify > Vulnerability, patch, and version management

**Severity:** High

**Resource type:** `AWS::EKS::Cluster`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/eks-cluster-supported-version.html](https://docs.amazonaws.cn/config/latest/developerguide/eks-cluster-supported-version.html)

**Schedule type:** Change triggered

**Parameters:**
+ `oldestVersionSupported`: `1.33` (not customizable)

This control checks whether an Amazon Elastic Kubernetes Service (Amazon EKS) cluster runs on a supported Kubernetes version. The control fails if the EKS cluster runs on an unsupported version.

If your application doesn't require a specific version of Kubernetes, we recommend that you use the latest available Kubernetes version that's supported by EKS for your clusters. For more information, see [Amazon EKS Kubernetes release calendar](https://docs.amazonaws.cn/eks/latest/userguide/kubernetes-versions.html#kubernetes-release-calendar) and [Understand the Kubernetes version lifecycle on Amazon EKS](https://docs.amazonaws.cn/eks/latest/userguide/kubernetes-versions.html#version-deprecation) in the **Amazon EKS User Guide**.

### Remediation


To update an EKS cluster, see [Update an existing cluster to a new Kubernetes version](https://docs.amazonaws.cn/eks/latest/userguide/update-cluster.html) in the **Amazon EKS User Guide**. 

## [EKS.3] EKS clusters should use encrypted Kubernetes secrets


**Related requirements:** NIST.800-53.r5 SC-8, NIST.800-53.r5 SC-12, NIST.800-53.r5 SC-13, NIST.800-53.r5 SC-28, PCI DSS v4.0.1/8.3.2

**Category:** Protect > Data Protection > Encryption of data-at-rest

**Severity:** Medium

**Resource type:** `AWS::EKS::Cluster`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/eks-cluster-secrets-encrypted.html](https://docs.amazonaws.cn/config/latest/developerguide/eks-cluster-secrets-encrypted.html)

**Schedule type:** Periodic

**Parameters:** None

This control checks whether an Amazon EKS cluster uses encrypted Kubernetes secrets. The control fails if the cluster's Kubernetes secrets aren't encrypted.

When you encrypt secrets, you can use Amazon Key Management Service (Amazon KMS) keys to provide envelope encryption of Kubernetes secrets stored in etcd for your cluster. This encryption is in addition to the EBS volume encryption that is enabled by default for all data (including secrets) that is stored in etcd as part of an EKS cluster. Using secrets encryption for your EKS cluster allows you to deploy a defense in depth strategy for Kubernetes applications by encrypting Kubernetes secrets with a KMS key that you define and manage.

### Remediation


To enable secrets encryption on an EKS cluster, see [Enabling secret encryption on an existing cluster](https://docs.amazonaws.cn/eks/latest/userguide/enable-kms.html) in the **Amazon EKS User Guide**. 

## [EKS.6] EKS clusters should be tagged


**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `Amazon::EKS::Cluster`

**Amazon Config rule:** `tagged-eks-cluster` (custom Security Hub CSPM rule)

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  requiredTagKeys  | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive.  | StringList (maximum of 6 items)  | 1–6 tag keys that meet [Amazon requirements](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-conventions).  | No default value  | 

This control checks whether an Amazon EKS cluster has tags with the specific keys defined in the parameter `requiredTagKeys`. The control fails if the cluster doesn’t have any tag keys or if it doesn’t have all the keys specified in the parameter `requiredTagKeys`. If the parameter `requiredTagKeys` isn't provided, the control only checks for the existence of a tag key and fails if the cluster isn't tagged with any key. System tags, which are automatically applied and begin with `aws:`, are ignored.

A tag is a label that you assign to an Amazon resource, and it consists of a key and an optional value. You can create tags to categorize resources by purpose, owner, environment, or other criteria. Tags can help you identify, organize, search for, and filter resources. Tagging also helps you track accountable resource owners for actions and notifications. When you use tagging, you can implement attribute-based access control (ABAC) as an authorization strategy, which defines permissions based on tags. You can attach tags to IAM entities (users or roles) and to Amazon resources. You can create a single ABAC policy or a separate set of policies for your IAM principals. You can design these ABAC policies to allow operations when the principal's tag matches the resource tag. For more information, see [What is ABAC for Amazon?](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*.

**Note**  
Don’t add personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible to many Amazon Web Services services, including Amazon Billing. For more tagging best practices, see [Tagging your Amazon resources](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-best-practices) in the *Amazon Web Services General Reference*.

### Remediation


To add tags to an EKS cluster, see [Tagging your Amazon EKS resources](https://docs.amazonaws.cn/eks/latest/userguide/eks-using-tags.html) in the **Amazon EKS User Guide**.

## [EKS.7] EKS identity provider configurations should be tagged


**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `Amazon::EKS::IdentityProviderConfig`

**Amazon Config rule:** `tagged-eks-identityproviderconfig` (custom Security Hub CSPM rule)

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  requiredTagKeys  | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive.  | StringList (maximum of 6 items)  | 1–6 tag keys that meet [Amazon requirements](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-conventions).  | No default value  | 

This control checks whether an Amazon EKS identity provider configuration has tags with the specific keys defined in the parameter `requiredTagKeys`. The control fails if the configuration doesn’t have any tag keys or if it doesn’t have all the keys specified in the parameter `requiredTagKeys`. If the parameter `requiredTagKeys` isn't provided, the control only checks for the existence of a tag key and fails if the configuration isn't tagged with any key. System tags, which are automatically applied and begin with `aws:`, are ignored.

A tag is a label that you assign to an Amazon resource, and it consists of a key and an optional value. You can create tags to categorize resources by purpose, owner, environment, or other criteria. Tags can help you identify, organize, search for, and filter resources. Tagging also helps you track accountable resource owners for actions and notifications. When you use tagging, you can implement attribute-based access control (ABAC) as an authorization strategy, which defines permissions based on tags. You can attach tags to IAM entities (users or roles) and to Amazon resources. You can create a single ABAC policy or a separate set of policies for your IAM principals. You can design these ABAC policies to allow operations when the principal's tag matches the resource tag. For more information, see [What is ABAC for Amazon?](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*.

**Note**  
Don’t add personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible to many Amazon Web Services services, including Amazon Billing. For more tagging best practices, see [Tagging your Amazon resources](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-best-practices) in the *Amazon Web Services General Reference*.

### Remediation


To add tags to an EKS identity provider configuration, see [Tagging your Amazon EKS resources](https://docs.amazonaws.cn/eks/latest/userguide/eks-using-tags.html) in the **Amazon EKS User Guide**.
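The tag evaluation that EKS.6 and EKS.7 describe (system `aws:` tags ignored, case-sensitive keys, a different rule when `requiredTagKeys` is absent) is small enough to reproduce offline. The following is an added example written for this page, not Security Hub CSPM's or Amazon Config's own rule code; the resource records are constructed sample data whose `{"tags": {key: value}}` shape follows the `eks:ListTagsForResource` response, and the resource names are made up.

```python
"""EKS.6 / EKS.7 style tag evaluation (added example, not the rule's own code)."""
from typing import Dict, List, Optional, Set, Tuple

SYSTEM_TAG_PREFIX = "aws:"        # system tags are applied automatically and ignored
MAX_REQUIRED_TAG_KEYS = 6         # requiredTagKeys is a StringList of at most 6 items


def non_system_tag_keys(tags: Dict[str, str]) -> Set[str]:
    """Tag keys a user can manage: everything that does not start with 'aws:'."""
    return {key for key in tags if not key.startswith(SYSTEM_TAG_PREFIX)}


def evaluate_required_tags(tags: Dict[str, str],
                           required_tag_keys: Optional[List[str]] = None) -> Tuple[str, str]:
    """Return ("PASSED" | "FAILED", reason) for one resource.

    Without requiredTagKeys the resource only needs at least one non-system
    tag key. With it, every listed key must be present; keys are case
    sensitive, so "owner" does not satisfy "Owner".
    """
    present = non_system_tag_keys(tags)
    if required_tag_keys:
        if len(required_tag_keys) > MAX_REQUIRED_TAG_KEYS:
            raise ValueError("requiredTagKeys accepts at most 6 keys")
        missing = [key for key in required_tag_keys if key not in present]
        if missing:
            return "FAILED", "missing required tag keys: " + ", ".join(missing)
        return "PASSED", "all required tag keys present"
    if not present:
        return "FAILED", "no non-system tag keys"
    return "PASSED", "%d non-system tag key(s) present" % len(present)


# Constructed sample resources (not real account data).
SAMPLE_RESOURCES = {
    "payments-prod": {"tags": {"Owner": "payments-team", "Environment": "prod",
                               "aws:cloudformation:stack-name": "eks-payments"}},
    "sandbox":       {"tags": {"aws:cloudformation:stack-name": "eks-sandbox"}},
    "legacy":        {"tags": {"owner": "platform"}},   # lower-case key on purpose
}


def evaluate_all(resources: Dict[str, Dict], required_tag_keys=None) -> Dict[str, str]:
    """Map each resource name to its compliance status."""
    return {name: evaluate_required_tags(res["tags"], required_tag_keys)[0]
            for name, res in resources.items()}


if __name__ == "__main__":
    for keys in (None, ["Owner", "Environment"]):
        print("requiredTagKeys =", keys)
        for name, res in SAMPLE_RESOURCES.items():
            status, reason = evaluate_required_tags(res["tags"], keys)
            print("  %-14s %-7s %s" % (name, status, reason))
```

Note that `sandbox` fails in both modes: its only tag is a CloudFormation system tag, which the control does not count. `legacy` passes without a parameter but fails once `Owner` is required, because tag keys are compared case-sensitively.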

## [EKS.8] EKS clusters should have audit logging enabled


**Related requirements:** NIST.800-53.r5 AC-2(12), NIST.800-53.r5 AC-2(4), NIST.800-53.r5 AC-4(26), NIST.800-53.r5 AC-6(9), NIST.800-53.r5 AU-10, NIST.800-53.r5 AU-12, NIST.800-53.r5 AU-2, NIST.800-53.r5 AU-3, NIST.800-53.r5 AU-6(3), NIST.800-53.r5 AU-6(4), NIST.800-53.r5 AU-9(7), NIST.800-53.r5 CA-7, NIST.800-53.r5 SC-7(9), NIST.800-53.r5 SI-3(8), NIST.800-53.r5 SI-4, NIST.800-53.r5 SI-4(20), NIST.800-53.r5 SI-7(8), PCI DSS v4.0.1/10.2.1

**Category:** Identify > Logging

**Severity:** Medium

**Resource type:** `AWS::EKS::Cluster`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/eks-cluster-log-enabled.html](https://docs.amazonaws.cn/config/latest/developerguide/eks-cluster-log-enabled.html)

**Schedule type:** Change triggered

**Parameters:**
+ `logTypes: audit` (not customizable)

This control checks whether an Amazon EKS cluster has audit logging enabled. The control fails if audit logging isn't enabled for the cluster.

**Note**  
This control doesn't check whether Amazon EKS audit logging is enabled through Amazon Security Lake for the Amazon Web Services account.

EKS control plane logging provides audit and diagnostic logs directly from the EKS control plane to Amazon CloudWatch Logs in your account. You can select the log types you need, and logs are sent as log streams to a group for each EKS cluster in CloudWatch. Logging provides visibility into the access and performance of EKS clusters. By sending EKS control plane logs for your EKS clusters to CloudWatch Logs, you can record operations for audit and diagnostic purposes in a central location.

### Remediation


To enable audit logs for your EKS cluster, see [Enabling and disabling control plane logs](https://docs.amazonaws.cn/eks/latest/userguide/control-plane-logs.html#enabling-control-plane-log-export) in the **Amazon EKS User Guide**.

## [EKS.9] EKS node groups should run on a supported Kubernetes version


**Category:** Identify > Vulnerability, patch, and version management

**Severity:** High

**Resource type:** `AWS::EKS::Nodegroup`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/eks-nodegroup-supported-version-check.html](https://docs.amazonaws.cn/config/latest/developerguide/eks-nodegroup-supported-version-check.html)

**Schedule type:** Change triggered

**Parameters:**
+ `oldestVersionSupported`: `1.33` (not customizable)

This control checks whether an Amazon EKS node group runs on a supported Kubernetes version. The control fails if the EKS node group runs on an unsupported version.

Running EKS node groups on unsupported Kubernetes versions means those nodes no longer receive security patches, bug fixes, or compatibility updates from Amazon. Unsupported versions may contain known vulnerabilities that have been addressed in newer releases, and they may experience compatibility issues with updated Amazon Web Services services, container images, and third-party tools in the Kubernetes ecosystem. If your application doesn't require a specific version of Kubernetes, we recommend that you use the latest available Kubernetes version that's supported by Amazon EKS for your node groups. For more information, see [Amazon EKS Kubernetes release calendar](https://docs.amazonaws.cn/eks/latest/userguide/kubernetes-versions.html#kubernetes-release-calendar) and [Understand each phase of node updates](https://docs.amazonaws.cn/eks/latest/userguide/managed-node-update-behavior.html) in the **Amazon EKS User Guide**.

### Remediation


To update an EKS node group, see [Update a managed node group for your cluster](https://docs.amazonaws.cn/eks/latest/userguide/update-managed-node-group.html) in the **Amazon EKS User Guide**.
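The four cluster-level checks above (EKS.2 supported version, EKS.3 secrets encryption, EKS.8 audit logging, and EKS.9 node group version) can all be evaluated from the `DescribeCluster` and `DescribeNodegroup` responses. The following is an added example written for this page, not the Amazon Config rule code; the cluster and node group records are constructed, their field names follow those API responses, the KMS key ARN is a placeholder, and `oldestVersionSupported` is the `1.33` value stated in the parameter lists above. It also shows why the version must be compared numerically rather than as text.

```python
"""Offline EKS.2 / EKS.3 / EKS.8 / EKS.9 evaluation (added example, not the rule code)."""
from typing import Dict, Tuple

OLDEST_SUPPORTED_VERSION = "1.33"   # oldestVersionSupported from the control (not customizable)


def parse_version(version: str) -> Tuple[int, ...]:
    """'1.33' -> (1, 33). Numeric tuples compare correctly; text does not
    ('1.9' > '1.33' as strings, although 1.9 is far older than 1.33)."""
    return tuple(int(part) for part in version.split("."))


def version_is_supported(version: str, oldest: str = OLDEST_SUPPORTED_VERSION) -> bool:
    return parse_version(version) >= parse_version(oldest)


def secrets_encrypted(cluster: Dict) -> bool:
    """EKS.3: an encryptionConfig entry that covers 'secrets' with a KMS key."""
    for config in cluster.get("encryptionConfig", []):
        if "secrets" in config.get("resources", []) and config.get("provider", {}).get("keyArn"):
            return True
    return False


def audit_logging_enabled(cluster: Dict) -> bool:
    """EKS.8: an enabled clusterLogging entry whose types include 'audit'."""
    for entry in cluster.get("logging", {}).get("clusterLogging", []):
        if entry.get("enabled") and "audit" in entry.get("types", []):
            return True
    return False


def _status(ok: bool) -> str:
    return "PASSED" if ok else "FAILED"


def evaluate_cluster(cluster: Dict) -> Dict[str, str]:
    return {
        "EKS.2": _status(version_is_supported(cluster["version"])),
        "EKS.3": _status(secrets_encrypted(cluster)),
        "EKS.8": _status(audit_logging_enabled(cluster)),
    }


def evaluate_nodegroup(nodegroup: Dict) -> Dict[str, str]:
    return {"EKS.9": _status(version_is_supported(nodegroup["version"]))}


# Constructed sample data (not real clusters); the key ARN is a placeholder.
COMPLIANT_CLUSTER = {
    "name": "payments-prod",
    "version": "1.33",
    "encryptionConfig": [{"resources": ["secrets"],
                          "provider": {"keyArn": "arn:aws:kms:REGION:ACCOUNT_ID:key/PLACEHOLDER-KEY-ID"}}],
    "logging": {"clusterLogging": [
        {"types": ["api", "audit", "authenticator"], "enabled": True},
        {"types": ["controllerManager", "scheduler"], "enabled": False},
    ]},
}
NONCOMPLIANT_CLUSTER = {
    "name": "legacy",
    "version": "1.29",
    "encryptionConfig": [],
    "logging": {"clusterLogging": [{"types": ["api"], "enabled": True},
                                   {"types": ["audit"], "enabled": False}]},
}
OLD_NODEGROUP = {"nodegroupName": "workers-a", "version": "1.9"}

if __name__ == "__main__":
    for cluster in (COMPLIANT_CLUSTER, NONCOMPLIANT_CLUSTER):
        print(cluster["name"], evaluate_cluster(cluster))
    print(OLD_NODEGROUP["nodegroupName"], evaluate_nodegroup(OLD_NODEGROUP))
```

The `NONCOMPLIANT_CLUSTER` record shows the detail that matters for EKS.8: an `audit` entry that exists but is `enabled: False` still fails the control.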

# Security Hub CSPM controls for ElastiCache
Amazon ElastiCache controls

These Amazon Security Hub CSPM controls evaluate the Amazon ElastiCache service and resources. The controls might not be available in all Amazon Web Services Regions. For more information, see [Availability of controls by Region](securityhub-regions.md#securityhub-regions-control-support).

## [ElastiCache.1] ElastiCache (Redis OSS) clusters should have automatic backups enabled


**Related requirements:** NIST.800-53.r5 CP-10, NIST.800-53.r5 CP-6, NIST.800-53.r5 CP-6(1), NIST.800-53.r5 CP-6(2), NIST.800-53.r5 CP-9, NIST.800-53.r5 SC-5(2), NIST.800-53.r5 SI-12, NIST.800-53.r5 SI-13(5)

**Category:** Recover > Resilience > Backups enabled

**Severity:** High

**Resource type:** `AWS::ElastiCache::CacheCluster`, `AWS::ElastiCache::ReplicationGroup`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/elasticache-redis-cluster-automatic-backup-check.html](https://docs.amazonaws.cn/config/latest/developerguide/elasticache-redis-cluster-automatic-backup-check.html)

**Schedule type:** Periodic

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  `snapshotRetentionPeriod`  |  Minimum snapshot retention period in days  |  Integer  |  `1` to `35`  |  `1`  | 

This control evaluates whether an Amazon ElastiCache (Redis OSS) cluster has automatic backups enabled. The control fails if the `SnapshotRetentionLimit` for the Redis OSS cluster is less than the specified time period. Unless you provide a custom parameter value for the snapshot retention period, Security Hub CSPM uses a default value of 1 day.

ElastiCache (Redis OSS) clusters can back up their data. You can use the backup to restore a cluster or seed a new cluster. The backup consists of the cluster's metadata, along with all the data in the cluster. All backups are written to Amazon S3, which provides durable storage. You can restore your data by creating a new ElastiCache cluster and populating it with data from a backup. You can manage backups using the Amazon Web Services Management Console, the Amazon CLI, and the ElastiCache API.

**Note**  
This control also evaluates ElastiCache (Redis OSS and Valkey) replication groups.

### Remediation


For information about scheduling automatic backups for an ElastiCache cluster, see [Scheduling automatic backups](https://docs.amazonaws.cn/AmazonElastiCache/latest/red-ug/backups-automatic.html) in the *Amazon ElastiCache User Guide*.

## [ElastiCache.2] ElastiCache clusters should have automatic minor version upgrades enabled


**Related requirements:** NIST.800-53.r5 SI-2, NIST.800-53.r5 SI-2(2), NIST.800-53.r5 SI-2(4), NIST.800-53.r5 SI-2(5), PCI DSS v4.0.1/6.3.3

**Category:** Identify > Vulnerability, patch, and version management

**Severity:** High

**Resource type:** `AWS::ElastiCache::CacheCluster`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/elasticache-auto-minor-version-upgrade-check.html](https://docs.amazonaws.cn/config/latest/developerguide/elasticache-auto-minor-version-upgrade-check.html)

**Schedule type:** Periodic

**Parameters:** None

This control evaluates whether Amazon ElastiCache automatically applies minor version upgrades to a cache cluster. The control fails if the cache cluster doesn't have minor version upgrades automatically applied.

**Note**  
This control doesn't apply to ElastiCache Memcached clusters.

Automatic minor version upgrade is a feature that you can enable in Amazon ElastiCache to automatically upgrade your cache clusters when a new minor cache engine version is available. These upgrades might include security patches and bug fixes. Staying up-to-date with patch installation is an important step in securing systems.

### Remediation


To automatically apply minor version upgrades to an existing ElastiCache cache cluster, see [Version management for ElastiCache](https://docs.amazonaws.cn/AmazonElastiCache/latest/red-ug/VersionManagement.html) in the *Amazon ElastiCache User Guide*.

## [ElastiCache.3] ElastiCache replication groups should have automatic failover enabled


**Related requirements:** NIST.800-53.r5 CP-10, NIST.800-53.r5 SC-36, NIST.800-53.r5 SC-5(2), NIST.800-53.r5 SI-13(5)

**Category:** Recover > Resilience > High availability

**Severity:** Medium

**Resource type:** `AWS::ElastiCache::ReplicationGroup`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/elasticache-repl-grp-auto-failover-enabled.html](https://docs.amazonaws.cn/config/latest/developerguide/elasticache-repl-grp-auto-failover-enabled.html)

**Schedule type:** Periodic

**Parameters:** None

This control checks whether an ElastiCache replication group has automatic failover enabled. The control fails if automatic failover isn't enabled for a replication group.

When automatic failover is enabled for a replication group, the primary node role automatically fails over to one of the read replicas. This failover and replica promotion ensure that you can resume writing to the new primary after promotion is complete, which reduces overall downtime in case of failure.

### Remediation


To enable automatic failover for an existing ElastiCache replication group, see [Modifying an ElastiCache cluster](https://docs.amazonaws.cn/AmazonElastiCache/latest/red-ug/Clusters.Modify.html#Clusters.Modify.CON) in the *Amazon ElastiCache User Guide*. If you use the ElastiCache console, set **Auto failover** to enabled.

## [ElastiCache.4] ElastiCache replication groups should be encrypted at rest


**Related requirements:** NIST.800-53.r5 CA-9(1), NIST.800-53.r5 CM-3(6), NIST.800-53.r5 SC-13, NIST.800-53.r5 SC-28, NIST.800-53.r5 SC-28(1), NIST.800-53.r5 SC-7(10), NIST.800-53.r5 SI-7(6)

**Category:** Protect > Data Protection > Encryption of data-at-rest

**Severity:** Medium

**Resource type:** `AWS::ElastiCache::ReplicationGroup`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/elasticache-repl-grp-encrypted-at-rest.html](https://docs.amazonaws.cn/config/latest/developerguide/elasticache-repl-grp-encrypted-at-rest.html)

**Schedule type:** Periodic

**Parameters:** None

This control checks whether an ElastiCache replication group is encrypted at rest. The control fails if the replication group isn't encrypted at rest.

Encrypting data at rest reduces the risk that an unauthenticated user gets access to data that is stored on disk. ElastiCache (Redis OSS) replication groups should be encrypted at rest for an added layer of security.

### Remediation


To configure at-rest encryption on an ElastiCache replication group, see [Enabling at-rest encryption](https://docs.amazonaws.cn/AmazonElastiCache/latest/red-ug/at-rest-encryption.html#at-rest-encryption-enable) in the *Amazon ElastiCache User Guide*.

## [ElastiCache.5] ElastiCache replication groups should be encrypted in transit


**Related requirements:** NIST.800-53.r5 AC-17(2), NIST.800-53.r5 AC-4, NIST.800-53.r5 IA-5(1), NIST.800-53.r5 SC-12(3), NIST.800-53.r5 SC-13, NIST.800-53.r5 SC-23, NIST.800-53.r5 SC-23(3), NIST.800-53.r5 SC-7(4), NIST.800-53.r5 SC-8, NIST.800-53.r5 SC-8(1), NIST.800-53.r5 SC-8(2), NIST.800-53.r5 SI-7(6), PCI DSS v4.0.1/4.2.1

**Category:** Protect > Data Protection > Encryption of data-in-transit

**Severity:** Medium

**Resource type:** `AWS::ElastiCache::ReplicationGroup`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/elasticache-repl-grp-encrypted-in-transit.html](https://docs.amazonaws.cn/config/latest/developerguide/elasticache-repl-grp-encrypted-in-transit.html)

**Schedule type:** Periodic

**Parameters:** None

This control checks whether an ElastiCache replication group is encrypted in transit. The control fails if the replication group isn't encrypted in transit.

Encrypting data in transit reduces the risk that an unauthorized user can eavesdrop on network traffic. Enabling encryption in transit on an ElastiCache replication group encrypts your data whenever it's moving from one place to another, such as between nodes in your cluster or between your cluster and your application.

### Remediation


To configure in-transit encryption on an ElastiCache replication group, see [Enabling in-transit encryption](https://docs.amazonaws.cn/AmazonElastiCache/latest/red-ug/in-transit-encryption.html) in the *Amazon ElastiCache User Guide*.

## [ElastiCache.6] ElastiCache (Redis OSS) replication groups of earlier versions should have Redis OSS AUTH enabled


**Related requirements:** NIST.800-53.r5 AC-2(1), NIST.800-53.r5 AC-3, NIST.800-53.r5 AC-3(15), NIST.800-53.r5 AC-3(7), NIST.800-53.r5 AC-6, PCI DSS v4.0.1/8.3.1

**Category:** Protect > Secure access management

**Severity:** Medium

**Resource type:** `AWS::ElastiCache::ReplicationGroup`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/elasticache-repl-grp-redis-auth-enabled.html](https://docs.amazonaws.cn/config/latest/developerguide/elasticache-repl-grp-redis-auth-enabled.html)

**Schedule type:** Periodic

**Parameters:** None

This control checks whether an ElastiCache (Redis OSS) replication group has Redis OSS AUTH enabled. The control fails if the Redis OSS version of the replication group nodes is below 6.0 and `AuthToken` isn't in use.

When you use Redis authentication tokens, or passwords, Redis requires a password before allowing clients to run commands, which improves data security. For Redis 6.0 and later versions, we recommend using Role-Based Access Control (RBAC). Since RBAC is not supported for Redis versions earlier than 6.0, this control only evaluates versions which can't use the RBAC feature.

### Remediation


To use Redis AUTH on an ElastiCache (Redis OSS) replication group, see [Modifying the AUTH token on an existing ElastiCache (Redis OSS) cluster](https://docs.amazonaws.cn/AmazonElastiCache/latest/red-ug/auth.html#auth-modifyng-token) in the *Amazon ElastiCache User Guide*.
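ElastiCache.1 and ElastiCache.6 are the two ElastiCache controls above whose outcome depends on more than a single boolean: ElastiCache.1 compares `SnapshotRetentionLimit` against the `snapshotRetentionPeriod` parameter, and ElastiCache.6 only evaluates Redis OSS versions below 6.0. The following is an added example written for this page, not the Amazon Config rule code. The records are constructed; `SnapshotRetentionLimit` and `AuthTokenEnabled` are fields of the `DescribeReplicationGroups` / `DescribeCacheClusters` responses, while `Engine` and `EngineVersion` come from the member cache clusters (`DescribeCacheClusters`) and are merged into one record here for simplicity.

```python
"""Offline ElastiCache.1 / ElastiCache.6 evaluation (added example, not the rule code)."""
from typing import Dict, Tuple

DEFAULT_SNAPSHOT_RETENTION_PERIOD = 1    # days; the control's default parameter value
RBAC_MIN_VERSION = (6, 0)                # Redis OSS 6.0+ can use RBAC instead of AUTH


def parse_version(version: str) -> Tuple[int, ...]:
    """'5.0.6' -> (5, 0, 6); compares correctly against (6, 0)."""
    return tuple(int(part) for part in version.split("."))


def check_automatic_backups(resource: Dict,
                            snapshot_retention_period: int = DEFAULT_SNAPSHOT_RETENTION_PERIOD) -> str:
    """ElastiCache.1: SnapshotRetentionLimit must be >= the parameter (allowed 1..35)."""
    if not 1 <= snapshot_retention_period <= 35:
        raise ValueError("snapshotRetentionPeriod must be between 1 and 35")
    if resource["Engine"] not in ("redis", "valkey"):
        return "NOT_APPLICABLE"          # outside the control's scope (Redis OSS / Valkey only)
    retention = resource.get("SnapshotRetentionLimit", 0)   # 0 means automatic backups are off
    return "PASSED" if retention >= snapshot_retention_period else "FAILED"


def check_redis_auth(resource: Dict) -> str:
    """ElastiCache.6: only Redis OSS versions below 6.0 are evaluated."""
    if resource["Engine"] != "redis":
        return "NOT_APPLICABLE"
    if parse_version(resource["EngineVersion"]) >= RBAC_MIN_VERSION:
        return "NOT_APPLICABLE"          # RBAC is available; the control doesn't evaluate these
    return "PASSED" if resource.get("AuthTokenEnabled") else "FAILED"


def evaluate(resource: Dict,
             snapshot_retention_period: int = DEFAULT_SNAPSHOT_RETENTION_PERIOD) -> Dict[str, str]:
    return {"ElastiCache.1": check_automatic_backups(resource, snapshot_retention_period),
            "ElastiCache.6": check_redis_auth(resource)}


# Constructed sample records (not real resources).
SAMPLE_RESOURCES = {
    "sessions-rg": {"Engine": "redis", "EngineVersion": "5.0.6",
                    "SnapshotRetentionLimit": 7, "AuthTokenEnabled": False},
    "catalog-rg":  {"Engine": "redis", "EngineVersion": "7.1",
                    "SnapshotRetentionLimit": 0, "AuthTokenEnabled": False},
    "queue-rg":    {"Engine": "valkey", "EngineVersion": "7.2",
                    "SnapshotRetentionLimit": 1},
    "page-cache":  {"Engine": "memcached", "EngineVersion": "1.6.22"},
}

if __name__ == "__main__":
    for name, resource in SAMPLE_RESOURCES.items():
        print("%-12s default: %s  with 7-day parameter: %s"
              % (name, evaluate(resource), evaluate(resource, 7)))
```

`queue-rg` illustrates the parameter: one day of retention passes the default but fails once an organization sets `snapshotRetentionPeriod` to 7. `sessions-rg` is the case ElastiCache.6 exists for: a pre-6.0 Redis OSS group with no AUTH token, which cannot use RBAC and is therefore reachable by any client that can open a connection.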

## [ElastiCache.7] ElastiCache clusters should not use the default subnet group


**Related requirements:** NIST.800-53.r5 AC-4, NIST.800-53.r5 AC-4(21), NIST.800-53.r5 SC-7, NIST.800-53.r5 SC-7(11), NIST.800-53.r5 SC-7(16), NIST.800-53.r5 SC-7(21), NIST.800-53.r5 SC-7(4), NIST.800-53.r5 SC-7(5)

**Category:** Protect > Secure network configuration

**Severity:** High

**Resource type:** `AWS::ElastiCache::CacheCluster`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/elasticache-subnet-group-check.html](https://docs.amazonaws.cn/config/latest/developerguide/elasticache-subnet-group-check.html)

**Schedule type:** Periodic

**Parameters:** None

This control checks whether an ElastiCache cluster is configured with a custom subnet group. The control fails if `CacheSubnetGroupName` for an ElastiCache cluster has the value `default`.

When launching an ElastiCache cluster, a default subnet group is created if one doesn't exist already. The default group uses subnets from the default Virtual Private Cloud (VPC). We recommend using custom subnet groups that are more restrictive of the subnets that the cluster resides in, and the networking that the cluster inherits from the subnets.

### Remediation


To create a new subnet group for an ElastiCache cluster, see [Creating a subnet group](https://docs.amazonaws.cn/AmazonElastiCache/latest/red-ug/SubnetGroups.Creating.html) in the *Amazon ElastiCache User Guide*.

# Security Hub CSPM controls for Elastic Beanstalk
Amazon Elastic Beanstalk controls

These Amazon Security Hub CSPM controls evaluate the Amazon Elastic Beanstalk service and resources.

These controls may not be available in all Amazon Web Services Regions. For more information, see [Availability of controls by Region](securityhub-regions.md#securityhub-regions-control-support).

## [ElasticBeanstalk.1] Elastic Beanstalk environments should have enhanced health reporting enabled


**Related requirements:** NIST.800-53.r5 CA-7, NIST.800-53.r5 SI-2

**Category:** Detect > Detection services > Application monitoring

**Severity:** Low

**Resource type:** `AWS::ElasticBeanstalk::Environment`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/beanstalk-enhanced-health-reporting-enabled.html](https://docs.amazonaws.cn/config/latest/developerguide/beanstalk-enhanced-health-reporting-enabled.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether enhanced health reporting is enabled for your Amazon Elastic Beanstalk environments.

Elastic Beanstalk enhanced health reporting enables a more rapid response to changes in the health of the underlying infrastructure. These changes could result in a lack of availability of the application.

Elastic Beanstalk enhanced health reporting provides a status descriptor to gauge the severity of the identified issues and identify possible causes to investigate. The Elastic Beanstalk health agent, included in supported Amazon Machine Images (AMIs), evaluates logs and metrics of environment EC2 instances.

For additional information, see [Enhanced health reporting and monitoring](https://docs.amazonaws.cn/elasticbeanstalk/latest/dg/health-enhanced.html) in the *Amazon Elastic Beanstalk Developer Guide*.

### Remediation


For instructions on how to enable enhanced health reporting, see [Enabling enhanced health reporting using the Elastic Beanstalk console](https://docs.amazonaws.cn/elasticbeanstalk/latest/dg/health-enhanced-enable.html#health-enhanced-enable-console) in the *Amazon Elastic Beanstalk Developer Guide*.

## [ElasticBeanstalk.2] Elastic Beanstalk managed platform updates should be enabled


**Related requirements:** NIST.800-53.r5 SI-2, NIST.800-53.r5 SI-2(2), NIST.800-53.r5 SI-2(4), NIST.800-53.r5 SI-2(5), PCI DSS v4.0.1/6.3.3

**Category:** Identify > Vulnerability, patch, and version management

**Severity:** High

**Resource type:** `AWS::ElasticBeanstalk::Environment`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/elastic-beanstalk-managed-updates-enabled.html](https://docs.amazonaws.cn/config/latest/developerguide/elastic-beanstalk-managed-updates-enabled.html)

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  `UpdateLevel`  |  Version update level  |  Enum  |  `minor`, `patch`  |  No default value  | 

This control checks whether managed platform updates are enabled for an Elastic Beanstalk environment. The control fails if no managed platform updates are enabled. By default, the control passes if any type of platform update is enabled. Optionally, you can provide a custom parameter value to require a specific update level.

Enabling managed platform updates ensures that the latest available platform fixes, updates, and features for the environment are installed. Keeping up to date with patch installation is an important step in securing systems.

### Remediation


To enable managed platform updates, see [To configure managed platform updates under Managed platform updates](https://docs.amazonaws.cn/elasticbeanstalk/latest/dg/environment-platform-update-managed.html) in the *Amazon Elastic Beanstalk Developer Guide*.

## [ElasticBeanstalk.3] Elastic Beanstalk should stream logs to CloudWatch


**Related requirements:** PCI DSS v4.0.1/10.4.2

**Category:** Identify > Logging

**Severity:** High

**Resource type:** `AWS::ElasticBeanstalk::Environment`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/elastic-beanstalk-logs-to-cloudwatch.html](https://docs.amazonaws.cn/config/latest/developerguide/elastic-beanstalk-logs-to-cloudwatch.html)

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  `RetentionInDays`  |  Number of days to keep log events before expiration  |  Enum  |  `1`, `3`, `5`, `7`, `14`, `30`, `60`, `90`, `120`, `150`, `180`, `365`, `400`, `545`, `731`, `1827`, `3653`  |  No default value  | 

This control checks whether an Elastic Beanstalk environment is configured to send logs to CloudWatch Logs. The control fails if an Elastic Beanstalk environment isn't configured to send logs to CloudWatch Logs. Optionally, you can provide a custom value for the `RetentionInDays` parameter if you want the control to pass only if logs are retained for the specified number of days before expiration.

CloudWatch helps you collect and monitor various metrics for your applications and infrastructure resources. You can also use CloudWatch to configure alarm actions based on specific metrics. We recommend integrating Elastic Beanstalk with CloudWatch to get increased visibility into your Elastic Beanstalk environment. Elastic Beanstalk logs include the eb-activity.log, access logs from the environment nginx or Apache proxy server, and logs that are specific to an environment.

### Remediation


To integrate Elastic Beanstalk with CloudWatch Logs, see [Streaming instance logs to CloudWatch Logs](https://docs.amazonaws.cn/elasticbeanstalk/latest/dg/AWSHowTo.cloudwatchlogs.html#AWSHowTo.cloudwatchlogs.streaming) in the *Amazon Elastic Beanstalk Developer Guide*.
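Both ElasticBeanstalk.2 and ElasticBeanstalk.3 pass on a base condition and, only when the optional parameter is supplied, additionally require a specific value. The following is an added example written for this page, not the Amazon Config rule code. It reads an environment's option settings in the shape returned by `DescribeConfigurationSettings` (entries with `Namespace`, `OptionName` and a string `Value`); the option namespaces `aws:elasticbeanstalk:managedactions`, `aws:elasticbeanstalk:managedactions:platformupdate` and `aws:elasticbeanstalk:cloudwatch:logs` come from the Elastic Beanstalk configuration option reference, not from this page, and the two environments are constructed sample data.

```python
"""ElasticBeanstalk.2 / ElasticBeanstalk.3 style checks (added example, not the rule code)."""
from typing import Dict, List, Optional

MANAGED_ACTIONS = "aws:elasticbeanstalk:managedactions"
PLATFORM_UPDATE = "aws:elasticbeanstalk:managedactions:platformupdate"
CLOUDWATCH_LOGS = "aws:elasticbeanstalk:cloudwatch:logs"

ALLOWED_UPDATE_LEVELS = ("minor", "patch")
ALLOWED_RETENTION_DAYS = (1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365,
                          400, 545, 731, 1827, 3653)


def option_value(settings: List[Dict], namespace: str, name: str) -> Optional[str]:
    """Look up one option; Elastic Beanstalk reports every value as a string."""
    for setting in settings:
        if setting["Namespace"] == namespace and setting["OptionName"] == name:
            return setting.get("Value")
    return None


def check_managed_platform_updates(settings: List[Dict], update_level: Optional[str] = None) -> str:
    """ElasticBeanstalk.2: managed actions enabled; optionally a specific UpdateLevel."""
    if update_level is not None and update_level not in ALLOWED_UPDATE_LEVELS:
        raise ValueError("UpdateLevel must be 'minor' or 'patch'")
    if option_value(settings, MANAGED_ACTIONS, "ManagedActionsEnabled") != "true":
        return "FAILED"
    if update_level is None:
        return "PASSED"                  # any enabled update level passes
    return "PASSED" if option_value(settings, PLATFORM_UPDATE, "UpdateLevel") == update_level else "FAILED"


def check_logs_to_cloudwatch(settings: List[Dict], retention_in_days: Optional[int] = None) -> str:
    """ElasticBeanstalk.3: instance logs streamed; optionally a specific RetentionInDays."""
    if retention_in_days is not None and retention_in_days not in ALLOWED_RETENTION_DAYS:
        raise ValueError("RetentionInDays is not one of the allowed values")
    if option_value(settings, CLOUDWATCH_LOGS, "StreamLogs") != "true":
        return "FAILED"
    if retention_in_days is None:
        return "PASSED"
    value = option_value(settings, CLOUDWATCH_LOGS, "RetentionInDays")
    return "PASSED" if value is not None and int(value) == retention_in_days else "FAILED"


def setting(namespace: str, name: str, value: str) -> Dict[str, str]:
    return {"Namespace": namespace, "OptionName": name, "Value": value}


# Constructed sample environments (not real data).
HARDENED_ENV = [
    setting(MANAGED_ACTIONS, "ManagedActionsEnabled", "true"),
    setting(PLATFORM_UPDATE, "UpdateLevel", "minor"),
    setting(CLOUDWATCH_LOGS, "StreamLogs", "true"),
    setting(CLOUDWATCH_LOGS, "RetentionInDays", "90"),
]
DEFAULT_ENV = [
    setting(MANAGED_ACTIONS, "ManagedActionsEnabled", "false"),
    setting(CLOUDWATCH_LOGS, "StreamLogs", "false"),
    setting(CLOUDWATCH_LOGS, "RetentionInDays", "7"),
]

if __name__ == "__main__":
    for label, env in (("hardened", HARDENED_ENV), ("default", DEFAULT_ENV)):
        print(label, "EB.2:", check_managed_platform_updates(env),
              "EB.2(patch):", check_managed_platform_updates(env, "patch"),
              "EB.3:", check_logs_to_cloudwatch(env),
              "EB.3(365):", check_logs_to_cloudwatch(env, 365))
```

`DEFAULT_ENV` carries a `RetentionInDays` value even though streaming is off, which is why both checks test the enabling option first: a retention setting alone does not mean any logs reach CloudWatch Logs.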

# Security Hub CSPM controls for Elastic Load Balancing
Elastic Load Balancing controls

These Amazon Security Hub CSPM controls evaluate the Elastic Load Balancing service and resources. The controls might not be available in all Amazon Web Services Regions. For more information, see [Availability of controls by Region](securityhub-regions.md#securityhub-regions-control-support).

## [ELB.1] Application Load Balancer should be configured to redirect all HTTP requests to HTTPS


**Related requirements:** PCI DSS v3.2.1/2.3, PCI DSS v3.2.1/4.1, NIST.800-53.r5 AC-17(2), NIST.800-53.r5 AC-4, NIST.800-53.r5 IA-5(1), NIST.800-53.r5 SC-12(3), NIST.800-53.r5 SC-13, NIST.800-53.r5 SC-23, NIST.800-53.r5 SC-23(3), NIST.800-53.r5 SC-7(4), NIST.800-53.r5 SC-8, NIST.800-53.r5 SC-8(1), NIST.800-53.r5 SC-8(2), NIST.800-53.r5 SI-7(6)

**Category:** Detect > Detection services

**Severity:** Medium

**Resource type:** `AWS::ElasticLoadBalancingV2::LoadBalancer`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/alb-http-to-https-redirection-check.html](https://docs.amazonaws.cn/config/latest/developerguide/alb-http-to-https-redirection-check.html) 

**Schedule type:** Periodic

**Parameters:** None

This control checks whether HTTP to HTTPS redirection is configured on all HTTP listeners of Application Load Balancers. The control fails if any of the HTTP listeners of Application Load Balancers do not have HTTP to HTTPS redirection configured.

Before you start to use your Application Load Balancer, you must add one or more listeners. A listener is a process that uses the configured protocol and port to check for connection requests. Listeners support both the HTTP and HTTPS protocols. You can use an HTTPS listener to offload the work of encryption and decryption to your load balancer. To enforce encryption in transit, you should use redirect actions with Application Load Balancers to redirect client HTTP requests to an HTTPS request on port 443.

To learn more, see [Listeners for your Application Load Balancers](https://docs.amazonaws.cn/elasticloadbalancing/latest/application/load-balancer-listeners.html) in the *User Guide for Application Load Balancers*.

### Remediation


To redirect HTTP requests to HTTPS, you must add an Application Load Balancer listener rule or edit an existing rule.

For instructions on adding a new rule, see [Add a rule](https://docs.amazonaws.cn/elasticloadbalancing/latest/application/listener-update-rules.html#add-rule) in the *User Guide for Application Load Balancers*. For **Protocol : Port**, choose **HTTP**, and then enter **80**. For **Add action, Redirect to**, choose **HTTPS**, and then enter **443**.

For instructions on editing an existing rule, see [Edit a rule](https://docs.amazonaws.cn/elasticloadbalancing/latest/application/listener-update-rules.html#edit-rule) in the *User Guide for Application Load Balancers*. For **Protocol : Port**, choose **HTTP**, and then enter **80**. For **Add action, Redirect to**, choose **HTTPS**, and then enter **443**.
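The ELB.1 check is per listener: every HTTP listener on the load balancer must redirect to HTTPS, and one plain forwarding HTTP listener is enough to fail the control. The following is an added example written for this page, not the Amazon Config rule code. The listener records are constructed; their field names follow the `DescribeListeners` response (where `RedirectConfig.Port` is a string), the ARNs are placeholders, and, as a simplification, only each listener's default actions are inspected. It also covers a redirect whose protocol is `#{protocol}`, which preserves the client's protocol and so does not enforce HTTPS.

```python
"""ELB.1 style check: HTTP listeners must redirect to HTTPS (added example, not the rule code)."""
from typing import Dict, List


def http_listener_redirects_to_https(listener: Dict) -> bool:
    """True when a default action is a redirect whose target protocol is HTTPS."""
    for action in listener.get("DefaultActions", []):
        if action.get("Type") != "redirect":
            continue
        redirect = action.get("RedirectConfig", {})
        if redirect.get("Protocol") == "HTTPS":     # '#{protocol}' keeps HTTP, so it fails
            return True
    return False


def evaluate_load_balancer(listeners: List[Dict]) -> Dict[str, object]:
    """Return the status plus the ARNs of HTTP listeners without an HTTPS redirect."""
    http_listeners = [l for l in listeners if l.get("Protocol") == "HTTP"]
    if not http_listeners:
        # No HTTP listener means nothing to redirect; NOT_APPLICABLE is this example's choice.
        return {"status": "NOT_APPLICABLE", "failing": []}
    failing = [l["ListenerArn"] for l in http_listeners if not http_listener_redirects_to_https(l)]
    return {"status": "FAILED" if failing else "PASSED", "failing": failing}


# Constructed sample actions and listeners; ARNs are placeholders.
REDIRECT_TO_HTTPS = {
    "Type": "redirect",
    "RedirectConfig": {"Protocol": "HTTPS", "Port": "443", "Host": "#{host}",
                       "Path": "/#{path}", "Query": "#{query}", "StatusCode": "HTTP_301"},
}
FORWARD = {"Type": "forward",
           "TargetGroupArn": "arn:aws:elasticloadbalancing:REGION:ACCOUNT_ID:targetgroup/PLACEHOLDER"}
LISTENER_ARN = "arn:aws:elasticloadbalancing:REGION:ACCOUNT_ID:listener/app/%s/PLACEHOLDER/%s"

COMPLIANT_ALB = [
    {"ListenerArn": LISTENER_ARN % ("web", "http80"), "Protocol": "HTTP", "Port": 80,
     "DefaultActions": [REDIRECT_TO_HTTPS]},
    {"ListenerArn": LISTENER_ARN % ("web", "https443"), "Protocol": "HTTPS", "Port": 443,
     "DefaultActions": [FORWARD]},
]
NONCOMPLIANT_ALB = [
    {"ListenerArn": LISTENER_ARN % ("legacy", "http80"), "Protocol": "HTTP", "Port": 80,
     "DefaultActions": [FORWARD]},
    {"ListenerArn": LISTENER_ARN % ("legacy", "https443"), "Protocol": "HTTPS", "Port": 443,
     "DefaultActions": [FORWARD]},
]
HTTPS_ONLY_ALB = [COMPLIANT_ALB[1]]

if __name__ == "__main__":
    for label, alb in (("web", COMPLIANT_ALB), ("legacy", NONCOMPLIANT_ALB), ("https-only", HTTPS_ONLY_ALB)):
        print(label, evaluate_load_balancer(alb))
```

Returning the failing listener ARNs rather than only a status is what makes the finding actionable: the remediation above is applied to the HTTP:80 listener, not to the load balancer as a whole.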

## [ELB.2] Classic Load Balancers with SSL/HTTPS listeners should use a certificate provided by Amazon Certificate Manager


**Related requirements:** NIST.800-53.r5 AC-17(2), NIST.800-53.r5 AC-4, NIST.800-53.r5 IA-5(1), NIST.800-53.r5 SC-12(3), NIST.800-53.r5 SC-13, NIST.800-53.r5 SC-23, NIST.800-53.r5 SC-23(5), NIST.800-53.r5 SC-7(4), NIST.800-53.r5 SC-8, NIST.800-53.r5 SC-8(1), NIST.800-53.r5 SC-8(2), NIST.800-53.r5 SI-7(6), NIST.800-171.r2 3.13.8

**Category:** Protect > Data Protection > Encryption of data-in-transit

**Severity:** Medium

**Resource type:** `AWS::ElasticLoadBalancing::LoadBalancer`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/elb-acm-certificate-required.html](https://docs.amazonaws.cn/config/latest/developerguide/elb-acm-certificate-required.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether the Classic Load Balancer uses HTTPS/SSL certificates provided by Amazon Certificate Manager (ACM). The control fails if the Classic Load Balancer configured with HTTPS/SSL listener does not use a certificate provided by ACM.

To create a certificate, you can use either ACM or a tool that supports the SSL and TLS protocols, such as OpenSSL. Security Hub CSPM recommends that you use ACM to create or import certificates for your load balancer.

ACM integrates with Classic Load Balancers so that you can deploy the certificate on your load balancer. You also should automatically renew these certificates.

### Remediation


For information about how to associate an ACM SSL/TLS certificate with a Classic Load Balancer, see the Amazon Knowledge Center article [How can I associate an ACM SSL/TLS certificate with a Classic, Application, or Network Load Balancer?](https://www.amazonaws.cn/premiumsupport/knowledge-center/associate-acm-certificate-alb-nlb/)

## [ELB.3] Classic Load Balancer listeners should be configured with HTTPS or TLS termination


**Related requirements:** NIST.800-53.r5 AC-17(2), NIST.800-53.r5 AC-4, NIST.800-53.r5 IA-5(1), NIST.800-53.r5 SC-12(3), NIST.800-53.r5 SC-13, NIST.800-53.r5 SC-23, NIST.800-53.r5 SC-23(3), NIST.800-53.r5 SC-7(4), NIST.800-53.r5 SC-8, NIST.800-53.r5 SC-8(1), NIST.800-53.r5 SC-8(2), NIST.800-53.r5 SI-7(6), NIST.800-171.r2 3.13.8, NIST.800-171.r2 3.13.15, PCI DSS v4.0.1/4.2.1

**Category:** Protect > Data Protection > Encryption of data-in-transit

**Severity:** Medium

**Resource type:** `AWS::ElasticLoadBalancing::LoadBalancer`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/elb-tls-https-listeners-only.html](https://docs.amazonaws.cn/config/latest/developerguide/elb-tls-https-listeners-only.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether your Classic Load Balancer listeners are configured with HTTPS or TLS protocol for front-end (client to load balancer) connections. The control is applicable if a Classic Load Balancer has listeners. If your Classic Load Balancer does not have a listener configured, then the control does not report any findings.

The control passes if the Classic Load Balancer listeners are configured with TLS or HTTPS for front-end connections.

The control fails if the listener is not configured with TLS or HTTPS for front-end connections.

Before you start to use a load balancer, you must add one or more listeners. A listener is a process that uses the configured protocol and port to check for connection requests. Listeners can support both HTTP and HTTPS/TLS protocols. You should always use an HTTPS or TLS listener, so that the load balancer does the work of encryption and decryption in transit.

### Remediation


To remediate this issue, update your listeners to use the TLS or HTTPS protocol.

**To change all noncompliant listeners to TLS/HTTPS listeners**

1. Open the Amazon EC2 console at [https://console.amazonaws.cn/ec2/](https://console.amazonaws.cn/ec2/).

1. In the navigation pane, under **Load Balancing**, choose **Load Balancers**.

1. Select your Classic Load Balancer.

1. On the **Listeners** tab, choose **Edit**.

1. For all listeners where **Load Balancer Protocol** is not set to HTTPS or SSL, change the setting to HTTPS or SSL.

1. For all modified listeners, on the **Certificates** tab, choose **Change default**.

1. For **ACM and IAM certificates**, select a certificate.

1. Choose **Save as default**.

1. After you update all of the listeners, choose **Save**.

## [ELB.4] Application Load Balancer should be configured to drop invalid http headers


**Related requirements:** NIST.800-53.r5 SC-7(4), NIST.800-53.r5 SC-8(2), PCI DSS v4.0.1/6.2.4

**Category:** Protect > Network Security

**Severity:** Medium

**Resource type:** `AWS::ElasticLoadBalancingV2::LoadBalancer`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/alb-http-drop-invalid-header-enabled.html](https://docs.amazonaws.cn/config/latest/developerguide/alb-http-drop-invalid-header-enabled.html)

**Schedule type:** Change triggered

**Parameters:** None

This control evaluates whether an Application Load Balancer is configured to drop invalid HTTP headers. The control fails if the value of `routing.http.drop_invalid_header_fields.enabled` is set to `false`.

By default, Application Load Balancers are not configured to drop invalid HTTP header values. Removing these header values prevents HTTP desync attacks.

**Note**  
We recommend disabling this control if ELB.12 is enabled in your account. For more information, see [[ELB.12] Application Load Balancer should be configured with defensive or strictest desync mitigation mode](#elb-12).

### Remediation


To remediate this issue, configure your load balancer to drop invalid header fields.

**To configure the load balancer to drop invalid header fields**

1. Open the Amazon EC2 console at [https://console.amazonaws.cn/ec2/](https://console.amazonaws.cn/ec2/).

1. In the navigation pane, choose **Load balancers**.

1. Choose an Application Load Balancer.

1. From **Actions**, choose **Edit attributes**.

1. Under **Drop Invalid Header Fields**, choose **Enable**.

1. Choose **Save**.

## [ELB.5] Application and Classic Load Balancers logging should be enabled


**Related requirements:** NIST.800-53.r5 AC-4(26), NIST.800-53.r5 AU-10, NIST.800-53.r5 AU-12, NIST.800-53.r5 AU-2, NIST.800-53.r5 AU-3, NIST.800-53.r5 AU-6(3), NIST.800-53.r5 AU-6(4), NIST.800-53.r5 CA-7, NIST.800-53.r5 SC-7(9), NIST.800-53.r5 SI-7(8)

**Category:** Identify > Logging

**Severity:** Medium

**Resource type:** `AWS::ElasticLoadBalancing::LoadBalancer`, `AWS::ElasticLoadBalancingV2::LoadBalancer`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/elb-logging-enabled.html](https://docs.amazonaws.cn/config/latest/developerguide/elb-logging-enabled.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether the Application Load Balancer and the Classic Load Balancer have logging enabled. The control fails if `access_logs.s3.enabled` is `false`.

Elastic Load Balancing provides access logs that capture detailed information about requests sent to your load balancer. Each log contains information such as the time the request was received, the client's IP address, latencies, request paths, and server responses. You can use these access logs to analyze traffic patterns and to troubleshoot issues. 

To learn more, see [Access logs for your Classic Load Balancer](https://docs.amazonaws.cn/elasticloadbalancing/latest/classic/access-log-collection.html) in *User Guide for Classic Load Balancers*.

### Remediation


To enable access logs, see [Step 3: Configure access logs](https://docs.amazonaws.cn/elasticloadbalancing/latest/application/enable-access-logging.html#enable-access-logs) in the *User Guide for Application Load Balancers*.

## [ELB.6] Application, Gateway, and Network Load Balancers should have deletion protection enabled


**Related requirements:** NIST.800-53.r5 CA-9(1), NIST.800-53.r5 CM-2, NIST.800-53.r5 CM-2(2), NIST.800-53.r5 CM-3, NIST.800-53.r5 SC-5(2)

**Category:** Recover > Resilience > High availability

**Severity:** Medium

**Resource type:** `AWS::ElasticLoadBalancingV2::LoadBalancer`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/elb-deletion-protection-enabled.html](https://docs.amazonaws.cn/config/latest/developerguide/elb-deletion-protection-enabled.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether an Application, Gateway, or Network Load Balancer has deletion protection enabled. The control fails if deletion protection is disabled.

Enable deletion protection to protect your Application, Gateway, or Network Load Balancer from deletion.

### Remediation


To prevent your load balancer from being deleted accidentally, you can enable deletion protection. By default, deletion protection is disabled for your load balancer.

If you enable deletion protection for your load balancer, you must disable delete protection before you can delete the load balancer.

To enable deletion protection for an Application Load Balancer, see [Deletion protection](https://docs.amazonaws.cn/elasticloadbalancing/latest/application/application-load-balancers.html#deletion-protection) in the *User Guide for Application Load Balancers*. To enable deletion protection for a Gateway Load Balancer, see [Deletion protection](https://docs.amazonaws.cn/elasticloadbalancing/latest/gateway/gateway-load-balancers.html#deletion-protection) in the *User Guide for Gateway Load Balancers*. To enable deletion protection for a Network Load Balancer, see [Deletion protection](https://docs.amazonaws.cn/elasticloadbalancing/latest/network/network-load-balancers.html#deletion-protection) in the *User Guide for Network Load Balancers*.

## [ELB.7] Classic Load Balancers should have connection draining enabled


**Related requirements:** NIST.800-53.r5 CA-9(1), NIST.800-53.r5 CM-2

**Category:** Recover > Resilience

**Severity:** Low

**Resource type:** `AWS::ElasticLoadBalancing::LoadBalancer`

**Amazon Config rule:** `elb-connection-draining-enabled` (custom Security Hub CSPM rule)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether Classic Load Balancers have connection draining enabled.

Enabling connection draining on Classic Load Balancers ensures that the load balancer stops sending requests to instances that are de-registering or unhealthy. It keeps the existing connections open. This is particularly useful for instances in Auto Scaling groups, to ensure that connections aren't severed abruptly.

### Remediation


To enable connection draining on Classic Load Balancers, see [Configure connection draining for your Classic Load Balancer](https://docs.amazonaws.cn/elasticloadbalancing/latest/classic/config-conn-drain.html) in *User Guide for Classic Load Balancers*.

## [ELB.8] Classic Load Balancers with SSL listeners should use a predefined security policy that has strong Amazon Configuration


**Related requirements:** NIST.800-53.r5 AC-17(2), NIST.800-53.r5 AC-4, NIST.800-53.r5 IA-5(1), NIST.800-53.r5 SC-12(3), NIST.800-53.r5 SC-13, NIST.800-53.r5 SC-23, NIST.800-53.r5 SC-23(3), NIST.800-53.r5 SC-7(4), NIST.800-53.r5 SC-8, NIST.800-53.r5 SC-8(1), NIST.800-53.r5 SC-8(2), NIST.800-53.r5 SI-7(6), NIST.800-171.r2 3.13.8, NIST.800-171.r2 3.13.15, PCI DSS v4.0.1/4.2.1

**Category:** Protect > Data Protection > Encryption of data-in-transit

**Severity:** Medium

**Resource type:** `AWS::ElasticLoadBalancing::LoadBalancer`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/elb-predefined-security-policy-ssl-check.html](https://docs.amazonaws.cn/config/latest/developerguide/elb-predefined-security-policy-ssl-check.html)

**Schedule type:** Change triggered

**Parameters:**
+ `predefinedPolicyName`: `ELBSecurityPolicy-TLS-1-2-2017-01` (not customizable)

This control checks whether your Classic Load Balancer HTTPS/SSL listeners use the predefined policy `ELBSecurityPolicy-TLS-1-2-2017-01`. The control fails if the Classic Load Balancer HTTPS/SSL listeners do not use `ELBSecurityPolicy-TLS-1-2-2017-01`.

A security policy is a combination of SSL protocols, ciphers, and the Server Order Preference option. Predefined policies control the ciphers, protocols, and preference orders to support during SSL negotiations between a client and load balancer.

Using `ELBSecurityPolicy-TLS-1-2-2017-01` can help you to meet compliance and security standards that require you to disable specific versions of SSL and TLS. For more information, see [Predefined SSL security policies for Classic Load Balancers](https://docs.amazonaws.cn/elasticloadbalancing/latest/classic/elb-security-policy-table.html) in *User Guide for Classic Load Balancers*.

### Remediation


For information on how to use the predefined security policy `ELBSecurityPolicy-TLS-1-2-2017-01` with a Classic Load Balancer, see [Configure security settings](https://docs.amazonaws.cn/elasticloadbalancing/latest/classic/elb-create-https-ssl-load-balancer.html#config-backend-auth) in *User Guide for Classic Load Balancers*.
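ELB.2, ELB.3 and ELB.8 all ask questions about the same listener records, so the following added Python example (not code from the Security Hub CSPM or Elastic Load Balancing documentation) evaluates the three controls offline over constructed `DescribeLoadBalancers` and `DescribeLoadBalancerPolicies` data. It assumes the standard Classic ELB API response shapes; the function and sample names are ours, and the check for ELB.8 relies on the `Reference-Security-Policy` attribute through which a load balancer's own SSL negotiation policy records the predefined policy it was based on.

```python
"""Offline evaluation of Classic Load Balancer listeners against Security Hub
controls ELB.2 (ACM certificate), ELB.3 (HTTPS/TLS termination) and ELB.8
(predefined policy ELBSecurityPolicy-TLS-1-2-2017-01).

Inputs mirror the Classic ELB API: ``ListenerDescriptions`` from
``DescribeLoadBalancers`` and ``PolicyDescriptions`` from
``DescribeLoadBalancerPolicies``. A listener only carries local policy names;
the predefined policy such a local policy was built from is recorded in its
``Reference-Security-Policy`` attribute, which is what ELB.8 must inspect.
All sample records below are constructed for this example.
"""
from typing import Dict, List, Tuple

REQUIRED_REFERENCE_POLICY = "ELBSecurityPolicy-TLS-1-2-2017-01"  # ELB.8 parameter
SECURE_FRONTEND_PROTOCOLS = frozenset({"HTTPS", "SSL"})  # ELB.3: HTTPS or TLS termination

Finding = Tuple[str, str, str]  # (control id, "PASSED"/"FAILED", detail)


def is_acm_certificate(certificate_arn: str) -> bool:
    """ELB.2: ACM certificates are arn:<partition>:acm:<region>:<account>:certificate/...,
    while IAM-uploaded ones are arn:<partition>:iam::<account>:server-certificate/..."""
    parts = certificate_arn.split(":")
    return len(parts) >= 6 and parts[0] == "arn" and parts[2] == "acm"


def reference_policies(policy_descriptions: List[Dict]) -> Dict[str, str]:
    """Map each SSL negotiation policy on the load balancer to the predefined
    policy it references ("" for a fully custom policy)."""
    refs: Dict[str, str] = {}
    for policy in policy_descriptions:
        if policy.get("PolicyTypeName") != "SSLNegotiationPolicyType":
            continue
        attrs = {a["AttributeName"]: a["AttributeValue"]
                 for a in policy.get("PolicyAttributeDescriptions", [])}
        refs[policy["PolicyName"]] = attrs.get("Reference-Security-Policy", "")
    return refs


def evaluate_classic_listeners(listener_descriptions: List[Dict],
                               policy_descriptions: List[Dict]) -> List[Finding]:
    """ELB.3 for every listener; ELB.2 and ELB.8 only for HTTPS/SSL listeners.
    A load balancer without listeners yields no findings, as the control text says."""
    refs = reference_policies(policy_descriptions)
    findings: List[Finding] = []
    for desc in listener_descriptions:
        listener = desc["Listener"]
        protocol = listener["Protocol"].upper()
        where = f"{protocol}:{listener['LoadBalancerPort']}"
        if protocol not in SECURE_FRONTEND_PROTOCOLS:
            findings.append(("ELB.3", "FAILED", where))
            continue  # no TLS here, so there is no certificate or policy to check
        findings.append(("ELB.3", "PASSED", where))
        cert = listener.get("SSLCertificateId", "")
        findings.append(("ELB.2", "PASSED" if is_acm_certificate(cert) else "FAILED",
                         f"{where} certificate={cert or '<none>'}"))
        referenced = {refs.get(name, "") for name in desc.get("PolicyNames", [])} - {""}
        findings.append(("ELB.8", "PASSED" if REQUIRED_REFERENCE_POLICY in referenced else "FAILED",
                         f"{where} reference={','.join(sorted(referenced)) or '<custom or none>'}"))
    return findings


def control_status(findings: List[Finding]) -> Dict[str, str]:
    """Roll listener-level findings up to one status per control: the control
    fails for the load balancer if any listener failed it."""
    status: Dict[str, str] = {}
    for control, result, _ in findings:
        if status.get(control) != "FAILED":
            status[control] = result
    return status


# Constructed sample: an HTTP listener (fails ELB.3); an HTTPS listener with an ACM
# certificate and a console-created policy referencing the required predefined
# policy; an SSL listener with an IAM-uploaded certificate and a custom policy.
SAMPLE_LISTENERS = [
    {"Listener": {"Protocol": "HTTP", "LoadBalancerPort": 80, "InstancePort": 80},
     "PolicyNames": []},
    {"Listener": {"Protocol": "HTTPS", "LoadBalancerPort": 443, "InstancePort": 80,
                  "SSLCertificateId": "arn:aws:acm:us-east-1:111122223333:certificate/EXAMPLE-ID"},
     "PolicyNames": ["AWSConsole-SSLNegotiationPolicy-example"]},
    {"Listener": {"Protocol": "SSL", "LoadBalancerPort": 8443, "InstancePort": 8443,
                  "SSLCertificateId": "arn:aws:iam::111122223333:server-certificate/legacy"},
     "PolicyNames": ["custom-ciphers"]},
]
SAMPLE_POLICIES = [
    {"PolicyName": "AWSConsole-SSLNegotiationPolicy-example",
     "PolicyTypeName": "SSLNegotiationPolicyType",
     "PolicyAttributeDescriptions": [
         {"AttributeName": "Reference-Security-Policy", "AttributeValue": REQUIRED_REFERENCE_POLICY},
         {"AttributeName": "Protocol-TLSv1.2", "AttributeValue": "true"}]},
    {"PolicyName": "custom-ciphers", "PolicyTypeName": "SSLNegotiationPolicyType",
     "PolicyAttributeDescriptions": [{"AttributeName": "Protocol-TLSv1", "AttributeValue": "true"}]},
]
```

Run `control_status(evaluate_classic_listeners(SAMPLE_LISTENERS, SAMPLE_POLICIES))` to see all three controls fail for the sample load balancer; restrict the list to the HTTPS listener alone and all three pass.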

## [ELB.9] Classic Load Balancers should have cross-zone load balancing enabled


**Related requirements:** NIST.800-53.r5 CP-10, NIST.800-53.r5 CP-6(2), NIST.800-53.r5 SC-36, NIST.800-53.r5 SC-5(2), NIST.800-53.r5 SI-13(5)

**Category:** Recover > Resilience > High availability

**Severity:** Medium

**Resource type:** `AWS::ElasticLoadBalancing::LoadBalancer`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/elb-cross-zone-load-balancing-enabled.html](https://docs.amazonaws.cn/config/latest/developerguide/elb-cross-zone-load-balancing-enabled.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks if cross-zone load balancing is enabled for the Classic Load Balancers (CLBs). The control fails if cross-zone load balancing is not enabled for a CLB.

When cross-zone load balancing is disabled, each load balancer node distributes traffic only across the registered targets in its own Availability Zone. If the number of registered targets is not the same across the Availability Zones, traffic won't be distributed evenly, and the instances in one zone may end up overutilized compared to the instances in another zone. With cross-zone load balancing enabled, each load balancer node for your Classic Load Balancer distributes requests evenly across the registered instances in all enabled Availability Zones. For details, see [Cross-zone load balancing](https://docs.amazonaws.cn/elasticloadbalancing/latest/userguide/how-elastic-load-balancing-works.html#cross-zone-load-balancing) in the *Elastic Load Balancing User Guide*.

### Remediation


To enable cross-zone load balancing in a Classic Load Balancer, see [Enable cross-zone load balancing](https://docs.amazonaws.cn/elasticloadbalancing/latest/classic/enable-disable-crosszone-lb.html#enable-cross-zone) in the *User Guide for Classic Load Balancers*.

## [ELB.10] Classic Load Balancer should span multiple Availability Zones


**Related requirements:** NIST.800-53.r5 CP-10, NIST.800-53.r5 CP-6(2), NIST.800-53.r5 SC-36, NIST.800-53.r5 SC-5(2), NIST.800-53.r5 SI-13(5)

**Category:** Recover > Resilience > High availability

**Severity:** Medium

**Resource type:** `AWS::ElasticLoadBalancing::LoadBalancer`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/clb-multiple-az.html](https://docs.amazonaws.cn/config/latest/developerguide/clb-multiple-az.html)

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  `minAvailabilityZones`  |  Minimum number of Availability Zones  |  Enum  |  `2, 3, 4, 5, 6`  |  `2`  | 

This control checks whether a Classic Load Balancer has been configured to span at least the specified number of Availability Zones (AZs). The control fails if the Classic Load Balancer does not span at least the specified number of AZs. Unless you provide a custom parameter value for the minimum number of AZs, Security Hub CSPM uses a default value of two AZs.

A Classic Load Balancer can be set up to distribute incoming requests across Amazon EC2 instances in a single Availability Zone or multiple Availability Zones. A Classic Load Balancer that does not span multiple Availability Zones is unable to redirect traffic to targets in another Availability Zone if the sole configured Availability Zone becomes unavailable.

### Remediation


To add Availability Zones to a Classic Load Balancer, see [Add or remove subnets for your Classic Load Balancer](https://docs.amazonaws.cn//elasticloadbalancing/latest/classic/elb-manage-subnets.html) in the *User Guide for Classic Load Balancers*.

## [ELB.12] Application Load Balancer should be configured with defensive or strictest desync mitigation mode


**Related requirements:** NIST.800-53.r5 AC-4(21), NIST.800-53.r5 CA-9(1), NIST.800-53.r5 CM-2, PCI DSS v4.0.1/6.2.4

**Category:** Protect > Data Protection > Data integrity

**Severity:** Medium

**Resource type:** `AWS::ElasticLoadBalancingV2::LoadBalancer`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/alb-desync-mode-check.html](https://docs.amazonaws.cn/config/latest/developerguide/alb-desync-mode-check.html)

**Schedule type:** Change triggered

**Parameters:**
+ `desyncMode`: `defensive, strictest` (not customizable)

This control checks whether an Application Load Balancer is configured with defensive or strictest desync mitigation mode. The control fails if an Application Load Balancer is not configured with defensive or strictest desync mitigation mode.

HTTP Desync issues can lead to request smuggling and make applications vulnerable to request queue or cache poisoning. In turn, these vulnerabilities can lead to credential stuffing or execution of unauthorized commands. Application Load Balancers configured with defensive or strictest desync mitigation mode protect your application from security issues that may be caused by HTTP Desync. 

### Remediation


To update desync mitigation mode of an Application Load Balancer, see [Desync mitigation mode](https://docs.amazonaws.cn//elasticloadbalancing/latest/application/application-load-balancers.html#desync-mitigation-mode) in the *User Guide for Application Load Balancers*. 
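ELB.4, ELB.5, ELB.6 and ELB.12 each reduce to reading one load balancer attribute, so here is an added Python example (not from the Security Hub CSPM documentation) that evaluates the four controls over a `DescribeLoadBalancerAttributes` response, including the ELB.4/ELB.12 overlap described in the note under ELB.4. The attribute keys are the documented ELBv2 ones; the function and sample names are assumptions made for this example, and `fetch_attributes` is only needed for live use.

```python
"""Offline evaluation of an Application Load Balancer's attributes against
Security Hub controls ELB.4, ELB.5, ELB.6 and ELB.12.

Input is the ``Attributes`` list as returned by the ELBv2
``DescribeLoadBalancerAttributes`` API: ``[{"Key": ..., "Value": ...}, ...]``
with string values. The sample attribute sets below are constructed for this
example, not captured from an account.
"""
from typing import Dict, List, Tuple

# Attribute keys as exposed by DescribeLoadBalancerAttributes.
DROP_INVALID_HEADERS = "routing.http.drop_invalid_header_fields.enabled"  # ELB.4
ACCESS_LOGS_ENABLED = "access_logs.s3.enabled"                            # ELB.5
DELETION_PROTECTION = "deletion_protection.enabled"                       # ELB.6
DESYNC_MODE = "routing.http.desync_mitigation_mode"                       # ELB.12

# ELB.12 parameter ``desyncMode``: only these modes pass ("monitor" does not).
COMPLIANT_DESYNC_MODES = frozenset({"defensive", "strictest"})

Finding = Tuple[str, str, str]  # (control id, "PASSED"/"FAILED", detail)


def attributes_to_dict(attributes: List[Dict[str, str]]) -> Dict[str, str]:
    """Flatten the API's Key/Value list into a plain dict."""
    return {a["Key"]: a["Value"] for a in attributes}


def is_enabled(attrs: Dict[str, str], key: str) -> bool:
    """Boolean ELBv2 attributes are the strings "true"/"false". A missing key is
    treated as "false", the service default for the three flags used here, so
    an incomplete attribute list errs on the side of a failed check."""
    return attrs.get(key, "false").strip().lower() == "true"


def evaluate_alb_attributes(attributes: List[Dict[str, str]],
                            elb12_enabled: bool = True) -> List[Finding]:
    """Return one finding per applicable control.

    ``elb12_enabled`` models the note under ELB.4: when ELB.12 is enabled in the
    account, ELB.4 is recommended to be disabled, so this example then skips
    ELB.4 instead of reporting the same load balancer twice (an example choice)."""
    attrs = attributes_to_dict(attributes)
    findings: List[Finding] = []

    def flag(control: str, key: str) -> None:
        status = "PASSED" if is_enabled(attrs, key) else "FAILED"
        findings.append((control, status, f"{key}={attrs.get(key, '<missing>')}"))

    if not elb12_enabled:
        flag("ELB.4", DROP_INVALID_HEADERS)
    flag("ELB.5", ACCESS_LOGS_ENABLED)
    flag("ELB.6", DELETION_PROTECTION)

    # ELB.12: the API always returns the mode, so a missing key is reported as a
    # failure rather than silently assumed to be the service default.
    mode = attrs.get(DESYNC_MODE, "").strip().lower()
    status = "PASSED" if mode in COMPLIANT_DESYNC_MODES else "FAILED"
    findings.append(("ELB.12", status, f"{DESYNC_MODE}={mode or '<missing>'}"))
    return findings


def failed_control_ids(findings: List[Finding]) -> List[str]:
    """Sorted ids of the controls that failed, for a quick remediation list."""
    return sorted(control for control, status, _ in findings if status == "FAILED")


def fetch_attributes(load_balancer_arn: str) -> List[Dict[str, str]]:
    """Fetch live attributes with boto3 (credentials required). Not used by the
    offline samples, so boto3 is imported only here."""
    import boto3
    client = boto3.client("elbv2")
    response = client.describe_load_balancer_attributes(LoadBalancerArn=load_balancer_arn)
    return response["Attributes"]


# Constructed sample: an ALB left at service defaults.
DEFAULT_ALB = [
    {"Key": DROP_INVALID_HEADERS, "Value": "false"},
    {"Key": ACCESS_LOGS_ENABLED, "Value": "false"},
    {"Key": DELETION_PROTECTION, "Value": "false"},
    {"Key": DESYNC_MODE, "Value": "defensive"},
]
# Constructed sample: the same ALB after remediation, with the strictest desync mode.
HARDENED_ALB = [
    {"Key": DROP_INVALID_HEADERS, "Value": "true"},
    {"Key": ACCESS_LOGS_ENABLED, "Value": "true"},
    {"Key": DELETION_PROTECTION, "Value": "true"},
    {"Key": DESYNC_MODE, "Value": "strictest"},
]
# Constructed sample: hardened, except that desync mitigation only monitors.
MONITOR_ONLY_ALB = [{"Key": a["Key"], "Value": "monitor" if a["Key"] == DESYNC_MODE else a["Value"]}
                    for a in HARDENED_ALB]
```

`failed_control_ids(evaluate_alb_attributes(DEFAULT_ALB))` reports ELB.5 and ELB.6 for a default ALB, and ELB.4 joins the list only when the account runs with ELB.12 disabled.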

## [ELB.13] Application, Network and Gateway Load Balancers should span multiple Availability Zones


**Related requirements:** NIST.800-53.r5 CP-10, NIST.800-53.r5 CP-6(2), NIST.800-53.r5 SC-36, NIST.800-53.r5 SC-5(2), NIST.800-53.r5 SI-13(5)

**Category:** Recover > Resilience > High availability 

**Severity:** Medium

**Resource type:** `AWS::ElasticLoadBalancingV2::LoadBalancer`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/elbv2-multiple-az.html](https://docs.amazonaws.cn/config/latest/developerguide/elbv2-multiple-az.html)

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  `minAvailabilityZones`  |  Minimum number of Availability Zones  |  Enum  |  `2, 3, 4, 5, 6`  |  `2`  | 

This control checks whether an Elastic Load Balancer V2 (Application, Network, or Gateway Load Balancer) has registered instances from at least the specified number of Availability Zones (AZs). The control fails if an Elastic Load Balancer V2 doesn't have instances registered in at least the specified number of AZs. Unless you provide a custom parameter value for the minimum number of AZs, Security Hub CSPM uses a default value of two AZs.

Elastic Load Balancing automatically distributes your incoming traffic across multiple targets, such as EC2 instances, containers, and IP addresses, in one or more Availability Zones. Elastic Load Balancing scales your load balancer as your incoming traffic changes over time. It is recommended to configure at least two Availability Zones to ensure availability of services, as the Elastic Load Balancer will be able to direct traffic to another Availability Zone if one becomes unavailable. Having multiple Availability Zones configured will help eliminate a single point of failure for the application.

### Remediation


To add an Availability Zone to an Application Load Balancer, see [Availability Zones for your Application Load Balancer](https://docs.amazonaws.cn//elasticloadbalancing/latest/application/load-balancer-subnets.html) in the *User Guide for Application Load Balancers*. To add an Availability Zone to a Network Load Balancer, see [Network Load Balancers](https://docs.amazonaws.cn//elasticloadbalancing/latest/network/network-load-balancers.html#availability-zones) in the *User Guide for Network Load Balancers*. To add an Availability Zone to a Gateway Load Balancer, see [Create a Gateway Load Balancer](https://docs.amazonaws.cn//elasticloadbalancing/latest/gateway/create-load-balancer.html) in the *User Guide for Gateway Load Balancers*.

## [ELB.14] Classic Load Balancer should be configured with defensive or strictest desync mitigation mode


**Related requirements:** NIST.800-53.r5 AC-4(21), NIST.800-53.r5 CA-9(1), NIST.800-53.r5 CM-2, PCI DSS v4.0.1/6.2.4

**Category:** Protect > Data Protection > Data integrity

**Severity:** Medium

**Resource type:** `AWS::ElasticLoadBalancing::LoadBalancer`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/clb-desync-mode-check.html](https://docs.amazonaws.cn/config/latest/developerguide/clb-desync-mode-check.html)

**Schedule type:** Change triggered

**Parameters:**
+ `desyncMode`: `defensive, strictest` (not customizable)

This control checks whether a Classic Load Balancer is configured with defensive or strictest desync mitigation mode. The control fails if the Classic Load Balancer isn't configured with defensive or strictest desync mitigation mode.

HTTP Desync issues can lead to request smuggling and make applications vulnerable to request queue or cache poisoning. In turn, these vulnerabilities can lead to credential hijacking or execution of unauthorized commands. Classic Load Balancers configured with defensive or strictest desync mitigation mode protect your application from security issues that may be caused by HTTP Desync. 

### Remediation


To update desync mitigation mode on a Classic Load Balancer, see [Modify desync mitigation mode](https://docs.amazonaws.cn/elasticloadbalancing/latest/classic/config-desync-mitigation-mode.html#update-desync-mitigation-mode) in the *User Guide for Classic Load Balancers*. 

## [ELB.16] Application Load Balancers should be associated with an Amazon WAF web ACL


**Related requirements:** NIST.800-53.r5 AC-4(21)

**Category:** Protect > Protective services

**Severity:** Medium

**Resource type:** `AWS::ElasticLoadBalancingV2::LoadBalancer`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/alb-waf-enabled.html](https://docs.amazonaws.cn/config/latest/developerguide/alb-waf-enabled.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether an Application Load Balancer is associated with an Amazon WAF Classic or Amazon WAF web access control list (web ACL). The control fails if the `Enabled` field for the Amazon WAF configuration is set to `false`.

Amazon WAF is a web application firewall that helps protect web applications and APIs from attacks. With Amazon WAF, you can configure a web ACL, which is a set of rules that allow, block, or count web requests based on customizable web security rules and conditions that you define. We recommend associating your Application Load Balancer with an Amazon WAF web ACL to help protect it from malicious attacks.

### Remediation


To associate an Application Load Balancer with a web ACL, see [Associating or disassociating a web ACL with an Amazon resource](https://docs.amazonaws.cn/waf/latest/developerguide/web-acl-associating-aws-resource.html) in the *Amazon WAF Developer Guide*. 

## [ELB.17] Application and Network Load Balancers with listeners should use recommended security policies


**Related requirements:** NIST.800-53.r5 AC-17(2), NIST.800-53.r5 AC-4, NIST.800-53.r5 IA-5(1), NIST.800-53.r5 SC-12(3), NIST.800-53.r5 SC-13, NIST.800-53.r5 SC-23, NIST.800-53.r5 SC-23(3), NIST.800-53.r5 SC-7(4), NIST.800-53.r5 SC-8, NIST.800-53.r5 SC-8(1), NIST.800-53.r5 SC-8(2), NIST.800-53.r5 SI-7(6)

**Category:** Protect > Data Protection > Encryption of data-in-transit

**Severity:** Medium

**Resource type:** `AWS::ElasticLoadBalancingV2::Listener`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/elbv2-predefined-security-policy-ssl-check.html](https://docs.amazonaws.cn/config/latest/developerguide/elbv2-predefined-security-policy-ssl-check.html)

**Schedule type:** Change triggered

**Parameters:** `sslPolicies`: `ELBSecurityPolicy-TLS13-1-3-2021-06, ELBSecurityPolicy-TLS13-1-3-FIPS-2023-04, ELBSecurityPolicy-TLS13-1-2-Res-2021-06, ELBSecurityPolicy-TLS13-1-2-Res-FIPS-2023-04, ELBSecurityPolicy-TLS13-1-2-Res-PQ-2025-09, ELBSecurityPolicy-TLS13-1-3-PQ-2025-09, ELBSecurityPolicy-TLS13-1-2-Res-FIPS-PQ-2025-09, ELBSecurityPolicy-TLS13-1-3-FIPS-PQ-2025-09` (not customizable)

This control checks whether the HTTPS listener for an Application Load Balancer or the TLS listener for a Network Load Balancer is configured to encrypt data in transit by using a recommended security policy. The control fails if the HTTPS or TLS listener for a load balancer isn't configured to use a recommended security policy.

Elastic Load Balancing uses an SSL negotiation configuration, known as a *security policy*, to negotiate connections between a client and a load balancer. The security policy specifies a combination of protocols and ciphers. The protocol establishes a secure connection between a client and a server. A cipher is an encryption algorithm that uses encryption keys to create a coded message. During the connection negotiation process, the client and the load balancer present a list of ciphers and protocols that they each support, in order of preference. Using a recommended security policy for a load balancer can help you meet compliance and security standards.

### Remediation


For information about recommended security policies and how to update listeners, see the following sections of the *Elastic Load Balancing User Guides*: [Security policies for Application Load Balancers](https://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html), [Security policies for Network Load Balancers](https://docs.amazonaws.cn/elasticloadbalancing/latest/network/describe-ssl-policies.html), [Update an HTTPS listener for your Application Load Balancer](https://docs.amazonaws.cn/elasticloadbalancing/latest/application/listener-update-certificates.html), and [Update a listener for your Network Load Balancer](https://docs.amazonaws.cn/elasticloadbalancing/latest/network/listener-update-rules.html).

## [ELB.18] Application and Network Load Balancer listeners should use secure protocols to encrypt data in transit


**Category:** Protect > Data Protection > Encryption of data-in-transit

**Severity:** Medium

**Resource type:** `AWS::ElasticLoadBalancingV2::Listener`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/elbv2-listener-encryption-in-transit.html](https://docs.amazonaws.cn/config/latest/developerguide/elbv2-listener-encryption-in-transit.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether the listener for an Application Load Balancer or Network Load Balancer is configured to use a secure protocol for encryption of data in transit. The control fails if an Application Load Balancer listener isn't configured to use the HTTPS protocol, or a Network Load Balancer listener isn't configured to use the TLS protocol.

To encrypt data that's transmitted between a client and a load balancer, Elastic Load Balancer listeners should be configured to use industry-standard security protocols: HTTPS for Application Load Balancers, or TLS for Network Load Balancers. Otherwise, data that's transmitted between a client and a load balancer is vulnerable to interception, tampering, and unauthorized access. Use of HTTPS or TLS by a listener aligns with security best practices and helps ensure the confidentiality and integrity of data during transmission. This is particularly important for applications that handle sensitive information, or must comply with security standards that require encryption of data in transit.

### Remediation


For information about configuring security protocols for listeners, see the following sections of the *Elastic Load Balancing User Guides*: [Create an HTTPS listener for your Application Load Balancer](https://docs.amazonaws.cn/elasticloadbalancing/latest/application/create-https-listener.html) and [Create a listener for your Network Load Balancer](https://docs.amazonaws.cn/elasticloadbalancing/latest/network/create-listener.html).

## [ELB.21] Application and Network Load Balancer target groups should use encrypted health check protocols


**Category:** Protect > Data Protection > Encryption of data-in-transit

**Severity:** Medium

**Resource type:** `AWS::ElasticLoadBalancingV2::TargetGroup`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/elbv2-targetgroup-healthcheck-protocol-encrypted.html](https://docs.amazonaws.cn/config/latest/developerguide/elbv2-targetgroup-healthcheck-protocol-encrypted.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether the target groups used by Application and Network Load Balancer health checks are configured with an encrypted transport protocol. The control fails if the health check protocol is not HTTPS. This control is not applicable to Lambda target types.

Load Balancers send health check requests to registered targets to determine their status and route traffic accordingly. The health check protocol specified in the target group configuration determines how these checks are performed. When health check protocols use unencrypted communication such as HTTP, the requests and responses can be intercepted or manipulated during transmission. This allows attackers to gain insights into infrastructure configuration, tamper with health check results, or conduct man-in-the-middle attacks that affect routing decisions. Using HTTPS for health checks provides encrypted communication between the load balancer and its targets, protecting the integrity and confidentiality of health status information.

### Remediation


To configure encrypted health checks for your Application Load Balancer target group, see [Update the health check settings of an Application Load Balancer target group](https://docs.amazonaws.cn/elasticloadbalancing/latest/application/modify-health-check-settings.html) in the *Elastic Load Balancing User Guide*. To configure encrypted health checks for your Network Load Balancer target group, see [Update the health check settings of a Network Load Balancer target group](https://docs.amazonaws.cn/elasticloadbalancing/latest/network/modify-health-check-settings.html) in the *Elastic Load Balancing User Guide*.

## [ELB.22] ELB target groups should use encrypted transport protocols


**Category:** Protect > Data Protection > Encryption of data-in-transit

**Severity:** Medium

**Resource type:** `AWS::ElasticLoadBalancingV2::TargetGroup`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/elbv2-targetgroup-protocol-encrypted.html](https://docs.amazonaws.cn/config/latest/developerguide/elbv2-targetgroup-protocol-encrypted.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether an Elastic Load Balancing target group uses an encrypted transport protocol. This control does not apply to target groups with a target type of Lambda or ALB, or target groups using the GENEVE protocol. The control fails if the target group does not use HTTPS, TLS, or QUIC protocol.

Encrypting data in transit protects it from interception by unauthorized users. Target groups that use unencrypted protocols (HTTP, TCP, UDP) transmit data without encryption, making it vulnerable to eavesdropping. Using encrypted protocols (HTTPS, TLS, QUIC) ensures that data transmitted between load balancers and targets is protected.

### Remediation


To use an encrypted protocol, you must create a new target group with the HTTPS, TLS, or QUIC protocol. A target group's protocol cannot be modified after creation. To create an Application Load Balancer target group, see [Create a target group for your Application Load Balancer](https://docs.amazonaws.cn/elasticloadbalancing/latest/application/create-target-group.html) in the *Elastic Load Balancing User Guide*. To create a Network Load Balancer target group, see [Create a target group for your Network Load Balancer](https://docs.amazonaws.cn/elasticloadbalancing/latest/network/create-target-group.html) in the *Elastic Load Balancing User Guide*.
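The ELB.22 decision logic, including the target groups the control skips, as an added example that is not Security Hub CSPM's own implementation. It assumes records in the Elastic Load Balancing v2 `DescribeTargetGroups` shape (`TargetGroupArn`, `Protocol`, `TargetType`); the sample records are constructed.

```python
"""Evaluate the ELB.22 check (encrypted target group transport protocol)
over DescribeTargetGroups-style records.

Added example; this is not Security Hub CSPM's own implementation. Field
names (TargetGroupArn, Protocol, TargetType) follow the Elastic Load
Balancing v2 DescribeTargetGroups response. All sample records below are
constructed.
"""

ENCRYPTED_PROTOCOLS = {"HTTPS", "TLS", "QUIC"}
# The control does not evaluate these target groups (see the control text).
EXEMPT_TARGET_TYPES = {"lambda", "alb"}
EXEMPT_PROTOCOLS = {"GENEVE"}


def evaluate_elb22(target_group: dict) -> str:
    """Return PASSED, FAILED or NOT_APPLICABLE for one target group."""
    target_type = target_group.get("TargetType", "instance")
    protocol = target_group.get("Protocol")  # Lambda target groups carry no Protocol
    if target_type in EXEMPT_TARGET_TYPES or protocol in EXEMPT_PROTOCOLS:
        return "NOT_APPLICABLE"
    # The protocol cannot be changed after creation, so a FAILED result means
    # a replacement target group is needed rather than an in-place edit.
    return "PASSED" if protocol in ENCRYPTED_PROTOCOLS else "FAILED"


def evaluate_all(target_groups: list) -> dict:
    """Map each TargetGroupArn to its ELB.22 result."""
    return {tg["TargetGroupArn"]: evaluate_elb22(tg) for tg in target_groups}


def failed_arns(target_groups: list) -> list:
    """ARNs of target groups that need a new HTTPS/TLS/QUIC replacement."""
    return [arn for arn, res in evaluate_all(target_groups).items() if res == "FAILED"]


# Constructed sample data in the DescribeTargetGroups shape.
_TG = "arn:aws-cn:elasticloadbalancing:cn-north-1:111122223333:targetgroup/"
SAMPLE_TARGET_GROUPS = [
    {"TargetGroupArn": _TG + "web-https/0000000000000001", "Protocol": "HTTPS", "TargetType": "instance"},
    {"TargetGroupArn": _TG + "web-http/0000000000000002", "Protocol": "HTTP", "TargetType": "ip"},
    {"TargetGroupArn": _TG + "nlb-tls/0000000000000003", "Protocol": "TLS", "TargetType": "instance"},
    {"TargetGroupArn": _TG + "nlb-tcp/0000000000000004", "Protocol": "TCP", "TargetType": "instance"},
    {"TargetGroupArn": _TG + "udp-quic/0000000000000005", "Protocol": "QUIC", "TargetType": "ip"},
    {"TargetGroupArn": _TG + "fn/0000000000000006", "TargetType": "lambda"},
    {"TargetGroupArn": _TG + "to-alb/0000000000000007", "Protocol": "TCP", "TargetType": "alb"},
    {"TargetGroupArn": _TG + "gwlb/0000000000000008", "Protocol": "GENEVE", "TargetType": "instance"},
]

if __name__ == "__main__":
    # Live data would come from boto3.client("elbv2").describe_target_groups()["TargetGroups"].
    for arn, result in evaluate_all(SAMPLE_TARGET_GROUPS).items():
        print(f"{result:<15} {arn.rsplit('/', 2)[-2]}")
```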

# Security Hub CSPM for Elasticsearch
Elasticsearch controls

These Amazon Security Hub CSPM controls evaluate the Elasticsearch service and resources.

These controls may not be available in all Amazon Web Services Regions. For more information, see [Availability of controls by Region](securityhub-regions.md#securityhub-regions-control-support).

## [ES.1] Elasticsearch domains should have encryption at-rest enabled


**Related requirements:** PCI DSS v3.2.1/3.4, NIST.800-53.r5 CA-9(1), NIST.800-53.r5 CM-3(6), NIST.800-53.r5 SC-13, NIST.800-53.r5 SC-28, NIST.800-53.r5 SC-28(1), NIST.800-53.r5 SC-7(10), NIST.800-53.r5 SI-7(6)

**Category:** Protect > Data Protection > Encryption of data-at-rest

**Severity:** Medium

**Resource type:** `AWS::Elasticsearch::Domain`

**Amazon Config rule:** [elasticsearch-encrypted-at-rest](https://docs.amazonaws.cn/config/latest/developerguide/elasticsearch-encrypted-at-rest.html)

**Schedule type:** Periodic

**Parameters:** None

This control checks whether Elasticsearch domains have encryption at rest configuration enabled. The check fails if encryption at rest is not enabled.

For an added layer of security for your sensitive data in OpenSearch, you should configure your OpenSearch domain to be encrypted at rest. Elasticsearch domains offer encryption of data at rest. The feature uses Amazon KMS to store and manage your encryption keys. To perform the encryption, it uses the Advanced Encryption Standard algorithm with 256-bit keys (AES-256).

To learn more about OpenSearch encryption at rest, see [Encryption of data at rest for Amazon OpenSearch Service](https://docs.amazonaws.cn/opensearch-service/latest/developerguide/encryption-at-rest.html) in the *Amazon OpenSearch Service Developer Guide*.

Certain instance types, such as `t.small` and `t.medium`, don't support encryption of data at rest. For details, see [Supported instance types](https://docs.amazonaws.cn/opensearch-service/latest/developerguide/supported-instance-types.html) in the *Amazon OpenSearch Service Developer Guide*.

### Remediation


To enable encryption at rest for new and existing Elasticsearch domains, see [Enabling encryption of data at rest](https://docs.amazonaws.cn/opensearch-service/latest/developerguide/encryption-at-rest.html#enabling-ear) in the *Amazon OpenSearch Service Developer Guide*.

## [ES.2] Elasticsearch domains should not be publicly accessible


**Related requirements:** PCI DSS v3.2.1/1.2.1, PCI DSS v3.2.1/1.3.1, PCI DSS v3.2.1/1.3.2, PCI DSS v3.2.1/1.3.4, PCI DSS v3.2.1/1.3.6, NIST.800-53.r5 AC-21, NIST.800-53.r5 AC-3, NIST.800-53.r5 AC-3(7), NIST.800-53.r5 AC-4, NIST.800-53.r5 AC-4(21), NIST.800-53.r5 AC-6, NIST.800-53.r5 SC-7, NIST.800-53.r5 SC-7(11), NIST.800-53.r5 SC-7(16), NIST.800-53.r5 SC-7(20), NIST.800-53.r5 SC-7(21), NIST.800-53.r5 SC-7(3), NIST.800-53.r5 SC-7(4), NIST.800-53.r5 SC-7(9), PCI DSS v4.0.1/1.4.4

**Category:** Protect > Secure network configuration > Resources within VPC 

**Severity:** Critical

**Resource type:** `AWS::Elasticsearch::Domain`

**Amazon Config rule:** [elasticsearch-in-vpc-only](https://docs.amazonaws.cn/config/latest/developerguide/elasticsearch-in-vpc-only.html)

**Schedule type:** Periodic

**Parameters:** None

This control checks whether Elasticsearch domains are in a VPC. It does not evaluate the VPC subnet routing configuration to determine public access. You should ensure that Elasticsearch domains are not attached to public subnets. See [Resource-based policies](https://docs.amazonaws.cn/opensearch-service/latest/developerguide/ac.html#ac-types-resource) in the *Amazon OpenSearch Service Developer Guide*. You should also ensure that your VPC is configured according to the recommended best practices. See [Security best practices for your VPC](https://docs.amazonaws.cn/vpc/latest/userguide/vpc-security-best-practices.html) in the *Amazon VPC User Guide*.

Elasticsearch domains deployed within a VPC can communicate with VPC resources over the private Amazon network, without the need to traverse the public internet. This configuration increases the security posture by limiting access to the data in transit. VPCs provide a number of network controls to secure access to Elasticsearch domains, including network ACL and security groups. Security Hub CSPM recommends that you migrate public Elasticsearch domains to VPCs to take advantage of these controls.

### Remediation


If you create a domain with a public endpoint, you cannot later place it within a VPC. Instead, you must create a new domain and migrate your data. The reverse is also true. If you create a domain within a VPC, it cannot have a public endpoint. Instead, you must either [create another domain](https://docs.amazonaws.cn/opensearch-service/latest/developerguide/createupdatedomains.html) or disable this control.

See [Launching your Amazon OpenSearch Service domains within a VPC](https://docs.amazonaws.cn/opensearch-service/latest/developerguide/vpc.html) in the *Amazon OpenSearch Service Developer Guide*.

## [ES.3] Elasticsearch domains should encrypt data sent between nodes


**Related requirements:** NIST.800-53.r5 AC-4, NIST.800-53.r5 SC-13, NIST.800-53.r5 SC-23, NIST.800-53.r5 SC-23(3), NIST.800-53.r5 SC-7(4), NIST.800-53.r5 SC-8, NIST.800-53.r5 SC-8(1), NIST.800-53.r5 SC-8(2), PCI DSS v4.0.1/4.2.1

**Category:** Protect > Data Protection > Encryption of data-in-transit

**Severity:** Medium

**Resource type:** `AWS::Elasticsearch::Domain`

**Amazon Config rule:** [elasticsearch-node-to-node-encryption-check](https://docs.amazonaws.cn/config/latest/developerguide/elasticsearch-node-to-node-encryption-check.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether an Elasticsearch domain has node-to-node encryption enabled. The control fails if the Elasticsearch domain doesn't have node-to-node encryption enabled. The control also produces failed findings if an Elasticsearch version doesn't support node-to-node encryption checks. 

HTTPS (TLS) can be used to help prevent potential attackers from eavesdropping on or manipulating network traffic using person-in-the-middle or similar attacks. Only encrypted connections over HTTPS (TLS) should be allowed. Enabling node-to-node encryption for Elasticsearch domains ensures that intra-cluster communications are encrypted in transit.

There can be a performance penalty associated with this configuration. You should be aware of and test the performance trade-off before enabling this option. 

### Remediation


For information about enabling node-to-node encryption on new and existing domains, see [Enabling node-to-node encryption](https://docs.amazonaws.cn/opensearch-service/latest/developerguide/ntn.html#enabling-ntn) in the *Amazon OpenSearch Service Developer Guide*.

## [ES.4] Elasticsearch domain error logging to CloudWatch Logs should be enabled


**Related requirements:** NIST.800-53.r5 AC-2(4), NIST.800-53.r5 AC-4(26), NIST.800-53.r5 AC-6(9), NIST.800-53.r5 AU-10, NIST.800-53.r5 AU-12, NIST.800-53.r5 AU-2, NIST.800-53.r5 AU-3, NIST.800-53.r5 AU-6(3), NIST.800-53.r5 AU-6(4), NIST.800-53.r5 CA-7, NIST.800-53.r5 SC-7(9), NIST.800-53.r5 SI-3(8), NIST.800-53.r5 SI-4(20), NIST.800-53.r5 SI-7(8)

**Category:** Identify > Logging

**Severity:** Medium

**Resource type:** `AWS::Elasticsearch::Domain`

**Amazon Config rule:** [elasticsearch-logs-to-cloudwatch](https://docs.amazonaws.cn/config/latest/developerguide/elasticsearch-logs-to-cloudwatch.html)

**Schedule type:** Change triggered

**Parameters:**
+ `logtype = 'error'` (not customizable)

This control checks whether Elasticsearch domains are configured to send error logs to CloudWatch Logs.

You should enable error logs for Elasticsearch domains and send those logs to CloudWatch Logs for retention and response. Domain error logs can assist with security and access audits, and can help to diagnose availability issues.

### Remediation


For information on how to enable log publishing, see [Enabling log publishing (console)](https://docs.amazonaws.cn/opensearch-service/latest/developerguide/createdomain-configure-slow-logs.html#createdomain-configure-slow-logs-console) in the *Amazon OpenSearch Service Developer Guide*.

## [ES.5] Elasticsearch domains should have audit logging enabled


**Related requirements:** NIST.800-53.r5 AC-2(4), NIST.800-53.r5 AC-4(26), NIST.800-53.r5 AC-6(9), NIST.800-53.r5 AU-10, NIST.800-53.r5 AU-12, NIST.800-53.r5 AU-2, NIST.800-53.r5 AU-3, NIST.800-53.r5 AU-6(3), NIST.800-53.r5 AU-6(4), NIST.800-53.r5 CA-7, NIST.800-53.r5 SC-7(9), NIST.800-53.r5 SI-3(8), NIST.800-53.r5 SI-4(20), NIST.800-53.r5 SI-7(8), PCI DSS v4.0.1/10.4.2

**Category:** Identify > Logging

**Severity:** Medium

**Resource type:** `AWS::Elasticsearch::Domain`

**Amazon Config rule:** `elasticsearch-audit-logging-enabled` (custom Security Hub CSPM rule)

**Schedule type:** Change triggered

**Parameters:**
+ `cloudWatchLogsLogGroupArnList` (not customizable). Security Hub CSPM does not populate this parameter. Comma-separated list of CloudWatch Logs log groups that should be configured for audit logs.

  This rule is `NON_COMPLIANT` if the CloudWatch Logs log group of the Elasticsearch domain is not specified in this parameter list.

This control checks whether Elasticsearch domains have audit logging enabled. This control fails if an Elasticsearch domain does not have audit logging enabled. 

Audit logs are highly customizable. They allow you to track user activity on your Elasticsearch clusters, including authentication successes and failures, requests to OpenSearch, index changes, and incoming search queries.

### Remediation


For detailed instructions on enabling audit logs, see [Enabling audit logs](https://docs.amazonaws.cn/opensearch-service/latest/developerguide/audit-logs.html#audit-log-enabling) in the *Amazon OpenSearch Service Developer Guide*.

## [ES.6] Elasticsearch domains should have at least three data nodes


**Related requirements:** NIST.800-53.r5 CP-10, NIST.800-53.r5 CP-6(2), NIST.800-53.r5 SC-36, NIST.800-53.r5 SC-5(2), NIST.800-53.r5 SI-13(5)

**Category:** Recover > Resilience > High availability

**Severity:** Medium

**Resource type:** `AWS::Elasticsearch::Domain`

**Amazon Config rule:** `elasticsearch-data-node-fault-tolerance` (custom Security Hub CSPM rule)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether Elasticsearch domains are configured with at least three data nodes and `zoneAwarenessEnabled` is `true`.

An Elasticsearch domain requires at least three data nodes for high availability and fault-tolerance. Deploying an Elasticsearch domain with at least three data nodes ensures cluster operations if a node fails.

### Remediation


**To modify the number of data nodes in an Elasticsearch domain**

1. Open the Amazon OpenSearch Service console at [https://console.amazonaws.cn/aos/](https://console.amazonaws.cn/aos/).

1. Under **Domains**, choose the name of the domain you want to edit.

1. Choose **Edit domain**.

1. Under **Data nodes**, set **Number of nodes** to a number greater than or equal to `3`.

   For three Availability Zone deployments, set to a multiple of three to ensure equal distribution across Availability Zones.

1. Choose **Submit**.

## [ES.7] Elasticsearch domains should be configured with at least three dedicated master nodes


**Related requirements:** NIST.800-53.r5 CP-10, NIST.800-53.r5 CP-6(2), NIST.800-53.r5 SC-36, NIST.800-53.r5 SC-5(2), NIST.800-53.r5 SI-13(5)

**Category:** Recover > Resilience > High availability

**Severity:** Medium

**Resource type:** `AWS::Elasticsearch::Domain`

**Amazon Config rule:** `elasticsearch-primary-node-fault-tolerance` (custom Security Hub CSPM rule)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether Elasticsearch domains are configured with at least three dedicated primary nodes. This control fails if the domain does not use dedicated primary nodes. This control passes if Elasticsearch domains have five dedicated primary nodes. However, using more than three primary nodes might be unnecessary to mitigate the availability risk, and will result in additional cost.

An Elasticsearch domain requires at least three dedicated primary nodes for high availability and fault-tolerance. Dedicated primary node resources can be strained during data node blue/green deployments because there are additional nodes to manage. Deploying an Elasticsearch domain with at least three dedicated primary nodes ensures sufficient primary node resource capacity and cluster operations if a node fails.

### Remediation


**To modify the number of dedicated primary nodes in an OpenSearch domain**

1. Open the Amazon OpenSearch Service console at [https://console.amazonaws.cn/aos/](https://console.amazonaws.cn/aos/).

1. Under **Domains**, choose the name of the domain you want to edit.

1. Choose **Edit domain**.

1. Under **Dedicated master nodes**, set **Instance type** to the desired instance type.

1. Set **Number of master nodes** equal to three or greater.

1. Choose **Submit**.

## [ES.8] Connections to Elasticsearch domains should be encrypted using the latest TLS security policy


**Related requirements:** NIST.800-53.r5 AC-17(2), NIST.800-53.r5 AC-4, NIST.800-53.r5 IA-5(1), NIST.800-53.r5 SC-12(3), NIST.800-53.r5 SC-13, NIST.800-53.r5 SC-23, NIST.800-53.r5 SC-23(3), NIST.800-53.r5 SC-7(4), NIST.800-53.r5 SC-8, NIST.800-53.r5 SC-8(1), NIST.800-53.r5 SC-8(2), NIST.800-53.r5 SI-7(6), PCI DSS v4.0.1/4.2.1

**Category:** Protect > Data Protection > Encryption of data-in-transit

**Severity:** Medium

**Resource type:** `AWS::Elasticsearch::Domain`

**Amazon Config rule:** `elasticsearch-https-required` (custom Security Hub CSPM rule)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether an Elasticsearch domain endpoint is configured to use the latest TLS security policy. The control fails if the Elasticsearch domain endpoint isn't configured to use the latest supported policy or if HTTPS isn't enabled. The current latest supported TLS security policy is `Policy-Min-TLS-1-2-PFS-2023-10`.

HTTPS (TLS) can be used to help prevent potential attackers from using person-in-the-middle or similar attacks to eavesdrop on or manipulate network traffic. Only encrypted connections over HTTPS (TLS) should be allowed. Encrypting data in transit can affect performance. You should test your application with this feature to understand the performance profile and the impact of TLS. TLS 1.2 provides several security enhancements over previous versions of TLS.

### Remediation


To enable TLS encryption, use the [UpdateDomainConfig](https://docs.amazonaws.cn/opensearch-service/latest/APIReference/API_UpdateDomainConfig.html) API operation to configure the [DomainEndpointOptions](https://docs.amazonaws.cn/opensearch-service/latest/APIReference/API_DomainEndpointOptions.html) object. This sets the `TLSSecurityPolicy`.
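The checks that ES.1 through ES.8 describe, evaluated together over one domain record, as an added example that is not Security Hub CSPM's own implementation. It assumes the `DescribeElasticsearchDomain` response shape (`EncryptionAtRestOptions`, `VPCOptions`, `NodeToNodeEncryptionOptions`, `LogPublishingOptions`, `ElasticsearchClusterConfig`, `DomainEndpointOptions`), and the sample domain is constructed.

```python
"""Evaluate Security Hub CSPM controls ES.1 through ES.8 over a
DescribeElasticsearchDomain-style DomainStatus record.

Added example; not Security Hub CSPM's own implementation. Field names
follow the Elasticsearch Service DescribeElasticsearchDomain response.
The sample domain below is constructed.
"""

LATEST_TLS_POLICY = "Policy-Min-TLS-1-2-PFS-2023-10"  # stated in the ES.8 text
MIN_DATA_NODES = 3          # ES.6
MIN_DEDICATED_MASTERS = 3   # ES.7


def _log_published(status: dict, log_type: str) -> bool:
    """True when the log type is enabled and bound to a CloudWatch Logs log group."""
    opts = status.get("LogPublishingOptions", {}).get(log_type, {})
    return bool(opts.get("Enabled")) and bool(opts.get("CloudWatchLogsLogGroupArn"))


def evaluate_domain(status: dict) -> dict:
    """Return {control_id: "PASSED" | "FAILED"} for one domain."""
    cluster = status.get("ElasticsearchClusterConfig", {})
    endpoint = status.get("DomainEndpointOptions", {})
    checks = {
        # ES.1: encryption at rest enabled
        "ES.1": bool(status.get("EncryptionAtRestOptions", {}).get("Enabled")),
        # ES.2: domain launched into a VPC (a public-endpoint domain has no VPCOptions)
        "ES.2": bool(status.get("VPCOptions", {}).get("VPCId")),
        # ES.3: node-to-node encryption enabled
        "ES.3": bool(status.get("NodeToNodeEncryptionOptions", {}).get("Enabled")),
        # ES.4 / ES.5: error logs and audit logs published to CloudWatch Logs
        "ES.4": _log_published(status, "ES_APPLICATION_LOGS"),
        "ES.5": _log_published(status, "AUDIT_LOGS"),
        # ES.6: at least three data nodes with zone awareness enabled
        "ES.6": cluster.get("InstanceCount", 0) >= MIN_DATA_NODES
        and bool(cluster.get("ZoneAwarenessEnabled")),
        # ES.7: dedicated primary (master) nodes enabled, at least three of them
        "ES.7": bool(cluster.get("DedicatedMasterEnabled"))
        and cluster.get("DedicatedMasterCount", 0) >= MIN_DEDICATED_MASTERS,
        # ES.8: HTTPS enforced and the latest TLS security policy selected
        "ES.8": bool(endpoint.get("EnforceHTTPS"))
        and endpoint.get("TLSSecurityPolicy") == LATEST_TLS_POLICY,
    }
    return {cid: "PASSED" if ok else "FAILED" for cid, ok in checks.items()}


def recommended_data_node_count(status: dict) -> int:
    """Smallest data node count satisfying ES.6 and its remediation note:
    at least three, and a multiple of the Availability Zone count so the
    nodes spread evenly across zones."""
    cluster = status.get("ElasticsearchClusterConfig", {})
    az_count = cluster.get("ZoneAwarenessConfig", {}).get("AvailabilityZoneCount", 1) or 1
    current = max(cluster.get("InstanceCount", 0), MIN_DATA_NODES)
    return -(-current // az_count) * az_count  # round up to a multiple of az_count


# Constructed sample: encrypted at rest and inside a VPC, but several checks fail.
SAMPLE_DOMAIN_STATUS = {
    "DomainName": "example-logs",
    "ElasticsearchVersion": "7.10",
    "ElasticsearchClusterConfig": {
        "InstanceType": "r5.large.elasticsearch",
        "InstanceCount": 2,
        "ZoneAwarenessEnabled": True,
        "ZoneAwarenessConfig": {"AvailabilityZoneCount": 3},
        "DedicatedMasterEnabled": True,
        "DedicatedMasterType": "m5.large.elasticsearch",
        "DedicatedMasterCount": 3,
    },
    "EncryptionAtRestOptions": {
        "Enabled": True,
        "KmsKeyId": "arn:aws-cn:kms:cn-north-1:111122223333:key/EXAMPLE-KEY-ID",
    },
    "NodeToNodeEncryptionOptions": {"Enabled": False},
    "VPCOptions": {"VPCId": "vpc-0example", "SubnetIds": ["subnet-0example"]},
    "LogPublishingOptions": {
        "ES_APPLICATION_LOGS": {
            "Enabled": True,
            "CloudWatchLogsLogGroupArn": "arn:aws-cn:logs:cn-north-1:111122223333:log-group:/aws/aes/example-logs/error",
        },
        "AUDIT_LOGS": {"Enabled": False},
    },
    "DomainEndpointOptions": {"EnforceHTTPS": True, "TLSSecurityPolicy": "Policy-Min-TLS-1-2-2019-07"},
}

if __name__ == "__main__":
    # Live data: boto3.client("es").describe_elasticsearch_domain(DomainName=...)["DomainStatus"]
    for control_id, result in evaluate_domain(SAMPLE_DOMAIN_STATUS).items():
        print(f"{control_id:<5} {result}")
    print("ES.6 remediation: set Number of nodes to", recommended_data_node_count(SAMPLE_DOMAIN_STATUS))
```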

## [ES.9] Elasticsearch domains should be tagged


**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `AWS::Elasticsearch::Domain`

**Amazon Config rule:** `tagged-elasticsearch-domain` (custom Security Hub CSPM rule)

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  requiredTagKeys  | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive.  | StringList (maximum of 6 items)  | 1–6 tag keys that meet [Amazon requirements](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-conventions).  |  No default value  | 

This control checks whether an Elasticsearch domain has tags with the specific keys defined in the parameter `requiredTagKeys`. The control fails if the domain doesn’t have any tag keys or if it doesn’t have all the keys specified in the parameter `requiredTagKeys`. If the parameter `requiredTagKeys` isn't provided, the control only checks for the existence of a tag key and fails if the domain isn't tagged with any key. System tags, which are automatically applied and begin with `aws:`, are ignored.

A tag is a label that you assign to an Amazon resource, and it consists of a key and an optional value. You can create tags to categorize resources by purpose, owner, environment, or other criteria. Tags can help you identify, organize, search for, and filter resources. Tagging also helps you track accountable resource owners for actions and notifications. When you use tagging, you can implement attribute-based access control (ABAC) as an authorization strategy, which defines permissions based on tags. You can attach tags to IAM entities (users or roles) and to Amazon resources. You can create a single ABAC policy or a separate set of policies for your IAM principals. You can design these ABAC policies to allow operations when the principal's tag matches the resource tag. For more information, see [What is ABAC for Amazon?](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*.

**Note**  
Don’t add personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible to many Amazon Web Services services, including Amazon Billing. For more tagging best practices, see [Tagging your Amazon resources](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-best-practices) in the *Amazon Web Services General Reference*.

### Remediation


To add tags to an Elasticsearch domain, see [Working with tags](https://docs.amazonaws.cn/opensearch-service/latest/developerguide/managedomains-awsresourcetagging.html#managedomains-awsresourcetagging-console) in the *Amazon OpenSearch Service Developer Guide*.

# Security Hub CSPM controls for Amazon EMR
Amazon EMR controls

These Amazon Security Hub CSPM controls evaluate the Amazon EMR (previously called Amazon Elastic MapReduce) service and resources. The controls might not be available in all Amazon Web Services Regions. For more information, see [Availability of controls by Region](securityhub-regions.md#securityhub-regions-control-support).

## [EMR.1] Amazon EMR cluster primary nodes should not have public IP addresses


**Related requirements:** PCI DSS v3.2.1/1.2.1, PCI DSS v3.2.1/1.3.1, PCI DSS v3.2.1/1.3.2, PCI DSS v3.2.1/1.3.4, PCI DSS v3.2.1/1.3.6, PCI DSS v4.0.1/1.4.4, NIST.800-53.r5 AC-21, NIST.800-53.r5 AC-3, NIST.800-53.r5 AC-3(7), NIST.800-53.r5 AC-4, NIST.800-53.r5 AC-4(21), NIST.800-53.r5 AC-6, NIST.800-53.r5 SC-7, NIST.800-53.r5 SC-7(11), NIST.800-53.r5 SC-7(16), NIST.800-53.r5 SC-7(20), NIST.800-53.r5 SC-7(21), NIST.800-53.r5 SC-7(3), NIST.800-53.r5 SC-7(4), NIST.800-53.r5 SC-7(9)

**Category:** Protect > Secure network configuration

**Severity:** High

**Resource type:** `AWS::EMR::Cluster`

**Amazon Config rule:** [emr-master-no-public-ip](https://docs.amazonaws.cn/config/latest/developerguide/emr-master-no-public-ip.html)

**Schedule type:** Periodic

**Parameters:** None

This control checks whether master nodes on Amazon EMR clusters have public IP addresses. The control fails if public IP addresses are associated with any of the master node instances.

Public IP addresses are designated in the `PublicIp` field of the `NetworkInterfaces` configuration for the instance. This control only checks Amazon EMR clusters that are in a `RUNNING` or `WAITING` state.

### Remediation


During launch, you can control whether your instance in a default or nondefault subnet is assigned a public IPv4 address. By default, default subnets have this attribute set to `true`. Nondefault subnets have the IPv4 public addressing attribute set to `false`, unless the subnet was created by the Amazon EC2 launch instance wizard. In that case, the attribute is set to `true`.

After launch, you can't manually disassociate a public IPv4 address from your instance.

To remediate a failed finding, you must launch a new cluster in a VPC with a private subnet that has the IPv4 public addressing attribute set to `false`. For instructions, see [Launch clusters into a VPC](https://docs.amazonaws.cn/emr/latest/ManagementGuide/emr-vpc-launching-job-flows.html) in the *Amazon EMR Management Guide*.

## [EMR.2] Amazon EMR block public access setting should be enabled


**Related requirements:** PCI DSS v4.0.1/1.4.4, NIST.800-53.r5 AC-21, NIST.800-53.r5 AC-3, NIST.800-53.r5 AC-3(7), NIST.800-53.r5 AC-4, NIST.800-53.r5 AC-4(21), NIST.800-53.r5 AC-6, NIST.800-53.r5 SC-7, NIST.800-53.r5 SC-7(11), NIST.800-53.r5 SC-7(16), NIST.800-53.r5 SC-7(20), NIST.800-53.r5 SC-7(21), NIST.800-53.r5 SC-7(3), NIST.800-53.r5 SC-7(4), NIST.800-53.r5 SC-7(9)

**Category:** Protect > Secure access management > Resource not publicly accessible

**Severity:** Critical

**Resource type:** `AWS::::Account`

**Amazon Config rule:** [emr-block-public-access](https://docs.amazonaws.cn/config/latest/developerguide/emr-block-public-access.html)

**Schedule type:** Periodic

**Parameters:** None

This control checks whether your account is configured with Amazon EMR block public access. The control fails if the block public access setting isn't enabled or if any port other than port 22 is allowed.

Amazon EMR block public access prevents you from launching a cluster in a public subnet if the cluster has a security configuration that allows inbound traffic from public IP addresses on a port. When a user from your Amazon Web Services account launches a cluster, Amazon EMR checks the port rules in the security group for the cluster and compares them with your inbound traffic rules. If the security group has an inbound rule that opens ports to the public IP addresses IPv4 0.0.0.0/0 or IPv6 ::/0, and those ports aren't specified as exceptions for your account, Amazon EMR doesn't let the user create the cluster.

**Note**  
Block public access is enabled by default. To increase account protection, we recommend that you keep it enabled.

### Remediation


To configure block public access for Amazon EMR, see [Using Amazon EMR block public access](https://docs.amazonaws.cn/emr/latest/ManagementGuide/emr-block-public-access.html) in the *Amazon EMR Management Guide*.
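The EMR.1 and EMR.2 checks over constructed records, as an added example that is not Security Hub CSPM's own implementation. It assumes the cluster `Status.State`, the EC2 `DescribeInstances` layout in which the public address of a network interface sits under `Association.PublicIp`, and the `GetBlockPublicAccessConfiguration` shape (`BlockPublicSecurityGroupRules`, `PermittedPublicSecurityGroupRuleRanges`).

```python
"""Evaluate EMR.1 (no public IPs on primary nodes) and EMR.2 (block public
access enabled, port 22 the only exception) over API-shaped records.

Added example; not Security Hub CSPM's own implementation. All sample data
below is constructed (203.0.113.0/24 is a documentation address range).
"""

EVALUATED_STATES = {"RUNNING", "WAITING"}   # EMR.1 looks only at these clusters
ALLOWED_PUBLIC_PORT = 22                    # the only exception EMR.2 tolerates


def public_ips(instances: list) -> list:
    """Collect public IPv4 addresses from EC2 instance records."""
    found = []
    for inst in instances:
        for nic in inst.get("NetworkInterfaces", []):
            ip = nic.get("Association", {}).get("PublicIp")
            if ip:
                found.append(ip)
    return found


def evaluate_emr1(cluster: dict, primary_instances: list) -> str:
    """EMR.1: any public IP on a primary node of a RUNNING/WAITING cluster fails."""
    if cluster.get("Status", {}).get("State") not in EVALUATED_STATES:
        return "NOT_APPLICABLE"
    return "FAILED" if public_ips(primary_instances) else "PASSED"


def evaluate_emr2(config: dict) -> str:
    """EMR.2: block public access must be on, and every permitted public
    range must be exactly port 22 (a wider range such as 22-23 also fails)."""
    if not config.get("BlockPublicSecurityGroupRules"):
        return "FAILED"
    for rng in config.get("PermittedPublicSecurityGroupRuleRanges", []):
        low = rng.get("MinRange")
        high = rng.get("MaxRange", low)  # MaxRange omitted means a single port
        if (low, high) != (ALLOWED_PUBLIC_PORT, ALLOWED_PUBLIC_PORT):
            return "FAILED"
    return "PASSED"


# Constructed samples.
RUNNING_CLUSTER = {"Id": "j-EXAMPLE1", "Status": {"State": "RUNNING"}}
TERMINATED_CLUSTER = {"Id": "j-EXAMPLE2", "Status": {"State": "TERMINATED"}}
PRIMARY_WITH_PUBLIC_IP = [{"InstanceId": "i-0example1", "NetworkInterfaces": [
    {"PrivateIpAddress": "10.0.1.10", "Association": {"PublicIp": "203.0.113.10"}}]}]
PRIMARY_PRIVATE_ONLY = [{"InstanceId": "i-0example2", "NetworkInterfaces": [
    {"PrivateIpAddress": "10.0.1.11"}]}]
BPA_COMPLIANT = {"BlockPublicSecurityGroupRules": True,
                 "PermittedPublicSecurityGroupRuleRanges": [{"MinRange": 22, "MaxRange": 22}]}
BPA_EXTRA_PORT = {"BlockPublicSecurityGroupRules": True,
                  "PermittedPublicSecurityGroupRuleRanges": [{"MinRange": 22, "MaxRange": 22},
                                                             {"MinRange": 8443, "MaxRange": 8443}]}
BPA_DISABLED = {"BlockPublicSecurityGroupRules": False,
                "PermittedPublicSecurityGroupRuleRanges": []}

if __name__ == "__main__":
    print("EMR.1 running cluster, public primary  :", evaluate_emr1(RUNNING_CLUSTER, PRIMARY_WITH_PUBLIC_IP))
    print("EMR.1 running cluster, private primary :", evaluate_emr1(RUNNING_CLUSTER, PRIMARY_PRIVATE_ONLY))
    print("EMR.1 terminated cluster               :", evaluate_emr1(TERMINATED_CLUSTER, PRIMARY_WITH_PUBLIC_IP))
    print("EMR.2 port 22 only                     :", evaluate_emr2(BPA_COMPLIANT))
    print("EMR.2 extra port 8443                  :", evaluate_emr2(BPA_EXTRA_PORT))
    print("EMR.2 block public access off          :", evaluate_emr2(BPA_DISABLED))
```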

## [EMR.3] Amazon EMR security configurations should be encrypted at rest


**Related requirements:** NIST.800-53.r5 CA-9(1), NIST.800-53.r5 CP-9(8), NIST.800-53.r5 SI-12

**Category:** Protect > Data Protection > Encryption of data-at-rest

**Severity:** Medium

**Resource type:** `AWS::EMR::SecurityConfiguration`

**Amazon Config rule:** [emr-security-configuration-encryption-rest](https://docs.amazonaws.cn/config/latest/developerguide/emr-security-configuration-encryption-rest.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether an Amazon EMR security configuration has encryption at rest enabled. The control fails if the security configuration doesn't enable encryption at rest.

Data at rest refers to data that's stored in persistent, non-volatile storage for any duration. Encrypting data at rest helps you protect its confidentiality, which reduces the risk that an unauthorized user can access it.

### Remediation


To enable encryption at rest in an Amazon EMR security configuration, see [Configure data encryption](https://docs.amazonaws.cn/emr/latest/ManagementGuide/emr-create-security-configuration.html#emr-security-configuration-encryption.html) in the *Amazon EMR Management Guide*.

## [EMR.4] Amazon EMR security configurations should be encrypted in transit


**Related requirements:** NIST.800-53.r5 AC-4, NIST.800-53.r5 SC-7(4), NIST.800-53.r5 SC-8, NIST.800-53.r5 SC-8(1), NIST.800-53.r5 SC-8(2), NIST.800-53.r5 SC-13, NIST.800-53.r5 SC-23, NIST.800-53.r5 SC-23(3)

**Category:** Protect > Data Protection > Encryption of data-in-transit

**Severity:** Medium

**Resource type:** `AWS::EMR::SecurityConfiguration`

**Amazon Config rule:** [emr-security-configuration-encryption-transit](https://docs.amazonaws.cn/config/latest/developerguide/emr-security-configuration-encryption-transit.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether an Amazon EMR security configuration has encryption in transit enabled. The control fails if the security configuration doesn't enable encryption in transit.

Data in transit refers to data that moves from one location to another, such as between nodes in your cluster or between your cluster and your application. Data may move across the internet or within a private network. Encrypting data in transit reduces the risk that an unauthorized user can eavesdrop on network traffic.

### Remediation


To enable encryption in transit in an Amazon EMR security configuration, see [Configure data encryption](https://docs.amazonaws.cn/emr/latest/ManagementGuide/emr-create-security-configuration.html#emr-security-configuration-encryption.html) in the *Amazon EMR Management Guide*.

# Security Hub CSPM controls for EventBridge
Amazon EventBridge controls

These Amazon Security Hub CSPM controls evaluate the Amazon EventBridge service and resources.

These controls may not be available in all Amazon Web Services Regions. For more information, see [Availability of controls by Region](securityhub-regions.md#securityhub-regions-control-support).

## [EventBridge.2] EventBridge event buses should be tagged


**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `Amazon::Events::EventBus`

**Amazon Config rule:** `tagged-events-eventbus` (custom Security Hub CSPM rule)

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  requiredTagKeys  | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive.  | StringList (maximum of 6 items)  | 1–6 tag keys that meet [Amazon requirements](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-conventions).  | No default value  | 

This control checks whether an Amazon EventBridge event bus has tags with the specific keys defined in the parameter `requiredTagKeys`. The control fails if the event bus doesn’t have any tag keys or if it doesn’t have all the keys specified in the parameter `requiredTagKeys`. If the parameter `requiredTagKeys` isn't provided, the control only checks for the existence of a tag key and fails if the event bus isn't tagged with any key. System tags, which are automatically applied and begin with `aws:`, are ignored.

A tag is a label that you assign to an Amazon resource, and it consists of a key and an optional value. You can create tags to categorize resources by purpose, owner, environment, or other criteria. Tags can help you identify, organize, search for, and filter resources. Tagging also helps you track accountable resource owners for actions and notifications. When you use tagging, you can implement attribute-based access control (ABAC) as an authorization strategy, which defines permissions based on tags. You can attach tags to IAM entities (users or roles) and to Amazon resources. You can create a single ABAC policy or a separate set of policies for your IAM principals. You can design these ABAC policies to allow operations when the principal's tag matches the resource tag. For more information, see [What is ABAC for Amazon?](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*.

**Note**  
Don’t add personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible to many Amazon Web Services services, including Amazon Billing. For more tagging best practices, see [Tagging your Amazon resources](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-best-practices) in the *Amazon Web Services General Reference*.

### Remediation


To add tags to an EventBridge event bus, see [Amazon EventBridge tags](https://docs.amazonaws.cn/eventbridge/latest/userguide/eb-tagging.html) in the *Amazon EventBridge User Guide*.

## [EventBridge.3] EventBridge custom event buses should have a resource-based policy attached


**Related requirements:** NIST.800-53.r5 AC-2, NIST.800-53.r5 AC-2(1), NIST.800-53.r5 AC-3, NIST.800-53.r5 AC-3(15), NIST.800-53.r5 AC-3(7), NIST.800-53.r5 AC-5, NIST.800-53.r5 AC-6, NIST.800-53.r5 AC-6(3), PCI DSS v4.0.1/10.3.1

**Category:** Protect > Secure access management > Resource not publicly accessible

**Severity:** Low

**Resource type:** `AWS::Events::EventBus`

**Amazon Config rule:** [custom-eventbus-policy-attached](https://docs.amazonaws.cn/config/latest/developerguide/custom-eventbus-policy-attached.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks if an Amazon EventBridge custom event bus has a resource-based policy attached. This control fails if the custom event bus doesn't have a resource-based policy.

By default, an EventBridge custom event bus doesn't have a resource-based policy attached. This allows principals in the account to access the event bus. By attaching a resource-based policy to the event bus, you can limit access to the event bus to specified accounts, as well as intentionally grant access to entities in another account.

### Remediation


To attach a resource-based policy to an EventBridge custom event bus, see [Using resource-based policies for Amazon EventBridge](https://docs.amazonaws.cn/eventbridge/latest/userguide/eb-use-resource-based.html) in the *Amazon EventBridge User Guide*.

## [EventBridge.4] EventBridge global endpoints should have event replication enabled


**Related requirements:** NIST.800-53.r5 CP-10, NIST.800-53.r5 CP-6(2), NIST.800-53.r5 SC-36, NIST.800-53.r5 SC-5(2), NIST.800-53.r5 SI-13(5)

**Category:** Recover > Resilience > High availability

**Severity:** Medium

**Resource type:** `AWS::Events::Endpoint`

**Amazon Config rule:** [global-endpoint-event-replication-enabled](https://docs.amazonaws.cn/config/latest/developerguide/global-endpoint-event-replication-enabled.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks if event replication is enabled for an Amazon EventBridge global endpoint. The control fails if event replication isn't enabled for a global endpoint.

Global endpoints help make your application Regional-fault tolerant. To start, you assign an Amazon Route 53 health check to the endpoint. When failover is initiated, the health check reports an "unhealthy" state. Within minutes of failover initiation, all custom events are routed to an event bus in the secondary Region and are processed by that event bus. When you use global endpoints, you can enable event replication. Event replication sends all custom events to the event buses in the primary and secondary Regions using managed rules. We recommend enabling event replication when setting up global endpoints. Event replication helps you verify that your global endpoints are configured correctly. Event replication is required to automatically recover from a failover event. If you don’t have event replication enabled, you’ll have to manually reset the Route 53 health check to "healthy" before events are rerouted back to the primary Region.

**Note**  
If you're using custom event buses, you'll need a custom event bus in each Region with the same name and in the same account for failover to work properly. Enabling event replication can increase your monthly cost. For information about pricing, see [Amazon EventBridge pricing](https://www.amazonaws.cn/eventbridge/pricing/).

### Remediation


To enable event replication for EventBridge global endpoints, see [Create a global endpoint](https://docs.amazonaws.cn/eventbridge/latest/userguide/eb-global-endpoints.html#eb-ge-create-endpoint) in the *Amazon EventBridge User Guide*. For **Event replication**, select **Event replication enabled**.
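
The following checker, added here as an example and not part of Security Hub CSPM or EventBridge, evaluates one global endpoint the way EventBridge.4 does (replication state) and also applies the note's requirement that the primary and secondary custom event buses share a name and an account. It assumes the input dict is shaped like an EventBridge `DescribeEndpoint` response; the endpoint names, account id and health check id in the samples are constructed.

```python
"""Checker for EventBridge.4 (event replication on a global endpoint) plus the
note's requirement that the custom event buses share a name and an account
across Regions. Added example; not Security Hub CSPM or EventBridge code.
Assumes the input is shaped like an EventBridge DescribeEndpoint response."""

EVENT_BUS_PREFIX = "event-bus/"


def parse_event_bus_arn(arn):
    """Split an event bus ARN into Region, account and bus name.
    Example: arn:aws-cn:events:cn-north-1:123456789012:event-bus/orders"""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[2] != "events" or not parts[5].startswith(EVENT_BUS_PREFIX):
        raise ValueError(f"not an EventBridge event bus ARN: {arn}")
    return {"region": parts[3], "account": parts[4], "name": parts[5][len(EVENT_BUS_PREFIX):]}


def is_route53_health_check_arn(arn):
    """True for arn:<partition>:route53:::healthcheck/<id> (assumed ARN layout)."""
    parts = str(arn).split(":")
    return len(parts) == 6 and parts[2] == "route53" and parts[5].startswith("healthcheck/")


def evaluate_global_endpoint(endpoint):
    """Return {'status': 'PASSED'|'FAILED', 'issues': [...]} for one endpoint."""
    issues = []

    # The control itself: replication must be enabled, or recovery is manual.
    state = (endpoint.get("ReplicationConfig") or {}).get("State")
    if state != "ENABLED":
        issues.append(f"event replication is not enabled (ReplicationConfig.State={state!r})")

    # Failover is driven by a Route 53 health check on the primary route.
    primary = endpoint.get("RoutingConfig", {}).get("FailoverConfig", {}).get("Primary", {})
    if not is_route53_health_check_arn(primary.get("HealthCheck", "")):
        issues.append("primary route has no Route 53 health check ARN")

    # From the note: a bus with the same name, in the same account, in each Region.
    try:
        buses = [parse_event_bus_arn(b["EventBusArn"]) for b in endpoint.get("EventBuses", [])]
    except (KeyError, ValueError) as exc:
        buses = []
        issues.append(f"unreadable EventBuses entry: {exc}")
    if len(buses) != 2:
        issues.append(f"expected a primary and a secondary event bus, found {len(buses)}")
    else:
        first, second = buses
        if first["region"] == second["region"]:
            issues.append("both event buses are in the same Region")
        if first["account"] != second["account"]:
            issues.append("event buses belong to different accounts")
        if first["name"] != second["name"]:
            issues.append(f"event bus names differ: {first['name']!r} vs {second['name']!r}")

    return {"status": "FAILED" if issues else "PASSED", "issues": issues}


# Constructed sample endpoints (not real resources).
HEALTH_CHECK = "arn:aws-cn:route53:::healthcheck/11111111-2222-3333-4444-555555555555"
ROUTING = {"FailoverConfig": {"Primary": {"HealthCheck": HEALTH_CHECK},
                              "Secondary": {"Route": "cn-northwest-1"}}}

COMPLIANT_ENDPOINT = {
    "Name": "orders-global",
    "ReplicationConfig": {"State": "ENABLED"},
    "RoutingConfig": ROUTING,
    "EventBuses": [
        {"EventBusArn": "arn:aws-cn:events:cn-north-1:123456789012:event-bus/orders"},
        {"EventBusArn": "arn:aws-cn:events:cn-northwest-1:123456789012:event-bus/orders"},
    ],
}

NONCOMPLIANT_ENDPOINT = {
    "Name": "payments-global",
    "ReplicationConfig": {"State": "DISABLED"},
    "RoutingConfig": ROUTING,
    "EventBuses": [
        {"EventBusArn": "arn:aws-cn:events:cn-north-1:123456789012:event-bus/payments"},
        {"EventBusArn": "arn:aws-cn:events:cn-northwest-1:123456789012:event-bus/payments-dr"},
    ],
}

if __name__ == "__main__":
    for ep in (COMPLIANT_ENDPOINT, NONCOMPLIANT_ENDPOINT):
        result = evaluate_global_endpoint(ep)
        print(ep["Name"], result["status"], *result["issues"], sep="\n  ")
```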

# Security Hub CSPM controls for Amazon Fraud Detector
Amazon Fraud Detector controls

These Security Hub CSPM controls evaluate the Amazon Fraud Detector service and resources.

These controls may not be available in all Amazon Web Services Regions. For more information, see [Availability of controls by Region](securityhub-regions.md#securityhub-regions-control-support).

## [FraudDetector.1] Amazon Fraud Detector entity types should be tagged


**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `AWS::FraudDetector::EntityType`

**Amazon Config rule:** `frauddetector-entity-type-tagged`

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  requiredKeyTags  | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive.  | StringList (maximum of 6 items)  | 1–6 tag keys that meet [Amazon requirements](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-conventions).  | No default value  | 

This control checks whether an Amazon Fraud Detector entity type has tags with the specific keys defined in the parameter `requiredKeyTags`. The control fails if the entity type doesn’t have any tag keys or if it doesn’t have all the keys specified in the parameter `requiredKeyTags`. If the parameter `requiredKeyTags` isn't provided, the control only checks for the existence of a tag key and fails if the entity type isn't tagged with any key. System tags, which are automatically applied and begin with `aws:`, are ignored.

A tag is a label that you assign to an Amazon resource, and it consists of a key and an optional value. You can create tags to categorize resources by purpose, owner, environment, or other criteria. Tags can help you identify, organize, search for, and filter resources. Tagging also helps you track accountable resource owners for actions and notifications. When you use tagging, you can implement attribute-based access control (ABAC) as an authorization strategy, which defines permissions based on tags. You can attach tags to IAM entities (users or roles) and to Amazon resources. You can create a single ABAC policy or a separate set of policies for your IAM principals. You can design these ABAC policies to allow operations when the principal's tag matches the resource tag. For more information, see [Define permissions based on attributes with ABAC authorization](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*.

**Note**  
Don’t add personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible to many Amazon Web Services services, including Amazon Billing. For more tagging best practices, see [Best practices and strategies](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-best-practices) in the *Tagging Amazon Resources and Tag Editor User Guide*.

### Remediation


**To add tags to an Amazon Fraud Detector entity type (console)**

1. Open the Amazon Fraud Detector console at [https://console.aws.amazon.com/frauddetector](https://console.amazonaws.cn/frauddetector/).

1. In the navigation pane, choose **Entities**.

1. Select an entity type from the list.

1. In the **entity type tags** section, choose **Manage tags**.

1. Choose **Add new tag**. Enter the key and value for the tag. Repeat for additional key-value pairs.

1. When you are finished adding tags, choose **Save**.

## [FraudDetector.2] Amazon Fraud Detector labels should be tagged


**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `AWS::FraudDetector::Label`

**Amazon Config rule:** `frauddetector-label-tagged`

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  requiredKeyTags  | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive.  | StringList (maximum of 6 items)  | 1–6 tag keys that meet [Amazon requirements](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-conventions).  | No default value  | 

This control checks whether an Amazon Fraud Detector label has tags with the specific keys defined in the parameter `requiredKeyTags`. The control fails if the label doesn’t have any tag keys or if it doesn’t have all the keys specified in the parameter `requiredKeyTags`. If the parameter `requiredKeyTags` isn't provided, the control only checks for the existence of a tag key and fails if the label isn't tagged with any key. System tags, which are automatically applied and begin with `aws:`, are ignored.

A tag is a label that you assign to an Amazon resource, and it consists of a key and an optional value. You can create tags to categorize resources by purpose, owner, environment, or other criteria. Tags can help you identify, organize, search for, and filter resources. Tagging also helps you track accountable resource owners for actions and notifications. When you use tagging, you can implement attribute-based access control (ABAC) as an authorization strategy, which defines permissions based on tags. You can attach tags to IAM entities (users or roles) and to Amazon resources. You can create a single ABAC policy or a separate set of policies for your IAM principals. You can design these ABAC policies to allow operations when the principal's tag matches the resource tag. For more information, see [Define permissions based on attributes with ABAC authorization](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*.

**Note**  
Don’t add personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible to many Amazon Web Services services, including Amazon Billing. For more tagging best practices, see [Best practices and strategies](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-best-practices) in the *Tagging Amazon Resources and Tag Editor User Guide*.

### Remediation


**To add tags to an Amazon Fraud Detector label (console)**

1. Open the Amazon Fraud Detector console at [https://console.aws.amazon.com/frauddetector](https://console.amazonaws.cn/frauddetector/).

1. In the navigation pane, choose **Labels**.

1. Select a label from the list.

1. In the **labels tags** section, choose **Manage tags**.

1. Choose **Add new tag**. Enter the key and value for the tag. Repeat for additional key-value pairs.

1. When you are finished adding tags, choose **Save**.

## [FraudDetector.3] Amazon Fraud Detector outcomes should be tagged


**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `AWS::FraudDetector::Outcome`

**Amazon Config rule:** `frauddetector-outcome-tagged`

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  requiredKeyTags  | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive.  | StringList (maximum of 6 items)  | 1–6 tag keys that meet [Amazon requirements](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-conventions).  | No default value  | 

This control checks whether an Amazon Fraud Detector outcome has tags with the specific keys defined in the parameter `requiredKeyTags`. The control fails if the outcome doesn’t have any tag keys or if it doesn’t have all the keys specified in the parameter `requiredKeyTags`. If the parameter `requiredKeyTags` isn't provided, the control only checks for the existence of a tag key and fails if the outcome isn't tagged with any key. System tags, which are automatically applied and begin with `aws:`, are ignored.

A tag is a label that you assign to an Amazon resource, and it consists of a key and an optional value. You can create tags to categorize resources by purpose, owner, environment, or other criteria. Tags can help you identify, organize, search for, and filter resources. Tagging also helps you track accountable resource owners for actions and notifications. When you use tagging, you can implement attribute-based access control (ABAC) as an authorization strategy, which defines permissions based on tags. You can attach tags to IAM entities (users or roles) and to Amazon resources. You can create a single ABAC policy or a separate set of policies for your IAM principals. You can design these ABAC policies to allow operations when the principal's tag matches the resource tag. For more information, see [Define permissions based on attributes with ABAC authorization](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*.

**Note**  
Don’t add personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible to many Amazon Web Services services, including Amazon Billing. For more tagging best practices, see [Best practices and strategies](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-best-practices) in the *Tagging Amazon Resources and Tag Editor User Guide*.

### Remediation


**To add tags to an Amazon Fraud Detector outcome (console)**

1. Open the Amazon Fraud Detector console at [https://console.aws.amazon.com/frauddetector](https://console.amazonaws.cn/frauddetector/).

1. In the navigation pane, choose **Outcomes**.

1. Select an outcome from the list.

1. In the **outcomes tags** section, choose **Manage tags**.

1. Choose **Add new tag**. Enter the key and value for the tag. Repeat for additional key-value pairs.

1. When you are finished adding tags, choose **Save**.

## [FraudDetector.4] Amazon Fraud Detector variables should be tagged


**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `AWS::FraudDetector::Variable`

**Amazon Config rule:** `frauddetector-variable-tagged`

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  requiredKeyTags  | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive.  | StringList (maximum of 6 items)  | 1–6 tag keys that meet [Amazon requirements](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-conventions).  | No default value  | 

This control checks whether an Amazon Fraud Detector variable has tags with the specific keys defined in the parameter `requiredKeyTags`. The control fails if the variable doesn’t have any tag keys or if it doesn’t have all the keys specified in the parameter `requiredKeyTags`. If the parameter `requiredKeyTags` isn't provided, the control only checks for the existence of a tag key and fails if the variable isn't tagged with any key. System tags, which are automatically applied and begin with `aws:`, are ignored.

A tag is a label that you assign to an Amazon resource, and it consists of a key and an optional value. You can create tags to categorize resources by purpose, owner, environment, or other criteria. Tags can help you identify, organize, search for, and filter resources. Tagging also helps you track accountable resource owners for actions and notifications. When you use tagging, you can implement attribute-based access control (ABAC) as an authorization strategy, which defines permissions based on tags. You can attach tags to IAM entities (users or roles) and to Amazon resources. You can create a single ABAC policy or a separate set of policies for your IAM principals. You can design these ABAC policies to allow operations when the principal's tag matches the resource tag. For more information, see [Define permissions based on attributes with ABAC authorization](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*.

**Note**  
Don’t add personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible to many Amazon Web Services services, including Amazon Billing. For more tagging best practices, see [Best practices and strategies](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-best-practices) in the *Tagging Amazon Resources and Tag Editor User Guide*.

### Remediation


**To add tags to an Amazon Fraud Detector variable (console)**

1. Open the Amazon Fraud Detector console at [https://console.aws.amazon.com/frauddetector](https://console.amazonaws.cn/frauddetector/).

1. In the navigation pane, choose **Variables**.

1. Select a variable from the list.

1. In the **variables tags** section, choose **Manage tags**.

1. Choose **Add new tag**. Enter the key and value for the tag. Repeat for additional key-value pairs.

1. When you are finished adding tags, choose **Save**.

# Security Hub CSPM controls for Amazon FSx
Amazon FSx controls

These Amazon Security Hub CSPM controls evaluate the Amazon FSx service and resources. The controls might not be available in all Amazon Web Services Regions. For more information, see [Availability of controls by Region](securityhub-regions.md#securityhub-regions-control-support).

## [FSx.1] FSx for OpenZFS file systems should be configured to copy tags to backups and volumes


**Related requirements:** NIST.800-53.r5 CA-9(1), NIST.800-53.r5 CM-2, NIST.800-53.r5 CM-2(2)

**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `AWS::FSx::FileSystem`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/fsx-openzfs-copy-tags-enabled.html](https://docs.amazonaws.cn/config/latest/developerguide/fsx-openzfs-copy-tags-enabled.html)

**Schedule type:** Periodic

**Parameters:** None

This control checks whether an Amazon FSx for OpenZFS file system is configured to copy tags to backups and volumes. The control fails if the OpenZFS file system isn't configured to copy tags to backups and volumes.

Identification and inventory of your IT assets is an important aspect of governance and security. Tags help you categorize your Amazon resources in different ways, for example, by purpose, owner, or environment. This is useful when you have many resources of the same type because you can quickly identify a specific resource based on the tags that you assigned to it.

### Remediation


For information about configuring an FSx for OpenZFS file system to copy tags to backups and volumes, see [Updating a file system](https://docs.amazonaws.cn/fsx/latest/OpenZFSGuide/updating-file-system.html) in the *Amazon FSx for OpenZFS User Guide*.

## [FSx.2] FSx for Lustre file systems should be configured to copy tags to backups


**Related requirements:** NIST.800-53.r5 CP-9, NIST.800-53.r5 CM-8

**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `AWS::FSx::FileSystem`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/fsx-lustre-copy-tags-to-backups.html](https://docs.amazonaws.cn/config/latest/developerguide/fsx-lustre-copy-tags-to-backups.html)

**Schedule type:** Periodic

**Parameters:** None

This control checks whether an Amazon FSx for Lustre file system is configured to copy tags to backups and volumes. The control fails if the Lustre file system isn't configured to copy tags to backups and volumes.

Identification and inventory of your IT assets is an important aspect of governance and security. Tags help you categorize your Amazon resources in different ways, for example, by purpose, owner, or environment. This is useful when you have many resources of the same type because you can quickly identify a specific resource based on the tags that you assigned to it.

### Remediation


For information about configuring an FSx for Lustre file system to copy tags to backups, see [Copying backups within the same Amazon Web Services account](https://docs.amazonaws.cn/fsx/latest/LustreGuide/copying-backups-same-account.html) in the *Amazon FSx for Lustre User Guide*.

## [FSx.3] FSx for OpenZFS file systems should be configured for Multi-AZ deployment


**Category:** Recover > Resilience > High availability

**Severity:** Medium

**Resource type:** `AWS::FSx::FileSystem`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/fsx-openzfs-deployment-type-check.html](https://docs.amazonaws.cn/config/latest/developerguide/fsx-openzfs-deployment-type-check.html)

**Schedule type:** Periodic

**Parameters:** `deploymentTypes: MULTI_AZ_1` (not customizable)

This control checks whether an Amazon FSx for OpenZFS file system is configured to use the multiple Availability Zones (Multi-AZ) deployment type. The control fails if the file system isn't configured to use the Multi-AZ deployment type.

Amazon FSx for OpenZFS supports several deployment types for file systems: *Multi-AZ (HA)*, *Single-AZ (HA)*, and *Single-AZ (non-HA)*. The deployment types offer different levels of availability and durability. Multi-AZ (HA) file systems are composed of a high-availability (HA) pair of file servers that are spread across two Availability Zones (AZs). We recommend using the Multi-AZ (HA) deployment type for most production workloads due to the high availability and durability model that it provides.

### Remediation


You can configure an Amazon FSx for OpenZFS file system to use the Multi-AZ deployment type when you create the file system. You can't change the deployment type for an existing FSx for OpenZFS file system.

For information about deployment types and options for FSx for OpenZFS file systems, see [Availability and durability for Amazon FSx for OpenZFS](https://docs.amazonaws.cn/fsx/latest/OpenZFSGuide/availability-durability.html) and [Managing file system resources](https://docs.amazonaws.cn/fsx/latest/OpenZFSGuide/managing-file-systems.html) in the *Amazon FSx for OpenZFS User Guide*.

## [FSx.4] FSx for NetApp ONTAP file systems should be configured for Multi-AZ deployment


**Category:** Recover > Resilience > High availability

**Severity:** Medium

**Resource type:** `AWS::FSx::FileSystem`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/fsx-ontap-deployment-type-check.html](https://docs.amazonaws.cn/config/latest/developerguide/fsx-ontap-deployment-type-check.html)

**Schedule type:** Periodic

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  `deploymentTypes`  |  A list of deployment types to include in the evaluation. The control generates a `FAILED` finding if a file system isn't configured to use a deployment type specified in the list.  |  Enum  |  `MULTI_AZ_1`, `MULTI_AZ_2`  |  `MULTI_AZ_1`, `MULTI_AZ_2`  | 

This control checks whether an Amazon FSx for NetApp ONTAP file system is configured to use a multiple Availability Zones (Multi-AZ) deployment type. The control fails if the file system isn't configured to use a Multi-AZ deployment type. You can optionally specify a list of deployment types to include in the evaluation.

Amazon FSx for NetApp ONTAP supports several deployment types for file systems: *Single-AZ 1*, *Single-AZ 2*, *Multi-AZ 1*, and *Multi-AZ 2*. The deployment types offer different levels of availability and durability. We recommend using a Multi-AZ deployment type for most production workloads due to the high availability and durability model that Multi-AZ deployment types provide. Multi-AZ file systems support all the availability and durability features of Single-AZ file systems. In addition, they're designed to provide continuous availability to data even when an Availability Zone (AZ) is unavailable.

### Remediation


You can't change the deployment type for an existing Amazon FSx for NetApp ONTAP file system. However, you can back up the data, and then restore it on a new file system that uses a Multi-AZ deployment type.

For information about deployment types and options for FSx for ONTAP file systems, see [Availability, durability, and deployment options](https://docs.amazonaws.cn/fsx/latest/ONTAPGuide/high-availability-AZ.html) and [Managing file systems](https://docs.amazonaws.cn/fsx/latest/ONTAPGuide/managing-file-systems.html) in the *FSx for ONTAP User Guide*. 

## [FSx.5] FSx for Windows File Server file systems should be configured for Multi-AZ deployment


**Category:** Recover > Resilience > High availability

**Severity:** Medium

**Resource type:** `AWS::FSx::FileSystem`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/fsx-windows-deployment-type-check.html](https://docs.amazonaws.cn/config/latest/developerguide/fsx-windows-deployment-type-check.html)

**Schedule type:** Periodic

**Parameters:** `deploymentTypes: MULTI_AZ_1` (not customizable)

This control checks whether an Amazon FSx for Windows File Server file system is configured to use the multiple Availability Zones (Multi-AZ) deployment type. The control fails if the file system isn't configured to use the Multi-AZ deployment type.

Amazon FSx for Windows File Server supports two deployment types for file systems: *Single-AZ* and *Multi-AZ*. The deployment types offer different levels of availability and durability. Single-AZ file systems are composed of a single Windows file server instance and a set of storage volumes within a single Availability Zone (AZ). Multi-AZ file systems are composed of a high-availability cluster of Windows file servers spread across two Availability Zones. We recommend using the Multi-AZ deployment type for most production workloads due to the high availability and durability model that it provides.

### Remediation


You can configure an Amazon FSx for Windows File Server file system to use the Multi-AZ deployment type when you create the file system. You can't change the deployment type for an existing FSx for Windows File Server file system.

For information about deployment types and options for FSx for Windows File Server file systems, see [Availability and durability: Single-AZ and Multi-AZ file systems](https://docs.amazonaws.cn/fsx/latest/WindowsGuide/high-availability-multiAZ.html) and [Getting started with Amazon FSx for Windows File Server](https://docs.amazonaws.cn/fsx/latest/WindowsGuide/getting-started.html) in the *Amazon FSx for Windows File Server User Guide*. 

# Security Hub CSPM controls for Global Accelerator
Amazon Global Accelerator controls

These Amazon Security Hub CSPM controls evaluate the Amazon Global Accelerator service and resources.

These controls may not be available in all Amazon Web Services Regions. For more information, see [Availability of controls by Region](securityhub-regions.md#securityhub-regions-control-support).

## [GlobalAccelerator.1] Global Accelerator accelerators should be tagged


**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `AWS::GlobalAccelerator::Accelerator`

**Amazon Config rule:** `tagged-globalaccelerator-accelerator` (custom Security Hub CSPM rule)

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  requiredTagKeys  | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive.  | StringList (maximum of 6 items)  | 1–6 tag keys that meet [Amazon requirements](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-conventions).  |  No default value  | 

This control checks whether an Amazon Global Accelerator accelerator has tags with the specific keys defined in the parameter `requiredTagKeys`. The control fails if the accelerator doesn’t have any tag keys or if it doesn’t have all the keys specified in the parameter `requiredTagKeys`. If the parameter `requiredTagKeys` isn't provided, the control only checks for the existence of a tag key and fails if the accelerator isn't tagged with any key. System tags, which are automatically applied and begin with `aws:`, are ignored.

A tag is a label that you assign to an Amazon resource, and it consists of a key and an optional value. You can create tags to categorize resources by purpose, owner, environment, or other criteria. Tags can help you identify, organize, search for, and filter resources. Tagging also helps you track accountable resource owners for actions and notifications. When you use tagging, you can implement attribute-based access control (ABAC) as an authorization strategy, which defines permissions based on tags. You can attach tags to IAM entities (users or roles) and to Amazon resources. You can create a single ABAC policy or a separate set of policies for your IAM principals. You can design these ABAC policies to allow operations when the principal's tag matches the resource tag. For more information, see [What is ABAC for Amazon?](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*.

**Note**  
Don’t add personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible to many Amazon Web Services services, including Amazon Billing. For more tagging best practices, see [Tagging your Amazon resources](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-best-practices) in the *Amazon Web Services General Reference*.

### Remediation


To add tags to a Global Accelerator accelerator, see [Tagging in Amazon Global Accelerator](https://docs.amazonaws.cn/global-accelerator/latest/dg/tagging-in-global-accelerator.html) in the *Amazon Global Accelerator Developer Guide*.

# Security Hub CSPM controls for Amazon Glue
Amazon Glue controls

These Amazon Security Hub CSPM controls evaluate the Amazon Glue service and resources. The controls might not be available in all Amazon Web Services Regions. For more information, see [Availability of controls by Region](securityhub-regions.md#securityhub-regions-control-support).

## [Glue.1] Amazon Glue jobs should be tagged


**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `AWS::Glue::Job`

**Amazon Config rule:** `tagged-glue-job` (custom Security Hub CSPM rule)

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  requiredTagKeys  | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive.  | StringList (maximum of 6 items)  | 1–6 tag keys that meet [Amazon requirements](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-conventions).  | No default value  | 

This control checks whether an Amazon Glue job has tags with the specific keys defined in the parameter `requiredTagKeys`. The control fails if the job doesn’t have any tag keys or if it doesn’t have all the keys specified in the parameter `requiredTagKeys`. If the parameter `requiredTagKeys` isn't provided, the control only checks for the existence of a tag key and fails if the job isn't tagged with any key. System tags, which are automatically applied and begin with `aws:`, are ignored.

A tag is a label that you assign to an Amazon resource, and it consists of a key and an optional value. You can create tags to categorize resources by purpose, owner, environment, or other criteria. Tags can help you identify, organize, search for, and filter resources. Tagging also helps you track accountable resource owners for actions and notifications. When you use tagging, you can implement attribute-based access control (ABAC) as an authorization strategy, which defines permissions based on tags. You can attach tags to IAM entities (users or roles) and to Amazon resources. You can create a single ABAC policy or a separate set of policies for your IAM principals. You can design these ABAC policies to allow operations when the principal's tag matches the resource tag. For more information, see [What is ABAC for Amazon?](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*.

**Note**  
Don’t add personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible to many Amazon Web Services services, including Amazon Billing. For more tagging best practices, see [Tagging your Amazon resources](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-best-practices) in the *Amazon Web Services General Reference*.

### Remediation


To add tags to an Amazon Glue job, see [Amazon tags in Amazon Glue](https://docs.amazonaws.cn/glue/latest/dg/monitor-tags.html) in the *Amazon Glue User Guide*.
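
The tag-key controls on this page (FraudDetector.1 through FraudDetector.4, GlobalAccelerator.1 and Glue.1) all apply the same evaluation: ignore `aws:` system tags, require at least one remaining key when no parameter is set, and otherwise require every listed key with a case-sensitive match. The evaluator below is an added example, not Security Hub CSPM code; it assumes tags arrive as a `{key: value}` dict, and the resource ids and tag values in the sample inventory are constructed.

```python
"""Tag-key evaluator mirroring the requiredKeyTags / requiredTagKeys logic of
FraudDetector.1-4, GlobalAccelerator.1 and Glue.1. Added example, not
Security Hub CSPM code; the tag dict shape and the resource ids are assumed."""
from dataclasses import dataclass, field

MAX_REQUIRED_KEYS = 6        # parameter type: StringList (maximum of 6 items)
SYSTEM_TAG_PREFIX = "aws:"   # system tags are applied automatically and ignored


@dataclass
class TagFinding:
    resource_id: str
    status: str                              # "PASSED" or "FAILED"
    missing_keys: list = field(default_factory=list)


def normalize_required_keys(required_keys):
    """Apply the constraints from the controls' parameter tables: 1-6 keys when
    the parameter is supplied, and a reserved aws: key cannot be required."""
    if required_keys is None:
        return []
    keys = list(required_keys)
    if not 1 <= len(keys) <= MAX_REQUIRED_KEYS:
        raise ValueError(f"expected 1-{MAX_REQUIRED_KEYS} required keys, got {len(keys)}")
    for key in keys:
        if key.startswith(SYSTEM_TAG_PREFIX):
            raise ValueError(f"{key!r} is a system tag key and cannot be required")
    return keys


def evaluate_tags(resource_id, tags, required_keys=None):
    """Return a TagFinding for one resource.

    tags: {key: value} as returned by the service's list-tags call (assumed shape).
    With no required keys the control only needs at least one non-system key;
    with required keys every one of them must be present, matched case-sensitively.
    """
    user_keys = {k for k in tags if not k.startswith(SYSTEM_TAG_PREFIX)}
    required = normalize_required_keys(required_keys)
    if not required:
        return TagFinding(resource_id, "PASSED" if user_keys else "FAILED")
    missing = [k for k in required if k not in user_keys]
    return TagFinding(resource_id, "FAILED" if missing else "PASSED", missing)


def evaluate_all(resources, required_keys=None):
    """Evaluate a batch of {resource_id: tags} and return findings keyed by id."""
    return {rid: evaluate_tags(rid, tags, required_keys) for rid, tags in resources.items()}


# Constructed sample inventory (not real resources).
SAMPLE_RESOURCES = {
    "entity-type/customer": {"Owner": "fraud-team", "Environment": "prod", "CostCenter": "1234"},
    "entity-type/merchant": {"Owner": "fraud-team", "environment": "prod"},   # wrong case
    "label/fraud": {"aws:cloudformation:stack-name": "fraud-stack"},          # system tag only
    "outcome/approve": {},                                                    # untagged
}

if __name__ == "__main__":
    for rid, finding in evaluate_all(SAMPLE_RESOURCES, ["Owner", "Environment"]).items():
        print(f"{finding.status:6} {rid} missing={finding.missing_keys}")
```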

## [Glue.3] Amazon Glue machine learning transforms should be encrypted at rest


**Category:** Protect > Data Protection > Encryption of data-at-rest

**Severity:** Medium

**Resource type:** `AWS::Glue::MLTransform`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/glue-ml-transform-encrypted-at-rest.html](https://docs.amazonaws.cn/config/latest/developerguide/glue-ml-transform-encrypted-at-rest.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether an Amazon Glue machine learning transform is encrypted at rest. The control fails if the machine learning transform isn't encrypted at rest.

Data at rest refers to data that's stored in persistent, non-volatile storage for any duration. Encrypting data at rest helps you protect its confidentiality, which reduces the risk that an unauthorized user can access it.

### Remediation


To configure encryption for Amazon Glue machine learning transforms, see [Working with machine learning transforms](https://docs.amazonaws.cn/glue/latest/dg/console-machine-learning-transforms.html) in the *Amazon Glue User Guide*.

## [Glue.4] Amazon Glue Spark jobs should run on supported versions of Amazon Glue


**Related requirements:** NIST.800-53.r5 CA-9(1), NIST.800-53.r5 CM-2, NIST.800-53.r5 SI-2, NIST.800-53.r5 SI-2(2), NIST.800-53.r5 SI-2(4), NIST.800-53.r5 SI-2(5)

**Category:** Identify > Vulnerability, patch, and version management

**Severity:** Medium

**Resource type:** `AWS::Glue::Job`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/glue-spark-job-supported-version.html](https://docs.amazonaws.cn/config/latest/developerguide/glue-spark-job-supported-version.html)

**Schedule type:** Change triggered

**Parameters:** `minimumSupportedGlueVersion`: `3.0` (not customizable)

This control checks whether an Amazon Glue for Spark job is configured to run on a supported version of Amazon Glue. The control fails if the Spark job is configured to run on a version of Amazon Glue that's earlier than the minimum supported version.

**Note**  
This control also generates a `FAILED` finding for an Amazon Glue for Spark job if the Amazon Glue version (`GlueVersion`) property doesn’t exist or is null in the configuration item (CI) for the job. In such cases, the finding includes the following annotation: `GlueVersion is null or missing in glueetl job configuration`. To address this type of `FAILED` finding, add the `GlueVersion` property to the job’s configuration. For a list of supported versions and runtime environments, see [Amazon Glue Versions](https://docs.amazonaws.cn/glue/latest/dg/release-notes.html#release-notes-versions) in the *Amazon Glue User Guide*.

Running Amazon Glue Spark jobs on current versions of Amazon Glue can optimize performance, security, and access to the latest features of Amazon Glue. It can also help safeguard against security vulnerabilities. For example, a new version might be released to provide security updates, address issues, or introduce new features.

### Remediation


For information about migrating a Spark job to a supported version of Amazon Glue, see [Migrating Amazon Glue for Spark jobs](https://docs.amazonaws.cn/glue/latest/dg/migrating-version-40.html) in the *Amazon Glue User Guide*.

# Security Hub CSPM controls for Amazon GuardDuty
Amazon GuardDuty controls

These Amazon Security Hub CSPM controls evaluate the Amazon GuardDuty service and resources. The controls might not be available in all Amazon Web Services Regions. For more information, see [Availability of controls by Region](securityhub-regions.md#securityhub-regions-control-support).

## [GuardDuty.1] GuardDuty should be enabled


**Related requirements:** NIST.800-53.r5 AC-2(12), NIST.800-53.r5 AU-6(1), NIST.800-53.r5 AU-6(5), NIST.800-53.r5 CA-7, NIST.800-53.r5 CM-8(3), NIST.800-53.r5 RA-3(4), NIST.800-53.r5 SA-11(1), NIST.800-53.r5 SA-11(6), NIST.800-53.r5 SA-15(2), NIST.800-53.r5 SA-15(8), NIST.800-53.r5 SA-8(19), NIST.800-53.r5 SA-8(21), NIST.800-53.r5 SA-8(25), NIST.800-53.r5 SC-5, NIST.800-53.r5 SC-5(1), NIST.800-53.r5 SC-5(3), NIST.800-53.r5 SI-20, NIST.800-53.r5 SI-3(8), NIST.800-53.r5 SI-4, NIST.800-53.r5 SI-4(1), NIST.800-53.r5 SI-4(13), NIST.800-53.r5 SI-4(2), NIST.800-53.r5 SI-4(22), NIST.800-53.r5 SI-4(25), NIST.800-53.r5 SI-4(4), NIST.800-53.r5 SI-4(5), NIST.800-171.r2 3.4.2, NIST.800-171.r2 3.14.6, NIST.800-171.r2 3.14.7, PCI DSS v3.2.1/11.4, PCI DSS v4.0.1/11.5.1

**Category:** Detect > Detection services

**Severity:** High

**Resource type:** `AWS::::Account`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/guardduty-enabled-centralized.html](https://docs.amazonaws.cn/config/latest/developerguide/guardduty-enabled-centralized.html)

**Schedule type:** Periodic

**Parameters:** None

This control checks whether Amazon GuardDuty is enabled in your GuardDuty account and Region.

It is highly recommended that you enable GuardDuty in all supported Amazon Regions. Doing so allows GuardDuty to generate findings about unauthorized or unusual activity, even in Regions that you do not actively use. This also allows GuardDuty to monitor CloudTrail events for global Amazon Web Services services such as IAM.

### Remediation


To enable GuardDuty, see [Getting started with GuardDuty](https://docs.amazonaws.cn/guardduty/latest/ug/guardduty_settingup.html) in the *Amazon GuardDuty User Guide*.

## [GuardDuty.2] GuardDuty filters should be tagged


**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `Amazon::GuardDuty::Filter`

**Amazon Config rule:** `tagged-guardduty-filter` (custom Security Hub CSPM rule)

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  requiredTagKeys  | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive.  | StringList (maximum of 6 items)  | 1–6 tag keys that meet [Amazon requirements](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-conventions).  |  No default value  | 

This control checks whether an Amazon GuardDuty filter has tags with the specific keys defined in the parameter `requiredTagKeys`. The control fails if the filter doesn’t have any tag keys or if it doesn’t have all the keys specified in the parameter `requiredTagKeys`. If the parameter `requiredTagKeys` isn't provided, the control only checks for the existence of a tag key and fails if the filter isn't tagged with any key. System tags, which are automatically applied and begin with `aws:`, are ignored.

A tag is a label that you assign to an Amazon resource, and it consists of a key and an optional value. You can create tags to categorize resources by purpose, owner, environment, or other criteria. Tags can help you identify, organize, search for, and filter resources. Tagging also helps you track accountable resource owners for actions and notifications. When you use tagging, you can implement attribute-based access control (ABAC) as an authorization strategy, which defines permissions based on tags. You can attach tags to IAM entities (users or roles) and to Amazon resources. You can create a single ABAC policy or a separate set of policies for your IAM principals. You can design these ABAC policies to allow operations when the principal's tag matches the resource tag. For more information, see [What is ABAC for Amazon?](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*.

**Note**  
Don’t add personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible to many Amazon Web Services services, including Amazon Billing. For more tagging best practices, see [Tagging your Amazon resources](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-best-practices) in the *Amazon Web Services General Reference*.

### Remediation


To add tags to a GuardDuty filter, see [https://docs.amazonaws.cn/guardduty/latest/APIReference/API_TagResource.html](https://docs.amazonaws.cn/guardduty/latest/APIReference/API_TagResource.html) in the *Amazon GuardDuty API Reference*.

## [GuardDuty.3] GuardDuty IPSets should be tagged


**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `Amazon::GuardDuty::IPSet`

**Amazon Config rule:** `tagged-guardduty-ipset` (custom Security Hub CSPM rule)

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  requiredTagKeys  | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive.  | StringList (maximum of 6 items)  | 1–6 tag keys that meet [Amazon requirements](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-conventions).  |  No default value  | 

This control checks whether an Amazon GuardDuty IPSet has tags with the specific keys defined in the parameter `requiredTagKeys`. The control fails if the IPSet doesn’t have any tag keys or if it doesn’t have all the keys specified in the parameter `requiredTagKeys`. If the parameter `requiredTagKeys` isn't provided, the control only checks for the existence of a tag key and fails if the IPSet isn't tagged with any key. System tags, which are automatically applied and begin with `aws:`, are ignored.

A tag is a label that you assign to an Amazon resource, and it consists of a key and an optional value. You can create tags to categorize resources by purpose, owner, environment, or other criteria. Tags can help you identify, organize, search for, and filter resources. Tagging also helps you track accountable resource owners for actions and notifications. When you use tagging, you can implement attribute-based access control (ABAC) as an authorization strategy, which defines permissions based on tags. You can attach tags to IAM entities (users or roles) and to Amazon resources. You can create a single ABAC policy or a separate set of policies for your IAM principals. You can design these ABAC policies to allow operations when the principal's tag matches the resource tag. For more information, see [What is ABAC for Amazon?](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*.

**Note**  
Don’t add personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible to many Amazon Web Services services, including Amazon Billing. For more tagging best practices, see [Tagging your Amazon resources](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-best-practices) in the *Amazon Web Services General Reference*.

### Remediation


To add tags to a GuardDuty IPSet, see [https://docs.amazonaws.cn/guardduty/latest/APIReference/API_TagResource.html](https://docs.amazonaws.cn/guardduty/latest/APIReference/API_TagResource.html) in the *Amazon GuardDuty API Reference*.

## [GuardDuty.4] GuardDuty detectors should be tagged


**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `Amazon::GuardDuty::Detector`

**Amazon Config rule:** `tagged-guardduty-detector` (custom Security Hub CSPM rule)

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  requiredTagKeys  | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive.  | StringList (maximum of 6 items)  | 1–6 tag keys that meet [Amazon requirements](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-conventions).  |  No default value  | 

This control checks whether an Amazon GuardDuty detector has tags with the specific keys defined in the parameter `requiredTagKeys`. The control fails if the detector doesn’t have any tag keys or if it doesn’t have all the keys specified in the parameter `requiredTagKeys`. If the parameter `requiredTagKeys` isn't provided, the control only checks for the existence of a tag key and fails if the detector isn't tagged with any key. System tags, which are automatically applied and begin with `aws:`, are ignored.
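The tag-key rule is identical for [GuardDuty.2], [GuardDuty.3] and this control; here it is modelled offline as an added example (not the custom Security Hub CSPM rule's own code), with constructed filter, IPSet and detector records that exercise the system-tag exclusion and the case-sensitive key match.

```python
"""Offline model of the tag check used by [GuardDuty.2], [GuardDuty.3] and
[GuardDuty.4], which differ only in the resource type they evaluate.

Added example; it is not the custom Security Hub CSPM rule's own code. The
resource records below are constructed samples.
"""
from __future__ import annotations

SYSTEM_TAG_PREFIX = "aws:"   # system tags are applied automatically and ignored
MAX_REQUIRED_TAG_KEYS = 6    # the requiredTagKeys parameter accepts 1 to 6 keys


def user_tag_keys(tags: dict[str, str]) -> set[str]:
    """Non-system tag keys of a resource; the comparison stays case-sensitive."""
    return {key for key in tags if not key.startswith(SYSTEM_TAG_PREFIX)}


def evaluate_tagging(tags: dict[str, str],
                     required_tag_keys: list[str] | None = None) -> tuple[str, str]:
    """Return (compliance, annotation) for one resource's tag set.

    - No requiredTagKeys: pass if at least one non-system tag key exists.
    - requiredTagKeys given: pass only if every listed key is present.
    """
    if required_tag_keys is not None and not 1 <= len(required_tag_keys) <= MAX_REQUIRED_TAG_KEYS:
        raise ValueError(f"requiredTagKeys must contain 1 to {MAX_REQUIRED_TAG_KEYS} keys")

    present = user_tag_keys(tags)
    if not present:
        return "NON_COMPLIANT", "Resource has no non-system tag keys"
    if not required_tag_keys:
        return "COMPLIANT", "Resource has at least one tag key"

    missing = [key for key in required_tag_keys if key not in present]
    if missing:
        return "NON_COMPLIANT", "Missing required tag keys: " + ", ".join(missing)
    return "COMPLIANT", "All required tag keys are present"


# Constructed sample resources across the three resource types.
SAMPLE_RESOURCES = [
    {"type": "Amazon::GuardDuty::Filter", "id": "filter-archive-low",
     "tags": {"aws:cloudformation:stack-name": "gd-stack"}},        # only a system tag
    {"type": "Amazon::GuardDuty::IPSet", "id": "ipset-trusted-egress",
     "tags": {"Owner": "secops", "Environment": "prod"}},
    {"type": "Amazon::GuardDuty::Detector", "id": "detector-main",
     "tags": {"Owner": "secops", "environment": "prod", "CostCenter": "1234"}},
]


def evaluate_all(resources: list[dict],
                 required_tag_keys: list[str] | None = None) -> dict[str, tuple[str, str]]:
    """Evaluate each resource, keyed by resource id."""
    return {r["id"]: evaluate_tagging(r["tags"], required_tag_keys) for r in resources}


if __name__ == "__main__":
    # Lower-case "environment" deliberately differs from the IPSet's "Environment".
    for rid, (compliance, note) in evaluate_all(SAMPLE_RESOURCES, ["Owner", "environment"]).items():
        print(f"{rid:22} {compliance:14} {note}")
```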

A tag is a label that you assign to an Amazon resource, and it consists of a key and an optional value. You can create tags to categorize resources by purpose, owner, environment, or other criteria. Tags can help you identify, organize, search for, and filter resources. Tagging also helps you track accountable resource owners for actions and notifications. When you use tagging, you can implement attribute-based access control (ABAC) as an authorization strategy, which defines permissions based on tags. You can attach tags to IAM entities (users or roles) and to Amazon resources. You can create a single ABAC policy or a separate set of policies for your IAM principals. You can design these ABAC policies to allow operations when the principal's tag matches the resource tag. For more information, see [What is ABAC for Amazon?](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*.

**Note**  
Don’t add personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible to many Amazon Web Services services, including Amazon Billing. For more tagging best practices, see [Tagging your Amazon resources](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-best-practices) in the *Amazon Web Services General Reference*.

### Remediation


To add tags to a GuardDuty detector, see [https://docs.amazonaws.cn/guardduty/latest/APIReference/API_TagResource.html](https://docs.amazonaws.cn/guardduty/latest/APIReference/API_TagResource.html) in the *Amazon GuardDuty API Reference*.

## [GuardDuty.5] GuardDuty EKS Audit Log Monitoring should be enabled


**Category:** Detect > Detection services

**Severity:** High

**Resource type:** `AWS::GuardDuty::Detector`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/guardduty-eks-protection-audit-enabled.html](https://docs.amazonaws.cn/config/latest/developerguide/guardduty-eks-protection-audit-enabled.html)

**Schedule type:** Periodic

**Parameters:** None

This control checks whether GuardDuty EKS Audit Log Monitoring is enabled. For a standalone account, the control fails if GuardDuty EKS Audit Log Monitoring is disabled in the account. In a multi-account environment, the control fails if the delegated GuardDuty administrator account and all member accounts don't have EKS Audit Log Monitoring enabled.

In a multi-account environment, the control generates findings in only the delegated GuardDuty administrator account. Only the delegated administrator can enable or disable the EKS Audit Log Monitoring feature for the member accounts in the organization. GuardDuty member accounts can't modify this configuration from their accounts. This control generates `FAILED` findings if the delegated GuardDuty administrator has a suspended member account that doesn't have GuardDuty EKS Audit Log Monitoring enabled. To receive a `PASSED` finding, the delegated administrator must disassociate these suspended accounts in GuardDuty.

GuardDuty EKS Audit Log Monitoring helps you detect potentially suspicious activities in your Amazon Elastic Kubernetes Service (Amazon EKS) clusters. EKS Audit Log Monitoring uses Kubernetes audit logs to capture chronological activities from users, applications using the Kubernetes API, and the control plane.

### Remediation


To enable GuardDuty EKS Audit Log Monitoring, see [EKS Audit Log Monitoring](https://docs.amazonaws.cn/guardduty/latest/ug/guardduty-eks-audit-log-monitoring.html) in the *Amazon GuardDuty User Guide*.

## [GuardDuty.6] GuardDuty Lambda Protection should be enabled


**Related requirements:** PCI DSS v4.0.1/11.5.1

**Category:** Detect > Detection services

**Severity:** High

**Resource type:** `AWS::GuardDuty::Detector`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/guardduty-lambda-protection-enabled.html](https://docs.amazonaws.cn/config/latest/developerguide/guardduty-lambda-protection-enabled.html)

**Schedule type:** Periodic

**Parameters:** None

This control checks whether GuardDuty Lambda Protection is enabled. For a standalone account, the control fails if GuardDuty Lambda Protection is disabled in the account. In a multi-account environment, the control fails if the delegated GuardDuty administrator account and all member accounts don't have Lambda Protection enabled.

In a multi-account environment, the control generates findings in only the delegated GuardDuty administrator account. Only the delegated administrator can enable or disable the Lambda Protection feature for the member accounts in the organization. GuardDuty member accounts can't modify this configuration from their accounts. This control generates `FAILED` findings if the delegated GuardDuty administrator has a suspended member account that doesn't have GuardDuty Lambda Protection enabled. To receive a `PASSED` finding, the delegated administrator must disassociate these suspended accounts in GuardDuty.

GuardDuty Lambda Protection helps you identify potential security threats when an Amazon Lambda function gets invoked. After you enable Lambda Protection, GuardDuty starts monitoring Lambda network activity logs associated with the Lambda functions in your Amazon Web Services account. When a Lambda function gets invoked and GuardDuty identifies suspicious network traffic that indicates the presence of a potentially malicious piece of code in your Lambda function, GuardDuty generates a finding.

### Remediation


To enable GuardDuty Lambda Protection, see [Configuring Lambda Protection](https://docs.amazonaws.cn/guardduty/latest/ug/configuring-lambda-protection.html) in the *Amazon GuardDuty User Guide*.

## [GuardDuty.7] GuardDuty EKS Runtime Monitoring should be enabled


**Related requirements:** PCI DSS v4.0.1/11.5.1

**Category:** Detect > Detection services

**Severity:** High

**Resource type:** `AWS::GuardDuty::Detector`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/guardduty-eks-protection-runtime-enabled.html](https://docs.amazonaws.cn/config/latest/developerguide/guardduty-eks-protection-runtime-enabled.html)

**Schedule type:** Periodic

**Parameters:** None

This control checks whether GuardDuty EKS Runtime Monitoring with automated agent management is enabled. For a standalone account, the control fails if GuardDuty EKS Runtime Monitoring with automated agent management is disabled in the account. In a multi-account environment, the control fails if the delegated GuardDuty administrator account and all member accounts don't have EKS Runtime Monitoring with automated agent management enabled.

In a multi-account environment, the control generates findings in only the delegated GuardDuty administrator account. Only the delegated administrator can enable or disable the EKS Runtime Monitoring feature with automated agent management for the member accounts in the organization. GuardDuty member accounts can't modify this configuration from their accounts. This control generates `FAILED` findings if the delegated GuardDuty administrator has a suspended member account that doesn't have GuardDuty EKS Runtime Monitoring enabled. To receive a `PASSED` finding, the delegated administrator must disassociate these suspended accounts in GuardDuty.

EKS Protection in Amazon GuardDuty provides threat detection coverage to help you protect Amazon EKS clusters within your Amazon environment. EKS Runtime Monitoring uses operating system-level events to help you detect potential threats in EKS nodes and containers within your EKS clusters. 

### Remediation


To enable EKS Runtime Monitoring with automated agent management, see [Enabling GuardDuty Runtime Monitoring](https://docs.amazonaws.cn/guardduty/latest/ug/runtime-monitoring-configuration.html) in the *Amazon GuardDuty User Guide*.

## [GuardDuty.8] GuardDuty Malware Protection for EC2 should be enabled


**Category:** Detect > Detection services

**Severity:** High

**Resource type:** `AWS::GuardDuty::Detector`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/guardduty-malware-protection-enabled.html](https://docs.amazonaws.cn/config/latest/developerguide/guardduty-malware-protection-enabled.html)

**Schedule type:** Periodic

**Parameters:** None

This control checks whether GuardDuty Malware Protection is enabled. For a standalone account, the control fails if GuardDuty Malware Protection is disabled in the account. In a multi-account environment, the control fails if the delegated GuardDuty administrator account and all member accounts don't have Malware Protection enabled.

In a multi-account environment, the control generates findings in only the delegated GuardDuty administrator account. Only the delegated administrator can enable or disable the Malware Protection feature for the member accounts in the organization. GuardDuty member accounts can't modify this configuration from their accounts. This control generates `FAILED` findings if the delegated GuardDuty administrator has a suspended member account that doesn't have GuardDuty Malware Protection enabled. To receive a `PASSED` finding, the delegated administrator must disassociate these suspended accounts in GuardDuty.

GuardDuty Malware Protection for EC2 helps you detect the potential presence of malware by scanning the Amazon Elastic Block Store (Amazon EBS) volumes that are attached to Amazon Elastic Compute Cloud (Amazon EC2) instances and container workloads. Malware Protection provides scan options where you can decide if you want to include or exclude specific EC2 instances and container workloads at the time of scanning. It also provides an option to retain the snapshots of EBS volumes attached to the EC2 instances or container workloads, in your GuardDuty accounts. The snapshots get retained only when malware is found and Malware Protection findings are generated. 

### Remediation


To enable GuardDuty Malware Protection for EC2, see [Configuring GuardDuty-initiated malware scan](https://docs.amazonaws.cn/guardduty/latest/ug/gdu-initiated-malware-scan-configuration.html) in the *Amazon GuardDuty User Guide*.

## [GuardDuty.9] GuardDuty RDS Protection should be enabled


**Related requirements:** PCI DSS v4.0.1/11.5.1

**Category:** Detect > Detection services

**Severity:** High

**Resource type:** `AWS::GuardDuty::Detector`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/guardduty-rds-protection-enabled.html](https://docs.amazonaws.cn/config/latest/developerguide/guardduty-rds-protection-enabled.html)

**Schedule type:** Periodic

**Parameters:** None

This control checks whether GuardDuty RDS Protection is enabled. For a standalone account, the control fails if GuardDuty RDS Protection is disabled in the account. In a multi-account environment, the control fails if the delegated GuardDuty administrator account and all member accounts don't have RDS Protection enabled.

In a multi-account environment, the control generates findings in only the delegated GuardDuty administrator account. Only the delegated administrator can enable or disable the RDS Protection feature for the member accounts in the organization. GuardDuty member accounts can't modify this configuration from their accounts. This control generates `FAILED` findings if the delegated GuardDuty administrator has a suspended member account that doesn't have GuardDuty RDS Protection enabled. To receive a `PASSED` finding, the delegated administrator must disassociate these suspended accounts in GuardDuty.

RDS Protection in GuardDuty analyzes and profiles RDS login activity for potential access threats to your Amazon Aurora databases (Aurora MySQL-Compatible Edition and Aurora PostgreSQL-Compatible Edition). This feature allows you to identify potentially suspicious login behavior. RDS Protection doesn't require additional infrastructure; it is designed so as not to affect the performance of your database instances. When RDS Protection detects a potentially suspicious or anomalous login attempt that indicates a threat to your database, GuardDuty generates a new finding with details about the potentially compromised database. 

### Remediation


To enable GuardDuty RDS Protection, see [GuardDuty RDS Protection](https://docs.amazonaws.cn/guardduty/latest/ug/rds-protection.html) in the *Amazon GuardDuty User Guide*.

## [GuardDuty.10] GuardDuty S3 Protection should be enabled


**Related requirements:** PCI DSS v4.0.1/11.5.1

**Category:** Detect > Detection services

**Severity:** High

**Resource type:** `AWS::GuardDuty::Detector`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/guardduty-s3-protection-enabled.html](https://docs.amazonaws.cn/config/latest/developerguide/guardduty-s3-protection-enabled.html)

**Schedule type:** Periodic

**Parameters:** None

This control checks whether GuardDuty S3 Protection is enabled. For a standalone account, the control fails if GuardDuty S3 Protection is disabled in the account. In a multi-account environment, the control fails if the delegated GuardDuty administrator account and all member accounts don't have S3 Protection enabled.

In a multi-account environment, the control generates findings in only the delegated GuardDuty administrator account. Only the delegated administrator can enable or disable the S3 Protection feature for the member accounts in the organization. GuardDuty member accounts can't modify this configuration from their accounts. This control generates `FAILED` findings if the delegated GuardDuty administrator has a suspended member account that doesn't have GuardDuty S3 Protection enabled. To receive a `PASSED` finding, the delegated administrator must disassociate these suspended accounts in GuardDuty.

S3 Protection enables GuardDuty to monitor object-level API operations to identify potential security risks for data within your Amazon Simple Storage Service (Amazon S3) buckets. GuardDuty monitors threats against your S3 resources by analyzing Amazon CloudTrail management events and CloudTrail S3 data events. 

### Remediation


To enable GuardDuty S3 Protection, see [Amazon S3 Protection in Amazon GuardDuty](https://docs.amazonaws.cn/guardduty/latest/ug/s3-protection.html) in the *Amazon GuardDuty User Guide*.

## [GuardDuty.11] GuardDuty Runtime Monitoring should be enabled


**Category:** Detect > Detection services

**Severity:** High

**Resource type:** `AWS::GuardDuty::Detector`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/guardduty-runtime-monitoring-enabled.html](https://docs.amazonaws.cn/config/latest/developerguide/guardduty-runtime-monitoring-enabled.html)

**Schedule type:** Periodic

**Parameters:** None

This control checks whether Runtime Monitoring is enabled in Amazon GuardDuty. For a standalone account, the control fails if GuardDuty Runtime Monitoring is disabled for the account. In a multi-account environment, the control fails if GuardDuty Runtime Monitoring is disabled for the delegated GuardDuty administrator account and all member accounts.

In a multi-account environment, only the delegated GuardDuty administrator can enable or disable GuardDuty Runtime Monitoring for accounts in their organization. In addition, only the GuardDuty administrator can configure and manage the security agents that GuardDuty uses for runtime monitoring of Amazon workloads and resources for accounts in the organization. GuardDuty member accounts can't enable, configure, or disable Runtime Monitoring for their own accounts.

GuardDuty Runtime Monitoring observes and analyzes operating system-level, networking, and file events to help you detect potential threats in specific Amazon workloads in your environment. It uses GuardDuty security agents that add visibility into runtime behavior, such as file access, process execution, command line arguments, and network connections. You can enable and manage the security agent for each type of resource that you want to monitor for potential threats, such as Amazon EKS clusters and Amazon EC2 instances.

### Remediation


For information about configuring and enabling GuardDuty Runtime Monitoring, see [GuardDuty Runtime Monitoring](https://docs.amazonaws.cn/guardduty/latest/ug/runtime-monitoring.html) and [Enabling GuardDuty Runtime Monitoring](https://docs.amazonaws.cn/guardduty/latest/ug/runtime-monitoring-configuration.html) in the *Amazon GuardDuty User Guide*.

## [GuardDuty.12] GuardDuty ECS Runtime Monitoring should be enabled


**Category:** Detect > Detection services

**Severity:** Medium

**Resource type:** `AWS::GuardDuty::Detector`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/guardduty-ecs-protection-runtime-enabled.html](https://docs.amazonaws.cn/config/latest/developerguide/guardduty-ecs-protection-runtime-enabled.html)

**Schedule type:** Periodic

**Parameters:** None

This control checks whether the Amazon GuardDuty automated security agent is enabled for runtime monitoring of Amazon ECS clusters on Amazon Fargate. For a standalone account, the control fails if the security agent is disabled for the account. In a multi-account environment, the control fails if the security agent is disabled for the delegated GuardDuty administrator account and all member accounts.

In a multi-account environment, this control generates findings only in the delegated GuardDuty administrator account. This is because only the delegated GuardDuty administrator can enable or disable Runtime Monitoring of ECS-Fargate resources for accounts in their organization. GuardDuty member accounts can't do this for their own accounts. In addition, this control generates `FAILED` findings if GuardDuty is suspended for a member account and Runtime Monitoring of ECS-Fargate resources is disabled for the member account. To receive a `PASSED` finding, the GuardDuty administrator must disassociate the suspended member account from their administrator account by using GuardDuty.

GuardDuty Runtime Monitoring observes and analyzes operating system-level, networking, and file events to help you detect potential threats in specific Amazon workloads in your environment. It uses GuardDuty security agents that add visibility into runtime behavior, such as file access, process execution, command line arguments, and network connections. You can enable and manage the security agent for each type of resource that you want to monitor for potential threats. This includes Amazon ECS clusters on Amazon Fargate.

### Remediation


To enable and manage the security agent for GuardDuty Runtime Monitoring of ECS-Fargate resources, you must use GuardDuty directly. You can't enable or manage it manually for ECS-Fargate resources. For information about enabling and managing the security agent, see [Prerequisites for Amazon Fargate (Amazon ECS only) support](https://docs.amazonaws.cn/guardduty/latest/ug/prereq-runtime-monitoring-ecs-support.html) and [Managing the automated security agent for Amazon Fargate (Amazon ECS only)](https://docs.amazonaws.cn/guardduty/latest/ug/managing-gdu-agent-ecs-automated.html) in the *Amazon GuardDuty User Guide*.

## [GuardDuty.13] GuardDuty EC2 Runtime Monitoring should be enabled


**Category:** Detect > Detection services

**Severity:** Medium

**Resource type:** `AWS::GuardDuty::Detector`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/guardduty-ec2-protection-runtime-enabled.html](https://docs.amazonaws.cn/config/latest/developerguide/guardduty-ec2-protection-runtime-enabled.html)

**Schedule type:** Periodic

**Parameters:** None

This control checks whether the Amazon GuardDuty automated security agent is enabled for runtime monitoring of Amazon EC2 instances. For a standalone account, the control fails if the security agent is disabled for the account. In a multi-account environment, the control fails if the security agent is disabled for the delegated GuardDuty administrator account and all member accounts.

In a multi-account environment, this control generates findings only in the delegated GuardDuty administrator account. This is because only the delegated GuardDuty administrator can enable or disable Runtime Monitoring of Amazon EC2 instances for accounts in their organization. GuardDuty member accounts can't do this for their own accounts. In addition, this control generates `FAILED` findings if GuardDuty is suspended for a member account and Runtime Monitoring of EC2 instances is disabled for the member account. To receive a `PASSED` finding, the GuardDuty administrator must disassociate the suspended member account from their administrator account by using GuardDuty.

GuardDuty Runtime Monitoring observes and analyzes operating system-level, networking, and file events to help you detect potential threats in specific Amazon workloads in your environment. It uses GuardDuty security agents that add visibility into runtime behavior, such as file access, process execution, command line arguments, and network connections. You can enable and manage the security agent for each type of resource that you want to monitor for potential threats. This includes Amazon EC2 instances.

### Remediation


For information about configuring and managing the automated security agent for GuardDuty Runtime Monitoring of EC2 instances, see [Prerequisites for Amazon EC2 instance support](https://docs.amazonaws.cn/guardduty/latest/ug/prereq-runtime-monitoring-ec2-support.html) and [Enabling the automated security agent for Amazon EC2 instances](https://docs.amazonaws.cn/guardduty/latest/ug/managing-gdu-agent-ec2-automated.html) in the *Amazon GuardDuty User Guide*.

# Security Hub CSPM controls for Amazon Identity and Access Management
Amazon Identity and Access Management controls

These Amazon Security Hub CSPM controls evaluate the Amazon Identity and Access Management (IAM) service and resources. The controls might not be available in all Amazon Web Services Regions. For more information, see [Availability of controls by Region](securityhub-regions.md#securityhub-regions-control-support).

## [IAM.1] IAM policies should not allow full "*" administrative privileges


**Related requirements:** CIS Amazon Foundations Benchmark v1.2.0/1.22, CIS Amazon Foundations Benchmark v1.4.0/1.16, NIST.800-53.r5 AC-2, NIST.800-53.r5 AC-2(1), NIST.800-53.r5 AC-3, NIST.800-53.r5 AC-3(15), NIST.800-53.r5 AC-3(7), NIST.800-53.r5 AC-5, NIST.800-53.r5 AC-6, NIST.800-53.r5 AC-6(10), NIST.800-53.r5 AC-6(2), NIST.800-53.r5 AC-6(3), NIST.800-171.r2 3.1.4, PCI DSS v3.2.1/7.2.1

**Category:** Protect > Secure access management

**Severity:** High

**Resource type:** `AWS::IAM::Policy`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/iam-policy-no-statements-with-admin-access.html](https://docs.amazonaws.cn/config/latest/developerguide/iam-policy-no-statements-with-admin-access.html)

**Schedule type:** Change triggered

**Parameters:**
+ `excludePermissionBoundaryPolicy: true` (not customizable)

This control checks whether the default version of IAM policies (also known as customer managed policies) has administrator access by including a statement with `"Effect": "Allow"` with `"Action": "*"` over `"Resource": "*"`. The control fails if you have IAM policies with such a statement.

The control only checks the customer managed policies that you create. It does not check inline and Amazon managed policies.

IAM policies define a set of privileges that are granted to users, groups, or roles. Following standard security advice, Amazon recommends that you grant least privilege, which means to grant only the permissions that are required to perform a task. When you provide full administrative privileges instead of the minimum set of permissions that the user needs, you expose the resources to potentially unwanted actions.

Instead of allowing full administrative privileges, determine what users need to do and then craft policies that let the users perform only those tasks. It is more secure to start with a minimum set of permissions and grant additional permissions as necessary. Do not start with permissions that are too lenient and then try to tighten them later.

You should remove IAM policies that have a statement with `"Effect": "Allow"` with `"Action": "*"` over `"Resource": "*"`.

**Note**  
Amazon Config should be enabled in all Regions in which you use Security Hub CSPM. However, global resource recording can be enabled in a single Region. If you only record global resources in a single Region, then you can disable this control in all Regions except the Region where you record global resources.

### Remediation


To modify your IAM policies so that they do not allow full "*" administrative privileges, see [Editing IAM policies](https://docs.amazonaws.cn/IAM/latest/UserGuide/access_policies_manage-edit.html) in the *IAM User Guide*.
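The following Python example is added here to show the pattern the IAM.1 control describes; it is not the Amazon Config rule's own code. It treats a statement as a full-administrative grant when it has `"Effect": "Allow"`, an `Action` that contains `"*"`, and a `Resource` that contains `"*"`. Handling the list form of `Action` and `Resource`, and skipping Amazon managed policies by their `arn:aws:iam::aws:policy/` prefix, are generalizations of this example; the sample policies and account ID are constructed.

```python
"""Flag IAM policy documents that contain a full "*" administrative statement.

Added example: a structural check mirroring what the IAM.1 control describes
(Effect Allow, Action "*", Resource "*"). Not the Config rule's code; the
list-form handling and the managed-policy ARN filter are this example's own.
"""
import json
from typing import Any, Dict, List

# Amazon managed policies use the "aws" pseudo-account in their ARN; IAM.1
# evaluates only customer managed policies, so those are reported separately.
AMAZON_MANAGED_PREFIX = "arn:aws:iam::aws:policy/"


def _as_list(value: Any) -> List[Any]:
    """IAM accepts a single string or a list for Statement, Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_full_admin_statement(stmt: Dict[str, Any]) -> bool:
    """True when the statement allows Action "*" over Resource "*"."""
    if stmt.get("Effect") != "Allow":
        return False  # a Deny with the same wildcards is not an admin grant
    return "*" in _as_list(stmt.get("Action")) and "*" in _as_list(stmt.get("Resource"))


def find_admin_statements(policy_document: str) -> List[int]:
    """Return the indexes of the statements that match the IAM.1 pattern."""
    document = json.loads(policy_document)
    statements = _as_list(document.get("Statement"))
    return [i for i, s in enumerate(statements)
            if isinstance(s, dict) and is_full_admin_statement(s)]


def evaluate_policy(policy_document: str) -> str:
    """Config-style verdict for a single policy document (the default version)."""
    return "NON_COMPLIANT" if find_admin_statements(policy_document) else "COMPLIANT"


def evaluate_policies(policies: List[Dict[str, str]]) -> Dict[str, str]:
    """Evaluate {"Arn": ..., "Document": ...} entries; Amazon managed policies
    are out of scope for the control and come back as NOT_APPLICABLE."""
    verdicts = {}
    for policy in policies:
        if policy["Arn"].startswith(AMAZON_MANAGED_PREFIX):
            verdicts[policy["Arn"]] = "NOT_APPLICABLE"
        else:
            verdicts[policy["Arn"]] = evaluate_policy(policy["Document"])
    return verdicts


# Constructed sample documents (account ID and bucket name are placeholders).
ADMIN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]})
LIST_FORM_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Effect": "Allow", "Action": ["ec2:Describe*", "*"], "Resource": ["*"]}]})
SCOPED_POLICY = json.dumps({"Version": "2012-10-17", "Statement":
    {"Effect": "Allow", "Action": "*", "Resource": "arn:aws:s3:::example-bucket/*"}})
DENY_ALL_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "*", "Resource": "*"}]})

SAMPLE_POLICIES = [
    {"Arn": "arn:aws:iam::111122223333:policy/FullAdmin", "Document": ADMIN_POLICY},
    {"Arn": "arn:aws:iam::111122223333:policy/MixedList", "Document": LIST_FORM_POLICY},
    {"Arn": "arn:aws:iam::111122223333:policy/S3BucketScoped", "Document": SCOPED_POLICY},
    {"Arn": "arn:aws:iam::111122223333:policy/DenyEverything", "Document": DENY_ALL_POLICY},
    {"Arn": "arn:aws:iam::aws:policy/AdministratorAccess", "Document": ADMIN_POLICY},
]

if __name__ == "__main__":
    for arn, verdict in evaluate_policies(SAMPLE_POLICIES).items():
        print(f"{verdict:15} {arn}")
```

The scoped and deny-all documents pass because the control only looks for the exact `Allow` / `"*"` / `"*"` combination; the second statement of the list-form document fails because `"*"` appears among its actions. Inline policies are not represented here at all, matching the control's stated scope.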

## [IAM.2] IAM users should not have IAM policies attached


**Related requirements:** CIS Amazon Foundations Benchmark v5.0.0/1.14, CIS Amazon Foundations Benchmark v3.0.0/1.15, CIS Amazon Foundations Benchmark v1.2.0/1.16, NIST.800-53.r5 AC-2, NIST.800-53.r5 AC-2(1), NIST.800-53.r5 AC-3, NIST.800-53.r5 AC-3(15), NIST.800-53.r5 AC-3(7), NIST.800-53.r5 AC-6, NIST.800-53.r5 AC-6(3), NIST.800-171.r2 3.1.1, NIST.800-171.r2 3.1.2, NIST.800-171.r2 3.1.7, NIST.800-171.r2 3.3.9, NIST.800-171.r2 3.13.3, PCI DSS v3.2.1/7.2.1

**Category:** Protect > Secure access management

**Severity:** Low

**Resource type:** `AWS::IAM::User`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/iam-user-no-policies-check.html](https://docs.amazonaws.cn/config/latest/developerguide/iam-user-no-policies-check.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether your IAM users have policies attached. The control fails if your IAM users have policies attached. Instead, IAM users must inherit permissions from IAM groups or assume a role.

By default, IAM users, groups, and roles have no access to Amazon resources. IAM policies grant privileges to users, groups, or roles. We recommend that you apply IAM policies directly to groups and roles but not to users. Assigning privileges at the group or role level reduces the complexity of access management as the number of users grows. Reducing access management complexity might in turn reduce the opportunity for a principal to inadvertently receive or retain excessive privileges. 

**Note**  
Amazon Config should be enabled in all Regions in which you use Security Hub CSPM. However, global resource recording can be enabled in a single Region. If you only record global resources in a single Region, you can disable this control in all Regions except the Region where you record global resources.

### Remediation


To resolve this issue, [create an IAM group](https://docs.amazonaws.cn/IAM/latest/UserGuide/id_groups_create.html), and attach the policy to the group. Then, [add the users to the group](https://docs.amazonaws.cn/IAM/latest/UserGuide/id_groups_manage_add-remove-users.html). The policy is applied to each user in the group. To remove a policy attached directly to a user, see [Adding and removing IAM identity permissions](https://docs.amazonaws.cn/IAM/latest/UserGuide/access_policies_manage-attach-detach.html) in the *IAM User Guide*.

## [IAM.3] IAM users' access keys should be rotated every 90 days or less


**Related requirements:** CIS Amazon Foundations Benchmark v5.0.0/1.13, CIS Amazon Foundations Benchmark v3.0.0/1.14, CIS Amazon Foundations Benchmark v1.4.0/1.14, CIS Amazon Foundations Benchmark v1.2.0/1.4, NIST.800-53.r5 AC-2(1), NIST.800-53.r5 AC-2(3), NIST.800-53.r5 AC-3(15), PCI DSS v4.0.1/8.3.9, PCI DSS v4.0.1/8.6.3

**Category:** Protect > Secure access management

**Severity:** Medium 

**Resource type:** `AWS::IAM::User`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/access-keys-rotated.html](https://docs.amazonaws.cn/config/latest/developerguide/access-keys-rotated.html)

**Schedule type:** Periodic

**Parameters:**
+ `maxAccessKeyAge`: `90` (not customizable)

This control checks whether the active access keys are rotated within 90 days.

We highly recommend that you do not generate access keys, and that you remove all existing access keys in your account. Instead, the recommended best practice is to either create one or more IAM roles or to use [federation](https://www.amazonaws.cn/identity/federation/) through Amazon IAM Identity Center. You can use these methods to allow your users to access the Amazon Web Services Management Console and Amazon CLI.

Each approach has its use cases. Federation is generally better for enterprises that have an existing central directory or plan to need more than the current limit on IAM users. Applications that run outside of an Amazon environment need access keys for programmatic access to Amazon resources.

However, if the resources that need programmatic access run inside Amazon, the best practice is to use IAM roles. Roles allow you to grant a resource access without hardcoding an access key ID and secret access key into the configuration.

To learn more about protecting your access keys and account, see [Best practices for managing Amazon access keys](https://docs.amazonaws.cn/general/latest/gr/aws-access-keys-best-practices.html) in the *Amazon Web Services General Reference*. Also see the blog post [Guidelines for protecting your Amazon Web Services account while using programmatic access](https://amazonaws-china.com/blogs/security/guidelines-for-protecting-your-aws-account-while-using-programmatic-access/).

If you already have an access key, Security Hub CSPM recommends that you rotate the access keys every 90 days. Rotating access keys reduces the chance that an access key that is associated with a compromised or terminated account is used. It also ensures that data cannot be accessed with an old key that might have been lost, cracked, or stolen. Always update your applications after you rotate access keys. 

Access keys consist of an access key ID and a secret access key. They are used to sign programmatic requests that you make to Amazon. Users need their own access keys to make programmatic calls to Amazon from the Amazon CLI, Tools for Windows PowerShell, the Amazon SDKs, or direct HTTP calls using the API operations for individual Amazon Web Services services.

If your organization uses Amazon IAM Identity Center (IAM Identity Center), your users can sign in to Active Directory, a built-in IAM Identity Center directory, or [another identity provider (IdP) connected to IAM Identity Center](https://docs.amazonaws.cn/singlesignon/latest/userguide/manage-your-identity-source-idp.html). They can then be mapped to an IAM role that enables them to run Amazon CLI commands or call Amazon API operations without the need for access keys. To learn more, see [Configuring the Amazon CLI to use Amazon IAM Identity Center](https://docs.amazonaws.cn/cli/latest/userguide/cli-configure-sso.html) in the *Amazon Command Line Interface User Guide*.

**Note**  
Amazon Config should be enabled in all Regions in which you use Security Hub CSPM. However, global resource recording can be enabled in a single Region. If you only record global resources in a single Region, then you can disable this control in all Regions except the Region where you record global resources.

### Remediation


To rotate access keys that are older than 90 days, see [Rotating access keys](https://docs.amazonaws.cn/IAM/latest/UserGuide/id_credentials_access-keys.html#Using_RotateAccessKey) in the *IAM User Guide*. Follow the instructions for any user with an **Access key age** greater than 90 days.

## [IAM.4] IAM root user access key should not exist


**Related requirements:** CIS Amazon Foundations Benchmark v5.0.0/1.3, CIS Amazon Foundations Benchmark v3.0.0/1.4, CIS Amazon Foundations Benchmark v1.4.0/1.4, CIS Amazon Foundations Benchmark v1.2.0/1.12, PCI DSS v3.2.1/2.1, PCI DSS v3.2.1/2.2, PCI DSS v3.2.1/7.2.1, NIST.800-53.r5 AC-2(1), NIST.800-53.r5 AC-3(15), NIST.800-53.r5 AC-3(7), NIST.800-53.r5 AC-6, NIST.800-53.r5 AC-6(10), NIST.800-53.r5 AC-6(2)

**Category:** Protect > Secure access management

**Severity:** Critical 

**Resource type:** `AWS::::Account`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/iam-root-access-key-check.html](https://docs.amazonaws.cn/config/latest/developerguide/iam-root-access-key-check.html)

**Schedule type:** Periodic

**Parameters:** None

This control checks whether the root user access key is present. 

The root user is the most privileged user in an Amazon Web Services account. Amazon access keys provide programmatic access to a given account.

Security Hub CSPM recommends that you remove all access keys that are associated with the root user. This limits the vectors that can be used to compromise your account. It also encourages the creation and use of role-based accounts that are least privileged.

### Remediation


To delete the root user access key, see [Deleting access keys for the root user](https://docs.amazonaws.cn/IAM/latest/UserGuide/id_root-user.html#id_root-user_manage_delete-key) in the *IAM User Guide*. To delete the root user access keys from an Amazon Web Services account in Amazon GovCloud (US), see [Deleting my Amazon GovCloud (US) account root user access keys](https://docs.amazonaws.cn/govcloud-us/latest/UserGuide/govcloud-account-root-user.html#delete-govcloud-root-access-key) in the *Amazon GovCloud (US) User Guide*.

## [IAM.5] MFA should be enabled for all IAM users that have a console password


**Related requirements:** CIS Amazon Foundations Benchmark v5.0.0/1.9, CIS Amazon Foundations Benchmark v3.0.0/1.10, CIS Amazon Foundations Benchmark v1.4.0/1.10, CIS Amazon Foundations Benchmark v1.2.0/1.2, NIST.800-53.r5 AC-2(1), NIST.800-53.r5 AC-3(15), NIST.800-53.r5 IA-2(1), NIST.800-53.r5 IA-2(2), NIST.800-53.r5 IA-2(6), NIST.800-53.r5 IA-2(8), PCI DSS v4.0.1/8.4.2

**Category:** Protect > Secure access management

**Severity:** Medium

**Resource type:** `AWS::IAM::User`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/mfa-enabled-for-iam-console-access.html](https://docs.amazonaws.cn/config/latest/developerguide/mfa-enabled-for-iam-console-access.html)

**Schedule type:** Periodic

**Parameters:** None

This control checks whether Amazon multi-factor authentication (MFA) is enabled for all IAM users that use a console password.

Multi-factor authentication (MFA) adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an Amazon website, they are prompted for their user name and password. In addition, they are prompted for an authentication code from their Amazon MFA device.

We recommend that you enable MFA for all accounts that have a console password. MFA is designed to provide increased security for console access. The authenticating principal must possess a device that emits a time-sensitive key and must have knowledge of a credential.

**Note**  
Amazon Config should be enabled in all Regions in which you use Security Hub CSPM. However, global resource recording can be enabled in a single Region. If you only record global resources in a single Region, then you can disable this control in all Regions except the Region where you record global resources.

### Remediation


To add MFA for IAM users, see [Using multi-factor authentication (MFA) in Amazon](https://docs.amazonaws.cn/IAM/latest/UserGuide/id_credentials_mfa.html) in the *IAM User Guide*.

## [IAM.6] Hardware MFA should be enabled for the root user


**Related requirements:** CIS Amazon Foundations Benchmark v5.0.0/1.5, CIS Amazon Foundations Benchmark v3.0.0/1.6, CIS Amazon Foundations Benchmark v1.4.0/1.6, CIS Amazon Foundations Benchmark v1.2.0/1.14, PCI DSS v3.2.1/8.3.1, NIST.800-53.r5 AC-2(1), NIST.800-53.r5 AC-3(15), NIST.800-53.r5 IA-2(1), NIST.800-53.r5 IA-2(2), NIST.800-53.r5 IA-2(6), NIST.800-53.r5 IA-2(8), PCI DSS v4.0.1/8.4.2

**Category:** Protect > Secure access management

**Severity:** Critical

**Resource type:** `AWS::::Account`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/root-account-hardware-mfa-enabled.html](https://docs.amazonaws.cn/config/latest/developerguide/root-account-hardware-mfa-enabled.html)

**Schedule type:** Periodic

**Parameters:** None

This control checks whether your Amazon Web Services account is enabled to use a hardware multi-factor authentication (MFA) device to sign in with root user credentials. The control fails if hardware MFA isn't enabled or virtual MFA devices are permitted for signing in with root user credentials.

Virtual MFA might not provide the same level of security as hardware MFA devices. We recommend that you use a virtual MFA device only while you wait for hardware purchase approval or for your hardware to arrive. To learn more, see [Assign a virtual MFA device (console)](https://docs.amazonaws.cn/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html) in the *IAM User Guide*.

**Note**  
Security Hub CSPM evaluates this control based on the presence of root user credentials (login profile) in an Amazon Web Services account. The control generates `PASSED` findings in the following cases:  
+ Root user credentials are present in the account and hardware MFA is enabled for the root user.
+ Root user credentials aren't present in the account.

The control generates a `FAILED` finding if root user credentials are present in the account and hardware MFA is not enabled for the root user.

### Remediation


For information about enabling hardware MFA for the root user, see [Multi-factor authentication for an Amazon Web Services account root user](https://docs.amazonaws.cn/IAM/latest/UserGuide/enable-mfa-for-root.html) in the *IAM User Guide*.

## [IAM.7] Password policies for IAM users should have strong configurations


**Related requirements:** NIST.800-53.r5 AC-2(1), NIST.800-53.r5 AC-2(3), NIST.800-53.r5 AC-3(15), NIST.800-53.r5 IA-5(1), NIST.800-171.r2 3.5.2, NIST.800-171.r2 3.5.7, NIST.800-171.r2 3.5.8, PCI DSS v4.0.1/8.3.6, PCI DSS v4.0.1/8.3.7, PCI DSS v4.0.1/8.3.9, PCI DSS v4.0.1/8.3.10.1, PCI DSS v4.0.1/8.6.3

**Category:** Protect > Secure access management

**Severity:** Medium

**Resource type:** `AWS::::Account`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/iam-password-policy.html](https://docs.amazonaws.cn/config/latest/developerguide/iam-password-policy.html)

**Schedule type:** Periodic

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  `RequireUppercaseCharacters`  |  Require at least one uppercase character in password  |  Boolean  |  `true` or `false`  |  `true`  | 
|  `RequireLowercaseCharacters`  |  Require at least one lowercase character in password  |  Boolean  |  `true` or `false`  |  `true`  | 
|  `RequireSymbols`  |  Require at least one symbol in password  |  Boolean  |  `true` or `false`  |  `true`  | 
|  `RequireNumbers`  |  Require at least one number in password  |  Boolean  |  `true` or `false`  |  `true`  | 
|  `MinimumPasswordLength`  |  Minimum number of characters in the password  |  Integer  |  `8` to `128`  |  `8`  | 
|  `PasswordReusePrevention`  |  Number of password rotations before an old password can be reused  |  Integer  |  `12` to `24`  |  No default value  | 
|  `MaxPasswordAge`  |  Number of days before password expiration  |  Integer  |  `1` to `90`  |  No default value  | 

This control checks whether the account password policy for IAM users uses strong configurations. The control fails if the password policy doesn't use strong configurations. Unless you provide custom parameter values, Security Hub CSPM uses the default values mentioned in the preceding table. The `PasswordReusePrevention` and `MaxPasswordAge` parameters have no default value, so if you exclude these parameters, Security Hub CSPM ignores number of password rotations and password age when evaluating this control.

To access the Amazon Web Services Management Console, IAM users need passwords. As a best practice, Security Hub CSPM highly recommends that instead of creating IAM users, you use federation. Federation allows users to use their existing corporate credentials to log into the Amazon Web Services Management Console. Use Amazon IAM Identity Center (IAM Identity Center) to create or federate the user, and then assume an IAM role into an account.

To learn more about identity providers and federation, see [Identity providers and federation](https://docs.amazonaws.cn/IAM/latest/UserGuide/id_roles_providers.html) in the *IAM User Guide*. To learn more about IAM Identity Center, see the [Amazon IAM Identity Center User Guide](https://docs.amazonaws.cn/singlesignon/latest/userguide/what-is.html).

If you need to use IAM users, Security Hub CSPM recommends that you enforce the creation of strong user passwords. You can set a password policy on your Amazon Web Services account to specify complexity requirements and mandatory rotation periods for passwords. When you create or change a password policy, most of the password policy settings are enforced the next time users change their passwords. Some of the settings are enforced immediately.

### Remediation


To update your password policy, see [Setting an account password policy for IAM users](https://docs.amazonaws.cn/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html) in the *IAM User Guide*.

## [IAM.8] Unused IAM user credentials should be removed


**Related requirements:** CIS Amazon Foundations Benchmark v1.2.0/1.3, NIST.800-53.r5 AC-2, NIST.800-53.r5 AC-2(1), NIST.800-53.r5 AC-2(3), NIST.800-53.r5 AC-3, NIST.800-53.r5 AC-3(15), NIST.800-53.r5 AC-3(7), NIST.800-53.r5 AC-6, NIST.800-171.r2 3.1.2, PCI DSS v3.2.1/8.1.4, PCI DSS v4.0.1/8.2.6

**Category:** Protect > Secure access management 

**Severity:** Medium 

**Resource type:** `AWS::IAM::User`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/iam-user-unused-credentials-check.html](https://docs.amazonaws.cn/config/latest/developerguide/iam-user-unused-credentials-check.html)

**Schedule type:** Periodic

**Parameters:**
+ `maxCredentialUsageAge`: `90` (not customizable)

This control checks whether your IAM users have passwords or active access keys that have not been used for 90 days.

IAM users can access Amazon resources using different types of credentials, such as passwords or access keys. 

Security Hub CSPM recommends that you remove or deactivate all credentials that were unused for 90 days or more. Disabling or removing unnecessary credentials reduces the window of opportunity for credentials associated with a compromised or abandoned account to be used.

**Note**  
Amazon Config should be enabled in all Regions in which you use Security Hub CSPM. However, global resource recording can be enabled in a single Region. If you only record global resources in a single Region, then you can disable this control in all Regions except the Region where you record global resources.

### Remediation


When you view user information in the IAM console, there are columns for **Access key age**, **Password age**, and **Last activity**. If the value in any of these columns is greater than 90 days, make the credentials for those users inactive.

You can also use [credential reports](https://docs.amazonaws.cn/IAM/latest/UserGuide/id_credentials_getting-report.html#getting-credential-reports-console) to monitor users and identify those with no activity for 90 or more days. You can download credential reports in `.csv` format from the IAM console.

After you identify the inactive accounts or unused credentials, deactivate them. For instructions, see [Creating, changing, or deleting an IAM user password (console)](https://docs.amazonaws.cn/IAM/latest/UserGuide/id_credentials_passwords_admin-change-user.html#id_credentials_passwords_admin-change-user_console) in the *IAM User Guide*.

## [IAM.9] MFA should be enabled for the root user


**Related requirements:** CIS Amazon Foundations Benchmark v5.0.0/1.4, PCI DSS v3.2.1/8.3.1, PCI DSS v4.0.1/8.4.2, CIS Amazon Foundations Benchmark v3.0.0/1.5, CIS Amazon Foundations Benchmark v1.4.0/1.5, CIS Amazon Foundations Benchmark v1.2.0/1.13, NIST.800-53.r5 AC-2(1), NIST.800-53.r5 AC-3(15), NIST.800-53.r5 IA-2(1), NIST.800-53.r5 IA-2(2), NIST.800-53.r5 IA-2(6), NIST.800-53.r5 IA-2(8)

**Category:** Protect > Secure access management 

**Severity:** Critical

**Resource type:** `AWS::::Account`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/root-account-mfa-enabled.html](https://docs.amazonaws.cn/config/latest/developerguide/root-account-mfa-enabled.html)

**Schedule type:** Periodic

**Parameters:** None

This control checks whether multi-factor authentication (MFA) is enabled for the IAM root user of an Amazon Web Services account to sign in to the Amazon Web Services Management Console. The control fails if MFA isn't enabled for the root user of the account.

The IAM root user of an Amazon Web Services account has complete access to all the services and resources in the account. If MFA is enabled, the user must enter a username, a password, and an authentication code from their Amazon MFA device in order to sign in to the Amazon Web Services Management Console. MFA adds an extra layer of protection on top of a username and password.

This control generates `PASSED` findings in the following cases:
+ Root user credentials are present in the account and MFA is enabled for the root user.
+ Root user credentials aren’t present in the account.

The control generates `FAILED` findings if root user credentials are present in the account and MFA isn’t enabled for the root user.

### Remediation


For information about enabling MFA for the root user of an Amazon Web Services account, see [Multi-factor authentication for the Amazon Web Services account root user](https://docs.amazonaws.cn/IAM/latest/UserGuide/enable-mfa-for-root.html) in the *Amazon Identity and Access Management User Guide*.
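The IAM credential report mentioned under IAM.8 carries the inputs for several of the controls above. The following Python example, added here and not part of Security Hub CSPM or Amazon Config, reads a report in that format and lists the users that would fail IAM.3 (active key older than 90 days), IAM.4 (root access key present), IAM.5 (console password without MFA), IAM.8 (credential unused for more than 90 days) and IAM.9 (root user without MFA). The column names are those of the real report; the rows, account ID and evaluation time are constructed. How the controls treat a credential that has never been used is not stated on this page, so this example ages such a credential from its last change or rotation, which is an assumption.

```python
"""Evaluate an IAM credential report against the 90-day credential controls.

Added example, not Security Hub CSPM or Amazon Config code. Column names follow
the IAM credential report; the rows are constructed. Aging a never-used
credential from its change/rotation date is this example's assumption.
"""
import csv
import io
from datetime import datetime, timezone
from typing import Dict, List, Optional

MAX_AGE_DAYS = 90  # maxAccessKeyAge (IAM.3) and maxCredentialUsageAge (IAM.8)

# Constructed sample report: a subset of the real report's columns.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::111122223333:root,2021-03-01T09:00:00+00:00,not_supported,2025-05-01T08:00:00+00:00,not_supported,true,false,N/A,N/A,false,N/A,N/A
alice,arn:aws:iam::111122223333:user/alice,2024-01-10T12:00:00+00:00,true,2025-05-28T07:15:00+00:00,2025-04-01T09:00:00+00:00,true,true,2025-05-01T10:00:00+00:00,2025-05-30T11:00:00+00:00,false,N/A,N/A
bob,arn:aws:iam::111122223333:user/bob,2023-06-15T12:00:00+00:00,true,2025-01-05T07:15:00+00:00,2024-12-20T09:00:00+00:00,false,true,2024-11-01T10:00:00+00:00,2025-05-29T11:00:00+00:00,false,N/A,N/A
ci-deployer,arn:aws:iam::111122223333:user/ci-deployer,2024-09-01T12:00:00+00:00,false,no_information,N/A,false,true,2025-05-20T10:00:00+00:00,2025-05-31T11:00:00+00:00,true,2024-02-01T10:00:00+00:00,N/A
"""

# Fixed evaluation time so the sample gives stable results.
NOW = datetime(2025, 6, 1, 12, 0, tzinfo=timezone.utc)

# Values the report uses where no timestamp applies.
NO_TIMESTAMP = {"N/A", "no_information", "not_supported", ""}


def parse_ts(value: str) -> Optional[datetime]:
    """Return an aware datetime, or None when the report carries no timestamp."""
    return None if value in NO_TIMESTAMP else datetime.fromisoformat(value)


def days_since(ts: datetime, now: datetime) -> int:
    return (now - ts).days


def evaluate_report(report_csv: str, now: datetime) -> Dict[str, List[str]]:
    """Map each control to the sorted list of users that would FAIL it."""
    failures = {c: set() for c in ("IAM.3", "IAM.4", "IAM.5", "IAM.8", "IAM.9")}
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        keys = [
            (row[f"access_key_{n}_active"] == "true",
             parse_ts(row[f"access_key_{n}_last_rotated"]),
             parse_ts(row[f"access_key_{n}_last_used_date"]))
            for n in (1, 2)
        ]
        if user == "<root_account>":
            # IAM.4: no root access keys; IAM.9: MFA on the root user.
            if any(active for active, _, _ in keys):
                failures["IAM.4"].add(user)
            if row["mfa_active"] != "true":
                failures["IAM.9"].add(user)
            continue
        password_enabled = row["password_enabled"] == "true"
        if password_enabled and row["mfa_active"] != "true":
            failures["IAM.5"].add(user)  # console password without MFA
        if password_enabled:
            # Assumption: a never-used password is aged from its last change.
            last = parse_ts(row["password_last_used"]) or parse_ts(row["password_last_changed"])
            if last and days_since(last, now) > MAX_AGE_DAYS:
                failures["IAM.8"].add(user)
        for active, rotated, used in keys:
            if not active:
                continue  # inactive keys are out of scope for both controls
            if rotated and days_since(rotated, now) > MAX_AGE_DAYS:
                failures["IAM.3"].add(user)  # active key older than 90 days
            last = used or rotated  # assumption: never-used key aged from rotation
            if last and days_since(last, now) > MAX_AGE_DAYS:
                failures["IAM.8"].add(user)
    return {control: sorted(users) for control, users in failures.items()}


if __name__ == "__main__":
    for control, users in evaluate_report(SAMPLE_REPORT, NOW).items():
        print(f"{control}: {'FAILED for ' + ', '.join(users) if users else 'PASSED'}")
```

With the constructed rows, `bob` fails IAM.3 (key rotated 212 days ago), IAM.5 (password without MFA) and IAM.8 (password last used 147 days ago); `ci-deployer` fails IAM.3 and IAM.8 on its second, long-unrotated and never-used key; the root row passes IAM.4 and IAM.9. A real report is fetched with `aws iam generate-credential-report` followed by `aws iam get-credential-report`, and the decoded CSV can be passed to `evaluate_report` unchanged.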

## [IAM.10] Password policies for IAM users should have strong configurations


**Related requirements:** NIST.800-171.r2 3.5.2, NIST.800-171.r2 3.5.7, NIST.800-171.r2 3.5.8, PCI DSS v3.2.1/8.1.4, PCI DSS v3.2.1/8.2.3, PCI DSS v3.2.1/8.2.4, PCI DSS v3.2.1/8.2.5

**Category:** Protect > Secure access management 

**Severity:** Medium

**Resource type:** `AWS::::Account`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/iam-password-policy.html](https://docs.amazonaws.cn/config/latest/developerguide/iam-password-policy.html)

**Schedule type:** Periodic

**Parameters:** None

This control checks whether the account password policy for IAM users uses the following minimum PCI DSS configurations.
+ `RequireUppercaseCharacters` – Require at least one uppercase character in password. (Default = `true`)
+ `RequireLowercaseCharacters` – Require at least one lowercase character in password. (Default = `true`)
+ `RequireNumbers` – Require at least one number in password. (Default = `true`)
+ `MinimumPasswordLength` – Password minimum length. (Default = 7 or longer)
+ `PasswordReusePrevention` – Number of passwords before allowing reuse. (Default = 4)
+ `MaxPasswordAge` – Number of days before password expiration. (Default = 90)

**Note**  
On May 30, 2025, Security Hub CSPM removed this control from the PCI DSS v4.0.1 standard. PCI DSS v4.0.1 now requires passwords to have a minimum of 8 characters. This control continues to apply to the PCI DSS v3.2.1 standard, which has different password requirements.  
To evaluate account password policies against PCI DSS v4.0.1 requirements, you can use the [IAM.7 control](#iam-7). This control requires passwords to have a minimum of 8 characters. It also supports custom values for password length and other parameters. The IAM.7 control is part of the PCI DSS v4.0.1 standard in Security Hub CSPM.

### Remediation


To update your password policy to use the recommended configuration, see [Setting an account password policy for IAM users](https://docs.amazonaws.cn/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html) in the *IAM User Guide*.

## [IAM.11] Ensure IAM password policy requires at least one uppercase letter


**Related requirements:** CIS Amazon Foundations Benchmark v1.2.0/1.5, NIST.800-171.r2 3.5.7, PCI DSS v4.0.1/8.3.6, PCI DSS v4.0.1/8.6.3

**Category:** Protect > Secure access management 

**Severity:** Medium

**Resource type:** `AWS::::Account`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/iam-password-policy.html](https://docs.amazonaws.cn/config/latest/developerguide/iam-password-policy.html)

**Schedule type:** Periodic

**Parameters:** None

Password policies, in part, enforce password complexity requirements. Use IAM password policies to ensure that passwords use different character sets.

CIS recommends that the password policy require at least one uppercase letter. Setting a password complexity policy increases account resiliency against brute force login attempts.

### Remediation


To change your password policy, see [Setting an account password policy for IAM users](https://docs.amazonaws.cn/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html) in the *IAM User Guide*. For **Password strength**, select **Require at least one uppercase letter from the Latin alphabet (A–Z)**.

## [IAM.12] Ensure IAM password policy requires at least one lowercase letter


**Related requirements:** CIS Amazon Foundations Benchmark v1.2.0/1.6, NIST.800-171.r2 3.5.7, PCI DSS v4.0.1/8.3.6, PCI DSS v4.0.1/8.6.3

**Category:** Protect > Secure access management 

**Severity:** Medium

**Resource type:** `AWS::::Account`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/iam-password-policy.html](https://docs.amazonaws.cn/config/latest/developerguide/iam-password-policy.html)

**Schedule type:** Periodic

**Parameters:** None

Password policies, in part, enforce password complexity requirements. Use IAM password policies to ensure that passwords use different character sets. CIS recommends that the password policy require at least one lowercase letter. Setting a password complexity policy increases account resiliency against brute force login attempts.

### Remediation


To change your password policy, see [Setting an account password policy for IAM users](https://docs.amazonaws.cn/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html) in the *IAM User Guide*. For **Password strength**, select **Require at least one lowercase letter from the Latin alphabet (a–z)**.

## [IAM.13] Ensure IAM password policy requires at least one symbol


**Related requirements:** CIS Amazon Foundations Benchmark v1.2.0/1.7, NIST.800-171.r2 3.5.7

**Category:** Protect > Secure access management

**Severity:** Medium

**Resource type:** `AWS::::Account`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/iam-password-policy.html](https://docs.amazonaws.cn/config/latest/developerguide/iam-password-policy.html)

**Schedule type:** Periodic

**Parameters:** None

Password policies, in part, enforce password complexity requirements. Use IAM password policies to ensure that passwords use different character sets.

CIS recommends that the password policy require at least one symbol. Setting a password complexity policy increases account resiliency against brute force login attempts.

### Remediation


To change your password policy, see [Setting an account password policy for IAM users](https://docs.amazonaws.cn/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html) in the *IAM User Guide*. For **Password strength**, select **Require at least one nonalphanumeric character**.

## [IAM.14] Ensure IAM password policy requires at least one number


**Related requirements:** CIS Amazon Foundations Benchmark v1.2.0/1.8, NIST.800-171.r2 3.5.7, PCI DSS v4.0.1/8.3.6, PCI DSS v4.0.1/8.6.3

**Category:** Protect > Secure access management

**Severity:** Medium

**Resource type:** `AWS::::Account`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/iam-password-policy.html](https://docs.amazonaws.cn/config/latest/developerguide/iam-password-policy.html)

**Schedule type:** Periodic

**Parameters:** None

Password policies, in part, enforce password complexity requirements. Use IAM password policies to ensure that passwords use different character sets.

CIS recommends that the password policy require at least one number. Setting a password complexity policy increases account resiliency against brute force login attempts.

### Remediation


To change your password policy, see [Setting an account password policy for IAM users](https://docs.amazonaws.cn/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html) in the *IAM User Guide*. For **Password strength**, select **Require at least one number**.

## [IAM.15] Ensure IAM password policy requires minimum password length of 14 or greater


**Related requirements:** CIS Amazon Foundations Benchmark v5.0.0/1.7, CIS Amazon Foundations Benchmark v3.0.0/1.8, CIS Amazon Foundations Benchmark v1.4.0/1.8, CIS Amazon Foundations Benchmark v1.2.0/1.9, NIST.800-171.r2 3.5.7

**Category:** Protect > Secure access management

**Severity:** Medium

**Resource type:** `AWS::::Account`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/iam-password-policy.html](https://docs.amazonaws.cn/config/latest/developerguide/iam-password-policy.html)

**Schedule type:** Periodic

**Parameters:** None

Password policies, in part, enforce password complexity requirements. Use IAM password policies to ensure that passwords are at least a given length.

CIS recommends that the password policy require a minimum password length of 14 characters. Setting a password complexity policy increases account resiliency against brute force login attempts.

### Remediation


To change your password policy, see [Setting an account password policy for IAM users](https://docs.amazonaws.cn/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html) in the *IAM User Guide*. For **Password minimum length**, enter **14** or a larger number.

## [IAM.16] Ensure IAM password policy prevents password reuse


**Related requirements:** CIS Amazon Foundations Benchmark v5.0.0/1.8, CIS Amazon Foundations Benchmark v3.0.0/1.9, CIS Amazon Foundations Benchmark v1.4.0/1.9, CIS Amazon Foundations Benchmark v1.2.0/1.10, NIST.800-171.r2 3.5.8, PCI DSS v4.0.1/8.3.7

**Category:** Protect > Secure access management

**Severity:** Low

**Resource type:** `AWS::::Account`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/iam-password-policy.html](https://docs.amazonaws.cn/config/latest/developerguide/iam-password-policy.html)

**Schedule type:** Periodic

**Parameters:** None

This control checks whether the number of passwords to remember is set to 24. The control fails if the value is not 24.

IAM password policies can prevent the reuse of a given password by the same user.

CIS recommends that the password policy prevent the reuse of passwords. Preventing password reuse increases account resiliency against brute force login attempts.

### Remediation


To change your password policy, see [Setting an account password policy for IAM users](https://docs.amazonaws.cn/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html) in the *IAM User Guide*. For **Prevent password reuse**, enter **24**.

## [IAM.17] Ensure IAM password policy expires passwords within 90 days or less


**Related requirements:** CIS Amazon Foundations Benchmark v1.2.0/1.11, PCI DSS v4.0.1/8.3.9, PCI DSS v4.0.1/8.3.10.1

**Category:** Protect > Secure access management

**Severity:** Low

**Resource type:** `AWS::::Account`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/iam-password-policy.html](https://docs.amazonaws.cn/config/latest/developerguide/iam-password-policy.html)

**Schedule type:** Periodic

**Parameters:** None

IAM password policies can require passwords to be rotated or expired after a given number of days.

CIS recommends that the password policy expire passwords after 90 days or less. Reducing the password lifetime increases account resiliency against brute force login attempts. Requiring regular password changes also helps in the following scenarios:
+ Passwords can be stolen or compromised without your knowledge. This can happen via a system compromise, software vulnerability, or internal threat.
+ Certain corporate and government web filters or proxy servers can intercept and record traffic even if it's encrypted.
+ Many people use the same password for many systems such as work, email, and personal.
+ Compromised end-user workstations might have a keystroke logger.

### Remediation


To change your password policy, see [Setting an account password policy for IAM users](https://docs.amazonaws.cn/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html) in the *IAM User Guide*. For **Turn on password expiration**, enter **90** or a smaller number.
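The four password-policy controls above (IAM.14 through IAM.17) each compare one field of the account password policy against a fixed threshold. The following Python is an added example, not Security Hub CSPM or IAM code: it evaluates a dict shaped like the `PasswordPolicy` object returned by the IAM `GetAccountPasswordPolicy` API against those thresholds, and treats a missing policy (the API raises `NoSuchEntity` when no custom policy exists) as failing all four. The sample policies are constructed.

```python
"""Evaluate an IAM account password policy against controls IAM.14-IAM.17.

Added example, not Security Hub CSPM or IAM code. The input mirrors the
``PasswordPolicy`` object returned by IAM GetAccountPasswordPolicy; the
sample policies are constructed for this example.
"""
from __future__ import annotations

from typing import Any

# Thresholds exactly as stated by the controls on this page.
MIN_LENGTH = 14          # IAM.15: minimum password length of 14 or greater
REUSE_PREVENTION = 24    # IAM.16: the control fails if the value is not 24
MAX_PASSWORD_AGE = 90    # IAM.17: passwords expire within 90 days or less

CONTROLS = ("IAM.14", "IAM.15", "IAM.16", "IAM.17")


def _status(ok: bool) -> str:
    return "PASSED" if ok else "FAILED"


def evaluate_password_policy(policy: dict[str, Any] | None) -> dict[str, str]:
    """Return {control_id: "PASSED" | "FAILED"} for IAM.14 through IAM.17.

    ``policy`` is None when the account has no custom password policy
    (GetAccountPasswordPolicy raises NoSuchEntity); every control then fails.
    """
    if policy is None:
        return {c: "FAILED" for c in CONTROLS}

    results: dict[str, str] = {}
    # IAM.14: at least one number is required.
    results["IAM.14"] = _status(policy.get("RequireNumbers", False) is True)
    # IAM.15: minimum length of 14 or more.
    results["IAM.15"] = _status(policy.get("MinimumPasswordLength", 0) >= MIN_LENGTH)
    # IAM.16: the control text requires exactly 24 remembered passwords.
    results["IAM.16"] = _status(policy.get("PasswordReusePrevention") == REUSE_PREVENTION)
    # IAM.17: expiration must be on and the age must be 1..90 days. The API
    # omits MaxPasswordAge when expiration is turned off.
    max_age = policy.get("MaxPasswordAge")
    expires = policy.get("ExpirePasswords", False) is True and max_age is not None
    results["IAM.17"] = _status(expires and 1 <= max_age <= MAX_PASSWORD_AGE)
    return results


# Constructed sample policies (not taken from a real account).
COMPLIANT_POLICY = {
    "MinimumPasswordLength": 14,
    "RequireSymbols": True,
    "RequireNumbers": True,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True,
    "ExpirePasswords": True,
    "MaxPasswordAge": 90,
    "PasswordReusePrevention": 24,
    "HardExpiry": False,
}

WEAK_POLICY = {
    "MinimumPasswordLength": 8,
    "RequireNumbers": False,
    "ExpirePasswords": False,       # MaxPasswordAge is absent when expiration is off
    "PasswordReusePrevention": 5,
}


if __name__ == "__main__":
    for name, pol in (("compliant", COMPLIANT_POLICY), ("weak", WEAK_POLICY), ("none", None)):
        print(name, evaluate_password_policy(pol))
```

Feeding the real API response into `evaluate_password_policy` is a one-line change (`iam.get_account_password_policy()["PasswordPolicy"]` with boto3); the function itself stays offline so the threshold logic can be unit-tested.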

## [IAM.18] Ensure a support role has been created to manage incidents with Amazon Web Services Support


**Related requirements:** CIS Amazon Foundations Benchmark v5.0.0/1.16, CIS Amazon Foundations Benchmark v3.0.0/1.17, CIS Amazon Foundations Benchmark v1.4.0/1.17, CIS Amazon Foundations Benchmark v1.2.0/1.20, NIST.800-171.r2 3.1.2, PCI DSS v4.0.1/12.10.3

**Category:** Protect > Secure access management

**Severity:** Low

**Resource type:** `AWS::::Account`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/iam-policy-in-use.html](https://docs.amazonaws.cn/config/latest/developerguide/iam-policy-in-use.html)

**Schedule type:** Periodic

**Parameters:**
+ `policyARN`: `arn:partition:iam::aws:policy/AWSSupportAccess` (not customizable)
+ `policyUsageType`: `ANY` (not customizable)

Amazon provides a support center that can be used for incident notification and response, as well as technical support and customer services.

Create an IAM role to allow authorized users to manage incidents with Amazon Support. By implementing least privilege for access control, an IAM role will require an appropriate IAM policy to allow support center access in order to manage incidents with Amazon Web Services Support.

**Note**  
Amazon Config should be enabled in all Regions in which you use Security Hub CSPM. However, global resource recording can be enabled in a single Region. If you only record global resources in a single Region, then you can disable this control in all Regions except the Region where you record global resources.

### Remediation


To remediate this issue, create a role to allow authorized users to manage Amazon Web Services Support incidents.

**To create the role to use for Amazon Web Services Support access**

1. Open the IAM console at [https://console.amazonaws.cn/iam/](https://console.amazonaws.cn/iam/).

1. In the IAM navigation pane, choose **Roles**, then choose **Create role**.

1. For **Role type**, choose **Another Amazon Web Services account**.

1. For **Account ID**, enter the Amazon Web Services account ID of the Amazon Web Services account to which you want to grant access to your resources.

   If the users or groups that will assume this role are in the same account, then enter the local account number.

   **Note**  
   The administrator of the specified account can grant permission to assume this role to any user in that account. To do this, the administrator attaches a policy to the user or a group that grants permission for the `sts:AssumeRole` action. In that policy, the resource must be the role ARN.

1. Choose **Next: Permissions**.

1. Search for the managed policy `AWSSupportAccess`.

1. Select the check box for the `AWSSupportAccess` managed policy.

1. Choose **Next: Tags**.

1. (Optional) To add metadata to the role, attach tags as key-value pairs.

   For more information about using tags in IAM, see [Tagging IAM users and roles](https://docs.amazonaws.cn/IAM/latest/UserGuide/id_tags.html) in the *IAM User Guide*.

1. Choose **Next: Review**.

1. For **Role name**, enter a name for your role.

   Role names must be unique within your Amazon Web Services account. They are not case sensitive.

1. (Optional) For **Role description**, enter a description for the new role.

1. Review the role, then choose **Create role**.

## [IAM.19] MFA should be enabled for all IAM users


**Related requirements:** NIST.800-53.r5 AC-2(1), NIST.800-53.r5 AC-3(15), NIST.800-53.r5 IA-2(1), NIST.800-53.r5 IA-2(2), NIST.800-53.r5 IA-2(6), NIST.800-53.r5 IA-2(8), NIST.800-171.r2 3.3.8, NIST.800-171.r2 3.5.3, NIST.800-171.r2 3.5.4, NIST.800-171.r2 3.7.5, PCI DSS v3.2.1/8.3.1, PCI DSS v4.0.1/8.4.2

**Category:** Protect > Secure access management

**Severity:** Medium

**Resource type:** `AWS::IAM::User`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/iam-user-mfa-enabled.html](https://docs.amazonaws.cn/config/latest/developerguide/iam-user-mfa-enabled.html)

**Schedule type:** Periodic

**Parameters:** None

This control checks whether the IAM users have multi-factor authentication (MFA) enabled.

**Note**  
Amazon Config should be enabled in all Regions in which you use Security Hub CSPM. However, global resource recording can be enabled in a single Region. If you only record global resources in a single Region, then you can disable this control in all Regions except the Region where you record global resources.

### Remediation


To add MFA for IAM users, see [Enabling MFA devices for users in Amazon](https://docs.amazonaws.cn/IAM/latest/UserGuide/id_credentials_mfa_enable.html) in the *IAM User Guide*.

## [IAM.20] Avoid the use of the root user


**Important**  
Security Hub CSPM retired this control in April 2024. For more information, see [Change log for Security Hub CSPM controls](controls-change-log.md).

**Related requirements:** CIS Amazon Foundations Benchmark v1.2.0/1.1

**Category:** Protect > Secure access management

**Severity:** Low

**Resource type:** `AWS::IAM::User`

**Amazon Config rule:** `use-of-root-account-test` (custom Security Hub CSPM rule)

**Schedule type:** Periodic

**Parameters:** None

This control checks whether an Amazon Web Services account has restrictions on the usage of the root user. The control evaluates the following resources:
+ Amazon Simple Notification Service (Amazon SNS) topics
+ Amazon CloudTrail trails
+ Metric filters associated with the CloudTrail trails
+ Amazon CloudWatch alarms based on the filters

This check results in a `FAILED` finding if one or more of the following statements is true:
+ No CloudTrail trails exist in the account.
+ A CloudTrail trail is enabled, but not configured with at least one multi-Region trail that includes read and write management events.
+ A CloudTrail trail is enabled, but not associated with a CloudWatch Logs log group.
+ The exact metric filter prescribed by the Center for Internet Security (CIS) is not used. The prescribed metric filter is `'{$.userIdentity.type="Root" && $.userIdentity.invokedBy NOT EXISTS && $.eventType !="AwsServiceEvent"}'`.
+ No CloudWatch alarms based on the metric filter exist in the account.
+ CloudWatch alarms configured to send notification to the associated SNS topic don't trigger based on the alarm condition.
+ The SNS topic doesn't comply with the [constraints for sending a message to an SNS topic](https://docs.amazonaws.cn/sns/latest/api/API_Publish.html).
+ The SNS topic doesn't have at least one subscriber.

This check results in a control status of `NO_DATA` if one or more of the following statements is true:
+ A multi-Region trail is based in a different Region. Security Hub CSPM can only generate findings in the Region where the trail is based.
+ A multi-Region trail belongs to a different account. Security Hub CSPM can only generate findings for the account that owns the trail.

This check results in a control status of `WARNING` if one or more of the following statements is true:
+ The current account doesn't own the SNS topic referenced in the CloudWatch alarm.
+ The current account doesn't have access to the SNS topic when invoking the `ListSubscriptionsByTopic` SNS API.

**Note**  
We recommend using organization trails to log events from many accounts in an organization. Organization trails are multi-Region trails by default and can only be managed by the Amazon Organizations management account or the CloudTrail delegated administrator account. Using an organization trail results in a control status of `NO_DATA` for controls evaluated in organization member accounts. In member accounts, Security Hub CSPM only generates findings for member-owned resources. Findings that pertain to organization trails are generated in the resource owner's account. You can see these findings in your Security Hub CSPM delegated administrator account by using cross-Region aggregation.

As a best practice, use your root user credentials only when required to [perform account and service management tasks](https://docs.amazonaws.cn/general/latest/gr/aws_tasks-that-require-root.html). Apply IAM policies directly to groups and roles but not to users. For instructions on setting up an administrator for daily use, see [Creating your first IAM admin user and group](https://docs.amazonaws.cn/IAM/latest/UserGuide/getting-started_create-admin-group.html) in the *IAM User Guide*.

### Remediation


The steps to remediate this issue include setting up an Amazon SNS topic, a CloudTrail trail, a metric filter, and an alarm for the metric filter.

**To create an Amazon SNS topic**

1. Open the Amazon SNS console at [https://console.amazonaws.cn/sns/v3/home](https://console.amazonaws.cn/sns/v3/home).

1. Create an Amazon SNS topic that receives all CIS alarms.

   Create at least one subscriber to the topic. For more information, see [Getting started with Amazon SNS](https://docs.amazonaws.cn/sns/latest/dg/sns-getting-started.html#CreateTopic) in the *Amazon Simple Notification Service Developer Guide*.

Next, set up an active CloudTrail that applies to all Regions. To do so, follow the remediation steps in [[CloudTrail.1] CloudTrail should be enabled and configured with at least one multi-Region trail that includes read and write management events](cloudtrail-controls.md#cloudtrail-1).

Make a note of the name of the CloudWatch Logs log group that you associate with the CloudTrail trail. You create the metric filter for that log group.

Finally, create the metric filter and alarm.

**To create a metric filter and alarm**

1. Open the CloudWatch console at [https://console.amazonaws.cn/cloudwatch/](https://console.amazonaws.cn/cloudwatch/).

1. In the navigation pane, choose **Log groups**.

1. Select the check box for the CloudWatch Logs log group that is associated with the CloudTrail trail that you created.

1. From **Actions**, choose **Create Metric Filter**.

1. Under **Define pattern**, do the following:

   1. Copy the following pattern and then paste it into the **Filter Pattern** field.

      ```
      {$.userIdentity.type="Root" && $.userIdentity.invokedBy NOT EXISTS && $.eventType !="AwsServiceEvent"}
      ```

   1. Choose **Next**.

1. Under **Assign Metric**, do the following:

   1. In **Filter name**, enter a name for your metric filter.

   1. For **Metric Namespace**, enter **LogMetrics**.

      If you use the same namespace for all of your CIS log metric filters, then all CIS Benchmark metrics are grouped together.

   1. For **Metric Name**, enter a name for the metric. Remember the name of the metric. You will need to select the metric when you create the alarm.

   1. For **Metric value**, enter **1**.

   1. Choose **Next**.

1. Under **Review and create**, verify the information that you provided for the new metric filter. Then, choose **Create metric filter**.

1. In the navigation pane, choose **Log groups**, and then choose the filter you created under **Metric filters**.

1. Select the check box for the filter. Choose **Create alarm**.

1. Under **Specify metric and conditions**, do the following:

   1. Under **Conditions**, for **Threshold**, choose **Static**.

   1. For **Define the alarm condition**, choose **Greater/Equal**.

   1. For **Define the threshold value**, enter **1**.

   1. Choose **Next**.

1. Under **Configure actions**, do the following:

   1. Under **Alarm state trigger**, choose **In alarm**.

   1. Under **Select an SNS topic**, choose **Select an existing SNS topic**.

   1. For **Send a notification to**, enter the name of the SNS topic that you created in the previous procedure.

   1. Choose **Next**.

1. Under **Add name and description**, enter a **Name** and **Description** for the alarm, such as **CIS-1.1-RootAccountUsage**. Then choose **Next**.

1. Under **Preview and create**, review the alarm configuration. Then choose **Create alarm**.
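The metric filter and alarm configured above only fire when all three clauses of the prescribed pattern hold for a record. The Python below is an added example, not Security Hub CSPM or CloudWatch code: it re-implements the pattern's three clauses and the alarm condition (static threshold, Greater/Equal, value 1) so the matching logic can be checked offline against constructed CloudTrail-style events. Account ID `111122223333` and the event details are placeholders; treating a present-but-null `invokedBy` as "exists" is this example's assumption.

```python
"""Apply the CIS root-usage metric filter and alarm condition offline.

Added example, not Security Hub CSPM or CloudWatch code. The filter logic
re-implements the pattern prescribed by control IAM.20; the CloudTrail
records below are constructed and the account ID is a placeholder.
"""
from __future__ import annotations

import json
from typing import Any

# Prescribed CloudWatch Logs filter pattern, for reference:
# {$.userIdentity.type="Root" && $.userIdentity.invokedBy NOT EXISTS && $.eventType !="AwsServiceEvent"}


def matches_root_usage_filter(record: dict[str, Any]) -> bool:
    """Return True when a CloudTrail record satisfies all three clauses."""
    identity = record.get("userIdentity") or {}
    if identity.get("type") != "Root":
        return False
    # "NOT EXISTS" is read here as "key absent from the record". Calls made on
    # the root user's behalf by a service carry invokedBy and are excluded.
    # Assumption: a present-but-null invokedBy counts as existing.
    if "invokedBy" in identity:
        return False
    return record.get("eventType") != "AwsServiceEvent"


def metric_value(log_lines: list[str]) -> int:
    """Sum the metric over a batch of log lines (metric value 1 per match)."""
    total = 0
    for line in log_lines:
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # a malformed line cannot match the JSON pattern
        if matches_root_usage_filter(record):
            total += 1
    return total


def alarm_state(log_lines: list[str], threshold: int = 1) -> str:
    """Static threshold, Greater/Equal, as configured in the remediation steps."""
    return "ALARM" if metric_value(log_lines) >= threshold else "OK"


# Constructed CloudTrail-style events, one JSON document per line.
SAMPLE_LOG_LINES = [
    # Root console sign-in with no invokedBy: matches.
    json.dumps({"eventVersion": "1.08",
                "userIdentity": {"type": "Root", "accountId": "111122223333"},
                "eventType": "AwsConsoleSignIn", "eventName": "ConsoleLogin"}),
    # Root identity acting through a service (invokedBy present): excluded.
    json.dumps({"userIdentity": {"type": "Root", "accountId": "111122223333",
                                 "invokedBy": "cloudformation.amazonaws.com"},
                "eventType": "AwsApiCall", "eventName": "CreateStack"}),
    # Service event attributed to root: excluded by the eventType clause.
    json.dumps({"userIdentity": {"type": "Root", "accountId": "111122223333"},
                "eventType": "AwsServiceEvent", "eventName": "RotateSecret"}),
    # Ordinary IAM user: excluded by the type clause.
    json.dumps({"userIdentity": {"type": "IAMUser", "userName": "alice"},
                "eventType": "AwsApiCall", "eventName": "ListBuckets"}),
    # Root API call with no invokedBy: matches.
    json.dumps({"userIdentity": {"type": "Root", "accountId": "111122223333"},
                "eventType": "AwsApiCall", "eventName": "DescribeInstances"}),
    "not json at all",
]

if __name__ == "__main__":
    print("metric value:", metric_value(SAMPLE_LOG_LINES))
    print("alarm state:", alarm_state(SAMPLE_LOG_LINES))
```

Running the sample batch yields a metric value of 2 and the alarm in `ALARM`; the two excluded root records show why the `invokedBy` and `eventType` clauses matter: without them, routine service-initiated activity would page the on-call team for every CloudFormation or service-side event.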

## [IAM.21] IAM customer managed policies that you create should not allow wildcard actions for services


**Related requirements:** NIST.800-53.r5 AC-2, NIST.800-53.r5 AC-2(1), NIST.800-53.r5 AC-3, NIST.800-53.r5 AC-3(15), NIST.800-53.r5 AC-3(7), NIST.800-53.r5 AC-5, NIST.800-53.r5 AC-6, NIST.800-53.r5 AC-6(10), NIST.800-53.r5 AC-6(2), NIST.800-53.r5 AC-6(3), NIST.800-171.r2 3.1.1, NIST.800-171.r2 3.1.2, NIST.800-171.r2 3.1.5, NIST.800-171.r2 3.1.7, NIST.800-171.r2 3.3.8, NIST.800-171.r2 3.3.9, NIST.800-171.r2 3.13.3, NIST.800-171.r2 3.13.4

**Category:** Detect > Secure access management

**Severity:** Low

**Resource type:** `AWS::IAM::Policy`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/iam-policy-no-statements-with-full-access.html](https://docs.amazonaws.cn/config/latest/developerguide/iam-policy-no-statements-with-full-access.html)

**Schedule type:** Change triggered

**Parameters:**
+ `excludePermissionBoundaryPolicy`: `True` (not customizable)

This control checks whether the IAM identity-based policies that you create have Allow statements that use the `*` wildcard to grant permissions for all actions on any service. The control fails if any policy statement includes `"Effect": "Allow"` with `"Action": "Service:*"`.

For example, the following statement in a policy results in a failed finding.

```json
"Statement": [
  {
    "Sid": "EC2-Wildcard",
    "Effect": "Allow",
    "Action": "ec2:*",
    "Resource": "*"
  }
]
```

The control also fails if you use `"Effect": "Allow"` with `"NotAction": "service:*"`. In that case, the `NotAction` element provides access to all of the actions in an Amazon Web Services service, except for the actions specified in `NotAction`.

This control only applies to customer managed IAM policies. It does not apply to IAM policies that are managed by Amazon.

When you assign permissions to Amazon Web Services services, it is important to scope the allowed IAM actions in your IAM policies. You should restrict IAM actions to only those actions that are needed. This helps you to provision least privilege permissions. Overly permissive policies might lead to privilege escalation if the policies are attached to an IAM principal that might not require the permission.

In some cases, you might want to allow IAM actions that have a similar prefix, such as `DescribeFlowLogs` and `DescribeAvailabilityZones`. In these authorized cases, you can add a suffixed wildcard to the common prefix. For example, `ec2:Describe*`.

This control passes if you use a prefixed IAM action with a suffixed wildcard. For example, the following statement in a policy results in a passed finding.

```json
"Statement": [
  {
    "Sid": "EC2-Wildcard",
    "Effect": "Allow",
    "Action": "ec2:Describe*",
    "Resource": "*"
  }
]
```

When you group related IAM actions in this way, you can also avoid exceeding the IAM policy size limits.
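The pass and fail cases above come down to one test per action string: a service-wide wildcard (`ec2:*`) fails, a suffixed wildcard on a prefix (`ec2:Describe*`) passes, and `NotAction` is treated like `Action`. The Python below is an added example, not the Amazon Config rule's code: it applies that rule to a policy document, reusing the two statements shown on this page plus constructed `NotAction`, `Deny`, and list-valued cases. Treating a bare `"*"` as a failure is this example's own choice and is marked as an assumption.

```python
"""Flag IAM policy statements that grant all actions for a service (IAM.21).

Added example, not the Amazon Config rule's code. An Allow statement whose
Action or NotAction names "<service>:*" fails; "<service>:Prefix*" passes.
Assumption: a bare "*" is treated as a service wildcard as well.
The policy document below is constructed around the page's two statements.
"""
from __future__ import annotations

from typing import Any


def is_service_wildcard(action: str) -> bool:
    """True for "svc:*" (and, by assumption, "*"); False otherwise."""
    action = action.strip()
    if action == "*":
        return True  # assumption: full-admin wildcard counts as a service wildcard
    _service, sep, verb = action.partition(":")
    # IAM action names are case-insensitive, so "EC2:*" is handled the same way.
    return sep == ":" and verb == "*"


def _as_list(value: Any) -> list[Any]:
    """IAM allows Statement, Action and NotAction to be a scalar or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def failing_statements(policy_document: dict[str, Any]) -> list[str]:
    """Return the Sid (or positional label) of each statement violating IAM.21."""
    failures: list[str] = []
    for index, stmt in enumerate(_as_list(policy_document.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never grant access
        # Allow + NotAction "svc:*" still grants every action outside that
        # service, which is why the control also fails on NotAction.
        actions = _as_list(stmt.get("Action")) + _as_list(stmt.get("NotAction"))
        if any(is_service_wildcard(str(a)) for a in actions):
            failures.append(stmt.get("Sid", f"Statement[{index}]"))
    return failures


# Constructed policy document; the first two statements are the page's examples.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "EC2-Wildcard", "Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
        {"Sid": "EC2-Describe", "Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
        {"Sid": "S3-NotAction", "Effect": "Allow", "NotAction": "s3:*", "Resource": "*"},
        {"Sid": "DenyIAM", "Effect": "Deny", "Action": "iam:*", "Resource": "*"},
        {"Sid": "Mixed-List", "Effect": "Allow",
         "Action": ["s3:GetObject", "logs:*"], "Resource": "*"},
    ],
}

if __name__ == "__main__":
    print(failing_statements(SAMPLE_POLICY))
```

Run on the sample document, the checker reports `EC2-Wildcard`, `S3-NotAction` and `Mixed-List`; the `Deny` statement and the `ec2:Describe*` statement pass, matching the control text.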

**Note**  
Amazon Config should be enabled in all Regions in which you use Security Hub CSPM. However, global resource recording can be enabled in a single Region. If you only record global resources in a single Region, then you can disable this control in all Regions except the Region where you record global resources.

### Remediation


To remediate this issue, update your IAM policies so that they do not allow full `"*"` administrative privileges. For details about how to edit an IAM policy, see [Editing IAM policies](https://docs.amazonaws.cn/IAM/latest/UserGuide/access_policies_manage-edit.html) in the *IAM User Guide*.

## [IAM.22] IAM user credentials unused for 45 days should be removed


**Related requirements:** CIS Amazon Foundations Benchmark v5.0.0/1.11, CIS Amazon Foundations Benchmark v3.0.0/1.12, CIS Amazon Foundations Benchmark v1.4.0/1.12, NIST.800-171.r2 3.1.2

**Category:** Protect > Secure access management

**Severity:** Medium

**Resource type:** `AWS::IAM::User`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/iam-user-unused-credentials-check.html](https://docs.amazonaws.cn/config/latest/developerguide/iam-user-unused-credentials-check.html)

**Schedule type:** Periodic

**Parameters:** None

This control checks whether your IAM users have passwords or active access keys that have not been used for 45 days or more. To do so, it checks whether the `maxCredentialUsageAge` parameter of the Amazon Config rule is equal to 45 or more.

Users can access Amazon resources using different types of credentials, such as passwords or access keys.

CIS recommends that you remove or deactivate all credentials that have been unused for 45 days or more. Disabling or removing unnecessary credentials reduces the window of opportunity for credentials associated with a compromised or abandoned account to be used.

The Amazon Config rule for this control uses the [https://docs.amazonaws.cn/IAM/latest/APIReference/API_GetCredentialReport.html](https://docs.amazonaws.cn/IAM/latest/APIReference/API_GetCredentialReport.html) and [https://docs.amazonaws.cn/IAM/latest/APIReference/API_GenerateCredentialReport.html](https://docs.amazonaws.cn/IAM/latest/APIReference/API_GenerateCredentialReport.html) API operations, which are only updated every four hours. Changes to IAM users can take up to four hours to be visible to this control.

**Note**  
Amazon Config should be enabled in all Regions in which you use Security Hub CSPM. However, you can enable recording of global resources in a single Region. If you only record global resources in a single Region, then you can disable this control in all Regions except the Region where you record global resources.

### Remediation


When you view user information in the IAM console, there are columns for **Access key age**, **Password age**, and **Last activity**. If the value in any of these columns is greater than 45 days, make the credentials for those users inactive.

You can also use [credential reports](https://docs.amazonaws.cn/IAM/latest/UserGuide/id_credentials_getting-report.html#getting-credential-reports-console) to monitor users and identify those with no activity for 45 or more days. You can download credential reports in `.csv` format from the IAM console.

After you identify the inactive accounts or unused credentials, deactivate them. For instructions, see [Creating, changing, or deleting an IAM user password (console)](https://docs.amazonaws.cn/IAM/latest/UserGuide/id_credentials_passwords_admin-change-user.html#id_credentials_passwords_admin-change-user_console) in the *IAM User Guide*.
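The credential report referenced above is a CSV with one row per user and separate columns for the console password and each access key. The Python below is an added example, not Security Hub CSPM or Amazon Config code: it parses a constructed report in that format and applies the 45-day threshold from IAM.22 to every enabled password and active access key, skipping the `<root_account>` row because the control evaluates `AWS::IAM::User` resources only. The account ID `111122223333` is a placeholder, and aging a never-used credential from its last rotation or change date is this example's assumption.

```python
"""Find IAM user credentials unused for 45 days or more in a credential report.

Added example, not Security Hub CSPM or Amazon Config code. It parses the CSV
produced by IAM GenerateCredentialReport / GetCredentialReport and applies the
45-day threshold of IAM.22. The report is constructed; the account ID is a
placeholder. Assumption: a credential that has never been used is aged from
its last rotation (access key) or last change (password) date.
"""
from __future__ import annotations

import csv
import io
from datetime import datetime, timedelta, timezone
from typing import Any

MAX_CREDENTIAL_USAGE_AGE = 45  # days, as in the Amazon Config rule parameter

# Markers the report uses where no timestamp applies.
_NO_DATE = {"N/A", "no_information", "not_supported", ""}


def _parse_date(value: str) -> datetime | None:
    return None if value in _NO_DATE else datetime.fromisoformat(value)


def find_stale_credentials(report_csv: str, as_of: datetime,
                           max_age_days: int = MAX_CREDENTIAL_USAGE_AGE) -> list[dict[str, Any]]:
    """Return one finding per enabled password / active key unused for max_age_days or more."""
    findings: list[dict[str, Any]] = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["user"] == "<root_account>":
            continue  # IAM.22 evaluates AWS::IAM::User resources only
        candidates = []
        if row["password_enabled"] == "true":
            candidates.append(("password", row["password_last_used"], row["password_last_changed"]))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] == "true":
                candidates.append((f"access_key_{n}",
                                   row[f"access_key_{n}_last_used_date"],
                                   row[f"access_key_{n}_last_rotated"]))
        for kind, last_used, last_rotated in candidates:
            used = _parse_date(last_used)
            reference = used or _parse_date(last_rotated)  # assumption for never-used credentials
            if reference is None:
                continue
            age = (as_of - reference).days
            if age >= max_age_days:
                findings.append({"user": row["user"], "credential": kind,
                                 "age_days": age, "never_used": used is None})
    return findings


# Constructed credential report. Columns follow the IAM credential report format.
CREDENTIAL_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws-cn:iam::111122223333:root,2023-01-05T09:00:00+00:00,not_supported,2024-05-01T08:00:00+00:00,not_supported,not_supported,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws-cn:iam::111122223333:user/alice,2023-02-10T10:00:00+00:00,true,2024-05-20T12:00:00+00:00,2024-03-01T12:00:00+00:00,2024-05-30T12:00:00+00:00,true,true,2024-03-01T12:00:00+00:00,2024-05-25T12:00:00+00:00,cn-north-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws-cn:iam::111122223333:user/bob,2022-11-01T10:00:00+00:00,true,2024-02-01T12:00:00+00:00,2024-01-20T12:00:00+00:00,2024-04-19T12:00:00+00:00,false,true,2024-01-20T12:00:00+00:00,2024-05-29T12:00:00+00:00,cn-north-1,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
carol,arn:aws-cn:iam::111122223333:user/carol,2024-01-15T10:00:00+00:00,false,no_information,N/A,N/A,false,true,2024-01-15T10:00:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""

# Fixed evaluation time so the example is deterministic.
AS_OF = datetime(2024, 6, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for finding in find_stale_credentials(CREDENTIAL_REPORT, AS_OF):
        print(finding)
```

On the sample report, `bob`'s password (last used in February) and `carol`'s never-used access key are reported; `alice` and `bob`'s recently used access key are not. Because the report itself is regenerated at most every four hours, a user disabled minutes ago can still appear in a fresh run, which is the same lag the control text describes.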

## [IAM.23] IAM Access Analyzer analyzers should be tagged


**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `AWS::AccessAnalyzer::Analyzer`

**Amazon Config rule:** `tagged-accessanalyzer-analyzer` (custom Security Hub CSPM rule)

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  requiredTagKeys  | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive.  | StringList (maximum of 6 items)  | 1–6 tag keys that meet [Amazon requirements](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-conventions).  |  No default value  | 

This control checks whether an analyzer managed by Amazon Identity and Access Management Access Analyzer (IAM Access Analyzer) has tags with the specific keys defined in the parameter `requiredTagKeys`. The control fails if the analyzer doesn’t have any tag keys or if it doesn’t have all the keys specified in the parameter `requiredTagKeys`. If the parameter `requiredTagKeys` isn't provided, the control only checks for the existence of a tag key and fails if the analyzer isn't tagged with any key. System tags, which are automatically applied and begin with `aws:`, are ignored.

A tag is a label that you assign to an Amazon resource, and it consists of a key and an optional value. You can create tags to categorize resources by purpose, owner, environment, or other criteria. Tags can help you identify, organize, search for, and filter resources. Tagging also helps you track accountable resource owners for actions and notifications. When you use tagging, you can implement attribute-based access control (ABAC) as an authorization strategy, which defines permissions based on tags. You can attach tags to IAM entities (users or roles) and to Amazon resources. You can create a single ABAC policy or a separate set of policies for your IAM principals. You can design these ABAC policies to allow operations when the principal's tag matches the resource tag. For more information, see [What is ABAC for Amazon?](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*.

**Note**  
Don’t add personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible to many Amazon Web Services services, including Amazon Billing. For more tagging best practices, see [Tagging your Amazon resources](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-best-practices) in the *Amazon Web Services General Reference*.

### Remediation


To add tags to an analyzer, see [https://docs.amazonaws.cn/access-analyzer/latest/APIReference/API_TagResource.html](https://docs.amazonaws.cn/access-analyzer/latest/APIReference/API_TagResource.html) in the *Amazon IAM Access Analyzer API Reference*.

## [IAM.24] IAM roles should be tagged


**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `AWS::IAM::Role`

**Amazon Config rule:** `tagged-iam-role` (custom Security Hub CSPM rule)

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  requiredTagKeys  | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive.  | StringList (maximum of 6 items)  | 1–6 tag keys that meet [Amazon requirements](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-conventions).  |  No default value  | 

This control checks whether an Amazon Identity and Access Management (IAM) role has tags with the specific keys defined in the parameter `requiredTagKeys`. The control fails if the role doesn’t have any tag keys or if it doesn’t have all the keys specified in the parameter `requiredTagKeys`. If the parameter `requiredTagKeys` isn't provided, the control only checks for the existence of a tag key and fails if the role isn't tagged with any key. System tags, which are automatically applied and begin with `aws:`, are ignored.

A tag is a label that you assign to an Amazon resource, and it consists of a key and an optional value. You can create tags to categorize resources by purpose, owner, environment, or other criteria. Tags can help you identify, organize, search for, and filter resources. Tagging also helps you track accountable resource owners for actions and notifications. When you use tagging, you can implement attribute-based access control (ABAC) as an authorization strategy, which defines permissions based on tags. You can attach tags to IAM entities (users or roles) and to Amazon resources. You can create a single ABAC policy or a separate set of policies for your IAM principals. You can design these ABAC policies to allow operations when the principal's tag matches the resource tag. For more information, see [What is ABAC for Amazon?](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*.

**Note**  
Don’t add personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible to many Amazon Web Services services, including Amazon Billing. For more tagging best practices, see [Tagging your Amazon resources](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-best-practices) in the *Amazon Web Services General Reference*.

### Remediation


To add tags to an IAM role, see [Tagging IAM resources](https://docs.amazonaws.cn/IAM/latest/UserGuide/id_tags.html) in the *IAM User Guide*.

## [IAM.25] IAM users should be tagged


**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `AWS::IAM::User`

**Amazon Config rule:** `tagged-iam-user` (custom Security Hub CSPM rule)

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  requiredTagKeys  | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive.  | StringList (maximum of 6 items)  | 1–6 tag keys that meet [Amazon requirements](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-conventions).  |  No default value  | 

This control checks whether an Amazon Identity and Access Management (IAM) user has tags with the specific keys defined in the parameter `requiredTagKeys`. The control fails if the user doesn’t have any tag keys or if it doesn’t have all the keys specified in the parameter `requiredTagKeys`. If the parameter `requiredTagKeys` isn't provided, the control only checks for the existence of a tag key and fails if the user isn't tagged with any key. System tags, which are automatically applied and begin with `aws:`, are ignored.

A tag is a label that you assign to an Amazon resource, and it consists of a key and an optional value. You can create tags to categorize resources by purpose, owner, environment, or other criteria. Tags can help you identify, organize, search for, and filter resources. Tagging also helps you track accountable resource owners for actions and notifications. When you use tagging, you can implement attribute-based access control (ABAC) as an authorization strategy, which defines permissions based on tags. You can attach tags to IAM entities (users or roles) and to Amazon resources. You can create a single ABAC policy or a separate set of policies for your IAM principals. You can design these ABAC policies to allow operations when the principal's tag matches the resource tag. For more information, see [What is ABAC for Amazon?](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*.
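IAM.23, IAM.24 and IAM.25 share one evaluation rule: ignore system tags (`aws:` prefix), require every key in `requiredTagKeys` with a case-sensitive match, and, when no keys are given, require at least one non-system tag. The Python below is an added example, not the custom Security Hub CSPM rule's code, covering all three controls with one function. It accepts tags either as a plain dict or as the `{"Key": ..., "Value": ...}` list returned by the IAM `ListRoleTags` / `ListUserTags` operations; the sample tag sets are constructed.

```python
"""Evaluate a resource's tags against a requiredTagKeys parameter (IAM.23-IAM.25).

Added example, not the custom Security Hub CSPM rule's code. System tags
(prefix "aws:") are ignored, key comparison is case-sensitive, and an empty
requiredTagKeys only requires that some non-system tag exists. Sample tag
sets are constructed.
"""
from __future__ import annotations

from typing import Any, Iterable

SYSTEM_TAG_PREFIX = "aws:"
MAX_REQUIRED_KEYS = 6  # the parameter accepts 1-6 tag keys


def _tag_keys(tags: dict[str, str] | Iterable[dict[str, Any]]) -> set[str]:
    """Accept a {key: value} dict or the IAM list-of-{"Key","Value"} shape."""
    if isinstance(tags, dict):
        return set(tags)
    return {t["Key"] for t in tags}


def evaluate_required_tags(tags: dict[str, str] | Iterable[dict[str, Any]],
                           required_tag_keys: list[str] | None = None) -> tuple[str, list[str]]:
    """Return ("PASSED" | "FAILED", sorted list of missing required keys)."""
    if required_tag_keys is not None and not 1 <= len(required_tag_keys) <= MAX_REQUIRED_KEYS:
        raise ValueError("requiredTagKeys must contain between 1 and 6 keys")

    # System tags are applied automatically and never satisfy the check.
    user_keys = {k for k in _tag_keys(tags) if not k.startswith(SYSTEM_TAG_PREFIX)}

    if not required_tag_keys:
        # No parameter: the control only checks that some non-system tag exists.
        return ("PASSED" if user_keys else "FAILED", [])

    # Exact, case-sensitive comparison: "environment" does not satisfy "Environment".
    missing = sorted(set(required_tag_keys) - user_keys)
    return ("PASSED" if not missing else "FAILED", missing)


# Constructed tag sets, in the shape IAM ListRoleTags / ListUserTags returns.
ONLY_SYSTEM_TAGS = [{"Key": "aws:cloudformation:stack-name", "Value": "security-baseline"}]
OWNER_AND_ENV = [{"Key": "Owner", "Value": "security-team"},
                 {"Key": "Environment", "Value": "prod"},
                 {"Key": "aws:cloudformation:stack-name", "Value": "security-baseline"}]

if __name__ == "__main__":
    print(evaluate_required_tags(ONLY_SYSTEM_TAGS))
    print(evaluate_required_tags(OWNER_AND_ENV, ["Owner", "environment"]))
    print(evaluate_required_tags(OWNER_AND_ENV, ["Owner", "Environment"]))
```

The second call in the usage block fails on a case mismatch alone, which is the most common reason a tagging control reports `FAILED` on resources that look tagged in the console.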

**Note**  
Don’t add personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible to many Amazon Web Services services, including Amazon Billing. For more tagging best practices, see [Tagging your Amazon resources](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-best-practices) in the *Amazon Web Services General Reference*.

### Remediation


To add tags to an IAM user, see [Tagging IAM resources](https://docs.amazonaws.cn/IAM/latest/UserGuide/id_tags.html) in the *IAM User Guide*.

## [IAM.26] Expired SSL/TLS certificates managed in IAM should be removed


**Related requirements:** CIS Amazon Foundations Benchmark v5.0.0/1.18, CIS Amazon Foundations Benchmark v3.0.0/1.19

**Category:** Identify > Compliance

**Severity:** Medium

**Resource type:** `AWS::IAM::ServerCertificate`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/iam-server-certificate-expiration-check.html](https://docs.amazonaws.cn/config/latest/developerguide/iam-server-certificate-expiration-check.html)

**Schedule type:** Periodic

**Parameters:** None

This control checks whether an active SSL/TLS server certificate that is managed in IAM has expired. The control fails if the expired SSL/TLS server certificate isn't removed.

To enable HTTPS connections to your website or application in Amazon, you need an SSL/TLS server certificate. You can use IAM or Amazon Certificate Manager (ACM) to store and deploy server certificates. Use IAM as a certificate manager only when you must support HTTPS connections in an Amazon Web Services Region that isn't supported by ACM. IAM securely encrypts your private keys and stores the encrypted version in IAM SSL certificate storage. IAM supports deploying server certificates in all Regions, but you must obtain your certificate from an external provider for use with Amazon. You can't upload an ACM certificate to IAM. Additionally, you can't manage your certificates from the IAM console. Removing expired SSL/TLS certificates eliminates the risk that an invalid certificate is deployed accidentally to a resource, which can damage the credibility of the underlying application or website.

### Remediation


To remove a server certificate from IAM, see [Managing server certificates in IAM](https://docs.amazonaws.cn/IAM/latest/UserGuide/id_credentials_server-certs.html) in the *IAM User Guide*.
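The following script is an added example (not Security Hub CSPM or Amazon Config code) of the check that IAM.26 performs, written against the `ServerCertificateMetadataList` entries that the IAM `ListServerCertificates` API returns. It goes one step beyond the control by also listing certificates that expire within a configurable window, so a rotation can be scheduled before the control starts failing. The certificate names and dates in `SAMPLE_CERTIFICATES` are constructed for illustration.

```python
"""Detect expired SSL/TLS server certificates stored in IAM (control IAM.26).

Added example; not Security Hub CSPM or Amazon Config code. Expects the
ServerCertificateMetadataList entries returned by the IAM ListServerCertificates API.
"""
from datetime import datetime, timedelta, timezone


def classify_server_certificates(metadata_list, now=None, warn_within_days=30):
    """Split IAM server certificates into expired and soon-to-expire names.

    metadata_list: list of dicts with ServerCertificateName and Expiration
    (a timezone-aware datetime, as boto3 returns it).
    Returns (expired, expiring_soon); both are lists of certificate names.
    """
    now = now or datetime.now(timezone.utc)
    horizon = now + timedelta(days=warn_within_days)
    expired, expiring_soon = [], []
    for cert in metadata_list:
        exp = cert.get("Expiration")
        if exp is None:            # Expiration is optional in the API response
            continue
        if exp.tzinfo is None:     # treat naive timestamps as UTC
            exp = exp.replace(tzinfo=timezone.utc)
        name = cert["ServerCertificateName"]
        if exp <= now:
            expired.append(name)
        elif exp <= horizon:
            expiring_soon.append(name)
    return expired, expiring_soon


def evaluate_iam26(metadata_list, now=None):
    """Mirror the control verdict: FAILED if any stored certificate has expired."""
    expired, _ = classify_server_certificates(metadata_list, now)
    return "FAILED" if expired else "PASSED"


# Constructed sample standing in for a ListServerCertificates response (names and dates made up).
FIXED_NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
SAMPLE_CERTIFICATES = [
    {"ServerCertificateName": "legacy-web-2023",
     "Expiration": datetime(2024, 1, 15, tzinfo=timezone.utc)},
    {"ServerCertificateName": "api-edge",
     "Expiration": datetime(2025, 6, 20, tzinfo=timezone.utc)},
    {"ServerCertificateName": "internal-portal",
     "Expiration": datetime(2026, 3, 1, tzinfo=timezone.utc)},
]


def main():
    """Run against a live account (requires boto3 and iam:ListServerCertificates)."""
    import boto3  # imported here so the module loads without boto3 installed
    iam = boto3.client("iam")
    certs = []
    for page in iam.get_paginator("list_server_certificates").paginate():
        certs.extend(page["ServerCertificateMetadataList"])
    expired, soon = classify_server_certificates(certs)
    print("IAM.26:", evaluate_iam26(certs))
    print("expired:", expired)
    print("expiring within 30 days:", soon)


if __name__ == "__main__":
    main()
```

Run `main()` from the account being assessed; the pure functions can be unit tested with fixed timestamps, as shown by `FIXED_NOW`, so the verdict does not depend on the clock of the machine running the check.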

## [IAM.27] IAM identities should not have the AWSCloudShellFullAccess policy attached


**Related requirements:** CIS Amazon Foundations Benchmark v5.0.0/1.21, CIS Amazon Foundations Benchmark v3.0.0/1.22

**Category:** Protect > Secure access management > Secure IAM policies

**Severity:** Medium

**Resource type:** `AWS::IAM::Role`, `AWS::IAM::User`, `AWS::IAM::Group`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/iam-policy-blacklisted-check.html](https://docs.amazonaws.cn/config/latest/developerguide/iam-policy-blacklisted-check.html)

**Schedule type:** Change triggered

**Parameters:**
+ "policyArns": "arn:aws-cn:iam::aws:policy/AWSCloudShellFullAccess,arn:aws-cn:iam::aws:policy/AWSCloudShellFullAccess, arn:aws-us-gov:iam::aws:policy/AWSCloudShellFullAccess"

This control checks whether an IAM identity (user, role, or group) has the Amazon managed policy `AWSCloudShellFullAccess` attached. The control fails if an IAM identity has the `AWSCloudShellFullAccess` policy attached.

Amazon CloudShell provides a convenient way to run CLI commands against Amazon Web Services services. The Amazon managed policy `AWSCloudShellFullAccess` provides full access to CloudShell, which allows file upload and download capability between a user's local system and the CloudShell environment. Within the CloudShell environment, a user has sudo permissions, and can access the internet. As a result, attaching this managed policy to an IAM identity gives them the ability to install file transfer software and move data from CloudShell to external internet servers. We recommend following the principle of least privilege and attaching narrower permissions to your IAM identities.

### Remediation


To detach the `AWSCloudShellFullAccess` policy from an IAM identity, see [Adding and removing IAM identity permissions](https://docs.amazonaws.cn/IAM/latest/UserGuide/access_policies_manage-attach-detach.html) in the *IAM User Guide*.
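As an added example (not the Amazon Config rule's own code), the following script enumerates every user, group and role that has the `AWSCloudShellFullAccess` managed policy attached, using the IAM `ListEntitiesForPolicy` API, and returns the same PASSED/FAILED verdict as IAM.27. The policy ARN is the `aws-cn` value from the control's `policyArns` parameter; the identity names in `SAMPLE_PAGES` are constructed.

```python
"""Find IAM identities with the AWSCloudShellFullAccess policy attached (control IAM.27).

Added example, not Security Hub CSPM's own rule code. The ARN below is the aws-cn
partition value named in the control parameter; other partitions use their own prefix.
"""

CLOUDSHELL_FULL_ACCESS_ARN = "arn:aws-cn:iam::aws:policy/AWSCloudShellFullAccess"


def identities_with_policy(entity_pages):
    """Flatten ListEntitiesForPolicy response pages into (identity type, name) tuples.

    entity_pages: iterable of dicts shaped like ListEntitiesForPolicy responses
    (PolicyUsers / PolicyGroups / PolicyRoles, each a list of dicts with a *Name key).
    """
    found = []
    for page in entity_pages:
        found += [("user", u["UserName"]) for u in page.get("PolicyUsers", [])]
        found += [("group", g["GroupName"]) for g in page.get("PolicyGroups", [])]
        found += [("role", r["RoleName"]) for r in page.get("PolicyRoles", [])]
    return found


def evaluate_iam27(entity_pages):
    """Control verdict: FAILED if any user, group or role has the policy attached."""
    return "FAILED" if identities_with_policy(entity_pages) else "PASSED"


# Constructed sample response pages; the identity names are made up.
SAMPLE_PAGES = [
    {"PolicyUsers": [{"UserName": "alice"}], "PolicyGroups": [], "PolicyRoles": []},
    {"PolicyUsers": [],
     "PolicyGroups": [{"GroupName": "support-ops"}],
     "PolicyRoles": [{"RoleName": "break-glass-admin"}]},
]


def main():
    """Run against a live account (requires boto3 and iam:ListEntitiesForPolicy)."""
    import boto3  # imported here so the module loads without boto3 installed
    iam = boto3.client("iam")
    pages = iam.get_paginator("list_entities_for_policy").paginate(
        PolicyArn=CLOUDSHELL_FULL_ACCESS_ARN
    )
    found = identities_with_policy(pages)
    print("IAM.27:", "FAILED" if found else "PASSED")
    for kind, name in found:
        print(f"  {kind}: {name}")


if __name__ == "__main__":
    main()
```

Like the control, this looks only at direct attachment of the managed policy; a customer managed or inline policy that grants the same CloudShell permissions is not detected by it, so treat a PASSED verdict as necessary rather than sufficient when reviewing least privilege.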

## [IAM.28] IAM Access Analyzer external access analyzer should be enabled


**Related requirements:** CIS Amazon Foundations Benchmark v5.0.0/1.19, CIS Amazon Foundations Benchmark v3.0.0/1.20

**Category:** Detect > Detection services > Privileged usage monitoring

**Severity:** High

**Resource type:** `AWS::AccessAnalyzer::Analyzer`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/iam-external-access-analyzer-enabled.html](https://docs.amazonaws.cn/config/latest/developerguide/iam-external-access-analyzer-enabled.html)

**Schedule type:** Periodic

**Parameters:** None

This control checks whether an Amazon Web Services account has an IAM Access Analyzer external access analyzer enabled. The control fails if the account doesn't have an external access analyzer enabled in your currently selected Amazon Web Services Region.

IAM Access Analyzer external access analyzers help identify resources, such as Amazon Simple Storage Service (Amazon S3) buckets or IAM roles, that are shared with an external entity. This helps you avoid unintended access to your resources and data. IAM Access Analyzer is Regional and must be enabled in each Region. To identify resources that are shared with external principals, an access analyzer uses logic-based reasoning to analyze resource-based policies in your Amazon environment. When you create an external access analyzer, you can create and enable it for your entire organization or individual accounts.

**Note**  
If an account is part of an organization in Amazon Organizations, this control doesn't factor external access analyzers that specify the organization as the zone of trust and are enabled for the organization in the current Region. If your organization uses this type of configuration, consider disabling this control for individual member accounts in your organization in the Region.

### Remediation


For information about enabling an external access analyzer in a specific Region, see [Getting started with IAM Access Analyzer](https://docs.amazonaws.cn/IAM/latest/UserGuide/access-analyzer-getting-started.html) in the *IAM User Guide*. You must enable an analyzer in each Region in which you want to monitor access to your resources.
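The following added example (not the Amazon Config rule's own code) reproduces the IAM.28 decision over the `analyzers` list returned by the Access Analyzer `ListAnalyzers` API for the current Region. By default it credits only account-scoped external access analyzers, as the control does; the `count_organization` switch shows the effect of the note above, where an organization-scoped analyzer covers the account but the control still reports FAILED. The analyzer names in the sample lists are constructed.

```python
"""Check for an active external access analyzer in the current Region (control IAM.28).

Added example, not Security Hub CSPM's own rule code. Works on the `analyzers` list
returned by the Access Analyzer ListAnalyzers API. Unused-access analyzers
(type ACCOUNT_UNUSED_ACCESS / ORGANIZATION_UNUSED_ACCESS) are not external access
analyzers and never count.
"""


def active_external_analyzers(analyzers, count_organization=False):
    """Return the names of active external access analyzers.

    The control only credits account-scoped analyzers (type ACCOUNT). Pass
    count_organization=True to also credit organization-scoped analyzers, which the
    control itself does not factor in.
    """
    accepted = {"ACCOUNT"}
    if count_organization:
        accepted.add("ORGANIZATION")
    return [
        a["name"]
        for a in analyzers
        if a.get("type") in accepted and a.get("status") == "ACTIVE"
    ]


def evaluate_iam28(analyzers, count_organization=False):
    """Control verdict: PASSED if at least one accepted analyzer is ACTIVE."""
    return "PASSED" if active_external_analyzers(analyzers, count_organization) else "FAILED"


# Constructed samples; analyzer names are made up.
SAMPLE_ANALYZERS_ORG_ONLY = [
    {"name": "org-external", "type": "ORGANIZATION", "status": "ACTIVE"},
    {"name": "unused-access", "type": "ACCOUNT_UNUSED_ACCESS", "status": "ACTIVE"},
]
SAMPLE_ANALYZERS_ACCOUNT = SAMPLE_ANALYZERS_ORG_ONLY + [
    {"name": "account-external", "type": "ACCOUNT", "status": "ACTIVE"},
]
SAMPLE_ANALYZERS_DISABLED = [
    {"name": "account-external", "type": "ACCOUNT", "status": "DISABLED"},
]


def main():
    """Run against the Region of the configured client (requires boto3)."""
    import boto3  # imported here so the module loads without boto3 installed
    client = boto3.client("accessanalyzer")
    analyzers = []
    for page in client.get_paginator("list_analyzers").paginate():
        analyzers.extend(page["analyzers"])
    print("IAM.28 (account analyzers only):", evaluate_iam28(analyzers))
    print("with organization analyzers counted:",
          evaluate_iam28(analyzers, count_organization=True))
    print("active external analyzers:", active_external_analyzers(analyzers, True))


if __name__ == "__main__":
    main()
```

Because Access Analyzer is Regional, run `main()` once per Region you want to monitor (for example by constructing the client with `region_name`); a PASSED result in one Region says nothing about the others.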

# Security Hub CSPM controls for Amazon Inspector
Amazon Inspector controls

These Amazon Security Hub CSPM controls evaluate the Amazon Inspector service and resources.

These controls may not be available in all Amazon Web Services Regions. For more information, see [Availability of controls by Region](securityhub-regions.md#securityhub-regions-control-support).

## [Inspector.1] Amazon Inspector EC2 scanning should be enabled


**Related requirements:** PCI DSS v4.0.1/11.3.1

**Category:** Detect > Detection services

**Severity:** High

**Resource type:** `AWS::::Account`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/inspector-ec2-scan-enabled.html](https://docs.amazonaws.cn/config/latest/developerguide/inspector-ec2-scan-enabled.html)

**Schedule type:** Periodic

**Parameters:** None

This control checks whether Amazon Inspector EC2 scanning is enabled. For a standalone account, the control fails if Amazon Inspector EC2 scanning is disabled in the account. In a multi-account environment, the control fails if the delegated Amazon Inspector administrator account and all member accounts don't have EC2 scanning enabled.

In a multi-account environment, the control generates findings in only the delegated Amazon Inspector administrator account. Only the delegated administrator can enable or disable the EC2 scanning feature for the member accounts in the organization. Amazon Inspector member accounts can't modify this configuration from their accounts. This control generates `FAILED` findings if the delegated administrator has a suspended member account that doesn't have Amazon Inspector EC2 scanning enabled. To receive a `PASSED` finding, the delegated administrator must disassociate these suspended accounts in Amazon Inspector.

Amazon Inspector EC2 scanning extracts metadata from your Amazon Elastic Compute Cloud (Amazon EC2) instance, and then compares this metadata against rules collected from security advisories to produce findings. Amazon Inspector scans instances for package vulnerabilities and network reachability issues. For information about supported operating systems, including which operating system can be scanned without an SSM agent, see [Supported operating systems: Amazon EC2 scanning](https://docs.amazonaws.cn/inspector/latest/user/supported.html#supported-os-ec2).

### Remediation


To enable Amazon Inspector EC2 scanning, see [Activating scans](https://docs.amazonaws.cn/inspector/latest/user/activate-scans.html#activate-scans-proc) in the *Amazon Inspector User Guide*.

## [Inspector.2] Amazon Inspector ECR scanning should be enabled


**Related requirements:** PCI DSS v4.0.1/11.3.1

**Category:** Detect > Detection services

**Severity:** High

**Resource type:** `AWS::::Account`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/inspector-ecr-scan-enabled.html](https://docs.amazonaws.cn/config/latest/developerguide/inspector-ecr-scan-enabled.html)

**Schedule type:** Periodic

**Parameters:** None

This control checks whether Amazon Inspector ECR scanning is enabled. For a standalone account, the control fails if Amazon Inspector ECR scanning is disabled in the account. In a multi-account environment, the control fails if the delegated Amazon Inspector administrator account and all member accounts don't have ECR scanning enabled.

In a multi-account environment, the control generates findings in only the delegated Amazon Inspector administrator account. Only the delegated administrator can enable or disable the ECR scanning feature for the member accounts in the organization. Amazon Inspector member accounts can't modify this configuration from their accounts. This control generates `FAILED` findings if the delegated administrator has a suspended member account that doesn't have Amazon Inspector ECR scanning enabled. To receive a `PASSED` finding, the delegated administrator must disassociate these suspended accounts in Amazon Inspector.

Amazon Inspector scans container images stored in Amazon Elastic Container Registry (Amazon ECR) for software vulnerabilities to generate package vulnerability findings. When you activate Amazon Inspector scans for Amazon ECR, you set Amazon Inspector as your preferred scanning service for your private registry. This replaces basic scanning, which is provided at no charge by Amazon ECR, with enhanced scanning, which is provided and billed through Amazon Inspector. Enhanced scanning gives you the benefit of vulnerability scanning for both operating system and programming language packages at the registry level. You can review findings discovered using enhanced scanning at the image level, for each layer of the image, on the Amazon ECR console. Additionally, you can review and work with these findings in other services not available for basic scanning findings, including Amazon Security Hub CSPM and Amazon EventBridge.

### Remediation


To enable Amazon Inspector ECR scanning, see [Activating scans](https://docs.amazonaws.cn/inspector/latest/user/activate-scans.html#activate-scans-proc) in the *Amazon Inspector User Guide*.

## [Inspector.3] Amazon Inspector Lambda code scanning should be enabled


**Related requirements:** PCI DSS v4.0.1/6.2.4, PCI DSS v4.0.1/6.3.1

**Category:** Detect > Detection services

**Severity:** High

**Resource type:** `AWS::::Account`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/inspector-lambda-code-scan-enabled.html](https://docs.amazonaws.cn/config/latest/developerguide/inspector-lambda-code-scan-enabled.html)

**Schedule type:** Periodic

**Parameters:** None

This control checks whether Amazon Inspector Lambda code scanning is enabled. For a standalone account, the control fails if Amazon Inspector Lambda code scanning is disabled in the account. In a multi-account environment, the control fails if the delegated Amazon Inspector administrator account and all member accounts don't have Lambda code scanning enabled.

In a multi-account environment, the control generates findings in only the delegated Amazon Inspector administrator account. Only the delegated administrator can enable or disable the Lambda code scanning feature for the member accounts in the organization. Amazon Inspector member accounts can't modify this configuration from their accounts. This control generates `FAILED` findings if the delegated administrator has a suspended member account that doesn't have Amazon Inspector Lambda code scanning enabled. To receive a `PASSED` finding, the delegated administrator must disassociate these suspended accounts in Amazon Inspector.

Amazon Inspector Lambda code scanning scans the custom application code within an Amazon Lambda function for code vulnerabilities based on Amazon security best practices. Lambda code scanning can detect injection flaws, data leaks, weak cryptography, or missing encryption in your code. This feature is available in [specific Amazon Web Services Regions only](https://docs.amazonaws.cn/inspector/latest/user/inspector_regions.html#ins-regional-feature-availability). You can activate Lambda code scanning together with Lambda standard scanning (see [[Inspector.4] Amazon Inspector Lambda standard scanning should be enabled](#inspector-4)).

### Remediation


To enable Amazon Inspector Lambda code scanning, see [Activating scans](https://docs.amazonaws.cn/inspector/latest/user/activate-scans.html#activate-scans-proc) in the *Amazon Inspector User Guide*.

## [Inspector.4] Amazon Inspector Lambda standard scanning should be enabled


**Related requirements:** PCI DSS v4.0.1/6.2.4, PCI DSS v4.0.1/6.3.1

**Category:** Detect > Detection services

**Severity:** High

**Resource type:** `AWS::::Account`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/inspector-lambda-standard-scan-enabled.html](https://docs.amazonaws.cn/config/latest/developerguide/inspector-lambda-standard-scan-enabled.html)

**Schedule type:** Periodic

**Parameters:** None

This control checks whether Amazon Inspector Lambda standard scanning is enabled. For a standalone account, the control fails if Amazon Inspector Lambda standard scanning is disabled in the account. In a multi-account environment, the control fails if the delegated Amazon Inspector administrator account and all member accounts don't have Lambda standard scanning enabled.

In a multi-account environment, the control generates findings in only the delegated Amazon Inspector administrator account. Only the delegated administrator can enable or disable the Lambda standard scanning feature for the member accounts in the organization. Amazon Inspector member accounts can't modify this configuration from their accounts. This control generates `FAILED` findings if the delegated administrator has a suspended member account that doesn't have Amazon Inspector Lambda standard scanning enabled. To receive a `PASSED` finding, the delegated administrator must disassociate these suspended accounts in Amazon Inspector.

Amazon Inspector Lambda standard scanning identifies software vulnerabilities in the application package dependencies you add to your Amazon Lambda function code and layers. If Amazon Inspector detects a vulnerability in your Lambda function application package dependencies, Amazon Inspector produces a detailed `Package Vulnerability` type finding. You can activate Lambda code scanning together with Lambda standard scanning (see [[Inspector.3] Amazon Inspector Lambda code scanning should be enabled](#inspector-3)). 

### Remediation


To enable Amazon Inspector Lambda standard scanning, see [Activating scans](https://docs.amazonaws.cn/inspector/latest/user/activate-scans.html#activate-scans-proc) in the *Amazon Inspector User Guide*.
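The four Inspector controls above share one evaluation pattern: from the delegated administrator account, every associated member (suspended ones included) must report the relevant scan type as enabled. The following added example (not Security Hub CSPM or Amazon Inspector code) evaluates all four at once over the `accounts` list returned by the Amazon Inspector `BatchGetAccountStatus` API, and shows why a suspended member keeps the controls failing until it is disassociated. The account IDs in `SAMPLE_STATUSES` are placeholders, and the batch size of 100 IDs per call in `main()` is an assumption about the API's request limit.

```python
"""Evaluate Amazon Inspector scan coverage across an organization (controls Inspector.1-4).

Added example, not Security Hub CSPM's own rule code. Works on the `accounts` list
returned by the Inspector2 BatchGetAccountStatus API, called from the delegated
administrator account.
"""

# Map each control to the resourceState key reported by BatchGetAccountStatus.
SCAN_TYPES = {
    "Inspector.1": "ec2",
    "Inspector.2": "ecr",
    "Inspector.3": "lambdaCode",
    "Inspector.4": "lambda",
}


def accounts_missing_scan(account_statuses, scan_key):
    """Return account IDs where the given scan type is not ENABLED.

    Suspended member accounts still count, matching the control text: the control
    fails until the delegated administrator disassociates them.
    """
    missing = []
    for acct in account_statuses:
        state = acct.get("resourceState", {}).get(scan_key, {})
        if state.get("status") != "ENABLED":
            missing.append(acct["accountId"])
    return missing


def evaluate_inspector_controls(account_statuses):
    """Return {control_id: (verdict, non-compliant account IDs)} for all four controls."""
    results = {}
    for control, key in SCAN_TYPES.items():
        missing = accounts_missing_scan(account_statuses, key)
        results[control] = ("FAILED" if missing else "PASSED", missing)
    return results


def _state(ec2, ecr, lam, lam_code):
    """Build a resourceState dict in the shape BatchGetAccountStatus returns."""
    return {"ec2": {"status": ec2}, "ecr": {"status": ecr},
            "lambda": {"status": lam}, "lambdaCode": {"status": lam_code}}


# Constructed sample; the account IDs are placeholders.
SAMPLE_STATUSES = [
    # delegated administrator: everything on
    {"accountId": "111111111111",
     "resourceState": _state("ENABLED", "ENABLED", "ENABLED", "ENABLED")},
    # member with Lambda code scanning switched off
    {"accountId": "222222222222",
     "resourceState": _state("ENABLED", "ENABLED", "ENABLED", "DISABLED")},
    # suspended member: every scan type reports SUSPENDED
    {"accountId": "333333333333",
     "resourceState": _state("SUSPENDED", "SUSPENDED", "SUSPENDED", "SUSPENDED")},
]


def main():
    """Run from the delegated Amazon Inspector administrator account (requires boto3)."""
    import boto3  # imported here so the module loads without boto3 installed
    inspector = boto3.client("inspector2")
    ids = []
    for page in inspector.get_paginator("list_members").paginate():
        ids.extend(m["accountId"] for m in page["members"])
    # The administrator account itself is evaluated too.
    ids.append(boto3.client("sts").get_caller_identity()["Account"])
    statuses = []
    batch = 100  # assumed per-request limit for accountIds
    for i in range(0, len(ids), batch):
        resp = inspector.batch_get_account_status(accountIds=ids[i:i + batch])
        statuses.extend(resp["accounts"])
    for control, (verdict, missing) in evaluate_inspector_controls(statuses).items():
        print(control, verdict, missing)


if __name__ == "__main__":
    main()
```

The per-control list of non-compliant account IDs is the useful output: an ID that appears for all four controls with a `SUSPENDED` status is a candidate for disassociation rather than for enabling scans, which is the remediation the control text describes for suspended members.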

# Security Hub CSPM controls for Amazon IoT
Amazon IoT controls

These Amazon Security Hub CSPM controls evaluate the Amazon IoT service and resources.

These controls may not be available in all Amazon Web Services Regions. For more information, see [Availability of controls by Region](securityhub-regions.md#securityhub-regions-control-support).

## [IoT.1] Amazon IoT Device Defender security profiles should be tagged


**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `AWS::IoT::SecurityProfile`

**Amazon Config rule:** `tagged-iot-securityprofile` (custom Security Hub CSPM rule)

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  requiredTagKeys  | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive.  | StringList (maximum of 6 items)  | 1–6 tag keys that meet [Amazon requirements](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-conventions).  |  No default value  | 

This control checks whether an Amazon IoT Device Defender security profile has tags with the specific keys defined in the parameter `requiredTagKeys`. The control fails if the security profile doesn’t have any tag keys or if it doesn’t have all the keys specified in the parameter `requiredTagKeys`. If the parameter `requiredTagKeys` isn't provided, the control only checks for the existence of a tag key and fails if the security profile isn't tagged with any key. System tags, which are automatically applied and begin with `aws:`, are ignored.

A tag is a label that you assign to an Amazon resource, and it consists of a key and an optional value. You can create tags to categorize resources by purpose, owner, environment, or other criteria. Tags can help you identify, organize, search for, and filter resources. Tagging also helps you track accountable resource owners for actions and notifications. When you use tagging, you can implement attribute-based access control (ABAC) as an authorization strategy, which defines permissions based on tags. You can attach tags to IAM entities (users or roles) and to Amazon resources. You can create a single ABAC policy or a separate set of policies for your IAM principals. You can design these ABAC policies to allow operations when the principal's tag matches the resource tag. For more information, see [What is ABAC for Amazon?](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*.

**Note**  
Don’t add personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible to many Amazon Web Services services, including Amazon Billing. For more tagging best practices, see [Tagging your Amazon resources](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-best-practices) in the *Amazon Web Services General Reference*.

### Remediation


To add tags to an Amazon IoT Device Defender security profile, see [Tagging your Amazon IoT resources](https://docs.amazonaws.cn/iot/latest/developerguide/tagging-iot.html) in the *Amazon IoT Developer Guide*.

## [IoT.2] Amazon IoT Core mitigation actions should be tagged


**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `AWS::IoT::MitigationAction`

**Amazon Config rule:** `tagged-iot-mitigationaction` (custom Security Hub CSPM rule)

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  requiredTagKeys  | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive.  | StringList (maximum of 6 items)  | 1–6 tag keys that meet [Amazon requirements](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-conventions).  |  No default value  | 

This control checks whether an Amazon IoT Core mitigation action has tags with the specific keys defined in the parameter `requiredTagKeys`. The control fails if the mitigation action doesn’t have any tag keys or if it doesn’t have all the keys specified in the parameter `requiredTagKeys`. If the parameter `requiredTagKeys` isn't provided, the control only checks for the existence of a tag key and fails if the mitigation action isn't tagged with any key. System tags, which are automatically applied and begin with `aws:`, are ignored.

A tag is a label that you assign to an Amazon resource, and it consists of a key and an optional value. You can create tags to categorize resources by purpose, owner, environment, or other criteria. Tags can help you identify, organize, search for, and filter resources. Tagging also helps you track accountable resource owners for actions and notifications. When you use tagging, you can implement attribute-based access control (ABAC) as an authorization strategy, which defines permissions based on tags. You can attach tags to IAM entities (users or roles) and to Amazon resources. You can create a single ABAC policy or a separate set of policies for your IAM principals. You can design these ABAC policies to allow operations when the principal's tag matches the resource tag. For more information, see [What is ABAC for Amazon?](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*.

**Note**  
Don’t add personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible to many Amazon Web Services services, including Amazon Billing. For more tagging best practices, see [Tagging your Amazon resources](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-best-practices) in the *Amazon Web Services General Reference*.

### Remediation


To add tags to an Amazon IoT Core mitigation action, see [Tagging your Amazon IoT resources](https://docs.amazonaws.cn/iot/latest/developerguide/tagging-iot.html) in the *Amazon IoT Developer Guide*.

## [IoT.3] Amazon IoT Core dimensions should be tagged


**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `AWS::IoT::Dimension`

**Amazon Config rule:** `tagged-iot-dimension` (custom Security Hub CSPM rule)

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  requiredTagKeys  | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive.  | StringList (maximum of 6 items)  | 1–6 tag keys that meet [Amazon requirements](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-conventions).  |  No default value  | 

This control checks whether an Amazon IoT Core dimension has tags with the specific keys defined in the parameter `requiredTagKeys`. The control fails if the dimension doesn’t have any tag keys or if it doesn’t have all the keys specified in the parameter `requiredTagKeys`. If the parameter `requiredTagKeys` isn't provided, the control only checks for the existence of a tag key and fails if the dimension isn't tagged with any key. System tags, which are automatically applied and begin with `aws:`, are ignored.

A tag is a label that you assign to an Amazon resource, and it consists of a key and an optional value. You can create tags to categorize resources by purpose, owner, environment, or other criteria. Tags can help you identify, organize, search for, and filter resources. Tagging also helps you track accountable resource owners for actions and notifications. When you use tagging, you can implement attribute-based access control (ABAC) as an authorization strategy, which defines permissions based on tags. You can attach tags to IAM entities (users or roles) and to Amazon resources. You can create a single ABAC policy or a separate set of policies for your IAM principals. You can design these ABAC policies to allow operations when the principal's tag matches the resource tag. For more information, see [What is ABAC for Amazon?](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*.

**Note**  
Don’t add personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible to many Amazon Web Services services, including Amazon Billing. For more tagging best practices, see [Tagging your Amazon resources](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-best-practices) in the *Amazon Web Services General Reference*.

### Remediation


To add tags to an Amazon IoT Core dimension, see [Tagging your Amazon IoT resources](https://docs.amazonaws.cn/iot/latest/developerguide/tagging-iot.html) in the *Amazon IoT Developer Guide*.

## [IoT.4] Amazon IoT Core authorizers should be tagged


**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `AWS::IoT::Authorizer`

**Amazon Config rule:** `tagged-iot-authorizer` (custom Security Hub CSPM rule)

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  requiredTagKeys  | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive.  | StringList (maximum of 6 items)  | 1–6 tag keys that meet [Amazon requirements](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-conventions).  |  No default value  | 

This control checks whether an Amazon IoT Core authorizer has tags with the specific keys defined in the parameter `requiredTagKeys`. The control fails if the authorizer doesn’t have any tag keys or if it doesn’t have all the keys specified in the parameter `requiredTagKeys`. If the parameter `requiredTagKeys` isn't provided, the control only checks for the existence of a tag key and fails if the authorizer isn't tagged with any key. System tags, which are automatically applied and begin with `aws:`, are ignored.

A tag is a label that you assign to an Amazon resource, and it consists of a key and an optional value. You can create tags to categorize resources by purpose, owner, environment, or other criteria. Tags can help you identify, organize, search for, and filter resources. Tagging also helps you track accountable resource owners for actions and notifications. When you use tagging, you can implement attribute-based access control (ABAC) as an authorization strategy, which defines permissions based on tags. You can attach tags to IAM entities (users or roles) and to Amazon resources. You can create a single ABAC policy or a separate set of policies for your IAM principals. You can design these ABAC policies to allow operations when the principal's tag matches the resource tag. For more information, see [What is ABAC for Amazon?](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*.

**Note**  
Don’t add personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible to many Amazon Web Services services, including Amazon Billing. For more tagging best practices, see [Tagging your Amazon resources](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-best-practices) in the *Amazon Web Services General Reference*.

### Remediation


To add tags to an Amazon IoT Core authorizer, see [Tagging your Amazon IoT resources](https://docs.amazonaws.cn/iot/latest/developerguide/tagging-iot.html) in the *Amazon IoT Developer Guide*.

## [IoT.5] Amazon IoT Core role aliases should be tagged


**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `AWS::IoT::RoleAlias`

**Amazon Config rule:** `tagged-iot-rolealias` (custom Security Hub CSPM rule)

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  requiredTagKeys  | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive.  | StringList (maximum of 6 items)  | 1–6 tag keys that meet [Amazon requirements](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-conventions).  |  No default value  | 

This control checks whether an Amazon IoT Core role alias has tags with the specific keys defined in the parameter `requiredTagKeys`. The control fails if the role alias doesn’t have any tag keys or if it doesn’t have all the keys specified in the parameter `requiredTagKeys`. If the parameter `requiredTagKeys` isn't provided, the control only checks for the existence of a tag key and fails if the role alias isn't tagged with any key. System tags, which are automatically applied and begin with `aws:`, are ignored.

A tag is a label that you assign to an Amazon resource, and it consists of a key and an optional value. You can create tags to categorize resources by purpose, owner, environment, or other criteria. Tags can help you identify, organize, search for, and filter resources. Tagging also helps you track accountable resource owners for actions and notifications. When you use tagging, you can implement attribute-based access control (ABAC) as an authorization strategy, which defines permissions based on tags. You can attach tags to IAM entities (users or roles) and to Amazon resources. You can create a single ABAC policy or a separate set of policies for your IAM principals. You can design these ABAC policies to allow operations when the principal's tag matches the resource tag. For more information, see [What is ABAC for Amazon?](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*.

**Note**  
Don’t add personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible to many Amazon Web Services services, including Amazon Billing. For more tagging best practices, see [Tagging your Amazon resources](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-best-practices) in the *Amazon Web Services General Reference*.

### Remediation


To add tags to an Amazon IoT Core role alias, see [Tagging your Amazon IoT resources](https://docs.amazonaws.cn/iot/latest/developerguide/tagging-iot.html) in the *Amazon IoT Developer Guide*.

## [IoT.6] Amazon IoT Core policies should be tagged


**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `AWS::IoT::Policy`

**Amazon Config rule:** `tagged-iot-policy` (custom Security Hub CSPM rule)

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  requiredTagKeys  | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive.  | StringList (maximum of 6 items)  | 1–6 tag keys that meet [Amazon requirements](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-conventions).  |  No default value  | 

This control checks whether an Amazon IoT Core policy has tags with the specific keys defined in the parameter `requiredTagKeys`. The control fails if the policy doesn’t have any tag keys or if it doesn’t have all the keys specified in the parameter `requiredTagKeys`. If the parameter `requiredTagKeys` isn't provided, the control only checks for the existence of a tag key and fails if the policy isn't tagged with any key. System tags, which are automatically applied and begin with `aws:`, are ignored.

A tag is a label that you assign to an Amazon resource, and it consists of a key and an optional value. You can create tags to categorize resources by purpose, owner, environment, or other criteria. Tags can help you identify, organize, search for, and filter resources. Tagging also helps you track accountable resource owners for actions and notifications. When you use tagging, you can implement attribute-based access control (ABAC) as an authorization strategy, which defines permissions based on tags. You can attach tags to IAM entities (users or roles) and to Amazon resources. You can create a single ABAC policy or a separate set of policies for your IAM principals. You can design these ABAC policies to allow operations when the principal's tag matches the resource tag. For more information, see [What is ABAC for Amazon?](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*.

**Note**  
Don’t add personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible to many Amazon Web Services services, including Amazon Billing. For more tagging best practices, see [Tagging your Amazon resources](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-best-practices) in the *Amazon Web Services General Reference*.

### Remediation


To add tags to an Amazon IoT Core policy, see [Tagging your Amazon IoT resources](https://docs.amazonaws.cn/iot/latest/developerguide/tagging-iot.html) in the *Amazon IoT Developer Guide*.

# Security Hub CSPM controls for Amazon IoT Events
Amazon IoT Events controls

These Amazon Security Hub CSPM controls evaluate the Amazon IoT Events service and resources.

These controls may not be available in all Amazon Web Services Regions. For more information, see [Availability of controls by Region](securityhub-regions.md#securityhub-regions-control-support).

## [IoTEvents.1] Amazon IoT Events inputs should be tagged


**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `AWS::IoTEvents::Input`

**Amazon Config rule:** `iotevents-input-tagged`

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  requiredKeyTags  | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive.  | StringList (maximum of 6 items)  | 1–6 tag keys that meet [Amazon requirements](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-conventions).  |  No default value  | 

This control checks whether an Amazon IoT Events input has tags with the specific keys defined in the parameter `requiredKeyTags`. The control fails if the input doesn’t have any tag keys or if it doesn’t have all the keys specified in the parameter `requiredKeyTags`. If the parameter `requiredKeyTags` isn't provided, the control only checks for the existence of a tag key and fails if the input isn't tagged with any key. System tags, which are automatically applied and begin with `aws:`, are ignored.

A tag is a label that you assign to an Amazon resource, and it consists of a key and an optional value. You can create tags to categorize resources by purpose, owner, environment, or other criteria. Tags can help you identify, organize, search for, and filter resources. Tagging also helps you track accountable resource owners for actions and notifications. When you use tagging, you can implement attribute-based access control (ABAC) as an authorization strategy, which defines permissions based on tags. You can attach tags to IAM entities (users or roles) and to Amazon resources. You can create a single ABAC policy or a separate set of policies for your IAM principals. You can design these ABAC policies to allow operations when the principal's tag matches the resource tag. For more information, see [Define permissions based on attributes with ABAC authorization](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*.

**Note**  
Don’t add personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible to many Amazon Web Services services, including Amazon Billing. For more tagging best practices, see [Best practices and strategies](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-best-practices) in the *Tagging Amazon Resources and Tag Editor User Guide*.

### Remediation


To add tags to an Amazon IoT Events input, see [Tagging your Amazon IoT Events resources](https://docs.amazonaws.cn/iotevents/latest/developerguide/tagging-iotevents.html) in the *Amazon IoT Events Developer Guide*.

## [IoTEvents.2] Amazon IoT Events detector models should be tagged


**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `AWS::IoTEvents::DetectorModel`

**Amazon Config rule:** `iotevents-detector-model-tagged`

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  requiredKeyTags  | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive.  | StringList (maximum of 6 items)  | 1–6 tag keys that meet [Amazon requirements](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-conventions).  |  No default value  | 

This control checks whether an Amazon IoT Events detector model has tags with the specific keys defined in the parameter `requiredKeyTags`. The control fails if the detector model doesn’t have any tag keys or if it doesn’t have all the keys specified in the parameter `requiredKeyTags`. If the parameter `requiredKeyTags` isn't provided, the control only checks for the existence of a tag key and fails if the detector model isn't tagged with any key. System tags, which are automatically applied and begin with `aws:`, are ignored.

A tag is a label that you assign to an Amazon resource, and it consists of a key and an optional value. You can create tags to categorize resources by purpose, owner, environment, or other criteria. Tags can help you identify, organize, search for, and filter resources. Tagging also helps you track accountable resource owners for actions and notifications. When you use tagging, you can implement attribute-based access control (ABAC) as an authorization strategy, which defines permissions based on tags. You can attach tags to IAM entities (users or roles) and to Amazon resources. You can create a single ABAC policy or a separate set of policies for your IAM principals. You can design these ABAC policies to allow operations when the principal's tag matches the resource tag. For more information, see [Define permissions based on attributes with ABAC authorization](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*.

**Note**  
Don’t add personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible to many Amazon Web Services services, including Amazon Billing. For more tagging best practices, see [Best practices and strategies](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-best-practices) in the *Tagging Amazon Resources and Tag Editor User Guide*.

### Remediation


To add tags to an Amazon IoT Events detector model, see [Tagging your Amazon IoT Events resources](https://docs.amazonaws.cn/iotevents/latest/developerguide/tagging-iotevents.html) in the *Amazon IoT Events Developer Guide*.

## [IoTEvents.3] Amazon IoT Events alarm models should be tagged


**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `AWS::IoTEvents::AlarmModel`

**Amazon Config rule:** `iotevents-alarm-model-tagged`

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  requiredKeyTags  | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive.  | StringList (maximum of 6 items)  | 1–6 tag keys that meet [Amazon requirements](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-conventions).  |  No default value  | 

This control checks whether an Amazon IoT Events alarm model has tags with the specific keys defined in the parameter `requiredKeyTags`. The control fails if the alarm model doesn’t have any tag keys or if it doesn’t have all the keys specified in the parameter `requiredKeyTags`. If the parameter `requiredKeyTags` isn't provided, the control only checks for the existence of a tag key and fails if the alarm model isn't tagged with any key. System tags, which are automatically applied and begin with `aws:`, are ignored.

A tag is a label that you assign to an Amazon resource, and it consists of a key and an optional value. You can create tags to categorize resources by purpose, owner, environment, or other criteria. Tags can help you identify, organize, search for, and filter resources. Tagging also helps you track accountable resource owners for actions and notifications. When you use tagging, you can implement attribute-based access control (ABAC) as an authorization strategy, which defines permissions based on tags. You can attach tags to IAM entities (users or roles) and to Amazon resources. You can create a single ABAC policy or a separate set of policies for your IAM principals. You can design these ABAC policies to allow operations when the principal's tag matches the resource tag. For more information, see [Define permissions based on attributes with ABAC authorization](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*.

**Note**  
Don’t add personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible to many Amazon Web Services services, including Amazon Billing. For more tagging best practices, see [Best practices and strategies](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-best-practices) in the *Tagging Amazon Resources and Tag Editor User Guide*.

### Remediation


To add tags to an Amazon IoT Events alarm model, see [Tagging your Amazon IoT Events resources](https://docs.amazonaws.cn/iotevents/latest/developerguide/tagging-iotevents.html) in the *Amazon IoT Events Developer Guide*.

# Security Hub CSPM controls for Amazon IoT SiteWise
Amazon IoT SiteWise controls

These Amazon Security Hub CSPM controls evaluate the Amazon IoT SiteWise service and resources.

These controls may not be available in all Amazon Web Services Regions. For more information, see [Availability of controls by Region](securityhub-regions.md#securityhub-regions-control-support).

## [IoTSiteWise.1] Amazon IoT SiteWise asset models should be tagged


**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `AWS::IoTSiteWise::AssetModel`

**Amazon Config rule:** `iotsitewise-asset-model-tagged`

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  requiredKeyTags  | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive.  | StringList (maximum of 6 items)  | 1–6 tag keys that meet [Amazon requirements](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-conventions).  |  No default value  | 

This control checks whether an Amazon IoT SiteWise asset model has tags with the specific keys defined in the parameter `requiredKeyTags`. The control fails if the asset model doesn’t have any tag keys or if it doesn’t have all the keys specified in the parameter `requiredKeyTags`. If the parameter `requiredKeyTags` isn't provided, the control only checks for the existence of a tag key and fails if the asset model isn't tagged with any key. System tags, which are automatically applied and begin with `aws:`, are ignored.

A tag is a label that you assign to an Amazon resource, and it consists of a key and an optional value. You can create tags to categorize resources by purpose, owner, environment, or other criteria. Tags can help you identify, organize, search for, and filter resources. Tagging also helps you track accountable resource owners for actions and notifications. When you use tagging, you can implement attribute-based access control (ABAC) as an authorization strategy, which defines permissions based on tags. You can attach tags to IAM entities (users or roles) and to Amazon resources. You can create a single ABAC policy or a separate set of policies for your IAM principals. You can design these ABAC policies to allow operations when the principal's tag matches the resource tag. For more information, see [Define permissions based on attributes with ABAC authorization](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*.

**Note**  
Don’t add personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible to many Amazon Web Services services, including Amazon Billing. For more tagging best practices, see [Best practices and strategies](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-best-practices) in the *Tagging Amazon Resources and Tag Editor User Guide*.

### Remediation


To add tags to an Amazon IoT SiteWise asset model, see [Tag your Amazon IoT SiteWise resources](https://docs.amazonaws.cn/iot-sitewise/latest/userguide/tag-resources.html) in the *Amazon IoT SiteWise User Guide*.

## [IoTSiteWise.2] Amazon IoT SiteWise dashboards should be tagged


**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `AWS::IoTSiteWise::Dashboard`

**Amazon Config rule:** `iotsitewise-dashboard-tagged`

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  requiredKeyTags  | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive.  | StringList (maximum of 6 items)  | 1–6 tag keys that meet [Amazon requirements](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-conventions).  |  No default value  | 

This control checks whether an Amazon IoT SiteWise dashboard has tags with the specific keys defined in the parameter `requiredKeyTags`. The control fails if the dashboard doesn’t have any tag keys or if it doesn’t have all the keys specified in the parameter `requiredKeyTags`. If the parameter `requiredKeyTags` isn't provided, the control only checks for the existence of a tag key and fails if the dashboard isn't tagged with any key. System tags, which are automatically applied and begin with `aws:`, are ignored.

A tag is a label that you assign to an Amazon resource, and it consists of a key and an optional value. You can create tags to categorize resources by purpose, owner, environment, or other criteria. Tags can help you identify, organize, search for, and filter resources. Tagging also helps you track accountable resource owners for actions and notifications. When you use tagging, you can implement attribute-based access control (ABAC) as an authorization strategy, which defines permissions based on tags. You can attach tags to IAM entities (users or roles) and to Amazon resources. You can create a single ABAC policy or a separate set of policies for your IAM principals. You can design these ABAC policies to allow operations when the principal's tag matches the resource tag. For more information, see [Define permissions based on attributes with ABAC authorization](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*.

**Note**  
Don’t add personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible to many Amazon Web Services services, including Amazon Billing. For more tagging best practices, see [Best practices and strategies](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-best-practices) in the *Tagging Amazon Resources and Tag Editor User Guide*.

### Remediation


To add tags to an Amazon IoT SiteWise dashboard, see [Tag your Amazon IoT SiteWise resources](https://docs.amazonaws.cn/iot-sitewise/latest/userguide/tag-resources.html) in the *Amazon IoT SiteWise User Guide*.

## [IoTSiteWise.3] Amazon IoT SiteWise gateways should be tagged


**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `AWS::IoTSiteWise::Gateway`

**Amazon Config rule:** `iotsitewise-gateway-tagged`

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  requiredKeyTags  | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive.  | StringList (maximum of 6 items)  | 1–6 tag keys that meet [Amazon requirements](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-conventions).  |  No default value  | 

This control checks whether an Amazon IoT SiteWise gateway has tags with the specific keys defined in the parameter `requiredKeyTags`. The control fails if the gateway doesn’t have any tag keys or if it doesn’t have all the keys specified in the parameter `requiredKeyTags`. If the parameter `requiredKeyTags` isn't provided, the control only checks for the existence of a tag key and fails if the gateway isn't tagged with any key. System tags, which are automatically applied and begin with `aws:`, are ignored.

A tag is a label that you assign to an Amazon resource, and it consists of a key and an optional value. You can create tags to categorize resources by purpose, owner, environment, or other criteria. Tags can help you identify, organize, search for, and filter resources. Tagging also helps you track accountable resource owners for actions and notifications. When you use tagging, you can implement attribute-based access control (ABAC) as an authorization strategy, which defines permissions based on tags. You can attach tags to IAM entities (users or roles) and to Amazon resources. You can create a single ABAC policy or a separate set of policies for your IAM principals. You can design these ABAC policies to allow operations when the principal's tag matches the resource tag. For more information, see [Define permissions based on attributes with ABAC authorization](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*.

**Note**  
Don’t add personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible to many Amazon Web Services services, including Amazon Billing. For more tagging best practices, see [Best practices and strategies](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-best-practices) in the *Tagging Amazon Resources and Tag Editor User Guide*.

### Remediation


To add tags to an Amazon IoT SiteWise gateway, see [Tag your Amazon IoT SiteWise resources](https://docs.amazonaws.cn/iot-sitewise/latest/userguide/tag-resources.html) in the *Amazon IoT SiteWise User Guide*.

## [IoTSiteWise.4] Amazon IoT SiteWise portals should be tagged


**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `AWS::IoTSiteWise::Portal`

**Amazon Config rule:** `iotsitewise-portal-tagged`

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  requiredKeyTags  | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive.  | StringList (maximum of 6 items)  | 1–6 tag keys that meet [Amazon requirements](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-conventions).  |  No default value  | 

This control checks whether an Amazon IoT SiteWise portal has tags with the specific keys defined in the parameter `requiredKeyTags`. The control fails if the portal doesn’t have any tag keys or if it doesn’t have all the keys specified in the parameter `requiredKeyTags`. If the parameter `requiredKeyTags` isn't provided, the control only checks for the existence of a tag key and fails if the portal isn't tagged with any key. System tags, which are automatically applied and begin with `aws:`, are ignored.

A tag is a label that you assign to an Amazon resource, and it consists of a key and an optional value. You can create tags to categorize resources by purpose, owner, environment, or other criteria. Tags can help you identify, organize, search for, and filter resources. Tagging also helps you track accountable resource owners for actions and notifications. When you use tagging, you can implement attribute-based access control (ABAC) as an authorization strategy, which defines permissions based on tags. You can attach tags to IAM entities (users or roles) and to Amazon resources. You can create a single ABAC policy or a separate set of policies for your IAM principals. You can design these ABAC policies to allow operations when the principal's tag matches the resource tag. For more information, see [Define permissions based on attributes with ABAC authorization](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*.

**Note**  
Don’t add personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible to many Amazon Web Services services, including Amazon Billing. For more tagging best practices, see [Best practices and strategies](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-best-practices) in the *Tagging Amazon Resources and Tag Editor User Guide*.

### Remediation


To add tags to an Amazon IoT SiteWise portal, see [Tag your Amazon IoT SiteWise resources](https://docs.amazonaws.cn/iot-sitewise/latest/userguide/tag-resources.html) in the *Amazon IoT SiteWise User Guide*.

## [IoTSiteWise.5] Amazon IoT SiteWise projects should be tagged


**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `AWS::IoTSiteWise::Project`

**Amazon Config rule:** `iotsitewise-project-tagged`

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  requiredKeyTags  | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive.  | StringList (maximum of 6 items)  | 1–6 tag keys that meet [Amazon requirements](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-conventions).  |  No default value  | 

This control checks whether an Amazon IoT SiteWise project has tags with the specific keys defined in the parameter `requiredKeyTags`. The control fails if the project doesn’t have any tag keys or if it doesn’t have all the keys specified in the parameter `requiredKeyTags`. If the parameter `requiredKeyTags` isn't provided, the control only checks for the existence of a tag key and fails if the project isn't tagged with any key. System tags, which are automatically applied and begin with `aws:`, are ignored.

A tag is a label that you assign to an Amazon resource, and it consists of a key and an optional value. You can create tags to categorize resources by purpose, owner, environment, or other criteria. Tags can help you identify, organize, search for, and filter resources. Tagging also helps you track accountable resource owners for actions and notifications. When you use tagging, you can implement attribute-based access control (ABAC) as an authorization strategy, which defines permissions based on tags. You can attach tags to IAM entities (users or roles) and to Amazon resources. You can create a single ABAC policy or a separate set of policies for your IAM principals. You can design these ABAC policies to allow operations when the principal's tag matches the resource tag. For more information, see [Define permissions based on attributes with ABAC authorization](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*.

**Note**  
Don’t add personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible to many Amazon Web Services services, including Amazon Billing. For more tagging best practices, see [Best practices and strategies](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-best-practices) in the *Tagging Amazon Resources and Tag Editor User Guide*.

### Remediation


To add tags to an Amazon IoT SiteWise project, see [Tag your Amazon IoT SiteWise resources](https://docs.amazonaws.cn/iot-sitewise/latest/userguide/tag-resources.html) in the *Amazon IoT SiteWise User Guide*.

# Security Hub CSPM controls for Amazon IoT TwinMaker
Amazon IoT TwinMaker controls

These Amazon Security Hub CSPM controls evaluate the Amazon IoT TwinMaker service and resources.

These controls may not be available in all Amazon Web Services Regions. For more information, see [Availability of controls by Region](securityhub-regions.md#securityhub-regions-control-support).

## [IoTTwinMaker.1] Amazon IoT TwinMaker sync jobs should be tagged


**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `AWS::IoTTwinMaker::SyncJob`

**Amazon Config rule:** `iottwinmaker-sync-job-tagged`

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  requiredKeyTags  | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive.  | StringList (maximum of 6 items)  | 1–6 tag keys that meet [Amazon requirements](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-conventions).  |  No default value  | 

This control checks whether an Amazon IoT TwinMaker sync job has tags with the specific keys defined in the parameter `requiredKeyTags`. The control fails if the sync job doesn’t have any tag keys or if it doesn’t have all the keys specified in the parameter `requiredKeyTags`. If the parameter `requiredKeyTags` isn't provided, the control only checks for the existence of a tag key and fails if the sync job isn't tagged with any key. System tags, which are automatically applied and begin with `aws:`, are ignored.

A tag is a label that you assign to an Amazon resource, and it consists of a key and an optional value. You can create tags to categorize resources by purpose, owner, environment, or other criteria. Tags can help you identify, organize, search for, and filter resources. Tagging also helps you track accountable resource owners for actions and notifications. When you use tagging, you can implement attribute-based access control (ABAC) as an authorization strategy, which defines permissions based on tags. You can attach tags to IAM entities (users or roles) and to Amazon resources. You can create a single ABAC policy or a separate set of policies for your IAM principals. You can design these ABAC policies to allow operations when the principal's tag matches the resource tag. For more information, see [Define permissions based on attributes with ABAC authorization](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*.

**Note**  
Don’t add personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible to many Amazon Web Services services, including Amazon Billing. For more tagging best practices, see [Best practices and strategies](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-best-practices) in the *Tagging Amazon Resources and Tag Editor User Guide*.

### Remediation


To add tags to an Amazon IoT TwinMaker sync job, see [TagResource](https://docs.amazonaws.cn/iot-twinmaker/latest/apireference/API_TagResource.html) in the *Amazon IoT TwinMaker API Reference*.

## [IoTTwinMaker.2] Amazon IoT TwinMaker workspaces should be tagged


**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `AWS::IoTTwinMaker::Workspace`

**Amazon Config rule:** `iottwinmaker-workspace-tagged`

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  requiredKeyTags  | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive.  | StringList (maximum of 6 items)  | 1–6 tag keys that meet [Amazon requirements](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-conventions).  |  No default value  | 

This control checks whether an Amazon IoT TwinMaker workspace has tags with the specific keys defined in the parameter `requiredKeyTags`. The control fails if the workspace doesn’t have any tag keys or if it doesn’t have all the keys specified in the parameter `requiredKeyTags`. If the parameter `requiredKeyTags` isn't provided, the control only checks for the existence of a tag key and fails if the workspace isn't tagged with any key. System tags, which are automatically applied and begin with `aws:`, are ignored.

A tag is a label that you assign to an Amazon resource, and it consists of a key and an optional value. You can create tags to categorize resources by purpose, owner, environment, or other criteria. Tags can help you identify, organize, search for, and filter resources. Tagging also helps you track accountable resource owners for actions and notifications. When you use tagging, you can implement attribute-based access control (ABAC) as an authorization strategy, which defines permissions based on tags. You can attach tags to IAM entities (users or roles) and to Amazon resources. You can create a single ABAC policy or a separate set of policies for your IAM principals. You can design these ABAC policies to allow operations when the principal's tag matches the resource tag. For more information, see [Define permissions based on attributes with ABAC authorization](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*.

**Note**  
Don’t add personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible to many Amazon Web Services services, including Amazon Billing. For more tagging best practices, see [Best practices and strategies](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-best-practices) in the *Tagging Amazon Resources and Tag Editor User Guide*.

### Remediation


To add tags to an Amazon IoT TwinMaker workspace, see [TagResource](https://docs.amazonaws.cn/iot-twinmaker/latest/apireference/API_TagResource.html) in the *Amazon IoT TwinMaker API Reference*.

## [IoTTwinMaker.3] Amazon IoT TwinMaker scenes should be tagged


**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `AWS::IoTTwinMaker::Scene`

**Amazon Config rule:** `iottwinmaker-scene-tagged`

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  requiredKeyTags  | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive.  | StringList (maximum of 6 items)  | 1–6 tag keys that meet [Amazon requirements](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-conventions).  |  No default value  | 

This control checks whether an Amazon IoT TwinMaker scene has tags with the specific keys defined in the parameter `requiredKeyTags`. The control fails if the scene doesn’t have any tag keys or if it doesn’t have all the keys specified in the parameter `requiredKeyTags`. If the parameter `requiredKeyTags` isn't provided, the control only checks for the existence of a tag key and fails if the scene isn't tagged with any key. System tags, which are automatically applied and begin with `aws:`, are ignored.

A tag is a label that you assign to an Amazon resource, and it consists of a key and an optional value. You can create tags to categorize resources by purpose, owner, environment, or other criteria. Tags can help you identify, organize, search for, and filter resources. Tagging also helps you track accountable resource owners for actions and notifications. When you use tagging, you can implement attribute-based access control (ABAC) as an authorization strategy, which defines permissions based on tags. You can attach tags to IAM entities (users or roles) and to Amazon resources. You can create a single ABAC policy or a separate set of policies for your IAM principals. You can design these ABAC policies to allow operations when the principal's tag matches the resource tag. For more information, see [Define permissions based on attributes with ABAC authorization](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*.

**Note**  
Don’t add personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible to many Amazon Web Services services, including Amazon Billing. For more tagging best practices, see [Best practices and strategies](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-best-practices) in the *Tagging Amazon Resources and Tag Editor User Guide*.

### Remediation


To add tags to an Amazon IoT TwinMaker scene, see [TagResource](https://docs.amazonaws.cn/iot-twinmaker/latest/apireference/API_TagResource.html) in the *Amazon IoT TwinMaker API Reference*.

## [IoTTwinMaker.4] Amazon IoT TwinMaker entities should be tagged


**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `AWS::IoTTwinMaker::Entity`

**Amazon Config rule:** `iottwinmaker-entity-tagged`

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  requiredKeyTags  | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive.  | StringList (maximum of 6 items)  | 1–6 tag keys that meet [Amazon requirements](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-conventions).  |  No default value  | 

This control checks whether an Amazon IoT TwinMaker entity has tags with the specific keys defined in the parameter `requiredKeyTags`. The control fails if the entity doesn’t have any tag keys or if it doesn’t have all the keys specified in the parameter `requiredKeyTags`. If the parameter `requiredKeyTags` isn't provided, the control only checks for the existence of a tag key and fails if the entity isn't tagged with any key. System tags, which are automatically applied and begin with `aws:`, are ignored.

A tag is a label that you assign to an Amazon resource, and it consists of a key and an optional value. You can create tags to categorize resources by purpose, owner, environment, or other criteria. Tags can help you identify, organize, search for, and filter resources. Tagging also helps you track accountable resource owners for actions and notifications. When you use tagging, you can implement attribute-based access control (ABAC) as an authorization strategy, which defines permissions based on tags. You can attach tags to IAM entities (users or roles) and to Amazon resources. You can create a single ABAC policy or a separate set of policies for your IAM principals. You can design these ABAC policies to allow operations when the principal's tag matches the resource tag. For more information, see [Define permissions based on attributes with ABAC authorization](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*.

**Note**  
Don’t add personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible to many Amazon Web Services services, including Amazon Billing. For more tagging best practices, see [Best practices and strategies](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-best-practices) in the *Tagging Amazon Resources and Tag Editor User Guide*.

### Remediation


To add tags to an Amazon IoT TwinMaker entity, see [TagResource](https://docs.amazonaws.cn/iot-twinmaker/latest/apireference/API_TagResource.html) in the *Amazon IoT TwinMaker API Reference*.

# Security Hub CSPM controls for Amazon IoT Wireless
Amazon IoT Wireless controls

These Amazon Security Hub CSPM controls evaluate the Amazon IoT Wireless service and resources.

These controls may not be available in all Amazon Web Services Regions. For more information, see [Availability of controls by Region](securityhub-regions.md#securityhub-regions-control-support).

## [IoTWireless.1] Amazon IoT Wireless multicast groups should be tagged


**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `AWS::IoTWireless::MulticastGroup`

**Amazon Config rule:** `iotwireless-multicast-group-tagged`

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  requiredKeyTags  | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive.  | StringList (maximum of 6 items)  | 1–6 tag keys that meet [Amazon requirements](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-conventions).  |  No default value  | 

This control checks whether an Amazon IoT Wireless multicast group has tags with the specific keys defined in the parameter `requiredKeyTags`. The control fails if the multicast group doesn’t have any tag keys or if it doesn’t have all the keys specified in the parameter `requiredKeyTags`. If the parameter `requiredKeyTags` isn't provided, the control only checks for the existence of a tag key and fails if the multicast group isn't tagged with any key. System tags, which are automatically applied and begin with `aws:`, are ignored.

A tag is a label that you assign to an Amazon resource, and it consists of a key and an optional value. You can create tags to categorize resources by purpose, owner, environment, or other criteria. Tags can help you identify, organize, search for, and filter resources. Tagging also helps you track accountable resource owners for actions and notifications. When you use tagging, you can implement attribute-based access control (ABAC) as an authorization strategy, which defines permissions based on tags. You can attach tags to IAM entities (users or roles) and to Amazon resources. You can create a single ABAC policy or a separate set of policies for your IAM principals. You can design these ABAC policies to allow operations when the principal's tag matches the resource tag. For more information, see [Define permissions based on attributes with ABAC authorization](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*.

**Note**  
Don’t add personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible to many Amazon Web Services services, including Amazon Billing. For more tagging best practices, see [Best practices and strategies](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-best-practices) in the *Tagging Amazon Resources and Tag Editor User Guide*.

### Remediation


To add tags to an Amazon IoT Wireless multicast group, see [Tagging your Amazon IoT Wireless resources](https://docs.amazonaws.cn/iot-wireless/latest/developerguide/tagging-iotwireless.html) in the *Amazon IoT Wireless Developer Guide*.

## [IoTWireless.2] Amazon IoT Wireless service profiles should be tagged


**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `AWS::IoTWireless::ServiceProfile`

**Amazon Config rule:** `iotwireless-service-profile-tagged`

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  requiredKeyTags  | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive.  | StringList (maximum of 6 items)  | 1–6 tag keys that meet [Amazon requirements](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-conventions).  |  No default value  | 

This control checks whether an Amazon IoT Wireless service profile has tags with the specific keys defined in the parameter `requiredKeyTags`. The control fails if the service profile doesn’t have any tag keys or if it doesn’t have all the keys specified in the parameter `requiredKeyTags`. If the parameter `requiredKeyTags` isn't provided, the control only checks for the existence of a tag key and fails if the service profile isn't tagged with any key. System tags, which are automatically applied and begin with `aws:`, are ignored.

A tag is a label that you assign to an Amazon resource, and it consists of a key and an optional value. You can create tags to categorize resources by purpose, owner, environment, or other criteria. Tags can help you identify, organize, search for, and filter resources. Tagging also helps you track accountable resource owners for actions and notifications. When you use tagging, you can implement attribute-based access control (ABAC) as an authorization strategy, which defines permissions based on tags. You can attach tags to IAM entities (users or roles) and to Amazon resources. You can create a single ABAC policy or a separate set of policies for your IAM principals. You can design these ABAC policies to allow operations when the principal's tag matches the resource tag. For more information, see [Define permissions based on attributes with ABAC authorization](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*.

**Note**  
Don’t add personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible to many Amazon Web Services services, including Amazon Billing. For more tagging best practices, see [Best practices and strategies](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-best-practices) in the *Tagging Amazon Resources and Tag Editor User Guide*.

### Remediation


To add tags to an Amazon IoT Wireless service profile, see [Tagging your Amazon IoT Wireless resources](https://docs.amazonaws.cn/iot-wireless/latest/developerguide/tagging-iotwireless.html) in the *Amazon IoT Wireless Developer Guide*.

## [IoTWireless.3] Amazon IoT FUOTA tasks should be tagged


**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `AWS::IoTWireless::FuotaTask`

**Amazon Config rule:** `iotwireless-fuota-task-tagged`

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  requiredKeyTags  | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive.  | StringList (maximum of 6 items)  | 1–6 tag keys that meet [Amazon requirements](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-conventions).  |  No default value  | 

This control checks whether an Amazon IoT Wireless firmware update over-the-air (FUOTA) task has tags with the specific keys defined in the parameter `requiredKeyTags`. The control fails if the FUOTA task doesn’t have any tag keys or if it doesn’t have all the keys specified in the parameter `requiredKeyTags`. If the parameter `requiredKeyTags` isn't provided, the control only checks for the existence of a tag key and fails if the FUOTA task isn't tagged with any key. System tags, which are automatically applied and begin with `aws:`, are ignored.

A tag is a label that you assign to an Amazon resource, and it consists of a key and an optional value. You can create tags to categorize resources by purpose, owner, environment, or other criteria. Tags can help you identify, organize, search for, and filter resources. Tagging also helps you track accountable resource owners for actions and notifications. When you use tagging, you can implement attribute-based access control (ABAC) as an authorization strategy, which defines permissions based on tags. You can attach tags to IAM entities (users or roles) and to Amazon resources. You can create a single ABAC policy or a separate set of policies for your IAM principals. You can design these ABAC policies to allow operations when the principal's tag matches the resource tag. For more information, see [Define permissions based on attributes with ABAC authorization](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*.

**Note**  
Don’t add personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible to many Amazon Web Services services, including Amazon Billing. For more tagging best practices, see [Best practices and strategies](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-best-practices) in the *Tagging Amazon Resources and Tag Editor User Guide*.

### Remediation


To add tags to an Amazon IoT Wireless FUOTA task, see [Tagging your Amazon IoT Wireless resources](https://docs.amazonaws.cn/iot-wireless/latest/developerguide/tagging-iotwireless.html) in the *Amazon IoT Wireless Developer Guide*.

# Security Hub CSPM controls for Amazon IVS
Amazon IVS controls

These Amazon Security Hub CSPM controls evaluate the Amazon Interactive Video Service (IVS) service and resources.

These controls may not be available in all Amazon Web Services Regions. For more information, see [Availability of controls by Region](securityhub-regions.md#securityhub-regions-control-support).

## [IVS.1] IVS playback key pairs should be tagged


**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `AWS::IVS::PlaybackKeyPair`

**Amazon Config rule:** `ivs-playback-key-pair-tagged`

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  requiredKeyTags  | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive.  | StringList (maximum of 6 items)  | 1–6 tag keys that meet [Amazon requirements](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-conventions).  |  No default value  | 

This control checks whether an Amazon IVS playback key pair has tags with the specific keys defined in the parameter `requiredKeyTags`. The control fails if the playback key pair doesn’t have any tag keys or if it doesn’t have all the keys specified in the parameter `requiredKeyTags`. If the parameter `requiredKeyTags` isn't provided, the control only checks for the existence of a tag key and fails if the playback key pair isn't tagged with any key. System tags, which are automatically applied and begin with `aws:`, are ignored.

A tag is a label that you assign to an Amazon resource, and it consists of a key and an optional value. You can create tags to categorize resources by purpose, owner, environment, or other criteria. Tags can help you identify, organize, search for, and filter resources. Tagging also helps you track accountable resource owners for actions and notifications. When you use tagging, you can implement attribute-based access control (ABAC) as an authorization strategy, which defines permissions based on tags. You can attach tags to IAM entities (users or roles) and to Amazon resources. You can create a single ABAC policy or a separate set of policies for your IAM principals. You can design these ABAC policies to allow operations when the principal's tag matches the resource tag. For more information, see [Define permissions based on attributes with ABAC authorization](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*.

**Note**  
Don’t add personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible to many Amazon Web Services services, including Amazon Billing. For more tagging best practices, see [Best practices and strategies](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-best-practices) in the *Tagging Amazon Resources and Tag Editor User Guide*.

### Remediation


To add tags to an IVS playback key pair, see [TagResource](https://docs.amazonaws.cn/ivs/latest/RealTimeAPIReference/API_TagResource.html) in the *Amazon IVS Real-Time Streaming API Reference*.

## [IVS.2] IVS recording configurations should be tagged


**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `AWS::IVS::RecordingConfiguration`

**Amazon Config rule:** `ivs-recording-configuration-tagged`

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  requiredKeyTags  | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive.  | StringList (maximum of 6 items)  | 1–6 tag keys that meet [Amazon requirements](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-conventions).  |  No default value  | 

This control checks whether an Amazon IVS recording configuration has tags with the specific keys defined in the parameter `requiredKeyTags`. The control fails if the recording configuration doesn’t have any tag keys or if it doesn’t have all the keys specified in the parameter `requiredKeyTags`. If the parameter `requiredKeyTags` isn't provided, the control only checks for the existence of a tag key and fails if the recording configuration isn't tagged with any key. System tags, which are automatically applied and begin with `aws:`, are ignored.

A tag is a label that you assign to an Amazon resource, and it consists of a key and an optional value. You can create tags to categorize resources by purpose, owner, environment, or other criteria. Tags can help you identify, organize, search for, and filter resources. Tagging also helps you track accountable resource owners for actions and notifications. When you use tagging, you can implement attribute-based access control (ABAC) as an authorization strategy, which defines permissions based on tags. You can attach tags to IAM entities (users or roles) and to Amazon resources. You can create a single ABAC policy or a separate set of policies for your IAM principals. You can design these ABAC policies to allow operations when the principal's tag matches the resource tag. For more information, see [Define permissions based on attributes with ABAC authorization](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*.

**Note**  
Don’t add personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible to many Amazon Web Services services, including Amazon Billing. For more tagging best practices, see [Best practices and strategies](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-best-practices) in the *Tagging Amazon Resources and Tag Editor User Guide*.

### Remediation


To add tags to an IVS recording configuration, see [TagResource](https://docs.amazonaws.cn/ivs/latest/RealTimeAPIReference/API_TagResource.html) in the *Amazon IVS Real-Time Streaming API Reference*.

## [IVS.3] IVS channels should be tagged


**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `AWS::IVS::Channel`

**Amazon Config rule:** `ivs-channel-tagged`

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  requiredKeyTags  | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive.  | StringList (maximum of 6 items)  | 1–6 tag keys that meet [Amazon requirements](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-conventions).  |  No default value  | 

This control checks whether an Amazon IVS channel has tags with the specific keys defined in the parameter `requiredKeyTags`. The control fails if the channel doesn’t have any tag keys or if it doesn’t have all the keys specified in the parameter `requiredKeyTags`. If the parameter `requiredKeyTags` isn't provided, the control only checks for the existence of a tag key and fails if the channel isn't tagged with any key. System tags, which are automatically applied and begin with `aws:`, are ignored.

A tag is a label that you assign to an Amazon resource, and it consists of a key and an optional value. You can create tags to categorize resources by purpose, owner, environment, or other criteria. Tags can help you identify, organize, search for, and filter resources. Tagging also helps you track accountable resource owners for actions and notifications. When you use tagging, you can implement attribute-based access control (ABAC) as an authorization strategy, which defines permissions based on tags. You can attach tags to IAM entities (users or roles) and to Amazon resources. You can create a single ABAC policy or a separate set of policies for your IAM principals. You can design these ABAC policies to allow operations when the principal's tag matches the resource tag. For more information, see [Define permissions based on attributes with ABAC authorization](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*.

**Note**  
Don’t add personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible to many Amazon Web Services services, including Amazon Billing. For more tagging best practices, see [Best practices and strategies](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-best-practices) in the *Tagging Amazon Resources and Tag Editor User Guide*.

### Remediation


To add tags to an IVS channel, see [TagResource](https://docs.amazonaws.cn/ivs/latest/RealTimeAPIReference/API_TagResource.html) in the *Amazon IVS Real-Time Streaming API Reference*.

# Security Hub CSPM controls for Amazon Keyspaces
Amazon Keyspaces controls

These Amazon Security Hub CSPM controls evaluate the Amazon Keyspaces service and resources.

These controls may not be available in all Amazon Web Services Regions. For more information, see [Availability of controls by Region](securityhub-regions.md#securityhub-regions-control-support).

## [Keyspaces.1] Amazon Keyspaces keyspaces should be tagged


**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `AWS::Cassandra::Keyspace`

**Amazon Config rule:** `cassandra-keyspace-tagged`

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  requiredKeyTags  | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive.  | StringList (maximum of 6 items)  | 1–6 tag keys that meet [Amazon requirements](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-conventions).  |  No default value  | 

This control checks whether an Amazon Keyspaces keyspace has tags with the specific keys defined in the parameter `requiredKeyTags`. The control fails if the keyspace doesn’t have any tag keys or if it doesn’t have all the keys specified in the parameter `requiredKeyTags`. If the parameter `requiredKeyTags` isn't provided, the control only checks for the existence of a tag key and fails if the keyspace isn't tagged with any key. System tags, which are automatically applied and begin with `aws:`, are ignored.

A tag is a label that you assign to an Amazon resource, and it consists of a key and an optional value. You can create tags to categorize resources by purpose, owner, environment, or other criteria. Tags can help you identify, organize, search for, and filter resources. Tagging also helps you track accountable resource owners for actions and notifications. When you use tagging, you can implement attribute-based access control (ABAC) as an authorization strategy, which defines permissions based on tags. You can attach tags to IAM entities (users or roles) and to Amazon resources. You can create a single ABAC policy or a separate set of policies for your IAM principals. You can design these ABAC policies to allow operations when the principal's tag matches the resource tag. For more information, see [Define permissions based on attributes with ABAC authorization](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*.

**Note**  
Don’t add personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible to many Amazon Web Services services, including Amazon Billing. For more tagging best practices, see [Best practices and strategies](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-best-practices) in the *Tagging Amazon Resources and Tag Editor User Guide*.

### Remediation


To add tags to an Amazon Keyspaces keyspace, see [Add tags to a keyspace](https://docs.amazonaws.cn/keyspaces/latest/devguide/Tagging.Operations.existing.keyspace.html) in the *Amazon Keyspaces Developer Guide*.

# Security Hub CSPM controls for Kinesis
Amazon Kinesis controls

These Amazon Security Hub CSPM controls evaluate the Amazon Kinesis service and resources.

These controls may not be available in all Amazon Web Services Regions. For more information, see [Availability of controls by Region](securityhub-regions.md#securityhub-regions-control-support).

## [Kinesis.1] Kinesis streams should be encrypted at rest


**Related requirements:** NIST.800-53.r5 CA-9(1), NIST.800-53.r5 CM-3(6), NIST.800-53.r5 SC-13, NIST.800-53.r5 SC-28, NIST.800-53.r5 SC-28(1), NIST.800-53.r5 SC-7(10), NIST.800-53.r5 SI-7(6)

**Category:** Protect > Data Protection > Encryption of data-at-rest

**Severity:** Medium

**Resource type:** `AWS::Kinesis::Stream`

**Amazon Config rule:** [`kinesis-stream-encrypted`](https://docs.amazonaws.cn/config/latest/developerguide/kinesis-stream-encrypted.html)

**Schedule type:** Change triggered

**Parameters:** None 

This control checks whether a Kinesis data stream is encrypted at rest with server-side encryption. The control fails if the stream is not encrypted at rest with server-side encryption.

Server-side encryption is a feature in Amazon Kinesis Data Streams that automatically encrypts data before it's at rest by using an Amazon KMS key. Data is encrypted before it's written to the Kinesis stream storage layer, and decrypted after it's retrieved from storage. As a result, your data is encrypted at rest within the Amazon Kinesis Data Streams service.

### Remediation


For information about enabling server-side encryption for Kinesis streams, see [How do I get started with server-side encryption?](https://docs.amazonaws.cn/streams/latest/dev/getting-started-with-sse.html) in the *Amazon Kinesis Developer Guide*.

## [Kinesis.2] Kinesis streams should be tagged


**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `AWS::Kinesis::Stream`

**Amazon Config rule:** `tagged-kinesis-stream` (custom Security Hub CSPM rule)

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  requiredTagKeys  | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive.  | StringList (maximum of 6 items)  | 1–6 tag keys that meet [Amazon requirements](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-conventions).  | No default value  | 

This control checks whether an Amazon Kinesis data stream has tags with the specific keys defined in the parameter `requiredTagKeys`. The control fails if the data stream doesn’t have any tag keys or if it doesn’t have all the keys specified in the parameter `requiredTagKeys`. If the parameter `requiredTagKeys` isn't provided, the control only checks for the existence of a tag key and fails if the data stream isn't tagged with any key. System tags, which are automatically applied and begin with `aws:`, are ignored.
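The tag-key check that this control and the tagging controls above (IoT TwinMaker, IoT Wireless, IVS and Keyspaces) describe, reproduced as an added Python example; this is not Security Hub CSPM or Amazon Config code, and the resource names and tag sets are constructed sample input.

```python
"""Tag-key compliance check with the semantics of the `requiredKeyTags` /
`requiredTagKeys` tagging controls on this page (added example, not Security
Hub CSPM code).

Semantics taken from the control descriptions:
  * system tags, whose keys begin with "aws:", are ignored
  * tag keys are compared case-sensitively
  * without required keys, the resource passes if it has any non-system tag key
  * with required keys, the resource fails if any required key is missing
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

MAX_REQUIRED_KEYS = 6  # "StringList (maximum of 6 items)" in the parameter table


@dataclass
class TagEvaluation:
    resource_id: str
    compliant: bool
    missing_keys: List[str] = field(default_factory=list)
    reason: str = ""


def non_system_tags(tags: Dict[str, str]) -> Dict[str, str]:
    """Drop automatically applied system tags (keys that begin with 'aws:')."""
    return {k: v for k, v in tags.items() if not k.startswith("aws:")}


def validate_required_keys(required_keys: Optional[List[str]]) -> None:
    """Enforce the parameter constraint: 1-6 keys when the parameter is supplied."""
    if required_keys is not None and not 1 <= len(required_keys) <= MAX_REQUIRED_KEYS:
        raise ValueError(
            f"required tag keys must contain 1-{MAX_REQUIRED_KEYS} items, got {len(required_keys)}"
        )


def evaluate_resource(
    resource_id: str, tags: Dict[str, str], required_keys: Optional[List[str]] = None
) -> TagEvaluation:
    """Return the control verdict for one resource's tag set."""
    validate_required_keys(required_keys)
    user_tags = non_system_tags(tags)
    if required_keys is None:
        # No parameter: only the existence of a non-system tag key is checked.
        if not user_tags:
            return TagEvaluation(resource_id, False, reason="no non-system tag keys")
        return TagEvaluation(resource_id, True)
    # Parameter supplied: every listed key must be present (case-sensitive match).
    missing = [k for k in required_keys if k not in user_tags]
    if missing:
        return TagEvaluation(resource_id, False, missing, "missing required tag keys")
    return TagEvaluation(resource_id, True)


def evaluate_all(
    resources: Dict[str, Dict[str, str]], required_keys: Optional[List[str]] = None
) -> Dict[str, TagEvaluation]:
    """Evaluate a mapping of resource id -> tags and return a verdict per resource."""
    return {rid: evaluate_resource(rid, tags, required_keys) for rid, tags in resources.items()}


# Constructed sample input: stream names and tags are illustrative only.
SAMPLE_STREAMS = {
    "stream-only-system-tags": {"aws:cloudformation:stack-name": "demo-stack"},
    "stream-fully-tagged": {"Owner": "payments-team", "Environment": "prod"},
    "stream-wrong-case": {"owner": "payments-team", "Environment": "prod"},
}

if __name__ == "__main__":
    for rid, verdict in evaluate_all(SAMPLE_STREAMS, ["Owner", "Environment"]).items():
        status = "PASSED" if verdict.compliant else "FAILED"
        print(f"{rid}: {status} {verdict.reason} {verdict.missing_keys}")
```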

A tag is a label that you assign to an Amazon resource, and it consists of a key and an optional value. You can create tags to categorize resources by purpose, owner, environment, or other criteria. Tags can help you identify, organize, search for, and filter resources. Tagging also helps you track accountable resource owners for actions and notifications. When you use tagging, you can implement attribute-based access control (ABAC) as an authorization strategy, which defines permissions based on tags. You can attach tags to IAM entities (users or roles) and to Amazon resources. You can create a single ABAC policy or a separate set of policies for your IAM principals. You can design these ABAC policies to allow operations when the principal's tag matches the resource tag. For more information, see [What is ABAC for Amazon?](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*.

**Note**  
Don’t add personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible to many Amazon Web Services services, including Amazon Billing. For more tagging best practices, see [Tagging your Amazon resources](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-best-practices) in the *Amazon Web Services General Reference*.

### Remediation


To add tags to a Kinesis data stream, see [Tagging your streams in Amazon Kinesis Data Streams](https://docs.amazonaws.cn/streams/latest/dev/tagging.html) in the *Amazon Kinesis Developer Guide*.

## [Kinesis.3] Kinesis streams should have an adequate data retention period


**Severity:** Medium

**Resource type:** `AWS::Kinesis::Stream`

**Amazon Config rule:** [`kinesis-stream-backup-retention-check`](https://docs.amazonaws.cn/config/latest/developerguide/kinesis-stream-backup-retention-check.html)

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  minimumBackupRetentionPeriod  | Minimum number of hours that the data should be retained.  | String  | 24 to 8760  | 168  | 

This control checks whether an Amazon Kinesis data stream has a data retention period greater than or equal to the specified time frame. The control fails if the data retention period is less than the specified time frame. Unless you provide a custom parameter value for the data retention period, Security Hub CSPM uses a default value of 168 hours.

In Kinesis Data Streams, a data stream is an ordered sequence of data records meant to be written to and read from in real time. Data records are stored temporarily in the shards of your stream. The time period from when a record is added to when it is no longer accessible is called the retention period. Decreasing the retention period makes records older than the new period inaccessible almost immediately. Increasing it keeps records that have not yet expired: for example, changing the retention period from 24 hours to 48 hours means that a record added to the stream 23 hours 55 minutes earlier is still available after the 24-hour mark.

### Remediation


To change the backup retention period for your Kinesis Data Streams, see [Change the data retention period](https://docs.amazonaws.cn/streams/latest/dev/kinesis-extended-retention.html) in the *Amazon Kinesis Data Streams Developer Guide*.

# Security Hub CSPM controls for Amazon KMS
Amazon KMS controls

These Amazon Security Hub CSPM controls evaluate the Amazon Key Management Service (Amazon KMS) service and resources. The controls might not be available in all Amazon Web Services Regions. For more information, see [Availability of controls by Region](securityhub-regions.md#securityhub-regions-control-support).

## [KMS.1] IAM customer managed policies should not allow decryption actions on all KMS keys


**Related requirements:** NIST.800-53.r5 AC-2, NIST.800-53.r5 AC-2(1), NIST.800-53.r5 AC-3, NIST.800-53.r5 AC-3(15), NIST.800-53.r5 AC-3(7), NIST.800-53.r5 AC-5, NIST.800-53.r5 AC-6, NIST.800-53.r5 AC-6(3)

**Category:** Protect > Secure access management

**Severity:** Medium

**Resource type:** `AWS::IAM::Policy`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/iam-customer-policy-blocked-kms-actions.html](https://docs.amazonaws.cn/config/latest/developerguide/iam-customer-policy-blocked-kms-actions.html)

**Schedule type:** Change triggered

**Parameters:** 
+ `blockedActionsPatterns`: `kms:ReEncryptFrom, kms:Decrypt` (not customizable)
+ `excludePermissionBoundaryPolicy`: `True` (not customizable)

This control checks whether the default version of IAM customer managed policies allows principals to use the Amazon KMS decryption actions on all resources. The control fails if the policy is open enough to allow `kms:Decrypt` or `kms:ReEncryptFrom` actions on all KMS keys.

The control only checks KMS keys in the Resource element and doesn't take into account any conditionals in the Condition element of a policy. In addition, the control evaluates both attached and unattached customer managed policies. It doesn't check inline policies or Amazon managed policies.

With Amazon KMS, you control who can use your KMS keys and gain access to your encrypted data. IAM policies define which actions an identity (user, group, or role) can perform on which resources. Following security best practices, Amazon recommends that you allow least privilege. In other words, you should grant to identities only the `kms:Decrypt` or `kms:ReEncryptFrom` permissions and only for the keys that are required to perform a task. Otherwise, the user might use keys that are not appropriate for your data.

Instead of granting permissions for all keys, determine the minimum set of keys that users need to access encrypted data. Then design policies that allow users to use only those keys. For example, do not allow `kms:Decrypt` permission on all KMS keys. Instead, allow `kms:Decrypt` only on keys in a particular Region for your account. By adopting the principle of least privilege, you can reduce the risk of unintended disclosure of your data.

### Remediation


To modify an IAM customer managed policy, see [Editing customer managed policies](https://docs.amazonaws.cn/IAM/latest/UserGuide/access_policies_manage-edit.html#edit-managed-policy-console) in the *IAM User Guide*. When editing your policy, for the `Resource` field, provide the Amazon Resource Name (ARN) of the specific key or keys that you want to allow decryption actions on.

## [KMS.2] IAM principals should not have IAM inline policies that allow decryption actions on all KMS keys


**Related requirements:** NIST.800-53.r5 AC-2, NIST.800-53.r5 AC-2(1), NIST.800-53.r5 AC-3, NIST.800-53.r5 AC-3(15), NIST.800-53.r5 AC-3(7), NIST.800-53.r5 AC-5, NIST.800-53.r5 AC-6, NIST.800-53.r5 AC-6(3)

**Category:** Protect > Secure access management

**Severity:** Medium

**Resource type:**
+ `AWS::IAM::Group`
+ `AWS::IAM::Role`
+ `AWS::IAM::User`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/iam-inline-policy-blocked-kms-actions.html](https://docs.amazonaws.cn/config/latest/developerguide/iam-inline-policy-blocked-kms-actions.html) 

**Schedule type:** Change triggered

**Parameters:**
+ `blockedActionsPatterns`: `kms:ReEncryptFrom, kms:Decrypt` (not customizable)

This control checks whether the inline policies that are embedded in your IAM identities (role, user, or group) allow the Amazon KMS decryption and re-encryption actions on all KMS keys. The control fails if the policy is open enough to allow `kms:Decrypt` or `kms:ReEncryptFrom` actions on all KMS keys.

The control only checks KMS keys in the Resource element and doesn't take into account any conditionals in the Condition element of a policy.

With Amazon KMS, you control who can use your KMS keys and gain access to your encrypted data. IAM policies define which actions an identity (user, group, or role) can perform on which resources. Following security best practices, Amazon recommends that you allow least privilege. In other words, you should grant to identities only the permissions they need and only for keys that are required to perform a task. Otherwise, the user might use keys that are not appropriate for your data.

Instead of granting permission for all keys, determine the minimum set of keys that users need to access encrypted data. Then design policies that allow the users to use only those keys. For example, do not allow `kms:Decrypt` permission on all KMS keys. Instead, allow the permission only on specific keys in a specific Region for your account. By adopting the principle of least privilege, you can reduce the risk of unintended disclosure of your data.

### Remediation


To modify an IAM inline policy, see [Editing inline policies](https://docs.amazonaws.cn/IAM/latest/UserGuide/access_policies_manage-edit.html#edit-inline-policy-console) in the *IAM User Guide*. When editing your policy, for the `Resource` field, provide the Amazon Resource Name (ARN) of the specific key or keys that you want to allow decryption actions on.
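The following is an added example, not Security Hub CSPM's or Amazon Config's own rule code, that approximates the check described for KMS.1 and KMS.2 offline: it walks a policy document, keeps only `Allow` statements whose `Action` (or `NotAction`) covers `kms:Decrypt` or `kms:ReEncryptFrom`, and flags those whose `Resource` element covers every key, ignoring `Condition` exactly as the controls do. The sample policies, the account ID, the key ID, and the rule that a key ARN with region, account, and key ID all wildcarded counts as "all keys" are assumptions made for the example.

```python
"""Offline approximation of the KMS.1 / KMS.2 check (added example, not the control's code)."""
import fnmatch
import json

# Non-customizable control parameter, as listed on the page.
BLOCKED_ACTIONS = ("kms:Decrypt", "kms:ReEncryptFrom")


def _as_list(value):
    """IAM accepts either a single string or a list in Action/NotAction/Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_pattern_matches(pattern, action):
    """IAM action matching is case-insensitive and supports * and ? wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _grants_blocked_action(statement):
    """True if this Allow statement's Action/NotAction covers a blocked action."""
    if statement.get("Effect") != "Allow":
        return False
    if "NotAction" in statement:
        # NotAction allows everything except the listed patterns, so a blocked
        # action is granted unless some NotAction pattern explicitly covers it.
        excluded = _as_list(statement["NotAction"])
        return any(
            not any(_action_pattern_matches(p, a) for p in excluded)
            for a in BLOCKED_ACTIONS
        )
    allowed = _as_list(statement.get("Action"))
    return any(_action_pattern_matches(p, a) for p in allowed for a in BLOCKED_ACTIONS)


def _covers_all_keys(resource):
    """Assumption for this example: "*" or a key ARN with region, account and key id
    all wildcarded (arn:aws:kms:*:*:key/*) means "all KMS keys". Region- or
    account-scoped ARNs are treated as scoped, which is what the page recommends."""
    if resource == "*":
        return True
    parts = resource.split(":", 5)  # arn:partition:service:region:account:resource
    if len(parts) != 6 or parts[2] not in ("kms", "*"):
        return False
    region, account, key = parts[3], parts[4], parts[5]
    return region == "*" and account == "*" and key in ("*", "key/*")


def find_all_key_decrypt_grants(policy_document):
    """Return the Sids (or a positional label) of statements that would fail the control."""
    policy = json.loads(policy_document) if isinstance(policy_document, str) else policy_document
    failing = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if not _grants_blocked_action(stmt):
            continue
        # Only the Resource element is inspected; Condition is deliberately ignored,
        # matching the documented behaviour of the control.
        if any(_covers_all_keys(r) for r in _as_list(stmt.get("Resource"))):
            failing.append(stmt.get("Sid", f"Statement[{idx}]"))
    return failing


# Constructed sample policies (not from the page). The first one fails: the
# Condition would not rescue it because the control never looks at conditions.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowDecryptEverywhere", "Effect": "Allow",
         "Action": ["kms:Decrypt", "kms:DescribeKey"], "Resource": "*",
         "Condition": {"StringEquals": {"aws:RequestedRegion": "cn-north-1"}}},
        {"Sid": "ListKeys", "Effect": "Allow", "Action": "kms:ListKeys", "Resource": "*"},
    ],
}

# The scoped rewrite: the same actions, limited to one key ARN (constructed values).
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DecryptAppKeyOnly", "Effect": "Allow",
         "Action": ["kms:Decrypt", "kms:ReEncryptFrom"],
         "Resource": "arn:aws-cn:kms:cn-north-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"},
    ],
}

if __name__ == "__main__":
    print(find_all_key_decrypt_grants(BROAD_POLICY))   # ['AllowDecryptEverywhere']
    print(find_all_key_decrypt_grants(SCOPED_POLICY))  # []
```

Because the control ignores `Condition`, a policy that scopes decryption with `aws:RequestedRegion` or `kms:ViaService` still fails; only the `Resource` element satisfies the check, which is why the remediation asks for specific key ARNs there.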

## [KMS.3] Amazon KMS keys should not be deleted unintentionally


**Related requirements:** NIST.800-53.r5 SC-12, NIST.800-53.r5 SC-12(2)

**Category:** Protect > Data protection > Data deletion protection

**Severity:** Critical

**Resource type:** `AWS::KMS::Key`

**Amazon Config rule:** `kms-cmk-not-scheduled-for-deletion-2` (custom Security Hub CSPM rule)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether KMS keys are scheduled for deletion. The control fails if a KMS key is scheduled for deletion.

KMS keys cannot be recovered once deleted. Data encrypted under a KMS key is also permanently unrecoverable if the KMS key is deleted. If meaningful data has been encrypted under a KMS key scheduled for deletion, consider decrypting the data or re-encrypting the data under a new KMS key unless you are intentionally performing a *cryptographic erasure*.

When a KMS key is scheduled for deletion, a mandatory waiting period is enforced to allow time to reverse the deletion, if it was scheduled in error. The default waiting period is 30 days, but it can be reduced to as short as 7 days when the KMS key is scheduled for deletion. During the waiting period, the scheduled deletion can be canceled and the KMS key will not be deleted.

For additional information regarding deleting KMS keys, see [Deleting KMS keys](https://docs.amazonaws.cn/kms/latest/developerguide/deleting-keys.html) in the *Amazon Key Management Service Developer Guide*.

### Remediation


To cancel a scheduled KMS key deletion, see **To cancel key deletion** under [Scheduling and canceling key deletion (console)](https://docs.amazonaws.cn/kms/latest/developerguide/deleting-keys-scheduling-key-deletion.html#deleting-keys-scheduling-key-deletion-console) in the *Amazon Key Management Service Developer Guide*.

## [KMS.4] Amazon KMS key rotation should be enabled


**Related requirements:** CIS Amazon Foundations Benchmark v5.0.0/3.6, CIS Amazon Foundations Benchmark v3.0.0/3.6, CIS Amazon Foundations Benchmark v1.4.0/3.8, CIS Amazon Foundations Benchmark v1.2.0/2.8, NIST.800-53.r5 SC-12, NIST.800-53.r5 SC-12(2), NIST.800-53.r5 SC-28(3), PCI DSS v3.2.1/3.6.4, PCI DSS v4.0.1/3.7.4

**Category:** Protect > Data Protection > Encryption of data-at-rest

**Severity:** Medium

**Resource type:** `AWS::KMS::Key`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/cmk-backing-key-rotation-enabled.html](https://docs.amazonaws.cn/config/latest/developerguide/cmk-backing-key-rotation-enabled.html)

**Schedule type:** Periodic

**Parameters:** None

Amazon KMS enables customers to rotate the backing key, which is key material stored in Amazon KMS and is tied to the key ID of the KMS key. It's the backing key that is used to perform cryptographic operations such as encryption and decryption. Automated key rotation currently retains all previous backing keys so that decryption of encrypted data can take place transparently.

CIS recommends that you enable KMS key rotation. Rotating encryption keys helps reduce the potential impact of a compromised key because data encrypted with a new key can't be accessed with a previous key that might have been exposed.

### Remediation


To enable KMS key rotation, see [How to enable and disable automatic key rotation](https://docs.amazonaws.cn/kms/latest/developerguide/rotate-keys.html#rotating-keys-enable-disable) in the *Amazon Key Management Service Developer Guide*.

## [KMS.5] KMS keys should not be publicly accessible


**Category:** Protect > Secure network configuration > Resources not publicly accessible

**Severity:** Critical

**Resource type:** `AWS::KMS::Key`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/kms-key-policy-no-public-access.html](https://docs.amazonaws.cn/config/latest/developerguide/kms-key-policy-no-public-access.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether an Amazon KMS key is publicly accessible. The control fails if the KMS key is publicly accessible.

Implementing least privilege access is fundamental to reducing security risk and the impact of errors or malicious intent. If the key policy for an Amazon KMS key allows access from external accounts, third parties might be able to encrypt and decrypt data by using the key. This could result in an internal or external threat exfiltrating data from Amazon Web Services services that use the key.

**Note**  
This control also returns a `FAILED` finding for an Amazon KMS key if your configurations prevent Amazon Config from recording the key policy in the Configuration Item (CI) for the KMS key. For Amazon Config to populate the key policy in the CI for the KMS key, the [Amazon Config role](https://docs.amazonaws.cn/config/latest/developerguide/gs-cli-prereq.html#gs-cli-create-iamrole) must have access to read the key policy by using the [GetKeyPolicy](https://docs.amazonaws.cn/kms/latest/APIReference/API_GetKeyPolicy.html) API call. To resolve this type of `FAILED` finding, check policies that can prevent the Amazon Config role from having read access to the key policy for the KMS key. For example, check the following:
+ The key policy for the KMS key.
+ [Service control policies (SCPs)](https://docs.amazonaws.cn/organizations/latest/userguide/orgs_manage_policies_scps.html) and [resource control policies (RCPs)](https://docs.amazonaws.cn/organizations/latest/userguide/orgs_manage_policies_rcps.html) in Amazon Organizations that apply to your account.
+ Permissions for the Amazon Config role, if you are not using the [Amazon Config service-linked role](https://docs.amazonaws.cn/config/latest/developerguide/using-service-linked-roles.html).

In addition, this control doesn't evaluate policy conditions that use wildcard characters or variables. To produce a `PASSED` finding, conditions in the key policy must only use fixed values, which are values that don't contain wildcard characters or policy variables. For information about policy variables, see [Variables and tags](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_policies_variables.html) in the *Amazon Identity and Access Management User Guide*.

### Remediation


For information about updating the key policy for an Amazon KMS key, see [Key policies in Amazon KMS](https://docs.amazonaws.cn/kms/latest/developerguide/key-policies.html#key-policy-overview) in the *Amazon Key Management Service Developer Guide*.

# Security Hub CSPM controls for Amazon Lambda
Amazon Lambda controls

These Amazon Security Hub CSPM controls evaluate the Amazon Lambda service and resources. The controls might not be available in all Amazon Web Services Regions. For more information, see [Availability of controls by Region](securityhub-regions.md#securityhub-regions-control-support).

## [Lambda.1] Lambda function policies should prohibit public access


**Related requirements:** NIST.800-53.r5 AC-21, NIST.800-53.r5 AC-3, NIST.800-53.r5 AC-3(7), NIST.800-53.r5 AC-4, NIST.800-53.r5 AC-4(21), NIST.800-53.r5 AC-6, NIST.800-53.r5 SC-7, NIST.800-53.r5 SC-7(11), NIST.800-53.r5 SC-7(16), NIST.800-53.r5 SC-7(20), NIST.800-53.r5 SC-7(21), NIST.800-53.r5 SC-7(3), NIST.800-53.r5 SC-7(4), NIST.800-53.r5 SC-7(9), PCI DSS v3.2.1/1.2.1, PCI DSS v3.2.1/1.3.1, PCI DSS v3.2.1/1.3.2, PCI DSS v3.2.1/1.3.4, PCI DSS v3.2.1/7.2.1, PCI DSS v4.0.1/7.2.1

**Category:** Protect > Secure network configuration

**Severity:** Critical

**Resource type:** `AWS::Lambda::Function`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/lambda-function-public-access-prohibited.html](https://docs.amazonaws.cn/config/latest/developerguide/lambda-function-public-access-prohibited.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether the Lambda function resource-based policy prohibits public access outside of your account. The control fails if public access is permitted. The control also fails if a Lambda function is invoked from Amazon S3, and the policy doesn't include a condition to limit public access, such as `AWS:SourceAccount`. We recommend using other S3 conditions along with `AWS:SourceAccount` in your bucket policy for more refined access.

**Note**  
This control doesn't evaluate policy conditions that use wildcard characters or variables. To produce a `PASSED` finding, conditions in the policy for the Lambda function must only use fixed values, which are values that don't contain wildcard characters or policy variables. For information about policy variables, see [Variables and tags](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_policies_variables.html) in the *Amazon Identity and Access Management User Guide*.

The Lambda function should not be publicly accessible, as this may allow unintended access to your function code.

### Remediation


To remediate this issue, you must update your function's resource-based policy to remove permissions or to add the `AWS:SourceAccount` condition. You can only update the resource-based policy from the Lambda API or Amazon CLI.

To start, [review the resource-based policy](https://docs.amazonaws.cn/lambda/latest/dg/access-control-resource-based.html) on the Lambda console. Identify the policy statement that has `Principal` field values that make the policy public, such as `"*"` or `{ "AWS": "*" }`.

You cannot edit the policy from the console. To remove permissions from the function, run the [remove-permission](https://docs.amazonaws.cn/cli/latest/reference/lambda/remove-permission.html) command from the Amazon CLI.

```
$ aws lambda remove-permission --function-name <function-name> --statement-id <statement-id>
```

Replace `<function-name>` with the name of the Lambda function, and `<statement-id>` with the statement ID (`Sid`) of the statement that you want to remove.
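The following is an added example, not Security Hub CSPM's or Amazon Config's own rule code, that approximates offline the public-access checks described for both KMS.5 (key policies) and Lambda.1 (function resource-based policies). It flags `Allow` statements whose `Principal` is `"*"` or `{"AWS": "*"}`, or (for the S3-invocation case) the S3 service principal, unless a `Condition` narrows them using fixed values only; a condition containing wildcards or `${...}` policy variables is treated as absent, as the notes on both controls describe. The sample policies, account ID, bucket name, and the simplification that any fixed-value condition counts as narrowing are assumptions made for the example.

```python
"""Offline approximation of the KMS.5 / Lambda.1 public-principal check (added example)."""
import json

# Wildcard characters and policy-variable syntax that disqualify a condition value.
_NON_FIXED_MARKERS = ("*", "?", "${")


def _as_list(value):
    """IAM accepts either a single string or a list in most policy fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_anonymous_principal(principal):
    """"*" or {"AWS": "*"} (possibly inside a list) means everyone."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def _is_s3_service_principal(principal):
    """S3 invoking a Lambda function: any bucket in any account can be the caller
    unless the statement pins the source account or bucket (confused deputy)."""
    return isinstance(principal, dict) and "s3.amazonaws.com" in _as_list(principal.get("Service"))


def _condition_uses_fixed_values_only(statement):
    """True only if a Condition exists and every value is a literal (no wildcards,
    no ${variables}). Per the page, conditions with wildcards or variables are not
    evaluated by the controls, so this example treats them as if absent."""
    condition = statement.get("Condition")
    if not condition:
        return False
    for operator_block in condition.values():
        for values in operator_block.values():
            for v in _as_list(values):
                text = v if isinstance(v, str) else str(v)
                if any(marker in text for marker in _NON_FIXED_MARKERS):
                    return False
    return True


def public_statement_ids(policy_document):
    """Return Sids (or positional labels) of statements that leave the resource public."""
    policy = json.loads(policy_document) if isinstance(policy_document, str) else policy_document
    flagged = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        exposed = _is_anonymous_principal(principal) or _is_s3_service_principal(principal)
        if exposed and not _condition_uses_fixed_values_only(stmt):
            flagged.append(stmt.get("Sid", f"Statement[{idx}]"))
    return flagged


# Constructed samples (not from the page). A key policy with one public statement:
KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "EnableRootPermissions", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws-cn:iam::111122223333:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "AllowEveryone", "Effect": "Allow", "Principal": "*",
         "Action": ["kms:Encrypt", "kms:Decrypt"], "Resource": "*"},
    ],
}

# Lambda policy invoked from S3: the wildcard SourceArn does not count as narrowing.
LAMBDA_POLICY_BAD = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowS3InvokeAnyBucket", "Effect": "Allow",
         "Principal": {"Service": "s3.amazonaws.com"},
         "Action": "lambda:InvokeFunction",
         "Resource": "arn:aws-cn:lambda:cn-north-1:111122223333:function:ingest",
         "Condition": {"ArnLike": {"AWS:SourceArn": "arn:aws-cn:s3:::*"}}},
    ],
}

# Remediated form: fixed AWS:SourceAccount plus a fixed bucket ARN.
LAMBDA_POLICY_GOOD = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowS3InvokeFromMyBucket", "Effect": "Allow",
         "Principal": {"Service": "s3.amazonaws.com"},
         "Action": "lambda:InvokeFunction",
         "Resource": "arn:aws-cn:lambda:cn-north-1:111122223333:function:ingest",
         "Condition": {"StringEquals": {"AWS:SourceAccount": "111122223333"},
                       "ArnLike": {"AWS:SourceArn": "arn:aws-cn:s3:::my-upload-bucket"}}},
    ],
}

if __name__ == "__main__":
    print(public_statement_ids(KEY_POLICY))         # ['AllowEveryone']
    print(public_statement_ids(LAMBDA_POLICY_BAD))  # ['AllowS3InvokeAnyBucket']
    print(public_statement_ids(LAMBDA_POLICY_GOOD)) # []
```

The Sids this returns are the `--statement-id` values you would pass to `remove-permission` when cleaning up a Lambda policy, or the statements to rewrite in a key policy.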

## [Lambda.2] Lambda functions should use supported runtimes


**Related requirements:** NIST.800-53.r5 CA-9(1), NIST.800-53.r5 CM-2, NIST.800-53.r5 SI-2, NIST.800-53.r5 SI-2(2), NIST.800-53.r5 SI-2(4), NIST.800-53.r5 SI-2(5), PCI DSS v4.0.1/12.3.4

**Category:** Protect > Secure development

**Severity:** Medium

**Resource type:** `AWS::Lambda::Function`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/lambda-function-settings-check.html](https://docs.amazonaws.cn/config/latest/developerguide/lambda-function-settings-check.html)

**Schedule type:** Change triggered

**Parameters:** 
+ `runtime`: `dotnet10, dotnet8, java25, java21, java17, java11, java8.al2, nodejs24.x, nodejs22.x, nodejs20.x, python3.14, python3.13, python3.12, python3.11, python3.10, ruby3.4, ruby3.3` (not customizable)

This control checks whether Amazon Lambda function runtime settings match the expected values set for the supported runtimes in each language. The control fails if the Lambda function doesn't use a supported runtime, as noted in the Parameters section. Security Hub CSPM ignores functions that have a package type of `Image`.

Lambda runtimes are built around a combination of operating system, programming language, and software libraries that are subject to maintenance and security updates. When a runtime component is no longer supported for security updates, Lambda deprecates the runtime. Even though you can't create functions that use the deprecated runtime, the function is still available to process invocation events. We recommend ensuring that your Lambda functions are current and don't use deprecated runtime environments. For a list of supported runtimes, see [Lambda runtimes](https://docs.amazonaws.cn/lambda/latest/dg/lambda-runtimes.html) in the *Amazon Lambda Developer Guide*.

### Remediation


For more information about supported runtimes and deprecation schedules, see [Runtime deprecation policy](https://docs.amazonaws.cn/lambda/latest/dg/runtime-support-policy.html) in the *Amazon Lambda Developer Guide*. When you migrate your runtimes to the latest version, follow the syntax and guidance from the publishers of the language. We also recommend applying [runtime updates](https://docs.amazonaws.cn/lambda/latest/dg/runtimes-update.html#runtime-management-controls) to help reduce the risk of impact to your workloads in the rare event of a runtime version incompatibility.

## [Lambda.3] Lambda functions should be in a VPC


**Related requirements:** PCI DSS v3.2.1/1.2.1, PCI DSS v3.2.1/1.3.1, PCI DSS v3.2.1/1.3.2, PCI DSS v3.2.1/1.3.4, NIST.800-53.r5 AC-21, NIST.800-53.r5 AC-3, NIST.800-53.r5 AC-3(7), NIST.800-53.r5 AC-4, NIST.800-53.r5 AC-4(21), NIST.800-53.r5 AC-6, NIST.800-53.r5 SC-7, NIST.800-53.r5 SC-7(11), NIST.800-53.r5 SC-7(16), NIST.800-53.r5 SC-7(20), NIST.800-53.r5 SC-7(21), NIST.800-53.r5 SC-7(3), NIST.800-53.r5 SC-7(4), NIST.800-53.r5 SC-7(9)

**Category:** Protect > Secure network configuration

**Severity:** Low

**Resource type:** `AWS::Lambda::Function`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/lambda-inside-vpc.html](https://docs.amazonaws.cn/config/latest/developerguide/lambda-inside-vpc.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether a Lambda function is deployed in a virtual private cloud (VPC). The control fails if the Lambda function isn't deployed in a VPC. Security Hub CSPM doesn't evaluate the VPC subnet routing configuration to determine public reachability. You might see failed findings for Lambda@Edge resources.

Deploying resources in a VPC strengthens security and control over network configurations. Such deployments also offer scalability and high fault tolerance across multiple Availability Zones. You can customize VPC deployments to meet diverse application requirements.

### Remediation


To configure an existing function to connect to private subnets in your VPC, see [Configuring VPC access](https://docs.amazonaws.cn/lambda/latest/dg/configuration-vpc.html#vpc-configuring) in the *Amazon Lambda Developer Guide*. We recommend choosing at least two private subnets for high availability and at least one security group that meets the connectivity requirements of the function.

## [Lambda.5] VPC Lambda functions should operate in multiple Availability Zones


**Related requirements:** NIST.800-53.r5 CP-10, NIST.800-53.r5 CP-6(2), NIST.800-53.r5 SC-36, NIST.800-53.r5 SC-5(2), NIST.800-53.r5 SI-13(5)

**Category:** Recover > Resilience > High availability

**Severity:** Medium

**Resource type:** `AWS::Lambda::Function`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/lambda-vpc-multi-az-check.html](https://docs.amazonaws.cn/config/latest/developerguide/lambda-vpc-multi-az-check.html)

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  `availabilityZones`  |  Minimum number of Availability Zones  |  Enum  |  `2, 3, 4, 5, 6`  |  `2`  | 

This control checks whether an Amazon Lambda function that connects to a virtual private cloud (VPC) operates in at least the specified number of Availability Zones (AZs). The control fails if the function doesn't operate in at least the specified number of AZs. Unless you provide a custom parameter value for the minimum number of AZs, Security Hub CSPM uses a default value of two AZs.

Deploying resources across multiple AZs is an Amazon best practice to ensure high availability within your architecture. Availability is a core pillar in the confidentiality, integrity, and availability triad security model. All Lambda functions that connect to a VPC should have a multi-AZ deployment to ensure that a single zone of failure doesn't cause a total disruption of operations.

### Remediation


If you configure your function to connect to a VPC in your account, specify subnets in multiple AZs to ensure high availability. For instructions, see [Configuring VPC access](https://docs.amazonaws.cn/lambda/latest/dg/configuration-vpc.html#vpc-configuring) in the *Amazon Lambda Developer Guide*.

Lambda automatically runs other functions in multiple AZs to ensure that it is available to process events in case of a service interruption in a single zone.

## [Lambda.6] Lambda functions should be tagged


**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `Amazon::Lambda::Function`

**Amazon Config rule:** `tagged-lambda-function` (custom Security Hub CSPM rule)

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  requiredTagKeys  | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive.  | StringList (maximum of 6 items)  | 1–6 tag keys that meet [Amazon requirements](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-conventions).  |  No default value  | 

This control checks whether an Amazon Lambda function has tags with the specific keys defined in the parameter `requiredTagKeys`. The control fails if the function doesn’t have any tag keys or if it doesn’t have all the keys specified in the parameter `requiredTagKeys`. If the parameter `requiredTagKeys` isn't provided, the control only checks for the existence of a tag key and fails if the function isn't tagged with any key. System tags, which are automatically applied and begin with `aws:`, are ignored.

A tag is a label that you assign to an Amazon resource, and it consists of a key and an optional value. You can create tags to categorize resources by purpose, owner, environment, or other criteria. Tags can help you identify, organize, search for, and filter resources. Tagging also helps you track accountable resource owners for actions and notifications. When you use tagging, you can implement attribute-based access control (ABAC) as an authorization strategy, which defines permissions based on tags. You can attach tags to IAM entities (users or roles) and to Amazon resources. You can create a single ABAC policy or a separate set of policies for your IAM principals. You can design these ABAC policies to allow operations when the principal's tag matches the resource tag. For more information, see [What is ABAC for Amazon?](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*.

**Note**  
Don’t add personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible to many Amazon Web Services services, including Amazon Billing. For more tagging best practices, see [Tagging your Amazon resources](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-best-practices) in the *Amazon Web Services General Reference*.

### Remediation


To add tags to a Lambda function, see [Using tags on Lambda functions](https://docs.amazonaws.cn/lambda/latest/dg/configuration-tags.html) in the *Amazon Lambda Developer Guide*.
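The following is an added example, not Security Hub CSPM's own rule code, that mirrors the Lambda.6 evaluation logic described above over a constructed inventory of function tag maps: required keys are matched case-sensitively, system tags beginning with `aws:` never count, and without `requiredTagKeys` a function passes as soon as it carries any non-system key. The function names and tag values are constructed for the example.

```python
"""Offline mirror of the Lambda.6 tag check (added example, not the control's code)."""

SYSTEM_TAG_PREFIX = "aws:"   # system tags are ignored by the control
MAX_REQUIRED_KEYS = 6        # requiredTagKeys accepts at most 6 items


def evaluate_required_tags(tags, required_tag_keys=None):
    """Return ("PASSED" | "FAILED", missing_keys) for one function's tag map."""
    if required_tag_keys is not None and not 1 <= len(required_tag_keys) <= MAX_REQUIRED_KEYS:
        raise ValueError("requiredTagKeys must contain 1 to 6 tag keys")
    user_keys = {k for k in tags if not k.startswith(SYSTEM_TAG_PREFIX)}
    if not required_tag_keys:
        # No parameter: the control only requires that some non-system key exists.
        return ("PASSED" if user_keys else "FAILED"), []
    # Tag keys are case sensitive, so "owner" does not satisfy "Owner".
    missing = [k for k in required_tag_keys if k not in user_keys]
    return ("PASSED" if not missing else "FAILED"), missing


def evaluate_inventory(functions, required_tag_keys=None):
    """Evaluate {function_name: tag_map} and return only the failing functions."""
    findings = {}
    for name, tags in functions.items():
        status, missing = evaluate_required_tags(tags, required_tag_keys)
        if status == "FAILED":
            findings[name] = missing
    return findings


# Constructed sample inventory (not from the page).
FUNCTIONS = {
    "ingest": {"Owner": "data-platform", "Environment": "prod"},
    "report": {"owner": "finance", "aws:cloudformation:stack-name": "reporting"},
    "legacy": {"aws:cloudformation:stack-name": "old-stack"},
}

if __name__ == "__main__":
    print(evaluate_inventory(FUNCTIONS, ["Owner", "Environment"]))
    # {'report': ['Owner', 'Environment'], 'legacy': ['Owner', 'Environment']}
    print(evaluate_inventory(FUNCTIONS))
    # {'legacy': []}
```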

## [Lambda.7] Lambda functions should have Amazon X-Ray active tracing enabled


**Related requirements:** NIST.800-53.r5 CA-7

**Category:** Identify > Logging

**Severity:** Low

**Resource type:** `AWS::Lambda::Function`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/lambda-function-xray-enabled.html](https://docs.amazonaws.cn/config/latest/developerguide/lambda-function-xray-enabled.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether active tracing with Amazon X-Ray is enabled for an Amazon Lambda function. The control fails if active tracing with X-Ray is disabled for the Lambda function.

Amazon X-Ray can provide tracing and monitoring capabilities for Amazon Lambda functions, which can save time and effort debugging and operating Lambda functions. It can help you diagnose errors and identify performance bottlenecks, slowdowns, and timeouts by breaking down latency for Lambda functions. It can also help with data privacy and compliance requirements. If you enable active tracing for a Lambda function, X-Ray provides a holistic view of data flow and processing within the Lambda function, which can help you identify potential security vulnerabilities or non-compliant data handling practices. This visibility can help you maintain data integrity, confidentiality, and compliance with relevant regulations.

**Note**  
Amazon X-Ray tracing is currently not supported for Lambda functions with Amazon Managed Streaming for Apache Kafka (Amazon MSK), self-managed Apache Kafka, Amazon MQ with ActiveMQ and RabbitMQ, or Amazon DocumentDB event source mappings.

### Remediation


For information about enabling active tracing for an Amazon Lambda function, see [Visualize Lambda function invocations using Amazon X-Ray](https://docs.amazonaws.cn/lambda/latest/dg/services-xray.html) in the *Amazon Lambda Developer Guide*.

# Security Hub CSPM controls for Macie
Amazon Macie controls

These Amazon Security Hub CSPM controls evaluate the Amazon Macie service.

These controls may not be available in all Amazon Web Services Regions. For more information, see [Availability of controls by Region](securityhub-regions.md#securityhub-regions-control-support).

## [Macie.1] Amazon Macie should be enabled


**Related requirements:** NIST.800-53.r5 CA-7, NIST.800-53.r5 CA-9(1), NIST.800-53.r5 RA-5, NIST.800-53.r5 SA-8(19), NIST.800-53.r5 SI-4

**Category:** Detect > Detection services

**Severity:** Medium

**Resource type:** `AWS::::Account`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/macie-status-check.html](https://docs.amazonaws.cn/config/latest/developerguide/macie-status-check.html)

**Schedule type:** Periodic

This control checks whether Amazon Macie is enabled for an account. The control fails if Macie isn't enabled for the account.

Amazon Macie discovers sensitive data using machine learning and pattern matching, provides visibility into data security risks, and enables automated protection against those risks. Macie automatically and continually evaluates your Amazon Simple Storage Service (Amazon S3) buckets for security and access control, and generates findings to notify you of potential issues with the security or privacy of your Amazon S3 data. Macie also automates discovery and reporting of sensitive data, such as personally identifiable information (PII), to provide you with a better understanding of the data that you store in Amazon S3. To learn more, see the [Amazon Macie User Guide](https://docs.amazonaws.cn/macie/latest/user/what-is-macie.html).

### Remediation


To enable Macie, see [Enable Macie](https://docs.amazonaws.cn/macie/latest/user/getting-started.html#enable-macie) in the *Amazon Macie User Guide*.

## [Macie.2] Macie automated sensitive data discovery should be enabled


**Related requirements:** NIST.800-53.r5 CA-7, NIST.800-53.r5 CA-9(1), NIST.800-53.r5 RA-5, NIST.800-53.r5 SA-8(19), NIST.800-53.r5 SI-4

**Category:** Detect > Detection services

**Severity:** High

**Resource type:** `AWS::::Account`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/macie-auto-sensitive-data-discovery-check.html](https://docs.amazonaws.cn/config/latest/developerguide/macie-auto-sensitive-data-discovery-check.html)

**Schedule type:** Periodic

This control checks whether automated sensitive data discovery is enabled for an Amazon Macie administrator account. The control fails if automated sensitive data discovery isn't enabled for a Macie administrator account. This control applies only to administrator accounts.

Macie automates discovery and reporting of sensitive data, such as personally identifiable information (PII), in Amazon Simple Storage Service (Amazon S3) buckets. With automated sensitive data discovery, Macie continually evaluates your bucket inventory and uses sampling techniques to identify and select representative S3 objects from your buckets. Macie then analyzes the selected objects, inspecting them for sensitive data. As the analyses progress, Macie updates statistics, inventory data, and other information that it provides about your S3 data. Macie also generates findings to report sensitive data that it finds.

### Remediation


To create and configure automated sensitive data discovery jobs to analyze objects in S3 buckets, see [Configuring automated sensitive data discovery for your account](https://docs.amazonaws.cn/macie/latest/user/discovery-asdd-account-manage.html) in the *Amazon Macie User Guide*.

# Security Hub CSPM controls for Amazon MSK
Amazon MSK controls

These Amazon Security Hub CSPM controls evaluate the Amazon Managed Streaming for Apache Kafka (Amazon MSK) service and resources. The controls might not be available in all Amazon Web Services Regions. For more information, see [Availability of controls by Region](securityhub-regions.md#securityhub-regions-control-support).

## [MSK.1] MSK clusters should be encrypted in transit among broker nodes


**Related requirements:** NIST.800-53.r5 AC-4, NIST.800-53.r5 SC-13, NIST.800-53.r5 SC-23, NIST.800-53.r5 SC-23(3), NIST.800-53.r5 SC-7(4), NIST.800-53.r5 SC-8, NIST.800-53.r5 SC-8(1), NIST.800-53.r5 SC-8(2), PCI DSS v4.0.1/4.2.1

**Category:** Protect > Data Protection > Encryption of data-in-transit

**Severity:** Medium

**Resource type:** `AWS::MSK::Cluster`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/msk-in-cluster-node-require-tls.html](https://docs.amazonaws.cn/config/latest/developerguide/msk-in-cluster-node-require-tls.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether an Amazon MSK cluster is encrypted in transit with HTTPS (TLS) among the broker nodes of the cluster. The control fails if plain text communication is enabled for a cluster broker node connection.

HTTPS offers an extra layer of security as it uses TLS to move data and can be used to help prevent potential attackers from using person-in-the-middle or similar attacks to eavesdrop on or manipulate network traffic. By default, Amazon MSK encrypts data in transit with TLS. However, you can override this default at the time that you create the cluster. We recommend using encrypted connections over HTTPS (TLS) for broker node connections.

### Remediation


For information about updating the encryption settings for an Amazon MSK cluster, see [Updating security settings of a cluster](https://docs.amazonaws.cn/msk/latest/developerguide/msk-update-security.html) in the *Amazon Managed Streaming for Apache Kafka Developer Guide*.

## [MSK.2] MSK clusters should have enhanced monitoring configured


**Related requirements:** NIST.800-53.r5 CA-7, NIST.800-53.r5 SI-2

**Category:** Detect > Detection services

**Severity:** Low

**Resource type:** `AWS::MSK::Cluster`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/msk-enhanced-monitoring-enabled.html](https://docs.amazonaws.cn/config/latest/developerguide/msk-enhanced-monitoring-enabled.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether an Amazon MSK cluster has enhanced monitoring configured, specified by a monitoring level of at least `PER_TOPIC_PER_BROKER`. The control fails if the monitoring level for the cluster is set to `DEFAULT` or `PER_BROKER`.

The `PER_TOPIC_PER_BROKER` monitoring level provides more granular insights into the performance of your MSK cluster, and also provides metrics related to resource utilization, such as CPU and memory usage. This helps you identify performance bottlenecks and resource utilization patterns for individual topics and brokers. This visibility, in turn, helps you optimize the performance of your Kafka brokers and notice unexpected changes in per-topic throughput.

### Remediation


To configure enhanced monitoring for an MSK cluster, complete the following steps:

1. Open the Amazon MSK console at [https://console.amazonaws.cn/msk/home?region=us-east-1#/home/](https://console.amazonaws.cn/msk/home?region=us-east-1#/home/).

1. In the navigation pane, choose **Clusters**. Then, choose a cluster.

1. For **Action**, select **Edit monitoring**.

1. Select the option for **Enhanced topic-level monitoring**.

1. Choose **Save changes**.

For more information about monitoring levels, see [Amazon MSK metrics for monitoring Standard brokers with CloudWatch](https://docs.amazonaws.cn/msk/latest/developerguide/metrics-details.html) in the *Amazon Managed Streaming for Apache Kafka Developer Guide*.

## [MSK.3] MSK Connect connectors should be encrypted in transit


**Related requirements:** PCI DSS v4.0.1/4.2.1

**Category:** Protect > Data Protection > Encryption of data-in-transit

**Severity:** Medium

**Resource type:** `AWS::KafkaConnect::Connector`

**Amazon Config rule:** `msk-connect-connector-encrypted` (custom Security Hub CSPM rule)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether an Amazon MSK Connect connector is encrypted in transit. This control fails if the connector isn't encrypted in transit.

Data in transit refers to data that moves from one location to another, such as between nodes in your cluster or between your cluster and your application. Data may move across the internet or within a private network. Encrypting data in transit reduces the risk that an unauthorized user can eavesdrop on network traffic.

### Remediation


You can enable encryption in transit when you create an MSK Connect connector. You can't change encryption settings after creating a connector. For more information, see [Create a connector](https://docs.amazonaws.cn/msk/latest/developerguide/mkc-create-connector-intro.html) in the *Amazon Managed Streaming for Apache Kafka Developer Guide*.

## [MSK.4] MSK clusters should have public access disabled


**Category:** Protect > Secure access management > Resource not publicly accessible

**Severity:** Critical

**Resource type:** `AWS::MSK::Cluster`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/msk-cluster-public-access-disabled.html](https://docs.amazonaws.cn/config/latest/developerguide/msk-cluster-public-access-disabled.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether public access is disabled for an Amazon MSK cluster. The control fails if public access is enabled for the MSK cluster.

By default, clients can access an Amazon MSK cluster only if they're in the same VPC as the cluster. All communication between Kafka clients and an MSK cluster is private by default, and streaming data doesn't traverse the internet. However, if an MSK cluster is configured to allow public access, anyone on the internet can reach the Apache Kafka brokers that are running within the cluster. This can lead to issues such as unauthorized access, data breaches, or exploitation of vulnerabilities. Amazon MSK lets you turn on public access only for clusters that require client authentication and have unauthenticated access turned off, so a publicly reachable cluster is protected solely by the strength of its authentication, authorization, and TLS configuration. If you restrict access to a cluster by requiring authentication and authorization measures, you can help protect sensitive information and maintain the integrity of your resources.

### Remediation


For information about managing public access to an Amazon MSK cluster, see [Turn on public access to an MSK Provisioned cluster](https://docs.amazonaws.cn/msk/latest/developerguide/public-access.html) in the *Amazon Managed Streaming for Apache Kafka Developer Guide*.

## [MSK.5] MSK connectors should have logging enabled


**Category:** Identify > Logging

**Severity:** Medium

**Resource type:** `AWS::KafkaConnect::Connector`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/msk-connect-connector-logging-enabled.html](https://docs.amazonaws.cn/config/latest/developerguide/msk-connect-connector-logging-enabled.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether logging is enabled for an Amazon MSK connector. The control fails if logging is disabled for the MSK connector.

Amazon MSK connectors integrate external systems and Amazon services with Apache Kafka by continuously copying streaming data from a data source into an Apache Kafka cluster, or continuously copying data from a cluster into a data sink. MSK Connect can write log events that can help debug a connector. When you create a connector, you can specify zero or more of the following log destinations: Amazon CloudWatch Logs, Amazon S3, and Amazon Data Firehose.

**Note**  
Sensitive configuration values can appear in connector logs if a plugin does not define those values as secret. Kafka Connect treats undefined configuration values the same as any other plaintext value.

### Remediation


To enable logging for an existing Amazon MSK connector, you have to re-create the connector with the appropriate logging configuration. For information about configuration options, see [Logging for MSK Connect](https://docs.amazonaws.cn/msk/latest/developerguide/msk-connect-logging.html) in the *Amazon Managed Streaming for Apache Kafka Developer Guide*.

## [MSK.6] MSK clusters should disable unauthenticated access


**Category:** Protect > Secure access management > Passwordless authentication

**Severity:** Medium

**Resource type:** `AWS::MSK::Cluster`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/msk-unrestricted-access-check.html](https://docs.amazonaws.cn/config/latest/developerguide/msk-unrestricted-access-check.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether unauthenticated access is enabled for an Amazon MSK cluster. The control fails if unauthenticated access is enabled for the MSK cluster.

Amazon MSK supports client authentication and authorization mechanisms to control access to a cluster. These mechanisms verify the identity of clients connecting to the cluster and determine which actions clients can perform. An MSK cluster can be configured to allow unauthenticated access, which allows any client with network connectivity to publish and subscribe to Kafka topics without providing credentials. Running an MSK cluster without requiring authentication violates the principle of least privilege and can expose the cluster to unauthorized access. It can allow any client to access, modify, or delete data in Kafka topics, potentially resulting in data breaches, unauthorized data modifications, or service disruptions. We recommend enabling authentication mechanisms such as IAM authentication, SASL/SCRAM, or mutual TLS to ensure proper access control and maintain security compliance.

### Remediation


For information about changing the authentication settings for an Amazon MSK cluster, see the following sections of the *Amazon Managed Streaming for Apache Kafka Developer Guide*: [Update security settings of an Amazon MSK cluster](https://docs.amazonaws.cn/msk/latest/developerguide/msk-update-security.html) and [Authentication and authorization for Apache Kafka APIs](https://docs.amazonaws.cn/msk/latest/developerguide/kafka_apis_iam.html). Before you turn off unauthenticated access, enable at least one of IAM, SASL/SCRAM, or mutual TLS and migrate every producer and consumer to it, because any client that still connects without credentials loses access as soon as the update is applied.
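The four cluster controls above (MSK.1, MSK.2, MSK.4 and MSK.6) and the two connector controls (MSK.3 and MSK.5) each reduce to a handful of fields in the `describe-cluster` and `describe-connector` API responses. The following Python is an added example, not Security Hub CSPM or Amazon MSK code: it evaluates those fields the way the controls do, so you can reproduce a finding from a saved API response (for example in a deployment gate or while building an incident timeline) without waiting for an Amazon Config evaluation. The sample clusters and connectors, their names, and the `_status` and `failed_controls` helpers are constructed for the example; the field names are those of the Amazon MSK and MSK Connect APIs.

```python
"""Evaluate Amazon MSK clusters and MSK Connect connectors the way controls MSK.1,
MSK.2, MSK.4 and MSK.6 (clusters) and MSK.3 and MSK.5 (connectors) do.
Added example; not Security Hub CSPM or Amazon MSK code. Inputs have the shape of
the ClusterInfo object from `aws kafka describe-cluster` and of the output of
`aws kafkaconnect describe-connector`. All sample resources are constructed.
"""

# Monitoring levels that satisfy MSK.2 (PER_TOPIC_PER_BROKER or finer).
PASSING_MONITORING = {"PER_TOPIC_PER_BROKER", "PER_TOPIC_PER_PARTITION"}
CONNECTOR_LOG_DESTINATIONS = ("cloudWatchLogs", "firehose", "s3")


def _status(passed: bool) -> str:
    return "PASSED" if passed else "FAILED"


def evaluate_msk_cluster(cluster_info: dict) -> dict:
    """Return {control_id: "PASSED" | "FAILED"} for one provisioned MSK cluster."""
    transit = cluster_info.get("EncryptionInfo", {}).get("EncryptionInTransit", {})
    # MSK.1: broker-to-broker traffic is TLS only when InCluster is true.
    in_cluster_tls = transit.get("InCluster") is True
    # MSK.2: enhanced monitoring must be PER_TOPIC_PER_BROKER or finer.
    monitoring_ok = cluster_info.get("EnhancedMonitoring", "DEFAULT") in PASSING_MONITORING
    # MSK.4: public access type must be DISABLED. A cluster that was never opened
    # up may carry no PublicAccess block at all; that is treated as disabled.
    public_type = (
        cluster_info.get("BrokerNodeGroupInfo", {})
        .get("ConnectivityInfo", {})
        .get("PublicAccess", {})
        .get("Type", "DISABLED")
    )
    # MSK.6: unauthenticated access must be off. If the flag is missing from the
    # input, fail closed rather than assume it is off.
    unauthenticated = (
        cluster_info.get("ClientAuthentication", {})
        .get("Unauthenticated", {})
        .get("Enabled", True)
    )
    return {
        "MSK.1": _status(in_cluster_tls),
        "MSK.2": _status(monitoring_ok),
        "MSK.4": _status(public_type == "DISABLED"),
        "MSK.6": _status(unauthenticated is False),
    }


def evaluate_msk_connector(connector: dict) -> dict:
    """Return {control_id: "PASSED" | "FAILED"} for one MSK Connect connector."""
    # MSK.3: connector-to-cluster traffic must be TLS, not PLAINTEXT.
    encryption_type = connector.get("kafkaClusterEncryptionInTransit", {}).get(
        "encryptionType", "PLAINTEXT"
    )
    # MSK.5: at least one worker log destination must be enabled.
    worker_logs = connector.get("logDelivery", {}).get("workerLogDelivery", {})
    logging_on = any(
        worker_logs.get(dest, {}).get("enabled") is True
        for dest in CONNECTOR_LOG_DESTINATIONS
    )
    return {"MSK.3": _status(encryption_type == "TLS"), "MSK.5": _status(logging_on)}


def failed_controls(results: dict) -> list:
    """Sorted control IDs whose status is FAILED, for triage output."""
    return sorted(cid for cid, status in results.items() if status == "FAILED")


# Constructed samples: names are invented and do not refer to real resources.
CLUSTER_HARDENED = {
    "ClusterName": "orders-prod",
    "EnhancedMonitoring": "PER_TOPIC_PER_BROKER",
    "EncryptionInfo": {"EncryptionInTransit": {"ClientBroker": "TLS", "InCluster": True}},
    "BrokerNodeGroupInfo": {"ConnectivityInfo": {"PublicAccess": {"Type": "DISABLED"}}},
    "ClientAuthentication": {"Sasl": {"Iam": {"Enabled": True}}, "Unauthenticated": {"Enabled": False}},
}
# Public, plaintext between brokers, coarse monitoring. SCRAM is on because MSK
# only allows public access on clusters that require authentication.
CLUSTER_EXPOSED = {
    "ClusterName": "orders-dev",
    "EnhancedMonitoring": "PER_BROKER",
    "EncryptionInfo": {"EncryptionInTransit": {"ClientBroker": "TLS", "InCluster": False}},
    "BrokerNodeGroupInfo": {"ConnectivityInfo": {"PublicAccess": {"Type": "SERVICE_PROVIDED_EIPS"}}},
    "ClientAuthentication": {"Sasl": {"Scram": {"Enabled": True}}, "Unauthenticated": {"Enabled": False}},
}
CONNECTOR_HARDENED = {
    "connectorName": "orders-to-s3",
    "kafkaClusterEncryptionInTransit": {"encryptionType": "TLS"},
    "logDelivery": {"workerLogDelivery": {"cloudWatchLogs": {"enabled": True, "logGroup": "/msk/connect"}}},
}
CONNECTOR_EXPOSED = {
    "connectorName": "orders-to-s3-test",
    "kafkaClusterEncryptionInTransit": {"encryptionType": "PLAINTEXT"},
    "logDelivery": {"workerLogDelivery": {"s3": {"enabled": False}}},
}

if __name__ == "__main__":
    for name, results in (("orders-prod", evaluate_msk_cluster(CLUSTER_HARDENED)),
                          ("orders-dev", evaluate_msk_cluster(CLUSTER_EXPOSED)),
                          ("orders-to-s3-test", evaluate_msk_connector(CONNECTOR_EXPOSED))):
        print(name, "failed:", failed_controls(results) or "none")
```

To run this against real resources, feed it the output of `aws kafka describe-cluster --cluster-arn <arn> --query ClusterInfo` and `aws kafkaconnect describe-connector --connector-arn <arn>`. MSK.4 and MSK.6 interact: because public access can only be turned on when unauthenticated access is off, a cluster that fails MSK.4 will usually pass MSK.6, and the question to ask about it is which authentication method it actually enforces and whether every principal allowed by that method should be reachable from the internet.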

# Security Hub CSPM controls for Amazon MQ
Amazon MQ controls

These Amazon Security Hub CSPM controls evaluate the Amazon MQ service and resources. The controls might not be available in all Amazon Web Services Regions. For more information, see [Availability of controls by Region](securityhub-regions.md#securityhub-regions-control-support).

## [MQ.2] ActiveMQ brokers should stream audit logs to CloudWatch


**Related requirements:** NIST.800-53.r5 AU-2, NIST.800-53.r5 AU-3, NIST.800-53.r5 AU-12, NIST.800-53.r5 SI-4, PCI DSS v4.0.1/10.3.3

**Category:** Identify > Logging

**Severity:** Medium

**Resource type:** `AWS::AmazonMQ::Broker`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/mq-cloudwatch-audit-log-enabled.html](https://docs.amazonaws.cn/config/latest/developerguide/mq-cloudwatch-audit-log-enabled.html) 

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether an Amazon MQ ActiveMQ broker streams audit logs to Amazon CloudWatch Logs. The control fails if the broker doesn't stream audit logs to CloudWatch Logs.

By publishing ActiveMQ broker logs to CloudWatch Logs, you can create CloudWatch alarms and metrics that increase the visibility of security-related information.

### Remediation


To stream ActiveMQ broker logs to CloudWatch Logs, see [Configuring Amazon MQ for ActiveMQ logs](https://docs.amazonaws.cn/amazon-mq/latest/developer-guide/configure-logging-monitoring-activemq.html) in the *Amazon MQ Developer Guide*.

## [MQ.3] Amazon MQ brokers should have automatic minor version upgrade enabled


**Important**  
Security Hub CSPM retired this control in January 2026. For more information, see [Change log for Security Hub CSPM controls](controls-change-log.md).

**Related requirements:** NIST.800-53.r5 CM-3, NIST.800-53.r5 SI-2, PCI DSS v4.0.1/6.3.3

**Category:** Identify > Vulnerability, patch, and version management

**Severity:** Medium

**Resource type:** `AWS::AmazonMQ::Broker`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/mq-auto-minor-version-upgrade-enabled.html](https://docs.amazonaws.cn/config/latest/developerguide/mq-auto-minor-version-upgrade-enabled.html) 

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether an Amazon MQ broker has automatic minor version upgrade enabled. The control fails if the broker doesn't have automatic minor version upgrade enabled.

As Amazon MQ releases and supports new broker engine versions, the changes are backward-compatible with an existing application and don't deprecate existing functionality. Automatic broker engine version updates protect you against security risks, help fix bugs, and improve functionality.

**Note**  
When the broker associated with automatic minor version upgrade is on its latest patch and becomes unsupported, you must take manual action to upgrade.

### Remediation


To enable automatic minor version upgrade for an MQ broker, see [Automatically upgrading the minor engine version](https://docs.amazonaws.cn/amazon-mq/latest/developer-guide/upgrading-brokers.html#upgrading-brokers-automatic-upgrades.html) in the *Amazon MQ Developer Guide*.

## [MQ.4] Amazon MQ brokers should be tagged


**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `AWS::AmazonMQ::Broker`

**Amazon Config rule:** `tagged-amazonmq-broker` (custom Security Hub CSPM rule)

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  requiredTagKeys  | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive.  | StringList (maximum of 6 items)  | 1–6 tag keys that meet [Amazon requirements](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-conventions).  |  No default value  | 

This control checks whether an Amazon MQ broker has tags with the specific keys defined in the parameter `requiredTagKeys`. The control fails if the broker doesn’t have any tag keys or if it doesn’t have all the keys specified in the parameter `requiredTagKeys`. If the parameter `requiredTagKeys` isn't provided, the control only checks for the existence of a tag key and fails if the broker isn't tagged with any key. System tags, which are automatically applied and begin with `aws:`, are ignored.

A tag is a label that you assign to an Amazon resource, and it consists of a key and an optional value. You can create tags to categorize resources by purpose, owner, environment, or other criteria. Tags can help you identify, organize, search for, and filter resources. Tagging also helps you track accountable resource owners for actions and notifications. When you use tagging, you can implement attribute-based access control (ABAC) as an authorization strategy, which defines permissions based on tags. You can attach tags to IAM entities (users or roles) and to Amazon resources. You can create a single ABAC policy or a separate set of policies for your IAM principals. You can design these ABAC policies to allow operations when the principal's tag matches the resource tag. For more information, see [What is ABAC for Amazon?](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*.

**Note**  
Don’t add personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible to many Amazon Web Services services, including Amazon Billing. For more tagging best practices, see [Tagging your Amazon resources](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-best-practices) in the *Amazon Web Services General Reference*.

### Remediation


To add tags to an Amazon MQ broker, see [Tagging resources](https://docs.amazonaws.cn/amazon-mq/latest/developer-guide/amazon-mq-tagging.html) in the *Amazon MQ Developer Guide*.

## [MQ.5] ActiveMQ brokers should use active/standby deployment mode


**Related requirements:** NIST.800-53.r5 CP-10, NIST.800-53.r5 CP-6(2), NIST.800-53.r5 SC-36, NIST.800-53.r5 SC-5(2), NIST.800-53.r5 SI-13(5)

**Category:** Recover > Resilience > High availability

**Severity:** Low

**Resource type:** `AWS::AmazonMQ::Broker`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/mq-active-deployment-mode.html](https://docs.amazonaws.cn/config/latest/developerguide/mq-active-deployment-mode.html) 

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether the deployment mode for an Amazon MQ ActiveMQ broker is set to active/standby. The control fails if the broker uses the single-instance deployment mode, which is the default.

Active/standby deployment provides high availability for your Amazon MQ ActiveMQ brokers in an Amazon Web Services Region. The active/standby deployment mode includes two broker instances in two different Availability Zones, configured in a redundant pair. Only one instance serves client connections at a time; if it fails or is taken down for maintenance, Amazon MQ fails over to the standby instance, which reduces downtime and loss of data. Clients must be configured with both broker endpoints (for example, through the ActiveMQ failover transport) so that they reconnect automatically after a failover.

### Remediation


To create a new ActiveMQ broker with active/standby deployment mode, see [Creating and configuring an ActiveMQ broker](https://docs.amazonaws.cn/amazon-mq/latest/developer-guide/amazon-mq-creating-configuring-broker.html) in the *Amazon MQ Developer Guide*. For **Deployment mode**, choose **Active/standby broker**. You can't change the deployment mode for an existing broker. Instead, you must create a new broker and copy the settings over from the old broker.

## [MQ.6] RabbitMQ brokers should use cluster deployment mode


**Related requirements:** NIST.800-53.r5 CP-10, NIST.800-53.r5 CP-6(2), NIST.800-53.r5 SC-36, NIST.800-53.r5 SC-5(2), NIST.800-53.r5 SI-13(5)

**Category:** Recover > Resilience > High availability

**Severity:** Low

**Resource type:** `AWS::AmazonMQ::Broker`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/mq-rabbit-deployment-mode.html](https://docs.amazonaws.cn/config/latest/developerguide/mq-rabbit-deployment-mode.html) 

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether the deployment mode for an Amazon MQ RabbitMQ broker is set to cluster deployment. The control fails if the broker uses the single-instance deployment mode, which is the default.

Cluster deployment provides high availability for your Amazon MQ RabbitMQ brokers in an Amazon Web Services Region. The cluster deployment is a logical grouping of three RabbitMQ broker nodes, each with its own Amazon Elastic Block Store (Amazon EBS) volume and a shared state. The cluster deployment ensures that data is replicated to all nodes in the cluster, which can reduce downtime and loss of data in the event of a failure.

### Remediation


To create a new RabbitMQ broker with cluster deployment mode, see [Creating and connecting to a RabbitMQ broker](https://docs.amazonaws.cn/amazon-mq/latest/developer-guide/getting-started-rabbitmq.html) in the *Amazon MQ Developer Guide*. For **Deployment mode**, choose **Cluster deployment**. You can't change the deployment mode for an existing broker. Instead, you must create a new broker and copy the settings over from the old broker.
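MQ.2, MQ.4, MQ.5 and MQ.6 all read from the same broker description, and the only non-trivial logic among them is the `requiredTagKeys` handling of MQ.4 (system tags beginning with `aws:` are ignored, keys are case sensitive, and without the parameter any non-system key satisfies the control). The following Python is an added example, not Amazon MQ or Security Hub CSPM code, that evaluates those four controls together from a dictionary shaped like `aws mq describe-broker` output. The sample brokers, their names and tags, and the `_status` helper are constructed for the example; the field names (`EngineType`, `DeploymentMode`, `Logs.Audit`, `Tags`) are those of the Amazon MQ API.

```python
"""Evaluate an Amazon MQ broker against controls MQ.2, MQ.4, MQ.5 and MQ.6,
including the requiredTagKeys parameter logic of MQ.4. Added example; not
Security Hub CSPM or Amazon MQ code. Input has the shape of
`aws mq describe-broker` output; the sample brokers are constructed.
"""

# Deployment mode each engine must use to pass MQ.5 (ActiveMQ) or MQ.6 (RabbitMQ).
REQUIRED_DEPLOYMENT_MODE = {
    "ACTIVEMQ": "ACTIVE_STANDBY_MULTI_AZ",
    "RABBITMQ": "CLUSTER_MULTI_AZ",
}
MAX_REQUIRED_TAG_KEYS = 6  # the parameter accepts 1 to 6 keys


def _status(passed: bool) -> str:
    return "PASSED" if passed else "FAILED"


def missing_tag_keys(tags, required_tag_keys=None) -> list:
    """MQ.4 logic. System tags (aws:*) are ignored and keys are case sensitive.
    Without requiredTagKeys the broker only needs some non-system tag key; the
    placeholder "<any>" is returned when it has none."""
    if required_tag_keys is not None and not 1 <= len(required_tag_keys) <= MAX_REQUIRED_TAG_KEYS:
        raise ValueError("requiredTagKeys must contain between 1 and 6 keys")
    user_keys = {key for key in (tags or {}) if not key.startswith("aws:")}
    if not required_tag_keys:
        return [] if user_keys else ["<any>"]
    return [key for key in required_tag_keys if key not in user_keys]


def evaluate_mq_broker(broker: dict, required_tag_keys=None) -> dict:
    """Return {control_id: "PASSED" | "FAILED"} for one broker. MQ.2 applies to
    ActiveMQ only, and the deployment-mode control depends on the engine."""
    engine = broker.get("EngineType", "").upper()
    results = {}
    if engine == "ACTIVEMQ":
        # MQ.2: Logs.Audit true means audit logs are streamed to CloudWatch Logs.
        results["MQ.2"] = _status(broker.get("Logs", {}).get("Audit") is True)
    results["MQ.4"] = _status(not missing_tag_keys(broker.get("Tags"), required_tag_keys))
    if engine in REQUIRED_DEPLOYMENT_MODE:
        control_id = "MQ.5" if engine == "ACTIVEMQ" else "MQ.6"
        results[control_id] = _status(
            broker.get("DeploymentMode") == REQUIRED_DEPLOYMENT_MODE[engine]
        )
    return results


# Constructed sample brokers; names and tag values are invented for the example.
ACTIVEMQ_SINGLE = {
    "BrokerName": "billing-activemq",
    "EngineType": "ACTIVEMQ",
    "DeploymentMode": "SINGLE_INSTANCE",
    "Logs": {"Audit": False, "General": True},
    "Tags": {"aws:cloudformation:stack-name": "billing", "Owner": "payments"},
}
ACTIVEMQ_HA = {
    "BrokerName": "billing-activemq-ha",
    "EngineType": "ACTIVEMQ",
    "DeploymentMode": "ACTIVE_STANDBY_MULTI_AZ",
    "Logs": {"Audit": True, "General": True},
    "Tags": {"Owner": "payments", "Environment": "prod"},
}
RABBITMQ_CLUSTER = {
    "BrokerName": "events-rabbitmq",
    "EngineType": "RABBITMQ",
    "DeploymentMode": "CLUSTER_MULTI_AZ",
    "Logs": {"General": True},
    "Tags": {},
}

if __name__ == "__main__":
    required = ["Owner", "Environment"]
    for broker in (ACTIVEMQ_SINGLE, ACTIVEMQ_HA, RABBITMQ_CLUSTER):
        print(broker["BrokerName"], evaluate_mq_broker(broker, required),
              "missing tags:", missing_tag_keys(broker["Tags"], required))
```

The tag check is kept as its own function so that the same `requiredTagKeys` semantics can be reused for the other tagging controls on this page, which all share the one-to-six-keys, `aws:`-excluded, case-sensitive rule.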

# Security Hub CSPM controls for Neptune
Amazon Neptune controls

These Amazon Security Hub CSPM controls evaluate the Amazon Neptune service and resources.

These controls may not be available in all Amazon Web Services Regions. For more information, see [Availability of controls by Region](securityhub-regions.md#securityhub-regions-control-support).

## [Neptune.1] Neptune DB clusters should be encrypted at rest


**Related requirements:** NIST.800-53.r5 CA-9(1), NIST.800-53.r5 CM-3(6), NIST.800-53.r5 SC-13, NIST.800-53.r5 SC-28, NIST.800-53.r5 SC-28(1), NIST.800-53.r5 SC-7(10), NIST.800-53.r5 SI-7(6)

**Category:** Protect > Data Protection > Encryption of data-at-rest

**Severity:** Medium

**Resource type:** `AWS::RDS::DBCluster`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/neptune-cluster-encrypted.html](https://docs.amazonaws.cn/config/latest/developerguide/neptune-cluster-encrypted.html) 

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether a Neptune DB cluster is encrypted at rest. The control fails if a Neptune DB cluster isn't encrypted at rest.

Data at rest refers to any data that's stored in persistent, non-volatile storage for any duration. Encryption helps you protect the confidentiality of such data, reducing the risk that an unauthorized user can access it. Encrypting your Neptune DB clusters protects your data and metadata against unauthorized access. It also fulfills compliance requirements for data-at-rest encryption of production databases.

### Remediation


You can enable encryption at rest when you create a Neptune DB cluster. You can't change encryption settings after creating a cluster. For more information, see [Encrypting Neptune resources at rest](https://docs.amazonaws.cn/neptune/latest/userguide/encrypt.html) in the *Neptune User Guide*.

## [Neptune.2] Neptune DB clusters should publish audit logs to CloudWatch Logs


**Related requirements:** NIST.800-53.r5 AC-2(4), NIST.800-53.r5 AC-4(26), NIST.800-53.r5 AC-6(9), NIST.800-53.r5 AU-10, NIST.800-53.r5 AU-12, NIST.800-53.r5 AU-2, NIST.800-53.r5 AU-3, NIST.800-53.r5 AU-6(1), NIST.800-53.r5 AU-6(3), NIST.800-53.r5 AU-6(4), NIST.800-53.r5 AU-6(5), NIST.800-53.r5 AU-7(1), NIST.800-53.r5 AU-9(7), NIST.800-53.r5 CA-7, NIST.800-53.r5 SC-7(9), NIST.800-53.r5 SI-20, NIST.800-53.r5 SI-3(8), NIST.800-53.r5 SI-4(20), NIST.800-53.r5 SI-4(5), NIST.800-53.r5 SI-7(8), PCI DSS v4.0.1/10.3.3

**Category:** Identify > Logging

**Severity:** Medium

**Resource type:** `AWS::RDS::DBCluster`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/neptune-cluster-cloudwatch-log-export-enabled.html](https://docs.amazonaws.cn/config/latest/developerguide/neptune-cluster-cloudwatch-log-export-enabled.html) 

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether a Neptune DB cluster publishes audit logs to Amazon CloudWatch Logs. The control fails if a Neptune DB cluster doesn't publish audit logs to CloudWatch Logs. The cluster's `EnableCloudwatchLogsExports` setting should include `audit`; in `describe-db-clusters` output this appears as `audit` in the `EnabledCloudwatchLogsExports` list.

Amazon Neptune and Amazon CloudWatch are integrated so that you can gather and analyze performance metrics. Neptune automatically sends metrics to CloudWatch and also supports CloudWatch Alarms. Audit logs are highly customizable. When you audit a database, each operation on the data can be monitored and logged to an audit trail, including information about which database cluster is accessed and how. We recommend sending these logs to CloudWatch to help you monitor your Neptune DB clusters.

### Remediation


To publish Neptune audit logs to CloudWatch Logs, see [Publishing Neptune logs to Amazon CloudWatch Logs](https://docs.amazonaws.cn/neptune/latest/userguide/cloudwatch-logs.html) in the *Neptune User Guide*. In the **Log exports** section, choose **Audit**. Publishing is separate from generating the log: audit logging must also be turned on by setting the `neptune_enable_audit_log` DB cluster parameter to `1`, otherwise the export has nothing to send.

## [Neptune.3] Neptune DB cluster snapshots should not be public


**Related requirements:** NIST.800-53.r5 AC-21, NIST.800-53.r5 AC-3, NIST.800-53.r5 AC-3(7), NIST.800-53.r5 AC-4, NIST.800-53.r5 AC-4(21), NIST.800-53.r5 AC-6, NIST.800-53.r5 SC-7, NIST.800-53.r5 SC-7(11), NIST.800-53.r5 SC-7(16), NIST.800-53.r5 SC-7(20), NIST.800-53.r5 SC-7(21), NIST.800-53.r5 SC-7(3), NIST.800-53.r5 SC-7(4), NIST.800-53.r5 SC-7(9), PCI DSS v4.0.1/1.4.4

**Category:** Protect > Secure network configuration > Resources not publicly accessible

**Severity:** Critical

**Resource type:** `AWS::RDS::DBClusterSnapshot`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/neptune-cluster-snapshot-public-prohibited.html](https://docs.amazonaws.cn/config/latest/developerguide/neptune-cluster-snapshot-public-prohibited.html) 

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether a Neptune manual DB cluster snapshot is public. The control fails if a Neptune manual DB cluster snapshot is public.

A Neptune DB cluster manual snapshot should not be public unless intended. If you share an unencrypted manual snapshot as public, the snapshot is available to all Amazon Web Services accounts. Public snapshots may result in unintended data exposure.

### Remediation


To remove public access for Neptune manual DB cluster snapshots, see [Sharing a DB cluster snapshot](https://docs.amazonaws.cn/neptune/latest/userguide/backup-restore-share-snapshot.html) in the *Neptune User Guide*.

## [Neptune.4] Neptune DB clusters should have deletion protection enabled


**Related requirements:** NIST.800-53.r5 CA-9(1), NIST.800-53.r5 CM-2, NIST.800-53.r5 CM-2(2), NIST.800-53.r5 CM-3, NIST.800-53.r5 SC-5(2)

**Category:** Protect > Data protection > Data deletion protection

**Severity:** Low

**Resource type:** `AWS::RDS::DBCluster`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/neptune-cluster-deletion-protection-enabled.html](https://docs.amazonaws.cn/config/latest/developerguide/neptune-cluster-deletion-protection-enabled.html) 

**Schedule type:** Change triggered

**Parameters:** None

This control checks if a Neptune DB cluster has deletion protection enabled. The control fails if a Neptune DB cluster doesn't have deletion protection enabled.

Enabling cluster deletion protection offers an additional layer of protection against accidental database deletion or deletion by an unauthorized user. A Neptune DB cluster can't be deleted while deletion protection is enabled. You must first disable deletion protection before a delete request can succeed.

### Remediation


To enable deletion protection for an existing Neptune DB cluster, see [Modifying the DB cluster by using the console, CLI, and API](https://docs.amazonaws.cn/AmazonRDS/latest/AuroraUserGuide/Aurora.Modifying.html#Aurora.Modifying.Settings) in the *Amazon Aurora User Guide*.

## [Neptune.5] Neptune DB clusters should have automated backups enabled


**Related requirements:** NIST.800-53.r5 SI-12

**Category:** Recover > Resilience > Backups enabled

**Severity:** Medium

**Resource type:** `AWS::RDS::DBCluster`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/neptune-cluster-backup-retention-check.html](https://docs.amazonaws.cn/config/latest/developerguide/neptune-cluster-backup-retention-check.html) 

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  `minimumBackupRetentionPeriod`  |  Minimum backup retention period in days  |  Integer  |  `7` to `35`  |  `7`  | 

This control checks whether a Neptune DB cluster has automated backups enabled, and a backup retention period greater than or equal to the specified time frame. The control fails if backups aren't enabled for the Neptune DB cluster, or if the retention period is less than the specified time frame. Unless you provide a custom parameter value for the backup retention period, Security Hub CSPM uses a default value of 7 days.

Backups help you recover more quickly from a security incident and strengthen the resilience of your systems. By automating backups for your Neptune DB clusters, you'll be able to restore your systems to a point in time and minimize downtime and data loss. 

### Remediation


To enable automated backups and set a backup retention period for your Neptune DB clusters, see [Enabling automated backups](https://docs.amazonaws.cn/AmazonRDS/latest/UserGuide/USER_WorkingWithAutomatedBackups.html#USER_WorkingWithAutomatedBackups.Enabling) in the *Amazon RDS User Guide*. For **Backup retention period**, choose a value greater than or equal to the `minimumBackupRetentionPeriod` parameter value (7 days unless you customized it).

## [Neptune.6] Neptune DB cluster snapshots should be encrypted at rest


**Related requirements:** NIST.800-53.r5 CA-9(1), NIST.800-53.r5 CM-3(6), NIST.800-53.r5 SC-13, NIST.800-53.r5 SC-28, NIST.800-53.r5 SC-28(1), NIST.800-53.r5 SC-7(10), NIST.800-53.r5 SC-7(18)

**Category:** Protect > Data Protection > Encryption of data-at-rest

**Severity:** Medium

**Resource type:** `AWS::RDS::DBClusterSnapshot`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/neptune-cluster-snapshot-encrypted.html](https://docs.amazonaws.cn/config/latest/developerguide/neptune-cluster-snapshot-encrypted.html) 

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether a Neptune DB cluster snapshot is encrypted at rest. The control fails if a Neptune DB cluster snapshot isn't encrypted at rest.

Data at rest refers to any data that's stored in persistent, non-volatile storage for any duration. Encryption helps you protect the confidentiality of such data, reducing the risk that an unauthorized user gets access to it. Data in Neptune DB cluster snapshots should be encrypted at rest for an added layer of security. A snapshot taken from an encrypted cluster is encrypted with the same KMS key as the cluster, so failures of this control usually trace back to an unencrypted source cluster (see Neptune.1).

### Remediation


You can't encrypt an existing Neptune DB cluster snapshot. Instead, you must restore the snapshot to a new DB cluster and enable encryption on the cluster. You can create an encrypted snapshot from the encrypted cluster. For instructions, see [Restoring from a DB cluster snapshot](https://docs.amazonaws.cn/neptune/latest/userguide/backup-restore-restore-snapshot.html) and [Creating a DB cluster snapshot in Neptune](https://docs.amazonaws.cn/neptune/latest/userguide/backup-restore-create-snapshot.html) in the *Neptune User Guide*.

## [Neptune.7] Neptune DB clusters should have IAM database authentication enabled


**Related requirements:** NIST.800-53.r5 AC-2(1), NIST.800-53.r5 AC-3, NIST.800-53.r5 AC-3(15), NIST.800-53.r5 AC-3(7), NIST.800-53.r5 AC-6

**Category:** Protect > Secure access management > Passwordless authentication

**Severity:** Medium

**Resource type:** `AWS::RDS::DBCluster`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/neptune-cluster-iam-database-authentication.html](https://docs.amazonaws.cn/config/latest/developerguide/neptune-cluster-iam-database-authentication.html) 

**Schedule type:** Change triggered

**Parameters:** None

This control checks if a Neptune DB cluster has IAM database authentication enabled. The control fails if IAM database authentication isn't enabled for a Neptune DB cluster.

IAM database authentication for Amazon Neptune database clusters removes the need to store user credentials within the database configuration because authentication is managed externally using IAM. When IAM database authentication is enabled, each request needs to be signed using Amazon Signature Version 4. 

### Remediation


By default, IAM database authentication is disabled when you create a Neptune DB cluster. To enable it, see [Enabling IAM database authentication in Neptune](https://docs.amazonaws.cn/neptune/latest/userguide/iam-auth-enable.html) in the *Neptune User Guide*.

## [Neptune.8] Neptune DB clusters should be configured to copy tags to snapshots


**Related requirements:** NIST.800-53.r5 CA-9(1), NIST.800-53.r5 CM-2, NIST.800-53.r5 CM-2(2)

**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `AWS::RDS::DBCluster`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/neptune-cluster-copy-tags-to-snapshot-enabled.html](https://docs.amazonaws.cn/config/latest/developerguide/neptune-cluster-copy-tags-to-snapshot-enabled.html) 

**Schedule type:** Change triggered

**Parameters:** None

This control checks if a Neptune DB cluster is configured to copy all tags to snapshots when the snapshots are created. The control fails if a Neptune DB cluster isn't configured to copy tags to snapshots.

Identification and inventory of your IT assets is a crucial aspect of governance and security. You should tag snapshots in the same way as their parent Neptune DB clusters. Copying tags ensures that the metadata for the DB snapshots matches that of the parent DB clusters, and that tag-based (ABAC) access policies for the snapshot also match those of the parent DB cluster.

### Remediation


To copy tags to snapshots for Neptune DB clusters, see [Copying tags in Neptune](https://docs.amazonaws.cn/neptune/latest/userguide/tagging.html#tagging-overview) in the *Neptune User Guide*.

## [Neptune.9] Neptune DB clusters should be deployed across multiple Availability Zones


**Related requirements:** NIST.800-53.r5 CP-10, NIST.800-53.r5 CP-6(2), NIST.800-53.r5 SC-36, NIST.800-53.r5 SC-5(2), NIST.800-53.r5 SI-13(5)

**Category:** Recover > Resilience > High availability

**Severity:** Medium

**Resource type:** `AWS::RDS::DBCluster`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/neptune-cluster-multi-az-enabled.html](https://docs.amazonaws.cn/config/latest/developerguide/neptune-cluster-multi-az-enabled.html) 

**Schedule type:** Change triggered

**Parameters:** None

This control checks if an Amazon Neptune DB cluster has read-replica instances in multiple Availability Zones (AZs). The control fails if the cluster is deployed in only one AZ.

If an AZ becomes unavailable, and during regular maintenance events, read replicas serve as failover targets for the primary instance. That is, if the primary instance fails, Neptune promotes a read-replica instance to become the primary instance. By contrast, if your DB cluster doesn't include any read-replica instances, your DB cluster remains unavailable when the primary instance fails until the primary has been re-created. Re-creating the primary instance takes considerably longer than promoting a read replica. To ensure high availability, we recommend that you create one or more read-replica instances that have the same DB instance class as the primary instance and are located in different AZs than the primary instance.

### Remediation


To deploy a Neptune DB cluster in multiple AZs, see [Read-replica DB instances in a Neptune DB cluster](https://docs.amazonaws.cn/neptune/latest/userguide/feature-overview-db-clusters.html#feature-overview-read-replicas) in the *Neptune User Guide*.

# Security Hub CSPM controls for Amazon Network Firewall
Amazon Network Firewall controls

These Amazon Security Hub CSPM controls evaluate the Amazon Network Firewall service and resources. The controls might not be available in all Amazon Web Services Regions. For more information, see [Availability of controls by Region](securityhub-regions.md#securityhub-regions-control-support).

## [NetworkFirewall.1] Network Firewall firewalls should be deployed across multiple Availability Zones


**Related requirements:** NIST.800-53.r5 CP-10, NIST.800-53.r5 CP-6(2), NIST.800-53.r5 SC-36, NIST.800-53.r5 SC-5(2), NIST.800-53.r5 SI-13(5)

**Category:** Recover > Resilience > High availability

**Severity:** Medium

**Resource type:** `AWS::NetworkFirewall::Firewall`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/netfw-multi-az-enabled.html](https://docs.amazonaws.cn/config/latest/developerguide/netfw-multi-az-enabled.html)

**Schedule type:** Change triggered

**Parameters:** None

This control evaluates whether a firewall managed through Amazon Network Firewall is deployed across multiple Availability Zones (AZs). The control fails if a firewall is deployed in only one AZ.

Amazon global infrastructure includes multiple Amazon Web Services Regions. AZs are physically separated, isolated locations within each Region that are connected by low-latency, high-throughput, and highly redundant networking. By deploying a Network Firewall firewall across multiple AZs, you can balance and shift traffic among AZs, which helps you design highly available solutions.

### Remediation


**Deploying a Network Firewall firewall across multiple AZs**

1. Open the Amazon VPC console at [https://console.amazonaws.cn/vpc/](https://console.amazonaws.cn/vpc/).

1. In the navigation pane, under **Network Firewall**, choose **Firewalls**.

1. On the **Firewalls** page, select the firewall that you want to edit.

1. On the firewall details page, choose the **Firewall details** tab.

1. In the **Associated policy and VPC** section, choose **Edit**.

1. To add a new AZ, choose **Add New Subnet**. Select the AZ and subnet that you would like to use. Ensure that you select at least two AZs.

1. Choose **Save**.

## [NetworkFirewall.2] Network Firewall logging should be enabled


**Related requirements:** NIST.800-53.r5 AC-2(12), NIST.800-53.r5 AC-2(4), NIST.800-53.r5 AC-4(26), NIST.800-53.r5 AC-6(9), NIST.800-53.r5 AU-10, NIST.800-53.r5 AU-12, NIST.800-53.r5 AU-2, NIST.800-53.r5 AU-3, NIST.800-53.r5 AU-6(3), NIST.800-53.r5 AU-6(4), NIST.800-53.r5 AU-9(7), NIST.800-53.r5 CA-7, NIST.800-53.r5 SC-7(9), NIST.800-53.r5 SI-3(8), NIST.800-53.r5 SI-4, NIST.800-53.r5 SI-4(20), NIST.800-53.r5 SI-7(8), NIST.800-171.r2 3.1.20, NIST.800-171.r2 3.13.1

**Category:** Identify > Logging

**Severity:** Medium

**Resource type:** `AWS::NetworkFirewall::LoggingConfiguration`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/netfw-logging-enabled.html](https://docs.amazonaws.cn/config/latest/developerguide/netfw-logging-enabled.html)

**Schedule type:** Periodic

**Parameters:** None

This control checks whether logging is enabled for an Amazon Network Firewall firewall. The control fails if logging isn't enabled for at least one log type or if the logging destination doesn't exist.

Logging helps you maintain the reliability, availability, and performance of your firewalls. In Network Firewall, logging gives you detailed information about network traffic, including the time that the stateful engine received a packet flow, detailed information about the packet flow, and any stateful rule action taken against the packet flow.

### Remediation


To enable logging for a firewall, see [Updating a firewall's logging configuration](https://docs.amazonaws.cn/network-firewall/latest/developerguide/firewall-update-logging-configuration.html) in the *Amazon Network Firewall Developer Guide*.

## [NetworkFirewall.3] Network Firewall policies should have at least one rule group associated


**Related requirements:** NIST.800-53.r5 CA-9(1), NIST.800-53.r5 CM-2, NIST.800-171.r2 3.1.3, NIST.800-171.r2 3.13.1

**Category:** Protect > Secure Network Configuration

**Severity:** Medium

**Resource type:** `AWS::NetworkFirewall::FirewallPolicy`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/netfw-policy-rule-group-associated.html](https://docs.amazonaws.cn/config/latest/developerguide/netfw-policy-rule-group-associated.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether a Network Firewall policy has any stateful or stateless rule groups associated. The control fails if stateless or stateful rule groups are not assigned.

A firewall policy defines how your firewall monitors and handles traffic in Amazon Virtual Private Cloud (Amazon VPC). Configuration of stateless and stateful rule groups helps to filter packets and traffic flows, and defines default traffic handling.

### Remediation


To add a rule group to a Network Firewall policy, see [Updating a firewall policy](https://docs.amazonaws.cn/network-firewall/latest/developerguide/firewall-policy-updating.html) in the *Amazon Network Firewall Developer Guide*. For information about creating and managing rule groups, see [Rule groups in Amazon Network Firewall](https://docs.amazonaws.cn/network-firewall/latest/developerguide/rule-groups.html).

## [NetworkFirewall.4] The default stateless action for Network Firewall policies should be drop or forward for full packets


**Related requirements:** NIST.800-53.r5 CA-9(1), NIST.800-53.r5 CM-2

**Category:** Protect > Secure Network Configuration

**Severity:** Medium

**Resource type:** `AWS::NetworkFirewall::FirewallPolicy`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/netfw-policy-default-action-full-packets.html](https://docs.amazonaws.cn/config/latest/developerguide/netfw-policy-default-action-full-packets.html)

**Schedule type:** Change triggered

**Parameters:**
+ `statelessDefaultActions: aws:drop,aws:forward_to_sfe` (not customizable)

This control checks whether the default stateless action for full packets for a Network Firewall policy is drop or forward. The control passes if `Drop` or `Forward` is selected, and fails if `Pass` is selected.

A firewall policy defines how your firewall monitors and handles traffic in Amazon VPC. You configure stateless and stateful rule groups to filter packets and traffic flows. Defaulting to `Pass` can allow unintended traffic.

### Remediation


To change your firewall policy, see [Updating a firewall policy](https://docs.amazonaws.cn/network-firewall/latest/developerguide/firewall-policy-updating.html) in the *Amazon Network Firewall Developer Guide*. For **Stateless default actions**, choose **Edit**. Then, choose **Drop** or **Forward to stateful rule groups** as the **Action**.

## [NetworkFirewall.5] The default stateless action for Network Firewall policies should be drop or forward for fragmented packets


**Related requirements:** NIST.800-53.r5 CA-9(1), NIST.800-53.r5 CM-2, NIST.800-171.r2 3.1.3, NIST.800-171.r2 3.1.14, NIST.800-171.r2 3.13.1, NIST.800-171.r2 3.13.6

**Category:** Protect > Secure Network Configuration

**Severity:** Medium

**Resource type:** `AWS::NetworkFirewall::FirewallPolicy`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/netfw-policy-default-action-fragment-packets.html](https://docs.amazonaws.cn/config/latest/developerguide/netfw-policy-default-action-fragment-packets.html)

**Schedule type:** Change triggered

**Parameters:**
+ `statelessFragDefaultActions: aws:drop,aws:forward_to_sfe` (required, not customizable)

This control checks whether the default stateless action for fragmented packets for a Network Firewall policy is drop or forward. The control passes if `Drop` or `Forward` is selected, and fails if `Pass` is selected.

A firewall policy defines how your firewall monitors and handles traffic in Amazon VPC. You configure stateless and stateful rule groups to filter packets and traffic flows. Defaulting to `Pass` can allow unintended traffic.

### Remediation


To change your firewall policy, see [Updating a firewall policy](https://docs.amazonaws.cn/network-firewall/latest/developerguide/firewall-policy-updating.html) in the *Amazon Network Firewall Developer Guide*. For **Stateless default actions**, choose **Edit**. Then, choose **Drop** or **Forward to stateful rule groups** as the **Action**.

## [NetworkFirewall.6] Stateless Network Firewall rule group should not be empty


**Related requirements:** NIST.800-53.r5 AC-4(21), NIST.800-53.r5 SC-7, NIST.800-53.r5 SC-7(11), NIST.800-53.r5 SC-7(16), NIST.800-53.r5 SC-7(21), NIST.800-53.r5 SC-7(5), NIST.800-171.r2 3.1.3, NIST.800-171.r2 3.1.14, NIST.800-171.r2 3.13.1, NIST.800-171.r2 3.13.6

**Category:** Protect > Secure Network Configuration

**Severity:** Medium

**Resource type:** `AWS::NetworkFirewall::RuleGroup`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/netfw-stateless-rule-group-not-empty.html](https://docs.amazonaws.cn/config/latest/developerguide/netfw-stateless-rule-group-not-empty.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks if a stateless rule group in Amazon Network Firewall contains rules. The control fails if there are no rules in the rule group.

A rule group contains rules that define how your firewall processes traffic in your VPC. An empty stateless rule group, when present in a firewall policy, might give the impression that the rule group will process traffic. However, when the stateless rule group is empty, it does not process traffic.
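The checks that NetworkFirewall.3 through NetworkFirewall.6 describe, as an added offline example (not Security Hub CSPM's or Amazon Config's own implementation). It evaluates a dict shaped like the `FirewallPolicy` element returned by `describe-firewall-policy` (and, for NetworkFirewall.6, the `RuleGroup` element returned by `describe-rule-group`); the sample policy, its custom action name and the empty rule group are constructed here.

```python
"""Offline evaluator for the Network Firewall policy and rule group controls.

Added example, not Security Hub CSPM's own rule logic. Inputs are dicts shaped
like the ``FirewallPolicy`` / ``RuleGroup`` elements that the Network Firewall
describe-firewall-policy and describe-rule-group APIs return.
"""
from __future__ import annotations

# Stateless default actions that NetworkFirewall.4 and .5 accept.
COMPLIANT_STATELESS_DEFAULTS = {"aws:drop", "aws:forward_to_sfe"}


def has_rule_group(policy: dict) -> bool:
    """NetworkFirewall.3: at least one stateless or stateful rule group is referenced."""
    stateless = policy.get("StatelessRuleGroupReferences") or []
    stateful = policy.get("StatefulRuleGroupReferences") or []
    return len(stateless) + len(stateful) > 0


def _default_action_compliant(actions: list[str]) -> bool:
    """A stateless default action list carries exactly one standard action
    (aws:pass, aws:drop or aws:forward_to_sfe) plus optional custom actions whose
    names do not start with 'aws:'. Only drop or forward_to_sfe is compliant."""
    standard = [a for a in actions if a.startswith("aws:")]
    if len(standard) != 1:
        return False
    return standard[0] in COMPLIANT_STATELESS_DEFAULTS


def full_packet_default_compliant(policy: dict) -> bool:
    """NetworkFirewall.4: default action for full packets is drop or forward."""
    return _default_action_compliant(policy.get("StatelessDefaultActions") or [])


def fragment_default_compliant(policy: dict) -> bool:
    """NetworkFirewall.5: default action for fragmented packets is drop or forward."""
    return _default_action_compliant(policy.get("StatelessFragmentDefaultActions") or [])


def stateless_rule_group_not_empty(rule_group: dict) -> bool:
    """NetworkFirewall.6: a STATELESS rule group must contain at least one rule."""
    rules = (rule_group.get("RulesSource") or {}) \
        .get("StatelessRulesAndCustomActions", {}) \
        .get("StatelessRules") or []
    return len(rules) > 0


def evaluate_policy(policy: dict) -> dict[str, str]:
    """Map each policy-level control id to PASSED or FAILED."""
    checks = {
        "NetworkFirewall.3": has_rule_group(policy),
        "NetworkFirewall.4": full_packet_default_compliant(policy),
        "NetworkFirewall.5": fragment_default_compliant(policy),
    }
    return {cid: ("PASSED" if ok else "FAILED") for cid, ok in checks.items()}


# Constructed sample policy: full packets go to the stateful engine (with a
# custom metrics action), but fragments are passed through and no rule group
# is attached, so NetworkFirewall.3 and .5 fail while .4 passes.
SAMPLE_POLICY = {
    "StatelessDefaultActions": ["aws:forward_to_sfe", "publish-metrics"],
    "StatelessFragmentDefaultActions": ["aws:pass"],
    "StatelessRuleGroupReferences": [],
    "StatefulRuleGroupReferences": [],
}

# Constructed sample stateless rule group with no rules (NetworkFirewall.6 fails).
SAMPLE_EMPTY_RULE_GROUP = {
    "RulesSource": {"StatelessRulesAndCustomActions": {"StatelessRules": []}}
}

if __name__ == "__main__":
    for control, status in evaluate_policy(SAMPLE_POLICY).items():
        print(f"{control}: {status}")
    rg_ok = stateless_rule_group_not_empty(SAMPLE_EMPTY_RULE_GROUP)
    print("NetworkFirewall.6:", "PASSED" if rg_ok else "FAILED")
```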

### Remediation


To add rules to your Network Firewall rule group, see [Updating a stateful rule group](https://docs.amazonaws.cn/network-firewall/latest/developerguide/rule-group-stateful-updating.html) in the *Amazon Network Firewall Developer Guide*. On the firewall details page, for **Stateless rule group**, choose **Edit** to add rules.

## [NetworkFirewall.7] Network Firewall firewalls should be tagged


**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `AWS::NetworkFirewall::Firewall`

**Amazon Config rule:** `tagged-networkfirewall-firewall` (custom Security Hub CSPM rule)

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  requiredTagKeys  | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive.  | StringList (maximum of 6 items)  | 1–6 tag keys that meet [Amazon requirements](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-conventions).  |  No default value  | 

This control checks whether an Amazon Network Firewall firewall has tags with the specific keys defined in the parameter `requiredTagKeys`. The control fails if the firewall doesn’t have any tag keys or if it doesn’t have all the keys specified in the parameter `requiredTagKeys`. If the parameter `requiredTagKeys` isn't provided, the control only checks for the existence of a tag key and fails if the firewall isn't tagged with any key. System tags, which are automatically applied and begin with `aws:`, are ignored.

A tag is a label that you assign to an Amazon resource, and it consists of a key and an optional value. You can create tags to categorize resources by purpose, owner, environment, or other criteria. Tags can help you identify, organize, search for, and filter resources. Tagging also helps you track accountable resource owners for actions and notifications. When you use tagging, you can implement attribute-based access control (ABAC) as an authorization strategy, which defines permissions based on tags. You can attach tags to IAM entities (users or roles) and to Amazon resources. You can create a single ABAC policy or a separate set of policies for your IAM principals. You can design these ABAC policies to allow operations when the principal's tag matches the resource tag. For more information, see [What is ABAC for Amazon?](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*.

**Note**  
Don’t add personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible to many Amazon Web Services services, including Amazon Billing. For more tagging best practices, see [Tagging your Amazon resources](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-best-practices) in the *Amazon Web Services General Reference*.

### Remediation


To add tags to a Network Firewall firewall, see [Tagging Amazon Network Firewall resources](https://docs.amazonaws.cn/network-firewall/latest/developerguide/tagging.html) in the *Amazon Network Firewall Developer Guide*.

## [NetworkFirewall.8] Network Firewall firewall policies should be tagged


**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `AWS::NetworkFirewall::FirewallPolicy`

**Amazon Config rule:** `tagged-networkfirewall-firewallpolicy` (custom Security Hub CSPM rule)

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  requiredTagKeys  | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive.  | StringList (maximum of 6 items)  | 1–6 tag keys that meet [Amazon requirements](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-conventions).  |  No default value  | 

This control checks whether an Amazon Network Firewall firewall policy has tags with the specific keys defined in the parameter `requiredTagKeys`. The control fails if the firewall policy doesn’t have any tag keys or if it doesn’t have all the keys specified in the parameter `requiredTagKeys`. If the parameter `requiredTagKeys` isn't provided, the control only checks for the existence of a tag key and fails if the firewall policy isn't tagged with any key. System tags, which are automatically applied and begin with `aws:`, are ignored.

A tag is a label that you assign to an Amazon resource, and it consists of a key and an optional value. You can create tags to categorize resources by purpose, owner, environment, or other criteria. Tags can help you identify, organize, search for, and filter resources. Tagging also helps you track accountable resource owners for actions and notifications. When you use tagging, you can implement attribute-based access control (ABAC) as an authorization strategy, which defines permissions based on tags. You can attach tags to IAM entities (users or roles) and to Amazon resources. You can create a single ABAC policy or a separate set of policies for your IAM principals. You can design these ABAC policies to allow operations when the principal's tag matches the resource tag. For more information, see [What is ABAC for Amazon?](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*.

**Note**  
Don’t add personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible to many Amazon Web Services services, including Amazon Billing. For more tagging best practices, see [Tagging your Amazon resources](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-best-practices) in the *Amazon Web Services General Reference*.
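The tag-key evaluation that NetworkFirewall.7 and NetworkFirewall.8 describe (system tags ignored, case-sensitive keys, and the behaviour when `requiredTagKeys` is not provided), as an added example that is not the custom Security Hub CSPM rule itself. It takes the `{"Key": ..., "Value": ...}` list that `list-tags-for-resource` returns; the sample tags are constructed.

```python
"""Tag-key check for NetworkFirewall.7 / NetworkFirewall.8 (added example).

Not the custom Security Hub CSPM rule; it reproduces the documented semantics:
system tags (prefix 'aws:') are ignored, keys are case sensitive, and without
the requiredTagKeys parameter only the existence of some tag key is checked.
"""
from __future__ import annotations

SYSTEM_TAG_PREFIX = "aws:"  # applied automatically by Amazon; never counted


def resource_tag_keys(tags: list[dict]) -> set[str]:
    """Non-system tag keys present on the resource (case preserved)."""
    return {t["Key"] for t in tags if not t["Key"].startswith(SYSTEM_TAG_PREFIX)}


def evaluate_required_tags(tags: list[dict],
                           required_tag_keys: list[str] | None = None) -> tuple[str, list[str]]:
    """Return (status, missing_keys) where status is PASSED or FAILED.

    - requiredTagKeys absent: PASSED if any non-system tag key exists.
    - requiredTagKeys given (1-6 keys): PASSED only if every key is present.
    """
    if required_tag_keys is not None and not 1 <= len(required_tag_keys) <= 6:
        raise ValueError("requiredTagKeys accepts 1-6 tag keys")
    keys = resource_tag_keys(tags)
    if not required_tag_keys:
        return ("PASSED" if keys else "FAILED"), []
    missing = [k for k in required_tag_keys if k not in keys]  # exact-case match
    return ("PASSED" if not missing else "FAILED"), missing


# Constructed sample: one system tag (ignored) and two user tags. Note the
# lowercase 'environment', which will not satisfy a required 'Environment'.
SAMPLE_TAGS = [
    {"Key": "aws:cloudformation:stack-name", "Value": "edge-fw"},
    {"Key": "Owner", "Value": "netsec"},
    {"Key": "environment", "Value": "prod"},
]

if __name__ == "__main__":
    print(evaluate_required_tags(SAMPLE_TAGS))
    print(evaluate_required_tags(SAMPLE_TAGS, ["Owner", "Environment"]))
```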

### Remediation


To add tags to a Network Firewall policy, see [Tagging Amazon Network Firewall resources](https://docs.amazonaws.cn/network-firewall/latest/developerguide/tagging.html) in the *Amazon Network Firewall Developer Guide*.

## [NetworkFirewall.9] Network Firewall firewalls should have deletion protection enabled


**Related requirements:** NIST.800-53.r5 CA-9(1), NIST.800-53.r5 CM-2, NIST.800-53.r5 CM-2(2), NIST.800-53.r5 CM-3, NIST.800-53.r5 SC-5(2)

**Category:** Protect > Network Security

**Severity:** Medium

**Resource type:** `AWS::NetworkFirewall::Firewall`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/netfw-deletion-protection-enabled.html](https://docs.amazonaws.cn/config/latest/developerguide/netfw-deletion-protection-enabled.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether an Amazon Network Firewall firewall has deletion protection enabled. The control fails if deletion protection isn't enabled for a firewall.

Amazon Network Firewall is a stateful, managed network firewall and intrusion detection service that enables you to inspect and filter traffic to, from, or between your Virtual Private Clouds (VPCs). The deletion protection setting protects against accidental deletion of the firewall.

### Remediation


To enable deletion protection on an existing Network Firewall firewall, see [Updating a firewall](https://docs.amazonaws.cn/network-firewall/latest/developerguide/firewall-updating.html) in the *Amazon Network Firewall Developer Guide*. For **Change protections**, select **Enable**. You can also enable deletion protection by invoking the [UpdateFirewallDeleteProtection](https://docs.amazonaws.cn/network-firewall/latest/APIReference/API_UpdateFirewallDeleteProtection.html) API and setting the `DeleteProtection` field to `true`.

## [NetworkFirewall.10] Network Firewall firewalls should have subnet change protection enabled


**Related requirements:** NIST.800-53.r5 CA-9(1), NIST.800-53.r5 CM-2, NIST.800-53.r5 CM-2(2), NIST.800-53.r5 CM-3, NIST.800-53.r5 SC-5(2)

**Category:** Protect > Network Security

**Severity:** Medium

**Resource type:** `AWS::NetworkFirewall::Firewall`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/netfw-subnet-change-protection-enabled.html](https://docs.amazonaws.cn/config/latest/developerguide/netfw-subnet-change-protection-enabled.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether subnet change protection is enabled for an Amazon Network Firewall firewall. The control fails if subnet change protection isn't enabled for the firewall.

Amazon Network Firewall is a stateful, managed network firewall and intrusion detection service that you can use to inspect and filter traffic to, from, or between your Virtual Private Clouds (VPCs). If you enable subnet change protection for a Network Firewall firewall, you can protect the firewall against accidental changes to the firewall's subnet associations.

### Remediation


For information about enabling subnet change protection for an existing Network Firewall firewall, see [Updating a firewall](https://docs.amazonaws.cn/network-firewall/latest/developerguide/firewall-updating.html) in the *Amazon Network Firewall Developer Guide*.

# Security Hub CSPM controls for Amazon OpenSearch Service
Amazon OpenSearch Service controls

These Amazon Security Hub CSPM controls evaluate the Amazon OpenSearch Service (OpenSearch Service) service and resources. The controls might not be available in all Amazon Web Services Regions. For more information, see [Availability of controls by Region](securityhub-regions.md#securityhub-regions-control-support).

## [Opensearch.1] OpenSearch domains should have encryption at rest enabled


**Related requirements:** PCI DSS v3.2.1/1.2.1, PCI DSS v3.2.1/1.3.1, PCI DSS v3.2.1/1.3.4, PCI DSS v3.2.1/7.2.1, NIST.800-53.r5 CA-9(1), NIST.800-53.r5 CM-3(6), NIST.800-53.r5 SC-13, NIST.800-53.r5 SC-28, NIST.800-53.r5 SC-28(1), NIST.800-53.r5 SI-7(6)

**Category:** Protect > Data Protection > Encryption of data-at-rest

**Severity:** Medium

**Resource type:** `AWS::OpenSearch::Domain`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/opensearch-encrypted-at-rest.html](https://docs.amazonaws.cn/config/latest/developerguide/opensearch-encrypted-at-rest.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether OpenSearch domains have encryption-at-rest configuration enabled. The check fails if encryption at rest is not enabled.

For an added layer of security for sensitive data, you should configure your OpenSearch Service domain to be encrypted at rest. When you configure encryption of data at rest, Amazon KMS stores and manages your encryption keys. To perform the encryption, Amazon KMS uses the Advanced Encryption Standard algorithm with 256-bit keys (AES-256).

To learn more about OpenSearch Service encryption at rest, see [Encryption of data at rest for Amazon OpenSearch Service](https://docs.amazonaws.cn/opensearch-service/latest/developerguide/encryption-at-rest.html) in the *Amazon OpenSearch Service Developer Guide*.

### Remediation


To enable encryption at rest for new and existing OpenSearch domains, see [Enabling encryption of data at rest](https://docs.amazonaws.cn/opensearch-service/latest/developerguide/encryption-at-rest.html#enabling-ear) in the *Amazon OpenSearch Service Developer Guide*.

## [Opensearch.2] OpenSearch domains should not be publicly accessible


**Related requirements:** PCI DSS v3.2.1/1.2.1, PCI DSS v3.2.1/1.3.1, PCI DSS v3.2.1/1.3.2, PCI DSS v3.2.1/1.3.4, PCI DSS v3.2.1/1.3.6, NIST.800-53.r5 AC-21, NIST.800-53.r5 AC-3, NIST.800-53.r5 AC-3(7), NIST.800-53.r5 AC-4, NIST.800-53.r5 AC-4(21), NIST.800-53.r5 AC-6, NIST.800-53.r5 SC-7, NIST.800-53.r5 SC-7(11), NIST.800-53.r5 SC-7(16), NIST.800-53.r5 SC-7(20), NIST.800-53.r5 SC-7(21), NIST.800-53.r5 SC-7(3), NIST.800-53.r5 SC-7(4), NIST.800-53.r5 SC-7(9)

**Category:** Protect > Secure network configuration > Resources within VPC

**Severity:** Critical

**Resource type:** `AWS::OpenSearch::Domain`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/opensearch-in-vpc-only.html](https://docs.amazonaws.cn/config/latest/developerguide/opensearch-in-vpc-only.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether OpenSearch domains are in a VPC. It does not evaluate the VPC subnet routing configuration to determine public access.

You should ensure that OpenSearch domains are not attached to public subnets. See [Resource-based policies](https://docs.amazonaws.cn/opensearch-service/latest/developerguide/ac.html#ac-types-resource) in the *Amazon OpenSearch Service Developer Guide*. You should also ensure that your VPC is configured according to the recommended best practices. See [Security best practices for your VPC](https://docs.amazonaws.cn/vpc/latest/userguide/vpc-security-best-practices.html) in the *Amazon VPC User Guide*.

OpenSearch domains deployed within a VPC can communicate with VPC resources over the private Amazon network, without the need to traverse the public internet. This configuration increases the security posture by limiting access to the data in transit. VPCs provide a number of network controls to secure access to OpenSearch domains, including network ACL and security groups. Security Hub recommends that you migrate public OpenSearch domains to VPCs to take advantage of these controls.

### Remediation


If you create a domain with a public endpoint, you cannot later place it within a VPC. Instead, you must create a new domain and migrate your data. The reverse is also true. If you create a domain within a VPC, it cannot have a public endpoint. Instead, you must either [create another domain](https://docs.amazonaws.cn/opensearch-service/latest/developerguide/createupdatedomains.html#es-createdomains) or disable this control.

For instructions, see [Launching your Amazon OpenSearch Service domains within a VPC](https://docs.amazonaws.cn/opensearch-service/latest/developerguide/vpc.html) in the *Amazon OpenSearch Service Developer Guide*.

## [Opensearch.3] OpenSearch domains should encrypt data sent between nodes


**Related requirements:** NIST.800-53.r5 AC-4, NIST.800-53.r5 SC-13, NIST.800-53.r5 SC-23, NIST.800-53.r5 SC-23(3), NIST.800-53.r5 SC-7(4), NIST.800-53.r5 SC-8, NIST.800-53.r5 SC-8(1), NIST.800-53.r5 SC-8(2)

**Category:** Protect > Data Protection > Encryption of data-in-transit

**Severity:** Medium

**Resource type:** `AWS::OpenSearch::Domain`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/opensearch-node-to-node-encryption-check.html](https://docs.amazonaws.cn/config/latest/developerguide/opensearch-node-to-node-encryption-check.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether OpenSearch domains have node-to-node encryption enabled. This control fails if node-to-node encryption is disabled on the domain.

HTTPS (TLS) can be used to help prevent potential attackers from eavesdropping on or manipulating network traffic using person-in-the-middle or similar attacks. Only encrypted connections over HTTPS (TLS) should be allowed. Enabling node-to-node encryption for OpenSearch domains ensures that intra-cluster communications are encrypted in transit.

There can be a performance penalty associated with this configuration. You should be aware of and test the performance trade-off before enabling this option.

### Remediation


To enable node-to-node encryption on an OpenSearch domain, see [Enabling node-to-node encryption](https://docs.amazonaws.cn/opensearch-service/latest/developerguide/ntn.html#enabling-ntn) in the *Amazon OpenSearch Service Developer Guide*.

## [Opensearch.4] OpenSearch domain error logging to CloudWatch Logs should be enabled


**Related requirements:** NIST.800-53.r5 AC-2(4), NIST.800-53.r5 AC-4(26), NIST.800-53.r5 AC-6(9), NIST.800-53.r5 AU-10, NIST.800-53.r5 AU-12, NIST.800-53.r5 AU-2, NIST.800-53.r5 AU-3, NIST.800-53.r5 AU-6(3), NIST.800-53.r5 AU-6(4), NIST.800-53.r5 CA-7, NIST.800-53.r5 SC-7(9), NIST.800-53.r5 SI-3(8), NIST.800-53.r5 SI-4(20), NIST.800-53.r5 SI-7(8)

**Category:** Identify > Logging

**Severity:** Medium

**Resource type:** `AWS::OpenSearch::Domain`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/opensearch-logs-to-cloudwatch.html](https://docs.amazonaws.cn/config/latest/developerguide/opensearch-logs-to-cloudwatch.html)

**Schedule type:** Change triggered

**Parameters:**
+ `logtype = 'error'` (not customizable)

This control checks whether OpenSearch domains are configured to send error logs to CloudWatch Logs. This control fails if error logging to CloudWatch is not enabled for a domain.

You should enable error logs for OpenSearch domains and send those logs to CloudWatch Logs for retention and response. Domain error logs can assist with security and access audits, and can help to diagnose availability issues.

### Remediation


To enable log publishing, see [Enabling log publishing (console)](https://docs.amazonaws.cn/opensearch-service/latest/developerguide/createdomain-configure-slow-logs.html#createdomain-configure-slow-logs-console) in the *Amazon OpenSearch Service Developer Guide*.

## [Opensearch.5] OpenSearch domains should have audit logging enabled


**Related requirements:** NIST.800-53.r5 AC-2(4), NIST.800-53.r5 AC-4(26), NIST.800-53.r5 AC-6(9), NIST.800-53.r5 AU-10, NIST.800-53.r5 AU-12, NIST.800-53.r5 AU-2, NIST.800-53.r5 AU-3, NIST.800-53.r5 AU-6(3), NIST.800-53.r5 AU-6(4), NIST.800-53.r5 CA-7, NIST.800-53.r5 SC-7(9), NIST.800-53.r5 SI-3(8), NIST.800-53.r5 SI-4(20), NIST.800-53.r5 SI-7(8), PCI DSS v4.0.1/10.2.1

**Category:** Identify > Logging

**Severity:** Medium

**Resource type:** `AWS::OpenSearch::Domain`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/opensearch-audit-logging-enabled.html](https://docs.amazonaws.cn/config/latest/developerguide/opensearch-audit-logging-enabled.html)

**Schedule type:** Change triggered

**Parameters:**
+ `cloudWatchLogsLogGroupArnList` (not customizable) – Security Hub CSPM does not populate this parameter. Comma-separated list of CloudWatch Logs log groups that should be configured for audit logs.

This control checks whether OpenSearch domains have audit logging enabled. This control fails if an OpenSearch domain does not have audit logging enabled.

Audit logs are highly customizable. They allow you to track user activity on your OpenSearch clusters, including authentication successes and failures, requests to OpenSearch, index changes, and incoming search queries.

### Remediation


For instructions on enabling audit logs, see [Enabling audit logs](https://docs.amazonaws.cn/opensearch-service/latest/developerguide/audit-logs.html#audit-log-enabling) in the *Amazon OpenSearch Service Developer Guide*.

## [Opensearch.6] OpenSearch domains should have at least three data nodes


**Related requirements:** NIST.800-53.r5 CP-10, NIST.800-53.r5 CP-6(2), NIST.800-53.r5 SC-36, NIST.800-53.r5 SC-5(2), NIST.800-53.r5 SI-13(5)

**Category:** Recover > Resilience > High availability

**Severity:** Medium

**Resource type:** `AWS::OpenSearch::Domain`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/opensearch-data-node-fault-tolerance.html](https://docs.amazonaws.cn/config/latest/developerguide/opensearch-data-node-fault-tolerance.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether OpenSearch domains are configured with at least three data nodes and `zoneAwarenessEnabled` is `true`. This control fails for an OpenSearch domain if `instanceCount` is less than 3 or `zoneAwarenessEnabled` is `false`.

To achieve cluster-level high availability and fault tolerance, an OpenSearch domain should have at least three data nodes. Deploying an OpenSearch domain with at least three data nodes ensures that cluster operations continue if a node fails.

### Remediation


**To modify the number of data nodes in an OpenSearch domain**

1. Sign in to the Amazon console and open the Amazon OpenSearch Service console at [https://console.aws.amazon.com/aos/](https://console.aws.amazon.com/aos/).

1. Under **My domains**, choose the name of the domain to edit, and choose **Edit**.

1. Under **Data nodes**, set **Number of nodes** to a number greater than `3`. If you are deploying to three Availability Zones, set the number to a multiple of three to ensure equal distribution across Availability Zones.

1. Choose **Submit**.

## [Opensearch.7] OpenSearch domains should have fine-grained access control enabled


**Related requirements:** NIST.800-53.r5 AC-2(1), NIST.800-53.r5 AC-3, NIST.800-53.r5 AC-3(15), NIST.800-53.r5 AC-3(7), NIST.800-53.r5 AC-5, NIST.800-53.r5 AC-6

**Category:** Protect > Secure Access Management > Sensitive API actions restricted

**Severity:** High

**Resource type:** `AWS::OpenSearch::Domain`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/opensearch-access-control-enabled.html](https://docs.amazonaws.cn/config/latest/developerguide/opensearch-access-control-enabled.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether OpenSearch domains have fine-grained access control enabled. The control fails if fine-grained access control is not enabled. In the domain configuration, fine-grained access control corresponds to `AdvancedSecurityOptions` with `Enabled` set to `true` (the `--advanced-security-options` argument of the `update-domain-config` CLI command).

Fine-grained access control offers additional ways of controlling access to your data on Amazon OpenSearch Service.

### Remediation


To enable fine-grained access control, see [Fine-grained access control in Amazon OpenSearch Service](https://docs.amazonaws.cn/opensearch-service/latest/developerguide/fgac.html) in the *Amazon OpenSearch Service Developer Guide*.

## [Opensearch.8] Connections to OpenSearch domains should be encrypted using the latest TLS security policy


**Related requirements:** NIST.800-53.r5 AC-17(2), NIST.800-53.r5 AC-4, NIST.800-53.r5 IA-5(1), NIST.800-53.r5 SC-12(3), NIST.800-53.r5 SC-13, NIST.800-53.r5 SC-23, NIST.800-53.r5 SC-23(3), NIST.800-53.r5 SC-7(4), NIST.800-53.r5 SC-8, NIST.800-53.r5 SC-8(1), NIST.800-53.r5 SC-8(2), NIST.800-53.r5 SI-7(6)

**Category:** Protect > Data Protection > Encryption of data-in-transit

**Severity:** Medium

**Resource type:** `AWS::OpenSearch::Domain`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/opensearch-https-required.html](https://docs.amazonaws.cn/config/latest/developerguide/opensearch-https-required.html)

**Schedule type:** Change triggered

**Parameters:**
+ `tlsPolicies: Policy-Min-TLS-1-2-PFS-2023-10` (not customizable)

This control checks whether an Amazon OpenSearch Service domain endpoint is configured to use the latest TLS security policy. The control fails if the OpenSearch domain endpoint isn't configured to use the latest supported policy or if HTTPS isn't enforced.

HTTPS (TLS) can be used to help prevent potential attackers from using person-in-the-middle or similar attacks to eavesdrop on or manipulate network traffic. Only encrypted connections over HTTPS (TLS) should be allowed. Encrypting data in transit can affect performance. You should test your application with this feature to understand the performance profile and the impact of TLS. TLS 1.2 provides several security enhancements over previous versions of TLS. 

### Remediation


To enable TLS encryption, use the [UpdateDomainConfig](https://docs.amazonaws.cn/opensearch-service/latest/APIReference/API_UpdateDomainConfig.html) API operation. In the [DomainEndpointOptions](https://docs.amazonaws.cn/opensearch-service/latest/APIReference/API_DomainEndpointOptions.html) field, set `EnforceHTTPS` to `true` and set `TLSSecurityPolicy` to `Policy-Min-TLS-1-2-PFS-2023-10`. Clients that can only negotiate TLS 1.0 or 1.1 are refused after the change, so verify client compatibility before you apply it. For more information, see [Node-to-node encryption](https://docs.amazonaws.cn/opensearch-service/latest/developerguide/ntn.html) in the *Amazon OpenSearch Service Developer Guide*.

## [Opensearch.9] OpenSearch domains should be tagged


**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `AWS::OpenSearch::Domain`

**Amazon Config rule:** `tagged-opensearch-domain` (custom Security Hub CSPM rule)

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  requiredTagKeys  | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive.  | StringList (maximum of 6 items)  | 1–6 tag keys that meet [Amazon requirements](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-conventions).  |  No default value  | 

This control checks whether an Amazon OpenSearch Service domain has tags with the specific keys defined in the parameter `requiredTagKeys`. The control fails if the domain doesn’t have any tag keys or if it doesn’t have all the keys specified in the parameter `requiredTagKeys`. If the parameter `requiredTagKeys` isn't provided, the control only checks for the existence of a tag key and fails if the domain isn't tagged with any key. System tags, which are automatically applied and begin with `aws:`, are ignored.

A tag is a label that you assign to an Amazon resource, and it consists of a key and an optional value. You can create tags to categorize resources by purpose, owner, environment, or other criteria. Tags can help you identify, organize, search for, and filter resources. Tagging also helps you track accountable resource owners for actions and notifications. When you use tagging, you can implement attribute-based access control (ABAC) as an authorization strategy, which defines permissions based on tags. You can attach tags to IAM entities (users or roles) and to Amazon resources. You can create a single ABAC policy or a separate set of policies for your IAM principals. You can design these ABAC policies to allow operations when the principal's tag matches the resource tag. For more information, see [What is ABAC for Amazon?](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*.

**Note**  
Don’t add personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible to many Amazon Web Services services, including Amazon Billing. For more tagging best practices, see [Tagging your Amazon resources](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-best-practices) in the *Amazon Web Services General Reference*.

### Remediation


To add tags to an OpenSearch Service domain, see [Working with tags](https://docs.amazonaws.cn/opensearch-service/latest/developerguide/managedomains-awsresourcetagging.html#managedomains-awsresourcetagging-console) in the *Amazon OpenSearch Service Developer Guide*.

## [Opensearch.10] OpenSearch domains should have the latest software update installed


**Related requirements:** NIST.800-53.r5 SI-2, NIST.800-53.r5 SI-2(2), NIST.800-53.r5 SI-2(4), NIST.800-53.r5 SI-2(5), PCI DSS v4.0.1/6.3.3

**Category:** Identify > Vulnerability, patch, and version management

**Severity:** Medium

**Resource type:** `AWS::OpenSearch::Domain`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/opensearch-update-check.html](https://docs.amazonaws.cn/config/latest/developerguide/opensearch-update-check.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether an Amazon OpenSearch Service domain has the latest software update installed. The control fails if a software update is available but not installed for the domain.

OpenSearch Service software updates provide the latest platform fixes, updates, and features available for the environment. Keeping up-to-date with patch installation helps maintain domain security and availability. If no action is taken on required updates, the service software is updated automatically (typically after 2 weeks). We recommend scheduling updates during a time of low traffic to the domain to minimize service disruption. 

### Remediation


To install software updates for an OpenSearch domain, see [Starting an update](https://docs.amazonaws.cn/opensearch-service/latest/developerguide/service-software.html#service-software-requesting) in the *Amazon OpenSearch Service Developer Guide*.

## [Opensearch.11] OpenSearch domains should have at least three dedicated primary nodes


**Related requirements:** NIST.800-53.r5 CP-10, NIST.800-53.r5 CP-2, NIST.800-53.r5 SC-5, NIST.800-53.r5 SC-36, NIST.800-53.r5 SI-13

**Category:** Recover > Resilience > High availability

**Severity:** Low

**Resource type:** `AWS::OpenSearch::Domain`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/opensearch-primary-node-fault-tolerance.html](https://docs.amazonaws.cn/config/latest/developerguide/opensearch-primary-node-fault-tolerance.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether an Amazon OpenSearch Service domain is configured with at least three dedicated primary nodes. The control fails if the domain has fewer than three dedicated primary nodes.

OpenSearch Service uses dedicated primary nodes to increase cluster stability. A dedicated primary node performs cluster management tasks, but doesn't hold data or respond to data upload requests. We recommend that you use multi-AZ with standby, which adds three dedicated primary nodes to each production OpenSearch domain. 

### Remediation


To change the number of primary nodes for an OpenSearch domain, see [Creating and managing Amazon OpenSearch Service domains](https://docs.amazonaws.cn/opensearch-service/latest/developerguide/createupdatedomains.html) in the *Amazon OpenSearch Service Developer Guide*.
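
The OpenSearch controls above (Opensearch.6, Opensearch.7, Opensearch.8, Opensearch.10, and Opensearch.11) all read fields that `DescribeDomain` returns. The following Python code is an added example, not part of the Security Hub CSPM documentation or of the OpenSearch Service SDK: it evaluates a `DomainStatus` structure against those five controls and builds the `UpdateDomainConfig` parameters that remediate the cluster and endpoint findings. The sample domain is constructed; the domain name, the instance type, and the choice of reusing the data node type for dedicated primary nodes are assumptions.

```python
"""Evaluate an OpenSearch Service domain against Opensearch.6, .7, .8, .10
and .11, and derive the UpdateDomainConfig change that fixes the cluster
and endpoint findings.

Added example, not code from the Security Hub CSPM documentation. Field
names follow the DescribeDomain / UpdateDomainConfig API; the domain
below is constructed (no real domain has these values).
"""

LATEST_TLS_POLICY = "Policy-Min-TLS-1-2-PFS-2023-10"  # Opensearch.8 parameter

# ClusterConfig fields that DescribeDomain returns and UpdateDomainConfig
# accepts, so they can be passed back unchanged.
CLUSTER_KEYS = ("InstanceType", "InstanceCount", "ZoneAwarenessEnabled",
                "ZoneAwarenessConfig", "DedicatedMasterEnabled",
                "DedicatedMasterType", "DedicatedMasterCount")

SAMPLE_DOMAIN = {  # constructed: four single-AZ data nodes, no dedicated primaries
    "DomainName": "app-logs",
    "ClusterConfig": {"InstanceType": "r6g.large.search", "InstanceCount": 4,
                      "ZoneAwarenessEnabled": False, "DedicatedMasterEnabled": False},
    "AdvancedSecurityOptions": {"Enabled": False},
    "DomainEndpointOptions": {"EnforceHTTPS": True,
                              "TLSSecurityPolicy": "Policy-Min-TLS-1-0-2019-07"},
    "ServiceSoftwareOptions": {"UpdateAvailable": True},
}


def evaluate_domain(status):
    """Return {control id: passed} for one DomainStatus dict."""
    cluster = status.get("ClusterConfig", {})
    fgac = status.get("AdvancedSecurityOptions", {})
    endpoint = status.get("DomainEndpointOptions", {})
    software = status.get("ServiceSoftwareOptions", {})
    return {
        # Opensearch.6: at least three data nodes spread across AZs
        "Opensearch.6": cluster.get("InstanceCount", 0) >= 3
        and bool(cluster.get("ZoneAwarenessEnabled", False)),
        # Opensearch.7: fine-grained access control on
        "Opensearch.7": bool(fgac.get("Enabled", False)),
        # Opensearch.8: HTTPS enforced with the latest TLS policy
        "Opensearch.8": bool(endpoint.get("EnforceHTTPS", False))
        and endpoint.get("TLSSecurityPolicy") == LATEST_TLS_POLICY,
        # Opensearch.10: no pending service software update
        "Opensearch.10": not software.get("UpdateAvailable", False),
        # Opensearch.11: at least three dedicated primary (master) nodes
        "Opensearch.11": bool(cluster.get("DedicatedMasterEnabled", False))
        and cluster.get("DedicatedMasterCount", 0) >= 3,
    }


def failing_controls(status):
    """Control ids that fail, in numeric order."""
    results = evaluate_domain(status)
    return sorted((cid for cid, ok in results.items() if not ok),
                  key=lambda cid: int(cid.split(".")[1]))


def remediation_params(status):
    """Keyword arguments for opensearch.update_domain_config that fix
    Opensearch.6, .8 and .11. Opensearch.7 is left out on purpose: enabling
    fine-grained access control also needs a master user and (normally)
    encryption at rest and node-to-node encryption, so it should be a
    separate, explicit change. Opensearch.10 is fixed with
    start_service_software_update, not with a config update."""
    failing = set(failing_controls(status))
    params = {"DomainName": status["DomainName"]}
    src = status.get("ClusterConfig", {})
    cluster = {k: src[k] for k in CLUSTER_KEYS if k in src}
    if "Opensearch.6" in failing:
        count = max(3, cluster.get("InstanceCount", 0))
        cluster["InstanceCount"] = count + (-count) % 3  # multiple of 3 for 3 AZs
        cluster["ZoneAwarenessEnabled"] = True
        cluster["ZoneAwarenessConfig"] = {"AvailabilityZoneCount": 3}
    if "Opensearch.11" in failing:
        cluster["DedicatedMasterEnabled"] = True
        cluster["DedicatedMasterCount"] = 3
        if "DedicatedMasterType" not in cluster and "InstanceType" in cluster:
            # Assumption for the example: reuse the data node type. Size the
            # dedicated primary type for the cluster in practice.
            cluster["DedicatedMasterType"] = cluster["InstanceType"]
    if failing & {"Opensearch.6", "Opensearch.11"}:
        params["ClusterConfig"] = cluster
    if "Opensearch.8" in failing:
        params["DomainEndpointOptions"] = {"EnforceHTTPS": True,
                                          "TLSSecurityPolicy": LATEST_TLS_POLICY}
    return params


if __name__ == "__main__":
    print("failing:", failing_controls(SAMPLE_DOMAIN))
    print("update_domain_config(**%r)" % remediation_params(SAMPLE_DOMAIN))
```

Against a real domain, pass `boto3.client("opensearch").describe_domain(DomainName=...)["DomainStatus"]` to `failing_controls` and the result of `remediation_params` to `update_domain_config(**params)`. Changing the node count or adding dedicated primary nodes can trigger a blue/green deployment, so schedule the change like any other maintenance.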

# Security Hub CSPM controls for Amazon Private CA
Amazon Private CA controls

These Amazon Security Hub CSPM controls evaluate the Amazon Private Certificate Authority (Amazon Private CA) service and resources.

These controls may not be available in all Amazon Web Services Regions. For more information, see [Availability of controls by Region](securityhub-regions.md#securityhub-regions-control-support).

## [PCA.1] Amazon Private CA root certificate authority should be disabled


**Related requirements:** NIST.800-53.r5 CA-9(1), NIST.800-53.r5 CM-2

**Category:** Protect > Secure network configuration

**Severity:** Low

**Resource type:** `AWS::ACMPCA::CertificateAuthority`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/acm-pca-root-ca-disabled.html](https://docs.amazonaws.cn/config/latest/developerguide/acm-pca-root-ca-disabled.html)

**Schedule type:** Periodic

**Parameters:** None

This control checks if Amazon Private CA has a root certificate authority (CA) that is disabled. The control fails if the root CA is enabled.

With Amazon Private CA, you can create a CA hierarchy that includes a root CA and subordinate CAs. You should minimize the use of the root CA for daily tasks, especially in production environments. The root CA should only be used to issue certificates for intermediate CAs. This allows the root CA to be stored out of harm's way while the intermediate CAs perform the daily task of issuing end-entity certificates.

### Remediation


To disable the root CA, see [Update CA status](https://docs.amazonaws.cn/privateca/latest/userguide/console-update.html#console-update-status-steps) in the *Amazon Private Certificate Authority User Guide*.

## [PCA.2] Amazon Private CA certificate authorities should be tagged


**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `AWS::ACMPCA::CertificateAuthority`

**Amazon Config rule:** `acmpca-certificate-authority-tagged`

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  requiredKeyTags  | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive.  | StringList (maximum of 6 items)  | 1–6 tag keys that meet [Amazon requirements](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-conventions).  |  No default value  | 

This control checks whether an Amazon Private CA certificate authority has tags with the specific keys defined in the parameter `requiredKeyTags`. The control fails if the certificate authority doesn’t have any tag keys or if it doesn’t have all the keys specified in the parameter `requiredKeyTags`. If the parameter `requiredKeyTags` isn't provided, the control only checks for the existence of a tag key and fails if the certificate authority isn't tagged with any key. System tags, which are automatically applied and begin with `aws:`, are ignored.

A tag is a label that you assign to an Amazon resource, and it consists of a key and an optional value. You can create tags to categorize resources by purpose, owner, environment, or other criteria. Tags can help you identify, organize, search for, and filter resources. Tagging also helps you track accountable resource owners for actions and notifications. When you use tagging, you can implement attribute-based access control (ABAC) as an authorization strategy, which defines permissions based on tags. You can attach tags to IAM entities (users or roles) and to Amazon resources. You can create a single ABAC policy or a separate set of policies for your IAM principals. You can design these ABAC policies to allow operations when the principal's tag matches the resource tag. For more information, see [Define permissions based on attributes with ABAC authorization](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*.

**Note**  
Don’t add personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible to many Amazon Web Services services, including Amazon Billing. For more tagging best practices, see [Best practices and strategies](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-best-practices) in the *Tagging Amazon Resources and Tag Editor User Guide*.

### Remediation


To add tags to an Amazon Private CA authority, see [Add tags for your private CA](https://docs.amazonaws.cn/privateca/latest/userguide/PcaCaTagging.html) in the *Amazon Private Certificate Authority User Guide*.

# Security Hub CSPM controls for Amazon RDS
Amazon RDS controls

These Amazon Security Hub CSPM controls evaluate the Amazon Relational Database Service (Amazon RDS) and Amazon RDS resources. The controls might not be available in all Amazon Web Services Regions. For more information, see [Availability of controls by Region](securityhub-regions.md#securityhub-regions-control-support).

## [RDS.1] RDS snapshot should be private


**Related requirements:** PCI DSS v3.2.1/1.2.1, PCI DSS v3.2.1/1.3.1, PCI DSS v3.2.1/1.3.4, PCI DSS v3.2.1/1.3.6, PCI DSS v3.2.1/7.2.1, NIST.800-53.r5 AC-21, NIST.800-53.r5 AC-3, NIST.800-53.r5 AC-3(7), NIST.800-53.r5 AC-4, NIST.800-53.r5 AC-4(21), NIST.800-53.r5 AC-6, NIST.800-53.r5 SC-7, NIST.800-53.r5 SC-7(11), NIST.800-53.r5 SC-7(16), NIST.800-53.r5 SC-7(20), NIST.800-53.r5 SC-7(21), NIST.800-53.r5 SC-7(3), NIST.800-53.r5 SC-7(4), NIST.800-53.r5 SC-7(9)

**Category:** Protect > Secure network configuration

**Severity:** Critical

**Resource type:** `AWS::RDS::DBClusterSnapshot`, `AWS::RDS::DBSnapshot`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/rds-snapshots-public-prohibited.html](https://docs.amazonaws.cn/config/latest/developerguide/rds-snapshots-public-prohibited.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether Amazon RDS snapshots are public. The control fails if RDS snapshots are public. This control evaluates RDS instances, Aurora DB instances, Neptune DB instances, and Amazon DocumentDB clusters.

RDS snapshots are used to back up the data on your RDS instances at a specific point in time. They can be used to restore previous states of RDS instances.

An RDS snapshot must not be public unless intended. If you share an unencrypted manual snapshot as public, the snapshot becomes available to all Amazon Web Services accounts, and any account can restore it into a DB instance of its own. This may result in unintended data exposure of your RDS instance. Encrypted snapshots can't be shared publicly, so encrypting snapshots (see control RDS.4) removes this exposure path.

Note that if the configuration is changed to allow public access, the Amazon Config rule may not be able to detect the change for up to 12 hours. Until the Amazon Config rule detects the change, the check passes even though the configuration violates the rule.

To learn more about sharing a DB snapshot, see [Sharing a DB snapshot](https://docs.amazonaws.cn/AmazonRDS/latest/UserGuide/USER_ShareSnapshot.html) in the *Amazon RDS User Guide*.

### Remediation


To remove public access from RDS snapshots, see [Sharing a snapshot](https://docs.amazonaws.cn/AmazonRDS/latest/UserGuide/USER_ShareSnapshot.html#USER_ShareSnapshot.Sharing) in the *Amazon RDS User Guide*. For **DB snapshot visibility**, choose **Private**.
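
As an added example (not from the Amazon RDS or Security Hub CSPM documentation), the following Python code shows how public sharing appears in a snapshot's `restore` attribute and builds the `ModifyDBSnapshotAttribute` or `ModifyDBClusterSnapshotAttribute` call that revokes only the public grant, leaving shares with specific accounts in place. The attribute results, snapshot identifiers, and account ID are constructed.

```python
"""RDS.1: find snapshots shared publicly and build the call that revokes
only the public grant.

Added example, not code from the Amazon RDS or Security Hub CSPM
documentation. RDS models sharing as the snapshot's ``restore``
attribute: the value ``all`` means every Amazon Web Services account can
restore it; any other value is an account ID. Inputs are the
DBSnapshotAttributesResult / DBClusterSnapshotAttributesResult structures
returned by describe_db_snapshot_attributes and
describe_db_cluster_snapshot_attributes; the ones below are constructed.
"""

PUBLIC = "all"

SAMPLE_ATTRIBUTE_RESULTS = [  # constructed
    {"DBSnapshotIdentifier": "orders-2024-05-01",
     "DBSnapshotAttributes": [{"AttributeName": "restore",
                               "AttributeValues": ["all", "123456789012"]}]},
    {"DBClusterSnapshotIdentifier": "aurora-prod-2024-05-01",
     "DBClusterSnapshotAttributes": [{"AttributeName": "restore",
                                      "AttributeValues": ["123456789012"]}]},
    {"DBClusterSnapshotIdentifier": "aurora-stage-2024-05-01",
     "DBClusterSnapshotAttributes": [{"AttributeName": "restore",
                                      "AttributeValues": ["all"]}]},
    {"DBSnapshotIdentifier": "orders-2024-04-01",
     "DBSnapshotAttributes": [{"AttributeName": "restore",
                               "AttributeValues": []}]},
]


def is_cluster_snapshot(result):
    return "DBClusterSnapshotIdentifier" in result


def restore_values(result):
    """Accounts (or 'all') allowed to restore the snapshot."""
    key = "DBClusterSnapshotAttributes" if is_cluster_snapshot(result) else "DBSnapshotAttributes"
    for attr in result.get(key, []):
        if attr.get("AttributeName") == "restore":
            return list(attr.get("AttributeValues", []))
    return []


def is_public(result):
    return PUBLIC in restore_values(result)


def revoke_public_call(result):
    """(boto3 RDS client method name, kwargs) that drops the public grant
    while keeping explicit account shares, or None if the snapshot is
    not public."""
    if not is_public(result):
        return None
    if is_cluster_snapshot(result):
        method = "modify_db_cluster_snapshot_attribute"
        ident = {"DBClusterSnapshotIdentifier": result["DBClusterSnapshotIdentifier"]}
    else:
        method = "modify_db_snapshot_attribute"
        ident = {"DBSnapshotIdentifier": result["DBSnapshotIdentifier"]}
    return method, {**ident, "AttributeName": "restore", "ValuesToRemove": [PUBLIC]}


def audit(results):
    """Snapshot identifier -> (method, kwargs) for every public snapshot."""
    findings = {}
    for result in results:
        call = revoke_public_call(result)
        if call:
            ident = result.get("DBSnapshotIdentifier") or result["DBClusterSnapshotIdentifier"]
            findings[ident] = call
    return findings


def remediate(rds, results):
    """Apply every revocation through an RDS client (boto3 or a test
    double); returns the identifiers that were fixed."""
    fixed = []
    for ident, (method, kwargs) in audit(results).items():
        getattr(rds, method)(**kwargs)
        fixed.append(ident)
    return fixed


if __name__ == "__main__":
    for ident, (method, kwargs) in audit(SAMPLE_ATTRIBUTE_RESULTS).items():
        print(ident, "->", method, kwargs)
```

The same revocation from the CLI is `aws rds modify-db-snapshot-attribute --db-snapshot-identifier <id> --attribute-name restore --values-to-remove all` (or `modify-db-cluster-snapshot-attribute` for cluster snapshots). Because the Config rule can take up to 12 hours to notice a change to public, an inventory built from `describe-db-snapshots --snapshot-type manual` plus the attribute calls above is the faster check.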

## [RDS.2] RDS DB Instances should prohibit public access, as determined by the PubliclyAccessible configuration


**Related requirements:** CIS Amazon Foundations Benchmark v5.0.0/2.2.3, CIS Amazon Foundations Benchmark v3.0.0/2.3.3, NIST.800-53.r5 AC-4, NIST.800-53.r5 AC-4(21), NIST.800-53.r5 SC-7, NIST.800-53.r5 SC-7(11), NIST.800-53.r5 SC-7(16), NIST.800-53.r5 SC-7(21), NIST.800-53.r5 SC-7(4), NIST.800-53.r5 SC-7(5), PCI DSS v3.2.1/1.2.1, PCI DSS v3.2.1/1.3.1, PCI DSS v3.2.1/1.3.2, PCI DSS v3.2.1/1.3.4, PCI DSS v3.2.1/1.3.6, PCI DSS v3.2.1/7.2.1, PCI DSS v4.0.1/1.4.4

**Category:** Protect > Secure network configuration

**Severity:** Critical

**Resource type:** `AWS::RDS::DBInstance`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/rds-instance-public-access-check.html](https://docs.amazonaws.cn/config/latest/developerguide/rds-instance-public-access-check.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether Amazon RDS instances are publicly accessible by evaluating the `PubliclyAccessible` field in the instance configuration item.

Neptune DB instances and Amazon DocumentDB clusters do not have the `PubliclyAccessible` flag and cannot be evaluated. However, this control can still generate findings for these resources. You can suppress these findings.

The `PubliclyAccessible` value in the RDS instance configuration indicates whether the DB instance is publicly accessible. When `PubliclyAccessible` is `true`, the instance is Internet-facing: its DNS name resolves to a public IP address. When it is `false`, the instance is internal and its DNS name resolves to a private IP address.

Unless you intend for your RDS instance to be publicly accessible, don't set `PubliclyAccessible` to `true`. Doing so might allow unnecessary traffic to your database instance. Actual reachability also depends on the instance's VPC security groups and subnet routing, but the control evaluates only the `PubliclyAccessible` flag, so a restrictive security group does not make the finding pass.

### Remediation


To remove public access from RDS DB instances, see [Modifying an Amazon RDS DB instance](https://docs.amazonaws.cn/AmazonRDS/latest/UserGuide/Overview.DBInstance.Modifying.html) in the *Amazon RDS User Guide*. For **Public access**, choose **No**.

## [RDS.3] RDS DB instances should have encryption at-rest enabled


**Related requirements:** CIS Amazon Foundations Benchmark v5.0.0/2.2.1, CIS Amazon Foundations Benchmark v3.0.0/2.3.1, CIS Amazon Foundations Benchmark v1.4.0/2.3.1, NIST.800-53.r5 CA-9(1), NIST.800-53.r5 CM-3(6), NIST.800-53.r5 SC-13, NIST.800-53.r5 SC-28, NIST.800-53.r5 SC-28(1), NIST.800-53.r5 SC-7(10), NIST.800-53.r5 SI-7(6)

**Category:** Protect > Data Protection > Encryption of data-at-rest

**Severity:** Medium

**Resource type:** `AWS::RDS::DBInstance`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/rds-storage-encrypted.html](https://docs.amazonaws.cn/config/latest/developerguide/rds-storage-encrypted.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether storage encryption is enabled for your Amazon RDS DB instances.

This control is intended for RDS DB instances. However, it can also generate findings for Aurora DB instances, Neptune DB instances, and Amazon DocumentDB clusters. If these findings are not useful, then you can suppress them.

For an added layer of security for your sensitive data in RDS DB instances, you should configure your RDS DB instances to be encrypted at rest. To encrypt your RDS DB instances and snapshots at rest, enable the encryption option for your RDS DB instances. Data that is encrypted at rest includes the underlying storage for DB instances, its automated backups, read replicas, and snapshots. 

RDS encrypted DB instances use the open standard AES-256 encryption algorithm to encrypt your data on the server that hosts your RDS DB instances. After your data is encrypted, Amazon RDS handles authentication of access and decryption of your data transparently with a minimal impact on performance. You do not need to modify your database client applications to use encryption. 

Amazon RDS encryption is currently available for all database engines and storage types. Amazon RDS encryption is available for most DB instance classes. To learn about DB instance classes that do not support Amazon RDS encryption, see [Encrypting Amazon RDS resources](https://docs.amazonaws.cn/AmazonRDS/latest/UserGuide/Overview.Encryption.html) in the *Amazon RDS User Guide*.

### Remediation


For information about encrypting DB instances in Amazon RDS, see [Encrypting Amazon RDS resources](https://docs.amazonaws.cn/AmazonRDS/latest/UserGuide/Overview.Encryption.html) in the *Amazon RDS User Guide*.

## [RDS.4] RDS cluster snapshots and database snapshots should be encrypted at rest


**Related requirements:** NIST.800-53.r5 CA-9(1), NIST.800-53.r5 CM-3(6), NIST.800-53.r5 SC-13, NIST.800-53.r5 SC-28, NIST.800-53.r5 SC-28(1), NIST.800-53.r5 SC-7(10), NIST.800-53.r5 SI-7(6)

**Category:** Protect > Data Protection > Encryption of data-at-rest

**Severity:** Medium

**Resource type:** `AWS::RDS::DBClusterSnapshot`, `AWS::RDS::DBSnapshot`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/rds-snapshot-encrypted.html](https://docs.amazonaws.cn/config/latest/developerguide/rds-snapshot-encrypted.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether an RDS DB snapshot is encrypted. The control fails if an RDS DB snapshot isn't encrypted.

This control is intended for RDS DB instances. However, it can also generate findings for snapshots of Aurora DB instances, Neptune DB instances, and Amazon DocumentDB clusters. If these findings are not useful, then you can suppress them.

Encrypting data at rest reduces the risk that an unauthenticated user gets access to data that is stored on disk. Data in RDS snapshots should be encrypted at rest for an added layer of security.

### Remediation


To encrypt an RDS snapshot, see [Encrypting Amazon RDS resources](https://docs.amazonaws.cn/AmazonRDS/latest/UserGuide/Overview.Encryption.html) in the *Amazon RDS User Guide*. When you encrypt an RDS DB instance, the encrypted data includes the underlying storage for the instance, its automated backups, read replicas, and snapshots.

You can only encrypt an RDS DB instance when you create it, not after the DB instance is created. However, because you can encrypt a copy of an unencrypted snapshot, you can effectively add encryption to an unencrypted DB instance. That is, you can create a snapshot of your DB instance, and then create an encrypted copy of that snapshot. You can then restore a DB instance from the encrypted snapshot, and thus you have an encrypted copy of your original DB instance.
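
The snapshot, copy, and restore sequence described above, as an added Python example that is not part of the Amazon RDS documentation. The function accepts any object that exposes the boto3 RDS client methods it calls, so it runs unchanged against `boto3.client("rds")`; `FakeRds` is a constructed offline stand-in that records the calls, and the instance identifiers and KMS key ARN are placeholders.

```python
"""RDS.4 remediation: snapshot an unencrypted instance, copy the snapshot
with a KMS key (the copy is where encryption is applied) and restore an
encrypted instance from the copy.

Added example, not code from the Amazon RDS documentation. The function
works with any object exposing the boto3 RDS client methods it calls;
``FakeRds`` below is a constructed offline stand-in that records the
calls. Identifiers and the KMS key ARN are placeholders.
"""
import time


def wait_for_snapshot(rds, snapshot_id, poll_seconds=30, max_polls=240):
    """Poll until the snapshot is 'available'; surface failures instead of hanging."""
    for _ in range(max_polls):
        resp = rds.describe_db_snapshots(DBSnapshotIdentifier=snapshot_id)
        snap = resp["DBSnapshots"][0]
        if snap["Status"] == "available":
            return snap
        if snap["Status"] == "failed":
            raise RuntimeError("snapshot %s failed" % snapshot_id)
        time.sleep(poll_seconds)
    raise TimeoutError("snapshot %s not available after %d polls" % (snapshot_id, max_polls))


def encrypt_instance_via_snapshot(rds, instance_id, kms_key_id, new_instance_id, poll_seconds=30):
    """Return the identifiers created. The old instance is left running for
    cut-over; rename or delete it afterwards (not part of this example)."""
    src = instance_id + "-pre-encryption"
    enc = instance_id + "-encrypted"
    rds.create_db_snapshot(DBSnapshotIdentifier=src, DBInstanceIdentifier=instance_id)
    wait_for_snapshot(rds, src, poll_seconds)
    # KmsKeyId on the copy is what makes the target snapshot encrypted.
    rds.copy_db_snapshot(SourceDBSnapshotIdentifier=src, TargetDBSnapshotIdentifier=enc,
                         KmsKeyId=kms_key_id, CopyTags=True)
    copied = wait_for_snapshot(rds, enc, poll_seconds)
    if not copied.get("Encrypted"):
        # Never restore plaintext by accident (wrong key, wrong Region, ...).
        raise RuntimeError("copy %s is not encrypted" % enc)
    rds.restore_db_instance_from_db_snapshot(
        DBInstanceIdentifier=new_instance_id, DBSnapshotIdentifier=enc,
        PubliclyAccessible=False, DeletionProtection=True)
    return {"source_snapshot": src, "encrypted_snapshot": enc, "instance": new_instance_id}


class FakeRds:
    """Constructed stand-in for boto3.client('rds'): records calls and
    reports each snapshot as 'creating' once, then 'available'."""

    def __init__(self):
        self.calls = []
        self.snapshots = {}
        self.polls = {}

    def create_db_snapshot(self, **kw):
        self.calls.append(("create_db_snapshot", kw))
        self.snapshots[kw["DBSnapshotIdentifier"]] = {"Encrypted": False}

    def copy_db_snapshot(self, **kw):
        self.calls.append(("copy_db_snapshot", kw))
        self.snapshots[kw["TargetDBSnapshotIdentifier"]] = {"Encrypted": "KmsKeyId" in kw}

    def describe_db_snapshots(self, DBSnapshotIdentifier, **kw):
        n = self.polls.get(DBSnapshotIdentifier, 0)
        self.polls[DBSnapshotIdentifier] = n + 1
        snap = dict(self.snapshots[DBSnapshotIdentifier],
                    DBSnapshotIdentifier=DBSnapshotIdentifier,
                    Status="available" if n else "creating")
        return {"DBSnapshots": [snap]}

    def restore_db_instance_from_db_snapshot(self, **kw):
        self.calls.append(("restore_db_instance_from_db_snapshot", kw))


if __name__ == "__main__":
    fake = FakeRds()
    print(encrypt_instance_via_snapshot(
        fake, "orders-db",
        "arn:aws:kms:us-east-1:123456789012:key/00000000-0000-0000-0000-000000000000",
        "orders-db-enc", poll_seconds=0))
    for name, kw in fake.calls:
        print(name, kw)
```

The restored instance gets `PubliclyAccessible=False` and `DeletionProtection=True` so that it does not immediately fail RDS.2 or RDS.8; parameter groups, option groups, security groups, and Multi-AZ have to be carried over explicitly in the restore call as well, and the unencrypted source snapshot should be deleted once the encrypted copy is verified.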

## [RDS.5] RDS DB instances should be configured with multiple Availability Zones


**Related requirements:** CIS Amazon Foundations Benchmark v5.0.0/2.2.4, NIST.800-53.r5 CP-10, NIST.800-53.r5 CP-6(2), NIST.800-53.r5 SC-36, NIST.800-53.r5 SC-5(2), NIST.800-53.r5 SI-13(5)

**Category:** Recover > Resilience > High availability

**Severity:** Medium

**Resource type:** `AWS::RDS::DBInstance`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/rds-multi-az-support.html](https://docs.amazonaws.cn/config/latest/developerguide/rds-multi-az-support.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether high availability is enabled for your RDS DB instances. The control fails if an RDS DB instance isn't configured with multiple Availability Zones (AZs). This control doesn't apply to RDS DB instances that are part of a Multi-AZ DB cluster deployment.

Configuring Amazon RDS DB instances with AZs helps ensure the availability of stored data. Multi-AZ deployments allow for automated failover if there is an issue with AZ availability and during regular RDS maintenance.

### Remediation


To deploy your DB instances in multiple AZs, see [Modifying a DB instance to be a Multi-AZ DB instance deployment](https://docs.amazonaws.cn/AmazonRDS/latest/UserGuide/Concepts.MultiAZSingleStandby.html#Concepts.MultiAZ.Migrating) in the *Amazon RDS User Guide*.

## [RDS.6] Enhanced monitoring should be configured for RDS DB instances


**Related requirements:** NIST.800-53.r5 CA-7, NIST.800-53.r5 SI-2

**Category:** Detect > Detection services

**Severity:** Low

**Resource type:** `AWS::RDS::DBInstance`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/rds-enhanced-monitoring-enabled.html](https://docs.amazonaws.cn/config/latest/developerguide/rds-enhanced-monitoring-enabled.html)

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  `monitoringInterval`  |  Number of seconds between monitoring metric collection intervals  |  Enum  |  `1`, `5`, `10`, `15`, `30`, `60`  |  No default value  | 

This control checks whether enhanced monitoring is enabled for an Amazon Relational Database Service (Amazon RDS) DB instance. The control fails if enhanced monitoring isn't enabled for the instance. If you provide a custom value for the `monitoringInterval` parameter, the control passes only if enhanced monitoring metrics are collected for the instance at the specified interval.

In Amazon RDS, Enhanced Monitoring enables a more rapid response to performance changes in underlying infrastructure. These performance changes could result in a lack of availability of the data. Enhanced Monitoring provides real-time metrics of the operating system that your RDS DB instance runs on. An agent is installed on the instance. The agent can obtain metrics more accurately than is possible from the hypervisor layer.

Enhanced Monitoring metrics are useful when you want to see how different processes or threads on a DB instance use the CPU. For more information, see [Enhanced Monitoring](https://docs.amazonaws.cn/AmazonRDS/latest/UserGuide/USER_Monitoring.OS.html) in the *Amazon RDS User Guide*.

### Remediation


For detailed instructions on enabling Enhanced Monitoring for your DB instance, see [Setting up for and enabling Enhanced Monitoring](https://docs.amazonaws.cn/AmazonRDS/latest/UserGuide/USER_Monitoring.OS.Enabling) in the *Amazon RDS User Guide*.

## [RDS.7] RDS clusters should have deletion protection enabled


**Related requirements:** NIST.800-53.r5 CM-3, NIST.800-53.r5 SC-5(2)

**Category:** Protect > Data protection > Data deletion protection

**Severity:** Medium

**Resource type:** `AWS::RDS::DBCluster`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/rds-cluster-deletion-protection-enabled.html](https://docs.amazonaws.cn/config/latest/developerguide/rds-cluster-deletion-protection-enabled.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether an RDS DB cluster has deletion protection enabled. The control fails if an RDS DB cluster doesn't have deletion protection enabled.

This control is intended for RDS DB clusters. However, it can also generate findings for Aurora DB clusters, Neptune DB clusters, and Amazon DocumentDB clusters. If these findings are not useful, then you can suppress them.

Enabling cluster deletion protection is an additional layer of protection against accidental database deletion or deletion by an unauthorized entity.

When deletion protection is enabled, an RDS cluster cannot be deleted. Before a deletion request can succeed, deletion protection must be disabled.

### Remediation


To enable deletion protection for an RDS DB cluster, see [Modifying the DB cluster by using the console, CLI, and API](https://docs.amazonaws.cn/AmazonRDS/latest/AuroraUserGuide/Aurora.Modifying.html#Aurora.Modifying.Cluster) in the *Amazon Aurora User Guide*. For **Deletion protection**, choose **Enable deletion protection**. 

## [RDS.8] RDS DB instances should have deletion protection enabled


**Related requirements:** NIST.800-53.r5 CM-3, NIST.800-53.r5 SC-5(2), NIST.800-53.r5 SI-13(5)

**Category:** Protect > Data protection > Data deletion protection

**Severity:** Low

**Resource type:** `AWS::RDS::DBInstance`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/rds-instance-deletion-protection-enabled.html](https://docs.amazonaws.cn/config/latest/developerguide/rds-instance-deletion-protection-enabled.html)

**Schedule type:** Change triggered

**Parameters:**
+ `databaseEngines`: `mariadb,mysql,custom-oracle-ee,oracle-ee-cdb,oracle-se2-cdb,oracle-ee,oracle-se2,oracle-se1,oracle-se,postgres,sqlserver-ee,sqlserver-se,sqlserver-ex,sqlserver-web` (not customizable)

This control checks whether your RDS DB instances that use one of the listed database engines have deletion protection enabled. The control fails if an RDS DB instance doesn't have deletion protection enabled.

Enabling instance deletion protection is an additional layer of protection against accidental database deletion or deletion by an unauthorized entity.

While deletion protection is enabled, an RDS DB instance cannot be deleted. Before a deletion request can succeed, deletion protection must be disabled.

### Remediation


To enable deletion protection for an RDS DB instance, see [Modifying an Amazon RDS DB instance](https://docs.amazonaws.cn/AmazonRDS/latest/UserGuide/Overview.DBInstance.Modifying.html) in the *Amazon RDS User Guide*. For **Deletion protection**, choose **Enable deletion protection**. 

## [RDS.9] RDS DB instances should publish logs to CloudWatch Logs


**Related requirements:** NIST.800-53.r5 AC-2(4), NIST.800-53.r5 AC-4(26), NIST.800-53.r5 AC-6(9), NIST.800-53.r5 AU-10, NIST.800-53.r5 AU-12, NIST.800-53.r5 AU-2, NIST.800-53.r5 AU-3, NIST.800-53.r5 AU-6(3), NIST.800-53.r5 AU-6(4), NIST.800-53.r5 CA-7, NIST.800-53.r5 SC-7(10), NIST.800-53.r5 SC-7(9), NIST.800-53.r5 SI-3(8), NIST.800-53.r5 SI-4(20), NIST.800-53.r5 SI-7(8), PCI DSS v4.0.1/10.2.1

**Category:** Identify > Logging

**Severity:** Medium

**Resource type:** `AWS::RDS::DBInstance`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/rds-logging-enabled.html](https://docs.amazonaws.cn/config/latest/developerguide/rds-logging-enabled.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether an Amazon RDS DB instance is configured to publish the following logs to Amazon CloudWatch Logs. The control fails if the instance isn't configured to publish all of the logs listed for its engine:
+ Oracle: Alert, Audit, Trace, Listener
+ PostgreSQL: Postgresql, Upgrade
+ MySQL: Audit, Error, General, SlowQuery
+ MariaDB: Audit, Error, General, SlowQuery
+ SQL Server: Error, Agent
+ Aurora: Audit, Error, General, SlowQuery
+ Aurora-MySQL: Audit, Error, General, SlowQuery
+ Aurora-PostgreSQL: Postgresql

RDS databases should have relevant logs enabled. Database logging provides detailed records of requests made to RDS. Database logs can assist with security and access audits and can help to diagnose availability issues.

### Remediation


For information about publishing RDS database logs to CloudWatch Logs, see [Specifying the logs to publish to CloudWatch Logs](https://docs.amazonaws.cn/AmazonRDS/latest/UserGuide/USER_LogAccess.Procedural.UploadtoCloudWatch.html#integrating_cloudwatchlogs.configure) in the *Amazon RDS User Guide*.
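
The per-engine list above corresponds to the lowercase log type names that the RDS API uses in `EnabledCloudwatchLogsExports`. The following Python code is an added example, not part of the Amazon RDS documentation: it computes the exports an instance is still missing and builds the `ModifyDBInstance` call that enables them without disturbing exports that are already on. The instance records are constructed, and treating engines the control doesn't list (such as RDS Custom) as out of scope is an assumption.

```python
"""RDS.9: work out which CloudWatch Logs exports an instance still lacks
and build the modify_db_instance call that turns them on.

Added example, not code from the Amazon RDS documentation. REQUIRED
restates the control's per-engine list using the log type names the RDS
API expects in EnabledCloudwatchLogsExports. The instance records are
constructed in the shape describe_db_instances returns.
"""

REQUIRED = {
    "oracle": ["alert", "audit", "trace", "listener"],
    "postgres": ["postgresql", "upgrade"],
    "mysql": ["audit", "error", "general", "slowquery"],
    "mariadb": ["audit", "error", "general", "slowquery"],
    "sqlserver": ["error", "agent"],
    "aurora": ["audit", "error", "general", "slowquery"],
    "aurora-mysql": ["audit", "error", "general", "slowquery"],
    "aurora-postgresql": ["postgresql"],
}

SAMPLE_INSTANCES = [  # constructed
    {"DBInstanceIdentifier": "shop-mysql", "Engine": "mysql",
     "EnabledCloudwatchLogsExports": ["error", "general"]},
    {"DBInstanceIdentifier": "crm-pg", "Engine": "postgres",
     "EnabledCloudwatchLogsExports": ["postgresql", "upgrade"]},
    {"DBInstanceIdentifier": "erp-mssql", "Engine": "sqlserver-se",
     "EnabledCloudwatchLogsExports": []},
    {"DBInstanceIdentifier": "ledger-ora", "Engine": "oracle-ee-cdb",
     "EnabledCloudwatchLogsExports": ["alert"]},
]


def required_logs(engine):
    """Map an Engine value to the required exports. 'oracle-ee-cdb' and
    'sqlserver-se' resolve through their family; engines the control does
    not list (assumption: RDS Custom 'custom-*' engines) get an empty list."""
    if engine in REQUIRED:
        return list(REQUIRED[engine])
    return list(REQUIRED.get(engine.split("-")[0], []))


def missing_logs(instance):
    """Required exports not present in EnabledCloudwatchLogsExports."""
    enabled = set(instance.get("EnabledCloudwatchLogsExports", []))
    return [log for log in required_logs(instance["Engine"]) if log not in enabled]


def enable_logs_params(instance):
    """modify_db_instance kwargs, or {} when the instance already complies.
    Only the missing types are listed, so exports already on stay on.
    For RDS for MySQL/MariaDB the 'audit' export only carries records once
    the MARIADB_AUDIT_PLUGIN option is in the instance's option group."""
    missing = missing_logs(instance)
    if not missing:
        return {}
    return {
        "DBInstanceIdentifier": instance["DBInstanceIdentifier"],
        "CloudwatchLogsExportConfiguration": {"EnableLogTypes": missing},
        "ApplyImmediately": True,
    }


def plan(instances):
    """Instance identifier -> modify_db_instance kwargs for non-compliant instances."""
    out = {}
    for inst in instances:
        params = enable_logs_params(inst)
        if params:
            out[inst["DBInstanceIdentifier"]] = params
    return out


if __name__ == "__main__":
    for ident, params in plan(SAMPLE_INSTANCES).items():
        print(ident, "->", params["CloudwatchLogsExportConfiguration"])
```

Feed `plan` the `DBInstances` list from `describe_db_instances` and pass each entry to `modify_db_instance(**params)`; the log group `/aws/rds/instance/<identifier>/<log type>` is created on first publish, and its retention should be set separately, since CloudWatch Logs keeps data indefinitely by default.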

## [RDS.10] IAM authentication should be configured for RDS instances


**Related requirements:** NIST.800-53.r5 AC-2(1), NIST.800-53.r5 AC-3, NIST.800-53.r5 AC-3(15), NIST.800-53.r5 AC-3(7), NIST.800-53.r5 AC-6

**Category:** Protect > Secure access management > Passwordless authentication

**Severity:** Medium

**Resource type:** `AWS::RDS::DBInstance`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/rds-instance-iam-authentication-enabled.html](https://docs.amazonaws.cn/config/latest/developerguide/rds-instance-iam-authentication-enabled.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether an RDS DB instance has IAM database authentication enabled. The control fails if IAM authentication is not configured for RDS DB instances. This control only evaluates RDS instances with the following engine types: `mysql`, `postgres`, `aurora`, `aurora-mysql`, `aurora-postgresql`, and `mariadb`. An RDS instance must also be in one of the following states for a finding to be generated: `available`, `backing-up`, `storage-optimization`, or `storage-full`.

IAM database authentication allows authentication to database instances with an authentication token instead of a password. Network traffic to and from the database is encrypted using SSL. For more information, see [IAM database authentication](https://docs.amazonaws.cn/AmazonRDS/latest/AuroraUserGuide/UsingWithRDS.IAMDBAuth.html) in the *Amazon Aurora User Guide*.

### Remediation


To activate IAM database authentication on an RDS DB instance, see [Enabling and disabling IAM database authentication](https://docs.amazonaws.cn/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.Enabling.html) in the *Amazon RDS User Guide*.

## [RDS.11] RDS instances should have automatic backups enabled


**Related requirements:** NIST.800-53.r5 CP-10, NIST.800-53.r5 CP-6, NIST.800-53.r5 CP-6(1), NIST.800-53.r5 CP-6(2), NIST.800-53.r5 CP-9, NIST.800-53.r5 SC-5(2), NIST.800-53.r5 SI-12, NIST.800-53.r5 SI-13(5)

**Category:** Recover > Resilience > Backups enabled

**Severity:** Medium

**Resource type:** `AWS::RDS::DBInstance`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/db-instance-backup-enabled.html](https://docs.amazonaws.cn/config/latest/developerguide/db-instance-backup-enabled.html)

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  `backupRetentionMinimum`  |  Minimum backup retention period in days  |  Integer  |  `7` to `35`  |  `7`  | 
|  `checkReadReplicas`  |  Checks whether RDS DB instances have backups enabled for read replicas  |  Boolean  |  Not customizable  |  `false`  | 

This control checks whether an Amazon Relational Database Service instance has automated backups enabled, and a backup retention period greater than or equal to the specified time frame. Read replicas are excluded from evaluation. The control fails if backups aren't enabled for the instance, or if the retention period is less than the specified time frame. Unless you provide a custom parameter value for the backup retention period, Security Hub CSPM uses a default value of 7 days.

Backups help you recover more quickly from a security incident and strengthen the resilience of your systems. Amazon RDS lets you configure daily full instance volume snapshots. For more information about Amazon RDS automated backups, see [Working with Backups](https://docs.amazonaws.cn/AmazonRDS/latest/UserGuide/USER_WorkingWithAutomatedBackups.html) in the *Amazon RDS User Guide*.
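As an added example (not Security Hub CSPM's own rule code), the following evaluates the RDS.10 scope rules above and the RDS.11 retention and read-replica rules in this section against DB instance records shaped like the RDS `DescribeDBInstances` response. The field names `IAMDatabaseAuthenticationEnabled`, `BackupRetentionPeriod`, `ReadReplicaSourceDBInstanceIdentifier` and `DBInstanceStatus` are assumptions about that API; the sample records are constructed.

```python
"""Offline evaluator for RDS.10 (IAM auth) and RDS.11 (automated backups)."""

# Scope from the RDS.10 control text: engines and instance states that are evaluated.
IAM_AUTH_ENGINES = {"mysql", "postgres", "aurora", "aurora-mysql",
                    "aurora-postgresql", "mariadb"}
IAM_AUTH_STATES = {"available", "backing-up", "storage-optimization", "storage-full"}

# RDS.11 default used when no custom backupRetentionMinimum is supplied.
DEFAULT_BACKUP_RETENTION_MINIMUM = 7


def check_rds_10(instance):
    """RDS.10: IAM database authentication must be enabled on in-scope instances."""
    if instance.get("Engine") not in IAM_AUTH_ENGINES:
        return "NOT_APPLICABLE"
    if instance.get("DBInstanceStatus") not in IAM_AUTH_STATES:
        return "NOT_APPLICABLE"   # e.g. 'creating' or 'modifying': no finding generated
    return "PASSED" if instance.get("IAMDatabaseAuthenticationEnabled") else "FAILED"


def check_rds_11(instance, backup_retention_minimum=DEFAULT_BACKUP_RETENTION_MINIMUM):
    """RDS.11: backups enabled and retention >= backup_retention_minimum days.

    Read replicas are excluded from evaluation, as in the control text.
    """
    if not 7 <= backup_retention_minimum <= 35:        # allowed custom values
        raise ValueError("backupRetentionMinimum must be between 7 and 35 days")
    if instance.get("ReadReplicaSourceDBInstanceIdentifier"):
        return "NOT_APPLICABLE"
    # Assumption: a retention period of 0 means automated backups are disabled.
    retention = instance.get("BackupRetentionPeriod", 0)
    if retention <= 0:
        return "FAILED"
    return "PASSED" if retention >= backup_retention_minimum else "FAILED"


def evaluate(instances, backup_retention_minimum=DEFAULT_BACKUP_RETENTION_MINIMUM):
    """Return {identifier: {'RDS.10': status, 'RDS.11': status}}."""
    return {
        inst["DBInstanceIdentifier"]: {
            "RDS.10": check_rds_10(inst),
            "RDS.11": check_rds_11(inst, backup_retention_minimum),
        }
        for inst in instances
    }


# Constructed sample records (not real resources).
SAMPLE_INSTANCES = [
    {"DBInstanceIdentifier": "app-pg", "Engine": "postgres",
     "DBInstanceStatus": "available", "IAMDatabaseAuthenticationEnabled": True,
     "BackupRetentionPeriod": 14},
    {"DBInstanceIdentifier": "app-mysql", "Engine": "mysql",
     "DBInstanceStatus": "available", "IAMDatabaseAuthenticationEnabled": False,
     "BackupRetentionPeriod": 1},                         # retention below the default
    {"DBInstanceIdentifier": "app-mysql-replica", "Engine": "mysql",
     "DBInstanceStatus": "available", "IAMDatabaseAuthenticationEnabled": False,
     "BackupRetentionPeriod": 0,
     "ReadReplicaSourceDBInstanceIdentifier": "app-mysql"},  # replica: RDS.11 skips it
    {"DBInstanceIdentifier": "new-maria", "Engine": "mariadb",
     "DBInstanceStatus": "creating", "IAMDatabaseAuthenticationEnabled": False,
     "BackupRetentionPeriod": 7},                         # state out of RDS.10 scope
    {"DBInstanceIdentifier": "reports-mssql", "Engine": "sqlserver-se",
     "DBInstanceStatus": "available", "IAMDatabaseAuthenticationEnabled": False,
     "BackupRetentionPeriod": 0},                         # engine out of RDS.10 scope
]

if __name__ == "__main__":
    for ident, result in evaluate(SAMPLE_INSTANCES).items():
        print(ident, result)
```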

### Remediation


To enable automated backups on an RDS DB instance, see [Enabling automated backups](https://docs.amazonaws.cn/AmazonRDS/latest/UserGuide/USER_WorkingWithAutomatedBackups.html#USER_WorkingWithAutomatedBackups.Enabling) in the *Amazon RDS User Guide*.

## [RDS.12] IAM authentication should be configured for RDS clusters


**Related requirements:** NIST.800-53.r5 AC-2(1), NIST.800-53.r5 AC-3, NIST.800-53.r5 AC-3(15), NIST.800-53.r5 AC-3(7), NIST.800-53.r5 AC-6

**Category:** Protect > Secure access management > Passwordless authentication

**Severity:** Medium

**Resource type:** `AWS::RDS::DBCluster`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/rds-cluster-iam-authentication-enabled.html](https://docs.amazonaws.cn/config/latest/developerguide/rds-cluster-iam-authentication-enabled.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether an Amazon RDS DB cluster has IAM database authentication enabled.

IAM database authentication allows for password-free authentication to database instances. The authentication uses an authentication token. Network traffic to and from the database is encrypted using SSL. For more information, see [IAM database authentication](https://docs.amazonaws.cn/AmazonRDS/latest/AuroraUserGuide/UsingWithRDS.IAMDBAuth.html) in the *Amazon Aurora User Guide*.

### Remediation


To enable IAM authentication for a DB cluster, see [Enabling and disabling IAM database authentication](https://docs.amazonaws.cn/AmazonRDS/latest/AuroraUserGuide/UsingWithRDS.IAMDBAuth.Enabling.html) in the *Amazon Aurora User Guide*.

## [RDS.13] RDS automatic minor version upgrades should be enabled


**Related requirements:** CIS Amazon Foundations Benchmark v5.0.0/2.2.2, CIS Amazon Foundations Benchmark v3.0.0/2.3.2, NIST.800-53.r5 SI-2, NIST.800-53.r5 SI-2(2), NIST.800-53.r5 SI-2(4), NIST.800-53.r5 SI-2(5), PCI DSS v4.0.1/6.3.3

**Category:** Identify > Vulnerability, patch, and version management

**Severity:** High

**Resource type:** `AWS::RDS::DBInstance`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/rds-automatic-minor-version-upgrade-enabled.html](https://docs.amazonaws.cn/config/latest/developerguide/rds-automatic-minor-version-upgrade-enabled.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether automatic minor version upgrades are enabled for the RDS database instance.

Automatic minor version upgrades periodically update a database to recent database engine versions. However, the upgrade might not always include the latest database engine version. If you need to keep your databases on specific versions at particular times, we recommend that you manually upgrade to the database versions that you need according to your required schedule. In cases of critical security issues or when a version reaches its end-of-support date, Amazon RDS might apply a minor version upgrade even if you haven't enabled the **Auto minor version upgrade** option. For more information, see the Amazon RDS upgrade documentation for your specific database engine:
+ [Automatic minor version upgrades for RDS for MariaDB](https://docs.amazonaws.cn/AmazonRDS/latest/UserGuide/USER_UpgradeDBInstance.MariaDB.Minor.html)
+ [Automatic minor version upgrades for RDS for MySQL](https://docs.amazonaws.cn/AmazonRDS/latest/UserGuide/USER_UpgradeDBInstance.MySQL.Minor.html)
+ [Automatic minor version upgrades for RDS for PostgreSQL](https://docs.amazonaws.cn/AmazonRDS/latest/UserGuide/USER_UpgradeDBInstance.PostgreSQL.Minor.html)
+ [Db2 on Amazon RDS versions](https://docs.amazonaws.cn/AmazonRDS/latest/UserGuide/Db2.Concepts.VersionMgmt.html)
+ [Oracle minor version upgrades](https://docs.amazonaws.cn/AmazonRDS/latest/UserGuide/USER_UpgradeDBInstance.Oracle.Minor.html)
+ [Upgrades of the Microsoft SQL Server DB engine](https://docs.amazonaws.cn/AmazonRDS/latest/UserGuide/USER_UpgradeDBInstance.SQLServer.html)

### Remediation


To enable automatic minor version upgrades for an existing DB instance, see [Modifying an Amazon RDS DB instance](https://docs.amazonaws.cn/AmazonRDS/latest/UserGuide/Overview.DBInstance.Modifying.html) in the *Amazon RDS User Guide*. For **Auto minor version upgrade**, select **Yes**.

## [RDS.14] Amazon Aurora clusters should have backtracking enabled


**Related requirements:** NIST.800-53.r5 CP-10, NIST.800-53.r5 CP-6, NIST.800-53.r5 CP-6(1), NIST.800-53.r5 CP-6(2), NIST.800-53.r5 CP-9, NIST.800-53.r5 SI-13(5)

**Category:** Recover > Resilience > Backups enabled

**Severity:** Medium

**Resource type:** `AWS::RDS::DBCluster`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/aurora-mysql-backtracking-enabled.html](https://docs.amazonaws.cn/config/latest/developerguide/aurora-mysql-backtracking-enabled.html)

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  `BacktrackWindowInHours`  |  Number of hours to backtrack an Aurora MySQL cluster  |  Double  |  `0.1` to `72`  |  No default value  | 

This control checks whether an Amazon Aurora cluster has backtracking enabled. The control fails if the cluster doesn't have backtracking enabled. If you provide a custom value for the `BacktrackWindowInHours` parameter, the control passes only if the cluster is backtracked for the specified length of time.

Backups help you recover more quickly from a security incident. They also strengthen the resilience of your systems. Aurora backtracking reduces the time to recover a database to a point in time, and it does so without requiring a database restore.

### Remediation


To enable Aurora backtracking, see [Configuring backtracking](https://docs.amazonaws.cn/AmazonRDS/latest/AuroraUserGuide/AuroraMySQL.Managing.Backtrack.html#AuroraMySQL.Managing.Backtrack.Configuring) in the *Amazon Aurora User Guide*.

Note that you cannot enable backtracking on an existing cluster. Instead, you can create a clone that has backtracking enabled. For more information about the limitations of Aurora backtracking, see the list of limitations in [Overview of backtracking](https://docs.amazonaws.cn/AmazonRDS/latest/AuroraUserGuide/AuroraMySQL.Managing.Backtrack.html).

## [RDS.15] RDS DB clusters should be configured for multiple Availability Zones


**Related requirements:** CIS Amazon Foundations Benchmark v5.0.0/2.2.4, NIST.800-53.r5 CP-10, NIST.800-53.r5 CP-6(2), NIST.800-53.r5 SC-36, NIST.800-53.r5 SC-5(2), NIST.800-53.r5 SI-13(5)

**Category:** Recover > Resilience > High availability

**Severity:** Medium

**Resource type:** `AWS::RDS::DBCluster`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/rds-cluster-multi-az-enabled.html](https://docs.amazonaws.cn/config/latest/developerguide/rds-cluster-multi-az-enabled.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether high availability is enabled for your RDS DB clusters. The control fails if an RDS DB cluster isn't deployed in multiple Availability Zones (AZs).

RDS DB clusters should be configured for multiple AZs to ensure availability of stored data. Deployment to multiple AZs allows for automated failover in the event of an AZ availability issue and during regular RDS maintenance events.

### Remediation


To deploy your DB clusters in multiple AZs, see [Modifying a DB instance to be a Multi-AZ DB instance deployment](https://docs.amazonaws.cn/AmazonRDS/latest/UserGuide/Concepts.MultiAZSingleStandby.html#Concepts.MultiAZ.Migrating) in the *Amazon RDS User Guide*.

Remediation steps differ for Aurora global databases. To configure multiple Availability Zones for an Aurora global database, select your DB cluster. Then, choose **Actions** and **Add reader**, and specify multiple AZs. For more information, see [Adding Aurora Replicas to a DB cluster](https://docs.amazonaws.cn/AmazonRDS/latest/AuroraUserGuide/aurora-replicas-adding.html) in the *Amazon Aurora User Guide*.

## [RDS.16] Aurora DB clusters should be configured to copy tags to DB snapshots


**Related requirements:** NIST.800-53.r5 CA-9(1), NIST.800-53.r5 CM-2, NIST.800-53.r5 CM-2(2)

**Category:** Identify > Inventory

**Severity:** Low

**Resource type:** `AWS::RDS::DBCluster`

**Amazon Config rule:** `rds-cluster-copy-tags-to-snapshots-enabled` (custom Security Hub CSPM rule)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether an Amazon Aurora DB cluster is configured to automatically copy tags to snapshots of the DB cluster when the snapshots are created. The control fails if the Aurora DB cluster isn't configured to automatically copy tags to snapshots of the cluster when the snapshots are created.

Identification and inventory of your IT assets is a crucial aspect of governance and security. You need to have visibility of all your Amazon Aurora DB clusters so that you can assess their security posture and take action on potential areas of weakness. Aurora DB snapshots should have the same tags as their parent DB clusters. In Amazon Aurora, you can configure a DB cluster to automatically copy all the tags for the cluster to snapshots of the cluster. Enabling this setting ensures that DB snapshots inherit the same tags as their parent DB clusters.

### Remediation


For information about configuring an Amazon Aurora DB cluster to automatically copy tags to DB snapshots, see [Modifying an Amazon Aurora DB cluster](https://docs.amazonaws.cn/AmazonRDS/latest/AuroraUserGuide/Aurora.Modifying.html) in the *Amazon Aurora User Guide*.

## [RDS.17] RDS DB instances should be configured to copy tags to snapshots


**Related requirements:** NIST.800-53.r5 CA-9(1), NIST.800-53.r5 CM-2, NIST.800-53.r5 CM-2(2)

**Category:** Identify > Inventory

**Severity:** Low

**Resource type:** `AWS::RDS::DBInstance`

**Amazon Config rule:** `rds-instance-copy-tags-to-snapshots-enabled` (custom Security Hub CSPM rule)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether RDS DB instances are configured to copy all tags to snapshots when the snapshots are created.

Identification and inventory of your IT assets is a crucial aspect of governance and security. You need to have visibility of all your RDS DB instances so that you can assess their security posture and take action on potential areas of weakness. Snapshots should be tagged in the same way as their parent RDS database instances. Enabling this setting ensures that snapshots inherit the tags of their parent database instances.

### Remediation


To automatically copy tags to snapshots for an RDS DB instance, see [Modifying an Amazon RDS DB instance](https://docs.amazonaws.cn/AmazonRDS/latest/UserGuide/Overview.DBInstance.Modifying.html) in the *Amazon RDS User Guide*. Select **Copy tags to snapshots**.

## [RDS.18] RDS instances should be deployed in a VPC


**Category:** Protect > Secure network configuration > Resources within VPC

**Severity:** High

**Resource type:** `AWS::RDS::DBInstance`

**Amazon Config rule:** `rds-deployed-in-vpc` (custom Security Hub CSPM rule)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether an Amazon RDS instance is deployed on an EC2-VPC.

VPCs provide a number of network controls to secure access to RDS resources. These controls include VPC Endpoints, network ACLs, and security groups. To take advantage of these controls, we recommend that you create your RDS instances on an EC2-VPC.

### Remediation


For instructions on moving RDS instances to a VPC, see [Updating the VPC for a DB instance](https://docs.amazonaws.cn/AmazonRDS/latest/UserGuide/USER_VPC.VPC2VPC.html) in the *Amazon RDS User Guide*.

## [RDS.19] Existing RDS event notification subscriptions should be configured for critical cluster events


**Related requirements:** NIST.800-53.r5 CA-7, NIST.800-53.r5 SI-2

**Category:** Detect > Detection services > Application monitoring

**Severity:** Low

**Resource type:** `AWS::RDS::EventSubscription`

**Amazon Config rule:** `rds-cluster-event-notifications-configured` (custom Security Hub CSPM rule)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether an existing Amazon RDS event subscription for database clusters has notifications enabled for the following source type and event category key-value pairs:

```
DBCluster: ["maintenance","failure"]
```

The control passes if there are no existing event subscriptions in your account.

RDS event notifications use Amazon SNS to make you aware of changes in the availability or configuration of your RDS resources. These notifications allow for rapid response. For additional information about RDS event notifications, see [Using Amazon RDS event notification](https://docs.amazonaws.cn/AmazonRDS/latest/UserGuide/USER_Events.html) in the *Amazon RDS User Guide*.

### Remediation


To subscribe to RDS cluster event notifications, see [Subscribing to Amazon RDS event notification](https://docs.amazonaws.cn/AmazonRDS/latest/UserGuide/USER_Events.Subscribing.html) in the *Amazon RDS User Guide*. Use the following values:


| Field | Value | 
| --- | --- | 
|  Source type  |  Clusters  | 
|  Clusters to include  |  All clusters  | 
|  Event categories to include  |  Select specific event categories or All event categories  | 

## [RDS.20] Existing RDS event notification subscriptions should be configured for critical database instance events


**Related requirements:** NIST.800-53.r5 CA-7, NIST.800-53.r5 SI-2, PCI DSS v4.0.1/11.5.2

**Category:** Detect > Detection services > Application monitoring

**Severity:** Low

**Resource type:** `AWS::RDS::EventSubscription`

**Amazon Config rule:** `rds-instance-event-notifications-configured` (custom Security Hub CSPM rule)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether an existing Amazon RDS event subscription for database instances has notifications enabled for the following source type and event category key-value pairs:

```
DBInstance: ["maintenance","configuration change","failure"]
```

The control passes if there are no existing event subscriptions in your account.

RDS event notifications use Amazon SNS to make you aware of changes in the availability or configuration of your RDS resources. These notifications allow for rapid response. For additional information about RDS event notifications, see [Using Amazon RDS event notification](https://docs.amazonaws.cn/AmazonRDS/latest/UserGuide/USER_Events.html) in the *Amazon RDS User Guide*.

### Remediation


To subscribe to RDS instance event notifications, see [Subscribing to Amazon RDS event notification](https://docs.amazonaws.cn/AmazonRDS/latest/UserGuide/USER_Events.Subscribing.html) in the *Amazon RDS User Guide*. Use the following values:


| Field | Value | 
| --- | --- | 
|  Source type  |  Instances  | 
|  Instances to include  |  All instances  | 
|  Event categories to include  |  Select specific event categories or All event categories  | 

## [RDS.21] An RDS event notifications subscription should be configured for critical database parameter group events


**Related requirements:** NIST.800-53.r5 CA-7, NIST.800-53.r5 SI-2, PCI DSS v4.0.1/11.5.2

**Category:** Detect > Detection services > Application monitoring

**Severity:** Low

**Resource type:** `AWS::RDS::EventSubscription`

**Amazon Config rule:** `rds-pg-event-notifications-configured` (custom Security Hub CSPM rule)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether an Amazon RDS event subscription exists with notifications enabled for the following source type and event category key-value pairs:

```
DBParameterGroup: ["configuration change"]
```

The control passes if there are no existing event subscriptions in your account.

RDS event notifications use Amazon SNS to make you aware of changes in the availability or configuration of your RDS resources. These notifications allow for rapid response. For additional information about RDS event notifications, see [Using Amazon RDS event notification](https://docs.amazonaws.cn/AmazonRDS/latest/UserGuide/USER_Events.html) in the *Amazon RDS User Guide*.

### Remediation


To subscribe to RDS database parameter group event notifications, see [Subscribing to Amazon RDS event notification](https://docs.amazonaws.cn/AmazonRDS/latest/UserGuide/USER_Events.Subscribing.html) in the *Amazon RDS User Guide*. Use the following values:


| Field | Value | 
| --- | --- | 
|  Source type  |  Parameter groups  | 
|  Parameter groups to include  |  All parameter groups  | 
|  Event categories to include  |  Select specific event categories or All event categories  | 

## [RDS.22] An RDS event notifications subscription should be configured for critical database security group events


**Related requirements:** NIST.800-53.r5 CA-7, NIST.800-53.r5 SI-2, PCI DSS v4.0.1/11.5.2

**Category:** Detect > Detection services > Application monitoring

**Severity:** Low

**Resource type:** `AWS::RDS::EventSubscription`

**Amazon Config rule:** `rds-sg-event-notifications-configured` (custom Security Hub CSPM rule)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether an Amazon RDS event subscription exists with notifications enabled for the following source type and event category key-value pairs:

```
DBSecurityGroup: ["configuration change","failure"]
```

The control passes if there are no existing event subscriptions in your account.

RDS event notifications use Amazon SNS to make you aware of changes in the availability or configuration of your RDS resources. These notifications allow for a rapid response. For additional information about RDS event notifications, see [Using Amazon RDS event notification](https://docs.amazonaws.cn/AmazonRDS/latest/UserGuide/USER_Events.html) in the *Amazon RDS User Guide*.

### Remediation


To subscribe to RDS database security group event notifications, see [Subscribing to Amazon RDS event notification](https://docs.amazonaws.cn/AmazonRDS/latest/UserGuide/USER_Events.Subscribing.html) in the *Amazon RDS User Guide*. Use the following values:


| Field | Value | 
| --- | --- | 
|  Source type  |  Security groups  | 
|  Security groups to include  |  All security groups  | 
|  Event categories to include  |  Select specific event categories or All event categories  | 
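RDS.19 through RDS.22 share one evaluation shape, so here is a single added example (not Security Hub CSPM's own rule code) that applies all four source type and event category requirements to subscription records shaped like the RDS `DescribeEventSubscriptions` response. The API spellings `db-cluster`, `db-instance`, `db-parameter-group` and `db-security-group` for `SourceType`, the `CustSubscriptionId`, `Enabled` and `EventCategoriesList` field names, and the convention that an empty category list means "All event categories" are assumptions about that API; the sample subscriptions are constructed.

```python
"""Offline evaluator for the RDS.19 to RDS.22 event-subscription controls."""

# Required categories per source type, from the four controls' key-value pairs.
REQUIRED_CATEGORIES = {
    "db-cluster": {"maintenance", "failure"},                           # RDS.19
    "db-instance": {"maintenance", "configuration change", "failure"},  # RDS.20
    "db-parameter-group": {"configuration change"},                     # RDS.21
    "db-security-group": {"configuration change", "failure"},           # RDS.22
}
CONTROL_IDS = {
    "db-cluster": "RDS.19",
    "db-instance": "RDS.20",
    "db-parameter-group": "RDS.21",
    "db-security-group": "RDS.22",
}


def evaluate_subscription(subscription):
    """Return (control_id, status) for one subscription, or None if out of scope."""
    source_type = subscription.get("SourceType")
    if source_type not in REQUIRED_CATEGORIES:
        return None                      # e.g. db-snapshot: no control covers it
    control_id = CONTROL_IDS[source_type]
    if not subscription.get("Enabled", False):
        return control_id, "FAILED"      # a disabled subscription notifies nobody
    categories = set(subscription.get("EventCategoriesList", []))
    # Assumption: an empty list means the subscription receives all categories.
    if categories and not REQUIRED_CATEGORIES[source_type] <= categories:
        return control_id, "FAILED"
    return control_id, "PASSED"


def evaluate_all(subscriptions):
    """Return {subscription id: (control_id, status)} for in-scope subscriptions.

    An empty result means nothing can fail: the controls pass when no event
    subscriptions exist, as the control text states.
    """
    findings = {}
    for sub in subscriptions:
        finding = evaluate_subscription(sub)
        if finding is not None:
            findings[sub["CustSubscriptionId"]] = finding
    return findings


# Constructed sample subscriptions (not real resources).
SAMPLE_SUBSCRIPTIONS = [
    {"CustSubscriptionId": "cluster-ops", "SourceType": "db-cluster", "Enabled": True,
     "EventCategoriesList": ["maintenance", "failure", "notification"]},
    {"CustSubscriptionId": "instance-failures-only", "SourceType": "db-instance",
     "Enabled": True, "EventCategoriesList": ["failure"]},   # two categories missing
    {"CustSubscriptionId": "pg-all-events", "SourceType": "db-parameter-group",
     "Enabled": True, "EventCategoriesList": []},            # all categories
    {"CustSubscriptionId": "sg-disabled", "SourceType": "db-security-group",
     "Enabled": False, "EventCategoriesList": ["configuration change", "failure"]},
    {"CustSubscriptionId": "snapshots", "SourceType": "db-snapshot", "Enabled": True,
     "EventCategoriesList": ["creation"]},                   # outside these controls
]

if __name__ == "__main__":
    for sub_id, (control_id, status) in evaluate_all(SAMPLE_SUBSCRIPTIONS).items():
        print(f"{sub_id}: {control_id} {status}")
```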

## [RDS.23] RDS instances should not use a database engine default port


**Related requirements:** NIST.800-53.r5 AC-4, NIST.800-53.r5 AC-4(21), NIST.800-53.r5 SC-7, NIST.800-53.r5 SC-7(11), NIST.800-53.r5 SC-7(16), NIST.800-53.r5 SC-7(21), NIST.800-53.r5 SC-7(4), NIST.800-53.r5 SC-7(5)

**Category:** Protect > Secure network configuration

**Severity:** Low

**Resource type:** `AWS::RDS::DBInstance`

**Amazon Config rule:** `rds-no-default-ports` (custom Security Hub CSPM rule)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether an RDS cluster or instance uses a port other than the default port of the database engine. The control fails if the RDS cluster or instance uses the default port. This control doesn't apply to RDS instances that are part of a cluster.

If you use a known port to deploy an RDS cluster or instance, an attacker can guess information about the cluster or instance. The attacker can use this information in conjunction with other information to connect to an RDS cluster or instance or gain additional information about your application.

When you change the port, you must also update the existing connection strings that were used to connect to the old port. You should also check the security group of the DB instance to ensure that it includes an ingress rule that allows connectivity on the new port.
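The port check above, together with the security group caveat, as an added example rather than Security Hub CSPM's own rule code. The records are constructed in the shape of the RDS `DescribeDBInstances` and EC2 `DescribeSecurityGroups` responses; the field names (`Endpoint.Port`, `DBClusterIdentifier`, `VpcSecurityGroups`, `IpPermissions`) are assumptions about those APIs, and the default-port table lists each engine's well-known default.

```python
"""Offline checks for RDS.23 (non-default port) and its remediation caveat."""

# Well-known default listener ports per engine family.
DEFAULT_PORTS = {
    "mysql": 3306, "mariadb": 3306, "aurora": 3306, "aurora-mysql": 3306,
    "postgres": 5432, "aurora-postgresql": 5432,
    "oracle": 1521, "sqlserver": 1433,
}


def default_port_for(engine):
    """Default port for an RDS engine string ('oracle-ee', 'sqlserver-web', ...)."""
    if engine in DEFAULT_PORTS:
        return DEFAULT_PORTS[engine]
    for family, port in DEFAULT_PORTS.items():   # editions are suffixed, e.g. oracle-se2
        if engine.startswith(family + "-"):
            return port
    return None


def check_rds_23(instance):
    """PASSED when the instance listens on a non-default port."""
    if instance.get("DBClusterIdentifier"):
        return "NOT_APPLICABLE"      # cluster members are out of scope per the control text
    default = default_port_for(instance.get("Engine", ""))
    if default is None:
        return "NOT_APPLICABLE"
    return "FAILED" if instance["Endpoint"]["Port"] == default else "PASSED"


def rule_allows_port(permission, port):
    """True if one IpPermissions entry covers TCP traffic to `port`."""
    proto = permission.get("IpProtocol")
    if proto == "-1":                # all protocols and ports
        return True
    if proto != "tcp":
        return False
    return permission.get("FromPort", 0) <= port <= permission.get("ToPort", 0)


def security_groups_allow_port(instance, security_groups):
    """Remediation caveat: after moving the port, an attached group must allow ingress on it."""
    port = instance["Endpoint"]["Port"]
    attached = {g["VpcSecurityGroupId"] for g in instance.get("VpcSecurityGroups", [])}
    for sg in security_groups:
        if sg["GroupId"] not in attached:
            continue
        if any(rule_allows_port(p, port) for p in sg.get("IpPermissions", [])):
            return True
    return False


# Constructed sample records (not real resources; IDs are placeholders).
SAMPLE_INSTANCES = [
    {"DBInstanceIdentifier": "crm-mysql", "Engine": "mysql", "Endpoint": {"Port": 3306},
     "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-crm-example"}]},
    {"DBInstanceIdentifier": "hr-pg", "Engine": "postgres", "Endpoint": {"Port": 15432},
     "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-hr-example"}]},
    {"DBInstanceIdentifier": "aurora-writer", "Engine": "aurora-mysql",
     "Endpoint": {"Port": 3306}, "DBClusterIdentifier": "aurora-prod-example"},
]
SAMPLE_SECURITY_GROUPS = [
    {"GroupId": "sg-crm-example",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306}]},
    {"GroupId": "sg-hr-example",   # stale rule: still opens the old default port only
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432}]},
]

if __name__ == "__main__":
    for inst in SAMPLE_INSTANCES:
        status = check_rds_23(inst)
        reachable = security_groups_allow_port(inst, SAMPLE_SECURITY_GROUPS)
        print(f"{inst['DBInstanceIdentifier']}: RDS.23 {status}, ingress on port ok={reachable}")
```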

### Remediation


To modify the default port of an existing RDS DB instance, see [Modifying an Amazon RDS DB instance](https://docs.amazonaws.cn/AmazonRDS/latest/UserGuide/Overview.DBInstance.Modifying.html) in the *Amazon RDS User Guide*. To modify the default port of an existing RDS DB cluster, see [Modifying the DB cluster by using the console, CLI, and API](https://docs.amazonaws.cn/AmazonRDS/latest/AuroraUserGuide/Aurora.Modifying.html#Aurora.Modifying.Cluster) in the *Amazon Aurora User Guide*. For **Database port**, change the port value to a non-default value.

## [RDS.24] RDS Database clusters should use a custom administrator username


**Related requirements:** NIST.800-53.r5 CA-9(1), NIST.800-53.r5 CM-2, PCI DSS v4.0.1/2.2.2

**Category:** Identify > Resource Configuration

**Severity:** Medium

**Resource type:** `AWS::RDS::DBCluster`

**Amazon Config rule:** [`rds-cluster-default-admin-check`](https://docs.amazonaws.cn/config/latest/developerguide/rds-cluster-default-admin-check.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether an Amazon RDS database cluster has changed the admin username from its default value. The control does not apply to engines of the type `neptune` (Neptune DB) or `docdb` (DocumentDB). The control fails if the admin username is set to the default value.

When creating an Amazon RDS database, you should change the default admin username to a unique value. Default usernames are public knowledge and should be changed during RDS database creation. Changing the default usernames reduces the risk of unintended access.

### Remediation


To change the admin username associated with an Amazon RDS database cluster, [create a new RDS database cluster](https://docs.amazonaws.cn/AmazonRDS/latest/AuroraUserGuide/Aurora.CreateInstance.html) and change the default admin username while creating the database.

## [RDS.25] RDS database instances should use a custom administrator username


**Related requirements:** NIST.800-53.r5 CA-9(1), NIST.800-53.r5 CM-2, PCI DSS v4.0.1/2.2.2

**Category:** Identify > Resource Configuration

**Severity:** Medium

**Resource type:** `AWS::RDS::DBInstance`

**Amazon Config rule:** [`rds-instance-default-admin-check`](https://docs.amazonaws.cn/config/latest/developerguide/rds-instance-default-admin-check.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether you've changed the administrative username for Amazon Relational Database Service (Amazon RDS) database instances from the default value. The control fails if the administrative username is set to the default value. The control doesn't apply to engines of the type `neptune` (Neptune DB) or `docdb` (DocumentDB), or to RDS instances that are part of a cluster.

Default administrative usernames on Amazon RDS databases are public knowledge. When creating an Amazon RDS database, you should change the default administrative username to a unique value to reduce the risk of unintended access.

### Remediation


To change the administrative username associated with an RDS database instance, first [create a new RDS database instance](https://docs.amazonaws.cn/AmazonRDS/latest/UserGuide/USER_CreateDBInstance.html). Change the default administrative username while creating the database.

## [RDS.26] RDS DB instances should be protected by a backup plan


**Category:** Recover > Resilience > Backups enabled

**Related requirements:** NIST.800-53.r5 CP-10, NIST.800-53.r5 CP-6, NIST.800-53.r5 CP-6(1), NIST.800-53.r5 CP-6(2), NIST.800-53.r5 CP-9, NIST.800-53.r5 SC-5(2), NIST.800-53.r5 SI-12, NIST.800-53.r5 SI-13(5)

**Severity:** Medium

**Resource type:** `AWS::RDS::DBInstance`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/rds-resources-protected-by-backup-plan.html](https://docs.amazonaws.cn/config/latest/developerguide/rds-resources-protected-by-backup-plan.html)

**Schedule type:** Periodic

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  `backupVaultLockCheck`  |  The control produces a `PASSED` finding if the parameter is set to true and the resource uses Amazon Backup Vault Lock.  |  Boolean  |  `true` or `false`  |  No default value  | 

This control evaluates if Amazon RDS DB instances are covered by a backup plan. This control fails if the RDS DB instance isn't covered by a backup plan. If you set the `backupVaultLockCheck` parameter equal to `true`, the control passes only if the instance is backed up in an Amazon Backup locked vault.

**Note**  
This control doesn't evaluate Neptune and DocumentDB instances. It also doesn't evaluate RDS DB instances that are members of a cluster.

Amazon Backup is a fully managed backup service that centralizes and automates the backing up of data across Amazon Web Services services. With Amazon Backup, you can create backup policies called backup plans. You can use these plans to define your backup requirements, such as how frequently to back up your data and how long to retain those backups. Including RDS DB instances in a backup plan helps you protect your data from unintended loss or deletion.

### Remediation


To add an RDS DB instance to an Amazon Backup backup plan, see [Assigning resources to a backup plan](https://docs.amazonaws.cn/aws-backup/latest/devguide/assigning-resources.html) in the *Amazon Backup Developer Guide*.

## [RDS.27] RDS DB clusters should be encrypted at rest


**Related requirements:** NIST.800-53.r5 CA-9(1), NIST.800-53.r5 CM-3(6), NIST.800-53.r5 SC-13, NIST.800-53.r5 SC-28, NIST.800-53.r5 SC-28(1), NIST.800-53.r5 SC-7(10), NIST.800-53.r5 SI-7(6)

**Category:** Protect > Data Protection > Encryption of data-at-rest

**Severity:** Medium

**Resource type:** `AWS::RDS::DBCluster`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/rds-cluster-encrypted-at-rest.html](https://docs.amazonaws.cn/config/latest/developerguide/rds-cluster-encrypted-at-rest.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks if an RDS DB cluster is encrypted at rest. The control fails if an RDS DB cluster isn't encrypted at rest.

Data at rest refers to any data that's stored in persistent, non-volatile storage for any duration. Encryption helps you protect the confidentiality of such data, reducing the risk that an unauthorized user can access it. Encrypting your RDS DB clusters protects your data and metadata against unauthorized access. It also fulfills compliance requirements for data-at-rest encryption of production file systems.

### Remediation


You can enable encryption at rest when you create an RDS DB cluster. You can't change encryption settings after creating a cluster. For more information, see [Encrypting an Amazon Aurora DB cluster](https://docs.amazonaws.cn/AmazonRDS/latest/AuroraUserGuide/Overview.Encryption.html#Overview.Encryption.Enabling) in the *Amazon Aurora User Guide*.

## [RDS.28] RDS DB clusters should be tagged


**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `AWS::RDS::DBCluster`

**Amazon Config rule:** `tagged-rds-dbcluster` (custom Security Hub CSPM rule)

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  `requiredTagKeys`  | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive.  | StringList (maximum of 6 items)  | 1–6 tag keys that meet [Amazon requirements](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-conventions).  | No default value  | 

This control checks whether an Amazon RDS DB cluster has tags with the specific keys defined in the parameter `requiredTagKeys`. The control fails if the DB cluster doesn’t have any tag keys or if it doesn’t have all the keys specified in the parameter `requiredTagKeys`. If the parameter `requiredTagKeys` isn't provided, the control only checks for the existence of a tag key and fails if the DB cluster isn't tagged with any key. System tags, which are automatically applied and begin with `aws:`, are ignored.

A tag is a label that you assign to an Amazon resource, and it consists of a key and an optional value. You can create tags to categorize resources by purpose, owner, environment, or other criteria. Tags can help you identify, organize, search for, and filter resources. Tagging also helps you track accountable resource owners for actions and notifications. When you use tagging, you can implement attribute-based access control (ABAC) as an authorization strategy, which defines permissions based on tags. You can attach tags to IAM entities (users or roles) and to Amazon resources. You can create a single ABAC policy or a separate set of policies for your IAM principals. You can design these ABAC policies to allow operations when the principal's tag matches the resource tag. For more information, see [What is ABAC for Amazon?](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*.

**Note**  
Don’t add personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible to many Amazon Web Services services, including Amazon Billing. For more tagging best practices, see [Tagging your Amazon resources](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-best-practices) in the *Amazon Web Services General Reference*.

### Remediation


To add tags to an RDS DB cluster, see [Tagging Amazon RDS resources](https://docs.amazonaws.cn/AmazonRDS/latest/UserGuide/USER_Tagging.html) in the *Amazon RDS User Guide*.

## [RDS.29] RDS DB cluster snapshots should be tagged


**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `Amazon::RDS::DBClusterSnapshot`

**Amazon Config rule:** `tagged-rds-dbclustersnapshot` (custom Security Hub CSPM rule)

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  requiredTagKeys  | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive.  | StringList (maximum of 6 items)  | 1–6 tag keys that meet [Amazon requirements](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-conventions).  | No default value  | 

This control checks whether an Amazon RDS DB cluster snapshot has tags with the specific keys defined in the parameter `requiredTagKeys`. The control fails if the DB cluster snapshot doesn’t have any tag keys or if it doesn’t have all the keys specified in the parameter `requiredTagKeys`. If the parameter `requiredTagKeys` isn't provided, the control only checks for the existence of a tag key and fails if the DB cluster snapshot isn't tagged with any key. System tags, which are automatically applied and begin with `aws:`, are ignored.

A tag is a label that you assign to an Amazon resource, and it consists of a key and an optional value. You can create tags to categorize resources by purpose, owner, environment, or other criteria. Tags can help you identify, organize, search for, and filter resources. Tagging also helps you track accountable resource owners for actions and notifications. When you use tagging, you can implement attribute-based access control (ABAC) as an authorization strategy, which defines permissions based on tags. You can attach tags to IAM entities (users or roles) and to Amazon resources. You can create a single ABAC policy or a separate set of policies for your IAM principals. You can design these ABAC policies to allow operations when the principal's tag matches the resource tag. For more information, see [What is ABAC for Amazon?](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*.

**Note**  
Don’t add personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible to many Amazon Web Services services, including Amazon Billing. For more tagging best practices, see [Tagging your Amazon resources](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-best-practices) in the *Amazon Web Services General Reference*.

### Remediation


To add tags to an RDS DB cluster snapshot, see [Tagging Amazon RDS resources](https://docs.amazonaws.cn/AmazonRDS/latest/UserGuide/USER_Tagging.html) in the *Amazon RDS User Guide*.

## [RDS.30] RDS DB instances should be tagged


**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `Amazon::RDS::DBInstance`

**Amazon Config rule:** `tagged-rds-dbinstance` (custom Security Hub CSPM rule)

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  requiredTagKeys  | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive.  | StringList (maximum of 6 items)  | 1–6 tag keys that meet [Amazon requirements](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-conventions).  | No default value  | 

This control checks whether an Amazon RDS DB instance has tags with the specific keys defined in the parameter `requiredTagKeys`. The control fails if the DB instance doesn’t have any tag keys or if it doesn’t have all the keys specified in the parameter `requiredTagKeys`. If the parameter `requiredTagKeys` isn't provided, the control only checks for the existence of a tag key and fails if the DB instance isn't tagged with any key. System tags, which are automatically applied and begin with `aws:`, are ignored.

A tag is a label that you assign to an Amazon resource, and it consists of a key and an optional value. You can create tags to categorize resources by purpose, owner, environment, or other criteria. Tags can help you identify, organize, search for, and filter resources. Tagging also helps you track accountable resource owners for actions and notifications. When you use tagging, you can implement attribute-based access control (ABAC) as an authorization strategy, which defines permissions based on tags. You can attach tags to IAM entities (users or roles) and to Amazon resources. You can create a single ABAC policy or a separate set of policies for your IAM principals. You can design these ABAC policies to allow operations when the principal's tag matches the resource tag. For more information, see [What is ABAC for Amazon?](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*.

**Note**  
Don’t add personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible to many Amazon Web Services services, including Amazon Billing. For more tagging best practices, see [Tagging your Amazon resources](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-best-practices) in the *Amazon Web Services General Reference*.

### Remediation


To add tags to an RDS DB instance, see [Tagging Amazon RDS resources](https://docs.amazonaws.cn/AmazonRDS/latest/UserGuide/USER_Tagging.html) in the *Amazon RDS User Guide*.

## [RDS.31] RDS DB security groups should be tagged


**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `Amazon::RDS::DBSecurityGroup`

**Amazon Config rule:** `tagged-rds-dbsecuritygroup` (custom Security Hub CSPM rule)

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  requiredTagKeys  | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive.  | StringList (maximum of 6 items)  | 1–6 tag keys that meet [Amazon requirements](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-conventions).  | No default value  | 

This control checks whether an Amazon RDS DB security group has tags with the specific keys defined in the parameter `requiredTagKeys`. The control fails if the DB security group doesn’t have any tag keys or if it doesn’t have all the keys specified in the parameter `requiredTagKeys`. If the parameter `requiredTagKeys` isn't provided, the control only checks for the existence of a tag key and fails if the DB security group isn't tagged with any key. System tags, which are automatically applied and begin with `aws:`, are ignored.

A tag is a label that you assign to an Amazon resource, and it consists of a key and an optional value. You can create tags to categorize resources by purpose, owner, environment, or other criteria. Tags can help you identify, organize, search for, and filter resources. Tagging also helps you track accountable resource owners for actions and notifications. When you use tagging, you can implement attribute-based access control (ABAC) as an authorization strategy, which defines permissions based on tags. You can attach tags to IAM entities (users or roles) and to Amazon resources. You can create a single ABAC policy or a separate set of policies for your IAM principals. You can design these ABAC policies to allow operations when the principal's tag matches the resource tag. For more information, see [What is ABAC for Amazon?](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*.

**Note**  
Don’t add personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible to many Amazon Web Services services, including Amazon Billing. For more tagging best practices, see [Tagging your Amazon resources](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-best-practices) in the *Amazon Web Services General Reference*.

### Remediation


To add tags to an RDS DB security group, see [Tagging Amazon RDS resources](https://docs.amazonaws.cn/AmazonRDS/latest/UserGuide/USER_Tagging.html) in the *Amazon RDS User Guide*.

## [RDS.32] RDS DB snapshots should be tagged


**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `Amazon::RDS::DBSnapshot`

**Amazon Config rule:** `tagged-rds-dbsnapshot` (custom Security Hub CSPM rule)

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  requiredTagKeys  | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive.  | StringList (maximum of 6 items)  | 1–6 tag keys that meet [Amazon requirements](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-conventions).  | No default value  | 

This control checks whether an Amazon RDS DB snapshot has tags with the specific keys defined in the parameter `requiredTagKeys`. The control fails if the DB snapshot doesn’t have any tag keys or if it doesn’t have all the keys specified in the parameter `requiredTagKeys`. If the parameter `requiredTagKeys` isn't provided, the control only checks for the existence of a tag key and fails if the DB snapshot isn't tagged with any key. System tags, which are automatically applied and begin with `aws:`, are ignored.

A tag is a label that you assign to an Amazon resource, and it consists of a key and an optional value. You can create tags to categorize resources by purpose, owner, environment, or other criteria. Tags can help you identify, organize, search for, and filter resources. Tagging also helps you track accountable resource owners for actions and notifications. When you use tagging, you can implement attribute-based access control (ABAC) as an authorization strategy, which defines permissions based on tags. You can attach tags to IAM entities (users or roles) and to Amazon resources. You can create a single ABAC policy or a separate set of policies for your IAM principals. You can design these ABAC policies to allow operations when the principal's tag matches the resource tag. For more information, see [What is ABAC for Amazon?](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*.

**Note**  
Don’t add personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible to many Amazon Web Services services, including Amazon Billing. For more tagging best practices, see [Tagging your Amazon resources](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-best-practices) in the *Amazon Web Services General Reference*.

### Remediation


To add tags to an RDS DB snapshot, see [Tagging Amazon RDS resources](https://docs.amazonaws.cn/AmazonRDS/latest/UserGuide/USER_Tagging.html) in the *Amazon RDS User Guide*.

## [RDS.33] RDS DB subnet groups should be tagged


**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `Amazon::RDS::DBSubnetGroup`

**Amazon Config rule:** `tagged-rds-dbsubnetgroups` (custom Security Hub CSPM rule)

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  requiredTagKeys  | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive.  | StringList (maximum of 6 items)  | 1–6 tag keys that meet [Amazon requirements](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-conventions).  | No default value  | 

This control checks whether an Amazon RDS DB subnet group has tags with the specific keys defined in the parameter `requiredTagKeys`. The control fails if the DB subnet group doesn’t have any tag keys or if it doesn’t have all the keys specified in the parameter `requiredTagKeys`. If the parameter `requiredTagKeys` isn't provided, the control only checks for the existence of a tag key and fails if the DB subnet group isn't tagged with any key. System tags, which are automatically applied and begin with `aws:`, are ignored.

A tag is a label that you assign to an Amazon resource, and it consists of a key and an optional value. You can create tags to categorize resources by purpose, owner, environment, or other criteria. Tags can help you identify, organize, search for, and filter resources. Tagging also helps you track accountable resource owners for actions and notifications. When you use tagging, you can implement attribute-based access control (ABAC) as an authorization strategy, which defines permissions based on tags. You can attach tags to IAM entities (users or roles) and to Amazon resources. You can create a single ABAC policy or a separate set of policies for your IAM principals. You can design these ABAC policies to allow operations when the principal's tag matches the resource tag. For more information, see [What is ABAC for Amazon?](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*.

**Note**  
Don’t add personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible to many Amazon Web Services services, including Amazon Billing. For more tagging best practices, see [Tagging your Amazon resources](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-best-practices) in the *Amazon Web Services General Reference*.

### Remediation


To add tags to an RDS DB subnet group, see [Tagging Amazon RDS resources](https://docs.amazonaws.cn/AmazonRDS/latest/UserGuide/USER_Tagging.html) in the *Amazon RDS User Guide*.
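
The six tagging controls RDS.28 through RDS.33 apply one rule to six resource types. The following Python script is added here as an illustration; it is not Security Hub CSPM or Amazon code. It reproduces that rule locally so you can preview findings before enabling the controls or changing `requiredTagKeys`: it ignores `aws:`-prefixed system tags, compares keys case-sensitively, enforces the 1–6 key limit, and falls back to an any-tag check when the parameter is omitted. Tags use the `TagList` shape the RDS API returns; the ARNs, tag keys and values are constructed sample data.

```python
"""Local evaluation of the tagging rule shared by RDS.28 to RDS.33.

Added example, not Security Hub CSPM or Amazon code. Tags use the TagList
shape returned by the RDS API (a list of {"Key": ..., "Value": ...});
the ARNs and tags below are constructed sample data.
"""
from typing import Dict, List, Optional, Tuple

SYSTEM_TAG_PREFIX = "aws:"  # system tags are ignored by the control
MAX_REQUIRED_KEYS = 6       # requiredTagKeys accepts 1 to 6 keys


def non_system_tag_keys(tag_list: List[Dict[str, str]]) -> set:
    """Tag keys on the resource, minus the automatically applied aws:* keys."""
    return {t["Key"] for t in tag_list if not t["Key"].startswith(SYSTEM_TAG_PREFIX)}


def evaluate_required_tags(
    tag_list: List[Dict[str, str]], required_tag_keys: Optional[List[str]] = None
) -> Tuple[str, List[str]]:
    """Return (status, missing_keys) for one resource, matching keys case-sensitively."""
    if required_tag_keys is not None and not 1 <= len(required_tag_keys) <= MAX_REQUIRED_KEYS:
        raise ValueError(f"requiredTagKeys must contain 1 to {MAX_REQUIRED_KEYS} keys")
    present = non_system_tag_keys(tag_list)
    if required_tag_keys is None:
        # Parameter not provided: any non-system tag key is enough.
        return ("COMPLIANT" if present else "NON_COMPLIANT"), []
    missing = [key for key in required_tag_keys if key not in present]
    return ("NON_COMPLIANT" if missing else "COMPLIANT"), missing


# Constructed sample resources (ARN -> TagList), one per outcome worth knowing about.
SAMPLE_RESOURCES: Dict[str, List[Dict[str, str]]] = {
    "arn:aws:rds:us-east-1:111122223333:cluster:orders-prod": [
        {"Key": "Owner", "Value": "payments-team"},
        {"Key": "Environment", "Value": "prod"},
        {"Key": "aws:cloudformation:stack-name", "Value": "orders"},
    ],
    # Right tag, wrong case: "owner" does not satisfy a required key of "Owner".
    "arn:aws:rds:us-east-1:111122223333:db:analytics-1": [
        {"Key": "owner", "Value": "data-team"},
    ],
    # Only a system tag: counts as untagged.
    "arn:aws:rds:us-east-1:111122223333:snapshot:orders-prod-2024-05-01": [
        {"Key": "aws:cloudformation:logical-id", "Value": "OrdersSnapshot"},
    ],
    "arn:aws:rds:us-east-1:111122223333:subgrp:orders-subnets": [],
}


def evaluate_all(
    resources: Dict[str, List[Dict[str, str]]], required_tag_keys: Optional[List[str]] = None
) -> Dict[str, Tuple[str, List[str]]]:
    """Evaluate every resource and return {arn: (status, missing_keys)}."""
    return {arn: evaluate_required_tags(tags, required_tag_keys) for arn, tags in resources.items()}


if __name__ == "__main__":
    for arn, (status, missing) in evaluate_all(SAMPLE_RESOURCES, ["Owner", "Environment"]).items():
        print(f"{status:14} {arn}  missing={missing}")
```

To run it against real resources, replace `SAMPLE_RESOURCES` with the `TagList` returned by `list_tags_for_resource` for each ARN, which works for every resource type these six controls cover. The case-sensitivity case above is the one that most often surprises teams whose tagging policy is enforced only by convention.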

## [RDS.34] Aurora MySQL DB clusters should publish audit logs to CloudWatch Logs


**Related requirements:** NIST.800-53.r5 AC-2(4), NIST.800-53.r5 AC-4(26), NIST.800-53.r5 AC-6(9), NIST.800-53.r5 AU-10, NIST.800-53.r5 AU-12, NIST.800-53.r5 AU-2, NIST.800-53.r5 AU-3, NIST.800-53.r5 AU-6(3), NIST.800-53.r5 AU-6(4), NIST.800-53.r5 CA-7, NIST.800-53.r5 SC-7(9), NIST.800-53.r5 SI-3(8), NIST.800-53.r5 SI-4(20), NIST.800-53.r5 SI-7(8), PCI DSS v4.0.1/10.2.1

**Category:** Identify > Logging

**Severity:** Medium

**Resource type:** `AWS::RDS::DBCluster`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/rds-aurora-mysql-audit-logging-enabled.html](https://docs.amazonaws.cn/config/latest/developerguide/rds-aurora-mysql-audit-logging-enabled.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether an Amazon Aurora MySQL DB cluster is configured to publish audit logs to Amazon CloudWatch Logs. The control fails if the cluster isn't configured to publish audit logs to CloudWatch Logs. The control doesn't generate findings for Aurora Serverless v1 DB clusters.

Audit logs capture a record of database activity, including login attempts, data modifications, schema changes, and other events that can be audited for security and compliance purposes. When you configure an Aurora MySQL DB cluster to publish audit logs to a log group in Amazon CloudWatch Logs, you can perform real-time analysis of the log data. CloudWatch Logs retains logs in highly durable storage. You can also create alarms and view metrics in CloudWatch.

**Note**  
An alternative way to publish audit logs to CloudWatch Logs is to enable advanced auditing and set the cluster-level DB parameter `server_audit_logs_upload` to `1`. The default for the `server_audit_logs_upload` parameter is `0`. However, to pass this control, we recommend that you use the following remediation instructions instead.

### Remediation


To publish Aurora MySQL DB cluster audit logs to CloudWatch Logs, see [Publishing Amazon Aurora MySQL logs to Amazon CloudWatch Logs](https://docs.amazonaws.cn/AmazonRDS/latest/AuroraUserGuide/AuroraMySQL.Integrating.CloudWatch.html) in the *Amazon Aurora User Guide*.

## [RDS.35] RDS DB clusters should have automatic minor version upgrade enabled


**Related requirements:** NIST.800-53.r5 SI-2, NIST.800-53.r5 SI-2(2), NIST.800-53.r5 SI-2(4), NIST.800-53.r5 SI-2(5), PCI DSS v4.0.1/6.3.3

**Category:** Identify > Vulnerability, patch, and version management

**Severity:** Medium

**Resource type:** `AWS::RDS::DBCluster`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/rds-cluster-auto-minor-version-upgrade-enable.html](https://docs.amazonaws.cn/config/latest/developerguide/rds-cluster-auto-minor-version-upgrade-enable.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks if automatic minor version upgrade is enabled for an Amazon RDS Multi-AZ DB cluster. The control fails if automatic minor version upgrade isn't enabled for the Multi-AZ DB cluster.

RDS provides automatic minor version upgrade so that you can keep your Multi-AZ DB cluster up to date. Minor versions can introduce new software features, bug fixes, security patches, and performance improvements. By enabling automatic minor version upgrade on RDS database clusters, the cluster, along with the instances in the cluster, will receive automatic updates to the minor version when new versions are available. The updates are applied automatically during the maintenance window.

### Remediation


To enable automatic minor version upgrade on Multi-AZ DB clusters, see [Modifying a Multi-AZ DB cluster](https://docs.amazonaws.cn/AmazonRDS/latest/UserGuide/modify-multi-az-db-cluster.html) in the *Amazon RDS User Guide*.

## [RDS.36] RDS for PostgreSQL DB instances should publish logs to CloudWatch Logs


**Related requirements:** PCI DSS v4.0.1/10.4.2

**Category:** Identify > Logging

**Severity:** Medium

**Resource type:** `AWS::RDS::DBInstance`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/rds-postgresql-logs-to-cloudwatch.html](https://docs.amazonaws.cn/config/latest/developerguide/rds-postgresql-logs-to-cloudwatch.html)

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  `logTypes`  |  Comma-separated list of log types to be published to CloudWatch Logs  |  StringList  |  Not customizable  |  `postgresql`  | 

This control checks whether an Amazon RDS for PostgreSQL DB instance is configured to publish logs to Amazon CloudWatch Logs. The control fails if the PostgreSQL DB instance isn't configured to publish the log types mentioned in the `logTypes` parameter to CloudWatch Logs.

Database logging provides detailed records of requests made to an RDS instance. PostgreSQL generates event logs that contain useful information for administrators. Publishing these logs to CloudWatch Logs centralizes log management and helps you perform real-time analysis of the log data. CloudWatch Logs retains logs in highly durable storage. You can also create alarms and view metrics in CloudWatch.

### Remediation


To publish PostgreSQL DB instance logs to CloudWatch Logs, see [Publishing PostgreSQL logs to Amazon CloudWatch Logs](https://docs.amazonaws.cn/AmazonRDS/latest/UserGuide/USER_LogAccess.Concepts.PostgreSQL.html#USER_LogAccess.Concepts.PostgreSQL.PublishtoCloudWatchLogs) in the *Amazon RDS User Guide*.

## [RDS.37] Aurora PostgreSQL DB clusters should publish logs to CloudWatch Logs


**Related requirements:** PCI DSS v4.0.1/10.4.2

**Category:** Identify > Logging

**Severity:** Medium

**Resource type:** `AWS::RDS::DBCluster`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/rds-aurora-postgresql-logs-to-cloudwatch.html](https://docs.amazonaws.cn/config/latest/developerguide/rds-aurora-postgresql-logs-to-cloudwatch.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether an Amazon Aurora PostgreSQL DB cluster is configured to publish logs to Amazon CloudWatch Logs. The control fails if the Aurora PostgreSQL DB cluster isn't configured to publish PostgreSQL logs to CloudWatch Logs.

Database logging provides detailed records of requests made to an RDS cluster. Aurora PostgreSQL generates event logs that contain useful information for administrators. Publishing these logs to CloudWatch Logs centralizes log management and helps you perform real-time analysis of the log data. CloudWatch Logs retains logs in highly durable storage. You can also create alarms and view metrics in CloudWatch.

### Remediation


To publish Aurora PostgreSQL DB cluster logs to CloudWatch Logs, see [Publishing Aurora PostgreSQL logs to Amazon CloudWatch Logs](https://docs.amazonaws.cn/AmazonRDS/latest/AuroraUserGuide/AuroraPostgreSQL.CloudWatch.html) in the *Amazon Aurora User Guide*.

## [RDS.38] RDS for PostgreSQL DB instances should be encrypted in transit


**Category:** Protect > Data Protection > Encryption of data-in-transit

**Severity:** Medium

**Resource type:** `AWS::RDS::DBInstance`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/rds-postgres-instance-encrypted-in-transit.html](https://docs.amazonaws.cn/config/latest/developerguide/rds-postgres-instance-encrypted-in-transit.html)

**Schedule type:** Periodic

**Parameters:** None

This control checks whether a connection to an Amazon RDS for PostgreSQL database (DB) instance is encrypted in transit. The control fails if the `rds.force_ssl` parameter for the parameter group associated with the instance is set to `0` (off). This control doesn't evaluate RDS DB instances that are part of a DB cluster.

Data in transit refers to data that moves from one location to another, such as between nodes in your cluster or between your cluster and your application. Data may move across the internet or within a private network. Encrypting data in transit reduces the risk that an unauthorized user can eavesdrop on network traffic.

### Remediation


To require all connections to your RDS for PostgreSQL DB instance to use SSL, see [Using SSL with a PostgreSQL DB instance](https://docs.amazonaws.cn/AmazonRDS/latest/UserGuide/PostgreSQL.Concepts.General.SSL.html) in the *Amazon RDS User Guide*.

## [RDS.39] RDS for MySQL DB instances should be encrypted in transit


**Category:** Protect > Data Protection > Encryption of data-in-transit

**Severity:** Medium

**Resource type:** `AWS::RDS::DBInstance`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/rds-mysql-instance-encrypted-in-transit.html](https://docs.amazonaws.cn/config/latest/developerguide/rds-mysql-instance-encrypted-in-transit.html)

**Schedule type:** Periodic

**Parameters:** None

This control checks whether a connection to an Amazon RDS for MySQL database (DB) instance is encrypted in transit. The control fails if the `require_secure_transport` parameter for the parameter group associated with the instance is set to `0` (off). This control doesn't evaluate RDS DB instances that are part of a DB cluster.

Data in transit refers to data that moves from one location to another, such as between nodes in your cluster or between your cluster and your application. Data may move across the internet or within a private network. Encrypting data in transit reduces the risk that an unauthorized user can eavesdrop on network traffic.

### Remediation


To require all connections to your RDS for MySQL DB instance to use SSL, see [SSL/TLS support for MySQL DB instances on Amazon RDS](https://docs.amazonaws.cn/AmazonRDS/latest/UserGuide/MySQL.Concepts.SSLSupport.html) in the *Amazon RDS User Guide*.

## [RDS.40] RDS for SQL Server DB instances should publish logs to CloudWatch Logs


**Related requirements:** NIST.800-53.r5 AC-2(4), NIST.800-53.r5 AC-4(26), NIST.800-53.r5 AC-6(9), NIST.800-53.r5 AU-10, NIST.800-53.r5 AU-12, NIST.800-53.r5 AU-2, NIST.800-53.r5 AU-3, NIST.800-53.r5 AU-6(3), NIST.800-53.r5 AU-6(4), NIST.800-53.r5 CA-7, NIST.800-53.r5 SC-7(10), NIST.800-53.r5 SC-7(9), NIST.800-53.r5 SI-3(8), NIST.800-53.r5 SI-4(20), NIST.800-53.r5 SI-7(8)

**Category:** Identify > Logging

**Severity:** Medium

**Resource type:** `AWS::RDS::DBInstance`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/rds-sql-server-logs-to-cloudwatch.html](https://docs.amazonaws.cn/config/latest/developerguide/rds-sql-server-logs-to-cloudwatch.html)

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  `logTypes`  |  A list of the types of logs that an RDS for SQL Server DB instance should be configured to publish to CloudWatch Logs. This control fails if a DB instance isn't configured to publish a type of log specified in the list.  |  EnumList (maximum of 2 items)  |  `agent`, `error`  |  `agent`, `error`  | 

This control checks whether an Amazon RDS for Microsoft SQL Server DB instance is configured to publish logs to Amazon CloudWatch Logs. The control fails if the RDS for SQL Server DB instance isn't configured to publish logs to CloudWatch Logs. You can optionally specify the types of logs that a DB instance should be configured to publish.

Database logging provides detailed records of requests made to an Amazon RDS DB instance. Publishing logs to CloudWatch Logs centralizes log management and helps you perform real-time analysis of log data. CloudWatch Logs retains logs in highly durable storage. In addition, you can use it to create alarms for specific errors that can occur, such as frequent restarts that are recorded in an error log. Similarly, you can create alarms for errors or warnings that are recorded in SQL Server agent logs related to SQL agent jobs.

### Remediation


For information about publishing logs to CloudWatch Logs for an RDS for SQL Server DB instance, see [Amazon RDS for Microsoft SQL Server database log files](https://docs.amazonaws.cn/AmazonRDS/latest/UserGuide/USER_LogAccess.Concepts.SQLServer.html) in the *Amazon Relational Database Service User Guide*.

## [RDS.41] RDS for SQL Server DB instances should be encrypted in transit


**Category:** Protect > Data Protection > Encryption of data-in-transit

**Severity:** Medium

**Resource type:** `AWS::RDS::DBInstance`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/rds-sqlserver-encrypted-in-transit.html](https://docs.amazonaws.cn/config/latest/developerguide/rds-sqlserver-encrypted-in-transit.html)

**Schedule type:** Periodic

**Parameters:** None

This control checks whether a connection to an Amazon RDS for Microsoft SQL Server DB instance is encrypted in transit. The control fails if the `rds.force_ssl` parameter of the parameter group associated with the DB instance is set to `0` (off).

Data in transit refers to data that moves from one location to another, such as between nodes in a DB cluster or between a DB cluster and a client application. Data can move across the internet or within a private network. Encrypting data in transit reduces the risk of unauthorized users eavesdropping on network traffic.

### Remediation


For information about enabling SSL/TLS for connections to Amazon RDS DB instances running Microsoft SQL Server, see [Using SSL with a Microsoft SQL Server DB Instance](https://docs.amazonaws.cn/AmazonRDS/latest/UserGuide/SQLServer.Concepts.General.SSL.Using.html) in the *Amazon Relational Database Service User Guide*.

## [RDS.42] RDS for MariaDB DB instances should publish logs to CloudWatch Logs


**Related requirements:** NIST.800-53.r5 AC-2(4), NIST.800-53.r5 AC-4(26), NIST.800-53.r5 AC-6(9), NIST.800-53.r5 AU-2, NIST.800-53.r5 AU-3, NIST.800-53.r5 AU-6(3), NIST.800-53.r5 AU-6(4), NIST.800-53.r5 AU-10, NIST.800-53.r5 AU-12, NIST.800-53.r5 CA-7, NIST.800-53.r5 SC-7(9), NIST.800-53.r5 SC-7(10), NIST.800-53.r5 SI-3(8), NIST.800-53.r5 SI-4(20), NIST.800-53.r5 SI-7(8)

**Category:** Identify > Logging

**Severity:** Medium

**Resource type:** `AWS::RDS::DBInstance`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/mariadb-publish-logs-to-cloudwatch-logs.html](https://docs.amazonaws.cn/config/latest/developerguide/mariadb-publish-logs-to-cloudwatch-logs.html)

**Schedule type:** Periodic

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  `logTypes`  |  A list of the types of logs that a MariaDB DB instance should be configured to publish to CloudWatch Logs. The control generates a `FAILED` finding if a DB instance isn't configured to publish a log type specified in the list.  |  EnumList (maximum of 4 items)  |  `audit`, `error`, `general`, `slowquery`  |  `audit`, `error`  | 

This control checks whether an Amazon RDS for MariaDB DB instance is configured to publish certain types of logs to Amazon CloudWatch Logs. The control fails if the MariaDB DB instance isn't configured to publish the logs to CloudWatch Logs. You can optionally specify which types of logs a MariaDB DB instance should be configured to publish.

Database logging provides detailed records of requests made to an Amazon RDS for MariaDB DB instance. Publishing logs to Amazon CloudWatch Logs centralizes log management and helps you perform real-time analysis of the log data. In addition, CloudWatch Logs retains the logs in durable storage, which can support security, access, and availability reviews and audits. With CloudWatch Logs, you can also create alarms and review metrics.

### Remediation


For information about configuring an Amazon RDS for MariaDB DB instance to publish logs to Amazon CloudWatch Logs, see [Publishing MariaDB logs to Amazon CloudWatch Logs](https://docs.amazonaws.cn/AmazonRDS/latest/UserGuide/USER_LogAccess.MariaDB.PublishtoCloudWatchLogs.html) in the *Amazon Relational Database Service User Guide*.
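
The five log-publishing controls RDS.34, RDS.36, RDS.37, RDS.40 and RDS.42 all reduce to the same test: the required log types must appear in the resource's `EnabledCloudwatchLogsExports` list. The following Python script is added here as an illustration; it is not Security Hub CSPM or Amazon code. It runs that test over the fields that `describe_db_instances` and `describe_db_clusters` return, skips Aurora Serverless v1 clusters as RDS.34 does, lets you widen the MariaDB or SQL Server `logTypes` the way the control parameters allow, and builds the `CloudwatchLogsExportConfiguration` argument that `modify_db_instance` and `modify_db_cluster` accept for the fix. The resources below are constructed sample data.

```python
"""Local evaluation of the CloudWatch Logs export checks RDS.34, RDS.36, RDS.37, RDS.40 and RDS.42.

Added example, not Security Hub CSPM or Amazon code. It reads the Engine, EngineMode and
EnabledCloudwatchLogsExports fields that describe_db_instances and describe_db_clusters
return; the resources below are constructed sample data.
"""
from typing import Dict, List, Optional, Set, Tuple

# Engine family -> log types the control expects (the Security Hub CSPM defaults from this page).
REQUIRED_LOG_TYPES: Dict[str, Set[str]] = {
    "aurora-mysql": {"audit"},            # RDS.34
    "postgres": {"postgresql"},           # RDS.36 (logTypes is not customizable)
    "aurora-postgresql": {"postgresql"},  # RDS.37
    "sqlserver": {"agent", "error"},      # RDS.40, all sqlserver-* engines
    "mariadb": {"audit", "error"},        # RDS.42 default; may be widened to general, slowquery
}


def engine_family(engine: str) -> str:
    """sqlserver-ee, -se, -ex and -web share one control; other engines map to themselves."""
    return "sqlserver" if engine.startswith("sqlserver-") else engine


def evaluate_log_exports(
    resource: dict, required_overrides: Optional[Dict[str, Set[str]]] = None
) -> Tuple[str, Set[str]]:
    """Return (status, missing_log_types) for one DB instance or DB cluster."""
    family = engine_family(resource["Engine"])
    required = {**REQUIRED_LOG_TYPES, **(required_overrides or {})}.get(family)
    if required is None:
        return "NOT_APPLICABLE", set()
    if family == "aurora-mysql" and resource.get("EngineMode") == "serverless":
        return "NOT_APPLICABLE", set()  # RDS.34 generates no findings for Aurora Serverless v1
    enabled = set(resource.get("EnabledCloudwatchLogsExports", []))
    missing = required - enabled
    return ("NON_COMPLIANT" if missing else "COMPLIANT"), missing


def remediation_kwargs(resource: dict, missing: Set[str]) -> dict:
    """Keyword arguments for modify_db_instance / modify_db_cluster that enable the missing types.

    CloudwatchLogsExportConfiguration changes only the listed types; exports that are
    already enabled stay enabled.
    """
    ident_key = "DBInstanceIdentifier" if "DBInstanceIdentifier" in resource else "DBClusterIdentifier"
    return {
        ident_key: resource[ident_key],
        "CloudwatchLogsExportConfiguration": {"EnableLogTypes": sorted(missing)},
    }


# Constructed sample resources, one per outcome.
SAMPLE_RESOURCES: List[dict] = [
    {"DBClusterIdentifier": "orders-aurora", "Engine": "aurora-mysql", "EngineMode": "provisioned",
     "EnabledCloudwatchLogsExports": ["error", "slowquery"]},          # audit missing
    {"DBClusterIdentifier": "reports-serverless", "Engine": "aurora-mysql", "EngineMode": "serverless",
     "EnabledCloudwatchLogsExports": []},                              # Serverless v1: skipped
    {"DBInstanceIdentifier": "billing-pg", "Engine": "postgres",
     "EnabledCloudwatchLogsExports": ["postgresql", "upgrade"]},       # extra types are fine
    {"DBInstanceIdentifier": "crm-sql", "Engine": "sqlserver-se",
     "EnabledCloudwatchLogsExports": ["error"]},                       # agent missing
    {"DBInstanceIdentifier": "wiki-mariadb", "Engine": "mariadb"},     # nothing exported
    {"DBInstanceIdentifier": "cache-mysql", "Engine": "mysql",
     "EnabledCloudwatchLogsExports": []},                              # no control in this group
]


def evaluate_all(
    resources: List[dict], required_overrides: Optional[Dict[str, Set[str]]] = None
) -> Dict[str, Tuple[str, Set[str]]]:
    """Evaluate every resource and return {identifier: (status, missing_log_types)}."""
    results = {}
    for resource in resources:
        ident = resource.get("DBInstanceIdentifier") or resource["DBClusterIdentifier"]
        results[ident] = evaluate_log_exports(resource, required_overrides)
    return results


if __name__ == "__main__":
    for ident, (status, missing) in evaluate_all(SAMPLE_RESOURCES).items():
        print(f"{ident:18} {status:15} missing={sorted(missing)}")
```

Note that exporting the log type is only half the job: the engine must also be generating it. For Aurora MySQL that means the advanced auditing parameters, and for MariaDB the `MARIADB_AUDIT_PLUGIN` option, must be configured, or the exported stream stays empty while the control reports a pass.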

## [RDS.43] RDS DB proxies should require TLS encryption for connections


**Category:** Protect > Data Protection > Encryption of data-in-transit

**Severity:** Medium

**Resource type:** `AWS::RDS::DBProxy`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/rds-proxy-tls-encryption.html](https://docs.amazonaws.cn/config/latest/developerguide/rds-proxy-tls-encryption.html)

**Schedule type:** Periodic

**Parameters:** None

This control checks whether an Amazon RDS DB proxy requires TLS for all connections between the proxy and the underlying RDS DB instance. The control fails if the proxy doesn't require TLS for all connections between the proxy and the RDS DB instance.

Amazon RDS Proxy can act as an additional layer of security between client applications and underlying RDS DB instances. For example, you can connect to an RDS proxy using TLS 1.3, even if the underlying DB instance supports an older version of TLS. By using RDS Proxy, you can enforce strong authentication requirements for database applications.

### Remediation


For information about changing the settings for an Amazon RDS proxy to require TLS, see [Modifying an RDS proxy](https://docs.amazonaws.cn/AmazonRDS/latest/UserGuide/rds-proxy-modifying-proxy.html) in the *Amazon Relational Database Service User Guide*.

## [RDS.44] RDS for MariaDB DB instances should be encrypted in transit


**Category:** Protect > Data Protection > Encryption of data-in-transit

**Severity:** Medium

**Resource type:** `AWS::RDS::DBInstance`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/rds-mariadb-instance-encrypted-in-transit.html](https://docs.amazonaws.cn/config/latest/developerguide/rds-mariadb-instance-encrypted-in-transit.html)

**Schedule type:** Periodic

**Parameters:** None

This control checks whether connections to an Amazon RDS for MariaDB DB instance are encrypted in transit. The control fails if the DB parameter group associated with the DB instance is not in sync, or the `require_secure_transport` parameter of the parameter group is not set to `ON`.

**Note**  
This control doesn't evaluate Amazon RDS DB instances that use MariaDB versions earlier than version 10.5. The `require_secure_transport` parameter is supported only for MariaDB versions 10.5 and later.

Data in transit refers to data that moves from one location to another, such as between nodes in a DB cluster or between a DB cluster and a client application. Data can move across the internet or within a private network. Encrypting data in transit reduces the risk of unauthorized users eavesdropping on network traffic.

### Remediation


For information about enabling SSL/TLS for connections to an Amazon RDS for MariaDB DB instance, see [Requiring SSL/TLS for all connections to a MariaDB DB instance](https://docs.amazonaws.cn/AmazonRDS/latest/UserGuide/mariadb-ssl-connections.require-ssl.html) in the *Amazon Relational Database Service User Guide*.

## [RDS.45] Aurora MySQL DB clusters should have audit logging enabled


**Related requirements:** NIST.800-53.r5 AC-2(4), NIST.800-53.r5 AC-4(26), NIST.800-53.r5 AC-6(9), NIST.800-53.r5 AU-2, NIST.800-53.r5 AU-3, NIST.800-53.r5 AU-6(3), NIST.800-53.r5 AU-6(4), NIST.800-53.r5 AU-10, NIST.800-53.r5 AU-12, NIST.800-53.r5 CA-7, NIST.800-53.r5 SC-7(9), NIST.800-53.r5 SI-3(8), NIST.800-53.r5 SI-4(20), NIST.800-53.r5 SI-7(8)

**Category:** Identify > Logging

**Severity:** Medium

**Resource type:** `AWS::RDS::DBCluster`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/aurora-mysql-cluster-audit-logging.html](https://docs.amazonaws.cn/config/latest/developerguide/aurora-mysql-cluster-audit-logging.html)

**Schedule type:** Periodic

**Parameters:** None

This control checks whether an Amazon Aurora MySQL DB cluster has audit logging enabled. The control fails if the DB parameter group associated with the DB cluster is not in sync, the `server_audit_logging` parameter is not set to `1`, or the `server_audit_events` parameter is set to an empty value.

Database logs can assist with security and access audits and help diagnose availability issues. Audit logs capture a record of database activity, including login attempts, data modifications, schema changes, and other events that can be audited for security and compliance purposes.
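Both RDS.44 and RDS.45 reduce to the same two checks: the associated parameter group must be in sync (a `pending-reboot` status means the running engine hasn't picked up the stored value yet), and specific parameters must hold specific values. The following Python is an added example, not code from this page or from Security Hub CSPM. It applies those checks to records shaped like the RDS `describe-db-instances`, `describe-db-clusters` and `describe-db-parameters` / `describe-db-cluster-parameters` responses. The identifiers, parameter-group names and values are constructed, and the `NOT_APPLICABLE` result for MariaDB versions earlier than 10.5 mirrors the note on RDS.44.

```python
"""Evaluate RDS.44 and RDS.45 as the controls describe them. Example code added
for this page, not Security Hub CSPM's implementation. Record shapes follow the
RDS describe-db-instances, describe-db-clusters and describe-db-(cluster-)
parameters responses; all records below are constructed, not real account data."""

PASSED, FAILED, NOT_APPLICABLE = "PASSED", "FAILED", "NOT_APPLICABLE"


def version_tuple(engine_version):
    """'10.6.14' -> (10, 6, 14). Stops at the first non-numeric part."""
    parts = []
    for part in engine_version.split("."):
        if not part.isdigit():
            break
        parts.append(int(part))
    return tuple(parts)


def groups_in_sync(records, status_key):
    """True only if every record reports an 'in-sync' parameter group.
    'pending-reboot' means the engine isn't yet running the stored value,
    so both controls treat it as a failure."""
    return bool(records) and all(r.get(status_key) == "in-sync" for r in records)


def param_value(parameters, name):
    """Value of one parameter from a describe-*-parameters list, or None.
    RDS omits ParameterValue for parameters left at the engine default."""
    for param in parameters:
        if param.get("ParameterName") == name:
            return param.get("ParameterValue")
    return None


def evaluate_rds_44(instance, parameters):
    """RDS.44: a MariaDB 10.5+ instance needs an in-sync DB parameter group
    with require_secure_transport = ON. Older engines aren't evaluated."""
    if instance.get("Engine") != "mariadb":
        return NOT_APPLICABLE
    if version_tuple(instance.get("EngineVersion", "0")) < (10, 5):
        return NOT_APPLICABLE
    if not groups_in_sync(instance.get("DBParameterGroups", []), "ParameterApplyStatus"):
        return FAILED
    value = param_value(parameters, "require_secure_transport") or ""
    return PASSED if value.upper() == "ON" else FAILED


def evaluate_rds_45(cluster, parameters):
    """RDS.45: an Aurora MySQL cluster needs every member in sync with the
    cluster parameter group, server_audit_logging = 1 and a non-empty
    server_audit_events."""
    if cluster.get("Engine") != "aurora-mysql":
        return NOT_APPLICABLE
    if not groups_in_sync(cluster.get("DBClusterMembers", []), "DBClusterParameterGroupStatus"):
        return FAILED
    if param_value(parameters, "server_audit_logging") != "1":
        return FAILED
    events = param_value(parameters, "server_audit_events") or ""
    return PASSED if events.strip() else FAILED


# Constructed sample records (identifiers are made up for the example).
MARIADB_INSTANCE = {
    "DBInstanceIdentifier": "orders-db",
    "Engine": "mariadb",
    "EngineVersion": "10.6.14",
    "DBParameterGroups": [
        {"DBParameterGroupName": "mariadb-tls", "ParameterApplyStatus": "in-sync"},
    ],
}
OLD_MARIADB = dict(MARIADB_INSTANCE, EngineVersion="10.4.30")
PENDING_REBOOT = dict(MARIADB_INSTANCE, DBParameterGroups=[
    {"DBParameterGroupName": "mariadb-tls", "ParameterApplyStatus": "pending-reboot"},
])
TLS_REQUIRED = [{"ParameterName": "require_secure_transport", "ParameterValue": "ON"}]
TLS_OPTIONAL = [{"ParameterName": "require_secure_transport", "ParameterValue": "OFF"}]

AURORA_CLUSTER = {
    "DBClusterIdentifier": "billing-aurora",
    "Engine": "aurora-mysql",
    "DBClusterParameterGroup": "aurora-audit",
    "DBClusterMembers": [
        {"DBInstanceIdentifier": "billing-aurora-1", "DBClusterParameterGroupStatus": "in-sync"},
        {"DBInstanceIdentifier": "billing-aurora-2", "DBClusterParameterGroupStatus": "in-sync"},
    ],
}
AUDIT_ON = [
    {"ParameterName": "server_audit_logging", "ParameterValue": "1"},
    {"ParameterName": "server_audit_events", "ParameterValue": "CONNECT,QUERY_DCL,QUERY_DDL"},
]
AUDIT_NO_EVENTS = [AUDIT_ON[0], {"ParameterName": "server_audit_events", "ParameterValue": ""}]

if __name__ == "__main__":
    print("RDS.44 TLS required   :", evaluate_rds_44(MARIADB_INSTANCE, TLS_REQUIRED))
    print("RDS.44 pending reboot :", evaluate_rds_44(PENDING_REBOOT, TLS_REQUIRED))
    print("RDS.44 MariaDB 10.4   :", evaluate_rds_44(OLD_MARIADB, TLS_REQUIRED))
    print("RDS.45 audit on       :", evaluate_rds_45(AURORA_CLUSTER, AUDIT_ON))
    print("RDS.45 empty events   :", evaluate_rds_45(AURORA_CLUSTER, AUDIT_NO_EVENTS))
```

To run this against a real account, replace the constructed records with the output of the corresponding `aws rds describe-*` calls; the evaluation functions don't change. Note that a parameter left at its engine default has no `ParameterValue` in the response, which the functions treat as a failure, the same outcome the controls report.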

### Remediation


For information about enabling logging for an Amazon Aurora MySQL DB cluster, see [Publishing Amazon Aurora MySQL logs to Amazon CloudWatch Logs](https://docs.amazonaws.cn/AmazonRDS/latest/AuroraUserGuide/AuroraMySQL.Integrating.CloudWatch.html) in the *Amazon Aurora User Guide*.

## [RDS.46] RDS DB instances should not be deployed in public subnets with routes to internet gateways


**Category:** Protect > Secure network configuration > Resources not publicly accessible

**Severity:** High

**Resource type:** `AWS::RDS::DBInstance`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/rds-instance-subnet-igw-check.html](https://docs.amazonaws.cn/config/latest/developerguide/rds-instance-subnet-igw-check.html)

**Schedule type:** Periodic

**Parameters:** None

This control checks whether an Amazon RDS DB instance is deployed in a public subnet that has a route to an internet gateway. The control fails if the RDS DB instance is deployed in a subnet that has a route to an internet gateway and the destination is set to `0.0.0.0/0` or `::/0`.

By provisioning your Amazon RDS resources in private subnets, you can prevent your RDS resources from receiving inbound traffic from the public internet, which can prevent unintended access to your RDS DB instances. If RDS resources are provisioned in a public subnet that is open to the internet, they might be vulnerable to risks such as data exfiltration.
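The effective route table of a subnet isn't always the one you see associated with it: a subnet with no explicit association inherits the VPC's main route table, which is where a stray `0.0.0.0/0` route to an internet gateway tends to hide. The Python below is an added example (not from this page or from Security Hub CSPM) that resolves each subnet of a DB subnet group to its effective route table and flags active default routes to an internet gateway. The route tables, subnet IDs and instance record are constructed; treating any exposed subnet in the group as a failure is this example's conservative reading of the control.

```python
"""RDS.46 logic: does any subnet of a DB instance's subnet group route
0.0.0.0/0 or ::/0 to an internet gateway? Example code added for this page,
not Security Hub CSPM's implementation. Record shapes follow the RDS
describe-db-instances and EC2 describe-route-tables responses; all data below
is constructed."""

DEFAULT_DESTINATIONS = {"0.0.0.0/0", "::/0"}


def effective_route_table(subnet_id, vpc_id, route_tables):
    """A subnet uses the route table explicitly associated with it; without
    one it inherits the VPC's main route table. Returns None if neither exists."""
    main_table = None
    for table in route_tables:
        if table.get("VpcId") != vpc_id:
            continue
        for assoc in table.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return table
            if assoc.get("Main"):
                main_table = table
    return main_table


def has_default_route_to_igw(route_table):
    """True if an active route for a default destination targets an internet
    gateway (igw-...). NAT gateways appear under NatGatewayId and egress-only
    gateways under EgressOnlyInternetGatewayId, so neither matches here."""
    for route in route_table.get("Routes", []):
        destination = route.get("DestinationCidrBlock") or route.get("DestinationIpv6CidrBlock")
        gateway = route.get("GatewayId", "")
        if (destination in DEFAULT_DESTINATIONS and gateway.startswith("igw-")
                and route.get("State", "active") == "active"):
            return True
    return False


def evaluate_rds_46(instance, route_tables):
    """Return (status, exposed_subnet_ids). This example takes the conservative
    reading of the control: any subnet in the DB subnet group with a default
    route to an internet gateway fails the instance, because RDS may place the
    instance (or a Multi-AZ standby) in any subnet of the group."""
    subnet_group = instance.get("DBSubnetGroup", {})
    vpc_id = subnet_group.get("VpcId")
    exposed = []
    for subnet in subnet_group.get("Subnets", []):
        subnet_id = subnet["SubnetIdentifier"]
        table = effective_route_table(subnet_id, vpc_id, route_tables)
        if table is not None and has_default_route_to_igw(table):
            exposed.append(subnet_id)
    return ("FAILED" if exposed else "PASSED"), exposed


# Constructed sample data; all IDs are made up.
ROUTE_TABLES = [
    {   # VPC main table: private, default route goes to a NAT gateway
        "RouteTableId": "rtb-main", "VpcId": "vpc-0a1b",
        "Associations": [{"Main": True}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0123", "State": "active"},
        ],
    },
    {   # explicitly associated with subnet-public-a: default routes to an IGW
        "RouteTableId": "rtb-public", "VpcId": "vpc-0a1b",
        "Associations": [{"Main": False, "SubnetId": "subnet-public-a"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0abc", "State": "active"},
            {"DestinationIpv6CidrBlock": "::/0", "GatewayId": "igw-0abc", "State": "active"},
        ],
    },
]


def make_instance(*subnet_ids):
    return {"DBInstanceIdentifier": "orders-db", "DBSubnetGroup": {
        "VpcId": "vpc-0a1b", "Subnets": [{"SubnetIdentifier": s} for s in subnet_ids]}}


PRIVATE_DB = make_instance("subnet-private-a", "subnet-private-b")
MIXED_DB = make_instance("subnet-private-a", "subnet-public-a")

if __name__ == "__main__":
    print("private subnets only:", evaluate_rds_46(PRIVATE_DB, ROUTE_TABLES))
    print("one public subnet   :", evaluate_rds_46(MIXED_DB, ROUTE_TABLES))
```

The private subnets in the sample have no explicit association, so they fall back to the main table whose default route points at a NAT gateway; that table passes because the route carries a `NatGatewayId` rather than an `igw-` `GatewayId`.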

### Remediation


For information about provisioning a private subnet for an Amazon RDS DB instance, see [Working with a DB instance in a VPC](https://docs.amazonaws.cn/AmazonRDS/latest/UserGuide/USER_VPC.WorkingWithRDSInstanceinaVPC.html) in the *Amazon Relational Database Service User Guide*.

## [RDS.47] RDS for PostgreSQL DB clusters should be configured to copy tags to DB snapshots


**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `AWS::RDS::DBCluster`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/rds-pgsql-cluster-copy-tags-to-snapshot-check.html](https://docs.amazonaws.cn/config/latest/developerguide/rds-pgsql-cluster-copy-tags-to-snapshot-check.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether an Amazon RDS for PostgreSQL DB cluster is configured to automatically copy tags to snapshots of the DB cluster when the snapshots are created. The control fails if the `CopyTagsToSnapshot` parameter is set to `false` for the RDS for PostgreSQL DB cluster.

Copying tags to DB snapshots helps maintain proper resource tracking, governance, and cost allocation across backup resources. This enables consistent resource identification, access control, and compliance monitoring across both active databases and their snapshots. Properly tagged snapshots improve security operations by ensuring backup resources inherit the same metadata as their source databases.

### Remediation


For information about configuring an Amazon RDS for PostgreSQL DB cluster to automatically copy tags to DB snapshots, see [Tagging Amazon RDS resources](https://docs.amazonaws.cn/AmazonRDS/latest/UserGuide/USER_Tagging.html) in the *Amazon Relational Database Service User Guide*.

## [RDS.48] RDS for MySQL DB clusters should be configured to copy tags to DB snapshots


**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `AWS::RDS::DBCluster`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/rds-mysql-cluster-copy-tags-to-snapshot-check.html](https://docs.amazonaws.cn/config/latest/developerguide/rds-mysql-cluster-copy-tags-to-snapshot-check.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether an Amazon RDS for MySQL DB cluster is configured to automatically copy tags to snapshots of the DB cluster when the snapshots are created. The control fails if the `CopyTagsToSnapshot` parameter is set to `false` for the RDS for MySQL DB cluster.

Copying tags to DB snapshots helps maintain proper resource tracking, governance, and cost allocation across backup resources. This enables consistent resource identification, access control, and compliance monitoring across both active databases and their snapshots. Properly tagged snapshots improve security operations by ensuring backup resources inherit the same metadata as their source databases.

### Remediation


For information about configuring an Amazon RDS for MySQL DB cluster to automatically copy tags to DB snapshots, see [Tagging Amazon RDS resources](https://docs.amazonaws.cn/AmazonRDS/latest/UserGuide/USER_Tagging.html) in the *Amazon Relational Database Service User Guide*.

## [RDS.50] RDS DB clusters should have enough backup retention period set


**Category:** Recover > Resilience > Backups enabled 

**Severity:** Medium

**Resource type:** `AWS::RDS::DBCluster`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/rds-cluster-backup-retention-check.html](https://docs.amazonaws.cn/config/latest/developerguide/rds-cluster-backup-retention-check.html)

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  `minimumBackupRetentionPeriod`  |  The minimum backup retention period in days for the control to check  |  Integer  |  `7` to `35`  |  `7`  | 

This control checks whether an RDS DB cluster has a minimum backup retention period. The control fails if the backup retention period is less than the specified parameter value. Unless you provide a custom parameter value, Security Hub CSPM uses a default value of 7 days. This control applies to all types of RDS DB clusters, including Aurora DB clusters, Amazon DocumentDB clusters, and Amazon Neptune DB clusters.

### Remediation


To configure the backup retention period for an RDS DB cluster, modify the cluster settings and set the backup retention period to at least 7 days (or the value specified in the control parameter). For detailed instructions, see [Backup retention period](https://docs.amazonaws.cn/AmazonRDS/latest/UserGuide/USER_WorkingWithAutomatedBackups.BackupRetention.html) in the *Amazon Relational Database Service User Guide*. For Aurora DB clusters, see [Overview of backing up and restoring an Aurora DB cluster](https://docs.amazonaws.cn/AmazonRDS/latest/AuroraUserGuide/Aurora.Managing.Backups.html) in the *Amazon Aurora User Guide*. For other types of DB clusters (for example, Amazon DocumentDB clusters), see the corresponding service user guide for how to update the backup retention period for the cluster.

# Security Hub CSPM controls for Amazon Redshift
Amazon Redshift controls

These Amazon Security Hub CSPM controls evaluate the Amazon Redshift service and resources. The controls might not be available in all Amazon Web Services Regions. For more information, see [Availability of controls by Region](securityhub-regions.md#securityhub-regions-control-support).

## [Redshift.1] Amazon Redshift clusters should prohibit public access


**Related requirements:** NIST.800-53.r5 AC-21, NIST.800-53.r5 AC-3, NIST.800-53.r5 AC-3(7), NIST.800-53.r5 AC-4, NIST.800-53.r5 AC-4(21), NIST.800-53.r5 AC-6, NIST.800-53.r5 SC-7, NIST.800-53.r5 SC-7(11), NIST.800-53.r5 SC-7(16), NIST.800-53.r5 SC-7(20), NIST.800-53.r5 SC-7(21), NIST.800-53.r5 SC-7(3), NIST.800-53.r5 SC-7(4), NIST.800-53.r5 SC-7(9), PCI DSS v3.2.1/1.2.1, PCI DSS v3.2.1/1.3.1, PCI DSS v3.2.1/1.3.2, PCI DSS v3.2.1/1.3.4, PCI DSS v3.2.1/1.3.6, PCI DSS v4.0.1/1.4.4

**Category:** Protect > Secure network configuration > Resources not publicly accessible

**Severity:** Critical

**Resource type:** `AWS::Redshift::Cluster`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/redshift-cluster-public-access-check.html](https://docs.amazonaws.cn/config/latest/developerguide/redshift-cluster-public-access-check.html)

**Schedule type:** Change triggered

**Parameters:** None 

This control checks whether Amazon Redshift clusters are publicly accessible. It evaluates the `PubliclyAccessible` field in the cluster configuration item. 

The `PubliclyAccessible` attribute of the Amazon Redshift cluster configuration indicates whether the cluster is publicly accessible. When the cluster is configured with `PubliclyAccessible` set to `true`, it is an Internet-facing instance that has a publicly resolvable DNS name, which resolves to a public IP address.

When the cluster is not publicly accessible, it is an internal instance with a DNS name that resolves to a private IP address. Unless you intend for your cluster to be publicly accessible, the cluster should not be configured with `PubliclyAccessible` set to `true`.

### Remediation


To update an Amazon Redshift cluster to disable public access, see [Modifying a cluster](https://docs.amazonaws.cn/redshift/latest/mgmt/managing-clusters-console.html#modify-cluster) in the *Amazon Redshift Management Guide*. Set **Publicly accessible** to **No**.

## [Redshift.2] Connections to Amazon Redshift clusters should be encrypted in transit


**Related requirements:** NIST.800-53.r5 AC-4, NIST.800-53.r5 SC-13, NIST.800-53.r5 SC-23, NIST.800-53.r5 SC-23(3), NIST.800-53.r5 SC-7(4), NIST.800-53.r5 SC-8, NIST.800-53.r5 SC-8(1), NIST.800-53.r5 SC-8(2), PCI DSS v4.0.1/4.2.1

**Category:** Protect > Data Protection > Encryption of data-in-transit

**Severity:** Medium

**Resource type:** `AWS::Redshift::Cluster`, `AWS::Redshift::ClusterParameterGroup`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/redshift-require-tls-ssl.html](https://docs.amazonaws.cn/config/latest/developerguide/redshift-require-tls-ssl.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether connections to Amazon Redshift clusters are required to use encryption in transit. The check fails if the `require_ssl` parameter in the cluster's parameter group isn't set to `true`.

TLS can be used to help prevent potential attackers from using person-in-the-middle or similar attacks to eavesdrop on or manipulate network traffic. Only encrypted connections over TLS should be allowed. Encrypting data in transit can affect performance. You should test your application with this feature to understand the performance profile and the impact of TLS. 

### Remediation


To update an Amazon Redshift parameter group to require encryption, see [Modifying a parameter group](https://docs.amazonaws.cn/redshift/latest/mgmt/managing-parameter-groups-console.html#parameter-group-modify) in the *Amazon Redshift Management Guide*. Set `require_ssl` to **True**.

## [Redshift.3] Amazon Redshift clusters should have automatic snapshots enabled


**Related requirements:** NIST.800-53.r5 CP-10, NIST.800-53.r5 CP-6, NIST.800-53.r5 CP-6(1), NIST.800-53.r5 CP-6(2), NIST.800-53.r5 CP-9, NIST.800-53.r5 SC-5(2), NIST.800-53.r5 SC-7(10), NIST.800-53.r5 SI-13(5)

**Category:** Recover > Resilience > Backups enabled 

**Severity:** Medium

**Resource type:** `AWS::Redshift::Cluster`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/redshift-backup-enabled.html](https://docs.amazonaws.cn/config/latest/developerguide/redshift-backup-enabled.html)

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  `MinRetentionPeriod`  |  Minimum snapshot retention period in days  |  Integer  |  `7` to `35`  |  `7`  | 

This control checks whether an Amazon Redshift cluster has automated snapshots enabled, and a retention period greater than or equal to the specified time frame. The control fails if automated snapshots aren't enabled for the cluster, or if the retention period is less than the specified time frame. Unless you provide a custom parameter value for the snapshot retention period, Security Hub CSPM uses a default value of 7 days.

Backups help you to recover more quickly from a security incident and strengthen the resilience of your systems. Amazon Redshift takes periodic snapshots by default. This control checks whether automatic snapshots are enabled and retained for at least the number of days set by the `MinRetentionPeriod` parameter (seven by default). For more details on Amazon Redshift automated snapshots, see [Automated snapshots](https://docs.amazonaws.cn/redshift/latest/mgmt/working-with-snapshots.html#about-automated-snapshots) in the *Amazon Redshift Management Guide*.

### Remediation


To update the snapshot retention period for an Amazon Redshift cluster, see [Modifying a cluster](https://docs.amazonaws.cn/redshift/latest/mgmt/managing-clusters-console.html#modify-cluster) in the *Amazon Redshift Management Guide*. For **Backup**, set **Snapshot retention** to a value of 7 or greater.

## [Redshift.4] Amazon Redshift clusters should have audit logging enabled


**Related requirements:** NIST.800-53.r5 AC-2(4), NIST.800-53.r5 AC-4(26), NIST.800-53.r5 AC-6(9), NIST.800-53.r5 AU-10, NIST.800-53.r5 AU-12, NIST.800-53.r5 AU-2, NIST.800-53.r5 AU-3, NIST.800-53.r5 AU-6(3), NIST.800-53.r5 AU-6(4), NIST.800-53.r5 CA-7, NIST.800-53.r5 SC-7(9), NIST.800-53.r5 SI-3(8), NIST.800-53.r5 SI-4(20), NIST.800-53.r5 SI-7(8), PCI DSS v4.0.1/10.2.1

**Category:** Identify > Logging

**Severity:** Medium

**Resource type:** `AWS::Redshift::Cluster`

**Amazon Config rule:** `redshift-cluster-audit-logging-enabled` (custom Security Hub CSPM rule)

**Schedule type:** Change triggered

**Parameters:** None 

This control checks whether an Amazon Redshift cluster has audit logging enabled.

Amazon Redshift audit logging provides additional information about connections and user activities in your cluster. This data can be stored and secured in Amazon S3 and can be helpful in security audits and investigations. For more information, see [Database audit logging](https://docs.amazonaws.cn/redshift/latest/mgmt/db-auditing.html) in the *Amazon Redshift Management Guide*.

### Remediation


To configure audit logging for an Amazon Redshift cluster, see [Configuring auditing using the console](https://docs.amazonaws.cn/redshift/latest/mgmt/db-auditing-console.html) in the *Amazon Redshift Management Guide*.

## [Redshift.6] Amazon Redshift should have automatic upgrades to major versions enabled


**Related requirements:** NIST.800-53.r5 CA-9(1), NIST.800-53.r5 CM-2, NIST.800-53.r5 CP-9, NIST.800-53.r5 SC-5(2), NIST.800-53.r5 SI-2, NIST.800-53.r5 SI-2(2), NIST.800-53.r5 SI-2(4), NIST.800-53.r5 SI-2(5)

**Category:** Identify > Vulnerability, patch, and version management

**Severity:** Medium

**Resource type:** `AWS::Redshift::Cluster`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/redshift-cluster-maintenancesettings-check.html](https://docs.amazonaws.cn/config/latest/developerguide/redshift-cluster-maintenancesettings-check.html)

**Schedule type:** Change triggered

**Parameters:**
+ `allowVersionUpgrade = true` (not customizable)

This control checks whether automatic major version upgrades are enabled for the Amazon Redshift cluster.

Enabling automatic major version upgrades ensures that the latest major version updates to Amazon Redshift clusters are installed during the maintenance window. These updates might include security patches and bug fixes. Keeping up to date with patch installation is an important step in securing systems.

### Remediation


To remediate this issue from the Amazon CLI, use the Amazon Redshift `modify-cluster` command with the `--allow-version-upgrade` flag. Replace `clustername` with the name of your Amazon Redshift cluster.

```
aws redshift modify-cluster --cluster-identifier clustername --allow-version-upgrade
```

## [Redshift.7] Redshift clusters should use enhanced VPC routing


**Related requirements:** NIST.800-53.r5 AC-4, NIST.800-53.r5 AC-4(21), NIST.800-53.r5 SC-7, NIST.800-53.r5 SC-7(11), NIST.800-53.r5 SC-7(20), NIST.800-53.r5 SC-7(21), NIST.800-53.r5 SC-7(4), NIST.800-53.r5 SC-7(9)

**Category:** Protect > Secure network configuration > API private access

**Severity:** Medium

**Resource type:** `AWS::Redshift::Cluster`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/redshift-enhanced-vpc-routing-enabled.html](https://docs.amazonaws.cn/config/latest/developerguide/redshift-enhanced-vpc-routing-enabled.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether an Amazon Redshift cluster has `EnhancedVpcRouting` enabled.

Enhanced VPC routing forces all `COPY` and `UNLOAD` traffic between the cluster and data repositories to go through your VPC. You can then use VPC features such as security groups and network access control lists to secure network traffic. You can also use VPC Flow Logs to monitor network traffic.

### Remediation


For detailed remediation instructions, see [Enabling enhanced VPC routing](https://docs.amazonaws.cn/redshift/latest/mgmt/enhanced-vpc-enabling-cluster.html) in the *Amazon Redshift Management Guide*.

## [Redshift.8] Amazon Redshift clusters should not use the default Admin username


**Related requirements:** NIST.800-53.r5 CA-9(1), NIST.800-53.r5 CM-2

**Category:** Identify > Resource Configuration

**Severity:** Medium

**Resource type:** `AWS::Redshift::Cluster`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/redshift-default-admin-check.html](https://docs.amazonaws.cn/config/latest/developerguide/redshift-default-admin-check.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether the admin username of an Amazon Redshift cluster has been changed from its default value. The control fails if the admin username for a Redshift cluster is `awsuser`.

When creating a Redshift cluster, you should change the default admin username to a unique value. Default usernames are public knowledge and should be changed upon configuration. Changing the default usernames reduces the risk of unintended access.

### Remediation


You can't change the admin username for your Amazon Redshift cluster after creating it. To create a new cluster with a non-default username, see [Step 1: Create a sample Amazon Redshift cluster](https://docs.amazonaws.cn/redshift/latest/gsg/rs-gsg-prereq.html) in the *Amazon Redshift Getting Started Guide*.

## [Redshift.10] Redshift clusters should be encrypted at rest


**Related requirements:** NIST.800-53.r5 CA-9(1), NIST.800-53.r5 CM-3(6), NIST.800-53.r5 SC-13, NIST.800-53.r5 SC-28, NIST.800-53.r5 SC-28(1), NIST.800-53.r5 SI-7(6)

**Category:** Protect > Data Protection > Encryption of data-at-rest

**Severity:** Medium

**Resource type:** `AWS::Redshift::Cluster`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/redshift-cluster-kms-enabled.html](https://docs.amazonaws.cn/config/latest/developerguide/redshift-cluster-kms-enabled.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether Amazon Redshift clusters are encrypted at rest. The control fails if a Redshift cluster isn't encrypted at rest. Because Security Hub CSPM passes no parameters to the underlying Config rule, the control doesn't check which KMS key a cluster uses; it checks only that encryption is enabled.

In Amazon Redshift, you can turn on database encryption for your clusters to help protect data at rest. When you turn on encryption for a cluster, the data blocks and system metadata are encrypted for the cluster and its snapshots. Encryption of data at rest is a recommended best practice because it adds a layer of access management to your data. Encrypting Redshift clusters at rest reduces the risk that an unauthorized user can access the data stored on disk.
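Most of the Redshift cluster controls on this page (Redshift.1, .2, .3, .4, .6, .7, .8 and .10) read a single attribute of the cluster, its parameter group or its logging status. The Python below is an added example, not this page's or Security Hub CSPM's code, that evaluates one cluster record against all of them at once and orders the findings by the severities listed above. The cluster, parameter and logging records are constructed; `min_retention` stands in for Redshift.3's `MinRetentionPeriod` parameter.

```python
"""Evaluate one Amazon Redshift cluster against Redshift.1, .2, .3, .4, .6,
.7, .8 and .10 as this page describes them. Example code added for this page,
not Security Hub CSPM's implementation. Field names follow the Redshift
describe-clusters, describe-cluster-parameters and describe-logging-status
responses; every record below is constructed."""

SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}


def require_ssl_enabled(parameters):
    """Redshift.2: the cluster parameter group must set require_ssl to true."""
    for param in parameters:
        if param.get("ParameterName") == "require_ssl":
            return str(param.get("ParameterValue", "")).lower() == "true"
    return False


def evaluate_redshift_cluster(cluster, parameters, logging_status, min_retention=7):
    """Return the failed controls as (control_id, severity, reason) tuples,
    most severe first. min_retention mirrors Redshift.3's MinRetentionPeriod
    parameter (7 by default, customizable from 7 to 35)."""
    findings = []
    if cluster.get("PubliclyAccessible"):
        findings.append(("Redshift.1", "CRITICAL", "PubliclyAccessible is true"))
    if not require_ssl_enabled(parameters):
        findings.append(("Redshift.2", "MEDIUM", "require_ssl is not true"))
    retention = cluster.get("AutomatedSnapshotRetentionPeriod", 0)
    if retention < min_retention:  # 0 means automated snapshots are disabled
        findings.append(("Redshift.3", "MEDIUM",
                         f"snapshot retention {retention} < {min_retention} days"))
    if not logging_status.get("LoggingEnabled"):
        findings.append(("Redshift.4", "MEDIUM", "audit logging is not enabled"))
    if not cluster.get("AllowVersionUpgrade"):
        findings.append(("Redshift.6", "MEDIUM", "AllowVersionUpgrade is false"))
    if not cluster.get("EnhancedVpcRouting"):
        findings.append(("Redshift.7", "MEDIUM", "EnhancedVpcRouting is false"))
    if cluster.get("MasterUsername") == "awsuser":
        findings.append(("Redshift.8", "MEDIUM", "admin username is the default awsuser"))
    if not cluster.get("Encrypted"):
        findings.append(("Redshift.10", "MEDIUM", "cluster is not encrypted at rest"))
    findings.sort(key=lambda finding: SEVERITY_RANK[finding[1]])  # stable sort
    return findings


# Constructed sample records; names and values are made up for the example.
WEAK_CLUSTER = {
    "ClusterIdentifier": "analytics-legacy",
    "MasterUsername": "awsuser",
    "PubliclyAccessible": True,
    "Encrypted": False,
    "AllowVersionUpgrade": False,
    "EnhancedVpcRouting": False,
    "AutomatedSnapshotRetentionPeriod": 1,
}
WEAK_PARAMS = [{"ParameterName": "require_ssl", "ParameterValue": "false"}]
WEAK_LOGGING = {"LoggingEnabled": False}

HARDENED_CLUSTER = {
    "ClusterIdentifier": "analytics-prod",
    "MasterUsername": "dwadmin",
    "PubliclyAccessible": False,
    "Encrypted": True,
    "AllowVersionUpgrade": True,
    "EnhancedVpcRouting": True,
    "AutomatedSnapshotRetentionPeriod": 14,
}
HARDENED_PARAMS = [{"ParameterName": "require_ssl", "ParameterValue": "true"}]
HARDENED_LOGGING = {"LoggingEnabled": True, "BucketName": "redshift-audit-logs"}

if __name__ == "__main__":
    for control_id, severity, reason in evaluate_redshift_cluster(
            WEAK_CLUSTER, WEAK_PARAMS, WEAK_LOGGING):
        print(f"{control_id:<12} {severity:<8} {reason}")
    print("hardened:", evaluate_redshift_cluster(HARDENED_CLUSTER, HARDENED_PARAMS, HARDENED_LOGGING))
```

Redshift.8 is the one finding in this list that can't be fixed in place: as the remediation above says, the admin username is fixed at cluster creation, so a hit on it means planning a new cluster rather than a `modify-cluster` call.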

### Remediation


To modify a Redshift cluster to use KMS encryption, see [Changing cluster encryption](https://docs.amazonaws.cn/redshift/latest/mgmt/changing-cluster-encryption.html) in the *Amazon Redshift Management Guide*.

## [Redshift.11] Redshift clusters should be tagged


**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `AWS::Redshift::Cluster`

**Amazon Config rule:** `tagged-redshift-cluster` (custom Security Hub CSPM rule)

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  requiredTagKeys  | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive.  | StringList (maximum of 6 items)  | 1–6 tag keys that meet [Amazon requirements](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-conventions).  |  No default value  | 

This control checks whether an Amazon Redshift cluster has tags with the specific keys defined in the parameter `requiredTagKeys`. The control fails if the cluster doesn’t have any tag keys or if it doesn’t have all the keys specified in the parameter `requiredTagKeys`. If the parameter `requiredTagKeys` isn't provided, the control only checks for the existence of a tag key and fails if the cluster isn't tagged with any key. System tags, which are automatically applied and begin with `aws:`, are ignored.

A tag is a label that you assign to an Amazon resource, and it consists of a key and an optional value. You can create tags to categorize resources by purpose, owner, environment, or other criteria. Tags can help you identify, organize, search for, and filter resources. Tagging also helps you track accountable resource owners for actions and notifications. When you use tagging, you can implement attribute-based access control (ABAC) as an authorization strategy, which defines permissions based on tags. You can attach tags to IAM entities (users or roles) and to Amazon resources. You can create a single ABAC policy or a separate set of policies for your IAM principals. You can design these ABAC policies to allow operations when the principal's tag matches the resource tag. For more information, see [What is ABAC for Amazon?](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*.

**Note**  
Don’t add personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible to many Amazon Web Services services, including Amazon Billing. For more tagging best practices, see [Tagging your Amazon resources](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-best-practices) in the *Amazon Web Services General Reference*.

### Remediation


To add tags to a Redshift cluster, see [Tagging resources in Amazon Redshift](https://docs.amazonaws.cn/redshift/latest/mgmt/amazon-redshift-tagging.html) in the *Amazon Redshift Management Guide*.

## [Redshift.12] Redshift event notification subscriptions should be tagged


**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `AWS::Redshift::EventSubscription`

**Amazon Config rule:** `tagged-redshift-eventsubscription` (custom Security Hub CSPM rule)

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  requiredTagKeys  | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive.  | StringList (maximum of 6 items)  | 1–6 tag keys that meet [Amazon requirements](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-conventions).  |  No default value  | 

This control checks whether an Amazon Redshift event notification subscription has tags with the specific keys defined in the parameter `requiredTagKeys`. The control fails if the event notification subscription doesn’t have any tag keys or if it doesn’t have all the keys specified in the parameter `requiredTagKeys`. If the parameter `requiredTagKeys` isn't provided, the control only checks for the existence of a tag key and fails if the event notification subscription isn't tagged with any key. System tags, which are automatically applied and begin with `aws:`, are ignored.

A tag is a label that you assign to an Amazon resource, and it consists of a key and an optional value. You can create tags to categorize resources by purpose, owner, environment, or other criteria. Tags can help you identify, organize, search for, and filter resources. Tagging also helps you track accountable resource owners for actions and notifications. When you use tagging, you can implement attribute-based access control (ABAC) as an authorization strategy, which defines permissions based on tags. You can attach tags to IAM entities (users or roles) and to Amazon resources. You can create a single ABAC policy or a separate set of policies for your IAM principals. You can design these ABAC policies to allow operations when the principal's tag matches the resource tag. For more information, see [What is ABAC for Amazon?](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*.

**Note**  
Don’t add personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible to many Amazon Web Services services, including Amazon Billing. For more tagging best practices, see [Tagging your Amazon resources](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-best-practices) in the *Amazon Web Services General Reference*.

### Remediation


To add tags to a Redshift event notification subscription, see [Tagging resources in Amazon Redshift](https://docs.amazonaws.cn/redshift/latest/mgmt/amazon-redshift-tagging.html) in the *Amazon Redshift Management Guide*.

## [Redshift.13] Redshift cluster snapshots should be tagged


**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `AWS::Redshift::ClusterSnapshot`

**Amazon Config rule:** `tagged-redshift-clustersnapshot` (custom Security Hub CSPM rule)

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  requiredTagKeys  | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive.  | StringList (maximum of 6 items)  | 1–6 tag keys that meet [Amazon requirements](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-conventions).  |  No default value  | 

This control checks whether an Amazon Redshift cluster snapshot has tags with the specific keys defined in the parameter `requiredTagKeys`. The control fails if the cluster snapshot doesn’t have any tag keys or if it doesn’t have all the keys specified in the parameter `requiredTagKeys`. If the parameter `requiredTagKeys` isn't provided, the control only checks for the existence of a tag key and fails if the cluster snapshot isn't tagged with any key. System tags, which are automatically applied and begin with `aws:`, are ignored.

A tag is a label that you assign to an Amazon resource, and it consists of a key and an optional value. You can create tags to categorize resources by purpose, owner, environment, or other criteria. Tags can help you identify, organize, search for, and filter resources. Tagging also helps you track accountable resource owners for actions and notifications. When you use tagging, you can implement attribute-based access control (ABAC) as an authorization strategy, which defines permissions based on tags. You can attach tags to IAM entities (users or roles) and to Amazon resources. You can create a single ABAC policy or a separate set of policies for your IAM principals. You can design these ABAC policies to allow operations when the principal's tag matches the resource tag. For more information, see [What is ABAC for Amazon?](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*.

**Note**  
Don’t add personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible to many Amazon Web Services services, including Amazon Billing. For more tagging best practices, see [Tagging your Amazon resources](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-best-practices) in the *Amazon Web Services General Reference*.

### Remediation


To add tags to a Redshift cluster snapshot, see [Tagging resources in Amazon Redshift](https://docs.amazonaws.cn/redshift/latest/mgmt/amazon-redshift-tagging.html) in the *Amazon Redshift Management Guide*.

## [Redshift.14] Redshift cluster subnet groups should be tagged


**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `AWS::Redshift::ClusterSubnetGroup`

**Amazon Config rule:** `tagged-redshift-clustersubnetgroup` (custom Security Hub CSPM rule)

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  requiredTagKeys  | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive.  | StringList (maximum of 6 items)  | 1–6 tag keys that meet [Amazon requirements](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-conventions).  |  No default value  | 

This control checks whether an Amazon Redshift cluster subnet group has tags with the specific keys defined in the parameter `requiredTagKeys`. The control fails if the cluster subnet group doesn’t have any tag keys or if it doesn’t have all the keys specified in the parameter `requiredTagKeys`. If the parameter `requiredTagKeys` isn't provided, the control only checks for the existence of a tag key and fails if the cluster subnet group isn't tagged with any key. System tags, which are automatically applied and begin with `aws:`, are ignored.

A tag is a label that you assign to an Amazon resource, and it consists of a key and an optional value. You can create tags to categorize resources by purpose, owner, environment, or other criteria. Tags can help you identify, organize, search for, and filter resources. Tagging also helps you track accountable resource owners for actions and notifications. When you use tagging, you can implement attribute-based access control (ABAC) as an authorization strategy, which defines permissions based on tags. You can attach tags to IAM entities (users or roles) and to Amazon resources. You can create a single ABAC policy or a separate set of policies for your IAM principals. You can design these ABAC policies to allow operations when the principal's tag matches the resource tag. For more information, see [What is ABAC for Amazon?](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*.

**Note**  
Don’t add personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible to many Amazon Web Services services, including Amazon Billing. For more tagging best practices, see [Tagging your Amazon resources](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-best-practices) in the *Amazon Web Services General Reference*.

### Remediation


To add tags to a Redshift cluster subnet group, see [Tagging resources in Amazon Redshift](https://docs.amazonaws.cn/redshift/latest/mgmt/amazon-redshift-tagging.html) in the *Amazon Redshift Management Guide*.

## [Redshift.15] Redshift security groups should allow ingress on the cluster port only from restricted origins


**Related requirements:** PCI DSS v4.0.1/1.3.1

**Category:** Protect > Secure network configuration > Security group configuration

**Severity:** High

**Resource type:** `AWS::Redshift::Cluster`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/redshift-unrestricted-port-access.html](https://docs.amazonaws.cn/config/latest/developerguide/redshift-unrestricted-port-access.html)

**Schedule type:** Periodic

**Parameters:** None

This control checks whether a security group associated with an Amazon Redshift cluster has ingress rules that permit access to the cluster port from the internet (0.0.0.0/0 or ::/0). The control fails if the security group ingress rules permit access to the cluster port from the internet.

Permitting unrestricted inbound access to the Redshift cluster port (a source CIDR with a /0 suffix, such as 0.0.0.0/0 or ::/0) can result in unauthorized access or security incidents. We recommend applying the principle of least privilege when creating security groups and configuring inbound rules.
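The evaluation described above, as an added example that is not part of this page or of the Config rule's own implementation: it walks a security group's ingress rules, in the shape that EC2's `DescribeSecurityGroups` returns them, and flags any rule whose port range includes the cluster port and whose source is 0.0.0.0/0 or ::/0. The group IDs and rules are constructed, and the default port 5439 is an assumption standing in for the cluster's actual endpoint port.

```python
"""Ingress check behind [Redshift.15]: does any security group rule let the
internet (0.0.0.0/0 or ::/0) reach the cluster port? Added illustration over
constructed input shaped like EC2 DescribeSecurityGroups output; the group IDs
are made up."""

# Assumption: 5439 is the default Redshift port. A real evaluation reads the
# cluster's Endpoint.Port from DescribeClusters instead of assuming it.
DEFAULT_REDSHIFT_PORT = 5439
UNRESTRICTED_SOURCES = ("0.0.0.0/0", "::/0")


def rule_covers_port(rule, port):
    """True if an IpPermissions entry applies to TCP `port`. IpProtocol "-1"
    means all protocols and all ports, so it always covers the cluster port."""
    protocol = rule.get("IpProtocol")
    if protocol == "-1":
        return True
    if protocol not in ("tcp", "6"):
        return False
    from_port, to_port = rule.get("FromPort"), rule.get("ToPort")
    if from_port is None or to_port is None:
        return False
    return from_port <= port <= to_port


def unrestricted_sources(rule):
    """The /0 sources a rule allows, IPv4 and IPv6. Security-group references
    (UserIdGroupPairs) and prefix lists are never unrestricted."""
    cidrs = [r.get("CidrIp") for r in rule.get("IpRanges", [])]
    cidrs += [r.get("CidrIpv6") for r in rule.get("Ipv6Ranges", [])]
    return [c for c in cidrs if c in UNRESTRICTED_SOURCES]


def evaluate_security_group(group, cluster_port=DEFAULT_REDSHIFT_PORT):
    """Return {"status": "PASSED"|"FAILED", "offending": [...]} for one group."""
    offending = []
    for rule in group.get("IpPermissions", []):
        if not rule_covers_port(rule, cluster_port):
            continue
        for source in unrestricted_sources(rule):
            offending.append({
                "protocol": rule.get("IpProtocol"),
                "from_port": rule.get("FromPort"),
                "to_port": rule.get("ToPort"),
                "source": source,
            })
    return {"status": "FAILED" if offending else "PASSED", "offending": offending}


def evaluate_cluster(cluster_groups, cluster_port=DEFAULT_REDSHIFT_PORT):
    """A cluster fails if any security group associated with it fails."""
    per_group = {g["GroupId"]: evaluate_security_group(g, cluster_port)
                 for g in cluster_groups}
    failed = any(r["status"] == "FAILED" for r in per_group.values())
    return {"status": "FAILED" if failed else "PASSED", "groups": per_group}


# Constructed sample groups (IDs are not real).
SAMPLE_GROUPS = {
    "open-v4": {"GroupId": "sg-0000000000000001", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5439, "ToPort": 5439,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    "open-v6-in-range": {"GroupId": "sg-0000000000000002", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5000, "ToPort": 6000,  # range includes 5439
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    "all-traffic": {"GroupId": "sg-0000000000000003", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    "restricted": {"GroupId": "sg-0000000000000004", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5439, "ToPort": 5439,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-0000000000000099"}]}]},
    "ssh-open-only": {"GroupId": "sg-0000000000000005", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
}

if __name__ == "__main__":
    for name, group in SAMPLE_GROUPS.items():
        print(name, evaluate_security_group(group))
```

Two details worth noticing: an all-traffic rule (`IpProtocol` `-1`) carries no `FromPort`/`ToPort` and still covers the cluster port, and a group that is open to the world only on port 22 passes this particular control, because other ports are outside its scope.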

### Remediation


To restrict ingress on the Redshift cluster port to trusted origins, see [Work with security group rules](https://docs.amazonaws.cn/vpc/latest/userguide/security-group-rules.html#working-with-security-group-rules) in the *Amazon VPC User Guide*. Update or remove rules where the port range includes the Redshift cluster port and the source is 0.0.0.0/0 or ::/0.

## [Redshift.16] Redshift cluster subnet groups should have subnets from multiple Availability Zones


**Category:** Recover > Resilience > High availability

**Severity:** Medium

**Resource type:** `AWS::Redshift::ClusterSubnetGroup`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/redshift-cluster-subnet-group-multi-az.html](https://docs.amazonaws.cn/config/latest/developerguide/redshift-cluster-subnet-group-multi-az.html)

**Schedule type:** Change triggered

**Parameters:** None

The control checks whether an Amazon Redshift cluster subnet group has subnets from more than one Availability Zone (AZ). The control fails if the cluster subnet group doesn't have subnets from at least two different AZs.

Configuring subnets across multiple AZs helps ensure that your Redshift data warehouse can continue operating when an AZ-level failure occurs.

### Remediation


To modify a Redshift cluster subnet group to span multiple AZs, see [Modifying a cluster subnet group](https://docs.amazonaws.cn/redshift/latest/mgmt/modify-cluster-subnet-group.html) in the *Amazon Redshift Management Guide*.

## [Redshift.17] Redshift cluster parameter groups should be tagged


**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `AWS::Redshift::ClusterParameterGroup`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/redshift-cluster-parameter-group-tagged.html](https://docs.amazonaws.cn/config/latest/developerguide/redshift-cluster-parameter-group-tagged.html)

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
| requiredKeyTags | A list of non-system tag keys that must be assigned to an evaluated resource. Tag keys are case sensitive. | StringList (maximum of 6 items) | 1–6 tag keys that meet [Amazon requirements](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-conventions). | No default value | 

This control checks whether an Amazon Redshift cluster parameter group has the tag keys specified by the `requiredKeyTags` parameter. The control fails if the parameter group doesn't have any tag keys, or it doesn't have all the keys specified by the `requiredKeyTags` parameter. If you don't specify any values for the `requiredKeyTags` parameter, the control checks only for the existence of a tag key and fails if the parameter group doesn't have any tag keys. The control ignores system tags, which are applied automatically and have the `aws:` prefix.

A tag is a label that you create and assign to an Amazon resource. Each tag consists of a required tag key and an optional tag value. You can use tags to categorize resources by purpose, owner, environment, or other criteria. They can help you identify, organize, search for, and filter resources. They can also help you track resource owners for actions and notifications. You can also use tags to implement attribute-based access control (ABAC) as an authorization strategy. For more information about ABAC strategies, see [Define permissions based on attributes with ABAC authorization](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*. For more information about tags, see the [Tagging Amazon Resources and Tag Editor User Guide](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html).

**Note**  
Do not store personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible from many Amazon Web Services services. They aren't intended to be used for private or sensitive data.

### Remediation


For information about adding tags to an Amazon Redshift cluster parameter group, see [Tag resources in Amazon Redshift](https://docs.amazonaws.cn/redshift/latest/mgmt/amazon-redshift-tagging.html) in the *Amazon Redshift Management Guide*.

## [Redshift.18] Redshift clusters should have Multi-AZ deployments enabled


**Category:** Recover > Resilience > High availability

**Severity:** Medium

**Resource type:** `AWS::Redshift::Cluster`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/redshift-cluster-multi-az-enabled.html](https://docs.amazonaws.cn/config/latest/developerguide/redshift-cluster-multi-az-enabled.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether multiple Availability Zones (Multi-AZ) deployments are enabled for an Amazon Redshift cluster. The control fails if Multi-AZ deployments aren't enabled for the Amazon Redshift cluster.

Amazon Redshift supports multiple Availability Zones (Multi-AZ) deployments for provisioned clusters. If Multi-AZ deployments are enabled for a cluster, an Amazon Redshift data warehouse can continue operating in failure scenarios when an unexpected event happens in an Availability Zone (AZ). A Multi-AZ deployment deploys compute resources in more than one AZ and these compute resources can be accessed through a single endpoint. In the event of an entire AZ failure, the remaining compute resources in another AZ are available to continue processing workloads. You can convert an existing Single-AZ data warehouse to a Multi-AZ data warehouse. Additional compute resources are then provisioned in a second AZ.

### Remediation


For information about configuring Multi-AZ deployments for an Amazon Redshift cluster, see [Converting a Single-AZ data warehouse to a Multi-AZ data warehouse](https://docs.amazonaws.cn/redshift/latest/mgmt/convert-saz-to-maz.html) in the *Amazon Redshift Management Guide*.

# Security Hub CSPM controls for Amazon Redshift Serverless
Amazon Redshift Serverless controls

These Amazon Security Hub CSPM controls evaluate the Amazon Redshift Serverless service and resources. The controls might not be available in all Amazon Web Services Regions. For more information, see [Availability of controls by Region](securityhub-regions.md#securityhub-regions-control-support).

## [RedshiftServerless.1] Amazon Redshift Serverless workgroups should use enhanced VPC routing


**Category:** Protect > Secure network configuration > Resources within VPC

**Severity:** High

**Resource type:** `AWS::RedshiftServerless::Workgroup`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/redshift-serverless-workgroup-routes-within-vpc.html](https://docs.amazonaws.cn/config/latest/developerguide/redshift-serverless-workgroup-routes-within-vpc.html)

**Schedule type:** Periodic

**Parameters:** None

This control checks whether enhanced VPC routing is enabled for an Amazon Redshift Serverless workgroup. The control fails if enhanced VPC routing is disabled for the workgroup.

If enhanced VPC routing is disabled for an Amazon Redshift Serverless workgroup, Amazon Redshift routes traffic through the internet, including traffic to other services within the Amazon network. If you enable enhanced VPC routing for a workgroup, Amazon Redshift forces all `COPY` and `UNLOAD` traffic between your workgroup and your data repositories through your virtual private cloud (VPC) based on the Amazon VPC service. With enhanced VPC routing, you can use standard VPC features to control the flow of data between your workgroup and other resources. This includes VPC security groups and endpoint policies, network access control lists (ACLs), and Domain Name System (DNS) servers. You can also use VPC flow logs to monitor `COPY` and `UNLOAD` traffic.

### Remediation


For more information about enhanced VPC routing and how to enable it for a workgroup, see [Controlling network traffic with Redshift enhanced VPC routing](https://docs.amazonaws.cn/redshift/latest/mgmt/enhanced-vpc-routing.html) in the *Amazon Redshift Management Guide*.

## [RedshiftServerless.2] Connections to Redshift Serverless workgroups should be required to use SSL


**Category:** Protect > Data Protection > Encryption of data-in-transit

**Severity:** Medium

**Resource type:** `AWS::RedshiftServerless::Workgroup`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/redshift-serverless-workgroup-encrypted-in-transit.html](https://docs.amazonaws.cn/config/latest/developerguide/redshift-serverless-workgroup-encrypted-in-transit.html)

**Schedule type:** Periodic

**Parameters:** None

This control checks whether connections to an Amazon Redshift Serverless workgroup are required to encrypt data in transit. The control fails if the `require_ssl` configuration parameter for the workgroup is set to `false`.

An Amazon Redshift Serverless workgroup is a collection of compute resources, such as Redshift Processing Units (RPUs), together with the network configuration (VPC subnet groups and security groups) that those resources use. The workgroup's network and security settings specify whether connections to it must use SSL to encrypt data in transit.

### Remediation


For information about updating the settings for an Amazon Redshift Serverless workgroup to require SSL connections, see [Connecting to Amazon Redshift Serverless](https://docs.amazonaws.cn/redshift/latest/mgmt/serverless-connecting.html) in the *Amazon Redshift Management Guide*.

## [RedshiftServerless.3] Redshift Serverless workgroups should prohibit public access


**Category:** Protect > Secure network configuration > Resources not publicly accessible

**Severity:** High

**Resource type:** `AWS::RedshiftServerless::Workgroup`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/redshift-serverless-workgroup-no-public-access.html](https://docs.amazonaws.cn/config/latest/developerguide/redshift-serverless-workgroup-no-public-access.html)

**Schedule type:** Periodic

**Parameters:** None

This control checks whether public access is disabled for an Amazon Redshift Serverless workgroup. It evaluates the `publiclyAccessible` property of a Redshift Serverless workgroup. The control fails if public access is enabled (`true`) for the workgroup.

The public access (`publiclyAccessible`) setting for an Amazon Redshift Serverless workgroup specifies whether the workgroup can be accessed from a public network. If public access is enabled (`true`) for a workgroup, Amazon Redshift creates an Elastic IP address that makes the workgroup publicly accessible from outside the VPC. If you don't want a workgroup to be publicly accessible, disable public access for it.

### Remediation


For information about changing the public access setting for an Amazon Redshift Serverless workgroup, see [Viewing the properties for a workgroup](https://docs.amazonaws.cn/redshift/latest/mgmt/serverless-console-workgroups.html) in the *Amazon Redshift Management Guide*.

## [RedshiftServerless.4] Redshift Serverless namespaces should be encrypted with customer managed Amazon KMS keys


**Related requirements:** NIST.800-53.r5 AU-9, NIST.800-53.r5 CA-9(1), NIST.800-53.r5 CM-3(6), NIST.800-53.r5 SC-7(10), NIST.800-53.r5 SC-12(2), NIST.800-53.r5 SC-13, NIST.800-53.r5 SC-28, NIST.800-53.r5 SC-28(1), NIST.800-53.r5 SI-7(6)

**Category:** Protect > Data Protection > Encryption of data-at-rest

**Severity:** Medium

**Resource type:** `AWS::RedshiftServerless::Namespace`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/redshift-serverless-namespace-cmk-encryption.html](https://docs.amazonaws.cn/config/latest/developerguide/redshift-serverless-namespace-cmk-encryption.html)

**Schedule type:** Periodic

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  `kmsKeyArns`  |  A list of Amazon Resource Names (ARNs) of Amazon KMS keys to include in the evaluation. The control generates a `FAILED` finding if a Redshift Serverless namespace isn't encrypted with a KMS key in the list.  |  StringList (maximum of 3 items)  |  1–3 ARNs of existing KMS keys. For example: `arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`.  |  No default value  | 

This control checks whether an Amazon Redshift Serverless namespace is encrypted at rest with a customer managed Amazon KMS key. The control fails if the Redshift Serverless namespace isn't encrypted with a customer managed KMS key. You can optionally specify a list of KMS keys for the control to include in the evaluation.

In Amazon Redshift Serverless, a namespace defines a logical container for database objects. This control periodically checks whether the encryption settings for a namespace specify a customer managed Amazon KMS key, instead of an Amazon managed KMS key, for encryption of data in the namespace. With a customer managed KMS key, you have full control of the key. This includes defining and maintaining the key policy, managing grants, rotating cryptographic material, assigning tags, creating aliases, and enabling and disabling the key.

### Remediation


For information about updating the encryption settings for an Amazon Redshift Serverless namespace and specifying a customer managed Amazon KMS key, see [Changing the Amazon KMS key for a namespace](https://docs.amazonaws.cn/redshift/latest/mgmt/serverless-workgroups-and-namespaces-rotate-kms-key.html) in the *Amazon Redshift Management Guide*.

## [RedshiftServerless.5] Redshift Serverless namespaces should not use the default admin username


**Category:** Identify > Resource configuration

**Severity:** Medium

**Resource type:** `AWS::RedshiftServerless::Namespace`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/redshift-serverless-default-admin-check.html](https://docs.amazonaws.cn/config/latest/developerguide/redshift-serverless-default-admin-check.html)

**Schedule type:** Periodic

**Parameters:** None

This control checks whether the admin username for an Amazon Redshift Serverless namespace is the default admin username, `admin`. The control fails if the admin username for the Redshift Serverless namespace is `admin`. 

When creating an Amazon Redshift Serverless namespace, you should specify a custom admin username for the namespace. The default admin username is public knowledge. By specifying a custom admin username, you can, for example, help mitigate the risk or effectiveness of brute force attacks against the namespace.

### Remediation


You can change the admin username for an Amazon Redshift Serverless namespace by using the Amazon Redshift Serverless console or API. To change it by using the console, choose the namespace configuration, and then choose **Edit admin credentials** on the **Actions** menu. To change it programmatically, use the [UpdateNamespace](https://docs.amazonaws.cn/redshift-serverless/latest/APIReference/API_UpdateNamespace.html) operation or, if you’re using the Amazon CLI, run the [update-namespace](https://docs.amazonaws.cn/cli/latest/reference/redshift-serverless/update-namespace.html) command. If you change the admin username, you must also change the admin password at the same time.

## [RedshiftServerless.6] Redshift Serverless namespaces should export logs to CloudWatch Logs


**Category:** Identify > Logging

**Severity:** Medium

**Resource type:** `AWS::RedshiftServerless::Namespace`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/redshift-serverless-publish-logs-to-cloudwatch.html](https://docs.amazonaws.cn/config/latest/developerguide/redshift-serverless-publish-logs-to-cloudwatch.html)

**Schedule type:** Periodic

**Parameters:** None

This control checks whether an Amazon Redshift Serverless namespace is configured to export connection and user logs to Amazon CloudWatch Logs. The control fails if the Redshift Serverless namespace isn't configured to export the logs to CloudWatch Logs.

If you configure Amazon Redshift Serverless to export connection log (`connectionlog`) and user log (`userlog`) data to a log group in Amazon CloudWatch Logs, you can collect and store your log records in durable storage, which can support security, access, and availability reviews and audits. With CloudWatch Logs, you can also perform real-time analysis of log data and use CloudWatch to create alarms and review metrics.

### Remediation


To export log data for an Amazon Redshift Serverless namespace to Amazon CloudWatch Logs, the respective logs must be selected for export in the audit logging configuration settings for the namespace. For information about updating these settings, see [Editing security and encryption](https://docs.amazonaws.cn/redshift/latest/mgmt/serverless-console-configuration-edit-network-settings.html) in the *Amazon Redshift Management Guide*.

# Security Hub CSPM controls for Route 53
Amazon Route 53 controls

These Amazon Security Hub CSPM controls evaluate the Amazon Route 53 service and resources.

These controls may not be available in all Amazon Web Services Regions. For more information, see [Availability of controls by Region](securityhub-regions.md#securityhub-regions-control-support).

## [Route53.1] Route 53 health checks should be tagged


**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `AWS::Route53::HealthCheck`

**Amazon Config rule:** `tagged-route53-healthcheck` (custom Security Hub CSPM rule)

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  requiredTagKeys  | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive.  | StringList (maximum of 6 items)  | 1–6 tag keys that meet [Amazon requirements](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-conventions).  | No default value  | 

This control checks whether an Amazon Route 53 health check has tags with the specific keys defined in the parameter `requiredTagKeys`. The control fails if the health check doesn’t have any tag keys or if it doesn’t have all the keys specified in the parameter `requiredTagKeys`. If the parameter `requiredTagKeys` isn't provided, the control only checks for the existence of a tag key and fails if the health check isn't tagged with any key. System tags, which are automatically applied and begin with `aws:`, are ignored.

A tag is a label that you assign to an Amazon resource, and it consists of a key and an optional value. You can create tags to categorize resources by purpose, owner, environment, or other criteria. Tags can help you identify, organize, search for, and filter resources. Tagging also helps you track accountable resource owners for actions and notifications. When you use tagging, you can implement attribute-based access control (ABAC) as an authorization strategy, which defines permissions based on tags. You can attach tags to IAM entities (users or roles) and to Amazon resources. You can create a single ABAC policy or a separate set of policies for your IAM principals. You can design these ABAC policies to allow operations when the principal's tag matches the resource tag. For more information, see [What is ABAC for Amazon?](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*.

**Note**  
Don’t add personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible to many Amazon Web Services services, including Amazon Billing. For more tagging best practices, see [Tagging your Amazon resources](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-best-practices) in the *Amazon Web Services General Reference*.
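The tag-key evaluation shared by [Redshift.13], [Redshift.14], [Redshift.17] and [Route53.1], as an added example that is not the page's or the Config rules' own code: required keys are matched case sensitively, `aws:` system tags are excluded, and an unset parameter degrades to "any non-system key present". The resource names and tag sets are constructed; the `{"Key": ..., "Value": ...}` input shape is what most tagging APIs return.

```python
"""Tag-key check used by the Security Hub CSPM tagging controls ([Redshift.13],
[Redshift.14], [Redshift.17], [Route53.1]): required keys, case-sensitive
matching, and the `aws:` system-tag exclusion. Added illustration; the input
shape and the resource names below are constructed."""

SYSTEM_TAG_PREFIX = "aws:"
MAX_REQUIRED_KEYS = 6  # the requiredTagKeys parameter accepts 1-6 keys


def user_tag_keys(tags):
    """Return the non-system tag keys from a list of {"Key": ..., "Value": ...}
    dicts. Keys are kept exactly as given, so matching is case sensitive."""
    return {t["Key"] for t in tags if not t["Key"].startswith(SYSTEM_TAG_PREFIX)}


def evaluate_tags(tags, required_tag_keys=None):
    """Evaluate one resource's tags.

    required_tag_keys=None models an unset parameter: the resource passes if it
    carries any non-system tag key. Otherwise every listed key must be present.
    Returns {"status": "PASSED"|"FAILED", "missing": [...]}.
    """
    present = user_tag_keys(tags)
    if required_tag_keys is None:
        return {"status": "PASSED" if present else "FAILED", "missing": []}
    if not 1 <= len(required_tag_keys) <= MAX_REQUIRED_KEYS:
        raise ValueError("requiredTagKeys must contain 1-6 keys")
    missing = [k for k in required_tag_keys if k not in present]
    return {"status": "FAILED" if missing else "PASSED", "missing": missing}


def evaluate_resources(resources, required_tag_keys=None):
    """Evaluate a {resource_id: tags} mapping and return only the failing
    resources with the keys they lack, which is what a finding should carry."""
    failures = {}
    for resource_id, tags in resources.items():
        result = evaluate_tags(tags, required_tag_keys)
        if result["status"] == "FAILED":
            failures[resource_id] = result["missing"]
    return failures


# Constructed sample tag sets (resource IDs are illustrative, not real ARNs).
SAMPLE_RESOURCES = {
    "redshift-snapshot-1": [
        {"Key": "aws:cloudformation:stack-name", "Value": "dw-prod"},  # system tag, ignored
        {"Key": "Owner", "Value": "data-platform"},
        {"Key": "environment", "Value": "prod"},
    ],
    "redshift-subnet-group-1": [
        {"Key": "aws:cloudformation:stack-name", "Value": "dw-prod"},  # only a system tag
    ],
    "route53-healthcheck-1": [
        {"Key": "Owner", "Value": "sre"},
        {"Key": "Environment", "Value": "prod"},
    ],
}

if __name__ == "__main__":
    # Without the parameter: only the subnet group fails (no user tag keys).
    print(evaluate_resources(SAMPLE_RESOURCES))
    # With the parameter: "environment" != "Environment", so the snapshot fails too.
    print(evaluate_resources(SAMPLE_RESOURCES, ["Owner", "Environment"]))
```

The second call is the case that surprises teams most often: a resource tagged `environment` fails a `requiredTagKeys` of `Environment`, so agree on key casing in your tagging standard before turning the parameter on.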

### Remediation


To add tags to a Route 53 health check, see [Naming and tagging health checks](https://docs.amazonaws.cn/Route53/latest/DeveloperGuide/health-checks-tagging.html) in the *Amazon Route 53 Developer Guide*.

## [Route53.2] Route 53 public hosted zones should log DNS queries


**Related requirements:** NIST.800-53.r5 AC-2(4), NIST.800-53.r5 AC-4(26), NIST.800-53.r5 AC-6(9), NIST.800-53.r5 AU-10, NIST.800-53.r5 AU-12, NIST.800-53.r5 AU-2, NIST.800-53.r5 AU-3, NIST.800-53.r5 AU-6(3), NIST.800-53.r5 AU-6(4), NIST.800-53.r5 CA-7, NIST.800-53.r5 SC-7(9), NIST.800-53.r5 SI-3(8), NIST.800-53.r5 SI-4(20), NIST.800-53.r5 SI-7(8), PCI DSS v4.0.1/10.4.2

**Category:** Identify > Logging

**Severity:** Medium

**Resource type:** `AWS::Route53::HostedZone`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/route53-query-logging-enabled.html](https://docs.amazonaws.cn/config/latest/developerguide/route53-query-logging-enabled.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks if DNS query logging is enabled for an Amazon Route 53 public hosted zone. The control fails if DNS query logging isn't enabled for a Route 53 public hosted zone.

Logging DNS queries for a Route 53 hosted zone addresses DNS security and compliance requirements and grants visibility. The logs include information such as the domain or subdomain that was queried, the date and time of the query, the DNS record type (for example, A or AAAA), and the DNS response code (for example, `NoError` or `ServFail`). When DNS query logging is enabled, Route 53 publishes the log files to Amazon CloudWatch Logs.
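What the visibility described above looks like in practice, as an added example that is not part of this page or of Route 53 itself: a parser for the query-log lines delivered to CloudWatch Logs plus a small triage pass over them. The sample lines are constructed (documentation IP ranges, made-up zone ID), and the space-separated field order is what I understand Route 53 to use for public hosted zone query logs; treat it as an assumption to verify against your own log group before relying on the parser.

```python
"""Parser and small triage pass over Route 53 public hosted zone query logs
of the kind [Route53.2] requires. Added illustration over constructed lines;
the space-separated field layout below is an assumption to verify against
your own log group."""

from collections import Counter, defaultdict
from dataclasses import dataclass

FIELDS = ("log_format_version", "timestamp", "hosted_zone_id", "query_name",
          "query_type", "response_code", "protocol", "edge_location",
          "resolver_ip", "edns_client_subnet")


@dataclass(frozen=True)
class QueryLogRecord:
    log_format_version: str
    timestamp: str
    hosted_zone_id: str
    query_name: str
    query_type: str
    response_code: str
    protocol: str
    edge_location: str
    resolver_ip: str
    edns_client_subnet: str


def parse_line(line):
    """Return a record, or None for a line that does not have the expected
    field count (malformed, or a different log format than assumed)."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    return QueryLogRecord(*parts)


def parse_query_logs(text):
    """Parse a block of log text, silently dropping unparseable lines."""
    records = [parse_line(line) for line in text.splitlines() if line.strip()]
    return [r for r in records if r is not None]


def response_code_counts(records):
    """Counts per DNS response code (NOERROR, NXDOMAIN, SERVFAIL, ...)."""
    return Counter(r.response_code for r in records)


def nxdomain_by_resolver(records):
    """Distinct names per resolver that produced NXDOMAIN. A resolver asking
    for many names that do not exist is worth a look: subdomain enumeration,
    or data smuggled out in labels the zone never answers for."""
    names = defaultdict(set)
    for r in records:
        if r.response_code == "NXDOMAIN":
            names[r.resolver_ip].add(r.query_name)
    return {ip: sorted(n) for ip, n in names.items()}


def noisy_resolvers(records, threshold=3):
    """Resolver IPs with at least `threshold` distinct NXDOMAIN names."""
    return sorted(ip for ip, names in nxdomain_by_resolver(records).items()
                  if len(names) >= threshold)


# Constructed sample log lines (documentation IP ranges and a made-up zone ID).
SAMPLE_LOG = """\
1.0 2024-05-01T10:00:01Z Z0123456789EXAMPLE www.example.com A NOERROR UDP IAD12 198.51.100.10 -
1.0 2024-05-01T10:00:02Z Z0123456789EXAMPLE www.example.com AAAA NOERROR UDP IAD12 198.51.100.10 -
1.0 2024-05-01T10:00:03Z Z0123456789EXAMPLE a1b2c3.example.com A NXDOMAIN UDP IAD12 192.0.2.55 -
1.0 2024-05-01T10:00:03Z Z0123456789EXAMPLE d4e5f6.example.com A NXDOMAIN UDP IAD12 192.0.2.55 -
1.0 2024-05-01T10:00:04Z Z0123456789EXAMPLE g7h8i9.example.com TXT NXDOMAIN TCP IAD12 192.0.2.55 192.0.2.0/24
1.0 2024-05-01T10:00:05Z Z0123456789EXAMPLE mail.example.com MX SERVFAIL UDP FRA6 203.0.113.7 -
this line is not a query log record
"""

if __name__ == "__main__":
    records = parse_query_logs(SAMPLE_LOG)
    print(response_code_counts(records))
    print(noisy_resolvers(records))
```

The resolver IP in these logs is the recursive resolver that reached Route 53, not the end client; the EDNS client subnet field, when present, is the closest you get to the client's network, which is why the parser keeps it.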

### Remediation


To log DNS queries for Route 53 public hosted zones, see [Configuring logging for DNS queries](https://docs.amazonaws.cn/Route53/latest/DeveloperGuide/query-logs.html#query-logs-configuring) in the *Amazon Route 53 Developer Guide*.

# Security Hub CSPM controls for Amazon S3
Amazon S3 controls

These Amazon Security Hub CSPM controls evaluate the Amazon Simple Storage Service (Amazon S3) service and resources. The controls might not be available in all Amazon Web Services Regions. For more information, see [Availability of controls by Region](securityhub-regions.md#securityhub-regions-control-support).

## [S3.1] S3 general purpose buckets should have block public access settings enabled


**Related requirements:** CIS Amazon Foundations Benchmark v5.0.0/2.1.4, CIS Amazon Foundations Benchmark v3.0.0/2.1.4, CIS Amazon Foundations Benchmark v1.4.0/2.1.5, NIST.800-53.r5 AC-21, NIST.800-53.r5 AC-3, NIST.800-53.r5 AC-3(7), NIST.800-53.r5 AC-4, NIST.800-53.r5 AC-4(21), NIST.800-53.r5 AC-6, NIST.800-53.r5 SC-7, NIST.800-53.r5 SC-7(11), NIST.800-53.r5 SC-7(16), NIST.800-53.r5 SC-7(20), NIST.800-53.r5 SC-7(21), NIST.800-53.r5 SC-7(3), NIST.800-53.r5 SC-7(4), NIST.800-53.r5 SC-7(9), PCI DSS v3.2.1/1.2.1, PCI DSS v3.2.1/1.3.1, PCI DSS v3.2.1/1.3.2, PCI DSS v3.2.1/1.3.4, PCI DSS v3.2.1/1.3.6, PCI DSS v4.0.1/1.4.4

**Category:** Protect > Secure network configuration

**Severity:** Medium

**Resource type:** `AWS::::Account`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/s3-account-level-public-access-blocks-periodic.html](https://docs.amazonaws.cn/config/latest/developerguide/s3-account-level-public-access-blocks-periodic.html) 

**Schedule type:** Periodic

**Parameters:** 
+ `ignorePublicAcls`: `true` (not customizable)
+ `blockPublicPolicy`: `true` (not customizable)
+ `blockPublicAcls`: `true` (not customizable)
+ `restrictPublicBuckets`: `true` (not customizable)

This control checks whether the preceding Amazon S3 Block Public Access settings are configured at the account level. The control fails if any of the settings is set to `false`, or if the account has no block public access configuration at all.

Amazon S3 public access block is designed to provide controls across an entire Amazon Web Services account or at the individual S3 bucket level to ensure that objects never have public access. Public access is granted to buckets and objects through access control lists (ACLs), bucket policies, or both.

Unless you intend to have your S3 buckets be publicly accessible, you should configure the account level Amazon S3 Block Public Access feature.

To learn more, see [Using Amazon S3 Block Public Access](https://docs.amazonaws.cn/AmazonS3/latest/dev/access-control-block-public-access.html) in the *Amazon Simple Storage Service User Guide*.

### Remediation


To enable Amazon S3 Block Public Access for your Amazon Web Services account, see [Configuring block public access settings for your account](https://docs.amazonaws.cn/AmazonS3/latest/userguide/configuring-block-public-access-account.html) in the *Amazon Simple Storage Service User Guide*.

## [S3.2] S3 general purpose buckets should block public read access


**Related requirements:** PCI DSS v3.2.1/1.2.1, PCI DSS v3.2.1/1.3.1, PCI DSS v3.2.1/1.3.2, PCI DSS v3.2.1/1.3.6, PCI DSS v3.2.1/7.2.1, NIST.800-53.r5 AC-21, NIST.800-53.r5 AC-3, NIST.800-53.r5 AC-3(7), NIST.800-53.r5 AC-4, NIST.800-53.r5 AC-4(21), NIST.800-53.r5 AC-6, NIST.800-53.r5 SC-7, NIST.800-53.r5 SC-7(11), NIST.800-53.r5 SC-7(16), NIST.800-53.r5 SC-7(20), NIST.800-53.r5 SC-7(21), NIST.800-53.r5 SC-7(3), NIST.800-53.r5 SC-7(4), NIST.800-53.r5 SC-7(9)

**Category:** Protect > Secure network configuration

**Severity:** Critical

**Resource type:** `AWS::S3::Bucket`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/s3-bucket-public-read-prohibited](https://docs.amazonaws.cn/config/latest/developerguide/s3-bucket-public-read-prohibited)

**Schedule type:** Periodic and change triggered

**Parameters:** None

This control checks whether an Amazon S3 general purpose bucket permits public read access. It evaluates the block public access settings, the bucket policy, and the bucket access control list (ACL). The control fails if the bucket permits public read access.

**Note**  
If an S3 bucket has a bucket policy, this control doesn't evaluate policy conditions that use wildcard characters or variables. To produce a `PASSED` finding, conditions in the bucket policy must only use fixed values, which are values that don't contain wildcard characters or policy variables. For information about policy variables, see [Variables and tags](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_policies_variables.html) in the *Amazon Identity and Access Management User Guide*.

Some use cases may require that everyone on the internet be able to read from your S3 bucket. However, those situations are rare. To ensure the integrity and security of your data, your S3 bucket should not be publicly readable.

### Remediation


To block public read access on your Amazon S3 buckets, see [Configuring block public access settings for your S3 buckets](https://docs.amazonaws.cn/AmazonS3/latest/userguide/configuring-block-public-access-bucket.html) in the *Amazon Simple Storage Service User Guide*.

## [S3.3] S3 general purpose buckets should block public write access


**Related requirements:** PCI DSS v3.2.1/1.2.1, PCI DSS v3.2.1/1.3.1, PCI DSS v3.2.1/1.3.2, PCI DSS v3.2.1/1.3.4, PCI DSS v3.2.1/1.3.6, PCI DSS v3.2.1/7.2.1, NIST.800-53.r5 AC-21, NIST.800-53.r5 AC-3, NIST.800-53.r5 AC-3(7), NIST.800-53.r5 AC-4, NIST.800-53.r5 AC-4(21), NIST.800-53.r5 AC-6, NIST.800-53.r5 SC-7, NIST.800-53.r5 SC-7(11), NIST.800-53.r5 SC-7(16), NIST.800-53.r5 SC-7(20), NIST.800-53.r5 SC-7(21), NIST.800-53.r5 SC-7(3), NIST.800-53.r5 SC-7(4), NIST.800-53.r5 SC-7(9)

**Category:** Protect > Secure network configuration

**Severity:** Critical

**Resource type:** `AWS::S3::Bucket`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/s3-bucket-public-write-prohibited.html](https://docs.amazonaws.cn/config/latest/developerguide/s3-bucket-public-write-prohibited.html) 

**Schedule type:** Periodic and change triggered

**Parameters:** None

This control checks whether an Amazon S3 general purpose bucket permits public write access. It evaluates the block public access settings, the bucket policy, and the bucket access control list (ACL). The control fails if the bucket permits public write access.

**Note**  
If an S3 bucket has a bucket policy, this control doesn't evaluate policy conditions that use wildcard characters or variables. To produce a `PASSED` finding, conditions in the bucket policy must only use fixed values, which are values that don't contain wildcard characters or policy variables. For information about policy variables, see [Variables and tags](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_policies_variables.html) in the *Amazon Identity and Access Management User Guide*.

Some use cases require that everyone on the internet be able to write to your S3 bucket. However, those situations are rare. To ensure the integrity and security of your data, your S3 bucket should not be publicly writable.

### Remediation


To block public write access on your Amazon S3 buckets, see [Configuring block public access settings for your S3 buckets](https://docs.amazonaws.cn/AmazonS3/latest/userguide/configuring-block-public-access-bucket.html) in the *Amazon Simple Storage Service User Guide*.
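The public read control above and this public write control evaluate the same three inputs. The following Python is an added example, not the Config rules' own code: it decides effective public read and write access from the Block Public Access settings, the bucket ACL grants and the bucket policy, using the same simplification as the notes on both controls (conditions with wildcards or policy variables aren't evaluated, so they don't count as restricting). It also ignores `NotPrincipal`, `NotAction` and `Resource`, which the real rules do consider. Input shapes follow the `GetPublicAccessBlock`, `GetBucketAcl` and `GetBucketPolicy` API responses; the sample settings, grants and policy are constructed.

```python
"""Work out whether a bucket is effectively public for read and for write
from the three things the two controls above evaluate: the Block Public
Access settings, the bucket ACL, and the bucket policy.

This is an added example, not the Amazon Config rules' own code, and it is
deliberately simplified: it ignores NotPrincipal/NotAction/Resource and
treats any fixed-value Condition as restricting, mirroring the note on the
controls that wildcard and policy-variable conditions are not evaluated.
The input dictionaries follow the shape of the GetPublicAccessBlock,
GetBucketAcl and GetBucketPolicy responses; all sample values are constructed.
"""
import fnmatch

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
READ_ACTIONS = ("s3:GetObject", "s3:ListBucket")
WRITE_ACTIONS = ("s3:PutObject", "s3:DeleteObject")


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _acl_grants_public(acl, permissions):
    """True if a grant gives one of `permissions` to AllUsers or AuthenticatedUsers."""
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in (ALL_USERS, AUTH_USERS):
            if grant.get("Permission") in permissions:
                return True
    return False


def _principal_is_everyone(principal):
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def _condition_restricts(condition):
    """Fixed values count as a restriction; wildcard or ${variable} values do not."""
    if not condition:
        return False
    for operator in condition.values():
        for values in operator.values():
            if any("*" in str(v) or "${" in str(v) for v in _as_list(values)):
                return False
    return True


def _policy_grants_public(policy, actions):
    """True if an Allow statement for everyone, without a restricting
    condition, covers any of `actions` (IAM action matching is case-insensitive)."""
    for st in _as_list(policy.get("Statement")):
        if st.get("Effect") != "Allow" or not _principal_is_everyone(st.get("Principal")):
            continue
        if _condition_restricts(st.get("Condition")):
            continue
        patterns = [p.lower() for p in _as_list(st.get("Action"))]
        if any(fnmatch.fnmatchcase(a.lower(), p) for a in actions for p in patterns):
            return True
    return False


def public_access(bpa, acl, policy):
    """Return {'read': bool, 'write': bool}. IgnorePublicAcls neutralises public
    ACL grants; RestrictPublicBuckets neutralises a public bucket policy. The
    other two settings (BlockPublicAcls, BlockPublicPolicy) only stop new public
    grants from being written, so they don't change access that already exists."""
    bpa = bpa or {}
    acl_applies = not bpa.get("IgnorePublicAcls", False)
    policy_applies = not bpa.get("RestrictPublicBuckets", False)
    return {
        "read": (acl_applies and _acl_grants_public(acl, {"READ", "FULL_CONTROL"}))
        or (policy_applies and _policy_grants_public(policy, READ_ACTIONS)),
        "write": (acl_applies and _acl_grants_public(acl, {"WRITE", "FULL_CONTROL"}))
        or (policy_applies and _policy_grants_public(policy, WRITE_ACTIONS)),
    }


# Constructed inputs: all four BPA settings off, a public-read ACL grant, and a
# policy that allows anonymous PutObject behind a wildcard Referer condition.
SAMPLE_BPA = {"BlockPublicAcls": False, "IgnorePublicAcls": False,
              "BlockPublicPolicy": False, "RestrictPublicBuckets": False}
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
]}
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "UploadsFromSite", "Effect": "Allow", "Principal": "*",
    "Action": "s3:PutObject", "Resource": "arn:aws-cn:s3:::amzn-s3-demo-bucket/*",
    "Condition": {"StringLike": {"aws:Referer": "https://*.example.com/*"}},
}]}

if __name__ == "__main__":
    print("as configured:", public_access(SAMPLE_BPA, SAMPLE_ACL, SAMPLE_POLICY))
    locked = {k: True for k in SAMPLE_BPA}
    print("with all BPA settings on:", public_access(locked, SAMPLE_ACL, SAMPLE_POLICY))
```

Only two of the four settings change the verdict here: `IgnorePublicAcls` and `RestrictPublicBuckets` neutralise grants that already exist, while `BlockPublicAcls` and `BlockPublicPolicy` only reject new public grants. That is why [S3.8] later on this page requires all four.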

## [S3.5] S3 general purpose buckets should require requests to use SSL


**Related requirements:** CIS Amazon Foundations Benchmark v5.0.0/2.1.1, CIS Amazon Foundations Benchmark v3.0.0/2.1.1, CIS Amazon Foundations Benchmark v1.4.0/2.1.2, NIST.800-53.r5 AC-17(2), NIST.800-53.r5 AC-4, NIST.800-53.r5 IA-5(1), NIST.800-53.r5 SC-12(3), NIST.800-53.r5 SC-13, NIST.800-53.r5 SC-23, NIST.800-53.r5 SC-23(3), NIST.800-53.r5 SC-7(4), NIST.800-53.r5 SC-8, NIST.800-53.r5 SC-8(1), NIST.800-53.r5 SC-8(2), NIST.800-53.r5 SI-7(6), NIST.800-171.r2 3.13.8, NIST.800-171.r2 3.13.15, PCI DSS v3.2.1/4.1, PCI DSS v4.0.1/4.2.1

**Category:** Protect > Secure access management

**Severity:** Medium

**Resource type:** `AWS::S3::Bucket`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/s3-bucket-ssl-requests-only.html](https://docs.amazonaws.cn/config/latest/developerguide/s3-bucket-ssl-requests-only.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether an Amazon S3 general purpose bucket has a policy that requires requests to use SSL. The control fails if the bucket policy doesn't require requests to use SSL.

S3 buckets should have a bucket policy that denies every request (`Action: s3:*`) that isn't sent over HTTPS. The bucket policy expresses this as a `Deny` statement conditioned on the `aws:SecureTransport` key being `false`.

### Remediation


To update an Amazon S3 bucket policy to deny nonsecure transport, see [Adding a bucket policy by using the Amazon S3 console](https://docs.amazonaws.cn/AmazonS3/latest/userguide/add-bucket-policy.html) in the *Amazon Simple Storage Service User Guide*.

Add a policy statement similar to the one in the following policy. Replace `amzn-s3-demo-bucket` with the name of the bucket you're modifying.

```
{
    "Id": "ExamplePolicy",
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowSSLRequestsOnly",
            "Action": "s3:*",
            "Effect": "Deny",
            "Resource": [
                "arn:aws-cn:s3:::amzn-s3-demo-bucket",
                "arn:aws-cn:s3:::amzn-s3-demo-bucket/*"
            ],
            "Condition": {
                "Bool": {
                    "aws:SecureTransport": "false"
                }
            },
            "Principal": "*"
        }
    ]
}
```

For more information, see [What S3 bucket policy should I use to comply with the Amazon Config rule s3-bucket-ssl-requests-only?](https://www.amazonaws.cn/premiumsupport/knowledge-center/s3-bucket-policy-for-config-rule/) in the *Amazon Official Knowledge Center*.

## [S3.6] S3 general purpose bucket policies should restrict access to other Amazon Web Services accounts


**Related requirements:** NIST.800-53.r5 CA-9(1), NIST.800-53.r5 CM-2, NIST.800-171.r2 3.13.4

**Category:** Protect > Secure access management > Sensitive API operations actions restricted 

**Severity:** High

**Resource type:** `AWS::S3::Bucket`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/s3-bucket-blacklisted-actions-prohibited.html](https://docs.amazonaws.cn/config/latest/developerguide/s3-bucket-blacklisted-actions-prohibited.html)

**Schedule type:** Change triggered

**Parameters:**
+ `blacklistedactionpatterns`: `s3:DeleteBucketPolicy, s3:PutBucketAcl, s3:PutBucketPolicy, s3:PutEncryptionConfiguration, s3:PutObjectAcl` (not customizable)

This control checks whether an Amazon S3 general purpose bucket policy prevents principals from other Amazon Web Services accounts from performing the actions listed in `blacklistedactionpatterns` on the bucket and its objects. The control fails if the bucket policy allows one or more of those actions for a principal in another Amazon Web Services account.

Implementing least privilege access is fundamental to reducing security risk and the impact of errors or malicious intent. The listed actions let an external principal change the bucket's ACL, policy, or encryption configuration, or change object ACLs. A bucket policy that grants them to another account could result in data exfiltration by an insider threat or by an attacker who controls that account.

The `blacklistedactionpatterns` parameter is fixed and defines the only actions the rule evaluates. Bucket policy statements that grant external accounts other actions (for example, `s3:GetObject`) don't cause this control to fail, so a `PASSED` finding doesn't mean the bucket is closed to other accounts.

### Remediation


To update an Amazon S3 bucket policy to remove permissions, see [Adding a bucket policy by using the Amazon S3 console](https://docs.amazonaws.cn/AmazonS3/latest/userguide/add-bucket-policy.html) in the *Amazon Simple Storage Service User Guide*.

On the **Edit bucket policy** page, in the policy editing text box, take one of the following actions:
+ Remove the statements that grant the listed actions to other Amazon Web Services accounts.
+ Remove the listed actions from those statements, leaving only the permissions the external account actually needs.
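The following Python, added here as an example and not taken from either Config rule, applies both policy checks to one bucket policy: `requires_ssl` looks for the SSL-only `Deny` statement that [S3.5] expects (every principal, all S3 actions, both the bucket and its objects, `aws:SecureTransport` false), and `cross_account_sensitive` lists every one of the five actions above that an `Allow` statement grants to a principal outside the bucket owner's account. The policy, account IDs and role name are constructed; `Service` and `Federated` principals are deliberately skipped because they are not other accounts.

```python
"""Two bucket-policy checks, added here as an example and not taken from the
Amazon Config rules: `requires_ssl` is my reading of what [S3.5] expects of a
policy, and `cross_account_sensitive` is my reading of [S3.6]. Statements
follow the IAM policy grammar; the account IDs, bucket name and role name in
the samples are constructed."""
import fnmatch

# The non-customisable blacklistedactionpatterns list from [S3.6].
SENSITIVE_ACTIONS = (
    "s3:DeleteBucketPolicy", "s3:PutBucketAcl", "s3:PutBucketPolicy",
    "s3:PutEncryptionConfiguration", "s3:PutObjectAcl",
)


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    # IAM action names are matched case-insensitively and may contain '*'.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _aws_principals(principal):
    """AWS principals of a statement as strings ('*' for everyone). Service
    and Federated principals are not other accounts, so they are skipped."""
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        return [str(p) for p in _as_list(principal.get("AWS"))]
    return []


def _account_of(principal):
    """Account ID for a bare ID or an IAM ARN; None for '*' (anyone)."""
    if principal.isdigit():
        return principal
    parts = principal.split(":")
    return parts[4] if len(parts) > 5 and parts[2] == "iam" else None


def requires_ssl(policy, bucket_arn):
    """[S3.5]: True if some Deny applies to every principal, covers all S3
    actions on the bucket and on its objects, and is conditioned on
    aws:SecureTransport being false."""
    needed = (bucket_arn, bucket_arn + "/*")
    for st in _as_list(policy.get("Statement")):
        if st.get("Effect") != "Deny" or "*" not in _aws_principals(st.get("Principal")):
            continue
        flag = st.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
        if str(flag).lower() != "false":
            continue
        if not any(p.lower() in ("s3:*", "*") for p in _as_list(st.get("Action"))):
            continue
        resources = _as_list(st.get("Resource"))
        if all(any(fnmatch.fnmatchcase(n, r) for r in resources) for n in needed):
            return True
    return False


def cross_account_sensitive(policy, account_id):
    """[S3.6]: (Sid, principal, action) for every sensitive action an Allow
    statement grants to a principal outside `account_id`."""
    hits = []
    for st in _as_list(policy.get("Statement")):
        if st.get("Effect") != "Allow":
            continue
        for principal in _aws_principals(st.get("Principal")):
            if _account_of(principal) == account_id:
                continue
            for pattern in _as_list(st.get("Action")):
                for action in SENSITIVE_ACTIONS:
                    if _action_matches(pattern, action):
                        hits.append((st.get("Sid"), principal, action))
    return hits


BUCKET_ARN = "arn:aws-cn:s3:::amzn-s3-demo-bucket"
OWN_ACCOUNT = "123456789012"
# Constructed policy: the SSL-only Deny from [S3.5], one in-account grant, and one
# cross-account grant of s3:Put* that [S3.6] would flag.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowSSLRequestsOnly", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    {"Sid": "AppRole", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws-cn:iam::123456789012:role/app"},
     "Action": ["s3:GetObject", "s3:PutObjectAcl"], "Resource": BUCKET_ARN + "/*"},
    {"Sid": "PartnerWrite", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws-cn:iam::111122223333:root"},
     "Action": "s3:Put*", "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"]},
]}

if __name__ == "__main__":
    print("S3.5 requires SSL:", requires_ssl(SAMPLE_POLICY, BUCKET_ARN))
    for hit in cross_account_sensitive(SAMPLE_POLICY, OWN_ACCOUNT):
        print("S3.6 cross-account grant:", hit)
```

Note what the `PartnerWrite` statement shows: a broad `s3:Put*` grant to a partner account fails [S3.6] even though the partner only needed `s3:PutObject`, and a `Deny` that covers only `bucket/*` (objects) but not the bucket ARN itself does not satisfy [S3.5], because bucket-level operations such as `ListBucket` would still be allowed over HTTP.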

## [S3.7] S3 general purpose buckets should use cross-Region replication


**Related requirements:** PCI DSS v3.2.1/2.2, NIST.800-53.r5 AU-9(2), NIST.800-53.r5 CP-10, NIST.800-53.r5 CP-6, NIST.800-53.r5 CP-6(1), NIST.800-53.r5 CP-6(2), NIST.800-53.r5 CP-9, NIST.800-53.r5 SC-36(2), NIST.800-53.r5 SC-5(2), NIST.800-53.r5 SI-13(5)

**Category:** Protect > Secure access management

**Severity:** Low

**Resource type:** `AWS::S3::Bucket`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/s3-bucket-cross-region-replication-enabled.html](https://docs.amazonaws.cn/config/latest/developerguide/s3-bucket-cross-region-replication-enabled.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether an Amazon S3 general purpose bucket has cross-Region replication enabled. The control fails if the bucket doesn't have cross-Region replication enabled.

Replication is the automatic, asynchronous copying of objects across buckets in the same or different Amazon Web Services Regions. Replication copies newly created objects and object updates from a source bucket to a destination bucket or buckets. Amazon best practices recommend replication for source and destination buckets that are owned by the same Amazon Web Services account. Replication addresses availability; in addition, you should apply the other hardening settings on this page to both the source and the destination bucket.

This control produces a `FAILED` finding for a replication destination bucket if that bucket doesn't itself have cross-Region replication enabled. If there's a legitimate reason that the destination bucket doesn't need cross-Region replication, you can suppress findings for this bucket.

### Remediation


To enable Cross-Region Replication on an S3 bucket, see [Configuring replication for source and destination buckets owned by the same account](https://docs.amazonaws.cn/AmazonS3/latest/userguide/replication-walkthrough1.html) in the *Amazon Simple Storage Service User Guide*. For **Source bucket**, choose **Apply to all objects in the bucket**.

## [S3.8] S3 general purpose buckets should block public access


**Related requirements:** CIS Amazon Foundations Benchmark v5.0.0/2.1.4, CIS Amazon Foundations Benchmark v3.0.0/2.1.4, CIS Amazon Foundations Benchmark v1.4.0/2.1.5, NIST.800-53.r5 AC-21, NIST.800-53.r5 AC-3, NIST.800-53.r5 AC-3(7), NIST.800-53.r5 AC-4, NIST.800-53.r5 AC-4(21), NIST.800-53.r5 AC-6, NIST.800-53.r5 SC-7, NIST.800-53.r5 SC-7(11), NIST.800-53.r5 SC-7(16), NIST.800-53.r5 SC-7(20), NIST.800-53.r5 SC-7(21), NIST.800-53.r5 SC-7(3), NIST.800-53.r5 SC-7(4), NIST.800-53.r5 SC-7(9), PCI DSS v4.0.1/1.4.4

**Category:** Protect > Secure access management > Access control

**Severity:** High

**Resource type:** `AWS::S3::Bucket`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/s3-bucket-level-public-access-prohibited.html](https://docs.amazonaws.cn/config/latest/developerguide/s3-bucket-level-public-access-prohibited.html)

**Schedule type:** Change triggered

**Parameters:**
+ `excludedPublicBuckets` (not customizable) – A comma-separated list of known allowed public S3 bucket names

This control checks whether an Amazon S3 general purpose bucket blocks public access at the bucket level. The control fails if any of the following settings are set to `false`:
+ `ignorePublicAcls`
+ `blockPublicPolicy`
+ `blockPublicAcls`
+ `restrictPublicBuckets`

Block Public Access at the S3 bucket level provides controls to ensure that objects never have public access. Public access is granted to buckets and objects through access control lists (ACLs), bucket policies, or both.

Unless you intend to have your S3 buckets publicly accessible, you should configure the bucket level Amazon S3 Block Public Access feature.

### Remediation


For information on how to remove public access at a bucket level, see [Blocking public access to your Amazon S3 storage](https://docs.amazonaws.cn/AmazonS3/latest/dev/access-control-block-public-access.html) in the *Amazon S3 User Guide*.

## [S3.9] S3 general purpose buckets should have server access logging enabled


**Related requirements:** NIST.800-53.r5 AC-2(4), NIST.800-53.r5 AC-4(26), NIST.800-53.r5 AC-6(9), NIST.800-53.r5 AU-10, NIST.800-53.r5 AU-12, NIST.800-53.r5 AU-2, NIST.800-53.r5 AU-3, NIST.800-53.r5 AU-6(3), NIST.800-53.r5 AU-6(4), NIST.800-53.r5 CA-7, NIST.800-53.r5 SC-7(9), NIST.800-53.r5 SI-3(8), NIST.800-53.r5 SI-4(20), NIST.800-53.r5 SI-7(8), NIST.800-171.r2 3.3.8, PCI DSS v4.0.1/10.2.1

**Category:** Identify > Logging

**Severity:** Medium

**Resource type:** `AWS::S3::Bucket`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/s3-bucket-logging-enabled.html](https://docs.amazonaws.cn/config/latest/developerguide/s3-bucket-logging-enabled.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether server access logging is enabled for an Amazon S3 general purpose bucket. The control fails if server access logging isn't enabled. When logging is enabled, Amazon S3 delivers access logs for a source bucket to a chosen target bucket. The target bucket must be in the same Amazon Web Services Region as the source bucket and must not have a default retention period configured. The target logging bucket does not need to have server access logging enabled, and you should suppress findings for this bucket. 

Server access logging provides detailed records of requests made to a bucket. Server access logs can assist in security and access audits. For more information, see [Security Best Practices for Amazon S3: Enable Amazon S3 server access logging](https://docs.amazonaws.cn/AmazonS3/latest/dev/security-best-practices.html).

### Remediation


To enable Amazon S3 server access logging, see [Enabling Amazon S3 server access logging](https://docs.amazonaws.cn/AmazonS3/latest/userguide/enable-server-access-logging.html) in the *Amazon S3 User Guide*.
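Server access logs are only useful if something reads them. The following Python is an added example (not from the Amazon documentation) that parses records in the documented server access log field order and flags two things the controls on this page try to prevent: anonymous object reads and writes, which show that public access is actually being used, and requests that arrived over plain HTTP, which [S3.5] is meant to rule out. The three log lines are constructed, with placeholder IDs, addresses and host IDs.

```python
"""Parse S3 server access log records and flag what the controls on this
page try to prevent: anonymous object reads and writes (public access being
used) and requests that arrived over plain HTTP rather than TLS.

Added example, not part of the Amazon documentation. FIELDS is the documented
server access log field order; the three log lines are constructed, with
placeholder IDs, addresses and host IDs."""
import re

FIELDS = (
    "bucket_owner", "bucket", "time", "remote_ip", "requester", "request_id",
    "operation", "key", "request_uri", "http_status", "error_code", "bytes_sent",
    "object_size", "total_time", "turn_around_time", "referer", "user_agent",
    "version_id", "host_id", "signature_version", "cipher_suite", "auth_type",
    "host_header", "tls_version", "access_point_arn", "acl_required",
)
# A token is a bracketed timestamp, a double-quoted string, or a run of non-space.
TOKEN = re.compile(r'\[[^\]]*\]|"[^"]*"|\S+')
OBJECT_OPS = ("REST.GET.OBJECT", "REST.PUT.OBJECT", "REST.POST.OBJECT", "REST.DELETE.OBJECT")


def parse_record(line):
    """Map one log line onto FIELDS; records with fewer fields (older formats)
    simply leave the trailing keys out."""
    tokens = [t.strip('"').strip("[]") for t in TOKEN.findall(line)]
    return dict(zip(FIELDS, tokens))


def findings(lines):
    out = []
    for line in lines:
        r = parse_record(line)
        # requester is '-' for unauthenticated (anonymous) requests.
        if r.get("requester") == "-" and r.get("operation", "").startswith(OBJECT_OPS):
            out.append(("anonymous-object-access", r["bucket"], r["operation"], r["key"]))
        # For plain-HTTP requests both the cipher suite and the TLS version are '-'.
        if r.get("cipher_suite") == "-" and r.get("tls_version") == "-":
            out.append(("plaintext-http", r["bucket"], r["operation"], r["remote_ip"]))
    return out


OWNER = "79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be"
HOST = "amzn-s3-demo-bucket.s3.cn-north-1.amazonaws.com.cn"
SAMPLE_LOG = [
    # Authenticated SigV4 GET over TLS 1.2: nothing to flag.
    f'{OWNER} amzn-s3-demo-bucket [06/Feb/2019:00:00:38 +0000] 192.0.2.3 {OWNER} '
    f'3E57427F3EXAMPLE REST.GET.OBJECT reports/q1.csv "GET /reports/q1.csv HTTP/1.1" 200 - '
    f'2048 2048 12 10 "-" "aws-cli/2.15.0" - hostidEXAMPLE= SigV4 '
    f'ECDHE-RSA-AES128-GCM-SHA256 AuthHeader {HOST} TLSV1.2 - No',
    # Anonymous GET over plain HTTP: public read in use, and no transport encryption.
    f'{OWNER} amzn-s3-demo-bucket [06/Feb/2019:00:01:02 +0000] 198.51.100.7 - '
    f'7B4A0FABEXAMPLE REST.GET.OBJECT reports/q1.csv "GET /reports/q1.csv HTTP/1.1" 200 - '
    f'2048 2048 9 8 "-" "curl/8.4.0" - hostidEXAMPLE= - - - {HOST} - - No',
    # Anonymous PUT over TLS: public write in use.
    f'{OWNER} amzn-s3-demo-bucket [06/Feb/2019:00:02:15 +0000] 203.0.113.9 - '
    f'1A2B3C4DEXAMPLE REST.PUT.OBJECT uploads/x.bin "PUT /uploads/x.bin HTTP/1.1" 200 - '
    f'- 4096 15 14 "-" "python-requests/2.31" - hostidEXAMPLE= - '
    f'ECDHE-RSA-AES128-GCM-SHA256 - {HOST} TLSV1.2 - No',
]

if __name__ == "__main__":
    for finding in findings(SAMPLE_LOG):
        print(*finding)
```

The tokenizer matters more than it looks: the timestamp contains a space inside its brackets and the request URI and user agent are quoted strings that may contain spaces, so a plain `split()` would shift every later field, including the ones this check relies on.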

## [S3.10] S3 general purpose buckets with versioning enabled should have Lifecycle configurations


**Related requirements:** NIST.800-53.r5 CP-10, NIST.800-53.r5 CP-6(2), NIST.800-53.r5 CP-9, NIST.800-53.r5 SC-5(2), NIST.800-53.r5 SI-13(5)

**Category:** Identify > Logging

**Severity:** Medium

**Resource type:** `AWS::S3::Bucket`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/s3-version-lifecycle-policy-check.html](https://docs.amazonaws.cn/config/latest/developerguide/s3-version-lifecycle-policy-check.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether an Amazon S3 general purpose versioned bucket has a Lifecycle configuration. The control fails if the bucket doesn't have a Lifecycle configuration.

We recommend creating a Lifecycle configuration for your S3 bucket to help you define actions that you want Amazon S3 to take during an object's lifetime. On a versioned bucket this is also how you expire noncurrent object versions, so that versioning doesn't retain superseded data indefinitely.

### Remediation


For more information on configuring lifecycle on an Amazon S3 bucket, see [Setting lifecycle configuration on a bucket](https://docs.amazonaws.cn/AmazonS3/latest/userguide/how-to-set-lifecycle-configuration-intro.html) and [Managing your storage lifecycle](https://docs.amazonaws.cn/AmazonS3/latest/userguide/object-lifecycle-mgmt.html).

## [S3.11] S3 general purpose buckets should have event notifications enabled


**Related requirements:** NIST.800-53.r5 CA-7, NIST.800-53.r5 SI-3(8), NIST.800-53.r5 SI-4, NIST.800-53.r5 SI-4(4), NIST.800-171.r2 3.3.8

**Category:** Identify > Logging

**Severity:** Medium

**Resource type:** `AWS::S3::Bucket`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/s3-event-notifications-enabled.html](https://docs.amazonaws.cn/config/latest/developerguide/s3-event-notifications-enabled.html)

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  `eventTypes`  |  List of preferred S3 event types  |  EnumList (maximum of 28 items)  |  `s3:IntelligentTiering, s3:LifecycleExpiration:*, s3:LifecycleExpiration:Delete, s3:LifecycleExpiration:DeleteMarkerCreated, s3:LifecycleTransition, s3:ObjectAcl:Put, s3:ObjectCreated:*, s3:ObjectCreated:CompleteMultipartUpload, s3:ObjectCreated:Copy, s3:ObjectCreated:Post, s3:ObjectCreated:Put, s3:ObjectRemoved:*, s3:ObjectRemoved:Delete, s3:ObjectRemoved:DeleteMarkerCreated, s3:ObjectRestore:*, s3:ObjectRestore:Completed, s3:ObjectRestore:Delete, s3:ObjectRestore:Post, s3:ObjectTagging:*, s3:ObjectTagging:Delete, s3:ObjectTagging:Put, s3:ReducedRedundancyLostObject, s3:Replication:*, s3:Replication:OperationFailedReplication, s3:Replication:OperationMissedThreshold, s3:Replication:OperationNotTracked, s3:Replication:OperationReplicatedAfterThreshold, s3:TestEvent`  |  No default value  | 

This control checks whether S3 Event Notifications are enabled on an Amazon S3 general purpose bucket. The control fails if S3 Event Notifications are not enabled on the bucket. If you provide custom values for the `eventTypes` parameter, the control passes only if event notifications are enabled for the specified types of events.

When you enable S3 Event Notifications, you receive alerts when specific events occur that impact your S3 buckets. For example, you can be notified of object creation, object removal, and object restoration. These notifications can alert relevant teams to accidental or intentional modifications that may lead to unauthorized data access.

### Remediation


For information about detecting changes to S3 buckets and objects, see [Amazon S3 Event Notifications](https://docs.amazonaws.cn/AmazonS3/latest/userguide/NotificationHowTo.html) in the *Amazon S3 User Guide*.

## [S3.12] ACLs should not be used to manage user access to S3 general purpose buckets


**Related requirements:** NIST.800-53.r5 AC-2(1), NIST.800-53.r5 AC-3, NIST.800-53.r5 AC-3(15), NIST.800-53.r5 AC-3(7), NIST.800-53.r5 AC-6

**Category:** Protect > Secure access management > Access control

**Severity:** Medium

**Resource type:** `AWS::S3::Bucket`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/s3-bucket-acl-prohibited.html](https://docs.amazonaws.cn/config/latest/developerguide/s3-bucket-acl-prohibited.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether an Amazon S3 general purpose bucket provides user permissions with an access control list (ACL). The control fails if an ACL is configured for managing user access on the bucket.

ACLs are legacy access control mechanisms that predate IAM. Instead of ACLs, we recommend using S3 bucket policies or Amazon Identity and Access Management (IAM) policies to manage access to your S3 buckets.

### Remediation


To pass this control, you should disable ACLs for your S3 buckets. For instructions, see [Controlling ownership of objects and disabling ACLs for your bucket](https://docs.amazonaws.cn/AmazonS3/latest/userguide/about-object-ownership.html) in the *Amazon Simple Storage Service User Guide*.

To create an S3 bucket policy, see [Adding a bucket policy by using the Amazon S3 console](https://docs.amazonaws.cn/AmazonS3/latest/userguide/add-bucket-policy.html). To create an IAM user policy on an S3 bucket, see [Controlling access to a bucket with user policies](https://docs.amazonaws.cn/AmazonS3/latest/userguide/walkthrough1.html#walkthrough-grant-user1-permissions).

## [S3.13] S3 general purpose buckets should have Lifecycle configurations


**Related requirements:** NIST.800-53.r5 CP-10, NIST.800-53.r5 CP-6(2), NIST.800-53.r5 CP-9, NIST.800-53.r5 SC-5(2), NIST.800-53.r5 SI-13(5)

**Category:** Protect > Data protection 

**Severity:** Low

**Resource type:** `AWS::S3::Bucket`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/s3-lifecycle-policy-check.html](https://docs.amazonaws.cn/config/latest/developerguide/s3-lifecycle-policy-check.html)

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  `targetTransitionDays`  |  Number of days after object creation when objects are transitioned to a specified storage class  |  Integer  |  `1` to `36500`  |  No default value  | 
|  `targetExpirationDays`  |  Number of days after object creation when objects are deleted  |  Integer  |  `1` to `36500`  |  No default value  | 
|  `targetTransitionStorageClass`  |  Destination S3 storage class type  |  Enum  |  `STANDARD_IA, INTELLIGENT_TIERING, ONEZONE_IA, GLACIER, GLACIER_IR, DEEP_ARCHIVE`  |  No default value  | 

This control checks whether an Amazon S3 general purpose bucket has a Lifecycle configuration. The control fails if the bucket doesn't have a Lifecycle configuration. If you provide custom values for one or more of the preceding parameters, the control passes only if the policy includes the specified storage class, deletion time, or transition time. 

Creating a Lifecycle configuration for your S3 bucket defines actions that you want Amazon S3 to take during an object's lifetime. For example, you can transition objects to another storage class, archive them, or delete them after a specified period of time.

### Remediation


For information about configuring lifecycle policies on an Amazon S3 bucket, see [Setting lifecycle configuration on a bucket](https://docs.amazonaws.cn/AmazonS3/latest/userguide/how-to-set-lifecycle-configuration-intro.html) and see [Managing your storage lifecycle](https://docs.amazonaws.cn/AmazonS3/latest/userguide/object-lifecycle-mgmt.html) in the *Amazon S3 User Guide*.
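As an added example (not from the Amazon documentation), the following Python shows a lifecycle configuration for a versioned bucket that covers both [S3.10] and the optional parameters of [S3.13], together with a small check that mirrors how those parameters narrow the control. The rule IDs and day counts are constructed, and treating the parameters as exact matches is my reading of the parameter table rather than the Config rule's behaviour; the `noncurrent_versions` option is an extra check for versioned buckets that neither control makes.

```python
"""A lifecycle configuration that satisfies [S3.10] (a versioned bucket has a
lifecycle configuration, here one that also cleans up noncurrent versions) and
[S3.13] with its optional parameters, plus a checker that mirrors how those
parameters narrow the control.

Added example. LIFECYCLE follows the PutBucketLifecycleConfiguration request
shape; the rule IDs and day counts are constructed, and the exact-match reading
of the parameters is mine, not the Config rule's code."""

LIFECYCLE = {"Rules": [
    {"ID": "tier-and-expire-current", "Status": "Enabled", "Filter": {"Prefix": ""},
     "Transitions": [{"Days": 30, "StorageClass": "STANDARD_IA"},
                     {"Days": 90, "StorageClass": "GLACIER_IR"}],
     "Expiration": {"Days": 365}},
    # Different action types from the first rule, so the overlapping (empty)
    # prefix filters don't conflict. Bounds the growth that versioning causes.
    {"ID": "clean-up-versioning-residue", "Status": "Enabled", "Filter": {"Prefix": ""},
     "NoncurrentVersionExpiration": {"NoncurrentDays": 30},
     "AbortIncompleteMultipartUpload": {"DaysAfterInitiation": 7}},
]}


def lifecycle_satisfies(config, transition_days=None, expiration_days=None,
                        storage_class=None, noncurrent_versions=False):
    """True if an Enabled rule exists and every parameter that is given is met.
    With no parameters this is just 'has a lifecycle configuration', which is
    what [S3.10] and [S3.13] check when no custom values are set."""
    rules = [r for r in config.get("Rules", []) if r.get("Status") == "Enabled"]
    if not rules:
        return False
    transitions = [t for r in rules for t in r.get("Transitions", [])]
    checks = []
    if transition_days is not None:
        checks.append(any(t.get("Days") == transition_days for t in transitions))
    if storage_class is not None:
        checks.append(any(t.get("StorageClass") == storage_class for t in transitions))
    if expiration_days is not None:
        checks.append(any(r.get("Expiration", {}).get("Days") == expiration_days for r in rules))
    if noncurrent_versions:
        checks.append(any("NoncurrentVersionExpiration" in r for r in rules))
    return all(checks)


if __name__ == "__main__":
    print("any lifecycle:", lifecycle_satisfies(LIFECYCLE))
    print("with S3.13 parameters:", lifecycle_satisfies(
        LIFECYCLE, transition_days=30, storage_class="GLACIER_IR",
        expiration_days=365, noncurrent_versions=True))
```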

## [S3.14] S3 general purpose buckets should have versioning enabled


**Category:** Protect > Data protection > Data deletion protection

**Related requirements:** NIST.800-53.r5 AU-9(2), NIST.800-53.r5 CP-10, NIST.800-53.r5 CP-6, NIST.800-53.r5 CP-6(1), NIST.800-53.r5 CP-6(2), NIST.800-53.r5 CP-9, NIST.800-53.r5 SC-5(2), NIST.800-53.r5 SI-12, NIST.800-53.r5 SI-13(5), NIST.800-171.r2 3.3.8

**Severity:** Low

**Resource type:** `AWS::S3::Bucket`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/s3-bucket-versioning-enabled.html](https://docs.amazonaws.cn/config/latest/developerguide/s3-bucket-versioning-enabled.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether an Amazon S3 general purpose bucket has versioning enabled. The control fails if versioning isn't enabled for the bucket, whether because it was never turned on or because it has been suspended.

Versioning keeps multiple variants of an object in the same S3 bucket. You can use versioning to preserve, retrieve, and restore earlier versions of an object stored in your S3 bucket. Versioning helps you recover from both unintended user actions and application failures.

**Tip**  
As the number of objects increases in a bucket because of versioning, you can set up a Lifecycle configuration to automatically archive or delete versioned objects based on rules. For more information, see [Amazon S3 Lifecycle Management for Versioned Objects](https://amazonaws-china.com/blogs/aws/amazon-s3-lifecycle-management-update/).

### Remediation


To use versioning on an S3 bucket, see [Enabling versioning on buckets](https://docs.amazonaws.cn/AmazonS3/latest/userguide/manage-versioning-examples.html) in the *Amazon S3 User Guide*.

## [S3.15] S3 general purpose buckets should have Object Lock enabled


**Category:** Protect > Data protection > Data deletion protection

**Related requirements:** NIST.800-53.r5 CP-6(2), PCI DSS v4.0.1/10.5.1

**Severity:** Medium

**Resource type:** `AWS::S3::Bucket`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/s3-bucket-default-lock-enabled.html](https://docs.amazonaws.cn/config/latest/developerguide/s3-bucket-default-lock-enabled.html)

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  `mode`  |  S3 Object Lock retention mode  |  Enum  |  `GOVERNANCE`, `COMPLIANCE`  |  No default value  | 

This control checks whether an Amazon S3 general purpose bucket has Object Lock enabled. The control fails if Object Lock isn't enabled for the bucket. If you provide a custom value for the `mode` parameter, the control passes only if S3 Object Lock uses the specified retention mode.

You can use S3 Object Lock to store objects using a write-once-read-many (WORM) model. Object Lock can help prevent objects in S3 buckets from being deleted or overwritten for a fixed amount of time or indefinitely. You can use S3 Object Lock to meet regulatory requirements that require WORM storage, or add an extra layer of protection against object changes and deletion.

### Remediation


To configure Object Lock for new and existing S3 buckets, see [Configuring S3 Object Lock](https://docs.amazonaws.cn/AmazonS3/latest/userguide/object-lock-configure.html) in the *Amazon S3 User Guide*. 

## [S3.17] S3 general purpose buckets should be encrypted at rest with Amazon KMS keys


**Category:** Protect > Data Protection > Encryption of data-at-rest

**Related requirements:** NIST.800-53.r5 SC-12(2), NIST.800-53.r5 CM-3(6), NIST.800-53.r5 SC-13, NIST.800-53.r5 SC-28, NIST.800-53.r5 SC-28(1), NIST.800-53.r5 SC-7(10), NIST.800-53.r5 CA-9(1), NIST.800-53.r5 SI-7(6), NIST.800-53.r5 AU-9, NIST.800-171.r2 3.8.9, NIST.800-171.r2 3.13.11, NIST.800-171.r2 3.13.16, PCI DSS v4.0.1/3.5.1

**Severity:** Medium

**Resource type:** `AWS::S3::Bucket`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/s3-default-encryption-kms.html](https://docs.amazonaws.cn/config/latest/developerguide/s3-default-encryption-kms.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether an Amazon S3 general purpose bucket is encrypted with an Amazon KMS key (SSE-KMS or DSSE-KMS). The control fails if the bucket is encrypted with default encryption (SSE-S3).

Server-side encryption (SSE) is the encryption of data at its destination by the application or service that receives it. Unless you specify otherwise, S3 buckets use Amazon S3 managed keys (SSE-S3) by default for server-side encryption. However, for added control, you can choose to configure buckets to use server-side encryption with Amazon KMS keys (SSE-KMS or DSSE-KMS) instead. Amazon S3 encrypts your data at the object level as it writes it to disks in Amazon data centers and decrypts it for you when you access it.

### Remediation


To encrypt an S3 bucket using SSE-KMS, see [Specifying server-side encryption with Amazon KMS (SSE-KMS)](https://docs.amazonaws.cn/AmazonS3/latest/userguide/specifying-kms-encryption.html) in the *Amazon S3 User Guide*. To encrypt an S3 bucket using DSSE-KMS, see [Specifying dual-layer server-side encryption with Amazon KMS keys (DSSE-KMS)](https://docs.amazonaws.cn/AmazonS3/latest/userguide/specifying-dsse-encryption.html) in the *Amazon S3 User Guide*.

## [S3.19] S3 access points should have block public access settings enabled


**Related requirements:** NIST.800-53.r5 AC-21, NIST.800-53.r5 AC-3, NIST.800-53.r5 AC-3(7), NIST.800-53.r5 AC-4, NIST.800-53.r5 AC-4(21), NIST.800-53.r5 AC-6, NIST.800-53.r5 SC-7, NIST.800-53.r5 SC-7(11), NIST.800-53.r5 SC-7(16), NIST.800-53.r5 SC-7(20), NIST.800-53.r5 SC-7(21), NIST.800-53.r5 SC-7(3), NIST.800-53.r5 SC-7(4), NIST.800-53.r5 SC-7(9), PCI DSS v4.0.1/1.4.4

**Category:** Protect > Secure access management > Resource not publicly accessible

**Severity:** Critical

**Resource type:** `AWS::S3::AccessPoint`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/s3-access-point-public-access-blocks.html](https://docs.amazonaws.cn/config/latest/developerguide/s3-access-point-public-access-blocks.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether an Amazon S3 access point has block public access settings enabled. The control fails if block public access settings aren't enabled for the access point.

The Amazon S3 Block Public Access feature helps you manage access to your S3 resources at three levels: the account, bucket, and access point levels. The settings at each level can be configured independently, allowing you to have different levels of public access restrictions for your data. The access point settings can't individually override the more restrictive settings at higher levels (account level or bucket assigned to the access point). Instead, the settings at the access point level are additive, meaning they complement and work alongside the settings at the other levels. Unless you intend an S3 access point to be publicly accessible, you should enable block public access settings.

### Remediation


Amazon S3 currently doesn't support changing an access point's block public access settings after the access point has been created. All block public access settings are enabled by default when you create a new access point. We recommend that you keep all settings enabled unless you know that you have a specific need to disable any of them. For more information, see [Managing public access to access points](https://docs.amazonaws.cn/AmazonS3/latest/userguide/access-points-bpa-settings.html) in the *Amazon Simple Storage Service User Guide*.

## [S3.20] S3 general purpose buckets should have MFA delete enabled


**Related requirements:** CIS Amazon Foundations Benchmark v5.0.0/2.1.2, CIS Amazon Foundations Benchmark v3.0.0/2.1.2, CIS Amazon Foundations Benchmark v1.4.0/2.1.3, NIST.800-53.r5 CA-9(1), NIST.800-53.r5 CM-2, NIST.800-53.r5 CM-2(2), NIST.800-53.r5 CM-3, NIST.800-53.r5 SC-5(2)

**Category:** Protect > Data protection > Data deletion protection

**Severity:** Low

**Resource type:** `AWS::S3::Bucket`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/s3-bucket-mfa-delete-enabled.html](https://docs.amazonaws.cn/config/latest/developerguide/s3-bucket-mfa-delete-enabled.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether multi-factor authentication (MFA) delete is enabled for an Amazon S3 general purpose bucket. The control fails if MFA delete is not enabled for the bucket. The control doesn't produce findings for buckets that have a lifecycle configuration.

If you enable versioning for an S3 general purpose bucket, you can optionally add another layer of security by configuring MFA delete for the bucket. If you do this, the bucket owner must include two forms of authentication in any request to delete a version of an object in the bucket or change the versioning state of the bucket. MFA delete provides added security if, for example, the bucket owner’s security credentials are compromised. MFA delete can also help prevent accidental bucket deletions by requiring the user who initiates the delete action to prove physical possession of an MFA device with an MFA code, which adds an extra layer of friction and security to the delete action.

**Note**  
This control produces a `PASSED` finding only if MFA delete is enabled for the S3 general purpose bucket. To enable MFA delete for a bucket, versioning must also be enabled for the bucket. Bucket versioning is a method of storing multiple variations of an S3 object in the same bucket. In addition, only the bucket owner who is logged in as a root user can enable MFA delete and perform delete actions on the bucket. You cannot use MFA delete with a bucket that has a lifecycle configuration.

### Remediation


For information about enabling versioning and configuring MFA delete for an S3 bucket, see [Configuring MFA delete](https://docs.amazonaws.cn/AmazonS3/latest/userguide/MultiFactorAuthenticationDelete.html) in the *Amazon Simple Storage Service User Guide*.

## [S3.22] S3 general purpose buckets should log object-level write events


**Related requirements:** CIS Amazon Foundations Benchmark v5.0.0/3.8, CIS Amazon Foundations Benchmark v3.0.0/3.8, PCI DSS v4.0.1/10.2.1

**Category:** Identify > Logging

**Severity:** Medium

**Resource type:** `AWS::::Account`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/cloudtrail-all-write-s3-data-event-check.html](https://docs.amazonaws.cn/config/latest/developerguide/cloudtrail-all-write-s3-data-event-check.html)

**Schedule type:** Periodic

**Parameters:** None

This control checks whether an Amazon Web Services account has at least one Amazon CloudTrail multi-Region trail that logs all write data events for Amazon S3 buckets. The control fails if the account doesn't have a multi-Region trail that logs write data events for S3 buckets.

S3 object-level operations, such as `GetObject`, `DeleteObject`, and `PutObject`, are called data events. By default, CloudTrail doesn't log data events, but you can configure trails to log data events for S3 buckets. When you enable object-level logging for write data events, you can log each individual object (file) access within an S3 bucket. Enabling object-level logging can help you meet data compliance requirements, perform comprehensive security analysis, monitor specific patterns of user behavior in your Amazon Web Services account, and take action on object-level API activity within your S3 buckets by using Amazon CloudWatch Events. This control produces a `PASSED` finding if you configure a multi-Region trail that logs write-only or all types of data events for all S3 buckets.

### Remediation


To enable object-level logging for S3 buckets, see [Enabling CloudTrail event logging for S3 buckets and objects](https://docs.amazonaws.cn/AmazonS3/latest/userguide/enable-cloudtrail-logging-for-s3.html) in the *Amazon Simple Storage Service User Guide*.

## [S3.23] S3 general purpose buckets should log object-level read events


**Related requirements:** CIS Amazon Foundations Benchmark v5.0.0/3.9, CIS Amazon Foundations Benchmark v3.0.0/3.9, PCI DSS v4.0.1/10.2.1

**Category:** Identify > Logging

**Severity:** Medium

**Resource type:** `AWS::::Account`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/cloudtrail-all-read-s3-data-event-check.html](https://docs.amazonaws.cn/config/latest/developerguide/cloudtrail-all-read-s3-data-event-check.html)

**Schedule type:** Periodic

**Parameters:** None

This control checks whether an Amazon Web Services account has at least one Amazon CloudTrail multi-Region trail that logs all read data events for Amazon S3 buckets. The control fails if the account doesn't have a multi-Region trail that logs read data events for S3 buckets.

S3 object-level operations, such as `GetObject`, `DeleteObject`, and `PutObject`, are called data events. By default, CloudTrail doesn't log data events, but you can configure trails to log data events for S3 buckets. When you enable object-level logging for read data events, you can log each individual object (file) access within an S3 bucket. Enabling object-level logging can help you meet data compliance requirements, perform comprehensive security analysis, monitor specific patterns of user behavior in your Amazon Web Services account, and take action on object-level API activity within your S3 buckets by using Amazon CloudWatch Events. This control produces a `PASSED` finding if you configure a multi-Region trail that logs read-only or all types of data events for all S3 buckets.

### Remediation


To enable object-level logging for S3 buckets, see [Enabling CloudTrail event logging for S3 buckets and objects](https://docs.amazonaws.cn/AmazonS3/latest/userguide/enable-cloudtrail-logging-for-s3.html) in the *Amazon Simple Storage Service User Guide*.
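The pass condition shared by S3.22 and S3.23 (at least one multi-Region trail whose event selectors cover all S3 buckets for the required read or write type) can be evaluated offline. The following is an added example, not code from this guide or from Security Hub CSPM; it works on trail records in the shape that boto3's `describe_trails()` and `get_event_selectors()` return, and the sample trails and the `ALL_S3_BUCKETS` selector values are constructed for the example.

```python
"""Evaluate S3.22 (write) and S3.23 (read): at least one multi-Region
CloudTrail trail must log that kind of data event for ALL S3 buckets.

Input records merge a describe_trails() entry with that trail's event
selectors. The sample data below is constructed for this example."""

from typing import Iterable

# Basic event selector values that mean "every S3 bucket". The partition
# prefix differs per Region partition; both are accepted here (assumption).
ALL_S3_BUCKETS = {"arn:aws:s3", "arn:aws:s3:::", "arn:aws-cn:s3", "arn:aws-cn:s3:::"}
S3_OBJECT_TYPE = "AWS::S3::Object"


def _basic_selector_covers(selector: dict, want: str) -> bool:
    """True if a basic event selector logs `want` ('Read' or 'Write') data
    events for all S3 buckets. ReadWriteType 'All' satisfies both controls."""
    rw = selector.get("ReadWriteType", "All")
    if rw not in ("All", f"{want}Only"):
        return False
    for res in selector.get("DataResources", []):
        if res.get("Type") == S3_OBJECT_TYPE and any(
            v in ALL_S3_BUCKETS for v in res.get("Values", [])
        ):
            return True
    return False


def _advanced_selector_covers(selector: dict, want: str) -> bool:
    """Same decision for an advanced event selector: eventCategory=Data,
    resources.type=AWS::S3::Object, no resources.ARN filter (which would
    scope it to particular buckets), and no readOnly filter excluding `want`."""
    fields = {f["Field"]: f for f in selector.get("FieldSelectors", [])}
    if fields.get("eventCategory", {}).get("Equals") != ["Data"]:
        return False
    if fields.get("resources.type", {}).get("Equals") != [S3_OBJECT_TYPE]:
        return False
    if "resources.ARN" in fields:
        return False
    read_only = fields.get("readOnly", {}).get("Equals")
    wanted_flag = "true" if want == "Read" else "false"
    return read_only is None or read_only == [wanted_flag]


def trail_logs_all_s3_data_events(trail: dict, want: str) -> bool:
    """A single-Region trail never satisfies either control."""
    if not trail.get("IsMultiRegionTrail"):
        return False
    if any(_basic_selector_covers(s, want) for s in trail.get("EventSelectors", [])):
        return True
    return any(_advanced_selector_covers(s, want)
               for s in trail.get("AdvancedEventSelectors", []))


def evaluate_account(trails: Iterable[dict]) -> dict:
    """Return the finding status for S3.22 and S3.23 across the account."""
    trails = list(trails)
    write_ok = any(trail_logs_all_s3_data_events(t, "Write") for t in trails)
    read_ok = any(trail_logs_all_s3_data_events(t, "Read") for t in trails)
    return {
        "S3.22": "PASSED" if write_ok else "FAILED",
        "S3.23": "PASSED" if read_ok else "FAILED",
    }


# Constructed sample: a multi-Region trail logging write-only S3 data events
# for all buckets, plus a single-Region trail logging all S3 data events,
# which does not count because the controls require a multi-Region trail.
SAMPLE_TRAILS = [
    {
        "Name": "org-trail",
        "IsMultiRegionTrail": True,
        "EventSelectors": [
            {"ReadWriteType": "WriteOnly", "IncludeManagementEvents": True,
             "DataResources": [{"Type": S3_OBJECT_TYPE, "Values": ["arn:aws:s3"]}]}
        ],
    },
    {
        "Name": "regional-trail",
        "IsMultiRegionTrail": False,
        "AdvancedEventSelectors": [
            {"Name": "all-s3", "FieldSelectors": [
                {"Field": "eventCategory", "Equals": ["Data"]},
                {"Field": "resources.type", "Equals": [S3_OBJECT_TYPE]}]}
        ],
    },
]

if __name__ == "__main__":
    print(evaluate_account(SAMPLE_TRAILS))  # {'S3.22': 'PASSED', 'S3.23': 'FAILED'}
```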

## [S3.24] S3 Multi-Region Access Points should have block public access settings enabled


**Related requirements:** PCI DSS v4.0.1/1.4.4

**Category:** Protect > Secure network configuration > Resources not publicly accessible

**Severity:** High

**Resource type:** `AWS::S3::MultiRegionAccessPoint`

**Amazon Config rule:** `s3-mrap-public-access-blocked` (custom Security Hub CSPM rule)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether an Amazon S3 Multi-Region Access Point has block public access settings enabled. The control fails when the Multi-Region Access Point doesn't have block public access settings enabled.

Publicly accessible resources can lead to unauthorized access, data breaches, or exploitation of vulnerabilities. Restricting access through authentication and authorization measures helps safeguard sensitive information and maintain the integrity of your resources.

### Remediation


By default, all Block Public Access settings are enabled for an S3 Multi-Region Access Point. For more information, see [Blocking public access with Amazon S3 Multi-Region Access Points](https://docs.amazonaws.cn/AmazonS3/latest/userguide/multi-region-access-point-block-public-access.html) in the *Amazon Simple Storage Service User Guide*. You can't change the Block Public Access settings for a Multi-Region Access Point after it has been created.

## [S3.25] S3 directory buckets should have lifecycle configurations


**Category:** Protect > Data Protection

**Severity:** Low

**Resource type:** `AWS::S3Express::DirectoryBucket`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/s3express-dir-bucket-lifecycle-rules-check.html](https://docs.amazonaws.cn/config/latest/developerguide/s3express-dir-bucket-lifecycle-rules-check.html)

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  `targetExpirationDays`  |  The number of days, after object creation, when objects should expire.  |  Integer  |  `1` to `2147483647`  |  No default value  | 

This control checks whether lifecycle rules are configured for an S3 directory bucket. The control fails if lifecycle rules aren't configured for the directory bucket, or a lifecycle rule for the bucket specifies expiration settings that don't match the parameter value that you optionally specify.

In Amazon S3, a lifecycle configuration is a set of rules that define actions for Amazon S3 to apply to a group of objects in a bucket. For an S3 directory bucket, you can create a lifecycle rule that specifies when objects expire based on age (in days). You can also create a lifecycle rule that deletes incomplete multipart uploads. Unlike other types of S3 buckets, such as general purpose buckets, directory buckets do not support other types of actions for lifecycle rules, such as transitioning objects between storage classes.

### Remediation


To define a lifecycle configuration for an S3 directory bucket, create a lifecycle rule for the bucket. For more information, see [Creating and managing a lifecycle configuration for your directory bucket](https://docs.amazonaws.cn/AmazonS3/latest/userguide/directory-bucket-create-lc.html) in the *Amazon Simple Storage Service User Guide*.

# Security Hub CSPM controls for SageMaker AI
Amazon SageMaker AI controls

These Amazon Security Hub CSPM controls evaluate the Amazon SageMaker AI service and resources. The controls might not be available in all Amazon Web Services Regions. For more information, see [Availability of controls by Region](securityhub-regions.md#securityhub-regions-control-support).

## [SageMaker.1] Amazon SageMaker notebook instances should not have direct internet access


**Related requirements:** NIST.800-53.r5 AC-21, NIST.800-53.r5 AC-3, NIST.800-53.r5 AC-3(7), NIST.800-53.r5 AC-4, NIST.800-53.r5 AC-4(21), NIST.800-53.r5 AC-6, NIST.800-53.r5 SC-7, NIST.800-53.r5 SC-7(11), NIST.800-53.r5 SC-7(16), NIST.800-53.r5 SC-7(20), NIST.800-53.r5 SC-7(21), NIST.800-53.r5 SC-7(3), NIST.800-53.r5 SC-7(4), NIST.800-53.r5 SC-7(9), PCI DSS v3.2.1/1.2.1, PCI DSS v3.2.1/1.3.1, PCI DSS v3.2.1/1.3.2, PCI DSS v3.2.1/1.3.4, PCI DSS v3.2.1/1.3.6, PCI DSS v4.0.1/1.4.4

**Category:** Protect > Secure network configuration

**Severity:** High

**Resource type:** `AWS::SageMaker::NotebookInstance`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/sagemaker-notebook-no-direct-internet-access.html](https://docs.amazonaws.cn/config/latest/developerguide/sagemaker-notebook-no-direct-internet-access.html)

**Schedule type:** Periodic

**Parameters:** None

This control checks whether direct internet access is disabled for a SageMaker AI notebook instance. The control fails if the `DirectInternetAccess` field is enabled for the notebook instance.

If you configure your SageMaker AI instance without a VPC, then by default direct internet access is enabled on your instance. You should configure your instance with a VPC and change the default setting to **Disable—Access the internet through a VPC**. To train or host models from a notebook, you need internet access. To enable internet access, your VPC must have either an interface endpoint (Amazon PrivateLink) or a NAT gateway and a security group that allows outbound connections. To learn more about how to connect a notebook instance to resources in a VPC, see [Connect a notebook instance to resources in a VPC](https://docs.amazonaws.cn/sagemaker/latest/dg/appendix-notebook-and-internet-access.html) in the *Amazon SageMaker AI Developer Guide*. You should also ensure that access to your SageMaker AI configuration is limited to only authorized users. Restrict IAM permissions that permit users to change SageMaker AI settings and resources.

### Remediation


You can't change the internet access setting after creating a notebook instance. Instead, you can stop, delete, and recreate the instance with blocked internet access. To delete a notebook instance that permits direct internet access, see [Use notebook instances to build models: Clean up](https://docs.amazonaws.cn/sagemaker/latest/dg/ex1-cleanup.html) in the *Amazon SageMaker AI Developer Guide*. To recreate a notebook instance that denies internet access, see [Create a notebook instance](https://docs.amazonaws.cn/sagemaker/latest/dg/howitworks-create-ws.html). For **Network, Direct internet access**, choose **Disable—Access the internet through a VPC**.

## [SageMaker.2] SageMaker notebook instances should be launched in a custom VPC


**Related requirements:** NIST.800-53.r5 AC-21, NIST.800-53.r5 AC-3, NIST.800-53.r5 AC-3(7), NIST.800-53.r5 AC-4, NIST.800-53.r5 AC-4(21), NIST.800-53.r5 AC-6, NIST.800-53.r5 SC-7, NIST.800-53.r5 SC-7(11), NIST.800-53.r5 SC-7(16), NIST.800-53.r5 SC-7(20), NIST.800-53.r5 SC-7(21), NIST.800-53.r5 SC-7(3), NIST.800-53.r5 SC-7(4), NIST.800-53.r5 SC-7(9)

**Category:** Protect > Secure network configuration > Resources within VPC

**Severity:** High

**Resource type:** `AWS::SageMaker::NotebookInstance`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/sagemaker-notebook-instance-inside-vpc.html](https://docs.amazonaws.cn/config/latest/developerguide/sagemaker-notebook-instance-inside-vpc.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks if an Amazon SageMaker AI notebook instance is launched within a custom virtual private cloud (VPC). This control fails if a SageMaker AI notebook instance is not launched within a custom VPC or if it is launched in the SageMaker AI service VPC.

Subnets are a range of IP addresses within a VPC. We recommend keeping your resources inside a custom VPC whenever possible to ensure secure network protection of your infrastructure. An Amazon VPC is a virtual network dedicated to your Amazon Web Services account. With an Amazon VPC, you can control the network access and internet connectivity of your SageMaker AI Studio and notebook instances.

### Remediation


You can't change the VPC setting after creating a notebook instance. Instead, you can stop, delete, and recreate the instance. For instructions, see [Use notebook instances to build models: Clean up](https://docs.amazonaws.cn/sagemaker/latest/dg/ex1-cleanup.html) in the *Amazon SageMaker AI Developer Guide*.

## [SageMaker.3] Users should not have root access to SageMaker notebook instances


**Related requirements:** NIST.800-53.r5 AC-2(1), NIST.800-53.r5 AC-3(15), NIST.800-53.r5 AC-3(7), NIST.800-53.r5 AC-6, NIST.800-53.r5 AC-6(10), NIST.800-53.r5 AC-6(2)

**Category:** Protect > Secure access management > Root user access restrictions

**Severity:** High

**Resource type:** `AWS::SageMaker::NotebookInstance`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/sagemaker-notebook-instance-root-access-check.html](https://docs.amazonaws.cn/config/latest/developerguide/sagemaker-notebook-instance-root-access-check.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether root access is turned on for an Amazon SageMaker AI notebook instance. The control fails if root access is turned on for a SageMaker AI notebook instance.

In adherence to the principle of least privilege, it is a recommended security best practice to restrict root access to instance resources to avoid unintentionally over-provisioning permissions.

### Remediation


To restrict root access to SageMaker AI notebook instances, see [Control root access to a SageMaker AI notebook instance](https://docs.amazonaws.cn/sagemaker/latest/dg/nbi-root-access.html) in the *Amazon SageMaker AI Developer Guide*.

## [SageMaker.4] SageMaker endpoint production variants should have an initial instance count greater than 1


**Related requirements:** NIST.800-53.r5 CP-10, NIST.800-53.r5 SC-5, NIST.800-53.r5 SC-36, NIST.800-53.r5 SA-13

**Category:** Recover > Resilience > High availability

**Severity:** Medium

**Resource type:** `AWS::SageMaker::EndpointConfig`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/sagemaker-endpoint-config-prod-instance-count.html](https://docs.amazonaws.cn/config/latest/developerguide/sagemaker-endpoint-config-prod-instance-count.html)

**Schedule type:** Periodic

**Parameters:** None

This control checks whether production variants of an Amazon SageMaker AI endpoint have an initial instance count greater than 1. The control fails if the endpoint's production variants have only 1 initial instance.

Production variants running with an instance count greater than 1 permit multi-AZ instance redundancy managed by SageMaker AI. Deploying resources across multiple Availability Zones is an Amazon best practice to provide high availability within your architecture. High availability helps you to recover from security incidents.

**Note**  
This control applies only to instance-based endpoint configuration.

### Remediation


For more information about the parameters of endpoint configuration, see [Create an endpoint configuration](https://docs.amazonaws.cn/sagemaker/latest/dg/serverless-endpoints-create.html#serverless-endpoints-create-config) in the *Amazon SageMaker AI Developer Guide*.

## [SageMaker.5] SageMaker models should have network isolation enabled


**Category:** Protect > Secure network configuration > Resources not publicly accessible

**Severity:** Medium

**Resource type:** `AWS::SageMaker::Model`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/sagemaker-model-isolation-enabled.html](https://docs.amazonaws.cn/config/latest/developerguide/sagemaker-model-isolation-enabled.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether an Amazon SageMaker AI hosted model has network isolation enabled. The control fails if the `EnableNetworkIsolation` parameter for the hosted model is set to `False`.

SageMaker AI training and deployed inference containers are internet-enabled by default. If you don't want SageMaker AI to provide external network access to your training or inference containers, you can enable network isolation. If you enable network isolation, no inbound or outbound network calls can be made to or from the model container, including calls to or from other Amazon Web Services services. Additionally, no Amazon credentials are made available to the container runtime environment. Enabling network isolation helps prevent unintended access to your SageMaker AI resources from the internet.

**Note**  
On August 13, 2025, Security Hub CSPM changed the title and description of this control. The new title and description more accurately reflect that the control checks the setting for the `EnableNetworkIsolation` parameter of Amazon SageMaker AI hosted models. Previously, the title of this control was: *SageMaker models should block inbound traffic*.

### Remediation


For more information about network isolation for SageMaker AI models, see [Run training and inference containers in internet-free mode](https://docs.amazonaws.cn/sagemaker/latest/dg/mkt-algo-model-internet-free.html) in the *Amazon SageMaker AI Developer Guide*. When you create a model, you can enable network isolation by setting the value for the `EnableNetworkIsolation` parameter to `True`.

## [SageMaker.6] SageMaker app image configurations should be tagged


**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `AWS::SageMaker::AppImageConfig`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/sagemaker-app-image-config-tagged.html](https://docs.amazonaws.cn/config/latest/developerguide/sagemaker-app-image-config-tagged.html)

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
| requiredKeyTags | A list of non-system tag keys that must be assigned to an evaluated resource. Tag keys are case sensitive. | StringList (maximum of 6 items) | 1–6 tag keys that meet [Amazon requirements](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-conventions). | No default value | 

This control checks whether an Amazon SageMaker AI app image configuration (`AppImageConfig`) has the tag keys specified by the `requiredKeyTags` parameter. The control fails if the app image configuration doesn't have any tag keys, or it doesn't have all the keys specified by the `requiredKeyTags` parameter. If you don't specify any values for the `requiredKeyTags` parameter, the control checks only for the existence of a tag key and fails if the app image configuration doesn't have any tag keys. The control ignores system tags, which are applied automatically and have the `aws:` prefix.

A tag is a label that you create and assign to an Amazon resource. Each tag consists of a required tag key and an optional tag value. You can use tags to categorize resources by purpose, owner, environment, or other criteria. They can help you identify, organize, search for, and filter resources. They can also help you track resource owners for actions and notifications. You can also use tags to implement attribute-based access control (ABAC) as an authorization strategy. For more information about ABAC strategies, see [Define permissions based on attributes with ABAC authorization](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*. For more information about tags, see the [Tagging Amazon Resources and Tag Editor User Guide](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html).

**Note**  
Do not store personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible from many Amazon Web Services services. They aren't intended to be used for private or sensitive data.

### Remediation


To add tags to an Amazon SageMaker AI app image configuration (`AppImageConfig`), you can use the [AddTags](https://docs.amazonaws.cn/sagemaker/latest/APIReference/API_AddTags.html) operation of the SageMaker AI API or, if you're using the Amazon CLI, run the [add-tags](https://docs.amazonaws.cn/cli/latest/reference/sagemaker/add-tags.html) command.

## [SageMaker.7] SageMaker images should be tagged


**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `AWS::SageMaker::Image`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/sagemaker-image-tagged.html](https://docs.amazonaws.cn/config/latest/developerguide/sagemaker-image-tagged.html)

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
| requiredKeyTags | A list of non-system tag keys that must be assigned to an evaluated resource. Tag keys are case sensitive. | StringList (maximum of 6 items) | 1–6 tag keys that meet [Amazon requirements](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-conventions). | No default value | 

This control checks whether an Amazon SageMaker AI image has the tag keys specified by the `requiredKeyTags` parameter. The control fails if the image doesn't have any tag keys, or it doesn't have all the keys specified by the `requiredKeyTags` parameter. If you don't specify any values for the `requiredKeyTags` parameter, the control checks only for the existence of a tag key and fails if the image doesn't have any tag keys. The control ignores system tags, which are applied automatically and have the `aws:` prefix.

A tag is a label that you create and assign to an Amazon resource. Each tag consists of a required tag key and an optional tag value. You can use tags to categorize resources by purpose, owner, environment, or other criteria. They can help you identify, organize, search for, and filter resources. They can also help you track resource owners for actions and notifications. You can also use tags to implement attribute-based access control (ABAC) as an authorization strategy. For more information about ABAC strategies, see [Define permissions based on attributes with ABAC authorization](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*. For more information about tags, see the [Tagging Amazon Resources and Tag Editor User Guide](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html).

**Note**  
Do not store personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible from many Amazon Web Services services. They aren't intended to be used for private or sensitive data.

### Remediation


To add tags to an Amazon SageMaker AI image, you can use the [AddTags](https://docs.amazonaws.cn/sagemaker/latest/APIReference/API_AddTags.html) operation of the SageMaker AI API or, if you're using the Amazon CLI, run the [add-tags](https://docs.amazonaws.cn/cli/latest/reference/sagemaker/add-tags.html) command.

## [SageMaker.8] SageMaker notebook instances should run on supported platforms


**Category:** Detect > Vulnerability, patch, and version management

**Severity:** Medium

**Resource type:** `AWS::SageMaker::NotebookInstance`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/sagemaker-notebook-instance-platform-version.html](https://docs.amazonaws.cn/config/latest/developerguide/sagemaker-notebook-instance-platform-version.html)

**Schedule type:** Periodic

**Parameters:**
+ `supportedPlatformIdentifierVersions`: `notebook-al2-v3` (not customizable)

This control checks whether an Amazon SageMaker AI notebook instance is configured to run on a supported platform, based on the platform identifier specified for the notebook instance. The control fails if the notebook instance is configured to run on a platform that's no longer supported.

If the platform for an Amazon SageMaker AI notebook instance is no longer supported, it might not receive security patches, bug fixes, or other types of updates. Notebook instances might continue to function, but they won't receive SageMaker AI security updates or critical bug fixes. You assume the risks associated with using an unsupported platform. For more information, see [JupyterLab versioning](https://docs.amazonaws.cn/sagemaker/latest/dg/nbi-jl.html) in the *Amazon SageMaker AI Developer Guide*.

### Remediation


For information about the platforms that Amazon SageMaker AI currently supports and how to migrate to them, see [Amazon Linux 2 notebook instances](https://docs.amazonaws.cn/sagemaker/latest/dg/nbi-al2.html) in the *Amazon SageMaker AI Developer Guide*.

## [SageMaker.9] SageMaker data quality job definitions should have inter-container traffic encryption enabled


**Category:** Protect > Data Protection > Encryption of data-in-transit

**Severity:** Medium

**Resource type:** `AWS::SageMaker::DataQualityJobDefinition`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/sagemaker-data-quality-job-encrypt-in-transit.html](https://docs.amazonaws.cn/config/latest/developerguide/sagemaker-data-quality-job-encrypt-in-transit.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether an Amazon SageMaker AI data quality job definition has encryption enabled for inter-container traffic. The control fails if the definition for a job that monitors data quality and drift does not have encryption enabled for inter-container traffic.

Enabling inter-container traffic encryption protects sensitive ML data during distributed processing for data quality analysis. 

### Remediation


For more information about inter-container traffic encryption for Amazon SageMaker AI, see [Protect Communications Between ML Compute Instances in a Distributed Training Job](https://docs.amazonaws.cn/sagemaker/latest/dg/train-encrypt.html) in the *Amazon SageMaker AI Developer Guide*. When you create a data quality job definition, you can enable inter-container traffic encryption by setting the value for the `EnableInterContainerTrafficEncryption` parameter to `True`.

## [SageMaker.10] SageMaker model explainability job definitions should have inter-container traffic encryption enabled


**Category:** Protect > Data Protection > Encryption of data-in-transit

**Severity:** Medium

**Resource type:** `AWS::SageMaker::ModelExplainabilityJobDefinition`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/sagemaker-model-explainability-job-encrypt-in-transit.html](https://docs.amazonaws.cn/config/latest/developerguide/sagemaker-model-explainability-job-encrypt-in-transit.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether an Amazon SageMaker model explainability job definition has inter-container traffic encryption enabled. The control fails if the model explainability job definition does not have inter-container traffic encryption enabled.

Enabling inter-container traffic encryption protects sensitive ML data such as model data, training datasets, intermediate processing results, parameters and model weights during distributed processing for explainability analysis. 

### Remediation


For an existing SageMaker model explainability job definition, inter-container traffic encryption cannot be updated in place. To create a new SageMaker model explainability job definition with inter-container traffic encryption enabled, use the [API](https://docs.amazonaws.cn/sagemaker/latest/APIReference/API_CreateModelExplainabilityJobDefinition.html), the [CLI](https://docs.amazonaws.cn/cli/latest/reference/sagemaker/create-model-explainability-job-definition.html), or [CloudFormation](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/aws-resource-sagemaker-modelexplainabilityjobdefinition.html) and set `EnableInterContainerTrafficEncryption` in [MonitoringNetworkConfig](https://docs.aws.amazon.com/sagemaker/latest/APIReference/API_MonitoringNetworkConfig.html#API_MonitoringNetworkConfig_Contents) to `True`.

## [SageMaker.11] SageMaker data quality job definitions should have network isolation enabled


**Category:** Protect > Secure network configuration

**Severity:** Medium

**Resource type:** `AWS::SageMaker::DataQualityJobDefinition`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/sagemaker-data-quality-job-isolation.html](https://docs.amazonaws.cn/config/latest/developerguide/sagemaker-data-quality-job-isolation.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether an Amazon SageMaker AI data quality monitoring job definition has network isolation enabled. The control fails if the definition for a job that monitors data quality and drift has network isolation disabled.

Network isolation reduces the attack surface and prevents external access, thereby protecting against unauthorized external access, accidental data exposure, and potential data exfiltration.

### Remediation


For more information about network isolation for SageMaker AI, see [Run training and inference containers in internet-free mode](https://docs.amazonaws.cn/sagemaker/latest/dg/mkt-algo-model-internet-free.html) in the *Amazon SageMaker AI Developer Guide*. When you create a data quality job definition, you can enable network isolation by setting the value for the `EnableNetworkIsolation` parameter to `True`.

## [SageMaker.12] SageMaker model bias job definitions should have network isolation enabled


**Category:** Protect > Secure network configuration > Resources policy configuration

**Severity:** Medium

**Resource type:** `AWS::SageMaker::ModelBiasJobDefinition`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/sagemaker-model-bias-job-isolation.html](https://docs.amazonaws.cn/config/latest/developerguide/sagemaker-model-bias-job-isolation.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether a SageMaker model bias job definition has network isolation enabled. The control fails if the model bias job definition does not have network isolation enabled.

Network isolation prevents SageMaker model bias jobs from communicating with external resources over the internet. By enabling network isolation, you ensure that the job's containers cannot make outbound connections, reducing the attack surface and protecting sensitive data from exfiltration. This is particularly important for jobs processing regulated or sensitive data.

### Remediation


To enable network isolation, you must create a new model bias job definition with the `EnableNetworkIsolation` parameter set to `True`. Network isolation cannot be modified after the job definition is created. To create a new model bias job definition, see [CreateModelBiasJobDefinition](https://docs.amazonaws.cn/sagemaker/latest/APIReference/API_CreateModelBiasJobDefinition.html) in the *Amazon SageMaker AI Developer Guide*.

## [SageMaker.13] SageMaker model quality job definitions should have inter-container traffic encryption enabled


**Category:** Protect > Data Protection > Encryption of data-in-transit

**Severity:** Medium

**Resource type:** `AWS::SageMaker::ModelQualityJobDefinition`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/sagemaker-model-quality-job-encrypt-in-transit.html](https://docs.amazonaws.cn/config/latest/developerguide/sagemaker-model-quality-job-encrypt-in-transit.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether Amazon SageMaker model quality job definitions have encryption in transit enabled for inter-container traffic. The control fails if a model quality job definition does not have inter-container traffic encryption enabled.

Inter-container traffic encryption protects data transmitted between containers during distributed model quality monitoring jobs. By default, inter-container traffic is unencrypted. Enabling encryption helps maintain data confidentiality during processing and supports compliance with regulatory requirements for data in transit protection.

### Remediation


To enable inter-container traffic encryption for your Amazon SageMaker model quality job definition, you must re-create the job definition with the appropriate in-transit encryption configuration. To create a model quality job definition, see [CreateModelQualityJobDefinition](https://docs.amazonaws.cn/sagemaker/latest/APIReference/API_CreateModelQualityJobDefinition.html) in the *Amazon SageMaker AI Developer Guide*.

## [SageMaker.14] SageMaker monitoring schedules should have network isolation enabled


**Category:** Protect > Secure network configuration

**Severity:** Medium

**Resource type:** `AWS::SageMaker::MonitoringSchedule`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/sagemaker-monitoring-schedule-isolation.html](https://docs.amazonaws.cn/config/latest/developerguide/sagemaker-monitoring-schedule-isolation.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether Amazon SageMaker monitoring schedules have network isolation enabled. The control fails if a monitoring schedule has `EnableNetworkIsolation` set to `false` or not configured.

Network isolation prevents monitoring jobs from making outbound network calls, reducing the attack surface by eliminating internet access from containers.

### Remediation


For information about configuring network isolation in the `NetworkConfig` parameter when creating or updating a monitoring schedule, see [CreateMonitoringSchedule](https://docs.amazonaws.cn/sagemaker/latest/APIReference/API_CreateMonitoringSchedule.html) or [UpdateMonitoringSchedule](https://docs.amazonaws.cn/sagemaker/latest/APIReference/API_UpdateMonitoringSchedule.html) in the *Amazon SageMaker AI Developer Guide*.

## [SageMaker.15] SageMaker model bias job definitions should have inter-container traffic encryption enabled


**Category:** Protect > Data Protection > Encryption of data-in-transit

**Severity:** Medium

**Resource type:** `AWS::SageMaker::ModelBiasJobDefinition`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/sagemaker-model-bias-job-encrypt-in-transit.html](https://docs.amazonaws.cn/config/latest/developerguide/sagemaker-model-bias-job-encrypt-in-transit.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether Amazon SageMaker model bias job definitions have inter-container traffic encryption enabled when using multiple compute instances. The control fails if `EnableInterContainerTrafficEncryption` is set to false or is not configured for job definitions with an instance count of 2 or greater.

Inter-container traffic encryption protects data transmitted between compute instances during distributed model bias monitoring jobs. Encryption prevents unauthorized access to model-related information, such as weights, that is transmitted between instances.

### Remediation


To enable inter-container traffic encryption for SageMaker model bias job definitions, set the `EnableInterContainerTrafficEncryption` parameter to `True` when the job definition uses multiple compute instances. For information about protecting communications between ML compute instances, see [Protect Communications Between ML Compute Instances in a Distributed Training Job](https://docs.amazonaws.cn/sagemaker/latest/dg/train-encrypt.html) in the *Amazon SageMaker AI Developer Guide*. 

## [SageMaker.16] SageMaker models should use private registry in VPC for primary containers


**Category:** Protect > Secure network configuration > Resources within VPC

**Severity:** Medium

**Resource type:** `AWS::SageMaker::Model`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/sagemaker-model-private-registry-required.html](https://docs.amazonaws.cn/config/latest/developerguide/sagemaker-model-private-registry-required.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether an Amazon SageMaker AI model pulls the container image for its primary container from a private registry in a VPC. The control fails if no image is configured or if the repository access mode is `Platform`.

Using a private Docker registry in a VPC for SageMaker model containers ensures container images are pulled from trusted, controlled sources within your VPC. Also, it ensures container images are accessed through VPC endpoints, without traversing the public internet.

### Remediation


To configure private Docker registries for SageMaker AI real-time inference containers, see [Use a Private Docker Registry for Real-Time Inference Containers](https://docs.amazonaws.cn/sagemaker/latest/dg/your-algorithms-containers-inference-private.html) in the *Amazon SageMaker AI Developer Guide*.

## [SageMaker.17] SageMaker feature group offline stores should be encrypted with Amazon KMS keys


**Category:** Protect > Data Protection > Encryption of data-at-rest

**Severity:** Medium

**Resource type:** `AWS::SageMaker::FeatureGroup`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/sagemaker-featuregroup-encryption-at-rest.html](https://docs.amazonaws.cn/config/latest/developerguide/sagemaker-featuregroup-encryption-at-rest.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether an Amazon SageMaker offline store for a feature group is encrypted at rest with an Amazon KMS key. The control fails if the offline store S3 storage for a feature group is not encrypted with a KMS key.

Using customer-managed Amazon KMS keys for encryption at rest of SageMaker feature group offline stores provides enhanced security. Customer-managed KMS keys give you full control over the encryption key lifecycle and key policies. Additionally, all encryption key usage can be logged and monitored through Amazon CloudTrail for auditability.

### Remediation


For information on enabling encryption at rest for SageMaker Feature Store offline stores using Amazon KMS customer-managed keys, see [Security and access control](https://docs.amazonaws.cn/sagemaker/latest/dg/feature-store-security.html#feature-store-authorizing-use-cmk-offline-store) in the *Amazon SageMaker AI Developer Guide*.
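The following added example is not part of the Security Hub CSPM documentation or of the Amazon Config rules; it re-implements the pass/fail logic described for SageMaker.14 through SageMaker.17 so that you can check resource descriptions offline, for example when reviewing exported configuration before the controls run. The record shapes follow the SageMaker `DescribeMonitoringSchedule`, `DescribeModelBiasJobDefinition`, `DescribeModel` and `DescribeFeatureGroup` responses; the sample records, names, account IDs and key ARNs are constructed, and the treatment of a feature group without an offline store (passes) is an assumption.

```python
"""Offline evaluation of the SageMaker.14 to SageMaker.17 control logic.

Record shapes follow the SageMaker DescribeMonitoringSchedule,
DescribeModelBiasJobDefinition, DescribeModel and DescribeFeatureGroup
responses. All records below are constructed samples, not real resources.
"""
from typing import Any, Dict, List, Tuple


def sagemaker_14_network_isolation(schedule: Dict[str, Any]) -> bool:
    """PASS only if EnableNetworkIsolation is explicitly true; absent counts as false.
    Assumption: the job definition is inline under MonitoringScheduleConfig."""
    network = (
        schedule.get("MonitoringScheduleConfig", {})
        .get("MonitoringJobDefinition", {})
        .get("NetworkConfig", {})
    )
    return network.get("EnableNetworkIsolation") is True


def sagemaker_15_inter_container_encryption(job_def: Dict[str, Any]) -> bool:
    """Single-instance jobs have no inter-container traffic and pass; jobs with
    2+ instances pass only if EnableInterContainerTrafficEncryption is true."""
    instance_count = (
        job_def.get("JobResources", {}).get("ClusterConfig", {}).get("InstanceCount", 1)
    )
    if instance_count < 2:
        return True
    return job_def.get("NetworkConfig", {}).get("EnableInterContainerTrafficEncryption") is True


def sagemaker_16_private_registry(model: Dict[str, Any]) -> bool:
    """PASS only when the primary container has an image and RepositoryAccessMode
    'Vpc'. A missing ImageConfig defaults to 'Platform' and therefore fails."""
    primary = model.get("PrimaryContainer", {})
    if not primary.get("Image"):
        return False
    return primary.get("ImageConfig", {}).get("RepositoryAccessMode") == "Vpc"


def sagemaker_17_offline_store_kms(feature_group: Dict[str, Any]) -> bool:
    """PASS only when the offline store's S3 storage names a KMS key.
    Assumption: a feature group without an offline store is out of scope and passes."""
    offline = feature_group.get("OfflineStoreConfig")
    if not offline:
        return True
    return bool(offline.get("S3StorageConfig", {}).get("KmsKeyId"))


# Constructed sample records (hypothetical names, account IDs and ARNs).
SCHEDULE_ISOLATED = {
    "MonitoringScheduleName": "quality-schedule-isolated",
    "MonitoringScheduleConfig": {"MonitoringJobDefinition": {
        "NetworkConfig": {"EnableNetworkIsolation": True}}},
}
SCHEDULE_OPEN = {  # encryption set, but isolation never configured: fails SageMaker.14
    "MonitoringScheduleName": "quality-schedule-open",
    "MonitoringScheduleConfig": {"MonitoringJobDefinition": {
        "NetworkConfig": {"EnableInterContainerTrafficEncryption": True}}},
}
BIAS_JOB_SINGLE = {"JobDefinitionName": "bias-single",
                   "JobResources": {"ClusterConfig": {"InstanceCount": 1}}}
BIAS_JOB_MULTI_PLAIN = {"JobDefinitionName": "bias-multi-plain",
                        "JobResources": {"ClusterConfig": {"InstanceCount": 2}},
                        "NetworkConfig": {"EnableInterContainerTrafficEncryption": False}}
BIAS_JOB_MULTI_ENCRYPTED = {"JobDefinitionName": "bias-multi-encrypted",
                            "JobResources": {"ClusterConfig": {"InstanceCount": 3}},
                            "NetworkConfig": {"EnableInterContainerTrafficEncryption": True}}
MODEL_PLATFORM = {"ModelName": "model-public", "PrimaryContainer": {
    "Image": "123456789012.dkr.ecr.us-east-1.amazonaws.com/example:latest"}}  # no ImageConfig
MODEL_VPC = {"ModelName": "model-private", "PrimaryContainer": {
    "Image": "registry.internal.example:5000/example:latest",
    "ImageConfig": {"RepositoryAccessMode": "Vpc"}}}
FEATURE_GROUP_PLAIN = {"FeatureGroupName": "fg-plain", "OfflineStoreConfig": {
    "S3StorageConfig": {"S3Uri": "s3://example-bucket/offline"}}}
FEATURE_GROUP_KMS = {"FeatureGroupName": "fg-kms", "OfflineStoreConfig": {
    "S3StorageConfig": {"S3Uri": "s3://example-bucket/offline",
                        "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/EXAMPLE-KEY-ID"}}}


def evaluate_all() -> Dict[str, List[Tuple[str, bool]]]:
    """Run every sample through its control; returns {control: [(resource, passed)]}."""
    return {
        "SageMaker.14": [(s["MonitoringScheduleName"], sagemaker_14_network_isolation(s))
                         for s in (SCHEDULE_ISOLATED, SCHEDULE_OPEN)],
        "SageMaker.15": [(j["JobDefinitionName"], sagemaker_15_inter_container_encryption(j))
                         for j in (BIAS_JOB_SINGLE, BIAS_JOB_MULTI_PLAIN, BIAS_JOB_MULTI_ENCRYPTED)],
        "SageMaker.16": [(m["ModelName"], sagemaker_16_private_registry(m))
                         for m in (MODEL_PLATFORM, MODEL_VPC)],
        "SageMaker.17": [(f["FeatureGroupName"], sagemaker_17_offline_store_kms(f))
                         for f in (FEATURE_GROUP_PLAIN, FEATURE_GROUP_KMS)],
    }


if __name__ == "__main__":
    for control, results in evaluate_all().items():
        for name, passed in results:
            print(f"{control}: {name}: {'PASSED' if passed else 'FAILED'}")
```

Note that every check treats an absent setting as failing, which mirrors the control text ("set to false or not configured") and avoids passing a resource just because a field was never written.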

# Security Hub CSPM controls for Secrets Manager
Amazon Secrets Manager controls

These Amazon Security Hub CSPM controls evaluate the Amazon Secrets Manager service and resources.

These controls may not be available in all Amazon Web Services Regions. For more information, see [Availability of controls by Region](securityhub-regions.md#securityhub-regions-control-support).

## [SecretsManager.1] Secrets Manager secrets should have automatic rotation enabled


**Related requirements:** NIST.800-53.r5 AC-2(1), NIST.800-53.r5 AC-3(15), PCI DSS v4.0.1/8.6.3, PCI DSS v4.0.1/8.3.9

**Category:** Protect > Secure development

**Severity:** Medium

**Resource type:** `AWS::SecretsManager::Secret`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/secretsmanager-rotation-enabled-check.html](https://docs.amazonaws.cn/config/latest/developerguide/secretsmanager-rotation-enabled-check.html)

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  `maximumAllowedRotationFrequency`  |  Maximum number of days allowed for secret rotation frequency  |  Integer  |  `1` to `365`  |  No default value  | 

This control checks whether a secret stored in Amazon Secrets Manager is configured with automatic rotation. The control fails if the secret isn't configured with automatic rotation. If you provide a custom value for the `maximumAllowedRotationFrequency` parameter, the control passes only if the secret is automatically rotated within the specified window of time.

Secrets Manager helps you improve the security posture of your organization. Secrets include database credentials, passwords, and third-party API keys. You can use Secrets Manager to store secrets centrally, encrypt secrets automatically, control access to secrets, and rotate secrets safely and automatically.

Secrets Manager can rotate secrets. You can use rotation to replace long-term secrets with short-term ones. Rotating your secrets limits how long an unauthorized user can use a compromised secret. For this reason, you should rotate your secrets frequently. To learn more about rotation, see [Rotating your Amazon Secrets Manager secrets](https://docs.amazonaws.cn/secretsmanager/latest/userguide/rotating-secrets.html) in the *Amazon Secrets Manager User Guide*.

### Remediation


To turn on automatic rotation for Secrets Manager secrets, see [Set up automatic rotation for Amazon Secrets Manager secrets using the console](https://docs.amazonaws.cn/secretsmanager/latest/userguide/rotate-secrets_turn-on-for-other.html) in the *Amazon Secrets Manager User Guide*. You must choose and configure an Amazon Lambda function for rotation.

## [SecretsManager.2] Secrets Manager secrets configured with automatic rotation should rotate successfully


**Related requirements:** NIST.800-53.r5 AC-2(1), NIST.800-53.r5 AC-3(15), PCI DSS v4.0.1/8.6.3, PCI DSS v4.0.1/8.3.9

**Category:** Protect > Secure development

**Severity:** Medium

**Resource type:** `AWS::SecretsManager::Secret`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/secretsmanager-scheduled-rotation-success-check.html](https://docs.amazonaws.cn/config/latest/developerguide/secretsmanager-scheduled-rotation-success-check.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether an Amazon Secrets Manager secret rotated successfully based on the rotation schedule. The control fails if `RotationOccurringAsScheduled` is `false`. The control only evaluates secrets that have rotation turned on.

Secrets Manager helps you improve the security posture of your organization. Secrets include database credentials, passwords, and third-party API keys. You can use Secrets Manager to store secrets centrally, encrypt secrets automatically, control access to secrets, and rotate secrets safely and automatically.

Secrets Manager can rotate secrets. You can use rotation to replace long-term secrets with short-term ones. Rotating your secrets limits how long an unauthorized user can use a compromised secret. For this reason, you should rotate your secrets frequently.

In addition to configuring secrets to rotate automatically, you should ensure that those secrets rotate successfully based on the rotation schedule.

To learn more about rotation, see [Rotating your Amazon Secrets Manager secrets](https://docs.amazonaws.cn/secretsmanager/latest/userguide/rotating-secrets.html) in the *Amazon Secrets Manager User Guide*.

### Remediation


If the automatic rotation fails, then Secrets Manager might have encountered errors with the configuration. To rotate secrets in Secrets Manager, you use a Lambda function that defines how to interact with the database or service that owns the secret.

For help diagnosing and fixing common errors related to secrets rotation, see [Troubleshooting Amazon Secrets Manager rotation of secrets](https://docs.amazonaws.cn/secretsmanager/latest/userguide/troubleshoot_rotation.html) in the *Amazon Secrets Manager User Guide*.

## [SecretsManager.3] Remove unused Secrets Manager secrets


**Related requirements:** NIST.800-53.r5 AC-2(1), NIST.800-53.r5 AC-3(15)

**Category:** Protect > Secure access management

**Severity:** Medium

**Resource type:** `AWS::SecretsManager::Secret`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/secretsmanager-secret-unused.html](https://docs.amazonaws.cn/config/latest/developerguide/secretsmanager-secret-unused.html)

**Schedule type:** Periodic

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  `unusedForDays`  |  Maximum number of days that a secret can remain unused  |  Integer  |  `1` to `365`  |  `90`  | 

This control checks whether an Amazon Secrets Manager secret has been accessed within the specified time frame. The control fails if a secret is unused beyond the specified time frame. Unless you provide a custom parameter value for the access period, Security Hub CSPM uses a default value of 90 days.

Deleting unused secrets is as important as rotating secrets. Unused secrets can be abused by their former users, who no longer need access to these secrets. Also, as more users get access to a secret, someone might have mishandled and leaked it to an unauthorized entity, which increases the risk of abuse. Deleting unused secrets helps revoke secret access from users who no longer need it. It also helps to reduce the cost of using Secrets Manager. Therefore, it is essential to routinely delete unused secrets.

### Remediation


To delete inactive Secrets Manager secrets, see [Delete an Amazon Secrets Manager secret](https://docs.amazonaws.cn/secretsmanager/latest/userguide/manage_delete-secret.html) in the *Amazon Secrets Manager User Guide*.

## [SecretsManager.4] Secrets Manager secrets should be rotated within a specified number of days


**Related requirements:** NIST.800-53.r5 AC-2(1), NIST.800-53.r5 AC-3(15), PCI DSS v4.0.1/8.6.3, PCI DSS v4.0.1/8.3.9

**Category:** Protect > Secure access management

**Severity:** Medium

**Resource type:** `AWS::SecretsManager::Secret`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/secretsmanager-secret-periodic-rotation.html](https://docs.amazonaws.cn/config/latest/developerguide/secretsmanager-secret-periodic-rotation.html)

**Schedule type:** Periodic

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  `maxDaysSinceRotation`  |  Maximum number of days that a secret can remain unchanged  |  Integer  |  `1` to `180`  |  `90`  | 

This control checks whether an Amazon Secrets Manager secret is rotated at least once within the specified time frame. The control fails if a secret isn't rotated at least this frequently. Unless you provide a custom parameter value for the rotation period, Security Hub CSPM uses a default value of 90 days.

Rotating secrets can help you to reduce the risk of an unauthorized use of your secrets in your Amazon Web Services account. Examples include database credentials, passwords, third-party API keys, and even arbitrary text. If you do not change your secrets for a long period of time, the secrets are more likely to be compromised.

As more users get access to a secret, it can become more likely that someone mishandled and leaked it to an unauthorized entity. Secrets can be leaked through logs and cache data. They can be shared for debugging purposes and not changed or revoked once the debugging completes. For all these reasons, secrets should be rotated frequently.

You can configure automatic rotation for secrets in Amazon Secrets Manager. With automatic rotation, you can replace long-term secrets with short-term ones, significantly reducing the risk of compromise. We recommend that you configure automatic rotation for your Secrets Manager secrets. For more information, see [Rotating your Amazon Secrets Manager secrets](https://docs.amazonaws.cn/secretsmanager/latest/userguide/rotating-secrets.html) in the *Amazon Secrets Manager User Guide*. 

### Remediation


To turn on automatic rotation for Secrets Manager secrets, see [Set up automatic rotation for Amazon Secrets Manager secrets using the console](https://docs.amazonaws.cn/secretsmanager/latest/userguide/rotate-secrets_turn-on-for-other.html) in the *Amazon Secrets Manager User Guide*. You must choose and configure an Amazon Lambda function for rotation.
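The following added example is not part of the Security Hub CSPM documentation or of the Amazon Config rules; it re-implements the pass/fail logic described for SecretsManager.1 through SecretsManager.4 over `DescribeSecret`-shaped records, so that you can see how the `maximumAllowedRotationFrequency`, `unusedForDays` and `maxDaysSinceRotation` parameters change the outcome. The sample secrets and the fixed clock are constructed. Three points are assumptions rather than documented rule behaviour: the rotation interval is read from `RotationRules.AutomaticallyAfterDays`, `RotationOccurringAsScheduled` is derived as "last rotation no longer ago than that interval", and a secret that was never accessed or never rotated is measured from `CreatedDate`.

```python
"""Offline evaluation of the SecretsManager.1 to SecretsManager.4 control logic.

Record shapes follow the Secrets Manager DescribeSecret response (RotationEnabled,
RotationRules, LastRotatedDate, LastAccessedDate, CreatedDate). The secrets and
the clock below are constructed samples.
"""
from datetime import datetime, timedelta, timezone
from typing import Any, Dict, Optional

NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)  # fixed clock keeps results deterministic


def _days_since(ts: Optional[datetime], now: datetime = NOW) -> Optional[float]:
    """Age of a timestamp in days, or None when the field is absent."""
    return None if ts is None else (now - ts).total_seconds() / 86400


def secretsmanager_1(secret: Dict[str, Any],
                     maximum_allowed_rotation_frequency: Optional[int] = None) -> bool:
    """Rotation must be on; with a custom window the configured interval must fit in it.
    Assumption: the interval comes from RotationRules.AutomaticallyAfterDays; a rule
    that carries only a ScheduleExpression is treated as not fitting."""
    if not secret.get("RotationEnabled"):
        return False
    if maximum_allowed_rotation_frequency is None:
        return True
    interval = secret.get("RotationRules", {}).get("AutomaticallyAfterDays")
    return interval is not None and interval <= maximum_allowed_rotation_frequency


def secretsmanager_2(secret: Dict[str, Any]) -> Optional[bool]:
    """None means not evaluated (rotation is off). Assumed derivation of
    RotationOccurringAsScheduled: the last rotation is no older than the interval."""
    if not secret.get("RotationEnabled"):
        return None
    interval = secret.get("RotationRules", {}).get("AutomaticallyAfterDays")
    age = _days_since(secret.get("LastRotatedDate"))
    if interval is None or age is None:
        return False
    return age <= interval


def secretsmanager_3(secret: Dict[str, Any], unused_for_days: int = 90) -> bool:
    """Fails when the secret has not been accessed within unused_for_days.
    Assumption: a never-accessed secret is measured from CreatedDate."""
    age = _days_since(secret.get("LastAccessedDate"))
    if age is None:
        age = _days_since(secret.get("CreatedDate"))
    return age is not None and age <= unused_for_days


def secretsmanager_4(secret: Dict[str, Any], max_days_since_rotation: int = 90) -> bool:
    """Fails when the secret has gone unrotated longer than max_days_since_rotation.
    Assumption: a never-rotated secret is measured from CreatedDate."""
    age = _days_since(secret.get("LastRotatedDate"))
    if age is None:
        age = _days_since(secret.get("CreatedDate"))
    return age is not None and age <= max_days_since_rotation


def evaluate(secret: Dict[str, Any],
             maximum_allowed_rotation_frequency: Optional[int] = None,
             unused_for_days: int = 90,
             max_days_since_rotation: int = 90) -> Dict[str, Optional[bool]]:
    """All four controls for one secret, using the page's default parameter values."""
    return {
        "SecretsManager.1": secretsmanager_1(secret, maximum_allowed_rotation_frequency),
        "SecretsManager.2": secretsmanager_2(secret),
        "SecretsManager.3": secretsmanager_3(secret, unused_for_days),
        "SecretsManager.4": secretsmanager_4(secret, max_days_since_rotation),
    }


# Constructed sample secrets (hypothetical names).
SECRET_HEALTHY = {
    "Name": "prod/db/app-user",
    "RotationEnabled": True,
    "RotationRules": {"AutomaticallyAfterDays": 30},
    "CreatedDate": NOW - timedelta(days=400),
    "LastRotatedDate": NOW - timedelta(days=12),
    "LastAccessedDate": NOW - timedelta(days=1),
}
SECRET_STALE_ROTATION = {  # rotation is on, but the last rotation was 75 days ago
    "Name": "prod/api/partner-key",
    "RotationEnabled": True,
    "RotationRules": {"AutomaticallyAfterDays": 30},
    "CreatedDate": NOW - timedelta(days=200),
    "LastRotatedDate": NOW - timedelta(days=75),
    "LastAccessedDate": NOW - timedelta(days=3),
}
SECRET_FORGOTTEN = {  # never rotated and never accessed since creation 120 days ago
    "Name": "legacy/ftp/password",
    "RotationEnabled": False,
    "CreatedDate": NOW - timedelta(days=120),
}

if __name__ == "__main__":
    for secret in (SECRET_HEALTHY, SECRET_STALE_ROTATION, SECRET_FORGOTTEN):
        print(secret["Name"], evaluate(secret))
```

The stale secret is the instructive case: SecretsManager.1 passes because rotation is configured, while SecretsManager.2 fails because the rotation is not actually happening, which is exactly the gap the second control exists to close.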

## [SecretsManager.5] Secrets Manager secrets should be tagged


**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `Amazon::SecretsManager::Secret`

**Amazon Config rule:** `tagged-secretsmanager-secret` (custom Security Hub CSPM rule)

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  requiredTagKeys  | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive.  | StringList (maximum of 6 items)  | 1–6 tag keys that meet [Amazon requirements](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-conventions).  |  No default value  | 

This control checks whether an Amazon Secrets Manager secret has tags with the specific keys defined in the parameter `requiredTagKeys`. The control fails if the secret doesn’t have any tag keys or if it doesn’t have all the keys specified in the parameter `requiredTagKeys`. If the parameter `requiredTagKeys` isn't provided, the control only checks for the existence of a tag key and fails if the secret isn't tagged with any key. System tags, which are automatically applied and begin with `aws:`, are ignored.

A tag is a label that you assign to an Amazon resource, and it consists of a key and an optional value. You can create tags to categorize resources by purpose, owner, environment, or other criteria. Tags can help you identify, organize, search for, and filter resources. Tagging also helps you track accountable resource owners for actions and notifications. When you use tagging, you can implement attribute-based access control (ABAC) as an authorization strategy, which defines permissions based on tags. You can attach tags to IAM entities (users or roles) and to Amazon resources. You can create a single ABAC policy or a separate set of policies for your IAM principals. You can design these ABAC policies to allow operations when the principal's tag matches the resource tag. For more information, see [What is ABAC for Amazon?](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*.

**Note**  
Don’t add personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible to many Amazon Web Services services, including Amazon Billing. For more tagging best practices, see [Tagging your Amazon resources](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-best-practices) in the *Amazon Web Services General Reference*.

### Remediation


To add tags to a Secrets Manager secret, see [Tag Amazon Secrets Manager secrets](https://docs.amazonaws.cn/secretsmanager/latest/userguide/managing-secrets_tagging.html) in the *Amazon Secrets Manager User Guide*.

# Security Hub CSPM controls for Amazon Service Catalog
Amazon Service Catalog controls

This Amazon Security Hub CSPM control evaluates the Amazon Service Catalog service and resources. The control might not be available in all Amazon Web Services Regions. For more information, see [Availability of controls by Region](securityhub-regions.md#securityhub-regions-control-support).

## [ServiceCatalog.1] Service Catalog portfolios should be shared within an Amazon organization only


**Related requirements:** NIST.800-53.r5 AC-3, NIST.800-53.r5 AC-4, NIST.800-53.r5 AC-6, NIST.800-53.r5 CM-8, NIST.800-53.r5 SC-7

**Category:** Protect > Secure access management

**Severity:** Medium

**Resource type:** `AWS::ServiceCatalog::Portfolio`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/service-catalog-shared-within-organization.html](https://docs.amazonaws.cn/config/latest/developerguide/service-catalog-shared-within-organization.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether Amazon Service Catalog shares portfolios within an organization when the integration with Amazon Organizations is enabled. The control fails if portfolios aren't shared within an organization.

Portfolio sharing only within Organizations helps ensure that a portfolio isn't shared with incorrect Amazon Web Services accounts. To share a Service Catalog portfolio with an account in an organization, Security Hub CSPM recommends using `ORGANIZATION_MEMBER_ACCOUNT` instead of `ACCOUNT`. This simplifies administration by governing the access granted to the account across the organization. If you have a business need to share Service Catalog portfolios with an external account, you can [automatically suppress the findings](automation-rules.md) from this control or [disable it](disable-controls-overview.md).

### Remediation


To enable portfolio sharing with Amazon Organizations, see [Sharing with Amazon Organizations](https://docs.amazonaws.cn/servicecatalog/latest/adminguide/catalogs_portfolios_sharing_how-to-share.html#portfolio-sharing-organizations) in the *Amazon Service Catalog Administrator Guide*.

# Security Hub CSPM controls for Amazon SES
Amazon Simple Email Service controls

These Amazon Security Hub CSPM controls evaluate the Amazon Simple Email Service (Amazon SES) service and resources.

These controls may not be available in all Amazon Web Services Regions. For more information, see [Availability of controls by Region](securityhub-regions.md#securityhub-regions-control-support).

## [SES.1] SES contact lists should be tagged


**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `Amazon::SES::ContactList`

**Amazon Config rule:** `tagged-ses-contactlist` (custom Security Hub CSPM rule)

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  requiredTagKeys  | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive.  | StringList (maximum of 6 items)  | 1–6 tag keys that meet [Amazon requirements](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-conventions).  | No default value  | 

This control checks whether an Amazon SES contact list has tags with the specific keys defined in the parameter `requiredTagKeys`. The control fails if the contact list doesn’t have any tag keys or if it doesn’t have all the keys specified in the parameter `requiredTagKeys`. If the parameter `requiredTagKeys` isn't provided, the control only checks for the existence of a tag key and fails if the contact list isn't tagged with any key. System tags, which are automatically applied and begin with `aws:`, are ignored.

A tag is a label that you assign to an Amazon resource, and it consists of a key and an optional value. You can create tags to categorize resources by purpose, owner, environment, or other criteria. Tags can help you identify, organize, search for, and filter resources. Tagging also helps you track accountable resource owners for actions and notifications. When you use tagging, you can implement attribute-based access control (ABAC) as an authorization strategy, which defines permissions based on tags. You can attach tags to IAM entities (users or roles) and to Amazon resources. You can create a single ABAC policy or a separate set of policies for your IAM principals. You can design these ABAC policies to allow operations when the principal's tag matches the resource tag. For more information, see [What is ABAC for Amazon?](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*.

**Note**  
Don’t add personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible to many Amazon Web Services services, including Amazon Billing. For more tagging best practices, see [Tagging your Amazon resources](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-best-practices) in the *Amazon Web Services General Reference*.

### Remediation


To add tags to an Amazon SES contact list, see [TagResource](https://docs.amazonaws.cn/ses/latest/APIReference-V2/API_TagResource.html) in the *Amazon SES API v2 Reference*.

## [SES.2] SES configuration sets should be tagged


**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `Amazon::SES::ConfigurationSet`

**Amazon Config rule:** `tagged-ses-configurationset` (custom Security Hub CSPM rule)

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  requiredTagKeys  | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive.  | StringList (maximum of 6 items)  | 1–6 tag keys that meet [Amazon requirements](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-conventions).  | No default value  | 

This control checks whether an Amazon SES configuration set has tags with the specific keys defined in the parameter `requiredTagKeys`. The control fails if the configuration set doesn’t have any tag keys or if it doesn’t have all the keys specified in the parameter `requiredTagKeys`. If the parameter `requiredTagKeys` isn't provided, the control only checks for the existence of a tag key and fails if the configuration set isn't tagged with any key. System tags, which are automatically applied and begin with `aws:`, are ignored.

A tag is a label that you assign to an Amazon resource, and it consists of a key and an optional value. You can create tags to categorize resources by purpose, owner, environment, or other criteria. Tags can help you identify, organize, search for, and filter resources. Tagging also helps you track accountable resource owners for actions and notifications. When you use tagging, you can implement attribute-based access control (ABAC) as an authorization strategy, which defines permissions based on tags. You can attach tags to IAM entities (users or roles) and to Amazon resources. You can create a single ABAC policy or a separate set of policies for your IAM principals. You can design these ABAC policies to allow operations when the principal's tag matches the resource tag. For more information, see [What is ABAC for Amazon?](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*.

**Note**  
Don’t add personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible to many Amazon Web Services services, including Amazon Billing. For more tagging best practices, see [Tagging your Amazon resources](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-best-practices) in the *Amazon Web Services General Reference*.

### Remediation


To add tags to an Amazon SES configuration set, see [TagResource](https://docs.amazonaws.cn/ses/latest/APIReference-V2/API_TagResource.html) in the *Amazon SES API v2 Reference*.

## [SES.3] SES configuration sets should have TLS enabled for sending emails


**Category:** Protect > Data Protection > Encryption of data-in-transit 

**Severity:** Medium

**Resource type:** `Amazon::SES::ConfigurationSet`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/ses-sending-tls-required.html](https://docs.amazonaws.cn/config/latest/developerguide/ses-sending-tls-required.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether an Amazon SES configuration set requires TLS connections. The control fails if the TLS Policy is not set to `'REQUIRE'` for a configuration set.

By default, Amazon SES uses opportunistic TLS, which means emails can be sent unencrypted if a TLS connection cannot be established with the receiving mail server. Enforcing TLS for email sending ensures that messages are only delivered when a secure encrypted connection can be established. This helps protect the confidentiality and integrity of email content during transmission between Amazon SES and the recipient's mail server. If a secure TLS connection cannot be established, the message will not be delivered, preventing potential exposure of sensitive information.

**Note**  
While TLS 1.3 is the default delivery method for Amazon SES, without enforcing TLS requirement through configuration sets, messages could potentially be delivered in plaintext if a TLS connection fails. To pass this control, you must configure the TLS Policy to `'REQUIRE'` in your SES configuration set's delivery options. When TLS is required, messages are only delivered if a TLS connection can be established with the receiving mail server.

### Remediation


To configure Amazon SES to require TLS connections for a configuration set, see [Amazon SES and security protocols](https://docs.amazonaws.cn/ses/latest/dg/security-protocols.html#security-ses-to-receiver) in the *Amazon SES Developer Guide*.

# Security Hub CSPM controls for Amazon SNS
Amazon SNS controls

These Amazon Security Hub CSPM controls evaluate the Amazon Simple Notification Service (Amazon SNS) service and resources. The controls might not be available in all Amazon Web Services Regions. For more information, see [Availability of controls by Region](securityhub-regions.md#securityhub-regions-control-support).

## [SNS.1] SNS topics should be encrypted at-rest using Amazon KMS


**Related requirements:** NIST.800-53.r5 CA-9(1), NIST.800-53.r5 CM-3(6), NIST.800-53.r5 SC-13, NIST.800-53.r5 SC-28, NIST.800-53.r5 SC-28(1), NIST.800-53.r5 SC-7(10), NIST.800-53.r5 SI-7(6), NIST.800-171.r2 3.13.11, NIST.800-171.r2 3.13.16

**Category:** Protect > Data Protection > Encryption of data-at-rest

**Severity:** Medium

**Resource type:** `AWS::SNS::Topic`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/sns-encrypted-kms.html](https://docs.amazonaws.cn/config/latest/developerguide/sns-encrypted-kms.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether an Amazon SNS topic is encrypted at rest using keys managed in Amazon Key Management Service (Amazon KMS). The control fails if the SNS topic doesn't use a KMS key for server-side encryption (SSE). By default, SNS stores messages and files using disk encryption. To pass this control, you must choose to use a KMS key for encryption instead. This adds an additional layer of security and provides more access control flexibility.

Encrypting data at rest reduces the risk of data stored on disk being accessed by a user not authenticated to Amazon. API permissions are required to decrypt the data before it can be read. We recommend encrypting SNS topics with KMS keys for an added layer of security.

### Remediation


To enable SSE for an SNS topic, see [Enabling server-side encryption (SSE) for an Amazon SNS topic](https://docs.amazonaws.cn/sns/latest/dg/sns-enable-encryption-for-topic.html) in the *Amazon Simple Notification Service Developer Guide*. Before you can use SSE, you must also configure Amazon KMS key policies to allow encryption of topics and encryption and decryption of messages. For more information, see [Configuring Amazon KMS permissions](https://docs.amazonaws.cn/sns/latest/dg/sns-key-management.html#sns-what-permissions-for-sse) in the *Amazon Simple Notification Service Developer Guide*.

## [SNS.2] Logging of delivery status should be enabled for notification messages sent to a topic


**Important**  
Security Hub CSPM retired this control in April 2024. For more information, see [Change log for Security Hub CSPM controls](controls-change-log.md).

**Related requirements:** NIST.800-53.r5 AU-12, NIST.800-53.r5 AU-2

**Category:** Identify > Logging

**Severity:** Medium

**Resource type:** `AWS::SNS::Topic`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/sns-topic-message-delivery-notification-enabled.html](https://docs.amazonaws.cn/config/latest/developerguide/sns-topic-message-delivery-notification-enabled.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether logging is enabled for the delivery status of notification messages sent to an Amazon SNS topic for the endpoints. This control fails if the delivery status notification for messages is not enabled.

Logging is an important part of maintaining the reliability, availability, and performance of services. Logging message delivery status helps provide operational insights, such as the following:
+ Knowing whether a message was delivered to the Amazon SNS endpoint.
+ Identifying the response sent from the Amazon SNS endpoint to Amazon SNS.
+ Determining the message dwell time (the time between the publish timestamp and the handoff to an Amazon SNS endpoint).

### Remediation


To configure delivery status logging for a topic, see [Amazon SNS message delivery status](https://docs.amazonaws.cn/sns/latest/dg/sns-topic-attributes.html) in the *Amazon Simple Notification Service Developer Guide*.

## [SNS.3] SNS topics should be tagged


**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `AWS::SNS::Topic`

**Amazon Config rule:** `tagged-sns-topic` (custom Security Hub CSPM rule)

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  requiredTagKeys  | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive.  | StringList (maximum of 6 items)  | 1–6 tag keys that meet [Amazon requirements](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-conventions).  |  No default value  | 

This control checks whether an Amazon SNS topic has tags with the specific keys defined in the parameter `requiredTagKeys`. The control fails if the topic doesn’t have any tag keys or if it doesn’t have all the keys specified in the parameter `requiredTagKeys`. If the parameter `requiredTagKeys` isn't provided, the control only checks for the existence of a tag key and fails if the topic isn't tagged with any key. System tags, which are automatically applied and begin with `aws:`, are ignored.

A tag is a label that you assign to an Amazon resource, and it consists of a key and an optional value. You can create tags to categorize resources by purpose, owner, environment, or other criteria. Tags can help you identify, organize, search for, and filter resources. Tagging also helps you track accountable resource owners for actions and notifications. When you use tagging, you can implement attribute-based access control (ABAC) as an authorization strategy, which defines permissions based on tags. You can attach tags to IAM entities (users or roles) and to Amazon resources. You can create a single ABAC policy or a separate set of policies for your IAM principals. You can design these ABAC policies to allow operations when the principal's tag matches the resource tag. For more information, see [What is ABAC for Amazon?](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*.

**Note**  
Don’t add personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible to many Amazon Web Services services, including Amazon Billing. For more tagging best practices, see [Tagging your Amazon resources](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-best-practices) in the *Amazon Web Services General Reference*.

### Remediation


To add tags to an SNS topic, see [Configuring Amazon SNS topic tags](https://docs.amazonaws.cn/sns/latest/dg/sns-tags-configuring.html) in the *Amazon Simple Notification Service Developer Guide*.

## [SNS.4] SNS topic access policies should not allow public access


**Category:** Protect > Secure network configuration > Resources not publicly accessible

**Severity:** Critical

**Resource type:** `AWS::SNS::Topic`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/sns-topic-no-public-access.html](https://docs.amazonaws.cn/config/latest/developerguide/sns-topic-no-public-access.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks if the Amazon SNS topic access policy allows public access. This control fails if the SNS topic access policy allows public access.

You use an Amazon SNS access policy with a particular topic to restrict who can work with that topic (for example, who can publish messages to it or who can subscribe to it). SNS policies can grant access to other Amazon Web Services accounts, or to users within your own Amazon Web Services account. A wildcard (`*`) in the `Principal` element of the topic policy, combined with no conditions that limit the policy's scope, can let an attacker exfiltrate data, cause a denial of service, or inject unwanted messages into your service.

**Note**  
This control doesn't evaluate policy conditions that use wildcard characters or variables. To produce a `PASSED` finding, conditions in the Amazon SNS access policy for a topic must only use fixed values, which are values that don't contain wildcard characters or policy variables. For information about policy variables, see [Variables and tags](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_policies_variables.html) in the *Amazon Identity and Access Management User Guide*.

### Remediation


To update access policies for an SNS topic, see [Overview of managing access in Amazon SNS](https://docs.amazonaws.cn/sns/latest/dg/sns-overview-of-managing-access.html) in the *Amazon Simple Notification Service Developer Guide*.

# Security Hub CSPM controls for Amazon SQS
Amazon SQS controls

These Amazon Security Hub CSPM controls evaluate the Amazon Simple Queue Service (Amazon SQS) service and resources. The controls might not be available in all Amazon Web Services Regions. For more information, see [Availability of controls by Region](securityhub-regions.md#securityhub-regions-control-support).

## [SQS.1] Amazon SQS queues should be encrypted at rest


**Related requirements:** NIST.800-53.r5 CA-9(1), NIST.800-53.r5 CM-3(6), NIST.800-53.r5 SC-13, NIST.800-53.r5 SC-28, NIST.800-53.r5 SC-28(1), NIST.800-53.r5 SC-7(10), NIST.800-53.r5 SI-7(6)

**Category:** Protect > Data Protection > Encryption of data-at-rest

**Severity:** Medium

**Resource type:** `AWS::SQS::Queue`

**Amazon Config rule:** `sqs-queue-encrypted` (custom Security Hub CSPM rule)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether an Amazon SQS queue is encrypted at rest. The control fails if the queue isn't encrypted with an SQS-managed key (SSE-SQS) or an Amazon Key Management Service (Amazon KMS) key (SSE-KMS).

Encrypting data at rest reduces the risk of an unauthorized user accessing data stored on disk. Server-side encryption (SSE) protects the contents of messages in SQS queues using SQS-managed encryption keys (SSE-SQS) or Amazon KMS keys (SSE-KMS).

### Remediation


To configure SSE for an SQS queue, see [Configuring server-side encryption (SSE) for a queue (console)](https://docs.amazonaws.cn/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-configure-sse-existing-queue.html) in the *Amazon Simple Queue Service Developer Guide*.

## [SQS.2] SQS queues should be tagged


**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `AWS::SQS::Queue`

**Amazon Config rule:** `tagged-sqs-queue` (custom Security Hub CSPM rule)

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  requiredTagKeys  | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive.  | StringList (maximum of 6 items)  | 1–6 tag keys that meet [Amazon requirements](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-conventions).  |  No default value  | 

This control checks whether an Amazon SQS queue has tags with the specific keys defined in the parameter `requiredTagKeys`. The control fails if the queue doesn’t have any tag keys or if it doesn’t have all the keys specified in the parameter `requiredTagKeys`. If the parameter `requiredTagKeys` isn't provided, the control only checks for the existence of a tag key and fails if the queue isn't tagged with any key. System tags, which are automatically applied and begin with `aws:`, are ignored.

A tag is a label that you assign to an Amazon resource, and it consists of a key and an optional value. You can create tags to categorize resources by purpose, owner, environment, or other criteria. Tags can help you identify, organize, search for, and filter resources. Tagging also helps you track accountable resource owners for actions and notifications. When you use tagging, you can implement attribute-based access control (ABAC) as an authorization strategy, which defines permissions based on tags. You can attach tags to IAM entities (users or roles) and to Amazon resources. You can create a single ABAC policy or a separate set of policies for your IAM principals. You can design these ABAC policies to allow operations when the principal's tag matches the resource tag. For more information, see [What is ABAC for Amazon?](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*.

**Note**  
Don’t add personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible to many Amazon Web Services services, including Amazon Billing. For more tagging best practices, see [Tagging your Amazon resources](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-best-practices) in the *Amazon Web Services General Reference*.

### Remediation


To add tags to an existing queue using the Amazon SQS console, see [Configuring cost allocation tags for an Amazon SQS queue (console)](https://docs.amazonaws.cn/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-configure-tag-queue.html) in the *Amazon Simple Queue Service Developer Guide*.

## [SQS.3] SQS queue access policies should not allow public access


**Category:** Protect > Secure access management > Resource not publicly accessible

**Severity:** Critical

**Resource type:** `AWS::SQS::Queue`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/sqs-queue-no-public-access.html](https://docs.amazonaws.cn/config/latest/developerguide/sqs-queue-no-public-access.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether an Amazon SQS access policy allows public access to an SQS queue. The control fails if the access policy allows public access to the queue.

An Amazon SQS access policy can allow public access to an SQS queue, which might allow an anonymous user or any authenticated Amazon IAM identity to access the queue. SQS access policies typically provide this access by specifying the wildcard character (`*`) in the `Principal` element of the policy, not using proper conditions to restrict access to the queue, or both. If an SQS access policy allows public access, third parties might be able to perform tasks such as receive messages from the queue, send messages to the queue, or modify the access policy for the queue. This could result in events such as data exfiltration, a denial of service, or injection of messages into the queue by a threat actor.

**Note**  
This control doesn't evaluate policy conditions that use wildcard characters or variables. To produce a `PASSED` finding, conditions in the Amazon SQS access policy for a queue must only use fixed values, which are values that don't contain wildcard characters or policy variables. For information about policy variables, see [Variables and tags](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_policies_variables.html) in the *Amazon Identity and Access Management User Guide*.

### Remediation


For information about configuring the SQS access policy for an SQS queue, see [Using custom policies with the Amazon SQS Access Policy Language](https://docs.amazonaws.cn/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-creating-custom-policies.html) in the *Amazon Simple Queue Service Developer Guide*.
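The following script is an added example for SNS.4 and SQS.3; it is not the Amazon Config rules' own code. It applies the logic the two controls describe to a resource policy document: an `Allow` statement whose `Principal` is `*` (or `{"AWS": "*"}`) is public unless it carries a `Condition` whose values are all fixed, because, as the notes above say, conditions that use wildcard characters or policy variables are not evaluated. The sample policies, account ID, and ARNs are constructed for the example.

```python
"""Static check in the spirit of SNS.4 / SQS.3 (added example, not the Config
rule's code): flag resource-policy statements that grant access to a wildcard
principal without a fixed-value condition."""
import json
import re

# A policy variable such as ${aws:username}; the controls skip conditions that
# use these, so such a condition must not count as a restriction.
POLICY_VARIABLE = re.compile(r"\$\{[^}]*\}")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_is_wildcard(principal):
    """"*" and {"AWS": "*"} both mean any caller, anonymous or authenticated."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def _value_is_fixed(value):
    text = str(value)
    return "*" not in text and "?" not in text and not POLICY_VARIABLE.search(text)


def _condition_restricts(condition):
    """A Condition block narrows a wildcard principal only when every value in
    it is fixed: no wildcard characters and no policy variables."""
    if not condition:
        return False
    for key_to_values in condition.values():
        for values in key_to_values.values():
            if not all(_value_is_fixed(v) for v in _as_list(values)):
                return False
    return True


def statement_allows_public(statement):
    return (
        statement.get("Effect") == "Allow"
        and _principal_is_wildcard(statement.get("Principal"))
        and not _condition_restricts(statement.get("Condition"))
    )


def public_statement_sids(policy):
    """Sids (or positional labels) of the statements that allow public access."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    return [
        stmt.get("Sid", f"statement[{i}]")
        for i, stmt in enumerate(_as_list(policy.get("Statement", [])))
        if statement_allows_public(stmt)
    ]


def compliance(policy):
    """FAILED if any statement grants public access, otherwise PASSED."""
    return "FAILED" if public_statement_sids(policy) else "PASSED"


# Constructed sample policies; the account ID and ARNs are made up.
PUBLIC_QUEUE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowAnyoneToSend",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "sqs:SendMessage",
        "Resource": "arn:aws-cn:sqs:cn-north-1:111122223333:orders",
    }],
}

SCOPED_TOPIC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowOwnAccountPublishers",
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": "sns:Publish",
        "Resource": "arn:aws-cn:sns:cn-north-1:111122223333:alerts",
        # Fixed value: the only kind of condition the controls honour.
        "Condition": {"StringEquals": {"aws:SourceOwner": "111122223333"}},
    }],
}

WILDCARD_CONDITION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "S3Events",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "sns:Publish",
        "Resource": "arn:aws-cn:sns:cn-north-1:111122223333:alerts",
        # Wildcard in the value: not evaluated, so the statement stays public.
        "Condition": {"ArnLike": {"aws:SourceArn": "arn:aws-cn:s3:::*"}},
    }],
}

if __name__ == "__main__":
    for name, policy in [("public queue", PUBLIC_QUEUE_POLICY),
                         ("scoped topic", SCOPED_TOPIC_POLICY),
                         ("wildcard condition", WILDCARD_CONDITION_POLICY)]:
        print(f"{name}: {compliance(policy)} {public_statement_sids(policy)}")
```

The third sample is the case that surprises people: an `ArnLike` condition on `aws:SourceArn` with a trailing `*` is a common way to let any bucket in an account publish, but because the value isn't fixed the control still reports `FAILED`. To pass, scope the statement with fixed values (for example `aws:SourceAccount` or `aws:SourceOwner`, or a specific ARN). The check is about the form of the condition values only; a fixed-value condition on a key that doesn't identify the caller (such as `aws:SecureTransport`) would pass this script but still leaves the resource effectively public, so review the condition key as well.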

# Security Hub CSPM controls for Step Functions
Amazon Step Functions controls

These Amazon Security Hub CSPM controls evaluate the Amazon Step Functions service and resources.

These controls may not be available in all Amazon Web Services Regions. For more information, see [Availability of controls by Region](securityhub-regions.md#securityhub-regions-control-support).

## [StepFunctions.1] Step Functions state machines should have logging turned on


**Related requirements:** PCI DSS v4.0.1/10.4.2

**Category:** Identify > Logging

**Severity:** Medium

**Resource type:** `AWS::StepFunctions::StateMachine`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/step-functions-state-machine-logging-enabled.html](https://docs.amazonaws.cn/config/latest/developerguide/step-functions-state-machine-logging-enabled.html)

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  `logLevel`  |  Minimum logging level  |  Enum  |  `ALL, ERROR, FATAL`  |  No default value  | 

This control checks whether an Amazon Step Functions state machine has logging turned on. The control fails if a state machine doesn't have logging turned on. If you provide a custom value for the `logLevel` parameter, the control passes only if the state machine has the specified logging level turned on.

Monitoring helps you maintain the reliability, availability, and performance of Step Functions. Collect as much monitoring data as you can from the Amazon Web Services services that you use, so that you can more easily debug multi-point failures. A logging configuration on a Step Functions state machine lets you track execution history and results in Amazon CloudWatch Logs. Optionally, you can log only errors or fatal events.

### Remediation


To turn on logging for a Step Functions state machine, see [Configure logging](https://docs.amazonaws.cn/step-functions/latest/dg/cw-logs.html#monitoring-logging-configure) in the *Amazon Step Functions Developer Guide*.

## [StepFunctions.2] Step Functions activities should be tagged


**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `AWS::StepFunctions::Activity`

**Amazon Config rule:** `tagged-stepfunctions-activity` (custom Security Hub CSPM rule)

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
|  requiredTagKeys  | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive.  | StringList (maximum of 6 items)  | 1–6 tag keys that meet [Amazon requirements](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-conventions).  | No default value  | 

This control checks whether an Amazon Step Functions activity has tags with the specific keys defined in the parameter `requiredTagKeys`. The control fails if the activity doesn’t have any tag keys or if it doesn’t have all the keys specified in the parameter `requiredTagKeys`. If the parameter `requiredTagKeys` isn't provided, the control only checks for the existence of a tag key and fails if the activity isn't tagged with any key. System tags, which are automatically applied and begin with `aws:`, are ignored.

A tag is a label that you assign to an Amazon resource, and it consists of a key and an optional value. You can create tags to categorize resources by purpose, owner, environment, or other criteria. Tags can help you identify, organize, search for, and filter resources. Tagging also helps you track accountable resource owners for actions and notifications. When you use tagging, you can implement attribute-based access control (ABAC) as an authorization strategy, which defines permissions based on tags. You can attach tags to IAM entities (users or roles) and to Amazon resources. You can create a single ABAC policy or a separate set of policies for your IAM principals. You can design these ABAC policies to allow operations when the principal's tag matches the resource tag. For more information, see [What is ABAC for Amazon?](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*.

**Note**  
Don’t add personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible to many Amazon Web Services services, including Amazon Billing. For more tagging best practices, see [Tagging your Amazon resources](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-best-practices) in the *Amazon Web Services General Reference*.

### Remediation


To add tags to a Step Functions activity, see [Tagging in Step Functions](https://docs.amazonaws.cn/step-functions/latest/dg/concepts-tagging.html) in the *Amazon Step Functions Developer Guide*.

# Security Hub CSPM controls for Systems Manager
Amazon Systems Manager controls

These Amazon Security Hub CSPM controls evaluate the Amazon Systems Manager (SSM) service and resources. The controls might not be available in all Amazon Web Services Regions. For more information, see [Availability of controls by Region](securityhub-regions.md#securityhub-regions-control-support).

## [SSM.1] Amazon EC2 instances should be managed by Amazon Systems Manager


**Related requirements:** PCI DSS v3.2.1/2.4, NIST.800-53.r5 CA-9(1), NIST.800-53.r5 CM-2, NIST.800-53.r5 CM-2(2), NIST.800-53.r5 CM-8, NIST.800-53.r5 CM-8(1), NIST.800-53.r5 CM-8(2), NIST.800-53.r5 CM-8(3), NIST.800-53.r5 SA-15(2), NIST.800-53.r5 SA-15(8), NIST.800-53.r5 SA-3, NIST.800-53.r5 SI-2(3)

**Category:** Identify > Inventory

**Severity:** Medium

**Evaluated resource:** `AWS::EC2::Instance`

**Required Amazon Config recording resources:** `AWS::EC2::Instance`, `AWS::SSM::ManagedInstanceInventory`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/ec2-instance-managed-by-systems-manager.html](https://docs.amazonaws.cn/config/latest/developerguide/ec2-instance-managed-by-systems-manager.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether the stopped and running EC2 instances in your account are managed by Amazon Systems Manager. Systems Manager is an Amazon Web Services service that you can use to view and control your Amazon infrastructure.

To help you maintain security and compliance, Systems Manager scans your stopped and running managed instances. A managed instance is a machine that's configured for use with Systems Manager. Systems Manager then reports or takes corrective action on any policy violations that it detects. Systems Manager also helps you configure and maintain your managed instances. To learn more, see the [Amazon Systems Manager User Guide](https://docs.amazonaws.cn/systems-manager/latest/userguide/what-is-systems-manager.html).

**Note**  
This control generates `FAILED` findings for EC2 instances that are Amazon Elastic Disaster Recovery Replication Server instances managed by Amazon. A Replication Server instance is an EC2 Instance that’s automatically launched by Amazon Elastic Disaster Recovery to support continuous data replication from source servers. Amazon intentionally removes the Systems Manager (SSM) Agent from these instances to maintain isolation and help prevent potential unintended access paths.

### Remediation


For information about managing EC2 instances with Amazon Systems Manager, see [Amazon EC2 host management](https://docs.amazonaws.cn/systems-manager/latest/userguide/quick-setup-host-management.html) in the *Amazon Systems Manager User Guide*. In the **Configuration options** section on the Amazon Systems Manager console, you can keep the default settings or change them as necessary for your preferred configuration.

## [SSM.2] Amazon EC2 instances managed by Systems Manager should have a patch compliance status of COMPLIANT after a patch installation


**Related requirements:** NIST.800-53.r5 CM-8(3), NIST.800-53.r5 SI-2, NIST.800-53.r5 SI-2(2), NIST.800-53.r5 SI-2(3), NIST.800-53.r5 SI-2(4), NIST.800-53.r5 SI-2(5), NIST.800-171.r2 3.7.1, PCI DSS v3.2.1/6.2, PCI DSS v4.0.1/2.2.1, PCI DSS v4.0.1/6.3.3

**Category:** Detect > Detection services 

**Severity:** High

**Resource type:** `AWS::SSM::PatchCompliance`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/ec2-managedinstance-patch-compliance-status-check.html](https://docs.amazonaws.cn/config/latest/developerguide/ec2-managedinstance-patch-compliance-status-check.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks the Systems Manager patch compliance status of an instance after a patch installation. The control fails if the status is `NON_COMPLIANT`. The control only evaluates instances that are managed by Systems Manager Patch Manager.

Patching your EC2 instances as required by your organization reduces the attack surface of your Amazon Web Services accounts.

### Remediation


Systems Manager recommends using [patch policies](https://docs.amazonaws.cn/systems-manager/latest/userguide/patch-manager-policies.html) to configure patching for your managed instances. You can also use [Systems Manager documents](https://docs.amazonaws.cn/systems-manager/latest/userguide/patch-manager-ssm-documents.html), as described in the following procedure, to patch an instance.

**To remediate noncompliant patches**

1. Open the Amazon Systems Manager console at [https://console.amazonaws.cn/systems-manager/](https://console.amazonaws.cn/systems-manager/).

1. For **Node Management**, choose **Run Command**, and then choose **Run command**.

1. Choose the option for **AWS-RunPatchBaseline**.

1. Change the **Operation** to **Install**.

1. Choose **Choose instances manually**, and then choose the noncompliant instances.

1. Choose **Run**.

1. After the command is complete, to monitor the new compliance status of your patched instances, choose **Compliance** in the navigation pane.

## [SSM.3] Amazon EC2 instances managed by Systems Manager should have an association compliance status of COMPLIANT


**Related requirements:** NIST.800-53.r5 CA-9(1), NIST.800-53.r5 CM-2, NIST.800-53.r5 CM-2(2), NIST.800-53.r5 CM-8, NIST.800-53.r5 CM-8(1), NIST.800-53.r5 CM-8(3), NIST.800-53.r5 SI-2(3), PCI DSS v3.2.1/2.4, PCI DSS v4.0.1/2.2.1, PCI DSS v4.0.1/6.3.3

**Category:** Detect > Detection services

**Severity:** Low

**Resource type:** `AWS::SSM::AssociationCompliance`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/ec2-managedinstance-association-compliance-status-check.html](https://docs.amazonaws.cn/config/latest/developerguide/ec2-managedinstance-association-compliance-status-check.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether the status of the Amazon Systems Manager association compliance is `COMPLIANT` or `NON_COMPLIANT` after the association is run on an instance. The control fails if the association compliance status is `NON_COMPLIANT`.

A State Manager association is a configuration that is assigned to your managed instances. The configuration defines the state that you want to maintain on your instances. For example, an association can specify that antivirus software must be installed and running on your instances or that certain ports must be closed. 

After you create one or more State Manager associations, compliance status information is immediately available to you. You can view the compliance status in the console or in response to Amazon CLI commands or corresponding Systems Manager API actions. For associations, Configuration Compliance shows the compliance status (`Compliant` or `Non-compliant`). It also shows the severity level assigned to the association, such as `Critical` or `Medium`.

To learn more about State Manager association compliance, see [About State Manager association compliance](https://docs.amazonaws.cn/systems-manager/latest/userguide/sysman-compliance-about.html#sysman-compliance-about-association) in the *Amazon Systems Manager User Guide*.

### Remediation


A failed association can be related to different things, including targets and Systems Manager document names. To remediate this issue, you must first identify and investigate the association by viewing association history. For instructions on viewing association history, see [Viewing association histories](https://docs.amazonaws.cn/systems-manager/latest/userguide/state-manager-associations-history.html) in the *Amazon Systems Manager User Guide*.

After investigating, you can edit the association to correct the identified issue. You can edit an association to specify a new name, schedule, severity level, or targets. After you edit an association, Amazon Systems Manager creates a new version. For instructions on editing an association, see [Editing and creating a new version of an association](https://docs.amazonaws.cn/systems-manager/latest/userguide/state-manager-associations-edit.html) in the *Amazon Systems Manager User Guide*.

## [SSM.4] SSM documents should not be public


**Related requirements:** NIST.800-53.r5 AC-21, NIST.800-53.r5 AC-3, NIST.800-53.r5 AC-3(7), NIST.800-53.r5 AC-4, NIST.800-53.r5 AC-4(21), NIST.800-53.r5 AC-6, NIST.800-53.r5 SC-7, NIST.800-53.r5 SC-7(11), NIST.800-53.r5 SC-7(16), NIST.800-53.r5 SC-7(20), NIST.800-53.r5 SC-7(21), NIST.800-53.r5 SC-7(3), NIST.800-53.r5 SC-7(4), NIST.800-53.r5 SC-7(9)

**Category:** Protect > Secure network configuration > Resources not publicly accessible

**Severity:** Critical

**Resource type:** `AWS::SSM::Document`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/ssm-document-not-public.html](https://docs.amazonaws.cn/config/latest/developerguide/ssm-document-not-public.html)

**Schedule type:** Periodic

**Parameters:** None

This control checks whether Amazon Systems Manager documents that are owned by an account are public. The control fails if Systems Manager documents that have `Self` as the owner are public.

Systems Manager documents that are public might allow unintended access to your documents. A public Systems Manager document can expose valuable information about your account, resources, and internal processes.

Unless your use case requires public sharing, we recommend that you block public sharing for Systems Manager documents that have `Self` as the owner.

### Remediation


For information about configuring sharing for Systems Manager documents, see [Share an SSM document](https://docs.amazonaws.cn/systems-manager/latest/userguide/documents-ssm-sharing.html#ssm-how-to-share) in the *Amazon Systems Manager User Guide*.

## [SSM.5] SSM documents should be tagged


**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `AWS::SSM::Document`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/ssm-document-tagged.html](https://docs.amazonaws.cn/config/latest/developerguide/ssm-document-tagged.html)

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
| requiredKeyTags | A list of non-system tag keys that must be assigned to an evaluated resource. Tag keys are case sensitive. | StringList (maximum of 6 items) | 1–6 tag keys that meet [Amazon requirements](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-conventions). | No default value | 

This control checks whether an Amazon Systems Manager document has the tag keys specified by the `requiredKeyTags` parameter. The control fails if the document doesn't have any tag keys, or it doesn't have all the keys specified by the `requiredKeyTags` parameter. If you don't specify any values for the `requiredKeyTags` parameter, the control checks only for the existence of a tag key and fails if the document doesn't have any tag keys. The control ignores system tags, which are applied automatically and have the `aws:` prefix. The control doesn't evaluate Systems Manager documents that are owned by Amazon.

A tag is a label that you create and assign to an Amazon resource. Each tag consists of a required tag key and an optional tag value. You can use tags to categorize resources by purpose, owner, environment, or other criteria. They can help you identify, organize, search for, and filter resources. They can also help you track resource owners for actions and notifications. You can also use tags to implement attribute-based access control (ABAC) as an authorization strategy. For more information about ABAC strategies, see [Define permissions based on attributes with ABAC authorization](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*. For more information about tags, see the [Tagging Amazon Resources and Tag Editor User Guide](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html).

**Note**  
Do not store personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible from many Amazon Web Services services. They aren't intended to be used for private or sensitive data.

### Remediation


To add tags to an Amazon Systems Manager document, you can use the [AddTagsToResource](https://docs.amazonaws.cn/systems-manager/latest/APIReference/API_AddTagsToResource.html) operation of the Amazon Systems Manager API or, if you're using the Amazon CLI, run the [add-tags-to-resource](https://docs.amazonaws.cn/cli/latest/reference/ssm/add-tags-to-resource.html) command. You can also use the Amazon Systems Manager console.

## [SSM.6] SSM Automation should have CloudWatch logging enabled


**Category:** Identify > Logging

**Severity:** Medium

**Resource type:** `AWS::::Account`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/ssm-automation-logging-enabled.html](https://docs.amazonaws.cn/config/latest/developerguide/ssm-automation-logging-enabled.html)

**Schedule type:** Periodic

**Parameters:** None

This control checks whether Amazon CloudWatch logging is enabled for Amazon Systems Manager (SSM) Automation. The control fails if CloudWatch logging isn't enabled for SSM Automation.

SSM Automation is an Amazon Systems Manager tool that helps you build automated solutions to deploy, configure, and manage Amazon resources at scale using predefined or custom runbooks. To meet operational or security requirements for your organization, you might need to provide a record of the scripts that it runs. You can configure SSM Automation to send the output from `aws:executeScript` actions in your runbooks to an Amazon CloudWatch Logs log group that you specify. With CloudWatch Logs, you can monitor, store, and access log files from various Amazon Web Services services.

### Remediation


For information about enabling CloudWatch logging for SSM Automation, see [Logging Automation action output with CloudWatch Logs](https://docs.amazonaws.cn/systems-manager/latest/userguide/automation-action-logging.html) in the *Amazon Systems Manager User Guide*.

## [SSM.7] SSM documents should have the block public sharing setting enabled


**Category:** Protect > Secure access management > Resource not publicly accessible

**Severity:** Critical

**Resource type:** `AWS::::Account`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/ssm-automation-block-public-sharing.html](https://docs.amazonaws.cn/config/latest/developerguide/ssm-automation-block-public-sharing.html)

**Schedule type:** Periodic

**Parameters:** None

This control checks whether the block public sharing setting is enabled for Amazon Systems Manager documents. The control fails if the block public sharing setting is disabled for Systems Manager documents.

The block public sharing setting for Amazon Systems Manager (SSM) documents is an account-level setting. Enabling this setting can prevent unwanted access to your SSM documents. If you enable this setting, your change doesn't affect any SSM documents that you're currently sharing with the public. Unless your use case requires you to share SSM documents with the public, we recommend that you enable the block public sharing setting. The setting can differ for each Amazon Web Services Region.

### Remediation


For information about enabling the block public sharing setting for Amazon Systems Manager (SSM) documents, see [Block public sharing for SSM documents](https://docs.amazonaws.cn/systems-manager/latest/userguide/documents-ssm-sharing.html#block-public-access) in the *Amazon Systems Manager User Guide*.

# Security Hub CSPM controls for Amazon Transfer Family
Amazon Transfer Family controls

These Amazon Security Hub CSPM controls evaluate the Amazon Transfer Family service and resources. The controls might not be available in all Amazon Web Services Regions. For more information, see [Availability of controls by Region](securityhub-regions.md#securityhub-regions-control-support).

## [Transfer.1] Amazon Transfer Family workflows should be tagged


**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `AWS::Transfer::Workflow`

**Amazon Config rule:** `tagged-transfer-workflow` (custom Security Hub CSPM rule)

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
| requiredTagKeys | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive. | StringList (maximum of 6 items) | 1–6 tag keys that meet [Amazon requirements](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-conventions). | No default value | 

This control checks whether an Amazon Transfer Family workflow has tags with the specific keys defined in the parameter `requiredTagKeys`. The control fails if the workflow doesn’t have any tag keys or if it doesn’t have all the keys specified in the parameter `requiredTagKeys`. If the parameter `requiredTagKeys` isn't provided, the control only checks for the existence of a tag key and fails if the workflow isn't tagged with any key. System tags, which are automatically applied and begin with `aws:`, are ignored.

A tag is a label that you assign to an Amazon resource, and it consists of a key and an optional value. You can create tags to categorize resources by purpose, owner, environment, or other criteria. Tags can help you identify, organize, search for, and filter resources. Tagging also helps you track accountable resource owners for actions and notifications. When you use tagging, you can implement attribute-based access control (ABAC) as an authorization strategy, which defines permissions based on tags. You can attach tags to IAM entities (users or roles) and to Amazon resources. You can create a single ABAC policy or a separate set of policies for your IAM principals. You can design these ABAC policies to allow operations when the principal's tag matches the resource tag. For more information, see [What is ABAC for Amazon?](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*.

**Note**  
Don’t add personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible to many Amazon Web Services services, including Amazon Billing. For more tagging best practices, see [Tagging your Amazon resources](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-best-practices) in the *Amazon Web Services General Reference*.

### Remediation


**To add tags to a Transfer Family workflow (console)**

1. Open the Amazon Transfer Family console.

1. In the navigation pane, choose **Workflows**. Then, select the workflow that you want to tag.

1. Choose **Manage tags**, and then add the tags.

## [Transfer.2] Transfer Family servers should not use FTP protocol for endpoint connection


**Related requirements:** NIST.800-53.r5 CM-7, NIST.800-53.r5 IA-5, NIST.800-53.r5 SC-8, PCI DSS v4.0.1/4.2.1

**Category:** Protect > Data Protection > Encryption of data-in-transit

**Severity:** Medium

**Resource type:** `AWS::Transfer::Server`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/transfer-family-server-no-ftp.html](https://docs.amazonaws.cn/config/latest/developerguide/transfer-family-server-no-ftp.html)

**Schedule type:** Periodic

**Parameters:** None

This control checks whether an Amazon Transfer Family server uses a protocol other than FTP for endpoint connection. The control fails if the server uses FTP protocol for a client to connect to the server's endpoint.

FTP (File Transfer Protocol) establishes the endpoint connection through unencrypted channels, leaving data sent over these channels vulnerable to interception. Using SFTP (SSH File Transfer Protocol), FTPS (File Transfer Protocol Secure), or AS2 (Applicability Statement 2) offers an extra layer of security by encrypting your data in transit and can be used to help prevent potential attackers from using person-in-the-middle or similar attacks to eavesdrop on or manipulate network traffic.

### Remediation


To modify the protocol for a Transfer Family server, see [Edit the file transfer protocols](https://docs.amazonaws.cn/transfer/latest/userguide/edit-server-config.html#edit-protocols) in the *Amazon Transfer Family User Guide*.
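One thing the remediation link leaves to the operator is what to send in the protocol list: removing FTP from a server whose only protocol is FTP would leave it with no protocol at all. The following is an added example, not code from the Security Hub CSPM documentation or from Transfer Family. It evaluates Transfer.2 from copies of the `Server` element that `DescribeServer` returns (the `Protocols` list holds the strings `SFTP`, `FTPS`, `FTP` and `AS2`), and computes the protocol list to pass to `UpdateServer`, substituting FTPS (FTP over TLS, the encrypted counterpart of the page's FTP) when nothing encrypted would remain. The server IDs below are constructed. A server that switches to FTPS additionally needs a certificate configured, which this example does not cover.

```python
"""Transfer.2: flag Transfer Family servers that accept FTP and plan the change.

Added example, not code from the Security Hub CSPM documentation or from
Transfer Family. It runs on constructed copies of DescribeServer output.
"""

UNENCRYPTED = {"FTP"}
ENCRYPTED = {"SFTP", "FTPS", "AS2"}


def evaluate_server(server):
    """Return (status, detail) for one server; FAILED when FTP is enabled."""
    protocols = set(server.get("Protocols", []))
    if protocols & UNENCRYPTED:
        return "FAILED", f"{server['ServerId']} accepts FTP: data in transit is unencrypted"
    return "PASSED", f"{server['ServerId']} uses only {sorted(protocols & ENCRYPTED)}"


def plan_protocols(server):
    """Protocol list to send in UpdateServer so the server stops accepting FTP.

    The order of the remaining protocols is preserved. If FTP was the only
    protocol, FTPS is substituted so the server is not left with an empty
    list (an UpdateServer call with no protocols would be rejected).
    """
    remaining = [p for p in server.get("Protocols", []) if p not in UNENCRYPTED]
    if not remaining:
        remaining = ["FTPS"]
    return remaining


def audit(servers):
    """Evaluate every server and return one finding dict per server."""
    findings = []
    for server in servers:
        status, detail = evaluate_server(server)
        finding = {"server": server["ServerId"], "status": status, "detail": detail}
        if status == "FAILED":
            # Only failed servers get a planned change; passing ones are untouched.
            finding["planned_protocols"] = plan_protocols(server)
        findings.append(finding)
    return findings


# Constructed sample servers (IDs are placeholders, not real DescribeServer output).
SAMPLE_SERVERS = [
    {"ServerId": "s-example1111111111", "Protocols": ["SFTP"]},
    {"ServerId": "s-example2222222222", "Protocols": ["SFTP", "FTP"]},
    {"ServerId": "s-example3333333333", "Protocols": ["FTP"]},
]

if __name__ == "__main__":
    for f in audit(SAMPLE_SERVERS):
        line = f"{f['status']:6} {f['detail']}"
        if "planned_protocols" in f:
            line += f" -> set Protocols to {f['planned_protocols']}"
        print(line)
```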

## [Transfer.3] Transfer Family connectors should have logging enabled


**Related requirements:** NIST.800-53.r5 AC-2(12), NIST.800-53.r5 AC-2(4), NIST.800-53.r5 AC-4(26), NIST.800-53.r5 AC-6(9), NIST.800-53.r5 AU-10, NIST.800-53.r5 AU-12, NIST.800-53.r5 AU-2, NIST.800-53.r5 AU-3, NIST.800-53.r5 AU-6(3), NIST.800-53.r5 AU-6(4), NIST.800-53.r5 AU-9(7), NIST.800-53.r5 CA-7, NIST.800-53.r5 SC-7(9), NIST.800-53.r5 SI-3(8), NIST.800-53.r5 SI-4, NIST.800-53.r5 SI-4(20), NIST.800-53.r5 SI-7(8)

**Category:** Identify > Logging

**Severity:** Medium

**Resource type:** `AWS::Transfer::Connector`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/transfer-connector-logging-enabled.html](https://docs.amazonaws.cn/config/latest/developerguide/transfer-connector-logging-enabled.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether Amazon CloudWatch logging is enabled for an Amazon Transfer Family connector. The control fails if CloudWatch logging isn't enabled for the connector.

Amazon CloudWatch is a monitoring and observability service that provides visibility into your Amazon resources, including Amazon Transfer Family resources. For Transfer Family, CloudWatch provides consolidated auditing and logging for workflow progress and results. This includes several metrics that Transfer Family defines for workflows. You can configure Transfer Family to automatically log connector events in CloudWatch. To do this, you specify a logging role for the connector. For the logging role, you create an IAM role and a resource-based IAM policy that defines the permissions for the role.

### Remediation


For information about enabling CloudWatch logging for a Transfer Family connector, see [Amazon CloudWatch logging for Amazon Transfer Family servers](https://docs.amazonaws.cn/transfer/latest/userguide/structured-logging.html) in the *Amazon Transfer Family User Guide*.

## [Transfer.4] Transfer Family agreements should be tagged


**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `AWS::Transfer::Agreement`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/transfer-agreement-tagged.html](https://docs.amazonaws.cn/config/latest/developerguide/transfer-agreement-tagged.html)

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
| requiredKeyTags | A list of non-system tag keys that must be assigned to an evaluated resource. Tag keys are case sensitive. | StringList (maximum of 6 items) | 1–6 tag keys that meet [Amazon requirements](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-conventions). | No default value | 

This control checks whether an Amazon Transfer Family agreement has the tag keys specified by the `requiredKeyTags` parameter. The control fails if the agreement doesn't have any tag keys, or it doesn't have all the keys specified by the `requiredKeyTags` parameter. If you don't specify any values for the `requiredKeyTags` parameter, the control checks only for the existence of a tag key and fails if the agreement doesn't have any tag keys. The control ignores system tags, which are applied automatically and have the `aws:` prefix.

A tag is a label that you create and assign to an Amazon resource. Each tag consists of a required tag key and an optional tag value. You can use tags to categorize resources by purpose, owner, environment, or other criteria. They can help you identify, organize, search for, and filter resources. They can also help you track resource owners for actions and notifications. You can also use tags to implement attribute-based access control (ABAC) as an authorization strategy. For more information about ABAC strategies, see [Define permissions based on attributes with ABAC authorization](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*. For more information about tags, see the [Tagging Amazon Resources and Tag Editor User Guide](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html).

**Note**  
Do not store personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible from many Amazon Web Services services. They aren't intended to be used for private or sensitive data.

### Remediation


For information about adding tags to an Amazon Transfer Family agreement, see [Resource tagging methods](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#intro-tag-methods) in the *Tagging Amazon Resources and Tag Editor User Guide*.

## [Transfer.5] Transfer Family certificates should be tagged


**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `AWS::Transfer::Certificate`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/transfer-certificate-tagged.html](https://docs.amazonaws.cn/config/latest/developerguide/transfer-certificate-tagged.html)

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
| requiredKeyTags | A list of non-system tag keys that must be assigned to an evaluated resource. Tag keys are case sensitive. | StringList (maximum of 6 items) | 1–6 tag keys that meet [Amazon requirements](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-conventions). | No default value | 

This control checks whether an Amazon Transfer Family certificate has the tag keys specified by the `requiredKeyTags` parameter. The control fails if the certificate doesn't have any tag keys, or it doesn't have all the keys specified by the `requiredKeyTags` parameter. If you don't specify any values for the `requiredKeyTags` parameter, the control checks only for the existence of a tag key and fails if the certificate doesn't have any tag keys. The control ignores system tags, which are applied automatically and have the `aws:` prefix.

A tag is a label that you create and assign to an Amazon resource. Each tag consists of a required tag key and an optional tag value. You can use tags to categorize resources by purpose, owner, environment, or other criteria. They can help you identify, organize, search for, and filter resources. They can also help you track resource owners for actions and notifications. You can also use tags to implement attribute-based access control (ABAC) as an authorization strategy. For more information about ABAC strategies, see [Define permissions based on attributes with ABAC authorization](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*. For more information about tags, see the [Tagging Amazon Resources and Tag Editor User Guide](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html).

**Note**  
Do not store personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible from many Amazon Web Services services. They aren't intended to be used for private or sensitive data.

### Remediation


For information about adding tags to an Amazon Transfer Family certificate, see [Resource tagging methods](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#intro-tag-methods) in the *Tagging Amazon Resources and Tag Editor User Guide*.

## [Transfer.6] Transfer Family connectors should be tagged


**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `AWS::Transfer::Connector`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/transfer-connector-tagged.html](https://docs.amazonaws.cn/config/latest/developerguide/transfer-connector-tagged.html)

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
| requiredKeyTags | A list of non-system tag keys that must be assigned to an evaluated resource. Tag keys are case sensitive. | StringList (maximum of 6 items) | 1–6 tag keys that meet [Amazon requirements](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-conventions). | No default value | 

This control checks whether an Amazon Transfer Family connector has the tag keys specified by the `requiredKeyTags` parameter. The control fails if the connector doesn't have any tag keys, or it doesn't have all the keys specified by the `requiredKeyTags` parameter. If you don't specify any values for the `requiredKeyTags` parameter, the control checks only for the existence of a tag key and fails if the connector doesn't have any tag keys. The control ignores system tags, which are applied automatically and have the `aws:` prefix.

A tag is a label that you create and assign to an Amazon resource. Each tag consists of a required tag key and an optional tag value. You can use tags to categorize resources by purpose, owner, environment, or other criteria. They can help you identify, organize, search for, and filter resources. They can also help you track resource owners for actions and notifications. You can also use tags to implement attribute-based access control (ABAC) as an authorization strategy. For more information about ABAC strategies, see [Define permissions based on attributes with ABAC authorization](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*. For more information about tags, see the [Tagging Amazon Resources and Tag Editor User Guide](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html).

**Note**  
Do not store personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible from many Amazon Web Services services. They aren't intended to be used for private or sensitive data.

### Remediation


For information about adding tags to an Amazon Transfer Family connector, see [Resource tagging methods](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#intro-tag-methods) in the *Tagging Amazon Resources and Tag Editor User Guide*.

## [Transfer.7] Transfer Family profiles should be tagged


**Category:** Identify > Inventory > Tagging

**Severity:** Low

**Resource type:** `AWS::Transfer::Profile`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/transfer-profile-tagged.html](https://docs.amazonaws.cn/config/latest/developerguide/transfer-profile-tagged.html)

**Schedule type:** Change triggered

**Parameters:**


| Parameter | Description | Type | Allowed custom values | Security Hub CSPM default value | 
| --- | --- | --- | --- | --- | 
| requiredKeyTags | A list of non-system tag keys that must be assigned to an evaluated resource. Tag keys are case sensitive. | StringList (maximum of 6 items) | 1–6 tag keys that meet [Amazon requirements](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-conventions). | No default value | 

This control checks whether an Amazon Transfer Family profile has the tag keys specified by the `requiredKeyTags` parameter. The control fails if the profile doesn't have any tag keys, or it doesn't have all the keys specified by the `requiredKeyTags` parameter. If you don't specify any values for the `requiredKeyTags` parameter, the control checks only for the existence of a tag key and fails if the profile doesn't have any tag keys. The control ignores system tags, which are applied automatically and have the `aws:` prefix. The control evaluates local profiles and partner profiles.

A tag is a label that you create and assign to an Amazon resource. Each tag consists of a required tag key and an optional tag value. You can use tags to categorize resources by purpose, owner, environment, or other criteria. They can help you identify, organize, search for, and filter resources. They can also help you track resource owners for actions and notifications. You can also use tags to implement attribute-based access control (ABAC) as an authorization strategy. For more information about ABAC strategies, see [Define permissions based on attributes with ABAC authorization](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*. For more information about tags, see the [Tagging Amazon Resources and Tag Editor User Guide](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html).

**Note**  
Do not store personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible from many Amazon Web Services services. They aren't intended to be used for private or sensitive data.

### Remediation


For information about adding tags to an Amazon Transfer Family profile, see [Resource tagging methods](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#intro-tag-methods) in the *Tagging Amazon Resources and Tag Editor User Guide*.
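Transfer.1 and Transfer.4 through Transfer.7 apply one evaluation rule to five resource types: at least one non-system tag key must be present, every configured required key must be present, comparison is case sensitive, and keys starting with `aws:` never count. The following is an added example, not code from the Security Hub CSPM documentation or from Transfer Family, that implements that rule once for all five controls; the parameter is named `requiredTagKeys` in Transfer.1 and `requiredKeyTags` in the others, but the semantics are identical. Tags are taken in the `{"Key": ..., "Value": ...}` list shape that Transfer Family's `ListTagsForResource` returns; the sample resources, ARNs and tag values are constructed.

```python
"""Tag-key evaluator for Transfer.1 and Transfer.4 through Transfer.7.

Added example, not code from the Security Hub CSPM documentation. The same
function serves workflows, agreements, certificates, connectors and profiles
because the controls differ only in resource type.
"""

SYSTEM_TAG_PREFIX = "aws:"
MAX_REQUIRED_KEYS = 6  # the parameter accepts at most 6 keys


def evaluate_tags(tags, required_keys=None):
    """Return {"status": "PASSED"|"FAILED", "missing": [...], "reason": str}.

    required_keys is the requiredTagKeys / requiredKeyTags parameter; None or
    an empty list means any non-system tag key satisfies the control.
    """
    required = list(required_keys or [])
    if len(required) > MAX_REQUIRED_KEYS:
        raise ValueError(f"at most {MAX_REQUIRED_KEYS} required tag keys are allowed")

    # System tags never count, whatever the parameter says.
    user_keys = {t["Key"] for t in tags if not t["Key"].startswith(SYSTEM_TAG_PREFIX)}

    if not user_keys:
        return {"status": "FAILED", "missing": required,
                "reason": "no non-system tag keys present"}

    # Exact, case-sensitive comparison: "owner" does not satisfy "Owner".
    missing = [k for k in required if k not in user_keys]
    if missing:
        return {"status": "FAILED", "missing": missing,
                "reason": "required tag keys missing: " + ", ".join(missing)}
    return {"status": "PASSED", "missing": [], "reason": "all required tag keys present"}


def audit(resources, required_keys=None):
    """Evaluate several resources; returns {arn: result} in input order."""
    return {r["Arn"]: evaluate_tags(r["Tags"], required_keys) for r in resources}


# Constructed sample resources (ARNs, IDs and tags are made up for the example).
SAMPLE_RESOURCES = [
    # Only a system tag: fails even with no required keys configured.
    {"Arn": "arn:aws-cn:transfer:cn-north-1:111122223333:workflow/w-example0001",
     "Tags": [{"Key": "aws:cloudformation:stack-name", "Value": "transfer-stack"}]},
    # Both required keys present.
    {"Arn": "arn:aws-cn:transfer:cn-north-1:111122223333:agreement/a-example0002",
     "Tags": [{"Key": "Owner", "Value": "data-exchange"},
              {"Key": "Environment", "Value": "prod"}]},
    # Tagged, but with the wrong case for "Owner" and no "Environment".
    {"Arn": "arn:aws-cn:transfer:cn-north-1:111122223333:certificate/cert-example0003",
     "Tags": [{"Key": "owner", "Value": "data-exchange"}]},
]

if __name__ == "__main__":
    for arn, result in audit(SAMPLE_RESOURCES, ["Owner", "Environment"]).items():
        print(f"{result['status']:6} {arn}: {result['reason']}")
```

Running the same inventory with no required keys shows the difference between the two modes: the certificate passes (it has a non-system key), while the workflow still fails because its only tag is a system tag.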

# Security Hub CSPM controls for Amazon WAF
Amazon WAF controls

These Amazon Security Hub CSPM controls evaluate the Amazon WAF service and resources. The controls might not be available in all Amazon Web Services Regions. For more information, see [Availability of controls by Region](securityhub-regions.md#securityhub-regions-control-support).

## [WAF.1] Amazon WAF Classic Global Web ACL logging should be enabled


**Related requirements:** NIST.800-53.r5 AC-4(26), NIST.800-53.r5 AU-10, NIST.800-53.r5 AU-12, NIST.800-53.r5 AU-2, NIST.800-53.r5 AU-3, NIST.800-53.r5 AU-6(3), NIST.800-53.r5 AU-6(4), NIST.800-53.r5 CA-7, NIST.800-53.r5 SC-7(9), NIST.800-53.r5 SI-7(8), PCI DSS v4.0.1/10.4.2

**Category:** Identify > Logging

**Severity:** Medium

**Resource type:** `AWS::WAF::WebACL`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/waf-classic-logging-enabled.html](https://docs.amazonaws.cn/config/latest/developerguide/waf-classic-logging-enabled.html)

**Schedule type:** Periodic

**Parameters:** None

This control checks whether logging is enabled for an Amazon WAF global web ACL. This control fails if logging is not enabled for the web ACL.

Logging is an important part of maintaining the reliability, availability, and performance of Amazon WAF globally. It is a business and compliance requirement in many organizations, and allows you to troubleshoot application behavior. It also provides detailed information about the traffic that is analyzed by the web ACL that is attached to Amazon WAF.

### Remediation


To enable logging for an Amazon WAF web ACL, see [Logging web ACL traffic information](https://docs.amazonaws.cn/waf/latest/developerguide/classic-logging.html) in the *Amazon WAF Developer Guide*.

## [WAF.2] Amazon WAF Classic Regional rules should have at least one condition


**Related requirements:** NIST.800-53.r5 AC-4(21), NIST.800-53.r5 SC-7, NIST.800-53.r5 SC-7(11), NIST.800-53.r5 SC-7(16), NIST.800-53.r5 SC-7(21)

**Category:** Protect > Secure network configuration

**Severity:** Medium

**Resource type:** `AWS::WAFRegional::Rule`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/waf-regional-rule-not-empty.html](https://docs.amazonaws.cn/config/latest/developerguide/waf-regional-rule-not-empty.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether an Amazon WAF Regional rule has at least one condition. The control fails if no conditions are present within a rule.

A WAF Regional rule can contain multiple conditions. The rule's conditions allow for traffic inspection and take a defined action (allow, block, or count). Without any conditions, the traffic passes without inspection. A WAF Regional rule with no conditions, but with a name or tag suggesting allow, block, or count, could lead to the wrong assumption that one of those actions is occurring.

### Remediation


To add a condition to an empty rule, see [Adding and removing conditions in a rule](https://docs.amazonaws.cn/waf/latest/developerguide/classic-web-acl-rules-editing.html) in the *Amazon WAF Developer Guide*.

## [WAF.3] Amazon WAF Classic Regional rule groups should have at least one rule


**Related requirements:** NIST.800-53.r5 AC-4(21), NIST.800-53.r5 SC-7, NIST.800-53.r5 SC-7(11), NIST.800-53.r5 SC-7(16), NIST.800-53.r5 SC-7(21)

**Category:** Protect > Secure network configuration

**Severity:** Medium

**Resource type:** `AWS::WAFRegional::RuleGroup`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/waf-regional-rulegroup-not-empty.html](https://docs.amazonaws.cn/config/latest/developerguide/waf-regional-rulegroup-not-empty.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether an Amazon WAF Regional rule group has at least one rule. The control fails if no rules are present within a rule group.

A WAF Regional rule group can contain multiple rules. The rule's conditions allow for traffic inspection and take a defined action (allow, block, or count). Without any rules, the traffic passes without inspection. A WAF Regional rule group with no rules, but with a name or tag suggesting allow, block, or count, could lead to the wrong assumption that one of those actions is occurring.

### Remediation


To add rules and rule conditions to an empty rule group, see [Adding and deleting rules from an Amazon WAF Classic rule group](https://docs.amazonaws.cn/waf/latest/developerguide/classic-rule-group-editing.html) and [Adding and removing conditions in a rule](https://docs.amazonaws.cn/waf/latest/developerguide/classic-web-acl-rules-editing.html) in the *Amazon WAF Developer Guide*.

## [WAF.4] Amazon WAF Classic Regional web ACLs should have at least one rule or rule group


**Related requirements:** NIST.800-53.r5 CA-9(1), NIST.800-53.r5 CM-2

**Category:** Protect > Secure network configuration

**Severity:** Medium

**Resource type:** `AWS::WAFRegional::WebACL`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/waf-regional-webacl-not-empty](https://docs.amazonaws.cn/config/latest/developerguide/waf-regional-webacl-not-empty)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether an Amazon WAF Classic Regional web ACL contains any WAF rules or WAF rule groups. This control fails if a web ACL does not contain any WAF rules or rule groups.

A WAF Regional web ACL can contain a collection of rules and rule groups that inspect and control web requests. If a web ACL is empty, the web traffic can pass without being detected or acted upon by WAF depending on the default action.

### Remediation


To add rules or rule groups to an empty Amazon WAF Classic Regional web ACL, see [Editing a Web ACL](https://docs.amazonaws.cn/waf/latest/developerguide/classic-web-acl-editing.html) in the *Amazon WAF Developer Guide*.

## [WAF.6] Amazon WAF Classic global rules should have at least one condition


**Related requirements:** NIST.800-53.r5 CA-9(1), NIST.800-53.r5 CM-2

**Category:** Protect > Secure network configuration

**Severity:** Medium

**Resource type:** `AWS::WAF::Rule`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/waf-global-rule-not-empty.html](https://docs.amazonaws.cn/config/latest/developerguide/waf-global-rule-not-empty.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether an Amazon WAF global rule contains any conditions. The control fails if no conditions are present within a rule.

A WAF global rule can contain multiple conditions. A rule's conditions allow for traffic inspection and take a defined action (allow, block, or count). Without any conditions, the traffic passes without inspection. A WAF global rule with no conditions, but with a name or tag suggesting allow, block, or count, could lead to the wrong assumption that one of those actions is occurring.

### Remediation


For instructions on creating a rule and adding conditions, see [Creating a rule and adding conditions](https://docs.amazonaws.cn/waf/latest/developerguide/classic-web-acl-rules-creating.html) in the *Amazon WAF Developer Guide*.

## [WAF.7] Amazon WAF Classic global rule groups should have at least one rule


**Related requirements:** NIST.800-53.r5 CA-9(1), NIST.800-53.r5 CM-2

**Category:** Protect > Secure network configuration

**Severity:** Medium

**Resource type:** `AWS::WAF::RuleGroup`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/waf-global-rulegroup-not-empty.html](https://docs.amazonaws.cn/config/latest/developerguide/waf-global-rulegroup-not-empty.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether an Amazon WAF global rule group has at least one rule. The control fails if no rules are present within a rule group.

A WAF global rule group can contain multiple rules. The rule's conditions allow for traffic inspection and take a defined action (allow, block, or count). Without any rules, the traffic passes without inspection. A WAF global rule group with no rules, but with a name or tag suggesting allow, block, or count, could lead to the wrong assumption that one of those actions is occurring.

### Remediation


For instructions on adding a rule to a rule group, see [Creating an Amazon WAF Classic rule group](https://docs.amazonaws.cn/waf/latest/developerguide/classic-create-rule-group.html) in the *Amazon WAF Developer Guide*.

## [WAF.8] Amazon WAF Classic global web ACLs should have at least one rule or rule group


**Related requirements:** NIST.800-53.r5 AC-4(21), NIST.800-53.r5 SC-7, NIST.800-53.r5 SC-7(11), NIST.800-53.r5 SC-7(16), NIST.800-53.r5 SC-7(21)

**Category:** Protect > Secure network configuration

**Severity:** Medium

**Resource type:** `AWS::WAF::WebACL`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/waf-global-webacl-not-empty](https://docs.amazonaws.cn/config/latest/developerguide/waf-global-webacl-not-empty)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether an Amazon WAF global web ACL contains at least one WAF rule or WAF rule group. The control fails if a web ACL does not contain any WAF rules or rule groups.

A WAF global web ACL can contain a collection of rules and rule groups that inspect and control web requests. If a web ACL is empty, the web traffic can pass without being detected or acted upon by WAF depending on the default action.

### Remediation


To add rules or rule groups to an empty Amazon WAF global web ACL, see [Editing a web ACL](https://docs.amazonaws.cn/waf/latest/developerguide/classic-web-acl-editing.html) in the *Amazon WAF Developer Guide*. For **Filter**, choose **Global (CloudFront)**.

## [WAF.10] Amazon WAF web ACLs should have at least one rule or rule group


**Related requirements:** NIST.800-53.r5 CA-9(1), NIST.800-53.r5 CM-2

**Category:** Protect > Secure network configuration

**Severity:** Medium

**Resource type:** `AWS::WAFv2::WebACL`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/wafv2-webacl-not-empty.html](https://docs.amazonaws.cn/config/latest/developerguide/wafv2-webacl-not-empty.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether an Amazon WAFV2 web access control list (web ACL) contains at least one rule or rule group. The control fails if a web ACL does not contain any rules or rule groups.

A web ACL gives you fine-grained control over all of the HTTP(S) web requests that your protected resource responds to. A web ACL should contain a collection of rules and rule groups that inspect and control web requests. If a web ACL is empty, the web traffic can pass without being detected or acted upon by Amazon WAF depending on the default action.

### Remediation


To add rules or rule groups to an empty WAFV2 web ACL, see [Editing a Web ACL](https://docs.amazonaws.cn/waf/latest/developerguide/web-acl-editing.html) in the *Amazon WAF Developer Guide*.
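WAF.2, WAF.3, WAF.4, WAF.6, WAF.7, WAF.8 and WAF.10 all detect the same failure mode at different levels: a rule, rule group or web ACL that exists, possibly with a name promising a block, but inspects nothing. The following is an added example, not code from the Security Hub CSPM documentation or from Amazon WAF, that evaluates all seven from copies of the API responses: WAF Classic `GetRule` (`Predicates`), `ListActivatedRulesInRuleGroup` (`ActivatedRules`), Classic `GetWebACL` (`Rules`, `DefaultAction` with a `Type`) and WAFV2 `GetWebACL` (`Rules`, `DefaultAction` as `{"Allow": {}}` or `{"Block": {}}`). For an empty web ACL it also reports the consequence the controls describe, which depends on the default action. All sample objects, IDs and ARNs are constructed.

```python
"""Find empty WAF Classic rules, rule groups and web ACLs and empty WAFV2 web
ACLs (controls WAF.2, WAF.3, WAF.4, WAF.6, WAF.7, WAF.8 and WAF.10).

Added example, not code from the Security Hub CSPM documentation or Amazon WAF.
Inputs follow the API response shapes; all sample objects are constructed.
"""


def classic_rule_is_empty(rule):
    """WAF.2 / WAF.6: a Classic rule with no predicates (conditions) inspects nothing."""
    return not rule.get("Predicates")


def classic_rule_group_is_empty(activated_rules):
    """WAF.3 / WAF.7: a Classic rule group with no activated rules."""
    return not activated_rules


def web_acl_is_empty(web_acl):
    """WAF.4 / WAF.8 / WAF.10: neither rules nor rule groups.

    In both APIs rule-group references live in "Rules" (Classic: entries with
    "Type": "GROUP"; WAFV2: rules whose Statement is a RuleGroupReferenceStatement
    or ManagedRuleGroupStatement), so an empty "Rules" list means both are absent.
    """
    return not web_acl.get("Rules")


def default_action_of(web_acl):
    """Normalise a Classic or WAFV2 default action to "ALLOW" or "BLOCK"."""
    default = web_acl.get("DefaultAction", {})
    if "Type" in default:                                # Classic shape
        return default["Type"]
    return "ALLOW" if "Allow" in default else "BLOCK"    # WAFV2 shape


def empty_web_acl_effect(web_acl):
    """Consequence of an empty web ACL: with default ALLOW every request passes
    uninspected; with default BLOCK every request is rejected (an outage rather
    than a gap, but still a finding)."""
    if default_action_of(web_acl) == "ALLOW":
        return "all requests pass without inspection"
    return "all requests are blocked"


def audit(classic_rules, classic_rule_groups, classic_web_acls, wafv2_web_acls):
    """Return one finding dict per empty resource, in inventory order."""
    findings = []
    for rule in classic_rules:
        if classic_rule_is_empty(rule):
            findings.append({"control": "WAF.2/WAF.6", "resource": rule["RuleId"],
                             "detail": "rule has no conditions"})
    for group_id, activated in classic_rule_groups.items():
        if classic_rule_group_is_empty(activated):
            findings.append({"control": "WAF.3/WAF.7", "resource": group_id,
                             "detail": "rule group has no rules"})
    for acl in classic_web_acls:
        if web_acl_is_empty(acl):
            findings.append({"control": "WAF.4/WAF.8", "resource": acl["WebACLId"],
                             "detail": empty_web_acl_effect(acl)})
    for acl in wafv2_web_acls:
        if web_acl_is_empty(acl):
            findings.append({"control": "WAF.10", "resource": acl["ARN"],
                             "detail": empty_web_acl_effect(acl)})
    return findings


# Constructed sample inventory (IDs, ARNs and names are made up).
SAMPLE_CLASSIC_RULES = [
    {"RuleId": "rule-example-sqli", "Name": "BlockSQLi", "MetricName": "BlockSQLi",
     "Predicates": [{"Negated": False, "Type": "SqlInjectionMatch", "DataId": "set-example"}]},
    {"RuleId": "rule-example-empty", "Name": "BlockBadBots", "MetricName": "BlockBadBots",
     "Predicates": []},  # the name promises a block that never happens
]
SAMPLE_CLASSIC_RULE_GROUPS = {  # rule group id -> ActivatedRules
    "group-example-populated": [{"Priority": 1, "RuleId": "rule-example-sqli",
                                 "Action": {"Type": "BLOCK"}}],
    "group-example-empty": [],
}
SAMPLE_CLASSIC_WEB_ACLS = [
    {"WebACLId": "acl-example-empty", "Name": "prod-acl",
     "DefaultAction": {"Type": "ALLOW"}, "Rules": []},
]
SAMPLE_WAFV2_WEB_ACLS = [
    {"Name": "api-acl", "Id": "00000000-example",
     "ARN": "arn:aws-cn:wafv2:cn-north-1:111122223333:regional/webacl/api-acl/00000000-example",
     "DefaultAction": {"Block": {}}, "Rules": []},
    {"Name": "site-acl", "Id": "11111111-example",
     "ARN": "arn:aws-cn:wafv2:cn-north-1:111122223333:regional/webacl/site-acl/11111111-example",
     "DefaultAction": {"Allow": {}},
     "Rules": [{"Name": "CommonRules", "Priority": 0, "OverrideAction": {"None": {}},
                "Statement": {"ManagedRuleGroupStatement": {
                    "VendorName": "AWS", "Name": "AWSManagedRulesCommonRuleSet"}},
                "VisibilityConfig": {"SampledRequestsEnabled": True,
                                     "CloudWatchMetricsEnabled": True,
                                     "MetricName": "CommonRules"}}]},
]

if __name__ == "__main__":
    for f in audit(SAMPLE_CLASSIC_RULES, SAMPLE_CLASSIC_RULE_GROUPS,
                   SAMPLE_CLASSIC_WEB_ACLS, SAMPLE_WAFV2_WEB_ACLS):
        print(f"{f['control']:12} FAILED {f['resource']}: {f['detail']}")
```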

## [WAF.11] Amazon WAF web ACL logging should be enabled


**Related requirements:** NIST.800-53.r5 AC-4(26), NIST.800-53.r5 AU-10, NIST.800-53.r5 AU-12, NIST.800-53.r5 AU-2, NIST.800-53.r5 AU-3, NIST.800-53.r5 AU-6(3), NIST.800-53.r5 AU-6(4), NIST.800-53.r5 CA-7, NIST.800-53.r5 SC-7(10), NIST.800-53.r5 SC-7(9), NIST.800-53.r5 SI-7(8), PCI DSS v4.0.1/10.4.2

**Category:** Identify > Logging

**Severity:** Low

**Resource type:** `AWS::WAFv2::WebACL`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/wafv2-logging-enabled.html](https://docs.amazonaws.cn/config/latest/developerguide/wafv2-logging-enabled.html)

**Schedule type:** Periodic

**Parameters:** None

This control checks whether logging is activated for an Amazon WAFV2 web access control list (web ACL). This control fails if logging is deactivated for the web ACL.

**Note**  
This control doesn't check whether Amazon WAF web ACL logging is enabled for an account through Amazon Security Lake.

Logging maintains the reliability, availability, and performance of Amazon WAF. In addition, logging is a business and compliance requirement in many organizations. By logging traffic that's analyzed by your web ACL, you can troubleshoot application behavior.

### Remediation


To activate logging for an Amazon WAF web ACL, see [Managing logging for a web ACL](https://docs.amazonaws.cn/waf/latest/developerguide/logging-management.html) in the *Amazon WAF Developer Guide*.

## [WAF.12] Amazon WAF rules should have CloudWatch metrics enabled


**Related requirements:** NIST.800-53.r5 AC-4(26), NIST.800-53.r5 AU-10, NIST.800-53.r5 AU-12, NIST.800-53.r5 AU-2, NIST.800-53.r5 AU-3, NIST.800-53.r5 AU-6(3), NIST.800-53.r5 AU-6(4), NIST.800-53.r5 CA-7, NIST.800-53.r5 SC-7(10), NIST.800-53.r5 SC-7(9), NIST.800-53.r5 SI-7(8), NIST.800-171.r2 3.14.6, NIST.800-171.r2 3.14.7

**Category:** Identify > Logging

**Severity:** Medium

**Resource type:** `AWS::WAFv2::RuleGroup`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/wafv2-rulegroup-logging-enabled.html](https://docs.amazonaws.cn/config/latest/developerguide/wafv2-rulegroup-logging-enabled.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether an Amazon WAF rule or rule group has Amazon CloudWatch metrics enabled. The control fails if the rule or rule group doesn't have CloudWatch metrics enabled.

Configuring CloudWatch metrics on Amazon WAF rules and rule groups provides visibility into traffic flow. You can see which ACL rules are triggered and which requests are accepted and blocked. This visibility can help you identify malicious activity on your associated resources.

### Remediation


To enable CloudWatch metrics on an Amazon WAF rule group, invoke the [UpdateRuleGroup](https://docs.amazonaws.cn/waf/latest/APIReference/API_UpdateRuleGroup.html) API. To enable CloudWatch metrics on an Amazon WAF rule, invoke the [UpdateWebACL](https://docs.amazonaws.cn/waf/latest/APIReference/API_UpdateWebACL.html) API. Set the `CloudWatchMetricsEnabled` field to `true`. When you use the Amazon WAF console to create rules or rule groups, CloudWatch metrics are automatically enabled.
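The `CloudWatchMetricsEnabled` field lives in a `VisibilityConfig` object that every WAFV2 rule carries, and the rule group or web ACL that contains the rules has a `VisibilityConfig` of its own, so a remediation has to touch every rule rather than one flag. The following is an added example, not code from the Security Hub CSPM documentation or from Amazon WAF: it evaluates WAF.12 over a copy of a rule group (the same code handles a web ACL, since both carry `Rules` and `VisibilityConfig`) and builds the corrected object whose `Rules` and `VisibilityConfig` are what you would pass to `UpdateRuleGroup` or `UpdateWebACL`, together with the `LockToken` from the matching Get call. The sample rule group and its rules are constructed.

```python
"""WAF.12: audit CloudWatchMetricsEnabled on WAFV2 rules and their container
(rule group or web ACL) and produce the corrected configuration.

Added example, not code from the Security Hub CSPM documentation or Amazon WAF.
VisibilityConfig shape: {"SampledRequestsEnabled": bool,
"CloudWatchMetricsEnabled": bool, "MetricName": str}. Samples are constructed.
"""
import copy


def metrics_disabled_rules(container):
    """Names of rules in a web ACL or rule group whose CloudWatch metrics are off."""
    return [r["Name"] for r in container.get("Rules", [])
            if not r["VisibilityConfig"].get("CloudWatchMetricsEnabled", False)]


def evaluate(container):
    """WAF.12 for one rule group or web ACL.

    FAILED if the container itself or any rule in it has
    CloudWatchMetricsEnabled false (or missing).
    """
    container_off = not container["VisibilityConfig"].get("CloudWatchMetricsEnabled", False)
    rules_off = metrics_disabled_rules(container)
    status = "FAILED" if container_off or rules_off else "PASSED"
    return {"name": container["Name"], "status": status,
            "container_metrics_disabled": container_off,
            "rules_metrics_disabled": rules_off}


def with_metrics_enabled(container):
    """Deep copy of the container with CloudWatchMetricsEnabled true everywhere.

    Nothing else about the rules is changed, so the copy's "Rules" and
    "VisibilityConfig" can be sent as-is in UpdateRuleGroup / UpdateWebACL.
    The input object is left untouched so a diff can be reviewed first.
    """
    fixed = copy.deepcopy(container)
    fixed["VisibilityConfig"]["CloudWatchMetricsEnabled"] = True
    for rule in fixed.get("Rules", []):
        rule["VisibilityConfig"]["CloudWatchMetricsEnabled"] = True
    return fixed


def _sample_rule(name, priority, metrics_enabled):
    """Build a minimal constructed geo-match rule (count action) for the sample."""
    return {"Name": name, "Priority": priority,
            "Statement": {"GeoMatchStatement": {"CountryCodes": ["AQ"]}},
            "Action": {"Count": {}},
            "VisibilityConfig": {"SampledRequestsEnabled": True,
                                 "CloudWatchMetricsEnabled": metrics_enabled,
                                 "MetricName": name}}


# Constructed sample rule group: the group has metrics on, one rule does not.
SAMPLE_RULE_GROUP = {
    "Name": "edge-geo-rules", "Capacity": 10,
    "VisibilityConfig": {"SampledRequestsEnabled": True,
                         "CloudWatchMetricsEnabled": True,
                         "MetricName": "EdgeGeoRules"},
    "Rules": [_sample_rule("CountRegionA", 0, True),
              _sample_rule("CountRegionB", 1, False)],
}

if __name__ == "__main__":
    before = evaluate(SAMPLE_RULE_GROUP)
    print(f"{before['name']}: {before['status']}, rules without metrics: "
          f"{before['rules_metrics_disabled']}")
    after = evaluate(with_metrics_enabled(SAMPLE_RULE_GROUP))
    print(f"{after['name']} after fix: {after['status']}")
```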

# Security Hub CSPM controls for WorkSpaces
Amazon WorkSpaces controls

These Amazon Security Hub CSPM controls evaluate the Amazon WorkSpaces service and resources.

These controls may not be available in all Amazon Web Services Regions. For more information, see [Availability of controls by Region](securityhub-regions.md#securityhub-regions-control-support).

## [WorkSpaces.1] WorkSpaces user volumes should be encrypted at rest


**Category:** Protect > Data Protection > Encryption of data-at-rest

**Severity:** Medium

**Resource type:** `AWS::WorkSpaces::Workspace`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/workspaces-user-volume-encryption-enabled.html](https://docs.amazonaws.cn/config/latest/developerguide/workspaces-user-volume-encryption-enabled.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether a user volume in an Amazon WorkSpaces WorkSpace is encrypted at rest. The control fails if the WorkSpace user volume isn't encrypted at rest.

Data at rest refers to data that's stored in persistent, non-volatile storage for any duration. Encrypting data at rest helps you protect its confidentiality, which reduces the risk that an unauthorized user can access it.

### Remediation


To encrypt a WorkSpaces user volume, see [Encrypt a WorkSpace](https://docs.amazonaws.cn/workspaces/latest/adminguide/encrypt-workspaces.html#encrypt_workspace) in the *Amazon WorkSpaces Administration Guide*.

## [WorkSpaces.2] WorkSpaces root volumes should be encrypted at rest


**Category:** Protect > Data Protection > Encryption of data-at-rest

**Severity:** Medium

**Resource type:** `AWS::WorkSpaces::Workspace`

**Amazon Config rule:** [https://docs.amazonaws.cn/config/latest/developerguide/workspaces-root-volume-encryption-enabled.html](https://docs.amazonaws.cn/config/latest/developerguide/workspaces-root-volume-encryption-enabled.html)

**Schedule type:** Change triggered

**Parameters:** None

This control checks whether a root volume in an Amazon WorkSpaces WorkSpace is encrypted at rest. The control fails if the WorkSpace root volume isn't encrypted at rest.

Data at rest refers to data that's stored in persistent, non-volatile storage for any duration. Encrypting data at rest helps you protect its confidentiality, which reduces the risk that an unauthorized user can access it.

### Remediation


To encrypt a WorkSpaces root volume, see [Encrypt a WorkSpace](https://docs.amazonaws.cn/workspaces/latest/adminguide/encrypt-workspaces.html#encrypt_workspace) in the *Amazon WorkSpaces Administration Guide*.

# Required permissions to configure controls in Security Hub CSPM
Permissions to configure controls

To view information about security controls and enable and disable security controls in standards, the Amazon Identity and Access Management (IAM) role that you use to access Amazon Security Hub CSPM needs permissions to call the following operations of the Security Hub CSPM API.

To get the necessary permissions, you can use [Security Hub CSPM managed policies](https://docs.amazonaws.cn/securityhub/latest/userguide/security-iam-awsmanpol.html). Alternatively, you can update custom IAM policies to include permissions for these actions.
+  **[https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_BatchGetSecurityControls.html](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_BatchGetSecurityControls.html)** – Returns information about a batch of security controls for the current account and Amazon Web Services Region. 
+  **[https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_ListSecurityControlDefinitions.html](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_ListSecurityControlDefinitions.html)** – Returns information about security controls that apply to a specified standard. 
+  **[https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_ListStandardsControlAssociations.html](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_ListStandardsControlAssociations.html)** – Identifies whether a security control is currently enabled in or disabled from each enabled standard in the account. 
+  **[https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_BatchGetStandardsControlAssociations.html](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_BatchGetStandardsControlAssociations.html)** – For a batch of security controls, identifies whether each control is currently enabled in or disabled from a specified standard. 
+  **[https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_BatchUpdateStandardsControlAssociations.html](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_BatchUpdateStandardsControlAssociations.html)** – Used to enable or disable a batch of security controls in standards that include the controls. This is a batch substitute for the existing [https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_UpdateStandardsControl.html](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_UpdateStandardsControl.html) operation. 
+  **[https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_UpdateStandardsControl.html](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_UpdateStandardsControl.html)** – Used to enable or disable a single security control in standards that include the control. 
+  **[https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_DescribeStandardsControls.html](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_DescribeStandardsControls.html)** – Returns details about specified security controls.

In addition to the preceding APIs, you should add permission to call `BatchGetControlEvaluations` to your IAM role. This permission is necessary to view the enablement and compliance status of a control, the findings count for a control, and the overall security score for controls on the Security Hub CSPM console. Because only the console calls `BatchGetControlEvaluations`, this permission doesn't directly correspond to publicly documented Security Hub CSPM APIs or Amazon CLI commands.
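When you write a custom policy instead of using the managed policies, the easy mistake is to cover the read operations but leave out one of the update operations or the console-only `BatchGetControlEvaluations`. The following is an added example, not Amazon's code: a preflight check that takes an IAM policy document and reports which of the actions listed above it does not allow. It follows IAM's case-insensitive `*`/`?` wildcard matching for `Action`; it assumes identity-based `Allow` statements with `Resource` `"*"` and deliberately ignores `Deny`, `NotAction` and conditions. The sample policy is constructed for the demonstration.

```python
"""Preflight check: does an IAM policy grant the Security Hub CSPM control permissions?

Added example, not Amazon's code. REQUIRED_CONTROL_ACTIONS is the list from the
page plus BatchGetControlEvaluations. Deny/NotAction/Condition handling is out of
scope (assumption), so a policy that passes here can still be blocked by a Deny.
"""
from fnmatch import fnmatchcase

REQUIRED_CONTROL_ACTIONS = (
    "securityhub:BatchGetSecurityControls",
    "securityhub:ListSecurityControlDefinitions",
    "securityhub:ListStandardsControlAssociations",
    "securityhub:BatchGetStandardsControlAssociations",
    "securityhub:BatchUpdateStandardsControlAssociations",
    "securityhub:UpdateStandardsControl",
    "securityhub:DescribeStandardsControls",
    "securityhub:BatchGetControlEvaluations",  # console-only, still needs a grant
)


def _as_list(value):
    """IAM accepts a string or a list for Statement/Action; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def allowed_action_patterns(policy):
    """Collect the Action patterns from the policy's Allow statements."""
    patterns = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue  # Deny and NotAction statements are intentionally skipped
        patterns.update(_as_list(stmt["Action"]))
    return patterns


def action_allowed(action, patterns):
    """IAM action names match case-insensitively and support * and ? wildcards."""
    action_lc = action.lower()
    return any(fnmatchcase(action_lc, pattern.lower()) for pattern in patterns)


def missing_control_permissions(policy, required=REQUIRED_CONTROL_ACTIONS):
    """Return the required actions the policy does not allow, in list order."""
    patterns = allowed_action_patterns(policy)
    return [action for action in required if not action_allowed(action, patterns)]


# Constructed sample: read-only wildcards plus one explicit describe action.
SAMPLE_READ_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "securityhub:BatchGet*",
                "securityhub:List*",
                "securityhub:DescribeStandardsControls",
            ],
            "Resource": "*",
        }
    ],
}

if __name__ == "__main__":
    for action in missing_control_permissions(SAMPLE_READ_ONLY_POLICY):
        print("missing:", action)
```

Feed it the document returned by `iam get-policy-version` (the `Document` field) for the role's attached policies; an empty result means every control API in the list is covered by at least one Allow statement.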

# Enabling controls in Security Hub CSPM
Enabling controls

In Amazon Security Hub CSPM, a control is a safeguard within a security standard that helps an organization protect the confidentiality, integrity, and availability of its information. Each Security Hub CSPM control is related to a specific Amazon resource. When you enable a control, Security Hub CSPM begins to run security checks for the control and generates findings for it. Security Hub CSPM also considers all enabled controls when calculating security scores.

You can choose to enable a control across all of the security standards that it applies to. Alternatively, you can configure the enablement status differently in different standards. We recommend the former option, in which the enablement status of a control is aligned across all of your enabled standards. For instructions on enabling a control across all standards that it applies to, see [Enabling a control across standards](enable-controls-overview.md). For instructions on enabling a control in specific standards, see [Enabling a control in a specific standard](controls-configure.md).

If you enable cross-Region aggregation and sign in to an aggregation Region, the Security Hub CSPM console shows controls that are available in at least one linked Region. If a control is available in a linked Region but not in the aggregation Region, you can't enable or disable that control from the aggregation Region.

You can enable and disable controls in each Region by using the Security Hub CSPM console, Security Hub CSPM API, or Amazon CLI.

The instructions for enabling and disabling controls vary based on whether or not you use [central configuration](central-configuration-intro.md). This topic describes the differences. Central configuration is available to users who integrate Security Hub CSPM and Amazon Organizations. We recommend using central configuration to simplify the process of enabling and disabling controls in multi-account, multi-Region environments. If you use central configuration, you can enable a control across multiple accounts and Regions through the use of configuration policies. If you don't use central configuration, you must enable a control separately in each Region and account.

# Enabling a control across standards


We recommend enabling an Amazon Security Hub CSPM control across all of the standards that the control applies to. If you turn on consolidated control findings, you receive one finding per control check even if a control belongs to more than one standard.

## Cross-standard enablement in multi-account, multi-Region environments


To enable a security control across multiple Amazon Web Services accounts and Amazon Web Services Regions, you must be signed in to the delegated Security Hub CSPM administrator account and use [central configuration](central-configuration-intro.md).

Under central configuration, the delegated administrator can create Security Hub CSPM configuration policies that enable specified controls across enabled standards. You can then associate the configuration policy with specific accounts and organizational units (OUs) or the root. A configuration policy takes effect in your home Region (also called an aggregation Region) and all linked Regions.

Configuration policies offer customization. For example, you can choose to enable all controls in one OU, and you can choose to enable only Amazon Elastic Compute Cloud (EC2) controls in another OU. The level of granularity depends on your intended goals for security coverage in your organization. For instructions on creating a configuration policy that enables specified controls across standards, see [Creating and associating configuration policies](create-associate-policy.md).

**Note**  
The delegated administrator can create configuration policies to manage controls in all standards except the [Service-Managed Standard: Amazon Control Tower](https://docs.amazonaws.cn/securityhub/latest/userguide/service-managed-standard-aws-control-tower.html). Controls for this standard should be configured in the Amazon Control Tower service.

If you want some accounts to configure their own controls rather than the delegated administrator, the delegated administrator can designate those accounts as self-managed. Self-managed accounts must configure controls separately in each Region.

## Cross-standard enablement in single account and Region


If you don't use central configuration or are a self-managed account, you can't use configuration policies to centrally enable controls in multiple accounts and Regions. However, you can use the following steps to enable a control in a single account and Region.

------
#### [ Security Hub CSPM console ]

**To enable a control across standards in one account and Region**

1. Open the Amazon Security Hub CSPM console at [https://console.amazonaws.cn/securityhub/](https://console.amazonaws.cn/securityhub/).

1. Choose **Controls** from the navigation pane.

1. Choose the **Disabled** tab.

1. Choose the option next to a control.

1. Choose **Enable Control** (this option doesn't appear for a control that's already enabled).

1. Repeat in each Region in which you want to enable the control.

------
#### [ Security Hub CSPM API ]

**To enable a control across standards in one account and Region**

1. Invoke the [https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_ListStandardsControlAssociations.html](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_ListStandardsControlAssociations.html) API. Provide a security control ID.

   **Example request:**

   ```
   {
       "SecurityControlId": "IAM.1"
   }
   ```

1. Invoke the [https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_BatchUpdateStandardsControlAssociations.html](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_BatchUpdateStandardsControlAssociations.html) API. Provide the Amazon Resource Name (ARN) of any standards that the control isn't enabled in. To obtain standard ARNs, run [https://docs.amazonaws.cn//securityhub/1.0/APIReference/API_DescribeStandards.html](https://docs.amazonaws.cn//securityhub/1.0/APIReference/API_DescribeStandards.html).

1. Set the `AssociationStatus` parameter equal to `ENABLED`. If you follow these steps for a control that's already enabled, the API returns an HTTP status code 200 response.

   **Example request:**

   ```
   {
       "StandardsControlAssociationUpdates": [{"SecurityControlId": "IAM.1", "StandardsArn": "arn:aws-cn:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0", "AssociationStatus": "ENABLED"}, {"SecurityControlId": "IAM.1", "StandardsArn": "arn:aws-cn:securityhub:::standards/aws-foundational-security-best-practices/v/1.0.0", "AssociationStatus": "ENABLED"}]
   }
   ```

1. Repeat in each Region in which you want to enable the control.

------
#### [ Amazon CLI ]

**To enable a control across standards in one account and Region**

1. Run the [https://docs.amazonaws.cn/cli/latest/reference/securityhub/list-standards-control-associations.html](https://docs.amazonaws.cn/cli/latest/reference/securityhub/list-standards-control-associations.html) command. Provide a security control ID.

   ```
   aws securityhub --region us-east-1 list-standards-control-associations --security-control-id CloudTrail.1
   ```

1. Run the [https://docs.amazonaws.cn/cli/latest/reference/securityhub/batch-update-standards-control-associations.html](https://docs.amazonaws.cn/cli/latest/reference/securityhub/batch-update-standards-control-associations.html) command. Provide the Amazon Resource Name (ARN) of any standards that the control isn't enabled in. To obtain standard ARNs, run the `describe-standards` command.

1. Set the `AssociationStatus` parameter equal to `ENABLED`. If you follow these steps for a control that's already enabled, the command returns an HTTP status code 200 response.

   ```
   aws securityhub  --region us-east-1 batch-update-standards-control-associations --standards-control-association-updates '[{"SecurityControlId": "CloudTrail.1", "StandardsArn": "arn:aws-cn:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0", "AssociationStatus": "ENABLED"}, {"SecurityControlId": "CloudTrail.1", "StandardsArn": "arn:aws-cn:securityhub:::standards/cis-aws-foundations-benchmark/v/1.4.0", "AssociationStatus": "ENABLED"}]'
   ```

1. Repeat in each Region in which you want to enable the control.

------

# Enabling a control in a specific standard


When you enable a standard in Amazon Security Hub CSPM, all of the controls that apply to it are automatically enabled in that standard (the exception to this is service-managed standards). You can then disable and re-enable specific controls in the standard. However, we recommend aligning the enablement status of a control across all of your enabled standards. For instructions on enabling a control across all standards, see [Enabling a control across standards](enable-controls-overview.md).

The details page for a standard lists the controls that apply to the standard and shows which of them are currently enabled and which are disabled in that standard.

On the standards details page, you can also enable controls in specific standards. You must enable controls in specific standards separately in each Amazon Web Services account and Amazon Web Services Region. When you enable a control in specific standards, it only impacts the current account and Region.

To enable a control in a standard, you must first enable at least one standard to which the control applies. For instructions on enabling a standard, see [Enabling a security standard](enable-standards.md). When you enable a control in one or more standards, Security Hub CSPM starts to generate findings for that control. Security Hub CSPM includes the [control status](https://docs.amazonaws.cn/securityhub/latest/userguide/controls-overall-status.html#controls-overall-status-values) in the calculation of the overall security score and standard security scores. Even if you enable a control in multiple standards, you'll receive a single finding per security check across standards if you turn on consolidated control findings. For more information, see [Consolidated control findings](https://docs.amazonaws.cn/securityhub/latest/userguide/controls-findings-create-update.html#consolidated-control-findings).

To enable a control in a standard, the control must be available in your current Region. For more information, see [Availability of controls by Region](https://docs.amazonaws.cn/securityhub/latest/userguide/securityhub-regions.html#securityhub-regions-control-support).

Follow these steps to enable a Security Hub CSPM control in a *specific* standard. In lieu of the following steps, you can also use the [https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_UpdateStandardsControl.html](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_UpdateStandardsControl.html) API action to enable controls in a specific standard. For instructions on enabling a control in *all* standards, see [Cross-standard enablement in single account and Region](enable-controls-overview.md#enable-controls-all-standards).

------
#### [ Security Hub CSPM console ]

**To enable a control in a specific standard**

1. Open the Amazon Security Hub CSPM console at [https://console.amazonaws.cn/securityhub/](https://console.amazonaws.cn/securityhub/).

1. Choose **Security standards** from the navigation pane.

1. Choose **View results** for the relevant standard.

1. Select a control.

1. Choose **Enable Control** (this option doesn't appear for a control that's already enabled). Confirm by choosing **Enable**.

------
#### [ Security Hub CSPM API ]

**To enable a control in a specific standard**

1. Run [https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_ListSecurityControlDefinitions.html](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_ListSecurityControlDefinitions.html), and provide a standard ARN to get a list of available controls for a specific standard. To obtain a standard ARN, run [https://docs.amazonaws.cn//securityhub/1.0/APIReference/API_DescribeStandards.html](https://docs.amazonaws.cn//securityhub/1.0/APIReference/API_DescribeStandards.html). This API returns standard-agnostic security control IDs, not standard-specific control IDs.

   **Example request:**

   ```
   {
       "StandardsArn": "arn:aws-cn:securityhub:::standards/aws-foundational-security-best-practices/v/1.0.0"
   }
   ```

1. Run [https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_ListStandardsControlAssociations.html](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_ListStandardsControlAssociations.html), and provide a specific control ID to return the current enablement status of a control in each standard.

   **Example request:**

   ```
   {
       "SecurityControlId": "IAM.1"
   }
   ```

1. Run [https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_BatchUpdateStandardsControlAssociations.html](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_BatchUpdateStandardsControlAssociations.html). Provide the ARN of the standard that you want to enable the control in.

1. Set the `AssociationStatus` parameter equal to `ENABLED`.

   **Example request:**

   ```
   {
       "StandardsControlAssociationUpdates": [{"SecurityControlId": "IAM.1", "StandardsArn": "arn:aws-cn:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0", "AssociationStatus": "ENABLED"}]
   }
   ```

------
#### [ Amazon CLI ]

**To enable a control in a specific standard**

1. Run the [https://docs.amazonaws.cn/cli/latest/reference/securityhub/list-security-control-definitions.html](https://docs.amazonaws.cn/cli/latest/reference/securityhub/list-security-control-definitions.html) command, and provide a standard ARN to get a list of available controls for a specific standard. To obtain a standard ARN, run `describe-standards`. This command returns standard-agnostic security control IDs, not standard-specific control IDs.

   ```
   aws securityhub --region us-east-1 list-security-control-definitions --standards-arn "arn:aws-cn:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0"
   ```

1. Run the [https://docs.amazonaws.cn/cli/latest/reference/securityhub/list-standards-control-associations.html](https://docs.amazonaws.cn/cli/latest/reference/securityhub/list-standards-control-associations.html) command, and provide a specific control ID to return the current enablement status of a control in each standard.

   ```
   aws securityhub  --region us-east-1 list-standards-control-associations --security-control-id CloudTrail.1
   ```

1. Run the [https://docs.amazonaws.cn/cli/latest/reference/securityhub/batch-update-standards-control-associations.html](https://docs.amazonaws.cn/cli/latest/reference/securityhub/batch-update-standards-control-associations.html) command. Provide the ARN of the standard that you want to enable the control in.

1. Set the `AssociationStatus` parameter equal to `ENABLED`.

   ```
   aws securityhub  --region us-east-1 batch-update-standards-control-associations --standards-control-association-updates '[{"SecurityControlId": "CloudTrail.1", "StandardsArn": "arn:aws-cn:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0", "AssociationStatus": "ENABLED"}]'
   ```

------

# Enabling new controls in enabled standards automatically
Enabling new controls automatically

Amazon Security Hub CSPM regularly releases new controls and adds them to one or more standards. You can choose whether to automatically enable new controls in your enabled standards.

We recommend using Security Hub CSPM central configuration to automatically enable new security controls. You can create configuration policies that include a list of controls to be disabled across standards. All other controls, including newly released ones, are enabled by default. Alternatively, you can create policies that include a list of controls to be enabled across standards. All other controls, including newly released ones, are disabled by default. For more information, see [Understanding central configuration in Security Hub CSPM](central-configuration-intro.md).

Security Hub CSPM doesn't enable new controls when they are added to a standard that you haven't enabled.

The following instructions apply only if you don't use central configuration.

Choose your preferred access method, and follow the steps to automatically enable new controls in enabled standards.

**Note**  
When you automatically enable new controls using the following instructions, you can interact with the controls in the console and programmatically immediately after release. However, automatically enabled controls have a temporary default status of **Disabled**. It can take up to several days for Security Hub CSPM to process the control release and designate the control as **Enabled** in your account. During the processing period, you can manually enable or disable a control, and Security Hub CSPM will maintain that designation regardless of whether you have automatic control enablement turned on.

------
#### [ Security Hub CSPM console ]

**To automatically enable new controls**

1. Open the Amazon Security Hub CSPM console at [https://console.amazonaws.cn/securityhub/](https://console.amazonaws.cn/securityhub/).

1. In the navigation pane, choose **Settings**, and then choose the **General** tab.

1. Under **Controls**, choose **Edit**.

1. Turn on **Auto-enable new controls in enabled standards**.

1. Choose **Save**.

------
#### [ Security Hub CSPM API ]

**To automatically enable new controls**

1. Run [https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_UpdateSecurityHubConfiguration.html](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_UpdateSecurityHubConfiguration.html).

1. To automatically enable new controls for enabled standards, set `AutoEnableControls` to `true`. If you don't want to automatically enable new controls, set `AutoEnableControls` to `false`.

------
#### [ Amazon CLI ]

**To automatically enable new controls**

1. Run the [https://docs.amazonaws.cn/cli/latest/reference/securityhub/update-security-hub-configuration.html](https://docs.amazonaws.cn/cli/latest/reference/securityhub/update-security-hub-configuration.html) command.

1. To automatically enable new controls for enabled standards, specify `--auto-enable-controls`. If you don't want to automatically enable new controls, specify `--no-auto-enable-controls`.

   ```
   aws securityhub update-security-hub-configuration --auto-enable-controls | --no-auto-enable-controls
   ```

   **Example command**

   ```
   aws securityhub update-security-hub-configuration --auto-enable-controls
   ```

------

If you don't automatically enable new controls, then you must enable them manually. For instructions, see [Enabling controls in Security Hub CSPM](securityhub-standards-enable-disable-controls.md).

# Disabling controls in Security Hub CSPM
Disabling controls

To reduce finding noise, it can be helpful to disable controls that aren't relevant to your environment. In Amazon Security Hub CSPM, you can disable a control across all security standards or for only specific standards. 

If you disable a control across all standards, the following occurs:
+ Security checks for the control are no longer performed.
+ No additional findings are generated for the control.
+ Existing findings are no longer updated for the control.
+ Existing findings for the control are archived automatically, typically within 3–5 days on a best-effort basis.
+ Security Hub CSPM removes any related Amazon Config rules that it created for the control.

If you disable a control for only specific standards, Security Hub CSPM stops running security checks for the control for only those standards. This also removes the control from [calculations of the security score](standards-security-score.md) for each of those standards. If the control is enabled in other standards, Security Hub CSPM retains the associated Amazon Config rule, if applicable, and continues running security checks for the control for the other standards. Security Hub CSPM also includes the control when it calculates the security score for each of the other standards, which affects your summary security score.

If you disable a standard, all of the controls that apply to the standard are disabled automatically for that standard. However, the controls might continue to be enabled in other standards. When you disable a standard, Security Hub CSPM doesn't track which controls were disabled for the standard. Consequently, if you later re-enable the same standard, all the controls that apply to it are automatically enabled. For information about disabling a standard, see [Disabling a standard](disable-standards.md).

Disabling a control isn't a permanent action. Suppose you disable a control, and then enable a standard that includes the control. The control is then enabled for that standard. When you enable a standard in Security Hub CSPM, all the controls that apply to the standard are automatically enabled. For information about enabling a standard, see [Enabling a standard](enable-standards.md).

**Topics**
+ [Disabling a control across standards](disable-controls-across-standards.md)
+ [Disabling a control in a specific standard](disable-controls-standard.md)
+ [Suggested controls to disable](controls-to-disable.md)

# Disabling a control across standards


We recommend disabling an Amazon Security Hub CSPM control across standards to maintain alignment throughout your organization. If you disable a control in only specific standards, you continue to receive findings for the control if it is enabled in other standards.

## Cross-standard disablement in multiple accounts and Regions


To disable a security control across multiple Amazon Web Services accounts and Amazon Web Services Regions, you must use [central configuration](central-configuration-intro.md).

When you use central configuration, the delegated administrator can create Security Hub CSPM configuration policies that disable specified controls across enabled standards. You can then associate the configuration policy with specific accounts, OUs, or the root. A configuration policy takes effect in your home Region (also called an aggregation Region) and all linked Regions.

Configuration policies offer customization. For example, you can choose to disable all Amazon CloudTrail controls in one OU, and you can choose to disable all IAM controls in another OU. The level of granularity depends on your intended goals for security coverage in your organization. For instructions on creating a configuration policy that disables specified controls across standards, see [Creating and associating configuration policies](create-associate-policy.md).

**Note**  
The delegated administrator can create configuration policies to manage controls in all standards except the [Service-Managed Standard: Amazon Control Tower](https://docs.amazonaws.cn/securityhub/latest/userguide/service-managed-standard-aws-control-tower.html). Controls for this standard should be configured in the Amazon Control Tower service.

If you want some accounts to configure their own controls rather than the delegated administrator, the delegated administrator can designate those accounts as self-managed. Self-managed accounts must configure controls separately in each Region.

## Cross-standard disablement in a single account and Region


If you don't use central configuration or are a self-managed account, you can't use configuration policies to centrally disable controls in multiple accounts and Regions. However, you can disable a control in a single account and Region.

------
#### [ Security Hub CSPM console ]

**To disable a control across standards in one account and Region**

1. Open the Amazon Security Hub CSPM console at [https://console.amazonaws.cn/securityhub/](https://console.amazonaws.cn/securityhub/).

1. Choose **Controls** from the navigation pane.

1. Choose the option next to a control.

1. Choose **Disable Control**. This option doesn't appear for a control that's already disabled.

1. Select a reason for disabling the control, and confirm by choosing **Disable**.

1. Repeat in each Region in which you want to disable the control.

------
#### [ Security Hub CSPM API ]

**To disable a control across standards in one account and Region**

1. Invoke the [https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_ListStandardsControlAssociations.html](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_ListStandardsControlAssociations.html) API. Provide a security control ID.

   **Example request:**

   ```
   {
       "SecurityControlId": "IAM.1"
   }
   ```

1. Invoke the [https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_BatchUpdateStandardsControlAssociations.html](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_BatchUpdateStandardsControlAssociations.html) API. Provide the ARN of any standards that the control is enabled in. To obtain standard ARNs, run [https://docs.amazonaws.cn//securityhub/1.0/APIReference/API_DescribeStandards.html](https://docs.amazonaws.cn//securityhub/1.0/APIReference/API_DescribeStandards.html).

1. Set the `AssociationStatus` parameter equal to `DISABLED`. If you follow these steps for a control that's already disabled, the API returns an HTTP status code 200 response.

   **Example request:**

   ```
   {
       "StandardsControlAssociationUpdates": [
           {
               "SecurityControlId": "IAM.1",
               "StandardsArn": "arn:aws-cn:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0",
               "AssociationStatus": "DISABLED",
               "UpdatedReason": "Not applicable to environment"
           },
           {
               "SecurityControlId": "IAM.1",
               "StandardsArn": "arn:aws-cn:securityhub:::standards/aws-foundational-security-best-practices/v/1.0.0",
               "AssociationStatus": "DISABLED",
               "UpdatedReason": "Not applicable to environment"
           }
       ]
   }
   ```

1. Repeat in each Region in which you want to disable the control.

------
#### [ Amazon CLI ]

**To disable a control across standards in one account and Region**

1. Run the [https://docs.amazonaws.cn/cli/latest/reference/securityhub/list-standards-control-associations.html](https://docs.amazonaws.cn/cli/latest/reference/securityhub/list-standards-control-associations.html) command. Provide a security control ID.

   ```
   aws securityhub  --region us-east-1 list-standards-control-associations --security-control-id CloudTrail.1
   ```

1. Run the [https://docs.amazonaws.cn/cli/latest/reference/securityhub/batch-update-standards-control-associations.html](https://docs.amazonaws.cn/cli/latest/reference/securityhub/batch-update-standards-control-associations.html) command. Provide the ARN of any standards that the control is enabled in. To obtain standard ARNs, run the `describe-standards` command.

1. Set the `AssociationStatus` parameter equal to `DISABLED`. If you follow these steps for a control that's already disabled, the command returns an HTTP status code 200 response.

   ```
   aws securityhub  --region us-east-1 batch-update-standards-control-associations --standards-control-association-updates '[{"SecurityControlId": "CloudTrail.1", "StandardsArn": "arn:aws-cn:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0", "AssociationStatus": "DISABLED", "UpdatedReason": "Not applicable to environment"}, {"SecurityControlId": "CloudTrail.1", "StandardsArn": "arn:aws-cn:securityhub:::standards/cis-aws-foundations-benchmark/v/1.4.0", "AssociationStatus": "DISABLED", "UpdatedReason": "Not applicable to environment"}]'
   ```

1. Repeat in each Region in which you want to disable the control.

------

# Disabling a control in a specific standard


You can disable a control in only specific security standards, instead of across all standards. If the control applies to other enabled standards, Amazon Security Hub CSPM continues to run security checks for the control and you continue to receive findings for the control.

We recommend aligning the enablement status of a control across all of the enabled standards that the control applies to. For information about disabling a control across all of the standards that it applies to, see [Disabling a control across standards](disable-controls-across-standards.md).

On the standards details page, you can also disable controls in specific standards. You must disable controls in specific standards separately in each Amazon Web Services account and Amazon Web Services Region. When you disable a control in specific standards, it affects only the current account and Region.

Choose your preferred method, and follow these steps to disable a control in one or more specific standards.

------
#### [ Security Hub CSPM console ]

**To disable a control in a specific standard**

1. Open the Amazon Security Hub CSPM console at [https://console.amazonaws.cn/securityhub/](https://console.amazonaws.cn/securityhub/).

1. Choose **Security standards** from the navigation pane. Choose **View results** for the relevant standard.

1. Select a control.

1. Choose **Disable Control**. This option doesn't appear for a control that's already disabled.

1. Provide a reason for disabling the control, and confirm by choosing **Disable**.

------
#### [ Security Hub CSPM API ]

**To disable a control in a specific standard**

1. Run [https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_ListSecurityControlDefinitions.html](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_ListSecurityControlDefinitions.html), and provide a standard ARN to get a list of available controls for a specific standard. To obtain a standard ARN, run [https://docs.amazonaws.cn//securityhub/1.0/APIReference/API_DescribeStandards.html](https://docs.amazonaws.cn//securityhub/1.0/APIReference/API_DescribeStandards.html). This API returns standard-agnostic security control IDs, not standard-specific control IDs.

   **Example request:**

   ```
   {
       "StandardsArn": "arn:aws-cn:securityhub:::standards/aws-foundational-security-best-practices/v/1.0.0"
   }
   ```

1. Run [https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_ListStandardsControlAssociations.html](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_ListStandardsControlAssociations.html), and provide a specific control ID to return the current enablement status of a control in each standard.

   **Example request:**

   ```
   {
       "SecurityControlId": "IAM.1"
   }
   ```

1. Run [https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_BatchUpdateStandardsControlAssociations.html](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_BatchUpdateStandardsControlAssociations.html). Provide the ARN of the standard in which you want to disable the control.

1. Set the `AssociationStatus` parameter equal to `DISABLED`. If you follow these steps for a control that's already disabled, the API returns an HTTP status code 200 response.

   **Example request:**

   ```
   {
       "StandardsControlAssociationUpdates": [{"SecurityControlId": "IAM.1", "StandardsArn": "arn:aws-cn:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0", "AssociationStatus": "DISABLED",  "UpdatedReason": "Not applicable to environment"}]
   }
   ```

------
#### [ Amazon CLI ]

**To disable a control in a specific standard**

1. Run the [https://docs.amazonaws.cn/cli/latest/reference/securityhub/list-security-control-definitions.html](https://docs.amazonaws.cn/cli/latest/reference/securityhub/list-security-control-definitions.html) command, and provide a standard ARN to get a list of available controls for a specific standard. To obtain a standard ARN, run `describe-standards`. This command returns standard-agnostic security control IDs, not standard-specific control IDs.

   ```
   aws securityhub --region us-east-1 list-security-control-definitions --standards-arn "arn:aws-cn:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0"
   ```

1. Run the [https://docs.amazonaws.cn/cli/latest/reference/securityhub/list-standards-control-associations.html](https://docs.amazonaws.cn/cli/latest/reference/securityhub/list-standards-control-associations.html) command, and provide a specific control ID to return the current enablement status of a control in each standard.

   ```
   aws securityhub  --region us-east-1 list-standards-control-associations --security-control-id CloudTrail.1
   ```

1. Run the [https://docs.amazonaws.cn/cli/latest/reference/securityhub/batch-update-standards-control-associations.html](https://docs.amazonaws.cn/cli/latest/reference/securityhub/batch-update-standards-control-associations.html) command. Provide the ARN of the standard in which you want to disable the control.

1. Set the `AssociationStatus` parameter equal to `DISABLED`. If you follow these steps for a control that's already disabled, the command returns an HTTP status code 200 response.

   ```
   aws securityhub  --region us-east-1 batch-update-standards-control-associations --standards-control-association-updates '[{"SecurityControlId": "CloudTrail.1", "StandardsArn": "arn:aws-cn:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0", "AssociationStatus": "DISABLED", "UpdatedReason": "Not applicable to environment"}]'
   ```

------
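The two procedures above (disabling a control across every standard it is enabled in, and disabling it only in specific standards) scripted with boto3, as an added example that is not AWS's or this page's own code. It assumes credentials for the account being changed; the `client_factory` parameter is an assumption made so the logic can be exercised against a fake client, and with boto3 it is simply `boto3.client`.

```python
"""Disable a Security Hub CSPM control, either across every standard it is
enabled in or only in chosen standards, one account at a time and once per
Region. Added example (not AWS code): it chains the two API calls the page
describes, ListStandardsControlAssociations and
BatchUpdateStandardsControlAssociations. `client_factory` is an assumption
so the logic can run against a fake client; with boto3 pass `boto3.client`.
"""


def build_disable_updates(summaries, control_id, reason, standards_arns=None):
    """Turn ListStandardsControlAssociations summaries into the update list.

    Only associations that are currently ENABLED are included, so the script
    is idempotent (the API would accept updates for already disabled
    standards and return HTTP 200, but there is nothing to change). When
    `standards_arns` is given, the control is disabled only in those
    standards; otherwise in every standard it is enabled in.
    """
    updates = []
    for summary in summaries:
        if summary["SecurityControlId"] != control_id:
            continue
        if summary["AssociationStatus"] != "ENABLED":
            continue
        arn = summary["StandardsArn"]
        if standards_arns is not None and arn not in standards_arns:
            continue
        updates.append({
            "SecurityControlId": control_id,
            "StandardsArn": arn,
            "AssociationStatus": "DISABLED",
            "UpdatedReason": reason,
        })
    return updates


def list_associations(client, control_id):
    """Page through ListStandardsControlAssociations using NextToken."""
    summaries = []
    kwargs = {"SecurityControlId": control_id}
    while True:
        resp = client.list_standards_control_associations(**kwargs)
        summaries.extend(resp.get("StandardsControlAssociationSummaries", []))
        if not resp.get("NextToken"):
            return summaries
        kwargs["NextToken"] = resp["NextToken"]


def disable_control(client, control_id, reason, standards_arns=None):
    """Disable `control_id` in one Region using an already-built client.

    Returns (disabled_arns, unprocessed): the standards the service accepted
    the update for, and the UnprocessedAssociationUpdates it rejected, so
    the change can be audited rather than assumed.
    """
    updates = build_disable_updates(
        list_associations(client, control_id), control_id, reason,
        standards_arns)
    if not updates:
        return [], []
    resp = client.batch_update_standards_control_associations(
        StandardsControlAssociationUpdates=updates)
    unprocessed = resp.get("UnprocessedAssociationUpdates", [])
    rejected = {u["StandardsControlAssociationUpdate"]["StandardsArn"]
                for u in unprocessed}
    disabled = [u["StandardsArn"] for u in updates
                if u["StandardsArn"] not in rejected]
    return disabled, unprocessed


def disable_in_regions(client_factory, regions, control_id, reason,
                       standards_arns=None):
    """Repeat the per-Region step: control enablement is Regional state."""
    return {
        region: disable_control(
            client_factory("securityhub", region_name=region),
            control_id, reason, standards_arns)
        for region in regions
    }


if __name__ == "__main__":
    import boto3  # imported here so the functions above run without it

    # Sample Regions and control; adjust to the account being changed.
    results = disable_in_regions(
        boto3.client, ["us-east-1", "us-west-2"], "CloudTrail.1",
        "Not applicable to environment")
    for region, (disabled, unprocessed) in results.items():
        print(region, "disabled in:", disabled, "rejected:", unprocessed)
```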

# Suggested controls to disable in Security Hub CSPM
Suggested controls to disable

We recommend disabling some Amazon Security Hub CSPM controls to reduce finding noise and usage costs.

## Controls that use global resources


Some Amazon Web Services services support global resources, which means that you can access the resource from any Amazon Web Services Region. To save on the cost of Amazon Config, you can disable recording of global resources in all but one Region. After you do this, however, Security Hub CSPM still runs security checks in all Regions where a control is enabled and charges you based on the number of checks per account per Region. Accordingly, to reduce finding noise and save on the cost of Security Hub CSPM, you should also disable controls that involve global resources in all Regions except the Region that records global resources.

If a control involves global resources but is available in only one Region, disabling it in that Region prevents you from getting any findings for the underlying resource. In this case, we recommend keeping the control enabled. When using cross-Region aggregation, the Region in which the control is available should be the aggregation Region or one of the linked Regions. The following controls involve global resources but are available in only a single Region:
+ **All CloudFront controls** – Available only in the US East (N. Virginia) Region
+ **GlobalAccelerator.1** – Available only in the US West (Oregon) Region
+ **Route53.2** – Available only in the US East (N. Virginia) Region
+ **WAF.1, WAF.6, WAF.7, WAF.8** – Available only in the US East (N. Virginia) Region

**Note**  
If you use central configuration, Security Hub CSPM automatically disables controls that involve global resources in all Regions except the home Region. Other controls that you choose to enable through a configuration policy are enabled in all Regions where they are available. To limit findings for these controls to just one Region, you can update your Amazon Config recorder settings and turn off global resource recording in all Regions except the home Region.  
If an enabled control that involves global resources isn't supported in the home Region, Security Hub CSPM tries to enable the control in one linked Region where the control is supported. With central configuration, you lack coverage for a control that isn't available in the home Region or any of the linked Regions.  
For more information about central configuration, see [Understanding central configuration in Security Hub CSPM](central-configuration-intro.md).

For controls that have a *periodic* schedule type, disabling them in Security Hub CSPM is required to prevent billing. Setting the Amazon Config parameter `includeGlobalResourceTypes` to `false` doesn't affect periodic Security Hub CSPM controls.

The following Security Hub CSPM controls use global resources:
+ [[Account.1] Security contact information should be provided for an Amazon Web Services account](account-controls.md#account-1)
+ [[Account.2] Amazon Web Services accounts should be part of an Amazon Organizations organization](account-controls.md#account-2)
+ [[CloudFront.1] CloudFront distributions should have a default root object configured](cloudfront-controls.md#cloudfront-1)
+ [[CloudFront.3] CloudFront distributions should require encryption in transit](cloudfront-controls.md#cloudfront-3)
+ [[CloudFront.4] CloudFront distributions should have origin failover configured](cloudfront-controls.md#cloudfront-4)
+ [[CloudFront.5] CloudFront distributions should have logging enabled](cloudfront-controls.md#cloudfront-5)
+ [[CloudFront.6] CloudFront distributions should have WAF enabled](cloudfront-controls.md#cloudfront-6)
+ [[CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates](cloudfront-controls.md#cloudfront-7)
+ [[CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests](cloudfront-controls.md#cloudfront-8)
+ [[CloudFront.9] CloudFront distributions should encrypt traffic to custom origins](cloudfront-controls.md#cloudfront-9)
+ [[CloudFront.10] CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins](cloudfront-controls.md#cloudfront-10)
+ [[CloudFront.12] CloudFront distributions should not point to non-existent S3 origins](cloudfront-controls.md#cloudfront-12)
+ [[CloudFront.13] CloudFront distributions should use origin access control](cloudfront-controls.md#cloudfront-13)
+ [[CloudFront.15] CloudFront distributions should use the recommended TLS security policy](cloudfront-controls.md#cloudfront-15)
+ [[CloudFront.16] CloudFront distributions should use origin access control for Lambda function URL origins](cloudfront-controls.md#cloudfront-16)
+ [[GlobalAccelerator.1] Global Accelerator accelerators should be tagged](globalaccelerator-controls.md#globalaccelerator-1)
+ [[IAM.1] IAM policies should not allow full "*" administrative privileges](iam-controls.md#iam-1)
+ [[IAM.2] IAM users should not have IAM policies attached](iam-controls.md#iam-2)
+ [[IAM.3] IAM users' access keys should be rotated every 90 days or less](iam-controls.md#iam-3)
+ [[IAM.4] IAM root user access key should not exist](iam-controls.md#iam-4)
+ [[IAM.5] MFA should be enabled for all IAM users that have a console password](iam-controls.md#iam-5)
+ [[IAM.6] Hardware MFA should be enabled for the root user](iam-controls.md#iam-6)
+ [[IAM.7] Password policies for IAM users should have strong configurations](iam-controls.md#iam-7)
+ [[IAM.8] Unused IAM user credentials should be removed](iam-controls.md#iam-8)
+ [[IAM.9] MFA should be enabled for the root user](iam-controls.md#iam-9)
+ [[IAM.10] Password policies for IAM users should have strong configurations](iam-controls.md#iam-10)
+ [[IAM.11] Ensure IAM password policy requires at least one uppercase letter](iam-controls.md#iam-11)
+ [[IAM.12] Ensure IAM password policy requires at least one lowercase letter](iam-controls.md#iam-12)
+ [[IAM.13] Ensure IAM password policy requires at least one symbol](iam-controls.md#iam-13)
+ [[IAM.14] Ensure IAM password policy requires at least one number](iam-controls.md#iam-14)
+ [[IAM.15] Ensure IAM password policy requires minimum password length of 14 or greater](iam-controls.md#iam-15)
+ [[IAM.16] Ensure IAM password policy prevents password reuse](iam-controls.md#iam-16)
+ [[IAM.17] Ensure IAM password policy expires passwords within 90 days or less](iam-controls.md#iam-17)
+ [[IAM.18] Ensure a support role has been created to manage incidents with Amazon Web Services Support](iam-controls.md#iam-18)
+ [[IAM.19] MFA should be enabled for all IAM users](iam-controls.md#iam-19)
+ [[IAM.21] IAM customer managed policies that you create should not allow wildcard actions for services](iam-controls.md#iam-21)
+ [[IAM.22] IAM user credentials unused for 45 days should be removed](iam-controls.md#iam-22)
+ [[IAM.24] IAM roles should be tagged](iam-controls.md#iam-24)
+ [[IAM.25] IAM users should be tagged](iam-controls.md#iam-25)
+ [[IAM.26] Expired SSL/TLS certificates managed in IAM should be removed](iam-controls.md#iam-26)
+ [[IAM.27] IAM identities should not have the AWSCloudShellFullAccess policy attached](iam-controls.md#iam-27)
+ [[KMS.1] IAM customer managed policies should not allow decryption actions on all KMS keys](kms-controls.md#kms-1)
+ [[KMS.2] IAM principals should not have IAM inline policies that allow decryption actions on all KMS keys](kms-controls.md#kms-2)
+ [[Route53.2] Route 53 public hosted zones should log DNS queries](route53-controls.md#route53-2)
+ [[WAF.1] Amazon WAF Classic Global Web ACL logging should be enabled](waf-controls.md#waf-1)
+ [[WAF.6] Amazon WAF Classic global rules should have at least one condition](waf-controls.md#waf-6)
+ [[WAF.7] Amazon WAF Classic global rule groups should have at least one rule](waf-controls.md#waf-7)
+ [[WAF.8] Amazon WAF Classic global web ACLs should have at least one rule or rule group](waf-controls.md#waf-8)
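The per-Region rules from this section worked through in code, as an added example that is not AWS's own: global-resource controls are disabled everywhere except the Region that records global resources, while a control that exists in only one Region is kept there and flagged if that Region is neither the aggregation Region nor a linked Region. The control IDs are taken from the lists on this page; the Region names and aggregation layout are constructed sample input.

```python
"""Plan where to disable global-resource controls, Region by Region.

Added example, not AWS code. It applies the rules stated on this page:
controls that use global resources are disabled in every Region except the
one that records global resources, but a control that exists in only one
Region stays enabled there, and that Region should be the aggregation
Region or a linked Region. Control IDs come from the page; the Region
names and aggregation layout in the demo are constructed sample input.
"""

# Controls this page lists as using global resources.
GLOBAL_RESOURCE_CONTROLS = (
    ["Account.1", "Account.2"]
    + ["CloudFront.%d" % n for n in (1, 3, 4, 5, 6, 7, 8, 9, 10, 12, 13, 15, 16)]
    + ["GlobalAccelerator.1"]
    + ["IAM.%d" % n for n in list(range(1, 20)) + [21, 22, 24, 25, 26, 27]]
    + ["KMS.1", "KMS.2", "Route53.2", "WAF.1", "WAF.6", "WAF.7", "WAF.8"]
)

# Controls the page says are available in only one Region.
SINGLE_REGION = {"GlobalAccelerator.1": "us-west-2", "Route53.2": "us-east-1",
                 "WAF.1": "us-east-1", "WAF.6": "us-east-1",
                 "WAF.7": "us-east-1", "WAF.8": "us-east-1"}


def single_region_of(control_id):
    """Region a control is restricted to, or None if it runs everywhere."""
    if control_id.startswith("CloudFront."):
        return "us-east-1"
    return SINGLE_REGION.get(control_id)


def plan_disablement(enabled_regions, global_recording_region,
                     aggregation_region, linked_regions,
                     controls=GLOBAL_RESOURCE_CONTROLS):
    """Return ({region: [control ids to disable]}, [coverage warnings])."""
    plan = {region: [] for region in enabled_regions}
    warnings = []
    covered = {aggregation_region, *linked_regions}
    for control in controls:
        only = single_region_of(control)
        if only is None:
            # Multi-Region global control: keep it only where global
            # resources are recorded; elsewhere it would repeat findings
            # and be billed per check.
            for region in enabled_regions:
                if region != global_recording_region:
                    plan[region].append(control)
        elif only not in covered:
            # Disabling it would drop the only findings for that resource,
            # so keep it, but flag that the aggregation Region won't see it.
            warnings.append("%s is only available in %s, which is not the "
                            "aggregation Region or a linked Region"
                            % (control, only))
    return plan, warnings


if __name__ == "__main__":
    # Constructed sample layout: three Regions in use, global resources
    # recorded in us-east-1, findings aggregated into eu-west-1.
    plan, warnings = plan_disablement(
        enabled_regions=["us-east-1", "us-west-2", "eu-west-1"],
        global_recording_region="us-east-1",
        aggregation_region="eu-west-1",
        linked_regions=["us-east-1"])
    for region, controls in plan.items():
        print(region, len(controls), "controls to disable")
    for warning in warnings:
        print("warning:", warning)
```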

## CloudTrail logging controls


The [CloudTrail.2](cloudtrail-controls.md#cloudtrail-2) control evaluates the use of Amazon Key Management Service (Amazon KMS) to encrypt Amazon CloudTrail trail logs. If you log these trails in a centralized logging account, you need to enable this control only in the account and Amazon Web Services Region where centralized logging takes place.

If you use [central configuration](central-configuration-intro.md), the enablement status of a control is aligned across the home Region and linked Regions. You can't disable a control in some Regions and enable it in others. In this case, you can suppress findings from the CloudTrail.2 control to reduce finding noise.

## CloudWatch alarm controls


If you prefer to use Amazon GuardDuty for anomaly detection instead of Amazon CloudWatch alarms, you can disable the following controls, which focus on CloudWatch alarms:
+ [[CloudWatch.1] A log metric filter and alarm should exist for usage of the "root" user](cloudwatch-controls.md#cloudwatch-1)
+ [[CloudWatch.2] Ensure a log metric filter and alarm exist for unauthorized API calls](cloudwatch-controls.md#cloudwatch-2)
+ [[CloudWatch.3] Ensure a log metric filter and alarm exist for Management Console sign-in without MFA](cloudwatch-controls.md#cloudwatch-3)
+ [[CloudWatch.4] Ensure a log metric filter and alarm exist for IAM policy changes](cloudwatch-controls.md#cloudwatch-4)
+ [[CloudWatch.5] Ensure a log metric filter and alarm exist for CloudTrail configuration changes](cloudwatch-controls.md#cloudwatch-5)
+ [[CloudWatch.6] Ensure a log metric filter and alarm exist for Amazon Web Services Management Console authentication failures](cloudwatch-controls.md#cloudwatch-6)
+ [[CloudWatch.7] Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer managed keys](cloudwatch-controls.md#cloudwatch-7)
+ [[CloudWatch.8] Ensure a log metric filter and alarm exist for S3 bucket policy changes](cloudwatch-controls.md#cloudwatch-8)
+ [[CloudWatch.9] Ensure a log metric filter and alarm exist for Amazon Config configuration changes](cloudwatch-controls.md#cloudwatch-9)
+ [[CloudWatch.10] Ensure a log metric filter and alarm exist for security group changes](cloudwatch-controls.md#cloudwatch-10)
+ [[CloudWatch.11] Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)](cloudwatch-controls.md#cloudwatch-11)
+ [[CloudWatch.12] Ensure a log metric filter and alarm exist for changes to network gateways](cloudwatch-controls.md#cloudwatch-12)
+ [[CloudWatch.13] Ensure a log metric filter and alarm exist for route table changes](cloudwatch-controls.md#cloudwatch-13)
+ [[CloudWatch.14] Ensure a log metric filter and alarm exist for VPC changes](cloudwatch-controls.md#cloudwatch-14)

# Understanding security checks and scores in Security Hub CSPM
Security checks and scores

For each control that you enable, Amazon Security Hub CSPM runs security checks. A security check produces a finding that tells you whether a specific Amazon resource is in compliance with the rules that the control includes.

Some checks run on a periodic schedule. Other checks only run when there is a change to the resource state. For more information, see [Schedule for running security checks](securityhub-standards-schedule.md).

Many security checks use Amazon Config managed or custom rules to establish the compliance requirements. To run these checks, you must set up Amazon Config and turn on resource recording for required resources. For more information on setting up Amazon Config, see [Enabling and configuring Amazon Config for Security Hub CSPM](securityhub-setup-prereqs.md). For a list of Amazon Config resources that you must record for each standard, see [Required Amazon Config resources for control findings](controls-config-resources.md). Other controls use custom Lambda functions, which are managed by Security Hub CSPM and don't require any prerequisites.

As Security Hub CSPM runs security checks, it generates findings and assigns them a compliance status. For more information about compliance status, see [Evaluating the compliance status of Security Hub CSPM findings](controls-overall-status.md#controls-overall-status-compliance-status).

Security Hub CSPM uses the compliance status of control findings to determine an overall control status. Based on the control status, Security Hub CSPM also calculates a security score across all enabled controls and for specific standards. For more information, see [Evaluating compliance status and control status](controls-overall-status.md) and [Calculating security scores](standards-security-score.md).

If you've turned on consolidated control findings, Security Hub CSPM generates a single finding even when a control is associated with more than one standard. For more information, see [Consolidated control findings](controls-findings-create-update.md#consolidated-control-findings).

**Topics**
+ [Required Amazon Config resources for control findings](controls-config-resources.md)
+ [Schedule for running security checks](securityhub-standards-schedule.md)
+ [Generating and updating control findings](controls-findings-create-update.md)
+ [Evaluating compliance status and control status](controls-overall-status.md)
+ [Calculating security scores](standards-security-score.md)

# Required Amazon Config resources for control findings
Required Amazon Config resources for control findings

In Amazon Security Hub CSPM, some controls use service-linked Amazon Config rules that detect configuration changes in your Amazon resources. For Security Hub CSPM to generate accurate findings for these controls, you must enable Amazon Config and turn on resource recording in Amazon Config. For information about how Security Hub CSPM uses Amazon Config rules and how to enable and configure Amazon Config, see [Enabling and configuring Amazon Config for Security Hub CSPM](securityhub-setup-prereqs.md). For detailed information about resource recording, see [Working with the configuration recorder](https://docs.amazonaws.cn/config/latest/developerguide/stop-start-recorder.html) in the *Amazon Config Developer Guide*.

To receive accurate control findings, you must turn on Amazon Config resource recording for enabled controls with a *change triggered* schedule type. Some controls with a *periodic* schedule type also require resource recording. This page lists the required resources for these Security Hub CSPM controls.

Security Hub CSPM controls can rely on managed Amazon Config rules or custom Security Hub CSPM rules. Make sure there aren't any Amazon Identity and Access Management (IAM) policies or Amazon Organizations managed policies that prevent Amazon Config from having permission to record your resources. Security Hub CSPM controls evaluate resource configurations directly and don’t take Amazon Organizations policies into account.

**Note**  
In Amazon Web Services Regions where a control isn't available, the corresponding resource isn't available in Amazon Config. For a list of these limits, see [Regional limits on Security Hub CSPM controls](regions-controls.md).

**Topics**
+ [Required resources for all Security Hub CSPM controls](#all-controls-config-resources)
+ [Required resources for the Amazon Foundational Security Best Practices standard](#securityhub-standards-fsbp-config-resources)
+ [Required resources for the CIS Amazon Foundations Benchmark](#securityhub-standards-cis-config-resources)
+ [Required resources for the NIST SP 800-53 Revision 5 standard](#nist-config-resources)
+ [Required resources for the NIST SP 800-171 Revision 2 standard](#nist-800-171-config-resources)
+ [Required resources for PCI DSS v3.2.1](#securityhub-standards-pci-config-resources)
+ [Required resources for the Amazon Resource Tagging standard](#tagging-config-resources)

## Required resources for all Security Hub CSPM controls


For Security Hub CSPM to generate findings for change triggered controls that are enabled and use an Amazon Config rule, you must record the following types of resources in Amazon Config. This table also indicates which controls evaluate a particular type of resource. A single control might evaluate more than one type of resource.

[\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/controls-config-resources.html)

## Required resources for the Amazon Foundational Security Best Practices standard


For Security Hub CSPM to accurately report findings for change triggered controls that apply to the Amazon Foundational Security Best Practices standard (v.1.0.0), are enabled, and use an Amazon Config rule, you must record the following types of resources in Amazon Config. For information about this standard, see [Amazon Foundational Security Best Practices standard in Security Hub CSPM](fsbp-standard.md).


| Amazon Web Services service | Resource types | 
| --- | --- | 
|  Amazon API Gateway  |  `AWS::ApiGateway::DomainName`, `AWS::ApiGateway::Stage`, `AWS::ApiGatewayV2::Stage`  | 
|  Amazon AppSync  |  `AWS::AppSync::ApiCache`, `AWS::AppSync::GraphQLApi`  | 
|  Amazon Backup  |  `AWS::Backup::RecoveryPoint`  | 
|  Amazon Certificate Manager (ACM)  |  `AWS::ACM::Certificate`  | 
|  Amazon CloudFormation  |  `AWS::CloudFormation::Stack`  | 
|  Amazon CloudFront  |  `AWS::CloudFront::Distribution`  | 
|  Amazon CodeBuild  |  `AWS::CodeBuild::Project`, `AWS::CodeBuild::ReportGroup`  | 
|  Amazon Cognito  |  `AWS::Cognito::IdentityPool`, `AWS::Cognito::UserPool`  | 
|  Amazon CloudTrail  |  `AWS::CloudTrail::EventDataStore`  | 
|  Amazon Connect  |  `AWS::Connect::Instance`  | 
|  Amazon DataSync  |  `AWS::DataSync::Task`  | 
|  Amazon Database Migration Service (Amazon DMS)  |  `AWS::DMS::Endpoint`, `AWS::DMS::ReplicationInstance`, `AWS::DMS::ReplicationTask`  | 
|  Amazon DynamoDB  |  `AWS::DynamoDB::Table`  | 
| Amazon EC2 Systems Manager (SSM)  |  `AWS::SSM::AssociationCompliance`, `AWS::SSM::ManagedInstanceInventory`, `AWS::SSM::PatchCompliance`  | 
|  Amazon Elastic Compute Cloud (Amazon EC2)  |  `AWS::EC2::ClientVpnEndpoint`, `AWS::EC2::Instance`, `AWS::EC2::LaunchTemplate`, `AWS::EC2::NetworkAcl`, `AWS::EC2::NetworkInterface`, `AWS::EC2::SecurityGroup`, `AWS::EC2::SnapshotBlockPublicAccess`, `AWS::EC2::SpotFleet`, `AWS::EC2::Subnet`, `AWS::EC2::TransitGateway`, `AWS::EC2::VPCBlockPublicAccessOptions`, `AWS::EC2::VPNConnection`, `AWS::EC2::Volume`  | 
|  Amazon EC2 Auto Scaling  |  `AWS::AutoScaling::AutoScalingGroup`, `AWS::AutoScaling::LaunchConfiguration`  | 
|  Amazon Elastic Container Registry (Amazon ECR)  |  `AWS::ECR::Repository`  | 
|  Amazon Elastic Container Service (Amazon ECS)  |  `AWS::ECS::CapacityProvider`, `AWS::ECS::Cluster`, `AWS::ECS::Service`, `AWS::ECS::TaskDefinition`, `AWS::ECS::TaskSet`  | 
|  Amazon Elastic File System (Amazon EFS)  |  `AWS::EFS::AccessPoint`, `AWS::EFS::FileSystem`  | 
|  Amazon Elastic Kubernetes Service (Amazon EKS)  |  `AWS::EKS::Cluster`, `AWS::EKS::Nodegroup`  | 
|  Amazon Elastic Beanstalk  |  `AWS::ElasticBeanstalk::Environment`  | 
|  Elastic Load Balancing  |  `AWS::ElasticLoadBalancing::LoadBalancer`, `AWS::ElasticLoadBalancingV2::Listener`, `AWS::ElasticLoadBalancingV2::LoadBalancer`  | 
|  ElasticSearch  |  `AWS::Elasticsearch::Domain`  | 
|  Amazon EMR  |  `AWS::EMR::SecurityConfiguration`  | 
|  Amazon Glue  |  `AWS::Glue::Job`, `AWS::Glue::MLTransform`  | 
|  Amazon Identity and Access Management (IAM)  |  `AWS::IAM::Group`, `AWS::IAM::Policy`, `AWS::IAM::Role`, `AWS::IAM::User`  | 
|  Amazon Kinesis  |  `AWS::Kinesis::Stream`  | 
|  Amazon Key Management Service (Amazon KMS)  |  `AWS::KMS::Key`  | 
|  Amazon Lambda  |  `AWS::Lambda::Function`  | 
|  Amazon Managed Streaming for Apache Kafka (Amazon MSK)  |  `AWS::MSK::Cluster`, `AWS::KafkaConnect::Connector`  | 
|  Amazon Network Firewall  |  `AWS::NetworkFirewall::Firewall`, `AWS::NetworkFirewall::FirewallPolicy`, `AWS::NetworkFirewall::RuleGroup`  | 
|  Amazon OpenSearch Service  |  `AWS::OpenSearch::Domain`  | 
|  Amazon Relational Database Service (Amazon RDS)  |  `AWS::RDS::DBCluster`, `AWS::RDS::DBClusterSnapshot`, `AWS::RDS::DBInstance`, `AWS::RDS::DBProxy`, `AWS::RDS::DBSnapshot`, `AWS::RDS::EventSubscription`  | 
|  Amazon Redshift  |  `AWS::Redshift::Cluster`, `AWS::Redshift::ClusterSubnetGroup`  | 
|  Amazon Redshift Serverless  |  `AWS::RedshiftServerless::Workgroup`  | 
|  Amazon Route 53  |  `AWS::Route53::HostedZone`  | 
|  Amazon Simple Storage Service (Amazon S3)  |  `AWS::S3::AccessPoint`, `AWS::S3::AccountPublicAccessBlock`, `AWS::S3::Bucket`, `AWS::S3::MultiRegionAccessPoint`, `AWS::S3Express::DirectoryBucket`  | 
|  Amazon SageMaker AI  |  `AWS::SageMaker::FeatureGroup`, `AWS::SageMaker::Model`, `AWS::SageMaker::NotebookInstance`  | 
|  Amazon Simple Notification Service (Amazon SNS)  |  `AWS::SNS::Topic`  | 
|  Amazon Simple Queue Service (Amazon SQS)  |  `AWS::SQS::Queue`  | 
|  Amazon Secrets Manager  |  `AWS::SecretsManager::Secret`  | 
|  Amazon Step Functions  |  `AWS::StepFunctions::StateMachine`  | 
|  Amazon Transfer Family  |  `AWS::Transfer::Connector`  | 
|  Amazon WAF  |  `AWS::WAF::Rule`, `AWS::WAF::RuleGroup`, `AWS::WAF::WebACL`, `AWS::WAFRegional::Rule`, `AWS::WAFRegional::RuleGroup`, `AWS::WAFRegional::WebACL`, `AWS::WAFv2::RuleGroup`, `AWS::WAFv2::WebACL`  | 
|  Amazon WorkSpaces  |  `AWS::WorkSpaces::WorkSpace`  | 

## Required resources for the CIS Amazon Foundations Benchmark


To run security checks for enabled controls that apply to the Center for Internet Security (CIS) Amazon Foundations Benchmark, Security Hub CSPM either runs through the exact audit steps prescribed for the checks or uses specific Amazon Config managed rules. For information about this standard in Security Hub CSPM, see [CIS Amazon Foundations Benchmark in Security Hub CSPM](cis-aws-foundations-benchmark.md).

### Required resources for CIS v5.0.0


For Security Hub CSPM to accurately report findings for enabled CIS v5.0.0 change triggered controls that use an Amazon Config rule, you must record the following types of resources in Amazon Config.


| Amazon Web Services service | Resource types | 
| --- | --- | 
|  Amazon Elastic Compute Cloud (Amazon EC2)  |  `AWS::EC2::Instance`, `AWS::EC2::NetworkAcl`, `AWS::EC2::SecurityGroup`, `AWS::EC2::VPC`  | 
|  Amazon Elastic File System (Amazon EFS)  |  `AWS::EFS::FileSystem`  | 
|  Amazon Identity and Access Management (IAM)  |  `AWS::IAM::Group`, `AWS::IAM::User`, `AWS::IAM::Role`  | 
|  Amazon Relational Database Service (Amazon RDS)  |  `AWS::RDS::DBInstance`, `AWS::RDS::DBCluster`  | 
|  Amazon Simple Storage Service (Amazon S3)  |  `AWS::S3::Bucket`  | 
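A coverage check of an Amazon Config recorder against the CIS v5.0.0 table above, as an added example that is not AWS's own code. The recorder documents in the demo are constructed samples shaped like `DescribeConfigurationRecorders` output, and treating the IAM types as the ones gated by `includeGlobalResourceTypes` is an assumption drawn from Amazon Config's definition of global resource types.

```python
"""Report which resource types a standard needs that a Config recorder
would not record. Added example, not AWS code. The required set is the
CIS v5.0.0 table from this page; the recorder dicts in the demo are
constructed samples shaped like DescribeConfigurationRecorders entries.
Assumption: the types gated by includeGlobalResourceTypes are the IAM
ones (users, groups, roles, customer managed policies).
"""

CIS_V5_REQUIRED = {
    "AWS::EC2::Instance", "AWS::EC2::NetworkAcl", "AWS::EC2::SecurityGroup",
    "AWS::EC2::VPC", "AWS::EFS::FileSystem", "AWS::IAM::Group",
    "AWS::IAM::User", "AWS::IAM::Role", "AWS::RDS::DBInstance",
    "AWS::RDS::DBCluster", "AWS::S3::Bucket",
}

GLOBAL_IAM_TYPES = {"AWS::IAM::Group", "AWS::IAM::User", "AWS::IAM::Role",
                    "AWS::IAM::Policy"}


def missing_required_types(recorder, required):
    """Return, sorted, the required types this recorder would not record.

    Handles the three recording strategies a recorder can use: all
    supported types (the legacy allSupported=True form, where IAM types
    are only recorded when includeGlobalResourceTypes is set), an explicit
    inclusion list, or an exclusion list.
    """
    required = set(required)
    group = recorder.get("recordingGroup", {})
    strategy = group.get("recordingStrategy", {}).get("useOnly")
    if strategy is None:
        # Older recorders carry no recordingStrategy; allSupported decides.
        strategy = ("ALL_SUPPORTED_RESOURCE_TYPES" if group.get("allSupported")
                    else "INCLUSION_BY_RESOURCE_TYPES")
    if strategy == "EXCLUSION_BY_RESOURCE_TYPES":
        excluded = set(group.get("exclusionByResourceTypes", {})
                       .get("resourceTypes", []))
        missing = required & excluded
    elif strategy == "INCLUSION_BY_RESOURCE_TYPES":
        missing = required - set(group.get("resourceTypes", []))
    else:  # ALL_SUPPORTED_RESOURCE_TYPES
        missing = set()
        if not group.get("includeGlobalResourceTypes", False):
            # Turning off global recording to save cost (as the page
            # suggests for all but one Region) drops the IAM types here.
            missing = required & GLOBAL_IAM_TYPES
    return sorted(missing)


if __name__ == "__main__":
    # Constructed sample recorders: one records everything but IAM
    # (global recording off), one uses a short inclusion list.
    samples = [
        {"name": "all-but-global", "recordingGroup": {
            "allSupported": True, "includeGlobalResourceTypes": False}},
        {"name": "s3-and-sg-only", "recordingGroup": {
            "allSupported": False,
            "resourceTypes": ["AWS::S3::Bucket", "AWS::EC2::SecurityGroup"],
            "recordingStrategy": {"useOnly": "INCLUSION_BY_RESOURCE_TYPES"}}},
    ]
    for rec in samples:
        gaps = missing_required_types(rec, CIS_V5_REQUIRED)
        print(rec["name"], "missing for CIS v5.0.0:", gaps or "nothing")
    # Against a live account: boto3.client("config")
    #     .describe_configuration_recorders()["ConfigurationRecorders"]
```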

### Required resources for CIS v3.0.0


For Security Hub CSPM to accurately report findings for enabled CIS v3.0.0 change triggered controls that use an Amazon Config rule, you must record the following types of resources in Amazon Config.


| Amazon Web Services service | Resource types | 
| --- | --- | 
|  Amazon Elastic Compute Cloud (Amazon EC2)  |  `AWS::EC2::Instance`, `AWS::EC2::NetworkAcl`, `AWS::EC2::SecurityGroup`, `AWS::EC2::VPC`  | 
|  Amazon Identity and Access Management (IAM)  |  `AWS::IAM::Group`, `AWS::IAM::User`, `AWS::IAM::Role`  | 
|  Amazon Relational Database Service (Amazon RDS)  |  `AWS::RDS::DBInstance`  | 
|  Amazon Simple Storage Service (Amazon S3)  |  `AWS::S3::Bucket`  | 

### Required resources for CIS v1.4.0


For Security Hub CSPM to accurately report findings for enabled CIS v1.4.0 change triggered controls that use an Amazon Config rule, you must record the following types of resources in Amazon Config.


| Amazon Web Services service | Resource types | 
| --- | --- | 
|  Amazon Elastic Compute Cloud (Amazon EC2)  |  `AWS::EC2::NetworkAcl`, `AWS::EC2::SecurityGroup`  | 
|  Amazon Identity and Access Management (IAM)  |  `AWS::IAM::Policy`, `AWS::IAM::User`  | 
|  Amazon Relational Database Service (Amazon RDS)  |  `AWS::RDS::DBInstance`  | 
|  Amazon Simple Storage Service (Amazon S3)  |  `AWS::S3::Bucket`  | 

### Required resources for CIS v1.2.0


For Security Hub CSPM to accurately report findings for enabled CIS v1.2.0 change triggered controls that use an Amazon Config rule, you must record the following types of resources in Amazon Config.


| Amazon Web Services service | Resource types | 
| --- | --- | 
|  Amazon Elastic Compute Cloud (Amazon EC2)  |  `AWS::EC2::SecurityGroup`  | 
|  Amazon Identity and Access Management (IAM)  |  `AWS::IAM::Policy`, `AWS::IAM::User`  | 

## Required resources for the NIST SP 800-53 Revision 5 standard


For Security Hub CSPM to accurately report findings for change triggered controls that apply to the NIST SP 800-53 Revision 5 standard, are enabled, and use an Amazon Config rule, you must record the following types of resources in Amazon Config. For information about this standard, see [NIST SP 800-53 Revision 5 in Security Hub CSPM](standards-reference-nist-800-53.md).


| Amazon Web Services service | Resource types | 
| --- | --- | 
|  Amazon API Gateway  |  `AWS::ApiGateway::Stage`, `AWS::ApiGatewayV2::Stage`  | 
|  Amazon AppSync  |  `AWS::AppSync::GraphQLApi`  | 
|  Amazon Backup  |  `AWS::Backup::RecoveryPoint`  | 
|  Amazon Certificate Manager (ACM)  |  `AWS::ACM::Certificate`  | 
|  Amazon CloudFormation  |  `AWS::CloudFormation::Stack`  | 
|  Amazon CloudFront  |  `AWS::CloudFront::Distribution`  | 
|  Amazon CloudWatch  |  `AWS::CloudWatch::Alarm`  | 
|  Amazon CodeBuild  |  `AWS::CodeBuild::Project`  | 
|  Amazon Database Migration Service (Amazon DMS)  |  `AWS::DMS::Endpoint`, `AWS::DMS::ReplicationInstance`, `AWS::DMS::ReplicationTask`  | 
|  Amazon DynamoDB  |  `AWS::DynamoDB::Table`  | 
|  Amazon Elastic Compute Cloud (Amazon EC2)  |  `AWS::EC2::ClientVpnEndpoint`, `AWS::EC2::EIP`, `AWS::EC2::Instance`, `AWS::EC2::LaunchTemplate`, `AWS::EC2::NetworkAcl`, `AWS::EC2::NetworkInterface`, `AWS::EC2::SecurityGroup`, `AWS::EC2::Subnet`, `AWS::EC2::TransitGateway`, `AWS::EC2::VPNConnection`, `AWS::EC2::Volume`  | 
|  Amazon EC2 Auto Scaling  |  `AWS::AutoScaling::AutoScalingGroup`, `AWS::AutoScaling::LaunchConfiguration`  | 
|  Amazon Elastic Container Registry (Amazon ECR)  |  `AWS::ECR::Repository`  | 
|  Amazon Elastic Container Service (Amazon ECS)  |  `AWS::ECS::Cluster`, `AWS::ECS::Service`, `AWS::ECS::TaskDefinition`  | 
|  Amazon Elastic File System (Amazon EFS)  |  `AWS::EFS::AccessPoint`  | 
|  Amazon Elastic Kubernetes Service (Amazon EKS)  |  `AWS::EKS::Cluster`  | 
|  Amazon Elastic Beanstalk  |  `AWS::ElasticBeanstalk::Environment`  | 
|  Elastic Load Balancing  |  `AWS::ElasticLoadBalancing::LoadBalancer`, `AWS::ElasticLoadBalancingV2::Listener`, `AWS::ElasticLoadBalancingV2::LoadBalancer`  | 
|  Amazon ElasticSearch  |  `AWS::Elasticsearch::Domain`  | 
|  Amazon EMR  |  `AWS::EMR::SecurityConfiguration`  | 
|  Amazon EventBridge  |  `AWS::Events::Endpoint`, `AWS::Events::EventBus`  | 
|  Amazon Glue  |  `AWS::Glue::Job`  | 
|  Amazon Identity and Access Management (IAM)  |  `AWS::IAM::Group`, `AWS::IAM::Policy`, `AWS::IAM::Role`, `AWS::IAM::User`  | 
|  Amazon Key Management Service (Amazon KMS)  |  `AWS::KMS::Alias`, `AWS::KMS::Key`  | 
|  Amazon Kinesis  |  `AWS::Kinesis::Stream`  | 
|  Amazon Lambda  |  `AWS::Lambda::Function`  | 
|  Amazon Managed Streaming for Apache Kafka (Amazon MSK)  |  `AWS::MSK::Cluster`  | 
|  Amazon MQ  |  `AWS::AmazonMQ::Broker`  | 
|  Amazon Network Firewall  |  `AWS::NetworkFirewall::Firewall`, `AWS::NetworkFirewall::FirewallPolicy`, `AWS::NetworkFirewall::RuleGroup`  | 
|  Amazon OpenSearch Service  |  `AWS::OpenSearch::Domain`  | 
|  Amazon Relational Database Service (Amazon RDS)  |  `AWS::RDS::DBCluster`, `AWS::RDS::DBClusterSnapshot`, `AWS::RDS::DBInstance`, `AWS::RDS::DBSnapshot`, `AWS::RDS::EventSubscription`  | 
|  Amazon Redshift  |  `AWS::Redshift::Cluster`, `AWS::Redshift::ClusterSubnetGroup`  | 
|  Amazon Route 53  |  `AWS::Route53::HostedZone`  | 
|  Amazon Simple Storage Service (Amazon S3)  |  `AWS::S3::AccessPoint`, `AWS::S3::AccountPublicAccessBlock`, `AWS::S3::Bucket`  | 
|  Amazon Service Catalog  |  `AWS::ServiceCatalog::Portfolio`  | 
|  Amazon Simple Notification Service (Amazon SNS)  |  `AWS::SNS::Topic`  | 
|  Amazon Simple Queue Service (Amazon SQS)  |  `AWS::SQS::Queue`  | 
| Amazon EC2 Systems Manager (SSM)  |  `AWS::SSM::AssociationCompliance`, `AWS::SSM::ManagedInstanceInventory`, `AWS::SSM::PatchCompliance`  | 
|  Amazon SageMaker AI  |  `AWS::SageMaker::NotebookInstance`  | 
|  Amazon Secrets Manager  |  `AWS::SecretsManager::Secret`  | 
|  Amazon Transfer Family  |  `AWS::Transfer::Connector`  | 
|  Amazon WAF  |  `AWS::WAF::Rule`, `AWS::WAF::RuleGroup`, `AWS::WAF::WebACL`, `AWS::WAFRegional::Rule`, `AWS::WAFRegional::RuleGroup`, `AWS::WAFRegional::WebACL`, `AWS::WAFv2::RuleGroup`, `AWS::WAFv2::WebACL`  | 

## Required resources for the NIST SP 800-171 Revision 2 standard


For Security Hub CSPM to accurately report findings for change triggered controls that apply to the NIST SP 800-171 Revision 2 standard, are enabled, and use an Amazon Config rule, you must record the following types of resources in Amazon Config. For information about this standard, see [NIST SP 800-171 Revision 2 in Security Hub CSPM](standards-reference-nist-800-171.md).


| Amazon Web Services service | Resource types | 
| --- | --- | 
| Amazon Certificate Manager (ACM) | `AWS::ACM::Certificate` | 
| Amazon API Gateway | `AWS::ApiGateway::Stage` | 
| Amazon CloudFront | `AWS::CloudFront::Distribution` | 
| Amazon CloudWatch | `AWS::CloudWatch::Alarm` | 
| Amazon Elastic Compute Cloud (Amazon EC2) | `AWS::EC2::ClientVpnEndpoint`, `AWS::EC2::NetworkAcl`, `AWS::EC2::SecurityGroup`, `AWS::EC2::VPC`, `AWS::EC2::VPNConnection` | 
| Elastic Load Balancing | `AWS::ElasticLoadBalancing::LoadBalancer` | 
| Amazon Identity and Access Management (IAM) | `AWS::IAM::Policy`, `AWS::IAM::User` | 
| Amazon Key Management Service (Amazon KMS) | `AWS::KMS::Alias`, `AWS::KMS::Key` | 
| Amazon Network Firewall | `AWS::NetworkFirewall::FirewallPolicy`, `AWS::NetworkFirewall::RuleGroup` | 
| Amazon Simple Storage Service (Amazon S3) | `AWS::S3::Bucket` | 
| Amazon Simple Notification Service (Amazon SNS) | `AWS::SNS::Topic` | 
| Amazon Systems Manager (SSM) | `AWS::SSM::PatchCompliance` | 
| Amazon WAF | `AWS::WAFv2::RuleGroup` | 

## Required resources for PCI DSS v3.2.1


For Security Hub CSPM to accurately report findings for controls that apply to v3.2.1 of the Payment Card Industry Data Security Standard (PCI DSS), are enabled, and use an Amazon Config rule, you must record the following types of resources in Amazon Config. For information about this standard, see [PCI DSS in Security Hub CSPM](pci-standard.md).


| Amazon Web Services service | Resource types | 
| --- | --- | 
|  Amazon CodeBuild  |  `AWS::CodeBuild::Project`  | 
|  Amazon Elastic Compute Cloud (Amazon EC2)  |  `AWS::EC2::EIP`, `AWS::EC2::Instance`, `AWS::EC2::SecurityGroup`  | 
|  Amazon EC2 Auto Scaling  |  `AWS::AutoScaling::AutoScalingGroup`  | 
|  Amazon Identity and Access Management (IAM)  |  `AWS::IAM::Policy`, `AWS::IAM::User`  | 
|  Amazon Lambda  |  `AWS::Lambda::Function`  | 
|  Amazon OpenSearch Service  |  `AWS::OpenSearch::Domain`  | 
|  Amazon Relational Database Service (Amazon RDS)  |  `AWS::RDS::DBClusterSnapshot`, `AWS::RDS::DBInstance`, `AWS::RDS::DBSnapshot`  | 
|  Amazon Redshift  |  `AWS::Redshift::Cluster`  | 
|  Amazon Simple Storage Service (Amazon S3)  |  `AWS::S3::AccountPublicAccessBlock`, `AWS::S3::Bucket`  | 
| Amazon EC2 Systems Manager (SSM)  |  `AWS::SSM::AssociationCompliance`, `AWS::SSM::ManagedInstanceInventory`, `AWS::SSM::PatchCompliance`  | 

## Required resources for the Amazon Resource Tagging standard


All the controls that apply to the Amazon Resource Tagging standard are change triggered and use an Amazon Config rule. For Security Hub CSPM to accurately report findings for these controls, you must record the following types of resources in Amazon Config. For information about this standard, see [Amazon Resource Tagging standard in Security Hub CSPM](standards-tagging.md).


| Amazon Web Services service | Resource types | 
| --- | --- | 
| Amazon Amplify |  `AWS::Amplify::App`, `AWS::Amplify::Branch`  | 
| Amazon AppFlow  |  `AWS::AppFlow::Flow`  | 
| Amazon App Runner  |  `AWS::AppRunner::Service`, `AWS::AppRunner::VpcConnector`  | 
| Amazon AppConfig  |  `AWS::AppConfig::Application`, `AWS::AppConfig::ConfigurationProfile`, `AWS::AppConfig::Environment`, `AWS::AppConfig::ExtensionAssociation`  | 
| Amazon AppSync  |  `AWS::AppSync::GraphQLApi`  | 
| Amazon Athena  |  `AWS::Athena::DataCatalog`, `AWS::Athena::WorkGroup`  | 
| Amazon Backup |  `AWS::Backup::BackupPlan`, `AWS::Backup::BackupVault`, `AWS::Backup::RecoveryPlan`, `AWS::Backup::ReportPlan`  | 
| Amazon Batch  |  `AWS::Batch::ComputeEnvironment`, `AWS::Batch::JobQueue`, `AWS::Batch::SchedulingPolicy`  | 
| Amazon Certificate Manager (ACM)  |  `AWS::ACM::Certificate`  | 
| Amazon CloudFormation  |  `AWS::CloudFormation::Stack`  | 
| Amazon CloudFront  |  `AWS::CloudFront::Distribution`  | 
| Amazon CloudTrail  |  `AWS::CloudTrail::Trail`  | 
| Amazon CodeArtifact  |  `AWS::CodeArtifact::Repository`  | 
| Amazon CodeGuru  |  `AWS::CodeGuruProfiler::ProfilingGroup`, `AWS::CodeGuruReviewer::RepositoryAssociation`  | 
| Amazon Connect  |  `AWS::CustomerProfiles::ObjectType`  | 
| Amazon Database Migration Service (Amazon DMS)  |  `AWS::DMS::Certificate`, `AWS::DMS::EventSubscription`, `AWS::DMS::ReplicationInstance`, `AWS::DMS::ReplicationSubnetGroup`  | 
| Amazon DataSync |  `AWS::DataSync::Task`  | 
| Amazon Detective  |  `AWS::Detective::Graph`  | 
| Amazon DynamoDB  |  `AWS::DynamoDB::Trail`  | 
| Amazon Elastic Compute Cloud (EC2)  |  `AWS::EC2::CustomerGateway`, `AWS::EC2::DHCPOptions`, `AWS::EC2::EIP`, `AWS::EC2::FlowLog`, `AWS::EC2::Instance`, `AWS::EC2::InternetGateway`, `AWS::EC2::LaunchTemplate`, `AWS::EC2::NatGateway`, `AWS::EC2::NetworkAcl`, `AWS::EC2::NetworkInterface`, `AWS::EC2::PrefixList`, `AWS::EC2::RouteTable`, `AWS::EC2::SecurityGroup`, `AWS::EC2::Subnet`, `AWS::EC2::TrafficMirrorFilter`, `AWS::EC2::TrafficMirrorSession`, `AWS::EC2::TrafficMirrorTarget`, `AWS::EC2::TransitGateway`, `AWS::EC2::TransitGatewayAttachment`, `AWS::EC2::TransitGatewayRouteTable`, `AWS::EC2::Volume`, `AWS::EC2::VPC`, `AWS::EC2::VPCEndpointService`, `AWS::EC2::VPCPeeringConnection`, `AWS::EC2::VPNGateway`  | 
| Amazon EC2 Auto Scaling  |  `AWS::AutoScaling::AutoScalingGroup`  | 
| Amazon Elastic Container Registry (Amazon ECR)  |  `AWS::ECR::PublicRepository`  | 
| Amazon Elastic Container Service (Amazon ECS)  |  `AWS::ECS::Cluster`, `AWS::ECS::Service`, `AWS::ECS::TaskDefinition`  | 
| Amazon Elastic File System (Amazon EFS)  |  `AWS::EFS::AccessPoint`  | 
| Amazon Elastic Kubernetes Service (Amazon EKS)  |  `AWS::EKS::Cluster`, `AWS::EKS::IdentityProviderConfig`  | 
| Amazon Elastic Beanstalk |  `AWS::ElasticBeanstalk::Environment`  | 
| ElasticSearch  |  `AWS::Elasticsearch::Domain`  | 
| Amazon EventBridge  |  `AWS::Events::EventBus`  | 
| Amazon Fraud Detector  |  `AWS::FraudDetector::EntityType`, `AWS::FraudDetector::Label`, `AWS::FraudDetector::Outcome`, `AWS::FraudDetector::Variable`  | 
| Amazon Global Accelerator  |  `AWS::GlobalAccelerator::Accelerator`  | 
| Amazon Glue  |  `AWS::Glue::Job`  | 
| Amazon GuardDuty  |  `AWS::GuardDuty::Detector`, `AWS::GuardDuty::Filter`, `AWS::GuardDuty::IPSet`  | 
| Amazon Identity and Access Management (IAM)  |  `AWS::IAM::Role`, `AWS::IAM::User`  | 
| Amazon Identity and Access Management Access Analyzer (IAM Access Analyzer)  |  `AWS::AccessAnalyzer::Analyzer`  | 
| Amazon IoT  |  `AWS::IoT::Authorizer`, `AWS::IoT::Dimension`, `AWS::IoT::MitigationAction`, `AWS::IoT::Policy`, `AWS::IoT::RoleAlias`, `AWS::IoT::SecurityProfile`  | 
| Amazon IoT Events  |  `AWS::IoTEvents::AlarmModel`, `AWS::IoTEvents::DetectorModel`, `AWS::IoTEvents::Input`  | 
| Amazon IoT SiteWise  |  `AWS::IoTSiteWise::Dashboard`, `AWS::IoTSiteWise::Gateway`, `AWS::IoTSiteWise::Portal`, `AWS::IoTSiteWise::Project`  | 
| Amazon IoT TwinMaker  |  `AWS::IoTTwinMaker::Entity`, `AWS::IoTTwinMaker::Scene`, `AWS::IoTTwinMaker::SyncJob`, `AWS::IoTTwinMaker::Workspace`  | 
| Amazon IoT Wireless  |  `AWS::IoTWireless::FuotaTask`, `AWS::IoTWireless::MulticastGroup`, `AWS::IoTWireless::ServiceProfile`  | 
| Amazon Interactive Video Service (Amazon IVS)  |  `AWS::IVS::Channel`, `AWS::IVS::PlaybackKeyPair`, `AWS::IVS::RecordingConfiguration`  | 
| Amazon Keyspaces (for Apache Cassandra)  |  `AWS::Cassandra::Keyspace`  | 
| Amazon Kinesis  |  `AWS::Kinesis::Stream`  | 
| Amazon Lambda  |  `AWS::Lambda::Function`  | 
| Amazon MQ  |  `AWS::AmazonMQ::Broker`  | 
| Amazon Network Firewall  |  `AWS::NetworkFirewall::Firewall`, `AWS::NetworkFirewall::FirewallPolicy`  | 
| Amazon OpenSearch Service |  `AWS::OpenSearch::Domain`  | 
| Amazon Private Certificate Authority |  `AWS::ACMPCA::CertificateAuthority`  | 
| Amazon Relational Database Service  |  `AWS::RDS::DBCluster`, `AWS::RDS::DBClusterSnapshot`, `AWS::RDS::DBInstance`, `AWS::RDS::DBSecurityGroup`, `AWS::RDS::DBSnapshot`, `AWS::RDS::DBSubnetGroup`  | 
| Amazon Redshift  |  `AWS::Redshift::Cluster`, `AWS::Redshift::ClusterParameterGroup`, `AWS::Redshift::ClusterSnapshot`, `AWS::Redshift::ClusterSubnetGroup`, `AWS::Redshift::EventSubscription`  | 
| Amazon Route 53  |  `AWS::Route53::HealthCheck`  | 
| Amazon SageMaker AI |  `AWS::SageMaker::AppImageConfig`, `AWS::SageMaker::Image`  | 
| Amazon Secrets Manager  |  `AWS::SecretsManager::Secret`  | 
| Amazon Simple Email Service (Amazon SES)  |  `AWS::SES::ConfigurationSet`, `AWS::SES::ContactList`  | 
| Amazon Simple Notification Service (Amazon SNS)  |  `AWS::SNS::Topic`  | 
| Amazon Simple Queue Service (Amazon SQS)  |  `AWS::SQS::Queue`  | 
| Amazon Step Functions  |  `AWS::StepFunctions::Activity`  | 
| Amazon Systems Manager (SSM) |  `AWS::SSM::Document`  | 
| Amazon Transfer Family |  `AWS::Transfer::Agreement`, `AWS::Transfer::Certificate`, `AWS::Transfer::Connector`, `AWS::Transfer::Profile`, `AWS::Transfer::Workflow`  | 
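The tables above only tell you which resource types must be recorded; they don't tell you whether a given Amazon Config recorder actually records them. The following added example (not part of this guide, and not Security Hub CSPM's own check) compares a recorder's `recordingGroup`, in the shape that boto3's `describe_configuration_recorders()` returns, against a required set. The required set is copied from the CIS v5.0.0 table on this page; the four recorder configurations are constructed samples, one for each recording strategy Amazon Config supports. The handling of the `includeGlobalResourceTypes` flag assumes the documented behaviour that, under the all-supported strategy, global IAM resource types are recorded only when that flag is set.

```python
"""Audit an Amazon Config recorder's recording group against the resource
types a Security Hub CSPM standard needs (added example, not AWS code)."""

# Required resource types for CIS v5.0.0, copied from the table on this page.
CIS_V5_REQUIRED = frozenset({
    "AWS::EC2::Instance", "AWS::EC2::NetworkAcl", "AWS::EC2::SecurityGroup", "AWS::EC2::VPC",
    "AWS::EFS::FileSystem",
    "AWS::IAM::Group", "AWS::IAM::User", "AWS::IAM::Role",
    "AWS::RDS::DBInstance", "AWS::RDS::DBCluster",
    "AWS::S3::Bucket",
})

# IAM types are global resource types: under the all-supported strategy they are
# recorded only when includeGlobalResourceTypes is true (assumption documented in
# the lead-in).
GLOBAL_IAM_PREFIX = "AWS::IAM::"


def missing_resource_types(recording_group: dict, required: frozenset) -> list[str]:
    """Return the required resource types this recording group does not record, sorted.

    Supports the three strategies Amazon Config exposes in recordingStrategy.useOnly:
    ALL_SUPPORTED_RESOURCE_TYPES, INCLUSION_BY_RESOURCE_TYPES and
    EXCLUSION_BY_RESOURCE_TYPES. Older recorders carry only allSupported /
    resourceTypes, so recordingStrategy is treated as optional."""
    strategy = recording_group.get("recordingStrategy", {}).get("useOnly")
    if strategy is None:
        strategy = ("ALL_SUPPORTED_RESOURCE_TYPES" if recording_group.get("allSupported")
                    else "INCLUSION_BY_RESOURCE_TYPES")

    if strategy == "ALL_SUPPORTED_RESOURCE_TYPES":
        if recording_group.get("includeGlobalResourceTypes"):
            return []
        # Everything regional is covered; only the global IAM types can be missing.
        return sorted(t for t in required if t.startswith(GLOBAL_IAM_PREFIX))

    if strategy == "EXCLUSION_BY_RESOURCE_TYPES":
        excluded = set(recording_group.get("exclusionByResourceTypes", {}).get("resourceTypes", []))
        return sorted(required & excluded)

    # INCLUSION_BY_RESOURCE_TYPES: only the listed types are recorded.
    recorded = set(recording_group.get("resourceTypes", []))
    return sorted(required - recorded)


# Constructed sample recorders, shaped like the items in
# config.describe_configuration_recorders()["ConfigurationRecorders"].
SAMPLE_RECORDERS = [
    {"name": "all-with-global",
     "recordingGroup": {"allSupported": True, "includeGlobalResourceTypes": True,
                        "recordingStrategy": {"useOnly": "ALL_SUPPORTED_RESOURCE_TYPES"}}},
    {"name": "all-no-global",
     "recordingGroup": {"allSupported": True, "includeGlobalResourceTypes": False}},
    {"name": "inclusion-list",
     "recordingGroup": {"allSupported": False, "includeGlobalResourceTypes": False,
                        "resourceTypes": ["AWS::EC2::Instance", "AWS::EC2::NetworkAcl",
                                          "AWS::EC2::SecurityGroup", "AWS::EC2::VPC",
                                          "AWS::IAM::Group", "AWS::IAM::User", "AWS::IAM::Role",
                                          "AWS::RDS::DBInstance", "AWS::S3::Bucket"],
                        "recordingStrategy": {"useOnly": "INCLUSION_BY_RESOURCE_TYPES"}}},
    {"name": "exclusion-list",
     "recordingGroup": {"allSupported": False, "includeGlobalResourceTypes": False,
                        "exclusionByResourceTypes": {"resourceTypes": ["AWS::S3::Bucket",
                                                                      "AWS::Lambda::Function"]},
                        "recordingStrategy": {"useOnly": "EXCLUSION_BY_RESOURCE_TYPES"}}},
]


def audit_recorders(recorders: list[dict], required: frozenset = CIS_V5_REQUIRED) -> dict[str, list[str]]:
    """Map each recorder name to the required types it fails to record."""
    return {r["name"]: missing_resource_types(r["recordingGroup"], required) for r in recorders}


if __name__ == "__main__":
    for name, missing in audit_recorders(SAMPLE_RECORDERS).items():
        print(f"{name}: {'OK' if not missing else 'missing ' + ', '.join(missing)}")
```

To run this against a live account, replace `SAMPLE_RECORDERS` with the `ConfigurationRecorders` list returned by `boto3.client("config").describe_configuration_recorders()` and swap in the required set for the standard you have enabled. A non-empty result is the condition that the `CONFIG_RECORDER_MISSING_REQUIRED_RESOURCE_TYPES` reason code described later on this page reports for Config.1.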

# Schedule for running security checks


After you enable a security standard, Amazon Security Hub CSPM begins to run all checks within two hours. Most checks begin to run within 25 minutes. Security Hub CSPM runs checks by evaluating the rule underlying a control. Until a control completes its first run of checks, its status is **No data**.

When you enable a new standard, it might take up to 24 hours for Security Hub CSPM to generate findings for controls that use the same underlying Amazon Config service-linked rule as enabled controls from other enabled standards. For example, if you enable the [Lambda.1](lambda-controls.md#lambda-1) control in the Amazon Foundational Security Best Practices (FSBP) standard, Security Hub CSPM creates the service-linked rule and typically generates findings within minutes. After this, if you enable the Lambda.1 control in the Payment Card Industry Data Security Standard (PCI DSS), it might take up to 24 hours for Security Hub CSPM to generate findings for the control because it uses the same service-linked rule.

After the initial check, the schedule for each control can be either periodic or change triggered. For a control that is based on a managed Amazon Config rule, the control description includes a link to the rule description in the *Amazon Config Developer Guide*. That description specifies whether the rule is change triggered or periodic. 

## Periodic security checks


Periodic security checks run automatically within 12 or 24 hours after the most recent run. Security Hub CSPM determines the periodicity, and you can't change it. Periodic controls reflect an evaluation at the moment the check runs.

If you update the workflow status of a periodic control finding, and then in the next check the compliance status of the finding stays the same, the workflow status remains in its modified state. For example, if you have a failed finding for the [KMS.4](kms-controls.md#kms-4) control (*Amazon KMS key rotation should be enabled*), and then remediate the finding, Security Hub CSPM changes the workflow status from `NEW` to `RESOLVED`. If you disable KMS key rotation before the next periodic check, the workflow status of the finding remains `RESOLVED`.

Checks that use Security Hub CSPM custom Lambda functions are periodic.

## Change-triggered security checks


Change-triggered security checks run when the associated resource changes state. Amazon Config lets you choose between *continuous recording* of changes in resource state and *daily recording*. If you choose daily recording, Amazon Config delivers resource configuration data at the end of each 24-hour period if there are changes in resource state. If there are no changes, no data is delivered. This may delay the generation of Security Hub CSPM findings until a 24-hour period is complete. Regardless of your chosen recording period, Security Hub CSPM checks at least once every 24 hours to ensure that no resource updates from Amazon Config were missed.

In general, Security Hub CSPM uses change-triggered rules whenever possible. For a resource to use a change-triggered rule, it must support Amazon Config configuration items.

# Generating and updating control findings


Amazon Security Hub CSPM generates and updates control findings when it runs checks against security controls. Control findings use the [Amazon Security Finding Format (ASFF)](securityhub-findings-format.md).

Security Hub CSPM normally charges for each security check for a control. However, if multiple controls use the same Amazon Config rule, Security Hub CSPM charges only once for each check against the rule. For example, the Amazon Config `iam-password-policy` rule is used by multiple controls in the CIS Amazon Foundations Benchmark standard and the Amazon Foundational Security Best Practices standard. Each time Security Hub CSPM runs a check against that rule, it generates a separate control finding for each related control, but charges only once for the check.

If the size of a control finding exceeds the maximum of 240 KB, Security Hub CSPM removes the `Resource.Details` object from the finding. For controls that are backed by Amazon Config resources, you can review resource details by using the Amazon Config console.

**Topics**
+ [Consolidated control findings](#consolidated-control-findings)
+ [Generating, updating, and archiving control findings](#securityhub-standards-results-updating)
+ [Automation and suppression of control findings](#automation-control-findings)
+ [Compliance details for control findings](#control-findings-asff-compliance)
+ [ProductFields details for control findings](#control-findings-asff-productfields)
+ [Severity levels for control findings](#control-findings-severity)

## Consolidated control findings


If consolidated control findings is enabled for your account, Security Hub CSPM generates a single finding or finding update for each security check of a control, even if a control applies to multiple enabled standards. For a list of controls and the standards that they apply to, see the [Control reference for Security Hub CSPM](securityhub-controls-reference.md). We recommend enabling consolidated control findings to reduce finding noise.

If you enabled Security Hub CSPM for an Amazon Web Services account before February 23, 2023, you can enable consolidated control findings by following the instructions later in this section. If you enable Security Hub CSPM on or after February 23, 2023, consolidated control findings is enabled automatically for your account.

If you use the [Security Hub CSPM integration with Amazon Organizations](securityhub-accounts-orgs.md) or invited member accounts through a [manual invitation process](account-management-manual.md), consolidated control findings is enabled for member accounts only if it's enabled for the administrator account. If the feature is disabled for the administrator account, it's disabled for member accounts. This behavior applies to new and existing member accounts. In addition, if the administrator uses [central configuration](central-configuration-intro.md) to manage Security Hub CSPM for multiple accounts, they cannot use central configuration policies to enable or disable consolidated control findings for the accounts.

If you disable consolidated control findings for your account, Security Hub CSPM generates or updates a separate control finding for each enabled standard that includes a control. For example, if you enable four standards that share a control, you receive four separate findings after a security check for the control. If you enable consolidated control findings, you receive only one finding.

When you enable consolidated control findings, Security Hub CSPM creates new standard-agnostic findings and archives the original standard-based findings. Some control finding fields and values will change, which might impact your existing workflows. For information about these changes, see [Consolidated control findings – ASFF changes](asff-changes-consolidation.md#securityhub-findings-format-consolidated-control-findings). Enabling consolidated control findings might also affect findings that integrated third-party products receive from Security Hub CSPM. If you use the [Automated Security Response on Amazon v2.0.0](https://www.amazonaws.cn/solutions/implementations/aws-security-hub-automated-response-and-remediation/) solution, note that it supports consolidated control findings. 

To enable or disable consolidated control findings, you must be signed in to an administrator account or a standalone account.

**Note**  
After you enable consolidated control findings, it can take up to 24 hours for Security Hub CSPM to generate new consolidated findings and archive the existing standard-based findings. Similarly, after disabling consolidated control findings, it can take up to 24 hours for Security Hub CSPM to generate new standard-based findings and archive the existing consolidated findings. During these times, you might see a mix of standard-agnostic and standard-based findings in your account.

------
#### [ Security Hub CSPM console ]

**To enable or disable consolidated control findings**

1. Open the Amazon Security Hub CSPM console at [https://console.amazonaws.cn/securityhub/](https://console.amazonaws.cn/securityhub/).

1. In the navigation pane, under **Settings**, choose **General**.

1. In the **Controls** section, choose **Edit**.

1. Use the **Consolidated control findings** switch to enable or disable consolidated control findings.

1. Choose **Save**.

------
#### [ Security Hub CSPM API ]

To enable or disable consolidated control findings programmatically, use the [https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_UpdateSecurityHubConfiguration.html](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_UpdateSecurityHubConfiguration.html) operation of the Security Hub CSPM API. Or, if you're using the Amazon CLI, run the [https://docs.amazonaws.cn/cli/latest/reference/securityhub/update-security-hub-configuration.html](https://docs.amazonaws.cn/cli/latest/reference/securityhub/update-security-hub-configuration.html) command. 

For the `control-finding-generator` parameter, specify `SECURITY_CONTROL` to enable consolidated control findings. To disable consolidated control findings, specify `STANDARD_CONTROL`.

For example, the following Amazon CLI command enables consolidated control findings.

```
$ aws securityhub --region us-east-1 update-security-hub-configuration --control-finding-generator SECURITY_CONTROL
```

The following Amazon CLI command disables consolidated control findings.

```
$ aws securityhub --region us-east-1 update-security-hub-configuration --control-finding-generator STANDARD_CONTROL
```

------

## Generating, updating, and archiving control findings


Security Hub CSPM runs security checks on a [schedule](securityhub-standards-schedule.md). The first time Security Hub CSPM runs a security check for a control, it generates a new finding for each Amazon resource that the control checks. Each time Security Hub CSPM subsequently runs a security check for the control, it updates existing findings to report the results of the check. This means that you can use the data provided by individual findings to track compliance changes for particular resources against particular controls.

For example, if the compliance status of a resource changes from `FAILED` to `PASSED` for a particular control, Security Hub CSPM doesn't generate a new finding. Instead, Security Hub CSPM updates the existing finding for the control and resource. In the finding, Security Hub CSPM changes the value for the compliance status (`Compliance.Status`) field to `PASSED`. Security Hub CSPM also updates the values for additional fields to reflect the results of the check—for example, the severity label, workflow status, and timestamps that indicate when Security Hub CSPM most recently ran the check and updated the finding.

When reporting changes to compliance status, Security Hub CSPM might update any of the following fields in a control finding:
+ `Compliance.Status` – The new compliance status of the resource for the specified control.
+ `FindingProviderFields.Severity.Label` – The new qualitative representation of the severity of the finding, such as `LOW`, `MEDIUM`, or `HIGH`.
+ `FindingProviderFields.Severity.Original` – The new quantitative representation of the severity of the finding, such as `0` for a compliant resource.
+ `FirstObservedAt` – When the compliance status of the resource most recently changed.
+ `LastObservedAt` – When Security Hub CSPM most recently ran the security check for the specified control and resource.
+ `ProcessedAt` – When Security Hub CSPM most recently began processing the finding.
+ `ProductFields.PreviousComplianceStatus` – The previous compliance status (`Compliance.Status`) of the resource for the specified control.
+ `UpdatedAt` – When Security Hub CSPM most recently updated the finding.
+ `Workflow.Status` – The status of the investigation into the finding, based on the new compliance status of the resource for the specified control.

Whether Security Hub CSPM updates a field depends primarily on the results of the latest security check for the applicable control and resource. For example, if the compliance status of a resource changes from `PASSED` to `FAILED` for a particular control, Security Hub CSPM changes the workflow status of the finding to `NEW`. To track updates to individual findings, you can refer to the history of a finding. For details about individual fields in findings, see [Amazon Security Finding Format (ASFF)](securityhub-findings-format.md).

In certain cases, Security Hub CSPM generates new findings for subsequent checks by a control, instead of updating existing findings. This can occur if there's an issue with the Amazon Config rule that backs a control. If this happens, Security Hub CSPM archives the existing finding and generates a new finding for each check. In the new findings, the compliance status is `NOT_AVAILABLE` and the record state is `ARCHIVED`. After you address the issue with the Amazon Config rule, Security Hub CSPM generates new findings and begins updating them to track subsequent changes to the compliance status of individual resources.

In addition to generating and updating control findings, Security Hub CSPM automatically archives control findings that meet certain criteria. Security Hub CSPM archives a finding if the control is disabled, the specified resource is deleted, or the specified resource no longer exists. A resource might not exist anymore because the associated service is no longer used. More specifically, Security Hub CSPM automatically archives a control finding if the finding meets one of the following criteria:
+ The finding hasn't been updated for 3-5 days. Note that archival based on this time frame is on a best-effort basis and is not guaranteed.
+ The associated Amazon Config evaluation returned `NOT_APPLICABLE` for the compliance status of the specified resource.

To determine whether a finding is archived, you can refer to the record state (`RecordState`) field of the finding. If a finding is archived, the value for this field is `ARCHIVED`.

Security Hub CSPM stores archived control findings for 30 days. After 30 days, the findings expire and Security Hub CSPM permanently deletes them. To determine whether an archived control finding has expired, Security Hub CSPM bases its calculation on the value for the `UpdatedAt` field of the finding.

To store archived control findings for more than 30 days, you can export the findings to an S3 bucket. You can do this by using a custom action with an Amazon EventBridge rule. For more information, see [Using EventBridge for automated response and remediation](securityhub-cloudwatch-events.md).

**Note**  
Prior to July 3, 2025, Security Hub CSPM generated and updated control findings differently when the compliance status of a resource changed for a control. Previously, Security Hub CSPM created a new control finding and archived the existing finding for a resource. Therefore, you might have multiple archived findings for a particular control and resource until those findings expire (after 30 days).

## Automation and suppression of control findings


You can use Security Hub CSPM automation rules to update or suppress specific control findings. If you suppress a finding, you can continue to access it. However, suppression indicates your belief that no action is needed to address the finding.

By suppressing findings, you can reduce finding noise. For example, you might suppress control findings that are generated in test accounts. Or, you might suppress findings related to specific resources. To learn more about updating or suppressing findings automatically, see [Understanding automation rules in Security Hub CSPM](automation-rules.md). 

Automation rules are appropriate when you want to update or suppress specific control findings. However, if a control isn't relevant to your organization or use case, we recommend [disabling the control](disable-controls-overview.md). If you disable a control, Security Hub CSPM doesn't run security checks for it and you aren't charged for it.

## Compliance details for control findings


In findings generated by security checks for controls, the [Compliance](asff-top-level-attributes.md#asff-compliance) object and fields in the Amazon Security Finding Format (ASFF) provide compliance details for individual resources that a control checked. This includes the following information:
+ `AssociatedStandards` – The enabled standards that the control is enabled in.
+ `RelatedRequirements` – The related requirements for the control in all enabled standards. These requirements derive from third-party security frameworks for the control, such as the Payment Card Industry Data Security Standard (PCI DSS) or the NIST SP 800-171 Revision 2 standard.
+ `SecurityControlId` – The identifier for the control across the standards that Security Hub CSPM supports.
+ `Status` – The result of the most recent check that Security Hub CSPM ran for the control. The results of previous checks are retained in the history of the finding.
+ `StatusReasons` – An array that lists reasons for the value specified by the `Status` field. For each reason, this includes a reason code and a description.

The following table lists reason codes and descriptions that a finding might include in the `StatusReasons` array. The remediation steps vary based on which control generated a finding with a specified reason code. To review the remediation guidance for a control, refer to the [Control reference for Security Hub CSPM](securityhub-controls-reference.md).


| Reason code | Compliance status | Description | 
| --- | --- | --- | 
|  `CLOUDTRAIL_METRIC_FILTER_NOT_VALID`  |  `FAILED`  |  The multi-Region CloudTrail trail does not have a valid metric filter.  | 
|  `CLOUDTRAIL_METRIC_FILTERS_NOT_PRESENT`  |  `FAILED`  |  Metric filters are not present for the multi-Region CloudTrail trail.  | 
|  `CLOUDTRAIL_MULTI_REGION_NOT_PRESENT`  |  `FAILED`  |  The account does not have a multi-Region CloudTrail trail with the required configuration.  | 
|  `CLOUDTRAIL_REGION_INVAILD`  |  `WARNING`  |  Multi-Region CloudTrail trails are not in the current Region.  | 
|  `CLOUDWATCH_ALARM_ACTIONS_NOT_VALID`  |  `FAILED`  |  No valid alarm actions are present.  | 
|  `CLOUDWATCH_ALARMS_NOT_PRESENT`  |  `FAILED`  |  CloudWatch alarms do not exist in the account.  | 
|  `CONFIG_ACCESS_DENIED`  |  `NOT_AVAILABLE` Amazon Config status is `ConfigError`  |  Amazon Config access denied. Verify that Amazon Config is enabled and has been granted sufficient permissions.  | 
|  `CONFIG_EVALUATIONS_EMPTY`  |  `PASSED`  |  Amazon Config evaluated your resources based on the rule. The rule did not apply to the Amazon resources in its scope, the specified resources were deleted, or the evaluation results were deleted.  | 
|  `CONFIG_RECORDER_CUSTOM_ROLE`  |  `FAILED` (for Config.1)  |  The Amazon Config recorder uses a custom IAM role instead of the Amazon Config service-linked role, and the `includeConfigServiceLinkedRoleCheck` custom parameter for Config.1 isn't set to `false`.  | 
|  `CONFIG_RECORDER_DISABLED`  |  `FAILED` (for Config.1)  |  Amazon Config isn't enabled with the configuration recorder turned on.  | 
|  `CONFIG_RECORDER_MISSING_REQUIRED_RESOURCE_TYPES`  |  `FAILED` (for Config.1)  |  Amazon Config isn't recording all resource types that correspond to enabled Security Hub CSPM controls. Turn on recording for the following resources: *Resources that aren't being recorded*.  | 
|  `CONFIG_RETURNS_NOT_APPLICABLE`  |  `NOT_AVAILABLE`  |  The compliance status is `NOT_AVAILABLE` because Amazon Config returned a status of **Not Applicable**. Amazon Config does not provide the reason for the status. Here are some possible reasons for the **Not Applicable** status: [\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/controls-findings-create-update.html)  | 
|  `CONFIG_RULE_EVALUATION_ERROR`  |  `NOT_AVAILABLE` Amazon Config status is `ConfigError`  |  This reason code is used for several different types of evaluation errors. The description provides the specific reason information. The type of error can be one of the following: [\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/en_us/securityhub/latest/userguide/controls-findings-create-update.html)  | 
|  `CONFIG_RULE_NOT_FOUND`  |  `NOT_AVAILABLE` Amazon Config status is `ConfigError`  |  The Amazon Config rule is in the process of being created.  | 
|  `INTERNAL_SERVICE_ERROR`  |  `NOT_AVAILABLE`  |  An unknown error occurred.  | 
|  `LAMBDA_CUSTOM_RUNTIME_DETAILS_NOT_AVAILABLE`  |  `FAILED`  |  Security Hub CSPM is unable to perform a check against a custom Lambda runtime.  | 
|  `S3_BUCKET_CROSS_ACCOUNT_CROSS_REGION`  |  `WARNING`  |  The finding is in a `WARNING` state because the S3 bucket that is associated with this rule is in a different Region or account. This rule does not support cross-Region or cross-account checks. It is recommended that you disable this control in this Region or account. Only run it in the Region or account where the resource is located.  | 
|  `SNS_SUBSCRIPTION_NOT_PRESENT`  |  `FAILED`  |  The CloudWatch Logs metric filters do not have a valid Amazon SNS subscription.  | 
|  `SNS_TOPIC_CROSS_ACCOUNT`  |  `WARNING`  |  The finding is in a `WARNING` state. The SNS topic associated with this rule is owned by a different account. The current account cannot obtain the subscription information. The account that owns the SNS topic must grant to the current account the `sns:ListSubscriptionsByTopic` permission for the SNS topic.  | 
|  `SNS_TOPIC_CROSS_ACCOUNT_CROSS_REGION`  |  `WARNING`  |  The finding is in a `WARNING` state because the SNS topic that is associated with this rule is in a different Region or account. This rule does not support cross-Region or cross-account checks. It is recommended that you disable this control in this Region or account. Only run it in the Region or account where the resource is located.  | 
|  `SNS_TOPIC_INVALID`  |  `FAILED`  |  The SNS topic associated with this rule is invalid.  | 
|  `THROTTLING_ERROR`  |  `NOT_AVAILABLE`  |  The relevant API operation exceeded the allowed rate.  | 

## ProductFields details for control findings


In findings generated by security checks for controls, the [ProductFields](asff-top-level-attributes.md#asff-productfields) attribute in the Amazon Security Finding Format (ASFF) can include the following fields.

`ArchivalReasons:0/Description`  
Describes why Security Hub CSPM archived a finding.  
For example, Security Hub CSPM archives existing findings when you disable a control or standard, or you enable or disable [consolidated control findings](#consolidated-control-findings).

`ArchivalReasons:0/ReasonCode`  
Specifies why Security Hub CSPM archived a finding.  
For example, Security Hub CSPM archives existing findings when you disable a control or standard, or you enable or disable [consolidated control findings](#consolidated-control-findings).

`PreviousComplianceStatus`  
The previous compliance status (`Compliance.Status`) of the resource for the specified control, as of the most recent update to the finding. If the compliance status of the resource didn't change during the most recent update, this value is the same as the value for the `Compliance.Status` field of the finding. For a list of possible values, see [Evaluating compliance status and control status](controls-overall-status.md).

`StandardsGuideArn` or `StandardsArn`  
The ARN of the standard associated with the control.  
For the CIS Amazon Foundations Benchmark standard, the field is `StandardsGuideArn`. For the PCI DSS and Amazon Foundational Security Best Practices standards, the field is `StandardsArn`.  
These fields are removed in favor of `Compliance.AssociatedStandards` if you enable [consolidated control findings](#consolidated-control-findings).

`StandardsGuideSubscriptionArn` or `StandardsSubscriptionArn`  
The ARN of the account's subscription to the standard.  
For the CIS Amazon Foundations Benchmark standard, the field is `StandardsGuideSubscriptionArn`. For the PCI DSS and Amazon Foundational Security Best Practices standards, the field is `StandardsSubscriptionArn`.  
These fields are removed if you enable [consolidated control findings](#consolidated-control-findings).

`RuleId` or `ControlId`  
The identifier for the control.  
For version 1.2.0 of the CIS Amazon Foundations Benchmark standard, the field is `RuleId`. For other standards, including subsequent versions of the CIS Amazon Foundations Benchmark standard, the field is `ControlId`.  
These fields are removed in favor of `Compliance.SecurityControlId` if you enable [consolidated control findings](#consolidated-control-findings).

`RecommendationUrl`  
The URL for remediation information for the control. This field is removed in favor of `Remediation.Recommendation.Url` if you enable [consolidated control findings](#consolidated-control-findings).

`RelatedAWSResources:0/name`  
The name of the resource associated with the finding.

`RelatedAWSResource:0/type`  
The type of resource associated with the control.

`StandardsControlArn`  
The ARN of the control. This field is removed if you enable [consolidated control findings](#consolidated-control-findings).

`aws/securityhub/ProductName`  
For control findings, the product name is `Security Hub`.

`aws/securityhub/CompanyName`  
For control findings, the company name is `Amazon`.

`aws/securityhub/annotation`  
A description of the issue uncovered by the control.

`aws/securityhub/FindingId`  
The identifier for the finding.  
This field doesn't reference a standard if you enable [consolidated control findings](#consolidated-control-findings).

## Severity levels for control findings


The severity assigned to a Security Hub CSPM control indicates the importance of the control. The severity of a control determines the severity label assigned to the control findings.

### Severity criteria


The severity of a control is determined based on an assessment of the following criteria:
+ **How difficult is it for a threat actor to take advantage of the configuration weakness associated with the control?** The difficulty is determined by the amount of sophistication or complexity that is required to use the weakness to carry out a threat scenario.
+ **How likely is it that the weakness will lead to a compromise of your Amazon Web Services accounts or resources?** A compromise of your Amazon Web Services accounts or resources means that confidentiality, integrity, or availability of your data or Amazon infrastructure is damaged in some way. The likelihood of compromise indicates how likely it is that the threat scenario will result in a disruption or breach of your Amazon Web Services services or resources.

As an example, consider the following configuration weaknesses:
+ User access keys are not rotated every 90 days.
+ IAM root user key exists.

Both weaknesses are equally difficult for an adversary to take advantage of. In both cases, the adversary can use credential theft or some other method to acquire a user key. They can then use it to access your resources in an unauthorized way.

However, the likelihood of a compromise is much higher if the threat actor acquires the root user access key because this gives them greater access. As a result, the root user key weakness has a higher severity.

The severity does not take into account the criticality of the underlying resource. Criticality is the level of importance of the resources that are associated with the finding. For example, a resource that is associated with a mission critical application is more critical than one that is associated with non-production testing. To capture resource criticality information, use the `Criticality` field of the Amazon Security Finding Format (ASFF).

The following table maps the difficulty of exploiting a weakness and the likelihood of compromise to the severity labels.


|  | **Compromise highly likely** | **Compromise likely** | **Compromise unlikely** | **Compromise highly unlikely** | 
| --- | --- | --- | --- | --- | 
| **Very easy to exploit** | Critical | Critical | High | Medium | 
| **Somewhat easy to exploit** | Critical | High | Medium | Medium | 
| **Somewhat difficult to exploit** | High | Medium | Medium | Low | 
| **Very difficult to exploit** | Medium | Medium | Low | Low | 

### Severity definitions


The severity labels are defined as follows.

**Critical – The issue should be remediated immediately to avoid it escalating.**  
For example, an open S3 bucket is considered a critical severity finding. Because so many threat actors scan for open S3 buckets, data in exposed S3 buckets is likely to be discovered and accessed by others.  
In general, resources that are publicly accessible are considered critical security issues. You should treat critical findings with the utmost urgency. You also should consider the criticality of the resource.

**High – The issue must be addressed as a near-term priority.**  
For example, if a default VPC security group is open to inbound and outbound traffic, it is considered high severity. It is somewhat easy for a threat actor to compromise a VPC using this method. It is also likely that the threat actor will be able to disrupt or exfiltrate resources once they are in the VPC.  
Security Hub CSPM recommends that you treat a high severity finding as a near-term priority. You should take immediate remediation steps. You also should consider the criticality of the resource.

**Medium – The issue should be addressed as a mid-term priority.**  
For example, lack of encryption for data in transit is considered a medium severity finding. It requires a sophisticated man-in-the-middle attack to take advantage of this weakness. In other words, it is somewhat difficult. It is likely that some data will be compromised if the threat scenario is successful.  
Security Hub CSPM recommends that you investigate the implicated resource at your earliest convenience. You also should consider the criticality of the resource.

**Low – The issue does not require action on its own.**  
For example, failure to collect forensics information is considered low severity. This control can help to prevent future compromises, but the absence of forensics does not lead directly to a compromise.  
You do not need to take immediate action on low severity findings, but they can provide context when you correlate them with other issues.

**Informational – No configuration weakness was found.**  
In other words, the status is `PASSED`, `WARNING`, or `NOT_AVAILABLE`.  
There is no recommended action. Informational findings help customers to demonstrate that they are in a compliant state.

# Evaluating compliance status and control status

The `Compliance.Status` field of the Amazon Security Finding Format describes the result of a control finding. Amazon Security Hub CSPM uses the compliance status of control findings to determine an overall control status. The control status is displayed on the details page of a control on the Security Hub CSPM console.

## Evaluating the compliance status of Security Hub CSPM findings


The compliance status for each finding is assigned one of the following values:
+ `PASSED` – Indicates that the control passed the security check for the finding. This automatically sets the Security Hub CSPM `Workflow.Status` to `RESOLVED`.
+ `FAILED` – Indicates that the control didn't pass the security check for the finding.
+ `WARNING` – Indicates that Security Hub CSPM can't determine whether the resource is in a `PASSED` or `FAILED` state. For example, [Amazon Config resource recording](securityhub-setup-prereqs.md#config-resource-recording) isn't turned on for the corresponding resource type.
+ `NOT_AVAILABLE` – Indicates that the check can't be completed because a server failed, the resource was deleted, or the result of the Amazon Config evaluation was `NOT_APPLICABLE`. If the Amazon Config evaluation result was `NOT_APPLICABLE`, Security Hub CSPM automatically archives the finding.

If the compliance status for a finding changes from `PASSED` to `FAILED`, `WARNING`, or `NOT_AVAILABLE`, and `Workflow.Status` was either `NOTIFIED` or `RESOLVED`, Security Hub CSPM automatically changes `Workflow.Status` to `NEW`.

If you don't have resources corresponding to a control, Security Hub CSPM produces a `PASSED` finding at the account level. If you have a resource corresponding to a control but then delete the resource, Security Hub CSPM creates a `NOT_AVAILABLE` finding and archives it immediately. After 18 hours, you receive a `PASSED` finding because you no longer have resources corresponding to the control.

## Deriving control status from compliance status


Security Hub CSPM derives an overall control status from the compliance status of the control findings. When determining control status, Security Hub CSPM ignores findings that have a `RecordState` of `ARCHIVED` and findings that have a `Workflow.Status` of `SUPPRESSED`.

Control status is assigned one of the following values:
+ **Passed** – Indicates that all findings have a compliance status of `PASSED`.
+ **Failed** – Indicates that at least one finding has a compliance status of `FAILED`.
+ **Unknown** – Indicates that at least one finding has a compliance status of `WARNING` or `NOT_AVAILABLE`. No findings have a compliance status of `FAILED`.
+ **No data** – Indicates that there are no findings for the control. For example, a newly enabled control has this status until Security Hub CSPM starts to generate findings for it. A control also has this status if all of its findings are `SUPPRESSED` or it's unavailable in the current Amazon Web Services Region.
+ **Disabled** – Indicates that the control is disabled in the current account and Region. No security checks are currently being performed for this control in the current account and Region. However, the findings of a disabled control may have a value for compliance status for up to 24 hours after disablement.

For an administrator account, control status reflects the control status for the administrator account and the member accounts. Specifically, the overall status of a control appears as **Failed** if the control has one or more failed findings in the administrator account or any of the member accounts. If you have set an aggregation Region, the control status in the aggregation Region reflects the control status in the aggregation Region and the linked Regions. Specifically, the overall status of a control appears as **Failed** if the control has one or more failed findings in the aggregation Region or any of the linked Regions.

Security Hub CSPM typically generates the initial control status within 30 minutes after your first visit to the **Summary** page or the **Security standards** page on the Security Hub CSPM console. You must have [Amazon Config resource recording](controls-config-resources.md) configured for the control status to appear. After control statuses are generated for the first time, Security Hub CSPM updates control statuses every 24 hours based on the findings from the previous 24 hours. A timestamp on the control details page indicates when control status was last updated.

**Note**  
After enabling a control for the first time, it can take up to 24 hours for control statuses to be generated in the China Regions and the Amazon GovCloud (US) Region.
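The rules above for deriving a control status, and the automatic `Workflow.Status` changes described in the previous section, as an added example that is not Security Hub CSPM's own code. The findings are constructed, ASFF-shaped dictionaries trimmed to the fields the rules use; the account ID and trail names are placeholders, and how an administrator's view combines the non-Failed statuses of member accounts is this example's assumption (the page only states the Failed rule).

```python
"""Deriving control status from control findings.

Added example, not Security Hub CSPM code. It models the rules stated on the
page: the overall status of a control is derived from the Compliance.Status
of its findings, ignoring findings whose RecordState is ARCHIVED or whose
Workflow.Status is SUPPRESSED, and a finding's Workflow.Status is adjusted
automatically when its compliance status changes.
"""
from typing import Dict, Iterable, List, Optional

UNKNOWN_STATUSES = {"WARNING", "NOT_AVAILABLE"}


def control_status(findings: Iterable[dict], control_enabled: bool = True) -> str:
    """Return Passed, Failed, Unknown, No data or Disabled for one control."""
    if not control_enabled:
        return "Disabled"
    considered = [
        f for f in findings
        if f.get("RecordState") != "ARCHIVED"
        and f.get("Workflow", {}).get("Status") != "SUPPRESSED"
    ]
    if not considered:
        return "No data"
    statuses = {f["Compliance"]["Status"] for f in considered}
    if "FAILED" in statuses:
        return "Failed"
    if statuses & UNKNOWN_STATUSES:
        return "Unknown"
    return "Passed"


def aggregated_control_status(findings_by_scope: Dict[str, List[dict]]) -> str:
    """Status seen from an administrator account or an aggregation Region.

    The page states that the control shows Failed if any member account or
    linked Region has a failed finding. Pooling every scope's findings and
    applying the same rules reproduces that; how the non-Failed statuses
    combine is an assumption of this example.
    """
    pooled = [f for scope_findings in findings_by_scope.values() for f in scope_findings]
    return control_status(pooled)


def update_compliance_status(finding: dict, new_status: str) -> dict:
    """Return a copy of the finding after a new check result, applying the
    automatic Workflow.Status rules from the page:
      * PASSED sets Workflow.Status to RESOLVED;
      * PASSED -> FAILED, WARNING or NOT_AVAILABLE while Workflow.Status is
        NOTIFIED or RESOLVED resets it to NEW.
    The old status is recorded in ProductFields.PreviousComplianceStatus.
    """
    old_status = finding["Compliance"]["Status"]
    workflow = finding.get("Workflow", {}).get("Status", "NEW")
    if new_status == "PASSED":
        workflow = "RESOLVED"
    elif old_status == "PASSED" and workflow in {"NOTIFIED", "RESOLVED"}:
        workflow = "NEW"
    updated = dict(finding)  # shallow copy; nested dicts below are rebuilt
    updated["Compliance"] = {**finding["Compliance"], "Status": new_status}
    updated["Workflow"] = {"Status": workflow}
    updated["ProductFields"] = {**finding.get("ProductFields", {}),
                                "PreviousComplianceStatus": old_status}
    return updated


def make_finding(trail: str, status: str, record_state: str = "ACTIVE",
                 workflow: Optional[str] = None) -> dict:
    """Build a constructed CloudTrail.1 finding (placeholder account 111122223333)."""
    if workflow is None:
        workflow = "RESOLVED" if status == "PASSED" else "NEW"
    resource_arn = f"arn:aws-cn:cloudtrail:cn-north-1:111122223333:trail/{trail}"
    return {
        "Id": f"constructed-finding/{trail}",
        "Compliance": {"Status": status, "SecurityControlId": "CloudTrail.1"},
        "RecordState": record_state,
        "Workflow": {"Status": workflow},
        "Resources": [{"Type": "AwsCloudTrailTrail", "Id": resource_arn}],
    }


# Constructed sample: one passing trail, one suppressed failure, one archived
# finding for a deleted trail, and one trail whose resource type isn't recorded.
ADMIN_FINDINGS = [
    make_finding("trail-a", "PASSED"),
    make_finding("trail-b", "FAILED", workflow="SUPPRESSED"),
    make_finding("trail-c", "NOT_AVAILABLE", record_state="ARCHIVED"),
    make_finding("trail-d", "WARNING"),
]
MEMBER_FINDINGS = [make_finding("trail-m", "FAILED")]

if __name__ == "__main__":
    print("administrator account alone:", control_status(ADMIN_FINDINGS))
    print("administrator view with member:", aggregated_control_status(
        {"111122223333": ADMIN_FINDINGS, "member": MEMBER_FINDINGS}))
    regressed = update_compliance_status(make_finding("trail-a", "PASSED"), "FAILED")
    print("workflow after a PASSED -> FAILED update:", regressed["Workflow"]["Status"])
```

In the sample, the suppressed failure and the archived finding are skipped, so the administrator account alone shows **Unknown** (one `PASSED`, one `WARNING`); pooling in the member account's failed finding turns the aggregated status to **Failed**, which is why suppressing findings changes control status and, in turn, security scores.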

# Calculating security scores


On the Amazon Security Hub CSPM console, the **Summary** page and the **Controls** page display a summary security score across all of your enabled standards. On the **Security standards** page, Security Hub CSPM also displays a security score from 0–100 percent for each enabled standard.

When you first enable Security Hub CSPM, Security Hub CSPM calculates the summary security score and standard security scores within 30 minutes of your first visit to the **Summary** or **Security standards** page on the console. Scores are generated only for standards that are enabled when you visit those pages on the console. In addition, Amazon Config resource recording must be configured for the scores to appear. The summary security score is the average of the standard security scores. To review a list of standards that are currently enabled, you can use the [GetEnabledStandards](https://docs.amazonaws.cn//securityhub/1.0/APIReference/API_GetEnabledStandards.html) operation of the Security Hub CSPM API. 

After first-time score generation, Security Hub CSPM updates security scores every 24 hours. Security Hub CSPM displays a timestamp to indicate when a security score was last updated. Note that it can take up to 24 hours for first-time security scores to be generated in the China Regions and Amazon GovCloud (US) Regions.

If you turn on [consolidated control findings](controls-findings-create-update.md#consolidated-control-findings), it can take up to 24 hours for your security scores to update. In addition, enabling a new aggregation Region or updating linked Regions resets existing security scores. It can take up to 24 hours for Security Hub CSPM to generate new security scores that include data from the updated Regions.

## Method of calculating security scores


Security scores represent the proportion of **Passed** controls to enabled controls. The score is displayed as a percentage rounded up or down to the nearest whole number.

Security Hub CSPM calculates a summary security score across all of your enabled standards. Security Hub CSPM also calculates a security score for each enabled standard. For purposes of score calculation, enabled controls include controls with a status of **Passed**, **Failed**, and **Unknown**. Controls with a status of **No data** are excluded from the score calculation.

Security Hub CSPM ignores archived and suppressed findings when calculating control status. This can impact security scores. For example, if you suppress all failed findings for a control, its status becomes **Passed**, which can in turn improve your security scores. For more information about control status, see [Evaluating compliance status and control status](controls-overall-status.md).

**Scoring example:**


| Standard | Passed controls | Failed controls | Unknown controls | Standard score | 
| --- | --- | --- | --- | --- | 
|  Amazon Foundational Security Best Practices v1.0.0  |  168  |  22  |  0  |  88%  | 
|  CIS Amazon Foundations Benchmark v1.4.0  |  8  |  29  |  0  |  22%  | 
|  CIS Amazon Foundations Benchmark v1.2.0  |  6  |  35  |  0  |  15%  | 
|  NIST Special Publication 800-53 Revision 5  |  159  |  56  |  0  |  74%  | 
|  PCI DSS v3.2.1  |  28  |  17  |  0  |  62%  | 

When calculating the summary security score, Security Hub CSPM counts each control only once across standards. For example, if you have enabled a control that applies to three enabled standards, it only counts as one enabled control for scoring purposes.

In this example, although the total number of enabled controls across enabled standards is 528, Security Hub CSPM counts each unique control only once for scoring purposes. The number of unique enabled controls is likely lower than 528. If we assume the number of unique enabled controls is 515, and the number of unique passed controls is 357, the summary score is 69%. This score is calculated by dividing the number of unique passed controls by the number of unique enabled controls.

You might have a summary score that differs from the standard security score, even if you've enabled only one standard in your account in the current Region. This can occur if you're signed in to an administrator account and member accounts have additional standards or different standards enabled. This can also occur if you're viewing the score from the aggregation Region and additional standards or different standards are enabled in linked Regions.
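The scoring rules above, as an added example that is not Security Hub CSPM's own code: a standard's score is the share of **Passed** controls among its enabled controls (**Passed**, **Failed** and **Unknown** count; **No data** does not), and the summary score counts each control only once across standards, as in the worked example. The control IDs and statuses in `EXAMPLE_STANDARDS` are constructed for illustration, and rounding halves upward is an assumption about the console's rounding.

```python
"""Security score calculation as described on the page.

Added example, not Security Hub CSPM code. percentage() reproduces the
numbers in the scoring table; standard_score() and summary_score() apply the
rules to per-control status maps so that the deduplication across standards
is visible.
"""
import math
from typing import Dict, Optional

SCORED_STATUSES = {"Passed", "Failed", "Unknown"}


def percentage(passed: int, enabled: int) -> int:
    """Whole-number percentage; halves round up (assumption about console rounding)."""
    if enabled <= 0:
        raise ValueError("a score needs at least one enabled control")
    return math.floor(100 * passed / enabled + 0.5)


def scorable(control_statuses: Dict[str, str]) -> Dict[str, str]:
    """Keep only controls that take part in scoring (No data and Disabled are excluded)."""
    return {cid: st for cid, st in control_statuses.items() if st in SCORED_STATUSES}


def standard_score(control_statuses: Dict[str, str]) -> Optional[int]:
    """Score for one standard from a {control_id: control status} map."""
    enabled = scorable(control_statuses)
    if not enabled:
        return None  # nothing scorable yet, so no score is shown
    passed = sum(1 for st in enabled.values() if st == "Passed")
    return percentage(passed, len(enabled))


def summary_score(standards: Dict[str, Dict[str, str]]) -> Optional[int]:
    """Score across all enabled standards, counting each control ID once.

    A control's status is a property of the control in the account and
    Region, not of the standard, so the same ID carries the same status in
    every standard that enables it; deduplicating by ID is therefore enough.
    """
    unique: Dict[str, str] = {}
    for control_statuses in standards.values():
        unique.update(scorable(control_statuses))
    if not unique:
        return None
    passed = sum(1 for st in unique.values() if st == "Passed")
    return percentage(passed, len(unique))


# Constructed statuses. IAM.1 and CloudTrail.1 are enabled in all three
# standards but count once in the summary; Lambda.1 has No data and is skipped.
EXAMPLE_STANDARDS = {
    "fsbp": {"IAM.1": "Passed", "CloudTrail.1": "Failed", "S3.1": "Passed",
             "EC2.1": "Unknown", "Lambda.1": "No data"},
    "cis": {"IAM.1": "Passed", "CloudTrail.1": "Failed", "IAM.2": "Passed"},
    "pci": {"IAM.1": "Passed", "CloudTrail.1": "Failed", "KMS.1": "Failed",
            "RDS.1": "Failed"},
}

if __name__ == "__main__":
    for name, controls in EXAMPLE_STANDARDS.items():
        print(f"{name}: {standard_score(controls)}%")
    enabled_total = sum(len(scorable(c)) for c in EXAMPLE_STANDARDS.values())
    unique_total = len({cid for c in EXAMPLE_STANDARDS.values() for cid in scorable(c)})
    print(f"enabled across standards: {enabled_total}, unique: {unique_total}, "
          f"summary: {summary_score(EXAMPLE_STANDARDS)}%")
```

Applied to the scoring table above, `percentage(168, 190)` gives 88 and `percentage(357, 515)` gives 69, matching the page. In the constructed data the three standards together enable 11 controls but only 7 unique ones, and the summary score (43%) is not the average of the standard scores (50%, 67% and 25%), which is the effect of counting each control once.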

## Security scores for administrator accounts


If you're signed in to an administrator account, the summary security score and standard scores account for control statuses in the administrator account and all of the member accounts.

If the status of a control is **Failed** in even one member account, its status is **Failed** in the administrator account and impacts the administrator account scores.

If you're signed in to an administrator account and are viewing scores in an aggregation Region, security scores account for control statuses in all member accounts *and* all linked Regions.

## Security scores if you have set an aggregation Region


If you have set an aggregation Amazon Web Services Region, the summary security score and standard scores account for control statuses in all linked Regions.

If the status of a control is **Failed** in even one linked Region, its status is **Failed** in the aggregation Region and impacts the aggregation Region scores.

If you're signed in to an administrator account and are viewing scores in an aggregation Region, security scores account for control statuses in all member accounts *and* all linked Regions.

# Control categories in Security Hub CSPM

Each control is assigned a category. The category for a control reflects the security function that the control applies to.

The category value contains the category, the subcategory within the category, and, optionally, a classifier within the subcategory. For example:
+ Identify > Inventory
+ Protect > Data protection > Encryption of data in transit

Here are the descriptions of the available categories, subcategories, and classifiers.

## Identify


Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.

**Inventory**  
Has the service implemented the correct resource tagging strategies? Do the tagging strategies include the resource owner?  
What resources does the service use? Are they approved resources for this service?  
Do you have visibility into the approved inventory? For example, do you use services such as Amazon EC2 Systems Manager and Service Catalog? 

**Logging**  
Have you securely enabled all relevant logging for the service? Examples of log files include the following:  
+ Amazon VPC Flow Logs
+ Elastic Load Balancing access logs
+ Amazon CloudFront logs
+ Amazon CloudWatch Logs
+ Amazon Relational Database Service logging
+ Amazon OpenSearch Service slow index logs
+ X-Ray tracing
+ Amazon Directory Service logs
+ Amazon Config items
+ Snapshots

## Protect


Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services and secure coding practices.

**Secure access management**  
Does the service use least privilege practices in its IAM or resource policies?  
Are passwords and secrets sufficiently complex? Are they rotated appropriately?  
Does the service use multi-factor authentication (MFA)?  
Does the service avoid the root user?  
Do resource-based policies allow public access?

**Secure network configuration**  
Does the service avoid public and insecure remote network access?  
Does the service use VPCs properly? For example, are jobs required to run in VPCs?  
Does the service properly segment and isolate sensitive resources? 

**Data protection**  
Encryption of data at rest – Does the service encrypt data at rest?  
Encryption of data in transit – Does the service encrypt data in transit?  
Data integrity – Does the service validate data for integrity?  
Data deletion protection – Does the service protect data from accidental deletion?  
Data management / usage – Do you use services such as Amazon Macie to track the location of your sensitive data?

**API protection**  
Does the service use Amazon PrivateLink to protect the service API operations?

**Protective services**  
Are the correct protective services in place? Do they provide the correct amount of coverage?  
Protective services help you deflect attacks and compromises that are directed at the service. Examples of protective services in Amazon include Amazon Control Tower, Amazon WAF, Amazon Shield Advanced, Vanta, Secrets Manager, IAM Access Analyzer, and Amazon Resource Access Manager.

**Secure development**  
Do you use secure coding practices?  
Do you avoid vulnerabilities such as the Open Web Application Security Project (OWASP) Top Ten?

## Detect


Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.

**Detection services**  
Are the correct detection services in place?  
Do they provide the correct amount of coverage?  
Examples of Amazon detection services include Amazon GuardDuty, Amazon Security Hub CSPM, Amazon Inspector, Amazon Detective, Amazon CloudWatch Alarms, Amazon IoT Device Defender, and Amazon Trusted Advisor.

## Respond


Develop and implement the appropriate activities to take action regarding a detected cybersecurity event.

**Response actions**  
Do you respond to security events swiftly?  
Do you have any active critical or high severity findings?

**Forensics**  
Can you securely acquire forensic data for the service? For example, do you acquire Amazon EBS snapshots associated with true positive findings?  
Have you set up a forensic account?

## Recover


Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.

**Resilience**  
Does the service configuration support graceful failovers, elastic scaling, and high availability?  
Have you established backups? 

# Reviewing the details of controls in Security Hub CSPM

Selecting a control on the **Controls** page or standard details page of the Security Hub CSPM console takes you to a page of control details.

The top of the control details page indicates the control status. The control status summarizes the performance of a control based on the compliance status of the control findings. Security Hub CSPM typically generates the initial control status within 30 minutes after your first visit to the **Summary** page or **Security standards** page on the Security Hub CSPM console. Statuses are only available for controls that are enabled when you visit those pages.

The control details page also provides a breakdown of the compliance status of the control findings for the past 24 hours. For more information about control status and compliance status, see [Evaluating compliance status and control status](controls-overall-status.md).

Amazon Config resource recording must be configured for the control status to appear. After control statuses are generated for the first time, Security Hub CSPM updates the control status every 24 hours based on findings from the previous 24 hours.

Administrator accounts see an aggregated control status across the administrator account and member accounts. If you have set an aggregation Region, the control status includes findings across all linked Regions. For more information about control status, see [Evaluating compliance status and control status](controls-overall-status.md).

You can also enable or disable the control from the control details page.

**Note**  
It can take up to 24 hours after enabling a control for first-time control statuses to be generated in the China Regions and Amazon GovCloud (US) Regions.

The **Standards and Requirements** tab lists the standards that a control can be enabled for and the requirements related to the control from different compliance frameworks.

The **Checks** tab lists active findings for the control for the past 24 hours. Control findings are generated and updated when Security Hub CSPM runs security checks for the control. The list on this tab doesn't include archived findings.

For each finding, the list provides access to finding details such as the compliance status and related resource. You can also set the workflow status of each finding and send findings to custom actions. For more information, see [Reviewing and managing control findings](securityhub-control-manage-findings.md).

## Viewing details for a control


Choose your preferred access method, and follow these steps to review details for a control. Details apply to the current account and Region and include the following:
+ The title and description of the control.
+ A link to remediation guidance for failed control findings.
+ The severity of the control.
+ The status of the control.

On the console, you can also review a list of recent findings for the control. To do this programmatically, you can use the [GetFindings](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_GetFindings.html) operation of the Security Hub CSPM API.

------
#### [ Security Hub CSPM console ]

1. Open the Amazon Security Hub CSPM console at [https://console.amazonaws.cn/securityhub/](https://console.amazonaws.cn/securityhub/).

1. Choose **Controls** in the navigation pane.

1. Select a control.

------
#### [ Security Hub CSPM API ]

1. Run [ListSecurityControlDefinitions](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_ListSecurityControlDefinitions.html), and provide one or more standard ARNs to get a list of control IDs for that standard. To obtain standard ARNs, run [DescribeStandards](https://docs.amazonaws.cn//securityhub/1.0/APIReference/API_DescribeStandards.html). If you don't provide a standard ARN, this API returns all Security Hub CSPM control IDs. This API returns standard-agnostic security control IDs, not the standard-based control IDs that existed prior to these feature releases.

   **Example request:**

   ```json
   {
       "StandardsArn": "arn:aws-cn:securityhub:::standards/aws-foundational-security-best-practices/v/1.0.0"
   }
   ```

1. Run `[https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_BatchGetSecurityControls.html](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_BatchGetSecurityControls.html)` to get details about one or more controls in the current Amazon Web Services account and Amazon Web Services Region.

   **Example request:**

   ```
   {
       "SecurityControlIds": ["Config.1", "IAM.1"]
   }
   ```

------
#### [ Amazon CLI ]

1. Run the `[https://docs.amazonaws.cn/cli/latest/reference/securityhub/list-security-control-definitions.html](https://docs.amazonaws.cn/cli/latest/reference/securityhub/list-security-control-definitions.html)` command, and provide one or more standard ARNs to get a list of control IDs. To obtain standard ARNs, run the `describe-standards` command. If you don't provide a standard ARN, this command returns all Security Hub CSPM control IDs. This command returns standard-agnostic security control IDs, not the standard-based control IDs that existed prior to these feature releases.

   ```
   aws securityhub --region us-east-1 list-security-control-definitions --standards-arn "arn:aws-cn:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0"
   ```

1. Run the `[https://docs.amazonaws.cn/cli/latest/reference/securityhub/batch-get-security-controls.html](https://docs.amazonaws.cn/cli/latest/reference/securityhub/batch-get-security-controls.html)` command to get details about one or more controls in the current Amazon Web Services account and Amazon Web Services Region.

   ```
   aws securityhub --region us-east-1 batch-get-security-controls --security-control-ids '["Config.1", "IAM.1"]'
   ```

------
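The two API calls above are usually chained: page through `ListSecurityControlDefinitions` for a standard, then fetch details with `BatchGetSecurityControls` in chunks and pick out the controls worth tuning. The following script is an added example, not code from the Security Hub CSPM documentation. It accepts a real client such as `boto3.client("securityhub", region_name="us-east-1")`; the `FakeSecurityHub` class is a constructed stand-in with invented control data so that the script runs offline, and the chunk size is an assumption rather than a documented service limit.

```python
"""Inventory the controls of one standard, then pull their details.

Added example; not code from the Security Hub CSPM documentation. Chains
ListSecurityControlDefinitions (paged with NextToken) and BatchGetSecurityControls
(called in chunks). FakeSecurityHub is a constructed offline stand-in for a boto3
securityhub client; the chunk size is an assumption, not a documented limit.
"""

FSBP_ARN = ("arn:aws-cn:securityhub:us-east-1::standards/"
            "aws-foundational-security-best-practices/v/1.0.0")


def list_definitions(client, standards_arn):
    """Collect every SecurityControlDefinition for a standard, following NextToken."""
    definitions, token = [], None
    while True:
        kwargs = {"StandardsArn": standards_arn}
        if token:
            kwargs["NextToken"] = token
        page = client.list_security_control_definitions(**kwargs)
        definitions.extend(page["SecurityControlDefinitions"])
        token = page.get("NextToken")
        if not token:
            return definitions


def get_controls(client, control_ids, chunk_size=50):
    """Fetch control details in chunks; also return IDs the service did not process."""
    controls, unprocessed = [], []
    for start in range(0, len(control_ids), chunk_size):
        resp = client.batch_get_security_controls(
            SecurityControlIds=control_ids[start:start + chunk_size])
        controls.extend(resp["SecurityControls"])
        unprocessed.extend(u["SecurityControlId"] for u in resp.get("UnprocessedIds", []))
    return controls, unprocessed


SEVERITY_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "CRITICAL": 3}


def tunable_controls(definitions, controls, min_severity="HIGH"):
    """Enabled controls at or above min_severity that accept custom parameters.

    CustomizableProperties comes from the definition; SecurityControlStatus
    (ENABLED/DISABLED in this account and Region) from BatchGetSecurityControls.
    """
    customizable = {d["SecurityControlId"] for d in definitions
                    if "Parameters" in d.get("CustomizableProperties", [])}
    return sorted(
        c["SecurityControlId"] for c in controls
        if c["SecurityControlStatus"] == "ENABLED"
        and SEVERITY_RANK[c["SeverityRating"]] >= SEVERITY_RANK[min_severity]
        and c["SecurityControlId"] in customizable)


class FakeSecurityHub:
    """Offline stand-in for a boto3 securityhub client; all data below is constructed."""

    DEFINITIONS = [
        {"SecurityControlId": "ACM.1", "SeverityRating": "MEDIUM", "CustomizableProperties": ["Parameters"]},
        {"SecurityControlId": "IAM.7", "SeverityRating": "MEDIUM", "CustomizableProperties": ["Parameters"]},
        {"SecurityControlId": "EC2.18", "SeverityRating": "HIGH", "CustomizableProperties": ["Parameters"]},
        {"SecurityControlId": "Config.1", "SeverityRating": "CRITICAL", "CustomizableProperties": []},
    ]
    STATUS = {"ACM.1": "ENABLED", "IAM.7": "DISABLED", "EC2.18": "ENABLED", "Config.1": "ENABLED"}

    def list_security_control_definitions(self, StandardsArn, NextToken=None, MaxResults=None):
        # Two pages of two definitions, so NextToken handling is exercised.
        start = 2 if NextToken == "page-2" else 0
        page = {"SecurityControlDefinitions": self.DEFINITIONS[start:start + 2]}
        if start == 0:
            page["NextToken"] = "page-2"
        return page

    def batch_get_security_controls(self, SecurityControlIds):
        found = [d for d in self.DEFINITIONS if d["SecurityControlId"] in SecurityControlIds]
        return {
            "SecurityControls": [
                {"SecurityControlId": d["SecurityControlId"],
                 "SeverityRating": d["SeverityRating"],
                 "SecurityControlStatus": self.STATUS[d["SecurityControlId"]],
                 "UpdateStatus": "READY",
                 "Parameters": {}}
                for d in found],
            "UnprocessedIds": [
                {"SecurityControlId": i, "ErrorCode": "NOT_FOUND", "ErrorReason": "unknown control"}
                for i in SecurityControlIds if i not in self.STATUS],
        }


if __name__ == "__main__":
    hub = FakeSecurityHub()
    defs = list_definitions(hub, FSBP_ARN)
    details, missing = get_controls(hub, [d["SecurityControlId"] for d in defs], chunk_size=2)
    print("tunable HIGH+ controls:", tunable_controls(defs, details), "unprocessed:", missing)
```

Swap `FakeSecurityHub()` for a boto3 client to run this against an account. Always read `UnprocessedIds`: a typo in a control ID does not fail the whole batch, it just drops that ID from `SecurityControls`.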

# Filtering and sorting controls in Security Hub CSPM
Filtering and sorting controls

On the Amazon Security Hub CSPM console, you can use the **Controls** page to review a table of the controls that are available in the current Amazon Web Services Region. The exception is an aggregation Region. If you [configured an aggregation Region](finding-aggregation.md) and sign in to that Region, the console shows controls that are available in the aggregation Region or one or more linked Regions.

To focus on a specific subset of controls, you can sort and filter the table of controls. The **Filter by** options next to the table can help you quickly focus on these specific subsets:
+ All enabled controls, which are controls that are enabled in at least one enabled standard.
+ All disabled controls, which are controls that are disabled in all standards.
+ All enabled controls that have a specific control status, such as **Failed**. The **No data** option displays only those controls that don't currently have findings. For information about control status, see [Evaluating compliance status and control status](controls-overall-status.md).

In addition to the **Filter by** options, you can filter the table by entering filter criteria in the **Filter controls** box above the table. For example, you can filter by control ID or severity.

By default, controls with a **Failed** status are listed first, in descending order by severity. You can change the sort order by choosing a different column heading.

**Tip**  
If you have automated workflows based on control findings, we recommend using the `SecurityControlId` or `SecurityControlArn` [ASFF fields](securityhub-findings-format.md) as filters, rather than the `Title` or `Description` fields. The latter fields can change occasionally, whereas control ID and ARN are static identifiers.

If you're signed in to a Security Hub CSPM administrator account, **Enabled** controls include controls that are enabled in at least one member account. If you configured an aggregation Region, **Enabled** controls include controls that are enabled in at least one linked Region.

If you select the option next to an enabled control, a panel appears that displays the standards in which the control is currently enabled and the standards in which it's currently disabled. From this panel, you can disable the control in all standards. For more information, see [Disabling controls in Security Hub CSPM](disable-controls-overview.md). For administrator accounts, the information in the panel reflects settings for all of your member accounts.

To retrieve a list of controls programmatically, you can use the [https://docs.amazonaws.cn//securityhub/1.0/APIReference/API_ListSecurityControlDefinitions.html](https://docs.amazonaws.cn//securityhub/1.0/APIReference/API_ListSecurityControlDefinitions.html) operation of the Security Hub CSPM API. To retrieve the details of individual controls, use the [https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_BatchGetSecurityControls.html](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_BatchGetSecurityControls.html) operation.

# Understanding control parameters in Security Hub CSPM
Control parameters

Some controls in Amazon Security Hub CSPM use parameters that affect how the control is evaluated. Typically, such controls are evaluated against the default parameter values that Security Hub CSPM defines. However, for a subset of these controls, you can modify the parameter values. When you modify a control parameter value, Security Hub CSPM starts evaluating the control against the value that you specify. If the resource underlying the control satisfies the custom value, Security Hub CSPM generates a `PASSED` finding. If the resource doesn't satisfy the custom value, Security Hub CSPM generates a `FAILED` finding.

By customizing control parameters, you can refine the security best practices recommended and monitored by Security Hub CSPM to align with your business requirements and security expectations. Instead of suppressing findings for a control, you can customize one or more of its parameters to get findings that suit your security needs.

Here are some sample use cases for modifying control parameters and setting custom values:
+ **[CloudWatch.16] – CloudWatch log groups should be retained for a specified time period**

  You can specify the retention time period.
+ **[IAM.7] – Password policies for IAM users should have strong configurations**

  You can specify parameters related to password strength.
+ **[EC2.18] – Security groups should only allow unrestricted incoming traffic for authorized ports**

  You can specify which ports are authorized to permit unrestricted incoming traffic.
+ **[Lambda.5] – VPC Lambda functions should operate in multiple Availability Zones**

  You can specify the minimum number of Availability Zones that produces a passed finding.

This section covers things to consider when you modify control parameters.

## Effect of modifying control parameter values


When you change a parameter value, you also trigger a new security check that evaluates the control based on the new value. Security Hub CSPM then generates new control findings based on the new value. During periodic updates to control findings, Security Hub CSPM also uses the new parameter value. If you change parameter values for a control, but haven't enabled any standards that include the control, Security Hub CSPM doesn't conduct any security checks using the new values. You have to enable at least one relevant standard for Security Hub CSPM to evaluate the control based on the new parameter value.

A control can have one or more customizable parameters. Possible data types for each control parameter include the following:
+ Boolean
+ Double
+ Enum
+ EnumList
+ Integer
+ IntegerList
+ String
+ StringList

Custom parameter values apply across your enabled standards. You can't customize the parameters for a control that's not supported in your current Region. For a list of Regional limits for individual controls, see [Regional limits on Security Hub CSPM controls](regions-controls.md).

For some controls, acceptable parameter values must fall into a specified range to be valid. In these cases, Security Hub CSPM provides the acceptable range.

Security Hub CSPM chooses default parameter values and might occasionally update them. After you customize a control parameter, it keeps the value that you specified until you change it. That is to say, the parameter stops tracking updates to the default Security Hub CSPM value, even if your custom value matches the current default value defined by Security Hub CSPM. Here's an example for the control **[ACM.1] – Imported and ACM-issued certificates should be renewed after a specified time period**:

```
{
    "SecurityControlId": "ACM.1",
    "Parameters": {
        "daysToExpiration": {
            "ValueType": "CUSTOM",
            "Value": {
                "Integer": 30
            }
        }
    }
}
```

In the preceding example, the `daysToExpiration` parameter has a custom value of `30`. The current default value for this parameter is also `30`. If Security Hub CSPM changes the default value to `14`, the parameter in this example won't track that change. It will retain a value of `30`.

If you want to track updates to the default Security Hub CSPM value for a parameter, set the `ValueType` field to `DEFAULT` instead of `CUSTOM`. For more information, see [Reverting to default control parameters in a single account and Region](revert-default-parameter-values.md#revert-default-parameter-values-local-config).

## Controls that support custom parameters


For a list of security controls that support custom parameters, see the **Controls** page of the Security Hub CSPM console or the [Control reference for Security Hub CSPM](securityhub-controls-reference.md). To retrieve this list programmatically, you can use the [https://docs.amazonaws.cn//securityhub/1.0/APIReference/API_ListSecurityControlDefinitions.html](https://docs.amazonaws.cn//securityhub/1.0/APIReference/API_ListSecurityControlDefinitions.html) operation. In the response, the `CustomizableProperties` object indicates which controls support customizable parameters.

# Reviewing current control parameter values


It can be helpful to know the current value of a control parameter before you modify it.

You can review the current values for individual control parameters in your account. If you use central configuration, the delegated Amazon Security Hub CSPM administrator can also review parameter values that are specified in a configuration policy.

Choose your preferred method, and follow the steps to review current control parameter values.

------
#### [ Security Hub CSPM console ]

**To review current control parameter values (console)**

1. Open the Amazon Security Hub CSPM console at [https://console.amazonaws.cn/securityhub/](https://console.amazonaws.cn/securityhub/).

1. In the navigation pane, choose **Controls**. Choose a control.

1. Choose the **Parameters** tab. This tab shows the current parameter values for the control.

------
#### [ Security Hub CSPM API ]

**To review current control parameter values (API)**

Invoke the [https://docs.amazonaws.cn//securityhub/1.0/APIReference/API_BatchGetSecurityControls.html](https://docs.amazonaws.cn//securityhub/1.0/APIReference/API_BatchGetSecurityControls.html) API, and provide one or more security control IDs or ARNs. The `Parameters` object in the response shows the current parameter values for the specified controls.

For example, the following Amazon CLI command shows the current parameter values for `APIGateway.1`, `CloudWatch.15`, and `IAM.7`. This example is formatted for Linux, macOS, or Unix, and it uses the backslash (\) line-continuation character to improve readability.

```
$ aws securityhub batch-get-security-controls \
--region us-east-1 \
--security-control-ids '["APIGateway.1", "CloudWatch.15", "IAM.7"]'
```

------

Choose your preferred method to view the current parameter values in a central configuration policy.

------
#### [ Security Hub CSPM console ]

**To review current control parameter values in a configuration policy (console)**

1. Open the Amazon Security Hub CSPM console at [https://console.amazonaws.cn/securityhub/](https://console.amazonaws.cn/securityhub/).

   Sign in using the credentials of the delegated Security Hub CSPM administrator account in the home Region.

1. In the navigation pane, choose **Settings** and **Configuration**.

1. On the **Policies** tab, select the configuration policy, and then choose **View details**. The policy details then appear, including current parameter values.

------
#### [ Security Hub CSPM API ]

**To review current control parameter values in a configuration policy (API)**

1. Invoke the [https://docs.amazonaws.cn//securityhub/1.0/APIReference/API_GetConfigurationPolicy.html](https://docs.amazonaws.cn//securityhub/1.0/APIReference/API_GetConfigurationPolicy.html) API from the delegated administrator account in the home Region.

1. Provide the ARN or ID of the configuration policy whose details you want to see. The response includes current parameter values.

For example, the following Amazon CLI command retrieves the current control parameter values in the specified configuration policy. This example is formatted for Linux, macOS, or Unix, and it uses the backslash (\) line-continuation character to improve readability.

```
$ aws securityhub get-configuration-policy \
--region us-east-1 \
--identifier "arn:aws-cn:securityhub:us-east-1:123456789012:configuration-policy/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
```

------

Control findings also include the current values of control parameters. In the [Amazon Security Finding Format (ASFF)](securityhub-findings-format.md), these values appear in the `Parameters` field of the `Compliance` object. To review findings on the Security Hub CSPM console, choose **Findings** in the navigation pane. To review findings programmatically, use the [https://docs.amazonaws.cn//securityhub/1.0/APIReference/API_GetFindings.html](https://docs.amazonaws.cn//securityhub/1.0/APIReference/API_GetFindings.html) operation of the Security Hub CSPM API.

# Customizing control parameter values
Customizing control parameters

The instructions for customizing control parameters vary based on whether you use [central configuration](central-configuration-intro.md) in Amazon Security Hub CSPM. Central configuration is a feature that the delegated Security Hub CSPM administrator can use to configure Security Hub CSPM capabilities across Amazon Web Services Regions, accounts, and organizational units (OUs).

If your organization uses central configuration, the delegated administrator can create configuration policies that include custom control parameters. These policies can be associated with centrally managed member accounts and OUs, and they take effect in your home Region and all linked Regions. The delegated administrator can also designate one or more accounts as self-managed, which allows the account owner to configure its own parameters separately in each Region. If your organization doesn't use central configuration, you must customize control parameters separately in each account and Region.

We recommend using central configuration because it allows you to align control parameter values across different parts of your organization. For example, all of your test accounts might use certain parameter values, and all production accounts might use different values.

## Customizing control parameters in multiple accounts and Regions


If you're the delegated Security Hub CSPM administrator for an organization that uses central configuration, choose your preferred method, and follow the steps to customize control parameters across multiple accounts and Regions.

------
#### [ Security Hub CSPM console ]

**To customize control parameter values in multiple accounts and Regions (console)**

1. Open the Amazon Security Hub CSPM console at [https://console.amazonaws.cn/securityhub/](https://console.amazonaws.cn/securityhub/).

   Ensure that you're signed in to the home Region.

1. In the navigation pane, choose **Settings** and **Configuration**.

1. Choose the **Policies** tab.

1. To create a new configuration policy that includes custom parameters, choose **Create policy**. To specify custom parameters in an existing configuration policy, select the policy, and then choose **Edit**.

   **To create a new configuration policy with custom control parameter values**

   1. In the **Custom policy** section, choose the security standards and controls that you want to enable.

   1. Select **Customize control parameters**.

   1. Select a control, and then specify custom values for one or more parameters.

   1. To customize parameters for more controls, choose **Customize additional control**.

   1. In the **Accounts** section, select the accounts or OUs that you want to apply the policy to.

   1. Choose **Next**.

   1. Choose **Create policy and apply**. In your home Region and all linked Regions, this action overrides the existing configuration settings of accounts and OUs that are associated with this configuration policy. Accounts and OUs can be associated with a configuration policy through direct application or inheritance from a parent.

   **To customize control parameter values in an existing configuration policy**

   1. In the **Controls** section, under **Custom policy**, specify the new custom parameter values that you want.

   1. If this is your first time customizing control parameters in this policy, select **Customize control parameters**, and then select a control to customize. To customize parameters for more controls, choose **Customize additional control**.

   1. In the **Accounts** section, verify the accounts or OUs that you want to apply the policy to.

   1. Choose **Next**.

   1. Review your changes, and verify that they're correct. When you finish, choose **Save policy and apply**. In your home Region and all linked Regions, this action overrides the existing configuration settings of accounts and OUs that are associated with this configuration policy. Accounts and OUs can be associated with a configuration policy through direct application or inheritance from a parent.

------
#### [ Security Hub CSPM API ]

**To customize control parameter values in multiple accounts and Regions (API)**

**To create a new configuration policy with custom control parameter values**

1. Invoke the [https://docs.amazonaws.cn//securityhub/1.0/APIReference/API_CreateConfigurationPolicy.html](https://docs.amazonaws.cn//securityhub/1.0/APIReference/API_CreateConfigurationPolicy.html) API from the delegated administrator account in the home Region.

1. For the `SecurityControlCustomParameters` object, provide the identifier of each control that you want to customize.

1. For the `Parameters` object, provide the name of each parameter that you want to customize. For each parameter that you customize, provide `CUSTOM` for `ValueType`. For `Value`, provide the data type of the parameter and the custom value. The `Value` field can't be empty when `ValueType` is `CUSTOM`. If your request omits a parameter that the control supports, that parameter retains its current value. You can find supported parameters, data types, and valid values for a control by invoking the [https://docs.amazonaws.cn//securityhub/1.0/APIReference/API_GetSecurityControlDefinition.html](https://docs.amazonaws.cn//securityhub/1.0/APIReference/API_GetSecurityControlDefinition.html) API.

**To customize control parameter values in an existing configuration policy**

1. Invoke the [https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_UpdateConfigurationPolicy.html](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_UpdateConfigurationPolicy.html) API from the delegated administrator account in the home Region.

1. For the `Identifier` field, provide the Amazon Resource Name (ARN) or ID of the configuration policy that you want to update.

1. For the `SecurityControlCustomParameters` object, provide the identifier of each control that you want to customize.

1. For the `Parameters` object, provide the name of each parameter that you want to customize. For each parameter that you customize, provide `CUSTOM` for `ValueType`. For `Value`, provide the data type of the parameter and the custom value. If your request omits a parameter that the control supports, that parameter retains its current value. You can find supported parameters, data types, and valid values for a control by invoking the [https://docs.amazonaws.cn//securityhub/1.0/APIReference/API_GetSecurityControlDefinition.html](https://docs.amazonaws.cn//securityhub/1.0/APIReference/API_GetSecurityControlDefinition.html) API.

For example, the following Amazon CLI command creates a new configuration policy with a custom value for the `daysToExpiration` parameter of `ACM.1`. This example is formatted for Linux, macOS, or Unix, and it uses the backslash (\) line-continuation character to improve readability.

```
$ aws securityhub create-configuration-policy \
--region us-east-1 \
--name "SampleConfigurationPolicy" \
--description "Configuration policy for production accounts" \
--configuration-policy '{"SecurityHub": {"ServiceEnabled": true, "EnabledStandardIdentifiers": ["arn:aws-cn:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0","arn:aws-cn:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0"],"SecurityControlsConfiguration":{"DisabledSecurityControlIdentifiers": ["CloudTrail.2"], "SecurityControlCustomParameters": [{"SecurityControlId": "ACM.1", "Parameters": {"daysToExpiration": {"ValueType": "CUSTOM", "Value": {"Integer": 15}}}}]}}}'
```

------

## Customizing control parameters in a single account and Region


If you don't use central configuration or have a self-managed account, you can customize control parameters for your account in one Region at a time only.

Choose your preferred method, and follow the steps to customize control parameters. Your changes apply only to your account in the current Region. To customize the control parameters in additional Regions, repeat the following steps in each additional account and Region in which you want to customize parameters. The same control can use different parameter values in different Regions.

------
#### [ Security Hub CSPM console ]

**To customize control parameter values in one account and Region (console)**

1. Open the Amazon Security Hub CSPM console at [https://console.amazonaws.cn/securityhub/](https://console.amazonaws.cn/securityhub/).

1. In the navigation pane, choose **Controls**. In the table, choose a control that supports custom parameters and you want to change the parameters for. The **Custom parameters** column indicates which controls support custom parameters.

1. On the details page for the control, choose the **Parameters** tab, and then choose **Edit**.

1. Specify the parameter values that you want.

1. Optionally, in the **Reason for change** section, select a reason for customizing the parameters.

1. Choose **Save**.

------
#### [ Security Hub CSPM API ]

**To customize control parameter values in one account and Region (API)**

1. Invoke the [https://docs.amazonaws.cn//securityhub/1.0/APIReference/API_UpdateSecurityControl.html](https://docs.amazonaws.cn//securityhub/1.0/APIReference/API_UpdateSecurityControl.html) API.

1. For `SecurityControlId`, provide the ID of the control that you want to customize.

1. For the `Parameters` object, provide the name of each parameter that you want to customize. For each parameter that you customize, provide `CUSTOM` for `ValueType`. For `Value`, provide the data type of the parameter and the custom value. If your request omits a parameter that the control supports, that parameter retains its current value. You can find supported parameters, data types, and valid values for a control by invoking the [https://docs.amazonaws.cn//securityhub/1.0/APIReference/API_GetSecurityControlDefinition.html](https://docs.amazonaws.cn//securityhub/1.0/APIReference/API_GetSecurityControlDefinition.html) API.

1. Optionally, for `LastUpdateReason`, provide a reason for customizing the control parameters.

For example, the following Amazon CLI command defines a custom value for the `daysToExpiration` parameter of `ACM.1`. This example is formatted for Linux, macOS, or Unix, and it uses the backslash (\) line-continuation character to improve readability.

```
$ aws securityhub update-security-control \
--region us-east-1 \
--security-control-id ACM.1 \
--parameters '{"daysToExpiration": {"ValueType": "CUSTOM", "Value": {"Integer": 15}}}' \
--last-update-reason "Internal compliance requirement"
```

------
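Both `UpdateSecurityControl` and the `SecurityControlCustomParameters` object of a configuration policy take the same `Parameters` structure, and both reject a value of the wrong data type or outside the published range. The following script is an added example, not code from the Security Hub CSPM documentation. It validates a desired value against the `ParameterDefinitions` map that `GetSecurityControlDefinition` returns, builds the `Parameters` payload, and, for the tracking behaviour described under "Effect of modifying control parameter values", lists `CUSTOM` parameters whose value merely equals today's default. The two definitions at the bottom are constructed sample data in the API's shape; real defaults, ranges, and parameter names must be read from the service.

```python
"""Validate a custom parameter value before sending it, and spot pinned defaults.

Added example; not code from the Security Hub CSPM documentation. Works on the
ParameterDefinitions map returned by GetSecurityControlDefinition. The sample
definitions at the bottom are constructed; read real ones from the service.
"""

# ConfigurationOptions key -> key used inside a ParameterValue's Value object.
OPTION_TO_VALUE_KEY = {
    "BooleanConfigurationOptions": "Boolean",
    "DoubleConfigurationOptions": "Double",
    "EnumConfigurationOptions": "Enum",
    "EnumListConfigurationOptions": "EnumList",
    "IntegerConfigurationOptions": "Integer",
    "IntegerListConfigurationOptions": "IntegerList",
    "StringConfigurationOptions": "String",
    "StringListConfigurationOptions": "StringList",
}
ITEM_TYPE = {"Boolean": bool, "Double": (int, float), "Integer": int, "Enum": str,
             "String": str, "IntegerList": int, "EnumList": str, "StringList": str}


def parameter_options(definition, name):
    """Return (value_key, options) for one parameter; KeyError if the control lacks it."""
    pdef = definition["ParameterDefinitions"][name]
    opt_key, options = next(iter(pdef["ConfigurationOptions"].items()))
    return OPTION_TO_VALUE_KEY[opt_key], options


def check_value(value_key, options, value):
    """Raise ValueError for input the service would reject with InvalidInputException."""
    is_list = value_key.endswith("List")
    items = list(value) if is_list else [value]
    if is_list and "MaxItems" in options and len(items) > options["MaxItems"]:
        raise ValueError(f"at most {options['MaxItems']} items allowed")
    for item in items:
        wrong_bool = isinstance(item, bool) and value_key != "Boolean"  # bool is an int in Python
        if wrong_bool or not isinstance(item, ITEM_TYPE[value_key]):
            raise ValueError(f"{item!r} is not a valid {value_key}")
        if "Min" in options and item < options["Min"] or "Max" in options and item > options["Max"]:
            raise ValueError(f"{item!r} is outside {options.get('Min')}..{options.get('Max')}")
        if "AllowedValues" in options and item not in options["AllowedValues"]:
            raise ValueError(f"{item!r} is not one of {options['AllowedValues']}")


def build_parameters(definition, desired):
    """Build {name: {"ValueType": "CUSTOM", "Value": {<type>: value}}} after validation."""
    payload = {}
    for name, value in desired.items():
        value_key, options = parameter_options(definition, name)
        check_value(value_key, options, value)
        payload[name] = {"ValueType": "CUSTOM", "Value": {value_key: value}}
    return payload


def pinned_at_default(definition, current_parameters):
    """CUSTOM parameters equal to the current default: harmless today, frozen tomorrow."""
    pinned = []
    for name, pv in current_parameters.items():
        if pv.get("ValueType") != "CUSTOM":
            continue
        value_key, options = parameter_options(definition, name)
        if pv["Value"].get(value_key) == options.get("DefaultValue"):
            pinned.append(name)
    return pinned


# Constructed samples in the shape of GetSecurityControlDefinition responses.
ACM1_DEFINITION = {
    "SecurityControlId": "ACM.1",
    "ParameterDefinitions": {"daysToExpiration": {
        "Description": "constructed sample",
        "ConfigurationOptions": {"IntegerConfigurationOptions": {"DefaultValue": 30, "Min": 14, "Max": 365}},
    }},
}
EC2_18_DEFINITION = {
    "SecurityControlId": "EC2.18",
    "ParameterDefinitions": {"authorizedTcpPorts": {
        "Description": "constructed sample",
        "ConfigurationOptions": {"IntegerListConfigurationOptions": {
            "DefaultValue": [80, 443], "Min": 0, "Max": 65535, "MaxItems": 32}},
    }},
}

if __name__ == "__main__":
    print(build_parameters(ACM1_DEFINITION, {"daysToExpiration": 15}))
    current = {"daysToExpiration": {"ValueType": "CUSTOM", "Value": {"Integer": 30}}}
    print("pinned at default:", pinned_at_default(ACM1_DEFINITION, current))
```

The dictionary that `build_parameters` returns is exactly what goes into `--parameters` for `update-security-control` (after `json.dumps`) or into the `Parameters` object of a `SecurityControlCustomParameters` entry. Run `pinned_at_default` over the `Parameters` object from `BatchGetSecurityControls` periodically: a parameter it reports should either be reverted to `DEFAULT` or documented as a deliberate pin.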

# Reverting to default control parameter values
Reverting to default control parameters

A control parameter can have a default value that Amazon Security Hub CSPM defines. Occasionally, Security Hub CSPM updates the default value for a parameter to reflect evolving security best practices. If you haven't specified a custom value for a control parameter, the control automatically tracks those updates and uses the new default value.

You can revert to using default parameter values for a control. The instructions for reversion depend on whether you use [central configuration](central-configuration-intro.md) in Security Hub CSPM. Central configuration is a feature that the delegated Security Hub CSPM administrator can use to configure Security Hub CSPM capabilities across Amazon Web Services Regions, accounts, and organizational units (OUs).

**Note**  
Not all control parameters have a default Security Hub CSPM value. In such cases, when `ValueType` is set to `DEFAULT`, there isn't a specific default value that Security Hub CSPM uses. Rather, Security Hub CSPM ignores the parameter in the absence of a custom value.

## Reverting to default control parameters in multiple accounts and Regions


If you use central configuration, you can revert control parameters for multiple, centrally managed accounts and OUs in the home Region and linked Regions.

Choose your preferred method, and follow the steps to revert to default parameter values across multiple accounts and Regions using central configuration.

------
#### [ Security Hub CSPM console ]

**To revert to default control parameter values in multiple accounts and Regions (console)**

1. Open the Amazon Security Hub CSPM console at [https://console.amazonaws.cn/securityhub/](https://console.amazonaws.cn/securityhub/).

   Sign in using the credentials of the delegated Security Hub CSPM administrator account in the home Region.

1. In the navigation pane, choose **Settings** and **Configuration**.

1. Choose the **Policies** tab.

1. Select a policy, and then choose **Edit**. 

1. Under **Custom policy**, the **Controls** section shows a list of controls that you specified custom parameters for.

1. Find the control that has one or more parameter values to revert. Then, choose **Remove** to revert to the default values.

1. In the **Accounts** section, verify the accounts or OUs that you want to apply the policy to.

1. Choose **Next**.

1. Review your changes, and verify that they're correct. When you finish, choose **Save policy and apply**. In your home Region and all linked Regions, this action overrides the existing configuration settings of accounts and OUs that are associated with this configuration policy. Accounts and OUs can be associated with a configuration policy through direct application or inheritance from a parent.

------
#### [ Security Hub CSPM API ]

**To revert to default control parameter values in multiple accounts and Regions (API)**

1. Invoke the [https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_UpdateConfigurationPolicy.html](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_UpdateConfigurationPolicy.html) API from the delegated administrator account in the home Region.

1. For the `Identifier` field, provide the Amazon Resource Name (ARN) or ID of the policy that you want to update.

1. For the `SecurityControlCustomParameters` object, provide the identifier of each control for which you want to revert one or more parameters.

1. In the `Parameters` object, for each parameter that you want to revert, provide `DEFAULT` for the `ValueType` field. When `ValueType` is set to `DEFAULT`, you don't need to provide a value for the `Value` field. If a value is included in your request, Security Hub CSPM ignores it. If your request omits a parameter that the control supports, that parameter retains its current value.

**Warning**  
If you omit a control object from the `SecurityControlCustomParameters` field, Security Hub CSPM reverts all custom parameters for the control to their default values. A completely empty list for `SecurityControlCustomParameters` reverts custom parameters for all controls to their default values.

For example, the following Amazon CLI command reverts the `daysToExpiration` control parameter for `ACM.1` to its default value in the specified configuration policy. This example is formatted for Linux, macOS, or Unix, and it uses the backslash (\) line-continuation character to improve readability.

```
$ aws securityhub update-configuration-policy \
--region us-east-1 \
--identifier "arn:aws-cn:securityhub:us-east-1:123456789012:configuration-policy/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111" \
--name "TestConfigurationPolicy" \
--description "Updated configuration policy" \
--updated-reason "Revert ACM.1 parameter to default value" \
--configuration-policy '{"SecurityHub": {"ServiceEnabled": true, "EnabledStandardIdentifiers": ["arn:aws-cn:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0","arn:aws-cn:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0"],"SecurityControlsConfiguration":{"DisabledSecurityControlIdentifiers": ["CloudTrail.2"], "SecurityControlCustomParameters": [{"SecurityControlId": "ACM.1", "Parameters": {"daysToExpiration": {"ValueType": "DEFAULT"}}}]}}}'
```

------
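The warning above describes an easy mistake: `UpdateConfigurationPolicy` replaces the whole `SecurityControlCustomParameters` list, so a request that names only the control you are reverting silently reverts every other control's custom parameters as well. The following script is an added example, not code from the Security Hub CSPM documentation. It starts from the policy document that `GetConfigurationPolicy` returns, sets the one parameter to `DEFAULT`, and reports which controls a naive request would have reverted. `SAMPLE_POLICY` and `NAIVE_REQUEST` are constructed data; the boto3 method names in `revert_in_place` are the real ones, but nothing in the script calls Amazon.

```python
"""Revert one parameter in a configuration policy without reverting the others.

Added example; not code from the Security Hub CSPM documentation. SAMPLE_POLICY
and NAIVE_REQUEST are constructed; revert_in_place uses real boto3 method names
but is never called here.
"""
import copy


def custom_parameter_controls(policy):
    """Control IDs that carry custom parameters in a ConfigurationPolicy document."""
    cfg = policy.get("SecurityHub", {}).get("SecurityControlsConfiguration", {})
    return {c["SecurityControlId"] for c in cfg.get("SecurityControlCustomParameters", [])}


def would_be_reverted(existing_policy, proposed_policy):
    """Controls whose custom parameters vanish entirely if proposed_policy is sent as-is."""
    return sorted(custom_parameter_controls(existing_policy) - custom_parameter_controls(proposed_policy))


def revert_parameter(existing_policy, control_id, parameter_name):
    """Copy of the policy with one parameter set to DEFAULT; every other entry is kept."""
    policy = copy.deepcopy(existing_policy)
    entries = policy["SecurityHub"]["SecurityControlsConfiguration"]["SecurityControlCustomParameters"]
    for entry in entries:
        if entry["SecurityControlId"] == control_id:
            if parameter_name not in entry["Parameters"]:
                raise KeyError(f"{control_id} has no custom value for {parameter_name}")
            entry["Parameters"][parameter_name] = {"ValueType": "DEFAULT"}  # Value is ignored for DEFAULT
            return policy
    raise KeyError(f"{control_id} has no custom parameters in this policy")


def revert_in_place(client, identifier, control_id, parameter_name, reason):
    """Read-modify-write against the service so nothing else in the policy is lost."""
    current = client.get_configuration_policy(Identifier=identifier)
    new_policy = revert_parameter(current["ConfigurationPolicy"], control_id, parameter_name)
    return client.update_configuration_policy(
        Identifier=identifier,
        Name=current["Name"],
        Description=current.get("Description", ""),
        UpdatedReason=reason,
        ConfigurationPolicy=new_policy,
    )


# Constructed sample in the shape of the ConfigurationPolicy object.
SAMPLE_POLICY = {"SecurityHub": {
    "ServiceEnabled": True,
    "EnabledStandardIdentifiers": [
        "arn:aws-cn:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0"],
    "SecurityControlsConfiguration": {
        "DisabledSecurityControlIdentifiers": ["CloudTrail.2"],
        "SecurityControlCustomParameters": [
            {"SecurityControlId": "ACM.1",
             "Parameters": {"daysToExpiration": {"ValueType": "CUSTOM", "Value": {"Integer": 15}}}},
            {"SecurityControlId": "IAM.7",
             "Parameters": {"MinimumPasswordLength": {"ValueType": "CUSTOM", "Value": {"Integer": 16}}}},
        ],
    },
}}

# A request that lists only ACM.1, like the CLI example above: IAM.7's custom value would be lost.
NAIVE_REQUEST = {"SecurityHub": {"ServiceEnabled": True, "SecurityControlsConfiguration": {
    "SecurityControlCustomParameters": [
        {"SecurityControlId": "ACM.1", "Parameters": {"daysToExpiration": {"ValueType": "DEFAULT"}}}]}}}

if __name__ == "__main__":
    print("naive request would revert:", would_be_reverted(SAMPLE_POLICY, NAIVE_REQUEST))
    safe = revert_parameter(SAMPLE_POLICY, "ACM.1", "daysToExpiration")
    print("safe request would revert:", would_be_reverted(SAMPLE_POLICY, safe))
```

Keeping the control in the list with `ValueType` set to `DEFAULT` is the explicit form of the revert that the API steps above describe; dropping the control from the list is the implicit form the warning refers to. Running `would_be_reverted` against the current policy before every `update-configuration-policy` call turns the implicit form into a visible diff.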

## Reverting to default control parameters in a single account and Region


If you don't use central configuration or have a self-managed account, you can revert to using default parameter values for your account in one Region at a time.

Choose your preferred method, and follow the steps to revert to default parameter values for your account in a single Region. To revert to default parameter values in additional Regions, repeat these steps in each additional Region.

**Note**  
If you disable Security Hub CSPM, your custom control parameters are reset. If you enable Security Hub CSPM again in the future, all controls will use default parameter values to start.

------
#### [ Security Hub CSPM console ]

**To revert to default control parameter values in one account and Region (console)**

1. Open the Amazon Security Hub CSPM console at [https://console.amazonaws.cn/securityhub/](https://console.amazonaws.cn/securityhub/).

1. In the navigation pane, choose **Controls**. Choose the control that you want to revert to default parameter values.

1. On the **Parameters** tab, choose **Customized** next to a control parameter. Then, choose **Remove customization**. This parameter now uses the default Security Hub CSPM value and tracks future updates to the default value.

1. Repeat the preceding step for each parameter value that you want to revert.

------
#### [ Security Hub CSPM API ]

**To revert to default control parameter values in one account and Region (API)**

1. Invoke the [https://docs.amazonaws.cn//securityhub/1.0/APIReference/API_UpdateSecurityControl.html](https://docs.amazonaws.cn//securityhub/1.0/APIReference/API_UpdateSecurityControl.html) API.

1. For `SecurityControlId`, provide the ARN or ID of the control whose parameters you want to revert.

1. In the `Parameters` object, for each parameter that you want to revert, provide `DEFAULT` for the `ValueType` field. When `ValueType` is set to `DEFAULT`, you don't need to provide a value for the `Value` field. If a value is included in your request, Security Hub CSPM ignores it.

1. Optionally, for `LastUpdateReason`, provide a reason for reverting to default parameter values.

For example, the following Amazon CLI command reverts the `daysToExpiration` control parameter for `ACM.1` to its default value. This example is formatted for Linux, macOS, or Unix, and it uses the backslash (`\`) line-continuation character to improve readability.

```
$ aws securityhub update-security-control \
--region us-east-1 \
--security-control-id ACM.1 \
--parameters '{"daysToExpiration": {"ValueType": "DEFAULT"}}' \
--last-update-reason "New internal requirement"
```

------

# Checking the status of control parameter changes


When you attempt to customize a control parameter or revert to the default value, you can validate whether the desired changes were effective. This helps ensure that a control works as you expect and provides the intended security value. If a parameter update is unsuccessful, Security Hub CSPM retains the current value for the parameter.

To verify that a parameter update was successful, you can review the details of the control on the Security Hub CSPM console. On the console, choose **Controls** on the navigation pane. Then, choose a control to display its details. The **Parameters** tab shows the status of the parameter change.

Programmatically, if your request to update a parameter is valid, the value of the `UpdateStatus` field is `UPDATING` in the response to the [https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_BatchGetSecurityControls.html](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_BatchGetSecurityControls.html) operation. This means that the update was valid, but not all findings might yet include the updated parameter values. When the value of `UpdateStatus` changes to `READY`, Security Hub CSPM uses the updated control parameter values when running security checks of the control, and findings include the updated parameter values.

The `UpdateSecurityControl` operation returns an `InvalidInputException` response for invalid parameter values. The response provides additional details about the reason for failure. For example, you might have specified a value that's outside the valid range for a parameter. Or, you might have specified a value that doesn't use the correct data type. Submit your request again with valid input.

If an internal failure occurs when you try to update a parameter value, Security Hub CSPM automatically retries if you have Amazon Config enabled. For more information, see [Considerations before enabling and configuring Amazon Config](securityhub-setup-prereqs.md#securityhub-prereq-config).
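The following is an added example, not code from the Security Hub CSPM documentation or SDK. It chains the API procedure from the previous section (revert parameters with `ValueType` set to `DEFAULT`, no `Value` sent) with the status check described here: poll `BatchGetSecurityControls` until `UpdateStatus` reaches `READY`. It uses the boto3 `securityhub` operations `update_security_control` and `batch_get_security_controls`; the client is passed in, so `FakeSecurityHubClient` (a constructed stub) lets the functions run offline. The `NEEDS_ATTENTION` status is the API's third `UpdateStatus` value and is not covered on this page; the `UnprocessedIds` shape in the stub is constructed.

```python
"""Revert control parameters to their defaults and wait for the change to take effect.

Added example, not from the Security Hub CSPM documentation or SDK. It calls two boto3
securityhub operations, update_security_control and batch_get_security_controls; the
client object is passed in so the same functions run offline against
FakeSecurityHubClient, a constructed stub.
"""
import time


def revert_parameters(client, control_id, parameter_names, reason):
    """Set ValueType=DEFAULT for each named parameter of one control.

    No Value is sent: Security Hub CSPM ignores it when ValueType is DEFAULT.
    """
    params = {name: {"ValueType": "DEFAULT"} for name in parameter_names}
    return client.update_security_control(
        SecurityControlId=control_id, Parameters=params, LastUpdateReason=reason
    )


def get_update_status(client, control_id):
    """Return the control's UpdateStatus, or None if the API listed the control under
    UnprocessedIds (for example, an unknown control ID)."""
    resp = client.batch_get_security_controls(SecurityControlIds=[control_id])
    for control in resp.get("SecurityControls", []):
        if control.get("SecurityControlId") == control_id:
            return control.get("UpdateStatus")
    return None


def wait_until_ready(client, control_id, poll_seconds=10, max_polls=30, sleep=time.sleep):
    """Poll until UpdateStatus is READY and return the final status.

    UPDATING: the request was valid but not every finding carries the new values yet,
    so keep polling. NEEDS_ATTENTION (the API's third status, not covered on this page)
    or None (unprocessed ID): polling will not help, so return at once.
    """
    status = None
    for _ in range(max_polls):
        status = get_update_status(client, control_id)
        if status in ("READY", "NEEDS_ATTENTION", None):
            return status
        sleep(poll_seconds)
    return status  # still UPDATING after max_polls; the caller decides what to do


def revert_and_wait(client, control_id, parameter_names, reason, sleep=time.sleep):
    """Revert, then block until the control reports READY (or cannot)."""
    revert_parameters(client, control_id, parameter_names, reason)
    return wait_until_ready(client, control_id, sleep=sleep)


class FakeSecurityHubClient:
    """Constructed offline stand-in for boto3.client("securityhub"). It records update
    calls and replays a scripted list of UpdateStatus values, repeating the last one once
    the script is exhausted; a None entry simulates an unprocessed control ID."""

    def __init__(self, statuses):
        self._statuses = list(statuses)
        self.update_calls = []
        self.polls = 0

    def update_security_control(self, **kwargs):
        self.update_calls.append(kwargs)
        return {}

    def batch_get_security_controls(self, SecurityControlIds):
        self.polls += 1
        status = self._statuses.pop(0) if len(self._statuses) > 1 else self._statuses[0]
        if status is None:
            unprocessed = [{"SecurityControlId": c, "ErrorCode": "NOT_FOUND",
                            "ErrorReason": "constructed error"} for c in SecurityControlIds]
            return {"SecurityControls": [], "UnprocessedIds": unprocessed}
        controls = [{"SecurityControlId": c, "UpdateStatus": status} for c in SecurityControlIds]
        return {"SecurityControls": controls, "UnprocessedIds": []}


if __name__ == "__main__":
    # Dry run against the stub: two UPDATING polls, then READY.
    fake = FakeSecurityHubClient(["UPDATING", "UPDATING", "READY"])
    print(revert_and_wait(fake, "ACM.1", ["daysToExpiration"],
                          "New internal requirement", sleep=lambda s: None))
```

For a real run, pass `boto3.client("securityhub", region_name="us-east-1")` instead of the stub; the poll interval and `max_polls` bound the wait so an automation step cannot spin forever on a control that stays `UPDATING`.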

# Reviewing and managing control findings in Security Hub CSPM

The control details page displays a list of active findings for a control. The list does not include archived findings.

The control details page supports cross-Region aggregation. If you have set an aggregation Region, the control status and list of security checks on the control details page include checks from all linked Amazon Web Services Regions.

The list provides tools to filter and sort the findings, so that you can focus on more urgent findings first. A finding may include links to resource details in the related service console. For controls that are based on Amazon Config rules, you can view details about the rule.

You can also use the Amazon Security Hub CSPM API to retrieve a list of findings and finding details.

For more information, see [Reviewing finding details and history](securityhub-findings-viewing.md#finding-view-details-console).

To reflect the current status of your investigation of a control finding, you set the workflow status. For more information, see [Setting the workflow status of findings in Security Hub CSPM](findings-workflow-status.md).

You can also send selected Security Hub CSPM findings to a custom action in Amazon EventBridge. For more information, see [Sending findings to a custom Security Hub CSPM action](findings-custom-action.md).

**Topics**
+ [Filtering and sorting control findings](control-finding-list.md)
+ [Samples of control findings](sample-control-findings.md)

# Filtering and sorting control findings


Selecting a control from the **Controls** page of the Amazon Security Hub CSPM console or from the details page of a standard takes you to the control details page.

The control details page shows the title and description of the control, the overall control status, and a breakdown of security checks for the control in the last 24 hours.

Use the **Filter by** options next to the control checks list to quickly focus on findings with a specific [workflow status](findings-workflow-status.md) or [compliance status](controls-overall-status.md#controls-overall-status-compliance-status).

In addition to the **Filter by** options, you can use the **Add filter** box to filter the checks list by other fields, such as Amazon Web Services account ID or resource ID.

By default, findings with a compliance status of **PASSED** are listed first. You can change the default sorting by choosing a different option in the column headers.

From the control details page, you can choose **Download** to download the current page of control findings to a .csv file.

If you filter the finding list, then the download only includes the findings that match the filter. If you select specific findings from the list, then the download only includes the selected findings.

For more information about filtering findings, see [Filtering findings in Security Hub CSPM](securityhub-findings-manage.md).

# Samples of control findings

The following samples provide examples of Amazon Security Hub CSPM control findings in the Amazon Security Finding Format (ASFF). The contents of control findings vary depending on whether you enabled consolidated control findings.

If you enable consolidated control findings, Security Hub CSPM generates a single finding for a control, even if the control applies to multiple enabled standards. If you don't enable this feature, Security Hub CSPM generates a separate control finding for each enabled standard that a control applies to. For example, if you enable two standards and a control applies to both of them, you receive two separate findings for the control, one for each standard. If you enable consolidated control findings, you receive only one finding for the control. For more information, see [Consolidated control findings](controls-findings-create-update.md#consolidated-control-findings).

The samples on this page provide examples for both scenarios. The samples include: control findings for individual Security Hub CSPM standards when consolidated control findings is disabled, and a control finding for multiple Security Hub CSPM standards when consolidated control findings is enabled.
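The following is an added example, not code from the Security Hub CSPM documentation or SDK. It reads control findings in both shapes described here (one finding per standard, and one consolidated finding listing several standards under `Compliance.AssociatedStandards`, including the legacy `RuleId` and `ruleset/` layout of CIS v1.2.0) and applies the behaviour of the preceding filtering section: active findings only, **Filter by** compliance or workflow status, **Add filter** by account or resource ID, **PASSED** listed first, and a CSV export of the filtered list. The findings are constructed to mirror the layout of the samples on this page; the CSV column set and the assumption that consolidated findings carry a `GeneratorId` of the form `security-control/<ControlId>` are this example's own.

```python
"""Summarize, filter, sort and export Security Hub CSPM control findings (ASFF).

Added example, not code from the Security Hub CSPM documentation or SDK. The findings
are constructed to mirror the samples on this page. Assumption: consolidated control
findings carry a GeneratorId of the form "security-control/<ControlId>".
"""
import csv
import io

# Constructed: one finding per standard (consolidated control findings off).
PER_STANDARD = {
    "Id": "arn:aws:securityhub:us-east-1:123456789012:subscription/cis-aws-foundations-benchmark/v/3.0.0/2.2.1/finding/EXAMPLE-1",
    "GeneratorId": "cis-aws-foundations-benchmark/v/3.0.0/2.2.1",
    "AwsAccountId": "123456789012", "Severity": {"Label": "MEDIUM", "Normalized": 40},
    "ProductFields": {"ControlId": "2.2.1"},
    "Resources": [{"Type": "AwsAccount", "Id": "AWS::::Account:123456789012"}],
    "Compliance": {"Status": "FAILED", "SecurityControlId": "EC2.7",
                   "RelatedRequirements": ["CIS AWS Foundations Benchmark v3.0.0/2.2.1"],
                   "AssociatedStandards": [{"StandardsId": "standards/cis-aws-foundations-benchmark/v/3.0.0"}]},
    "Workflow": {"Status": "NEW"}, "RecordState": "ACTIVE",
}
# Constructed: legacy CIS v1.2.0 layout, which uses RuleId and a "ruleset/" prefix.
LEGACY_CIS = {
    "Id": "arn:aws:securityhub:us-east-2:123456789012:subscription/cis-aws-foundations-benchmark/v/1.2.0/2.7/finding/EXAMPLE-2",
    "GeneratorId": "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/2.7",
    "AwsAccountId": "123456789012", "Severity": {"Label": "MEDIUM", "Normalized": 40},
    "ProductFields": {"RuleId": "2.7"},
    "Resources": [{"Type": "AwsCloudTrailTrail", "Id": "arn:aws:cloudtrail:us-east-2:123456789012:trail/example-trail"}],
    "Compliance": {"Status": "PASSED", "SecurityControlId": "CloudTrail.2",
                   "AssociatedStandards": [{"StandardsId": "ruleset/cis-aws-foundations-benchmark/v/1.2.0"}]},
    "Workflow": {"Status": "RESOLVED"}, "RecordState": "ACTIVE",
}
# Constructed: consolidated finding, one per control, listing every standard it applies to.
CONSOLIDATED = {
    "Id": "arn:aws:securityhub:us-east-1:123456789012:security-control/CloudTrail.2/finding/EXAMPLE-3",
    "GeneratorId": "security-control/CloudTrail.2",
    "AwsAccountId": "123456789012", "Severity": {"Label": "MEDIUM", "Normalized": 40},
    "Resources": [{"Type": "AwsCloudTrailTrail", "Id": "arn:aws:cloudtrail:us-east-1:123456789012:trail/example-trail"}],
    "Compliance": {"Status": "FAILED", "SecurityControlId": "CloudTrail.2",
                   "RelatedRequirements": ["NIST.800-53.r5 SC-28", "CIS AWS Foundations Benchmark v1.4.0/3.7"],
                   "AssociatedStandards": [{"StandardsId": "standards/aws-foundational-security-best-practices/v/1.0.0"},
                                           {"StandardsId": "standards/nist-800-53/v/5.0.0"},
                                           {"StandardsId": "standards/cis-aws-foundations-benchmark/v/1.4.0"}]},
    "Workflow": {"Status": "NEW"}, "RecordState": "ACTIVE",
}
# Constructed: an archived copy; the control details page lists active findings only.
ARCHIVED = dict(PER_STANDARD, Id=PER_STANDARD["Id"] + "-old", RecordState="ARCHIVED")
SAMPLE_FINDINGS = [PER_STANDARD, LEGACY_CIS, CONSOLIDATED, ARCHIVED]
COMPLIANCE_ORDER = {"PASSED": 0, "WARNING": 1, "FAILED": 2, "NOT_AVAILABLE": 3}  # PASSED first


def is_consolidated(finding):
    return str(finding.get("GeneratorId", "")).startswith("security-control/")


def standards_of(finding):
    """Standards the finding applies to, without the "standards/" or legacy "ruleset/"
    prefix: one entry with consolidation off, possibly several with it on."""
    ids = [s["StandardsId"] for s in finding.get("Compliance", {}).get("AssociatedStandards", [])]
    return [i.split("/", 1)[1] if i.startswith(("standards/", "ruleset/")) else i for i in ids]


def summarize(finding):
    """Flatten the fields an analyst triages on into one dict."""
    comp = finding.get("Compliance", {})
    pf = finding.get("ProductFields", {})
    resources = finding.get("Resources") or [{}]
    return {
        "control": comp.get("SecurityControlId"),
        # Standard-specific ID (e.g. CIS 2.2.1); RuleId is the CIS v1.2.0 key. Consolidated
        # findings have no per-standard ID, so fall back to the security control ID.
        "standard_control_id": pf.get("ControlId") or pf.get("RuleId") or comp.get("SecurityControlId"),
        "consolidated": is_consolidated(finding),
        "standards": standards_of(finding),
        "requirements": list(comp.get("RelatedRequirements", [])),
        "compliance": comp.get("Status"),
        "workflow": finding.get("Workflow", {}).get("Status"),
        "severity": finding.get("Severity", {}).get("Label"),
        "account": finding.get("AwsAccountId"),
        "resource": resources[0].get("Id"),
    }


CSV_FIELDS = list(summarize(PER_STANDARD))  # column order for to_csv (this example's own)


def control_finding_list(findings, compliance=None, workflow=None, account=None, resource=None):
    """The list the control details page shows: active findings only, optional Filter by
    (compliance, workflow) and Add filter (account, resource) criteria, PASSED first."""
    rows = [summarize(f) for f in findings if f.get("RecordState") == "ACTIVE"]
    criteria = {"compliance": compliance, "workflow": workflow, "account": account, "resource": resource}
    for key, value in criteria.items():
        if value is not None:
            rows = [r for r in rows if r[key] == value]
    rows.sort(key=lambda r: (COMPLIANCE_ORDER.get(r["compliance"], 99), r["control"] or ""))
    return rows


def to_csv(rows):
    """CSV of a (filtered) list, like the console's Download; list fields are joined with "; "."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=CSV_FIELDS)
    writer.writeheader()
    for r in rows:
        writer.writerow({k: "; ".join(v) if isinstance(v, list) else v for k, v in r.items()})
    return buf.getvalue()
```

With consolidation off, `standards` always has one entry and `standard_control_id` carries the standard's own numbering (CIS `2.2.1`), while `control` carries the security control ID (`EC2.7`) that is stable across standards; with consolidation on, the same control produces one row whose `standards` list shows every enabled standard it maps to, which is what makes deduplicated counts and ticket routing simpler.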

**Topics**
+ [Sample finding for the Amazon Foundational Security Best Practices standard](#sample-finding-fsbp)
+ [Sample finding for CIS Amazon Foundations Benchmark v5.0.0](#sample-finding-cis-5)
+ [Sample finding for CIS Amazon Foundations Benchmark v3.0.0](#sample-finding-cis-3)
+ [Sample finding for CIS Amazon Foundations Benchmark v1.4.0](#sample-finding-cis-1.4)
+ [Sample finding for CIS Amazon Foundations Benchmark v1.2.0](#sample-finding-cis-1.2)
+ [Sample finding for the NIST SP 800-53 Revision 5 standard](#sample-finding-nist-800-53)
+ [Sample finding for the NIST SP 800-171 Revision 2 standard](#sample-finding-nist-800-171)
+ [Sample finding for Payment Card Industry Data Security Standard v3.2.1](#sample-finding-pcidss-v321)
+ [Sample finding for the Amazon Resource Tagging standard](#sample-finding-tagging)
+ [Sample finding for the Amazon Control Tower service-managed standard](#sample-finding-service-managed-aws-control-tower)
+ [Sample consolidated finding for multiple standards](#sample-finding-consolidation)

**Note**  
Control findings reference different fields and values in the China Regions and the Amazon GovCloud (US) Regions. For more information, see [Impact of consolidation on ASFF fields and values](asff-changes-consolidation.md).

## Sample finding for the Amazon Foundational Security Best Practices standard


The following sample provides an example of a finding for a control that applies to the Amazon Foundational Security Best Practices (FSBP) standard. In this sample, consolidated control findings is disabled.

```
{
  "SchemaVersion": "2018-10-08",
  "Id": "arn:aws-cn:securityhub:us-east-2:123456789012:subscription/aws-foundational-security-best-practices/v/1.0.0/CloudTrail.2/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
  "ProductArn": "arn:aws-cn:securityhub:us-east-2::product/aws/securityhub",
  "ProductName": "Security Hub CSPM",
  "CompanyName": "Amazon",
  "Region": "us-east-2",
  "GeneratorId": "aws-foundational-security-best-practices/v/1.0.0/CloudTrail.2",
  "AwsAccountId": "123456789012",
  "Types": [
    "Software and Configuration Checks/Industry and Regulatory Standards/Amazon-Foundational-Security-Best-Practices"
  ],
  "FirstObservedAt": "2020-08-06T02:18:23.076Z",
  "LastObservedAt": "2021-09-28T16:10:06.956Z",
  "CreatedAt": "2020-08-06T02:18:23.076Z",
  "UpdatedAt": "2021-09-28T16:10:00.093Z",
  "Severity": {
    "Product": 40,
    "Label": "MEDIUM",
    "Normalized": 40,
    "Original": "MEDIUM"
  },
  "Title": "CloudTrail.2 CloudTrail should have encryption at-rest enabled",
  "Description": "This Amazon control checks whether Amazon CloudTrail is configured to use the server side encryption (SSE) Amazon Key Management Service (Amazon KMS) customer master key (CMK) encryption. The check will pass if the KmsKeyId is defined.",
  "Remediation": {
    "Recommendation": {
      "Text": "For directions on how to correct this issue, consult the Amazon Security Hub CSPM controls documentation.",
      "Url": "https://docs.aws.amazon.com/console/securityhub/CloudTrail.2/remediation"
    }
  },
  "ProductFields": {
    "StandardsArn": "arn:aws-cn:securityhub:::standards/aws-foundational-security-best-practices/v/1.0.0",
    "StandardsSubscriptionArn": "arn:aws-cn:securityhub:us-east-2:123456789012:subscription/aws-foundational-security-best-practices/v/1.0.0",
    "ControlId": "CloudTrail.2",
    "RecommendationUrl": "https://docs.aws.amazon.com/console/securityhub/CloudTrail.2/remediation",
    "RelatedAmazonResources:0/name": "securityhub-cloud-trail-encryption-enabled-fe95bf3f",
    "RelatedAmazonResources:0/type": "Amazon::Config::ConfigRule",
    "StandardsControlArn": "arn:aws-cn:securityhub:us-east-2:123456789012:control/aws-foundational-security-best-practices/v/1.0.0/CloudTrail.2",
    "aws/securityhub/ProductName": "Security Hub CSPM",
    "aws/securityhub/CompanyName": "Amazon",
    "Resources:0/Id": "arn:aws-cn:cloudtrail:us-east-2:123456789012:trail/AmazonMacieTrail-DO-NOT-EDIT",
    "aws/securityhub/FindingId": "arn:aws-cn:securityhub:us-east-2::product/aws/securityhub/arn:aws-cn:securityhub:us-east-2:123456789012:subscription/aws-foundational-security-best-practices/v/1.0.0/CloudTrail.2/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
  },
  "Resources": [
    {
      "Type": "AwsCloudTrailTrail",
      "Id": "arn:aws-cn:cloudtrail:us-east-2:123456789012:trail/AmazonMacieTrail-DO-NOT-EDIT",
      "Partition": "aws",
      "Region": "us-east-2"
    }
  ],
  "Compliance": {
    "Status": "FAILED",
    "SecurityControlId": "CloudTrail.2",
    "AssociatedStandards": [{
      "StandardsId": "standards/aws-foundation-best-practices/v/1.0.0"
    }]
  },
  "WorkflowState": "NEW",
  "Workflow": {
    "Status": "NEW"
  },
  "RecordState": "ACTIVE",
  "FindingProviderFields": {
    "Severity": {
      "Label": "MEDIUM",
      "Original": "MEDIUM"
    },
    "Types": [
      "Software and Configuration Checks/Industry and Regulatory Standards/Amazon-Foundational-Security-Best-Practices"
    ]
  }
}
```

## Sample finding for CIS Amazon Foundations Benchmark v5.0.0


The following sample provides an example of a finding for a control that applies to CIS Amazon Foundations Benchmark v5.0.0. In this sample, consolidated control findings is disabled.

```
{
  "AwsAccountId": "123456789012",
  "CompanyName": "Amazon",
  "Compliance": {
    "Status": "FAILED",
    "SecurityControlId": "EC2.7",
    "RelatedRequirements": [
      "CIS AWS Foundations Benchmark v5.0.0/5.1.1"
    ],
    "AssociatedStandards": [
      {
        "StandardsId": "standards/cis-aws-foundations-benchmark/v/5.0.0"
      }
    ]
  },
  "CreatedAt": "2025-10-10T17:04:00.952Z",
  "Description": "Elastic Compute Cloud (EC2) supports encryption at rest when using the Elastic Block Store (EBS) service. While disabled by default, forcing encryption at EBS volume creation is supported.",
  "FindingProviderFields": {
    "Types": [
      "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
    ],
    "Severity": {
      "Normalized": 40,
      "Label": "MEDIUM",
      "Product": 40,
      "Original": "MEDIUM"
    }
  },
  "FirstObservedAt": "2025-10-10T17:03:57.895Z",
  "GeneratorId": "cis-aws-foundations-benchmark/v/5.0.0/5.1.1",
  "Id": "arn:aws:securityhub:us-west-1:123456789012:subscription/cis-aws-foundations-benchmark/v/5.0.0/5.1.1/finding/443a9d3f-8a59-4fa0-8e2c-EXAMPLE111",
  "LastObservedAt": "2025-10-14T05:22:28.667Z",
  "ProcessedAt": "2025-10-14T05:22:50.099Z",
  "ProductArn": "arn:aws:securityhub:us-west-1::product/aws/securityhub",
  "ProductFields": {
    "StandardsArn": "arn:aws:securityhub:::standards/cis-aws-foundations-benchmark/v/5.0.0",
    "StandardsSubscriptionArn": "arn:aws:securityhub:us-west-1:123456789012:subscription/cis-aws-foundations-benchmark/v/5.0.0",
    "ControlId": "5.1.1",
    "RecommendationUrl": "https://docs.aws.amazon.com/console/securityhub/EC2.7/remediation",
    "RelatedAWSResources:0/name": "securityhub-ec2-ebs-encryption-by-default-2a99554f",
    "RelatedAWSResources:0/type": "Amazon::Config::ConfigRule",
    "StandardsControlArn": "arn:aws:securityhub:us-west-1:123456789012:control/cis-aws-foundations-benchmark/v/5.0.0/5.1.1",
    "aws/securityhub/ProductName": "Security Hub CSPM",
    "aws/securityhub/CompanyName": "Amazon",
    "aws/securityhub/annotation": "EBS Encryption by default is not enabled.",
    "Resources:0/Id": "arn:aws:iam::123456789012:root",
    "aws/securityhub/FindingId": "arn:aws:securityhub:us-west-1::product/aws/securityhub/arn:aws:securityhub:us-west-1:123456789012:subscription/cis-aws-foundations-benchmark/v/5.0.0/5.1.1/finding/443a9d3f-8a59-4fa0-8e2c-EXAMPLE111",
    "PreviousComplianceStatus": "FAILED"
  },
  "ProductName": "Security Hub CSPM",
  "RecordState": "ACTIVE",
  "Region": "us-west-1",
  "Remediation": {
    "Recommendation": {
      "Text": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.",
      "Url": "https://docs.aws.amazon.com/console/securityhub/EC2.7/remediation"
    }
  },
  "Resources": [
    {
      "Id": "Amazon::::Account:123456789012",
      "Partition": "aws",
      "Region": "us-west-1",
      "Type": "AwsAccount"
    }
  ],
  "SchemaVersion": "2018-10-08",
  "Severity": {
    "Label": "MEDIUM",
    "Normalized": 40,
    "Original": "MEDIUM",
    "Product": 40
  },
  "Title": "5.1.1 EBS default encryption should be enabled",
  "Types": [
    "Software and Configuration Checks/Industry and Regulatory Standards/CIS Amazon Foundations Benchmark"
  ],
  "UpdatedAt": "2025-10-14T05:22:38.671Z",
  "Workflow": {
    "Status": "NEW"
  },
  "WorkflowState": "NEW"
}
```

## Sample finding for CIS Amazon Foundations Benchmark v3.0.0


The following sample provides an example of a finding for a control that applies to CIS Amazon Foundations Benchmark v3.0.0. In this sample, consolidated control findings is disabled.

```
{
  "SchemaVersion": "2018-10-08",
  "Id": "arn:aws-cn:securityhub:us-east-1:123456789012:subscription/cis-aws-foundations-benchmark/v/3.0.0/2.2.1/finding/38a89798-6819-4fae-861f-9cca8034602c",
  "ProductArn": "arn:aws-cn:securityhub:us-east-1::product/aws/securityhub",
  "ProductName": "Security Hub CSPM",
  "CompanyName": "Amazon",
  "Region": "us-east-1",
  "GeneratorId": "cis-aws-foundations-benchmark/v/3.0.0/2.2.1",
  "AwsAccountId": "123456789012",
  "Types": [
    "Software and Configuration Checks/Industry and Regulatory Standards/CIS Amazon Foundations Benchmark"
  ],
  "FirstObservedAt": "2024-04-18T07:46:18.193Z",
  "LastObservedAt": "2024-04-23T07:47:01.137Z",
  "CreatedAt": "2024-04-18T07:46:18.193Z",
  "UpdatedAt": "2024-04-23T07:46:46.165Z",
  "Severity": {
    "Product": 40,
    "Label": "MEDIUM",
    "Normalized": 40,
    "Original": "MEDIUM"
  },
  "Title": "2.2.1 EBS default encryption should be enabled",
  "Description": "Elastic Compute Cloud (EC2) supports encryption at rest when using the Elastic Block Store (EBS) service. While disabled by default, forcing encryption at EBS volume creation is supported.",
  "Remediation": {
    "Recommendation": {
      "Text": "For information on how to correct this issue, consult the Amazon Security Hub CSPM controls documentation.",
      "Url": "https://docs.aws.amazon.com/console/securityhub/EC2.7/remediation"
    }
  },
  "ProductFields": {
    "StandardsArn": "arn:aws-cn:securityhub:::standards/cis-aws-foundations-benchmark/v/3.0.0",
    "StandardsSubscriptionArn": "arn:aws:securityhub:us-east-1:123456789012:subscription/cis-aws-foundations-benchmark/v/3.0.0",
    "ControlId": "2.2.1",
    "RecommendationUrl": "https://docs.aws.amazon.com/console/securityhub/EC2.7/remediation",
    "RelatedAWSResources:0/name": "securityhub-ec2-ebs-encryption-by-default-2843ed9e",
    "RelatedAWSResources:0/type": "Amazon::Config::ConfigRule",
    "StandardsControlArn": "arn:aws-cn:securityhub:us-east-1:123456789012:control/cis-aws-foundations-benchmark/v/3.0.0/2.2.1",
    "aws/securityhub/ProductName": "Security Hub CSPM",
    "aws/securityhub/CompanyName": "Amazon",
    "aws/securityhub/annotation": "EBS Encryption by default is not enabled.",
    "Resources:0/Id": "arn:aws:iam::123456789012:root",
    "aws/securityhub/FindingId": "arn:aws-cn:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:123456789012:subscription/cis-aws-foundations-benchmark/v/3.0.0/2.2.1/finding/38a89798-6819-4fae-861f-9cca8034602c"
  },
  "Resources": [
    {
      "Type": "AwsAccount",
      "Id": "Amazon::::Account:123456789012",
      "Partition": "aws",
      "Region": "us-east-1"
    }
  ],
  "Compliance": {
    "Status": "FAILED",
    "RelatedRequirements": [
      "CIS AWS Foundations Benchmark v3.0.0/2.2.1"
    ],
    "SecurityControlId": "EC2.7",
    "AssociatedStandards": [
      {
        "StandardsId": "standards/cis-aws-foundations-benchmark/v/3.0.0"
      }
    ]
  },
  "WorkflowState": "NEW",
  "Workflow": {
    "Status": "NEW"
  },
  "RecordState": "ACTIVE",
  "FindingProviderFields": {
    "Severity": {
      "Label": "MEDIUM",
      "Original": "MEDIUM"
    },
    "Types": [
      "Software and Configuration Checks/Industry and Regulatory Standards/CIS Amazon Foundations Benchmark"
    ]
  },
  "ProcessedAt": "2024-04-23T07:47:07.088Z"
}
```

## Sample finding for CIS Amazon Foundations Benchmark v1.4.0


The following sample provides an example of a finding for a control that applies to CIS Amazon Foundations Benchmark v1.4.0. In this sample, consolidated control findings is disabled.

```
{
  "SchemaVersion": "2018-10-08",
  "Id": "arn:aws-cn:securityhub:us-east-1:123456789012:subscription/cis-aws-foundations-benchmark/v/1.4.0/3.7/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
  "ProductArn": "arn:aws-cn:securityhub:us-east-1::product/aws/securityhub",
  "ProductName": "Security Hub CSPM",
  "CompanyName": "Amazon",
  "Region": "us-east-1",
  "GeneratorId": "cis-aws-foundations-benchmark/v/1.4.0/3.7",
  "AwsAccountId": "123456789012",
  "Types": [
    "Software and Configuration Checks/Industry and Regulatory Standards/CIS Amazon Foundations Benchmark"
  ],
  "FirstObservedAt": "2022-10-21T22:14:48.913Z",
  "LastObservedAt": "2022-12-22T22:24:56.980Z",
  "CreatedAt": "2022-10-21T22:14:48.913Z",
  "UpdatedAt": "2022-12-22T22:24:52.409Z",
  "Severity": {
    "Product": 40,
    "Label": "MEDIUM",
    "Normalized": 40,
    "Original": "MEDIUM"
  },
  "Title": "3.7 Ensure CloudTrail logs are encrypted at rest using KMS CMKs",
  "Description": "Amazon CloudTrail is a web service that records Amazon API calls for an account and makes those logs available to users and resources in accordance with IAM policies. Amazon Key Management Service (KMS) is a managed service that helps create and control the encryption keys used to encrypt account data, and uses Hardware Security Modules (HSMs) to protect the security of encryption keys. CloudTrail logs can be configured to leverage server side encryption (SSE) and Amazon KMS customer created master keys (CMK) to further protect CloudTrail logs. It is recommended that CloudTrail be configured to use SSE-KMS.",
  "Remediation": {
    "Recommendation": {
      "Text": "For directions on how to correct this issue, consult the Amazon Security Hub CSPM controls documentation.",
      "Url": "https://docs.aws.amazon.com/console/securityhub/CloudTrail.2/remediation"
    }
  },
  "ProductFields": {
    "StandardsArn": "arn:aws-cn:securityhub:::standards/cis-aws-foundations-benchmark/v/1.4.0",
    "StandardsSubscriptionArn": "arn:aws-cn:securityhub:us-east-1:123456789012:subscription/cis-aws-foundations-benchmark/v/1.4.0",
    "ControlId": "3.7",
    "RecommendationUrl": "https://docs.aws.amazon.com/console/securityhub/CloudTrail.2/remediation",
    "RelatedAWSResources:0/name": "securityhub-cloud-trail-encryption-enabled-855f82d1",
    "RelatedAWSResources:0/type": "Amazon::Config::ConfigRule",
    "StandardsControlArn": "arn:aws-cn:securityhub:us-east-1:123456789012:control/cis-aws-foundations-benchmark/v/1.4.0/3.7",
    "aws/securityhub/ProductName": "Security Hub CSPM",
    "aws/securityhub/CompanyName": "Amazon",
    "Resources:0/Id": "arn:aws-cn:cloudtrail:us-west-2:123456789012:trail/AmazonMacieTrail-DO-NOT-EDIT",
    "aws/securityhub/FindingId": "arn:aws-cn:securityhub:us-east-1::product/aws/securityhub/arn:aws-cn:securityhub:us-east-1:123456789012:subscription/cis-aws-foundations-benchmark/v/1.4.0/3.7/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
  },
  "Resources": [
    {
      "Type": "AwsCloudTrailTrail",
      "Id": "arn:aws-cn:cloudtrail:us-west-2:123456789012:trail/AmazonMacieTrail-DO-NOT-EDIT",
      "Partition": "aws",
      "Region": "us-east-1"
    }
  ],
  "Compliance": {
    "Status": "FAILED",
    "RelatedRequirements": [
      "CIS Amazon Foundations Benchmark v1.4.0/3.7"
    ],
    "SecurityControlId": "CloudTrail.2",
    "AssociatedStandards": [{
      "StandardsId": "standards/cis-aws-foundations-benchmark/v/1.4.0"
    }]
  },
  "WorkflowState": "NEW",
  "Workflow": {
    "Status": "NEW"
  },
  "RecordState": "ACTIVE",
  "FindingProviderFields": {
    "Severity": {
      "Label": "MEDIUM",
      "Original": "MEDIUM"
    },
    "Types": [
      "Software and Configuration Checks/Industry and Regulatory Standards/CIS Amazon Foundations Benchmark"
    ]
  }
}
```

## Sample finding for CIS Amazon Foundations Benchmark v1.2.0


The following sample provides an example of a finding for a control that applies to CIS Amazon Foundations Benchmark v1.2.0. In this sample, consolidated control findings is disabled.

```
{
  "SchemaVersion": "2018-10-08",
  "Id": "arn:aws-cn:securityhub:us-east-2:123456789012:subscription/cis-aws-foundations-benchmark/v/1.2.0/2.7/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
  "ProductArn": "arn:aws-cn:securityhub:us-east-2::product/aws/securityhub",
  "ProductName": "Security Hub CSPM",
  "CompanyName": "Amazon",
  "Region": "us-east-2",
  "GeneratorId": "arn:aws-cn:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/2.7",
  "AwsAccountId": "123456789012",
  "Types": [
    "Software and Configuration Checks/Industry and Regulatory Standards/CIS Amazon Foundations Benchmark"
  ],
  "FirstObservedAt": "2020-08-29T04:10:06.337Z",
  "LastObservedAt": "2021-09-28T16:10:05.350Z",
  "CreatedAt": "2020-08-29T04:10:06.337Z",
  "UpdatedAt": "2021-09-28T16:10:00.087Z",
  "Severity": {
    "Product": 40,
    "Label": "MEDIUM",
    "Normalized": 40,
    "Original": "MEDIUM"
  },
  "Title": "2.7 Ensure CloudTrail logs are encrypted at rest using KMS CMKs",
  "Description": "Amazon Key Management Service (KMS) is a managed service that helps create and control the encryption keys used to encrypt account data, and uses Hardware Security Modules (HSMs) to protect the security of encryption keys. CloudTrail logs can be configured to leverage server side encryption (SSE) and KMS customer created master keys (CMK) to further protect CloudTrail logs. It is recommended that CloudTrail be configured to use SSE-KMS.",
  "Remediation": {
    "Recommendation": {
      "Text": "For directions on how to correct this issue, consult the Amazon Security Hub CSPM controls documentation.",
      "Url": "https://docs.aws.amazon.com/console/securityhub/CloudTrail.2/remediation"
    }
  },
  "ProductFields": {
    "StandardsGuideArn": "arn:aws-cn:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0",
    "StandardsGuideSubscriptionArn": "arn:aws-cn:securityhub:us-east-2:123456789012:subscription/cis-aws-foundations-benchmark/v/1.2.0",
    "RuleId": "2.7",
    "RecommendationUrl": "https://docs.aws.amazon.com/console/securityhub/CloudTrail.2/remediation",
    "RelatedAmazonResources:0/name": "securityhub-cloud-trail-encryption-enabled-fe95bf3f",
    "RelatedAmazonResources:0/type": "Amazon::Config::ConfigRule",
    "StandardsControlArn": "arn:aws-cn:securityhub:us-east-2:123456789012:control/cis-aws-foundations-benchmark/v/1.2.0/2.7",
    "aws/securityhub/ProductName": "Security Hub CSPM",
    "aws/securityhub/CompanyName": "Amazon",
    "Resources:0/Id": "arn:aws-cn:cloudtrail:us-east-2:123456789012:trail/AmazonMacieTrail-DO-NOT-EDIT",
    "aws/securityhub/FindingId": "arn:aws-cn:securityhub:us-east-2::product/aws/securityhub/arn:aws-cn:securityhub:us-east-2:123456789012:subscription/cis-aws-foundations-benchmark/v/1.2.0/2.7/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
  },
  "Resources": [
    {
      "Type": "AwsCloudTrailTrail",
      "Id": "arn:aws-cn:cloudtrail:us-east-2:123456789012:trail/AmazonMacieTrail-DO-NOT-EDIT",
      "Partition": "aws",
      "Region": "us-east-2"
    }
  ],
  "Compliance": {
    "Status": "FAILED",
    "SecurityControlId": "CloudTrail.2",
    "AssociatedStandards": [{
      "StandardsId": "ruleset/cis-aws-foundations-benchmark/v/1.2.0"
    }]
  },
  "WorkflowState": "NEW",
  "Workflow": {
    "Status": "NEW"
  },
  "RecordState": "ACTIVE",
  "FindingProviderFields": {
    "Severity": {
      "Label": "MEDIUM",
      "Original": "MEDIUM"
    },
    "Types": [
      "Software and Configuration Checks/Industry and Regulatory Standards/CIS Amazon Foundations Benchmark"
    ]
  }
}
```

## Sample finding for the NIST SP 800-53 Revision 5 standard


The following sample provides an example of a finding for a control that applies to the NIST SP 800-53 Revision 5 standard. In this sample, consolidated control findings is disabled.

```
{
  "SchemaVersion": "2018-10-08",
  "Id": "arn:aws-cn:securityhub:us-east-1:123456789012:subscription/nist-800-53/v/5.0.0/CloudTrail.2/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
  "ProductArn": "arn:aws-cn:securityhub:us-east-1::product/aws/securityhub",
  "ProductName": "Security Hub CSPM",
  "CompanyName": "Amazon",
  "Region": "us-east-1",
  "GeneratorId": "nist-800-53/v/5.0.0/CloudTrail.2",
  "AwsAccountId": "123456789012",
  "Types": [
    "Software and Configuration Checks/Industry and Regulatory Standards"
  ],
  "FirstObservedAt": "2023-02-17T14:22:46.726Z",
  "LastObservedAt": "2023-02-17T14:22:50.846Z",
  "CreatedAt": "2023-02-17T14:22:46.726Z",
  "UpdatedAt": "2023-02-17T14:22:46.726Z",
  "Severity": {
    "Product": 40,
    "Label": "MEDIUM",
    "Normalized": 40,
    "Original": "MEDIUM"
  },
  "Title": "CloudTrail.2 CloudTrail should have encryption at-rest enabled",
  "Description": "This Amazon control checks whether Amazon CloudTrail is configured to use the server side encryption (SSE) Amazon Key Management Service (Amazon KMS) customer master key (CMK) encryption. The check will pass if the KmsKeyId is defined.",
  "Remediation": {
    "Recommendation": {
      "Text": "For directions on how to fix this issue, consult the Amazon Security Hub CSPM NIST 800-53 R5 documentation.",
      "Url": "https://docs.aws.amazon.com/console/securityhub/CloudTrail.2/remediation"
    }
  },
  "ProductFields": {
    "StandardsArn": "arn:aws-cn:securityhub:::standards/nist-800-53/v/5.0.0",
    "StandardsSubscriptionArn": "arn:aws-cn:securityhub:us-east-1:123456789012:subscription/nist-800-53/v/5.0.0",
    "ControlId": "CloudTrail.2",
    "RecommendationUrl": "https://docs.aws.amazon.com/console/securityhub/CloudTrail.9/remediation",
    "RelatedAWSResources:0/name": "securityhub-cloud-trail-encryption-enabled-fe95bf3f",
    "RelatedAWSResources:0/type": "Amazon::Config::ConfigRule",
    "StandardsControlArn": "arn:aws-cn:securityhub:us-east-2:123456789012:control/aws-foundational-security-best-practices/v/1.0.0/CloudTrail.2",
    "aws/securityhub/ProductName": "Security Hub CSPM",
    "aws/securityhub/CompanyName": "Amazon",
    "Resources:0/Id": "arn:aws-cn:cloudtrail:us-west-2:123456789012:trail/AmazonMacieTrail-DO-NOT-EDIT",
    "aws/securityhub/FindingId": "arn:aws-cn:securityhub:us-east-1::product/aws/securityhub/arn:aws-cn:securityhub:us-east-1:123456789012:subscription/nist-800-53/v/5.0.0/CloudTrail.2/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
  },
  "Resources": [
    {
      "Type": "AwsCloudTrailTrail", 
      "Id": "arn:aws-cn:cloudtrail:us-east-1:123456789012:trail/AmazonMacieTrail-DO-NOT-EDIT", 
      "Partition": "aws", 
      "Region": "us-east-1"
    }
  ],
  "Compliance": {
    "Status": "FAILED",
    "RelatedRequirements": [
        "NIST.800-53.r5 AU-9",
        "NIST.800-53.r5 CA-9(1)",
        "NIST.800-53.r5 CM-3(6)",
        "NIST.800-53.r5 SC-13",
        "NIST.800-53.r5 SC-28",
        "NIST.800-53.r5 SC-28(1)",
        "NIST.800-53.r5 SC-7(10)",
        "NIST.800-53.r5 SI-7(6)"
    ],
    "SecurityControlId": "CloudTrail.2",
    "AssociatedStandards": [
      {
        "StandardsId": "standards/nist-800-53/v/5.0.0"
      }
    ]
  },
  "WorkflowState": "NEW",
  "Workflow": {
    "Status": "NEW"
  },
  "RecordState": "ACTIVE",
  "FindingProviderFields": {
    "Severity": {
      "Label": "MEDIUM",
      "Original": "MEDIUM"
    },
    "Types": [
      "Software and Configuration Checks/Industry and Regulatory Standards"
    ]
  },
  "ProcessedAt": "2023-02-17T14:22:53.572Z"
}
```

## Sample finding for the NIST SP 800-171 Revision 2 standard


The following sample provides an example of a finding for a control that applies to the NIST SP 800-171 Revision 2 standard. In this sample, consolidated control findings is disabled.

```
{
  "SchemaVersion": "2018-10-08",
  "Id": "arn:aws:securityhub:us-east-1:123456789012:subscription/nist-800-171/v/2.0.0/CloudTrail.2/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
  "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub",
  "ProductName": "Security Hub",
  "CompanyName": "AWS",
  "Region": "us-east-1",
  "GeneratorId": "nist-800-171/v/2.0.0/CloudTrail.2",
  "AwsAccountId": "123456789012",
  "AwsAccountName": "TestAcct",
  "Types": [
    "Software and Configuration Checks/Industry and Regulatory Standards"
  ],
  "FirstObservedAt": "2025-05-29T05:23:58.690Z",
  "LastObservedAt": "2025-05-30T05:50:11.898Z",
  "CreatedAt": "2025-05-29T05:24:24.772Z",
  "UpdatedAt": "2025-05-30T05:50:34.292Z",
  "Severity": {
    "Product": 40,
    "Label": "MEDIUM",
    "Normalized": 40,
    "Original": "MEDIUM"
  },
  "Title": "CloudTrail.2 CloudTrail should have encryption at-rest enabled",
  "Description": "This AWS control checks whether Amazon CloudTrail is configured to use the server side encryption (SSE) Amazon Key Management Service (Amazon KMS) customer master key (CMK) encryption. The check will pass if the KmsKeyId is defined.",
  "Remediation": {
    "Recommendation": {
      "Text": "For information on how to correct this issue, consult the Amazon Security Hub CSPM controls documentation.",
      "Url": "https://docs.aws.amazon.com/console/securityhub/CloudTrail.2/remediation"
    }
  },
  "ProductFields": {
    "StandardsArn": "arn:aws:securityhub:::standards/nist-800-171/v/2.0.0",
    "StandardsSubscriptionArn": "arn:aws:securityhub:us-east-1:123456789012:subscription/nist-800-171/v/2.0.0",
    "ControlId": "CloudTrail.2",
    "RecommendationUrl": "https://docs.aws.amazon.com/console/securityhub/CloudTrail.2/remediation",
    "RelatedAWSResources:0/name": "securityhub-cloud-trail-encryption-enabled-0ab1c2d4",
    "RelatedAWSResources:0/type": "AWS::Config::ConfigRule",
    "StandardsControlArn": "arn:aws:securityhub:us-east-1:123456789012:control/nist-800-171/v/2.0.0/CloudTrail.2",
    "aws/securityhub/ProductName": "Security Hub",
    "aws/securityhub/CompanyName": "AWS",
    "Resources:0/Id": "arn:aws:cloudtrail:ca-central-1:123456789012:trail/aws-BaselineCloudTrail",
    "aws/securityhub/FindingId": "arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:123456789012:subscription/nist-800-171/v/2.0.0/CloudTrail.2/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
  },
  "Resources": [
    {
      "Id": "arn:aws:cloudtrail:ca-central-1:123456789012:trail/aws-BaselineCloudTrail",
      "Partition": "aws",
      "Region": "us-east-1",
      "Type": "AwsCloudTrailTrail"
    }
  ],
  "Compliance": {
    "Status": "FAILED",
    "SecurityControlId": "CloudTrail.2",
    "RelatedRequirements": [
      "NIST.800-171.r2/3.3.8"
    ],
    "AssociatedStandards": [
      {
        "StandardsId": "standards/nist-800-171/v/2.0.0"
      }
    ]
  },
  "Workflow": {
    "Status": "NEW"
  },
  "WorkflowState": "NEW",
  "RecordState": "ACTIVE",
  "FindingProviderFields": {
    "Types": [
      "Software and Configuration Checks/Industry and Regulatory Standards"
    ],
    "Severity": {
      "Product": 40,
      "Label": "MEDIUM",
      "Normalized": 40,
      "Original": "MEDIUM"
    }
  },
  "ProcessedAt": "2025-05-30T05:50:40.297Z"
}
```

## Sample finding for Payment Card Industry Data Security Standard v3.2.1


The following sample provides an example of a finding for a control that applies to Payment Card Industry Data Security Standard (PCI DSS) v3.2.1. In this sample, consolidated control findings is disabled.

```
{
  "SchemaVersion": "2018-10-08",
  "Id": "arn:aws-cn:securityhub:us-east-2:123456789012:subscription/pci-dss/v/3.2.1/PCI.CloudTrail.1/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
  "ProductArn": "arn:aws-cn:securityhub:us-east-2::product/aws/securityhub",
  "ProductName": "Security Hub CSPM",
  "CompanyName": "Amazon",
  "Region": "us-east-2",
  "GeneratorId": "pci-dss/v/3.2.1/PCI.CloudTrail.1",
  "AwsAccountId": "123456789012",
  "Types": [
    "Software and Configuration Checks/Industry and Regulatory Standards/PCI-DSS"
  ],
  "FirstObservedAt": "2020-08-06T02:18:23.089Z",
  "LastObservedAt": "2021-09-28T16:10:06.942Z",
  "CreatedAt": "2020-08-06T02:18:23.089Z",
  "UpdatedAt": "2021-09-28T16:10:00.090Z",
  "Severity": {
    "Product": 40,
    "Label": "MEDIUM",
    "Normalized": 40,
    "Original": "MEDIUM"
  },
  "Title": "PCI.CloudTrail.1 CloudTrail logs should be encrypted at rest using Amazon KMS CMKs",
  "Description": "This Amazon control checks whether Amazon CloudTrail is configured to use the server side encryption (SSE) Amazon Key Management Service (Amazon KMS) customer master key (CMK) encryption by checking if the KmsKeyId is defined.",
  "Remediation": {
    "Recommendation": {
      "Text": "For directions on how to correct this issue, consult the Amazon Security Hub CSPM controls documentation.",
      "Url": "https://docs.aws.amazon.com/console/securityhub/CloudTrail.2/remediation"
    }
  },
  "ProductFields": {
    "StandardsArn": "arn:aws-cn:securityhub:::standards/pci-dss/v/3.2.1",
    "StandardsSubscriptionArn": "arn:aws-cn:securityhub:us-east-2:123456789012:subscription/pci-dss/v/3.2.1",
    "ControlId": "PCI.CloudTrail.1",
    "RecommendationUrl": "https://docs.aws.amazon.com/console/securityhub/CloudTrail.2/remediation",
    "RelatedAmazonResources:0/name": "securityhub-cloud-trail-encryption-enabled-fe95bf3f",
    "RelatedAmazonResources:0/type": "Amazon::Config::ConfigRule",
    "StandardsControlArn": "arn:aws-cn:securityhub:us-east-2:123456789012:control/pci-dss/v/3.2.1/PCI.CloudTrail.1",
    "aws/securityhub/ProductName": "Security Hub CSPM",
    "aws/securityhub/CompanyName": "Amazon",
    "Resources:0/Id": "arn:aws-cn:cloudtrail:us-east-2:123456789012:trail/AmazonMacieTrail-DO-NOT-EDIT",
    "aws/securityhub/FindingId": "arn:aws-cn:securityhub:us-east-2::product/aws/securityhub/arn:aws-cn:securityhub:us-east-2:123456789012:subscription/pci-dss/v/3.2.1/PCI.CloudTrail.1/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
  },
  "Resources": [
    {
      "Type": "AwsCloudTrailTrail",
      "Id": "arn:aws-cn:cloudtrail:us-east-2:123456789012:trail/AmazonMacieTrail-DO-NOT-EDIT",
      "Partition": "aws",
      "Region": "us-east-2"
    }
  ],
  "Compliance": {
    "Status": "FAILED",
    "RelatedRequirements": [
      "PCI DSS 3.4"
    ],
    "SecurityControlId": "CloudTrail.2",
    "AssociatedStandards": [{
      "StandardsId": "standards/pci-dss/v/3.2.1"
    }]
  },
  "WorkflowState": "NEW",
  "Workflow": {
    "Status": "NEW"
  },
  "RecordState": "ACTIVE",
  "FindingProviderFields": {
    "Severity": {
      "Label": "MEDIUM",
      "Original": "MEDIUM"
    },
    "Types": [
      "Software and Configuration Checks/Industry and Regulatory Standards/PCI-DSS"
    ]
  }
}
```

## Sample finding for the Amazon Resource Tagging standard


The following sample provides an example of a finding for a control that applies to the Amazon Resource Tagging standard. In this sample, consolidated control findings is disabled.

```
{
  "SchemaVersion": "2018-10-08",
  "Id": "arn:aws-cn:securityhub:eu-central-1:123456789012:security-control/EC2.44/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
  "ProductArn": "arn:aws-cn:securityhub:eu-central-1::product/aws/securityhub",
  "ProductName": "Security Hub CSPM",
  "CompanyName": "Amazon",
  "Region": "eu-central-1",
  "GeneratorId": "security-control/EC2.44",
  "AwsAccountId": "123456789012",
  "Types": [
    "Software and Configuration Checks/Industry and Regulatory Standards"
  ],
  "FirstObservedAt": "2024-02-19T21:00:32.206Z",
  "LastObservedAt": "2024-04-29T13:01:57.861Z",
  "CreatedAt": "2024-02-19T21:00:32.206Z",
  "UpdatedAt": "2024-04-29T13:01:41.242Z",
  "Severity": {
    "Label": "LOW",
    "Normalized": 1,
    "Original": "LOW"
  },
  "Title": "EC2 subnets should be tagged",
  "Description": "This control checks whether an Amazon EC2 subnet has tags with the specific keys defined in the parameter requiredTagKeys. The control fails if the subnet doesn't have any tag keys or if it doesn't have all the keys specified in the parameter requiredTagKeys. If the parameter requiredTagKeys isn't provided, the control only checks for the existence of a tag key and fails if the subnet isn't tagged with any key. System tags, which are automatically applied and begin with aws:, are ignored.",
  "Remediation": {
    "Recommendation": {
      "Text": "For information on how to correct this issue, consult the Amazon Security Hub CSPM controls documentation.",
      "Url": "https://docs.aws.amazon.com/console/securityhub/EC2.44/remediation"
    }
  },
  "ProductFields": {
    "RelatedAWSResources:0/name": "securityhub-tagged-ec2-subnet-6ceafede",
    "RelatedAWSResources:0/type": "Amazon::Config::ConfigRule",
    "aws/securityhub/ProductName": "Security Hub CSPM",
    "aws/securityhub/CompanyName": "Amazon",
    "aws/securityhub/annotation": "No tags are present.",
    "Resources:0/Id": "arn:aws-cn:ec2:eu-central-1:123456789012:subnet/subnet-1234567890abcdef0",
    "aws/securityhub/FindingId": "arn:aws-cn:securityhub:eu-central-1::product/aws/securityhub/arn:aws:securityhub:eu-central-1:123456789012:security-control/EC2.44/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
  },
  "Resources": [
    {
      "Type": "AwsEc2Subnet",
      "Id": "arn:aws-cn:ec2:eu-central-1:123456789012:subnet/subnet-1234567890abcdef0",
      "Partition": "aws",
      "Region": "eu-central-1",
      "Details": {
        "AwsEc2Subnet": {
          "AssignIpv6AddressOnCreation": false,
          "AvailabilityZone": "eu-central-1b",
          "AvailabilityZoneId": "euc1-az3",
          "AvailableIpAddressCount": 4091,
          "CidrBlock": "10.24.34.0/23",
          "DefaultForAz": true,
          "MapPublicIpOnLaunch": true,
          "OwnerId": "123456789012",
          "State": "available",
          "SubnetArn": "arn:aws-cn:ec2:eu-central-1:123456789012:subnet/subnet-1234567890abcdef0",
          "SubnetId": "subnet-1234567890abcdef0",
          "VpcId": "vpc-021345abcdef6789"
        }
      }
    }
  ],
  "Compliance": {
    "Status": "FAILED",
    "SecurityControlId": "EC2.44",
    "AssociatedStandards": [
      {
        "StandardsId": "standards/aws-resource-tagging-standard/v/1.0.0"
      }
    ],
    "SecurityControlParameters": [
      {
        "Name": "requiredTagKeys",
        "Value": [
          "peepoo"
        ]
      }
    ]
  },
  "WorkflowState": "NEW",
  "Workflow": {
    "Status": "NEW"
  },
  "RecordState": "ACTIVE",
  "FindingProviderFields": {
    "Severity": {
      "Label": "LOW",
      "Original": "LOW"
    },
    "Types": [
      "Software and Configuration Checks/Industry and Regulatory Standards"
    ]
  },
  "ProcessedAt": "2024-04-29T13:02:03.259Z"
}
```

## Sample finding for the Amazon Control Tower service-managed standard


The following sample provides an example of a finding for a control that applies to the Amazon Control Tower service-managed standard. In this sample, consolidated control findings is disabled.

```
{
  "SchemaVersion": "2018-10-08",
  "Id": "arn:aws-cn:securityhub:us-east-1:123456789012:subscription/service-managed-aws-control-tower/v/1.0.0/CloudTrail.2/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
  "ProductArn": "arn:aws-cn:securityhub:us-east-1::product/aws/securityhub",
  "ProductName": "Security Hub CSPM",
  "CompanyName": "Amazon",
  "Region": "us-east-1",
  "GeneratorId": "service-managed-aws-control-tower/v/1.0.0/CloudTrail.2",
  "AwsAccountId": "123456789012",
  "Types": [
    "Software and Configuration Checks/Industry and Regulatory Standards"
  ],
  "FirstObservedAt": "2022-11-17T01:25:30.296Z",
  "LastObservedAt": "2022-11-17T01:25:45.805Z",
  "CreatedAt": "2022-11-17T01:25:30.296Z",
  "UpdatedAt": "2022-11-17T01:25:30.296Z",
  "Severity": {
    "Product": 40,
    "Label": "MEDIUM",
    "Normalized": 40,
    "Original": "MEDIUM"
  },
  "Title": "CT.CloudTrail.2 CloudTrail should have encryption at-rest enabled",
  "Description": "This Amazon control checks whether Amazon CloudTrail is configured to use the server side encryption (SSE) Amazon Key Management Service (Amazon KMS) customer master key (CMK) encryption. The check will pass if the KmsKeyId is defined.",
  "Remediation": {
    "Recommendation": {
      "Text": "For information on how to correct this issue, consult the Amazon Security Hub CSPM controls documentation.",
      "Url": "https://docs.aws.amazon.com/console/securityhub/CloudTrail.2/remediation"
    }
  },
  "ProductFields": {
    "StandardsArn": "arn:aws-cn:securityhub:::standards/service-managed-aws-control-tower/v/1.0.0",
    "StandardsSubscriptionArn": "arn:aws-cn:securityhub:us-east-1:123456789012:subscription/service-managed-aws-control-tower/v/1.0.0",
    "ControlId": "CT.CloudTrail.2",
    "RecommendationUrl": "https://docs.aws.amazon.com/console/securityhub/CloudTrail.2/remediation",
    "RelatedAWSResources:0/name": "securityhub-cloud-trail-encryption-enabled-fe95bf3f",
    "RelatedAWSResources:0/type": "Amazon::Config::ConfigRule",
    "StandardsControlArn": "arn:aws-cn:securityhub:us-east-1:123456789012:control/service-managed-aws-control-tower/v/1.0.0/CloudTrail.2",
    "aws/securityhub/ProductName": "Security Hub CSPM",
    "aws/securityhub/CompanyName": "Amazon",
    "Resources:0/Id": "arn:aws-cn:cloudtrail:us-east-2:123456789012:trail/AWSMacieTrail-DO-NOT-EDIT",
    "aws/securityhub/FindingId": "arn:aws-cn:securityhub:us-east-1::product/aws/securityhub/arn:aws-cn:securityhub:us-east-1:123456789012:subscription/service-managed-aws-control-tower/v/1.0.0/CloudTrail.2/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
  },
  "Resources": [
    {
      "Type": "AwsAccount",
      "Id": "Amazon::::Account:123456789012",
      "Partition": "aws",
      "Region": "us-east-1"
    }
  ],
  "Compliance": {
    "Status": "FAILED",
    "SecurityControlId": "CloudTrail.2",
    "AssociatedStandards": [{
      "StandardsId": "standards/service-managed-aws-control-tower/v/1.0.0"
    }]
  },
  "WorkflowState": "NEW",
  "Workflow": {
    "Status": "NEW"
  },
  "RecordState": "ACTIVE",
  "FindingProviderFields": {
    "Severity": {
      "Label": "MEDIUM",
      "Original": "MEDIUM"
    },
    "Types": [
      "Software and Configuration Checks/Industry and Regulatory Standards"
    ]
  }
}
```

## Sample consolidated finding for multiple standards


The following sample provides an example of a finding for a control that applies to multiple enabled standards. In this sample, consolidated control findings is enabled.

```
{
  "SchemaVersion": "2018-10-08",
  "Id": "arn:aws:securityhub:us-east-1:123456789012:security-control/CloudTrail.2/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
  "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub",
  "ProductName": "Security Hub",
  "CompanyName": "AWS",
  "Region": "us-east-1",
  "GeneratorId": "security-control/CloudTrail.2",
  "AwsAccountId": "123456789012",
  "Types": [
    "Software and Configuration Checks/Industry and Regulatory Standards"
  ],
  "FirstObservedAt": "2024-08-09T14:57:04.521Z",
  "LastObservedAt": "2025-05-30T03:30:17.407Z",
  "CreatedAt": "2024-08-09T14:57:04.521Z",
  "UpdatedAt": "2025-05-30T03:30:32.781Z",
  "Severity": {
    "Label": "MEDIUM",
    "Normalized": 40,
    "Original": "MEDIUM"
  },
  "Title": "CloudTrail should have encryption at-rest enabled",
  "Description": "This AWS control checks whether Amazon CloudTrail is configured to use the server side encryption (SSE) Amazon Key Management Service (Amazon KMS) customer master key (CMK) encryption. The check will pass if the KmsKeyId is defined.",
  "Remediation": {
    "Recommendation": {
      "Text": "For information on how to correct this issue, consult the Amazon Security Hub CSPM controls documentation.",
      "Url": "https://docs.aws.amazon.com/console/securityhub/CloudTrail.2/remediation"
    }
  },
  "ProductFields": {
    "RelatedAWSResources:0/name": "securityhub-cloud-trail-encryption-enabled-01a2b345",
    "RelatedAWSResources:0/type": "AWS::Config::ConfigRule",
    "aws/securityhub/ProductName": "Security Hub",
    "aws/securityhub/CompanyName": "AWS",
    "Resources:0/Id": "arn:aws:cloudtrail:us-east-1:123456789012:trail/TestTrail-DO-NOT-DELETE",
    "aws/securityhub/FindingId": "arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:123456789012:security-control/CloudTrail.2/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
  },
  "Resources": [
    {
      "Type": "AwsCloudTrailTrail",
      "Id": "arn:aws:cloudtrail:us-east-1:123456789012:trail/TestTrail-DO-NOT-DELETE",
      "Partition": "aws",
      "Region": "us-east-1",
      "Details": {
        "AwsCloudTrailTrail": {
          "HasCustomEventSelectors": false,
          "IncludeGlobalServiceEvents": true,
          "LogFileValidationEnabled": true,
          "HomeRegion": "us-east-1",
          "IsMultiRegionTrail": true,
          "S3BucketName": "cloudtrail-awslogs-do-not-delete",
          "IsOrganizationTrail": false,
          "Name": "TestTrail-DO-NOT-DELETE"
        }
      }
    }
  ],
  "Compliance": {
    "Status": "FAILED",
    "SecurityControlId": "CloudTrail.2",
    "RelatedRequirements": [
      "CIS AWS Foundations Benchmark v1.2.0/2.7",
      "CIS AWS Foundations Benchmark v1.4.0/3.7",
      "CIS AWS Foundations Benchmark v3.0.0/3.5",
      "NIST.800-171.r2/3.3.8",
      "PCI DSS v3.2.1/3.4",
      "PCI DSS v4.0.1/10.3.2"
    ],
    "AssociatedStandards": [
      { "StandardsId": "ruleset/cis-aws-foundations-benchmark/v/1.2.0"},
      { "StandardsId": "standards/aws-foundational-security-best-practices/v/1.0.0"},
      { "StandardsId": "standards/cis-aws-foundations-benchmark/v/1.4.0"},
      { "StandardsId": "standards/cis-aws-foundations-benchmark/v/3.0.0"},
      { "StandardsId": "standards/nist-800-171/v/2.0.0"},
      { "StandardsId": "standards/pci-dss/v/3.2.1"},
      { "StandardsId": "standards/pci-dss/v/4.0.1"}
    ]
  },
  "Workflow": {
    "Status": "NEW"
  },
  "WorkflowState": "NEW",
  "RecordState": "ACTIVE",
  "FindingProviderFields": {
    "Types": [
      "Software and Configuration Checks/Industry and Regulatory Standards"
    ],
    "Severity": {
      "Normalized": 40,
      "Label": "MEDIUM",
      "Original": "MEDIUM"
    }
  },
  "ProcessedAt": "2025-05-30T03:31:00.831Z"
}
```
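As an added example (not code from the Security Hub CSPM documentation or from AWS), the following Python reads findings shaped like the samples above and builds one row per failed control, telling a standard-specific finding (`GeneratorId` of the form `<standard>/v/<version>/<ControlId>`) apart from a consolidated one (`security-control/<ControlId>`). The embedded findings are constructed and trimmed to the fields the code reads, and the `Owner` tag key is made up.

```python
import json

# Constructed findings, trimmed to the fields read below. The first two mirror
# the CloudTrail.2 samples (standard-specific, then consolidated); the third
# mirrors the EC2.44 tagging sample with a made-up requiredTagKeys value.
SAMPLE_JSON = json.dumps({"Findings": [
    {"GeneratorId": "nist-800-171/v/2.0.0/CloudTrail.2",
     "Severity": {"Label": "MEDIUM", "Normalized": 40},
     "RecordState": "ACTIVE", "Workflow": {"Status": "NEW"},
     "Compliance": {
         "Status": "FAILED", "SecurityControlId": "CloudTrail.2",
         "RelatedRequirements": ["NIST.800-171.r2/3.3.8"],
         "AssociatedStandards": [
             {"StandardsId": "standards/nist-800-171/v/2.0.0"}]}},
    {"GeneratorId": "security-control/CloudTrail.2",
     "Severity": {"Label": "MEDIUM", "Normalized": 40},
     "RecordState": "ACTIVE", "Workflow": {"Status": "NOTIFIED"},
     "Compliance": {
         "Status": "FAILED", "SecurityControlId": "CloudTrail.2",
         "RelatedRequirements": [
             "CIS AWS Foundations Benchmark v1.4.0/3.7",
             "NIST.800-171.r2/3.3.8", "PCI DSS v3.2.1/3.4"],
         "AssociatedStandards": [
             {"StandardsId": "standards/cis-aws-foundations-benchmark/v/1.4.0"},
             {"StandardsId": "standards/nist-800-171/v/2.0.0"},
             {"StandardsId": "standards/pci-dss/v/3.2.1"}]}},
    {"GeneratorId": "security-control/EC2.44",
     "Severity": {"Label": "LOW", "Normalized": 1},
     "RecordState": "ACTIVE", "Workflow": {"Status": "NEW"},
     "Compliance": {
         "Status": "FAILED", "SecurityControlId": "EC2.44",
         "AssociatedStandards": [
             {"StandardsId": "standards/aws-resource-tagging-standard/v/1.0.0"}],
         "SecurityControlParameters": [
             {"Name": "requiredTagKeys", "Value": ["Owner"]}]}},
]})


def parse_findings(text):
    """Accept a GetFindings-style response ({"Findings": [...]}), a bare list,
    or a single finding object, and return a list of finding dicts."""
    data = json.loads(text)
    if isinstance(data, dict) and "Findings" in data:
        return data["Findings"]
    return data if isinstance(data, list) else [data]


def is_consolidated(finding):
    """Consolidated control findings carry GeneratorId 'security-control/<ControlId>'."""
    return finding.get("GeneratorId", "").startswith("security-control/")


def control_id(finding):
    """Compliance.SecurityControlId is present in both shapes; fall back to the
    last path element of GeneratorId (e.g. 'CloudTrail.2')."""
    cid = finding.get("Compliance", {}).get("SecurityControlId")
    return cid or finding["GeneratorId"].rsplit("/", 1)[-1]


def standards_for(finding):
    """Every StandardsId the finding is associated with (one for a
    standard-specific finding, several for a consolidated one)."""
    assoc = finding.get("Compliance", {}).get("AssociatedStandards", [])
    return {s["StandardsId"] for s in assoc}


def control_parameters(finding):
    """Compliance.SecurityControlParameters as {Name: Value}."""
    params = finding.get("Compliance", {}).get("SecurityControlParameters", [])
    return {p["Name"]: p["Value"] for p in params}


def summarize_failed_controls(findings):
    """Group FAILED findings by control: worst severity seen, every standard
    and requirement the control maps to, and the parameters it was run with."""
    summary = {}
    for f in findings:
        comp = f.get("Compliance", {})
        if comp.get("Status") != "FAILED":
            continue
        entry = summary.setdefault(control_id(f), {
            "severity": None, "normalized": -1, "consolidated": False,
            "standards": set(), "requirements": set(), "parameters": {}})
        sev = f.get("Severity", {})
        if sev.get("Normalized", 0) > entry["normalized"]:
            entry["normalized"] = sev.get("Normalized", 0)
            entry["severity"] = sev.get("Label")
        entry["consolidated"] = entry["consolidated"] or is_consolidated(f)
        entry["standards"] |= standards_for(f)
        entry["requirements"] |= set(comp.get("RelatedRequirements", []))
        entry["parameters"].update(control_parameters(f))
    return summary


def prioritized(summary):
    """Control IDs ordered by normalized severity, highest first."""
    return sorted(summary, key=lambda cid: summary[cid]["normalized"], reverse=True)


if __name__ == "__main__":
    rows = summarize_failed_controls(parse_findings(SAMPLE_JSON))
    for cid in prioritized(rows):
        print(cid, rows[cid]["severity"], sorted(rows[cid]["standards"]))
```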

# Understanding integrations in Security Hub CSPM
Integrations

Amazon Security Hub CSPM can ingest security findings from several Amazon Web Services services and supported third-party Amazon Partner Network security solutions. These integrations can help you get a comprehensive view of security and compliance across your Amazon environment. Security Hub CSPM ingests findings from integrated solutions and converts them to the Amazon Security Finding Format (ASFF).

**Important**  
For supported Amazon and third-party product integrations, Security Hub CSPM receives and consolidates findings that are generated only after you enable Security Hub CSPM for your Amazon Web Services accounts. The service doesn't retroactively receive and consolidate security findings that were generated before you enabled Security Hub CSPM.

The **Integrations** page of the Security Hub CSPM console provides access to available Amazon and third-party product integrations. The Security Hub CSPM API also has operations for managing integrations.

An integration might not be available in all Amazon Web Services Regions. If an integration isn't supported in the Region that you are currently signed in to on the Security Hub CSPM console, it doesn't appear on the **Integrations** page of the console. For a list of integrations that are available in the China Regions and Amazon GovCloud (US) Regions, see [Availability of integrations by Region](securityhub-regions.md#securityhub-regions-integration-support).

In addition to Amazon Web Services service and built-in third-party integrations, you can integrate custom security products with Security Hub CSPM. You can then send findings from these products to Security Hub CSPM by using the Security Hub CSPM API. You can also use the API to update existing findings that Security Hub CSPM received from a custom security product.

**Topics**
+ [Reviewing a list of Security Hub CSPM integrations](securityhub-integrations-view-filter.md)
+ [Enabling the flow of findings from a Security Hub CSPM integration](securityhub-integration-enable.md)
+ [Disabling the flow of findings from a Security Hub CSPM integration](securityhub-integration-disable.md)
+ [Viewing findings from a Security Hub CSPM integration](securityhub-integration-view-findings.md)
+ [Amazon Web Services service integrations with Security Hub CSPM](securityhub-internal-providers.md)
+ [Third-party product integrations with Security Hub CSPM](securityhub-partner-providers.md)
+ [Integrating Security Hub CSPM with custom products](securityhub-custom-providers.md)

# Reviewing a list of Security Hub CSPM integrations
Reviewing a list of integrations

Choose your preferred method, and follow the steps to review a list of integrations in Amazon Security Hub CSPM or details about a specific integration.

------
#### [ Security Hub CSPM console ]

**To review integration options and details (console)**

1. Open the Amazon Security Hub CSPM console at [https://console.amazonaws.cn/securityhub/](https://console.amazonaws.cn/securityhub/).

1. In the Security Hub CSPM navigation pane, choose **Integrations**.

On the **Integrations** page, integrations with other Amazon Web Services services are listed first, followed by integrations with third-party products.

For each integration, the **Integrations** page provides the following information:
+ The name of the company
+ The name of the product
+ A description of the integration
+ The categories that the integration applies to
+ How to enable the integration
+ The current status of the integration

You can filter the list by entering text from the following fields:
+ Company name
+ Product name
+ Integration description
+ Categories

------
#### [ Security Hub CSPM API ]

**To review integration options and details (API)**

To get a list of integrations, use the [DescribeProducts](https://docs.amazonaws.cn//securityhub/1.0/APIReference/API_DescribeProducts.html) operation. If you're using the Amazon CLI, run the [describe-products](https://docs.amazonaws.cn/cli/latest/reference/securityhub/describe-products.html) command.

To retrieve details for a specific product integration, use the `ProductArn` parameter to specify the Amazon Resource Name (ARN) of the integration.

For example, the following Amazon CLI command retrieves details about the Security Hub CSPM integration with 3CORESec.

```
$ aws securityhub describe-products --product-arn "arn:aws-cn:securityhub:us-east-1::product/3coresec/3coresec"
```

------

# Enabling the flow of findings from a Security Hub CSPM integration
Enabling the flow of findings from an integration

On the **Integrations** page of the Amazon Security Hub CSPM console, you can see the required steps to enable each integration.

For most of the integrations with other Amazon Web Services services, the only required step to enable the integration is to enable the other service. The integration information includes a link to the other service's home page. When you enable the other service, a resource-level permission that allows Security Hub CSPM to receive findings from the service is then automatically created and applied.

For third-party product integrations, you may need to purchase the integration from the Amazon Web Services Marketplace, and then configure the integration. The integration information provides links to complete these tasks.

If more than one version of a product is available in Amazon Web Services Marketplace, select the version that you want to subscribe to, and then choose **Continue to Subscribe**. For example, some products offer a standard version and an Amazon GovCloud (US) version.

When you enable a product integration, a resource policy is automatically attached to that product subscription. This resource policy defines the permissions that Security Hub CSPM needs to receive findings from that product.

After you complete any preliminary steps to enable an integration, you can then disable and re-enable the flow of findings from that integration. On the **Integrations** page, for integrations that send findings, the **Status** information indicates whether you are currently accepting findings.

------
#### [ Security Hub CSPM console ]

**To enable the flow of findings from an integration (console)**

1. Open the Amazon Security Hub CSPM console at [https://console.amazonaws.cn/securityhub/](https://console.amazonaws.cn/securityhub/).

1. In the Security Hub CSPM navigation pane, choose **Integrations**.

1. For integrations that send findings, the **Status** information indicates whether Security Hub CSPM is currently accepting findings from that integration.

1. Choose **Accept findings**.

------
#### [ Security Hub CSPM API ]

Use the [EnableImportFindingsForProduct](https://docs.amazonaws.cn//securityhub/1.0/APIReference/API_EnableImportFindingsForProduct.html) operation. If you're using the Amazon CLI, run the [enable-import-findings-for-product](https://docs.amazonaws.cn/cli/latest/reference/securityhub/enable-import-findings-for-product.html) command. To enable Security Hub CSPM to receive findings from an integration, you need the product ARN. To obtain the ARNs for the available integrations, use the [DescribeProducts](https://docs.amazonaws.cn//securityhub/1.0/APIReference/API_DescribeProducts.html) operation. If you're using the Amazon CLI, run the [describe-products](https://docs.amazonaws.cn/cli/latest/reference/securityhub/describe-products.html) command.

For example, the following Amazon CLI command enables Security Hub CSPM to receive findings from the CrowdStrike Falcon integration. This example is formatted for Linux, macOS, or Unix, and it uses the backslash (\\) line-continuation character to improve readability.

```
$ aws securityhub enable-import-findings-for-product --product-arn "arn:aws-cn:securityhub:us-east-1:123456789333:product/crowdstrike/crowdstrike-falcon"
```

------

# Disabling the flow of findings from a Security Hub CSPM integration
Disabling the flow of findings from an integration

Choose your preferred method, and follow the steps to disable the flow of findings from an Amazon Security Hub CSPM integration.

------
#### [ Security Hub CSPM console ]

**To disable the flow of findings from an integration (console)**

1. Open the Amazon Security Hub CSPM console at [https://console.amazonaws.cn/securityhub/](https://console.amazonaws.cn/securityhub/).

1. In the Security Hub CSPM navigation pane, choose **Integrations**.

1. For integrations that send findings, the **Status** information indicates whether Security Hub CSPM is currently accepting findings from that integration.

1. Choose **Stop accepting findings**.

------
#### [ Security Hub CSPM API ]

Use the [DisableImportFindingsForProduct](https://docs.amazonaws.cn//securityhub/1.0/APIReference/API_DisableImportFindingsForProduct.html) operation. If you're using the Amazon CLI, run the [disable-import-findings-for-product](https://docs.amazonaws.cn/cli/latest/reference/securityhub/disable-import-findings-for-product.html) command. To disable the flow of findings from an integration, you need the subscription ARN for the enabled integration. To obtain the subscription ARN, use the [ListEnabledProductsForImport](https://docs.amazonaws.cn//securityhub/1.0/APIReference/API_ListEnabledProductsForImport.html) operation. If you're using the Amazon CLI, run the [list-enabled-products-for-import](https://docs.amazonaws.cn/cli/latest/reference/securityhub/list-enabled-products-for-import.html) command.

For example, the following Amazon CLI command disables the flow of findings to Security Hub CSPM from the CrowdStrike Falcon integration. This example is formatted for Linux, macOS, or Unix, and it uses the backslash (\\) line-continuation character to improve readability.

```
$ aws securityhub disable-import-findings-for-product --product-subscription-arn "arn:aws-cn:securityhub:us-west-1:123456789012:product-subscription/crowdstrike/crowdstrike-falcon"
```

------

# Viewing findings from a Security Hub CSPM integration
Viewing findings from an integration

When you start accepting findings from an Amazon Security Hub CSPM integration, the **Integrations** page of the Security Hub CSPM console displays the **Status** of the integration as **Accepting findings**. To review a list of findings from the integration, choose **See findings**.

The findings list shows the active findings for the selected integration that have a workflow status of `NEW` or `NOTIFIED`.

If you enable cross-Region aggregation, then in the aggregation Region, the list includes findings from the aggregation Region and from linked Regions where the integration is enabled. Security Hub does not automatically enable integrations based on the cross-Region aggregation configuration.

In other Regions, the finding list for an integration only contains findings from the current Region.

For information on how to configure cross-Region aggregation, see [Understanding cross-Region aggregation in Security Hub CSPM](finding-aggregation.md).

From the findings list, you can perform the following actions.
+ [Change the filters and grouping for the list](securityhub-findings-manage.md)
+ [View details for individual findings](securityhub-findings-viewing.md#finding-view-details-console)
+ [Update the workflow status of findings](findings-workflow-status.md)
+ [Send findings to custom actions](findings-custom-action.md)
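The integration findings list described above, reproduced in Python as an added example (not Security Hub CSPM code): only `ACTIVE` findings with workflow status `NEW` or `NOTIFIED` are kept, and in the aggregation Region the linked Regions are included. It assumes that the `product/<company>/<product>` part of `ProductArn` identifies an integration regardless of Region; the finding records, their `Id` values and the Region names are constructed.

```python
# Constructed findings, trimmed to the fields the view reads. Ids are
# placeholders, not real finding ARNs.
SAMPLE_FINDINGS = [
    {"Id": "f1", "Region": "us-east-1", "RecordState": "ACTIVE",
     "Workflow": {"Status": "NEW"},
     "ProductArn": "arn:aws-cn:securityhub:us-east-1::product/aws/guardduty"},
    {"Id": "f2", "Region": "eu-west-1", "RecordState": "ACTIVE",
     "Workflow": {"Status": "NOTIFIED"},
     "ProductArn": "arn:aws-cn:securityhub:eu-west-1::product/aws/guardduty"},
    {"Id": "f3", "Region": "us-east-1", "RecordState": "ACTIVE",
     "Workflow": {"Status": "RESOLVED"},  # resolved: hidden from the list
     "ProductArn": "arn:aws-cn:securityhub:us-east-1::product/aws/guardduty"},
    {"Id": "f4", "Region": "us-east-1", "RecordState": "ARCHIVED",
     "Workflow": {"Status": "NEW"},  # archived: not an active finding
     "ProductArn": "arn:aws-cn:securityhub:us-east-1::product/aws/guardduty"},
    {"Id": "f5", "Region": "us-east-1", "RecordState": "ACTIVE",
     "Workflow": {"Status": "NEW"},  # a different integration
     "ProductArn": "arn:aws-cn:securityhub:us-east-1::product/aws/inspector"},
    {"Id": "f6", "Region": "ap-south-1", "RecordState": "ACTIVE",
     "Workflow": {"Status": "NEW"},  # Region not linked for aggregation
     "ProductArn": "arn:aws-cn:securityhub:ap-south-1::product/aws/guardduty"},
]

# Workflow statuses shown when you choose "See findings" for an integration.
VISIBLE_WORKFLOW_STATUSES = {"NEW", "NOTIFIED"}


def product_key(product_arn):
    """Region-independent identifier of an integration (assumption): the
    'product/<company>/<product>' resource part of the ProductArn. Works for
    both 'arn:...:us-east-1::product/aws/guardduty' and ARNs that carry an
    account ID, such as '...:123456789333:product/crowdstrike/crowdstrike-falcon'."""
    return product_arn.rsplit(":", 1)[-1]


def visible_regions(current_region, aggregation_region=None, linked_regions=()):
    """In the aggregation Region the list spans the linked Regions as well;
    in any other Region only that Region's findings are listed."""
    if aggregation_region is not None and current_region == aggregation_region:
        return {aggregation_region, *linked_regions}
    return {current_region}


def integration_findings(findings, product_arn, current_region,
                         aggregation_region=None, linked_regions=()):
    """Findings the console would list for one integration in one Region."""
    regions = visible_regions(current_region, aggregation_region, linked_regions)
    wanted = product_key(product_arn)
    return [
        f for f in findings
        if product_key(f.get("ProductArn", "")) == wanted
        and f.get("Region") in regions
        and f.get("RecordState") == "ACTIVE"
        and f.get("Workflow", {}).get("Status") in VISIBLE_WORKFLOW_STATUSES
    ]


def finding_ids(findings):
    return [f["Id"] for f in findings]


if __name__ == "__main__":
    gd = "arn:aws-cn:securityhub:us-east-1::product/aws/guardduty"
    view = integration_findings(SAMPLE_FINDINGS, gd, "us-east-1",
                                aggregation_region="us-east-1",
                                linked_regions=("eu-west-1",))
    print(finding_ids(view))
```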

# Amazon Web Services service integrations with Security Hub CSPM
Amazon Web Services service integrations

Amazon Security Hub CSPM supports integrations with several other Amazon Web Services services. These integrations can help you get a comprehensive view of security and compliance across your Amazon environment.

Unless indicated otherwise below, Amazon Web Services service integrations that send findings to Security Hub CSPM are activated automatically after you enable Security Hub CSPM and the other service. Integrations that receive Security Hub CSPM findings might require additional steps for activation. Review the information about each integration to learn more.

Some integrations aren't available in all Amazon Web Services Regions. On the Security Hub CSPM console, an integration doesn't appear on the **Integrations** page if it isn't supported in the current Region. For a list of integrations that are available in the China Regions and Amazon GovCloud (US) Regions, see [Availability of integrations by Region](securityhub-regions.md#securityhub-regions-integration-support).

## Overview of Amazon service integrations with Security Hub CSPM


The following table provides an overview of Amazon services that send findings to Security Hub CSPM or receive findings from Security Hub CSPM.


| Integrated Amazon service | Direction | 
| --- | --- | 
|  [Amazon Config](#integration-config)  |  Sends findings  | 
|  [Amazon Firewall Manager](#integration-aws-firewall-manager)  |  Sends findings  | 
|  [Amazon GuardDuty](#integration-amazon-guardduty)  |  Sends findings  | 
|  [Amazon Health](#integration-health)  |  Sends findings  | 
|  [Amazon Identity and Access Management Access Analyzer](#integration-iam-access-analyzer)  |  Sends findings  | 
|  [Amazon Inspector](#integration-amazon-inspector)  |  Sends findings  | 
|  [Amazon IoT Device Defender](#integration-iot-device-defender)  |  Sends findings  | 
|  [Amazon Macie](#integration-amazon-macie)  |  Sends findings  | 
|  [Amazon Route 53 Resolver DNS Firewall](#integration-amazon-r53rdnsfirewall)  |  Sends findings  | 
|  [Amazon Systems Manager Patch Manager](#patch-manager)  |  Sends findings  | 
|  [Amazon Audit Manager](#integration-aws-audit-manager)  |  Receives findings  | 
|  [Amazon Q Developer in chat applications](#integration-chatbot)  |  Receives findings  | 
|  [Amazon Detective](#integration-amazon-detective)  |  Receives findings  | 
|  [Amazon Security Lake](#integration-security-lake)  |  Receives findings  | 
|  [Amazon Systems Manager Explorer and OpsCenter](#integration-ssm-explorer-opscenter)  |  Receives and updates findings  | 
|  [Amazon Trusted Advisor](#integration-trusted-advisor)  |  Receives findings  | 

## Amazon Web Services services that send findings to Security Hub CSPM


The following Amazon Web Services services integrate with and can send findings to Security Hub CSPM. Security Hub CSPM converts the findings to the [Amazon Security Finding Format](securityhub-findings-format.md).

### Amazon Config (Sends findings)


Amazon Config is a service that allows you to assess, audit, and evaluate the configurations of your Amazon resources. Amazon Config continuously monitors and records your Amazon resource configurations and allows you to automate the evaluation of recorded configurations against desired configurations.

By using the integration with Amazon Config, you can see the results of Amazon Config managed and custom rule evaluations as findings in Security Hub CSPM. These findings can be viewed alongside other Security Hub CSPM findings, providing a comprehensive overview of your security posture.

Amazon Config uses Amazon EventBridge to send Amazon Config rule evaluations to Security Hub CSPM. Security Hub CSPM transforms the rule evaluations into findings that follow the [Amazon Security Finding Format](securityhub-findings-format.md). Security Hub CSPM then enriches the findings on a best-effort basis by getting more information about the impacted resources, such as the Amazon Resource Name (ARN), resource tags, and creation date.

For more information about this integration, see the following sections.

#### How Amazon Config sends findings to Security Hub CSPM


All findings in Security Hub CSPM use the standard JSON format of ASFF. ASFF includes details about the origin of the finding, the affected resource, and the current status of the finding. Amazon Config sends managed and custom rule evaluations to Security Hub CSPM through EventBridge. Security Hub CSPM transforms the rule evaluations into findings that follow ASFF and enriches the findings on a best-effort basis.

##### Types of findings that Amazon Config sends to Security Hub CSPM


After the integration is activated, Amazon Config sends evaluations of all Amazon Config managed rules and custom rules to Security Hub CSPM. Only evaluations that were performed after Security Hub CSPM was enabled are sent. For example, suppose that an Amazon Config rule evaluation reveals five failed resources. If you enable Security Hub CSPM after that evaluation and the rule then reveals a sixth failed resource, Amazon Config sends only the sixth resource evaluation to Security Hub CSPM.

Evaluations from [service-linked Amazon Config rules](securityhub-setup-prereqs.md), such as those used to run checks for Security Hub CSPM controls, are excluded. The exception is findings generated by service-linked rules that Amazon Control Tower creates and manages in Amazon Config. Including findings for these rules helps ensure that your findings data includes the results of proactive checks performed by Amazon Control Tower.

##### Sending Amazon Config findings to Security Hub CSPM


When the integration is activated, Security Hub CSPM will automatically assign the permissions necessary to receive findings from Amazon Config. Security Hub CSPM uses service-to-service level permissions that provide you with a safe way to activate this integration and import findings from Amazon Config via Amazon EventBridge.

##### Latency for sending findings


When Amazon Config creates a new finding, you can usually view the finding in Security Hub CSPM within five minutes.

##### Retrying when Security Hub CSPM is not available


Amazon Config sends findings to Security Hub CSPM on a best-effort basis through EventBridge. When an event isn't successfully delivered to Security Hub CSPM, EventBridge retries delivery for up to 24 hours or 185 times, whichever comes first.

##### Updating existing Amazon Config findings in Security Hub CSPM


After Amazon Config sends a finding to Security Hub CSPM, it can send updates to the same finding to Security Hub CSPM to reflect additional observations of the finding activity. Updates are only sent for `ComplianceChangeNotification` events. If no compliance change occurs, updates aren't sent to Security Hub CSPM. Security Hub CSPM deletes findings 90 days after the most recent update or 90 days after creation if no update occurs.

Security Hub CSPM doesn't archive findings that are sent from Amazon Config even if you delete the associated resource.

##### Regions in which Amazon Config findings exist


Amazon Config findings occur on a Regional basis. Amazon Config sends findings to Security Hub CSPM in the same Region or Regions where the findings occur.

#### Viewing Amazon Config findings in Security Hub CSPM


To view your Amazon Config findings, choose **Findings** from the Security Hub CSPM navigation pane. To filter the findings to display only Amazon Config findings, choose **Product name** in the search bar drop-down. Enter **Config**, and choose **Apply**.

##### Interpreting Amazon Config finding names in Security Hub CSPM


Security Hub CSPM transforms Amazon Config rule evaluations into findings that follow the [Amazon Security Finding Format (ASFF)](securityhub-findings-format.md). Amazon Config rule evaluations use a different event pattern compared to ASFF. The following table maps the Amazon Config rule evaluation fields with their ASFF counterpart as they appear in Security Hub CSPM.


| Config rule evaluation finding type | ASFF finding type | Hardcoded value | 
| --- | --- | --- | 
| detail.awsAccountId | AwsAccountId |   | 
| detail.newEvaluationResult.resultRecordedTime | CreatedAt |   | 
| detail.newEvaluationResult.resultRecordedTime | UpdatedAt |   | 
|  | ProductArn | "arn:<partition>:securityhub:<region>::product/aws/config" | 
|  | ProductName | "Config" | 
|  | CompanyName | "Amazon" | 
|  | Region | "eu-central-1" | 
| configRuleArn | GeneratorId, ProductFields |  | 
| detail.ConfigRuleARN/finding/hash | Id |  | 
| detail.configRuleName | Title, ProductFields |  | 
| detail.configRuleName | Description | "This finding is created for a resource compliance change for config rule: ${detail.ConfigRuleName}" | 
| Configuration Item "ARN" or Security Hub CSPM computed ARN | Resources[i].id |  | 
| detail.resourceType | Resources[i].Type | "AwsS3Bucket" | 
|  | Resources[i].Partition | "aws" | 
|  | Resources[i].Region | "eu-central-1" | 
| Configuration Item "configuration" | Resources[i].Details |  | 
|  | SchemaVersion | "2018-10-08" | 
|  | Severity.Label | See "Interpreting Severity Label" below | 
|  | Types | ["Software and Configuration Checks"] | 
| detail.newEvaluationResult.complianceType | Compliance.Status | "FAILED", "NOT_AVAILABLE", "PASSED", or "WARNING" | 
|  | Workflow.Status | "RESOLVED" if an Amazon Config finding is generated with a Compliance.Status of "PASSED," or if the Compliance.Status changes from "FAILED" to "PASSED." Otherwise, Workflow.Status will be "NEW." You can change this value with the [BatchUpdateFindings](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_BatchUpdateFindings.html) API operation. | 

##### Interpreting severity label


All findings from Amazon Config rule evaluations have a default severity label of **MEDIUM** in the ASFF. You can update the severity label of a finding with the [BatchUpdateFindings](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_BatchUpdateFindings.html) API operation.

##### Typical finding from Amazon Config


Security Hub CSPM transforms Amazon Config rule evaluations into findings that follow the ASFF. The following is an example of a typical finding from Amazon Config in the ASFF.

**Note**  
If the description is more than 1,024 characters, it will be truncated to 1,024 characters and will say "(truncated)" at the end.

```
{
	"SchemaVersion": "2018-10-08",
	"Id": "arn:aws-cn:config:eu-central-1:123456789012:config-rule/config-rule-mburzq/finding/45g070df80cb50b68fa6a43594kc6fda1e517932",
	"ProductArn": "arn:aws-cn:securityhub:eu-central-1::product/aws/config",
	"ProductName": "Config",
	"CompanyName": "AWS",
	"Region": "eu-central-1",
	"GeneratorId": "arn:aws-cn:config:eu-central-1:123456789012:config-rule/config-rule-mburzq",
	"AwsAccountId": "123456789012",
	"Types": [
		"Software and Configuration Checks"
	],
	"CreatedAt": "2022-04-15T05:00:37.181Z",
	"UpdatedAt": "2022-04-19T21:20:15.056Z",
	"Severity": {
		"Label": "MEDIUM",
		"Normalized": 40
	},
	"Title": "s3-bucket-level-public-access-prohibited-config-integration-demo",
	"Description": "This finding is created for a resource compliance change for config rule: s3-bucket-level-public-access-prohibited-config-integration-demo",
	"ProductFields": {
		"aws/securityhub/ProductName": "Config",
		"aws/securityhub/CompanyName": "AWS",
		"aws/securityhub/FindingId": "arn:aws-cn:securityhub:eu-central-1::product/aws/config/arn:aws-cn:config:eu-central-1:123456789012:config-rule/config-rule-mburzq/finding/46f070df80cd50b68fa6a43594dc5fda1e517902",
		"aws/config/ConfigRuleArn": "arn:aws-cn:config:eu-central-1:123456789012:config-rule/config-rule-mburzq",
		"aws/config/ConfigRuleName": "s3-bucket-level-public-access-prohibited-config-integration-demo",
		"aws/config/ConfigComplianceType": "NON_COMPLIANT"
	},
	"Resources": [{
		"Type": "AwsS3Bucket",
		"Id": "arn:aws-cn:s3:::amzn-s3-demo-bucket",
		"Partition": "aws",
		"Region": "eu-central-1",
		"Details": {
			"AwsS3Bucket": {
				"OwnerId": "4edbba300f1caa608fba2aad2c8fcfe30c32ca32777f64451eec4fb2a0f10d8c",
				"CreatedAt": "2022-04-15T04:32:53.000Z"
			}
		}
	}],
	"Compliance": {
		"Status": "FAILED"
	},
	"WorkflowState": "NEW",
	"Workflow": {
		"Status": "NEW"
	},
	"RecordState": "ACTIVE",
	"FindingProviderFields": {
		"Severity": {
			"Label": "MEDIUM"
		},
		"Types": [
			"Software and Configuration Checks"
		]
	}
}
```
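The mapping table, the `Workflow.Status` rule and the description truncation note above, carried through as code. This is an added example, not Amazon's code or the Security Hub CSPM implementation: it builds an ASFF finding from the EventBridge compliance-change event that Amazon Config emits, so the field mapping can be read in one place and tested offline. The sample event and its ARNs are constructed. The resource-type conversion, the complianceType pairings other than NON_COMPLIANT -> FAILED, the computed S3 bucket ARN and what gets hashed into the finding `Id` are assumptions; the page states the shape of those fields but not how Security Hub CSPM derives them.

```python
"""Transform an Amazon Config rule evaluation into an ASFF finding.

Added example, not Amazon's own code. It applies the field mapping table
above to the EventBridge "Config Rules Compliance Change" event. The sample
event, ARNs and the hash input for the finding Id are constructed; the
compliance and resource-type mappings beyond the one case shown in the
example finding (NON_COMPLIANT -> FAILED, AWS::S3::Bucket -> AwsS3Bucket)
are assumptions.
"""
import hashlib

SCHEMA_VERSION = "2018-10-08"
DESCRIPTION_LIMIT = 1024

# Config complianceType -> ASFF Compliance.Status. Only NON_COMPLIANT -> FAILED
# is shown on the page; the other three pairings are an assumption.
COMPLIANCE_STATUS = {
    "NON_COMPLIANT": "FAILED",
    "COMPLIANT": "PASSED",
    "NOT_APPLICABLE": "NOT_AVAILABLE",
    "INSUFFICIENT_DATA": "WARNING",
}

SAMPLE_EVENT = {  # constructed EventBridge event; account and rule ARN are placeholders
    "account": "123456789012",
    "region": "eu-central-1",
    "time": "2022-04-19T21:20:15Z",
    "detail-type": "Config Rules Compliance Change",
    "source": "aws.config",
    "detail": {
        "awsAccountId": "123456789012",
        "configRuleName": "s3-bucket-level-public-access-prohibited-demo",
        "configRuleARN": "arn:aws-cn:config:eu-central-1:123456789012:config-rule/config-rule-EXAMPLE",
        "resourceType": "AWS::S3::Bucket",
        "resourceId": "amzn-s3-demo-bucket",
        "messageType": "ComplianceChangeNotification",
        "newEvaluationResult": {
            "complianceType": "NON_COMPLIANT",
            "resultRecordedTime": "2022-04-19T21:20:15.056Z",
        },
    },
}


def asff_resource_type(config_type):
    """'AWS::S3::Bucket' -> 'AwsS3Bucket'. Heuristic (assumption): capitalise
    each '::' segment; covers common ASFF type names, not every one."""
    return "".join(part.capitalize() for part in config_type.split("::"))


def compliance_status(config_compliance):
    return COMPLIANCE_STATUS[config_compliance]


def workflow_status(asff_compliance):
    """RESOLVED when the evaluation is PASSED (this includes FAILED -> PASSED),
    otherwise NEW, as the mapping table states."""
    return "RESOLVED" if asff_compliance == "PASSED" else "NEW"


def truncate_description(text, limit=DESCRIPTION_LIMIT):
    """Descriptions over 1,024 characters are cut and end with '(truncated)'."""
    return text if len(text) <= limit else text[:limit] + " (truncated)"


def resource_arn(partition, config_type, resource_id):
    """Configuration item ARN, or one Security Hub CSPM computes. Only the S3
    bucket case is computed here (assumption); other types keep the raw id."""
    if config_type == "AWS::S3::Bucket":
        return f"arn:{partition}:s3:::{resource_id}"
    return resource_id


def config_event_to_asff(event):
    d = event["detail"]
    region = event["region"]
    rule_arn = d["configRuleARN"]
    partition = rule_arn.split(":")[1]  # the example hardcodes "aws"; derived here
    recorded = d["newEvaluationResult"]["resultRecordedTime"]
    status = compliance_status(d["newEvaluationResult"]["complianceType"])
    # Id = configRuleARN/finding/<hash>. What Security Hub CSPM hashes is not
    # stated, so the resource identity is hashed here (assumption).
    finding_hash = hashlib.sha1(f"{d['resourceType']}:{d['resourceId']}".encode()).hexdigest()
    return {
        "SchemaVersion": SCHEMA_VERSION,
        "Id": f"{rule_arn}/finding/{finding_hash}",
        "ProductArn": f"arn:{partition}:securityhub:{region}::product/aws/config",
        "ProductName": "Config",
        "CompanyName": "Amazon",
        "Region": region,
        "GeneratorId": rule_arn,
        "AwsAccountId": d["awsAccountId"],
        "Types": ["Software and Configuration Checks"],
        "CreatedAt": recorded,
        "UpdatedAt": recorded,
        "Severity": {"Label": "MEDIUM", "Normalized": 40},  # default for Config findings
        "Title": d["configRuleName"],
        "Description": truncate_description(
            "This finding is created for a resource compliance change for config rule: "
            + d["configRuleName"]),
        "ProductFields": {
            "aws/config/ConfigRuleArn": rule_arn,
            "aws/config/ConfigRuleName": d["configRuleName"],
            "aws/config/ConfigComplianceType": d["newEvaluationResult"]["complianceType"],
        },
        "Resources": [{
            "Type": asff_resource_type(d["resourceType"]),
            "Id": resource_arn(partition, d["resourceType"], d["resourceId"]),
            "Partition": partition,
            "Region": region,
        }],
        "Compliance": {"Status": status},
        "Workflow": {"Status": workflow_status(status)},
        "RecordState": "ACTIVE",
    }
```

A practical use is testing: feed `config_event_to_asff` output into the EventBridge rules or automation rules you write against Config findings, and confirm they key on `ProductFields["aws/config/ConfigRuleName"]` and `Compliance.Status` rather than on `Workflow.Status`, which flips to `RESOLVED` on its own when a resource returns to compliance.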

#### Enabling and configuring the integration


After you enable Security Hub CSPM, this integration is activated automatically. Amazon Config immediately begins to send findings to Security Hub CSPM.

#### Stopping the publication of findings to Security Hub CSPM


To stop sending findings to Security Hub CSPM, you can use the Security Hub CSPM console or Security Hub CSPM API.

For instructions on stopping the flow of findings, see [Enabling the flow of findings from a Security Hub CSPM integration](securityhub-integration-enable.md).

### Amazon Firewall Manager (Sends findings)


Firewall Manager sends findings to Security Hub CSPM when a web application firewall (WAF) policy for resources or a web access control list (web ACL) rule is not in compliance. Firewall Manager also sends findings when Amazon Shield Advanced is not protecting resources, or when an attack is identified.

After you enable Security Hub CSPM, this integration is automatically activated. Firewall Manager immediately begins to send findings to Security Hub CSPM.

To learn more about the integration, view the **Integrations** page in the Security Hub CSPM console.

To learn more about Firewall Manager, see the [Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced Developer Guide](https://docs.amazonaws.cn/waf/latest/developerguide/).

### Amazon GuardDuty (Sends findings)


GuardDuty sends all of the finding types that it generates to Security Hub CSPM. Some finding types have prerequisites, enablement requirements, or Regional limitations. For more information, see [GuardDuty finding types](https://docs.amazonaws.cn/guardduty/latest/ug/guardduty_finding-types-active.html) in the *Amazon GuardDuty User Guide*.

New findings from GuardDuty are sent to Security Hub CSPM within five minutes. Updates to findings are sent based on the **Updated findings** setting for Amazon EventBridge in GuardDuty settings.

When you generate GuardDuty sample findings using the GuardDuty **Settings** page, Security Hub CSPM receives the sample findings and omits the prefix `[SAMPLE]` from the finding type. For example, the sample finding type in GuardDuty `[SAMPLE] Recon:IAMUser/ResourcePermissions` is displayed as `Recon:IAMUser/ResourcePermissions` in Security Hub CSPM.

After you enable Security Hub CSPM, this integration is automatically activated. GuardDuty immediately begins to send findings to Security Hub CSPM.

For more information about the GuardDuty integration, see [Integrating with Amazon Security Hub CSPM](https://docs.amazonaws.cn/guardduty/latest/ug/securityhub-integration.html) in the *Amazon GuardDuty User Guide*.

### Amazon Health (Sends findings)


Amazon Health provides ongoing visibility into your resource performance and the availability of your Amazon Web Services services and Amazon Web Services accounts. You can use Amazon Health events to learn how service and resource changes might affect your applications that run on Amazon.

The integration with Amazon Health does not use `BatchImportFindings`. Instead, Amazon Health uses service-to-service event messaging to send findings to Security Hub CSPM.

For more information about the integration, see the following sections.

#### How Amazon Health sends findings to Security Hub CSPM


In Security Hub CSPM, security issues are tracked as findings. Some findings come from issues that are detected by other Amazon services or by third-party partners. Security Hub CSPM also has a set of rules that it uses to detect security issues and generate findings.

Security Hub CSPM provides tools to manage findings from across all of these sources. You can view and filter lists of findings and view details for a finding. See [Reviewing finding details and history in Security Hub CSPM](securityhub-findings-viewing.md). You can also track the status of an investigation into a finding. See [Setting the workflow status of findings in Security Hub CSPM](findings-workflow-status.md).

All findings in Security Hub CSPM use a standard JSON format called the [Amazon Security Finding Format (ASFF)](securityhub-findings-format.md). ASFF includes details about the source of the issue, the affected resources, and the current status of the finding.

Amazon Health is one of the Amazon services that sends findings to Security Hub CSPM.

##### Types of findings that Amazon Health sends to Security Hub CSPM


After the integration is enabled, Amazon Health sends findings that meet one or more of the listed specifications to Security Hub CSPM. Security Hub CSPM ingests the findings in the [Amazon Security Finding Format (ASFF)](securityhub-findings-format.md).
+ Findings whose Amazon Health `service` field has any of the following values:
  + `RISK`
  + `ABUSE`
  + `ACM`
  + `CLOUDHSM`
  + `CLOUDTRAIL`
  + `CONFIG`
  + `CONTROLTOWER`
  + `DETECTIVE`
  + `EVENTS`
  + `GUARDDUTY`
  + `IAM`
  + `INSPECTOR`
  + `KMS`
  + `MACIE`
  + `SES`
  + `SECURITYHUB`
  + `SHIELD`
  + `SSO`
  + `COGNITO`
  + `IOTDEVICEDEFENDER`
  + `NETWORKFIREWALL`
  + `ROUTE53`
  + `WAF`
  + `FIREWALLMANAGER`
  + `SECRETSMANAGER`
  + `BACKUP`
  + `AUDITMANAGER`
  + `ARTIFACT`
  + `CLOUDENDURE`
  + `CODEGURU`
  + `ORGANIZATIONS`
  + `DIRECTORYSERVICE`
  + `RESOURCEMANAGER`
  + `CLOUDWATCH`
  + `DRS`
  + `INSPECTOR2`
  + `RESILIENCEHUB`
+ Findings with the words `security`, `abuse`, or `certificate` in the Amazon Health `typeCode` field
+ Findings where the Amazon Health service is `risk` or `abuse`

##### Sending Amazon Health findings to Security Hub CSPM


When you choose to accept findings from Amazon Health, Security Hub CSPM will automatically assign the permissions necessary to receive the findings from Amazon Health. Security Hub CSPM uses service-to-service level permissions that provide you with a safe, easy way to enable this integration and import findings from Amazon Health via Amazon EventBridge on your behalf. Choosing **Accept Findings** grants Security Hub CSPM permission to consume findings from Amazon Health.

##### Latency for sending findings


When Amazon Health creates a new finding, it is usually sent to Security Hub CSPM within five minutes.

##### Retrying when Security Hub CSPM is not available


Amazon Health sends findings to Security Hub CSPM on a best-effort basis through EventBridge. When an event isn't successfully delivered to Security Hub CSPM, EventBridge retries sending the event for 24 hours.

##### Updating existing findings in Security Hub CSPM


After Amazon Health sends a finding to Security Hub CSPM, it can send updates to the same finding to Security Hub CSPM to reflect additional observations of the finding activity.

##### Regions in which findings exist


For global events, Amazon Health sends findings to Security Hub CSPM in us-east-1 (Amazon partition), cn-northwest-1 (China partition), and us-gov-west-1 (GovCloud partition). Amazon Health sends Region-specific events to Security Hub CSPM in the same Region or Regions where the events occur.

#### Viewing Amazon Health findings in Security Hub CSPM


To view your Amazon Health findings in Security Hub CSPM, choose **Findings** from the navigation panel. To filter the findings to display only Amazon Health findings, choose **Health** from the **Product name** field.

##### Interpreting Amazon Health finding names in Security Hub CSPM


Amazon Health sends the findings to Security Hub CSPM using the [Amazon Security Finding Format (ASFF)](securityhub-findings-format.md). Amazon Health findings use a different event pattern than the ASFF. The following table maps the Amazon Health finding fields to their ASFF counterparts as they appear in Security Hub CSPM.


| Health finding type | ASFF finding type | Hardcoded value | 
| --- | --- | --- | 
| account | AwsAccountId |   | 
| detail.startTime | CreatedAt |   | 
| detail.eventDescription.latestDescription | Description |   | 
| detail.eventTypeCode | GeneratorId |   | 
| detail.eventArn (including account) + hash of detail.startTime | Id |   | 
| "arn:aws-cn:securityhub:<region>::product/aws/health" | ProductArn |   | 
| account or resourceId | Resources[i].id |   | 
|   | Resources[i].Type | "Other" | 
|   | SchemaVersion | "2018-10-08" | 
|   | Severity.Label | See "Interpreting Severity Label" below | 
| "Amazon Health - " detail.eventTypeCode | Title |   | 
|   | Types | ["Software and Configuration Checks"] | 
| event.time | UpdatedAt |   | 
| URL of the event on Health console | SourceUrl |   | 

##### Interpreting severity label


The severity label in the ASFF finding is determined using the following logic:
+ Severity **CRITICAL** if:
  + The `service` field in the Amazon Health finding has the value `Risk`
  + The `typeCode` field in the Amazon Health finding has the value `AWS_S3_OPEN_ACCESS_BUCKET_NOTIFICATION`
  + The `typeCode` field in the Amazon Health finding has the value `AWS_SHIELD_INTERNET_TRAFFIC_LIMITATIONS_PLACED_IN_RESPONSE_TO_DDOS_ATTACK`
  + The `typeCode` field in the Amazon Health finding has the value `AWS_SHIELD_IS_RESPONDING_TO_A_DDOS_ATTACK_AGAINST_YOUR_AWS_RESOURCES`
+ Severity **HIGH** if:
  + The `service` field in the Amazon Health finding has the value `Abuse`
  + The `typeCode` field in the Amazon Health finding contains the value `SECURITY_NOTIFICATION`
  + The `typeCode` field in the Amazon Health finding contains the value `ABUSE_DETECTION`
+ Severity **MEDIUM** if:
  + The `service` field in the finding is any of the following: `ACM`, `ARTIFACT`, `AUDITMANAGER`, `BACKUP`, `CLOUDENDURE`, `CLOUDHSM`, `CLOUDTRAIL`, `CLOUDWATCH`, `CODEGURU`, `COGNITO`, `CONFIG`, `CONTROLTOWER`, `DETECTIVE`, `DIRECTORYSERVICE`, `DRS`, `EVENTS`, `FIREWALLMANAGER`, `GUARDDUTY`, `IAM`, `INSPECTOR`, `INSPECTOR2`, `IOTDEVICEDEFENDER`, `KMS`, `MACIE`, `NETWORKFIREWALL`, `ORGANIZATIONS`, `RESILIENCEHUB`, `RESOURCEMANAGER`, `ROUTE53`, `SECURITYHUB`, `SECRETSMANAGER`, `SES`, `SHIELD`, `SSO`, or `WAF`
  + The `typeCode` field in the Amazon Health finding contains the value `CERTIFICATE`
  + The `typeCode` field in the Amazon Health finding contains the value `END_OF_SUPPORT`

##### Typical finding from Amazon Health


Amazon Health sends findings to Security Hub CSPM using the [Amazon Security Finding Format (ASFF)](securityhub-findings-format.md). The following is an example of a typical finding from Amazon Health.

**Note**  
If the description is more than 1024 characters, it will be truncated to 1024 characters and will say *(truncated)* at the end.

```
{
	"SchemaVersion": "2018-10-08",
	"Id": "arn:aws-cn:health:us-east-1:123456789012:event/SES/AWS_SES_CMF_PENDING_TO_SUCCESS/AWS_SES_CMF_PENDING_TO_SUCCESS_303388638044_33fe2115-8dad-40ce-b533-78e29f49de96/101F7FBAEFC663977DA09CFF56A29236602834D2D361E6A8CA5140BFB3A69B30",
	"ProductArn": "arn:aws-cn:securityhub:us-east-1::product/aws/health",
	"GeneratorId": "AWS_SES_CMF_PENDING_TO_SUCCESS",
	"AwsAccountId": "123456789012",
	"Types": [
		"Software and Configuration Checks"
	],
	"CreatedAt": "2022-01-07T16:34:04.000Z",
	"UpdatedAt": "2022-01-07T19:17:43.000Z",
	"Severity": {
		"Label": "MEDIUM",
		"Normalized": 40
	},
	"Title": "AWS Health - AWS_SES_CMF_PENDING_TO_SUCCESS",
	"Description": "Congratulations! Amazon SES has successfully detected the MX record required to use 4557227d-9257-4e49-8d5b-18a99ced4be9.cmf.pinpoint.sysmon-iad.adzel.com as a custom MAIL FROM domain for verified identity cmf.pinpoint.sysmon-iad.adzel.com in Amazon Region US East (N. Virginia).\\n\\nYou can now use this MAIL FROM domain with cmf.pinpoint.sysmon-iad.adzel.com and any other verified identity that is configured to use it. For information about how to configure a verified identity to use a custom MAIL FROM domain, see http://docs.aws.amazon.com/ses/latest/DeveloperGuide/mail-from-set.html .\\n\\nPlease note that this email only applies to Amazon Region US East (N. Virginia).",
	"SourceUrl": "https://phd.aws.amazon.com/phd/home#/event-log?eventID=arn:aws-cn:health:us-east-1::event/SES/AWS_SES_CMF_PENDING_TO_SUCCESS/AWS_SES_CMF_PENDING_TO_SUCCESS_303388638044_33fe2115-8dad-40ce-b533-78e29f49de96",
	"ProductFields": {
		"aws/securityhub/FindingId": "arn:aws-cn:securityhub:us-east-1::product/aws/health/arn:aws-cn:health:us-east-1::event/SES/AWS_SES_CMF_PENDING_TO_SUCCESS/AWS_SES_CMF_PENDING_TO_SUCCESS_303388638044_33fe2115-8dad-40ce-b533-78e29f49de96",
		"aws/securityhub/ProductName": "Health",
		"aws/securityhub/CompanyName": "Amazon"
	},
	"Resources": [
		{
			"Type": "Other",
			"Id": "4557227d-9257-4e49-8d5b-18a99ced4be9.cmf.pinpoint.sysmon-iad.adzel.com"
		}
	],
	"WorkflowState": "NEW",
	"Workflow": {
		"Status": "NEW"
	},
	"RecordState": "ACTIVE",
	"FindingProviderFields": {
		"Severity": {
			"Label": "MEDIUM"
		},
		"Types": [
			"Software and Configuration Checks"
		]
	}
}
```
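The three eligibility rules, the field mapping table and the severity logic above, implemented together so they can be exercised against a captured Health event before it reaches Security Hub CSPM. This is an added example, not Amazon's code or the Security Hub CSPM implementation. The sample event is constructed; the hash algorithm behind the finding `Id` (the 64-hex suffix in the example finding is read here as SHA-256), the `Severity.Normalized` values for CRITICAL and HIGH, and the fallback severity for an eligible event that matches none of the listed rules are assumptions. It also shows the precedence the rules imply: a `SHIELD` event is in the MEDIUM service list, but the DDoS `typeCode` values make it CRITICAL.

```python
"""Filter Amazon Health events and map the eligible ones to ASFF findings.

Added example, not Amazon's own code. It implements the eligibility rules,
the field mapping table and the severity logic described above. The sample
event is constructed; the hash algorithm behind the Id, the Normalized values
for CRITICAL/HIGH and the fallback severity are assumptions.
"""
import hashlib

# Amazon Health `service` values whose events are forwarded (the list above).
FORWARDED_SERVICES = {
    "RISK", "ABUSE", "ACM", "CLOUDHSM", "CLOUDTRAIL", "CONFIG", "CONTROLTOWER",
    "DETECTIVE", "EVENTS", "GUARDDUTY", "IAM", "INSPECTOR", "KMS", "MACIE", "SES",
    "SECURITYHUB", "SHIELD", "SSO", "COGNITO", "IOTDEVICEDEFENDER", "NETWORKFIREWALL",
    "ROUTE53", "WAF", "FIREWALLMANAGER", "SECRETSMANAGER", "BACKUP", "AUDITMANAGER",
    "ARTIFACT", "CLOUDENDURE", "CODEGURU", "ORGANIZATIONS", "DIRECTORYSERVICE",
    "RESOURCEMANAGER", "CLOUDWATCH", "DRS", "INSPECTOR2", "RESILIENCEHUB",
}
# Words in `typeCode` that also make an event eligible.
TYPECODE_KEYWORDS = ("SECURITY", "ABUSE", "CERTIFICATE")
CRITICAL_TYPECODES = {
    "AWS_S3_OPEN_ACCESS_BUCKET_NOTIFICATION",
    "AWS_SHIELD_INTERNET_TRAFFIC_LIMITATIONS_PLACED_IN_RESPONSE_TO_DDOS_ATTACK",
    "AWS_SHIELD_IS_RESPONDING_TO_A_DDOS_ATTACK_AGAINST_YOUR_AWS_RESOURCES",
}
# ASFF Severity.Normalized per label; MEDIUM -> 40 matches the example above,
# the CRITICAL and HIGH values are assumptions.
NORMALIZED = {"CRITICAL": 90, "HIGH": 70, "MEDIUM": 40}

SAMPLE_EVENT = {  # constructed EventBridge event; identifiers are placeholders
    "account": "123456789012",
    "region": "us-east-1",
    "time": "2022-01-07T19:17:43Z",
    "detail": {
        "eventArn": "arn:aws-cn:health:us-east-1::event/SHIELD/AWS_SHIELD_IS_RESPONDING_TO_A_DDOS_ATTACK_AGAINST_YOUR_AWS_RESOURCES/EXAMPLE-EVENT-ID",
        "service": "SHIELD",
        "eventTypeCode": "AWS_SHIELD_IS_RESPONDING_TO_A_DDOS_ATTACK_AGAINST_YOUR_AWS_RESOURCES",
        "startTime": "2022-01-07T16:34:04.000Z",
        "eventDescription": [{"language": "en_US",
                              "latestDescription": "Constructed sample description."}],
        "affectedEntities": [{"entityValue": "arn:aws-cn:ec2:us-east-1:123456789012:eip-allocation/eipalloc-EXAMPLE"}],
    },
}


def is_forwarded(service, type_code):
    """An event becomes a finding if any one of the three rules matches."""
    svc, code = service.upper(), type_code.upper()
    return (svc in FORWARDED_SERVICES
            or any(word in code for word in TYPECODE_KEYWORDS)
            or svc in {"RISK", "ABUSE"})


def severity_label(service, type_code):
    """Rules apply top-down: CRITICAL, then HIGH, then MEDIUM. A SHIELD event
    with a DDoS typeCode is CRITICAL even though SHIELD is in the MEDIUM list."""
    svc, code = service.upper(), type_code.upper()
    if svc == "RISK" or code in CRITICAL_TYPECODES:
        return "CRITICAL"
    if svc == "ABUSE" or "SECURITY_NOTIFICATION" in code or "ABUSE_DETECTION" in code:
        return "HIGH"
    # Remaining listed services and CERTIFICATE / END_OF_SUPPORT codes are
    # MEDIUM; the page gives no default for anything else, so MEDIUM is used
    # for those as well (assumption).
    return "MEDIUM"


def health_event_to_asff(event):
    d = event["detail"]
    account, region = event["account"], event["region"]
    # EventBridge delivers eventDescription as a list of per-language entries.
    desc = d["eventDescription"]
    latest = (desc[0] if isinstance(desc, list) else desc)["latestDescription"]
    # Id = eventArn with the account slot filled in + hash of startTime.
    parts = d["eventArn"].split(":")
    partition = parts[1]
    parts[4] = parts[4] or account
    start_hash = hashlib.sha256(d["startTime"].encode()).hexdigest()  # algorithm assumed
    entities = [e["entityValue"] for e in d.get("affectedEntities", [])]
    label = severity_label(d["service"], d["eventTypeCode"])
    return {
        "SchemaVersion": "2018-10-08",
        "Id": f"{':'.join(parts)}/{start_hash}",
        "ProductArn": f"arn:{partition}:securityhub:{region}::product/aws/health",
        "GeneratorId": d["eventTypeCode"],
        "AwsAccountId": account,
        "Types": ["Software and Configuration Checks"],
        "CreatedAt": d["startTime"],
        "UpdatedAt": event["time"],
        "Severity": {"Label": label, "Normalized": NORMALIZED[label]},
        "Title": f"Amazon Health - {d['eventTypeCode']}",
        # Descriptions over 1,024 characters are cut and marked "(truncated)".
        "Description": latest if len(latest) <= 1024 else latest[:1024] + " (truncated)",
        "SourceUrl": f"https://phd.aws.amazon.com/phd/home#/event-log?eventID={d['eventArn']}",
        # Resources[i].Id is the affected resource id, or the account when none.
        "Resources": [{"Type": "Other", "Id": rid} for rid in (entities or [account])],
        "WorkflowState": "NEW",
        "Workflow": {"Status": "NEW"},
        "RecordState": "ACTIVE",
    }
```

Because `Resources[i].Type` is always `Other` for Health findings, filters that key on resource type will not isolate them; use `ProductName` (`Health`) or the `GeneratorId` typeCode instead when building EventBridge rules or automation rules for these findings.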

#### Enabling and configuring the integration


After you enable Security Hub CSPM, this integration is automatically activated. Amazon Health immediately begins to send findings to Security Hub CSPM.

#### Stopping the publication of findings to Security Hub CSPM


To stop sending findings to Security Hub CSPM, you can use the Security Hub CSPM console or Security Hub CSPM API.

For instructions on stopping the flow of findings, see [Enabling the flow of findings from a Security Hub CSPM integration](securityhub-integration-enable.md).

### Amazon Identity and Access Management Access Analyzer (Sends findings)


With IAM Access Analyzer, all findings are sent to Security Hub CSPM.

IAM Access Analyzer uses logic-based reasoning to analyze resource-based policies that are applied to supported resources in your account. IAM Access Analyzer generates a finding when it detects a policy statement that lets an external principal access a resource in your account.

In IAM Access Analyzer, only the administrator account can see findings for analyzers that apply to an organization. For organization analyzers, the `AwsAccountId` ASFF field reflects the administrator account ID. Under `ProductFields`, the `ResourceOwnerAccount` field indicates the account in which the finding was discovered. If you enable analyzers individually for each account, Security Hub CSPM generates multiple findings, one that identifies the administrator account ID and one that identifies the resource account ID. 

For more information, see [Integration with Amazon Security Hub CSPM](https://docs.amazonaws.cn/IAM/latest/UserGuide/access-analyzer-securityhub-integration.html) in the *IAM User Guide*.

### Amazon Inspector (Sends findings)


Amazon Inspector is a vulnerability management service that continuously scans your Amazon workloads for vulnerabilities. Amazon Inspector automatically discovers and scans Amazon EC2 instances and container images that reside in the Amazon Elastic Container Registry. The scan looks for software vulnerabilities and unintended network exposure.

After you enable Security Hub CSPM, this integration is automatically activated. Amazon Inspector immediately begins to send all of the findings that it generates to Security Hub CSPM.

For more information about the integration, see [Integration with Amazon Security Hub CSPM](https://docs.amazonaws.cn/inspector/latest/user/securityhub-integration.html) in the *Amazon Inspector User Guide*.

Security Hub CSPM can also receive findings from Amazon Inspector Classic. Amazon Inspector Classic sends findings to Security Hub CSPM that are generated through assessment runs for all supported rules packages.

For more information about the integration, see [Integration with Amazon Security Hub CSPM](https://docs.amazonaws.cn/inspector/latest/userguide/securityhub-integration.html) in the *Amazon Inspector Classic User Guide*.

Findings for Amazon Inspector and Amazon Inspector Classic use the same product ARN. Amazon Inspector findings have the following entry in `ProductFields`:

```
"aws/inspector/ProductVersion": "2",
```

**Note**  
Security findings generated by [Amazon Inspector Code Security](https://docs.amazonaws.cn/inspector/latest/user/code-security-assessments.html) are not available for this integration. However, you can access these particular findings in the Amazon Inspector console and through the [Amazon Inspector API](https://docs.amazonaws.cn/inspector/v2/APIReference/Welcome.html).

### Amazon IoT Device Defender (Sends findings)


Amazon IoT Device Defender is a security service that audits the configuration of your IoT devices, monitors connected devices to detect abnormal behavior, and helps mitigate security risks.

After enabling both Amazon IoT Device Defender and Security Hub CSPM, visit the [Integrations page of the Security Hub CSPM console](https://console.amazonaws.cn/securityhub/home#/integrations), and choose **Accept findings** for Audit, Detect, or both. Amazon IoT Device Defender Audit and Detect begin to send all findings to Security Hub CSPM.

Amazon IoT Device Defender Audit sends check summaries to Security Hub CSPM, which contain general information for a specific audit check type and audit task. Amazon IoT Device Defender Detect sends violation findings for machine learning (ML), statistical, and static behaviors to Security Hub CSPM. Audit also sends finding updates to Security Hub CSPM.

For more information about this integration, see [Integration with Amazon Security Hub CSPM](https://docs.amazonaws.cn/iot/latest/developerguide/securityhub-integration.html) in the *Amazon IoT Developer Guide*.

### Amazon Macie (Sends findings)


Amazon Macie is a data security service that discovers sensitive data by using machine learning and pattern matching, provides visibility into data security risks, and enables automated protection against those risks. A finding from Macie can indicate that a potential policy violation or sensitive data exists in your Amazon S3 data estate.

After you enable Security Hub CSPM, Macie automatically starts sending policy findings to Security Hub CSPM. You can configure the integration to also send sensitive data findings to Security Hub CSPM.

In Security Hub CSPM, the finding type for a policy or sensitive data finding is changed to a value that is compatible with ASFF. For example, the `Policy:IAMUser/S3BucketPublic` finding type in Macie is displayed as `Effects/Data Exposure/Policy:IAMUser-S3BucketPublic` in Security Hub CSPM.

Macie also sends generated sample findings to Security Hub CSPM. For sample findings, the name of the affected resource is `macie-sample-finding-bucket` and the value for the `Sample` field is `true`.

For more information, see [Evaluating Macie findings with Security Hub](https://docs.amazonaws.cn/macie/latest/user/securityhub-integration.html) in the *Amazon Macie User Guide*.

### Amazon Route 53 Resolver DNS Firewall (Sends findings)


With Amazon Route 53 Resolver DNS Firewall, you can filter and regulate outbound DNS traffic for your virtual private cloud (VPC). You do this by creating reusable collections of filtering rules in DNS Firewall rule groups, associating the rule groups with your VPC, and then monitoring activity in DNS Firewall logs and metrics. Based on the activity, you can adjust DNS Firewall behavior. DNS Firewall is a feature of Route 53 Resolver.

Route 53 Resolver DNS Firewall can send several types of findings to Security Hub CSPM:
+ Findings related to queries blocked or alerted on for domains associated with Amazon Managed Domain Lists, which are domain lists that Amazon manages.
+ Findings related to queries blocked or alerted on for domains associated with a custom domain list that you define.
+ Findings related to queries blocked or alerted on by DNS Firewall Advanced, which is a Route 53 Resolver feature that can detect queries associated with advanced DNS threats such as Domain Generation Algorithms (DGAs) and DNS Tunneling.

After you enable Security Hub CSPM and Route 53 Resolver DNS Firewall, DNS Firewall automatically starts sending findings for Amazon Managed Domain Lists and DNS Firewall Advanced to Security Hub CSPM. To also send findings for a custom domain list to Security Hub CSPM, manually enable the integration in Security Hub CSPM.

In Security Hub CSPM, all findings from Route 53 Resolver DNS Firewall have the following type: `TTPs/Impact/Impact:Runtime-MaliciousDomainRequest.Reputation`.

For more information, see [Sending findings from Route 53 Resolver DNS Firewall to Security Hub](https://docs.amazonaws.cn/Route53/latest/DeveloperGuide/securityhub-integration.html) in the *Amazon Route 53 Developer Guide*.

### Amazon Systems Manager Patch Manager (Sends findings)


Amazon Systems Manager Patch Manager sends findings to Security Hub CSPM when instances in a customer's fleet go out of compliance with their patch compliance standard.

Patch Manager automates the process of patching managed instances with both security related and other types of updates.

After you enable Security Hub CSPM, this integration is automatically activated. Systems Manager Patch Manager immediately begins to send findings to Security Hub CSPM.

For more information about using Patch Manager, see [Amazon Systems Manager Patch Manager](https://docs.amazonaws.cn/systems-manager/latest/userguide/systems-manager-patch.html) in the *Amazon Systems Manager User Guide*.

## Amazon services that receive findings from Security Hub CSPM


The following Amazon services are integrated with Security Hub CSPM and receive findings from Security Hub CSPM. Where noted, the integrated service may also update findings. In this case, finding updates that you make in the integrated service will also be reflected in Security Hub CSPM.

### Amazon Audit Manager (Receives findings)


Amazon Audit Manager receives findings from Security Hub CSPM. These findings help Audit Manager users to prepare for audits.

To learn more about Audit Manager, see the [Amazon Audit Manager User Guide](https://docs.amazonaws.cn/audit-manager/latest/userguide/what-is.html). [Amazon Security Hub CSPM checks supported by Amazon Audit Manager](https://docs.amazonaws.cn/audit-manager/latest/userguide/control-data-sources-ash.html) lists the controls for which Security Hub CSPM sends findings to Audit Manager.

### Amazon Q Developer in chat applications (Receives findings)


Amazon Q Developer in chat applications is an interactive agent that helps you to monitor and interact with your Amazon resources in your Slack channels and Amazon Chime chat rooms.

Amazon Q Developer in chat applications receives findings from Security Hub CSPM.

To learn more about the Amazon Q Developer in chat applications integration with Security Hub CSPM, see the [Security Hub CSPM integration overview](https://docs.amazonaws.cn/chatbot/latest/adminguide/related-services.html#security-hub) in the *Amazon Q Developer in chat applications Administrator Guide*.

### Amazon Detective (Receives findings)


Detective automatically collects log data from your Amazon resources and uses machine learning, statistical analysis, and graph theory to help you visualize and conduct faster and more efficient security investigations.

The Security Hub CSPM integration with Detective allows you to pivot from Amazon GuardDuty findings in Security Hub CSPM into Detective. You can then use the Detective tools and visualizations to investigate them. The integration does not require any additional configuration in Security Hub CSPM or Detective.

For findings received from other Amazon Web Services services, the finding details panel on the Security Hub CSPM console includes an **Investigate in Detective** subsection. That subsection contains a link to Detective where you can further investigate the security issue that the finding flagged. You can also build a behavior graph in Detective based on Security Hub CSPM findings to conduct more effective investigations. For more information, see [Amazon security findings](https://docs.amazonaws.cn/detective/latest/adminguide/source-data-types-asff.html) in the *Amazon Detective Administration Guide*.

If cross-Region aggregation is enabled, then when you pivot from the aggregation Region, Detective opens in the Region where the finding originated.

If a link does not work, then for troubleshooting advice, see [Troubleshooting the pivot](https://docs.amazonaws.cn/detective/latest/userguide/profile-pivot-from-service.html#profile-pivot-troubleshooting).

### Amazon Security Lake (Receives findings)


Security Lake is a fully-managed security data lake service. You can use Security Lake to automatically centralize security data from cloud, on-premises, and custom sources into a data lake that's stored in your account. Subscribers can consume data from Security Lake for investigative and analytics use cases.

To activate this integration, you must enable both services and add Security Hub CSPM as a source in the Security Lake console, Security Lake API, or Amazon CLI. Once you complete these steps, Security Hub CSPM begins to send all findings to Security Lake.

Security Lake automatically normalizes Security Hub CSPM findings and converts them to a standardized open-source schema called Open Cybersecurity Schema Framework (OCSF). In Security Lake, you can add one or more subscribers to consume Security Hub CSPM findings.

For more information about this integration, including instructions on adding Security Hub CSPM as a source and creating subscribers, see [Integration with Amazon Security Hub CSPM](https://docs.amazonaws.cn/security-lake/latest/userguide/securityhub-integration.html) in the *Amazon Security Lake User Guide*.

### Amazon Systems Manager Explorer and OpsCenter (Receives and updates findings)


Amazon Systems Manager Explorer and OpsCenter receive findings from Security Hub CSPM, and update those findings in Security Hub CSPM.

Explorer provides you with a customizable dashboard, providing key insights and analysis into the operational health and performance of your Amazon environment.

OpsCenter provides you with a central location to view, investigate, and resolve operational work items.

For more information about Explorer and OpsCenter, see [Operations management](https://docs.amazonaws.cn/systems-manager/latest/userguide/systems-manager-ops-center.html) in the *Amazon Systems Manager User Guide*.

### Amazon Trusted Advisor (Receives findings)


Trusted Advisor draws upon best practices learned from serving hundreds of thousands of Amazon customers. Trusted Advisor inspects your Amazon environment, and then makes recommendations when opportunities exist to save money, improve system availability and performance, or help close security gaps.

When you enable both Trusted Advisor and Security Hub CSPM, the integration is updated automatically.

Security Hub CSPM sends the results of its Amazon Foundational Security Best Practices checks to Trusted Advisor.

For more information about the Security Hub CSPM integration with Trusted Advisor, see [Viewing Amazon Security Hub CSPM controls in Amazon Trusted Advisor](https://docs.amazonaws.cn/awssupport/latest/user/security-hub-controls-with-trusted-advisor.html) in the *Amazon Support User Guide*.

# Third-party product integrations with Security Hub CSPM

Amazon Security Hub CSPM integrates with multiple third-party partner products. An integration can perform one or more of the following actions:
+ Send findings that it generates to Security Hub CSPM
+ Receive findings from Security Hub CSPM
+ Update findings in Security Hub CSPM

Integrations that send findings to Security Hub CSPM have an Amazon Resource Name (ARN).

An integration might not be available in all Amazon Web Services Regions. If an integration isn't supported in the Region that you are currently signed in to on the Security Hub CSPM console, it doesn't appear on the **Integrations** page of the console. For a list of integrations that are available in the China Regions and Amazon GovCloud (US) Regions, see [Availability of integrations by Region](securityhub-regions.md#securityhub-regions-integration-support).
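Working with those product ARNs in code, as an added example that is not part of this guide: it fills the `<REGION>` placeholder, checks the ARN shape (the vendor account segment is empty for some products), and enables an integration only when `ListEnabledProductsForImport` does not already list it. The templates are copied from the table on this page; the function names and the offline stub client are this example's own constructions, and a live run would pass boto3's `securityhub` client in place of the stub.

```python
"""Product ARN helpers for the third-party integrations table.

Added example, not part of the Security Hub CSPM guide. The ARN templates are
copied from the table on this page; everything else is this example's own.
"""
import re
from dataclasses import dataclass
from typing import Any, Dict, Iterable, List

# Templates copied from the table; <REGION> is the placeholder the guide uses.
PRODUCT_ARN_TEMPLATES: Dict[str, str] = {
    "3CORESec NTA": "arn:aws-cn:securityhub:<REGION>::product/3coresec/3coresec",
    "Alert Logic SIEMless Threat Management": (
        "arn:aws-cn:securityhub:<REGION>:733251395267:product/alertlogic/althreatmanagement"
    ),
    "Prowler": "arn:aws-cn:securityhub:<REGION>::product/prowler/prowler",
}


@dataclass(frozen=True)
class ProductArn:
    partition: str
    region: str
    account: str  # empty for products listed without a vendor account ID
    vendor: str
    product: str


def render_product_arn(template: str, region: str) -> str:
    """Fill the region placeholder; matched case-insensitively because one
    table row spells it <region>."""
    return re.sub(r"<region>", region, template, flags=re.IGNORECASE)


def parse_product_arn(arn: str) -> ProductArn:
    """Split a Security Hub product ARN into its fields, rejecting ARNs that
    are not product ARNs or that still carry the <REGION> placeholder."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn" or parts[2] != "securityhub":
        raise ValueError(f"not a Security Hub ARN: {arn}")
    partition, region, account, resource = parts[1], parts[3], parts[4], parts[5]
    if not region or "<" in region:
        raise ValueError(f"region placeholder not filled in: {arn}")
    # The account segment is either empty or the vendor's 12-digit account ID.
    if account and not (account.isdigit() and len(account) == 12):
        raise ValueError(f"malformed account segment: {arn}")
    kind, _, path = resource.partition("/")
    if kind != "product" or path.count("/") != 1:
        raise ValueError(f"resource is not product/<vendor>/<product>: {arn}")
    vendor, product = path.split("/")
    return ProductArn(partition, region, account, vendor, product)


def list_enabled_products(client: Any) -> List[str]:
    """Collect every subscribed product ARN, following NextToken pagination."""
    enabled: List[str] = []
    kwargs: Dict[str, str] = {}
    while True:
        page = client.list_enabled_products_for_import(**kwargs)
        enabled.extend(page.get("ProductSubscriptions", []))
        token = page.get("NextToken")
        if not token:
            return enabled
        kwargs = {"NextToken": token}


def enable_product_import(client: Any, template: str, region: str) -> Dict[str, str]:
    """Idempotently enable a product integration: validate the ARN first, skip
    it when already subscribed, otherwise call EnableImportFindingsForProduct."""
    arn = render_product_arn(template, region)
    parse_product_arn(arn)  # raises before any API call if the ARN is bad
    if arn in list_enabled_products(client):
        return {"ProductArn": arn, "Action": "already-enabled"}
    resp = client.enable_import_findings_for_product(ProductArn=arn)
    return {"ProductArn": arn, "Action": "enabled",
            "ProductSubscriptionArn": resp["ProductSubscriptionArn"]}


class StubSecurityHubClient:
    """Offline stand-in for boto3.client("securityhub"), constructed for this
    example; it records subscriptions instead of calling the service."""

    def __init__(self, already_enabled: Iterable[str] = ()):
        self.subscriptions = list(already_enabled)

    def list_enabled_products_for_import(self, **_: str) -> Dict[str, Any]:
        return {"ProductSubscriptions": list(self.subscriptions)}

    def enable_import_findings_for_product(self, ProductArn: str) -> Dict[str, str]:
        self.subscriptions.append(ProductArn)
        # Real subscription ARNs use a product-subscription resource; this
        # stub only mimics that shape.
        return {"ProductSubscriptionArn":
                ProductArn.replace("product/", "product-subscription/", 1)}


if __name__ == "__main__":
    # Swap the stub for boto3.client("securityhub", region_name=region)
    # to run against a real account.
    region = "cn-north-1"
    client = StubSecurityHubClient()
    for name, template in PRODUCT_ARN_TEMPLATES.items():
        print(name, enable_product_import(client, template, region))
```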

If you have a security solution and are interested in becoming a Security Hub CSPM partner, send email to securityhub-partners@amazon.com. For more information, see the [Partner Integration Guide](https://docs.amazonaws.cn/securityhub/latest/partnerguide/integration-overview.html).

## Overview of third-party integrations with Security Hub CSPM


The following table provides an overview of the third-party integrations that can send findings to Security Hub CSPM or receive findings from Security Hub CSPM.


| Integration | Direction | ARN (if applicable) | 
| --- | --- | --- | 
|  [3CORESec – 3CORESec NTA](#integration-3coresec-nta)  |  Sends findings  |  `arn:aws-cn:securityhub:<REGION>::product/3coresec/3coresec`  | 
|  [Alert Logic – SIEMless Threat Management](#integration-alert-logic-siemless)  |  Sends findings  |  `arn:aws-cn:securityhub:<REGION>:733251395267:product/alertlogic/althreatmanagement`  | 
|  [Aqua Security – Aqua Cloud Native Security Platform](#integration-aqua-security-cloud-native-security-platform)  |  Sends findings  |  `arn:aws-cn:securityhub:<REGION>::product/aquasecurity/aquasecurity`  | 
|  [Aqua Security – Kube-bench](#integration-aqua-security-kubebench)  |  Sends findings  |  `arn:aws-cn:securityhub:<REGION>::product/aqua-security/kube-bench`  | 
|  [Armor – Armor Anywhere](#integration-armor-anywhere)  |  Sends findings  |  `arn:aws-cn:securityhub:<REGION>:679703615338:product/armordefense/armoranywhere`  | 
|  [AttackIQ – AttackIQ](#integration-attackiq)  |  Sends findings  |  `arn:aws-cn:securityhub:<REGION>::product/attackiq/attackiq-platform`  | 
|  [Barracuda Networks – Cloud Security Guardian](#integration-barracuda-cloud-security-guardian)  |  Sends findings  |  `arn:aws-cn:securityhub:<REGION>:151784055945:product/barracuda/cloudsecurityguardian`  | 
|  [BigID – BigID Enterprise](#integration-bigid-enterprise)  |  Sends findings  |  `arn:aws-cn:securityhub:<REGION>::product/bigid/bigid-enterprise`  | 
|  [Blue Hexagon – Blue Hexagon for Amazon](#integration-blue-hexagon-for-aws)  |  Sends findings  |  `arn:aws-cn:securityhub:<REGION>::product/blue-hexagon/blue-hexagon-for-aws`  | 
|  [Check Point – CloudGuard IaaS](#integration-checkpoint-cloudguard-iaas)  |  Sends findings  |  `arn:aws-cn:securityhub:<REGION>:758245563457:product/checkpoint/cloudguard-iaas`  | 
|  [Check Point – CloudGuard Posture Management](#integration-checkpoint-cloudguard-posture-management)  |  Sends findings  |  `arn:aws-cn:securityhub:<REGION>:634729597623:product/checkpoint/dome9-arc`  | 
|  [Claroty – xDome](#integration-claroty-xdome)  |  Sends findings  |  `arn:aws-cn:securityhub:<REGION>::product/claroty/xdome`  | 
|  [Cloud Storage Security – Antivirus for Amazon S3](#integration-checkpoint-cloudguard-posture-management)  |  Sends findings  |  `arn:aws-cn:securityhub:<REGION>::product/cloud-storage-security/antivirus-for-amazon-s3`  | 
|  [Contrast Security](#integration-contrast-security)  |  Sends findings  |  `arn:aws-cn:securityhub:<REGION>::product/contrast-security/security-assess`  | 
|  [CrowdStrike – CrowdStrike Falcon](#integration-crowdstrike-falcon)  |  Sends findings  |  `arn:aws-cn:securityhub:<REGION>:517716713836:product/crowdstrike/crowdstrike-falcon`  | 
|  [CyberArk – Privileged Threat Analytics](#integration-cyberark-privileged-threat-analytics)  |  Sends findings  |  `arn:aws-cn:securityhub:<REGION>:749430749651:product/cyberark/cyberark-pta`  | 
|  [Data Theorem – Data Theorem](#integration-data-theorem)  |  Sends findings  |  `arn:aws-cn:securityhub:<REGION>::product/data-theorem/api-cloud-web-secure`  | 
|  [Drata](#integration-drata)  |  Sends findings  |  `arn:aws-cn:securityhub:<REGION>::product/drata/drata-integration`  | 
|  [Forcepoint – Forcepoint CASB](#integration-forcepoint-casb)  |  Sends findings  |  `arn:aws-cn:securityhub:<REGION>:365761988620:product/forcepoint/forcepoint-casb`  | 
|  [Forcepoint – Forcepoint Cloud Security Gateway](#integration-forcepoint-cloud-security-gateway)  |  Sends findings  |  `arn:aws-cn:securityhub:<REGION>::product/forcepoint/forcepoint-cloud-security-gateway`  | 
|  [Forcepoint – Forcepoint DLP](#integration-forcepoint-dlp)  |  Sends findings  |  `arn:aws-cn:securityhub:<REGION>:365761988620:product/forcepoint/forcepoint-dlp`  | 
|  [Forcepoint – Forcepoint NGFW](#integration-forcepoint-ngfw)  |  Sends findings  |  `arn:aws-cn:securityhub:<REGION>:365761988620:product/forcepoint/forcepoint-ngfw`  | 
|  [Fugue – Fugue](#integration-fugue)  |  Sends findings  |  `arn:aws-cn:securityhub:<REGION>::product/fugue/fugue`  | 
|  [Guardicore – Centra 4.0](#integration-guardicore-centra)  |  Sends findings  |  `arn:aws-cn:securityhub:<REGION>::product/guardicore/guardicore`  | 
|  [HackerOne – Vulnerability Intelligence](#integration-hackerone-vulnerability-intelligence)  |  Sends findings  |  `arn:aws-cn:securityhub:<REGION>::product/hackerone/vulnerability-intelligence`  | 
|  [JFrog – Xray](#integration-jfrog-xray)  |  Sends findings  |  `arn:aws-cn:securityhub:<REGION>::product/jfrog/jfrog-xray`  | 
|  [Juniper Networks – vSRX Next Generation Firewall](#integration-junipernetworks-vsrxnextgenerationfirewall)  |  Sends findings  |  `arn:aws-cn:securityhub:<REGION>::product/juniper-networks/vsrx-next-generation-firewall`  | 
|  [k9 Security – Access Analyzer](#integration-k9-security-access-analyzer)  |  Sends findings  |  `arn:aws-cn:securityhub:<REGION>::product/k9-security/access-analyzer`  | 
|  [Lacework – Lacework](#integration-lacework)  |  Sends findings  |  `arn:aws-cn:securityhub:<REGION>::product/lacework/lacework`  | 
|  [McAfee – MVISION Cloud Native Application Protection Platform (CNAPP)](#integration-mcafee-mvision-cnapp)  |  Sends findings  |  `arn:aws-cn:securityhub:<REGION>::product/mcafee-skyhigh/mcafee-mvision-cloud-aws`  | 
|  [NETSCOUT – NETSCOUT Cyber Investigator](#integration-netscout-cyber-investigator)  |  Sends findings  |  `arn:aws-cn:securityhub:us-east-1::product/netscout/netscout-cyber-investigator`  | 
|  [Orca Cloud Security Platform](#integration-orca-cloud-security-platform)  |  Sends findings  |  `arn:aws-cn:securityhub:<REGION>::product/orca-security/orca-security`  | 
|  [Palo Alto Networks – Prisma Cloud Compute](#integration-palo-alto-prisma-cloud-compute)  |  Sends findings  |  `arn:aws-cn:securityhub:<REGION>:496947949261:product/twistlock/twistlock-enterprise`  | 
|  [Palo Alto Networks – Prisma Cloud Enterprise](#integration-palo-alto-prisma-cloud-enterprise)  |  Sends findings  |  `arn:aws-cn:securityhub:<REGION>:188619942792:product/paloaltonetworks/redlock`  | 
|  [Plerion – Cloud Security Platform](#integration-plerion)  |  Sends findings  |  `arn:aws-cn:securityhub:<REGION>::product/plerion/cloud-security-platform`  | 
|  [Prowler – Prowler](#integration-prowler)  |  Sends findings  |  `arn:aws-cn:securityhub:<REGION>::product/prowler/prowler`  | 
|  [Qualys – Vulnerability Management](#integration-qualys-vulnerability-management)  |  Sends findings  |  `arn:aws-cn:securityhub:<REGION>:805950163170:product/qualys/qualys-vm`  | 
|  [Rapid7 – InsightVM](#integration-rapid7-insightvm)  |  Sends findings  |  `arn:aws-cn:securityhub:<REGION>:336818582268:product/rapid7/insightvm`  | 
|  [SentinelOne – SentinelOne](#integration-sentinelone)  |  Sends findings  |  `arn:aws-cn:securityhub:<REGION>::product/sentinelone/endpoint-protection`  | 
|  [Snyk](#integration-snyk)  |  Sends findings  |  `arn:aws-cn:securityhub:<REGION>::product/snyk/snyk`  | 
|  [Sonrai Security – Sonrai Dig](#integration-sonrai-dig)  |  Sends findings  |  `arn:aws-cn:securityhub:<REGION>::product/sonrai-security/sonrai-dig`  | 
|  [Sophos – Server Protection](#integration-sophos-server-protection)  |  Sends findings  |  `arn:aws-cn:securityhub:<REGION>:062897671886:product/sophos/sophos-server-protection`  | 
|  [StackRox – StackRox Kubernetes Security](#integration-stackrox-kubernetes-security)  |  Sends findings  |  `arn:aws-cn:securityhub:<REGION>::product/stackrox/kubernetes-security`  | 
|  [Sumo Logic – Machine Data Analytics](#integration-sumologic-machine-data-analytics)  |  Sends findings  |  `arn:aws-cn:securityhub:<REGION>:956882708938:product/sumologicinc/sumologic-mda`  | 
|  [Symantec – Cloud Workload Protection](#integration-symantec-cloud-workload-protection)  |  Sends findings  |  `arn:aws-cn:securityhub:<REGION>:754237914691:product/symantec-corp/symantec-cwp`  | 
|  [Tenable – Tenable.io](#integration-tenable-tenableio)  |  Sends findings  |  `arn:aws-cn:securityhub:<REGION>:422820575223:product/tenable/tenable-io`  | 
|  [Trend Micro – Cloud One](#integration-trend-micro)  |  Sends findings  |  `arn:aws-cn:securityhub:<REGION>::product/trend-micro/cloud-one`  | 
|  [Vectra – Cognito Detect](#integration-vectra-ai-cognito-detect)  |  Sends findings  |  `arn:aws-cn:securityhub:<REGION>:978576646331:product/vectra-ai/cognito-detect`  | 
|  [Wiz](#integration-wiz)  |  Sends findings  |  `arn:aws-cn:securityhub:<REGION>::product/wiz-security/wiz-security`  | 
|  [Atlassian – Jira Service Management](#integration-atlassian-jira-service-management)  |  Receives and updates findings  |  Not applicable  | 
|  [Atlassian – Jira Service Management Cloud](#integration-atlassian-jira-service-management-cloud)  |  Receives and updates findings  |  Not applicable  | 
|  [Atlassian – Opsgenie](#integration-atlassian-opsgenie)  |  Receives findings  |  Not applicable  | 
|  [Dynatrace](#integration-dynatrace)  |  Receives findings  |  Not applicable  | 
|  [Elastic](#integration-elastic)  |  Receives findings  |  Not applicable  | 
|  [Fortinet – FortiCNP](#integration-fortinet-forticnp)  |  Receives findings  |  Not applicable  | 
|  [IBM – QRadar](#integration-ibm-qradar)  |  Receives findings  | Not applicable | 
|  [Logz.io Cloud SIEM](#integration-logzio-cloud-siem)  |  Receives findings  |  Not applicable  | 
|  [MetricStream](#integration-metricstream)  |  Receives findings  |  Not applicable  | 
|  [MicroFocus – MicroFocus Arcsight](#integration-microfocus-arcsight)  |  Receives findings  |  Not applicable  | 
|  [New Relic Vulnerability Management](#integration-new-relic-vulnerability-management)  |  Receives findings  |  Not applicable  | 
|  [PagerDuty – PagerDuty](#integration-pagerduty)  |  Receives findings  |  Not applicable  | 
|  [Palo Alto Networks – Cortex XSOAR](#integration-palo-alto-cortex-xsoar)  |  Receives findings  |  Not applicable  | 
|  [Palo Alto Networks – VM-Series](#integration-palo-alto-vmseries)  |  Receives findings  |  Not applicable  | 
|  [Rackspace Technology – Cloud Native Security](#integration-rackspace-cloud-native-security)  |  Receives findings  |  Not applicable  | 
|  [Rapid7 – InsightConnect](#integration-rapid7-insightconnect)  |  Receives findings  |  Not applicable  | 
|  [RSA – RSA Archer](#integration-rsa-archer)  |  Receives findings  |  Not applicable  | 
|  [ServiceNow – ITSM](#integration-servicenow-itsm)  |  Receives and updates findings  |  Not applicable  | 
|  [Slack – Slack](#integration-slack)  |  Receives findings  |  Not applicable  | 
|  [Splunk – Splunk Enterprise](#integration-splunk-enterprise)  |  Receives findings  | Not applicable | 
|  [Splunk – Splunk Phantom](#integration-splunk-phantom)  |  Receives findings  |  Not applicable  | 
|  [ThreatModeler](#integration-threatmodeler)  |  Receives findings  |  Not applicable  | 
|  [Trellix – Trellix Helix](#integration-fireeye-helix)  |  Receives findings  |  Not applicable  | 
|  [Caveonix – Caveonix Cloud](#integration-caveonix-cloud)  |  Sends and receives findings  |  `arn:aws-cn:securityhub:<REGION>::product/caveonix/caveonix-cloud`  | 
|  [Cloud Custodian – Cloud Custodian](#integration-cloud-custodian)  |  Sends and receives findings  |  `arn:aws-cn:securityhub:<REGION>::product/cloud-custodian/cloud-custodian`  | 
|  [DisruptOps, Inc. – DisruptOPS](#integration-disruptops)  |  Sends and receives findings  |  `arn:aws-cn:securityhub:<REGION>::product/disruptops-inc/disruptops`  | 
|  [Kion](#integration-kion)  |  Sends and receives findings  |  `arn:aws-cn:securityhub:<REGION>::product/cloudtamerio/cloudtamerio`  | 
|  [Turbot – Turbot](#integration-turbot)  |  Sends and receives findings  |  `arn:aws-cn:securityhub:<REGION>:453761072151:product/turbot/turbot`  | 

## Third-party integrations that send findings to Security Hub CSPM


The following third-party partner product integrations can send findings to Security Hub CSPM. Security Hub CSPM transforms the findings into the [Amazon Security Finding Format](securityhub-findings-format.md).

### 3CORESec – 3CORESec NTA


**Integration type:** Send

**Product ARN:** `arn:aws-cn:securityhub:<REGION>::product/3coresec/3coresec`

3CORESec provides managed detection services for both on-premises and Amazon systems. Their integration with Security Hub CSPM allows visibility into threats such as malware, privilege escalation, lateral movement, and improper network segmentation.

[Product link](https://3coresec.com)

[Partner documentation](https://docs.google.com/document/d/1TPUuuyoAVrMKRVnGKouRy384ZJ1-3xZTnruHkIHJqWQ/edit?usp=sharing)

### Alert Logic – SIEMless Threat Management


**Integration type:** Send

**Product ARN:** `arn:aws-cn:securityhub:<REGION>:733251395267:product/alertlogic/althreatmanagement`

Get the right level of coverage: vulnerability and asset visibility, threat detection and incident management, Amazon WAF, and assigned SOC analyst options.

[Product link](https://www.alertlogic.com/solutions/platform/aws-security/)

[Partner documentation](https://docs.alertlogic.com/configure/aws-security-hub.htm)

### Aqua Security – Aqua Cloud Native Security Platform


**Integration type:** Send

**Product ARN:** `arn:aws-cn:securityhub:<REGION>::product/aquasecurity/aquasecurity`

Aqua Cloud Native Security Platform (CSP) provides full lifecycle security for container-based and serverless applications, from your CI/CD pipeline to runtime production environments.

[Product link](https://blog.aquasec.com/aqua-aws-security-hub)

[Partner documentation](https://github.com/aquasecurity/aws-security-hub-plugin)

### Aqua Security – Kube-bench


**Integration type:** Send

**Product ARN:** `arn:aws-cn:securityhub:<REGION>::product/aqua-security/kube-bench`

Kube-bench is an open-source tool that runs the Center for Internet Security (CIS) Kubernetes Benchmark against your environment.

[Product link](https://github.com/aquasecurity/kube-bench/blob/master/README.md)

[Partner documentation](https://github.com/aquasecurity/kube-bench/blob/master/README.md)

### Armor – Armor Anywhere


**Integration type:** Send

**Product ARN:** `arn:aws-cn:securityhub:<REGION>:679703615338:product/armordefense/armoranywhere`

Armor Anywhere delivers managed security and compliance for Amazon.

[Product link](https://www.amazonaws.cn/marketplace/seller-profile?id=797425f4-6823-4cf6-82b5-634f9a9ec347)

[Partner documentation](https://amp.armor.com/account/cloud-connections)

### AttackIQ – AttackIQ


**Integration type:** Send

**Product ARN:** `arn:aws-cn:securityhub:<REGION>::product/attackiq/attackiq-platform`

AttackIQ Platform emulates real adversarial behavior aligned with the MITRE ATT&CK Framework to help validate and improve your overall security posture.

[Product link](https://go.attackiq.com/BD-AWS-Security-Hub_LP.html)

[Partner documentation](https://github.com/AttackIQ/attackiq.github.io)

### Barracuda Networks – Cloud Security Guardian


**Integration type:** Send

**Product ARN:** `arn:aws-cn:securityhub:<REGION>:151784055945:product/barracuda/cloudsecurityguardian`

Barracuda Cloud Security Sentry helps organizations stay secure while building applications in, and moving workloads to, the public cloud.

[Amazon Marketplace link](https://www.amazonaws.cn/marketplace/pp/B07KF2X7QJ)

[Product link](https://www.barracuda.com/solutions/aws)

### BigID – BigID Enterprise


**Integration type:** Send

**Product ARN:** `arn:aws-cn:securityhub:<REGION>::product/bigid/bigid-enterprise`

The BigID Enterprise Privacy Management Platform helps companies manage and protect sensitive data (PII) across all their systems.

[Product link](https://github.com/bigexchange/aws-security-hub)

[Partner documentation](https://github.com/bigexchange/aws-security-hub)

### Blue Hexagon – Blue Hexagon for Amazon


**Integration type:** Send

**Product ARN:** `arn:aws-cn:securityhub:<REGION>::product/blue-hexagon/blue-hexagon-for-aws`

Blue Hexagon is a real time threat detection platform. It uses deep learning principles to detect known and unknown threats, including malware and network anomalies.

[Amazon Marketplace link](https://www.amazonaws.cn/marketplace/pp/prodview-fvt5ts3ulhrtk?sr=0-1&ref_=beagle&applicationId=AWSMPContessa)

[Partner documentation](https://bluehexagonai.atlassian.net/wiki/spaces/BHDOC/pages/395935769/Deploying+Blue+Hexagon+with+AWS+Traffic+Mirroring#DeployingBlueHexagonwithAWSTrafficMirroringDeployment-Integrations)

### Check Point – CloudGuard IaaS


**Integration type:** Send

**Product ARN:** `arn:aws-cn:securityhub:<REGION>:758245563457:product/checkpoint/cloudguard-iaas`

Check Point CloudGuard easily extends comprehensive threat prevention security to Amazon while protecting assets in the cloud.

[Product link](https://www.amazonaws.cn/marketplace/seller-profile?id=a979fc8a-dd48-42c8-84cc-63d5d50e3a2f)

[Partner documentation](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk140412)

### Check Point – CloudGuard Posture Management


**Integration type:** Send

**Product ARN:** `arn:aws-cn:securityhub:<REGION>:634729597623:product/checkpoint/dome9-arc`

A SaaS platform that delivers verifiable cloud network security, advanced IAM protection, and comprehensive compliance and governance.

[Product link](https://www.amazonaws.cn/marketplace/seller-profile?id=a979fc8a-dd48-42c8-84cc-63d5d50e3a2f)

[Partner documentation](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk144592&partition=General&product=CloudGuard)

### Claroty – xDome


**Integration type:** Send

**Product ARN:** `arn:aws-cn:securityhub:<REGION>::product/claroty/xdome`

Claroty xDome helps organizations secure their cyber-physical systems across the Extended Internet of Things (XIoT) within industrial (OT), healthcare (IoMT), and enterprise (IoT) environments.

[Product link](https://claroty.com/)

[Partner documentation](https://claroty.com/resources/integration-briefs/the-claroty-aws-securityhub-integration-guide)

### Cloud Storage Security – Antivirus for Amazon S3


**Integration type:** Send

**Product ARN:** `arn:aws-cn:securityhub:<REGION>::product/cloud-storage-security/antivirus-for-amazon-s3`

Cloud Storage Security provides cloud native anti-malware and antivirus scanning for Amazon S3 objects.

Antivirus for Amazon S3 offers real time and scheduled scans of objects and files in Amazon S3 for malware and threats. It provides visibility and remediation for problem and infected files.

[Product link](https://cloudstoragesec.com/)

[Partner documentation](https://help.cloudstoragesec.com/console-overview/console-settings/#send-scan-result-findings-to-aws-security-hub)

### Contrast Security – Contrast Assess


**Integration type:** Send

**Product ARN:** `arn:aws-cn:securityhub:<REGION>::product/contrast-security/security-assess`

Contrast Assess, from Contrast Security, is an IAST tool that offers real-time vulnerability detection in web apps, APIs, and microservices. Contrast Assess integrates with Security Hub CSPM to help provide centralized visibility and response for all your workloads.

[Product link](https://www.amazonaws.cn/marketplace/pp/prodview-g5df2jw32felw)

[Partner documentation](https://docs.contrastsecurity.com/en/securityhub.html)

### CrowdStrike – CrowdStrike Falcon


**Integration type:** Send

**Product ARN:** `arn:aws-cn:securityhub:<REGION>:517716713836:product/crowdstrike/crowdstrike-falcon`

The CrowdStrike Falcon single, lightweight sensor unifies next-generation antivirus, endpoint detection and response, and 24/7 managed hunting through the cloud.

[Amazon Marketplace link](https://www.amazonaws.cn/marketplace/seller-profile?id=f4fb055a-5333-4b6e-8d8b-a4143ad7f6c7)

[Partner documentation](https://github.com/CrowdStrike/falcon-integration-gateway)

### CyberArk – Privileged Threat Analytics


**Integration type:** Send

**Product ARN:** `arn:aws-cn:securityhub:<REGION>:749430749651:product/cyberark/cyberark-pta`

Privileged Threat Analytics collects, detects, alerts on, and responds to high-risk activity and behavior of privileged accounts to contain in-progress attacks.

[Product link](https://www.cyberark.com/solutions/digital-transformation/cloud-virtualization-security/)

[Partner documentation](https://cyberark-customers.force.com/mplace/s/#a352J000000dZATQA2-a392J000001Z3eaQAC)

### Data Theorem – Data Theorem


**Integration type:** Send

**Product ARN:** `arn:aws-cn:securityhub:<REGION>::product/data-theorem/api-cloud-web-secure`

Data Theorem continuously scans web applications, APIs, and cloud resources in search of security flaws and data privacy gaps to prevent AppSec data breaches.

[Product link](https://www.datatheorem.com/partners/aws/)

[Partner documentation](https://datatheorem.atlassian.net/wiki/spaces/PKB/pages/1730347009/AWS+Security+Hub+Integration)

### Drata


**Integration type:** Send

**Product ARN:** `arn:aws-cn:securityhub:<REGION>::product/drata/drata-integration`

Drata is a compliance automation platform that helps you achieve and maintain compliance with various frameworks, such as SOC2, ISO, and GDPR. The integration between Drata and Security Hub CSPM helps you centralize your security findings in one location.

[Amazon Marketplace link](https://www.amazonaws.cn/marketplace/pp/prodview-3ubrmmqkovucy)

[Partner documentation](https://drata.com/partner/aws)

### Forcepoint – Forcepoint CASB


**Integration type:** Send

**Product ARN:** `arn:aws-cn:securityhub:<REGION>:365761988620:product/forcepoint/forcepoint-casb`

Forcepoint CASB allows you to discover cloud application use, analyze risk, and enforce appropriate controls for SaaS and custom applications.

[Product link](https://www.forcepoint.com/platform/technology-partners/securing-your-amazon-web-services-aws-workloads)

[Partner documentation](https://frcpnt.com/casb-securityhub)

### Forcepoint – Forcepoint Cloud Security Gateway


**Integration type:** Send

**Product ARN:** `arn:aws-cn:securityhub:<REGION>::product/forcepoint/forcepoint-cloud-security-gateway`

Forcepoint Cloud Security Gateway is a converged cloud security service that provides visibility, control, and threat protection for users and data, wherever they are.

[Product link](https://www.forcepoint.com/product/cloud-security-gateway)

[Partner documentation](https://forcepoint.github.io/docs/csg_and_aws_security_hub/#forcepoint-cloud-security-gateway-and-aws-security-hub)

### Forcepoint – Forcepoint DLP


**Integration type:** Send

**Product ARN:** `arn:aws-cn:securityhub:<REGION>:365761988620:product/forcepoint/forcepoint-dlp`

Forcepoint DLP addresses human-centric risk with visibility and control everywhere your people work and everywhere your data resides.

[Product link](https://www.forcepoint.com/platform/technology-partners/securing-your-amazon-web-services-aws-workloads)

[Partner documentation](https://frcpnt.com/dlp-securityhub)

### Forcepoint – Forcepoint NGFW


**Integration type:** Send

**Product ARN:** `arn:aws-cn:securityhub:<REGION>:365761988620:product/forcepoint/forcepoint-ngfw`

Forcepoint NGFW lets you connect your Amazon environment into your enterprise network with the scalability, protection, and insights needed to manage your network and respond to threats.

[Product link](https://www.forcepoint.com/platform/technology-partners/securing-your-amazon-web-services-aws-workloads)

[Partner documentation](https://frcpnt.com/ngfw-securityhub)

### Fugue – Fugue


**Integration type:** Send

**Product ARN:** `arn:aws-cn:securityhub:<REGION>::product/fugue/fugue`

Fugue is an agent-less, scalable cloud-native platform that automates the continuous validation of infrastructure-as-code and cloud runtime environments using the same policies.

[Product link](https://www.fugue.co/aws-security-hub-integration)

[Partner documentation](https://docs.fugue.co/integrations-aws-security-hub.html)

### Guardicore – Centra 4.0


**Integration type:** Send

**Product ARN:** `arn:aws-cn:securityhub:<REGION>::product/guardicore/guardicore`

Guardicore Centra provides flow visualization, micro-segmentation, and breach detection for workloads in modern data centers and clouds.

[Product link](https://www.amazonaws.cn/marketplace/seller-profile?id=21127457-7622-49be-81a6-4cb5dd77a088)

[Partner documentation](https://customers.guardicore.com/login)

### HackerOne – Vulnerability Intelligence


**Integration type:** Send

**Product ARN:** `arn:aws-cn:securityhub:<REGION>::product/hackerone/vulnerability-intelligence`

The HackerOne platform partners with the global hacker community to uncover the most relevant security issues. Vulnerability Intelligence enables your organization to go beyond automated scanning. It shares vulnerabilities that HackerOne ethical hackers have validated and provided steps to reproduce.

[Amazon marketplace link](https://www.amazonaws.cn/marketplace/seller-profile?id=10857e7c-011b-476d-b938-b587deba31cf)

[Partner documentation](https://docs.hackerone.com/en/articles/8562571-aws-security-hub-integration)

### JFrog – Xray


**Integration type:** Send

**Product ARN:** `arn:aws-cn:securityhub:<REGION>::product/jfrog/jfrog-xray`

JFrog Xray is a universal application security Software Composition Analysis (SCA) tool that continuously scans binaries for license compliance and security vulnerabilities so that you can run a secure software supply chain.

[Amazon Marketplace link](https://www.amazonaws.cn/marketplace/seller-profile?id=68002c4f-c9d1-4fa7-b827-fd7204523fb7)

[Partner documentation](https://www.jfrog.com/confluence/display/JFROG/Xray+Integration+with+AWS+Security+Hub)

### Juniper Networks – vSRX Next Generation Firewall


**Integration type:** Send

**Product ARN:** `arn:aws-cn:securityhub:<REGION>::product/juniper-networks/vsrx-next-generation-firewall`

Juniper Networks' vSRX Virtual Next Generation Firewall delivers a complete cloud-based virtual firewall with advanced security, secure SD-WAN, robust networking, and built-in automation.

[Amazon Marketplace link](https://www.amazonaws.cn/marketplace/pp/prodview-z7jcugjx442hw)

[Partner documentation](https://www.juniper.net/documentation/us/en/software/vsrx/vsrx-consolidated-deployment-guide/vsrx-aws/topics/topic-map/security-aws-cloudwatch-security-hub-and-logs.html#id-enable-and-configure-security-hub-on-vsrx)

[Product link](https://www.juniper.net/documentation/us/en/software/vsrx/vsrx-consolidated-deployment-guide/vsrx-aws/topics/topic-map/security-aws-cloudwatch-security-hub-and-logs.html)

### k9 Security – Access Analyzer


**Integration type:** Send

**Product ARN:** `arn:aws-cn:securityhub:<REGION>::product/k9-security/access-analyzer`

k9 Security notifies you when important access changes occur in your Amazon Identity and Access Management account. With k9 Security, you can understand the access that users and IAM roles have to critical Amazon Web Services services and your data.

k9 Security is built for continuous delivery, allowing you to operationalize IAM with actionable access audits and simple policy automation for Amazon CDK and Terraform.

[Product link](https://www.k9security.io/lp/operationalize-aws-iam-security-hub)

[Partner documentation](https://www.k9security.io/docs/how-to-configure-k9-access/)

### Lacework – Lacework


**Integration type:** Send

**Product ARN:** `arn:aws-cn:securityhub:<REGION>::product/lacework/lacework`

Lacework is the data-driven security platform for the cloud. The Lacework Cloud Security Platform automates cloud security at scale so you can innovate with speed and safety.

[Product link](https://www.lacework.com/platform/aws/)

[Partner documentation](https://www.lacework.com/platform/aws/)

### McAfee – MVISION Cloud Native Application Protection Platform (CNAPP)


**Integration type:** Send

**Product ARN:** `arn:aws-cn:securityhub:<REGION>::product/mcafee-skyhigh/mcafee-mvision-cloud-aws`

McAfee MVISION Cloud Native Application Protection Platform (CNAPP) offers Cloud Security Posture Management (CSPM) and Cloud Workload Protection Platform (CWPP) for your Amazon environment.

[Product link](https://aws.amazon.com/marketplace/pp/prodview-ol6txkzkdyacc)

[Partner documentation](https://success.myshn.net/Cloud_Native_Application_Protection_Platform_(IaaS)/Amazon_Web_Services_(AWS)/Integrate_MVISION_Cloud_with_AWS_Security_Hub)

### NETSCOUT – NETSCOUT Cyber Investigator


**Integration type:** Send

**Product ARN:** `arn:aws-cn:securityhub:<REGION>::product/netscout/netscout-cyber-investigator`

NETSCOUT Cyber Investigator is an enterprise-wide network threat, risk investigation, and forensic analysis platform that helps to reduce the impact of cyber threats on businesses.

[Product link](https://www.amazonaws.cn/marketplace/pp/prodview-reujxcu2cv3f4?qid=1608874215786&sr=0-1&ref_=srh_res_product_title)

[Partner documentation](https://www.netscout.com/solutions/cyber-investigator-aws)

### Orca Cloud Security Platform


**Integration type:** Send

**Product ARN:** `arn:aws-cn:securityhub:<REGION>::product/orca-security/orca-security`

The Orca Cloud Security Platform identifies, prioritizes, and remediates risks and compliance issues across your entire cloud estate. Orca’s agentless-first, AI-driven platform offers comprehensive coverage detecting vulnerabilities, misconfigurations, lateral movement, API risks, sensitive data, anomalous events and behaviors, and overly permissive identities.

Orca integrates with Security Hub CSPM to bring deep cloud security telemetry into Security Hub CSPM. Orca, using its SideScanning technology, prioritizes risk across cloud infrastructure, workloads, applications, data, APIs, identities, and more.

[Product link](https://orca.security/partners/technology/amazon-web-services-aws/)

[Partner documentation](https://docs.orcasecurity.io/docs/integrating-amazon-security-hub)

### Palo Alto Networks – Prisma Cloud Compute


**Integration type:** Send

**Product ARN:** `arn:aws-cn:securityhub:<REGION>:496947949261:product/twistlock/twistlock-enterprise`

Prisma Cloud Compute is a cloud native cybersecurity platform that protects VMs, containers, and serverless platforms.

[Product link](https://www.amazonaws.cn/marketplace/seller-profile?id=0ed48363-5064-4d47-b41b-a53f7c937314)

[Partner documentation](https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/alerts/aws_security_hub.html)

### Palo Alto Networks – Prisma Cloud Enterprise


**Integration type:** Send

**Product ARN:** `arn:aws-cn:securityhub:<REGION>:188619942792:product/paloaltonetworks/redlock`

Protects your Amazon deployment with cloud security analytics, advanced threat detection, and compliance monitoring.

[Product link](https://www.amazonaws.cn/marketplace/seller-profile?id=0ed48363-5064-4d47-b41b-a53f7c937314)

[Partner documentation](https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin/configure-external-integrations-on-prisma-cloud/integrate-prisma-cloud-with-aws-security-hub)

### Plerion – Cloud Security Platform


**Integration type:** Send

**Product ARN:** `arn:aws-cn:securityhub:<REGION>::product/plerion/cloud-security-platform`

Plerion is a Cloud Security Platform with a unique threat-led, risk-driven approach that offers preventative, detective, and corrective action across your workloads. The integration between Plerion and Security Hub CSPM allows customers to centralize and act upon their security findings in one place.

[Amazon Marketplace link](https://www.amazonaws.cn/marketplace/seller-profile?id=464b7833-edb8-43ee-b083-d8a298b7ba08)

[Partner documentation](https://au.app.plerion.com/resource-center/platform-documentation/integrations/outbound/securityHub)

### Prowler – Prowler


**Integration type:** Send

**Product ARN:** `arn:aws-cn:securityhub:<REGION>::product/prowler/prowler`

Prowler is an open source security tool to perform Amazon checks related to security best practices, hardening, and continuous monitoring.

[Product link](https://github.com/prowler-cloud/prowler)

[Partner documentation](https://github.com/prowler-cloud/prowler#security-hub-integration)

### Qualys – Vulnerability Management


**Integration type:** Send

**Product ARN:** `arn:aws-cn:securityhub:<REGION>:805950163170:product/qualys/qualys-vm`

Qualys Vulnerability Management (VM) continuously scans and identifies vulnerabilities, protecting your assets.

[Product link](https://www.qualys.com/public-cloud/#aws)

[Partner documentation](https://qualys-secure.force.com/discussions/s/article/000005831)

### Rapid7 – InsightVM


**Integration type:** Send

**Product ARN:** `arn:aws-cn:securityhub:<REGION>:336818582268:product/rapid7/insightvm`

Rapid7 InsightVM provides vulnerability management for modern environments, allowing you to efficiently find, prioritize, and remediate vulnerabilities.

[Product link](https://www.rapid7.com/products/insightvm/)

[Partner documentation](https://docs.rapid7.com/insightvm/aws-security-hub/)

### SentinelOne – SentinelOne


**Integration type:** Send

**Product ARN:** `arn:aws-cn:securityhub:<REGION>::product/sentinelone/endpoint-protection`

SentinelOne is an autonomous extended detection and response (XDR) platform encompassing AI-powered prevention, detection, response, and hunting across endpoints, containers, cloud workloads, and IoT devices.

[Amazon Marketplace link](https://www.amazonaws.cn/marketplace/pp/prodview-2qxvr62fng6li?sr=0-2&ref_=beagle&applicationId=AWSMPContessa)

[Product link](https://www.sentinelone.com/press/sentinelone-announces-integration-with-aws-security-hub/)

### Snyk


**Integration type:** Send

**Product ARN:** `arn:aws-cn:securityhub:<REGION>::product/snyk/snyk`

Snyk provides a security platform that scans app components for security risks in workloads running on Amazon. These risks are sent to Security Hub CSPM as findings, helping developers and security teams visualize and prioritize them along with the rest of their Amazon security findings.

[Amazon Marketplace link](https://www.amazonaws.cn/marketplace/seller-profile?id=bb528b8d-079c-455e-95d4-e68438530f85)

[Partner documentation](https://docs.snyk.io/integrations/event-forwarding/aws-security-hub)

### Sonrai Security – Sonrai Dig


**Integration type:** Send

**Product ARN:** `arn:aws-cn:securityhub:<REGION>::product/sonrai-security/sonrai-dig`

Sonrai Dig monitors and remediates cloud misconfigurations and policy violations, so you can improve your security and compliance posture.

[Product link](https://sonraisecurity.com/solutions/amazon-web-services-aws-and-sonrai-security/)

[Partner documentation](https://sonraisecurity.com/blog/monitor-privilege-escalation-risk-of-identities-from-aws-security-hub-with-integration-from-sonrai/)

### Sophos – Server Protection


**Integration type:** Send

**Product ARN:** `arn:aws-cn:securityhub:<REGION>:062897671886:product/sophos/sophos-server-protection`

Sophos Server Protection defends the critical applications and data at the core of your organization, using comprehensive defense-in-depth techniques.

[Product link](https://www.sophos.com/en-us/products/cloud-native-security/aws)

### StackRox – StackRox Kubernetes Security


**Integration type:** Send

**Product ARN:** `arn:aws-cn:securityhub:<REGION>::product/stackrox/kubernetes-security`

StackRox helps enterprises secure their container and Kubernetes deployments at scale by enforcing their compliance and security policies across the entire container life cycle – build, deploy, and run.

[Product link](https://www.amazonaws.cn/marketplace/pp/B07RP4B4P1)

[Partner documentation](https://help.stackrox.com/docs/integrate-with-other-tools/integrate-with-aws-security-hub/)

### Sumo Logic – Machine Data Analytics


**Integration type:** Send

**Product ARN:** `arn:aws-cn:securityhub:<REGION>:956882708938:product/sumologicinc/sumologic-mda`

Sumo Logic is a secure, machine data analytics platform that enables development and security operations teams to build, run, and secure their Amazon applications.

[Product link](https://www.sumologic.com/application/aws-security-hub/)

[Partner documentation](https://help.sumologic.com/07Sumo-Logic-Apps/01Amazon_and_AWS/AWS_Security_Hub)

### Symantec – Cloud Workload Protection


**Integration type:** Send

**Product ARN:** `arn:aws-cn:securityhub:<REGION>:754237914691:product/symantec-corp/symantec-cwp`

Cloud Workload Protection provides complete protection for your Amazon EC2 instances with antimalware, intrusion prevention, and file integrity monitoring.

[Product link](https://www.broadcom.com/products/cyber-security/endpoint/hybrid-cloud/cloud-workload-protection)

[Partner documentation](https://help.symantec.com/cs/scwp/SCWP/v130271667_v111037498/Intergration-with-AWS-Security-Hub/?locale=EN_US&sku=CWP_COMPUTE)

### Tenable – Tenable.io


**Integration type:** Send

**Product ARN:** `arn:aws-cn:securityhub:<REGION>:422820575223:product/tenable/tenable-io`

Accurately identify, investigate, and prioritize vulnerabilities. Managed in the cloud.

[Product link](https://www.tenable.com/)

[Partner documentation](https://github.com/tenable/Security-Hub)

### Trend Micro – Cloud One


**Integration type:** Send

**Product ARN:** `arn:aws:securityhub:<REGION>::product/trend-micro/cloud-one`

Trend Micro Cloud One provides the right security information to teams at the right time and place. This integration sends security findings to Security Hub CSPM in real time, enhancing visibility into your Amazon resources and Trend Micro Cloud One event details in Security Hub CSPM.

[Amazon Marketplace link](https://www.amazonaws.cn/marketplace/pp/prodview-g232pyu6l55l4)

[Partner documentation](https://cloudone.trendmicro.com/docs/integrations/aws-security-hub/)

### Vectra – Cognito Detect


**Integration type:** Send

**Product ARN:** `arn:aws-cn:securityhub:<REGION>:978576646331:product/vectra-ai/cognito-detect`

Vectra is transforming cybersecurity by applying advanced AI to detect and respond to hidden cyberattackers before they can steal or cause damage.

[Amazon Marketplace link](https://www.amazonaws.cn/marketplace/pp/prodview-x2mabtjqsjb2w)

[Partner documentation](https://cognito-resource-guide.s3.us-west-2.amazonaws.com/Vectra_AWS_SecurityHub_Integration_Guide.pdf)

### Wiz – Wiz Security


**Integration type:** Send

**Product ARN:** `arn:aws-cn:securityhub:<REGION>::product/wiz-security/wiz-security`

Wiz continuously analyzes configurations, vulnerabilities, networks, IAM settings, secrets, and more across your Amazon Web Services accounts, users, and workloads to discover critical issues that represent actual risk. Integrate Wiz with Security Hub CSPM to visualize and respond to issues that Wiz detects from the Security Hub CSPM console.

[Amazon Marketplace link](https://www.amazonaws.cn/marketplace/pp/prodview-wgtgfzwbk4ahy)

[Partner documentation](https://docs.wiz.io/wiz-docs/docs/security-hub-integration)

## Third-party integrations that receive findings from Security Hub CSPM


The following third-party partner product integrations can receive findings from Security Hub CSPM. Where noted, the product might also update findings. In this case, updates that you make to findings in the partner product are also reflected in Security Hub CSPM.

### Atlassian – Jira Service Management


**Integration type:** Receive and update

The Amazon Service Management Connector for Jira sends findings from Security Hub CSPM to Jira. Jira issues are created based on the findings. When the Jira issues are updated, the corresponding findings are updated in Security Hub CSPM.

The integration only supports Jira Server and Jira Data Center.

[Product link](https://www.atlassian.com/software/jira/service-management)

[Partner documentation](https://docs.amazonaws.cn/servicecatalog/latest/adminguide/integrations-jiraservicedesk.html)

### Atlassian – Jira Service Management Cloud


**Integration type:** Receive and update

Jira Service Management Cloud is the cloud component of Jira Service Management.

The Amazon Service Management Connector for Jira sends findings from Security Hub CSPM to Jira. The findings trigger the creation of issues in Jira Service Management Cloud. When you update those issues in Jira Service Management Cloud, the corresponding findings are also updated in Security Hub CSPM.

[Product link](https://marketplace.atlassian.com/apps/1221283/aws-service-management-connector-for-jsm?tab=overview&hosting=cloud)

[Partner documentation](https://docs.aws.amazon.com/smc/latest/ag/integrations-jsmcloud.html)

### Atlassian – Opsgenie


**Integration type:** Receive

Opsgenie is a modern incident management solution for operating always-on services, empowering development and operations teams to plan for service disruptions and stay in control during incidents.

Integrating with Security Hub CSPM ensures that mission critical security-related incidents are routed to the appropriate teams for immediate resolution.

[Product link](https://www.atlassian.com/software/opsgenie)

[Partner documentation](https://docs.opsgenie.com/docs/amazon-security-hub-integration-bidirectional)

### Dynatrace


**Integration type:** Receive

The Dynatrace integration with Security Hub CSPM helps to unify, visualize, and automate security findings across tools and environments. Adding Dynatrace runtime context to security findings allows smarter prioritization, helps reduce noise from alerts, and focuses your DevSecOps teams on efficiently remedying the critical issues that affect your production environments and applications.

[Product link](https://www.dynatrace.com/solutions/application-security/)

[Partner documentation](https://docs.dynatrace.com/docs/secure/threat-observability/security-events-ingest/ingest-aws-security-hub)

### Elastic


**Integration type:** Receive

Elastic builds search-powered solutions for security, observability, and search. With the Security Hub CSPM integration, Elastic ingests findings and insights from Security Hub CSPM programmatically, normalizes them for correlation and analytics, and presents unified dashboards and detections in Elastic Security, enabling faster triage and investigation without deploying agents.

[Product link](https://www.elastic.co/blog/elastic-integrates-leading-cloud-security-vendors)

[Partner documentation](https://www.elastic.co/docs/reference/integrations/aws/securityhub)

### Fortinet – FortiCNP


**Integration type:** Receive

FortiCNP is a Cloud Native Protection product that aggregates security findings into actionable insights and prioritizes security insights based on risk score to reduce alert fatigue and accelerate remediation.

[Amazon Marketplace link](https://aws.amazon.com/marketplace/pp/prodview-vl24vc3mcb5ak)

[Partner documentation](https://docs.fortinet.com/document/forticnp/22.3.a/online-help/467775/aws-security-hub-configuration)

### IBM – QRadar


**Integration type:** Receive

IBM QRadar SIEM provides security teams with the ability to quickly and accurately detect, prioritize, investigate, and respond to threats.

[Product link](https://www.ibm.com/docs/en/qradar-common?topic=app-aws-security-hub-integration)

[Partner documentation](https://www.ibm.com/docs/en/qradar-common?topic=configuration-integrating-aws-security-hub)

### Logz.io Cloud SIEM


**Integration type:** Receive

Logz.io is a provider of Cloud SIEM that provides advanced correlation of log and event data to help security teams to detect, analyze, and respond to security threats in real time.

[Product link](https://logz.io/solutions/cloud-monitoring-aws/)

[Partner documentation](https://docs.logz.io/shipping/security-sources/aws-security-hub.html)

### MetricStream – CyberGRC


**Integration type:** Receive

MetricStream CyberGRC helps you manage, measure, and mitigate cybersecurity risks. By receiving Security Hub CSPM findings, CyberGRC provides more visibility into these risks, so you can prioritize cybersecurity investments and comply with IT policies.

[Amazon Marketplace link](https://www.amazonaws.cn/marketplace/pp/prodview-5ph5amfrrmyx4?qid=1616170904192&sr=0-1&ref_=srh_res_product_title)

[Product link](https://www.metricstream.com/)

### MicroFocus – MicroFocus Arcsight


**Integration type:** Receive

ArcSight accelerates effective threat detection and response in real time, integrating event correlation and supervised and unsupervised analytics with response automation and orchestration.

[Product link](https://www.amazonaws.cn/marketplace/pp/B07RM918H7)

[Partner documentation](https://community.microfocus.com/cyberres/productdocs/w/connector-documentation/2768/smartconnector-for-amazon-web-services-security-hub)

### New Relic Vulnerability Management


**Integration type:** Receive

New Relic Vulnerability Management receives security findings from Security Hub CSPM, so you can get a centralized view of security alongside performance telemetry in context across your stack.

[Amazon Marketplace link](https://www.amazonaws.cn/marketplace/pp/prodview-yg3ykwh5tmolg)

[Partner documentation](https://docs.newrelic.com/docs/vulnerability-management/integrations/aws/)

### PagerDuty – PagerDuty


**Integration type:** Receive

The PagerDuty digital operations management platform empowers teams to proactively mitigate customer-impacting issues by automatically turning any signal into the right insight and action.

Amazon users can use the PagerDuty set of Amazon integrations to scale their Amazon and hybrid environments with confidence.

When coupled with Security Hub CSPM aggregated and organized security alerts, PagerDuty allows teams to automate their threat response process and quickly set up custom actions to prevent potential issues.

PagerDuty users who are undertaking a cloud migration project can move quickly, while decreasing the impact of issues that occur throughout the migration lifecycle.

[Product link](https://www.amazonaws.cn/marketplace/pp/prodview-5sf6wkximaixc?ref_=srh_res_product_title)

[Partner documentation](https://support.pagerduty.com/docs/aws-security-hub-integration-guide-pagerduty)

### Palo Alto Networks – Cortex XSOAR


**Integration type:** Receive

Cortex XSOAR is a Security Orchestration, Automation, and Response (SOAR) platform that integrates with your entire security product stack to accelerate incident response and security operations.

[Product link](https://www.amazonaws.cn/marketplace/seller-profile?id=0ed48363-5064-4d47-b41b-a53f7c937314)

[Partner documentation](https://xsoar.pan.dev/docs/reference/integrations/aws---security-hub)

### Palo Alto Networks – VM-Series


**Integration type:** Receive

Palo Alto VM-Series integration with Security Hub CSPM collects threat intelligence and sends it to the VM-Series next-generation firewall as an automatic security policy update that blocks malicious IP address activity.

[Product link](https://github.com/PaloAltoNetworks/pan_aws_security_hub)

[Partner documentation](https://github.com/PaloAltoNetworks/pan_aws_security_hub)

### Rackspace Technology – Cloud Native Security


**Integration type:** Receive

Rackspace Technology provides managed security services on top of native Amazon security products for 24x7x365 monitoring by Rackspace SOC, advanced analysis, and threat remediation.

[Product link](https://www.rackspace.com/managed-aws/capabilities/security)

### Rapid7 – InsightConnect


**Integration type:** Receive

Rapid7 InsightConnect is a security orchestration and automation solution that enables your team to optimize SOC operations with little to no code.

[Product link](https://www.rapid7.com/platform/)

[Partner documentation](https://docs.rapid7.com/insightconnect/aws-security-hub/)

### RSA – RSA Archer


**Integration type:** Receive

RSA Archer IT and Security Risk Management allows you to determine which assets are critical to your business, establish and communicate security policies and standards, detect and respond to attacks, identify and remediate security deficiencies, and establish clear IT risk management best practices.

[Product link](https://community.rsa.com/docs/DOC-111898)

[Partner documentation](https://community.rsa.com/docs/DOC-111898)

### ServiceNow – ITSM


**Integration type:** Receive and update

The ServiceNow integration with Security Hub CSPM allows security findings from Security Hub CSPM to be viewed within ServiceNow ITSM. You can also configure ServiceNow to automatically create an incident or problem when it receives a finding from Security Hub CSPM.

Any updates to these incidents and problems result in updates to the findings in Security Hub CSPM.

[Product link](https://docs.amazonaws.cn/servicecatalog/latest/adminguide/integrations-servicenow.html)

[Partner documentation](https://docs.amazonaws.cn/servicecatalog/latest/adminguide/securityhub-config.html)

### Slack – Slack


**Integration type:** Receive

Slack is a layer of the business technology stack that brings together people, data, and applications. It is a single place where people can effectively work together, find important information, and access hundreds of thousands of critical applications and services to do their best work.

[Product link](https://github.com/aws-samples/aws-securityhub-to-slack)

[Partner documentation](https://docs.amazonaws.cn/chatbot/latest/adminguide/related-services.html)

### Splunk – Splunk Enterprise


**Integration type:** Receive

Splunk uses Amazon CloudWatch Events as a consumer of Security Hub CSPM findings. Send your data to Splunk for advanced security analytics and SIEM.

[Product link](https://splunkbase.splunk.com/app/5767)

[Partner documentation](https://github.com/splunk/splunk-for-securityHub)

### Splunk – Splunk Phantom


**Integration type:** Receive

With the Splunk Phantom application for Amazon Security Hub CSPM, findings are sent to Phantom for automated context enrichment with additional threat intelligence information or to perform automated response actions.

[Product link](https://splunkbase.splunk.com/app/5767)

[Partner documentation](https://splunkphantom.s3.amazonaws.com/phantom-sechub-setup.html)

### ThreatModeler


**Integration type:** Receive

ThreatModeler is an automated threat modeling solution that secures and scales the enterprise software and cloud development life cycle.

[Product link](https://aws.amazon.com/marketplace/pp/B07S65ZLPQ)

[Partner documentation](https://threatmodeler-setup-quickstart.s3.amazonaws.com/ThreatModeler+Setup+Guide/ThreatModeler+Setup+%26+Deployment+Guide.pdf)

### Trellix – Trellix Helix


**Integration type:** Receive

Trellix Helix is a cloud-hosted security operations platform that allows organizations to take control of any incident from alert to fix.

[Product link](https://www.trellix.com/en-us/products/helix.html)

[Partner documentation](https://docs.trellix.com/bundle/fe-helix-enterprise-landing/)

## Third-party integrations that send findings to and receive findings from Security Hub CSPM


The following third-party partner product integrations can send findings to and receive findings from Security Hub CSPM.

### Caveonix – Caveonix Cloud


**Integration type:** Send and receive

**Product ARN:** `arn:aws-cn:securityhub:<REGION>::product/caveonix/caveonix-cloud`

The Caveonix AI-powered platform automates visibility, assessment, and mitigation in hybrid clouds, covering cloud-native services, VMs, and containers. Integrated with Amazon Security Hub CSPM, Caveonix merges Amazon data and advanced analytics for insights into security alerts and compliance.

[Amazon Marketplace link](https://www.amazonaws.cn/marketplace/pp/prodview-v6nlnxa5e67es)

[Partner documentation](https://support.caveonix.com/hc/en-us/articles/18171468832529-App-095-How-to-Integration-AWS-Security-Hub-with-Caveonix-Cloud-)

### Cloud Custodian – Cloud Custodian


**Integration type:** Send and receive

**Product ARN:** `arn:aws-cn:securityhub:<REGION>::product/cloud-custodian/cloud-custodian`

Cloud Custodian helps users keep their cloud environments well managed. Its simple YAML DSL lets you define rules that keep your cloud infrastructure both secure and cost optimized.

[Product link](https://cloudcustodian.io/docs/aws/topics/securityhub.html)

[Partner documentation](https://cloudcustodian.io/docs/aws/topics/securityhub.html)

### DisruptOps, Inc. – DisruptOPS


**Integration type:** Send and receive

**Product ARN:** `arn:aws-cn:securityhub:<REGION>::product/disruptops-inc/disruptops`

The DisruptOps Security Operations Platform helps organizations maintain security best practices in their cloud through the use of automated guardrails.

[Product link](https://disruptops.com/ad/securityhub-isa/)

[Partner documentation](https://disruptops.com/securityhub/)

### Kion


**Integration type:** Send and receive

**Product ARN:** `arn:aws-cn:securityhub:<REGION>::product/cloudtamerio/cloudtamerio`

Kion (formerly cloudtamer.io) is a complete cloud governance solution for Amazon. Kion gives stakeholders visibility into cloud operations and helps cloud users manage accounts, control budget and cost, and ensure continuous compliance.

[Product link](https://kion.io/partners/aws)

[Partner documentation](https://support.kion.io/hc/en-us/articles/360046647551-AWS-Security-Hub)

### Turbot – Turbot


**Integration type:** Send and receive

**Product ARN:** `arn:aws-cn:securityhub:<REGION>::product/turbot/turbot`

Turbot ensures that your cloud infrastructure is secure, compliant, scalable, and cost optimized.

[Product link](https://turbot.com/features/)

[Partner documentation](https://turbot.com/blog/2018/11/aws-security-hub/)

# Integrating Security Hub CSPM with custom products
Custom product integrations

In addition to findings generated by integrated Amazon services and third-party products, Amazon Security Hub CSPM can consume findings that are generated by other custom security products.

You can send these findings to Security Hub CSPM by using the [BatchImportFindings](https://docs.amazonaws.cn//securityhub/1.0/APIReference/API_BatchImportFindings.html) operation of the Security Hub CSPM API. You can use the same operation to update findings from custom products that you already sent to Security Hub CSPM.

When setting up the custom integration, use the [guidelines and checklists](https://docs.amazonaws.cn/securityhub/latest/partnerguide/integration-guidelines-checklists.html) provided in the *Security Hub CSPM Partner Integration Guide*.

## Requirements and recommendations for custom product integrations


Before you can successfully invoke the [BatchImportFindings](https://docs.amazonaws.cn//securityhub/1.0/APIReference/API_BatchImportFindings.html) API operation, you must enable Security Hub CSPM.

You must also provide finding details for the custom product using the [Amazon Security Finding Format (ASFF)](securityhub-findings-format.md). Review the following requirements and recommendations for custom product integrations:

**Setting the product ARN**  
When you enable Security Hub CSPM, a default product Amazon Resource Name (ARN) for Security Hub CSPM is generated in your current account.  
This product ARN has the following format: `arn:aws-cn:securityhub:<region>:<account-id>:product/<account-id>/default`. For example, `arn:aws-cn:securityhub:us-west-2:123456789012:product/123456789012/default`.  
Use this product ARN as the value for the [ProductArn](https://docs.amazonaws.cn//securityhub/1.0/APIReference/API_AwsSecurityFinding.html#securityhub-Type-AwsSecurityFinding-ProductArn) attribute when invoking the `BatchImportFindings` API operation.

**Setting the company and product names**  
You can use `BatchImportFindings` to set a preferred company name and product name for the custom integration that is sending findings to Security Hub CSPM.  
Your specified names replace the preconfigured company name and product name, called personal name and default name respectively, and appear in the Security Hub CSPM console and the JSON of each finding. See [BatchImportFindings for finding providers](finding-update-batchimportfindings.md).

**Setting the finding IDs**  
You must supply, manage, and increment your own finding IDs, using the [Id](https://docs.amazonaws.cn//securityhub/1.0/APIReference/API_AwsSecurityFinding.html#securityhub-Type-AwsSecurityFinding-Id) attribute.  
Each new finding should have a unique finding ID. If the custom product sends multiple findings with the same finding ID, Security Hub CSPM only processes the first finding.

**Setting the account ID**  
You must specify your own account ID, using the [AwsAccountId](https://docs.amazonaws.cn//securityhub/1.0/APIReference/API_AwsSecurityFinding.html#securityhub-Type-AwsSecurityFinding-AwsAccountId) attribute.

**Setting the created at and updated at dates**  
You must supply your own timestamps for the [CreatedAt](https://docs.amazonaws.cn//securityhub/1.0/APIReference/API_AwsSecurityFinding.html#securityhub-Type-AwsSecurityFinding-CreatedAt) and [UpdatedAt](https://docs.amazonaws.cn//securityhub/1.0/APIReference/API_AwsSecurityFinding.html#securityhub-Type-AwsSecurityFinding-UpdatedAt) attributes.

## Updating findings from custom products


In addition to sending new findings from custom products, you can also use the [BatchImportFindings](https://docs.amazonaws.cn//securityhub/1.0/APIReference/API_BatchImportFindings.html) API operation to update existing findings from custom products.

To update existing findings, use the existing finding ID (via the [Id](https://docs.amazonaws.cn//securityhub/1.0/APIReference/API_AwsSecurityFinding.html#securityhub-Type-AwsSecurityFinding-Id) attribute). Resend the full finding with the appropriate information updated in the request, including a modified [UpdatedAt](https://docs.amazonaws.cn//securityhub/1.0/APIReference/API_AwsSecurityFinding.html#securityhub-Type-AwsSecurityFinding-UpdatedAt) timestamp.
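The following Python module is an added example (not code from the Security Hub CSPM documentation or the Security Hub API) that applies the requirements of the two sections above to a custom product. It derives the default product ARN from a Region and account ID, builds a finding whose `Id`, `AwsAccountId`, `CreatedAt` and `UpdatedAt` the provider supplies, validates those fields before they would be sent with `BatchImportFindings`, produces an update by resending the full finding with a later `UpdatedAt`, and drops duplicate IDs from a batch because only the first finding per ID is processed. The set of attributes it treats as required, the `GeneratorId` value and the sample resource are assumptions of the example; the ARN format and the ID and timestamp rules follow the text. It uses only the standard library and does not call the service.

```python
"""Build, validate and refresh ASFF findings for a custom product integration.

Added example; the REQUIRED set and the GeneratorId value are assumptions,
the product ARN format and the Id/AwsAccountId/CreatedAt/UpdatedAt rules
come from the documentation text.
"""
import re
import uuid
from datetime import datetime, timezone

# Default product ARN: arn:<partition>:securityhub:<region>:<account>:product/<account>/default
DEFAULT_PRODUCT_ARN = re.compile(
    r"arn:[^:]+:securityhub:[^:]+:(\d{12}):product/(\d{12})/default"
)
# Top-level attributes this example treats as mandatory (assumption).
REQUIRED = ("SchemaVersion", "Id", "ProductArn", "GeneratorId", "AwsAccountId",
            "CreatedAt", "UpdatedAt", "Title", "Description", "Resources")


def default_product_arn(region, account_id, partition="aws-cn"):
    """The product ARN Security Hub generates when it is enabled in an account."""
    return f"arn:{partition}:securityhub:{region}:{account_id}:product/{account_id}/default"


def iso_now():
    """ASFF timestamps: ISO 8601, millisecond precision, UTC ('Z' suffix)."""
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"


def parse_ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def new_finding(region, account_id, title, description, resource_id,
                severity_label, finding_id=None, now=None):
    """Return a minimal ASFF finding for a custom product.

    Severity and Types are placed in FindingProviderFields, as the
    BatchImportFindings guidance recommends, not in the top-level attributes.
    """
    ts = now or iso_now()
    return {
        "SchemaVersion": "2018-10-08",
        "Id": finding_id or str(uuid.uuid4()),      # the provider owns uniqueness
        "ProductArn": default_product_arn(region, account_id),
        "GeneratorId": "custom-scanner/example-check",  # constructed value
        "AwsAccountId": account_id,
        "CreatedAt": ts,
        "UpdatedAt": ts,
        "Title": title,
        "Description": description,
        "Resources": [{"Type": "Other", "Id": resource_id}],
        "FindingProviderFields": {
            "Severity": {"Label": severity_label},
            "Types": ["Software and Configuration Checks/Vulnerabilities"],
        },
    }


def validate_finding(finding):
    """Return a list of problems; an empty list means the finding passes."""
    problems = [f"missing {k}" for k in REQUIRED if not finding.get(k)]
    if problems:
        return problems
    m = DEFAULT_PRODUCT_ARN.fullmatch(finding["ProductArn"])
    if not m:
        problems.append("ProductArn is not the default product ARN format")
    elif m.group(1) != m.group(2):
        problems.append("ProductArn account segments disagree")
    elif m.group(1) != finding["AwsAccountId"]:
        problems.append("AwsAccountId does not match the ProductArn account")
    try:
        if parse_ts(finding["UpdatedAt"]) < parse_ts(finding["CreatedAt"]):
            problems.append("UpdatedAt precedes CreatedAt")
    except ValueError:
        problems.append("CreatedAt/UpdatedAt are not ISO 8601 timestamps")
    return problems


def update_finding(existing, now, **changes):
    """Resend the full finding with a later UpdatedAt; an update whose
    UpdatedAt is not later than the stored one is ignored by Security Hub."""
    if parse_ts(now) <= parse_ts(existing["UpdatedAt"]):
        raise ValueError("UpdatedAt must move forward for the update to apply")
    updated = {**existing, **changes, "UpdatedAt": now}
    updated["Id"] = existing["Id"]              # same Id: update, not create
    updated["CreatedAt"] = existing["CreatedAt"]
    return updated


def dedupe_batch(findings):
    """Security Hub processes only the first finding per Id in a request."""
    seen, kept = set(), []
    for f in findings:
        if f["Id"] not in seen:
            seen.add(f["Id"])
            kept.append(f)
    return kept
```

The resulting dictionaries are what you would place in the `Findings` list of a `BatchImportFindings` request; running `validate_finding` first catches the account and ARN mismatches that otherwise surface only as `FailedFindings` entries in the response.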

## Example custom integrations


You can use the following example custom product integrations as a guide to create your own custom solutions:

**Sending findings from Chef InSpec scans to Security Hub CSPM**  
You can create an Amazon CloudFormation template that runs a [Chef InSpec](https://www.chef.io/products/chef-inspec/) compliance scan and then sends findings to Security Hub CSPM.  
For more details, see [Continuous compliance monitoring with Chef InSpec and Amazon Security Hub CSPM](https://amazonaws-china.com/blogs/security/continuous-compliance-monitoring-with-chef-inspec-and-aws-security-hub/).

**Sending container vulnerabilities detected by Trivy to Security Hub CSPM**  
You can create an Amazon CloudFormation template that uses [AquaSecurity Trivy](https://github.com/aquasecurity/trivy) to scan containers for vulnerabilities, and then sends those vulnerability findings to Security Hub CSPM.  
For more details, see [How to build a CI/CD pipeline for container vulnerability scanning with Trivy and Amazon Security Hub CSPM](https://amazonaws-china.com/blogs/security/how-to-build-ci-cd-pipeline-container-vulnerability-scanning-trivy-and-aws-security-hub/).

# Creating and updating findings in Security Hub CSPM

In Amazon Security Hub CSPM, a *finding* is an observable record of a security check or security-related detection. A finding can originate from one of the following sources:
+ A security check for a control in Security Hub CSPM.
+ An integration with another Amazon Web Services service.
+ An integration with a third-party product.
+ A custom integration.

Security Hub CSPM normalizes findings from all sources into a standard syntax and format called the *Amazon Security Finding Format (ASFF)*. For detailed information about this format, including descriptions of individual ASFF fields, see [Amazon Security Finding Format (ASFF)](securityhub-findings-format.md). If you enable cross-Region aggregation, Security Hub CSPM also aggregates new and updated findings automatically from all linked Regions to an aggregation Region that you specify. For more information, see [Understanding cross-Region aggregation in Security Hub CSPM](finding-aggregation.md).

After a finding is created, it can be updated as follows:
+ A finding provider can use the [BatchImportFindings](https://docs.amazonaws.cn//securityhub/1.0/APIReference/API_BatchImportFindings.html) operation of the Security Hub CSPM API to update general information about the finding. Finding providers can only update findings that they created.
+ A customer can use the Security Hub CSPM console or the [BatchUpdateFindings](https://docs.amazonaws.cn//securityhub/1.0/APIReference/API_BatchUpdateFindings.html) operation of the Security Hub CSPM API to update the status of the investigation into the finding. The `BatchUpdateFindings` operation can also be used by a SIEM, ticketing, incident management, SOAR, or other type of tool on behalf of a customer.

To reduce finding noise and streamline tracking and analysis of individual findings, Security Hub CSPM automatically deletes findings that haven't been updated recently. The timing with which Security Hub CSPM does this depends on whether a finding is active or archived:
+ An *active finding* is a finding whose record state (`RecordState`) is `ACTIVE`. Security Hub CSPM stores active findings for 90 days. If an active finding hasn't been updated for 90 days, it expires and Security Hub CSPM permanently deletes it.
+ An *archived finding* is a finding whose record state (`RecordState`) is `ARCHIVED`. Security Hub CSPM stores archived findings for 30 days. If an archived finding hasn't been updated for 30 days, it expires and Security Hub CSPM permanently deletes it.

For control findings, which are findings that Security Hub CSPM generates from security checks for controls, Security Hub CSPM determines whether a finding has expired based on the value for the `UpdatedAt` field of the finding. If this value was more than 90 days ago for an active finding, Security Hub CSPM permanently deletes the finding. If this value was more than 30 days ago for an archived finding, Security Hub CSPM permanently deletes the finding.

For all other types of findings, Security Hub CSPM determines whether a finding has expired based on the values for the `ProcessedAt` and `UpdatedAt` fields of the finding. Security Hub CSPM compares the values for these fields and determines which is more recent. If the more recent value was more than 90 days ago for an active finding, Security Hub CSPM permanently deletes the finding. If the more recent value was more than 30 days ago for an archived finding, Security Hub CSPM permanently deletes the finding. Finding providers can change the value for the `UpdatedAt` field of one or more findings by using the [BatchImportFindings](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_BatchImportFindings.html) operation of the Security Hub CSPM API.
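As an added illustration of the retention rule in the three paragraphs above (example code, not Security Hub's own logic), the following Python computes when a finding expires from its `RecordState`, `UpdatedAt` and `ProcessedAt` values and lists the findings a provider would have to re-import with a newer `UpdatedAt` to keep. It assumes that control findings can be recognised by the `product/aws/securityhub` suffix of their `ProductArn`; the sample findings and the evaluation time are constructed.

```python
"""Model of the Security Hub CSPM finding-retention rule.

Added example. Assumption: a control finding is one whose ProductArn ends in
':product/aws/securityhub'; every other finding uses the later of ProcessedAt
and UpdatedAt as the reference time.
"""
from datetime import datetime, timedelta, timezone

RETENTION_DAYS = {"ACTIVE": 90, "ARCHIVED": 30}
CONTROL_PRODUCT_SUFFIX = ":product/aws/securityhub"   # assumption, see lead-in


def parse_ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def is_control_finding(finding):
    return finding["ProductArn"].endswith(CONTROL_PRODUCT_SUFFIX)


def reference_time(finding):
    """Timestamp the retention window is measured from."""
    updated = parse_ts(finding["UpdatedAt"])
    if is_control_finding(finding) or "ProcessedAt" not in finding:
        return updated                      # controls: UpdatedAt only
    return max(updated, parse_ts(finding["ProcessedAt"]))


def expires_at(finding):
    days = RETENTION_DAYS[finding["RecordState"]]
    return reference_time(finding) + timedelta(days=days)


def is_expired(finding, now):
    """True once the reference time is more than the retention window ago."""
    return now > expires_at(finding)


def expiring_within(findings, now, days):
    """Ids of findings that will be deleted within `days` unless refreshed."""
    horizon = now + timedelta(days=days)
    return [f["Id"] for f in findings
            if not is_expired(f, now) and expires_at(f) <= horizon]


# Constructed sample findings (only the fields the rule reads).
SAMPLE = [
    {"Id": "ctl-1", "RecordState": "ACTIVE",
     "ProductArn": "arn:aws-cn:securityhub:us-west-2::product/aws/securityhub",
     "UpdatedAt": "2024-02-01T00:00:00Z",
     "ProcessedAt": "2024-05-20T00:00:00Z"},   # ignored for a control finding
    {"Id": "gd-1", "RecordState": "ACTIVE",
     "ProductArn": "arn:aws-cn:securityhub:us-west-2::product/aws/guardduty",
     "UpdatedAt": "2024-02-01T00:00:00Z",
     "ProcessedAt": "2024-05-20T00:00:00Z"},   # the more recent value counts
    {"Id": "cust-1", "RecordState": "ARCHIVED",
     "ProductArn": "arn:aws-cn:securityhub:us-west-2:123456789012:product/123456789012/default",
     "UpdatedAt": "2024-05-10T00:00:00Z"},
]
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)   # constructed evaluation time

if __name__ == "__main__":
    for f in SAMPLE:
        print(f["Id"], "expires", expires_at(f).date(), "expired:", is_expired(f, NOW))
    print("refresh soon:", expiring_within(SAMPLE, NOW, 14))
```

Run against a `GetFindings` export, `expiring_within` gives a provider the list of findings to re-import before they silently disappear; for long-term retention the page's own recommendation, exporting to S3 through an EventBridge rule, still applies.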

For longer-term retention of findings, you can export findings to an S3 bucket. You can do this by using a custom action with an Amazon EventBridge rule. For more information, see [Using EventBridge for automated response and remediation](securityhub-cloudwatch-events.md).

**Topics**
+ [BatchImportFindings for finding providers](finding-update-batchimportfindings.md)
+ [BatchUpdateFindings for customers](finding-update-batchupdatefindings.md)
+ [Reviewing finding details and history in Security Hub CSPM](securityhub-findings-viewing.md)
+ [Filtering findings in Security Hub CSPM](securityhub-findings-manage.md)
+ [Grouping findings in Security Hub CSPM](finding-list-grouping.md)
+ [Setting the workflow status of findings in Security Hub CSPM](findings-workflow-status.md)
+ [Sending findings to a custom Security Hub CSPM action](findings-custom-action.md)
+ [Amazon Security Finding Format (ASFF)](securityhub-findings-format.md)

# BatchImportFindings for finding providers


Finding providers can use the [BatchImportFindings](https://docs.amazonaws.cn//securityhub/1.0/APIReference/API_BatchImportFindings.html) operation to create new findings in Amazon Security Hub CSPM. They can also use this operation to update findings that they created. Finding providers can't update findings that they didn't create.

Customers, SIEMs, ticketing, SOAR, and other types of tools must use the [BatchUpdateFindings](https://docs.amazonaws.cn//securityhub/1.0/APIReference/API_BatchUpdateFindings.html) operation to make updates related to their investigation of findings from finding providers. For more information, see [BatchUpdateFindings for customers](finding-update-batchupdatefindings.md).

When Security Hub CSPM receives a `BatchImportFindings` request to create or update a finding, it automatically generates a **Security Hub Findings - Imported** event in Amazon EventBridge. You can take automated action on that event. For more information, see [Using EventBridge for automated response and remediation](securityhub-cloudwatch-events.md).

## Prerequisites for using `BatchImportFindings`


`BatchImportFindings` must be called by one of the following:
+ The account that is associated with the findings. The identifier of the associated account must match the value of the `AwsAccountId` attribute for the finding.
+ An account that is allow-listed as an official Security Hub CSPM partner integration.

Security Hub CSPM can only accept finding updates for accounts that have Security Hub CSPM enabled. The finding provider also must be enabled. If Security Hub CSPM is disabled, or the finding provider integration is not enabled, then the findings are returned in the `FailedFindings` list, with an `InvalidAccess` error.

## Determining whether to create or update a finding


To determine whether to create or update a finding, Security Hub CSPM checks the `ID` field. If the value of `ID` doesn't match an existing finding, Security Hub CSPM creates a new finding.

If `ID` matches an existing finding, Security Hub CSPM checks the `UpdatedAt` field for the update, and proceeds as follows:
+ If `UpdatedAt` on the update matches or occurs before `UpdatedAt` on the existing finding, Security Hub CSPM ignores the update request.
+ If `UpdatedAt` on the update occurs after `UpdatedAt` on the existing finding, Security Hub CSPM updates the existing finding.

## Restrictions on finding updates with `BatchImportFindings`


Finding providers can't use `BatchImportFindings` to update the following attributes of an existing finding:
+ `Note`
+ `UserDefinedFields`
+ `VerificationState`
+ `Workflow`

Security Hub CSPM ignores any content provided in a `BatchImportFindings` request for these attributes. Customers, or entities acting on their behalf (such as ticketing tools), can use `BatchUpdateFindings` to update these attributes.

## Updating findings with FindingProviderFields


Finding providers also shouldn't use `BatchImportFindings` to update the following top-level attributes in the Amazon Security Finding Format (ASFF):
+ `Confidence`
+ `Criticality`
+ `RelatedFindings`
+ `Severity`
+ `Types`

Instead, finding providers should use the [`FindingProviderFields`](asff-top-level-attributes.md#asff-findingproviderfields) object to provide values for these attributes.

**Example**

```
"FindingProviderFields": {
    "Confidence": 42,
    "Criticality": 99,
    "RelatedFindings":[
      { 
        "ProductArn": "arn:aws-cn:securityhub:us-west-2::product/aws/guardduty", 
        "Id": "123e4567-e89b-12d3-a456-426655440000" 
      }
    ],
    "Severity": {
        "Label": "MEDIUM", 
        "Original": "MEDIUM"
    },
    "Types": [ "Software and Configuration Checks/Vulnerabilities/CVE" ]
}
```

For `BatchImportFindings` requests, Security Hub CSPM handles values in the top-level attributes and in [`FindingProviderFields`](asff-top-level-attributes.md#asff-findingproviderfields) as follows.

**(Preferred) `BatchImportFindings` provides a value for an attribute in [`FindingProviderFields`](asff-top-level-attributes.md#asff-findingproviderfields), but does not provide a value for the corresponding top-level attribute.**  
For example, `BatchImportFindings` provides `FindingProviderFields.Confidence`, but does not provide `Confidence`. This is the preferred option for `BatchImportFindings` requests.  
Security Hub CSPM updates the value of the attribute in `FindingProviderFields`.  
It replicates the value to the top-level attribute only if the attribute wasn't already updated by `BatchUpdateFindings`.

**`BatchImportFindings` provides a value for a top-level attribute, but does not provide a value for the corresponding attribute in `FindingProviderFields`.**  
For example, `BatchImportFindings` provides `Confidence`, but does not provide `FindingProviderFields.Confidence`.  
Security Hub CSPM uses the value to update the attribute in `FindingProviderFields`. It overwrites any existing value.  
Security Hub CSPM updates the top-level attribute only if the attribute was not already updated by `BatchUpdateFindings`.

**`BatchImportFindings` provides a value for both a top-level attribute and the corresponding attribute in `FindingProviderFields`.**  
For example, `BatchImportFindings` provides both `Confidence` and `FindingProviderFields.Confidence`.  
For a new finding, Security Hub CSPM uses the value in `FindingProviderFields` to populate both the top-level attribute and the corresponding attribute in `FindingProviderFields`. It doesn't use the provided top-level attribute value.  
For an existing finding, Security Hub CSPM uses both values. However, it updates the top-level attribute value only if the attribute was not already updated by `BatchUpdateFindings`.
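The following Python is an added example (not Security Hub code) that models, in a local in-memory store, how a `BatchImportFindings` request is applied according to the three sections above: the `Id` and `UpdatedAt` create-or-update decision, the attributes a finding provider cannot change, and the precedence rules between top-level attributes and `FindingProviderFields`. The `batch_update` method stands in for `BatchUpdateFindings` and records which top-level attributes a customer has set, since those are no longer overwritten by later imports. Its return values and the sample findings are constructed.

```python
"""Local model of how a BatchImportFindings request is applied to stored findings.

Added example implementing the documented rules; it is not the service's code.
"""
from datetime import datetime

PROVIDER_FIELDS = ("Confidence", "Criticality", "RelatedFindings", "Severity", "Types")
CUSTOMER_ONLY = ("Note", "UserDefinedFields", "VerificationState", "Workflow")
UPDATABLE_BY_CUSTOMER = PROVIDER_FIELDS + CUSTOMER_ONLY


def parse_ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


class FindingStore:
    def __init__(self):
        self.findings = {}      # Id -> stored ASFF finding
        self.customer_set = {}  # Id -> top-level attrs set through BatchUpdateFindings

    def batch_import(self, findings):
        """Apply a BatchImportFindings request; returns processed/ignored counts."""
        result = {"Processed": 0, "Ignored": 0}
        for incoming in findings:
            # Content supplied for customer-only attributes is ignored on import.
            incoming = {k: v for k, v in incoming.items() if k not in CUSTOMER_ONLY}
            fid = incoming["Id"]
            existing = self.findings.get(fid)
            if existing is None:                          # unknown Id: create
                self.customer_set[fid] = set()
                self.findings[fid] = self._merge(None, incoming, set())
            elif parse_ts(incoming["UpdatedAt"]) <= parse_ts(existing["UpdatedAt"]):
                result["Ignored"] += 1                    # UpdatedAt not later: ignored
                continue
            else:                                         # known Id, later UpdatedAt: update
                self.findings[fid] = self._merge(existing, incoming, self.customer_set[fid])
            result["Processed"] += 1
        return result

    @staticmethod
    def _merge(existing, incoming, customer_set):
        merged = dict(existing) if existing else {}
        fpf = dict(merged.get("FindingProviderFields", {}))
        in_fpf = incoming.get("FindingProviderFields", {})
        for key, value in incoming.items():               # ordinary attributes: overwrite
            if key not in PROVIDER_FIELDS and key != "FindingProviderFields":
                merged[key] = value
        for attr in PROVIDER_FIELDS:
            top, prov = incoming.get(attr), in_fpf.get(attr)
            if top is None and prov is None:
                continue
            if prov is not None and top is None:          # preferred: FindingProviderFields only
                fpf[attr] = top_value = prov
            elif prov is None:                            # top-level only: copied into FPF
                fpf[attr] = top_value = top
            else:                                         # both supplied
                fpf[attr] = prov
                top_value = prov if existing is None else top
            if attr not in customer_set:                  # never clobber a customer's value
                merged[attr] = top_value
        merged["FindingProviderFields"] = fpf
        return merged

    def batch_update(self, fid, **fields):
        """Stand-in for BatchUpdateFindings; it does not touch UpdatedAt."""
        unknown = [k for k in fields if k not in UPDATABLE_BY_CUSTOMER]
        if unknown:
            raise ValueError(f"not updatable through BatchUpdateFindings: {unknown}")
        self.findings[fid].update(fields)
        self.customer_set[fid].update(fields)   # these attrs now belong to the customer
```

The model makes the practical consequence visible: once an analyst has set `Confidence` (or `Severity`, `Workflow`, and so on) through `BatchUpdateFindings`, a provider's re-import still lands in `FindingProviderFields` but no longer changes the top-level value, so detection logic that keys on the top-level attribute sees the analyst's decision, not the scanner's.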

# BatchUpdateFindings for customers


Amazon Security Hub CSPM customers, and entities acting on their behalf, can use the [BatchUpdateFindings](https://docs.amazonaws.cn//securityhub/1.0/APIReference/API_BatchUpdateFindings.html) operation to update information related to the processing of Security Hub CSPM findings from finding providers. As a customer, you can use this operation directly. SIEM, ticketing, incident management, and SOAR tools can also use this operation on behalf of a customer.

You can't use the `BatchUpdateFindings` operation to create new findings. However, you can use it to update up to 100 existing findings at a time. In a `BatchUpdateFindings` request, you specify which findings to update, which Amazon Security Finding Format (ASFF) fields to update for the findings, and the new values for the fields. Security Hub CSPM then updates the findings as specified in your request. This process can take several minutes. If you update findings by using the `BatchUpdateFindings` operation, your updates don't affect existing values for the `UpdatedAt` field of the findings.

When Security Hub CSPM receives a `BatchUpdateFindings` request to update a finding, it automatically generates a **Security Hub Findings – Imported** event in Amazon EventBridge. You can optionally use this event to take automated action on the specified finding. For more information, see [Using EventBridge for automated response and remediation](securityhub-cloudwatch-events.md).

## Available fields for BatchUpdateFindings


If you are signed in to a Security Hub CSPM administrator account, you can use `BatchUpdateFindings` to update findings that were generated by the administrator account or member accounts. Member accounts can use `BatchUpdateFindings` to update findings for their account only.

Customers can use `BatchUpdateFindings` to update the following fields and objects:
+ `Confidence`
+ `Criticality`
+ `Note`
+ `RelatedFindings`
+ `Severity`
+ `Types`
+ `UserDefinedFields`
+ `VerificationState`
+ `Workflow`

## Configuring access to BatchUpdateFindings


You can configure Amazon Identity and Access Management (IAM) policies to restrict access to using `BatchUpdateFindings` to update finding fields and field values.

In a statement to restrict access to `BatchUpdateFindings`, use the following values:
+ `Action` is `securityhub:BatchUpdateFindings`
+ `Effect` is `Deny`
+ For `Condition`, you can deny a `BatchUpdateFindings` request based on the following:
  + The finding includes a specific field.
  + The finding includes a specific field value.

### Condition keys


These are the condition keys for restricting access to `BatchUpdateFindings`.

**ASFF field**  
The condition key for an ASFF field is as follows:  

```
securityhub:ASFFSyntaxPath/<fieldName>
```
Replace `<fieldName>` with the ASFF field. When configuring access to `BatchUpdateFindings`, include one or more specific ASFF fields in your IAM policy rather than a parent-level field. For example, to restrict access to the `Workflow.Status` field, you must include `securityhub:ASFFSyntaxPath/Workflow.Status` in your policy instead of the `Workflow` parent-level field.

### Disallowing all updates to a field


To prevent a user from making any update to a specific field, use a condition like this:

```
"Condition": {
    "Null": {
        "securityhub:ASFFSyntaxPath/<fieldName>": "false"
    }
}
```

For example, the following statement indicates that `BatchUpdateFindings` can't be used to update the `Workflow.Status` field of findings.

```
{
    "Sid": "VisualEditor0",
    "Effect": "Deny",
    "Action": "securityhub:BatchUpdateFindings",
    "Resource": "*",
    "Condition": {
        "Null": {
            "securityhub:ASFFSyntaxPath/Workflow.Status": "false"
        }
    }
}
```

### Disallowing specific field values


To prevent a user from setting a field to a specific value, use a condition like this:

```
"Condition": {
    "StringEquals": {
        "securityhub:ASFFSyntaxPath/<fieldName>": "<fieldValue>"
    }
}
```

For example, the following statement indicates that `BatchUpdateFindings` can't be used to set `Workflow.Status` to `SUPPRESSED`.

```
{
    "Sid": "VisualEditor0",
    "Effect": "Deny",
    "Action": "securityhub:BatchUpdateFindings",
    "Resource": "*",
    "Condition": {
        "StringEquals": {
            "securityhub:ASFFSyntaxPath/Workflow.Status": "SUPPRESSED"
        }
    }
}
```

You can also provide a list of values that are not permitted.

```
"Condition": {
    "StringEquals": {
        "securityhub:ASFFSyntaxPath/<fieldName>": [ "<fieldValue1>", "<fieldValue2>", "<fieldValuen>" ]
    }
}
```

For example, the following statement indicates that `BatchUpdateFindings` can't be used to set `Workflow.Status` to either `RESOLVED` or `SUPPRESSED`.

```
{
    "Sid": "VisualEditor0",
    "Effect": "Deny",
    "Action": "securityhub:BatchUpdateFindings",
    "Resource": "*",
    "Condition": {
        "StringEquals": {
            "securityhub:ASFFSyntaxPath/Workflow.Status": [
                "RESOLVED",
                "SUPPRESSED"
            ]
        }
    }
}
```
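To check how the three deny statements above behave before attaching them, the following Python is an added example (not IAM or Security Hub code) that evaluates `Deny` statements using `securityhub:ASFFSyntaxPath/<fieldName>` condition keys against a `BatchUpdateFindings` request. It models only the two operators the section uses, `Null` and `StringEquals`, and assumes that an `Allow` for `securityhub:BatchUpdateFindings` exists elsewhere in the principal's policies, so a matching `Deny` decides the outcome. The way it derives context keys, by flattening the fields of the request body into dotted paths, is an assumption of this model, as is the treatment of list-valued fields.

```python
"""Evaluate IAM Deny statements with securityhub:ASFFSyntaxPath condition keys.

Added example; models Null and StringEquals only and assumes an Allow exists.
"""
ACTION = "securityhub:BatchUpdateFindings"
KEY_PREFIX = "securityhub:ASFFSyntaxPath/"


def _as_list(v):
    return v if isinstance(v, list) else [v]


def request_context(update_request):
    """Flatten the fields being updated into condition keys, e.g.
    {"Workflow": {"Status": "NEW"}} -> {".../Workflow.Status": "NEW"} (assumption)."""
    ctx = {}

    def walk(path, value):
        if isinstance(value, dict):
            for k, v in value.items():
                walk(f"{path}.{k}", v)
        else:
            ctx[KEY_PREFIX + path] = value

    for field, value in update_request.items():
        if field != "FindingIdentifiers":   # identifiers select findings; they are not updates
            walk(field, value)
    return ctx


def statement_matches(stmt, action, ctx):
    """True if every condition in the statement holds for this request context."""
    if action not in _as_list(stmt["Action"]):
        return False
    for operator, conditions in stmt.get("Condition", {}).items():
        for key, expected in conditions.items():
            present = key in ctx
            if operator == "Null":
                # "Null": {key: "false"} matches when the key IS present in the request.
                if present != (expected == "false"):
                    return False
            elif operator == "StringEquals":
                if not present or not any(v in _as_list(expected) for v in _as_list(ctx[key])):
                    return False
            else:
                raise ValueError(f"operator {operator} not modelled")
    return True


def is_denied(policy, update_request):
    ctx = request_context(update_request)
    return any(s["Effect"] == "Deny" and statement_matches(s, ACTION, ctx)
               for s in policy["Statement"])


def _policy(condition):
    """Wrap one Deny statement, shaped like the examples above, in a policy document."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Deny", "Action": ACTION, "Resource": "*", "Condition": condition}]}


DENY_ANY_STATUS_CHANGE = _policy({"Null": {KEY_PREFIX + "Workflow.Status": "false"}})
DENY_SUPPRESSED = _policy({"StringEquals": {KEY_PREFIX + "Workflow.Status": "SUPPRESSED"}})
DENY_RESOLVED_OR_SUPPRESSED = _policy(
    {"StringEquals": {KEY_PREFIX + "Workflow.Status": ["RESOLVED", "SUPPRESSED"]}})


def status_update(status):
    """Constructed BatchUpdateFindings request body that sets Workflow.Status."""
    return {"FindingIdentifiers": [{"Id": "example-finding-id",
                                    "ProductArn": "arn:aws-cn:securityhub:us-west-2::product/aws/guardduty"}],
            "Workflow": {"Status": status}}
```

The `Null`-based statement blocks every value of `Workflow.Status` while leaving updates to other fields (a `Note`, for instance) alone; the `StringEquals` statements only block the listed values, which is the shape to use when analysts may triage but must not close or suppress findings.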

# Reviewing finding details and history in Security Hub CSPM

In Amazon Security Hub CSPM, a *finding* is an observable record of a security check or security-related detection. Security Hub CSPM generates a finding when it completes a security check of a control and when it ingests a finding from an integrated Amazon Web Services service or third-party product. Each finding includes a history of changes and other details, such as a severity rating and information about the affected resources.

You can review the history and other details of individual findings on the Security Hub CSPM console or programmatically with the Security Hub CSPM API or the Amazon CLI.

To help you streamline your analysis, the Security Hub CSPM console displays a finding panel when you choose a specific finding. The panel includes different menus and tabs for reviewing specific details of a finding.

**Actions menu**  
From this menu, you can review the complete JSON of a finding or add notes. A finding can have only one note attached to it at a time. This menu also provides options to [set the workflow status of a finding](findings-workflow-status.md) or [send a finding to a custom action](findings-custom-action.md) in Amazon EventBridge.

**Investigate menu**  
From this menu, you can investigate a finding in Amazon Detective. Detective extracts entities, such as IP addresses and Amazon users, from a finding and visualizes their activity. You can use the entity activity as a starting point to investigate the cause and impact of a finding.

**Overview tab**  
This tab provides a summary of a finding. For example, you can determine when a finding was created and last updated, in which account it exists, and the source of the finding. For control findings, this tab also shows the name of the associated Amazon Config rule and a link to remediation guidance in the Security Hub CSPM documentation.  
In the **Resources** snapshot on the **Overview** tab, you can get a brief overview of the resources involved in a finding. For some resources, this includes an **Open resource** option, which links directly to an impacted resource on the relevant Amazon Web Services service console. The **History** snapshot shows up to two changes made to the finding on the most recent date for which history is being tracked. For example, if you made one change yesterday and another one today, the snapshot shows today's change. To review earlier entries, switch to the **History** tab.  
The **Compliance** row expands to show more details. For example, if a control includes parameters, you can review the parameter values that Security Hub CSPM currently uses when conducting security checks for the control.

**Resources tab**  
This tab provides details about the resources involved in a finding. If you're signed in to the account that owns a resource, you can review the resource in the applicable Amazon Web Services service console. If you're not the owner of a resource, this tab displays the Amazon Web Services account ID for the owner.  
The **Details** row shows resource-specific details in a finding. It shows the [ResourceDetails](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_ResourceDetails.html) section of the finding in JSON format.  
The **Tags** row shows tag keys and values that are assigned to the resources involved in a finding. Resources that are [supported by the GetResources operation](https://docs.amazonaws.cn/resourcegroupstagging/latest/APIReference/supported-services.html) of the Amazon Resource Groups Tagging API can be tagged. Security Hub CSPM calls this operation by using a [service-linked role](using-service-linked-roles.md) when processing new or updated findings, and retrieves the resource tags if the Amazon Security Finding Format (ASFF) `Resource.Id` field is populated with the ARN of a resource. Security Hub CSPM ignores invalid resource IDs. For more information about the inclusion of resource tags in findings, see [Tags](asff-resources-attributes.md#asff-resources-tags).

**History tab**  
This tab tracks the history of a finding. Finding history is available for active and archived findings. It provides an immutable trail of changes made to a finding over time, including what ASFF field changed, when the change occurred, and by which user. Each page on the tab displays up to 20 changes. More recent changes are displayed first.  
For active findings, finding history is available for up to 90 days. For archived findings, finding history is available for up to 30 days. Finding history includes changes that were made manually, or automatically by [Security Hub CSPM automation rules](automation-rules.md). It doesn't include changes to top-level timestamp fields, such as the `CreatedAt` and `UpdatedAt` fields.  
If you're signed in to a Security Hub CSPM administrator account, finding history is for the administrator account and all member accounts.

**Threat tab**  
This tab includes data from the [Action](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_Action.html), [Malware](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_Malware.html), and [Process](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_Process.html) objects of the ASFF, including the type of threat and whether a resource is the target or actor. These details typically apply to findings that originate in Amazon GuardDuty.

**Vulnerabilities tab**  
This tab displays data from the [Vulnerability](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_Vulnerability.html) object of the ASFF, including whether there are exploits or available fixes associated with a finding. These details typically apply to findings that originate in Amazon Inspector.

The rows on each tab include a copy or filter option. For example, if you open the panel for a finding that has a workflow status of **Notified**, you can choose the filter option next to the **Workflow status** row. If you choose **Show all findings with this value**, Security Hub CSPM filters the findings table and displays only findings with the same workflow status.

## Reviewing finding details and history


Choose your preferred method, and follow the steps to review finding details in Security Hub CSPM.

If you enable cross-Region aggregation and sign in to the aggregation Region, finding data includes data from the aggregation Region and linked Regions. In other Regions, finding data is specific to that Region only. For more information about cross-Region aggregation, see [Understanding cross-Region aggregation in Security Hub CSPM](finding-aggregation.md).

------
#### [ Security Hub CSPM console ]

**Reviewing finding details and history**

1. Open the Amazon Security Hub CSPM console at [https://console.amazonaws.cn/securityhub/](https://console.amazonaws.cn/securityhub/).

1. To display a finding list, do one of the following:
   + In the navigation pane, choose **Findings**. Add search filters as necessary to narrow the finding list.
   + In the navigation pane, choose **Insights**. Choose an insight. Then, in the results list, choose an insight result.
   + In the navigation pane, choose **Integrations**. Choose **See findings** for an integration.
   + In the navigation pane, choose **Controls**.

1. Choose a finding. The finding panel displays the details of the finding.

1. In the finding panel, do any of the following:
   + To review specific details for the finding, choose a tab.
   + To take action on the finding, choose an option from the **Actions** menu.
   + To investigate the finding in Amazon Detective, choose an **Investigate** option.

**Note**  
If you integrate with Amazon Organizations and you're signed in to a member account, the finding panel includes the account name. For member accounts that are invited manually, instead of through Organizations, the finding panel includes only the account ID.

------
#### [ Security Hub CSPM API ]

Use the [GetFindings](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_GetFindings.html) operation of the Security Hub CSPM API, or if you're using the Amazon CLI, run the [get-findings](https://docs.amazonaws.cn/cli/latest/reference/securityhub/get-findings.html) command. You can provide one or more values for the `Filters` parameter to narrow the findings to retrieve.

If the volume of results is too large, you can use the `MaxResults` parameter to limit the findings to a specified number and the `NextToken` parameter to paginate findings. Use the `SortCriteria` parameter to sort the findings by a specific field.

For example, the following Amazon CLI command retrieves the findings that match the specified filter criteria, and sorts the results in descending order by the `LastObservedAt` field. This example is formatted for Linux, macOS, or Unix, and it uses the backslash (\\) line-continuation character to improve readability.

```
$ aws securityhub get-findings \
--filters '{"GeneratorId":[{"Value": "aws-foundational","Comparison":"PREFIX"}],"WorkflowStatus": [{"Value": "NEW","Comparison":"EQUALS"}],"Confidence": [{"Gte": 85}]}' \
--sort-criteria '{"Field": "LastObservedAt","SortOrder": "desc"}' \
--page-size 5 \
--max-items 100
```

To review finding history, use the [GetFindingHistory](https://docs.amazonaws.cn//securityhub/1.0/APIReference/API_GetFindingHistory.html) operation. If you're using the Amazon CLI, run the [get-finding-history](https://docs.amazonaws.cn/cli/latest/reference/securityhub/get-finding-history.html) command. Identify the finding that you want to get history for with the `ProductArn` and `Id` fields. For information about these fields, see [AwsSecurityFindingIdentifier](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_AwsSecurityFindingIdentifier.html). Each request can retrieve the history for only one finding.

For example, the following Amazon CLI command retrieves the history for the specified finding. This example is formatted for Linux, macOS, or Unix, and it uses the backslash (\\) line-continuation character to improve readability.

```
$ aws securityhub get-finding-history \
--region us-west-2 \
--finding-identifier Id="a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",ProductArn="arn:aws-cn:securityhub:us-west-2:123456789012:product/123456789012/default" \
--max-results 2 \
--start-time "2021-09-30T15:53:35.573Z" \
--end-time "2021-09-31T15:53:35.573Z"
```

------
#### [ PowerShell ]

Use the `Get-SHUBFinding` cmdlet. Optionally populate the `Filter` parameter to narrow the findings to retrieve.

For example, the following cmdlet retrieves the findings that match the specified filters.

```
Get-SHUBFinding -Filter @{AwsAccountId = [Amazon.SecurityHub.Model.StringFilter]@{Comparison = "EQUALS"; Value = "XXX"};ComplianceStatus = [Amazon.SecurityHub.Model.StringFilter]@{Comparison = "EQUALS"; Value = 'FAILED'}}
```

------

**Note**  
If you filter findings by `CompanyName` or `ProductName`, Security Hub CSPM uses the values that are part of the `ProductFields` ASFF object. Security Hub CSPM doesn't use the top-level `CompanyName` and `ProductName` fields.

# Filtering findings in Security Hub CSPM

Amazon Security Hub CSPM generates its own findings from security checks and receives findings from integrated products. You can display a list of findings on the **Findings**, **Integrations**, and **Insights** pages of the Security Hub CSPM console. You can add filters to narrow a finding list so that the list is relevant to your organization or use case.

For information about filtering findings for a specific security control, see [Filtering and sorting control findings](control-finding-list.md). The information on this page applies to the **Findings**, **Insights**, and **Integrations** pages.

## Default filters on finding lists


By default, finding lists on the Security Hub CSPM console are filtered based on the `RecordState` and `Workflow.Status` fields of the Amazon Security Finding Format (ASFF). This is in addition to the filters for a specific insight or integration.

Record state indicates whether a finding is active or archived. By default, a finding list only shows active findings. A finding provider can archive a finding if it's no longer active or important. Security Hub CSPM also automatically archives control findings if the associated resource is deleted.

Workflow status indicates the status of an investigation into a finding. By default, a finding list only shows findings with a workflow status of `NEW` or `NOTIFIED`. You can update the workflow status of a finding.

## Instructions for adding filters


You can filter a finding list by up to ten attributes. For each attribute, you can provide up to 20 filter values.

When filtering the finding list, Security Hub CSPM applies `AND` logic to the set of filters. A finding matches only if it matches all of the provided filters. For example, if you add GuardDuty as a filter for **Product name**, and `AwsS3Bucket` as a filter for **Resource type**, Security Hub CSPM displays findings that match both of these criteria.

Security Hub CSPM applies `OR` logic to filters that use the same attribute but different values. For example, if you add both GuardDuty and Amazon Inspector as filter values for **Product name**, Security Hub CSPM displays findings that were generated by either GuardDuty or Amazon Inspector.

**To add filters to a findings list (console)**

1. Open the Amazon Security Hub CSPM console at [https://console.amazonaws.cn/securityhub/](https://console.amazonaws.cn/securityhub/).

1. To display a findings list, take one of the following actions from the navigation pane:
   + Choose **Findings**.
   + Choose **Insights**. Choose an insight. Then, on the results list, choose an insight result.
   + Choose **Integrations**. Choose **See findings** for an integration.

1. In the **Add filters** box, select one or more fields to filter by.

   When you filter by **Company name** or **Product name**, the console uses the top-level `CompanyName` and `ProductName` fields of the Amazon Security Finding Format (ASFF). The API uses the values that are nested under `ProductFields`.

1. Choose the filter match type.

   For a string filter, you can choose from the following options:
   + **is** – Find a value that exactly matches the filter value.
   + **starts with** – Find a value that starts with the filter value.
   + **is not** – Find a value that does not match the filter value.
   + **does not start with** – Find a value that does not start with the filter value.

   For the **Resource tags** field, you can filter based on specific keys or values.

   For a numeric filter, you can choose whether to provide a single number (**Simple**) or a range of numbers (**Range**).

   For a date or time filter, you can choose whether to provide a length of time from the current date and time (**Rolling window**) or a specific date range (**Fixed range**).

   Adding multiple filters has the following interactions:
   + **is** and **starts with** filters are joined by OR. A finding matches if its value satisfies any of those filters. For example, if you specify **Severity label is CRITICAL** and **Severity label is HIGH**, the results include both critical and high severity findings.
   + **is not** and **does not start with** filters are joined by AND. A finding matches only if its value satisfies all of those filters. For example, if you specify **Severity label is not LOW** and **Severity label is not MEDIUM**, the results don't include low or medium severity findings.

   If you have an **is** filter on a field, you can't have an **is not** or a **does not start with** filter on the same field.

1. Specify the filter value. For string filters, the filter value is case sensitive.

1. Choose **Apply**.

   For an existing filter, you can change the filter match type or value. On a filtered finding list, choose the filter. In the **Edit filter** box, choose the new match type or value, and then choose **Apply**.

   To remove a filter, choose the **x** icon. The list is updated automatically to reflect the change.
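The filter semantics described above (AND across attributes, OR between **is**/**starts with** values, AND between **is not**/**does not start with** values, case-sensitive matching, the default `RecordState`/`Workflow.Status` filters, and the rule against mixing **is** with **is not** on one field), implemented in Python as an added example that is not code from this documentation or from Security Hub. Filters use the `AwsSecurityFindingFilters` shape that `GetFindings` accepts, so you can dry-run a filter set against exported findings before using it in an API call or an automation rule. Assumptions: `ProductName` and `CompanyName` are read from the `ProductFields` keys `aws/securityhub/ProductName` and `aws/securityhub/CompanyName`, a finding with no value for an attribute satisfies only negative filters, and the sample findings are constructed.

```python
"""Local evaluation of Security Hub finding filters (added example)."""

POSITIVE = {"EQUALS", "PREFIX"}                 # console "is" / "starts with"
NEGATIVE = {"NOT_EQUALS", "PREFIX_NOT_EQUALS"}  # console "is not" / "does not start with"
MAX_ATTRIBUTES, MAX_VALUES = 10, 20

# Filter attribute -> path inside the ASFF finding ("*" walks a list).
FIELD_PATHS = {
    "AwsAccountId": ("AwsAccountId",),
    "SeverityLabel": ("Severity", "Label"),
    "WorkflowStatus": ("Workflow", "Status"),
    "RecordState": ("RecordState",),
    "ComplianceStatus": ("Compliance", "Status"),
    "ProductName": ("ProductFields", "aws/securityhub/ProductName"),   # assumption
    "CompanyName": ("ProductFields", "aws/securityhub/CompanyName"),   # assumption
    "ResourceType": ("Resources", "*", "Type"),
}

# What the console applies when you open a finding list.
DEFAULT_FILTERS = {
    "RecordState": [{"Value": "ACTIVE", "Comparison": "EQUALS"}],
    "WorkflowStatus": [{"Value": "NEW", "Comparison": "EQUALS"},
                       {"Value": "NOTIFIED", "Comparison": "EQUALS"}],
}


def _values(obj, path):
    """Collect the string value(s) found at `path`; "*" expands a list."""
    if not path:
        return [obj] if isinstance(obj, str) else []
    head, rest = path[0], path[1:]
    if head == "*":
        return [v for item in (obj or []) for v in _values(item, rest)]
    if isinstance(obj, dict) and head in obj:
        return _values(obj[head], rest)
    return []


def _compare(value, comparison, pattern):
    if comparison == "EQUALS":
        return value == pattern                 # string filters are case sensitive
    if comparison == "PREFIX":
        return value.startswith(pattern)
    if comparison == "NOT_EQUALS":
        return value != pattern
    if comparison == "PREFIX_NOT_EQUALS":
        return not value.startswith(pattern)
    raise ValueError(f"unsupported comparison {comparison!r}")


def validate_filters(filters):
    """Enforce the console limits and the no-mixing rule per attribute."""
    if len(filters) > MAX_ATTRIBUTES:
        raise ValueError(f"more than {MAX_ATTRIBUTES} filter attributes")
    for attr, clauses in filters.items():
        if attr not in FIELD_PATHS:
            raise ValueError(f"unknown filter attribute {attr!r}")
        if len(clauses) > MAX_VALUES:
            raise ValueError(f"more than {MAX_VALUES} values for {attr}")
        kinds = {c["Comparison"] for c in clauses}
        if "EQUALS" in kinds and kinds & NEGATIVE:
            raise ValueError(f"{attr}: 'is' cannot be combined with 'is not' or 'does not start with'")


def _attribute_matches(values, clauses):
    positives = [c for c in clauses if c["Comparison"] in POSITIVE]
    negatives = [c for c in clauses if c["Comparison"] in NEGATIVE]
    # OR across positive clauses: some value must satisfy some clause.
    if positives and not any(_compare(v, c["Comparison"], c["Value"])
                             for c in positives for v in values):
        return False
    # AND across negative clauses: every value must pass every clause.
    return all(_compare(v, c["Comparison"], c["Value"]) for c in negatives for v in values)


def apply_filters(findings, filters, include_defaults=True):
    """Return Ids of findings matching every attribute (AND across attributes)."""
    active = dict(DEFAULT_FILTERS) if include_defaults else {}
    active.update(filters)          # an explicit filter replaces the default for that attribute
    validate_filters(active)
    return [f["Id"] for f in findings
            if all(_attribute_matches(_values(f, FIELD_PATHS[attr]), clauses)
                   for attr, clauses in active.items())]


def _finding(fid, product, severity, resource_types, record_state="ACTIVE", workflow="NEW"):
    """Constructed minimal ASFF finding; real findings carry many more fields."""
    return {"Id": fid, "AwsAccountId": "123456789012", "RecordState": record_state,
            "Severity": {"Label": severity}, "Workflow": {"Status": workflow},
            "ProductFields": {"aws/securityhub/ProductName": product,
                              "aws/securityhub/CompanyName": "Amazon"},
            "Resources": [{"Type": t, "Id": f"{t}-example"} for t in resource_types]}


SAMPLE_FINDINGS = [
    _finding("f1", "GuardDuty", "HIGH", ["AwsEc2Instance"]),
    _finding("f2", "GuardDuty", "LOW", ["AwsS3Bucket"]),
    _finding("f3", "Inspector", "CRITICAL", ["AwsEc2Instance"], workflow="NOTIFIED"),
    _finding("f4", "Security Hub", "MEDIUM", ["AwsS3Bucket"], workflow="RESOLVED"),
    _finding("f5", "GuardDuty", "CRITICAL", ["AwsS3Bucket"], record_state="ARCHIVED"),
]

if __name__ == "__main__":
    print(apply_filters(SAMPLE_FINDINGS, {
        "ProductName": [{"Value": "GuardDuty", "Comparison": "EQUALS"}],
        "ResourceType": [{"Value": "AwsS3Bucket", "Comparison": "EQUALS"}]}))
```

Note that `f5` never appears unless you pass `include_defaults=False` or an explicit `RecordState` filter: the implicit `ACTIVE`/`NEW`/`NOTIFIED` filters hide archived and resolved findings exactly as the console does.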

# Grouping findings in Security Hub CSPM
Grouping findings

You can group findings in Amazon Security Hub CSPM based on the values of a selected attribute.

When you group the findings, the list of findings is replaced with a list of values for the selected attribute in the matching findings. For each value, the list displays the number of matching findings.

For example, if you group the findings by Amazon Web Services account ID, you see a list of account identifiers, with the number of matching findings for each account.

Security Hub CSPM can display up to 100 values for a selected attribute. If there are more than 100 values, you only see the first 100.

When you choose an attribute value, Security Hub CSPM displays the list of matching findings for that value.

**To group the findings in a findings list (console)**

1. Open the Amazon Security Hub CSPM console at [https://console.amazonaws.cn/securityhub/](https://console.amazonaws.cn/securityhub/).

1. To display a findings list, take one of the following actions from the navigation pane:
   + Choose **Findings**.
   + Choose **Insights**. Choose an insight. Then, on the results list, choose an insight result.
   + Choose **Integrations**. Choose **See findings** for an integration.

1. In the **Group by** drop-down list, choose the attribute to use for the grouping.

   To remove a grouping attribute, choose the **x** icon. When you remove the grouping attribute, the list changes from the list of attribute values to a list of findings.

# Setting the workflow status of findings in Security Hub CSPM
Setting the workflow status of findings

Workflow status tracks the progress of your investigation into a finding. Workflow status is specific to an individual finding and doesn't affect generation of new findings. For example, if you change the workflow status of a finding to `SUPPRESSED` or `RESOLVED`, your change doesn't prevent Security Hub CSPM from generating a new finding for the same issue.

The workflow status of a finding can be one of the following values.

**NEW**  
The initial state of a finding before you review it.  
Findings that are ingested from integrated Amazon Web Services services, such as Amazon Config, have `NEW` as their initial status.  
Security Hub CSPM also resets the workflow status from either `NOTIFIED` or `RESOLVED` to `NEW` in the following cases:  
+ `RecordState` changes from `ARCHIVED` to `ACTIVE`.
+ `Compliance.Status` changes from `PASSED` to `FAILED`, `WARNING`, or `NOT_AVAILABLE`.
These changes imply that additional investigation is required.

**NOTIFIED**  
Indicates that you notified the resource owner about the security issue. You can use this status when you are not the resource owner, and you need intervention from the resource owner in order to resolve a security issue.  
If one of the following occurs, the workflow status is changed automatically from `NOTIFIED` to `NEW`:  
+ `RecordState` changes from `ARCHIVED` to `ACTIVE`.
+ `Compliance.Status` changes from `PASSED` to `FAILED`, `WARNING`, or `NOT_AVAILABLE`.

**SUPPRESSED**  
Indicates that you reviewed the finding and do not believe that any action is needed.  
The workflow status of a `SUPPRESSED` finding does not change if `RecordState` changes from `ARCHIVED` to `ACTIVE`.

**RESOLVED**  
The finding was reviewed and remediated and is now considered resolved.  
The finding remains `RESOLVED` unless one of the following occurs:  
+ `RecordState` changes from `ARCHIVED` to `ACTIVE`.
+ `Compliance.Status` changes from `PASSED` to `FAILED`, `WARNING`, or `NOT_AVAILABLE`.
In those cases, the workflow status is automatically reset to `NEW`.  
For findings from controls, if `Compliance.Status` is `PASSED`, Security Hub CSPM automatically sets the workflow status to `RESOLVED`.
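The transitions above, encoded as a small state machine so that a ticketing or SOAR integration can predict what Security Hub CSPM will do to `Workflow.Status` when a provider re-imports a finding. This is an added example, not code from this documentation. One assumption is made where the page is silent: a `SUPPRESSED` finding is left untouched by every provider update, including a control finding that later passes (the page states this only for the `ARCHIVED` to `ACTIVE` case).

```python
"""Replay Security Hub's automatic workflow-status transitions (added example)."""

WORKFLOW_STATUSES = {"NEW", "NOTIFIED", "RESOLVED", "SUPPRESSED"}
REOPEN_COMPLIANCE = {"FAILED", "WARNING", "NOT_AVAILABLE"}


def next_workflow_status(current, old_record_state, new_record_state,
                         old_compliance=None, new_compliance=None, control_finding=False):
    """Status after a provider update changes RecordState and/or Compliance.Status."""
    if current not in WORKFLOW_STATUSES:
        raise ValueError(f"unknown workflow status {current!r}")
    if current == "SUPPRESSED":
        return "SUPPRESSED"                       # assumption: suppression is sticky
    reopened = old_record_state == "ARCHIVED" and new_record_state == "ACTIVE"
    regressed = old_compliance == "PASSED" and new_compliance in REOPEN_COMPLIANCE
    if current in {"NOTIFIED", "RESOLVED"} and (reopened or regressed):
        return "NEW"                              # investigation is required again
    if control_finding and new_compliance == "PASSED":
        return "RESOLVED"                         # control check now passes
    return current


def replay(initial_status, record_state, compliance, events, control_finding=False):
    """Apply manual and provider events in order; return the status after each.

    events: ("manual", <status>)                        analyst BatchUpdateFindings
            ("provider", <record_state>, <compliance>)  re-import by the finding provider
    """
    status, trail = initial_status, []
    for event in events:
        if event[0] == "manual":
            if event[1] not in WORKFLOW_STATUSES:
                raise ValueError(f"invalid target status {event[1]!r}")
            status = event[1]
        elif event[0] == "provider":
            status = next_workflow_status(status, record_state, event[1],
                                          compliance, event[2], control_finding)
            record_state, compliance = event[1], event[2]
        else:
            raise ValueError(f"unknown event {event!r}")
        trail.append(status)
    return trail


if __name__ == "__main__":
    # Constructed life cycle of one control finding: paged owner, fix verified,
    # regression, analyst suppresses, resource deleted and recreated.
    print(replay("NEW", "ACTIVE", "FAILED", [
        ("manual", "NOTIFIED"),
        ("provider", "ACTIVE", "PASSED"),
        ("provider", "ACTIVE", "FAILED"),
        ("manual", "SUPPRESSED"),
        ("provider", "ARCHIVED", "FAILED"),
        ("provider", "ACTIVE", "FAILED"),
    ], control_finding=True))
```

The replay makes the practical consequence visible: a `RESOLVED` status is not a promise that the issue stays fixed, because a regression to `FAILED` silently reopens the finding as `NEW`, while `SUPPRESSED` hides regressions until someone reviews the suppression.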

## Setting the workflow status of findings


To change the workflow status of one or more findings, you can use the Security Hub CSPM console or the Security Hub CSPM API. If you change the workflow status of a finding, note that it can take several minutes for Security Hub CSPM to process your request and update the finding.

**Tip**  
You can also change the workflow status of findings automatically by using automation rules. With automation rules, you configure Security Hub CSPM to automatically update the workflow status of findings based on criteria that you specify. For more information, see [Understanding automation rules in Security Hub CSPM](automation-rules.md).

To change the workflow status of one or more findings, choose your preferred method and follow the steps.

------
#### [ Security Hub CSPM console ]

**To change the workflow status of findings**

1. Open the Amazon Security Hub CSPM console at [https://console.amazonaws.cn/securityhub/](https://console.amazonaws.cn/securityhub/).

1. In the navigation pane, do one of the following to display a table of findings:
   + Choose **Findings**.
   + Choose **Insights**. Then choose an insight. In the insight results, choose a result.
   + Choose **Integrations**. Then, in the section for the integration, choose **See findings**.
   + Choose **Security standards**. Then, in the section for the standard, choose **View results**. In the table of controls, choose a control to display findings for the control.

1. In the findings table, select the check box for each finding whose workflow status you want to change.

1. At the top of the page, choose **Workflow status**, and then choose the new workflow status for the selected findings.

1. In the **Set workflow status** dialog box, optionally enter a note that details the reason for changing the workflow status. Then choose **Set status**.

------
#### [ Security Hub CSPM API ]

Use the [BatchUpdateFindings](https://docs.amazonaws.cn//securityhub/1.0/APIReference/API_BatchUpdateFindings.html) operation. Provide both the finding ID and the ARN of the product that generated the finding. You can get these details by using the [GetFindings](https://docs.amazonaws.cn//securityhub/1.0/APIReference/API_GetFindings.html) operation.

------
#### [ Amazon CLI ]

Run the [batch-update-findings](https://docs.amazonaws.cn/cli/latest/reference/securityhub/batch-update-findings.html) command. Provide both the finding ID and the ARN of the product that generated the finding. You can get these details by running the [get-findings](https://docs.amazonaws.cn/cli/latest/reference/securityhub/get-findings.html) command.

```
aws securityhub batch-update-findings --finding-identifiers Id="<findingID>",ProductArn="<productARN>" --workflow Status="<workflowStatus>"
```

**Example**

```
aws securityhub batch-update-findings --finding-identifiers Id="arn:aws-cn:securityhub:us-west-1:123456789012:subscription/pci-dss/v/3.2.1/PCI.Lambda.2/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",ProductArn="arn:aws-cn:securityhub:us-west-1::product/aws/securityhub" --workflow Status="RESOLVED"
```
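The same update applied to many findings at once, as an added example that is not code from this documentation. `BatchUpdateFindings` accepts at most 100 finding identifiers per call and reports per-finding failures in `UnprocessedFindings` instead of raising, so the helper chunks its input and collects both outcomes; a `Note` must carry both `Text` and `UpdatedBy`. The client is an offline stub with the `batch_update_findings(**kwargs)` signature of boto3's `securityhub` client; the stub's error code, the finding IDs and the note text are made up for the example.

```python
"""Bulk Workflow.Status updates through BatchUpdateFindings (added example)."""

BATCH_LIMIT = 100   # maximum FindingIdentifiers per BatchUpdateFindings call
WORKFLOW_STATUSES = {"NEW", "NOTIFIED", "RESOLVED", "SUPPRESSED"}


def _chunks(items, size):
    for i in range(0, len(items), size):
        yield items[i:i + size]


def set_workflow_status(client, identifiers, status, note_text=None, updated_by=None):
    """identifiers: iterable of (Id, ProductArn). Returns (processed_ids, failures)."""
    if status not in WORKFLOW_STATUSES:
        raise ValueError(f"invalid workflow status {status!r}")
    if note_text and not updated_by:
        raise ValueError("Note requires both Text and UpdatedBy")
    processed, failures = [], []
    for batch in _chunks(list(identifiers), BATCH_LIMIT):
        params = {
            "FindingIdentifiers": [{"Id": fid, "ProductArn": arn} for fid, arn in batch],
            "Workflow": {"Status": status},
        }
        if note_text:
            params["Note"] = {"Text": note_text, "UpdatedBy": updated_by}
        response = client.batch_update_findings(**params)
        processed.extend(f["Id"] for f in response.get("ProcessedFindings", []))
        failures.extend(
            (u["FindingIdentifier"]["Id"], u.get("ErrorCode"), u.get("ErrorMessage"))
            for u in response.get("UnprocessedFindings", []))
    return processed, failures


class StubUpdateClient:
    """Offline stand-in: accepts known Ids, reports the rest as unprocessed."""

    def __init__(self, known_ids):
        self.known = set(known_ids)
        self.calls = []                     # batch sizes seen, for inspection

    def batch_update_findings(self, FindingIdentifiers, Workflow=None, Note=None, **unused):
        if len(FindingIdentifiers) > BATCH_LIMIT:
            raise ValueError("too many finding identifiers")   # the real API rejects the call
        self.calls.append(len(FindingIdentifiers))
        ok = [i for i in FindingIdentifiers if i["Id"] in self.known]
        bad = [{"FindingIdentifier": i, "ErrorCode": "FindingNotFound",   # stub error code
                "ErrorMessage": "Finding not found"}
               for i in FindingIdentifiers if i["Id"] not in self.known]
        return {"ProcessedFindings": ok, "UnprocessedFindings": bad}


PRODUCT_ARN = "arn:aws-cn:securityhub:us-west-1::product/aws/securityhub"
# Constructed: 250 control finding identifiers, two of which the stub has never seen.
SAMPLE_IDS = [
    (f"arn:aws-cn:securityhub:us-west-1:123456789012:subscription/pci-dss/v/3.2.1/"
     f"PCI.Lambda.2/finding/{n:032d}", PRODUCT_ARN)
    for n in range(250)
]
KNOWN_IDS = {fid for fid, _ in SAMPLE_IDS} - {SAMPLE_IDS[7][0], SAMPLE_IDS[200][0]}


def demo():
    """Resolve all 250 findings with a note; returns (batch sizes, processed, failures)."""
    client = StubUpdateClient(KNOWN_IDS)
    processed, failures = set_workflow_status(
        client, SAMPLE_IDS, "RESOLVED", note_text="Remediated", updated_by="analyst")
    return client.calls, processed, failures


if __name__ == "__main__":
    calls, processed, failures = demo()
    print(f"{len(calls)} calls, {len(processed)} updated, {len(failures)} failed")
    for fid, code, msg in failures:
        print(f"  {code}: {fid} ({msg})")
```

Treat a non-empty failure list as actionable output: a finding that was archived or re-imported between your `GetFindings` query and the update will surface here rather than as an exception, and the remaining findings in the batch are still updated.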

------

# Sending findings to a custom Security Hub CSPM action
Sending findings to a custom action

You can create Amazon Security Hub CSPM custom actions to automate Security Hub CSPM with Amazon EventBridge. For custom actions, the event type is **Security Hub Findings - Custom Action**. After you set up a custom action, you can send findings to it. For more information and detailed steps on creating custom actions, see [Using EventBridge for automated response and remediation](securityhub-cloudwatch-events.md).

**To send findings to a custom action (console)**

1. Open the Amazon Security Hub CSPM console at [https://console.amazonaws.cn/securityhub/](https://console.amazonaws.cn/securityhub/).

1. To display a finding list, do one of the following:
   + In the Security Hub CSPM navigation pane, choose **Findings**.
   + In the Security Hub CSPM navigation pane, choose **Insights**. Choose an insight. Then on the results list, choose an insight result.
   + In the Security Hub CSPM navigation pane, choose **Integrations**. Choose **See findings** for an integration.
   + In the Security Hub CSPM navigation pane, choose **Security standards**. Choose **View results** to display a list of controls. Then choose the control name.

1. In the finding list, select the check box for each finding to send to the custom action.

   You can send up to 20 findings at a time.

1. For **Actions**, choose the custom action.

# Amazon Security Finding Format (ASFF)
Finding format: ASFF

Amazon Security Hub CSPM consumes and aggregates findings from integrated Amazon Web Services services and third-party products. Security Hub CSPM processes these findings using a standard findings format called the *Amazon Security Finding Format (ASFF)*, which eliminates the need for time-consuming data conversion efforts.

This page provides a complete outline of the JSON for a finding in the Amazon Security Finding Format (ASFF). The format derives from [JSON Schema](https://json-schema.org/). Choose the name of a linked object to review an example of a finding for that object. Comparing your Security Hub CSPM findings with the resources and examples shown here can help you interpret your findings.

For descriptions of individual ASFF attributes, see [Required top-level ASFF attributes](asff-required-attributes.md) and [Optional top-level ASFF attributes](asff-top-level-attributes.md).

```
"Findings": [ 
    {
    	"Action": {
    		"ActionType": "string",
    		"AwsApiCallAction": {
    			"AffectedResources": {
    				"string": "string"
    			},
    			"Api": "string",
    			"CallerType": "string",
    			"DomainDetails": {
    				"Domain": "string"
    			},
    			"FirstSeen": "string",
    			"LastSeen": "string",
    			"RemoteIpDetails": {
    				"City": {
    					"CityName": "string"
    				},
    				"Country": {
    					"CountryCode": "string",
    					"CountryName": "string"
    				},
    				"IpAddressV4": "string",
    				"Geolocation": {
    					"Lat": number,
    					"Lon": number
    				},
    				"Organization": {
    					"Asn": number,
    					"AsnOrg": "string",
    					"Isp": "string",
    					"Org": "string"
    				}
    			},
    			"ServiceName": "string"
    		},
    		"DnsRequestAction": {
    			"Blocked": boolean,
    			"Domain": "string",
    			"Protocol": "string"
    		},
    		"NetworkConnectionAction": {
    			"Blocked": boolean,
    			"ConnectionDirection": "string",
    			"LocalPortDetails": {
    				"Port": number,
    				"PortName": "string"
    			},
    			"Protocol": "string",
    			"RemoteIpDetails": {
    				"City": {
    					"CityName": "string"
    				},
    				"Country": {
    					"CountryCode": "string",
    					"CountryName": "string"
    				},
    				"IpAddressV4": "string",
    				"Geolocation": {
    					"Lat": number,
    					"Lon": number
    				},
    				"Organization": {
    					"Asn": number,
    					"AsnOrg": "string",
    					"Isp": "string",
    					"Org": "string"
    				}
    			},
    			"RemotePortDetails": {
    				"Port": number,
    				"PortName": "string"
    			}
    		},
    		"PortProbeAction": {
    			"Blocked": boolean,
    			"PortProbeDetails": [{
    				"LocalIpDetails": {
    					"IpAddressV4": "string"
    				},
    				"LocalPortDetails": {
    					"Port": number,
    					"PortName": "string"
    				},
    				"RemoteIpDetails": {
    					"City": {
    						"CityName": "string"
    					},
    					"Country": {
    						"CountryCode": "string",
    						"CountryName": "string"
    					},
    					"GeoLocation": {
    						"Lat": number,
    						"Lon": number
    					},
    					"IpAddressV4": "string",
    					"Organization": {
    						"Asn": number,
    						"AsnOrg": "string",
    						"Isp": "string",
    						"Org": "string"
    					}
    				}
    			}]
    		}
    	},
    	"AwsAccountId": "string",
    	"AwsAccountName": "string",
    	"CompanyName": "string",
    	"Compliance": {
    		"AssociatedStandards": [{
    			"StandardsId": "string"
    		}],
    		"RelatedRequirements": ["string"],
    		"SecurityControlId": "string",
    		"SecurityControlParameters": [
    			{
    				"Name": "string",
    				"Value": ["string"]
    			}
    		],
    		"Status": "string",
    		"StatusReasons": [
    			{
    				"Description": "string",
    				"ReasonCode": "string"
    			}
    		]
    	},
    	"Confidence": number,
    	"CreatedAt": "string",
    	"Criticality": number,
    	"Description": "string",
    	"Detection": {
    		"Sequence": {
    			"Uid": "string",
    			"Actors": [{
    				"Id": "string",
    				"Session": {
    					"Uid": "string",
    					"MfAStatus": "string",
    					"CreatedTime": "string",
    					"Issuer": "string"
    				},
    				"User": {
    					"CredentialUid": "string",
    					"Name": "string",
    					"Type": "string",
    					"Uid": "string",
    					"Account": {
    						"Uid": "string",
    						"Name": "string"
    					}
    				}
    			}],
    			"Endpoints": [{
    				"Id": "string",
    				"Ip": "string",
    				"Domain": "string",
    				"Port": number,
    				"Location": {
    					"City": "string",
    					"Country": "string",
    					"Lat": number,
    					"Lon": number
    				},
    				"AutonomousSystem": {
    					"Name": "string",
    					"Number": number
    				},
    				"Connection": {
    					"Direction": "string"
    				}
    			}],
    			"Signals": [{
    				"Id": "string",
    				"Title": "string",
    				"ActorIds": ["string"],
    				"Count": number,
    				"FirstSeenAt": number,
    				"SignalIndicators": [
    					{
    						"Key": "string",
    						"Title": "string",
    						"Values": ["string"]
    					},
    					{
    						"Key": "string",
    						"Title": "string",
    						"Values": ["string"]
    					}
    				],
    				"LastSeenAt": number,
    				"Name": "string",
    				"ResourceIds": ["string"],
    				"Type": "string"
    			}],
    			"SequenceIndicators": [
    				{
    					"Key": "string",
    					"Title": "string",
    					"Values": ["string"]
    				},
    				{
    					"Key": "string",
    					"Title": "string",
    					"Values": ["string"]
    				}
    			]
    		}
    	},
    	"FindingProviderFields": {
    		"Confidence": number,
    		"Criticality": number,
    		"RelatedFindings": [{
    			"ProductArn": "string",
    			"Id": "string"
    		}],
    		"Severity": {
    			"Label": "string",
    			"Normalized": number,
    			"Original": "string"
    		},
    		"Types": ["string"]
    	},
    	"FirstObservedAt": "string",
    	"GeneratorId": "string",
    	"Id": "string",
    	"LastObservedAt": "string",
    	"Malware": [{
    		"Name": "string",
    		"Path": "string",
    		"State": "string",
    		"Type": "string"
    	}],
    	"Network": {
    		"DestinationDomain": "string",
    		"DestinationIpV4": "string",
    		"DestinationIpV6": "string",
    		"DestinationPort": number,
    		"Direction": "string",
    		"OpenPortRange": {
    			"Begin": integer,
    			"End": integer
    		},
    		"Protocol": "string",
    		"SourceDomain": "string",
    		"SourceIpV4": "string",
    		"SourceIpV6": "string",
    		"SourceMac": "string",
    		"SourcePort": number
    	},
    	"NetworkPath": [{
    		"ComponentId": "string",
    		"ComponentType": "string",
    		"Egress": {
    			"Destination": {
    				"Address": ["string"],
    				"PortRanges": [{
    					"Begin": integer,
    					"End": integer
    				}]
    			},
    			"Protocol": "string",
    			"Source": {
    				"Address": ["string"],
    				"PortRanges": [{
    					"Begin": integer,
    					"End": integer
    				}]
    			}
    		},
    		"Ingress": {
    			"Destination": {
    				"Address": ["string"],
    				"PortRanges": [{
    					"Begin": integer,
    					"End": integer
    				}]
    			},
    			"Protocol": "string",
    			"Source": {
    				"Address": ["string"],
    				"PortRanges": [{
    					"Begin": integer,
    					"End": integer
    				}]
    			}
    		}
    	}],
    	"Note": {
    		"Text": "string",
    		"UpdatedAt": "string",
    		"UpdatedBy": "string"
    	},
    	"PatchSummary": {
    		"FailedCount": number,
    		"Id": "string",
    		"InstalledCount": number,
    		"InstalledOtherCount": number,
    		"InstalledPendingReboot": number,
    		"InstalledRejectedCount": number,
    		"MissingCount": number,
    		"Operation": "string",
    		"OperationEndTime": "string",
    		"OperationStartTime": "string",
    		"RebootOption": "string"
    	},
    	"Process": {
    		"LaunchedAt": "string",
    		"Name": "string",
    		"ParentPid": number,
    		"Path": "string",
    		"Pid": number,
    		"TerminatedAt": "string"
    	},
    	"ProductArn": "string",
    	"ProductFields": {
    		"string": "string"
    	},
    	"ProductName": "string",
    	"RecordState": "string",
    	"Region": "string",
    	"RelatedFindings": [{
    		"Id": "string",
    		"ProductArn": "string"
    	}],
    	"Remediation": {
    		"Recommendation": {
    			"Text": "string",
    			"Url": "string"
    		}
    	},
    	"Resources": [{
    		"ApplicationArn": "string",
    		"ApplicationName": "string",
    		"DataClassification": {
    			"DetailedResultsLocation": "string",
    			"Result": {
    				"AdditionalOccurrences": boolean,
    				"CustomDataIdentifiers": {
    					"Detections": [{
    						"Arn": "string",
    						"Count": integer,
    						"Name": "string",
    						"Occurrences": {
    							"Cells": [{
    								"CellReference": "string",
    								"Column": integer,
    								"ColumnName": "string",
    								"Row": integer
    							}],
    							"LineRanges": [{
    								"End": integer,
    								"Start": integer,
    								"StartColumn": integer
    							}],
    							"OffsetRanges": [{
    								"End": integer,
    								"Start": integer,
    								"StartColumn": integer
    							}],
    							"Pages": [{
    								"LineRange": {
    									"End": integer,
    									"Start": integer,
    									"StartColumn": integer
    								},
    								"OffsetRange": {
    									"End": integer,
    									"Start": integer,
    									"StartColumn": integer
    								},
    								"PageNumber": integer
    							}],
    							"Records": [{
    								"JsonPath": "string",
    								"RecordIndex": integer
    							}]
    						}
    					}],
    					"TotalCount": integer
    				},
    				"MimeType": "string",
    				"SensitiveData": [{
    					"Category": "string",
    					"Detections": [{
    						"Count": integer,
    						"Occurrences": {
    							"Cells": [{
    								"CellReference": "string",
    								"Column": integer,
    								"ColumnName": "string",
    								"Row": integer
    							}],
    							"LineRanges": [{
    								"End": integer,
    								"Start": integer,
    								"StartColumn": integer
    							}],
    							"OffsetRanges": [{
    								"End": integer,
    								"Start": integer,
    								"StartColumn": integer
    							}],
    							"Pages": [{
    								"LineRange": {
    									"End": integer,
    									"Start": integer,
    									"StartColumn": integer
    								},
    								"OffsetRange": {
    									"End": integer,
    									"Start": integer,
    									"StartColumn": integer
    								},
    								"PageNumber": integer
    							}],
    							"Records": [{
    								"JsonPath": "string",
    								"RecordIndex": integer
    							}]
    						},
    						"Type": "string"
    					}],
    					"TotalCount": integer
    				}],
    				"SizeClassified": integer,
    				"Status": {
    					"Code": "string",
    					"Reason": "string"
    				}
    			}
    		},
    		"Details": {
    			"AwsAmazonMQBroker": {
    				"AutoMinorVersionUpgrade": boolean,
    				"BrokerArn": "string",
    				"BrokerId": "string",
    				"BrokerName": "string",
    				"Configuration": {
    					"Id": "string",
    					"Revision": integer
    				},
    				"DeploymentMode": "string",
    				"EncryptionOptions": {
    					"UseAwsOwnedKey": boolean
    				},
    				"EngineType": "string",
    				"EngineVersion": "string",
    				"HostInstanceType": "string",
    				"Logs": {
    					"Audit": boolean,
    					"AuditLogGroup": "string",
    					"General": boolean,
    					"GeneralLogGroup": "string"
    				},
    				"MaintenanceWindowStartTime": {
    					"DayOfWeek": "string",
    					"TimeOfDay": "string",
    					"TimeZone": "string"
    				},
    				"PubliclyAccessible": boolean,
    				"SecurityGroups": [
    					"string"
    				],
    				"StorageType": "string",
    				"SubnetIds": [
    					"string",
    					"string"
    				],
    				"Users": [{
    					"Username": "string"
    				}]
    			},
    			"AwsApiGatewayRestApi": {
    				"ApiKeySource": "string",
    				"BinaryMediaTypes": ["string"],
    				"CreatedDate": "string",
    				"Description": "string",
    				"EndpointConfiguration": {
    					"Types": ["string"]
    				},
    				"Id": "string",
    				"MinimumCompressionSize": number,
    				"Name": "string",
    				"Version": "string"
    			},
    			"AwsApiGatewayStage": {
    				"AccessLogSettings": {
    					"DestinationArn": "string",
    					"Format": "string"
    				},
    				"CacheClusterEnabled": boolean,
    				"CacheClusterSize": "string",
    				"CacheClusterStatus": "string",
    				"CanarySettings": {
    					"DeploymentId": "string",
    					"PercentTraffic": number,
    					"StageVariableOverrides": [{
    						"string": "string"
    					}],
    					"UseStageCache": boolean
    				},
    				"ClientCertificateId": "string",
    				"CreatedDate": "string",
    				"DeploymentId": "string",
    				"Description": "string",
    				"DocumentationVersion": "string",
    				"LastUpdatedDate": "string",
    				"MethodSettings": [{
    					"CacheDataEncrypted": boolean,
    					"CachingEnabled": boolean,
    					"CacheTtlInSeconds": number,
    					"DataTraceEnabled": boolean,
    					"HttpMethod": "string",
    					"LoggingLevel": "string",
    					"MetricsEnabled": boolean,
    					"RequireAuthorizationForCacheControl": boolean,
    					"ResourcePath": "string",
    					"ThrottlingBurstLimit": number,
    					"ThrottlingRateLimit": number,
    					"UnauthorizedCacheControlHeaderStrategy": "string"
    				}],
    				"StageName": "string",
    				"TracingEnabled": boolean,
    				"Variables": {
    					"string": "string"
    				},
    				"WebAclArn": "string"
    			},
    			"AwsApiGatewayV2Api": {
    				"ApiEndpoint": "string",
    				"ApiId": "string",
    				"ApiKeySelectionExpression": "string",
    				"CorsConfiguration": {
    					"AllowCredentials": boolean,
    					"AllowHeaders": ["string"],
    					"AllowMethods": ["string"],
    					"AllowOrigins": ["string"],
    					"ExposeHeaders": ["string"],
    					"MaxAge": number
    				},
    				"CreatedDate": "string",
    				"Description": "string",
    				"Name": "string",
    				"ProtocolType": "string",
    				"RouteSelectionExpression": "string",
    				"Version": "string"
    			},
    			"AwsApiGatewayV2Stage": {
    				"AccessLogSettings": {
    					"DestinationArn": "string",
    					"Format": "string"
    				},
    				"ApiGatewayManaged": boolean,
    				"AutoDeploy": boolean,
    				"ClientCertificateId": "string",
    				"CreatedDate": "string",
    				"DefaultRouteSettings": {
    					"DataTraceEnabled": boolean,
    					"DetailedMetricsEnabled": boolean,
    					"LoggingLevel": "string",
    					"ThrottlingBurstLimit": number,
    					"ThrottlingRateLimit": number
    				},
    				"DeploymentId": "string",
    				"Description": "string",
    				"LastDeploymentStatusMessage": "string",
    				"LastUpdatedDate": "string",
    				"RouteSettings": {
    					"DetailedMetricsEnabled": boolean,
    					"LoggingLevel": "string",
    					"DataTraceEnabled": boolean,
    					"ThrottlingBurstLimit": number,
    					"ThrottlingRateLimit": number
    				},
    				"StageName": "string",
    				"StageVariables": [{
    					"string": "string"
    				}]
    			},
    			"AwsAppSyncGraphQlApi": {
    				"AdditionalAuthenticationProviders": [
    					{
    						"AuthenticationType": "string",
    						"LambdaAuthorizerConfig": {
    							"AuthorizerResultTtlInSeconds": integer,
    							"AuthorizerUri": "string"
    						}
    					},
    					{
    						"AuthenticationType": "string"
    					}
    				],
    				"ApiId": "string",
    				"Arn": "string",
    				"AuthenticationType": "string",
    				"Id": "string",
    				"LogConfig": {
    					"CloudWatchLogsRoleArn": "string",
    					"ExcludeVerboseContent": boolean,
    					"FieldLogLevel": "string"
    				},
    				"Name": "string",
    				"XrayEnabled": boolean
    			},
    			"AwsAthenaWorkGroup": {
    				"Description": "string",
    				"Name": "string",
    				"WorkgroupConfiguration": {
    					"ResultConfiguration": {
    						"EncryptionConfiguration": {
    							"EncryptionOption": "string",
    							"KmsKey": "string"
    						}
    					}
    				},
    				"State": "string"
    			},
    			"AwsAutoScalingAutoScalingGroup": {
    				"AvailabilityZones": [{
    					"Value": "string"
    				}],
    				"CreatedTime": "string",
    				"HealthCheckGracePeriod": integer,
    				"HealthCheckType": "string",
    				"LaunchConfigurationName": "string",
    				"LoadBalancerNames": ["string"],
    				"LaunchTemplate": {
    					"LaunchTemplateId": "string",
    					"LaunchTemplateName": "string",
    					"Version": "string"
    				},
    				"MixedInstancesPolicy": {
    					"InstancesDistribution": {
    						"OnDemandAllocationStrategy": "string",
    						"OnDemandBaseCapacity": number,
    						"OnDemandPercentageAboveBaseCapacity": number,
    						"SpotAllocationStrategy": "string",
    						"SpotInstancePools": number,
    						"SpotMaxPrice": "string"
    					},
    					"LaunchTemplate": {
    						"LaunchTemplateSpecification": {
    							"LaunchTemplateId": "string",
    							"LaunchTemplateName": "string",
    							"Version": "string"
    						},
    						"CapacityRebalance": boolean,
    						"Overrides": [{
    							"InstanceType": "string",
    							"WeightedCapacity": "string"
    						}]
    					}
    				}
    			},
    			"AwsAutoScalingLaunchConfiguration": {
    				"AssociatePublicIpAddress": boolean,
    				"BlockDeviceMappings": [{
    					"DeviceName": "string",
    					"Ebs": {
    						"DeleteOnTermination": boolean,
    						"Encrypted": boolean,
    						"Iops": number,
    						"SnapshotId": "string",
    						"VolumeSize": number,
    						"VolumeType": "string"
    					},
    					"NoDevice": boolean,
    					"VirtualName": "string"
    				}],
    				"ClassicLinkVpcId": "string",
    				"ClassicLinkVpcSecurityGroups": ["string"],
    				"CreatedTime": "string",
    				"EbsOptimized": boolean,
    				"IamInstanceProfile": "string",
    				"ImageId": "string",
    				"InstanceMonitoring": {
    					"Enabled": boolean
    				},
    				"InstanceType": "string",
    				"KernelId": "string",
    				"KeyName": "string",
    				"LaunchConfigurationName": "string",
    				"MetadataOptions": {
    					"HttpEndpoint": "string",
    					"HttpPutResponseHopLimit": number,
    					"HttpTokens": "string"
    				},
    				"PlacementTenancy": "string",
    				"RamdiskId": "string",
    				"SecurityGroups": ["string"],
    				"SpotPrice": "string",
    				"UserData": "string"
    			},
    		},
    		"AwsBackupBackupPlan": {
    			"BackupPlan": {
    				"AdvancedBackupSettings": [{
    					"BackupOptions": {
    						"WindowsVSS": "string"
    					},
    					"ResourceType": "string"
    				}],
    				"BackupPlanName": "string",
    				"BackupPlanRule": [{
    					"CompletionWindowMinutes": integer,
    					"CopyActions": [{
    						"DestinationBackupVaultArn": "string",
    						"Lifecycle": {
    							"DeleteAfterDays": integer,
    							"MoveToColdStorageAfterDays": integer
    						}
    					}],
    					"Lifecycle": {
    						"DeleteAfterDays": integer
    					},
    					"RuleName": "string",
    					"ScheduleExpression": "string",
    					"StartWindowMinutes": integer,
    					"TargetBackupVault": "string"
    				}]
    			},
    			"BackupPlanArn": "string",
    			"BackupPlanId": "string",
    			"VersionId": "string"
    		},
    		"AwsBackupBackupVault": {
    			"AccessPolicy": {
    				"Statement": [{
    					"Action": ["string"],
    					"Effect": "string",
    					"Principal": {
    						"Amazon": "string"
    					},
    					"Resource": "string"
    				}],
    				"Version": "string"
    			},
    			"BackupVaultArn": "string",
    			"BackupVaultName": "string",
    			"EncryptionKeyArn": "string",
    			"Notifications": {
    				"BackupVaultEvents": ["string"],
    				"SNSTopicArn": "string"
    			}
    		},
    		"AwsBackupRecoveryPoint": {
    			"BackupSizeInBytes": integer,
    			"BackupVaultName": "string",
    			"BackupVaultArn": "string",
    			"CalculatedLifecycle": {
    				"DeleteAt": "string",
    				"MoveToColdStorageAt": "string"
    			},
    			"CompletionDate": "string",
    			"CreatedBy": {
    				"BackupPlanArn": "string",
    				"BackupPlanId": "string",
    				"BackupPlanVersion": "string",
    				"BackupRuleId": "string"
    			},
    			"CreationDate": "string",
    			"EncryptionKeyArn": "string",
    			"IamRoleArn": "string",
    			"IsEncrypted": boolean,
    			"LastRestoreTime": "string",
    			"Lifecycle": {
    				"DeleteAfterDays": integer,
    				"MoveToColdStorageAfterDays": integer
    			},
    			"RecoveryPointArn": "string",
    			"ResourceArn": "string",
    			"ResourceType": "string",
    			"SourceBackupVaultArn": "string",
    			"Status": "string",
    			"StatusMessage": "string",
    			"StorageClass": "string"
    		},
    		"AwsCertificateManagerCertificate": {
    			"CertificateAuthorityArn": "string",
    			"CreatedAt": "string",
    			"DomainName": "string",
    			"DomainValidationOptions": [{
    				"DomainName": "string",
    				"ResourceRecord": {
    					"Name": "string",
    					"Type": "string",
    					"Value": "string"
    				},
    				"ValidationDomain": "string",
    				"ValidationEmails": ["string"],
    				"ValidationMethod": "string",
    				"ValidationStatus": "string"
    			}],
    			"ExtendedKeyUsages": [{
    				"Name": "string",
    				"OId": "string"
    			}],
    			"FailureReason": "string",
    			"ImportedAt": "string",
    			"InUseBy": ["string"],
    			"IssuedAt": "string",
    			"Issuer": "string",
    			"KeyAlgorithm": "string",
    			"KeyUsages": [{
    				"Name": "string"
    			}],
    			"NotAfter": "string",
    			"NotBefore": "string",
    			"Options": {
    				"CertificateTransparencyLoggingPreference": "string"
    			},
    			"RenewalEligibility": "string",
    			"RenewalSummary": {
    				"DomainValidationOptions": [{
    					"DomainName": "string",
    					"ResourceRecord": {
    						"Name": "string",
    						"Type": "string",
    						"Value": "string"
    					},
    					"ValidationDomain": "string",
    					"ValidationEmails": ["string"],
    					"ValidationMethod": "string",
    					"ValidationStatus": "string"
    				}],
    				"RenewalStatus": "string",
    				"RenewalStatusReason": "string",
    				"UpdatedAt": "string"
    			},
    			"Serial": "string",
    			"SignatureAlgorithm": "string",
    			"Status": "string",
    			"Subject": "string",
    			"SubjectAlternativeNames": ["string"],
    			"Type": "string"
    		},
    		"AwsCloudFormationStack": {
    			"Capabilities": ["string"],
    			"CreationTime": "string",
    			"Description": "string",
    			"DisableRollback": boolean,
    			"DriftInformation": {
    				"StackDriftStatus": "string"
    			},
    			"EnableTerminationProtection": boolean,
    			"LastUpdatedTime": "string",
    			"NotificationArns": ["string"],
    			"Outputs": [{
    				"Description": "string",
    				"OutputKey": "string",
    				"OutputValue": "string"
    			}],
    			"RoleArn": "string",
    			"StackId": "string",
    			"StackName": "string",
    			"StackStatus": "string",
    			"StackStatusReason": "string",
    			"TimeoutInMinutes": number
    		},
    		"AwsCloudFrontDistribution": {
    			"CacheBehaviors": {
    				"Items": [{
    					"ViewerProtocolPolicy": "string"
    				}]
    			},
    			"DefaultCacheBehavior": {
    				"ViewerProtocolPolicy": "string"
    			},
    			"DefaultRootObject": "string",
    			"DomainName": "string",
    			"Etag": "string",
    			"LastModifiedTime": "string",
    			"Logging": {
    				"Bucket": "string",
    				"Enabled": boolean,
    				"IncludeCookies": boolean,
    				"Prefix": "string"
    			},
    			"OriginGroups": {
    				"Items": [{
    					"FailoverCriteria": {
    						"StatusCodes": {
    							"Items": [number],
    							"Quantity": number
    						}
    					}
    				}]
    			},
    			"Origins": {
    				"Items": [{
    					"CustomOriginConfig": {
    						"HttpPort": number,
    						"HttpsPort": number,
    						"OriginKeepaliveTimeout": number,
    						"OriginProtocolPolicy": "string",
    						"OriginReadTimeout": number,
    						"OriginSslProtocols": {
    							"Items": ["string"],
    							"Quantity": number
    						}
    					},
    					"DomainName": "string",
    					"Id": "string",
    					"OriginPath": "string",
    					"S3OriginConfig": {
    						"OriginAccessIdentity": "string"
    					}
    				}]
    			},
    			"Status": "string",
    			"ViewerCertificate": {
    				"AcmCertificateArn": "string",
    				"Certificate": "string",
    				"CertificateSource": "string",
    				"CloudFrontDefaultCertificate": boolean,
    				"IamCertificateId": "string",
    				"MinimumProtocolVersion": "string",
    				"SslSupportMethod": "string"
    			},
    			"WebAclId": "string"
    		},
    		"AwsCloudTrailTrail": {
    			"CloudWatchLogsLogGroupArn": "string",
    			"CloudWatchLogsRoleArn": "string",
    			"HasCustomEventSelectors": boolean,
    			"HomeRegion": "string",
    			"IncludeGlobalServiceEvents": boolean,
    			"IsMultiRegionTrail": boolean,
    			"IsOrganizationTrail": boolean,
    			"KmsKeyId": "string",
    			"LogFileValidationEnabled": boolean,
    			"Name": "string",
    			"S3BucketName": "string",
    			"S3KeyPrefix": "string",
    			"SnsTopicArn": "string",
    			"SnsTopicName": "string",
    			"TrailArn": "string"
    		},
    		"AwsCloudWatchAlarm": {
    			"ActionsEnabled": boolean,
    			"AlarmActions": ["string"],
    			"AlarmArn": "string",
    			"AlarmConfigurationUpdatedTimestamp": "string",
    			"AlarmDescription": "string",
    			"AlarmName": "string",
    			"ComparisonOperator": "string",
    			"DatapointsToAlarm": number,
    			"Dimensions": [{
    				"Name": "string",
    				"Value": "string"
    			}],
    			"EvaluateLowSampleCountPercentile": "string",
    			"EvaluationPeriods": number,
    			"ExtendedStatistic": "string",
    			"InsufficientDataActions": ["string"],
    			"MetricName": "string",
    			"Namespace": "string",
    			"OkActions": ["string"],
    			"Period": number,
    			"Statistic": "string",
    			"Threshold": number,
    			"ThresholdMetricId": "string",
    			"TreatMissingData": "string",
    			"Unit": "string"
    		},
    		"AwsCodeBuildProject": {
    			"Artifacts": [{
    				"ArtifactIdentifier": "string",
    				"EncryptionDisabled": boolean,
    				"Location": "string",
    				"Name": "string",
    				"NamespaceType": "string",
    				"OverrideArtifactName": boolean,
    				"Packaging": "string",
    				"Path": "string",
    				"Type": "string"
    			}],
    			"SecondaryArtifacts": [{
    				"ArtifactIdentifier": "string",
    				"Type": "string",
    				"Location": "string",
    				"Name": "string",
    				"NamespaceType": "string",
    				"Packaging": "string",
    				"Path": "string",
    				"EncryptionDisabled": boolean,
    				"OverrideArtifactName": boolean
    			}],
    			"EncryptionKey": "string",
    			"Certificate": "string",
    			"Environment": {
    				"Certificate": "string",
    				"EnvironmentVariables": [{
    					"Name": "string",
    					"Type": "string",
    					"Value": "string"
    				}],
    				"ImagePullCredentialsType": "string",
    				"PrivilegedMode": boolean,
    				"RegistryCredential": {
    					"Credential": "string",
    					"CredentialProvider": "string"
    				},
    				"Type": "string"
    			},
    			"LogsConfig": {
    				"CloudWatchLogs": {
    					"GroupName": "string",
    					"Status": "string",
    					"StreamName": "string"
    				},
    				"S3Logs": {
    					"EncryptionDisabled": boolean,
    					"Location": "string",
    					"Status": "string"
    				}
    			},
    			"Name": "string",
    			"ServiceRole": "string",
    			"Source": {
    				"Type": "string",
    				"Location": "string",
    				"GitCloneDepth": integer
    			},
    			"VpcConfig": {
    				"VpcId": "string",
    				"Subnets": ["string"],
    				"SecurityGroupIds": ["string"]
    			}
    		},
    		"AwsDmsEndpoint": {
    			"CertificateArn": "string",
    			"DatabaseName": "string",
    			"EndpointArn": "string",
    			"EndpointIdentifier": "string",
    			"EndpointType": "string",
    			"EngineName": "string",
    			"KmsKeyId": "string",
    			"Port": integer,
    			"ServerName": "string",
    			"SslMode": "string",
    			"Username": "string"
    		},
    		"AwsDmsReplicationInstance": {
    			"AllocatedStorage": integer,
    			"AutoMinorVersionUpgrade": boolean,
    			"AvailabilityZone": "string",
    			"EngineVersion": "string",
    			"KmsKeyId": "string",
    			"MultiAZ": boolean,
    			"PreferredMaintenanceWindow": "string",
    			"PubliclyAccessible": boolean,
    			"ReplicationInstanceClass": "string",
    			"ReplicationInstanceIdentifier": "string",
    			"ReplicationSubnetGroup": {
    				"ReplicationSubnetGroupIdentifier": "string"
    			},
    			"VpcSecurityGroups": [
    				{
    					"VpcSecurityGroupId": "string"
    				}
    			]
    		},
    		"AwsDmsReplicationTask": {
    			"CdcStartPosition": "string",
    			"Id": "string",
    			"MigrationType": "string",
    			"ReplicationInstanceArn": "string",
    			"ReplicationTaskIdentifier": "string",
    			"ReplicationTaskSettings": {
    				"string": "string"
    			},
    			"SourceEndpointArn": "string",
    			"TableMappings": {
    				"string": "string"
    			},
    			"TargetEndpointArn": "string"
    		},
    		"AwsDynamoDbTable": {
    			"AttributeDefinitions": [{
    				"AttributeName": "string",
    				"AttributeType": "string"
    			}],
    			"BillingModeSummary": {
    				"BillingMode": "string",
    				"LastUpdateToPayPerRequestDateTime": "string"
    			},
    			"CreationDateTime": "string",
    			"DeletionProtectionEnabled": boolean,
    			"GlobalSecondaryIndexes": [{
    				"Backfilling": boolean,
    				"IndexArn": "string",
    				"IndexName": "string",
    				"IndexSizeBytes": number,
    				"IndexStatus": "string",
    				"ItemCount": number,
    				"KeySchema": [{
    					"AttributeName": "string",
    					"KeyType": "string"
    				}],
    				"Projection": {
    					"NonKeyAttributes": ["string"],
    					"ProjectionType": "string"
    				},
    				"ProvisionedThroughput": {
    					"LastDecreaseDateTime": "string",
    					"LastIncreaseDateTime": "string",
    					"NumberOfDecreasesToday": number,
    					"ReadCapacityUnits": number,
    					"WriteCapacityUnits": number
    				}
    			}],
    			"GlobalTableVersion": "string",
    			"ItemCount": number,
    			"KeySchema": [{
    				"AttributeName": "string",
    				"KeyType": "string"
    			}],
    			"LatestStreamArn": "string",
    			"LatestStreamLabel": "string",
    			"LocalSecondaryIndexes": [{
    				"IndexArn": "string",
    				"IndexName": "string",
    				"KeySchema": [{
    					"AttributeName": "string",
    					"KeyType": "string"
    				}],
    				"Projection": {
    					"NonKeyAttributes": ["string"],
    					"ProjectionType": "string"
    				}
    			}],
    			"ProvisionedThroughput": {
    				"LastDecreaseDateTime": "string",
    				"LastIncreaseDateTime": "string",
    				"NumberOfDecreasesToday": number,
    				"ReadCapacityUnits": number,
    				"WriteCapacityUnits": number
    			},
    			"Replicas": [{
    				"GlobalSecondaryIndexes": [{
    					"IndexName": "string",
    					"ProvisionedThroughputOverride": {
    						"ReadCapacityUnits": number
    					}
    				}],
    				"KmsMasterKeyId": "string",
    				"ProvisionedThroughputOverride": {
    					"ReadCapacityUnits": number
    				},
    				"RegionName": "string",
    				"ReplicaStatus": "string",
    				"ReplicaStatusDescription": "string"
    			}],
    			"RestoreSummary": {
    				"RestoreDateTime": "string",
    				"RestoreInProgress": boolean,
    				"SourceBackupArn": "string",
    				"SourceTableArn": "string"
    			},
    			"SseDescription": {
    				"InaccessibleEncryptionDateTime": "string",
    				"KmsMasterKeyArn": "string",
    				"SseType": "string",
    				"Status": "string"
    			},
    			"StreamSpecification": {
    				"StreamEnabled": boolean,
    				"StreamViewType": "string"
    			},
    			"TableId": "string",
    			"TableName": "string",
    			"TableSizeBytes": number,
    			"TableStatus": "string"
    		},
    		"AwsEc2ClientVpnEndpoint": {
    			"AuthenticationOptions": [
    				{
    					"MutualAuthentication": {
    						"ClientRootCertificateChainArn": "string"
    					},
    					"Type": "string"
    				}
    			],
    			"ClientCidrBlock": "string",
    			"ClientConnectOptions": {
    				"Enabled": boolean
    			},
    			"ClientLoginBannerOptions": {
    				"Enabled": boolean
    			},
    			"ClientVpnEndpointId": "string",
    			"ConnectionLogOptions": {
    				"Enabled": boolean
    			},
    			"Description": "string",
    			"DnsServer": ["string"],
    			"ServerCertificateArn": "string",
    			"SecurityGroupIdSet": [
    				"string"
    			],
    			"SelfServicePortalUrl": "string",
    			"SessionTimeoutHours": integer,
    			"SplitTunnel": boolean,
    			"TransportProtocol": "string",
    			"VpcId": "string",
    			"VpnPort": integer
    		},
    		"AwsEc2Eip": {
    			"AllocationId": "string",
    			"AssociationId": "string",
    			"Domain": "string",
    			"InstanceId": "string",
    			"NetworkBorderGroup": "string",
    			"NetworkInterfaceId": "string",
    			"NetworkInterfaceOwnerId": "string",
    			"PrivateIpAddress": "string",
    			"PublicIp": "string",
    			"PublicIpv4Pool": "string"
    		},
    		"AwsEc2Instance": {
    			"IamInstanceProfileArn": "string",
    			"ImageId": "string",
    			"IpV4Addresses": ["string"],
    			"IpV6Addresses": ["string"],
    			"KeyName": "string",
    			"LaunchedAt": "string",
    			"MetadataOptions": {
    				"HttpEndpoint": "string",
    				"HttpProtocolIpv6": "string",
    				"HttpPutResponseHopLimit": number,
    				"HttpTokens": "string",
    				"InstanceMetadataTags": "string"
    			},
    			"Monitoring": {
    				"State": "string"
    			},
    			"NetworkInterfaces": [{
    				"NetworkInterfaceId": "string"
    			}],
    			"SubnetId": "string",
    			"Type": "string",
    			"VirtualizationType": "string",
    			"VpcId": "string"
    		},
    		"AwsEc2LaunchTemplate": {
    			"DefaultVersionNumber": "string",
    			"ElasticGpuSpecifications": ["string"],
    			"ElasticInferenceAccelerators": ["string"],
    			"Id": "string",
    			"ImageId": "string",
    			"LatestVersionNumber": "string",
    			"LaunchTemplateData": {
    				"BlockDeviceMappings": [{
    					"DeviceName": "string",
    					"Ebs": {
    						"DeleteOnTermination": boolean,
    						"Encrypted": boolean,
    						"SnapshotId": "string",
    						"VolumeSize": number,
    						"VolumeType": "string"
    					}
    				}],
    				"MetadataOptions": {
    					"HttpTokens": "string",
    					"HttpPutResponseHopLimit": number
    				},
    				"Monitoring": {
    					"Enabled": boolean
    				},
    				"NetworkInterfaces": [{
    					"AssociatePublicIpAddress": boolean
    				}]
    			},
    			"LaunchTemplateName": "string",
    			"LicenseSpecifications": ["string"],
    			"SecurityGroupIds": ["string"],
    			"SecurityGroups": ["string"],
    			"TagSpecifications": ["string"]
    		},
    		"AwsEc2NetworkAcl": {
    			"Associations": [{
    				"NetworkAclAssociationId": "string",
    				"NetworkAclId": "string",
    				"SubnetId": "string"
    			}],
    			"Entries": [{
    				"CidrBlock": "string",
    				"Egress": boolean,
    				"IcmpTypeCode": {
    					"Code": number,
    					"Type": number
    				},
    				"Ipv6CidrBlock": "string",
    				"PortRange": {
    					"From": number,
    					"To": number
    				},
    				"Protocol": "string",
    				"RuleAction": "string",
    				"RuleNumber": number
    			}],
    			"IsDefault": boolean,
    			"NetworkAclId": "string",
    			"OwnerId": "string",
    			"VpcId": "string"
    		},
    		"AwsEc2NetworkInterface": {
    			"Attachment": {
    				"AttachmentId": "string",
    				"AttachTime": "string",
    				"DeleteOnTermination": boolean,
    				"DeviceIndex": number,
    				"InstanceId": "string",
    				"InstanceOwnerId": "string",
    				"Status": "string"
    			},
    			"Ipv6Addresses": [{
    				"Ipv6Address": "string"
    			}],
    			"NetworkInterfaceId": "string",
    			"PrivateIpAddresses": [{
    				"PrivateDnsName": "string",
    				"PrivateIpAddress": "string"
    			}],
    			"PublicDnsName": "string",
    			"PublicIp": "string",
    			"SecurityGroups": [{
    				"GroupId": "string",
    				"GroupName": "string"
    			}],
    			"SourceDestCheck": boolean
    		},
    		"AwsEc2RouteTable": {
    			"AssociationSet": [{
    				"AssociationState": {
    					"State": "string"
    				},
    				"Main": boolean,
    				"RouteTableAssociationId": "string",
    				"RouteTableId": "string"
    			}],
    			"PropagatingVgwSet": [],
    			"RouteTableId": "string",
    			"RouteSet": [
    				{
    					"DestinationCidrBlock": "string",
    					"GatewayId": "string",
    					"Origin": "string",
    					"State": "string"
    				},
    				{
    					"DestinationCidrBlock": "string",
    					"GatewayId": "string",
    					"Origin": "string",
    					"State": "string"
    				}
    			],
    			"VpcId": "string"
    		},
    		"AwsEc2SecurityGroup": {
    			"GroupId": "string",
    			"GroupName": "string",
    			"IpPermissions": [{
    				"FromPort": number,
    				"IpProtocol": "string",
    				"IpRanges": [{
    					"CidrIp": "string"
    				}],
    				"Ipv6Ranges": [{
    					"CidrIpv6": "string"
    				}],
    				"PrefixListIds": [{
    					"PrefixListId": "string"
    				}],
    				"ToPort": number,
    				"UserIdGroupPairs": [{
    					"GroupId": "string",
    					"GroupName": "string",
    					"PeeringStatus": "string",
    					"UserId": "string",
    					"VpcId": "string",
    					"VpcPeeringConnectionId": "string"
    				}]
    			}],
    			"IpPermissionsEgress": [{
    				"FromPort": number,
    				"IpProtocol": "string",
    				"IpRanges": [{
    					"CidrIp": "string"
    				}],
    				"Ipv6Ranges": [{
    					"CidrIpv6": "string"
    				}],
    				"PrefixListIds": [{
    					"PrefixListId": "string"
    				}],
    				"ToPort": number,
    				"UserIdGroupPairs": [{
    					"GroupId": "string",
    					"GroupName": "string",
    					"PeeringStatus": "string",
    					"UserId": "string",
    					"VpcId": "string",
    					"VpcPeeringConnectionId": "string"
    				}]
    			}],
    			"OwnerId": "string",
    			"VpcId": "string"
    		},
    		"AwsEc2Subnet": {
    			"AssignIpv6AddressOnCreation": boolean,
    			"AvailabilityZone": "string",
    			"AvailabilityZoneId": "string",
    			"AvailableIpAddressCount": number,
    			"CidrBlock": "string",
    			"DefaultForAz": boolean,
    			"Ipv6CidrBlockAssociationSet": [{
    				"AssociationId": "string",
    				"Ipv6CidrBlock": "string",
    				"CidrBlockState": "string"
    			}],
    			"MapPublicIpOnLaunch": boolean,
    			"OwnerId": "string",
    			"State": "string",
    			"SubnetArn": "string",
    			"SubnetId": "string",
    			"VpcId": "string"
    		},
    		"AwsEc2TransitGateway": {
    			"AmazonSideAsn": number,
    			"AssociationDefaultRouteTableId": "string",
    			"AutoAcceptSharedAttachments": "string",
    			"DefaultRouteTableAssociation": "string",
    			"DefaultRouteTablePropagation": "string",
    			"Description": "string",
    			"DnsSupport": "string",
    			"Id": "string",
    			"MulticastSupport": "string",
    			"PropagationDefaultRouteTableId": "string",
    			"TransitGatewayCidrBlocks": ["string"],
    			"VpnEcmpSupport": "string"
    		},
    		"AwsEc2Volume": {
    			"Attachments": [{
    				"AttachTime": "string",
    				"DeleteOnTermination": boolean,
    				"InstanceId": "string",
    				"Status": "string"
    			}],
    			"CreateTime": "string",
    			"DeviceName": "string",
    			"Encrypted": boolean,
    			"KmsKeyId": "string",
    			"Size": number,
    			"SnapshotId": "string",
    			"Status": "string",
    			"VolumeId": "string",
    			"VolumeScanStatus": "string",
    			"VolumeType": "string"
    		},
    		"AwsEc2Vpc": {
    			"CidrBlockAssociationSet": [{
    				"AssociationId": "string",
    				"CidrBlock": "string",
    				"CidrBlockState": "string"
    			}],
    			"DhcpOptionsId": "string",
    			"Ipv6CidrBlockAssociationSet": [{
    				"AssociationId": "string",
    				"CidrBlockState": "string",
    				"Ipv6CidrBlock": "string"
    			}],
    			"State": "string"
    		},
    		"AwsEc2VpcEndpointService": {
    			"AcceptanceRequired": boolean,
    			"AvailabilityZones": ["string"],
    			"BaseEndpointDnsNames": ["string"],
    			"ManagesVpcEndpoints": boolean,
    			"GatewayLoadBalancerArns": ["string"],
    			"NetworkLoadBalancerArns": ["string"],
    			"PrivateDnsName": "string",
    			"ServiceId": "string",
    			"ServiceName": "string",
    			"ServiceState": "string",
    			"ServiceType": [{
    				"ServiceType": "string"
    			}]
    		},
    		"AwsEc2VpcPeeringConnection": {
    			"AccepterVpcInfo": {
    				"CidrBlock": "string",
    				"CidrBlockSet": [{
    					"CidrBlock": "string"
    				}],
    				"Ipv6CidrBlockSet": [{
    					"Ipv6CidrBlock": "string"
    				}],
    				"OwnerId": "string",
    				"PeeringOptions": {
    					"AllowDnsResolutionFromRemoteVpc": boolean,
    					"AllowEgressFromLocalClassicLinkToRemoteVpc": boolean,
    					"AllowEgressFromLocalVpcToRemoteClassicLink": boolean
    				},
    				"Region": "string",
    				"VpcId": "string"
    			},
    			"ExpirationTime": "string",
    			"RequesterVpcInfo": {
    				"CidrBlock": "string",
    				"CidrBlockSet": [{
    					"CidrBlock": "string"
    				}],
    				"Ipv6CidrBlockSet": [{
    					"Ipv6CidrBlock": "string"
    				}],
    				"OwnerId": "string",
    				"PeeringOptions": {
    					"AllowDnsResolutionFromRemoteVpc": boolean,
    					"AllowEgressFromLocalClassicLinkToRemoteVpc": boolean,
    					"AllowEgressFromLocalVpcToRemoteClassicLink": boolean
    				},
    				"Region": "string",
    				"VpcId": "string"
    			},
    			"Status": {
    				"Code": "string",
    				"Message": "string"
    			},
    			"VpcPeeringConnectionId": "string"
    		},
    		"AwsEcrContainerImage": {
    			"Architecture": "string",
    			"ImageDigest": "string",
    			"ImagePublishedAt": "string",
    			"ImageTags": ["string"],
    			"RegistryId": "string",
    			"RepositoryName": "string"
    		},
    		"AwsEcrRepository": {
    			"Arn": "string",
    			"ImageScanningConfiguration": {
    				"ScanOnPush": boolean
    			},
    			"ImageTagMutability": "string",
    			"LifecyclePolicy": {
    				"LifecyclePolicyText": "string",
    				"RegistryId": "string"
    			},
    			"RepositoryName": "string",
    			"RepositoryPolicyText": "string"
    		},
    		"AwsEcsCluster": {
    			"ActiveServicesCount": number,
    			"CapacityProviders": ["string"],
    			"ClusterArn": "string",
    			"ClusterName": "string",
    			"ClusterSettings": [{
    				"Name": "string",
    				"Value": "string"
    			}],
    			"Configuration": {
    				"ExecuteCommandConfiguration": {
    					"KmsKeyId": "string",
    					"LogConfiguration": {
    						"CloudWatchEncryptionEnabled": boolean,
    						"CloudWatchLogGroupName": "string",
    						"S3BucketName": "string",
    						"S3EncryptionEnabled": boolean,
    						"S3KeyPrefix": "string"
    					},
    					"Logging": "string"
    				}
    			},
    			"DefaultCapacityProviderStrategy": [{
    				"Base": number,
    				"CapacityProvider": "string",
    				"Weight": number
    			}],
    			"RegisteredContainerInstancesCount": number,
    			"RunningTasksCount": number,
    			"Status": "string"
    		},
    		"AwsEcsContainer": {
    			"Image": "string",
    			"MountPoints": [{
    				"ContainerPath": "string",
    				"SourceVolume": "string"
    			}],
    			"Name": "string",
    			"Privileged": boolean
    		},
    		"AwsEcsService": {
    			"CapacityProviderStrategy": [{
    				"Base": number,
    				"CapacityProvider": "string",
    				"Weight": number
    			}],
    			"Cluster": "string",
    			"DeploymentConfiguration": {
    				"DeploymentCircuitBreaker": {
    					"Enable": boolean,
    					"Rollback": boolean
    				},
    				"MaximumPercent": number,
    				"MinimumHealthyPercent": number
    			},
    			"DeploymentController": {
    				"Type": "string"
    			},
    			"DesiredCount": number,
    			"EnableEcsManagedTags": boolean,
    			"EnableExecuteCommand": boolean,
    			"HealthCheckGracePeriodSeconds": number,
    			"LaunchType": "string",
    			"LoadBalancers": [{
    				"ContainerName": "string",
    				"ContainerPort": number,
    				"LoadBalancerName": "string",
    				"TargetGroupArn": "string"
    			}],
    			"Name": "string",
    			"NetworkConfiguration": {
    				"AwsVpcConfiguration": {
    					"AssignPublicIp": "string",
    					"SecurityGroups": ["string"],
    					"Subnets": ["string"]
    				}
    			},
    			"PlacementConstraints": [{
    				"Expression": "string",
    				"Type": "string"
    			}],
    			"PlacementStrategies": [{
    				"Field": "string",
    				"Type": "string"
    			}],
    			"PlatformVersion": "string",
    			"PropagateTags": "string",
    			"Role": "string",
    			"SchedulingStrategy": "string",
    			"ServiceArn": "string",
    			"ServiceName": "string",
    			"ServiceRegistries": [{
    				"ContainerName": "string",
    				"ContainerPort": number,
    				"Port": number,
    				"RegistryArn": "string"
    			}],
    			"TaskDefinition": "string"
    		},
    		"AwsEcsTask": {
    			"CreatedAt": "string",
    			"ClusterArn": "string",
    			"Group": "string",
    			"StartedAt": "string",
    			"StartedBy": "string",
    			"TaskDefinitionArn": "string",
    			"Version": number,
    			"Volumes": [{
    				"Name": "string",
    				"Host": {
    					"SourcePath": "string"
    				}
    			}],
    			"Containers": [{
    				"Image": "string",
    				"MountPoints": [{
    					"ContainerPath": "string",
    					"SourceVolume": "string"
    				}],
    				"Name": "string",
    				"Privileged": boolean
    			}]
    		},
    		"AwsEcsTaskDefinition": {
    			"ContainerDefinitions": [{
    				"Command": ["string"],
    				"Cpu": number,
    				"DependsOn": [{
    					"Condition": "string",
    					"ContainerName": "string"
    				}],
    				"DisableNetworking": boolean,
    				"DnsSearchDomains": ["string"],
    				"DnsServers": ["string"],
    				"DockerLabels": {
    					"string": "string"
    				},
    				"DockerSecurityOptions": ["string"],
    				"EntryPoint": ["string"],
    				"Environment": [{
    					"Name": "string",
    					"Value": "string"
    				}],
    				"EnvironmentFiles": [{
    					"Type": "string",
    					"Value": "string"
    				}],
    				"Essential": boolean,
    				"ExtraHosts": [{
    					"Hostname": "string",
    					"IpAddress": "string"
    				}],
    				"FirelensConfiguration": {
    					"Options": {
    						"string": "string"
    					},
    					"Type": "string"
    				},
    				"HealthCheck": {
    					"Command": ["string"],
    					"Interval": number,
    					"Retries": number,
    					"StartPeriod": number,
    					"Timeout": number
    				},
    				"Hostname": "string",
    				"Image": "string",
    				"Interactive": boolean,
    				"Links": ["string"],
    				"LinuxParameters": {
    					"Capabilities": {
    						"Add": ["string"],
    						"Drop": ["string"]
    					},
    					"Devices": [{
    						"ContainerPath": "string",
    						"HostPath": "string",
    						"Permissions": ["string"]
    					}],
    					"InitProcessEnabled": boolean,
    					"MaxSwap": number,
    					"SharedMemorySize": number,
    					"Swappiness": number,
    					"Tmpfs": [{
    						"ContainerPath": "string",
    						"MountOptions": ["string"],
    						"Size": number
    					}]
    				},
    				"LogConfiguration": {
    					"LogDriver": "string",
    					"Options": {
    						"string": "string"
    					},
    					"SecretOptions": [{
    						"Name": "string",
    						"ValueFrom": "string"
    					}]
    				},
    				"Memory": number,
    				"MemoryReservation": number,
    				"MountPoints": [{
    					"ContainerPath": "string",
    					"ReadOnly": boolean,
    					"SourceVolume": "string"
    				}],
    				"Name": "string",
    				"PortMappings": [{
    					"ContainerPort": number,
    					"HostPort": number,
    					"Protocol": "string"
    				}],
    				"Privileged": boolean,
    				"PseudoTerminal": boolean,
    				"ReadonlyRootFilesystem": boolean,
    				"RepositoryCredentials": {
    					"CredentialsParameter": "string"
    				},
    				"ResourceRequirements": [{
    					"Type": "string",
    					"Value": "string"
    				}],
    				"Secrets": [{
    					"Name": "string",
    					"ValueFrom": "string"
    				}],
    				"StartTimeout": number,
    				"StopTimeout": number,
    				"SystemControls": [{
    					"Namespace": "string",
    					"Value": "string"
    				}],
    				"Ulimits": [{
    					"HardLimit": number,
    					"Name": "string",
    					"SoftLimit": number
    				}],
    				"User": "string",
    				"VolumesFrom": [{
    					"ReadOnly": boolean,
    					"SourceContainer": "string"
    				}],
    				"WorkingDirectory": "string"
    			}],
    			"Cpu": "string",
    			"ExecutionRoleArn": "string",
    			"Family": "string",
    			"InferenceAccelerators": [{
    				"DeviceName": "string",
    				"DeviceType": "string"
    			}],
    			"IpcMode": "string",
    			"Memory": "string",
    			"NetworkMode": "string",
    			"PidMode": "string",
    			"PlacementConstraints": [{
    				"Expression": "string",
    				"Type": "string"
    			}],
    			"ProxyConfiguration": {
    				"ContainerName": "string",
    				"ProxyConfigurationProperties": [{
    					"Name": "string",
    					"Value": "string"
    				}],
    				"Type": "string"
    			},
    			"RequiresCompatibilities": ["string"],
    			"Status": "string",
    			"TaskRoleArn": "string",
    			"Volumes": [{
    				"DockerVolumeConfiguration": {
    					"Autoprovision": boolean,
    					"Driver": "string",
    					"DriverOpts": {
    						"string": "string"
    					},
    					"Labels": {
    						"string": "string"
    					},
    					"Scope": "string"
    				},
    				"EfsVolumeConfiguration": {
    					"AuthorizationConfig": {
    						"AccessPointId": "string",
    						"Iam": "string"
    					},
    					"FilesystemId": "string",
    					"RootDirectory": "string",
    					"TransitEncryption": "string",
    					"TransitEncryptionPort": number
    				},
    				"Host": {
    					"SourcePath": "string"
    				},
    				"Name": "string"
    			}]
    		},
    		"AwsEfsAccessPoint": {
    			"AccessPointId": "string",
    			"Arn": "string",
    			"ClientToken": "string",
    			"FileSystemId": "string",
    			"PosixUser": {
    				"Gid": "string",
    				"SecondaryGids": ["string"],
    				"Uid": "string"
    			},
    			"RootDirectory": {
    				"CreationInfo": {
    					"OwnerGid": "string",
    					"OwnerUid": "string",
    					"Permissions": "string"
    				},
    				"Path": "string"
    			}
    		},
    		"AwsEksCluster": {
    			"Arn": "string",
    			"CertificateAuthorityData": "string",
    			"ClusterStatus": "string",
    			"Endpoint": "string",
    			"Logging": {
    				"ClusterLogging": [{
    					"Enabled": boolean,
    					"Types": ["string"]
    				}]
    			},
    			"Name": "string",
    			"ResourcesVpcConfig": {
    				"EndpointPublicAccess": boolean,
    				"SecurityGroupIds": ["string"],
    				"SubnetIds": ["string"]
    			},
    			"RoleArn": "string",
    			"Version": "string"
    		},
    		"AwsElasticBeanstalkEnvironment": {
    			"ApplicationName": "string",
    			"Cname": "string",
    			"DateCreated": "string",
    			"DateUpdated": "string",
    			"Description": "string",
    			"EndpointUrl": "string",
    			"EnvironmentArn": "string",
    			"EnvironmentId": "string",
    			"EnvironmentLinks": [{
    				"EnvironmentName": "string",
    				"LinkName": "string"
    			}],
    			"EnvironmentName": "string",
    			"OptionSettings": [{
    				"Namespace": "string",
    				"OptionName": "string",
    				"ResourceName": "string",
    				"Value": "string"
    			}],
    			"PlatformArn": "string",
    			"SolutionStackName": "string",
    			"Status": "string",
    			"Tier": {
    				"Name": "string",
    				"Type": "string",
    				"Version": "string"
    			},
    			"VersionLabel": "string"
    		},
    		"AwsElasticSearchDomain": {
    			"AccessPolicies": "string",
    			"DomainStatus": {
    				"DomainId": "string",
    				"DomainName": "string",
    				"Endpoint": "string",
    				"Endpoints": {
    					"string": "string"
    				}
    			},
    			"DomainEndpointOptions": {
    				"EnforceHTTPS": boolean,
    				"TLSSecurityPolicy": "string"
    			},
    			"ElasticsearchClusterConfig": {
    				"DedicatedMasterCount": number,
    				"DedicatedMasterEnabled": boolean,
    				"DedicatedMasterType": "string",
    				"InstanceCount": number,
    				"InstanceType": "string",
    				"ZoneAwarenessConfig": {
    					"AvailabilityZoneCount": number
    				},
    				"ZoneAwarenessEnabled": boolean
    			},
    			"ElasticsearchVersion": "string",
    			"EncryptionAtRestOptions": {
    				"Enabled": boolean,
    				"KmsKeyId": "string"
    			},
    			"LogPublishingOptions": {
    				"AuditLogs": {
    					"CloudWatchLogsLogGroupArn": "string",
    					"Enabled": boolean
    				},
    				"IndexSlowLogs": {
    					"CloudWatchLogsLogGroupArn": "string",
    					"Enabled": boolean
    				},
    				"SearchSlowLogs": {
    					"CloudWatchLogsLogGroupArn": "string",
    					"Enabled": boolean
    				}
    			},
    			"NodeToNodeEncryptionOptions": {
    				"Enabled": boolean
    			},
    			"ServiceSoftwareOptions": {
    				"AutomatedUpdateDate": "string",
    				"Cancellable": boolean,
    				"CurrentVersion": "string",
    				"Description": "string",
    				"NewVersion": "string",
    				"UpdateAvailable": boolean,
    				"UpdateStatus": "string"
    			},
    			"VPCOptions": {
    				"AvailabilityZones": [
    					"string"
    				],
    				"SecurityGroupIds": [
    					"string"
    				],
    				"SubnetIds": [
    					"string"
    				],
    				"VPCId": "string"
    			}
    		},
    		"AwsElbLoadBalancer": {
    			"AvailabilityZones": ["string"],
    			"BackendServerDescriptions": [{
    				"InstancePort": number,
    				"PolicyNames": ["string"]
    			}],
    			"CanonicalHostedZoneName": "string",
    			"CanonicalHostedZoneNameID": "string",
    			"CreatedTime": "string",
    			"DnsName": "string",
    			"HealthCheck": {
    				"HealthyThreshold": number,
    				"Interval": number,
    				"Target": "string",
    				"Timeout": number,
    				"UnhealthyThreshold": number
    			},
    			"Instances": [{
    				"InstanceId": "string"
    			}],
    			"ListenerDescriptions": [{
    				"Listener": {
    					"InstancePort": number,
    					"InstanceProtocol": "string",
    					"LoadBalancerPort": number,
    					"Protocol": "string",
    					"SslCertificateId": "string"
    				},
    				"PolicyNames": ["string"]
    			}],
    			"LoadBalancerAttributes": {
    				"AccessLog": {
    					"EmitInterval": number,
    					"Enabled": boolean,
    					"S3BucketName": "string",
    					"S3BucketPrefix": "string"
    				},
    				"ConnectionDraining": {
    					"Enabled": boolean,
    					"Timeout": number
    				},
    				"ConnectionSettings": {
    					"IdleTimeout": number
    				},
    				"CrossZoneLoadBalancing": {
    					"Enabled": boolean
    				},
    				"AdditionalAttributes": [{
                        "Key": "string",
                        "Value": "string"
                    }]
    			},
    			"LoadBalancerName": "string",
    			"Policies": {
    				"AppCookieStickinessPolicies": [{
    					"CookieName": "string",
    					"PolicyName": "string"
    				}],
    				"LbCookieStickinessPolicies": [{
    					"CookieExpirationPeriod": number,
    					"PolicyName": "string"
    				}],
    				"OtherPolicies": ["string"]
    			},
    			"Scheme": "string",
    			"SecurityGroups": ["string"],
    			"SourceSecurityGroup": {
    				"GroupName": "string",
    				"OwnerAlias": "string"
    			},
    			"Subnets": ["string"],
    			"VpcId": "string"
    		},
    		"AwsElbv2LoadBalancer": {
    			"AvailabilityZones": {
    				"SubnetId": "string",
    				"ZoneName": "string"
    			},
    			"CanonicalHostedZoneId": "string",
    			"CreatedTime": "string",
    			"DNSName": "string",
    			"IpAddressType": "string",
    			"LoadBalancerAttributes": [{
    				"Key": "string",
    				"Value": "string"
    			}],
    			"Scheme": "string",
    			"SecurityGroups": ["string"],
    			"State": {
    				"Code": "string",
    				"Reason": "string"
    			},
    			"Type": "string",
    			"VpcId": "string"
    		},
    		"AwsEventSchemasRegistry": {
    			"Description": "string",
    			"RegistryArn": "string",
    			"RegistryName": "string"
    		},
    		"AwsEventsEndpoint": {
    			"Arn": "string",
    			"Description": "string",
    			"EndpointId": "string",
    			"EndpointUrl": "string",
    			"EventBuses": [
    				{
    					"EventBusArn": "string"
    				},
    				{
    					"EventBusArn": "string"
    				}
    			],
    			"Name": "string",
    			"ReplicationConfig": {
        			"State": "string"
    			},
    			"RoleArn": "string",
    			"RoutingConfig": {
        			"FailoverConfig": {
            			"Primary": {
                			"HealthCheck": "string"
            			},
            			"Secondary": {
                			"Route": "string"
            			}
        			}
    			},
    			"State": "string"
    		},
    		"AwsEventsEventBus": {
    			"Arn": "string",
    			"Name": "string",
    			"Policy": "string"
    		},
    		"AwsGuardDutyDetector": {
    			"FindingPublishingFrequency": "string",
    			"ServiceRole": "string",
    			"Status": "string",
    			"DataSources": {
    				"CloudTrail": {
    					"Status": "string"
    				},
    				"DnsLogs": {
    					"Status": "string"
    				},
    				"FlowLogs": {
    					"Status": "string"
    				},
    				"S3Logs": {
    					"Status": "string"
    				},
    				"Kubernetes": {
    					"AuditLogs": {
    						"Status": "string"
    					}
    				},
    				"MalwareProtection": {
    					"ScanEc2InstanceWithFindings": {
    						"EbsVolumes": {
    							"Status": "string"
    						}
    					},
    					"ServiceRole": "string"
    				}
    			}
    		},
    		"AwsIamAccessKey": {
    			"AccessKeyId": "string",
    			"AccountId": "string",
    			"CreatedAt": "string",
    			"PrincipalId": "string",
    			"PrincipalName": "string",
    			"PrincipalType": "string",
    			"SessionContext": {
    				"Attributes": {
    					"CreationDate": "string",
    					"MfaAuthenticated": boolean
    				},
    				"SessionIssuer": {
    					"AccountId": "string",
    					"Arn": "string",
    					"PrincipalId": "string",
    					"Type": "string",
    					"UserName": "string"
    				}
    			},
    			"Status": "string"
    		},
    		"AwsIamGroup": {
    			"AttachedManagedPolicies": [{
    				"PolicyArn": "string",
    				"PolicyName": "string"
    			}],
    			"CreateDate": "string",
    			"GroupId": "string",
    			"GroupName": "string",
    			"GroupPolicyList": [{
    				"PolicyName": "string"
    			}],
    			"Path": "string"
    		},
    		"AwsIamPolicy": {
    			"AttachmentCount": number,
    			"CreateDate": "string",
    			"DefaultVersionId": "string",
    			"Description": "string",
    			"IsAttachable": boolean,
    			"Path": "string",
    			"PermissionsBoundaryUsageCount": number,
    			"PolicyId": "string",
    			"PolicyName": "string",
    			"PolicyVersionList": [{
    				"CreateDate": "string",
    				"IsDefaultVersion": boolean,
    				"VersionId": "string"
    			}],
    			"UpdateDate": "string"
    		},
    		"AwsIamRole": {
    			"AssumeRolePolicyDocument": "string",
    			"AttachedManagedPolicies": [{
    				"PolicyArn": "string",
    				"PolicyName": "string"
    			}],
    			"CreateDate": "string",
    			"InstanceProfileList": [{
    				"Arn": "string",
    				"CreateDate": "string",
    				"InstanceProfileId": "string",
    				"InstanceProfileName": "string",
    				"Path": "string",
    				"Roles": [{
    					"Arn": "string",
    					"AssumeRolePolicyDocument": "string",
    					"CreateDate": "string",
    					"Path": "string",
    					"RoleId": "string",
    					"RoleName": "string"
    				}]
    			}],
    			"MaxSessionDuration": number,
    			"Path": "string",
    			"PermissionsBoundary": {
    				"PermissionsBoundaryArn": "string",
    				"PermissionsBoundaryType": "string"
    			},
    			"RoleId": "string",
    			"RoleName": "string",
    			"RolePolicyList": [{
    				"PolicyName": "string"
    			}]
    		},
    		"AwsIamUser": {
    			"AttachedManagedPolicies": [{
    				"PolicyArn": "string",
    				"PolicyName": "string"
    			}],
    			"CreateDate": "string",
    			"GroupList": ["string"],
    			"Path": "string",
    			"PermissionsBoundary": {
    				"PermissionsBoundaryArn": "string",
    				"PermissionsBoundaryType": "string"
    			},
    			"UserId": "string",
    			"UserName": "string",
    			"UserPolicyList": [{
    				"PolicyName": "string"
    			}]
    		},
    		"AwsKinesisStream": {
    			"Arn": "string",
    			"Name": "string",
    			"RetentionPeriodHours": number,
    			"ShardCount": number,
    			"StreamEncryption": {
    				"EncryptionType": "string",
    				"KeyId": "string"
    			}
    		},
    		"AwsKmsKey": {
    			"AWSAccountId": "string",
    			"CreationDate": "string",
    			"Description": "string",
    			"KeyId": "string",
    			"KeyManager": "string",
    			"KeyRotationStatus": boolean,
    			"KeyState": "string",
    			"Origin": "string"
    		},
    		"AwsLambdaFunction": {
    			"Architectures": [
    				"string"
    			],
    			"Code": {
    				"S3Bucket": "string",
    				"S3Key": "string",
    				"S3ObjectVersion": "string",
    				"ZipFile": "string"
    			},
    			"CodeSha256": "string",
    			"DeadLetterConfig": {
    				"TargetArn": "string"
    			},
    			"Environment": {
    				"Variables": {
    					"Stage": "string"
    				},
    				"Error": {
    					"ErrorCode": "string",
    					"Message": "string"
    				}
    			},
    			"FunctionName": "string",
    			"Handler": "string",
    			"KmsKeyArn": "string",
    			"LastModified": "string",
    			"Layers": {
    				"Arn": "string",
    				"CodeSize": number
    			},
    			"PackageType": "string",
    			"RevisionId": "string",
    			"Role": "string",
    			"Runtime": "string",
    			"Timeout": integer,
    			"TracingConfig": {
    				"Mode": "string"
    			},
    			"Version": "string",
    			"VpcConfig": {
    				"SecurityGroupIds": ["string"],
    				"SubnetIds": ["string"]
    			},
    			"MasterArn": "string",
    			"MemorySize": number
    		},
    		"AwsLambdaLayerVersion": {
    			"CompatibleRuntimes": [
    				"string"
    			],
    			"CreatedDate": "string",
    			"Version": number
    		},
    		"AwsMskCluster": {
    			"ClusterInfo": {
    				"ClientAuthentication": {
    					"Sasl": {
    						"Scram": {
    							"Enabled": boolean
    						},
    						"Iam": {
    							"Enabled": boolean
    						}
    					},
    					"Tls": {
    						"CertificateAuthorityArnList": [],
    						"Enabled": boolean
    					},
    					"Unauthenticated": {
    						"Enabled": boolean
    					}
    				},
    				"ClusterName": "string",
    				"CurrentVersion": "string",
    				"EncryptionInfo": {
    					"EncryptionAtRest": {
    						"DataVolumeKMSKeyId": "string"
    					},
    					"EncryptionInTransit": {
    						"ClientBroker": "string",
    						"InCluster": boolean
    					}
    				},
    				"EnhancedMonitoring": "string",
    				"NumberOfBrokerNodes": integer
    			}
    		},
    		"AwsNetworkFirewallFirewall": {
    			"DeleteProtection": boolean,
    			"Description": "string",
    			"FirewallArn": "string",
    			"FirewallId": "string",
    			"FirewallName": "string",
    			"FirewallPolicyArn": "string",
    			"FirewallPolicyChangeProtection": boolean,
    			"SubnetChangeProtection": boolean,
    			"SubnetMappings": [{
    				"SubnetId": "string"
    			}],
    			"VpcId": "string"
    		},
    		"AwsNetworkFirewallFirewallPolicy": {
    			"Description": "string",
    			"FirewallPolicy": {
    				"StatefulRuleGroupReferences": [{
    					"ResourceArn": "string"
    				}],
    				"StatelessCustomActions": [{
    					"ActionDefinition": {
    						"PublishMetricAction": {
    							"Dimensions": [{
    								"Value": "string"
    							}]
    						}
    					},
    					"ActionName": "string"
    				}],
    				"StatelessDefaultActions": ["string"],
    				"StatelessFragmentDefaultActions": ["string"],
    				"StatelessRuleGroupReferences": [{
    					"Priority": number,
    					"ResourceArn": "string"
    				}]
    			},
    			"FirewallPolicyArn": "string",
    			"FirewallPolicyId": "string",
    			"FirewallPolicyName": "string"
    		},
    		"AwsNetworkFirewallRuleGroup": {
    			"Capacity": number,
    			"Description": "string",
    			"RuleGroup": {
    				"RulesSource": {
    					"RulesSourceList": {
    						"GeneratedRulesType": "string",
    						"Targets": ["string"],
    						"TargetTypes": ["string"]
    					},
    					"RulesString": "string",
    					"StatefulRules": [{
    						"Action": "string",
    						"Header": {
    							"Destination": "string",
    							"DestinationPort": "string",
    							"Direction": "string",
    							"Protocol": "string",
    							"Source": "string",
    							"SourcePort": "string"
    						},
    						"RuleOptions": [{
    							"Keyword": "string",
    							"Settings": ["string"]
    						}]
    					}],
    					"StatelessRulesAndCustomActions": {
    						"CustomActions": [{
    							"ActionDefinition": {
    								"PublishMetricAction": {
    									"Dimensions": [{
    										"Value": "string"
    									}]
    								}
    							},
    							"ActionName": "string"
    						}],
    						"StatelessRules": [{
    							"Priority": number,
    							"RuleDefinition": {
    								"Actions": ["string"],
    								"MatchAttributes": {
    									"DestinationPorts": [{
    										"FromPort": number,
    										"ToPort": number
    									}],
    									"Destinations": [{
    										"AddressDefinition": "string"
    									}],
    									"Protocols": [number],
    									"SourcePorts": [{
    										"FromPort": number,
    										"ToPort": number
    									}],
    									"Sources": [{
    										"AddressDefinition": "string"
    									}],
    									"TcpFlags": [{
    										"Flags": ["string"],
    										"Masks": ["string"]
    									}]
    								}
    							}
    						}]
    					}
    				},
    				"RuleVariables": {
    					"IpSets": {
    						"Definition": ["string"]
    					},
    					"PortSets": {
    						"Definition": ["string"]
    					}
    				}
    			},
    			"RuleGroupArn": "string",
    			"RuleGroupId": "string",
    			"RuleGroupName": "string",
    			"Type": "string"
    		},
    		"AwsOpenSearchServiceDomain": {
    			"AccessPolicies": "string",
    			"AdvancedSecurityOptions": {
    				"Enabled": boolean,
    				"InternalUserDatabaseEnabled": boolean,
    				"MasterUserOptions": {
    					"MasterUserArn": "string",
    					"MasterUserName": "string",
    					"MasterUserPassword": "string"
    				}
    			},
    			"Arn": "string",
    			"ClusterConfig": {
    				"DedicatedMasterCount": number,
    				"DedicatedMasterEnabled": boolean,
    				"DedicatedMasterType": "string",
    				"InstanceCount": number,
    				"InstanceType": "string",
    				"WarmCount": number,
    				"WarmEnabled": boolean,
    				"WarmType": "string",
    				"ZoneAwarenessConfig": {
    					"AvailabilityZoneCount": number
    				},
    				"ZoneAwarenessEnabled": boolean
    			},
    			"DomainEndpoint": "string",
    			"DomainEndpointOptions": {
    				"CustomEndpoint": "string",
    				"CustomEndpointCertificateArn": "string",
    				"CustomEndpointEnabled": boolean,
    				"EnforceHTTPS": boolean,
    				"TLSSecurityPolicy": "string"
    			},
    			"DomainEndpoints": {
    				"string": "string"
    			},
    			"DomainName": "string",
    			"EncryptionAtRestOptions": {
    				"Enabled": boolean,
    				"KmsKeyId": "string"
    			},
    			"EngineVersion": "string",
    			"Id": "string",
    			"LogPublishingOptions": {
    				"AuditLogs": {
    					"CloudWatchLogsLogGroupArn": "string",
    					"Enabled": boolean
    				},
    				"IndexSlowLogs": {
    					"CloudWatchLogsLogGroupArn": "string",
    					"Enabled": boolean
    				},
    				"SearchSlowLogs": {
    					"CloudWatchLogsLogGroupArn": "string",
    					"Enabled": boolean
    				}
    			},
    			"NodeToNodeEncryptionOptions": {
    				"Enabled": boolean
    			},
    			"ServiceSoftwareOptions": {
    				"AutomatedUpdateDate": "string",
    				"Cancellable": boolean,
    				"CurrentVersion": "string",
    				"Description": "string",
    				"NewVersion": "string",
    				"OptionalDeployment": boolean,
    				"UpdateAvailable": boolean,
    				"UpdateStatus": "string"
    			},
    			"VpcOptions": {
    				"SecurityGroupIds": ["string"],
    				"SubnetIds": ["string"]
    			}
    		},
    		"AwsRdsDbCluster": {
    			"ActivityStreamStatus": "string",
    			"AllocatedStorage": number,
    			"AssociatedRoles": [{
    				"RoleArn": "string",
    				"Status": "string"
    			}],
    			"AutoMinorVersionUpgrade": boolean,
    			"AvailabilityZones": ["string"],
    			"BackupRetentionPeriod": integer,
    			"ClusterCreateTime": "string",
    			"CopyTagsToSnapshot": boolean,
    			"CrossAccountClone": boolean,
    			"CustomEndpoints": ["string"],
    			"DatabaseName": "string",
    			"DbClusterIdentifier": "string",
    			"DbClusterMembers": [{
    				"DbClusterParameterGroupStatus": "string",
    				"DbInstanceIdentifier": "string",
    				"IsClusterWriter": boolean,
    				"PromotionTier": integer
    			}],
    			"DbClusterOptionGroupMemberships": [{
    				"DbClusterOptionGroupName": "string",
    				"Status": "string"
    			}],
    			"DbClusterParameterGroup": "string",
    			"DbClusterResourceId": "string",
    			"DbSubnetGroup": "string",
    			"DeletionProtection": boolean,
    			"DomainMemberships": [{
    				"Domain": "string",
    				"Fqdn": "string",
    				"IamRoleName": "string",
    				"Status": "string"
    			}],
    			"EnabledCloudwatchLogsExports": ["string"],
    			"Endpoint": "string",
    			"Engine": "string",
    			"EngineMode": "string",
    			"EngineVersion": "string",
    			"HostedZoneId": "string",
    			"HttpEndpointEnabled": boolean,
    			"IamDatabaseAuthenticationEnabled": boolean,
    			"KmsKeyId": "string",
    			"MasterUsername": "string",
    			"MultiAz": boolean,
    			"Port": integer,
    			"PreferredBackupWindow": "string",
    			"PreferredMaintenanceWindow": "string",
    			"ReaderEndpoint": "string",
    			"ReadReplicaIdentifiers": ["string"],
    			"Status": "string",
    			"StorageEncrypted": boolean,
    			"VpcSecurityGroups": [{
    				"Status": "string",
    				"VpcSecurityGroupId": "string"
    			}]
    		},
    		"AwsRdsDbClusterSnapshot": {
    			"AllocatedStorage": integer,
    			"AvailabilityZones": ["string"],
    			"ClusterCreateTime": "string",
    			"DbClusterIdentifier": "string",
    			"DbClusterSnapshotAttributes": [{
    				"AttributeName": "string",
    				"AttributeValues": ["string"]
    			}],
    			"DbClusterSnapshotIdentifier": "string",
    			"Engine": "string",
    			"EngineVersion": "string",
    			"IamDatabaseAuthenticationEnabled": boolean,
    			"KmsKeyId": "string",
    			"LicenseModel": "string",
    			"MasterUsername": "string",
    			"PercentProgress": integer,
    			"Port": integer,
    			"SnapshotCreateTime": "string",
    			"SnapshotType": "string",
    			"Status": "string",
    			"StorageEncrypted": boolean,
    			"VpcId": "string"
    		},
    		"AwsRdsDbInstance": {
    			"AllocatedStorage": number,
    			"AssociatedRoles": [{
    				"RoleArn": "string",
    				"FeatureName": "string",
    				"Status": "string"
    			}],
    			"AutoMinorVersionUpgrade": boolean,
    			"AvailabilityZone": "string",
    			"BackupRetentionPeriod": number,
    			"CACertificateIdentifier": "string",
    			"CharacterSetName": "string",
    			"CopyTagsToSnapshot": boolean,
    			"DBClusterIdentifier": "string",
    			"DBInstanceClass": "string",
    			"DBInstanceIdentifier": "string",
    			"DbInstancePort": number,
    			"DbInstanceStatus": "string",
    			"DbiResourceId": "string",
    			"DBName": "string",
    			"DbParameterGroups": [{
    				"DbParameterGroupName": "string",
    				"ParameterApplyStatus": "string"
    			}],
    			"DbSecurityGroups": ["string"],
    			"DbSubnetGroup": {
    				"DbSubnetGroupArn": "string",
    				"DbSubnetGroupDescription": "string",
    				"DbSubnetGroupName": "string",
    				"SubnetGroupStatus": "string",
    				"Subnets": [{
    					"SubnetAvailabilityZone": {
    						"Name": "string"
    					},
    					"SubnetIdentifier": "string",
    					"SubnetStatus": "string"
    				}],
    				"VpcId": "string"
    			},
    			"DeletionProtection": boolean,
    			"Endpoint": {
    				"Address": "string",
    				"Port": number,
    				"HostedZoneId": "string"
    			},
    			"DomainMemberships": [{
    				"Domain": "string",
    				"Fqdn": "string",
    				"IamRoleName": "string",
    				"Status": "string"
    			}],
    			"EnabledCloudwatchLogsExports": ["string"],
    			"Engine": "string",
    			"EngineVersion": "string",
    			"EnhancedMonitoringResourceArn": "string",
    			"IAMDatabaseAuthenticationEnabled": boolean,
    			"InstanceCreateTime": "string",
    			"Iops": number,
    			"KmsKeyId": "string",
    			"LatestRestorableTime": "string",
    			"LicenseModel": "string",
    			"ListenerEndpoint": {
    				"Address": "string",
    				"HostedZoneId": "string",
    				"Port": number
    			},
    			"MasterUsername": "admin",
    			"MaxAllocatedStorage": number,
    			"MonitoringInterval": number,
    			"MonitoringRoleArn": "string",
    			"MultiAz": boolean,
    			"OptionGroupMemberships": [{
    				"OptionGroupName": "string",
    				"Status": "string"
    			}],
    			"PendingModifiedValues": {
    				"AllocatedStorage": number,
    				"BackupRetentionPeriod": number,
    				"CaCertificateIdentifier": "string",
    				"DbInstanceClass": "string",
    				"DbInstanceIdentifier": "string",
    				"DbSubnetGroupName": "string",
    				"EngineVersion": "string",
    				"Iops": number,
    				"LicenseModel": "string",
    				"MasterUserPassword": "string",
    				"MultiAZ": boolean,
    				"PendingCloudWatchLogsExports": {
    					"LogTypesToDisable": ["string"],
    					"LogTypesToEnable": ["string"]
    				},
    				"Port": number,
    				"ProcessorFeatures": [{
    					"Name": "string",
    					"Value": "string"
    				}],
    				"StorageType": "string"
    			},
    			"PerformanceInsightsEnabled": boolean,
    			"PerformanceInsightsKmsKeyId": "string",
    			"PerformanceInsightsRetentionPeriod": number,
    			"PreferredBackupWindow": "string",
    			"PreferredMaintenanceWindow": "string",
    			"ProcessorFeatures": [{
    				"Name": "string",
    				"Value": "string"
    			}],
    			"PromotionTier": number,
    			"PubliclyAccessible": boolean,
    			"ReadReplicaDBClusterIdentifiers": ["string"],
    			"ReadReplicaDBInstanceIdentifiers": ["string"],
    			"ReadReplicaSourceDBInstanceIdentifier": "string",
    			"SecondaryAvailabilityZone": "string",
    			"StatusInfos": [{
    				"Message": "string",
    				"Normal": boolean,
    				"Status": "string",
    				"StatusType": "string"
    			}],
    			"StorageEncrypted": boolean,
    			"TdeCredentialArn": "string",
    			"Timezone": "string",
    			"VpcSecurityGroups": [{
    				"VpcSecurityGroupId": "string",
    				"Status": "string"
    			}]
    		},
    		"AwsRdsDbSecurityGroup": {
    			"DbSecurityGroupArn": "string",
    			"DbSecurityGroupDescription": "string",
    			"DbSecurityGroupName": "string",
    			"Ec2SecurityGroups": [{
    				"Ec2SecurityGroupuId": "string",
    				"Ec2SecurityGroupName": "string",
    				"Ec2SecurityGroupOwnerId": "string",
    				"Status": "string"
    			}],
    			"IpRanges": [{
    				"CidrIp": "string",
    				"Status": "string"
    			}],
    			"OwnerId": "string",
    			"VpcId": "string"
    		},
    		"AwsRdsDbSnapshot": {
    			"AllocatedStorage": integer,
    			"AvailabilityZone": "string",
    			"DbInstanceIdentifier": "string",
    			"DbiResourceId": "string",
    			"DbSnapshotIdentifier": "string",
    			"Encrypted": boolean,
    			"Engine": "string",
    			"EngineVersion": "string",
    			"IamDatabaseAuthenticationEnabled": boolean,
    			"InstanceCreateTime": "string",
    			"Iops": number,
    			"KmsKeyId": "string",
    			"LicenseModel": "string",
    			"MasterUsername": "string",
    			"OptionGroupName": "string",
    			"PercentProgress": integer,
    			"Port": integer,
    			"ProcessorFeatures": [],
    			"SnapshotCreateTime": "string",
    			"SnapshotType": "string",
    			"SourceDbSnapshotIdentifier": "string",
    			"SourceRegion": "string",
    			"Status": "string",
    			"StorageType": "string",
    			"TdeCredentialArn": "string",
    			"Timezone": "string",
    			"VpcId": "string"
    		},
    		"AwsRdsEventSubscription": {
    			"CustomerAwsId": "string",
    			"CustSubscriptionId": "string",
    			"Enabled": boolean,
    			"EventCategoriesList": ["string"],
    			"EventSubscriptionArn": "string",
    			"SnsTopicArn": "string",
    			"SourceIdsList": ["string"],
    			"SourceType": "string",
    			"Status": "string",
    			"SubscriptionCreationTime": "string"
    		},
    		"AwsRedshiftCluster": {
    			"AllowVersionUpgrade": boolean,
    			"AutomatedSnapshotRetentionPeriod": number,
    			"AvailabilityZone": "string",
    			"ClusterAvailabilityStatus": "string",
    			"ClusterCreateTime": "string",
    			"ClusterIdentifier": "string",
    			"ClusterNodes": [{
    				"NodeRole": "string",
    				"PrivateIPAddress": "string",
    				"PublicIPAddress": "string"
    			}],
    			"ClusterParameterGroups": [{
    				"ClusterParameterStatusList": [{
    					"ParameterApplyErrorDescription": "string",
    					"ParameterApplyStatus": "string",
    					"ParameterName": "string"
    				}],
    				"ParameterApplyStatus": "string",
    				"ParameterGroupName": "string"
    			}],
    			"ClusterPublicKey": "string",
    			"ClusterRevisionNumber": "string",
    			"ClusterSecurityGroups": [{
    				"ClusterSecurityGroupName": "string",
    				"Status": "string"
    			}],
    			"ClusterSnapshotCopyStatus": {
    				"DestinationRegion": "string",
    				"ManualSnapshotRetentionPeriod": number,
    				"RetentionPeriod": number,
    				"SnapshotCopyGrantName": "string"
    			},
    			"ClusterStatus": "string",
    			"ClusterSubnetGroupName": "string",
    			"ClusterVersion": "string",
    			"DBName": "string",
    			"DeferredMaintenanceWindows": [{
    				"DeferMaintenanceEndTime": "string",
    				"DeferMaintenanceIdentifier": "string",
    				"DeferMaintenanceStartTime": "string"
    			}],
    			"ElasticIpStatus": {
    				"ElasticIp": "string",
    				"Status": "string"
    			},
    			"ElasticResizeNumberOfNodeOptions": "string",
    			"Encrypted": boolean,
    			"Endpoint": {
    				"Address": "string",
    				"Port": number
    			},
    			"EnhancedVpcRouting": boolean,
    			"ExpectedNextSnapshotScheduleTime": "string",
    			"ExpectedNextSnapshotScheduleTimeStatus": "string",
    			"HsmStatus": {
    				"HsmClientCertificateIdentifier": "string",
    				"HsmConfigurationIdentifier": "string",
    				"Status": "string"
    			},
    			"IamRoles": [{
    				"ApplyStatus": "string",
    				"IamRoleArn": "string"
    			}],
    			"KmsKeyId": "string",
    			"LoggingStatus":{
                    "BucketName": "string",
                    "LastFailureMessage": "string",
                    "LastFailureTime": "string",
                    "LastSuccessfulDeliveryTime": "string",
                    "LoggingEnabled": boolean,
                    "S3KeyPrefix": "string"
                },
    			"MaintenanceTrackName": "string",
    			"ManualSnapshotRetentionPeriod": number,
    			"MasterUsername": "string",
    			"NextMaintenanceWindowStartTime": "string",
    			"NodeType": "string",
    			"NumberOfNodes": number,
    			"PendingActions": ["string"],
    			"PendingModifiedValues": {
    				"AutomatedSnapshotRetentionPeriod": number,
    				"ClusterIdentifier": "string",
    				"ClusterType": "string",
    				"ClusterVersion": "string",
    				"EncryptionType": "string",
    				"EnhancedVpcRouting": boolean,
    				"MaintenanceTrackName": "string",
    				"MasterUserPassword": "string",
    				"NodeType": "string",
    				"NumberOfNodes": number,
    				"PubliclyAccessible": "string"
    			},
    			"PreferredMaintenanceWindow": "string",
    			"PubliclyAccessible": boolean,
    			"ResizeInfo": {
    				"AllowCancelResize": boolean,
    				"ResizeType": "string"
    			},
    			"RestoreStatus": {
    				"CurrentRestoreRateInMegaBytesPerSecond": number,
    				"ElapsedTimeInSeconds": number,
    				"EstimatedTimeToCompletionInSeconds": number,
    				"ProgressInMegaBytes": number,
    				"SnapshotSizeInMegaBytes": number,
    				"Status": "string"
    			},
    			"SnapshotScheduleIdentifier": "string",
    			"SnapshotScheduleState": "string",
    			"VpcId": "string",
    			"VpcSecurityGroups": [{
    				"Status": "string",
    				"VpcSecurityGroupId": "string"
    			}]
    		},
    		"AwsRoute53HostedZone": {
    			"HostedZone": {
    				"Id": "string",
    				"Name": "string",
    				"Config": {
    					"Comment": "string"
    				}
    			},
    			"NameServers": ["string"],
    			"QueryLoggingConfig": {
    				"CloudWatchLogsLogGroupArn": {
    					"CloudWatchLogsLogGroupArn": "string",
    					"Id": "string",
    					"HostedZoneId": "string"
    				}
    			},
    			"Vpcs": [
    				{
    					"Id": "string",
    					"Region": "string"
    				}
    			]
    		},
    		"AwsS3AccessPoint": {
    			"AccessPointArn": "string",
    			"Alias": "string",
    			"Bucket": "string",
    			"BucketAccountId": "string",
    			"Name": "string",
    			"NetworkOrigin": "string",
    			"PublicAccessBlockConfiguration": {
    				"BlockPublicAcls": boolean,
    				"BlockPublicPolicy": boolean,
    				"IgnorePublicAcls": boolean,
    				"RestrictPublicBuckets": boolean
    			},
    			"VpcConfiguration": {
    				"VpcId": "string"
    			}
    		},
    		"AwsS3AccountPublicAccessBlock": {
    			"BlockPublicAcls": boolean,
    			"BlockPublicPolicy": boolean,
    			"IgnorePublicAcls": boolean,
    			"RestrictPublicBuckets": boolean
    		},
    		"AwsS3Bucket": {
    			"AccessControlList": "string",
    			"BucketLifecycleConfiguration": {
    				"Rules": [{
    					"AbortIncompleteMultipartUpload": {
    						"DaysAfterInitiation": number
    					},
    					"ExpirationDate": "string",
    					"ExpirationInDays": number,
    					"ExpiredObjectDeleteMarker": boolean,
    					"Filter": {
    						"Predicate": {
    							"Operands": [{
    									"Prefix": "string",
    									"Type": "string"
    								},
    								{
    									"Tag": {
    										"Key": "string",
    										"Value": "string"
    									},
    									"Type": "string"
    								}
    							],
    							"Type": "string"
    						}
    					},
    					"Id": "string",
    					"NoncurrentVersionExpirationInDays": number,
    					"NoncurrentVersionTransitions": [{
    						"Days": number,
    						"StorageClass": "string"
    					}],
    					"Prefix": "string",
    					"Status": "string",
    					"Transitions": [{
    						"Date": "string",
    						"Days": number,
    						"StorageClass": "string"
    					}]
    				}]
    			},
    			"BucketLoggingConfiguration": {
    				"DestinationBucketName": "string",
    				"LogFilePrefix": "string"
    			},
    			"BucketName": "string",
    			"BucketNotificationConfiguration": {
    				"Configurations": [{
    					"Destination": "string",
    					"Events": ["string"],
    					"Filter": {
    						"S3KeyFilter": {
    							"FilterRules": [{
    								"Name": "string",
    								"Value": "string"
    							}]
    						}
    					},
    					"Type": "string"
    				}]
    			},
    			"BucketVersioningConfiguration": {
    				"IsMfaDeleteEnabled": boolean,
    				"Status": "string"
    			},
    			"BucketWebsiteConfiguration": {
    				"ErrorDocument": "string",
    				"IndexDocumentSuffix": "string",
    				"RedirectAllRequestsTo": {
    					"HostName": "string",
    					"Protocol": "string"
    				},
    				"RoutingRules": [{
    					"Condition": {
    						"HttpErrorCodeReturnedEquals": "string",
    						"KeyPrefixEquals": "string"
    					},
    					"Redirect": {
    						"HostName": "string",
    						"HttpRedirectCode": "string",
    						"Protocol": "string",
    						"ReplaceKeyPrefixWith": "string",
    						"ReplaceKeyWith": "string"
    					}
    				}]
    			},
    			"CreatedAt": "string",
    			"ObjectLockConfiguration": {
    				"ObjectLockEnabled": "string",
    				"Rule": {
    					"DefaultRetention": {
    						"Days": integer,
    						"Mode": "string",
    						"Years": integer
    					}
    				}
    			},
    			"OwnerAccountId": "string",
    			"OwnerId": "string",
    			"OwnerName": "string",
    			"PublicAccessBlockConfiguration": {
    				"BlockPublicAcls": boolean,
    				"BlockPublicPolicy": boolean,
    				"IgnorePublicAcls": boolean,
    				"RestrictPublicBuckets": boolean
    			},
    			"ServerSideEncryptionConfiguration": {
    				"Rules": [{
    					"ApplyServerSideEncryptionByDefault": {
    						"KMSMasterKeyID": "string",
    						"SSEAlgorithm": "string"
    					}
    				}]
    			}
    		},
    		"AwsS3Object": {
    			"ContentType": "string",
    			"ETag": "string",
    			"LastModified": "string",
    			"ServerSideEncryption": "string",
    			"SSEKMSKeyId": "string",
    			"VersionId": "string"
    		},
    		"AwsSagemakerNotebookInstance": {
    			"DirectInternetAccess": "string",
    			"InstanceMetadataServiceConfiguration": {
    				"MinimumInstanceMetadataServiceVersion": "string"
    			},
    			"InstanceType": "string",
    			"LastModifiedTime": "string",
    			"NetworkInterfaceId": "string",
    			"NotebookInstanceArn": "string",
    			"NotebookInstanceName": "string",
    			"NotebookInstanceStatus": "string",
    			"PlatformIdentifier": "string",
    			"RoleArn": "string",
    			"RootAccess": "string",
    			"SecurityGroups": ["string"],
    			"SubnetId": "string",
    			"Url": "string",
    			"VolumeSizeInGB": number
    		},
    		"AwsSecretsManagerSecret": {
    			"Deleted": boolean,
    			"Description": "string",
    			"KmsKeyId": "string",
    			"Name": "string",
    			"RotationEnabled": boolean,
    			"RotationLambdaArn": "string",
    			"RotationOccurredWithinFrequency": boolean,
    			"RotationRules": {
    				"AutomaticallyAfterDays": integer
    			}
    		},
    		"AwsSnsTopic": {
    			"ApplicationSuccessFeedbackRoleArn": "string",
    			"FirehoseFailureFeedbackRoleArn": "string",
    			"FirehoseSuccessFeedbackRoleArn": "string",
    			"HttpFailureFeedbackRoleArn": "string",
    			"HttpSuccessFeedbackRoleArn": "string",
    			"KmsMasterKeyId": "string",
    			"Owner": "string",
    			"SqsFailureFeedbackRoleArn": "string",
    			"SqsSuccessFeedbackRoleArn": "string",
    			"Subscription": {
    				"Endpoint": "string",
    				"Protocol": "string"
    			},
    			"TopicName": "string"
    		},
    		"AwsSqsQueue": {
    			"DeadLetterTargetArn": "string",
    			"KmsDataKeyReusePeriodSeconds": number,
    			"KmsMasterKeyId": "string",
    			"QueueName": "string"
    		},
    		"AwsSsmPatchCompliance": {
    			"Patch": {
    				"ComplianceSummary": {
    					"ComplianceType": "string",
    					"CompliantCriticalCount": integer,
    					"CompliantHighCount": integer,
    					"CompliantInformationalCount": integer,
    					"CompliantLowCount": integer,
    					"CompliantMediumCount": integer,
    					"CompliantUnspecifiedCount": integer,
    					"ExecutionType": "string",
    					"NonCompliantCriticalCount": integer,
    					"NonCompliantHighCount": integer,
    					"NonCompliantInformationalCount": integer,
    					"NonCompliantLowCount": integer,
    					"NonCompliantMediumCount": integer,
    					"NonCompliantUnspecifiedCount": integer,
    					"OverallSeverity": "string",
    					"PatchBaselineId": "string",
    					"PatchGroup": "string",
    					"Status": "string"
    				}
    			}
    		},
    		"AwsStepFunctionStateMachine": {
    			"StateMachineArn": "string",
    			"Name": "string",
    			"Status": "string",
    			"RoleArn": "string",
    			"Type": "string",
    			"LoggingConfiguration": {
    				"Level": "string",
    				"IncludeExecutionData": boolean
    			},
    			"TracingConfiguration": {
    				"Enabled": boolean
    			}
    		},
    		"AwsWafRateBasedRule": {
    			"MatchPredicates": [{
    				"DataId": "string",
    				"Negated": boolean,
    				"Type": "string"
    			}],
    			"MetricName": "string",
    			"Name": "string",
    			"RateKey": "string",
    			"RateLimit": number,
    			"RuleId": "string"
    		},
    		"AwsWafRegionalRateBasedRule": {
    			"MatchPredicates": [{
    				"DataId": "string",
    				"Negated": boolean,
    				"Type": "string"
    			}],
    			"MetricName": "string",
    			"Name": "string",
    			"RateKey": "string",
    			"RateLimit": number,
    			"RuleId": "string"
    		},
    		"AwsWafRegionalRule": {
    			"MetricName": "string",
    			"Name": "string",
    			"RuleId": "string",
    			"PredicateList": [{
    				"DataId": "string",
    				"Negated": boolean,
    				"Type": "string"
    			}]
    		},
    		"AwsWafRegionalRuleGroup": {
    			"MetricName": "string",
    			"Name": "string",
    			"RuleGroupId": "string",
    			"Rules": [{
    				"Action": {
    					"Type": "string"
    				},
    				"Priority": number,
    				"RuleId": "string",
    				"Type": "string"
    			}]
    		},
    		"AwsWafRegionalWebAcl": {
    			"DefaultAction": "string",
    			"MetricName": "string",
    			"Name": "string",
    			"RulesList": [{
    				"Action": {
    					"Type": "string"
    				},
    				"Priority": number,
    				"RuleId": "string",
    				"Type": "string",
    				"ExcludedRules": [{
    					"ExclusionType": "string",
    					"RuleId": "string"
    				}],
    				"OverrideAction": {
    					"Type": "string"
    				}
    			}],
    			"WebAclId": "string"
    		},
    		"AwsWafRule": {
    			"MetricName": "string",
    			"Name": "string",
    			"PredicateList": [{
    				"DataId": "string",
    				"Negated": boolean,
    				"Type": "string"
    			}],
    			"RuleId": "string"
    		},
    		"AwsWafRuleGroup": {
    			"MetricName": "string",
    			"Name": "string",
    			"RuleGroupId": "string",
    			"Rules": [{
    				"Action": {
    					"Type": "string"
    				},
    				"Priority": number,
    				"RuleId": "string",
    				"Type": "string"
    			}]
    		},
    		"AwsWafv2RuleGroup": {
    			"Arn": "string",
    			"Capacity": number,
    			"Description": "string",
    			"Id": "string",
    			"Name": "string",
    			"Rules": [{
    				"Action": {
    					"Allow": {
    						"CustomRequestHandling": {
    							"InsertHeaders": [
    								{
    									"Name": "string",
    									"Value": "string"
    								},
    								{
    									"Name": "string",
    									"Value": "string"
    								}
    							]
    						}
    					}
    				},
    				"Name": "string",
    				"Priority": number,
    				"VisibilityConfig": {
    					"CloudWatchMetricsEnabled": boolean,
    					"MetricName": "string",
    					"SampledRequestsEnabled": boolean
    				}
    			}],
    			"VisibilityConfig": {
    				"CloudWatchMetricsEnabled": boolean,
    				"MetricName": "string",
    				"SampledRequestsEnabled": boolean
    			}
    		},
    		"AwsWafWebAcl": {
    			"DefaultAction": "string",
    			"Name": "string",
    			"Rules": [{
    				"Action": {
    					"Type": "string"
    				},
    				"ExcludedRules": [{
    					"RuleId": "string"
    				}],
    				"OverrideAction": {
    					"Type": "string"
    				},
    				"Priority": number,
    				"RuleId": "string",
    				"Type": "string"
    			}],
    			"WebAclId": "string"
    		},
    		"AwsWafv2WebAcl": {
    			"Arn": "string",
    			"Capacity": number,
    			"CaptchaConfig": {
    				"ImmunityTimeProperty": {
    					"ImmunityTime": number
    				}
    			},
    			"DefaultAction": {
    				"Block": {}
    			},
    			"Description": "string",
    			"ManagedbyFirewallManager": boolean,
    			"Name": "string",
    			"Rules": [{
    				"Action": {
    					"RuleAction": {
    						"Block": {}
    					}
    				},
    				"Name": "string",
    				"Priority": number,
    				"VisibilityConfig": {
    					"SampledRequestsEnabled": boolean,
    					"CloudWatchMetricsEnabled": boolean,
    					"MetricName": "string"
    				}
    			}],
    			"VisibilityConfig": {
    				"SampledRequestsEnabled": boolean,
    				"CloudWatchMetricsEnabled": boolean,
    				"MetricName": "string"
    			}
    		},
    		"AwsXrayEncryptionConfig": {
    			"KeyId": "string",
    			"Status": "string",
    			"Type": "string"
    		},
    		"CodeRepository": {
    			"CodeSecurityIntegrationArn": "string",
    			"ProjectName": "string",
    			"ProviderType": "string"
    		},
    		"Container": {
    			"ContainerRuntime": "string",
    			"ImageId": "string",
    			"ImageName": "string",
    			"LaunchedAt": "string",
    			"Name": "string",
    			"Privileged": boolean,
    			"VolumeMounts": [{
    				"Name": "string",
    				"MountPath": "string"
    			}]
    		}, 
    		"Other": {
    			"string": "string"
    		},
    		"Id": "string",
    		"Partition": "string",
    		"Region": "string",
    		"ResourceRole": "string",
    		"Tags": {
    			"string": "string"
    		},
    		"Type": "string"
    	}],
    	"SchemaVersion": "string",
    	"Severity": {
    		"Label": "string",
    		"Normalized": number,
    		"Original": "string"
    	},
    	"Sample": boolean,
    	"SourceUrl": "string",
    	"Threats": [{
    		"FilePaths": [{
    			"FileName": "string",
    			"FilePath": "string",
    			"Hash": "string",
    			"ResourceId": "string"
    		}],
    		"ItemCount": number,
    		"Name": "string",
    		"Severity": "string"
    	}],
    	"ThreatIntelIndicators": [{
    		"Category": "string",
    		"LastObservedAt": "string",
    		"Source": "string",
    		"SourceUrl": "string",
    		"Type": "string",
    		"Value": "string"
    	}],
    	"Title": "string",
    	"Types": ["string"],
    	"UpdatedAt": "string",
    	"UserDefinedFields": {
    		"string": "string"
    	},
    	"VerificationState": "string",
    	"Vulnerabilities": [{
    		"CodeVulnerabilities": [{
    			"Cwes": [
    				"string",
    				"string"
    			],
    			"FilePath": {
    				"EndLine": integer,
    				"FileName": "string",
    				"FilePath": "string",
    				"StartLine": integer
    			},
    			"SourceArn":"string"
    		}],
    		"Cvss": [{
    			"Adjustments": [{
    				"Metric": "string",
    				"Reason": "string"
    			}],
    			"BaseScore": number,
    			"BaseVector": "string",
    			"Source": "string",
    			"Version": "string"
    		}],
    		"EpssScore": number,
    		"ExploitAvailable": "string",
    		"FixAvailable": "string",
    		"Id": "string",
    		"LastKnownExploitAt": "string",
    		"ReferenceUrls": ["string"],
    		"RelatedVulnerabilities": ["string"],
    		"Vendor": {
    			"Name": "string",
    			"Url": "string",
    			"VendorCreatedAt": "string",
    			"VendorSeverity": "string",
    			"VendorUpdatedAt": "string"
    		},
    		"VulnerablePackages": [{
    			"Architecture": "string",
    			"Epoch": "string",
    			"FilePath": "string",
    			"FixedInVersion": "string",
    			"Name": "string",
    			"PackageManager": "string",
    			"Release": "string",
    			"Remediation": "string",
    			"SourceLayerArn": "string",
    			"SourceLayerHash": "string",
    			"Version": "string"
    		}]
    	}],
    	"Workflow": {
    		"Status": "string"
    	},
    	"WorkflowState": "string"
    }
]
```

# Impact of consolidation on ASFF fields and values

Amazon Security Hub CSPM offers two types of consolidation for controls:
+ **Consolidated controls view** – With this type of consolidation, each control has a single identifier across all standards. In addition, on the Security Hub CSPM console, the **Controls** page displays all controls across all standards. 
+ **Consolidated control findings** – With this type of consolidation, Security Hub CSPM produces a single finding for a control, even if the control applies to multiple enabled standards. This can reduce finding noise. 

You can't enable or disable consolidated controls view. Consolidated control findings is enabled by default if you enable Security Hub CSPM on or after February 23, 2023. Otherwise, it's disabled by default. However, for organizations, consolidated control findings is enabled for Security Hub CSPM member accounts only if it's enabled for the administrator account. To learn more about consolidated control findings, see [Generating and updating control findings](controls-findings-create-update.md).

Both types of consolidation affect fields and values for control findings in the [Amazon Security Finding Format (ASFF)](securityhub-findings-format.md).

**Topics**
+ [Consolidated controls view – ASFF changes](#securityhub-findings-format-consolidated-controls-view)
+ [Consolidated control findings – ASFF changes](#securityhub-findings-format-consolidated-control-findings)
+ [Generator IDs before and after enabling consolidated control findings](#securityhub-findings-format-changes-generator-ids)
+ [How consolidation impacts control IDs and titles](#securityhub-findings-format-changes-ids-titles)
+ [Updating workflows for consolidation](#securityhub-findings-format-changes-prepare)

## Consolidated controls view – ASFF changes


The consolidated controls view feature introduced the following changes to fields and values for control findings in the ASFF. If your workflows don’t rely on values for these ASFF fields, no action is required. If you have workflows that rely on specific values for these fields, update your workflows to use the current values.


| ASFF field  | Sample value before consolidated controls view  | Sample value after consolidated controls view, and a description of the change  | 
| --- | --- | --- | 
|  Compliance.SecurityControlId  |  Not applicable (new field)  |  EC2.2 Introduces a single control ID across standards. `ProductFields.RuleId` still provides the standard-based control ID for CIS v1.2.0 controls. `ProductFields.ControlId` still provides the standard-based control ID for controls in other standards.  | 
|  Compliance.AssociatedStandards  |  Not applicable (new field)  |  `[{"StandardsId": "standards/aws-foundational-security-best-practices/v/1.0.0"}]` Shows which standards a control is enabled in.  | 
|  ProductFields.ArchivalReasons:0/Description  |  Not applicable (new field)  |  "The finding is in an ARCHIVED state because consolidated control findings has been turned on or off. This causes findings in the previous state to be archived when new findings are being generated." Describes why Security Hub CSPM has archived existing findings.  | 
|  ProductFields.ArchivalReasons:0/ReasonCode  |  Not applicable (new field)  |  "CONSOLIDATED_CONTROL_FINDINGS_UPDATE" Provides the reason why Security Hub CSPM has archived existing findings.  | 
|  ProductFields.RecommendationUrl  |  https://docs.aws.amazon.com/console/securityhub/PCI.EC2.2/remediation  |  https://docs.aws.amazon.com/console/securityhub/EC2.2/remediation This field no longer references a standard.  | 
|  Remediation.Recommendation.Text  |  "For directions on how to fix this issue, consult the Amazon Security Hub CSPM PCI DSS documentation."  |  "For directions on how to correct this issue, consult the Amazon Security Hub CSPM controls documentation." This field no longer references a standard.  | 
|  Remediation.Recommendation.Url  |  https://docs.aws.amazon.com/console/securityhub/PCI.EC2.2/remediation  |  https://docs.aws.amazon.com/console/securityhub/EC2.2/remediation This field no longer references a standard.  | 

## Consolidated control findings – ASFF changes


If you enable consolidated control findings, you might be affected by the following changes to fields and values for control findings in the ASFF. These changes are in addition to the changes introduced by the consolidated controls view feature. If your workflows don’t rely on values for these ASFF fields, no action is required. If you have workflows that rely on specific values for these fields, update your workflows to use the current values.

**Tip**  
If you use the [Automated Security Response on Amazon v2.0.0](https://www.amazonaws.cn/solutions/implementations/aws-security-hub-automated-response-and-remediation/) solution, note that it supports consolidated control findings. This means that you can maintain your current workflows if you enable consolidated control findings. 


| ASFF field  | Example value before enabling consolidated control findings  | Example value after enabling consolidated control findings, and a description of the change  | 
| --- | --- | --- | 
| GeneratorId |  aws-foundational-security-best-practices/v/1.0.0/Config.1  |  security-control/Config.1 This field no longer references a standard.  | 
|  Title  |  PCI.Config.1 Amazon Config should be enabled  |  Amazon Config should be enabled This field no longer references standard-specific information.  | 
|  Id  |  arn:aws-cn:securityhub:eu-central-1:123456789012:subscription/pci-dss/v/3.2.1/PCI.IAM.5/finding/ab6d6a26-a156-48f0-9403-115983e5a956  |  arn:aws-cn:securityhub:eu-central-1:123456789012:security-control/iam.9/finding/ab6d6a26-a156-48f0-9403-115983e5a956 This field no longer references a standard.  | 
|  ProductFields.ControlId  |  PCI.EC2.2  |  Removed. See `Compliance.SecurityControlId` instead. This field is removed in favor of a single, standard-agnostic control ID.  | 
|  ProductFields.RuleId  |  1.3  |  Removed. See `Compliance.SecurityControlId` instead. This field is removed in favor of a single, standard-agnostic control ID.  | 
|  Description  |  This PCI DSS control checks whether Amazon Config is enabled in the current account and region.  |  This Amazon control checks whether Amazon Config is enabled in the current account and region. This field no longer references a standard.  | 
|  Severity  |  `"Severity": { "Product": 90, "Label": "CRITICAL", "Normalized": 90, "Original": "CRITICAL" }`  |  `"Severity": { "Label": "CRITICAL", "Normalized": 90, "Original": "CRITICAL" }` Security Hub CSPM no longer uses the Product field to describe the severity of a finding.  | 
|  Types  |  ["Software and Configuration Checks/Industry and Regulatory Standards/PCI-DSS"]  |  ["Software and Configuration Checks/Industry and Regulatory Standards"] This field no longer references a standard.  | 
|  Compliance.RelatedRequirements  |  ["PCI DSS 10.5.2", "PCI DSS 11.5", "CIS Amazon Foundations 2.5"]  |  ["PCI DSS v3.2.1/10.5.2", "PCI DSS v3.2.1/11.5", "CIS Amazon Foundations Benchmark v1.2.0/2.5"] This field shows related requirements in all enabled standards.  | 
|  CreatedAt  |  2022-05-05T08:18:13.138Z  |  2022-09-25T08:18:13.138Z Format remains the same, but value resets when you enable consolidated control findings.  | 
|  FirstObservedAt  |  2022-05-07T08:18:13.138Z  | 2022-09-28T08:18:13.138Z Format remains the same, but value resets when you enable consolidated control findings.  | 
|  ProductFields.RecommendationUrl  |  https://docs.aws.amazon.com/console/securityhub/EC2.2/remediation  |  Removed. See `Remediation.Recommendation.Url` instead. | 
|  ProductFields.StandardsArn  |  arn:aws-cn:securityhub:::standards/aws-foundational-security-best-practices/v/1.0.0  |  Removed. See `Compliance.AssociatedStandards` instead.  | 
|  ProductFields.StandardsControlArn  |  arn:aws-cn:securityhub:us-east-1:123456789012:control/aws-foundational-security-best-practices/v/1.0.0/Config.1  |  Removed. Security Hub CSPM generates one finding for a security check across standards.  | 
|  ProductFields.StandardsGuideArn  |  arn:aws-cn:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0  |  Removed. See `Compliance.AssociatedStandards` instead.  | 
|  ProductFields.StandardsGuideSubscriptionArn  |  arn:aws-cn:securityhub:us-east-2:123456789012:subscription/cis-aws-foundations-benchmark/v/1.2.0  |  Removed. Security Hub CSPM generates one finding for a security check across standards.  | 
|  ProductFields.StandardsSubscriptionArn  |  arn:aws-cn:securityhub:us-east-1:123456789012:subscription/aws-foundational-security-best-practices/v/1.0.0  |  Removed. Security Hub CSPM generates one finding for a security check across standards.  | 
|  ProductFields.aws/securityhub/FindingId  |  arn:aws-cn:securityhub:us-east-1::product/aws/securityhub/arn:aws-cn:securityhub:us-east-1:123456789012:subscription/aws-foundational-security-best-practices/v/1.0.0/Config.1/finding/751c2173-7372-4e12-8656-a5210dfb1d67  |  arn:aws-cn:securityhub:us-east-1::product/aws/securityhub/arn:aws-cn:securityhub:us-east-1:123456789012:security-control/Config.1/finding/751c2173-7372-4e12-8656-a5210dfb1d67  This field no longer references a standard.  | 

### Values for customer-provided ASFF fields after turning on consolidated control findings


If you enable consolidated control findings, Security Hub CSPM generates one finding across standards and archives the original findings (separate findings for each standard).

Updates that you made to the original findings by using the Security Hub CSPM console or the [BatchUpdateFindings](https://docs.aws.amazon.com/securityhub/latest/userguide/finding-update-batchupdatefindings.html) operation won't be preserved in the new findings. If necessary, you can recover this data by referring to the archived findings. To review archived findings, you can use the **Findings** page on the Security Hub CSPM console and set the **Record state** filter to **ARCHIVED**. Alternatively, you can use the [GetFindings](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_GetFindings.html) operation of the Security Hub CSPM API.


| Customer-provided ASFF field  | Description of change after enabling consolidated control findings  | 
| --- | --- | 
|  Confidence  |  Resets to empty state.  | 
|  Criticality  |  Resets to empty state.  | 
|  Note  |  Resets to empty state.  | 
|  RelatedFindings  |  Resets to empty state.  | 
|  Severity  |  Default severity of the finding (matches the severity of the control).  | 
|  Types  |  Resets to standard-agnostic value.  | 
|  UserDefinedFields  |  Resets to empty state.  | 
|  VerificationState  |  Resets to empty state.  | 
|  Workflow  |  New failed findings have a default value of NEW. New passed findings have a default value of RESOLVED.  | 
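The following is an added example, not code from the Security Hub CSPM documentation, that ties the field changes in the tables above together in one workflow-migration helper. It derives a standard-agnostic control ID from a control finding in either format (`Compliance.SecurityControlId` when present, otherwise `ProductFields.ControlId` or the `GeneratorId` shapes listed in the generator ID table), recognizes findings archived with the `CONSOLIDATED_CONTROL_FINDINGS_UPDATE` reason code, and builds `BatchUpdateFindings` request entries that copy the customer-provided fields the table says are reset (Note, UserDefinedFields, Criticality, Confidence, and a SUPPRESSED workflow status) onto the matching consolidated finding. The sample findings, the partial CIS rule mapping (a subset of the generator ID table), the account/region/resource match key, and the assumption that only PCI control IDs carry a standard prefix are constructed for this example.

```python
"""Carry customer-provided ASFF fields over to consolidated control findings.
Added example (not Security Hub CSPM code); runs offline on constructed sample findings."""
import re
from typing import Optional

ARCHIVAL_REASON = "CONSOLIDATED_CONTROL_FINDINGS_UPDATE"

# Subset of the generator ID table in this document (CIS rule -> security control).
# Constructed from the page; extend it from the full table before relying on it.
CIS_RULE_TO_CONTROL = {
    ("cis-aws-foundations-benchmark/v/1.2.0", "1.3"): "IAM.8",
    ("cis-aws-foundations-benchmark/v/1.2.0", "2.5"): "Config.1",
    ("cis-aws-foundations-benchmark/v/1.4.0", "2.1.2"): "S3.5",
}

# GeneratorId shapes shown on this page: consolidated, CIS v1.2.0 ruleset ARN, CIS v1.4.0, standard/v/x/Control.
_SECURITY_CONTROL = re.compile(r"^security-control/(?P<control>[A-Za-z0-9]+\.\d+)$")
_CIS_12_RULESET = re.compile(r"ruleset/(?P<std>cis-aws-foundations-benchmark/v/1\.2\.0)/rule/(?P<rule>[\d.]+)$")
_CIS_14 = re.compile(r"^(?P<std>cis-aws-foundations-benchmark/v/1\.4\.0)/(?P<rule>[\d.]+)$")
_STANDARD_CONTROL = re.compile(r"^[a-z-]+/v/[\d.]+/(?P<control>[A-Za-z0-9.]+)$")

def strip_standard_prefix(control_id: str) -> str:
    """PCI.EC2.2 -> EC2.2 (assumption: PCI is the only standard that prefixes control IDs)."""
    return control_id[4:] if control_id.startswith("PCI.") else control_id

def security_control_id(finding: dict) -> Optional[str]:
    """Standard-agnostic control ID for a control finding in either the old or the new format."""
    compliance = finding.get("Compliance") or {}
    if compliance.get("SecurityControlId"):  # field introduced by consolidated controls view
        return compliance["SecurityControlId"]
    control_id = (finding.get("ProductFields") or {}).get("ControlId")
    if control_id:  # pre-consolidation findings from non-CIS standards
        return strip_standard_prefix(control_id)
    generator = finding.get("GeneratorId", "")
    m = _SECURITY_CONTROL.match(generator)
    if m:
        return m.group("control")
    m = _CIS_12_RULESET.search(generator) or _CIS_14.match(generator)
    if m:  # CIS rule numbers only map to controls through the lookup table
        return CIS_RULE_TO_CONTROL.get((m.group("std"), m.group("rule")))
    m = _STANDARD_CONTROL.match(generator)
    return strip_standard_prefix(m.group("control")) if m else None

def finding_key(finding: dict) -> tuple:
    """Identifies the same check on the same resource across both finding formats."""
    resources = finding.get("Resources") or [{}]
    return (finding.get("AwsAccountId"), finding.get("Region"),
            resources[0].get("Id"), security_control_id(finding))

def is_consolidation_archive(finding: dict) -> bool:
    """True when Security Hub archived the finding because consolidated control findings was toggled."""
    reason = (finding.get("ProductFields") or {}).get("ArchivalReasons:0/ReasonCode")
    return finding.get("RecordState") == "ARCHIVED" and reason == ARCHIVAL_REASON

def carry_over_updates(archived: list, current: list) -> list:
    """Build BatchUpdateFindings entries that copy analyst-set fields from archived per-standard
    findings onto the consolidated finding for the same check. Only a SUPPRESSED workflow status is
    carried over; NEW/RESOLVED are recomputed by Security Hub from the check result."""
    by_key = {}
    for f in current:
        by_key.setdefault(finding_key(f), f)
    updates = []
    for old in archived:
        if not is_consolidation_archive(old):
            continue
        new = by_key.get(finding_key(old))
        if new is None:
            continue
        entry = {"FindingIdentifiers": [{"Id": new["Id"], "ProductArn": new["ProductArn"]}]}
        for field in ("Criticality", "Confidence", "UserDefinedFields"):
            if field in old:
                entry[field] = old[field]
        if "Note" in old:
            entry["Note"] = {"Text": old["Note"]["Text"], "UpdatedBy": old["Note"]["UpdatedBy"]}
        if (old.get("Workflow") or {}).get("Status") == "SUPPRESSED":
            entry["Workflow"] = {"Status": "SUPPRESSED"}
        updates.append(entry)
    return updates

# Constructed sample findings; IDs follow the shapes shown in the tables above.
ARCHIVED_SAMPLE = [{
    "Id": "arn:aws-cn:securityhub:us-east-1:123456789012:subscription/aws-foundational-security-best-practices/v/1.0.0/Config.1/finding/751c2173-7372-4e12-8656-a5210dfb1d67",
    "ProductArn": "arn:aws-cn:securityhub:us-east-1::product/aws/securityhub",
    "GeneratorId": "aws-foundational-security-best-practices/v/1.0.0/Config.1",
    "AwsAccountId": "123456789012", "Region": "us-east-1", "RecordState": "ARCHIVED",
    "ProductFields": {"ControlId": "Config.1", "ArchivalReasons:0/ReasonCode": ARCHIVAL_REASON},
    "Resources": [{"Type": "AwsAccount", "Id": "AWS::::Account:123456789012"}],
    "UserDefinedFields": {"owner": "cloud-platform"},
    "Note": {"Text": "Config enablement tracked in ticket SEC-1234", "UpdatedBy": "analyst"},
    "Workflow": {"Status": "SUPPRESSED"},
}]
CURRENT_SAMPLE = [{
    "Id": "arn:aws-cn:securityhub:us-east-1:123456789012:security-control/Config.1/finding/0d1e5c3a-0000-4000-8000-000000000001",
    "ProductArn": "arn:aws-cn:securityhub:us-east-1::product/aws/securityhub",
    "GeneratorId": "security-control/Config.1",
    "AwsAccountId": "123456789012", "Region": "us-east-1", "RecordState": "ACTIVE",
    "Compliance": {"SecurityControlId": "Config.1", "Status": "FAILED"},
    "Resources": [{"Type": "AwsAccount", "Id": "AWS::::Account:123456789012"}],
    "Workflow": {"Status": "NEW"},
}]
```

In practice the archived list comes from `GetFindings` with a `RecordState` filter of ARCHIVED and the current list from the same call with ACTIVE; each returned entry is then passed as keyword arguments to `batch_update_findings`. The match key deliberately uses the control ID rather than the finding `Id`, because the table above shows that `Id`, `GeneratorId`, `CreatedAt`, and `FirstObservedAt` all change when consolidated control findings is enabled.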

## Generator IDs before and after enabling consolidated control findings


The following table lists changes to generator ID values for controls when you enable consolidated control findings. These changes apply to controls that Security Hub CSPM supported as of February 15, 2023.


| GeneratorID before enabling consolidated control findings | GeneratorID after enabling consolidated control findings | 
| --- | --- | 
|  arn:aws-cn:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/1.1  |  security-control/CloudWatch.1  | 
|  arn:aws-cn:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/1.10  |  security-control/IAM.16  | 
|  arn:aws-cn:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/1.11  |  security-control/IAM.17  | 
|  arn:aws-cn:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/1.12  |  security-control/IAM.4  | 
|  arn:aws-cn:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/1.13  |  security-control/IAM.9  | 
|  arn:aws-cn:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/1.14  |  security-control/IAM.6  | 
|  arn:aws-cn:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/1.16  |  security-control/IAM.2  | 
|  arn:aws-cn:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/1.2  |  security-control/IAM.5  | 
|  arn:aws-cn:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/1.20  |  security-control/IAM.18  | 
|  arn:aws-cn:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/1.22  |  security-control/IAM.1  | 
|  arn:aws-cn:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/1.3  |  security-control/IAM.8  | 
|  arn:aws-cn:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/1.4  |  security-control/IAM.3  | 
|  arn:aws-cn:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/1.5  |  security-control/IAM.11  | 
|  arn:aws-cn:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/1.6  |  security-control/IAM.12  | 
|  arn:aws-cn:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/1.7  |  security-control/IAM.13  | 
|  arn:aws-cn:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/1.8  |  security-control/IAM.14  | 
|  arn:aws-cn:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/1.9  |  security-control/IAM.15  | 
|  arn:aws-cn:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/2.1  |  security-control/CloudTrail.1  | 
|  arn:aws-cn:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/2.2  |  security-control/CloudTrail.4  | 
|  arn:aws-cn:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/2.3  |  security-control/CloudTrail.6  | 
|  arn:aws-cn:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/2.4  |  security-control/CloudTrail.5  | 
|  arn:aws-cn:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/2.5  |  security-control/Config.1  | 
|  arn:aws-cn:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/2.6  |  security-control/CloudTrail.7  | 
|  arn:aws-cn:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/2.7  |  security-control/CloudTrail.2  | 
|  arn:aws-cn:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/2.8  |  security-control/KMS.4  | 
|  arn:aws-cn:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/2.9  |  security-control/EC2.6  | 
|  arn:aws-cn:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/3.1  |  security-control/CloudWatch.2  | 
|  arn:aws-cn:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/3.2  |  security-control/CloudWatch.3  | 
|  arn:aws-cn:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/3.3  |  security-control/CloudWatch.1  | 
|  arn:aws-cn:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/3.4  |  security-control/CloudWatch.4  | 
|  arn:aws-cn:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/3.5  |  security-control/CloudWatch.5  | 
|  arn:aws-cn:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/3.6  |  security-control/CloudWatch.6  | 
|  arn:aws-cn:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/3.7  |  security-control/CloudWatch.7  | 
|  arn:aws-cn:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/3.8  |  security-control/CloudWatch.8  | 
|  arn:aws-cn:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/3.9  |  security-control/CloudWatch.9  | 
|  arn:aws-cn:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/3.10  |  security-control/CloudWatch.10  | 
|  arn:aws-cn:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/3.11  |  security-control/CloudWatch.11  | 
|  arn:aws-cn:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/3.12  |  security-control/CloudWatch.12  | 
|  arn:aws-cn:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/3.13  |  security-control/CloudWatch.13  | 
|  arn:aws-cn:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/3.14  |  security-control/CloudWatch.14  | 
|  arn:aws-cn:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/4.1  |  security-control/EC2.13  | 
|  arn:aws-cn:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/4.2  |  security-control/EC2.14  | 
|  arn:aws-cn:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/4.3  |  security-control/EC2.2  | 
|  cis-aws-foundations-benchmark/v/1.4.0/1.10  |  security-control/IAM.5  | 
|  cis-aws-foundations-benchmark/v/1.4.0/1.14  |  security-control/IAM.3  | 
|  cis-aws-foundations-benchmark/v/1.4.0/1.16  |  security-control/IAM.1  | 
|  cis-aws-foundations-benchmark/v/1.4.0/1.17  |  security-control/IAM.18  | 
|  cis-aws-foundations-benchmark/v/1.4.0/1.4  |  security-control/IAM.4  | 
|  cis-aws-foundations-benchmark/v/1.4.0/1.5  |  security-control/IAM.9  | 
|  cis-aws-foundations-benchmark/v/1.4.0/1.6  |  security-control/IAM.6  | 
|  cis-aws-foundations-benchmark/v/1.4.0/1.7  |  security-control/CloudWatch.1  | 
|  cis-aws-foundations-benchmark/v/1.4.0/1.8  |  security-control/IAM.15  | 
|  cis-aws-foundations-benchmark/v/1.4.0/1.9  |  security-control/IAM.16  | 
|  cis-aws-foundations-benchmark/v/1.4.0/2.1.2  |  security-control/S3.5  | 
|  cis-aws-foundations-benchmark/v/1.4.0/2.1.5.1  |  security-control/S3.1  | 
|  cis-aws-foundations-benchmark/v/1.4.0/2.1.5.2  |  security-control/S3.8  | 
|  cis-aws-foundations-benchmark/v/1.4.0/2.2.1  |  security-control/EC2.7  | 
|  cis-aws-foundations-benchmark/v/1.4.0/2.3.1  |  security-control/RDS.3  | 
|  cis-aws-foundations-benchmark/v/1.4.0/3.1  |  security-control/CloudTrail.1  | 
|  cis-aws-foundations-benchmark/v/1.4.0/3.2  |  security-control/CloudTrail.4  | 
|  cis-aws-foundations-benchmark/v/1.4.0/3.4  |  security-control/CloudTrail.5  | 
|  cis-aws-foundations-benchmark/v/1.4.0/3.5  |  security-control/Config.1  | 
|  cis-aws-foundations-benchmark/v/1.4.0/3.6  |  security-control/S3.9  | 
|  cis-aws-foundations-benchmark/v/1.4.0/3.7  |  security-control/CloudTrail.2  | 
|  cis-aws-foundations-benchmark/v/1.4.0/3.8  |  security-control/KMS.4  | 
|  cis-aws-foundations-benchmark/v/1.4.0/3.9  |  security-control/EC2.6  | 
|  cis-aws-foundations-benchmark/v/1.4.0/4.3  |  security-control/CloudWatch.1  | 
|  cis-aws-foundations-benchmark/v/1.4.0/4.4  |  security-control/CloudWatch.4  | 
|  cis-aws-foundations-benchmark/v/1.4.0/4.5  |  security-control/CloudWatch.5  | 
|  cis-aws-foundations-benchmark/v/1.4.0/4.6  |  security-control/CloudWatch.6  | 
|  cis-aws-foundations-benchmark/v/1.4.0/4.7  |  security-control/CloudWatch.7  | 
|  cis-aws-foundations-benchmark/v/1.4.0/4.8  |  security-control/CloudWatch.8  | 
|  cis-aws-foundations-benchmark/v/1.4.0/4.9  |  security-control/CloudWatch.9  | 
|  cis-aws-foundations-benchmark/v/1.4.0/4.10  |  security-control/CloudWatch.10  | 
|  cis-aws-foundations-benchmark/v/1.4.0/4.11  |  security-control/CloudWatch.11  | 
|  cis-aws-foundations-benchmark/v/1.4.0/4.12  |  security-control/CloudWatch.12  | 
|  cis-aws-foundations-benchmark/v/1.4.0/4.13  |  security-control/CloudWatch.13  | 
|  cis-aws-foundations-benchmark/v/1.4.0/4.14  |  security-control/CloudWatch.14  | 
|  cis-aws-foundations-benchmark/v/1.4.0/5.1  |  security-control/EC2.21  | 
|  cis-aws-foundations-benchmark/v/1.4.0/5.3  |  security-control/EC2.2  | 
|  aws-foundational-security-best-practices/v/1.0.0/Account.1  |  security-control/Account.1  | 
|  aws-foundational-security-best-practices/v/1.0.0/ACM.1  |  security-control/ACM.1  | 
|  aws-foundational-security-best-practices/v/1.0.0/APIGateway.1  |  security-control/APIGateway.1  | 
|  aws-foundational-security-best-practices/v/1.0.0/APIGateway.2  |  security-control/APIGateway.2  | 
|  aws-foundational-security-best-practices/v/1.0.0/APIGateway.3  |  security-control/APIGateway.3  | 
|  aws-foundational-security-best-practices/v/1.0.0/APIGateway.4  |  security-control/APIGateway.4  | 
|  aws-foundational-security-best-practices/v/1.0.0/APIGateway.5  |  security-control/APIGateway.5  | 
|  aws-foundational-security-best-practices/v/1.0.0/APIGateway.8  |  security-control/APIGateway.8  | 
|  aws-foundational-security-best-practices/v/1.0.0/APIGateway.9  |  security-control/APIGateway.9  | 
|  aws-foundational-security-best-practices/v/1.0.0/AutoScaling.1  |  security-control/AutoScaling.1  | 
|  aws-foundational-security-best-practices/v/1.0.0/AutoScaling.2  |  security-control/AutoScaling.2  | 
|  aws-foundational-security-best-practices/v/1.0.0/AutoScaling.3  |  security-control/AutoScaling.3  | 
|  aws-foundational-security-best-practices/v/1.0.0/Autoscaling.5  |  security-control/Autoscaling.5  | 
|  aws-foundational-security-best-practices/v/1.0.0/AutoScaling.6  |  security-control/AutoScaling.6  | 
|  aws-foundational-security-best-practices/v/1.0.0/AutoScaling.9  |  security-control/AutoScaling.9  | 
|  aws-foundational-security-best-practices/v/1.0.0/CloudFront.1  |  security-control/CloudFront.1  | 
|  aws-foundational-security-best-practices/v/1.0.0/CloudFront.3  |  security-control/CloudFront.3  | 
|  aws-foundational-security-best-practices/v/1.0.0/CloudFront.4  |  security-control/CloudFront.4  | 
|  aws-foundational-security-best-practices/v/1.0.0/CloudFront.5  |  security-control/CloudFront.5  | 
|  aws-foundational-security-best-practices/v/1.0.0/CloudFront.6  |  security-control/CloudFront.6  | 
|  aws-foundational-security-best-practices/v/1.0.0/CloudFront.7  |  security-control/CloudFront.7  | 
|  aws-foundational-security-best-practices/v/1.0.0/CloudFront.8  |  security-control/CloudFront.8  | 
|  aws-foundational-security-best-practices/v/1.0.0/CloudFront.9  |  security-control/CloudFront.9  | 
|  aws-foundational-security-best-practices/v/1.0.0/CloudFront.10  |  security-control/CloudFront.10  | 
|  aws-foundational-security-best-practices/v/1.0.0/CloudFront.12  |  security-control/CloudFront.12  | 
|  aws-foundational-security-best-practices/v/1.0.0/CloudTrail.1  |  security-control/CloudTrail.1  | 
|  aws-foundational-security-best-practices/v/1.0.0/CloudTrail.2  |  security-control/CloudTrail.2  | 
|  aws-foundational-security-best-practices/v/1.0.0/CloudTrail.4  |  security-control/CloudTrail.4  | 
|  aws-foundational-security-best-practices/v/1.0.0/CloudTrail.5  |  security-control/CloudTrail.5  | 
|  aws-foundational-security-best-practices/v/1.0.0/CodeBuild.1  |  security-control/CodeBuild.1  | 
|  aws-foundational-security-best-practices/v/1.0.0/CodeBuild.2  |  security-control/CodeBuild.2  | 
|  aws-foundational-security-best-practices/v/1.0.0/CodeBuild.3  |  security-control/CodeBuild.3  | 
|  aws-foundational-security-best-practices/v/1.0.0/CodeBuild.4  |  security-control/CodeBuild.4  | 
|  aws-foundational-security-best-practices/v/1.0.0/Config.1  |  security-control/Config.1  | 
|  aws-foundational-security-best-practices/v/1.0.0/DMS.1  |  security-control/DMS.1  | 
|  aws-foundational-security-best-practices/v/1.0.0/DynamoDB.1  |  security-control/DynamoDB.1  | 
|  aws-foundational-security-best-practices/v/1.0.0/DynamoDB.2  |  security-control/DynamoDB.2  | 
|  aws-foundational-security-best-practices/v/1.0.0/DynamoDB.3  |  security-control/DynamoDB.3  | 
|  aws-foundational-security-best-practices/v/1.0.0/EC2.1  |  security-control/EC2.1  | 
|  aws-foundational-security-best-practices/v/1.0.0/EC2.3  |  security-control/EC2.3  | 
|  aws-foundational-security-best-practices/v/1.0.0/EC2.4  |  security-control/EC2.4  | 
|  aws-foundational-security-best-practices/v/1.0.0/EC2.6  |  security-control/EC2.6  | 
|  aws-foundational-security-best-practices/v/1.0.0/EC2.7  |  security-control/EC2.7  | 
|  aws-foundational-security-best-practices/v/1.0.0/EC2.8  |  security-control/EC2.8  | 
|  aws-foundational-security-best-practices/v/1.0.0/EC2.9  |  security-control/EC2.9  | 
|  aws-foundational-security-best-practices/v/1.0.0/EC2.10  |  security-control/EC2.10  | 
|  aws-foundational-security-best-practices/v/1.0.0/EC2.15  |  security-control/EC2.15  | 
|  aws-foundational-security-best-practices/v/1.0.0/EC2.16  |  security-control/EC2.16  | 
|  aws-foundational-security-best-practices/v/1.0.0/EC2.17  |  security-control/EC2.17  | 
|  aws-foundational-security-best-practices/v/1.0.0/EC2.18  |  security-control/EC2.18  | 
|  aws-foundational-security-best-practices/v/1.0.0/EC2.19  |  security-control/EC2.19  | 
|  aws-foundational-security-best-practices/v/1.0.0/EC2.2  |  security-control/EC2.2  | 
|  aws-foundational-security-best-practices/v/1.0.0/EC2.20  |  security-control/EC2.20  | 
|  aws-foundational-security-best-practices/v/1.0.0/EC2.21  |  security-control/EC2.21  | 
|  aws-foundational-security-best-practices/v/1.0.0/EC2.23  |  security-control/EC2.23  | 
|  aws-foundational-security-best-practices/v/1.0.0/EC2.24  |  security-control/EC2.24  | 
|  aws-foundational-security-best-practices/v/1.0.0/EC2.25  |  security-control/EC2.25  | 
|  aws-foundational-security-best-practices/v/1.0.0/ECR.1  |  security-control/ECR.1  | 
|  aws-foundational-security-best-practices/v/1.0.0/ECR.2  |  security-control/ECR.2  | 
|  aws-foundational-security-best-practices/v/1.0.0/ECR.3  |  security-control/ECR.3  | 
|  aws-foundational-security-best-practices/v/1.0.0/ECS.1  |  security-control/ECS.1  | 
|  aws-foundational-security-best-practices/v/1.0.0/ECS.10  |  security-control/ECS.10  | 
|  aws-foundational-security-best-practices/v/1.0.0/ECS.12  |  security-control/ECS.12  | 
|  aws-foundational-security-best-practices/v/1.0.0/ECS.2  |  security-control/ECS.2  | 
|  aws-foundational-security-best-practices/v/1.0.0/ECS.3  |  security-control/ECS.3  | 
|  aws-foundational-security-best-practices/v/1.0.0/ECS.4  |  security-control/ECS.4  | 
|  aws-foundational-security-best-practices/v/1.0.0/ECS.5  |  security-control/ECS.5  | 
|  aws-foundational-security-best-practices/v/1.0.0/ECS.8  |  security-control/ECS.8  | 
|  aws-foundational-security-best-practices/v/1.0.0/EFS.1  |  security-control/EFS.1  | 
|  aws-foundational-security-best-practices/v/1.0.0/EFS.2  |  security-control/EFS.2  | 
|  aws-foundational-security-best-practices/v/1.0.0/EFS.3  |  security-control/EFS.3  | 
|  aws-foundational-security-best-practices/v/1.0.0/EFS.4  |  security-control/EFS.4  | 
|  aws-foundational-security-best-practices/v/1.0.0/EKS.2  |  security-control/EKS.2  | 
|  aws-foundational-security-best-practices/v/1.0.0/ElasticBeanstalk.1  |  security-control/ElasticBeanstalk.1  | 
|  aws-foundational-security-best-practices/v/1.0.0/ElasticBeanstalk.2  |  security-control/ElasticBeanstalk.2  | 
|  aws-foundational-security-best-practices/v/1.0.0/ELBv2.1  |  security-control/ELB.1  | 
|  aws-foundational-security-best-practices/v/1.0.0/ELB.2  |  security-control/ELB.2  | 
|  aws-foundational-security-best-practices/v/1.0.0/ELB.3  |  security-control/ELB.3  | 
|  aws-foundational-security-best-practices/v/1.0.0/ELB.4  |  security-control/ELB.4  | 
|  aws-foundational-security-best-practices/v/1.0.0/ELB.5  |  security-control/ELB.5  | 
|  aws-foundational-security-best-practices/v/1.0.0/ELB.6  |  security-control/ELB.6  | 
|  aws-foundational-security-best-practices/v/1.0.0/ELB.7  |  security-control/ELB.7  | 
|  aws-foundational-security-best-practices/v/1.0.0/ELB.8  |  security-control/ELB.8  | 
|  aws-foundational-security-best-practices/v/1.0.0/ELB.9  |  security-control/ELB.9  | 
|  aws-foundational-security-best-practices/v/1.0.0/ELB.10  |  security-control/ELB.10  | 
|  aws-foundational-security-best-practices/v/1.0.0/ELB.11  |  security-control/ELB.11  | 
|  aws-foundational-security-best-practices/v/1.0.0/ELB.12  |  security-control/ELB.12  | 
|  aws-foundational-security-best-practices/v/1.0.0/ELB.13  |  security-control/ELB.13  | 
|  aws-foundational-security-best-practices/v/1.0.0/ELB.14  |  security-control/ELB.14  | 
|  aws-foundational-security-best-practices/v/1.0.0/EMR.1  |  security-control/EMR.1  | 
|  aws-foundational-security-best-practices/v/1.0.0/ES.1  |  security-control/ES.1  | 
|  aws-foundational-security-best-practices/v/1.0.0/ES.2  |  security-control/ES.2  | 
|  aws-foundational-security-best-practices/v/1.0.0/ES.3  |  security-control/ES.3  | 
|  aws-foundational-security-best-practices/v/1.0.0/ES.4  |  security-control/ES.4  | 
|  aws-foundational-security-best-practices/v/1.0.0/ES.5  |  security-control/ES.5  | 
|  aws-foundational-security-best-practices/v/1.0.0/ES.6  |  security-control/ES.6  | 
|  aws-foundational-security-best-practices/v/1.0.0/ES.7  |  security-control/ES.7  | 
|  aws-foundational-security-best-practices/v/1.0.0/ES.8  |  security-control/ES.8  | 
|  aws-foundational-security-best-practices/v/1.0.0/GuardDuty.1  |  security-control/GuardDuty.1  | 
|  aws-foundational-security-best-practices/v/1.0.0/IAM.1  |  security-control/IAM.1  | 
|  aws-foundational-security-best-practices/v/1.0.0/IAM.2  |  security-control/IAM.2  | 
|  aws-foundational-security-best-practices/v/1.0.0/IAM.21  |  security-control/IAM.21  | 
|  aws-foundational-security-best-practices/v/1.0.0/IAM.3  |  security-control/IAM.3  | 
|  aws-foundational-security-best-practices/v/1.0.0/IAM.4  |  security-control/IAM.4  | 
|  aws-foundational-security-best-practices/v/1.0.0/IAM.5  |  security-control/IAM.5  | 
|  aws-foundational-security-best-practices/v/1.0.0/IAM.6  |  security-control/IAM.6  | 
|  aws-foundational-security-best-practices/v/1.0.0/IAM.7  |  security-control/IAM.7  | 
|  aws-foundational-security-best-practices/v/1.0.0/IAM.8  |  security-control/IAM.8  | 
|  aws-foundational-security-best-practices/v/1.0.0/Kinesis.1  |  security-control/Kinesis.1  | 
|  aws-foundational-security-best-practices/v/1.0.0/KMS.1  |  security-control/KMS.1  | 
|  aws-foundational-security-best-practices/v/1.0.0/KMS.2  |  security-control/KMS.2  | 
|  aws-foundational-security-best-practices/v/1.0.0/KMS.3  |  security-control/KMS.3  | 
|  aws-foundational-security-best-practices/v/1.0.0/Lambda.1  |  security-control/Lambda.1  | 
|  aws-foundational-security-best-practices/v/1.0.0/Lambda.2  |  security-control/Lambda.2  | 
|  aws-foundational-security-best-practices/v/1.0.0/Lambda.5  |  security-control/Lambda.5  | 
|  aws-foundational-security-best-practices/v/1.0.0/NetworkFirewall.3  |  security-control/NetworkFirewall.3  | 
|  aws-foundational-security-best-practices/v/1.0.0/NetworkFirewall.4  |  security-control/NetworkFirewall.4  | 
|  aws-foundational-security-best-practices/v/1.0.0/NetworkFirewall.5  |  security-control/NetworkFirewall.5  | 
|  aws-foundational-security-best-practices/v/1.0.0/NetworkFirewall.6  |  security-control/NetworkFirewall.6  | 
|  aws-foundational-security-best-practices/v/1.0.0/Opensearch.1  |  security-control/Opensearch.1  | 
|  aws-foundational-security-best-practices/v/1.0.0/Opensearch.2  |  security-control/Opensearch.2  | 
|  aws-foundational-security-best-practices/v/1.0.0/Opensearch.3  |  security-control/Opensearch.3  | 
|  aws-foundational-security-best-practices/v/1.0.0/Opensearch.4  |  security-control/Opensearch.4  | 
|  aws-foundational-security-best-practices/v/1.0.0/Opensearch.5  |  security-control/Opensearch.5  | 
|  aws-foundational-security-best-practices/v/1.0.0/Opensearch.6  |  security-control/Opensearch.6  | 
|  aws-foundational-security-best-practices/v/1.0.0/Opensearch.7  |  security-control/Opensearch.7  | 
|  aws-foundational-security-best-practices/v/1.0.0/Opensearch.8  |  security-control/Opensearch.8  | 
|  aws-foundational-security-best-practices/v/1.0.0/RDS.1  |  security-control/RDS.1  | 
|  aws-foundational-security-best-practices/v/1.0.0/RDS.10  |  security-control/RDS.10  | 
|  aws-foundational-security-best-practices/v/1.0.0/RDS.11  |  security-control/RDS.11  | 
|  aws-foundational-security-best-practices/v/1.0.0/RDS.12  |  security-control/RDS.12  | 
|  aws-foundational-security-best-practices/v/1.0.0/RDS.13  |  security-control/RDS.13  | 
|  aws-foundational-security-best-practices/v/1.0.0/RDS.14  |  security-control/RDS.14  | 
|  aws-foundational-security-best-practices/v/1.0.0/RDS.15  |  security-control/RDS.15  | 
|  aws-foundational-security-best-practices/v/1.0.0/RDS.16  |  security-control/RDS.16  | 
|  aws-foundational-security-best-practices/v/1.0.0/RDS.17  |  security-control/RDS.17  | 
|  aws-foundational-security-best-practices/v/1.0.0/RDS.19  |  security-control/RDS.19  | 
|  aws-foundational-security-best-practices/v/1.0.0/RDS.2  |  security-control/RDS.2  | 
|  aws-foundational-security-best-practices/v/1.0.0/RDS.20  |  security-control/RDS.20  | 
|  aws-foundational-security-best-practices/v/1.0.0/RDS.21  |  security-control/RDS.21  | 
|  aws-foundational-security-best-practices/v/1.0.0/RDS.22  |  security-control/RDS.22  | 
|  aws-foundational-security-best-practices/v/1.0.0/RDS.23  |  security-control/RDS.23  | 
|  aws-foundational-security-best-practices/v/1.0.0/RDS.24  |  security-control/RDS.24  | 
|  aws-foundational-security-best-practices/v/1.0.0/RDS.25  |  security-control/RDS.25  | 
|  aws-foundational-security-best-practices/v/1.0.0/RDS.3  |  security-control/RDS.3  | 
|  aws-foundational-security-best-practices/v/1.0.0/RDS.4  |  security-control/RDS.4  | 
|  aws-foundational-security-best-practices/v/1.0.0/RDS.5  |  security-control/RDS.5  | 
|  aws-foundational-security-best-practices/v/1.0.0/RDS.6  |  security-control/RDS.6  | 
|  aws-foundational-security-best-practices/v/1.0.0/RDS.7  |  security-control/RDS.7  | 
|  aws-foundational-security-best-practices/v/1.0.0/RDS.8  |  security-control/RDS.8  | 
|  aws-foundational-security-best-practices/v/1.0.0/RDS.9  |  security-control/RDS.9  | 
|  aws-foundational-security-best-practices/v/1.0.0/Redshift.1  |  security-control/Redshift.1  | 
|  aws-foundational-security-best-practices/v/1.0.0/Redshift.2  |  security-control/Redshift.2  | 
|  aws-foundational-security-best-practices/v/1.0.0/Redshift.3  |  security-control/Redshift.3  | 
|  aws-foundational-security-best-practices/v/1.0.0/Redshift.4  |  security-control/Redshift.4  | 
|  aws-foundational-security-best-practices/v/1.0.0/Redshift.6  |  security-control/Redshift.6  | 
|  aws-foundational-security-best-practices/v/1.0.0/Redshift.7  |  security-control/Redshift.7  | 
|  aws-foundational-security-best-practices/v/1.0.0/Redshift.8  |  security-control/Redshift.8  | 
|  aws-foundational-security-best-practices/v/1.0.0/Redshift.9  |  security-control/Redshift.9  | 
|  aws-foundational-security-best-practices/v/1.0.0/S3.1  |  security-control/S3.1  | 
|  aws-foundational-security-best-practices/v/1.0.0/S3.12  |  security-control/S3.12  | 
|  aws-foundational-security-best-practices/v/1.0.0/S3.13  |  security-control/S3.13  | 
|  aws-foundational-security-best-practices/v/1.0.0/S3.2  |  security-control/S3.2  | 
|  aws-foundational-security-best-practices/v/1.0.0/S3.3  |  security-control/S3.3  | 
|  aws-foundational-security-best-practices/v/1.0.0/S3.5  |  security-control/S3.5  | 
|  aws-foundational-security-best-practices/v/1.0.0/S3.6  |  security-control/S3.6  | 
|  aws-foundational-security-best-practices/v/1.0.0/S3.8  |  security-control/S3.8  | 
|  aws-foundational-security-best-practices/v/1.0.0/S3.9  |  security-control/S3.9  | 
|  aws-foundational-security-best-practices/v/1.0.0/SageMaker.1  |  security-control/SageMaker.1  | 
|  aws-foundational-security-best-practices/v/1.0.0/SageMaker.2  |  security-control/SageMaker.2  | 
|  aws-foundational-security-best-practices/v/1.0.0/SageMaker.3  |  security-control/SageMaker.3  | 
|  aws-foundational-security-best-practices/v/1.0.0/SecretsManager.1  |  security-control/SecretsManager.1  | 
|  aws-foundational-security-best-practices/v/1.0.0/SecretsManager.2  |  security-control/SecretsManager.2  | 
|  aws-foundational-security-best-practices/v/1.0.0/SecretsManager.3  |  security-control/SecretsManager.3  | 
|  aws-foundational-security-best-practices/v/1.0.0/SecretsManager.4  |  security-control/SecretsManager.4  | 
|  aws-foundational-security-best-practices/v/1.0.0/SQS.1  |  security-control/SQS.1  | 
|  aws-foundational-security-best-practices/v/1.0.0/SSM.1  |  security-control/SSM.1  | 
|  aws-foundational-security-best-practices/v/1.0.0/SSM.2  |  security-control/SSM.2  | 
|  aws-foundational-security-best-practices/v/1.0.0/SSM.3  |  security-control/SSM.3  | 
|  aws-foundational-security-best-practices/v/1.0.0/SSM.4  |  security-control/SSM.4  | 
|  aws-foundational-security-best-practices/v/1.0.0/WAF.1  |  security-control/WAF.1  | 
|  aws-foundational-security-best-practices/v/1.0.0/WAF.2  |  security-control/WAF.2  | 
|  aws-foundational-security-best-practices/v/1.0.0/WAF.3  |  security-control/WAF.3  | 
|  aws-foundational-security-best-practices/v/1.0.0/WAF.4  |  security-control/WAF.4  | 
|  aws-foundational-security-best-practices/v/1.0.0/WAF.6  |  security-control/WAF.6  | 
|  aws-foundational-security-best-practices/v/1.0.0/WAF.7  |  security-control/WAF.7  | 
|  aws-foundational-security-best-practices/v/1.0.0/WAF.8  |  security-control/WAF.8  | 
|  aws-foundational-security-best-practices/v/1.0.0/WAF.10  |  security-control/WAF.10  | 
|  pci-dss/v/3.2.1/PCI.AutoScaling.1  |  security-control/AutoScaling.1  | 
|  pci-dss/v/3.2.1/PCI.CloudTrail.1  |  security-control/CloudTrail.2  | 
|  pci-dss/v/3.2.1/PCI.CloudTrail.2  |  security-control/CloudTrail.3  | 
|  pci-dss/v/3.2.1/PCI.CloudTrail.3  |  security-control/CloudTrail.4  | 
|  pci-dss/v/3.2.1/PCI.CloudTrail.4  |  security-control/CloudTrail.5  | 
|  pci-dss/v/3.2.1/PCI.CodeBuild.1  |  security-control/CodeBuild.1  | 
|  pci-dss/v/3.2.1/PCI.CodeBuild.2  |  security-control/CodeBuild.2  | 
|  pci-dss/v/3.2.1/PCI.Config.1  |  security-control/Config.1  | 
|  pci-dss/v/3.2.1/PCI.CW.1  |  security-control/CloudWatch.1  | 
|  pci-dss/v/3.2.1/PCI.DMS.1  |  security-control/DMS.1  | 
|  pci-dss/v/3.2.1/PCI.EC2.1  |  security-control/EC2.1  | 
|  pci-dss/v/3.2.1/PCI.EC2.2  |  security-control/EC2.2  | 
|  pci-dss/v/3.2.1/PCI.EC2.4  |  security-control/EC2.12  | 
|  pci-dss/v/3.2.1/PCI.EC2.5  |  security-control/EC2.13  | 
|  pci-dss/v/3.2.1/PCI.EC2.6  |  security-control/EC2.6  | 
|  pci-dss/v/3.2.1/PCI.ELBv2.1  |  security-control/ELB.1  | 
|  pci-dss/v/3.2.1/PCI.ES.1  |  security-control/ES.2  | 
|  pci-dss/v/3.2.1/PCI.ES.2  |  security-control/ES.1  | 
|  pci-dss/v/3.2.1/PCI.GuardDuty.1  |  security-control/GuardDuty.1  | 
|  pci-dss/v/3.2.1/PCI.IAM.1  |  security-control/IAM.4  | 
|  pci-dss/v/3.2.1/PCI.IAM.2  |  security-control/IAM.2  | 
|  pci-dss/v/3.2.1/PCI.IAM.3  |  security-control/IAM.1  | 
|  pci-dss/v/3.2.1/PCI.IAM.4  |  security-control/IAM.6  | 
|  pci-dss/v/3.2.1/PCI.IAM.5  |  security-control/IAM.9  | 
|  pci-dss/v/3.2.1/PCI.IAM.6  |  security-control/IAM.19  | 
|  pci-dss/v/3.2.1/PCI.IAM.7  |  security-control/IAM.8  | 
|  pci-dss/v/3.2.1/PCI.IAM.8  |  security-control/IAM.10  | 
|  pci-dss/v/3.2.1/PCI.KMS.1  |  security-control/KMS.4  | 
|  pci-dss/v/3.2.1/PCI.Lambda.1  |  security-control/Lambda.1  | 
|  pci-dss/v/3.2.1/PCI.Lambda.2  |  security-control/Lambda.3  | 
|  pci-dss/v/3.2.1/PCI.Opensearch.1  |  security-control/Opensearch.2  | 
|  pci-dss/v/3.2.1/PCI.Opensearch.2  |  security-control/Opensearch.1  | 
|  pci-dss/v/3.2.1/PCI.RDS.1  |  security-control/RDS.1  | 
|  pci-dss/v/3.2.1/PCI.RDS.2  |  security-control/RDS.2  | 
|  pci-dss/v/3.2.1/PCI.Redshift.1  |  security-control/Redshift.1  | 
|  pci-dss/v/3.2.1/PCI.S3.1  |  security-control/S3.3  | 
|  pci-dss/v/3.2.1/PCI.S3.2  |  security-control/S3.2  | 
|  pci-dss/v/3.2.1/PCI.S3.3  |  security-control/S3.7  | 
|  pci-dss/v/3.2.1/PCI.S3.5  |  security-control/S3.5  | 
|  pci-dss/v/3.2.1/PCI.S3.6  |  security-control/S3.1  | 
|  pci-dss/v/3.2.1/PCI.SageMaker.1  |  security-control/SageMaker.1  | 
|  pci-dss/v/3.2.1/PCI.SSM.1  |  security-control/SSM.2  | 
|  pci-dss/v/3.2.1/PCI.SSM.2  |  security-control/SSM.3  | 
|  pci-dss/v/3.2.1/PCI.SSM.3  |  security-control/SSM.1  | 
|  service-managed-aws-control-tower/v/1.0.0/ACM.1  |  security-control/ACM.1  | 
|  service-managed-aws-control-tower/v/1.0.0/APIGateway.1  |  security-control/APIGateway.1  | 
|  service-managed-aws-control-tower/v/1.0.0/APIGateway.2  |  security-control/APIGateway.2  | 
|  service-managed-aws-control-tower/v/1.0.0/APIGateway.3  |  security-control/APIGateway.3  | 
|  service-managed-aws-control-tower/v/1.0.0/APIGateway.4  |  security-control/APIGateway.4  | 
|  service-managed-aws-control-tower/v/1.0.0/APIGateway.5  |  security-control/APIGateway.5  | 
|  service-managed-aws-control-tower/v/1.0.0/AutoScaling.1  |  security-control/AutoScaling.1  | 
|  service-managed-aws-control-tower/v/1.0.0/AutoScaling.2  |  security-control/AutoScaling.2  | 
|  service-managed-aws-control-tower/v/1.0.0/AutoScaling.3  |  security-control/AutoScaling.3  | 
|  service-managed-aws-control-tower/v/1.0.0/AutoScaling.4  |  security-control/AutoScaling.4  | 
|  service-managed-aws-control-tower/v/1.0.0/Autoscaling.5  |  security-control/Autoscaling.5  | 
|  service-managed-aws-control-tower/v/1.0.0/AutoScaling.6  |  security-control/AutoScaling.6  | 
|  service-managed-aws-control-tower/v/1.0.0/AutoScaling.9  |  security-control/AutoScaling.9  | 
|  service-managed-aws-control-tower/v/1.0.0/CloudTrail.1  |  security-control/CloudTrail.1  | 
|  service-managed-aws-control-tower/v/1.0.0/CloudTrail.2  |  security-control/CloudTrail.2  | 
|  service-managed-aws-control-tower/v/1.0.0/CloudTrail.4  |  security-control/CloudTrail.4  | 
|  service-managed-aws-control-tower/v/1.0.0/CloudTrail.5  |  security-control/CloudTrail.5  | 
|  service-managed-aws-control-tower/v/1.0.0/CodeBuild.1  |  security-control/CodeBuild.1  | 
|  service-managed-aws-control-tower/v/1.0.0/CodeBuild.2  |  security-control/CodeBuild.2  | 
|  service-managed-aws-control-tower/v/1.0.0/CodeBuild.4  |  security-control/CodeBuild.4  | 
|  service-managed-aws-control-tower/v/1.0.0/CodeBuild.5  |  security-control/CodeBuild.5  | 
|  service-managed-aws-control-tower/v/1.0.0/DMS.1  |  security-control/DMS.1  | 
|  service-managed-aws-control-tower/v/1.0.0/DynamoDB.1  |  security-control/DynamoDB.1  | 
|  service-managed-aws-control-tower/v/1.0.0/DynamoDB.2  |  security-control/DynamoDB.2  | 
|  service-managed-aws-control-tower/v/1.0.0/EC2.1  |  security-control/EC2.1  | 
|  service-managed-aws-control-tower/v/1.0.0/EC2.2  |  security-control/EC2.2  | 
|  service-managed-aws-control-tower/v/1.0.0/EC2.3  |  security-control/EC2.3  | 
|  service-managed-aws-control-tower/v/1.0.0/EC2.4  |  security-control/EC2.4  | 
|  service-managed-aws-control-tower/v/1.0.0/EC2.6  |  security-control/EC2.6  | 
|  service-managed-aws-control-tower/v/1.0.0/EC2.7  |  security-control/EC2.7  | 
|  service-managed-aws-control-tower/v/1.0.0/EC2.8  |  security-control/EC2.8  | 
|  service-managed-aws-control-tower/v/1.0.0/EC2.9  |  security-control/EC2.9  | 
|  service-managed-aws-control-tower/v/1.0.0/EC2.10  |  security-control/EC2.10  | 
|  service-managed-aws-control-tower/v/1.0.0/EC2.15  |  security-control/EC2.15  | 
|  service-managed-aws-control-tower/v/1.0.0/EC2.16  |  security-control/EC2.16  | 
|  service-managed-aws-control-tower/v/1.0.0/EC2.17  |  security-control/EC2.17  | 
|  service-managed-aws-control-tower/v/1.0.0/EC2.18  |  security-control/EC2.18  | 
|  service-managed-aws-control-tower/v/1.0.0/EC2.19  |  security-control/EC2.19  | 
|  service-managed-aws-control-tower/v/1.0.0/EC2.20  |  security-control/EC2.20  | 
|  service-managed-aws-control-tower/v/1.0.0/EC2.21  |  security-control/EC2.21  | 
|  service-managed-aws-control-tower/v/1.0.0/EC2.22  |  security-control/EC2.22  | 
|  service-managed-aws-control-tower/v/1.0.0/ECR.1  |  security-control/ECR.1  | 
|  service-managed-aws-control-tower/v/1.0.0/ECR.2  |  security-control/ECR.2  | 
|  service-managed-aws-control-tower/v/1.0.0/ECR.3  |  security-control/ECR.3  | 
|  service-managed-aws-control-tower/v/1.0.0/ECS.1  |  security-control/ECS.1  | 
|  service-managed-aws-control-tower/v/1.0.0/ECS.2  |  security-control/ECS.2  | 
|  service-managed-aws-control-tower/v/1.0.0/ECS.3  |  security-control/ECS.3  | 
|  service-managed-aws-control-tower/v/1.0.0/ECS.4  |  security-control/ECS.4  | 
|  service-managed-aws-control-tower/v/1.0.0/ECS.5  |  security-control/ECS.5  | 
|  service-managed-aws-control-tower/v/1.0.0/ECS.8  |  security-control/ECS.8  | 
|  service-managed-aws-control-tower/v/1.0.0/ECS.10  |  security-control/ECS.10  | 
|  service-managed-aws-control-tower/v/1.0.0/ECS.12  |  security-control/ECS.12  | 
|  service-managed-aws-control-tower/v/1.0.0/EFS.1  |  security-control/EFS.1  | 
|  service-managed-aws-control-tower/v/1.0.0/EFS.2  |  security-control/EFS.2  | 
|  service-managed-aws-control-tower/v/1.0.0/EFS.3  |  security-control/EFS.3  | 
|  service-managed-aws-control-tower/v/1.0.0/EFS.4  |  security-control/EFS.4  | 
|  service-managed-aws-control-tower/v/1.0.0/EKS.2  |  security-control/EKS.2  | 
|  service-managed-aws-control-tower/v/1.0.0/ELB.2  |  security-control/ELB.2  | 
|  service-managed-aws-control-tower/v/1.0.0/ELB.3  |  security-control/ELB.3  | 
|  service-managed-aws-control-tower/v/1.0.0/ELB.4  |  security-control/ELB.4  | 
|  service-managed-aws-control-tower/v/1.0.0/ELB.5  |  security-control/ELB.5  | 
|  service-managed-aws-control-tower/v/1.0.0/ELB.6  |  security-control/ELB.6  | 
|  service-managed-aws-control-tower/v/1.0.0/ELB.7  |  security-control/ELB.7  | 
|  service-managed-aws-control-tower/v/1.0.0/ELB.8  |  security-control/ELB.8  | 
|  service-managed-aws-control-tower/v/1.0.0/ELB.9  |  security-control/ELB.9  | 
|  service-managed-aws-control-tower/v/1.0.0/ELB.10  |  security-control/ELB.10  | 
|  service-managed-aws-control-tower/v/1.0.0/ELB.12  |  security-control/ELB.12  | 
|  service-managed-aws-control-tower/v/1.0.0/ELB.13  |  security-control/ELB.13  | 
|  service-managed-aws-control-tower/v/1.0.0/ELB.14  |  security-control/ELB.14  | 
|  service-managed-aws-control-tower/v/1.0.0/ELBv2.1  |  security-control/ELB.1  | 
|  service-managed-aws-control-tower/v/1.0.0/EMR.1  |  security-control/EMR.1  | 
|  service-managed-aws-control-tower/v/1.0.0/ES.1  |  security-control/ES.1  | 
|  service-managed-aws-control-tower/v/1.0.0/ES.2  |  security-control/ES.2  | 
|  service-managed-aws-control-tower/v/1.0.0/ES.3  |  security-control/ES.3  | 
|  service-managed-aws-control-tower/v/1.0.0/ES.4  |  security-control/ES.4  | 
|  service-managed-aws-control-tower/v/1.0.0/ES.5  |  security-control/ES.5  | 
|  service-managed-aws-control-tower/v/1.0.0/ES.6  |  security-control/ES.6  | 
|  service-managed-aws-control-tower/v/1.0.0/ES.7  |  security-control/ES.7  | 
|  service-managed-aws-control-tower/v/1.0.0/ES.8  |  security-control/ES.8  | 
|  service-managed-aws-control-tower/v/1.0.0/ElasticBeanstalk.1  |  security-control/ElasticBeanstalk.1  | 
|  service-managed-aws-control-tower/v/1.0.0/ElasticBeanstalk.2  |  security-control/ElasticBeanstalk.2  | 
|  service-managed-aws-control-tower/v/1.0.0/GuardDuty.1  |  security-control/GuardDuty.1  | 
|  service-managed-aws-control-tower/v/1.0.0/IAM.1  |  security-control/IAM.1  | 
|  service-managed-aws-control-tower/v/1.0.0/IAM.2  |  security-control/IAM.2  | 
|  service-managed-aws-control-tower/v/1.0.0/IAM.3  |  security-control/IAM.3  | 
|  service-managed-aws-control-tower/v/1.0.0/IAM.4  |  security-control/IAM.4  | 
|  service-managed-aws-control-tower/v/1.0.0/IAM.5  |  security-control/IAM.5  | 
|  service-managed-aws-control-tower/v/1.0.0/IAM.6  |  security-control/IAM.6  | 
|  service-managed-aws-control-tower/v/1.0.0/IAM.7  |  security-control/IAM.7  | 
|  service-managed-aws-control-tower/v/1.0.0/IAM.8  |  security-control/IAM.8  | 
|  service-managed-aws-control-tower/v/1.0.0/IAM.21  |  security-control/IAM.21  | 
|  service-managed-aws-control-tower/v/1.0.0/Kinesis.1  |  security-control/Kinesis.1  | 
|  service-managed-aws-control-tower/v/1.0.0/KMS.1  |  security-control/KMS.1  | 
|  service-managed-aws-control-tower/v/1.0.0/KMS.2  |  security-control/KMS.2  | 
|  service-managed-aws-control-tower/v/1.0.0/KMS.3  |  security-control/KMS.3  | 
|  service-managed-aws-control-tower/v/1.0.0/Lambda.1  |  security-control/Lambda.1  | 
|  service-managed-aws-control-tower/v/1.0.0/Lambda.2  |  security-control/Lambda.2  | 
|  service-managed-aws-control-tower/v/1.0.0/Lambda.5  |  security-control/Lambda.5  | 
|  service-managed-aws-control-tower/v/1.0.0/NetworkFirewall.3  |  security-control/NetworkFirewall.3  | 
|  service-managed-aws-control-tower/v/1.0.0/NetworkFirewall.4  |  security-control/NetworkFirewall.4  | 
|  service-managed-aws-control-tower/v/1.0.0/NetworkFirewall.5  |  security-control/NetworkFirewall.5  | 
|  service-managed-aws-control-tower/v/1.0.0/NetworkFirewall.6  |  security-control/NetworkFirewall.6  | 
|  service-managed-aws-control-tower/v/1.0.0/Opensearch.1  |  security-control/Opensearch.1  | 
|  service-managed-aws-control-tower/v/1.0.0/Opensearch.2  |  security-control/Opensearch.2  | 
|  service-managed-aws-control-tower/v/1.0.0/Opensearch.3  |  security-control/Opensearch.3  | 
|  service-managed-aws-control-tower/v/1.0.0/Opensearch.4  |  security-control/Opensearch.4  | 
|  service-managed-aws-control-tower/v/1.0.0/Opensearch.5  |  security-control/Opensearch.5  | 
|  service-managed-aws-control-tower/v/1.0.0/Opensearch.6  |  security-control/Opensearch.6  | 
|  service-managed-aws-control-tower/v/1.0.0/Opensearch.7  |  security-control/Opensearch.7  | 
|  service-managed-aws-control-tower/v/1.0.0/Opensearch.8  |  security-control/Opensearch.8  | 
|  service-managed-aws-control-tower/v/1.0.0/RDS.1  |  security-control/RDS.1  | 
|  service-managed-aws-control-tower/v/1.0.0/RDS.2  |  security-control/RDS.2  | 
|  service-managed-aws-control-tower/v/1.0.0/RDS.3  |  security-control/RDS.3  | 
|  service-managed-aws-control-tower/v/1.0.0/RDS.4  |  security-control/RDS.4  | 
|  service-managed-aws-control-tower/v/1.0.0/RDS.5  |  security-control/RDS.5  | 
|  service-managed-aws-control-tower/v/1.0.0/RDS.6  |  security-control/RDS.6  | 
|  service-managed-aws-control-tower/v/1.0.0/RDS.8  |  security-control/RDS.8  | 
|  service-managed-aws-control-tower/v/1.0.0/RDS.9  |  security-control/RDS.9  | 
|  service-managed-aws-control-tower/v/1.0.0/RDS.10  |  security-control/RDS.10  | 
|  service-managed-aws-control-tower/v/1.0.0/RDS.11  |  security-control/RDS.11  | 
|  service-managed-aws-control-tower/v/1.0.0/RDS.13  |  security-control/RDS.13  | 
|  service-managed-aws-control-tower/v/1.0.0/RDS.17  |  security-control/RDS.17  | 
|  service-managed-aws-control-tower/v/1.0.0/RDS.18  |  security-control/RDS.18  | 
|  service-managed-aws-control-tower/v/1.0.0/RDS.19  |  security-control/RDS.19  | 
|  service-managed-aws-control-tower/v/1.0.0/RDS.20  |  security-control/RDS.20  | 
|  service-managed-aws-control-tower/v/1.0.0/RDS.21  |  security-control/RDS.21  | 
|  service-managed-aws-control-tower/v/1.0.0/RDS.22  |  security-control/RDS.22  | 
|  service-managed-aws-control-tower/v/1.0.0/RDS.23  |  security-control/RDS.23  | 
|  service-managed-aws-control-tower/v/1.0.0/RDS.25  |  security-control/RDS.25  | 
|  service-managed-aws-control-tower/v/1.0.0/Redshift.1  |  security-control/Redshift.1  | 
|  service-managed-aws-control-tower/v/1.0.0/Redshift.2  |  security-control/Redshift.2  | 
|  service-managed-aws-control-tower/v/1.0.0/Redshift.4  |  security-control/Redshift.4  | 
|  service-managed-aws-control-tower/v/1.0.0/Redshift.6  |  security-control/Redshift.6  | 
|  service-managed-aws-control-tower/v/1.0.0/Redshift.7  |  security-control/Redshift.7  | 
|  service-managed-aws-control-tower/v/1.0.0/Redshift.8  |  security-control/Redshift.8  | 
|  service-managed-aws-control-tower/v/1.0.0/Redshift.9  |  security-control/Redshift.9  | 
|  service-managed-aws-control-tower/v/1.0.0/S3.1  |  security-control/S3.1  | 
|  service-managed-aws-control-tower/v/1.0.0/S3.2  |  security-control/S3.2  | 
|  service-managed-aws-control-tower/v/1.0.0/S3.3  |  security-control/S3.3  | 
|  service-managed-aws-control-tower/v/1.0.0/S3.5  |  security-control/S3.5  | 
|  service-managed-aws-control-tower/v/1.0.0/S3.6  |  security-control/S3.6  | 
|  service-managed-aws-control-tower/v/1.0.0/S3.8  |  security-control/S3.8  | 
|  service-managed-aws-control-tower/v/1.0.0/S3.9  |  security-control/S3.9  | 
|  service-managed-aws-control-tower/v/1.0.0/S3.12  |  security-control/S3.12  | 
|  service-managed-aws-control-tower/v/1.0.0/S3.13  |  security-control/S3.13  | 
|  service-managed-aws-control-tower/v/1.0.0/SageMaker.1  |  security-control/SageMaker.1  | 
|  service-managed-aws-control-tower/v/1.0.0/SecretsManager.1  |  security-control/SecretsManager.1  | 
|  service-managed-aws-control-tower/v/1.0.0/SecretsManager.2  |  security-control/SecretsManager.2  | 
|  service-managed-aws-control-tower/v/1.0.0/SecretsManager.3  |  security-control/SecretsManager.3  | 
|  service-managed-aws-control-tower/v/1.0.0/SecretsManager.4  |  security-control/SecretsManager.4  | 
|  service-managed-aws-control-tower/v/1.0.0/SQS.1  |  security-control/SQS.1  | 
|  service-managed-aws-control-tower/v/1.0.0/SSM.1  |  security-control/SSM.1  | 
|  service-managed-aws-control-tower/v/1.0.0/SSM.2  |  security-control/SSM.2  | 
|  service-managed-aws-control-tower/v/1.0.0/SSM.3  |  security-control/SSM.3  | 
|  service-managed-aws-control-tower/v/1.0.0/SSM.4  |  security-control/SSM.4  | 
|  service-managed-aws-control-tower/v/1.0.0/WAF.2  |  security-control/WAF.2  | 
|  service-managed-aws-control-tower/v/1.0.0/WAF.3  |  security-control/WAF.3  | 
|  service-managed-aws-control-tower/v/1.0.0/WAF.4  |  security-control/WAF.4  | 

## How consolidation impacts control IDs and titles


Consolidated controls view and consolidated control findings standardize control IDs and titles across standards. The terms *security control ID* and *security control title* refer to these standard-agnostic values.

The Security Hub CSPM console displays the standard-agnostic security control ID and security control title whether consolidated control findings is enabled or disabled for your account. Findings differ: if consolidated control findings is disabled, findings for PCI DSS and CIS v1.2.0 controls carry the standard-specific control title, and findings carry both the standard-specific control ID and the security control ID. For examples of how consolidation affects control findings, see [Samples of control findings](sample-control-findings.md).

For controls that are part of the [Amazon Control Tower service-managed standard](service-managed-standard-aws-control-tower.md), the prefix `CT.` is removed from the control ID and title in findings when consolidated control findings is enabled.

To disable a security control in Security Hub CSPM, you must disable every standard control that maps to it; a security control that several standards share (for example, one mapped from CIS v1.2.0, CIS v1.4.0, and PCI DSS) keeps generating findings until each of those standard controls is disabled. The following table shows the mapping of security control IDs and titles to standard-specific control IDs and titles. IDs and titles for controls that belong to the Amazon Foundational Security Best Practices (FSBP) standard are already standard-agnostic. For a mapping of controls to the requirements of Center for Internet Security (CIS) v3.0.0, see [Mapping of controls to CIS requirements in each version](cis-aws-foundations-benchmark.md#cis-version-comparison). To run your own scripts on this table, you can [download it as a .csv file](samples/Consolidation_ID_Title_Changes.csv.zip).


| Standard | Standard control ID and title | Security control ID and title | 
| --- | --- | --- | 
|  CIS v1.2.0  |  1.1 Avoid the use of the root user  |  [[CloudWatch.1] A log metric filter and alarm should exist for usage of the "root" user](cloudwatch-controls.md#cloudwatch-1)  | 
|  CIS v1.2.0  |  1.10 Ensure IAM password policy prevents password reuse  |  [[IAM.16] Ensure IAM password policy prevents password reuse](iam-controls.md#iam-16)  | 
|  CIS v1.2.0  |  1.11 Ensure IAM password policy expires passwords within 90 days or less  |  [[IAM.17] Ensure IAM password policy expires passwords within 90 days or less](iam-controls.md#iam-17)  | 
|  CIS v1.2.0  |  1.12 Ensure no root user access key exists  |  [[IAM.4] IAM root user access key should not exist](iam-controls.md#iam-4)  | 
|  CIS v1.2.0  |  1.13 Ensure MFA is enabled for the root user  |  [[IAM.9] MFA should be enabled for the root user](iam-controls.md#iam-9)  | 
|  CIS v1.2.0  |  1.14 Ensure hardware MFA is enabled for the root user  |  [[IAM.6] Hardware MFA should be enabled for the root user](iam-controls.md#iam-6)  | 
|  CIS v1.2.0  |  1.16 Ensure IAM policies are attached only to groups or roles  |  [[IAM.2] IAM users should not have IAM policies attached](iam-controls.md#iam-2)  | 
|  CIS v1.2.0  |  1.2 Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password  |  [[IAM.5] MFA should be enabled for all IAM users that have a console password](iam-controls.md#iam-5)  | 
|  CIS v1.2.0  |  1.20 Ensure a support role has been created to manage incidents with Amazon Web Services Support  |  [[IAM.18] Ensure a support role has been created to manage incidents with Amazon Web Services Support](iam-controls.md#iam-18)  | 
|  CIS v1.2.0  |  1.22 Ensure IAM policies that allow full "*:*" administrative privileges are not created  |  [[IAM.1] IAM policies should not allow full "*" administrative privileges](iam-controls.md#iam-1)  | 
|  CIS v1.2.0  |  1.3 Ensure credentials unused for 90 days or greater are disabled  |  [[IAM.8] Unused IAM user credentials should be removed](iam-controls.md#iam-8)  | 
|  CIS v1.2.0  |  1.4 Ensure access keys are rotated every 90 days or less  |  [[IAM.3] IAM users' access keys should be rotated every 90 days or less](iam-controls.md#iam-3)  | 
|  CIS v1.2.0  |  1.5 Ensure IAM password policy requires at least one uppercase letter  |  [[IAM.11] Ensure IAM password policy requires at least one uppercase letter](iam-controls.md#iam-11)  | 
|  CIS v1.2.0  |  1.6 Ensure IAM password policy requires at least one lowercase letter  |  [[IAM.12] Ensure IAM password policy requires at least one lowercase letter](iam-controls.md#iam-12)  | 
|  CIS v1.2.0  |  1.7 Ensure IAM password policy requires at least one symbol  |  [[IAM.13] Ensure IAM password policy requires at least one symbol](iam-controls.md#iam-13)  | 
|  CIS v1.2.0  |  1.8 Ensure IAM password policy requires at least one number  |  [[IAM.14] Ensure IAM password policy requires at least one number](iam-controls.md#iam-14)  | 
|  CIS v1.2.0  |  1.9 Ensure IAM password policy requires minimum password length of 14 or greater  |  [[IAM.15] Ensure IAM password policy requires minimum password length of 14 or greater](iam-controls.md#iam-15)  | 
|  CIS v1.2.0  |  2.1 Ensure CloudTrail is enabled in all regions  |  [[CloudTrail.1] CloudTrail should be enabled and configured with at least one multi-Region trail that includes read and write management events](cloudtrail-controls.md#cloudtrail-1)  | 
|  CIS v1.2.0  |  2.2 Ensure CloudTrail log file validation is enabled  |  [[CloudTrail.4] CloudTrail log file validation should be enabled](cloudtrail-controls.md#cloudtrail-4)  | 
|  CIS v1.2.0  |  2.3 Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible  |  [[CloudTrail.6] Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible](cloudtrail-controls.md#cloudtrail-6)  | 
|  CIS v1.2.0  |  2.4 Ensure CloudTrail trails are integrated with CloudWatch Logs  |  [[CloudTrail.5] CloudTrail trails should be integrated with Amazon CloudWatch Logs](cloudtrail-controls.md#cloudtrail-5)  | 
|  CIS v1.2.0  |  2.5 Ensure Amazon Config is enabled  |  [[Config.1] Amazon Config should be enabled and use the service-linked role for resource recording](config-controls.md#config-1)  | 
|  CIS v1.2.0  |  2.6 Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket  |  [[CloudTrail.7] Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket](cloudtrail-controls.md#cloudtrail-7)  | 
|  CIS v1.2.0  |  2.7 Ensure CloudTrail logs are encrypted at rest using KMS CMKs  |  [[CloudTrail.2] CloudTrail should have encryption at-rest enabled](cloudtrail-controls.md#cloudtrail-2)  | 
|  CIS v1.2.0  |  2.8 Ensure rotation for customer created CMKs is enabled  |  [[KMS.4] Amazon KMS key rotation should be enabled](kms-controls.md#kms-4)  | 
|  CIS v1.2.0  |  2.9 Ensure VPC flow logging is enabled in all VPCs  |  [[EC2.6] VPC flow logging should be enabled in all VPCs](ec2-controls.md#ec2-6)  | 
|  CIS v1.2.0  |  3.1 Ensure a log metric filter and alarm exist for unauthorized API calls  |  [[CloudWatch.2] Ensure a log metric filter and alarm exist for unauthorized API calls](cloudwatch-controls.md#cloudwatch-2)  | 
|  CIS v1.2.0  |  3.10 Ensure a log metric filter and alarm exist for security group changes  |  [[CloudWatch.10] Ensure a log metric filter and alarm exist for security group changes](cloudwatch-controls.md#cloudwatch-10)  | 
|  CIS v1.2.0  |  3.11 Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)  |  [[CloudWatch.11] Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)](cloudwatch-controls.md#cloudwatch-11)  | 
|  CIS v1.2.0  |  3.12 Ensure a log metric filter and alarm exist for changes to network gateways  |  [[CloudWatch.12] Ensure a log metric filter and alarm exist for changes to network gateways](cloudwatch-controls.md#cloudwatch-12)  | 
|  CIS v1.2.0  |  3.13 Ensure a log metric filter and alarm exist for route table changes  |  [[CloudWatch.13] Ensure a log metric filter and alarm exist for route table changes](cloudwatch-controls.md#cloudwatch-13)  | 
|  CIS v1.2.0  |  3.14 Ensure a log metric filter and alarm exist for VPC changes  |  [[CloudWatch.14] Ensure a log metric filter and alarm exist for VPC changes](cloudwatch-controls.md#cloudwatch-14)  | 
|  CIS v1.2.0  |  3.2 Ensure a log metric filter and alarm exist for Management Console sign-in without MFA  |  [[CloudWatch.3] Ensure a log metric filter and alarm exist for Management Console sign-in without MFA](cloudwatch-controls.md#cloudwatch-3)  | 
|  CIS v1.2.0  |  3.3 Ensure a log metric filter and alarm exist for usage of root user  |  [[CloudWatch.1] A log metric filter and alarm should exist for usage of the "root" user](cloudwatch-controls.md#cloudwatch-1)  | 
|  CIS v1.2.0  |  3.4 Ensure a log metric filter and alarm exist for IAM policy changes  |  [[CloudWatch.4] Ensure a log metric filter and alarm exist for IAM policy changes](cloudwatch-controls.md#cloudwatch-4)  | 
|  CIS v1.2.0  |  3.5 Ensure a log metric filter and alarm exist for CloudTrail configuration changes  |  [[CloudWatch.5] Ensure a log metric filter and alarm exist for CloudTrail configuration changes](cloudwatch-controls.md#cloudwatch-5)  | 
|  CIS v1.2.0  |  3.6 Ensure a log metric filter and alarm exist for Amazon Web Services Management Console authentication failures  |  [[CloudWatch.6] Ensure a log metric filter and alarm exist for Amazon Web Services Management Console authentication failures](cloudwatch-controls.md#cloudwatch-6)  | 
|  CIS v1.2.0  |  3.7 Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs  |  [[CloudWatch.7] Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer managed keys](cloudwatch-controls.md#cloudwatch-7)  | 
|  CIS v1.2.0  |  3.8 Ensure a log metric filter and alarm exist for S3 bucket policy changes  |  [[CloudWatch.8] Ensure a log metric filter and alarm exist for S3 bucket policy changes](cloudwatch-controls.md#cloudwatch-8)  | 
|  CIS v1.2.0  |  3.9 Ensure a log metric filter and alarm exist for Amazon Config configuration changes  |  [[CloudWatch.9] Ensure a log metric filter and alarm exist for Amazon Config configuration changes](cloudwatch-controls.md#cloudwatch-9)  | 
|  CIS v1.2.0  |  4.1 Ensure no security groups allow ingress from 0.0.0.0/0 to port 22  |  [[EC2.13] Security groups should not allow ingress from 0.0.0.0/0 or ::/0 to port 22](ec2-controls.md#ec2-13)  | 
|  CIS v1.2.0  |  4.2 Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389  |  [[EC2.14] Security groups should not allow ingress from 0.0.0.0/0 or ::/0 to port 3389](ec2-controls.md#ec2-14)  | 
|  CIS v1.2.0  |  4.3 Ensure the default security group of every VPC restricts all traffic  |  [[EC2.2] VPC default security groups should not allow inbound or outbound traffic](ec2-controls.md#ec2-2)  | 
|  CIS v1.4.0  |  1.10 Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password  |  [[IAM.5] MFA should be enabled for all IAM users that have a console password](iam-controls.md#iam-5)  | 
|  CIS v1.4.0  |  1.14 Ensure access keys are rotated every 90 days or less  |  [[IAM.3] IAM users' access keys should be rotated every 90 days or less](iam-controls.md#iam-3)  | 
|  CIS v1.4.0  |  1.16 Ensure IAM policies that allow full "*:*" administrative privileges are not attached  |  [[IAM.1] IAM policies should not allow full "*" administrative privileges](iam-controls.md#iam-1)  | 
|  CIS v1.4.0  |  1.17 Ensure a support role has been created to manage incidents with Amazon Web Services Support  |  [[IAM.18] Ensure a support role has been created to manage incidents with Amazon Web Services Support](iam-controls.md#iam-18)  | 
|  CIS v1.4.0  |  1.4 Ensure no root user account access key exists  |  [[IAM.4] IAM root user access key should not exist](iam-controls.md#iam-4)  | 
|  CIS v1.4.0  |  1.5 Ensure MFA is enabled for the root user account  |  [[IAM.9] MFA should be enabled for the root user](iam-controls.md#iam-9)  | 
|  CIS v1.4.0  |  1.6 Ensure hardware MFA is enabled for the root user account  |  [[IAM.6] Hardware MFA should be enabled for the root user](iam-controls.md#iam-6)  | 
|  CIS v1.4.0  |  1.7 Eliminate use of the root user for administrative and daily tasks  |  [[CloudWatch.1] A log metric filter and alarm should exist for usage of the "root" user](cloudwatch-controls.md#cloudwatch-1)  | 
|  CIS v1.4.0  |  1.8 Ensure IAM password policy requires minimum length of 14 or greater  |  [[IAM.15] Ensure IAM password policy requires minimum password length of 14 or greater](iam-controls.md#iam-15)  | 
|  CIS v1.4.0  |  1.9 Ensure IAM password policy prevents password reuse  |  [[IAM.16] Ensure IAM password policy prevents password reuse](iam-controls.md#iam-16)  | 
|  CIS v1.4.0  |  2.1.2 Ensure S3 Bucket Policy is set to deny HTTP requests  |  [[S3.5] S3 general purpose buckets should require requests to use SSL](s3-controls.md#s3-5)  | 
|  CIS v1.4.0  |  2.1.5.1 S3 Block Public Access setting should be enabled  |  [[S3.1] S3 general purpose buckets should have block public access settings enabled](s3-controls.md#s3-1)  | 
|  CIS v1.4.0  |  2.1.5.2 S3 Block Public Access setting should be enabled at the bucket level  |  [[S3.8] S3 general purpose buckets should block public access](s3-controls.md#s3-8)  | 
|  CIS v1.4.0  |  2.2.1 Ensure EBS volume encryption is enabled  |  [[EC2.7] EBS default encryption should be enabled](ec2-controls.md#ec2-7)  | 
|  CIS v1.4.0  |  2.3.1 Ensure that encryption is enabled for RDS Instances  |  [[RDS.3] RDS DB instances should have encryption at-rest enabled](rds-controls.md#rds-3)  | 
|  CIS v1.4.0  |  3.1 Ensure CloudTrail is enabled in all regions  |  [[CloudTrail.1] CloudTrail should be enabled and configured with at least one multi-Region trail that includes read and write management events](cloudtrail-controls.md#cloudtrail-1)  | 
|  CIS v1.4.0  |  3.2 Ensure CloudTrail log file validation is enabled  |  [[CloudTrail.4] CloudTrail log file validation should be enabled](cloudtrail-controls.md#cloudtrail-4)  | 
|  CIS v1.4.0  |  3.4 Ensure CloudTrail trails are integrated with CloudWatch Logs  |  [[CloudTrail.5] CloudTrail trails should be integrated with Amazon CloudWatch Logs](cloudtrail-controls.md#cloudtrail-5)  | 
|  CIS v1.4.0  |  3.5 Ensure Amazon Config is enabled in all regions  |  [[Config.1] Amazon Config should be enabled and use the service-linked role for resource recording](config-controls.md#config-1)  | 
|  CIS v1.4.0  |  3.6 Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket  |  [[CloudTrail.7] Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket](cloudtrail-controls.md#cloudtrail-7)  | 
|  CIS v1.4.0  |  3.7 Ensure CloudTrail logs are encrypted at rest using KMS CMKs  |  [[CloudTrail.2] CloudTrail should have encryption at-rest enabled](cloudtrail-controls.md#cloudtrail-2)  | 
|  CIS v1.4.0  |  3.8 Ensure rotation for customer created CMKs is enabled  |  [[KMS.4] Amazon KMS key rotation should be enabled](kms-controls.md#kms-4)  | 
|  CIS v1.4.0  |  3.9 Ensure VPC flow logging is enabled in all VPCs  |  [[EC2.6] VPC flow logging should be enabled in all VPCs](ec2-controls.md#ec2-6)  | 
|  CIS v1.4.0  |  4.4 Ensure a log metric filter and alarm exist for IAM policy changes  |  [[CloudWatch.4] Ensure a log metric filter and alarm exist for IAM policy changes](cloudwatch-controls.md#cloudwatch-4)  | 
|  CIS v1.4.0  |  4.5 Ensure a log metric filter and alarm exist for CloudTrail configuration changes  |  [[CloudWatch.5] Ensure a log metric filter and alarm exist for CloudTrail configuration changes](cloudwatch-controls.md#cloudwatch-5)  | 
|  CIS v1.4.0  |  4.6 Ensure a log metric filter and alarm exist for Amazon Web Services Management Console authentication failures  |  [[CloudWatch.6] Ensure a log metric filter and alarm exist for Amazon Web Services Management Console authentication failures](cloudwatch-controls.md#cloudwatch-6)  | 
|  CIS v1.4.0  |  4.7 Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs  |  [[CloudWatch.7] Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer managed keys](cloudwatch-controls.md#cloudwatch-7)  | 
|  CIS v1.4.0  |  4.8 Ensure a log metric filter and alarm exist for S3 bucket policy changes  |  [[CloudWatch.8] Ensure a log metric filter and alarm exist for S3 bucket policy changes](cloudwatch-controls.md#cloudwatch-8)  | 
|  CIS v1.4.0  |  4.9 Ensure a log metric filter and alarm exist for Amazon Config configuration changes  |  [[CloudWatch.9] Ensure a log metric filter and alarm exist for Amazon Config configuration changes](cloudwatch-controls.md#cloudwatch-9)  | 
|  CIS v1.4.0  |  4.10 Ensure a log metric filter and alarm exist for security group changes  |  [[CloudWatch.10] Ensure a log metric filter and alarm exist for security group changes](cloudwatch-controls.md#cloudwatch-10)  | 
|  CIS v1.4.0  |  4.11 Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)  |  [[CloudWatch.11] Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)](cloudwatch-controls.md#cloudwatch-11)  | 
|  CIS v1.4.0  |  4.12 Ensure a log metric filter and alarm exist for changes to network gateways  |  [[CloudWatch.12] Ensure a log metric filter and alarm exist for changes to network gateways](cloudwatch-controls.md#cloudwatch-12)  | 
|  CIS v1.4.0  |  4.13 Ensure a log metric filter and alarm exist for route table changes  |  [[CloudWatch.13] Ensure a log metric filter and alarm exist for route table changes](cloudwatch-controls.md#cloudwatch-13)  | 
|  CIS v1.4.0  |  4.14 Ensure a log metric filter and alarm exist for VPC changes  |  [[CloudWatch.14] Ensure a log metric filter and alarm exist for VPC changes](cloudwatch-controls.md#cloudwatch-14)  | 
|  CIS v1.4.0  |  5.1 Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports  |  [[EC2.21] Network ACLs should not allow ingress from 0.0.0.0/0 to port 22 or port 3389](ec2-controls.md#ec2-21)  | 
|  CIS v1.4.0  |  5.3 Ensure the default security group of every VPC restricts all traffic  |  [[EC2.2] VPC default security groups should not allow inbound or outbound traffic](ec2-controls.md#ec2-2)  | 
|  PCI DSS v3.2.1  |  PCI.AutoScaling.1 Auto scaling groups associated with a load balancer should use load balancer health checks  |  [[AutoScaling.1] Auto Scaling groups associated with a load balancer should use ELB health checks](autoscaling-controls.md#autoscaling-1)  | 
|  PCI DSS v3.2.1  |  PCI.CloudTrail.1 CloudTrail logs should be encrypted at rest using Amazon KMS CMKs  |  [[CloudTrail.2] CloudTrail should have encryption at-rest enabled](cloudtrail-controls.md#cloudtrail-2)  | 
|  PCI DSS v3.2.1  |  PCI.CloudTrail.2 CloudTrail should be enabled  |  [[CloudTrail.3] At least one CloudTrail trail should be enabled](cloudtrail-controls.md#cloudtrail-3)  | 
|  PCI DSS v3.2.1  |  PCI.CloudTrail.3 CloudTrail log file validation should be enabled  |  [[CloudTrail.4] CloudTrail log file validation should be enabled](cloudtrail-controls.md#cloudtrail-4)  | 
|  PCI DSS v3.2.1  |  PCI.CloudTrail.4 CloudTrail trails should be integrated with Amazon CloudWatch Logs  |  [[CloudTrail.5] CloudTrail trails should be integrated with Amazon CloudWatch Logs](cloudtrail-controls.md#cloudtrail-5)  | 
|  PCI DSS v3.2.1  |  PCI.CodeBuild.1 CodeBuild GitHub or Bitbucket source repository URLs should use OAuth  |  [[CodeBuild.1] CodeBuild Bitbucket source repository URLs should not contain sensitive credentials](codebuild-controls.md#codebuild-1)  | 
|  PCI DSS v3.2.1  |  PCI.CodeBuild.2 CodeBuild project environment variables should not contain clear text credentials  |  [[CodeBuild.2] CodeBuild project environment variables should not contain clear text credentials](codebuild-controls.md#codebuild-2)  | 
|  PCI DSS v3.2.1  |  PCI.Config.1 Amazon Config should be enabled  |  [[Config.1] Amazon Config should be enabled and use the service-linked role for resource recording](config-controls.md#config-1)  | 
|  PCI DSS v3.2.1  |  PCI.CW.1 A log metric filter and alarm should exist for usage of the "root" user  |  [[CloudWatch.1] A log metric filter and alarm should exist for usage of the "root" user](cloudwatch-controls.md#cloudwatch-1)  | 
|  PCI DSS v3.2.1  |  PCI.DMS.1 Database Migration Service replication instances should not be public  |  [[DMS.1] Database Migration Service replication instances should not be public](dms-controls.md#dms-1)  | 
|  PCI DSS v3.2.1  |  PCI.EC2.1 EBS snapshots should not be publicly restorable  |  [[EC2.1] Amazon EBS snapshots should not be configured to be publicly restorable](ec2-controls.md#ec2-1)  | 
|  PCI DSS v3.2.1  |  PCI.EC2.2 VPC default security group should prohibit inbound and outbound traffic  |  [[EC2.2] VPC default security groups should not allow inbound or outbound traffic](ec2-controls.md#ec2-2)  | 
|  PCI DSS v3.2.1  |  PCI.EC2.4 Unused EC2 EIPs should be removed  |  [[EC2.12] Unused Amazon EC2 EIPs should be removed](ec2-controls.md#ec2-12)  | 
|  PCI DSS v3.2.1  |  PCI.EC2.5 Security groups should not allow ingress from 0.0.0.0/0 to port 22  |  [[EC2.13] Security groups should not allow ingress from 0.0.0.0/0 or ::/0 to port 22](ec2-controls.md#ec2-13)  | 
|  PCI DSS v3.2.1  |  PCI.EC2.6 VPC flow logging should be enabled in all VPCs  |  [[EC2.6] VPC flow logging should be enabled in all VPCs](ec2-controls.md#ec2-6)  | 
|  PCI DSS v3.2.1  |  PCI.ELBv2.1 Application Load Balancer should be configured to redirect all HTTP requests to HTTPS  |  [[ELB.1] Application Load Balancer should be configured to redirect all HTTP requests to HTTPS](elb-controls.md#elb-1)  | 
|  PCI DSS v3.2.1  |  PCI.ES.1 Elasticsearch domains should be in a VPC  |  [[ES.2] Elasticsearch domains should not be publicly accessible](es-controls.md#es-2)  | 
|  PCI DSS v3.2.1  |  PCI.ES.2 Elasticsearch domains should have encryption at-rest enabled  |  [[ES.1] Elasticsearch domains should have encryption at-rest enabled](es-controls.md#es-1)  | 
|  PCI DSS v3.2.1  |  PCI.GuardDuty.1 GuardDuty should be enabled  |  [[GuardDuty.1] GuardDuty should be enabled](guardduty-controls.md#guardduty-1)  | 
|  PCI DSS v3.2.1  |  PCI.IAM.1 IAM root user access key should not exist  |  [[IAM.4] IAM root user access key should not exist](iam-controls.md#iam-4)  | 
|  PCI DSS v3.2.1  |  PCI.IAM.2 IAM users should not have IAM policies attached  |  [[IAM.2] IAM users should not have IAM policies attached](iam-controls.md#iam-2)  | 
|  PCI DSS v3.2.1  |  PCI.IAM.3 IAM policies should not allow full "*" administrative privileges  |  [[IAM.1] IAM policies should not allow full "*" administrative privileges](iam-controls.md#iam-1)  | 
|  PCI DSS v3.2.1  |  PCI.IAM.4 Hardware MFA should be enabled for the root user  |  [[IAM.6] Hardware MFA should be enabled for the root user](iam-controls.md#iam-6)  | 
|  PCI DSS v3.2.1  |  PCI.IAM.5 Virtual MFA should be enabled for the root user  |  [[IAM.9] MFA should be enabled for the root user](iam-controls.md#iam-9)  | 
|  PCI DSS v3.2.1  |  PCI.IAM.6 MFA should be enabled for all IAM users  |  [[IAM.19] MFA should be enabled for all IAM users](iam-controls.md#iam-19)  | 
|  PCI DSS v3.2.1  |  PCI.IAM.7 IAM user credentials should be disabled if not used within a pre-defined number days  |  [[IAM.8] Unused IAM user credentials should be removed](iam-controls.md#iam-8)  | 
|  PCI DSS v3.2.1  |  PCI.IAM.8 Password policies for IAM users should have strong configurations  |  [[IAM.10] Password policies for IAM users should have strong configurations](iam-controls.md#iam-10)  | 
|  PCI DSS v3.2.1  |  PCI.KMS.1 Customer master key (CMK) rotation should be enabled  |  [[KMS.4] Amazon KMS key rotation should be enabled](kms-controls.md#kms-4)  | 
|  PCI DSS v3.2.1  |  PCI.Lambda.1 Lambda functions should prohibit public access  |  [[Lambda.1] Lambda function policies should prohibit public access](lambda-controls.md#lambda-1)  | 
|  PCI DSS v3.2.1  |  PCI.Lambda.2 Lambda functions should be in a VPC  |  [[Lambda.3] Lambda functions should be in a VPC](lambda-controls.md#lambda-3)  | 
|  PCI DSS v3.2.1  |  PCI.Opensearch.1 OpenSearch domains should be in a VPC  |  [[Opensearch.2] OpenSearch domains should not be publicly accessible](opensearch-controls.md#opensearch-2)  | 
|  PCI DSS v3.2.1  |  PCI.Opensearch.2 OpenSearch domains should have encryption at rest enabled  |  [[Opensearch.1] OpenSearch domains should have encryption at rest enabled](opensearch-controls.md#opensearch-1)  | 
|  PCI DSS v3.2.1  |  PCI.RDS.1 RDS snapshot should be private  |  [[RDS.1] RDS snapshot should be private](rds-controls.md#rds-1)  | 
|  PCI DSS v3.2.1  |  PCI.RDS.2 RDS DB Instances should prohibit public access  |  [[RDS.2] RDS DB Instances should prohibit public access, as determined by the PubliclyAccessible configuration](rds-controls.md#rds-2)  | 
|  PCI DSS v3.2.1  |  PCI.Redshift.1 Amazon Redshift clusters should prohibit public access  |  [[Redshift.1] Amazon Redshift clusters should prohibit public access](redshift-controls.md#redshift-1)  | 
|  PCI DSS v3.2.1  |  PCI.S3.1 S3 buckets should prohibit public write access  |  [[S3.3] S3 general purpose buckets should block public write access](s3-controls.md#s3-3)  | 
|  PCI DSS v3.2.1  |  PCI.S3.2 S3 buckets should prohibit public read access  |  [[S3.2] S3 general purpose buckets should block public read access](s3-controls.md#s3-2)  | 
|  PCI DSS v3.2.1  |  PCI.S3.3 S3 buckets should have cross-region replication enabled  |  [[S3.7] S3 general purpose buckets should use cross-Region replication](s3-controls.md#s3-7)  | 
|  PCI DSS v3.2.1  |  PCI.S3.5 S3 buckets should require requests to use Secure Socket Layer  |  [[S3.5] S3 general purpose buckets should require requests to use SSL](s3-controls.md#s3-5)  | 
|  PCI DSS v3.2.1  |  PCI.S3.6 S3 Block Public Access setting should be enabled  |  [[S3.1] S3 general purpose buckets should have block public access settings enabled](s3-controls.md#s3-1)  | 
|  PCI DSS v3.2.1  |  PCI.SageMaker.1 Amazon SageMaker notebook instances should not have direct internet access  |  [[SageMaker.1] Amazon SageMaker notebook instances should not have direct internet access](sagemaker-controls.md#sagemaker-1)  | 
|  PCI DSS v3.2.1  |  PCI.SSM.1 EC2 instances managed by Systems Manager should have a patch compliance status of COMPLIANT after a patch installation  |  [[SSM.2] Amazon EC2 instances managed by Systems Manager should have a patch compliance status of COMPLIANT after a patch installation](ssm-controls.md#ssm-2)  | 
|  PCI DSS v3.2.1  |  PCI.SSM.2 EC2 instances managed by Systems Manager should have an association compliance status of COMPLIANT  |  [[SSM.3] Amazon EC2 instances managed by Systems Manager should have an association compliance status of COMPLIANT](ssm-controls.md#ssm-3)  | 
|  PCI DSS v3.2.1  |  PCI.SSM.3 EC2 instances should be managed by Amazon Systems Manager  |  [[SSM.1] Amazon EC2 instances should be managed by Amazon Systems Manager](ssm-controls.md#ssm-1)  | 

## Updating workflows for consolidation


If your workflows don’t rely on the specific format of any fields in control findings, no action is required.

If your workflows rely on the specific format of one or more fields in control findings, as noted in the preceding tables, you should update your workflows. For example, if you created an Amazon EventBridge rule that triggered an action for a specific control ID, such as invoking an Amazon Lambda function if the control ID equals CIS 2.7, update the rule to use CloudTrail.2, which is the value for the `Compliance.SecurityControlId` field for that control.

If you created [custom insights](securityhub-custom-insights.md) that use any of the fields or values that changed, update those insights to use the new fields or values.

# Required top-level ASFF attributes


The following top-level attributes in the Amazon Security Finding Format (ASFF) are required for all findings in Security Hub CSPM. For more information about these attributes, see [https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_AwsSecurityFinding.html](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_AwsSecurityFinding.html) in the *Amazon Security Hub API Reference*.

## AwsAccountId


The Amazon Web Services account ID that the finding applies to.

**Example**

```
"AwsAccountId": "111111111111"
```

## CreatedAt


Indicates when the potential security issue or event captured by a finding was created.

**Example**

```
"CreatedAt": "2017-03-22T13:22:13.933Z"
```

## Description


A finding's description. This field can be nonspecific boilerplate text or details that are specific to the instance of the finding.

For control findings that Security Hub CSPM generates, this field provides a description of the control.

This field doesn't reference a standard if you turn on [consolidated control findings](controls-findings-create-update.md#consolidated-control-findings).

**Example**

```
"Description": "This Amazon control checks whether Amazon Config is enabled in the current account and Region."
```

## GeneratorId


The identifier for the solution-specific component (a discrete unit of logic) that generated a finding.

For control findings that Security Hub CSPM generates, this field doesn't reference a standard if you turn on [consolidated control findings](controls-findings-create-update.md#consolidated-control-findings).

**Example**

```
"GeneratorId": "security-control/Config.1"
```

## Id


The product-specific identifier for a finding. For control findings that Security Hub CSPM generates, this field provides the Amazon Resource Name (ARN) of the finding.

This field doesn't reference a standard if you turn on [consolidated control findings](controls-findings-create-update.md#consolidated-control-findings).

**Example**

```
"Id": "arn:aws-cn:securityhub:eu-central-1:123456789012:security-control/iam.9/finding/ab6d6a26-a156-48f0-9403-115983e5a956"
```

## ProductArn


The Amazon Resource Name (ARN) generated by Security Hub CSPM that uniquely identifies a third-party findings product after the product is registered with Security Hub CSPM.

The format of this field is `arn:partition:securityhub:region:account-id:product/company-id/product-id`.
+ For Amazon Web Services services that are integrated with Security Hub CSPM, the `company-id` must be "`aws`", and the `product-id` must be the Amazon public service name. Because Amazon products and services aren't associated with an account, the `account-id` section of the ARN is empty. Amazon Web Services services that are not yet integrated with Security Hub CSPM are considered third-party products.
+ For public products, the `company-id` and `product-id` must be the ID values specified at the time of registration.
+ For private products, the `company-id` must be the account ID. The `product-id` must be the reserved word "default" or the ID that was specified at the time of registration.

**Example**

```
// Private ARN
    "ProductArn": "arn:aws-cn:securityhub:us-east-1:111111111111:product/111111111111/default"

// Public ARN
    "ProductArn": "arn:aws-cn:securityhub:us-west-2::product/aws/guardduty"
    "ProductArn": "arn:aws-cn:securityhub:us-west-2:222222222222:product/generico/secure-pro"
```

## Resources


The `Resources` array of objects provides a set of resource data types that describe the Amazon resources that the finding refers to. For details about the fields that a `Resources` object might contain, including which fields are required, see [https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_Resource.html](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_Resource.html) in the *Amazon Security Hub API Reference*. For examples of `Resources` objects for specific Amazon Web Services services, see [Resources ASFF object](asff-resources.md).

**Example**

```
"Resources": [
  {
    "ApplicationArn": "arn:aws-cn:resource-groups:us-west-2:123456789012:group/SampleApp/1234567890abcdef0",
    "ApplicationName": "SampleApp",
    "DataClassification": {
      "DetailedResultsLocation": "Path_to_Folder_Or_File",
      "Result": {
        "MimeType": "text/plain",
        "SizeClassified": 2966026,
        "AdditionalOccurrences": false,
        "Status": {
          "Code": "COMPLETE",
          "Reason": "Unsupportedfield"
        },
        "SensitiveData": [
          {
            "Category": "PERSONAL_INFORMATION",
            "Detections": [
              {
                "Count": 34,
                "Type": "GE_PERSONAL_ID",
                "Occurrences": {
                  "LineRanges": [
                    {
                      "Start": 1,
                      "End": 10,
                      "StartColumn": 20
                    }
                  ],
                  "Pages": [],
                  "Records": [],
                  "Cells": []
                }
              },
              {
                "Count": 59,
                "Type": "EMAIL_ADDRESS",
                "Occurrences": {
                  "Pages": [
                    {
                      "PageNumber": 1,
                      "OffsetRange": {
                        "Start": 1,
                        "End": 100,
                        "StartColumn": 10
                      },
                      "LineRange": {
                        "Start": 1,
                        "End": 100,
                        "StartColumn": 10
                      }
                    }
                  ]
                }
              },
              {
                "Count": 2229,
                "Type": "URL",
                "Occurrences": {
                  "LineRanges": [
                    {
                      "Start": 1,
                      "End": 13
                    }
                  ]
                }
              },
              {
                "Count": 13826,
                "Type": "NameDetection",
                "Occurrences": {
                  "Records": [
                    {
                      "RecordIndex": 1,
                      "JsonPath": "$.ssn.value"
                    }
                  ]
                }
              },
              {
                "Count": 32,
                "Type": "AddressDetection"
              }
            ],
            "TotalCount": 32
          }
        ],
        "CustomDataIdentifiers": {
          "Detections": [
            {
              "Arn": "1712be25e7c7f53c731fe464f1c869b8",
              "Name": "1712be25e7c7f53c731fe464f1c869b8",
              "Count": 2
            }
          ],
          "TotalCount": 2
        }
      }
    },
    "Type": "AwsEc2Instance",
    "Id": "arn:aws-cn:ec2:us-west-2:123456789012:instance/i-abcdef01234567890",
    "Partition": "aws",
    "Region": "us-west-2",
    "ResourceRole": "Target",
    "Tags": {
      "billingCode": "Lotus-1-2-3",
      "needsPatching": "true"
    },
    "Details": {
      "AwsEc2Instance": {
        "IamInstanceProfileArn": "arn:aws-cn:iam::123456789012:role/IamInstanceProfileArn",
        "ImageId": "ami-79fd7eee",
        "IpV4Addresses": ["1.1.1.1"],
        "IpV6Addresses": ["2001:db8:1234:1a2b::123"],
        "KeyName": "testkey",
        "LaunchedAt": "2018-09-29T01:25:54Z",
        "MetadataOptions": {
          "HttpEndpoint": "enabled",
          "HttpProtocolIpv6": "enabled",
          "HttpPutResponseHopLimit": 1,
          "HttpTokens": "optional",
          "InstanceMetadataTags": "disabled"
        },
        "NetworkInterfaces": [
          {
            "NetworkInterfaceId": "eni-e5aa89a3"
          }
        ],
        "SubnetId": "PublicSubnet",
        "Type": "i3.xlarge",
        "VirtualizationType": "hvm",
        "VpcId": "TestVPCIpv6"
      }
    }
  }
]
```

## SchemaVersion


The schema version that a finding is formatted for. The value of this field must be one of the officially published versions identified by Amazon. In the current release, the Amazon Security Finding Format schema version is `2018-10-08`.

**Example**

```
"SchemaVersion": "2018-10-08"
```

## Severity


Defines the importance of a finding. For details about this object, see [https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_Severity.html](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_Severity.html) in the *Amazon Security Hub API Reference*.

`Severity` is both a top-level object in a finding and nested under the `FindingProviderFields` object.

The value of the top-level `Severity` object for a finding should be updated only by using the [https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_BatchUpdateFindings.html](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_BatchUpdateFindings.html) API.

To provide severity information, finding providers should update the `Severity` object under `FindingProviderFields` when making a [https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_BatchImportFindings.html](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_BatchImportFindings.html) API request. If a `BatchImportFindings` request for a new finding only provides `Label` or only provides `Normalized`, Security Hub CSPM automatically populates the value of the other field. The `Product` and `Original` fields may also be populated.

If the top-level `Finding.Severity` object is present but `Finding.FindingProviderFields` is not present, Security Hub CSPM creates the `FindingProviderFields.Severity` object and copies the entire `Finding.Severity` object into it. This ensures that the original, provider-supplied details are retained within the `FindingProviderFields.Severity` structure, even if the top-level `Severity` object is overwritten.

The finding severity does not consider the criticality of the involved assets or the underlying resource. Criticality is defined as the level of importance of the resources that are associated with the finding. For example, a resource that is associated with a mission critical application has higher criticality than one that is associated with nonproduction testing. To capture information about resource criticality, use the `Criticality` field.

We recommend using the following guidance when translating findings' native severity scores to the value of `Severity.Label` in the ASFF.
+ `INFORMATIONAL` – This category may include a finding for a `PASSED`, `WARNING`, or `NOT AVAILABLE` check or a sensitive data identification.
+ `LOW` – Findings that could result in future compromises. For example, this category may include vulnerabilities, configuration weaknesses, and exposed passwords.
+ `MEDIUM` – Findings that indicate an active compromise, but no indication that an adversary completed their objectives. For example, this category may include malware activity, hacking activity, and unusual behavior detection.
+ `HIGH` or `CRITICAL` – Findings that indicate that an adversary completed their objectives, such as active data loss or compromise or a denial of service.

**Example**

```
"Severity": {
    "Label": "CRITICAL",
    "Normalized": 90,
    "Original": "CRITICAL"
}
```

## Title


A finding's title. This field can contain nonspecific boilerplate text or details that are specific to this instance of the finding.

For control findings, this field provides the title of the control. This field doesn't reference a standard if you turn on [consolidated control findings](controls-findings-create-update.md#consolidated-control-findings).

**Example**

```
"Title": "Amazon Config should be enabled"
```

## Types


One or more finding types in the format of `namespace/category/classifier` that classify a finding. This field doesn't reference a standard if you turn on [consolidated control findings](controls-findings-create-update.md#consolidated-control-findings).

`Types` should be updated only by using the [https://docs.amazonaws.cn//securityhub/1.0/APIReference/API_BatchUpdateFindings.html](https://docs.amazonaws.cn//securityhub/1.0/APIReference/API_BatchUpdateFindings.html) API.

Finding providers who want to provide a value for `Types` should use the `Types` attribute under [https://docs.amazonaws.cn//securityhub/1.0/APIReference/API_FindingProviderFields.html](https://docs.amazonaws.cn//securityhub/1.0/APIReference/API_FindingProviderFields.html).

In the following list, the top-level bullets are namespaces, the second-level bullets are categories, and the third-level bullets are classifiers. We recommend that finding providers use defined namespaces to help sort and group findings. The defined categories and classifiers may also be used, but are not required. Only the Software and Configuration Checks namespace has defined classifiers.

You may define a partial path for namespace/category/classifier. For example, the following finding types are all valid:
+ TTPs
+ TTPs/Defense Evasion
+ TTPs/Defense Evasion/CloudTrailStopped

The tactics, techniques, and procedures (TTPs) categories in the following list align to the [MITRE ATT&CK Matrix™](https://attack.mitre.org/matrices/enterprise/). The Unusual Behaviors namespace reflects general unusual behavior, such as general statistical anomalies, and is not aligned with a specific TTP. However, you can classify a finding with both Unusual Behaviors and TTPs finding types.

**List of namespaces, categories, and classifiers:**
+ Software and Configuration Checks
  + Vulnerabilities
    + CVE
  + Amazon Security Best Practices
    + Network Reachability
    + Runtime Behavior Analysis
  + Industry and Regulatory Standards
    + Amazon Foundational Security Best Practices
    + CIS Host Hardening Benchmarks
    + CIS Amazon Foundations Benchmark
    + PCI-DSS
    + Cloud Security Alliance Controls
    + ISO 90001 Controls
    + ISO 27001 Controls
    + ISO 27017 Controls
    + ISO 27018 Controls
    + SOC 1
    + SOC 2
    + HIPAA Controls (USA)
    + NIST 800-53 Controls (USA)
    + NIST CSF Controls (USA)
    + IRAP Controls (Australia)
    + K-ISMS Controls (Korea)
    + MTCS Controls (Singapore)
    + FISC Controls (Japan)
    + My Number Act Controls (Japan)
    + ENS Controls (Spain)
    + Cyber Essentials Plus Controls (UK)
    + G-Cloud Controls (UK)
    + C5 Controls (Germany)
    + IT-Grundschutz Controls (Germany)
    + GDPR Controls (Europe)
    + TISAX Controls (Europe)
  + Patch Management
+ TTPs
  + Initial Access
  + Execution
  + Persistence
  + Privilege Escalation
  + Defense Evasion
  + Credential Access
  + Discovery
  + Lateral Movement
  + Collection
  + Command and Control
+ Effects
  + Data Exposure
  + Data Exfiltration 
  + Data Destruction 
  + Denial of Service 
  + Resource Consumption
+ Unusual Behaviors
  + Application
  + Network Flow
  + IP address
  + User
  + VM
  + Container
  + Serverless
  + Process
  + Database
  + Data 
+ Sensitive Data Identifications
  + PII
  + Passwords
  + Legal
  + Financial
  + Security
  + Business

**Example**

```
"Types": [
    "Software and Configuration Checks/Vulnerabilities/CVE"
]
```
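A validator for the `Types` attribute, written for this page as an added example (it is not code from the Security Hub CSPM documentation): it accepts the partial paths the text allows, rejects undefined namespaces, and only warns about categories or classifiers that are not in the list above, which is this example's reading of the recommendation rather than a Security Hub CSPM rule. The defined names are copied from the list on this page; the function names are this example's own.

```python
"""Validate the ``Types`` attribute of a finding against the namespaces,
categories and classifiers listed above.

Added example, not code from the Security Hub CSPM documentation.  The names
below are copied from this page's list; treating an undefined namespace as an
error but an undefined category or classifier only as a warning is this
example's reading of the page's recommendation, not a Security Hub CSPM rule.
"""
from __future__ import annotations

from dataclasses import dataclass, field

INDUSTRY_STANDARDS = {
    "Amazon Foundational Security Best Practices", "CIS Host Hardening Benchmarks",
    "CIS Amazon Foundations Benchmark", "PCI-DSS", "Cloud Security Alliance Controls",
    "ISO 90001 Controls", "ISO 27001 Controls", "ISO 27017 Controls", "ISO 27018 Controls",
    "SOC 1", "SOC 2", "HIPAA Controls (USA)", "NIST 800-53 Controls (USA)",
    "NIST CSF Controls (USA)", "IRAP Controls (Australia)", "K-ISMS Controls (Korea)",
    "MTCS Controls (Singapore)", "FISC Controls (Japan)", "My Number Act Controls (Japan)",
    "ENS Controls (Spain)", "Cyber Essentials Plus Controls (UK)", "G-Cloud Controls (UK)",
    "C5 Controls (Germany)", "IT-Grundschutz Controls (Germany)", "GDPR Controls (Europe)",
    "TISAX Controls (Europe)",
}

# namespace -> category -> defined classifiers (an empty set means none are defined)
DEFINED_TYPES: dict[str, dict[str, set[str]]] = {
    "Software and Configuration Checks": {
        "Vulnerabilities": {"CVE"},
        "Amazon Security Best Practices": {"Network Reachability", "Runtime Behavior Analysis"},
        "Industry and Regulatory Standards": INDUSTRY_STANDARDS,
        "Patch Management": set(),
    },
    "TTPs": {c: set() for c in ("Initial Access", "Execution", "Persistence",
                                "Privilege Escalation", "Defense Evasion", "Credential Access",
                                "Discovery", "Lateral Movement", "Collection",
                                "Command and Control")},
    "Effects": {c: set() for c in ("Data Exposure", "Data Exfiltration", "Data Destruction",
                                   "Denial of Service", "Resource Consumption")},
    "Unusual Behaviors": {c: set() for c in ("Application", "Network Flow", "IP address", "User",
                                             "VM", "Container", "Serverless", "Process",
                                             "Database", "Data")},
    "Sensitive Data Identifications": {c: set() for c in ("PII", "Passwords", "Legal",
                                                          "Financial", "Security", "Business")},
}


@dataclass
class TypeCheck:
    value: str
    valid: bool                          # well-formed and in a defined namespace
    warnings: list[str] = field(default_factory=list)


def check_finding_type(value: str) -> TypeCheck:
    """Check one namespace[/category[/classifier]] path as the text above describes."""
    parts = value.split("/")
    if not 1 <= len(parts) <= 3 or any(not p.strip() for p in parts):
        return TypeCheck(value, False, ["expected namespace[/category[/classifier]]"])
    namespace = parts[0]
    if namespace not in DEFINED_TYPES:
        return TypeCheck(value, False, [f"{namespace!r} is not a defined namespace"])
    categories = DEFINED_TYPES[namespace]
    warnings: list[str] = []
    if len(parts) >= 2 and parts[1] not in categories:
        warnings.append(f"{parts[1]!r} is not a defined category of {namespace!r}")
    if len(parts) == 3:
        if namespace != "Software and Configuration Checks":
            warnings.append("custom classifier: only Software and Configuration Checks "
                            "has defined classifiers")
        elif parts[1] in categories and parts[2] not in categories[parts[1]]:
            warnings.append(f"{parts[2]!r} is not a defined classifier of {parts[1]!r}")
    return TypeCheck(value, True, warnings)


def check_types(types: list[str]) -> list[TypeCheck]:
    """Check every entry of a finding's Types list."""
    return [check_finding_type(t) for t in types]


if __name__ == "__main__":
    # The three valid examples from the text plus the Types value shown above.
    for result in check_types(["TTPs", "TTPs/Defense Evasion",
                               "TTPs/Defense Evasion/CloudTrailStopped",
                               "Software and Configuration Checks/Vulnerabilities/CVE"]):
        print(result)
```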

## UpdatedAt


Indicates when the finding provider last updated the finding record.

This timestamp reflects the time when the finding record was last or most recently updated. Consequently, it can differ from the `LastObservedAt` timestamp, which reflects when the event or vulnerability was last or most recently observed.

When you update the finding record, you must update this timestamp to the current timestamp. Upon creation of a finding record, the `CreatedAt` and `UpdatedAt` timestamps must be the same. After an update to the finding record, the value of this field must be more recent than all of the previous values that it contained.

Note that `UpdatedAt` cannot be updated by using the [https://docs.amazonaws.cn//securityhub/1.0/APIReference/API_BatchUpdateFindings.html](https://docs.amazonaws.cn//securityhub/1.0/APIReference/API_BatchUpdateFindings.html) operation. You can update it only by using the [https://docs.amazonaws.cn//securityhub/1.0/APIReference/API_BatchImportFindings.html](https://docs.amazonaws.cn//securityhub/1.0/APIReference/API_BatchImportFindings.html) operation.

**Example**

```
"UpdatedAt": "2017-04-22T13:22:13.933Z"
```
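The required-attribute rules of this section (the attribute list, the `ProductArn` format with its three product kinds, and the `CreatedAt`/`UpdatedAt` invariants) as a pre-send check, added here as an example that is not code from the Security Hub CSPM documentation. The function names and the sample finding are constructed; the sample reuses the example values shown above.

```python
"""Check the invariants stated above for the required top-level ASFF
attributes before a finding is sent with BatchImportFindings.

Added example, not code from the Security Hub CSPM documentation.  The
function names and the sample finding are constructed for this example; the
ProductArn format and the timestamp rules are the ones the page states.
"""
from __future__ import annotations

from datetime import datetime, timezone

REQUIRED_TOP_LEVEL = (
    "AwsAccountId", "CreatedAt", "Description", "GeneratorId", "Id", "ProductArn",
    "Resources", "SchemaVersion", "Severity", "Title", "Types", "UpdatedAt",
)
ASFF_SCHEMA_VERSION = "2018-10-08"


def parse_product_arn(arn: str) -> dict[str, str]:
    """Split arn:partition:securityhub:region:account-id:product/company-id/product-id."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn" or parts[2] != "securityhub":
        raise ValueError(f"not a Security Hub product ARN: {arn}")
    resource = parts[5].split("/")
    if len(resource) != 3 or resource[0] != "product" or not all(resource[1:]):
        raise ValueError(f"resource must be product/company-id/product-id: {arn}")
    return {"partition": parts[1], "region": parts[3], "account_id": parts[4],
            "company_id": resource[1], "product_id": resource[2]}


def product_arn_kind(arn: str) -> str:
    """Classify a ProductArn as 'aws-service', 'private' or 'public' by the rules above."""
    p = parse_product_arn(arn)
    if p["company_id"] == "aws":
        if p["account_id"]:
            raise ValueError("account-id must be empty for an Amazon Web Services product")
        return "aws-service"
    if p["account_id"] and p["company_id"] == p["account_id"]:
        return "private"   # product-id is "default" or the ID chosen at registration
    return "public"


def _ts(value: str) -> datetime:
    """Parse the ISO 8601 UTC timestamps ASFF uses, e.g. 2017-03-22T13:22:13.933Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def check_required(finding: dict, previous_updated_at: str | None = None) -> list[str]:
    """Return the problems found; an empty list means the invariants on this page hold.

    previous_updated_at is the UpdatedAt of the record already in Security Hub CSPM,
    or None when the finding is being created.
    """
    problems = [f"missing required attribute {n}" for n in REQUIRED_TOP_LEVEL if n not in finding]
    if problems:
        return problems
    if finding["SchemaVersion"] != ASFF_SCHEMA_VERSION:
        problems.append(f"SchemaVersion must be {ASFF_SCHEMA_VERSION}")
    if not (finding["AwsAccountId"].isdigit() and len(finding["AwsAccountId"]) == 12):
        problems.append("AwsAccountId must be a 12-digit account ID")
    try:
        product_arn_kind(finding["ProductArn"])
    except ValueError as exc:
        problems.append(str(exc))
    if not finding["Resources"] or not finding["Types"]:
        problems.append("Resources and Types must each contain at least one entry")
    created, updated = _ts(finding["CreatedAt"]), _ts(finding["UpdatedAt"])
    if previous_updated_at is None and created != updated:
        problems.append("on creation, CreatedAt and UpdatedAt must be the same")
    if previous_updated_at is not None and updated <= _ts(previous_updated_at):
        problems.append("UpdatedAt must be more recent than every previous value")
    if updated < created:
        problems.append("UpdatedAt cannot be earlier than CreatedAt")
    return problems


# Constructed sample finding, built from the example values shown in this section.
SAMPLE_FINDING = {
    "SchemaVersion": "2018-10-08",
    "Id": "arn:aws-cn:securityhub:eu-central-1:123456789012:security-control/iam.9/finding/ab6d6a26-a156-48f0-9403-115983e5a956",
    "ProductArn": "arn:aws-cn:securityhub:us-west-2:222222222222:product/generico/secure-pro",
    "GeneratorId": "security-control/Config.1",
    "AwsAccountId": "111111111111",
    "Types": ["Software and Configuration Checks/Vulnerabilities/CVE"],
    "CreatedAt": "2017-03-22T13:22:13.933Z",
    "UpdatedAt": "2017-03-22T13:22:13.933Z",
    "Severity": {"Label": "CRITICAL", "Normalized": 90},
    "Title": "Amazon Config should be enabled",
    "Description": "This Amazon control checks whether Amazon Config is enabled in the current account and Region.",
    "Resources": [{"Type": "AwsAccount", "Id": "arn:aws-cn:iam::111111111111:root"}],  # constructed
}

if __name__ == "__main__":
    print(check_required(SAMPLE_FINDING))   # [] : valid on creation
    later = dict(SAMPLE_FINDING, UpdatedAt="2017-04-22T13:22:13.933Z")
    print(check_required(later, previous_updated_at=SAMPLE_FINDING["UpdatedAt"]))   # []
```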

# Optional top-level ASFF attributes


The following top-level attributes in the Amazon Security Finding Format (ASFF) are optional for findings in Security Hub CSPM. For more information about these attributes, see [AwsSecurityFinding](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_AwsSecurityFinding.html) in the *Amazon Security Hub API Reference*.

## Action


The [https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_Action.html](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_Action.html) object provides details about an action that affects or was taken on a resource.

**Example**

```
"Action": {
    "ActionType": "PORT_PROBE",
    "PortProbeAction": {
        "PortProbeDetails": [
            {
                "LocalPortDetails": {
                    "Port": 80,
                    "PortName": "HTTP"
                  },
                "LocalIpDetails": {
                     "IpAddressV4": "192.0.2.0"
                 },
                "RemoteIpDetails": {
                    "Country": {
                        "CountryName": "Example Country"
                    },
                    "City": {
                        "CityName": "Example City"
                    },
                   "GeoLocation": {
                       "Lon": 0,
                       "Lat": 0
                   },
                   "Organization": {
                       "AsnOrg": "ExampleASO",
                       "Org": "ExampleOrg",
                       "Isp": "ExampleISP",
                       "Asn": 64496
                   }
                }
            }
        ],
        "Blocked": false
    }
}
```

## AwsAccountName


The Amazon Web Services account name that the finding applies to.

**Example**

```
"AwsAccountName": "jane-doe-testaccount"
```

## CompanyName


The name of the company for the product that generated the finding. For control-based findings, the company is Amazon.

Security Hub CSPM populates this attribute automatically for each finding. You cannot update it using [https://docs.amazonaws.cn//securityhub/1.0/APIReference/API_BatchImportFindings.html](https://docs.amazonaws.cn//securityhub/1.0/APIReference/API_BatchImportFindings.html) or [https://docs.amazonaws.cn//securityhub/1.0/APIReference/API_BatchUpdateFindings.html](https://docs.amazonaws.cn//securityhub/1.0/APIReference/API_BatchUpdateFindings.html). The exception to this is when you use a custom integration. See [Integrating Security Hub CSPM with custom products](securityhub-custom-providers.md).

When you use the Security Hub CSPM console to filter findings by company name, you use this attribute. When you use the Security Hub CSPM API to filter findings by company name, you use the `aws/securityhub/CompanyName` attribute under `ProductFields`. Security Hub CSPM does not synchronize those two attributes.

**Example**

```
"CompanyName": "Amazon"
```

## Compliance


The [https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_Compliance.html](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_Compliance.html) object typically provides details about a control finding, such as applicable standards and the status of the control check.

**Example**

```
"Compliance": {
    "AssociatedStandards": [
        {"StandardsId": "standards/aws-foundational-security-best-practices/v/1.0.0"},
        {"StandardsId": "standards/service-managed-aws-control-tower/v/1.0.0"},
        {"StandardsId": "standards/nist-800-53/v/5.0.0"}
    ],
    "RelatedRequirements": [
        "NIST.800-53.r5 AC-4",
        "NIST.800-53.r5 AC-4(21)",
        "NIST.800-53.r5 SC-7",
        "NIST.800-53.r5 SC-7(11)",
        "NIST.800-53.r5 SC-7(16)",
        "NIST.800-53.r5 SC-7(21)",
        "NIST.800-53.r5 SC-7(4)",
        "NIST.800-53.r5 SC-7(5)"
    ],
    "SecurityControlId": "EC2.18",
    "SecurityControlParameters":[
        {
            "Name": "authorizedTcpPorts",
            "Value": ["80", "443"]
        },
        {
            "Name": "authorizedUdpPorts",
            "Value": ["427"]
        }
    ],
    "Status": "NOT_AVAILABLE",
    "StatusReasons": [
        {
            "ReasonCode": "CONFIG_RETURNS_NOT_APPLICABLE",
            "Description": "This finding has a compliance status of NOT AVAILABLE because Amazon Config sent Security Hub CSPM a finding with a compliance state of Not Applicable. The potential reasons for a Not Applicable finding from Config are that (1) a resource has been moved out of scope of the Config rule; (2) the Config rule has been deleted; (3) the resource has been deleted; or (4) the logic of the Config rule itself includes scenarios where Not Applicable is returned. The specific reason why Not Applicable is returned is not available in the Config rule evaluation."
        }
    ]
}
```

## Confidence


The likelihood that a finding accurately identifies the behavior or issue that it was intended to identify.

`Confidence` should only be updated using [https://docs.amazonaws.cn//securityhub/1.0/APIReference/API_BatchUpdateFindings.html](https://docs.amazonaws.cn//securityhub/1.0/APIReference/API_BatchUpdateFindings.html).

Finding providers who want to provide a value for `Confidence` should use the `Confidence` attribute under `FindingProviderFields`. See [Updating findings with FindingProviderFields](finding-update-batchimportfindings.md#batchimportfindings-findingproviderfields).

`Confidence` is scored on a 0–100 basis using a ratio scale. 0 means 0 percent confidence, and 100 means 100 percent confidence. For example, a data exfiltration detection based on a statistical deviation of network traffic has low confidence because an actual exfiltration hasn't been verified.

**Example**

```
"Confidence": 42
```

## Criticality


The level of importance that is assigned to the resources that are associated with a finding.

`Criticality` should only be updated by calling the [https://docs.amazonaws.cn//securityhub/1.0/APIReference/API_BatchUpdateFindings.html](https://docs.amazonaws.cn//securityhub/1.0/APIReference/API_BatchUpdateFindings.html) API operation. Don't update this attribute with [https://docs.amazonaws.cn//securityhub/1.0/APIReference/API_BatchImportFindings.html](https://docs.amazonaws.cn//securityhub/1.0/APIReference/API_BatchImportFindings.html).

Finding providers who want to provide a value for `Criticality` should use the `Criticality` attribute under `FindingProviderFields`. See [Updating findings with FindingProviderFields](finding-update-batchimportfindings.md#batchimportfindings-findingproviderfields).

`Criticality` is scored on a 0–100 basis, using a ratio scale that supports only full integers. A score of 0 means that the underlying resources have no criticality, and a score of 100 is reserved for the most critical resources.

For each resource, consider the following when assigning `Criticality`:
+ Does the affected resource contain sensitive data (for example, an S3 bucket with PII)? 
+ Does the affected resource enable an adversary to deepen their access or extend their capabilities to carry out additional malicious activity (for example, a compromised sysadmin account)?
+ Is the resource a business-critical asset (for example, a key business system that if compromised could have significant revenue impact)?

You can use the following guidelines:
+ A resource powering mission-critical systems or containing highly sensitive data can be scored in the 75–100 range.
+ A resource powering important (but not critical systems) or containing moderately important data can be scored in the 25–74 range.
+ A resource powering unimportant systems or containing nonsensitive data should be scored in the 0–24 range.

**Example**

```
"Criticality": 99
```

## Detection


The `Detection` object provides details about an attack sequence finding from Amazon GuardDuty Extended Threat Detection. GuardDuty generates an attack sequence finding when multiple events align to a potentially suspicious activity. To receive GuardDuty attack sequence findings in Amazon Security Hub CSPM, you must have GuardDuty enabled in your account. For more information, see [Amazon GuardDuty Extended Threat Detection](https://docs.amazonaws.cn/guardduty/latest/ug/guardduty-extended-threat-detection.html) in the *Amazon GuardDuty User Guide*.

**Example**

```
"Detection": {
    "Sequence": {
        "Uid": "1111111111111-184ec3b9-cf8d-452d-9aad-f5bdb7afb010",
        "Actors": [{
            "Id": "USER:AROA987654321EXAMPLE:i-b188560f:1234567891",
            "Session": {
                "Uid": "1234567891",
                "MfaStatus": "DISABLED",
                "CreatedTime": 1716916944000,
                "Issuer": "arn:aws-cn:s3:::amzn-s3-demo-destination-bucket"
            },
            "User": {
                "CredentialUid": "ASIAIOSFODNN7EXAMPLE",
                "Name": "ec2_instance_role_production",
                "Type": "AssumedRole",
                "Uid": "AROA987654321EXAMPLE:i-b188560f",
                "Account": {
                    "Uid": "AccountId",
                    "Name": "AccountName"
                }
            }
        }],
        "Endpoints": [{
            "Id": "EndpointId",
            "Ip": "203.0.113.1",
            "Domain": "example.com",
            "Port": 4040,
            "Location": {
                "City": "New York",
                "Country": "US",
                "Lat": 40.7123,
                "Lon": -74.0068
            },
            "AutonomousSystem": {
                "Name": "AnyCompany",
                "Number": 64496
            },
            "Connection": {
                "Direction": "INBOUND"
            }
        }],
        "Signals": [{
            "Id": "arn:aws-cn:guardduty:us-east-1:123456789012:detector/d0bfe135ab8b4dd8c3eaae7df9900073/finding/535a382b1bcc44d6b219517a29058fb7",
            "Title": "Someone ran a penetration test tool on your account.",
            "ActorIds": ["USER:AROA987654321EXAMPLE:i-b188560f:1234567891"],
            "Count": 19,
            "FirstSeenAt": 1716916943000,
            "SignalIndicators": [
                {
                    "Key": "ATTACK_TACTIC",
                    "Title": "Attack Tactic",
                    "Values": [
                        "Impact"
                    ]
                },
                {
                    "Key": "HIGH_RISK_API",
                    "Title": "High Risk Api",
                    "Values": [
                        "s3:DeleteObject"
                    ]
                },
                {
                    "Key": "ATTACK_TECHNIQUE",
                    "Title": "Attack Technique",
                    "Values": [
                        "Data Destruction"
                    ]
                }
            ],
            "LastSeenAt": 1716916944000,
            "Name": "Test:IAMUser/KaliLinux",
            "ResourceIds": [
                "arn:aws-cn:s3:::amzn-s3-demo-destination-bucket"
            ],
            "Type": "FINDING"
        }],
        "SequenceIndicators": [
            {
                "Key": "ATTACK_TACTIC",
                "Title": "Attack Tactic",
                "Values": [
                    "Discovery",
                    "Exfiltration",
                    "Impact"
                ]
            },
            {
                "Key": "HIGH_RISK_API",
                "Title": "High Risk Api",
                "Values": [
                    "s3:DeleteObject",
                    "s3:GetObject",
                    "s3:ListBuckets",
                    "s3:ListObjects"
                ]
            },
            {
                "Key": "ATTACK_TECHNIQUE",
                "Title": "Attack Technique",
                "Values": [
                    "Cloud Service Discovery",
                    "Data Destruction"
                ]
            }
        ]
    }
}
```

## FindingProviderFields


`FindingProviderFields` includes the following attributes:
+ `Confidence`
+ `Criticality`
+ `RelatedFindings`
+ `Severity`
+ `Types`

The preceding fields are nested under the `FindingProviderFields` object, but have analogues of the same name as top-level ASFF fields. When a finding provider sends a new finding to Security Hub CSPM and the `FindingProviderFields` object is empty, Security Hub CSPM populates it automatically from the corresponding top-level fields.

Finding providers can update `FindingProviderFields` by using the [https://docs.amazonaws.cn//securityhub/1.0/APIReference/API_BatchImportFindings.html](https://docs.amazonaws.cn//securityhub/1.0/APIReference/API_BatchImportFindings.html) operation of the Security Hub CSPM API. Finding providers cannot update this object with [https://docs.amazonaws.cn//securityhub/1.0/APIReference/API_BatchUpdateFindings.html](https://docs.amazonaws.cn//securityhub/1.0/APIReference/API_BatchUpdateFindings.html).

For details on how Security Hub CSPM handles updates from `BatchImportFindings` to `FindingProviderFields` and to the corresponding top-level attributes, see [Updating findings with FindingProviderFields](finding-update-batchimportfindings.md#batchimportfindings-findingproviderfields).

Customers can update the top-level fields by using the `BatchUpdateFindings` operation. Customers can't update `FindingProviderFields`.

**Example**

```
"FindingProviderFields": {
    "Confidence": 42,
    "Criticality": 99,
    "RelatedFindings":[
      { 
        "ProductArn": "arn:aws-cn:securityhub:us-west-2::product/aws/guardduty", 
        "Id": "123e4567-e89b-12d3-a456-426655440000" 
      }
    ],
    "Severity": {
        "Label": "MEDIUM", 
        "Original": "MEDIUM"
    },
    "Types": [ "Software and Configuration Checks/Vulnerabilities/CVE" ]
}
```

## FirstObservedAt


Indicates when the potential security issue or event captured by a finding was first observed.

This timestamp specifies when the event or vulnerability was first observed. Consequently, it can differ from the `CreatedAt` timestamp, which reflects when this finding record was created.

For control findings that Security Hub CSPM generates and updates, this timestamp can also indicate when the compliance status of a resource most recently changed. For other types of findings, this timestamp should be immutable between updates of the finding record, but can be updated if a more accurate timestamp is determined.

**Example**

```
"FirstObservedAt": "2017-03-22T13:22:13.933Z"
```

## LastObservedAt


Indicates when the potential security issue or event captured by a finding was most recently observed by the security findings product.

This timestamp specifies when the event or vulnerability was last or most recently observed. Consequently, it can differ from the `UpdatedAt` timestamp, which reflects when this finding record was last or most recently updated. 

You can provide this timestamp, but it isn't required upon first observation. If you populate this field upon first observation, the timestamp should be the same as the `FirstObservedAt` timestamp. You should update this field to reflect the last or most recently observed timestamp each time a finding is observed.

**Example**

```
"LastObservedAt": "2017-03-23T13:22:13.933Z"
```
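The following is an added example, not code from the Security Hub CSPM documentation. It shows how a finding provider can shape a finding before calling `BatchImportFindings` so that `FindingProviderFields` is mirrored from the top-level attributes the way Security Hub CSPM does when the object is empty, and so that `FirstObservedAt` and `LastObservedAt` follow the rules described above (equal on first observation, only `LastObservedAt` moving afterwards). The function names and the sample finding are this example's own; the `ProductArn`, account ID and timestamps are constructed values.

```python
"""Added example (not from the Security Hub CSPM documentation): prepare a
finding for BatchImportFindings so that FindingProviderFields and the
observation timestamps follow the attribute rules. Names are this example's own."""
import copy
from datetime import datetime, timezone

# Attributes that exist both at the top level and under FindingProviderFields.
MIRRORED_FIELDS = ("Confidence", "Criticality", "RelatedFindings", "Severity", "Types")


def iso_now() -> str:
    """UTC timestamp in the millisecond ISO 8601 form used throughout ASFF."""
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"


def mirror_finding_provider_fields(finding: dict) -> dict:
    """Populate FindingProviderFields from the top-level attributes when the
    object is absent or empty (what Security Hub does on import). A
    provider-supplied object is left untouched."""
    out = copy.deepcopy(finding)
    if not out.get("FindingProviderFields"):
        out["FindingProviderFields"] = {
            name: copy.deepcopy(out[name]) for name in MIRRORED_FIELDS if name in out
        }
    return out


def record_observation(finding: dict, observed_at: str) -> dict:
    """First observation: FirstObservedAt and LastObservedAt get the same value.
    Later observations: only LastObservedAt changes, and only forward.
    observed_at must use the same fixed ISO 8601 UTC format as the stored
    values, so the strings compare correctly as plain strings."""
    out = copy.deepcopy(finding)
    if "FirstObservedAt" not in out:
        out["FirstObservedAt"] = observed_at
        out["LastObservedAt"] = observed_at
    elif observed_at > out.get("LastObservedAt", ""):
        out["LastObservedAt"] = observed_at
    # UpdatedAt is required on every import and reflects this record update,
    # not the observation time.
    out["UpdatedAt"] = iso_now()
    return out


def prepare_import(finding: dict, observed_at: str) -> dict:
    """Return a copy of `finding` ready to be passed to BatchImportFindings."""
    return mirror_finding_provider_fields(record_observation(finding, observed_at))


# Constructed sample finding; values are illustrative, not a real finding.
SAMPLE_FINDING = {
    "SchemaVersion": "2018-10-08",
    "Id": "example-finding-0001",
    "ProductArn": "arn:aws-cn:securityhub:us-west-2:123456789012:product/generico/secure-pro",
    "GeneratorId": "secure-pro-rule-42",
    "AwsAccountId": "123456789012",
    "Types": ["Software and Configuration Checks/Vulnerabilities/CVE"],
    "CreatedAt": "2024-01-01T00:00:00.000Z",
    "UpdatedAt": "2024-01-01T00:00:00.000Z",
    "Severity": {"Label": "MEDIUM", "Original": "MEDIUM"},
    "Confidence": 42,
    "Title": "Example finding",
    "Description": "Example finding used to exercise the helpers above.",
    "Resources": [{"Type": "Other", "Id": "example-resource",
                   "Partition": "aws-cn", "Region": "us-west-2"}],
}

if __name__ == "__main__":
    import json
    first = prepare_import(SAMPLE_FINDING, "2024-01-01T00:00:00.000Z")
    second = prepare_import(first, "2024-01-02T00:00:00.000Z")
    print(json.dumps({k: second[k] for k in
                      ("FirstObservedAt", "LastObservedAt", "FindingProviderFields")}, indent=2))
```

Both helpers return copies, so a provider can keep its own last-sent record and diff it against the next import. Note that `Criticality` is not mirrored in the sample because the top-level finding never set it; Security Hub only copies attributes that are present.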

## Malware


The [https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_Malware.html](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_Malware.html) object provides a list of malware related to a finding.

**Example**

```
"Malware": [
    {
        "Name": "Stringler",
        "Type": "COIN_MINER",
        "Path": "/usr/sbin/stringler",
        "State": "OBSERVED"
    }
]
```

## Network (Retired)


The [https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_Network.html](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_Network.html) object provides network-related information about a finding.

This object is retired. To provide this data, you can either map the data to a resource in `Resources`, or use the `Action` object.

**Example**

```
"Network": {
    "Direction": "IN",
    "OpenPortRange": {
        "Begin": 443,
        "End": 443
    },
    "Protocol": "TCP",
    "SourceIpV4": "1.2.3.4",
    "SourceIpV6": "FE80:CD00:0000:0CDE:1257:0000:211E:729C",
    "SourcePort": "42",
    "SourceDomain": "example1.com",
    "SourceMac": "00:0d:83:b1:c0:8e",
    "DestinationIpV4": "2.3.4.5",
    "DestinationIpV6": "FE80:CD00:0000:0CDE:1257:0000:211E:729C",
    "DestinationPort": "80",
    "DestinationDomain": "example2.com"
}
```

## NetworkPath


The [https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_NetworkPathComponent.html](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_NetworkPathComponent.html) object provides information about a network path that is related to a finding. Each entry in `NetworkPath` represents a component of the path.

**Example**

```
"NetworkPath" : [
    {
        "ComponentId": "abc-01a234bc56d8901ee",
        "ComponentType": "AWS::EC2::InternetGateway",
        "Egress": {
            "Destination": {
                "Address": [ "192.0.2.0/24" ],
                "PortRanges": [
                    {
                        "Begin": 443,
                        "End": 443
                    }
                ]
            },
            "Protocol": "TCP",
            "Source": {
                "Address": ["203.0.113.0/24"]
            }
        },
        "Ingress": {
            "Destination": {
                "Address": [ "198.51.100.0/24" ],
                "PortRanges": [
                    {
                        "Begin": 443,
                        "End": 443
                    }
                 ]
            },
            "Protocol": "TCP",
            "Source": {
                "Address": [ "203.0.113.0/24" ]
            }
        }
     }
]
```

## Note


The [https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_Note.html](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_Note.html) object specifies a user-defined note that you can add to a finding.

A finding provider can provide an initial note for a finding, but cannot add notes after that. You can only update a note using [https://docs.amazonaws.cn//securityhub/1.0/APIReference/API_BatchUpdateFindings.html](https://docs.amazonaws.cn//securityhub/1.0/APIReference/API_BatchUpdateFindings.html).

**Example**

```
"Note": {
    "Text": "Don't forget to check under the mat.",
    "UpdatedBy": "jsmith",
    "UpdatedAt": "2018-08-31T00:15:09Z"
}
```

## PatchSummary


The [https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_PatchSummary.html](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_PatchSummary.html) object provides a summary of the patch compliance status for an instance against a selected compliance standard.

**Example**

```
"PatchSummary" : {
    "FailedCount" : 0,
    "Id" : "pb-123456789098",
    "InstalledCount" : 100,
    "InstalledOtherCount" : 1023,
    "InstalledPendingReboot" : 0,
    "InstalledRejectedCount" : 0,
    "MissingCount" : 100,
    "Operation" : "Install",
    "OperationEndTime" : "2018-09-27T23:39:31Z",
    "OperationStartTime" : "2018-09-27T23:37:31Z",
    "RebootOption" : "RebootIfNeeded"
}
```

## Process


The [https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_ProcessDetails.html](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_ProcessDetails.html) object provides process-related details about a finding.

Example:

```
"Process": {
    "LaunchedAt": "2018-09-27T22:37:31Z",
    "Name": "syslogd",
    "ParentPid": 56789,
    "Path": "/usr/sbin/syslogd",
    "Pid": 12345,
    "TerminatedAt": "2018-09-27T23:37:31Z"
}
```

## ProcessedAt


Indicates when Security Hub CSPM received a finding and began to process it.

This differs from `CreatedAt` and `UpdatedAt`, which are required timestamps that relate to the finding provider's interaction with the security issue and finding. The `ProcessedAt` timestamp indicates when Security Hub CSPM starts to process a finding. A finding appears in a user's account after processing is complete.

```
"ProcessedAt": "2023-03-23T13:22:13.933Z"
```

## ProductFields


A data type where security findings products can include additional solution-specific details that are not part of the defined Amazon Security Finding Format.

For findings generated by Security Hub CSPM controls, `ProductFields` includes information about the control. See [Generating and updating control findings](controls-findings-create-update.md).

This field should not contain redundant data and must not contain data that conflicts with Amazon Security Finding Format fields.

The "`aws/`" prefix represents a reserved namespace for Amazon products and services only and must not be submitted with findings from third-party integrations.

Although not required, products should format field names as `company-id/product-id/field-name`, where the `company-id` and `product-id` match those supplied in the `ProductArn` of the finding.

The fields referencing `Archival` are used when Security Hub CSPM archives an existing finding. For example, Security Hub CSPM archives existing findings when you disable a control or standard and when you turn [consolidated control findings](controls-findings-create-update.md#consolidated-control-findings) on or off.

This field may also include information about the standard that includes the control that produced the finding.

**Example**

```
"ProductFields": {
    "API", "DeleteTrail",
    "ArchivalReasons:0/Description": "The finding is in an ARCHIVED state because consolidated control findings has been turned on or off. This causes findings in the previous state to be archived when new findings are being generated.",
    "ArchivalReasons:0/ReasonCode": "CONSOLIDATED_CONTROL_FINDINGS_UPDATE",
    "aws/inspector/AssessmentTargetName": "My prod env",
    "aws/inspector/AssessmentTemplateName": "My daily CVE assessment",
    "aws/inspector/RulesPackageName": "Common Vulnerabilities and Exposures",
    "generico/secure-pro/Action.Type", "AWS_API_CALL",
    "generico/secure-pro/Count": "6",
    "Service_Name": "cloudtrail.amazonaws.com"
}
```
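The following is an added example, not code from the Security Hub CSPM documentation. It applies the `ProductFields` naming guidance above as a client-side check before import: values must be strings, the `aws/` namespace is an error for anything that is not an Amazon product, and keys that do not follow `company-id/product-id/field-name` with the IDs from the `ProductArn` are reported as warnings, since the page presents that form as recommended rather than required. The `ProductArn` and keys in the usage block are constructed for this example.

```python
"""Added example (not from the Security Hub CSPM documentation): check
ProductFields keys against the naming guidance. Names are this example's own."""
from __future__ import annotations
import re

RESERVED_PREFIX = "aws/"
# company-id/product-id/field-name; the field-name part may itself contain '/'.
RECOMMENDED_KEY = re.compile(r"^([^/]+)/([^/]+)/.+$")


def product_ids_from_arn(product_arn: str) -> tuple[str, str]:
    """Return (company-id, product-id) from a ProductArn shaped like
    arn:partition:securityhub:region:account:product/company-id/product-id.
    The account segment is empty for Amazon-owned products."""
    parts = product_arn.split(":", 5)
    if len(parts) != 6 or parts[2] != "securityhub":
        raise ValueError(f"not a Security Hub product ARN: {product_arn}")
    resource = parts[5].split("/")
    if len(resource) != 3 or resource[0] != "product":
        raise ValueError(f"not a Security Hub product ARN: {product_arn}")
    return resource[1], resource[2]


def check_product_fields(product_arn: str, product_fields: dict) -> dict:
    """Classify each key. 'errors' are rules the page states as must;
    'warnings' are the recommended naming convention. Keys Security Hub adds
    itself (for example ArchivalReasons) are not expected in a provider payload."""
    company, product = product_ids_from_arn(product_arn)
    report = {"errors": {}, "warnings": {}}
    for key, value in product_fields.items():
        if not isinstance(value, str):
            # ProductFields is a string-to-string map in the ASFF.
            report["errors"][key] = "ProductFields values must be strings"
            continue
        if key.startswith(RESERVED_PREFIX):
            if company != "aws":
                report["errors"][key] = "aws/ namespace is reserved for Amazon products"
            continue
        match = RECOMMENDED_KEY.match(key)
        if match is None:
            report["warnings"][key] = "recommended form is company-id/product-id/field-name"
        elif match.group(1, 2) != (company, product):
            report["warnings"][key] = f"prefix should match ProductArn ({company}/{product})"
    return report


if __name__ == "__main__":
    # Constructed third-party ProductArn and keys for demonstration.
    arn = "arn:aws-cn:securityhub:us-west-2:123456789012:product/generico/secure-pro"
    fields = {
        "generico/secure-pro/Count": "6",
        "aws/inspector/RulesPackageName": "Common Vulnerabilities and Exposures",
        "Service_Name": "cloudtrail.amazonaws.com",
    }
    for level, items in check_product_fields(arn, fields).items():
        for key, reason in items.items():
            print(f"{level}: {key}: {reason}")
```

Run the check in the integration's CI rather than at import time: `BatchImportFindings` does not reject a misnamed key, so a collision with another product's namespace would only surface later, when filtering findings by `ProductFields` in the console or API.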

## ProductName


Provides the name of the product that generated the finding. For control-based findings, the product name is Security Hub CSPM.

Security Hub CSPM populates this attribute automatically for each finding. You cannot update it using [https://docs.amazonaws.cn//securityhub/1.0/APIReference/API_BatchImportFindings.html](https://docs.amazonaws.cn//securityhub/1.0/APIReference/API_BatchImportFindings.html) or [https://docs.amazonaws.cn//securityhub/1.0/APIReference/API_BatchUpdateFindings.html](https://docs.amazonaws.cn//securityhub/1.0/APIReference/API_BatchUpdateFindings.html). The exception to this is when you use a custom integration. See [Integrating Security Hub CSPM with custom products](securityhub-custom-providers.md).

When you use the Security Hub CSPM console to filter findings by product name, you use this attribute.

When you use the Security Hub CSPM API to filter findings by product name, you use the `aws/securityhub/ProductName` attribute under `ProductFields`.

Security Hub CSPM does not synchronize those two attributes.

## RecordState


Provides the record state of a finding. 

By default, when initially generated by a service, findings are considered `ACTIVE`.

The `ARCHIVED` state indicates that a finding should be hidden from view. Archived findings are not deleted immediately. You can search, review, and report on them. Security Hub CSPM automatically archives control-based findings if the associated resource is deleted, the resource does not exist, or the control is disabled.

`RecordState` is intended for finding providers, and can be updated only by using the [https://docs.amazonaws.cn//securityhub/1.0/APIReference/API_BatchImportFindings.html](https://docs.amazonaws.cn//securityhub/1.0/APIReference/API_BatchImportFindings.html) operation. You cannot update it by using the [https://docs.amazonaws.cn//securityhub/1.0/APIReference/API_BatchUpdateFindings.html](https://docs.amazonaws.cn//securityhub/1.0/APIReference/API_BatchUpdateFindings.html) operation.

To track the status of your investigation into a finding, use [`Workflow`](#asff-workflow) instead of `RecordState`.

If the record state changes from `ARCHIVED` to `ACTIVE`, and the workflow status of the finding is `NOTIFIED` or `RESOLVED`, Security Hub CSPM automatically changes the workflow status to `NEW`.

**Example**

```
"RecordState": "ACTIVE"
```

## Region


Specifies the Amazon Web Services Region from which the finding was generated.

Security Hub CSPM populates this attribute automatically for each finding. You cannot update it using [https://docs.amazonaws.cn//securityhub/1.0/APIReference/API_BatchImportFindings.html](https://docs.amazonaws.cn//securityhub/1.0/APIReference/API_BatchImportFindings.html) or [https://docs.amazonaws.cn//securityhub/1.0/APIReference/API_BatchUpdateFindings.html](https://docs.amazonaws.cn//securityhub/1.0/APIReference/API_BatchUpdateFindings.html).

**Example**

```
"Region": "us-west-2"
```

## RelatedFindings


Provides a list of findings that are related to the current finding.

`RelatedFindings` should only be updated with the [https://docs.amazonaws.cn//securityhub/1.0/APIReference/API_BatchUpdateFindings.html](https://docs.amazonaws.cn//securityhub/1.0/APIReference/API_BatchUpdateFindings.html) API operation. You should not update this object with [https://docs.amazonaws.cn//securityhub/1.0/APIReference/API_BatchImportFindings.html](https://docs.amazonaws.cn//securityhub/1.0/APIReference/API_BatchImportFindings.html).

For [https://docs.amazonaws.cn//securityhub/1.0/APIReference/API_BatchImportFindings.html](https://docs.amazonaws.cn//securityhub/1.0/APIReference/API_BatchImportFindings.html) requests, finding providers should use the `RelatedFindings` object under [`FindingProviderFields`](#asff-findingproviderfields).

To view descriptions of `RelatedFindings` attributes, see [https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_RelatedFinding.html](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_RelatedFinding.html) in the *Amazon Security Hub API Reference*.

**Example**

```
"RelatedFindings": [
    { "ProductArn": "arn:aws-cn:securityhub:us-west-2::product/aws/guardduty", 
      "Id": "123e4567-e89b-12d3-a456-426655440000" },
    { "ProductArn": "arn:aws-cn:securityhub:us-west-2::product/aws/guardduty", 
      "Id": "AcmeNerfHerder-111111111111-x189dx7824" }
]
```

## RiskAssessment


**Example**

```
"RiskAssessment": {
    "Posture": {
        "FindingTotal": 4,
        "Indicators": [
            {
                "Type": "Reachability",
                "Findings": [
                    {
                        "Id": "arn:aws-cn:inspector2:us-east-2:123456789012:finding/1234567890abcdef0",
                        "ProductArn": "arn:aws-cn:securityhub:us-east-1::product/aws/inspector",
                        "Title": "Finding title"
                    },
                    {
                        "Id": "arn:aws-cn:inspector2:us-east-2:123456789012:finding/abcdef01234567890",
                        "ProductArn": "arn:aws-cn:securityhub:us-east-1::product/aws/inspector",
                        "Title": "Finding title"
                    }
                ]
            },
            {
                "Type": "Vulnerability",
                "Findings": [
                    {
                        "Id": "arn:aws-cn:inspector2:us-east-2:123456789012:finding/021345abcdef6789",
                        "ProductArn": "arn:aws-cn:securityhub:us-east-1::product/aws/inspector",
                        "Title": "Finding title"
                    },
                    {
                        "Id": "arn:aws-cn:inspector2:us-east-2:123456789012:finding/021345ghijkl6789",
                        "ProductArn": "arn:aws-cn:securityhub:us-east-1::product/aws/inspector",
                        "Title": "Finding title"
                    }
                ]
            }
        ]
    }
}
```

## Remediation


The [https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_Remediation.html](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_Remediation.html) object provides information about recommended remediation steps to address the finding.

**Example**

```
"Remediation": {
    "Recommendation": {
        "Text": "For instructions on how to fix this issue, see the Amazon Security Hub CSPM documentation for EC2.2.",
        "Url": "https://docs.aws.amazon.com/console/securityhub/EC2.2/remediation"
    }
}
```

## Sample


Specifies whether the finding is a sample finding.

```
"Sample": true
```

## SourceUrl


`SourceUrl` provides a URL that links to a page about the current finding in the finding product.

```
"SourceUrl": "http://sourceurl.com"
```

## ThreatIntelIndicators


The [https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_ThreatIntelIndicator.html](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_ThreatIntelIndicator.html) object provides threat intelligence details that are related to a finding.

**Example**

```
"ThreatIntelIndicators": [
  {
    "Category": "BACKDOOR",
    "LastObservedAt": "2018-09-27T23:37:31Z",
    "Source": "Threat Intel Weekly",
    "SourceUrl": "http://threatintelweekly.org/backdoors/8888",
    "Type": "IPV4_ADDRESS",
    "Value": "8.8.8.8",
  }
]
```

## Threats


The [https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_Threat.html](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_Threat.html) object provides details about the threat detected by a finding.

**Example**

```
"Threats": [{
    "FilePaths": [{
        "FileName": "b.txt",
        "FilePath": "/tmp/b.txt",
        "Hash": "sha256",
        "ResourceId": "arn:aws-cn:ec2:us-west-2:123456789012:volume/vol-032f3bdd89aee112f"
    }],
    "ItemCount": 3,
    "Name": "Iot.linux.mirai.vwisi",
    "Severity": "HIGH"
}]
```

## UserDefinedFields


Provides a list of name-value string pairs that are associated with the finding. These are custom, user-defined fields that are added to a finding. These fields can be generated automatically through your specific configuration.

Finding providers should not use this field for data that the product generates. Instead, finding providers can use the `ProductFields` field for data that does not map to any standard Amazon Security Finding Format field.

These fields can only be updated using [https://docs.amazonaws.cn//securityhub/1.0/APIReference/API_BatchUpdateFindings.html](https://docs.amazonaws.cn//securityhub/1.0/APIReference/API_BatchUpdateFindings.html).

**Example**

```
"UserDefinedFields": {
    "reviewedByCio": "true",
    "comeBackToLater": "Check this again on Monday"
}
```

## VerificationState


Provides the veracity of a finding. Findings products can provide a value of `UNKNOWN` for this field. A findings product should provide a value for this field if there is a meaningful analog in the findings product's system. This field is typically populated by a user determination or action after investigating a finding.

A finding provider can provide an initial value for this attribute, but cannot update it after that. You can only update this attribute by using [https://docs.amazonaws.cn//securityhub/1.0/APIReference/API_BatchUpdateFindings.html](https://docs.amazonaws.cn//securityhub/1.0/APIReference/API_BatchUpdateFindings.html).

```
"VerificationState": "Confirmed"
```

## Vulnerabilities


The [https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_Vulnerability.html](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_Vulnerability.html) object provides a list of vulnerabilities that are associated with a finding.

**Example**

```
"Vulnerabilities" : [
    {
        "CodeVulnerabilities": [{
            "Cwes": [
                "CWE-798",
                "CWE-799"
            ],
            "FilePath": {
                "EndLine": 421,
                "FileName": "package-lock.json",
                "FilePath": "package-lock.json",
                "StartLine": 420
            },
                "SourceArn":"arn:aws-cn:lambda:us-east-1:123456789012:layer:Amazon-AppConfig-Extension:114"
        }],
        "Cvss": [
            {
                "BaseScore": 4.7,
                "BaseVector": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
                "Version": "V3"
            },
            {
                "BaseScore": 4.7,
                "BaseVector": "AV:L/AC:M/Au:N/C:C/I:N/A:N",
                "Version": "V2"
            }
        ],
        "EpssScore": 0.015,
        "ExploitAvailable": "YES",
        "FixAvailable": "YES",
        "Id": "CVE-2020-12345",
        "LastKnownExploitAt": "2020-01-16T00:01:35Z",
        "ReferenceUrls":[
           "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12418",
            "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17563"
        ],
        "RelatedVulnerabilities": ["CVE-2020-12345"],
        "Vendor": {
            "Name": "Alas",
            "Url":"https://alas.aws.amazon.com/ALAS-2020-1337.html",
            "VendorCreatedAt":"2020-01-16T00:01:43Z",
            "VendorSeverity":"Medium",
            "VendorUpdatedAt":"2020-01-16T00:01:43Z"
        },
        "VulnerablePackages": [
            {
                "Architecture": "x86_64",
                "Epoch": "1",
                "FilePath": "/tmp",
                "FixedInVersion": "0.14.0",
                "Name": "openssl",
                "PackageManager": "OS",
                "Release": "16.amzn2.0.3",
                "Remediation": "Update aws-crt to 0.14.0",
                "SourceLayerArn": "arn:aws-cn:lambda:us-west-2:123456789012:layer:id",
                "SourceLayerHash": "sha256:c1962c35b63a6ff6ce7df6e042ee82371a605ca9515569edec46ff14f926f001",
                "Version": "1.0.2k"
            }
        ]
    }
]
```

## Workflow


The [https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_Workflow.html](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_Workflow.html) object provides information about the status of the investigation into a finding.

This field is intended for customers to use with remediation, orchestration, and ticketing tools. It is not intended for finding providers.

You can only update the `Workflow` field with [https://docs.amazonaws.cn//securityhub/1.0/APIReference/API_BatchUpdateFindings.html](https://docs.amazonaws.cn//securityhub/1.0/APIReference/API_BatchUpdateFindings.html). Customers can also update it from the console. See [Setting the workflow status of findings in Security Hub CSPM](findings-workflow-status.md).

**Example**

```
"Workflow": {
    "Status": "NEW"
}
```
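The following is an added example, not code from the Security Hub CSPM documentation. The attribute descriptions above divide ownership between finding providers (`BatchImportFindings`) and customers (`BatchUpdateFindings`): `FindingProviderFields` and `RecordState` are provider-only, `Workflow` and `UserDefinedFields` are customer-only, `Note` and `VerificationState` may be given an initial value by a provider but later changed only by the customer, `ProductName` and `Region` are set by Security Hub CSPM, and top-level `RelatedFindings` should not be sent on import. The first function turns those rules into a pre-flight check over the attribute names in a payload; the second applies the `RecordState` rule that reactivating an archived finding whose workflow status is `NOTIFIED` or `RESOLVED` resets it to `NEW`. The check looks only at attribute names, regardless of request shape; the function names and sample payloads are this example's own.

```python
"""Added example (not from the Security Hub CSPM documentation): attribute
ownership pre-flight check for BatchImportFindings versus BatchUpdateFindings,
and the workflow reset on ARCHIVED -> ACTIVE. Names are this example's own."""
import copy

# Set only by finding providers through BatchImportFindings.
PROVIDER_ONLY = {"FindingProviderFields", "RecordState"}
# Set only by customers through BatchUpdateFindings (or the console).
CUSTOMER_ONLY = {"Workflow", "UserDefinedFields"}
# A provider may supply an initial value; later changes are BatchUpdateFindings only.
INITIAL_ONLY = {"Note", "VerificationState"}
# Populated by Security Hub; neither operation may set them. (ProductName can be
# supplied by a custom integration, which this check does not model.)
SERVICE_OWNED = {"ProductName", "Region"}
# Providers should put related findings under FindingProviderFields instead.
IMPORT_DISCOURAGED = {"RelatedFindings"}


def check_payload(operation: str, attributes: set, is_new: bool = False) -> dict:
    """Return {'errors': {name: reason}, 'warnings': {name: reason}} for the
    attribute names in a payload destined for `operation`. `is_new` marks an
    import that creates the finding rather than updating an existing one."""
    if operation not in ("BatchImportFindings", "BatchUpdateFindings"):
        raise ValueError(f"unknown operation: {operation}")
    report = {"errors": {}, "warnings": {}}
    for name in sorted(attributes):
        if name in SERVICE_OWNED:
            report["errors"][name] = "populated by Security Hub; not settable"
        elif operation == "BatchImportFindings":
            if name in CUSTOMER_ONLY:
                report["errors"][name] = "customer-owned; use BatchUpdateFindings"
            elif name in INITIAL_ONLY and not is_new:
                report["errors"][name] = "providers may only set an initial value"
            elif name in IMPORT_DISCOURAGED:
                report["warnings"][name] = "use FindingProviderFields.RelatedFindings"
        else:  # BatchUpdateFindings
            if name in PROVIDER_ONLY:
                report["errors"][name] = "provider-owned; use BatchImportFindings"
    return report


def set_record_state(finding: dict, new_state: str) -> dict:
    """Apply a provider's RecordState change and its documented side effect:
    ARCHIVED -> ACTIVE with Workflow.Status NOTIFIED or RESOLVED becomes NEW.
    Any other status (for example SUPPRESSED) is left unchanged."""
    if new_state not in ("ACTIVE", "ARCHIVED"):
        raise ValueError(f"invalid RecordState: {new_state}")
    out = copy.deepcopy(finding)
    previous = out.get("RecordState", "ACTIVE")
    out["RecordState"] = new_state
    status = out.get("Workflow", {}).get("Status")
    if previous == "ARCHIVED" and new_state == "ACTIVE" and status in ("NOTIFIED", "RESOLVED"):
        out["Workflow"] = {"Status": "NEW"}
    return out


if __name__ == "__main__":
    # Constructed payload: a provider update that wrongly carries Workflow.
    bad_import = {"Id", "UpdatedAt", "FindingProviderFields", "Workflow", "Region"}
    print(check_payload("BatchImportFindings", bad_import))
    print(set_record_state({"RecordState": "ARCHIVED", "Workflow": {"Status": "RESOLVED"}},
                           "ACTIVE"))
```

The reset rule matters for ticketing integrations: a finding closed as `RESOLVED` that a provider later reactivates comes back as `NEW`, so anything keyed on `Workflow.Status` will see it as a fresh item rather than a reopened one.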

## WorkflowState (Retired)


This object is retired and has been replaced by the `Status` field of the `Workflow` object.

This field provides the workflow state of a finding. Findings products can provide the value of `NEW` for this field. A findings product can provide a value for this field if there is a meaningful analog in the findings product's system.

**Example**

```
"WorkflowState": "NEW"
```

# Resources ASFF object


In the Amazon Security Finding Format (ASFF), the `Resources` object provides information about the resources involved in a finding. It contains an array of up to 32 resource objects. To determine how resource names are formatted, see [Amazon Security Finding Format (ASFF)](securityhub-findings-format.md). For examples of each resource object, select a resource from the following list.

**Topics**
+ [Resource attributes in the ASFF](asff-resources-attributes.md)
+ [AwsAmazonMQ resources in ASFF](asff-resourcedetails-awsamazonmq.md)
+ [AwsApiGateway resources in ASFF](asff-resourcedetails-awsapigateway.md)
+ [AwsAppSync resources in ASFF](asff-resourcedetails-awsappsync.md)
+ [AwsAthena resources in ASFF](asff-resourcedetails-awsathena.md)
+ [AwsAutoScaling resources in ASFF](asff-resourcedetails-awsautoscaling.md)
+ [AwsBackup resources in ASFF](asff-resourcedetails-awsbackup.md)
+ [AwsCertificateManager resources in ASFF](asff-resourcedetails-awscertificatemanager.md)
+ [AwsCloudFormation resources in ASFF](asff-resourcedetails-awscloudformation.md)
+ [AwsCloudFront resources in ASFF](asff-resourcedetails-awscloudfront.md)
+ [AwsCloudTrail resources in ASFF](asff-resourcedetails-awscloudtrail.md)
+ [AwsCloudWatch resources in ASFF](asff-resourcedetails-awscloudwatch.md)
+ [AwsCodeBuild resources in ASFF](asff-resourcedetails-awscodebuild.md)
+ [AwsDms resources in ASFF](asff-resourcedetails-awsdms.md)
+ [AwsDynamoDB resources in ASFF](asff-resourcedetails-awsdynamodb.md)
+ [AwsEc2 resources in ASFF](asff-resourcedetails-awsec2.md)
+ [AwsEcr resources in ASFF](asff-resourcedetails-awsecr.md)
+ [AwsEcs resources in ASFF](asff-resourcedetails-awsecs.md)
+ [AwsEfs resources in ASFF](asff-resourcedetails-awsefs.md)
+ [AwsEks resources in ASFF](asff-resourcedetails-awseks.md)
+ [AwsElasticBeanstalk resources in ASFF](asff-resourcedetails-awselasticbeanstalk.md)
+ [AwsElasticSearch resources in ASFF](asff-resourcedetails-awselasticsearch.md)
+ [AwsElb resources in ASFF](asff-resourcedetails-awselb.md)
+ [AwsEventBridge resources in ASFF](asff-resourcedetails-awsevent.md)
+ [AwsGuardDuty resources in ASFF](asff-resourcedetails-awsguardduty.md)
+ [AwsIam resources in ASFF](asff-resourcedetails-awsiam.md)
+ [AwsKinesis resources in ASFF](asff-resourcedetails-awskinesis.md)
+ [AwsKms resources in ASFF](asff-resourcedetails-awskms.md)
+ [AwsLambda](asff-resourcedetails-awslambda.md)
+ [AwsMsk resources in ASFF](asff-resourcedetails-awsmsk.md)
+ [AwsNetworkFirewall resources in ASFF](asff-resourcedetails-awsnetworkfirewall.md)
+ [AwsOpenSearchService resources in ASFF](asff-resourcedetails-awsopensearchservice.md)
+ [AwsRds resources in ASFF](asff-resourcedetails-awsrds.md)
+ [AwsRedshift resources in ASFF](asff-resourcedetails-awsredshift.md)
+ [AwsRoute53 resources in ASFF](asff-resourcedetails-awsroute53.md)
+ [AwsS3 resources in ASFF](asff-resourcedetails-awss3.md)
+ [AwsSageMaker resources in ASFF](asff-resourcedetails-awssagemaker.md)
+ [AwsSecretsManager resources in ASFF](asff-resourcedetails-awssecretsmanager.md)
+ [AwsSns resources in ASFF](asff-resourcedetails-awssns.md)
+ [AwsSqs resources in ASFF](asff-resourcedetails-awssqs.md)
+ [AwsSsm resources in ASFF](asff-resourcedetails-awsssm.md)
+ [AwsStepFunctions resources in ASFF](asff-resourcedetails-awsstepfunctions.md)
+ [AwsWaf resources in ASFF](asff-resourcedetails-awswaf.md)
+ [AwsXray resources in ASFF](asff-resourcedetails-awsxray.md)
+ [CodeRepository object in ASFF](asff-resourcedetails-coderepository.md)
+ [Container object in ASFF](asff-resourcedetails-container.md)
+ [Other object in ASFF](asff-resourcedetails-other.md)

# Resource attributes in the ASFF
Resource attributes

Here are descriptions and examples for the `Resources` object in the Amazon Security Finding Format (ASFF). For more information about these fields, see [Resources](asff-required-attributes.md#Resources).

## DataClassification


The [https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_DataClassificationDetails.html](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_DataClassificationDetails.html) field provides information about sensitive data that was detected on the resource.

**Example**

```
"DataClassification": {
    "DetailedResultsLocation": "Path_to_Folder_Or_File",
    "Result": {
        "MimeType": "text/plain",
        "SizeClassified": 2966026,
        "AdditionalOccurrences": false,
        "Status": {
            "Code": "COMPLETE",
            "Reason": "Unsupportedfield"
        },
       "SensitiveData": [
            {
                "Category": "PERSONAL_INFORMATION",
                "Detections": [
                    {
                        "Count": 34,
                        "Type": "GE_PERSONAL_ID",
                        "Occurrences": {
                            "LineRanges": [
                                {
                                    "Start": 1,
                                    "End": 10,
                                    "StartColumn": 20
                                }
                            ],
                            "Pages": [],
                            "Records": [],
                            "Cells": []
                        }
                    },
                    {
                        "Count": 59,
                        "Type": "EMAIL_ADDRESS",
                        "Occurrences": {
                            "Pages": [
                                {
                                    "PageNumber": 1,
                                    "OffsetRange": {
                                        "Start": 1,
                                        "End": 100,
                                        "StartColumn": 10
                                     },
                                    "LineRange": {
                                        "Start": 1,
                                        "End": 100,
                                        "StartColumn": 10
                                    }
                                }
                            ]
                        }
                    },
                    {
                        "Count": 2229,
                        "Type": "URL",
                        "Occurrences": {
                           "LineRanges": [
                               {
                                   "Start": 1,
                                   "End": 13
                               }
                           ]
                       }
                   },
                   {
                       "Count": 13826,
                       "Type": "NameDetection",
                       "Occurrences": {
                            "Records": [
                                {
                                    "RecordIndex": 1,
                                    "JsonPath": "$.ssn.value"
                                }
                            ]
                        }
                   },
                   {
                       "Count": 32,
                       "Type": "AddressDetection"
                   }
               ],
               "TotalCount": 32
           }
        ],
        "CustomDataIdentifiers": {
            "Detections": [
                 {
                     "Arn": "1712be25e7c7f53c731fe464f1c869b8", 
                     "Name": "1712be25e7c7f53c731fe464f1c869b8", 
                     "Count": 2,
                 }
            ],
            "TotalCount": 2
        }
    }
}
```

## Details


The [https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_ResourceDetails.html](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_ResourceDetails.html) field provides additional information about a single resource using the appropriate objects. Each resource must be provided in a separate resource object in the `Resources` object.

Note that if the finding size exceeds the maximum of 240 KB, then the `Details` object is removed from the finding. For control findings that use Amazon Config rules, you can view the resource details on the Amazon Config console.

Security Hub CSPM provides a set of available resource details for its supported resource types. These details correspond to values of the `Type` object. Use the provided types whenever possible.

For example, if the resource is an S3 bucket, then set the resource `Type` to `AwsS3Bucket` and provide the resource details in the [`AwsS3Bucket`](asff-resourcedetails-awss3.md#asff-resourcedetails-awss3bucket) object.

The [`Other`](asff-resourcedetails-other.md) object allows you to provide custom fields and values. You use the `Other` object in the following cases:
+ The resource type (the value of the resource `Type`) does not have a corresponding details object. To provide details for the resource, you use the [`Other`](asff-resourcedetails-other.md) object.
+ The object for the resource type does not include all of the fields that you want to populate. In this case, use the details object for the resource type to populate the available fields. Use the `Other` object to populate the fields that are not in the type-specific object.
+ The resource type is not one of the provided types. In this case, set `Resource.Type` to `Other`, and use the `Other` object to populate the details.

**Example**

```
"Details": {
  "AwsEc2Instance": {
    "IamInstanceProfileArn": "arn:aws-cn:iam::123456789012:role/IamInstanceProfileArn",
    "ImageId": "ami-79fd7eee",
    "IpV4Addresses": ["1.1.1.1"],
    "IpV6Addresses": ["2001:db8:1234:1a2b::123"],
    "KeyName": "testkey",
    "LaunchedAt": "2018-09-29T01:25:54Z",
    "MetadataOptions": {
      "HttpEndpoint": "enabled",
      "HttpProtocolIpv6": "enabled",
      "HttpPutResponseHopLimit": 1,
      "HttpTokens": "optional",
      "InstanceMetadataTags": "disabled"
    },
    "NetworkInterfaces": [
    {
      "NetworkInterfaceId": "eni-e5aa89a3"
    }
    ],
    "SubnetId": "PublicSubnet",
    "Type": "i3.xlarge",
    "VirtualizationType": "hvm",
    "VpcId": "TestVPCIpv6"
  },
  "AwsS3Bucket": {
    "OwnerId": "da4d66eac431652a4d44d490a00500bded52c97d235b7b4752f9f688566fe6de",
    "OwnerName": "acmes3bucketowner"
  },
  "Other": { "LightPen": "blinky", "SerialNo": "1234abcd"}  
}
```

## Id


The identifier for the given resource type.

For Amazon resources that are identified by Amazon Resource Names (ARNs), this is the ARN.

For Amazon resources that lack ARNs, this is the identifier as defined by the Amazon service that created the resource.

For non-Amazon resources, this is a unique identifier that is associated with the resource.

**Example**

```
"Id": "arn:aws-cn:s3:::amzn-s3-demo-bucket"
```

## Partition


The partition in which the resource is located. A partition is a group of Amazon Web Services Regions. Each Amazon Web Services account is scoped to one partition.

The following partitions are supported:
+ `aws` – Amazon Web Services Regions
+ `aws-cn` – China Regions
+ `aws-us-gov` – Amazon GovCloud (US) Region

**Example**

```
"Partition": "aws"
```

## Region


The code for the Amazon Web Services Region where this resource is located. For a list of Region codes, see [Regional endpoints](https://docs.amazonaws.cn/general/latest/gr/rande.html#regional-endpoints).

**Example**

```
"Region": "us-west-2"
```

## ResourceRole


Identifies the role of the resource in the finding. A resource is either the target of the finding activity or the actor that performed the activity.

**Example**

```
"ResourceRole": "target"
```

## Tags


This field provides tag key and value information for the resource involved in a finding. You can tag [resources that are supported](https://docs.amazonaws.cn/resourcegroupstagging/latest/APIReference/supported-services.html) by the `GetResources` operation of the Amazon Resource Groups Tagging API. Security Hub CSPM calls this operation through the [service-linked role](using-service-linked-roles.md) and retrieves the resource tags if the Amazon Security Finding Format (ASFF) `Resource.Id` field is populated with the Amazon resource ARN. Invalid resource IDs are ignored.

You can add resource tags to findings that Security Hub CSPM ingests, including findings from integrated Amazon Web Services services and third-party products.

The `Tags` field records the tags that were associated with a resource at the time the finding was processed. Include the `Tags` attribute only for resources that have at least one associated tag; if a resource has no tags, omit the `Tags` attribute from the finding.

The inclusion of resource tags in findings eliminates the need to build data enrichment pipelines or manually enrich the metadata of security findings. You can also use tags to search or filter findings and insights and create [automation rules](automation-rules.md).

For information about restrictions that apply to tags, see [Tag naming limits and requirements](https://docs.amazonaws.cn/tag-editor/latest/userguide/tagging.html#tag-conventions).

You can only provide tags that exist on an Amazon resource in this field. To provide data that isn't defined in the Amazon Security Finding Format, use the `Other` details subfield.

**Example**

```
"Tags": {
    "billingCode": "Lotus-1-2-3",
    "needsPatching": "true"
}
```

## Type


The type of resource that you are providing details for.

Whenever possible, use one of the provided resource types, such as `AwsEc2Instance` or `AwsS3Bucket`.

If the resource type does not match any of the provided resource types, then set the resource `Type` to `Other`, and use the `Other` details subfield to populate the details.

Supported values are listed under [Resources](asff-resources.md).

**Example**

```
"Type": "AwsS3Bucket"
```

# AwsAmazonMQ resources in ASFF

The following are examples of the Amazon Security Finding Format (ASFF) syntax for `AwsAmazonMQ` resources.

Amazon Security Hub CSPM normalizes findings from various sources into ASFF. For background information about ASFF, see [Amazon Security Finding Format (ASFF)](securityhub-findings-format.md).

## AwsAmazonMQBroker


`AwsAmazonMQBroker` provides information about an Amazon MQ broker, which is a message broker environment running on Amazon MQ.

The following example shows the ASFF for the `AwsAmazonMQBroker` object. To view descriptions of `AwsAmazonMQBroker` attributes, see [AwsAmazonMQBroker](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_AwsAmazonMQBrokerDetails.html) in the *Amazon Security Hub API Reference*.

**Example**

```
"AwsAmazonMQBroker": {
    "AutoMinorVersionUpgrade": true,
    "BrokerArn": "arn:aws:mq:us-east-1:123456789012:broker:TestBroker:b-a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
    "BrokerId": "b-a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
    "BrokerName": "TestBroker",
    "Configuration": {
        "Id": "c-a1b2c3d4-5678-90ab-cdef-EXAMPLE22222",
        "Revision": 1
    },
    "DeploymentMode": "ACTIVE_STANDBY_MULTI_AZ",
    "EncryptionOptions": {
        "UseAwsOwnedKey": true
    },
    "EngineType": "ActiveMQ",
    "EngineVersion": "5.17.2",
    "HostInstanceType": "mq.t2.micro",
    "Logs": {
        "Audit": false,
        "AuditLogGroup": "/aws/amazonmq/broker/b-a1b2c3d4-5678-90ab-cdef-EXAMPLE11111/audit",
        "General": false,
        "GeneralLogGroup": "/aws/amazonmq/broker/b-a1b2c3d4-5678-90ab-cdef-EXAMPLE11111/general"
    },
    "MaintenanceWindowStartTime": {
        "DayOfWeek": "MONDAY",
        "TimeOfDay": "22:00",
        "TimeZone": "UTC"
    },
    "PubliclyAccessible": true,
    "SecurityGroups": [
        "sg-021345abcdef6789"
    ],
    "StorageType": "efs",
    "SubnetIds": [
        "subnet-1234567890abcdef0",
        "subnet-abcdef01234567890"
    ],
    "Users": [
        {
            "Username": "admin"
        }
    ]
}
```

# AwsApiGateway resources in ASFF

The following are examples of the Amazon Security Finding Format (ASFF) syntax for `AwsApiGateway` resources.

Amazon Security Hub CSPM normalizes findings from various sources into ASFF. For background information about ASFF, see [Amazon Security Finding Format (ASFF)](securityhub-findings-format.md).

## AwsApiGatewayRestApi


The `AwsApiGatewayRestApi` object contains information about a REST API in version 1 of Amazon API Gateway.

The following is an example `AwsApiGatewayRestApi` finding in the Amazon Security Finding Format (ASFF). To view descriptions of `AwsApiGatewayRestApi` attributes, see [AwsApiGatewayRestApiDetails](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_AwsApiGatewayRestApiDetails.html) in the *Amazon Security Hub API Reference*.

**Example**

```
"AwsApiGatewayRestApi": {
    "Id": "exampleapi",
    "Name": "Security Hub",
    "Description": "Amazon Security Hub",
    "CreatedDate": "2018-11-18T10:20:05-08:00",
    "Version": "2018-10-26",
    "BinaryMediaTypes" : ["-'*~1*'"],
    "MinimumCompressionSize": 1024,
    "ApiKeySource": "AWS_ACCOUNT_ID",
    "EndpointConfiguration": {
        "Types": [
            "REGIONAL"
        ]
    }
}
```

## AwsApiGatewayStage


The `AwsApiGatewayStage` object provides information about a version 1 Amazon API Gateway stage.

The following is an example `AwsApiGatewayStage` finding in the Amazon Security Finding Format (ASFF). To view descriptions of `AwsApiGatewayStage` attributes, see [AwsApiGatewayStageDetails](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_AwsApiGatewayStageDetails.html) in the *Amazon Security Hub API Reference*.

**Example**

```
"AwsApiGatewayStage": {
    "DeploymentId": "n7hlmf",
    "ClientCertificateId": "a1b2c3",
    "StageName": "Prod",
    "Description": "Stage Description",
    "CacheClusterEnabled": false,
    "CacheClusterSize": "1.6",
    "CacheClusterStatus": "NOT_AVAILABLE",
    "MethodSettings": [
        {
            "MetricsEnabled": true,
            "LoggingLevel": "INFO",
            "DataTraceEnabled": false,
            "ThrottlingBurstLimit": 100,
            "ThrottlingRateLimit": 5.0,
            "CachingEnabled": false,
            "CacheTtlInSeconds": 300,
            "CacheDataEncrypted": false,
            "RequireAuthorizationForCacheControl": true,
            "UnauthorizedCacheControlHeaderStrategy": "SUCCEED_WITH_RESPONSE_HEADER",
            "HttpMethod": "POST",
            "ResourcePath": "/echo"
        }
    ],
    "Variables": {"test": "value"},
    "DocumentationVersion": "2.0",
    "AccessLogSettings": {
        "Format": "{\"requestId\": \"$context.requestId\", \"extendedRequestId\": \"$context.extendedRequestId\", \"ownerAccountId\": \"$context.accountId\", \"requestAccountId\": \"$context.identity.accountId\", \"callerPrincipal\": \"$context.identity.caller\", \"httpMethod\": \"$context.httpMethod\", \"resourcePath\": \"$context.resourcePath\", \"status\": \"$context.status\", \"requestTime\": \"$context.requestTime\", \"responseLatencyMs\": \"$context.responseLatency\", \"errorMessage\": \"$context.error.message\", \"errorResponseType\": \"$context.error.responseType\", \"apiId\": \"$context.apiId\", \"awsEndpointRequestId\": \"$context.awsEndpointRequestId\", \"domainName\": \"$context.domainName\", \"stage\": \"$context.stage\", \"xrayTraceId\": \"$context.xrayTraceId\", \"sourceIp\": \"$context.identity.sourceIp\", \"user\": \"$context.identity.user\", \"userAgent\": \"$context.identity.userAgent\", \"userArn\": \"$context.identity.userArn\", \"integrationLatency\": \"$context.integrationLatency\", \"integrationStatus\": \"$context.integrationStatus\", \"authorizerIntegrationLatency\": \"$context.authorizer.integrationLatency\" }",
        "DestinationArn": "arn:aws:logs:us-west-2:111122223333:log-group:SecurityHubAPIAccessLog/Prod"
    },
    "CanarySettings": {
        "PercentTraffic": 0.0,
        "DeploymentId": "ul73s8",
        "StageVariableOverrides": {
            "String": "String"
        },
        "UseStageCache": false
    },
    "TracingEnabled": false,
    "CreatedDate": "2018-07-11T10:55:18-07:00",
    "LastUpdatedDate": "2020-08-26T11:51:04-07:00",
    "WebAclArn" : "arn:aws:waf-regional:us-west-2:111122223333:webacl/cb606bd8-5b0b-4f0b-830a-dd304e48a822"
}
```

## AwsApiGatewayV2Api


The `AwsApiGatewayV2Api` object contains information about a version 2 API in Amazon API Gateway.

The following is an example `AwsApiGatewayV2Api` finding in the Amazon Security Finding Format (ASFF). To view descriptions of `AwsApiGatewayV2Api` attributes, see [AwsApiGatewayV2ApiDetails](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_AwsApiGatewayV2ApiDetails.html) in the *Amazon Security Hub API Reference*.

**Example**

```
"AwsApiGatewayV2Api": {
    "ApiEndpoint": "https://example.us-west-2.amazonaws.com",
    "ApiId": "a1b2c3d4",
    "ApiKeySelectionExpression": "$request.header.x-api-key",
    "CreatedDate": "2020-03-28T00:32:37Z",
    "Description": "ApiGatewayV2 Api",
    "Version": "string",
    "Name": "my-api",
    "ProtocolType": "HTTP",
    "RouteSelectionExpression": "$request.method $request.path",
    "CorsConfiguration": {
        "AllowOrigins": [ "*" ],
        "AllowCredentials": true,
        "ExposeHeaders": [ "string" ],
        "MaxAge": 3000,
        "AllowMethods": [
          "GET",
          "PUT",
          "POST",
          "DELETE",
          "HEAD"
        ],
        "AllowHeaders": [ "*" ]
    }
}
```

## AwsApiGatewayV2Stage


`AwsApiGatewayV2Stage` contains information about a version 2 stage for Amazon API Gateway.

The following is an example `AwsApiGatewayV2Stage` finding in the Amazon Security Finding Format (ASFF). To view descriptions of `AwsApiGatewayV2Stage` attributes, see [AwsApiGatewayV2StageDetails](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_AwsApiGatewayV2StageDetails.html) in the *Amazon Security Hub API Reference*.

**Example**

```
"AwsApiGatewayV2Stage": {
    "CreatedDate": "2020-04-08T00:36:05Z",
    "Description" : "ApiGatewayV2",
    "DefaultRouteSettings": {
        "DetailedMetricsEnabled": false,
        "LoggingLevel": "INFO",
        "DataTraceEnabled": true,
        "ThrottlingBurstLimit": 100,
        "ThrottlingRateLimit": 50
    },
    "DeploymentId": "x1zwyv",
    "LastUpdatedDate": "2020-04-08T00:36:13Z",
    "RouteSettings": {
        "DetailedMetricsEnabled": false,
        "LoggingLevel": "INFO",
        "DataTraceEnabled": true,
        "ThrottlingBurstLimit": 100,
        "ThrottlingRateLimit": 50
    },
    "StageName": "prod",
    "StageVariables": {
        "function": "my-prod-function"
    },
    "AccessLogSettings": {
        "Format": "{\"requestId\": \"$context.requestId\", \"extendedRequestId\": \"$context.extendedRequestId\", \"ownerAccountId\": \"$context.accountId\", \"requestAccountId\": \"$context.identity.accountId\", \"callerPrincipal\": \"$context.identity.caller\", \"httpMethod\": \"$context.httpMethod\", \"resourcePath\": \"$context.resourcePath\", \"status\": \"$context.status\", \"requestTime\": \"$context.requestTime\", \"responseLatencyMs\": \"$context.responseLatency\", \"errorMessage\": \"$context.error.message\", \"errorResponseType\": \"$context.error.responseType\", \"apiId\": \"$context.apiId\", \"awsEndpointRequestId\": \"$context.awsEndpointRequestId\", \"domainName\": \"$context.domainName\", \"stage\": \"$context.stage\", \"xrayTraceId\": \"$context.xrayTraceId\", \"sourceIp\": \"$context.identity.sourceIp\", \"user\": \"$context.identity.user\", \"userAgent\": \"$context.identity.userAgent\", \"userArn\": \"$context.identity.userArn\", \"integrationLatency\": \"$context.integrationLatency\", \"integrationStatus\": \"$context.integrationStatus\", \"authorizerIntegrationLatency\": \"$context.authorizer.integrationLatency\" }",
        "DestinationArn": "arn:aws:logs:us-west-2:111122223333:log-group:SecurityHubAPIAccessLog/Prod"
    },
    "AutoDeploy": false,
    "LastDeploymentStatusMessage": "Message",
    "ApiGatewayManaged": true
}
```

# AwsAppSync resources in ASFF

The following are examples of the Amazon Security Finding Format (ASFF) syntax for `AwsAppSync` resources.

Amazon Security Hub CSPM normalizes findings from various sources into ASFF. For background information about ASFF, see [Amazon Security Finding Format (ASFF)](securityhub-findings-format.md).

## AwsAppSyncGraphQLApi


`AwsAppSyncGraphQLApi` provides information about an Amazon AppSync GraphQL API, which is a top-level construct for your application.

The following example shows the ASFF for the `AwsAppSyncGraphQLApi` object. To view descriptions of `AwsAppSyncGraphQLApi` attributes, see [AwsAppSyncGraphQLApi](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_AwsAppSyncGraphQLApiDetails.html) in the *Amazon Security Hub API Reference*.

**Example**

```
"AwsAppSyncGraphQLApi": {
    "AdditionalAuthenticationProviders": [
        {
            "AuthenticationType": "AWS_LAMBDA",
            "LambdaAuthorizerConfig": {
                "AuthorizerResultTtlInSeconds": 300,
                "AuthorizerUri": "arn:aws:lambda:us-east-1:123456789012:function:mylambdafunc"
            }
        },
        {
            "AuthenticationType": "AWS_IAM"
        }
    ],
    "ApiId": "021345abcdef6789",
    "Arn": "arn:aws-cn:appsync:eu-central-1:123456789012:apis/021345abcdef6789",
    "AuthenticationType": "API_KEY",
    "Id": "021345abcdef6789",
    "LogConfig": {
        "CloudWatchLogsRoleArn": "arn:aws-cn:iam::123456789012:role/service-role/appsync-graphqlapi-logs-eu-central-1",
        "ExcludeVerboseContent": true,
        "FieldLogLevel": "ALL"
    },
    "Name": "My AppSync App",
    "XrayEnabled": true
}
```

# AwsAthena resources in ASFF

The following are examples of the Amazon Security Finding Format (ASFF) syntax for `AwsAthena` resources.

Amazon Security Hub CSPM normalizes findings from various sources into ASFF. For background information about ASFF, see [Amazon Security Finding Format (ASFF)](securityhub-findings-format.md).

## AwsAthenaWorkGroup


`AwsAthenaWorkGroup` provides information about an Amazon Athena workgroup. A workgroup helps you separate users, teams, applications, or workloads. It also helps you set limits on data processing and track costs.

The following example shows the ASFF for the `AwsAthenaWorkGroup` object. To view descriptions of `AwsAthenaWorkGroup` attributes, see [AwsAthenaWorkGroup](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_AwsAthenaWorkGroupDetails.html) in the *Amazon Security Hub API Reference*.

**Example**

```
"AwsAthenaWorkGroup": {
    "Description": "My workgroup for prod workloads",
    "Name": "MyWorkgroup",
    "WorkgroupConfiguration": {
        "ResultConfiguration": {
            "EncryptionConfiguration": {
                "EncryptionOption": "SSE_KMS",
                "KmsKey": "arn:aws-cn:kms:us-east-1:123456789012:key/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
            }
        }
    },
    "State": "ENABLED"
}
```

# AwsAutoScaling resources in ASFF

The following are examples of the Amazon Security Finding Format (ASFF) syntax for `AwsAutoScaling` resources.

Amazon Security Hub CSPM normalizes findings from various sources into ASFF. For background information about ASFF, see [Amazon Security Finding Format (ASFF)](securityhub-findings-format.md).

## AwsAutoScalingAutoScalingGroup


The `AwsAutoScalingAutoScalingGroup` object provides details about an automatic scaling group.

The following is an example `AwsAutoScalingAutoScalingGroup` finding in the Amazon Security Finding Format (ASFF). To view descriptions of `AwsAutoScalingAutoScalingGroup` attributes, see [AwsAutoScalingAutoScalingGroupDetails](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_AwsAutoScalingAutoScalingGroupDetails.html) in the *Amazon Security Hub API Reference*.

**Example**

```
"AwsAutoScalingAutoScalingGroup": {
    "CreatedTime": "2017-10-17T14:47:11Z",
    "HealthCheckGracePeriod": 300,
    "HealthCheckType": "EC2",
    "LaunchConfigurationName": "mylaunchconf",
    "LoadBalancerNames": [],
    "LaunchTemplate": {
        "LaunchTemplateId": "string",
        "LaunchTemplateName": "string",
        "Version": "string"
    },
    "MixedInstancesPolicy": {
        "InstancesDistribution": {
            "OnDemandAllocationStrategy": "prioritized",
            "OnDemandBaseCapacity": 1,
            "OnDemandPercentageAboveBaseCapacity": 50,
            "SpotAllocationStrategy": "lowest-price",
            "SpotInstancePools": 2,
            "SpotMaxPrice": "string"
        },
        "LaunchTemplate": {
            "LaunchTemplateSpecification": {
                "LaunchTemplateId": "string",
                "LaunchTemplateName": "string",
                "Version": "string"
            },
            "CapacityRebalance": true,
            "Overrides": [
                {
                    "InstanceType": "string",
                    "WeightedCapacity": "string"
                }
            ]
        }
    }
}
```

## AwsAutoScalingLaunchConfiguration


The `AwsAutoScalingLaunchConfiguration` object provides details about a launch configuration.

The following is an example `AwsAutoScalingLaunchConfiguration` finding in the Amazon Security Finding Format (ASFF).

To view descriptions of `AwsAutoScalingLaunchConfiguration` attributes, see [AwsAutoScalingLaunchConfigurationDetails](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_AwsAutoScalingLaunchConfigurationDetails.html) in the *Amazon Security Hub API Reference*.

**Example**

```
"AwsAutoScalingLaunchConfiguration": {
    "LaunchConfigurationName": "newtest",
    "ImageId": "ami-058a3739b02263842",
    "KeyName": "55hundredinstance",
    "SecurityGroups": [ "sg-01fce87ad6e019725" ],
    "ClassicLinkVpcSecurityGroups": [],
    "UserData": "...Base64-Encoded user data...",
    "InstanceType": "a1.metal",
    "KernelId": "",
    "RamdiskId": "ari-a51cf9cc",
    "BlockDeviceMappings": [
        {
            "DeviceName": "/dev/sdh",
            "Ebs": {
                "VolumeSize": 30,
                "VolumeType": "gp2",
                "DeleteOnTermination": false,
                "Encrypted": true,
                "SnapshotId": "snap-ffaa1e69",
                "VirtualName": "ephemeral1"
            }
        },
        {
            "DeviceName": "/dev/sdb",
            "NoDevice": true
        },
        {
            "DeviceName": "/dev/sda1",
            "Ebs": {
                "SnapshotId": "snap-02420cd3d2dea1bc0",
                "VolumeSize": 8,
                "VolumeType": "gp2",
                "DeleteOnTermination": true,
                "Encrypted": false
            }
        },
        {
            "DeviceName": "/dev/sdi",
            "Ebs": {
                "VolumeSize": 20,
                "VolumeType": "gp2",
                "DeleteOnTermination": false,
                "Encrypted": true
            }
        },
        {
            "DeviceName": "/dev/sdc",
            "NoDevice": true
        }
    ],
    "InstanceMonitoring": {
        "Enabled": false
    },
    "CreatedTime": 1620842933453,
    "EbsOptimized": false,
    "AssociatePublicIpAddress": true,
    "SpotPrice": "0.045"
}
```

# AwsBackup resources in ASFF

The following are examples of the Amazon Security Finding Format (ASFF) syntax for `AwsBackup` resources.

Amazon Security Hub CSPM normalizes findings from various sources into ASFF. For background information about ASFF, see [Amazon Security Finding Format (ASFF)](securityhub-findings-format.md).

## AwsBackupBackupPlan


The `AwsBackupBackupPlan` object provides information about an Amazon Backup backup plan. An Amazon Backup backup plan is a policy expression that defines when and how you want to back up your Amazon resources.

The following example shows the Amazon Security Finding Format (ASFF) for the `AwsBackupBackupPlan` object. To view descriptions of `AwsBackupBackupPlan` attributes, see [AwsBackupBackupPlan](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_AwsBackupBackupPlanDetails.html) in the *Amazon Security Hub API Reference*.

**Example**

```
"AwsBackupBackupPlan": {
    "BackupPlan": {
        "AdvancedBackupSettings": [
            {
                "BackupOptions": {
                    "WindowsVSS": "enabled"
                },
                "ResourceType": "EC2"
            }
        ],
        "BackupPlanName": "test",
        "BackupPlanRule": [
            {
                "CompletionWindowMinutes": 10080,
                "CopyActions": [
                    {
                        "DestinationBackupVaultArn": "arn:aws-cn:backup:us-east-1:858726136373:backup-vault:aws/efs/automatic-backup-vault",
                        "Lifecycle": {
                            "DeleteAfterDays": 365,
                            "MoveToColdStorageAfterDays": 30
                        }
                    }
                ],
                "Lifecycle": {
                    "DeleteAfterDays": 35
                },
                "RuleName": "DailyBackups",
                "ScheduleExpression": "cron(0 5 ? * * *)",
                "StartWindowMinutes": 480,
                "TargetBackupVault": "Default"
            },
            {
                "CompletionWindowMinutes": 10080,
                "CopyActions": [
                    {
                        "DestinationBackupVaultArn": "arn:aws-cn:backup:us-east-1:858726136373:backup-vault:aws/efs/automatic-backup-vault",
                        "Lifecycle": {
                            "DeleteAfterDays": 365,
                            "MoveToColdStorageAfterDays": 30
                        }
                    }
                ],
                "Lifecycle": {
                    "DeleteAfterDays": 35
                },
                "RuleName": "Monthly",
                "ScheduleExpression": "cron(0 5 1 * ? *)",
                "StartWindowMinutes": 480,
                "TargetBackupVault": "Default"
            }
        ]
    },
    "BackupPlanArn": "arn:aws-cn:backup:us-east-1:858726136373:backup-plan:b6d6b896-590d-4ee1-bf29-c5ccae63f4e7",
    "BackupPlanId": "b6d6b896-590d-4ee1-bf29-c5ccae63f4e7",
    "VersionId": "ZDVjNDIzMjItYTZiNS00NzczLTg4YzctNmExMWM2NjZhY2E1"
}
```

## AwsBackupBackupVault


The `AwsBackupBackupVault` object provides information about an Amazon Backup backup vault. An Amazon Backup backup vault is a container that stores and organizes your backups.

The following example shows the Amazon Security Finding Format (ASFF) for the `AwsBackupBackupVault` object. To view descriptions of `AwsBackupBackupVault` attributes, see [AwsBackupBackupVault](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_AwsBackupBackupVaultDetails.html) in the *Amazon Security Hub API Reference*.

**Example**

```
"AwsBackupBackupVault": {
    "AccessPolicy": {
        "Statement": [
            {
                "Action": [
                    "backup:DeleteBackupVault",
                    "backup:DeleteBackupVaultAccessPolicy",
                    "backup:DeleteRecoveryPoint",
                    "backup:StartCopyJob",
                    "backup:StartRestoreJob",
                    "backup:UpdateRecoveryPointLifecycle"
                ],
                "Effect": "Deny",
                "Principal": {
                    "AWS": "*"
                },
                "Resource": "*"
            }
        ],
        "Version": "2012-10-17"
    },
    "BackupVaultArn": "arn:aws-cn:backup:us-east-1:123456789012:backup-vault:aws/efs/automatic-backup-vault",
    "BackupVaultName": "aws/efs/automatic-backup-vault",
    "EncryptionKeyArn": "arn:aws-cn:kms:us-east-1:444455556666:key/72ba68d4-5e43-40b0-ba38-838bf8d06ca0",
    "Notifications": {
        "BackupVaultEvents": ["BACKUP_JOB_STARTED", "BACKUP_JOB_COMPLETED", "COPY_JOB_STARTED"],
        "SNSTopicArn": "arn:aws-cn:sns:us-west-2:111122223333:MyVaultTopic"
    }
}
```

## AwsBackupRecoveryPoint


The `AwsBackupRecoveryPoint` object provides information about an Amazon Backup backup, also referred to as a recovery point. An Amazon Backup recovery point represents the content of a resource at a specified time.

The following example shows the Amazon Security Finding Format (ASFF) for the `AwsBackupRecoveryPoint` object. To view descriptions of `AwsBackupRecoveryPoint` attributes, see [AwsBackupRecoveryPoint](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_AwsBackupRecoveryPointDetails.html) in the *Amazon Security Hub API Reference*.

**Example**

```
"AwsBackupRecoveryPoint": {
    "BackupSizeInBytes": 0,
    "BackupVaultName": "aws/efs/automatic-backup-vault",
    "BackupVaultArn": "arn:aws-cn:backup:us-east-1:111122223333:backup-vault:aws/efs/automatic-backup-vault",
    "CalculatedLifecycle": {
    	"DeleteAt": "2021-08-30T06:51:58.271Z",
    	"MoveToColdStorageAt": "2020-08-10T06:51:58.271Z"
    },
    "CompletionDate": "2021-07-26T07:21:40.361Z",
    "CreatedBy": {
    	"BackupPlanArn": "arn:aws-cn:backup:us-east-1:111122223333:backup-plan:aws/efs/73d922fb-9312-3a70-99c3-e69367f9fdad",
    	"BackupPlanId": "aws/efs/73d922fb-9312-3a70-99c3-e69367f9fdad",
    	"BackupPlanVersion": "ZGM4YzY5YjktMWYxNC00ZTBmLWE5MjYtZmU5OWNiZmM5ZjIz",
    	"BackupRuleId": "2a600c2-42ad-4196-808e-084923ebfd25"
    },
    "CreationDate": "2021-07-26T06:51:58.271Z",
    "EncryptionKeyArn": "arn:aws-cn:kms:us-east-1:111122223333:key/72ba68d4-5e43-40b0-ba38-838bf8d06ca0",
    "IamRoleArn": "arn:aws-cn:iam::111122223333:role/aws-service-role/backup.amazonaws.com/AWSServiceRoleForBackup",
    "IsEncrypted": true,
    "LastRestoreTime": "2021-07-26T06:51:58.271Z",
    "Lifecycle": {
    	"DeleteAfterDays": 35,
    	"MoveToColdStorageAfterDays": 15
    },
    "RecoveryPointArn": "arn:aws-cn:backup:us-east-1:111122223333:recovery-point:151a59e4-f1d5-4587-a7fd-0774c6e91268",
    "ResourceArn": "arn:aws-cn:elasticfilesystem:us-east-1:858726136373:file-system/fs-15bd31a1",
    "ResourceType": "EFS",
    "SourceBackupVaultArn": "arn:aws-cn:backup:us-east-1:111122223333:backup-vault:aws/efs/automatic-backup-vault",
    "Status": "COMPLETED",
    "StatusMessage": "Failure message",
    "StorageClass": "WARM"
}
```

# AwsCertificateManager resources in ASFF

The following are examples of the Amazon Security Finding Format (ASFF) syntax for `AwsCertificateManager` resources.

Amazon Security Hub CSPM normalizes findings from various sources into ASFF. For background information about ASFF, see [Amazon Security Finding Format (ASFF)](securityhub-findings-format.md).

## AwsCertificateManagerCertificate


The `AwsCertificateManagerCertificate` object provides details about an Amazon Certificate Manager (ACM) certificate.

The following is an example `AwsCertificateManagerCertificate` finding in the Amazon Security Finding Format (ASFF). To view descriptions of `AwsCertificateManagerCertificate` attributes, see [AwsCertificateManagerCertificateDetails](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_AwsCertificateManagerCertificateDetails.html) in the *Amazon Security Hub API Reference*.

**Example**

```
"AwsCertificateManagerCertificate": {
    "CertificateAuthorityArn": "arn:aws-cn:acm:us-west-2:444455556666:certificate-authority/example",
    "CreatedAt": "2019-05-24T18:12:02.000Z",
    "DomainName": "example.amazondomains.com",
    "DomainValidationOptions": [
        {
            "DomainName": "example.amazondomains.com",
            "ResourceRecord": {
                "Name": "_1bacb61828d3a1020c40a560ceed08f7.example.amazondomains.com",
                "Type": "CNAME",
                "Value": "_example.acm-validations.aws."
            },
            "ValidationDomain": "example.amazondomains.com",
            "ValidationEmails": ["sample_email@sample.com"],
            "ValidationMethod": "DNS",
            "ValidationStatus": "SUCCESS"
        }
    ],
    "ExtendedKeyUsages": [
        {
            "Name": "TLS_WEB_SERVER_AUTHENTICATION",
            "OId": "1.3.6.1.5.5.7.3.1"
        },
        {
            "Name": "TLS_WEB_CLIENT_AUTHENTICATION",
            "OId": "1.3.6.1.5.5.7.3.2"
        }
    ],
    "FailureReason": "",
    "ImportedAt": "2018-08-17T00:13:00.000Z",
    "InUseBy": ["arn:aws-cn:amazondomains:us-west-2:444455556666:loadbalancer/example"],
    "IssuedAt": "2020-04-26T00:41:17.000Z",
    "Issuer": "Amazon",
    "KeyAlgorithm": "RSA-1024",
    "KeyUsages": [
        {
            "Name": "DIGITAL_SIGNATURE"
        },
        {
            "Name": "KEY_ENCIPHERMENT"
        }
    ],
    "NotAfter": "2021-05-26T12:00:00.000Z",
    "NotBefore": "2020-04-26T00:00:00.000Z",
    "Options": {
        "CertificateTransparencyLoggingPreference": "ENABLED"
    },
    "RenewalEligibility": "ELIGIBLE",
    "RenewalSummary": {
        "DomainValidationOptions": [
            {
                "DomainName": "example.amazondomains.com",
                "ResourceRecord": {
                    "Name": "_1bacb61828d3a1020c40a560ceed08f7.example.amazondomains.com",
                    "Type": "CNAME",
                    "Value": "_example.acm-validations.aws.com"
                },
                "ValidationDomain": "example.amazondomains.com",
                "ValidationEmails": ["sample_email@sample.com"],
                "ValidationMethod": "DNS",
                "ValidationStatus": "SUCCESS"
            }
        ],
        "RenewalStatus": "SUCCESS",
        "RenewalStatusReason": "",
        "UpdatedAt": "2020-04-26T00:41:35.000Z"
    },
    "Serial": "02:ac:86:b6:07:2f:0a:61:0e:3a:ac:fd:d9:ab:17:1a",
    "SignatureAlgorithm": "SHA256WITHRSA",
    "Status": "ISSUED",
    "Subject": "CN=example.amazondomains.com",
    "SubjectAlternativeNames": ["example.amazondomains.com"],
    "Type": "AMAZON_ISSUED"
}
```

# AwsCloudFormation resources in ASFF

The following are examples of the Amazon Security Finding Format (ASFF) syntax for `AwsCloudFormation` resources.

Amazon Security Hub CSPM normalizes findings from various sources into ASFF. For background information about ASFF, see [Amazon Security Finding Format (ASFF)](securityhub-findings-format.md).

## AwsCloudFormationStack


The `AwsCloudFormationStack` object provides details about an Amazon CloudFormation stack that is nested as a resource in a top-level template.

The following example shows the Amazon Security Finding Format (ASFF) for the `AwsCloudFormationStack` object. To view descriptions of `AwsCloudFormationStack` attributes, see [AwsCloudFormationStackDetails](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_AwsCloudFormationStackDetails.html) in the *Amazon Security Hub API Reference*.

**Example**

```
"AwsCloudFormationStack": { 
	"Capabilities": [
		"CAPABILITY_IAM",
		"CAPABILITY_NAMED_IAM"
	],
	"CreationTime": "2022-02-18T15:31:53.161Z",
	"Description": "Amazon CloudFormation Sample",
	"DisableRollback": true,
	"DriftInformation": {
		"StackDriftStatus": "DRIFTED"
	},
	"EnableTerminationProtection": false,
	"LastUpdatedTime": "2022-02-18T15:31:53.161Z",
	"NotificationArns": [
		"arn:aws-cn:sns:us-east-1:978084797471:sample-sns-cfn"
	],
	"Outputs": [{
		"Description": "URL for newly created LAMP stack",
		"OutputKey": "WebsiteUrl",
		"OutputValue": "http://ec2-44-193-18-241.compute-1.amazonaws.com"
	}],
	"RoleArn": "arn:aws-cn:iam::012345678910:role/exampleRole",
	"StackId": "arn:aws-cn:cloudformation:us-east-1:978084797471:stack/sample-stack/e5d9f7e0-90cf-11ec-88c6-12ac1f91724b",
	"StackName": "sample-stack",
	"StackStatus": "CREATE_COMPLETE",
	"StackStatusReason": "Success",
	"TimeoutInMinutes": 1
}
```

# AwsCloudFront resources in ASFF

The following are examples of the Amazon Security Finding Format (ASFF) syntax for `AwsCloudFront` resources.

Amazon Security Hub CSPM normalizes findings from various sources into ASFF. For background information about ASFF, see [Amazon Security Finding Format (ASFF)](securityhub-findings-format.md).

## AwsCloudFrontDistribution


The `AwsCloudFrontDistribution` object provides details about an Amazon CloudFront distribution configuration.

The following is an example `AwsCloudFrontDistribution` finding in the Amazon Security Finding Format (ASFF). To view descriptions of `AwsCloudFrontDistribution` attributes, see [AwsCloudFrontDistributionDetails](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_AwsCloudFrontDistributionDetails.html) in the *Amazon Security Hub API Reference*.

**Example**

```
"AwsCloudFrontDistribution": {
    "CacheBehaviors": {
        "Items": [
            {
                "ViewerProtocolPolicy": "https-only"
            }
        ]
    },
    "DefaultCacheBehavior": {
        "ViewerProtocolPolicy": "https-only"
    },
    "DefaultRootObject": "index.html",
    "DomainName": "d2wkuj2w9l34gt.cloudfront.net",
    "Etag": "E37HOT42DHPVYH",
    "LastModifiedTime": "2015-08-31T21:11:29.093Z",
    "Logging": {
        "Bucket": "myawslogbucket.s3.amazonaws.com",
        "Enabled": false,
        "IncludeCookies": false,
        "Prefix": "myawslog/"
    },
    "OriginGroups": {
        "Items": [
            {
                "FailoverCriteria": {
                    "StatusCodes": {
                        "Items": [
                            200,
                            301,
                            404
                        ],
                        "Quantity": 3
                    }
                }
            }
        ]
    },
    "Origins": {
        "Items": [
            {
                "CustomOriginConfig": {
                    "HttpPort": 80,
                    "HttpsPort": 443,
                    "OriginKeepaliveTimeout": 60,
                    "OriginProtocolPolicy": "match-viewer",
                    "OriginReadTimeout": 30,
                    "OriginSslProtocols": {
                        "Items": ["SSLv3", "TLSv1"],
                        "Quantity": 2
                    }
                },
                "DomainName": "amzn-s3-demo-bucket.s3.amazonaws.com",
                "Id": "my-origin",
                "OriginPath": "/production",
                "S3OriginConfig": {
                    "OriginAccessIdentity": "origin-access-identity/cloudfront/E2YFS67H6VB6E4"
                }
            }
        ]
    },
    "Status": "Deployed",
    "ViewerCertificate": {
        "AcmCertificateArn": "arn:aws-cn:acm::123456789012:AcmCertificateArn",
        "Certificate": "ASCAJRRE5XYF52TKRY5M4",
        "CertificateSource": "iam",
        "CloudFrontDefaultCertificate": true,
        "IamCertificateId": "ASCAJRRE5XYF52TKRY5M4",
        "MinimumProtocolVersion": "TLSv1.2_2021",
        "SslSupportMethod": "sni-only"
    },
    "WebAclId": "waf-1234567890"
}
```

# AwsCloudTrail resources in ASFF

The following are examples of the Amazon Security Finding Format (ASFF) syntax for `AwsCloudTrail` resources.

Amazon Security Hub CSPM normalizes findings from various sources into ASFF. For background information about ASFF, see [Amazon Security Finding Format (ASFF)](securityhub-findings-format.md).

## AwsCloudTrailTrail


The `AwsCloudTrailTrail` object provides details about an Amazon CloudTrail trail.

The following is an example `AwsCloudTrailTrail` finding in the Amazon Security Finding Format (ASFF). To view descriptions of `AwsCloudTrailTrail` attributes, see [AwsCloudTrailTrailDetails](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_AwsCloudTrailTrailDetails.html) in the *Amazon Security Hub API Reference*.

**Example**

```
"AwsCloudTrailTrail": {
    "CloudWatchLogsLogGroupArn": "arn:aws-cn:logs:us-west-2:123456789012:log-group:CloudTrail/regression:*",
    "CloudWatchLogsRoleArn": "arn:aws-cn:iam::866482105055:role/CloudTrail_CloudWatchLogs",
    "HasCustomEventSelectors": true,
    "HomeRegion": "us-west-2",
    "IncludeGlobalServiceEvents": true,
    "IsMultiRegionTrail": true,
    "IsOrganizationTrail": false,
    "KmsKeyId": "kmsKeyId",
    "LogFileValidationEnabled": true,
    "Name": "regression-trail",
    "S3BucketName": "cloudtrail-bucket",
    "S3KeyPrefix": "s3KeyPrefix",
    "SnsTopicArn": "arn:aws-cn:sns:us-east-2:123456789012:MyTopic",
    "SnsTopicName": "snsTopicName",
    "TrailArn": "arn:aws-cn:cloudtrail:us-west-2:123456789012:trail"
}
```

# AwsCloudWatch resources in ASFF

The following are examples of the Amazon Security Finding Format (ASFF) syntax for `AwsCloudWatch` resources.

Amazon Security Hub CSPM normalizes findings from various sources into ASFF. For background information about ASFF, see [Amazon Security Finding Format (ASFF)](securityhub-findings-format.md).

## AwsCloudWatchAlarm


The `AwsCloudWatchAlarm` object provides details about Amazon CloudWatch alarms that watch a metric or perform an action when an alarm changes state.

The following example shows the Amazon Security Finding Format (ASFF) for the `AwsCloudWatchAlarm` object. To view descriptions of `AwsCloudWatchAlarm` attributes, see [AwsCloudWatchAlarmDetails](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_AwsCloudWatchAlarmDetails.html) in the *Amazon Security Hub API Reference*.

**Example**

```
"AwsCloudWatchAlarm": { 
	"ActionsEnabled": true,
	"AlarmActions": [
		"arn:aws-cn:automate:region:ec2:stop",
		"arn:aws-cn:automate:region:ec2:terminate"
	],
	"AlarmArn": "arn:aws-cn:cloudwatch:us-west-2:012345678910:alarm:sampleAlarm",
	"AlarmConfigurationUpdatedTimestamp": "2022-02-18T15:31:53.161Z",
	"AlarmDescription": "Alarm Example",
	"AlarmName": "Example",
	"ComparisonOperator": "GreaterThanOrEqualToThreshold",
	"DatapointsToAlarm": 1,
	"Dimensions": [{
		"Name": "InstanceId",
		"Value": "i-1234567890abcdef0"
	}],
	"EvaluateLowSampleCountPercentile": "evaluate",
	"EvaluationPeriods": 1,
	"ExtendedStatistic": "p99.9",
	"InsufficientDataActions": [
		"arn:aws-cn:automate:region:ec2:stop"
	],
	"MetricName": "Sample Metric",
	"Namespace": "YourNamespace",
	"OkActions": [
		"arn:aws-cn:swf:region:account-id:action/actions/AWS_EC2.InstanceId.Stop/1.0"
	],
	"Period": 1,
	"Statistic": "SampleCount",
	"Threshold": 12.3,
	"ThresholdMetricId": "t1",
	"TreatMissingData": "notBreaching",
	"Unit": "Kilobytes/Second"
}
```

# AwsCodeBuild resources in ASFF

The following are examples of the Amazon Security Finding Format (ASFF) syntax for `AwsCodeBuild` resources.

Amazon Security Hub CSPM normalizes findings from various sources into ASFF. For background information about ASFF, see [Amazon Security Finding Format (ASFF)](securityhub-findings-format.md).

## AwsCodeBuildProject


The `AwsCodeBuildProject` object provides information about an Amazon CodeBuild project.

The following is an example `AwsCodeBuildProject` finding in the Amazon Security Finding Format (ASFF). To view descriptions of `AwsCodeBuildProject` attributes, see [AwsCodeBuildProjectDetails](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_AwsCodeBuildProjectDetails.html) in the *Amazon Security Hub API Reference*.

**Example**

```
"AwsCodeBuildProject": {
   "Artifacts": [
      {
          "ArtifactIdentifier": "string",
          "EncryptionDisabled": boolean,
          "Location": "string",
          "Name": "string",
          "NamespaceType": "string",
          "OverrideArtifactName": boolean,
          "Packaging": "string",
          "Path": "string",
          "Type": "string"
       }
   ],
   "SecondaryArtifacts": [
      {
          "ArtifactIdentifier": "string",
          "EncryptionDisabled": boolean,
          "Location": "string",
          "Name": "string",
          "NamespaceType": "string",
          "OverrideArtifactName": boolean,
          "Packaging": "string",
          "Path": "string",
          "Type": "string"
       }
   ],
   "EncryptionKey": "string",
   "Certificate": "string",
   "Environment": {
      "Certificate": "string",
      "EnvironmentVariables": [
           {
                "Name": "string",
                "Type": "string",
                "Value": "string"
           }
      ],
      "ImagePullCredentialsType": "string",
      "PrivilegedMode": boolean,
      "RegistryCredential": {
          "Credential": "string",
          "CredentialProvider": "string"
      },
      "Type": "string"
   },
   "LogsConfig": {
        "CloudWatchLogs": {
             "GroupName": "string",
             "Status": "string",
             "StreamName": "string"
        },
        "S3Logs": {
             "EncryptionDisabled": boolean,
             "Location": "string",
             "Status": "string"
        }
   },
   "Name": "string",
   "ServiceRole": "string",
   "Source": {
        "Type": "string",
        "Location": "string",
        "GitCloneDepth": integer
   },
   "VpcConfig": {
        "VpcId": "string",
        "Subnets": ["string"],
        "SecurityGroupIds": ["string"]
   }
}
```

# AwsDms resources in ASFF

The following are examples of the Amazon Security Finding Format (ASFF) syntax for `AwsDms` resources.

Amazon Security Hub CSPM normalizes findings from various sources into ASFF. For background information about ASFF, see [Amazon Security Finding Format (ASFF)](securityhub-findings-format.md).

## AwsDmsEndpoint


The `AwsDmsEndpoint` object provides information about an Amazon Database Migration Service (Amazon DMS) endpoint. An endpoint provides connection, data store type, and location information about your data store.

The following example shows the Amazon Security Finding Format (ASFF) for the `AwsDmsEndpoint` object. To view descriptions of `AwsDmsEndpoint` attributes, see [AwsDmsEndpointDetails](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_AwsDmsEndpointDetails.html) in the *Amazon Security Hub API Reference*.

**Example**

```
"AwsDmsEndpoint": {
    "CertificateArn": "arn:aws-cn:dms:us-east-1:123456789012:cert:EXAMPLEIGDURVZGVJQZDPWJ5A7F2YDJVSMTBWFI",
    "DatabaseName": "Test",
    "EndpointArn": "arn:aws-cn:dms:us-east-1:123456789012:endpoint:EXAMPLEQB3CZY33F7XV253NAJVBNPK6MJQVFVQA",
    "EndpointIdentifier": "target-db",
    "EndpointType": "TARGET", 
    "EngineName": "mariadb",
    "KmsKeyId": "arn:aws-cn:kms:us-east-1:123456789012:key/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
    "Port": 3306,
    "ServerName": "target-db.exampletafyu.us-east-1.rds.amazonaws.com",
    "SslMode": "verify-ca",
    "Username": "admin"
}
```

## AwsDmsReplicationInstance


The `AwsDmsReplicationInstance` object provides information about an Amazon Database Migration Service (Amazon DMS) replication instance. DMS uses a replication instance to connect to your source data store, read the source data, and format the data for consumption by the target data store.

The following example shows the Amazon Security Finding Format (ASFF) for the `AwsDmsReplicationInstance` object. To view descriptions of `AwsDmsReplicationInstance` attributes, see [AwsDmsReplicationInstanceDetails](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_AwsDmsReplicationInstanceDetails.html) in the *Amazon Security Hub API Reference*.

**Example**

```
"AwsDmsReplicationInstance": {
    "AllocatedStorage": 50,
    "AutoMinorVersionUpgrade": true,
    "AvailabilityZone": "us-east-1b",
    "EngineVersion": "3.5.1",
    "KmsKeyId": "arn:aws-cn:kms:us-east-1:123456789012:key/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
    "MultiAZ": false,
    "PreferredMaintenanceWindow": "wed:08:08-wed:08:38",
    "PubliclyAccessible": true,
    "ReplicationInstanceClass": "dms.c5.xlarge",
    "ReplicationInstanceIdentifier": "second-replication-instance",
    "ReplicationSubnetGroup": {
        "ReplicationSubnetGroupIdentifier": "default-vpc-2344f44f"
    },
    "VpcSecurityGroups": [
        {
            "VpcSecurityGroupId": "sg-003a34e205138138b"
        }
    ]
}
```

## AwsDmsReplicationTask


The `AwsDmsReplicationTask` object provides information about an Amazon Database Migration Service (Amazon DMS) replication task. A replication task moves a set of data from the source endpoint to the target endpoint.

The following example shows the Amazon Security Finding Format (ASFF) for the `AwsDmsReplicationTask` object. To view descriptions of `AwsDmsReplicationTask` attributes, see [AwsDmsReplicationTaskDetails](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_AwsDmsReplicationTaskDetails.html) in the *Amazon Security Hub API Reference*.

**Example**

```
"AwsDmsReplicationTask": {
    "CdcStartPosition": "2023-08-28T14:26:22",
    "Id": "arn:aws-cn:dms:us-east-1:123456789012:task:YDYUOHZIXWKQSUCBMUCQCNY44SJW74VJNB5DFWQ",
    "MigrationType": "cdc",
    "ReplicationInstanceArn": "arn:aws:dms:us-east-1:123456789012:rep:T7V6RFDP23PYQWUL26N3PF5REKML4YOUGIMYJUI",
    "ReplicationTaskIdentifier": "test-task",
    "ReplicationTaskSettings": "{\"Logging\":{\"EnableLogging\":false,\"EnableLogContext\":false,\"LogComponents\":[{\"Severity\":\"LOGGER_SEVERITY_DEFAULT\",\"Id\":\"TRANSFORMATION\"},{\"Severity\":\"LOGGER_SEVERITY_DEFAULT\",\"Id\":\"SOURCE_UNLOAD\"},{\"Severity\":\"LOGGER_SEVERITY_DEFAULT\",\"Id\":\"IO\"},{\"Severity\":\"LOGGER_SEVERITY_DEFAULT\",\"Id\":\"TARGET_LOAD\"},{\"Severity\":\"LOGGER_SEVERITY_DEFAULT\",\"Id\":\"PERFORMANCE\"},{\"Severity\":\"LOGGER_SEVERITY_DEFAULT\",\"Id\":\"SOURCE_CAPTURE\"},{\"Severity\":\"LOGGER_SEVERITY_DEFAULT\",\"Id\":\"SORTER\"},{\"Severity\":\"LOGGER_SEVERITY_DEFAULT\",\"Id\":\"REST_SERVER\"},{\"Severity\":\"LOGGER_SEVERITY_DEFAULT\",\"Id\":\"VALIDATOR_EXT\"},{\"Severity\":\"LOGGER_SEVERITY_DEFAULT\",\"Id\":\"TARGET_APPLY\"},{\"Severity\":\"LOGGER_SEVERITY_DEFAULT\",\"Id\":\"TASK_MANAGER\"},{\"Severity\":\"LOGGER_SEVERITY_DEFAULT\",\"Id\":\"TABLES_MANAGER\"},{\"Severity\":\"LOGGER_SEVERITY_DEFAULT\",\"Id\":\"METADATA_MANAGER\"},{\"Severity\":\"LOGGER_SEVERITY_DEFAULT\",\"Id\":\"FILE_FACTORY\"},{\"Severity\":\"LOGGER_SEVERITY_DEFAULT\",\"Id\":\"COMMON\"},{\"Severity\":\"LOGGER_SEVERITY_DEFAULT\",\"Id\":\"ADDONS\"},{\"Severity\":\"LOGGER_SEVERITY_DEFAULT\",\"Id\":\"DATA_STRUCTURE\"},{\"Severity\":\"LOGGER_SEVERITY_DEFAULT\",\"Id\":\"COMMUNICATION\"},{\"Severity\":\"LOGGER_SEVERITY_DEFAULT\",\"Id\":\"FILE_TRANSFER\"}],\"CloudWatchLogGroup\":null,\"CloudWatchLogStream\":null},\"StreamBufferSettings\":{\"StreamBufferCount\":3,\"CtrlStreamBufferSizeInMB\":5,\"StreamBufferSizeInMB\":8},\"ErrorBehavior\":{\"FailOnNoTablesCaptured\":true,\"ApplyErrorUpdatePolicy\":\"LOG_ERROR\",\"FailOnTransactionConsistencyBreached\":false,\"RecoverableErrorThrottlingMax\":1800,\"DataErrorEscalationPolicy\":\"SUSPEND_TABLE\",\"ApplyErrorEscalationCount\":0,\"RecoverableErrorStopRetryAfterThrottlingMax\":true,\"RecoverableErrorThrottling\":true,\"ApplyErrorFailOnTruncationDdl\":false,\"DataTruncationErrorPolicy\":\"LOG_ERROR\",\"ApplyErrorInsertPolicy\":\"LOG_ERROR\",\"EventErrorPolicy\":\"IGNORE\",\"ApplyErrorEscalationPolicy\":\"LOG_ERROR\",\"RecoverableErrorCount\":-1,\"DataErrorEscalationCount\":0,\"TableErrorEscalationPolicy\":\"STOP_TASK\",\"RecoverableErrorInterval\":5,\"ApplyErrorDeletePolicy\":\"IGNORE_RECORD\",\"TableErrorEscalationCount\":0,\"FullLoadIgnoreConflicts\":true,\"DataErrorPolicy\":\"LOG_ERROR\",\"TableErrorPolicy\":\"SUSPEND_TABLE\"},\"TTSettings\":{\"TTS3Settings\":null,\"TTRecordSettings\":null,\"EnableTT\":false},\"FullLoadSettings\":{\"CommitRate\":10000,\"StopTaskCachedChangesApplied\":false,\"StopTaskCachedChangesNotApplied\":false,\"MaxFullLoadSubTasks\":8,\"TransactionConsistencyTimeout\":600,\"CreatePkAfterFullLoad\":false,\"TargetTablePrepMode\":\"DO_NOTHING\"},\"TargetMetadata\":{\"ParallelApplyBufferSize\":0,\"ParallelApplyQueuesPerThread\":0,\"ParallelApplyThreads\":0,\"TargetSchema\":\"\",\"InlineLobMaxSize\":0,\"ParallelLoadQueuesPerThread\":0,\"SupportLobs\":true,\"LobChunkSize\":64,\"TaskRecoveryTableEnabled\":false,\"ParallelLoadThreads\":0,\"LobMaxSize\":0,\"BatchApplyEnabled\":false,\"FullLobMode\":true,\"LimitedSizeLobMode\":false,\"LoadMaxFileSize\":0,\"ParallelLoadBufferSize\":0},\"BeforeImageSettings\":null,\"ControlTablesSettings\":{\"historyTimeslotInMinutes\":5,\"HistoryTimeslotInMinutes\":5,\"StatusTableEnabled\":false,\"SuspendedTablesTableEnabled\":false,\"HistoryTableEnabled\":false,\"ControlSchema\":\"\",\"FullLoadExceptionTableEnabled\":false},\"LoopbackPreventionSettings\":null,\"CharacterSetSettings\":null,\"FailTaskWhenCleanTaskResourceFailed\":false,\"ChangeProcessingTuning\":{\"StatementCacheSize\":50,\"CommitTimeout\":1,\"BatchApplyPreserveTransaction\":true,\"BatchApplyTimeoutMin\":1,\"BatchSplitSize\":0,\"BatchApplyTimeoutMax\":30,\"MinTransactionSize\":1000,\"MemoryKeepTime\":60,\"BatchApplyMemoryLimit\":500,\"MemoryLimitTotal\":1024},\"ChangeProcessingDdlHandlingPolicy\":{\"HandleSourceTableDropped\":true,\"HandleSourceTableTruncated\":true,\"HandleSourceTableAltered\":true},\"PostProcessingRules\":null}",
    "SourceEndpointArn": "arn:aws-cn:dms:us-east-1:123456789012:endpoint:TZPWV2VCXEGHYOKVKRNHAKJ4Q3RUXACNGFGYWRI",
    "TableMappings": "{\"rules\":[{\"rule-type\":\"selection\",\"rule-id\":\"969761702\",\"rule-name\":\"969761702\",\"object-locator\":{\"schema-name\":\"%table\",\"table-name\":\"%example\"},\"rule-action\":\"exclude\",\"filters\":[]}]}",
    "TargetEndpointArn": "arn:aws-cn:dms:us-east-1:123456789012:endpoint:ABR8LBOQB3CZY33F7XV253NAJVBNPK6MJQVFVQA"
}
```
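Two fields in the `AwsDmsReplicationTask` object above, `ReplicationTaskSettings` and `TableMappings`, are JSON documents carried as escaped strings inside the ASFF JSON. A consumer has to decode them a second time before it can inspect anything in them, and a truncated or line-wrapped string (as easily happens when a long example is pasted) fails that second decode. The following is an added example, not code from the Security Hub documentation or from DMS; the trimmed settings it embeds are constructed, and the two checks it applies (task logging off, a selection rule that includes every table) are this example's own, not Security Hub controls.

```python
"""Decode the JSON-encoded strings inside an AwsDmsReplicationTask object.

Added example; not code from the Security Hub documentation or from DMS.
ReplicationTaskSettings and TableMappings arrive as JSON strings nested in the
ASFF JSON, so a consumer must json.loads() them a second time before it can
check anything inside. The settings below are a constructed, trimmed sample
that keeps only the keys this example reads; the checks are this example's own.
"""
import json
from typing import Any, Dict, List, Optional


def _decode(task: Dict[str, Any], field: str) -> Optional[Dict[str, Any]]:
    """Decode one double-encoded field; None if it is missing or not valid JSON."""
    raw = task.get(field)
    if not isinstance(raw, str):
        return None
    try:
        value = json.loads(raw)
    except json.JSONDecodeError:
        return None
    return value if isinstance(value, dict) else None


def audit_replication_task(details: Dict[str, Any]) -> List[str]:
    """Return human-readable posture issues for one AwsDmsReplicationTask object."""
    task = details["AwsDmsReplicationTask"]
    issues: List[str] = []

    settings = _decode(task, "ReplicationTaskSettings")
    if settings is None:
        issues.append("ReplicationTaskSettings missing or not valid JSON")
    else:
        logging_cfg = settings.get("Logging", {})
        if not logging_cfg.get("EnableLogging"):
            issues.append("task logging is disabled (Logging.EnableLogging=false)")
        elif not logging_cfg.get("CloudWatchLogGroup"):
            issues.append("task logging enabled but no CloudWatch log group is set")

    mappings = _decode(task, "TableMappings")
    if mappings is None:
        issues.append("TableMappings missing or not valid JSON")
    else:
        for rule in mappings.get("rules", []):
            loc = rule.get("object-locator", {})
            if (rule.get("rule-type") == "selection"
                    and rule.get("rule-action") == "include"
                    and loc.get("schema-name") == "%"
                    and loc.get("table-name") == "%"):
                issues.append(f"selection rule {rule.get('rule-id')} includes every table in every schema")
    return issues


# Constructed sample (trimmed; real settings carry many more keys, as in the page example).
SAMPLE_TASK = {
    "AwsDmsReplicationTask": {
        "Id": "arn:aws-cn:dms:us-east-1:123456789012:task:EXAMPLETASKID",
        "MigrationType": "cdc",
        "ReplicationTaskIdentifier": "test-task",
        "ReplicationTaskSettings": json.dumps({
            "Logging": {"EnableLogging": False, "EnableLogContext": False,
                        "CloudWatchLogGroup": None, "CloudWatchLogStream": None},
            "ErrorBehavior": {"TableErrorEscalationPolicy": "STOP_TASK"},
        }),
        "TableMappings": json.dumps({
            "rules": [{"rule-type": "selection", "rule-id": "1", "rule-name": "1",
                       "object-locator": {"schema-name": "%", "table-name": "%"},
                       "rule-action": "include", "filters": []}]
        }),
    }
}

# A copy whose settings string was cut off mid-document, as happens when a
# line-wrapped example is pasted: the decoder reports it instead of raising.
TRUNCATED_TASK = {
    "AwsDmsReplicationTask": {
        **SAMPLE_TASK["AwsDmsReplicationTask"],
        "ReplicationTaskSettings": SAMPLE_TASK["AwsDmsReplicationTask"]["ReplicationTaskSettings"][:40],
    }
}

if __name__ == "__main__":
    for label, task in (("sample", SAMPLE_TASK), ("truncated", TRUNCATED_TASK)):
        print(label, audit_replication_task(task))
```

The decoder returns `None` rather than raising so that one malformed field does not stop the rest of the finding from being evaluated; the caller turns that into an issue of its own, which is the behaviour you want when findings are processed in bulk.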

# AwsDynamoDB resources in ASFF

The following are examples of the Amazon Security Finding Format (ASFF) syntax for `AwsDynamoDB` resources.

Amazon Security Hub CSPM normalizes findings from various sources into ASFF. For background information about ASFF, see [Amazon Security Finding Format (ASFF)](securityhub-findings-format.md).

## AwsDynamoDbTable


The `AwsDynamoDbTable` object provides details about an Amazon DynamoDB table.

The following is an example `AwsDynamoDbTable` finding in the Amazon Security Finding Format (ASFF). To view descriptions of `AwsDynamoDbTable` attributes, see [AwsDynamoDbTableDetails](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_AwsDynamoDbTableDetails.html) in the *Amazon Security Hub API Reference*.

**Example**

```
"AwsDynamoDbTable": {
    "AttributeDefinitions": [   
        {        
            "AttributeName": "attribute1",
            "AttributeType": "value 1"
        },
        {
            "AttributeName": "attribute2",
            "AttributeType": "value 2"
        },
        {
            "AttributeName": "attribute3",
            "AttributeType": "value 3"
        }
    ],
    "BillingModeSummary": {
        "BillingMode": "PAY_PER_REQUEST",
        "LastUpdateToPayPerRequestDateTime": "2019-12-03T15:23:10.323Z"
    },
    "CreationDateTime": "2019-12-03T15:23:10.248Z",
    "DeletionProtectionEnabled": true,
    "GlobalSecondaryIndexes": [
        {
            "Backfilling": false,
            "IndexArn": "arn:aws-cn:dynamodb:us-west-2:111122223333:table/exampleTable/index/exampleIndex",                
            "IndexName": "standardsControlArnIndex",
            "IndexSizeBytes": 1862513,
            "IndexStatus": "ACTIVE",
            "ItemCount": 20,
            "KeySchema": [
                {
                    "AttributeName": "City",
                    "KeyType": "HASH"
                },     
                {
                    "AttributeName": "Date",
                    "KeyType": "RANGE"
                }
            ],      
            "Projection": {
                "NonKeyAttributes": ["predictorName"],
                "ProjectionType": "ALL"
            },     
            "ProvisionedThroughput": {
                "LastIncreaseDateTime": "2019-03-14T13:21:00.399Z",
                "LastDecreaseDateTime": "2019-03-14T12:47:35.193Z",
                "NumberOfDecreasesToday": 0,
                "ReadCapacityUnits": 100,
                "WriteCapacityUnits": 50
            }
        }
    ],
    "GlobalTableVersion": "V1",
    "ItemCount": 2705,
    "KeySchema": [
        {
            "AttributeName": "zipcode",
            "KeyType": "HASH"
        }
    ],
    "LatestStreamArn": "arn:aws-cn:dynamodb:us-west-2:111122223333:table/exampleTable/stream/2019-12-03T23:23:10.248",
    "LatestStreamLabel": "2019-12-03T23:23:10.248",
    "LocalSecondaryIndexes": [
        {
            "IndexArn": "arn:aws-cn:dynamodb:us-east-1:111122223333:table/exampleGroup/index/exampleId",
            "IndexName": "CITY_DATE_INDEX_NAME",
            "KeySchema": [
                {
                    "AttributeName": "zipcode",
                    "KeyType": "HASH"
                }
            ],
            "Projection": {
                "NonKeyAttributes": ["predictorName"],
                "ProjectionType": "ALL"
            }
        }
    ],
    "ProvisionedThroughput": {
        "LastIncreaseDateTime": "2019-03-14T13:21:00.399Z",
        "LastDecreaseDateTime": "2019-03-14T12:47:35.193Z",
        "NumberOfDecreasesToday": 0,
        "ReadCapacityUnits": 100,
        "WriteCapacityUnits": 50
    },
    "Replicas": [
        {
            "GlobalSecondaryIndexes":[
                {
                    "IndexName": "CITY_DATE_INDEX_NAME", 
                    "ProvisionedThroughputOverride": {
                        "ReadCapacityUnits": 10
                    }
                }
            ],
            "KmsMasterKeyId": "KmsKeyId",
            "ProvisionedThroughputOverride": {
                "ReadCapacityUnits": 10
            },
            "RegionName": "regionName",
            "ReplicaStatus": "CREATING",
            "ReplicaStatusDescription": "replicaStatusDescription"
        }
    ],
    "RestoreSummary" : {
        "SourceBackupArn": "arn:aws-cn:dynamodb:us-west-2:111122223333:table/exampleTable/backup/backup1",
        "SourceTableArn": "arn:aws-cn:dynamodb:us-west-2:111122223333:table/exampleTable",
        "RestoreDateTime": "2020-06-22T17:40:12.322Z",
        "RestoreInProgress": true
    },
    "SseDescription": {
        "InaccessibleEncryptionDateTime": "2018-01-26T23:50:05.000Z",
        "Status": "ENABLED",
        "SseType": "KMS",
        "KmsMasterKeyArn": "arn:aws-cn:kms:us-east-1:111122223333:key/key1"
    },
    "StreamSpecification" : {
        "StreamEnabled": true,
        "StreamViewType": "NEW_IMAGE"
    },
    "TableId": "example-table-id-1",
    "TableName": "example-table",
    "TableSizeBytes": 1862513,
    "TableStatus": "ACTIVE"
}
```

# AwsEc2 resources in ASFF

The following are examples of the Amazon Security Finding Format (ASFF) syntax for `AwsEc2` resources.

Amazon Security Hub CSPM normalizes findings from various sources into ASFF. For background information about ASFF, see [Amazon Security Finding Format (ASFF)](securityhub-findings-format.md).

## AwsEc2ClientVpnEndpoint


The `AwsEc2ClientVpnEndpoint` object provides information about an Amazon Client VPN endpoint. A Client VPN endpoint is the resource that you create and configure to enable and manage client VPN sessions. It's the termination point for all client VPN sessions.

The following example shows the Amazon Security Finding Format (ASFF) for the `AwsEc2ClientVpnEndpoint` object. To view descriptions of `AwsEc2ClientVpnEndpoint` attributes, see [AwsEc2ClientVpnEndpointDetails](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_AwsEc2ClientVpnEndpointDetails.html) in the *Amazon Security Hub API Reference*.

**Example**

```
"AwsEc2ClientVpnEndpoint": {
    "AuthenticationOptions": [
        {
            "MutualAuthentication": {
                "ClientRootCertificateChainArn": "arn:aws-cn:acm:us-east-1:123456789012:certificate/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
            },
            "Type": "certificate-authentication"
        }
    ],
    "ClientCidrBlock": "10.0.0.0/22",
    "ClientConnectOptions": {
        "Enabled": false
    },
    "ClientLoginBannerOptions": {
        "Enabled": false
    },
    "ClientVpnEndpointId": "cvpn-endpoint-00c5d11fc4729f2a5",
    "ConnectionLogOptions": {
        "Enabled": false
    },
    "Description": "test",
    "DnsServer": ["10.0.0.0"],
    "ServerCertificateArn": "arn:aws-cn:acm:us-east-1:123456789012:certificate/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
    "SecurityGroupIdSet": [
        "sg-0f7a177b82b443691"
    ],
    "SelfServicePortalUrl": "https://self-service.clientvpn.amazonaws.com/endpoints/cvpn-endpoint-00c5d11fc4729f2a5",
    "SessionTimeoutHours": 24,
    "SplitTunnel": false,
    "TransportProtocol": "udp",
    "VpcId": "vpc-1a2b3c4d5e6f1a2b3",
    "VpnPort": 443
}
```

## AwsEc2Eip


The `AwsEc2Eip` object provides information about an Elastic IP address.

The following example shows the Amazon Security Finding Format (ASFF) for the `AwsEc2Eip` object. To view descriptions of `AwsEc2Eip` attributes, see [AwsEc2EipDetails](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_AwsEc2EipDetails.html) in the *Amazon Security Hub API Reference*.

**Example**

```
"AwsEc2Eip": {
    "InstanceId": "instance1",
    "PublicIp": "192.0.2.04",
    "AllocationId": "eipalloc-example-id-1",
    "AssociationId": "eipassoc-example-id-1",
    "Domain": "vpc",
    "PublicIpv4Pool": "anycompany",
    "NetworkBorderGroup": "eu-central-1",
    "NetworkInterfaceId": "eni-example-id-1",
    "NetworkInterfaceOwnerId": "777788889999",
    "PrivateIpAddress": "192.0.2.03"
}
```

## AwsEc2Instance


The `AwsEc2Instance` object provides details about an Amazon EC2 instance.

The following example shows the Amazon Security Finding Format (ASFF) for the `AwsEc2Instance` object. To view descriptions of `AwsEc2Instance` attributes, see [AwsEc2InstanceDetails](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_AwsEc2InstanceDetails.html) in the *Amazon Security Hub API Reference*.

**Example**

```
"AwsEc2Instance": { 
    "IamInstanceProfileArn": "arn:aws-cn:iam::123456789012:instance-profile/AdminRole",
    "ImageId": "ami-1234",
    "IpV4Addresses": [ "1.1.1.1" ],
    "IpV6Addresses": [ "2001:db8:1234:1a2b::123" ],
    "KeyName": "my_keypair",
    "LaunchedAt": "2018-05-08T16:46:19.000Z",
    "MetadataOptions": {
    	"HttpEndpoint": "enabled",
    	"HttpProtocolIpv6": "enabled",
    	"HttpPutResponseHopLimit": 1,
    	"HttpTokens": "optional",
    	"InstanceMetadataTags": "disabled"
    },
    "Monitoring": {
    	"State": "disabled"
    },
    "NetworkInterfaces": [
      {
         "NetworkInterfaceId": "eni-e5aa89a3"
      }
    ],
    "SubnetId": "subnet-123",
    "Type": "i3.xlarge",
    "VpcId": "vpc-123"
}
```

## AwsEc2LaunchTemplate


The `AwsEc2LaunchTemplate` object contains details about an Amazon Elastic Compute Cloud launch template that specifies instance configuration information.

The following example shows the Amazon Security Finding Format (ASFF) for the `AwsEc2LaunchTemplate` object. To view descriptions of `AwsEc2LaunchTemplate` attributes, see [AwsEc2LaunchTemplateDetails](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_AwsEc2LaunchTemplateDetails.html) in the *Amazon Security Hub API Reference*.

**Example**

```
"AwsEc2LaunchTemplate": {
	"DefaultVersionNumber": "1",
	"ElasticGpuSpecifications": ["string"],
	"ElasticInferenceAccelerators": ["string"],
	"Id": "lt-0a16e9802800bdd85",
	"ImageId": "ami-0d5eff06f840b45e9",
	"LatestVersionNumber": "1",
	"LaunchTemplateData": {
		"BlockDeviceMappings": [{
			"DeviceName": "/dev/xvda",
			"Ebs": {
				"DeleteOnTermination": true,
				"Encrypted": true,
				"SnapshotId": "snap-01047646ec075f543",
				"VolumeSize": 8,
				"VolumeType": "gp2"
			}
		}],
		"MetadataOptions": {
			"HttpTokens": "enabled",
			"HttpPutResponseHopLimit": 1
		},
		"Monitoring": {
			"Enabled": true
		},
		"NetworkInterfaces": [{
			"AssociatePublicIpAddress": true
		}]
	},
	"LaunchTemplateName": "string",
	"LicenseSpecifications": ["string"],
	"SecurityGroupIds": ["sg-01fce87ad6e019725"],
	"SecurityGroups": ["string"],
	"TagSpecifications": ["string"]
}
```

## AwsEc2NetworkAcl


The `AwsEc2NetworkAcl` object contains details about an Amazon EC2 network access control list (ACL).

The following example shows the Amazon Security Finding Format (ASFF) for the `AwsEc2NetworkAcl` object. To view descriptions of `AwsEc2NetworkAcl` attributes, see [AwsEc2NetworkAclDetails](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_AwsEc2NetworkAclDetails.html) in the *Amazon Security Hub API Reference*.

**Example**

```
"AwsEc2NetworkAcl": {
    "IsDefault": false,
    "NetworkAclId": "acl-1234567890abcdef0",
    "OwnerId": "123456789012",
    "VpcId": "vpc-1234abcd",
    "Associations": [{
        "NetworkAclAssociationId": "aclassoc-abcd1234",
        "NetworkAclId": "acl-021345abcdef6789",
        "SubnetId": "subnet-abcd1234"
   }],
   "Entries": [{
        "CidrBlock": "10.24.34.0/23",
        "Egress": true,
        "IcmpTypeCode": {
            "Code": 10,
            "Type": 30
        },
        "Ipv6CidrBlock": "2001:DB8::/32",
        "PortRange": {
            "From": 20,
            "To": 40
        },
        "Protocol": "tcp",
        "RuleAction": "allow",
        "RuleNumber": 100
   }]
}
```

## AwsEc2NetworkInterface


The `AwsEc2NetworkInterface` object provides information about an Amazon EC2 network interface.

The following example shows the Amazon Security Finding Format (ASFF) for the `AwsEc2NetworkInterface` object. To view descriptions of `AwsEc2NetworkInterface` attributes, see [AwsEc2NetworkInterfaceDetails](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_AwsEc2NetworkInterfaceDetails.html) in the *Amazon Security Hub API Reference*.

**Example**

```
"AwsEc2NetworkInterface": {
    "Attachment": {
        "AttachTime": "2019-01-01T03:03:21Z",
        "AttachmentId": "eni-attach-43348162",
        "DeleteOnTermination": true,
        "DeviceIndex": 123,
        "InstanceId": "i-1234567890abcdef0",
        "InstanceOwnerId": "123456789012",
        "Status": "ATTACHED"
    },
    "SecurityGroups": [
        {
            "GroupName": "my-security-group",
            "GroupId": "sg-903004f8"
        }
    ],
    "NetworkInterfaceId": "eni-686ea200",
    "SourceDestCheck": false
}
```

## AwsEc2RouteTable


The `AwsEc2RouteTable` object provides information about an Amazon EC2 route table.

The following example shows the Amazon Security Finding Format (ASFF) for the `AwsEc2RouteTable` object. To view descriptions of `AwsEc2RouteTable` attributes, see [AwsEc2RouteTableDetails](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_AwsEc2RouteTableDetails.html) in the *Amazon Security Hub API Reference*.

**Example**

```
"AwsEc2RouteTable": {
    "AssociationSet": [{
    	"AssociationState": {
    		"State": "associated"
    	},
    	"Main": true,
    	"RouteTableAssociationId": "rtbassoc-08e706c45de9f7512",
    	"RouteTableId": "rtb-0a59bde9cf2548e34"
    }],
    "PropagatingVgwSet": [],
    "RouteTableId": "rtb-0a59bde9cf2548e34",
    "RouteSet": [
    	{
    		"DestinationCidrBlock": "10.24.34.0/23",
    		"GatewayId": "local",
    		"Origin": "CreateRouteTable",
    		"State": "active"
    	},
    	{
    		"DestinationCidrBlock": "10.24.34.0/24",
    		"GatewayId": "igw-0242c2d7d513fc5d3",
    		"Origin": "CreateRoute",
    		"State": "active"
    	}
    ],
    "VpcId": "vpc-0c250a5c33f51d456"
}
```

## AwsEc2SecurityGroup


The `AwsEc2SecurityGroup` object describes an Amazon EC2 security group.

The following example shows the Amazon Security Finding Format (ASFF) for the `AwsEc2SecurityGroup` object. To view descriptions of `AwsEc2SecurityGroup` attributes, see [AwsEc2SecurityGroupDetails](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_AwsEc2SecurityGroupDetails.html) in the *Amazon Security Hub API Reference*.

**Example**

```
"AwsEc2SecurityGroup": {
    "GroupName": "MySecurityGroup",
    "GroupId": "sg-903004f8",
    "OwnerId": "123456789012",
    "VpcId": "vpc-1a2b3c4d",
    "IpPermissions": [
        {
            "IpProtocol": "-1",
            "IpRanges": [],
            "UserIdGroupPairs": [
                {
                    "UserId": "123456789012",
                    "GroupId": "sg-903004f8"
                }
            ],
            "PrefixListIds": [
                {"PrefixListId": "pl-63a5400a"}
            ]
        },
        {
            "PrefixListIds": [],
            "FromPort": 22,
            "IpRanges": [
                {
                    "CidrIp": "203.0.113.0/24"
                }
            ],
            "ToPort": 22,
            "IpProtocol": "tcp",
            "UserIdGroupPairs": []
        }
    ]
}
```

## AwsEc2Subnet


The `AwsEc2Subnet` object provides information about a subnet in Amazon EC2.

The following example shows the Amazon Security Finding Format (ASFF) for the `AwsEc2Subnet` object. To view descriptions of `AwsEc2Subnet` attributes, see [AwsEc2SubnetDetails](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_AwsEc2SubnetDetails.html) in the *Amazon Security Hub API Reference*.

**Example**

```
"AwsEc2Subnet": {
    "AssignIpv6AddressOnCreation": false,
    "AvailabilityZone": "us-west-2c",
    "AvailabilityZoneId": "usw2-az3",
    "AvailableIpAddressCount": 8185,
    "CidrBlock": "10.0.0.0/24",
    "DefaultForAz": false,
    "MapPublicIpOnLaunch": false,
    "OwnerId": "123456789012",
    "State": "available",
    "SubnetArn": "arn:aws:ec2:us-west-2:123456789012:subnet/subnet-d5436c93",
    "SubnetId": "subnet-d5436c93",
    "VpcId": "vpc-153ade70",
    "Ipv6CidrBlockAssociationSet": [{
        "AssociationId": "subnet-cidr-assoc-EXAMPLE",
        "Ipv6CidrBlock": "2001:DB8::/32",
        "CidrBlockState": "associated"
    }]
}
```

## AwsEc2TransitGateway


The `AwsEc2TransitGateway` object provides details about an Amazon EC2 transit gateway that interconnects your virtual private clouds (VPCs) and on-premises networks.

The following is an example `AwsEc2TransitGateway` finding in the Amazon Security Finding Format (ASFF). To view descriptions of `AwsEc2TransitGateway` attributes, see [AwsEc2TransitGatewayDetails](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_AwsEc2TransitGatewayDetails.html) in the *Amazon Security Hub API Reference*.

**Example**

```
"AwsEc2TransitGateway": {
	"AmazonSideAsn": 65000,
	"AssociationDefaultRouteTableId": "tgw-rtb-099ba47cbbea837cc",
	"AutoAcceptSharedAttachments": "disable",
	"DefaultRouteTableAssociation": "enable",
	"DefaultRouteTablePropagation": "enable",
	"Description": "sample transit gateway",
	"DnsSupport": "enable",
	"Id": "tgw-042ae6bf7a5c126c3",
	"MulticastSupport": "disable",
	"PropagationDefaultRouteTableId": "tgw-rtb-099ba47cbbea837cc",
	"TransitGatewayCidrBlocks": ["10.0.0.0/16"],
	"VpnEcmpSupport": "enable"
}
```

## AwsEc2Volume


The `AwsEc2Volume` object provides details about an Amazon EC2 volume.

The following example shows the Amazon Security Finding Format (ASFF) for the `AwsEc2Volume` object. To view descriptions of `AwsEc2Volume` attributes, see [AwsEc2VolumeDetails](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_AwsEc2VolumeDetails.html) in the *Amazon Security Hub API Reference*.

**Example**

```
"AwsEc2Volume": {
    "Attachments": [
      {
        "AttachTime": "2017-10-17T14:47:11Z",
        "DeleteOnTermination": true,
        "InstanceId": "i-123abc456def789g",
        "Status": "attached"
      }
     ],
    "CreateTime": "2020-02-24T15:54:30Z",
    "Encrypted": true,
    "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "Size": 80,
    "SnapshotId": "",
    "Status": "available"
}
```

## AwsEc2Vpc


The `AwsEc2Vpc` object provides details about an Amazon EC2 VPC.

The following example shows the Amazon Security Finding Format (ASFF) for the `AwsEc2Vpc` object. To view descriptions of `AwsEc2Vpc` attributes, see [AwsEc2VpcDetails](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_AwsEc2VpcDetails.html) in the *Amazon Security Hub API Reference*.

**Example**

```
"AwsEc2Vpc": {
    "CidrBlockAssociationSet": [
        {
            "AssociationId": "vpc-cidr-assoc-0dc4c852f52abda97",
            "CidrBlock": "192.0.2.0/24",
            "CidrBlockState": "associated"
        }
    ],
    "DhcpOptionsId": "dopt-4e42ce28",
    "Ipv6CidrBlockAssociationSet": [
        {
            "AssociationId": "vpc-cidr-assoc-0dc4c852f52abda97",
            "CidrBlockState": "associated",
            "Ipv6CidrBlock": "2001:DB8::/32"
        }
    ],
    "State": "available"
}
```

## AwsEc2VpcEndpointService


The `AwsEc2VpcEndpointService` object contains details about the service configuration for a VPC endpoint service.

The following example shows the Amazon Security Finding Format (ASFF) for the `AwsEc2VpcEndpointService` object. To view descriptions of `AwsEc2VpcEndpointService` attributes, see [AwsEc2VpcEndpointServiceDetails](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_AwsEc2VpcEndpointServiceDetails.html) in the *Amazon Security Hub API Reference*.

**Example**

```
"AwsEc2VpcEndpointService": {
    "ServiceType": [
      {
        "ServiceType": "Interface"
      }
    ],
    "ServiceId": "vpce-svc-example1",
    "ServiceName": "com.amazonaws.vpce.us-east-1.vpce-svc-example1",
    "ServiceState": "Available",
    "AvailabilityZones": [
      "us-east-1"
    ],
    "AcceptanceRequired": true,
    "ManagesVpcEndpoints": false,
    "NetworkLoadBalancerArns": [
      "arn:aws:elasticloadbalancing:us-east-1:444455556666:loadbalancer/net/my-network-load-balancer/example1"
    ],
    "GatewayLoadBalancerArns": [],
    "BaseEndpointDnsNames": [
      "vpce-svc-04eec859668b51c34.us-east-1.vpce.amazonaws.com"
    ],
    "PrivateDnsName": "my-private-dns"
}
```

## AwsEc2VpcPeeringConnection


The `AwsEc2VpcPeeringConnection` object provides details about the networking connection between two VPCs.

The following example shows the Amazon Security Finding Format (ASFF) for the `AwsEc2VpcPeeringConnection` object. To view descriptions of `AwsEc2VpcPeeringConnection` attributes, see [AwsEc2VpcPeeringConnectionDetails](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_AwsEc2VpcPeeringConnectionDetails.html) in the *Amazon Security Hub API Reference*.

**Example**

```
"AwsEc2VpcPeeringConnection": { 
	"AccepterVpcInfo": {
		"CidrBlock": "10.0.0.0/28",
		"CidrBlockSet": [{
			"CidrBlock": "10.0.0.0/28"
		}],
		"Ipv6CidrBlockSet": [{
			"Ipv6CidrBlock": "2002::1234:abcd:ffff:c0a8:101/64"
		}],
		"OwnerId": "012345678910",
		"PeeringOptions": {
			"AllowDnsResolutionFromRemoteVpc": true,
			"AllowEgressFromLocalClassicLinkToRemoteVpc": false,
			"AllowEgressFromLocalVpcToRemoteClassicLink": true
		},
		"Region": "us-west-2",
		"VpcId": "vpc-i123456"
	},
	"ExpirationTime": "2022-02-18T15:31:53.161Z",
	"RequesterVpcInfo": {
		"CidrBlock": "192.168.0.0/28",
		"CidrBlockSet": [{
			"CidrBlock": "192.168.0.0/28"
		}],
		"Ipv6CidrBlockSet": [{
			"Ipv6CidrBlock": "2002::1234:abcd:ffff:c0a8:101/64"
		}],
		"OwnerId": "012345678910",
		"PeeringOptions": {
			"AllowDnsResolutionFromRemoteVpc": true,
			"AllowEgressFromLocalClassicLinkToRemoteVpc": false,
			"AllowEgressFromLocalVpcToRemoteClassicLink": true
		},
		"Region": "us-west-2",
		"VpcId": "vpc-i123456"
	},
	"Status": {
		"Code": "initiating-request",
		"Message": "Active"
	},
	"VpcPeeringConnectionId": "pcx-1a2b3c4d"
}
```

# AwsEcr resources in ASFF

The following are examples of the Amazon Security Finding Format (ASFF) syntax for `AwsEcr` resources.

Amazon Security Hub CSPM normalizes findings from various sources into ASFF. For background information about ASFF, see [Amazon Security Finding Format (ASFF)](securityhub-findings-format.md).

## AwsEcrContainerImage


The `AwsEcrContainerImage` object provides information about an Amazon ECR image.

The following example shows the Amazon Security Finding Format (ASFF) for the `AwsEcrContainerImage` object. To view descriptions of `AwsEcrContainerImage` attributes, see [AwsEcrContainerImageDetails](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_AwsEcrContainerImageDetails.html) in the *Amazon Security Hub API Reference*.

**Example**

```
"AwsEcrContainerImage": {
    "RegistryId": "123456789012",
    "RepositoryName": "repository-name",
    "Architecture": "amd64",
    "ImageDigest": "sha256:a568e5c7a953fbeaa2904ac83401f93e4a076972dc1bae527832f5349cd2fb10",
    "ImageTags": ["00000000-0000-0000-0000-000000000000"],
    "ImagePublishedAt": "2019-10-01T20:06:12Z"
}
```

## AwsEcrRepository


The `AwsEcrRepository` object provides information about an Amazon Elastic Container Registry repository.

The following example shows the Amazon Security Finding Format (ASFF) for the `AwsEcrRepository` object. To view descriptions of `AwsEcrRepository` attributes, see [AwsEcrRepositoryDetails](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_AwsEcrRepositoryDetails.html) in the *Amazon Security Hub API Reference*.

**Example**

```
"AwsEcrRepository": {
    "LifecyclePolicy": {
        "RegistryId": "123456789012"
    },
    "RepositoryName": "sample-repo",
    "Arn": "arn:aws:ecr:us-west-2:111122223333:repository/sample-repo",
    "ImageScanningConfiguration": {
        "ScanOnPush": true
    },
    "ImageTagMutability": "IMMUTABLE"
}
```

# AwsEcs resources in ASFF

The following are examples of the Amazon Security Finding Format (ASFF) syntax for `AwsEcs` resources.

Amazon Security Hub CSPM normalizes findings from various sources into ASFF. For background information about ASFF, see [Amazon Security Finding Format (ASFF)](securityhub-findings-format.md).

## AwsEcsCluster


The `AwsEcsCluster` object provides details about an Amazon Elastic Container Service cluster.

The following example shows the Amazon Security Finding Format (ASFF) for the `AwsEcsCluster` object. To view descriptions of `AwsEcsCluster` attributes, see [AwsEcsClusterDetails](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_AwsEcsClusterDetails.html) in the *Amazon Security Hub API Reference*.

**Example**

```
"AwsEcsCluster": {
    "CapacityProviders": [],
    "ClusterSettings": [
        {
            "Name": "containerInsights",
            "Value": "enabled"
        }
    ],
    "Configuration": {
        "ExecuteCommandConfiguration": {
            "KmsKeyId": "kmsKeyId",
            "LogConfiguration": {
                "CloudWatchEncryptionEnabled": true,
                "CloudWatchLogGroupName": "cloudWatchLogGroupName",
                "S3BucketName": "s3BucketName",
                "S3EncryptionEnabled": true,
                "S3KeyPrefix": "s3KeyPrefix"
            },
            "Logging": "DEFAULT"
        }
    },
    "DefaultCapacityProviderStrategy": [
        {
            "Base": 0,
            "CapacityProvider": "capacityProvider",
            "Weight": 1
        }
    ]
}
```

## AwsEcsContainer


The `AwsEcsContainer` object contains details about an Amazon ECS container.

The following example shows the Amazon Security Finding Format (ASFF) for the `AwsEcsContainer` object. To view descriptions of `AwsEcsContainer` attributes, see [AwsEcsContainerDetails](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_AwsEcsContainerDetails.html) in the *Amazon Security Hub API Reference*.

**Example**

```
"AwsEcsContainer": {
    "Image": "1111111/knotejs@sha256:356131c9fef111111111111115f4ed8de5f9dce4dc3bd34bg21846588a3",
    "MountPoints": [{
        "ContainerPath": "/mnt/etc",
        "SourceVolume": "vol-03909e9"
    }],
    "Name": "knote",
    "Privileged": true 
}
```

## AwsEcsService


The `AwsEcsService` object provides details about a service within an Amazon ECS cluster.

The following example shows the Amazon Security Finding Format (ASFF) for the `AwsEcsService` object. To view descriptions of `AwsEcsService` attributes, see [AwsEcsServiceDetails](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_AwsEcsServiceDetails.html) in the *Amazon Security Hub API Reference*.

**Example**

```
"AwsEcsService": {
    "CapacityProviderStrategy": [
        {
            "Base": 12,
            "CapacityProvider": "",
            "Weight": ""
        }
    ],
    "Cluster": "arn:aws:ecs:us-east-1:111122223333:cluster/example-ecs-cluster",
    "DeploymentConfiguration": {
        "DeploymentCircuitBreaker": {
            "Enable": false,
            "Rollback": false
        },
        "MaximumPercent": 200,
        "MinimumHealthyPercent": 100
    },
    "DeploymentController": "",
    "DesiredCount": 1,
    "EnableEcsManagedTags": false,
    "EnableExecuteCommand": false,
    "HealthCheckGracePeriodSeconds": 1,
    "LaunchType": "FARGATE",
    "LoadBalancers": [
        {
            "ContainerName": "",
            "ContainerPort": 23,
            "LoadBalancerName": "",
            "TargetGroupArn": ""
        }
    ],
    "Name": "sample-app-service",
    "NetworkConfiguration": {
        "AwsVpcConfiguration": {
            "Subnets": [
                "Subnet-example1",
                "Subnet-example2"
            ],
            "SecurityGroups": [
                "Sg-0ce48e9a6e5b457f5"
            ],
            "AssignPublicIp": "ENABLED"
        }
    },
    "PlacementConstraints": [
        {
            "Expression": "",
            "Type": ""
        }
    ],
    "PlacementStrategies": [
        {
            "Field": "",
            "Type": ""
        }
    ],
    "PlatformVersion": "LATEST",
    "PropagateTags": "",
    "Role": "arn:aws:iam::111122223333:role/aws-servicerole/ecs.amazonaws.com/ServiceRoleForECS",
    "SchedulingStrategy": "REPLICA",
    "ServiceName": "sample-app-service",
    "ServiceArn": "arn:aws:ecs:us-east-1:111122223333:service/example-ecs-cluster/sample-app-service",
    "ServiceRegistries": [
        {
            "ContainerName": "",
            "ContainerPort": 1212,
            "Port": 1221,
            "RegistryArn": ""
        }
    ],
    "TaskDefinition": "arn:aws:ecs:us-east-1:111122223333:task-definition/example-taskdef:1"
}
```

## AwsEcsTask


The `AwsEcsTask` object provides details about an Amazon ECS task. 

The following example shows the Amazon Security Finding Format (ASFF) for the `AwsEcsTask` object. To view descriptions of `AwsEcsTask` attributes, see [AwsEcsTaskDetails](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_AwsEcsTaskDetails.html) in the *Amazon Security Hub API Reference*.

**Example**

```
"AwsEcsTask": {
	"ClusterArn": "arn:aws-cn:ecs:us-west-2:123456789012:task/MyCluster/1234567890123456789",
	"CreatedAt": "1557134011644",
	"Group": "service:fargate-service",
	"StartedAt": "1557134011644",
	"StartedBy": "ecs-svc/1234567890123456789",
	"TaskDefinitionArn": "arn:aws-cn:ecs:us-west-2:123456789012:task-definition/sample-fargate:2",
	"Version": 3,
	"Volumes": [{
		"Name": "string",
		"Host": {
			"SourcePath": "string"
		}
	}],
	"Containers": [{
		"Image": "1111111/knotejs@sha256:356131c9fef111111111111115f4ed8de5f9dce4dc3bd34bg21846588a3",
		"MountPoints": [{
			"ContainerPath": "/mnt/etc",
			"SourceVolume": "vol-03909e9"
		}],
		"Name": "knote",
		"Privileged": true
	}]
}
```

## AwsEcsTaskDefinition


The `AwsEcsTaskDefinition` object contains details about a task definition. A task definition describes the container and volume definitions of an Amazon Elastic Container Service task.

The following example shows the Amazon Security Finding Format (ASFF) for the `AwsEcsTaskDefinition` object. To view descriptions of `AwsEcsTaskDefinition` attributes, see [AwsEcsTaskDefinitionDetails](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_AwsEcsTaskDefinitionDetails.html) in the *Amazon Security Hub API Reference*.

**Example**

```
"AwsEcsTaskDefinition": {
    "ContainerDefinitions": [
        {
            "Command": ["ruby", "hi.rb"],
            "Cpu": 128,
            "Essential": true,
            "HealthCheck": {
                "Command": ["CMD-SHELL", "curl -f http://localhost/ || exit 1"],
                "Interval": 10,
                "Retries": 3,
                "StartPeriod": 5,
                "Timeout": 20
            },
            "Image": "tongueroo/sinatra:latest",
            "Interactive": true,
            "Links": [],
            "LogConfiguration": {
                "LogDriver": "awslogs",
                "Options": {
                    "awslogs-group": "/ecs/sinatra-hi",
                    "awslogs-region": "ap-southeast-1",
                    "awslogs-stream-prefix": "ecs"
                },
                "SecretOptions": []
            },
            "MemoryReservation": 128,
            "Name": "web",
            "PortMappings": [
                {
                    "ContainerPort": 4567,
                    "HostPort": 4567,
                    "Protocol": "tcp"
                }
            ],
            "Privileged": true,
            "StartTimeout": 10,
            "StopTimeout": 100
        }
    ],
    "Family": "sinatra-hi",
    "NetworkMode": "host",
    "RequiresCompatibilities": ["EC2"],
    "Status": "ACTIVE",
    "TaskRoleArn": "arn:aws-cn:iam::111122223333:role/ecsTaskExecutionRole"
}
```

# AwsEfs resources in ASFF

The following are examples of the Amazon Security Finding Format (ASFF) syntax for `AwsEfs` resources.

Amazon Security Hub CSPM normalizes findings from various sources into ASFF. For background information about ASFF, see [Amazon Security Finding Format (ASFF)](securityhub-findings-format.md).

## AwsEfsAccessPoint


The `AwsEfsAccessPoint` object provides details about an Amazon Elastic File System (Amazon EFS) access point, including the POSIX identity and root directory it applies to file system access.

The following example shows the Amazon Security Finding Format (ASFF) for the `AwsEfsAccessPoint` object. To view descriptions of `AwsEfsAccessPoint` attributes, see [AwsEfsAccessPointDetails](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_AwsEfsAccessPointDetails.html) in the *Amazon Security Hub API Reference*.

**Example**

```
"AwsEfsAccessPoint": { 
	"AccessPointId": "fsap-05c4c0e79ba0b118a",
	"Arn": "arn:aws-cn:elasticfilesystem:us-east-1:863155670886:access-point/fsap-05c4c0e79ba0b118a",
	"ClientToken": "AccessPointCompliant-ASk06ZZSXsEp",
	"FileSystemId": "fs-0f8137f731cb32146",
	"PosixUser": {
		"Gid": "1000",
		"SecondaryGids": ["0", "4294967295"],
		"Uid": "1234"
	},
	"RootDirectory": {
		"CreationInfo": {
			"OwnerGid": "1000",
			"OwnerUid": "1234",
			"Permissions": "777"
		},
		"Path": "/tmp/example"
	}
}
```

# AwsEks resources in ASFF

The following are examples of the Amazon Security Finding Format (ASFF) syntax for `AwsEks` resources.

Amazon Security Hub CSPM normalizes findings from various sources into ASFF. For background information about ASFF, see [Amazon Security Finding Format (ASFF)](securityhub-findings-format.md).

## AwsEksCluster


The `AwsEksCluster` object provides details about an Amazon EKS cluster.

The following example shows the Amazon Security Finding Format (ASFF) for the `AwsEksCluster` object. To view descriptions of `AwsEksCluster` attributes, see [AwsEksClusterDetails](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_AwsEksClusterDetails.html) in the *Amazon Security Hub API Reference*.

**Example**

```
{
  "AwsEksCluster": {
    "Name": "example",
    "Arn": "arn:aws-cn:eks:us-west-2:222222222222:cluster/example",
    "CreatedAt": 1565804921.901,
    "Version": "1.12",
    "RoleArn": "arn:aws-cn:iam::222222222222:role/example-cluster-ServiceRole-1XWBQWYSFRE2Q",
    "ResourcesVpcConfig": {
      "EndpointPublicAccess": false,
      "SubnetIds": [
        "subnet-021345abcdef6789",
        "subnet-abcdef01234567890",
        "subnet-1234567890abcdef0"
      ],
      "SecurityGroupIds": [
        "sg-abcdef01234567890"
      ]
    },
    "Logging": {
      "ClusterLogging": [
        {
          "Types": [
            "api",
            "audit",
            "authenticator",
            "controllerManager",
            "scheduler"
          ],
          "Enabled": true
        }
      ]
    },
    "Status": "CREATING",
    "CertificateAuthorityData": {}
  }
}
```
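A consumer of Security Hub findings walks the `Details` objects shown on this page rather than the raw service APIs. The following Python is an added example, not code from the Security Hub documentation: it evaluates constructed `AwsEc2SecurityGroup`, `AwsEcsTaskDefinition` and `AwsEksCluster` objects, shaped like the examples above, for common posture risks. The resource Ids, the `0.0.0.0/0` ingress range and the check logic are assumptions of this example, not Security Hub controls.

```python
from ipaddress import ip_network

# Constructed ASFF Resources entries, modelled on the Details examples on this
# page. The resource Ids and the 0.0.0.0/0 ingress range are constructed for
# this demo; in a real finding these objects sit under Resources[].Details.
SAMPLE_RESOURCES = [
    {"Type": "AwsEc2SecurityGroup", "Id": "sg-903004f8",
     "Details": {"AwsEc2SecurityGroup": {
         "GroupId": "sg-903004f8",
         "IpPermissions": [
             {"IpProtocol": "-1", "IpRanges": [],
              "UserIdGroupPairs": [{"UserId": "123456789012", "GroupId": "sg-903004f8"}]},
             {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
              "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
         ]}}},
    {"Type": "AwsEcsTaskDefinition", "Id": "sinatra-hi:1",
     "Details": {"AwsEcsTaskDefinition": {
         "Family": "sinatra-hi",
         "NetworkMode": "host",
         "ContainerDefinitions": [
             {"Name": "web", "Privileged": True, "Image": "tongueroo/sinatra:latest"}]}}},
    {"Type": "AwsEksCluster", "Id": "example",
     "Details": {"AwsEksCluster": {
         "Name": "example",
         "ResourcesVpcConfig": {"EndpointPublicAccess": False},
         "Logging": {"ClusterLogging": [{"Types": ["api", "audit"], "Enabled": True}]}}}},
]

def is_any_address(cidr):
    """True for 0.0.0.0/0 or ::/0: a zero-length prefix matches every address."""
    try:
        return ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:
        return False

def check_security_group(sg):
    """One message per inbound rule whose IPv4 or IPv6 range is the whole internet."""
    issues = []
    for perm in sg.get("IpPermissions", []):
        ranges = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
        ranges += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
        open_ranges = [c for c in ranges if c and is_any_address(c)]
        if not open_ranges:
            continue  # only reachable from other groups or specific ranges
        proto = perm.get("IpProtocol", "-1")
        ports = "all ports" if proto == "-1" else f"{proto} {perm.get('FromPort')}-{perm.get('ToPort')}"
        issues.append(f"ingress {ports} open to {', '.join(open_ranges)}")
    return issues

def check_task_definition(td):
    """Flag host networking and privileged containers in an ECS task definition."""
    issues = []
    if td.get("NetworkMode") == "host":
        issues.append("task uses host network mode")
    for c in td.get("ContainerDefinitions", []):
        if c.get("Privileged"):
            issues.append(f"container {c.get('Name')} runs privileged")
    return issues

def check_eks_cluster(cluster):
    """Flag a public API endpoint and missing control-plane log types."""
    issues = []
    if cluster.get("ResourcesVpcConfig", {}).get("EndpointPublicAccess"):
        issues.append("EKS API endpoint is publicly reachable")
    enabled = set()
    for entry in cluster.get("Logging", {}).get("ClusterLogging", []):
        if entry.get("Enabled"):
            enabled.update(entry.get("Types", []))
    missing = {"api", "audit", "authenticator"} - enabled
    if missing:
        issues.append("control plane logs disabled: " + ", ".join(sorted(missing)))
    return issues

# Dispatch on the resource Type; the Details key carries the same name.
CHECKS = {"AwsEc2SecurityGroup": check_security_group,
          "AwsEcsTaskDefinition": check_task_definition,
          "AwsEksCluster": check_eks_cluster}

def evaluate_resources(resources):
    """Map each resource Id to the posture issues found in its Details object."""
    report = {}
    for res in resources:
        rtype = res.get("Type")
        details = res.get("Details", {}).get(rtype, {})
        check = CHECKS.get(rtype)
        if check and details:
            issues = check(details)
            if issues:
                report[res["Id"]] = issues
    return report

if __name__ == "__main__":
    for rid, issues in evaluate_resources(SAMPLE_RESOURCES).items():
        print(rid, "->", "; ".join(issues))
```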

# AwsElasticBeanstalk resources in ASFF

The following are examples of the Amazon Security Finding Format (ASFF) syntax for `AwsElasticBeanstalk` resources.

Amazon Security Hub CSPM normalizes findings from various sources into ASFF. For background information about ASFF, see [Amazon Security Finding Format (ASFF)](securityhub-findings-format.md).

## AwsElasticBeanstalkEnvironment


The `AwsElasticBeanstalkEnvironment` object contains details about an Amazon Elastic Beanstalk environment.

The following example shows the Amazon Security Finding Format (ASFF) for the `AwsElasticBeanstalkEnvironment` object. To view descriptions of `AwsElasticBeanstalkEnvironment` attributes, see [AwsElasticBeanstalkEnvironmentDetails](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_AwsElasticBeanstalkEnvironmentDetails.html) in the *Amazon Security Hub API Reference*.

**Example**

```
"AwsElasticBeanstalkEnvironment": {
    "ApplicationName": "MyApplication",
    "Cname": "myexampleapp-env.devo-2.elasticbeanstalk-internal.com",
    "DateCreated": "2021-04-30T01:38:01.090Z",
    "DateUpdated": "2021-04-30T01:38:01.090Z",
    "Description": "Example description of my awesome application",
    "EndpointUrl": "eb-dv-e-p-AWSEBLoa-abcdef01234567890-021345abcdef6789.us-east-1.elb.amazonaws.com",
    "EnvironmentArn": "arn:aws-cn:elasticbeanstalk:us-east-1:123456789012:environment/MyApplication/myapplication-env",
    "EnvironmentId": "e-abcd1234",
    "EnvironmentLinks": [
        {
            "EnvironmentName": "myexampleapp-env",
            "LinkName": "myapplicationLink"
        }
    ],
    "EnvironmentName": "myapplication-env",
    "OptionSettings": [
        {
            "Namespace": "aws:elasticbeanstalk:command",
            "OptionName": "BatchSize",
            "Value": "100"
        },
        {
            "Namespace": "aws:elasticbeanstalk:command",
            "OptionName": "Timeout",
            "Value": "600"
        },
        {
            "Namespace": "aws:elasticbeanstalk:command",
            "OptionName": "BatchSizeType",
            "Value": "Percentage"
        },
        {
            "Namespace": "aws:elasticbeanstalk:command",
            "OptionName": "IgnoreHealthCheck",
            "Value": "false"
        },
        {
            "Namespace": "aws:elasticbeanstalk:application",
            "OptionName": "Application Healthcheck URL",
            "Value": "TCP:80"
        }
    ],
    "PlatformArn": "arn:aws-cn:elasticbeanstalk:us-east-1::platform/Tomcat 8 with Java 8 running on 64bit Amazon Linux/2.7.7",
    "SolutionStackName": "64bit Amazon Linux 2017.09 v2.7.7 running Tomcat 8 Java 8",
    "Status": "Ready",
    "Tier": {
        "Name": "WebServer",
        "Type": "Standard",
        "Version": "1.0"
    },
    "VersionLabel": "Sample Application"
}
```

# AwsElasticSearch resources in ASFF

The following are examples of the Amazon Security Finding Format (ASFF) syntax for `AwsElasticSearch` resources.

Amazon Security Hub CSPM normalizes findings from various sources into ASFF. For background information about ASFF, see [Amazon Security Finding Format (ASFF)](securityhub-findings-format.md).

## AwsElasticSearchDomain


The `AwsElasticSearchDomain` object provides details about an Amazon OpenSearch Service domain.

The following example shows the Amazon Security Finding Format (ASFF) for the `AwsElasticSearchDomain` object. To view descriptions of `AwsElasticSearchDomain` attributes, see [AwsElasticSearchDomainDetails](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_AwsElasticsearchDomainDetails.html) in the *Amazon Security Hub API Reference*.

**Example**

```
"AwsElasticSearchDomain": {
    "AccessPolicies": "string",
    "DomainStatus": {
           "DomainId": "string",
           "DomainName": "string",
           "Endpoint": "string",
           "Endpoints": {
                  "string": "string"
           }
    },
    "DomainEndpointOptions": {
           "EnforceHTTPS": boolean,
           "TLSSecurityPolicy": "string"
    },
    "ElasticsearchClusterConfig": {
           "DedicatedMasterCount": number,
           "DedicatedMasterEnabled": boolean,
           "DedicatedMasterType": "string",
           "InstanceCount": number,
           "InstanceType": "string",
           "ZoneAwarenessConfig": {
                  "AvailabilityZoneCount": number
           },
           "ZoneAwarenessEnabled": boolean
    },
    "ElasticsearchVersion": "string",
    "EncryptionAtRestOptions": {
           "Enabled": boolean,
           "KmsKeyId": "string"
    },
    "LogPublishingOptions": {
           "AuditLogs": {
                  "CloudWatchLogsLogGroupArn": "string",
                  "Enabled": boolean
           },
           "IndexSlowLogs": {
                  "CloudWatchLogsLogGroupArn": "string",
                  "Enabled": boolean
           },
           "SearchSlowLogs": {
                  "CloudWatchLogsLogGroupArn": "string",
                  "Enabled": boolean
           }
    },
    "NodeToNodeEncryptionOptions": {
           "Enabled": boolean
    },
    "ServiceSoftwareOptions": {
           "AutomatedUpdateDate": "string",
           "Cancellable": boolean,
           "CurrentVersion": "string",
           "Description": "string",
           "NewVersion": "string",
           "UpdateAvailable": boolean,
           "UpdateStatus": "string"
    },
    "VPCOptions": {
           "AvailabilityZones": [
                 "string"
           ],
           "SecurityGroupIds": [
                 "string"
           ],
           "SubnetIds": [
                 "string"
           ],
          "VPCId": "string"
    }
}
```

# AwsElb resources in ASFF

The following are examples of the Amazon Security Finding Format (ASFF) syntax for `AwsElb` resources.

Amazon Security Hub CSPM normalizes findings from various sources into ASFF. For background information about ASFF, see [Amazon Security Finding Format (ASFF)](securityhub-findings-format.md).

## AwsElbLoadBalancer


The `AwsElbLoadBalancer` object contains details about a Classic Load Balancer.

The following example shows the Amazon Security Finding Format (ASFF) for the `AwsElbLoadBalancer` object. To view descriptions of `AwsElbLoadBalancer` attributes, see [AwsElbLoadBalancerDetails](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_AwsElbLoadBalancerDetails.html) in the *Amazon Security Hub API Reference*.

**Example**

```
"AwsElbLoadBalancer": {
    "AvailabilityZones": ["us-west-2a"],
    "BackendServerDescriptions": [
        {
            "InstancePort": 80,
            "PolicyNames": ["doc-example-policy"]
        }
    ],
    "CanonicalHostedZoneName": "my-load-balancer-444455556666.us-west-2.elb.amazonaws.com",
    "CanonicalHostedZoneNameID": "Z3DZXE0EXAMPLE",
    "CreatedTime": "2020-08-03T19:22:44.637Z",
    "DnsName": "my-load-balancer-444455556666.us-west-2.elb.amazonaws.com",
    "HealthCheck": {
        "HealthyThreshold": 2,
        "Interval": 30,
        "Target": "HTTP:80/png",
        "Timeout": 3,
        "UnhealthyThreshold": 2
    },
    "Instances": [
        {
            "InstanceId": "i-example"
        }
    ],
    "ListenerDescriptions": [
        {
            "Listener": {
                "InstancePort": 443,
                "InstanceProtocol": "HTTPS",
                "LoadBalancerPort": 443,
                "Protocol": "HTTPS",
                "SslCertificateId": "arn:aws:iam::444455556666:server-certificate/my-server-cert"
            },
            "PolicyNames": ["ELBSecurityPolicy-TLS-1-2-2017-01"]
        }
    ],
    "LoadBalancerAttributes": {
        "AccessLog": {
            "EmitInterval": 60,
            "Enabled": true,
            "S3BucketName": "amzn-s3-demo-bucket",
            "S3BucketPrefix": "doc-example-prefix"
        },
        "ConnectionDraining": {
            "Enabled": false,
            "Timeout": 300
        },
        "ConnectionSettings": {
            "IdleTimeout": 30
        },
        "CrossZoneLoadBalancing": {
            "Enabled": true
        },
        "AdditionalAttributes": [{
            "Key": "elb.http.desyncmitigationmode",
            "Value": "strictest"
        }]
    },
    "LoadBalancerName": "example-load-balancer",
    "Policies": {
        "AppCookieStickinessPolicies": [
            {
                "CookieName": "",
                "PolicyName": ""
            }
        ],
        "LbCookieStickinessPolicies": [
            {
                "CookieExpirationPeriod": 60,
                "PolicyName": "my-example-cookie-policy"
            }
        ],
        "OtherPolicies": [
            "my-PublicKey-policy",
            "my-authentication-policy",
            "my-SSLNegotiation-policy",
            "my-ProxyProtocol-policy",
            "ELBSecurityPolicy-2015-03"
        ]
    },
    "Scheme": "internet-facing",
    "SecurityGroups": ["sg-example"],
    "SourceSecurityGroup": {
        "GroupName": "my-elb-example-group",
        "OwnerAlias": "444455556666"
    },
    "Subnets": ["subnet-example"],
    "VpcId": "vpc-a01106c2"
}
```

## AwsElbv2LoadBalancer


The `AwsElbv2LoadBalancer` object provides information about a load balancer.

The following example shows the Amazon Security Finding Format (ASFF) for the `AwsElbv2LoadBalancer` object. To view descriptions of `AwsElbv2LoadBalancer` attributes, see [AwsElbv2LoadBalancerDetails](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_AwsElbv2LoadBalancerDetails.html) in the *Amazon Security Hub API Reference*.

**Example**

```
"AwsElbv2LoadBalancer": {
    "AvailabilityZones": [
        {
            "SubnetId": "string",
            "ZoneName": "string"
        }
    ],
    "CanonicalHostedZoneId": "string",
    "CreatedTime": "string",
    "DNSName": "string",
    "IpAddressType": "string",
    "LoadBalancerAttributes": [
        {
            "Key": "string",
            "Value": "string"
        }
    ],
    "Scheme": "string",
    "SecurityGroups": ["string"],
    "State": {
        "Code": "string",
        "Reason": "string"
    },
    "Type": "string",
    "VpcId": "string"
}
```

# AwsEventBridge resources in ASFF

The following are examples of the Amazon Security Finding Format (ASFF) syntax for `AwsEventBridge` resources.

Amazon Security Hub CSPM normalizes findings from various sources into ASFF. For background information about ASFF, see [Amazon Security Finding Format (ASFF)](securityhub-findings-format.md).

## AwsEventSchemasRegistry


The `AwsEventSchemasRegistry` object provides information about an Amazon EventBridge schema registry. A schema defines the structure of events that are sent to EventBridge. Schema registries are containers that collect and logically group your schemas.

The following example shows the Amazon Security Finding Format (ASFF) for the `AwsEventSchemasRegistry` object. To view descriptions of `AwsEventSchemasRegistry` attributes, see [AwsEventSchemasRegistryDetails](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_AwsEventSchemasRegistryDetails.html) in the *Amazon Security Hub API Reference*.

**Example**

```
"AwsEventSchemasRegistry": {
    "Description": "This is an example event schema registry.",
    "RegistryArn": "arn:aws-cn:schemas:us-east-1:123456789012:registry/schema-registry",
    "RegistryName": "schema-registry"
}
```

## AwsEventsEndpoint


The `AwsEventsEndpoint` object provides information about an Amazon EventBridge global endpoint. A global endpoint can improve your application's availability by making it tolerant of faults in a single Region.

The following example shows the Amazon Security Finding Format (ASFF) for the `AwsEventsEndpoint` object. To view descriptions of `AwsEventsEndpoint` attributes, see [AwsEventsEndpointDetails](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_AwsEventsEndpointDetails.html) in the *Amazon Security Hub API Reference*.

**Example**

```
"AwsEventsEndpoint": {
    "Arn": "arn:aws-cn:events:us-east-1:123456789012:endpoint/my-endpoint",
    "Description": "This is a sample endpoint.",
    "EndpointId": "04k1exajoy.veo",
    "EndpointUrl": "https://04k1exajoy.veo.endpoint.events.amazonaws.com",
    "EventBuses": [
        {
            "EventBusArn": "arn:aws-cn:events:us-east-1:123456789012:event-bus/default"
        },
        {
            "EventBusArn": "arn:aws-cn:events:us-east-2:123456789012:event-bus/default"
        }
    ],
    "Name": "my-endpoint",
    "ReplicationConfig": {
        "State": "ENABLED"
    },
    "RoleArn": "arn:aws-cn:iam::123456789012:role/service-role/Amazon_EventBridge_Invoke_Event_Bus_1258925394",
    "RoutingConfig": {
        "FailoverConfig": {
            "Primary": {
                "HealthCheck": "arn:aws-cn:route53:::healthcheck/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
            },
            "Secondary": {
                "Route": "us-east-2"
            }
        }
    },
    "State": "ACTIVE"
}
```

## AwsEventsEventbus


The `AwsEventsEventbus` object provides information about an Amazon EventBridge event bus. An event bus receives events from sources and routes them to the rules associated with the bus; its resource policy controls which principals may put events on it.

The following example shows the Amazon Security Finding Format (ASFF) for the `AwsEventsEventbus` object. To view descriptions of `AwsEventsEventbus` attributes, see [AwsEventsEventbusDetails](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_AwsEventsEventbusDetails.html) in the *Amazon Security Hub API Reference*.

**Example**

```
"AwsEventsEventbus": {
    "Arn": "arn:aws-cn:events:us-east-1:123456789012:event-bus/my-event-bus",
    "Name": "my-event-bus",
    "Policy": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"AllowAllAccountsFromOrganizationToPutEvents\",\"Effect\":\"Allow\",\"Principal\":\"*\",\"Action\":\"events:PutEvents\",\"Resource\":\"arn:aws-cn:events:us-east-1:123456789012:event-bus/my-event-bus\",\"Condition\":{\"StringEquals\":{\"aws:PrincipalOrgID\":\"o-ki7yjtkjv5\"}}},{\"Sid\":\"AllowAccountToManageRulesTheyCreated\",\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"arn:aws-cn:iam::123456789012:root\"},\"Action\":[\"events:PutRule\",\"events:PutTargets\",\"events:DeleteRule\",\"events:RemoveTargets\",\"events:DisableRule\",\"events:EnableRule\",\"events:TagResource\",\"events:UntagResource\",\"events:DescribeRule\",\"events:ListTargetsByRule\",\"events:ListTagsForResource\"],\"Resource\":\"arn:aws-cn:events:us-east-1:123456789012:rule/my-event-bus\",\"Condition\":{\"StringEqualsIfExists\":{\"events:creatorAccount\":\"123456789012\"}}}]}"
}
```
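The `Policy` attribute above is a JSON document carried as a string, so a consumer of this object has to decode it before inspecting it. As an added example (not from the page or from EventBridge's own documentation), the following check decodes that string and reports Allow statements that grant a wildcard principal `events:PutEvents` without an `aws:PrincipalOrgID` condition; the first statement is the page's, the second unconditioned one is constructed for illustration.

```python
import json
from typing import Any

BUS_ARN = "arn:aws-cn:events:us-east-1:123456789012:event-bus/my-event-bus"

# Statement from the page's example: any principal may put events, but only
# from within one organization.
ORG_SCOPED_STATEMENT: dict[str, Any] = {
    "Sid": "AllowAllAccountsFromOrganizationToPutEvents",
    "Effect": "Allow",
    "Principal": "*",
    "Action": "events:PutEvents",
    "Resource": BUS_ARN,
    "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-ki7yjtkjv5"}},
}

# Constructed statement (not on the page): the same grant with no condition.
OPEN_STATEMENT: dict[str, Any] = {
    "Sid": "OpenPutEvents",
    "Effect": "Allow",
    "Principal": "*",
    "Action": "events:PutEvents",
    "Resource": BUS_ARN,
}


def eventbus_with(statements: list[dict[str, Any]]) -> dict[str, Any]:
    """Build an AwsEventsEventbus object; Policy is a JSON document stored as a string."""
    policy = {"Version": "2012-10-17", "Statement": statements}
    return {"Arn": BUS_ARN, "Name": "my-event-bus", "Policy": json.dumps(policy)}


def _as_list(value: Any) -> list:
    return value if isinstance(value, list) else [value]


def _is_wildcard_principal(principal: Any) -> bool:
    """Principal "*" or {"AWS": "*"} (possibly inside a list) means any caller."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def _scoped_to_org(condition: Any) -> bool:
    """True when some condition block keys on aws:PrincipalOrgID (keys are case-insensitive).
    Other scoping keys (for example aws:PrincipalAccount) are deliberately not treated
    as sufficient here; extend this function if your policy standard accepts them."""
    if not isinstance(condition, dict):
        return False
    return any(
        any(key.lower() == "aws:principalorgid" for key in block)
        for block in condition.values()
        if isinstance(block, dict)
    )


def find_open_statements(eventbus: dict[str, Any]) -> list[str]:
    """Return the Sids of Allow statements that give a wildcard principal access with no
    organization condition. An absent Policy means only the owning account can use the bus."""
    raw = eventbus.get("Policy")
    if not raw:
        return []
    policy = json.loads(raw)  # decode the string-encoded document first
    open_sids: list[str] = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if _is_wildcard_principal(stmt.get("Principal")) and not _scoped_to_org(stmt.get("Condition")):
            open_sids.append(stmt.get("Sid", "<no Sid>"))
    return open_sids


# Constructed sample in the shape of the AwsEventsEventbus object above.
SAMPLE_EVENTBUS = eventbus_with([ORG_SCOPED_STATEMENT, OPEN_STATEMENT])

if __name__ == "__main__":
    print(find_open_statements(SAMPLE_EVENTBUS))  # ['OpenPutEvents']
```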

# AwsGuardDuty resources in ASFF

The following are examples of the Amazon Security Finding Format (ASFF) syntax for `AwsGuardDuty` resources.

Amazon Security Hub CSPM normalizes findings from various sources into ASFF. For background information about ASFF, see [Amazon Security Finding Format (ASFF)](securityhub-findings-format.md).

## AwsGuardDutyDetector


The `AwsGuardDutyDetector` object provides information about an Amazon GuardDuty detector. A detector is an object that represents the GuardDuty service. A detector is required for GuardDuty to become operational.

The following example shows the Amazon Security Finding Format (ASFF) for the `AwsGuardDutyDetector` object. To view descriptions of `AwsGuardDutyDetector` attributes, see [AwsGuardDutyDetectorDetails](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_AwsGuardDutyDetectorDetails.html) in the *Amazon Security Hub API Reference*.

**Example**

```
"AwsGuardDutyDetector": {
    "FindingPublishingFrequency": "SIX_HOURS",
    "ServiceRole": "arn:aws-cn:iam::123456789012:role/aws-service-role/guardduty.amazonaws.com/AWSServiceRoleForAmazonGuardDuty",
    "Status": "ENABLED",
    "DataSources": {
        "CloudTrail": {
            "Status": "ENABLED"
        },
        "DnsLogs": {
            "Status": "ENABLED"
        },
        "FlowLogs": {
            "Status": "ENABLED"
        },
        "S3Logs": {
            "Status": "ENABLED"
        },
        "Kubernetes": {
            "AuditLogs": {
                "Status": "ENABLED"
            }
        },
        "MalwareProtection": {
            "ScanEc2InstanceWithFindings": {
                "EbsVolumes": {
                    "Status": "ENABLED"
                }
            },
            "ServiceRole": "arn:aws:iam::123456789012:role/aws-service-role/malware-protection.guardduty.amazonaws.com/AWSServiceRoleForAmazonGuardDutyMalwareProtection"
        }
    }
}
```

# AwsIam resources in ASFF

The following are examples of the Amazon Security Finding Format (ASFF) syntax for `AwsIam` resources.

Amazon Security Hub CSPM normalizes findings from various sources into ASFF. For background information about ASFF, see [Amazon Security Finding Format (ASFF)](securityhub-findings-format.md).

## AwsIamAccessKey


The `AwsIamAccessKey` object contains details about an IAM access key that is related to a finding.

The following example shows the Amazon Security Finding Format (ASFF) for the `AwsIamAccessKey` object. To view descriptions of `AwsIamAccessKey` attributes, see [AwsIamAccessKeyDetails](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_AwsIamAccessKeyDetails.html) in the *Amazon Security Hub API Reference*.

**Example**

```
"AwsIamAccessKey": {
    "AccessKeyId": "string",
    "AccountId": "string",
    "CreatedAt": "string",
    "PrincipalId": "string",
    "PrincipalName": "string",
    "PrincipalType": "string",
    "SessionContext": {
        "Attributes": {
            "CreationDate": "string",
            "MfaAuthenticated": boolean
        },
        "SessionIssuer": {
            "AccountId": "string",
            "Arn": "string",
            "PrincipalId": "string",
            "Type": "string",
            "UserName": "string"
        }
    },
    "Status": "string"
}
```

## AwsIamGroup


The `AwsIamGroup` object contains details about an IAM group.

The following example shows the Amazon Security Finding Format (ASFF) for the `AwsIamGroup` object. To view descriptions of `AwsIamGroup` attributes, see [AwsIamGroupDetails](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_AwsIamGroupDetails.html) in the *Amazon Security Hub API Reference*.

**Example**

```
"AwsIamGroup": {
    "AttachedManagedPolicies": [
        {
            "PolicyArn": "arn:aws:iam::aws:policy/ExampleManagedAccess",
            "PolicyName": "ExampleManagedAccess"
        }
    ],
    "CreateDate": "2020-04-28T14:08:37.000Z",
    "GroupId": "AGPA4TPS3VLP7QEXAMPLE",
    "GroupName": "Example_User_Group",
    "GroupPolicyList": [
        {
            "PolicyName": "ExampleGroupPolicy"
        }
    ],
    "Path": "/"
}
```

## AwsIamPolicy


The `AwsIamPolicy` object represents an IAM permissions policy.

The following example shows the Amazon Security Finding Format (ASFF) for the `AwsIamPolicy` object. To view descriptions of `AwsIamPolicy` attributes, see [AwsIamPolicyDetails](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_AwsIamPolicyDetails.html) in the *Amazon Security Hub API Reference*.

**Example**

```
"AwsIamPolicy": {
    "AttachmentCount": 1,
    "CreateDate": "2017-09-14T08:17:29.000Z",
    "DefaultVersionId": "v1",
    "Description": "Example IAM policy",
    "IsAttachable": true,
    "Path": "/",
    "PermissionsBoundaryUsageCount": 5,
    "PolicyId": "ANPAJ2UCCR6DPCEXAMPLE",
    "PolicyName": "EXAMPLE-MANAGED-POLICY",
    "PolicyVersionList": [
        {
            "VersionId": "v1",
            "IsDefaultVersion": true,
            "CreateDate": "2017-09-14T08:17:29.000Z"
        }
    ],
    "UpdateDate": "2017-09-14T08:17:29.000Z"
}
```

## AwsIamRole


The `AwsIamRole` object contains information about an IAM role, including all of the role's policies.

The following example shows the Amazon Security Finding Format (ASFF) for the `AwsIamRole` object. To view descriptions of `AwsIamRole` attributes, see [AwsIamRoleDetails](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_AwsIamRoleDetails.html) in the *Amazon Security Hub API Reference*.

**Example**

```
"AwsIamRole": {
    "AssumeRolePolicyDocument": "{'Version': '2012-10-17', 'Statement': [{'Effect': 'Allow','Action': 'sts:AssumeRole'}]}",
    "AttachedManagedPolicies": [
        {
            "PolicyArn": "arn:aws:iam::aws:policy/ExamplePolicy1",
            "PolicyName": "Example policy 1"
        },
        {
            "PolicyArn": "arn:aws:iam::444455556666:policy/ExamplePolicy2",
            "PolicyName": "Example policy 2"
        }
    ],
    "CreateDate": "2020-03-14T07:19:14.000Z",
    "InstanceProfileList": [
        {
            "Arn": "arn:aws:iam::333333333333:ExampleProfile",
            "CreateDate": "2020-03-11T00:02:27Z",
            "InstanceProfileId": "AIPAIXEU4NUHUPEXAMPLE",
            "InstanceProfileName": "ExampleInstanceProfile",
            "Path": "/",
            "Roles": [
                {
                    "Arn": "arn:aws:iam::444455556666:role/example-role",
                    "AssumeRolePolicyDocument": "",
                    "CreateDate": "2020-03-11T00:02:27Z",
                    "Path": "/",
                    "RoleId": "AROAJ52OTH4H7LEXAMPLE",
                    "RoleName": "example-role"
                }
            ]
        }
    ],
    "MaxSessionDuration": 3600,
    "Path": "/",
    "PermissionsBoundary": {
        "PermissionsBoundaryArn": "arn:aws:iam::aws:policy/AdministratorAccess",
        "PermissionsBoundaryType": "PermissionsBoundaryPolicy"
    },
    "RoleId": "AROA4TPS3VLEXAMPLE",
    "RoleName": "BONESBootstrapHydra-OverbridgeOpsFunctionsLambda",
    "RolePolicyList": [
        {
            "PolicyName": "Example role policy"
        }
    ]
}
```

## AwsIamUser


The `AwsIamUser` object provides information about a user.

The following example shows the Amazon Security Finding Format (ASFF) for the `AwsIamUser` object. To view descriptions of `AwsIamUser` attributes, see [AwsIamUserDetails](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_AwsIamUserDetails.html) in the *Amazon Security Hub API Reference*.

**Example**

```
"AwsIamUser": {
    "AttachedManagedPolicies": [
        {
            "PolicyName": "ExamplePolicy",
            "PolicyArn": "arn:aws-cn:iam::aws:policy/ExampleAccess"
        }
    ],
    "CreateDate": "2018-01-26T23:50:05.000Z",
    "GroupList": [],
    "Path": "/",
    "PermissionsBoundary" : {
        "PermissionsBoundaryArn" : "arn:aws:iam::aws:policy/AdministratorAccess",
        "PermissionsBoundaryType" : "PermissionsBoundaryPolicy"
    },
    "UserId": "AIDACKCEVSQ6C2EXAMPLE",
    "UserName": "ExampleUser",
    "UserPolicyList": [
        {
            "PolicyName": "InstancePolicy"
        }
    ]
}
```

# AwsKinesis resources in ASFF

The following are examples of the Amazon Security Finding Format (ASFF) syntax for `AwsKinesis` resources.

Amazon Security Hub CSPM normalizes findings from various sources into ASFF. For background information about ASFF, see [Amazon Security Finding Format (ASFF)](securityhub-findings-format.md).

## AwsKinesisStream


The `AwsKinesisStream` object provides details about Amazon Kinesis Data Streams.

The following example shows the Amazon Security Finding Format (ASFF) for the `AwsKinesisStream` object. To view descriptions of `AwsKinesisStream` attributes, see [AwsKinesisStreamDetails](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_AwsKinesisStreamDetails.html) in the *Amazon Security Hub API Reference*.

**Example**

```
"AwsKinesisStream": { 
	"Name": "test-vir-kinesis-stream",
	"Arn": "arn:aws-cn:kinesis:us-east-1:293279581038:stream/test-vir-kinesis-stream",
	"RetentionPeriodHours": 24,
	"ShardCount": 2,
	"StreamEncryption": {
		"EncryptionType": "KMS",
		"KeyId": "arn:aws-cn:kms:us-east-1:293279581038:key/849cf029-4143-4c59-91f8-ea76007247eb"
	}
}
```

# AwsKms resources in ASFF

The following are examples of the Amazon Security Finding Format (ASFF) syntax for `AwsKms` resources.

Amazon Security Hub CSPM normalizes findings from various sources into ASFF. For background information about ASFF, see [Amazon Security Finding Format (ASFF)](securityhub-findings-format.md).

## AwsKmsKey


The `AwsKmsKey` object provides details about an Amazon KMS key.

The following example shows the Amazon Security Finding Format (ASFF) for the `AwsKmsKey` object. To view descriptions of `AwsKmsKey` attributes, see [AwsKmsKeyDetails](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_AwsKmsKeyDetails.html) in the *Amazon Security Hub API Reference*.

**Example**

```
"AwsKmsKey": {
    "AWSAccountId": "string",
    "CreationDate": "string",
    "Description": "string",
    "KeyId": "string",
    "KeyManager": "string",
    "KeyRotationStatus": boolean,
    "KeyState": "string",
    "Origin": "string"
}
```

# AwsLambda resources in ASFF

The following are examples of the Amazon Security Finding Format (ASFF) syntax for `AwsLambda` resources.

Amazon Security Hub CSPM normalizes findings from various sources into ASFF. For background information about ASFF, see [Amazon Security Finding Format (ASFF)](securityhub-findings-format.md).

## AwsLambdaFunction


The `AwsLambdaFunction` object provides details about a Lambda function's configuration.

The following example shows the Amazon Security Finding Format (ASFF) for the `AwsLambdaFunction` object. To view descriptions of `AwsLambdaFunction` attributes, see [AwsLambdaFunctionDetails](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_AwsLambdaFunctionDetails.html) in the *Amazon Security Hub API Reference*.

**Example**

```
"AwsLambdaFunction": {
    "Architectures": [
        "x86_64"
    ],
    "Code": {
        "S3Bucket": "amzn-s3-demo-bucket",
        "S3Key": "samplekey",
        "S3ObjectVersion": "2",
        "ZipFile": "myzip.zip"
    },
    "CodeSha256": "1111111111111abcdef",
    "DeadLetterConfig": {
        "TargetArn": "arn:aws-cn:lambda:us-east-2:123456789012:queue:myqueue:2"
    },
    "Environment": {
        "Variables": {
            "Stage": "foobar"
        },
        "Error": {
            "ErrorCode": "Sample-error-code",
            "Message": "Caller principal is a manager."
        }
    },
    "FunctionName": "CheckOut",
    "Handler": "main.py:lambda_handler",
    "KmsKeyArn": "arn:aws-cn:kms:us-west-2:123456789012:key/mykey",
    "LastModified": "2001-09-11T09:00:00Z",
    "Layers": {
        "Arn": "arn:aws-cn:lambda:us-east-2:123456789012:layer:my-layer:3",
        "CodeSize": 169
    },
    "PackageType": "Zip",
    "RevisionId": "23",
    "Role": "arn:aws-cn:iam::123456789012:role/Accounting-Role",
    "Runtime": "go1.7",
    "Timeout": 15,
    "TracingConfig": {
        "Mode": "Active"
    },
    "Version": "$LATEST$",
    "VpcConfig": {
        "SecurityGroupIds": ["sg-085912345678492fb", "sg-08591234567bdgdc"],
        "SubnetIds": ["subnet-071f712345678e7c8", "subnet-07fd123456788a036"]
    },
    "MasterArn": "arn:aws-cn:lambda:us-east-2:123456789012:$LATEST",
    "MemorySize": 2048
}
```

## AwsLambdaLayerVersion


The `AwsLambdaLayerVersion` object provides details about a Lambda layer version.

The following example shows the Amazon Security Finding Format (ASFF) for the `AwsLambdaLayerVersion` object. To view descriptions of `AwsLambdaLayerVersion` attributes, see [AwsLambdaLayerVersionDetails](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_AwsLambdaLayerVersionDetails.html) in the *Amazon Security Hub API Reference*.

**Example**

```
"AwsLambdaLayerVersion": {
    "Version": 2,
    "CompatibleRuntimes": [
        "java8"
    ],
    "CreatedDate": "2019-10-09T22:02:00.274+0000"
}
```

# AwsMsk resources in ASFF

The following are examples of the Amazon Security Finding Format (ASFF) syntax for `AwsMsk` resources.

Amazon Security Hub CSPM normalizes findings from various sources into ASFF. For background information about ASFF, see [Amazon Security Finding Format (ASFF)](securityhub-findings-format.md).

## AwsMskCluster


The `AwsMskCluster` object provides information about an Amazon Managed Streaming for Apache Kafka (Amazon MSK) cluster.

The following example shows the Amazon Security Finding Format (ASFF) for the `AwsMskCluster` object. To view descriptions of `AwsMskCluster` attributes, see [AwsMskClusterDetails](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_AwsMskClusterDetails.html) in the *Amazon Security Hub API Reference*.

**Example**

```
"AwsMskCluster": {
    "ClusterInfo": {
        "ClientAuthentication": {
            "Sasl": {
                "Scram": {
                    "Enabled": true
                },
                "Iam": {
                    "Enabled": true
                }
            },
            "Tls": {
                "CertificateAuthorityArnList": [],
                "Enabled": false
            },
            "Unauthenticated": {
                "Enabled": false
            }
        },
        "ClusterName": "my-cluster",
        "CurrentVersion": "K2PWKAKR8XB7XF",
        "EncryptionInfo": {
            "EncryptionAtRest": {
                "DataVolumeKMSKeyId": "arn:aws-cn:kms:us-east-1:123456789012:key/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
            },
            "EncryptionInTransit": {
                "ClientBroker": "TLS",
                "InCluster": true
            }
        },
        "EnhancedMonitoring": "PER_TOPIC_PER_BROKER",
        "NumberOfBrokerNodes": 3
    }
}
```

# AwsNetworkFirewall resources in ASFF

The following are examples of the Amazon Security Finding Format (ASFF) syntax for `AwsNetworkFirewall` resources.

Amazon Security Hub CSPM normalizes findings from various sources into ASFF. For background information about ASFF, see [Amazon Security Finding Format (ASFF)](securityhub-findings-format.md).

## AwsNetworkFirewallFirewall


The `AwsNetworkFirewallFirewall` object contains details about an Amazon Network Firewall firewall.

The following example shows the Amazon Security Finding Format (ASFF) for the `AwsNetworkFirewallFirewall` object. To view descriptions of `AwsNetworkFirewallFirewall` attributes, see [AwsNetworkFirewallFirewallDetails](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_AwsNetworkFirewallFirewallDetails.html) in the *Amazon Security Hub API Reference*.

**Example**

```
"AwsNetworkFirewallFirewall": {
    "DeleteProtection": false,
    "FirewallArn": "arn:aws-cn:network-firewall:us-east-1:024665936331:firewall/testfirewall", 
    "FirewallPolicyArn": "arn:aws-cn:network-firewall:us-east-1:444455556666:firewall-policy/InitialFirewall",
    "FirewallId": "dea7d8e9-ae38-4a8a-b022-672a830a99fa",
    "FirewallName": "testfirewall",
    "FirewallPolicyChangeProtection": false,
    "SubnetChangeProtection": false,
    "SubnetMappings": [
        {
            "SubnetId": "subnet-0183481095e588cdc"
        },
        {
            "SubnetId": "subnet-01f518fad1b1c90b0"
        }
    ],
    "VpcId": "vpc-40e83c38"
}
```

## AwsNetworkFirewallFirewallPolicy


The `AwsNetworkFirewallFirewallPolicy` object provides details about a firewall policy. A firewall policy defines the behavior of a network firewall.

The following example shows the Amazon Security Finding Format (ASFF) for the `AwsNetworkFirewallFirewallPolicy` object. To view descriptions of `AwsNetworkFirewallFirewallPolicy` attributes, see [AwsNetworkFirewallFirewallPolicyDetails](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_AwsNetworkFirewallFirewallPolicyDetails.html) in the *Amazon Security Hub API Reference*.

**Example**

```
"AwsNetworkFirewallFirewallPolicy": {
    "FirewallPolicy": {
        "StatefulRuleGroupReferences": [
            {
                "ResourceArn": "arn:aws-cn:network-firewall:us-east-1:444455556666:stateful-rulegroup/PatchesOnly"
            }
        ],
        "StatelessDefaultActions": [ "aws:forward_to_sfe" ],
        "StatelessFragmentDefaultActions": [ "aws:forward_to_sfe" ],
        "StatelessRuleGroupReferences": [
            {
                "Priority": 1,
                "ResourceArn": "arn:aws-cn:network-firewall:us-east-1:444455556666:stateless-rulegroup/Stateless-1"
            }
        ]
    },
    "FirewallPolicyArn": "arn:aws-cn:network-firewall:us-east-1:444455556666:firewall-policy/InitialFirewall",
    "FirewallPolicyId": "9ceeda22-6050-4048-a0ca-50ce47f0cc65",
    "FirewallPolicyName": "InitialFirewall",
    "Description": "Initial firewall"
}
```

## AwsNetworkFirewallRuleGroup


The `AwsNetworkFirewallRuleGroup` object provides details about an Amazon Network Firewall rule group. Rule groups are used to inspect and control network traffic. Stateless rule groups apply to individual packets. Stateful rule groups apply to packets in the context of their traffic flow.

Rule groups are referenced in firewall policies.

The following examples show the Amazon Security Finding Format (ASFF) for the `AwsNetworkFirewallRuleGroup` object. To view descriptions of `AwsNetworkFirewallRuleGroup` attributes, see [AwsNetworkFirewallRuleGroupDetails](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_AwsNetworkFirewallRuleGroupDetails.html) in the *Amazon Security Hub API Reference*.

**Example – stateless rule group**

```
"AwsNetworkFirewallRuleGroup": {
    "Capacity": 600,
    "RuleGroupArn": "arn:aws-cn:network-firewall:us-east-1:444455556666:stateless-rulegroup/Stateless-1",
    "RuleGroupId": "fb13c4df-b6da-4c1e-91ec-84b7a5487493",
    "RuleGroupName": "Stateless-1",
    "Description": "Example of a stateless rule group",
    "Type": "STATELESS",
    "RuleGroup": {
        "RulesSource": {
            "StatelessRulesAndCustomActions": {
                "CustomActions": [],
                "StatelessRules": [
                    {
                        "Priority": 1,
                        "RuleDefinition": {
                            "Actions": [
                                "aws:pass"
                            ],
                            "MatchAttributes": {
                                "DestinationPorts": [
                                    {
                                        "FromPort": 443,
                                        "ToPort": 443
                                    }
                                ],
                                "Destinations": [
                                    {
                                        "AddressDefinition": "192.0.2.0/24"
                                    }
                                ],
                                "Protocols": [
                                    6
                                ],
                                "SourcePorts": [
                                    {
                                        "FromPort": 0,
                                        "ToPort": 65535
                                    }
                                ],
                                "Sources": [
                                    {
                                        "AddressDefinition": "198.51.100.0/24"
                                    }
                                ]
                            }
                        }
                    }
                ]
            }
        }
    }
}
```

**Example – stateful rule group**

```
"AwsNetworkFirewallRuleGroup": {
    "Capacity": 100,
    "RuleGroupArn": "arn:aws-cn:network-firewall:us-east-1:444455556666:stateful-rulegroup/tupletest",
    "RuleGroupId": "38b71c12-da80-4643-a6c5-03337f8933e0",
    "RuleGroupName": "ExampleRuleGroup",
    "Description": "Example of a stateful rule group",
    "Type": "STATEFUL",
    "RuleGroup": {
        "RulesSource": {
            "StatefulRules": [
                {
                    "Action": "PASS",
                    "Header": {
                        "Destination": "Any",
                        "DestinationPort": "443",
                        "Direction": "ANY",
                        "Protocol": "TCP",
                        "Source": "Any",
                        "SourcePort": "Any"
                    },
                    "RuleOptions": [
                        {
                            "Keyword": "sid:1"
                        }
                    ]
                }
            ]
        }
    }
}
```

The following is a list of valid value examples for `AwsNetworkFirewallRuleGroup` attributes:
+ `Action`

  Valid values: `PASS` | `DROP` | `ALERT`
+ `Protocol`

  Valid values: `IP` | `TCP` | `UDP` | `ICMP` | `HTTP` | `FTP` | `TLS` | `SMB` | `DNS` | `DCERPC` | `SSH` | `SMTP` | `IMAP` | `MSN` | `KRB5` | `IKEV2` | `TFTP` | `NTP` | `DHCP`
+ `Flags`

  Valid values: `FIN` | `SYN` | `RST` | `PSH` | `ACK` | `URG` | `ECE` | `CWR`
+ `Masks`

  Valid values: `FIN` | `SYN` | `RST` | `PSH` | `ACK` | `URG` | `ECE` | `CWR`
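To make the stateless rule group format concrete, the following is an added example (not from the page or from Network Firewall itself) that evaluates a packet 5-tuple against the `MatchAttributes` of each `StatelessRule` in priority order and returns the matching rule's standard action, falling back to the firewall policy's `StatelessDefaultActions`. Rule 1 is the page's stateless rule; rule 2 is constructed to exercise `TCPFlags` with the `Flags`/`Masks` values listed above (flags named in `Masks` must be set exactly when they are named in `Flags`; an empty `Masks` inspects all flags). The packet representation and `packet()` helper are this example's own.

```python
import ipaddress
from typing import Any

TCP, UDP = 6, 17
ALL_TCP_FLAGS = {"FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR"}

# Constructed rule group in the shape of the stateless AwsNetworkFirewallRuleGroup example.
SAMPLE_RULE_GROUP: dict[str, Any] = {
    "Type": "STATELESS",
    "RuleGroup": {"RulesSource": {"StatelessRulesAndCustomActions": {
        "CustomActions": [],
        "StatelessRules": [
            {"Priority": 1, "RuleDefinition": {          # the page's rule
                "Actions": ["aws:pass"],
                "MatchAttributes": {
                    "DestinationPorts": [{"FromPort": 443, "ToPort": 443}],
                    "Destinations": [{"AddressDefinition": "192.0.2.0/24"}],
                    "Protocols": [TCP],
                    "SourcePorts": [{"FromPort": 0, "ToPort": 65535}],
                    "Sources": [{"AddressDefinition": "198.51.100.0/24"}],
                }}},
            {"Priority": 2, "RuleDefinition": {          # constructed: drop new SSH connections
                "Actions": ["aws:drop"],
                "MatchAttributes": {
                    "DestinationPorts": [{"FromPort": 22, "ToPort": 22}],
                    "Protocols": [TCP],
                    "TCPFlags": [{"Flags": ["SYN"], "Masks": ["SYN", "ACK"]}],
                }}},
        ],
    }}},
}
# Default for packets no stateless rule matches, as in the firewall policy example.
STATELESS_DEFAULT_ACTIONS = ["aws:forward_to_sfe"]


def packet(src: str, sport: int, dst: str, dport: int, protocol: int = TCP, flags=()) -> dict:
    """Minimal packet model for this example: 5-tuple plus the set of TCP flags."""
    return {"src": src, "sport": sport, "dst": dst, "dport": dport,
            "protocol": protocol, "flags": set(flags)}


def _addr_match(addr: str, defs: list) -> bool:
    if not defs:                                      # absent criterion matches any address
        return True
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(d["AddressDefinition"], strict=False) for d in defs)


def _port_match(port: int, ranges: list) -> bool:
    if not ranges:                                    # absent criterion matches any port
        return True
    return any(r["FromPort"] <= port <= r["ToPort"] for r in ranges)


def _flags_match(pkt_flags: set, specs: list) -> bool:
    """A TCPFlags entry matches when every flag in Masks is set iff it appears in Flags."""
    if not specs:
        return True
    for spec in specs:
        masks = set(spec.get("Masks") or ALL_TCP_FLAGS)
        wanted = set(spec.get("Flags", []))
        if all((flag in pkt_flags) == (flag in wanted) for flag in masks):
            return True
    return False


def _matches(attrs: dict, pkt: dict) -> bool:
    return (
        (not attrs.get("Protocols") or pkt["protocol"] in attrs["Protocols"])
        and _addr_match(pkt["src"], attrs.get("Sources", []))
        and _addr_match(pkt["dst"], attrs.get("Destinations", []))
        and _port_match(pkt["sport"], attrs.get("SourcePorts", []))
        and _port_match(pkt["dport"], attrs.get("DestinationPorts", []))
        and _flags_match(pkt["flags"], attrs.get("TCPFlags", []))
    )


def stateless_action(rule_group: dict, pkt: dict, defaults=STATELESS_DEFAULT_ACTIONS) -> str:
    """Standard action of the first matching rule by Priority, else the policy default."""
    rules = rule_group["RuleGroup"]["RulesSource"]["StatelessRulesAndCustomActions"]["StatelessRules"]
    for rule in sorted(rules, key=lambda r: r["Priority"]):
        definition = rule["RuleDefinition"]
        if _matches(definition["MatchAttributes"], pkt):
            # Actions holds exactly one aws: standard action plus optional custom action names.
            return next(a for a in definition["Actions"] if a.startswith("aws:"))
    return defaults[0]


if __name__ == "__main__":
    print(stateless_action(SAMPLE_RULE_GROUP, packet("198.51.100.7", 51000, "192.0.2.10", 443)))
```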

# AwsOpenSearchService resources in ASFF

The following are examples of the Amazon Security Finding Format (ASFF) syntax for `AwsOpenSearchService` resources.

Amazon Security Hub CSPM normalizes findings from various sources into ASFF. For background information about ASFF, see [Amazon Security Finding Format (ASFF)](securityhub-findings-format.md).

## AwsOpenSearchServiceDomain


The `AwsOpenSearchServiceDomain` object contains information about an Amazon OpenSearch Service domain.

The following example shows the Amazon Security Finding Format (ASFF) for the `AwsOpenSearchServiceDomain` object. To view descriptions of `AwsOpenSearchServiceDomain` attributes, see [AwsOpenSearchServiceDomainDetails](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_AwsOpenSearchServiceDomainDetails.html) in the *Amazon Security Hub API Reference*.

**Example**

```
"AwsOpenSearchServiceDomain": {
    "AccessPolicies": "IAM_Id",
    "AdvancedSecurityOptions": {
        "Enabled": true,
        "InternalUserDatabaseEnabled": true,
        "MasterUserOptions": {
            "MasterUserArn": "arn:aws-cn:iam::123456789012:user/third-master-use",
            "MasterUserName": "third-master-use",
            "MasterUserPassword": "some-password"
        }
    },
    "Arn": "arn:aws-cn:Opensearch:us-east-1:111122223333:somedomain",
    "ClusterConfig": {
        "InstanceType": "c5.large.search",
        "InstanceCount": 1,
        "DedicatedMasterEnabled": true,
        "ZoneAwarenessEnabled": false,
        "ZoneAwarenessConfig": {
            "AvailabilityZoneCount": 2
        },
        "DedicatedMasterType": "c5.large.search",
        "DedicatedMasterCount": 3,
        "WarmEnabled": true,
        "WarmCount": 3,
        "WarmType": "ultrawarm1.large.search"
    },
    "DomainEndpoint": "https://es-2021-06-23t17-04-qowmgghud5vofgb5e4wmi.eu-central-1.es.amazonaws.com",
    "DomainEndpointOptions": {
        "EnforceHTTPS": false,
        "TLSSecurityPolicy": "Policy-Min-TLS-1-0-2019-07",
        "CustomEndpointCertificateArn": "arn:aws-cn:acm:us-east-1:111122223333:certificate/bda1bff1-79c0-49d0-abe6-50a15a7477d4",
        "CustomEndpointEnabled": true,
        "CustomEndpoint": "example.com"
    },
    "DomainEndpoints": {
        "vpc": "vpc-endpoint-h2dsd34efgyghrtguk5gt6j2foh4.us-east-1.es.amazonaws.com"
    },
    "DomainName": "my-domain",
    "EncryptionAtRestOptions": {
        "Enabled": false,
        "KmsKeyId": "1a2a3a4-1a2a-3a4a-5a6a-1a2a3a4a5a6a"
    },
    "EngineVersion": "7.1",
    "Id": "123456789012",
    "LogPublishingOptions": {
        "IndexSlowLogs": {
            "CloudWatchLogsLogGroupArn": "arn:aws-cn:logs:us-east-1:111122223333:log-group:/aws/aes/domains/es-index-slow-logs",
            "Enabled": true
        },
        "SearchSlowLogs": {
            "CloudWatchLogsLogGroupArn": "arn:aws-cn:logs:us-east-1:111122223333:log-group:/aws/aes/domains/es-slow-logs",
            "Enabled": true
        },
        "AuditLogs": {
            "CloudWatchLogsLogGroupArn": "arn:aws-cn:logs:us-east-1:111122223333:log-group:/aws/aes/domains/es-slow-logs",
            "Enabled": true
        }
    },
    "NodeToNodeEncryptionOptions": {
        "Enabled": true
    },
    "ServiceSoftwareOptions": {
        "AutomatedUpdateDate": "2022-04-28T14:08:37.000Z",
        "Cancellable": false,
        "CurrentVersion": "R20210331",
        "Description": "There is no software update available for this domain.",
        "NewVersion": "OpenSearch_1.0",
        "UpdateAvailable": false,
        "UpdateStatus": "COMPLETED",
        "OptionalDeployment": false
    },
    "VpcOptions": {
        "SecurityGroupIds": [
            "sg-2a3a4a5a"
        ],
        "SubnetIds": [
            "subnet-1a2a3a4a"
        ]
    }
}
```
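Several attributes in this object (HTTPS enforcement, minimum TLS policy, encryption at rest, node-to-node encryption, audit logging, fine-grained access control, VPC placement) are exactly the ones a posture check reads. As an added example (not from the page or from Security Hub's own controls), the following evaluates a domain object against such checks; the check names are labels for this example only, not Security Hub control IDs, and the sample domain is constructed from the example above, so it fails the HTTPS, TLS 1.2 and encryption-at-rest checks.

```python
from typing import Any, Callable

# Constructed input modelled on the AwsOpenSearchServiceDomain example above; it keeps
# only the attributes the checks read and does not describe a real domain.
SAMPLE_DOMAIN: dict[str, Any] = {
    "DomainName": "my-domain",
    "AdvancedSecurityOptions": {"Enabled": True, "InternalUserDatabaseEnabled": True},
    "DomainEndpointOptions": {
        "EnforceHTTPS": False,
        "TLSSecurityPolicy": "Policy-Min-TLS-1-0-2019-07",
    },
    "EncryptionAtRestOptions": {"Enabled": False, "KmsKeyId": "1a2a3a4-1a2a-3a4a-5a6a-1a2a3a4a5a6a"},
    "LogPublishingOptions": {"AuditLogs": {"Enabled": True}},
    "NodeToNodeEncryptionOptions": {"Enabled": True},
    "VpcOptions": {"SecurityGroupIds": ["sg-2a3a4a5a"], "SubnetIds": ["subnet-1a2a3a4a"]},
}


def _get(obj: Any, path: str, default: Any = None) -> Any:
    """Walk a dotted path such as "DomainEndpointOptions.EnforceHTTPS"; a missing key
    yields default, so an attribute the finding does not carry never counts as enabled."""
    for key in path.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return default
        obj = obj[key]
    return obj


# (check name, predicate that is True when the domain passes). Order is the report order.
CHECKS: list[tuple[str, Callable[[dict], bool]]] = [
    ("enforce_https",
     lambda d: _get(d, "DomainEndpointOptions.EnforceHTTPS") is True),
    ("tls_1_2_minimum",   # policy names start with the minimum TLS version they allow
     lambda d: str(_get(d, "DomainEndpointOptions.TLSSecurityPolicy", "")).startswith("Policy-Min-TLS-1-2")),
    ("encryption_at_rest",
     lambda d: _get(d, "EncryptionAtRestOptions.Enabled") is True),
    ("node_to_node_encryption",
     lambda d: _get(d, "NodeToNodeEncryptionOptions.Enabled") is True),
    ("audit_logs_enabled",
     lambda d: _get(d, "LogPublishingOptions.AuditLogs.Enabled") is True),
    ("fine_grained_access_control",
     lambda d: _get(d, "AdvancedSecurityOptions.Enabled") is True),
    ("in_vpc",            # a public domain has no VpcOptions.SubnetIds
     lambda d: bool(_get(d, "VpcOptions.SubnetIds"))),
]


def evaluate_domain(domain: dict) -> dict[str, str]:
    """Map every check name to "PASSED" or "FAILED" for one domain object."""
    return {name: "PASSED" if check(domain) else "FAILED" for name, check in CHECKS}


def failed_checks(domain: dict) -> list[str]:
    """Names of the checks the domain fails, in report order."""
    return [name for name, status in evaluate_domain(domain).items() if status == "FAILED"]


if __name__ == "__main__":
    for name, status in evaluate_domain(SAMPLE_DOMAIN).items():
        print(f"{name:30} {status}")
```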

# AwsRds resources in ASFF

The following are examples of the Amazon Security Finding Format (ASFF) syntax for `AwsRds` resources.

Amazon Security Hub CSPM normalizes findings from various sources into ASFF. For background information about ASFF, see [Amazon Security Finding Format (ASFF)](securityhub-findings-format.md).

## AwsRdsDbCluster


The `AwsRdsDbCluster` object provides details about an Amazon RDS database cluster.

The following example shows the Amazon Security Finding Format (ASFF) for the `AwsRdsDbCluster` object. To view descriptions of `AwsRdsDbCluster` attributes, see [AwsRdsDbClusterDetails](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_AwsRdsDbClusterDetails.html) in the *Amazon Security Hub API Reference*.

**Example**

```
"AwsRdsDbCluster": {
    "ActivityStreamStatus": "stopped",
    "AllocatedStorage": 1,
    "AssociatedRoles": [
        {
            "RoleArn": "arn:aws-cn:iam::777788889999:role/aws-service-role/rds.amazonaws.com/AWSServiceRoleForRDS",
            "Status": "PENDING"
        }
    ],
    "AutoMinorVersionUpgrade": true,
    "AvailabilityZones": [
        "us-east-1a",
        "us-east-1c",
        "us-east-1e"
    ],
    "BackupRetentionPeriod": 1,
    "ClusterCreateTime": "2020-06-22T17:40:12.322Z",
    "CopyTagsToSnapshot": true,
    "CrossAccountClone": false,
    "CustomEndpoints": [],
    "DatabaseName": "Sample name",
    "DbClusterIdentifier": "database-3",
    "DbClusterMembers": [
        {
            "DbClusterParameterGroupStatus": "in-sync",
            "DbInstanceIdentifier": "database-3-instance-1",
            "IsClusterWriter": true,
            "PromotionTier": 1
        }
    ],
    "DbClusterOptionGroupMemberships": [],
    "DbClusterParameterGroup": "cluster-parameter-group",
    "DbClusterResourceId": "cluster-example",
    "DbSubnetGroup": "subnet-group",
    "DeletionProtection": false,
    "DomainMemberships": [],
    "EnabledCloudwatchLogsExports": [
        "audit",
        "error",
        "general",
        "slowquery"
    ],
    "Endpoint": "database-3.cluster-example.us-east-1.rds.amazonaws.com",
    "Engine": "aurora-mysql",
    "EngineMode": "provisioned",
    "EngineVersion": "5.7.mysql_aurora.2.03.4",
    "HostedZoneId": "ZONE1",
    "HttpEndpointEnabled": false,
    "IamDatabaseAuthenticationEnabled": false,
    "KmsKeyId": "arn:aws:kms:us-east-1:777788889999:key/key1",
    "MasterUsername": "admin",
    "MultiAz": false,
    "Port": 3306,
    "PreferredBackupWindow": "04:52-05:22",
    "PreferredMaintenanceWindow": "sun:09:32-sun:10:02",
    "ReaderEndpoint": "database-3.cluster-ro-example.us-east-1.rds.amazonaws.com",
    "ReadReplicaIdentifiers": [],
    "Status": "Modifying",
    "StorageEncrypted": true,
    "VpcSecurityGroups": [
        {
            "Status": "active",
            "VpcSecurityGroupId": "sg-example-1"
        }
    ]
}
```

## AwsRdsDbClusterSnapshot


The `AwsRdsDbClusterSnapshot` object contains information about an Amazon RDS DB cluster snapshot.

The following example shows the Amazon Security Finding Format (ASFF) for the `AwsRdsDbClusterSnapshot` object. To view descriptions of `AwsRdsDbClusterSnapshot` attributes, see [AwsRdsDbClusterSnapshotDetails](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_AwsRdsDbClusterSnapshotDetails.html) in the *Amazon Security Hub API Reference*.

**Example**

```
"AwsRdsDbClusterSnapshot": {
    "AllocatedStorage": 0,
    "AvailabilityZones": [
        "us-east-1a",
        "us-east-1d",
        "us-east-1e"
    ],
    "ClusterCreateTime": "2020-06-12T13:23:15.577Z",
    "DbClusterIdentifier": "database-2",
    "DbClusterSnapshotAttributes": [{
        "AttributeName": "restore",
        "AttributeValues": ["123456789012"]
    }],
    "DbClusterSnapshotIdentifier": "rds:database-2-2020-06-23-03-52",
    "Engine": "aurora",
    "EngineVersion": "5.6.10a",
    "IamDatabaseAuthenticationEnabled": false,
    "KmsKeyId": "arn:aws:kms:us-east-1:777788889999:key/key1",
    "LicenseModel": "aurora",
    "MasterUsername": "admin",
    "PercentProgress": 100,
    "Port": 0,
    "SnapshotCreateTime": "2020-06-22T17:40:12.322Z",
    "SnapshotType": "automated",
    "Status": "available",
    "StorageEncrypted": true,
    "VpcId": "vpc-faf7e380"
}
```

## AwsRdsDbInstance


The `AwsRdsDbInstance` object provides details about an Amazon RDS DB instance.

The following example shows the Amazon Security Finding Format (ASFF) for the `AwsRdsDbInstance` object. To view descriptions of `AwsRdsDbInstance` attributes, see [AwsRdsDbInstanceDetails](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_AwsRdsDbInstanceDetails.html) in the *Amazon Security Hub API Reference*.

**Example**

```
"AwsRdsDbInstance": {
    "AllocatedStorage": 20,
    "AssociatedRoles": [],
    "AutoMinorVersionUpgrade": true,
    "AvailabilityZone": "us-east-1d",
    "BackupRetentionPeriod": 7,
    "CaCertificateIdentifier": "certificate1",
    "CharacterSetName": "",
    "CopyTagsToSnapshot": true,
    "DbClusterIdentifier": "",
    "DbInstanceArn": "arn:aws:rds:us-east-1:111122223333:db:database-1",
    "DbInstanceClass": "db.t2.micro",
    "DbInstanceIdentifier": "database-1",
    "DbInstancePort": 0,
    "DbInstanceStatus": "available",
    "DbiResourceId": "db-EXAMPLE123",
    "DbName": "",
    "DbParameterGroups": [
        {
            "DbParameterGroupName": "default.mysql5.7",
            "ParameterApplyStatus": "in-sync"
        }
    ],
    "DbSecurityGroups": [],
    "DbSubnetGroup": {
        "DbSubnetGroupName": "my-group-123abc",
        "DbSubnetGroupDescription": "My subnet group",
        "VpcId": "vpc-example1",
        "SubnetGroupStatus": "Complete",
        "Subnets": [
            {
                "SubnetIdentifier": "subnet-123abc",
                "SubnetAvailabilityZone": {
                    "Name": "us-east-1d"
                },
                "SubnetStatus": "Active"
            },
            {
                "SubnetIdentifier": "subnet-456def",
                "SubnetAvailabilityZone": {
                    "Name": "us-east-1c"
                },
                "SubnetStatus": "Active"
            }
        ],
        "DbSubnetGroupArn": ""
    },
    "DeletionProtection": false,
    "DomainMemberships": [],
    "EnabledCloudWatchLogsExports": [],
    "Endpoint": {
        "address": "database-1.example.us-east-1.rds.amazonaws.com",
        "port": 3306,
        "hostedZoneId": "ZONEID1"
    },
    "Engine": "mysql",
    "EngineVersion": "5.7.22",
    "EnhancedMonitoringResourceArn": "arn:aws:logs:us-east-1:111122223333:log-group:Example:log-stream:db-EXAMPLE1",
    "IamDatabaseAuthenticationEnabled": false,
    "InstanceCreateTime": "2020-06-22T17:40:12.322Z",
    "Iops": "",
    "KmsKeyId": "",
    "LatestRestorableTime": "2020-06-24T05:50:00.000Z",
    "LicenseModel": "general-public-license",
    "ListenerEndpoint": "",
    "MasterUsername": "admin",
    "MaxAllocatedStorage": 1000,
    "MonitoringInterval": 60,
    "MonitoringRoleArn": "arn:aws:iam::111122223333:role/rds-monitoring-role",
    "MultiAz": false,
    "OptionGroupMemberships": [
        {
            "OptionGroupName": "default:mysql-5-7",
            "Status": "in-sync"
        }
    ],
    "PreferredBackupWindow": "03:57-04:27",
    "PreferredMaintenanceWindow": "thu:10:13-thu:10:43",
    "PendingModifiedValues": {
        "DbInstanceClass": "",
        "AllocatedStorage": "",
        "MasterUserPassword": "",
        "Port": "",
        "BackupRetentionPeriod": "",
        "MultiAZ": "",
        "EngineVersion": "",
        "LicenseModel": "",
        "Iops": "",
        "DbInstanceIdentifier": "",
        "StorageType": "",
        "CaCertificateIdentifier": "",
        "DbSubnetGroupName": "",
        "PendingCloudWatchLogsExports": "",
        "ProcessorFeatures": []
    },
    "PerformanceInsightsEnabled": false,
    "PerformanceInsightsKmsKeyId": "",
    "PerformanceInsightsRetentionPeriod": "",
    "ProcessorFeatures": [],
    "PromotionTier": "",
    "PubliclyAccessible": false,
    "ReadReplicaDBClusterIdentifiers": [],
    "ReadReplicaDBInstanceIdentifiers": [],
    "ReadReplicaSourceDBInstanceIdentifier": "",
    "SecondaryAvailabilityZone": "",
    "StatusInfos": [],
    "StorageEncrypted": false,
    "StorageType": "gp2",
    "TdeCredentialArn": "",
    "Timezone": "",
    "VpcSecurityGroups": [
        {
            "VpcSecurityGroupId": "sg-example1",
            "Status": "active"
        }
    ]
}
```

## AwsRdsDbSecurityGroup


The `AwsRdsDbSecurityGroup` object contains information about an Amazon Relational Database Service

The following example shows the Amazon Security Finding Format (ASFF) for the `AwsRdsDbSecurityGroup` object. To view descriptions of `AwsRdsDbSecurityGroup` attributes, see [AwsRdsDbSecurityGroupDetails](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_AwsRdsDbSecurityGroupDetails.html) in the *Amazon Security Hub API Reference*.

**Example**

```
"AwsRdsDbSecurityGroup": {
    "DbSecurityGroupArn": "arn:aws:rds:us-west-1:111122223333:secgrp:default",
    "DbSecurityGroupDescription": "default",
    "DbSecurityGroupName": "mysecgroup",
    "Ec2SecurityGroups": [
        {
          "Ec2SecurityGroupId": "myec2group",
          "Ec2SecurityGroupName": "default",
          "Ec2SecurityGroupOwnerId": "987654321021",
          "Status": "authorizing"
        }
    ],
    "IpRanges": [
        {
          "Cidrip": "0.0.0.0/0",
          "Status": "authorizing"
        }
    ],
    "OwnerId": "123456789012",
    "VpcId": "vpc-1234567f"
}
```

## AwsRdsDbSnapshot


The `AwsRdsDbSnapshot` object contains details about an Amazon RDS DB snapshot (a snapshot of a DB instance, as distinct from the cluster snapshot described by `AwsRdsDbClusterSnapshot`).

The following example shows the Amazon Security Finding Format (ASFF) for the `AwsRdsDbSnapshot` object. To view descriptions of `AwsRdsDbSnapshot` attributes, see [AwsRdsDbSnapshotDetails](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_AwsRdsDbSnapshotDetails.html) in the *Amazon Security Hub API Reference*.

**Example**

```
"AwsRdsDbSnapshot": {
    "DbSnapshotIdentifier": "rds:database-1-2020-06-22-17-41",
    "DbInstanceIdentifier": "database-1",
    "SnapshotCreateTime": "2020-06-22T17:41:29.967Z",
    "Engine": "mysql",
    "AllocatedStorage": 20,
    "Status": "available",
    "Port": 3306,
    "AvailabilityZone": "us-east-1d",
    "VpcId": "vpc-example1",
    "InstanceCreateTime": "2020-06-22T17:40:12.322Z",
    "MasterUsername": "admin",
    "EngineVersion": "5.7.22",
    "LicenseModel": "general-public-license",
    "SnapshotType": "automated",
    "Iops": null,
    "OptionGroupName": "default:mysql-5-7",
    "PercentProgress": 100,
    "SourceRegion": null,
    "SourceDbSnapshotIdentifier": "",
    "StorageType": "gp2",
    "TdeCredentialArn": "",
    "Encrypted": false,
    "KmsKeyId": "",
    "Timezone": "",
    "IamDatabaseAuthenticationEnabled": false,
    "ProcessorFeatures": [],
    "DbiResourceId": "db-resourceexample1"
}
```

## AwsRdsEventSubscription


The `AwsRdsEventSubscription` object contains details about an RDS event notification subscription. The subscription allows RDS to post events to an SNS topic.

The following example shows the Amazon Security Finding Format (ASFF) for the `AwsRdsEventSubscription` object. To view descriptions of `AwsRdsEventSubscription` attributes, see [AwsRdsEventSubscriptionDetails](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_AwsRdsEventSubscriptionDetails.html) in the *Amazon Security Hub API Reference*.

**Example**

```
"AwsRdsEventSubscription": {
    "CustSubscriptionId": "myawsuser-secgrp",
    "CustomerAwsId": "111111111111",
    "Enabled": true,
    "EventCategoriesList": [
        "configuration change",
        "failure"
    ],
    "EventSubscriptionArn": "arn:aws:rds:us-east-1:111111111111:es:my-instance-events",
    "SnsTopicArn": "arn:aws:sns:us-east-1:111111111111:myawsuser-RDS",
    "SourceIdsList": [
        "si-sample",
        "mysqldb-rr"
    ],
    "SourceType": "db-security-group",
    "Status": "creating",
    "SubscriptionCreationTime": "2021-06-27T01:38:01.090Z"
}
```

# AwsRedshift resources in ASFF
AwsRedshift

The following are examples of the Amazon Security Finding Format (ASFF) syntax for `AwsRedshift` resources.

Amazon Security Hub CSPM normalizes findings from various sources into ASFF. For background information about ASFF, see [Amazon Security Finding Format (ASFF)](securityhub-findings-format.md).

## AwsRedshiftCluster


The `AwsRedshiftCluster` object contains details about an Amazon Redshift cluster.

The following example shows the Amazon Security Finding Format (ASFF) for the `AwsRedshiftCluster` object. To view descriptions of `AwsRedshiftCluster` attributes, see [AwsRedshiftClusterDetails](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_AwsRedshiftClusterDetails.html) in the *Amazon Security Hub API Reference*.

**Example**

```
"AwsRedshiftCluster": {
    "AllowVersionUpgrade": true,
    "AutomatedSnapshotRetentionPeriod": 1,
    "AvailabilityZone": "us-west-2d",
    "ClusterAvailabilityStatus": "Unavailable",
    "ClusterCreateTime": "2020-08-03T19:22:44.637Z",
    "ClusterIdentifier": "redshift-cluster-1",
    "ClusterNodes": [
        {
            "NodeRole": "LEADER",
            "PrivateIPAddress": "192.0.2.108",
            "PublicIPAddress": "198.51.100.29"
        },
        {
            "NodeRole": "COMPUTE-0",
            "PrivateIPAddress": "192.0.2.22",
            "PublicIPAddress": "198.51.100.63"
        },
        {
             "NodeRole": "COMPUTE-1",
             "PrivateIPAddress": "192.0.2.224",
             "PublicIPAddress": "198.51.100.226"
        }
    ],
    "ClusterParameterGroups": [
        {
            "ClusterParameterStatusList": [
                {
                    "ParameterName": "max_concurrency_scaling_clusters",
                    "ParameterApplyStatus": "in-sync",
                    "ParameterApplyErrorDescription": "parameterApplyErrorDescription"
                },
                {
                    "ParameterName": "enable_user_activity_logging",
                    "ParameterApplyStatus": "in-sync",
                    "ParameterApplyErrorDescription": "parameterApplyErrorDescription"
                },
                {
                    "ParameterName": "auto_analyze",
                    "ParameterApplyStatus": "in-sync",
                    "ParameterApplyErrorDescription": "parameterApplyErrorDescription"
                },
                {
                    "ParameterName": "query_group",
                    "ParameterApplyStatus": "in-sync",
                    "ParameterApplyErrorDescription": "parameterApplyErrorDescription"
                },
                {
                    "ParameterName": "datestyle",
                    "ParameterApplyStatus": "in-sync",
                    "ParameterApplyErrorDescription": "parameterApplyErrorDescription"
                },
                {
                    "ParameterName": "extra_float_digits",
                    "ParameterApplyStatus": "in-sync",
                    "ParameterApplyErrorDescription": "parameterApplyErrorDescription"
                },
                {
                    "ParameterName": "search_path",
                    "ParameterApplyStatus": "in-sync",
                    "ParameterApplyErrorDescription": "parameterApplyErrorDescription"
                },
                {
                    "ParameterName": "statement_timeout",
                    "ParameterApplyStatus": "in-sync",
                    "ParameterApplyErrorDescription": "parameterApplyErrorDescription"
                },
                {
                    "ParameterName": "wlm_json_configuration",
                    "ParameterApplyStatus": "in-sync",
                    "ParameterApplyErrorDescription": "parameterApplyErrorDescription"
                },
                {
                    "ParameterName": "require_ssl",
                    "ParameterApplyStatus": "in-sync",
                    "ParameterApplyErrorDescription": "parameterApplyErrorDescription"
                },
                {
                    "ParameterName": "use_fips_ssl",
                    "ParameterApplyStatus": "in-sync",
                    "ParameterApplyErrorDescription": "parameterApplyErrorDescription"
                }
            ],
            "ParameterApplyStatus": "in-sync",
            "ParameterGroupName": "temp"
        }
    ],
    "ClusterPublicKey": "JalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY Amazon-Redshift",
    "ClusterRevisionNumber": 17498,
    "ClusterSecurityGroups": [
        {
            "ClusterSecurityGroupName": "default",
            "Status": "active"
        }
    ],
    "ClusterSnapshotCopyStatus": {
        "DestinationRegion": "us-west-2",
        "ManualSnapshotRetentionPeriod": -1,
        "RetentionPeriod": 1,
        "SnapshotCopyGrantName": "snapshotCopyGrantName"
    },
    "ClusterStatus": "available",
    "ClusterSubnetGroupName": "default",
    "ClusterVersion": "1.0",
    "DBName": "dev",
    "DeferredMaintenanceWindows": [
        {
            "DeferMaintenanceEndTime": "2020-10-07T20:34:01.000Z",
            "DeferMaintenanceIdentifier": "deferMaintenanceIdentifier",
            "DeferMaintenanceStartTime": "2020-09-07T20:34:01.000Z"
        }
    ],
    "ElasticIpStatus": {
        "ElasticIp": "203.0.113.29",
        "Status": "active"
    },
    "ElasticResizeNumberOfNodeOptions": "4",
    "Encrypted": false,
    "Endpoint": {
        "Address": "redshift-cluster-1.example.us-west-2.redshift.amazonaws.com",
        "Port": 5439
    },
    "EnhancedVpcRouting": false,
    "ExpectedNextSnapshotScheduleTime": "2020-10-13T20:34:01.000Z",
    "ExpectedNextSnapshotScheduleTimeStatus": "OnTrack",
    "HsmStatus": {
        "HsmClientCertificateIdentifier": "hsmClientCertificateIdentifier",
        "HsmConfigurationIdentifier": "hsmConfigurationIdentifier",
        "Status": "applying"
    },
    "IamRoles": [
        {
             "ApplyStatus": "in-sync",
             "IamRoleArn": "arn:aws-cn:iam::111122223333:role/RedshiftCopyUnload"
        }
    ],
    "KmsKeyId": "kmsKeyId",
    "LoggingStatus": {
        "BucketName": "amzn-s3-demo-bucket",
        "LastFailureMessage": "test message",
        "LastFailureTime": "2020-08-09T13:00:00.000Z",
        "LastSuccessfulDeliveryTime": "2020-08-08T13:00:00.000Z",
        "LoggingEnabled": true,
        "S3KeyPrefix": "/"
    },
    "MaintenanceTrackName": "current",
    "ManualSnapshotRetentionPeriod": -1,
    "MasterUsername": "awsuser",
    "NextMaintenanceWindowStartTime": "2020-08-09T13:00:00.000Z",
    "NodeType": "dc2.large",
    "NumberOfNodes": 2,
    "PendingActions": [],
    "PendingModifiedValues": {
        "AutomatedSnapshotRetentionPeriod": 0,
        "ClusterIdentifier": "clusterIdentifier",
        "ClusterType": "clusterType",
        "ClusterVersion": "clusterVersion",
        "EncryptionType": "None",
        "EnhancedVpcRouting": false,
        "MaintenanceTrackName": "maintenanceTrackName",
        "MasterUserPassword": "masterUserPassword",
        "NodeType": "dc2.large",
        "NumberOfNodes": 1,
        "PubliclyAccessible": true
    },
    "PreferredMaintenanceWindow": "sun:13:00-sun:13:30",
    "PubliclyAccessible": true,
    "ResizeInfo": {
        "AllowCancelResize": true,
        "ResizeType": "ClassicResize"
    },
    "RestoreStatus": {
        "CurrentRestoreRateInMegaBytesPerSecond": 15,
        "ElapsedTimeInSeconds": 120,
        "EstimatedTimeToCompletionInSeconds": 100,
        "ProgressInMegaBytes": 10,
        "SnapshotSizeInMegaBytes": 1500,
        "Status": "restoring"
    },
    "SnapshotScheduleIdentifier": "snapshotScheduleIdentifier",
    "SnapshotScheduleState": "ACTIVE",
    "VpcId": "vpc-example",
    "VpcSecurityGroups": [
        {
            "Status": "active",
            "VpcSecurityGroupId": "sg-example"
        }
    ]
}
```

# AwsRoute53 resources in ASFF
AwsRoute53

The following are examples of the Amazon Security Finding Format (ASFF) syntax for `AwsRoute53` resources.

Amazon Security Hub CSPM normalizes findings from various sources into ASFF. For background information about ASFF, see [Amazon Security Finding Format (ASFF)](securityhub-findings-format.md).

## AwsRoute53HostedZone


The `AwsRoute53HostedZone` object provides information about an Amazon Route 53 hosted zone, including the four name servers assigned to the hosted zone. A hosted zone represents a collection of records that can be managed together, belonging to a single parent domain name.

The following example shows the Amazon Security Finding Format (ASFF) for the `AwsRoute53HostedZone` object. To view descriptions of `AwsRoute53HostedZone` attributes, see [AwsRoute53HostedZoneDetails](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_AwsRoute53HostedZoneDetails.html) in the *Amazon Security Hub API Reference*.

**Example**

```
"AwsRoute53HostedZone": {
    "HostedZone": {
        "Id": "Z06419652JEMGO9TA2XKL",
        "Name": "asff.testing",
        "Config": {
            "Comment": "This is an example comment."
        }
    },
    "NameServers": [
        "ns-470.awsdns-32.net",
        "ns-1220.awsdns-12.org",
        "ns-205.awsdns-13.com",
        "ns-1960.awsdns-51.co.uk"
    ],
    "QueryLoggingConfig": {
        "CloudWatchLogsLogGroupArn": {
            "CloudWatchLogsLogGroupArn": "arn:aws-cn:logs:us-east-1:123456789012:log-group:asfftesting:*",
            "Id": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
            "HostedZoneId": "Z00932193AF5H180PPNZD"
        }
    },
    "Vpcs": [
        {
            "Id": "vpc-05d7c6e36bc03ea76",
            "Region": "us-east-1"
        }
    ]
}
```

# AwsS3 resources in ASFF
AwsS3

The following are examples of the Amazon Security Finding Format (ASFF) syntax for `AwsS3` resources.

Amazon Security Hub CSPM normalizes findings from various sources into ASFF. For background information about ASFF, see [Amazon Security Finding Format (ASFF)](securityhub-findings-format.md).

## AwsS3AccessPoint


`AwsS3AccessPoint` provides information about an Amazon S3 access point. S3 access points are named network endpoints attached to S3 buckets, which you can use to perform S3 object operations.

The following example shows the Amazon Security Finding Format (ASFF) for the `AwsS3AccessPoint` object. To view descriptions of `AwsS3AccessPoint` attributes, see [AwsS3AccessPointDetails](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_AwsS3AccessPointDetails.html) in the *Amazon Security Hub API Reference*.

**Example**

```
"AwsS3AccessPoint": {
    "AccessPointArn": "arn:aws-cn:s3:us-east-1:123456789012:accesspoint/asff-access-point",
    "Alias": "asff-access-point-hrzrlukc5m36ft7okagglf3gmwluquse1b-s3alias",
    "Bucket": "amzn-s3-demo-bucket",
    "BucketAccountId": "123456789012",
    "Name": "asff-access-point",
    "NetworkOrigin": "VPC",
    "PublicAccessBlockConfiguration": {
        "BlockPublicAcls": true,
        "BlockPublicPolicy": true,
        "IgnorePublicAcls": true,
        "RestrictPublicBuckets": true
    },
    "VpcConfiguration": {
        "VpcId": "vpc-1a2b3c4d5e6f1a2b3"
    }
}
```

## AwsS3AccountPublicAccessBlock


`AwsS3AccountPublicAccessBlock` provides information about the Amazon S3 Public Access Block configuration for accounts.

The following example shows the Amazon Security Finding Format (ASFF) for the `AwsS3AccountPublicAccessBlock` object. To view descriptions of `AwsS3AccountPublicAccessBlock` attributes, see [AwsS3AccountPublicAccessBlockDetails](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_AwsS3AccountPublicAccessBlockDetails.html) in the *Amazon Security Hub API Reference*.

**Example**

```
"AwsS3AccountPublicAccessBlock": {
    "BlockPublicAcls": true,
    "BlockPublicPolicy": true,
    "IgnorePublicAcls": false,
    "RestrictPublicBuckets": true
}
```

## AwsS3Bucket


The `AwsS3Bucket` object provides details about an Amazon S3 bucket.

The following example shows the Amazon Security Finding Format (ASFF) for the `AwsS3Bucket` object. To view descriptions of `AwsS3Bucket` attributes, see [AwsS3BucketDetails](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_AwsS3BucketDetails.html) in the *Amazon Security Hub API Reference*.

**Example**

```
"AwsS3Bucket": {
    "AccessControlList": "{\"grantSet\":null,\"grantList\":[{\"grantee\":{\"id\":\"4df55416215956920d9d056aa8b99803a294ea221222bb668b55a8c6bca81094\",\"displayName\":null},\"permission\":\"FullControl\"},{\"grantee\":\"AllUsers\",\"permission\":\"ReadAcp\"},{\"grantee\":\"AuthenticatedUsers\",\"permission\":\"ReadAcp\"}]}",
    "BucketLifecycleConfiguration": {
       "Rules": [
           {
               "AbortIncompleteMultipartUpload": {
                   "DaysAfterInitiation": 5
               },
               "ExpirationDate": "2021-11-10T00:00:00.000Z",
               "ExpirationInDays": 365,
               "ExpiredObjectDeleteMarker": false,
               "Filter": {
                   "Predicate": {
                       "Operands": [
                           {
                               "Prefix": "tmp/",
                               "Type": "LifecyclePrefixPredicate"
                           },
                           {
                               "Tag": {
                                   "Key": "ArchiveAge",
                                   "Value": "9m"
                               },
                               "Type": "LifecycleTagPredicate"
                           }
                       ],
                       "Type": "LifecycleAndOperator"
                   }
               },
               "ID": "Move rotated logs to Glacier",
               "NoncurrentVersionExpirationInDays": -1,
               "NoncurrentVersionTransitions": [
                   {
                       "Days": 2,
                       "StorageClass": "GLACIER"
                   }
               ],
               "Prefix": "rotated/",
               "Status": "Enabled",
               "Transitions": [
                   {
                       "Date": "2020-11-10T00:00:00.000Z",
                       "Days": 100,
                       "StorageClass": "GLACIER"
                   }
               ]
           }
       ]
    },
    "BucketLoggingConfiguration": {
        "DestinationBucketName": "s3serversideloggingbucket-123456789012",
        "LogFilePrefix": "buckettestreadwrite23435/"
    },
    "BucketName": "amzn-s3-demo-bucket",
    "BucketNotificationConfiguration": {
        "Configurations": [{
            "Destination": "arn:aws-cn:lambda:us-east-1:123456789012:function:s3_public_write",
            "Events": [
                "s3:ObjectCreated:Put"
            ],
            "Filter": {
                "S3KeyFilter": {
                    "FilterRules": [
                        {
                            "Name": "AffS3BucketNotificationConfigurationS3KeyFilterRuleName.PREFIX",
                            "Value": "pre"
                        },
                        {
                            "Name": "AffS3BucketNotificationConfigurationS3KeyFilterRuleName.SUFFIX",
                            "Value": "suf"
                        }
                    ]
                }
            },
            "Type": "LambdaConfiguration"
        }]
    },
    "BucketVersioningConfiguration": {
        "IsMfaDeleteEnabled": true,
        "Status": "Off"
    },
    "BucketWebsiteConfiguration": {
        "ErrorDocument": "error.html",
        "IndexDocumentSuffix": "index.html",
        "RedirectAllRequestsTo": {
            "HostName": "example.com",
            "Protocol": "http"
        },
        "RoutingRules": [{
            "Condition": {
                "HttpErrorCodeReturnedEquals": "Redirected",
                "KeyPrefixEquals": "index"
            },
            "Redirect": {
                "HostName": "example.com",
                "HttpRedirectCode": "401",
                "Protocol": "HTTP",
                "ReplaceKeyPrefixWith": "string",
                "ReplaceKeyWith": "string"
            }
        }]
    },
    "CreatedAt": "2007-11-30T01:46:56.000Z",
    "ObjectLockConfiguration": {
        "ObjectLockEnabled": "Enabled",
        "Rule": {
            "DefaultRetention": {
                "Days": null,
                "Mode": "GOVERNANCE",
                "Years": 12
            }
        }
    },
    "OwnerId": "AIDACKCEVSQ6C2EXAMPLE",
    "OwnerName": "s3bucketowner",
    "PublicAccessBlockConfiguration": {
        "BlockPublicAcls": true,
        "BlockPublicPolicy": true,
        "IgnorePublicAcls": true,
        "RestrictPublicBuckets": true
    },
    "ServerSideEncryptionConfiguration": {
        "Rules": [
            {
                "ApplyServerSideEncryptionByDefault": {
                    "SSEAlgorithm": "AES256",
                    "KMSMasterKeyID": "12345678-abcd-abcd-abcd-123456789012"
                }
            }
        ]
    }
}
```
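The detail objects above are what a finding consumer actually inspects. As an added example (not Security Hub's own code) covering the `AwsRds*`, `AwsRedshiftCluster` and `AwsS3Bucket` sections on this page, the following Python walks a finding's `Resources[].Details` and applies defensive posture checks to those objects; the sample finding, the check thresholds and the issue strings are constructed for the example.

```python
# Added example (not Security Hub's own code): posture checks over the ASFF
# detail objects shown on this page, driven by a constructed sample finding.
import json


def check_rds_db_instance(d: dict) -> list:
    """Flags exposure, encryption, auth and logging gaps in AwsRdsDbInstance."""
    issues = []
    if d.get("PubliclyAccessible") is True:
        issues.append("RDS instance is publicly accessible")
    if d.get("StorageEncrypted") is False:
        issues.append("RDS storage is not encrypted at rest")
    if d.get("IamDatabaseAuthenticationEnabled") is False:
        issues.append("IAM database authentication is disabled")
    if not d.get("EnabledCloudWatchLogsExports"):
        issues.append("no log exports to CloudWatch Logs")
    return issues


def check_rds_db_security_group(d: dict) -> list:
    """Flags IP ranges open to the world in an AwsRdsDbSecurityGroup object."""
    issues = []
    for rng in d.get("IpRanges", []):
        # The example on this page spells the key "Cidrip"; accept both spellings.
        cidr = rng.get("Cidrip") or rng.get("CidrIp")
        if cidr in ("0.0.0.0/0", "::/0"):
            issues.append(f"DB security group allows all sources ({cidr})")
    return issues


def check_redshift_cluster(d: dict) -> list:
    """Flags exposure, encryption and audit-logging gaps in AwsRedshiftCluster."""
    issues = []
    if d.get("PubliclyAccessible") is True:
        issues.append("Redshift cluster is publicly accessible")
    if d.get("Encrypted") is False:
        issues.append("Redshift cluster storage is not encrypted")
    if not d.get("LoggingStatus", {}).get("LoggingEnabled"):
        issues.append("Redshift audit logging to S3 is disabled")
    return issues


def check_s3_bucket(d: dict) -> list:
    """Flags public ACL grants and missing hardening on an AwsS3Bucket object."""
    issues = []
    pab = d.get("PublicAccessBlockConfiguration", {})
    for flag in ("BlockPublicAcls", "BlockPublicPolicy", "IgnorePublicAcls", "RestrictPublicBuckets"):
        if pab.get(flag) is not True:
            issues.append(f"public access block setting {flag} is not enabled")
    if not d.get("ServerSideEncryptionConfiguration", {}).get("Rules"):
        issues.append("no default server-side encryption rule")
    if d.get("BucketVersioningConfiguration", {}).get("Status") != "Enabled":
        issues.append("bucket versioning is not enabled")
    acl = d.get("AccessControlList")
    if acl:
        # ASFF carries the bucket ACL as a JSON document encoded in a string.
        for grant in json.loads(acl).get("grantList") or []:
            grantee = grant.get("grantee")  # a dict for canonical-user grantees
            if grantee in ("AllUsers", "AuthenticatedUsers"):
                issues.append(f"ACL grants {grant.get('permission')} to {grantee}")
    return issues


CHECKS = {
    "AwsRdsDbInstance": check_rds_db_instance,
    "AwsRdsDbSecurityGroup": check_rds_db_security_group,
    "AwsRedshiftCluster": check_redshift_cluster,
    "AwsS3Bucket": check_s3_bucket,
}


def evaluate_finding(finding: dict) -> dict:
    """Map each checked resource Id in an ASFF finding to its list of issues."""
    results = {}
    for res in finding.get("Resources", []):
        rtype = res.get("Type")
        # ASFF nests the detail object under a Details key named after the type.
        details = (res.get("Details") or {}).get(rtype)
        if rtype in CHECKS and details is not None:
            results[res["Id"]] = CHECKS[rtype](details)
    return results


# Constructed sample finding; the values mirror the examples on this page.
SAMPLE_FINDING = {"Resources": [
    {"Type": "AwsRdsDbInstance",
     "Id": "arn:aws:rds:us-east-1:111122223333:db:database-1",
     "Details": {"AwsRdsDbInstance": {
         "PubliclyAccessible": False, "StorageEncrypted": False,
         "IamDatabaseAuthenticationEnabled": False, "EnabledCloudWatchLogsExports": []}}},
    {"Type": "AwsRdsDbSecurityGroup",
     "Id": "arn:aws:rds:us-west-1:111122223333:secgrp:default",
     "Details": {"AwsRdsDbSecurityGroup": {
         "IpRanges": [{"Cidrip": "0.0.0.0/0", "Status": "authorizing"}]}}},
    {"Type": "AwsS3Bucket",
     "Id": "arn:aws:s3:::amzn-s3-demo-bucket",
     "Details": {"AwsS3Bucket": {
         "AccessControlList": '{"grantList":[{"grantee":"AllUsers","permission":"ReadAcp"}]}',
         "BucketVersioningConfiguration": {"Status": "Off"},
         "PublicAccessBlockConfiguration": {
             "BlockPublicAcls": True, "BlockPublicPolicy": True,
             "IgnorePublicAcls": True, "RestrictPublicBuckets": True},
         "ServerSideEncryptionConfiguration": {
             "Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}}}},
]}
```

Running `evaluate_finding(SAMPLE_FINDING)` flags the unencrypted, unlogged RDS instance, the 0.0.0.0/0 DB security group rule, and the bucket's public ACL grant and disabled versioning, while the fully configured public access block passes.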

## AwsS3Object


The `AwsS3Object` object provides information about an Amazon S3 object.

The following example shows the Amazon Security Finding Format (ASFF) for the `AwsS3Object` object. To view descriptions of `AwsS3Object` attributes, see [AwsS3ObjectDetails](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_AwsS3ObjectDetails.html) in the *Amazon Security Hub API Reference*.

**Example**

```
"AwsS3Object": {
    "ContentType": "text/html",
    "ETag": "\"30a6ec7e1a9ad79c203d05a589c8b400\"",
    "LastModified": "2012-04-23T18:25:43.511Z",
    "ServerSideEncryption": "aws:kms",
    "SSEKMSKeyId": "arn:aws-cn:kms:us-west-2:123456789012:key/4dff8393-e225-4793-a9a0-608ec069e5a7",
    "VersionId": "ws31OurgOOjH_HHllIxPE35P.MELYaYh"
}
```

# AwsSageMaker resources in ASFF
AwsSageMaker

The following are examples of the Amazon Security Finding Format (ASFF) syntax for `AwsSageMaker` resources.

Amazon Security Hub CSPM normalizes findings from various sources into ASFF. For background information about ASFF, see [Amazon Security Finding Format (ASFF)](securityhub-findings-format.md).

## AwsSageMakerNotebookInstance


The `AwsSageMakerNotebookInstance` object provides information about an Amazon SageMaker AI notebook instance, which is a machine learning compute instance running the Jupyter Notebook App.

The following example shows the Amazon Security Finding Format (ASFF) for the `AwsSageMakerNotebookInstance` object. To view descriptions of `AwsSageMakerNotebookInstance` attributes, see [AwsSageMakerNotebookInstanceDetails](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_AwsSageMakerNotebookInstanceDetails.html) in the *Amazon Security Hub API Reference*.

**Example**

```
"AwsSageMakerNotebookInstance": {
    "DirectInternetAccess": "Disabled",
    "InstanceMetadataServiceConfiguration": {
        "MinimumInstanceMetadataServiceVersion": "1"
    },
    "InstanceType": "ml.t2.medium",
    "LastModifiedTime": "2022-09-09 22:48:32.012000+00:00",
    "NetworkInterfaceId": "eni-06c09ac2541a1bed3",
    "NotebookInstanceArn": "arn:aws-cn:sagemaker:us-east-1:001098605940:notebook-instance/sagemakernotebookinstancerootaccessdisabledcomplia-8myjcyofzixm",
    "NotebookInstanceName": "SagemakerNotebookInstanceRootAccessDisabledComplia-8MYjcyofZiXm",
    "NotebookInstanceStatus": "InService",
    "PlatformIdentifier": "notebook-al1-v1",
    "RoleArn": "arn:aws-cn:iam::001098605940:role/sechub-SageMaker-1-scenar-SageMakerCustomExecution-1R0X32HGC38IW",
    "RootAccess": "Disabled",
    "SecurityGroups": [
        "sg-06b347359ab068745"
    ],
    "SubnetId": "subnet-02c0deea5fa64578e",
    "Url": "sagemakernotebookinstancerootaccessdisabledcomplia-8myjcyofzixm.notebook.us-east-1.sagemaker.aws",
    "VolumeSizeInGB": 5
}
```

# AwsSecretsManager resources in ASFF
AwsSecretsManager

The following are examples of the Amazon Security Finding Format (ASFF) syntax for `AwsSecretsManager` resources.

Amazon Security Hub CSPM normalizes findings from various sources into ASFF. For background information about ASFF, see [Amazon Security Finding Format (ASFF)](securityhub-findings-format.md).

## AwsSecretsManagerSecret


The `AwsSecretsManagerSecret` object provides details about a Secrets Manager secret.

The following example shows the Amazon Security Finding Format (ASFF) for the `AwsSecretsManagerSecret` object. To view descriptions of `AwsSecretsManagerSecret` attributes, see [AwsSecretsManagerSecretDetails](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_AwsSecretsManagerSecretDetails.html) in the *Amazon Security Hub API Reference*.

**Example**

```
"AwsSecretsManagerSecret": {
    "RotationRules": {
        "AutomaticallyAfterDays": 30
    },
    "RotationOccurredWithinFrequency": true,
    "KmsKeyId": "kmsKeyId",
    "RotationEnabled": true,
    "RotationLambdaArn": "arn:aws-cn:lambda:us-west-2:777788889999:function:MyTestRotationLambda",
    "Deleted": false,
    "Name": "MyTestDatabaseSecret",
    "Description": "My test database secret"
}
```

# AwsSns resources in ASFF
AwsSns

The following are examples of the Amazon Security Finding Format (ASFF) syntax for `AwsSns` resources.

Amazon Security Hub CSPM normalizes findings from various sources into ASFF. For background information about ASFF, see [Amazon Security Finding Format (ASFF)](securityhub-findings-format.md).

## AwsSnsTopic


The `AwsSnsTopic` object contains details about an Amazon Simple Notification Service topic.

The following example shows the Amazon Security Finding Format (ASFF) for the `AwsSnsTopic` object. To view descriptions of `AwsSnsTopic` attributes, see [AwsSnsTopicDetails](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_AwsSnsTopicDetails.html) in the *Amazon Security Hub API Reference*.

**Example**

```
"AwsSnsTopic": {
    "ApplicationSuccessFeedbackRoleArn": "arn:aws-cn:iam::123456789012:role/ApplicationSuccessFeedbackRoleArn",                        
    "FirehoseFailureFeedbackRoleArn": "arn:aws-cn:iam::123456789012:role/FirehoseFailureFeedbackRoleArn",
    "FirehoseSuccessFeedbackRoleArn": "arn:aws-cn:iam::123456789012:role/FirehoseSuccessFeedbackRoleArn",
    "HttpFailureFeedbackRoleArn": "arn:aws-cn:iam::123456789012:role/HttpFailureFeedbackRoleArn",
    "HttpSuccessFeedbackRoleArn": "arn:aws-cn:iam::123456789012:role/HttpSuccessFeedbackRoleArn",                         
    "KmsMasterKeyId": "alias/ExampleAlias",
    "Owner": "123456789012",
    "SqsFailureFeedbackRoleArn": "arn:aws-cn:iam::123456789012:role/SqsFailureFeedbackRoleArn",
    "SqsSuccessFeedbackRoleArn": "arn:aws-cn:iam::123456789012:role/SqsSuccessFeedbackRoleArn",                         
    "Subscription": {
         "Endpoint": "http://sampleendpoint.com",
         "Protocol": "http"
    },
    "TopicName": "SampleTopic"
}
```

# AwsSqs resources in ASFF
AwsSqs

The following are examples of the Amazon Security Finding Format (ASFF) syntax for `AwsSqs` resources.

Amazon Security Hub CSPM normalizes findings from various sources into ASFF. For background information about ASFF, see [Amazon Security Finding Format (ASFF)](securityhub-findings-format.md).

## AwsSqsQueue


The `AwsSqsQueue` object contains information about an Amazon Simple Queue Service queue.

The following example shows the Amazon Security Finding Format (ASFF) for the `AwsSqsQueue` object. To view descriptions of `AwsSqsQueue` attributes, see [AwsSqsQueueDetails](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_AwsSqsQueueDetails.html) in the *Amazon Security Hub API Reference*.

**Example**

```
"AwsSqsQueue": {
    "DeadLetterTargetArn": "arn:aws-cn:sqs:us-west-2:123456789012:queue/target",
    "KmsDataKeyReusePeriodSeconds": 60,
    "KmsMasterKeyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
    "QueueName": "sample-queue"
}
```

# AwsSsm resources in ASFF
AwsSsm

The following are examples of the Amazon Security Finding Format (ASFF) syntax for `AwsSsm` resources.

Amazon Security Hub CSPM normalizes findings from various sources into ASFF. For background information about ASFF, see [Amazon Security Finding Format (ASFF)](securityhub-findings-format.md).

## AwsSsmPatchCompliance


The `AwsSsmPatchCompliance` object provides information about the state of a patch on an instance based on the patch baseline that was used to patch the instance.

The following example shows the Amazon Security Finding Format (ASFF) for the `AwsSsmPatchCompliance` object. To view descriptions of `AwsSsmPatchCompliance` attributes, see [AwsSsmPatchComplianceDetails](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_AwsSsmPatchComplianceDetails.html) in the *Amazon Security Hub API Reference*.

**Example**

```
"AwsSsmPatchCompliance": {
    "Patch": {
        "ComplianceSummary": {
            "ComplianceType": "Patch",
            "CompliantCriticalCount": 0,
            "CompliantHighCount": 0,
            "CompliantInformationalCount": 0,
            "CompliantLowCount": 0,
            "CompliantMediumCount": 0,
            "CompliantUnspecifiedCount": 461,
            "ExecutionType": "Command",
            "NonCompliantCriticalCount": 0,
            "NonCompliantHighCount": 0,
            "NonCompliantInformationalCount": 0,
            "NonCompliantLowCount": 0,
            "NonCompliantMediumCount": 0,
            "NonCompliantUnspecifiedCount": 0,
            "OverallSeverity": "UNSPECIFIED",
            "PatchBaselineId": "pb-0c5b2769ef7cbe587",
            "PatchGroup": "ExamplePatchGroup",
            "Status": "COMPLIANT"
        }
    }
}
```

# AwsStepFunctions resources in ASFF
AwsStepFunctions

The following are examples of the Amazon Security Finding Format (ASFF) syntax for `AwsStepFunctions` resources.

Amazon Security Hub CSPM normalizes findings from various sources into ASFF. For background information about ASFF, see [Amazon Security Finding Format (ASFF)](securityhub-findings-format.md).

## AwsStepFunctionStateMachine


The `AwsStepFunctionStateMachine` object provides information about an Amazon Step Functions state machine, which is a workflow consisting of a series of event-driven steps.

The following example shows the Amazon Security Finding Format (ASFF) for the `AwsStepFunctionStateMachine` object. To view descriptions of `AwsStepFunctionStateMachine` attributes, see [AwsStepFunctionStateMachineDetails](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_AwsStepFunctionStateMachineDetails.html) in the *Amazon Security Hub API Reference*.

**Example**

```
"AwsStepFunctionStateMachine": {
    "StateMachineArn": "arn:aws-cn:states:us-east-1:123456789012:stateMachine:StepFunctionsLogDisableNonCompliantResource-fQLujTeXvwsb",
    "Name": "StepFunctionsLogDisableNonCompliantResource-fQLujTeXvwsb",
    "Status": "ACTIVE",
    "RoleArn": "arn:aws-cn:iam::123456789012:role/teststepfunc-StatesExecutionRole-1PNM71RVO1UKT",
    "Type": "STANDARD",
    "LoggingConfiguration": {
        "Level": "OFF",
        "IncludeExecutionData": false
    },
    "TracingConfiguration": {
        "Enabled": false
    }
}
```

# AwsWaf resources in ASFF
AwsWaf

The following are examples of the Amazon Security Finding Format (ASFF) syntax for `AwsWaf` resources.

Amazon Security Hub CSPM normalizes findings from various sources into ASFF. For background information about ASFF, see [Amazon Security Finding Format (ASFF)](securityhub-findings-format.md).

## AwsWafRateBasedRule


The `AwsWafRateBasedRule` object contains details about an Amazon WAF rate-based rule for global resources. An Amazon WAF rate-based rule provides settings to indicate when to allow, block, or count a request. Rate-based rules include the number of requests that arrive over a specified period of time.

The following example shows the Amazon Security Finding Format (ASFF) for the `AwsWafRateBasedRule` object. To view descriptions of `AwsWafRateBasedRule` attributes, see [AwsWafRateBasedRuleDetails](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_AwsWafRateBasedRuleDetails.html) in the *Amazon Security Hub API Reference*.

**Example**

```
"AwsWafRateBasedRule":{
    "MatchPredicates" : [{
        "DataId" : "391b7a7e-5f00-40d2-b114-3f27ceacbbb0",
        "Negated" : true,
        "Type" : "IPMatch"
    }],
    "MetricName" : "MetricName",
    "Name" : "Test",
    "RateKey" : "IP",
    "RateLimit" : 235000,
    "RuleId" : "5dfb4085-f103-4ec6-b39a-d4a0dae5f47f"
}
```

## AwsWafRegionalRateBasedRule


The `AwsWafRegionalRateBasedRule` object contains details about a rate-based rule for Regional resources. A rate-based rule provides settings to indicate when to allow, block, or count a request. Rate-based rules include the number of requests that arrive over a specified period of time.

The following example shows the Amazon Security Finding Format (ASFF) for the `AwsWafRegionalRateBasedRule` object. To view descriptions of `AwsWafRegionalRateBasedRule` attributes, see [AwsWafRegionalRateBasedRuleDetails](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_AwsWafRegionalRateBasedRuleDetails.html) in the *Amazon Security Hub API Reference*.

**Example**

```
"AwsWafRegionalRateBasedRule":{
    "MatchPredicates" : [{
        "DataId" : "391b7a7e-5f00-40d2-b114-3f27ceacbbb0",
        "Negated" : true,
        "Type" : "IPMatch"
    }],
    "MetricName" : "MetricName",
    "Name" : "Test",
    "RateKey" : "IP",
    "RateLimit" : 235000,
    "RuleId" : "5dfb4085-f103-4ec6-b39a-d4a0dae5f47f"
}
```

## AwsWafRegionalRule


The `AwsWafRegionalRule` object provides details about an Amazon WAF Regional rule. This rule identifies the web requests that you want to allow, block, or count.

The following example shows the Amazon Security Finding Format (ASFF) for the `AwsWafRegionalRule` object. To view descriptions of `AwsWafRegionalRule` attributes, see [AwsWafRegionalRuleDetails](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_AwsWafRegionalRuleDetails.html) in the *Amazon Security Hub API Reference*.

**Example**

```
"AwsWafRegionalRule": { 
    "MetricName": "SampleWAF_Rule__Metric_1",
    "Name": "bb-waf-regional-rule-not-empty-conditions-compliant",
    "RuleId": "8f651760-24fa-40a6-a9ed-4b60f1de95fe",
    "PredicateList": [{
        "DataId": "127d9346-e607-4e93-9286-c1296fb5445a",
        "Negated": false,
        "Type": "GeoMatch"
    }]
}
```

## AwsWafRegionalRuleGroup


The `AwsWafRegionalRuleGroup` object provides details about an Amazon WAF Regional rule group. A rule group is a collection of predefined rules that you add to a web access control list (web ACL).

The following example shows the Amazon Security Finding Format (ASFF) for the `AwsWafRegionalRuleGroup` object. To view descriptions of `AwsWafRegionalRuleGroup` attributes, see [AwsWafRegionalRuleGroupDetails](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_AwsWafRegionalRuleGroupDetails.html) in the *Amazon Security Hub API Reference*.

**Example**

```
"AwsWafRegionalRuleGroup": {
    "MetricName": "SampleWAF_Metric_1",
    "Name": "bb-WAFClassicRuleGroupWithRuleCompliant",
    "RuleGroupId": "2012ca6d-e66d-4d9b-b766-bfb03ad77cfb",
    "Rules": [{
        "Action": {
            "Type": "ALLOW"
        },
        "Priority": 1,
        "RuleId": "cdd225da-32cf-4773-8dc5-3bca3ed9c19c",
        "Type": "REGULAR"
    }]
}
```

## AwsWafRegionalWebAcl


`AwsWafRegionalWebAcl` provides details about an Amazon WAF Regional web access control list (web ACL). A web ACL contains the rules that identify the requests that you want to allow, block, or count.

The following example shows the Amazon Security Finding Format (ASFF) for the `AwsWafRegionalWebAcl` object. To view descriptions of `AwsWafRegionalWebAcl` attributes, see [AwsWafRegionalWebAclDetails](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_AwsWafRegionalWebAclDetails.html) in the *Amazon Security Hub API Reference*.

**Example**

```
"AwsWafRegionalWebAcl": {
    "DefaultAction": "ALLOW",
    "MetricName" : "web-regional-webacl-metric-1",
    "Name": "WebACL_123",
    "RulesList": [
        {
            "Action": {
                "Type": "Block"
            },
            "Priority": 3,
            "RuleId": "24445857-852b-4d47-bd9c-61f05e4d223c",
            "Type": "REGULAR",
            "ExcludedRules": [
                {
                    "ExclusionType": "Exclusion",
                    "RuleId": "Rule_id_1"
                }
            ],
            "OverrideAction": {
                "Type": "OVERRIDE"
            }
        }
    ],
    "WebAclId": "443c76f4-2e72-4c89-a2ee-389d501c1f67"
}
```

## AwsWafRule


`AwsWafRule` provides information about an Amazon WAF rule. An Amazon WAF rule identifies the web requests that you want to allow, block, or count.

The following example shows the Amazon Security Finding Format (ASFF) for the `AwsWafRule` object. To view descriptions of `AwsWafRule` attributes, see [AwsWafRuleDetails](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_AwsWafRuleDetails.html) in the *Amazon Security Hub API Reference*.

**Example**

```
"AwsWafRule": {
    "MetricName": "AwsWafRule_Metric_1",
    "Name": "AwsWafRule_Name_1",
    "PredicateList": [{
        "DataId": "cdd225da-32cf-4773-1dc2-3bca3ed9c19c",
        "Negated": false,
        "Type": "GeoMatch"
    }],
    "RuleId": "8f651760-24fa-40a6-a9ed-4b60f1de953e"
}
```

## AwsWafRuleGroup


`AwsWafRuleGroup` provides information about an Amazon WAF rule group. An Amazon WAF rule group is a collection of predefined rules that you add to a web access control list (web ACL).

The following example shows the Amazon Security Finding Format (ASFF) for the `AwsWafRuleGroup` object. To view descriptions of `AwsWafRuleGroup` attributes, see [AwsWafRuleGroupDetails](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_AwsWafRuleGroupDetails.html) in the *Amazon Security Hub API Reference*.

**Example**

```
"AwsWafRuleGroup": {
    "MetricName": "SampleWAF_Metric_1",
    "Name": "bb-WAFRuleGroupWithRuleCompliant",
    "RuleGroupId": "2012ca6d-e66d-4d9b-b766-bfb03ad77cfb",
    "Rules": [{
        "Action": {
            "Type": "ALLOW"
        },
        "Priority": 1,
        "RuleId": "cdd225da-32cf-4773-8dc5-3bca3ed9c19c",
        "Type": "REGULAR"
    }]
}
```

## AwsWafv2RuleGroup


The `AwsWafv2RuleGroup` object provides details about an Amazon WAFV2 rule group.

The following example shows the Amazon Security Finding Format (ASFF) for the `AwsWafv2RuleGroup` object. To view descriptions of `AwsWafv2RuleGroup` attributes, see [AwsWafv2RuleGroupDetails](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_AwsWafv2RuleGroupDetails.html) in the *Amazon Security Hub API Reference*.

**Example**

```
"AwsWafv2RuleGroup": {
    "Arn": "arn:aws-cn:wafv2:us-east-1:123456789012:global/rulegroup/wafv2rulegroupasff/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
    "Capacity": 1000,
    "Description": "Resource for ASFF",
    "Id": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
    "Name": "wafv2rulegroupasff",
    "Rules": [{
        "Action": {
            "Allow": {
                "CustomRequestHandling": {
                    "InsertHeaders": [
                        {
                            "Name": "AllowActionHeader1Name",
                            "Value": "AllowActionHeader1Value"
                        },
                        {
                            "Name": "AllowActionHeader2Name",
                            "Value": "AllowActionHeader2Value"
                        }
                    ]
                }
            }
        },
        "Name": "RuleOne",
        "Priority": 1,
        "VisibilityConfig": {
            "CloudWatchMetricsEnabled": true,
            "MetricName": "rulegroupasff",
            "SampledRequestsEnabled": false
        }
    }],
    "VisibilityConfig": {
        "CloudWatchMetricsEnabled": true,
        "MetricName": "rulegroupasff",
        "SampledRequestsEnabled": false
    }
}
```

## AwsWafWebAcl


The `AwsWafWebAcl` object provides details about an Amazon WAF web ACL.

The following example shows the Amazon Security Finding Format (ASFF) for the `AwsWafWebAcl` object. To view descriptions of `AwsWafWebAcl` attributes, see [AwsWafWebAclDetails](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_AwsWafWebAclDetails.html) in the *Amazon Security Hub API Reference*.

**Example**

```
"AwsWafWebAcl": {
    "DefaultAction": "ALLOW",
    "Name": "MyWafAcl",
    "Rules": [
        {
            "Action": {
                "Type": "ALLOW"
            },
            "ExcludedRules": [
                {
                    "RuleId": "5432a230-0113-5b83-bbb2-89375c5bfa98"
                }
            ],
            "OverrideAction": {
                "Type": "NONE"
            },
            "Priority": 1,
            "RuleId": "5432a230-0113-5b83-bbb2-89375c5bfa98",
            "Type": "REGULAR"
        }
    ],
    "WebAclId": "waf-1234567890"
}
```

## AwsWafv2WebAcl


The `AwsWafv2WebAcl` object provides details about an Amazon WAFV2 web ACL.

The following example shows the Amazon Security Finding Format (ASFF) for the `AwsWafv2WebAcl` object. To view descriptions of `AwsWafv2WebAcl` attributes, see [AwsWafv2WebAclDetails](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_AwsWafv2WebAclDetails.html) in the *Amazon Security Hub API Reference*.

**Example**

```
"AwsWafv2WebAcl": {
    "Arn": "arn:aws-cn:wafv2:us-east-1:123456789012:regional/webacl/WebACL-RoaD4QexqSxG/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
    "Capacity": 1326,
    "CaptchaConfig": {
    	"ImmunityTimeProperty": {
    		"ImmunityTime": 500
    	}
    },
    "DefaultAction": {
    	"Block": {}
    },
    "Description": "Web ACL for JsonBody testing",
    "ManagedbyFirewallManager": false,
    "Name": "WebACL-RoaD4QexqSxG",
    "Rules": [{
    	"Action": {
    		"RuleAction": {
    			"Block": {}
    		}
    	},
    	"Name": "TestJsonBodyRule",
    	"Priority": 1,
    	"VisibilityConfig": {
    		"SampledRequestsEnabled": true,
    		"CloudWatchMetricsEnabled": true,
    		"MetricName": "JsonBodyMatchMetric"
    	}
    }],
    "VisibilityConfig": {
    	"SampledRequestsEnabled": true,
    	"CloudWatchMetricsEnabled": true,
    	"MetricName": "TestingJsonBodyMetric"
    }
}
```

# AwsXray resources in ASFF
AwsXray

The following are examples of the Amazon Security Finding Format (ASFF) syntax for `AwsXray` resources.

Amazon Security Hub CSPM normalizes findings from various sources into ASFF. For background information about ASFF, see [Amazon Security Finding Format (ASFF)](securityhub-findings-format.md).

## AwsXrayEncryptionConfig


The `AwsXrayEncryptionConfig` object contains information about the encryption configuration for Amazon X-Ray.

The following example shows the Amazon Security Finding Format (ASFF) for the `AwsXrayEncryptionConfig` object. To view descriptions of `AwsXrayEncryptionConfig` attributes, see [AwsXrayEncryptionConfigDetails](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_AwsXrayEncryptionConfigDetails.html) in the *Amazon Security Hub API Reference*.

**Example**

```
"AwsXrayEncryptionConfig": {
    "KeyId": "arn:aws-cn:kms:us-east-2:222222222222:key/example-key",
    "Status": "UPDATING",
    "Type":"KMS"
}
```

# CodeRepository object in ASFF
CodeRepository

The `CodeRepository` object provides information about an external code repository that you connected to Amazon resources and configured Amazon Inspector to scan for vulnerabilities.

The following example shows the Amazon Security Finding Format (ASFF) syntax for the `CodeRepository` object. To view descriptions of `CodeRepository` attributes, see [CodeRepositoryDetails](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_CodeRepositoryDetails.html) in the *Amazon Security Hub API Reference*. For background information about ASFF, see [Amazon Security Finding Format (ASFF)](securityhub-findings-format.md).

**Example**

```
"CodeRepository": {
    "ProviderType": "GITLAB_SELF_MANAGED",
    "ProjectName": "projectName",
    "CodeSecurityIntegrationArn": "arn:aws:inspector2:us-east-1:123456789012:codesecurity-integration/00000000-0000-0000-0000-000000000000"
}
```

# Container object in ASFF
Container

The following example shows the Amazon Security Finding Format (ASFF) syntax for the `Container` object. To view descriptions of `Container` attributes, see [ContainerDetails](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_ContainerDetails.html) in the *Amazon Security Hub API Reference*. For background information about ASFF, see [Amazon Security Finding Format (ASFF)](securityhub-findings-format.md).

**Example**

```
"Container": {
    "ContainerRuntime": "docker",
    "ImageId": "image12",
    "ImageName": "1111111/knotejs@sha256:372131c9fef111111111111115f4ed3ea5f9dce4dc3bd34ce21846588a3",
    "LaunchedAt": "2018-09-29T01:25:54Z",
    "Name": "knote",
    "Privileged": true,
    "VolumeMounts": [{
        "Name": "vol-03909e9",
        "MountPath": "/mnt/etc"
    }]
}
```

# Other object in ASFF
Other

In the Amazon Security Finding Format (ASFF), the `Other` object specifies custom fields and values. For more information about ASFF, see [Amazon Security Finding Format (ASFF)](securityhub-findings-format.md).

By using the `Other` object, you can specify custom fields and values for a resource. You can use the `Other` object for the following cases:
+ The resource type does not have a corresponding `Details` object. To specify details for a resource, use the `Other` object.
+ The `Details` object for the resource type does not include all the attributes that you want to specify. In this case, use the `Details` object for the resource type to specify available attributes. Use the `Other` object to specify attributes that are not in the type-specific `Details` object.
+ The resource type is not one of the provided types. In this case, set `Resource.Type` to `Other` and use the `Other` object to specify the details.

**Type:** Map of up to 50 key-value pairs

Each key-value pair must meet the following requirements.
+ The key must contain fewer than 128 characters.
+ The value must contain fewer than 1,024 characters.
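The following is an added example, not code from the Security Hub documentation, showing how a finding producer can assemble one `Resources[]` element of an ASFF finding and enforce the `Other` limits stated above before calling `BatchImportFindings`. The resource type `Other` with a tenant-style resource, the `AwsSqsQueue` details and the extra attributes are constructed for the illustration; the limit constants come from the requirements listed in this section.

```python
# Added example (not from the Security Hub documentation): build the Resource entry of an
# ASFF finding, using the type-specific Details object when one exists and Details.Other
# for attributes it does not cover, while enforcing the documented limits on Other
# (at most 50 key-value pairs, keys shorter than 128 characters, values shorter than 1,024).
import json
from typing import Optional

MAX_OTHER_PAIRS = 50
MAX_OTHER_KEY_LEN = 128      # key must contain fewer than 128 characters
MAX_OTHER_VALUE_LEN = 1024   # value must contain fewer than 1,024 characters


class AsffOtherError(ValueError):
    """Raised when a Details.Other map violates the documented limits."""


def validate_other(other: dict) -> dict:
    """Return a copy of `other` with every value as a string, or raise AsffOtherError.

    The Other map is string -> string, so booleans, numbers and lists are JSON-encoded
    rather than silently dropped or coerced by the API.
    """
    if len(other) > MAX_OTHER_PAIRS:
        raise AsffOtherError(f"Other has {len(other)} pairs; limit is {MAX_OTHER_PAIRS}")
    checked = {}
    for key, value in other.items():
        if not isinstance(key, str) or len(key) >= MAX_OTHER_KEY_LEN:
            raise AsffOtherError(
                f"key {key!r} must be a string shorter than {MAX_OTHER_KEY_LEN} characters")
        text = value if isinstance(value, str) else json.dumps(value, sort_keys=True)
        if len(text) >= MAX_OTHER_VALUE_LEN:
            raise AsffOtherError(
                f"value for key {key!r} is {len(text)} characters; "
                f"it must be shorter than {MAX_OTHER_VALUE_LEN}")
        checked[key] = text
    return checked


def build_resource(resource_type: str, resource_id: str, region: str,
                   details: Optional[dict] = None, other: Optional[dict] = None) -> dict:
    """Assemble one ASFF Resources[] element.

    `details` is the type-specific Details object (for example {"AwsSqsQueue": {...}});
    `other` holds attributes that object does not cover. For a resource type that is not
    one of the provided types, pass resource_type="Other" and put everything in `other`.
    """
    resource = {"Type": resource_type, "Id": resource_id, "Region": region}
    body = dict(details or {})
    if other:
        body["Other"] = validate_other(other)
    if body:
        resource["Details"] = body
    return resource


if __name__ == "__main__":
    # Hypothetical SaaS tenant with no Details object of its own: Type is "Other".
    tenant = build_resource("Other", "tenant-42", "us-east-1",
                            other={"Tenant": "acme", "MfaEnforced": False})
    # Provided type plus extra attributes that AwsSqsQueueDetails does not carry.
    queue = build_resource(
        "AwsSqsQueue", "arn:aws-cn:sqs:us-east-1:123456789012:sample-queue", "us-east-1",
        details={"AwsSqsQueue": {"QueueName": "sample-queue",
                                 "KmsMasterKeyId": "1234abcd-12ab-34cd-56ef-1234567890ab"}},
        other={"OwningTeam": "payments"})
    print(json.dumps({"Resources": [tenant, queue]}, indent=2))
```

Rejecting an oversized map locally is cheaper than discovering the problem as a per-finding error in the `BatchImportFindings` response, where one bad resource fails the whole finding.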

# Viewing insights in Security Hub CSPM
Insights

In Amazon Security Hub CSPM, an *insight* is a collection of related findings. An insight can identify a specific security area that requires attention and intervention. For example, an insight might point out EC2 instances that are the subject of findings that detect poor security practices. An insight brings together findings from across finding providers.

Each insight is defined by a group by statement and optional filters. The group by statement indicates how to group the matching findings, and identifies the type of item that the insight applies to. For example, if an insight is grouped by resource identifier, then the insight produces a list of resource identifiers. The optional filters identify the matching findings for the insight. For example, you might want to only see findings from specific providers or findings that are associated with specific types of resources.

Security Hub CSPM offers several built-in managed insights. You can't modify or delete managed insights. To track security issues that are unique to your Amazon environment and usage, you can create custom insights.

The **Insights** page on the Amazon Security Hub CSPM console displays the list of available insights.

By default, the list displays both managed and custom insights. To filter the insight list based on insight type, choose the insight type from the dropdown menu that is next to the filter field.
+ To display all of the available insights, choose **All insights**. This is the default option.
+ To display only managed insights, choose **Security Hub CSPM managed insights**.
+ To display only custom insights, choose **Custom insights**.

You also can filter the insight list based on the insight's name. To do so, in the filter field, type the text to use to filter the list. The filter is not case sensitive. The filter looks for insights that contain the text anywhere in the insight name.

An insight only returns results if you have enabled integrations or standards that produce matching findings. For example, the managed insight **29. Top resources by counts of failed CIS checks** only returns results if you enable a version of the Center for Internet Security (CIS) Amazon Foundations Benchmark standard.

# Reviewing and acting on insights in Security Hub CSPM
Reviewing and acting on insights

For each insight, Amazon Security Hub CSPM first determines the findings that match the filter criteria, and then uses the grouping attribute to group the matching findings.

From the **Insights** page on the console, you can view and take action on the results and findings.

If you enable cross-Region aggregation and are signed in to the aggregation Region, the results for managed insights include findings from the aggregation Region and all linked Regions. The same applies to custom insights, unless the insight filters by Region. In any other Region, insight results cover only that Region.

For information about configuring cross-Region aggregation, see [Understanding cross-Region aggregation in Security Hub CSPM](finding-aggregation.md).

## Viewing and taking action on insight results


The insight results consist of a grouped list of the results for the insight. For example, if the insight is grouped by resource identifiers, then the insight results are the list of resource identifiers. Each item in the results list indicates the number of matching findings for that item.

If the findings are grouped by resource identifier or resource type, the results include all of the resources in the matching findings. This includes resources that have a different type from the resource type specified in the filter criteria. For example, an insight identifies findings that are associated with S3 buckets. If a matching finding contains both an S3 bucket resource and an IAM access key resource, the insight results include both resources.

On the Security Hub CSPM console, the results list is sorted from most to fewest matching findings. Security Hub CSPM can only display 100 results. If there are more than 100 grouping values, you only see the first 100.

In addition to the results list, the insight results display a set of charts summarizing the number of matching findings for the following attributes.
+ **Severity label** – Number of findings for each severity label
+ **Amazon Web Services account ID** – Top five account IDs for the matching findings
+ **Resource type** – Top five resource types for the matching findings
+ **Resource ID** – Top five resource IDs for the matching findings
+ **Product name** - Top five finding providers for the matching findings

If you have configured custom actions, then you can send selected results to a custom action. The action must be associated with an Amazon EventBridge rule for the `Security Hub Insight Results` event type. For more information, see [Using EventBridge for automated response and remediation](securityhub-cloudwatch-events.md). If you have not configured custom actions, the **Actions** menu is disabled.

------
#### [ Security Hub CSPM console ]

**To view and take action on insight results (console)**

1. Open the Amazon Security Hub CSPM console at [https://console.amazonaws.cn/securityhub/](https://console.amazonaws.cn/securityhub/).

1. In the navigation pane, choose **Insights**.

1. To display the list of insight results, choose the insight name.

1. Select the check box for each result to send to the custom action.

1. From the **Actions** menu, choose the custom action.

------
#### [ Security Hub CSPM API, Amazon CLI ]

**To view and take action on insight results (API, Amazon CLI)**

To view insight results, use the [GetInsightResults](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_GetInsightResults.html) operation of the Security Hub CSPM API. If you use the Amazon CLI, run the [get-insight-results](https://docs.amazonaws.cn/cli/latest/reference/securityhub/get-insight-results.html) command.

To identify the insight to return results for, you need the insight ARN. To obtain the insight ARNs for custom insights, use the [GetInsights](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_GetInsights.html) API operation or the [get-insights](https://docs.amazonaws.cn/cli/latest/reference/securityhub/get-insights.html) command.

The following example retrieves the results for the specified insight. This example is formatted for Linux, macOS, or Unix, and it uses the backslash (\) line-continuation character to improve readability.

```
$ aws securityhub get-insight-results \
    --insight-arn "arn:aws-cn:securityhub:us-west-1:123456789012:insight/123456789012/custom/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
```

For information about how to create custom actions programmatically, see [Using custom actions to send findings and insight results to EventBridge](securityhub-cwe-custom-actions.md).

------

## Viewing and taking action on insight result findings (console)


From an insight results list on the Security Hub CSPM console, you can display the list of findings for each result.

**To display and take action on insight findings (console)**

1. Open the Amazon Security Hub CSPM console at [https://console.amazonaws.cn/securityhub/](https://console.amazonaws.cn/securityhub/).

1. In the navigation pane, choose **Insights**.

1. To display the list of insight results, choose the insight name.

1. To display the list of findings for an insight result, choose the item from the results list. The findings list shows the active findings for the selected insight result that have a workflow status of `NEW` or `NOTIFIED`.

From the findings list, you can perform the following actions:
+ [Filtering findings in Security Hub CSPM](securityhub-findings-manage.md)
+ [Reviewing finding details and history](securityhub-findings-viewing.md#finding-view-details-console)
+ [Setting the workflow status of findings in Security Hub CSPM](findings-workflow-status.md)
+ [Sending findings to a custom Security Hub CSPM action](findings-custom-action.md)

# Managed insights in Security Hub CSPM
Managed insights

Amazon Security Hub CSPM provides several managed insights.

You can't edit or delete Security Hub CSPM managed insights. You can [view and take action on the insight results and findings](securityhub-insights-view-take-action.md). You can also [use a managed insight as the basis for a new custom insight](securityhub-custom-insight-create-api.md#securityhub-custom-insight-frrom-managed).

As with all insights, a managed insight only returns results if you have enabled product integrations or security standards that can produce matching findings.

For insights that are grouped by resource identifier, the results include the identifiers of all of the resources in the matching findings. This includes resources that have a different type from the resource type in the filter criteria. For example, insight 2 in the following list identifies findings that are associated with Amazon S3 buckets. If a matching finding contains both an S3 bucket resource and an IAM access key resource, the insight results include both resources.
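The following is an added example, not code from the Security Hub documentation, that reproduces locally the two-step evaluation described in this section and in *Viewing and taking action on insight results*: apply the finding filters, then group the matching findings by the grouping attribute. It uses the filters of managed insight 2 (S3 buckets with public write or read permissions) as listed below, and the sample findings are constructed for the illustration; the only fields present are the ones the insight reads. It shows the behaviour described above: a matching finding that carries both an S3 bucket and an IAM access key contributes both identifiers to the results, even though the filter selects on `AwsS3Bucket`.

```python
# Added example (not from the Security Hub documentation): evaluate an insight definition
# locally over ASFF findings. Filters are applied first; the matching findings are then
# grouped by resource identifier. Grouping counts EVERY resource of a matching finding,
# whatever its type, which is why a non-S3 resource can appear in an S3 insight's results.
from collections import Counter
from typing import Iterable, List, Tuple

MAX_CONSOLE_RESULTS = 100   # the console displays at most 100 grouping values

# Filters of managed insight 2, "S3 buckets with public write or read permissions",
# transcribed from the list on this page.
INSIGHT_2_FILTERS = {
    "TypePrefix": "Effects/Data Exposure",
    "ResourceType": "AwsS3Bucket",
    "RecordState": {"ACTIVE"},
    "WorkflowStatus": {"NEW", "NOTIFIED"},
}


def finding_matches(finding: dict, filters: dict) -> bool:
    """Return True when the finding satisfies every filter of the insight.

    Types and Resources are lists: the finding matches when ANY type starts with the
    prefix and ANY resource has the filtered resource type.
    """
    if finding.get("RecordState") not in filters["RecordState"]:
        return False
    if finding.get("Workflow", {}).get("Status") not in filters["WorkflowStatus"]:
        return False
    if not any(t.startswith(filters["TypePrefix"]) for t in finding.get("Types", [])):
        return False
    return any(r.get("Type") == filters["ResourceType"] for r in finding.get("Resources", []))


def insight_results(findings: Iterable[dict], filters: dict) -> List[Tuple[str, int]]:
    """Group matching findings by resource identifier, most matching findings first."""
    counts: Counter = Counter()
    for finding in findings:
        if not finding_matches(finding, filters):
            continue
        # Every resource of a matching finding is counted, regardless of its type.
        for resource in finding.get("Resources", []):
            counts[resource["Id"]] += 1
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return ranked[:MAX_CONSOLE_RESULTS]


# Constructed sample findings (not real data); only the fields the insight reads are present.
SAMPLE_FINDINGS = [
    {   # Matches: public bucket, ACTIVE, NEW. Also carries an IAM access key resource.
        "Id": "f-1", "RecordState": "ACTIVE", "Workflow": {"Status": "NEW"},
        "Types": ["Effects/Data Exposure/S3-Bucket-Public"],
        "Resources": [
            {"Type": "AwsS3Bucket", "Id": "arn:aws-cn:s3:::public-logs"},
            {"Type": "AwsIamAccessKey", "Id": "AKIAIOSFODNN7EXAMPLE"},
        ],
    },
    {   # Matches: same bucket, workflow status NOTIFIED.
        "Id": "f-2", "RecordState": "ACTIVE", "Workflow": {"Status": "NOTIFIED"},
        "Types": ["Effects/Data Exposure/S3-Bucket-Public"],
        "Resources": [{"Type": "AwsS3Bucket", "Id": "arn:aws-cn:s3:::public-logs"}],
    },
    {   # Excluded: workflow status RESOLVED.
        "Id": "f-3", "RecordState": "ACTIVE", "Workflow": {"Status": "RESOLVED"},
        "Types": ["Effects/Data Exposure/S3-Bucket-Public"],
        "Resources": [{"Type": "AwsS3Bucket", "Id": "arn:aws-cn:s3:::old-bucket"}],
    },
    {   # Excluded: right resource type, but the finding type has a different prefix.
        "Id": "f-4", "RecordState": "ACTIVE", "Workflow": {"Status": "NEW"},
        "Types": ["Software and Configuration Checks/Industry and Regulatory Standards"],
        "Resources": [{"Type": "AwsS3Bucket", "Id": "arn:aws-cn:s3:::config-bucket"}],
    },
    {   # Excluded: archived finding.
        "Id": "f-5", "RecordState": "ARCHIVED", "Workflow": {"Status": "NEW"},
        "Types": ["Effects/Data Exposure/S3-Bucket-Public"],
        "Resources": [{"Type": "AwsS3Bucket", "Id": "arn:aws-cn:s3:::public-logs"}],
    },
]

if __name__ == "__main__":
    for resource_id, n in insight_results(SAMPLE_FINDINGS, INSIGHT_2_FILTERS):
        print(f"{n:3d}  {resource_id}")
```

Run as-is, the bucket `arn:aws-cn:s3:::public-logs` ranks first with two matching findings and the access key `AKIAIOSFODNN7EXAMPLE` follows with one, so anyone automating on insight results should check each result's resource type rather than assume it is the type named in the filter.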

Security Hub CSPM currently offers the following managed insights:

**1. Amazon resources with the most findings**  
**ARN:** `arn:aws-cn:securityhub:::insight/securityhub/default/1`  
**Grouped by:** Resource identifier  
**Finding filters:**  
+ Record state is `ACTIVE`
+ Workflow status is `NEW` or `NOTIFIED`

**2. S3 buckets with public write or read permissions**  
**ARN:** `arn:aws-cn:securityhub:::insight/securityhub/default/10`  
**Grouped by:** Resource identifier  
**Finding filters:**  
+ Type starts with `Effects/Data Exposure`
+ Resource type is `AwsS3Bucket`
+ Record state is `ACTIVE`
+ Workflow status is `NEW` or `NOTIFIED`

**3. AMIs that are generating the most findings**  
**ARN:** `arn:aws-cn:securityhub:::insight/securityhub/default/3`  
**Grouped by:** EC2 instance image ID  
**Finding filters:**  
+ Resource type is `AwsEc2Instance`
+ Record state is `ACTIVE`
+ Workflow status is `NEW` or `NOTIFIED`

**4. EC2 instances involved in known Tactics, Techniques, and Procedures (TTPs)**  
**ARN:** `arn:aws-cn:securityhub:::insight/securityhub/default/14`  
**Grouped by:** Resource ID  
**Finding filters:**  
+ Type starts with `TTPs`
+ Resource type is `AwsEc2Instance`
+ Record state is `ACTIVE`
+ Workflow status is `NEW` or `NOTIFIED`

**5. Amazon principals with suspicious access key activity**  
**ARN:** `arn:aws-cn:securityhub:::insight/securityhub/default/9`  
**Grouped by:** IAM access key principal name  
**Finding filters:**  
+ Resource type is `AwsIamAccessKey`
+ Record state is `ACTIVE`
+ Workflow status is `NEW` or `NOTIFIED`

**6. Amazon resources instances that don't meet security standards / best practices**  
**ARN:** `arn:aws-cn:securityhub:::insight/securityhub/default/6`  
**Grouped by:** Resource ID  
**Finding filters:**  
+ Type is `Software and Configuration Checks/Industry and Regulatory Standards/Amazon Security Best Practices`
+ Record state is `ACTIVE`
+ Workflow status is `NEW` or `NOTIFIED`

**7. Amazon resources associated with potential data exfiltration**  
**ARN:** `arn:aws-cn:securityhub:::insight/securityhub/default/7`  
**Grouped by:** Resource ID  
**Finding filters:**  
+ Type starts with `Effects/Data Exfiltration/`
+ Record state is `ACTIVE`
+ Workflow status is `NEW` or `NOTIFIED`

**8. Amazon resources associated with unauthorized resource consumption**  
**ARN:** `arn:aws-cn:securityhub:::insight/securityhub/default/8`  
**Grouped by:** Resource ID  
**Finding filters:**  
+ Type starts with `Effects/Resource Consumption`
+ Record state is `ACTIVE`
+ Workflow status is `NEW` or `NOTIFIED`

**9. S3 buckets that don't meet security standards / best practice**  
**ARN:** `arn:aws-cn:securityhub:::insight/securityhub/default/11`  
**Grouped by:** Resource ID  
**Finding filters:**  
+ Resource type is `AwsS3Bucket`
+ Type is `Software and Configuration Checks/Industry and Regulatory Standards/Amazon Security Best Practices`
+ Record state is `ACTIVE`
+ Workflow status is `NEW` or `NOTIFIED`

**10. S3 buckets with sensitive data**  
**ARN:** `arn:aws-cn:securityhub:::insight/securityhub/default/12`  
**Grouped by:** Resource ID  
**Finding filters:**  
+ Resource type is `AwsS3Bucket`
+ Type starts with `Sensitive Data Identifications/`
+ Record state is `ACTIVE`
+ Workflow status is `NEW` or `NOTIFIED`

**11. Credentials that may have leaked**  
**ARN:** `arn:aws-cn:securityhub:::insight/securityhub/default/13`  
**Grouped by:** Resource ID  
**Finding filters:**  
+ Type starts with `Sensitive Data Identifications/Passwords/`
+ Record state is `ACTIVE`
+ Workflow status is `NEW` or `NOTIFIED`

**12. EC2 instances that have missing security patches for important vulnerabilities**  
**ARN:** `arn:aws-cn:securityhub:::insight/securityhub/default/16`  
**Grouped by:** Resource ID  
**Finding filters:**  
+ Type starts with `Software and Configuration Checks/Vulnerabilities/CVE`
+ Resource type is `AwsEc2Instance`
+ Record state is `ACTIVE`
+ Workflow status is `NEW` or `NOTIFIED`

**13. EC2 instances with general unusual behavior**  
**ARN:** `arn:aws-cn:securityhub:::insight/securityhub/default/17`  
**Grouped by:** Resource ID  
**Finding filters:**  
+ Type starts with `Unusual Behaviors`
+ Resource type is `AwsEc2Instance`
+ Record state is `ACTIVE`
+ Workflow status is `NEW` or `NOTIFIED`

**14. EC2 instances that have ports accessible from the Internet**  
**ARN:** `arn:aws-cn:securityhub:::insight/securityhub/default/18`  
**Grouped by:** Resource ID  
**Finding filters:**  
+ Type starts with `Software and Configuration Checks/Amazon Security Best Practices/Network Reachability`
+ Resource type is `AwsEc2Instance`
+ Record state is `ACTIVE`
+ Workflow status is `NEW` or `NOTIFIED`

**15. EC2 instances that don't meet security standards / best practices**  
**ARN:** `arn:aws-cn:securityhub:::insight/securityhub/default/19`  
**Grouped by:** Resource ID  
**Finding filters:**  
+ Type starts with one of the following:
  + `Software and Configuration Checks/Industry and Regulatory Standards/`
  + `Software and Configuration Checks/Amazon Security Best Practices`
+ Resource type is `AwsEc2Instance`
+ Record state is `ACTIVE`
+ Workflow status is `NEW` or `NOTIFIED`

**16. EC2 instances that are open to the Internet**  
**ARN:** `arn:aws-cn:securityhub:::insight/securityhub/default/21`  
**Grouped by:** Resource ID  
**Finding filters:**  
+ Type starts with `Software and Configuration Checks/Amazon Security Best Practices/Network Reachability`
+ Resource type is `AwsEc2Instance`
+ Record state is `ACTIVE`
+ Workflow status is `NEW` or `NOTIFIED`

**17. EC2 instances associated with adversary reconnaissance**  
**ARN:** `arn:aws-cn:securityhub:::insight/securityhub/default/22`  
**Grouped by:** Resource ID  
**Finding filters:**  
+ Type starts with `TTPs/Discovery/Recon`
+ Resource type is `AwsEc2Instance`
+ Record state is `ACTIVE`
+ Workflow status is `NEW` or `NOTIFIED`

**18. Amazon resources that are associated with malware**  
**ARN:** `arn:aws-cn:securityhub:::insight/securityhub/default/23`  
**Grouped by:** Resource ID  
**Finding filters:**  
+ Type starts with one of the following:
  + `Effects/Data Exfiltration/Trojan`
  + `TTPs/Initial Access/Trojan`
  + `TTPs/Command and Control/Backdoor`
  + `TTPs/Command and Control/Trojan`
  + `Software and Configuration Checks/Backdoor`
  + `Unusual Behaviors/VM/Backdoor`
+ Record state is `ACTIVE`
+ Workflow status is `NEW` or `NOTIFIED`

**19. Amazon resources associated with cryptocurrency issues**  
**ARN:** `arn:aws-cn:securityhub:::insight/securityhub/default/24`  
**Grouped by:** Resource ID  
**Finding filters:**  
+ Type starts with one of the following:
  + `Effects/Resource Consumption/Cryptocurrency`
  + `TTPs/Command and Control/CryptoCurrency`
+ Record state is `ACTIVE`
+ Workflow status is `NEW` or `NOTIFIED`

**20. Amazon resources with unauthorized access attempts**  
**ARN:** `arn:aws-cn:securityhub:::insight/securityhub/default/25`  
**Grouped by:** Resource ID  
**Finding filters:**  
+ Type starts with one of the following:
  + `TTPs/Command and Control/UnauthorizedAccess`
  + `TTPs/Initial Access/UnauthorizedAccess`
  + `Effects/Data Exfiltration/UnauthorizedAccess`
  + `Unusual Behaviors/User/UnauthorizedAccess`
  + `Effects/Resource Consumption/UnauthorizedAccess`
+ Record state is `ACTIVE`
+ Workflow status is `NEW` or `NOTIFIED`

**21. Threat Intel indicators with the most hits in the last week**  
**ARN:** `arn:aws-cn:securityhub:::insight/securityhub/default/26`  
**Finding filters:**  
+ Created within the last 7 days

**22. Top accounts by counts of findings**  
**ARN:** `arn:aws-cn:securityhub:::insight/securityhub/default/27`  
**Grouped by:** Amazon Web Services account ID  
**Finding filters:**  
+ Record state is `ACTIVE`
+ Workflow status is `NEW` or `NOTIFIED`

**23. Top products by counts of findings**  
**ARN:** `arn:aws-cn:securityhub:::insight/securityhub/default/28`  
**Grouped by:** Product name  
**Finding filters:**  
+ Record state is `ACTIVE`
+ Workflow status is `NEW` or `NOTIFIED`

**24. Severity by counts of findings**  
**ARN:** `arn:aws-cn:securityhub:::insight/securityhub/default/29`  
**Grouped by:** Severity label  
**Finding filters:**  
+ Record state is `ACTIVE`
+ Workflow status is `NEW` or `NOTIFIED`

**25. Top S3 buckets by counts of findings**  
**ARN:** `arn:aws-cn:securityhub:::insight/securityhub/default/30`  
**Grouped by:** Resource ID  
**Finding filters:**  
+ Resource type is `AwsS3Bucket`
+ Record state is `ACTIVE`
+ Workflow status is `NEW` or `NOTIFIED`

**26. Top EC2 instances by counts of findings**  
**ARN:** `arn:aws-cn:securityhub:::insight/securityhub/default/31`  
**Grouped by:** Resource ID  
**Finding filters:**  
+ Resource type is `AwsEc2Instance`
+ Record state is `ACTIVE`
+ Workflow status is `NEW` or `NOTIFIED`

**27. Top AMIs by counts of findings**  
**ARN:** `arn:aws-cn:securityhub:::insight/securityhub/default/32`  
**Grouped by:** EC2 instance image ID  
**Finding filters:**  
+ Resource type is `AwsEc2Instance`
+ Record state is `ACTIVE`
+ Workflow status is `NEW` or `NOTIFIED`

**28. Top IAM users by counts of findings**  
**ARN:** `arn:aws-cn:securityhub:::insight/securityhub/default/33`  
**Grouped by:** IAM access key ID  
**Finding filters:**  
+ Resource type is `AwsIamAccessKey`
+ Record state is `ACTIVE`
+ Workflow status is `NEW` or `NOTIFIED`

**29. Top resources by counts of failed CIS checks**  
**ARN:** `arn:aws-cn:securityhub:::insight/securityhub/default/34`  
**Grouped by:** Resource ID  
**Finding filters:**  
+ Generator ID starts with `arn:aws-cn:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule`
+ Updated in the last day
+ Compliance status is `FAILED`
+ Record state is `ACTIVE`
+ Workflow status is `NEW` or `NOTIFIED`

**30. Top integrations by counts of findings**  
**ARN:** `arn:aws-cn:securityhub:::insight/securityhub/default/35`  
**Grouped by:** Product ARN  
**Finding filters:**  
+ Record state is `ACTIVE`
+ Workflow status is `NEW` or `NOTIFIED`

**31. Resources with the most failed security checks**  
**ARN:** `arn:aws-cn:securityhub:::insight/securityhub/default/36`  
**Grouped by:** Resource ID  
**Finding filters:**  
+ Updated in the last day
+ Compliance status is `FAILED`
+ Record state is `ACTIVE`
+ Workflow status is `NEW` or `NOTIFIED`

**32. IAM users with suspicious activity**  
**ARN:** `arn:aws-cn:securityhub:::insight/securityhub/default/37`  
**Grouped by:** IAM user  
**Finding filters:**  
+ Resource type is `AwsIamUser`
+ Record state is `ACTIVE`
+ Workflow status is `NEW` or `NOTIFIED`

**33. Resources with the most Amazon Health findings**  
**ARN:** `arn:aws-cn:securityhub:::insight/securityhub/default/38`  
**Grouped by:** Resource ID  
**Finding filters:**  
+ `ProductName` equals `Health`

**34. Resources with the most Amazon Config findings**  
**ARN:** `arn:aws-cn:securityhub:::insight/securityhub/default/39`  
**Grouped by:** Resource ID  
**Finding filters:**  
+ `ProductName` equals `Config`

**35. Applications with the most findings**  
**ARN:** `arn:aws-cn:securityhub:::insight/securityhub/default/40`  
**Grouped by:** ResourceApplicationArn  
**Finding filters:**  
+ `RecordState` equals `ACTIVE`
+ `Workflow.Status` equals `NEW` or `NOTIFIED`

# Understanding custom insights in Security Hub CSPM
Custom insights

In addition to Amazon Security Hub CSPM managed insights, you can create custom insights in Security Hub CSPM to track issues that are specific to your environment. Custom insights help you track a curated subset of issues.

Here are some examples of custom insights that may be useful to set up:
+ If you own an administrator account, you can set up a custom insight to track critical and high severity findings that are affecting member accounts.
+ If you rely on a specific [integrated Amazon service](securityhub-internal-providers.md), you can set up a custom insight to track critical and high severity findings from that service.
+ If you rely on a [third party integration](securityhub-partner-providers.md), you can set up a custom insight to track critical and high severity findings from that integrated product.

You can create completely new custom insights, or start from an existing custom or managed insight.

Each insight can be configured with the following options:
+ **Grouping attribute** – The grouping attribute determines which items are displayed in the insight results list. For example, if the grouping attribute is **Product name**, the insight results display the number of findings that are associated with each finding provider.
+ **Optional filters** – The filters narrow down the matching findings for the insight.

  A finding is included in the insight results only if it matches all of the provided filters. For example, if the filters are "Product name is GuardDuty" and "Resource type is `AwsS3Bucket`", matching findings must match both of these criteria.

  However, Security Hub CSPM applies boolean OR logic to filters that use the same attribute but different values. For example, if the filters are "Product name is GuardDuty" and "Product name is Amazon Inspector", a finding matches if it was generated by either Amazon GuardDuty or Amazon Inspector.

If you use the resource identifier or resource type as the grouping attribute, the insight results include all of the resources that are in the matching findings. The list is not limited to resources that match a resource type filter. For example, an insight identifies findings that are associated with S3 buckets, and groups those findings by resource identifier. A matching finding contains both an S3 bucket resource and an IAM access key resource. The insight results include both resources.

If you enable [cross-region aggregation](finding-aggregation.md) and then create a custom insight, the insight applies to matching findings in the aggregation Region and linked Regions. The exception is if your insight includes a Region filter.
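
The matching and grouping rules described above, as an added Python example that is not Security Hub code: it evaluates a filter dictionary in the same shape as the `Filters` parameter of the `CreateInsight` API (a list of `{"Comparison", "Value"}` entries per ASFF attribute) against a handful of constructed ASFF-style findings, then counts matches per grouping value the way the insight results list does. The findings, bucket names and access key ID are constructed for the example, and only the `EQUALS` and `PREFIX` comparisons are modelled, which cover the "is" and "starts with" filters used on this page.

```python
from collections import Counter

# Constructed sample findings, trimmed to the ASFF fields the filters below read.
FINDINGS = [
    {   # GuardDuty finding that names both an S3 bucket and an IAM access key
        "Id": "finding-1", "ProductName": "GuardDuty", "RecordState": "ACTIVE",
        "Workflow": {"Status": "NEW"}, "Severity": {"Label": "HIGH"},
        "Types": ["Effects/Data Exposure/Policy"],
        "Resources": [
            {"Type": "AwsS3Bucket", "Id": "arn:aws-cn:s3:::example-bucket-1"},
            {"Type": "AwsIamAccessKey", "Id": "AKIAEXAMPLEKEY000001"},
        ],
    },
    {   # Inspector finding on an EC2 instance: right product, wrong resource type
        "Id": "finding-2", "ProductName": "Inspector", "RecordState": "ACTIVE",
        "Workflow": {"Status": "NOTIFIED"}, "Severity": {"Label": "CRITICAL"},
        "Types": ["Software and Configuration Checks/Vulnerabilities/CVE"],
        "Resources": [{"Type": "AwsEc2Instance", "Id": "i-0example00000000002"}],
    },
    {   # Macie finding on an S3 bucket: right resource type, wrong product
        "Id": "finding-3", "ProductName": "Macie", "RecordState": "ACTIVE",
        "Workflow": {"Status": "NEW"}, "Severity": {"Label": "MEDIUM"},
        "Types": ["Sensitive Data Identifications/PII"],
        "Resources": [{"Type": "AwsS3Bucket", "Id": "arn:aws-cn:s3:::example-bucket-3"}],
    },
    {   # Archived GuardDuty bucket finding: excluded by the RecordState filter
        "Id": "finding-4", "ProductName": "GuardDuty", "RecordState": "ARCHIVED",
        "Workflow": {"Status": "RESOLVED"}, "Severity": {"Label": "HIGH"},
        "Types": ["Effects/Data Exposure/Policy"],
        "Resources": [{"Type": "AwsS3Bucket", "Id": "arn:aws-cn:s3:::example-bucket-1"}],
    },
]

# Where each filter attribute lives in a finding; multi-valued ones return every value.
ATTRIBUTES = {
    "ProductName": lambda f: [f["ProductName"]],
    "RecordState": lambda f: [f["RecordState"]],
    "WorkflowStatus": lambda f: [f["Workflow"]["Status"]],
    "SeverityLabel": lambda f: [f["Severity"]["Label"]],
    "Type": lambda f: list(f["Types"]),
    "ResourceType": lambda f: [r["Type"] for r in f["Resources"]],
    "ResourceId": lambda f: [r["Id"] for r in f["Resources"]],
}

# Filters in the CreateInsight ``Filters`` shape. The two ProductName values are
# ORed (GuardDuty or Inspector); the four attributes are ANDed.
S3_FILTERS = {
    "ProductName": [{"Comparison": "EQUALS", "Value": "GuardDuty"},
                    {"Comparison": "EQUALS", "Value": "Inspector"}],
    "ResourceType": [{"Comparison": "EQUALS", "Value": "AwsS3Bucket"}],
    "RecordState": [{"Comparison": "EQUALS", "Value": "ACTIVE"}],
    "WorkflowStatus": [{"Comparison": "EQUALS", "Value": "NEW"},
                       {"Comparison": "EQUALS", "Value": "NOTIFIED"}],
}


def _value_matches(value, string_filter):
    """One StringFilter against one value; the insights on this page use "is" and "starts with"."""
    comparison, wanted = string_filter["Comparison"], string_filter["Value"]
    if comparison == "EQUALS":
        return value == wanted
    if comparison == "PREFIX":
        return value.startswith(wanted)
    raise ValueError(f"comparison {comparison!r} is not modelled here")


def finding_matches(finding, filters):
    """AND across attributes, OR across the values listed for a single attribute."""
    for attribute, string_filters in filters.items():
        values = ATTRIBUTES[attribute](finding)
        if not any(_value_matches(v, sf) for v in values for sf in string_filters):
            return False
    return True


def insight_results(findings, filters, group_by):
    """Count matching findings per grouping value, like the insight results list.

    Grouping by ResourceId lists every resource in a matching finding, not only
    the resources that satisfied a ResourceType filter: the access key in
    finding-1 shows up even though the filter asked for S3 buckets."""
    counts = Counter()
    for finding in findings:
        if finding_matches(finding, filters):
            counts.update(set(ATTRIBUTES[group_by](finding)))
    return counts


if __name__ == "__main__":
    for value, count in insight_results(FINDINGS, S3_FILTERS, "ResourceId").most_common():
        print(f"{count:>3}  {value}")
```

Running it lists one S3 bucket and one IAM access key, both from finding-1: the Inspector finding fails the resource type filter, the Macie finding fails the product filter, and the archived finding fails the record state filter. Dropping the `ResourceType` entry from `S3_FILTERS` lets the Inspector finding through, which is the OR-within-one-attribute behaviour described above.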

# Creating a custom insight


In Amazon Security Hub CSPM, custom insights can be used to collect a specific set of findings and track issues that are unique to your environment. For background information about custom insights, see [Understanding custom insights in Security Hub CSPM](securityhub-custom-insights.md).

Choose your preferred method, and follow the steps to create a custom insight in Security Hub CSPM.

------
#### [ Security Hub CSPM console ]

**To create a custom insight (console)**

1. Open the Amazon Security Hub CSPM console at [https://console.amazonaws.cn/securityhub/](https://console.amazonaws.cn/securityhub/).

1. In the navigation pane, choose **Insights**.

1. Choose **Create insight**.

1. To select the grouping attribute for the insight:

   1. Choose the search box to display the filter options.

   1. Choose **Group by**.

   1. Select the attribute to use to group the findings that are associated with this insight.

   1. Choose **Apply**.

1. Optionally, choose any additional filters to use for this insight. For each filter, define the filter criteria, and then choose **Apply**.

1. Choose **Create insight**.

1. Enter an **Insight name**, and then choose **Create insight**.

------
#### [ Security Hub CSPM API ]

**To create a custom insight (API)**

1. To create a custom insight, use the [https://docs.amazonaws.cn//securityhub/1.0/APIReference/API_CreateInsight.html](https://docs.amazonaws.cn//securityhub/1.0/APIReference/API_CreateInsight.html) operation of the Security Hub CSPM API. If you use the Amazon CLI, run the [https://docs.amazonaws.cn/cli/latest/reference/securityhub/create-insight.html](https://docs.amazonaws.cn/cli/latest/reference/securityhub/create-insight.html) command.

1. Populate the `Name` parameter with a name for your custom insight.

1. Populate the `Filters` parameter to specify which findings to include in the insight.

1. Populate the `GroupByAttribute` parameter to specify which attribute is used to group the findings that are included in the insight.

1. Optionally, populate the `SortCriteria` parameter to sort the findings by a specific field.

The following example creates a custom insight that includes critical findings with the `AwsIamRole` resource type. This example is formatted for Linux, macOS, or Unix, and it uses the backslash (`\`) line-continuation character to improve readability.

```
$ aws securityhub create-insight \
    --name "Critical role findings" \
    --filters '{"ResourceType": [{"Comparison": "EQUALS", "Value": "AwsIamRole"}], "SeverityLabel": [{"Comparison": "EQUALS", "Value": "CRITICAL"}]}' \
    --group-by-attribute "ResourceId"
```

------
#### [ PowerShell ]

**To create a custom insight (PowerShell)**

1. Use the `New-SHUBInsight` cmdlet.

1. Populate the `Name` parameter with a name for your custom insight.

1. Populate the `Filter` parameter to specify which findings to include in the insight.

1. Populate the `GroupByAttribute` parameter to specify which attribute is used to group the findings that are included in the insight.

If you've enabled [cross-region aggregation](finding-aggregation.md) and use this cmdlet from the aggregation Region, the insight applies to matching findings from the aggregation and linked Regions.

**Example**

```
# The two attributes are ANDed: findings from the given account
# that have a FAILED compliance status.
$Filter = @{
    # Replace 123456789012 with the account ID to track.
    AwsAccountId = [Amazon.SecurityHub.Model.StringFilter]@{
        Comparison = "EQUALS"
        Value = "123456789012"
    }
    ComplianceStatus = [Amazon.SecurityHub.Model.StringFilter]@{
        Comparison = "EQUALS"
        Value = "FAILED"
    }
}
# Group by resource ID so the insight ranks the resources with the most
# failed checks in that account.
New-SHUBInsight -Filter $Filter -Name TestInsight -GroupByAttribute ResourceId
```

------

## Creating a custom insight from a managed insight (console only)


You can't save changes to or delete a managed insight. However, you can use a managed insight as the basis for a custom insight. This is an option on the Security Hub CSPM console only.

**To create a custom insight from a managed insight (console)**

1. Open the Amazon Security Hub CSPM console at [https://console.amazonaws.cn/securityhub/](https://console.amazonaws.cn/securityhub/).

1. In the navigation pane, choose **Insights**.

1. Choose the managed insight to work from.

1. Edit the insight configuration as needed.
   + To change the attribute used to group findings in the insight:

     1. To remove the existing grouping, choose the **X** next to the **Group by** setting.

     1. Choose the search box.

     1. Select the attribute to use for grouping.

     1. Choose **Apply**.
   + To remove a filter from the insight, choose the circled **X** next to the filter.
   + To add a filter to the insight:

     1. Choose the search box.

     1. Select the attribute and value to use as a filter.

     1. Choose **Apply**.

1. When your updates are complete, choose **Create insight**.

1. When prompted, enter an **Insight name**, and then choose **Create insight**.

# Editing a custom insight


You can edit an existing custom insight to change the grouping value and filters. After you make the changes, you can save the updates to the original insight, or save the updated version as a new insight.

In Amazon Security Hub CSPM, custom insights can be used to collect a specific set of findings and track issues that are unique to your environment. For background information about custom insights, see [Understanding custom insights in Security Hub CSPM](securityhub-custom-insights.md).

To edit a custom insight, choose your preferred method, and follow the instructions.

------
#### [ Security Hub CSPM console ]

**To edit a custom insight (console)**

1. Open the Amazon Security Hub CSPM console at [https://console.amazonaws.cn/securityhub/](https://console.amazonaws.cn/securityhub/).

1. In the navigation pane, choose **Insights**.

1. Choose the custom insight to modify.

1. Edit the insight configuration as needed.
   + To change the attribute used to group findings in the insight:

     1. To remove the existing grouping, choose the **X** next to the **Group by** setting.

     1. Choose the search box.

     1. Select the attribute to use for grouping.

     1. Choose **Apply**.
   + To remove a filter from the insight, choose the circled **X** next to the filter.
   + To add a filter to the insight:

     1. Choose the search box.

     1. Select the attribute and value to use as a filter.

     1. Choose **Apply**.

1. When you complete the updates, choose **Save insight**.

1. When prompted, do one of the following:
   + To update the existing insight to reflect your changes, choose **Update *<Insight\_Name>*** and then choose **Save insight**.
   + To create a new insight with the updates, choose **Save new insight**. Enter an **Insight name**, and then choose **Save insight**.

------
#### [ Security Hub CSPM API ]

**To edit a custom insight (API)**

1. Use the [https://docs.amazonaws.cn//securityhub/1.0/APIReference/API_UpdateInsight.html](https://docs.amazonaws.cn//securityhub/1.0/APIReference/API_UpdateInsight.html) operation of the Security Hub CSPM API. If you use the Amazon CLI, run the [https://docs.amazonaws.cn/cli/latest/reference/securityhub/update-insight.html](https://docs.amazonaws.cn/cli/latest/reference/securityhub/update-insight.html) command.

1. To identify the custom insight that you want to update, provide the insight's Amazon Resource Name (ARN). To get the ARN of a custom insight, use the [https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_GetInsights.html](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_GetInsights.html) operation or the [https://docs.amazonaws.cn/cli/latest/reference/securityhub/get-insights.html](https://docs.amazonaws.cn/cli/latest/reference/securityhub/get-insights.html) command.

1. Update the `Name`, `Filters`, and `GroupByAttribute` parameters as needed.

The following example updates the specified insight. This example is formatted for Linux, macOS, or Unix, and it uses the backslash (`\`) line-continuation character to improve readability.

```
$ aws securityhub update-insight \
    --insight-arn "arn:aws-cn:securityhub:cn-north-1:123456789012:insight/123456789012/custom/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111" \
    --filters '{"ResourceType": [{"Comparison": "EQUALS", "Value": "AwsIamRole"}], "SeverityLabel": [{"Comparison": "EQUALS", "Value": "HIGH"}]}' \
    --name "High severity role findings"
```

------
#### [ PowerShell ]

**To edit a custom insight (PowerShell)**

1. Use the `Update-SHUBInsight` cmdlet.

1. To identify the custom insight, provide the insight's Amazon Resource Name (ARN). To get the ARN of a custom insight, use the `Get-SHUBInsight` cmdlet.

1. Update the `Name`, `Filter`, and `GroupByAttribute` parameters as needed.

**Example**

```
# Narrow the insight to HIGH severity findings on IAM roles; the two
# attributes are ANDed.
$Filter = @{
    ResourceType = [Amazon.SecurityHub.Model.StringFilter]@{
        Comparison = "EQUALS"
        Value = "AwsIamRole"
    }
    SeverityLabel = [Amazon.SecurityHub.Model.StringFilter]@{
        Comparison = "EQUALS"
        Value = "HIGH"
    }
}

# Replace the ARN with the one that Get-SHUBInsight returns for your insight.
Update-SHUBInsight -InsightArn "arn:aws-cn:securityhub:cn-north-1:123456789012:insight/123456789012/custom/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111" -Filter $Filter -Name "High severity role findings"
```

------

# Deleting a custom insight


In Amazon Security Hub CSPM, custom insights can be used to collect a specific set of findings and track issues that are unique to your environment. For background information about custom insights, see [Understanding custom insights in Security Hub CSPM](securityhub-custom-insights.md).

To delete a custom insight, choose your preferred method, and follow the instructions. You can't delete a managed insight.

------
#### [ Security Hub CSPM console ]

**To delete a custom insight (console)**

1. Open the Amazon Security Hub CSPM console at [https://console.amazonaws.cn/securityhub/](https://console.amazonaws.cn/securityhub/).

1. In the navigation pane, choose **Insights**.

1. Locate the custom insight to delete.

1. For that insight, choose the more options icon (the three dots in the top-right corner of the card).

1. Choose **Delete**.

------
#### [ Security Hub CSPM API ]

**To delete a custom insight (API)**

1. Use the [https://docs.amazonaws.cn//securityhub/1.0/APIReference/API_DeleteInsight.html](https://docs.amazonaws.cn//securityhub/1.0/APIReference/API_DeleteInsight.html) operation of the Security Hub CSPM API. If you use the Amazon CLI, run the [https://docs.amazonaws.cn/cli/latest/reference/securityhub/delete-insight.html](https://docs.amazonaws.cn/cli/latest/reference/securityhub/delete-insight.html) command.

1. To identify the custom insight to delete, provide the insight's ARN. To get the ARN of a custom insight, use the [https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_GetInsights.html](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_GetInsights.html) operation or [https://docs.amazonaws.cn/cli/latest/reference/securityhub/get-insights.html](https://docs.amazonaws.cn/cli/latest/reference/securityhub/get-insights.html) command.

The following example deletes the specified insight. This example is formatted for Linux, macOS, or Unix, and it uses the backslash (`\`) line-continuation character to improve readability.

```
$ aws securityhub delete-insight \
    --insight-arn "arn:aws-cn:securityhub:cn-north-1:123456789012:insight/123456789012/custom/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
```

------
#### [ PowerShell ]

**To delete a custom insight (PowerShell)**

1. Use the `Remove-SHUBInsight` cmdlet.

1. To identify the custom insight, provide the insight's ARN. To get the ARN of a custom insight, use the `Get-SHUBInsight` cmdlet.

**Example**

```
Remove-SHUBInsight -InsightArn "arn:aws-cn:securityhub:cn-north-1:123456789012:insight/123456789012/custom/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
```

------

# Automatically modifying and acting on findings in Security Hub CSPM
Automations

Amazon Security Hub CSPM has features that automatically modify and take action on findings based on your specifications.

Security Hub CSPM currently supports two types of automations:
+ **Automation rules** – Automatically update and suppress findings in near real time based on criteria that you define.
+ **Automated response and remediation** – Create custom Amazon EventBridge rules that define automatic actions to take against specific findings and insights.

Automation rules are helpful when you want to automatically update finding fields in the Amazon Security Finding Format (ASFF). For example, you can use an automation rule to update the severity level or workflow status of findings from a specific third-party integration. Using the automation rule eliminates the need to manually update the severity level or workflow status of each finding from this third-party product.

EventBridge rules are helpful when you want to take actions outside of Security Hub CSPM with regards to specific findings or send specific findings to third-party tools for remediation or additional investigation. The rules can be used to trigger supported actions, such as invoking an Amazon Lambda function or notifying an Amazon Simple Notification Service (Amazon SNS) topic about a specific finding.

Automation rules take effect before EventBridge rules are applied. That is, automation rules are triggered and update a finding before EventBridge receives the finding. EventBridge rules then apply to the updated finding.

When setting up automations for security controls, we recommend filtering based on control ID rather than title or description. Security Hub CSPM occasionally updates control titles and descriptions, but control IDs stay the same.

**Topics**
+ [Understanding automation rules in Security Hub CSPM](automation-rules.md)
+ [Using EventBridge for automated response and remediation](securityhub-cloudwatch-events.md)

# Understanding automation rules in Security Hub CSPM
Automation rules

You can use automation rules to automatically update findings in Amazon Security Hub CSPM. As it ingests findings, Security Hub CSPM can apply a variety of rule actions, such as suppressing findings, changing their severity, and adding notes. Such rule actions modify findings that match your specified criteria.

Examples of use cases for automation rules include the following:
+ Elevating a finding’s severity to `CRITICAL` if the finding's resource ID refers to a business-critical resource.
+ Elevating a finding’s severity from `HIGH` to `CRITICAL` if the finding affects resources in specific production accounts.
+ Assigning specific findings that have a severity of `INFORMATIONAL` a `SUPPRESSED` workflow status.

You can create and manage automation rules from a Security Hub CSPM administrator account only.

Rules apply to both new findings and updated findings. You can create a custom rule from scratch, or use a rule template provided by Security Hub CSPM. You can also start with a template and modify it as needed.

## Defining rule criteria and rule actions


From a Security Hub CSPM administrator account, you can create an automation rule by defining one or more rule *criteria* and one or more rule *actions*. When a finding matches the defined criteria, Security Hub CSPM applies the rule actions to it. For more information about available criteria and actions, see [Available rule criteria and rule actions](#automation-rules-criteria-actions).

Security Hub CSPM currently supports a maximum of 100 automation rules for each administrator account.

The Security Hub CSPM administrator account can also edit, view, and delete automation rules. A rule applies to matching findings in the administrator account and all of its member accounts. By providing member account IDs as rule criteria, Security Hub CSPM administrators can also use automation rules to update or suppress findings in specific member accounts.

An automation rule applies only in the Amazon Web Services Region in which it's created. To apply a rule in multiple Regions, the administrator must create the rule in each Region. This can be done through the Security Hub CSPM console, Security Hub CSPM API, or [Amazon CloudFormation](creating-resources-with-cloudformation.md). You can also use a [multi-Region deployment script](https://github.com/awslabs/aws-securityhub-multiaccount-scripts/blob/master/automation_rules).

## Available rule criteria and rule actions


The following Amazon Security Finding Format (ASFF) fields are currently supported as criteria for automation rules:


| Rule criterion | Filter operators | Field type | 
| --- | --- | --- | 
| AwsAccountId  | CONTAINS, EQUALS, PREFIX, NOT\_CONTAINS, NOT\_EQUALS, PREFIX\_NOT\_EQUALS  | String  | 
| AwsAccountName  | CONTAINS, EQUALS, PREFIX, NOT\_CONTAINS, NOT\_EQUALS, PREFIX\_NOT\_EQUALS  | String  | 
| CompanyName  | CONTAINS, EQUALS, PREFIX, NOT\_CONTAINS, NOT\_EQUALS, PREFIX\_NOT\_EQUALS  | String  | 
| ComplianceAssociatedStandardsId  | CONTAINS, EQUALS, PREFIX, NOT\_CONTAINS, NOT\_EQUALS, PREFIX\_NOT\_EQUALS  | String  | 
| ComplianceSecurityControlId  | CONTAINS, EQUALS, PREFIX, NOT\_CONTAINS, NOT\_EQUALS, PREFIX\_NOT\_EQUALS  | String  | 
| ComplianceStatus  | Is, Is Not  | Select: [FAILED, NOT\_AVAILABLE, PASSED, WARNING]  | 
| Confidence  | Eq (equal-to), Gte (greater-than-equal), Lte (less-than-equal)  | Number  | 
| CreatedAt  | Start, End, DateRange  | Date (formatted as 2022-12-01T21:47:39.269Z)  | 
| Criticality  | Eq (equal-to), Gte (greater-than-equal), Lte (less-than-equal)  | Number  | 
| Description  | CONTAINS, EQUALS, PREFIX, NOT\_CONTAINS, NOT\_EQUALS, PREFIX\_NOT\_EQUALS  | String  | 
| FirstObservedAt  | Start, End, DateRange  | Date (formatted as 2022-12-01T21:47:39.269Z)  | 
| GeneratorId  | CONTAINS, EQUALS, PREFIX, NOT\_CONTAINS, NOT\_EQUALS, PREFIX\_NOT\_EQUALS  | String  | 
| Id  | CONTAINS, EQUALS, PREFIX, NOT\_CONTAINS, NOT\_EQUALS, PREFIX\_NOT\_EQUALS  | String  | 
| LastObservedAt  | Start, End, DateRange  | Date (formatted as 2022-12-01T21:47:39.269Z)  | 
| NoteText  | CONTAINS, EQUALS, PREFIX, NOT\_CONTAINS, NOT\_EQUALS, PREFIX\_NOT\_EQUALS  | String  | 
| NoteUpdatedAt  | Start, End, DateRange  | Date (formatted as 2022-12-01T21:47:39.269Z)  | 
| NoteUpdatedBy  | CONTAINS, EQUALS, PREFIX, NOT\_CONTAINS, NOT\_EQUALS, PREFIX\_NOT\_EQUALS  | String  | 
| ProductArn  | CONTAINS, EQUALS, PREFIX, NOT\_CONTAINS, NOT\_EQUALS, PREFIX\_NOT\_EQUALS  | String  | 
| ProductName  | CONTAINS, EQUALS, PREFIX, NOT\_CONTAINS, NOT\_EQUALS, PREFIX\_NOT\_EQUALS  | String  | 
| RecordState  | CONTAINS, EQUALS, PREFIX, NOT\_CONTAINS, NOT\_EQUALS, PREFIX\_NOT\_EQUALS  | String  | 
| RelatedFindingsId  | CONTAINS, EQUALS, PREFIX, NOT\_CONTAINS, NOT\_EQUALS, PREFIX\_NOT\_EQUALS  | String  | 
| RelatedFindingsProductArn  | CONTAINS, EQUALS, PREFIX, NOT\_CONTAINS, NOT\_EQUALS, PREFIX\_NOT\_EQUALS  | String  | 
| ResourceApplicationArn  | CONTAINS, EQUALS, PREFIX, NOT\_CONTAINS, NOT\_EQUALS, PREFIX\_NOT\_EQUALS  | String  | 
| ResourceApplicationName  | CONTAINS, EQUALS, PREFIX, NOT\_CONTAINS, NOT\_EQUALS, PREFIX\_NOT\_EQUALS  | String  | 
| ResourceDetailsOther  | CONTAINS, EQUALS, NOT\_CONTAINS, NOT\_EQUALS  | Map  | 
| ResourceId  | CONTAINS, EQUALS, PREFIX, NOT\_CONTAINS, NOT\_EQUALS, PREFIX\_NOT\_EQUALS  | String  | 
| ResourcePartition  | CONTAINS, EQUALS, PREFIX, NOT\_CONTAINS, NOT\_EQUALS, PREFIX\_NOT\_EQUALS  | String  | 
| ResourceRegion  | CONTAINS, EQUALS, PREFIX, NOT\_CONTAINS, NOT\_EQUALS, PREFIX\_NOT\_EQUALS  | String  | 
| ResourceTags  | CONTAINS, EQUALS, NOT\_CONTAINS, NOT\_EQUALS  | Map  | 
| ResourceType  | Is, Is Not  | Select (see [Resources](https://docs.amazonaws.cn/securityhub/latest/userguide/asff-resources.html) supported by ASFF)  | 
| SeverityLabel  | Is, Is Not  | Select: [CRITICAL, HIGH, MEDIUM, LOW, INFORMATIONAL]  | 
| SourceUrl  | CONTAINS, EQUALS, PREFIX, NOT\_CONTAINS, NOT\_EQUALS, PREFIX\_NOT\_EQUALS  | String  | 
| Title  | CONTAINS, EQUALS, PREFIX, NOT\_CONTAINS, NOT\_EQUALS, PREFIX\_NOT\_EQUALS  | String  | 
| Type  | CONTAINS, EQUALS, PREFIX, NOT\_CONTAINS, NOT\_EQUALS, PREFIX\_NOT\_EQUALS  | String  | 
| UpdatedAt  | Start, End, DateRange  | Date (formatted as 2022-12-01T21:47:39.269Z)  | 
| UserDefinedFields  | CONTAINS, EQUALS, NOT\_CONTAINS, NOT\_EQUALS  | Map  | 
| VerificationState  | CONTAINS, EQUALS, PREFIX, NOT\_CONTAINS, NOT\_EQUALS, PREFIX\_NOT\_EQUALS  | String  | 
| WorkflowStatus  | Is, Is Not  | Select: [NEW, NOTIFIED, RESOLVED, SUPPRESSED]  | 

For criteria that are labeled as string fields, using different filter operators on the same field affects the evaluation logic. For more information, see [https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_StringFilter.html](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_StringFilter.html) in the *Amazon Security Hub CSPM API Reference*.

Each criterion supports a maximum number of values that can be used to filter matching findings. For the limits on each criterion, see [https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_AutomationRulesFindingFilters.html](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_AutomationRulesFindingFilters.html) in the *Amazon Security Hub CSPM API Reference*.

The following ASFF fields are currently supported as actions for automation rules:
+ `Confidence`
+ `Criticality`
+ `Note`
+ `RelatedFindings`
+ `Severity`
+ `Types`
+ `UserDefinedFields`
+ `VerificationState`
+ `Workflow`

For more information about specific ASFF fields, see [Amazon Security Finding Format (ASFF) syntax](https://docs.amazonaws.cn/securityhub/latest/userguide/securityhub-findings-format.html).

**Tip**  
 If you want Security Hub CSPM to stop generating findings for a specific control, we recommend disabling the control instead of using an automation rule. When you disable a control, Security Hub CSPM stops running security checks on it and stops generating findings for it, so you won't incur charges for that control. We recommend using automation rules to change the values of specific ASFF fields for findings that match defined criteria. For more information about disabling controls, see [Disabling controls in Security Hub CSPM](disable-controls-overview.md).

## Findings that automation rules evaluate


An automation rule evaluates new and updated findings that Security Hub CSPM generates or ingests through the [https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_BatchImportFindings.html](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_BatchImportFindings.html) operation *after* you create the rule. Security Hub CSPM updates control findings every 12-24 hours or when the associated resource changes state. For more information, see [Schedule for running security checks](securityhub-standards-schedule.md).

Automation rules evaluate original, provider-supplied findings. Providers can supply new findings and update existing findings by using the `BatchImportFindings` operation of the Security Hub CSPM API. If the following fields don't exist in the original finding, Security Hub CSPM automatically populates the fields and then uses the populated values in the evaluation by the automation rule:
+ `AwsAccountName`
+ `CompanyName`
+ `ProductName`
+ `Resource.Tags`
+ `Workflow.Status`

After you create one or more automation rules, the rules aren't triggered if you update finding fields by using the [https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_BatchUpdateFindings.html](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_BatchUpdateFindings.html) operation. If an automation rule and a `BatchUpdateFindings` update both affect the same finding field, the last update sets the value for that field. Take the following example:

1. You use the `BatchUpdateFindings` operation to change the value for the `Workflow.Status` field of a finding from `NEW` to `NOTIFIED`.

1. If you call `GetFindings`, the `Workflow.Status` field now has a value of `NOTIFIED`.

1. You create an automation rule that changes the `Workflow.Status` field of the finding from `NEW` to `SUPPRESSED`. (Recall that rules ignore updates made using the `BatchUpdateFindings` operation.)

1. The finding provider uses the `BatchImportFindings` operation to update the finding and changes the value for the `Workflow.Status` field of the finding to `NEW`.

1. If you call `GetFindings`, the `Workflow.Status` field now has a value of `SUPPRESSED`. This is the case because the automation rule was applied, and the rule was the last action taken on the finding.

When you create or edit a rule on the Security Hub CSPM console, the console displays a preview of findings that match the rule criteria. Whereas automation rules evaluate original findings sent by the finding provider, the console preview reflects findings in their final state as they would be shown in a response to the [https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_GetFindings.html](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_GetFindings.html) operation (that is, after rule actions or other updates are applied to the finding).

## How rule order works


When creating automation rules, you assign each rule an order. This determines the order in which Security Hub CSPM applies your automation rules, and becomes important when multiple rules relate to the same finding or finding field.

When multiple rule actions relate to the same finding or finding field, the rule with the highest numerical value for rule order applies last and has the ultimate effect.

When you create a rule in the Security Hub CSPM console, Security Hub CSPM automatically assigns rule order based on the order of rule creation. The most recently created rule has the lowest numerical value for rule order and therefore applies first. Security Hub CSPM applies subsequent rules in ascending order.

When you create a rule through the Security Hub CSPM API or Amazon CLI, Security Hub CSPM applies the rule with the lowest numerical value for `RuleOrder` first. It then applies subsequent rules in ascending order. If multiple rules have the same `RuleOrder`, Security Hub CSPM applies a rule with an earlier value for the `UpdatedAt` field first (that is, the rule which was most recently edited applies last).

You can modify rule order at any time.

**Example of rule order**:

**Rule A (rule order is `1`)**:
+ Rule A criteria
  + `ProductName` = `Security Hub CSPM`
  + `Resources.Type` is `S3 Bucket`
  + `Compliance.Status` = `FAILED`
  + `RecordState` is `ACTIVE`
  + `Workflow.Status` = `NEW`
+ Rule A actions
  + Update `Confidence` to `95`
  + Update `Severity` to `CRITICAL`

**Rule B (rule order is `2`)**:
+ Rule B criteria
  + `AwsAccountId` = `123456789012`
+ Rule B actions
  + Update `Severity` to `INFORMATIONAL`

Rule A actions apply first to Security Hub CSPM findings that match Rule A criteria. Next, Rule B actions apply to Security Hub CSPM findings with the specified account ID. In this example, since Rule B applies last, the end value of `Severity` in findings from the specified account ID is `INFORMATIONAL`. Based on the Rule A action, the end value of `Confidence` in matched findings is `95`.
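The rule-order walk-through above, simulated as an added example (not Amazon's code): it applies Rule A and Rule B to a constructed finding and also models terminal rules, disabled rules and the `UpdatedAt` tie-break. `AwsS3Bucket` stands in for the example's `S3 Bucket`, and the way several string filters on one field combine (positive comparisons OR'd, negative ones AND'd) is assumed from the StringFilter API reference rather than stated on this page.

```python
"""Simulate how Security Hub CSPM applies automation rules to one finding.
Added example, not Amazon's code. Enabled rules run in ascending RuleOrder
(ties broken by earlier UpdatedAt), each matching rule's FINDING_FIELDS_UPDATE
overwrites fields, an IsTerminal rule stops evaluation, and criteria are
checked against the original provider-supplied finding, as the page says."""
import copy

# Criteria names from the page's table -> path inside the ASFF finding.
CRITERIA_PATHS = {
    "ProductName": ("ProductName",),
    "AwsAccountId": ("AwsAccountId",),
    "SeverityLabel": ("Severity", "Label"),
    "ComplianceStatus": ("Compliance", "Status"),
    "RecordState": ("RecordState",),
    "WorkflowStatus": ("Workflow", "Status"),
    "ResourceId": ("Resources", 0, "Id"),
    "ResourceType": ("Resources", 0, "Type"),
}
# Assumption taken from the StringFilter API reference, not from this page:
# positive filters on one field are OR'd, negative filters are AND'd.
POSITIVE = {
    "EQUALS": lambda a, v: a == v,
    "PREFIX": lambda a, v: a.startswith(v),
    "CONTAINS": lambda a, v: v in a,
}
NEGATIVE = {
    "NOT_EQUALS": lambda a, v: a != v,
    "PREFIX_NOT_EQUALS": lambda a, v: not a.startswith(v),
    "NOT_CONTAINS": lambda a, v: v not in a,
}

def _lookup(finding, path):
    try:
        for key in path:
            finding = finding[key]
        return finding
    except (KeyError, IndexError, TypeError):
        return None  # missing field never matches (simplification)

def _string_filter(actual, filters):
    pos = [f for f in filters if f["Comparison"] in POSITIVE]
    neg = [f for f in filters if f["Comparison"] in NEGATIVE]
    if actual is None or len(pos) + len(neg) != len(filters):
        return False  # unsupported comparison names are treated as no match
    if pos and not any(POSITIVE[f["Comparison"]](actual, f["Value"]) for f in pos):
        return False
    return all(NEGATIVE[f["Comparison"]](actual, f["Value"]) for f in neg)

def rule_matches(rule, finding):
    """Every criterion field in the rule must match (fields are AND'd)."""
    return all(_string_filter(_lookup(finding, CRITERIA_PATHS[key]), filters)
               for key, filters in rule["Criteria"].items())

def _merge(target, update):
    """Overwrite finding fields from FindingFieldsUpdate, descending into dicts."""
    for k, v in update.items():
        if isinstance(v, dict) and isinstance(target.get(k), dict):
            _merge(target[k], v)
        else:
            target[k] = v

def apply_rules(rules, finding):
    """Return (updated copy of the finding, names of rules applied, in order)."""
    updated, applied = copy.deepcopy(finding), []
    enabled = [r for r in rules if r.get("RuleStatus", "ENABLED") == "ENABLED"]
    for rule in sorted(enabled, key=lambda r: (r["RuleOrder"], r.get("UpdatedAt", ""))):
        if not rule_matches(rule, finding):  # evaluated on the original finding
            continue
        for action in rule["Actions"]:
            if action["Type"] == "FINDING_FIELDS_UPDATE":
                _merge(updated, action["FindingFieldsUpdate"])
        applied.append(rule["RuleName"])
        if rule.get("IsTerminal"):  # "Ignore subsequent rules" for this finding
            break
    return updated, applied

# Rule A and Rule B from the page's rule-order example, as API-style requests.
RULE_A = {
    "RuleName": "Rule A", "RuleOrder": 1, "IsTerminal": False,
    "Criteria": {
        "ProductName": [{"Value": "Security Hub CSPM", "Comparison": "EQUALS"}],
        "ResourceType": [{"Value": "AwsS3Bucket", "Comparison": "EQUALS"}],
        "ComplianceStatus": [{"Value": "FAILED", "Comparison": "EQUALS"}],
        "RecordState": [{"Value": "ACTIVE", "Comparison": "EQUALS"}],
        "WorkflowStatus": [{"Value": "NEW", "Comparison": "EQUALS"}]},
    "Actions": [{"Type": "FINDING_FIELDS_UPDATE", "FindingFieldsUpdate": {
        "Confidence": 95, "Severity": {"Label": "CRITICAL"}}}],
}
RULE_B = {
    "RuleName": "Rule B", "RuleOrder": 2, "IsTerminal": False,
    "Criteria": {"AwsAccountId": [{"Value": "123456789012", "Comparison": "EQUALS"}]},
    "Actions": [{"Type": "FINDING_FIELDS_UPDATE", "FindingFieldsUpdate": {
        "Severity": {"Label": "INFORMATIONAL"}}}],
}
# Constructed, trimmed ASFF finding that matches both rules.
FINDING = {
    "ProductName": "Security Hub CSPM", "AwsAccountId": "123456789012",
    "Resources": [{"Type": "AwsS3Bucket", "Id": "arn:aws-cn:s3:::amzn-s3-demo-bucket"}],
    "Compliance": {"Status": "FAILED"}, "RecordState": "ACTIVE",
    "Workflow": {"Status": "NEW"}, "Severity": {"Label": "HIGH"}, "Confidence": 50,
}
```

`apply_rules([RULE_B, RULE_A], FINDING)` reproduces the page's outcome: `Severity` ends as `INFORMATIONAL` and `Confidence` as `95`; flip `IsTerminal` on Rule A and Rule B never runs for that finding.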

# Creating automation rules


An automation rule can be used to automatically update findings in Amazon Security Hub CSPM. You can create a custom automation rule from scratch or, on the Security Hub CSPM console, use a pre-populated rule template. For background information about how automation rules work, see [Understanding automation rules in Security Hub CSPM](automation-rules.md).

You can only create one automation rule at a time. To create multiple automation rules, follow the console procedures multiple times, or call the API or command multiple times with your desired parameters.

You must create an automation rule in each Region and account in which you want the rule to apply to findings.

When you create an automation rule in the Security Hub CSPM console, Security Hub CSPM shows you a preview of the findings to which your rule applies. The preview is currently not supported if your rule criteria include a CONTAINS or NOT_CONTAINS filter. You can choose these filters for map and string field types.

**Important**  
Amazon recommends that you don't include personally identifying, confidential, or sensitive information in your rule name, description, or other fields.

## Creating a custom automation rule


Choose your preferred method, and complete the following steps to create a custom automation rule.

------
#### [ Console ]

**To create a custom automation rule (console)**

1. Using the credentials of the Security Hub CSPM administrator, open the Amazon Security Hub CSPM console at [https://console.amazonaws.cn/securityhub/](https://console.amazonaws.cn/securityhub/).

1. In the navigation pane, choose **Automations**.

1. Choose **Create rule**. For **Rule Type**, choose **Create custom rule**.

1. In the **Rule** section, provide a unique rule name and a description for your rule.

1. For **Criteria**, use the **Key**, **Operator**, and **Value** drop down menus to specify your rule criteria. You must specify at least one rule criterion.

   If supported for your selected criteria, the console shows you a preview of findings that match your criteria.

1. For **Automated action**, use the drop down menus to specify which finding fields to update when findings match your rule criteria. You must specify at least one rule action.

1. For **Rule status**, choose whether you want the rule to be **Enabled** or **Disabled** after it's created.

1. (Optional) Expand the **Additional settings** section. Select **Ignore subsequent rules for findings that match these criteria** if you want this rule to be the last rule applied to findings that match the rule criteria.

1. (Optional) For **Tags**, add tags as key-value pairs to help you easily identify the rule.

1. Choose **Create rule**.

------
#### [ API ]

**To create a custom automation rule (API)**

1. Run [https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_CreateAutomationRule.html](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_CreateAutomationRule.html) from the Security Hub CSPM administrator account. This API creates a rule with a specific Amazon Resource Name (ARN).

1. Provide a name and description for the rule.

1. Set the `IsTerminal` parameter to `true` if you want this rule to be the last rule applied to findings that match the rule criteria.

1. For the `RuleOrder` parameter, provide the order of the rule. Security Hub CSPM applies rules with a lower numerical value for this parameter first.

1. For the `RuleStatus` parameter, specify if you want Security Hub CSPM to enable and start applying the rule to findings after creation. If no value is specified, the default value is `ENABLED`. A value of `DISABLED` means that the rule is paused after creation.

1. For the `Criteria` parameter, provide the criteria that you want Security Hub CSPM to use to filter your findings. The rule action will apply to findings that match the criteria. For a list of supported criteria, see [Available rule criteria and rule actions](automation-rules.md#automation-rules-criteria-actions).

1. For the `Actions` parameter, provide the actions that you want Security Hub CSPM to take when there's a match between a finding and your defined criteria. For a list of supported actions, see [Available rule criteria and rule actions](automation-rules.md#automation-rules-criteria-actions).

The following example Amazon CLI command creates an automation rule that updates the severity and note of matching findings. This example is formatted for Linux, macOS, or Unix, and it uses the backslash (\) line-continuation character to improve readability.

```
$ aws securityhub create-automation-rule \
--actions '[{
 "Type": "FINDING_FIELDS_UPDATE",
 "FindingFieldsUpdate": {
 "Severity": {
 "Label": "HIGH"
 },
 "Note": {
 "Text": "Known issue that is a risk. Updated by automation rules",
 "UpdatedBy": "sechub-automation"
 }
 }
 }]' \
--criteria '{
 "SeverityLabel": [{
 "Value": "INFORMATIONAL",
 "Comparison": "EQUALS"
 }]
 }' \
--description "A sample rule" \
--no-is-terminal \
--rule-name "sample rule" \
--rule-order 1 \
--rule-status "ENABLED" \
--region us-east-1
```

------

## Creating an automation rule from a template (console only)


Rule templates reflect common use cases for automation rules. Currently, only the Security Hub CSPM console supports rule templates. Complete the following steps to create an automation rule from a template in the console.

**To create an automation rule from a template (console)**

1. Using the credentials of the Security Hub CSPM administrator, open the Amazon Security Hub CSPM console at [https://console.amazonaws.cn/securityhub/](https://console.amazonaws.cn/securityhub/).

1. In the navigation pane, choose **Automations**.

1. Choose **Create rule**. For **Rule Type**, choose **Create a rule from template**.

1. Select a rule template from the drop down menu.

1. (Optional) If necessary for your use case, modify the **Rule**, **Criteria**, and **Automated action** sections. You must specify at least one rule criterion and one rule action.

   If supported for your selected criteria, the console shows you a preview of findings that match your criteria.

1. For **Rule status**, choose whether you want the rule to be **Enabled** or **Disabled** after it's created.

1. (Optional) Expand the **Additional settings** section. Select **Ignore subsequent rules for findings that match these criteria** if you want this rule to be the last rule applied to findings that match the rule criteria.

1. (Optional) For **Tags**, add tags as key-value pairs to help you easily identify the rule.

1. Choose **Create rule**.

# Viewing automation rules


An automation rule can be used to automatically update findings in Amazon Security Hub CSPM. For background information about how automation rules work, see [Understanding automation rules in Security Hub CSPM](automation-rules.md).

Choose your preferred method, and follow the steps to view your existing automation rules and the details of each rule.

To view a history of how automation rules have changed your findings, see [Reviewing finding details and history in Security Hub CSPM](securityhub-findings-viewing.md).

------
#### [ Console ]

**To view automation rules (console)**

1. Using the credentials of the Security Hub CSPM administrator, open the Amazon Security Hub CSPM console at [https://console.amazonaws.cn/securityhub/](https://console.amazonaws.cn/securityhub/).

1. In the navigation pane, choose **Automations**.

1. Choose a rule name. Alternatively, select a rule.

1. Choose **Actions** and **View**.

------
#### [ API ]

**To view automation rules (API)**

1. To view the automation rules for your account, run [https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_ListAutomationRules.html](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_ListAutomationRules.html) from the Security Hub CSPM administrator account. This API returns the rule ARNs and other metadata for your rules. No input parameters are required for this API, but you can optionally provide `MaxResults` to limit the number of results and `NextToken` as a pagination parameter. The initial value of `NextToken` should be `NULL`.

1. For additional rule details, including the criteria and actions for a rule, run [https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_BatchGetAutomationRules.html](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_BatchGetAutomationRules.html) from the Security Hub CSPM administrator account. Provide the ARNs of the automation rules that you want details for.

   The following example retrieves details for the specified automation rules. This example is formatted for Linux, macOS, or Unix, and it uses the backslash (\) line-continuation character to improve readability.

   ```
   $ aws securityhub batch-get-automation-rules \
   --automation-rules-arns '["arn:aws-cn:securityhub:us-east-1:123456789012:automation-rule/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "arn:aws-cn:securityhub:us-east-1:123456789012:automation-rule/a1b2c3d4-5678-90ab-cdef-EXAMPLE22222"]' \
   --region us-east-1
   ```

------

# Editing automation rules


An automation rule can be used to automatically update findings in Amazon Security Hub CSPM. For background information about how automation rules work, see [Understanding automation rules in Security Hub CSPM](automation-rules.md).

After creating an automation rule, the delegated Security Hub CSPM administrator can edit the rule. When you edit an automation rule, the changes apply to new and updated findings that Security Hub CSPM generates or ingests after the rule edit.

Choose your preferred method, and follow the steps to edit the contents of an automation rule. You can edit one or more rules with a single request. For instructions on editing rule order, see [Editing automation rule order](edit-rule-order.md).

------
#### [ Console ]

**To edit automation rules (console)**

1. Using the credentials of the Security Hub CSPM administrator, open the Amazon Security Hub CSPM console at [https://console.amazonaws.cn/securityhub/](https://console.amazonaws.cn/securityhub/).

1. In the navigation pane, choose **Automations**.

1. Select the rule that you want to edit. Choose **Action** and **Edit**.

1. Change the rule as desired, and choose **Save changes**.

------
#### [ API ]

**To edit automation rules (API)**

1. Run [https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_BatchUpdateAutomationRules.html](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_BatchUpdateAutomationRules.html) from the Security Hub CSPM administrator account.

1. For the `RuleArn` parameter, provide the ARN of the rule(s) that you want to edit.

1. Provide the new values for the parameters that you want to edit. You can edit any parameter except `RuleArn`.

The following example updates the specified automation rule. This example is formatted for Linux, macOS, or Unix, and it uses the backslash (\) line-continuation character to improve readability.

```
$ aws securityhub batch-update-automation-rules \
--update-automation-rules-request-items '[
    {
      "Actions": [{
        "Type": "FINDING_FIELDS_UPDATE",
        "FindingFieldsUpdate": {
          "Note": {
            "Text": "Known issue that is a risk",
            "UpdatedBy": "sechub-automation"
          },
          "Workflow": {
            "Status": "NEW"
          }
        }
      }],
      "Criteria": {
        "SeverityLabel": [{
         "Value": "LOW",
         "Comparison": "EQUALS"
        }]
      },
      "RuleArn": "arn:aws-cn:securityhub:us-east-1:123456789012:automation-rule/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
      "RuleOrder": 14,
      "RuleStatus": "DISABLED"
    }
  ]' \
--region us-east-1
```

------

# Editing automation rule order

An automation rule can be used to automatically update findings in Amazon Security Hub CSPM. For background information about how automation rules work, see [Understanding automation rules in Security Hub CSPM](automation-rules.md).

After creating an automation rule, the delegated Security Hub CSPM administrator can edit the rule.

If you want to keep the rule criteria and actions the same, but change the order in which Security Hub CSPM applies an automation rule, you can edit just the rule order. Choose your preferred method, and follow the steps to edit rule order.

For instructions on editing the criteria or actions of an automation rule, see [Editing automation rules](edit-automation-rules.md).

------
#### [ Console ]

**To edit automation rule order (console)**

1. Using the credentials of the Security Hub CSPM administrator, open the Amazon Security Hub CSPM console at [https://console.amazonaws.cn/securityhub/](https://console.amazonaws.cn/securityhub/).

1. In the navigation pane, choose **Automations**.

1. Select the rule whose order you want to change. Choose **Edit priority**.

1. Choose **Move up** to increase the rule's priority by one unit. Choose **Move down** to decrease the rule's priority by one unit. Choose **Move to top** to assign the rule an order of **1** (this gives the rule precedence over other existing rules).

**Note**  
When you create a rule in the Security Hub CSPM console, Security Hub CSPM automatically assigns rule order based on the order of rule creation. The most recently created rule has the lowest numerical value for rule order and therefore applies first.

------
#### [ API ]

**To edit automation rule order (API)**

1. Use the [https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_BatchUpdateAutomationRules.html](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_BatchUpdateAutomationRules.html) operation from the Security Hub CSPM administrator account.

1. For the `RuleArn` parameter, provide the ARN of the rule(s) whose order you want to edit.

1. Modify the value of the `RuleOrder` field.

**Note**  
If multiple rules have the same `RuleOrder`, Security Hub CSPM applies a rule with an earlier value for the `UpdatedAt` field first (that is, the rule which was most recently edited applies last).

------
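An added audit (not Amazon's code) that serves two passages above: the `NextToken` pagination of `ListAutomationRules` described under viewing rules, and the `RuleOrder` tie-break in the note just above. It pages through the rules, orders them as Security Hub CSPM would apply them, flags shared `RuleOrder` values (any later edit of a tied rule silently changes the effective order) and lists terminal rules that shadow a given later rule. The `FakeSecurityHub` client, rule names and dates are constructed; pass `boto3.client('securityhub')` instead to run it against an account.

```python
"""Audit automation rule order via ListAutomationRules.
Added example, not Amazon's code. Pages through ListAutomationRules with
NextToken, orders rules as the page says they apply (ascending RuleOrder,
ties broken by earlier UpdatedAt, disabled rules skipped) and flags ties.
The client is injected, so this runs against boto3.client("securityhub")
or against the constructed fake at the bottom."""
from collections import defaultdict
from datetime import datetime, timezone


def list_all_rules(client):
    """Return every AutomationRulesMetadata entry, following NextToken."""
    rules, kwargs = [], {"MaxResults": 100}
    while True:
        page = client.list_automation_rules(**kwargs)
        rules.extend(page.get("AutomationRulesMetadata", []))
        if not page.get("NextToken"):
            return rules
        kwargs["NextToken"] = page["NextToken"]


def effective_order(rules):
    """Enabled rules sorted the way Security Hub CSPM applies them."""
    enabled = [r for r in rules if r.get("RuleStatus") == "ENABLED"]
    return sorted(enabled, key=lambda r: (r["RuleOrder"], r["UpdatedAt"]))


def find_order_ties(rules):
    """RuleOrder values shared by two or more enabled rules -> names, in apply order."""
    by_order = defaultdict(list)
    for r in effective_order(rules):
        by_order[r["RuleOrder"]].append(r["RuleName"])
    return {order: names for order, names in by_order.items() if len(names) > 1}


def shadowed_by_terminal(rules, rule_name):
    """Names of terminal rules that apply before rule_name: findings they match
    never reach rule_name, which is easy to miss when orders collide."""
    ahead = []
    for r in effective_order(rules):
        if r["RuleName"] == rule_name:
            return ahead
        if r.get("IsTerminal"):
            ahead.append(r["RuleName"])
    return ahead


def _meta(name, order, month_day, status="ENABLED", terminal=False):
    """Constructed AutomationRulesMetadata entry (other metadata fields omitted)."""
    return {"RuleName": name, "RuleOrder": order, "RuleStatus": status,
            "IsTerminal": terminal,
            "UpdatedAt": datetime(2024, *month_day, tzinfo=timezone.utc)}


class FakeSecurityHub:
    """Constructed stand-in for the boto3 securityhub client: two result pages."""
    PAGES = {
        None: {"AutomationRulesMetadata": [
            _meta("Suppress informational findings", 1, (1, 5)),
            _meta("Elevate severity for production accounts", 1, (2, 5)),
        ], "NextToken": "page-2"},
        "page-2": {"AutomationRulesMetadata": [
            _meta("Elevate severity of findings that relate to important resources",
                  1, (3, 5), terminal=True),
            _meta("sample rule", 14, (3, 6), status="DISABLED"),
            _meta("Archive resolved findings", 2, (1, 1)),
        ]},
    }

    def list_automation_rules(self, **kwargs):
        return self.PAGES[kwargs.get("NextToken")]
```

With the fake data, all three enabled rules at order `1` are reported as a tie, and the terminal "important resources" rule is reported as shadowing the order-`2` rule.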

# Deleting or disabling automation rules


An automation rule can be used to automatically update findings in Amazon Security Hub CSPM. For background information about how automation rules work, see [Understanding automation rules in Security Hub CSPM](automation-rules.md).

When you delete an automation rule, Security Hub CSPM removes it from your account and no longer applies the rule to findings. As an alternative to deletion, you can *disable* a rule. This retains the rule for future use, but Security Hub CSPM won't apply the rule to any matching findings until you enable it.

Choose your preferred method, and follow the steps to delete an automation rule. You can delete one or more rules in a single request.

------
#### [ Console ]

**To delete or disable automation rules (console)**

1. Using the credentials of the Security Hub CSPM administrator, open the Amazon Security Hub CSPM console at [https://console.amazonaws.cn/securityhub/](https://console.amazonaws.cn/securityhub/).

1. In the navigation pane, choose **Automations**.

1. Select the rule(s) that you want to delete. Choose **Action** and **Delete** (to retain a rule, but disable it temporarily, choose **Disable**).

1. Confirm your choice, and choose **Delete**.

------
#### [ API ]

**To delete or disable automation rules (API)**

1. Use the [https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_BatchDeleteAutomationRules.html](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_BatchDeleteAutomationRules.html) operation from the Security Hub CSPM administrator account.

1. For the `AutomationRulesArns` parameter, provide the ARN of the rule(s) that you want to delete. To retain a rule but disable it temporarily, use the `BatchUpdateAutomationRules` operation instead and provide `DISABLED` for the `RuleStatus` parameter.

The following example deletes the specified automation rule. This example is formatted for Linux, macOS, or Unix, and it uses the backslash (\) line-continuation character to improve readability.

```
$ aws securityhub batch-delete-automation-rules \
--automation-rules-arns '["arn:aws-cn:securityhub:us-east-1:123456789012:automation-rule/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"]' \
--region us-east-1
```

------

# Examples of automation rules

This section provides examples of automation rules for common Security Hub CSPM use cases. These examples correspond to rule templates that are available on the Security Hub CSPM console.

## Elevate severity to Critical when specific resource such as an S3 bucket is at risk


In this example, the rule criteria are matched when the `ResourceId` in a finding is a specific Amazon Simple Storage Service (Amazon S3) bucket. The rule action is to change the severity of matched findings to `CRITICAL`. You can modify this template to apply to other resources.

**Example API request**:

```
{
    "IsTerminal": true,
    "RuleName": "Elevate severity of findings that relate to important resources",
    "RuleOrder": 1,
    "RuleStatus": "ENABLED",
    "Description": "Elevate finding severity to CRITICAL when specific resource such as an S3 bucket is at risk",
    "Criteria": {
        "ProductName": [{
            "Value": "Security Hub CSPM",
            "Comparison": "EQUALS"
        }],
        "ComplianceStatus": [{
            "Value": "FAILED",
            "Comparison": "EQUALS"
        }],
        "RecordState": [{
            "Value": "ACTIVE",
            "Comparison": "EQUALS"
        }],
        "WorkflowStatus": [{
            "Value": "NEW",
            "Comparison": "EQUALS"
        }],
        "ResourceId": [{
            "Value": "arn:aws-cn:s3:::amzn-s3-demo-bucket/developers/design_info.doc",
            "Comparison": "EQUALS"
        }]
    },
    "Actions": [{
        "Type": "FINDING_FIELDS_UPDATE",
        "FindingFieldsUpdate": {
            "Severity": {
                "Label": "CRITICAL"
            },
            "Note": {
                "Text": "This is a critical resource. Please review ASAP.",
                "UpdatedBy": "sechub-automation"
            }
        }
    }]
}
```

**Example CLI command:**

```
$ aws securityhub create-automation-rule \
--is-terminal \
--rule-name "Elevate severity of findings that relate to important resources" \
--rule-order 1 \
--rule-status "ENABLED" \
--description "Elevate finding severity to CRITICAL when specific resource such as an S3 bucket is at risk" \
--criteria '{
"ProductName": [{
"Value": "Security Hub CSPM",
"Comparison": "EQUALS"
}],
"ComplianceStatus": [{
"Value": "FAILED",
"Comparison": "EQUALS"
}],
"RecordState": [{
"Value": "ACTIVE",
"Comparison": "EQUALS"
}],
"WorkflowStatus": [{
"Value": "NEW",
"Comparison": "EQUALS"
}],
"ResourceId": [{
"Value": "arn:aws-cn:s3:::amzn-s3-demo-bucket/developers/design_info.doc",
"Comparison": "EQUALS"
}]
}' \
--actions '[{
"Type": "FINDING_FIELDS_UPDATE",
"FindingFieldsUpdate": {
"Severity": {
"Label": "CRITICAL"
},
"Note": {
"Text": "This is a critical resource. Please review ASAP.",
"UpdatedBy": "sechub-automation"
}
}
}]' \
--region us-east-1
```

## Elevate severity of findings that relate to resources in production accounts


In this example, the rule criteria are matched when a `HIGH` severity finding is generated in specific production accounts. The rule action is to change the severity of matched findings to `CRITICAL`.

**Example API request**:

```
{
    "IsTerminal": false,
    "RuleName": "Elevate severity for production accounts",
    "RuleOrder": 1,
    "RuleStatus": "ENABLED",
    "Description": "Elevate finding severity from HIGH to CRITICAL for findings that relate to resources in specific production accounts",
    "Criteria": {
        "ProductName": [{
            "Value": "Security Hub CSPM",
            "Comparison": "EQUALS"
        }],
        "ComplianceStatus": [{
            "Value": "FAILED",
            "Comparison": "EQUALS"
        }],
        "RecordState": [{
            "Value": "ACTIVE",
            "Comparison": "EQUALS"
        }],
        "WorkflowStatus": [{
            "Value": "NEW",
            "Comparison": "EQUALS"
        }],
        "SeverityLabel": [{
            "Value": "HIGH",
            "Comparison": "EQUALS"
        }],
        "AwsAccountId": [
        {
            "Value": "111122223333",
            "Comparison": "EQUALS"
        },
        {
            "Value": "123456789012",
            "Comparison": "EQUALS"
        }]
    },
    "Actions": [{
        "Type": "FINDING_FIELDS_UPDATE",
        "FindingFieldsUpdate": {
            "Severity": {
                "Label": "CRITICAL"
            },
            "Note": {
                "Text": "A resource in production accounts is at risk. Please review ASAP.",
                "UpdatedBy": "sechub-automation"
            }
        }
    }]
}
```

**Example CLI command**:

```
aws securityhub create-automation-rule \
--no-is-terminal \
--rule-name "Elevate severity of findings that relate to resources in production accounts" \
--rule-order 1 \
--rule-status "ENABLED" \
--description "Elevate finding severity from HIGH to CRITICAL for findings that relate to resources in specific production accounts" \
--criteria '{
"ProductName": [{
"Value": "Security Hub CSPM",
"Comparison": "EQUALS"
}],
"ComplianceStatus": [{
"Value": "FAILED",
"Comparison": "EQUALS"
}],
"RecordState": [{
"Value": "ACTIVE",
"Comparison": "EQUALS"
}],
"SeverityLabel": [{
"Value": "HIGH",
"Comparison": "EQUALS"
}],
"AwsAccountId": [
{
"Value": "111122223333",
"Comparison": "EQUALS"
},
{
"Value": "123456789012",
"Comparison": "EQUALS"
}]
}' \
--actions '[{
"Type": "FINDING_FIELDS_UPDATE",
"FindingFieldsUpdate": {
"Severity": {
"Label": "CRITICAL"
},
"Note": {
"Text": "A resource in production accounts is at risk. Please review ASAP.",
"UpdatedBy": "sechub-automation"
}
}
}]' \
--region us-east-1
```

## Suppress informational findings


In this example, the rule criteria are matched for `INFORMATIONAL` severity findings sent to Security Hub CSPM from Amazon GuardDuty. The rule action is to change the workflow status of matched findings to `SUPPRESSED`.

**Example API request**:

```
{
    "IsTerminal": false,
    "RuleName": "Suppress informational findings",
    "RuleOrder": 1,
    "RuleStatus": "ENABLED",
    "Description": "Suppress GuardDuty findings with INFORMATIONAL severity",
    "Criteria": {
        "ProductName": [{
            "Value": "GuardDuty",
            "Comparison": "EQUALS"
        }],
        "RecordState": [{
            "Value": "ACTIVE",
            "Comparison": "EQUALS"
        }],
        "WorkflowStatus": [{
            "Value": "NEW",
            "Comparison": "EQUALS"
        }],
        "SeverityLabel": [{
            "Value": "INFORMATIONAL",
            "Comparison": "EQUALS"
        }]
    },
    "Actions": [{
        "Type": "FINDING_FIELDS_UPDATE",
        "FindingFieldsUpdate": {
            "Workflow": {
                "Status": "SUPPRESSED"
            },
            "Note": {
                "Text": "Automatically suppress GuardDuty findings with INFORMATIONAL severity",
                "UpdatedBy": "sechub-automation"
            }
        }
    }]
}
```

**Example CLI command**:

```
aws securityhub create-automation-rule \
--no-is-terminal \
--rule-name "Suppress informational findings" \
--rule-order 1 \
--rule-status "ENABLED" \
--description "Suppress GuardDuty findings with INFORMATIONAL severity" \
--criteria '{
"ProductName": [{
"Value": "GuardDuty",
"Comparison": "EQUALS"
}],
"RecordState": [{
"Value": "ACTIVE",
"Comparison": "EQUALS"
}],
"WorkflowStatus": [{
"Value": "NEW",
"Comparison": "EQUALS"
}],
"SeverityLabel": [{
"Value": "INFORMATIONAL",
"Comparison": "EQUALS"
}]
}' \
--actions '[{
"Type": "FINDING_FIELDS_UPDATE",
"FindingFieldsUpdate": {
"Workflow": {
"Status": "SUPPRESSED"
},
"Note": {
"Text": "Automatically suppress GuardDuty findings with INFORMATIONAL severity",
"UpdatedBy": "sechub-automation"
}
}
}]' \
--region us-east-1
```

# Using EventBridge for automated response and remediation
Automated response and remediation

By creating rules in Amazon EventBridge, you can respond automatically to Amazon Security Hub CSPM findings. Security Hub CSPM sends findings as *events* to EventBridge in near-real time. You can write simple rules to indicate which events you are interested in and what automated actions to take when an event matches a rule. The actions that can be automatically triggered include the following:
+ Invoking an Amazon Lambda function
+ Invoking the Amazon EC2 run command
+ Relaying the event to Amazon Kinesis Data Streams
+ Activating an Amazon Step Functions state machine
+ Notifying an Amazon SNS topic or an Amazon SQS queue
+ Sending a finding to a third-party ticketing, chat, SIEM, or incident response and management tool

Security Hub CSPM automatically sends all new findings and all updates to existing findings to EventBridge as EventBridge events. You can also create custom actions that allow you to send selected findings and insight results to EventBridge.

You then configure EventBridge rules to respond to each type of event.

For more information about using EventBridge, see the [Amazon EventBridge User Guide](https://docs.amazonaws.cn/eventbridge/latest/userguide/what-is-amazon-eventbridge.html).

**Note**  
As a best practice, make sure that the permissions granted to your users to access EventBridge use least-privilege Amazon Identity and Access Management (IAM) policies that grant only the required permissions.  
For more information, see [Identity and access management in Amazon EventBridge](https://docs.amazonaws.cn/eventbridge/latest/userguide/auth-and-access-control-eventbridge.html). 

A set of templates for cross-account automated response and remediation is also available in Amazon Solutions. The templates leverage EventBridge event rules and Lambda functions. You deploy the solution using Amazon CloudFormation and Amazon Systems Manager. The solution can create fully automated response and remediation actions. It can also use Security Hub CSPM custom actions to create user-triggered response and remediation actions. For details on how to configure and use the solution, see the [Automated Security Response on Amazon](https://www.amazonaws.cn/solutions/implementations/aws-security-hub-automated-response-and-remediation/) solution page.

**Topics**
+ [Security Hub CSPM event types in EventBridge](securityhub-cwe-integration-types.md)
+ [EventBridge event formats for Security Hub CSPM](securityhub-cwe-event-formats.md)
+ [Configuring an EventBridge rule for Security Hub CSPM findings](securityhub-cwe-all-findings.md)
+ [Using custom actions to send findings and insight results to EventBridge](securityhub-cwe-custom-actions.md)

# Security Hub CSPM event types in EventBridge
EventBridge event types

Security Hub CSPM uses the following Amazon EventBridge event types to integrate with EventBridge.

On the EventBridge dashboard for Security Hub CSPM, **All Events** includes all of these event types.

## All findings (Security Hub Findings - Imported)


Security Hub CSPM automatically sends all new findings and all updates to existing findings to EventBridge as **Security Hub Findings - Imported** events. Each **Security Hub Findings - Imported** event contains a single finding.

Every [BatchImportFindings](https://docs.amazonaws.cn//securityhub/1.0/APIReference/API_BatchImportFindings.html) and [BatchUpdateFindings](https://docs.amazonaws.cn//securityhub/1.0/APIReference/API_BatchUpdateFindings.html) request triggers a **Security Hub Findings - Imported** event.

For administrator accounts, the event feed in EventBridge includes events for findings from both their account and from their member accounts.

In an aggregation Region, the event feed includes events for findings from the aggregation Region and the linked Regions. Cross-Region findings are included in the event feed in near real time. For information on how to configure finding aggregation, see [Understanding cross-Region aggregation in Security Hub CSPM](finding-aggregation.md).

You can define rules in EventBridge that automatically route findings to a remediation workflow, third-party tool, or [other supported EventBridge target](https://docs.amazonaws.cn/eventbridge/latest/userguide/eb-targets.html). The rules can include filters that only apply the rule if the finding has specific attribute values.

You use this method to automatically send all findings, or all findings that have specific characteristics, to a response or remediation workflow.

See [Configuring an EventBridge rule for Security Hub CSPM findings](securityhub-cwe-all-findings.md).

## Findings for custom actions (Security Hub Findings - Custom Action)


Security Hub CSPM also sends findings that are associated with custom actions to EventBridge as **Security Hub Findings - Custom Action** events.

This is useful for analysts working with the Security Hub CSPM console who want to send a specific finding, or a small set of findings, to a response or remediation workflow. You can select a custom action for up to 20 findings at a time. Each finding is sent to EventBridge as a separate EventBridge event.

When you create a custom action, you assign it a custom action ID. You can use this ID to create an EventBridge rule that takes a specified action after receiving a finding that is associated with that custom action ID.

See [Using custom actions to send findings and insight results to EventBridge](securityhub-cwe-custom-actions.md).

For example, you can create a custom action in Security Hub CSPM called `send_to_ticketing`. Then in EventBridge, you create a rule that is triggered when EventBridge receives a finding that includes the `send_to_ticketing` custom action ID. The rule includes logic to send the finding to your ticketing system. You can then select findings within Security Hub CSPM and use the custom action in Security Hub CSPM to manually send findings to your ticketing system.

For examples of how to send Security Hub CSPM findings to EventBridge for further processing, see [How to Integrate Amazon Security Hub CSPM Custom Actions with PagerDuty](https://amazonaws-china.com/blogs/apn/how-to-integrate-aws-security-hub-custom-actions-with-pagerduty/) and [How to Enable Custom Actions in Amazon Security Hub CSPM](https://amazonaws-china.com/blogs/apn/how-to-enable-custom-actions-in-aws-security-hub/) on the Amazon Partner Network (APN) Blog.

## Insight results for custom actions (Security Hub Insight Results)


You can also use custom actions to send sets of insight results to EventBridge as **Security Hub Insight Results** events. Insight results are the resources that match an insight. Note that when you send insight results to EventBridge, you are not sending the findings to EventBridge. You are only sending the resource identifiers that are associated with the insight results. You can send up to 100 resource identifiers at a time.

Similar to custom actions for findings, you first create the custom action in Security Hub CSPM, and then create a rule in EventBridge.

See [Using custom actions to send findings and insight results to EventBridge](securityhub-cwe-custom-actions.md).

For example, suppose you see a particular insight result of interest that you want to share with a colleague. In that case, you can use a custom action to send that insight result to the colleague through a chat or ticketing system.

# EventBridge event formats for Security Hub CSPM
EventBridge event formats

The **Security Hub Findings - Imported**, **Security Hub Findings - Custom Action**, and **Security Hub Insight Results** event types use the following event formats.

The event format is the format that is used when Security Hub CSPM sends an event to EventBridge.

## Security Hub Findings - Imported


**Security Hub Findings - Imported** events that are sent from Security Hub CSPM to EventBridge use the following format.

```
{
   "version":"0",
   "id":"CWE-event-id",
   "detail-type":"Security Hub Findings - Imported",
   "source":"aws.securityhub",
   "account":"111122223333",
   "time":"2019-04-11T21:52:17Z",
   "region":"us-west-2",
   "resources":[
      "arn:aws-cn:securityhub:us-west-2::product/aws/macie/arn:aws-cn:macie:us-west-2:111122223333:integtest/trigger/6294d71b927c41cbab915159a8f326a3/alert/f2893b211841"
   ],
   "detail":{
      "findings": [{
         <finding content>
       }]
   }
}
```

`<finding content>` is the content, in JSON format, of the finding that is sent by the event. Each event sends a single finding.

For a complete list of finding attributes, see [Amazon Security Finding Format (ASFF)](securityhub-findings-format.md).

For information about how to configure EventBridge rules that are triggered by these events, see [Configuring an EventBridge rule for Security Hub CSPM findings](securityhub-cwe-all-findings.md).

## Security Hub Findings - Custom Action


**Security Hub Findings - Custom Action** events that are sent from Security Hub CSPM to EventBridge use the following format. Each finding is sent in a separate event.

```
{
  "version": "0",
  "id": "1a1111a1-b22b-3c33-444d-5555e5ee5555",
  "detail-type": "Security Hub Findings - Custom Action",
  "source": "aws.securityhub",
  "account": "111122223333",
  "time": "2019-04-11T18:43:48Z",
  "region": "us-west-1",
  "resources": [
    "arn:aws-cn:securityhub:us-west-1:111122223333:action/custom/custom-action-name"
  ],
  "detail": {
    "actionName":"custom-action-name",
    "actionDescription": "description of the action",
    "findings": [
      {
        <finding content>
      }
    ]
  }
}
```

`<finding content>` is the content, in JSON format, of the finding that is sent by the event. Each event sends a single finding.

For a complete list of finding attributes, see [Amazon Security Finding Format (ASFF)](securityhub-findings-format.md).

For information about how to configure EventBridge rules that are triggered by these events, see [Using custom actions to send findings and insight results to EventBridge](securityhub-cwe-custom-actions.md).

## Security Hub Insight Results


**Security Hub Insight Results** events that are sent from Security Hub CSPM to EventBridge use the following format.

```
{ 
  "version": "0",
  "id": "1a1111a1-b22b-3c33-444d-5555e5ee5555",
  "detail-type": "Security Hub Insight Results",
  "source": "aws.securityhub",
  "account": "111122223333",
  "time": "2017-12-22T18:43:48Z",
  "region": "us-west-1",
  "resources": [
      "arn:aws-cn:securityhub:us-west-1:111122223333::product/aws/macie:us-west-1:222233334444:test/trigger/1ec9cf700ef6be062b19584e0b7d84ec/alert/f2893b211841"
  ],
  "detail": {
    "actionName":"name of the action",
    "actionDescription":"description of the action",
    "insightArn":"ARN of the insight",
    "insightName":"Name of the insight",
    "resultType":"ResourceAwsIamAccessKeyUserName",
    "number of results":"number of results, max of 100",
    "insightResults": [
        {"result 1": 5},
        {"result 2": 6}
    ]
  }
}
```

For information about how to create an EventBridge rule that is triggered by these events, see [Using custom actions to send findings and insight results to EventBridge](securityhub-cwe-custom-actions.md).

# Configuring an EventBridge rule for Security Hub CSPM findings
Configuring an EventBridge rule

You can create a rule in Amazon EventBridge that defines an action to take when a **Security Hub Findings - Imported** event is received. **Security Hub Findings - Imported** events are triggered by updates from both the [BatchImportFindings](https://docs.amazonaws.cn//securityhub/1.0/APIReference/API_BatchImportFindings.html) and [BatchUpdateFindings](https://docs.amazonaws.cn//securityhub/1.0/APIReference/API_BatchUpdateFindings.html) operations.

Each rule contains an event pattern, which identifies the events that trigger the rule. The event pattern always contains the event source (`aws.securityhub`) and the event type (**Security Hub Findings - Imported**). The event pattern can also specify filters to identify the findings that the rule applies to.

The event rule then identifies the rule targets. The targets are the actions to take when EventBridge receives a **Security Hub Findings - Imported** event and the finding matches the filters.

The instructions provided here use the EventBridge console. When you use the console, EventBridge automatically creates the required resource-based policy that enables EventBridge to write to Amazon CloudWatch Logs.

You can also use the [PutRule](https://docs.amazonaws.cn/eventbridge/latest/APIReference/API_PutRule.html) operation of the EventBridge API. However, if you use the EventBridge API, then you must create the resource-based policy. For information about the required policy, see [CloudWatch Logs permissions](https://docs.amazonaws.cn/eventbridge/latest/userguide/resource-based-policies-eventbridge.html#cloudwatchlogs-permissions) in the *Amazon EventBridge User Guide*.

## Format of the event pattern


The format of the event pattern for **Security Hub Findings - Imported** events is as follows:

```
{
  "source": [
    "aws.securityhub"
  ],
  "detail-type": [
    "Security Hub Findings - Imported"
  ],
  "detail": {
    "findings": {
      <attribute filter values>
    }
  }
}
```
+ `source` identifies Security Hub CSPM as the service that generates the event.
+ `detail-type` identifies the type of event.
+ `detail` is optional and provides the filter values for the event pattern. If the event pattern does not contain a `detail` field, then all findings trigger the rule.

You can filter the findings based on any finding attribute. For each attribute, you provide a comma-separated array of one or more values.

```
"<attribute name>": [ "<value1>", "<value2>"]
```

If you provide more than one value for an attribute, then those values are joined by `OR`. A finding matches the filter for an individual attribute if the finding has any of the listed values. For example, if you provide both `INFORMATIONAL` and `LOW` as values for `Severity.Label`, then the finding matches if it has a severity label of either `INFORMATIONAL` or `LOW`.

The attributes are joined by `AND`. A finding matches if it matches the filter criteria for all of the provided attributes.

When you provide an attribute value, it must reflect the location of that attribute within the Amazon Security Finding Format (ASFF) structure.

**Tip**  
When filtering control findings, we recommend using the `SecurityControlId` or `SecurityControlArn` [ASFF fields](securityhub-findings-format.md) as filters, rather than `Title` or `Description`. The latter fields can change occasionally, whereas the control ID and ARN are static identifiers.

In the following example, the event pattern provides filter values for `ProductArn` and `Severity.Label`, so a finding matches if it is generated by Amazon Inspector and it has a severity label of either `INFORMATIONAL` or `LOW`.

```
{
    "source": [
        "aws.securityhub"
     ],
    "detail-type": [
        "Security Hub Findings - Imported"
    ],
    "detail": {
        "findings": {
            "ProductArn": ["arn:aws-cn:securityhub:us-east-1::product/aws/inspector"],
            "Severity": {
                "Label": ["INFORMATIONAL", "LOW"]
            }
        }
    }
}
```

## Creating an event rule


You can use a predefined event pattern or a custom event pattern to create a rule in EventBridge. If you select a predefined pattern, EventBridge automatically fills in `source` and `detail-type`. EventBridge also provides fields to specify filter values for the following finding attributes:
+ `AwsAccountId`
+ `Compliance.Status`
+ `Criticality`
+ `ProductArn`
+ `RecordState`
+ `ResourceId`
+ `ResourceType`
+ `Severity.Label`
+ `Types`
+ `Workflow.Status`

**To create an EventBridge rule (console)**

1. Open the Amazon EventBridge console at [https://console.amazonaws.cn/events/](https://console.amazonaws.cn/events/).

1. Using the following values, create an EventBridge rule that monitors finding events:
   + For **Rule type**, choose **Rule with an event pattern**.
   + Choose how to build the event pattern.    
   + For **Target types**, choose **Amazon service**, and for **Select a target**, choose a target such as an Amazon SNS topic or Amazon Lambda function. The target is triggered when an event is received that matches the event pattern defined in the rule.

   For details about creating rules, see [Creating Amazon EventBridge rules that react to events](https://docs.amazonaws.cn/eventbridge/latest/userguide/eb-create-rule.html) in the *Amazon EventBridge User Guide*.

# Using custom actions to send findings and insight results to EventBridge
Configuring and using custom actions

To use Amazon Security Hub CSPM custom actions to send findings or insight results to Amazon EventBridge, you first create the custom action in Security Hub CSPM. Then, you can define rules in EventBridge that apply to your custom actions.

You can create up to 50 custom actions.

If you enable cross-Region aggregation, and manage findings from the aggregation Region, then create custom actions in the aggregation Region.

The rule in EventBridge uses the Amazon Resource Name (ARN) from the custom action.

# Creating a custom action


When you create a custom action in Amazon Security Hub CSPM, you specify its name, description, and a unique identifier.

A custom action specifies which actions to take when an EventBridge event matches an EventBridge rule. Security Hub CSPM sends each finding to EventBridge as an event.

Choose your preferred method, and follow the steps to create a custom action.

------
#### [ Console ]

**To create a custom action in Security Hub CSPM (console)**

1. Open the Amazon Security Hub CSPM console at [https://console.amazonaws.cn/securityhub/](https://console.amazonaws.cn/securityhub/).

1. In the navigation pane, choose **Settings** and then choose **Custom actions**.

1. Choose **Create custom action**.

1. Provide a **Name**, **Description**, and **Custom action ID** for the action.

   The **Name** must be fewer than 20 characters.

   The **Custom action ID** must be unique for each Amazon account.

1. Choose **Create custom action**.

1. Make a note of the **Custom action ARN**. You need to use the ARN when you create a rule to associate with this action in EventBridge.

------
#### [ API ]

**To create a custom action (API)**

Use the [CreateActionTarget](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_CreateActionTarget.html) operation. If you're using the Amazon CLI, run the [create-action-target](https://docs.amazonaws.cn/cli/latest/reference/securityhub/create-action-target.html) command.

The following example creates a custom action to send findings to a remediation tool. This example is formatted for Linux, macOS, or Unix, and it uses the backslash (`\`) line-continuation character to improve readability.

```
$ aws securityhub create-action-target \
--name "Send to remediation" \
--description "Action to send the finding for remediation tracking" \
--id "Remediation"
```

------

# Defining a rule in EventBridge


To trigger a custom action in Amazon EventBridge, you must create a corresponding rule in EventBridge. The rule definition includes the Amazon Resource Name (ARN) of the custom action.

The event pattern for a **Security Hub Findings - Custom Action** event has the following format:

```
{
  "source": [
    "aws.securityhub"
  ],
  "detail-type": [
    "Security Hub Findings - Custom Action"
  ],
  "resources": [ "<custom action ARN>" ]
}
```

The event pattern for a **Security Hub Insight Results** event has the following format:

```
{
  "source": [
    "aws.securityhub"
  ],
  "detail-type": [
    "Security Hub Insight Results"
  ],
  "resources": [ "<custom action ARN>" ]
}
```

In both patterns, `<custom action ARN>` is the ARN of a custom action. You can configure a rule that applies to more than one custom action.
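The matching semantics described earlier for **Security Hub Findings - Imported** patterns (listed values are OR-ed, attributes are AND-ed, nested keys follow the ASFF structure, no `detail` means every finding matches) and the `resources`-keyed patterns for custom actions shown above can be exercised offline with the following model. It is an added example, not AWS code or an EventBridge implementation; it covers only the exact-value subset of EventBridge pattern semantics, and the GuardDuty product ARN, the `send_to_ticketing` action ARN, the account ID, the rule targets and the events it routes are constructed sample values.

```python
"""Offline model of EventBridge rule matching for Security Hub CSPM events.

Added example, not AWS code. It models only the exact-value pattern semantics
this page describes: a pattern leaf is a list and a scalar field matches if it
equals ANY listed value (OR); every key in the pattern must match (AND); nested
pattern objects follow the event's nesting, i.e. the ASFF structure for
findings (Severity.Label); a list-valued event field such as "resources"
matches if any element equals a listed value. Prefix, numeric and anything-but
filters are not modelled.
"""

# Product ARN format from this page (Inspector). The GuardDuty product ARN, the
# account ID and the custom action ARN are constructed sample values.
INSPECTOR_PRODUCT_ARN = "arn:aws-cn:securityhub:us-east-1::product/aws/inspector"
GUARDDUTY_PRODUCT_ARN = "arn:aws-cn:securityhub:us-east-1::product/aws/guardduty"
TICKETING_ACTION_ARN = (
    "arn:aws-cn:securityhub:us-east-1:111122223333:action/custom/send_to_ticketing"
)

# Pattern from the page: Inspector findings with severity INFORMATIONAL or LOW.
INSPECTOR_LOW_PATTERN = {
    "source": ["aws.securityhub"],
    "detail-type": ["Security Hub Findings - Imported"],
    "detail": {
        "findings": {
            "ProductArn": [INSPECTOR_PRODUCT_ARN],
            "Severity": {"Label": ["INFORMATIONAL", "LOW"]},
        }
    },
}

# Custom-action pattern in the format from the page, keyed on the action ARN.
TICKETING_PATTERN = {
    "source": ["aws.securityhub"],
    "detail-type": ["Security Hub Findings - Custom Action"],
    "resources": [TICKETING_ACTION_ARN],
}

# Hypothetical rules: (rule name, event pattern, target label).
RULES = [
    ("inspector-low-to-backlog", INSPECTOR_LOW_PATTERN, "sqs:backlog-queue"),
    ("send-to-ticketing", TICKETING_PATTERN, "lambda:create-ticket"),
]


def matches(pattern, event) -> bool:
    """Return True if `event` satisfies `pattern` under the semantics above."""
    if isinstance(pattern, list):
        # Leaf filter: OR over the listed values.
        if isinstance(event, list):
            return any(item in pattern for item in event)
        return event in pattern
    if isinstance(pattern, dict):
        if isinstance(event, dict):
            # AND over every attribute in the pattern; a missing key fails.
            return all(k in event and matches(v, event[k]) for k, v in pattern.items())
        if isinstance(event, list):
            # detail.findings is a list of finding objects. Each Security Hub
            # event carries exactly one finding, so per-element matching is
            # equivalent to EventBridge's flattening of object arrays here.
            return any(isinstance(i, dict) and matches(pattern, i) for i in event)
        return False
    raise ValueError("pattern leaves must be lists, e.g. {'Label': ['LOW']}")


def _envelope(detail_type, resources, detail):
    """EventBridge envelope as shown on this page (constructed id/account/time)."""
    return {
        "version": "0", "id": "constructed-event-id", "detail-type": detail_type,
        "source": "aws.securityhub", "account": "111122223333",
        "time": "2024-01-01T00:00:00Z", "region": "us-east-1",
        "resources": resources, "detail": detail,
    }


def imported_event(product_arn, severity_label):
    """Construct a 'Security Hub Findings - Imported' event with one finding."""
    finding = {"ProductArn": product_arn, "Severity": {"Label": severity_label}}
    return _envelope("Security Hub Findings - Imported", [product_arn], {"findings": [finding]})


def custom_action_event(action_arn, action_name, finding):
    """Construct a 'Security Hub Findings - Custom Action' event for one finding."""
    detail = {"actionName": action_name, "actionDescription": "", "findings": [finding]}
    return _envelope("Security Hub Findings - Custom Action", [action_arn], detail)


def route(event, rules=RULES):
    """Targets of every rule whose pattern matches; EventBridge fires all of them."""
    return [target for _name, pattern, target in rules if matches(pattern, event)]


if __name__ == "__main__":
    for ev in (
        imported_event(INSPECTOR_PRODUCT_ARN, "LOW"),   # matches inspector-low-to-backlog
        imported_event(INSPECTOR_PRODUCT_ARN, "HIGH"),  # severity not listed
        imported_event(GUARDDUTY_PRODUCT_ARN, "LOW"),   # ProductArn not listed
        custom_action_event(TICKETING_ACTION_ARN, "send_to_ticketing", {"Id": "f-1"}),
    ):
        print(ev["detail-type"], "->", route(ev) or "no rule matched")
```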

The instructions provided here are for the EventBridge console. When you use the console, EventBridge automatically creates the required resource-based policy that enables EventBridge to write to CloudWatch Logs.

You can also use the [PutRule](https://docs.amazonaws.cn/eventbridge/latest/APIReference/API_PutRule.html) operation of the EventBridge API. However, if you use the EventBridge API, then you must create the resource-based policy. For details on the required policy, see [CloudWatch Logs permissions](https://docs.amazonaws.cn/eventbridge/latest/userguide/resource-based-policies-eventbridge.html#cloudwatchlogs-permissions) in the *Amazon EventBridge User Guide*.

**To define a rule in EventBridge (EventBridge console)**

1. Open the Amazon EventBridge console at [https://console.amazonaws.cn/events/](https://console.amazonaws.cn/events/).

1. In the navigation pane, choose **Rules**.

1. Choose **Create rule**.

1. Enter a name and description for the rule.

1. For **Event bus**, choose the event bus that you want to associate with this rule. If you want this rule to match events that come from your account, select **default**. When an Amazon service in your account emits an event, it always goes to your account’s default event bus.

1. For **Rule type**, choose **Rule with an event pattern**.

1. Choose **Next**.

1. For **Event source**, choose **Amazon events**.

1. For **Event pattern**, choose **Event pattern form**.

1. For **Event source**, choose **Amazon services**.

1. For **Amazon service**, choose **Security Hub**.

1. For **Event type**, do one of the following:
   + To create a rule to apply when you send findings to a custom action, choose **Security Hub Findings - Custom Action**.
   + To create a rule to apply when you send insight results to a custom action, choose **Security Hub Insight Results**.

1. Choose **Specific custom action ARNs**, and add a custom action ARN.

   If the rule applies to multiple custom actions, choose **Add** to add more custom action ARNs.

1. Choose **Next**.

1. Under **Select targets**, choose and configure the target to invoke when this rule is matched.

1. Choose **Next**.

1. (Optional) Enter one or more tags for the rule. For more information, see [Amazon EventBridge tags](https://docs.amazonaws.cn/eventbridge/latest/userguide/eb-tagging.html) in the *Amazon EventBridge User Guide*.

1. Choose **Next**.

1. Review the details of the rule and choose **Create rule**.

   When you perform a custom action on findings or insight results in your account, events are generated in EventBridge.

# Selecting a custom action for findings and insight results


After you create Amazon Security Hub CSPM custom actions and Amazon EventBridge rules, you can send findings and insight results to EventBridge for automatic management and processing.

Events are sent to EventBridge only in the account in which they are viewed. If you view a finding using an administrator account, the event is sent to EventBridge in the administrator account.

For Amazon API calls against member-account resources to take effect, the target code must switch roles into the member account. This also means that the role you switch into must be deployed to each member account where action is needed.

**To send findings to EventBridge (console)**

1. Open the Amazon Security Hub CSPM console at [https://console.amazonaws.cn/securityhub/](https://console.amazonaws.cn/securityhub/).

1. Display a list of findings:
   + From **Findings**, you can view findings from all of the enabled product integrations and controls.
   + From **Security standards**, you can navigate to a list of findings generated from a specific control. For more information, see [Reviewing the details of controls in Security Hub CSPM](securityhub-standards-control-details.md).
   + From **Integrations**, you can navigate to a list of findings generated by an enabled integration. For more information, see [Viewing findings from a Security Hub CSPM integration](securityhub-integration-view-findings.md).
   + From **Insights**, you can navigate to a list of findings for an insight result. For more information, see [Reviewing and acting on insights in Security Hub CSPM](securityhub-insights-view-take-action.md).

1. Select the findings to send to EventBridge. You can select up to 20 findings at a time.

1. From **Actions**, choose the custom action that aligns with the EventBridge rule to apply.

   Security Hub CSPM sends a separate **Security Hub Findings - Custom Action** event for each finding.

**To send insight results to EventBridge (console)**

1. Open the Amazon Security Hub CSPM console at [https://console.amazonaws.cn/securityhub/](https://console.amazonaws.cn/securityhub/).

1. In the navigation pane, choose **Insights**.

1. On the **Insights** page, choose the insight that includes the results to send to EventBridge.

1. Select the insight results to send to EventBridge. You can select up to 20 results at a time.

1. From **Actions**, choose the custom action that aligns with the EventBridge rule to apply.

# Working with the dashboard in Security Hub CSPM
Summary dashboard

On the Security Hub CSPM console, the **Summary** dashboard shows a summary of your risks, attack sequences, and security coverage. This dashboard helps you identify risks and attack sequences based on severity and account coverage for different security capabilities. Each time you open the dashboard, it refreshes automatically. Note, however, that security scores and control statuses refresh every 24 hours. 

You can customize the **Summary** dashboard by adding and removing different security widgets from it. You can also specify filter criteria to retrieve and display particular types of data. If you customize the dashboard, Security Hub saves your customization settings. If other users of your account customize the dashboard, their changes are saved independently from your customization settings. 

If you configured cross-Region aggregation in Security Hub CSPM, the **Summary** dashboard shows your aggregated data. If your account is the delegated administrator account for an organization, the data includes findings for your account and your member accounts. If your account is a member account or a standalone account, the data includes findings only for your account.

**Topics**
+ [Available widgets for the Summary dashboard](#available-widgets)
+ [Filtering the dashboard](filters-dashboard.md)
+ [Customizing the dashboard](customize-dashboard.md)

## Available widgets for the Summary dashboard


The **Summary** dashboard includes widgets that reflect the modern cloud security threat landscape, guided by the security operations and experiences of Amazon customers. Some widgets are shown by default while others are not. You can customize your view of the dashboard by adding or removing widgets.

To add a widget, choose **Add widget** at the top of the dashboard. You can then browse the list of available widgets or enter the title of a widget in the search bar. When you find the widget to add, drag it to the location where you want it to appear on the dashboard. For more information, see [Customizing the dashboard](customize-dashboard.md).

### Widgets shown by default


By default, the **Summary** dashboard includes the following widgets.

**Top threat sequences**  
Displays the highest severity threat sequences. Threat sequence findings, known as *attack sequence findings* in Amazon GuardDuty, correlate multiple events to identify potential threats to your Amazon environment. Threat sequences may include in-progress or recent attack behaviors (within a 24-hour time window) in your environment, which may in turn lead to further compromise. You must have GuardDuty and GuardDuty S3 Protection enabled to receive threat sequence findings in Security Hub CSPM.

**Top risks**  
Displays a summary of the top risks in your environment. The top of the widget shows you the count of risks at each severity level. You can choose a severity level to go to the **Risks** page with risks filtered to the selected severity level. Risks that have the most occurrences in your environment appear first. This widget helps you prioritize which risks to mitigate.

**Security coverage**  
Summarizes the extent of your security coverage, based on coverage control findings. Coverage controls check whether a specific Amazon Web Services service and its capabilities are enabled (for example, [[Macie.1] Amazon Macie should be enabled](macie-controls.md#macie-1)). This widget helps you ensure that you have `PASSED` findings for coverage controls. The Security Hub CSPM console provides links from this widget to help you enable missing security capabilities. We recommend using central configuration to enable missing security capabilities across multiple Amazon Web Services accounts and Amazon Web Services Regions. For more information, see [Understanding central configuration in Security Hub CSPM](central-configuration-intro.md).

**Security standards**  
Displays your most recent summary security score and the security score for each Security Hub CSPM standard. Security scores, which range from 0–100 percent, represent the proportion of passed controls relative to all of your enabled controls. For more information about these scores, see [Method of calculating security scores](standards-security-score.md#standard-security-score-calculation). This widget helps you understand your overall security posture.

**Assets with the most findings**  
Provides an overview of the resources, accounts, and applications that have the most findings. The list is sorted in descending order by the number of findings. In the widget, each tab shows the top six items in that category, grouped by severity and resource type. If you choose a number in the **Total findings** column, Security Hub CSPM opens a page that shows the findings for the asset. This widget helps you quickly identify which of your core assets have potential security threats.

**Findings by Region**  
Shows the total number of findings, grouped by severity, in each Amazon Web Services Region in which Security Hub CSPM is enabled. This widget helps you identify security issues that potentially affect particular Regions. If you open the dashboard in your aggregation Region, this widget helps you monitor potential security issues in each linked Region. 

**Most common threat types**  
Provides a breakdown of the 10 most common types of threats in your Amazon environment. This includes threats such as escalation of privileges, use of exposed credentials, or communication with malicious IP addresses.  
To view this data, [Amazon GuardDuty](https://docs.amazonaws.cn/guardduty/latest/ug/securityhub-integration.html) must be enabled. If it is, choose a threat type in this widget to open the GuardDuty console and review findings related to this threat. This widget helps you evaluate potential threats in the context of other security issues.

**Software vulnerabilities with exploits**  
Provides a summary of software vulnerabilities that exist in your Amazon environment and have known exploits. You can also review a breakdown of vulnerabilities that do and don't have fixes available.  
To view this data, [Amazon Inspector](https://docs.amazonaws.cn/inspector/latest/user/securityhub-integration.html) must be enabled. If it is, choose a statistic in this widget to open the Amazon Inspector console and review more details about the vulnerability. This widget helps you evaluate software vulnerabilities in the context of other security issues.

**New findings over time**  
Shows trends in the number of new daily findings during the past 90 days. You can break down the data by severity or by provider for additional context. This widget helps you understand if finding volume spiked or dropped at specific times during the past 90 days.

**Resources with the most findings**  
Provides a summary of the resources that have generated the most findings, broken down by the following resource types: Amazon Simple Storage Service (Amazon S3) buckets, Amazon Elastic Compute Cloud (Amazon EC2) instances, and Amazon Lambda functions.  
In the widget, each tab focuses on one of the preceding resource types, listing the 10 resource instances that generated the most findings. To review the findings for a specific resource, choose the resource instance. This widget helps you triage security findings that are associated with common Amazon resources.

### Widgets hidden by default


The following widgets are also available for the **Summary** dashboard, but they are hidden by default.

**AMIs with the most findings**  
Provides a list of the 10 Amazon Machine Images (AMIs) that have generated the most findings. This data is available only if Amazon EC2 is enabled for your account. It helps you identify which AMIs pose potential security risks.

**IAM principals with the most findings**  
Provides a list of the 10 Amazon Identity and Access Management (IAM) users that have generated the most findings. This widget helps you perform administrative and billing tasks. It shows you which users contribute to Security Hub CSPM usage the most.

**Accounts with the most findings (by severity)**  
Shows a graph of the 10 accounts that have generated the most findings, grouped by severity. This widget helps you determine which accounts to focus analysis and remediation efforts on.

**Accounts with the most findings (by resource type)**  
Shows a graph of the 10 accounts that have generated the most findings, grouped by resource type. This widget helps you determine which accounts and resource types to prioritize for analysis and remediation.

**Insights**  
Lists five [Security Hub CSPM managed insights](securityhub-managed-insights.md) and the number of findings that they generated. Insights identify a specific security area that requires attention.

**Latest findings from Amazon integrations**  
Shows the number of findings that you received in Security Hub CSPM from [integrated Amazon Web Services services](securityhub-internal-providers.md). It also shows when you most recently received findings from each integrated service. This widget provides consolidated findings data from multiple Amazon Web Services services. To drill down, choose an integrated service. Security Hub CSPM then opens the console for that service.

# Filtering the Summary dashboard in Security Hub CSPM
Filtering the dashboard

You can curate the **Summary** dashboard on the Security Hub CSPM console so that it includes only the security data that's most relevant to you. For example, if you're a member of an application team, you might create a dedicated view for a critical application in your production environment. If you're a member of a security team, you might create a dedicated view that helps you focus on high-severity findings.

To create these curated views, enter filter criteria in the filter box above the dashboard. If you apply filter criteria, the criteria apply to all the data and widgets on the dashboard, except the data in the **Insights** and **Security standards** widgets. For a list of available widgets on the dashboard, see [Available widgets for the Summary dashboard](dashboard.md#available-widgets).

You can filter the data by using the following fields:
+ Account name
+ Account ID
+ Application ARN
+ Application name
+ Product name (for an Amazon Web Services service or third-party product that sends findings to Security Hub CSPM)
+ Record state
+ Region
+ Resource tag
+ Severity
+ Workflow status

By default, dashboard data is filtered using the following criteria: `Workflow.Status` is `NOTIFIED` or `NEW`, and `RecordState` is `ACTIVE`. These criteria appear above the dashboard, below the filter box. To remove these criteria, choose **X** in the filter token for the criteria that you want to remove.
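The same default criteria can be reproduced outside the console, for example when pulling findings into a SIEM, by expressing them as `AwsSecurityFindingFilters` for the Security Hub `GetFindings` API. The following Python is an added example, not code from the Security Hub documentation; `fetch_findings` assumes a boto3 Security Hub client created by the caller, and the sample findings are constructed.

```python
"""Reproduce the Summary dashboard's default filter (Workflow.Status NEW or
NOTIFIED, RecordState ACTIVE) and its "Findings by Region" breakdown using
the GetFindings filter structure. Added example; not part of the Security Hub
documentation."""
from collections import defaultdict
from typing import Dict, Iterable, List, Optional

SEVERITY_ORDER = ["CRITICAL", "HIGH", "MEDIUM", "LOW", "INFORMATIONAL"]


def _eq(values: Iterable[str]) -> List[Dict[str, str]]:
    # GetFindings ORs the entries within one field and ANDs distinct fields,
    # which matches how the dashboard filter box combines its criteria.
    return [{"Value": v, "Comparison": "EQUALS"} for v in values]


def build_dashboard_filters(
    severities: Optional[Iterable[str]] = None,
    regions: Optional[Iterable[str]] = None,
    account_ids: Optional[Iterable[str]] = None,
    product_names: Optional[Iterable[str]] = None,
    resource_tags: Optional[Dict[str, str]] = None,
) -> Dict[str, list]:
    """Start from the dashboard defaults and narrow with the optional fields
    the filter box also offers (severity, Region, account, product, tags)."""
    filters: Dict[str, list] = {
        "WorkflowStatus": _eq(["NEW", "NOTIFIED"]),
        "RecordState": _eq(["ACTIVE"]),
    }
    if severities:
        filters["SeverityLabel"] = _eq(severities)
    if regions:
        filters["Region"] = _eq(regions)
    if account_ids:
        filters["AwsAccountId"] = _eq(account_ids)
    if product_names:
        filters["ProductName"] = _eq(product_names)
    if resource_tags:
        # Resource tags use a map filter: Key, Value and Comparison per entry.
        filters["ResourceTags"] = [
            {"Key": k, "Value": v, "Comparison": "EQUALS"}
            for k, v in resource_tags.items()
        ]
    return filters


def fetch_findings(client, filters: Dict[str, list]) -> List[dict]:
    """Page through GetFindings. `client` is assumed to be a boto3 Security Hub
    client created by the caller, e.g. boto3.client("securityhub", region_name=...)."""
    paginator = client.get_paginator("get_findings")
    findings: List[dict] = []
    for page in paginator.paginate(Filters=filters):
        findings.extend(page["Findings"])
    return findings


def matches_default_view(finding: dict) -> bool:
    """Local equivalent of the default criteria, for findings that were exported
    earlier without a filter (for example via EventBridge)."""
    return (
        finding.get("RecordState") == "ACTIVE"
        and finding.get("Workflow", {}).get("Status") in ("NEW", "NOTIFIED")
    )


def findings_by_region(findings: Iterable[dict]) -> Dict[str, Dict[str, int]]:
    """Count findings per Region and severity label after applying the default
    criteria, the same breakdown the "Findings by Region" widget shows."""
    counts: Dict[str, Dict[str, int]] = defaultdict(
        lambda: {s: 0 for s in SEVERITY_ORDER}
    )
    for f in findings:
        if not matches_default_view(f):
            continue
        label = f.get("Severity", {}).get("Label", "INFORMATIONAL")
        counts[f["Region"]][label] += 1
    return dict(counts)


# Constructed sample findings in ASFF shape, trimmed to the fields used here.
SAMPLE_FINDINGS = [
    {"Id": "f-1", "Region": "cn-north-1", "RecordState": "ACTIVE",
     "Workflow": {"Status": "NEW"}, "Severity": {"Label": "HIGH"}},
    {"Id": "f-2", "Region": "cn-north-1", "RecordState": "ACTIVE",
     "Workflow": {"Status": "NOTIFIED"}, "Severity": {"Label": "CRITICAL"}},
    {"Id": "f-3", "Region": "cn-north-1", "RecordState": "ACTIVE",
     "Workflow": {"Status": "RESOLVED"}, "Severity": {"Label": "HIGH"}},  # hidden by default
    {"Id": "f-4", "Region": "cn-northwest-1", "RecordState": "ARCHIVED",
     "Workflow": {"Status": "NEW"}, "Severity": {"Label": "LOW"}},        # hidden by default
    {"Id": "f-5", "Region": "cn-northwest-1", "RecordState": "ACTIVE",
     "Workflow": {"Status": "NEW"}, "Severity": {"Label": "MEDIUM"}},
]

if __name__ == "__main__":
    print(build_dashboard_filters(severities=["CRITICAL", "HIGH"]))
    print(findings_by_region(SAMPLE_FINDINGS))
```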

If you apply filter criteria that you want to use again, you can save them as a *filter set*. A filter set is a set of filter criteria that you create and save to reapply when you review data on the **Summary** dashboard. You can create and save a filter set that uses any of the available fields except the following fields: Application ARN, application name, and resource tag.

## Creating and saving filter sets


Follow these steps to create and save a filter set.

**To create and save a filter set**

1. Open the Amazon Security Hub CSPM console at [https://console.amazonaws.cn/securityhub/](https://console.amazonaws.cn/securityhub/).

1. In the navigation pane, choose **Summary**.

1. In the filter box above the **Summary** dashboard, enter the filter criteria for the filter set.

1. On the **Clear filters** menu, choose **Save new filter set**.

1. In the **Save filter set** dialog box, enter a name for the filter set.

1. (Optional) To use the filter set by default each time you open the **Summary** page, select the option to set it as the default view.

1. Choose **Save**.

To switch between filter sets that you’ve created and saved, use the **Choose a filter set** menu above the **Summary** dashboard. When you select a filter set, Security Hub CSPM applies the criteria of the filter set to the data on the dashboard.

## Updating or deleting filter sets


Follow these steps to update or delete an existing filter set. If you delete a filter set that is currently set as your default view of the **Summary** dashboard, your default view is reset to the default Security Hub CSPM view.

**To update or delete a filter set**

1. Open the Amazon Security Hub CSPM console at [https://console.amazonaws.cn/securityhub/](https://console.amazonaws.cn/securityhub/).

1. In the navigation pane, choose **Summary**.

1. In the **Choose a filter set** menu above the **Summary** page, choose the filter set.

1. On the **Clear filters** menu, do one of the following:
   + To update the filter set, choose **Update current filter set**. Then, enter your changes in the dialog box that appears.
   + To delete the filter set, choose **Delete current filter set**. Then, choose **Delete** in the dialog box that appears.

# Customizing the Summary dashboard in Security Hub CSPM
Customizing the dashboard

You can customize the **Summary** dashboard on the Security Hub CSPM console in several ways. For example, you can add and remove widgets from the dashboard. You can also rearrange and resize widgets on the dashboard. For a list of available widgets and a description of each one, see [Available widgets for the Summary dashboard](dashboard.md#available-widgets).

If you customize the dashboard, Security Hub CSPM applies your changes immediately and saves your new dashboard settings. Your changes apply to your view of the dashboard in all Amazon Web Services Regions and browsers.

**To customize the Summary dashboard**

1. Open the Amazon Security Hub CSPM console at [https://console.amazonaws.cn/securityhub/](https://console.amazonaws.cn/securityhub/).

1. In the navigation pane, choose **Summary**.

1. Do any of the following:
   + To add a widget, choose **Add widgets** at the upper-right corner of the page. In the search bar, enter the title of the widget to add. Then, drag the widget to the location that you want.
   + To remove a widget, choose the three dots in the upper-right corner of the widget.
   + To move a widget, choose the handle at the upper-left corner of the widget, and then drag the widget to the location that you want.
   + To change the size of a widget, choose the resize handle at the lower-right corner of the widget. Drag the widget's edge until the widget is your preferred size.

To subsequently restore the original settings, choose **Reset to default layout** at the top of the page.

# Regional limits for Security Hub CSPM
Regional limits

Some Amazon Security Hub CSPM features are available in only certain Amazon Web Services Regions. The following sections specify these Regional limits. For a complete list of all the Regions where Security Hub CSPM is currently available, see [Amazon Security Hub endpoints and quotas](https://docs.amazonaws.cn/general/latest/gr/sechub.html) in the *Amazon Web Services General Reference*.

## Cross-Region aggregation restrictions


In Amazon GovCloud (US) Regions, [cross-Region aggregation](finding-aggregation.md) is available for findings, finding updates, and insights across Amazon GovCloud (US) Regions only. Specifically, you can aggregate findings, finding updates, and insights only between the Amazon GovCloud (US-East) and Amazon GovCloud (US-West) Regions.

In the China Regions, cross-Region aggregation is available for findings, finding updates, and insights across the China Regions only. Specifically, you can aggregate findings, finding updates, and insights only between the China (Beijing) and China (Ningxia) Regions.

You can't use a Region that's disabled by default as your aggregation Region. For a list of Regions that are disabled by default, see [Enable or disable Amazon Web Services Regions in your account](https://docs.amazonaws.cn/accounts/latest/reference/manage-acct-regions.html#rande-manage-enable) in the *Amazon Account Management Reference Guide*.

## Availability of integrations by Region


Some integrations aren't available in all Amazon Web Services Regions. On the Security Hub CSPM console, an integration doesn't appear on the **Integrations** page if it isn't available in the Region that you're currently signed in to.

### Integrations supported in the China (Beijing) and China (Ningxia) Regions


In the China (Beijing) and China (Ningxia) Regions, Security Hub CSPM supports only the following [integrations with Amazon Web Services services](securityhub-internal-providers.md):
+ Amazon Firewall Manager
+ Amazon GuardDuty
+ Amazon Identity and Access Management Access Analyzer
+ Amazon Inspector
+ Amazon IoT Device Defender
+ Amazon Systems Manager Explorer
+ Amazon Systems Manager OpsCenter
+ Amazon Systems Manager Patch Manager

In the China (Beijing) and China (Ningxia) Regions, Security Hub CSPM supports only the following [third-party integrations](securityhub-partner-providers.md):
+ Cloud Custodian
+ FireEye Helix
+ Helecloud
+ IBM QRadar
+ PagerDuty
+ Palo Alto Networks Cortex XSOAR
+ Palo Alto Networks VM-Series
+ Prowler
+ RSA Archer
+ Splunk Enterprise
+ Splunk Phantom
+ ThreatModeler

### Integrations supported in the Amazon GovCloud (US-East) and Amazon GovCloud (US-West) Regions


In the Amazon GovCloud (US-East) and Amazon GovCloud (US-West) Regions, Security Hub CSPM supports only the following [integrations with Amazon Web Services services](securityhub-internal-providers.md):
+ Amazon Config
+ Amazon Detective
+ Amazon Firewall Manager
+ Amazon GuardDuty
+ Amazon Health
+ IAM Access Analyzer
+ Amazon Inspector
+ Amazon IoT Device Defender

In the Amazon GovCloud (US-East) and Amazon GovCloud (US-West) Regions, Security Hub CSPM supports only the following [third-party integrations](securityhub-partner-providers.md):
+ Atlassian Jira Service Management
+ Atlassian Jira Service Management Cloud
+ Atlassian OpsGenie
+ Caveonix Cloud
+ Cloud Custodian
+ Cloud Storage Security Antivirus for Amazon S3
+ CrowdStrike Falcon
+ FireEye Helix
+ Forcepoint CASB
+ Forcepoint DLP
+ Forcepoint NGFW
+ Fugue
+ Kion
+ MicroFocus ArcSight
+ NETSCOUT Cyber Investigator
+ PagerDuty
+ Palo Alto Networks – Prisma Cloud Compute
+ Palo Alto Networks – Prisma Cloud Enterprise
+ Palo Alto Networks – VM-Series (available only in Amazon GovCloud (US-West))
+ Prowler
+ Rackspace Technology – Cloud Native Security
+ Rapid7 InsightConnect
+ RSA Archer
+ ServiceNow ITSM
+ Slack
+ ThreatModeler
+ Vectra AI Cognito Detect

## Availability of standards by Region


The [Amazon Control Tower service-managed standard](service-managed-standard-aws-control-tower.md) is available only in Amazon Web Services Regions that Amazon Control Tower supports. For a list of Regions that Amazon Control Tower currently supports, see [How Amazon Web Services Regions Work With Amazon Control Tower](https://docs.amazonaws.cn/controltower/latest/userguide/region-how.html) in the *Amazon Control Tower User Guide*.

The [Amazon Resource Tagging standard](standards-tagging.md) isn't available in the Asia Pacific (Taipei) Region.

Other security standards are available in all the Regions where Security Hub CSPM is currently available.

## Availability of controls by Region


Some Security Hub CSPM controls aren't available in all Amazon Web Services Regions. For a list of controls that aren't available in each Region, see [Regional limits on Security Hub CSPM controls](regions-controls.md).

On the Security Hub CSPM console, a control doesn't appear in the list of controls if it isn't available in the Region that you're currently signed in to. The exception is an aggregation Region. If you set an aggregation Region and sign in to that Region, the console shows controls that are available in the aggregation Region or one or more linked Regions.

# Regional limits on Security Hub CSPM controls
Regional limits on controls

Some Amazon Security Hub CSPM controls aren't available in all Amazon Web Services Regions. This page specifies which controls aren't available in specific Regions.

On the Security Hub CSPM console, a control doesn't appear in the list of controls if it isn't available in the Region that you're currently signed in to. The exception is an aggregation Region. If you set an aggregation Region and sign in to that Region, the console shows controls that are available in the aggregation Region or one or more linked Regions.

**Topics**
+ [US East (N. Virginia)](#securityhub-control-support-useast1)
+ [US East (Ohio)](#securityhub-control-support-useast2)
+ [US West (N. California)](#securityhub-control-support-uswest1)
+ [US West (Oregon)](#securityhub-control-support-uswest2)
+ [Africa (Cape Town)](#securityhub-control-support-afsouth1)
+ [Asia Pacific (Hong Kong)](#securityhub-control-support-apeast1)
+ [Asia Pacific (Hyderabad)](#securityhub-control-support-apsouth2)
+ [Asia Pacific (Jakarta)](#securityhub-control-support-apsoutheast3)
+ [Asia Pacific (Malaysia)](#securityhub-control-support-apsoutheast5)
+ [Asia Pacific (Melbourne)](#securityhub-control-support-apsoutheast4)
+ [Asia Pacific (Mumbai)](#securityhub-control-support-apsouth1)
+ [Asia Pacific (New Zealand)](#securityhub-control-support-apsoutheast6)
+ [Asia Pacific (Osaka)](#securityhub-control-support-apnortheast3)
+ [Asia Pacific (Seoul)](#securityhub-control-support-apnortheast2)
+ [Asia Pacific (Singapore)](#securityhub-control-support-apsoutheast1)
+ [Asia Pacific (Sydney)](#securityhub-control-support-apsoutheast2)
+ [Asia Pacific (Taipei)](#securityhub-control-support-apeast2)
+ [Asia Pacific (Thailand)](#securityhub-control-support-apsoutheast7)
+ [Asia Pacific (Tokyo)](#securityhub-control-support-apnortheast1)
+ [Canada (Central)](#securityhub-control-support-cacentral1)
+ [Canada West (Calgary)](#securityhub-control-support-cawest1)
+ [China (Beijing)](#securityhub-control-support-cnnorth1)
+ [China (Ningxia)](#securityhub-control-support-cnnorthwest1)
+ [Europe (Frankfurt)](#securityhub-control-support-eucentral1)
+ [Europe (Ireland)](#securityhub-control-support-euwest1)
+ [Europe (London)](#securityhub-control-support-euwest2)
+ [Europe (Milan)](#securityhub-control-support-eusouth1)
+ [Europe (Paris)](#securityhub-control-support-euwest3)
+ [Europe (Spain)](#securityhub-control-support-eusouth2)
+ [Europe (Stockholm)](#securityhub-control-support-eunorth1)
+ [Europe (Zurich)](#securityhub-control-support-eucentral2)
+ [Israel (Tel Aviv)](#securityhub-control-support-ilcentral1)
+ [Mexico (Central)](#securityhub-control-support-mxcentral1)
+ [Middle East (Bahrain)](#securityhub-control-support-mesouth1)
+ [Middle East (UAE)](#securityhub-control-support-mecentral1)
+ [South America (São Paulo)](#securityhub-control-support-saeast1)
+ [Amazon GovCloud (US-East)](#securityhub-control-support-usgoveast1)
+ [Amazon GovCloud (US-West)](#securityhub-control-support-usgovwest1)

## US East (N. Virginia)


The following controls are not supported in the US East (N. Virginia) Region.
+  [[ElastiCache.4] ElastiCache replication groups should be encrypted at rest](elasticache-controls.md#elasticache-4) 
+  [[ElastiCache.5] ElastiCache replication groups should be encrypted in transit](elasticache-controls.md#elasticache-5) 
+  [[ElastiCache.6] ElastiCache (Redis OSS) replication groups of earlier versions should have Redis OSS AUTH enabled](elasticache-controls.md#elasticache-6) 
+  [[ElastiCache.7] ElastiCache clusters should not use the default subnet group](elasticache-controls.md#elasticache-7) 
+  [[GlobalAccelerator.1] Global Accelerator accelerators should be tagged](globalaccelerator-controls.md#globalaccelerator-1) 
+  [[S3.24] S3 Multi-Region Access Points should have block public access settings enabled](s3-controls.md#s3-24) 

## US East (Ohio)


The following controls are not supported in the US East (Ohio) Region.
+  [[AppSync.1] Amazon AppSync API caches should be encrypted at rest](appsync-controls.md#appsync-1) 
+  [[AppSync.6] Amazon AppSync API caches should be encrypted in transit](appsync-controls.md#appsync-6) 
+  [[CloudFront.1] CloudFront distributions should have a default root object configured](cloudfront-controls.md#cloudfront-1) 
+  [[CloudFront.3] CloudFront distributions should require encryption in transit](cloudfront-controls.md#cloudfront-3) 
+  [[CloudFront.4] CloudFront distributions should have origin failover configured](cloudfront-controls.md#cloudfront-4) 
+  [[CloudFront.5] CloudFront distributions should have logging enabled](cloudfront-controls.md#cloudfront-5) 
+  [[CloudFront.6] CloudFront distributions should have WAF enabled](cloudfront-controls.md#cloudfront-6) 
+  [[CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates](cloudfront-controls.md#cloudfront-7) 
+  [[CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests](cloudfront-controls.md#cloudfront-8) 
+  [[CloudFront.9] CloudFront distributions should encrypt traffic to custom origins](cloudfront-controls.md#cloudfront-9) 
+  [[CloudFront.10] CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins](cloudfront-controls.md#cloudfront-10) 
+  [[CloudFront.12] CloudFront distributions should not point to non-existent S3 origins](cloudfront-controls.md#cloudfront-12) 
+  [[CloudFront.13] CloudFront distributions should use origin access control](cloudfront-controls.md#cloudfront-13) 
+  [[CloudFront.14] CloudFront distributions should be tagged](cloudfront-controls.md#cloudfront-14) 
+  [[CloudFront.15] CloudFront distributions should use the recommended TLS security policy](cloudfront-controls.md#cloudfront-15) 
+  [[CloudFront.16] CloudFront distributions should use origin access control for Lambda function URL origins](cloudfront-controls.md#cloudfront-16) 
+  [[CloudFront.17] CloudFront distributions should use trusted key groups for signed URLs and cookies](cloudfront-controls.md#cloudfront-17) 
+  [[Connect.1] Amazon Connect Customer Profiles object types should be tagged](connect-controls.md#connect-1) 
+  [[Connect.2] Amazon Connect instances should have CloudWatch logging enabled](connect-controls.md#connect-2) 
+  [[EC2.24] Amazon EC2 paravirtual instance types should not be used](ec2-controls.md#ec2-24) 
+  [[EC2.173] EC2 Spot Fleet requests with launch parameters should enable encryption for attached EBS volumes](ec2-controls.md#ec2-173) 
+  [[ECR.4] ECR public repositories should be tagged](ecr-controls.md#ecr-4) 
+  [[GlobalAccelerator.1] Global Accelerator accelerators should be tagged](globalaccelerator-controls.md#globalaccelerator-1) 
+  [[IAM.26] Expired SSL/TLS certificates managed in IAM should be removed](iam-controls.md#iam-26) 
+  [[IoTTwinMaker.1] Amazon IoT TwinMaker sync jobs should be tagged](iottwinmaker-controls.md#iottwinmaker-1) 
+  [[IoTTwinMaker.2] Amazon IoT TwinMaker workspaces should be tagged](iottwinmaker-controls.md#iottwinmaker-2) 
+  [[IoTTwinMaker.3] Amazon IoT TwinMaker scenes should be tagged](iottwinmaker-controls.md#iottwinmaker-3) 
+  [[IoTTwinMaker.4] Amazon IoT TwinMaker entities should be tagged](iottwinmaker-controls.md#iottwinmaker-4) 
+  [[IoTWireless.1] Amazon IoT Wireless multicast groups should be tagged](iotwireless-controls.md#iotwireless-1) 
+  [[IoTWireless.2] Amazon IoT Wireless service profiles should be tagged](iotwireless-controls.md#iotwireless-2) 
+  [[IoTWireless.3] Amazon IoT FUOTA tasks should be tagged](iotwireless-controls.md#iotwireless-3) 
+  [[IVS.1] IVS playback key pairs should be tagged](ivs-controls.md#ivs-1) 
+  [[IVS.2] IVS recording configurations should be tagged](ivs-controls.md#ivs-2) 
+  [[IVS.3] IVS channels should be tagged](ivs-controls.md#ivs-3) 
+  [[RDS.31] RDS DB security groups should be tagged](rds-controls.md#rds-31) 
+  [[Route53.1] Route 53 health checks should be tagged](route53-controls.md#route53-1) 
+  [[Route53.2] Route 53 public hosted zones should log DNS queries](route53-controls.md#route53-2) 
+  [[S3.24] S3 Multi-Region Access Points should have block public access settings enabled](s3-controls.md#s3-24) 
+  [[WAF.1] Amazon WAF Classic Global Web ACL logging should be enabled](waf-controls.md#waf-1) 
+  [[WAF.6] Amazon WAF Classic global rules should have at least one condition](waf-controls.md#waf-6) 
+  [[WAF.7] Amazon WAF Classic global rule groups should have at least one rule](waf-controls.md#waf-7) 
+  [[WAF.8] Amazon WAF Classic global web ACLs should have at least one rule or rule group](waf-controls.md#waf-8) 
+  [[WorkSpaces.1] WorkSpaces user volumes should be encrypted at rest](workspaces-controls.md#workspaces-1) 
+  [[WorkSpaces.2] WorkSpaces root volumes should be encrypted at rest](workspaces-controls.md#workspaces-2) 

## US West (N. California)


The following controls are not supported in the US West (N. California) Region.
+  [[AppRunner.1] App Runner services should be tagged](apprunner-controls.md#apprunner-1) 
+  [[AppRunner.2] App Runner VPC connectors should be tagged](apprunner-controls.md#apprunner-2) 
+  [[AppSync.1] Amazon AppSync API caches should be encrypted at rest](appsync-controls.md#appsync-1) 
+  [[AppSync.6] Amazon AppSync API caches should be encrypted in transit](appsync-controls.md#appsync-6) 
+  [[CloudFront.1] CloudFront distributions should have a default root object configured](cloudfront-controls.md#cloudfront-1) 
+  [[CloudFront.3] CloudFront distributions should require encryption in transit](cloudfront-controls.md#cloudfront-3) 
+  [[CloudFront.4] CloudFront distributions should have origin failover configured](cloudfront-controls.md#cloudfront-4) 
+  [[CloudFront.5] CloudFront distributions should have logging enabled](cloudfront-controls.md#cloudfront-5) 
+  [[CloudFront.6] CloudFront distributions should have WAF enabled](cloudfront-controls.md#cloudfront-6) 
+  [[CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates](cloudfront-controls.md#cloudfront-7) 
+  [[CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests](cloudfront-controls.md#cloudfront-8) 
+  [[CloudFront.9] CloudFront distributions should encrypt traffic to custom origins](cloudfront-controls.md#cloudfront-9) 
+  [[CloudFront.10] CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins](cloudfront-controls.md#cloudfront-10) 
+  [[CloudFront.12] CloudFront distributions should not point to non-existent S3 origins](cloudfront-controls.md#cloudfront-12) 
+  [[CloudFront.13] CloudFront distributions should use origin access control](cloudfront-controls.md#cloudfront-13) 
+  [[CloudFront.14] CloudFront distributions should be tagged](cloudfront-controls.md#cloudfront-14) 
+  [[CloudFront.15] CloudFront distributions should use the recommended TLS security policy](cloudfront-controls.md#cloudfront-15) 
+  [[CloudFront.16] CloudFront distributions should use origin access control for Lambda function URL origins](cloudfront-controls.md#cloudfront-16) 
+  [[CloudFront.17] CloudFront distributions should use trusted key groups for signed URLs and cookies](cloudfront-controls.md#cloudfront-17) 
+  [[CodeArtifact.1] CodeArtifact repositories should be tagged](codeartifact-controls.md#codeartifact-1) 
+  [[CodeGuruProfiler.1] CodeGuru Profiler profiling groups should be tagged](codeguruprofiler-controls.md#codeguruprofiler-1) 
+  [[CodeGuruReviewer.1] CodeGuru Reviewer repository associations should be tagged](codegurureviewer-controls.md#codegurureviewer-1) 
+  [[Connect.1] Amazon Connect Customer Profiles object types should be tagged](connect-controls.md#connect-1) 
+  [[Connect.2] Amazon Connect instances should have CloudWatch logging enabled](connect-controls.md#connect-2) 
+  [[DocumentDB.1] Amazon DocumentDB clusters should be encrypted at rest](documentdb-controls.md#documentdb-1) 
+  [[DocumentDB.2] Amazon DocumentDB clusters should have an adequate backup retention period](documentdb-controls.md#documentdb-2) 
+  [[DocumentDB.3] Amazon DocumentDB manual cluster snapshots should not be public](documentdb-controls.md#documentdb-3) 
+  [[DocumentDB.4] Amazon DocumentDB clusters should publish audit logs to CloudWatch Logs](documentdb-controls.md#documentdb-4) 
+  [[DocumentDB.5] Amazon DocumentDB clusters should have deletion protection enabled](documentdb-controls.md#documentdb-5) 
+  [[DocumentDB.6] Amazon DocumentDB clusters should be encrypted in transit](documentdb-controls.md#documentdb-6) 
+  [[EC2.173] EC2 Spot Fleet requests with launch parameters should enable encryption for attached EBS volumes](ec2-controls.md#ec2-173) 
+  [[ECR.4] ECR public repositories should be tagged](ecr-controls.md#ecr-4) 
+  [[FraudDetector.1] Amazon Fraud Detector entity types should be tagged](frauddetector-controls.md#frauddetector-1) 
+  [[FraudDetector.2] Amazon Fraud Detector labels should be tagged](frauddetector-controls.md#frauddetector-2) 
+  [[FraudDetector.3] Amazon Fraud Detector outcomes should be tagged](frauddetector-controls.md#frauddetector-3) 
+  [[FraudDetector.4] Amazon Fraud Detector variables should be tagged](frauddetector-controls.md#frauddetector-4) 
+  [[GlobalAccelerator.1] Global Accelerator accelerators should be tagged](globalaccelerator-controls.md#globalaccelerator-1) 
+  [[IAM.26] Expired SSL/TLS certificates managed in IAM should be removed](iam-controls.md#iam-26) 
+  [[Inspector.3] Amazon Inspector Lambda code scanning should be enabled](inspector-controls.md#inspector-3) 
+  [[IoTEvents.1] Amazon IoT Events inputs should be tagged](iotevents-controls.md#iotevents-1) 
+  [[IoTEvents.2] Amazon IoT Events detector models should be tagged](iotevents-controls.md#iotevents-2) 
+  [[IoTEvents.3] Amazon IoT Events alarm models should be tagged](iotevents-controls.md#iotevents-3) 
+  [[IoTSiteWise.1] Amazon IoT SiteWise asset models should be tagged](iotsitewise-controls.md#iotsitewise-1) 
+  [[IoTSiteWise.2] Amazon IoT SiteWise dashboards should be tagged](iotsitewise-controls.md#iotsitewise-2) 
+  [[IoTSiteWise.3] Amazon IoT SiteWise gateways should be tagged](iotsitewise-controls.md#iotsitewise-3) 
+  [[IoTSiteWise.4] Amazon IoT SiteWise portals should be tagged](iotsitewise-controls.md#iotsitewise-4) 
+  [[IoTSiteWise.5] Amazon IoT SiteWise projects should be tagged](iotsitewise-controls.md#iotsitewise-5) 
+  [[IoTTwinMaker.1] Amazon IoT TwinMaker sync jobs should be tagged](iottwinmaker-controls.md#iottwinmaker-1) 
+  [[IoTTwinMaker.2] Amazon IoT TwinMaker workspaces should be tagged](iottwinmaker-controls.md#iottwinmaker-2) 
+  [[IoTTwinMaker.3] Amazon IoT TwinMaker scenes should be tagged](iottwinmaker-controls.md#iottwinmaker-3) 
+  [[IoTTwinMaker.4] Amazon IoT TwinMaker entities should be tagged](iottwinmaker-controls.md#iottwinmaker-4) 
+  [[IoTWireless.1] Amazon IoT Wireless multicast groups should be tagged](iotwireless-controls.md#iotwireless-1) 
+  [[IoTWireless.2] Amazon IoT Wireless service profiles should be tagged](iotwireless-controls.md#iotwireless-2) 
+  [[IoTWireless.3] Amazon IoT FUOTA tasks should be tagged](iotwireless-controls.md#iotwireless-3) 
+  [[IVS.1] IVS playback key pairs should be tagged](ivs-controls.md#ivs-1) 
+  [[IVS.2] IVS recording configurations should be tagged](ivs-controls.md#ivs-2) 
+  [[IVS.3] IVS channels should be tagged](ivs-controls.md#ivs-3) 
+  [[RDS.35] RDS DB clusters should have automatic minor version upgrade enabled](rds-controls.md#rds-35) 
+  [[RDS.47] RDS for PostgreSQL DB clusters should be configured to copy tags to DB snapshots](rds-controls.md#rds-47) 
+  [[RDS.48] RDS for MySQL DB clusters should be configured to copy tags to DB snapshots](rds-controls.md#rds-48) 
+  [[Redshift.18] Redshift clusters should have Multi-AZ deployments enabled](redshift-controls.md#redshift-18) 
+  [[Route53.1] Route 53 health checks should be tagged](route53-controls.md#route53-1) 
+  [[Route53.2] Route 53 public hosted zones should log DNS queries](route53-controls.md#route53-2) 
+  [[S3.24] S3 Multi-Region Access Points should have block public access settings enabled](s3-controls.md#s3-24) 
+  [[S3.25] S3 directory buckets should have lifecycle configurations](s3-controls.md#s3-25) 
+  [[WAF.1] Amazon WAF Classic Global Web ACL logging should be enabled](waf-controls.md#waf-1) 
+  [[WAF.6] Amazon WAF Classic global rules should have at least one condition](waf-controls.md#waf-6) 
+  [[WAF.7] Amazon WAF Classic global rule groups should have at least one rule](waf-controls.md#waf-7) 
+  [[WAF.8] Amazon WAF Classic global web ACLs should have at least one rule or rule group](waf-controls.md#waf-8) 
+  [[WorkSpaces.1] WorkSpaces user volumes should be encrypted at rest](workspaces-controls.md#workspaces-1) 
+  [[WorkSpaces.2] WorkSpaces root volumes should be encrypted at rest](workspaces-controls.md#workspaces-2) 

## US West (Oregon)


The following controls are not supported in the US West (Oregon) Region.
+  [[AppSync.1] Amazon AppSync API caches should be encrypted at rest](appsync-controls.md#appsync-1) 
+  [[AppSync.6] Amazon AppSync API caches should be encrypted in transit](appsync-controls.md#appsync-6) 
+  [[CloudFront.1] CloudFront distributions should have a default root object configured](cloudfront-controls.md#cloudfront-1) 
+  [[CloudFront.3] CloudFront distributions should require encryption in transit](cloudfront-controls.md#cloudfront-3) 
+  [[CloudFront.4] CloudFront distributions should have origin failover configured](cloudfront-controls.md#cloudfront-4) 
+  [[CloudFront.5] CloudFront distributions should have logging enabled](cloudfront-controls.md#cloudfront-5) 
+  [[CloudFront.6] CloudFront distributions should have WAF enabled](cloudfront-controls.md#cloudfront-6) 
+  [[CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates](cloudfront-controls.md#cloudfront-7) 
+  [[CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests](cloudfront-controls.md#cloudfront-8) 
+  [[CloudFront.9] CloudFront distributions should encrypt traffic to custom origins](cloudfront-controls.md#cloudfront-9) 
+  [[CloudFront.10] CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins](cloudfront-controls.md#cloudfront-10) 
+  [[CloudFront.12] CloudFront distributions should not point to non-existent S3 origins](cloudfront-controls.md#cloudfront-12) 
+  [[CloudFront.13] CloudFront distributions should use origin access control](cloudfront-controls.md#cloudfront-13) 
+  [[CloudFront.14] CloudFront distributions should be tagged](cloudfront-controls.md#cloudfront-14) 
+  [[CloudFront.15] CloudFront distributions should use the recommended TLS security policy](cloudfront-controls.md#cloudfront-15) 
+  [[CloudFront.16] CloudFront distributions should use origin access control for Lambda function URL origins](cloudfront-controls.md#cloudfront-16) 
+  [[CloudFront.17] CloudFront distributions should use trusted key groups for signed URLs and cookies](cloudfront-controls.md#cloudfront-17) 
+  [[EC2.173] EC2 Spot Fleet requests with launch parameters should enable encryption for attached EBS volumes](ec2-controls.md#ec2-173) 
+  [[ECR.4] ECR public repositories should be tagged](ecr-controls.md#ecr-4) 
+  [[IAM.26] Expired SSL/TLS certificates managed in IAM should be removed](iam-controls.md#iam-26) 
+  [[Route53.1] Route 53 health checks should be tagged](route53-controls.md#route53-1) 
+  [[Route53.2] Route 53 public hosted zones should log DNS queries](route53-controls.md#route53-2) 
+  [[WAF.1] Amazon WAF Classic Global Web ACL logging should be enabled](waf-controls.md#waf-1) 
+  [[WAF.6] Amazon WAF Classic global rules should have at least one condition](waf-controls.md#waf-6) 
+  [[WAF.7] Amazon WAF Classic global rule groups should have at least one rule](waf-controls.md#waf-7) 
+  [[WAF.8] Amazon WAF Classic global web ACLs should have at least one rule or rule group](waf-controls.md#waf-8) 

## Africa (Cape Town)


The following controls are not supported in the Africa (Cape Town) Region.
+  [[Amplify.1] Amplify apps should be tagged](amplify-controls.md#amplify-1) 
+  [[Amplify.2] Amplify branches should be tagged](amplify-controls.md#amplify-2) 
+  [[AppRunner.1] App Runner services should be tagged](apprunner-controls.md#apprunner-1) 
+  [[AppRunner.2] App Runner VPC connectors should be tagged](apprunner-controls.md#apprunner-2) 
+  [[AppSync.1] Amazon AppSync API caches should be encrypted at rest](appsync-controls.md#appsync-1) 
+  [[AppSync.6] Amazon AppSync API caches should be encrypted in transit](appsync-controls.md#appsync-6) 
+  [[CloudFront.1] CloudFront distributions should have a default root object configured](cloudfront-controls.md#cloudfront-1) 
+  [[CloudFront.3] CloudFront distributions should require encryption in transit](cloudfront-controls.md#cloudfront-3) 
+  [[CloudFront.4] CloudFront distributions should have origin failover configured](cloudfront-controls.md#cloudfront-4) 
+  [[CloudFront.5] CloudFront distributions should have logging enabled](cloudfront-controls.md#cloudfront-5) 
+  [[CloudFront.6] CloudFront distributions should have WAF enabled](cloudfront-controls.md#cloudfront-6) 
+  [[CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates](cloudfront-controls.md#cloudfront-7) 
+  [[CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests](cloudfront-controls.md#cloudfront-8) 
+  [[CloudFront.9] CloudFront distributions should encrypt traffic to custom origins](cloudfront-controls.md#cloudfront-9) 
+  [[CloudFront.10] CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins](cloudfront-controls.md#cloudfront-10) 
+  [[CloudFront.12] CloudFront distributions should not point to non-existent S3 origins](cloudfront-controls.md#cloudfront-12) 
+  [[CloudFront.13] CloudFront distributions should use origin access control](cloudfront-controls.md#cloudfront-13) 
+  [[CloudFront.14] CloudFront distributions should be tagged](cloudfront-controls.md#cloudfront-14) 
+  [[CloudFront.15] CloudFront distributions should use the recommended TLS security policy](cloudfront-controls.md#cloudfront-15) 
+  [[CloudFront.16] CloudFront distributions should use origin access control for Lambda function URL origins](cloudfront-controls.md#cloudfront-16) 
+  [[CloudFront.17] CloudFront distributions should use trusted key groups for signed URLs and cookies](cloudfront-controls.md#cloudfront-17) 
+  [[CodeArtifact.1] CodeArtifact repositories should be tagged](codeartifact-controls.md#codeartifact-1) 
+  [[CodeGuruProfiler.1] CodeGuru Profiler profiling groups should be tagged](codeguruprofiler-controls.md#codeguruprofiler-1) 
+  [[CodeGuruReviewer.1] CodeGuru Reviewer repository associations should be tagged](codegurureviewer-controls.md#codegurureviewer-1) 
+  [[Cognito.1] Cognito user pools should have threat protection activated with full function enforcement mode for standard authentication](cognito-controls.md#cognito-1) 
+  [[DMS.10] DMS endpoints for Neptune databases should have IAM authorization enabled](dms-controls.md#dms-10) 
+  [[DocumentDB.1] Amazon DocumentDB clusters should be encrypted at rest](documentdb-controls.md#documentdb-1) 
+  [[DocumentDB.2] Amazon DocumentDB clusters should have an adequate backup retention period](documentdb-controls.md#documentdb-2) 
+  [[DocumentDB.3] Amazon DocumentDB manual cluster snapshots should not be public](documentdb-controls.md#documentdb-3) 
+  [[DocumentDB.4] Amazon DocumentDB clusters should publish audit logs to CloudWatch Logs](documentdb-controls.md#documentdb-4) 
+  [[DocumentDB.5] Amazon DocumentDB clusters should have deletion protection enabled](documentdb-controls.md#documentdb-5) 
+  [[DocumentDB.6] Amazon DocumentDB clusters should be encrypted in transit](documentdb-controls.md#documentdb-6) 
+  [[DynamoDB.3] DynamoDB Accelerator (DAX) clusters should be encrypted at rest](dynamodb-controls.md#dynamodb-3) 
+  [[DynamoDB.7] DynamoDB Accelerator clusters should be encrypted in transit](dynamodb-controls.md#dynamodb-7) 
+  [[EC2.4] Stopped EC2 instances should be removed after a specified time period](ec2-controls.md#ec2-4) 
+  [[EC2.14] Security groups should not allow ingress from 0.0.0.0/0 or ::/0 to port 3389](ec2-controls.md#ec2-14) 
+  [[EC2.24] Amazon EC2 paravirtual instance types should not be used](ec2-controls.md#ec2-24) 
+  [[EC2.58] VPCs should be configured with an interface endpoint for Systems Manager Incident Manager Contacts](ec2-controls.md#ec2-58) 
+  [[EC2.60] VPCs should be configured with an interface endpoint for Systems Manager Incident Manager](ec2-controls.md#ec2-60) 
+  [[EC2.173] EC2 Spot Fleet requests with launch parameters should enable encryption for attached EBS volumes](ec2-controls.md#ec2-173) 
+  [[EC2.177] EC2 traffic mirror sessions should be tagged](ec2-controls.md#ec2-177) 
+  [[EC2.179] EC2 traffic mirror targets should be tagged](ec2-controls.md#ec2-179) 
+  [[ECR.4] ECR public repositories should be tagged](ecr-controls.md#ecr-4) 
+  [[ELB.2] Classic Load Balancers with SSL/HTTPS listeners should use a certificate provided by Amazon Certificate Manager](elb-controls.md#elb-2) 
+  [[ES.3] Elasticsearch domains should encrypt data sent between nodes](es-controls.md#es-3) 
+  [[EventBridge.4] EventBridge global endpoints should have event replication enabled](eventbridge-controls.md#eventbridge-4) 
+  [[FraudDetector.1] Amazon Fraud Detector entity types should be tagged](frauddetector-controls.md#frauddetector-1) 
+  [[FraudDetector.2] Amazon Fraud Detector labels should be tagged](frauddetector-controls.md#frauddetector-2) 
+  [[FraudDetector.3] Amazon Fraud Detector outcomes should be tagged](frauddetector-controls.md#frauddetector-3) 
+  [[FraudDetector.4] Amazon Fraud Detector variables should be tagged](frauddetector-controls.md#frauddetector-4) 
+  [[GlobalAccelerator.1] Global Accelerator accelerators should be tagged](globalaccelerator-controls.md#globalaccelerator-1) 
+  [[IAM.18] Ensure a support role has been created to manage incidents with Amazon Web Services Support](iam-controls.md#iam-18) 
+  [[IAM.26] Expired SSL/TLS certificates managed in IAM should be removed](iam-controls.md#iam-26) 
+  [[Inspector.3] Amazon Inspector Lambda code scanning should be enabled](inspector-controls.md#inspector-3) 
+  [[IoT.1] Amazon IoT Device Defender security profiles should be tagged](iot-controls.md#iot-1) 
+  [[IoT.2] Amazon IoT Core mitigation actions should be tagged](iot-controls.md#iot-2) 
+  [[IoT.3] Amazon IoT Core dimensions should be tagged](iot-controls.md#iot-3) 
+  [[IoT.4] Amazon IoT Core authorizers should be tagged](iot-controls.md#iot-4) 
+  [[IoT.5] Amazon IoT Core role aliases should be tagged](iot-controls.md#iot-5) 
+  [[IoT.6] Amazon IoT Core policies should be tagged](iot-controls.md#iot-6) 
+  [[IoTEvents.1] Amazon IoT Events inputs should be tagged](iotevents-controls.md#iotevents-1) 
+  [[IoTEvents.2] Amazon IoT Events detector models should be tagged](iotevents-controls.md#iotevents-2) 
+  [[IoTEvents.3] Amazon IoT Events alarm models should be tagged](iotevents-controls.md#iotevents-3) 
+  [[IoTSiteWise.1] Amazon IoT SiteWise asset models should be tagged](iotsitewise-controls.md#iotsitewise-1) 
+  [[IoTSiteWise.2] Amazon IoT SiteWise dashboards should be tagged](iotsitewise-controls.md#iotsitewise-2) 
+  [[IoTSiteWise.3] Amazon IoT SiteWise gateways should be tagged](iotsitewise-controls.md#iotsitewise-3) 
+  [[IoTSiteWise.4] Amazon IoT SiteWise portals should be tagged](iotsitewise-controls.md#iotsitewise-4) 
+  [[IoTSiteWise.5] Amazon IoT SiteWise projects should be tagged](iotsitewise-controls.md#iotsitewise-5) 
+  [[IoTTwinMaker.1] Amazon IoT TwinMaker sync jobs should be tagged](iottwinmaker-controls.md#iottwinmaker-1) 
+  [[IoTTwinMaker.2] Amazon IoT TwinMaker workspaces should be tagged](iottwinmaker-controls.md#iottwinmaker-2) 
+  [[IoTTwinMaker.3] Amazon IoT TwinMaker scenes should be tagged](iottwinmaker-controls.md#iottwinmaker-3) 
+  [[IoTTwinMaker.4] Amazon IoT TwinMaker entities should be tagged](iottwinmaker-controls.md#iottwinmaker-4) 
+  [[IoTWireless.1] Amazon IoT Wireless multicast groups should be tagged](iotwireless-controls.md#iotwireless-1) 
+  [[IoTWireless.2] Amazon IoT Wireless service profiles should be tagged](iotwireless-controls.md#iotwireless-2) 
+  [[IoTWireless.3] Amazon IoT FUOTA tasks should be tagged](iotwireless-controls.md#iotwireless-3) 
+  [[IVS.1] IVS playback key pairs should be tagged](ivs-controls.md#ivs-1) 
+  [[IVS.2] IVS recording configurations should be tagged](ivs-controls.md#ivs-2) 
+  [[IVS.3] IVS channels should be tagged](ivs-controls.md#ivs-3) 
+  [[Keyspaces.1] Amazon Keyspaces keyspaces should be tagged](keyspaces-controls.md#keyspaces-1) 
+  [[MSK.3] MSK Connect connectors should be encrypted in transit](msk-controls.md#msk-3) 
+  [[MSK.5] MSK connectors should have logging enabled](msk-controls.md#msk-5) 
+  [[RDS.1] RDS snapshot should be private](rds-controls.md#rds-1) 
+  [[RDS.14] Amazon Aurora clusters should have backtracking enabled](rds-controls.md#rds-14) 
+  [[RDS.31] RDS DB security groups should be tagged](rds-controls.md#rds-31) 
+  [[RedshiftServerless.1] Amazon Redshift Serverless workgroups should use enhanced VPC routing](redshiftserverless-controls.md#redshiftserverless-1) 
+  [[RedshiftServerless.2] Connections to Redshift Serverless workgroups should be required to use SSL](redshiftserverless-controls.md#redshiftserverless-2) 
+  [[RedshiftServerless.3] Redshift Serverless workgroups should prohibit public access](redshiftserverless-controls.md#redshiftserverless-3) 
+  [[RedshiftServerless.4] Redshift Serverless namespaces should be encrypted with customer managed Amazon KMS keys](redshiftserverless-controls.md#redshiftserverless-4) 
+  [[RedshiftServerless.5] Redshift Serverless namespaces should not use the default admin username](redshiftserverless-controls.md#redshiftserverless-5) 
+  [[RedshiftServerless.6] Redshift Serverless namespaces should export logs to CloudWatch Logs](redshiftserverless-controls.md#redshiftserverless-6) 
+  [[Route53.1] Route 53 health checks should be tagged](route53-controls.md#route53-1) 
+  [[Route53.2] Route 53 public hosted zones should log DNS queries](route53-controls.md#route53-2) 
+  [[S3.24] S3 Multi-Region Access Points should have block public access settings enabled](s3-controls.md#s3-24) 
+  [[S3.25] S3 directory buckets should have lifecycle configurations](s3-controls.md#s3-25) 
+  [[SageMaker.9] SageMaker data quality job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-9) 
+  [[SageMaker.10] SageMaker model explainability job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-10) 
+  [[SageMaker.11] SageMaker data quality job definitions should have network isolation enabled](sagemaker-controls.md#sagemaker-11) 
+  [[SageMaker.12] SageMaker model bias job definitions should have network isolation enabled](sagemaker-controls.md#sagemaker-12) 
+  [[SageMaker.13] SageMaker model quality job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-13) 
+  [[SageMaker.14] SageMaker monitoring schedules should have network isolation enabled](sagemaker-controls.md#sagemaker-14) 
+  [[SageMaker.15] SageMaker model bias job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-15) 
+  [[WAF.1] Amazon WAF Classic Global Web ACL logging should be enabled](waf-controls.md#waf-1) 
+  [[WAF.6] Amazon WAF Classic global rules should have at least one condition](waf-controls.md#waf-6) 
+  [[WAF.7] Amazon WAF Classic global rule groups should have at least one rule](waf-controls.md#waf-7) 
+  [[WAF.8] Amazon WAF Classic global web ACLs should have at least one rule or rule group](waf-controls.md#waf-8) 

## Asia Pacific (Hong Kong)


The following controls are not supported in the Asia Pacific (Hong Kong) Region.
+  [[AppFlow.1] Amazon AppFlow flows should be tagged](appflow-controls.md#appflow-1) 
+  [[AppRunner.1] App Runner services should be tagged](apprunner-controls.md#apprunner-1) 
+  [[AppRunner.2] App Runner VPC connectors should be tagged](apprunner-controls.md#apprunner-2) 
+  [[AppSync.1] Amazon AppSync API caches should be encrypted at rest](appsync-controls.md#appsync-1) 
+  [[AppSync.6] Amazon AppSync API caches should be encrypted in transit](appsync-controls.md#appsync-6) 
+  [[CloudFront.1] CloudFront distributions should have a default root object configured](cloudfront-controls.md#cloudfront-1) 
+  [[CloudFront.3] CloudFront distributions should require encryption in transit](cloudfront-controls.md#cloudfront-3) 
+  [[CloudFront.4] CloudFront distributions should have origin failover configured](cloudfront-controls.md#cloudfront-4) 
+  [[CloudFront.5] CloudFront distributions should have logging enabled](cloudfront-controls.md#cloudfront-5) 
+  [[CloudFront.6] CloudFront distributions should have WAF enabled](cloudfront-controls.md#cloudfront-6) 
+  [[CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates](cloudfront-controls.md#cloudfront-7) 
+  [[CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests](cloudfront-controls.md#cloudfront-8) 
+  [[CloudFront.9] CloudFront distributions should encrypt traffic to custom origins](cloudfront-controls.md#cloudfront-9) 
+  [[CloudFront.10] CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins](cloudfront-controls.md#cloudfront-10) 
+  [[CloudFront.12] CloudFront distributions should not point to non-existent S3 origins](cloudfront-controls.md#cloudfront-12) 
+  [[CloudFront.13] CloudFront distributions should use origin access control](cloudfront-controls.md#cloudfront-13) 
+  [[CloudFront.14] CloudFront distributions should be tagged](cloudfront-controls.md#cloudfront-14) 
+  [[CloudFront.15] CloudFront distributions should use the recommended TLS security policy](cloudfront-controls.md#cloudfront-15) 
+  [[CloudFront.16] CloudFront distributions should use origin access control for Lambda function URL origins](cloudfront-controls.md#cloudfront-16) 
+  [[CloudFront.17] CloudFront distributions should use trusted key groups for signed URLs and cookies](cloudfront-controls.md#cloudfront-17) 
+  [[CodeArtifact.1] CodeArtifact repositories should be tagged](codeartifact-controls.md#codeartifact-1) 
+  [[CodeGuruProfiler.1] CodeGuru Profiler profiling groups should be tagged](codeguruprofiler-controls.md#codeguruprofiler-1) 
+  [[CodeGuruReviewer.1] CodeGuru Reviewer repository associations should be tagged](codegurureviewer-controls.md#codegurureviewer-1) 
+  [[Cognito.1] Cognito user pools should have threat protection activated with full function enforcement mode for standard authentication](cognito-controls.md#cognito-1) 
+  [[Connect.1] Amazon Connect Customer Profiles object types should be tagged](connect-controls.md#connect-1) 
+  [[Connect.2] Amazon Connect instances should have CloudWatch logging enabled](connect-controls.md#connect-2) 
+  [[DynamoDB.3] DynamoDB Accelerator (DAX) clusters should be encrypted at rest](dynamodb-controls.md#dynamodb-3) 
+  [[DynamoDB.7] DynamoDB Accelerator clusters should be encrypted in transit](dynamodb-controls.md#dynamodb-7) 
+  [[EC2.24] Amazon EC2 paravirtual instance types should not be used](ec2-controls.md#ec2-24) 
+  [[EC2.58] VPCs should be configured with an interface endpoint for Systems Manager Incident Manager Contacts](ec2-controls.md#ec2-58) 
+  [[EC2.60] VPCs should be configured with an interface endpoint for Systems Manager Incident Manager](ec2-controls.md#ec2-60) 
+  [[EC2.173] EC2 Spot Fleet requests with launch parameters should enable encryption for attached EBS volumes](ec2-controls.md#ec2-173) 
+  [[ECR.4] ECR public repositories should be tagged](ecr-controls.md#ecr-4) 
+  [[EventBridge.4] EventBridge global endpoints should have event replication enabled](eventbridge-controls.md#eventbridge-4) 
+  [[FraudDetector.1] Amazon Fraud Detector entity types should be tagged](frauddetector-controls.md#frauddetector-1) 
+  [[FraudDetector.2] Amazon Fraud Detector labels should be tagged](frauddetector-controls.md#frauddetector-2) 
+  [[FraudDetector.3] Amazon Fraud Detector outcomes should be tagged](frauddetector-controls.md#frauddetector-3) 
+  [[FraudDetector.4] Amazon Fraud Detector variables should be tagged](frauddetector-controls.md#frauddetector-4) 
+  [[GlobalAccelerator.1] Global Accelerator accelerators should be tagged](globalaccelerator-controls.md#globalaccelerator-1) 
+  [[IAM.26] Expired SSL/TLS certificates managed in IAM should be removed](iam-controls.md#iam-26) 
+  [[Inspector.3] Amazon Inspector Lambda code scanning should be enabled](inspector-controls.md#inspector-3) 
+  [[IoTEvents.1] Amazon IoT Events inputs should be tagged](iotevents-controls.md#iotevents-1) 
+  [[IoTEvents.2] Amazon IoT Events detector models should be tagged](iotevents-controls.md#iotevents-2) 
+  [[IoTEvents.3] Amazon IoT Events alarm models should be tagged](iotevents-controls.md#iotevents-3) 
+  [[IoTSiteWise.1] Amazon IoT SiteWise asset models should be tagged](iotsitewise-controls.md#iotsitewise-1) 
+  [[IoTSiteWise.2] Amazon IoT SiteWise dashboards should be tagged](iotsitewise-controls.md#iotsitewise-2) 
+  [[IoTSiteWise.3] Amazon IoT SiteWise gateways should be tagged](iotsitewise-controls.md#iotsitewise-3) 
+  [[IoTSiteWise.4] Amazon IoT SiteWise portals should be tagged](iotsitewise-controls.md#iotsitewise-4) 
+  [[IoTSiteWise.5] Amazon IoT SiteWise projects should be tagged](iotsitewise-controls.md#iotsitewise-5) 
+  [[IoTTwinMaker.1] Amazon IoT TwinMaker sync jobs should be tagged](iottwinmaker-controls.md#iottwinmaker-1) 
+  [[IoTTwinMaker.2] Amazon IoT TwinMaker workspaces should be tagged](iottwinmaker-controls.md#iottwinmaker-2) 
+  [[IoTTwinMaker.3] Amazon IoT TwinMaker scenes should be tagged](iottwinmaker-controls.md#iottwinmaker-3) 
+  [[IoTTwinMaker.4] Amazon IoT TwinMaker entities should be tagged](iottwinmaker-controls.md#iottwinmaker-4) 
+  [[IoTWireless.1] Amazon IoT Wireless multicast groups should be tagged](iotwireless-controls.md#iotwireless-1) 
+  [[IoTWireless.2] Amazon IoT Wireless service profiles should be tagged](iotwireless-controls.md#iotwireless-2) 
+  [[IoTWireless.3] Amazon IoT FUOTA tasks should be tagged](iotwireless-controls.md#iotwireless-3) 
+  [[IVS.1] IVS playback key pairs should be tagged](ivs-controls.md#ivs-1) 
+  [[IVS.2] IVS recording configurations should be tagged](ivs-controls.md#ivs-2) 
+  [[IVS.3] IVS channels should be tagged](ivs-controls.md#ivs-3) 
+  [[MSK.3] MSK Connect connectors should be encrypted in transit](msk-controls.md#msk-3) 
+  [[MSK.5] MSK connectors should have logging enabled](msk-controls.md#msk-5) 
+  [[RDS.14] Amazon Aurora clusters should have backtracking enabled](rds-controls.md#rds-14) 
+  [[RDS.31] RDS DB security groups should be tagged](rds-controls.md#rds-31) 
+  [[RedshiftServerless.1] Amazon Redshift Serverless workgroups should use enhanced VPC routing](redshiftserverless-controls.md#redshiftserverless-1) 
+  [[RedshiftServerless.2] Connections to Redshift Serverless workgroups should be required to use SSL](redshiftserverless-controls.md#redshiftserverless-2) 
+  [[Route53.1] Route 53 health checks should be tagged](route53-controls.md#route53-1) 
+  [[Route53.2] Route 53 public hosted zones should log DNS queries](route53-controls.md#route53-2) 
+  [[S3.24] S3 Multi-Region Access Points should have block public access settings enabled](s3-controls.md#s3-24) 
+  [[S3.25] S3 directory buckets should have lifecycle configurations](s3-controls.md#s3-25) 
+  [[SES.1] SES contact lists should be tagged](ses-controls.md#ses-1) 
+  [[SES.2] SES configuration sets should be tagged](ses-controls.md#ses-2) 
+  [[SES.3] SES configuration sets should have TLS enabled for sending emails](ses-controls.md#ses-3) 
+  [[WAF.1] Amazon WAF Classic Global Web ACL logging should be enabled](waf-controls.md#waf-1) 
+  [[WAF.6] Amazon WAF Classic global rules should have at least one condition](waf-controls.md#waf-6) 
+  [[WAF.7] Amazon WAF Classic global rule groups should have at least one rule](waf-controls.md#waf-7) 
+  [[WAF.8] Amazon WAF Classic global web ACLs should have at least one rule or rule group](waf-controls.md#waf-8) 
+  [[WorkSpaces.1] WorkSpaces user volumes should be encrypted at rest](workspaces-controls.md#workspaces-1) 
+  [[WorkSpaces.2] WorkSpaces root volumes should be encrypted at rest](workspaces-controls.md#workspaces-2) 

## Asia Pacific (Hyderabad)


The following controls are not supported in the Asia Pacific (Hyderabad) Region.
+  [[Account.2] Amazon Web Services accounts should be part of an Amazon Organizations organization](account-controls.md#account-2) 
+  [[APIGateway.8] API Gateway routes should specify an authorization type](apigateway-controls.md#apigateway-8) 
+  [[APIGateway.9] Access logging should be configured for API Gateway V2 Stages](apigateway-controls.md#apigateway-9) 
+  [[Amplify.1] Amplify apps should be tagged](amplify-controls.md#amplify-1) 
+  [[Amplify.2] Amplify branches should be tagged](amplify-controls.md#amplify-2) 
+  [[AppConfig.1] Amazon AppConfig applications should be tagged](appconfig-controls.md#appconfig-1) 
+  [[AppConfig.2] Amazon AppConfig configuration profiles should be tagged](appconfig-controls.md#appconfig-2) 
+  [[AppConfig.3] Amazon AppConfig environments should be tagged](appconfig-controls.md#appconfig-3) 
+  [[AppFlow.1] Amazon AppFlow flows should be tagged](appflow-controls.md#appflow-1) 
+  [[AppRunner.1] App Runner services should be tagged](apprunner-controls.md#apprunner-1) 
+  [[AppRunner.2] App Runner VPC connectors should be tagged](apprunner-controls.md#apprunner-2) 
+  [[AppSync.1] Amazon AppSync API caches should be encrypted at rest](appsync-controls.md#appsync-1) 
+  [[AppSync.6] Amazon AppSync API caches should be encrypted in transit](appsync-controls.md#appsync-6) 
+  [[Backup.1] Amazon Backup recovery points should be encrypted at rest](backup-controls.md#backup-1) 
+  [[CloudFormation.3] CloudFormation stacks should have termination protection enabled](cloudformation-controls.md#cloudformation-3) 
+  [[CloudFormation.4] CloudFormation stacks should have associated service roles](cloudformation-controls.md#cloudformation-4) 
+  [[CloudFront.1] CloudFront distributions should have a default root object configured](cloudfront-controls.md#cloudfront-1) 
+  [[CloudFront.3] CloudFront distributions should require encryption in transit](cloudfront-controls.md#cloudfront-3) 
+  [[CloudFront.4] CloudFront distributions should have origin failover configured](cloudfront-controls.md#cloudfront-4) 
+  [[CloudFront.5] CloudFront distributions should have logging enabled](cloudfront-controls.md#cloudfront-5) 
+  [[CloudFront.6] CloudFront distributions should have WAF enabled](cloudfront-controls.md#cloudfront-6) 
+  [[CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates](cloudfront-controls.md#cloudfront-7) 
+  [[CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests](cloudfront-controls.md#cloudfront-8) 
+  [[CloudFront.9] CloudFront distributions should encrypt traffic to custom origins](cloudfront-controls.md#cloudfront-9) 
+  [[CloudFront.10] CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins](cloudfront-controls.md#cloudfront-10) 
+  [[CloudFront.12] CloudFront distributions should not point to non-existent S3 origins](cloudfront-controls.md#cloudfront-12) 
+  [[CloudFront.13] CloudFront distributions should use origin access control](cloudfront-controls.md#cloudfront-13) 
+  [[CloudFront.14] CloudFront distributions should be tagged](cloudfront-controls.md#cloudfront-14) 
+  [[CloudFront.15] CloudFront distributions should use the recommended TLS security policy](cloudfront-controls.md#cloudfront-15) 
+  [[CloudFront.16] CloudFront distributions should use origin access control for Lambda function URL origins](cloudfront-controls.md#cloudfront-16) 
+  [[CloudFront.17] CloudFront distributions should use trusted key groups for signed URLs and cookies](cloudfront-controls.md#cloudfront-17) 
+  [[CloudTrail.6] Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible](cloudtrail-controls.md#cloudtrail-6) 
+  [[CloudTrail.7] Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket](cloudtrail-controls.md#cloudtrail-7) 
+  [[CodeArtifact.1] CodeArtifact repositories should be tagged](codeartifact-controls.md#codeartifact-1) 
+  [[CodeGuruProfiler.1] CodeGuru Profiler profiling groups should be tagged](codeguruprofiler-controls.md#codeguruprofiler-1) 
+  [[CodeGuruReviewer.1] CodeGuru Reviewer repository associations should be tagged](codegurureviewer-controls.md#codegurureviewer-1) 
+  [[Cognito.1] Cognito user pools should have threat protection activated with full function enforcement mode for standard authentication](cognito-controls.md#cognito-1) 
+  [[Cognito.2] Cognito identity pools should not allow unauthenticated identities](cognito-controls.md#cognito-2) 
+  [[Connect.1] Amazon Connect Customer Profiles object types should be tagged](connect-controls.md#connect-1) 
+  [[Connect.2] Amazon Connect instances should have CloudWatch logging enabled](connect-controls.md#connect-2) 
+  [[Detective.1] Detective behavior graphs should be tagged](detective-controls.md#detective-1) 
+  [[DMS.2] DMS certificates should be tagged](dms-controls.md#dms-2) 
+  [[DMS.3] DMS event subscriptions should be tagged](dms-controls.md#dms-3) 
+  [[DMS.4] DMS replication instances should be tagged](dms-controls.md#dms-4) 
+  [[DMS.5] DMS replication subnet groups should be tagged](dms-controls.md#dms-5) 
+  [[DMS.6] DMS replication instances should have automatic minor version upgrade enabled](dms-controls.md#dms-6) 
+  [[DMS.7] DMS replication tasks for the target database should have logging enabled](dms-controls.md#dms-7) 
+  [[DMS.8] DMS replication tasks for the source database should have logging enabled](dms-controls.md#dms-8) 
+  [[DMS.9] DMS endpoints should use SSL](dms-controls.md#dms-9) 
+  [[DMS.10] DMS endpoints for Neptune databases should have IAM authorization enabled](dms-controls.md#dms-10) 
+  [[DMS.11] DMS endpoints for MongoDB should have an authentication mechanism enabled](dms-controls.md#dms-11) 
+  [[DMS.12] DMS endpoints for Redis OSS should have TLS enabled](dms-controls.md#dms-12) 
+  [[DMS.13] DMS replication instances should be configured to use multiple Availability Zones](dms-controls.md#dms-13) 
+  [[DynamoDB.3] DynamoDB Accelerator (DAX) clusters should be encrypted at rest](dynamodb-controls.md#dynamodb-3) 
+  [[DynamoDB.7] DynamoDB Accelerator clusters should be encrypted in transit](dynamodb-controls.md#dynamodb-7) 
+  [[EC2.14] Security groups should not allow ingress from 0.0.0.0/0 or ::/0 to port 3389](ec2-controls.md#ec2-14) 
+  [[EC2.22] Unused Amazon EC2 security groups should be removed](ec2-controls.md#ec2-22) 
+  [[EC2.24] Amazon EC2 paravirtual instance types should not be used](ec2-controls.md#ec2-24) 
+  [[EC2.25] Amazon EC2 launch templates should not assign public IPs to network interfaces](ec2-controls.md#ec2-25) 
+  [[EC2.34] EC2 transit gateway route tables should be tagged](ec2-controls.md#ec2-34) 
+  [[EC2.40] EC2 NAT gateways should be tagged](ec2-controls.md#ec2-40) 
+  [[EC2.51] EC2 Client VPN endpoints should have client connection logging enabled](ec2-controls.md#ec2-51) 
+  [[EC2.58] VPCs should be configured with an interface endpoint for Systems Manager Incident Manager Contacts](ec2-controls.md#ec2-58) 
+  [[EC2.60] VPCs should be configured with an interface endpoint for Systems Manager Incident Manager](ec2-controls.md#ec2-60) 
+  [[EC2.170] EC2 launch templates should use Instance Metadata Service Version 2 (IMDSv2)](ec2-controls.md#ec2-170) 
+  [[EC2.173] EC2 Spot Fleet requests with launch parameters should enable encryption for attached EBS volumes](ec2-controls.md#ec2-173) 
+  [[EC2.175] EC2 launch templates should be tagged](ec2-controls.md#ec2-175) 
+  [[EC2.177] EC2 traffic mirror sessions should be tagged](ec2-controls.md#ec2-177) 
+  [[EC2.179] EC2 traffic mirror targets should be tagged](ec2-controls.md#ec2-179) 
+  [[EC2.180] EC2 network interfaces should have source/destination checking enabled](ec2-controls.md#ec2-180) 
+  [[EC2.181] EC2 launch templates should enable encryption for attached EBS volumes](ec2-controls.md#ec2-181) 
+  [[ECR.4] ECR public repositories should be tagged](ecr-controls.md#ecr-4) 
+  [[EFS.1] Elastic File System should be configured to encrypt file data at-rest using Amazon KMS](efs-controls.md#efs-1) 
+  [[EFS.2] Amazon EFS volumes should be in backup plans](efs-controls.md#efs-2) 
+  [[ELB.14] Classic Load Balancer should be configured with defensive or strictest desync mitigation mode](elb-controls.md#elb-14) 
+  [[ELB.17] Application and Network Load Balancers with listeners should use recommended security policies](elb-controls.md#elb-17) 
+  [[ELB.18] Application and Network Load Balancer listeners should use secure protocols to encrypt data in transit](elb-controls.md#elb-18) 
+  [[ElastiCache.1] ElastiCache (Redis OSS) clusters should have automatic backups enabled](elasticache-controls.md#elasticache-1) 
+  [[ElastiCache.6] ElastiCache (Redis OSS) replication groups of earlier versions should have Redis OSS AUTH enabled](elasticache-controls.md#elasticache-6) 
+  [[ElastiCache.7] ElastiCache clusters should not use the default subnet group](elasticache-controls.md#elasticache-7) 
+  [[ElasticBeanstalk.1] Elastic Beanstalk environments should have enhanced health reporting enabled](elasticbeanstalk-controls.md#elasticbeanstalk-1) 
+  [[ElasticBeanstalk.2] Elastic Beanstalk managed platform updates should be enabled](elasticbeanstalk-controls.md#elasticbeanstalk-2) 
+  [[ElasticBeanstalk.3] Elastic Beanstalk should stream logs to CloudWatch](elasticbeanstalk-controls.md#elasticbeanstalk-3) 
+  [[EMR.1] Amazon EMR cluster primary nodes should not have public IP addresses](emr-controls.md#emr-1) 
+  [[ES.4] Elasticsearch domain error logging to CloudWatch Logs should be enabled](es-controls.md#es-4) 
+  [[EventBridge.4] EventBridge global endpoints should have event replication enabled](eventbridge-controls.md#eventbridge-4) 
+  [[FraudDetector.1] Amazon Fraud Detector entity types should be tagged](frauddetector-controls.md#frauddetector-1) 
+  [[FraudDetector.2] Amazon Fraud Detector labels should be tagged](frauddetector-controls.md#frauddetector-2) 
+  [[FraudDetector.3] Amazon Fraud Detector outcomes should be tagged](frauddetector-controls.md#frauddetector-3) 
+  [[FraudDetector.4] Amazon Fraud Detector variables should be tagged](frauddetector-controls.md#frauddetector-4) 
+  [[GlobalAccelerator.1] Global Accelerator accelerators should be tagged](globalaccelerator-controls.md#globalaccelerator-1) 
+  [[Glue.4] Amazon Glue Spark jobs should run on supported versions of Amazon Glue](glue-controls.md#glue-4) 
+  [[GuardDuty.2] GuardDuty filters should be tagged](guardduty-controls.md#guardduty-2) 
+  [[IAM.1] IAM policies should not allow full "*" administrative privileges](iam-controls.md#iam-1) 
+  [[IAM.2] IAM users should not have IAM policies attached](iam-controls.md#iam-2) 
+  [[IAM.3] IAM users' access keys should be rotated every 90 days or less](iam-controls.md#iam-3) 
+  [[IAM.5] MFA should be enabled for all IAM users that have a console password](iam-controls.md#iam-5) 
+  [[IAM.8] Unused IAM user credentials should be removed](iam-controls.md#iam-8) 
+  [[IAM.18] Ensure a support role has been created to manage incidents with Amazon Web Services Support](iam-controls.md#iam-18) 
+  [[IAM.19] MFA should be enabled for all IAM users](iam-controls.md#iam-19) 
+  [[IAM.21] IAM customer managed policies that you create should not allow wildcard actions for services](iam-controls.md#iam-21) 
+  [[IAM.22] IAM user credentials unused for 45 days should be removed](iam-controls.md#iam-22) 
+  [[IAM.24] IAM roles should be tagged](iam-controls.md#iam-24) 
+  [[IAM.25] IAM users should be tagged](iam-controls.md#iam-25) 
+  [[IAM.26] Expired SSL/TLS certificates managed in IAM should be removed](iam-controls.md#iam-26) 
+  [[IAM.27] IAM identities should not have the AWSCloudShellFullAccess policy attached](iam-controls.md#iam-27) 
+  [[Inspector.1] Amazon Inspector EC2 scanning should be enabled](inspector-controls.md#inspector-1) 
+  [[Inspector.2] Amazon Inspector ECR scanning should be enabled](inspector-controls.md#inspector-2) 
+  [[Inspector.3] Amazon Inspector Lambda code scanning should be enabled](inspector-controls.md#inspector-3) 
+  [[Inspector.4] Amazon Inspector Lambda standard scanning should be enabled](inspector-controls.md#inspector-4) 
+  [[IoT.1] Amazon IoT Device Defender security profiles should be tagged](iot-controls.md#iot-1) 
+  [[IoT.2] Amazon IoT Core mitigation actions should be tagged](iot-controls.md#iot-2) 
+  [[IoT.3] Amazon IoT Core dimensions should be tagged](iot-controls.md#iot-3) 
+  [[IoT.4] Amazon IoT Core authorizers should be tagged](iot-controls.md#iot-4) 
+  [[IoT.5] Amazon IoT Core role aliases should be tagged](iot-controls.md#iot-5) 
+  [[IoT.6] Amazon IoT Core policies should be tagged](iot-controls.md#iot-6) 
+  [[IoTEvents.1] Amazon IoT Events inputs should be tagged](iotevents-controls.md#iotevents-1) 
+  [[IoTEvents.2] Amazon IoT Events detector models should be tagged](iotevents-controls.md#iotevents-2) 
+  [[IoTEvents.3] Amazon IoT Events alarm models should be tagged](iotevents-controls.md#iotevents-3) 
+  [[IoTSiteWise.1] Amazon IoT SiteWise asset models should be tagged](iotsitewise-controls.md#iotsitewise-1) 
+  [[IoTSiteWise.2] Amazon IoT SiteWise dashboards should be tagged](iotsitewise-controls.md#iotsitewise-2) 
+  [[IoTSiteWise.3] Amazon IoT SiteWise gateways should be tagged](iotsitewise-controls.md#iotsitewise-3) 
+  [[IoTSiteWise.4] Amazon IoT SiteWise portals should be tagged](iotsitewise-controls.md#iotsitewise-4) 
+  [[IoTSiteWise.5] Amazon IoT SiteWise projects should be tagged](iotsitewise-controls.md#iotsitewise-5) 
+  [[IoTTwinMaker.1] Amazon IoT TwinMaker sync jobs should be tagged](iottwinmaker-controls.md#iottwinmaker-1) 
+  [[IoTTwinMaker.2] Amazon IoT TwinMaker workspaces should be tagged](iottwinmaker-controls.md#iottwinmaker-2) 
+  [[IoTTwinMaker.3] Amazon IoT TwinMaker scenes should be tagged](iottwinmaker-controls.md#iottwinmaker-3) 
+  [[IoTTwinMaker.4] Amazon IoT TwinMaker entities should be tagged](iottwinmaker-controls.md#iottwinmaker-4) 
+  [[IoTWireless.1] Amazon IoT Wireless multicast groups should be tagged](iotwireless-controls.md#iotwireless-1) 
+  [[IoTWireless.2] Amazon IoT Wireless service profiles should be tagged](iotwireless-controls.md#iotwireless-2) 
+  [[IoTWireless.3] Amazon IoT FUOTA tasks should be tagged](iotwireless-controls.md#iotwireless-3) 
+  [[IVS.1] IVS playback key pairs should be tagged](ivs-controls.md#ivs-1) 
+  [[IVS.2] IVS recording configurations should be tagged](ivs-controls.md#ivs-2) 
+  [[IVS.3] IVS channels should be tagged](ivs-controls.md#ivs-3) 
+  [[Keyspaces.1] Amazon Keyspaces keyspaces should be tagged](keyspaces-controls.md#keyspaces-1) 
+  [[KMS.1] IAM customer managed policies should not allow decryption actions on all KMS keys](kms-controls.md#kms-1) 
+  [[KMS.2] IAM principals should not have IAM inline policies that allow decryption actions on all KMS keys](kms-controls.md#kms-2) 
+  [[Lambda.7] Lambda functions should have Amazon X-Ray active tracing enabled](lambda-controls.md#lambda-7) 
+  [[Macie.1] Amazon Macie should be enabled](macie-controls.md#macie-1) 
+  [[Macie.2] Macie automated sensitive data discovery should be enabled](macie-controls.md#macie-2) 
+  [[MQ.2] ActiveMQ brokers should stream audit logs to CloudWatch](mq-controls.md#mq-2) 
+  [[MQ.4] Amazon MQ brokers should be tagged](mq-controls.md#mq-4) 
+  [[MQ.5] ActiveMQ brokers should use active/standby deployment mode](mq-controls.md#mq-5) 
+  [[MQ.6] RabbitMQ brokers should use cluster deployment mode](mq-controls.md#mq-6) 
+  [[MSK.3] MSK Connect connectors should be encrypted in transit](msk-controls.md#msk-3) 
+  [[MSK.4] MSK clusters should have public access disabled](msk-controls.md#msk-4) 
+  [[MSK.5] MSK connectors should have logging enabled](msk-controls.md#msk-5) 
+  [[MSK.6] MSK clusters should disable unauthenticated access](msk-controls.md#msk-6) 
+  [[Neptune.1] Neptune DB clusters should be encrypted at rest](neptune-controls.md#neptune-1) 
+  [[Neptune.2] Neptune DB clusters should publish audit logs to CloudWatch Logs](neptune-controls.md#neptune-2) 
+  [[Neptune.3] Neptune DB cluster snapshots should not be public](neptune-controls.md#neptune-3) 
+  [[Neptune.4] Neptune DB clusters should have deletion protection enabled](neptune-controls.md#neptune-4) 
+  [[Neptune.5] Neptune DB clusters should have automated backups enabled](neptune-controls.md#neptune-5) 
+  [[Neptune.6] Neptune DB cluster snapshots should be encrypted at rest](neptune-controls.md#neptune-6) 
+  [[Neptune.7] Neptune DB clusters should have IAM database authentication enabled](neptune-controls.md#neptune-7) 
+  [[Neptune.8] Neptune DB clusters should be configured to copy tags to snapshots](neptune-controls.md#neptune-8) 
+  [[Neptune.9] Neptune DB clusters should be deployed across multiple Availability Zones](neptune-controls.md#neptune-9) 
+  [[Opensearch.1] OpenSearch domains should have encryption at rest enabled](opensearch-controls.md#opensearch-1) 
+  [[Opensearch.2] OpenSearch domains should not be publicly accessible](opensearch-controls.md#opensearch-2) 
+  [[Opensearch.3] OpenSearch domains should encrypt data sent between nodes](opensearch-controls.md#opensearch-3) 
+  [[Opensearch.4] OpenSearch domain error logging to CloudWatch Logs should be enabled](opensearch-controls.md#opensearch-4) 
+  [[Opensearch.5] OpenSearch domains should have audit logging enabled](opensearch-controls.md#opensearch-5) 
+  [[Opensearch.6] OpenSearch domains should have at least three data nodes](opensearch-controls.md#opensearch-6) 
+  [[Opensearch.7] OpenSearch domains should have fine-grained access control enabled](opensearch-controls.md#opensearch-7) 
+  [[Opensearch.8] Connections to OpenSearch domains should be encrypted using the latest TLS security policy](opensearch-controls.md#opensearch-8) 
+  [[Opensearch.9] OpenSearch domains should be tagged](opensearch-controls.md#opensearch-9) 
+  [[Opensearch.10] OpenSearch domains should have the latest software update installed](opensearch-controls.md#opensearch-10) 
+  [[Opensearch.11] OpenSearch domains should have at least three dedicated primary nodes](opensearch-controls.md#opensearch-11) 
+  [[RDS.14] Amazon Aurora clusters should have backtracking enabled](rds-controls.md#rds-14) 
+  [[RDS.31] RDS DB security groups should be tagged](rds-controls.md#rds-31) 
+  [[RDS.35] RDS DB clusters should have automatic minor version upgrade enabled](rds-controls.md#rds-35) 
+  [[RDS.37] Aurora PostgreSQL DB clusters should publish logs to CloudWatch Logs](rds-controls.md#rds-37) 
+  [[Redshift.10] Redshift clusters should be encrypted at rest](redshift-controls.md#redshift-10) 
+  [[Redshift.18] Redshift clusters should have Multi-AZ deployments enabled](redshift-controls.md#redshift-18) 
+  [[RedshiftServerless.1] Amazon Redshift Serverless workgroups should use enhanced VPC routing](redshiftserverless-controls.md#redshiftserverless-1) 
+  [[RedshiftServerless.2] Connections to Redshift Serverless workgroups should be required to use SSL](redshiftserverless-controls.md#redshiftserverless-2) 
+  [[RedshiftServerless.3] Redshift Serverless workgroups should prohibit public access](redshiftserverless-controls.md#redshiftserverless-3) 
+  [[RedshiftServerless.4] Redshift Serverless namespaces should be encrypted with customer managed Amazon KMS keys](redshiftserverless-controls.md#redshiftserverless-4) 
+  [[RedshiftServerless.5] Redshift Serverless namespaces should not use the default admin username](redshiftserverless-controls.md#redshiftserverless-5) 
+  [[RedshiftServerless.6] Redshift Serverless namespaces should export logs to CloudWatch Logs](redshiftserverless-controls.md#redshiftserverless-6) 
+  [[Route53.1] Route 53 health checks should be tagged](route53-controls.md#route53-1) 
+  [[Route53.2] Route 53 public hosted zones should log DNS queries](route53-controls.md#route53-2) 
+  [[S3.24] S3 Multi-Region Access Points should have block public access settings enabled](s3-controls.md#s3-24) 
+  [[S3.25] S3 directory buckets should have lifecycle configurations](s3-controls.md#s3-25) 
+  [[SageMaker.1] Amazon SageMaker notebook instances should not have direct internet access](sagemaker-controls.md#sagemaker-1) 
+  [[SageMaker.2] SageMaker notebook instances should be launched in a custom VPC](sagemaker-controls.md#sagemaker-2) 
+  [[SageMaker.3] Users should not have root access to SageMaker notebook instances](sagemaker-controls.md#sagemaker-3) 
+  [[SageMaker.5] SageMaker models should have network isolation enabled](sagemaker-controls.md#sagemaker-5) 
+  [[SageMaker.6] SageMaker app image configurations should be tagged](sagemaker-controls.md#sagemaker-6) 
+  [[SageMaker.7] SageMaker images should be tagged](sagemaker-controls.md#sagemaker-7) 
+  [[SageMaker.9] SageMaker data quality job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-9) 
+  [[SageMaker.10] SageMaker model explainability job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-10) 
+  [[SageMaker.11] SageMaker data quality job definitions should have network isolation enabled](sagemaker-controls.md#sagemaker-11) 
+  [[SageMaker.12] SageMaker model bias job definitions should have network isolation enabled](sagemaker-controls.md#sagemaker-12) 
+  [[SageMaker.13] SageMaker model quality job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-13) 
+  [[SageMaker.14] SageMaker monitoring schedules should have network isolation enabled](sagemaker-controls.md#sagemaker-14) 
+  [[SageMaker.15] SageMaker model bias job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-15) 
+  [[SES.3] SES configuration sets should have TLS enabled for sending emails](ses-controls.md#ses-3) 
+  [[SQS.1] Amazon SQS queues should be encrypted at rest](sqs-controls.md#sqs-1) 
+  [[SQS.2] SQS queues should be tagged](sqs-controls.md#sqs-2) 
+  [[SQS.3] SQS queue access policies should not allow public access](sqs-controls.md#sqs-3) 
+  [[SSM.6] SSM Automation should have CloudWatch logging enabled](ssm-controls.md#ssm-6) 
+  [[SSM.7] SSM documents should have the block public sharing setting enabled](ssm-controls.md#ssm-7) 
+  [[Transfer.3] Transfer Family connectors should have logging enabled](transfer-controls.md#transfer-3) 
+  [[Transfer.4] Transfer Family agreements should be tagged](transfer-controls.md#transfer-4) 
+  [[WAF.1] Amazon WAF Classic Global Web ACL logging should be enabled](waf-controls.md#waf-1) 
+  [[WAF.3] Amazon WAF Classic Regional rule groups should have at least one rule](waf-controls.md#waf-3) 
+  [[WAF.6] Amazon WAF Classic global rules should have at least one condition](waf-controls.md#waf-6) 
+  [[WAF.7] Amazon WAF Classic global rule groups should have at least one rule](waf-controls.md#waf-7) 
+  [[WAF.8] Amazon WAF Classic global web ACLs should have at least one rule or rule group](waf-controls.md#waf-8) 
+  [[WAF.10] Amazon WAF web ACLs should have at least one rule or rule group](waf-controls.md#waf-10) 
+  [[WorkSpaces.1] WorkSpaces user volumes should be encrypted at rest](workspaces-controls.md#workspaces-1) 
+  [[WorkSpaces.2] WorkSpaces root volumes should be encrypted at rest](workspaces-controls.md#workspaces-2) 

## Asia Pacific (Jakarta)


The following controls are not supported in the Asia Pacific (Jakarta) Region.
+  [[Account.2] Amazon Web Services accounts should be part of an Amazon Organizations organization](account-controls.md#account-2) 
+  [[APIGateway.8] API Gateway routes should specify an authorization type](apigateway-controls.md#apigateway-8) 
+  [[APIGateway.9] Access logging should be configured for API Gateway V2 Stages](apigateway-controls.md#apigateway-9) 
+  [[Amplify.1] Amplify apps should be tagged](amplify-controls.md#amplify-1) 
+  [[Amplify.2] Amplify branches should be tagged](amplify-controls.md#amplify-2) 
+  [[AppFlow.1] Amazon AppFlow flows should be tagged](appflow-controls.md#appflow-1) 
+  [[AppRunner.1] App Runner services should be tagged](apprunner-controls.md#apprunner-1) 
+  [[AppRunner.2] App Runner VPC connectors should be tagged](apprunner-controls.md#apprunner-2) 
+  [[AppSync.1] Amazon AppSync API caches should be encrypted at rest](appsync-controls.md#appsync-1) 
+  [[AppSync.6] Amazon AppSync API caches should be encrypted in transit](appsync-controls.md#appsync-6) 
+  [[Backup.1] Amazon Backup recovery points should be encrypted at rest](backup-controls.md#backup-1) 
+  [[CloudFormation.3] CloudFormation stacks should have termination protection enabled](cloudformation-controls.md#cloudformation-3) 
+  [[CloudFormation.4] CloudFormation stacks should have associated service roles](cloudformation-controls.md#cloudformation-4) 
+  [[CloudFront.1] CloudFront distributions should have a default root object configured](cloudfront-controls.md#cloudfront-1) 
+  [[CloudFront.3] CloudFront distributions should require encryption in transit](cloudfront-controls.md#cloudfront-3) 
+  [[CloudFront.4] CloudFront distributions should have origin failover configured](cloudfront-controls.md#cloudfront-4) 
+  [[CloudFront.5] CloudFront distributions should have logging enabled](cloudfront-controls.md#cloudfront-5) 
+  [[CloudFront.6] CloudFront distributions should have WAF enabled](cloudfront-controls.md#cloudfront-6) 
+  [[CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates](cloudfront-controls.md#cloudfront-7) 
+  [[CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests](cloudfront-controls.md#cloudfront-8) 
+  [[CloudFront.9] CloudFront distributions should encrypt traffic to custom origins](cloudfront-controls.md#cloudfront-9) 
+  [[CloudFront.10] CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins](cloudfront-controls.md#cloudfront-10) 
+  [[CloudFront.12] CloudFront distributions should not point to non-existent S3 origins](cloudfront-controls.md#cloudfront-12) 
+  [[CloudFront.13] CloudFront distributions should use origin access control](cloudfront-controls.md#cloudfront-13) 
+  [[CloudFront.14] CloudFront distributions should be tagged](cloudfront-controls.md#cloudfront-14) 
+  [[CloudFront.15] CloudFront distributions should use the recommended TLS security policy](cloudfront-controls.md#cloudfront-15) 
+  [[CloudFront.16] CloudFront distributions should use origin access control for Lambda function URL origins](cloudfront-controls.md#cloudfront-16) 
+  [[CloudFront.17] CloudFront distributions should use trusted key groups for signed URLs and cookies](cloudfront-controls.md#cloudfront-17) 
+  [[CodeArtifact.1] CodeArtifact repositories should be tagged](codeartifact-controls.md#codeartifact-1) 
+  [[CodeBuild.1] CodeBuild Bitbucket source repository URLs should not contain sensitive credentials](codebuild-controls.md#codebuild-1) 
+  [[CodeBuild.2] CodeBuild project environment variables should not contain clear text credentials](codebuild-controls.md#codebuild-2) 
+  [[CodeBuild.3] CodeBuild S3 logs should be encrypted](codebuild-controls.md#codebuild-3) 
+  [[CodeBuild.4] CodeBuild project environments should have a logging Amazon Configuration](codebuild-controls.md#codebuild-4) 
+  [[CodeGuruProfiler.1] CodeGuru Profiler profiling groups should be tagged](codeguruprofiler-controls.md#codeguruprofiler-1) 
+  [[CodeGuruReviewer.1] CodeGuru Reviewer repository associations should be tagged](codegurureviewer-controls.md#codegurureviewer-1) 
+  [[Cognito.1] Cognito user pools should have threat protection activated with full function enforcement mode for standard authentication](cognito-controls.md#cognito-1) 
+  [[Connect.1] Amazon Connect Customer Profiles object types should be tagged](connect-controls.md#connect-1) 
+  [[Connect.2] Amazon Connect instances should have CloudWatch logging enabled](connect-controls.md#connect-2) 
+  [[Detective.1] Detective behavior graphs should be tagged](detective-controls.md#detective-1) 
+  [[DMS.2] DMS certificates should be tagged](dms-controls.md#dms-2) 
+  [[DMS.3] DMS event subscriptions should be tagged](dms-controls.md#dms-3) 
+  [[DMS.4] DMS replication instances should be tagged](dms-controls.md#dms-4) 
+  [[DMS.5] DMS replication subnet groups should be tagged](dms-controls.md#dms-5) 
+  [[DMS.6] DMS replication instances should have automatic minor version upgrade enabled](dms-controls.md#dms-6) 
+  [[DMS.7] DMS replication tasks for the target database should have logging enabled](dms-controls.md#dms-7) 
+  [[DMS.8] DMS replication tasks for the source database should have logging enabled](dms-controls.md#dms-8) 
+  [[DMS.9] DMS endpoints should use SSL](dms-controls.md#dms-9) 
+  [[DMS.10] DMS endpoints for Neptune databases should have IAM authorization enabled](dms-controls.md#dms-10) 
+  [[DMS.11] DMS endpoints for MongoDB should have an authentication mechanism enabled](dms-controls.md#dms-11) 
+  [[DMS.12] DMS endpoints for Redis OSS should have TLS enabled](dms-controls.md#dms-12) 
+  [[DMS.13] DMS replication instances should be configured to use multiple Availability Zones](dms-controls.md#dms-13) 
+  [[DocumentDB.1] Amazon DocumentDB clusters should be encrypted at rest](documentdb-controls.md#documentdb-1) 
+  [[DocumentDB.2] Amazon DocumentDB clusters should have an adequate backup retention period](documentdb-controls.md#documentdb-2) 
+  [[DocumentDB.3] Amazon DocumentDB manual cluster snapshots should not be public](documentdb-controls.md#documentdb-3) 
+  [[DocumentDB.4] Amazon DocumentDB clusters should publish audit logs to CloudWatch Logs](documentdb-controls.md#documentdb-4) 
+  [[DocumentDB.5] Amazon DocumentDB clusters should have deletion protection enabled](documentdb-controls.md#documentdb-5) 
+  [[DocumentDB.6] Amazon DocumentDB clusters should be encrypted in transit](documentdb-controls.md#documentdb-6) 
+  [[DynamoDB.3] DynamoDB Accelerator (DAX) clusters should be encrypted at rest](dynamodb-controls.md#dynamodb-3) 
+  [[DynamoDB.7] DynamoDB Accelerator clusters should be encrypted in transit](dynamodb-controls.md#dynamodb-7) 
+  [[EC2.14] Security groups should not allow ingress from 0.0.0.0/0 or ::/0 to port 3389](ec2-controls.md#ec2-14) 
+  [[EC2.22] Unused Amazon EC2 security groups should be removed](ec2-controls.md#ec2-22) 
+  [[EC2.24] Amazon EC2 paravirtual instance types should not be used](ec2-controls.md#ec2-24) 
+  [[EC2.51] EC2 Client VPN endpoints should have client connection logging enabled](ec2-controls.md#ec2-51) 
+  [[EC2.58] VPCs should be configured with an interface endpoint for Systems Manager Incident Manager Contacts](ec2-controls.md#ec2-58) 
+  [[EC2.60] VPCs should be configured with an interface endpoint for Systems Manager Incident Manager](ec2-controls.md#ec2-60) 
+  [[EC2.173] EC2 Spot Fleet requests with launch parameters should enable encryption for attached EBS volumes](ec2-controls.md#ec2-173) 
+  [[EC2.177] EC2 traffic mirror sessions should be tagged](ec2-controls.md#ec2-177) 
+  [[EC2.179] EC2 traffic mirror targets should be tagged](ec2-controls.md#ec2-179) 
+  [[ECR.4] ECR public repositories should be tagged](ecr-controls.md#ecr-4) 
+  [[EFS.1] Elastic File System should be configured to encrypt file data at-rest using Amazon KMS](efs-controls.md#efs-1) 
+  [[EFS.2] Amazon EFS volumes should be in backup plans](efs-controls.md#efs-2) 
+  [[ELB.17] Application and Network Load Balancers with listeners should use recommended security policies](elb-controls.md#elb-17) 
+  [[ELB.18] Application and Network Load Balancer listeners should use secure protocols to encrypt data in transit](elb-controls.md#elb-18) 
+  [[ElastiCache.1] ElastiCache (Redis OSS) clusters should have automatic backups enabled](elasticache-controls.md#elasticache-1) 
+  [[ElastiCache.6] ElastiCache (Redis OSS) replication groups of earlier versions should have Redis OSS AUTH enabled](elasticache-controls.md#elasticache-6) 
+  [[ElastiCache.7] ElastiCache clusters should not use the default subnet group](elasticache-controls.md#elasticache-7) 
+  [[ElasticBeanstalk.1] Elastic Beanstalk environments should have enhanced health reporting enabled](elasticbeanstalk-controls.md#elasticbeanstalk-1) 
+  [[EventBridge.4] EventBridge global endpoints should have event replication enabled](eventbridge-controls.md#eventbridge-4) 
+  [[FraudDetector.1] Amazon Fraud Detector entity types should be tagged](frauddetector-controls.md#frauddetector-1) 
+  [[FraudDetector.2] Amazon Fraud Detector labels should be tagged](frauddetector-controls.md#frauddetector-2) 
+  [[FraudDetector.3] Amazon Fraud Detector outcomes should be tagged](frauddetector-controls.md#frauddetector-3) 
+  [[FraudDetector.4] Amazon Fraud Detector variables should be tagged](frauddetector-controls.md#frauddetector-4) 
+  [[GlobalAccelerator.1] Global Accelerator accelerators should be tagged](globalaccelerator-controls.md#globalaccelerator-1) 
+  [[GuardDuty.2] GuardDuty filters should be tagged](guardduty-controls.md#guardduty-2) 
+  [[IAM.18] Ensure a support role has been created to manage incidents with Amazon Web Services Support](iam-controls.md#iam-18) 
+  [[IAM.26] Expired SSL/TLS certificates managed in IAM should be removed](iam-controls.md#iam-26) 
+  [[Inspector.3] Amazon Inspector Lambda code scanning should be enabled](inspector-controls.md#inspector-3) 
+  [[IoT.1] Amazon IoT Device Defender security profiles should be tagged](iot-controls.md#iot-1) 
+  [[IoT.2] Amazon IoT Core mitigation actions should be tagged](iot-controls.md#iot-2) 
+  [[IoT.3] Amazon IoT Core dimensions should be tagged](iot-controls.md#iot-3) 
+  [[IoT.4] Amazon IoT Core authorizers should be tagged](iot-controls.md#iot-4) 
+  [[IoT.5] Amazon IoT Core role aliases should be tagged](iot-controls.md#iot-5) 
+  [[IoT.6] Amazon IoT Core policies should be tagged](iot-controls.md#iot-6) 
+  [[IoTEvents.1] Amazon IoT Events inputs should be tagged](iotevents-controls.md#iotevents-1) 
+  [[IoTEvents.2] Amazon IoT Events detector models should be tagged](iotevents-controls.md#iotevents-2) 
+  [[IoTEvents.3] Amazon IoT Events alarm models should be tagged](iotevents-controls.md#iotevents-3) 
+  [[IoTSiteWise.1] Amazon IoT SiteWise asset models should be tagged](iotsitewise-controls.md#iotsitewise-1) 
+  [[IoTSiteWise.2] Amazon IoT SiteWise dashboards should be tagged](iotsitewise-controls.md#iotsitewise-2) 
+  [[IoTSiteWise.3] Amazon IoT SiteWise gateways should be tagged](iotsitewise-controls.md#iotsitewise-3) 
+  [[IoTSiteWise.4] Amazon IoT SiteWise portals should be tagged](iotsitewise-controls.md#iotsitewise-4) 
+  [[IoTSiteWise.5] Amazon IoT SiteWise projects should be tagged](iotsitewise-controls.md#iotsitewise-5) 
+  [[IoTTwinMaker.1] Amazon IoT TwinMaker sync jobs should be tagged](iottwinmaker-controls.md#iottwinmaker-1) 
+  [[IoTTwinMaker.2] Amazon IoT TwinMaker workspaces should be tagged](iottwinmaker-controls.md#iottwinmaker-2) 
+  [[IoTTwinMaker.3] Amazon IoT TwinMaker scenes should be tagged](iottwinmaker-controls.md#iottwinmaker-3) 
+  [[IoTTwinMaker.4] Amazon IoT TwinMaker entities should be tagged](iottwinmaker-controls.md#iottwinmaker-4) 
+  [[IoTWireless.1] Amazon IoT Wireless multicast groups should be tagged](iotwireless-controls.md#iotwireless-1) 
+  [[IoTWireless.2] Amazon IoT Wireless service profiles should be tagged](iotwireless-controls.md#iotwireless-2) 
+  [[IoTWireless.3] Amazon IoT FUOTA tasks should be tagged](iotwireless-controls.md#iotwireless-3) 
+  [[IVS.1] IVS playback key pairs should be tagged](ivs-controls.md#ivs-1) 
+  [[IVS.2] IVS recording configurations should be tagged](ivs-controls.md#ivs-2) 
+  [[IVS.3] IVS channels should be tagged](ivs-controls.md#ivs-3) 
+  [[Keyspaces.1] Amazon Keyspaces keyspaces should be tagged](keyspaces-controls.md#keyspaces-1) 
+  [[Macie.1] Amazon Macie should be enabled](macie-controls.md#macie-1) 
+  [[Macie.2] Macie automated sensitive data discovery should be enabled](macie-controls.md#macie-2) 
+  [[MSK.3] MSK Connect connectors should be encrypted in transit](msk-controls.md#msk-3) 
+  [[MSK.5] MSK connectors should have logging enabled](msk-controls.md#msk-5) 
+  [[Neptune.1] Neptune DB clusters should be encrypted at rest](neptune-controls.md#neptune-1) 
+  [[Neptune.2] Neptune DB clusters should publish audit logs to CloudWatch Logs](neptune-controls.md#neptune-2) 
+  [[Neptune.3] Neptune DB cluster snapshots should not be public](neptune-controls.md#neptune-3) 
+  [[Neptune.4] Neptune DB clusters should have deletion protection enabled](neptune-controls.md#neptune-4) 
+  [[Neptune.5] Neptune DB clusters should have automated backups enabled](neptune-controls.md#neptune-5) 
+  [[Neptune.6] Neptune DB cluster snapshots should be encrypted at rest](neptune-controls.md#neptune-6) 
+  [[Neptune.7] Neptune DB clusters should have IAM database authentication enabled](neptune-controls.md#neptune-7) 
+  [[Neptune.8] Neptune DB clusters should be configured to copy tags to snapshots](neptune-controls.md#neptune-8) 
+  [[Neptune.9] Neptune DB clusters should be deployed across multiple Availability Zones](neptune-controls.md#neptune-9) 
+  [[Opensearch.5] OpenSearch domains should have audit logging enabled](opensearch-controls.md#opensearch-5) 
+  [[Opensearch.6] OpenSearch domains should have at least three data nodes](opensearch-controls.md#opensearch-6) 
+  [[RDS.14] Amazon Aurora clusters should have backtracking enabled](rds-controls.md#rds-14) 
+  [[RDS.31] RDS DB security groups should be tagged](rds-controls.md#rds-31) 
+  [[RedshiftServerless.1] Amazon Redshift Serverless workgroups should use enhanced VPC routing](redshiftserverless-controls.md#redshiftserverless-1) 
+  [[RedshiftServerless.2] Connections to Redshift Serverless workgroups should be required to use SSL](redshiftserverless-controls.md#redshiftserverless-2) 
+  [[Route53.1] Route 53 health checks should be tagged](route53-controls.md#route53-1) 
+  [[Route53.2] Route 53 public hosted zones should log DNS queries](route53-controls.md#route53-2) 
+  [[S3.11] S3 general purpose buckets should have event notifications enabled](s3-controls.md#s3-11) 
+  [[S3.24] S3 Multi-Region Access Points should have block public access settings enabled](s3-controls.md#s3-24) 
+  [[S3.25] S3 directory buckets should have lifecycle configurations](s3-controls.md#s3-25) 
+  [[SageMaker.9] SageMaker data quality job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-9) 
+  [[SageMaker.10] SageMaker model explainability job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-10) 
+  [[SageMaker.11] SageMaker data quality job definitions should have network isolation enabled](sagemaker-controls.md#sagemaker-11) 
+  [[SageMaker.12] SageMaker model bias job definitions should have network isolation enabled](sagemaker-controls.md#sagemaker-12) 
+  [[SageMaker.13] SageMaker model quality job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-13) 
+  [[SageMaker.14] SageMaker monitoring schedules should have network isolation enabled](sagemaker-controls.md#sagemaker-14) 
+  [[SageMaker.15] SageMaker model bias job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-15) 
+  [[ServiceCatalog.1] Service Catalog portfolios should be shared within an Amazon organization only](servicecatalog-controls.md#servicecatalog-1) 
+  [[SQS.1] Amazon SQS queues should be encrypted at rest](sqs-controls.md#sqs-1) 
+  [[SQS.2] SQS queues should be tagged](sqs-controls.md#sqs-2) 
+  [[SQS.3] SQS queue access policies should not allow public access](sqs-controls.md#sqs-3) 
+  [[WAF.1] Amazon WAF Classic Global Web ACL logging should be enabled](waf-controls.md#waf-1) 
+  [[WAF.3] Amazon WAF Classic Regional rule groups should have at least one rule](waf-controls.md#waf-3) 
+  [[WAF.6] Amazon WAF Classic global rules should have at least one condition](waf-controls.md#waf-6) 
+  [[WAF.7] Amazon WAF Classic global rule groups should have at least one rule](waf-controls.md#waf-7) 
+  [[WAF.8] Amazon WAF Classic global web ACLs should have at least one rule or rule group](waf-controls.md#waf-8) 
+  [[WAF.10] Amazon WAF web ACLs should have at least one rule or rule group](waf-controls.md#waf-10) 
+  [[WorkSpaces.1] WorkSpaces user volumes should be encrypted at rest](workspaces-controls.md#workspaces-1) 
+  [[WorkSpaces.2] WorkSpaces root volumes should be encrypted at rest](workspaces-controls.md#workspaces-2) 

## Asia Pacific (Malaysia)
The following controls are not supported in the Asia Pacific (Malaysia) Region.
+  [[ACM.1] Imported and ACM-issued certificates should be renewed after a specified time period](acm-controls.md#acm-1) 
+  [[ACM.2] RSA certificates managed by ACM should use a key length of at least 2,048 bits](acm-controls.md#acm-2) 
+  [[Account.1] Security contact information should be provided for an Amazon Web Services account](account-controls.md#account-1) 
+  [[Account.2] Amazon Web Services accounts should be part of an Amazon Organizations organization](account-controls.md#account-2) 
+  [[APIGateway.8] API Gateway routes should specify an authorization type](apigateway-controls.md#apigateway-8) 
+  [[APIGateway.9] Access logging should be configured for API Gateway V2 Stages](apigateway-controls.md#apigateway-9) 
+  [[Amplify.1] Amplify apps should be tagged](amplify-controls.md#amplify-1) 
+  [[Amplify.2] Amplify branches should be tagged](amplify-controls.md#amplify-2) 
+  [[AppConfig.1] Amazon AppConfig applications should be tagged](appconfig-controls.md#appconfig-1) 
+  [[AppConfig.2] Amazon AppConfig configuration profiles should be tagged](appconfig-controls.md#appconfig-2) 
+  [[AppConfig.3] Amazon AppConfig environments should be tagged](appconfig-controls.md#appconfig-3) 
+  [[AppConfig.4] Amazon AppConfig extension associations should be tagged](appconfig-controls.md#appconfig-4) 
+  [[AppFlow.1] Amazon AppFlow flows should be tagged](appflow-controls.md#appflow-1) 
+  [[AppRunner.1] App Runner services should be tagged](apprunner-controls.md#apprunner-1) 
+  [[AppRunner.2] App Runner VPC connectors should be tagged](apprunner-controls.md#apprunner-2) 
+  [[AppSync.1] Amazon AppSync API caches should be encrypted at rest](appsync-controls.md#appsync-1) 
+  [[AppSync.2] Amazon AppSync should have field-level logging enabled](appsync-controls.md#appsync-2) 
+  [[AppSync.5] Amazon AppSync GraphQL APIs should not be authenticated with API keys](appsync-controls.md#appsync-5) 
+  [[AppSync.6] Amazon AppSync API caches should be encrypted in transit](appsync-controls.md#appsync-6) 
+  [[Athena.4] Athena workgroups should have logging enabled](athena-controls.md#athena-4) 
+  [[AutoScaling.2] Amazon EC2 Auto Scaling group should cover multiple Availability Zones](autoscaling-controls.md#autoscaling-2) 
+  [[AutoScaling.3] Auto Scaling group launch configurations should configure EC2 instances to require Instance Metadata Service Version 2 (IMDSv2)](autoscaling-controls.md#autoscaling-3) 
+  [[AutoScaling.6] Auto Scaling groups should use multiple instance types in multiple Availability Zones](autoscaling-controls.md#autoscaling-6) 
+  [[AutoScaling.9] Amazon EC2 Auto Scaling groups should use Amazon EC2 launch templates](autoscaling-controls.md#autoscaling-9) 
+  [[Backup.1] Amazon Backup recovery points should be encrypted at rest](backup-controls.md#backup-1) 
+  [[Backup.2] Amazon Backup recovery points should be tagged](backup-controls.md#backup-2) 
+  [[Backup.4] Amazon Backup report plans should be tagged](backup-controls.md#backup-4) 
+  [[Batch.1] Batch job queues should be tagged](batch-controls.md#batch-1) 
+  [[Batch.2] Batch scheduling policies should be tagged](batch-controls.md#batch-2) 
+  [[Batch.3] Batch compute environments should be tagged](batch-controls.md#batch-3) 
+  [[Batch.4] Compute resources properties in managed Batch compute environments should be tagged](batch-controls.md#batch-4) 
+  [[CloudFormation.3] CloudFormation stacks should have termination protection enabled](cloudformation-controls.md#cloudformation-3) 
+  [[CloudFormation.4] CloudFormation stacks should have associated service roles](cloudformation-controls.md#cloudformation-4) 
+  [[CloudFront.1] CloudFront distributions should have a default root object configured](cloudfront-controls.md#cloudfront-1) 
+  [[CloudFront.3] CloudFront distributions should require encryption in transit](cloudfront-controls.md#cloudfront-3) 
+  [[CloudFront.4] CloudFront distributions should have origin failover configured](cloudfront-controls.md#cloudfront-4) 
+  [[CloudFront.5] CloudFront distributions should have logging enabled](cloudfront-controls.md#cloudfront-5) 
+  [[CloudFront.6] CloudFront distributions should have WAF enabled](cloudfront-controls.md#cloudfront-6) 
+  [[CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates](cloudfront-controls.md#cloudfront-7) 
+  [[CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests](cloudfront-controls.md#cloudfront-8) 
+  [[CloudFront.9] CloudFront distributions should encrypt traffic to custom origins](cloudfront-controls.md#cloudfront-9) 
+  [[CloudFront.10] CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins](cloudfront-controls.md#cloudfront-10) 
+  [[CloudFront.12] CloudFront distributions should not point to non-existent S3 origins](cloudfront-controls.md#cloudfront-12) 
+  [[CloudFront.13] CloudFront distributions should use origin access control](cloudfront-controls.md#cloudfront-13) 
+  [[CloudFront.14] CloudFront distributions should be tagged](cloudfront-controls.md#cloudfront-14) 
+  [[CloudFront.15] CloudFront distributions should use the recommended TLS security policy](cloudfront-controls.md#cloudfront-15) 
+  [[CloudFront.16] CloudFront distributions should use origin access control for Lambda function URL origins](cloudfront-controls.md#cloudfront-16) 
+  [[CloudFront.17] CloudFront distributions should use trusted key groups for signed URLs and cookies](cloudfront-controls.md#cloudfront-17) 
+  [[CloudTrail.6] Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible](cloudtrail-controls.md#cloudtrail-6) 
+  [[CloudTrail.7] Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket](cloudtrail-controls.md#cloudtrail-7) 
+  [[CloudTrail.10] CloudTrail Lake event data stores should be encrypted with customer managed Amazon KMS keys](cloudtrail-controls.md#cloudtrail-10) 
+  [[CloudWatch.17] CloudWatch alarm actions should be activated](cloudwatch-controls.md#cloudwatch-17) 
+  [[CodeArtifact.1] CodeArtifact repositories should be tagged](codeartifact-controls.md#codeartifact-1) 
+  [[CodeBuild.1] CodeBuild Bitbucket source repository URLs should not contain sensitive credentials](codebuild-controls.md#codebuild-1) 
+  [[CodeBuild.2] CodeBuild project environment variables should not contain clear text credentials](codebuild-controls.md#codebuild-2) 
+  [[CodeBuild.3] CodeBuild S3 logs should be encrypted](codebuild-controls.md#codebuild-3) 
+  [[CodeBuild.4] CodeBuild project environments should have a logging Amazon Configuration](codebuild-controls.md#codebuild-4) 
+  [[CodeBuild.7] CodeBuild report group exports should be encrypted at rest](codebuild-controls.md#codebuild-7) 
+  [[CodeGuruProfiler.1] CodeGuru Profiler profiling groups should be tagged](codeguruprofiler-controls.md#codeguruprofiler-1) 
+  [[CodeGuruReviewer.1] CodeGuru Reviewer repository associations should be tagged](codegurureviewer-controls.md#codegurureviewer-1) 
+  [[Cognito.1] Cognito user pools should have threat protection activated with full function enforcement mode for standard authentication](cognito-controls.md#cognito-1) 
+  [[Cognito.2] Cognito identity pools should not allow unauthenticated identities](cognito-controls.md#cognito-2) 
+  [[Cognito.3] Password policies for Cognito user pools should have strong configurations](cognito-controls.md#cognito-3) 
+  [[Cognito.4] Cognito user pools should have threat protection activated with full function enforcement mode for custom authentication](cognito-controls.md#cognito-4) 
+  [[Cognito.5] MFA should be enabled for Cognito user pools](cognito-controls.md#cognito-5) 
+  [[Cognito.6] Cognito user pools should have deletion protection enabled](cognito-controls.md#cognito-6) 
+  [[Connect.1] Amazon Connect Customer Profiles object types should be tagged](connect-controls.md#connect-1) 
+  [[Connect.2] Amazon Connect instances should have CloudWatch logging enabled](connect-controls.md#connect-2) 
+  [[DataFirehose.1] Firehose delivery streams should be encrypted at rest](datafirehose-controls.md#datafirehose-1) 
+  [[DataSync.1] DataSync tasks should have logging enabled](datasync-controls.md#datasync-1) 
+  [[DataSync.2] DataSync tasks should be tagged](datasync-controls.md#datasync-2) 
+  [[Detective.1] Detective behavior graphs should be tagged](detective-controls.md#detective-1) 
+  [[DMS.2] DMS certificates should be tagged](dms-controls.md#dms-2) 
+  [[DMS.3] DMS event subscriptions should be tagged](dms-controls.md#dms-3) 
+  [[DMS.4] DMS replication instances should be tagged](dms-controls.md#dms-4) 
+  [[DMS.5] DMS replication subnet groups should be tagged](dms-controls.md#dms-5) 
+  [[DMS.6] DMS replication instances should have automatic minor version upgrade enabled](dms-controls.md#dms-6) 
+  [[DMS.7] DMS replication tasks for the target database should have logging enabled](dms-controls.md#dms-7) 
+  [[DMS.8] DMS replication tasks for the source database should have logging enabled](dms-controls.md#dms-8) 
+  [[DMS.9] DMS endpoints should use SSL](dms-controls.md#dms-9) 
+  [[DMS.10] DMS endpoints for Neptune databases should have IAM authorization enabled](dms-controls.md#dms-10) 
+  [[DMS.11] DMS endpoints for MongoDB should have an authentication mechanism enabled](dms-controls.md#dms-11) 
+  [[DMS.12] DMS endpoints for Redis OSS should have TLS enabled](dms-controls.md#dms-12) 
+  [[DMS.13] DMS replication instances should be configured to use multiple Availability Zones](dms-controls.md#dms-13) 
+  [[DocumentDB.1] Amazon DocumentDB clusters should be encrypted at rest](documentdb-controls.md#documentdb-1) 
+  [[DocumentDB.2] Amazon DocumentDB clusters should have an adequate backup retention period](documentdb-controls.md#documentdb-2) 
+  [[DocumentDB.3] Amazon DocumentDB manual cluster snapshots should not be public](documentdb-controls.md#documentdb-3) 
+  [[DocumentDB.4] Amazon DocumentDB clusters should publish audit logs to CloudWatch Logs](documentdb-controls.md#documentdb-4) 
+  [[DocumentDB.5] Amazon DocumentDB clusters should have deletion protection enabled](documentdb-controls.md#documentdb-5) 
+  [[DocumentDB.6] Amazon DocumentDB clusters should be encrypted in transit](documentdb-controls.md#documentdb-6) 
+  [[DynamoDB.3] DynamoDB Accelerator (DAX) clusters should be encrypted at rest](dynamodb-controls.md#dynamodb-3) 
+  [[DynamoDB.4] DynamoDB tables should be present in a backup plan](dynamodb-controls.md#dynamodb-4) 
+  [[DynamoDB.6] DynamoDB tables should have deletion protection enabled](dynamodb-controls.md#dynamodb-6) 
+  [[DynamoDB.7] DynamoDB Accelerator clusters should be encrypted in transit](dynamodb-controls.md#dynamodb-7) 
+  [[EC2.4] Stopped EC2 instances should be removed after a specified time period](ec2-controls.md#ec2-4) 
+  [[EC2.21] Network ACLs should not allow ingress from 0.0.0.0/0 to port 22 or port 3389](ec2-controls.md#ec2-21) 
+  [[EC2.22] Unused Amazon EC2 security groups should be removed](ec2-controls.md#ec2-22) 
+  [[EC2.23] Amazon EC2 Transit Gateways should not automatically accept VPC attachment requests](ec2-controls.md#ec2-23) 
+  [[EC2.24] Amazon EC2 paravirtual instance types should not be used](ec2-controls.md#ec2-24) 
+  [[EC2.25] Amazon EC2 launch templates should not assign public IPs to network interfaces](ec2-controls.md#ec2-25) 
+  [[EC2.28] EBS volumes should be covered by a backup plan](ec2-controls.md#ec2-28) 
+  [[EC2.34] EC2 transit gateway route tables should be tagged](ec2-controls.md#ec2-34) 
+  [[EC2.40] EC2 NAT gateways should be tagged](ec2-controls.md#ec2-40) 
+  [[EC2.51] EC2 Client VPN endpoints should have client connection logging enabled](ec2-controls.md#ec2-51) 
+  [[EC2.53] EC2 security groups should not allow ingress from 0.0.0.0/0 to remote server administration ports](ec2-controls.md#ec2-53) 
+  [[EC2.54] EC2 security groups should not allow ingress from ::/0 to remote server administration ports](ec2-controls.md#ec2-54) 
+  [[EC2.55] VPCs should be configured with an interface endpoint for ECR API](ec2-controls.md#ec2-55) 
+  [[EC2.56] VPCs should be configured with an interface endpoint for Docker Registry](ec2-controls.md#ec2-56) 
+  [[EC2.57] VPCs should be configured with an interface endpoint for Systems Manager](ec2-controls.md#ec2-57) 
+  [[EC2.58] VPCs should be configured with an interface endpoint for Systems Manager Incident Manager Contacts](ec2-controls.md#ec2-58) 
+  [[EC2.60] VPCs should be configured with an interface endpoint for Systems Manager Incident Manager](ec2-controls.md#ec2-60) 
+  [[EC2.170] EC2 launch templates should use Instance Metadata Service Version 2 (IMDSv2)](ec2-controls.md#ec2-170) 
+  [[EC2.171] EC2 VPN connections should have logging enabled](ec2-controls.md#ec2-171) 
+  [[EC2.173] EC2 Spot Fleet requests with launch parameters should enable encryption for attached EBS volumes](ec2-controls.md#ec2-173) 
+  [[EC2.174] EC2 DHCP option sets should be tagged](ec2-controls.md#ec2-174) 
+  [[EC2.175] EC2 launch templates should be tagged](ec2-controls.md#ec2-175) 
+  [[EC2.176] EC2 prefix lists should be tagged](ec2-controls.md#ec2-176) 
+  [[EC2.177] EC2 traffic mirror sessions should be tagged](ec2-controls.md#ec2-177) 
+  [[EC2.178] EC2 traffic mirror filters should be tagged](ec2-controls.md#ec2-178) 
+  [[EC2.179] EC2 traffic mirror targets should be tagged](ec2-controls.md#ec2-179) 
+  [[EC2.180] EC2 network interfaces should have source/destination checking enabled](ec2-controls.md#ec2-180) 
+  [[EC2.181] EC2 launch templates should enable encryption for attached EBS volumes](ec2-controls.md#ec2-181) 
+  [[ECR.1] ECR private repositories should have image scanning configured](ecr-controls.md#ecr-1) 
+  [[ECR.2] ECR private repositories should have tag immutability configured](ecr-controls.md#ecr-2) 
+  [[ECR.3] ECR repositories should have at least one lifecycle policy configured](ecr-controls.md#ecr-3) 
+  [[ECR.4] ECR public repositories should be tagged](ecr-controls.md#ecr-4) 
+  [[ECR.5] ECR repositories should be encrypted with customer managed Amazon KMS keys](ecr-controls.md#ecr-5) 
+  [[ECS.3] ECS task definitions should not share the host's process namespace](ecs-controls.md#ecs-3) 
+  [[ECS.4] ECS containers should run as non-privileged](ecs-controls.md#ecs-4) 
+  [[ECS.5] ECS task definitions should configure containers to be limited to read-only access to root filesystems](ecs-controls.md#ecs-5) 
+  [[ECS.8] Secrets should not be passed as container environment variables](ecs-controls.md#ecs-8) 
+  [[ECS.9] ECS task definitions should have a logging configuration](ecs-controls.md#ecs-9) 
+  [[ECS.10] ECS Fargate services should run on the latest Fargate platform version](ecs-controls.md#ecs-10) 
+  [[ECS.12] ECS clusters should use Container Insights](ecs-controls.md#ecs-12) 
+  [[ECS.17] ECS task definitions should not use host network mode](ecs-controls.md#ecs-17) 
+  [[ECS.19] ECS capacity providers should have managed termination protection enabled](ecs-controls.md#ecs-19) 
+  [[EFS.1] Elastic File System should be configured to encrypt file data at-rest using Amazon KMS](efs-controls.md#efs-1) 
+  [[EFS.2] Amazon EFS volumes should be in backup plans](efs-controls.md#efs-2) 
+  [[EFS.3] EFS access points should enforce a root directory](efs-controls.md#efs-3) 
+  [[EFS.4] EFS access points should enforce a user identity](efs-controls.md#efs-4) 
+  [[EFS.6] EFS mount targets should not be associated with subnets that assign public IP addresses on launch](efs-controls.md#efs-6) 
+  [[EFS.7] EFS file systems should have automatic backups enabled](efs-controls.md#efs-7) 
+  [[EFS.8] EFS file systems should be encrypted at rest](efs-controls.md#efs-8) 
+  [[EKS.2] EKS clusters should run on a supported Kubernetes version](eks-controls.md#eks-2) 
+  [[EKS.3] EKS clusters should use encrypted Kubernetes secrets](eks-controls.md#eks-3) 
+  [[EKS.7] EKS identity provider configurations should be tagged](eks-controls.md#eks-7) 
+  [[EKS.8] EKS clusters should have audit logging enabled](eks-controls.md#eks-8) 
+  [[ELB.10] Classic Load Balancer should span multiple Availability Zones](elb-controls.md#elb-10) 
+  [[ELB.12] Application Load Balancer should be configured with defensive or strictest desync mitigation mode](elb-controls.md#elb-12) 
+  [[ELB.13] Application, Network and Gateway Load Balancers should span multiple Availability Zones](elb-controls.md#elb-13) 
+  [[ELB.14] Classic Load Balancer should be configured with defensive or strictest desync mitigation mode](elb-controls.md#elb-14) 
+  [[ELB.17] Application and Network Load Balancers with listeners should use recommended security policies](elb-controls.md#elb-17) 
+  [[ELB.18] Application and Network Load Balancer listeners should use secure protocols to encrypt data in transit](elb-controls.md#elb-18) 
+  [[ElastiCache.1] ElastiCache (Redis OSS) clusters should have automatic backups enabled](elasticache-controls.md#elasticache-1) 
+  [[ElastiCache.2] ElastiCache clusters should have automatic minor version upgrades enabled](elasticache-controls.md#elasticache-2) 
+  [[ElastiCache.3] ElastiCache replication groups should have automatic failover enabled](elasticache-controls.md#elasticache-3) 
+  [[ElastiCache.4] ElastiCache replication groups should be encrypted at rest](elasticache-controls.md#elasticache-4) 
+  [[ElastiCache.5] ElastiCache replication groups should be encrypted in transit](elasticache-controls.md#elasticache-5) 
+  [[ElastiCache.6] ElastiCache (Redis OSS) replication groups of earlier versions should have Redis OSS AUTH enabled](elasticache-controls.md#elasticache-6) 
+  [[ElastiCache.7] ElastiCache clusters should not use the default subnet group](elasticache-controls.md#elasticache-7) 
+  [[ElasticBeanstalk.1] Elastic Beanstalk environments should have enhanced health reporting enabled](elasticbeanstalk-controls.md#elasticbeanstalk-1) 
+  [[ElasticBeanstalk.2] Elastic Beanstalk managed platform updates should be enabled](elasticbeanstalk-controls.md#elasticbeanstalk-2) 
+  [[ElasticBeanstalk.3] Elastic Beanstalk should stream logs to CloudWatch](elasticbeanstalk-controls.md#elasticbeanstalk-3) 
+  [[EMR.1] Amazon EMR cluster primary nodes should not have public IP addresses](emr-controls.md#emr-1) 
+  [[EMR.2] Amazon EMR block public access setting should be enabled](emr-controls.md#emr-2) 
+  [[EMR.3] Amazon EMR security configurations should be encrypted at rest](emr-controls.md#emr-3) 
+  [[EMR.4] Amazon EMR security configurations should be encrypted in transit](emr-controls.md#emr-4) 
+  [[ES.4] Elasticsearch domain error logging to CloudWatch Logs should be enabled](es-controls.md#es-4) 
+  [[ES.9] Elasticsearch domains should be tagged](es-controls.md#es-9) 
+  [[EventBridge.3] EventBridge custom event buses should have a resource-based policy attached](eventbridge-controls.md#eventbridge-3) 
+  [[EventBridge.4] EventBridge global endpoints should have event replication enabled](eventbridge-controls.md#eventbridge-4) 
+  [[FraudDetector.1] Amazon Fraud Detector entity types should be tagged](frauddetector-controls.md#frauddetector-1) 
+  [[FraudDetector.2] Amazon Fraud Detector labels should be tagged](frauddetector-controls.md#frauddetector-2) 
+  [[FraudDetector.3] Amazon Fraud Detector outcomes should be tagged](frauddetector-controls.md#frauddetector-3) 
+  [[FraudDetector.4] Amazon Fraud Detector variables should be tagged](frauddetector-controls.md#frauddetector-4) 
+  [[FSx.1] FSx for OpenZFS file systems should be configured to copy tags to backups and volumes](fsx-controls.md#fsx-1) 
+  [[FSx.2] FSx for Lustre file systems should be configured to copy tags to backups](fsx-controls.md#fsx-2) 
+  [[FSx.3] FSx for OpenZFS file systems should be configured for Multi-AZ deployment](fsx-controls.md#fsx-3) 
+  [[FSx.4] FSx for NetApp ONTAP file systems should be configured for Multi-AZ deployment](fsx-controls.md#fsx-4) 
+  [[FSx.5] FSx for Windows File Server file systems should be configured for Multi-AZ deployment](fsx-controls.md#fsx-5) 
+  [[GlobalAccelerator.1] Global Accelerator accelerators should be tagged](globalaccelerator-controls.md#globalaccelerator-1) 
+  [[Glue.1] Amazon Glue jobs should be tagged](glue-controls.md#glue-1) 
+  [[Glue.3] Amazon Glue machine learning transforms should be encrypted at rest](glue-controls.md#glue-3) 
+  [[Glue.4] Amazon Glue Spark jobs should run on supported versions of Amazon Glue](glue-controls.md#glue-4) 
+  [[GuardDuty.2] GuardDuty filters should be tagged](guardduty-controls.md#guardduty-2) 
+  [[GuardDuty.5] GuardDuty EKS Audit Log Monitoring should be enabled](guardduty-controls.md#guardduty-5) 
+  [[GuardDuty.6] GuardDuty Lambda Protection should be enabled](guardduty-controls.md#guardduty-6) 
+  [[GuardDuty.7] GuardDuty EKS Runtime Monitoring should be enabled](guardduty-controls.md#guardduty-7) 
+  [[GuardDuty.8] GuardDuty Malware Protection for EC2 should be enabled](guardduty-controls.md#guardduty-8) 
+  [[GuardDuty.9] GuardDuty RDS Protection should be enabled](guardduty-controls.md#guardduty-9) 
+  [[GuardDuty.10] GuardDuty S3 Protection should be enabled](guardduty-controls.md#guardduty-10) 
+  [[GuardDuty.11] GuardDuty Runtime Monitoring should be enabled](guardduty-controls.md#guardduty-11) 
+  [[GuardDuty.12] GuardDuty ECS Runtime Monitoring should be enabled](guardduty-controls.md#guardduty-12) 
+  [[GuardDuty.13] GuardDuty EC2 Runtime Monitoring should be enabled](guardduty-controls.md#guardduty-13) 
+  [[IAM.1] IAM policies should not allow full "*" administrative privileges](iam-controls.md#iam-1) 
+  [[IAM.2] IAM users should not have IAM policies attached](iam-controls.md#iam-2) 
+  [[IAM.3] IAM users' access keys should be rotated every 90 days or less](iam-controls.md#iam-3) 
+  [[IAM.4] IAM root user access key should not exist](iam-controls.md#iam-4) 
+  [[IAM.5] MFA should be enabled for all IAM users that have a console password](iam-controls.md#iam-5) 
+  [[IAM.6] Hardware MFA should be enabled for the root user](iam-controls.md#iam-6) 
+  [[IAM.7] Password policies for IAM users should have strong configurations](iam-controls.md#iam-7) 
+  [[IAM.8] Unused IAM user credentials should be removed](iam-controls.md#iam-8) 
+  [[IAM.9] MFA should be enabled for the root user](iam-controls.md#iam-9) 
+  [[IAM.10] Password policies for IAM users should have strong configurations](iam-controls.md#iam-10) 
+  [[IAM.11] Ensure IAM password policy requires at least one uppercase letter](iam-controls.md#iam-11) 
+  [[IAM.12] Ensure IAM password policy requires at least one lowercase letter](iam-controls.md#iam-12) 
+  [[IAM.13] Ensure IAM password policy requires at least one symbol](iam-controls.md#iam-13) 
+  [[IAM.14] Ensure IAM password policy requires at least one number](iam-controls.md#iam-14) 
+  [[IAM.15] Ensure IAM password policy requires minimum password length of 14 or greater](iam-controls.md#iam-15) 
+  [[IAM.16] Ensure IAM password policy prevents password reuse](iam-controls.md#iam-16) 
+  [[IAM.17] Ensure IAM password policy expires passwords within 90 days or less](iam-controls.md#iam-17) 
+  [[IAM.18] Ensure a support role has been created to manage incidents with Amazon Web Services Support](iam-controls.md#iam-18) 
+  [[IAM.19] MFA should be enabled for all IAM users](iam-controls.md#iam-19) 
+  [[IAM.21] IAM customer managed policies that you create should not allow wildcard actions for services](iam-controls.md#iam-21) 
+  [[IAM.22] IAM user credentials unused for 45 days should be removed](iam-controls.md#iam-22) 
+  [[IAM.24] IAM roles should be tagged](iam-controls.md#iam-24) 
+  [[IAM.25] IAM users should be tagged](iam-controls.md#iam-25) 
+  [[IAM.26] Expired SSL/TLS certificates managed in IAM should be removed](iam-controls.md#iam-26) 
+  [[IAM.27] IAM identities should not have the AWSCloudShellFullAccess policy attached](iam-controls.md#iam-27) 
+  [[IAM.28] IAM Access Analyzer external access analyzer should be enabled](iam-controls.md#iam-28) 
+  [[Inspector.1] Amazon Inspector EC2 scanning should be enabled](inspector-controls.md#inspector-1) 
+  [[Inspector.2] Amazon Inspector ECR scanning should be enabled](inspector-controls.md#inspector-2) 
+  [[Inspector.3] Amazon Inspector Lambda code scanning should be enabled](inspector-controls.md#inspector-3) 
+  [[Inspector.4] Amazon Inspector Lambda standard scanning should be enabled](inspector-controls.md#inspector-4) 
+  [[IoTEvents.1] Amazon IoT Events inputs should be tagged](iotevents-controls.md#iotevents-1) 
+  [[IoTEvents.2] Amazon IoT Events detector models should be tagged](iotevents-controls.md#iotevents-2) 
+  [[IoTEvents.3] Amazon IoT Events alarm models should be tagged](iotevents-controls.md#iotevents-3) 
+  [[IoTSiteWise.1] Amazon IoT SiteWise asset models should be tagged](iotsitewise-controls.md#iotsitewise-1) 
+  [[IoTSiteWise.2] Amazon IoT SiteWise dashboards should be tagged](iotsitewise-controls.md#iotsitewise-2) 
+  [[IoTSiteWise.3] Amazon IoT SiteWise gateways should be tagged](iotsitewise-controls.md#iotsitewise-3) 
+  [[IoTSiteWise.4] Amazon IoT SiteWise portals should be tagged](iotsitewise-controls.md#iotsitewise-4) 
+  [[IoTSiteWise.5] Amazon IoT SiteWise projects should be tagged](iotsitewise-controls.md#iotsitewise-5) 
+  [[IoTTwinMaker.1] Amazon IoT TwinMaker sync jobs should be tagged](iottwinmaker-controls.md#iottwinmaker-1) 
+  [[IoTTwinMaker.2] Amazon IoT TwinMaker workspaces should be tagged](iottwinmaker-controls.md#iottwinmaker-2) 
+  [[IoTTwinMaker.3] Amazon IoT TwinMaker scenes should be tagged](iottwinmaker-controls.md#iottwinmaker-3) 
+  [[IoTTwinMaker.4] Amazon IoT TwinMaker entities should be tagged](iottwinmaker-controls.md#iottwinmaker-4) 
+  [[IoTWireless.1] Amazon IoT Wireless multicast groups should be tagged](iotwireless-controls.md#iotwireless-1) 
+  [[IoTWireless.2] Amazon IoT Wireless service profiles should be tagged](iotwireless-controls.md#iotwireless-2) 
+  [[IoTWireless.3] Amazon IoT FUOTA tasks should be tagged](iotwireless-controls.md#iotwireless-3) 
+  [[IVS.1] IVS playback key pairs should be tagged](ivs-controls.md#ivs-1) 
+  [[IVS.2] IVS recording configurations should be tagged](ivs-controls.md#ivs-2) 
+  [[IVS.3] IVS channels should be tagged](ivs-controls.md#ivs-3) 
+  [[Keyspaces.1] Amazon Keyspaces keyspaces should be tagged](keyspaces-controls.md#keyspaces-1) 
+  [[Kinesis.1] Kinesis streams should be encrypted at rest](kinesis-controls.md#kinesis-1) 
+  [[Kinesis.3] Kinesis streams should have an adequate data retention period](kinesis-controls.md#kinesis-3) 
+  [[KMS.1] IAM customer managed policies should not allow decryption actions on all KMS keys](kms-controls.md#kms-1) 
+  [[KMS.2] IAM principals should not have IAM inline policies that allow decryption actions on all KMS keys](kms-controls.md#kms-2) 
+  [[KMS.5] KMS keys should not be publicly accessible](kms-controls.md#kms-5) 
+  [[Lambda.5] VPC Lambda functions should operate in multiple Availability Zones](lambda-controls.md#lambda-5) 
+  [[Lambda.7] Lambda functions should have Amazon X-Ray active tracing enabled](lambda-controls.md#lambda-7) 
+  [[Macie.1] Amazon Macie should be enabled](macie-controls.md#macie-1) 
+  [[Macie.2] Macie automated sensitive data discovery should be enabled](macie-controls.md#macie-2) 
+  [[MQ.2] ActiveMQ brokers should stream audit logs to CloudWatch](mq-controls.md#mq-2) 
+  [[MQ.4] Amazon MQ brokers should be tagged](mq-controls.md#mq-4) 
+  [[MQ.5] ActiveMQ brokers should use active/standby deployment mode](mq-controls.md#mq-5) 
+  [[MQ.6] RabbitMQ brokers should use cluster deployment mode](mq-controls.md#mq-6) 
+  [[MSK.1] MSK clusters should be encrypted in transit among broker nodes](msk-controls.md#msk-1) 
+  [[MSK.2] MSK clusters should have enhanced monitoring configured](msk-controls.md#msk-2) 
+  [[MSK.3] MSK Connect connectors should be encrypted in transit](msk-controls.md#msk-3) 
+  [[MSK.4] MSK clusters should have public access disabled](msk-controls.md#msk-4) 
+  [[MSK.5] MSK connectors should have logging enabled](msk-controls.md#msk-5) 
+  [[MSK.6] MSK clusters should disable unauthenticated access](msk-controls.md#msk-6) 
+  [[Neptune.1] Neptune DB clusters should be encrypted at rest](neptune-controls.md#neptune-1) 
+  [[Neptune.2] Neptune DB clusters should publish audit logs to CloudWatch Logs](neptune-controls.md#neptune-2) 
+  [[Neptune.3] Neptune DB cluster snapshots should not be public](neptune-controls.md#neptune-3) 
+  [[Neptune.4] Neptune DB clusters should have deletion protection enabled](neptune-controls.md#neptune-4) 
+  [[Neptune.5] Neptune DB clusters should have automated backups enabled](neptune-controls.md#neptune-5) 
+  [[Neptune.6] Neptune DB cluster snapshots should be encrypted at rest](neptune-controls.md#neptune-6) 
+  [[Neptune.7] Neptune DB clusters should have IAM database authentication enabled](neptune-controls.md#neptune-7) 
+  [[Neptune.8] Neptune DB clusters should be configured to copy tags to snapshots](neptune-controls.md#neptune-8) 
+  [[Neptune.9] Neptune DB clusters should be deployed across multiple Availability Zones](neptune-controls.md#neptune-9) 
+  [[NetworkFirewall.1] Network Firewall firewalls should be deployed across multiple Availability Zones](networkfirewall-controls.md#networkfirewall-1) 
+  [[NetworkFirewall.2] Network Firewall logging should be enabled](networkfirewall-controls.md#networkfirewall-2) 
+  [[NetworkFirewall.3] Network Firewall policies should have at least one rule group associated](networkfirewall-controls.md#networkfirewall-3) 
+  [[NetworkFirewall.4] The default stateless action for Network Firewall policies should be drop or forward for full packets](networkfirewall-controls.md#networkfirewall-4) 
+  [[NetworkFirewall.5] The default stateless action for Network Firewall policies should be drop or forward for fragmented packets](networkfirewall-controls.md#networkfirewall-5) 
+  [[NetworkFirewall.6] Stateless Network Firewall rule group should not be empty](networkfirewall-controls.md#networkfirewall-6) 
+  [[NetworkFirewall.9] Network Firewall firewalls should have deletion protection enabled](networkfirewall-controls.md#networkfirewall-9) 
+  [[NetworkFirewall.10] Network Firewall firewalls should have subnet change protection enabled](networkfirewall-controls.md#networkfirewall-10) 
+  [[Opensearch.1] OpenSearch domains should have encryption at rest enabled](opensearch-controls.md#opensearch-1) 
+  [[Opensearch.2] OpenSearch domains should not be publicly accessible](opensearch-controls.md#opensearch-2) 
+  [[Opensearch.3] OpenSearch domains should encrypt data sent between nodes](opensearch-controls.md#opensearch-3) 
+  [[Opensearch.4] OpenSearch domain error logging to CloudWatch Logs should be enabled](opensearch-controls.md#opensearch-4) 
+  [[Opensearch.5] OpenSearch domains should have audit logging enabled](opensearch-controls.md#opensearch-5) 
+  [[Opensearch.6] OpenSearch domains should have at least three data nodes](opensearch-controls.md#opensearch-6) 
+  [[Opensearch.7] OpenSearch domains should have fine-grained access control enabled](opensearch-controls.md#opensearch-7) 
+  [[Opensearch.8] Connections to OpenSearch domains should be encrypted using the latest TLS security policy](opensearch-controls.md#opensearch-8) 
+  [[Opensearch.9] OpenSearch domains should be tagged](opensearch-controls.md#opensearch-9) 
+  [[Opensearch.10] OpenSearch domains should have the latest software update installed](opensearch-controls.md#opensearch-10) 
+  [[Opensearch.11] OpenSearch domains should have at least three dedicated primary nodes](opensearch-controls.md#opensearch-11) 
+  [[PCA.1] Amazon Private CA root certificate authority should be disabled](pca-controls.md#pca-1) 
+  [[PCA.2] Amazon Private CA certificate authorities should be tagged](pca-controls.md#pca-2) 
+  [[RDS.14] Amazon Aurora clusters should have backtracking enabled](rds-controls.md#rds-14) 
+  [[RDS.18] RDS instances should be deployed in a VPC](rds-controls.md#rds-18) 
+  [[RDS.24] RDS Database clusters should use a custom administrator username](rds-controls.md#rds-24) 
+  [[RDS.25] RDS database instances should use a custom administrator username](rds-controls.md#rds-25) 
+  [[RDS.26] RDS DB instances should be protected by a backup plan](rds-controls.md#rds-26) 
+  [[RDS.27] RDS DB clusters should be encrypted at rest](rds-controls.md#rds-27) 
+  [[RDS.31] RDS DB security groups should be tagged](rds-controls.md#rds-31) 
+  [[RDS.34] Aurora MySQL DB clusters should publish audit logs to CloudWatch Logs](rds-controls.md#rds-34) 
+  [[RDS.35] RDS DB clusters should have automatic minor version upgrade enabled](rds-controls.md#rds-35) 
+  [[RDS.36] RDS for PostgreSQL DB instances should publish logs to CloudWatch Logs](rds-controls.md#rds-36) 
+  [[RDS.37] Aurora PostgreSQL DB clusters should publish logs to CloudWatch Logs](rds-controls.md#rds-37) 
+  [[RDS.38] RDS for PostgreSQL DB instances should be encrypted in transit](rds-controls.md#rds-38) 
+  [[RDS.39] RDS for MySQL DB instances should be encrypted in transit](rds-controls.md#rds-39) 
+  [[RDS.40] RDS for SQL Server DB instances should publish logs to CloudWatch Logs](rds-controls.md#rds-40) 
+  [[RDS.41] RDS for SQL Server DB instances should be encrypted in transit](rds-controls.md#rds-41) 
+  [[RDS.42] RDS for MariaDB DB instances should publish logs to CloudWatch Logs](rds-controls.md#rds-42) 
+  [[RDS.43] RDS DB proxies should require TLS encryption for connections](rds-controls.md#rds-43) 
+  [[RDS.44] RDS for MariaDB DB instances should be encrypted in transit](rds-controls.md#rds-44) 
+  [[RDS.45] Aurora MySQL DB clusters should have audit logging enabled](rds-controls.md#rds-45) 
+  [[RDS.46] RDS DB instances should not be deployed in public subnets with routes to internet gateways](rds-controls.md#rds-46) 
+  [[RDS.47] RDS for PostgreSQL DB clusters should be configured to copy tags to DB snapshots](rds-controls.md#rds-47) 
+  [[Redshift.8] Amazon Redshift clusters should not use the default Admin username](redshift-controls.md#redshift-8) 
+  [[Redshift.10] Redshift clusters should be encrypted at rest](redshift-controls.md#redshift-10) 
+  [[Redshift.15] Redshift security groups should allow ingress on the cluster port only from restricted origins](redshift-controls.md#redshift-15) 
+  [[Redshift.16] Redshift cluster subnet groups should have subnets from multiple Availability Zones](redshift-controls.md#redshift-16) 
+  [[Redshift.17] Redshift cluster parameter groups should be tagged](redshift-controls.md#redshift-17) 
+  [[Redshift.18] Redshift clusters should have Multi-AZ deployments enabled](redshift-controls.md#redshift-18) 
+  [[RedshiftServerless.1] Amazon Redshift Serverless workgroups should use enhanced VPC routing](redshiftserverless-controls.md#redshiftserverless-1) 
+  [[RedshiftServerless.2] Connections to Redshift Serverless workgroups should be required to use SSL](redshiftserverless-controls.md#redshiftserverless-2) 
+  [[RedshiftServerless.3] Redshift Serverless workgroups should prohibit public access](redshiftserverless-controls.md#redshiftserverless-3) 
+  [[RedshiftServerless.4] Redshift Serverless namespaces should be encrypted with customer managed Amazon KMS keys](redshiftserverless-controls.md#redshiftserverless-4) 
+  [[RedshiftServerless.5] Redshift Serverless namespaces should not use the default admin username](redshiftserverless-controls.md#redshiftserverless-5) 
+  [[RedshiftServerless.6] Redshift Serverless namespaces should export logs to CloudWatch Logs](redshiftserverless-controls.md#redshiftserverless-6) 
+  [[Route53.1] Route 53 health checks should be tagged](route53-controls.md#route53-1) 
+  [[Route53.2] Route 53 public hosted zones should log DNS queries](route53-controls.md#route53-2) 
+  [[S3.7] S3 general purpose buckets should use cross-Region replication](s3-controls.md#s3-7) 
+  [[S3.10] S3 general purpose buckets with versioning enabled should have Lifecycle configurations](s3-controls.md#s3-10) 
+  [[S3.11] S3 general purpose buckets should have event notifications enabled](s3-controls.md#s3-11) 
+  [[S3.12] ACLs should not be used to manage user access to S3 general purpose buckets](s3-controls.md#s3-12) 
+  [[S3.13] S3 general purpose buckets should have Lifecycle configurations](s3-controls.md#s3-13) 
+  [[S3.19] S3 access points should have block public access settings enabled](s3-controls.md#s3-19) 
+  [[S3.20] S3 general purpose buckets should have MFA delete enabled](s3-controls.md#s3-20) 
+  [[S3.22] S3 general purpose buckets should log object-level write events](s3-controls.md#s3-22) 
+  [[S3.23] S3 general purpose buckets should log object-level read events](s3-controls.md#s3-23) 
+  [[S3.24] S3 Multi-Region Access Points should have block public access settings enabled](s3-controls.md#s3-24) 
+  [[S3.25] S3 directory buckets should have lifecycle configurations](s3-controls.md#s3-25) 
+  [[SageMaker.1] Amazon SageMaker notebook instances should not have direct internet access](sagemaker-controls.md#sagemaker-1) 
+  [[SageMaker.2] SageMaker notebook instances should be launched in a custom VPC](sagemaker-controls.md#sagemaker-2) 
+  [[SageMaker.3] Users should not have root access to SageMaker notebook instances](sagemaker-controls.md#sagemaker-3) 
+  [[SageMaker.4] SageMaker endpoint production variants should have an initial instance count greater than 1](sagemaker-controls.md#sagemaker-4) 
+  [[SageMaker.5] SageMaker models should have network isolation enabled](sagemaker-controls.md#sagemaker-5) 
+  [[SageMaker.6] SageMaker app image configurations should be tagged](sagemaker-controls.md#sagemaker-6) 
+  [[SageMaker.7] SageMaker images should be tagged](sagemaker-controls.md#sagemaker-7) 
+  [[SageMaker.8] SageMaker notebook instances should run on supported platforms](sagemaker-controls.md#sagemaker-8) 
+  [[SageMaker.9] SageMaker data quality job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-9) 
+  [[SageMaker.10] SageMaker model explainability job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-10) 
+  [[SageMaker.11] SageMaker data quality job definitions should have network isolation enabled](sagemaker-controls.md#sagemaker-11) 
+  [[SageMaker.12] SageMaker model bias job definitions should have network isolation enabled](sagemaker-controls.md#sagemaker-12) 
+  [[SageMaker.13] SageMaker model quality job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-13) 
+  [[SageMaker.14] SageMaker monitoring schedules should have network isolation enabled](sagemaker-controls.md#sagemaker-14) 
+  [[SageMaker.15] SageMaker model bias job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-15) 
+  [[SES.3] SES configuration sets should have TLS enabled for sending emails](ses-controls.md#ses-3) 
+  [[ServiceCatalog.1] Service Catalog portfolios should be shared within an Amazon organization only](servicecatalog-controls.md#servicecatalog-1) 
+  [[SNS.4] SNS topic access policies should not allow public access](sns-controls.md#sns-4) 
+  [[SQS.1] Amazon SQS queues should be encrypted at rest](sqs-controls.md#sqs-1) 
+  [[SQS.2] SQS queues should be tagged](sqs-controls.md#sqs-2) 
+  [[SQS.3] SQS queue access policies should not allow public access](sqs-controls.md#sqs-3) 
+  [[SSM.4] SSM documents should not be public](ssm-controls.md#ssm-4) 
+  [[SSM.5] SSM documents should be tagged](ssm-controls.md#ssm-5) 
+  [[SSM.6] SSM Automation should have CloudWatch logging enabled](ssm-controls.md#ssm-6) 
+  [[SSM.7] SSM documents should have the block public sharing setting enabled](ssm-controls.md#ssm-7) 
+  [[StepFunctions.1] Step Functions state machines should have logging turned on](stepfunctions-controls.md#stepfunctions-1) 
+  [[Transfer.2] Transfer Family servers should not use FTP protocol for endpoint connection](transfer-controls.md#transfer-2) 
+  [[Transfer.3] Transfer Family connectors should have logging enabled](transfer-controls.md#transfer-3) 
+  [[Transfer.4] Transfer Family agreements should be tagged](transfer-controls.md#transfer-4) 
+  [[Transfer.5] Transfer Family certificates should be tagged](transfer-controls.md#transfer-5) 
+  [[Transfer.6] Transfer Family connectors should be tagged](transfer-controls.md#transfer-6) 
+  [[Transfer.7] Transfer Family profiles should be tagged](transfer-controls.md#transfer-7) 
+  [[WAF.1] Amazon WAF Classic Global Web ACL logging should be enabled](waf-controls.md#waf-1) 
+  [[WAF.2] Amazon WAF Classic Regional rules should have at least one condition](waf-controls.md#waf-2) 
+  [[WAF.3] Amazon WAF Classic Regional rule groups should have at least one rule](waf-controls.md#waf-3) 
+  [[WAF.4] Amazon WAF Classic Regional web ACLs should have at least one rule or rule group](waf-controls.md#waf-4) 
+  [[WAF.6] Amazon WAF Classic global rules should have at least one condition](waf-controls.md#waf-6) 
+  [[WAF.7] Amazon WAF Classic global rule groups should have at least one rule](waf-controls.md#waf-7) 
+  [[WAF.8] Amazon WAF Classic global web ACLs should have at least one rule or rule group](waf-controls.md#waf-8) 
+  [[WAF.10] Amazon WAF web ACLs should have at least one rule or rule group](waf-controls.md#waf-10) 
+  [[WAF.12] Amazon WAF rules should have CloudWatch metrics enabled](waf-controls.md#waf-12) 
+  [[WorkSpaces.1] WorkSpaces user volumes should be encrypted at rest](workspaces-controls.md#workspaces-1) 
+  [[WorkSpaces.2] WorkSpaces root volumes should be encrypted at rest](workspaces-controls.md#workspaces-2) 

## Asia Pacific (Melbourne)


The following controls are not supported in the Asia Pacific (Melbourne) Region.
+  [[APIGateway.8] API Gateway routes should specify an authorization type](apigateway-controls.md#apigateway-8) 
+  [[APIGateway.9] Access logging should be configured for API Gateway V2 Stages](apigateway-controls.md#apigateway-9) 
+  [[Amplify.1] Amplify apps should be tagged](amplify-controls.md#amplify-1) 
+  [[Amplify.2] Amplify branches should be tagged](amplify-controls.md#amplify-2) 
+  [[AppFlow.1] Amazon AppFlow flows should be tagged](appflow-controls.md#appflow-1) 
+  [[AppRunner.1] App Runner services should be tagged](apprunner-controls.md#apprunner-1) 
+  [[AppRunner.2] App Runner VPC connectors should be tagged](apprunner-controls.md#apprunner-2) 
+  [[AppSync.1] Amazon AppSync API caches should be encrypted at rest](appsync-controls.md#appsync-1) 
+  [[AppSync.2] Amazon AppSync should have field-level logging enabled](appsync-controls.md#appsync-2) 
+  [[AppSync.5] Amazon AppSync GraphQL APIs should not be authenticated with API keys](appsync-controls.md#appsync-5) 
+  [[AppSync.6] Amazon AppSync API caches should be encrypted in transit](appsync-controls.md#appsync-6) 
+  [[Backup.1] Amazon Backup recovery points should be encrypted at rest](backup-controls.md#backup-1) 
+  [[Batch.1] Batch job queues should be tagged](batch-controls.md#batch-1) 
+  [[Batch.3] Batch compute environments should be tagged](batch-controls.md#batch-3) 
+  [[Batch.4] Compute resources properties in managed Batch compute environments should be tagged](batch-controls.md#batch-4) 
+  [[CloudFormation.3] CloudFormation stacks should have termination protection enabled](cloudformation-controls.md#cloudformation-3) 
+  [[CloudFormation.4] CloudFormation stacks should have associated service roles](cloudformation-controls.md#cloudformation-4) 
+  [[CloudFront.1] CloudFront distributions should have a default root object configured](cloudfront-controls.md#cloudfront-1) 
+  [[CloudFront.3] CloudFront distributions should require encryption in transit](cloudfront-controls.md#cloudfront-3) 
+  [[CloudFront.4] CloudFront distributions should have origin failover configured](cloudfront-controls.md#cloudfront-4) 
+  [[CloudFront.5] CloudFront distributions should have logging enabled](cloudfront-controls.md#cloudfront-5) 
+  [[CloudFront.6] CloudFront distributions should have WAF enabled](cloudfront-controls.md#cloudfront-6) 
+  [[CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates](cloudfront-controls.md#cloudfront-7) 
+  [[CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests](cloudfront-controls.md#cloudfront-8) 
+  [[CloudFront.9] CloudFront distributions should encrypt traffic to custom origins](cloudfront-controls.md#cloudfront-9) 
+  [[CloudFront.10] CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins](cloudfront-controls.md#cloudfront-10) 
+  [[CloudFront.12] CloudFront distributions should not point to non-existent S3 origins](cloudfront-controls.md#cloudfront-12) 
+  [[CloudFront.13] CloudFront distributions should use origin access control](cloudfront-controls.md#cloudfront-13) 
+  [[CloudFront.14] CloudFront distributions should be tagged](cloudfront-controls.md#cloudfront-14) 
+  [[CloudFront.15] CloudFront distributions should use the recommended TLS security policy](cloudfront-controls.md#cloudfront-15) 
+  [[CloudFront.16] CloudFront distributions should use origin access control for Lambda function URL origins](cloudfront-controls.md#cloudfront-16) 
+  [[CloudFront.17] CloudFront distributions should use trusted key groups for signed URLs and cookies](cloudfront-controls.md#cloudfront-17) 
+  [[CodeArtifact.1] CodeArtifact repositories should be tagged](codeartifact-controls.md#codeartifact-1) 
+  [[CodeGuruProfiler.1] CodeGuru Profiler profiling groups should be tagged](codeguruprofiler-controls.md#codeguruprofiler-1) 
+  [[CodeGuruReviewer.1] CodeGuru Reviewer repository associations should be tagged](codegurureviewer-controls.md#codegurureviewer-1) 
+  [[Cognito.1] Cognito user pools should have threat protection activated with full function enforcement mode for standard authentication](cognito-controls.md#cognito-1) 
+  [[Connect.1] Amazon Connect Customer Profiles object types should be tagged](connect-controls.md#connect-1) 
+  [[Connect.2] Amazon Connect instances should have CloudWatch logging enabled](connect-controls.md#connect-2) 
+  [[Detective.1] Detective behavior graphs should be tagged](detective-controls.md#detective-1) 
+  [[DMS.2] DMS certificates should be tagged](dms-controls.md#dms-2) 
+  [[DMS.3] DMS event subscriptions should be tagged](dms-controls.md#dms-3) 
+  [[DMS.4] DMS replication instances should be tagged](dms-controls.md#dms-4) 
+  [[DMS.5] DMS replication subnet groups should be tagged](dms-controls.md#dms-5) 
+  [[DMS.6] DMS replication instances should have automatic minor version upgrade enabled](dms-controls.md#dms-6) 
+  [[DMS.7] DMS replication tasks for the target database should have logging enabled](dms-controls.md#dms-7) 
+  [[DMS.8] DMS replication tasks for the source database should have logging enabled](dms-controls.md#dms-8) 
+  [[DMS.9] DMS endpoints should use SSL](dms-controls.md#dms-9) 
+  [[DMS.10] DMS endpoints for Neptune databases should have IAM authorization enabled](dms-controls.md#dms-10) 
+  [[DMS.11] DMS endpoints for MongoDB should have an authentication mechanism enabled](dms-controls.md#dms-11) 
+  [[DMS.12] DMS endpoints for Redis OSS should have TLS enabled](dms-controls.md#dms-12) 
+  [[DMS.13] DMS replication instances should be configured to use multiple Availability Zones](dms-controls.md#dms-13) 
+  [[DocumentDB.1] Amazon DocumentDB clusters should be encrypted at rest](documentdb-controls.md#documentdb-1) 
+  [[DocumentDB.2] Amazon DocumentDB clusters should have an adequate backup retention period](documentdb-controls.md#documentdb-2) 
+  [[DocumentDB.3] Amazon DocumentDB manual cluster snapshots should not be public](documentdb-controls.md#documentdb-3) 
+  [[DocumentDB.4] Amazon DocumentDB clusters should publish audit logs to CloudWatch Logs](documentdb-controls.md#documentdb-4) 
+  [[DocumentDB.5] Amazon DocumentDB clusters should have deletion protection enabled](documentdb-controls.md#documentdb-5) 
+  [[DocumentDB.6] Amazon DocumentDB clusters should be encrypted in transit](documentdb-controls.md#documentdb-6) 
+  [[DynamoDB.3] DynamoDB Accelerator (DAX) clusters should be encrypted at rest](dynamodb-controls.md#dynamodb-3) 
+  [[DynamoDB.7] DynamoDB Accelerator clusters should be encrypted in transit](dynamodb-controls.md#dynamodb-7) 
+  [[EC2.4] Stopped EC2 instances should be removed after a specified time period](ec2-controls.md#ec2-4) 
+  [[EC2.14] Security groups should not allow ingress from 0.0.0.0/0 or ::/0 to port 3389](ec2-controls.md#ec2-14) 
+  [[EC2.22] Unused Amazon EC2 security groups should be removed](ec2-controls.md#ec2-22) 
+  [[EC2.23] Amazon EC2 Transit Gateways should not automatically accept VPC attachment requests](ec2-controls.md#ec2-23) 
+  [[EC2.24] Amazon EC2 paravirtual instance types should not be used](ec2-controls.md#ec2-24) 
+  [[EC2.25] Amazon EC2 launch templates should not assign public IPs to network interfaces](ec2-controls.md#ec2-25) 
+  [[EC2.34] EC2 transit gateway route tables should be tagged](ec2-controls.md#ec2-34) 
+  [[EC2.40] EC2 NAT gateways should be tagged](ec2-controls.md#ec2-40) 
+  [[EC2.58] VPCs should be configured with an interface endpoint for Systems Manager Incident Manager Contacts](ec2-controls.md#ec2-58) 
+  [[EC2.60] VPCs should be configured with an interface endpoint for Systems Manager Incident Manager](ec2-controls.md#ec2-60) 
+  [[EC2.170] EC2 launch templates should use Instance Metadata Service Version 2 (IMDSv2)](ec2-controls.md#ec2-170) 
+  [[EC2.173] EC2 Spot Fleet requests with launch parameters should enable encryption for attached EBS volumes](ec2-controls.md#ec2-173) 
+  [[EC2.175] EC2 launch templates should be tagged](ec2-controls.md#ec2-175) 
+  [[EC2.181] EC2 launch templates should enable encryption for attached EBS volumes](ec2-controls.md#ec2-181) 
+  [[ECR.4] ECR public repositories should be tagged](ecr-controls.md#ecr-4) 
+  [[EFS.1] Elastic File System should be configured to encrypt file data at-rest using Amazon KMS](efs-controls.md#efs-1) 
+  [[EFS.2] Amazon EFS volumes should be in backup plans](efs-controls.md#efs-2) 
+  [[ELB.14] Classic Load Balancer should be configured with defensive or strictest desync mitigation mode](elb-controls.md#elb-14) 
+  [[ELB.17] Application and Network Load Balancers with listeners should use recommended security policies](elb-controls.md#elb-17) 
+  [[ELB.18] Application and Network Load Balancer listeners should use secure protocols to encrypt data in transit](elb-controls.md#elb-18) 
+  [[ElastiCache.1] ElastiCache (Redis OSS) clusters should have automatic backups enabled](elasticache-controls.md#elasticache-1) 
+  [[ElastiCache.2] ElastiCache clusters should have automatic minor version upgrades enabled](elasticache-controls.md#elasticache-2) 
+  [[ElastiCache.3] ElastiCache replication groups should have automatic failover enabled](elasticache-controls.md#elasticache-3) 
+  [[ElastiCache.4] ElastiCache replication groups should be encrypted at rest](elasticache-controls.md#elasticache-4) 
+  [[ElastiCache.5] ElastiCache replication groups should be encrypted in transit](elasticache-controls.md#elasticache-5) 
+  [[ElastiCache.6] ElastiCache (Redis OSS) replication groups of earlier versions should have Redis OSS AUTH enabled](elasticache-controls.md#elasticache-6) 
+  [[ElastiCache.7] ElastiCache clusters should not use the default subnet group](elasticache-controls.md#elasticache-7) 
+  [[ElasticBeanstalk.1] Elastic Beanstalk environments should have enhanced health reporting enabled](elasticbeanstalk-controls.md#elasticbeanstalk-1) 
+  [[ElasticBeanstalk.2] Elastic Beanstalk managed platform updates should be enabled](elasticbeanstalk-controls.md#elasticbeanstalk-2) 
+  [[ElasticBeanstalk.3] Elastic Beanstalk should stream logs to CloudWatch](elasticbeanstalk-controls.md#elasticbeanstalk-3) 
+  [[EMR.1] Amazon EMR cluster primary nodes should not have public IP addresses](emr-controls.md#emr-1) 
+  [[ES.4] Elasticsearch domain error logging to CloudWatch Logs should be enabled](es-controls.md#es-4) 
+  [[EventBridge.4] EventBridge global endpoints should have event replication enabled](eventbridge-controls.md#eventbridge-4) 
+  [[FraudDetector.1] Amazon Fraud Detector entity types should be tagged](frauddetector-controls.md#frauddetector-1) 
+  [[FraudDetector.2] Amazon Fraud Detector labels should be tagged](frauddetector-controls.md#frauddetector-2) 
+  [[FraudDetector.3] Amazon Fraud Detector outcomes should be tagged](frauddetector-controls.md#frauddetector-3) 
+  [[FraudDetector.4] Amazon Fraud Detector variables should be tagged](frauddetector-controls.md#frauddetector-4) 
+  [[FSx.1] FSx for OpenZFS file systems should be configured to copy tags to backups and volumes](fsx-controls.md#fsx-1) 
+  [[FSx.3] FSx for OpenZFS file systems should be configured for Multi-AZ deployment](fsx-controls.md#fsx-3) 
+  [[GlobalAccelerator.1] Global Accelerator accelerators should be tagged](globalaccelerator-controls.md#globalaccelerator-1) 
+  [[Glue.4] Amazon Glue Spark jobs should run on supported versions of Amazon Glue](glue-controls.md#glue-4) 
+  [[GuardDuty.2] GuardDuty filters should be tagged](guardduty-controls.md#guardduty-2) 
+  [[IAM.1] IAM policies should not allow full "*" administrative privileges](iam-controls.md#iam-1) 
+  [[IAM.2] IAM users should not have IAM policies attached](iam-controls.md#iam-2) 
+  [[IAM.3] IAM users' access keys should be rotated every 90 days or less](iam-controls.md#iam-3) 
+  [[IAM.5] MFA should be enabled for all IAM users that have a console password](iam-controls.md#iam-5) 
+  [[IAM.6] Hardware MFA should be enabled for the root user](iam-controls.md#iam-6) 
+  [[IAM.8] Unused IAM user credentials should be removed](iam-controls.md#iam-8) 
+  [[IAM.10] Password policies for IAM users should have strong configurations](iam-controls.md#iam-10) 
+  [[IAM.11] Ensure IAM password policy requires at least one uppercase letter](iam-controls.md#iam-11) 
+  [[IAM.12] Ensure IAM password policy requires at least one lowercase letter](iam-controls.md#iam-12) 
+  [[IAM.13] Ensure IAM password policy requires at least one symbol](iam-controls.md#iam-13) 
+  [[IAM.14] Ensure IAM password policy requires at least one number](iam-controls.md#iam-14) 
+  [[IAM.15] Ensure IAM password policy requires minimum password length of 14 or greater](iam-controls.md#iam-15) 
+  [[IAM.16] Ensure IAM password policy prevents password reuse](iam-controls.md#iam-16) 
+  [[IAM.17] Ensure IAM password policy expires passwords within 90 days or less](iam-controls.md#iam-17) 
+  [[IAM.18] Ensure a support role has been created to manage incidents with Amazon Web Services Support](iam-controls.md#iam-18) 
+  [[IAM.19] MFA should be enabled for all IAM users](iam-controls.md#iam-19) 
+  [[IAM.21] IAM customer managed policies that you create should not allow wildcard actions for services](iam-controls.md#iam-21) 
+  [[IAM.22] IAM user credentials unused for 45 days should be removed](iam-controls.md#iam-22) 
+  [[IAM.24] IAM roles should be tagged](iam-controls.md#iam-24) 
+  [[IAM.25] IAM users should be tagged](iam-controls.md#iam-25) 
+  [[IAM.26] Expired SSL/TLS certificates managed in IAM should be removed](iam-controls.md#iam-26) 
+  [[IAM.27] IAM identities should not have the AWSCloudShellFullAccess policy attached](iam-controls.md#iam-27) 
+  [[Inspector.1] Amazon Inspector EC2 scanning should be enabled](inspector-controls.md#inspector-1) 
+  [[Inspector.2] Amazon Inspector ECR scanning should be enabled](inspector-controls.md#inspector-2) 
+  [[Inspector.3] Amazon Inspector Lambda code scanning should be enabled](inspector-controls.md#inspector-3) 
+  [[Inspector.4] Amazon Inspector Lambda standard scanning should be enabled](inspector-controls.md#inspector-4) 
+  [[IoT.1] Amazon IoT Device Defender security profiles should be tagged](iot-controls.md#iot-1) 
+  [[IoT.2] Amazon IoT Core mitigation actions should be tagged](iot-controls.md#iot-2) 
+  [[IoT.3] Amazon IoT Core dimensions should be tagged](iot-controls.md#iot-3) 
+  [[IoT.4] Amazon IoT Core authorizers should be tagged](iot-controls.md#iot-4) 
+  [[IoT.5] Amazon IoT Core role aliases should be tagged](iot-controls.md#iot-5) 
+  [[IoT.6] Amazon IoT Core policies should be tagged](iot-controls.md#iot-6) 
+  [[IoTEvents.1] Amazon IoT Events inputs should be tagged](iotevents-controls.md#iotevents-1) 
+  [[IoTEvents.2] Amazon IoT Events detector models should be tagged](iotevents-controls.md#iotevents-2) 
+  [[IoTEvents.3] Amazon IoT Events alarm models should be tagged](iotevents-controls.md#iotevents-3) 
+  [[IoTSiteWise.1] Amazon IoT SiteWise asset models should be tagged](iotsitewise-controls.md#iotsitewise-1) 
+  [[IoTSiteWise.2] Amazon IoT SiteWise dashboards should be tagged](iotsitewise-controls.md#iotsitewise-2) 
+  [[IoTSiteWise.3] Amazon IoT SiteWise gateways should be tagged](iotsitewise-controls.md#iotsitewise-3) 
+  [[IoTSiteWise.4] Amazon IoT SiteWise portals should be tagged](iotsitewise-controls.md#iotsitewise-4) 
+  [[IoTSiteWise.5] Amazon IoT SiteWise projects should be tagged](iotsitewise-controls.md#iotsitewise-5) 
+  [[IoTTwinMaker.1] Amazon IoT TwinMaker sync jobs should be tagged](iottwinmaker-controls.md#iottwinmaker-1) 
+  [[IoTTwinMaker.2] Amazon IoT TwinMaker workspaces should be tagged](iottwinmaker-controls.md#iottwinmaker-2) 
+  [[IoTTwinMaker.3] Amazon IoT TwinMaker scenes should be tagged](iottwinmaker-controls.md#iottwinmaker-3) 
+  [[IoTTwinMaker.4] Amazon IoT TwinMaker entities should be tagged](iottwinmaker-controls.md#iottwinmaker-4) 
+  [[IoTWireless.1] Amazon IoT Wireless multicast groups should be tagged](iotwireless-controls.md#iotwireless-1) 
+  [[IoTWireless.2] Amazon IoT Wireless service profiles should be tagged](iotwireless-controls.md#iotwireless-2) 
+  [[IoTWireless.3] Amazon IoT FUOTA tasks should be tagged](iotwireless-controls.md#iotwireless-3) 
+  [[IVS.1] IVS playback key pairs should be tagged](ivs-controls.md#ivs-1) 
+  [[IVS.2] IVS recording configurations should be tagged](ivs-controls.md#ivs-2) 
+  [[IVS.3] IVS channels should be tagged](ivs-controls.md#ivs-3) 
+  [[Keyspaces.1] Amazon Keyspaces keyspaces should be tagged](keyspaces-controls.md#keyspaces-1) 
+  [[Kinesis.1] Kinesis streams should be encrypted at rest](kinesis-controls.md#kinesis-1) 
+  [[KMS.1] IAM customer managed policies should not allow decryption actions on all KMS keys](kms-controls.md#kms-1) 
+  [[KMS.2] IAM principals should not have IAM inline policies that allow decryption actions on all KMS keys](kms-controls.md#kms-2) 
+  [[Macie.1] Amazon Macie should be enabled](macie-controls.md#macie-1) 
+  [[Macie.2] Macie automated sensitive data discovery should be enabled](macie-controls.md#macie-2) 
+  [[MQ.6] RabbitMQ brokers should use cluster deployment mode](mq-controls.md#mq-6) 
+  [[MSK.3] MSK Connect connectors should be encrypted in transit](msk-controls.md#msk-3) 
+  [[MSK.5] MSK connectors should have logging enabled](msk-controls.md#msk-5) 
+  [[Neptune.1] Neptune DB clusters should be encrypted at rest](neptune-controls.md#neptune-1) 
+  [[Neptune.2] Neptune DB clusters should publish audit logs to CloudWatch Logs](neptune-controls.md#neptune-2) 
+  [[Neptune.3] Neptune DB cluster snapshots should not be public](neptune-controls.md#neptune-3) 
+  [[Neptune.4] Neptune DB clusters should have deletion protection enabled](neptune-controls.md#neptune-4) 
+  [[Neptune.5] Neptune DB clusters should have automated backups enabled](neptune-controls.md#neptune-5) 
+  [[Neptune.6] Neptune DB cluster snapshots should be encrypted at rest](neptune-controls.md#neptune-6) 
+  [[Neptune.7] Neptune DB clusters should have IAM database authentication enabled](neptune-controls.md#neptune-7) 
+  [[Neptune.8] Neptune DB clusters should be configured to copy tags to snapshots](neptune-controls.md#neptune-8) 
+  [[Neptune.9] Neptune DB clusters should be deployed across multiple Availability Zones](neptune-controls.md#neptune-9) 
+  [[Opensearch.1] OpenSearch domains should have encryption at rest enabled](opensearch-controls.md#opensearch-1) 
+  [[Opensearch.2] OpenSearch domains should not be publicly accessible](opensearch-controls.md#opensearch-2) 
+  [[Opensearch.3] OpenSearch domains should encrypt data sent between nodes](opensearch-controls.md#opensearch-3) 
+  [[Opensearch.4] OpenSearch domain error logging to CloudWatch Logs should be enabled](opensearch-controls.md#opensearch-4) 
+  [[Opensearch.5] OpenSearch domains should have audit logging enabled](opensearch-controls.md#opensearch-5) 
+  [[Opensearch.6] OpenSearch domains should have at least three data nodes](opensearch-controls.md#opensearch-6) 
+  [[Opensearch.7] OpenSearch domains should have fine-grained access control enabled](opensearch-controls.md#opensearch-7) 
+  [[Opensearch.8] Connections to OpenSearch domains should be encrypted using the latest TLS security policy](opensearch-controls.md#opensearch-8) 
+  [[Opensearch.9] OpenSearch domains should be tagged](opensearch-controls.md#opensearch-9) 
+  [[Opensearch.10] OpenSearch domains should have the latest software update installed](opensearch-controls.md#opensearch-10) 
+  [[Opensearch.11] OpenSearch domains should have at least three dedicated primary nodes](opensearch-controls.md#opensearch-11) 
+  [[RDS.1] RDS snapshot should be private](rds-controls.md#rds-1) 
+  [[RDS.14] Amazon Aurora clusters should have backtracking enabled](rds-controls.md#rds-14) 
+  [[RDS.31] RDS DB security groups should be tagged](rds-controls.md#rds-31) 
+  [[RDS.35] RDS DB clusters should have automatic minor version upgrade enabled](rds-controls.md#rds-35) 
+  [[RDS.37] Aurora PostgreSQL DB clusters should publish logs to CloudWatch Logs](rds-controls.md#rds-37) 
+  [[RedshiftServerless.1] Amazon Redshift Serverless workgroups should use enhanced VPC routing](redshiftserverless-controls.md#redshiftserverless-1) 
+  [[RedshiftServerless.2] Connections to Redshift Serverless workgroups should be required to use SSL](redshiftserverless-controls.md#redshiftserverless-2) 
+  [[RedshiftServerless.3] Redshift Serverless workgroups should prohibit public access](redshiftserverless-controls.md#redshiftserverless-3) 
+  [[RedshiftServerless.4] Redshift Serverless namespaces should be encrypted with customer managed Amazon KMS keys](redshiftserverless-controls.md#redshiftserverless-4) 
+  [[RedshiftServerless.5] Redshift Serverless namespaces should not use the default admin username](redshiftserverless-controls.md#redshiftserverless-5) 
+  [[RedshiftServerless.6] Redshift Serverless namespaces should export logs to CloudWatch Logs](redshiftserverless-controls.md#redshiftserverless-6) 
+  [[Route53.1] Route 53 health checks should be tagged](route53-controls.md#route53-1) 
+  [[Route53.2] Route 53 public hosted zones should log DNS queries](route53-controls.md#route53-2) 
+  [[S3.24] S3 Multi-Region Access Points should have block public access settings enabled](s3-controls.md#s3-24) 
+  [[S3.25] S3 directory buckets should have lifecycle configurations](s3-controls.md#s3-25) 
+  [[SageMaker.1] Amazon SageMaker notebook instances should not have direct internet access](sagemaker-controls.md#sagemaker-1) 
+  [[SageMaker.2] SageMaker notebook instances should be launched in a custom VPC](sagemaker-controls.md#sagemaker-2) 
+  [[SageMaker.3] Users should not have root access to SageMaker notebook instances](sagemaker-controls.md#sagemaker-3) 
+  [[SageMaker.5] SageMaker models should have network isolation enabled](sagemaker-controls.md#sagemaker-5) 
+  [[SageMaker.6] SageMaker app image configurations should be tagged](sagemaker-controls.md#sagemaker-6) 
+  [[SageMaker.7] SageMaker images should be tagged](sagemaker-controls.md#sagemaker-7) 
+  [[SageMaker.8] SageMaker notebook instances should run on supported platforms](sagemaker-controls.md#sagemaker-8) 
+  [[SageMaker.9] SageMaker data quality job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-9) 
+  [[SageMaker.10] SageMaker model explainability job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-10) 
+  [[SageMaker.11] SageMaker data quality job definitions should have network isolation enabled](sagemaker-controls.md#sagemaker-11) 
+  [[SageMaker.12] SageMaker model bias job definitions should have network isolation enabled](sagemaker-controls.md#sagemaker-12) 
+  [[SageMaker.13] SageMaker model quality job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-13) 
+  [[SageMaker.14] SageMaker monitoring schedules should have network isolation enabled](sagemaker-controls.md#sagemaker-14) 
+  [[SageMaker.15] SageMaker model bias job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-15) 
+  [[SES.1] SES contact lists should be tagged](ses-controls.md#ses-1) 
+  [[SES.2] SES configuration sets should be tagged](ses-controls.md#ses-2) 
+  [[SES.3] SES configuration sets should have TLS enabled for sending emails](ses-controls.md#ses-3) 
+  [[SQS.1] Amazon SQS queues should be encrypted at rest](sqs-controls.md#sqs-1) 
+  [[SQS.2] SQS queues should be tagged](sqs-controls.md#sqs-2) 
+  [[SQS.3] SQS queue access policies should not allow public access](sqs-controls.md#sqs-3) 
+  [[SSM.4] SSM documents should not be public](ssm-controls.md#ssm-4) 
+  [[SSM.7] SSM documents should have the block public sharing setting enabled](ssm-controls.md#ssm-7) 
+  [[StepFunctions.1] Step Functions state machines should have logging turned on](stepfunctions-controls.md#stepfunctions-1) 
+  [[Transfer.3] Transfer Family connectors should have logging enabled](transfer-controls.md#transfer-3) 
+  [[Transfer.4] Transfer Family agreements should be tagged](transfer-controls.md#transfer-4) 
+  [[WAF.1] Amazon WAF Classic Global Web ACL logging should be enabled](waf-controls.md#waf-1) 
+  [[WAF.6] Amazon WAF Classic global rules should have at least one condition](waf-controls.md#waf-6) 
+  [[WAF.7] Amazon WAF Classic global rule groups should have at least one rule](waf-controls.md#waf-7) 
+  [[WAF.8] Amazon WAF Classic global web ACLs should have at least one rule or rule group](waf-controls.md#waf-8) 
+  [[WorkSpaces.1] WorkSpaces user volumes should be encrypted at rest](workspaces-controls.md#workspaces-1) 
+  [[WorkSpaces.2] WorkSpaces root volumes should be encrypted at rest](workspaces-controls.md#workspaces-2) 

## Asia Pacific (Mumbai)

The following controls are not supported in the Asia Pacific (Mumbai) Region.
+  [[AppSync.1] Amazon AppSync API caches should be encrypted at rest](appsync-controls.md#appsync-1) 
+  [[AppSync.6] Amazon AppSync API caches should be encrypted in transit](appsync-controls.md#appsync-6) 
+  [[CloudFront.1] CloudFront distributions should have a default root object configured](cloudfront-controls.md#cloudfront-1) 
+  [[CloudFront.3] CloudFront distributions should require encryption in transit](cloudfront-controls.md#cloudfront-3) 
+  [[CloudFront.4] CloudFront distributions should have origin failover configured](cloudfront-controls.md#cloudfront-4) 
+  [[CloudFront.5] CloudFront distributions should have logging enabled](cloudfront-controls.md#cloudfront-5) 
+  [[CloudFront.6] CloudFront distributions should have WAF enabled](cloudfront-controls.md#cloudfront-6) 
+  [[CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates](cloudfront-controls.md#cloudfront-7) 
+  [[CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests](cloudfront-controls.md#cloudfront-8) 
+  [[CloudFront.9] CloudFront distributions should encrypt traffic to custom origins](cloudfront-controls.md#cloudfront-9) 
+  [[CloudFront.10] CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins](cloudfront-controls.md#cloudfront-10) 
+  [[CloudFront.12] CloudFront distributions should not point to non-existent S3 origins](cloudfront-controls.md#cloudfront-12) 
+  [[CloudFront.13] CloudFront distributions should use origin access control](cloudfront-controls.md#cloudfront-13) 
+  [[CloudFront.14] CloudFront distributions should be tagged](cloudfront-controls.md#cloudfront-14) 
+  [[CloudFront.15] CloudFront distributions should use the recommended TLS security policy](cloudfront-controls.md#cloudfront-15) 
+  [[CloudFront.16] CloudFront distributions should use origin access control for Lambda function URL origins](cloudfront-controls.md#cloudfront-16) 
+  [[CloudFront.17] CloudFront distributions should use trusted key groups for signed URLs and cookies](cloudfront-controls.md#cloudfront-17) 
+  [[CodeGuruProfiler.1] CodeGuru Profiler profiling groups should be tagged](codeguruprofiler-controls.md#codeguruprofiler-1) 
+  [[CodeGuruReviewer.1] CodeGuru Reviewer repository associations should be tagged](codegurureviewer-controls.md#codegurureviewer-1) 
+  [[Connect.1] Amazon Connect Customer Profiles object types should be tagged](connect-controls.md#connect-1) 
+  [[Connect.2] Amazon Connect instances should have CloudWatch logging enabled](connect-controls.md#connect-2) 
+  [[EC2.24] Amazon EC2 paravirtual instance types should not be used](ec2-controls.md#ec2-24) 
+  [[EC2.173] EC2 Spot Fleet requests with launch parameters should enable encryption for attached EBS volumes](ec2-controls.md#ec2-173) 
+  [[ECR.4] ECR public repositories should be tagged](ecr-controls.md#ecr-4) 
+  [[FraudDetector.1] Amazon Fraud Detector entity types should be tagged](frauddetector-controls.md#frauddetector-1) 
+  [[FraudDetector.2] Amazon Fraud Detector labels should be tagged](frauddetector-controls.md#frauddetector-2) 
+  [[FraudDetector.3] Amazon Fraud Detector outcomes should be tagged](frauddetector-controls.md#frauddetector-3) 
+  [[FraudDetector.4] Amazon Fraud Detector variables should be tagged](frauddetector-controls.md#frauddetector-4) 
+  [[GlobalAccelerator.1] Global Accelerator accelerators should be tagged](globalaccelerator-controls.md#globalaccelerator-1) 
+  [[IAM.26] Expired SSL/TLS certificates managed in IAM should be removed](iam-controls.md#iam-26) 
+  [[Inspector.3] Amazon Inspector Lambda code scanning should be enabled](inspector-controls.md#inspector-3) 
+  [[IoTTwinMaker.4] Amazon IoT TwinMaker entities should be tagged](iottwinmaker-controls.md#iottwinmaker-4) 
+  [[IoTWireless.1] Amazon IoT Wireless multicast groups should be tagged](iotwireless-controls.md#iotwireless-1) 
+  [[IoTWireless.2] Amazon IoT Wireless service profiles should be tagged](iotwireless-controls.md#iotwireless-2) 
+  [[IoTWireless.3] Amazon IoT FUOTA tasks should be tagged](iotwireless-controls.md#iotwireless-3) 
+  [[RDS.31] RDS DB security groups should be tagged](rds-controls.md#rds-31) 
+  [[Route53.1] Route 53 health checks should be tagged](route53-controls.md#route53-1) 
+  [[Route53.2] Route 53 public hosted zones should log DNS queries](route53-controls.md#route53-2) 
+  [[S3.24] S3 Multi-Region Access Points should have block public access settings enabled](s3-controls.md#s3-24) 
+  [[WAF.1] Amazon WAF Classic Global Web ACL logging should be enabled](waf-controls.md#waf-1) 
+  [[WAF.6] Amazon WAF Classic global rules should have at least one condition](waf-controls.md#waf-6) 
+  [[WAF.7] Amazon WAF Classic global rule groups should have at least one rule](waf-controls.md#waf-7) 
+  [[WAF.8] Amazon WAF Classic global web ACLs should have at least one rule or rule group](waf-controls.md#waf-8) 

## Asia Pacific (New Zealand)

The following controls are not supported in the Asia Pacific (New Zealand) Region.
+  [[ACM.1] Imported and ACM-issued certificates should be renewed after a specified time period](acm-controls.md#acm-1) 
+  [[ACM.2] RSA certificates managed by ACM should use a key length of at least 2,048 bits](acm-controls.md#acm-2) 
+  [[Account.1] Security contact information should be provided for an Amazon Web Services account](account-controls.md#account-1) 
+  [[Account.2] Amazon Web Services accounts should be part of an Amazon Organizations organization](account-controls.md#account-2) 
+  [[APIGateway.1] API Gateway REST and WebSocket API execution logging should be enabled](apigateway-controls.md#apigateway-1) 
+  [[APIGateway.2] API Gateway REST API stages should be configured to use SSL certificates for backend authentication](apigateway-controls.md#apigateway-2) 
+  [[APIGateway.3] API Gateway REST API stages should have Amazon X-Ray tracing enabled](apigateway-controls.md#apigateway-3) 
+  [[APIGateway.4] API Gateway should be associated with a WAF Web ACL](apigateway-controls.md#apigateway-4) 
+  [[APIGateway.5] API Gateway REST API cache data should be encrypted at rest](apigateway-controls.md#apigateway-5) 
+  [[APIGateway.8] API Gateway routes should specify an authorization type](apigateway-controls.md#apigateway-8) 
+  [[APIGateway.9] Access logging should be configured for API Gateway V2 Stages](apigateway-controls.md#apigateway-9) 
+  [[APIGateway.10] API Gateway V2 integrations should use HTTPS for private connections](apigateway-controls.md#apigateway-10) 
+  [[Amplify.1] Amplify apps should be tagged](amplify-controls.md#amplify-1) 
+  [[Amplify.2] Amplify branches should be tagged](amplify-controls.md#amplify-2) 
+  [[AppConfig.1] Amazon AppConfig applications should be tagged](appconfig-controls.md#appconfig-1) 
+  [[AppConfig.2] Amazon AppConfig configuration profiles should be tagged](appconfig-controls.md#appconfig-2) 
+  [[AppConfig.3] Amazon AppConfig environments should be tagged](appconfig-controls.md#appconfig-3) 
+  [[AppConfig.4] Amazon AppConfig extension associations should be tagged](appconfig-controls.md#appconfig-4) 
+  [[AppFlow.1] Amazon AppFlow flows should be tagged](appflow-controls.md#appflow-1) 
+  [[AppRunner.1] App Runner services should be tagged](apprunner-controls.md#apprunner-1) 
+  [[AppRunner.2] App Runner VPC connectors should be tagged](apprunner-controls.md#apprunner-2) 
+  [[AppSync.1] Amazon AppSync API caches should be encrypted at rest](appsync-controls.md#appsync-1) 
+  [[AppSync.2] Amazon AppSync should have field-level logging enabled](appsync-controls.md#appsync-2) 
+  [[AppSync.4] Amazon AppSync GraphQL APIs should be tagged](appsync-controls.md#appsync-4) 
+  [[AppSync.5] Amazon AppSync GraphQL APIs should not be authenticated with API keys](appsync-controls.md#appsync-5) 
+  [[AppSync.6] Amazon AppSync API caches should be encrypted in transit](appsync-controls.md#appsync-6) 
+  [[Athena.2] Athena data catalogs should be tagged](athena-controls.md#athena-2) 
+  [[Athena.3] Athena workgroups should be tagged](athena-controls.md#athena-3) 
+  [[Athena.4] Athena workgroups should have logging enabled](athena-controls.md#athena-4) 
+  [[AutoScaling.2] Amazon EC2 Auto Scaling group should cover multiple Availability Zones](autoscaling-controls.md#autoscaling-2) 
+  [[AutoScaling.3] Auto Scaling group launch configurations should configure EC2 instances to require Instance Metadata Service Version 2 (IMDSv2)](autoscaling-controls.md#autoscaling-3) 
+  [[AutoScaling.6] Auto Scaling groups should use multiple instance types in multiple Availability Zones](autoscaling-controls.md#autoscaling-6) 
+  [[AutoScaling.9] Amazon EC2 Auto Scaling groups should use Amazon EC2 launch templates](autoscaling-controls.md#autoscaling-9) 
+  [[Backup.1] Amazon Backup recovery points should be encrypted at rest](backup-controls.md#backup-1) 
+  [[Backup.2] Amazon Backup recovery points should be tagged](backup-controls.md#backup-2) 
+  [[Backup.4] Amazon Backup report plans should be tagged](backup-controls.md#backup-4) 
+  [[Batch.1] Batch job queues should be tagged](batch-controls.md#batch-1) 
+  [[Batch.2] Batch scheduling policies should be tagged](batch-controls.md#batch-2) 
+  [[Batch.3] Batch compute environments should be tagged](batch-controls.md#batch-3) 
+  [[Batch.4] Compute resources properties in managed Batch compute environments should be tagged](batch-controls.md#batch-4) 
+  [[CloudFormation.3] CloudFormation stacks should have termination protection enabled](cloudformation-controls.md#cloudformation-3) 
+  [[CloudFormation.4] CloudFormation stacks should have associated service roles](cloudformation-controls.md#cloudformation-4) 
+  [[CloudFront.1] CloudFront distributions should have a default root object configured](cloudfront-controls.md#cloudfront-1) 
+  [[CloudFront.3] CloudFront distributions should require encryption in transit](cloudfront-controls.md#cloudfront-3) 
+  [[CloudFront.4] CloudFront distributions should have origin failover configured](cloudfront-controls.md#cloudfront-4) 
+  [[CloudFront.5] CloudFront distributions should have logging enabled](cloudfront-controls.md#cloudfront-5) 
+  [[CloudFront.6] CloudFront distributions should have WAF enabled](cloudfront-controls.md#cloudfront-6) 
+  [[CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates](cloudfront-controls.md#cloudfront-7) 
+  [[CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests](cloudfront-controls.md#cloudfront-8) 
+  [[CloudFront.9] CloudFront distributions should encrypt traffic to custom origins](cloudfront-controls.md#cloudfront-9) 
+  [[CloudFront.10] CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins](cloudfront-controls.md#cloudfront-10) 
+  [[CloudFront.12] CloudFront distributions should not point to non-existent S3 origins](cloudfront-controls.md#cloudfront-12) 
+  [[CloudFront.13] CloudFront distributions should use origin access control](cloudfront-controls.md#cloudfront-13) 
+  [[CloudFront.14] CloudFront distributions should be tagged](cloudfront-controls.md#cloudfront-14) 
+  [[CloudFront.15] CloudFront distributions should use the recommended TLS security policy](cloudfront-controls.md#cloudfront-15) 
+  [[CloudFront.16] CloudFront distributions should use origin access control for Lambda function URL origins](cloudfront-controls.md#cloudfront-16) 
+  [[CloudFront.17] CloudFront distributions should use trusted key groups for signed URLs and cookies](cloudfront-controls.md#cloudfront-17) 
+  [[CloudTrail.6] Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible](cloudtrail-controls.md#cloudtrail-6) 
+  [[CloudTrail.7] Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket](cloudtrail-controls.md#cloudtrail-7) 
+  [[CloudTrail.10] CloudTrail Lake event data stores should be encrypted with customer managed Amazon KMS keys](cloudtrail-controls.md#cloudtrail-10) 
+  [[CloudWatch.17] CloudWatch alarm actions should be activated](cloudwatch-controls.md#cloudwatch-17) 
+  [[CodeArtifact.1] CodeArtifact repositories should be tagged](codeartifact-controls.md#codeartifact-1) 
+  [[CodeBuild.1] CodeBuild Bitbucket source repository URLs should not contain sensitive credentials](codebuild-controls.md#codebuild-1) 
+  [[CodeBuild.2] CodeBuild project environment variables should not contain clear text credentials](codebuild-controls.md#codebuild-2) 
+  [[CodeBuild.3] CodeBuild S3 logs should be encrypted](codebuild-controls.md#codebuild-3) 
+  [[CodeBuild.4] CodeBuild project environments should have a logging Amazon Configuration](codebuild-controls.md#codebuild-4) 
+  [[CodeBuild.7] CodeBuild report group exports should be encrypted at rest](codebuild-controls.md#codebuild-7) 
+  [[CodeGuruProfiler.1] CodeGuru Profiler profiling groups should be tagged](codeguruprofiler-controls.md#codeguruprofiler-1) 
+  [[CodeGuruReviewer.1] CodeGuru Reviewer repository associations should be tagged](codegurureviewer-controls.md#codegurureviewer-1) 
+  [[Cognito.1] Cognito user pools should have threat protection activated with full function enforcement mode for standard authentication](cognito-controls.md#cognito-1) 
+  [[Cognito.2] Cognito identity pools should not allow unauthenticated identities](cognito-controls.md#cognito-2) 
+  [[Cognito.3] Password policies for Cognito user pools should have strong configurations](cognito-controls.md#cognito-3) 
+  [[Cognito.4] Cognito user pools should have threat protection activated with full function enforcement mode for custom authentication](cognito-controls.md#cognito-4) 
+  [[Cognito.5] MFA should be enabled for Cognito user pools](cognito-controls.md#cognito-5) 
+  [[Cognito.6] Cognito user pools should have deletion protection enabled](cognito-controls.md#cognito-6) 
+  [[Connect.1] Amazon Connect Customer Profiles object types should be tagged](connect-controls.md#connect-1) 
+  [[Connect.2] Amazon Connect instances should have CloudWatch logging enabled](connect-controls.md#connect-2) 
+  [[DataFirehose.1] Firehose delivery streams should be encrypted at rest](datafirehose-controls.md#datafirehose-1) 
+  [[DataSync.1] DataSync tasks should have logging enabled](datasync-controls.md#datasync-1) 
+  [[DataSync.2] DataSync tasks should be tagged](datasync-controls.md#datasync-2) 
+  [[Detective.1] Detective behavior graphs should be tagged](detective-controls.md#detective-1) 
+  [[DMS.2] DMS certificates should be tagged](dms-controls.md#dms-2) 
+  [[DMS.3] DMS event subscriptions should be tagged](dms-controls.md#dms-3) 
+  [[DMS.4] DMS replication instances should be tagged](dms-controls.md#dms-4) 
+  [[DMS.5] DMS replication subnet groups should be tagged](dms-controls.md#dms-5) 
+  [[DMS.6] DMS replication instances should have automatic minor version upgrade enabled](dms-controls.md#dms-6) 
+  [[DMS.7] DMS replication tasks for the target database should have logging enabled](dms-controls.md#dms-7) 
+  [[DMS.8] DMS replication tasks for the source database should have logging enabled](dms-controls.md#dms-8) 
+  [[DMS.9] DMS endpoints should use SSL](dms-controls.md#dms-9) 
+  [[DMS.10] DMS endpoints for Neptune databases should have IAM authorization enabled](dms-controls.md#dms-10) 
+  [[DMS.11] DMS endpoints for MongoDB should have an authentication mechanism enabled](dms-controls.md#dms-11) 
+  [[DMS.12] DMS endpoints for Redis OSS should have TLS enabled](dms-controls.md#dms-12) 
+  [[DMS.13] DMS replication instances should be configured to use multiple Availability Zones](dms-controls.md#dms-13) 
+  [[DocumentDB.1] Amazon DocumentDB clusters should be encrypted at rest](documentdb-controls.md#documentdb-1) 
+  [[DocumentDB.2] Amazon DocumentDB clusters should have an adequate backup retention period](documentdb-controls.md#documentdb-2) 
+  [[DocumentDB.3] Amazon DocumentDB manual cluster snapshots should not be public](documentdb-controls.md#documentdb-3) 
+  [[DocumentDB.4] Amazon DocumentDB clusters should publish audit logs to CloudWatch Logs](documentdb-controls.md#documentdb-4) 
+  [[DocumentDB.5] Amazon DocumentDB clusters should have deletion protection enabled](documentdb-controls.md#documentdb-5) 
+  [[DocumentDB.6] Amazon DocumentDB clusters should be encrypted in transit](documentdb-controls.md#documentdb-6) 
+  [[DynamoDB.3] DynamoDB Accelerator (DAX) clusters should be encrypted at rest](dynamodb-controls.md#dynamodb-3) 
+  [[DynamoDB.4] DynamoDB tables should be present in a backup plan](dynamodb-controls.md#dynamodb-4) 
+  [[DynamoDB.6] DynamoDB tables should have deletion protection enabled](dynamodb-controls.md#dynamodb-6) 
+  [[DynamoDB.7] DynamoDB Accelerator clusters should be encrypted in transit](dynamodb-controls.md#dynamodb-7) 
+  [[EC2.4] Stopped EC2 instances should be removed after a specified time period](ec2-controls.md#ec2-4) 
+  [[EC2.21] Network ACLs should not allow ingress from 0.0.0.0/0 to port 22 or port 3389](ec2-controls.md#ec2-21) 
+  [[EC2.22] Unused Amazon EC2 security groups should be removed](ec2-controls.md#ec2-22) 
+  [[EC2.23] Amazon EC2 Transit Gateways should not automatically accept VPC attachment requests](ec2-controls.md#ec2-23) 
+  [[EC2.24] Amazon EC2 paravirtual instance types should not be used](ec2-controls.md#ec2-24) 
+  [[EC2.25] Amazon EC2 launch templates should not assign public IPs to network interfaces](ec2-controls.md#ec2-25) 
+  [[EC2.28] EBS volumes should be covered by a backup plan](ec2-controls.md#ec2-28) 
+  [[EC2.34] EC2 transit gateway route tables should be tagged](ec2-controls.md#ec2-34) 
+  [[EC2.40] EC2 NAT gateways should be tagged](ec2-controls.md#ec2-40) 
+  [[EC2.51] EC2 Client VPN endpoints should have client connection logging enabled](ec2-controls.md#ec2-51) 
+  [[EC2.53] EC2 security groups should not allow ingress from 0.0.0.0/0 to remote server administration ports](ec2-controls.md#ec2-53) 
+  [[EC2.54] EC2 security groups should not allow ingress from ::/0 to remote server administration ports](ec2-controls.md#ec2-54) 
+  [[EC2.55] VPCs should be configured with an interface endpoint for ECR API](ec2-controls.md#ec2-55) 
+  [[EC2.56] VPCs should be configured with an interface endpoint for Docker Registry](ec2-controls.md#ec2-56) 
+  [[EC2.57] VPCs should be configured with an interface endpoint for Systems Manager](ec2-controls.md#ec2-57) 
+  [[EC2.58] VPCs should be configured with an interface endpoint for Systems Manager Incident Manager Contacts](ec2-controls.md#ec2-58) 
+  [[EC2.60] VPCs should be configured with an interface endpoint for Systems Manager Incident Manager](ec2-controls.md#ec2-60) 
+  [[EC2.170] EC2 launch templates should use Instance Metadata Service Version 2 (IMDSv2)](ec2-controls.md#ec2-170) 
+  [[EC2.171] EC2 VPN connections should have logging enabled](ec2-controls.md#ec2-171) 
+  [[EC2.172] EC2 VPC Block Public Access settings should block internet gateway traffic](ec2-controls.md#ec2-172) 
+  [[EC2.173] EC2 Spot Fleet requests with launch parameters should enable encryption for attached EBS volumes](ec2-controls.md#ec2-173) 
+  [[EC2.174] EC2 DHCP option sets should be tagged](ec2-controls.md#ec2-174) 
+  [[EC2.175] EC2 launch templates should be tagged](ec2-controls.md#ec2-175) 
+  [[EC2.176] EC2 prefix lists should be tagged](ec2-controls.md#ec2-176) 
+  [[EC2.177] EC2 traffic mirror sessions should be tagged](ec2-controls.md#ec2-177) 
+  [[EC2.178] EC2 traffic mirror filters should be tagged](ec2-controls.md#ec2-178) 
+  [[EC2.179] EC2 traffic mirror targets should be tagged](ec2-controls.md#ec2-179) 
+  [[EC2.180] EC2 network interfaces should have source/destination checking enabled](ec2-controls.md#ec2-180) 
+  [[EC2.181] EC2 launch templates should enable encryption for attached EBS volumes](ec2-controls.md#ec2-181) 
+  [[EC2.182] Block public access settings should be enabled for Amazon EBS snapshots](ec2-controls.md#ec2-182) 
+  [[ECR.1] ECR private repositories should have image scanning configured](ecr-controls.md#ecr-1) 
+  [[ECR.2] ECR private repositories should have tag immutability configured](ecr-controls.md#ecr-2) 
+  [[ECR.3] ECR repositories should have at least one lifecycle policy configured](ecr-controls.md#ecr-3) 
+  [[ECR.4] ECR public repositories should be tagged](ecr-controls.md#ecr-4) 
+  [[ECR.5] ECR repositories should be encrypted with customer managed Amazon KMS keys](ecr-controls.md#ecr-5) 
+  [[ECS.3] ECS task definitions should not share the host's process namespace](ecs-controls.md#ecs-3) 
+  [[ECS.4] ECS containers should run as non-privileged](ecs-controls.md#ecs-4) 
+  [[ECS.5] ECS task definitions should configure containers to be limited to read-only access to root filesystems](ecs-controls.md#ecs-5) 
+  [[ECS.8] Secrets should not be passed as container environment variables](ecs-controls.md#ecs-8) 
+  [[ECS.9] ECS task definitions should have a logging configuration](ecs-controls.md#ecs-9) 
+  [[ECS.10] ECS Fargate services should run on the latest Fargate platform version](ecs-controls.md#ecs-10) 
+  [[ECS.12] ECS clusters should use Container Insights](ecs-controls.md#ecs-12) 
+  [[ECS.16] ECS task sets should not automatically assign public IP addresses](ecs-controls.md#ecs-16) 
+  [[ECS.17] ECS task definitions should not use host network mode](ecs-controls.md#ecs-17) 
+  [[ECS.18] ECS Task Definitions should use in-transit encryption for EFS volumes](ecs-controls.md#ecs-18) 
+  [[ECS.19] ECS capacity providers should have managed termination protection enabled](ecs-controls.md#ecs-19) 
+  [[ECS.20] ECS Task Definitions should configure non-root users in Linux container definitions](ecs-controls.md#ecs-20) 
+  [[ECS.21] ECS Task Definitions should configure non-administrator users in Windows container definitions](ecs-controls.md#ecs-21) 
+  [[EFS.1] Elastic File System should be configured to encrypt file data at-rest using Amazon KMS](efs-controls.md#efs-1) 
+  [[EFS.2] Amazon EFS volumes should be in backup plans](efs-controls.md#efs-2) 
+  [[EFS.3] EFS access points should enforce a root directory](efs-controls.md#efs-3) 
+  [[EFS.4] EFS access points should enforce a user identity](efs-controls.md#efs-4) 
+  [[EFS.6] EFS mount targets should not be associated with subnets that assign public IP addresses on launch](efs-controls.md#efs-6) 
+  [[EFS.7] EFS file systems should have automatic backups enabled](efs-controls.md#efs-7) 
+  [[EFS.8] EFS file systems should be encrypted at rest](efs-controls.md#efs-8) 
+  [[EKS.2] EKS clusters should run on a supported Kubernetes version](eks-controls.md#eks-2) 
+  [[EKS.3] EKS clusters should use encrypted Kubernetes secrets](eks-controls.md#eks-3) 
+  [[EKS.7] EKS identity provider configurations should be tagged](eks-controls.md#eks-7) 
+  [[EKS.8] EKS clusters should have audit logging enabled](eks-controls.md#eks-8) 
+  [[ELB.2] Classic Load Balancers with SSL/HTTPS listeners should use a certificate provided by Amazon Certificate Manager](elb-controls.md#elb-2) 
+  [[ELB.10] Classic Load Balancer should span multiple Availability Zones](elb-controls.md#elb-10) 
+  [[ELB.12] Application Load Balancer should be configured with defensive or strictest desync mitigation mode](elb-controls.md#elb-12) 
+  [[ELB.13] Application, Network and Gateway Load Balancers should span multiple Availability Zones](elb-controls.md#elb-13) 
+  [[ELB.14] Classic Load Balancer should be configured with defensive or strictest desync mitigation mode](elb-controls.md#elb-14) 
+  [[ELB.16] Application Load Balancers should be associated with an Amazon WAF web ACL](elb-controls.md#elb-16) 
+  [[ELB.17] Application and Network Load Balancers with listeners should use recommended security policies](elb-controls.md#elb-17) 
+  [[ELB.18] Application and Network Load Balancer listeners should use secure protocols to encrypt data in transit](elb-controls.md#elb-18) 
+  [[ELB.21] Application and Network Load Balancer target groups should use encrypted health check protocols](elb-controls.md#elb-21) 
+  [[ELB.22] ELB target groups should use encrypted transport protocols](elb-controls.md#elb-22) 
+  [[ElastiCache.1] ElastiCache (Redis OSS) clusters should have automatic backups enabled](elasticache-controls.md#elasticache-1) 
+  [[ElastiCache.2] ElastiCache clusters should have automatic minor version upgrades enabled](elasticache-controls.md#elasticache-2) 
+  [[ElastiCache.3] ElastiCache replication groups should have automatic failover enabled](elasticache-controls.md#elasticache-3) 
+  [[ElastiCache.4] ElastiCache replication groups should be encrypted at rest](elasticache-controls.md#elasticache-4) 
+  [[ElastiCache.5] ElastiCache replication groups should be encrypted in transit](elasticache-controls.md#elasticache-5) 
+  [[ElastiCache.6] ElastiCache (Redis OSS) replication groups of earlier versions should have Redis OSS AUTH enabled](elasticache-controls.md#elasticache-6) 
+  [[ElastiCache.7] ElastiCache clusters should not use the default subnet group](elasticache-controls.md#elasticache-7) 
+  [[ElasticBeanstalk.1] Elastic Beanstalk environments should have enhanced health reporting enabled](elasticbeanstalk-controls.md#elasticbeanstalk-1) 
+  [[ElasticBeanstalk.2] Elastic Beanstalk managed platform updates should be enabled](elasticbeanstalk-controls.md#elasticbeanstalk-2) 
+  [[ElasticBeanstalk.3] Elastic Beanstalk should stream logs to CloudWatch](elasticbeanstalk-controls.md#elasticbeanstalk-3) 
+  [[EMR.1] Amazon EMR cluster primary nodes should not have public IP addresses](emr-controls.md#emr-1) 
+  [[EMR.2] Amazon EMR block public access setting should be enabled](emr-controls.md#emr-2) 
+  [[EMR.3] Amazon EMR security configurations should be encrypted at rest](emr-controls.md#emr-3) 
+  [[EMR.4] Amazon EMR security configurations should be encrypted in transit](emr-controls.md#emr-4) 
+  [[ES.3] Elasticsearch domains should encrypt data sent between nodes](es-controls.md#es-3) 
+  [[ES.4] Elasticsearch domain error logging to CloudWatch Logs should be enabled](es-controls.md#es-4) 
+  [[ES.9] Elasticsearch domains should be tagged](es-controls.md#es-9) 
+  [[EventBridge.3] EventBridge custom event buses should have a resource-based policy attached](eventbridge-controls.md#eventbridge-3) 
+  [[EventBridge.4] EventBridge global endpoints should have event replication enabled](eventbridge-controls.md#eventbridge-4) 
+  [[FraudDetector.1] Amazon Fraud Detector entity types should be tagged](frauddetector-controls.md#frauddetector-1) 
+  [[FraudDetector.2] Amazon Fraud Detector labels should be tagged](frauddetector-controls.md#frauddetector-2) 
+  [[FraudDetector.3] Amazon Fraud Detector outcomes should be tagged](frauddetector-controls.md#frauddetector-3) 
+  [[FraudDetector.4] Amazon Fraud Detector variables should be tagged](frauddetector-controls.md#frauddetector-4) 
+  [[FSx.1] FSx for OpenZFS file systems should be configured to copy tags to backups and volumes](fsx-controls.md#fsx-1) 
+  [[FSx.2] FSx for Lustre file systems should be configured to copy tags to backups](fsx-controls.md#fsx-2) 
+  [[FSx.3] FSx for OpenZFS file systems should be configured for Multi-AZ deployment](fsx-controls.md#fsx-3) 
+  [[FSx.4] FSx for NetApp ONTAP file systems should be configured for Multi-AZ deployment](fsx-controls.md#fsx-4) 
+  [[FSx.5] FSx for Windows File Server file systems should be configured for Multi-AZ deployment](fsx-controls.md#fsx-5) 
+  [[GlobalAccelerator.1] Global Accelerator accelerators should be tagged](globalaccelerator-controls.md#globalaccelerator-1) 
+  [[Glue.1] Amazon Glue jobs should be tagged](glue-controls.md#glue-1) 
+  [[Glue.3] Amazon Glue machine learning transforms should be encrypted at rest](glue-controls.md#glue-3) 
+  [[Glue.4] Amazon Glue Spark jobs should run on supported versions of Amazon Glue](glue-controls.md#glue-4) 
+  [[GuardDuty.1] GuardDuty should be enabled](guardduty-controls.md#guardduty-1) 
+  [[GuardDuty.2] GuardDuty filters should be tagged](guardduty-controls.md#guardduty-2) 
+  [[GuardDuty.3] GuardDuty IPSets should be tagged](guardduty-controls.md#guardduty-3) 
+  [[GuardDuty.4] GuardDuty detectors should be tagged](guardduty-controls.md#guardduty-4) 
+  [[GuardDuty.5] GuardDuty EKS Audit Log Monitoring should be enabled](guardduty-controls.md#guardduty-5) 
+  [[GuardDuty.6] GuardDuty Lambda Protection should be enabled](guardduty-controls.md#guardduty-6) 
+  [[GuardDuty.7] GuardDuty EKS Runtime Monitoring should be enabled](guardduty-controls.md#guardduty-7) 
+  [[GuardDuty.8] GuardDuty Malware Protection for EC2 should be enabled](guardduty-controls.md#guardduty-8) 
+  [[GuardDuty.9] GuardDuty RDS Protection should be enabled](guardduty-controls.md#guardduty-9) 
+  [[GuardDuty.10] GuardDuty S3 Protection should be enabled](guardduty-controls.md#guardduty-10) 
+  [[GuardDuty.11] GuardDuty Runtime Monitoring should be enabled](guardduty-controls.md#guardduty-11) 
+  [[GuardDuty.12] GuardDuty ECS Runtime Monitoring should be enabled](guardduty-controls.md#guardduty-12) 
+  [[GuardDuty.13] GuardDuty EC2 Runtime Monitoring should be enabled](guardduty-controls.md#guardduty-13) 
+  [[IAM.1] IAM policies should not allow full "*" administrative privileges](iam-controls.md#iam-1) 
+  [[IAM.2] IAM users should not have IAM policies attached](iam-controls.md#iam-2) 
+  [[IAM.3] IAM users' access keys should be rotated every 90 days or less](iam-controls.md#iam-3) 
+  [[IAM.4] IAM root user access key should not exist](iam-controls.md#iam-4) 
+  [[IAM.5] MFA should be enabled for all IAM users that have a console password](iam-controls.md#iam-5) 
+  [[IAM.6] Hardware MFA should be enabled for the root user](iam-controls.md#iam-6) 
+  [[IAM.7] Password policies for IAM users should have strong configurations](iam-controls.md#iam-7) 
+  [[IAM.8] Unused IAM user credentials should be removed](iam-controls.md#iam-8) 
+  [[IAM.9] MFA should be enabled for the root user](iam-controls.md#iam-9) 
+  [[IAM.10] Password policies for IAM users should have strong configurations](iam-controls.md#iam-10) 
+  [[IAM.11] Ensure IAM password policy requires at least one uppercase letter](iam-controls.md#iam-11) 
+  [[IAM.12] Ensure IAM password policy requires at least one lowercase letter](iam-controls.md#iam-12) 
+  [[IAM.13] Ensure IAM password policy requires at least one symbol](iam-controls.md#iam-13) 
+  [[IAM.14] Ensure IAM password policy requires at least one number](iam-controls.md#iam-14) 
+  [[IAM.15] Ensure IAM password policy requires minimum password length of 14 or greater](iam-controls.md#iam-15) 
+  [[IAM.16] Ensure IAM password policy prevents password reuse](iam-controls.md#iam-16) 
+  [[IAM.17] Ensure IAM password policy expires passwords within 90 days or less](iam-controls.md#iam-17) 
+  [[IAM.18] Ensure a support role has been created to manage incidents with Amazon Web Services Support](iam-controls.md#iam-18) 
+  [[IAM.19] MFA should be enabled for all IAM users](iam-controls.md#iam-19) 
+  [[IAM.21] IAM customer managed policies that you create should not allow wildcard actions for services](iam-controls.md#iam-21) 
+  [[IAM.22] IAM user credentials unused for 45 days should be removed](iam-controls.md#iam-22) 
+  [[IAM.24] IAM roles should be tagged](iam-controls.md#iam-24) 
+  [[IAM.25] IAM users should be tagged](iam-controls.md#iam-25) 
+  [[IAM.26] Expired SSL/TLS certificates managed in IAM should be removed](iam-controls.md#iam-26) 
+  [[IAM.27] IAM identities should not have the AWSCloudShellFullAccess policy attached](iam-controls.md#iam-27) 
+  [[IAM.28] IAM Access Analyzer external access analyzer should be enabled](iam-controls.md#iam-28) 
+  [[Inspector.1] Amazon Inspector EC2 scanning should be enabled](inspector-controls.md#inspector-1) 
+  [[Inspector.2] Amazon Inspector ECR scanning should be enabled](inspector-controls.md#inspector-2) 
+  [[Inspector.3] Amazon Inspector Lambda code scanning should be enabled](inspector-controls.md#inspector-3) 
+  [[Inspector.4] Amazon Inspector Lambda standard scanning should be enabled](inspector-controls.md#inspector-4) 
+  [[IoT.1] Amazon IoT Device Defender security profiles should be tagged](iot-controls.md#iot-1) 
+  [[IoT.2] Amazon IoT Core mitigation actions should be tagged](iot-controls.md#iot-2) 
+  [[IoT.3] Amazon IoT Core dimensions should be tagged](iot-controls.md#iot-3) 
+  [[IoT.4] Amazon IoT Core authorizers should be tagged](iot-controls.md#iot-4) 
+  [[IoT.5] Amazon IoT Core role aliases should be tagged](iot-controls.md#iot-5) 
+  [[IoT.6] Amazon IoT Core policies should be tagged](iot-controls.md#iot-6) 
+  [[IoTEvents.1] Amazon IoT Events inputs should be tagged](iotevents-controls.md#iotevents-1) 
+  [[IoTEvents.2] Amazon IoT Events detector models should be tagged](iotevents-controls.md#iotevents-2) 
+  [[IoTEvents.3] Amazon IoT Events alarm models should be tagged](iotevents-controls.md#iotevents-3) 
+  [[IoTSiteWise.1] Amazon IoT SiteWise asset models should be tagged](iotsitewise-controls.md#iotsitewise-1) 
+  [[IoTSiteWise.2] Amazon IoT SiteWise dashboards should be tagged](iotsitewise-controls.md#iotsitewise-2) 
+  [[IoTSiteWise.3] Amazon IoT SiteWise gateways should be tagged](iotsitewise-controls.md#iotsitewise-3) 
+  [[IoTSiteWise.4] Amazon IoT SiteWise portals should be tagged](iotsitewise-controls.md#iotsitewise-4) 
+  [[IoTSiteWise.5] Amazon IoT SiteWise projects should be tagged](iotsitewise-controls.md#iotsitewise-5) 
+  [[IoTTwinMaker.1] Amazon IoT TwinMaker sync jobs should be tagged](iottwinmaker-controls.md#iottwinmaker-1) 
+  [[IoTTwinMaker.2] Amazon IoT TwinMaker workspaces should be tagged](iottwinmaker-controls.md#iottwinmaker-2) 
+  [[IoTTwinMaker.3] Amazon IoT TwinMaker scenes should be tagged](iottwinmaker-controls.md#iottwinmaker-3) 
+  [[IoTTwinMaker.4] Amazon IoT TwinMaker entities should be tagged](iottwinmaker-controls.md#iottwinmaker-4) 
+  [[IoTWireless.1] Amazon IoT Wireless multicast groups should be tagged](iotwireless-controls.md#iotwireless-1) 
+  [[IoTWireless.2] Amazon IoT Wireless service profiles should be tagged](iotwireless-controls.md#iotwireless-2) 
+  [[IoTWireless.3] Amazon IoT FUOTA tasks should be tagged](iotwireless-controls.md#iotwireless-3) 
+  [[IVS.1] IVS playback key pairs should be tagged](ivs-controls.md#ivs-1) 
+  [[IVS.2] IVS recording configurations should be tagged](ivs-controls.md#ivs-2) 
+  [[IVS.3] IVS channels should be tagged](ivs-controls.md#ivs-3) 
+  [[Keyspaces.1] Amazon Keyspaces keyspaces should be tagged](keyspaces-controls.md#keyspaces-1) 
+  [[Kinesis.1] Kinesis streams should be encrypted at rest](kinesis-controls.md#kinesis-1) 
+  [[Kinesis.3] Kinesis streams should have an adequate data retention period](kinesis-controls.md#kinesis-3) 
+  [[KMS.1] IAM customer managed policies should not allow decryption actions on all KMS keys](kms-controls.md#kms-1) 
+  [[KMS.2] IAM principals should not have IAM inline policies that allow decryption actions on all KMS keys](kms-controls.md#kms-2) 
+  [[KMS.5] KMS keys should not be publicly accessible](kms-controls.md#kms-5) 
+  [[Lambda.5] VPC Lambda functions should operate in multiple Availability Zones](lambda-controls.md#lambda-5) 
+  [[Lambda.7] Lambda functions should have Amazon X-Ray active tracing enabled](lambda-controls.md#lambda-7) 
+  [[Macie.1] Amazon Macie should be enabled](macie-controls.md#macie-1) 
+  [[Macie.2] Macie automated sensitive data discovery should be enabled](macie-controls.md#macie-2) 
+  [[MQ.2] ActiveMQ brokers should stream audit logs to CloudWatch](mq-controls.md#mq-2) 
+  [[MQ.4] Amazon MQ brokers should be tagged](mq-controls.md#mq-4) 
+  [[MQ.5] ActiveMQ brokers should use active/standby deployment mode](mq-controls.md#mq-5) 
+  [[MQ.6] RabbitMQ brokers should use cluster deployment mode](mq-controls.md#mq-6) 
+  [[MSK.1] MSK clusters should be encrypted in transit among broker nodes](msk-controls.md#msk-1) 
+  [[MSK.2] MSK clusters should have enhanced monitoring configured](msk-controls.md#msk-2) 
+  [[MSK.3] MSK Connect connectors should be encrypted in transit](msk-controls.md#msk-3) 
+  [[MSK.4] MSK clusters should have public access disabled](msk-controls.md#msk-4) 
+  [[MSK.5] MSK connectors should have logging enabled](msk-controls.md#msk-5) 
+  [[MSK.6] MSK clusters should disable unauthenticated access](msk-controls.md#msk-6) 
+  [[Neptune.1] Neptune DB clusters should be encrypted at rest](neptune-controls.md#neptune-1) 
+  [[Neptune.2] Neptune DB clusters should publish audit logs to CloudWatch Logs](neptune-controls.md#neptune-2) 
+  [[Neptune.3] Neptune DB cluster snapshots should not be public](neptune-controls.md#neptune-3) 
+  [[Neptune.4] Neptune DB clusters should have deletion protection enabled](neptune-controls.md#neptune-4) 
+  [[Neptune.5] Neptune DB clusters should have automated backups enabled](neptune-controls.md#neptune-5) 
+  [[Neptune.6] Neptune DB cluster snapshots should be encrypted at rest](neptune-controls.md#neptune-6) 
+  [[Neptune.7] Neptune DB clusters should have IAM database authentication enabled](neptune-controls.md#neptune-7) 
+  [[Neptune.8] Neptune DB clusters should be configured to copy tags to snapshots](neptune-controls.md#neptune-8) 
+  [[Neptune.9] Neptune DB clusters should be deployed across multiple Availability Zones](neptune-controls.md#neptune-9) 
+  [[NetworkFirewall.1] Network Firewall firewalls should be deployed across multiple Availability Zones](networkfirewall-controls.md#networkfirewall-1) 
+  [[NetworkFirewall.2] Network Firewall logging should be enabled](networkfirewall-controls.md#networkfirewall-2) 
+  [[NetworkFirewall.3] Network Firewall policies should have at least one rule group associated](networkfirewall-controls.md#networkfirewall-3) 
+  [[NetworkFirewall.4] The default stateless action for Network Firewall policies should be drop or forward for full packets](networkfirewall-controls.md#networkfirewall-4) 
+  [[NetworkFirewall.5] The default stateless action for Network Firewall policies should be drop or forward for fragmented packets](networkfirewall-controls.md#networkfirewall-5) 
+  [[NetworkFirewall.6] Stateless Network Firewall rule group should not be empty](networkfirewall-controls.md#networkfirewall-6) 
+  [[NetworkFirewall.9] Network Firewall firewalls should have deletion protection enabled](networkfirewall-controls.md#networkfirewall-9) 
+  [[NetworkFirewall.10] Network Firewall firewalls should have subnet change protection enabled](networkfirewall-controls.md#networkfirewall-10) 
+  [[Opensearch.1] OpenSearch domains should have encryption at rest enabled](opensearch-controls.md#opensearch-1) 
+  [[Opensearch.2] OpenSearch domains should not be publicly accessible](opensearch-controls.md#opensearch-2) 
+  [[Opensearch.3] OpenSearch domains should encrypt data sent between nodes](opensearch-controls.md#opensearch-3) 
+  [[Opensearch.4] OpenSearch domain error logging to CloudWatch Logs should be enabled](opensearch-controls.md#opensearch-4) 
+  [[Opensearch.5] OpenSearch domains should have audit logging enabled](opensearch-controls.md#opensearch-5) 
+  [[Opensearch.6] OpenSearch domains should have at least three data nodes](opensearch-controls.md#opensearch-6) 
+  [[Opensearch.7] OpenSearch domains should have fine-grained access control enabled](opensearch-controls.md#opensearch-7) 
+  [[Opensearch.8] Connections to OpenSearch domains should be encrypted using the latest TLS security policy](opensearch-controls.md#opensearch-8) 
+  [[Opensearch.9] OpenSearch domains should be tagged](opensearch-controls.md#opensearch-9) 
+  [[Opensearch.10] OpenSearch domains should have the latest software update installed](opensearch-controls.md#opensearch-10) 
+  [[Opensearch.11] OpenSearch domains should have at least three dedicated primary nodes](opensearch-controls.md#opensearch-11) 
+  [[PCA.1] Amazon Private CA root certificate authority should be disabled](pca-controls.md#pca-1) 
+  [[PCA.2] Amazon Private CA certificate authorities should be tagged](pca-controls.md#pca-2) 
+  [[RDS.14] Amazon Aurora clusters should have backtracking enabled](rds-controls.md#rds-14) 
+  [[RDS.18] RDS instances should be deployed in a VPC](rds-controls.md#rds-18) 
+  [[RDS.24] RDS Database clusters should use a custom administrator username](rds-controls.md#rds-24) 
+  [[RDS.25] RDS database instances should use a custom administrator username](rds-controls.md#rds-25) 
+  [[RDS.26] RDS DB instances should be protected by a backup plan](rds-controls.md#rds-26) 
+  [[RDS.27] RDS DB clusters should be encrypted at rest](rds-controls.md#rds-27) 
+  [[RDS.31] RDS DB security groups should be tagged](rds-controls.md#rds-31) 
+  [[RDS.34] Aurora MySQL DB clusters should publish audit logs to CloudWatch Logs](rds-controls.md#rds-34) 
+  [[RDS.35] RDS DB clusters should have automatic minor version upgrade enabled](rds-controls.md#rds-35) 
+  [[RDS.36] RDS for PostgreSQL DB instances should publish logs to CloudWatch Logs](rds-controls.md#rds-36) 
+  [[RDS.37] Aurora PostgreSQL DB clusters should publish logs to CloudWatch Logs](rds-controls.md#rds-37) 
+  [[RDS.38] RDS for PostgreSQL DB instances should be encrypted in transit](rds-controls.md#rds-38) 
+  [[RDS.39] RDS for MySQL DB instances should be encrypted in transit](rds-controls.md#rds-39) 
+  [[RDS.40] RDS for SQL Server DB instances should publish logs to CloudWatch Logs](rds-controls.md#rds-40) 
+  [[RDS.41] RDS for SQL Server DB instances should be encrypted in transit](rds-controls.md#rds-41) 
+  [[RDS.42] RDS for MariaDB DB instances should publish logs to CloudWatch Logs](rds-controls.md#rds-42) 
+  [[RDS.43] RDS DB proxies should require TLS encryption for connections](rds-controls.md#rds-43) 
+  [[RDS.44] RDS for MariaDB DB instances should be encrypted in transit](rds-controls.md#rds-44) 
+  [[RDS.45] Aurora MySQL DB clusters should have audit logging enabled](rds-controls.md#rds-45) 
+  [[RDS.46] RDS DB instances should not be deployed in public subnets with routes to internet gateways](rds-controls.md#rds-46) 
+  [[RDS.47] RDS for PostgreSQL DB clusters should be configured to copy tags to DB snapshots](rds-controls.md#rds-47) 
+  [[RDS.48] RDS for MySQL DB clusters should be configured to copy tags to DB snapshots](rds-controls.md#rds-48) 
+  [[RDS.50] RDS DB clusters should have enough backup retention period set](rds-controls.md#rds-50) 
+  [[Redshift.1] Amazon Redshift clusters should prohibit public access](redshift-controls.md#redshift-1) 
+  [[Redshift.3] Amazon Redshift clusters should have automatic snapshots enabled](redshift-controls.md#redshift-3) 
+  [[Redshift.4] Amazon Redshift clusters should have audit logging enabled](redshift-controls.md#redshift-4) 
+  [[Redshift.6] Amazon Redshift should have automatic upgrades to major versions enabled](redshift-controls.md#redshift-6) 
+  [[Redshift.7] Redshift clusters should use enhanced VPC routing](redshift-controls.md#redshift-7) 
+  [[Redshift.8] Amazon Redshift clusters should not use the default Admin username](redshift-controls.md#redshift-8) 
+  [[Redshift.10] Redshift clusters should be encrypted at rest](redshift-controls.md#redshift-10) 
+  [[Redshift.11] Redshift clusters should be tagged](redshift-controls.md#redshift-11) 
+  [[Redshift.13] Redshift cluster snapshots should be tagged](redshift-controls.md#redshift-13) 
+  [[Redshift.15] Redshift security groups should allow ingress on the cluster port only from restricted origins](redshift-controls.md#redshift-15) 
+  [[Redshift.16] Redshift cluster subnet groups should have subnets from multiple Availability Zones](redshift-controls.md#redshift-16) 
+  [[Redshift.17] Redshift cluster parameter groups should be tagged](redshift-controls.md#redshift-17) 
+  [[Redshift.18] Redshift clusters should have Multi-AZ deployments enabled](redshift-controls.md#redshift-18) 
+  [[RedshiftServerless.1] Amazon Redshift Serverless workgroups should use enhanced VPC routing](redshiftserverless-controls.md#redshiftserverless-1) 
+  [[RedshiftServerless.2] Connections to Redshift Serverless workgroups should be required to use SSL](redshiftserverless-controls.md#redshiftserverless-2) 
+  [[RedshiftServerless.3] Redshift Serverless workgroups should prohibit public access](redshiftserverless-controls.md#redshiftserverless-3) 
+  [[RedshiftServerless.4] Redshift Serverless namespaces should be encrypted with customer managed Amazon KMS keys](redshiftserverless-controls.md#redshiftserverless-4) 
+  [[RedshiftServerless.5] Redshift Serverless namespaces should not use the default admin username](redshiftserverless-controls.md#redshiftserverless-5) 
+  [[RedshiftServerless.6] Redshift Serverless namespaces should export logs to CloudWatch Logs](redshiftserverless-controls.md#redshiftserverless-6) 
+  [[Route53.1] Route 53 health checks should be tagged](route53-controls.md#route53-1) 
+  [[Route53.2] Route 53 public hosted zones should log DNS queries](route53-controls.md#route53-2) 
+  [[S3.7] S3 general purpose buckets should use cross-Region replication](s3-controls.md#s3-7) 
+  [[S3.10] S3 general purpose buckets with versioning enabled should have Lifecycle configurations](s3-controls.md#s3-10) 
+  [[S3.11] S3 general purpose buckets should have event notifications enabled](s3-controls.md#s3-11) 
+  [[S3.12] ACLs should not be used to manage user access to S3 general purpose buckets](s3-controls.md#s3-12) 
+  [[S3.13] S3 general purpose buckets should have Lifecycle configurations](s3-controls.md#s3-13) 
+  [[S3.19] S3 access points should have block public access settings enabled](s3-controls.md#s3-19) 
+  [[S3.20] S3 general purpose buckets should have MFA delete enabled](s3-controls.md#s3-20) 
+  [[S3.22] S3 general purpose buckets should log object-level write events](s3-controls.md#s3-22) 
+  [[S3.23] S3 general purpose buckets should log object-level read events](s3-controls.md#s3-23) 
+  [[S3.24] S3 Multi-Region Access Points should have block public access settings enabled](s3-controls.md#s3-24) 
+  [[S3.25] S3 directory buckets should have lifecycle configurations](s3-controls.md#s3-25) 
+  [[SageMaker.1] Amazon SageMaker notebook instances should not have direct internet access](sagemaker-controls.md#sagemaker-1) 
+  [[SageMaker.2] SageMaker notebook instances should be launched in a custom VPC](sagemaker-controls.md#sagemaker-2) 
+  [[SageMaker.3] Users should not have root access to SageMaker notebook instances](sagemaker-controls.md#sagemaker-3) 
+  [[SageMaker.4] SageMaker endpoint production variants should have an initial instance count greater than 1](sagemaker-controls.md#sagemaker-4) 
+  [[SageMaker.5] SageMaker models should have network isolation enabled](sagemaker-controls.md#sagemaker-5) 
+  [[SageMaker.6] SageMaker app image configurations should be tagged](sagemaker-controls.md#sagemaker-6) 
+  [[SageMaker.7] SageMaker images should be tagged](sagemaker-controls.md#sagemaker-7) 
+  [[SageMaker.8] SageMaker notebook instances should run on supported platforms](sagemaker-controls.md#sagemaker-8) 
+  [[SageMaker.9] SageMaker data quality job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-9) 
+  [[SageMaker.10] SageMaker model explainability job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-10) 
+  [[SageMaker.11] SageMaker data quality job definitions should have network isolation enabled](sagemaker-controls.md#sagemaker-11) 
+  [[SageMaker.12] SageMaker model bias job definitions should have network isolation enabled](sagemaker-controls.md#sagemaker-12) 
+  [[SageMaker.13] SageMaker model quality job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-13) 
+  [[SageMaker.14] SageMaker monitoring schedules should have network isolation enabled](sagemaker-controls.md#sagemaker-14) 
+  [[SageMaker.15] SageMaker model bias job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-15) 
+  [[SES.1] SES contact lists should be tagged](ses-controls.md#ses-1) 
+  [[SES.2] SES configuration sets should be tagged](ses-controls.md#ses-2) 
+  [[SES.3] SES configuration sets should have TLS enabled for sending emails](ses-controls.md#ses-3) 
+  [[ServiceCatalog.1] Service Catalog portfolios should be shared within an Amazon organization only](servicecatalog-controls.md#servicecatalog-1) 
+  [[SNS.4] SNS topic access policies should not allow public access](sns-controls.md#sns-4) 
+  [[SQS.1] Amazon SQS queues should be encrypted at rest](sqs-controls.md#sqs-1) 
+  [[SQS.2] SQS queues should be tagged](sqs-controls.md#sqs-2) 
+  [[SQS.3] SQS queue access policies should not allow public access](sqs-controls.md#sqs-3) 
+  [[SSM.1] Amazon EC2 instances should be managed by Amazon Systems Manager](ssm-controls.md#ssm-1) 
+  [[SSM.2] Amazon EC2 instances managed by Systems Manager should have a patch compliance status of COMPLIANT after a patch installation](ssm-controls.md#ssm-2) 
+  [[SSM.3] Amazon EC2 instances managed by Systems Manager should have an association compliance status of COMPLIANT](ssm-controls.md#ssm-3) 
+  [[SSM.4] SSM documents should not be public](ssm-controls.md#ssm-4) 
+  [[SSM.5] SSM documents should be tagged](ssm-controls.md#ssm-5) 
+  [[SSM.6] SSM Automation should have CloudWatch logging enabled](ssm-controls.md#ssm-6) 
+  [[SSM.7] SSM documents should have the block public sharing setting enabled](ssm-controls.md#ssm-7) 
+  [[StepFunctions.1] Step Functions state machines should have logging turned on](stepfunctions-controls.md#stepfunctions-1) 
+  [[Transfer.1] Amazon Transfer Family workflows should be tagged](transfer-controls.md#transfer-1) 
+  [[Transfer.2] Transfer Family servers should not use FTP protocol for endpoint connection](transfer-controls.md#transfer-2) 
+  [[Transfer.3] Transfer Family connectors should have logging enabled](transfer-controls.md#transfer-3) 
+  [[Transfer.4] Transfer Family agreements should be tagged](transfer-controls.md#transfer-4) 
+  [[Transfer.5] Transfer Family certificates should be tagged](transfer-controls.md#transfer-5) 
+  [[Transfer.6] Transfer Family connectors should be tagged](transfer-controls.md#transfer-6) 
+  [[Transfer.7] Transfer Family profiles should be tagged](transfer-controls.md#transfer-7) 
+  [[WAF.1] Amazon WAF Classic Global Web ACL logging should be enabled](waf-controls.md#waf-1) 
+  [[WAF.2] Amazon WAF Classic Regional rules should have at least one condition](waf-controls.md#waf-2) 
+  [[WAF.3] Amazon WAF Classic Regional rule groups should have at least one rule](waf-controls.md#waf-3) 
+  [[WAF.4] Amazon WAF Classic Regional web ACLs should have at least one rule or rule group](waf-controls.md#waf-4) 
+  [[WAF.6] Amazon WAF Classic global rules should have at least one condition](waf-controls.md#waf-6) 
+  [[WAF.7] Amazon WAF Classic global rule groups should have at least one rule](waf-controls.md#waf-7) 
+  [[WAF.8] Amazon WAF Classic global web ACLs should have at least one rule or rule group](waf-controls.md#waf-8) 
+  [[WAF.10] Amazon WAF web ACLs should have at least one rule or rule group](waf-controls.md#waf-10) 
+  [[WAF.11] Amazon WAF web ACL logging should be enabled](waf-controls.md#waf-11) 
+  [[WAF.12] Amazon WAF rules should have CloudWatch metrics enabled](waf-controls.md#waf-12) 
+  [[WorkSpaces.1] WorkSpaces user volumes should be encrypted at rest](workspaces-controls.md#workspaces-1) 
+  [[WorkSpaces.2] WorkSpaces root volumes should be encrypted at rest](workspaces-controls.md#workspaces-2) 

## Asia Pacific (Osaka)

The following controls are not supported in the Asia Pacific (Osaka) Region.
+  [[AppFlow.1] Amazon AppFlow flows should be tagged](appflow-controls.md#appflow-1) 
+  [[AppRunner.1] App Runner services should be tagged](apprunner-controls.md#apprunner-1) 
+  [[AppRunner.2] App Runner VPC connectors should be tagged](apprunner-controls.md#apprunner-2) 
+  [[AppSync.1] Amazon AppSync API caches should be encrypted at rest](appsync-controls.md#appsync-1) 
+  [[AppSync.6] Amazon AppSync API caches should be encrypted in transit](appsync-controls.md#appsync-6) 
+  [[Backup.1] Amazon Backup recovery points should be encrypted at rest](backup-controls.md#backup-1) 
+  [[CloudFront.1] CloudFront distributions should have a default root object configured](cloudfront-controls.md#cloudfront-1) 
+  [[CloudFront.3] CloudFront distributions should require encryption in transit](cloudfront-controls.md#cloudfront-3) 
+  [[CloudFront.4] CloudFront distributions should have origin failover configured](cloudfront-controls.md#cloudfront-4) 
+  [[CloudFront.5] CloudFront distributions should have logging enabled](cloudfront-controls.md#cloudfront-5) 
+  [[CloudFront.6] CloudFront distributions should have WAF enabled](cloudfront-controls.md#cloudfront-6) 
+  [[CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates](cloudfront-controls.md#cloudfront-7) 
+  [[CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests](cloudfront-controls.md#cloudfront-8) 
+  [[CloudFront.9] CloudFront distributions should encrypt traffic to custom origins](cloudfront-controls.md#cloudfront-9) 
+  [[CloudFront.10] CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins](cloudfront-controls.md#cloudfront-10) 
+  [[CloudFront.12] CloudFront distributions should not point to non-existent S3 origins](cloudfront-controls.md#cloudfront-12) 
+  [[CloudFront.13] CloudFront distributions should use origin access control](cloudfront-controls.md#cloudfront-13) 
+  [[CloudFront.14] CloudFront distributions should be tagged](cloudfront-controls.md#cloudfront-14) 
+  [[CloudFront.15] CloudFront distributions should use the recommended TLS security policy](cloudfront-controls.md#cloudfront-15) 
+  [[CloudFront.16] CloudFront distributions should use origin access control for Lambda function URL origins](cloudfront-controls.md#cloudfront-16) 
+  [[CloudFront.17] CloudFront distributions should use trusted key groups for signed URLs and cookies](cloudfront-controls.md#cloudfront-17) 
+  [[CodeArtifact.1] CodeArtifact repositories should be tagged](codeartifact-controls.md#codeartifact-1) 
+  [[CodeGuruProfiler.1] CodeGuru Profiler profiling groups should be tagged](codeguruprofiler-controls.md#codeguruprofiler-1) 
+  [[CodeGuruReviewer.1] CodeGuru Reviewer repository associations should be tagged](codegurureviewer-controls.md#codegurureviewer-1) 
+  [[Connect.1] Amazon Connect Customer Profiles object types should be tagged](connect-controls.md#connect-1) 
+  [[Connect.2] Amazon Connect instances should have CloudWatch logging enabled](connect-controls.md#connect-2) 
+  [[Detective.1] Detective behavior graphs should be tagged](detective-controls.md#detective-1) 
+  [[DMS.7] DMS replication tasks for the target database should have logging enabled](dms-controls.md#dms-7) 
+  [[DMS.8] DMS replication tasks for the source database should have logging enabled](dms-controls.md#dms-8) 
+  [[DMS.10] DMS endpoints for Neptune databases should have IAM authorization enabled](dms-controls.md#dms-10) 
+  [[DocumentDB.1] Amazon DocumentDB clusters should be encrypted at rest](documentdb-controls.md#documentdb-1) 
+  [[DocumentDB.2] Amazon DocumentDB clusters should have an adequate backup retention period](documentdb-controls.md#documentdb-2) 
+  [[DocumentDB.3] Amazon DocumentDB manual cluster snapshots should not be public](documentdb-controls.md#documentdb-3) 
+  [[DocumentDB.4] Amazon DocumentDB clusters should publish audit logs to CloudWatch Logs](documentdb-controls.md#documentdb-4) 
+  [[DocumentDB.5] Amazon DocumentDB clusters should have deletion protection enabled](documentdb-controls.md#documentdb-5) 
+  [[DocumentDB.6] Amazon DocumentDB clusters should be encrypted in transit](documentdb-controls.md#documentdb-6) 
+  [[DynamoDB.3] DynamoDB Accelerator (DAX) clusters should be encrypted at rest](dynamodb-controls.md#dynamodb-3) 
+  [[DynamoDB.7] DynamoDB Accelerator clusters should be encrypted in transit](dynamodb-controls.md#dynamodb-7) 
+  [[EC2.4] Stopped EC2 instances should be removed after a specified time period](ec2-controls.md#ec2-4) 
+  [[EC2.14] Security groups should not allow ingress from 0.0.0.0/0 or ::/0 to port 3389](ec2-controls.md#ec2-14) 
+  [[EC2.22] Unused Amazon EC2 security groups should be removed](ec2-controls.md#ec2-22) 
+  [[EC2.23] Amazon EC2 Transit Gateways should not automatically accept VPC attachment requests](ec2-controls.md#ec2-23) 
+  [[EC2.24] Amazon EC2 paravirtual instance types should not be used](ec2-controls.md#ec2-24) 
+  [[EC2.55] VPCs should be configured with an interface endpoint for ECR API](ec2-controls.md#ec2-55) 
+  [[EC2.56] VPCs should be configured with an interface endpoint for Docker Registry](ec2-controls.md#ec2-56) 
+  [[EC2.57] VPCs should be configured with an interface endpoint for Systems Manager](ec2-controls.md#ec2-57) 
+  [[EC2.58] VPCs should be configured with an interface endpoint for Systems Manager Incident Manager Contacts](ec2-controls.md#ec2-58) 
+  [[EC2.60] VPCs should be configured with an interface endpoint for Systems Manager Incident Manager](ec2-controls.md#ec2-60) 
+  [[EC2.173] EC2 Spot Fleet requests with launch parameters should enable encryption for attached EBS volumes](ec2-controls.md#ec2-173) 
+  [[ECR.4] ECR public repositories should be tagged](ecr-controls.md#ecr-4) 
+  [[ELB.2] Classic Load Balancers with SSL/HTTPS listeners should use a certificate provided by Amazon Certificate Manager](elb-controls.md#elb-2) 
+  [[ElastiCache.1] ElastiCache (Redis OSS) clusters should have automatic backups enabled](elasticache-controls.md#elasticache-1) 
+  [[ElastiCache.7] ElastiCache clusters should not use the default subnet group](elasticache-controls.md#elasticache-7) 
+  [[ElasticBeanstalk.1] Elastic Beanstalk environments should have enhanced health reporting enabled](elasticbeanstalk-controls.md#elasticbeanstalk-1) 
+  [[FraudDetector.1] Amazon Fraud Detector entity types should be tagged](frauddetector-controls.md#frauddetector-1) 
+  [[FraudDetector.2] Amazon Fraud Detector labels should be tagged](frauddetector-controls.md#frauddetector-2) 
+  [[FraudDetector.3] Amazon Fraud Detector outcomes should be tagged](frauddetector-controls.md#frauddetector-3) 
+  [[FraudDetector.4] Amazon Fraud Detector variables should be tagged](frauddetector-controls.md#frauddetector-4) 
+  [[GlobalAccelerator.1] Global Accelerator accelerators should be tagged](globalaccelerator-controls.md#globalaccelerator-1) 
+  [[IAM.26] Expired SSL/TLS certificates managed in IAM should be removed](iam-controls.md#iam-26) 
+  [[Inspector.3] Amazon Inspector Lambda code scanning should be enabled](inspector-controls.md#inspector-3) 
+  [[IoT.1] Amazon IoT Device Defender security profiles should be tagged](iot-controls.md#iot-1) 
+  [[IoT.2] Amazon IoT Core mitigation actions should be tagged](iot-controls.md#iot-2) 
+  [[IoT.3] Amazon IoT Core dimensions should be tagged](iot-controls.md#iot-3) 
+  [[IoT.4] Amazon IoT Core authorizers should be tagged](iot-controls.md#iot-4) 
+  [[IoT.5] Amazon IoT Core role aliases should be tagged](iot-controls.md#iot-5) 
+  [[IoT.6] Amazon IoT Core policies should be tagged](iot-controls.md#iot-6) 
+  [[IoTEvents.1] Amazon IoT Events inputs should be tagged](iotevents-controls.md#iotevents-1) 
+  [[IoTEvents.2] Amazon IoT Events detector models should be tagged](iotevents-controls.md#iotevents-2) 
+  [[IoTEvents.3] Amazon IoT Events alarm models should be tagged](iotevents-controls.md#iotevents-3) 
+  [[IoTSiteWise.1] Amazon IoT SiteWise asset models should be tagged](iotsitewise-controls.md#iotsitewise-1) 
+  [[IoTSiteWise.2] Amazon IoT SiteWise dashboards should be tagged](iotsitewise-controls.md#iotsitewise-2) 
+  [[IoTSiteWise.3] Amazon IoT SiteWise gateways should be tagged](iotsitewise-controls.md#iotsitewise-3) 
+  [[IoTSiteWise.4] Amazon IoT SiteWise portals should be tagged](iotsitewise-controls.md#iotsitewise-4) 
+  [[IoTSiteWise.5] Amazon IoT SiteWise projects should be tagged](iotsitewise-controls.md#iotsitewise-5) 
+  [[IoTTwinMaker.1] Amazon IoT TwinMaker sync jobs should be tagged](iottwinmaker-controls.md#iottwinmaker-1) 
+  [[IoTTwinMaker.2] Amazon IoT TwinMaker workspaces should be tagged](iottwinmaker-controls.md#iottwinmaker-2) 
+  [[IoTTwinMaker.3] Amazon IoT TwinMaker scenes should be tagged](iottwinmaker-controls.md#iottwinmaker-3) 
+  [[IoTTwinMaker.4] Amazon IoT TwinMaker entities should be tagged](iottwinmaker-controls.md#iottwinmaker-4) 
+  [[IoTWireless.1] Amazon IoT Wireless multicast groups should be tagged](iotwireless-controls.md#iotwireless-1) 
+  [[IoTWireless.2] Amazon IoT Wireless service profiles should be tagged](iotwireless-controls.md#iotwireless-2) 
+  [[IoTWireless.3] Amazon IoT FUOTA tasks should be tagged](iotwireless-controls.md#iotwireless-3) 
+  [[IVS.1] IVS playback key pairs should be tagged](ivs-controls.md#ivs-1) 
+  [[IVS.2] IVS recording configurations should be tagged](ivs-controls.md#ivs-2) 
+  [[IVS.3] IVS channels should be tagged](ivs-controls.md#ivs-3) 
+  [[Keyspaces.1] Amazon Keyspaces keyspaces should be tagged](keyspaces-controls.md#keyspaces-1) 
+  [[MSK.3] MSK Connect connectors should be encrypted in transit](msk-controls.md#msk-3) 
+  [[MSK.5] MSK connectors should have logging enabled](msk-controls.md#msk-5) 
+  [[RDS.31] RDS DB security groups should be tagged](rds-controls.md#rds-31) 
+  [[RedshiftServerless.1] Amazon Redshift Serverless workgroups should use enhanced VPC routing](redshiftserverless-controls.md#redshiftserverless-1) 
+  [[RedshiftServerless.2] Connections to Redshift Serverless workgroups should be required to use SSL](redshiftserverless-controls.md#redshiftserverless-2) 
+  [[RedshiftServerless.3] Redshift Serverless workgroups should prohibit public access](redshiftserverless-controls.md#redshiftserverless-3) 
+  [[RedshiftServerless.4] Redshift Serverless namespaces should be encrypted with customer managed Amazon KMS keys](redshiftserverless-controls.md#redshiftserverless-4) 
+  [[RedshiftServerless.5] Redshift Serverless namespaces should not use the default admin username](redshiftserverless-controls.md#redshiftserverless-5) 
+  [[RedshiftServerless.6] Redshift Serverless namespaces should export logs to CloudWatch Logs](redshiftserverless-controls.md#redshiftserverless-6) 
+  [[Route53.1] Route 53 health checks should be tagged](route53-controls.md#route53-1) 
+  [[Route53.2] Route 53 public hosted zones should log DNS queries](route53-controls.md#route53-2) 
+  [[S3.24] S3 Multi-Region Access Points should have block public access settings enabled](s3-controls.md#s3-24) 
+  [[S3.25] S3 directory buckets should have lifecycle configurations](s3-controls.md#s3-25) 
+  [[SSM.2] Amazon EC2 instances managed by Systems Manager should have a patch compliance status of COMPLIANT after a patch installation](ssm-controls.md#ssm-2) 
+  [[SSM.3] Amazon EC2 instances managed by Systems Manager should have an association compliance status of COMPLIANT](ssm-controls.md#ssm-3) 
+  [[WAF.1] Amazon WAF Classic Global Web ACL logging should be enabled](waf-controls.md#waf-1) 
+  [[WAF.3] Amazon WAF Classic Regional rule groups should have at least one rule](waf-controls.md#waf-3) 
+  [[WAF.6] Amazon WAF Classic global rules should have at least one condition](waf-controls.md#waf-6) 
+  [[WAF.7] Amazon WAF Classic global rule groups should have at least one rule](waf-controls.md#waf-7) 
+  [[WAF.8] Amazon WAF Classic global web ACLs should have at least one rule or rule group](waf-controls.md#waf-8) 
+  [[WAF.10] Amazon WAF web ACLs should have at least one rule or rule group](waf-controls.md#waf-10) 
+  [[WorkSpaces.1] WorkSpaces user volumes should be encrypted at rest](workspaces-controls.md#workspaces-1) 
+  [[WorkSpaces.2] WorkSpaces root volumes should be encrypted at rest](workspaces-controls.md#workspaces-2) 

## Asia Pacific (Seoul)


The following controls are not supported in the Asia Pacific (Seoul) Region.
+  [[AppRunner.1] App Runner services should be tagged](apprunner-controls.md#apprunner-1) 
+  [[AppRunner.2] App Runner VPC connectors should be tagged](apprunner-controls.md#apprunner-2) 
+  [[AppSync.1] Amazon AppSync API caches should be encrypted at rest](appsync-controls.md#appsync-1) 
+  [[AppSync.6] Amazon AppSync API caches should be encrypted in transit](appsync-controls.md#appsync-6) 
+  [[CloudFront.1] CloudFront distributions should have a default root object configured](cloudfront-controls.md#cloudfront-1) 
+  [[CloudFront.3] CloudFront distributions should require encryption in transit](cloudfront-controls.md#cloudfront-3) 
+  [[CloudFront.4] CloudFront distributions should have origin failover configured](cloudfront-controls.md#cloudfront-4) 
+  [[CloudFront.5] CloudFront distributions should have logging enabled](cloudfront-controls.md#cloudfront-5) 
+  [[CloudFront.6] CloudFront distributions should have WAF enabled](cloudfront-controls.md#cloudfront-6) 
+  [[CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates](cloudfront-controls.md#cloudfront-7) 
+  [[CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests](cloudfront-controls.md#cloudfront-8) 
+  [[CloudFront.9] CloudFront distributions should encrypt traffic to custom origins](cloudfront-controls.md#cloudfront-9) 
+  [[CloudFront.10] CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins](cloudfront-controls.md#cloudfront-10) 
+  [[CloudFront.12] CloudFront distributions should not point to non-existent S3 origins](cloudfront-controls.md#cloudfront-12) 
+  [[CloudFront.13] CloudFront distributions should use origin access control](cloudfront-controls.md#cloudfront-13) 
+  [[CloudFront.14] CloudFront distributions should be tagged](cloudfront-controls.md#cloudfront-14) 
+  [[CloudFront.15] CloudFront distributions should use the recommended TLS security policy](cloudfront-controls.md#cloudfront-15) 
+  [[CloudFront.16] CloudFront distributions should use origin access control for Lambda function URL origins](cloudfront-controls.md#cloudfront-16) 
+  [[CloudFront.17] CloudFront distributions should use trusted key groups for signed URLs and cookies](cloudfront-controls.md#cloudfront-17) 
+  [[CodeArtifact.1] CodeArtifact repositories should be tagged](codeartifact-controls.md#codeartifact-1) 
+  [[CodeGuruProfiler.1] CodeGuru Profiler profiling groups should be tagged](codeguruprofiler-controls.md#codeguruprofiler-1) 
+  [[CodeGuruReviewer.1] CodeGuru Reviewer repository associations should be tagged](codegurureviewer-controls.md#codegurureviewer-1) 
+  [[Cognito.2] Cognito identity pools should not allow unauthenticated identities](cognito-controls.md#cognito-2) 
+  [[DynamoDB.3] DynamoDB Accelerator (DAX) clusters should be encrypted at rest](dynamodb-controls.md#dynamodb-3) 
+  [[DynamoDB.7] DynamoDB Accelerator clusters should be encrypted in transit](dynamodb-controls.md#dynamodb-7) 
+  [[EC2.24] Amazon EC2 paravirtual instance types should not be used](ec2-controls.md#ec2-24) 
+  [[EC2.173] EC2 Spot Fleet requests with launch parameters should enable encryption for attached EBS volumes](ec2-controls.md#ec2-173) 
+  [[EC2.180] EC2 network interfaces should have source/destination checking enabled](ec2-controls.md#ec2-180) 
+  [[ECR.4] ECR public repositories should be tagged](ecr-controls.md#ecr-4) 
+  [[ELB.18] Application and Network Load Balancer listeners should use secure protocols to encrypt data in transit](elb-controls.md#elb-18) 
+  [[FraudDetector.1] Amazon Fraud Detector entity types should be tagged](frauddetector-controls.md#frauddetector-1) 
+  [[FraudDetector.2] Amazon Fraud Detector labels should be tagged](frauddetector-controls.md#frauddetector-2) 
+  [[FraudDetector.3] Amazon Fraud Detector outcomes should be tagged](frauddetector-controls.md#frauddetector-3) 
+  [[FraudDetector.4] Amazon Fraud Detector variables should be tagged](frauddetector-controls.md#frauddetector-4) 
+  [[GlobalAccelerator.1] Global Accelerator accelerators should be tagged](globalaccelerator-controls.md#globalaccelerator-1) 
+  [[Glue.4] Amazon Glue Spark jobs should run on supported versions of Amazon Glue](glue-controls.md#glue-4) 
+  [[IAM.26] Expired SSL/TLS certificates managed in IAM should be removed](iam-controls.md#iam-26) 
+  [[Inspector.3] Amazon Inspector Lambda code scanning should be enabled](inspector-controls.md#inspector-3) 
+  [[IoTTwinMaker.4] Amazon IoT TwinMaker entities should be tagged](iottwinmaker-controls.md#iottwinmaker-4) 
+  [[IoTWireless.1] Amazon IoT Wireless multicast groups should be tagged](iotwireless-controls.md#iotwireless-1) 
+  [[IoTWireless.2] Amazon IoT Wireless service profiles should be tagged](iotwireless-controls.md#iotwireless-2) 
+  [[IoTWireless.3] Amazon IoT FUOTA tasks should be tagged](iotwireless-controls.md#iotwireless-3) 
+  [[Lambda.7] Lambda functions should have Amazon X-Ray active tracing enabled](lambda-controls.md#lambda-7) 
+  [[RDS.31] RDS DB security groups should be tagged](rds-controls.md#rds-31) 
+  [[Redshift.18] Redshift clusters should have Multi-AZ deployments enabled](redshift-controls.md#redshift-18) 
+  [[Route53.1] Route 53 health checks should be tagged](route53-controls.md#route53-1) 
+  [[Route53.2] Route 53 public hosted zones should log DNS queries](route53-controls.md#route53-2) 
+  [[S3.24] S3 Multi-Region Access Points should have block public access settings enabled](s3-controls.md#s3-24) 
+  [[S3.25] S3 directory buckets should have lifecycle configurations](s3-controls.md#s3-25) 
+  [[SSM.6] SSM Automation should have CloudWatch logging enabled](ssm-controls.md#ssm-6) 
+  [[SSM.7] SSM documents should have the block public sharing setting enabled](ssm-controls.md#ssm-7) 
+  [[WAF.1] Amazon WAF Classic Global Web ACL logging should be enabled](waf-controls.md#waf-1) 
+  [[WAF.6] Amazon WAF Classic global rules should have at least one condition](waf-controls.md#waf-6) 
+  [[WAF.7] Amazon WAF Classic global rule groups should have at least one rule](waf-controls.md#waf-7) 
+  [[WAF.8] Amazon WAF Classic global web ACLs should have at least one rule or rule group](waf-controls.md#waf-8) 

## Asia Pacific (Singapore)


The following controls are not supported in the Asia Pacific (Singapore) Region.
+  [[AppSync.1] Amazon AppSync API caches should be encrypted at rest](appsync-controls.md#appsync-1) 
+  [[AppSync.6] Amazon AppSync API caches should be encrypted in transit](appsync-controls.md#appsync-6) 
+  [[CloudFront.1] CloudFront distributions should have a default root object configured](cloudfront-controls.md#cloudfront-1) 
+  [[CloudFront.3] CloudFront distributions should require encryption in transit](cloudfront-controls.md#cloudfront-3) 
+  [[CloudFront.4] CloudFront distributions should have origin failover configured](cloudfront-controls.md#cloudfront-4) 
+  [[CloudFront.5] CloudFront distributions should have logging enabled](cloudfront-controls.md#cloudfront-5) 
+  [[CloudFront.6] CloudFront distributions should have WAF enabled](cloudfront-controls.md#cloudfront-6) 
+  [[CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates](cloudfront-controls.md#cloudfront-7) 
+  [[CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests](cloudfront-controls.md#cloudfront-8) 
+  [[CloudFront.9] CloudFront distributions should encrypt traffic to custom origins](cloudfront-controls.md#cloudfront-9) 
+  [[CloudFront.10] CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins](cloudfront-controls.md#cloudfront-10) 
+  [[CloudFront.12] CloudFront distributions should not point to non-existent S3 origins](cloudfront-controls.md#cloudfront-12) 
+  [[CloudFront.13] CloudFront distributions should use origin access control](cloudfront-controls.md#cloudfront-13) 
+  [[CloudFront.14] CloudFront distributions should be tagged](cloudfront-controls.md#cloudfront-14) 
+  [[CloudFront.15] CloudFront distributions should use the recommended TLS security policy](cloudfront-controls.md#cloudfront-15) 
+  [[CloudFront.16] CloudFront distributions should use origin access control for Lambda function URL origins](cloudfront-controls.md#cloudfront-16) 
+  [[CloudFront.17] CloudFront distributions should use trusted key groups for signed URLs and cookies](cloudfront-controls.md#cloudfront-17) 
+  [[EC2.173] EC2 Spot Fleet requests with launch parameters should enable encryption for attached EBS volumes](ec2-controls.md#ec2-173) 
+  [[ECR.4] ECR public repositories should be tagged](ecr-controls.md#ecr-4) 
+  [[GlobalAccelerator.1] Global Accelerator accelerators should be tagged](globalaccelerator-controls.md#globalaccelerator-1) 
+  [[IAM.26] Expired SSL/TLS certificates managed in IAM should be removed](iam-controls.md#iam-26) 
+  [[IoTWireless.1] Amazon IoT Wireless multicast groups should be tagged](iotwireless-controls.md#iotwireless-1) 
+  [[IoTWireless.2] Amazon IoT Wireless service profiles should be tagged](iotwireless-controls.md#iotwireless-2) 
+  [[IoTWireless.3] Amazon IoT FUOTA tasks should be tagged](iotwireless-controls.md#iotwireless-3) 
+  [[IVS.1] IVS playback key pairs should be tagged](ivs-controls.md#ivs-1) 
+  [[IVS.2] IVS recording configurations should be tagged](ivs-controls.md#ivs-2) 
+  [[IVS.3] IVS channels should be tagged](ivs-controls.md#ivs-3) 
+  [[Route53.1] Route 53 health checks should be tagged](route53-controls.md#route53-1) 
+  [[Route53.2] Route 53 public hosted zones should log DNS queries](route53-controls.md#route53-2) 
+  [[S3.24] S3 Multi-Region Access Points should have block public access settings enabled](s3-controls.md#s3-24) 
+  [[S3.25] S3 directory buckets should have lifecycle configurations](s3-controls.md#s3-25) 
+  [[WAF.1] Amazon WAF Classic Global Web ACL logging should be enabled](waf-controls.md#waf-1) 
+  [[WAF.6] Amazon WAF Classic global rules should have at least one condition](waf-controls.md#waf-6) 
+  [[WAF.7] Amazon WAF Classic global rule groups should have at least one rule](waf-controls.md#waf-7) 
+  [[WAF.8] Amazon WAF Classic global web ACLs should have at least one rule or rule group](waf-controls.md#waf-8) 

## Asia Pacific (Sydney)


The following controls are not supported in the Asia Pacific (Sydney) Region.
+  [[AppSync.1] Amazon AppSync API caches should be encrypted at rest](appsync-controls.md#appsync-1) 
+  [[AppSync.6] Amazon AppSync API caches should be encrypted in transit](appsync-controls.md#appsync-6) 
+  [[CloudFront.1] CloudFront distributions should have a default root object configured](cloudfront-controls.md#cloudfront-1) 
+  [[CloudFront.3] CloudFront distributions should require encryption in transit](cloudfront-controls.md#cloudfront-3) 
+  [[CloudFront.4] CloudFront distributions should have origin failover configured](cloudfront-controls.md#cloudfront-4) 
+  [[CloudFront.5] CloudFront distributions should have logging enabled](cloudfront-controls.md#cloudfront-5) 
+  [[CloudFront.6] CloudFront distributions should have WAF enabled](cloudfront-controls.md#cloudfront-6) 
+  [[CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates](cloudfront-controls.md#cloudfront-7) 
+  [[CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests](cloudfront-controls.md#cloudfront-8) 
+  [[CloudFront.9] CloudFront distributions should encrypt traffic to custom origins](cloudfront-controls.md#cloudfront-9) 
+  [[CloudFront.10] CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins](cloudfront-controls.md#cloudfront-10) 
+  [[CloudFront.12] CloudFront distributions should not point to non-existent S3 origins](cloudfront-controls.md#cloudfront-12) 
+  [[CloudFront.13] CloudFront distributions should use origin access control](cloudfront-controls.md#cloudfront-13) 
+  [[CloudFront.14] CloudFront distributions should be tagged](cloudfront-controls.md#cloudfront-14) 
+  [[CloudFront.15] CloudFront distributions should use the recommended TLS security policy](cloudfront-controls.md#cloudfront-15) 
+  [[CloudFront.16] CloudFront distributions should use origin access control for Lambda function URL origins](cloudfront-controls.md#cloudfront-16) 
+  [[CloudFront.17] CloudFront distributions should use trusted key groups for signed URLs and cookies](cloudfront-controls.md#cloudfront-17) 
+  [[EC2.173] EC2 Spot Fleet requests with launch parameters should enable encryption for attached EBS volumes](ec2-controls.md#ec2-173) 
+  [[ECR.4] ECR public repositories should be tagged](ecr-controls.md#ecr-4) 
+  [[GlobalAccelerator.1] Global Accelerator accelerators should be tagged](globalaccelerator-controls.md#globalaccelerator-1) 
+  [[IAM.26] Expired SSL/TLS certificates managed in IAM should be removed](iam-controls.md#iam-26) 
+  [[IVS.1] IVS playback key pairs should be tagged](ivs-controls.md#ivs-1) 
+  [[IVS.2] IVS recording configurations should be tagged](ivs-controls.md#ivs-2) 
+  [[IVS.3] IVS channels should be tagged](ivs-controls.md#ivs-3) 
+  [[Route53.1] Route 53 health checks should be tagged](route53-controls.md#route53-1) 
+  [[Route53.2] Route 53 public hosted zones should log DNS queries](route53-controls.md#route53-2) 
+  [[S3.24] S3 Multi-Region Access Points should have block public access settings enabled](s3-controls.md#s3-24) 
+  [[S3.25] S3 directory buckets should have lifecycle configurations](s3-controls.md#s3-25) 
+  [[WAF.1] Amazon WAF Classic Global Web ACL logging should be enabled](waf-controls.md#waf-1) 
+  [[WAF.6] Amazon WAF Classic global rules should have at least one condition](waf-controls.md#waf-6) 
+  [[WAF.7] Amazon WAF Classic global rule groups should have at least one rule](waf-controls.md#waf-7) 
+  [[WAF.8] Amazon WAF Classic global web ACLs should have at least one rule or rule group](waf-controls.md#waf-8) 
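
The per-Region lists above are easy to misread when an organization runs Security Hub CSPM in several Regions: a control that is evaluated in one Region produces no findings at all in a Region where it is unsupported, so a cross-Region compliance report built on the same control set will look inconsistent. As an added example that is not part of this page or of Security Hub CSPM itself, the following Python parses sections written in this page's markdown shape into a Region-to-controls map and reports which controls are unavailable in at least one of a chosen set of Regions. The excerpt it parses is a constructed, trimmed copy of the Singapore and Sydney sections; the helper names, the chosen Regions and the candidate control list passed in at the end are the example's own choices, not anything the page specifies.

```python
from __future__ import annotations

import re
from collections import defaultdict

# Constructed excerpt in the same markdown shape as the per-Region sections
# on this page, trimmed to a few controls per Region for the example.
SAMPLE = """\
## Asia Pacific (Singapore)


The following controls are not supported in the Asia Pacific (Singapore) Region.
+  [[AppSync.1] Amazon AppSync API caches should be encrypted at rest](appsync-controls.md#appsync-1)
+  [[CloudFront.3] CloudFront distributions should require encryption in transit](cloudfront-controls.md#cloudfront-3)
+  [[IoTWireless.1] Amazon IoT Wireless multicast groups should be tagged](iotwireless-controls.md#iotwireless-1)

## Asia Pacific (Sydney)


The following controls are not supported in the Asia Pacific (Sydney) Region.
+  [[AppSync.1] Amazon AppSync API caches should be encrypted at rest](appsync-controls.md#appsync-1)
+  [[CloudFront.3] CloudFront distributions should require encryption in transit](cloudfront-controls.md#cloudfront-3)
+  [[IVS.1] IVS playback key pairs should be tagged](ivs-controls.md#ivs-1)
"""

# "## <Region name>" section heading
HEADING = re.compile(r"^## (.+?)\s*$")
# "+  [[Service.N] title](file.md#anchor)"; tolerates a missing space after the ID
ITEM = re.compile(r"^\+\s+\[\[([A-Za-z0-9]+\.\d+)\]\s*(.+?)\]\(([^)]+)\)\s*$")


def parse_unsupported(markdown: str) -> dict[str, dict[str, str]]:
    """Map Region name -> {control ID -> control title} for every
    'not supported' section found in the markdown text."""
    regions: dict[str, dict[str, str]] = {}
    current = None
    for line in markdown.splitlines():
        m = HEADING.match(line)
        if m:
            current = m.group(1)
            regions[current] = {}
            continue
        m = ITEM.match(line)
        if m and current is not None:
            control_id, title, _link = m.groups()
            regions[current][control_id] = title
    return regions


def unsupported_anywhere(regions: dict[str, dict[str, str]], wanted: list[str]) -> dict[str, list[str]]:
    """Controls unsupported in at least one of the wanted Regions, with the
    Regions where each one is missing. Findings for these controls cannot be
    expected to be uniform across a deployment that spans those Regions."""
    missing: dict[str, list[str]] = defaultdict(list)
    for region in wanted:
        if region not in regions:
            raise KeyError(f"no 'not supported' section for Region {region!r}")
        for control_id in regions[region]:
            missing[control_id].append(region)
    return dict(missing)


def supported_everywhere(regions: dict[str, dict[str, str]], wanted: list[str], candidates: list[str]) -> list[str]:
    """Subset of candidate control IDs that no wanted Region lists as unsupported,
    i.e. the controls that can be required consistently across those Regions."""
    gaps = unsupported_anywhere(regions, wanted)
    return sorted(c for c in candidates if c not in gaps)


if __name__ == "__main__":
    table = parse_unsupported(SAMPLE)
    wanted = ["Asia Pacific (Singapore)", "Asia Pacific (Sydney)"]
    for cid, where in sorted(unsupported_anywhere(table, wanted).items()):
        print(f"{cid}: unsupported in {', '.join(where)}")
    # Hypothetical candidate set for a multi-Region baseline
    print(supported_everywhere(table, wanted, ["AppSync.1", "IAM.1", "IVS.1", "S3.1"]))
```

Pointed at the full markdown of this page instead of the excerpt, `parse_unsupported` covers every Region section at once, and the control IDs it returns are the same `[Service.N]` identifiers used throughout this document, so the output can serve directly as a per-Region exclusion list when a baseline is reported across Regions.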

## Asia Pacific (Taipei)


The following controls are not supported in the Asia Pacific (Taipei) Region.
+  [[ACM.1] Imported and ACM-issued certificates should be renewed after a specified time period](acm-controls.md#acm-1) 
+  [[ACM.2] RSA certificates managed by ACM should use a key length of at least 2,048 bits](acm-controls.md#acm-2) 
+  [[ACM.3] ACM certificates should be tagged](acm-controls.md#acm-3) 
+  [[Account.1] Security contact information should be provided for an Amazon Web Services account](account-controls.md#account-1) 
+  [[Account.2] Amazon Web Services accounts should be part of an Amazon Organizations organization](account-controls.md#account-2) 
+  [[APIGateway.1] API Gateway REST and WebSocket API execution logging should be enabled](apigateway-controls.md#apigateway-1) 
+  [[APIGateway.2] API Gateway REST API stages should be configured to use SSL certificates for backend authentication](apigateway-controls.md#apigateway-2) 
+  [[APIGateway.3] API Gateway REST API stages should have Amazon X-Ray tracing enabled](apigateway-controls.md#apigateway-3) 
+  [[APIGateway.4] API Gateway should be associated with a WAF Web ACL](apigateway-controls.md#apigateway-4) 
+  [[APIGateway.5] API Gateway REST API cache data should be encrypted at rest](apigateway-controls.md#apigateway-5) 
+  [[APIGateway.8] API Gateway routes should specify an authorization type](apigateway-controls.md#apigateway-8) 
+  [[APIGateway.9] Access logging should be configured for API Gateway V2 Stages](apigateway-controls.md#apigateway-9) 
+  [[APIGateway.10] API Gateway V2 integrations should use HTTPS for private connections](apigateway-controls.md#apigateway-10) 
+  [[Amplify.1] Amplify apps should be tagged](amplify-controls.md#amplify-1) 
+  [[Amplify.2] Amplify branches should be tagged](amplify-controls.md#amplify-2) 
+  [[AppConfig.1] Amazon AppConfig applications should be tagged](appconfig-controls.md#appconfig-1) 
+  [[AppConfig.2] Amazon AppConfig configuration profiles should be tagged](appconfig-controls.md#appconfig-2) 
+  [[AppConfig.3] Amazon AppConfig environments should be tagged](appconfig-controls.md#appconfig-3) 
+  [[AppConfig.4] Amazon AppConfig extension associations should be tagged](appconfig-controls.md#appconfig-4) 
+  [[AppFlow.1] Amazon AppFlow flows should be tagged](appflow-controls.md#appflow-1) 
+  [[AppRunner.1] App Runner services should be tagged](apprunner-controls.md#apprunner-1) 
+  [[AppRunner.2] App Runner VPC connectors should be tagged](apprunner-controls.md#apprunner-2) 
+  [[AppSync.1] Amazon AppSync API caches should be encrypted at rest](appsync-controls.md#appsync-1) 
+  [[AppSync.2] Amazon AppSync should have field-level logging enabled](appsync-controls.md#appsync-2) 
+  [[AppSync.4] Amazon AppSync GraphQL APIs should be tagged](appsync-controls.md#appsync-4) 
+  [[AppSync.5] Amazon AppSync GraphQL APIs should not be authenticated with API keys](appsync-controls.md#appsync-5) 
+  [[AppSync.6] Amazon AppSync API caches should be encrypted in transit](appsync-controls.md#appsync-6) 
+  [[Athena.2] Athena data catalogs should be tagged](athena-controls.md#athena-2) 
+  [[Athena.3] Athena workgroups should be tagged](athena-controls.md#athena-3) 
+  [[Athena.4] Athena workgroups should have logging enabled](athena-controls.md#athena-4) 
+  [[AutoScaling.1] Auto Scaling groups associated with a load balancer should use ELB health checks](autoscaling-controls.md#autoscaling-1) 
+  [[AutoScaling.2] Amazon EC2 Auto Scaling group should cover multiple Availability Zones](autoscaling-controls.md#autoscaling-2) 
+  [[AutoScaling.3] Auto Scaling group launch configurations should configure EC2 instances to require Instance Metadata Service Version 2 (IMDSv2)](autoscaling-controls.md#autoscaling-3) 
+  [[AutoScaling.6] Auto Scaling groups should use multiple instance types in multiple Availability Zones](autoscaling-controls.md#autoscaling-6) 
+  [[AutoScaling.9] Amazon EC2 Auto Scaling groups should use Amazon EC2 launch templates](autoscaling-controls.md#autoscaling-9) 
+  [[AutoScaling.10] EC2 Auto Scaling groups should be tagged](autoscaling-controls.md#autoscaling-10) 
+  [[Autoscaling.5] Amazon EC2 instances launched using Auto Scaling group launch configurations should not have Public IP addresses](autoscaling-controls.md#autoscaling-5) 
+  [[Backup.1] Amazon Backup recovery points should be encrypted at rest](backup-controls.md#backup-1) 
+  [[Backup.2] Amazon Backup recovery points should be tagged](backup-controls.md#backup-2) 
+  [[Backup.3] Amazon Backup vaults should be tagged](backup-controls.md#backup-3) 
+  [[Backup.4] Amazon Backup report plans should be tagged](backup-controls.md#backup-4) 
+  [[Backup.5] Amazon Backup backup plans should be tagged](backup-controls.md#backup-5) 
+  [[Batch.1] Batch job queues should be tagged](batch-controls.md#batch-1) 
+  [[Batch.2] Batch scheduling policies should be tagged](batch-controls.md#batch-2) 
+  [[Batch.3] Batch compute environments should be tagged](batch-controls.md#batch-3) 
+  [[Batch.4] Compute resources properties in managed Batch compute environments should be tagged](batch-controls.md#batch-4) 
+  [[CloudFormation.2] CloudFormation stacks should be tagged](cloudformation-controls.md#cloudformation-2) 
+  [[CloudFormation.3] CloudFormation stacks should have termination protection enabled](cloudformation-controls.md#cloudformation-3) 
+  [[CloudFormation.4] CloudFormation stacks should have associated service roles](cloudformation-controls.md#cloudformation-4) 
+  [[CloudFront.1] CloudFront distributions should have a default root object configured](cloudfront-controls.md#cloudfront-1) 
+  [[CloudFront.3] CloudFront distributions should require encryption in transit](cloudfront-controls.md#cloudfront-3) 
+  [[CloudFront.4] CloudFront distributions should have origin failover configured](cloudfront-controls.md#cloudfront-4) 
+  [[CloudFront.5] CloudFront distributions should have logging enabled](cloudfront-controls.md#cloudfront-5) 
+  [[CloudFront.6] CloudFront distributions should have WAF enabled](cloudfront-controls.md#cloudfront-6) 
+  [[CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates](cloudfront-controls.md#cloudfront-7) 
+  [[CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests](cloudfront-controls.md#cloudfront-8) 
+  [[CloudFront.9] CloudFront distributions should encrypt traffic to custom origins](cloudfront-controls.md#cloudfront-9) 
+  [[CloudFront.10] CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins](cloudfront-controls.md#cloudfront-10) 
+  [[CloudFront.12] CloudFront distributions should not point to non-existent S3 origins](cloudfront-controls.md#cloudfront-12) 
+  [[CloudFront.13] CloudFront distributions should use origin access control](cloudfront-controls.md#cloudfront-13) 
+  [[CloudFront.14] CloudFront distributions should be tagged](cloudfront-controls.md#cloudfront-14) 
+  [[CloudFront.15] CloudFront distributions should use the recommended TLS security policy](cloudfront-controls.md#cloudfront-15) 
+  [[CloudFront.16] CloudFront distributions should use origin access control for Lambda function URL origins](cloudfront-controls.md#cloudfront-16) 
+  [[CloudFront.17] CloudFront distributions should use trusted key groups for signed URLs and cookies](cloudfront-controls.md#cloudfront-17) 
+  [[CloudTrail.6] Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible](cloudtrail-controls.md#cloudtrail-6) 
+  [[CloudTrail.7] Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket](cloudtrail-controls.md#cloudtrail-7) 
+  [[CloudTrail.9] CloudTrail trails should be tagged](cloudtrail-controls.md#cloudtrail-9) 
+  [[CloudTrail.10] CloudTrail Lake event data stores should be encrypted with customer managed Amazon KMS keys](cloudtrail-controls.md#cloudtrail-10) 
+  [[CloudWatch.17] CloudWatch alarm actions should be activated](cloudwatch-controls.md#cloudwatch-17) 
+  [[CodeArtifact.1] CodeArtifact repositories should be tagged](codeartifact-controls.md#codeartifact-1) 
+  [[CodeBuild.1] CodeBuild Bitbucket source repository URLs should not contain sensitive credentials](codebuild-controls.md#codebuild-1) 
+  [[CodeBuild.2] CodeBuild project environment variables should not contain clear text credentials](codebuild-controls.md#codebuild-2) 
+  [[CodeBuild.3] CodeBuild S3 logs should be encrypted](codebuild-controls.md#codebuild-3) 
+  [[CodeBuild.4] CodeBuild project environments should have a logging Amazon Configuration](codebuild-controls.md#codebuild-4) 
+  [[CodeBuild.7] CodeBuild report group exports should be encrypted at rest](codebuild-controls.md#codebuild-7) 
+  [[CodeGuruProfiler.1] CodeGuru Profiler profiling groups should be tagged](codeguruprofiler-controls.md#codeguruprofiler-1) 
+  [[CodeGuruReviewer.1] CodeGuru Reviewer repository associations should be tagged](codegurureviewer-controls.md#codegurureviewer-1) 
+  [[Cognito.1] Cognito user pools should have threat protection activated with full function enforcement mode for standard authentication](cognito-controls.md#cognito-1) 
+  [[Cognito.2] Cognito identity pools should not allow unauthenticated identities](cognito-controls.md#cognito-2) 
+  [[Cognito.3] Password policies for Cognito user pools should have strong configurations](cognito-controls.md#cognito-3) 
+  [[Cognito.4] Cognito user pools should have threat protection activated with full function enforcement mode for custom authentication](cognito-controls.md#cognito-4) 
+  [[Cognito.5] MFA should be enabled for Cognito user pools](cognito-controls.md#cognito-5) 
+  [[Cognito.6] Cognito user pools should have deletion protection enabled](cognito-controls.md#cognito-6) 
+  [[Connect.1] Amazon Connect Customer Profiles object types should be tagged](connect-controls.md#connect-1) 
+  [[Connect.2] Amazon Connect instances should have CloudWatch logging enabled](connect-controls.md#connect-2) 
+  [[DataFirehose.1] Firehose delivery streams should be encrypted at rest](datafirehose-controls.md#datafirehose-1) 
+  [[DataSync.1] DataSync tasks should have logging enabled](datasync-controls.md#datasync-1) 
+  [[DataSync.2] DataSync tasks should be tagged](datasync-controls.md#datasync-2) 
+  [[Detective.1] Detective behavior graphs should be tagged](detective-controls.md#detective-1) 
+  [[DMS.1] Database Migration Service replication instances should not be public](dms-controls.md#dms-1) 
+  [[DMS.2] DMS certificates should be tagged](dms-controls.md#dms-2) 
+  [[DMS.3] DMS event subscriptions should be tagged](dms-controls.md#dms-3) 
+  [[DMS.4] DMS replication instances should be tagged](dms-controls.md#dms-4) 
+  [[DMS.5] DMS replication subnet groups should be tagged](dms-controls.md#dms-5) 
+  [[DMS.6] DMS replication instances should have automatic minor version upgrade enabled](dms-controls.md#dms-6) 
+  [[DMS.7] DMS replication tasks for the target database should have logging enabled](dms-controls.md#dms-7) 
+  [[DMS.8] DMS replication tasks for the source database should have logging enabled](dms-controls.md#dms-8) 
+  [[DMS.9] DMS endpoints should use SSL](dms-controls.md#dms-9) 
+  [[DMS.10] DMS endpoints for Neptune databases should have IAM authorization enabled](dms-controls.md#dms-10) 
+  [[DMS.11] DMS endpoints for MongoDB should have an authentication mechanism enabled](dms-controls.md#dms-11) 
+  [[DMS.12] DMS endpoints for Redis OSS should have TLS enabled](dms-controls.md#dms-12) 
+  [[DMS.13] DMS replication instances should be configured to use multiple Availability Zones](dms-controls.md#dms-13) 
+  [[DocumentDB.1] Amazon DocumentDB clusters should be encrypted at rest](documentdb-controls.md#documentdb-1) 
+  [[DocumentDB.2] Amazon DocumentDB clusters should have an adequate backup retention period](documentdb-controls.md#documentdb-2) 
+  [[DocumentDB.3] Amazon DocumentDB manual cluster snapshots should not be public](documentdb-controls.md#documentdb-3) 
+  [[DocumentDB.4] Amazon DocumentDB clusters should publish audit logs to CloudWatch Logs](documentdb-controls.md#documentdb-4) 
+  [[DocumentDB.5] Amazon DocumentDB clusters should have deletion protection enabled](documentdb-controls.md#documentdb-5) 
+  [[DocumentDB.6] Amazon DocumentDB clusters should be encrypted in transit](documentdb-controls.md#documentdb-6) 
+  [[DynamoDB.3] DynamoDB Accelerator (DAX) clusters should be encrypted at rest](dynamodb-controls.md#dynamodb-3) 
+  [[DynamoDB.4] DynamoDB tables should be present in a backup plan](dynamodb-controls.md#dynamodb-4) 
+  [[DynamoDB.5] DynamoDB tables should be tagged](dynamodb-controls.md#dynamodb-5) 
+  [[DynamoDB.6] DynamoDB tables should have deletion protection enabled](dynamodb-controls.md#dynamodb-6) 
+  [[DynamoDB.7] DynamoDB Accelerator clusters should be encrypted in transit](dynamodb-controls.md#dynamodb-7) 
+  [[EC2.4] Stopped EC2 instances should be removed after a specified time period](ec2-controls.md#ec2-4) 
+  [[EC2.10] Amazon EC2 should be configured to use VPC endpoints that are created for the Amazon EC2 service](ec2-controls.md#ec2-10) 
+  [[EC2.19] Security groups should not allow unrestricted access to ports with high risk](ec2-controls.md#ec2-19) 
+  [[EC2.21] Network ACLs should not allow ingress from 0.0.0.0/0 to port 22 or port 3389](ec2-controls.md#ec2-21) 
+  [[EC2.22] Unused Amazon EC2 security groups should be removed](ec2-controls.md#ec2-22) 
+  [[EC2.23] Amazon EC2 Transit Gateways should not automatically accept VPC attachment requests](ec2-controls.md#ec2-23) 
+  [[EC2.24] Amazon EC2 paravirtual instance types should not be used](ec2-controls.md#ec2-24) 
+  [[EC2.25] Amazon EC2 launch templates should not assign public IPs to network interfaces](ec2-controls.md#ec2-25) 
+  [[EC2.28] EBS volumes should be covered by a backup plan](ec2-controls.md#ec2-28) 
+  [[EC2.33] EC2 transit gateway attachments should be tagged](ec2-controls.md#ec2-33) 
+  [[EC2.34] EC2 transit gateway route tables should be tagged](ec2-controls.md#ec2-34) 
+  [[EC2.35] EC2 network interfaces should be tagged](ec2-controls.md#ec2-35) 
+  [[EC2.36] EC2 customer gateways should be tagged](ec2-controls.md#ec2-36) 
+  [[EC2.37] EC2 Elastic IP addresses should be tagged](ec2-controls.md#ec2-37) 
+  [[EC2.38] EC2 instances should be tagged](ec2-controls.md#ec2-38) 
+  [[EC2.39] EC2 internet gateways should be tagged](ec2-controls.md#ec2-39) 
+  [[EC2.40] EC2 NAT gateways should be tagged](ec2-controls.md#ec2-40) 
+  [[EC2.41] EC2 network ACLs should be tagged](ec2-controls.md#ec2-41) 
+  [[EC2.42] EC2 route tables should be tagged](ec2-controls.md#ec2-42) 
+  [[EC2.43] EC2 security groups should be tagged](ec2-controls.md#ec2-43) 
+  [[EC2.44] EC2 subnets should be tagged](ec2-controls.md#ec2-44) 
+  [[EC2.45] EC2 volumes should be tagged](ec2-controls.md#ec2-45) 
+  [[EC2.46] Amazon VPCs should be tagged](ec2-controls.md#ec2-46) 
+  [[EC2.47] Amazon VPC endpoint services should be tagged](ec2-controls.md#ec2-47) 
+  [[EC2.48] Amazon VPC flow logs should be tagged](ec2-controls.md#ec2-48) 
+  [[EC2.49] Amazon VPC peering connections should be tagged](ec2-controls.md#ec2-49) 
+  [[EC2.50] EC2 VPN gateways should be tagged](ec2-controls.md#ec2-50) 
+  [[EC2.51] EC2 Client VPN endpoints should have client connection logging enabled](ec2-controls.md#ec2-51) 
+  [[EC2.52] EC2 transit gateways should be tagged](ec2-controls.md#ec2-52) 
+  [[EC2.53] EC2 security groups should not allow ingress from 0.0.0.0/0 to remote server administration ports](ec2-controls.md#ec2-53) 
+  [[EC2.54] EC2 security groups should not allow ingress from ::/0 to remote server administration ports](ec2-controls.md#ec2-54) 
+  [[EC2.55] VPCs should be configured with an interface endpoint for ECR API](ec2-controls.md#ec2-55) 
+  [[EC2.56] VPCs should be configured with an interface endpoint for Docker Registry](ec2-controls.md#ec2-56) 
+  [[EC2.57] VPCs should be configured with an interface endpoint for Systems Manager](ec2-controls.md#ec2-57) 
+  [[EC2.58] VPCs should be configured with an interface endpoint for Systems Manager Incident Manager Contacts](ec2-controls.md#ec2-58) 
+  [[EC2.60] VPCs should be configured with an interface endpoint for Systems Manager Incident Manager](ec2-controls.md#ec2-60) 
+  [[EC2.170] EC2 launch templates should use Instance Metadata Service Version 2 (IMDSv2)](ec2-controls.md#ec2-170) 
+  [[EC2.171] EC2 VPN connections should have logging enabled](ec2-controls.md#ec2-171) 
+  [[EC2.172] EC2 VPC Block Public Access settings should block internet gateway traffic](ec2-controls.md#ec2-172) 
+  [[EC2.173] EC2 Spot Fleet requests with launch parameters should enable encryption for attached EBS volumes](ec2-controls.md#ec2-173) 
+  [[EC2.174] EC2 DHCP option sets should be tagged](ec2-controls.md#ec2-174) 
+  [[EC2.175] EC2 launch templates should be tagged](ec2-controls.md#ec2-175) 
+  [[EC2.176] EC2 prefix lists should be tagged](ec2-controls.md#ec2-176) 
+  [[EC2.177] EC2 traffic mirror sessions should be tagged](ec2-controls.md#ec2-177) 
+  [[EC2.178] EC2 traffic mirror filters should be tagged](ec2-controls.md#ec2-178) 
+  [[EC2.179] EC2 traffic mirror targets should be tagged](ec2-controls.md#ec2-179) 
+  [[EC2.180] EC2 network interfaces should have source/destination checking enabled](ec2-controls.md#ec2-180) 
+  [[EC2.181] EC2 launch templates should enable encryption for attached EBS volumes](ec2-controls.md#ec2-181) 
+  [[EC2.182] Block public access settings should be enabled for Amazon EBS snapshots](ec2-controls.md#ec2-182) 
+  [[ECR.1] ECR private repositories should have image scanning configured](ecr-controls.md#ecr-1) 
+  [[ECR.2] ECR private repositories should have tag immutability configured](ecr-controls.md#ecr-2) 
+  [[ECR.3] ECR repositories should have at least one lifecycle policy configured](ecr-controls.md#ecr-3) 
+  [[ECR.4] ECR public repositories should be tagged](ecr-controls.md#ecr-4) 
+  [[ECR.5] ECR repositories should be encrypted with customer managed Amazon KMS keys](ecr-controls.md#ecr-5) 
+  [[ECS.1] Amazon ECS task definitions should have secure networking modes and user definitions](ecs-controls.md#ecs-1) 
+  [[ECS.2] ECS services should not have public IP addresses assigned to them automatically](ecs-controls.md#ecs-2) 
+  [[ECS.3] ECS task definitions should not share the host's process namespace](ecs-controls.md#ecs-3) 
+  [[ECS.4] ECS containers should run as non-privileged](ecs-controls.md#ecs-4) 
+  [[ECS.5] ECS task definitions should configure containers to be limited to read-only access to root filesystems](ecs-controls.md#ecs-5) 
+  [[ECS.8] Secrets should not be passed as container environment variables](ecs-controls.md#ecs-8) 
+  [[ECS.9] ECS task definitions should have a logging configuration](ecs-controls.md#ecs-9) 
+  [[ECS.10] ECS Fargate services should run on the latest Fargate platform version](ecs-controls.md#ecs-10) 
+  [[ECS.12] ECS clusters should use Container Insights](ecs-controls.md#ecs-12) 
+  [[ECS.13] ECS services should be tagged](ecs-controls.md#ecs-13) 
+  [[ECS.14] ECS clusters should be tagged](ecs-controls.md#ecs-14) 
+  [[ECS.15] ECS task definitions should be tagged](ecs-controls.md#ecs-15) 
+  [[ECS.16] ECS task sets should not automatically assign public IP addresses](ecs-controls.md#ecs-16) 
+  [[ECS.17] ECS task definitions should not use host network mode](ecs-controls.md#ecs-17) 
+  [[ECS.18] ECS Task Definitions should use in-transit encryption for EFS volumes](ecs-controls.md#ecs-18) 
+  [[ECS.19] ECS capacity providers should have managed termination protection enabled](ecs-controls.md#ecs-19) 
+  [[ECS.20] ECS Task Definitions should configure non-root users in Linux container definitions](ecs-controls.md#ecs-20) 
+  [[ECS.21] ECS Task Definitions should configure non-administrator users in Windows container definitions](ecs-controls.md#ecs-21) 
+  [[EFS.1] Elastic File System should be configured to encrypt file data at-rest using Amazon KMS](efs-controls.md#efs-1) 
+  [[EFS.2] Amazon EFS volumes should be in backup plans](efs-controls.md#efs-2) 
+  [[EFS.3] EFS access points should enforce a root directory](efs-controls.md#efs-3) 
+  [[EFS.4] EFS access points should enforce a user identity](efs-controls.md#efs-4) 
+  [[EFS.5] EFS access points should be tagged](efs-controls.md#efs-5) 
+  [[EFS.6] EFS mount targets should not be associated with subnets that assign public IP addresses on launch](efs-controls.md#efs-6) 
+  [[EFS.7] EFS file systems should have automatic backups enabled](efs-controls.md#efs-7) 
+  [[EFS.8] EFS file systems should be encrypted at rest](efs-controls.md#efs-8) 
+  [[EKS.1] EKS cluster endpoints should not be publicly accessible](eks-controls.md#eks-1) 
+  [[EKS.2] EKS clusters should run on a supported Kubernetes version](eks-controls.md#eks-2) 
+  [[EKS.3] EKS clusters should use encrypted Kubernetes secrets](eks-controls.md#eks-3) 
+  [[EKS.6] EKS clusters should be tagged](eks-controls.md#eks-6) 
+  [[EKS.7] EKS identity provider configurations should be tagged](eks-controls.md#eks-7) 
+  [[EKS.8] EKS clusters should have audit logging enabled](eks-controls.md#eks-8) 
+  [[ELB.2] Classic Load Balancers with SSL/HTTPS listeners should use a certificate provided by Amazon Certificate Manager](elb-controls.md#elb-2) 
+  [[ELB.3] Classic Load Balancer listeners should be configured with HTTPS or TLS termination](elb-controls.md#elb-3) 
+  [[ELB.7] Classic Load Balancers should have connection draining enabled](elb-controls.md#elb-7) 
+  [[ELB.8] Classic Load Balancers with SSL listeners should use a predefined security policy that has strong Amazon Configuration](elb-controls.md#elb-8) 
+  [[ELB.10] Classic Load Balancer should span multiple Availability Zones](elb-controls.md#elb-10) 
+  [[ELB.12] Application Load Balancer should be configured with defensive or strictest desync mitigation mode](elb-controls.md#elb-12) 
+  [[ELB.13] Application, Network and Gateway Load Balancers should span multiple Availability Zones](elb-controls.md#elb-13) 
+  [[ELB.14] Classic Load Balancer should be configured with defensive or strictest desync mitigation mode](elb-controls.md#elb-14) 
+  [[ELB.16] Application Load Balancers should be associated with an Amazon WAF web ACL](elb-controls.md#elb-16) 
+  [[ELB.17] Application and Network Load Balancers with listeners should use recommended security policies](elb-controls.md#elb-17) 
+  [[ELB.18] Application and Network Load Balancer listeners should use secure protocols to encrypt data in transit](elb-controls.md#elb-18) 
+  [[ELB.21] Application and Network Load Balancer target groups should use encrypted health check protocols](elb-controls.md#elb-21) 
+  [[ELB.22] ELB target groups should use encrypted transport protocols](elb-controls.md#elb-22) 
+  [[ElastiCache.1] ElastiCache (Redis OSS) clusters should have automatic backups enabled](elasticache-controls.md#elasticache-1) 
+  [[ElastiCache.2] ElastiCache clusters should have automatic minor version upgrades enabled](elasticache-controls.md#elasticache-2) 
+  [[ElastiCache.3] ElastiCache replication groups should have automatic failover enabled](elasticache-controls.md#elasticache-3) 
+  [[ElastiCache.4] ElastiCache replication groups should be encrypted at rest](elasticache-controls.md#elasticache-4) 
+  [[ElastiCache.5] ElastiCache replication groups should be encrypted in transit](elasticache-controls.md#elasticache-5) 
+  [[ElastiCache.6] ElastiCache (Redis OSS) replication groups of earlier versions should have Redis OSS AUTH enabled](elasticache-controls.md#elasticache-6) 
+  [[ElastiCache.7] ElastiCache clusters should not use the default subnet group](elasticache-controls.md#elasticache-7) 
+  [[ElasticBeanstalk.1] Elastic Beanstalk environments should have enhanced health reporting enabled](elasticbeanstalk-controls.md#elasticbeanstalk-1) 
+  [[ElasticBeanstalk.2] Elastic Beanstalk managed platform updates should be enabled](elasticbeanstalk-controls.md#elasticbeanstalk-2) 
+  [[ElasticBeanstalk.3] Elastic Beanstalk should stream logs to CloudWatch](elasticbeanstalk-controls.md#elasticbeanstalk-3) 
+  [[EMR.1] Amazon EMR cluster primary nodes should not have public IP addresses](emr-controls.md#emr-1) 
+  [[EMR.2] Amazon EMR block public access setting should be enabled](emr-controls.md#emr-2) 
+  [[EMR.3] Amazon EMR security configurations should be encrypted at rest](emr-controls.md#emr-3) 
+  [[EMR.4] Amazon EMR security configurations should be encrypted in transit](emr-controls.md#emr-4) 
+  [[ES.1] Elasticsearch domains should have encryption at-rest enabled](es-controls.md#es-1) 
+  [[ES.2] Elasticsearch domains should not be publicly accessible](es-controls.md#es-2) 
+  [[ES.3] Elasticsearch domains should encrypt data sent between nodes](es-controls.md#es-3) 
+  [[ES.4] Elasticsearch domain error logging to CloudWatch Logs should be enabled](es-controls.md#es-4) 
+  [[ES.5] Elasticsearch domains should have audit logging enabled](es-controls.md#es-5) 
+  [[ES.6] Elasticsearch domains should have at least three data nodes](es-controls.md#es-6) 
+  [[ES.7] Elasticsearch domains should be configured with at least three dedicated master nodes](es-controls.md#es-7) 
+  [[ES.8] Connections to Elasticsearch domains should be encrypted using the latest TLS security policy](es-controls.md#es-8) 
+  [[ES.9] Elasticsearch domains should be tagged](es-controls.md#es-9) 
+  [[EventBridge.2] EventBridge event buses should be tagged](eventbridge-controls.md#eventbridge-2) 
+  [[EventBridge.3] EventBridge custom event buses should have a resource-based policy attached](eventbridge-controls.md#eventbridge-3) 
+  [[EventBridge.4] EventBridge global endpoints should have event replication enabled](eventbridge-controls.md#eventbridge-4) 
+  [[FraudDetector.1] Amazon Fraud Detector entity types should be tagged](frauddetector-controls.md#frauddetector-1) 
+  [[FraudDetector.2] Amazon Fraud Detector labels should be tagged](frauddetector-controls.md#frauddetector-2) 
+  [[FraudDetector.3] Amazon Fraud Detector outcomes should be tagged](frauddetector-controls.md#frauddetector-3) 
+  [[FraudDetector.4] Amazon Fraud Detector variables should be tagged](frauddetector-controls.md#frauddetector-4) 
+  [[FSx.1] FSx for OpenZFS file systems should be configured to copy tags to backups and volumes](fsx-controls.md#fsx-1) 
+  [[FSx.2] FSx for Lustre file systems should be configured to copy tags to backups](fsx-controls.md#fsx-2) 
+  [[FSx.3] FSx for OpenZFS file systems should be configured for Multi-AZ deployment](fsx-controls.md#fsx-3) 
+  [[FSx.4] FSx for NetApp ONTAP file systems should be configured for Multi-AZ deployment](fsx-controls.md#fsx-4) 
+  [[FSx.5] FSx for Windows File Server file systems should be configured for Multi-AZ deployment](fsx-controls.md#fsx-5) 
+  [[GlobalAccelerator.1] Global Accelerator accelerators should be tagged](globalaccelerator-controls.md#globalaccelerator-1) 
+  [[Glue.1] Amazon Glue jobs should be tagged](glue-controls.md#glue-1) 
+  [[Glue.3] Amazon Glue machine learning transforms should be encrypted at rest](glue-controls.md#glue-3) 
+  [[Glue.4] Amazon Glue Spark jobs should run on supported versions of Amazon Glue](glue-controls.md#glue-4) 
+  [[GuardDuty.1] GuardDuty should be enabled](guardduty-controls.md#guardduty-1) 
+  [[GuardDuty.2] GuardDuty filters should be tagged](guardduty-controls.md#guardduty-2) 
+  [[GuardDuty.3] GuardDuty IPSets should be tagged](guardduty-controls.md#guardduty-3) 
+  [[GuardDuty.4] GuardDuty detectors should be tagged](guardduty-controls.md#guardduty-4) 
+  [[GuardDuty.5] GuardDuty EKS Audit Log Monitoring should be enabled](guardduty-controls.md#guardduty-5) 
+  [[GuardDuty.6] GuardDuty Lambda Protection should be enabled](guardduty-controls.md#guardduty-6) 
+  [[GuardDuty.7] GuardDuty EKS Runtime Monitoring should be enabled](guardduty-controls.md#guardduty-7) 
+  [[GuardDuty.8] GuardDuty Malware Protection for EC2 should be enabled](guardduty-controls.md#guardduty-8) 
+  [[GuardDuty.9] GuardDuty RDS Protection should be enabled](guardduty-controls.md#guardduty-9) 
+  [[GuardDuty.10] GuardDuty S3 Protection should be enabled](guardduty-controls.md#guardduty-10) 
+  [[GuardDuty.11] GuardDuty Runtime Monitoring should be enabled](guardduty-controls.md#guardduty-11) 
+  [[GuardDuty.12] GuardDuty ECS Runtime Monitoring should be enabled](guardduty-controls.md#guardduty-12) 
+  [[GuardDuty.13] GuardDuty EC2 Runtime Monitoring should be enabled](guardduty-controls.md#guardduty-13) 
+  [[IAM.1] IAM policies should not allow full "*" administrative privileges](iam-controls.md#iam-1) 
+  [[IAM.2] IAM users should not have IAM policies attached](iam-controls.md#iam-2) 
+  [[IAM.3] IAM users' access keys should be rotated every 90 days or less](iam-controls.md#iam-3) 
+  [[IAM.4] IAM root user access key should not exist](iam-controls.md#iam-4) 
+  [[IAM.5] MFA should be enabled for all IAM users that have a console password](iam-controls.md#iam-5) 
+  [[IAM.6] Hardware MFA should be enabled for the root user](iam-controls.md#iam-6) 
+  [[IAM.7] Password policies for IAM users should have strong configurations](iam-controls.md#iam-7) 
+  [[IAM.8] Unused IAM user credentials should be removed](iam-controls.md#iam-8) 
+  [[IAM.9] MFA should be enabled for the root user](iam-controls.md#iam-9) 
+  [[IAM.10] Password policies for IAM users should have strong configurations](iam-controls.md#iam-10) 
+  [[IAM.11] Ensure IAM password policy requires at least one uppercase letter](iam-controls.md#iam-11) 
+  [[IAM.12] Ensure IAM password policy requires at least one lowercase letter](iam-controls.md#iam-12) 
+  [[IAM.13] Ensure IAM password policy requires at least one symbol](iam-controls.md#iam-13) 
+  [[IAM.14] Ensure IAM password policy requires at least one number](iam-controls.md#iam-14) 
+  [[IAM.15] Ensure IAM password policy requires minimum password length of 14 or greater](iam-controls.md#iam-15) 
+  [[IAM.16] Ensure IAM password policy prevents password reuse](iam-controls.md#iam-16) 
+  [[IAM.17] Ensure IAM password policy expires passwords within 90 days or less](iam-controls.md#iam-17) 
+  [[IAM.18] Ensure a support role has been created to manage incidents with Amazon Web Services Support](iam-controls.md#iam-18) 
+  [[IAM.19] MFA should be enabled for all IAM users](iam-controls.md#iam-19) 
+  [[IAM.21] IAM customer managed policies that you create should not allow wildcard actions for services](iam-controls.md#iam-21) 
+  [[IAM.22] IAM user credentials unused for 45 days should be removed](iam-controls.md#iam-22) 
+  [[IAM.23] IAM Access Analyzer analyzers should be tagged](iam-controls.md#iam-23) 
+  [[IAM.24] IAM roles should be tagged](iam-controls.md#iam-24) 
+  [[IAM.25] IAM users should be tagged](iam-controls.md#iam-25) 
+  [[IAM.26] Expired SSL/TLS certificates managed in IAM should be removed](iam-controls.md#iam-26) 
+  [[IAM.27] IAM identities should not have the AWSCloudShellFullAccess policy attached](iam-controls.md#iam-27) 
+  [[IAM.28] IAM Access Analyzer external access analyzer should be enabled](iam-controls.md#iam-28) 
+  [[Inspector.1] Amazon Inspector EC2 scanning should be enabled](inspector-controls.md#inspector-1) 
+  [[Inspector.2] Amazon Inspector ECR scanning should be enabled](inspector-controls.md#inspector-2) 
+  [[Inspector.3] Amazon Inspector Lambda code scanning should be enabled](inspector-controls.md#inspector-3) 
+  [[Inspector.4] Amazon Inspector Lambda standard scanning should be enabled](inspector-controls.md#inspector-4) 
+  [[IoT.1] Amazon IoT Device Defender security profiles should be tagged](iot-controls.md#iot-1) 
+  [[IoT.2] Amazon IoT Core mitigation actions should be tagged](iot-controls.md#iot-2) 
+  [[IoT.3] Amazon IoT Core dimensions should be tagged](iot-controls.md#iot-3) 
+  [[IoT.4] Amazon IoT Core authorizers should be tagged](iot-controls.md#iot-4) 
+  [[IoT.5] Amazon IoT Core role aliases should be tagged](iot-controls.md#iot-5) 
+  [[IoT.6] Amazon IoT Core policies should be tagged](iot-controls.md#iot-6) 
+  [[IoTEvents.1] Amazon IoT Events inputs should be tagged](iotevents-controls.md#iotevents-1) 
+  [[IoTEvents.2] Amazon IoT Events detector models should be tagged](iotevents-controls.md#iotevents-2) 
+  [[IoTEvents.3] Amazon IoT Events alarm models should be tagged](iotevents-controls.md#iotevents-3) 
+  [[IoTSiteWise.1] Amazon IoT SiteWise asset models should be tagged](iotsitewise-controls.md#iotsitewise-1) 
+  [[IoTSiteWise.2] Amazon IoT SiteWise dashboards should be tagged](iotsitewise-controls.md#iotsitewise-2) 
+  [[IoTSiteWise.3] Amazon IoT SiteWise gateways should be tagged](iotsitewise-controls.md#iotsitewise-3) 
+  [[IoTSiteWise.4] Amazon IoT SiteWise portals should be tagged](iotsitewise-controls.md#iotsitewise-4) 
+  [[IoTSiteWise.5] Amazon IoT SiteWise projects should be tagged](iotsitewise-controls.md#iotsitewise-5) 
+  [[IoTTwinMaker.1] Amazon IoT TwinMaker sync jobs should be tagged](iottwinmaker-controls.md#iottwinmaker-1) 
+  [[IoTTwinMaker.2] Amazon IoT TwinMaker workspaces should be tagged](iottwinmaker-controls.md#iottwinmaker-2) 
+  [[IoTTwinMaker.3] Amazon IoT TwinMaker scenes should be tagged](iottwinmaker-controls.md#iottwinmaker-3) 
+  [[IoTTwinMaker.4] Amazon IoT TwinMaker entities should be tagged](iottwinmaker-controls.md#iottwinmaker-4) 
+  [[IoTWireless.1] Amazon IoT Wireless multicast groups should be tagged](iotwireless-controls.md#iotwireless-1) 
+  [[IoTWireless.2] Amazon IoT Wireless service profiles should be tagged](iotwireless-controls.md#iotwireless-2) 
+  [[IoTWireless.3] Amazon IoT FUOTA tasks should be tagged](iotwireless-controls.md#iotwireless-3) 
+  [[IVS.1] IVS playback key pairs should be tagged](ivs-controls.md#ivs-1) 
+  [[IVS.2] IVS recording configurations should be tagged](ivs-controls.md#ivs-2) 
+  [[IVS.3] IVS channels should be tagged](ivs-controls.md#ivs-3) 
+  [[Keyspaces.1] Amazon Keyspaces keyspaces should be tagged](keyspaces-controls.md#keyspaces-1) 
+  [[Kinesis.1] Kinesis streams should be encrypted at rest](kinesis-controls.md#kinesis-1) 
+  [[Kinesis.2] Kinesis streams should be tagged](kinesis-controls.md#kinesis-2) 
+  [[Kinesis.3] Kinesis streams should have an adequate data retention period](kinesis-controls.md#kinesis-3) 
+  [[KMS.1] IAM customer managed policies should not allow decryption actions on all KMS keys](kms-controls.md#kms-1) 
+  [[KMS.2] IAM principals should not have IAM inline policies that allow decryption actions on all KMS keys](kms-controls.md#kms-2) 
+  [[KMS.3] Amazon KMS keys should not be deleted unintentionally](kms-controls.md#kms-3) 
+  [[KMS.5] KMS keys should not be publicly accessible](kms-controls.md#kms-5) 
+  [[Lambda.5] VPC Lambda functions should operate in multiple Availability Zones](lambda-controls.md#lambda-5) 
+  [[Lambda.6] Lambda functions should be tagged](lambda-controls.md#lambda-6) 
+  [[Lambda.7] Lambda functions should have Amazon X-Ray active tracing enabled](lambda-controls.md#lambda-7) 
+  [[Macie.1] Amazon Macie should be enabled](macie-controls.md#macie-1) 
+  [[Macie.2] Macie automated sensitive data discovery should be enabled](macie-controls.md#macie-2) 
+  [[MQ.2] ActiveMQ brokers should stream audit logs to CloudWatch](mq-controls.md#mq-2) 
+  [[MQ.4] Amazon MQ brokers should be tagged](mq-controls.md#mq-4) 
+  [[MQ.5] ActiveMQ brokers should use active/standby deployment mode](mq-controls.md#mq-5) 
+  [[MQ.6] RabbitMQ brokers should use cluster deployment mode](mq-controls.md#mq-6) 
+  [[MSK.1] MSK clusters should be encrypted in transit among broker nodes](msk-controls.md#msk-1) 
+  [[MSK.2] MSK clusters should have enhanced monitoring configured](msk-controls.md#msk-2) 
+  [[MSK.3] MSK Connect connectors should be encrypted in transit](msk-controls.md#msk-3) 
+  [[MSK.4] MSK clusters should have public access disabled](msk-controls.md#msk-4) 
+  [[MSK.5] MSK connectors should have logging enabled](msk-controls.md#msk-5) 
+  [[MSK.6] MSK clusters should disable unauthenticated access](msk-controls.md#msk-6) 
+  [[Neptune.1] Neptune DB clusters should be encrypted at rest](neptune-controls.md#neptune-1) 
+  [[Neptune.2] Neptune DB clusters should publish audit logs to CloudWatch Logs](neptune-controls.md#neptune-2) 
+  [[Neptune.3] Neptune DB cluster snapshots should not be public](neptune-controls.md#neptune-3) 
+  [[Neptune.4] Neptune DB clusters should have deletion protection enabled](neptune-controls.md#neptune-4) 
+  [[Neptune.5] Neptune DB clusters should have automated backups enabled](neptune-controls.md#neptune-5) 
+  [[Neptune.6] Neptune DB cluster snapshots should be encrypted at rest](neptune-controls.md#neptune-6) 
+  [[Neptune.7] Neptune DB clusters should have IAM database authentication enabled](neptune-controls.md#neptune-7) 
+  [[Neptune.8] Neptune DB clusters should be configured to copy tags to snapshots](neptune-controls.md#neptune-8) 
+  [[Neptune.9] Neptune DB clusters should be deployed across multiple Availability Zones](neptune-controls.md#neptune-9) 
+  [[NetworkFirewall.1] Network Firewall firewalls should be deployed across multiple Availability Zones](networkfirewall-controls.md#networkfirewall-1) 
+  [[NetworkFirewall.2] Network Firewall logging should be enabled](networkfirewall-controls.md#networkfirewall-2) 
+  [[NetworkFirewall.3] Network Firewall policies should have at least one rule group associated](networkfirewall-controls.md#networkfirewall-3) 
+  [[NetworkFirewall.4] The default stateless action for Network Firewall policies should be drop or forward for full packets](networkfirewall-controls.md#networkfirewall-4) 
+  [[NetworkFirewall.5] The default stateless action for Network Firewall policies should be drop or forward for fragmented packets](networkfirewall-controls.md#networkfirewall-5) 
+  [[NetworkFirewall.6] Stateless Network Firewall rule group should not be empty](networkfirewall-controls.md#networkfirewall-6) 
+  [[NetworkFirewall.7] Network Firewall firewalls should be tagged](networkfirewall-controls.md#networkfirewall-7) 
+  [[NetworkFirewall.8] Network Firewall firewall policies should be tagged](networkfirewall-controls.md#networkfirewall-8) 
+  [[NetworkFirewall.9] Network Firewall firewalls should have deletion protection enabled](networkfirewall-controls.md#networkfirewall-9) 
+  [[NetworkFirewall.10] Network Firewall firewalls should have subnet change protection enabled](networkfirewall-controls.md#networkfirewall-10) 
+  [[Opensearch.1] OpenSearch domains should have encryption at rest enabled](opensearch-controls.md#opensearch-1) 
+  [[Opensearch.2] OpenSearch domains should not be publicly accessible](opensearch-controls.md#opensearch-2) 
+  [[Opensearch.3] OpenSearch domains should encrypt data sent between nodes](opensearch-controls.md#opensearch-3) 
+  [[Opensearch.4] OpenSearch domain error logging to CloudWatch Logs should be enabled](opensearch-controls.md#opensearch-4) 
+  [[Opensearch.5] OpenSearch domains should have audit logging enabled](opensearch-controls.md#opensearch-5) 
+  [[Opensearch.6] OpenSearch domains should have at least three data nodes](opensearch-controls.md#opensearch-6) 
+  [[Opensearch.7] OpenSearch domains should have fine-grained access control enabled](opensearch-controls.md#opensearch-7) 
+  [[Opensearch.8] Connections to OpenSearch domains should be encrypted using the latest TLS security policy](opensearch-controls.md#opensearch-8) 
+  [[Opensearch.9] OpenSearch domains should be tagged](opensearch-controls.md#opensearch-9) 
+  [[Opensearch.10] OpenSearch domains should have the latest software update installed](opensearch-controls.md#opensearch-10) 
+  [[Opensearch.11] OpenSearch domains should have at least three dedicated primary nodes](opensearch-controls.md#opensearch-11) 
+  [[PCA.1] Amazon Private CA root certificate authority should be disabled](pca-controls.md#pca-1) 
+  [[PCA.2] Amazon Private CA certificate authorities should be tagged](pca-controls.md#pca-2) 
+  [[RDS.14] Amazon Aurora clusters should have backtracking enabled](rds-controls.md#rds-14) 
+  [[RDS.16] Aurora DB clusters should be configured to copy tags to DB snapshots](rds-controls.md#rds-16) 
+  [[RDS.17] RDS DB instances should be configured to copy tags to snapshots](rds-controls.md#rds-17) 
+  [[RDS.18] RDS instances should be deployed in a VPC](rds-controls.md#rds-18) 
+  [[RDS.19] Existing RDS event notification subscriptions should be configured for critical cluster events](rds-controls.md#rds-19) 
+  [[RDS.20] Existing RDS event notification subscriptions should be configured for critical database instance events](rds-controls.md#rds-20) 
+  [[RDS.21] An RDS event notifications subscription should be configured for critical database parameter group events](rds-controls.md#rds-21) 
+  [[RDS.22] An RDS event notifications subscription should be configured for critical database security group events](rds-controls.md#rds-22) 
+  [[RDS.23] RDS instances should not use a database engine default port](rds-controls.md#rds-23) 
+  [[RDS.24] RDS Database clusters should use a custom administrator username](rds-controls.md#rds-24) 
+  [[RDS.25] RDS database instances should use a custom administrator username](rds-controls.md#rds-25) 
+  [[RDS.26] RDS DB instances should be protected by a backup plan](rds-controls.md#rds-26) 
+  [[RDS.27] RDS DB clusters should be encrypted at rest](rds-controls.md#rds-27) 
+  [[RDS.28] RDS DB clusters should be tagged](rds-controls.md#rds-28) 
+  [[RDS.29] RDS DB cluster snapshots should be tagged](rds-controls.md#rds-29) 
+  [[RDS.30] RDS DB instances should be tagged](rds-controls.md#rds-30) 
+  [[RDS.31] RDS DB security groups should be tagged](rds-controls.md#rds-31) 
+  [[RDS.32] RDS DB snapshots should be tagged](rds-controls.md#rds-32) 
+  [[RDS.33] RDS DB subnet groups should be tagged](rds-controls.md#rds-33) 
+  [[RDS.34] Aurora MySQL DB clusters should publish audit logs to CloudWatch Logs](rds-controls.md#rds-34) 
+  [[RDS.35] RDS DB clusters should have automatic minor version upgrade enabled](rds-controls.md#rds-35) 
+  [[RDS.36] RDS for PostgreSQL DB instances should publish logs to CloudWatch Logs](rds-controls.md#rds-36) 
+  [[RDS.37] Aurora PostgreSQL DB clusters should publish logs to CloudWatch Logs](rds-controls.md#rds-37) 
+  [[RDS.38] RDS for PostgreSQL DB instances should be encrypted in transit](rds-controls.md#rds-38) 
+  [[RDS.39] RDS for MySQL DB instances should be encrypted in transit](rds-controls.md#rds-39) 
+  [[RDS.40] RDS for SQL Server DB instances should publish logs to CloudWatch Logs](rds-controls.md#rds-40) 
+  [[RDS.41] RDS for SQL Server DB instances should be encrypted in transit](rds-controls.md#rds-41) 
+  [[RDS.42] RDS for MariaDB DB instances should publish logs to CloudWatch Logs](rds-controls.md#rds-42) 
+  [[RDS.43] RDS DB proxies should require TLS encryption for connections](rds-controls.md#rds-43) 
+  [[RDS.44] RDS for MariaDB DB instances should be encrypted in transit](rds-controls.md#rds-44) 
+  [[RDS.45] Aurora MySQL DB clusters should have audit logging enabled](rds-controls.md#rds-45) 
+  [[RDS.46] RDS DB instances should not be deployed in public subnets with routes to internet gateways](rds-controls.md#rds-46) 
+  [[RDS.47] RDS for PostgreSQL DB clusters should be configured to copy tags to DB snapshots](rds-controls.md#rds-47) 
+  [[RDS.48] RDS for MySQL DB clusters should be configured to copy tags to DB snapshots](rds-controls.md#rds-48) 
+  [[RDS.50] RDS DB clusters should have enough backup retention period set](rds-controls.md#rds-50) 
+  [[Redshift.1] Amazon Redshift clusters should prohibit public access](redshift-controls.md#redshift-1) 
+  [[Redshift.2] Connections to Amazon Redshift clusters should be encrypted in transit](redshift-controls.md#redshift-2) 
+  [[Redshift.3] Amazon Redshift clusters should have automatic snapshots enabled](redshift-controls.md#redshift-3) 
+  [[Redshift.4] Amazon Redshift clusters should have audit logging enabled](redshift-controls.md#redshift-4) 
+  [[Redshift.6] Amazon Redshift should have automatic upgrades to major versions enabled](redshift-controls.md#redshift-6) 
+  [[Redshift.7] Redshift clusters should use enhanced VPC routing](redshift-controls.md#redshift-7) 
+  [[Redshift.8] Amazon Redshift clusters should not use the default Admin username](redshift-controls.md#redshift-8) 
+  [[Redshift.10] Redshift clusters should be encrypted at rest](redshift-controls.md#redshift-10) 
+  [[Redshift.11] Redshift clusters should be tagged](redshift-controls.md#redshift-11) 
+  [[Redshift.12] Redshift event notification subscriptions should be tagged](redshift-controls.md#redshift-12) 
+  [[Redshift.13] Redshift cluster snapshots should be tagged](redshift-controls.md#redshift-13) 
+  [[Redshift.14] Redshift cluster subnet groups should be tagged](redshift-controls.md#redshift-14) 
+  [[Redshift.15] Redshift security groups should allow ingress on the cluster port only from restricted origins](redshift-controls.md#redshift-15) 
+  [[Redshift.16] Redshift cluster subnet groups should have subnets from multiple Availability Zones](redshift-controls.md#redshift-16) 
+  [[Redshift.17] Redshift cluster parameter groups should be tagged](redshift-controls.md#redshift-17) 
+  [[Redshift.18] Redshift clusters should have Multi-AZ deployments enabled](redshift-controls.md#redshift-18) 
+  [[RedshiftServerless.1] Amazon Redshift Serverless workgroups should use enhanced VPC routing](redshiftserverless-controls.md#redshiftserverless-1) 
+  [[RedshiftServerless.2] Connections to Redshift Serverless workgroups should be required to use SSL](redshiftserverless-controls.md#redshiftserverless-2) 
+  [[RedshiftServerless.3] Redshift Serverless workgroups should prohibit public access](redshiftserverless-controls.md#redshiftserverless-3) 
+  [[RedshiftServerless.4] Redshift Serverless namespaces should be encrypted with customer managed Amazon KMS keys](redshiftserverless-controls.md#redshiftserverless-4) 
+  [[RedshiftServerless.5] Redshift Serverless namespaces should not use the default admin username](redshiftserverless-controls.md#redshiftserverless-5) 
+  [[RedshiftServerless.6] Redshift Serverless namespaces should export logs to CloudWatch Logs](redshiftserverless-controls.md#redshiftserverless-6) 
+  [[Route53.1] Route 53 health checks should be tagged](route53-controls.md#route53-1) 
+  [[Route53.2] Route 53 public hosted zones should log DNS queries](route53-controls.md#route53-2) 
+  [[S3.7] S3 general purpose buckets should use cross-Region replication](s3-controls.md#s3-7) 
+  [[S3.10] S3 general purpose buckets with versioning enabled should have Lifecycle configurations](s3-controls.md#s3-10) 
+  [[S3.11] S3 general purpose buckets should have event notifications enabled](s3-controls.md#s3-11) 
+  [[S3.12] ACLs should not be used to manage user access to S3 general purpose buckets](s3-controls.md#s3-12) 
+  [[S3.13] S3 general purpose buckets should have Lifecycle configurations](s3-controls.md#s3-13) 
+  [[S3.17] S3 general purpose buckets should be encrypted at rest with Amazon KMS keys](s3-controls.md#s3-17) 
+  [[S3.19] S3 access points should have block public access settings enabled](s3-controls.md#s3-19) 
+  [[S3.20] S3 general purpose buckets should have MFA delete enabled](s3-controls.md#s3-20) 
+  [[S3.22] S3 general purpose buckets should log object-level write events](s3-controls.md#s3-22) 
+  [[S3.23] S3 general purpose buckets should log object-level read events](s3-controls.md#s3-23) 
+  [[S3.24] S3 Multi-Region Access Points should have block public access settings enabled](s3-controls.md#s3-24) 
+  [[S3.25] S3 directory buckets should have lifecycle configurations](s3-controls.md#s3-25) 
+  [[SageMaker.1] Amazon SageMaker notebook instances should not have direct internet access](sagemaker-controls.md#sagemaker-1) 
+  [[SageMaker.2] SageMaker notebook instances should be launched in a custom VPC](sagemaker-controls.md#sagemaker-2) 
+  [[SageMaker.3] Users should not have root access to SageMaker notebook instances](sagemaker-controls.md#sagemaker-3) 
+  [[SageMaker.4] SageMaker endpoint production variants should have an initial instance count greater than 1](sagemaker-controls.md#sagemaker-4) 
+  [[SageMaker.5] SageMaker models should have network isolation enabled](sagemaker-controls.md#sagemaker-5) 
+  [[SageMaker.6] SageMaker app image configurations should be tagged](sagemaker-controls.md#sagemaker-6) 
+  [[SageMaker.7] SageMaker images should be tagged](sagemaker-controls.md#sagemaker-7) 
+  [[SageMaker.8] SageMaker notebook instances should run on supported platforms](sagemaker-controls.md#sagemaker-8) 
+  [[SageMaker.9] SageMaker data quality job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-9) 
+  [[SageMaker.10] SageMaker model explainability job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-10) 
+  [[SageMaker.11] SageMaker data quality job definitions should have network isolation enabled](sagemaker-controls.md#sagemaker-11) 
+  [[SageMaker.12] SageMaker model bias job definitions should have network isolation enabled](sagemaker-controls.md#sagemaker-12) 
+  [[SageMaker.13] SageMaker model quality job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-13) 
+  [[SageMaker.14] SageMaker monitoring schedules should have network isolation enabled](sagemaker-controls.md#sagemaker-14) 
+  [[SageMaker.15] SageMaker model bias job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-15) 
+  [[SES.1] SES contact lists should be tagged](ses-controls.md#ses-1) 
+  [[SES.2] SES configuration sets should be tagged](ses-controls.md#ses-2) 
+  [[SES.3] SES configuration sets should have TLS enabled for sending emails](ses-controls.md#ses-3) 
+  [[SecretsManager.1] Secrets Manager secrets should have automatic rotation enabled](secretsmanager-controls.md#secretsmanager-1) 
+  [[SecretsManager.2] Secrets Manager secrets configured with automatic rotation should rotate successfully](secretsmanager-controls.md#secretsmanager-2) 
+  [[SecretsManager.3] Remove unused Secrets Manager secrets](secretsmanager-controls.md#secretsmanager-3) 
+  [[SecretsManager.4] Secrets Manager secrets should be rotated within a specified number of days](secretsmanager-controls.md#secretsmanager-4) 
+  [[SecretsManager.5] Secrets Manager secrets should be tagged](secretsmanager-controls.md#secretsmanager-5) 
+  [[ServiceCatalog.1] Service Catalog portfolios should be shared within an Amazon organization only](servicecatalog-controls.md#servicecatalog-1) 
+  [[SNS.3] SNS topics should be tagged](sns-controls.md#sns-3) 
+  [[SNS.4] SNS topic access policies should not allow public access](sns-controls.md#sns-4) 
+  [[SQS.1] Amazon SQS queues should be encrypted at rest](sqs-controls.md#sqs-1) 
+  [[SQS.2] SQS queues should be tagged](sqs-controls.md#sqs-2) 
+  [[SQS.3] SQS queue access policies should not allow public access](sqs-controls.md#sqs-3) 
+  [[SSM.1] Amazon EC2 instances should be managed by Amazon Systems Manager](ssm-controls.md#ssm-1) 
+  [[SSM.2] Amazon EC2 instances managed by Systems Manager should have a patch compliance status of COMPLIANT after a patch installation](ssm-controls.md#ssm-2) 
+  [[SSM.3] Amazon EC2 instances managed by Systems Manager should have an association compliance status of COMPLIANT](ssm-controls.md#ssm-3) 
+  [[SSM.4] SSM documents should not be public](ssm-controls.md#ssm-4) 
+  [[SSM.5] SSM documents should be tagged](ssm-controls.md#ssm-5) 
+  [[SSM.6] SSM Automation should have CloudWatch logging enabled](ssm-controls.md#ssm-6) 
+  [[SSM.7] SSM documents should have the block public sharing setting enabled](ssm-controls.md#ssm-7) 
+  [[StepFunctions.1] Step Functions state machines should have logging turned on](stepfunctions-controls.md#stepfunctions-1) 
+  [[StepFunctions.2] Step Functions activities should be tagged](stepfunctions-controls.md#stepfunctions-2) 
+  [[Transfer.1] Amazon Transfer Family workflows should be tagged](transfer-controls.md#transfer-1) 
+  [[Transfer.2] Transfer Family servers should not use FTP protocol for endpoint connection](transfer-controls.md#transfer-2) 
+  [[Transfer.3] Transfer Family connectors should have logging enabled](transfer-controls.md#transfer-3) 
+  [[Transfer.4] Transfer Family agreements should be tagged](transfer-controls.md#transfer-4) 
+  [[Transfer.5] Transfer Family certificates should be tagged](transfer-controls.md#transfer-5) 
+  [[Transfer.6] Transfer Family connectors should be tagged](transfer-controls.md#transfer-6) 
+  [[Transfer.7] Transfer Family profiles should be tagged](transfer-controls.md#transfer-7) 
+  [[WAF.1] Amazon WAF Classic Global Web ACL logging should be enabled](waf-controls.md#waf-1) 
+  [[WAF.2] Amazon WAF Classic Regional rules should have at least one condition](waf-controls.md#waf-2) 
+  [[WAF.3] Amazon WAF Classic Regional rule groups should have at least one rule](waf-controls.md#waf-3) 
+  [[WAF.4] Amazon WAF Classic Regional web ACLs should have at least one rule or rule group](waf-controls.md#waf-4) 
+  [[WAF.6] Amazon WAF Classic global rules should have at least one condition](waf-controls.md#waf-6) 
+  [[WAF.7] Amazon WAF Classic global rule groups should have at least one rule](waf-controls.md#waf-7) 
+  [[WAF.8] Amazon WAF Classic global web ACLs should have at least one rule or rule group](waf-controls.md#waf-8) 
+  [[WAF.10] Amazon WAF web ACLs should have at least one rule or rule group](waf-controls.md#waf-10) 
+  [[WAF.11] Amazon WAF web ACL logging should be enabled](waf-controls.md#waf-11) 
+  [[WAF.12] Amazon WAF rules should have CloudWatch metrics enabled](waf-controls.md#waf-12) 
+  [[WorkSpaces.1] WorkSpaces user volumes should be encrypted at rest](workspaces-controls.md#workspaces-1) 
+  [[WorkSpaces.2] WorkSpaces root volumes should be encrypted at rest](workspaces-controls.md#workspaces-2) 

## Asia Pacific (Thailand)

The following controls are not supported in the Asia Pacific (Thailand) Region.
+  [[ACM.1] Imported and ACM-issued certificates should be renewed after a specified time period](acm-controls.md#acm-1) 
+  [[ACM.2] RSA certificates managed by ACM should use a key length of at least 2,048 bits](acm-controls.md#acm-2) 
+  [[Account.1] Security contact information should be provided for an Amazon Web Services account](account-controls.md#account-1) 
+  [[Account.2] Amazon Web Services accounts should be part of an Amazon Organizations organization](account-controls.md#account-2) 
+  [[APIGateway.8] API Gateway routes should specify an authorization type](apigateway-controls.md#apigateway-8) 
+  [[APIGateway.9] Access logging should be configured for API Gateway V2 Stages](apigateway-controls.md#apigateway-9) 
+  [[APIGateway.10] API Gateway V2 integrations should use HTTPS for private connections](apigateway-controls.md#apigateway-10) 
+  [[Amplify.1] Amplify apps should be tagged](amplify-controls.md#amplify-1) 
+  [[Amplify.2] Amplify branches should be tagged](amplify-controls.md#amplify-2) 
+  [[AppConfig.1] Amazon AppConfig applications should be tagged](appconfig-controls.md#appconfig-1) 
+  [[AppConfig.2] Amazon AppConfig configuration profiles should be tagged](appconfig-controls.md#appconfig-2) 
+  [[AppConfig.3] Amazon AppConfig environments should be tagged](appconfig-controls.md#appconfig-3) 
+  [[AppConfig.4] Amazon AppConfig extension associations should be tagged](appconfig-controls.md#appconfig-4) 
+  [[AppFlow.1] Amazon AppFlow flows should be tagged](appflow-controls.md#appflow-1) 
+  [[AppRunner.1] App Runner services should be tagged](apprunner-controls.md#apprunner-1) 
+  [[AppRunner.2] App Runner VPC connectors should be tagged](apprunner-controls.md#apprunner-2) 
+  [[AppSync.1] Amazon AppSync API caches should be encrypted at rest](appsync-controls.md#appsync-1) 
+  [[AppSync.2] Amazon AppSync should have field-level logging enabled](appsync-controls.md#appsync-2) 
+  [[AppSync.5] Amazon AppSync GraphQL APIs should not be authenticated with API keys](appsync-controls.md#appsync-5) 
+  [[AppSync.6] Amazon AppSync API caches should be encrypted in transit](appsync-controls.md#appsync-6) 
+  [[Athena.2] Athena data catalogs should be tagged](athena-controls.md#athena-2) 
+  [[Athena.3] Athena workgroups should be tagged](athena-controls.md#athena-3) 
+  [[Athena.4] Athena workgroups should have logging enabled](athena-controls.md#athena-4) 
+  [[AutoScaling.2] Amazon EC2 Auto Scaling group should cover multiple Availability Zones](autoscaling-controls.md#autoscaling-2) 
+  [[AutoScaling.3] Auto Scaling group launch configurations should configure EC2 instances to require Instance Metadata Service Version 2 (IMDSv2)](autoscaling-controls.md#autoscaling-3) 
+  [[AutoScaling.6] Auto Scaling groups should use multiple instance types in multiple Availability Zones](autoscaling-controls.md#autoscaling-6) 
+  [[AutoScaling.9] Amazon EC2 Auto Scaling groups should use Amazon EC2 launch templates](autoscaling-controls.md#autoscaling-9) 
+  [[Backup.1] Amazon Backup recovery points should be encrypted at rest](backup-controls.md#backup-1) 
+  [[Backup.2] Amazon Backup recovery points should be tagged](backup-controls.md#backup-2) 
+  [[Backup.4] Amazon Backup report plans should be tagged](backup-controls.md#backup-4) 
+  [[Batch.1] Batch job queues should be tagged](batch-controls.md#batch-1) 
+  [[Batch.2] Batch scheduling policies should be tagged](batch-controls.md#batch-2) 
+  [[Batch.3] Batch compute environments should be tagged](batch-controls.md#batch-3) 
+  [[Batch.4] Compute resources properties in managed Batch compute environments should be tagged](batch-controls.md#batch-4) 
+  [[CloudFormation.3] CloudFormation stacks should have termination protection enabled](cloudformation-controls.md#cloudformation-3) 
+  [[CloudFormation.4] CloudFormation stacks should have associated service roles](cloudformation-controls.md#cloudformation-4) 
+  [[CloudFront.1] CloudFront distributions should have a default root object configured](cloudfront-controls.md#cloudfront-1) 
+  [[CloudFront.3] CloudFront distributions should require encryption in transit](cloudfront-controls.md#cloudfront-3) 
+  [[CloudFront.4] CloudFront distributions should have origin failover configured](cloudfront-controls.md#cloudfront-4) 
+  [[CloudFront.5] CloudFront distributions should have logging enabled](cloudfront-controls.md#cloudfront-5) 
+  [[CloudFront.6] CloudFront distributions should have WAF enabled](cloudfront-controls.md#cloudfront-6) 
+  [[CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates](cloudfront-controls.md#cloudfront-7) 
+  [[CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests](cloudfront-controls.md#cloudfront-8) 
+  [[CloudFront.9] CloudFront distributions should encrypt traffic to custom origins](cloudfront-controls.md#cloudfront-9) 
+  [[CloudFront.10] CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins](cloudfront-controls.md#cloudfront-10) 
+  [[CloudFront.12] CloudFront distributions should not point to non-existent S3 origins](cloudfront-controls.md#cloudfront-12) 
+  [[CloudFront.13] CloudFront distributions should use origin access control](cloudfront-controls.md#cloudfront-13) 
+  [[CloudFront.14] CloudFront distributions should be tagged](cloudfront-controls.md#cloudfront-14) 
+  [[CloudFront.15] CloudFront distributions should use the recommended TLS security policy](cloudfront-controls.md#cloudfront-15) 
+  [[CloudFront.16] CloudFront distributions should use origin access control for Lambda function URL origins](cloudfront-controls.md#cloudfront-16) 
+  [[CloudFront.17] CloudFront distributions should use trusted key groups for signed URLs and cookies](cloudfront-controls.md#cloudfront-17) 
+  [[CloudTrail.6] Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible](cloudtrail-controls.md#cloudtrail-6) 
+  [[CloudTrail.7] Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket](cloudtrail-controls.md#cloudtrail-7) 
+  [[CloudTrail.10] CloudTrail Lake event data stores should be encrypted with customer managed Amazon KMS keys](cloudtrail-controls.md#cloudtrail-10) 
+  [[CloudWatch.17] CloudWatch alarm actions should be activated](cloudwatch-controls.md#cloudwatch-17) 
+  [[CodeArtifact.1] CodeArtifact repositories should be tagged](codeartifact-controls.md#codeartifact-1) 
+  [[CodeBuild.1] CodeBuild Bitbucket source repository URLs should not contain sensitive credentials](codebuild-controls.md#codebuild-1) 
+  [[CodeBuild.2] CodeBuild project environment variables should not contain clear text credentials](codebuild-controls.md#codebuild-2) 
+  [[CodeBuild.3] CodeBuild S3 logs should be encrypted](codebuild-controls.md#codebuild-3) 
+  [[CodeBuild.4] CodeBuild project environments should have a logging Amazon Configuration](codebuild-controls.md#codebuild-4) 
+  [[CodeBuild.7] CodeBuild report group exports should be encrypted at rest](codebuild-controls.md#codebuild-7) 
+  [[CodeGuruProfiler.1] CodeGuru Profiler profiling groups should be tagged](codeguruprofiler-controls.md#codeguruprofiler-1) 
+  [[CodeGuruReviewer.1] CodeGuru Reviewer repository associations should be tagged](codegurureviewer-controls.md#codegurureviewer-1) 
+  [[Cognito.1] Cognito user pools should have threat protection activated with full function enforcement mode for standard authentication](cognito-controls.md#cognito-1) 
+  [[Cognito.2] Cognito identity pools should not allow unauthenticated identities](cognito-controls.md#cognito-2) 
+  [[Cognito.3] Password policies for Cognito user pools should have strong configurations](cognito-controls.md#cognito-3) 
+  [[Cognito.4] Cognito user pools should have threat protection activated with full function enforcement mode for custom authentication](cognito-controls.md#cognito-4) 
+  [[Cognito.5] MFA should be enabled for Cognito user pools](cognito-controls.md#cognito-5) 
+  [[Cognito.6] Cognito user pools should have deletion protection enabled](cognito-controls.md#cognito-6) 
+  [[Connect.1] Amazon Connect Customer Profiles object types should be tagged](connect-controls.md#connect-1) 
+  [[Connect.2] Amazon Connect instances should have CloudWatch logging enabled](connect-controls.md#connect-2) 
+  [[DataFirehose.1] Firehose delivery streams should be encrypted at rest](datafirehose-controls.md#datafirehose-1) 
+  [[DataSync.1] DataSync tasks should have logging enabled](datasync-controls.md#datasync-1) 
+  [[DataSync.2] DataSync tasks should be tagged](datasync-controls.md#datasync-2) 
+  [[Detective.1] Detective behavior graphs should be tagged](detective-controls.md#detective-1) 
+  [[DMS.2] DMS certificates should be tagged](dms-controls.md#dms-2) 
+  [[DMS.3] DMS event subscriptions should be tagged](dms-controls.md#dms-3) 
+  [[DMS.4] DMS replication instances should be tagged](dms-controls.md#dms-4) 
+  [[DMS.5] DMS replication subnet groups should be tagged](dms-controls.md#dms-5) 
+  [[DMS.6] DMS replication instances should have automatic minor version upgrade enabled](dms-controls.md#dms-6) 
+  [[DMS.7] DMS replication tasks for the target database should have logging enabled](dms-controls.md#dms-7) 
+  [[DMS.8] DMS replication tasks for the source database should have logging enabled](dms-controls.md#dms-8) 
+  [[DMS.9] DMS endpoints should use SSL](dms-controls.md#dms-9) 
+  [[DMS.10] DMS endpoints for Neptune databases should have IAM authorization enabled](dms-controls.md#dms-10) 
+  [[DMS.11] DMS endpoints for MongoDB should have an authentication mechanism enabled](dms-controls.md#dms-11) 
+  [[DMS.12] DMS endpoints for Redis OSS should have TLS enabled](dms-controls.md#dms-12) 
+  [[DMS.13] DMS replication instances should be configured to use multiple Availability Zones](dms-controls.md#dms-13) 
+  [[DocumentDB.1] Amazon DocumentDB clusters should be encrypted at rest](documentdb-controls.md#documentdb-1) 
+  [[DocumentDB.2] Amazon DocumentDB clusters should have an adequate backup retention period](documentdb-controls.md#documentdb-2) 
+  [[DocumentDB.3] Amazon DocumentDB manual cluster snapshots should not be public](documentdb-controls.md#documentdb-3) 
+  [[DocumentDB.4] Amazon DocumentDB clusters should publish audit logs to CloudWatch Logs](documentdb-controls.md#documentdb-4) 
+  [[DocumentDB.5] Amazon DocumentDB clusters should have deletion protection enabled](documentdb-controls.md#documentdb-5) 
+  [[DocumentDB.6] Amazon DocumentDB clusters should be encrypted in transit](documentdb-controls.md#documentdb-6) 
+  [[DynamoDB.3] DynamoDB Accelerator (DAX) clusters should be encrypted at rest](dynamodb-controls.md#dynamodb-3) 
+  [[DynamoDB.4] DynamoDB tables should be present in a backup plan](dynamodb-controls.md#dynamodb-4) 
+  [[DynamoDB.6] DynamoDB tables should have deletion protection enabled](dynamodb-controls.md#dynamodb-6) 
+  [[DynamoDB.7] DynamoDB Accelerator clusters should be encrypted in transit](dynamodb-controls.md#dynamodb-7) 
+  [[EC2.4] Stopped EC2 instances should be removed after a specified time period](ec2-controls.md#ec2-4) 
+  [[EC2.21] Network ACLs should not allow ingress from 0.0.0.0/0 to port 22 or port 3389](ec2-controls.md#ec2-21) 
+  [[EC2.22] Unused Amazon EC2 security groups should be removed](ec2-controls.md#ec2-22) 
+  [[EC2.23] Amazon EC2 Transit Gateways should not automatically accept VPC attachment requests](ec2-controls.md#ec2-23) 
+  [[EC2.24] Amazon EC2 paravirtual instance types should not be used](ec2-controls.md#ec2-24) 
+  [[EC2.25] Amazon EC2 launch templates should not assign public IPs to network interfaces](ec2-controls.md#ec2-25) 
+  [[EC2.28] EBS volumes should be covered by a backup plan](ec2-controls.md#ec2-28) 
+  [[EC2.34] EC2 transit gateway route tables should be tagged](ec2-controls.md#ec2-34) 
+  [[EC2.40] EC2 NAT gateways should be tagged](ec2-controls.md#ec2-40) 
+  [[EC2.51] EC2 Client VPN endpoints should have client connection logging enabled](ec2-controls.md#ec2-51) 
+  [[EC2.53] EC2 security groups should not allow ingress from 0.0.0.0/0 to remote server administration ports](ec2-controls.md#ec2-53) 
+  [[EC2.54] EC2 security groups should not allow ingress from ::/0 to remote server administration ports](ec2-controls.md#ec2-54) 
+  [[EC2.55] VPCs should be configured with an interface endpoint for ECR API](ec2-controls.md#ec2-55) 
+  [[EC2.56] VPCs should be configured with an interface endpoint for Docker Registry](ec2-controls.md#ec2-56) 
+  [[EC2.57] VPCs should be configured with an interface endpoint for Systems Manager](ec2-controls.md#ec2-57) 
+  [[EC2.58] VPCs should be configured with an interface endpoint for Systems Manager Incident Manager Contacts](ec2-controls.md#ec2-58) 
+  [[EC2.60] VPCs should be configured with an interface endpoint for Systems Manager Incident Manager](ec2-controls.md#ec2-60) 
+  [[EC2.170] EC2 launch templates should use Instance Metadata Service Version 2 (IMDSv2)](ec2-controls.md#ec2-170) 
+  [[EC2.171] EC2 VPN connections should have logging enabled](ec2-controls.md#ec2-171) 
+  [[EC2.172] EC2 VPC Block Public Access settings should block internet gateway traffic](ec2-controls.md#ec2-172) 
+  [[EC2.173] EC2 Spot Fleet requests with launch parameters should enable encryption for attached EBS volumes](ec2-controls.md#ec2-173) 
+  [[EC2.174] EC2 DHCP option sets should be tagged](ec2-controls.md#ec2-174) 
+  [[EC2.175] EC2 launch templates should be tagged](ec2-controls.md#ec2-175) 
+  [[EC2.176] EC2 prefix lists should be tagged](ec2-controls.md#ec2-176) 
+  [[EC2.177] EC2 traffic mirror sessions should be tagged](ec2-controls.md#ec2-177) 
+  [[EC2.178] EC2 traffic mirror filters should be tagged](ec2-controls.md#ec2-178) 
+  [[EC2.179] EC2 traffic mirror targets should be tagged](ec2-controls.md#ec2-179) 
+  [[EC2.180] EC2 network interfaces should have source/destination checking enabled](ec2-controls.md#ec2-180) 
+  [[EC2.181] EC2 launch templates should enable encryption for attached EBS volumes](ec2-controls.md#ec2-181) 
+  [[EC2.182] Block public access settings should be enabled for Amazon EBS snapshots](ec2-controls.md#ec2-182) 
+  [[ECR.1] ECR private repositories should have image scanning configured](ecr-controls.md#ecr-1) 
+  [[ECR.2] ECR private repositories should have tag immutability configured](ecr-controls.md#ecr-2) 
+  [[ECR.3] ECR repositories should have at least one lifecycle policy configured](ecr-controls.md#ecr-3) 
+  [[ECR.4] ECR public repositories should be tagged](ecr-controls.md#ecr-4) 
+  [[ECR.5] ECR repositories should be encrypted with customer managed Amazon KMS keys](ecr-controls.md#ecr-5) 
+  [[ECS.3] ECS task definitions should not share the host's process namespace](ecs-controls.md#ecs-3) 
+  [[ECS.4] ECS containers should run as non-privileged](ecs-controls.md#ecs-4) 
+  [[ECS.5] ECS task definitions should configure containers to be limited to read-only access to root filesystems](ecs-controls.md#ecs-5) 
+  [[ECS.8] Secrets should not be passed as container environment variables](ecs-controls.md#ecs-8) 
+  [[ECS.9] ECS task definitions should have a logging configuration](ecs-controls.md#ecs-9) 
+  [[ECS.10] ECS Fargate services should run on the latest Fargate platform version](ecs-controls.md#ecs-10) 
+  [[ECS.12] ECS clusters should use Container Insights](ecs-controls.md#ecs-12) 
+  [[ECS.16] ECS task sets should not automatically assign public IP addresses](ecs-controls.md#ecs-16) 
+  [[ECS.17] ECS task definitions should not use host network mode](ecs-controls.md#ecs-17) 
+  [[ECS.18] ECS Task Definitions should use in-transit encryption for EFS volumes](ecs-controls.md#ecs-18) 
+  [[ECS.19] ECS capacity providers should have managed termination protection enabled](ecs-controls.md#ecs-19) 
+  [[ECS.20] ECS Task Definitions should configure non-root users in Linux container definitions](ecs-controls.md#ecs-20) 
+  [[ECS.21] ECS Task Definitions should configure non-administrator users in Windows container definitions](ecs-controls.md#ecs-21) 
+  [[EFS.1] Elastic File System should be configured to encrypt file data at-rest using Amazon KMS](efs-controls.md#efs-1) 
+  [[EFS.2] Amazon EFS volumes should be in backup plans](efs-controls.md#efs-2) 
+  [[EFS.3] EFS access points should enforce a root directory](efs-controls.md#efs-3) 
+  [[EFS.4] EFS access points should enforce a user identity](efs-controls.md#efs-4) 
+  [[EFS.6] EFS mount targets should not be associated with subnets that assign public IP addresses on launch](efs-controls.md#efs-6) 
+  [[EFS.7] EFS file systems should have automatic backups enabled](efs-controls.md#efs-7) 
+  [[EFS.8] EFS file systems should be encrypted at rest](efs-controls.md#efs-8) 
+  [[EKS.2] EKS clusters should run on a supported Kubernetes version](eks-controls.md#eks-2) 
+  [[EKS.3] EKS clusters should use encrypted Kubernetes secrets](eks-controls.md#eks-3) 
+  [[EKS.7] EKS identity provider configurations should be tagged](eks-controls.md#eks-7) 
+  [[EKS.8] EKS clusters should have audit logging enabled](eks-controls.md#eks-8) 
+  [[ELB.10] Classic Load Balancer should span multiple Availability Zones](elb-controls.md#elb-10) 
+  [[ELB.12] Application Load Balancer should be configured with defensive or strictest desync mitigation mode](elb-controls.md#elb-12) 
+  [[ELB.13] Application, Network and Gateway Load Balancers should span multiple Availability Zones](elb-controls.md#elb-13) 
+  [[ELB.14] Classic Load Balancer should be configured with defensive or strictest desync mitigation mode](elb-controls.md#elb-14) 
+  [[ELB.17] Application and Network Load Balancers with listeners should use recommended security policies](elb-controls.md#elb-17) 
+  [[ELB.18] Application and Network Load Balancer listeners should use secure protocols to encrypt data in transit](elb-controls.md#elb-18) 
+  [[ElastiCache.1] ElastiCache (Redis OSS) clusters should have automatic backups enabled](elasticache-controls.md#elasticache-1) 
+  [[ElastiCache.2] ElastiCache clusters should have automatic minor version upgrades enabled](elasticache-controls.md#elasticache-2) 
+  [[ElastiCache.3] ElastiCache replication groups should have automatic failover enabled](elasticache-controls.md#elasticache-3) 
+  [[ElastiCache.4] ElastiCache replication groups should be encrypted at rest](elasticache-controls.md#elasticache-4) 
+  [[ElastiCache.5] ElastiCache replication groups should be encrypted in transit](elasticache-controls.md#elasticache-5) 
+  [[ElastiCache.6] ElastiCache (Redis OSS) replication groups of earlier versions should have Redis OSS AUTH enabled](elasticache-controls.md#elasticache-6) 
+  [[ElastiCache.7] ElastiCache clusters should not use the default subnet group](elasticache-controls.md#elasticache-7) 
+  [[ElasticBeanstalk.1] Elastic Beanstalk environments should have enhanced health reporting enabled](elasticbeanstalk-controls.md#elasticbeanstalk-1) 
+  [[ElasticBeanstalk.2] Elastic Beanstalk managed platform updates should be enabled](elasticbeanstalk-controls.md#elasticbeanstalk-2) 
+  [[ElasticBeanstalk.3] Elastic Beanstalk should stream logs to CloudWatch](elasticbeanstalk-controls.md#elasticbeanstalk-3) 
+  [[EMR.1] Amazon EMR cluster primary nodes should not have public IP addresses](emr-controls.md#emr-1) 
+  [[EMR.2] Amazon EMR block public access setting should be enabled](emr-controls.md#emr-2) 
+  [[EMR.3] Amazon EMR security configurations should be encrypted at rest](emr-controls.md#emr-3) 
+  [[EMR.4] Amazon EMR security configurations should be encrypted in transit](emr-controls.md#emr-4) 
+  [[ES.4] Elasticsearch domain error logging to CloudWatch Logs should be enabled](es-controls.md#es-4) 
+  [[ES.9] Elasticsearch domains should be tagged](es-controls.md#es-9) 
+  [[EventBridge.3] EventBridge custom event buses should have a resource-based policy attached](eventbridge-controls.md#eventbridge-3) 
+  [[EventBridge.4] EventBridge global endpoints should have event replication enabled](eventbridge-controls.md#eventbridge-4) 
+  [[FraudDetector.1] Amazon Fraud Detector entity types should be tagged](frauddetector-controls.md#frauddetector-1) 
+  [[FraudDetector.2] Amazon Fraud Detector labels should be tagged](frauddetector-controls.md#frauddetector-2) 
+  [[FraudDetector.3] Amazon Fraud Detector outcomes should be tagged](frauddetector-controls.md#frauddetector-3) 
+  [[FraudDetector.4] Amazon Fraud Detector variables should be tagged](frauddetector-controls.md#frauddetector-4) 
+  [[FSx.1] FSx for OpenZFS file systems should be configured to copy tags to backups and volumes](fsx-controls.md#fsx-1) 
+  [[FSx.2] FSx for Lustre file systems should be configured to copy tags to backups](fsx-controls.md#fsx-2) 
+  [[FSx.3] FSx for OpenZFS file systems should be configured for Multi-AZ deployment](fsx-controls.md#fsx-3) 
+  [[FSx.4] FSx for NetApp ONTAP file systems should be configured for Multi-AZ deployment](fsx-controls.md#fsx-4) 
+  [[FSx.5] FSx for Windows File Server file systems should be configured for Multi-AZ deployment](fsx-controls.md#fsx-5) 
+  [[GlobalAccelerator.1] Global Accelerator accelerators should be tagged](globalaccelerator-controls.md#globalaccelerator-1) 
+  [[Glue.1] Amazon Glue jobs should be tagged](glue-controls.md#glue-1) 
+  [[Glue.3] Amazon Glue machine learning transforms should be encrypted at rest](glue-controls.md#glue-3) 
+  [[Glue.4] Amazon Glue Spark jobs should run on supported versions of Amazon Glue](glue-controls.md#glue-4) 
+  [[GuardDuty.1] GuardDuty should be enabled](guardduty-controls.md#guardduty-1) 
+  [[GuardDuty.2] GuardDuty filters should be tagged](guardduty-controls.md#guardduty-2) 
+  [[GuardDuty.5] GuardDuty EKS Audit Log Monitoring should be enabled](guardduty-controls.md#guardduty-5) 
+  [[GuardDuty.6] GuardDuty Lambda Protection should be enabled](guardduty-controls.md#guardduty-6) 
+  [[GuardDuty.7] GuardDuty EKS Runtime Monitoring should be enabled](guardduty-controls.md#guardduty-7) 
+  [[GuardDuty.8] GuardDuty Malware Protection for EC2 should be enabled](guardduty-controls.md#guardduty-8) 
+  [[GuardDuty.9] GuardDuty RDS Protection should be enabled](guardduty-controls.md#guardduty-9) 
+  [[GuardDuty.10] GuardDuty S3 Protection should be enabled](guardduty-controls.md#guardduty-10) 
+  [[GuardDuty.11] GuardDuty Runtime Monitoring should be enabled](guardduty-controls.md#guardduty-11) 
+  [[GuardDuty.12] GuardDuty ECS Runtime Monitoring should be enabled](guardduty-controls.md#guardduty-12) 
+  [[GuardDuty.13] GuardDuty EC2 Runtime Monitoring should be enabled](guardduty-controls.md#guardduty-13) 
+  [[IAM.1] IAM policies should not allow full "*" administrative privileges](iam-controls.md#iam-1) 
+  [[IAM.2] IAM users should not have IAM policies attached](iam-controls.md#iam-2) 
+  [[IAM.3] IAM users' access keys should be rotated every 90 days or less](iam-controls.md#iam-3) 
+  [[IAM.4] IAM root user access key should not exist](iam-controls.md#iam-4) 
+  [[IAM.5] MFA should be enabled for all IAM users that have a console password](iam-controls.md#iam-5) 
+  [[IAM.6] Hardware MFA should be enabled for the root user](iam-controls.md#iam-6) 
+  [[IAM.7] Password policies for IAM users should have strong configurations](iam-controls.md#iam-7) 
+  [[IAM.8] Unused IAM user credentials should be removed](iam-controls.md#iam-8) 
+  [[IAM.9] MFA should be enabled for the root user](iam-controls.md#iam-9) 
+  [[IAM.10] Password policies for IAM users should have strong configurations](iam-controls.md#iam-10) 
+  [[IAM.11] Ensure IAM password policy requires at least one uppercase letter](iam-controls.md#iam-11) 
+  [[IAM.12] Ensure IAM password policy requires at least one lowercase letter](iam-controls.md#iam-12) 
+  [[IAM.13] Ensure IAM password policy requires at least one symbol](iam-controls.md#iam-13) 
+  [[IAM.14] Ensure IAM password policy requires at least one number](iam-controls.md#iam-14) 
+  [[IAM.15] Ensure IAM password policy requires minimum password length of 14 or greater](iam-controls.md#iam-15) 
+  [[IAM.16] Ensure IAM password policy prevents password reuse](iam-controls.md#iam-16) 
+  [[IAM.17] Ensure IAM password policy expires passwords within 90 days or less](iam-controls.md#iam-17) 
+  [[IAM.18] Ensure a support role has been created to manage incidents with Amazon Web Services Support](iam-controls.md#iam-18) 
+  [[IAM.19] MFA should be enabled for all IAM users](iam-controls.md#iam-19) 
+  [[IAM.21] IAM customer managed policies that you create should not allow wildcard actions for services](iam-controls.md#iam-21) 
+  [[IAM.22] IAM user credentials unused for 45 days should be removed](iam-controls.md#iam-22) 
+  [[IAM.24] IAM roles should be tagged](iam-controls.md#iam-24) 
+  [[IAM.25] IAM users should be tagged](iam-controls.md#iam-25) 
+  [[IAM.26] Expired SSL/TLS certificates managed in IAM should be removed](iam-controls.md#iam-26) 
+  [[IAM.27] IAM identities should not have the AWSCloudShellFullAccess policy attached](iam-controls.md#iam-27) 
+  [[IAM.28] IAM Access Analyzer external access analyzer should be enabled](iam-controls.md#iam-28) 
+  [[Inspector.1] Amazon Inspector EC2 scanning should be enabled](inspector-controls.md#inspector-1) 
+  [[Inspector.2] Amazon Inspector ECR scanning should be enabled](inspector-controls.md#inspector-2) 
+  [[Inspector.3] Amazon Inspector Lambda code scanning should be enabled](inspector-controls.md#inspector-3) 
+  [[Inspector.4] Amazon Inspector Lambda standard scanning should be enabled](inspector-controls.md#inspector-4) 
+  [[IoT.1] Amazon IoT Device Defender security profiles should be tagged](iot-controls.md#iot-1) 
+  [[IoT.2] Amazon IoT Core mitigation actions should be tagged](iot-controls.md#iot-2) 
+  [[IoT.3] Amazon IoT Core dimensions should be tagged](iot-controls.md#iot-3) 
+  [[IoT.4] Amazon IoT Core authorizers should be tagged](iot-controls.md#iot-4) 
+  [[IoT.5] Amazon IoT Core role aliases should be tagged](iot-controls.md#iot-5) 
+  [[IoT.6] Amazon IoT Core policies should be tagged](iot-controls.md#iot-6) 
+  [[IoTEvents.1] Amazon IoT Events inputs should be tagged](iotevents-controls.md#iotevents-1) 
+  [[IoTEvents.2] Amazon IoT Events detector models should be tagged](iotevents-controls.md#iotevents-2) 
+  [[IoTEvents.3] Amazon IoT Events alarm models should be tagged](iotevents-controls.md#iotevents-3) 
+  [[IoTSiteWise.1] Amazon IoT SiteWise asset models should be tagged](iotsitewise-controls.md#iotsitewise-1) 
+  [[IoTSiteWise.2] Amazon IoT SiteWise dashboards should be tagged](iotsitewise-controls.md#iotsitewise-2) 
+  [[IoTSiteWise.3] Amazon IoT SiteWise gateways should be tagged](iotsitewise-controls.md#iotsitewise-3) 
+  [[IoTSiteWise.4] Amazon IoT SiteWise portals should be tagged](iotsitewise-controls.md#iotsitewise-4) 
+  [[IoTSiteWise.5] Amazon IoT SiteWise projects should be tagged](iotsitewise-controls.md#iotsitewise-5) 
+  [[IoTTwinMaker.1] Amazon IoT TwinMaker sync jobs should be tagged](iottwinmaker-controls.md#iottwinmaker-1) 
+  [[IoTTwinMaker.2] Amazon IoT TwinMaker workspaces should be tagged](iottwinmaker-controls.md#iottwinmaker-2) 
+  [[IoTTwinMaker.3] Amazon IoT TwinMaker scenes should be tagged](iottwinmaker-controls.md#iottwinmaker-3) 
+  [[IoTTwinMaker.4] Amazon IoT TwinMaker entities should be tagged](iottwinmaker-controls.md#iottwinmaker-4) 
+  [[IoTWireless.1] Amazon IoT Wireless multicast groups should be tagged](iotwireless-controls.md#iotwireless-1) 
+  [[IoTWireless.2] Amazon IoT Wireless service profiles should be tagged](iotwireless-controls.md#iotwireless-2) 
+  [[IoTWireless.3] Amazon IoT FUOTA tasks should be tagged](iotwireless-controls.md#iotwireless-3) 
+  [[IVS.1] IVS playback key pairs should be tagged](ivs-controls.md#ivs-1) 
+  [[IVS.2] IVS recording configurations should be tagged](ivs-controls.md#ivs-2) 
+  [[IVS.3] IVS channels should be tagged](ivs-controls.md#ivs-3) 
+  [[Keyspaces.1] Amazon Keyspaces keyspaces should be tagged](keyspaces-controls.md#keyspaces-1) 
+  [[Kinesis.1] Kinesis streams should be encrypted at rest](kinesis-controls.md#kinesis-1) 
+  [[Kinesis.3] Kinesis streams should have an adequate data retention period](kinesis-controls.md#kinesis-3) 
+  [[KMS.1] IAM customer managed policies should not allow decryption actions on all KMS keys](kms-controls.md#kms-1) 
+  [[KMS.2] IAM principals should not have IAM inline policies that allow decryption actions on all KMS keys](kms-controls.md#kms-2) 
+  [[KMS.5] KMS keys should not be publicly accessible](kms-controls.md#kms-5) 
+  [[Lambda.5] VPC Lambda functions should operate in multiple Availability Zones](lambda-controls.md#lambda-5) 
+  [[Lambda.7] Lambda functions should have Amazon X-Ray active tracing enabled](lambda-controls.md#lambda-7) 
+  [[Macie.1] Amazon Macie should be enabled](macie-controls.md#macie-1) 
+  [[Macie.2] Macie automated sensitive data discovery should be enabled](macie-controls.md#macie-2) 
+  [[MQ.2] ActiveMQ brokers should stream audit logs to CloudWatch](mq-controls.md#mq-2) 
+  [[MQ.4] Amazon MQ brokers should be tagged](mq-controls.md#mq-4) 
+  [[MQ.5] ActiveMQ brokers should use active/standby deployment mode](mq-controls.md#mq-5) 
+  [[MQ.6] RabbitMQ brokers should use cluster deployment mode](mq-controls.md#mq-6) 
+  [[MSK.1] MSK clusters should be encrypted in transit among broker nodes](msk-controls.md#msk-1) 
+  [[MSK.2] MSK clusters should have enhanced monitoring configured](msk-controls.md#msk-2) 
+  [[MSK.3] MSK Connect connectors should be encrypted in transit](msk-controls.md#msk-3) 
+  [[MSK.4] MSK clusters should have public access disabled](msk-controls.md#msk-4) 
+  [[MSK.5] MSK connectors should have logging enabled](msk-controls.md#msk-5) 
+  [[MSK.6] MSK clusters should disable unauthenticated access](msk-controls.md#msk-6) 
+  [[Neptune.1] Neptune DB clusters should be encrypted at rest](neptune-controls.md#neptune-1) 
+  [[Neptune.2] Neptune DB clusters should publish audit logs to CloudWatch Logs](neptune-controls.md#neptune-2) 
+  [[Neptune.3] Neptune DB cluster snapshots should not be public](neptune-controls.md#neptune-3) 
+  [[Neptune.4] Neptune DB clusters should have deletion protection enabled](neptune-controls.md#neptune-4) 
+  [[Neptune.5] Neptune DB clusters should have automated backups enabled](neptune-controls.md#neptune-5) 
+  [[Neptune.6] Neptune DB cluster snapshots should be encrypted at rest](neptune-controls.md#neptune-6) 
+  [[Neptune.7] Neptune DB clusters should have IAM database authentication enabled](neptune-controls.md#neptune-7) 
+  [[Neptune.8] Neptune DB clusters should be configured to copy tags to snapshots](neptune-controls.md#neptune-8) 
+  [[Neptune.9] Neptune DB clusters should be deployed across multiple Availability Zones](neptune-controls.md#neptune-9) 
+  [[NetworkFirewall.1] Network Firewall firewalls should be deployed across multiple Availability Zones](networkfirewall-controls.md#networkfirewall-1) 
+  [[NetworkFirewall.2] Network Firewall logging should be enabled](networkfirewall-controls.md#networkfirewall-2) 
+  [[NetworkFirewall.3] Network Firewall policies should have at least one rule group associated](networkfirewall-controls.md#networkfirewall-3) 
+  [[NetworkFirewall.4] The default stateless action for Network Firewall policies should be drop or forward for full packets](networkfirewall-controls.md#networkfirewall-4) 
+  [[NetworkFirewall.5] The default stateless action for Network Firewall policies should be drop or forward for fragmented packets](networkfirewall-controls.md#networkfirewall-5) 
+  [[NetworkFirewall.6] Stateless Network Firewall rule group should not be empty](networkfirewall-controls.md#networkfirewall-6) 
+  [[NetworkFirewall.9] Network Firewall firewalls should have deletion protection enabled](networkfirewall-controls.md#networkfirewall-9) 
+  [[NetworkFirewall.10] Network Firewall firewalls should have subnet change protection enabled](networkfirewall-controls.md#networkfirewall-10) 
+  [[Opensearch.1] OpenSearch domains should have encryption at rest enabled](opensearch-controls.md#opensearch-1) 
+  [[Opensearch.2] OpenSearch domains should not be publicly accessible](opensearch-controls.md#opensearch-2) 
+  [[Opensearch.3] OpenSearch domains should encrypt data sent between nodes](opensearch-controls.md#opensearch-3) 
+  [[Opensearch.4] OpenSearch domain error logging to CloudWatch Logs should be enabled](opensearch-controls.md#opensearch-4) 
+  [[Opensearch.5] OpenSearch domains should have audit logging enabled](opensearch-controls.md#opensearch-5) 
+  [[Opensearch.6] OpenSearch domains should have at least three data nodes](opensearch-controls.md#opensearch-6) 
+  [[Opensearch.7] OpenSearch domains should have fine-grained access control enabled](opensearch-controls.md#opensearch-7) 
+  [[Opensearch.8] Connections to OpenSearch domains should be encrypted using the latest TLS security policy](opensearch-controls.md#opensearch-8) 
+  [[Opensearch.9] OpenSearch domains should be tagged](opensearch-controls.md#opensearch-9) 
+  [[Opensearch.10] OpenSearch domains should have the latest software update installed](opensearch-controls.md#opensearch-10) 
+  [[Opensearch.11] OpenSearch domains should have at least three dedicated primary nodes](opensearch-controls.md#opensearch-11) 
+  [[PCA.1] Amazon Private CA root certificate authority should be disabled](pca-controls.md#pca-1) 
+  [[PCA.2] Amazon Private CA certificate authorities should be tagged](pca-controls.md#pca-2) 
+  [[RDS.14] Amazon Aurora clusters should have backtracking enabled](rds-controls.md#rds-14) 
+  [[RDS.18] RDS instances should be deployed in a VPC](rds-controls.md#rds-18) 
+  [[RDS.24] RDS Database clusters should use a custom administrator username](rds-controls.md#rds-24) 
+  [[RDS.25] RDS database instances should use a custom administrator username](rds-controls.md#rds-25) 
+  [[RDS.26] RDS DB instances should be protected by a backup plan](rds-controls.md#rds-26) 
+  [[RDS.27] RDS DB clusters should be encrypted at rest](rds-controls.md#rds-27) 
+  [[RDS.31] RDS DB security groups should be tagged](rds-controls.md#rds-31) 
+  [[RDS.34] Aurora MySQL DB clusters should publish audit logs to CloudWatch Logs](rds-controls.md#rds-34) 
+  [[RDS.35] RDS DB clusters should have automatic minor version upgrade enabled](rds-controls.md#rds-35) 
+  [[RDS.36] RDS for PostgreSQL DB instances should publish logs to CloudWatch Logs](rds-controls.md#rds-36) 
+  [[RDS.37] Aurora PostgreSQL DB clusters should publish logs to CloudWatch Logs](rds-controls.md#rds-37) 
+  [[RDS.38] RDS for PostgreSQL DB instances should be encrypted in transit](rds-controls.md#rds-38) 
+  [[RDS.39] RDS for MySQL DB instances should be encrypted in transit](rds-controls.md#rds-39) 
+  [[RDS.40] RDS for SQL Server DB instances should publish logs to CloudWatch Logs](rds-controls.md#rds-40) 
+  [[RDS.41] RDS for SQL Server DB instances should be encrypted in transit](rds-controls.md#rds-41) 
+  [[RDS.42] RDS for MariaDB DB instances should publish logs to CloudWatch Logs](rds-controls.md#rds-42) 
+  [[RDS.43] RDS DB proxies should require TLS encryption for connections](rds-controls.md#rds-43) 
+  [[RDS.44] RDS for MariaDB DB instances should be encrypted in transit](rds-controls.md#rds-44) 
+  [[RDS.45] Aurora MySQL DB clusters should have audit logging enabled](rds-controls.md#rds-45) 
+  [[RDS.46] RDS DB instances should not be deployed in public subnets with routes to internet gateways](rds-controls.md#rds-46) 
+  [[RDS.47] RDS for PostgreSQL DB clusters should be configured to copy tags to DB snapshots](rds-controls.md#rds-47) 
+  [[RDS.48] RDS for MySQL DB clusters should be configured to copy tags to DB snapshots](rds-controls.md#rds-48) 
+  [[Redshift.8] Amazon Redshift clusters should not use the default Admin username](redshift-controls.md#redshift-8) 
+  [[Redshift.10] Redshift clusters should be encrypted at rest](redshift-controls.md#redshift-10) 
+  [[Redshift.15] Redshift security groups should allow ingress on the cluster port only from restricted origins](redshift-controls.md#redshift-15) 
+  [[Redshift.16] Redshift cluster subnet groups should have subnets from multiple Availability Zones](redshift-controls.md#redshift-16) 
+  [[Redshift.17] Redshift cluster parameter groups should be tagged](redshift-controls.md#redshift-17) 
+  [[Redshift.18] Redshift clusters should have Multi-AZ deployments enabled](redshift-controls.md#redshift-18) 
+  [[RedshiftServerless.1] Amazon Redshift Serverless workgroups should use enhanced VPC routing](redshiftserverless-controls.md#redshiftserverless-1) 
+  [[RedshiftServerless.2] Connections to Redshift Serverless workgroups should be required to use SSL](redshiftserverless-controls.md#redshiftserverless-2) 
+  [[RedshiftServerless.3] Redshift Serverless workgroups should prohibit public access](redshiftserverless-controls.md#redshiftserverless-3) 
+  [[RedshiftServerless.4] Redshift Serverless namespaces should be encrypted with customer managed Amazon KMS keys](redshiftserverless-controls.md#redshiftserverless-4) 
+  [[RedshiftServerless.5] Redshift Serverless namespaces should not use the default admin username](redshiftserverless-controls.md#redshiftserverless-5) 
+  [[RedshiftServerless.6] Redshift Serverless namespaces should export logs to CloudWatch Logs](redshiftserverless-controls.md#redshiftserverless-6) 
+  [[Route53.1] Route 53 health checks should be tagged](route53-controls.md#route53-1) 
+  [[Route53.2] Route 53 public hosted zones should log DNS queries](route53-controls.md#route53-2) 
+  [[S3.7] S3 general purpose buckets should use cross-Region replication](s3-controls.md#s3-7) 
+  [[S3.10] S3 general purpose buckets with versioning enabled should have Lifecycle configurations](s3-controls.md#s3-10) 
+  [[S3.11] S3 general purpose buckets should have event notifications enabled](s3-controls.md#s3-11) 
+  [[S3.12] ACLs should not be used to manage user access to S3 general purpose buckets](s3-controls.md#s3-12) 
+  [[S3.13] S3 general purpose buckets should have Lifecycle configurations](s3-controls.md#s3-13) 
+  [[S3.19] S3 access points should have block public access settings enabled](s3-controls.md#s3-19) 
+  [[S3.20] S3 general purpose buckets should have MFA delete enabled](s3-controls.md#s3-20) 
+  [[S3.22] S3 general purpose buckets should log object-level write events](s3-controls.md#s3-22) 
+  [[S3.23] S3 general purpose buckets should log object-level read events](s3-controls.md#s3-23) 
+  [[S3.24] S3 Multi-Region Access Points should have block public access settings enabled](s3-controls.md#s3-24) 
+  [[S3.25] S3 directory buckets should have lifecycle configurations](s3-controls.md#s3-25) 
+  [[SageMaker.1] Amazon SageMaker notebook instances should not have direct internet access](sagemaker-controls.md#sagemaker-1) 
+  [[SageMaker.2] SageMaker notebook instances should be launched in a custom VPC](sagemaker-controls.md#sagemaker-2) 
+  [[SageMaker.3] Users should not have root access to SageMaker notebook instances](sagemaker-controls.md#sagemaker-3) 
+  [[SageMaker.4] SageMaker endpoint production variants should have an initial instance count greater than 1](sagemaker-controls.md#sagemaker-4) 
+  [[SageMaker.5] SageMaker models should have network isolation enabled](sagemaker-controls.md#sagemaker-5) 
+  [[SageMaker.6] SageMaker app image configurations should be tagged](sagemaker-controls.md#sagemaker-6) 
+  [[SageMaker.7] SageMaker images should be tagged](sagemaker-controls.md#sagemaker-7) 
+  [[SageMaker.8] SageMaker notebook instances should run on supported platforms](sagemaker-controls.md#sagemaker-8) 
+  [[SageMaker.9] SageMaker data quality job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-9) 
+  [[SageMaker.10] SageMaker model explainability job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-10) 
+  [[SageMaker.11] SageMaker data quality job definitions should have network isolation enabled](sagemaker-controls.md#sagemaker-11) 
+  [[SageMaker.12] SageMaker model bias job definitions should have network isolation enabled](sagemaker-controls.md#sagemaker-12) 
+  [[SageMaker.13] SageMaker model quality job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-13) 
+  [[SageMaker.14] SageMaker monitoring schedules should have network isolation enabled](sagemaker-controls.md#sagemaker-14) 
+  [[SageMaker.15] SageMaker model bias job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-15) 
+  [[SES.1] SES contact lists should be tagged](ses-controls.md#ses-1) 
+  [[SES.2] SES configuration sets should be tagged](ses-controls.md#ses-2) 
+  [[SES.3] SES configuration sets should have TLS enabled for sending emails](ses-controls.md#ses-3) 
+  [[ServiceCatalog.1] Service Catalog portfolios should be shared within an Amazon organization only](servicecatalog-controls.md#servicecatalog-1) 
+  [[SNS.4] SNS topic access policies should not allow public access](sns-controls.md#sns-4) 
+  [[SQS.1] Amazon SQS queues should be encrypted at rest](sqs-controls.md#sqs-1) 
+  [[SQS.2] SQS queues should be tagged](sqs-controls.md#sqs-2) 
+  [[SQS.3] SQS queue access policies should not allow public access](sqs-controls.md#sqs-3) 
+  [[SSM.3] Amazon EC2 instances managed by Systems Manager should have an association compliance status of COMPLIANT](ssm-controls.md#ssm-3) 
+  [[SSM.4] SSM documents should not be public](ssm-controls.md#ssm-4) 
+  [[SSM.5] SSM documents should be tagged](ssm-controls.md#ssm-5) 
+  [[SSM.6] SSM Automation should have CloudWatch logging enabled](ssm-controls.md#ssm-6) 
+  [[SSM.7] SSM documents should have the block public sharing setting enabled](ssm-controls.md#ssm-7) 
+  [[StepFunctions.1] Step Functions state machines should have logging turned on](stepfunctions-controls.md#stepfunctions-1) 
+  [[Transfer.1] Amazon Transfer Family workflows should be tagged](transfer-controls.md#transfer-1) 
+  [[Transfer.2] Transfer Family servers should not use FTP protocol for endpoint connection](transfer-controls.md#transfer-2) 
+  [[Transfer.3] Transfer Family connectors should have logging enabled](transfer-controls.md#transfer-3) 
+  [[Transfer.4] Transfer Family agreements should be tagged](transfer-controls.md#transfer-4) 
+  [[Transfer.5] Transfer Family certificates should be tagged](transfer-controls.md#transfer-5) 
+  [[Transfer.6] Transfer Family connectors should be tagged](transfer-controls.md#transfer-6) 
+  [[Transfer.7] Transfer Family profiles should be tagged](transfer-controls.md#transfer-7) 
+  [[WAF.1] Amazon WAF Classic Global Web ACL logging should be enabled](waf-controls.md#waf-1) 
+  [[WAF.2] Amazon WAF Classic Regional rules should have at least one condition](waf-controls.md#waf-2) 
+  [[WAF.3] Amazon WAF Classic Regional rule groups should have at least one rule](waf-controls.md#waf-3) 
+  [[WAF.4] Amazon WAF Classic Regional web ACLs should have at least one rule or rule group](waf-controls.md#waf-4) 
+  [[WAF.6] Amazon WAF Classic global rules should have at least one condition](waf-controls.md#waf-6) 
+  [[WAF.7] Amazon WAF Classic global rule groups should have at least one rule](waf-controls.md#waf-7) 
+  [[WAF.8] Amazon WAF Classic global web ACLs should have at least one rule or rule group](waf-controls.md#waf-8) 
+  [[WAF.10] Amazon WAF web ACLs should have at least one rule or rule group](waf-controls.md#waf-10) 
+  [[WAF.12] Amazon WAF rules should have CloudWatch metrics enabled](waf-controls.md#waf-12) 
+  [[WorkSpaces.1] WorkSpaces user volumes should be encrypted at rest](workspaces-controls.md#workspaces-1) 
+  [[WorkSpaces.2] WorkSpaces root volumes should be encrypted at rest](workspaces-controls.md#workspaces-2) 

## Asia Pacific (Tokyo)


The following controls are not supported in the Asia Pacific (Tokyo) Region.
+  [[AppSync.1] Amazon AppSync API caches should be encrypted at rest](appsync-controls.md#appsync-1) 
+  [[AppSync.6] Amazon AppSync API caches should be encrypted in transit](appsync-controls.md#appsync-6) 
+  [[CloudFront.1] CloudFront distributions should have a default root object configured](cloudfront-controls.md#cloudfront-1) 
+  [[CloudFront.3] CloudFront distributions should require encryption in transit](cloudfront-controls.md#cloudfront-3) 
+  [[CloudFront.4] CloudFront distributions should have origin failover configured](cloudfront-controls.md#cloudfront-4) 
+  [[CloudFront.5] CloudFront distributions should have logging enabled](cloudfront-controls.md#cloudfront-5) 
+  [[CloudFront.6] CloudFront distributions should have WAF enabled](cloudfront-controls.md#cloudfront-6) 
+  [[CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates](cloudfront-controls.md#cloudfront-7) 
+  [[CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests](cloudfront-controls.md#cloudfront-8) 
+  [[CloudFront.9] CloudFront distributions should encrypt traffic to custom origins](cloudfront-controls.md#cloudfront-9) 
+  [[CloudFront.10] CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins](cloudfront-controls.md#cloudfront-10) 
+  [[CloudFront.12] CloudFront distributions should not point to non-existent S3 origins](cloudfront-controls.md#cloudfront-12) 
+  [[CloudFront.13] CloudFront distributions should use origin access control](cloudfront-controls.md#cloudfront-13) 
+  [[CloudFront.14] CloudFront distributions should be tagged](cloudfront-controls.md#cloudfront-14) 
+  [[CloudFront.15] CloudFront distributions should use the recommended TLS security policy](cloudfront-controls.md#cloudfront-15) 
+  [[CloudFront.16] CloudFront distributions should use origin access control for Lambda function URL origins](cloudfront-controls.md#cloudfront-16) 
+  [[CloudFront.17] CloudFront distributions should use trusted key groups for signed URLs and cookies](cloudfront-controls.md#cloudfront-17) 
+  [[EC2.173] EC2 Spot Fleet requests with launch parameters should enable encryption for attached EBS volumes](ec2-controls.md#ec2-173) 
+  [[ECR.4] ECR public repositories should be tagged](ecr-controls.md#ecr-4) 
+  [[FraudDetector.1] Amazon Fraud Detector entity types should be tagged](frauddetector-controls.md#frauddetector-1) 
+  [[FraudDetector.2] Amazon Fraud Detector labels should be tagged](frauddetector-controls.md#frauddetector-2) 
+  [[FraudDetector.3] Amazon Fraud Detector outcomes should be tagged](frauddetector-controls.md#frauddetector-3) 
+  [[FraudDetector.4] Amazon Fraud Detector variables should be tagged](frauddetector-controls.md#frauddetector-4) 
+  [[GlobalAccelerator.1] Global Accelerator accelerators should be tagged](globalaccelerator-controls.md#globalaccelerator-1) 
+  [[IAM.26] Expired SSL/TLS certificates managed in IAM should be removed](iam-controls.md#iam-26) 
+  [[IoTTwinMaker.4] Amazon IoT TwinMaker entities should be tagged](iottwinmaker-controls.md#iottwinmaker-4) 
+  [[Route53.1] Route 53 health checks should be tagged](route53-controls.md#route53-1) 
+  [[Route53.2] Route 53 public hosted zones should log DNS queries](route53-controls.md#route53-2) 
+  [[S3.24] S3 Multi-Region Access Points should have block public access settings enabled](s3-controls.md#s3-24) 
+  [[WAF.1] Amazon WAF Classic Global Web ACL logging should be enabled](waf-controls.md#waf-1) 
+  [[WAF.6] Amazon WAF Classic global rules should have at least one condition](waf-controls.md#waf-6) 
+  [[WAF.7] Amazon WAF Classic global rule groups should have at least one rule](waf-controls.md#waf-7) 
+  [[WAF.8] Amazon WAF Classic global web ACLs should have at least one rule or rule group](waf-controls.md#waf-8) 

## Canada (Central)


The following controls are not supported in the Canada (Central) Region.
+  [[AppRunner.1] App Runner services should be tagged](apprunner-controls.md#apprunner-1) 
+  [[AppRunner.2] App Runner VPC connectors should be tagged](apprunner-controls.md#apprunner-2) 
+  [[AppSync.1] Amazon AppSync API caches should be encrypted at rest](appsync-controls.md#appsync-1) 
+  [[AppSync.6] Amazon AppSync API caches should be encrypted in transit](appsync-controls.md#appsync-6) 
+  [[CloudFront.1] CloudFront distributions should have a default root object configured](cloudfront-controls.md#cloudfront-1) 
+  [[CloudFront.3] CloudFront distributions should require encryption in transit](cloudfront-controls.md#cloudfront-3) 
+  [[CloudFront.4] CloudFront distributions should have origin failover configured](cloudfront-controls.md#cloudfront-4) 
+  [[CloudFront.5] CloudFront distributions should have logging enabled](cloudfront-controls.md#cloudfront-5) 
+  [[CloudFront.6] CloudFront distributions should have WAF enabled](cloudfront-controls.md#cloudfront-6) 
+  [[CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates](cloudfront-controls.md#cloudfront-7) 
+  [[CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests](cloudfront-controls.md#cloudfront-8) 
+  [[CloudFront.9] CloudFront distributions should encrypt traffic to custom origins](cloudfront-controls.md#cloudfront-9) 
+  [[CloudFront.10] CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins](cloudfront-controls.md#cloudfront-10) 
+  [[CloudFront.12] CloudFront distributions should not point to non-existent S3 origins](cloudfront-controls.md#cloudfront-12) 
+  [[CloudFront.13] CloudFront distributions should use origin access control](cloudfront-controls.md#cloudfront-13) 
+  [[CloudFront.14] CloudFront distributions should be tagged](cloudfront-controls.md#cloudfront-14) 
+  [[CloudFront.15] CloudFront distributions should use the recommended TLS security policy](cloudfront-controls.md#cloudfront-15) 
+  [[CloudFront.16] CloudFront distributions should use origin access control for Lambda function URL origins](cloudfront-controls.md#cloudfront-16) 
+  [[CloudFront.17] CloudFront distributions should use trusted key groups for signed URLs and cookies](cloudfront-controls.md#cloudfront-17) 
+  [[CodeArtifact.1] CodeArtifact repositories should be tagged](codeartifact-controls.md#codeartifact-1) 
+  [[CodeGuruProfiler.1] CodeGuru Profiler profiling groups should be tagged](codeguruprofiler-controls.md#codeguruprofiler-1) 
+  [[CodeGuruReviewer.1] CodeGuru Reviewer repository associations should be tagged](codegurureviewer-controls.md#codegurureviewer-1) 
+  [[DynamoDB.3] DynamoDB Accelerator (DAX) clusters should be encrypted at rest](dynamodb-controls.md#dynamodb-3) 
+  [[DynamoDB.7] DynamoDB Accelerator clusters should be encrypted in transit](dynamodb-controls.md#dynamodb-7) 
+  [[EC2.24] Amazon EC2 paravirtual instance types should not be used](ec2-controls.md#ec2-24) 
+  [[EC2.173] EC2 Spot Fleet requests with launch parameters should enable encryption for attached EBS volumes](ec2-controls.md#ec2-173) 
+  [[ECR.4] ECR public repositories should be tagged](ecr-controls.md#ecr-4) 
+  [[FraudDetector.1] Amazon Fraud Detector entity types should be tagged](frauddetector-controls.md#frauddetector-1) 
+  [[FraudDetector.2] Amazon Fraud Detector labels should be tagged](frauddetector-controls.md#frauddetector-2) 
+  [[FraudDetector.3] Amazon Fraud Detector outcomes should be tagged](frauddetector-controls.md#frauddetector-3) 
+  [[FraudDetector.4] Amazon Fraud Detector variables should be tagged](frauddetector-controls.md#frauddetector-4) 
+  [[GlobalAccelerator.1] Global Accelerator accelerators should be tagged](globalaccelerator-controls.md#globalaccelerator-1) 
+  [[IAM.26] Expired SSL/TLS certificates managed in IAM should be removed](iam-controls.md#iam-26) 
+  [[Inspector.3] Amazon Inspector Lambda code scanning should be enabled](inspector-controls.md#inspector-3) 
+  [[IoTTwinMaker.1] Amazon IoT TwinMaker sync jobs should be tagged](iottwinmaker-controls.md#iottwinmaker-1) 
+  [[IoTTwinMaker.2] Amazon IoT TwinMaker workspaces should be tagged](iottwinmaker-controls.md#iottwinmaker-2) 
+  [[IoTTwinMaker.3] Amazon IoT TwinMaker scenes should be tagged](iottwinmaker-controls.md#iottwinmaker-3) 
+  [[IoTTwinMaker.4] Amazon IoT TwinMaker entities should be tagged](iottwinmaker-controls.md#iottwinmaker-4) 
+  [[IoTWireless.1] Amazon IoT Wireless multicast groups should be tagged](iotwireless-controls.md#iotwireless-1) 
+  [[IoTWireless.2] Amazon IoT Wireless service profiles should be tagged](iotwireless-controls.md#iotwireless-2) 
+  [[IoTWireless.3] Amazon IoT FUOTA tasks should be tagged](iotwireless-controls.md#iotwireless-3) 
+  [[IVS.1] IVS playback key pairs should be tagged](ivs-controls.md#ivs-1) 
+  [[IVS.2] IVS recording configurations should be tagged](ivs-controls.md#ivs-2) 
+  [[IVS.3] IVS channels should be tagged](ivs-controls.md#ivs-3) 
+  [[Kinesis.3] Kinesis streams should have an adequate data retention period](kinesis-controls.md#kinesis-3) 
+  [[RDS.31] RDS DB security groups should be tagged](rds-controls.md#rds-31) 
+  [[Route53.1] Route 53 health checks should be tagged](route53-controls.md#route53-1) 
+  [[Route53.2] Route 53 public hosted zones should log DNS queries](route53-controls.md#route53-2) 
+  [[S3.24] S3 Multi-Region Access Points should have block public access settings enabled](s3-controls.md#s3-24) 
+  [[S3.25] S3 directory buckets should have lifecycle configurations](s3-controls.md#s3-25) 
+  [[WAF.1] Amazon WAF Classic Global Web ACL logging should be enabled](waf-controls.md#waf-1) 
+  [[WAF.6] Amazon WAF Classic global rules should have at least one condition](waf-controls.md#waf-6) 
+  [[WAF.7] Amazon WAF Classic global rule groups should have at least one rule](waf-controls.md#waf-7) 
+  [[WAF.8] Amazon WAF Classic global web ACLs should have at least one rule or rule group](waf-controls.md#waf-8) 

## Canada West (Calgary)


The following controls are not supported in the Canada West (Calgary) Region.
+  [[ACM.1] Imported and ACM-issued certificates should be renewed after a specified time period](acm-controls.md#acm-1) 
+  [[ACM.2] RSA certificates managed by ACM should use a key length of at least 2,048 bits](acm-controls.md#acm-2) 
+  [[Account.1] Security contact information should be provided for an Amazon Web Services account](account-controls.md#account-1) 
+  [[Account.2] Amazon Web Services accounts should be part of an Amazon Organizations organization](account-controls.md#account-2) 
+  [[APIGateway.8] API Gateway routes should specify an authorization type](apigateway-controls.md#apigateway-8) 
+  [[APIGateway.9] Access logging should be configured for API Gateway V2 Stages](apigateway-controls.md#apigateway-9) 
+  [[Amplify.1] Amplify apps should be tagged](amplify-controls.md#amplify-1) 
+  [[Amplify.2] Amplify branches should be tagged](amplify-controls.md#amplify-2) 
+  [[AppConfig.1] Amazon AppConfig applications should be tagged](appconfig-controls.md#appconfig-1) 
+  [[AppConfig.2] Amazon AppConfig configuration profiles should be tagged](appconfig-controls.md#appconfig-2) 
+  [[AppConfig.3] Amazon AppConfig environments should be tagged](appconfig-controls.md#appconfig-3) 
+  [[AppConfig.4] Amazon AppConfig extension associations should be tagged](appconfig-controls.md#appconfig-4) 
+  [[AppFlow.1] Amazon AppFlow flows should be tagged](appflow-controls.md#appflow-1) 
+  [[AppRunner.1] App Runner services should be tagged](apprunner-controls.md#apprunner-1) 
+  [[AppRunner.2] App Runner VPC connectors should be tagged](apprunner-controls.md#apprunner-2) 
+  [[AppSync.1] Amazon AppSync API caches should be encrypted at rest](appsync-controls.md#appsync-1) 
+  [[AppSync.2] Amazon AppSync should have field-level logging enabled](appsync-controls.md#appsync-2) 
+  [[AppSync.5] Amazon AppSync GraphQL APIs should not be authenticated with API keys](appsync-controls.md#appsync-5) 
+  [[AppSync.6] Amazon AppSync API caches should be encrypted in transit](appsync-controls.md#appsync-6) 
+  [[Athena.4] Athena workgroups should have logging enabled](athena-controls.md#athena-4) 
+  [[AutoScaling.2] Amazon EC2 Auto Scaling group should cover multiple Availability Zones](autoscaling-controls.md#autoscaling-2) 
+  [[AutoScaling.3] Auto Scaling group launch configurations should configure EC2 instances to require Instance Metadata Service Version 2 (IMDSv2)](autoscaling-controls.md#autoscaling-3) 
+  [[AutoScaling.6] Auto Scaling groups should use multiple instance types in multiple Availability Zones](autoscaling-controls.md#autoscaling-6) 
+  [[AutoScaling.9] Amazon EC2 Auto Scaling groups should use Amazon EC2 launch templates](autoscaling-controls.md#autoscaling-9) 
+  [[Backup.1] Amazon Backup recovery points should be encrypted at rest](backup-controls.md#backup-1) 
+  [[Backup.4] Amazon Backup report plans should be tagged](backup-controls.md#backup-4) 
+  [[Batch.1] Batch job queues should be tagged](batch-controls.md#batch-1) 
+  [[Batch.3] Batch compute environments should be tagged](batch-controls.md#batch-3) 
+  [[Batch.4] Compute resources properties in managed Batch compute environments should be tagged](batch-controls.md#batch-4) 
+  [[CloudFormation.3] CloudFormation stacks should have termination protection enabled](cloudformation-controls.md#cloudformation-3) 
+  [[CloudFormation.4] CloudFormation stacks should have associated service roles](cloudformation-controls.md#cloudformation-4) 
+  [[CloudFront.1] CloudFront distributions should have a default root object configured](cloudfront-controls.md#cloudfront-1) 
+  [[CloudFront.3] CloudFront distributions should require encryption in transit](cloudfront-controls.md#cloudfront-3) 
+  [[CloudFront.4] CloudFront distributions should have origin failover configured](cloudfront-controls.md#cloudfront-4) 
+  [[CloudFront.5] CloudFront distributions should have logging enabled](cloudfront-controls.md#cloudfront-5) 
+  [[CloudFront.6] CloudFront distributions should have WAF enabled](cloudfront-controls.md#cloudfront-6) 
+  [[CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates](cloudfront-controls.md#cloudfront-7) 
+  [[CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests](cloudfront-controls.md#cloudfront-8) 
+  [[CloudFront.9] CloudFront distributions should encrypt traffic to custom origins](cloudfront-controls.md#cloudfront-9) 
+  [[CloudFront.10] CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins](cloudfront-controls.md#cloudfront-10) 
+  [[CloudFront.12] CloudFront distributions should not point to non-existent S3 origins](cloudfront-controls.md#cloudfront-12) 
+  [[CloudFront.13] CloudFront distributions should use origin access control](cloudfront-controls.md#cloudfront-13) 
+  [[CloudFront.14] CloudFront distributions should be tagged](cloudfront-controls.md#cloudfront-14) 
+  [[CloudFront.15] CloudFront distributions should use the recommended TLS security policy](cloudfront-controls.md#cloudfront-15) 
+  [[CloudFront.16] CloudFront distributions should use origin access control for Lambda function URL origins](cloudfront-controls.md#cloudfront-16) 
+  [[CloudFront.17] CloudFront distributions should use trusted key groups for signed URLs and cookies](cloudfront-controls.md#cloudfront-17) 
+  [[CloudTrail.6] Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible](cloudtrail-controls.md#cloudtrail-6) 
+  [[CloudTrail.7] Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket](cloudtrail-controls.md#cloudtrail-7) 
+  [[CloudTrail.10] CloudTrail Lake event data stores should be encrypted with customer managed Amazon KMS keys](cloudtrail-controls.md#cloudtrail-10) 
+  [[CloudWatch.17] CloudWatch alarm actions should be activated](cloudwatch-controls.md#cloudwatch-17) 
+  [[CodeArtifact.1] CodeArtifact repositories should be tagged](codeartifact-controls.md#codeartifact-1) 
+  [[CodeBuild.1] CodeBuild Bitbucket source repository URLs should not contain sensitive credentials](codebuild-controls.md#codebuild-1) 
+  [[CodeBuild.2] CodeBuild project environment variables should not contain clear text credentials](codebuild-controls.md#codebuild-2) 
+  [[CodeBuild.3] CodeBuild S3 logs should be encrypted](codebuild-controls.md#codebuild-3) 
+  [[CodeBuild.4] CodeBuild project environments should have a logging Amazon Configuration](codebuild-controls.md#codebuild-4) 
+  [[CodeBuild.7] CodeBuild report group exports should be encrypted at rest](codebuild-controls.md#codebuild-7) 
+  [[CodeGuruProfiler.1] CodeGuru Profiler profiling groups should be tagged](codeguruprofiler-controls.md#codeguruprofiler-1) 
+  [[CodeGuruReviewer.1] CodeGuru Reviewer repository associations should be tagged](codegurureviewer-controls.md#codegurureviewer-1) 
+  [[Cognito.1] Cognito user pools should have threat protection activated with full function enforcement mode for standard authentication](cognito-controls.md#cognito-1) 
+  [[Cognito.2] Cognito identity pools should not allow unauthenticated identities](cognito-controls.md#cognito-2) 
+  [[Connect.1] Amazon Connect Customer Profiles object types should be tagged](connect-controls.md#connect-1) 
+  [[Connect.2] Amazon Connect instances should have CloudWatch logging enabled](connect-controls.md#connect-2) 
+  [[DataFirehose.1] Firehose delivery streams should be encrypted at rest](datafirehose-controls.md#datafirehose-1) 
+  [[DataSync.1] DataSync tasks should have logging enabled](datasync-controls.md#datasync-1) 
+  [[Detective.1] Detective behavior graphs should be tagged](detective-controls.md#detective-1) 
+  [[DMS.2] DMS certificates should be tagged](dms-controls.md#dms-2) 
+  [[DMS.3] DMS event subscriptions should be tagged](dms-controls.md#dms-3) 
+  [[DMS.4] DMS replication instances should be tagged](dms-controls.md#dms-4) 
+  [[DMS.5] DMS replication subnet groups should be tagged](dms-controls.md#dms-5) 
+  [[DMS.6] DMS replication instances should have automatic minor version upgrade enabled](dms-controls.md#dms-6) 
+  [[DMS.7] DMS replication tasks for the target database should have logging enabled](dms-controls.md#dms-7) 
+  [[DMS.8] DMS replication tasks for the source database should have logging enabled](dms-controls.md#dms-8) 
+  [[DMS.9] DMS endpoints should use SSL](dms-controls.md#dms-9) 
+  [[DMS.10] DMS endpoints for Neptune databases should have IAM authorization enabled](dms-controls.md#dms-10) 
+  [[DMS.11] DMS endpoints for MongoDB should have an authentication mechanism enabled](dms-controls.md#dms-11) 
+  [[DMS.12] DMS endpoints for Redis OSS should have TLS enabled](dms-controls.md#dms-12) 
+  [[DMS.13] DMS replication instances should be configured to use multiple Availability Zones](dms-controls.md#dms-13) 
+  [[DocumentDB.1] Amazon DocumentDB clusters should be encrypted at rest](documentdb-controls.md#documentdb-1) 
+  [[DocumentDB.2] Amazon DocumentDB clusters should have an adequate backup retention period](documentdb-controls.md#documentdb-2) 
+  [[DocumentDB.3] Amazon DocumentDB manual cluster snapshots should not be public](documentdb-controls.md#documentdb-3) 
+  [[DocumentDB.4] Amazon DocumentDB clusters should publish audit logs to CloudWatch Logs](documentdb-controls.md#documentdb-4) 
+  [[DocumentDB.5] Amazon DocumentDB clusters should have deletion protection enabled](documentdb-controls.md#documentdb-5) 
+  [[DocumentDB.6] Amazon DocumentDB clusters should be encrypted in transit](documentdb-controls.md#documentdb-6) 
+  [[DynamoDB.3] DynamoDB Accelerator (DAX) clusters should be encrypted at rest](dynamodb-controls.md#dynamodb-3) 
+  [[DynamoDB.4] DynamoDB tables should be present in a backup plan](dynamodb-controls.md#dynamodb-4) 
+  [[DynamoDB.6] DynamoDB tables should have deletion protection enabled](dynamodb-controls.md#dynamodb-6) 
+  [[DynamoDB.7] DynamoDB Accelerator clusters should be encrypted in transit](dynamodb-controls.md#dynamodb-7) 
+  [[EC2.4] Stopped EC2 instances should be removed after a specified time period](ec2-controls.md#ec2-4) 
+  [[EC2.21] Network ACLs should not allow ingress from 0.0.0.0/0 to port 22 or port 3389](ec2-controls.md#ec2-21) 
+  [[EC2.22] Unused Amazon EC2 security groups should be removed](ec2-controls.md#ec2-22) 
+  [[EC2.23] Amazon EC2 Transit Gateways should not automatically accept VPC attachment requests](ec2-controls.md#ec2-23) 
+  [[EC2.24] Amazon EC2 paravirtual instance types should not be used](ec2-controls.md#ec2-24) 
+  [[EC2.25] Amazon EC2 launch templates should not assign public IPs to network interfaces](ec2-controls.md#ec2-25) 
+  [[EC2.28] EBS volumes should be covered by a backup plan](ec2-controls.md#ec2-28) 
+  [[EC2.34] EC2 transit gateway route tables should be tagged](ec2-controls.md#ec2-34) 
+  [[EC2.40] EC2 NAT gateways should be tagged](ec2-controls.md#ec2-40) 
+  [[EC2.51] EC2 Client VPN endpoints should have client connection logging enabled](ec2-controls.md#ec2-51) 
+  [[EC2.53] EC2 security groups should not allow ingress from 0.0.0.0/0 to remote server administration ports](ec2-controls.md#ec2-53) 
+  [[EC2.54] EC2 security groups should not allow ingress from ::/0 to remote server administration ports](ec2-controls.md#ec2-54) 
+  [[EC2.55] VPCs should be configured with an interface endpoint for ECR API](ec2-controls.md#ec2-55) 
+  [[EC2.56] VPCs should be configured with an interface endpoint for Docker Registry](ec2-controls.md#ec2-56) 
+  [[EC2.57] VPCs should be configured with an interface endpoint for Systems Manager](ec2-controls.md#ec2-57) 
+  [[EC2.58] VPCs should be configured with an interface endpoint for Systems Manager Incident Manager Contacts](ec2-controls.md#ec2-58) 
+  [[EC2.60] VPCs should be configured with an interface endpoint for Systems Manager Incident Manager](ec2-controls.md#ec2-60) 
+  [[EC2.170] EC2 launch templates should use Instance Metadata Service Version 2 (IMDSv2)](ec2-controls.md#ec2-170) 
+  [[EC2.171] EC2 VPN connections should have logging enabled](ec2-controls.md#ec2-171) 
+  [[EC2.173] EC2 Spot Fleet requests with launch parameters should enable encryption for attached EBS volumes](ec2-controls.md#ec2-173) 
+  [[EC2.175] EC2 launch templates should be tagged](ec2-controls.md#ec2-175) 
+  [[EC2.177] EC2 traffic mirror sessions should be tagged](ec2-controls.md#ec2-177) 
+  [[EC2.179] EC2 traffic mirror targets should be tagged](ec2-controls.md#ec2-179) 
+  [[EC2.180] EC2 network interfaces should have source/destination checking enabled](ec2-controls.md#ec2-180) 
+  [[EC2.181] EC2 launch templates should enable encryption for attached EBS volumes](ec2-controls.md#ec2-181) 
+  [[ECR.1] ECR private repositories should have image scanning configured](ecr-controls.md#ecr-1) 
+  [[ECR.2] ECR private repositories should have tag immutability configured](ecr-controls.md#ecr-2) 
+  [[ECR.3] ECR repositories should have at least one lifecycle policy configured](ecr-controls.md#ecr-3) 
+  [[ECR.4] ECR public repositories should be tagged](ecr-controls.md#ecr-4) 
+  [[ECR.5] ECR repositories should be encrypted with customer managed Amazon KMS keys](ecr-controls.md#ecr-5) 
+  [[ECS.3] ECS task definitions should not share the host's process namespace](ecs-controls.md#ecs-3) 
+  [[ECS.4] ECS containers should run as non-privileged](ecs-controls.md#ecs-4) 
+  [[ECS.5] ECS task definitions should configure containers to be limited to read-only access to root filesystems](ecs-controls.md#ecs-5) 
+  [[ECS.8] Secrets should not be passed as container environment variables](ecs-controls.md#ecs-8) 
+  [[ECS.9] ECS task definitions should have a logging configuration](ecs-controls.md#ecs-9) 
+  [[ECS.10] ECS Fargate services should run on the latest Fargate platform version](ecs-controls.md#ecs-10) 
+  [[ECS.12] ECS clusters should use Container Insights](ecs-controls.md#ecs-12) 
+  [[ECS.16] ECS task sets should not automatically assign public IP addresses](ecs-controls.md#ecs-16) 
+  [[ECS.17] ECS task definitions should not use host network mode](ecs-controls.md#ecs-17) 
+  [[EFS.1] Elastic File System should be configured to encrypt file data at-rest using Amazon KMS](efs-controls.md#efs-1) 
+  [[EFS.2] Amazon EFS volumes should be in backup plans](efs-controls.md#efs-2) 
+  [[EFS.3] EFS access points should enforce a root directory](efs-controls.md#efs-3) 
+  [[EFS.4] EFS access points should enforce a user identity](efs-controls.md#efs-4) 
+  [[EFS.6] EFS mount targets should not be associated with subnets that assign public IP addresses on launch](efs-controls.md#efs-6) 
+  [[EFS.7] EFS file systems should have automatic backups enabled](efs-controls.md#efs-7) 
+  [[EFS.8] EFS file systems should be encrypted at rest](efs-controls.md#efs-8) 
+  [[EKS.2] EKS clusters should run on a supported Kubernetes version](eks-controls.md#eks-2) 
+  [[EKS.3] EKS clusters should use encrypted Kubernetes secrets](eks-controls.md#eks-3) 
+  [[EKS.7] EKS identity provider configurations should be tagged](eks-controls.md#eks-7) 
+  [[EKS.8] EKS clusters should have audit logging enabled](eks-controls.md#eks-8) 
+  [[ELB.2] Classic Load Balancers with SSL/HTTPS listeners should use a certificate provided by Amazon Certificate Manager](elb-controls.md#elb-2) 
+  [[ELB.10] Classic Load Balancer should span multiple Availability Zones](elb-controls.md#elb-10) 
+  [[ELB.12] Application Load Balancer should be configured with defensive or strictest desync mitigation mode](elb-controls.md#elb-12) 
+  [[ELB.13] Application, Network and Gateway Load Balancers should span multiple Availability Zones](elb-controls.md#elb-13) 
+  [[ELB.14] Classic Load Balancer should be configured with defensive or strictest desync mitigation mode](elb-controls.md#elb-14) 
+  [[ELB.17] Application and Network Load Balancers with listeners should use recommended security policies](elb-controls.md#elb-17) 
+  [[ELB.18] Application and Network Load Balancer listeners should use secure protocols to encrypt data in transit](elb-controls.md#elb-18) 
+  [[ElastiCache.1] ElastiCache (Redis OSS) clusters should have automatic backups enabled](elasticache-controls.md#elasticache-1) 
+  [[ElastiCache.2] ElastiCache clusters should have automatic minor version upgrades enabled](elasticache-controls.md#elasticache-2) 
+  [[ElastiCache.3] ElastiCache replication groups should have automatic failover enabled](elasticache-controls.md#elasticache-3) 
+  [[ElastiCache.4] ElastiCache replication groups should be encrypted at rest](elasticache-controls.md#elasticache-4) 
+  [[ElastiCache.5] ElastiCache replication groups should be encrypted in transit](elasticache-controls.md#elasticache-5) 
+  [[ElastiCache.6] ElastiCache (Redis OSS) replication groups of earlier versions should have Redis OSS AUTH enabled](elasticache-controls.md#elasticache-6) 
+  [[ElastiCache.7] ElastiCache clusters should not use the default subnet group](elasticache-controls.md#elasticache-7) 
+  [[ElasticBeanstalk.1] Elastic Beanstalk environments should have enhanced health reporting enabled](elasticbeanstalk-controls.md#elasticbeanstalk-1) 
+  [[ElasticBeanstalk.2] Elastic Beanstalk managed platform updates should be enabled](elasticbeanstalk-controls.md#elasticbeanstalk-2) 
+  [[ElasticBeanstalk.3] Elastic Beanstalk should stream logs to CloudWatch](elasticbeanstalk-controls.md#elasticbeanstalk-3) 
+  [[EMR.1] Amazon EMR cluster primary nodes should not have public IP addresses](emr-controls.md#emr-1) 
+  [[EMR.2] Amazon EMR block public access setting should be enabled](emr-controls.md#emr-2) 
+  [[ES.4] Elasticsearch domain error logging to CloudWatch Logs should be enabled](es-controls.md#es-4) 
+  [[EventBridge.3] EventBridge custom event buses should have a resource-based policy attached](eventbridge-controls.md#eventbridge-3) 
+  [[EventBridge.4] EventBridge global endpoints should have event replication enabled](eventbridge-controls.md#eventbridge-4) 
+  [[FraudDetector.1] Amazon Fraud Detector entity types should be tagged](frauddetector-controls.md#frauddetector-1) 
+  [[FraudDetector.2] Amazon Fraud Detector labels should be tagged](frauddetector-controls.md#frauddetector-2) 
+  [[FraudDetector.3] Amazon Fraud Detector outcomes should be tagged](frauddetector-controls.md#frauddetector-3) 
+  [[FraudDetector.4] Amazon Fraud Detector variables should be tagged](frauddetector-controls.md#frauddetector-4) 
+  [[FSx.1] FSx for OpenZFS file systems should be configured to copy tags to backups and volumes](fsx-controls.md#fsx-1) 
+  [[FSx.2] FSx for Lustre file systems should be configured to copy tags to backups](fsx-controls.md#fsx-2) 
+  [[FSx.3] FSx for OpenZFS file systems should be configured for Multi-AZ deployment](fsx-controls.md#fsx-3) 
+  [[FSx.4] FSx for NetApp ONTAP file systems should be configured for Multi-AZ deployment](fsx-controls.md#fsx-4) 
+  [[FSx.5] FSx for Windows File Server file systems should be configured for Multi-AZ deployment](fsx-controls.md#fsx-5) 
+  [[GlobalAccelerator.1] Global Accelerator accelerators should be tagged](globalaccelerator-controls.md#globalaccelerator-1) 
+  [[Glue.3] Amazon Glue machine learning transforms should be encrypted at rest](glue-controls.md#glue-3) 
+  [[Glue.4] Amazon Glue Spark jobs should run on supported versions of Amazon Glue](glue-controls.md#glue-4) 
+  [[GuardDuty.2] GuardDuty filters should be tagged](guardduty-controls.md#guardduty-2) 
+  [[GuardDuty.5] GuardDuty EKS Audit Log Monitoring should be enabled](guardduty-controls.md#guardduty-5) 
+  [[GuardDuty.6] GuardDuty Lambda Protection should be enabled](guardduty-controls.md#guardduty-6) 
+  [[GuardDuty.7] GuardDuty EKS Runtime Monitoring should be enabled](guardduty-controls.md#guardduty-7) 
+  [[GuardDuty.8] GuardDuty Malware Protection for EC2 should be enabled](guardduty-controls.md#guardduty-8) 
+  [[GuardDuty.9] GuardDuty RDS Protection should be enabled](guardduty-controls.md#guardduty-9) 
+  [[GuardDuty.10] GuardDuty S3 Protection should be enabled](guardduty-controls.md#guardduty-10) 
+  [[GuardDuty.11] GuardDuty Runtime Monitoring should be enabled](guardduty-controls.md#guardduty-11) 
+  [[GuardDuty.12] GuardDuty ECS Runtime Monitoring should be enabled](guardduty-controls.md#guardduty-12) 
+  [[GuardDuty.13] GuardDuty EC2 Runtime Monitoring should be enabled](guardduty-controls.md#guardduty-13) 
+  [[IAM.1] IAM policies should not allow full "*" administrative privileges](iam-controls.md#iam-1) 
+  [[IAM.2] IAM users should not have IAM policies attached](iam-controls.md#iam-2) 
+  [[IAM.3] IAM users' access keys should be rotated every 90 days or less](iam-controls.md#iam-3) 
+  [[IAM.4] IAM root user access key should not exist](iam-controls.md#iam-4) 
+  [[IAM.5] MFA should be enabled for all IAM users that have a console password](iam-controls.md#iam-5) 
+  [[IAM.6] Hardware MFA should be enabled for the root user](iam-controls.md#iam-6) 
+  [[IAM.7] Password policies for IAM users should have strong configurations](iam-controls.md#iam-7) 
+  [[IAM.8] Unused IAM user credentials should be removed](iam-controls.md#iam-8) 
+  [[IAM.9] MFA should be enabled for the root user](iam-controls.md#iam-9) 
+  [[IAM.10] Password policies for IAM users should have strong configurations](iam-controls.md#iam-10) 
+  [[IAM.11] Ensure IAM password policy requires at least one uppercase letter](iam-controls.md#iam-11) 
+  [[IAM.12] Ensure IAM password policy requires at least one lowercase letter](iam-controls.md#iam-12) 
+  [[IAM.13] Ensure IAM password policy requires at least one symbol](iam-controls.md#iam-13) 
+  [[IAM.14] Ensure IAM password policy requires at least one number](iam-controls.md#iam-14) 
+  [[IAM.15] Ensure IAM password policy requires minimum password length of 14 or greater](iam-controls.md#iam-15) 
+  [[IAM.16] Ensure IAM password policy prevents password reuse](iam-controls.md#iam-16) 
+  [[IAM.17] Ensure IAM password policy expires passwords within 90 days or less](iam-controls.md#iam-17) 
+  [[IAM.18] Ensure a support role has been created to manage incidents with Amazon Web Services Support](iam-controls.md#iam-18) 
+  [[IAM.19] MFA should be enabled for all IAM users](iam-controls.md#iam-19) 
+  [[IAM.21] IAM customer managed policies that you create should not allow wildcard actions for services](iam-controls.md#iam-21) 
+  [[IAM.22] IAM user credentials unused for 45 days should be removed](iam-controls.md#iam-22) 
+  [[IAM.24] IAM roles should be tagged](iam-controls.md#iam-24) 
+  [[IAM.25] IAM users should be tagged](iam-controls.md#iam-25) 
+  [[IAM.26] Expired SSL/TLS certificates managed in IAM should be removed](iam-controls.md#iam-26) 
+  [[IAM.27] IAM identities should not have the AWSCloudShellFullAccess policy attached](iam-controls.md#iam-27) 
+  [[IAM.28] IAM Access Analyzer external access analyzer should be enabled](iam-controls.md#iam-28) 
+  [[Inspector.1] Amazon Inspector EC2 scanning should be enabled](inspector-controls.md#inspector-1) 
+  [[Inspector.2] Amazon Inspector ECR scanning should be enabled](inspector-controls.md#inspector-2) 
+  [[Inspector.3] Amazon Inspector Lambda code scanning should be enabled](inspector-controls.md#inspector-3) 
+  [[Inspector.4] Amazon Inspector Lambda standard scanning should be enabled](inspector-controls.md#inspector-4) 
+  [[IoT.1] Amazon IoT Device Defender security profiles should be tagged](iot-controls.md#iot-1) 
+  [[IoT.2] Amazon IoT Core mitigation actions should be tagged](iot-controls.md#iot-2) 
+  [[IoT.3] Amazon IoT Core dimensions should be tagged](iot-controls.md#iot-3) 
+  [[IoT.4] Amazon IoT Core authorizers should be tagged](iot-controls.md#iot-4) 
+  [[IoT.5] Amazon IoT Core role aliases should be tagged](iot-controls.md#iot-5) 
+  [[IoT.6] Amazon IoT Core policies should be tagged](iot-controls.md#iot-6) 
+  [[IoTEvents.1] Amazon IoT Events inputs should be tagged](iotevents-controls.md#iotevents-1) 
+  [[IoTEvents.2] Amazon IoT Events detector models should be tagged](iotevents-controls.md#iotevents-2) 
+  [[IoTEvents.3] Amazon IoT Events alarm models should be tagged](iotevents-controls.md#iotevents-3) 
+  [[IoTSiteWise.1] Amazon IoT SiteWise asset models should be tagged](iotsitewise-controls.md#iotsitewise-1) 
+  [[IoTSiteWise.2] Amazon IoT SiteWise dashboards should be tagged](iotsitewise-controls.md#iotsitewise-2) 
+  [[IoTSiteWise.3] Amazon IoT SiteWise gateways should be tagged](iotsitewise-controls.md#iotsitewise-3) 
+  [[IoTSiteWise.4] Amazon IoT SiteWise portals should be tagged](iotsitewise-controls.md#iotsitewise-4) 
+  [[IoTSiteWise.5] Amazon IoT SiteWise projects should be tagged](iotsitewise-controls.md#iotsitewise-5) 
+  [[IoTTwinMaker.1] Amazon IoT TwinMaker sync jobs should be tagged](iottwinmaker-controls.md#iottwinmaker-1) 
+  [[IoTTwinMaker.2] Amazon IoT TwinMaker workspaces should be tagged](iottwinmaker-controls.md#iottwinmaker-2) 
+  [[IoTTwinMaker.3] Amazon IoT TwinMaker scenes should be tagged](iottwinmaker-controls.md#iottwinmaker-3) 
+  [[IoTTwinMaker.4] Amazon IoT TwinMaker entities should be tagged](iottwinmaker-controls.md#iottwinmaker-4) 
+  [[IoTWireless.1] Amazon IoT Wireless multicast groups should be tagged](iotwireless-controls.md#iotwireless-1) 
+  [[IoTWireless.2] Amazon IoT Wireless service profiles should be tagged](iotwireless-controls.md#iotwireless-2) 
+  [[IoTWireless.3] Amazon IoT FUOTA tasks should be tagged](iotwireless-controls.md#iotwireless-3) 
+  [[IVS.1] IVS playback key pairs should be tagged](ivs-controls.md#ivs-1) 
+  [[IVS.2] IVS recording configurations should be tagged](ivs-controls.md#ivs-2) 
+  [[IVS.3] IVS channels should be tagged](ivs-controls.md#ivs-3) 
+  [[Keyspaces.1] Amazon Keyspaces keyspaces should be tagged](keyspaces-controls.md#keyspaces-1) 
+  [[Kinesis.1] Kinesis streams should be encrypted at rest](kinesis-controls.md#kinesis-1) 
+  [[Kinesis.3] Kinesis streams should have an adequate data retention period](kinesis-controls.md#kinesis-3) 
+  [[KMS.1] IAM customer managed policies should not allow decryption actions on all KMS keys](kms-controls.md#kms-1) 
+  [[KMS.2] IAM principals should not have IAM inline policies that allow decryption actions on all KMS keys](kms-controls.md#kms-2) 
+  [[KMS.5] KMS keys should not be publicly accessible](kms-controls.md#kms-5) 
+  [[Lambda.5] VPC Lambda functions should operate in multiple Availability Zones](lambda-controls.md#lambda-5) 
+  [[Lambda.7] Lambda functions should have Amazon X-Ray active tracing enabled](lambda-controls.md#lambda-7) 
+  [[Macie.1] Amazon Macie should be enabled](macie-controls.md#macie-1) 
+  [[Macie.2] Macie automated sensitive data discovery should be enabled](macie-controls.md#macie-2) 
+  [[MQ.2] ActiveMQ brokers should stream audit logs to CloudWatch](mq-controls.md#mq-2) 
+  [[MQ.4] Amazon MQ brokers should be tagged](mq-controls.md#mq-4) 
+  [[MQ.5] ActiveMQ brokers should use active/standby deployment mode](mq-controls.md#mq-5) 
+  [[MQ.6] RabbitMQ brokers should use cluster deployment mode](mq-controls.md#mq-6) 
+  [[MSK.1] MSK clusters should be encrypted in transit among broker nodes](msk-controls.md#msk-1) 
+  [[MSK.2] MSK clusters should have enhanced monitoring configured](msk-controls.md#msk-2) 
+  [[MSK.3] MSK Connect connectors should be encrypted in transit](msk-controls.md#msk-3) 
+  [[MSK.4] MSK clusters should have public access disabled](msk-controls.md#msk-4) 
+  [[MSK.5] MSK connectors should have logging enabled](msk-controls.md#msk-5) 
+  [[MSK.6] MSK clusters should disable unauthenticated access](msk-controls.md#msk-6) 
+  [[Neptune.1] Neptune DB clusters should be encrypted at rest](neptune-controls.md#neptune-1) 
+  [[Neptune.2] Neptune DB clusters should publish audit logs to CloudWatch Logs](neptune-controls.md#neptune-2) 
+  [[Neptune.3] Neptune DB cluster snapshots should not be public](neptune-controls.md#neptune-3) 
+  [[Neptune.4] Neptune DB clusters should have deletion protection enabled](neptune-controls.md#neptune-4) 
+  [[Neptune.5] Neptune DB clusters should have automated backups enabled](neptune-controls.md#neptune-5) 
+  [[Neptune.6] Neptune DB cluster snapshots should be encrypted at rest](neptune-controls.md#neptune-6) 
+  [[Neptune.7] Neptune DB clusters should have IAM database authentication enabled](neptune-controls.md#neptune-7) 
+  [[Neptune.8] Neptune DB clusters should be configured to copy tags to snapshots](neptune-controls.md#neptune-8) 
+  [[Neptune.9] Neptune DB clusters should be deployed across multiple Availability Zones](neptune-controls.md#neptune-9) 
+  [[NetworkFirewall.1] Network Firewall firewalls should be deployed across multiple Availability Zones](networkfirewall-controls.md#networkfirewall-1) 
+  [[NetworkFirewall.2] Network Firewall logging should be enabled](networkfirewall-controls.md#networkfirewall-2) 
+  [[NetworkFirewall.3] Network Firewall policies should have at least one rule group associated](networkfirewall-controls.md#networkfirewall-3) 
+  [[NetworkFirewall.4] The default stateless action for Network Firewall policies should be drop or forward for full packets](networkfirewall-controls.md#networkfirewall-4) 
+  [[NetworkFirewall.5] The default stateless action for Network Firewall policies should be drop or forward for fragmented packets](networkfirewall-controls.md#networkfirewall-5) 
+  [[NetworkFirewall.6] Stateless Network Firewall rule group should not be empty](networkfirewall-controls.md#networkfirewall-6) 
+  [[NetworkFirewall.9] Network Firewall firewalls should have deletion protection enabled](networkfirewall-controls.md#networkfirewall-9) 
+  [[NetworkFirewall.10] Network Firewall firewalls should have subnet change protection enabled](networkfirewall-controls.md#networkfirewall-10) 
+  [[Opensearch.1] OpenSearch domains should have encryption at rest enabled](opensearch-controls.md#opensearch-1) 
+  [[Opensearch.2] OpenSearch domains should not be publicly accessible](opensearch-controls.md#opensearch-2) 
+  [[Opensearch.3] OpenSearch domains should encrypt data sent between nodes](opensearch-controls.md#opensearch-3) 
+  [[Opensearch.4] OpenSearch domain error logging to CloudWatch Logs should be enabled](opensearch-controls.md#opensearch-4) 
+  [[Opensearch.5] OpenSearch domains should have audit logging enabled](opensearch-controls.md#opensearch-5) 
+  [[Opensearch.6] OpenSearch domains should have at least three data nodes](opensearch-controls.md#opensearch-6) 
+  [[Opensearch.7] OpenSearch domains should have fine-grained access control enabled](opensearch-controls.md#opensearch-7) 
+  [[Opensearch.8] Connections to OpenSearch domains should be encrypted using the latest TLS security policy](opensearch-controls.md#opensearch-8) 
+  [[Opensearch.9] OpenSearch domains should be tagged](opensearch-controls.md#opensearch-9) 
+  [[Opensearch.10] OpenSearch domains should have the latest software update installed](opensearch-controls.md#opensearch-10) 
+  [[Opensearch.11] OpenSearch domains should have at least three dedicated primary nodes](opensearch-controls.md#opensearch-11) 
+  [[PCA.1] Amazon Private CA root certificate authority should be disabled](pca-controls.md#pca-1) 
+  [[RDS.14] Amazon Aurora clusters should have backtracking enabled](rds-controls.md#rds-14) 
+  [[RDS.18] RDS instances should be deployed in a VPC](rds-controls.md#rds-18) 
+  [[RDS.24] RDS Database clusters should use a custom administrator username](rds-controls.md#rds-24) 
+  [[RDS.25] RDS database instances should use a custom administrator username](rds-controls.md#rds-25) 
+  [[RDS.26] RDS DB instances should be protected by a backup plan](rds-controls.md#rds-26) 
+  [[RDS.27] RDS DB clusters should be encrypted at rest](rds-controls.md#rds-27) 
+  [[RDS.31] RDS DB security groups should be tagged](rds-controls.md#rds-31) 
+  [[RDS.34] Aurora MySQL DB clusters should publish audit logs to CloudWatch Logs](rds-controls.md#rds-34) 
+  [[RDS.35] RDS DB clusters should have automatic minor version upgrade enabled](rds-controls.md#rds-35) 
+  [[RDS.36] RDS for PostgreSQL DB instances should publish logs to CloudWatch Logs](rds-controls.md#rds-36) 
+  [[RDS.37] Aurora PostgreSQL DB clusters should publish logs to CloudWatch Logs](rds-controls.md#rds-37) 
+  [[RDS.38] RDS for PostgreSQL DB instances should be encrypted in transit](rds-controls.md#rds-38) 
+  [[RDS.39] RDS for MySQL DB instances should be encrypted in transit](rds-controls.md#rds-39) 
+  [[RDS.40] RDS for SQL Server DB instances should publish logs to CloudWatch Logs](rds-controls.md#rds-40) 
+  [[RDS.41] RDS for SQL Server DB instances should be encrypted in transit](rds-controls.md#rds-41) 
+  [[RDS.42] RDS for MariaDB DB instances should publish logs to CloudWatch Logs](rds-controls.md#rds-42) 
+  [[RDS.43] RDS DB proxies should require TLS encryption for connections](rds-controls.md#rds-43) 
+  [[RDS.44] RDS for MariaDB DB instances should be encrypted in transit](rds-controls.md#rds-44) 
+  [[RDS.45] Aurora MySQL DB clusters should have audit logging enabled](rds-controls.md#rds-45) 
+  [[RDS.46] RDS DB instances should not be deployed in public subnets with routes to internet gateways](rds-controls.md#rds-46) 
+  [[Redshift.8] Amazon Redshift clusters should not use the default Admin username](redshift-controls.md#redshift-8) 
+  [[Redshift.10] Redshift clusters should be encrypted at rest](redshift-controls.md#redshift-10) 
+  [[Redshift.15] Redshift security groups should allow ingress on the cluster port only from restricted origins](redshift-controls.md#redshift-15) 
+  [[Redshift.16] Redshift cluster subnet groups should have subnets from multiple Availability Zones](redshift-controls.md#redshift-16) 
+  [[Redshift.18] Redshift clusters should have Multi-AZ deployments enabled](redshift-controls.md#redshift-18) 
+  [[RedshiftServerless.1] Amazon Redshift Serverless workgroups should use enhanced VPC routing](redshiftserverless-controls.md#redshiftserverless-1) 
+  [[RedshiftServerless.2] Connections to Redshift Serverless workgroups should be required to use SSL](redshiftserverless-controls.md#redshiftserverless-2) 
+  [[RedshiftServerless.3] Redshift Serverless workgroups should prohibit public access](redshiftserverless-controls.md#redshiftserverless-3) 
+  [[RedshiftServerless.4] Redshift Serverless namespaces should be encrypted with customer managed Amazon KMS keys](redshiftserverless-controls.md#redshiftserverless-4) 
+  [[RedshiftServerless.5] Redshift Serverless namespaces should not use the default admin username](redshiftserverless-controls.md#redshiftserverless-5) 
+  [[RedshiftServerless.6] Redshift Serverless namespaces should export logs to CloudWatch Logs](redshiftserverless-controls.md#redshiftserverless-6) 
+  [[Route53.1] Route 53 health checks should be tagged](route53-controls.md#route53-1) 
+  [[Route53.2] Route 53 public hosted zones should log DNS queries](route53-controls.md#route53-2) 
+  [[S3.7] S3 general purpose buckets should use cross-Region replication](s3-controls.md#s3-7) 
+  [[S3.10] S3 general purpose buckets with versioning enabled should have Lifecycle configurations](s3-controls.md#s3-10) 
+  [[S3.11] S3 general purpose buckets should have event notifications enabled](s3-controls.md#s3-11) 
+  [[S3.12] ACLs should not be used to manage user access to S3 general purpose buckets](s3-controls.md#s3-12) 
+  [[S3.13] S3 general purpose buckets should have Lifecycle configurations](s3-controls.md#s3-13) 
+  [[S3.19] S3 access points should have block public access settings enabled](s3-controls.md#s3-19) 
+  [[S3.20] S3 general purpose buckets should have MFA delete enabled](s3-controls.md#s3-20) 
+  [[S3.22] S3 general purpose buckets should log object-level write events](s3-controls.md#s3-22) 
+  [[S3.23] S3 general purpose buckets should log object-level read events](s3-controls.md#s3-23) 
+  [[S3.24] S3 Multi-Region Access Points should have block public access settings enabled](s3-controls.md#s3-24) 
+  [[S3.25] S3 directory buckets should have lifecycle configurations](s3-controls.md#s3-25) 
+  [[SageMaker.1] Amazon SageMaker notebook instances should not have direct internet access](sagemaker-controls.md#sagemaker-1) 
+  [[SageMaker.2] SageMaker notebook instances should be launched in a custom VPC](sagemaker-controls.md#sagemaker-2) 
+  [[SageMaker.3] Users should not have root access to SageMaker notebook instances](sagemaker-controls.md#sagemaker-3) 
+  [[SageMaker.4] SageMaker endpoint production variants should have an initial instance count greater than 1](sagemaker-controls.md#sagemaker-4) 
+  [[SageMaker.5] SageMaker models should have network isolation enabled](sagemaker-controls.md#sagemaker-5) 
+  [[SageMaker.6] SageMaker app image configurations should be tagged](sagemaker-controls.md#sagemaker-6) 
+  [[SageMaker.7] SageMaker images should be tagged](sagemaker-controls.md#sagemaker-7) 
+  [[SageMaker.8] SageMaker notebook instances should run on supported platforms](sagemaker-controls.md#sagemaker-8) 
+  [[SageMaker.9] SageMaker data quality job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-9) 
+  [[SageMaker.10] SageMaker model explainability job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-10) 
+  [[SageMaker.11] SageMaker data quality job definitions should have network isolation enabled](sagemaker-controls.md#sagemaker-11) 
+  [[SageMaker.12] SageMaker model bias job definitions should have network isolation enabled](sagemaker-controls.md#sagemaker-12) 
+  [[SageMaker.13] SageMaker model quality job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-13) 
+  [[SageMaker.14] SageMaker monitoring schedules should have network isolation enabled](sagemaker-controls.md#sagemaker-14) 
+  [[SageMaker.15] SageMaker model bias job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-15) 
+  [[SES.3] SES configuration sets should have TLS enabled for sending emails](ses-controls.md#ses-3) 
+  [[ServiceCatalog.1] Service Catalog portfolios should be shared within an Amazon organization only](servicecatalog-controls.md#servicecatalog-1) 
+  [[SNS.4] SNS topic access policies should not allow public access](sns-controls.md#sns-4) 
+  [[SQS.1] Amazon SQS queues should be encrypted at rest](sqs-controls.md#sqs-1) 
+  [[SQS.2] SQS queues should be tagged](sqs-controls.md#sqs-2) 
+  [[SQS.3] SQS queue access policies should not allow public access](sqs-controls.md#sqs-3) 
+  [[SSM.4] SSM documents should not be public](ssm-controls.md#ssm-4) 
+  [[SSM.6] SSM Automation should have CloudWatch logging enabled](ssm-controls.md#ssm-6) 
+  [[SSM.7] SSM documents should have the block public sharing setting enabled](ssm-controls.md#ssm-7) 
+  [[StepFunctions.1] Step Functions state machines should have logging turned on](stepfunctions-controls.md#stepfunctions-1) 
+  [[Transfer.2] Transfer Family servers should not use FTP protocol for endpoint connection](transfer-controls.md#transfer-2) 
+  [[Transfer.3] Transfer Family connectors should have logging enabled](transfer-controls.md#transfer-3) 
+  [[Transfer.4] Transfer Family agreements should be tagged](transfer-controls.md#transfer-4) 
+  [[WAF.1] Amazon WAF Classic Global Web ACL logging should be enabled](waf-controls.md#waf-1) 
+  [[WAF.2] Amazon WAF Classic Regional rules should have at least one condition](waf-controls.md#waf-2) 
+  [[WAF.3] Amazon WAF Classic Regional rule groups should have at least one rule](waf-controls.md#waf-3) 
+  [[WAF.4] Amazon WAF Classic Regional web ACLs should have at least one rule or rule group](waf-controls.md#waf-4) 
+  [[WAF.6] Amazon WAF Classic global rules should have at least one condition](waf-controls.md#waf-6) 
+  [[WAF.7] Amazon WAF Classic global rule groups should have at least one rule](waf-controls.md#waf-7) 
+  [[WAF.8] Amazon WAF Classic global web ACLs should have at least one rule or rule group](waf-controls.md#waf-8) 
+  [[WAF.10] Amazon WAF web ACLs should have at least one rule or rule group](waf-controls.md#waf-10) 
+  [[WAF.12] Amazon WAF rules should have CloudWatch metrics enabled](waf-controls.md#waf-12) 
+  [[WorkSpaces.1] WorkSpaces user volumes should be encrypted at rest](workspaces-controls.md#workspaces-1) 
+  [[WorkSpaces.2] WorkSpaces root volumes should be encrypted at rest](workspaces-controls.md#workspaces-2) 

## China (Beijing)

The following controls are not supported in the China (Beijing) Region.
+  [[ACM.1] Imported and ACM-issued certificates should be renewed after a specified time period](acm-controls.md#acm-1) 
+  [[ACM.2] RSA certificates managed by ACM should use a key length of at least 2,048 bits](acm-controls.md#acm-2) 
+  [[Account.2] Amazon Web Services accounts should be part of an Amazon Organizations organization](account-controls.md#account-2) 
+  [[APIGateway.2] API Gateway REST API stages should be configured to use SSL certificates for backend authentication](apigateway-controls.md#apigateway-2) 
+  [[APIGateway.10] API Gateway V2 integrations should use HTTPS for private connections](apigateway-controls.md#apigateway-10) 
+  [[Amplify.1] Amplify apps should be tagged](amplify-controls.md#amplify-1) 
+  [[Amplify.2] Amplify branches should be tagged](amplify-controls.md#amplify-2) 
+  [[AppConfig.1] Amazon AppConfig applications should be tagged](appconfig-controls.md#appconfig-1) 
+  [[AppConfig.2] Amazon AppConfig configuration profiles should be tagged](appconfig-controls.md#appconfig-2) 
+  [[AppConfig.3] Amazon AppConfig environments should be tagged](appconfig-controls.md#appconfig-3) 
+  [[AppConfig.4] Amazon AppConfig extension associations should be tagged](appconfig-controls.md#appconfig-4) 
+  [[AppFlow.1] Amazon AppFlow flows should be tagged](appflow-controls.md#appflow-1) 
+  [[AppRunner.1] App Runner services should be tagged](apprunner-controls.md#apprunner-1) 
+  [[AppRunner.2] App Runner VPC connectors should be tagged](apprunner-controls.md#apprunner-2) 
+  [[AppSync.1] Amazon AppSync API caches should be encrypted at rest](appsync-controls.md#appsync-1) 
+  [[AppSync.6] Amazon AppSync API caches should be encrypted in transit](appsync-controls.md#appsync-6) 
+  [[Backup.1] Amazon Backup recovery points should be encrypted at rest](backup-controls.md#backup-1) 
+  [[Backup.4] Amazon Backup report plans should be tagged](backup-controls.md#backup-4) 
+  [[Batch.1] Batch job queues should be tagged](batch-controls.md#batch-1) 
+  [[Batch.2] Batch scheduling policies should be tagged](batch-controls.md#batch-2) 
+  [[Batch.3] Batch compute environments should be tagged](batch-controls.md#batch-3) 
+  [[Batch.4] Compute resources properties in managed Batch compute environments should be tagged](batch-controls.md#batch-4) 
+  [[CloudFront.1] CloudFront distributions should have a default root object configured](cloudfront-controls.md#cloudfront-1) 
+  [[CloudFront.3] CloudFront distributions should require encryption in transit](cloudfront-controls.md#cloudfront-3) 
+  [[CloudFront.4] CloudFront distributions should have origin failover configured](cloudfront-controls.md#cloudfront-4) 
+  [[CloudFront.5] CloudFront distributions should have logging enabled](cloudfront-controls.md#cloudfront-5) 
+  [[CloudFront.6] CloudFront distributions should have WAF enabled](cloudfront-controls.md#cloudfront-6) 
+  [[CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates](cloudfront-controls.md#cloudfront-7) 
+  [[CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests](cloudfront-controls.md#cloudfront-8) 
+  [[CloudFront.9] CloudFront distributions should encrypt traffic to custom origins](cloudfront-controls.md#cloudfront-9) 
+  [[CloudFront.10] CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins](cloudfront-controls.md#cloudfront-10) 
+  [[CloudFront.13] CloudFront distributions should use origin access control](cloudfront-controls.md#cloudfront-13) 
+  [[CloudFront.14] CloudFront distributions should be tagged](cloudfront-controls.md#cloudfront-14) 
+  [[CloudFront.15] CloudFront distributions should use the recommended TLS security policy](cloudfront-controls.md#cloudfront-15) 
+  [[CloudFront.16] CloudFront distributions should use origin access control for Lambda function URL origins](cloudfront-controls.md#cloudfront-16) 
+  [[CloudFront.17] CloudFront distributions should use trusted key groups for signed URLs and cookies](cloudfront-controls.md#cloudfront-17) 
+  [[CloudTrail.10] CloudTrail Lake event data stores should be encrypted with customer managed Amazon KMS keys](cloudtrail-controls.md#cloudtrail-10) 
+  [[CodeArtifact.1] CodeArtifact repositories should be tagged](codeartifact-controls.md#codeartifact-1) 
+  [[CodeGuruProfiler.1] CodeGuru Profiler profiling groups should be tagged](codeguruprofiler-controls.md#codeguruprofiler-1) 
+  [[CodeGuruReviewer.1] CodeGuru Reviewer repository associations should be tagged](codegurureviewer-controls.md#codegurureviewer-1) 
+  [[Cognito.1] Cognito user pools should have threat protection activated with full function enforcement mode for standard authentication](cognito-controls.md#cognito-1) 
+  [[Cognito.2] Cognito identity pools should not allow unauthenticated identities](cognito-controls.md#cognito-2) 
+  [[Cognito.3] Password policies for Cognito user pools should have strong configurations](cognito-controls.md#cognito-3) 
+  [[Cognito.4] Cognito user pools should have threat protection activated with full function enforcement mode for custom authentication](cognito-controls.md#cognito-4) 
+  [[Cognito.5] MFA should be enabled for Cognito user pools](cognito-controls.md#cognito-5) 
+  [[Cognito.6] Cognito user pools should have deletion protection enabled](cognito-controls.md#cognito-6) 
+  [[Connect.1] Amazon Connect Customer Profiles object types should be tagged](connect-controls.md#connect-1) 
+  [[Connect.2] Amazon Connect instances should have CloudWatch logging enabled](connect-controls.md#connect-2) 
+  [[DataFirehose.1] Firehose delivery streams should be encrypted at rest](datafirehose-controls.md#datafirehose-1) 
+  [[DataSync.2] DataSync tasks should be tagged](datasync-controls.md#datasync-2) 
+  [[Detective.1] Detective behavior graphs should be tagged](detective-controls.md#detective-1) 
+  [[DMS.10] DMS endpoints for Neptune databases should have IAM authorization enabled](dms-controls.md#dms-10) 
+  [[DMS.11] DMS endpoints for MongoDB should have an authentication mechanism enabled](dms-controls.md#dms-11) 
+  [[DMS.12] DMS endpoints for Redis OSS should have TLS enabled](dms-controls.md#dms-12) 
+  [[DocumentDB.1] Amazon DocumentDB clusters should be encrypted at rest](documentdb-controls.md#documentdb-1) 
+  [[DocumentDB.2] Amazon DocumentDB clusters should have an adequate backup retention period](documentdb-controls.md#documentdb-2) 
+  [[DocumentDB.3] Amazon DocumentDB manual cluster snapshots should not be public](documentdb-controls.md#documentdb-3) 
+  [[DocumentDB.4] Amazon DocumentDB clusters should publish audit logs to CloudWatch Logs](documentdb-controls.md#documentdb-4) 
+  [[DocumentDB.5] Amazon DocumentDB clusters should have deletion protection enabled](documentdb-controls.md#documentdb-5) 
+  [[DynamoDB.3] DynamoDB Accelerator (DAX) clusters should be encrypted at rest](dynamodb-controls.md#dynamodb-3) 
+  [[DynamoDB.4] DynamoDB tables should be present in a backup plan](dynamodb-controls.md#dynamodb-4) 
+  [[DynamoDB.7] DynamoDB Accelerator clusters should be encrypted in transit](dynamodb-controls.md#dynamodb-7) 
+  [[EC2.20] Both VPN tunnels for an Amazon Site-to-Site VPN connection should be up](ec2-controls.md#ec2-20) 
+  [[EC2.22] Unused Amazon EC2 security groups should be removed](ec2-controls.md#ec2-22) 
+  [[EC2.23] Amazon EC2 Transit Gateways should not automatically accept VPC attachment requests](ec2-controls.md#ec2-23) 
+  [[EC2.28] EBS volumes should be covered by a backup plan](ec2-controls.md#ec2-28) 
+  [[EC2.36] EC2 customer gateways should be tagged](ec2-controls.md#ec2-36) 
+  [[EC2.51] EC2 Client VPN endpoints should have client connection logging enabled](ec2-controls.md#ec2-51) 
+  [[EC2.53] EC2 security groups should not allow ingress from 0.0.0.0/0 to remote server administration ports](ec2-controls.md#ec2-53) 
+  [[EC2.54] EC2 security groups should not allow ingress from ::/0 to remote server administration ports](ec2-controls.md#ec2-54) 
+  [[EC2.58] VPCs should be configured with an interface endpoint for Systems Manager Incident Manager Contacts](ec2-controls.md#ec2-58) 
+  [[EC2.60] VPCs should be configured with an interface endpoint for Systems Manager Incident Manager](ec2-controls.md#ec2-60) 
+  [[EC2.171] EC2 VPN connections should have logging enabled](ec2-controls.md#ec2-171) 
+  [[EC2.173] EC2 Spot Fleet requests with launch parameters should enable encryption for attached EBS volumes](ec2-controls.md#ec2-173) 
+  [[EC2.174] EC2 DHCP option sets should be tagged](ec2-controls.md#ec2-174) 
+  [[EC2.175] EC2 launch templates should be tagged](ec2-controls.md#ec2-175) 
+  [[EC2.176] EC2 prefix lists should be tagged](ec2-controls.md#ec2-176) 
+  [[EC2.177] EC2 traffic mirror sessions should be tagged](ec2-controls.md#ec2-177) 
+  [[EC2.178] EC2 traffic mirror filters should be tagged](ec2-controls.md#ec2-178) 
+  [[EC2.179] EC2 traffic mirror targets should be tagged](ec2-controls.md#ec2-179) 
+  [[EC2.180] EC2 network interfaces should have source/destination checking enabled](ec2-controls.md#ec2-180) 
+  [[ECR.1] ECR private repositories should have image scanning configured](ecr-controls.md#ecr-1) 
+  [[ECR.4] ECR public repositories should be tagged](ecr-controls.md#ecr-4) 
+  [[EFS.6] EFS mount targets should not be associated with subnets that assign public IP addresses on launch](efs-controls.md#efs-6) 
+  [[EKS.3] EKS clusters should use encrypted Kubernetes secrets](eks-controls.md#eks-3) 
+  [[ELB.2] Classic Load Balancers with SSL/HTTPS listeners should use a certificate provided by Amazon Certificate Manager](elb-controls.md#elb-2) 
+  [[ELB.17] Application and Network Load Balancers with listeners should use recommended security policies](elb-controls.md#elb-17) 
+  [[ELB.21] Application and Network Load Balancer target groups should use encrypted health check protocols](elb-controls.md#elb-21) 
+  [[ELB.22] ELB target groups should use encrypted transport protocols](elb-controls.md#elb-22) 
+  [[ElastiCache.1] ElastiCache (Redis OSS) clusters should have automatic backups enabled](elasticache-controls.md#elasticache-1) 
+  [[ElasticBeanstalk.3] Elastic Beanstalk should stream logs to CloudWatch](elasticbeanstalk-controls.md#elasticbeanstalk-3) 
+  [[EMR.2] Amazon EMR block public access setting should be enabled](emr-controls.md#emr-2) 
+  [[EMR.3] Amazon EMR security configurations should be encrypted at rest](emr-controls.md#emr-3) 
+  [[EMR.4] Amazon EMR security configurations should be encrypted in transit](emr-controls.md#emr-4) 
+  [[ES.4] Elasticsearch domain error logging to CloudWatch Logs should be enabled](es-controls.md#es-4) 
+  [[EventBridge.4] EventBridge global endpoints should have event replication enabled](eventbridge-controls.md#eventbridge-4) 
+  [[FraudDetector.1] Amazon Fraud Detector entity types should be tagged](frauddetector-controls.md#frauddetector-1) 
+  [[FraudDetector.2] Amazon Fraud Detector labels should be tagged](frauddetector-controls.md#frauddetector-2) 
+  [[FraudDetector.3] Amazon Fraud Detector outcomes should be tagged](frauddetector-controls.md#frauddetector-3) 
+  [[FraudDetector.4] Amazon Fraud Detector variables should be tagged](frauddetector-controls.md#frauddetector-4) 
+  [[FSx.1] FSx for OpenZFS file systems should be configured to copy tags to backups and volumes](fsx-controls.md#fsx-1) 
+  [[FSx.2] FSx for Lustre file systems should be configured to copy tags to backups](fsx-controls.md#fsx-2) 
+  [[FSx.5] FSx for Windows File Server file systems should be configured for Multi-AZ deployment](fsx-controls.md#fsx-5) 
+  [[GlobalAccelerator.1] Global Accelerator accelerators should be tagged](globalaccelerator-controls.md#globalaccelerator-1) 
+  [[GuardDuty.3] GuardDuty IPSets should be tagged](guardduty-controls.md#guardduty-3) 
+  [[GuardDuty.4] GuardDuty detectors should be tagged](guardduty-controls.md#guardduty-4) 
+  [[GuardDuty.5] GuardDuty EKS Audit Log Monitoring should be enabled](guardduty-controls.md#guardduty-5) 
+  [[GuardDuty.6] GuardDuty Lambda Protection should be enabled](guardduty-controls.md#guardduty-6) 
+  [[GuardDuty.7] GuardDuty EKS Runtime Monitoring should be enabled](guardduty-controls.md#guardduty-7) 
+  [[GuardDuty.8] GuardDuty Malware Protection for EC2 should be enabled](guardduty-controls.md#guardduty-8) 
+  [[GuardDuty.9] GuardDuty RDS Protection should be enabled](guardduty-controls.md#guardduty-9) 
+  [[GuardDuty.10] GuardDuty S3 Protection should be enabled](guardduty-controls.md#guardduty-10) 
+  [[GuardDuty.11] GuardDuty Runtime Monitoring should be enabled](guardduty-controls.md#guardduty-11) 
+  [[GuardDuty.12] GuardDuty ECS Runtime Monitoring should be enabled](guardduty-controls.md#guardduty-12) 
+  [[GuardDuty.13] GuardDuty EC2 Runtime Monitoring should be enabled](guardduty-controls.md#guardduty-13) 
+  [[IAM.6] Hardware MFA should be enabled for the root user](iam-controls.md#iam-6) 
+  [[IAM.9] MFA should be enabled for the root user](iam-controls.md#iam-9) 
+  [[IAM.21] IAM customer managed policies that you create should not allow wildcard actions for services](iam-controls.md#iam-21) 
+  [[IAM.23] IAM Access Analyzer analyzers should be tagged](iam-controls.md#iam-23) 
+  [[IAM.24] IAM roles should be tagged](iam-controls.md#iam-24) 
+  [[IAM.25] IAM users should be tagged](iam-controls.md#iam-25) 
+  [[IAM.26] Expired SSL/TLS certificates managed in IAM should be removed](iam-controls.md#iam-26) 
+  [[IAM.27] IAM identities should not have the AWSCloudShellFullAccess policy attached](iam-controls.md#iam-27) 
+  [[IAM.28] IAM Access Analyzer external access analyzer should be enabled](iam-controls.md#iam-28) 
+  [[Inspector.1] Amazon Inspector EC2 scanning should be enabled](inspector-controls.md#inspector-1) 
+  [[Inspector.2] Amazon Inspector ECR scanning should be enabled](inspector-controls.md#inspector-2) 
+  [[Inspector.3] Amazon Inspector Lambda code scanning should be enabled](inspector-controls.md#inspector-3) 
+  [[Inspector.4] Amazon Inspector Lambda standard scanning should be enabled](inspector-controls.md#inspector-4) 
+  [[IoTEvents.1] Amazon IoT Events inputs should be tagged](iotevents-controls.md#iotevents-1) 
+  [[IoTEvents.2] Amazon IoT Events detector models should be tagged](iotevents-controls.md#iotevents-2) 
+  [[IoTEvents.3] Amazon IoT Events alarm models should be tagged](iotevents-controls.md#iotevents-3) 
+  [[IoTSiteWise.1] Amazon IoT SiteWise asset models should be tagged](iotsitewise-controls.md#iotsitewise-1) 
+  [[IoTSiteWise.2] Amazon IoT SiteWise dashboards should be tagged](iotsitewise-controls.md#iotsitewise-2) 
+  [[IoTSiteWise.3] Amazon IoT SiteWise gateways should be tagged](iotsitewise-controls.md#iotsitewise-3) 
+  [[IoTSiteWise.4] Amazon IoT SiteWise portals should be tagged](iotsitewise-controls.md#iotsitewise-4) 
+  [[IoTSiteWise.5] Amazon IoT SiteWise projects should be tagged](iotsitewise-controls.md#iotsitewise-5) 
+  [[IoTTwinMaker.1] Amazon IoT TwinMaker sync jobs should be tagged](iottwinmaker-controls.md#iottwinmaker-1) 
+  [[IoTTwinMaker.2] Amazon IoT TwinMaker workspaces should be tagged](iottwinmaker-controls.md#iottwinmaker-2) 
+  [[IoTTwinMaker.3] Amazon IoT TwinMaker scenes should be tagged](iottwinmaker-controls.md#iottwinmaker-3) 
+  [[IoTTwinMaker.4] Amazon IoT TwinMaker entities should be tagged](iottwinmaker-controls.md#iottwinmaker-4) 
+  [[IoTWireless.1] Amazon IoT Wireless multicast groups should be tagged](iotwireless-controls.md#iotwireless-1) 
+  [[IoTWireless.2] Amazon IoT Wireless service profiles should be tagged](iotwireless-controls.md#iotwireless-2) 
+  [[IoTWireless.3] Amazon IoT FUOTA tasks should be tagged](iotwireless-controls.md#iotwireless-3) 
+  [[IVS.1] IVS playback key pairs should be tagged](ivs-controls.md#ivs-1) 
+  [[IVS.2] IVS recording configurations should be tagged](ivs-controls.md#ivs-2) 
+  [[IVS.3] IVS channels should be tagged](ivs-controls.md#ivs-3) 
+  [[Keyspaces.1] Amazon Keyspaces keyspaces should be tagged](keyspaces-controls.md#keyspaces-1) 
+  [[Macie.1] Amazon Macie should be enabled](macie-controls.md#macie-1) 
+  [[Macie.2] Macie automated sensitive data discovery should be enabled](macie-controls.md#macie-2) 
+  [[MQ.2] ActiveMQ brokers should stream audit logs to CloudWatch](mq-controls.md#mq-2) 
+  [[MSK.3] MSK Connect connectors should be encrypted in transit](msk-controls.md#msk-3) 
+  [[MSK.5] MSK connectors should have logging enabled](msk-controls.md#msk-5) 
+  [[Neptune.1] Neptune DB clusters should be encrypted at rest](neptune-controls.md#neptune-1) 
+  [[Neptune.2] Neptune DB clusters should publish audit logs to CloudWatch Logs](neptune-controls.md#neptune-2) 
+  [[Neptune.3] Neptune DB cluster snapshots should not be public](neptune-controls.md#neptune-3) 
+  [[Neptune.4] Neptune DB clusters should have deletion protection enabled](neptune-controls.md#neptune-4) 
+  [[Neptune.5] Neptune DB clusters should have automated backups enabled](neptune-controls.md#neptune-5) 
+  [[Neptune.6] Neptune DB cluster snapshots should be encrypted at rest](neptune-controls.md#neptune-6) 
+  [[Neptune.7] Neptune DB clusters should have IAM database authentication enabled](neptune-controls.md#neptune-7) 
+  [[Neptune.8] Neptune DB clusters should be configured to copy tags to snapshots](neptune-controls.md#neptune-8) 
+  [[Neptune.9] Neptune DB clusters should be deployed across multiple Availability Zones](neptune-controls.md#neptune-9) 
+  [[NetworkFirewall.1] Network Firewall firewalls should be deployed across multiple Availability Zones](networkfirewall-controls.md#networkfirewall-1) 
+  [[NetworkFirewall.2] Network Firewall logging should be enabled](networkfirewall-controls.md#networkfirewall-2) 
+  [[NetworkFirewall.3] Network Firewall policies should have at least one rule group associated](networkfirewall-controls.md#networkfirewall-3) 
+  [[NetworkFirewall.4] The default stateless action for Network Firewall policies should be drop or forward for full packets](networkfirewall-controls.md#networkfirewall-4) 
+  [[NetworkFirewall.5] The default stateless action for Network Firewall policies should be drop or forward for fragmented packets](networkfirewall-controls.md#networkfirewall-5) 
+  [[NetworkFirewall.6] Stateless Network Firewall rule group should not be empty](networkfirewall-controls.md#networkfirewall-6) 
+  [[NetworkFirewall.9] Network Firewall firewalls should have deletion protection enabled](networkfirewall-controls.md#networkfirewall-9) 
+  [[NetworkFirewall.10] Network Firewall firewalls should have subnet change protection enabled](networkfirewall-controls.md#networkfirewall-10) 
+  [[Opensearch.1] OpenSearch domains should have encryption at rest enabled](opensearch-controls.md#opensearch-1) 
+  [[Opensearch.2] OpenSearch domains should not be publicly accessible](opensearch-controls.md#opensearch-2) 
+  [[Opensearch.3] OpenSearch domains should encrypt data sent between nodes](opensearch-controls.md#opensearch-3) 
+  [[Opensearch.4] OpenSearch domain error logging to CloudWatch Logs should be enabled](opensearch-controls.md#opensearch-4) 
+  [[Opensearch.5] OpenSearch domains should have audit logging enabled](opensearch-controls.md#opensearch-5) 
+  [[Opensearch.6] OpenSearch domains should have at least three data nodes](opensearch-controls.md#opensearch-6) 
+  [[Opensearch.7] OpenSearch domains should have fine-grained access control enabled](opensearch-controls.md#opensearch-7) 
+  [[Opensearch.8] Connections to OpenSearch domains should be encrypted using the latest TLS security policy](opensearch-controls.md#opensearch-8) 
+  [[Opensearch.11] OpenSearch domains should have at least three dedicated primary nodes](opensearch-controls.md#opensearch-11) 
+  [[PCA.1] Amazon Private CA root certificate authority should be disabled](pca-controls.md#pca-1) 
+  [[PCA.2] Amazon Private CA certificate authorities should be tagged](pca-controls.md#pca-2) 
+  [[RDS.7] RDS clusters should have deletion protection enabled](rds-controls.md#rds-7) 
+  [[RDS.12] IAM authentication should be configured for RDS clusters](rds-controls.md#rds-12) 
+  [[RDS.14] Amazon Aurora clusters should have backtracking enabled](rds-controls.md#rds-14) 
+  [[RDS.15] RDS DB clusters should be configured for multiple Availability Zones](rds-controls.md#rds-15) 
+  [[RDS.16] Aurora DB clusters should be configured to copy tags to DB snapshots](rds-controls.md#rds-16) 
+  [[RDS.24] RDS Database clusters should use a custom administrator username](rds-controls.md#rds-24) 
+  [[RDS.25] RDS database instances should use a custom administrator username](rds-controls.md#rds-25) 
+  [[RDS.26] RDS DB instances should be protected by a backup plan](rds-controls.md#rds-26) 
+  [[RDS.27] RDS DB clusters should be encrypted at rest](rds-controls.md#rds-27) 
+  [[RDS.28] RDS DB clusters should be tagged](rds-controls.md#rds-28) 
+  [[RDS.31] RDS DB security groups should be tagged](rds-controls.md#rds-31) 
+  [[RDS.34] Aurora MySQL DB clusters should publish audit logs to CloudWatch Logs](rds-controls.md#rds-34) 
+  [[RDS.35] RDS DB clusters should have automatic minor version upgrade enabled](rds-controls.md#rds-35) 
+  [[RDS.37] Aurora PostgreSQL DB clusters should publish logs to CloudWatch Logs](rds-controls.md#rds-37) 
+  [[RDS.42] RDS for MariaDB DB instances should publish logs to CloudWatch Logs](rds-controls.md#rds-42) 
+  [[RDS.43] RDS DB proxies should require TLS encryption for connections](rds-controls.md#rds-43) 
+  [[RDS.44] RDS for MariaDB DB instances should be encrypted in transit](rds-controls.md#rds-44) 
+  [[RDS.45] Aurora MySQL DB clusters should have audit logging enabled](rds-controls.md#rds-45) 
+  [[RDS.47] RDS for PostgreSQL DB clusters should be configured to copy tags to DB snapshots](rds-controls.md#rds-47) 
+  [[RDS.48] RDS for MySQL DB clusters should be configured to copy tags to DB snapshots](rds-controls.md#rds-48) 
+  [[RDS.50] RDS DB clusters should have enough backup retention period set](rds-controls.md#rds-50) 
+  [[Redshift.10] Redshift clusters should be encrypted at rest](redshift-controls.md#redshift-10) 
+  [[Redshift.15] Redshift security groups should allow ingress on the cluster port only from restricted origins](redshift-controls.md#redshift-15) 
+  [[Redshift.17] Redshift cluster parameter groups should be tagged](redshift-controls.md#redshift-17) 
+  [[RedshiftServerless.1] Amazon Redshift Serverless workgroups should use enhanced VPC routing](redshiftserverless-controls.md#redshiftserverless-1) 
+  [[RedshiftServerless.2] Connections to Redshift Serverless workgroups should be required to use SSL](redshiftserverless-controls.md#redshiftserverless-2) 
+  [[RedshiftServerless.3] Redshift Serverless workgroups should prohibit public access](redshiftserverless-controls.md#redshiftserverless-3) 
+  [[Route53.1] Route 53 health checks should be tagged](route53-controls.md#route53-1) 
+  [[Route53.2] Route 53 public hosted zones should log DNS queries](route53-controls.md#route53-2) 
+  [[S3.22] S3 general purpose buckets should log object-level write events](s3-controls.md#s3-22) 
+  [[S3.23] S3 general purpose buckets should log object-level read events](s3-controls.md#s3-23) 
+  [[S3.24] S3 Multi-Region Access Points should have block public access settings enabled](s3-controls.md#s3-24) 
+  [[S3.25] S3 directory buckets should have lifecycle configurations](s3-controls.md#s3-25) 
+  [[SageMaker.4] SageMaker endpoint production variants should have an initial instance count greater than 1](sagemaker-controls.md#sagemaker-4) 
+  [[SageMaker.5] SageMaker models should have network isolation enabled](sagemaker-controls.md#sagemaker-5) 
+  [[SageMaker.6] SageMaker app image configurations should be tagged](sagemaker-controls.md#sagemaker-6) 
+  [[SageMaker.7] SageMaker images should be tagged](sagemaker-controls.md#sagemaker-7) 
+  [[SageMaker.9] SageMaker data quality job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-9) 
+  [[SageMaker.10] SageMaker model explainability job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-10) 
+  [[SageMaker.11] SageMaker data quality job definitions should have network isolation enabled](sagemaker-controls.md#sagemaker-11) 
+  [[SageMaker.12] SageMaker model bias job definitions should have network isolation enabled](sagemaker-controls.md#sagemaker-12) 
+  [[SageMaker.13] SageMaker model quality job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-13) 
+  [[SageMaker.14] SageMaker monitoring schedules should have network isolation enabled](sagemaker-controls.md#sagemaker-14) 
+  [[SageMaker.15] SageMaker model bias job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-15) 
+  [[SES.1] SES contact lists should be tagged](ses-controls.md#ses-1) 
+  [[SES.2] SES configuration sets should be tagged](ses-controls.md#ses-2) 
+  [[SES.3] SES configuration sets should have TLS enabled for sending emails](ses-controls.md#ses-3) 
+  [[ServiceCatalog.1] Service Catalog portfolios should be shared within an Amazon organization only](servicecatalog-controls.md#servicecatalog-1) 
+  [[SSM.5] SSM documents should be tagged](ssm-controls.md#ssm-5) 
+  [[SSM.6] SSM Automation should have CloudWatch logging enabled](ssm-controls.md#ssm-6) 
+  [[Transfer.2] Transfer Family servers should not use FTP protocol for endpoint connection](transfer-controls.md#transfer-2) 
+  [[Transfer.4] Transfer Family agreements should be tagged](transfer-controls.md#transfer-4) 
+  [[Transfer.5] Transfer Family certificates should be tagged](transfer-controls.md#transfer-5) 
+  [[Transfer.6] Transfer Family connectors should be tagged](transfer-controls.md#transfer-6) 
+  [[Transfer.7] Transfer Family profiles should be tagged](transfer-controls.md#transfer-7) 
+  [[WAF.1] Amazon WAF Classic Global Web ACL logging should be enabled](waf-controls.md#waf-1) 
+  [[WAF.3] Amazon WAF Classic Regional rule groups should have at least one rule](waf-controls.md#waf-3) 
+  [[WAF.6] Amazon WAF Classic global rules should have at least one condition](waf-controls.md#waf-6) 
+  [[WAF.7] Amazon WAF Classic global rule groups should have at least one rule](waf-controls.md#waf-7) 
+  [[WAF.8] Amazon WAF Classic global web ACLs should have at least one rule or rule group](waf-controls.md#waf-8) 
+  [[WorkSpaces.1] WorkSpaces user volumes should be encrypted at rest](workspaces-controls.md#workspaces-1) 
+  [[WorkSpaces.2] WorkSpaces root volumes should be encrypted at rest](workspaces-controls.md#workspaces-2) 

## China (Ningxia)


The following controls are not supported in the China (Ningxia) Region.
+  [[ACM.1] Imported and ACM-issued certificates should be renewed after a specified time period](acm-controls.md#acm-1) 
+  [[ACM.2] RSA certificates managed by ACM should use a key length of at least 2,048 bits](acm-controls.md#acm-2) 
+  [[Account.2] Amazon Web Services accounts should be part of an Amazon Organizations organization](account-controls.md#account-2) 
+  [[APIGateway.2] API Gateway REST API stages should be configured to use SSL certificates for backend authentication](apigateway-controls.md#apigateway-2) 
+  [[APIGateway.10] API Gateway V2 integrations should use HTTPS for private connections](apigateway-controls.md#apigateway-10) 
+  [[Amplify.1] Amplify apps should be tagged](amplify-controls.md#amplify-1) 
+  [[Amplify.2] Amplify branches should be tagged](amplify-controls.md#amplify-2) 
+  [[AppConfig.1] Amazon AppConfig applications should be tagged](appconfig-controls.md#appconfig-1) 
+  [[AppConfig.2] Amazon AppConfig configuration profiles should be tagged](appconfig-controls.md#appconfig-2) 
+  [[AppConfig.3] Amazon AppConfig environments should be tagged](appconfig-controls.md#appconfig-3) 
+  [[AppConfig.4] Amazon AppConfig extension associations should be tagged](appconfig-controls.md#appconfig-4) 
+  [[AppFlow.1] Amazon AppFlow flows should be tagged](appflow-controls.md#appflow-1) 
+  [[AppRunner.1] App Runner services should be tagged](apprunner-controls.md#apprunner-1) 
+  [[AppRunner.2] App Runner VPC connectors should be tagged](apprunner-controls.md#apprunner-2) 
+  [[AppSync.1] Amazon AppSync API caches should be encrypted at rest](appsync-controls.md#appsync-1) 
+  [[AppSync.6] Amazon AppSync API caches should be encrypted in transit](appsync-controls.md#appsync-6) 
+  [[Backup.1] Amazon Backup recovery points should be encrypted at rest](backup-controls.md#backup-1) 
+  [[Backup.4] Amazon Backup report plans should be tagged](backup-controls.md#backup-4) 
+  [[Batch.1] Batch job queues should be tagged](batch-controls.md#batch-1) 
+  [[Batch.2] Batch scheduling policies should be tagged](batch-controls.md#batch-2) 
+  [[Batch.3] Batch compute environments should be tagged](batch-controls.md#batch-3) 
+  [[Batch.4] Compute resources properties in managed Batch compute environments should be tagged](batch-controls.md#batch-4) 
+  [[CloudFront.1] CloudFront distributions should have a default root object configured](cloudfront-controls.md#cloudfront-1) 
+  [[CloudFront.3] CloudFront distributions should require encryption in transit](cloudfront-controls.md#cloudfront-3) 
+  [[CloudFront.4] CloudFront distributions should have origin failover configured](cloudfront-controls.md#cloudfront-4) 
+  [[CloudFront.5] CloudFront distributions should have logging enabled](cloudfront-controls.md#cloudfront-5) 
+  [[CloudFront.6] CloudFront distributions should have WAF enabled](cloudfront-controls.md#cloudfront-6) 
+  [[CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates](cloudfront-controls.md#cloudfront-7) 
+  [[CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests](cloudfront-controls.md#cloudfront-8) 
+  [[CloudFront.9] CloudFront distributions should encrypt traffic to custom origins](cloudfront-controls.md#cloudfront-9) 
+  [[CloudFront.10] CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins](cloudfront-controls.md#cloudfront-10) 
+  [[CloudFront.12] CloudFront distributions should not point to non-existent S3 origins](cloudfront-controls.md#cloudfront-12) 
+  [[CloudFront.13] CloudFront distributions should use origin access control](cloudfront-controls.md#cloudfront-13) 
+  [[CloudFront.14] CloudFront distributions should be tagged](cloudfront-controls.md#cloudfront-14) 
+  [[CloudFront.15] CloudFront distributions should use the recommended TLS security policy](cloudfront-controls.md#cloudfront-15) 
+  [[CloudFront.16] CloudFront distributions should use origin access control for Lambda function URL origins](cloudfront-controls.md#cloudfront-16) 
+  [[CloudFront.17] CloudFront distributions should use trusted key groups for signed URLs and cookies](cloudfront-controls.md#cloudfront-17) 
+  [[CloudTrail.10] CloudTrail Lake event data stores should be encrypted with customer managed Amazon KMS keys](cloudtrail-controls.md#cloudtrail-10) 
+  [[CodeArtifact.1] CodeArtifact repositories should be tagged](codeartifact-controls.md#codeartifact-1) 
+  [[CodeGuruProfiler.1] CodeGuru Profiler profiling groups should be tagged](codeguruprofiler-controls.md#codeguruprofiler-1) 
+  [[CodeGuruReviewer.1] CodeGuru Reviewer repository associations should be tagged](codegurureviewer-controls.md#codegurureviewer-1) 
+  [[Cognito.1] Cognito user pools should have threat protection activated with full function enforcement mode for standard authentication](cognito-controls.md#cognito-1) 
+  [[Cognito.2] Cognito identity pools should not allow unauthenticated identities](cognito-controls.md#cognito-2) 
+  [[Cognito.3] Password policies for Cognito user pools should have strong configurations](cognito-controls.md#cognito-3) 
+  [[Cognito.4] Cognito user pools should have threat protection activated with full function enforcement mode for custom authentication](cognito-controls.md#cognito-4) 
+  [[Cognito.5] MFA should be enabled for Cognito user pools](cognito-controls.md#cognito-5) 
+  [[Cognito.6] Cognito user pools should have deletion protection enabled](cognito-controls.md#cognito-6) 
+  [[Connect.1] Amazon Connect Customer Profiles object types should be tagged](connect-controls.md#connect-1) 
+  [[Connect.2] Amazon Connect instances should have CloudWatch logging enabled](connect-controls.md#connect-2) 
+  [[DataFirehose.1] Firehose delivery streams should be encrypted at rest](datafirehose-controls.md#datafirehose-1) 
+  [[DataSync.2] DataSync tasks should be tagged](datasync-controls.md#datasync-2) 
+  [[Detective.1] Detective behavior graphs should be tagged](detective-controls.md#detective-1) 
+  [[DMS.10] DMS endpoints for Neptune databases should have IAM authorization enabled](dms-controls.md#dms-10) 
+  [[DMS.11] DMS endpoints for MongoDB should have an authentication mechanism enabled](dms-controls.md#dms-11) 
+  [[DMS.12] DMS endpoints for Redis OSS should have TLS enabled](dms-controls.md#dms-12) 
+  [[DocumentDB.3] Amazon DocumentDB manual cluster snapshots should not be public](documentdb-controls.md#documentdb-3) 
+  [[DynamoDB.3] DynamoDB Accelerator (DAX) clusters should be encrypted at rest](dynamodb-controls.md#dynamodb-3) 
+  [[DynamoDB.4] DynamoDB tables should be present in a backup plan](dynamodb-controls.md#dynamodb-4) 
+  [[DynamoDB.7] DynamoDB Accelerator clusters should be encrypted in transit](dynamodb-controls.md#dynamodb-7) 
+  [[EC2.20] Both VPN tunnels for an Amazon Site-to-Site VPN connection should be up](ec2-controls.md#ec2-20) 
+  [[EC2.22] Unused Amazon EC2 security groups should be removed](ec2-controls.md#ec2-22) 
+  [[EC2.23] Amazon EC2 Transit Gateways should not automatically accept VPC attachment requests](ec2-controls.md#ec2-23) 
+  [[EC2.24] Amazon EC2 paravirtual instance types should not be used](ec2-controls.md#ec2-24) 
+  [[EC2.28] EBS volumes should be covered by a backup plan](ec2-controls.md#ec2-28) 
+  [[EC2.36] EC2 customer gateways should be tagged](ec2-controls.md#ec2-36) 
+  [[EC2.50] EC2 VPN gateways should be tagged](ec2-controls.md#ec2-50) 
+  [[EC2.51] EC2 Client VPN endpoints should have client connection logging enabled](ec2-controls.md#ec2-51) 
+  [[EC2.58] VPCs should be configured with an interface endpoint for Systems Manager Incident Manager Contacts](ec2-controls.md#ec2-58) 
+  [[EC2.60] VPCs should be configured with an interface endpoint for Systems Manager Incident Manager](ec2-controls.md#ec2-60) 
+  [[EC2.171] EC2 VPN connections should have logging enabled](ec2-controls.md#ec2-171) 
+  [[EC2.173] EC2 Spot Fleet requests with launch parameters should enable encryption for attached EBS volumes](ec2-controls.md#ec2-173) 
+  [[EC2.174] EC2 DHCP option sets should be tagged](ec2-controls.md#ec2-174) 
+  [[EC2.175] EC2 launch templates should be tagged](ec2-controls.md#ec2-175) 
+  [[EC2.176] EC2 prefix lists should be tagged](ec2-controls.md#ec2-176) 
+  [[EC2.177] EC2 traffic mirror sessions should be tagged](ec2-controls.md#ec2-177) 
+  [[EC2.178] EC2 traffic mirror filters should be tagged](ec2-controls.md#ec2-178) 
+  [[EC2.179] EC2 traffic mirror targets should be tagged](ec2-controls.md#ec2-179) 
+  [[ECR.1] ECR private repositories should have image scanning configured](ecr-controls.md#ecr-1) 
+  [[ECR.4] ECR public repositories should be tagged](ecr-controls.md#ecr-4) 
+  [[EFS.3] EFS access points should enforce a root directory](efs-controls.md#efs-3) 
+  [[EFS.4] EFS access points should enforce a user identity](efs-controls.md#efs-4) 
+  [[EFS.6] EFS mount targets should not be associated with subnets that assign public IP addresses on launch](efs-controls.md#efs-6) 
+  [[EKS.3] EKS clusters should use encrypted Kubernetes secrets](eks-controls.md#eks-3) 
+  [[ELB.2] Classic Load Balancers with SSL/HTTPS listeners should use a certificate provided by Amazon Certificate Manager](elb-controls.md#elb-2) 
+  [[ELB.17] Application and Network Load Balancers with listeners should use recommended security policies](elb-controls.md#elb-17) 
+  [[ELB.21] Application and Network Load Balancer target groups should use encrypted health check protocols](elb-controls.md#elb-21) 
+  [[ELB.22] ELB target groups should use encrypted transport protocols](elb-controls.md#elb-22) 
+  [[ElastiCache.1] ElastiCache (Redis OSS) clusters should have automatic backups enabled](elasticache-controls.md#elasticache-1) 
+  [[ElasticBeanstalk.3] Elastic Beanstalk should stream logs to CloudWatch](elasticbeanstalk-controls.md#elasticbeanstalk-3) 
+  [[EMR.2] Amazon EMR block public access setting should be enabled](emr-controls.md#emr-2) 
+  [[EMR.3] Amazon EMR security configurations should be encrypted at rest](emr-controls.md#emr-3) 
+  [[EMR.4] Amazon EMR security configurations should be encrypted in transit](emr-controls.md#emr-4) 
+  [[ES.4] Elasticsearch domain error logging to CloudWatch Logs should be enabled](es-controls.md#es-4) 
+  [[EventBridge.4] EventBridge global endpoints should have event replication enabled](eventbridge-controls.md#eventbridge-4) 
+  [[FraudDetector.1] Amazon Fraud Detector entity types should be tagged](frauddetector-controls.md#frauddetector-1) 
+  [[FraudDetector.2] Amazon Fraud Detector labels should be tagged](frauddetector-controls.md#frauddetector-2) 
+  [[FraudDetector.3] Amazon Fraud Detector outcomes should be tagged](frauddetector-controls.md#frauddetector-3) 
+  [[FraudDetector.4] Amazon Fraud Detector variables should be tagged](frauddetector-controls.md#frauddetector-4) 
+  [[FSx.1] FSx for OpenZFS file systems should be configured to copy tags to backups and volumes](fsx-controls.md#fsx-1) 
+  [[FSx.2] FSx for Lustre file systems should be configured to copy tags to backups](fsx-controls.md#fsx-2) 
+  [[FSx.5] FSx for Windows File Server file systems should be configured for Multi-AZ deployment](fsx-controls.md#fsx-5) 
+  [[GlobalAccelerator.1] Global Accelerator accelerators should be tagged](globalaccelerator-controls.md#globalaccelerator-1) 
+  [[Glue.3] Amazon Glue machine learning transforms should be encrypted at rest](glue-controls.md#glue-3) 
+  [[GuardDuty.3] GuardDuty IPSets should be tagged](guardduty-controls.md#guardduty-3) 
+  [[GuardDuty.4] GuardDuty detectors should be tagged](guardduty-controls.md#guardduty-4) 
+  [[GuardDuty.5] GuardDuty EKS Audit Log Monitoring should be enabled](guardduty-controls.md#guardduty-5) 
+  [[GuardDuty.6] GuardDuty Lambda Protection should be enabled](guardduty-controls.md#guardduty-6) 
+  [[GuardDuty.7] GuardDuty EKS Runtime Monitoring should be enabled](guardduty-controls.md#guardduty-7) 
+  [[GuardDuty.8] GuardDuty Malware Protection for EC2 should be enabled](guardduty-controls.md#guardduty-8) 
+  [[GuardDuty.9] GuardDuty RDS Protection should be enabled](guardduty-controls.md#guardduty-9) 
+  [[GuardDuty.10] GuardDuty S3 Protection should be enabled](guardduty-controls.md#guardduty-10) 
+  [[GuardDuty.11] GuardDuty Runtime Monitoring should be enabled](guardduty-controls.md#guardduty-11) 
+  [[GuardDuty.12] GuardDuty ECS Runtime Monitoring should be enabled](guardduty-controls.md#guardduty-12) 
+  [[GuardDuty.13] GuardDuty EC2 Runtime Monitoring should be enabled](guardduty-controls.md#guardduty-13) 
+  [[IAM.6] Hardware MFA should be enabled for the root user](iam-controls.md#iam-6) 
+  [[IAM.9] MFA should be enabled for the root user](iam-controls.md#iam-9) 
+  [[IAM.21] IAM customer managed policies that you create should not allow wildcard actions for services](iam-controls.md#iam-21) 
+  [[IAM.23] IAM Access Analyzer analyzers should be tagged](iam-controls.md#iam-23) 
+  [[IAM.24] IAM roles should be tagged](iam-controls.md#iam-24) 
+  [[IAM.25] IAM users should be tagged](iam-controls.md#iam-25) 
+  [[IAM.26] Expired SSL/TLS certificates managed in IAM should be removed](iam-controls.md#iam-26) 
+  [[IAM.27] IAM identities should not have the AWSCloudShellFullAccess policy attached](iam-controls.md#iam-27) 
+  [[IAM.28] IAM Access Analyzer external access analyzer should be enabled](iam-controls.md#iam-28) 
+  [[Inspector.1] Amazon Inspector EC2 scanning should be enabled](inspector-controls.md#inspector-1) 
+  [[Inspector.2] Amazon Inspector ECR scanning should be enabled](inspector-controls.md#inspector-2) 
+  [[Inspector.3] Amazon Inspector Lambda code scanning should be enabled](inspector-controls.md#inspector-3) 
+  [[Inspector.4] Amazon Inspector Lambda standard scanning should be enabled](inspector-controls.md#inspector-4) 
+  [[IoTEvents.1] Amazon IoT Events inputs should be tagged](iotevents-controls.md#iotevents-1) 
+  [[IoTEvents.2] Amazon IoT Events detector models should be tagged](iotevents-controls.md#iotevents-2) 
+  [[IoTEvents.3] Amazon IoT Events alarm models should be tagged](iotevents-controls.md#iotevents-3) 
+  [[IoTSiteWise.1] Amazon IoT SiteWise asset models should be tagged](iotsitewise-controls.md#iotsitewise-1) 
+  [[IoTSiteWise.2] Amazon IoT SiteWise dashboards should be tagged](iotsitewise-controls.md#iotsitewise-2) 
+  [[IoTSiteWise.3] Amazon IoT SiteWise gateways should be tagged](iotsitewise-controls.md#iotsitewise-3) 
+  [[IoTSiteWise.4] Amazon IoT SiteWise portals should be tagged](iotsitewise-controls.md#iotsitewise-4) 
+  [[IoTSiteWise.5] Amazon IoT SiteWise projects should be tagged](iotsitewise-controls.md#iotsitewise-5) 
+  [[IoTTwinMaker.1] Amazon IoT TwinMaker sync jobs should be tagged](iottwinmaker-controls.md#iottwinmaker-1) 
+  [[IoTTwinMaker.2] Amazon IoT TwinMaker workspaces should be tagged](iottwinmaker-controls.md#iottwinmaker-2) 
+  [[IoTTwinMaker.3] Amazon IoT TwinMaker scenes should be tagged](iottwinmaker-controls.md#iottwinmaker-3) 
+  [[IoTTwinMaker.4] Amazon IoT TwinMaker entities should be tagged](iottwinmaker-controls.md#iottwinmaker-4) 
+  [[IoTWireless.1] Amazon IoT Wireless multicast groups should be tagged](iotwireless-controls.md#iotwireless-1) 
+  [[IoTWireless.2] Amazon IoT Wireless service profiles should be tagged](iotwireless-controls.md#iotwireless-2) 
+  [[IoTWireless.3] Amazon IoT FUOTA tasks should be tagged](iotwireless-controls.md#iotwireless-3) 
+  [[IVS.1] IVS playback key pairs should be tagged](ivs-controls.md#ivs-1) 
+  [[IVS.2] IVS recording configurations should be tagged](ivs-controls.md#ivs-2) 
+  [[IVS.3] IVS channels should be tagged](ivs-controls.md#ivs-3) 
+  [[Keyspaces.1] Amazon Keyspaces keyspaces should be tagged](keyspaces-controls.md#keyspaces-1) 
+  [[Lambda.1] Lambda function policies should prohibit public access](lambda-controls.md#lambda-1) 
+  [[Lambda.2] Lambda functions should use supported runtimes](lambda-controls.md#lambda-2) 
+  [[Lambda.3] Lambda functions should be in a VPC](lambda-controls.md#lambda-3) 
+  [[Lambda.5] VPC Lambda functions should operate in multiple Availability Zones](lambda-controls.md#lambda-5) 
+  [[Lambda.6] Lambda functions should be tagged](lambda-controls.md#lambda-6) 
+  [[Lambda.7] Lambda functions should have Amazon X-Ray active tracing enabled](lambda-controls.md#lambda-7) 
+  [[Macie.1] Amazon Macie should be enabled](macie-controls.md#macie-1) 
+  [[Macie.2] Macie automated sensitive data discovery should be enabled](macie-controls.md#macie-2) 
+  [[MQ.2] ActiveMQ brokers should stream audit logs to CloudWatch](mq-controls.md#mq-2) 
+  [[MSK.3] MSK Connect connectors should be encrypted in transit](msk-controls.md#msk-3) 
+  [[MSK.5] MSK connectors should have logging enabled](msk-controls.md#msk-5) 
+  [[Neptune.3] Neptune DB cluster snapshots should not be public](neptune-controls.md#neptune-3) 
+  [[NetworkFirewall.1] Network Firewall firewalls should be deployed across multiple Availability Zones](networkfirewall-controls.md#networkfirewall-1) 
+  [[NetworkFirewall.2] Network Firewall logging should be enabled](networkfirewall-controls.md#networkfirewall-2) 
+  [[NetworkFirewall.3] Network Firewall policies should have at least one rule group associated](networkfirewall-controls.md#networkfirewall-3) 
+  [[NetworkFirewall.4] The default stateless action for Network Firewall policies should be drop or forward for full packets](networkfirewall-controls.md#networkfirewall-4) 
+  [[NetworkFirewall.5] The default stateless action for Network Firewall policies should be drop or forward for fragmented packets](networkfirewall-controls.md#networkfirewall-5) 
+  [[NetworkFirewall.6] Stateless Network Firewall rule group should not be empty](networkfirewall-controls.md#networkfirewall-6) 
+  [[NetworkFirewall.9] Network Firewall firewalls should have deletion protection enabled](networkfirewall-controls.md#networkfirewall-9) 
+  [[NetworkFirewall.10] Network Firewall firewalls should have subnet change protection enabled](networkfirewall-controls.md#networkfirewall-10) 
+  [[Opensearch.1] OpenSearch domains should have encryption at rest enabled](opensearch-controls.md#opensearch-1) 
+  [[Opensearch.2] OpenSearch domains should not be publicly accessible](opensearch-controls.md#opensearch-2) 
+  [[Opensearch.3] OpenSearch domains should encrypt data sent between nodes](opensearch-controls.md#opensearch-3) 
+  [[Opensearch.4] OpenSearch domain error logging to CloudWatch Logs should be enabled](opensearch-controls.md#opensearch-4) 
+  [[Opensearch.5] OpenSearch domains should have audit logging enabled](opensearch-controls.md#opensearch-5) 
+  [[Opensearch.6] OpenSearch domains should have at least three data nodes](opensearch-controls.md#opensearch-6) 
+  [[Opensearch.7] OpenSearch domains should have fine-grained access control enabled](opensearch-controls.md#opensearch-7) 
+  [[Opensearch.8] Connections to OpenSearch domains should be encrypted using the latest TLS security policy](opensearch-controls.md#opensearch-8) 
+  [[Opensearch.11] OpenSearch domains should have at least three dedicated primary nodes](opensearch-controls.md#opensearch-11) 
+  [[PCA.1] Amazon Private CA root certificate authority should be disabled](pca-controls.md#pca-1) 
+  [[PCA.2] Amazon Private CA certificate authorities should be tagged](pca-controls.md#pca-2) 
+  [[RDS.14] Amazon Aurora clusters should have backtracking enabled](rds-controls.md#rds-14) 
+  [[RDS.24] RDS Database clusters should use a custom administrator username](rds-controls.md#rds-24) 
+  [[RDS.25] RDS database instances should use a custom administrator username](rds-controls.md#rds-25) 
+  [[RDS.26] RDS DB instances should be protected by a backup plan](rds-controls.md#rds-26) 
+  [[RDS.31] RDS DB security groups should be tagged](rds-controls.md#rds-31) 
+  [[RDS.34] Aurora MySQL DB clusters should publish audit logs to CloudWatch Logs](rds-controls.md#rds-34) 
+  [[RDS.35] RDS DB clusters should have automatic minor version upgrade enabled](rds-controls.md#rds-35) 
+  [[RDS.42] RDS for MariaDB DB instances should publish logs to CloudWatch Logs](rds-controls.md#rds-42) 
+  [[RDS.43] RDS DB proxies should require TLS encryption for connections](rds-controls.md#rds-43) 
+  [[RDS.44] RDS for MariaDB DB instances should be encrypted in transit](rds-controls.md#rds-44) 
+  [[RDS.45] Aurora MySQL DB clusters should have audit logging enabled](rds-controls.md#rds-45) 
+  [[RDS.50] RDS DB clusters should have enough backup retention period set](rds-controls.md#rds-50) 
+  [[Redshift.10] Redshift clusters should be encrypted at rest](redshift-controls.md#redshift-10) 
+  [[Redshift.15] Redshift security groups should allow ingress on the cluster port only from restricted origins](redshift-controls.md#redshift-15) 
+  [[Redshift.17] Redshift cluster parameter groups should be tagged](redshift-controls.md#redshift-17) 
+  [[RedshiftServerless.1] Amazon Redshift Serverless workgroups should use enhanced VPC routing](redshiftserverless-controls.md#redshiftserverless-1) 
+  [[RedshiftServerless.2] Connections to Redshift Serverless workgroups should be required to use SSL](redshiftserverless-controls.md#redshiftserverless-2) 
+  [[RedshiftServerless.3] Redshift Serverless workgroups should prohibit public access](redshiftserverless-controls.md#redshiftserverless-3) 
+  [[Route53.1] Route 53 health checks should be tagged](route53-controls.md#route53-1) 
+  [[Route53.2] Route 53 public hosted zones should log DNS queries](route53-controls.md#route53-2) 
+  [[S3.24] S3 Multi-Region Access Points should have block public access settings enabled](s3-controls.md#s3-24) 
+  [[S3.25] S3 directory buckets should have lifecycle configurations](s3-controls.md#s3-25) 
+  [[SageMaker.4] SageMaker endpoint production variants should have an initial instance count greater than 1](sagemaker-controls.md#sagemaker-4) 
+  [[SageMaker.5] SageMaker models should have network isolation enabled](sagemaker-controls.md#sagemaker-5) 
+  [[SageMaker.6] SageMaker app image configurations should be tagged](sagemaker-controls.md#sagemaker-6) 
+  [[SageMaker.7] SageMaker images should be tagged](sagemaker-controls.md#sagemaker-7) 
+  [[SageMaker.9] SageMaker data quality job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-9) 
+  [[SageMaker.10] SageMaker model explainability job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-10) 
+  [[SageMaker.11] SageMaker data quality job definitions should have network isolation enabled](sagemaker-controls.md#sagemaker-11) 
+  [[SageMaker.12] SageMaker model bias job definitions should have network isolation enabled](sagemaker-controls.md#sagemaker-12) 
+  [[SageMaker.13] SageMaker model quality job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-13) 
+  [[SageMaker.14] SageMaker monitoring schedules should have network isolation enabled](sagemaker-controls.md#sagemaker-14) 
+  [[SageMaker.15] SageMaker model bias job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-15) 
+  [[SES.3] SES configuration sets should have TLS enabled for sending emails](ses-controls.md#ses-3) 
+  [[ServiceCatalog.1] Service Catalog portfolios should be shared within an Amazon organization only](servicecatalog-controls.md#servicecatalog-1) 
+  [[SSM.5] SSM documents should be tagged](ssm-controls.md#ssm-5) 
+  [[SSM.7] SSM documents should have the block public sharing setting enabled](ssm-controls.md#ssm-7) 
+  [[StepFunctions.2] Step Functions activities should be tagged](stepfunctions-controls.md#stepfunctions-2) 
+  [[Transfer.2] Transfer Family servers should not use FTP protocol for endpoint connection](transfer-controls.md#transfer-2) 
+  [[Transfer.4] Transfer Family agreements should be tagged](transfer-controls.md#transfer-4) 
+  [[Transfer.5] Transfer Family certificates should be tagged](transfer-controls.md#transfer-5) 
+  [[Transfer.6] Transfer Family connectors should be tagged](transfer-controls.md#transfer-6) 
+  [[Transfer.7] Transfer Family profiles should be tagged](transfer-controls.md#transfer-7) 
+  [[WAF.1] Amazon WAF Classic Global Web ACL logging should be enabled](waf-controls.md#waf-1) 
+  [[WAF.3] Amazon WAF Classic Regional rule groups should have at least one rule](waf-controls.md#waf-3) 
+  [[WAF.6] Amazon WAF Classic global rules should have at least one condition](waf-controls.md#waf-6) 
+  [[WAF.7] Amazon WAF Classic global rule groups should have at least one rule](waf-controls.md#waf-7) 
+  [[WAF.8] Amazon WAF Classic global web ACLs should have at least one rule or rule group](waf-controls.md#waf-8) 

## Europe (Frankfurt)


The following controls are not supported in the Europe (Frankfurt) Region.
+  [[CloudFront.1] CloudFront distributions should have a default root object configured](cloudfront-controls.md#cloudfront-1) 
+  [[CloudFront.3] CloudFront distributions should require encryption in transit](cloudfront-controls.md#cloudfront-3) 
+  [[CloudFront.4] CloudFront distributions should have origin failover configured](cloudfront-controls.md#cloudfront-4) 
+  [[CloudFront.5] CloudFront distributions should have logging enabled](cloudfront-controls.md#cloudfront-5) 
+  [[CloudFront.6] CloudFront distributions should have WAF enabled](cloudfront-controls.md#cloudfront-6) 
+  [[CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates](cloudfront-controls.md#cloudfront-7) 
+  [[CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests](cloudfront-controls.md#cloudfront-8) 
+  [[CloudFront.9] CloudFront distributions should encrypt traffic to custom origins](cloudfront-controls.md#cloudfront-9) 
+  [[CloudFront.10] CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins](cloudfront-controls.md#cloudfront-10) 
+  [[CloudFront.12] CloudFront distributions should not point to non-existent S3 origins](cloudfront-controls.md#cloudfront-12) 
+  [[CloudFront.13] CloudFront distributions should use origin access control](cloudfront-controls.md#cloudfront-13) 
+  [[CloudFront.14] CloudFront distributions should be tagged](cloudfront-controls.md#cloudfront-14) 
+  [[CloudFront.15] CloudFront distributions should use the recommended TLS security policy](cloudfront-controls.md#cloudfront-15) 
+  [[CloudFront.16] CloudFront distributions should use origin access control for Lambda function URL origins](cloudfront-controls.md#cloudfront-16) 
+  [[CloudFront.17] CloudFront distributions should use trusted key groups for signed URLs and cookies](cloudfront-controls.md#cloudfront-17) 
+  [[EC2.173] EC2 Spot Fleet requests with launch parameters should enable encryption for attached EBS volumes](ec2-controls.md#ec2-173) 
+  [[ECR.4] ECR public repositories should be tagged](ecr-controls.md#ecr-4) 
+  [[FraudDetector.1] Amazon Fraud Detector entity types should be tagged](frauddetector-controls.md#frauddetector-1) 
+  [[FraudDetector.2] Amazon Fraud Detector labels should be tagged](frauddetector-controls.md#frauddetector-2) 
+  [[FraudDetector.3] Amazon Fraud Detector outcomes should be tagged](frauddetector-controls.md#frauddetector-3) 
+  [[FraudDetector.4] Amazon Fraud Detector variables should be tagged](frauddetector-controls.md#frauddetector-4) 
+  [[GlobalAccelerator.1] Global Accelerator accelerators should be tagged](globalaccelerator-controls.md#globalaccelerator-1) 
+  [[IAM.26] Expired SSL/TLS certificates managed in IAM should be removed](iam-controls.md#iam-26) 
+  [[RDS.31] RDS DB security groups should be tagged](rds-controls.md#rds-31) 
+  [[Route53.1] Route 53 health checks should be tagged](route53-controls.md#route53-1) 
+  [[Route53.2] Route 53 public hosted zones should log DNS queries](route53-controls.md#route53-2) 
+  [[S3.24] S3 Multi-Region Access Points should have block public access settings enabled](s3-controls.md#s3-24) 
+  [[S3.25] S3 directory buckets should have lifecycle configurations](s3-controls.md#s3-25) 
+  [[WAF.1] Amazon WAF Classic Global Web ACL logging should be enabled](waf-controls.md#waf-1) 
+  [[WAF.6] Amazon WAF Classic global rules should have at least one condition](waf-controls.md#waf-6) 
+  [[WAF.7] Amazon WAF Classic global rule groups should have at least one rule](waf-controls.md#waf-7) 
+  [[WAF.8] Amazon WAF Classic global web ACLs should have at least one rule or rule group](waf-controls.md#waf-8) 

## Europe (Ireland)


The following controls are not supported in the Europe (Ireland) Region.
+  [[AppSync.1] Amazon AppSync API caches should be encrypted at rest](appsync-controls.md#appsync-1) 
+  [[AppSync.6] Amazon AppSync API caches should be encrypted in transit](appsync-controls.md#appsync-6) 
+  [[CloudFront.1] CloudFront distributions should have a default root object configured](cloudfront-controls.md#cloudfront-1) 
+  [[CloudFront.3] CloudFront distributions should require encryption in transit](cloudfront-controls.md#cloudfront-3) 
+  [[CloudFront.4] CloudFront distributions should have origin failover configured](cloudfront-controls.md#cloudfront-4) 
+  [[CloudFront.5] CloudFront distributions should have logging enabled](cloudfront-controls.md#cloudfront-5) 
+  [[CloudFront.6] CloudFront distributions should have WAF enabled](cloudfront-controls.md#cloudfront-6) 
+  [[CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates](cloudfront-controls.md#cloudfront-7) 
+  [[CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests](cloudfront-controls.md#cloudfront-8) 
+  [[CloudFront.9] CloudFront distributions should encrypt traffic to custom origins](cloudfront-controls.md#cloudfront-9) 
+  [[CloudFront.10] CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins](cloudfront-controls.md#cloudfront-10) 
+  [[CloudFront.12] CloudFront distributions should not point to non-existent S3 origins](cloudfront-controls.md#cloudfront-12) 
+  [[CloudFront.13] CloudFront distributions should use origin access control](cloudfront-controls.md#cloudfront-13) 
+  [[CloudFront.14] CloudFront distributions should be tagged](cloudfront-controls.md#cloudfront-14) 
+  [[CloudFront.15] CloudFront distributions should use the recommended TLS security policy](cloudfront-controls.md#cloudfront-15) 
+  [[CloudFront.16] CloudFront distributions should use origin access control for Lambda function URL origins](cloudfront-controls.md#cloudfront-16) 
+  [[CloudFront.17] CloudFront distributions should use trusted key groups for signed URLs and cookies](cloudfront-controls.md#cloudfront-17) 
+  [[Connect.1] Amazon Connect Customer Profiles object types should be tagged](connect-controls.md#connect-1) 
+  [[Connect.2] Amazon Connect instances should have CloudWatch logging enabled](connect-controls.md#connect-2) 
+  [[ECR.4] ECR public repositories should be tagged](ecr-controls.md#ecr-4) 
+  [[GlobalAccelerator.1] Global Accelerator accelerators should be tagged](globalaccelerator-controls.md#globalaccelerator-1) 
+  [[IAM.26] Expired SSL/TLS certificates managed in IAM should be removed](iam-controls.md#iam-26) 
+  [[Route53.1] Route 53 health checks should be tagged](route53-controls.md#route53-1) 
+  [[Route53.2] Route 53 public hosted zones should log DNS queries](route53-controls.md#route53-2) 
+  [[S3.24] S3 Multi-Region Access Points should have block public access settings enabled](s3-controls.md#s3-24) 
+  [[WAF.1] Amazon WAF Classic Global Web ACL logging should be enabled](waf-controls.md#waf-1) 
+  [[WAF.6] Amazon WAF Classic global rules should have at least one condition](waf-controls.md#waf-6) 
+  [[WAF.7] Amazon WAF Classic global rule groups should have at least one rule](waf-controls.md#waf-7) 
+  [[WAF.8] Amazon WAF Classic global web ACLs should have at least one rule or rule group](waf-controls.md#waf-8) 

## Europe (London)


The following controls are not supported in the Europe (London) Region.
+  [[AppRunner.2] App Runner VPC connectors should be tagged](apprunner-controls.md#apprunner-2) 
+  [[AppSync.1] Amazon AppSync API caches should be encrypted at rest](appsync-controls.md#appsync-1) 
+  [[AppSync.6] Amazon AppSync API caches should be encrypted in transit](appsync-controls.md#appsync-6) 
+  [[CloudFront.1] CloudFront distributions should have a default root object configured](cloudfront-controls.md#cloudfront-1) 
+  [[CloudFront.3] CloudFront distributions should require encryption in transit](cloudfront-controls.md#cloudfront-3) 
+  [[CloudFront.4] CloudFront distributions should have origin failover configured](cloudfront-controls.md#cloudfront-4) 
+  [[CloudFront.5] CloudFront distributions should have logging enabled](cloudfront-controls.md#cloudfront-5) 
+  [[CloudFront.6] CloudFront distributions should have WAF enabled](cloudfront-controls.md#cloudfront-6) 
+  [[CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates](cloudfront-controls.md#cloudfront-7) 
+  [[CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests](cloudfront-controls.md#cloudfront-8) 
+  [[CloudFront.9] CloudFront distributions should encrypt traffic to custom origins](cloudfront-controls.md#cloudfront-9) 
+  [[CloudFront.10] CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins](cloudfront-controls.md#cloudfront-10) 
+  [[CloudFront.12] CloudFront distributions should not point to non-existent S3 origins](cloudfront-controls.md#cloudfront-12) 
+  [[CloudFront.13] CloudFront distributions should use origin access control](cloudfront-controls.md#cloudfront-13) 
+  [[CloudFront.14] CloudFront distributions should be tagged](cloudfront-controls.md#cloudfront-14) 
+  [[CloudFront.15] CloudFront distributions should use the recommended TLS security policy](cloudfront-controls.md#cloudfront-15) 
+  [[CloudFront.16] CloudFront distributions should use origin access control for Lambda function URL origins](cloudfront-controls.md#cloudfront-16) 
+  [[CloudFront.17] CloudFront distributions should use trusted key groups for signed URLs and cookies](cloudfront-controls.md#cloudfront-17) 
+  [[EC2.24] Amazon EC2 paravirtual instance types should not be used](ec2-controls.md#ec2-24) 
+  [[EC2.173] EC2 Spot Fleet requests with launch parameters should enable encryption for attached EBS volumes](ec2-controls.md#ec2-173) 
+  [[ECR.4] ECR public repositories should be tagged](ecr-controls.md#ecr-4) 
+  [[FraudDetector.1] Amazon Fraud Detector entity types should be tagged](frauddetector-controls.md#frauddetector-1) 
+  [[FraudDetector.2] Amazon Fraud Detector labels should be tagged](frauddetector-controls.md#frauddetector-2) 
+  [[FraudDetector.3] Amazon Fraud Detector outcomes should be tagged](frauddetector-controls.md#frauddetector-3) 
+  [[FraudDetector.4] Amazon Fraud Detector variables should be tagged](frauddetector-controls.md#frauddetector-4) 
+  [[GlobalAccelerator.1] Global Accelerator accelerators should be tagged](globalaccelerator-controls.md#globalaccelerator-1) 
+  [[IAM.26] Expired SSL/TLS certificates managed in IAM should be removed](iam-controls.md#iam-26) 
+  [[IoTSiteWise.1] Amazon IoT SiteWise asset models should be tagged](iotsitewise-controls.md#iotsitewise-1) 
+  [[IoTSiteWise.2] Amazon IoT SiteWise dashboards should be tagged](iotsitewise-controls.md#iotsitewise-2) 
+  [[IoTSiteWise.3] Amazon IoT SiteWise gateways should be tagged](iotsitewise-controls.md#iotsitewise-3) 
+  [[IoTSiteWise.4] Amazon IoT SiteWise portals should be tagged](iotsitewise-controls.md#iotsitewise-4) 
+  [[IoTSiteWise.5] Amazon IoT SiteWise projects should be tagged](iotsitewise-controls.md#iotsitewise-5) 
+  [[IoTTwinMaker.1] Amazon IoT TwinMaker sync jobs should be tagged](iottwinmaker-controls.md#iottwinmaker-1) 
+  [[IoTTwinMaker.2] Amazon IoT TwinMaker workspaces should be tagged](iottwinmaker-controls.md#iottwinmaker-2) 
+  [[IoTTwinMaker.3] Amazon IoT TwinMaker scenes should be tagged](iottwinmaker-controls.md#iottwinmaker-3) 
+  [[IoTTwinMaker.4] Amazon IoT TwinMaker entities should be tagged](iottwinmaker-controls.md#iottwinmaker-4) 
+  [[IoTWireless.1] Amazon IoT Wireless multicast groups should be tagged](iotwireless-controls.md#iotwireless-1) 
+  [[IoTWireless.2] Amazon IoT Wireless service profiles should be tagged](iotwireless-controls.md#iotwireless-2) 
+  [[IoTWireless.3] Amazon IoT FUOTA tasks should be tagged](iotwireless-controls.md#iotwireless-3) 
+  [[IVS.1] IVS playback key pairs should be tagged](ivs-controls.md#ivs-1) 
+  [[IVS.2] IVS recording configurations should be tagged](ivs-controls.md#ivs-2) 
+  [[IVS.3] IVS channels should be tagged](ivs-controls.md#ivs-3) 
+  [[RDS.31] RDS DB security groups should be tagged](rds-controls.md#rds-31) 
+  [[Route53.1] Route 53 health checks should be tagged](route53-controls.md#route53-1) 
+  [[Route53.2] Route 53 public hosted zones should log DNS queries](route53-controls.md#route53-2) 
+  [[S3.24] S3 Multi-Region Access Points should have block public access settings enabled](s3-controls.md#s3-24) 
+  [[S3.25] S3 directory buckets should have lifecycle configurations](s3-controls.md#s3-25) 
+  [[WAF.1] Amazon WAF Classic Global Web ACL logging should be enabled](waf-controls.md#waf-1) 
+  [[WAF.6] Amazon WAF Classic global rules should have at least one condition](waf-controls.md#waf-6) 
+  [[WAF.7] Amazon WAF Classic global rule groups should have at least one rule](waf-controls.md#waf-7) 
+  [[WAF.8] Amazon WAF Classic global web ACLs should have at least one rule or rule group](waf-controls.md#waf-8) 

## Europe (Milan)


The following controls are not supported in the Europe (Milan) Region.
+  [[AppFlow.1] Amazon AppFlow flows should be tagged](appflow-controls.md#appflow-1) 
+  [[AppRunner.1] App Runner services should be tagged](apprunner-controls.md#apprunner-1) 
+  [[AppRunner.2] App Runner VPC connectors should be tagged](apprunner-controls.md#apprunner-2) 
+  [[AppSync.1] Amazon AppSync API caches should be encrypted at rest](appsync-controls.md#appsync-1) 
+  [[AppSync.6] Amazon AppSync API caches should be encrypted in transit](appsync-controls.md#appsync-6) 
+  [[CloudFront.1] CloudFront distributions should have a default root object configured](cloudfront-controls.md#cloudfront-1) 
+  [[CloudFront.3] CloudFront distributions should require encryption in transit](cloudfront-controls.md#cloudfront-3) 
+  [[CloudFront.4] CloudFront distributions should have origin failover configured](cloudfront-controls.md#cloudfront-4) 
+  [[CloudFront.5] CloudFront distributions should have logging enabled](cloudfront-controls.md#cloudfront-5) 
+  [[CloudFront.6] CloudFront distributions should have WAF enabled](cloudfront-controls.md#cloudfront-6) 
+  [[CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates](cloudfront-controls.md#cloudfront-7) 
+  [[CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests](cloudfront-controls.md#cloudfront-8) 
+  [[CloudFront.9] CloudFront distributions should encrypt traffic to custom origins](cloudfront-controls.md#cloudfront-9) 
+  [[CloudFront.10] CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins](cloudfront-controls.md#cloudfront-10) 
+  [[CloudFront.12] CloudFront distributions should not point to non-existent S3 origins](cloudfront-controls.md#cloudfront-12) 
+  [[CloudFront.13] CloudFront distributions should use origin access control](cloudfront-controls.md#cloudfront-13) 
+  [[CloudFront.14] CloudFront distributions should be tagged](cloudfront-controls.md#cloudfront-14) 
+  [[CloudFront.15] CloudFront distributions should use the recommended TLS security policy](cloudfront-controls.md#cloudfront-15) 
+  [[CloudFront.16] CloudFront distributions should use origin access control for Lambda function URL origins](cloudfront-controls.md#cloudfront-16) 
+  [[CloudFront.17] CloudFront distributions should use trusted key groups for signed URLs and cookies](cloudfront-controls.md#cloudfront-17) 
+  [[CodeGuruProfiler.1] CodeGuru Profiler profiling groups should be tagged](codeguruprofiler-controls.md#codeguruprofiler-1) 
+  [[CodeGuruReviewer.1] CodeGuru Reviewer repository associations should be tagged](codegurureviewer-controls.md#codegurureviewer-1) 
+  [[Connect.1] Amazon Connect Customer Profiles object types should be tagged](connect-controls.md#connect-1) 
+  [[Connect.2] Amazon Connect instances should have CloudWatch logging enabled](connect-controls.md#connect-2) 
+  [[DMS.10] DMS endpoints for Neptune databases should have IAM authorization enabled](dms-controls.md#dms-10) 
+  [[DynamoDB.3] DynamoDB Accelerator (DAX) clusters should be encrypted at rest](dynamodb-controls.md#dynamodb-3) 
+  [[DynamoDB.7] DynamoDB Accelerator clusters should be encrypted in transit](dynamodb-controls.md#dynamodb-7) 
+  [[EC2.4] Stopped EC2 instances should be removed after a specified time period](ec2-controls.md#ec2-4) 
+  [[EC2.14] Security groups should not allow ingress from 0.0.0.0/0 or ::/0 to port 3389](ec2-controls.md#ec2-14) 
+  [[EC2.24] Amazon EC2 paravirtual instance types should not be used](ec2-controls.md#ec2-24) 
+  [[EC2.58] VPCs should be configured with an interface endpoint for Systems Manager Incident Manager Contacts](ec2-controls.md#ec2-58) 
+  [[EC2.60] VPCs should be configured with an interface endpoint for Systems Manager Incident Manager](ec2-controls.md#ec2-60) 
+  [[EC2.173] EC2 Spot Fleet requests with launch parameters should enable encryption for attached EBS volumes](ec2-controls.md#ec2-173) 
+  [[EC2.177] EC2 traffic mirror sessions should be tagged](ec2-controls.md#ec2-177) 
+  [[ECR.4] ECR public repositories should be tagged](ecr-controls.md#ecr-4) 
+  [[ELB.2] Classic Load Balancers with SSL/HTTPS listeners should use a certificate provided by Amazon Certificate Manager](elb-controls.md#elb-2) 
+  [[EventBridge.4] EventBridge global endpoints should have event replication enabled](eventbridge-controls.md#eventbridge-4) 
+  [[FraudDetector.1] Amazon Fraud Detector entity types should be tagged](frauddetector-controls.md#frauddetector-1) 
+  [[FraudDetector.2] Amazon Fraud Detector labels should be tagged](frauddetector-controls.md#frauddetector-2) 
+  [[FraudDetector.3] Amazon Fraud Detector outcomes should be tagged](frauddetector-controls.md#frauddetector-3) 
+  [[FraudDetector.4] Amazon Fraud Detector variables should be tagged](frauddetector-controls.md#frauddetector-4) 
+  [[GlobalAccelerator.1] Global Accelerator accelerators should be tagged](globalaccelerator-controls.md#globalaccelerator-1) 
+  [[IAM.18] Ensure a support role has been created to manage incidents with Amazon Web Services Support](iam-controls.md#iam-18) 
+  [[IAM.26] Expired SSL/TLS certificates managed in IAM should be removed](iam-controls.md#iam-26) 
+  [[Inspector.3] Amazon Inspector Lambda code scanning should be enabled](inspector-controls.md#inspector-3) 
+  [[IoT.1] Amazon IoT Device Defender security profiles should be tagged](iot-controls.md#iot-1) 
+  [[IoT.2] Amazon IoT Core mitigation actions should be tagged](iot-controls.md#iot-2) 
+  [[IoT.3] Amazon IoT Core dimensions should be tagged](iot-controls.md#iot-3) 
+  [[IoT.4] Amazon IoT Core authorizers should be tagged](iot-controls.md#iot-4) 
+  [[IoT.5] Amazon IoT Core role aliases should be tagged](iot-controls.md#iot-5) 
+  [[IoT.6] Amazon IoT Core policies should be tagged](iot-controls.md#iot-6) 
+  [[IoTEvents.1] Amazon IoT Events inputs should be tagged](iotevents-controls.md#iotevents-1) 
+  [[IoTEvents.2] Amazon IoT Events detector models should be tagged](iotevents-controls.md#iotevents-2) 
+  [[IoTEvents.3] Amazon IoT Events alarm models should be tagged](iotevents-controls.md#iotevents-3) 
+  [[IoTSiteWise.1] Amazon IoT SiteWise asset models should be tagged](iotsitewise-controls.md#iotsitewise-1) 
+  [[IoTSiteWise.2] Amazon IoT SiteWise dashboards should be tagged](iotsitewise-controls.md#iotsitewise-2) 
+  [[IoTSiteWise.3] Amazon IoT SiteWise gateways should be tagged](iotsitewise-controls.md#iotsitewise-3) 
+  [[IoTSiteWise.4] Amazon IoT SiteWise portals should be tagged](iotsitewise-controls.md#iotsitewise-4) 
+  [[IoTSiteWise.5] Amazon IoT SiteWise projects should be tagged](iotsitewise-controls.md#iotsitewise-5) 
+  [[IoTTwinMaker.1] Amazon IoT TwinMaker sync jobs should be tagged](iottwinmaker-controls.md#iottwinmaker-1) 
+  [[IoTTwinMaker.2] Amazon IoT TwinMaker workspaces should be tagged](iottwinmaker-controls.md#iottwinmaker-2) 
+  [[IoTTwinMaker.3] Amazon IoT TwinMaker scenes should be tagged](iottwinmaker-controls.md#iottwinmaker-3) 
+  [[IoTTwinMaker.4] Amazon IoT TwinMaker entities should be tagged](iottwinmaker-controls.md#iottwinmaker-4) 
+  [[IoTWireless.1] Amazon IoT Wireless multicast groups should be tagged](iotwireless-controls.md#iotwireless-1) 
+  [[IoTWireless.2] Amazon IoT Wireless service profiles should be tagged](iotwireless-controls.md#iotwireless-2) 
+  [[IoTWireless.3] Amazon IoT FUOTA tasks should be tagged](iotwireless-controls.md#iotwireless-3) 
+  [[IVS.1] IVS playback key pairs should be tagged](ivs-controls.md#ivs-1) 
+  [[IVS.2] IVS recording configurations should be tagged](ivs-controls.md#ivs-2) 
+  [[IVS.3] IVS channels should be tagged](ivs-controls.md#ivs-3) 
+  [[Keyspaces.1] Amazon Keyspaces keyspaces should be tagged](keyspaces-controls.md#keyspaces-1) 
+  [[MSK.3] MSK Connect connectors should be encrypted in transit](msk-controls.md#msk-3) 
+  [[MSK.5] MSK connectors should have logging enabled](msk-controls.md#msk-5) 
+  [[Neptune.1] Neptune DB clusters should be encrypted at rest](neptune-controls.md#neptune-1) 
+  [[Neptune.2] Neptune DB clusters should publish audit logs to CloudWatch Logs](neptune-controls.md#neptune-2) 
+  [[Neptune.3] Neptune DB cluster snapshots should not be public](neptune-controls.md#neptune-3) 
+  [[Neptune.4] Neptune DB clusters should have deletion protection enabled](neptune-controls.md#neptune-4) 
+  [[Neptune.5] Neptune DB clusters should have automated backups enabled](neptune-controls.md#neptune-5) 
+  [[Neptune.6] Neptune DB cluster snapshots should be encrypted at rest](neptune-controls.md#neptune-6) 
+  [[Neptune.7] Neptune DB clusters should have IAM database authentication enabled](neptune-controls.md#neptune-7) 
+  [[Neptune.8] Neptune DB clusters should be configured to copy tags to snapshots](neptune-controls.md#neptune-8) 
+  [[Neptune.9] Neptune DB clusters should be deployed across multiple Availability Zones](neptune-controls.md#neptune-9) 
+  [[RDS.1] RDS snapshot should be private](rds-controls.md#rds-1) 
+  [[RDS.14] Amazon Aurora clusters should have backtracking enabled](rds-controls.md#rds-14) 
+  [[RDS.31] RDS DB security groups should be tagged](rds-controls.md#rds-31) 
+  [[RedshiftServerless.1] Amazon Redshift Serverless workgroups should use enhanced VPC routing](redshiftserverless-controls.md#redshiftserverless-1) 
+  [[RedshiftServerless.2] Connections to Redshift Serverless workgroups should be required to use SSL](redshiftserverless-controls.md#redshiftserverless-2) 
+  [[RedshiftServerless.3] Redshift Serverless workgroups should prohibit public access](redshiftserverless-controls.md#redshiftserverless-3) 
+  [[RedshiftServerless.4] Redshift Serverless namespaces should be encrypted with customer managed Amazon KMS keys](redshiftserverless-controls.md#redshiftserverless-4) 
+  [[RedshiftServerless.5] Redshift Serverless namespaces should not use the default admin username](redshiftserverless-controls.md#redshiftserverless-5) 
+  [[RedshiftServerless.6] Redshift Serverless namespaces should export logs to CloudWatch Logs](redshiftserverless-controls.md#redshiftserverless-6) 
+  [[Route53.1] Route 53 health checks should be tagged](route53-controls.md#route53-1) 
+  [[Route53.2] Route 53 public hosted zones should log DNS queries](route53-controls.md#route53-2) 
+  [[S3.24] S3 Multi-Region Access Points should have block public access settings enabled](s3-controls.md#s3-24) 
+  [[S3.25] S3 directory buckets should have lifecycle configurations](s3-controls.md#s3-25) 
+  [[SageMaker.9] SageMaker data quality job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-9) 
+  [[SageMaker.10] SageMaker model explainability job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-10) 
+  [[SageMaker.11] SageMaker data quality job definitions should have network isolation enabled](sagemaker-controls.md#sagemaker-11) 
+  [[SageMaker.12] SageMaker model bias job definitions should have network isolation enabled](sagemaker-controls.md#sagemaker-12) 
+  [[SageMaker.13] SageMaker model quality job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-13) 
+  [[SageMaker.14] SageMaker monitoring schedules should have network isolation enabled](sagemaker-controls.md#sagemaker-14) 
+  [[SageMaker.15] SageMaker model bias job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-15) 
+  [[SSM.2] Amazon EC2 instances managed by Systems Manager should have a patch compliance status of COMPLIANT after a patch installation](ssm-controls.md#ssm-2) 
+  [[WAF.1] Amazon WAF Classic Global Web ACL logging should be enabled](waf-controls.md#waf-1) 
+  [[WAF.6] Amazon WAF Classic global rules should have at least one condition](waf-controls.md#waf-6) 
+  [[WAF.7] Amazon WAF Classic global rule groups should have at least one rule](waf-controls.md#waf-7) 
+  [[WAF.8] Amazon WAF Classic global web ACLs should have at least one rule or rule group](waf-controls.md#waf-8) 
+  [[WorkSpaces.1] WorkSpaces user volumes should be encrypted at rest](workspaces-controls.md#workspaces-1) 
+  [[WorkSpaces.2] WorkSpaces root volumes should be encrypted at rest](workspaces-controls.md#workspaces-2) 

## Europe (Paris)


The following controls are not supported in the Europe (Paris) Region.
+  [[AppSync.1] Amazon AppSync API caches should be encrypted at rest](appsync-controls.md#appsync-1) 
+  [[AppSync.6] Amazon AppSync API caches should be encrypted in transit](appsync-controls.md#appsync-6) 
+  [[CloudFront.1] CloudFront distributions should have a default root object configured](cloudfront-controls.md#cloudfront-1) 
+  [[CloudFront.3] CloudFront distributions should require encryption in transit](cloudfront-controls.md#cloudfront-3) 
+  [[CloudFront.4] CloudFront distributions should have origin failover configured](cloudfront-controls.md#cloudfront-4) 
+  [[CloudFront.5] CloudFront distributions should have logging enabled](cloudfront-controls.md#cloudfront-5) 
+  [[CloudFront.6] CloudFront distributions should have WAF enabled](cloudfront-controls.md#cloudfront-6) 
+  [[CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates](cloudfront-controls.md#cloudfront-7) 
+  [[CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests](cloudfront-controls.md#cloudfront-8) 
+  [[CloudFront.9] CloudFront distributions should encrypt traffic to custom origins](cloudfront-controls.md#cloudfront-9) 
+  [[CloudFront.10] CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins](cloudfront-controls.md#cloudfront-10) 
+  [[CloudFront.12] CloudFront distributions should not point to non-existent S3 origins](cloudfront-controls.md#cloudfront-12) 
+  [[CloudFront.13] CloudFront distributions should use origin access control](cloudfront-controls.md#cloudfront-13) 
+  [[CloudFront.14] CloudFront distributions should be tagged](cloudfront-controls.md#cloudfront-14) 
+  [[CloudFront.15] CloudFront distributions should use the recommended TLS security policy](cloudfront-controls.md#cloudfront-15) 
+  [[CloudFront.16] CloudFront distributions should use origin access control for Lambda function URL origins](cloudfront-controls.md#cloudfront-16) 
+  [[CloudFront.17] CloudFront distributions should use trusted key groups for signed URLs and cookies](cloudfront-controls.md#cloudfront-17) 
+  [[CodeGuruProfiler.1] CodeGuru Profiler profiling groups should be tagged](codeguruprofiler-controls.md#codeguruprofiler-1) 
+  [[CodeGuruReviewer.1] CodeGuru Reviewer repository associations should be tagged](codegurureviewer-controls.md#codegurureviewer-1) 
+  [[Connect.1] Amazon Connect Customer Profiles object types should be tagged](connect-controls.md#connect-1) 
+  [[Connect.2] Amazon Connect instances should have CloudWatch logging enabled](connect-controls.md#connect-2) 
+  [[DMS.13] DMS replication instances should be configured to use multiple Availability Zones](dms-controls.md#dms-13) 
+  [[EC2.24] Amazon EC2 paravirtual instance types should not be used](ec2-controls.md#ec2-24) 
+  [[EC2.173] EC2 Spot Fleet requests with launch parameters should enable encryption for attached EBS volumes](ec2-controls.md#ec2-173) 
+  [[ECR.4] ECR public repositories should be tagged](ecr-controls.md#ecr-4) 
+  [[FraudDetector.1] Amazon Fraud Detector entity types should be tagged](frauddetector-controls.md#frauddetector-1) 
+  [[FraudDetector.2] Amazon Fraud Detector labels should be tagged](frauddetector-controls.md#frauddetector-2) 
+  [[FraudDetector.3] Amazon Fraud Detector outcomes should be tagged](frauddetector-controls.md#frauddetector-3) 
+  [[FraudDetector.4] Amazon Fraud Detector variables should be tagged](frauddetector-controls.md#frauddetector-4) 
+  [[FSx.5] FSx for Windows File Server file systems should be configured for Multi-AZ deployment](fsx-controls.md#fsx-5) 
+  [[GlobalAccelerator.1] Global Accelerator accelerators should be tagged](globalaccelerator-controls.md#globalaccelerator-1) 
+  [[IAM.26] Expired SSL/TLS certificates managed in IAM should be removed](iam-controls.md#iam-26) 
+  [[Inspector.3] Amazon Inspector Lambda code scanning should be enabled](inspector-controls.md#inspector-3) 
+  [[IoTEvents.1] Amazon IoT Events inputs should be tagged](iotevents-controls.md#iotevents-1) 
+  [[IoTEvents.2] Amazon IoT Events detector models should be tagged](iotevents-controls.md#iotevents-2) 
+  [[IoTEvents.3] Amazon IoT Events alarm models should be tagged](iotevents-controls.md#iotevents-3) 
+  [[IoTSiteWise.1] Amazon IoT SiteWise asset models should be tagged](iotsitewise-controls.md#iotsitewise-1) 
+  [[IoTSiteWise.2] Amazon IoT SiteWise dashboards should be tagged](iotsitewise-controls.md#iotsitewise-2) 
+  [[IoTSiteWise.3] Amazon IoT SiteWise gateways should be tagged](iotsitewise-controls.md#iotsitewise-3) 
+  [[IoTSiteWise.4] Amazon IoT SiteWise portals should be tagged](iotsitewise-controls.md#iotsitewise-4) 
+  [[IoTSiteWise.5] Amazon IoT SiteWise projects should be tagged](iotsitewise-controls.md#iotsitewise-5) 
+  [[IoTTwinMaker.1] Amazon IoT TwinMaker sync jobs should be tagged](iottwinmaker-controls.md#iottwinmaker-1) 
+  [[IoTTwinMaker.2] Amazon IoT TwinMaker workspaces should be tagged](iottwinmaker-controls.md#iottwinmaker-2) 
+  [[IoTTwinMaker.3] Amazon IoT TwinMaker scenes should be tagged](iottwinmaker-controls.md#iottwinmaker-3) 
+  [[IoTTwinMaker.4] Amazon IoT TwinMaker entities should be tagged](iottwinmaker-controls.md#iottwinmaker-4) 
+  [[IoTWireless.1] Amazon IoT Wireless multicast groups should be tagged](iotwireless-controls.md#iotwireless-1) 
+  [[IoTWireless.2] Amazon IoT Wireless service profiles should be tagged](iotwireless-controls.md#iotwireless-2) 
+  [[IoTWireless.3] Amazon IoT FUOTA tasks should be tagged](iotwireless-controls.md#iotwireless-3) 
+  [[IVS.1] IVS playback key pairs should be tagged](ivs-controls.md#ivs-1) 
+  [[IVS.2] IVS recording configurations should be tagged](ivs-controls.md#ivs-2) 
+  [[IVS.3] IVS channels should be tagged](ivs-controls.md#ivs-3) 
+  [[RDS.31] RDS DB security groups should be tagged](rds-controls.md#rds-31) 
+  [[Route53.1] Route 53 health checks should be tagged](route53-controls.md#route53-1) 
+  [[Route53.2] Route 53 public hosted zones should log DNS queries](route53-controls.md#route53-2) 
+  [[S3.24] S3 Multi-Region Access Points should have block public access settings enabled](s3-controls.md#s3-24) 
+  [[S3.25] S3 directory buckets should have lifecycle configurations](s3-controls.md#s3-25) 
+  [[WAF.1] Amazon WAF Classic Global Web ACL logging should be enabled](waf-controls.md#waf-1) 
+  [[WAF.6] Amazon WAF Classic global rules should have at least one condition](waf-controls.md#waf-6) 
+  [[WAF.7] Amazon WAF Classic global rule groups should have at least one rule](waf-controls.md#waf-7) 
+  [[WAF.8] Amazon WAF Classic global web ACLs should have at least one rule or rule group](waf-controls.md#waf-8) 
+  [[WorkSpaces.1] WorkSpaces user volumes should be encrypted at rest](workspaces-controls.md#workspaces-1) 
+  [[WorkSpaces.2] WorkSpaces root volumes should be encrypted at rest](workspaces-controls.md#workspaces-2) 
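
The per-Region lists above are a documentation snapshot; the authoritative answer for a given account and Region comes from the `CurrentRegionAvailability` field that `securityhub:ListSecurityControlDefinitions` returns for each control. The script below is an added example, not code from the Security Hub documentation. It parses lists in the format used on this page into per-Region sets of control IDs, shows which controls differ between two Regions, flags controls your standards or automation rules depend on that will never produce findings in a Region, and reconciles the documented list against an API response. The markdown excerpt is a truncated copy of this page's Europe (Ireland) and Europe (London) lists; the API response is a constructed sample shaped like the real `SecurityControlDefinitions` items, not live output (the live call via a boto3 paginator is noted in a comment but not made, so the script runs offline).

```python
"""Reconcile Security Hub CSPM per-Region "unsupported controls" lists.

Added example; not code from the Security Hub documentation. DOC_EXCERPT is a
truncated copy of this page's lists; API_SAMPLE_LONDON is a constructed sample
shaped like items returned by securityhub:ListSecurityControlDefinitions.
"""
import re

HEADING_RE = re.compile(r"^## (.+?)\s*$")
# Matches the page's list items: "+  [[CloudFront.10] title](file.md#anchor)".
# Tolerates a missing space after the closing bracket.
CONTROL_RE = re.compile(r"^\+\s+\[\[([A-Za-z0-9]+\.\d+)\]")

# Truncated copy of this page's Europe (Ireland) and Europe (London) lists.
DOC_EXCERPT = """\
## Europe (Ireland)

The following controls are not supported in the Europe (Ireland) Region.
+  [[AppSync.1] Amazon AppSync API caches should be encrypted at rest](appsync-controls.md#appsync-1)
+  [[CloudFront.1] CloudFront distributions should have a default root object configured](cloudfront-controls.md#cloudfront-1)
+  [[IAM.26] Expired SSL/TLS certificates managed in IAM should be removed](iam-controls.md#iam-26)
+  [[WAF.8] Amazon WAF Classic global web ACLs should have at least one rule or rule group](waf-controls.md#waf-8)

## Europe (London)

The following controls are not supported in the Europe (London) Region.
+  [[AppRunner.2] App Runner VPC connectors should be tagged](apprunner-controls.md#apprunner-2)
+  [[AppSync.1] Amazon AppSync API caches should be encrypted at rest](appsync-controls.md#appsync-1)
+  [[CloudFront.1] CloudFront distributions should have a default root object configured](cloudfront-controls.md#cloudfront-1)
+  [[EC2.24] Amazon EC2 paravirtual instance types should not be used](ec2-controls.md#ec2-24)
+  [[IAM.26] Expired SSL/TLS certificates managed in IAM should be removed](iam-controls.md#iam-26)
+  [[WAF.8] Amazon WAF Classic global web ACLs should have at least one rule or rule group](waf-controls.md#waf-8)
"""

# Constructed sample, NOT live output. Real items come from
# boto3.client("securityhub", region_name="eu-west-2")
#      .get_paginator("list_security_control_definitions").paginate()
# and carry the same two fields used here (plus Title, SeverityRating, ...).
API_SAMPLE_LONDON = [
    {"SecurityControlId": "AppSync.1", "CurrentRegionAvailability": "UNAVAILABLE"},
    {"SecurityControlId": "CloudFront.1", "CurrentRegionAvailability": "UNAVAILABLE"},
    {"SecurityControlId": "EC2.24", "CurrentRegionAvailability": "AVAILABLE"},  # drift vs. doc
    {"SecurityControlId": "IAM.26", "CurrentRegionAvailability": "UNAVAILABLE"},
    {"SecurityControlId": "S3.1", "CurrentRegionAvailability": "AVAILABLE"},
    {"SecurityControlId": "Route53.2", "CurrentRegionAvailability": "UNAVAILABLE"},  # not in excerpt
]


def parse_unsupported(md: str) -> dict:
    """Map each '## Region' heading to the set of control IDs listed under it."""
    regions, current = {}, None
    for line in md.splitlines():
        if m := HEADING_RE.match(line):
            current = m.group(1)
            regions.setdefault(current, set())
        elif current and (m := CONTROL_RE.match(line)):
            regions[current].add(m.group(1))
    return regions


def region_diff(regions: dict, a: str, b: str):
    """Controls unsupported in Region a but not b, and the reverse."""
    return regions[a] - regions[b], regions[b] - regions[a]


def unsupported_dependencies(regions: dict, region: str, required) -> list:
    """Controls you rely on (e.g. in automation rules) that cannot emit findings here."""
    return sorted(set(required) & regions[region])


def reconcile_with_api(doc_unsupported: set, api_definitions: list):
    """Compare the documented list with an API response for the same Region.

    Returns (only_doc, only_api): controls the doc calls unsupported but the
    API reports AVAILABLE, and controls the API reports UNAVAILABLE that the
    doc does not list. Controls absent from the API response are ignored.
    """
    api_unavailable = {d["SecurityControlId"] for d in api_definitions
                       if d.get("CurrentRegionAvailability") == "UNAVAILABLE"}
    api_known = {d["SecurityControlId"] for d in api_definitions}
    only_doc = {c for c in doc_unsupported if c in api_known and c not in api_unavailable}
    only_api = api_unavailable - set(doc_unsupported)
    return only_doc, only_api


if __name__ == "__main__":
    regions = parse_unsupported(DOC_EXCERPT)
    print("London-only:", *region_diff(regions, "Europe (London)", "Europe (Ireland)"))
    print("Drift:", reconcile_with_api(regions["Europe (London)"], API_SAMPLE_LONDON))
```

Run the reconciliation in the Region where Security Hub CSPM is enabled, not from the aggregation Region: availability is evaluated per Region, so a control that is `UNAVAILABLE` in Europe (London) can still appear in aggregated findings that originated elsewhere.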

## Europe (Spain)


The following controls are not supported in the Europe (Spain) Region.
+  [[Account.2] Amazon Web Services accounts should be part of an Amazon Organizations organization](account-controls.md#account-2) 
+  [[APIGateway.8] API Gateway routes should specify an authorization type](apigateway-controls.md#apigateway-8) 
+  [[APIGateway.9] Access logging should be configured for API Gateway V2 Stages](apigateway-controls.md#apigateway-9) 
+  [[Amplify.1] Amplify apps should be tagged](amplify-controls.md#amplify-1) 
+  [[Amplify.2] Amplify branches should be tagged](amplify-controls.md#amplify-2) 
+  [[AppConfig.1] Amazon AppConfig applications should be tagged](appconfig-controls.md#appconfig-1) 
+  [[AppConfig.2] Amazon AppConfig configuration profiles should be tagged](appconfig-controls.md#appconfig-2) 
+  [[AppConfig.3] Amazon AppConfig environments should be tagged](appconfig-controls.md#appconfig-3) 
+  [[AppFlow.1] Amazon AppFlow flows should be tagged](appflow-controls.md#appflow-1) 
+  [[AppRunner.1] App Runner services should be tagged](apprunner-controls.md#apprunner-1) 
+  [[AppRunner.2] App Runner VPC connectors should be tagged](apprunner-controls.md#apprunner-2) 
+  [[AppSync.1] Amazon AppSync API caches should be encrypted at rest](appsync-controls.md#appsync-1) 
+  [[AppSync.6] Amazon AppSync API caches should be encrypted in transit](appsync-controls.md#appsync-6) 
+  [[Backup.1] Amazon Backup recovery points should be encrypted at rest](backup-controls.md#backup-1) 
+  [[CloudFormation.3] CloudFormation stacks should have termination protection enabled](cloudformation-controls.md#cloudformation-3) 
+  [[CloudFormation.4] CloudFormation stacks should have associated service roles](cloudformation-controls.md#cloudformation-4) 
+  [[CloudFront.1] CloudFront distributions should have a default root object configured](cloudfront-controls.md#cloudfront-1) 
+  [[CloudFront.3] CloudFront distributions should require encryption in transit](cloudfront-controls.md#cloudfront-3) 
+  [[CloudFront.4] CloudFront distributions should have origin failover configured](cloudfront-controls.md#cloudfront-4) 
+  [[CloudFront.5] CloudFront distributions should have logging enabled](cloudfront-controls.md#cloudfront-5) 
+  [[CloudFront.6] CloudFront distributions should have WAF enabled](cloudfront-controls.md#cloudfront-6) 
+  [[CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates](cloudfront-controls.md#cloudfront-7) 
+  [[CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests](cloudfront-controls.md#cloudfront-8) 
+  [[CloudFront.9] CloudFront distributions should encrypt traffic to custom origins](cloudfront-controls.md#cloudfront-9) 
+  [[CloudFront.10] CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins](cloudfront-controls.md#cloudfront-10) 
+  [[CloudFront.12] CloudFront distributions should not point to non-existent S3 origins](cloudfront-controls.md#cloudfront-12) 
+  [[CloudFront.13] CloudFront distributions should use origin access control](cloudfront-controls.md#cloudfront-13) 
+  [[CloudFront.14] CloudFront distributions should be tagged](cloudfront-controls.md#cloudfront-14) 
+  [[CloudFront.15] CloudFront distributions should use the recommended TLS security policy](cloudfront-controls.md#cloudfront-15) 
+  [[CloudFront.16] CloudFront distributions should use origin access control for Lambda function URL origins](cloudfront-controls.md#cloudfront-16) 
+  [[CloudFront.17] CloudFront distributions should use trusted key groups for signed URLs and cookies](cloudfront-controls.md#cloudfront-17) 
+  [[CodeArtifact.1] CodeArtifact repositories should be tagged](codeartifact-controls.md#codeartifact-1) 
+  [[CodeGuruProfiler.1] CodeGuru Profiler profiling groups should be tagged](codeguruprofiler-controls.md#codeguruprofiler-1) 
+  [[CodeGuruReviewer.1] CodeGuru Reviewer repository associations should be tagged](codegurureviewer-controls.md#codegurureviewer-1) 
+  [[Cognito.1] Cognito user pools should have threat protection activated with full function enforcement mode for standard authentication](cognito-controls.md#cognito-1) 
+  [[Cognito.2] Cognito identity pools should not allow unauthenticated identities](cognito-controls.md#cognito-2) 
+  [[Connect.1] Amazon Connect Customer Profiles object types should be tagged](connect-controls.md#connect-1) 
+  [[Connect.2] Amazon Connect instances should have CloudWatch logging enabled](connect-controls.md#connect-2) 
+  [[Detective.1] Detective behavior graphs should be tagged](detective-controls.md#detective-1) 
+  [[DMS.2] DMS certificates should be tagged](dms-controls.md#dms-2) 
+  [[DMS.3] DMS event subscriptions should be tagged](dms-controls.md#dms-3) 
+  [[DMS.4] DMS replication instances should be tagged](dms-controls.md#dms-4) 
+  [[DMS.5] DMS replication subnet groups should be tagged](dms-controls.md#dms-5) 
+  [[DMS.6] DMS replication instances should have automatic minor version upgrade enabled](dms-controls.md#dms-6) 
+  [[DMS.7] DMS replication tasks for the target database should have logging enabled](dms-controls.md#dms-7) 
+  [[DMS.8] DMS replication tasks for the source database should have logging enabled](dms-controls.md#dms-8) 
+  [[DMS.9] DMS endpoints should use SSL](dms-controls.md#dms-9) 
+  [[DMS.10] DMS endpoints for Neptune databases should have IAM authorization enabled](dms-controls.md#dms-10) 
+  [[DMS.11] DMS endpoints for MongoDB should have an authentication mechanism enabled](dms-controls.md#dms-11) 
+  [[DMS.12] DMS endpoints for Redis OSS should have TLS enabled](dms-controls.md#dms-12) 
+  [[DMS.13] DMS replication instances should be configured to use multiple Availability Zones](dms-controls.md#dms-13) 
+  [[DocumentDB.1] Amazon DocumentDB clusters should be encrypted at rest](documentdb-controls.md#documentdb-1) 
+  [[DocumentDB.2] Amazon DocumentDB clusters should have an adequate backup retention period](documentdb-controls.md#documentdb-2) 
+  [[DocumentDB.3] Amazon DocumentDB manual cluster snapshots should not be public](documentdb-controls.md#documentdb-3) 
+  [[DocumentDB.4] Amazon DocumentDB clusters should publish audit logs to CloudWatch Logs](documentdb-controls.md#documentdb-4) 
+  [[DocumentDB.5] Amazon DocumentDB clusters should have deletion protection enabled](documentdb-controls.md#documentdb-5) 
+  [[DocumentDB.6] Amazon DocumentDB clusters should be encrypted in transit](documentdb-controls.md#documentdb-6) 
+  [[DynamoDB.3] DynamoDB Accelerator (DAX) clusters should be encrypted at rest](dynamodb-controls.md#dynamodb-3) 
+  [[DynamoDB.7] DynamoDB Accelerator clusters should be encrypted in transit](dynamodb-controls.md#dynamodb-7) 
+  [[EC2.1] Amazon EBS snapshots should not be configured to be publicly restorable](ec2-controls.md#ec2-1) 
+  [[EC2.4] Stopped EC2 instances should be removed after a specified time period](ec2-controls.md#ec2-4) 
+  [[EC2.14] Security groups should not allow ingress from 0.0.0.0/0 or ::/0 to port 3389](ec2-controls.md#ec2-14) 
+  [[EC2.22] Unused Amazon EC2 security groups should be removed](ec2-controls.md#ec2-22) 
+  [[EC2.24] Amazon EC2 paravirtual instance types should not be used](ec2-controls.md#ec2-24) 
+  [[EC2.25] Amazon EC2 launch templates should not assign public IPs to network interfaces](ec2-controls.md#ec2-25) 
+  [[EC2.34] EC2 transit gateway route tables should be tagged](ec2-controls.md#ec2-34) 
+  [[EC2.40] EC2 NAT gateways should be tagged](ec2-controls.md#ec2-40) 
+  [[EC2.51] EC2 Client VPN endpoints should have client connection logging enabled](ec2-controls.md#ec2-51) 
+  [[EC2.58] VPCs should be configured with an interface endpoint for Systems Manager Incident Manager Contacts](ec2-controls.md#ec2-58) 
+  [[EC2.60] VPCs should be configured with an interface endpoint for Systems Manager Incident Manager](ec2-controls.md#ec2-60) 
+  [[EC2.170] EC2 launch templates should use Instance Metadata Service Version 2 (IMDSv2)](ec2-controls.md#ec2-170) 
+  [[EC2.173] EC2 Spot Fleet requests with launch parameters should enable encryption for attached EBS volumes](ec2-controls.md#ec2-173) 
+  [[EC2.175] EC2 launch templates should be tagged](ec2-controls.md#ec2-175) 
+  [[EC2.177] EC2 traffic mirror sessions should be tagged](ec2-controls.md#ec2-177) 
+  [[EC2.179] EC2 traffic mirror targets should be tagged](ec2-controls.md#ec2-179) 
+  [[EC2.180] EC2 network interfaces should have source/destination checking enabled](ec2-controls.md#ec2-180) 
+  [[EC2.181] EC2 launch templates should enable encryption for attached EBS volumes](ec2-controls.md#ec2-181) 
+  [[ECR.4] ECR public repositories should be tagged](ecr-controls.md#ecr-4) 
+  [[EFS.1] Elastic File System should be configured to encrypt file data at-rest using Amazon KMS](efs-controls.md#efs-1) 
+  [[EFS.2] Amazon EFS volumes should be in backup plans](efs-controls.md#efs-2) 
+  [[ELB.2] Classic Load Balancers with SSL/HTTPS listeners should use a certificate provided by Amazon Certificate Manager](elb-controls.md#elb-2) 
+  [[ELB.14] Classic Load Balancer should be configured with defensive or strictest desync mitigation mode](elb-controls.md#elb-14) 
+  [[ELB.17] Application and Network Load Balancers with listeners should use recommended security policies](elb-controls.md#elb-17) 
+  [[ELB.18] Application and Network Load Balancer listeners should use secure protocols to encrypt data in transit](elb-controls.md#elb-18) 
+  [[ElastiCache.1] ElastiCache (Redis OSS) clusters should have automatic backups enabled](elasticache-controls.md#elasticache-1) 
+  [[ElastiCache.6] ElastiCache (Redis OSS) replication groups of earlier versions should have Redis OSS AUTH enabled](elasticache-controls.md#elasticache-6) 
+  [[ElastiCache.7] ElastiCache clusters should not use the default subnet group](elasticache-controls.md#elasticache-7) 
+  [[ElasticBeanstalk.1] Elastic Beanstalk environments should have enhanced health reporting enabled](elasticbeanstalk-controls.md#elasticbeanstalk-1) 
+  [[ElasticBeanstalk.2] Elastic Beanstalk managed platform updates should be enabled](elasticbeanstalk-controls.md#elasticbeanstalk-2) 
+  [[ElasticBeanstalk.3] Elastic Beanstalk should stream logs to CloudWatch](elasticbeanstalk-controls.md#elasticbeanstalk-3) 
+  [[EMR.1] Amazon EMR cluster primary nodes should not have public IP addresses](emr-controls.md#emr-1) 
+  [[ES.4] Elasticsearch domain error logging to CloudWatch Logs should be enabled](es-controls.md#es-4) 
+  [[EventBridge.4] EventBridge global endpoints should have event replication enabled](eventbridge-controls.md#eventbridge-4) 
+  [[FraudDetector.1] Amazon Fraud Detector entity types should be tagged](frauddetector-controls.md#frauddetector-1) 
+  [[FraudDetector.2] Amazon Fraud Detector labels should be tagged](frauddetector-controls.md#frauddetector-2) 
+  [[FraudDetector.3] Amazon Fraud Detector outcomes should be tagged](frauddetector-controls.md#frauddetector-3) 
+  [[FraudDetector.4] Amazon Fraud Detector variables should be tagged](frauddetector-controls.md#frauddetector-4) 
+  [[GlobalAccelerator.1] Global Accelerator accelerators should be tagged](globalaccelerator-controls.md#globalaccelerator-1) 
+  [[Glue.4] Amazon Glue Spark jobs should run on supported versions of Amazon Glue](glue-controls.md#glue-4) 
+  [[GuardDuty.2] GuardDuty filters should be tagged](guardduty-controls.md#guardduty-2) 
+  [[IAM.1] IAM policies should not allow full "*" administrative privileges](iam-controls.md#iam-1) 
+  [[IAM.2] IAM users should not have IAM policies attached](iam-controls.md#iam-2) 
+  [[IAM.3] IAM users' access keys should be rotated every 90 days or less](iam-controls.md#iam-3) 
+  [[IAM.4] IAM root user access key should not exist](iam-controls.md#iam-4) 
+  [[IAM.5] MFA should be enabled for all IAM users that have a console password](iam-controls.md#iam-5) 
+  [[IAM.8] Unused IAM user credentials should be removed](iam-controls.md#iam-8) 
+  [[IAM.18] Ensure a support role has been created to manage incidents with Amazon Web Services Support](iam-controls.md#iam-18) 
+  [[IAM.19] MFA should be enabled for all IAM users](iam-controls.md#iam-19) 
+  [[IAM.21] IAM customer managed policies that you create should not allow wildcard actions for services](iam-controls.md#iam-21) 
+  [[IAM.22] IAM user credentials unused for 45 days should be removed](iam-controls.md#iam-22) 
+  [[IAM.24] IAM roles should be tagged](iam-controls.md#iam-24) 
+  [[IAM.25] IAM users should be tagged](iam-controls.md#iam-25) 
+  [[IAM.26] Expired SSL/TLS certificates managed in IAM should be removed](iam-controls.md#iam-26) 
+  [[IAM.27] IAM identities should not have the AWSCloudShellFullAccess policy attached](iam-controls.md#iam-27) 
+  [[Inspector.1] Amazon Inspector EC2 scanning should be enabled](inspector-controls.md#inspector-1) 
+  [[Inspector.2] Amazon Inspector ECR scanning should be enabled](inspector-controls.md#inspector-2) 
+  [[Inspector.3] Amazon Inspector Lambda code scanning should be enabled](inspector-controls.md#inspector-3) 
+  [[Inspector.4] Amazon Inspector Lambda standard scanning should be enabled](inspector-controls.md#inspector-4) 
+  [[IoTEvents.1] Amazon IoT Events inputs should be tagged](iotevents-controls.md#iotevents-1) 
+  [[IoTEvents.2] Amazon IoT Events detector models should be tagged](iotevents-controls.md#iotevents-2) 
+  [[IoTEvents.3] Amazon IoT Events alarm models should be tagged](iotevents-controls.md#iotevents-3) 
+  [[IoTSiteWise.1] Amazon IoT SiteWise asset models should be tagged](iotsitewise-controls.md#iotsitewise-1) 
+  [[IoTSiteWise.2] Amazon IoT SiteWise dashboards should be tagged](iotsitewise-controls.md#iotsitewise-2) 
+  [[IoTSiteWise.3] Amazon IoT SiteWise gateways should be tagged](iotsitewise-controls.md#iotsitewise-3) 
+  [[IoTSiteWise.4] Amazon IoT SiteWise portals should be tagged](iotsitewise-controls.md#iotsitewise-4) 
+  [[IoTSiteWise.5] Amazon IoT SiteWise projects should be tagged](iotsitewise-controls.md#iotsitewise-5) 
+  [[IoTTwinMaker.1] Amazon IoT TwinMaker sync jobs should be tagged](iottwinmaker-controls.md#iottwinmaker-1) 
+  [[IoTTwinMaker.2] Amazon IoT TwinMaker workspaces should be tagged](iottwinmaker-controls.md#iottwinmaker-2) 
+  [[IoTTwinMaker.3] Amazon IoT TwinMaker scenes should be tagged](iottwinmaker-controls.md#iottwinmaker-3) 
+  [[IoTTwinMaker.4] Amazon IoT TwinMaker entities should be tagged](iottwinmaker-controls.md#iottwinmaker-4) 
+  [[IoTWireless.1] Amazon IoT Wireless multicast groups should be tagged](iotwireless-controls.md#iotwireless-1) 
+  [[IoTWireless.2] Amazon IoT Wireless service profiles should be tagged](iotwireless-controls.md#iotwireless-2) 
+  [[IoTWireless.3] Amazon IoT FUOTA tasks should be tagged](iotwireless-controls.md#iotwireless-3) 
+  [[IVS.1] IVS playback key pairs should be tagged](ivs-controls.md#ivs-1) 
+  [[IVS.2] IVS recording configurations should be tagged](ivs-controls.md#ivs-2) 
+  [[IVS.3] IVS channels should be tagged](ivs-controls.md#ivs-3) 
+  [[Keyspaces.1] Amazon Keyspaces keyspaces should be tagged](keyspaces-controls.md#keyspaces-1) 
+  [[KMS.1] IAM customer managed policies should not allow decryption actions on all KMS keys](kms-controls.md#kms-1) 
+  [[KMS.2] IAM principals should not have IAM inline policies that allow decryption actions on all KMS keys](kms-controls.md#kms-2) 
+  [[Lambda.1] Lambda function policies should prohibit public access](lambda-controls.md#lambda-1) 
+  [[Lambda.7] Lambda functions should have Amazon X-Ray active tracing enabled](lambda-controls.md#lambda-7) 
+  [[Macie.1] Amazon Macie should be enabled](macie-controls.md#macie-1) 
+  [[Macie.2] Macie automated sensitive data discovery should be enabled](macie-controls.md#macie-2) 
+  [[MQ.2] ActiveMQ brokers should stream audit logs to CloudWatch](mq-controls.md#mq-2) 
+  [[MQ.4] Amazon MQ brokers should be tagged](mq-controls.md#mq-4) 
+  [[MQ.5] ActiveMQ brokers should use active/standby deployment mode](mq-controls.md#mq-5) 
+  [[MQ.6] RabbitMQ brokers should use cluster deployment mode](mq-controls.md#mq-6) 
+  [[MSK.3] MSK Connect connectors should be encrypted in transit](msk-controls.md#msk-3) 
+  [[MSK.4] MSK clusters should have public access disabled](msk-controls.md#msk-4) 
+  [[MSK.5] MSK connectors should have logging enabled](msk-controls.md#msk-5) 
+  [[MSK.6] MSK clusters should disable unauthenticated access](msk-controls.md#msk-6) 
+  [[Neptune.1] Neptune DB clusters should be encrypted at rest](neptune-controls.md#neptune-1) 
+  [[Neptune.2] Neptune DB clusters should publish audit logs to CloudWatch Logs](neptune-controls.md#neptune-2) 
+  [[Neptune.3] Neptune DB cluster snapshots should not be public](neptune-controls.md#neptune-3) 
+  [[Neptune.4] Neptune DB clusters should have deletion protection enabled](neptune-controls.md#neptune-4) 
+  [[Neptune.5] Neptune DB clusters should have automated backups enabled](neptune-controls.md#neptune-5) 
+  [[Neptune.6] Neptune DB cluster snapshots should be encrypted at rest](neptune-controls.md#neptune-6) 
+  [[Neptune.7] Neptune DB clusters should have IAM database authentication enabled](neptune-controls.md#neptune-7) 
+  [[Neptune.8] Neptune DB clusters should be configured to copy tags to snapshots](neptune-controls.md#neptune-8) 
+  [[Neptune.9] Neptune DB clusters should be deployed across multiple Availability Zones](neptune-controls.md#neptune-9) 
+  [[Opensearch.1] OpenSearch domains should have encryption at rest enabled](opensearch-controls.md#opensearch-1) 
+  [[Opensearch.2] OpenSearch domains should not be publicly accessible](opensearch-controls.md#opensearch-2) 
+  [[Opensearch.3] OpenSearch domains should encrypt data sent between nodes](opensearch-controls.md#opensearch-3) 
+  [[Opensearch.4] OpenSearch domain error logging to CloudWatch Logs should be enabled](opensearch-controls.md#opensearch-4) 
+  [[Opensearch.5] OpenSearch domains should have audit logging enabled](opensearch-controls.md#opensearch-5) 
+  [[Opensearch.6] OpenSearch domains should have at least three data nodes](opensearch-controls.md#opensearch-6) 
+  [[Opensearch.7] OpenSearch domains should have fine-grained access control enabled](opensearch-controls.md#opensearch-7) 
+  [[Opensearch.8] Connections to OpenSearch domains should be encrypted using the latest TLS security policy](opensearch-controls.md#opensearch-8) 
+  [[Opensearch.9] OpenSearch domains should be tagged](opensearch-controls.md#opensearch-9) 
+  [[Opensearch.10] OpenSearch domains should have the latest software update installed](opensearch-controls.md#opensearch-10) 
+  [[Opensearch.11] OpenSearch domains should have at least three dedicated primary nodes](opensearch-controls.md#opensearch-11) 
+  [[RDS.1] RDS snapshot should be private](rds-controls.md#rds-1) 
+  [[RDS.14] Amazon Aurora clusters should have backtracking enabled](rds-controls.md#rds-14) 
+  [[RDS.31] RDS DB security groups should be tagged](rds-controls.md#rds-31) 
+  [[RDS.35] RDS DB clusters should have automatic minor version upgrade enabled](rds-controls.md#rds-35) 
+  [[RDS.37] Aurora PostgreSQL DB clusters should publish logs to CloudWatch Logs](rds-controls.md#rds-37) 
+  [[Redshift.10] Redshift clusters should be encrypted at rest](redshift-controls.md#redshift-10) 
+  [[Redshift.18] Redshift clusters should have Multi-AZ deployments enabled](redshift-controls.md#redshift-18) 
+  [[Route53.1] Route 53 health checks should be tagged](route53-controls.md#route53-1) 
+  [[Route53.2] Route 53 public hosted zones should log DNS queries](route53-controls.md#route53-2) 
+  [[S3.24] S3 Multi-Region Access Points should have block public access settings enabled](s3-controls.md#s3-24) 
+  [[S3.25] S3 directory buckets should have lifecycle configurations](s3-controls.md#s3-25) 
+  [[SageMaker.1] Amazon SageMaker notebook instances should not have direct internet access](sagemaker-controls.md#sagemaker-1) 
+  [[SageMaker.2] SageMaker notebook instances should be launched in a custom VPC](sagemaker-controls.md#sagemaker-2) 
+  [[SageMaker.3] Users should not have root access to SageMaker notebook instances](sagemaker-controls.md#sagemaker-3) 
+  [[SageMaker.5] SageMaker models should have network isolation enabled](sagemaker-controls.md#sagemaker-5) 
+  [[SageMaker.9] SageMaker data quality job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-9) 
+  [[SageMaker.10] SageMaker model explainability job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-10) 
+  [[SageMaker.11] SageMaker data quality job definitions should have network isolation enabled](sagemaker-controls.md#sagemaker-11) 
+  [[SageMaker.12] SageMaker model bias job definitions should have network isolation enabled](sagemaker-controls.md#sagemaker-12) 
+  [[SageMaker.13] SageMaker model quality job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-13) 
+  [[SageMaker.14] SageMaker monitoring schedules should have network isolation enabled](sagemaker-controls.md#sagemaker-14) 
+  [[SageMaker.15] SageMaker model bias job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-15) 
+  [[SES.1] SES contact lists should be tagged](ses-controls.md#ses-1) 
+  [[SES.2] SES configuration sets should be tagged](ses-controls.md#ses-2) 
+  [[SES.3] SES configuration sets should have TLS enabled for sending emails](ses-controls.md#ses-3) 
+  [[SQS.1] Amazon SQS queues should be encrypted at rest](sqs-controls.md#sqs-1) 
+  [[SQS.2] SQS queues should be tagged](sqs-controls.md#sqs-2) 
+  [[SQS.3] SQS queue access policies should not allow public access](sqs-controls.md#sqs-3) 
+  [[SSM.6] SSM Automation should have CloudWatch logging enabled](ssm-controls.md#ssm-6) 
+  [[SSM.7] SSM documents should have the block public sharing setting enabled](ssm-controls.md#ssm-7) 
+  [[Transfer.3] Transfer Family connectors should have logging enabled](transfer-controls.md#transfer-3) 
+  [[Transfer.4] Transfer Family agreements should be tagged](transfer-controls.md#transfer-4) 
+  [[WAF.1] Amazon WAF Classic Global Web ACL logging should be enabled](waf-controls.md#waf-1) 
+  [[WAF.3] Amazon WAF Classic Regional rule groups should have at least one rule](waf-controls.md#waf-3) 
+  [[WAF.6] Amazon WAF Classic global rules should have at least one condition](waf-controls.md#waf-6) 
+  [[WAF.7] Amazon WAF Classic global rule groups should have at least one rule](waf-controls.md#waf-7) 
+  [[WAF.8] Amazon WAF Classic global web ACLs should have at least one rule or rule group](waf-controls.md#waf-8) 
+  [[WAF.10] Amazon WAF web ACLs should have at least one rule or rule group](waf-controls.md#waf-10) 
+  [[WorkSpaces.1] WorkSpaces user volumes should be encrypted at rest](workspaces-controls.md#workspaces-1) 
+  [[WorkSpaces.2] WorkSpaces root volumes should be encrypted at rest](workspaces-controls.md#workspaces-2) 

## Europe (Stockholm)


The following controls are not supported in the Europe (Stockholm) Region.
+  [[AppFlow.1] Amazon AppFlow flows should be tagged](appflow-controls.md#appflow-1) 
+  [[AppRunner.1] App Runner services should be tagged](apprunner-controls.md#apprunner-1) 
+  [[AppRunner.2] App Runner VPC connectors should be tagged](apprunner-controls.md#apprunner-2) 
+  [[AppSync.1] Amazon AppSync API caches should be encrypted at rest](appsync-controls.md#appsync-1) 
+  [[AppSync.6] Amazon AppSync API caches should be encrypted in transit](appsync-controls.md#appsync-6) 
+  [[CloudFront.1] CloudFront distributions should have a default root object configured](cloudfront-controls.md#cloudfront-1) 
+  [[CloudFront.3] CloudFront distributions should require encryption in transit](cloudfront-controls.md#cloudfront-3) 
+  [[CloudFront.4] CloudFront distributions should have origin failover configured](cloudfront-controls.md#cloudfront-4) 
+  [[CloudFront.5] CloudFront distributions should have logging enabled](cloudfront-controls.md#cloudfront-5) 
+  [[CloudFront.6] CloudFront distributions should have WAF enabled](cloudfront-controls.md#cloudfront-6) 
+  [[CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates](cloudfront-controls.md#cloudfront-7) 
+  [[CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests](cloudfront-controls.md#cloudfront-8) 
+  [[CloudFront.9] CloudFront distributions should encrypt traffic to custom origins](cloudfront-controls.md#cloudfront-9) 
+  [[CloudFront.10] CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins](cloudfront-controls.md#cloudfront-10) 
+  [[CloudFront.12] CloudFront distributions should not point to non-existent S3 origins](cloudfront-controls.md#cloudfront-12) 
+  [[CloudFront.13] CloudFront distributions should use origin access control](cloudfront-controls.md#cloudfront-13) 
+  [[CloudFront.14] CloudFront distributions should be tagged](cloudfront-controls.md#cloudfront-14) 
+  [[CloudFront.15] CloudFront distributions should use the recommended TLS security policy](cloudfront-controls.md#cloudfront-15) 
+  [[CloudFront.16] CloudFront distributions should use origin access control for Lambda function URL origins](cloudfront-controls.md#cloudfront-16) 
+  [[CloudFront.17] CloudFront distributions should use trusted key groups for signed URLs and cookies](cloudfront-controls.md#cloudfront-17) 
+  [[Connect.1] Amazon Connect Customer Profiles object types should be tagged](connect-controls.md#connect-1) 
+  [[Connect.2] Amazon Connect instances should have CloudWatch logging enabled](connect-controls.md#connect-2) 
+  [[DocumentDB.1] Amazon DocumentDB clusters should be encrypted at rest](documentdb-controls.md#documentdb-1) 
+  [[DocumentDB.2] Amazon DocumentDB clusters should have an adequate backup retention period](documentdb-controls.md#documentdb-2) 
+  [[DocumentDB.3] Amazon DocumentDB manual cluster snapshots should not be public](documentdb-controls.md#documentdb-3) 
+  [[DocumentDB.4] Amazon DocumentDB clusters should publish audit logs to CloudWatch Logs](documentdb-controls.md#documentdb-4) 
+  [[DocumentDB.5] Amazon DocumentDB clusters should have deletion protection enabled](documentdb-controls.md#documentdb-5) 
+  [[DocumentDB.6] Amazon DocumentDB clusters should be encrypted in transit](documentdb-controls.md#documentdb-6) 
+  [[DynamoDB.3] DynamoDB Accelerator (DAX) clusters should be encrypted at rest](dynamodb-controls.md#dynamodb-3) 
+  [[DynamoDB.7] DynamoDB Accelerator clusters should be encrypted in transit](dynamodb-controls.md#dynamodb-7) 
+  [[EC2.24] Amazon EC2 paravirtual instance types should not be used](ec2-controls.md#ec2-24) 
+  [[EC2.173] EC2 Spot Fleet requests with launch parameters should enable encryption for attached EBS volumes](ec2-controls.md#ec2-173) 
+  [[ECR.4] ECR public repositories should be tagged](ecr-controls.md#ecr-4) 
+  [[FraudDetector.1] Amazon Fraud Detector entity types should be tagged](frauddetector-controls.md#frauddetector-1) 
+  [[FraudDetector.2] Amazon Fraud Detector labels should be tagged](frauddetector-controls.md#frauddetector-2) 
+  [[FraudDetector.3] Amazon Fraud Detector outcomes should be tagged](frauddetector-controls.md#frauddetector-3) 
+  [[FraudDetector.4] Amazon Fraud Detector variables should be tagged](frauddetector-controls.md#frauddetector-4) 
+  [[GlobalAccelerator.1] Global Accelerator accelerators should be tagged](globalaccelerator-controls.md#globalaccelerator-1) 
+  [[IAM.26] Expired SSL/TLS certificates managed in IAM should be removed](iam-controls.md#iam-26) 
+  [[IoTEvents.1] Amazon IoT Events inputs should be tagged](iotevents-controls.md#iotevents-1) 
+  [[IoTEvents.2] Amazon IoT Events detector models should be tagged](iotevents-controls.md#iotevents-2) 
+  [[IoTEvents.3] Amazon IoT Events alarm models should be tagged](iotevents-controls.md#iotevents-3) 
+  [[IoTSiteWise.1] Amazon IoT SiteWise asset models should be tagged](iotsitewise-controls.md#iotsitewise-1) 
+  [[IoTSiteWise.2] Amazon IoT SiteWise dashboards should be tagged](iotsitewise-controls.md#iotsitewise-2) 
+  [[IoTSiteWise.3] Amazon IoT SiteWise gateways should be tagged](iotsitewise-controls.md#iotsitewise-3) 
+  [[IoTSiteWise.4] Amazon IoT SiteWise portals should be tagged](iotsitewise-controls.md#iotsitewise-4) 
+  [[IoTSiteWise.5] Amazon IoT SiteWise projects should be tagged](iotsitewise-controls.md#iotsitewise-5) 
+  [[IoTTwinMaker.1] Amazon IoT TwinMaker sync jobs should be tagged](iottwinmaker-controls.md#iottwinmaker-1) 
+  [[IoTTwinMaker.2] Amazon IoT TwinMaker workspaces should be tagged](iottwinmaker-controls.md#iottwinmaker-2) 
+  [[IoTTwinMaker.3] Amazon IoT TwinMaker scenes should be tagged](iottwinmaker-controls.md#iottwinmaker-3) 
+  [[IoTTwinMaker.4] Amazon IoT TwinMaker entities should be tagged](iottwinmaker-controls.md#iottwinmaker-4) 
+  [[IoTWireless.1] Amazon IoT Wireless multicast groups should be tagged](iotwireless-controls.md#iotwireless-1) 
+  [[IoTWireless.2] Amazon IoT Wireless service profiles should be tagged](iotwireless-controls.md#iotwireless-2) 
+  [[IoTWireless.3] Amazon IoT FUOTA tasks should be tagged](iotwireless-controls.md#iotwireless-3) 
+  [[IVS.1] IVS playback key pairs should be tagged](ivs-controls.md#ivs-1) 
+  [[IVS.2] IVS recording configurations should be tagged](ivs-controls.md#ivs-2) 
+  [[IVS.3] IVS channels should be tagged](ivs-controls.md#ivs-3) 
+  [[RDS.14] Amazon Aurora clusters should have backtracking enabled](rds-controls.md#rds-14) 
+  [[RDS.31] RDS DB security groups should be tagged](rds-controls.md#rds-31) 
+  [[Route53.1] Route 53 health checks should be tagged](route53-controls.md#route53-1) 
+  [[Route53.2] Route 53 public hosted zones should log DNS queries](route53-controls.md#route53-2) 
+  [[S3.24] S3 Multi-Region Access Points should have block public access settings enabled](s3-controls.md#s3-24) 
+  [[SageMaker.12] SageMaker model bias job definitions should have network isolation enabled](sagemaker-controls.md#sagemaker-12) 
+  [[SageMaker.15] SageMaker model bias job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-15) 
+  [[WAF.1] Amazon WAF Classic Global Web ACL logging should be enabled](waf-controls.md#waf-1) 
+  [[WAF.6] Amazon WAF Classic global rules should have at least one condition](waf-controls.md#waf-6) 
+  [[WAF.7] Amazon WAF Classic global rule groups should have at least one rule](waf-controls.md#waf-7) 
+  [[WAF.8] Amazon WAF Classic global web ACLs should have at least one rule or rule group](waf-controls.md#waf-8) 
+  [[WorkSpaces.1] WorkSpaces user volumes should be encrypted at rest](workspaces-controls.md#workspaces-1) 
+  [[WorkSpaces.2] WorkSpaces root volumes should be encrypted at rest](workspaces-controls.md#workspaces-2) 

## Europe (Zurich)


The following controls are not supported in the Europe (Zurich) Region.
+  [[APIGateway.8] API Gateway routes should specify an authorization type](apigateway-controls.md#apigateway-8) 
+  [[APIGateway.9] Access logging should be configured for API Gateway V2 Stages](apigateway-controls.md#apigateway-9) 
+  [[Amplify.1] Amplify apps should be tagged](amplify-controls.md#amplify-1) 
+  [[Amplify.2] Amplify branches should be tagged](amplify-controls.md#amplify-2) 
+  [[AppConfig.1] Amazon AppConfig applications should be tagged](appconfig-controls.md#appconfig-1) 
+  [[AppConfig.2] Amazon AppConfig configuration profiles should be tagged](appconfig-controls.md#appconfig-2) 
+  [[AppConfig.3] Amazon AppConfig environments should be tagged](appconfig-controls.md#appconfig-3) 
+  [[AppFlow.1] Amazon AppFlow flows should be tagged](appflow-controls.md#appflow-1) 
+  [[AppRunner.1] App Runner services should be tagged](apprunner-controls.md#apprunner-1) 
+  [[AppRunner.2] App Runner VPC connectors should be tagged](apprunner-controls.md#apprunner-2) 
+  [[AppSync.1] Amazon AppSync API caches should be encrypted at rest](appsync-controls.md#appsync-1) 
+  [[AppSync.6] Amazon AppSync API caches should be encrypted in transit](appsync-controls.md#appsync-6) 
+  [[Backup.1] Amazon Backup recovery points should be encrypted at rest](backup-controls.md#backup-1) 
+  [[CloudFormation.3] CloudFormation stacks should have termination protection enabled](cloudformation-controls.md#cloudformation-3) 
+  [[CloudFormation.4] CloudFormation stacks should have associated service roles](cloudformation-controls.md#cloudformation-4) 
+  [[CloudFront.1] CloudFront distributions should have a default root object configured](cloudfront-controls.md#cloudfront-1) 
+  [[CloudFront.3] CloudFront distributions should require encryption in transit](cloudfront-controls.md#cloudfront-3) 
+  [[CloudFront.4] CloudFront distributions should have origin failover configured](cloudfront-controls.md#cloudfront-4) 
+  [[CloudFront.5] CloudFront distributions should have logging enabled](cloudfront-controls.md#cloudfront-5) 
+  [[CloudFront.6] CloudFront distributions should have WAF enabled](cloudfront-controls.md#cloudfront-6) 
+  [[CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates](cloudfront-controls.md#cloudfront-7) 
+  [[CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests](cloudfront-controls.md#cloudfront-8) 
+  [[CloudFront.9] CloudFront distributions should encrypt traffic to custom origins](cloudfront-controls.md#cloudfront-9) 
+  [[CloudFront.10] CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins](cloudfront-controls.md#cloudfront-10) 
+  [[CloudFront.12] CloudFront distributions should not point to non-existent S3 origins](cloudfront-controls.md#cloudfront-12) 
+  [[CloudFront.13] CloudFront distributions should use origin access control](cloudfront-controls.md#cloudfront-13) 
+  [[CloudFront.14] CloudFront distributions should be tagged](cloudfront-controls.md#cloudfront-14) 
+  [[CloudFront.15] CloudFront distributions should use the recommended TLS security policy](cloudfront-controls.md#cloudfront-15) 
+  [[CloudFront.16] CloudFront distributions should use origin access control for Lambda function URL origins](cloudfront-controls.md#cloudfront-16) 
+  [[CloudFront.17] CloudFront distributions should use trusted key groups for signed URLs and cookies](cloudfront-controls.md#cloudfront-17) 
+  [[CloudTrail.6] Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible](cloudtrail-controls.md#cloudtrail-6) 
+  [[CloudTrail.7] Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket](cloudtrail-controls.md#cloudtrail-7) 
+  [[CodeArtifact.1] CodeArtifact repositories should be tagged](codeartifact-controls.md#codeartifact-1) 
+  [[CodeGuruProfiler.1] CodeGuru Profiler profiling groups should be tagged](codeguruprofiler-controls.md#codeguruprofiler-1) 
+  [[CodeGuruReviewer.1] CodeGuru Reviewer repository associations should be tagged](codegurureviewer-controls.md#codegurureviewer-1) 
+  [[Cognito.1] Cognito user pools should have threat protection activated with full function enforcement mode for standard authentication](cognito-controls.md#cognito-1) 
+  [[Cognito.2] Cognito identity pools should not allow unauthenticated identities](cognito-controls.md#cognito-2) 
+  [[Connect.1] Amazon Connect Customer Profiles object types should be tagged](connect-controls.md#connect-1) 
+  [[Connect.2] Amazon Connect instances should have CloudWatch logging enabled](connect-controls.md#connect-2) 
+  [[Detective.1] Detective behavior graphs should be tagged](detective-controls.md#detective-1) 
+  [[DMS.2] DMS certificates should be tagged](dms-controls.md#dms-2) 
+  [[DMS.3] DMS event subscriptions should be tagged](dms-controls.md#dms-3) 
+  [[DMS.4] DMS replication instances should be tagged](dms-controls.md#dms-4) 
+  [[DMS.5] DMS replication subnet groups should be tagged](dms-controls.md#dms-5) 
+  [[DMS.6] DMS replication instances should have automatic minor version upgrade enabled](dms-controls.md#dms-6) 
+  [[DMS.7] DMS replication tasks for the target database should have logging enabled](dms-controls.md#dms-7) 
+  [[DMS.8] DMS replication tasks for the source database should have logging enabled](dms-controls.md#dms-8) 
+  [[DMS.9] DMS endpoints should use SSL](dms-controls.md#dms-9) 
+  [[DMS.10] DMS endpoints for Neptune databases should have IAM authorization enabled](dms-controls.md#dms-10) 
+  [[DMS.11] DMS endpoints for MongoDB should have an authentication mechanism enabled](dms-controls.md#dms-11) 
+  [[DMS.12] DMS endpoints for Redis OSS should have TLS enabled](dms-controls.md#dms-12) 
+  [[DMS.13] DMS replication instances should be configured to use multiple Availability Zones](dms-controls.md#dms-13) 
+  [[DocumentDB.1] Amazon DocumentDB clusters should be encrypted at rest](documentdb-controls.md#documentdb-1) 
+  [[DocumentDB.2] Amazon DocumentDB clusters should have an adequate backup retention period](documentdb-controls.md#documentdb-2) 
+  [[DocumentDB.3] Amazon DocumentDB manual cluster snapshots should not be public](documentdb-controls.md#documentdb-3) 
+  [[DocumentDB.4] Amazon DocumentDB clusters should publish audit logs to CloudWatch Logs](documentdb-controls.md#documentdb-4) 
+  [[DocumentDB.5] Amazon DocumentDB clusters should have deletion protection enabled](documentdb-controls.md#documentdb-5) 
+  [[DocumentDB.6] Amazon DocumentDB clusters should be encrypted in transit](documentdb-controls.md#documentdb-6) 
+  [[DynamoDB.3] DynamoDB Accelerator (DAX) clusters should be encrypted at rest](dynamodb-controls.md#dynamodb-3) 
+  [[DynamoDB.7] DynamoDB Accelerator clusters should be encrypted in transit](dynamodb-controls.md#dynamodb-7) 
+  [[EC2.4] Stopped EC2 instances should be removed after a specified time period](ec2-controls.md#ec2-4) 
+  [[EC2.14] Security groups should not allow ingress from 0.0.0.0/0 or ::/0 to port 3389](ec2-controls.md#ec2-14) 
+  [[EC2.22] Unused Amazon EC2 security groups should be removed](ec2-controls.md#ec2-22) 
+  [[EC2.24] Amazon EC2 paravirtual instance types should not be used](ec2-controls.md#ec2-24) 
+  [[EC2.25] Amazon EC2 launch templates should not assign public IPs to network interfaces](ec2-controls.md#ec2-25) 
+  [[EC2.58] VPCs should be configured with an interface endpoint for Systems Manager Incident Manager Contacts](ec2-controls.md#ec2-58) 
+  [[EC2.60] VPCs should be configured with an interface endpoint for Systems Manager Incident Manager](ec2-controls.md#ec2-60) 
+  [[EC2.170] EC2 launch templates should use Instance Metadata Service Version 2 (IMDSv2)](ec2-controls.md#ec2-170) 
+  [[EC2.173] EC2 Spot Fleet requests with launch parameters should enable encryption for attached EBS volumes](ec2-controls.md#ec2-173) 
+  [[EC2.175] EC2 launch templates should be tagged](ec2-controls.md#ec2-175) 
+  [[EC2.180] EC2 network interfaces should have source/destination checking enabled](ec2-controls.md#ec2-180) 
+  [[EC2.181] EC2 launch templates should enable encryption for attached EBS volumes](ec2-controls.md#ec2-181) 
+  [[ECR.4] ECR public repositories should be tagged](ecr-controls.md#ecr-4) 
+  [[EFS.1] Elastic File System should be configured to encrypt file data at-rest using Amazon KMS](efs-controls.md#efs-1) 
+  [[EFS.2] Amazon EFS volumes should be in backup plans](efs-controls.md#efs-2) 
+  [[ELB.2] Classic Load Balancers with SSL/HTTPS listeners should use a certificate provided by Amazon Certificate Manager](elb-controls.md#elb-2) 
+  [[ELB.14] Classic Load Balancer should be configured with defensive or strictest desync mitigation mode](elb-controls.md#elb-14) 
+  [[ELB.17] Application and Network Load Balancers with listeners should use recommended security policies](elb-controls.md#elb-17) 
+  [[ELB.18] Application and Network Load Balancer listeners should use secure protocols to encrypt data in transit](elb-controls.md#elb-18) 
+  [[ElastiCache.1] ElastiCache (Redis OSS) clusters should have automatic backups enabled](elasticache-controls.md#elasticache-1) 
+  [[ElastiCache.6] ElastiCache (Redis OSS) replication groups of earlier versions should have Redis OSS AUTH enabled](elasticache-controls.md#elasticache-6) 
+  [[ElastiCache.7] ElastiCache clusters should not use the default subnet group](elasticache-controls.md#elasticache-7) 
+  [[ElasticBeanstalk.1] Elastic Beanstalk environments should have enhanced health reporting enabled](elasticbeanstalk-controls.md#elasticbeanstalk-1) 
+  [[ElasticBeanstalk.2] Elastic Beanstalk managed platform updates should be enabled](elasticbeanstalk-controls.md#elasticbeanstalk-2) 
+  [[ElasticBeanstalk.3] Elastic Beanstalk should stream logs to CloudWatch](elasticbeanstalk-controls.md#elasticbeanstalk-3) 
+  [[EMR.1] Amazon EMR cluster primary nodes should not have public IP addresses](emr-controls.md#emr-1) 
+  [[ES.4] Elasticsearch domain error logging to CloudWatch Logs should be enabled](es-controls.md#es-4) 
+  [[EventBridge.4] EventBridge global endpoints should have event replication enabled](eventbridge-controls.md#eventbridge-4) 
+  [[FraudDetector.1] Amazon Fraud Detector entity types should be tagged](frauddetector-controls.md#frauddetector-1) 
+  [[FraudDetector.2] Amazon Fraud Detector labels should be tagged](frauddetector-controls.md#frauddetector-2) 
+  [[FraudDetector.3] Amazon Fraud Detector outcomes should be tagged](frauddetector-controls.md#frauddetector-3) 
+  [[FraudDetector.4] Amazon Fraud Detector variables should be tagged](frauddetector-controls.md#frauddetector-4) 
+  [[GlobalAccelerator.1] Global Accelerator accelerators should be tagged](globalaccelerator-controls.md#globalaccelerator-1) 
+  [[Glue.4] Amazon Glue Spark jobs should run on supported versions of Amazon Glue](glue-controls.md#glue-4) 
+  [[GuardDuty.2] GuardDuty filters should be tagged](guardduty-controls.md#guardduty-2) 
+  [[IAM.1] IAM policies should not allow full "\*" administrative privileges](iam-controls.md#iam-1) 
+  [[IAM.2] IAM users should not have IAM policies attached](iam-controls.md#iam-2) 
+  [[IAM.3] IAM users' access keys should be rotated every 90 days or less](iam-controls.md#iam-3) 
+  [[IAM.4] IAM root user access key should not exist](iam-controls.md#iam-4) 
+  [[IAM.5] MFA should be enabled for all IAM users that have a console password](iam-controls.md#iam-5) 
+  [[IAM.8] Unused IAM user credentials should be removed](iam-controls.md#iam-8) 
+  [[IAM.18] Ensure a support role has been created to manage incidents with Amazon Web Services Support](iam-controls.md#iam-18) 
+  [[IAM.19] MFA should be enabled for all IAM users](iam-controls.md#iam-19) 
+  [[IAM.21] IAM customer managed policies that you create should not allow wildcard actions for services](iam-controls.md#iam-21) 
+  [[IAM.22] IAM user credentials unused for 45 days should be removed](iam-controls.md#iam-22) 
+  [[IAM.24] IAM roles should be tagged](iam-controls.md#iam-24) 
+  [[IAM.25] IAM users should be tagged](iam-controls.md#iam-25) 
+  [[IAM.26] Expired SSL/TLS certificates managed in IAM should be removed](iam-controls.md#iam-26) 
+  [[IAM.27] IAM identities should not have the AWSCloudShellFullAccess policy attached](iam-controls.md#iam-27) 
+  [[Inspector.3] Amazon Inspector Lambda code scanning should be enabled](inspector-controls.md#inspector-3) 
+  [[IoT.1] Amazon IoT Device Defender security profiles should be tagged](iot-controls.md#iot-1) 
+  [[IoT.2] Amazon IoT Core mitigation actions should be tagged](iot-controls.md#iot-2) 
+  [[IoT.3] Amazon IoT Core dimensions should be tagged](iot-controls.md#iot-3) 
+  [[IoT.4] Amazon IoT Core authorizers should be tagged](iot-controls.md#iot-4) 
+  [[IoT.5] Amazon IoT Core role aliases should be tagged](iot-controls.md#iot-5) 
+  [[IoT.6] Amazon IoT Core policies should be tagged](iot-controls.md#iot-6) 
+  [[IoTEvents.1] Amazon IoT Events inputs should be tagged](iotevents-controls.md#iotevents-1) 
+  [[IoTEvents.2] Amazon IoT Events detector models should be tagged](iotevents-controls.md#iotevents-2) 
+  [[IoTEvents.3] Amazon IoT Events alarm models should be tagged](iotevents-controls.md#iotevents-3) 
+  [[IoTSiteWise.1] Amazon IoT SiteWise asset models should be tagged](iotsitewise-controls.md#iotsitewise-1) 
+  [[IoTSiteWise.2] Amazon IoT SiteWise dashboards should be tagged](iotsitewise-controls.md#iotsitewise-2) 
+  [[IoTSiteWise.3] Amazon IoT SiteWise gateways should be tagged](iotsitewise-controls.md#iotsitewise-3) 
+  [[IoTSiteWise.4] Amazon IoT SiteWise portals should be tagged](iotsitewise-controls.md#iotsitewise-4) 
+  [[IoTSiteWise.5] Amazon IoT SiteWise projects should be tagged](iotsitewise-controls.md#iotsitewise-5) 
+  [[IoTTwinMaker.1] Amazon IoT TwinMaker sync jobs should be tagged](iottwinmaker-controls.md#iottwinmaker-1) 
+  [[IoTTwinMaker.2] Amazon IoT TwinMaker workspaces should be tagged](iottwinmaker-controls.md#iottwinmaker-2) 
+  [[IoTTwinMaker.3] Amazon IoT TwinMaker scenes should be tagged](iottwinmaker-controls.md#iottwinmaker-3) 
+  [[IoTTwinMaker.4] Amazon IoT TwinMaker entities should be tagged](iottwinmaker-controls.md#iottwinmaker-4) 
+  [[IoTWireless.1] Amazon IoT Wireless multicast groups should be tagged](iotwireless-controls.md#iotwireless-1) 
+  [[IoTWireless.2] Amazon IoT Wireless service profiles should be tagged](iotwireless-controls.md#iotwireless-2) 
+  [[IoTWireless.3] Amazon IoT FUOTA tasks should be tagged](iotwireless-controls.md#iotwireless-3) 
+  [[IVS.1] IVS playback key pairs should be tagged](ivs-controls.md#ivs-1) 
+  [[IVS.2] IVS recording configurations should be tagged](ivs-controls.md#ivs-2) 
+  [[IVS.3] IVS channels should be tagged](ivs-controls.md#ivs-3) 
+  [[Keyspaces.1] Amazon Keyspaces keyspaces should be tagged](keyspaces-controls.md#keyspaces-1) 
+  [[KMS.1] IAM customer managed policies should not allow decryption actions on all KMS keys](kms-controls.md#kms-1) 
+  [[KMS.2] IAM principals should not have IAM inline policies that allow decryption actions on all KMS keys](kms-controls.md#kms-2) 
+  [[Lambda.7] Lambda functions should have Amazon X-Ray active tracing enabled](lambda-controls.md#lambda-7) 
+  [[Macie.1] Amazon Macie should be enabled](macie-controls.md#macie-1) 
+  [[Macie.2] Macie automated sensitive data discovery should be enabled](macie-controls.md#macie-2) 
+  [[MQ.2] ActiveMQ brokers should stream audit logs to CloudWatch](mq-controls.md#mq-2) 
+  [[MQ.4] Amazon MQ brokers should be tagged](mq-controls.md#mq-4) 
+  [[MQ.5] ActiveMQ brokers should use active/standby deployment mode](mq-controls.md#mq-5) 
+  [[MQ.6] RabbitMQ brokers should use cluster deployment mode](mq-controls.md#mq-6) 
+  [[MSK.3] MSK Connect connectors should be encrypted in transit](msk-controls.md#msk-3) 
+  [[MSK.4] MSK clusters should have public access disabled](msk-controls.md#msk-4) 
+  [[MSK.5] MSK connectors should have logging enabled](msk-controls.md#msk-5) 
+  [[MSK.6] MSK clusters should disable unauthenticated access](msk-controls.md#msk-6) 
+  [[Neptune.1] Neptune DB clusters should be encrypted at rest](neptune-controls.md#neptune-1) 
+  [[Neptune.2] Neptune DB clusters should publish audit logs to CloudWatch Logs](neptune-controls.md#neptune-2) 
+  [[Neptune.3] Neptune DB cluster snapshots should not be public](neptune-controls.md#neptune-3) 
+  [[Neptune.4] Neptune DB clusters should have deletion protection enabled](neptune-controls.md#neptune-4) 
+  [[Neptune.5] Neptune DB clusters should have automated backups enabled](neptune-controls.md#neptune-5) 
+  [[Neptune.6] Neptune DB cluster snapshots should be encrypted at rest](neptune-controls.md#neptune-6) 
+  [[Neptune.7] Neptune DB clusters should have IAM database authentication enabled](neptune-controls.md#neptune-7) 
+  [[Neptune.8] Neptune DB clusters should be configured to copy tags to snapshots](neptune-controls.md#neptune-8) 
+  [[Neptune.9] Neptune DB clusters should be deployed across multiple Availability Zones](neptune-controls.md#neptune-9) 
+  [[Opensearch.1] OpenSearch domains should have encryption at rest enabled](opensearch-controls.md#opensearch-1) 
+  [[Opensearch.2] OpenSearch domains should not be publicly accessible](opensearch-controls.md#opensearch-2) 
+  [[Opensearch.3] OpenSearch domains should encrypt data sent between nodes](opensearch-controls.md#opensearch-3) 
+  [[Opensearch.4] OpenSearch domain error logging to CloudWatch Logs should be enabled](opensearch-controls.md#opensearch-4) 
+  [[Opensearch.5] OpenSearch domains should have audit logging enabled](opensearch-controls.md#opensearch-5) 
+  [[Opensearch.6] OpenSearch domains should have at least three data nodes](opensearch-controls.md#opensearch-6) 
+  [[Opensearch.7] OpenSearch domains should have fine-grained access control enabled](opensearch-controls.md#opensearch-7) 
+  [[Opensearch.8] Connections to OpenSearch domains should be encrypted using the latest TLS security policy](opensearch-controls.md#opensearch-8) 
+  [[Opensearch.9] OpenSearch domains should be tagged](opensearch-controls.md#opensearch-9) 
+  [[Opensearch.10] OpenSearch domains should have the latest software update installed](opensearch-controls.md#opensearch-10) 
+  [[Opensearch.11] OpenSearch domains should have at least three dedicated primary nodes](opensearch-controls.md#opensearch-11) 
+  [[RDS.1] RDS snapshot should be private](rds-controls.md#rds-1) 
+  [[RDS.14] Amazon Aurora clusters should have backtracking enabled](rds-controls.md#rds-14) 
+  [[RDS.31] RDS DB security groups should be tagged](rds-controls.md#rds-31) 
+  [[RDS.35] RDS DB clusters should have automatic minor version upgrade enabled](rds-controls.md#rds-35) 
+  [[Redshift.18] Redshift clusters should have Multi-AZ deployments enabled](redshift-controls.md#redshift-18) 
+  [[Route53.1] Route 53 health checks should be tagged](route53-controls.md#route53-1) 
+  [[Route53.2] Route 53 public hosted zones should log DNS queries](route53-controls.md#route53-2) 
+  [[S3.24] S3 Multi-Region Access Points should have block public access settings enabled](s3-controls.md#s3-24) 
+  [[S3.25] S3 directory buckets should have lifecycle configurations](s3-controls.md#s3-25) 
+  [[SageMaker.1] Amazon SageMaker notebook instances should not have direct internet access](sagemaker-controls.md#sagemaker-1) 
+  [[SageMaker.2] SageMaker notebook instances should be launched in a custom VPC](sagemaker-controls.md#sagemaker-2) 
+  [[SageMaker.3] Users should not have root access to SageMaker notebook instances](sagemaker-controls.md#sagemaker-3) 
+  [[SageMaker.5] SageMaker models should have network isolation enabled](sagemaker-controls.md#sagemaker-5) 
+  [[SageMaker.6] SageMaker app image configurations should be tagged](sagemaker-controls.md#sagemaker-6) 
+  [[SageMaker.7] SageMaker images should be tagged](sagemaker-controls.md#sagemaker-7) 
+  [[SageMaker.9] SageMaker data quality job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-9) 
+  [[SageMaker.10] SageMaker model explainability job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-10) 
+  [[SageMaker.11] SageMaker data quality job definitions should have network isolation enabled](sagemaker-controls.md#sagemaker-11) 
+  [[SageMaker.12] SageMaker model bias job definitions should have network isolation enabled](sagemaker-controls.md#sagemaker-12) 
+  [[SageMaker.13] SageMaker model quality job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-13) 
+  [[SageMaker.14] SageMaker monitoring schedules should have network isolation enabled](sagemaker-controls.md#sagemaker-14) 
+  [[SageMaker.15] SageMaker model bias job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-15) 
+  [[SES.3] SES configuration sets should have TLS enabled for sending emails](ses-controls.md#ses-3) 
+  [[SQS.1] Amazon SQS queues should be encrypted at rest](sqs-controls.md#sqs-1) 
+  [[SQS.2] SQS queues should be tagged](sqs-controls.md#sqs-2) 
+  [[SQS.3] SQS queue access policies should not allow public access](sqs-controls.md#sqs-3) 
+  [[SSM.6] SSM Automation should have CloudWatch logging enabled](ssm-controls.md#ssm-6) 
+  [[SSM.7] SSM documents should have the block public sharing setting enabled](ssm-controls.md#ssm-7) 
+  [[Transfer.3] Transfer Family connectors should have logging enabled](transfer-controls.md#transfer-3) 
+  [[Transfer.4] Transfer Family agreements should be tagged](transfer-controls.md#transfer-4) 
+  [[WAF.1] Amazon WAF Classic Global Web ACL logging should be enabled](waf-controls.md#waf-1) 
+  [[WAF.3] Amazon WAF Classic Regional rule groups should have at least one rule](waf-controls.md#waf-3) 
+  [[WAF.6] Amazon WAF Classic global rules should have at least one condition](waf-controls.md#waf-6) 
+  [[WAF.7] Amazon WAF Classic global rule groups should have at least one rule](waf-controls.md#waf-7) 
+  [[WAF.8] Amazon WAF Classic global web ACLs should have at least one rule or rule group](waf-controls.md#waf-8) 
+  [[WAF.10] Amazon WAF web ACLs should have at least one rule or rule group](waf-controls.md#waf-10) 
+  [[WorkSpaces.1] WorkSpaces user volumes should be encrypted at rest](workspaces-controls.md#workspaces-1) 
+  [[WorkSpaces.2] WorkSpaces root volumes should be encrypted at rest](workspaces-controls.md#workspaces-2) 

## Israel (Tel Aviv)

The following controls are not supported in the Israel (Tel Aviv) Region.
+  [[APIGateway.8] API Gateway routes should specify an authorization type](apigateway-controls.md#apigateway-8) 
+  [[APIGateway.9] Access logging should be configured for API Gateway V2 Stages](apigateway-controls.md#apigateway-9) 
+  [[Amplify.1] Amplify apps should be tagged](amplify-controls.md#amplify-1) 
+  [[Amplify.2] Amplify branches should be tagged](amplify-controls.md#amplify-2) 
+  [[AppFlow.1] Amazon AppFlow flows should be tagged](appflow-controls.md#appflow-1) 
+  [[AppRunner.1] App Runner services should be tagged](apprunner-controls.md#apprunner-1) 
+  [[AppRunner.2] App Runner VPC connectors should be tagged](apprunner-controls.md#apprunner-2) 
+  [[AppSync.1] Amazon AppSync API caches should be encrypted at rest](appsync-controls.md#appsync-1) 
+  [[AppSync.2] Amazon AppSync should have field-level logging enabled](appsync-controls.md#appsync-2) 
+  [[AppSync.5] Amazon AppSync GraphQL APIs should not be authenticated with API keys](appsync-controls.md#appsync-5) 
+  [[AppSync.6] Amazon AppSync API caches should be encrypted in transit](appsync-controls.md#appsync-6) 
+  [[Backup.1] Amazon Backup recovery points should be encrypted at rest](backup-controls.md#backup-1) 
+  [[Backup.4] Amazon Backup report plans should be tagged](backup-controls.md#backup-4) 
+  [[Batch.1] Batch job queues should be tagged](batch-controls.md#batch-1) 
+  [[Batch.3] Batch compute environments should be tagged](batch-controls.md#batch-3) 
+  [[Batch.4] Compute resources properties in managed Batch compute environments should be tagged](batch-controls.md#batch-4) 
+  [[CloudFormation.3] CloudFormation stacks should have termination protection enabled](cloudformation-controls.md#cloudformation-3) 
+  [[CloudFormation.4] CloudFormation stacks should have associated service roles](cloudformation-controls.md#cloudformation-4) 
+  [[CloudFront.1] CloudFront distributions should have a default root object configured](cloudfront-controls.md#cloudfront-1) 
+  [[CloudFront.3] CloudFront distributions should require encryption in transit](cloudfront-controls.md#cloudfront-3) 
+  [[CloudFront.4] CloudFront distributions should have origin failover configured](cloudfront-controls.md#cloudfront-4) 
+  [[CloudFront.5] CloudFront distributions should have logging enabled](cloudfront-controls.md#cloudfront-5) 
+  [[CloudFront.6] CloudFront distributions should have WAF enabled](cloudfront-controls.md#cloudfront-6) 
+  [[CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates](cloudfront-controls.md#cloudfront-7) 
+  [[CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests](cloudfront-controls.md#cloudfront-8) 
+  [[CloudFront.9] CloudFront distributions should encrypt traffic to custom origins](cloudfront-controls.md#cloudfront-9) 
+  [[CloudFront.10] CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins](cloudfront-controls.md#cloudfront-10) 
+  [[CloudFront.12] CloudFront distributions should not point to non-existent S3 origins](cloudfront-controls.md#cloudfront-12) 
+  [[CloudFront.13] CloudFront distributions should use origin access control](cloudfront-controls.md#cloudfront-13) 
+  [[CloudFront.14] CloudFront distributions should be tagged](cloudfront-controls.md#cloudfront-14) 
+  [[CloudFront.15] CloudFront distributions should use the recommended TLS security policy](cloudfront-controls.md#cloudfront-15) 
+  [[CloudFront.16] CloudFront distributions should use origin access control for Lambda function URL origins](cloudfront-controls.md#cloudfront-16) 
+  [[CloudFront.17] CloudFront distributions should use trusted key groups for signed URLs and cookies](cloudfront-controls.md#cloudfront-17) 
+  [[CodeArtifact.1] CodeArtifact repositories should be tagged](codeartifact-controls.md#codeartifact-1) 
+  [[CodeGuruProfiler.1] CodeGuru Profiler profiling groups should be tagged](codeguruprofiler-controls.md#codeguruprofiler-1) 
+  [[CodeGuruReviewer.1] CodeGuru Reviewer repository associations should be tagged](codegurureviewer-controls.md#codegurureviewer-1) 
+  [[Cognito.2] Cognito identity pools should not allow unauthenticated identities](cognito-controls.md#cognito-2) 
+  [[Connect.1] Amazon Connect Customer Profiles object types should be tagged](connect-controls.md#connect-1) 
+  [[Connect.2] Amazon Connect instances should have CloudWatch logging enabled](connect-controls.md#connect-2) 
+  [[DMS.2] DMS certificates should be tagged](dms-controls.md#dms-2) 
+  [[DMS.3] DMS event subscriptions should be tagged](dms-controls.md#dms-3) 
+  [[DMS.4] DMS replication instances should be tagged](dms-controls.md#dms-4) 
+  [[DMS.5] DMS replication subnet groups should be tagged](dms-controls.md#dms-5) 
+  [[DMS.6] DMS replication instances should have automatic minor version upgrade enabled](dms-controls.md#dms-6) 
+  [[DMS.7] DMS replication tasks for the target database should have logging enabled](dms-controls.md#dms-7) 
+  [[DMS.8] DMS replication tasks for the source database should have logging enabled](dms-controls.md#dms-8) 
+  [[DMS.9] DMS endpoints should use SSL](dms-controls.md#dms-9) 
+  [[DMS.10] DMS endpoints for Neptune databases should have IAM authorization enabled](dms-controls.md#dms-10) 
+  [[DMS.11] DMS endpoints for MongoDB should have an authentication mechanism enabled](dms-controls.md#dms-11) 
+  [[DMS.12] DMS endpoints for Redis OSS should have TLS enabled](dms-controls.md#dms-12) 
+  [[DMS.13] DMS replication instances should be configured to use multiple Availability Zones](dms-controls.md#dms-13) 
+  [[DocumentDB.1] Amazon DocumentDB clusters should be encrypted at rest](documentdb-controls.md#documentdb-1) 
+  [[DocumentDB.2] Amazon DocumentDB clusters should have an adequate backup retention period](documentdb-controls.md#documentdb-2) 
+  [[DocumentDB.3] Amazon DocumentDB manual cluster snapshots should not be public](documentdb-controls.md#documentdb-3) 
+  [[DocumentDB.4] Amazon DocumentDB clusters should publish audit logs to CloudWatch Logs](documentdb-controls.md#documentdb-4) 
+  [[DocumentDB.5] Amazon DocumentDB clusters should have deletion protection enabled](documentdb-controls.md#documentdb-5) 
+  [[DocumentDB.6] Amazon DocumentDB clusters should be encrypted in transit](documentdb-controls.md#documentdb-6) 
+  [[DynamoDB.3] DynamoDB Accelerator (DAX) clusters should be encrypted at rest](dynamodb-controls.md#dynamodb-3) 
+  [[DynamoDB.4] DynamoDB tables should be present in a backup plan](dynamodb-controls.md#dynamodb-4) 
+  [[DynamoDB.7] DynamoDB Accelerator clusters should be encrypted in transit](dynamodb-controls.md#dynamodb-7) 
+  [[EC2.4] Stopped EC2 instances should be removed after a specified time period](ec2-controls.md#ec2-4) 
+  [[EC2.14] Security groups should not allow ingress from 0.0.0.0/0 or ::/0 to port 3389](ec2-controls.md#ec2-14) 
+  [[EC2.22] Unused Amazon EC2 security groups should be removed](ec2-controls.md#ec2-22) 
+  [[EC2.23] Amazon EC2 Transit Gateways should not automatically accept VPC attachment requests](ec2-controls.md#ec2-23) 
+  [[EC2.24] Amazon EC2 paravirtual instance types should not be used](ec2-controls.md#ec2-24) 
+  [[EC2.25] Amazon EC2 launch templates should not assign public IPs to network interfaces](ec2-controls.md#ec2-25) 
+  [[EC2.28] EBS volumes should be covered by a backup plan](ec2-controls.md#ec2-28) 
+  [[EC2.34] EC2 transit gateway route tables should be tagged](ec2-controls.md#ec2-34) 
+  [[EC2.40] EC2 NAT gateways should be tagged](ec2-controls.md#ec2-40) 
+  [[EC2.51] EC2 Client VPN endpoints should have client connection logging enabled](ec2-controls.md#ec2-51) 
+  [[EC2.55] VPCs should be configured with an interface endpoint for ECR API](ec2-controls.md#ec2-55) 
+  [[EC2.56] VPCs should be configured with an interface endpoint for Docker Registry](ec2-controls.md#ec2-56) 
+  [[EC2.57] VPCs should be configured with an interface endpoint for Systems Manager](ec2-controls.md#ec2-57) 
+  [[EC2.58] VPCs should be configured with an interface endpoint for Systems Manager Incident Manager Contacts](ec2-controls.md#ec2-58) 
+  [[EC2.60] VPCs should be configured with an interface endpoint for Systems Manager Incident Manager](ec2-controls.md#ec2-60) 
+  [[EC2.170] EC2 launch templates should use Instance Metadata Service Version 2 (IMDSv2)](ec2-controls.md#ec2-170) 
+  [[EC2.173] EC2 Spot Fleet requests with launch parameters should enable encryption for attached EBS volumes](ec2-controls.md#ec2-173) 
+  [[EC2.175] EC2 launch templates should be tagged](ec2-controls.md#ec2-175) 
+  [[EC2.177] EC2 traffic mirror sessions should be tagged](ec2-controls.md#ec2-177) 
+  [[EC2.179] EC2 traffic mirror targets should be tagged](ec2-controls.md#ec2-179) 
+  [[EC2.180] EC2 network interfaces should have source/destination checking enabled](ec2-controls.md#ec2-180) 
+  [[EC2.181] EC2 launch templates should enable encryption for attached EBS volumes](ec2-controls.md#ec2-181) 
+  [[ECR.2] ECR private repositories should have tag immutability configured](ecr-controls.md#ecr-2) 
+  [[ECR.3] ECR repositories should have at least one lifecycle policy configured](ecr-controls.md#ecr-3) 
+  [[ECR.4] ECR public repositories should be tagged](ecr-controls.md#ecr-4) 
+  [[ECR.5] ECR repositories should be encrypted with customer managed Amazon KMS keys](ecr-controls.md#ecr-5) 
+  [[EFS.1] Elastic File System should be configured to encrypt file data at-rest using Amazon KMS](efs-controls.md#efs-1) 
+  [[EFS.2] Amazon EFS volumes should be in backup plans](efs-controls.md#efs-2) 
+  [[EFS.3] EFS access points should enforce a root directory](efs-controls.md#efs-3) 
+  [[EFS.4] EFS access points should enforce a user identity](efs-controls.md#efs-4) 
+  [[EFS.8] EFS file systems should be encrypted at rest](efs-controls.md#efs-8) 
+  [[EKS.2] EKS clusters should run on a supported Kubernetes version](eks-controls.md#eks-2) 
+  [[EKS.7] EKS identity provider configurations should be tagged](eks-controls.md#eks-7) 
+  [[EKS.8] EKS clusters should have audit logging enabled](eks-controls.md#eks-8) 
+  [[ELB.2] Classic Load Balancers with SSL/HTTPS listeners should use a certificate provided by Amazon Certificate Manager](elb-controls.md#elb-2) 
+  [[ELB.14] Classic Load Balancer should be configured with defensive or strictest desync mitigation mode](elb-controls.md#elb-14) 
+  [[ELB.17] Application and Network Load Balancers with listeners should use recommended security policies](elb-controls.md#elb-17) 
+  [[ELB.18] Application and Network Load Balancer listeners should use secure protocols to encrypt data in transit](elb-controls.md#elb-18) 
+  [[ElastiCache.1] ElastiCache (Redis OSS) clusters should have automatic backups enabled](elasticache-controls.md#elasticache-1) 
+  [[ElastiCache.2] ElastiCache clusters should have automatic minor version upgrades enabled](elasticache-controls.md#elasticache-2) 
+  [[ElastiCache.3] ElastiCache replication groups should have automatic failover enabled](elasticache-controls.md#elasticache-3) 
+  [[ElastiCache.4] ElastiCache replication groups should be encrypted at rest](elasticache-controls.md#elasticache-4) 
+  [[ElastiCache.5] ElastiCache replication groups should be encrypted in transit](elasticache-controls.md#elasticache-5) 
+  [[ElastiCache.6] ElastiCache (Redis OSS) replication groups of earlier versions should have Redis OSS AUTH enabled](elasticache-controls.md#elasticache-6) 
+  [[ElastiCache.7] ElastiCache clusters should not use the default subnet group](elasticache-controls.md#elasticache-7) 
+  [[ElasticBeanstalk.1] Elastic Beanstalk environments should have enhanced health reporting enabled](elasticbeanstalk-controls.md#elasticbeanstalk-1) 
+  [[ElasticBeanstalk.2] Elastic Beanstalk managed platform updates should be enabled](elasticbeanstalk-controls.md#elasticbeanstalk-2) 
+  [[ElasticBeanstalk.3] Elastic Beanstalk should stream logs to CloudWatch](elasticbeanstalk-controls.md#elasticbeanstalk-3) 
+  [[EMR.1] Amazon EMR cluster primary nodes should not have public IP addresses](emr-controls.md#emr-1) 
+  [[ES.4] Elasticsearch domain error logging to CloudWatch Logs should be enabled](es-controls.md#es-4) 
+  [[EventBridge.4] EventBridge global endpoints should have event replication enabled](eventbridge-controls.md#eventbridge-4) 
+  [[FraudDetector.1] Amazon Fraud Detector entity types should be tagged](frauddetector-controls.md#frauddetector-1) 
+  [[FraudDetector.2] Amazon Fraud Detector labels should be tagged](frauddetector-controls.md#frauddetector-2) 
+  [[FraudDetector.3] Amazon Fraud Detector outcomes should be tagged](frauddetector-controls.md#frauddetector-3) 
+  [[FraudDetector.4] Amazon Fraud Detector variables should be tagged](frauddetector-controls.md#frauddetector-4) 
+  [[GlobalAccelerator.1] Global Accelerator accelerators should be tagged](globalaccelerator-controls.md#globalaccelerator-1) 
+  [[Glue.4] Amazon Glue Spark jobs should run on supported versions of Amazon Glue](glue-controls.md#glue-4) 
+  [[GuardDuty.2] GuardDuty filters should be tagged](guardduty-controls.md#guardduty-2) 
+  [[IAM.1] IAM policies should not allow full "\*" administrative privileges](iam-controls.md#iam-1) 
+  [[IAM.2] IAM users should not have IAM policies attached](iam-controls.md#iam-2) 
+  [[IAM.3] IAM users' access keys should be rotated every 90 days or less](iam-controls.md#iam-3) 
+  [[IAM.4] IAM root user access key should not exist](iam-controls.md#iam-4) 
+  [[IAM.5] MFA should be enabled for all IAM users that have a console password](iam-controls.md#iam-5) 
+  [[IAM.6] Hardware MFA should be enabled for the root user](iam-controls.md#iam-6) 
+  [[IAM.7] Password policies for IAM users should have strong configurations](iam-controls.md#iam-7) 
+  [[IAM.8] Unused IAM user credentials should be removed](iam-controls.md#iam-8) 
+  [[IAM.9] MFA should be enabled for the root user](iam-controls.md#iam-9) 
+  [[IAM.10] Password policies for IAM users should have strong configurations](iam-controls.md#iam-10) 
+  [[IAM.11] Ensure IAM password policy requires at least one uppercase letter](iam-controls.md#iam-11) 
+  [[IAM.12] Ensure IAM password policy requires at least one lowercase letter](iam-controls.md#iam-12) 
+  [[IAM.13] Ensure IAM password policy requires at least one symbol](iam-controls.md#iam-13) 
+  [[IAM.14] Ensure IAM password policy requires at least one number](iam-controls.md#iam-14) 
+  [[IAM.15] Ensure IAM password policy requires minimum password length of 14 or greater](iam-controls.md#iam-15) 
+  [[IAM.16] Ensure IAM password policy prevents password reuse](iam-controls.md#iam-16) 
+  [[IAM.17] Ensure IAM password policy expires passwords within 90 days or less](iam-controls.md#iam-17) 
+  [[IAM.18] Ensure a support role has been created to manage incidents with Amazon Web Services Support](iam-controls.md#iam-18) 
+  [[IAM.19] MFA should be enabled for all IAM users](iam-controls.md#iam-19) 
+  [[IAM.21] IAM customer managed policies that you create should not allow wildcard actions for services](iam-controls.md#iam-21) 
+  [[IAM.22] IAM user credentials unused for 45 days should be removed](iam-controls.md#iam-22) 
+  [[IAM.24] IAM roles should be tagged](iam-controls.md#iam-24) 
+  [[IAM.25] IAM users should be tagged](iam-controls.md#iam-25) 
+  [[IAM.26] Expired SSL/TLS certificates managed in IAM should be removed](iam-controls.md#iam-26) 
+  [[IAM.27] IAM identities should not have the AWSCloudShellFullAccess policy attached](iam-controls.md#iam-27) 
+  [[IAM.28] IAM Access Analyzer external access analyzer should be enabled](iam-controls.md#iam-28) 
+  [[Inspector.1] Amazon Inspector EC2 scanning should be enabled](inspector-controls.md#inspector-1) 
+  [[Inspector.2] Amazon Inspector ECR scanning should be enabled](inspector-controls.md#inspector-2) 
+  [[Inspector.3] Amazon Inspector Lambda code scanning should be enabled](inspector-controls.md#inspector-3) 
+  [[Inspector.4] Amazon Inspector Lambda standard scanning should be enabled](inspector-controls.md#inspector-4) 
+  [[IoT.1] Amazon IoT Device Defender security profiles should be tagged](iot-controls.md#iot-1) 
+  [[IoT.2] Amazon IoT Core mitigation actions should be tagged](iot-controls.md#iot-2) 
+  [[IoT.3] Amazon IoT Core dimensions should be tagged](iot-controls.md#iot-3) 
+  [[IoT.4] Amazon IoT Core authorizers should be tagged](iot-controls.md#iot-4) 
+  [[IoT.5] Amazon IoT Core role aliases should be tagged](iot-controls.md#iot-5) 
+  [[IoT.6] Amazon IoT Core policies should be tagged](iot-controls.md#iot-6) 
+  [[IoTEvents.1] Amazon IoT Events inputs should be tagged](iotevents-controls.md#iotevents-1) 
+  [[IoTEvents.2] Amazon IoT Events detector models should be tagged](iotevents-controls.md#iotevents-2) 
+  [[IoTEvents.3] Amazon IoT Events alarm models should be tagged](iotevents-controls.md#iotevents-3) 
+  [[IoTSiteWise.1] Amazon IoT SiteWise asset models should be tagged](iotsitewise-controls.md#iotsitewise-1) 
+  [[IoTSiteWise.2] Amazon IoT SiteWise dashboards should be tagged](iotsitewise-controls.md#iotsitewise-2) 
+  [[IoTSiteWise.3] Amazon IoT SiteWise gateways should be tagged](iotsitewise-controls.md#iotsitewise-3) 
+  [[IoTSiteWise.4] Amazon IoT SiteWise portals should be tagged](iotsitewise-controls.md#iotsitewise-4) 
+  [[IoTSiteWise.5] Amazon IoT SiteWise projects should be tagged](iotsitewise-controls.md#iotsitewise-5) 
+  [[IoTTwinMaker.1] Amazon IoT TwinMaker sync jobs should be tagged](iottwinmaker-controls.md#iottwinmaker-1) 
+  [[IoTTwinMaker.2] Amazon IoT TwinMaker workspaces should be tagged](iottwinmaker-controls.md#iottwinmaker-2) 
+  [[IoTTwinMaker.3] Amazon IoT TwinMaker scenes should be tagged](iottwinmaker-controls.md#iottwinmaker-3) 
+  [[IoTTwinMaker.4] Amazon IoT TwinMaker entities should be tagged](iottwinmaker-controls.md#iottwinmaker-4) 
+  [[IoTWireless.1] Amazon IoT Wireless multicast groups should be tagged](iotwireless-controls.md#iotwireless-1) 
+  [[IoTWireless.2] Amazon IoT Wireless service profiles should be tagged](iotwireless-controls.md#iotwireless-2) 
+  [[IoTWireless.3] Amazon IoT FUOTA tasks should be tagged](iotwireless-controls.md#iotwireless-3) 
+  [[IVS.1] IVS playback key pairs should be tagged](ivs-controls.md#ivs-1) 
+  [[IVS.2] IVS recording configurations should be tagged](ivs-controls.md#ivs-2) 
+  [[IVS.3] IVS channels should be tagged](ivs-controls.md#ivs-3) 
+  [[Keyspaces.1] Amazon Keyspaces keyspaces should be tagged](keyspaces-controls.md#keyspaces-1) 
+  [[Kinesis.1] Kinesis streams should be encrypted at rest](kinesis-controls.md#kinesis-1) 
+  [[Kinesis.3] Kinesis streams should have an adequate data retention period](kinesis-controls.md#kinesis-3) 
+  [[KMS.1] IAM customer managed policies should not allow decryption actions on all KMS keys](kms-controls.md#kms-1) 
+  [[KMS.2] IAM principals should not have IAM inline policies that allow decryption actions on all KMS keys](kms-controls.md#kms-2) 
+  [[Lambda.5] VPC Lambda functions should operate in multiple Availability Zones](lambda-controls.md#lambda-5) 
+  [[Lambda.7] Lambda functions should have Amazon X-Ray active tracing enabled](lambda-controls.md#lambda-7) 
+  [[Macie.1] Amazon Macie should be enabled](macie-controls.md#macie-1) 
+  [[MQ.2] ActiveMQ brokers should stream audit logs to CloudWatch](mq-controls.md#mq-2) 
+  [[MQ.4] Amazon MQ brokers should be tagged](mq-controls.md#mq-4) 
+  [[MQ.5] ActiveMQ brokers should use active/standby deployment mode](mq-controls.md#mq-5) 
+  [[MQ.6] RabbitMQ brokers should use cluster deployment mode](mq-controls.md#mq-6) 
+  [[MSK.1] MSK clusters should be encrypted in transit among broker nodes](msk-controls.md#msk-1) 
+  [[MSK.2] MSK clusters should have enhanced monitoring configured](msk-controls.md#msk-2) 
+  [[MSK.3] MSK Connect connectors should be encrypted in transit](msk-controls.md#msk-3) 
+  [[MSK.4] MSK clusters should have public access disabled](msk-controls.md#msk-4) 
+  [[MSK.5] MSK connectors should have logging enabled](msk-controls.md#msk-5) 
+  [[MSK.6] MSK clusters should disable unauthenticated access](msk-controls.md#msk-6) 
+  [[Neptune.3] Neptune DB cluster snapshots should not be public](neptune-controls.md#neptune-3) 
+  [[Neptune.6] Neptune DB cluster snapshots should be encrypted at rest](neptune-controls.md#neptune-6) 
+  [[NetworkFirewall.10] Network Firewall firewalls should have subnet change protection enabled](networkfirewall-controls.md#networkfirewall-10) 
+  [[Opensearch.1] OpenSearch domains should have encryption at rest enabled](opensearch-controls.md#opensearch-1) 
+  [[Opensearch.2] OpenSearch domains should not be publicly accessible](opensearch-controls.md#opensearch-2) 
+  [[Opensearch.3] OpenSearch domains should encrypt data sent between nodes](opensearch-controls.md#opensearch-3) 
+  [[Opensearch.4] OpenSearch domain error logging to CloudWatch Logs should be enabled](opensearch-controls.md#opensearch-4) 
+  [[Opensearch.5] OpenSearch domains should have audit logging enabled](opensearch-controls.md#opensearch-5) 
+  [[Opensearch.6] OpenSearch domains should have at least three data nodes](opensearch-controls.md#opensearch-6) 
+  [[Opensearch.7] OpenSearch domains should have fine-grained access control enabled](opensearch-controls.md#opensearch-7) 
+  [[Opensearch.8] Connections to OpenSearch domains should be encrypted using the latest TLS security policy](opensearch-controls.md#opensearch-8) 
+  [[Opensearch.9] OpenSearch domains should be tagged](opensearch-controls.md#opensearch-9) 
+  [[Opensearch.10] OpenSearch domains should have the latest software update installed](opensearch-controls.md#opensearch-10) 
+  [[Opensearch.11] OpenSearch domains should have at least three dedicated primary nodes](opensearch-controls.md#opensearch-11) 
+  [[RDS.1] RDS snapshot should be private](rds-controls.md#rds-1) 
+  [[RDS.4] RDS cluster snapshots and database snapshots should be encrypted at rest](rds-controls.md#rds-4) 
+  [[RDS.14] Amazon Aurora clusters should have backtracking enabled](rds-controls.md#rds-14) 
+  [[RDS.26] RDS DB instances should be protected by a backup plan](rds-controls.md#rds-26) 
+  [[RDS.29] RDS DB cluster snapshots should be tagged](rds-controls.md#rds-29) 
+  [[RDS.31] RDS DB security groups should be tagged](rds-controls.md#rds-31) 
+  [[RDS.35] RDS DB clusters should have automatic minor version upgrade enabled](rds-controls.md#rds-35) 
+  [[RDS.37] Aurora PostgreSQL DB clusters should publish logs to CloudWatch Logs](rds-controls.md#rds-37) 
+  [[Redshift.8] Amazon Redshift clusters should not use the default Admin username](redshift-controls.md#redshift-8) 
+  [[Redshift.18] Redshift clusters should have Multi-AZ deployments enabled](redshift-controls.md#redshift-18) 
+  [[RedshiftServerless.1] Amazon Redshift Serverless workgroups should use enhanced VPC routing](redshiftserverless-controls.md#redshiftserverless-1) 
+  [[RedshiftServerless.2] Connections to Redshift Serverless workgroups should be required to use SSL](redshiftserverless-controls.md#redshiftserverless-2) 
+  [[Route53.1] Route 53 health checks should be tagged](route53-controls.md#route53-1) 
+  [[Route53.2] Route 53 public hosted zones should log DNS queries](route53-controls.md#route53-2) 
+  [[S3.24] S3 Multi-Region Access Points should have block public access settings enabled](s3-controls.md#s3-24) 
+  [[S3.25] S3 directory buckets should have lifecycle configurations](s3-controls.md#s3-25) 
+  [[SageMaker.1] Amazon SageMaker notebook instances should not have direct internet access](sagemaker-controls.md#sagemaker-1) 
+  [[SageMaker.2] SageMaker notebook instances should be launched in a custom VPC](sagemaker-controls.md#sagemaker-2) 
+  [[SageMaker.3] Users should not have root access to SageMaker notebook instances](sagemaker-controls.md#sagemaker-3) 
+  [[SageMaker.5] SageMaker models should have network isolation enabled](sagemaker-controls.md#sagemaker-5) 
+  [[SageMaker.9] SageMaker data quality job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-9) 
+  [[SageMaker.10] SageMaker model explainability job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-10) 
+  [[SageMaker.11] SageMaker data quality job definitions should have network isolation enabled](sagemaker-controls.md#sagemaker-11) 
+  [[SageMaker.12] SageMaker model bias job definitions should have network isolation enabled](sagemaker-controls.md#sagemaker-12) 
+  [[SageMaker.13] SageMaker model quality job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-13) 
+  [[SageMaker.14] SageMaker monitoring schedules should have network isolation enabled](sagemaker-controls.md#sagemaker-14) 
+  [[SageMaker.15] SageMaker model bias job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-15) 
+  [[ServiceCatalog.1] Service Catalog portfolios should be shared within an Amazon organization only](servicecatalog-controls.md#servicecatalog-1) 
+  [[SQS.1] Amazon SQS queues should be encrypted at rest](sqs-controls.md#sqs-1) 
+  [[SQS.2] SQS queues should be tagged](sqs-controls.md#sqs-2) 
+  [[SQS.3] SQS queue access policies should not allow public access](sqs-controls.md#sqs-3) 
+  [[SSM.4] SSM documents should not be public](ssm-controls.md#ssm-4) 
+  [[SSM.6] SSM Automation should have CloudWatch logging enabled](ssm-controls.md#ssm-6) 
+  [[SSM.7] SSM documents should have the block public sharing setting enabled](ssm-controls.md#ssm-7) 
+  [[StepFunctions.1] Step Functions state machines should have logging turned on](stepfunctions-controls.md#stepfunctions-1) 
+  [[Transfer.3] Transfer Family connectors should have logging enabled](transfer-controls.md#transfer-3) 
+  [[Transfer.4] Transfer Family agreements should be tagged](transfer-controls.md#transfer-4) 
+  [[WAF.1] Amazon WAF Classic Global Web ACL logging should be enabled](waf-controls.md#waf-1) 
+  [[WAF.3] Amazon WAF Classic Regional rule groups should have at least one rule](waf-controls.md#waf-3) 
+  [[WAF.6] Amazon WAF Classic global rules should have at least one condition](waf-controls.md#waf-6) 
+  [[WAF.7] Amazon WAF Classic global rule groups should have at least one rule](waf-controls.md#waf-7) 
+  [[WAF.8] Amazon WAF Classic global web ACLs should have at least one rule or rule group](waf-controls.md#waf-8) 
+  [[WorkSpaces.1] WorkSpaces user volumes should be encrypted at rest](workspaces-controls.md#workspaces-1) 
+  [[WorkSpaces.2] WorkSpaces root volumes should be encrypted at rest](workspaces-controls.md#workspaces-2) 

## Mexico (Central)

The following controls are not supported in the Mexico (Central) Region.

+  [[ACM.1] Imported and ACM-issued certificates should be renewed after a specified time period](acm-controls.md#acm-1) 
+  [[ACM.2] RSA certificates managed by ACM should use a key length of at least 2,048 bits](acm-controls.md#acm-2) 
+  [[Account.1] Security contact information should be provided for an Amazon Web Services account](account-controls.md#account-1) 
+  [[Account.2] Amazon Web Services accounts should be part of an Amazon Organizations organization](account-controls.md#account-2) 
+  [[APIGateway.8] API Gateway routes should specify an authorization type](apigateway-controls.md#apigateway-8) 
+  [[APIGateway.9] Access logging should be configured for API Gateway V2 Stages](apigateway-controls.md#apigateway-9) 
+  [[APIGateway.10] API Gateway V2 integrations should use HTTPS for private connections](apigateway-controls.md#apigateway-10) 
+  [[Amplify.1] Amplify apps should be tagged](amplify-controls.md#amplify-1) 
+  [[Amplify.2] Amplify branches should be tagged](amplify-controls.md#amplify-2) 
+  [[AppConfig.1] Amazon AppConfig applications should be tagged](appconfig-controls.md#appconfig-1) 
+  [[AppConfig.2] Amazon AppConfig configuration profiles should be tagged](appconfig-controls.md#appconfig-2) 
+  [[AppConfig.3] Amazon AppConfig environments should be tagged](appconfig-controls.md#appconfig-3) 
+  [[AppConfig.4] Amazon AppConfig extension associations should be tagged](appconfig-controls.md#appconfig-4) 
+  [[AppFlow.1] Amazon AppFlow flows should be tagged](appflow-controls.md#appflow-1) 
+  [[AppRunner.1] App Runner services should be tagged](apprunner-controls.md#apprunner-1) 
+  [[AppRunner.2] App Runner VPC connectors should be tagged](apprunner-controls.md#apprunner-2) 
+  [[AppSync.1] Amazon AppSync API caches should be encrypted at rest](appsync-controls.md#appsync-1) 
+  [[AppSync.2] Amazon AppSync should have field-level logging enabled](appsync-controls.md#appsync-2) 
+  [[AppSync.4] Amazon AppSync GraphQL APIs should be tagged](appsync-controls.md#appsync-4) 
+  [[AppSync.5] Amazon AppSync GraphQL APIs should not be authenticated with API keys](appsync-controls.md#appsync-5) 
+  [[AppSync.6] Amazon AppSync API caches should be encrypted in transit](appsync-controls.md#appsync-6) 
+  [[Athena.4] Athena workgroups should have logging enabled](athena-controls.md#athena-4) 
+  [[AutoScaling.2] Amazon EC2 Auto Scaling group should cover multiple Availability Zones](autoscaling-controls.md#autoscaling-2) 
+  [[AutoScaling.3] Auto Scaling group launch configurations should configure EC2 instances to require Instance Metadata Service Version 2 (IMDSv2)](autoscaling-controls.md#autoscaling-3) 
+  [[AutoScaling.6] Auto Scaling groups should use multiple instance types in multiple Availability Zones](autoscaling-controls.md#autoscaling-6) 
+  [[AutoScaling.9] Amazon EC2 Auto Scaling groups should use Amazon EC2 launch templates](autoscaling-controls.md#autoscaling-9) 
+  [[Backup.1] Amazon Backup recovery points should be encrypted at rest](backup-controls.md#backup-1) 
+  [[Backup.2] Amazon Backup recovery points should be tagged](backup-controls.md#backup-2) 
+  [[Backup.4] Amazon Backup report plans should be tagged](backup-controls.md#backup-4) 
+  [[Batch.1] Batch job queues should be tagged](batch-controls.md#batch-1) 
+  [[Batch.2] Batch scheduling policies should be tagged](batch-controls.md#batch-2) 
+  [[Batch.3] Batch compute environments should be tagged](batch-controls.md#batch-3) 
+  [[Batch.4] Compute resources properties in managed Batch compute environments should be tagged](batch-controls.md#batch-4) 
+  [[CloudFormation.3] CloudFormation stacks should have termination protection enabled](cloudformation-controls.md#cloudformation-3) 
+  [[CloudFormation.4] CloudFormation stacks should have associated service roles](cloudformation-controls.md#cloudformation-4) 
+  [[CloudFront.1] CloudFront distributions should have a default root object configured](cloudfront-controls.md#cloudfront-1) 
+  [[CloudFront.3] CloudFront distributions should require encryption in transit](cloudfront-controls.md#cloudfront-3) 
+  [[CloudFront.4] CloudFront distributions should have origin failover configured](cloudfront-controls.md#cloudfront-4) 
+  [[CloudFront.5] CloudFront distributions should have logging enabled](cloudfront-controls.md#cloudfront-5) 
+  [[CloudFront.6] CloudFront distributions should have WAF enabled](cloudfront-controls.md#cloudfront-6) 
+  [[CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates](cloudfront-controls.md#cloudfront-7) 
+  [[CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests](cloudfront-controls.md#cloudfront-8) 
+  [[CloudFront.9] CloudFront distributions should encrypt traffic to custom origins](cloudfront-controls.md#cloudfront-9) 
+  [[CloudFront.10] CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins](cloudfront-controls.md#cloudfront-10) 
+  [[CloudFront.12] CloudFront distributions should not point to non-existent S3 origins](cloudfront-controls.md#cloudfront-12) 
+  [[CloudFront.13] CloudFront distributions should use origin access control](cloudfront-controls.md#cloudfront-13) 
+  [[CloudFront.14] CloudFront distributions should be tagged](cloudfront-controls.md#cloudfront-14) 
+  [[CloudFront.15] CloudFront distributions should use the recommended TLS security policy](cloudfront-controls.md#cloudfront-15) 
+  [[CloudFront.16] CloudFront distributions should use origin access control for Lambda function URL origins](cloudfront-controls.md#cloudfront-16) 
+  [[CloudFront.17] CloudFront distributions should use trusted key groups for signed URLs and cookies](cloudfront-controls.md#cloudfront-17) 
+  [[CloudTrail.6] Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible](cloudtrail-controls.md#cloudtrail-6) 
+  [[CloudTrail.7] Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket](cloudtrail-controls.md#cloudtrail-7) 
+  [[CloudTrail.10] CloudTrail Lake event data stores should be encrypted with customer managed Amazon KMS keys](cloudtrail-controls.md#cloudtrail-10) 
+  [[CloudWatch.17] CloudWatch alarm actions should be activated](cloudwatch-controls.md#cloudwatch-17) 
+  [[CodeArtifact.1] CodeArtifact repositories should be tagged](codeartifact-controls.md#codeartifact-1) 
+  [[CodeBuild.1] CodeBuild Bitbucket source repository URLs should not contain sensitive credentials](codebuild-controls.md#codebuild-1) 
+  [[CodeBuild.2] CodeBuild project environment variables should not contain clear text credentials](codebuild-controls.md#codebuild-2) 
+  [[CodeBuild.3] CodeBuild S3 logs should be encrypted](codebuild-controls.md#codebuild-3) 
+  [[CodeBuild.4] CodeBuild project environments should have a logging Amazon Configuration](codebuild-controls.md#codebuild-4) 
+  [[CodeBuild.7] CodeBuild report group exports should be encrypted at rest](codebuild-controls.md#codebuild-7) 
+  [[CodeGuruProfiler.1] CodeGuru Profiler profiling groups should be tagged](codeguruprofiler-controls.md#codeguruprofiler-1) 
+  [[CodeGuruReviewer.1] CodeGuru Reviewer repository associations should be tagged](codegurureviewer-controls.md#codegurureviewer-1) 
+  [[Cognito.1] Cognito user pools should have threat protection activated with full function enforcement mode for standard authentication](cognito-controls.md#cognito-1) 
+  [[Cognito.2] Cognito identity pools should not allow unauthenticated identities](cognito-controls.md#cognito-2) 
+  [[Cognito.3] Password policies for Cognito user pools should have strong configurations](cognito-controls.md#cognito-3) 
+  [[Cognito.4] Cognito user pools should have threat protection activated with full function enforcement mode for custom authentication](cognito-controls.md#cognito-4) 
+  [[Cognito.5] MFA should be enabled for Cognito user pools](cognito-controls.md#cognito-5) 
+  [[Cognito.6] Cognito user pools should have deletion protection enabled](cognito-controls.md#cognito-6) 
+  [[Connect.1] Amazon Connect Customer Profiles object types should be tagged](connect-controls.md#connect-1) 
+  [[Connect.2] Amazon Connect instances should have CloudWatch logging enabled](connect-controls.md#connect-2) 
+  [[DataFirehose.1] Firehose delivery streams should be encrypted at rest](datafirehose-controls.md#datafirehose-1) 
+  [[DataSync.1] DataSync tasks should have logging enabled](datasync-controls.md#datasync-1) 
+  [[DataSync.2] DataSync tasks should be tagged](datasync-controls.md#datasync-2) 
+  [[Detective.1] Detective behavior graphs should be tagged](detective-controls.md#detective-1) 
+  [[DMS.2] DMS certificates should be tagged](dms-controls.md#dms-2) 
+  [[DMS.3] DMS event subscriptions should be tagged](dms-controls.md#dms-3) 
+  [[DMS.4] DMS replication instances should be tagged](dms-controls.md#dms-4) 
+  [[DMS.5] DMS replication subnet groups should be tagged](dms-controls.md#dms-5) 
+  [[DMS.6] DMS replication instances should have automatic minor version upgrade enabled](dms-controls.md#dms-6) 
+  [[DMS.7] DMS replication tasks for the target database should have logging enabled](dms-controls.md#dms-7) 
+  [[DMS.8] DMS replication tasks for the source database should have logging enabled](dms-controls.md#dms-8) 
+  [[DMS.9] DMS endpoints should use SSL](dms-controls.md#dms-9) 
+  [[DMS.10] DMS endpoints for Neptune databases should have IAM authorization enabled](dms-controls.md#dms-10) 
+  [[DMS.11] DMS endpoints for MongoDB should have an authentication mechanism enabled](dms-controls.md#dms-11) 
+  [[DMS.12] DMS endpoints for Redis OSS should have TLS enabled](dms-controls.md#dms-12) 
+  [[DMS.13] DMS replication instances should be configured to use multiple Availability Zones](dms-controls.md#dms-13) 
+  [[DocumentDB.1] Amazon DocumentDB clusters should be encrypted at rest](documentdb-controls.md#documentdb-1) 
+  [[DocumentDB.2] Amazon DocumentDB clusters should have an adequate backup retention period](documentdb-controls.md#documentdb-2) 
+  [[DocumentDB.3] Amazon DocumentDB manual cluster snapshots should not be public](documentdb-controls.md#documentdb-3) 
+  [[DocumentDB.4] Amazon DocumentDB clusters should publish audit logs to CloudWatch Logs](documentdb-controls.md#documentdb-4) 
+  [[DocumentDB.5] Amazon DocumentDB clusters should have deletion protection enabled](documentdb-controls.md#documentdb-5) 
+  [[DocumentDB.6] Amazon DocumentDB clusters should be encrypted in transit](documentdb-controls.md#documentdb-6) 
+  [[DynamoDB.3] DynamoDB Accelerator (DAX) clusters should be encrypted at rest](dynamodb-controls.md#dynamodb-3) 
+  [[DynamoDB.4] DynamoDB tables should be present in a backup plan](dynamodb-controls.md#dynamodb-4) 
+  [[DynamoDB.6] DynamoDB tables should have deletion protection enabled](dynamodb-controls.md#dynamodb-6) 
+  [[DynamoDB.7] DynamoDB Accelerator clusters should be encrypted in transit](dynamodb-controls.md#dynamodb-7) 
+  [[EC2.4] Stopped EC2 instances should be removed after a specified time period](ec2-controls.md#ec2-4) 
+  [[EC2.21] Network ACLs should not allow ingress from 0.0.0.0/0 to port 22 or port 3389](ec2-controls.md#ec2-21) 
+  [[EC2.22] Unused Amazon EC2 security groups should be removed](ec2-controls.md#ec2-22) 
+  [[EC2.23] Amazon EC2 Transit Gateways should not automatically accept VPC attachment requests](ec2-controls.md#ec2-23) 
+  [[EC2.24] Amazon EC2 paravirtual instance types should not be used](ec2-controls.md#ec2-24) 
+  [[EC2.25] Amazon EC2 launch templates should not assign public IPs to network interfaces](ec2-controls.md#ec2-25) 
+  [[EC2.28] EBS volumes should be covered by a backup plan](ec2-controls.md#ec2-28) 
+  [[EC2.34] EC2 transit gateway route tables should be tagged](ec2-controls.md#ec2-34) 
+  [[EC2.40] EC2 NAT gateways should be tagged](ec2-controls.md#ec2-40) 
+  [[EC2.51] EC2 Client VPN endpoints should have client connection logging enabled](ec2-controls.md#ec2-51) 
+  [[EC2.53] EC2 security groups should not allow ingress from 0.0.0.0/0 to remote server administration ports](ec2-controls.md#ec2-53) 
+  [[EC2.54] EC2 security groups should not allow ingress from ::/0 to remote server administration ports](ec2-controls.md#ec2-54) 
+  [[EC2.55] VPCs should be configured with an interface endpoint for ECR API](ec2-controls.md#ec2-55) 
+  [[EC2.56] VPCs should be configured with an interface endpoint for Docker Registry](ec2-controls.md#ec2-56) 
+  [[EC2.57] VPCs should be configured with an interface endpoint for Systems Manager](ec2-controls.md#ec2-57) 
+  [[EC2.58] VPCs should be configured with an interface endpoint for Systems Manager Incident Manager Contacts](ec2-controls.md#ec2-58) 
+  [[EC2.60] VPCs should be configured with an interface endpoint for Systems Manager Incident Manager](ec2-controls.md#ec2-60) 
+  [[EC2.170] EC2 launch templates should use Instance Metadata Service Version 2 (IMDSv2)](ec2-controls.md#ec2-170) 
+  [[EC2.171] EC2 VPN connections should have logging enabled](ec2-controls.md#ec2-171) 
+  [[EC2.172] EC2 VPC Block Public Access settings should block internet gateway traffic](ec2-controls.md#ec2-172) 
+  [[EC2.173] EC2 Spot Fleet requests with launch parameters should enable encryption for attached EBS volumes](ec2-controls.md#ec2-173) 
+  [[EC2.174] EC2 DHCP option sets should be tagged](ec2-controls.md#ec2-174) 
+  [[EC2.175] EC2 launch templates should be tagged](ec2-controls.md#ec2-175) 
+  [[EC2.176] EC2 prefix lists should be tagged](ec2-controls.md#ec2-176) 
+  [[EC2.177] EC2 traffic mirror sessions should be tagged](ec2-controls.md#ec2-177) 
+  [[EC2.178] EC2 traffic mirror filters should be tagged](ec2-controls.md#ec2-178) 
+  [[EC2.179] EC2 traffic mirror targets should be tagged](ec2-controls.md#ec2-179) 
+  [[EC2.180] EC2 network interfaces should have source/destination checking enabled](ec2-controls.md#ec2-180) 
+  [[EC2.181] EC2 launch templates should enable encryption for attached EBS volumes](ec2-controls.md#ec2-181) 
+  [[EC2.182] Block public access settings should be enabled for Amazon EBS snapshots](ec2-controls.md#ec2-182) 
+  [[ECR.1] ECR private repositories should have image scanning configured](ecr-controls.md#ecr-1) 
+  [[ECR.2] ECR private repositories should have tag immutability configured](ecr-controls.md#ecr-2) 
+  [[ECR.3] ECR repositories should have at least one lifecycle policy configured](ecr-controls.md#ecr-3) 
+  [[ECR.4] ECR public repositories should be tagged](ecr-controls.md#ecr-4) 
+  [[ECR.5] ECR repositories should be encrypted with customer managed Amazon KMS keys](ecr-controls.md#ecr-5) 
+  [[ECS.3] ECS task definitions should not share the host's process namespace](ecs-controls.md#ecs-3) 
+  [[ECS.4] ECS containers should run as non-privileged](ecs-controls.md#ecs-4) 
+  [[ECS.5] ECS task definitions should configure containers to be limited to read-only access to root filesystems](ecs-controls.md#ecs-5) 
+  [[ECS.8] Secrets should not be passed as container environment variables](ecs-controls.md#ecs-8) 
+  [[ECS.9] ECS task definitions should have a logging configuration](ecs-controls.md#ecs-9) 
+  [[ECS.10] ECS Fargate services should run on the latest Fargate platform version](ecs-controls.md#ecs-10) 
+  [[ECS.12] ECS clusters should use Container Insights](ecs-controls.md#ecs-12) 
+  [[ECS.16] ECS task sets should not automatically assign public IP addresses](ecs-controls.md#ecs-16) 
+  [[ECS.17] ECS task definitions should not use host network mode](ecs-controls.md#ecs-17) 
+  [[ECS.18] ECS Task Definitions should use in-transit encryption for EFS volumes](ecs-controls.md#ecs-18) 
+  [[ECS.19] ECS capacity providers should have managed termination protection enabled](ecs-controls.md#ecs-19) 
+  [[ECS.20] ECS Task Definitions should configure non-root users in Linux container definitions](ecs-controls.md#ecs-20) 
+  [[ECS.21] ECS Task Definitions should configure non-administrator users in Windows container definitions](ecs-controls.md#ecs-21) 
+  [[EFS.1] Elastic File System should be configured to encrypt file data at-rest using Amazon KMS](efs-controls.md#efs-1) 
+  [[EFS.2] Amazon EFS volumes should be in backup plans](efs-controls.md#efs-2) 
+  [[EFS.3] EFS access points should enforce a root directory](efs-controls.md#efs-3) 
+  [[EFS.4] EFS access points should enforce a user identity](efs-controls.md#efs-4) 
+  [[EFS.6] EFS mount targets should not be associated with subnets that assign public IP addresses on launch](efs-controls.md#efs-6) 
+  [[EFS.7] EFS file systems should have automatic backups enabled](efs-controls.md#efs-7) 
+  [[EFS.8] EFS file systems should be encrypted at rest](efs-controls.md#efs-8) 
+  [[EKS.2] EKS clusters should run on a supported Kubernetes version](eks-controls.md#eks-2) 
+  [[EKS.3] EKS clusters should use encrypted Kubernetes secrets](eks-controls.md#eks-3) 
+  [[EKS.7] EKS identity provider configurations should be tagged](eks-controls.md#eks-7) 
+  [[EKS.8] EKS clusters should have audit logging enabled](eks-controls.md#eks-8) 
+  [[ELB.10] Classic Load Balancer should span multiple Availability Zones](elb-controls.md#elb-10) 
+  [[ELB.12] Application Load Balancer should be configured with defensive or strictest desync mitigation mode](elb-controls.md#elb-12) 
+  [[ELB.13] Application, Network and Gateway Load Balancers should span multiple Availability Zones](elb-controls.md#elb-13) 
+  [[ELB.14] Classic Load Balancer should be configured with defensive or strictest desync mitigation mode](elb-controls.md#elb-14) 
+  [[ELB.17] Application and Network Load Balancers with listeners should use recommended security policies](elb-controls.md#elb-17) 
+  [[ELB.18] Application and Network Load Balancer listeners should use secure protocols to encrypt data in transit](elb-controls.md#elb-18) 
+  [[ElastiCache.1] ElastiCache (Redis OSS) clusters should have automatic backups enabled](elasticache-controls.md#elasticache-1) 
+  [[ElastiCache.2] ElastiCache clusters should have automatic minor version upgrades enabled](elasticache-controls.md#elasticache-2) 
+  [[ElastiCache.3] ElastiCache replication groups should have automatic failover enabled](elasticache-controls.md#elasticache-3) 
+  [[ElastiCache.4] ElastiCache replication groups should be encrypted at rest](elasticache-controls.md#elasticache-4) 
+  [[ElastiCache.5] ElastiCache replication groups should be encrypted in transit](elasticache-controls.md#elasticache-5) 
+  [[ElastiCache.6] ElastiCache (Redis OSS) replication groups of earlier versions should have Redis OSS AUTH enabled](elasticache-controls.md#elasticache-6) 
+  [[ElastiCache.7] ElastiCache clusters should not use the default subnet group](elasticache-controls.md#elasticache-7) 
+  [[ElasticBeanstalk.1] Elastic Beanstalk environments should have enhanced health reporting enabled](elasticbeanstalk-controls.md#elasticbeanstalk-1) 
+  [[ElasticBeanstalk.2] Elastic Beanstalk managed platform updates should be enabled](elasticbeanstalk-controls.md#elasticbeanstalk-2) 
+  [[ElasticBeanstalk.3] Elastic Beanstalk should stream logs to CloudWatch](elasticbeanstalk-controls.md#elasticbeanstalk-3) 
+  [[EMR.1] Amazon EMR cluster primary nodes should not have public IP addresses](emr-controls.md#emr-1) 
+  [[EMR.2] Amazon EMR block public access setting should be enabled](emr-controls.md#emr-2) 
+  [[EMR.3] Amazon EMR security configurations should be encrypted at rest](emr-controls.md#emr-3) 
+  [[EMR.4] Amazon EMR security configurations should be encrypted in transit](emr-controls.md#emr-4) 
+  [[ES.3] Elasticsearch domains should encrypt data sent between nodes](es-controls.md#es-3) 
+  [[ES.4] Elasticsearch domain error logging to CloudWatch Logs should be enabled](es-controls.md#es-4) 
+  [[ES.9] Elasticsearch domains should be tagged](es-controls.md#es-9) 
+  [[EventBridge.3] EventBridge custom event buses should have a resource-based policy attached](eventbridge-controls.md#eventbridge-3) 
+  [[EventBridge.4] EventBridge global endpoints should have event replication enabled](eventbridge-controls.md#eventbridge-4) 
+  [[FraudDetector.1] Amazon Fraud Detector entity types should be tagged](frauddetector-controls.md#frauddetector-1) 
+  [[FraudDetector.2] Amazon Fraud Detector labels should be tagged](frauddetector-controls.md#frauddetector-2) 
+  [[FraudDetector.3] Amazon Fraud Detector outcomes should be tagged](frauddetector-controls.md#frauddetector-3) 
+  [[FraudDetector.4] Amazon Fraud Detector variables should be tagged](frauddetector-controls.md#frauddetector-4) 
+  [[FSx.1] FSx for OpenZFS file systems should be configured to copy tags to backups and volumes](fsx-controls.md#fsx-1) 
+  [[FSx.2] FSx for Lustre file systems should be configured to copy tags to backups](fsx-controls.md#fsx-2) 
+  [[FSx.3] FSx for OpenZFS file systems should be configured for Multi-AZ deployment](fsx-controls.md#fsx-3) 
+  [[FSx.4] FSx for NetApp ONTAP file systems should be configured for Multi-AZ deployment](fsx-controls.md#fsx-4) 
+  [[FSx.5] FSx for Windows File Server file systems should be configured for Multi-AZ deployment](fsx-controls.md#fsx-5) 
+  [[GlobalAccelerator.1] Global Accelerator accelerators should be tagged](globalaccelerator-controls.md#globalaccelerator-1) 
+  [[Glue.1] Amazon Glue jobs should be tagged](glue-controls.md#glue-1) 
+  [[Glue.3] Amazon Glue machine learning transforms should be encrypted at rest](glue-controls.md#glue-3) 
+  [[Glue.4] Amazon Glue Spark jobs should run on supported versions of Amazon Glue](glue-controls.md#glue-4) 
+  [[GuardDuty.1] GuardDuty should be enabled](guardduty-controls.md#guardduty-1) 
+  [[GuardDuty.2] GuardDuty filters should be tagged](guardduty-controls.md#guardduty-2) 
+  [[GuardDuty.5] GuardDuty EKS Audit Log Monitoring should be enabled](guardduty-controls.md#guardduty-5) 
+  [[GuardDuty.6] GuardDuty Lambda Protection should be enabled](guardduty-controls.md#guardduty-6) 
+  [[GuardDuty.7] GuardDuty EKS Runtime Monitoring should be enabled](guardduty-controls.md#guardduty-7) 
+  [[GuardDuty.8] GuardDuty Malware Protection for EC2 should be enabled](guardduty-controls.md#guardduty-8) 
+  [[GuardDuty.9] GuardDuty RDS Protection should be enabled](guardduty-controls.md#guardduty-9) 
+  [[GuardDuty.10] GuardDuty S3 Protection should be enabled](guardduty-controls.md#guardduty-10) 
+  [[GuardDuty.11] GuardDuty Runtime Monitoring should be enabled](guardduty-controls.md#guardduty-11) 
+  [[GuardDuty.12] GuardDuty ECS Runtime Monitoring should be enabled](guardduty-controls.md#guardduty-12) 
+  [[GuardDuty.13] GuardDuty EC2 Runtime Monitoring should be enabled](guardduty-controls.md#guardduty-13) 
+  [[IAM.1] IAM policies should not allow full "*" administrative privileges](iam-controls.md#iam-1) 
+  [[IAM.2] IAM users should not have IAM policies attached](iam-controls.md#iam-2) 
+  [[IAM.3] IAM users' access keys should be rotated every 90 days or less](iam-controls.md#iam-3) 
+  [[IAM.4] IAM root user access key should not exist](iam-controls.md#iam-4) 
+  [[IAM.5] MFA should be enabled for all IAM users that have a console password](iam-controls.md#iam-5) 
+  [[IAM.6] Hardware MFA should be enabled for the root user](iam-controls.md#iam-6) 
+  [[IAM.7] Password policies for IAM users should have strong configurations](iam-controls.md#iam-7) 
+  [[IAM.8] Unused IAM user credentials should be removed](iam-controls.md#iam-8) 
+  [[IAM.9] MFA should be enabled for the root user](iam-controls.md#iam-9) 
+  [[IAM.10] Password policies for IAM users should have strong configurations](iam-controls.md#iam-10) 
+  [[IAM.11] Ensure IAM password policy requires at least one uppercase letter](iam-controls.md#iam-11) 
+  [[IAM.12] Ensure IAM password policy requires at least one lowercase letter](iam-controls.md#iam-12) 
+  [[IAM.13] Ensure IAM password policy requires at least one symbol](iam-controls.md#iam-13) 
+  [[IAM.14] Ensure IAM password policy requires at least one number](iam-controls.md#iam-14) 
+  [[IAM.15] Ensure IAM password policy requires minimum password length of 14 or greater](iam-controls.md#iam-15) 
+  [[IAM.16] Ensure IAM password policy prevents password reuse](iam-controls.md#iam-16) 
+  [[IAM.17] Ensure IAM password policy expires passwords within 90 days or less](iam-controls.md#iam-17) 
+  [[IAM.18] Ensure a support role has been created to manage incidents with Amazon Web Services Support](iam-controls.md#iam-18) 
+  [[IAM.19] MFA should be enabled for all IAM users](iam-controls.md#iam-19) 
+  [[IAM.21] IAM customer managed policies that you create should not allow wildcard actions for services](iam-controls.md#iam-21) 
+  [[IAM.22] IAM user credentials unused for 45 days should be removed](iam-controls.md#iam-22) 
+  [[IAM.24] IAM roles should be tagged](iam-controls.md#iam-24) 
+  [[IAM.25] IAM users should be tagged](iam-controls.md#iam-25) 
+  [[IAM.26] Expired SSL/TLS certificates managed in IAM should be removed](iam-controls.md#iam-26) 
+  [[IAM.27] IAM identities should not have the AWSCloudShellFullAccess policy attached](iam-controls.md#iam-27) 
+  [[IAM.28] IAM Access Analyzer external access analyzer should be enabled](iam-controls.md#iam-28) 
+  [[Inspector.1] Amazon Inspector EC2 scanning should be enabled](inspector-controls.md#inspector-1) 
+  [[Inspector.2] Amazon Inspector ECR scanning should be enabled](inspector-controls.md#inspector-2) 
+  [[Inspector.3] Amazon Inspector Lambda code scanning should be enabled](inspector-controls.md#inspector-3) 
+  [[Inspector.4] Amazon Inspector Lambda standard scanning should be enabled](inspector-controls.md#inspector-4) 
+  [[IoT.1] Amazon IoT Device Defender security profiles should be tagged](iot-controls.md#iot-1) 
+  [[IoT.2] Amazon IoT Core mitigation actions should be tagged](iot-controls.md#iot-2) 
+  [[IoT.3] Amazon IoT Core dimensions should be tagged](iot-controls.md#iot-3) 
+  [[IoT.4] Amazon IoT Core authorizers should be tagged](iot-controls.md#iot-4) 
+  [[IoT.5] Amazon IoT Core role aliases should be tagged](iot-controls.md#iot-5) 
+  [[IoT.6] Amazon IoT Core policies should be tagged](iot-controls.md#iot-6) 
+  [[IoTEvents.1] Amazon IoT Events inputs should be tagged](iotevents-controls.md#iotevents-1) 
+  [[IoTEvents.2] Amazon IoT Events detector models should be tagged](iotevents-controls.md#iotevents-2) 
+  [[IoTEvents.3] Amazon IoT Events alarm models should be tagged](iotevents-controls.md#iotevents-3) 
+  [[IoTSiteWise.1] Amazon IoT SiteWise asset models should be tagged](iotsitewise-controls.md#iotsitewise-1) 
+  [[IoTSiteWise.2] Amazon IoT SiteWise dashboards should be tagged](iotsitewise-controls.md#iotsitewise-2) 
+  [[IoTSiteWise.3] Amazon IoT SiteWise gateways should be tagged](iotsitewise-controls.md#iotsitewise-3) 
+  [[IoTSiteWise.4] Amazon IoT SiteWise portals should be tagged](iotsitewise-controls.md#iotsitewise-4) 
+  [[IoTSiteWise.5] Amazon IoT SiteWise projects should be tagged](iotsitewise-controls.md#iotsitewise-5) 
+  [[IoTTwinMaker.1] Amazon IoT TwinMaker sync jobs should be tagged](iottwinmaker-controls.md#iottwinmaker-1) 
+  [[IoTTwinMaker.2] Amazon IoT TwinMaker workspaces should be tagged](iottwinmaker-controls.md#iottwinmaker-2) 
+  [[IoTTwinMaker.3] Amazon IoT TwinMaker scenes should be tagged](iottwinmaker-controls.md#iottwinmaker-3) 
+  [[IoTTwinMaker.4] Amazon IoT TwinMaker entities should be tagged](iottwinmaker-controls.md#iottwinmaker-4) 
+  [[IoTWireless.1] Amazon IoT Wireless multicast groups should be tagged](iotwireless-controls.md#iotwireless-1) 
+  [[IoTWireless.2] Amazon IoT Wireless service profiles should be tagged](iotwireless-controls.md#iotwireless-2) 
+  [[IoTWireless.3] Amazon IoT FUOTA tasks should be tagged](iotwireless-controls.md#iotwireless-3) 
+  [[IVS.1] IVS playback key pairs should be tagged](ivs-controls.md#ivs-1) 
+  [[IVS.2] IVS recording configurations should be tagged](ivs-controls.md#ivs-2) 
+  [[IVS.3] IVS channels should be tagged](ivs-controls.md#ivs-3) 
+  [[Keyspaces.1] Amazon Keyspaces keyspaces should be tagged](keyspaces-controls.md#keyspaces-1) 
+  [[Kinesis.1] Kinesis streams should be encrypted at rest](kinesis-controls.md#kinesis-1) 
+  [[Kinesis.3] Kinesis streams should have an adequate data retention period](kinesis-controls.md#kinesis-3) 
+  [[KMS.1] IAM customer managed policies should not allow decryption actions on all KMS keys](kms-controls.md#kms-1) 
+  [[KMS.2] IAM principals should not have IAM inline policies that allow decryption actions on all KMS keys](kms-controls.md#kms-2) 
+  [[KMS.5] KMS keys should not be publicly accessible](kms-controls.md#kms-5) 
+  [[Lambda.5] VPC Lambda functions should operate in multiple Availability Zones](lambda-controls.md#lambda-5) 
+  [[Lambda.7] Lambda functions should have Amazon X-Ray active tracing enabled](lambda-controls.md#lambda-7) 
+  [[Macie.1] Amazon Macie should be enabled](macie-controls.md#macie-1) 
+  [[Macie.2] Macie automated sensitive data discovery should be enabled](macie-controls.md#macie-2) 
+  [[MQ.2] ActiveMQ brokers should stream audit logs to CloudWatch](mq-controls.md#mq-2) 
+  [[MQ.4] Amazon MQ brokers should be tagged](mq-controls.md#mq-4) 
+  [[MQ.5] ActiveMQ brokers should use active/standby deployment mode](mq-controls.md#mq-5) 
+  [[MQ.6] RabbitMQ brokers should use cluster deployment mode](mq-controls.md#mq-6) 
+  [[MSK.1] MSK clusters should be encrypted in transit among broker nodes](msk-controls.md#msk-1) 
+  [[MSK.2] MSK clusters should have enhanced monitoring configured](msk-controls.md#msk-2) 
+  [[MSK.3] MSK Connect connectors should be encrypted in transit](msk-controls.md#msk-3) 
+  [[MSK.4] MSK clusters should have public access disabled](msk-controls.md#msk-4) 
+  [[MSK.5] MSK connectors should have logging enabled](msk-controls.md#msk-5) 
+  [[MSK.6] MSK clusters should disable unauthenticated access](msk-controls.md#msk-6) 
+  [[Neptune.1] Neptune DB clusters should be encrypted at rest](neptune-controls.md#neptune-1) 
+  [[Neptune.2] Neptune DB clusters should publish audit logs to CloudWatch Logs](neptune-controls.md#neptune-2) 
+  [[Neptune.3] Neptune DB cluster snapshots should not be public](neptune-controls.md#neptune-3) 
+  [[Neptune.4] Neptune DB clusters should have deletion protection enabled](neptune-controls.md#neptune-4) 
+  [[Neptune.5] Neptune DB clusters should have automated backups enabled](neptune-controls.md#neptune-5) 
+  [[Neptune.6] Neptune DB cluster snapshots should be encrypted at rest](neptune-controls.md#neptune-6) 
+  [[Neptune.7] Neptune DB clusters should have IAM database authentication enabled](neptune-controls.md#neptune-7) 
+  [[Neptune.8] Neptune DB clusters should be configured to copy tags to snapshots](neptune-controls.md#neptune-8) 
+  [[Neptune.9] Neptune DB clusters should be deployed across multiple Availability Zones](neptune-controls.md#neptune-9) 
+  [[NetworkFirewall.1] Network Firewall firewalls should be deployed across multiple Availability Zones](networkfirewall-controls.md#networkfirewall-1) 
+  [[NetworkFirewall.2] Network Firewall logging should be enabled](networkfirewall-controls.md#networkfirewall-2) 
+  [[NetworkFirewall.3] Network Firewall policies should have at least one rule group associated](networkfirewall-controls.md#networkfirewall-3) 
+  [[NetworkFirewall.4] The default stateless action for Network Firewall policies should be drop or forward for full packets](networkfirewall-controls.md#networkfirewall-4) 
+  [[NetworkFirewall.5] The default stateless action for Network Firewall policies should be drop or forward for fragmented packets](networkfirewall-controls.md#networkfirewall-5) 
+  [[NetworkFirewall.6] Stateless Network Firewall rule group should not be empty](networkfirewall-controls.md#networkfirewall-6) 
+  [[NetworkFirewall.9] Network Firewall firewalls should have deletion protection enabled](networkfirewall-controls.md#networkfirewall-9) 
+  [[NetworkFirewall.10] Network Firewall firewalls should have subnet change protection enabled](networkfirewall-controls.md#networkfirewall-10) 
+  [[Opensearch.1] OpenSearch domains should have encryption at rest enabled](opensearch-controls.md#opensearch-1) 
+  [[Opensearch.2] OpenSearch domains should not be publicly accessible](opensearch-controls.md#opensearch-2) 
+  [[Opensearch.3] OpenSearch domains should encrypt data sent between nodes](opensearch-controls.md#opensearch-3) 
+  [[Opensearch.4] OpenSearch domain error logging to CloudWatch Logs should be enabled](opensearch-controls.md#opensearch-4) 
+  [[Opensearch.5] OpenSearch domains should have audit logging enabled](opensearch-controls.md#opensearch-5) 
+  [[Opensearch.6] OpenSearch domains should have at least three data nodes](opensearch-controls.md#opensearch-6) 
+  [[Opensearch.7] OpenSearch domains should have fine-grained access control enabled](opensearch-controls.md#opensearch-7) 
+  [[Opensearch.8] Connections to OpenSearch domains should be encrypted using the latest TLS security policy](opensearch-controls.md#opensearch-8) 
+  [[Opensearch.9] OpenSearch domains should be tagged](opensearch-controls.md#opensearch-9) 
+  [[Opensearch.10] OpenSearch domains should have the latest software update installed](opensearch-controls.md#opensearch-10) 
+  [[Opensearch.11] OpenSearch domains should have at least three dedicated primary nodes](opensearch-controls.md#opensearch-11) 
+  [[PCA.1] Amazon Private CA root certificate authority should be disabled](pca-controls.md#pca-1) 
+  [[PCA.2] Amazon Private CA certificate authorities should be tagged](pca-controls.md#pca-2) 
+  [[RDS.14] Amazon Aurora clusters should have backtracking enabled](rds-controls.md#rds-14) 
+  [[RDS.18] RDS instances should be deployed in a VPC](rds-controls.md#rds-18) 
+  [[RDS.24] RDS Database clusters should use a custom administrator username](rds-controls.md#rds-24) 
+  [[RDS.25] RDS database instances should use a custom administrator username](rds-controls.md#rds-25) 
+  [[RDS.26] RDS DB instances should be protected by a backup plan](rds-controls.md#rds-26) 
+  [[RDS.27] RDS DB clusters should be encrypted at rest](rds-controls.md#rds-27) 
+  [[RDS.31] RDS DB security groups should be tagged](rds-controls.md#rds-31) 
+  [[RDS.34] Aurora MySQL DB clusters should publish audit logs to CloudWatch Logs](rds-controls.md#rds-34) 
+  [[RDS.35] RDS DB clusters should have automatic minor version upgrade enabled](rds-controls.md#rds-35) 
+  [[RDS.36] RDS for PostgreSQL DB instances should publish logs to CloudWatch Logs](rds-controls.md#rds-36) 
+  [[RDS.37] Aurora PostgreSQL DB clusters should publish logs to CloudWatch Logs](rds-controls.md#rds-37) 
+  [[RDS.38] RDS for PostgreSQL DB instances should be encrypted in transit](rds-controls.md#rds-38) 
+  [[RDS.39] RDS for MySQL DB instances should be encrypted in transit](rds-controls.md#rds-39) 
+  [[RDS.40] RDS for SQL Server DB instances should publish logs to CloudWatch Logs](rds-controls.md#rds-40) 
+  [[RDS.41] RDS for SQL Server DB instances should be encrypted in transit](rds-controls.md#rds-41) 
+  [[RDS.42] RDS for MariaDB DB instances should publish logs to CloudWatch Logs](rds-controls.md#rds-42) 
+  [[RDS.43] RDS DB proxies should require TLS encryption for connections](rds-controls.md#rds-43) 
+  [[RDS.44] RDS for MariaDB DB instances should be encrypted in transit](rds-controls.md#rds-44) 
+  [[RDS.45] Aurora MySQL DB clusters should have audit logging enabled](rds-controls.md#rds-45) 
+  [[RDS.46] RDS DB instances should not be deployed in public subnets with routes to internet gateways](rds-controls.md#rds-46) 
+  [[RDS.47] RDS for PostgreSQL DB clusters should be configured to copy tags to DB snapshots](rds-controls.md#rds-47) 
+  [[RDS.48] RDS for MySQL DB clusters should be configured to copy tags to DB snapshots](rds-controls.md#rds-48) 
+  [[Redshift.1] Amazon Redshift clusters should prohibit public access](redshift-controls.md#redshift-1) 
+  [[Redshift.2] Connections to Amazon Redshift clusters should be encrypted in transit](redshift-controls.md#redshift-2) 
+  [[Redshift.3] Amazon Redshift clusters should have automatic snapshots enabled](redshift-controls.md#redshift-3) 
+  [[Redshift.4] Amazon Redshift clusters should have audit logging enabled](redshift-controls.md#redshift-4) 
+  [[Redshift.6] Amazon Redshift should have automatic upgrades to major versions enabled](redshift-controls.md#redshift-6) 
+  [[Redshift.7] Redshift clusters should use enhanced VPC routing](redshift-controls.md#redshift-7) 
+  [[Redshift.8] Amazon Redshift clusters should not use the default Admin username](redshift-controls.md#redshift-8) 
+  [[Redshift.10] Redshift clusters should be encrypted at rest](redshift-controls.md#redshift-10) 
+  [[Redshift.11] Redshift clusters should be tagged](redshift-controls.md#redshift-11) 
+  [[Redshift.13] Redshift cluster snapshots should be tagged](redshift-controls.md#redshift-13) 
+  [[Redshift.15] Redshift security groups should allow ingress on the cluster port only from restricted origins](redshift-controls.md#redshift-15) 
+  [[Redshift.16] Redshift cluster subnet groups should have subnets from multiple Availability Zones](redshift-controls.md#redshift-16) 
+  [[Redshift.17] Redshift cluster parameter groups should be tagged](redshift-controls.md#redshift-17) 
+  [[Redshift.18] Redshift clusters should have Multi-AZ deployments enabled](redshift-controls.md#redshift-18) 
+  [[RedshiftServerless.1] Amazon Redshift Serverless workgroups should use enhanced VPC routing](redshiftserverless-controls.md#redshiftserverless-1) 
+  [[RedshiftServerless.2] Connections to Redshift Serverless workgroups should be required to use SSL](redshiftserverless-controls.md#redshiftserverless-2) 
+  [[RedshiftServerless.3] Redshift Serverless workgroups should prohibit public access](redshiftserverless-controls.md#redshiftserverless-3) 
+  [[RedshiftServerless.4] Redshift Serverless namespaces should be encrypted with customer managed Amazon KMS keys](redshiftserverless-controls.md#redshiftserverless-4) 
+  [[RedshiftServerless.5] Redshift Serverless namespaces should not use the default admin username](redshiftserverless-controls.md#redshiftserverless-5) 
+  [[RedshiftServerless.6] Redshift Serverless namespaces should export logs to CloudWatch Logs](redshiftserverless-controls.md#redshiftserverless-6) 
+  [[Route53.1] Route 53 health checks should be tagged](route53-controls.md#route53-1) 
+  [[Route53.2] Route 53 public hosted zones should log DNS queries](route53-controls.md#route53-2) 
+  [[S3.7] S3 general purpose buckets should use cross-Region replication](s3-controls.md#s3-7) 
+  [[S3.10] S3 general purpose buckets with versioning enabled should have Lifecycle configurations](s3-controls.md#s3-10) 
+  [[S3.11] S3 general purpose buckets should have event notifications enabled](s3-controls.md#s3-11) 
+  [[S3.12] ACLs should not be used to manage user access to S3 general purpose buckets](s3-controls.md#s3-12) 
+  [[S3.13] S3 general purpose buckets should have Lifecycle configurations](s3-controls.md#s3-13) 
+  [[S3.19] S3 access points should have block public access settings enabled](s3-controls.md#s3-19) 
+  [[S3.20] S3 general purpose buckets should have MFA delete enabled](s3-controls.md#s3-20) 
+  [[S3.22] S3 general purpose buckets should log object-level write events](s3-controls.md#s3-22) 
+  [[S3.23] S3 general purpose buckets should log object-level read events](s3-controls.md#s3-23) 
+  [[S3.24] S3 Multi-Region Access Points should have block public access settings enabled](s3-controls.md#s3-24) 
+  [[S3.25] S3 directory buckets should have lifecycle configurations](s3-controls.md#s3-25) 
+  [[SageMaker.1] Amazon SageMaker notebook instances should not have direct internet access](sagemaker-controls.md#sagemaker-1) 
+  [[SageMaker.2] SageMaker notebook instances should be launched in a custom VPC](sagemaker-controls.md#sagemaker-2) 
+  [[SageMaker.3] Users should not have root access to SageMaker notebook instances](sagemaker-controls.md#sagemaker-3) 
+  [[SageMaker.4] SageMaker endpoint production variants should have an initial instance count greater than 1](sagemaker-controls.md#sagemaker-4) 
+  [[SageMaker.5] SageMaker models should have network isolation enabled](sagemaker-controls.md#sagemaker-5) 
+  [[SageMaker.6] SageMaker app image configurations should be tagged](sagemaker-controls.md#sagemaker-6) 
+  [[SageMaker.7] SageMaker images should be tagged](sagemaker-controls.md#sagemaker-7) 
+  [[SageMaker.8] SageMaker notebook instances should run on supported platforms](sagemaker-controls.md#sagemaker-8) 
+  [[SageMaker.9] SageMaker data quality job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-9) 
+  [[SageMaker.10] SageMaker model explainability job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-10) 
+  [[SageMaker.11] SageMaker data quality job definitions should have network isolation enabled](sagemaker-controls.md#sagemaker-11) 
+  [[SageMaker.12] SageMaker model bias job definitions should have network isolation enabled](sagemaker-controls.md#sagemaker-12) 
+  [[SageMaker.13] SageMaker model quality job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-13) 
+  [[SageMaker.14] SageMaker monitoring schedules should have network isolation enabled](sagemaker-controls.md#sagemaker-14) 
+  [[SageMaker.15] SageMaker model bias job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-15) 
+  [[SES.1] SES contact lists should be tagged](ses-controls.md#ses-1) 
+  [[SES.2] SES configuration sets should be tagged](ses-controls.md#ses-2) 
+  [[SES.3] SES configuration sets should have TLS enabled for sending emails](ses-controls.md#ses-3) 
+  [[ServiceCatalog.1] Service Catalog portfolios should be shared within an Amazon organization only](servicecatalog-controls.md#servicecatalog-1) 
+  [[SNS.4] SNS topic access policies should not allow public access](sns-controls.md#sns-4) 
+  [[SQS.1] Amazon SQS queues should be encrypted at rest](sqs-controls.md#sqs-1) 
+  [[SQS.2] SQS queues should be tagged](sqs-controls.md#sqs-2) 
+  [[SQS.3] SQS queue access policies should not allow public access](sqs-controls.md#sqs-3) 
+  [[SSM.3] Amazon EC2 instances managed by Systems Manager should have an association compliance status of COMPLIANT](ssm-controls.md#ssm-3) 
+  [[SSM.4] SSM documents should not be public](ssm-controls.md#ssm-4) 
+  [[SSM.5] SSM documents should be tagged](ssm-controls.md#ssm-5) 
+  [[SSM.6] SSM Automation should have CloudWatch logging enabled](ssm-controls.md#ssm-6) 
+  [[SSM.7] SSM documents should have the block public sharing setting enabled](ssm-controls.md#ssm-7) 
+  [[StepFunctions.1] Step Functions state machines should have logging turned on](stepfunctions-controls.md#stepfunctions-1) 
+  [[Transfer.2] Transfer Family servers should not use FTP protocol for endpoint connection](transfer-controls.md#transfer-2) 
+  [[Transfer.3] Transfer Family connectors should have logging enabled](transfer-controls.md#transfer-3) 
+  [[Transfer.4] Transfer Family agreements should be tagged](transfer-controls.md#transfer-4) 
+  [[Transfer.5] Transfer Family certificates should be tagged](transfer-controls.md#transfer-5) 
+  [[Transfer.6] Transfer Family connectors should be tagged](transfer-controls.md#transfer-6) 
+  [[Transfer.7] Transfer Family profiles should be tagged](transfer-controls.md#transfer-7) 
+  [[WAF.1] Amazon WAF Classic Global Web ACL logging should be enabled](waf-controls.md#waf-1) 
+  [[WAF.2] Amazon WAF Classic Regional rules should have at least one condition](waf-controls.md#waf-2) 
+  [[WAF.3] Amazon WAF Classic Regional rule groups should have at least one rule](waf-controls.md#waf-3) 
+  [[WAF.4] Amazon WAF Classic Regional web ACLs should have at least one rule or rule group](waf-controls.md#waf-4) 
+  [[WAF.6] Amazon WAF Classic global rules should have at least one condition](waf-controls.md#waf-6) 
+  [[WAF.7] Amazon WAF Classic global rule groups should have at least one rule](waf-controls.md#waf-7) 
+  [[WAF.8] Amazon WAF Classic global web ACLs should have at least one rule or rule group](waf-controls.md#waf-8) 
+  [[WAF.10] Amazon WAF web ACLs should have at least one rule or rule group](waf-controls.md#waf-10) 
+  [[WAF.12] Amazon WAF rules should have CloudWatch metrics enabled](waf-controls.md#waf-12) 
+  [[WorkSpaces.1] WorkSpaces user volumes should be encrypted at rest](workspaces-controls.md#workspaces-1) 
+  [[WorkSpaces.2] WorkSpaces root volumes should be encrypted at rest](workspaces-controls.md#workspaces-2) 

## Middle East (Bahrain)

The following controls are not supported in the Middle East (Bahrain) Region.

+  [[AppFlow.1] Amazon AppFlow flows should be tagged](appflow-controls.md#appflow-1) 
+  [[AppRunner.1] App Runner services should be tagged](apprunner-controls.md#apprunner-1) 
+  [[AppRunner.2] App Runner VPC connectors should be tagged](apprunner-controls.md#apprunner-2) 
+  [[CloudFront.1] CloudFront distributions should have a default root object configured](cloudfront-controls.md#cloudfront-1) 
+  [[CloudFront.3] CloudFront distributions should require encryption in transit](cloudfront-controls.md#cloudfront-3) 
+  [[CloudFront.4] CloudFront distributions should have origin failover configured](cloudfront-controls.md#cloudfront-4) 
+  [[CloudFront.5] CloudFront distributions should have logging enabled](cloudfront-controls.md#cloudfront-5) 
+  [[CloudFront.6] CloudFront distributions should have WAF enabled](cloudfront-controls.md#cloudfront-6) 
+  [[CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates](cloudfront-controls.md#cloudfront-7) 
+  [[CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests](cloudfront-controls.md#cloudfront-8) 
+  [[CloudFront.9] CloudFront distributions should encrypt traffic to custom origins](cloudfront-controls.md#cloudfront-9) 
+  [[CloudFront.10] CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins](cloudfront-controls.md#cloudfront-10) 
+  [[CloudFront.12] CloudFront distributions should not point to non-existent S3 origins](cloudfront-controls.md#cloudfront-12) 
+  [[CloudFront.13] CloudFront distributions should use origin access control](cloudfront-controls.md#cloudfront-13) 
+  [[CloudFront.14] CloudFront distributions should be tagged](cloudfront-controls.md#cloudfront-14) 
+  [[CloudFront.15] CloudFront distributions should use the recommended TLS security policy](cloudfront-controls.md#cloudfront-15) 
+  [[CloudFront.16] CloudFront distributions should use origin access control for Lambda function URL origins](cloudfront-controls.md#cloudfront-16) 
+  [[CloudFront.17] CloudFront distributions should use trusted key groups for signed URLs and cookies](cloudfront-controls.md#cloudfront-17) 
+  [[CloudTrail.10] CloudTrail Lake event data stores should be encrypted with customer managed Amazon KMS keys](cloudtrail-controls.md#cloudtrail-10) 
+  [[CodeArtifact.1] CodeArtifact repositories should be tagged](codeartifact-controls.md#codeartifact-1) 
+  [[CodeGuruProfiler.1] CodeGuru Profiler profiling groups should be tagged](codeguruprofiler-controls.md#codeguruprofiler-1) 
+  [[CodeGuruReviewer.1] CodeGuru Reviewer repository associations should be tagged](codegurureviewer-controls.md#codegurureviewer-1) 
+  [[Connect.1] Amazon Connect Customer Profiles object types should be tagged](connect-controls.md#connect-1) 
+  [[Connect.2] Amazon Connect instances should have CloudWatch logging enabled](connect-controls.md#connect-2) 
+  [[DocumentDB.1] Amazon DocumentDB clusters should be encrypted at rest](documentdb-controls.md#documentdb-1) 
+  [[DocumentDB.2] Amazon DocumentDB clusters should have an adequate backup retention period](documentdb-controls.md#documentdb-2) 
+  [[DocumentDB.3] Amazon DocumentDB manual cluster snapshots should not be public](documentdb-controls.md#documentdb-3) 
+  [[DocumentDB.4] Amazon DocumentDB clusters should publish audit logs to CloudWatch Logs](documentdb-controls.md#documentdb-4) 
+  [[DocumentDB.5] Amazon DocumentDB clusters should have deletion protection enabled](documentdb-controls.md#documentdb-5) 
+  [[DocumentDB.6] Amazon DocumentDB clusters should be encrypted in transit](documentdb-controls.md#documentdb-6) 
+  [[DynamoDB.3] DynamoDB Accelerator (DAX) clusters should be encrypted at rest](dynamodb-controls.md#dynamodb-3) 
+  [[DynamoDB.7] DynamoDB Accelerator clusters should be encrypted in transit](dynamodb-controls.md#dynamodb-7) 
+  [[EC2.20] Both VPN tunnels for an Amazon Site-to-Site VPN connection should be up](ec2-controls.md#ec2-20) 
+  [[EC2.24] Amazon EC2 paravirtual instance types should not be used](ec2-controls.md#ec2-24) 
+  [[EC2.58] VPCs should be configured with an interface endpoint for Systems Manager Incident Manager Contacts](ec2-controls.md#ec2-58) 
+  [[EC2.60] VPCs should be configured with an interface endpoint for Systems Manager Incident Manager](ec2-controls.md#ec2-60) 
+  [[EC2.173] EC2 Spot Fleet requests with launch parameters should enable encryption for attached EBS volumes](ec2-controls.md#ec2-173) 
+  [[ECR.4] ECR public repositories should be tagged](ecr-controls.md#ecr-4) 
+  [[ECR.5] ECR repositories should be encrypted with customer managed Amazon KMS keys](ecr-controls.md#ecr-5) 
+  [[ECS.17] ECS task definitions should not use host network mode](ecs-controls.md#ecs-17) 
+  [[ELB.17] Application and Network Load Balancers with listeners should use recommended security policies](elb-controls.md#elb-17) 
+  [[EventBridge.4] EventBridge global endpoints should have event replication enabled](eventbridge-controls.md#eventbridge-4) 
+  [[FraudDetector.1] Amazon Fraud Detector entity types should be tagged](frauddetector-controls.md#frauddetector-1) 
+  [[FraudDetector.2] Amazon Fraud Detector labels should be tagged](frauddetector-controls.md#frauddetector-2) 
+  [[FraudDetector.3] Amazon Fraud Detector outcomes should be tagged](frauddetector-controls.md#frauddetector-3) 
+  [[FraudDetector.4] Amazon Fraud Detector variables should be tagged](frauddetector-controls.md#frauddetector-4) 
+  [[FSx.3] FSx for OpenZFS file systems should be configured for Multi-AZ deployment](fsx-controls.md#fsx-3) 
+  [[FSx.4] FSx for NetApp ONTAP file systems should be configured for Multi-AZ deployment](fsx-controls.md#fsx-4) 
+  [[FSx.5] FSx for Windows File Server file systems should be configured for Multi-AZ deployment](fsx-controls.md#fsx-5) 
+  [[GlobalAccelerator.1] Global Accelerator accelerators should be tagged](globalaccelerator-controls.md#globalaccelerator-1) 
+  [[Glue.4] Amazon Glue Spark jobs should run on supported versions of Amazon Glue](glue-controls.md#glue-4) 
+  [[GuardDuty.11] GuardDuty Runtime Monitoring should be enabled](guardduty-controls.md#guardduty-11) 
+  [[GuardDuty.12] GuardDuty ECS Runtime Monitoring should be enabled](guardduty-controls.md#guardduty-12) 
+  [[GuardDuty.13] GuardDuty EC2 Runtime Monitoring should be enabled](guardduty-controls.md#guardduty-13) 
+  [[IAM.26] Expired SSL/TLS certificates managed in IAM should be removed](iam-controls.md#iam-26) 
+  [[Inspector.3] Amazon Inspector Lambda code scanning should be enabled](inspector-controls.md#inspector-3) 
+  [[IoTEvents.1] Amazon IoT Events inputs should be tagged](iotevents-controls.md#iotevents-1) 
+  [[IoTEvents.2] Amazon IoT Events detector models should be tagged](iotevents-controls.md#iotevents-2) 
+  [[IoTEvents.3] Amazon IoT Events alarm models should be tagged](iotevents-controls.md#iotevents-3) 
+  [[IoTSiteWise.1] Amazon IoT SiteWise asset models should be tagged](iotsitewise-controls.md#iotsitewise-1) 
+  [[IoTSiteWise.2] Amazon IoT SiteWise dashboards should be tagged](iotsitewise-controls.md#iotsitewise-2) 
+  [[IoTSiteWise.3] Amazon IoT SiteWise gateways should be tagged](iotsitewise-controls.md#iotsitewise-3) 
+  [[IoTSiteWise.4] Amazon IoT SiteWise portals should be tagged](iotsitewise-controls.md#iotsitewise-4) 
+  [[IoTSiteWise.5] Amazon IoT SiteWise projects should be tagged](iotsitewise-controls.md#iotsitewise-5) 
+  [[IoTTwinMaker.1] Amazon IoT TwinMaker sync jobs should be tagged](iottwinmaker-controls.md#iottwinmaker-1) 
+  [[IoTTwinMaker.2] Amazon IoT TwinMaker workspaces should be tagged](iottwinmaker-controls.md#iottwinmaker-2) 
+  [[IoTTwinMaker.3] Amazon IoT TwinMaker scenes should be tagged](iottwinmaker-controls.md#iottwinmaker-3) 
+  [[IoTTwinMaker.4] Amazon IoT TwinMaker entities should be tagged](iottwinmaker-controls.md#iottwinmaker-4) 
+  [[IoTWireless.1] Amazon IoT Wireless multicast groups should be tagged](iotwireless-controls.md#iotwireless-1) 
+  [[IoTWireless.2] Amazon IoT Wireless service profiles should be tagged](iotwireless-controls.md#iotwireless-2) 
+  [[IoTWireless.3] Amazon IoT FUOTA tasks should be tagged](iotwireless-controls.md#iotwireless-3) 
+  [[IVS.1] IVS playback key pairs should be tagged](ivs-controls.md#ivs-1) 
+  [[IVS.2] IVS recording configurations should be tagged](ivs-controls.md#ivs-2) 
+  [[IVS.3] IVS channels should be tagged](ivs-controls.md#ivs-3) 
+  [[MSK.3] MSK Connect connectors should be encrypted in transit](msk-controls.md#msk-3) 
+  [[MSK.5] MSK connectors should have logging enabled](msk-controls.md#msk-5) 
+  [[NetworkFirewall.10] Network Firewall firewalls should have subnet change protection enabled](networkfirewall-controls.md#networkfirewall-10) 
+  [[RDS.14] Amazon Aurora clusters should have backtracking enabled](rds-controls.md#rds-14) 
+  [[RDS.31] RDS DB security groups should be tagged](rds-controls.md#rds-31) 
+  [[RDS.41] RDS for SQL Server DB instances should be encrypted in transit](rds-controls.md#rds-41) 
+  [[RDS.42] RDS for MariaDB DB instances should publish logs to CloudWatch Logs](rds-controls.md#rds-42) 
+  [[RDS.43] RDS DB proxies should require TLS encryption for connections](rds-controls.md#rds-43) 
+  [[RDS.44] RDS for MariaDB DB instances should be encrypted in transit](rds-controls.md#rds-44) 
+  [[RDS.45] Aurora MySQL DB clusters should have audit logging enabled](rds-controls.md#rds-45) 
+  [[RDS.46] RDS DB instances should not be deployed in public subnets with routes to internet gateways](rds-controls.md#rds-46) 
+  [[RedshiftServerless.1] Amazon Redshift Serverless workgroups should use enhanced VPC routing](redshiftserverless-controls.md#redshiftserverless-1) 
+  [[RedshiftServerless.2] Connections to Redshift Serverless workgroups should be required to use SSL](redshiftserverless-controls.md#redshiftserverless-2) 
+  [[RedshiftServerless.3] Redshift Serverless workgroups should prohibit public access](redshiftserverless-controls.md#redshiftserverless-3) 
+  [[RedshiftServerless.4] Redshift Serverless namespaces should be encrypted with customer managed Amazon KMS keys](redshiftserverless-controls.md#redshiftserverless-4) 
+  [[RedshiftServerless.5] Redshift Serverless namespaces should not use the default admin username](redshiftserverless-controls.md#redshiftserverless-5) 
+  [[RedshiftServerless.6] Redshift Serverless namespaces should export logs to CloudWatch Logs](redshiftserverless-controls.md#redshiftserverless-6) 
+  [[Route53.1] Route 53 health checks should be tagged](route53-controls.md#route53-1) 
+  [[Route53.2] Route 53 public hosted zones should log DNS queries](route53-controls.md#route53-2) 
+  [[S3.24] S3 Multi-Region Access Points should have block public access settings enabled](s3-controls.md#s3-24) 
+  [[S3.25] S3 directory buckets should have lifecycle configurations](s3-controls.md#s3-25) 
+  [[SageMaker.8] SageMaker notebook instances should run on supported platforms](sagemaker-controls.md#sagemaker-8) 
+  [[SQS.3] SQS queue access policies should not allow public access](sqs-controls.md#sqs-3) 
+  [[Transfer.3] Transfer Family connectors should have logging enabled](transfer-controls.md#transfer-3) 
+  [[WAF.1] Amazon WAF Classic Global Web ACL logging should be enabled](waf-controls.md#waf-1) 
+  [[WAF.6] Amazon WAF Classic global rules should have at least one condition](waf-controls.md#waf-6) 
+  [[WAF.7] Amazon WAF Classic global rule groups should have at least one rule](waf-controls.md#waf-7) 
+  [[WAF.8] Amazon WAF Classic global web ACLs should have at least one rule or rule group](waf-controls.md#waf-8) 
+  [[WorkSpaces.1] WorkSpaces user volumes should be encrypted at rest](workspaces-controls.md#workspaces-1) 
+  [[WorkSpaces.2] WorkSpaces root volumes should be encrypted at rest](workspaces-controls.md#workspaces-2) 

## Middle East (UAE)


The following controls are not supported in the Middle East (UAE) Region.
+  [[APIGateway.8] API Gateway routes should specify an authorization type](apigateway-controls.md#apigateway-8) 
+  [[APIGateway.9] Access logging should be configured for API Gateway V2 Stages](apigateway-controls.md#apigateway-9) 
+  [[Amplify.1] Amplify apps should be tagged](amplify-controls.md#amplify-1) 
+  [[Amplify.2] Amplify branches should be tagged](amplify-controls.md#amplify-2) 
+  [[AppConfig.1] Amazon AppConfig applications should be tagged](appconfig-controls.md#appconfig-1) 
+  [[AppConfig.2] Amazon AppConfig configuration profiles should be tagged](appconfig-controls.md#appconfig-2) 
+  [[AppConfig.3] Amazon AppConfig environments should be tagged](appconfig-controls.md#appconfig-3) 
+  [[AppFlow.1] Amazon AppFlow flows should be tagged](appflow-controls.md#appflow-1) 
+  [[AppRunner.1] App Runner services should be tagged](apprunner-controls.md#apprunner-1) 
+  [[AppRunner.2] App Runner VPC connectors should be tagged](apprunner-controls.md#apprunner-2) 
+  [[AppSync.1] Amazon AppSync API caches should be encrypted at rest](appsync-controls.md#appsync-1) 
+  [[AppSync.6] Amazon AppSync API caches should be encrypted in transit](appsync-controls.md#appsync-6) 
+  [[Backup.1] Amazon Backup recovery points should be encrypted at rest](backup-controls.md#backup-1) 
+  [[Backup.4] Amazon Backup report plans should be tagged](backup-controls.md#backup-4) 
+  [[CloudFormation.3] CloudFormation stacks should have termination protection enabled](cloudformation-controls.md#cloudformation-3) 
+  [[CloudFormation.4] CloudFormation stacks should have associated service roles](cloudformation-controls.md#cloudformation-4) 
+  [[CloudFront.1] CloudFront distributions should have a default root object configured](cloudfront-controls.md#cloudfront-1) 
+  [[CloudFront.3] CloudFront distributions should require encryption in transit](cloudfront-controls.md#cloudfront-3) 
+  [[CloudFront.4] CloudFront distributions should have origin failover configured](cloudfront-controls.md#cloudfront-4) 
+  [[CloudFront.5] CloudFront distributions should have logging enabled](cloudfront-controls.md#cloudfront-5) 
+  [[CloudFront.6] CloudFront distributions should have WAF enabled](cloudfront-controls.md#cloudfront-6) 
+  [[CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates](cloudfront-controls.md#cloudfront-7) 
+  [[CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests](cloudfront-controls.md#cloudfront-8) 
+  [[CloudFront.9] CloudFront distributions should encrypt traffic to custom origins](cloudfront-controls.md#cloudfront-9) 
+  [[CloudFront.10] CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins](cloudfront-controls.md#cloudfront-10) 
+  [[CloudFront.12] CloudFront distributions should not point to non-existent S3 origins](cloudfront-controls.md#cloudfront-12) 
+  [[CloudFront.13] CloudFront distributions should use origin access control](cloudfront-controls.md#cloudfront-13) 
+  [[CloudFront.14] CloudFront distributions should be tagged](cloudfront-controls.md#cloudfront-14) 
+  [[CloudFront.15] CloudFront distributions should use the recommended TLS security policy](cloudfront-controls.md#cloudfront-15) 
+  [[CloudFront.16] CloudFront distributions should use origin access control for Lambda function URL origins](cloudfront-controls.md#cloudfront-16) 
+  [[CloudFront.17] CloudFront distributions should use trusted key groups for signed URLs and cookies](cloudfront-controls.md#cloudfront-17) 
+  [[CloudTrail.6] Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible](cloudtrail-controls.md#cloudtrail-6) 
+  [[CodeArtifact.1] CodeArtifact repositories should be tagged](codeartifact-controls.md#codeartifact-1) 
+  [[CodeGuruProfiler.1] CodeGuru Profiler profiling groups should be tagged](codeguruprofiler-controls.md#codeguruprofiler-1) 
+  [[CodeGuruReviewer.1] CodeGuru Reviewer repository associations should be tagged](codegurureviewer-controls.md#codegurureviewer-1) 
+  [[Cognito.1] Cognito user pools should have threat protection activated with full function enforcement mode for standard authentication](cognito-controls.md#cognito-1) 
+  [[Cognito.2] Cognito identity pools should not allow unauthenticated identities](cognito-controls.md#cognito-2) 
+  [[Connect.1] Amazon Connect Customer Profiles object types should be tagged](connect-controls.md#connect-1) 
+  [[Connect.2] Amazon Connect instances should have CloudWatch logging enabled](connect-controls.md#connect-2) 
+  [[Detective.1] Detective behavior graphs should be tagged](detective-controls.md#detective-1) 
+  [[DMS.2] DMS certificates should be tagged](dms-controls.md#dms-2) 
+  [[DMS.3] DMS event subscriptions should be tagged](dms-controls.md#dms-3) 
+  [[DMS.4] DMS replication instances should be tagged](dms-controls.md#dms-4) 
+  [[DMS.5] DMS replication subnet groups should be tagged](dms-controls.md#dms-5) 
+  [[DMS.6] DMS replication instances should have automatic minor version upgrade enabled](dms-controls.md#dms-6) 
+  [[DMS.7] DMS replication tasks for the target database should have logging enabled](dms-controls.md#dms-7) 
+  [[DMS.8] DMS replication tasks for the source database should have logging enabled](dms-controls.md#dms-8) 
+  [[DMS.9] DMS endpoints should use SSL](dms-controls.md#dms-9) 
+  [[DMS.10] DMS endpoints for Neptune databases should have IAM authorization enabled](dms-controls.md#dms-10) 
+  [[DMS.11] DMS endpoints for MongoDB should have an authentication mechanism enabled](dms-controls.md#dms-11) 
+  [[DMS.12] DMS endpoints for Redis OSS should have TLS enabled](dms-controls.md#dms-12) 
+  [[DMS.13] DMS replication instances should be configured to use multiple Availability Zones](dms-controls.md#dms-13) 
+  [[DynamoDB.3] DynamoDB Accelerator (DAX) clusters should be encrypted at rest](dynamodb-controls.md#dynamodb-3) 
+  [[DynamoDB.7] DynamoDB Accelerator clusters should be encrypted in transit](dynamodb-controls.md#dynamodb-7) 
+  [[EC2.4] Stopped EC2 instances should be removed after a specified time period](ec2-controls.md#ec2-4) 
+  [[EC2.14] Security groups should not allow ingress from 0.0.0.0/0 or ::/0 to port 3389](ec2-controls.md#ec2-14) 
+  [[EC2.22] Unused Amazon EC2 security groups should be removed](ec2-controls.md#ec2-22) 
+  [[EC2.24] Amazon EC2 paravirtual instance types should not be used](ec2-controls.md#ec2-24) 
+  [[EC2.25] Amazon EC2 launch templates should not assign public IPs to network interfaces](ec2-controls.md#ec2-25) 
+  [[EC2.51] EC2 Client VPN endpoints should have client connection logging enabled](ec2-controls.md#ec2-51) 
+  [[EC2.58] VPCs should be configured with an interface endpoint for Systems Manager Incident Manager Contacts](ec2-controls.md#ec2-58) 
+  [[EC2.60] VPCs should be configured with an interface endpoint for Systems Manager Incident Manager](ec2-controls.md#ec2-60) 
+  [[EC2.170] EC2 launch templates should use Instance Metadata Service Version 2 (IMDSv2)](ec2-controls.md#ec2-170) 
+  [[EC2.173] EC2 Spot Fleet requests with launch parameters should enable encryption for attached EBS volumes](ec2-controls.md#ec2-173) 
+  [[EC2.175] EC2 launch templates should be tagged](ec2-controls.md#ec2-175) 
+  [[EC2.177] EC2 traffic mirror sessions should be tagged](ec2-controls.md#ec2-177) 
+  [[EC2.179] EC2 traffic mirror targets should be tagged](ec2-controls.md#ec2-179) 
+  [[EC2.180] EC2 network interfaces should have source/destination checking enabled](ec2-controls.md#ec2-180) 
+  [[EC2.181] EC2 launch templates should enable encryption for attached EBS volumes](ec2-controls.md#ec2-181) 
+  [[ECR.4] ECR public repositories should be tagged](ecr-controls.md#ecr-4) 
+  [[EFS.1] Elastic File System should be configured to encrypt file data at-rest using Amazon KMS](efs-controls.md#efs-1) 
+  [[EFS.2] Amazon EFS volumes should be in backup plans](efs-controls.md#efs-2) 
+  [[ELB.14] Classic Load Balancer should be configured with defensive or strictest desync mitigation mode](elb-controls.md#elb-14) 
+  [[ELB.17] Application and Network Load Balancers with listeners should use recommended security policies](elb-controls.md#elb-17) 
+  [[ELB.18] Application and Network Load Balancer listeners should use secure protocols to encrypt data in transit](elb-controls.md#elb-18) 
+  [[ElastiCache.1] ElastiCache (Redis OSS) clusters should have automatic backups enabled](elasticache-controls.md#elasticache-1) 
+  [[ElastiCache.2] ElastiCache clusters should have automatic minor version upgrades enabled](elasticache-controls.md#elasticache-2) 
+  [[ElastiCache.3] ElastiCache replication groups should have automatic failover enabled](elasticache-controls.md#elasticache-3) 
+  [[ElastiCache.4] ElastiCache replication groups should be encrypted at rest](elasticache-controls.md#elasticache-4) 
+  [[ElastiCache.5] ElastiCache replication groups should be encrypted in transit](elasticache-controls.md#elasticache-5) 
+  [[ElastiCache.6] ElastiCache (Redis OSS) replication groups of earlier versions should have Redis OSS AUTH enabled](elasticache-controls.md#elasticache-6) 
+  [[ElastiCache.7] ElastiCache clusters should not use the default subnet group](elasticache-controls.md#elasticache-7) 
+  [[ElasticBeanstalk.1] Elastic Beanstalk environments should have enhanced health reporting enabled](elasticbeanstalk-controls.md#elasticbeanstalk-1) 
+  [[ElasticBeanstalk.2] Elastic Beanstalk managed platform updates should be enabled](elasticbeanstalk-controls.md#elasticbeanstalk-2) 
+  [[ElasticBeanstalk.3] Elastic Beanstalk should stream logs to CloudWatch](elasticbeanstalk-controls.md#elasticbeanstalk-3) 
+  [[EMR.1] Amazon EMR cluster primary nodes should not have public IP addresses](emr-controls.md#emr-1) 
+  [[EventBridge.4] EventBridge global endpoints should have event replication enabled](eventbridge-controls.md#eventbridge-4) 
+  [[FraudDetector.1] Amazon Fraud Detector entity types should be tagged](frauddetector-controls.md#frauddetector-1) 
+  [[FraudDetector.2] Amazon Fraud Detector labels should be tagged](frauddetector-controls.md#frauddetector-2) 
+  [[FraudDetector.3] Amazon Fraud Detector outcomes should be tagged](frauddetector-controls.md#frauddetector-3) 
+  [[FraudDetector.4] Amazon Fraud Detector variables should be tagged](frauddetector-controls.md#frauddetector-4) 
+  [[GlobalAccelerator.1] Global Accelerator accelerators should be tagged](globalaccelerator-controls.md#globalaccelerator-1) 
+  [[Glue.4] Amazon Glue Spark jobs should run on supported versions of Amazon Glue](glue-controls.md#glue-4) 
+  [[GuardDuty.2] GuardDuty filters should be tagged](guardduty-controls.md#guardduty-2) 
+  [[IAM.1] IAM policies should not allow full "*" administrative privileges](iam-controls.md#iam-1) 
+  [[IAM.2] IAM users should not have IAM policies attached](iam-controls.md#iam-2) 
+  [[IAM.3] IAM users' access keys should be rotated every 90 days or less](iam-controls.md#iam-3) 
+  [[IAM.4] IAM root user access key should not exist](iam-controls.md#iam-4) 
+  [[IAM.5] MFA should be enabled for all IAM users that have a console password](iam-controls.md#iam-5) 
+  [[IAM.6] Hardware MFA should be enabled for the root user](iam-controls.md#iam-6) 
+  [[IAM.8] Unused IAM user credentials should be removed](iam-controls.md#iam-8) 
+  [[IAM.9] MFA should be enabled for the root user](iam-controls.md#iam-9) 
+  [[IAM.18] Ensure a support role has been created to manage incidents with Amazon Web Services Support](iam-controls.md#iam-18) 
+  [[IAM.19] MFA should be enabled for all IAM users](iam-controls.md#iam-19) 
+  [[IAM.21] IAM customer managed policies that you create should not allow wildcard actions for services](iam-controls.md#iam-21) 
+  [[IAM.22] IAM user credentials unused for 45 days should be removed](iam-controls.md#iam-22) 
+  [[IAM.24] IAM roles should be tagged](iam-controls.md#iam-24) 
+  [[IAM.25] IAM users should be tagged](iam-controls.md#iam-25) 
+  [[IAM.26] Expired SSL/TLS certificates managed in IAM should be removed](iam-controls.md#iam-26) 
+  [[IAM.27] IAM identities should not have the AWSCloudShellFullAccess policy attached](iam-controls.md#iam-27) 
+  [[Inspector.1] Amazon Inspector EC2 scanning should be enabled](inspector-controls.md#inspector-1) 
+  [[Inspector.2] Amazon Inspector ECR scanning should be enabled](inspector-controls.md#inspector-2) 
+  [[Inspector.3] Amazon Inspector Lambda code scanning should be enabled](inspector-controls.md#inspector-3) 
+  [[Inspector.4] Amazon Inspector Lambda standard scanning should be enabled](inspector-controls.md#inspector-4) 
+  [[IoTEvents.1] Amazon IoT Events inputs should be tagged](iotevents-controls.md#iotevents-1) 
+  [[IoTEvents.2] Amazon IoT Events detector models should be tagged](iotevents-controls.md#iotevents-2) 
+  [[IoTEvents.3] Amazon IoT Events alarm models should be tagged](iotevents-controls.md#iotevents-3) 
+  [[IoTSiteWise.1] Amazon IoT SiteWise asset models should be tagged](iotsitewise-controls.md#iotsitewise-1) 
+  [[IoTSiteWise.2] Amazon IoT SiteWise dashboards should be tagged](iotsitewise-controls.md#iotsitewise-2) 
+  [[IoTSiteWise.3] Amazon IoT SiteWise gateways should be tagged](iotsitewise-controls.md#iotsitewise-3) 
+  [[IoTSiteWise.4] Amazon IoT SiteWise portals should be tagged](iotsitewise-controls.md#iotsitewise-4) 
+  [[IoTSiteWise.5] Amazon IoT SiteWise projects should be tagged](iotsitewise-controls.md#iotsitewise-5) 
+  [[IoTTwinMaker.1] Amazon IoT TwinMaker sync jobs should be tagged](iottwinmaker-controls.md#iottwinmaker-1) 
+  [[IoTTwinMaker.2] Amazon IoT TwinMaker workspaces should be tagged](iottwinmaker-controls.md#iottwinmaker-2) 
+  [[IoTTwinMaker.3] Amazon IoT TwinMaker scenes should be tagged](iottwinmaker-controls.md#iottwinmaker-3) 
+  [[IoTTwinMaker.4] Amazon IoT TwinMaker entities should be tagged](iottwinmaker-controls.md#iottwinmaker-4) 
+  [[IoTWireless.1] Amazon IoT Wireless multicast groups should be tagged](iotwireless-controls.md#iotwireless-1) 
+  [[IoTWireless.2] Amazon IoT Wireless service profiles should be tagged](iotwireless-controls.md#iotwireless-2) 
+  [[IoTWireless.3] Amazon IoT FUOTA tasks should be tagged](iotwireless-controls.md#iotwireless-3) 
+  [[IVS.1] IVS playback key pairs should be tagged](ivs-controls.md#ivs-1) 
+  [[IVS.2] IVS recording configurations should be tagged](ivs-controls.md#ivs-2) 
+  [[IVS.3] IVS channels should be tagged](ivs-controls.md#ivs-3) 
+  [[Keyspaces.1] Amazon Keyspaces keyspaces should be tagged](keyspaces-controls.md#keyspaces-1) 
+  [[KMS.1] IAM customer managed policies should not allow decryption actions on all KMS keys](kms-controls.md#kms-1) 
+  [[KMS.2] IAM principals should not have IAM inline policies that allow decryption actions on all KMS keys](kms-controls.md#kms-2) 
+  [[Lambda.7] Lambda functions should have Amazon X-Ray active tracing enabled](lambda-controls.md#lambda-7) 
+  [[Macie.1] Amazon Macie should be enabled](macie-controls.md#macie-1) 
+  [[Macie.2] Macie automated sensitive data discovery should be enabled](macie-controls.md#macie-2) 
+  [[MSK.3] MSK Connect connectors should be encrypted in transit](msk-controls.md#msk-3) 
+  [[MSK.4] MSK clusters should have public access disabled](msk-controls.md#msk-4) 
+  [[MSK.5] MSK connectors should have logging enabled](msk-controls.md#msk-5) 
+  [[MSK.6] MSK clusters should disable unauthenticated access](msk-controls.md#msk-6) 
+  [[Opensearch.1] OpenSearch domains should have encryption at rest enabled](opensearch-controls.md#opensearch-1) 
+  [[Opensearch.2] OpenSearch domains should not be publicly accessible](opensearch-controls.md#opensearch-2) 
+  [[Opensearch.3] OpenSearch domains should encrypt data sent between nodes](opensearch-controls.md#opensearch-3) 
+  [[Opensearch.4] OpenSearch domain error logging to CloudWatch Logs should be enabled](opensearch-controls.md#opensearch-4) 
+  [[Opensearch.5] OpenSearch domains should have audit logging enabled](opensearch-controls.md#opensearch-5) 
+  [[Opensearch.6] OpenSearch domains should have at least three data nodes](opensearch-controls.md#opensearch-6) 
+  [[Opensearch.7] OpenSearch domains should have fine-grained access control enabled](opensearch-controls.md#opensearch-7) 
+  [[Opensearch.8] Connections to OpenSearch domains should be encrypted using the latest TLS security policy](opensearch-controls.md#opensearch-8) 
+  [[Opensearch.9] OpenSearch domains should be tagged](opensearch-controls.md#opensearch-9) 
+  [[Opensearch.10] OpenSearch domains should have the latest software update installed](opensearch-controls.md#opensearch-10) 
+  [[Opensearch.11] OpenSearch domains should have at least three dedicated primary nodes](opensearch-controls.md#opensearch-11) 
+  [[RDS.14] Amazon Aurora clusters should have backtracking enabled](rds-controls.md#rds-14) 
+  [[RDS.31] RDS DB security groups should be tagged](rds-controls.md#rds-31) 
+  [[RDS.35] RDS DB clusters should have automatic minor version upgrade enabled](rds-controls.md#rds-35) 
+  [[Redshift.18] Redshift clusters should have Multi-AZ deployments enabled](redshift-controls.md#redshift-18) 
+  [[RedshiftServerless.1] Amazon Redshift Serverless workgroups should use enhanced VPC routing](redshiftserverless-controls.md#redshiftserverless-1) 
+  [[RedshiftServerless.2] Connections to Redshift Serverless workgroups should be required to use SSL](redshiftserverless-controls.md#redshiftserverless-2) 
+  [[Route53.1] Route 53 health checks should be tagged](route53-controls.md#route53-1) 
+  [[Route53.2] Route 53 public hosted zones should log DNS queries](route53-controls.md#route53-2) 
+  [[S3.24] S3 Multi-Region Access Points should have block public access settings enabled](s3-controls.md#s3-24) 
+  [[S3.25] S3 directory buckets should have lifecycle configurations](s3-controls.md#s3-25) 
+  [[SageMaker.1] Amazon SageMaker notebook instances should not have direct internet access](sagemaker-controls.md#sagemaker-1) 
+  [[SageMaker.2] SageMaker notebook instances should be launched in a custom VPC](sagemaker-controls.md#sagemaker-2) 
+  [[SageMaker.3] Users should not have root access to SageMaker notebook instances](sagemaker-controls.md#sagemaker-3) 
+  [[SageMaker.5] SageMaker models should have network isolation enabled](sagemaker-controls.md#sagemaker-5) 
+  [[SageMaker.9] SageMaker data quality job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-9) 
+  [[SageMaker.10] SageMaker model explainability job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-10) 
+  [[SageMaker.11] SageMaker data quality job definitions should have network isolation enabled](sagemaker-controls.md#sagemaker-11) 
+  [[SageMaker.12] SageMaker model bias job definitions should have network isolation enabled](sagemaker-controls.md#sagemaker-12) 
+  [[SageMaker.13] SageMaker model quality job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-13) 
+  [[SageMaker.14] SageMaker monitoring schedules should have network isolation enabled](sagemaker-controls.md#sagemaker-14) 
+  [[SageMaker.15] SageMaker model bias job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-15) 
+  [[SES.1] SES contact lists should be tagged](ses-controls.md#ses-1) 
+  [[SES.2] SES configuration sets should be tagged](ses-controls.md#ses-2) 
+  [[SES.3] SES configuration sets should have TLS enabled for sending emails](ses-controls.md#ses-3) 
+  [[SQS.1] Amazon SQS queues should be encrypted at rest](sqs-controls.md#sqs-1) 
+  [[SQS.2] SQS queues should be tagged](sqs-controls.md#sqs-2) 
+  [[SQS.3] SQS queue access policies should not allow public access](sqs-controls.md#sqs-3) 
+  [[SSM.6] SSM Automation should have CloudWatch logging enabled](ssm-controls.md#ssm-6) 
+  [[SSM.7] SSM documents should have the block public sharing setting enabled](ssm-controls.md#ssm-7) 
+  [[WAF.1] Amazon WAF Classic Global Web ACL logging should be enabled](waf-controls.md#waf-1) 
+  [[WAF.3] Amazon WAF Classic Regional rule groups should have at least one rule](waf-controls.md#waf-3) 
+  [[WAF.6] Amazon WAF Classic global rules should have at least one condition](waf-controls.md#waf-6) 
+  [[WAF.7] Amazon WAF Classic global rule groups should have at least one rule](waf-controls.md#waf-7) 
+  [[WAF.8] Amazon WAF Classic global web ACLs should have at least one rule or rule group](waf-controls.md#waf-8) 
+  [[WAF.10] Amazon WAF web ACLs should have at least one rule or rule group](waf-controls.md#waf-10) 
+  [[WorkSpaces.1] WorkSpaces user volumes should be encrypted at rest](workspaces-controls.md#workspaces-1) 
+  [[WorkSpaces.2] WorkSpaces root volumes should be encrypted at rest](workspaces-controls.md#workspaces-2) 

## South America (São Paulo)


The following controls are not supported in the South America (São Paulo) Region.
+  [[AppRunner.1] App Runner services should be tagged](apprunner-controls.md#apprunner-1) 
+  [[AppRunner.2] App Runner VPC connectors should be tagged](apprunner-controls.md#apprunner-2) 
+  [[CloudFront.1] CloudFront distributions should have a default root object configured](cloudfront-controls.md#cloudfront-1) 
+  [[CloudFront.3] CloudFront distributions should require encryption in transit](cloudfront-controls.md#cloudfront-3) 
+  [[CloudFront.4] CloudFront distributions should have origin failover configured](cloudfront-controls.md#cloudfront-4) 
+  [[CloudFront.5] CloudFront distributions should have logging enabled](cloudfront-controls.md#cloudfront-5) 
+  [[CloudFront.6] CloudFront distributions should have WAF enabled](cloudfront-controls.md#cloudfront-6) 
+  [[CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates](cloudfront-controls.md#cloudfront-7) 
+  [[CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests](cloudfront-controls.md#cloudfront-8) 
+  [[CloudFront.9] CloudFront distributions should encrypt traffic to custom origins](cloudfront-controls.md#cloudfront-9) 
+  [[CloudFront.10] CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins](cloudfront-controls.md#cloudfront-10) 
+  [[CloudFront.12] CloudFront distributions should not point to non-existent S3 origins](cloudfront-controls.md#cloudfront-12) 
+  [[CloudFront.13] CloudFront distributions should use origin access control](cloudfront-controls.md#cloudfront-13) 
+  [[CloudFront.14] CloudFront distributions should be tagged](cloudfront-controls.md#cloudfront-14) 
+  [[CloudFront.15] CloudFront distributions should use the recommended TLS security policy](cloudfront-controls.md#cloudfront-15) 
+  [[CloudFront.16] CloudFront distributions should use origin access control for Lambda function URL origins](cloudfront-controls.md#cloudfront-16) 
+  [[CloudFront.17] CloudFront distributions should use trusted key groups for signed URLs and cookies](cloudfront-controls.md#cloudfront-17) 
+  [[CodeArtifact.1] CodeArtifact repositories should be tagged](codeartifact-controls.md#codeartifact-1) 
+  [[CodeGuruProfiler.1] CodeGuru Profiler profiling groups should be tagged](codeguruprofiler-controls.md#codeguruprofiler-1) 
+  [[CodeGuruReviewer.1] CodeGuru Reviewer repository associations should be tagged](codegurureviewer-controls.md#codegurureviewer-1) 
+  [[Cognito.5] MFA should be enabled for Cognito user pools](cognito-controls.md#cognito-5) 
+  [[Connect.1] Amazon Connect Customer Profiles object types should be tagged](connect-controls.md#connect-1) 
+  [[Connect.2] Amazon Connect instances should have CloudWatch logging enabled](connect-controls.md#connect-2) 
+  [[EC2.173] EC2 Spot Fleet requests with launch parameters should enable encryption for attached EBS volumes](ec2-controls.md#ec2-173) 
+  [[ECR.4] ECR public repositories should be tagged](ecr-controls.md#ecr-4) 
+  [[FraudDetector.1] Amazon Fraud Detector entity types should be tagged](frauddetector-controls.md#frauddetector-1) 
+  [[FraudDetector.2] Amazon Fraud Detector labels should be tagged](frauddetector-controls.md#frauddetector-2) 
+  [[FraudDetector.3] Amazon Fraud Detector outcomes should be tagged](frauddetector-controls.md#frauddetector-3) 
+  [[FraudDetector.4] Amazon Fraud Detector variables should be tagged](frauddetector-controls.md#frauddetector-4) 
+  [[GlobalAccelerator.1] Global Accelerator accelerators should be tagged](globalaccelerator-controls.md#globalaccelerator-1) 
+  [[IAM.26] Expired SSL/TLS certificates managed in IAM should be removed](iam-controls.md#iam-26) 
+  [[Inspector.3] Amazon Inspector Lambda code scanning should be enabled](inspector-controls.md#inspector-3) 
+  [[IoT.1] Amazon IoT Device Defender security profiles should be tagged](iot-controls.md#iot-1) 
+  [[IoT.2] Amazon IoT Core mitigation actions should be tagged](iot-controls.md#iot-2) 
+  [[IoT.3] Amazon IoT Core dimensions should be tagged](iot-controls.md#iot-3) 
+  [[IoTEvents.1] Amazon IoT Events inputs should be tagged](iotevents-controls.md#iotevents-1) 
+  [[IoTEvents.2] Amazon IoT Events detector models should be tagged](iotevents-controls.md#iotevents-2) 
+  [[IoTEvents.3] Amazon IoT Events alarm models should be tagged](iotevents-controls.md#iotevents-3) 
+  [[IoTSiteWise.1] Amazon IoT SiteWise asset models should be tagged](iotsitewise-controls.md#iotsitewise-1) 
+  [[IoTSiteWise.2] Amazon IoT SiteWise dashboards should be tagged](iotsitewise-controls.md#iotsitewise-2) 
+  [[IoTSiteWise.3] Amazon IoT SiteWise gateways should be tagged](iotsitewise-controls.md#iotsitewise-3) 
+  [[IoTSiteWise.4] Amazon IoT SiteWise portals should be tagged](iotsitewise-controls.md#iotsitewise-4) 
+  [[IoTSiteWise.5] Amazon IoT SiteWise projects should be tagged](iotsitewise-controls.md#iotsitewise-5) 
+  [[IoTTwinMaker.1] Amazon IoT TwinMaker sync jobs should be tagged](iottwinmaker-controls.md#iottwinmaker-1) 
+  [[IoTTwinMaker.2] Amazon IoT TwinMaker workspaces should be tagged](iottwinmaker-controls.md#iottwinmaker-2) 
+  [[IoTTwinMaker.3] Amazon IoT TwinMaker scenes should be tagged](iottwinmaker-controls.md#iottwinmaker-3) 
+  [[IoTTwinMaker.4] Amazon IoT TwinMaker entities should be tagged](iottwinmaker-controls.md#iottwinmaker-4) 
+  [[IVS.1] IVS playback key pairs should be tagged](ivs-controls.md#ivs-1) 
+  [[IVS.2] IVS recording configurations should be tagged](ivs-controls.md#ivs-2) 
+  [[IVS.3] IVS channels should be tagged](ivs-controls.md#ivs-3) 
+  [[RDS.14] Amazon Aurora clusters should have backtracking enabled](rds-controls.md#rds-14) 
+  [[RedshiftServerless.1] Amazon Redshift Serverless workgroups should use enhanced VPC routing](redshiftserverless-controls.md#redshiftserverless-1) 
+  [[RedshiftServerless.2] Connections to Redshift Serverless workgroups should be required to use SSL](redshiftserverless-controls.md#redshiftserverless-2) 
+  [[Route53.1] Route 53 health checks should be tagged](route53-controls.md#route53-1) 
+  [[Route53.2] Route 53 public hosted zones should log DNS queries](route53-controls.md#route53-2) 
+  [[S3.24] S3 Multi-Region Access Points should have block public access settings enabled](s3-controls.md#s3-24) 
+  [[S3.25] S3 directory buckets should have lifecycle configurations](s3-controls.md#s3-25) 
+  [[WAF.1] Amazon WAF Classic Global Web ACL logging should be enabled](waf-controls.md#waf-1) 
+  [[WAF.6] Amazon WAF Classic global rules should have at least one condition](waf-controls.md#waf-6) 
+  [[WAF.7] Amazon WAF Classic global rule groups should have at least one rule](waf-controls.md#waf-7) 
+  [[WAF.8] Amazon WAF Classic global web ACLs should have at least one rule or rule group](waf-controls.md#waf-8) 

## Amazon GovCloud (US-East)


The following controls are not supported in the Amazon GovCloud (US-East) Region.
+  [[ACM.2] RSA certificates managed by ACM should use a key length of at least 2,048 bits](acm-controls.md#acm-2) 
+  [[Account.1] Security contact information should be provided for an Amazon Web Services account](account-controls.md#account-1) 
+  [[Account.2] Amazon Web Services accounts should be part of an Amazon Organizations organization](account-controls.md#account-2) 
+  [[APIGateway.2] API Gateway REST API stages should be configured to use SSL certificates for backend authentication](apigateway-controls.md#apigateway-2) 
+  [[APIGateway.8] API Gateway routes should specify an authorization type](apigateway-controls.md#apigateway-8) 
+  [[APIGateway.9] Access logging should be configured for API Gateway V2 Stages](apigateway-controls.md#apigateway-9) 
+  [[APIGateway.10] API Gateway V2 integrations should use HTTPS for private connections](apigateway-controls.md#apigateway-10) 
+  [[Amplify.1] Amplify apps should be tagged](amplify-controls.md#amplify-1) 
+  [[Amplify.2] Amplify branches should be tagged](amplify-controls.md#amplify-2) 
+  [[AppConfig.1] Amazon AppConfig applications should be tagged](appconfig-controls.md#appconfig-1) 
+  [[AppConfig.2] Amazon AppConfig configuration profiles should be tagged](appconfig-controls.md#appconfig-2) 
+  [[AppConfig.3] Amazon AppConfig environments should be tagged](appconfig-controls.md#appconfig-3) 
+  [[AppConfig.4] Amazon AppConfig extension associations should be tagged](appconfig-controls.md#appconfig-4) 
+  [[AppFlow.1] Amazon AppFlow flows should be tagged](appflow-controls.md#appflow-1) 
+  [[AppRunner.1] App Runner services should be tagged](apprunner-controls.md#apprunner-1) 
+  [[AppRunner.2] App Runner VPC connectors should be tagged](apprunner-controls.md#apprunner-2) 
+  [[AppSync.1] Amazon AppSync API caches should be encrypted at rest](appsync-controls.md#appsync-1) 
+  [[AppSync.2] Amazon AppSync should have field-level logging enabled](appsync-controls.md#appsync-2) 
+  [[AppSync.4] Amazon AppSync GraphQL APIs should be tagged](appsync-controls.md#appsync-4) 
+  [[AppSync.5] Amazon AppSync GraphQL APIs should not be authenticated with API keys](appsync-controls.md#appsync-5) 
+  [[AppSync.6] Amazon AppSync API caches should be encrypted in transit](appsync-controls.md#appsync-6) 
+  [[AutoScaling.2] Amazon EC2 Auto Scaling group should cover multiple Availability Zones](autoscaling-controls.md#autoscaling-2) 
+  [[AutoScaling.3] Auto Scaling group launch configurations should configure EC2 instances to require Instance Metadata Service Version 2 (IMDSv2)](autoscaling-controls.md#autoscaling-3) 
+  [[AutoScaling.6] Auto Scaling groups should use multiple instance types in multiple Availability Zones](autoscaling-controls.md#autoscaling-6) 
+  [[AutoScaling.9] Amazon EC2 Auto Scaling groups should use Amazon EC2 launch templates](autoscaling-controls.md#autoscaling-9) 
+  [[Backup.4] Amazon Backup report plans should be tagged](backup-controls.md#backup-4) 
+  [[Batch.1] Batch job queues should be tagged](batch-controls.md#batch-1) 
+  [[Batch.2] Batch scheduling policies should be tagged](batch-controls.md#batch-2) 
+  [[Batch.3] Batch compute environments should be tagged](batch-controls.md#batch-3) 
+  [[Batch.4] Compute resources properties in managed Batch compute environments should be tagged](batch-controls.md#batch-4) 
+  [[CloudFront.1] CloudFront distributions should have a default root object configured](cloudfront-controls.md#cloudfront-1) 
+  [[CloudFront.3] CloudFront distributions should require encryption in transit](cloudfront-controls.md#cloudfront-3) 
+  [[CloudFront.4] CloudFront distributions should have origin failover configured](cloudfront-controls.md#cloudfront-4) 
+  [[CloudFront.5] CloudFront distributions should have logging enabled](cloudfront-controls.md#cloudfront-5) 
+  [[CloudFront.6] CloudFront distributions should have WAF enabled](cloudfront-controls.md#cloudfront-6) 
+  [[CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates](cloudfront-controls.md#cloudfront-7) 
+  [[CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests](cloudfront-controls.md#cloudfront-8) 
+  [[CloudFront.9] CloudFront distributions should encrypt traffic to custom origins](cloudfront-controls.md#cloudfront-9) 
+  [[CloudFront.10] CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins](cloudfront-controls.md#cloudfront-10) 
+  [[CloudFront.12] CloudFront distributions should not point to non-existent S3 origins](cloudfront-controls.md#cloudfront-12) 
+  [[CloudFront.13] CloudFront distributions should use origin access control](cloudfront-controls.md#cloudfront-13) 
+  [[CloudFront.14] CloudFront distributions should be tagged](cloudfront-controls.md#cloudfront-14) 
+  [[CloudFront.15] CloudFront distributions should use the recommended TLS security policy](cloudfront-controls.md#cloudfront-15) 
+  [[CloudFront.16] CloudFront distributions should use origin access control for Lambda function URL origins](cloudfront-controls.md#cloudfront-16) 
+  [[CloudFront.17] CloudFront distributions should use trusted key groups for signed URLs and cookies](cloudfront-controls.md#cloudfront-17) 
+  [[CloudWatch.17] CloudWatch alarm actions should be activated](cloudwatch-controls.md#cloudwatch-17) 
+  [[CodeArtifact.1] CodeArtifact repositories should be tagged](codeartifact-controls.md#codeartifact-1) 
+  [[CodeBuild.3] CodeBuild S3 logs should be encrypted](codebuild-controls.md#codebuild-3) 
+  [[CodeBuild.4] CodeBuild project environments should have a logging Amazon Configuration](codebuild-controls.md#codebuild-4) 
+  [[CodeGuruProfiler.1] CodeGuru Profiler profiling groups should be tagged](codeguruprofiler-controls.md#codeguruprofiler-1) 
+  [[CodeGuruReviewer.1] CodeGuru Reviewer repository associations should be tagged](codegurureviewer-controls.md#codegurureviewer-1) 
+  [[Cognito.1] Cognito user pools should have threat protection activated with full function enforcement mode for standard authentication](cognito-controls.md#cognito-1) 
+  [[Cognito.2] Cognito identity pools should not allow unauthenticated identities](cognito-controls.md#cognito-2) 
+  [[Cognito.3] Password policies for Cognito user pools should have strong configurations](cognito-controls.md#cognito-3) 
+  [[Cognito.4] Cognito user pools should have threat protection activated with full function enforcement mode for custom authentication](cognito-controls.md#cognito-4) 
+  [[Cognito.5] MFA should be enabled for Cognito user pools](cognito-controls.md#cognito-5) 
+  [[Cognito.6] Cognito user pools should have deletion protection enabled](cognito-controls.md#cognito-6) 
+  [[Connect.1] Amazon Connect Customer Profiles object types should be tagged](connect-controls.md#connect-1) 
+  [[Connect.2] Amazon Connect instances should have CloudWatch logging enabled](connect-controls.md#connect-2) 
+  [[DataSync.2] DataSync tasks should be tagged](datasync-controls.md#datasync-2) 
+  [[DMS.2] DMS certificates should be tagged](dms-controls.md#dms-2) 
+  [[DMS.6] DMS replication instances should have automatic minor version upgrade enabled](dms-controls.md#dms-6) 
+  [[DMS.7] DMS replication tasks for the target database should have logging enabled](dms-controls.md#dms-7) 
+  [[DMS.8] DMS replication tasks for the source database should have logging enabled](dms-controls.md#dms-8) 
+  [[DMS.9] DMS endpoints should use SSL](dms-controls.md#dms-9) 
+  [[DocumentDB.1] Amazon DocumentDB clusters should be encrypted at rest](documentdb-controls.md#documentdb-1) 
+  [[DocumentDB.2] Amazon DocumentDB clusters should have an adequate backup retention period](documentdb-controls.md#documentdb-2) 
+  [[DocumentDB.3] Amazon DocumentDB manual cluster snapshots should not be public](documentdb-controls.md#documentdb-3) 
+  [[DocumentDB.4] Amazon DocumentDB clusters should publish audit logs to CloudWatch Logs](documentdb-controls.md#documentdb-4) 
+  [[DocumentDB.5] Amazon DocumentDB clusters should have deletion protection enabled](documentdb-controls.md#documentdb-5) 
+  [[DynamoDB.3] DynamoDB Accelerator (DAX) clusters should be encrypted at rest](dynamodb-controls.md#dynamodb-3) 
+  [[DynamoDB.7] DynamoDB Accelerator clusters should be encrypted in transit](dynamodb-controls.md#dynamodb-7) 
+  [[EC2.21] Network ACLs should not allow ingress from 0.0.0.0/0 to port 22 or port 3389](ec2-controls.md#ec2-21) 
+  [[EC2.22] Unused Amazon EC2 security groups should be removed](ec2-controls.md#ec2-22) 
+  [[EC2.23] Amazon EC2 Transit Gateways should not automatically accept VPC attachment requests](ec2-controls.md#ec2-23) 
+  [[EC2.24] Amazon EC2 paravirtual instance types should not be used](ec2-controls.md#ec2-24) 
+  [[EC2.25] Amazon EC2 launch templates should not assign public IPs to network interfaces](ec2-controls.md#ec2-25) 
+  [[EC2.47] Amazon VPC endpoint services should be tagged](ec2-controls.md#ec2-47) 
+  [[EC2.52] EC2 transit gateways should be tagged](ec2-controls.md#ec2-52) 
+  [[EC2.58] VPCs should be configured with an interface endpoint for Systems Manager Incident Manager Contacts](ec2-controls.md#ec2-58) 
+  [[EC2.60] VPCs should be configured with an interface endpoint for Systems Manager Incident Manager](ec2-controls.md#ec2-60) 
+  [[EC2.170] EC2 launch templates should use Instance Metadata Service Version 2 (IMDSv2)](ec2-controls.md#ec2-170) 
+  [[EC2.173] EC2 Spot Fleet requests with launch parameters should enable encryption for attached EBS volumes](ec2-controls.md#ec2-173) 
+  [[EC2.174] EC2 DHCP option sets should be tagged](ec2-controls.md#ec2-174) 
+  [[EC2.175] EC2 launch templates should be tagged](ec2-controls.md#ec2-175) 
+  [[EC2.176] EC2 prefix lists should be tagged](ec2-controls.md#ec2-176) 
+  [[EC2.177] EC2 traffic mirror sessions should be tagged](ec2-controls.md#ec2-177) 
+  [[EC2.178] EC2 traffic mirror filters should be tagged](ec2-controls.md#ec2-178) 
+  [[EC2.179] EC2 traffic mirror targets should be tagged](ec2-controls.md#ec2-179) 
+  [[ECR.1] ECR private repositories should have image scanning configured](ecr-controls.md#ecr-1) 
+  [[ECR.2] ECR private repositories should have tag immutability configured](ecr-controls.md#ecr-2) 
+  [[ECR.3] ECR repositories should have at least one lifecycle policy configured](ecr-controls.md#ecr-3) 
+  [[ECR.4] ECR public repositories should be tagged](ecr-controls.md#ecr-4) 
+  [[ECS.3] ECS task definitions should not share the host's process namespace](ecs-controls.md#ecs-3) 
+  [[ECS.4] ECS containers should run as non-privileged](ecs-controls.md#ecs-4) 
+  [[ECS.5] ECS task definitions should configure containers to be limited to read-only access to root filesystems](ecs-controls.md#ecs-5) 
+  [[ECS.8] Secrets should not be passed as container environment variables](ecs-controls.md#ecs-8) 
+  [[ECS.9] ECS task definitions should have a logging configuration](ecs-controls.md#ecs-9) 
+  [[ECS.10] ECS Fargate services should run on the latest Fargate platform version](ecs-controls.md#ecs-10) 
+  [[ECS.12] ECS clusters should use Container Insights](ecs-controls.md#ecs-12) 
+  [[EFS.3] EFS access points should enforce a root directory](efs-controls.md#efs-3) 
+  [[EFS.4] EFS access points should enforce a user identity](efs-controls.md#efs-4) 
+  [[EKS.2] EKS clusters should run on a supported Kubernetes version](eks-controls.md#eks-2) 
+  [[EKS.8] EKS clusters should have audit logging enabled](eks-controls.md#eks-8) 
+  [[ELB.10] Classic Load Balancer should span multiple Availability Zones](elb-controls.md#elb-10) 
+  [[ELB.12] Application Load Balancer should be configured with defensive or strictest desync mitigation mode](elb-controls.md#elb-12) 
+  [[ELB.13] Application, Network and Gateway Load Balancers should span multiple Availability Zones](elb-controls.md#elb-13) 
+  [[ELB.14] Classic Load Balancer should be configured with defensive or strictest desync mitigation mode](elb-controls.md#elb-14) 
+  [[ELB.21] Application and Network Load Balancer target groups should use encrypted health check protocols](elb-controls.md#elb-21) 
+  [[ELB.22] ELB target groups should use encrypted transport protocols](elb-controls.md#elb-22) 
+  [[ElastiCache.1] ElastiCache (Redis OSS) clusters should have automatic backups enabled](elasticache-controls.md#elasticache-1) 
+  [[ElastiCache.2] ElastiCache clusters should have automatic minor version upgrades enabled](elasticache-controls.md#elasticache-2) 
+  [[ElastiCache.3] ElastiCache replication groups should have automatic failover enabled](elasticache-controls.md#elasticache-3) 
+  [[ElastiCache.4] ElastiCache replication groups should be encrypted at rest](elasticache-controls.md#elasticache-4) 
+  [[ElastiCache.5] ElastiCache replication groups should be encrypted in transit](elasticache-controls.md#elasticache-5) 
+  [[ElastiCache.6] ElastiCache (Redis OSS) replication groups of earlier versions should have Redis OSS AUTH enabled](elasticache-controls.md#elasticache-6) 
+  [[ElastiCache.7] ElastiCache clusters should not use the default subnet group](elasticache-controls.md#elasticache-7) 
+  [[ElasticBeanstalk.1] Elastic Beanstalk environments should have enhanced health reporting enabled](elasticbeanstalk-controls.md#elasticbeanstalk-1) 
+  [[ElasticBeanstalk.2] Elastic Beanstalk managed platform updates should be enabled](elasticbeanstalk-controls.md#elasticbeanstalk-2) 
+  [[ElasticBeanstalk.3] Elastic Beanstalk should stream logs to CloudWatch](elasticbeanstalk-controls.md#elasticbeanstalk-3) 
+  [[EMR.2] Amazon EMR block public access setting should be enabled](emr-controls.md#emr-2) 
+  [[EMR.3] Amazon EMR security configurations should be encrypted at rest](emr-controls.md#emr-3) 
+  [[EMR.4] Amazon EMR security configurations should be encrypted in transit](emr-controls.md#emr-4) 
+  [[ES.4] Elasticsearch domain error logging to CloudWatch Logs should be enabled](es-controls.md#es-4) 
+  [[EventBridge.3] EventBridge custom event buses should have a resource-based policy attached](eventbridge-controls.md#eventbridge-3) 
+  [[EventBridge.4] EventBridge global endpoints should have event replication enabled](eventbridge-controls.md#eventbridge-4) 
+  [[FraudDetector.1] Amazon Fraud Detector entity types should be tagged](frauddetector-controls.md#frauddetector-1) 
+  [[FraudDetector.2] Amazon Fraud Detector labels should be tagged](frauddetector-controls.md#frauddetector-2) 
+  [[FraudDetector.3] Amazon Fraud Detector outcomes should be tagged](frauddetector-controls.md#frauddetector-3) 
+  [[FraudDetector.4] Amazon Fraud Detector variables should be tagged](frauddetector-controls.md#frauddetector-4) 
+  [[FSx.1] FSx for OpenZFS file systems should be configured to copy tags to backups and volumes](fsx-controls.md#fsx-1) 
+  [[FSx.2] FSx for Lustre file systems should be configured to copy tags to backups](fsx-controls.md#fsx-2) 
+  [[GlobalAccelerator.1] Global Accelerator accelerators should be tagged](globalaccelerator-controls.md#globalaccelerator-1) 
+  [[Glue.3] Amazon Glue machine learning transforms should be encrypted at rest](glue-controls.md#glue-3) 
+  [[GuardDuty.7] GuardDuty EKS Runtime Monitoring should be enabled](guardduty-controls.md#guardduty-7) 
+  [[GuardDuty.8] GuardDuty Malware Protection for EC2 should be enabled](guardduty-controls.md#guardduty-8) 
+  [[GuardDuty.9] GuardDuty RDS Protection should be enabled](guardduty-controls.md#guardduty-9) 
+  [[GuardDuty.11] GuardDuty Runtime Monitoring should be enabled](guardduty-controls.md#guardduty-11) 
+  [[GuardDuty.12] GuardDuty ECS Runtime Monitoring should be enabled](guardduty-controls.md#guardduty-12) 
+  [[GuardDuty.13] GuardDuty EC2 Runtime Monitoring should be enabled](guardduty-controls.md#guardduty-13) 
+  [[IAM.6] Hardware MFA should be enabled for the root user](iam-controls.md#iam-6) 
+  [[IAM.9] MFA should be enabled for the root user](iam-controls.md#iam-9) 
+  [[IAM.21] IAM customer managed policies that you create should not allow wildcard actions for services](iam-controls.md#iam-21) 
+  [[IAM.24] IAM roles should be tagged](iam-controls.md#iam-24) 
+  [[IAM.25] IAM users should be tagged](iam-controls.md#iam-25) 
+  [[IAM.26] Expired SSL/TLS certificates managed in IAM should be removed](iam-controls.md#iam-26) 
+  [[IAM.28] IAM Access Analyzer external access analyzer should be enabled](iam-controls.md#iam-28) 
+  [[Inspector.3] Amazon Inspector Lambda code scanning should be enabled](inspector-controls.md#inspector-3) 
+  [[IoTEvents.1] Amazon IoT Events inputs should be tagged](iotevents-controls.md#iotevents-1) 
+  [[IoTEvents.2] Amazon IoT Events detector models should be tagged](iotevents-controls.md#iotevents-2) 
+  [[IoTEvents.3] Amazon IoT Events alarm models should be tagged](iotevents-controls.md#iotevents-3) 
+  [[IoTSiteWise.1] Amazon IoT SiteWise asset models should be tagged](iotsitewise-controls.md#iotsitewise-1) 
+  [[IoTSiteWise.2] Amazon IoT SiteWise dashboards should be tagged](iotsitewise-controls.md#iotsitewise-2) 
+  [[IoTSiteWise.3] Amazon IoT SiteWise gateways should be tagged](iotsitewise-controls.md#iotsitewise-3) 
+  [[IoTSiteWise.4] Amazon IoT SiteWise portals should be tagged](iotsitewise-controls.md#iotsitewise-4) 
+  [[IoTSiteWise.5] Amazon IoT SiteWise projects should be tagged](iotsitewise-controls.md#iotsitewise-5) 
+  [[IoTTwinMaker.1] Amazon IoT TwinMaker sync jobs should be tagged](iottwinmaker-controls.md#iottwinmaker-1) 
+  [[IoTTwinMaker.2] Amazon IoT TwinMaker workspaces should be tagged](iottwinmaker-controls.md#iottwinmaker-2) 
+  [[IoTTwinMaker.3] Amazon IoT TwinMaker scenes should be tagged](iottwinmaker-controls.md#iottwinmaker-3) 
+  [[IoTTwinMaker.4] Amazon IoT TwinMaker entities should be tagged](iottwinmaker-controls.md#iottwinmaker-4) 
+  [[IoTWireless.1] Amazon IoT Wireless multicast groups should be tagged](iotwireless-controls.md#iotwireless-1) 
+  [[IoTWireless.2] Amazon IoT Wireless service profiles should be tagged](iotwireless-controls.md#iotwireless-2) 
+  [[IoTWireless.3] Amazon IoT FUOTA tasks should be tagged](iotwireless-controls.md#iotwireless-3) 
+  [[IVS.1] IVS playback key pairs should be tagged](ivs-controls.md#ivs-1) 
+  [[IVS.2] IVS recording configurations should be tagged](ivs-controls.md#ivs-2) 
+  [[IVS.3] IVS channels should be tagged](ivs-controls.md#ivs-3) 
+  [[Keyspaces.1] Amazon Keyspaces keyspaces should be tagged](keyspaces-controls.md#keyspaces-1) 
+  [[Kinesis.1] Kinesis streams should be encrypted at rest](kinesis-controls.md#kinesis-1) 
+  [[KMS.5] KMS keys should not be publicly accessible](kms-controls.md#kms-5) 
+  [[Lambda.5] VPC Lambda functions should operate in multiple Availability Zones](lambda-controls.md#lambda-5) 
+  [[Macie.1] Amazon Macie should be enabled](macie-controls.md#macie-1) 
+  [[Macie.2] Macie automated sensitive data discovery should be enabled](macie-controls.md#macie-2) 
+  [[MQ.5] ActiveMQ brokers should use active/standby deployment mode](mq-controls.md#mq-5) 
+  [[MQ.6] RabbitMQ brokers should use cluster deployment mode](mq-controls.md#mq-6) 
+  [[MSK.1] MSK clusters should be encrypted in transit among broker nodes](msk-controls.md#msk-1) 
+  [[MSK.2] MSK clusters should have enhanced monitoring configured](msk-controls.md#msk-2) 
+  [[MSK.3] MSK Connect connectors should be encrypted in transit](msk-controls.md#msk-3) 
+  [[MSK.5] MSK connectors should have logging enabled](msk-controls.md#msk-5) 
+  [[Neptune.1] Neptune DB clusters should be encrypted at rest](neptune-controls.md#neptune-1) 
+  [[Neptune.2] Neptune DB clusters should publish audit logs to CloudWatch Logs](neptune-controls.md#neptune-2) 
+  [[Neptune.3] Neptune DB cluster snapshots should not be public](neptune-controls.md#neptune-3) 
+  [[Neptune.4] Neptune DB clusters should have deletion protection enabled](neptune-controls.md#neptune-4) 
+  [[Neptune.5] Neptune DB clusters should have automated backups enabled](neptune-controls.md#neptune-5) 
+  [[Neptune.6] Neptune DB cluster snapshots should be encrypted at rest](neptune-controls.md#neptune-6) 
+  [[Neptune.7] Neptune DB clusters should have IAM database authentication enabled](neptune-controls.md#neptune-7) 
+  [[Neptune.8] Neptune DB clusters should be configured to copy tags to snapshots](neptune-controls.md#neptune-8) 
+  [[Neptune.9] Neptune DB clusters should be deployed across multiple Availability Zones](neptune-controls.md#neptune-9) 
+  [[NetworkFirewall.1] Network Firewall firewalls should be deployed across multiple Availability Zones](networkfirewall-controls.md#networkfirewall-1) 
+  [[NetworkFirewall.2] Network Firewall logging should be enabled](networkfirewall-controls.md#networkfirewall-2) 
+  [[NetworkFirewall.3] Network Firewall policies should have at least one rule group associated](networkfirewall-controls.md#networkfirewall-3) 
+  [[NetworkFirewall.4] The default stateless action for Network Firewall policies should be drop or forward for full packets](networkfirewall-controls.md#networkfirewall-4) 
+  [[NetworkFirewall.5] The default stateless action for Network Firewall policies should be drop or forward for fragmented packets](networkfirewall-controls.md#networkfirewall-5) 
+  [[NetworkFirewall.6] Stateless Network Firewall rule group should not be empty](networkfirewall-controls.md#networkfirewall-6) 
+  [[NetworkFirewall.9] Network Firewall firewalls should have deletion protection enabled](networkfirewall-controls.md#networkfirewall-9) 
+  [[Opensearch.1] OpenSearch domains should have encryption at rest enabled](opensearch-controls.md#opensearch-1) 
+  [[Opensearch.2] OpenSearch domains should not be publicly accessible](opensearch-controls.md#opensearch-2) 
+  [[Opensearch.3] OpenSearch domains should encrypt data sent between nodes](opensearch-controls.md#opensearch-3) 
+  [[Opensearch.4] OpenSearch domain error logging to CloudWatch Logs should be enabled](opensearch-controls.md#opensearch-4) 
+  [[Opensearch.5] OpenSearch domains should have audit logging enabled](opensearch-controls.md#opensearch-5) 
+  [[Opensearch.6] OpenSearch domains should have at least three data nodes](opensearch-controls.md#opensearch-6) 
+  [[Opensearch.7] OpenSearch domains should have fine-grained access control enabled](opensearch-controls.md#opensearch-7) 
+  [[Opensearch.8] Connections to OpenSearch domains should be encrypted using the latest TLS security policy](opensearch-controls.md#opensearch-8) 
+  [[PCA.1] Amazon Private CA root certificate authority should be disabled](pca-controls.md#pca-1) 
+  [[PCA.2] Amazon Private CA certificate authorities should be tagged](pca-controls.md#pca-2) 
+  [[RDS.14] Amazon Aurora clusters should have backtracking enabled](rds-controls.md#rds-14) 
+  [[RDS.15] RDS DB clusters should be configured for multiple Availability Zones](rds-controls.md#rds-15) 
+  [[RDS.24] RDS Database clusters should use a custom administrator username](rds-controls.md#rds-24) 
+  [[RDS.25] RDS database instances should use a custom administrator username](rds-controls.md#rds-25) 
+  [[RDS.27] RDS DB clusters should be encrypted at rest](rds-controls.md#rds-27) 
+  [[RDS.31] RDS DB security groups should be tagged](rds-controls.md#rds-31) 
+  [[RDS.34] Aurora MySQL DB clusters should publish audit logs to CloudWatch Logs](rds-controls.md#rds-34) 
+  [[RDS.35] RDS DB clusters should have automatic minor version upgrade enabled](rds-controls.md#rds-35) 
+  [[RDS.43] RDS DB proxies should require TLS encryption for connections](rds-controls.md#rds-43) 
+  [[RDS.45] Aurora MySQL DB clusters should have audit logging enabled](rds-controls.md#rds-45) 
+  [[RDS.47] RDS for PostgreSQL DB clusters should be configured to copy tags to DB snapshots](rds-controls.md#rds-47) 
+  [[RDS.48] RDS for MySQL DB clusters should be configured to copy tags to DB snapshots](rds-controls.md#rds-48) 
+  [[RDS.50] RDS DB clusters should have enough backup retention period set](rds-controls.md#rds-50) 
+  [[Redshift.8] Amazon Redshift clusters should not use the default Admin username](redshift-controls.md#redshift-8) 
+  [[Redshift.10] Redshift clusters should be encrypted at rest](redshift-controls.md#redshift-10) 
+  [[Redshift.17] Redshift cluster parameter groups should be tagged](redshift-controls.md#redshift-17) 
+  [[RedshiftServerless.1] Amazon Redshift Serverless workgroups should use enhanced VPC routing](redshiftserverless-controls.md#redshiftserverless-1) 
+  [[RedshiftServerless.2] Connections to Redshift Serverless workgroups should be required to use SSL](redshiftserverless-controls.md#redshiftserverless-2) 
+  [[RedshiftServerless.3] Redshift Serverless workgroups should prohibit public access](redshiftserverless-controls.md#redshiftserverless-3) 
+  [[RedshiftServerless.6] Redshift Serverless namespaces should export logs to CloudWatch Logs](redshiftserverless-controls.md#redshiftserverless-6) 
+  [[Route53.1] Route 53 health checks should be tagged](route53-controls.md#route53-1) 
+  [[Route53.2] Route 53 public hosted zones should log DNS queries](route53-controls.md#route53-2) 
+  [[S3.10] S3 general purpose buckets with versioning enabled should have Lifecycle configurations](s3-controls.md#s3-10) 
+  [[S3.11] S3 general purpose buckets should have event notifications enabled](s3-controls.md#s3-11) 
+  [[S3.12] ACLs should not be used to manage user access to S3 general purpose buckets](s3-controls.md#s3-12) 
+  [[S3.13] S3 general purpose buckets should have Lifecycle configurations](s3-controls.md#s3-13) 
+  [[S3.20] S3 general purpose buckets should have MFA delete enabled](s3-controls.md#s3-20) 
+  [[S3.24] S3 Multi-Region Access Points should have block public access settings enabled](s3-controls.md#s3-24) 
+  [[S3.25] S3 directory buckets should have lifecycle configurations](s3-controls.md#s3-25) 
+  [[SageMaker.1] Amazon SageMaker notebook instances should not have direct internet access](sagemaker-controls.md#sagemaker-1) 
+  [[SageMaker.2] SageMaker notebook instances should be launched in a custom VPC](sagemaker-controls.md#sagemaker-2) 
+  [[SageMaker.3] Users should not have root access to SageMaker notebook instances](sagemaker-controls.md#sagemaker-3) 
+  [[SageMaker.5] SageMaker models should have network isolation enabled](sagemaker-controls.md#sagemaker-5) 
+  [[SageMaker.6] SageMaker app image configurations should be tagged](sagemaker-controls.md#sagemaker-6) 
+  [[SageMaker.7] SageMaker images should be tagged](sagemaker-controls.md#sagemaker-7) 
+  [[SageMaker.9] SageMaker data quality job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-9) 
+  [[SageMaker.10] SageMaker model explainability job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-10) 
+  [[SageMaker.11] SageMaker data quality job definitions should have network isolation enabled](sagemaker-controls.md#sagemaker-11) 
+  [[SageMaker.12] SageMaker model bias job definitions should have network isolation enabled](sagemaker-controls.md#sagemaker-12) 
+  [[SageMaker.13] SageMaker model quality job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-13) 
+  [[SageMaker.14] SageMaker monitoring schedules should have network isolation enabled](sagemaker-controls.md#sagemaker-14) 
+  [[SageMaker.15] SageMaker model bias job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-15) 
+  [[SES.1] SES contact lists should be tagged](ses-controls.md#ses-1) 
+  [[SES.2] SES configuration sets should be tagged](ses-controls.md#ses-2) 
+  [[SES.3] SES configuration sets should have TLS enabled for sending emails](ses-controls.md#ses-3) 
+  [[SNS.4] SNS topic access policies should not allow public access](sns-controls.md#sns-4) 
+  [[SQS.3] SQS queue access policies should not allow public access](sqs-controls.md#sqs-3) 
+  [[SSM.4] SSM documents should not be public](ssm-controls.md#ssm-4) 
+  [[SSM.5] SSM documents should be tagged](ssm-controls.md#ssm-5) 
+  [[SSM.6] SSM Automation should have CloudWatch logging enabled](ssm-controls.md#ssm-6) 
+  [[StepFunctions.1] Step Functions state machines should have logging turned on](stepfunctions-controls.md#stepfunctions-1) 
+  [[StepFunctions.2] Step Functions activities should be tagged](stepfunctions-controls.md#stepfunctions-2) 
+  [[Transfer.4] Transfer Family agreements should be tagged](transfer-controls.md#transfer-4) 
+  [[Transfer.5] Transfer Family certificates should be tagged](transfer-controls.md#transfer-5) 
+  [[Transfer.6] Transfer Family connectors should be tagged](transfer-controls.md#transfer-6) 
+  [[Transfer.7] Transfer Family profiles should be tagged](transfer-controls.md#transfer-7) 
+  [[WAF.1] Amazon WAF Classic Global Web ACL logging should be enabled](waf-controls.md#waf-1) 
+  [[WAF.2] Amazon WAF Classic Regional rules should have at least one condition](waf-controls.md#waf-2) 
+  [[WAF.3] Amazon WAF Classic Regional rule groups should have at least one rule](waf-controls.md#waf-3) 
+  [[WAF.4] Amazon WAF Classic Regional web ACLs should have at least one rule or rule group](waf-controls.md#waf-4) 
+  [[WAF.6] Amazon WAF Classic global rules should have at least one condition](waf-controls.md#waf-6) 
+  [[WAF.7] Amazon WAF Classic global rule groups should have at least one rule](waf-controls.md#waf-7) 
+  [[WAF.8] Amazon WAF Classic global web ACLs should have at least one rule or rule group](waf-controls.md#waf-8) 
+  [[WAF.10] Amazon WAF web ACLs should have at least one rule or rule group](waf-controls.md#waf-10) 
+  [[WAF.12] Amazon WAF rules should have CloudWatch metrics enabled](waf-controls.md#waf-12) 
+  [[WorkSpaces.1] WorkSpaces user volumes should be encrypted at rest](workspaces-controls.md#workspaces-1) 
+  [[WorkSpaces.2] WorkSpaces root volumes should be encrypted at rest](workspaces-controls.md#workspaces-2) 

## Amazon GovCloud (US-West)


The following controls are not supported in the Amazon GovCloud (US-West) Region.
+  [[ACM.2] RSA certificates managed by ACM should use a key length of at least 2,048 bits](acm-controls.md#acm-2) 
+  [[Account.1] Security contact information should be provided for an Amazon Web Services account](account-controls.md#account-1) 
+  [[Account.2] Amazon Web Services accounts should be part of an Amazon Organizations organization](account-controls.md#account-2) 
+  [[APIGateway.2] API Gateway REST API stages should be configured to use SSL certificates for backend authentication](apigateway-controls.md#apigateway-2) 
+  [[APIGateway.8] API Gateway routes should specify an authorization type](apigateway-controls.md#apigateway-8) 
+  [[APIGateway.9] Access logging should be configured for API Gateway V2 Stages](apigateway-controls.md#apigateway-9) 
+  [[APIGateway.10] API Gateway V2 integrations should use HTTPS for private connections](apigateway-controls.md#apigateway-10) 
+  [[Amplify.1] Amplify apps should be tagged](amplify-controls.md#amplify-1) 
+  [[Amplify.2] Amplify branches should be tagged](amplify-controls.md#amplify-2) 
+  [[AppConfig.1] Amazon AppConfig applications should be tagged](appconfig-controls.md#appconfig-1) 
+  [[AppConfig.2] Amazon AppConfig configuration profiles should be tagged](appconfig-controls.md#appconfig-2) 
+  [[AppConfig.3] Amazon AppConfig environments should be tagged](appconfig-controls.md#appconfig-3) 
+  [[AppConfig.4] Amazon AppConfig extension associations should be tagged](appconfig-controls.md#appconfig-4) 
+  [[AppFlow.1] Amazon AppFlow flows should be tagged](appflow-controls.md#appflow-1) 
+  [[AppRunner.1] App Runner services should be tagged](apprunner-controls.md#apprunner-1) 
+  [[AppRunner.2] App Runner VPC connectors should be tagged](apprunner-controls.md#apprunner-2) 
+  [[AppSync.1] Amazon AppSync API caches should be encrypted at rest](appsync-controls.md#appsync-1) 
+  [[AppSync.2] Amazon AppSync should have field-level logging enabled](appsync-controls.md#appsync-2) 
+  [[AppSync.4] Amazon AppSync GraphQL APIs should be tagged](appsync-controls.md#appsync-4) 
+  [[AppSync.5] Amazon AppSync GraphQL APIs should not be authenticated with API keys](appsync-controls.md#appsync-5) 
+  [[AppSync.6] Amazon AppSync API caches should be encrypted in transit](appsync-controls.md#appsync-6) 
+  [[AutoScaling.2] Amazon EC2 Auto Scaling group should cover multiple Availability Zones](autoscaling-controls.md#autoscaling-2) 
+  [[AutoScaling.3] Auto Scaling group launch configurations should configure EC2 instances to require Instance Metadata Service Version 2 (IMDSv2)](autoscaling-controls.md#autoscaling-3) 
+  [[AutoScaling.6] Auto Scaling groups should use multiple instance types in multiple Availability Zones](autoscaling-controls.md#autoscaling-6) 
+  [[AutoScaling.9] Amazon EC2 Auto Scaling groups should use Amazon EC2 launch templates](autoscaling-controls.md#autoscaling-9) 
+  [[Backup.4] Amazon Backup report plans should be tagged](backup-controls.md#backup-4) 
+  [[Batch.1] Batch job queues should be tagged](batch-controls.md#batch-1) 
+  [[Batch.2] Batch scheduling policies should be tagged](batch-controls.md#batch-2) 
+  [[Batch.3] Batch compute environments should be tagged](batch-controls.md#batch-3) 
+  [[Batch.4] Compute resources properties in managed Batch compute environments should be tagged](batch-controls.md#batch-4) 
+  [[CloudFront.1] CloudFront distributions should have a default root object configured](cloudfront-controls.md#cloudfront-1) 
+  [[CloudFront.3] CloudFront distributions should require encryption in transit](cloudfront-controls.md#cloudfront-3) 
+  [[CloudFront.4] CloudFront distributions should have origin failover configured](cloudfront-controls.md#cloudfront-4) 
+  [[CloudFront.5] CloudFront distributions should have logging enabled](cloudfront-controls.md#cloudfront-5) 
+  [[CloudFront.6] CloudFront distributions should have WAF enabled](cloudfront-controls.md#cloudfront-6) 
+  [[CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates](cloudfront-controls.md#cloudfront-7) 
+  [[CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests](cloudfront-controls.md#cloudfront-8) 
+  [[CloudFront.9] CloudFront distributions should encrypt traffic to custom origins](cloudfront-controls.md#cloudfront-9) 
+  [[CloudFront.10] CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins](cloudfront-controls.md#cloudfront-10) 
+  [[CloudFront.12] CloudFront distributions should not point to non-existent S3 origins](cloudfront-controls.md#cloudfront-12) 
+  [[CloudFront.13] CloudFront distributions should use origin access control](cloudfront-controls.md#cloudfront-13) 
+  [[CloudFront.14] CloudFront distributions should be tagged](cloudfront-controls.md#cloudfront-14) 
+  [[CloudFront.15] CloudFront distributions should use the recommended TLS security policy](cloudfront-controls.md#cloudfront-15) 
+  [[CloudFront.16] CloudFront distributions should use origin access control for Lambda function URL origins](cloudfront-controls.md#cloudfront-16) 
+  [[CloudFront.17] CloudFront distributions should use trusted key groups for signed URLs and cookies](cloudfront-controls.md#cloudfront-17) 
+  [[CloudWatch.17] CloudWatch alarm actions should be activated](cloudwatch-controls.md#cloudwatch-17) 
+  [[CodeArtifact.1] CodeArtifact repositories should be tagged](codeartifact-controls.md#codeartifact-1) 
+  [[CodeBuild.3] CodeBuild S3 logs should be encrypted](codebuild-controls.md#codebuild-3) 
+  [[CodeBuild.4] CodeBuild project environments should have a logging Amazon Configuration](codebuild-controls.md#codebuild-4) 
+  [[CodeGuruProfiler.1] CodeGuru Profiler profiling groups should be tagged](codeguruprofiler-controls.md#codeguruprofiler-1) 
+  [[CodeGuruReviewer.1] CodeGuru Reviewer repository associations should be tagged](codegurureviewer-controls.md#codegurureviewer-1) 
+  [[Cognito.1] Cognito user pools should have threat protection activated with full function enforcement mode for standard authentication](cognito-controls.md#cognito-1) 
+  [[Cognito.3] Password policies for Cognito user pools should have strong configurations](cognito-controls.md#cognito-3) 
+  [[Cognito.4] Cognito user pools should have threat protection activated with full function enforcement mode for custom authentication](cognito-controls.md#cognito-4) 
+  [[Cognito.5] MFA should be enabled for Cognito user pools](cognito-controls.md#cognito-5) 
+  [[Cognito.6] Cognito user pools should have deletion protection enabled](cognito-controls.md#cognito-6) 
+  [[Connect.1] Amazon Connect Customer Profiles object types should be tagged](connect-controls.md#connect-1) 
+  [[DataSync.2] DataSync tasks should be tagged](datasync-controls.md#datasync-2) 
+  [[DMS.2] DMS certificates should be tagged](dms-controls.md#dms-2) 
+  [[DMS.6] DMS replication instances should have automatic minor version upgrade enabled](dms-controls.md#dms-6) 
+  [[DMS.7] DMS replication tasks for the target database should have logging enabled](dms-controls.md#dms-7) 
+  [[DMS.8] DMS replication tasks for the source database should have logging enabled](dms-controls.md#dms-8) 
+  [[DMS.9] DMS endpoints should use SSL](dms-controls.md#dms-9) 
+  [[DocumentDB.1] Amazon DocumentDB clusters should be encrypted at rest](documentdb-controls.md#documentdb-1) 
+  [[DocumentDB.2] Amazon DocumentDB clusters should have an adequate backup retention period](documentdb-controls.md#documentdb-2) 
+  [[DocumentDB.3] Amazon DocumentDB manual cluster snapshots should not be public](documentdb-controls.md#documentdb-3) 
+  [[DocumentDB.4] Amazon DocumentDB clusters should publish audit logs to CloudWatch Logs](documentdb-controls.md#documentdb-4) 
+  [[DocumentDB.5] Amazon DocumentDB clusters should have deletion protection enabled](documentdb-controls.md#documentdb-5) 
+  [[DynamoDB.3] DynamoDB Accelerator (DAX) clusters should be encrypted at rest](dynamodb-controls.md#dynamodb-3) 
+  [[DynamoDB.7] DynamoDB Accelerator clusters should be encrypted in transit](dynamodb-controls.md#dynamodb-7) 
+  [[EC2.21] Network ACLs should not allow ingress from 0.0.0.0/0 to port 22 or port 3389](ec2-controls.md#ec2-21) 
+  [[EC2.22] Unused Amazon EC2 security groups should be removed](ec2-controls.md#ec2-22) 
+  [[EC2.23] Amazon EC2 Transit Gateways should not automatically accept VPC attachment requests](ec2-controls.md#ec2-23) 
+  [[EC2.24] Amazon EC2 paravirtual instance types should not be used](ec2-controls.md#ec2-24) 
+  [[EC2.25] Amazon EC2 launch templates should not assign public IPs to network interfaces](ec2-controls.md#ec2-25) 
+  [[EC2.28] EBS volumes should be covered by a backup plan](ec2-controls.md#ec2-28) 
+  [[EC2.38] EC2 instances should be tagged](ec2-controls.md#ec2-38) 
+  [[EC2.58] VPCs should be configured with an interface endpoint for Systems Manager Incident Manager Contacts](ec2-controls.md#ec2-58) 
+  [[EC2.60] VPCs should be configured with an interface endpoint for Systems Manager Incident Manager](ec2-controls.md#ec2-60) 
+  [[EC2.170] EC2 launch templates should use Instance Metadata Service Version 2 (IMDSv2)](ec2-controls.md#ec2-170) 
+  [[EC2.173] EC2 Spot Fleet requests with launch parameters should enable encryption for attached EBS volumes](ec2-controls.md#ec2-173) 
+  [[EC2.174] EC2 DHCP option sets should be tagged](ec2-controls.md#ec2-174) 
+  [[EC2.175] EC2 launch templates should be tagged](ec2-controls.md#ec2-175) 
+  [[EC2.176] EC2 prefix lists should be tagged](ec2-controls.md#ec2-176) 
+  [[EC2.177] EC2 traffic mirror sessions should be tagged](ec2-controls.md#ec2-177) 
+  [[EC2.178] EC2 traffic mirror filters should be tagged](ec2-controls.md#ec2-178) 
+  [[EC2.179] EC2 traffic mirror targets should be tagged](ec2-controls.md#ec2-179) 
+  [[ECR.1] ECR private repositories should have image scanning configured](ecr-controls.md#ecr-1) 
+  [[ECR.2] ECR private repositories should have tag immutability configured](ecr-controls.md#ecr-2) 
+  [[ECR.3] ECR repositories should have at least one lifecycle policy configured](ecr-controls.md#ecr-3) 
+  [[ECR.4] ECR public repositories should be tagged](ecr-controls.md#ecr-4) 
+  [[ECS.3] ECS task definitions should not share the host's process namespace](ecs-controls.md#ecs-3) 
+  [[ECS.4] ECS containers should run as non-privileged](ecs-controls.md#ecs-4) 
+  [[ECS.5] ECS task definitions should configure containers to be limited to read-only access to root filesystems](ecs-controls.md#ecs-5) 
+  [[ECS.8] Secrets should not be passed as container environment variables](ecs-controls.md#ecs-8) 
+  [[ECS.9] ECS task definitions should have a logging configuration](ecs-controls.md#ecs-9) 
+  [[ECS.10] ECS Fargate services should run on the latest Fargate platform version](ecs-controls.md#ecs-10) 
+  [[ECS.12] ECS clusters should use Container Insights](ecs-controls.md#ecs-12) 
+  [[EFS.3] EFS access points should enforce a root directory](efs-controls.md#efs-3) 
+  [[EFS.4] EFS access points should enforce a user identity](efs-controls.md#efs-4) 
+  [[EKS.2] EKS clusters should run on a supported Kubernetes version](eks-controls.md#eks-2) 
+  [[EKS.8] EKS clusters should have audit logging enabled](eks-controls.md#eks-8) 
+  [[ELB.10] Classic Load Balancer should span multiple Availability Zones](elb-controls.md#elb-10) 
+  [[ELB.12] Application Load Balancer should be configured with defensive or strictest desync mitigation mode](elb-controls.md#elb-12) 
+  [[ELB.13] Application, Network and Gateway Load Balancers should span multiple Availability Zones](elb-controls.md#elb-13) 
+  [[ELB.14] Classic Load Balancer should be configured with defensive or strictest desync mitigation mode](elb-controls.md#elb-14) 
+  [[ELB.21] Application and Network Load Balancer target groups should use encrypted health check protocols](elb-controls.md#elb-21) 
+  [[ELB.22] ELB target groups should use encrypted transport protocols](elb-controls.md#elb-22) 
+  [[ElastiCache.1] ElastiCache (Redis OSS) clusters should have automatic backups enabled](elasticache-controls.md#elasticache-1) 
+  [[ElastiCache.2] ElastiCache clusters should have automatic minor version upgrades enabled](elasticache-controls.md#elasticache-2) 
+  [[ElastiCache.3] ElastiCache replication groups should have automatic failover enabled](elasticache-controls.md#elasticache-3) 
+  [[ElastiCache.4] ElastiCache replication groups should be encrypted at rest](elasticache-controls.md#elasticache-4) 
+  [[ElastiCache.5] ElastiCache replication groups should be encrypted in transit](elasticache-controls.md#elasticache-5) 
+  [[ElastiCache.6] ElastiCache (Redis OSS) replication groups of earlier versions should have Redis OSS AUTH enabled](elasticache-controls.md#elasticache-6) 
+  [[ElastiCache.7] ElastiCache clusters should not use the default subnet group](elasticache-controls.md#elasticache-7) 
+  [[ElasticBeanstalk.1] Elastic Beanstalk environments should have enhanced health reporting enabled](elasticbeanstalk-controls.md#elasticbeanstalk-1) 
+  [[ElasticBeanstalk.2] Elastic Beanstalk managed platform updates should be enabled](elasticbeanstalk-controls.md#elasticbeanstalk-2) 
+  [[ElasticBeanstalk.3] Elastic Beanstalk should stream logs to CloudWatch](elasticbeanstalk-controls.md#elasticbeanstalk-3) 
+  [[EMR.2] Amazon EMR block public access setting should be enabled](emr-controls.md#emr-2) 
+  [[EMR.3] Amazon EMR security configurations should be encrypted at rest](emr-controls.md#emr-3) 
+  [[EMR.4] Amazon EMR security configurations should be encrypted in transit](emr-controls.md#emr-4) 
+  [[ES.4] Elasticsearch domain error logging to CloudWatch Logs should be enabled](es-controls.md#es-4) 
+  [[EventBridge.3] EventBridge custom event buses should have a resource-based policy attached](eventbridge-controls.md#eventbridge-3) 
+  [[EventBridge.4] EventBridge global endpoints should have event replication enabled](eventbridge-controls.md#eventbridge-4) 
+  [[FraudDetector.1] Amazon Fraud Detector entity types should be tagged](frauddetector-controls.md#frauddetector-1) 
+  [[FraudDetector.2] Amazon Fraud Detector labels should be tagged](frauddetector-controls.md#frauddetector-2) 
+  [[FraudDetector.3] Amazon Fraud Detector outcomes should be tagged](frauddetector-controls.md#frauddetector-3) 
+  [[FraudDetector.4] Amazon Fraud Detector variables should be tagged](frauddetector-controls.md#frauddetector-4) 
+  [[FSx.1] FSx for OpenZFS file systems should be configured to copy tags to backups and volumes](fsx-controls.md#fsx-1) 
+  [[FSx.2] FSx for Lustre file systems should be configured to copy tags to backups](fsx-controls.md#fsx-2) 
+  [[GlobalAccelerator.1] Global Accelerator accelerators should be tagged](globalaccelerator-controls.md#globalaccelerator-1) 
+  [[GuardDuty.7] GuardDuty EKS Runtime Monitoring should be enabled](guardduty-controls.md#guardduty-7) 
+  [[GuardDuty.8] GuardDuty Malware Protection for EC2 should be enabled](guardduty-controls.md#guardduty-8) 
+  [[GuardDuty.9] GuardDuty RDS Protection should be enabled](guardduty-controls.md#guardduty-9) 
+  [[GuardDuty.11] GuardDuty Runtime Monitoring should be enabled](guardduty-controls.md#guardduty-11) 
+  [[GuardDuty.12] GuardDuty ECS Runtime Monitoring should be enabled](guardduty-controls.md#guardduty-12) 
+  [[GuardDuty.13] GuardDuty EC2 Runtime Monitoring should be enabled](guardduty-controls.md#guardduty-13) 
+  [[IAM.6] Hardware MFA should be enabled for the root user](iam-controls.md#iam-6) 
+  [[IAM.9] MFA should be enabled for the root user](iam-controls.md#iam-9) 
+  [[IAM.21] IAM customer managed policies that you create should not allow wildcard actions for services](iam-controls.md#iam-21) 
+  [[IAM.24] IAM roles should be tagged](iam-controls.md#iam-24) 
+  [[IAM.25] IAM users should be tagged](iam-controls.md#iam-25) 
+  [[IAM.28] IAM Access Analyzer external access analyzer should be enabled](iam-controls.md#iam-28) 
+  [[Inspector.3] Amazon Inspector Lambda code scanning should be enabled](inspector-controls.md#inspector-3) 
+  [[IoTEvents.1] Amazon IoT Events inputs should be tagged](iotevents-controls.md#iotevents-1) 
+  [[IoTEvents.2] Amazon IoT Events detector models should be tagged](iotevents-controls.md#iotevents-2) 
+  [[IoTEvents.3] Amazon IoT Events alarm models should be tagged](iotevents-controls.md#iotevents-3) 
+  [[IoTSiteWise.1] Amazon IoT SiteWise asset models should be tagged](iotsitewise-controls.md#iotsitewise-1) 
+  [[IoTSiteWise.2] Amazon IoT SiteWise dashboards should be tagged](iotsitewise-controls.md#iotsitewise-2) 
+  [[IoTSiteWise.3] Amazon IoT SiteWise gateways should be tagged](iotsitewise-controls.md#iotsitewise-3) 
+  [[IoTSiteWise.4] Amazon IoT SiteWise portals should be tagged](iotsitewise-controls.md#iotsitewise-4) 
+  [[IoTSiteWise.5] Amazon IoT SiteWise projects should be tagged](iotsitewise-controls.md#iotsitewise-5) 
+  [[IoTTwinMaker.1] Amazon IoT TwinMaker sync jobs should be tagged](iottwinmaker-controls.md#iottwinmaker-1) 
+  [[IoTTwinMaker.2] Amazon IoT TwinMaker workspaces should be tagged](iottwinmaker-controls.md#iottwinmaker-2) 
+  [[IoTTwinMaker.3] Amazon IoT TwinMaker scenes should be tagged](iottwinmaker-controls.md#iottwinmaker-3) 
+  [[IoTTwinMaker.4] Amazon IoT TwinMaker entities should be tagged](iottwinmaker-controls.md#iottwinmaker-4) 
+  [[IoTWireless.1] Amazon IoT Wireless multicast groups should be tagged](iotwireless-controls.md#iotwireless-1) 
+  [[IoTWireless.2] Amazon IoT Wireless service profiles should be tagged](iotwireless-controls.md#iotwireless-2) 
+  [[IoTWireless.3] Amazon IoT FUOTA tasks should be tagged](iotwireless-controls.md#iotwireless-3) 
+  [[IVS.1] IVS playback key pairs should be tagged](ivs-controls.md#ivs-1) 
+  [[IVS.2] IVS recording configurations should be tagged](ivs-controls.md#ivs-2) 
+  [[IVS.3] IVS channels should be tagged](ivs-controls.md#ivs-3) 
+  [[Keyspaces.1] Amazon Keyspaces keyspaces should be tagged](keyspaces-controls.md#keyspaces-1) 
+  [[Kinesis.1] Kinesis streams should be encrypted at rest](kinesis-controls.md#kinesis-1) 
+  [[KMS.5] KMS keys should not be publicly accessible](kms-controls.md#kms-5) 
+  [[Lambda.5] VPC Lambda functions should operate in multiple Availability Zones](lambda-controls.md#lambda-5) 
+  [[Macie.1] Amazon Macie should be enabled](macie-controls.md#macie-1) 
+  [[Macie.2] Macie automated sensitive data discovery should be enabled](macie-controls.md#macie-2) 
+  [[MQ.5] ActiveMQ brokers should use active/standby deployment mode](mq-controls.md#mq-5) 
+  [[MQ.6] RabbitMQ brokers should use cluster deployment mode](mq-controls.md#mq-6) 
+  [[MSK.1] MSK clusters should be encrypted in transit among broker nodes](msk-controls.md#msk-1) 
+  [[MSK.2] MSK clusters should have enhanced monitoring configured](msk-controls.md#msk-2) 
+  [[MSK.3] MSK Connect connectors should be encrypted in transit](msk-controls.md#msk-3) 
+  [[MSK.5] MSK connectors should have logging enabled](msk-controls.md#msk-5) 
+  [[Neptune.1] Neptune DB clusters should be encrypted at rest](neptune-controls.md#neptune-1) 
+  [[Neptune.2] Neptune DB clusters should publish audit logs to CloudWatch Logs](neptune-controls.md#neptune-2) 
+  [[Neptune.3] Neptune DB cluster snapshots should not be public](neptune-controls.md#neptune-3) 
+  [[Neptune.4] Neptune DB clusters should have deletion protection enabled](neptune-controls.md#neptune-4) 
+  [[Neptune.5] Neptune DB clusters should have automated backups enabled](neptune-controls.md#neptune-5) 
+  [[Neptune.6] Neptune DB cluster snapshots should be encrypted at rest](neptune-controls.md#neptune-6) 
+  [[Neptune.7] Neptune DB clusters should have IAM database authentication enabled](neptune-controls.md#neptune-7) 
+  [[Neptune.8] Neptune DB clusters should be configured to copy tags to snapshots](neptune-controls.md#neptune-8) 
+  [[Neptune.9] Neptune DB clusters should be deployed across multiple Availability Zones](neptune-controls.md#neptune-9) 
+  [[NetworkFirewall.1] Network Firewall firewalls should be deployed across multiple Availability Zones](networkfirewall-controls.md#networkfirewall-1) 
+  [[NetworkFirewall.2] Network Firewall logging should be enabled](networkfirewall-controls.md#networkfirewall-2) 
+  [[NetworkFirewall.3] Network Firewall policies should have at least one rule group associated](networkfirewall-controls.md#networkfirewall-3) 
+  [[NetworkFirewall.4] The default stateless action for Network Firewall policies should be drop or forward for full packets](networkfirewall-controls.md#networkfirewall-4) 
+  [[NetworkFirewall.5] The default stateless action for Network Firewall policies should be drop or forward for fragmented packets](networkfirewall-controls.md#networkfirewall-5) 
+  [[NetworkFirewall.6] Stateless Network Firewall rule group should not be empty](networkfirewall-controls.md#networkfirewall-6) 
+  [[NetworkFirewall.9] Network Firewall firewalls should have deletion protection enabled](networkfirewall-controls.md#networkfirewall-9) 
+  [[Opensearch.1] OpenSearch domains should have encryption at rest enabled](opensearch-controls.md#opensearch-1) 
+  [[Opensearch.2] OpenSearch domains should not be publicly accessible](opensearch-controls.md#opensearch-2) 
+  [[Opensearch.3] OpenSearch domains should encrypt data sent between nodes](opensearch-controls.md#opensearch-3) 
+  [[Opensearch.4] OpenSearch domain error logging to CloudWatch Logs should be enabled](opensearch-controls.md#opensearch-4) 
+  [[Opensearch.5] OpenSearch domains should have audit logging enabled](opensearch-controls.md#opensearch-5) 
+  [[Opensearch.6] OpenSearch domains should have at least three data nodes](opensearch-controls.md#opensearch-6) 
+  [[Opensearch.7] OpenSearch domains should have fine-grained access control enabled](opensearch-controls.md#opensearch-7) 
+  [[Opensearch.8] Connections to OpenSearch domains should be encrypted using the latest TLS security policy](opensearch-controls.md#opensearch-8) 
+  [[PCA.1] Amazon Private CA root certificate authority should be disabled](pca-controls.md#pca-1) 
+  [[PCA.2] Amazon Private CA certificate authorities should be tagged](pca-controls.md#pca-2) 
+  [[RDS.14] Amazon Aurora clusters should have backtracking enabled](rds-controls.md#rds-14) 
+  [[RDS.15] RDS DB clusters should be configured for multiple Availability Zones](rds-controls.md#rds-15) 
+  [[RDS.24] RDS Database clusters should use a custom administrator username](rds-controls.md#rds-24) 
+  [[RDS.25] RDS database instances should use a custom administrator username](rds-controls.md#rds-25) 
+  [[RDS.27] RDS DB clusters should be encrypted at rest](rds-controls.md#rds-27) 
+  [[RDS.34] Aurora MySQL DB clusters should publish audit logs to CloudWatch Logs](rds-controls.md#rds-34) 
+  [[RDS.35] RDS DB clusters should have automatic minor version upgrade enabled](rds-controls.md#rds-35) 
+  [[RDS.43] RDS DB proxies should require TLS encryption for connections](rds-controls.md#rds-43) 
+  [[RDS.45] Aurora MySQL DB clusters should have audit logging enabled](rds-controls.md#rds-45) 
+  [[RDS.47] RDS for PostgreSQL DB clusters should be configured to copy tags to DB snapshots](rds-controls.md#rds-47) 
+  [[RDS.48] RDS for MySQL DB clusters should be configured to copy tags to DB snapshots](rds-controls.md#rds-48) 
+  [[RDS.50] RDS DB clusters should have enough backup retention period set](rds-controls.md#rds-50) 
+  [[Redshift.7] Redshift clusters should use enhanced VPC routing](redshift-controls.md#redshift-7) 
+  [[Redshift.8] Amazon Redshift clusters should not use the default Admin username](redshift-controls.md#redshift-8) 
+  [[Redshift.10] Redshift clusters should be encrypted at rest](redshift-controls.md#redshift-10) 
+  [[Redshift.11] Redshift clusters should be tagged](redshift-controls.md#redshift-11) 
+  [[Redshift.13] Redshift cluster snapshots should be tagged](redshift-controls.md#redshift-13) 
+  [[Redshift.17] Redshift cluster parameter groups should be tagged](redshift-controls.md#redshift-17) 
+  [[RedshiftServerless.1] Amazon Redshift Serverless workgroups should use enhanced VPC routing](redshiftserverless-controls.md#redshiftserverless-1) 
+  [[RedshiftServerless.2] Connections to Redshift Serverless workgroups should be required to use SSL](redshiftserverless-controls.md#redshiftserverless-2) 
+  [[RedshiftServerless.3] Redshift Serverless workgroups should prohibit public access](redshiftserverless-controls.md#redshiftserverless-3) 
+  [[RedshiftServerless.6] Redshift Serverless namespaces should export logs to CloudWatch Logs](redshiftserverless-controls.md#redshiftserverless-6) 
+  [[Route53.1] Route 53 health checks should be tagged](route53-controls.md#route53-1) 
+  [[Route53.2] Route 53 public hosted zones should log DNS queries](route53-controls.md#route53-2) 
+  [[S3.10] S3 general purpose buckets with versioning enabled should have Lifecycle configurations](s3-controls.md#s3-10) 
+  [[S3.11] S3 general purpose buckets should have event notifications enabled](s3-controls.md#s3-11) 
+  [[S3.12] ACLs should not be used to manage user access to S3 general purpose buckets](s3-controls.md#s3-12) 
+  [[S3.13] S3 general purpose buckets should have Lifecycle configurations](s3-controls.md#s3-13) 
+  [[S3.20] S3 general purpose buckets should have MFA delete enabled](s3-controls.md#s3-20) 
+  [[S3.24] S3 Multi-Region Access Points should have block public access settings enabled](s3-controls.md#s3-24) 
+  [[S3.25] S3 directory buckets should have lifecycle configurations](s3-controls.md#s3-25) 
+  [[SageMaker.2] SageMaker notebook instances should be launched in a custom VPC](sagemaker-controls.md#sagemaker-2) 
+  [[SageMaker.3] Users should not have root access to SageMaker notebook instances](sagemaker-controls.md#sagemaker-3) 
+  [[SageMaker.5] SageMaker models should have network isolation enabled](sagemaker-controls.md#sagemaker-5) 
+  [[SageMaker.6] SageMaker app image configurations should be tagged](sagemaker-controls.md#sagemaker-6) 
+  [[SageMaker.7] SageMaker images should be tagged](sagemaker-controls.md#sagemaker-7) 
+  [[SageMaker.9] SageMaker data quality job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-9) 
+  [[SageMaker.10] SageMaker model explainability job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-10) 
+  [[SageMaker.11] SageMaker data quality job definitions should have network isolation enabled](sagemaker-controls.md#sagemaker-11) 
+  [[SageMaker.12] SageMaker model bias job definitions should have network isolation enabled](sagemaker-controls.md#sagemaker-12) 
+  [[SageMaker.13] SageMaker model quality job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-13) 
+  [[SageMaker.14] SageMaker monitoring schedules should have network isolation enabled](sagemaker-controls.md#sagemaker-14) 
+  [[SageMaker.15] SageMaker model bias job definitions should have inter-container traffic encryption enabled](sagemaker-controls.md#sagemaker-15) 
+  [[SES.3] SES configuration sets should have TLS enabled for sending emails](ses-controls.md#ses-3) 
+  [[SNS.4] SNS topic access policies should not allow public access](sns-controls.md#sns-4) 
+  [[SQS.3] SQS queue access policies should not allow public access](sqs-controls.md#sqs-3) 
+  [[SSM.4] SSM documents should not be public](ssm-controls.md#ssm-4) 
+  [[SSM.5] SSM documents should be tagged](ssm-controls.md#ssm-5) 
+  [[StepFunctions.1] Step Functions state machines should have logging turned on](stepfunctions-controls.md#stepfunctions-1) 
+  [[StepFunctions.2] Step Functions activities should be tagged](stepfunctions-controls.md#stepfunctions-2) 
+  [[Transfer.4] Transfer Family agreements should be tagged](transfer-controls.md#transfer-4) 
+  [[Transfer.5] Transfer Family certificates should be tagged](transfer-controls.md#transfer-5) 
+  [[Transfer.6] Transfer Family connectors should be tagged](transfer-controls.md#transfer-6) 
+  [[Transfer.7] Transfer Family profiles should be tagged](transfer-controls.md#transfer-7) 
+  [[WAF.1] Amazon WAF Classic Global Web ACL logging should be enabled](waf-controls.md#waf-1) 
+  [[WAF.2] Amazon WAF Classic Regional rules should have at least one condition](waf-controls.md#waf-2) 
+  [[WAF.3] Amazon WAF Classic Regional rule groups should have at least one rule](waf-controls.md#waf-3) 
+  [[WAF.4] Amazon WAF Classic Regional web ACLs should have at least one rule or rule group](waf-controls.md#waf-4) 
+  [[WAF.6] Amazon WAF Classic global rules should have at least one condition](waf-controls.md#waf-6) 
+  [[WAF.7] Amazon WAF Classic global rule groups should have at least one rule](waf-controls.md#waf-7) 
+  [[WAF.8] Amazon WAF Classic global web ACLs should have at least one rule or rule group](waf-controls.md#waf-8) 
+  [[WAF.10] Amazon WAF web ACLs should have at least one rule or rule group](waf-controls.md#waf-10) 
+  [[WAF.12] Amazon WAF rules should have CloudWatch metrics enabled](waf-controls.md#waf-12) 

# Creating Security Hub CSPM resources with CloudFormation
Creating resources with CloudFormation

Amazon Security Hub CSPM integrates with Amazon CloudFormation, which is a service that helps you model and set up your Amazon resources so that you can spend less time creating and managing your resources and infrastructure. You create a template that describes all the Amazon resources that you want (such as automation rules), and Amazon CloudFormation provisions and configures those resources for you.

When you use Amazon CloudFormation, you can reuse your template to set up your Security Hub CSPM resources consistently and repeatedly. Describe your resources once, and then provision the same resources over and over in multiple Amazon Web Services accounts and Regions. 

## Security Hub CSPM and Amazon CloudFormation templates


To provision and configure resources for Security Hub CSPM and related services, you must understand how [Amazon CloudFormation templates](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/template-guide.html) work. Templates are text files in JSON or YAML format. These templates describe the resources that you want to provision in your Amazon CloudFormation stacks.

If you're unfamiliar with JSON or YAML, you can use Amazon CloudFormation Designer to help you get started with Amazon CloudFormation templates. For more information, see [What is Amazon CloudFormation Designer?](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/working-with-templates-cfn-designer.html) in the *Amazon CloudFormation User Guide*.

You can create Amazon CloudFormation templates for the following types of Security Hub CSPM resources:
+ Enabling Security Hub CSPM
+ Designating the delegated Security Hub CSPM administrator for an organization
+ Specifying how your organization is configured in Security Hub CSPM
+ Enabling a security standard
+ Enabling cross-Region aggregation
+ Creating a central configuration policy and associating it with accounts, organizational units (OUs), or the root
+ Creating a custom insight
+ Creating an automation rule
+ Customizing control parameters
+ Subscribing to a third-party product integration

For more information, including examples of JSON and YAML templates for resources, see the [Amazon Security Hub CSPM resource type reference](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/AWS_SecurityHub.html) in the *Amazon CloudFormation User Guide*.
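The following YAML template is an added example, not a template from the original page or from the Amazon CloudFormation resource reference. It combines four of the resource types listed above in one stack: it enables Security Hub CSPM, enables the FSBP standard with one control disabled, links all Regions to the deployment Region, and adds an automation rule that updates critical failed control findings. It assumes a single account deployed in its home (aggregation) Region; the rule name, the note text, the choice of disabled control and its reason are illustrative values, not anything the page prescribes.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >-
  Enable Security Hub CSPM, enable the FSBP standard, turn on
  cross-Region aggregation, and add an automation rule
  (added example; assumes a single account in its home Region).

Resources:
  # 1. Enable Security Hub CSPM in this account and Region.
  #    Default standards are not enabled automatically, so the set of
  #    enabled standards is exactly what this template declares.
  SecurityHub:
    Type: AWS::SecurityHub::Hub
    Properties:
      EnableDefaultStandards: false
      ControlFindingGenerator: SECURITY_CONTROL
      AutoEnableControls: true

  # 2. Enable the Amazon Foundational Security Best Practices standard.
  #    One control is disabled with a recorded reason; the reason shows
  #    in the console and the API, so keep it specific and auditable.
  #    (IAM.6 and the reason text are illustrative choices.)
  FSBPStandard:
    Type: AWS::SecurityHub::Standard
    DependsOn: SecurityHub
    Properties:
      StandardsArn: !Sub "arn:${AWS::Partition}:securityhub:${AWS::Region}::standards/aws-foundational-security-best-practices/v/1.0.0"
      DisabledStandardsControls:
        - StandardsControlArn: !Sub "arn:${AWS::Partition}:securityhub:${AWS::Region}:${AWS::AccountId}:control/aws-foundational-security-best-practices/v/1.0.0/IAM.6"
          Reason: "Root user MFA is enforced and audited centrally in the management account (illustrative reason)"

  # 3. Link every Region to this one so findings from all Regions are
  #    visible here. Create this resource only in the aggregation
  #    (home) Region; an account can have a single aggregator.
  FindingAggregator:
    Type: AWS::SecurityHub::FindingAggregator
    DependsOn: SecurityHub
    Properties:
      RegionLinkingMode: ALL_REGIONS

  # 4. Automation rule: when a FAILED control finding with CRITICAL
  #    severity arrives in workflow status NEW, move it to NOTIFIED and
  #    attach a triage note. Consolidated control findings carry a
  #    GeneratorId of the form "security-control/<ControlId>", which is
  #    what the PREFIX match selects.
  EscalateCriticalFailures:
    Type: AWS::SecurityHub::AutomationRule
    DependsOn: SecurityHub
    Properties:
      RuleName: escalate-critical-control-failures
      RuleOrder: 1
      RuleStatus: ENABLED
      IsTerminal: false
      Description: Mark new CRITICAL failed control findings as NOTIFIED with a triage note
      Criteria:
        GeneratorId:
          - Comparison: PREFIX
            Value: security-control/
        ComplianceStatus:
          - Comparison: EQUALS
            Value: FAILED
        SeverityLabel:
          - Comparison: EQUALS
            Value: CRITICAL
        WorkflowStatus:
          - Comparison: EQUALS
            Value: NEW
      Actions:
        - Type: FINDING_FIELDS_UPDATE
          FindingFieldsUpdate:
            Workflow:
              Status: NOTIFIED
            Note:
              Text: Critical control failure routed to the security on-call queue by automation rule
              UpdatedBy: sechub-automation-rule

Outputs:
  HubArn:
    Description: ARN of the Security Hub CSPM hub resource
    Value: !Ref SecurityHub
```

Two points worth checking before reusing this template across accounts and Regions. `EnableDefaultStandards: false` is deliberate: with the default (`true`) the hub would enable CIS and FSBP on its own, and the standards actually in force would no longer match what the template declares. And because `AWS::SecurityHub::FindingAggregator` is limited to one per account, remove that resource (or condition it on the Region) before deploying the stack to Regions other than the home Region.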

## Learn more about Amazon CloudFormation


To learn more about Amazon CloudFormation, see the following resources:
+ [Amazon CloudFormation](https://www.amazonaws.cn/cloudformation/)
+ [Amazon CloudFormation User Guide](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/Welcome.html)
+ [Amazon CloudFormation API Reference](https://docs.amazonaws.cn/AWSCloudFormation/latest/APIReference/Welcome.html)
+ [Amazon CloudFormation Command Line Interface User Guide](https://docs.amazonaws.cn/cloudformation-cli/latest/userguide/what-is-cloudformation-cli.html)

# Subscribing to Security Hub CSPM announcements with Amazon SNS
Subscribing to announcements

This section provides information about subscribing to Amazon Security Hub CSPM announcements with Amazon Simple Notification Service (Amazon SNS) to receive notifications about Security Hub CSPM. 

After subscribing, you will receive notifications about the following events (note the corresponding `AnnouncementType` for each event):
+ `NEW_STANDARDS_CONTROLS` – New Security Hub CSPM controls or standards have been added.
+ `RETIRED_STANDARDS_CONTROLS` – Existing Security Hub CSPM controls or standards have been retired.

Notifications are available in all formats that Amazon SNS supports. You can subscribe to Security Hub CSPM announcements in all [Amazon Web Services Regions that Security Hub CSPM is available in](https://docs.amazonaws.cn/general/latest/gr/sechub.html).

The principal that creates the subscription must be allowed the `sns:Subscribe` action on the announcements topic. You can grant this with Amazon SNS topic policies, IAM policies, or both. For more information, see [IAM and Amazon SNS policies together](https://docs.amazonaws.cn/sns/latest/dg/sns-using-identity-based-policies.html#iam-and-sns-policies) in the *Amazon Simple Notification Service Developer Guide*.

**Note**  
Security Hub CSPM sends Amazon SNS announcements about updates to the Security Hub CSPM service to any subscribed Amazon Web Services account. To receive notifications about Security Hub CSPM findings, see [Reviewing finding details and history in Security Hub CSPM](securityhub-findings-viewing.md).

You can subscribe to an Amazon Simple Queue Service (Amazon SQS) queue for an Amazon SNS topic, but you must use an Amazon SNS topic Amazon Resource Name (ARN) that is in the same Region. For more information, see [Subscribing a queue to an Amazon SNS topic](https://docs.amazonaws.cn/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-configure-subscribe-queue-sns-topic.html) in the *Amazon Simple Queue Service Developer Guide*.

You can also use an Amazon Lambda function to invoke events when you receive notifications. For more information, including sample function code, see [Tutorial: Using Amazon Lambda with Amazon Simple Notification Service](https://docs.amazonaws.cn/lambda/latest/dg/with-sns-example.html) in the *Amazon Lambda Developer Guide*.

The Amazon SNS topic ARNs for each Region are as follows.


| Amazon Web Services Region | Amazon SNS topic ARN | 
| --- | --- | 
| US East (Ohio) | arn:aws-cn:sns:us-east-2:291342846459:SecurityHubAnnouncements | 
| US East (N. Virginia) | arn:aws-cn:sns:us-east-1:088139225913:SecurityHubAnnouncements | 
| US West (N. California) | arn:aws-cn:sns:us-west-1:137690824926:SecurityHubAnnouncements | 
| US West (Oregon) | arn:aws-cn:sns:us-west-2:393883065485:SecurityHubAnnouncements | 
| Africa (Cape Town) | arn:aws-cn:sns:af-south-1:463142546776:SecurityHubAnnouncements | 
| Asia Pacific (Hong Kong) | arn:aws-cn:sns:ap-east-1:464812404305:SecurityHubAnnouncements | 
| Asia Pacific (Hyderabad) | arn:aws-cn:sns:ap-south-2:849907286123:SecurityHubAnnouncements | 
| Asia Pacific (Jakarta) | arn:aws-cn:sns:ap-southeast-3:627843640627:SecurityHubAnnouncements | 
| Asia Pacific (Mumbai) | arn:aws-cn:sns:ap-south-1:707356269775:SecurityHubAnnouncements | 
| Asia Pacific (Osaka) | arn:aws-cn:sns:ap-northeast-3:633550238216:SecurityHubAnnouncements | 
| Asia Pacific (Seoul) | arn:aws-cn:sns:ap-northeast-2:374299265323:SecurityHubAnnouncements | 
| Asia Pacific (Singapore) | arn:aws-cn:sns:ap-southeast-1:512267288502:SecurityHubAnnouncements | 
| Asia Pacific (Sydney) | arn:aws-cn:sns:ap-southeast-2:475730049140:SecurityHubAnnouncements | 
| Asia Pacific (Tokyo) | arn:aws-cn:sns:ap-northeast-1:592469075483:SecurityHubAnnouncements | 
| Canada (Central) | arn:aws-cn:sns:ca-central-1:137749997395:SecurityHubAnnouncements | 
| China (Beijing) | arn:aws-cn:sns:cn-north-1:672341567257:SecurityHubAnnouncements | 
| China (Ningxia) | arn:aws-cn:sns:cn-northwest-1:672534482217:SecurityHubAnnouncements | 
| Europe (Frankfurt) | arn:aws-cn:sns:eu-central-1:871975303681:SecurityHubAnnouncements | 
| Europe (Ireland) | arn:aws-cn:sns:eu-west-1:705756202095:SecurityHubAnnouncements | 
| Europe (London) | arn:aws-cn:sns:eu-west-2:883600840440:SecurityHubAnnouncements | 
| Europe (Milan) | arn:aws-cn:sns:eu-south-1:151363035580:SecurityHubAnnouncements | 
| Europe (Paris) | arn:aws-cn:sns:eu-west-3:313420042571:SecurityHubAnnouncements | 
| Europe (Spain) | arn:aws-cn:sns:eu-south-2:777487947751:SecurityHubAnnouncements | 
| Europe (Stockholm) | arn:aws-cn:sns:eu-north-1:191971010772:SecurityHubAnnouncements | 
| Europe (Zurich) | arn:aws-cn:sns:eu-central-2:704347005078:SecurityHubAnnouncements | 
| Israel (Tel Aviv) | arn:aws-cn:sns:il-central-1:726652212146:SecurityHubAnnouncements | 
| Middle East (Bahrain) | arn:aws-cn:sns:me-south-1:585146626860:SecurityHubAnnouncements | 
| Middle East (UAE) | arn:aws-cn:sns:me-central-1:431548502100:SecurityHubAnnouncements | 
| South America (São Paulo) | arn:aws-cn:sns:sa-east-1:359811883282:SecurityHubAnnouncements | 
| Amazon GovCloud (US-East) | arn:aws-us-gov:sns:us-gov-east-1:239368469855:SecurityHubAnnouncements | 
| Amazon GovCloud (US-West) | arn:aws-us-gov:sns:us-gov-west-1:239334163374:SecurityHubAnnouncements | 

Messages are typically the same across Regions within a [partition](https://docs.amazonaws.cn/general/latest/gr/aws-arns-and-namespaces.html), so you can subscribe to one Region in each partition to receive announcements that affect all Regions in that partition. Announcements associated with member accounts are not replicated in the administrator account. As a result, each account, including the administrator account, will only have one copy of each announcement. You can decide which account you want to use to subscribe to Security Hub CSPM announcements.

For information about the cost of subscribing to Security Hub CSPM announcements, see [Amazon SNS pricing](https://www.amazonaws.cn/sns/pricing/).

**Subscribing to Security Hub CSPM announcements (console)**

1. Open the Amazon SNS console at [https://console.amazonaws.cn/sns/v3/home](https://console.amazonaws.cn/sns/v3/home).

1. In the Region list, choose the Region in which you want to subscribe to Security Hub CSPM announcements. This example uses the `us-west-2` Region.

1. In the navigation pane, choose **Subscriptions**, and then choose **Create subscription**.

1. Enter the topic ARN into the **Topic ARN** box. For example, `arn:aws-cn:sns:us-west-2:393883065485:SecurityHubAnnouncements`.

1. For **Protocol**, choose how you want to receive Security Hub CSPM announcements. If you choose **Email**, for **Endpoint**, enter the email address that you want to use to receive announcements.

1. Choose **Create subscription**.

1. Confirm the subscription. For example, if you chose email protocol, Amazon SNS will send a subscription confirmation message to the email you provided.

**Subscribing to Security Hub CSPM announcements (Amazon CLI)**

1. Run the following command:

   ```
   aws sns --region us-west-2 subscribe --topic-arn arn:aws-cn:sns:us-west-2:393883065485:SecurityHubAnnouncements --protocol email --notification-endpoint your_email@your_domain.com
   ```

1. Confirm the subscription. For example, if you chose email protocol, Amazon SNS will send a subscription confirmation message to the email you provided.

## Amazon SNS message format


The following examples show Security Hub CSPM announcements from Amazon SNS about the introduction of new security controls. Message content varies based on announcement type, but the format is the same for all announcement types. Optionally, a `Link` field that provides details about the announcement may be included.

**Example: Security Hub CSPM announcement for new controls (email protocol)**

```
{
  "AnnouncementType":"NEW_STANDARDS_CONTROLS",
  "Title":"[New Controls] 36 new Security Hub CSPM controls added to the Amazon Foundational Security Best Practices standard",
  "Description":"We have added 36 new controls to the Amazon Foundational Security Best Practices standard. These include controls for Amazon Auto Scaling (AutoScaling.3, AutoScaling.4, AutoScaling.6), Amazon CloudFormation (CloudFormation.1), Amazon CloudFront (CloudFront.10), Amazon Elastic Compute Cloud (Amazon EC2) (EC2.23, EC2.24, EC2.27), Amazon Elastic Container Registry (Amazon ECR) (ECR.1, ECR.2), Amazon Elastic Container Service (Amazon ECS) (ECS.3, ECS.4, ECS.5, ECS.8, ECS.10, ECS.12), Amazon Elastic File System (Amazon EFS) (EFS.3, EFS.4), Amazon Elastic Kubernetes Service (Amazon EKS) (EKS.2), Elastic Load Balancing (ELB.12, ELB.13, ELB.14), Amazon Kinesis (Kinesis.1), Amazon Network Firewall (NetworkFirewall.3, NetworkFirewall.4, NetworkFirewall.5), Amazon OpenSearch Service (OpenSearch.7), Amazon Redshift (Redshift.9), Amazon Simple Storage Service (Amazon S3) (S3.13), Amazon Simple Notification Service (SNS.2), Amazon WAF (WAF.2, WAF.3, WAF.4, WAF.6, WAF.7, WAF.8). If you enabled the Amazon Foundational Security Best Practices standard in an account and configured Security Hub CSPM to automatically enable new controls, these controls are enabled by default. Availability of controls can vary by Region. "
}
```

**Example: Security Hub CSPM announcement for new controls (email-JSON protocol)**

```
{
  "Type" : "Notification",
  "MessageId" : "d124c9cf-326a-5931-9263-92a92e7af49f",
  "TopicArn" : "arn:aws-cn:sns:us-west-2:393883065485:SecurityHubAnnouncements",
  "Message" : "{\"AnnouncementType\":\"NEW_STANDARDS_CONTROLS\",\"Title\":\"[New Controls] 36 new Security Hub CSPM controls added to the Amazon Foundational Security Best Practices standard\",\"Description\":\"We have added 36 new controls to the Amazon Foundational Security Best Practices standard. These include controls for Amazon Auto Scaling (AutoScaling.3, AutoScaling.4, AutoScaling.6), Amazon CloudFormation (CloudFormation.1), Amazon CloudFront (CloudFront.10), Amazon Elastic Compute Cloud (Amazon EC2) (EC2.23, EC2.24, EC2.27), Amazon Elastic Container Registry (Amazon ECR) (ECR.1, ECR.2), Amazon Elastic Container Service (Amazon ECS) (ECS.3, ECS.4, ECS.5, ECS.8, ECS.10, ECS.12), Amazon Elastic File System (Amazon EFS) (EFS.3, EFS.4), Amazon Elastic Kubernetes Service (Amazon EKS) (EKS.2), Elastic Load Balancing (ELB.12, ELB.13, ELB.14), Amazon Kinesis (Kinesis.1), Amazon Network Firewall (NetworkFirewall.3, NetworkFirewall.4, NetworkFirewall.5), Amazon OpenSearch Service (OpenSearch.7), Amazon Redshift (Redshift.9), Amazon Simple Storage Service (Amazon S3) (S3.13), Amazon Simple Notification Service (SNS.2), Amazon WAF (WAF.2, WAF.3, WAF.4, WAF.6, WAF.7, WAF.8). If you enabled the Amazon Foundational Security Best Practices standard in an account and configured Security Hub CSPM to automatically enable new controls, these controls are enabled by default. Availability of controls can vary by Region. \"}",
  "Timestamp" : "2022-08-04T19:11:12.652Z",
  "SignatureVersion" : "1",
  "Signature" : "HTHgNFRYMetCvisulgLM4CVySvK9qCXFPHQDxYl9tuCFQuIrd7YO4m4YFR28XKMgzqrF20YP+EilipUm2SOTpEEtOTekU5bn74+YmNZfwr4aPFx0vUuQCVOshmHl37hjkiLjhCg/t53QQiLfP7MH+MTXIUPR37k5SuFCXvjpRQ8ynV532AH3Wpv0HmojDLMg+eg51V1fUsOG8yiJVCBEJhJ1yS+gkwJdhRk2UQab9RcAmE6COK3hRWcjDwqTXz5nR6Ywv1ZqZfLIl7gYKslt+jsyd/k+7kOqGmOJRDr7qhE7H+7vaGRLOptsQnbW8VmeYnDbahEO8FV+Mp1rpV+7Qg==",
  "SigningCertURL" : "https://sns.us-west-2.amazonaws.com/SimpleNotificationService-56e67fcb41f6fec09b0196692625d385.pem",
  "UnsubscribeURL" : "https://sns.us-west-2.amazonaws.com/?Action=Unsubscribe&SubscriptionArn=arn:aws-cn:sns:us-west-2:393883065485:SecurityHubAnnouncements:9d0230d7-d582-451d-9f15-0c32818bf61f"
}
```
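The email-JSON message above is also the shape a Lambda function or SQS consumer receives when it is subscribed to the announcements topic. The following parser is an added example, not code from this guide or from the Security Hub CSPM service: it unwraps the SNS envelope, decodes the announcement that is JSON-serialised inside the `Message` string, accepts only the two documented `AnnouncementType` values, and pulls the control IDs out of the `Description`. It also checks that `TopicArn` is one of the topic ARNs from the Region table, so a handler will not act on a message that merely looks like an announcement. The sample notification is constructed for this example (its `MessageId` is a placeholder) and is modelled on the email-JSON example shown above.

```python
import json
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Topic ARNs copied from the Region table above. A handler should only act on
# messages that arrive from one of the published Security Hub CSPM topics.
KNOWN_TOPIC_ARNS = {
    "arn:aws-cn:sns:us-west-2:393883065485:SecurityHubAnnouncements",
    "arn:aws-cn:sns:us-east-1:088139225913:SecurityHubAnnouncements",
    "arn:aws-cn:sns:cn-north-1:672341567257:SecurityHubAnnouncements",
    "arn:aws-cn:sns:cn-northwest-1:672534482217:SecurityHubAnnouncements",
}

# The two AnnouncementType values documented for this topic.
KNOWN_ANNOUNCEMENT_TYPES = {"NEW_STANDARDS_CONTROLS", "RETIRED_STANDARDS_CONTROLS"}

# Control IDs in the Description look like "EC2.23", "S3.13" or "NetworkFirewall.4".
CONTROL_ID_RE = re.compile(r"\b([A-Z][A-Za-z0-9]*\.\d+)\b")


@dataclass
class Announcement:
    announcement_type: str
    title: str
    description: str
    link: Optional[str]  # the optional Link field, when the announcement carries one
    control_ids: List[str] = field(default_factory=list)


def is_trusted_topic(topic_arn: str) -> bool:
    """True only for a topic ARN listed in the Region table."""
    return topic_arn in KNOWN_TOPIC_ARNS


def parse_announcement(raw_notification: str) -> Announcement:
    """Parse an SNS Notification (email-JSON / HTTP / SQS form) that carries a
    Security Hub CSPM announcement. Raises ValueError for anything that is not
    a well-formed announcement from a known topic, so a handler fails closed."""
    envelope = json.loads(raw_notification)
    if envelope.get("Type") != "Notification":
        raise ValueError(f"unexpected SNS message type: {envelope.get('Type')!r}")
    if not is_trusted_topic(envelope.get("TopicArn", "")):
        raise ValueError(f"message from unknown topic: {envelope.get('TopicArn')!r}")

    # The announcement itself is JSON serialised inside the "Message" string.
    body = json.loads(envelope["Message"])
    announcement_type = body.get("AnnouncementType")
    if announcement_type not in KNOWN_ANNOUNCEMENT_TYPES:
        raise ValueError(f"unknown AnnouncementType: {announcement_type!r}")

    description = body.get("Description", "")
    # dict.fromkeys de-duplicates while keeping first-seen order.
    control_ids = list(dict.fromkeys(CONTROL_ID_RE.findall(description)))
    return Announcement(
        announcement_type=announcement_type,
        title=body.get("Title", ""),
        description=description,
        link=body.get("Link"),
        control_ids=control_ids,
    )


# Constructed sample, modelled on the email-JSON example above; not a real message.
_SAMPLE_BODY = {
    "AnnouncementType": "NEW_STANDARDS_CONTROLS",
    "Title": "[New Controls] 4 new Security Hub CSPM controls added to the Amazon Foundational Security Best Practices standard",
    "Description": (
        "We have added 4 new controls to the Amazon Foundational Security Best Practices "
        "standard. These include controls for Amazon Elastic Compute Cloud (Amazon EC2) "
        "(EC2.23, EC2.24), Amazon Simple Storage Service (Amazon S3) (S3.13), and Amazon "
        "Network Firewall (NetworkFirewall.3). Availability of controls can vary by Region."
    ),
}
SAMPLE_NOTIFICATION = json.dumps({
    "Type": "Notification",
    "MessageId": "00000000-0000-0000-0000-000000000000",  # placeholder, not a real id
    "TopicArn": "arn:aws-cn:sns:us-west-2:393883065485:SecurityHubAnnouncements",
    "Message": json.dumps(_SAMPLE_BODY),
    "Timestamp": "2022-08-04T19:11:12.652Z",
})

if __name__ == "__main__":
    ann = parse_announcement(SAMPLE_NOTIFICATION)
    print(ann.announcement_type, ann.control_ids)
```

The parser deliberately ignores the `Signature` and `SigningCertURL` fields. A handler exposed over HTTP should verify the SNS message signature before trusting the `TopicArn` check, because that field is just part of the message body; for a Lambda function or SQS queue subscribed directly to the topic, SNS itself establishes the origin.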

# Disabling Security Hub CSPM

You can disable Amazon Security Hub CSPM by using the Security Hub CSPM console or the Security Hub API. If you disable Security Hub CSPM, you can enable it again later.

If your organization uses central configuration, the delegated Security Hub CSPM administrator can create configuration policies that disable Security Hub CSPM for specific accounts and organizational units (OUs) and keep Security Hub CSPM enabled for others. Configuration policies affect the home Region and all linked Regions. For more information, see [Understanding central configuration in Security Hub CSPM](central-configuration-intro.md).

If you disable Security Hub CSPM for an account, the following occurs:
+ All Security Hub CSPM standards and controls are disabled for the account.
+ Security Hub CSPM stops generating, updating, and ingesting findings for the account.
+ After 30 days, Security Hub CSPM permanently deletes all existing archived findings for the account. The findings cannot be recovered by using Security Hub CSPM.
+ After 90 days, Security Hub CSPM permanently deletes all existing active findings for the account. The findings cannot be recovered by using Security Hub CSPM.
+ After 90 days, Security Hub CSPM permanently deletes all existing insights and Security Hub CSPM configuration settings for the account. The data and settings cannot be recovered.

To retain existing findings, you can export the findings to an S3 bucket before you disable Security Hub CSPM. You can do this by using a custom action with an Amazon EventBridge rule. For more information, see [Using EventBridge for automated response and remediation](securityhub-cloudwatch-events.md).

If you re-enable Security Hub CSPM within 90 days of disabling it for an account, you regain access to existing active findings, as well as insights and Security Hub CSPM configuration settings for the account. If you re-enable Security Hub CSPM within 30 days, you also regain access to existing archived findings for the account. However, existing findings might be inaccurate because they will reflect the state of your Amazon environment when you disabled Security Hub CSPM. In addition, as you re-enable individual standards and controls, Security Hub CSPM might initially generate duplicate findings for specific Amazon resources, depending on the standards and controls that you enable. For these reasons, we recommend that you do one of the following:
+ Change the workflow status of all existing findings to `RESOLVED` before you disable Security Hub CSPM. For more information, see [Setting the workflow status of findings](findings-workflow-status.md).
+ Disable all standards at least six days before you disable Security Hub CSPM. Security Hub CSPM then archives all existing findings on a best-effort basis, typically within three to five days. For more information, see [Disabling a standard](disable-standards.md).

You can't disable Security Hub CSPM in the following cases:
+ Your account is the delegated Security Hub CSPM administrator account for an organization. If you use central configuration, you can't associate a configuration policy that disables Security Hub CSPM for the delegated administrator account. The association can succeed for other accounts, but Security Hub CSPM doesn't apply the policy to the delegated administrator account.
+ Your account is a Security Hub CSPM administrator account by invitation, and you have member accounts. Before you can disable Security Hub CSPM, you must disassociate all of your member accounts. To learn how, see [Disassociating member accounts in Security Hub CSPM](securityhub-disassociate-members.md).

Before the owner of a member account can disable Security Hub CSPM, the account must disassociate from its administrator account. For an organization account, only the administrator account can disassociate a member account. For more information, see [Disassociating Security Hub CSPM member accounts from your organization](accounts-orgs-disassociate.md). For a manually invited account, either the administrator account or the member account can disassociate the account. For more information, see [Disassociating member accounts in Security Hub CSPM](securityhub-disassociate-members.md) or [Disassociating from a Security Hub CSPM administrator account](securityhub-disassociate-from-admin.md). Disassociation isn't required if you use central configuration because the Security Hub CSPM administrator can create a policy that disables Security Hub CSPM for specific member accounts.

When you disable Security Hub CSPM for an account, it's disabled only in the current Amazon Web Services Region. However, if you use central configuration to disable Security Hub CSPM for specific accounts, it's disabled in the home Region and all linked Regions.

To disable Security Hub CSPM, choose your preferred method and follow the steps.

------
#### [ Security Hub CSPM console ]

Follow these steps to disable Security Hub CSPM by using the console.

**To disable Security Hub CSPM**

1. Open the Amazon Security Hub CSPM console at [https://console.amazonaws.cn/securityhub/](https://console.amazonaws.cn/securityhub/).

1. In the navigation pane, under **Settings**, choose **General**.

1. In the **Disable Security Hub CSPM** section, choose **Disable Security Hub CSPM**.

1. When prompted for confirmation, choose **Disable Security Hub CSPM**.

------
#### [ Security Hub API ]

To disable Security Hub CSPM programmatically, use the [DisableSecurityHub](https://docs.amazonaws.cn/securityhub/1.0/APIReference/API_DisableSecurityHub.html) operation of the Amazon Security Hub API. Or, if you're using the Amazon CLI, run the [disable-security-hub](https://docs.amazonaws.cn/cli/latest/reference/securityhub/disable-security-hub.html) command. For example, the following command disables Security Hub CSPM in the current Amazon Web Services Region:

```
$ aws securityhub disable-security-hub
```

------

# Security in Amazon Security Hub CSPM

Cloud security at Amazon is the highest priority. As an Amazon customer, you benefit from a data center and network architecture that is built to meet the requirements of the most security-sensitive organizations.

Security is a shared responsibility between Amazon and you. The [shared responsibility model](https://www.amazonaws.cn/compliance/shared-responsibility-model/) describes this as security *of* the cloud and security *in* the cloud:
+ **Security of the cloud** – Amazon is responsible for protecting the infrastructure that runs Amazon services in the Amazon Cloud. Amazon also provides you with services that you can use securely. Third-party auditors regularly test and verify the effectiveness of our security as part of the [Amazon compliance programs](https://www.amazonaws.cn/compliance/programs/). To learn about the compliance programs that apply to Amazon Security Hub CSPM, see [Amazon Services in Scope by Compliance Program](https://www.amazonaws.cn/compliance/services-in-scope/).
+ **Security in the cloud** – Your responsibility is determined by the Amazon service that you use. You are also responsible for other factors including the sensitivity of your data, your company’s requirements, and applicable laws and regulations.

This documentation helps you understand how to apply the shared responsibility model when using Security Hub CSPM. The following topics show you how to configure Security Hub CSPM to meet your security and compliance objectives. You also learn how to use other Amazon services that help you to monitor and secure your Security Hub CSPM resources.

**Topics**
+ [Data protection in Amazon Security Hub CSPM](data-protection.md)
+ [Amazon Identity and Access Management for Security Hub CSPM](security-iam.md)
+ [Compliance validation for Amazon Security Hub CSPM](securityhub-compliance.md)
+ [Resilience in Amazon Security Hub](disaster-recovery-resiliency.md)
+ [Infrastructure security in Amazon Security Hub CSPM](infrastructure-security.md)
+ [Amazon Security Hub CSPM and interface VPC endpoints (Amazon PrivateLink)](security-vpc-endpoints.md)

# Data protection in Amazon Security Hub CSPM

The Amazon [shared responsibility model](https://aws.amazon.com/compliance/shared-responsibility-model/) applies to data protection in Amazon Security Hub CSPM. As described in this model, Amazon is responsible for protecting the global infrastructure that runs all of the Amazon Web Services Cloud. You are responsible for maintaining control over your content that is hosted on this infrastructure. You are also responsible for the security configuration and management tasks for the Amazon Web Services services that you use. For more information about data privacy, see the [Data Privacy FAQ](https://www.amazonaws.cn/compliance/data-privacy-faq/).

For data protection purposes, we recommend that you protect Amazon Web Services account credentials and set up individual users with Amazon IAM Identity Center or Amazon Identity and Access Management (IAM). That way, each user is given only the permissions necessary to fulfill their job duties. We also recommend that you secure your data in the following ways:
+ Use multi-factor authentication (MFA) with each account.
+ Use SSL/TLS to communicate with Amazon resources. We require TLS 1.2 and recommend TLS 1.3.
+ Set up API and user activity logging with Amazon CloudTrail. For information about using CloudTrail trails to capture Amazon activities, see [Working with CloudTrail trails](https://docs.amazonaws.cn/awscloudtrail/latest/userguide/cloudtrail-trails.html) in the *Amazon CloudTrail User Guide*.
+ Use Amazon encryption solutions, along with all default security controls within Amazon Web Services services.
+ Use advanced managed security services such as Amazon Macie, which assists in discovering and securing sensitive data that is stored in Amazon S3.
+ If you require FIPS 140-3 validated cryptographic modules when accessing Amazon through a command line interface or an API, use a FIPS endpoint. For more information about the available FIPS endpoints, see [Federal Information Processing Standard (FIPS) 140-3](https://www.amazonaws.cn/compliance/fips/).

We strongly recommend that you never put confidential or sensitive information, such as your customers' email addresses, into tags or free-form text fields such as a **Name** field. This includes when you work with Security Hub CSPM or other Amazon Web Services services using the console, API, Amazon CLI, or Amazon SDKs. Any data that you enter into tags or free-form text fields used for names may be used for billing or diagnostic logs. If you provide a URL to an external server, we strongly recommend that you do not include credentials information in the URL to validate your request to that server.

Security Hub CSPM is a multi-tenant service offering. To ensure data protection, Security Hub CSPM encrypts data at rest and data in transit between component services.

# Amazon Identity and Access Management for Security Hub CSPM

Amazon Identity and Access Management (IAM) is an Amazon Web Services service that helps an administrator securely control access to Amazon resources. IAM administrators control who can be *authenticated* (signed in) and *authorized* (have permissions) to use Security Hub resources. IAM is an Amazon Web Services service that you can use with no additional charge.

**Topics**
+ [Audience](#security_iam_audience)
+ [Authenticating with identities](#security_iam_authentication)
+ [Managing access using policies](#security_iam_access-manage)
+ [How Security Hub works with IAM](security_iam_service-with-iam.md)
+ [Identity-based policy examples for Amazon Security Hub CSPM](security_iam_id-based-policy-examples.md)
+ [Service-linked roles for Amazon Security Hub CSPM](using-service-linked-roles.md)
+ [Amazon managed policies for Security Hub](security-iam-awsmanpol.md)
+ [Troubleshooting Amazon Security Hub CSPM identity and access](security_iam_troubleshoot.md)

## Audience


How you use Amazon Identity and Access Management (IAM) differs based on your role:
+ **Service user** – Request permissions from your administrator if you cannot access features (see [Troubleshooting Amazon Security Hub CSPM identity and access](security_iam_troubleshoot.md)).
+ **Service administrator** – Determine user access and submit permission requests (see [How Security Hub works with IAM](security_iam_service-with-iam.md)).
+ **IAM administrator** – Write policies to manage access (see [Identity-based policy examples for Amazon Security Hub CSPM](security_iam_id-based-policy-examples.md)).

## Authenticating with identities


Authentication is how you sign in to Amazon using your identity credentials. You must be authenticated as the Amazon Web Services account root user, an IAM user, or by assuming an IAM role.

For programmatic access, Amazon provides an SDK and CLI to cryptographically sign requests. For more information, see [Amazon Signature Version 4 for API requests](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_sigv.html) in the *IAM User Guide*.

### Amazon Web Services account root user


When you create an Amazon Web Services account, you begin with one sign-in identity called the Amazon Web Services account *root user* that has complete access to all Amazon Web Services services and resources. We strongly recommend that you don't use the root user for everyday tasks. For tasks that require root user credentials, see [Tasks that require root user credentials](https://docs.amazonaws.cn/IAM/latest/UserGuide/id_root-user.html#root-user-tasks) in the *IAM User Guide*.

### Federated identity


As a best practice, require human users to use federation with an identity provider to access Amazon Web Services services using temporary credentials.

A *federated identity* is a user from your enterprise directory, web identity provider, or Amazon Directory Service that accesses Amazon Web Services services using credentials from an identity source. Federated identities assume roles that provide temporary credentials.

### IAM users and groups


An *[IAM user](https://docs.amazonaws.cn/IAM/latest/UserGuide/id_users.html)* is an identity with specific permissions for a single person or application. We recommend using temporary credentials instead of IAM users with long-term credentials. For more information, see [Require human users to use federation with an identity provider to access Amazon using temporary credentials](https://docs.amazonaws.cn/IAM/latest/UserGuide/best-practices.html#bp-users-federation-idp) in the *IAM User Guide*.

An *[IAM user group](https://docs.amazonaws.cn/IAM/latest/UserGuide/id_groups.html)* specifies a collection of IAM users and makes permissions easier to manage for large sets of users. For more information, see [Use cases for IAM users](https://docs.amazonaws.cn/IAM/latest/UserGuide/gs-identities-iam-users.html) in the *IAM User Guide*.

### IAM roles


An *[IAM role](https://docs.amazonaws.cn/IAM/latest/UserGuide/id_roles.html)* is an identity with specific permissions that provides temporary credentials. You can assume a role by [switching from a user to an IAM role (console)](https://docs.amazonaws.cn/IAM/latest/UserGuide/id_roles_use_switch-role-console.html) or by calling an Amazon CLI or Amazon API operation. For more information, see [Methods to assume a role](https://docs.amazonaws.cn/IAM/latest/UserGuide/id_roles_manage-assume.html) in the *IAM User Guide*.

IAM roles are useful for federated user access, temporary IAM user permissions, cross-account access, cross-service access, and applications running on Amazon EC2. For more information, see [Cross account resource access in IAM](https://docs.amazonaws.cn/IAM/latest/UserGuide/access_policies-cross-account-resource-access.html) in the *IAM User Guide*.

## Managing access using policies


You control access in Amazon by creating policies and attaching them to Amazon identities or resources. A policy defines permissions when associated with an identity or resource. Amazon evaluates these policies when a principal makes a request. Most policies are stored in Amazon as JSON documents. For more information about JSON policy documents, see [Overview of JSON policies](https://docs.amazonaws.cn/IAM/latest/UserGuide/access_policies.html#access_policies-json) in the *IAM User Guide*.

Using policies, administrators specify who has access to what by defining which **principal** can perform **actions** on what **resources**, and under what **conditions**.

By default, users and roles have no permissions. An IAM administrator creates IAM policies and adds them to roles, which users can then assume. IAM policies define permissions regardless of the method used to perform the operation.

### Identity-based policies


Identity-based policies are JSON permissions policy documents that you attach to an identity (user, group, or role). These policies control what actions identities can perform, on which resources, and under what conditions. To learn how to create an identity-based policy, see [Define custom IAM permissions with customer managed policies](https://docs.amazonaws.cn/IAM/latest/UserGuide/access_policies_create.html) in the *IAM User Guide*.

Identity-based policies can be *inline policies* (embedded directly into a single identity) or *managed policies* (standalone policies attached to multiple identities). To learn how to choose between managed and inline policies, see [Choose between managed policies and inline policies](https://docs.amazonaws.cn/IAM/latest/UserGuide/access_policies-choosing-managed-or-inline.html) in the *IAM User Guide*.

### Resource-based policies


Resource-based policies are JSON policy documents that you attach to a resource. Examples include IAM *role trust policies* and Amazon S3 *bucket policies*. In services that support resource-based policies, service administrators can use them to control access to a specific resource. You must [specify a principal](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_policies_elements_principal.html) in a resource-based policy.

Resource-based policies are inline policies that are located in that service. You can't use Amazon managed policies from IAM in a resource-based policy.

### Other policy types


Amazon supports additional policy types that can set the maximum permissions granted by more common policy types:
+ **Permissions boundaries** – Set the maximum permissions that an identity-based policy can grant to an IAM entity. For more information, see [Permissions boundaries for IAM entities](https://docs.amazonaws.cn/IAM/latest/UserGuide/access_policies_boundaries.html) in the *IAM User Guide*.
+ **Service control policies (SCPs)** – Specify the maximum permissions for an organization or organizational unit in Amazon Organizations. For more information, see [Service control policies](https://docs.amazonaws.cn/organizations/latest/userguide/orgs_manage_policies_scps.html) in the *Amazon Organizations User Guide*.
+ **Resource control policies (RCPs)** – Set the maximum available permissions for resources in your accounts. For more information, see [Resource control policies (RCPs)](https://docs.amazonaws.cn/organizations/latest/userguide/orgs_manage_policies_rcps.html) in the *Amazon Organizations User Guide*.
+ **Session policies** – Advanced policies passed as a parameter when creating a temporary session for a role or federated user. For more information, see [Session policies](https://docs.amazonaws.cn/IAM/latest/UserGuide/access_policies.html#policies_session) in the *IAM User Guide*.

### Multiple policy types


When multiple types of policies apply to a request, the resulting permissions are more complicated to understand. To learn how Amazon determines whether to allow a request when multiple policy types are involved, see [Policy evaluation logic](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_policies_evaluation-logic.html) in the *IAM User Guide*.

# How Security Hub works with IAM

Before you use Amazon Identity and Access Management (IAM) to manage access to Amazon Security Hub CSPM, learn which IAM features are available to use with Security Hub CSPM.


**IAM features you can use with Amazon Security Hub CSPM**  

| IAM feature | Security Hub CSPM support | 
| --- | --- | 
|  [Identity-based policies](#security_iam_service-with-iam-id-based-policies)  |   Yes  | 
|  [Resource-based policies](#security_iam_service-with-iam-resource-based-policies)  |   No   | 
|  [Policy actions](#security_iam_service-with-iam-id-based-policies-actions)  |   Yes  | 
|  [Policy resources](#security_iam_service-with-iam-id-based-policies-resources)  |   No   | 
|  [Policy condition keys](#security_iam_service-with-iam-id-based-policies-conditionkeys)  |   Yes  | 
|  [Access control lists (ACLs)](#security_iam_service-with-iam-acls)  |   No   | 
|  [Attribute-based access control (ABAC) – tags in policies](#security_iam_service-with-iam-tags)  |   Yes  | 
|  [Temporary credentials](#security_iam_service-with-iam-roles-tempcreds)  |   Yes  | 
|  [Forward access sessions (FAS)](#security_iam_service-with-iam-principal-permissions)  |   Yes  | 
|  [Service roles](#security_iam_service-with-iam-roles-service)  |   No   | 
|  [Service-linked roles](#security_iam_service-with-iam-roles-service-linked)  |   Yes  | 

For a high-level view of how Security Hub CSPM and other Amazon Web Services services work with most IAM features, see [Amazon Web Services services that work with IAM](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html) in the *IAM User Guide*.

## Identity-based policies for Security Hub CSPM


**Supports identity-based policies:** Yes

Identity-based policies are JSON permissions policy documents that you can attach to an identity, such as an IAM user, group of users, or role. These policies control what actions users and roles can perform, on which resources, and under what conditions. To learn how to create an identity-based policy, see [Define custom IAM permissions with customer managed policies](https://docs.amazonaws.cn/IAM/latest/UserGuide/access_policies_create.html) in the *IAM User Guide*.

With IAM identity-based policies, you can specify allowed or denied actions and resources as well as the conditions under which actions are allowed or denied. To learn about all of the elements that you can use in a JSON policy, see [IAM JSON policy elements reference](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_policies_elements.html) in the *IAM User Guide*.

Security Hub CSPM supports identity-based policies. For more information, see [Identity-based policy examples for Amazon Security Hub CSPM](security_iam_id-based-policy-examples.md).

## Resource-based policies for Security Hub CSPM

**Supports resource-based policies:** No 

Resource-based policies are JSON policy documents that you attach to a resource. Examples of resource-based policies are IAM *role trust policies* and Amazon S3 *bucket policies*. In services that support resource-based policies, service administrators can use them to control access to a specific resource. For the resource where the policy is attached, the policy defines what actions a specified principal can perform on that resource and under what conditions. You must [specify a principal](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_policies_elements_principal.html) in a resource-based policy. Principals can include accounts, users, roles, federated users, or Amazon Web Services services.

To enable cross-account access, you can specify an entire account or IAM entities in another account as the principal in a resource-based policy. For more information, see [Cross account resource access in IAM](https://docs.amazonaws.cn/IAM/latest/UserGuide/access_policies-cross-account-resource-access.html) in the *IAM User Guide*.

Security Hub CSPM does not support resource-based policies. You can't attach an IAM policy directly to a Security Hub CSPM resource.

## Policy actions for Security Hub CSPM

**Supports policy actions:** Yes

Administrators can use Amazon JSON policies to specify who has access to what. That is, which **principal** can perform **actions** on what **resources**, and under what **conditions**.

The `Action` element of a JSON policy describes the actions that you can use to allow or deny access in a policy. Include actions in a policy to grant permissions to perform the associated operation.

Policy actions in Security Hub CSPM use the following prefix before the action:

```
securityhub:
```

For example, to grant a user permission to enable Security Hub CSPM, which is an action that corresponds to the `EnableSecurityHub` operation of the Security Hub CSPM API, include the `securityhub:EnableSecurityHub` action in their policy. Policy statements must include either an `Action` or `NotAction` element. Security Hub CSPM defines its own set of actions that describe tasks that you can perform with this service.

```
"Action": "securityhub:EnableSecurityHub"
```

To specify multiple actions in a single statement, separate them with commas. For example:

```
"Action": [
      "securityhub:EnableSecurityHub",
      "securityhub:BatchEnableStandards"
]
```

You can also specify multiple actions using wildcards (*). For example, to specify all actions that begin with the word `Get`, include the following action:

```
"Action": "securityhub:Get*"
```

However, as a best practice, you should create policies that follow the principle of least privilege. In other words, you should create policies that include only the permissions that are required to perform a specific task.

The user must have access to the `DescribeStandardsControl` operation in order to have access to `BatchGetSecurityControls`, `BatchGetStandardsControlAssociations`, and `ListStandardsControlAssociations`.

The user must have access to the `UpdateStandardsControls` operation in order to have access to `BatchUpdateStandardsControlAssociations`, and `UpdateSecurityControl`.

For a list of Security Hub CSPM actions, see [Actions defined by Amazon Security Hub CSPM](https://docs.amazonaws.cn/service-authorization/latest/reference/list_awssecurityhub.html#awssecurityhub-actions-as-permissions) in the *Service Authorization Reference*. For examples of policies that specify Security Hub CSPM actions, see [Identity-based policy examples for Amazon Security Hub CSPM](security_iam_id-based-policy-examples.md).
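The two dependency rules above are easy to miss when a policy grants operations through wildcards. As an added example (not code from the Security Hub documentation), the following Python script expands `securityhub:` wildcards in an identity-based policy against a subset of the action names used in this section, reports operations that are granted without their prerequisite, and flags `securityhub:*` as not least privilege. The action subset, the lint logic and the sample policies are constructed for this example and are not the service's own.

```python
"""Least-privilege checks for a Security Hub CSPM identity-based policy.

Added example, not code from the Security Hub documentation. The action
names and the prerequisite rules are taken from the section above; the
lint logic and the sample policies are constructed for illustration.
"""
import fnmatch
import json

# Subset of the securityhub: actions mentioned in this section, not the
# full list from the Service Authorization Reference.
KNOWN_ACTIONS = {
    "EnableSecurityHub", "BatchEnableStandards", "DescribeStandardsControl",
    "BatchGetSecurityControls", "BatchGetStandardsControlAssociations",
    "ListStandardsControlAssociations", "UpdateStandardsControls",
    "BatchUpdateStandardsControlAssociations", "UpdateSecurityControl",
    "GetFindings", "ListAutomationRules", "BatchGetAutomationRules",
}

# Operation -> operation the caller must also be allowed to use (from the text above).
PREREQUISITES = {
    "BatchGetSecurityControls": "DescribeStandardsControl",
    "BatchGetStandardsControlAssociations": "DescribeStandardsControl",
    "ListStandardsControlAssociations": "DescribeStandardsControl",
    "BatchUpdateStandardsControlAssociations": "UpdateStandardsControls",
    "UpdateSecurityControl": "UpdateStandardsControls",
}


def _as_list(value):
    """IAM allows a single string or a list in Statement/Action; normalise to a list."""
    return value if isinstance(value, list) else [value]


def allowed_securityhub_actions(policy):
    """Known securityhub: operations granted by the policy's Allow statements.

    Wildcards such as securityhub:Get* are expanded against KNOWN_ACTIONS
    (IAM matches action names case-insensitively). Deny statements,
    NotAction, Resource and Condition are deliberately not evaluated; see
    the IAM policy evaluation logic linked above for the full algorithm.
    """
    granted = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue
        for action in _as_list(stmt["Action"]):
            if action == "*":
                return set(KNOWN_ACTIONS)
            service, _, op = action.partition(":")
            if service.lower() != "securityhub":
                continue
            granted |= {a for a in KNOWN_ACTIONS
                        if fnmatch.fnmatchcase(a.lower(), op.lower())}
    return granted


def lint_policy(policy):
    """Return a list of human-readable findings; an empty list means no issues."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action in ("*", "securityhub:*"):
                findings.append(f"wildcard action {action!r} is not least privilege")
    granted = allowed_securityhub_actions(policy)
    for op, prereq in sorted(PREREQUISITES.items()):
        if op in granted and prereq not in granted:
            findings.append(f"{op} is allowed but requires {prereq}")
    return findings


# Constructed sample: reads control associations via a wildcard but omits
# DescribeStandardsControl, which those operations require.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["securityhub:BatchGet*",
                 "securityhub:ListStandardsControlAssociations"],
      "Resource": "*"
    }
  ]
}
""")

# Same constructed policy with the prerequisite operation added.
FIXED_POLICY = json.loads(json.dumps(SAMPLE_POLICY))
FIXED_POLICY["Statement"][0]["Action"].append("securityhub:DescribeStandardsControl")

# Constructed sample: a broad grant of every Security Hub CSPM action.
WILDCARD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "securityhub:*", "Resource": "*"}],
}

if __name__ == "__main__":
    for name, policy in [("sample", SAMPLE_POLICY), ("fixed", FIXED_POLICY),
                         ("wildcard", WILDCARD_POLICY)]:
        print(name, "->", lint_policy(policy) or "no findings")
```

Extend `KNOWN_ACTIONS` with the full action list from the Service Authorization Reference before using the script on real policies; otherwise wildcards expand only against this page's subset.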

## Policy resources for Security Hub CSPM


**Supports policy resources:** No 

Administrators can use Amazon JSON policies to specify who has access to what. That is, which **principal** can perform **actions** on what **resources**, and under what **conditions**.

The `Resource` JSON policy element specifies the object or objects to which the action applies. As a best practice, specify a resource using its [Amazon Resource Name (ARN)](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference-arns.html). For actions that don't support resource-level permissions, use a wildcard (*) to indicate that the statement applies to all resources.

```
"Resource": "*"
```

Security Hub CSPM defines the following resource types:
+ Hub
+ Product
+ Finding aggregator, also referred to as a *cross-Region aggregator*
+ Automation rule
+ Configuration policy

You can specify these types of resources in policies by using ARNs.

For a list of Security Hub CSPM resource types and the ARN syntax for each one, see [Resource types defined by Amazon Security Hub CSPM](https://docs.amazonaws.cn/service-authorization/latest/reference/list_awssecurityhub.html#awssecurityhub-resources-for-iam-policies) in the *Service Authorization Reference*. To learn which actions you can specify for each type of resource, see [Actions defined by Amazon Security Hub CSPM](https://docs.amazonaws.cn/service-authorization/latest/reference/list_awssecurityhub.html#awssecurityhub-actions-as-permissions) in the *Service Authorization Reference*. For examples of policies that specify resources, see [Identity-based policy examples for Amazon Security Hub CSPM](security_iam_id-based-policy-examples.md).

## Policy condition keys for Security Hub CSPM

**Supports service-specific policy condition keys:** Yes

Administrators can use Amazon JSON policies to specify who has access to what. That is, which **principal** can perform **actions** on what **resources**, and under what **conditions**.

The `Condition` element specifies when statements execute based on defined criteria. You can create conditional expressions that use [condition operators](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html), such as equals or less than, to match the condition in the policy with values in the request. To see all Amazon global condition keys, see [Amazon global condition context keys](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_policies_condition-keys.html) in the *IAM User Guide*.

For a list of Security Hub CSPM condition keys, see [Condition keys for Amazon Security Hub CSPM](https://docs.amazonaws.cn/service-authorization/latest/reference/list_awssecurityhub.html#awssecurityhub-policy-keys) in the *Service Authorization Reference*. To learn which actions and resources you can use a condition key with, see [Actions defined by Amazon Security Hub CSPM](https://docs.amazonaws.cn/service-authorization/latest/reference/list_awssecurityhub.html#awssecurityhub-actions-as-permissions). For examples of policies that use condition keys, see [Identity-based policy examples for Amazon Security Hub CSPM](security_iam_id-based-policy-examples.md).

## Access control lists (ACLs) in Security Hub CSPM


**Supports ACLs:** No 

Access control lists (ACLs) control which principals (account members, users, or roles) have permissions to access a resource. ACLs are similar to resource-based policies, although they do not use the JSON policy document format.

Security Hub CSPM doesn't support ACLs, which means you can't attach an ACL to a Security Hub CSPM resource.

## Attribute-based access control (ABAC) with Security Hub CSPM

**Supports ABAC (tags in policies):** Yes

Attribute-based access control (ABAC) is an authorization strategy that defines permissions based on attributes called tags. You can attach tags to IAM entities and Amazon resources, then design ABAC policies to allow operations when the principal's tag matches the tag on the resource.

To control access based on tags, you provide tag information in the [condition element](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_policies_elements_condition.html) of a policy using the `aws:ResourceTag/key-name`, `aws:RequestTag/key-name`, or `aws:TagKeys` condition keys.

If a service supports all three condition keys for every resource type, then the value is **Yes** for the service. If a service supports all three condition keys for only some resource types, then the value is **Partial**.

For more information about ABAC, see [Define permissions with ABAC authorization](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*. To view a tutorial with steps for setting up ABAC, see [Use attribute-based access control (ABAC)](https://docs.amazonaws.cn/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html) in the *IAM User Guide*.

You can attach tags to Security Hub CSPM resources. You can also control access to resources by providing tag information in the `Condition` element of a policy.

For information about tagging Security Hub CSPM resources, see [Tagging Security Hub resources](tagging-resources.md). For an example of an identity-based policy that controls access to a resource based on tags, see [Identity-based policy examples for Amazon Security Hub CSPM](security_iam_id-based-policy-examples.md).

## Using temporary credentials with Security Hub CSPM

**Supports temporary credentials:** Yes

Temporary credentials provide short-term access to Amazon resources and are automatically created when you use federation or switch roles. Amazon recommends that you dynamically generate temporary credentials instead of using long-term access keys. For more information, see [Temporary security credentials in IAM](https://docs.amazonaws.cn/IAM/latest/UserGuide/id_credentials_temp.html) and [Amazon Web Services services that work with IAM](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html) in the *IAM User Guide*.

You can use temporary credentials to sign in with federation, assume an IAM role, or to assume a cross-account role. You obtain temporary security credentials by calling Amazon STS API operations such as [AssumeRole](https://docs.amazonaws.cn/STS/latest/APIReference/API_AssumeRole.html) or [GetFederationToken](https://docs.amazonaws.cn/STS/latest/APIReference/API_GetFederationToken.html). 

Security Hub CSPM supports the use of temporary credentials.

## Forward access sessions for Security Hub CSPM

**Supports forward access sessions (FAS):** Yes

Forward access sessions (FAS) use the permissions of the principal calling an Amazon Web Services service, combined with the permissions of the requesting Amazon Web Services service, to make requests to downstream services. For policy details when making FAS requests, see [Forward access sessions](https://docs.amazonaws.cn/IAM/latest/UserGuide/access_forward_access_sessions.html).

For example, Security Hub CSPM makes FAS requests to downstream Amazon Web Services services when you integrate Security Hub CSPM with Amazon Organizations and when you designate the delegated Security Hub CSPM administrator account for an organization in Organizations.

For other tasks, Security Hub CSPM uses a service-linked role to perform actions on your behalf. For details about this role, see [Service-linked roles for Amazon Security Hub CSPM](using-service-linked-roles.md).

## Service roles for Security Hub CSPM

Security Hub CSPM doesn't assume or use service roles. To perform actions on your behalf, Security Hub CSPM uses a service-linked role. For details about this role, see [Service-linked roles for Amazon Security Hub CSPM](using-service-linked-roles.md).

**Warning**  
Changing the permissions for a service role may create operational issues with your use of Security Hub CSPM. Edit service roles only when Security Hub CSPM provides guidance to do so.

## Service-linked roles for Security Hub CSPM

**Supports service-linked roles:** Yes

A service-linked role is a type of service role that is linked to an Amazon Web Services service. The service can assume the role to perform an action on your behalf. Service-linked roles appear in your Amazon Web Services account and are owned by the service. An IAM administrator can view, but not edit, the permissions for service-linked roles.

Security Hub CSPM uses a service-linked role to perform actions on your behalf. For details about this role, see [Service-linked roles for Amazon Security Hub CSPM](using-service-linked-roles.md).

# Identity-based policy examples for Amazon Security Hub CSPM

By default, users and roles don't have permission to create or modify Security Hub CSPM resources. They also can't perform tasks using the Amazon Web Services Management Console, Amazon CLI, or Amazon API. An administrator must create IAM policies that grant users and roles permission to perform specific API operations on the specified resources they need. The administrator must then attach those policies to the users or groups that require those permissions.

To learn how to create an IAM identity-based policy using these example JSON policy documents, see [Creating Policies on the JSON Tab](https://docs.amazonaws.cn/IAM/latest/UserGuide/access_policies_create.html#access_policies_create-json-editor) in the *IAM User Guide*.

**Topics**
+ [Policy best practices](#security_iam_service-with-iam-policy-best-practices)
+ [Using the Security Hub CSPM console](#security_iam_id-based-policy-examples-console)
+ [Example: Allow users to view their own permissions](#security_iam_id-based-policy-examples-view-own-permissions)
+ [Example: Allow users to create and manage a configuration policy](#security_iam_id-based-policy-examples-create-configuration-policy)
+ [Example: Allow users to view findings](#security_iam_id-based-policy-examples-view-findings)
+ [Example: Allow users to create and manage automation rules](#security_iam_id-based-policy-examples-create-automation-rule)

## Policy best practices


Identity-based policies determine whether someone can create, access, or delete Security Hub resources in your account. These actions can incur costs for your Amazon Web Services account. When you create or edit identity-based policies, follow these guidelines and recommendations:
+ **Get started with Amazon managed policies and move toward least-privilege permissions** – To get started granting permissions to your users and workloads, use the *Amazon managed policies* that grant permissions for many common use cases. They are available in your Amazon Web Services account. We recommend that you reduce permissions further by defining Amazon customer managed policies that are specific to your use cases. For more information, see [Amazon managed policies](https://docs.amazonaws.cn/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies) or [Amazon managed policies for job functions](https://docs.amazonaws.cn/IAM/latest/UserGuide/access_policies_job-functions.html) in the *IAM User Guide*.
+ **Apply least-privilege permissions** – When you set permissions with IAM policies, grant only the permissions required to perform a task. You do this by defining the actions that can be taken on specific resources under specific conditions, also known as *least-privilege permissions*. For more information about using IAM to apply permissions, see [Policies and permissions in IAM](https://docs.amazonaws.cn/IAM/latest/UserGuide/access_policies.html) in the *IAM User Guide*.
+ **Use conditions in IAM policies to further restrict access** – You can add a condition to your policies to limit access to actions and resources. For example, you can write a policy condition to specify that all requests must be sent using SSL. You can also use conditions to grant access to service actions if they are used through a specific Amazon Web Services service, such as Amazon CloudFormation. For more information, see [IAM JSON policy elements: Condition](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_policies_elements_condition.html) in the *IAM User Guide*.
+ **Use IAM Access Analyzer to validate your IAM policies to ensure secure and functional permissions** – IAM Access Analyzer validates new and existing policies so that the policies adhere to the IAM policy language (JSON) and IAM best practices. IAM Access Analyzer provides more than 100 policy checks and actionable recommendations to help you author secure and functional policies. For more information, see [Validate policies with IAM Access Analyzer](https://docs.amazonaws.cn/IAM/latest/UserGuide/access-analyzer-policy-validation.html) in the *IAM User Guide*.
+ **Require multi-factor authentication (MFA)** – If you have a scenario that requires IAM users or a root user in your Amazon Web Services account, turn on MFA for additional security. To require MFA when API operations are called, add MFA conditions to your policies. For more information, see [Secure API access with MFA](https://docs.amazonaws.cn/IAM/latest/UserGuide/id_credentials_mfa_configure-api-require.html) in the *IAM User Guide*.

For more information about best practices in IAM, see [Security best practices in IAM](https://docs.amazonaws.cn/IAM/latest/UserGuide/best-practices.html) in the *IAM User Guide*.

## Using the Security Hub CSPM console


To access the Amazon Security Hub CSPM console, you must have a minimum set of permissions. These permissions must allow you to list and view details about the Security Hub CSPM resources in your Amazon Web Services account. If you create an identity-based policy that is more restrictive than the minimum required permissions, the console won't function as intended for entities (users or roles) with that policy.

You don't need to allow minimum console permissions for users that are making calls only to the Amazon CLI or the Amazon API. Instead, allow access to only the actions that match the API operation that they're trying to perform.

To ensure that those users and roles can use the Security Hub CSPM console, also attach the following Amazon managed policy to the entity. For more information, see [Adding permissions to a user](https://docs.amazonaws.cn/IAM/latest/UserGuide/id_users_change-permissions.html#users_change_permissions-add-console) in the *IAM User Guide*:

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "securityhub:*",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "iam:CreateServiceLinkedRole",
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "iam:AWSServiceName": "securityhub.amazonaws.com"
                }
            }
        }
    ]
}
```

## Example: Allow users to view their own permissions


This example shows how you might create a policy that allows IAM users to view the inline and managed policies that are attached to their user identity. This policy includes permissions to complete this action on the console or programmatically using the Amazon CLI or Amazon API.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ViewOwnUserInfo",
            "Effect": "Allow",
            "Action": [
                "iam:GetUserPolicy",
                "iam:ListGroupsForUser",
                "iam:ListAttachedUserPolicies",
                "iam:ListUserPolicies",
                "iam:GetUser"
            ],
            "Resource": ["arn:aws-cn:iam::*:user/${aws:username}"]
        },
        {
            "Sid": "NavigateInConsole",
            "Effect": "Allow",
            "Action": [
                "iam:GetGroupPolicy",
                "iam:GetPolicyVersion",
                "iam:GetPolicy",
                "iam:ListAttachedGroupPolicies",
                "iam:ListGroupPolicies",
                "iam:ListPolicyVersions",
                "iam:ListPolicies",
                "iam:ListUsers"
            ],
            "Resource": "*"
        }
    ]
}
```

## Example: Allow users to create and manage a configuration policy


This example shows how you might create an IAM policy that allows a user to create, view, update, and delete configuration policies. This example policy also allows the user to start, stop, and view policy associations. For this IAM policy to work, the user must be the delegated Security Hub CSPM administrator for an organization.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CreateAndUpdateConfigurationPolicy",
            "Effect": "Allow",
            "Action": [
                "securityhub:CreateConfigurationPolicy",
                "securityhub:UpdateConfigurationPolicy"
            ],
            "Resource": "*"
        },
        {
            "Sid": "ViewConfigurationPolicy",
            "Effect": "Allow",
            "Action": [
                "securityhub:GetConfigurationPolicy",
                "securityhub:ListConfigurationPolicies"
            ],
            "Resource": "*"
        },
        {
            "Sid": "DeleteConfigurationPolicy",
            "Effect": "Allow",
            "Action": [
                "securityhub:DeleteConfigurationPolicy"
            ],
            "Resource": "*"
        },
        {
            "Sid": "ViewConfigurationPolicyAssociation",
            "Effect": "Allow",
            "Action": [
                "securityhub:BatchGetConfigurationPolicyAssociations",
                "securityhub:GetConfigurationPolicyAssociation",
                "securityhub:ListConfigurationPolicyAssociations"
            ],
            "Resource": "*"
        },
        {
            "Sid": "UpdateConfigurationPolicyAssociation",
            "Effect": "Allow",
            "Action": [
                "securityhub:StartConfigurationPolicyAssociation",
                "securityhub:StartConfigurationPolicyDisassociation"
            ],
            "Resource": "*"
        }
    ]
}
```


## Example: Allow users to view findings


This example shows how you might create an IAM policy that allows a user to view Security Hub CSPM findings.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReviewFindings",
            "Effect": "Allow",
            "Action": [
                "securityhub:GetFindings"
            ],
            "Resource": "*"
        }
    ]
}
```


## Example: Allow users to create and manage automation rules


This example shows how you might create an IAM policy that allows a user to create, view, update, and delete Security Hub CSPM automation rules. For this IAM policy to work, the user must be a Security Hub CSPM administrator. To limit permissions (for example, to allow a user to only view automation rules), remove the create, update, and delete permissions.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CreateAndUpdateAutomationRules",
            "Effect": "Allow",
            "Action": [
                "securityhub:CreateAutomationRule",
                "securityhub:BatchUpdateAutomationRules"
            ],
            "Resource": "*"
        },
        {
            "Sid": "ViewAutomationRules",
            "Effect": "Allow",
            "Action": [
                "securityhub:BatchGetAutomationRules",
                "securityhub:ListAutomationRules"
            ],
            "Resource": "*"
        },
        {
            "Sid": "DeleteAutomationRules",
            "Effect": "Allow",
            "Action": [
                "securityhub:BatchDeleteAutomationRules"
            ],
            "Resource": "*"
        }
    ]
}
```


# Service-linked roles for Amazon Security Hub CSPM

Amazon Security Hub CSPM uses an Amazon Identity and Access Management (IAM) [service-linked role](https://docs.amazonaws.cn/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#iam-term-service-linked-role) named `AWSServiceRoleForSecurityHub`. This service-linked role is an IAM role that's linked directly to Security Hub CSPM. It's predefined by Security Hub CSPM, and it includes all the permissions that Security Hub CSPM requires to call other Amazon Web Services services and monitor Amazon resources on your behalf. Security Hub CSPM uses this service-linked role in all the Amazon Web Services Regions where Security Hub CSPM is available.

A service-linked role makes setting up Security Hub CSPM easier because you don't have to manually add the necessary permissions. Security Hub CSPM defines the permissions of its service-linked role, and unless defined otherwise, only Security Hub CSPM can assume the role. The defined permissions include the trust policy and the permissions policy, and you can't attach that permissions policy to any other IAM entity.

To review the details of the service-linked role, you can use the Security Hub CSPM console. In the navigation pane, choose **General** under **Settings**. Then, in the **Service permissions** section, choose **View service permissions**.

You can delete the Security Hub CSPM service-linked role only after you disable Security Hub CSPM in all the Regions where it's enabled. This protects your Security Hub CSPM resources because you can't inadvertently remove permissions to access them.

For information about other services that support service-linked roles, see [Amazon services that work with IAM](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html) in the *IAM User Guide* and locate the services that have **Yes** in the **Service-linked roles** column. Choose a **Yes** with a link to review the service-linked role documentation for that service.

**Topics**
+ [Service-linked role permissions for Security Hub CSPM](#slr-permissions)
+ [Creating a service-linked role for Security Hub CSPM](#create-slr)
+ [Editing a service-linked role for Security Hub CSPM](#edit-slr)
+ [Deleting a service-linked role for Security Hub CSPM](#delete-slr)
+ [Service-linked role for Amazon Security Hub V2](#slr-permissions-v2)

## Service-linked role permissions for Security Hub CSPM


Security Hub CSPM uses the service-linked role named `AWSServiceRoleForSecurityHub`. It's a service-linked role required for Amazon Security Hub CSPM to access your resources. This service-linked role allows Security Hub CSPM to perform tasks such as receiving findings from other Amazon Web Services services and configuring the requisite Amazon Config infrastructure to run security checks for controls. The `AWSServiceRoleForSecurityHub` service-linked role trusts the `securityhub.amazonaws.com` service to assume the role.

The `AWSServiceRoleForSecurityHub` service-linked role uses the managed policy [`AWSSecurityHubServiceRolePolicy`](security-iam-awsmanpol.md#security-iam-awsmanpol-awssecurityhubservicerolepolicy).

You must grant permissions to allow an IAM identity (such as a role, group, or user) to create, edit, or delete a service-linked role. For the `AWSServiceRoleForSecurityHub` service-linked role to be successfully created, the IAM identity that you use to access Security Hub CSPM must have the required permissions. To grant the required permissions, attach the following policy to the IAM identity.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "securityhub:*",
            "Resource": "*"    
        },
        {
            "Effect": "Allow",
            "Action": "iam:CreateServiceLinkedRole",
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "iam:AWSServiceName": "securityhub.amazonaws.com"
                }
            }
        }
    ]
}
```


## Creating a service-linked role for Security Hub CSPM


The `AWSServiceRoleForSecurityHub` service-linked role is created automatically when you enable Security Hub CSPM for the first time or you enable Security Hub CSPM in a Region where you didn't previously enable it. You can also create the `AWSServiceRoleForSecurityHub` service-linked role manually by using the IAM console, the IAM CLI, or the IAM API. For more information about creating the role manually, see [Creating a service-linked role](https://docs.amazonaws.cn/IAM/latest/UserGuide/using-service-linked-roles.html#create-service-linked-role) in the *IAM User Guide*.

**Important**  
The service-linked role that's created for a Security Hub CSPM administrator account doesn't apply to associated Security Hub CSPM member accounts.

## Editing a service-linked role for Security Hub CSPM


Security Hub CSPM doesn't allow you to edit the `AWSServiceRoleForSecurityHub` service-linked role. After you create a service-linked role, you can't change the name of the role because various entities might reference the role. However, you can edit the description of the role by using IAM. For more information, see [Editing a service-linked role](https://docs.amazonaws.cn/IAM/latest/UserGuide/using-service-linked-roles.html#edit-service-linked-role) in the *IAM User Guide*.

## Deleting a service-linked role for Security Hub CSPM


If you no longer need to use a feature or service that requires a service-linked role, we recommend that you delete the role. That way, you don't have an unused entity that isn't actively monitored or maintained.

When you disable Security Hub CSPM, Security Hub CSPM doesn't automatically delete the `AWSServiceRoleForSecurityHub` service-linked role for you. If you enable Security Hub CSPM again, the service can then start using the existing service-linked role again. If you no longer need to use Security Hub CSPM, you can manually delete the service-linked role.

**Important**  
Before you delete the `AWSServiceRoleForSecurityHub` service-linked role, you must first disable Security Hub CSPM in all the Regions where it's enabled. For more information, see [Disabling Security Hub CSPM](securityhub-disable.md). If Security Hub CSPM isn't disabled when you try to delete the service-linked role, the deletion fails.

To delete the `AWSServiceRoleForSecurityHub` service-linked role, you can use the IAM console, the IAM CLI, or the IAM API. For more information, see [Deleting a service-linked role](https://docs.amazonaws.cn/IAM/latest/UserGuide/using-service-linked-roles.html#delete-service-linked-role) in the *IAM User Guide*.

## Service-linked role for Amazon Security Hub V2


Security Hub V2 uses the service-linked role named `AWSServiceRoleForSecurityHubV2`. This service-linked role allows Security Hub V2 to manage Amazon Config rules and resources for your organization and on your behalf. The `AWSServiceRoleForSecurityHubV2` service-linked role trusts the `securityhub.amazonaws.com` service to assume the role.

The `AWSServiceRoleForSecurityHubV2` service-linked role uses the managed policy [`AWSSecurityHubV2ServiceRolePolicy`](security-iam-awsmanpol.md#security-iam-awsmanpol-awssecurityhubv2servicerolepolicy).

**Permissions details**  
This policy includes the following permissions:
+ `cloudwatch` – Allows the role to retrieve metrics data to support metering capabilities for Security Hub resources.
+ `config` – Allows the role to manage service-linked configuration recorders for Security Hub resources, including support for global Amazon Config recorders.
+ `ecr` – Allows the role to retrieve information about Amazon Elastic Container Registry images and repositories to support metering capabilities.
+ `iam` – Allows the role to create the service-linked role for Amazon Config and retrieve account information to support metering capabilities.
+ `lambda` – Allows the role to retrieve Amazon Lambda function information to support metering capabilities.
+ `organizations` – Allows the role to retrieve account and organizational unit (OU) information for an organization.
+ `securityhub` – Allows the role to manage the Security Hub configuration.
+ `tag` – Allows the role to retrieve information about resource tags.

You must grant permissions to allow an IAM identity (such as a role, group, or user) to create, edit, or delete a service-linked role. For the `AWSServiceRoleForSecurityHubV2` service-linked role to be successfully created, the IAM identity that you use to access must have the required permissions. To grant the required permissions, attach the following policy to the IAM identity.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "securityhub:*",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "iam:CreateServiceLinkedRole",
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "iam:AWSServiceName": "securityhub.amazonaws.com"
                }
            }
        }
    ]
}
```
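The second statement matters for least privilege: `iam:CreateServiceLinkedRole` without the `iam:AWSServiceName` condition lets an identity create the service-linked role of any service. The following added example (not AWS code) lints an identity policy for exactly that, using a copy of the page's policy and a constructed over-broad variant; `check_policy` and the `BROAD_POLICY` document are assumptions of the example.

```python
# Added example (not AWS code): lint an identity policy for the permissions needed to
# create the AWSServiceRoleForSecurityHubV2 service-linked role, and flag any
# iam:CreateServiceLinkedRole grant that is not scoped with iam:AWSServiceName.
import json
from fnmatch import fnmatchcase

SECURITY_HUB_SERVICE = "securityhub.amazonaws.com"

# Copy of the policy document shown on this page.
PAGE_POLICY = json.loads("""
{
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "securityhub:*", "Resource": "*"},
        {
            "Effect": "Allow",
            "Action": "iam:CreateServiceLinkedRole",
            "Resource": "*",
            "Condition": {"StringLike": {"iam:AWSServiceName": "securityhub.amazonaws.com"}}
        }
    ]
}
""")

# Constructed contrast: same intent, but the CreateServiceLinkedRole grant is unconditioned,
# so the identity could create the service-linked role of any service.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["securityhub:*", "iam:CreateServiceLinkedRole"], "Resource": "*"}
    ],
}


def _as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(pattern: str, action: str) -> bool:
    """IAM action names match case-insensitively, with * and ? wildcards."""
    return fnmatchcase(action.lower(), pattern.lower())


def _allowed_service_names(statement: dict) -> list:
    """Values of the iam:AWSServiceName condition key (StringEquals or StringLike)."""
    condition = statement.get("Condition", {})
    names = []
    for operator in ("StringEquals", "StringLike"):
        names += _as_list(condition.get(operator, {}).get("iam:AWSServiceName"))
    return names


def slr_create_statements(policy: dict) -> list:
    """Allow statements that grant iam:CreateServiceLinkedRole, directly or via a wildcard."""
    return [
        s for s in _as_list(policy.get("Statement"))
        if s.get("Effect") == "Allow"
        and any(_action_matches(a, "iam:CreateServiceLinkedRole") for a in _as_list(s.get("Action")))
    ]


def can_create_service_linked_role(policy: dict, service: str = SECURITY_HUB_SERVICE) -> bool:
    """True if the policy lets the identity create the service-linked role for `service`.

    A grant with no iam:AWSServiceName condition covers every service; a conditioned grant
    covers only the listed (possibly wildcarded) service principals.
    """
    for statement in slr_create_statements(policy):
        names = _allowed_service_names(statement)
        if not names or any(fnmatchcase(service, n) for n in names):
            return True
    return False


def unscoped_slr_grants(policy: dict) -> list:
    """CreateServiceLinkedRole grants with no iam:AWSServiceName condition (broader than this page's policy)."""
    return [s for s in slr_create_statements(policy) if not _allowed_service_names(s)]


def allows_all_securityhub_actions(policy: dict) -> bool:
    """True if some Allow statement carries the securityhub:* (or *) action wildcard."""
    return any(
        s.get("Effect") == "Allow"
        and any(a.lower() in ("securityhub:*", "*") for a in _as_list(s.get("Action")))
        for s in _as_list(policy.get("Statement"))
    )


def check_policy(policy: dict) -> dict:
    """One-line summary a reviewer can compare against the page's policy."""
    return {
        "can_create_securityhub_slr": can_create_service_linked_role(policy),
        "unscoped_slr_grants": len(unscoped_slr_grants(policy)),
        "allows_all_securityhub_actions": allows_all_securityhub_actions(policy),
    }


if __name__ == "__main__":
    print("page policy :", check_policy(PAGE_POLICY))
    print("broad policy:", check_policy(BROAD_POLICY))
```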

### Creating a service-linked role for Amazon Security Hub V2


The `AWSServiceRoleForSecurityHubV2` service-linked role is created automatically when you enable Security Hub for the first time or when you enable it in a Region where you didn't previously enable it. You can also create the `AWSServiceRoleForSecurityHubV2` service-linked role manually by using the IAM console, the IAM CLI, or the IAM API. For more information about creating the role manually, see [Creating a service-linked role](https://docs.amazonaws.cn/IAM/latest/UserGuide/using-service-linked-roles.html#create-service-linked-role) in the *IAM User Guide*.

**Important**  
The service-linked role that's created for a Security Hub administrator account doesn't apply to associated member accounts.

### Editing a service-linked role for Amazon Security Hub V2


Security Hub doesn't allow you to edit the `AWSServiceRoleForSecurityHubV2` service-linked role. After you create a service-linked role, you can't change the name of the role because various entities might reference the role. However, you can edit the description of the role by using IAM. For more information, see [Editing a service-linked role](https://docs.amazonaws.cn/IAM/latest/UserGuide/using-service-linked-roles.html#edit-service-linked-role) in the *IAM User Guide*.

### Deleting a service-linked role for Amazon Security Hub V2


If you no longer need to use a feature or service that requires a service-linked role, we recommend that you delete the role. That way, you don't have an unused entity that isn't actively monitored or maintained.

When you disable Security Hub, Security Hub doesn't automatically delete the `AWSServiceRoleForSecurityHubV2` service-linked role for you. If you enable Security Hub again, the service can then start using the existing service-linked role again. If you no longer need to use Security Hub, you can manually delete the service-linked role.

**Important**  
Before you delete the `AWSServiceRoleForSecurityHubV2` service-linked role, you must first disable Security Hub in all the Regions where it's enabled. For more information, see [Disabling Security Hub CSPM](securityhub-disable.md). If Security Hub isn't disabled when you try to delete the service-linked role, the deletion fails.

To delete the `AWSServiceRoleForSecurityHubV2` service-linked role, you can use the IAM console, the IAM CLI, or the IAM API. For more information, see [Deleting a service-linked role](https://docs.amazonaws.cn/IAM/latest/UserGuide/using-service-linked-roles.html#delete-service-linked-role) in the *IAM User Guide*.

# Amazon managed policies for Security Hub

An Amazon managed policy is a standalone policy that is created and administered by Amazon. Amazon managed policies are designed to provide permissions for many common use cases so that you can start assigning permissions to users, groups, and roles.

Keep in mind that Amazon managed policies might not grant least-privilege permissions for your specific use cases because they're available for all Amazon customers to use. We recommend that you reduce permissions further by defining [ customer managed policies](https://docs.amazonaws.cn/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#customer-managed-policies) that are specific to your use cases.

You cannot change the permissions defined in Amazon managed policies. If Amazon updates the permissions defined in an Amazon managed policy, the update affects all principal identities (users, groups, and roles) that the policy is attached to. Amazon is most likely to update an Amazon managed policy when a new Amazon Web Services service is launched or new API operations become available for existing services.

For more information, see [Amazon managed policies](https://docs.amazonaws.cn/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies) in the *IAM User Guide*.



## Amazon managed policy: AWSSecurityHubFullAccess

You can attach the `AWSSecurityHubFullAccess` policy to your IAM identities.

This policy grants administrative permissions that allow a principal full access to all Security Hub CSPM actions. This policy must be attached to a principal before they enable Security Hub CSPM manually for their account. For example, principals with these permissions can both view and update the status of findings. They can also configure custom insights, enable integrations, and enable and disable standards and controls. Principals for an administrator account can also manage member accounts.

**Permissions details**

This policy includes the following permissions:
+ `securityhub` – Allows principals full access to all Security Hub CSPM actions.
+ `guardduty` – Allows principals to perform full lifecycle management of a detector, organization admin management, member account management, and organization-wide configuration in Amazon GuardDuty. This includes API actions: GetDetector, ListDetector, CreateDetector, UpdateDetector, DeleteDetector, EnableOrganizationAdminAccount, ListOrganizationAdminAccounts, CreateMembers, UpdateOrganizationConfiguration, DescribeOrganizationConfiguration.
+ `iam` – Allows principals to create a service-linked role for Security Hub CSPM and Security Hub and to get roles, policies, and policy versions.
+ `inspector` – Allows principals to get information about account status, enable or disable, delegate admin management, and perform organization configuration management in Amazon Inspector. This includes API actions: BatchGetAccountStatus, Enable, Disable, EnableDelegatedAdminAccount, DisableDelegatedAdminAccount, ListDelegatedAdminAccounts, UpdateOrganizationConfiguration, DescribeOrganizationConfiguration.
+ `pricing` – Allows principals to get a price list of Amazon Web Services services and products.
+ `account` – Allows principals to get information about account Regions to support Region management in Security Hub.

To review the permissions for this policy, see [https://docs.amazonaws.cn/aws-managed-policy/latest/reference/AWSSecurityHubFullAccess.html](https://docs.amazonaws.cn/aws-managed-policy/latest/reference/AWSSecurityHubFullAccess.html) in the *Amazon Managed Policy Reference Guide*.

## Amazon managed policy: AWSSecurityHubReadOnlyAccess

You can attach the `AWSSecurityHubReadOnlyAccess` policy to your IAM identities.

This policy grants read-only permissions that allow users to view information in Security Hub CSPM. Principals with this policy attached cannot make any updates in Security Hub CSPM. For example, principals with these permissions can view the list of findings associated with their account, but cannot change the status of a finding. They can view the results of insights, but cannot create or configure custom insights. They cannot configure controls or product integrations.

**Permissions details**

This policy includes the following permissions:
+ `securityhub` – Allows users to perform actions that return a list of items or details about an item. This includes API operations that start with `Get`, `List`, or `Describe`.

To review the permissions for this policy, see [https://docs.amazonaws.cn/aws-managed-policy/latest/reference/AWSSecurityHubReadOnlyAccess.html](https://docs.amazonaws.cn/aws-managed-policy/latest/reference/AWSSecurityHubReadOnlyAccess.html) in the *Amazon Managed Policy Reference Guide*.

## Amazon managed policy: AWSSecurityHubOrganizationsAccess

 You can attach the `AWSSecurityHubOrganizationsAccess` policy to your IAM identities. 

This policy grants administrative permissions to enable and manage Security Hub, Security Hub CSPM, Amazon GuardDuty and Amazon Inspector for an organization in Amazon Organizations. The permissions for this policy allow the organization management account to designate the delegated administrator account for Security Hub, Security Hub CSPM, Amazon GuardDuty and Amazon Inspector. They also allow the delegated administrator account to enable organization accounts as member accounts. 

This policy only provides permissions for Amazon Organizations. The organization management account and delegated administrator account also require permissions for associated actions. These permissions can be granted using the `AWSSecurityHubFullAccess` managed policy. 

Creating or updating a delegated administrator policy in a management account requires additional permissions that are not provided in this policy. To perform these actions, it is recommended to add permissions for `organizations:PutResourcePolicy` or to attach the AWSOrganizationsFullAccess policy.

**Permissions details**

This policy includes the following permissions:
+ `organizations:ListAccounts` – Allows principals to retrieve the list of accounts that are part of an organization.
+ `organizations:DescribeOrganization` – Allows principals to retrieve information about the organization.
+ `organizations:ListRoots` – Allows principals to list the root of an organization.
+ `organizations:ListDelegatedAdministrators` – Allows principals to list the delegated administrator of an organization.
+ `organizations:ListAWSServiceAccessForOrganization` – Allows principals to list the Amazon Web Services services that an organization uses.
+ `organizations:ListOrganizationalUnitsForParent` – Allows principals to list the child organizational units (OU) of a parent OU.
+ `organizations:ListAccountsForParent` – Allows principals to list the child accounts of a parent OU.
+  `organizations:ListParents` – Lists the root or organizational units (OUs) that serve as the immediate parent of the specified child OU or account. 
+ `organizations:DescribeAccount` – Allows principals to retrieve information about an account in the organization.
+ `organizations:DescribeOrganizationalUnit` – Allows principals to retrieve information about an OU in the organization.
+  `organizations:ListPolicies` – Retrieves the list of all policies in an organization of a specified type. 
+  `organizations:ListPoliciesForTarget` – Lists the policies that are directly attached to the specified target root, organizational unit (OU), or account. 
+  `organizations:ListTargetsForPolicy` – Lists all the roots, organizational units (OUs), and accounts that the specified policy is attached to. 
+ `organizations:EnableAWSServiceAccess` – Allows principals to enable the integration with Organizations.
+ `organizations:RegisterDelegatedAdministrator` – Allows principals to designate the delegated administrator account.
+ `organizations:DeregisterDelegatedAdministrator` – Allows principals to remove the delegated administrator account.
+  `organizations:DescribePolicy` – Retrieves information about a policy. 
+  `organizations:DescribeEffectivePolicy` – Returns the contents of the effective policy for specified policy type and account. 
+  `organizations:CreatePolicy` – Creates a policy of a specified type that you can attach to a root, an organizational unit (OU), or an individual Amazon account. 
+  `organizations:UpdatePolicy` – Updates an existing policy with a new name, description, or content. 
+  `organizations:DeletePolicy` – Deletes the specified policy from your organization. 
+  `organizations:AttachPolicy` – Attaches a policy to a root, an organizational unit (OU), or an individual account. 
+  `organizations:DetachPolicy` – Detaches a policy from a target root, organizational unit (OU), or account. 
+  `organizations:EnablePolicyType` – Enables a policy type in a root. 
+  `organizations:DisablePolicyType` – Disables an organizational policy type in a root. 
+  `organizations:TagResource` – Adds one or more tags to a specified resource. 
+  `organizations:UntagResource` – Removes any tags with the specified keys from a specified resource. 
+  `organizations:ListTagsForResource` – Lists tags that are attached to a specified resource. 
+  `organizations:DescribeResourcePolicy` – Retrieves information about a resource policy. 

To review the permissions for this policy, see [https://docs.amazonaws.cn/aws-managed-policy/latest/reference/AWSSecurityHubOrganizationsAccess.html](https://docs.amazonaws.cn/aws-managed-policy/latest/reference/AWSSecurityHubOrganizationsAccess.html) in the *Amazon Managed Policy Reference Guide*.

## Amazon managed policy: AWSSecurityHubServiceRolePolicy

You can't attach `AWSSecurityHubServiceRolePolicy` to your IAM entities. This policy is attached to a service-linked role that allows Security Hub CSPM to perform actions on your behalf. For more information, see [Service-linked roles for Amazon Security Hub CSPM](using-service-linked-roles.md).

This policy grants administrative permissions that allow the service-linked role to perform tasks such as run security checks for Security Hub CSPM controls.

**Permissions details**

This policy includes the following permissions:
+ `cloudtrail` – Retrieve information about CloudTrail trails.
+ `cloudwatch` – Retrieve current CloudWatch alarms.
+ `logs` – Retrieve metric filters for CloudWatch logs.
+ `sns` – Retrieve the list of subscriptions to an SNS topic.
+ `config` – Retrieve information about configuration recorders, resources, and Amazon Config rules. Also allows the service-linked role to create and delete Amazon Config rules, and to run evaluations against the rules.
+ `iam` – Retrieve and generate credential reports for accounts.
+ `organizations` – Retrieve account and organizational unit (OU) information for an organization.
+ `securityhub` – Retrieve information about how the Security Hub CSPM service, standards, and controls are configured.
+ `tag` – Retrieve information about resource tags.

To review the permissions for this policy, see [https://docs.amazonaws.cn/aws-managed-policy/latest/reference/AWSSecurityHubServiceRolePolicy.html](https://docs.amazonaws.cn/aws-managed-policy/latest/reference/AWSSecurityHubServiceRolePolicy.html) in the *Amazon Managed Policy Reference Guide*.

## Amazon managed policy: AWSSecurityHubV2ServiceRolePolicy

**Note**  
 Security Hub is in preview release and subject to change. 

This policy allows Security Hub to manage Amazon Config rules and Security Hub resources for your organization and on your behalf. This policy is attached to a service-linked role that allows the service to perform actions on your behalf. You cannot attach this policy to your IAM identities. For more information, see [Service-linked roles for Amazon Security Hub CSPM](using-service-linked-roles.md). 

**Permissions details**  
 This policy includes the following permissions: 
+  `cloudwatch` – Retrieve metrics data to support metering capabilities for Security Hub resources. 
+  `config` – Manage service-linked configuration recorders for Security Hub resources, including support for global Config recorders. 
+  `ecr` – Retrieve information about Amazon Elastic Container Registry images and repositories to support metering capabilities. 
+  `iam` – Create the service-linked role for Amazon Config and retrieve account information to support metering capabilities. 
+  `lambda` – Retrieve Amazon Lambda function information to support metering capabilities. 
+  `organizations` – Retrieve account and organizational unit (OU) information for an organization. 
+  `securityhub` – Manage the Security Hub configuration. 
+  `tag` – Retrieve information about resource tags. 

To review the permissions for this policy, see [https://docs.amazonaws.cn/aws-managed-policy/latest/reference/AWSSecurityHubV2ServiceRolePolicy.html](https://docs.amazonaws.cn/aws-managed-policy/latest/reference/AWSSecurityHubV2ServiceRolePolicy.html) in the *Amazon Managed Policy Reference Guide*.

## Security Hub updates to Amazon managed policies

The following table provides details about updates to Amazon managed policies for Amazon Security Hub and Security Hub CSPM since this service began tracking these changes. For automatic alerts about updates to the policies, subscribe to the RSS feed on the [Security Hub document history](doc-history.md) page.

| Change | Description | Date | 
| --- | --- | --- | 
|   [AWSSecurityHubOrganizationsAccess](#security-iam-awsmanpol-awssecurityhuborganizationsaccess) – Updated policy   |  Security Hub updated the policy to add permissions to describe resource policies to support Security Hub features. Security Hub is in preview release and subject to change.   | November 12, 2025 | 
|   [AWSSecurityHubFullAccess](#security-iam-awsmanpol-awssecurityhubfullaccess) – Updated policy   |  Security Hub updated the policy to add capabilities around managing GuardDuty, Amazon Inspector, and account management to support Security Hub features. Security Hub is in preview release and subject to change.   | November 17, 2025 | 
|   [AWSSecurityHubV2ServiceRolePolicy](#security-iam-awsmanpol-awssecurityhubv2servicerolepolicy) – Updated policy   |  Security Hub updated the policy to add metering capabilities for Amazon Elastic Container Registry, Amazon Lambda, Amazon CloudWatch, and Amazon Identity and Access Management to support Security Hub features. The update also added support for global Amazon Config recorders. Security Hub is in preview release and subject to change.   | November 5, 2025 | 
|  [AWSSecurityHubOrganizationsAccess](#security-iam-awsmanpol-awssecurityhuborganizationsaccess) – Update to an existing policy  | Security Hub added new permissions to the policy. The permissions allow the organization management to enable and manage Security Hub and Security Hub CSPM for an organization.  | June 17, 2025 | 
|   [AWSSecurityHubFullAccess](#security-iam-awsmanpol-awssecurityhubfullaccess) – Update to an existing policy  |  Security Hub CSPM added new permissions that allow principals to create a service-linked role for Security Hub.  | June 17, 2025 | 
| [AWSSecurityHubFullAccess ](#security-iam-awsmanpol-awssecurityhubfullaccess) – Update to an existing policy  | Security Hub CSPM updated the policy to get pricing details for Amazon Web Services services and products.  | April 24, 2024 | 
| [AWSSecurityHubReadOnlyAccess ](#security-iam-awsmanpol-awssecurityhubreadonlyaccess) – Update to an existing policy  | Security Hub CSPM updated this managed policy by adding a Sid field.  | February 22, 2024 | 
| [AWSSecurityHubFullAccess ](#security-iam-awsmanpol-awssecurityhubfullaccess) – Update to an existing policy  | Security Hub CSPM updated the policy so it can determine if Amazon GuardDuty and Amazon Inspector are enabled in an account. This helps customers bring together security-related information from multiple Amazon Web Services services.  | November 16, 2023 | 
| [AWSSecurityHubOrganizationsAccess ](#security-iam-awsmanpol-awssecurityhuborganizationsaccess) – Update to an existing policy  | Security Hub CSPM updated the policy to grant additional permissions to allow read-only access to Amazon Organizations delegated administrator functionality. This includes details like the root, organizational units (OUs), accounts, organizational structure, and service access.  | November 16, 2023 | 
| [AWSSecurityHubServiceRolePolicy](#security-iam-awsmanpol-awssecurityhubservicerolepolicy) – Update to an existing policy  | Security Hub CSPM added the BatchGetSecurityControls, DisassociateFromAdministratorAccount, and UpdateSecurityControl permissions to read and update customizable security control properties.  | November 26, 2023 | 
| [AWSSecurityHubServiceRolePolicy](#security-iam-awsmanpol-awssecurityhubservicerolepolicy) – Update to an existing policy  | Security Hub CSPM added the tag:GetResources permission to read resource tags related to findings.  | November 7, 2023 | 
| [AWSSecurityHubServiceRolePolicy](#security-iam-awsmanpol-awssecurityhubservicerolepolicy) – Update to an existing policy  | Security Hub CSPM added the BatchGetStandardsControlAssociations permission to get information about the enablement status of a control in a standard.  | September 27, 2023 | 
| [AWSSecurityHubServiceRolePolicy](#security-iam-awsmanpol-awssecurityhubservicerolepolicy) – Update to an existing policy  | Security Hub CSPM added new permissions to get Amazon Organizations data and read and update Security Hub CSPM configurations, including standards and controls.  | September 20, 2023 | 
| [AWSSecurityHubServiceRolePolicy](#security-iam-awsmanpol-awssecurityhubservicerolepolicy) – Update to an existing policy  | Security Hub CSPM moved the existing config:DescribeConfigRuleEvaluationStatus permission to a different statement within the policy. The config:DescribeConfigRuleEvaluationStatus permission is now applied to all resources.  | March 17, 2023 | 
| [AWSSecurityHubServiceRolePolicy](#security-iam-awsmanpol-awssecurityhubservicerolepolicy) – Update to an existing policy  |  Security Hub CSPM moved the existing config:PutEvaluations permission to a different statement within the policy. The config:PutEvaluations permission is now applied to all resources.  | July 14, 2021 | 
| [AWSSecurityHubServiceRolePolicy](#security-iam-awsmanpol-awssecurityhubservicerolepolicy) – Update to an existing policy  | Security Hub CSPM added a new permission to allow the service-linked role to deliver evaluation results to Amazon Config.  | June 29, 2021 | 
| [AWSSecurityHubServiceRolePolicy](#security-iam-awsmanpol-awssecurityhubservicerolepolicy) – Added to the list of managed policies  | Added information about the managed policy AWSSecurityHubServiceRolePolicy, which is used by the Security Hub CSPM service-linked role.  | June 11, 2021 | 
| [AWSSecurityHubOrganizationsAccess ](#security-iam-awsmanpol-awssecurityhuborganizationsaccess) – New policy  | Security Hub CSPM added a new policy that grants permissions that are needed for the Security Hub CSPM integration with Organizations.  | March 15, 2021 | 
| Security Hub CSPM started tracking changes  | Security Hub CSPM started tracking changes for its Amazon managed policies.  | March 15, 2021 | 

# Troubleshooting Amazon Security Hub CSPM identity and access

Use the following information to help you diagnose and fix common issues that you might encounter when working with Amazon Security Hub CSPM and IAM.

**Topics**
+ [I am not authorized to perform an action in Security Hub CSPM](#security_iam_troubleshoot-no-permissions)
+ [I am not authorized to perform iam:PassRole](#security_iam_troubleshoot-passrole)
+ [I want programmatic access to Security Hub CSPM](#security_iam_troubleshoot-access-keys)
+ [I'm an administrator and want to allow others to access Security Hub CSPM](#security_iam_troubleshoot-admin-delegate)
+ [I want to allow people outside my Amazon Web Services account to access my Security Hub CSPM resources](#security_iam_troubleshoot-cross-account-access)

## I am not authorized to perform an action in Security Hub CSPM


If the Amazon Web Services Management Console tells you that you're not authorized to perform an action, then you must contact your administrator for assistance. Your administrator is the person who provided you with your sign-in credentials.

The following example error occurs when the user `mateojackson` tries to use the console to view details about a *widget* but does not have `securityhub:GetWidget` permissions.

```
User: arn:aws-cn:iam::123456789012:user/mateojackson is not authorized to perform: securityhub:GetWidget on resource: my-example-widget
```

In this case, Mateo asks his administrator to update his policies to allow him to access the `my-example-widget` resource using the `securityhub:GetWidget` action.

## I am not authorized to perform iam:PassRole


If you receive an error that you're not authorized to perform the `iam:PassRole` action, your policies must be updated to allow you to pass a role to Security Hub.

Some Amazon Web Services services allow you to pass an existing role to that service instead of creating a new service role or service-linked role. To do this, you must have permissions to pass the role to the service.

The following example error occurs when an IAM user named `marymajor` tries to use the console to perform an action in Security Hub. However, the action requires the service to have permissions that are granted by a service role. Mary does not have permissions to pass the role to the service.

```
User: arn:aws-cn:iam::123456789012:user/marymajor is not authorized to perform: iam:PassRole
```

In this case, Mary's policies must be updated to allow her to perform the `iam:PassRole` action.

If you need help, contact your Amazon administrator. Your administrator is the person who provided you with your sign-in credentials.
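Both error messages above carry everything an administrator needs to write the narrowest fix. The following added example (not AWS code) parses that message format into a single `Allow` statement and, for `iam:PassRole`, scopes the grant with the `iam:PassedToService` condition so the role can be passed only to Security Hub; the function names, the `Sid` value and the two copied messages are the example's own.

```python
# Added example (not AWS code): turn an IAM "is not authorized to perform" message into
# the smallest Allow statement that would satisfy it, for an administrator to review.
import json
import re

SECURITY_HUB_SERVICE = "securityhub.amazonaws.com"

# The two messages shown on this page (copied here so the example runs offline).
WIDGET_ERROR = ("User: arn:aws-cn:iam::123456789012:user/mateojackson is not authorized "
                "to perform: securityhub:GetWidget on resource: my-example-widget")
PASSROLE_ERROR = "User: arn:aws-cn:iam::123456789012:user/marymajor is not authorized to perform: iam:PassRole"

# Principal ARN, "service:Action", and an optional "on resource: ..." suffix.
ACCESS_DENIED_RE = re.compile(
    r"User: (?P<principal>arn:\S+) is not authorized to perform: "
    r"(?P<action>[A-Za-z0-9-]+:[A-Za-z0-9*]+)"
    r"(?: on resource: (?P<resource>\S+))?"
)


def parse_access_denied(message: str):
    """Return {'principal', 'action', 'resource'} from the message, or None if it is not one."""
    match = ACCESS_DENIED_RE.search(message)
    return match.groupdict() if match else None


def minimal_allow_statement(message: str, passed_to_service: str = SECURITY_HUB_SERVICE):
    """Smallest Allow statement for the denied action; None if the message does not parse."""
    parsed = parse_access_denied(message)
    if parsed is None:
        return None
    statement = {
        "Sid": "AllowFromAccessDeniedMessage",
        "Effect": "Allow",
        "Action": parsed["action"],
        # The console may report a resource name rather than an ARN; an administrator
        # should substitute the full ARN before attaching the statement.
        "Resource": parsed["resource"] or "*",
    }
    if parsed["action"].lower() == "iam:passrole":
        # Allow passing roles only to Security Hub, not to any service. "Resource" should
        # also be narrowed to the ARN of the specific role that Security Hub needs.
        statement["Condition"] = {"StringEquals": {"iam:PassedToService": passed_to_service}}
    return statement


def policy_document(*statements: dict) -> dict:
    """Wrap statements in a policy document ready for review."""
    return {"Version": "2012-10-17", "Statement": list(statements)}


if __name__ == "__main__":
    doc = policy_document(minimal_allow_statement(WIDGET_ERROR), minimal_allow_statement(PASSROLE_ERROR))
    print(json.dumps(doc, indent=4))
```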

## I want programmatic access to Security Hub CSPM


Users need programmatic access if they want to interact with Amazon outside of the Amazon Web Services Management Console. The Amazon APIs and the Amazon Command Line Interface require access keys. Whenever possible, create temporary credentials that consist of an access key ID, a secret access key, and a security token that indicates when the credentials expire.

To grant users programmatic access, choose one of the following options.


| Which user needs programmatic access? | To | By | 
| --- | --- | --- | 
| IAM | Use short-term credentials to sign programmatic requests to the Amazon CLI or Amazon APIs (directly or by using the Amazon SDKs). | Following the instructions in [Using temporary credentials with Amazon resources](https://docs.amazonaws.cn//IAM/latest/UserGuide/id_credentials_temp_use-resources.html) in the IAM User Guide. | 
| IAM | (Not recommended) Use long-term credentials to sign programmatic requests to the Amazon CLI or Amazon APIs (directly or by using the Amazon SDKs). | Following the instructions in [Managing access keys for IAM users](https://docs.amazonaws.cn//IAM/latest/UserGuide/id_credentials_access-keys.html) in the IAM User Guide. | 

## I'm an administrator and want to allow others to access Security Hub CSPM


To provide access, add permissions to your users, groups, or roles:
+ Users managed in IAM through an identity provider:

  Create a role for identity federation. Follow the instructions in [Create a role for a third-party identity provider (federation)](https://docs.amazonaws.cn//IAM/latest/UserGuide/id_roles_create_for-idp.html) in the *IAM User Guide*.
+ IAM users:
  + Create a role that your user can assume. Follow the instructions in [Create a role for an IAM user](https://docs.amazonaws.cn//IAM/latest/UserGuide/id_roles_create_for-user.html) in the *IAM User Guide*.
  + (Not recommended) Attach a policy directly to a user or add a user to a user group. Follow the instructions in [Adding permissions to a user (console)](https://docs.amazonaws.cn//IAM/latest/UserGuide/id_users_change-permissions.html#users_change_permissions-add-console) in the *IAM User Guide*.

## I want to allow people outside my Amazon Web Services account to access my Security Hub CSPM resources


You can create a role that users in other accounts or people outside of your organization can use to access your resources. You can specify who is trusted to assume the role. For services that support resource-based policies or access control lists (ACLs), you can use those policies to grant people access to your resources.

To learn more, consult the following:
+ To learn whether Security Hub supports these features, see [How Security Hub works with IAM](security_iam_service-with-iam.md).
+ To learn how to provide access to your resources across Amazon Web Services accounts that you own, see [Providing access to an IAM user in another Amazon Web Services account that you own](https://docs.amazonaws.cn/IAM/latest/UserGuide/id_roles_common-scenarios_aws-accounts.html) in the *IAM User Guide*.
+ To learn how to provide access to your resources to third-party Amazon Web Services accounts, see [Providing access to Amazon Web Services accounts owned by third parties](https://docs.amazonaws.cn/IAM/latest/UserGuide/id_roles_common-scenarios_third-party.html) in the *IAM User Guide*.
+ To learn how to provide access through identity federation, see [Providing access to externally authenticated users (identity federation)](https://docs.amazonaws.cn/IAM/latest/UserGuide/id_roles_common-scenarios_federated-users.html) in the *IAM User Guide*.
+ To learn the difference between using roles and resource-based policies for cross-account access, see [Cross account resource access in IAM](https://docs.amazonaws.cn/IAM/latest/UserGuide/access_policies-cross-account-resource-access.html) in the *IAM User Guide*.

# Compliance validation for Amazon Security Hub CSPM

To learn whether an Amazon Web Services service is within the scope of specific compliance programs, see [Amazon Web Services services in Scope by Compliance Program](https://aws.amazon.com/compliance/services-in-scope/) and choose the compliance program that you are interested in. For general information, see [Amazon Web Services Compliance Programs](https://aws.amazon.com/compliance/programs/).

You can download third-party audit reports using Amazon Artifact. For more information, see [Downloading Reports in Amazon Artifact](https://docs.aws.amazon.com/artifact/latest/ug/downloading-documents.html).

Your compliance responsibility when using Amazon Web Services services is determined by the sensitivity of your data, your company's compliance objectives, and applicable laws and regulations. For more information about your compliance responsibility when using Amazon Web Services services, see [Amazon Security Documentation](https://docs.amazonaws.cn/security/).

# Resilience in Amazon Security Hub

The Amazon global infrastructure is built around Amazon Web Services Regions and Availability Zones. Regions provide multiple physically separated and isolated Availability Zones, which are connected through low-latency, high-throughput, and highly redundant networking. With Availability Zones, you can design and operate applications and databases that automatically fail over between zones without interruption. Availability Zones are more highly available, fault tolerant, and scalable than traditional single or multiple data center infrastructures.

For more information about Amazon Web Services Regions and Availability Zones, see [Amazon Global Infrastructure](https://www.amazonaws.cn/about-aws/global-infrastructure/).

# Infrastructure security in Amazon Security Hub CSPM
Infrastructure security

As a managed service, Amazon Security Hub CSPM is protected by Amazon global network security. For information about Amazon security services and how Amazon protects infrastructure, see [Amazon Cloud Security](https://www.amazonaws.cn/security/). To design your Amazon environment using the best practices for infrastructure security, see [Infrastructure Protection](https://docs.amazonaws.cn/wellarchitected/latest/security-pillar/infrastructure-protection.html) in *Security Pillar Amazon Well-Architected Framework*.

You use Amazon published API calls to access Security Hub CSPM through the network. Clients must support the following:
+ Transport Layer Security (TLS). We require TLS 1.2 and recommend TLS 1.3.
+ Cipher suites with perfect forward secrecy (PFS) such as DHE (Ephemeral Diffie-Hellman) or ECDHE (Elliptic Curve Ephemeral Diffie-Hellman). Most modern systems such as Java 7 and later support these modes.

# Amazon Security Hub CSPM and interface VPC endpoints (Amazon PrivateLink)
VPC endpoints (Amazon PrivateLink)

You can establish a private connection between your VPC and Amazon Security Hub CSPM by creating an *interface VPC endpoint*. Interface endpoints are powered by [Amazon PrivateLink](https://www.amazonaws.cn/privatelink), a technology that enables you to privately access Security Hub CSPM APIs without an internet gateway, NAT device, VPN connection, or Amazon Direct Connect connection. Instances in your VPC don't need public IP addresses to communicate with Security Hub CSPM APIs. Traffic between your VPC and Security Hub CSPM does not leave the Amazon network. 

Each interface endpoint is represented by one or more [Elastic Network Interfaces](https://docs.amazonaws.cn/AWSEC2/latest/UserGuide/using-eni.html) in your subnets. For more information, see [Access an Amazon Web Services service using an interface VPC endpoint](https://docs.amazonaws.cn/vpc/latest/privatelink/vpce-interface.html) in the *Amazon Virtual Private Cloud Guide*. 

## Considerations for Security Hub CSPM VPC endpoints


Before you set up an interface VPC endpoint for Security Hub CSPM, ensure that you review the prerequisites and other information in the [Amazon Virtual Private Cloud Guide](https://docs.amazonaws.cn/vpc/latest/privatelink/what-is-privatelink.html). 

Security Hub CSPM supports making calls to all of its API actions from your VPC. 

## Creating an interface VPC endpoint for Security Hub CSPM


You can create a VPC endpoint for the Security Hub CSPM service using either the Amazon VPC console or the Amazon Command Line Interface (Amazon CLI). For more information, see [Create a VPC endpoint](https://docs.amazonaws.cn/vpc/latest/privatelink/vpce-interface.html#create-interface-endpoint) in the *Amazon Virtual Private Cloud Guide*.

Create a VPC endpoint for Security Hub CSPM using the following service name:

`com.amazonaws.region.securityhub` 

Where *region* is the Region code for the applicable Amazon Web Services Region.

If you enable private DNS for the endpoint, you can make API requests to Security Hub CSPM using its default DNS name for the Region, for example, `securityhub.us-east-1.amazonaws.com` for the US East (N. Virginia) Region. 

## Creating a VPC endpoint policy for Security Hub CSPM


You can attach an endpoint policy to your VPC endpoint that controls access to Security Hub CSPM. The policy specifies the following information:
+ The principal that can perform actions.
+ The actions that can be performed.
+ The resources on which actions can be performed.

For more information, see [Control access to VPC endpoints using endpoint policies](https://docs.amazonaws.cn/vpc/latest/privatelink/vpc-endpoints-access.html) in the *Amazon Virtual Private Cloud Guide*. 

**Example: VPC endpoint policy for Security Hub CSPM actions**  
The following is an example of an endpoint policy for Security Hub CSPM. When attached to an endpoint, this policy grants access to the listed Security Hub CSPM actions for all principals on all resources.

```
{
   "Statement":[
      {
         "Principal":"*",
         "Effect":"Allow",
         "Action":[
            "securityhub:getFindings",
            "securityhub:getEnabledStandards",
            "securityhub:getInsights"
         ],
         "Resource":"*"
      }
   ]
}
```
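To see what the policy above actually grants, here is an added example (not code from the Security Hub CSPM documentation) that builds the endpoint service name from a Region code, places the page's policy next to a tightened variant that limits it to principals from a single account, and runs a minimal evaluator over both. The account ID is a constructed placeholder; `aws:PrincipalAccount` is a global IAM condition key, and the evaluator models only `Allow` statements with that one condition.

```python
from fnmatch import fnmatchcase

# Constructed account ID for this example; not a value from the documentation.
ACCOUNT_ID = "111122223333"

def securityhub_endpoint_service_name(region):
    """Service name used when creating the interface endpoint (format given on the page)."""
    return f"com.amazonaws.{region}.securityhub"

# The page's example endpoint policy: any principal, three read actions, any resource.
READ_ACTIONS = ["securityhub:getFindings", "securityhub:getEnabledStandards",
                "securityhub:getInsights"]
PAGE_POLICY = {"Statement": [
    {"Principal": "*", "Effect": "Allow", "Action": READ_ACTIONS, "Resource": "*"}]}

# Tightened variant: same actions, but only for principals from our own account.
# aws:PrincipalAccount is a global IAM condition key usable in endpoint policies.
TIGHTENED_POLICY = {"Statement": [
    {"Principal": "*", "Effect": "Allow", "Action": READ_ACTIONS, "Resource": "*",
     "Condition": {"StringEquals": {"aws:PrincipalAccount": ACCOUNT_ID}}}]}

def endpoint_allows(policy, action, principal_account):
    """Minimal evaluator for the Allow-only policies above.

    IAM matches action names case-insensitively and honours '*' wildcards; only
    the StringEquals/aws:PrincipalAccount condition is modelled. Deny statements,
    other condition keys and the caller's own IAM permissions are out of scope:
    an endpoint policy gates the endpoint, it never adds permissions by itself."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(fnmatchcase(action.lower(), pattern.lower()) for pattern in actions):
            continue
        wanted = stmt.get("Condition", {}).get("StringEquals", {}).get("aws:PrincipalAccount")
        if wanted is not None and wanted != principal_account:
            continue  # statement matched the action but not this caller's account
        return True
    return False

if __name__ == "__main__":
    print(securityhub_endpoint_service_name("us-east-1"))
    for account in (ACCOUNT_ID, "999999999999"):
        print(account, endpoint_allows(PAGE_POLICY, "securityhub:GetFindings", account),
              endpoint_allows(TIGHTENED_POLICY, "securityhub:GetFindings", account))
```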

## Shared subnets


You can't create, describe, modify, or delete VPC endpoints in subnets that are shared with you. However, you can use the VPC endpoints in subnets that are shared with you. For information about VPC sharing, see [Share your VPC subnets with other accounts](https://docs.amazonaws.cn/vpc/latest/userguide/vpc-sharing.html) in the *Amazon Virtual Private Cloud Guide*.

# Logging Security Hub API calls with CloudTrail
Logging API calls

Amazon Security Hub CSPM is integrated with Amazon CloudTrail, a service that provides a record of actions taken by a user, role, or an Amazon service in Security Hub CSPM. CloudTrail captures API calls for Security Hub CSPM as events. The captured calls include calls from the Security Hub CSPM console and code calls to the Security Hub CSPM API operations. If you create a trail, you can enable continuous delivery of CloudTrail events to an Amazon S3 bucket, including events for Security Hub CSPM. If you don't configure a trail, you can still view the most recent events on the CloudTrail console in **Event history**. Using the information that CloudTrail collects, you can determine the request that was made to Security Hub CSPM, the IP address that the request was made from, who made the request, when it was made, and additional details. 

To learn more about CloudTrail, including how to configure and enable it, see the [Amazon CloudTrail User Guide](https://docs.amazonaws.cn/awscloudtrail/latest/userguide/cloudtrail-user-guide.html).

## Security Hub CSPM information in CloudTrail


CloudTrail is enabled on your Amazon Web Services account when you create the account. When supported event activity occurs in Security Hub CSPM, that activity is recorded in a CloudTrail event along with other Amazon service events in **Event history**. You can view, search, and download recent events in your account. For more information, see [Viewing events with CloudTrail event history](https://docs.amazonaws.cn/awscloudtrail/latest/userguide/view-cloudtrail-events.html). 

For an ongoing record of events in your account, including events for Security Hub CSPM, create a trail. A *trail* enables CloudTrail to deliver log files to an Amazon S3 bucket. By default, when you create a trail on the console, the trail applies to all Amazon Regions. The trail logs events from all Regions in the Amazon partition and delivers the log files to the Amazon S3 bucket that you specify. Additionally, you can configure other Amazon services to further analyze and act upon the event data collected in CloudTrail logs. For more information, see the following: 
+ [Overview for creating a trail](https://docs.amazonaws.cn/awscloudtrail/latest/userguide/cloudtrail-create-and-update-a-trail.html)
+ [CloudTrail supported services and integrations](https://docs.amazonaws.cn/awscloudtrail/latest/userguide/cloudtrail-aws-service-specific-topics.html#cloudtrail-aws-service-specific-topics-integrations)
+ [Configuring Amazon SNS notifications for CloudTrail](https://docs.amazonaws.cn/awscloudtrail/latest/userguide/configure-sns-notifications-for-cloudtrail.html)
+ [Receiving CloudTrail log files from multiple regions](https://docs.amazonaws.cn/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html) and [Receiving CloudTrail log files from multiple accounts](https://docs.amazonaws.cn/awscloudtrail/latest/userguide/cloudtrail-receive-logs-from-multiple-accounts.html)

Security Hub CSPM supports logging all of the Security Hub CSPM API actions as events in CloudTrail logs. To view a list of Security Hub CSPM operations, see the [Security Hub CSPM API Reference](https://docs.amazonaws.cn/securityhub/1.0/APIReference/Welcome.html).

When activity for the following actions is logged to CloudTrail, the value for `responseElements` is set to `null`. This ensures that sensitive information isn't included in CloudTrail logs.
+ `BatchImportFindings`
+ `GetFindings`
+ `GetInsights`
+ `GetMembers`
+ `UpdateFindings`

Every event or log entry contains information about who generated the request. The identity information helps you determine the following: 
+ Whether the request was made with root or Amazon Identity and Access Management (IAM) user credentials
+ Whether the request was made with temporary security credentials for a role or federated user
+ Whether the request was made by another Amazon service

For more information, see the [CloudTrail userIdentity element](https://docs.amazonaws.cn/awscloudtrail/latest/userguide/cloudtrail-event-reference-user-identity.html).

## Example: Security Hub CSPM log file entries


A trail is a configuration that enables delivery of events as log files to an Amazon S3 bucket that you specify. CloudTrail log files contain one or more log entries. An event represents a single request from any source and includes information about the requested action, the date and time of the action, request parameters, and so on. CloudTrail log files aren't an ordered stack trace of the public API calls, so they don't appear in any specific order.

The following example shows a CloudTrail log entry that demonstrates the `CreateInsight` action. In this example, an insight called `Test Insight` is created. The `ResourceId` attribute is specified as the **Group by** aggregator, and no optional filters for this insight are specified. For more information about insights, see [Viewing insights in Security Hub CSPM](securityhub-insights.md).

```
{
    "eventVersion": "1.05",
    "userIdentity": {
        "type": "IAMUser",
        "principalId": "AIDAJK6U5DS22IAVUI7BW",
        "arn": "arn:aws-cn:iam::012345678901:user/TestUser",
        "accountId": "012345678901",
        "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
        "userName": "TestUser"
    },
    "eventTime": "2018-11-25T01:02:18Z",
    "eventSource": "securityhub.amazonaws.com",
    "eventName": "CreateInsight",
    "awsRegion": "us-west-2",
    "sourceIPAddress": "205.251.233.179",
    "userAgent": "aws-cli/1.11.76 Python/2.7.10 Darwin/17.7.0 botocore/1.5.39",
    "requestParameters": {
        "Filters": {},
        "ResultField": "ResourceId",
        "Name": "Test Insight"
    },
    "responseElements": {
        "InsightArn": "arn:aws-cn:securityhub:us-west-2:0123456789010:insight/custom/f4c4890b-ac6b-4c26-95f9-e62cc46f3055"
    },
    "requestID": "c0fffccd-f04d-11e8-93fc-ddcd14710066",
    "eventID": "3dabcebf-35b0-443f-a1a2-26e186ce23bf",
    "readOnly": false,
    "eventType": "AwsApiCall",
    "recipientAccountId": "012345678901"
}
```
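The following added example (not code from the Security Hub CSPM documentation) turns the points above into a small triage pass over a CloudTrail log file: it keeps only `securityhub.amazonaws.com` events, classifies each by the credential kind that `userIdentity.type` reveals, records who, when and from where, and checks that `responseElements` is null for the actions this page says are redacted. The log file is constructed inline with placeholder account IDs and documentation IP ranges.

```python
import json

# Actions whose responseElements CloudTrail sets to null (listed on this page).
REDACTED_RESPONSE_ACTIONS = {"BatchImportFindings", "GetFindings", "GetInsights",
                             "GetMembers", "UpdateFindings"}
# userIdentity.type -> credential kind the page says the identity information reveals
CREDENTIAL_KIND = {"Root": "root", "IAMUser": "iam-user", "AssumedRole": "temporary",
                   "FederatedUser": "temporary", "AWSService": "service"}

def summarize_securityhub_events(records):
    """One triage row per Security Hub CSPM event: who, from where, when, plus flags."""
    rows = []
    for rec in records:
        if rec.get("eventSource") != "securityhub.amazonaws.com":
            continue  # a trail also carries other services' events
        ident, flags = rec.get("userIdentity", {}), []
        if ident.get("type") == "Root":
            flags.append("root-credentials")  # root use deserves a closer look
        if not rec.get("readOnly", True):
            flags.append("mutating-call")  # changes Security Hub CSPM state
        if rec.get("eventName") in REDACTED_RESPONSE_ACTIONS and rec.get("responseElements") is not None:
            flags.append("unexpected-response-elements")  # the page says this should be null
        rows.append({"time": rec.get("eventTime"), "action": rec.get("eventName"),
                     "credential_kind": CREDENTIAL_KIND.get(ident.get("type"), "unknown"),
                     "arn": ident.get("arn"), "source_ip": rec.get("sourceIPAddress"),
                     "flags": flags})
    return rows

def triage_log_file(text):
    """Parse one CloudTrail log file (a JSON object with a Records list) and summarize it."""
    return summarize_securityhub_events(json.loads(text)["Records"])

# Constructed sample log file trimmed to the fields used above; not real CloudTrail output.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventSource": "securityhub.amazonaws.com", "eventName": "CreateInsight", "readOnly": False,
     "eventTime": "2024-01-01T10:00:00Z", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/analyst"},
     "responseElements": {"InsightArn": "arn:aws:securityhub:us-east-1:111122223333:insight/custom/EXAMPLE"}},
    {"eventSource": "securityhub.amazonaws.com", "eventName": "GetFindings", "readOnly": True,
     "eventTime": "2024-01-01T10:05:00Z", "sourceIPAddress": "198.51.100.7", "responseElements": None,
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/SecOps/s1"}},
    {"eventSource": "securityhub.amazonaws.com", "eventName": "UpdateFindings", "readOnly": False,
     "eventTime": "2024-01-01T10:09:00Z", "sourceIPAddress": "203.0.113.9", "responseElements": None,
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances", "readOnly": True,
     "eventTime": "2024-01-01T10:10:00Z", "userIdentity": {"type": "IAMUser"}}]})

if __name__ == "__main__":
    for row in triage_log_file(SAMPLE_LOG):
        print(row)
```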