合并对 ASFF 字段和值的影响
Amazon Security Hub CSPM 提供两种类型的控件整合:
-
整合控件视图 – 通过这种类型的整合,每个控件在所有标准中都有一个标识符。此外,在 Security Hub CSPM 控制台上,控件页面显示所有标准的所有控件。
-
整合的控件调查发现 – 通过这种整合,Security Hub CSPM 可以为控件生成一个调查发现,即使该控件适用于多个已启用标准也是如此。这样可以减少调查发现噪音。
您无法启用或禁用整合控件视图。如果您在 2023 年 2 月 23 日当天或之后启用 Security Hub CSPM,则默认情况下会启用整合的控件调查发现。否则,默认情况下禁用。但是,对于组织,只有当为管理员账户启用整合的控件调查发现时,Security Hub CSPM 成员帐户才能启用该功能。要了解有关整合的控件调查发现的更多信息,请参阅生成和更新控件调查发现。
这两种类型的整合都会影响 Amazon安全调查发现格式 (ASFF) 安全调查发现格式 (ASFF) 中控件调查发现的字段和值。
整合的控件视图——ASFF 变更
整合的控件视图功能对 ASFF 中的控件调查发现的字段和值进行了以下更改。如果您的工作流不依赖于这些 ASFF 字段的值,则无需执行任何操作。如果有工作流依赖于这些字段的特定值,请更新工作流以使用当前值。
| ASFF 字段 | 整合的控件视图之前的样本值 | 整合的控件视图后的样本值以及更改描述 |
|---|---|---|
|
Compliance.SecurityControlId |
不适用(新字段) |
EC2.2 引入各类标准的单一控件 ID。 |
|
Compliance.AssociatedStandards |
不适用(新字段) |
[{"StandardsId": "standards/aws-foundational-security-best-practices/v/1.0.0"}] 显示启用控件的标准。 |
|
ProductFields.ArchivalReasons:0/Description |
不适用(新字段) |
“调查发现处于已存档状态,因为整合的控件调查发现已开启或关闭。这会导致在生成新调查发现时存档先前状态的调查发现。” 描述 Security Hub CSPM 为何对现有调查发现进行存档。 |
|
ProductFields.ArchivalReasons:0/ReasonCode |
不适用(新字段) |
"CONSOLIDATED_CONTROL_FINDINGS_UPDATE" 提供 Security Hub CSPM 存档现有调查发现的原因。 |
|
ProductFields.RecommendationUrl |
https://docs.aws.amazon.com/console/securityhub/PCI.EC2.2/remediation |
https://docs.aws.amazon.com/console/securityhub/EC2.2/remediation 此字段不再引用标准。 |
|
Remediation.Recommendation.Text |
“有关如何解决此问题的说明,请参阅 Amazon Security Hub CSPM PCI DSS 文档。” |
“有关如何更正此问题的说明,请参阅 Amazon Security Hub CSPM 控件文档。” 此字段不再引用标准。 |
|
Remediation.Recommendation.Url |
https://docs.aws.amazon.com/console/securityhub/PCI.EC2.2/remediation |
https://docs.aws.amazon.com/console/securityhub/EC2.2/remediation 此字段不再引用标准。 |
整合的控件调查发现——ASFF 的变化
如果您启用整合的控件调查发现,则可能会受到 ASFF 中的控件调查发现的字段和值的以下更改影响。这些更改是对整合的控件视图功能引入的更改的补充。如果您的工作流不依赖于这些 ASFF 字段的值,则无需执行任何操作。如果有工作流依赖于这些字段的特定值,请更新工作流以使用当前值。
提示
如果您使用的是 Amazon 上的自动化安全响应 v2.0.0
| ASFF 字段 | 启用整合的控件调查发现之前的示例值 | 启用整合的控件调查发现后的示例值和更改的描述 |
|---|---|---|
| GeneratorId | aws-foundational-security-best-practices/v/1.0.0/Config.1 |
security-control/Config.1 此字段不再引用标准。 |
| 标题 | PCI.Config.1 应启用 Amazon Config |
应该启用了 Amazon Config 该字段将不再引用特定于标准的信息。 |
| Id |
arn:aws:securityhub:eu-central-1:123456789012:subscription/pci-dss/v/3.2.1/PCI.IAM.5/finding/ab6d6a26-a156-48f0-9403-115983e5a956 |
arn:aws:securityhub:eu-central-1:123456789012:security-control/iam.9/finding/ab6d6a26-a156-48f0-9403-115983e5a956 此字段不再引用标准。 |
| ProductFields.ControlId | PCI.EC2.2 |
已删除。请改而参阅 该字段已被删除,取而代之的是单一的、与标准无关的控制 ID。 |
| ProductFields.RuleId | 1.3 |
已删除。请改而参阅 该字段已被删除,取而代之的是单一的、与标准无关的控制 ID。 |
| 描述 | 该 PCI DSS 控件检查是否在当前账户和区域中启用了 Amazon Config。 |
该 Amazon 控件检查是否在当前账户和区域中启用了 Amazon Config。 此字段不再引用标准。 |
| 严重性 |
"Severity": { “产品”:90, “标签”:“重大”, “标准化”:90, “原始”:“重大” } |
"Severity": { “标签”:“重大”, “标准化”:90, “原始”:“重大” } Security Hub CSPM 将不再使用“产品”字段描述调查发现的严重性。 |
| 类型 | [“软件和配置检查/行业和监管标准/PCI-DSS”] | [“软件和配置检查/行业和监管标准”] 此字段不再引用标准。 |
| Compliance.RelatedRequirements |
["PCI DSS 10.5.2", "PCI DSS 11.5", "CIS Amazon Foundations 2.5"] |
["PCI DSS v3.2.1/10.5.2", "PCI DSS v3.2.1/11.5", “CIS Amazon 基金会基准 v1.2.0/2.5”] 该字段将显示所有启用标准中的相关要求。 |
| CreatedAt | 2022-05-05T08:18:13.138Z |
2022-09-25T08:18:13.138Z 格式将保持不变,但是当您打开整合的控件调查发现时,值将重置。 |
| FirstObservedAt |
2022-05-07T08:18:13.138Z |
2022-09-28T08:18:13.138Z 格式将保持不变,但是当您打开整合的控件调查发现时,值将重置。 |
| ProductFields.RecommendationUrl | https://docs.aws.amazon.com/console/securityhub/EC2.2/remediation |
已删除。请改而参阅 |
| ProductFields.StandardsArn |
arn:aws:securityhub:::standards/aws-foundational-security-best-practices/v/1.0.0 |
已删除。请改而参阅 |
| ProductFields.StandardsControlArn |
arn:aws:securityhub:us-east-1:123456789012:control/aws-foundational-security-best-practices/v/1.0.0/Config.1 |
已删除。Security Hub CSPM 针对各标准的安全检查生成调查发现。 |
| ProductFields.StandardsGuideArn | arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0 |
已删除。请改而参阅 |
| ProductFields.StandardsGuideSubscriptionArn | arn:aws:securityhub:us-east-2:123456789012:subscription/cis-aws-foundations-benchmark/v/1.2.0 |
已删除。Security Hub CSPM 针对各标准的安全检查生成调查发现。 |
| ProductFields.StandardsSubscriptionArn | arn:aws:securityhub:us-east-1:123456789012:subscription/aws-foundational-security-best-practices/v/1.0.0 |
已删除。Security Hub CSPM 针对各标准的安全检查生成调查发现。 |
| ProductFields.aws/securityhub/FindingId | arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:123456789012:subscription/aws-foundational-security-best-practices/v/1.0.0/Config.1/finding/751c2173-7372-4e12-8656-a5210dfb1d67 |
arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:123456789012:security-control/Config.1/finding/751c2173-7372-4e12-8656-a5210dfb1d67 此字段不再引用标准。 |
启用整合的控件调查发现后,客户提供的 ASFF 字段的值
如果您启用整合的控件调查发现,Security Hub CSPM 会生成一个各类标准的调查发现并存档原始调查发现(每个标准都有单独的调查发现)。
使用 Security Hub CSPM 控制台或 BatchUpdateFindings 操作对原始调查发现所做的更新将不会保留在新调查发现中。如有必要,您可以参考存档的调查发现来恢复此数据。要查看已存档的调查发现,您可以使用 Security Hub CSPM 控制台上的调查发现页面,并将记录状态筛选条件设置为 ARCHIVED。或者,您可以使用 Security Hub CSPM API 的 GetFindings 操作。
| 客户提供的 ASFF 字段 | 启用整合的控件调查发现后的更改的描述 |
|---|---|
| 置信度 | 重置为空状态。 |
| 严重性 | 重置为空状态。 |
| 注意 | 重置为空状态。 |
| 相关结果 | 重置为空状态。 |
| 严重性 | 调查发现的默认严重性(与控件的严重性相匹配)。 |
| 类型 | 重置为与标准无关的值。 |
| 用户定义字段 | 重置为空状态。 |
| 验证状态 | 重置为空状态。 |
| 工作流 | 新的失败调查发现的默认值为 NEW。新通过的调查发现的默认值为 RESOLVED。 |
启用整合的控件调查发现之前和之后的生成器 ID
下表列出了启用整合的控件调查发现时控件的生成器 ID 值的变化。这些更改适用于自 2023 年 2 月 15 日起 Security Hub CSPM 支持的控件。
| 启用整合的控件调查发现之前的生成器 ID | 启用整合的控件调查发现之后的生成器 ID |
|---|---|
|
arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/1.1 |
security-control/CloudWatch.1 |
|
arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/1.10 |
security-control/IAM.16 |
|
arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/1.11 |
security-control/IAM.17 |
|
arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/1.12 |
security-control/IAM.4 |
|
arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/1.13 |
security-control/IAM.9 |
|
arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/1.14 |
security-control/IAM.6 |
|
arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/1.16 |
security-control/IAM.2 |
|
arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/1.2 |
security-control/IAM.5 |
|
arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/1.20 |
security-control/IAM.18 |
|
arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/1.22 |
security-control/IAM.1 |
|
arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/1.3 |
security-control/IAM.8 |
|
arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/1.4 |
security-control/IAM.3 |
|
arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/1.5 |
security-control/IAM.11 |
|
arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/1.6 |
security-control/IAM.12 |
|
arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/1.7 |
security-control/IAM.13 |
|
arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/1.8 |
security-control/IAM.14 |
|
arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/1.9 |
security-control/IAM.15 |
|
arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/2.1 |
security-control/CloudTrail.1 |
|
arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/2.2 |
security-control/CloudTrail.4 |
|
arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/2.3 |
security-control/CloudTrail.6 |
|
arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/2.4 |
security-control/CloudTrail.5 |
|
arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/2.5 |
security-control/Config.1 |
|
arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/2.6 |
security-control/CloudTrail.7 |
|
arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/2.7 |
security-control/CloudTrail.2 |
|
arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/2.8 |
security-control/KMS.4 |
|
arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/2.9 |
security-control/EC2.6 |
|
arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/3.1 |
security-control/CloudWatch.2 |
|
arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/3.2 |
security-control/CloudWatch.3 |
|
arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/3.3 |
security-control/CloudWatch.1 |
|
arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/3.4 |
security-control/CloudWatch.4 |
|
arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/3.5 |
security-control/CloudWatch.5 |
|
arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/3.6 |
security-control/CloudWatch.6 |
|
arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/3.7 |
security-control/CloudWatch.7 |
|
arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/3.8 |
security-control/CloudWatch.8 |
|
arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/3.9 |
security-control/CloudWatch.9 |
|
arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/3.10 |
security-control/CloudWatch.10 |
|
arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/3.11 |
security-control/CloudWatch.11 |
|
arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/3.12 |
security-control/CloudWatch.12 |
|
arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/3.13 |
security-control/CloudWatch.13 |
|
arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/3.14 |
security-control/CloudWatch.14 |
|
arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/4.1 |
security-control/EC2.13 |
|
arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/4.2 |
security-control/EC2.14 |
|
arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/4.3 |
security-control/EC2.2 |
|
cis-aws-foundations-benchmark/v/1.4.0/1.10 |
security-control/IAM.5 |
|
cis-aws-foundations-benchmark/v/1.4.0/1.14 |
security-control/IAM.3 |
|
cis-aws-foundations-benchmark/v/1.4.0/1.16 |
security-control/IAM.1 |
|
cis-aws-foundations-benchmark/v/1.4.0/1.17 |
security-control/IAM.18 |
|
cis-aws-foundations-benchmark/v/1.4.0/1.4 |
security-control/IAM.4 |
|
cis-aws-foundations-benchmark/v/1.4.0/1.5 |
security-control/IAM.9 |
|
cis-aws-foundations-benchmark/v/1.4.0/1.6 |
security-control/IAM.6 |
|
cis-aws-foundations-benchmark/v/1.4.0/1.7 |
security-control/CloudWatch.1 |
|
cis-aws-foundations-benchmark/v/1.4.0/1.8 |
security-control/IAM.15 |
|
cis-aws-foundations-benchmark/v/1.4.0/1.9 |
security-control/IAM.16 |
|
cis-aws-foundations-benchmark/v/1.4.0/2.1.2 |
security-control/S3.5 |
|
cis-aws-foundations-benchmark/v/1.4.0/2.1.5.1 |
security-control/S3.1 |
|
cis-aws-foundations-benchmark/v/1.4.0/2.1.5.2 |
security-control/S3.8 |
|
cis-aws-foundations-benchmark/v/1.4.0/2.2.1 |
security-control/EC2.7 |
|
cis-aws-foundations-benchmark/v/1.4.0/2.3.1 |
security-control/RDS.3 |
|
cis-aws-foundations-benchmark/v/1.4.0/3.1 |
security-control/CloudTrail.1 |
|
cis-aws-foundations-benchmark/v/1.4.0/3.2 |
security-control/CloudTrail.4 |
|
cis-aws-foundations-benchmark/v/1.4.0/3.4 |
security-control/CloudTrail.5 |
|
cis-aws-foundations-benchmark/v/1.4.0/3.5 |
security-control/Config.1 |
|
cis-aws-foundations-benchmark/v/1.4.0/3.6 |
security-control/S3.9 |
|
cis-aws-foundations-benchmark/v/1.4.0/3.7 |
security-control/CloudTrail.2 |
|
cis-aws-foundations-benchmark/v/1.4.0/3.8 |
security-control/KMS.4 |
|
cis-aws-foundations-benchmark/v/1.4.0/3.9 |
security-control/EC2.6 |
|
cis-aws-foundations-benchmark/v/1.4.0/4.3 |
security-control/CloudWatch.1 |
|
cis-aws-foundations-benchmark/v/1.4.0/4.4 |
security-control/CloudWatch.4 |
|
cis-aws-foundations-benchmark/v/1.4.0/4.5 |
security-control/CloudWatch.5 |
|
cis-aws-foundations-benchmark/v/1.4.0/4.6 |
security-control/CloudWatch.6 |
|
cis-aws-foundations-benchmark/v/1.4.0/4.7 |
security-control/CloudWatch.7 |
|
cis-aws-foundations-benchmark/v/1.4.0/4.8 |
security-control/CloudWatch.8 |
|
cis-aws-foundations-benchmark/v/1.4.0/4.9 |
security-control/CloudWatch.9 |
|
cis-aws-foundations-benchmark/v/1.4.0/4.10 |
security-control/CloudWatch.10 |
|
cis-aws-foundations-benchmark/v/1.4.0/4.11 |
security-control/CloudWatch.11 |
|
cis-aws-foundations-benchmark/v/1.4.0/4.12 |
security-control/CloudWatch.12 |
|
cis-aws-foundations-benchmark/v/1.4.0/4.13 |
security-control/CloudWatch.13 |
|
cis-aws-foundations-benchmark/v/1.4.0/4.14 |
security-control/CloudWatch.14 |
|
cis-aws-foundations-benchmark/v/1.4.0/5.1 |
security-control/EC2.21 |
|
cis-aws-foundations-benchmark/v/1.4.0/5.3 |
security-control/EC2.2 |
|
aws-foundational-security-best-practices/v/1.0.0/Account.1 |
security-control/Account.1 |
|
aws-foundational-security-best-practices/v/1.0.0/ACM.1 |
security-control/ACM.1 |
|
aws-foundational-security-best-practices/v/1.0.0/APIGateway.1 |
security-control/APIGateway.1 |
|
aws-foundational-security-best-practices/v/1.0.0/APIGateway.2 |
security-control/APIGateway.2 |
|
aws-foundational-security-best-practices/v/1.0.0/APIGateway.3 |
security-control/APIGateway.3 |
|
aws-foundational-security-best-practices/v/1.0.0/APIGateway.4 |
security-control/APIGateway.4 |
|
aws-foundational-security-best-practices/v/1.0.0/APIGateway.5 |
security-control/APIGateway.5 |
|
aws-foundational-security-best-practices/v/1.0.0/APIGateway.8 |
security-control/APIGateway.8 |
|
aws-foundational-security-best-practices/v/1.0.0/APIGateway.9 |
security-control/APIGateway.9 |
|
aws-foundational-security-best-practices/v/1.0.0/AutoScaling.1 |
security-control/AutoScaling.1 |
|
aws-foundational-security-best-practices/v/1.0.0/AutoScaling.2 |
security-control/AutoScaling.2 |
|
aws-foundational-security-best-practices/v/1.0.0/AutoScaling.3 |
security-control/AutoScaling.3 |
|
aws-foundational-security-best-practices/v/1.0.0/Autoscaling.5 |
security-control/Autoscaling.5 |
|
aws-foundational-security-best-practices/v/1.0.0/AutoScaling.6 |
security-control/AutoScaling.6 |
|
aws-foundational-security-best-practices/v/1.0.0/AutoScaling.9 |
security-control/AutoScaling.9 |
|
aws-foundational-security-best-practices/v/1.0.0/CloudFront.1 |
security-control/CloudFront.1 |
|
aws-foundational-security-best-practices/v/1.0.0/CloudFront.3 |
security-control/CloudFront.3 |
|
aws-foundational-security-best-practices/v/1.0.0/CloudFront.4 |
security-control/CloudFront.4 |
|
aws-foundational-security-best-practices/v/1.0.0/CloudFront.5 |
security-control/CloudFront.5 |
|
aws-foundational-security-best-practices/v/1.0.0/CloudFront.6 |
security-control/CloudFront.6 |
|
aws-foundational-security-best-practices/v/1.0.0/CloudFront.7 |
security-control/CloudFront.7 |
|
aws-foundational-security-best-practices/v/1.0.0/CloudFront.8 |
security-control/CloudFront.8 |
|
aws-foundational-security-best-practices/v/1.0.0/CloudFront.9 |
security-control/CloudFront.9 |
|
aws-foundational-security-best-practices/v/1.0.0/CloudFront.10 |
security-control/CloudFront.10 |
|
aws-foundational-security-best-practices/v/1.0.0/CloudFront.12 |
security-control/CloudFront.12 |
|
aws-foundational-security-best-practices/v/1.0.0/CloudTrail.1 |
security-control/CloudTrail.1 |
|
aws-foundational-security-best-practices/v/1.0.0/CloudTrail.2 |
security-control/CloudTrail.2 |
|
aws-foundational-security-best-practices/v/1.0.0/CloudTrail.4 |
security-control/CloudTrail.4 |
|
aws-foundational-security-best-practices/v/1.0.0/CloudTrail.5 |
security-control/CloudTrail.5 |
|
aws-foundational-security-best-practices/v/1.0.0/CodeBuild.1 |
security-control/CodeBuild.1 |
|
aws-foundational-security-best-practices/v/1.0.0/CodeBuild.2 |
security-control/CodeBuild.2 |
|
aws-foundational-security-best-practices/v/1.0.0/CodeBuild.3 |
security-control/CodeBuild.3 |
|
aws-foundational-security-best-practices/v/1.0.0/CodeBuild.4 |
security-control/CodeBuild.4 |
|
aws-foundational-security-best-practices/v/1.0.0/Config.1 |
security-control/Config.1 |
|
aws-foundational-security-best-practices/v/1.0.0/DMS.1 |
security-control/DMS.1 |
|
aws-foundational-security-best-practices/v/1.0.0/DynamoDB.1 |
security-control/DynamoDB.1 |
|
aws-foundational-security-best-practices/v/1.0.0/DynamoDB.2 |
security-control/DynamoDB.2 |
|
aws-foundational-security-best-practices/v/1.0.0/DynamoDB.3 |
security-control/DynamoDB.3 |
|
aws-foundational-security-best-practices/v/1.0.0/EC2.1 |
security-control/EC2.1 |
|
aws-foundational-security-best-practices/v/1.0.0/EC2.3 |
security-control/EC2.3 |
|
aws-foundational-security-best-practices/v/1.0.0/EC2.4 |
security-control/EC2.4 |
|
aws-foundational-security-best-practices/v/1.0.0/EC2.6 |
security-control/EC2.6 |
|
aws-foundational-security-best-practices/v/1.0.0/EC2.7 |
security-control/EC2.7 |
|
aws-foundational-security-best-practices/v/1.0.0/EC2.8 |
security-control/EC2.8 |
|
aws-foundational-security-best-practices/v/1.0.0/EC2.9 |
security-control/EC2.9 |
|
aws-foundational-security-best-practices/v/1.0.0/EC2.10 |
security-control/EC2.10 |
|
aws-foundational-security-best-practices/v/1.0.0/EC2.15 |
security-control/EC2.15 |
|
aws-foundational-security-best-practices/v/1.0.0/EC2.16 |
security-control/EC2.16 |
|
aws-foundational-security-best-practices/v/1.0.0/EC2.17 |
security-control/EC2.17 |
|
aws-foundational-security-best-practices/v/1.0.0/EC2.18 |
security-control/EC2.18 |
|
aws-foundational-security-best-practices/v/1.0.0/EC2.19 |
security-control/EC2.19 |
|
aws-foundational-security-best-practices/v/1.0.0/EC2.2 |
security-control/EC2.2 |
|
aws-foundational-security-best-practices/v/1.0.0/EC2.20 |
security-control/EC2.20 |
|
aws-foundational-security-best-practices/v/1.0.0/EC2.21 |
security-control/EC2.21 |
|
aws-foundational-security-best-practices/v/1.0.0/EC2.23 |
security-control/EC2.23 |
|
aws-foundational-security-best-practices/v/1.0.0/EC2.24 |
security-control/EC2.24 |
|
aws-foundational-security-best-practices/v/1.0.0/EC2.25 |
security-control/EC2.25 |
|
aws-foundational-security-best-practices/v/1.0.0/ECR.1 |
security-control/ECR.1 |
|
aws-foundational-security-best-practices/v/1.0.0/ECR.2 |
security-control/ECR.2 |
|
aws-foundational-security-best-practices/v/1.0.0/ECR.3 |
security-control/ECR.3 |
|
aws-foundational-security-best-practices/v/1.0.0/ECS.1 |
security-control/ECS.1 |
|
aws-foundational-security-best-practices/v/1.0.0/ECS.10 |
security-control/ECS.10 |
|
aws-foundational-security-best-practices/v/1.0.0/ECS.12 |
security-control/ECS.12 |
|
aws-foundational-security-best-practices/v/1.0.0/ECS.2 |
security-control/ECS.2 |
|
aws-foundational-security-best-practices/v/1.0.0/ECS.3 |
security-control/ECS.3 |
|
aws-foundational-security-best-practices/v/1.0.0/ECS.4 |
security-control/ECS.4 |
|
aws-foundational-security-best-practices/v/1.0.0/ECS.5 |
security-control/ECS.5 |
|
aws-foundational-security-best-practices/v/1.0.0/ECS.8 |
security-control/ECS.8 |
|
aws-foundational-security-best-practices/v/1.0.0/EFS.1 |
security-control/EFS.1 |
|
aws-foundational-security-best-practices/v/1.0.0/EFS.2 |
security-control/EFS.2 |
|
aws-foundational-security-best-practices/v/1.0.0/EFS.3 |
security-control/EFS.3 |
|
aws-foundational-security-best-practices/v/1.0.0/EFS.4 |
security-control/EFS.4 |
|
aws-foundational-security-best-practices/v/1.0.0/EKS.2 |
security-control/EKS.2 |
|
aws-foundational-security-best-practices/v/1.0.0/ElasticBeanstalk.1 |
security-control/ElasticBeanstalk.1 |
|
aws-foundational-security-best-practices/v/1.0.0/ElasticBeanstalk.2 |
security-control/ElasticBeanstalk.2 |
|
aws-foundational-security-best-practices/v/1.0.0/ELBv2.1 |
security-control/ELB.1 |
|
aws-foundational-security-best-practices/v/1.0.0/ELB.2 |
security-control/ELB.2 |
|
aws-foundational-security-best-practices/v/1.0.0/ELB.3 |
security-control/ELB.3 |
|
aws-foundational-security-best-practices/v/1.0.0/ELB.4 |
security-control/ELB.4 |
|
aws-foundational-security-best-practices/v/1.0.0/ELB.5 |
security-control/ELB.5 |
|
aws-foundational-security-best-practices/v/1.0.0/ELB.6 |
security-control/ELB.6 |
|
aws-foundational-security-best-practices/v/1.0.0/ELB.7 |
security-control/ELB.7 |
|
aws-foundational-security-best-practices/v/1.0.0/ELB.8 |
security-control/ELB.8 |
|
aws-foundational-security-best-practices/v/1.0.0/ELB.9 |
security-control/ELB.9 |
|
aws-foundational-security-best-practices/v/1.0.0/ELB.10 |
security-control/ELB.10 |
|
aws-foundational-security-best-practices/v/1.0.0/ELB.11 |
security-control/ELB.11 |
|
aws-foundational-security-best-practices/v/1.0.0/ELB.12 |
security-control/ELB.12 |
|
aws-foundational-security-best-practices/v/1.0.0/ELB.13 |
security-control/ELB.13 |
|
aws-foundational-security-best-practices/v/1.0.0/ELB.14 |
security-control/ELB.14 |
|
aws-foundational-security-best-practices/v/1.0.0/EMR.1 |
security-control/EMR.1 |
|
aws-foundational-security-best-practices/v/1.0.0/ES.1 |
security-control/ES.1 |
|
aws-foundational-security-best-practices/v/1.0.0/ES.2 |
security-control/ES.2 |
|
aws-foundational-security-best-practices/v/1.0.0/ES.3 |
security-control/ES.3 |
|
aws-foundational-security-best-practices/v/1.0.0/ES.4 |
security-control/ES.4 |
|
aws-foundational-security-best-practices/v/1.0.0/ES.5 |
security-control/ES.5 |
|
aws-foundational-security-best-practices/v/1.0.0/ES.6 |
security-control/ES.6 |
|
aws-foundational-security-best-practices/v/1.0.0/ES.7 |
security-control/ES.7 |
|
aws-foundational-security-best-practices/v/1.0.0/ES.8 |
security-control/ES.8 |
|
aws-foundational-security-best-practices/v/1.0.0/GuardDuty.1 |
security-control/GuardDuty.1 |
|
aws-foundational-security-best-practices/v/1.0.0/IAM.1 |
security-control/IAM.1 |
|
aws-foundational-security-best-practices/v/1.0.0/IAM.2 |
security-control/IAM.2 |
|
aws-foundational-security-best-practices/v/1.0.0/IAM.21 |
security-control/IAM.21 |
|
aws-foundational-security-best-practices/v/1.0.0/IAM.3 |
security-control/IAM.3 |
|
aws-foundational-security-best-practices/v/1.0.0/IAM.4 |
security-control/IAM.4 |
|
aws-foundational-security-best-practices/v/1.0.0/IAM.5 |
security-control/IAM.5 |
|
aws-foundational-security-best-practices/v/1.0.0/IAM.6 |
security-control/IAM.6 |
|
aws-foundational-security-best-practices/v/1.0.0/IAM.7 |
security-control/IAM.7 |
|
aws-foundational-security-best-practices/v/1.0.0/IAM.8 |
security-control/IAM.8 |
|
aws-foundational-security-best-practices/v/1.0.0/Kinesis.1 |
security-control/Kinesis.1 |
|
aws-foundational-security-best-practices/v/1.0.0/KMS.1 |
security-control/KMS.1 |
|
aws-foundational-security-best-practices/v/1.0.0/KMS.2 |
security-control/KMS.2 |
|
aws-foundational-security-best-practices/v/1.0.0/KMS.3 |
security-control/KMS.3 |
|
aws-foundational-security-best-practices/v/1.0.0/Lambda.1 |
security-control/Lambda.1 |
|
aws-foundational-security-best-practices/v/1.0.0/Lambda.2 |
security-control/Lambda.2 |
|
aws-foundational-security-best-practices/v/1.0.0/Lambda.5 |
security-control/Lambda.5 |
|
aws-foundational-security-best-practices/v/1.0.0/NetworkFirewall.3 |
security-control/NetworkFirewall.3 |
|
aws-foundational-security-best-practices/v/1.0.0/NetworkFirewall.4 |
security-control/NetworkFirewall.4 |
|
aws-foundational-security-best-practices/v/1.0.0/NetworkFirewall.5 |
security-control/NetworkFirewall.5 |
|
aws-foundational-security-best-practices/v/1.0.0/NetworkFirewall.6 |
security-control/NetworkFirewall.6 |
|
aws-foundational-security-best-practices/v/1.0.0/Opensearch.1 |
security-control/Opensearch.1 |
|
aws-foundational-security-best-practices/v/1.0.0/Opensearch.2 |
security-control/Opensearch.2 |
|
aws-foundational-security-best-practices/v/1.0.0/Opensearch.3 |
security-control/Opensearch.3 |
|
aws-foundational-security-best-practices/v/1.0.0/Opensearch.4 |
security-control/Opensearch.4 |
|
aws-foundational-security-best-practices/v/1.0.0/Opensearch.5 |
security-control/Opensearch.5 |
|
aws-foundational-security-best-practices/v/1.0.0/Opensearch.6 |
security-control/Opensearch.6 |
|
aws-foundational-security-best-practices/v/1.0.0/Opensearch.7 |
security-control/Opensearch.7 |
|
aws-foundational-security-best-practices/v/1.0.0/Opensearch.8 |
security-control/Opensearch.8 |
|
aws-foundational-security-best-practices/v/1.0.0/RDS.1 |
security-control/RDS.1 |
|
aws-foundational-security-best-practices/v/1.0.0/RDS.10 |
security-control/RDS.10 |
|
aws-foundational-security-best-practices/v/1.0.0/RDS.11 |
security-control/RDS.11 |
|
aws-foundational-security-best-practices/v/1.0.0/RDS.12 |
security-control/RDS.12 |
|
aws-foundational-security-best-practices/v/1.0.0/RDS.13 |
security-control/RDS.13 |
|
aws-foundational-security-best-practices/v/1.0.0/RDS.14 |
security-control/RDS.14 |
|
aws-foundational-security-best-practices/v/1.0.0/RDS.15 |
security-control/RDS.15 |
|
aws-foundational-security-best-practices/v/1.0.0/RDS.16 |
security-control/RDS.16 |
|
aws-foundational-security-best-practices/v/1.0.0/RDS.17 |
security-control/RDS.17 |
|
aws-foundational-security-best-practices/v/1.0.0/RDS.19 |
security-control/RDS.19 |
|
aws-foundational-security-best-practices/v/1.0.0/RDS.2 |
security-control/RDS.2 |
|
aws-foundational-security-best-practices/v/1.0.0/RDS.20 |
security-control/RDS.20 |
|
aws-foundational-security-best-practices/v/1.0.0/RDS.21 |
security-control/RDS.21 |
|
aws-foundational-security-best-practices/v/1.0.0/RDS.22 |
security-control/RDS.22 |
|
aws-foundational-security-best-practices/v/1.0.0/RDS.23 |
security-control/RDS.23 |
|
aws-foundational-security-best-practices/v/1.0.0/RDS.24 |
security-control/RDS.24 |
|
aws-foundational-security-best-practices/v/1.0.0/RDS.25 |
security-control/RDS.25 |
|
aws-foundational-security-best-practices/v/1.0.0/RDS.3 |
security-control/RDS.3 |
|
aws-foundational-security-best-practices/v/1.0.0/RDS.4 |
security-control/RDS.4 |
|
aws-foundational-security-best-practices/v/1.0.0/RDS.5 |
security-control/RDS.5 |
|
aws-foundational-security-best-practices/v/1.0.0/RDS.6 |
security-control/RDS.6 |
|
aws-foundational-security-best-practices/v/1.0.0/RDS.7 |
security-control/RDS.7 |
|
aws-foundational-security-best-practices/v/1.0.0/RDS.8 |
security-control/RDS.8 |
|
aws-foundational-security-best-practices/v/1.0.0/RDS.9 |
security-control/RDS.9 |
|
aws-foundational-security-best-practices/v/1.0.0/Redshift.1 |
security-control/Redshift.1 |
|
aws-foundational-security-best-practices/v/1.0.0/Redshift.2 |
security-control/Redshift.2 |
|
aws-foundational-security-best-practices/v/1.0.0/Redshift.3 |
security-control/Redshift.3 |
|
aws-foundational-security-best-practices/v/1.0.0/Redshift.4 |
security-control/Redshift.4 |
|
aws-foundational-security-best-practices/v/1.0.0/Redshift.6 |
security-control/Redshift.6 |
|
aws-foundational-security-best-practices/v/1.0.0/Redshift.7 |
security-control/Redshift.7 |
|
aws-foundational-security-best-practices/v/1.0.0/Redshift.8 |
security-control/Redshift.8 |
|
aws-foundational-security-best-practices/v/1.0.0/Redshift.9 |
security-control/Redshift.9 |
|
aws-foundational-security-best-practices/v/1.0.0/S3.1 |
security-control/S3.1 |
|
aws-foundational-security-best-practices/v/1.0.0/S3.12 |
security-control/S3.12 |
|
aws-foundational-security-best-practices/v/1.0.0/S3.13 |
security-control/S3.13 |
|
aws-foundational-security-best-practices/v/1.0.0/S3.2 |
security-control/S3.2 |
|
aws-foundational-security-best-practices/v/1.0.0/S3.3 |
security-control/S3.3 |
|
aws-foundational-security-best-practices/v/1.0.0/S3.5 |
security-control/S3.5 |
|
aws-foundational-security-best-practices/v/1.0.0/S3.6 |
security-control/S3.6 |
|
aws-foundational-security-best-practices/v/1.0.0/S3.8 |
security-control/S3.8 |
|
aws-foundational-security-best-practices/v/1.0.0/S3.9 |
security-control/S3.9 |
|
aws-foundational-security-best-practices/v/1.0.0/SageMaker.1 |
security-control/SageMaker.1 |
|
aws-foundational-security-best-practices/v/1.0.0/SageMaker.2 |
security-control/SageMaker.2 |
|
aws-foundational-security-best-practices/v/1.0.0/SageMaker.3 |
security-control/SageMaker.3 |
|
aws-foundational-security-best-practices/v/1.0.0/SecretsManager.1 |
security-control/SecretsManager.1 |
|
aws-foundational-security-best-practices/v/1.0.0/SecretsManager.2 |
security-control/SecretsManager.2 |
|
aws-foundational-security-best-practices/v/1.0.0/SecretsManager.3 |
security-control/SecretsManager.3 |
|
aws-foundational-security-best-practices/v/1.0.0/SecretsManager.4 |
security-control/SecretsManager.4 |
|
aws-foundational-security-best-practices/v/1.0.0/SQS.1 |
security-control/SQS.1 |
|
aws-foundational-security-best-practices/v/1.0.0/SSM.1 |
security-control/SSM.1 |
|
aws-foundational-security-best-practices/v/1.0.0/SSM.2 |
security-control/SSM.2 |
|
aws-foundational-security-best-practices/v/1.0.0/SSM.3 |
security-control/SSM.3 |
|
aws-foundational-security-best-practices/v/1.0.0/SSM.4 |
security-control/SSM.4 |
|
aws-foundational-security-best-practices/v/1.0.0/WAF.1 |
security-control/WAF.1 |
|
aws-foundational-security-best-practices/v/1.0.0/WAF.2 |
security-control/WAF.2 |
|
aws-foundational-security-best-practices/v/1.0.0/WAF.3 |
security-control/WAF.3 |
|
aws-foundational-security-best-practices/v/1.0.0/WAF.4 |
security-control/WAF.4 |
|
aws-foundational-security-best-practices/v/1.0.0/WAF.6 |
security-control/WAF.6 |
|
aws-foundational-security-best-practices/v/1.0.0/WAF.7 |
security-control/WAF.7 |
|
aws-foundational-security-best-practices/v/1.0.0/WAF.8 |
security-control/WAF.8 |
|
aws-foundational-security-best-practices/v/1.0.0/WAF.10 |
security-control/WAF.10 |
|
pci-dss/v/3.2.1/PCI.AutoScaling.1 |
security-control/AutoScaling.1 |
|
pci-dss/v/3.2.1/PCI.CloudTrail.1 |
security-control/CloudTrail.2 |
|
pci-dss/v/3.2.1/PCI.CloudTrail.2 |
security-control/CloudTrail.3 |
|
pci-dss/v/3.2.1/PCI.CloudTrail.3 |
security-control/CloudTrail.4 |
|
pci-dss/v/3.2.1/PCI.CloudTrail.4 |
security-control/CloudTrail.5 |
|
pci-dss/v/3.2.1/PCI.CodeBuild.1 |
security-control/CodeBuild.1 |
|
pci-dss/v/3.2.1/PCI.CodeBuild.2 |
security-control/CodeBuild.2 |
|
pci-dss/v/3.2.1/PCI.Config.1 |
security-control/Config.1 |
|
pci-dss/v/3.2.1/PCI.CW.1 |
security-control/CloudWatch.1 |
|
pci-dss/v/3.2.1/PCI.DMS.1 |
security-control/DMS.1 |
|
pci-dss/v/3.2.1/PCI.EC2.1 |
security-control/EC2.1 |
|
pci-dss/v/3.2.1/PCI.EC2.2 |
security-control/EC2.2 |
|
pci-dss/v/3.2.1/PCI.EC2.4 |
security-control/EC2.12 |
|
pci-dss/v/3.2.1/PCI.EC2.5 |
security-control/EC2.13 |
|
pci-dss/v/3.2.1/PCI.EC2.6 |
security-control/EC2.6 |
|
pci-dss/v/3.2.1/PCI.ELBv2.1 |
security-control/ELB.1 |
|
pci-dss/v/3.2.1/PCI.ES.1 |
security-control/ES.2 |
|
pci-dss/v/3.2.1/PCI.ES.2 |
security-control/ES.1 |
|
pci-dss/v/3.2.1/PCI.GuardDuty.1 |
security-control/GuardDuty.1 |
|
pci-dss/v/3.2.1/PCI.IAM.1 |
security-control/IAM.4 |
|
pci-dss/v/3.2.1/PCI.IAM.2 |
security-control/IAM.2 |
|
pci-dss/v/3.2.1/PCI.IAM.3 |
security-control/IAM.1 |
|
pci-dss/v/3.2.1/PCI.IAM.4 |
security-control/IAM.6 |
|
pci-dss/v/3.2.1/PCI.IAM.5 |
security-control/IAM.9 |
|
pci-dss/v/3.2.1/PCI.IAM.6 |
security-control/IAM.19 |
|
pci-dss/v/3.2.1/PCI.IAM.7 |
security-control/IAM.8 |
|
pci-dss/v/3.2.1/PCI.IAM.8 |
security-control/IAM.10 |
|
pci-dss/v/3.2.1/PCI.KMS.1 |
security-control/KMS.4 |
|
pci-dss/v/3.2.1/PCI.Lambda.1 |
security-control/Lambda.1 |
|
pci-dss/v/3.2.1/PCI.Lambda.2 |
security-control/Lambda.3 |
|
pci-dss/v/3.2.1/PCI.Opensearch.1 |
security-control/Opensearch.2 |
|
pci-dss/v/3.2.1/PCI.Opensearch.2 |
security-control/Opensearch.1 |
|
pci-dss/v/3.2.1/PCI.RDS.1 |
security-control/RDS.1 |
|
pci-dss/v/3.2.1/PCI.RDS.2 |
security-control/RDS.2 |
|
pci-dss/v/3.2.1/PCI.Redshift.1 |
security-control/Redshift.1 |
|
pci-dss/v/3.2.1/PCI.S3.1 |
security-control/S3.3 |
|
pci-dss/v/3.2.1/PCI.S3.2 |
security-control/S3.2 |
|
pci-dss/v/3.2.1/PCI.S3.3 |
security-control/S3.7 |
|
pci-dss/v/3.2.1/PCI.S3.5 |
security-control/S3.5 |
|
pci-dss/v/3.2.1/PCI.S3.6 |
security-control/S3.1 |
|
pci-dss/v/3.2.1/PCI.SageMaker.1 |
security-control/SageMaker.1 |
|
pci-dss/v/3.2.1/PCI.SSM.1 |
security-control/SSM.2 |
|
pci-dss/v/3.2.1/PCI.SSM.2 |
security-control/SSM.3 |
|
pci-dss/v/3.2.1/PCI.SSM.3 |
security-control/SSM.1 |
|
service-managed-aws-control-tower/v/1.0.0/ACM.1 |
security-control/ACM.1 |
|
service-managed-aws-control-tower/v/1.0.0/APIGateway.1 |
security-control/APIGateway.1 |
|
service-managed-aws-control-tower/v/1.0.0/APIGateway.2 |
security-control/APIGateway.2 |
|
service-managed-aws-control-tower/v/1.0.0/APIGateway.3 |
security-control/APIGateway.3 |
|
service-managed-aws-control-tower/v/1.0.0/APIGateway.4 |
security-control/APIGateway.4 |
|
service-managed-aws-control-tower/v/1.0.0/APIGateway.5 |
security-control/APIGateway.5 |
|
service-managed-aws-control-tower/v/1.0.0/AutoScaling.1 |
security-control/AutoScaling.1 |
|
service-managed-aws-control-tower/v/1.0.0/AutoScaling.2 |
security-control/AutoScaling.2 |
|
service-managed-aws-control-tower/v/1.0.0/AutoScaling.3 |
security-control/AutoScaling.3 |
|
service-managed-aws-control-tower/v/1.0.0/AutoScaling.4 |
security-control/AutoScaling.4 |
|
service-managed-aws-control-tower/v/1.0.0/Autoscaling.5 |
security-control/Autoscaling.5 |
|
service-managed-aws-control-tower/v/1.0.0/AutoScaling.6 |
security-control/AutoScaling.6 |
|
service-managed-aws-control-tower/v/1.0.0/AutoScaling.9 |
security-control/AutoScaling.9 |
|
service-managed-aws-control-tower/v/1.0.0/CloudTrail.1 |
security-control/CloudTrail.1 |
|
service-managed-aws-control-tower/v/1.0.0/CloudTrail.2 |
security-control/CloudTrail.2 |
|
service-managed-aws-control-tower/v/1.0.0/CloudTrail.4 |
security-control/CloudTrail.4 |
|
service-managed-aws-control-tower/v/1.0.0/CloudTrail.5 |
security-control/CloudTrail.5 |
|
service-managed-aws-control-tower/v/1.0.0/CodeBuild.1 |
security-control/CodeBuild.1 |
|
service-managed-aws-control-tower/v/1.0.0/CodeBuild.2 |
security-control/CodeBuild.2 |
|
service-managed-aws-control-tower/v/1.0.0/CodeBuild.4 |
security-control/CodeBuild.4 |
|
service-managed-aws-control-tower/v/1.0.0/CodeBuild.5 |
security-control/CodeBuild.5 |
|
service-managed-aws-control-tower/v/1.0.0/DMS.1 |
security-control/DMS.1 |
|
service-managed-aws-control-tower/v/1.0.0/DynamoDB.1 |
security-control/DynamoDB.1 |
|
service-managed-aws-control-tower/v/1.0.0/DynamoDB.2 |
security-control/DynamoDB.2 |
|
service-managed-aws-control-tower/v/1.0.0/EC2.1 |
security-control/EC2.1 |
|
service-managed-aws-control-tower/v/1.0.0/EC2.2 |
security-control/EC2.2 |
|
service-managed-aws-control-tower/v/1.0.0/EC2.3 |
security-control/EC2.3 |
|
service-managed-aws-control-tower/v/1.0.0/EC2.4 |
security-control/EC2.4 |
|
service-managed-aws-control-tower/v/1.0.0/EC2.6 |
security-control/EC2.6 |
|
service-managed-aws-control-tower/v/1.0.0/EC2.7 |
security-control/EC2.7 |
|
service-managed-aws-control-tower/v/1.0.0/EC2.8 |
security-control/EC2.8 |
|
service-managed-aws-control-tower/v/1.0.0/EC2.9 |
security-control/EC2.9 |
|
service-managed-aws-control-tower/v/1.0.0/EC2.10 |
security-control/EC2.10 |
|
service-managed-aws-control-tower/v/1.0.0/EC2.15 |
security-control/EC2.15 |
|
service-managed-aws-control-tower/v/1.0.0/EC2.16 |
security-control/EC2.16 |
|
service-managed-aws-control-tower/v/1.0.0/EC2.17 |
security-control/EC2.17 |
|
service-managed-aws-control-tower/v/1.0.0/EC2.18 |
security-control/EC2.18 |
|
service-managed-aws-control-tower/v/1.0.0/EC2.19 |
security-control/EC2.19 |
|
service-managed-aws-control-tower/v/1.0.0/EC2.20 |
security-control/EC2.20 |
|
service-managed-aws-control-tower/v/1.0.0/EC2.21 |
security-control/EC2.21 |
|
service-managed-aws-control-tower/v/1.0.0/EC2.22 |
security-control/EC2.22 |
|
service-managed-aws-control-tower/v/1.0.0/ECR.1 |
security-control/ECR.1 |
|
service-managed-aws-control-tower/v/1.0.0/ECR.2 |
security-control/ECR.2 |
|
service-managed-aws-control-tower/v/1.0.0/ECR.3 |
security-control/ECR.3 |
|
service-managed-aws-control-tower/v/1.0.0/ECS.1 |
security-control/ECS.1 |
|
service-managed-aws-control-tower/v/1.0.0/ECS.2 |
security-control/ECS.2 |
|
service-managed-aws-control-tower/v/1.0.0/ECS.3 |
security-control/ECS.3 |
|
service-managed-aws-control-tower/v/1.0.0/ECS.4 |
security-control/ECS.4 |
|
service-managed-aws-control-tower/v/1.0.0/ECS.5 |
security-control/ECS.5 |
|
service-managed-aws-control-tower/v/1.0.0/ECS.8 |
security-control/ECS.8 |
|
service-managed-aws-control-tower/v/1.0.0/ECS.10 |
security-control/ECS.10 |
|
service-managed-aws-control-tower/v/1.0.0/ECS.12 |
security-control/ECS.12 |
|
service-managed-aws-control-tower/v/1.0.0/EFS.1 |
security-control/EFS.1 |
|
service-managed-aws-control-tower/v/1.0.0/EFS.2 |
security-control/EFS.2 |
|
service-managed-aws-control-tower/v/1.0.0/EFS.3 |
security-control/EFS.3 |
|
service-managed-aws-control-tower/v/1.0.0/EFS.4 |
security-control/EFS.4 |
|
service-managed-aws-control-tower/v/1.0.0/EKS.2 |
security-control/EKS.2 |
|
service-managed-aws-control-tower/v/1.0.0/ELB.2 |
security-control/ELB.2 |
|
service-managed-aws-control-tower/v/1.0.0/ELB.3 |
security-control/ELB.3 |
|
service-managed-aws-control-tower/v/1.0.0/ELB.4 |
security-control/ELB.4 |
|
service-managed-aws-control-tower/v/1.0.0/ELB.5 |
security-control/ELB.5 |
|
service-managed-aws-control-tower/v/1.0.0/ELB.6 |
security-control/ELB.6 |
|
service-managed-aws-control-tower/v/1.0.0/ELB.7 |
security-control/ELB.7 |
|
service-managed-aws-control-tower/v/1.0.0/ELB.8 |
security-control/ELB.8 |
|
service-managed-aws-control-tower/v/1.0.0/ELB.9 |
security-control/ELB.9 |
|
service-managed-aws-control-tower/v/1.0.0/ELB.10 |
security-control/ELB.10 |
|
service-managed-aws-control-tower/v/1.0.0/ELB.12 |
security-control/ELB.12 |
|
service-managed-aws-control-tower/v/1.0.0/ELB.13 |
security-control/ELB.13 |
|
service-managed-aws-control-tower/v/1.0.0/ELB.14 |
security-control/ELB.14 |
|
service-managed-aws-control-tower/v/1.0.0/ELBv2.1 |
security-control/ELBv2.1 |
|
service-managed-aws-control-tower/v/1.0.0/EMR.1 |
security-control/EMR.1 |
|
service-managed-aws-control-tower/v/1.0.0/ES.1 |
security-control/ES.1 |
|
service-managed-aws-control-tower/v/1.0.0/ES.2 |
security-control/ES.2 |
|
service-managed-aws-control-tower/v/1.0.0/ES.3 |
security-control/ES.3 |
|
service-managed-aws-control-tower/v/1.0.0/ES.4 |
security-control/ES.4 |
|
service-managed-aws-control-tower/v/1.0.0/ES.5 |
security-control/ES.5 |
|
service-managed-aws-control-tower/v/1.0.0/ES.6 |
security-control/ES.6 |
|
service-managed-aws-control-tower/v/1.0.0/ES.7 |
security-control/ES.7 |
|
service-managed-aws-control-tower/v/1.0.0/ES.8 |
security-control/ES.8 |
|
service-managed-aws-control-tower/v/1.0.0/ElasticBeanstalk.1 |
security-control/ElasticBeanstalk.1 |
|
service-managed-aws-control-tower/v/1.0.0/ElasticBeanstalk.2 |
security-control/ElasticBeanstalk.2 |
|
service-managed-aws-control-tower/v/1.0.0/GuardDuty.1 |
security-control/GuardDuty.1 |
|
service-managed-aws-control-tower/v/1.0.0/IAM.1 |
security-control/IAM.1 |
|
service-managed-aws-control-tower/v/1.0.0/IAM.2 |
security-control/IAM.2 |
|
service-managed-aws-control-tower/v/1.0.0/IAM.3 |
security-control/IAM.3 |
|
service-managed-aws-control-tower/v/1.0.0/IAM.4 |
security-control/IAM.4 |
|
service-managed-aws-control-tower/v/1.0.0/IAM.5 |
security-control/IAM.5 |
|
service-managed-aws-control-tower/v/1.0.0/IAM.6 |
security-control/IAM.6 |
|
service-managed-aws-control-tower/v/1.0.0/IAM.7 |
security-control/IAM.7 |
|
service-managed-aws-control-tower/v/1.0.0/IAM.8 |
security-control/IAM.8 |
|
service-managed-aws-control-tower/v/1.0.0/IAM.21 |
security-control/IAM.21 |
|
service-managed-aws-control-tower/v/1.0.0/Kinesis.1 |
security-control/Kinesis.1 |
|
service-managed-aws-control-tower/v/1.0.0/KMS.1 |
security-control/KMS.1 |
|
service-managed-aws-control-tower/v/1.0.0/KMS.2 |
security-control/KMS.2 |
|
service-managed-aws-control-tower/v/1.0.0/KMS.3 |
security-control/KMS.3 |
|
service-managed-aws-control-tower/v/1.0.0/Lambda.1 |
security-control/Lambda.1 |
|
service-managed-aws-control-tower/v/1.0.0/Lambda.2 |
security-control/Lambda.2 |
|
service-managed-aws-control-tower/v/1.0.0/Lambda.5 |
security-control/Lambda.5 |
|
service-managed-aws-control-tower/v/1.0.0/NetworkFirewall.3 |
security-control/NetworkFirewall.3 |
|
service-managed-aws-control-tower/v/1.0.0/NetworkFirewall.4 |
security-control/NetworkFirewall.4 |
|
service-managed-aws-control-tower/v/1.0.0/NetworkFirewall.5 |
security-control/NetworkFirewall.5 |
|
service-managed-aws-control-tower/v/1.0.0/NetworkFirewall.6 |
security-control/NetworkFirewall.6 |
|
service-managed-aws-control-tower/v/1.0.0/Opensearch.1 |
security-control/Opensearch.1 |
|
service-managed-aws-control-tower/v/1.0.0/Opensearch.2 |
security-control/Opensearch.2 |
|
service-managed-aws-control-tower/v/1.0.0/Opensearch.3 |
security-control/Opensearch.3 |
|
service-managed-aws-control-tower/v/1.0.0/Opensearch.4 |
security-control/Opensearch.4 |
|
service-managed-aws-control-tower/v/1.0.0/Opensearch.5 |
security-control/Opensearch.5 |
|
service-managed-aws-control-tower/v/1.0.0/Opensearch.6 |
security-control/Opensearch.6 |
|
service-managed-aws-control-tower/v/1.0.0/Opensearch.7 |
security-control/Opensearch.7 |
|
service-managed-aws-control-tower/v/1.0.0/Opensearch.8 |
security-control/Opensearch.8 |
|
service-managed-aws-control-tower/v/1.0.0/RDS.1 |
security-control/RDS.1 |
|
service-managed-aws-control-tower/v/1.0.0/RDS.2 |
security-control/RDS.2 |
|
service-managed-aws-control-tower/v/1.0.0/RDS.3 |
security-control/RDS.3 |
|
service-managed-aws-control-tower/v/1.0.0/RDS.4 |
security-control/RDS.4 |
|
service-managed-aws-control-tower/v/1.0.0/RDS.5 |
security-control/RDS.5 |
|
service-managed-aws-control-tower/v/1.0.0/RDS.6 |
security-control/RDS.6 |
|
service-managed-aws-control-tower/v/1.0.0/RDS.8 |
security-control/RDS.8 |
|
service-managed-aws-control-tower/v/1.0.0/RDS.9 |
security-control/RDS.9 |
|
service-managed-aws-control-tower/v/1.0.0/RDS.10 |
security-control/RDS.10 |
|
service-managed-aws-control-tower/v/1.0.0/RDS.11 |
security-control/RDS.11 |
|
service-managed-aws-control-tower/v/1.0.0/RDS.13 |
security-control/RDS.13 |
|
service-managed-aws-control-tower/v/1.0.0/RDS.17 |
security-control/RDS.17 |
|
service-managed-aws-control-tower/v/1.0.0/RDS.18 |
security-control/RDS.18 |
|
service-managed-aws-control-tower/v/1.0.0/RDS.19 |
security-control/RDS.19 |
|
service-managed-aws-control-tower/v/1.0.0/RDS.20 |
security-control/RDS.20 |
|
service-managed-aws-control-tower/v/1.0.0/RDS.21 |
security-control/RDS.21 |
|
service-managed-aws-control-tower/v/1.0.0/RDS.22 |
security-control/RDS.22 |
|
service-managed-aws-control-tower/v/1.0.0/RDS.23 |
security-control/RDS.23 |
|
service-managed-aws-control-tower/v/1.0.0/RDS.25 |
security-control/RDS.25 |
|
service-managed-aws-control-tower/v/1.0.0/Redshift.1 |
security-control/Redshift.1 |
|
service-managed-aws-control-tower/v/1.0.0/Redshift.2 |
security-control/Redshift.2 |
|
service-managed-aws-control-tower/v/1.0.0/Redshift.4 |
security-control/Redshift.4 |
|
service-managed-aws-control-tower/v/1.0.0/Redshift.6 |
security-control/Redshift.6 |
|
service-managed-aws-control-tower/v/1.0.0/Redshift.7 |
security-control/Redshift.7 |
|
service-managed-aws-control-tower/v/1.0.0/Redshift.8 |
security-control/Redshift.8 |
|
service-managed-aws-control-tower/v/1.0.0/Redshift.9 |
security-control/Redshift.9 |
|
service-managed-aws-control-tower/v/1.0.0/S3.1 |
security-control/S3.1 |
|
service-managed-aws-control-tower/v/1.0.0/S3.2 |
security-control/S3.2 |
|
service-managed-aws-control-tower/v/1.0.0/S3.3 |
security-control/S3.3 |
|
service-managed-aws-control-tower/v/1.0.0/S3.5 |
security-control/S3.5 |
|
service-managed-aws-control-tower/v/1.0.0/S3.6 |
security-control/S3.6 |
|
service-managed-aws-control-tower/v/1.0.0/S3.8 |
security-control/S3.8 |
|
service-managed-aws-control-tower/v/1.0.0/S3.9 |
security-control/S3.9 |
|
service-managed-aws-control-tower/v/1.0.0/S3.12 |
security-control/S3.12 |
|
service-managed-aws-control-tower/v/1.0.0/S3.13 |
security-control/S3.13 |
|
service-managed-aws-control-tower/v/1.0.0/SageMaker.1 |
security-control/SageMaker.1 |
|
service-managed-aws-control-tower/v/1.0.0/SecretsManager.1 |
security-control/SecretsManager.1 |
|
service-managed-aws-control-tower/v/1.0.0/SecretsManager.2 |
security-control/SecretsManager.2 |
|
service-managed-aws-control-tower/v/1.0.0/SecretsManager.3 |
security-control/SecretsManager.3 |
|
service-managed-aws-control-tower/v/1.0.0/SecretsManager.4 |
security-control/SecretsManager.4 |
|
service-managed-aws-control-tower/v/1.0.0/SQS.1 |
security-control/SQS.1 |
|
service-managed-aws-control-tower/v/1.0.0/SSM.1 |
security-control/SSM.1 |
|
service-managed-aws-control-tower/v/1.0.0/SSM.2 |
security-control/SSM.2 |
|
service-managed-aws-control-tower/v/1.0.0/SSM.3 |
security-control/SSM.3 |
|
service-managed-aws-control-tower/v/1.0.0/SSM.4 |
security-control/SSM.4 |
|
service-managed-aws-control-tower/v/1.0.0/WAF.2 |
security-control/WAF.2 |
|
service-managed-aws-control-tower/v/1.0.0/WAF.3 |
security-control/WAF.3 |
|
service-managed-aws-control-tower/v/1.0.0/WAF.4 |
security-control/WAF.4 |
整合如何影响控件 ID 和标题
整合的控件视图和整合的控件调查发现标准化了各类标准的控件 ID 和标题。安全控件 ID 和安全控件标题这两个术语是指这些与标准无关的值。
无论您的账户启用还是禁用了整合的控件调查发现,Security Hub CSPM 控制台都会显示与标准无关的安全控件 ID 和安全控件标题。但是,如果您的账户禁用了整合的控件调查发现,则 Security Hub CSPM 调查发现包含针对 PCI DSS 和 CIS v1.2.0 的特定于标准的控件标题。此外,Security Hub CSPM 调查发现包含特定于标准的控件 ID 和安全控件 ID。有关整合如何影响控件调查发现的示例,请参阅控件调查发现样本。
对于属于 Amazon Control Tower 服务托管标准一部分的控件,启用整合的控件调查发现后,将从调查发现的控件 ID 和标题中删除前缀 CT.。
要在 Security Hub CSPM 中禁用安全控件,必须禁用与该安全控件对应的所有标准控件。下表显示了安全控件 ID 和标题与特定标准的控件 ID 和标题的映射。属于 Amazon 基础安全最佳实践 (FSBP) 标准的控件的 ID 和标题已与标准无关。有关控件与 Center for Internet Security(CIS)v3.0.0 要求的映射,请参阅 将控件映射到每个版本中的 CIS 要求。要在此表上运行您自己的脚本,您可以将其下载为 .csv 文件。
| Standard | 标准控件 ID 和标题 | 安全控件 ID 和标题 |
|---|---|---|
|
CIS v1.2.0 |
1.1 避免使用根用户 |
|
|
CIS v1.2.0 |
1.10 确保 IAM 密码策略阻止重复使用密码 |
|
|
CIS v1.2.0 |
1.11 确保 IAM 密码策略使密码在 90 天或更短时间内失效 |
|
|
CIS v1.2.0 |
1.12 确保不存在根用户访问密钥 |
|
|
CIS v1.2.0 |
1.13 确保为根用户启用 MFA |
|
|
CIS v1.2.0 |
1.14 确保为根用户启用硬件 MFA |
|
|
CIS v1.2.0 |
1.16 确保 IAM policy 仅附加到组或角色 |
|
|
CIS v1.2.0 |
1.2 确保为拥有控制台密码的所有 IAM 用户启用多重身份验证(MFA) |
|
|
CIS v1.2.0 |
1.20 确保创建支持角色来管理涉及 Amazon Web Services 支持 的事务 |
|
|
CIS v1.2.0 |
1.22 确保未创建允许完全“*.*”管理权限的 IAM policy |
|
|
CIS v1.2.0 |
1.3 确保禁用 90 天或更长时间未使用的凭证 |
|
|
CIS v1.2.0 |
1.4 确保访问密钥每 90 天或更短时间轮换一次 |
|
|
CIS v1.2.0 |
1.5 确保 IAM 密码策略要求包含至少一个大写字母 |
|
|
CIS v1.2.0 |
1.6 确保 IAM 密码策略要求包含至少一个小写字母 |
|
|
CIS v1.2.0 |
1.7 确保 IAM 密码策略要求包含至少一个符号 |
|
|
CIS v1.2.0 |
1.8 确保 IAM 密码策略要求包含至少一个数字 |
|
|
CIS v1.2.0 |
1.9 确保 IAM 密码策略要求最短密码长度不低于 14 |
|
|
CIS v1.2.0 |
2.1 确保在所有区域启用 CloudTrail |
|
|
CIS v1.2.0 |
2.2 确保启用 CloudTrail 日志文件验证 |
|
|
CIS v1.2.0 |
2.3 确保用来存储 CloudTrail 日志的 S3 存储桶不可公开访问 |
|
|
CIS v1.2.0 |
2.4 确保 CloudTrail 跟踪与 CloudWatch Logs 集成 |
|
|
CIS v1.2.0 |
2.5 确保已启用 Amazon Config |
|
|
CIS v1.2.0 |
2.6 确保在 CloudTrail S3 存储桶上启用 S3 存储桶访问日志记录 |
|
|
CIS v1.2.0 |
2.7 确保使用 KMS CMK 对 CloudTrail 日志进行静态加密 |
|
|
CIS v1.2.0 |
2.8 确保为客户创建的 CMK 启用轮换 |
|
|
CIS v1.2.0 |
2.9 确保在所有 VPC 中启用 VPC 流日志记录 |
|
|
CIS v1.2.0 |
3.1 确保存在关于未经授权的 API 调用的日志指标筛选条件和警报 |
|
|
CIS v1.2.0 |
3.10 确保存在关于安全组更改的日志指标筛选条件和警报 |
|
|
CIS v1.2.0 |
3.11 确保存在关于网络访问控制列表 (NACL) 更改的日志指标筛选条件和警报 |
|
|
CIS v1.2.0 |
3.12 确保存在关于网络网关更改的日志指标筛选条件和警报 |
|
|
CIS v1.2.0 |
3.13 确保存在关于路由表更改的日志指标筛选条件和警报 |
|
|
CIS v1.2.0 |
3.14 确保存在关于 VPC 更改的日志指标筛选条件和警报 |
|
|
CIS v1.2.0 |
3.2 确保存在关于无 MFA 的管理控制台登录的日志指标筛选条件和警报 |
|
|
CIS v1.2.0 |
3.3 确保存在关于使用根用户的日志指标筛选条件和警报 |
|
|
CIS v1.2.0 |
3.4 确保存在关于 IAM policy 更改的日志指标筛选条件和警报 |
|
|
CIS v1.2.0 |
3.5 确保存在关于 CloudTrail 配置更改的日志指标筛选条件和警报 |
|
|
CIS v1.2.0 |
3.6 确保存在关于 Amazon Web Services 管理控制台 身份验证失败的日志指标筛选条件和警报 |
[CloudWatch.6] 确保存在关于 Amazon Web Services 管理控制台 身份验证失败的日志指标筛选条件和警报 |
|
CIS v1.2.0 |
3.7 确保存在关于禁用或计划删除客户创建的 CMK 的日志指标筛选条件和警报 |
|
|
CIS v1.2.0 |
3.8 确保存在关于 S3 存储桶策略更改的日志指标筛选条件和警报 |
|
|
CIS v1.2.0 |
3.9 确保存在关于 Amazon Config 配置更改的日志指标筛选条件和警报 |
|
|
CIS v1.2.0 |
4.1 确保没有安全组允许从 0.0.0.0/0 到端口 22 的传入流量 |
|
|
CIS v1.2.0 |
4.2 确保没有安全组允许从 0.0.0.0/0 到端口 3389 的传入流量 |
|
|
CIS v1.2.0 |
4.3 确保每个 VPC 的默认安全组限制所有流量 |
|
|
CIS v1.4.0 |
1.10 确保为拥有控制台密码的所有 IAM 用户启用多重身份验证(MFA) |
|
|
CIS v1.4.0 |
1.14 确保访问密钥每 90 天或更短时间轮换一次 |
|
|
CIS v1.4.0 |
1.16 确保未附加的允许完全“*.*”管理权限的 IAM policy |
|
|
CIS v1.4.0 |
1.17 确保创建支持角色来管理涉及 Amazon Web Services 支持 的事务 |
|
|
CIS v1.4.0 |
1.4 确保不存在根用户账户访问密钥 |
|
|
CIS v1.4.0 |
1.5 确保为根用户账户启用 MFA |
|
|
CIS v1.4.0 |
1.6 确保为根用户账户启用硬件 MFA |
|
|
CIS v1.4.0 |
1.7 避免使用根用户执行管理和日常任务 |
|
|
CIS v1.4.0 |
1.8 确保 IAM 密码策略要求最短长度不低于 14 |
|
|
CIS v1.4.0 |
1.9 确保 IAM 密码策略阻止重复使用密码 |
|
|
CIS v1.4.0 |
2.1.2 确保 S3 存储桶策略设置为拒绝 HTTP 请求 |
|
|
CIS v1.4.0 |
2.1.5.1 应启用 S3 阻止公有访问设置 |
|
|
CIS v1.4.0 |
2.1.5.2 应在存储桶级别启用 S3 阻止公有访问设置 |
|
|
CIS v1.4.0 |
2.2.1 确保启用 EBS 卷加密 |
|
|
CIS v1.4.0 |
2.3.1 确保已为 RDS 实例启用加密 |
|
|
CIS v1.4.0 |
3.1 确保在所有区域启用 CloudTrail |
|
|
CIS v1.4.0 |
3.2 确保启用 CloudTrail 日志文件验证 |
|
|
CIS v1.4.0 |
3.4 确保 CloudTrail 跟踪与 CloudWatch Logs 集成 |
|
|
CIS v1.4.0 |
3.5 确保 Amazon Config 在所有区域启用 |
|
|
CIS v1.4.0 |
3.6 确保在 CloudTrail S3 存储桶上启用 S3 存储桶访问日志记录 |
|
|
CIS v1.4.0 |
3.7 确保使用 KMS CMK 对 CloudTrail 日志进行静态加密 |
|
|
CIS v1.4.0 |
3.8 确保为客户创建的 CMK 启用轮换 |
|
|
CIS v1.4.0 |
3.9 确保在所有 VPC 中启用 VPC 流日志记录 |
|
|
CIS v1.4.0 |
4.4 确保存在关于 IAM policy 更改的日志指标筛选条件和警报 |
|
|
CIS v1.4.0 |
4.5 确保存在关于 CloudTrail 配置更改的日志指标筛选条件和警报 |
|
|
CIS v1.4.0 |
4.6 确保存在关于 Amazon Web Services 管理控制台 身份验证失败的日志指标筛选条件和警报 |
[CloudWatch.6] 确保存在关于 Amazon Web Services 管理控制台 身份验证失败的日志指标筛选条件和警报 |
|
CIS v1.4.0 |
4.7 确保存在关于禁用或计划删除客户创建的 CMK 的日志指标筛选条件和警报 |
|
|
CIS v1.4.0 |
4.8 确保存在关于 S3 存储桶策略更改的日志指标筛选条件和警报 |
|
|
CIS v1.4.0 |
4.9 确保存在关于 Amazon Config 配置更改的日志指标筛选条件和警报 |
|
|
CIS v1.4.0 |
4.10 确保存在关于安全组更改的日志指标筛选条件和警报 |
|
|
CIS v1.4.0 |
4.11 确保存在关于网络访问控制列表 (NACL) 更改的日志指标筛选条件和警报 |
|
|
CIS v1.4.0 |
4.12 确保存在关于网络网关更改的日志指标筛选条件和警报 |
|
|
CIS v1.4.0 |
4.13 确保存在关于路由表更改的日志指标筛选条件和警报 |
|
|
CIS v1.4.0 |
4.14 确保存在关于 VPC 更改的日志指标筛选条件和警报 |
|
|
CIS v1.4.0 |
5.1 确保网络 ACL 不允许从 0.0.0.0/0 进入远程服务器管理端口 |
|
|
CIS v1.4.0 |
5.3 确保每个 VPC 的默认安全组限制所有流量 |
|
|
PCI DSS v3.2.1 |
PCI.AutoScaling.1 与负载均衡器关联的自动扩缩组应使用负载均衡器运行状况检查 |
|
|
PCI DSS v3.2.1 |
PCI.CloudTrail.1 应使用 Amazon KMS CMK 对 CloudTrail 日志进行静态加密 |
|
|
PCI DSS v3.2.1 |
PCI.CloudTrail.2 应启用 CloudTrail |
|
|
PCI DSS v3.2.1 |
PCI.CloudTrail.3 应启用 CloudTrail 日志文件验证 |
|
|
PCI DSS v3.2.1 |
PCI.CloudTrail.4 CloudTrail 跟踪应与 Amazon CloudWatch Logs 集成在一起 |
|
|
PCI DSS v3.2.1 |
PCI.CodeBuild.1 CodeBuild GitHub 或 Bitbucket 源存储库 URL 应使用 OAuth |
|
|
PCI DSS v3.2.1 |
PCI.CodeBuild.2 CodeBuild 项目环境变量不应包含明文凭证 |
|
|
PCI DSS v3.2.1 |
PCI.Config.1 应启用 Amazon Config |
|
|
PCI DSS v3.2.1 |
PCI.CW.1 应具有有关“根”用户使用的日志指标筛选条件和警报 |
|
|
PCI DSS v3.2.1 |
PCI.DMS.1 Database Migration Service 复制实例不应公开 |
|
|
PCI DSS v3.2.1 |
PCI.EC2.1 不应公开还原 EBS 快照 |
|
|
PCI DSS v3.2.1 |
PCI.EC2.2 VPC 默认安全组应禁止入站和出站流量 |
|
|
PCI DSS v3.2.1 |
PCI.EC2.4 应删除未使用的 EC2 EIP |
|
|
PCI DSS v3.2.1 |
PCI.EC2.5 不允许安全组从 0.0.0.0/0 到端口 22 的入站流量 |
|
|
PCI DSS v3.2.1 |
应在所有 VPC 中启用 PCI.EC2.6 VPC 流日志记录 |
|
|
PCI DSS v3.2.1 |
PCI.ELBv2.1 应用程序负载均衡器应配置为将所有 HTTP 请求重定向到 HTTPS |
|
|
PCI DSS v3.2.1 |
PCI.ES.1 Elasticsearch 域应位于 VPC 中 |
|
|
PCI DSS v3.2.1 |
PCI.ES.2 Elasticsearch 域应启用静态加密 |
|
|
PCI DSS v3.2.1 |
应该启用 PCI.GuardDuty.1 GuardDuty |
|
|
PCI DSS v3.2.1 |
PCI.IAM.1 IAM 根用户访问密钥不应存在 |
|
|
PCI DSS v3.2.1 |
PCI.IAM.2 IAM 用户不应附加 IAM policy |
|
|
PCI DSS v3.2.1 |
PCI.IAM.3 IAM policy 不应允许完全“*”管理权限 |
|
|
PCI DSS v3.2.1 |
PCI.IAM.4 应该为根用户启用硬件 MFA |
|
|
PCI DSS v3.2.1 |
PCI.IAM.5 应该为根用户启用虚拟 MFA |
|
|
PCI DSS v3.2.1 |
PCI.IAM.6 应该为所有 IAM 用户启用 MFA |
|
|
PCI DSS v3.2.1 |
如果未在预定义的天数内使用 PCI.IAM.7 IAM 用户凭证,则应禁用 |
|
|
PCI DSS v3.2.1 |
PCI.IAM.8 IAM 用户的密码策略应具有可靠的配置 |
|
|
PCI DSS v3.2.1 |
PCI.KMS.1 应启用客户主密钥 (CMK) 轮换 |
|
|
PCI DSS v3.2.1 |
PCI.Lambda.1 Lambda 函数应禁止公开访问 |
|
|
PCI DSS v3.2.1 |
PCI.Lambda.2 Lambda 函数应位于 VPC 中 |
|
|
PCI DSS v3.2.1 |
PCI.Opensearch.1 OpenSearch 域名应该在 VPC 中 |
|
|
PCI DSS v3.2.1 |
PCI.Opensearch.2 不应公开还原 EBS 快照 |
|
|
PCI DSS v3.2.1 |
PCI.RDS.1 RDS 快照应为私有快照 |
|
|
PCI DSS v3.2.1 |
PCI.RDS.2 RDS 数据库实例应禁止公开访问 |
|
|
PCI DSS v3.2.1 |
PCI.Redshift.1 Amazon Redshift 集群应禁止公共访问 |
|
|
PCI DSS v3.2.1 |
PCI.S3.1 S3 存储桶应禁止公开写入访问 |
|
|
PCI DSS v3.2.1 |
PCI.S3.2 S3 存储桶应禁止公开读取访问 |
|
|
PCI DSS v3.2.1 |
PCI.S3.3 S3 存储桶应启用跨区域复制 |
|
|
PCI DSS v3.2.1 |
PCI.S3.5 S3 存储桶应要求请求才能使用安全套接字层 |
|
|
PCI DSS v3.2.1 |
PCI.S3.6 应启用 S3 阻止公有访问设置 |
|
|
PCI DSS v3.2.1 |
PCI.SageMaker.1 Amazon SageMaker 笔记本实例不应直接访问 Internet |
|
|
PCI DSS v3.2.1 |
PCI.SSM.1 由 Systems Manager 管理的 EC2 实例在安装补丁后应具有 COMPLIANT 的补丁合规性状态 |
[SSM.2] 由 Systems Manager 管理的 Amazon EC2 实例在安装补丁后应具有 COMPLIANT 的补丁合规性状态 |
|
PCI DSS v3.2.1 |
由 Systems Manager 管理的 PCI.SSM.2 EC2 实例的关联合规性的状态应为 COMPLIANT |
[SSM.3] 由 Systems Manager 管理的 Amazon EC2 实例的关联合规状态应为 COMPLIANT |
|
PCI DSS v3.2.1 |
PCI.SSM.3 EC2 实例应由 Amazon Systems Manager 管理 |
更新工作流以进行整合。
如果工作流不依赖于控件调查发现中任何字段的特定格式,则无需执行任何操作。
如果工作流依赖于控件调查发现中一个或多个字段的特定格式,则应更新工作流。例如,如果您创建的 Amazon EventBridge 规则触发了针对特定控件 ID 的操作(例如,如果控件 ID 等于 CIS 2.7,则调用 Amazon Lambda 函数),则应更新该规则才能使用 CloudTrail.2(即该控件的 Compliance.SecurityControlId 字段的值)。
如果您创建了使用任何已更改字段或值的自定义见解,请更新这些见解以使用新字段或值。