Amazon Config resources required for Security Hub control findings - Amazon Security Hub
The Amazon Web Services services or features described in the Amazon Web Services documentation might vary by Region. To see the differences that apply to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

This page was machine translated from the English original. If this translation and the English original differ, the English original takes precedence.

Amazon Config resources required for Security Hub control findings

Some Amazon Security Hub controls use service-linked Amazon Config rules to detect configuration changes in your Amazon resources. For Security Hub to generate accurate control findings, you must enable Amazon Config and turn on resource recording in Amazon Config. For background on how Security Hub uses Amazon Config rules, and on how to enable and configure Amazon Config, see Enabling and configuring Amazon Config for Security Hub.

To get accurate control findings, you must turn on Amazon Config resource recording for enabled controls that use the change-triggered schedule type. Some controls with a periodic schedule type also require resource recording.

This page lists the resources that each Security Hub control requires.

Security Hub controls can rely on managed Amazon Config rules or on custom Security Hub rules. Make sure that no Amazon Identity and Access Management (IAM) policy, and no policy managed in Organizations, prevents Amazon Config from having permission to record your resources. Security Hub control checks evaluate a resource's configuration directly and do not take organization policies into account. For more information about Amazon Config recording, see List of Amazon Config Managed Rules - Considerations in the Amazon Config Developer Guide.

Note

If a control isn't available in an Amazon Web Services Region, the corresponding resource isn't available in Amazon Config in that Region. For a list of the Regional limits that apply to Security Hub controls, see Regional limits for Security Hub controls.
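The paragraphs above say that findings are only accurate when the recorder actually records every resource type a control needs. The following added example (not code from the Security Hub or Amazon Config documentation) shows how to check that offline: it takes a recorder description in the shape of the Amazon Config API's ConfigurationRecorder.recordingGroup object (allSupported, includeGlobalResourceTypes, resourceTypes, exclusionByResourceTypes, recordingStrategy.useOnly) and the resource types this page lists for CIS v1.2.0, and reports which required types the recorder would not record. It also covers the usual trap with global IAM types: under allSupported they are recorded only when includeGlobalResourceTypes is also set. The recorder dictionaries are constructed sample input, not captured from a real account.

```python
"""Check whether an Amazon Config recorder records the resource types a
Security Hub standard needs.

Added example for this page; not code from the Security Hub or Amazon Config
documentation. The recorder dictionaries follow the shape of the Amazon Config
API's ConfigurationRecorder.recordingGroup object; the values are constructed
sample input, not captured from a real account.
"""
from __future__ import annotations

from typing import Callable

# The resource types this page lists for CIS v1.2.0.
CIS_V1_2_0_REQUIRED = [
    "AWS::EC2::SecurityGroup",
    "AWS::IAM::Policy",
    "AWS::IAM::User",
]

# Global IAM resource types. With allSupported=true, Amazon Config records
# these only when includeGlobalResourceTypes is also true (behaviour taken
# from the Config API documentation for includeGlobalResourceTypes).
GLOBAL_IAM_TYPES = {
    "AWS::IAM::Group",
    "AWS::IAM::Policy",
    "AWS::IAM::Role",
    "AWS::IAM::User",
}


def records_type(recording_group: dict) -> Callable[[str], bool]:
    """Build a predicate `resource type -> bool` from one recordingGroup."""
    strategy = recording_group.get("recordingStrategy", {}).get("useOnly")
    if strategy is None:
        # Older recorder descriptions carry no recordingStrategy; derive it
        # from the legacy allSupported flag.
        strategy = ("ALL_SUPPORTED_RESOURCE_TYPES"
                    if recording_group.get("allSupported")
                    else "INCLUSION_BY_RESOURCE_TYPES")

    if strategy == "ALL_SUPPORTED_RESOURCE_TYPES":
        globals_on = bool(recording_group.get("includeGlobalResourceTypes"))
        return lambda rtype: globals_on or rtype not in GLOBAL_IAM_TYPES

    if strategy == "INCLUSION_BY_RESOURCE_TYPES":
        included = set(recording_group.get("resourceTypes", []))
        return lambda rtype: rtype in included

    if strategy == "EXCLUSION_BY_RESOURCE_TYPES":
        # Everything supported is recorded except the listed types.
        excluded = set(
            recording_group.get("exclusionByResourceTypes", {}).get("resourceTypes", [])
        )
        return lambda rtype: rtype not in excluded

    raise ValueError(f"unknown recording strategy: {strategy}")


def missing_resource_types(recorder: dict, required: list[str]) -> list[str]:
    """Return the required types this recorder does not record, sorted."""
    is_recorded = records_type(recorder.get("recordingGroup", {}))
    return sorted(rtype for rtype in required if not is_recorded(rtype))


# Constructed sample recorders (not real account data).
INCLUSION_ONLY_SG = {
    "name": "default",
    "recordingGroup": {
        "allSupported": False,
        "includeGlobalResourceTypes": False,
        "resourceTypes": ["AWS::EC2::SecurityGroup"],
        "recordingStrategy": {"useOnly": "INCLUSION_BY_RESOURCE_TYPES"},
    },
}
ALL_NO_GLOBALS = {
    "name": "default",
    "recordingGroup": {
        "allSupported": True,
        "includeGlobalResourceTypes": False,
        "recordingStrategy": {"useOnly": "ALL_SUPPORTED_RESOURCE_TYPES"},
    },
}
ALL_WITH_GLOBALS = {
    "name": "default",
    "recordingGroup": {"allSupported": True, "includeGlobalResourceTypes": True},
}
EXCLUDE_IAM_USER = {
    "name": "default",
    "recordingGroup": {
        "exclusionByResourceTypes": {"resourceTypes": ["AWS::IAM::User"]},
        "recordingStrategy": {"useOnly": "EXCLUSION_BY_RESOURCE_TYPES"},
    },
}

if __name__ == "__main__":
    samples = [("inclusion", INCLUSION_ONLY_SG), ("all/no-globals", ALL_NO_GLOBALS),
               ("all/globals", ALL_WITH_GLOBALS), ("exclusion", EXCLUDE_IAM_USER)]
    for label, rec in samples:
        print(f"{label:15} missing: {missing_resource_types(rec, CIS_V1_2_0_REQUIRED)}")
```

To run this against a real account, feed `missing_resource_types` the `ConfigurationRecorders[0]` element returned by the Config `DescribeConfigurationRecorders` API and the resource list for the standard you have enabled; the second sample shows why an "all supported" recorder can still leave the IAM-based CIS controls without data.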

Resources required for all Security Hub controls

For Security Hub to generate findings for enabled change-triggered Security Hub controls that use Amazon Config rules, you must record these resources in Amazon Config. The table also indicates which controls evaluate a given resource. A single control can evaluate multiple resources.

Service / Required resource / Related controls

Amazon API Gateway
  AWS::ApiGateway::Stage: APIGateway.1, APIGateway.2, APIGateway.3, APIGateway.4, APIGateway.5
  AWS::ApiGatewayV2::Stage: APIGateway.1, APIGateway.9

Amazon AppSync
  AWS::AppSync::GraphQLApi: AppSync.2, AppSync.4, AppSync.5
  AWS::AppSync::ApiCache: AppSync.1, AppSync.6

Amazon Backup (Amazon Backup)
  AWS::Backup::BackupPlan: Backup.5
  AWS::Backup::BackupVault: Backup.3
  AWS::Backup::RecoveryPoint: Backup.1, Backup.2
  AWS::Backup::ReportPlan: Backup.4

Amazon Certificate Manager (ACM)
  AWS::ACM::Certificate: ACM.1, ACM.2, ACM.3

Amazon Athena
  AWS::Athena::DataCatalog: Athena.2
  AWS::Athena::WorkGroup: Athena.3, Athena.4

Amazon CloudFormation
  AWS::CloudFormation::Stack: CloudFormation.2

Amazon CloudFront
  AWS::CloudFront::Distribution: CloudFront.1, CloudFront.3, CloudFront.4, CloudFront.5, CloudFront.6, CloudFront.7, CloudFront.8, CloudFront.9, CloudFront.10, CloudFront.13, CloudFront.14

Amazon CloudTrail
  AWS::CloudTrail::Trail: CloudTrail.9

Amazon CloudWatch
  AWS::CloudWatch::Alarm: CloudWatch.15, CloudWatch.17

Amazon CodeArtifact
  AWS::CodeArtifact::Repository: CodeArtifact.1

Amazon CodeBuild
  AWS::CodeBuild::Project: CodeBuild.1, CodeBuild.2, CodeBuild.3, CodeBuild.4
  AWS::CodeBuild::ReportGroup: CodeBuild.7

Amazon Cognito
  AWS::Cognito::UserPool: Cognito.1

Amazon DataSync
  AWS::DataSync::Task: DataSync.1

Amazon Detective
  AWS::Detective::Graph: Detective.1

Amazon Database Migration Service (Amazon DMS)
  AWS::DMS::Certificate: DMS.2
  AWS::DMS::Endpoint: DMS.9, DMS.10, DMS.11, DMS.12
  AWS::DMS::EventSubscription: DMS.3
  AWS::DMS::ReplicationInstance: DMS.4, DMS.6
  AWS::DMS::ReplicationSubnetGroup: DMS.5
  AWS::DMS::ReplicationTask: DMS.7, DMS.8

Amazon DynamoDB
  AWS::DynamoDB::Table: DynamoDB.1, DynamoDB.2, DynamoDB.5, DynamoDB.6

Amazon Elastic Compute Cloud (Amazon EC2)
  AWS::EC2::ClientVpnEndpoint: EC2.51
  AWS::EC2::CustomerGateway: EC2.36
  AWS::EC2::EIP: EC2.12, EC2.37
  AWS::EC2::FlowLog: EC2.48
  AWS::EC2::Instance: EC2.4, EC2.8, EC2.9, EC2.17, EC2.24, EC2.38, EMR.1, SSM.1
  AWS::EC2::InternetGateway: EC2.39
  AWS::EC2::LaunchTemplate: EC2.25, EC2.170
  AWS::EC2::NatGateway: EC2.40
  AWS::EC2::NetworkAcl: EC2.16, EC2.21, EC2.41
  AWS::EC2::NetworkInterface: EC2.22, EC2.35
  AWS::EC2::RouteTable: EC2.42
  AWS::EC2::SecurityGroup: EC2.2, EC2.13, EC2.14, EC2.18, EC2.19, EC2.43
  AWS::EC2::Subnet: EC2.15, EC2.44, ElastiCache.7
  AWS::EC2::TransitGateway: EC2.23, EC2.52
  AWS::EC2::TransitGatewayAttachment: EC2.33
  AWS::EC2::TransitGatewayRouteTable: EC2.34
  AWS::EC2::Volume: EC2.3, EC2.45
  AWS::EC2::VPC: EC2.6, EC2.46
  AWS::EC2::VPCEndpointService: EC2.47
  AWS::EC2::VPCPeeringConnection: EC2.49
  AWS::EC2::VPNConnection: EC2.20, EC2.171
  AWS::EC2::VPNGateway: EC2.50

Amazon EC2 Auto Scaling
  AWS::AutoScaling::AutoScalingGroup: AutoScaling.1, AutoScaling.2, AutoScaling.6, AutoScaling.9, AutoScaling.10
  AWS::AutoScaling::LaunchConfiguration: AutoScaling.3, AutoScaling.5

Amazon EC2 Systems Manager (SSM)
  AWS::SSM::AssociationCompliance: SSM.3
  AWS::SSM::ManagedInstanceInventory: SSM.1
  AWS::SSM::PatchCompliance: SSM.2

Amazon Elastic Container Registry (Amazon ECR)
  AWS::ECR::PublicRepository: ECR.4
  AWS::ECR::Repository: ECR.2, ECR.3

Amazon Elastic Container Service (Amazon ECS)
  AWS::ECS::Cluster: ECS.12, ECS.14
  AWS::ECS::Service: ECS.2, ECS.10, ECS.13
  AWS::ECS::TaskDefinition: ECS.1, ECS.3, ECS.4, ECS.5, ECS.8, ECS.9, ECS.15
  AWS::ECS::TaskSet: ECS.16

Amazon Elastic File System (Amazon EFS)
  AWS::EFS::AccessPoint: EFS.3, EFS.4, EFS.5
  AWS::EFS::FileSystem: EFS.7, EFS.8

Amazon Elastic Kubernetes Service (Amazon EKS)
  AWS::EKS::Cluster: EKS.2, EKS.6, EKS.8
  AWS::EKS::IdentityProviderConfig: EKS.7

Amazon Elastic Beanstalk
  AWS::ElasticBeanstalk::Environment: ElasticBeanstalk.1, ElasticBeanstalk.2, ElasticBeanstalk.3

Elastic Load Balancing
  AWS::ElasticLoadBalancing::LoadBalancer: ELB.2, ELB.3, ELB.5, ELB.7, ELB.8, ELB.9, ELB.10, ELB.14
  AWS::ElasticLoadBalancingV2::LoadBalancer: ELB.1, ELB.4, ELB.5, ELB.6, ELB.12, ELB.13, ELB.16

ElasticSearch
  AWS::Elasticsearch::Domain: ES.3, ES.4, ES.5, ES.6, ES.7, ES.8, ES.9

Amazon EventBridge
  AWS::Events::EventBus: EventBridge.2, EventBridge.3
  AWS::Events::Endpoint: EventBridge.4

Amazon Global Accelerator
  AWS::GlobalAccelerator::Accelerator: GlobalAccelerator.1

Amazon Glue
  AWS::Glue::Job: Glue.1
  AWS::Glue::MLTransform: Glue.3

Amazon GuardDuty
  AWS::GuardDuty::Detector: GuardDuty.4
  AWS::GuardDuty::Filter: GuardDuty.2
  AWS::GuardDuty::IPSet: GuardDuty.3

Amazon Identity and Access Management (IAM)
  AWS::IAM::Group: IAM.27, KMS.2
  AWS::IAM::Policy: IAM.1, IAM.21, KMS.1
  AWS::IAM::Role: IAM.24, IAM.27, KMS.2
  AWS::IAM::User: IAM.2, IAM.3, IAM.5, IAM.8, IAM.19, IAM.22, IAM.25, IAM.27, KMS.2

Amazon Identity and Access Management Access Analyzer
  AWS::AccessAnalyzer::Analyzer: IAM.23

Amazon IoT
  AWS::IoT::Authorizer: IoT.4
  AWS::IoT::Dimension: IoT.3
  AWS::IoT::MitigationAction: IoT.2
  AWS::IoT::Policy: IoT.6
  AWS::IoT::RoleAlias: IoT.5
  AWS::IoT::SecurityProfile: IoT.1

Amazon Kinesis
  AWS::Kinesis::Stream: Kinesis.1, Kinesis.2, Kinesis.3

Amazon Key Management Service (Amazon KMS)
  AWS::KMS::Alias: S3.17
  AWS::KMS::Key: KMS.3, KMS.5, S3.17

Amazon Lambda
  AWS::Lambda::Function: Lambda.1, Lambda.2, Lambda.3, Lambda.5, Lambda.6

Amazon MSK
  AWS::MSK::Cluster: MSK.1, MSK.2
  AWS::KafkaConnect::Connector: MSK.3

Amazon MQ
  AWS::AmazonMQ::Broker: MQ.2, MQ.3, MQ.4, MQ.5, MQ.6

Amazon Network Firewall
  AWS::NetworkFirewall::Firewall: NetworkFirewall.1, NetworkFirewall.7, NetworkFirewall.9
  AWS::NetworkFirewall::FirewallPolicy: NetworkFirewall.3, NetworkFirewall.4, NetworkFirewall.5, NetworkFirewall.8
  AWS::NetworkFirewall::RuleGroup: NetworkFirewall.6

Amazon OpenSearch Service
  AWS::OpenSearch::Domain: Opensearch.1, Opensearch.2, Opensearch.3, Opensearch.4, Opensearch.5, Opensearch.6, Opensearch.7, Opensearch.8, Opensearch.9, Opensearch.10, Opensearch.11

Amazon Relational Database Service (Amazon RDS)
  AWS::RDS::DBCluster: DocumentDB.1, DocumentDB.2, DocumentDB.4, DocumentDB.5, Neptune.1, Neptune.2, Neptune.4, Neptune.5, Neptune.7, Neptune.8, Neptune.9, RDS.7, RDS.12, RDS.14, RDS.15, RDS.16, RDS.24, RDS.27, RDS.28, RDS.34, RDS.35, RDS.37
  AWS::RDS::DBClusterSnapshot: DocumentDB.3, Neptune.3, Neptune.6, RDS.1, RDS.4, RDS.29
  AWS::RDS::DBInstance: RDS.2, RDS.3, RDS.5, RDS.6, RDS.8, RDS.9, RDS.10, RDS.11, RDS.13, RDS.17, RDS.18, RDS.23, RDS.25, RDS.30, RDS.36
  AWS::RDS::DBSecurityGroup: RDS.31
  AWS::RDS::DBSnapshot: RDS.1, RDS.4, RDS.32
  AWS::RDS::DBSubnetGroup: RDS.33
  AWS::RDS::EventSubscription: RDS.19, RDS.20, RDS.21, RDS.22

Amazon Redshift
  AWS::Redshift::Cluster: Redshift.1, Redshift.2, Redshift.3, Redshift.4, Redshift.6, Redshift.7, Redshift.8, Redshift.9, Redshift.10, Redshift.11
  AWS::Redshift::ClusterParameterGroup: Redshift.2
  AWS::Redshift::ClusterSnapshot: Redshift.13
  AWS::Redshift::ClusterSubnetGroup: Redshift.14, Redshift.16
  AWS::Redshift::EventSubscription: Redshift.12

Amazon Route 53
  AWS::Route53::HostedZone: Route53.2
  AWS::Route53::HealthCheck: Route53.1

Amazon Simple Storage Service (Amazon S3)
  AWS::S3::AccessPoint: S3.19
  AWS::S3::AccountPublicAccessBlock: S3.2, S3.3
  AWS::S3::Bucket: S3.2, S3.3, S3.5, S3.6, S3.7, S3.8, S3.9, S3.10, S3.11, S3.12, S3.13, S3.14, S3.15, S3.17, S3.20
  AWS::S3::MultiRegionAccessPoint: S3.24

Amazon SageMaker AI
  AWS::SageMaker::NotebookInstance: SageMaker.2, SageMaker.3

Amazon Secrets Manager
  AWS::SecretsManager::Secret: SecretsManager.1, SecretsManager.2, SecretsManager.5

Amazon Service Catalog
  AWS::ServiceCatalog::Portfolio: ServiceCatalog.1

Amazon Simple Email Service (Amazon SES)
  AWS::SES::ConfigurationSet: SES.2
  AWS::SES::ContactList: SES.1

Amazon Simple Notification Service (Amazon SNS)
  AWS::SNS::Topic: SNS.1, SNS.3, SNS.4

Amazon Simple Queue Service (Amazon SQS)
  AWS::SQS::Queue: SQS.1, SQS.2

Amazon Step Functions
  AWS::StepFunctions::StateMachine: StepFunctions.1
  AWS::StepFunctions::Activity: StepFunctions.2

Amazon Transfer Family
  AWS::Transfer::Workflow: Transfer.1

Amazon WAF
  AWS::WAF::Rule: WAF.6
  AWS::WAF::RuleGroup: WAF.7
  AWS::WAF::WebACL: WAF.1, WAF.8
  AWS::WAFRegional::Rule: WAF.2
  AWS::WAFRegional::RuleGroup: WAF.3
  AWS::WAFRegional::WebACL: WAF.4
  AWS::WAFv2::RuleGroup: WAF.12
  AWS::WAFv2::WebACL: WAF.10, WAF.11

Amazon WorkSpaces
  AWS::WorkSpaces::WorkSpace: WorkSpaces.1, WorkSpaces.2

Resources required for the FSBP standard

For Security Hub to accurately report findings for enabled change-triggered controls of the Amazon Foundational Security Best Practices v1.0.0 (FSBP) standard that use Amazon Config rules, you must record these resources in Amazon Config. For more information about this standard, see Amazon Foundational Security Best Practices (FSBP) v1.0.0 standard.

Service / Required resources

Amazon API Gateway: AWS::ApiGateway::Stage, AWS::ApiGatewayV2::Stage
Amazon AppSync: AWS::AppSync::ApiCache, AWS::AppSync::GraphQLApi
Amazon Backup: AWS::Backup::RecoveryPoint
Amazon Certificate Manager (ACM): AWS::ACM::Certificate
Amazon CloudFormation: AWS::CloudFormation::Stack
Amazon CloudFront: AWS::CloudFront::Distribution
Amazon CodeBuild: AWS::CodeBuild::Project, AWS::CodeBuild::ReportGroup
Amazon Cognito: AWS::Cognito::UserPool
Amazon DataSync: AWS::DataSync::Task
Amazon Database Migration Service (Amazon DMS): AWS::DMS::Endpoint, AWS::DMS::ReplicationInstance, AWS::DMS::ReplicationTask
Amazon DynamoDB: AWS::DynamoDB::Table
Amazon EC2 Systems Manager (SSM): AWS::SSM::AssociationCompliance, AWS::SSM::ManagedInstanceInventory, AWS::SSM::PatchCompliance
Amazon Elastic Compute Cloud (Amazon EC2): AWS::EC2::ClientVpnEndpoint, AWS::EC2::Instance, AWS::EC2::LaunchTemplate, AWS::EC2::NetworkAcl, AWS::EC2::NetworkInterface, AWS::EC2::SecurityGroup, AWS::EC2::Subnet, AWS::EC2::TransitGateway, AWS::EC2::VPNConnection, AWS::EC2::Volume
Amazon EC2 Auto Scaling: AWS::AutoScaling::AutoScalingGroup, AWS::AutoScaling::LaunchConfiguration
Amazon Elastic Container Registry (Amazon ECR): AWS::ECR::Repository
Amazon Elastic Container Service (Amazon ECS): AWS::ECS::Cluster, AWS::ECS::Service, AWS::ECS::TaskDefinition, AWS::ECS::TaskSet
Amazon Elastic File System (Amazon EFS): AWS::EFS::AccessPoint, AWS::EFS::FileSystem
Amazon EKS: AWS::EKS::Cluster
ElasticBeanstalk: AWS::ElasticBeanstalk::Environment
Elastic Load Balancing: AWS::ElasticLoadBalancing::LoadBalancer, AWS::ElasticLoadBalancingV2::LoadBalancer
ElasticSearch: AWS::Elasticsearch::Domain
Amazon Glue: AWS::Glue::Job, AWS::Glue::MLTransform
Amazon Identity and Access Management (IAM): AWS::IAM::Group, AWS::IAM::Policy, AWS::IAM::Role, AWS::IAM::User
Amazon Kinesis: AWS::Kinesis::Stream
Amazon Key Management Service (Amazon KMS): AWS::KMS::Key
Amazon Lambda: AWS::Lambda::Function
Amazon MSK: AWS::MSK::Cluster, AWS::KafkaConnect::Connector
Amazon Network Firewall: AWS::NetworkFirewall::Firewall, AWS::NetworkFirewall::FirewallPolicy, AWS::NetworkFirewall::RuleGroup
Amazon OpenSearch Service: AWS::OpenSearch::Domain
Amazon Relational Database Service (Amazon RDS): AWS::RDS::DBCluster, AWS::RDS::DBClusterSnapshot, AWS::RDS::DBInstance, AWS::RDS::DBSnapshot, AWS::RDS::EventSubscription
Amazon Redshift: AWS::Redshift::Cluster, AWS::Redshift::ClusterSubnetGroup
Amazon Route 53: AWS::Route53::HostedZone
Amazon Simple Storage Service (Amazon S3): AWS::S3::AccessPoint, AWS::S3::AccountPublicAccessBlock, AWS::S3::Bucket, AWS::S3::MultiRegionAccessPoint
Amazon SageMaker AI: AWS::SageMaker::NotebookInstance
Amazon Simple Notification Service (Amazon SNS): AWS::SNS::Topic
Amazon Simple Queue Service (Amazon SQS): AWS::SQS::Queue
Amazon Secrets Manager: AWS::SecretsManager::Secret
Amazon Step Functions: AWS::StepFunctions::StateMachine
Amazon WAF: AWS::WAF::Rule, AWS::WAF::RuleGroup, AWS::WAF::WebACL, AWS::WAFRegional::Rule, AWS::WAFRegional::RuleGroup, AWS::WAFRegional::WebACL, AWS::WAFv2::RuleGroup, AWS::WAFv2::WebACL
Amazon WorkSpaces: AWS::WorkSpaces::WorkSpace

Resources required for the CIS Amazon Foundations Benchmark

To run security checks for enabled controls that apply to the Center for Internet Security (CIS) Amazon Foundations Benchmark, Security Hub either runs through the exact audit steps prescribed for the check in Securing Amazon Web Services, or uses specific Amazon Config managed rules.

For more information about this standard, see CIS Amazon Foundations Benchmark.

Resources required for CIS v3.0.0

For Security Hub to accurately report findings for enabled CIS v3.0.0 change-triggered controls that use Amazon Config rules, you must record these resources in Amazon Config.

Service / Required resources

Amazon Elastic Compute Cloud (Amazon EC2): AWS::EC2::Instance, AWS::EC2::NetworkAcl, AWS::EC2::SecurityGroup
Amazon Identity and Access Management (IAM): AWS::IAM::Group, AWS::IAM::User, AWS::IAM::Role
Amazon Relational Database Service (Amazon RDS): AWS::RDS::DBInstance
Amazon Simple Storage Service (Amazon S3): AWS::S3::Bucket

Resources required for CIS v1.4.0

For Security Hub to accurately report findings for enabled CIS v1.4.0 change-triggered controls that use Amazon Config rules, you must record these resources in Amazon Config.

Service / Required resources

Amazon Elastic Compute Cloud (Amazon EC2): AWS::EC2::NetworkAcl, AWS::EC2::SecurityGroup
Amazon Identity and Access Management (IAM): AWS::IAM::Policy, AWS::IAM::User
Amazon Relational Database Service (Amazon RDS): AWS::RDS::DBInstance
Amazon Simple Storage Service (Amazon S3): AWS::S3::Bucket

Resources required for CIS v1.2.0

For Security Hub to accurately report findings for enabled CIS v1.2.0 change-triggered controls that use Amazon Config rules, you must record these resources in Amazon Config.

Service / Required resources

Amazon Elastic Compute Cloud (Amazon EC2): AWS::EC2::SecurityGroup
Amazon Identity and Access Management (IAM): AWS::IAM::Policy, AWS::IAM::User

Resources required for NIST SP 800-53 Rev. 5

For Security Hub to accurately report findings for enabled National Institute of Standards and Technology (NIST) SP 800-53 Rev. 5 change-triggered controls that use Amazon Config rules, you must record these resources in Amazon Config. You only need to record resources for controls that have the change-triggered schedule type. For more information about this standard, see NIST SP 800-53 Rev. 5 in Security Hub.

Service / Required resources

Amazon API Gateway: AWS::ApiGateway::Stage, AWS::ApiGatewayV2::Stage
Amazon AppSync: AWS::AppSync::GraphQLApi
Amazon Backup: AWS::Backup::RecoveryPoint
Amazon Certificate Manager (ACM): AWS::ACM::Certificate
Amazon CloudFormation: AWS::CloudFormation::Stack
Amazon CloudFront: AWS::CloudFront::Distribution
Amazon CloudWatch: AWS::CloudWatch::Alarm
Amazon CodeBuild: AWS::CodeBuild::Project
Amazon Database Migration Service (Amazon DMS): AWS::DMS::Endpoint, AWS::DMS::ReplicationInstance, AWS::DMS::ReplicationTask
Amazon DynamoDB: AWS::DynamoDB::Table
Amazon Elastic Compute Cloud (Amazon EC2): AWS::EC2::ClientVpnEndpoint, AWS::EC2::EIP, AWS::EC2::Instance, AWS::EC2::LaunchTemplate, AWS::EC2::NetworkAcl, AWS::EC2::NetworkInterface, AWS::EC2::SecurityGroup, AWS::EC2::Subnet, AWS::EC2::TransitGateway, AWS::EC2::VPNConnection, AWS::EC2::Volume
Amazon EC2 Auto Scaling: AWS::AutoScaling::AutoScalingGroup, AWS::AutoScaling::LaunchConfiguration
Amazon Elastic Container Registry (Amazon ECR): AWS::ECR::Repository
Amazon Elastic Container Service (Amazon ECS): AWS::ECS::Cluster, AWS::ECS::Service, AWS::ECS::TaskDefinition
Amazon Elastic File System (Amazon EFS): AWS::EFS::AccessPoint
Amazon EKS: AWS::EKS::Cluster
ElasticBeanstalk: AWS::ElasticBeanstalk::Environment
Elastic Load Balancing: AWS::ElasticLoadBalancing::LoadBalancer, AWS::ElasticLoadBalancingV2::LoadBalancer
ElasticSearch: AWS::Elasticsearch::Domain
Amazon EventBridge: AWS::Events::Endpoint, AWS::Events::EventBus
Amazon Identity and Access Management (IAM): AWS::IAM::Group, AWS::IAM::Policy, AWS::IAM::Role, AWS::IAM::User
Amazon Key Management Service (Amazon KMS): AWS::KMS::Alias, AWS::KMS::Key
Amazon Kinesis: AWS::Kinesis::Stream
Amazon Lambda: AWS::Lambda::Function
Amazon MSK: AWS::MSK::Cluster
Amazon MQ: AWS::AmazonMQ::Broker
Amazon Network Firewall: AWS::NetworkFirewall::Firewall, AWS::NetworkFirewall::FirewallPolicy, AWS::NetworkFirewall::RuleGroup
Amazon OpenSearch Service: AWS::OpenSearch::Domain
Amazon Relational Database Service (Amazon RDS): AWS::RDS::DBCluster, AWS::RDS::DBClusterSnapshot, AWS::RDS::DBInstance, AWS::RDS::DBSnapshot, AWS::RDS::EventSubscription
Amazon Redshift: AWS::Redshift::Cluster, AWS::Redshift::ClusterSubnetGroup
Amazon Route 53: AWS::Route53::HostedZone
Amazon Simple Storage Service (Amazon S3): AWS::S3::AccountPublicAccessBlock, AWS::S3::AccessPoint, AWS::S3::Bucket
Amazon Service Catalog: AWS::ServiceCatalog::Portfolio
Amazon Simple Notification Service (Amazon SNS): AWS::SNS::Topic
Amazon Simple Queue Service (Amazon SQS): AWS::SQS::Queue
Amazon EC2 Systems Manager (SSM): AWS::SSM::AssociationCompliance, AWS::SSM::ManagedInstanceInventory, AWS::SSM::PatchCompliance
Amazon SageMaker AI: AWS::SageMaker::NotebookInstance
Amazon Secrets Manager: AWS::SecretsManager::Secret
Amazon WAF: AWS::WAF::Rule, AWS::WAF::RuleGroup, AWS::WAF::WebACL, AWS::WAFRegional::Rule, AWS::WAFRegional::RuleGroup, AWS::WAFRegional::WebACL, AWS::WAFv2::RuleGroup, AWS::WAFv2::WebACL

Resources required for PCI DSS v3.2.1

For Security Hub to accurately report findings for enabled Payment Card Industry Data Security Standard (PCI DSS) controls that use Amazon Config rules, you must record these resources in Amazon Config. For more information about this standard, see PCI DSS in Security Hub.

Service / Required resources

Amazon CodeBuild: AWS::CodeBuild::Project
Amazon Elastic Compute Cloud (Amazon EC2): AWS::EC2::EIP, AWS::EC2::Instance, AWS::EC2::SecurityGroup
Amazon EC2 Auto Scaling: AWS::AutoScaling::AutoScalingGroup
Amazon Identity and Access Management (IAM): AWS::IAM::Policy, AWS::IAM::User
Amazon Lambda: AWS::Lambda::Function
Amazon OpenSearch Service: AWS::OpenSearch::Domain
Amazon Relational Database Service (Amazon RDS): AWS::RDS::DBClusterSnapshot, AWS::RDS::DBInstance, AWS::RDS::DBSnapshot
Amazon Redshift: AWS::Redshift::Cluster
Amazon Simple Storage Service (Amazon S3): AWS::S3::AccountPublicAccessBlock, AWS::S3::Bucket
Amazon EC2 Systems Manager (SSM): AWS::SSM::AssociationCompliance, AWS::SSM::ManagedInstanceInventory, AWS::SSM::PatchCompliance

Resources required for the Amazon Resource Tagging Standard

All controls in the Amazon Resource Tagging Standard are change-triggered and use Amazon Config rules. For Security Hub to accurately report findings for these controls, you must record the following resources in Amazon Config. You only need to record resources for controls that have the change-triggered schedule type. For more information about this standard, see Amazon Resource Tagging Standard.

Service / Required resources

Amazon AppSync: AWS::AppSync::GraphQLApi
Amazon Athena: AWS::Athena::DataCatalog, AWS::Athena::WorkGroup
Amazon Certificate Manager (ACM): AWS::ACM::Certificate
Amazon Backup (Amazon Backup): AWS::Backup::BackupPlan, AWS::Backup::BackupVault, AWS::Backup::RecoveryPlan, AWS::Backup::ReportPlan
Amazon CloudFormation: AWS::CloudFormation::Stack
Amazon CloudFront: AWS::CloudFront::Distribution
Amazon CloudTrail: AWS::CloudTrail::Trail
Amazon CodeArtifact: AWS::CodeArtifact::Repository
Amazon Detective: AWS::Detective::Graph
Amazon Database Migration Service (Amazon DMS): AWS::DMS::Certificate, AWS::DMS::EventSubscription, AWS::DMS::ReplicationInstance, AWS::DMS::ReplicationSubnetGroup
Amazon DynamoDB: AWS::DynamoDB::Trail
Amazon Elastic Compute Cloud (Amazon EC2): AWS::EC2::CustomerGateway, AWS::EC2::EIP, AWS::EC2::FlowLog, AWS::EC2::Instance, AWS::EC2::InternetGateway, AWS::EC2::NatGateway, AWS::EC2::NetworkAcl, AWS::EC2::NetworkInterface, AWS::EC2::RouteTable, AWS::EC2::SecurityGroup, AWS::EC2::Subnet, AWS::EC2::TransitGateway, AWS::EC2::TransitGatewayAttachment, AWS::EC2::TransitGatewayRouteTable, AWS::EC2::Volume, AWS::EC2::VPC, AWS::EC2::VPCEndpointService, AWS::EC2::VPCPeeringConnection, AWS::EC2::VPNGateway
Amazon EC2 Auto Scaling: AWS::AutoScaling::AutoScalingGroup
Amazon Elastic Container Registry (Amazon ECR): AWS::ECR::PublicRepository
Amazon Elastic Container Service (Amazon ECS): AWS::ECS::Cluster, AWS::ECS::Service, AWS::ECS::TaskDefinition
Amazon Elastic File System (Amazon EFS): AWS::EFS::AccessPoint
Amazon Elastic Kubernetes Service (Amazon EKS): AWS::EKS::Cluster, AWS::EKS::IdentityProviderConfig
Amazon Elastic Beanstalk (Elastic Beanstalk): AWS::ElasticBeanstalk::Environment
ElasticSearch: AWS::Elasticsearch::Domain
Amazon EventBridge: AWS::Events::EventBus
Amazon Global Accelerator: AWS::GlobalAccelerator::Accelerator
Amazon Glue: AWS::Glue::Job
Amazon GuardDuty: AWS::GuardDuty::Detector, AWS::GuardDuty::Filter, AWS::GuardDuty::IPSet
Amazon Identity and Access Management (IAM): AWS::IAM::Role, AWS::IAM::User
Amazon Identity and Access Management Access Analyzer (IAM Access Analyzer): AWS::AccessAnalyzer::Analyzer
Amazon IoT: AWS::IoT::Authorizer, AWS::IoT::Dimension, AWS::IoT::MitigationAction, AWS::IoT::Policy, AWS::IoT::RoleAlias, AWS::IoT::SecurityProfile
Amazon Kinesis: AWS::Kinesis::Stream
Amazon Lambda: AWS::Lambda::Function
Amazon MQ: AWS::AmazonMQ::Broker
Amazon Network Firewall: AWS::NetworkFirewall::Firewall, AWS::NetworkFirewall::FirewallPolicy
Amazon OpenSearch Service: AWS::OpenSearch::Domain
Amazon Relational Database Service: AWS::RDS::DBCluster, AWS::RDS::DBClusterSnapshot, AWS::RDS::DBInstance, AWS::RDS::DBSecurityGroup, AWS::RDS::DBSnapshot, AWS::RDS::DBSubnetGroup
Amazon Redshift: AWS::Redshift::Cluster, AWS::Redshift::ClusterSnapshot, AWS::Redshift::ClusterSubnetGroup, AWS::Redshift::EventSubscription
Amazon Route 53: AWS::Route53::HealthCheck
Amazon Secrets Manager: AWS::SecretsManager::Secret
Amazon Simple Email Service (Amazon SES): AWS::SES::ConfigurationSet, AWS::SES::ContactList
Amazon Simple Notification Service (Amazon SNS): AWS::SNS::Topic
Amazon Simple Queue Service (Amazon SQS): AWS::SQS::Queue
Amazon Step Functions: AWS::StepFunctions::Activity
Amazon Transfer Family: AWS::Transfer::Workflow

Resources required for the Service-Managed Standard: Amazon Control Tower

For Security Hub to accurately report findings for enabled change-triggered controls of the Service-Managed Standard: Amazon Control Tower that use Amazon Config rules, you must record the following resources in Amazon Config. For more information about this standard, see Service-Managed Standard: Amazon Control Tower.

Service / Required resources

Amazon API Gateway: AWS::ApiGateway::Stage, AWS::ApiGatewayV2::Stage
Amazon Certificate Manager (ACM): AWS::ACM::Certificate
Amazon CodeBuild: AWS::CodeBuild::Project
Amazon DynamoDB: AWS::DynamoDB::Table
Amazon Elastic Compute Cloud (Amazon EC2): AWS::EC2::Instance, AWS::EC2::NetworkAcl, AWS::EC2::NetworkInterface, AWS::EC2::SecurityGroup, AWS::EC2::Subnet, AWS::EC2::VPNConnection, AWS::EC2::Volume
Amazon EC2 Auto Scaling: AWS::AutoScaling::AutoScalingGroup, AWS::AutoScaling::LaunchConfiguration
Amazon Elastic Container Registry (Amazon ECR): AWS::ECR::Repository
Amazon Elastic Container Service (Amazon ECS): AWS::ECS::Cluster, AWS::ECS::Service, AWS::ECS::TaskDefinition
Amazon Elastic File System (Amazon EFS): AWS::EFS::AccessPoint
Amazon EKS: AWS::EKS::Cluster
ElasticBeanstalk: AWS::ElasticBeanstalk::Environment
Elastic Load Balancing: AWS::ElasticLoadBalancing::LoadBalancer, AWS::ElasticLoadBalancingV2::LoadBalancer
ElasticSearch: AWS::Elasticsearch::Domain
Amazon Identity and Access Management (IAM): AWS::IAM::Group, AWS::IAM::Policy, AWS::IAM::Role, AWS::IAM::User
Amazon Key Management Service (Amazon KMS): AWS::KMS::Alias, AWS::KMS::Key
Amazon Kinesis: AWS::Kinesis::Stream
Amazon Lambda: AWS::Lambda::Function
Amazon Network Firewall: AWS::NetworkFirewall::FirewallPolicy, AWS::NetworkFirewall::RuleGroup
Amazon OpenSearch Service: AWS::OpenSearch::Domain
Amazon Relational Database Service (Amazon RDS): AWS::RDS::DBCluster, AWS::RDS::DBClusterSnapshot, AWS::RDS::DBInstance, AWS::RDS::DBSnapshot, AWS::RDS::EventSubscription
Amazon Redshift: AWS::Redshift::Cluster
Amazon Simple Storage Service (Amazon S3): AWS::S3::AccountPublicAccessBlock, AWS::S3::Bucket
Amazon Simple Notification Service (Amazon SNS): AWS::SNS::Topic
Amazon Simple Queue Service (Amazon SQS): AWS::SQS::Queue
Amazon EC2 Systems Manager (SSM): AWS::SSM::AssociationCompliance, AWS::SSM::ManagedInstanceInventory, AWS::SSM::PatchCompliance
Amazon Secrets Manager: AWS::SecretsManager::Secret
Amazon WAF: AWS::WAFRegional::Rule, AWS::WAFRegional::RuleGroup, AWS::WAFRegional::WebACL, AWS::WAFv2::WebACL