本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。
Security Hub 控件调查发现所需的 Amazon Config 资源
某些 Amazon Security Hub 控件使用与服务相关的 Amazon Config 规则来检测 Amazon 资源中的配置更改。为了让 Security Hub 为这些控件生成准确的调查发现,您必须在中启用 Amazon Config 并启用资源记录功能 Amazon Config。有关 Security Hub 如何使用 Amazon Config 规则以及如何启用和配置的信息 Amazon Config,请参阅为 Security Hub 启用和配置 Amazon Config。有关资源记录的详细信息,请参阅《Amazon Config 开发人员指南》中的使用配置记录器。
要获得准确的控制结果,您必须为已启用控件开启 Amazon Config 资源记录,并使用更改触发的计划类型。某些具有定期计划类型的控件也需要资源记录。本页列出了这些 Security Hub 控件所需的资源。
Security Hub 控件可以依赖托管 Amazon Config 规则或自定义 Security Hub 规则。确保没有任何 Amazon Identity and Access Management (IAM) 策略或 Amazon Organizations 托管策略会 Amazon Config 阻止您获得记录资源的权限。Security Hub 控件直接评估资源配置,不考虑 Amazon Organizations 策略。
注意
Amazon Web Services 区域 如果在中控件不可用,则相应的资源在中也不可用 Amazon Config。有关这些限制的列表,请参阅对 Security Hub 控件的区域限制。
主题
所有 Security Hub 控件所需的资源
为了让 Security Hub 为已启用的变更触发的 Amazon Config 控件生成调查发现,您必须在中记录以下类型的资源 Amazon Config。此表还指出了哪些控件可以评估特定类型的资源。单个控件可以评估多种类型的资源。
| Amazon Web Services 服务 | 资源类型 | 相关控件 |
|---|---|---|
| Amazon Amplify | AWS::Amplify::App |
Amplify.1 |
AWS::Amplify::Branch |
Amplify.2 |
|
| Amazon API Gateway | AWS::ApiGateway::Stage |
APIGateway1. APIGateway2. APIGateway3. APIGateway4. APIGateway5. |
AWS::ApiGatewayV2::Stage |
APIGateway1. APIGateway.9 |
|
| Amazon AppConfig | AWS::AppConfig::Application
|
AppConfig1. |
AWS::AppConfig::ConfigurationProfile
|
AppConfig2. |
|
AWS::AppConfig::Environment
|
AppConfig3. |
|
AWS::AppConfig::ExtensionAssociation
|
AppConfig4. |
|
| Amazon AppFlow | AWS::AppFlow::Flow
|
AppFlow1. |
| Amazon App Runner | AWS::AppRunner::Service
|
AppRunner1. |
AWS::AppRunner::VpcConnector
|
AppRunner2. |
|
| Amazon AppSync | AWS::AppSync::GraphQLApi
|
AppSync2. AppSync4. AppSync5. |
AWS::AppSync::ApiCache
|
AppSync1. AppSync.6 |
|
| Amazon Backup | AWS::Backup::BackupPlan
|
Backup.5 |
AWS::Backup::BackupVault
|
Backup.3 |
|
AWS::Backup::RecoveryPoint
|
Backup.1 Backup.2 |
|
AWS::Backup::ReportPlan
|
Backup.4 |
|
| Amazon Batch | AWS::Batch::ComputeEnvironment
|
Batch.3 Batch.4 |
AWS::Batch::JobQueue
|
Batch.1 |
|
AWS::Batch::SchedulingPolicy
|
Batch.2 |
|
| Amazon Certificate Manager (ACM) | AWS::ACM::Certificate
|
ACM.1 ACM.2 ACM.3 |
| Amazon Athena | AWS::Athena::DataCatalog |
Athena.2 |
AWS::Athena::WorkGroup |
Athena.3 Athena.4 |
|
| Amazon CloudFormation | AWS::CloudFormation::Stack |
CloudFormation2. |
| Amazon CloudFront | AWS::CloudFront::Distribution
|
CloudFront1. CloudFront3. CloudFront4. CloudFront5. CloudFront.6 CloudFront.7 CloudFront.8 CloudFront.9 CloudFront.10 CloudFront.13 CloudFront.14 |
| Amazon CloudTrail | AWS::CloudTrail::Trail
|
CloudTrail.9 |
| Amazon CloudWatch | AWS::CloudWatch::Alarm
|
CloudWatch.15 CloudWatch.17 |
| Amazon CodeArtifact | AWS::CodeArtifact::Repository
|
CodeArtifact1. |
| Amazon CodeBuild | AWS::CodeBuild::Project
|
CodeBuild1. CodeBuild2. CodeBuild3. CodeBuild4. |
AWS::CodeBuild::ReportGroup
|
CodeBuild.7 |
|
| Amazon P CodeGuru rofiler | AWS::CodeGuruProfiler::ProfilingGroup |
CodeGuruProfiler1. |
| Amazon CodeGuru Reviewer | AWS::CodeGuruReviewer::RepositoryAssociation |
CodeGuruReviewer1. |
| Amazon Cognito | AWS::Cognito::UserPool |
Cognito1 |
| Amazon Connect | AWS::CustomerProfiles::ObjectType |
Connect.1 |
AWS::Connect::Instance |
Connect.2 | |
| Amazon DataSync | AWS::DataSync::Task |
DataSync1. DataSync2. |
| Amazon Detective | AWS::Detective::Graph |
Detective.1 |
| Amazon Database Migration Service (Amazon DMS) | AWS::DMS::Certificate |
DMS.2 |
AWS::DMS::Endpoint
|
DMS.9 DMS.10 DMS.11 DMS.12 |
|
AWS::DMS::EventSubscription
|
DMS.3 | |
AWS::DMS::ReplicationInstance
|
DMS.4 DMS.6 |
|
AWS::DMS::ReplicationSubnetGroup
|
DMS.5 | |
AWS::DMS::ReplicationTask |
DMS.7 DMS.8 |
|
| Amazon DynamoDB | AWS::DynamoDB::Table
|
DynamoDB.1 DynamoDB.2 DynamoDB.5 DynamodB.6 |
| Amazon Elasti EC2 c Compute | AWS::EC2::ClientVpnEndpoint |
EC2.51 |
AWS::EC2::CustomerGateway |
EC2.36 | |
AWS::EC2::DHCPOptions |
EC2.174 | |
AWS::EC2::EIP |
EC2.12 EC2.37 |
|
AWS::EC2::FlowLog |
EC2.48 | |
AWS::EC2::Instance |
EC24. EC2.8 EC2.9 EC2.17 EC2.24 EC2.38 EMR.1 SSM.1 |
|
AWS::EC2::InternetGateway |
EC2.39 |
|
AWS::EC2::LaunchTemplate |
EC2.25 EC2.170 EC2.175 |
|
AWS::EC2::NatGateway |
EC2.40 |
|
AWS::EC2::NetworkAcl |
EC2.16 EC2.21 EC2.41 |
|
AWS::EC2::NetworkInterface |
EC2.22 EC2.35 |
|
AWS::EC2::PrefixList |
EC2.176 | |
AWS::EC2::RouteTable |
EC2.42 | |
AWS::EC2::SecurityGroup |
EC22. EC2.13 EC2.14 EC2.18 EC2.19 EC2.43 |
|
AWS::EC2::SpotFleet |
EC2.173 | |
AWS::EC2::Subnet |
EC2.15 EC2.44 ElastiCache.7 |
|
AWS::EC2::TrafficMirrorFilter |
EC2.178 | |
AWS::EC2::TrafficMirrorSession |
EC2.177 | |
AWS::EC2::TrafficMirrorTarget |
EC2.179 | |
AWS::EC2::TransitGateway |
EC2.23 EC2.52 |
|
AWS::EC2::TransitGatewayAttachment |
EC2.33 | |
AWS::EC2::TransitGatewayRouteTable |
EC2.34 | |
AWS::EC2::Volume |
EC23. EC2.45 |
|
AWS::EC2::VPC |
EC2.6 EC2.46 |
|
AWS::EC2::VPCBlockPublicAccessOptions |
EC2.172 |
|
AWS::EC2::VPCEndpointService |
EC2.47 | |
AWS::EC2::VPCPeeringConnection |
EC2.49 | |
AWS::EC2::VPNConnection |
EC2.20 EC2.171 |
|
AWS::EC2::VPNGateway |
EC2.50 | |
| Amazon A EC2 uto Scaling | AWS::AutoScaling::AutoScalingGroup |
AutoScaling1. AutoScaling2. AutoScaling.6 AutoScaling.9 AutoScaling.10 |
AWS::AutoScaling::LaunchConfiguration |
AutoScaling3. Autoscaling.5 |
|
| Amazon S EC2 ystems Manager (SSM) | AWS::SSM::AssociationCompliance |
SSM.3 |
AWS::SSM::ManagedInstanceInventory |
SSM.1 |
|
AWS::SSM::PatchCompliance |
SSM.2 |
|
| Amazon Elastic Container Registry (Amazon ECR) | AWS::ECR::PublicRepository |
ECR.4 |
AWS::ECR::Repository |
ECR.2 ECR.3 ECR.5 |
|
| Amazon Elastic Container Service (Amazon ECS) | AWS::ECS::Cluster |
ECS.12 ECS.14 |
AWS::ECS::Service |
ECS.2 ECS.10 ECS.13 |
|
AWS::ECS::TaskDefinition |
ECS.1 ECS.3 ECS.4 ECS.5 ECS.8 ECS.9 ECS.15 ECS.17 |
|
AWS::ECS::TaskSet |
ECS.16 |
|
| Amazon Elastic File System (Amazon EFS) | AWS::EFS::AccessPoint
|
EFS.3 EFS.4 EFS.5 |
AWS::EFS::FileSystem
|
EFS.7 EFS.8 |
|
| Amazon Elastic Kubernetes Service(Amazon EKS) | AWS::EKS::Cluster |
EKS.2 EKS.6 EKS.8 |
AWS::EKS::IdentityProviderConfig |
EKS.7 | |
| Amazon Elastic Beanstalk | AWS::ElasticBeanstalk::Environment
|
ElasticBeanstalk1. ElasticBeanstalk2. ElasticBeanstalk3. |
| Elastic Load Balancing | AWS::ElasticLoadBalancing::LoadBalancer |
ELB.2 ELB.3 ELB.5 ELB.7 ELB.8 ELB.9 ELB.10 ELB.14 |
AWS::ElasticLoadBalancingV2::Listener |
ELB.17 |
|
AWS::ElasticLoadBalancingV2::LoadBalancer |
ELB.1 ELB.4 ELB.5 ELB.6 ELB.12 ELB.13 ELB.16 |
|
| ElasticSearch | AWS::Elasticsearch::Domain |
ES.3 ES.4 ES.5 ES.6 ES.7 ES.8 ES.9 |
| Amazon EMR | AWS::EMR::SecurityConfiguration |
EMR.3 EMR.4 |
| Amazon EventBridge | AWS::Events::EventBus |
EventBridge2. EventBridge3. |
AWS::Events::Endpoint |
EventBridge4. |
|
| Amazon Fraud Detector | AWS::FraudDetector::EntityType |
FraudDetector1. |
AWS::FraudDetector::Label |
FraudDetector2. |
|
AWS::FraudDetector::Outcome |
FraudDetector3. |
|
AWS::FraudDetector::Variable |
FraudDetector4. |
|
| Amazon Global Accelerator | AWS::GlobalAccelerator::Accelerator |
GlobalAccelerator1. |
| Amazon Glue | AWS::Glue::Job |
Glue.1 Glue.4 |
AWS::Glue::MLTransform |
Glue.3 |
|
| Amazon GuardDuty | AWS::GuardDuty::Detector |
GuardDuty4. |
AWS::GuardDuty::Filter |
GuardDuty2. |
|
AWS::GuardDuty::IPSet |
GuardDuty3. |
|
| Amazon Identity and Access Management (IAM) | AWS::IAM::Group |
IAM.27 KMS.2 |
AWS::IAM::Policy |
IAM.1 IAM.21 KMS.1 |
|
AWS::IAM::Role |
IAM.24 IAM.27 KMS.2 |
|
AWS::IAM::User |
IAM.2 IAM.3 IAM.5 IAM.8 IAM.19 IAM.22 IAM.25 IAM.27 KMS.2 |
|
| Amazon Identity and Access Management Access Analyzer | AWS::AccessAnalyzer::Analyzer |
IAM.23 |
| Amazon Interactive Video Service (Amazon IVS) | AWS::IVS::PlaybackKeyPair |
IVS.1 |
AWS::IVS::RecordingConfiguration |
IVS.2 |
|
AWS::IVS::Channel |
IVS.3 |
|
| Amazon IoT | AWS::IoT::Authorizer |
IoT.4 |
AWS::IoT::Dimension |
IoT.3 |
|
AWS::IoT::MitigationAction |
IoT.2 |
|
AWS::IoT::Policy |
IoT.6 |
|
AWS::IoT::RoleAlias |
IoT.5 |
|
AWS::IoT::SecurityProfile |
IoT.1 |
|
| Amazon IoT Events | AWS::IoTEvents::AlarmModel |
Io TEvents .3 |
AWS::IoTEvents::DetectorModel |
Io TEvents .2 |
|
AWS::IoTEvents::Input |
Io TEvents .1 |
|
| Amazon IoT SiteWise | AWS::IoTSiteWise::AssetModel |
Io TSite Wise.1 |
AWS::IoTSiteWise::Dashboard |
Io TSite Wise.2 |
|
AWS::IoTSiteWise::Gateway |
Io TSite Wise.3 |
|
AWS::IoTSiteWise::Portal |
Io TSite Wise.4 |
|
AWS::IoTSiteWise::Project |
Io TSite Wise.5 |
|
| Amazon IoT TwinMaker | AWS::IoTTwinMaker::Entity |
Io TTwin Maker.4 |
AWS::IoTTwinMaker::Scene |
Io TTwin Maker.3 |
|
AWS::IoTTwinMaker::SyncJob |
Io TTwin Maker.1 |
|
AWS::IoTTwinMaker::Workspace |
Io TTwin Maker.2 |
|
| Amazon IoT Wireless | AWS::IoTWireless::MulticastGroup |
Io TWireless .1 |
AWS::IoTWireless::ServiceProfile |
Io TWireless .2 |
|
AWS::IoTWireless::FuotaTask |
Io TWireless .3 |
|
| Amazon Keyspaces(Apache Cassandra 兼容) | AWS::Cassandra::Keyspace |
Keyspaces 1 |
| Amazon Kinesis | AWS::Kinesis::Stream |
Kinesis.1 Kinesis.2 Kinesis.3 |
| Amazon Key Management Service (Amazon KMS) | AWS::KMS::Alias |
S3.17 |
AWS::KMS::Key |
KMS.3 KMS.5 S3.17 |
|
| Amazon Lambda | AWS::Lambda::Function |
Lambda.1 Lambda.2 Lambda.3 Lambda.5 Lambda.6 |
| Amazon MSK | AWS::MSK::Cluster |
MSK.1 MSK.2 |
AWS::KafkaConnect::Connector |
MSK.3 |
|
| Amazon MQ | AWS::AmazonMQ::Broker |
MQ.2 MQ.3 MQ.4 MQ.5 MQ.6 |
| Amazon Network Firewall | AWS::NetworkFirewall::Firewall |
NetworkFirewall1. NetworkFirewall.7 NetworkFirewall.9 NetworkFirewall.10 |
AWS::NetworkFirewall::FirewallPolicy |
NetworkFirewall3. NetworkFirewall4. NetworkFirewall5. NetworkFirewall.8 |
|
AWS::NetworkFirewall::RuleGroup |
NetworkFirewall.6 |
|
| 亚马逊 OpenSearch 服务 | AWS::OpenSearch::Domain |
Opensearch.1 Opensearch.2 Opensearch.3 Opensearch.4 Opensearch.5 Opensearch.6 Opensearch.7 Opensearch.8 OpenSearch.9 Opensearch.10 Opensearch.11 |
| Amazon Private CA | AWS::ACMPCA::CertificateAuthority |
PCA.2 |
| Amazon Relational Database Service (Amazon RDS) | AWS::RDS::DBCluster |
DocumentDB.1 DocumentDB.2 DocumentDB.4 DocumentDB.5 Neptune.1 Neptune.2 Neptune.4 Neptune.5 Neptune.7 Neptune.8 Neptune.9 RDS.7 RDS.12 RDS.14 RDS.15 RDS.16 RDS.24 RDS.27 RDS.28 RDS.34 RDS.35 RDS.37 |
AWS::RDS::DBClusterSnapshot |
DocumentDB.3 Neptune.3 Neptune.6 RDS.1 RDS.4 RDS.29 |
|
AWS::RDS::DBInstance |
RDS.2 RDS.3 RDS.5 RDS.6 RDS.8 RDS.9 RDS.10 RDS.11 RDS.13 RDS.17 RDS.18 RDS.23 RDS.25 RDS.30 RDS.36 RDS.408 |
|
AWS::RDS::DBSecurityGroup |
RDS.31 |
|
AWS::RDS::DBSnapshot |
RDS.1 RDS.4 RDS.32 |
|
AWS::RDS::DBSubnetGroup |
RDS.33 |
|
AWS::RDS::EventSubscription |
RDS.19 RDS.20 RDS.21 RDS.22 |
|
| Amazon Redshift | AWS::Redshift::Cluster |
Redshift.1 Redshift.2 Redshift.3 Redshift.4 Redshift.6 Redshift.7 Redshift.8 Redshift.9 Redshift.10 Redshift.11 |
AWS::Redshift::ClusterParameterGroup |
Redshift.2 Redshift.17 |
|
AWS::Redshift::ClusterSnapshot |
Redshift.13 |
|
AWS::Redshift::ClusterSubnetGroup |
Redshift.14 Redshift.16 |
|
AWS::Redshift::EventSubscription |
Redshift.12 |
|
| Amazon Route 53 | AWS::Route53::HostedZone |
Route53.2 |
AWS::Route53::HealthCheck |
Route53.1 |
|
| Amazon Simple Storage Service(Amazon S3) | AWS::S3::AccessPoint |
S3.19 |
AWS::S3::AccountPublicAccessBlock |
S3.2 S3.3 |
|
AWS::S3::Bucket |
CloudTrail.6 CloudTrail.7 S3.2 S3.3 S3.5 S3.6 S3.7 S3.8 S3.9 S3.10 S3.11 S3.12 S3.13 S3.14 S3.15 S3.17 S3.20 |
|
AWS::S3::MultiRegionAccessPoint |
S3.24 |
|
| 亚马逊 SageMaker AI | AWS::SageMaker::AppImageConfig
|
SageMaker.6 |
AWS::SageMaker::Image
|
SageMaker.7 |
|
AWS::SageMaker::Model
|
SageMaker5. |
|
AWS::SageMaker::NotebookInstance
|
SageMaker2. SageMaker3. |
|
| Amazon Secrets Manager | AWS::SecretsManager::Secret
|
SecretsManager1. SecretsManager2. SecretsManager5. |
| Amazon Service Catalog | AWS::ServiceCatalog::Portfolio
|
ServiceCatalog1. |
| Amazon Simple Email Service(Amazon SES) | AWS::SES::ConfigurationSet
|
SES.2 |
AWS::SES::ContactList
|
SES.1 |
|
| Amazon Simple Notification Service (Amazon SNS) | AWS::SNS::Topic
|
SNS.1 SNS.3 SNS.4 |
| Amazon Simple Queue Service(Amazon SQS) | AWS::SQS::Queue
|
SQS.1 SQS.2 SQS.3 |
| Amazon Step Functions | AWS::StepFunctions::StateMachine |
StepFunctions1. |
AWS::StepFunctions::Activity |
StepFunctions2. |
|
| Amazon Systems Manager (SSM) | AWS::SSM::Document
|
SM.5 |
| Amazon Transfer Family | AWS::Transfer::Agreement |
转移。4 |
AWS::Transfer::Certificate |
转账.5 |
|
AWS::Transfer::Connector |
转账。3 转移。6 |
|
AWS::Transfer::Profile |
转移。7 |
|
AWS::Transfer::Workflow |
Transfer.1 |
|
| Amazon WAF | AWS::WAF::Rule |
WAF.6 |
AWS::WAF::RuleGroup |
WAF.7 |
|
AWS::WAF::WebACL |
WAF.1 WAF.8 |
|
AWS::WAFRegional::Rule |
WAF.2 |
|
AWS::WAFRegional::RuleGroup |
WAF.3 |
|
AWS::WAFRegional::WebACL |
WAF.4 |
|
AWS::WAFv2::RuleGroup |
WAF.12 |
|
AWS::WAFv2::WebACL |
WAF.10 WAF.11 |
|
| Amazon WorkSpaces | AWS::WorkSpaces::WorkSpace |
WorkSpaces1. WorkSpaces2. |
Amazon 基础安全最佳实践标准所需的资源
为了让 Security Hub 准确报告适用于 Amazon 基础安全最佳实践标准的变更触发的控件调查发现,您必须在中记录以下类型的资源。 Amazon Config Amazon Config有关此标准的信息,请参阅Amazon Security Hub 的基础安全最佳实践标准。
| Amazon Web Services 服务 | 资源类型 |
|---|---|
|
Amazon API Gateway |
|
|
Amazon AppSync |
|
|
Amazon Backup |
|
|
Amazon Certificate Manager (ACM) |
|
|
Amazon CloudFormation |
|
|
Amazon CloudFront |
|
|
Amazon CodeBuild |
|
|
Amazon Cognito |
|
|
Amazon Connect |
|
|
Amazon DataSync |
|
|
Amazon Database Migration Service (Amazon DMS) |
|
|
Amazon DynamoDB |
|
| Amazon S EC2 ystems Manager (SSM) |
|
|
Amazon Elastic Compute Cloud EC2 |
|
|
Amazon A EC2 uto Scaling |
|
|
Amazon Elastic Container Registry(Amazon ECR) |
|
|
Amazon Elastic Container Service(Amazon ECS) |
|
|
Amazon Elastic File System(Amazon EFS) |
|
|
Amazon Elastic Kubernetes Service(Amazon EKS) |
|
|
Amazon Elastic Beanstalk |
|
|
Elastic Load Balancing |
|
|
ElasticSearch |
|
|
Amazon EMR |
|
|
Amazon Glue |
|
|
Amazon Identity and Access Management (IAM) |
|
|
Amazon Kinesis |
|
|
Amazon Key Management Service (Amazon KMS) |
|
|
Amazon Lambda |
|
|
Amazon Managed Streaming for Apache Kafka (Amazon MSK) |
|
|
Amazon Network Firewall |
|
|
亚马逊 OpenSearch 服务 |
|
|
Amazon Relational Database Service (Amazon RDS) |
|
|
Amazon Redshift |
|
|
Amazon Redshift Serverless |
|
|
Amazon Route 53 |
|
|
Amazon Simple Storage Service(Amazon S3) |
|
|
亚马逊 SageMaker AI |
|
|
Amazon Simple Notification Service (Amazon SNS) |
|
|
Amazon Simple Queue Service(Amazon SQS) |
|
|
Amazon Secrets Manager |
|
|
Amazon Step Functions |
|
|
Amazon Transfer Family |
|
|
Amazon WAF |
|
|
Amazon WorkSpaces |
|
独联体 Amazon 基金会基准测试所需的资源
要对适用于 Center for Internet Security(CIS) Amazon 基金会基准的已启用控件进行安全检查,Security Hub 要么按照检查规定的确切审计步骤运行,要么使用特定的 Amazon Config 托管规则。有关 Security Hub 中此标准的信息,请参阅Security Hub 中的独联体 Amazon 基金会基准。
CIS v3.0.0 所需的资源
为了让 Security Hub 准确报告已启用 CIS v3.0.0 更改触发的使用 Amazon Config 规则的控件调查发现,您必须在中记录以下类型的资源。 Amazon Config
| Amazon Web Services 服务 | 资源类型 |
|---|---|
|
Amazon Elastic Compute Cloud EC2 |
|
|
Amazon Identity and Access Management (IAM) |
|
|
Amazon Relational Database Service(Amazon RDS) |
|
|
Amazon Simple Storage Service(Amazon S3) |
|
CIS v1.4.0 所需的 资源
为了让 Security Hub 准确报告已启用 CIS v1.4.0 更改触发的使用 Amazon Config 规则的控件调查发现,您必须在中记录以下类型的资源。 Amazon Config
| Amazon Web Services 服务 | 资源类型 |
|---|---|
|
Amazon Elastic Compute Cloud EC2 |
|
|
Amazon Identity and Access Management (IAM) |
|
|
Amazon Relational Database Service(Amazon RDS) |
|
|
Amazon Simple Storage Service(Amazon S3) |
|
CIS v1.2.0 所需的 资源
为了让 Security Hub 准确报告已启用 CIS v1.2.0 更改触发的使用 Amazon Config 规则的控件调查发现,您必须在中记录以下类型的资源。 Amazon Config
| Amazon Web Services 服务 | 资源类型 |
|---|---|
|
Amazon Elastic Compute Cloud EC2 |
|
|
Amazon Identity and Access Management (IAM) |
|
NIST SP 800-53 Rev 5 标准所需的资源
为了让 Security Hub 准确报告适用于 NIST SP 800-53 Rev 5 标准的变更触发的控件调查发现,您必须在中记录以下类型的资源。 Amazon Config Amazon Config有关此标准的信息,请参阅Security Hub 中的 NIST SP 800-53 第 5 版。
| Amazon Web Services 服务 | 资源类型 |
|---|---|
|
Amazon API Gateway |
|
|
Amazon AppSync |
|
|
Amazon Backup |
|
|
Amazon Certificate Manager (ACM) |
|
|
Amazon CloudFormation |
|
|
Amazon CloudFront |
|
|
Amazon CloudWatch |
|
|
Amazon CodeBuild |
|
|
Amazon Database Migration Service (Amazon DMS) |
|
|
Amazon DynamoDB |
|
|
Amazon Elastic Compute Cloud EC2 |
|
|
Amazon A EC2 uto Scaling |
|
|
Amazon Elastic Container Registry(Amazon ECR) |
|
|
Amazon Elastic Container Service(Amazon ECS) |
|
|
Amazon Elastic File System(Amazon EFS) |
|
|
Amazon Elastic Kubernetes Service(Amazon EKS) |
|
|
Amazon Elastic Beanstalk |
|
|
Elastic Load Balancing |
|
|
Amazon ElasticSearch |
|
|
Amazon EMR |
|
|
Amazon EventBridge |
|
|
Amazon Glue |
|
|
Amazon Identity and Access Management (IAM) |
|
|
Amazon Key Management Service (Amazon KMS) |
|
|
Amazon Kinesis |
|
|
Amazon Lambda |
|
|
Amazon Managed Streaming for Apache Kafka (Amazon MSK) |
|
|
Amazon MQ |
|
|
Amazon Network Firewall |
|
|
亚马逊 OpenSearch 服务 |
|
|
Amazon Relational Database Service (Amazon RDS) |
|
|
Amazon Redshift |
|
|
Amazon Route 53 |
|
|
Amazon Simple Storage Service(Amazon S3) |
|
|
Amazon Service Catalog |
|
|
Amazon Simple Notification Service (Amazon SNS) |
|
|
Amazon Simple Queue Service(Amazon SQS) |
|
| Amazon S EC2 ystems Manager (SSM) |
|
|
亚马逊 SageMaker AI |
|
|
Amazon Secrets Manager |
|
|
Amazon Transfer Family |
|
|
Amazon WAF |
|
NIST SP 800-171 Rev 2 标准所需的资源
为了让 Security Hub 准确报告适用于 NIST SP 800-171 Rev 2 标准的变更触发的控件调查发现,您必须在中记录以下类型的资源。 Amazon Config Amazon Config有关此标准的信息,请参阅NIST SP 800-171 Security Hub 中第 2 版。
| Amazon Web Services 服务 | 资源类型 |
|---|---|
| Amazon Certificate Manager(ACM) |
|
| Amazon API Gateway |
|
| Amazon CloudFront |
|
| Amazon CloudWatch |
|
| Amazon Elastic Compute Cloud EC2 |
|
| Elastic Load Balancing |
|
| Amazon Identity and Access Management(IAM) |
|
| Amazon Key Management Service (Amazon KMS) |
|
| Amazon Network Firewall |
|
| Amazon Simple Storage (Amazon S3) |
|
| Amazon Simple Notion Service (Amazon SNS) |
|
| Amazon Systems Manager(SSM) |
|
| Amazon WAF |
|
PCI DSS v3.2.1 所需的资源
为了让 Security Hub 准确报告适用于 PCI DSS v3.2.1 中的控件调查发现,您必须在中记录以下类型的资源。 Amazon Config Amazon Config有关此标准的信息,请参阅Security Hub 中的 PCI DSS。
| Amazon Web Services 服务 | 资源类型 |
|---|---|
|
Amazon CodeBuild |
|
|
Amazon Elastic Compute Cloud EC2 |
|
|
Amazon A EC2 uto Scaling |
|
|
Amazon Identity and Access Management (IAM) |
|
|
Amazon Lambda |
|
|
亚马逊 OpenSearch 服务 |
|
|
Amazon Relational Database Service (Amazon RDS) |
|
|
Amazon Redshift |
|
|
Amazon Simple Storage Service(Amazon S3) |
|
| Amazon S EC2 ystems Manager (SSM) |
|
资源标签标准所需的 Amazon 资源
所有适用于 Amazon 资源标记标准的控件都是触发变更的,并使用 Amazon Config 规则。为了让 Security Hub 准确报告这些控件的调查发现,您必须在中记录以下类型的资源 Amazon Config。有关此标准的信息,请参阅Amazon Security Hub 中的资源标记标准。
| Amazon Web Services 服务 | 资源类型 |
|---|---|
| Amazon Amplify |
|
| Amazon AppFlow |
|
| Amazon App Runner |
|
| Amazon AppConfig |
|
| Amazon AppSync |
|
| Amazon Athena |
|
| Amazon Backup |
|
| Amazon Batch |
|
| Amazon Certificate Manager (ACM) |
|
| Amazon CloudFormation |
|
| Amazon CloudFront |
|
| Amazon CloudTrail |
|
| Amazon CodeArtifact |
|
| Amazon CodeGuru |
|
| Amazon Connect |
|
| Amazon Database Migration Service (Amazon DMS) |
|
| Amazon DataSync |
|
| Amazon Detective |
|
| Amazon DynamoDB |
|
| Amazon Elasti EC2 c Compute |
|
| Amazon A EC2 uto Scaling |
|
| Amazon Elastic Container Registry(Amazon ECR) |
|
| Amazon Elastic Container Service(Amazon ECS) |
|
| Amazon Elastic File System(Amazon EFS) |
|
| Amazon Elastic Kubernetes Service(Amazon EKS) |
|
| Amazon Elastic Beanstalk |
|
| ElasticSearch |
|
| Amazon EventBridge |
|
| Amazon Fraud Detector |
|
| Amazon Global Accelerator |
|
| Amazon Glue |
|
| Amazon GuardDuty |
|
| Amazon Identity and Access Management (IAM) |
|
| Amazon Identity and Access Management Access Analyzer (IAM Acess Analy |
|
| Amazon IoT |
|
| Amazon IoT 活动 |
|
| Amazon IoT SiteWise |
|
| Amazon IoT TwinMaker |
|
| Amazon IoT Aliv |
|
| Amazon Interactive Video Service (Amazon IVS) |
|
| Amazon Keyspaces (for Apache Cassandra) |
|
| Amazon Kinesis |
|
| Amazon Lambda |
|
| Amazon MQ |
|
| Amazon Network Firewall |
|
| 亚马逊 OpenSearch 服务 |
|
| Amazon Private Certificate Authority |
|
| Amazon Relational Database Service |
|
| Amazon Redshift |
|
| Amazon Route 53 |
|
| 亚马逊 SageMaker AI |
|
| Amazon Secrets Manager |
|
| Amazon Simple Email Service(Amazon SES) |
|
| Amazon Simple Notification Service (Amazon SNS) |
|
| Amazon Simple Queue Service(Amazon SQS) |
|
| Amazon Step Functions |
|
| Amazon Systems Manager (SSM) |
|
| Amazon Transfer Family |
|
Amazon Control Tower 服务管理标准所需的资源
为了让 Security Hub 准确报告适用于 Security Hub 的变更触发的控件调查发现,您必须在中 Amazon Config记录以下类型的资源。 Amazon Control Tower Amazon Config 有关此标准的信息,请参阅服务托管标准: Amazon Control Tower。
| Amazon Web Services 服务 | 资源类型 |
|---|---|
|
Amazon API Gateway |
|
|
Amazon Certificate Manager (ACM) |
|
|
Amazon CodeBuild |
|
|
Amazon DynamoDB |
|
|
Amazon Elasti EC2 c Compute |
|
|
Amazon A EC2 uto Scaling |
|
|
Amazon Elastic Container Registry(Amazon ECR) |
|
|
Amazon Elastic Container Service(Amazon ECS) |
|
|
Amazon Elastic File System(Amazon EFS) |
|
|
Amazon EKS |
|
|
ElasticBeanstalk |
|
|
Elastic Load Balancing |
|
|
ElasticSearch |
|
|
Amazon Identity and Access Management (IAM) |
|
|
Amazon Key Management Service (Amazon KMS) |
|
|
Amazon Kinesis |
|
|
Amazon Lambda |
|
|
Amazon Network Firewall |
|
|
亚马逊 OpenSearch 服务 |
|
|
Amazon Relational Database Service (Amazon RDS) |
|
|
Amazon Redshift |
|
|
Amazon Simple Storage Service(Amazon S3) |
|
|
Amazon Simple Notification Service (Amazon SNS) |
|
|
Amazon Simple Queue Service(Amazon SQS) |
|
|
Amazon Secrets Manager |
|
| Amazon S EC2 ystems Manager (SSM) |
|
|
Amazon WAF |
|