本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。
控制结果所需的Amazon Config资源
在 S Amazon ecurity Hub CSPM 中,某些控件使用服务相关Amazon Config规则来检测资源中的配置更改。Amazon要让 Security Hub CSPM 为这些控件生成准确的调查结果,您必须在中启用Amazon Config并打开资源记录。Amazon Config有关 Security Hub CSPM 如何使用Amazon Config规则以及如何启用和配置的信息Amazon Config,请参阅。为 Security Hub CSPM 启用和配置 Amazon Config有关资源记录的详细信息,请参阅《Amazon Config 开发人员指南》中的使用配置记录器。
要获得准确的控制结果,您必须为已启用控件开启Amazon Config资源记录,并使用更改触发的计划类型。某些具有定期计划类型的控件也需要资源记录。本页列出了这些 Security Hub CSPM 控件所需的资源。
Security Hub CSPM 控件可以依赖托管Amazon Config规则或自定义 Security Hub CSPM 规则。确保没有任何 Amazon Identity and Access Management (IAM) 策略或Amazon Organizations托管策略会Amazon Config阻止您获得记录资源的权限。Security Hub CSPM 控件直接评估资源配置,不考虑Amazon Organizations策略。
注意
Amazon Web Services 区域如果控件不可用,则相应的资源在中不可用Amazon Config。有关这些限制的列表,请参阅对 Security Hub CSPM 控件的区域限制。
主题
所有 Security Hub CSPM 控件所需的资源
要让 Security Hub CSPM 生成已启用的变更触发控件的发现结果并使用Amazon Config规则,您必须在中记录以下类型的资源。Amazon Config此表还指出了哪些控件评估特定类型的资源。一个控件可以评估多种类型的资源。
| Amazon Web Services 服务 | 资源类型 | 相关控件 |
|---|---|---|
| Amazon Amplify | AWS::Amplify::App |
Amplify.1 |
AWS::Amplify::Branch |
Amplify.2 |
|
| Amazon API Gateway | AWS::ApiGateway::Stage |
APIGateway1. APIGateway2. APIGateway3. APIGateway4. APIGateway5. |
AWS::ApiGatewayV2::Stage |
APIGateway1. APIGateway.9 |
|
| Amazon AppConfig | AWS::AppConfig::Application
|
AppConfig1. |
AWS::AppConfig::ConfigurationProfile
|
AppConfig2. |
|
AWS::AppConfig::Environment
|
AppConfig3. |
|
AWS::AppConfig::ExtensionAssociation
|
AppConfig4. |
|
| Amazon AppFlow | AWS::AppFlow::Flow
|
AppFlow1. |
| Amazon App Runner | AWS::AppRunner::Service
|
AppRunner1. |
AWS::AppRunner::VpcConnector
|
AppRunner2. |
|
| Amazon AppSync | AWS::AppSync::GraphQLApi
|
AppSync2. AppSync4. AppSync5. |
AWS::AppSync::ApiCache
|
AppSync1. AppSync.6 |
|
| Amazon Backup | AWS::Backup::BackupPlan
|
Backup.5 |
AWS::Backup::BackupVault
|
Backup.3 |
|
AWS::Backup::RecoveryPoint
|
Backup.1 Backup.2 |
|
AWS::Backup::ReportPlan
|
Backup.4 |
|
| Amazon Batch | AWS::Batch::ComputeEnvironment
|
Batch.3 Batch.4 |
AWS::Batch::JobQueue
|
Batch.1 |
|
AWS::Batch::SchedulingPolicy
|
Batch.2 |
|
| Amazon Certificate Manager(ACM) | AWS::ACM::Certificate
|
ACM.1 ACM.2 ACM.3 |
| Amazon Athena | AWS::Athena::DataCatalog |
Athena.2 |
AWS::Athena::WorkGroup |
Athena.3 Athena.4 |
|
| Amazon CloudFormation | AWS::CloudFormation::Stack |
CloudFormation2. CloudFormation3. CloudFormation4. |
| Amazon CloudFront | AWS::CloudFront::Distribution
|
CloudFront1. CloudFront3. CloudFront4. CloudFront5. CloudFront.6 CloudFront.7 CloudFront.8 CloudFront.9 CloudFront.10 CloudFront.13 CloudFront.14 CloudFront.15 CloudFront.16 CloudFront.17 |
| Amazon CloudTrail | AWS::CloudTrail::Trail
|
CloudTrail.9 |
| 亚马逊 CloudWatch | AWS::CloudWatch::Alarm
|
CloudWatch.15 CloudWatch.17 |
| Amazon CodeArtifact | AWS::CodeArtifact::Repository
|
CodeArtifact1. |
| Amazon CodeBuild | AWS::CodeBuild::Project
|
CodeBuild1. CodeBuild2. CodeBuild3. CodeBuild4. |
AWS::CodeBuild::ReportGroup
|
CodeBuild.7 |
|
| Amazon P CodeGuru rofiler | AWS::CodeGuruProfiler::ProfilingGroup |
CodeGuruProfiler1. |
| Amazon CodeGuru Reviewer | AWS::CodeGuruReviewer::RepositoryAssociation |
CodeGuruReviewer1. |
| Amazon Cognito | AWS::Cognito::IdentityPool |
Cognito.2 |
AWS::Cognito::UserPool |
Cognito.1 Cognito.3 Cognito.4 Cognito.5 Cognito.6 |
|
| Amazon Connect | AWS::CustomerProfiles::ObjectType |
Connect.1 |
AWS::Connect::Instance |
Connect.2 | |
| Amazon DataSync | AWS::DataSync::Task |
DataSync1. DataSync2. |
| Amazon Detective | AWS::Detective::Graph |
Detective.1 |
| Amazon Database Migration Service(Amazon DMS) | AWS::DMS::Certificate |
DMS.2 |
AWS::DMS::Endpoint
|
DMS.9 DMS.10 DMS.11 DMS.12 |
|
AWS::DMS::EventSubscription
|
DMS.3 | |
AWS::DMS::ReplicationInstance
|
DMS.4 DMS.6 DMS.13 |
|
AWS::DMS::ReplicationSubnetGroup
|
DMS.5 | |
AWS::DMS::ReplicationTask |
DMS.7 DMS.8 |
|
| Amazon DynamoDB | AWS::DynamoDB::Table
|
DynamoDB.1 DynamoDB.2 DynamoDB.5 DynamodB.6 |
| 亚马逊弹性计算云 (EC2) | AWS::EC2::ClientVpnEndpoint |
EC2.51 |
AWS::EC2::CustomerGateway |
EC2.36 | |
AWS::EC2::DHCPOptions |
EC2.174 | |
AWS::EC2::EIP |
EC2.12 EC2.37 |
|
AWS::EC2::FlowLog |
EC2.48 | |
AWS::EC2::Instance |
EC24. EC2.8 EC2.9 EC2.17 EC2.24 EC2.38 EMR.1 SSM.1 |
|
AWS::EC2::InternetGateway |
EC2.39 |
|
AWS::EC2::LaunchTemplate |
EC2.25 EC2.170 EC2.175 EC2.181 |
|
AWS::EC2::NatGateway |
EC2.40 |
|
AWS::EC2::NetworkAcl |
EC2.16 EC2.21 EC2.41 |
|
AWS::EC2::NetworkInterface |
EC2.22 EC2.35 EC2.180 |
|
AWS::EC2::PrefixList |
EC2.176 | |
AWS::EC2::RouteTable |
EC2.42 | |
AWS::EC2::SecurityGroup |
EC22. EC2.13 EC2.14 EC2.18 EC2.19 EC2.43 |
|
AWS::EC2::SnapshotBlockPublicAccess |
EC2.182 |
|
AWS::EC2::SpotFleet |
EC2.173 | |
AWS::EC2::Subnet |
EC2.15 EC2.44 ElastiCache.7 |
|
AWS::EC2::TrafficMirrorFilter |
EC2.178 | |
AWS::EC2::TrafficMirrorSession |
EC2.177 | |
AWS::EC2::TrafficMirrorTarget |
EC2.179 | |
AWS::EC2::TransitGateway |
EC2.23 EC2.52 |
|
AWS::EC2::TransitGatewayAttachment |
EC2.33 | |
AWS::EC2::TransitGatewayRouteTable |
EC2.34 | |
AWS::EC2::Volume |
EC23. EC2.45 |
|
AWS::EC2::VPC |
EC2.6 EC2.46 |
|
AWS::EC2::VPCBlockPublicAccessOptions |
EC2.172 |
|
AWS::EC2::VPCEndpointService |
EC2.47 | |
AWS::EC2::VPCPeeringConnection |
EC2.49 | |
AWS::EC2::VPNConnection |
EC2.20 EC2.171 |
|
AWS::EC2::VPNGateway |
EC2.50 | |
| Amazon A EC2 uto Scaling | AWS::AutoScaling::AutoScalingGroup |
AutoScaling1. AutoScaling2. AutoScaling.6 AutoScaling.9 AutoScaling.10 |
AWS::AutoScaling::LaunchConfiguration |
AutoScaling3. Autoscaling.5 |
|
| 亚马逊 S EC2 ystems Manager (SSM) | AWS::SSM::AssociationCompliance |
SSM.3 |
AWS::SSM::ManagedInstanceInventory |
SSM.1 |
|
AWS::SSM::PatchCompliance |
SSM.2 |
|
| Amazon Elastic Container Registry (Amazon ECR) | AWS::ECR::PublicRepository |
ECR.4 |
AWS::ECR::Repository |
ECR.2 ECR.3 ECR.5 |
|
| Amazon Elastic Container Service(Amazon ECS) | AWS::ECS::Cluster |
ECS.12 ECS.14 |
AWS::ECS::CapacityProvider |
ECS.19 |
|
AWS::ECS::Service |
ECS.2 ECS.10 ECS.13 |
|
AWS::ECS::TaskDefinition |
ECS.1 ECS.3 ECS.4 ECS.5 ECS.8 ECS.9 ECS.15 ECS.17 ECS.18 ECS.20 ECS.21 |
|
AWS::ECS::TaskSet |
ECS.16 |
|
| Amazon Elastic File System (Amazon EFS) | AWS::EFS::AccessPoint
|
EFS.3 EFS.4 EFS.5 |
AWS::EFS::FileSystem
|
EFS.7 EFS.8 |
|
| Amazon Elastic Kubernetes Service (Amazon EKS) | AWS::EKS::Cluster |
EKS.2 EKS.6 EKS.8 |
AWS::EKS::IdentityProviderConfig |
EKS.7 | |
| Amazon Elastic Beanstalk | AWS::ElasticBeanstalk::Environment
|
ElasticBeanstalk1. ElasticBeanstalk2. ElasticBeanstalk3. |
| Elastic Load Balancing | AWS::ElasticLoadBalancing::LoadBalancer |
ELB.2 ELB.3 ELB.5 ELB.7 ELB.8 ELB.9 ELB.10 ELB.14 |
AWS::ElasticLoadBalancingV2::Listener |
ELB.17 ELB.18 |
|
AWS::ElasticLoadBalancingV2::LoadBalancer |
ELB.1 ELB.4 ELB.5 ELB.6 ELB.12 ELB.13 ELB.16 |
|
| ElasticSearch | AWS::Elasticsearch::Domain |
ES.3 ES.4 ES.5 ES.6 ES.7 ES.8 ES.9 |
| Amazon EMR | AWS::EMR::SecurityConfiguration |
EMR.3 EMR.4 |
| 亚马逊 EventBridge | AWS::Events::EventBus |
EventBridge2. EventBridge3. |
AWS::Events::Endpoint |
EventBridge4. |
|
| Amazon Fraud Detector | AWS::FraudDetector::EntityType |
FraudDetector1. |
AWS::FraudDetector::Label |
FraudDetector2. |
|
AWS::FraudDetector::Outcome |
FraudDetector3. |
|
AWS::FraudDetector::Variable |
FraudDetector4. |
|
| Amazon Global Accelerator | AWS::GlobalAccelerator::Accelerator |
GlobalAccelerator1. |
| Amazon Glue | AWS::Glue::Job |
Glue.1 胶水。4 |
AWS::Glue::MLTransform |
Glue.3 |
|
| 亚马逊 GuardDuty | AWS::GuardDuty::Detector |
GuardDuty4. |
AWS::GuardDuty::Filter |
GuardDuty2. |
|
AWS::GuardDuty::IPSet |
GuardDuty3. |
|
| Amazon Identity and Access Management(IAM) | AWS::IAM::Group |
IAM.27 KMS.2 |
AWS::IAM::Policy |
IAM.1 IAM.21 KMS.1 |
|
AWS::IAM::Role |
IAM.24 IAM.27 KMS.2 |
|
AWS::IAM::User |
IAM.2 IAM.3 IAM.5 IAM.8 IAM.19 IAM.22 IAM.25 IAM.27 KMS.2 |
|
| Amazon Identity and Access Management Access Analyzer | AWS::AccessAnalyzer::Analyzer |
IAM.23 |
| Amazon Interactive Video Service (Amazon IVS) | AWS::IVS::PlaybackKeyPair |
IVS.1 |
AWS::IVS::RecordingConfiguration |
IVS.2 |
|
AWS::IVS::Channel |
IVS.3 |
|
| Amazon IoT | AWS::IoT::Authorizer |
IoT.4 |
AWS::IoT::Dimension |
IoT.3 |
|
AWS::IoT::MitigationAction |
IoT.2 |
|
AWS::IoT::Policy |
IoT.6 |
|
AWS::IoT::RoleAlias |
IoT.5 |
|
AWS::IoT::SecurityProfile |
IoT.1 |
|
| AmazonIoT Events | AWS::IoTEvents::AlarmModel |
Io TEvents .3 |
AWS::IoTEvents::DetectorModel |
Io TEvents 2 |
|
AWS::IoTEvents::Input |
Io TEvents .1 |
|
| Amazon物联网 SiteWise | AWS::IoTSiteWise::AssetModel |
Io TSite Wise.1 |
AWS::IoTSiteWise::Dashboard |
Io TSite Wise.2 |
|
AWS::IoTSiteWise::Gateway |
Io TSite Wise.3 |
|
AWS::IoTSiteWise::Portal |
Io TSite Wise.4 |
|
AWS::IoTSiteWise::Project |
Io TSite Wise.5 |
|
| Amazon物联网 TwinMaker | AWS::IoTTwinMaker::Entity |
Io TTwin Maker.4 |
AWS::IoTTwinMaker::Scene |
Io TTwin Maker.3 |
|
AWS::IoTTwinMaker::SyncJob |
Io TTwin Maker.1 |
|
AWS::IoTTwinMaker::Workspace |
Io TTwin Maker.2 |
|
| AmazonIoT Wireless | AWS::IoTWireless::MulticastGroup |
Io TWireless .1 |
AWS::IoTWireless::ServiceProfile |
Io TWireless 2 |
|
AWS::IoTWireless::FuotaTask |
Io TWireless .3 |
|
| Amazon Keyspaces(Apache Cassandra 兼容) | AWS::Cassandra::Keyspace |
Keyspaces.1 |
| Amazon Kinesis | AWS::Kinesis::Stream |
Kinesis.1 Kinesis.2 Kinesis.3 |
| Amazon Key Management Service(Amazon KMS) | AWS::KMS::Alias |
S3.17 |
AWS::KMS::Key |
KMS.3 KMS.5 S3.17 |
|
| Amazon Lambda | AWS::Lambda::Function |
Lambda.1 Lambda.2 Lambda.3 Lambda.5 Lambda.6 Lambda.7 |
| Amazon MSK | AWS::MSK::Cluster |
MSK.1 MSK.2 MSK.4 MSK.6 |
AWS::KafkaConnect::Connector |
MSK.3 MSK.5 |
|
| Amazon MQ | AWS::AmazonMQ::Broker |
MQ.2 MQ.3 MQ.4 MQ.5 MQ.6 |
| Amazon Network Firewall | AWS::NetworkFirewall::Firewall |
NetworkFirewall1. NetworkFirewall.7 NetworkFirewall.9 NetworkFirewall.10 |
AWS::NetworkFirewall::FirewallPolicy |
NetworkFirewall3. NetworkFirewall4. NetworkFirewall5. NetworkFirewall.8 |
|
AWS::NetworkFirewall::RuleGroup |
NetworkFirewall.6 |
|
| 亚马逊 OpenSearch 服务 | AWS::OpenSearch::Domain |
Opensearch.1 Opensearch.2 Opensearch.3 Opensearch.4 Opensearch.5 Opensearch.6 Opensearch.7 Opensearch.8 OpenSearch.9 Opensearch.10 Opensearch.11 |
| Amazon 私有 CA | AWS::ACMPCA::CertificateAuthority |
PCA.2 |
| Amazon Relational Database Service (Amazon RDS) | AWS::RDS::DBCluster |
DocumentDB.1 DocumentDB.2 DocumentDB.4 DocumentDB.5 Neptune.1 Neptune.2 Neptune.4 Neptune.5 Neptune.7 Neptune.8 Neptune.9 RDS.7 RDS.12 RDS.14 RDS.15 RDS.16 RDS.24 RDS.27 RDS.28 RDS.34 RDS.35 RDS.37 RDS.47 RDS.48 |
AWS::RDS::DBClusterSnapshot |
DocumentDB.3 Neptune.3 Neptune.6 RDS.1 RDS.4 RDS.29 |
|
AWS::RDS::DBInstance |
RDS.2 RDS.3 RDS.5 RDS.6 RDS.8 RDS.9 RDS.10 RDS.11 RDS.13 RDS.17 RDS.18 RDS.23 RDS.25 RDS.30 RDS.36 RDS.40 |
|
AWS::RDS::DBSecurityGroup |
RDS.31 |
|
AWS::RDS::DBSnapshot |
RDS.1 RDS.4 RDS.32 |
|
AWS::RDS::DBSubnetGroup |
RDS.33 |
|
AWS::RDS::EventSubscription |
RDS.19 RDS.20 RDS.21 RDS.22 |
|
| Amazon Redshift | AWS::Redshift::Cluster |
Redshift.1 Redshift.2 Redshift.3 Redshift.4 Redshift.6 Redshift.7 Redshift.8 Redshift.10 Redshift.11 Redshift.18 |
AWS::Redshift::ClusterParameterGroup |
Redshift.2 Redshift.17 |
|
AWS::Redshift::ClusterSnapshot |
Redshift.13 |
|
AWS::Redshift::ClusterSubnetGroup |
Redshift.14 Redshift.16 |
|
AWS::Redshift::EventSubscription |
Redshift.12 |
|
| Amazon Route 53 | AWS::Route53::HostedZone |
Route53.2 |
AWS::Route53::HealthCheck |
Route53.1 |
|
| Amazon Simple Storage Service(Amazon S3) | AWS::S3::AccessPoint |
S3.19 |
AWS::S3::AccountPublicAccessBlock |
S3.2 S3.3 |
|
AWS::S3::Bucket |
CloudTrail.6 CloudTrail.7 S3.2 S3.3 S3.5 S3.6 S3.7 S3.8 S3.9 S3.10 S3.11 S3.12 S3.13 S3.14 S3.15 S3.17 S3.20 |
|
AWS::S3::MultiRegionAccessPoint |
S3.24 |
|
AWS::S3Express::DirectoryBucket |
S3.25 |
|
| 亚马逊 SageMaker AI | AWS::SageMaker::AppImageConfig
|
SageMaker.6 |
AWS::SageMaker::Image
|
SageMaker.7 |
|
AWS::SageMaker::Model
|
SageMaker5. |
|
AWS::SageMaker::NotebookInstance
|
SageMaker2. SageMaker3. |
|
| Amazon Secrets Manager | AWS::SecretsManager::Secret
|
SecretsManager1. SecretsManager2. SecretsManager5. |
| Amazon Service Catalog | AWS::ServiceCatalog::Portfolio
|
ServiceCatalog1. |
| Amazon Simple Email Service (Amazon SES) | AWS::SES::ConfigurationSet
|
SES.2 SES.3 |
AWS::SES::ContactList
|
SES.1 |
|
| Amazon Simple Notification Service (Amazon SNS) | AWS::SNS::Topic
|
SNS.1 SNS.3 SNS.4 |
| Amazon Simple Queue Service (Amazon SQS) | AWS::SQS::Queue
|
SQS.1 SQS.2 SQS.3 |
| Amazon Step Functions | AWS::StepFunctions::StateMachine |
StepFunctions1. |
AWS::StepFunctions::Activity |
StepFunctions2. |
|
| Amazon Systems Manager(SSM) | AWS::SSM::Document
|
SSM.5 |
| Amazon Transfer Family | AWS::Transfer::Agreement |
转账。4 |
AWS::Transfer::Certificate |
转账.5 |
|
AWS::Transfer::Connector |
转账。3 Transfer.6 |
|
AWS::Transfer::Profile |
Transfer.7 |
|
AWS::Transfer::Workflow |
Transfer.1 |
|
| Amazon WAF | AWS::WAF::Rule |
WAF.6 |
AWS::WAF::RuleGroup |
WAF.7 |
|
AWS::WAF::WebACL |
WAF.1 WAF.8 |
|
AWS::WAFRegional::Rule |
WAF.2 |
|
AWS::WAFRegional::RuleGroup |
WAF.3 |
|
AWS::WAFRegional::WebACL |
WAF.4 |
|
AWS::WAFv2::RuleGroup |
WAF.12 |
|
AWS::WAFv2::WebACL |
WAF.10 WAF.11 |
|
| 亚马逊 WorkSpaces | AWS::WorkSpaces::WorkSpace |
WorkSpaces1. WorkSpaces2. |
Amazon 基础安全最佳实践标准所需的资源
为了让 Security Hub CSPM 准确报告适用于Amazon基础安全最佳实践标准 (v.1.0.0)、已启用并使用Amazon Config规则的变更触发控制的结果,您必须在中记录以下类型的资源。Amazon Config有关此标准的信息,请参阅 AmazonSecurity Hub CSPM 中的基础安全最佳实践标准。
| Amazon Web Services 服务 | 资源类型 |
|---|---|
|
Amazon API Gateway |
|
|
Amazon AppSync |
|
|
Amazon Backup |
|
|
Amazon Certificate Manager(ACM) |
|
|
Amazon CloudFormation |
|
|
亚马逊 CloudFront |
|
|
Amazon CodeBuild |
|
|
Amazon Cognito |
|
|
Amazon Connect |
|
|
Amazon DataSync |
|
|
Amazon Database Migration Service(Amazon DMS) |
|
|
Amazon DynamoDB |
|
| 亚马逊 S EC2 ystems Manager (SSM) |
|
|
亚马逊弹性计算云(亚马逊 EC2) |
|
|
Amazon A EC2 uto Scaling |
|
|
Amazon Elastic Container Registry(Amazon ECR) |
|
|
Amazon Elastic Container Service(Amazon ECS) |
|
|
Amazon Elastic File System(Amazon EFS) |
|
|
Amazon Elastic Kubernetes Service(Amazon EKS) |
|
|
Amazon Elastic Beanstalk |
|
|
Elastic Load Balancing |
|
|
ElasticSearch |
|
|
Amazon EMR |
|
|
Amazon Glue |
|
|
Amazon Identity and Access Management(IAM) |
|
|
Amazon Kinesis |
|
|
Amazon Key Management Service(Amazon KMS) |
|
|
Amazon Lambda |
|
|
Amazon Managed Streaming for Apache Kafka (Amazon MSK) |
|
|
Amazon Network Firewall |
|
|
亚马逊 OpenSearch 服务 |
|
|
Amazon Relational Database Service (Amazon RDS) |
|
|
Amazon Redshift |
|
|
Amazon Redshift Serverless |
|
|
Amazon Route 53 |
|
|
Amazon Simple Storage Service(Amazon S3) |
|
|
亚马逊 SageMaker AI |
|
|
Amazon Simple Notification Service (Amazon SNS) |
|
|
Amazon Simple Queue Service (Amazon SQS) |
|
|
Amazon Secrets Manager |
|
|
Amazon Step Functions |
|
|
Amazon Transfer Family |
|
|
Amazon WAF |
|
|
亚马逊 WorkSpaces |
|
独联体Amazon基金会基准测试所需的资源
要对适用于互联网安全中心 (CIS) Amazon 基金会基准测试的已启用控件进行安全检查,Security Hub CSPM 要么执行为检查规定的确切审计步骤,要么使用特定的Amazon Config托管规则。有关 Security Hub CSPM 中此标准的更多信息,请参阅 CIS Amazon 基金会在 Security Hub CSPM 中的基准。
CIS v5.0.0 所需的资源
为了让 Security Hub CSPM 准确报告已启用 CIS v5.0.0 更改触发的使用Amazon Config规则的控件的调查结果,您必须在中记录以下类型的资源。Amazon Config
| Amazon Web Services 服务 | 资源类型 |
|---|---|
|
亚马逊弹性计算云(亚马逊 EC2) |
|
|
Amazon Elastic File System (Amazon EFS) |
|
|
Amazon Identity and Access Management(IAM) |
|
|
Amazon Relational Database Service(Amazon RDS) |
|
|
Amazon Simple Storage Service(Amazon S3) |
|
CIS v3.0.0 所需的资源
为了让 Security Hub CSPM 准确报告已启用 CIS v3.0.0 更改触发的使用Amazon Config规则的控件的调查结果,您必须在中记录以下类型的资源。Amazon Config
| Amazon Web Services 服务 | 资源类型 |
|---|---|
|
亚马逊弹性计算云(亚马逊 EC2) |
|
|
Amazon Identity and Access Management(IAM) |
|
|
Amazon Relational Database Service(Amazon RDS) |
|
|
Amazon Simple Storage Service(Amazon S3) |
|
CIS v1.4.0 所需的 资源
为了让 Security Hub CSPM 准确报告已启用 CIS v1.4.0 更改触发的使用Amazon Config规则的控件的调查结果,您必须在中记录以下类型的资源。Amazon Config
| Amazon Web Services 服务 | 资源类型 |
|---|---|
|
亚马逊弹性计算云(亚马逊 EC2) |
|
|
Amazon Identity and Access Management(IAM) |
|
|
Amazon Relational Database Service(Amazon RDS) |
|
|
Amazon Simple Storage Service(Amazon S3) |
|
CIS v1.2.0 所需的 资源
为了让 Security Hub CSPM 准确报告已启用 CIS v1.2.0 更改触发的使用Amazon Config规则的控件的调查结果,您必须在中记录以下类型的资源。Amazon Config
| Amazon Web Services 服务 | 资源类型 |
|---|---|
|
亚马逊弹性计算云(亚马逊 EC2) |
|
|
Amazon Identity and Access Management(IAM) |
|
NIST SP 800-53 修订版 5 标准所需的资源
为了让 Security Hub CSPM 准确报告适用于 NIST SP 800-53 修订版 5 标准、已启用并使用Amazon Config规则的变更触发控制的结果,您必须在中记录以下类型的资源。Amazon Config有关此标准的信息,请参阅 Security Hub CSPM 中的 NIST SP 800-53 修订版 5。
| Amazon Web Services 服务 | 资源类型 |
|---|---|
|
Amazon API Gateway |
|
|
Amazon AppSync |
|
|
Amazon Backup |
|
|
Amazon Certificate Manager(ACM) |
|
|
Amazon CloudFormation |
|
|
亚马逊 CloudFront |
|
|
亚马逊 CloudWatch |
|
|
Amazon CodeBuild |
|
|
Amazon Database Migration Service(Amazon DMS) |
|
|
Amazon DynamoDB |
|
|
亚马逊弹性计算云(亚马逊 EC2) |
|
|
Amazon A EC2 uto Scaling |
|
|
Amazon Elastic Container Registry(Amazon ECR) |
|
|
Amazon Elastic Container Service(Amazon ECS) |
|
|
Amazon Elastic File System(Amazon EFS) |
|
|
Amazon Elastic Kubernetes Service(Amazon EKS) |
|
|
Amazon Elastic Beanstalk |
|
|
Elastic Load Balancing |
|
|
亚马逊 ElasticSearch |
|
|
Amazon EMR |
|
|
亚马逊 EventBridge |
|
|
Amazon Glue |
|
|
Amazon Identity and Access Management(IAM) |
|
|
Amazon Key Management Service(Amazon KMS) |
|
|
Amazon Kinesis |
|
|
Amazon Lambda |
|
|
Amazon Managed Streaming for Apache Kafka (Amazon MSK) |
|
|
Amazon MQ |
|
|
Amazon Network Firewall |
|
|
亚马逊 OpenSearch 服务 |
|
|
Amazon Relational Database Service (Amazon RDS) |
|
|
Amazon Redshift |
|
|
Amazon Route 53 |
|
|
Amazon Simple Storage Service(Amazon S3) |
|
|
Amazon Service Catalog |
|
|
Amazon Simple Notification Service (Amazon SNS) |
|
|
Amazon Simple Queue Service (Amazon SQS) |
|
| 亚马逊 S EC2 ystems Manager (SSM) |
|
|
亚马逊 SageMaker AI |
|
|
Amazon Secrets Manager |
|
|
Amazon Transfer Family |
|
|
Amazon WAF |
|
NIST SP 800-171 修订版 2 标准所需的资源
为了让 Security Hub CSPM 准确报告适用于 NIST SP 800-171 修订版 2 标准、已启用并使用Amazon Config规则的变更触发控制的结果,您必须在中记录以下类型的资源。Amazon Config有关此标准的信息,请参阅 Security Hub CSPM 中的 NIST SP 800-171 修订版 2。
| Amazon Web Services 服务 | 资源类型 |
|---|---|
| Amazon Certificate Manager (ACM) |
|
| Amazon API Gateway |
|
| 亚马逊 CloudFront |
|
| 亚马逊 CloudWatch |
|
| 亚马逊弹性计算云(亚马逊 EC2) |
|
| Elastic Load Balancing |
|
| Amazon Identity and Access Management (IAM) |
|
| Amazon Key Management Service (Amazon KMS) |
|
| Amazon Network Firewall |
|
| Amazon Simple Storage Service (Amazon S3) |
|
| Amazon Simple Notification Service (Amazon SNS) |
|
| Amazon Systems Manager (SSM) |
|
| Amazon WAF |
|
PCI DSS v3.2.1 所需的资源
为了使 Security Hub CSPM 能够为适用于支付卡行业数据安全标准(PCI DSS)v3.2.1、已启用并且使用 Amazon Config 规则的控件准确报告调查发现,您必须在 Amazon Config 中记录以下类型的资源。有关此标准的信息,请参阅 Security Hub CSPM 中的 PCI DSS。
| Amazon Web Services 服务 | 资源类型 |
|---|---|
|
Amazon CodeBuild |
|
|
亚马逊弹性计算云(亚马逊 EC2) |
|
|
Amazon A EC2 uto Scaling |
|
|
Amazon Identity and Access Management(IAM) |
|
|
Amazon Lambda |
|
|
亚马逊 OpenSearch 服务 |
|
|
Amazon Relational Database Service (Amazon RDS) |
|
|
Amazon Redshift |
|
|
Amazon Simple Storage Service(Amazon S3) |
|
| 亚马逊 S EC2 ystems Manager (SSM) |
|
资源标签标准所需的Amazon资源
所有适用于Amazon资源标记标准的控件都是触发变更的,并使用Amazon Config规则。为了让 Security Hub CSPM 准确报告这些控件的调查结果,您必须在中记录以下类型的资源。Amazon Config有关此标准的信息,请参阅 AmazonSecurity Hub CSPM 中的资源标记标准。
| Amazon Web Services 服务 | 资源类型 |
|---|---|
| Amazon Amplify |
|
| 亚马逊 AppFlow |
|
| Amazon App Runner |
|
| Amazon AppConfig |
|
| Amazon AppSync |
|
| Amazon Athena |
|
| Amazon Backup |
|
| Amazon Batch |
|
| Amazon Certificate Manager(ACM) |
|
| Amazon CloudFormation |
|
| 亚马逊 CloudFront |
|
| Amazon CloudTrail |
|
| Amazon CodeArtifact |
|
| 亚马逊 CodeGuru |
|
| Amazon Connect |
|
| Amazon Database Migration Service(Amazon DMS) |
|
| Amazon DataSync |
|
| Amazon Detective |
|
| Amazon DynamoDB |
|
| 亚马逊弹性计算云 (EC2) |
|
| Amazon A EC2 uto Scaling |
|
| Amazon Elastic Container Registry(Amazon ECR) |
|
| Amazon Elastic Container Service(Amazon ECS) |
|
| Amazon Elastic File System(Amazon EFS) |
|
| Amazon Elastic Kubernetes Service(Amazon EKS) |
|
| Amazon Elastic Beanstalk |
|
| ElasticSearch |
|
| 亚马逊 EventBridge |
|
| Amazon Fraud Detector |
|
| Amazon Global Accelerator |
|
| Amazon Glue |
|
| 亚马逊 GuardDuty |
|
| Amazon Identity and Access Management(IAM) |
|
| Amazon Identity and Access Management Access Analyzer(IAM 访问分析器) |
|
| Amazon IoT |
|
| Amazon IoT活动 |
|
| Amazon IoTSiteWise |
|
| Amazon IoTTwinMaker |
|
| Amazon IoT无线 |
|
| Amazon Interactive Video Service (Amazon IVS) |
|
| Amazon Keyspaces(Apache Cassandra 兼容) |
|
| Amazon Kinesis |
|
| Amazon Lambda |
|
| Amazon MQ |
|
| Amazon Network Firewall |
|
| 亚马逊 OpenSearch 服务 |
|
| Amazon 私有证书颁发机构 |
|
| Amazon Relational Database Service |
|
| Amazon Redshift |
|
| Amazon Route 53 |
|
| 亚马逊 SageMaker AI |
|
| Amazon Secrets Manager |
|
| Amazon Simple Email Service (Amazon SES) |
|
| Amazon Simple Notification Service (Amazon SNS) |
|
| Amazon Simple Queue Service (Amazon SQS) |
|
| Amazon Step Functions |
|
| Amazon Systems Manager(SSM) |
|
| Amazon Transfer Family |
|