控件调查发现所需的 Amazon Config 资源 - Amazon Security Hub
所有 Security Hub CSPM 控件所需的资源Amazon 基础安全最佳实践标准所需的资源CIS Amazon 基金会基准所需的资源NIST SP 800-53 修订版 5 标准所需的资源NIST SP 800-171 修订版 2 标准所需的资源PCI DSS v3.2.1 所需的资源Amazon 资源标注标准所需的资源Amazon Control Tower 服务托管标准所需的资源
Amazon Web Services 文档中描述的 Amazon Web Services 服务或功能可能因区域而异。要查看适用于中国区域的差异,请参阅 中国的 Amazon Web Services 服务入门 (PDF)

控件调查发现所需的 Amazon Config 资源

在 Amazon Security Hub CSPM 中,某些控件使用服务相关 Amazon Config 规则来检测 Amazon 资源中的配置更改。为了让 Security Hub CSPM 为这些控件生成准确的调查发现,您必须在 Amazon Config 中启用 Amazon Config 和开启资源记录。有关 Security Hub CSPM 如何使用 Amazon Config 规则以及如何启用和配置 Amazon Config 的信息,请参阅 为 Security Hub CSPM 启用和配置 Amazon Config。有关资源记录的详细信息,请参阅《Amazon Config 开发人员指南》中的 Working with the configuration recorder

要获得准确的控件调查发现,您必须为计划类型为变更已触发的已启用控件开启 Amazon Config 资源记录。某些具有定期计划类型的控件也需要资源记录。本页列出了这些 Security Hub CSPM 控件所需的资源。

Security Hub CSPM 控件可以依赖托管 Amazon Config 规则或自定义 Security Hub CSPM 规则。确保没有任何 Amazon Identity and Access Management (IAM) 策略或 Amazon Organizations 托管策略会阻止 Amazon Config 获得记录资源的权限。Security Hub CSPM 控件直接评估资源配置,而不考虑 Amazon Organizations 策略。

注意

如果在 Amazon Web Services 区域 中控件不可用,则相应的资源在 Amazon Config 中也不可用。有关这些限制的列表,请参阅对 Security Hub CSPM 控件的区域限制

所有 Security Hub CSPM 控件所需的资源

要使 Security Hub CSPM 为已启用并使用 Amazon Config 规则的变更触发的控件生成调查发现,您必须在 Amazon Config 中记录以下类型的资源。此表还指出了哪些控件评估特定类型的资源。一个控件可以评估多种类型的资源。

Amazon Web Services 服务 资源类型 相关控件
Amazon Amplify AWS::Amplify::App

Amplify.1
AWS::Amplify::Branch

Amplify.2
Amazon API Gateway AWS::ApiGateway::Stage

APIGateway.1

APIGateway.2

APIGateway.3

APIGateway.4

APIGateway.5
AWS::ApiGatewayV2::Stage

APIGateway.1

APIGateway.9
Amazon AppConfig AWS::AppConfig::Application

AppConfig.1
AWS::AppConfig::ConfigurationProfile

AppConfig.2
AWS::AppConfig::Environment

AppConfig.3
AWS::AppConfig::ExtensionAssociation

AppConfig.4
Amazon AppFlow AWS::AppFlow::Flow

AppFlow.1
Amazon App Runner AWS::AppRunner::Service

AppRunner.1
AWS::AppRunner::VpcConnector

AppRunner.2
Amazon AppSync AWS::AppSync::GraphQLApi

AppSync.2

AppSync.4

AppSync.5
AWS::AppSync::ApiCache

AppSync.1

AppSync.6
Amazon Backup AWS::Backup::BackupPlan

Backup.5
AWS::Backup::BackupVault

Backup.3
AWS::Backup::RecoveryPoint

Backup.1

Backup.2
AWS::Backup::ReportPlan

Backup.4
Amazon Batch AWS::Batch::ComputeEnvironment

Batch.3

Batch.4
AWS::Batch::JobQueue

Batch.1
AWS::Batch::SchedulingPolicy

Batch.2
Amazon Certificate Manager (ACM) AWS::ACM::Certificate

ACM.1

ACM.2

ACM.3
Amazon Athena AWS::Athena::DataCatalog Athena.2
AWS::Athena::WorkGroup

Athena.3

Athena.4
Amazon CloudFormation AWS::CloudFormation::Stack

CloudFormation.2
Amazon CloudFront AWS::CloudFront::Distribution

CloudFront.1

CloudFront.3

CloudFront.4

CloudFront.5

CloudFront.6

CloudFront.7

CloudFront.8

CloudFront.9

CloudFront.10

CloudFront.13

CloudFront.14

CoudFront.15

CoudFront.16
Amazon CloudTrail AWS::CloudTrail::Trail CloudTrail.9
Amazon CloudWatch AWS::CloudWatch::Alarm

CloudWatch.15

CloudWatch.17
Amazon CodeArtifact AWS::CodeArtifact::Repository CodeArtifact.1
Amazon CodeBuild AWS::CodeBuild::Project

CodeBuild.1

CodeBuild.2

CodeBuild.3

CodeBuild.4
AWS::CodeBuild::ReportGroup

CodeBuild.7
Amazon CodeGuru Profiler AWS::CodeGuruProfiler::ProfilingGroup CodeGurProfiler.1
Amazon CodeGuru Reviewer AWS::CodeGuruReviewer::RepositoryAssociation CodeGurureViewer.1
Amazon Cognito AWS::Cognito::IdentityPool Cognito.2
AWS::Cognito::UserPool

Cognito.1

Cognito.3
Amazon Connect AWS::CustomerProfiles::ObjectType Connect.1
AWS::Connect::Instance Connect.2
Amazon DataSync AWS::DataSync::Task

DataSync.1

DataSync.2
Amazon Detective AWS::Detective::Graph Detective.1
Amazon Database Migration Service (Amazon DMS) AWS::DMS::Certificate

DMS.2
AWS::DMS::Endpoint

DMS.9

DMS.10

DMS.11

DMS.12
AWS::DMS::EventSubscription DMS.3
AWS::DMS::ReplicationInstance

DMS.4

DMS.6

DMS.13
AWS::DMS::ReplicationSubnetGroup DMS.5
AWS::DMS::ReplicationTask

DMS.7

DMS.8
Amazon DynamoDB AWS::DynamoDB::Table

DynamoDB.1

DynamoDB.2

DynamoDB.5

DynamodB.6
Amazon Elastic Compute Cloud (EC2) AWS::EC2::ClientVpnEndpoint

EC2.51
AWS::EC2::CustomerGateway EC2.36
AWS::EC2::DHCPOptions EC2.174
AWS::EC2::EIP

EC2.12

EC2.37
AWS::EC2::FlowLog EC2.48
AWS::EC2::Instance

EC2.4

EC2.8

EC2.9

EC2.17

EC2.24

EC2.38

EMR.1

SSM.1
AWS::EC2::InternetGateway

EC2.39
AWS::EC2::LaunchTemplate

EC2.25

EC2.170

EC2.175

EC2.181
AWS::EC2::NatGateway

EC2.40
AWS::EC2::NetworkAcl

EC2.16

EC2.21

EC2.41
AWS::EC2::NetworkInterface

EC2.22

EC2.35

EC2.180
AWS::EC2::PrefixList EC2.176
AWS::EC2::RouteTable EC2.42
AWS::EC2::SecurityGroup

EC2.2

EC2.13

EC2.14

EC2.18

EC2.19

EC2.43
AWS::EC2::SpotFleet EC2.173
AWS::EC2::Subnet

EC2.15

EC2.44

ElastiCache.7
AWS::EC2::TrafficMirrorFilter EC2.178
AWS::EC2::TrafficMirrorSession EC2.177
AWS::EC2::TrafficMirrorTarget EC2.179
AWS::EC2::TransitGateway

EC2.23

EC2.52
AWS::EC2::TransitGatewayAttachment EC2.33
AWS::EC2::TransitGatewayRouteTable EC2.34
AWS::EC2::Volume

EC2.3

EC2.45
AWS::EC2::VPC

EC2.6

EC2.46
AWS::EC2::VPCBlockPublicAccessOptions

EC2.172
AWS::EC2::VPCEndpointService EC2.47
AWS::EC2::VPCPeeringConnection EC2.49
AWS::EC2::VPNConnection EC2.20

EC2.171
AWS::EC2::VPNGateway EC2.50
Amazon EC2 Auto Scaling AWS::AutoScaling::AutoScalingGroup

AutoScaling.1

AutoScaling.2

AutoScaling.6

AutoScaling.9

AutoScaling.10
AWS::AutoScaling::LaunchConfiguration

AutoScaling.3

Autoscaling.5
Amazon EC2 Systems Manager (SSM) AWS::SSM::AssociationCompliance

SSM.3
AWS::SSM::ManagedInstanceInventory

SSM.1
AWS::SSM::PatchCompliance

SSM.2
Amazon Elastic Container Registry (Amazon ECR) AWS::ECR::PublicRepository ECR.4
AWS::ECR::Repository

ECR.2

ECR.3

ECR.5
Amazon Elastic Container Service (Amazon ECS) AWS::ECS::Cluster

ECS.12

ECS.14
AWS::ECS::Service

ECS.2

ECS.10

ECS.13
AWS::ECS::TaskDefinition

ECS.1

ECS.3

ECS.4

ECS.5

ECS.8

ECS.9

ECS.15

ECS.17
AWS::ECS::TaskSet

ECS.16
Amazon Elastic File System (Amazon EFS) AWS::EFS::AccessPoint

EFS.3

EFS.4

EFS.5
AWS::EFS::FileSystem

EFS.7

EFS.8
Amazon Elastic Kubernetes Service(Amazon EKS) AWS::EKS::Cluster

EKS.2

EKS.6

EKS.8
AWS::EKS::IdentityProviderConfig EKS.7
Amazon Elastic Beanstalk AWS::ElasticBeanstalk::Environment

ElasticBeanstalk.1

ElasticBeanstalk.2

ElasticBeanstalk.3
Elastic Load Balancing AWS::ElasticLoadBalancing::LoadBalancer

ELB.2

ELB.3

ELB.5

ELB.7

ELB.8

ELB.9

ELB.10

ELB.14
AWS::ElasticLoadBalancingV2::Listener

ELB.17

ELB.18
AWS::ElasticLoadBalancingV2::LoadBalancer

ELB.1

ELB.4

ELB.5

ELB.6

ELB.12

ELB.13

ELB.16
ElasticSearch AWS::Elasticsearch::Domain

ES.3

ES.4

ES.5

ES.6

ES.7

ES.8

ES.9
Amazon EMR AWS::EMR::SecurityConfiguration

EMR.3

EMR.4
Amazon EventBridge AWS::Events::EventBus

EventBridge.2

EventBridge.3
AWS::Events::Endpoint

EventBridge.4
Amazon Fraud Detector AWS::FraudDetector::EntityType

FraudDetector.1
AWS::FraudDetector::Label

FraudDetector.2
AWS::FraudDetector::Outcome

FraudDetector.3
AWS::FraudDetector::Variable

FraudDetector.4
Amazon Global Accelerator AWS::GlobalAccelerator::Accelerator

GlobalAccelerator.1
Amazon Glue AWS::Glue::Job

Glue.1

Glue.4
AWS::Glue::MLTransform

Glue.3
Amazon GuardDuty AWS::GuardDuty::Detector

GuardDuty.4
AWS::GuardDuty::Filter

GuardDuty.2
AWS::GuardDuty::IPSet

GuardDuty.3
Amazon Identity and Access Management(IAM) AWS::IAM::Group

IAM.27

KMS.2
AWS::IAM::Policy

IAM.1

IAM.21

KMS.1
AWS::IAM::Role

IAM.24

IAM.27

KMS.2
AWS::IAM::User

IAM.2

IAM.3

IAM.5

IAM.8

IAM.19

IAM.22

IAM.25

IAM.27

KMS.2
Amazon Identity and Access Management Access Analyzer AWS::AccessAnalyzer::Analyzer

IAM.23
Amazon Interactive Video Service (Amazon IVS) AWS::IVS::PlaybackKeyPair

IVS.1
AWS::IVS::RecordingConfiguration

IVS.2
AWS::IVS::Channel

IVS.3
Amazon IoT AWS::IoT::Authorizer

IoT.4
AWS::IoT::Dimension

IoT.3
AWS::IoT::MitigationAction

IoT.2
AWS::IoT::Policy

IoT.6
AWS::IoT::RoleAlias

IoT.5
AWS::IoT::SecurityProfile

IoT.1
Amazon IoT Events AWS::IoTEvents::AlarmModel

IoTEvents.3
AWS::IoTEvents::DetectorModel

IoTEvents.2
AWS::IoTEvents::Input

IoTEvents.1
Amazon IoT SiteWise AWS::IoTSiteWise::AssetModel

IoTSiteWise.1
AWS::IoTSiteWise::Dashboard

IoTSiteWise.2
AWS::IoTSiteWise::Gateway

IoTSiteWise.3
AWS::IoTSiteWise::Portal

IoTSiteWise.4
AWS::IoTSiteWise::Project

IoTSiteWise.5
Amazon IoT TwinMaker AWS::IoTTwinMaker::Entity

IoTTwinMaker.4
AWS::IoTTwinMaker::Scene

IoTTwinMaker.3
AWS::IoTTwinMaker::SyncJob

IoTTwinMaker.1
AWS::IoTTwinMaker::Workspace

IoTTwinMaker.2
Amazon IoT Wireless AWS::IoTWireless::MulticastGroup

IoTWireless.1
AWS::IoTWireless::ServiceProfile

IoTWireless.2
AWS::IoTWireless::FuotaTask

IoTWireless.3
Amazon Keyspaces(Apache Cassandra 兼容) AWS::Cassandra::Keyspace

Keyspaces.1
Amazon Kinesis AWS::Kinesis::Stream

Kinesis.1

Kinesis.2

Kinesis.3
Amazon Key Management Service (Amazon KMS) AWS::KMS::Alias

S3.17
AWS::KMS::Key

KMS.3

KMS.5

S3.17
Amazon Lambda AWS::Lambda::Function

Lambda.1

Lambda.2

Lambda.3

Lambda.5

Lambda.6

Lambda.7
Amazon MSK AWS::MSK::Cluster

MSK.1

MSK.2

MSK.4

MSK.6
AWS::KafkaConnect::Connector

MSK.3

MSK.5
Amazon MQ AWS::AmazonMQ::Broker

MQ.2

MQ.3

MQ.4

MQ.5

MQ.6
Amazon Network Firewall AWS::NetworkFirewall::Firewall

NetworkFirewall.1

NetworkFirewall.7

NetworkFirewall.9

NetworkFirewall.10
AWS::NetworkFirewall::FirewallPolicy

NetworkFirewall.3

NetworkFirewall.4

NetworkFirewall.5

NetworkFirewall.8
AWS::NetworkFirewall::RuleGroup

NetworkFirewall.6
Amazon OpenSearch Service AWS::OpenSearch::Domain

Opensearch.1

Opensearch.2

Opensearch.3

Opensearch.4

Opensearch.5

Opensearch.6

Opensearch.7

Opensearch.8

OpenSearch.9

Opensearch.10

Opensearch.11
Amazon 私有 CA AWS::ACMPCA::CertificateAuthority

PCA.2
Amazon Relational Database Service (Amazon RDS) AWS::RDS::DBCluster

DocumentDB.1

DocumentDB.2

DocumentDB.4

DocumentDB.5

Neptune.1

Neptune.2

Neptune.4

Neptune.5

Neptune.7

Neptune.8

Neptune.9

RDS.7

RDS.12

RDS.14

RDS.15

RDS.16

RDS.24

RDS.27

RDS.28

RDS.34

RDS.35

RDS.37

RDS.47

RDS.48
AWS::RDS::DBClusterSnapshot

DocumentDB.3

Neptune.3

Neptune.6

RDS.1

RDS.4

RDS.29
AWS::RDS::DBInstance

RDS.2

RDS.3

RDS.5

RDS.6

RDS.8

RDS.9

RDS.10

RDS.11

RDS.13

RDS.17

RDS.18

RDS.23

RDS.25

RDS.30

RDS.36

RDS.40
AWS::RDS::DBSecurityGroup

RDS.31
AWS::RDS::DBSnapshot

RDS.1

RDS.4

RDS.32
AWS::RDS::DBSubnetGroup

RDS.33
AWS::RDS::EventSubscription

RDS.19

RDS.20

RDS.21

RDS.22
Amazon Redshift AWS::Redshift::Cluster

Redshift.1

Redshift.2

Redshift.3

Redshift.4

Redshift.6

Redshift.7

Redshift.8

Redshift.10

Redshift.11

Redshift.18
AWS::Redshift::ClusterParameterGroup

Redshift.2

Redshift.17
AWS::Redshift::ClusterSnapshot

Redshift.13
AWS::Redshift::ClusterSubnetGroup

Redshift.14

Redshift.16
AWS::Redshift::EventSubscription

Redshift.12
Amazon Route 53 AWS::Route53::HostedZone

Route53.2
AWS::Route53::HealthCheck

Route53.1
Amazon Simple Storage Service(Amazon S3) AWS::S3::AccessPoint

S3.19
AWS::S3::AccountPublicAccessBlock

S3.2

S3.3
AWS::S3::Bucket

CloudTrail.6

CloudTrail.7

S3.2

S3.3

S3.5

S3.6

S3.7

S3.8

S3.9

S3.10

S3.11

S3.12

S3.13

S3.14

S3.15

S3.17

S3.20
AWS::S3::MultiRegionAccessPoint

S3.24
AWS::S3Express::DirectoryBucket

S3.25
Amazon SageMaker AI AWS::SageMaker::AppImageConfig

SageMaker.6
AWS::SageMaker::Image

SageMaker.7
AWS::SageMaker::Model

SageMaker.5
AWS::SageMaker::NotebookInstance

SageMaker.2

SageMaker.3
Amazon Secrets Manager AWS::SecretsManager::Secret

SecretsManager.1

SecretsManager.2

SecretsManager.5
Amazon Service Catalog AWS::ServiceCatalog::Portfolio

ServiceCatalog.1
Amazon Simple Email Service(Amazon SES) AWS::SES::ConfigurationSet

SES.2
AWS::SES::ContactList

SES.1
Amazon Simple Notification Service (Amazon SNS) AWS::SNS::Topic

SNS.1

SNS.3

SNS.4
Amazon Simple Queue Service(Amazon SQS) AWS::SQS::Queue

SQS.1

SQS.2

SQS.3
Amazon Step Functions AWS::StepFunctions::StateMachine

StepFunctions.1
AWS::StepFunctions::Activity

StepFunctions.2
Amazon Systems Manager (SSM) AWS::SSM::Document

SSM.5
Amazon Transfer Family AWS::Transfer::Agreement

Transfer.4
AWS::Transfer::Certificate

Transfer.5
AWS::Transfer::Connector

Transfer.3

Transfer.6
AWS::Transfer::Profile

Transfer.7
AWS::Transfer::Workflow

Transfer.1
Amazon WAF AWS::WAF::Rule

WAF.6
AWS::WAF::RuleGroup

WAF.7
AWS::WAF::WebACL

WAF.1

WAF.8
AWS::WAFRegional::Rule

WAF.2
AWS::WAFRegional::RuleGroup

WAF.3
AWS::WAFRegional::WebACL

WAF.4
AWS::WAFv2::RuleGroup

WAF.12
AWS::WAFv2::WebACL

WAF.10

WAF.11
Amazon WorkSpaces AWS::WorkSpaces::WorkSpace

WorkSpaces.1

WorkSpaces.2

Amazon 基础安全最佳实践标准所需的资源

为了使 Security Hub CSPM 能够为适用于 Amazon 基础安全最佳实践标准 (v.1.0.0)、已启用并且使用 Amazon Config 规则的变更触发的控件准确报告调查发现,您必须在 Amazon Config 中记录以下类型的资源。有关此标准的信息,请参阅 Security Hub CSPM 中的 Amazon 基础安全最佳实践标准

Amazon Web Services 服务 资源类型

Amazon API Gateway

AWS::ApiGateway::Stage, AWS::ApiGatewayV2::Stage

Amazon AppSync

AWS::AppSync::ApiCache, AWS::AppSync::GraphQLApi

Amazon Backup

AWS::Backup::RecoveryPoint

Amazon Certificate Manager (ACM)

AWS::ACM::Certificate

Amazon CloudFormation

AWS::CloudFormation::Stack

Amazon CloudFront

AWS::CloudFront::Distribution

Amazon CodeBuild

AWS::CodeBuild::Project, AWS::CodeBuild::ReportGroup

Amazon Cognito

AWS::Cognito::IdentityPool, AWS::Cognito::UserPool

Amazon Connect

AWS::Connect::Instance

Amazon DataSync

AWS::DataSync::Task

Amazon Database Migration Service (Amazon DMS)

AWS::DMS::Endpoint, AWS::DMS::ReplicationInstance, AWS::DMS::ReplicationTask

Amazon DynamoDB

AWS::DynamoDB::Table
Amazon EC2 Systems Manager (SSM)

AWS::SSM::AssociationCompliance, AWS::SSM::ManagedInstanceInventory, AWS::SSM::PatchCompliance

Amazon Elastic Compute Cloud(Amazon EC2)

AWS::EC2::ClientVpnEndpoint, AWS::EC2::Instance, AWS::EC2::LaunchTemplate, AWS::EC2::NetworkAcl, AWS::EC2::NetworkInterface, AWS::EC2::SecurityGroup, AWS::EC2::SpotFleet, AWS::EC2::Subnet, AWS::EC2::TransitGateway, AWS::EC2::VPCBlockPublicAccessOptions, AWS::EC2::VPNConnection, AWS::EC2::Volume

Amazon EC2 Auto Scaling

AWS::AutoScaling::AutoScalingGroup, AWS::AutoScaling::LaunchConfiguration

Amazon Elastic Container Registry(Amazon ECR)

AWS::ECR::Repository

Amazon Elastic Container Service(Amazon ECS)

AWS::ECS::Cluster, AWS::ECS::Service, AWS::ECS::TaskDefinition, AWS::ECS::TaskSet

Amazon Elastic File System(Amazon EFS)

AWS::EFS::AccessPoint, AWS::EFS::FileSystem

Amazon Elastic Kubernetes Service(Amazon EKS)

AWS::EKS::Cluster

Amazon Elastic Beanstalk

AWS::ElasticBeanstalk::Environment

Elastic Load Balancing

AWS::ElasticLoadBalancing::LoadBalancer, AWS::ElasticLoadBalancingV2::Listener, AWS::ElasticLoadBalancingV2::LoadBalancer

ElasticSearch

AWS::Elasticsearch::Domain

Amazon EMR

AWS::EMR::SecurityConfiguration

Amazon Glue

AWS::Glue::Job, AWS::Glue::MLTransform

Amazon Identity and Access Management(IAM)

AWS::IAM::Group, AWS::IAM::Policy, AWS::IAM::Role, AWS::IAM::User

Amazon Kinesis

AWS::Kinesis::Stream

Amazon Key Management Service (Amazon KMS)

AWS::KMS::Key

Amazon Lambda

AWS::Lambda::Function

Amazon Managed Streaming for Apache Kafka (Amazon MSK)

AWS::MSK::Cluster, AWS::KafkaConnect::Connector

Amazon Network Firewall

AWS::NetworkFirewall::Firewall, AWS::NetworkFirewall::FirewallPolicy, AWS::NetworkFirewall::RuleGroup

Amazon OpenSearch Service

AWS::OpenSearch::Domain

Amazon Relational Database Service (Amazon RDS)

AWS::RDS::DBCluster, AWS::RDS::DBClusterSnapshot, AWS::RDS::DBInstance, AWS::RDS::DBProxy, AWS::RDS::DBSnapshot, AWS::RDS::EventSubscription

Amazon Redshift

AWS::Redshift::Cluster, AWS::Redshift::ClusterSubnetGroup

Amazon Redshift Serverless

AWS::RedshiftServerless::Workgroup

Amazon Route 53

AWS::Route53::HostedZone

Amazon Simple Storage Service(Amazon S3)

AWS::S3::AccessPoint, AWS::S3::AccountPublicAccessBlock, AWS::S3::Bucket, AWS::S3::MultiRegionAccessPoint, AWS::S3Express::DirectoryBucket

Amazon SageMaker AI

AWS::SageMaker::Model, AWS::SageMaker::NotebookInstance

Amazon Simple Notification Service (Amazon SNS)

AWS::SNS::Topic

Amazon Simple Queue Service(Amazon SQS)

AWS::SQS::Queue

Amazon Secrets Manager

AWS::SecretsManager::Secret

Amazon Step Functions

AWS::StepFunctions::StateMachine

Amazon Transfer Family

AWS::Transfer::Connector

Amazon WAF

AWS::WAF::Rule, AWS::WAF::RuleGroup, AWS::WAF::WebACL, AWS::WAFRegional::Rule, AWS::WAFRegional::RuleGroup, AWS::WAFRegional::WebACL, AWS::WAFv2::RuleGroup, AWS::WAFv2::WebACL

Amazon WorkSpaces

AWS::WorkSpaces::WorkSpace

CIS Amazon 基金会基准所需的资源

要对适用于 Center for Internet Security (CIS) Amazon 基金会基准的已启用控件运行安全检查,Security Hub CSPM 要么按照为检查规定的确切审计步骤运行,要么使用特定的 Amazon Config 托管规则。有关 Security Hub CSPM 中此标准的更多信息,请参阅 Security Hub CSPM 中的 CIS Amazon 基金会基准

CIS v5.0.0 所需的资源

为了使 Security Hub CSPM 能够为已启用 CIS v5.0.0 更改触发的、使用 Amazon Config 规则的控件准确报告调查发现,您必须 Amazon Config 中记录以下类型的资源。

Amazon Web Services 服务 资源类型

Amazon Elastic Compute Cloud(Amazon EC2)

AWS::EC2::Instance, AWS::EC2::NetworkAcl, AWS::EC2::SecurityGroup, AWS::EC2::VPC

Amazon Elastic File System (Amazon EFS)

AWS::EFS::FileSystem

Amazon Identity and Access Management(IAM)

AWS::IAM::Group, AWS::IAM::User, AWS::IAM::Role

Amazon Relational Database Service(Amazon RDS)

AWS::RDS::DBInstance, AWS::RDS::DBCluster

Amazon Simple Storage Service(Amazon S3)

AWS::S3::Bucket

CIS v3.0.0 所需的资源

为了使 Security Hub CSPM 能够为已启用 CIS v3.0.0 且使用 Amazon Config 规则的变更触发的控件准确报告调查发现,您必须 Amazon Config 中记录以下类型的资源。

Amazon Web Services 服务 资源类型

Amazon Elastic Compute Cloud(Amazon EC2)

AWS::EC2::Instance, AWS::EC2::NetworkAcl, AWS::EC2::SecurityGroup, AWS::EC2::VPC

Amazon Identity and Access Management(IAM)

AWS::IAM::Group, AWS::IAM::User, AWS::IAM::Role

Amazon Relational Database Service(Amazon RDS)

AWS::RDS::DBInstance

Amazon Simple Storage Service(Amazon S3)

AWS::S3::Bucket

CIS v1.4.0 所需的 资源

为了使 Security Hub CSPM 能够为已启用 CIS v1.4.0 且使用 Amazon Config 规则的变更触发的控件准确报告调查发现,您必须 Amazon Config 中记录以下类型的资源。

Amazon Web Services 服务 资源类型

Amazon Elastic Compute Cloud(Amazon EC2)

AWS::EC2::NetworkAcl, AWS::EC2::SecurityGroup

Amazon Identity and Access Management(IAM)

AWS::IAM::Policy, AWS::IAM::User

Amazon Relational Database Service(Amazon RDS)

AWS::RDS::DBInstance

Amazon Simple Storage Service(Amazon S3)

AWS::S3::Bucket

CIS v1.2.0 所需的 资源

为了使 Security Hub CSPM 能够为已启用 CIS v1.2.0 且使用 Amazon Config 规则的变更触发的控件准确报告调查发现,您必须 Amazon Config 中记录以下类型的资源。

Amazon Web Services 服务 资源类型

Amazon Elastic Compute Cloud(Amazon EC2)

AWS::EC2::SecurityGroup

Amazon Identity and Access Management(IAM)

AWS::IAM::Policy, AWS::IAM::User

NIST SP 800-53 修订版 5 标准所需的资源

为了使 Security Hub CSPM 能够为适用于 NIST SP 800-53 修订版 5 标准、已启用并且使用 Amazon Config 规则的控件准确报告调查发现,您必须在 Amazon Config 中记录以下类型的资源。有关此标准的信息,请参阅 Security Hub CSPM 中的 NIST SP 800-53 修订版 5

Amazon Web Services 服务 资源类型

Amazon API Gateway

AWS::ApiGateway::Stage, AWS::ApiGatewayV2::Stage

Amazon AppSync

AWS::AppSync::GraphQLApi

Amazon Backup

AWS::Backup::RecoveryPoint

Amazon Certificate Manager (ACM)

AWS::ACM::Certificate

Amazon CloudFormation

AWS::CloudFormation::Stack

Amazon CloudFront

AWS::CloudFront::Distribution

Amazon CloudWatch

AWS::CloudWatch::Alarm

Amazon CodeBuild

AWS::CodeBuild::Project

Amazon Database Migration Service (Amazon DMS)

AWS::DMS::Endpoint, AWS::DMS::ReplicationInstance, AWS::DMS::ReplicationTask

Amazon DynamoDB

AWS::DynamoDB::Table

Amazon Elastic Compute Cloud(Amazon EC2)

AWS::EC2::ClientVpnEndpoint, AWS::EC2::EIP, AWS::EC2::Instance, AWS::EC2::LaunchTemplate, AWS::EC2::NetworkAcl, AWS::EC2::NetworkInterface, AWS::EC2::SecurityGroup, AWS::EC2::Subnet, AWS::EC2::TransitGateway, AWS::EC2::VPNConnection, AWS::EC2::Volume

Amazon EC2 Auto Scaling

AWS::AutoScaling::AutoScalingGroup, AWS::AutoScaling::LaunchConfiguration

Amazon Elastic Container Registry(Amazon ECR)

AWS::ECR::Repository

Amazon Elastic Container Service(Amazon ECS)

AWS::ECS::Cluster, AWS::ECS::Service, AWS::ECS::TaskDefinition

Amazon Elastic File System(Amazon EFS)

AWS::EFS::AccessPoint

Amazon Elastic Kubernetes Service(Amazon EKS)

AWS::EKS::Cluster

Amazon Elastic Beanstalk

AWS::ElasticBeanstalk::Environment

Elastic Load Balancing

AWS::ElasticLoadBalancing::LoadBalancer, AWS::ElasticLoadBalancingV2::Listener, AWS::ElasticLoadBalancingV2::LoadBalancer

Amazon ElasticSearch

AWS::Elasticsearch::Domain

Amazon EMR

AWS::EMR::SecurityConfiguration

Amazon EventBridge

AWS::Events::Endpoint, AWS::Events::EventBus

Amazon Glue

AWS::Glue::Job

Amazon Identity and Access Management(IAM)

AWS::IAM::Group, AWS::IAM::Policy, AWS::IAM::Role, AWS::IAM::User

Amazon Key Management Service (Amazon KMS)

AWS::KMS::Alias, AWS::KMS::Key

Amazon Kinesis

AWS::Kinesis::Stream

Amazon Lambda

AWS::Lambda::Function

Amazon Managed Streaming for Apache Kafka (Amazon MSK)

AWS::MSK::Cluster

Amazon MQ

AWS::AmazonMQ::Broker

Amazon Network Firewall

AWS::NetworkFirewall::Firewall, AWS::NetworkFirewall::FirewallPolicy, AWS::NetworkFirewall::RuleGroup

Amazon OpenSearch Service

AWS::OpenSearch::Domain

Amazon Relational Database Service (Amazon RDS)

AWS::RDS::DBCluster, AWS::RDS::DBClusterSnapshot, AWS::RDS::DBInstance, AWS::RDS::DBSnapshot, AWS::RDS::EventSubscription

Amazon Redshift

AWS::Redshift::Cluster, AWS::Redshift::ClusterSubnetGroup

Amazon Route 53

AWS::Route53::HostedZone

Amazon Simple Storage Service(Amazon S3)

AWS::S3::AccessPoint, AWS::S3::AccountPublicAccessBlock, AWS::S3::Bucket

Amazon Service Catalog

AWS::ServiceCatalog::Portfolio

Amazon Simple Notification Service (Amazon SNS)

AWS::SNS::Topic

Amazon Simple Queue Service(Amazon SQS)

AWS::SQS::Queue
Amazon EC2 Systems Manager (SSM)

AWS::SSM::AssociationCompliance, AWS::SSM::ManagedInstanceInventory, AWS::SSM::PatchCompliance

Amazon SageMaker AI

AWS::SageMaker::NotebookInstance

Amazon Secrets Manager

AWS::SecretsManager::Secret

Amazon Transfer Family

AWS::Transfer::Connector

Amazon WAF

AWS::WAF::Rule, AWS::WAF::RuleGroup, AWS::WAF::WebACL, AWS::WAFRegional::Rule, AWS::WAFRegional::RuleGroup, AWS::WAFRegional::WebACL, AWS::WAFv2::RuleGroup, AWS::WAFv2::WebACL

NIST SP 800-171 修订版 2 标准所需的资源

为了使 Security Hub CSPM 能够为适用于 NIST SP 800-171 修订版 2 标准、已启用并且使用 Amazon Config 规则的控件准确报告调查发现,您必须在 Amazon Config 中记录以下类型的资源。有关此标准的信息,请参阅 Security Hub CSPM 中的 NIST SP 800-171 修订版 2

Amazon Web Services 服务 资源类型
Amazon Certificate Manager (ACM)

AWS::ACM::Certificate
Amazon API Gateway

AWS::ApiGateway::Stage
Amazon CloudFront

AWS::CloudFront::Distribution
Amazon CloudWatch

AWS::CloudWatch::Alarm
Amazon Elastic Compute Cloud (Amazon EC2)

AWS::EC2::ClientVpnEndpoint, AWS::EC2::NetworkAcl, AWS::EC2::SecurityGroup, AWS::EC2::VPC, AWS::EC2::VPNConnection
Elastic Load Balancing

AWS::ElasticLoadBalancing::LoadBalancer
Amazon Identity and Access Management(IAM)

AWS::IAM::Policy, AWS::IAM::User
Amazon Key Management Service (Amazon KMS)

AWS::KMS::Alias, AWS::KMS::Key
Amazon Network Firewall

AWS::NetworkFirewall::FirewallPolicy, AWS::NetworkFirewall::RuleGroup
Amazon Simple Storage Service (Amazon S3)

AWS::S3::Bucket
Amazon Simple Notification Service (Amazon SNS)

AWS::SNS::Topic
Amazon Systems Manager (SSM)

AWS::SSM::PatchCompliance
Amazon WAF

AWS::WAFv2::RuleGroup

PCI DSS v3.2.1 所需的资源

为了使 Security Hub CSPM 能够为适用于支付卡行业数据安全标准 (PCI DSS) v3.2.1、已启用并且使用 Amazon Config 规则的控件准确报告调查发现,您必须在 Amazon Config 中记录以下类型的资源。有关此标准的信息,请参阅 Security Hub CSPM 中的 PCI DSS

Amazon Web Services 服务 资源类型

Amazon CodeBuild

AWS::CodeBuild::Project

Amazon Elastic Compute Cloud(Amazon EC2)

AWS::EC2::EIP, AWS::EC2::Instance, AWS::EC2::SecurityGroup

Amazon EC2 Auto Scaling

AWS::AutoScaling::AutoScalingGroup

Amazon Identity and Access Management(IAM)

AWS::IAM::Policy, AWS::IAM::User

Amazon Lambda

AWS::Lambda::Function

Amazon OpenSearch Service

AWS::OpenSearch::Domain

Amazon Relational Database Service (Amazon RDS)

AWS::RDS::DBClusterSnapshot, AWS::RDS::DBInstance, AWS::RDS::DBSnapshot

Amazon Redshift

AWS::Redshift::Cluster

Amazon Simple Storage Service(Amazon S3)

AWS::S3::AccountPublicAccessBlock, AWS::S3::Bucket
Amazon EC2 Systems Manager (SSM)

AWS::SSM::AssociationCompliance, AWS::SSM::ManagedInstanceInventory, AWS::SSM::PatchCompliance

Amazon 资源标注标准所需的资源

适用于 Amazon 资源标注标准的所有控件都是变更触发的,并且使用 Amazon Config 规则。为了使 Security Hub CSPM 能够为这些控件准确报告调查发现,您必须在 Amazon Config 中记录以下类型的资源。有关此标准的信息,请参阅 Security Hub CSPM 中的 Amazon 资源标注标准

Amazon Web Services 服务 资源类型
Amazon Amplify

AWS::Amplify::App, AWS::Amplify::Branch
Amazon AppFlow

AWS::AppFlow::Flow
Amazon App Runner

AWS::AppRunner::Service, AWS::AppRunner::VpcConnector
Amazon AppConfig

AWS::AppConfig::Application, AWS::AppConfig::ConfigurationProfile, AWS::AppConfig::Environment, AWS::AppConfig::ExtensionAssociation
Amazon AppSync

AWS::AppSync::GraphQLApi
Amazon Athena

AWS::Athena::DataCatalog, AWS::Athena::WorkGroup
Amazon Backup

AWS::Backup::BackupPlan, AWS::Backup::BackupVault, AWS::Backup::RecoveryPlan, AWS::Backup::ReportPlan
Amazon Batch

AWS::Batch::ComputeEnvironment, AWS::Batch::JobQueue, AWS::Batch::SchedulingPolicy
Amazon Certificate Manager (ACM)

AWS::ACM::Certificate
Amazon CloudFormation

AWS::CloudFormation::Stack
Amazon CloudFront

AWS::CloudFront::Distribution
Amazon CloudTrail

AWS::CloudTrail::Trail
Amazon CodeArtifact

AWS::CodeArtifact::Repository
Amazon CodeGuru

AWS::CodeGuruProfiler::ProfilingGroup, AWS::CodeGuruReviewer::RepositoryAssociation
Amazon Connect

AWS::CustomerProfiles::ObjectType
Amazon Database Migration Service (Amazon DMS)

AWS::DMS::Certificate, AWS::DMS::EventSubscription

AWS::DMS::ReplicationInstance, AWS::DMS::ReplicationSubnetGroup
Amazon DataSync

AWS::DataSync::Task
Amazon Detective

AWS::Detective::Graph
Amazon DynamoDB

AWS::DynamoDB::Trail
Amazon Elastic Compute Cloud (EC2)

AWS::EC2::CustomerGateway, AWS::EC2::DHCPOptions, AWS::EC2::EIP, AWS::EC2::FlowLog, AWS::EC2::Instance, AWS::EC2::InternetGateway, AWS::EC2::LaunchTemplate, AWS::EC2::NatGateway, AWS::EC2::NetworkAcl, AWS::EC2::NetworkInterface, AWS::EC2::PrefixList, AWS::EC2::RouteTable, AWS::EC2::SecurityGroup, AWS::EC2::Subnet, AWS::EC2::TrafficMirrorFilter, AWS::EC2::TrafficMirrorSession, AWS::EC2::TrafficMirrorTarget, AWS::EC2::TransitGateway, AWS::EC2::TransitGatewayAttachment, AWS::EC2::TransitGatewayRouteTable, AWS::EC2::Volume, AWS::EC2::VPC, AWS::EC2::VPCEndpointService, AWS::EC2::VPCPeeringConnection, AWS::EC2::VPNGateway
Amazon EC2 Auto Scaling

AWS::AutoScaling::AutoScalingGroup
Amazon Elastic Container Registry(Amazon ECR)

AWS::ECR::PublicRepository
Amazon Elastic Container Service(Amazon ECS)

AWS::ECS::Cluster, AWS::ECS::Service, AWS::ECS::TaskDefinition
Amazon Elastic File System(Amazon EFS)

AWS::EFS::AccessPoint
Amazon Elastic Kubernetes Service(Amazon EKS)

AWS::EKS::Cluster, AWS::EKS::IdentityProviderConfig
Amazon Elastic Beanstalk

AWS::ElasticBeanstalk::Environment
ElasticSearch

AWS::Elasticsearch::Domain
Amazon EventBridge

AWS::Events::EventBus
Amazon Fraud Detector

AWS::FraudDetector::EntityType, AWS::FraudDetector::Label

AWS::FraudDetector::Outcome, AWS::FraudDetector::Variable
Amazon Global Accelerator

AWS::GlobalAccelerator::Accelerator
Amazon Glue

AWS::Glue::Job
Amazon GuardDuty

AWS::GuardDuty::Detector, AWS::GuardDuty::Filter, AWS::GuardDuty::IPSet
Amazon Identity and Access Management(IAM)

AWS::IAM::Role, AWS::IAM::User
Amazon Identity and Access Management Access Analyzer(IAM Access Analyzer)

AWS::AccessAnalyzer::Analyzer
Amazon IoT

AWS::IoT::Authorizer, AWS::IoT::Dimension, AWS::IoT::MitigationAction, AWS::IoT::Policy, AWS::IoT::RoleAlias, AWS::IoT::SecurityProfile
Amazon IoT事件

AWS::IoTEvents::AlarmModel, AWS::IoTEvents::DetectorModel, AWS::IoTEvents::Input
Amazon IoT SiteWise

AWS::IoTSiteWise::Dashboard, AWS::IoTSiteWise::Gateway, AWS::IoTSiteWise::Portal, AWS::IoTSiteWise::Project
Amazon IoT TwinMaker

AWS::IoTTwinMaker::Entity, AWS::IoTTwinMaker::Scene, AWS::IoTTwinMaker::SyncJob, AWS::IoTTwinMaker::Workspace
Amazon IoT 无线

AWS::IoTWireless::FuotaTask, AWS::IoTWireless::MulticastGroup, AWS::IoTWireless::ServiceProfile
Amazon Interactive Video Service (Amazon IVS)

AWS::IVS::Channel, AWS::IVS::PlaybackKeyPair, AWS::IVS::RecordingConfiguration
Amazon Keyspaces (for Apache Cassandra)

AWS::Cassandra::Keyspace
Amazon Kinesis

AWS::Kinesis::Stream
Amazon Lambda

AWS::Lambda::Function
Amazon MQ

AWS::AmazonMQ::Broker
Amazon Network Firewall

AWS::NetworkFirewall::Firewall, AWS::NetworkFirewall::FirewallPolicy
Amazon OpenSearch Service

AWS::OpenSearch::Domain
Amazon 私有证书颁发机构

AWS::ACMPCA::CertificateAuthority
Amazon Relational Database Service

AWS::RDS::DBCluster, AWS::RDS::DBClusterSnapshot, AWS::RDS::DBInstance, AWS::RDS::DBSecurityGroup, AWS::RDS::DBSnapshot, AWS::RDS::DBSubnetGroup
Amazon Redshift

AWS::Redshift::Cluster, AWS::Redshift::ClusterParameterGroup, AWS::Redshift::ClusterSnapshot, AWS::Redshift::ClusterSubnetGroup, AWS::Redshift::EventSubscription
Amazon Route 53

AWS::Route53::HealthCheck
Amazon SageMaker AI

AWS::SageMaker::AppImageConfig, AWS::SageMaker::Image
Amazon Secrets Manager

AWS::SecretsManager::Secret
Amazon Simple Email Service(Amazon SES)

AWS::SES::ConfigurationSet, AWS::SES::ContactList
Amazon Simple Notification Service (Amazon SNS)

AWS::SNS::Topic
Amazon Simple Queue Service(Amazon SQS)

AWS::SQS::Queue
Amazon Step Functions

AWS::StepFunctions::Activity
Amazon Systems Manager (SSM)

AWS::SSM::Document
Amazon Transfer Family

AWS::Transfer::Agreement, AWS::Transfer::Certificate, AWS::Transfer::Connector, AWS::Transfer::Profile, AWS::Transfer::Workflow

Amazon Control Tower 服务托管标准所需的资源

为了使 Security Hub CSPM 能够为适用于 Amazon Control Tower 服务托管标准、已启用并且使用 Amazon Config 规则的变更触发控件准确报告调查发现,您必须在 Amazon Config 中记录以下类型的资源。有关此标准的信息,请参阅 服务托管标准:Amazon Control Tower

Amazon Web Services 服务 资源类型

Amazon API Gateway

AWS::ApiGateway::Stage

AWS::ApiGatewayV2::Stage

Amazon Certificate Manager (ACM)

AWS::ACM::Certificate

Amazon CodeBuild

AWS::CodeBuild::Project

Amazon DynamoDB

AWS::DynamoDB::Table

Amazon Elastic Compute Cloud (EC2)

AWS::EC2::Instance

AWS::EC2::NetworkAcl

AWS::EC2::NetworkInterface

AWS::EC2::SecurityGroup

AWS::EC2::Subnet

AWS::EC2::VPNConnection

AWS::EC2::Volume

Amazon EC2 Auto Scaling

AWS::AutoScaling::AutoScalingGroup

AWS::AutoScaling::LaunchConfiguration

Amazon Elastic Container Registry(Amazon ECR)

AWS::ECR::Repository

Amazon Elastic Container Service(Amazon ECS)

AWS::ECS::Cluster

AWS::ECS::Service

AWS::ECS::TaskDefinition

Amazon Elastic File System(Amazon EFS)

AWS::EFS::AccessPoint

Amazon EKS

AWS::EKS::Cluster

ElasticBeanstalk

AWS::ElasticBeanstalk::Environment

Elastic Load Balancing

AWS::ElasticLoadBalancing::LoadBalancer

AWS::ElasticLoadBalancingV2::LoadBalancer

ElasticSearch

AWS::Elasticsearch::Domain

Amazon Identity and Access Management(IAM)

AWS::IAM::Group

AWS::IAM::Policy

AWS::IAM::Role

AWS::IAM::User

Amazon Key Management Service (Amazon KMS)

AWS::KMS::Alias

AWS::KMS::Key

Amazon Kinesis

AWS::Kinesis::Stream

Amazon Lambda

AWS::Lambda::Function

Amazon Network Firewall

AWS::NetworkFirewall::FirewallPolicy

AWS::NetworkFirewall::RuleGroup

Amazon OpenSearch Service

AWS::OpenSearch::Domain

Amazon Relational Database Service (Amazon RDS)

AWS::RDS::DBCluster

AWS::RDS::DBClusterSnapshot

AWS::RDS::DBInstance

AWS::RDS::DBSnapshot

AWS::RDS::EventSubscription

Amazon Redshift

AWS::Redshift::Cluster

Amazon Simple Storage Service(Amazon S3)

AWS::S3::AccountPublicAccessBlock

AWS::S3::Bucket

Amazon Simple Notification Service (Amazon SNS)

AWS::SNS::Topic

Amazon Simple Queue Service(Amazon SQS)

AWS::SQS::Queue

Amazon Secrets Manager

AWS::SecretsManager::Secret
Amazon EC2 Systems Manager (SSM)

AWS::SSM::AssociationCompliance

AWS::SSM::ManagedInstanceInventory

AWS::SSM::PatchCompliance

Amazon WAF

AWS::WAFRegional::Rule

AWS::WAFRegional::RuleGroup

AWS::WAFRegional::WebACL

AWS::WAFv2::WebACL