Amazon Config resources required to generate control findings
Amazon Security Hub generates control findings by running security checks against Security Hub controls. Some controls use Amazon Config rules to evaluate the compliance of specific resources. For Security Hub to generate findings for controls with a change-triggered schedule type, you must enable recording of the required resources in Amazon Config. For most controls with a periodic schedule type, you don't need to record resources. However, some periodic controls do require resource recording in order to detect changes in compliance.
This page provides a list of the resources required across all standards, followed by lists of the required resources for each standard. The first table also lists the Security Hub controls that use each resource.
If a finding is generated by a security check that is based on an Amazon Config rule, the finding details include a link to the associated Amazon Config rule. To navigate to the Amazon Config rule, your account must have the IAM permissions needed to view Amazon Config rules.
Note
If a control is not available in an Amazon Web Services Region, the corresponding resource is not available in Amazon Config in that Region. For a list of Regional limits on Security Hub controls, see Availability of controls by Region.
Amazon Config resources required for all controls
For Security Hub to generate findings for enabled change-triggered Security Hub controls that use Amazon Config rules, you must record these resources in Amazon Config. The table also shows which controls require a given resource. A control can require more than one resource.
Service | Required resource | Related controls
---|---|---
Amazon API Gateway | AWS::ApiGateway::Stage | APIGateway.1, APIGateway.2, APIGateway.3, APIGateway.4, APIGateway.5
Amazon API Gateway | AWS::ApiGatewayV2::Stage | APIGateway.1, APIGateway.9
Amazon AppSync | AWS::AppSync::GraphQLApi | AppSync.2, AppSync.5
Amazon Athena | AWS::Athena::WorkGroup | Athena.1
Amazon Backup | AWS::Backup::RecoveryPoint | Backup.1
Amazon Certificate Manager (ACM) | AWS::ACM::Certificate | ACM.1, ACM.2
Amazon CloudFormation | AWS::CloudFormation::Stack | CloudFormation.1
Amazon CloudFront | AWS::CloudFront::Distribution | CloudFront.1, CloudFront.3, CloudFront.4, CloudFront.5, CloudFront.6, CloudFront.7, CloudFront.8, CloudFront.9, CloudFront.10, CloudFront.13
Amazon CloudWatch | AWS::CloudWatch::Alarm | CloudWatch.15, CloudWatch.17
Amazon CodeBuild | AWS::CodeBuild::Project | CodeBuild.1, CodeBuild.2, CodeBuild.3, CodeBuild.4, CodeBuild.5
Amazon Database Migration Service (Amazon DMS) | AWS::DMS::Endpoint | DMS.9
Amazon Database Migration Service (Amazon DMS) | AWS::DMS::ReplicationInstance | DMS.6
Amazon Database Migration Service (Amazon DMS) | AWS::DMS::ReplicationTask | DMS.7, DMS.8
Amazon DynamoDB | AWS::DynamoDB::Table | DynamoDB.2, DynamoDB.6
Amazon Elastic Compute Cloud (EC2) | AWS::EC2::ClientVpnEndpoint | EC2.51
Amazon Elastic Compute Cloud (EC2) | AWS::EC2::EIP | EC2.12
Amazon Elastic Compute Cloud (EC2) | AWS::EC2::Instance | EC2.4, EC2.8, EC2.9, EC2.17, EC2.24, EMR.1, SSM.1
Amazon Elastic Compute Cloud (EC2) | AWS::EC2::LaunchTemplate | EC2.25
Amazon Elastic Compute Cloud (EC2) | AWS::EC2::NetworkAcl | EC2.16, EC2.21
Amazon Elastic Compute Cloud (EC2) | AWS::EC2::NetworkInterface | EC2.22
Amazon Elastic Compute Cloud (EC2) | AWS::EC2::SecurityGroup | EC2.2, EC2.13, EC2.14, EC2.18, EC2.19
Amazon Elastic Compute Cloud (EC2) | AWS::EC2::Subnet | EC2.15, ElastiCache.7, Lambda.5
Amazon Elastic Compute Cloud (EC2) | AWS::EC2::TransitGateway | EC2.23
Amazon Elastic Compute Cloud (EC2) | AWS::EC2::VPNConnection | EC2.20
Amazon Elastic Compute Cloud (EC2) | AWS::EC2::Volume | EC2.3
Amazon EC2 Auto Scaling | AWS::AutoScaling::AutoScalingGroup | AutoScaling.1, AutoScaling.2, AutoScaling.6, AutoScaling.9
Amazon EC2 Auto Scaling | AWS::AutoScaling::LaunchConfiguration | AutoScaling.3, AutoScaling.4, AutoScaling.5
Amazon EC2 Systems Manager (SSM) | AWS::SSM::AssociationCompliance | SSM.3
Amazon EC2 Systems Manager (SSM) | AWS::SSM::ManagedInstanceInventory | SSM.1
Amazon EC2 Systems Manager (SSM) | AWS::SSM::PatchCompliance | SSM.2
Amazon Elastic Container Registry (Amazon ECR) | AWS::ECR::Repository | ECR.2, ECR.3
Amazon Elastic Container Service (Amazon ECS) | AWS::ECS::Cluster | ECS.12
Amazon Elastic Container Service (Amazon ECS) | AWS::ECS::Service | ECS.2, ECS.10
Amazon Elastic Container Service (Amazon ECS) | AWS::ECS::TaskDefinition | ECS.1, ECS.3, ECS.4, ECS.5, ECS.8, ECS.9
Amazon Elastic File System (Amazon EFS) | AWS::EFS::AccessPoint | EFS.3, EFS.4
Amazon Elastic Kubernetes Service (Amazon EKS) | AWS::EKS::Cluster | EKS.2
Amazon Elastic Beanstalk | AWS::ElasticBeanstalk::Environment | ElasticBeanstalk.1, ElasticBeanstalk.2, ElasticBeanstalk.3
Elastic Load Balancing | AWS::ElasticLoadBalancing::LoadBalancer | ELB.2, ELB.3, ELB.5, ELB.7, ELB.8, ELB.9, ELB.10, ELB.14
Elastic Load Balancing | AWS::ElasticLoadBalancingV2::LoadBalancer | ELB.4, ELB.5, ELB.6, ELB.12, ELB.13, ELB.16
Elasticsearch | AWS::Elasticsearch::Domain | ES.3, ES.4, ES.5, ES.6, ES.7, ES.8
Amazon EventBridge | AWS::Events::EventBus | EventBridge.3
Amazon EventBridge | AWS::Events::Endpoint | EventBridge.4
Amazon FSx | AWS::FSx::FileSystem | FSx.1
Amazon Identity and Access Management (IAM) | AWS::IAM::Group | IAM.18, KMS.2
Amazon Identity and Access Management (IAM) | AWS::IAM::Policy | IAM.1, IAM.21, KMS.1
Amazon Identity and Access Management (IAM) | AWS::IAM::Role | IAM.18, KMS.2
Amazon Identity and Access Management (IAM) | AWS::IAM::User | IAM.2, IAM.18, KMS.2
Amazon Key Management Service (Amazon KMS) | AWS::KMS::Key | KMS.3
Amazon Kinesis | AWS::Kinesis::Stream | Kinesis.1
Amazon Lambda | AWS::Lambda::Function | Lambda.1, Lambda.2, Lambda.3, Lambda.5
Amazon MSK | AWS::MSK::Cluster | MSK.1, MSK.2
Amazon MQ | AWS::AmazonMQ::Broker | MQ.5, MQ.6
Amazon Network Firewall | AWS::NetworkFirewall::Firewall | NetworkFirewall.1, NetworkFirewall.9
Amazon Network Firewall | AWS::NetworkFirewall::FirewallPolicy | NetworkFirewall.3, NetworkFirewall.4, NetworkFirewall.5
Amazon Network Firewall | AWS::NetworkFirewall::RuleGroup | NetworkFirewall.6
Amazon OpenSearch Service | AWS::OpenSearch::Domain | OpenSearch.1, OpenSearch.2, OpenSearch.3, OpenSearch.4, OpenSearch.5, OpenSearch.6, OpenSearch.7, OpenSearch.8, OpenSearch.10
Amazon Relational Database Service (Amazon RDS) | AWS::RDS::DBCluster | DocumentDB.1, DocumentDB.2, DocumentDB.4, DocumentDB.5, Neptune.1, Neptune.2, Neptune.4, Neptune.5, Neptune.7, Neptune.8, Neptune.9, RDS.7, RDS.12, RDS.14, RDS.15, RDS.16, RDS.24, RDS.27, RDS.34, RDS.35
Amazon Relational Database Service (Amazon RDS) | AWS::RDS::DBClusterSnapshot | DocumentDB.3, Neptune.3, Neptune.6, RDS.1, RDS.4
Amazon Relational Database Service (Amazon RDS) | AWS::RDS::DBInstance | RDS.2, RDS.3, RDS.5, RDS.6, RDS.8, RDS.9, RDS.10, RDS.11, RDS.13, RDS.17, RDS.18, RDS.23, RDS.25
Amazon Relational Database Service (Amazon RDS) | AWS::RDS::DBSnapshot | DocumentDB.3, RDS.1, RDS.4
Amazon Relational Database Service (Amazon RDS) | AWS::RDS::EventSubscription | RDS.19, RDS.20, RDS.21, RDS.22
Amazon Redshift | AWS::Redshift::Cluster | Redshift.1, Redshift.2, Redshift.3, Redshift.4, Redshift.6, Redshift.7, Redshift.8, Redshift.9, Redshift.10
Amazon Route 53 | AWS::Route53::HostedZone | Route53.2
Amazon Simple Storage Service (Amazon S3) | AWS::S3::AccessPoint | S3.19
Amazon Simple Storage Service (Amazon S3) | AWS::S3::Bucket | S3.2, S3.3, S3.5, S3.6, S3.7, S3.8, S3.9, S3.10, S3.11, S3.12, S3.13, S3.14, S3.15, S3.17, S3.20
Amazon Simple Notification Service (Amazon SNS) | AWS::SNS::Topic | SNS.1, SNS.2
Amazon Simple Queue Service (Amazon SQS) | AWS::SQS::Queue | SQS.1
Amazon SageMaker | AWS::SageMaker::NotebookInstance | SageMaker.2, SageMaker.3
Amazon Secrets Manager | AWS::SecretsManager::Secret | SecretsManager.1, SecretsManager.2
Amazon Step Functions | AWS::StepFunctions::StateMachine | StepFunctions.1
Amazon WAF | AWS::WAF::Rule | WAF.6
Amazon WAF | AWS::WAF::RuleGroup | WAF.7
Amazon WAF | AWS::WAF::WebACL | WAF.8
Amazon WAF | AWS::WAFRegional::Rule | WAF.2
Amazon WAF | AWS::WAFRegional::RuleGroup | WAF.3
Amazon WAF | AWS::WAFRegional::WebACL | WAF.4
Amazon WAF | AWS::WAFv2::RuleGroup | WAF.12
Amazon WAF | AWS::WAFv2::WebACL | WAF.10
Amazon Config resources required for the FSBP standard
For Security Hub to accurately report findings for enabled change-triggered Amazon Foundational Security Best Practices (FSBP) controls that use Amazon Config rules, you must record these resources in Amazon Config. For more information about this standard, see Amazon Foundational Security Best Practices (FSBP) standard.
Service | Required resources
---|---
Amazon API Gateway | 
Amazon AppSync | 
Amazon Athena | 
Amazon Backup | 
Amazon Certificate Manager (ACM) | 
Amazon CloudFormation | 
Amazon CloudFront | 
Amazon CodeBuild | 
Amazon Database Migration Service (Amazon DMS) | 
Amazon DynamoDB | 
Amazon EC2 Systems Manager (SSM) | 
Amazon Elastic Compute Cloud (EC2) | 
Amazon EC2 Auto Scaling | 
Amazon Elastic Container Registry (Amazon ECR) | 
Amazon Elastic Container Service (Amazon ECS) | 
Amazon Elastic File System (Amazon EFS) | 
Amazon EKS | 
Elastic Beanstalk | 
Elastic Load Balancing | 
Elasticsearch | 
Amazon FSx | 
Amazon Identity and Access Management (IAM) | 
Amazon Key Management Service (Amazon KMS) | 
Amazon Kinesis | 
Amazon Lambda | 
Amazon MSK | 
Amazon Network Firewall | 
Amazon OpenSearch Service | 
Amazon Relational Database Service (Amazon RDS) | 
Amazon Redshift | 
Amazon Route 53 | 
Amazon Simple Storage Service (Amazon S3) | 
Amazon Simple Notification Service (Amazon SNS) | 
Amazon Simple Queue Service (Amazon SQS) | 
Amazon SageMaker | 
Amazon Secrets Manager | 
Amazon Step Functions | 
Amazon WAF | 
Amazon Config resources required for the CIS Amazon Foundations Benchmark
To run security checks for the enabled controls that apply to the Center for Internet Security (CIS) Amazon Foundations Benchmark v1.2.0 and v1.4.0, Security Hub either follows the Securing Amazon Web Services
For more information about this standard, see Center for Internet Security (CIS) Amazon Foundations Benchmark v1.2.0 and v1.4.0.
Amazon Config resources required for CIS v1.4.0
For Security Hub to accurately report findings for enabled change-triggered CIS v1.4.0 controls that use Amazon Config rules, you must record these resources in Amazon Config.
Service | Required resources
---|---
Amazon Elastic Compute Cloud (EC2) | 
Amazon Identity and Access Management (IAM) | 
Amazon Relational Database Service (Amazon RDS) | 
Amazon Simple Storage Service (Amazon S3) | 
Amazon Config resources required for CIS v1.2.0
For Security Hub to accurately report findings for enabled change-triggered CIS v1.2.0 controls that use Amazon Config rules, you must record these resources in Amazon Config.
Service | Required resources
---|---
Amazon Elastic Compute Cloud (EC2) | 
Amazon Identity and Access Management (IAM) | 
Amazon Config resources required for NIST SP 800-53 Rev. 5
For Security Hub to accurately report findings for enabled change-triggered National Institute of Standards and Technology (NIST) SP 800-53 Rev. 5 controls that use Amazon Config rules, you must record these resources in Amazon Config. You only need to record resources for controls that have a change-triggered schedule type. For more information about this standard, see National Institute of Standards and Technology (NIST) SP 800-53 Rev. 5.
Service | Required resources
---|---
Amazon API Gateway | 
Amazon AppSync | 
Amazon Athena | 
Amazon Backup | 
Amazon Certificate Manager (ACM) | 
Amazon CloudFormation | 
Amazon CloudFront | 
Amazon CloudWatch | 
Amazon CodeBuild | 
Amazon Database Migration Service (Amazon DMS) | 
Amazon DynamoDB | 
Amazon Elastic Compute Cloud (EC2) | 
Amazon EC2 Auto Scaling | 
Amazon Elastic Container Registry (Amazon ECR) | 
Amazon Elastic Container Service (Amazon ECS) | 
Amazon Elastic File System (Amazon EFS) | 
Amazon EKS | 
Elastic Beanstalk | 
Elastic Load Balancing | 
Elasticsearch | 
Amazon EventBridge | 
Amazon FSx | 
Amazon Identity and Access Management (IAM) | 
Amazon Key Management Service (Amazon KMS) | 
Amazon Kinesis | 
Amazon Lambda | 
Amazon MSK | 
Amazon MQ | 
Amazon Network Firewall | 
Amazon OpenSearch Service | 
Amazon Relational Database Service (Amazon RDS) | 
Amazon Redshift | 
Amazon Route 53 | 
Amazon Simple Storage Service (Amazon S3) | 
Amazon Simple Notification Service (Amazon SNS) | 
Amazon Simple Queue Service (Amazon SQS) | 
Amazon EC2 Systems Manager (SSM) | 
Amazon SageMaker | 
Amazon Secrets Manager | 
Amazon WAF | 
Amazon Config resources required for PCI DSS
For Security Hub to accurately report findings for enabled Payment Card Industry Data Security Standard (PCI DSS) controls that use Amazon Config rules, you must record these resources in Amazon Config. For more information about this standard, see Payment Card Industry Data Security Standard (PCI DSS).
Service | Required resources
---|---
Amazon CodeBuild | 
Amazon Elastic Compute Cloud (EC2) | 
Amazon EC2 Auto Scaling | 
Amazon Identity and Access Management (IAM) | 
Amazon Lambda | 
Amazon OpenSearch Service | 
Amazon Relational Database Service (Amazon RDS) | 
Amazon Redshift | 
Amazon Simple Storage Service (Amazon S3) | 
Amazon EC2 Systems Manager (SSM) | 
Amazon Config resources required for the Service-Managed Standard: Amazon Control Tower
For Security Hub to accurately report findings for enabled change-triggered Service-Managed Standard: Amazon Control Tower controls that use Amazon Config rules, you must record the following resources in Amazon Config. For more information about this standard, see Service-Managed Standard: Amazon Control Tower.
Service | Required resources
---|---
Amazon API Gateway | 
Amazon Certificate Manager (ACM) | 
Amazon CodeBuild | 
Amazon DynamoDB | 
Amazon Elastic Compute Cloud (EC2) | 
Amazon EC2 Auto Scaling | 
Amazon Elastic Container Registry (Amazon ECR) | 
Amazon Elastic Container Service (Amazon ECS) | 
Amazon Elastic File System (Amazon EFS) | 
Amazon EKS | 
Elastic Beanstalk | 
Elastic Load Balancing | 
Elasticsearch | 
Amazon Identity and Access Management (IAM) | 
Amazon Key Management Service (Amazon KMS) | 
Amazon Kinesis | 
Amazon Lambda | 
Amazon Network Firewall | 
Amazon OpenSearch Service | 
Amazon Relational Database Service (Amazon RDS) | 
Amazon Redshift | 
Amazon Simple Storage Service (Amazon S3) | 
Amazon Simple Notification Service (Amazon SNS) | 
Amazon Simple Queue Service (Amazon SQS) | 
Amazon EC2 Systems Manager (SSM) | 
Amazon Secrets Manager | 
Amazon WAF | 