本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。
控制结果所需的 Amazon Config 资源
在 Sec Amazon urity Hub 云安全态势管理 (CSPM) 中,一些控件使用服务相关 Amazon Config 规则来检测资源中的配置更改。 Amazon 要让 Security Hub CSPM 为这些控件生成准确的调查结果,您必须在中启用 Amazon Config 并打开资源记录。 Amazon Config有关 Security Hub CSPM 如何使用 Amazon Config 规则以及如何启用和配置的信息 Amazon Config,请参阅。为 Security Hub CSPM 启用和配置 Amazon Config有关资源记录的详细信息,请参阅《Amazon Config 开发人员指南》中的使用配置记录器。
要获得准确的控制结果,您必须为已启用控件开启 Amazon Config 资源记录,并使用更改触发的计划类型。某些具有定期计划类型的控件也需要资源记录。本页列出了这些 Security Hub CSPM 控件所需的资源。
Security Hub CSPM 控件可以依赖托管 Amazon Config 规则或自定义 Security Hub CSPM 规则。确保没有任何 Amazon Identity and Access Management (IAM) 策略或 Amazon Organizations 托管策略会 Amazon Config 阻止您获得记录资源的权限。Security Hub CSPM 控件直接评估资源配置,不考虑 Amazon Organizations 策略。
注意
Amazon Web Services 区域 如果控件不可用,则相应的资源在中不可用 Amazon Config。有关这些限制的列表,请参阅对 Security Hub CSPM 控制的区域限制。
主题
所有 Security Hub CSPM 控件所需的资源
要让 Security Hub CSPM 生成已启用的变更触发控件的发现结果并使用 Amazon Config 规则,您必须在中记录以下类型的资源。 Amazon Config此表还指出了哪些控件评估特定类型的资源。单个控件可以评估多种类型的资源。
Amazon Web Services 服务 | 资源类型 | 相关控件 |
---|---|---|
Amazon Amplify | AWS::Amplify::App |
Amplify.1 |
AWS::Amplify::Branch |
Amplify.2 |
|
Amazon API Gateway | AWS::ApiGateway::Stage |
APIGateway1. APIGateway2. APIGateway3. APIGateway4. APIGateway5. |
AWS::ApiGatewayV2::Stage |
APIGateway1. APIGateway.9 |
|
Amazon AppConfig | AWS::AppConfig::Application
|
AppConfig1. |
AWS::AppConfig::ConfigurationProfile
|
AppConfig2. |
|
AWS::AppConfig::Environment
|
AppConfig3. |
|
AWS::AppConfig::ExtensionAssociation
|
AppConfig4. |
|
Amazon AppFlow | AWS::AppFlow::Flow
|
AppFlow1. |
Amazon App Runner | AWS::AppRunner::Service
|
AppRunner1. |
AWS::AppRunner::VpcConnector
|
AppRunner2. |
|
Amazon AppSync | AWS::AppSync::GraphQLApi
|
AppSync2. AppSync4. AppSync5. |
AWS::AppSync::ApiCache
|
AppSync1. AppSync.6 |
|
Amazon Backup | AWS::Backup::BackupPlan
|
Backup.5 |
AWS::Backup::BackupVault
|
Backup.3 |
|
AWS::Backup::RecoveryPoint
|
Backup.1 Backup.2 |
|
AWS::Backup::ReportPlan
|
Backup.4 |
|
Amazon Batch | AWS::Batch::ComputeEnvironment
|
Batch.3 Batch.4 |
AWS::Batch::JobQueue
|
Batch.1 |
|
AWS::Batch::SchedulingPolicy
|
Batch.2 |
|
Amazon Certificate Manager (ACM) | AWS::ACM::Certificate
|
ACM.1 ACM.2 ACM.3 |
Amazon Athena | AWS::Athena::DataCatalog |
Athena.2 |
AWS::Athena::WorkGroup |
Athena.3 Athena.4 |
|
Amazon CloudFormation | AWS::CloudFormation::Stack |
CloudFormation2. |
Amazon CloudFront | AWS::CloudFront::Distribution
|
CloudFront1. CloudFront3. CloudFront4. CloudFront5. CloudFront.6 CloudFront.7 CloudFront.8 CloudFront.9 CloudFront.10 CloudFront.13 CloudFront.14 |
Amazon CloudTrail | AWS::CloudTrail::Trail
|
CloudTrail.9 |
Amazon CloudWatch | AWS::CloudWatch::Alarm
|
CloudWatch.15 CloudWatch.17 |
Amazon CodeArtifact | AWS::CodeArtifact::Repository
|
CodeArtifact1. |
Amazon CodeBuild | AWS::CodeBuild::Project
|
CodeBuild1. CodeBuild2. CodeBuild3. CodeBuild4. |
AWS::CodeBuild::ReportGroup
|
CodeBuild.7 |
|
Amazon P CodeGuru rofiler | AWS::CodeGuruProfiler::ProfilingGroup |
CodeGuruProfiler1. |
Amazon CodeGuru Reviewer | AWS::CodeGuruReviewer::RepositoryAssociation |
CodeGuruReviewer1. |
Amazon Cognito | AWS::Cognito::UserPool |
Cognito1 |
Amazon Connect | AWS::CustomerProfiles::ObjectType |
Connect.1 |
AWS::Connect::Instance |
Connect.2 | |
Amazon DataSync | AWS::DataSync::Task |
DataSync1. DataSync2. |
Amazon Detective | AWS::Detective::Graph |
Detective.1 |
Amazon Database Migration Service (Amazon DMS) | AWS::DMS::Certificate |
DMS.2 |
AWS::DMS::Endpoint
|
DMS.9 DMS.10 DMS.11 DMS.12 |
|
AWS::DMS::EventSubscription
|
DMS.3 | |
AWS::DMS::ReplicationInstance
|
DMS.4 DMS.6 |
|
AWS::DMS::ReplicationSubnetGroup
|
DMS.5 | |
AWS::DMS::ReplicationTask |
DMS.7 DMS.8 |
|
Amazon DynamoDB | AWS::DynamoDB::Table
|
DynamoDB.1 DynamoDB.2 DynamoDB.5 DynamodB.6 |
Amazon 弹性计算云 (EC2) | AWS::EC2::ClientVpnEndpoint |
EC2.51 |
AWS::EC2::CustomerGateway |
EC2.36 | |
AWS::EC2::DHCPOptions |
EC2.174 | |
AWS::EC2::EIP |
EC2.12 EC2.37 |
|
AWS::EC2::FlowLog |
EC2.48 | |
AWS::EC2::Instance |
EC24. EC2.8 EC2.9 EC2.17 EC2.24 EC2.38 EMR.1 SSM.1 |
|
AWS::EC2::InternetGateway |
EC2.39 |
|
AWS::EC2::LaunchTemplate |
EC2.25 EC2.170 EC2.175 |
|
AWS::EC2::NatGateway |
EC2.40 |
|
AWS::EC2::NetworkAcl |
EC2.16 EC2.21 EC2.41 |
|
AWS::EC2::NetworkInterface |
EC2.22 EC2.35 |
|
AWS::EC2::PrefixList |
EC2.176 | |
AWS::EC2::RouteTable |
EC2.42 | |
AWS::EC2::SecurityGroup |
EC22. EC2.13 EC2.14 EC2.18 EC2.19 EC2.43 |
|
AWS::EC2::SpotFleet |
EC2.173 | |
AWS::EC2::Subnet |
EC2.15 EC2.44 ElastiCache.7 |
|
AWS::EC2::TrafficMirrorFilter |
EC2.178 | |
AWS::EC2::TrafficMirrorSession |
EC2.177 | |
AWS::EC2::TrafficMirrorTarget |
EC2.179 | |
AWS::EC2::TransitGateway |
EC2.23 EC2.52 |
|
AWS::EC2::TransitGatewayAttachment |
EC2.33 | |
AWS::EC2::TransitGatewayRouteTable |
EC2.34 | |
AWS::EC2::Volume |
EC23. EC2.45 |
|
AWS::EC2::VPC |
EC2.6 EC2.46 |
|
AWS::EC2::VPCBlockPublicAccessOptions |
EC2.172 |
|
AWS::EC2::VPCEndpointService |
EC2.47 | |
AWS::EC2::VPCPeeringConnection |
EC2.49 | |
AWS::EC2::VPNConnection |
EC2.20 EC2.171 |
|
AWS::EC2::VPNGateway |
EC2.50 | |
Amazon A EC2 uto Scaling | AWS::AutoScaling::AutoScalingGroup |
AutoScaling1. AutoScaling2. AutoScaling.6 AutoScaling.9 AutoScaling.10 |
AWS::AutoScaling::LaunchConfiguration |
AutoScaling3. Autoscaling.5 |
|
亚马逊 S EC2 ystems Manager (SSM) | AWS::SSM::AssociationCompliance |
SSM.3 |
AWS::SSM::ManagedInstanceInventory |
SSM.1 |
|
AWS::SSM::PatchCompliance |
SSM.2 |
|
Amazon Elastic Container Registry (Amazon ECR) | AWS::ECR::PublicRepository |
ECR.4 |
AWS::ECR::Repository |
ECR.2 ECR.3 ECR.5 |
|
Amazon Elastic Container Service (Amazon ECS) | AWS::ECS::Cluster |
ECS.12 ECS.14 |
AWS::ECS::Service |
ECS.2 ECS.10 ECS.13 |
|
AWS::ECS::TaskDefinition |
ECS.1 ECS.3 ECS.4 ECS.5 ECS.8 ECS.9 ECS.15 ECS.17 |
|
AWS::ECS::TaskSet |
ECS.16 |
|
Amazon Elastic File System (Amazon EFS) | AWS::EFS::AccessPoint
|
EFS.3 EFS.4 EFS.5 |
AWS::EFS::FileSystem
|
EFS.7 EFS.8 |
|
Amazon Elastic Kubernetes Service(Amazon EKS) | AWS::EKS::Cluster |
EKS.2 EKS.6 EKS.8 |
AWS::EKS::IdentityProviderConfig |
EKS.7 | |
Amazon Elastic Beanstalk | AWS::ElasticBeanstalk::Environment
|
ElasticBeanstalk1. ElasticBeanstalk2. ElasticBeanstalk3. |
Elastic Load Balancing | AWS::ElasticLoadBalancing::LoadBalancer |
ELB.2 ELB.3 ELB.5 ELB.7 ELB.8 ELB.9 ELB.10 ELB.14 |
AWS::ElasticLoadBalancingV2::Listener |
ELB.17 |
|
AWS::ElasticLoadBalancingV2::LoadBalancer |
ELB.1 ELB.4 ELB.5 ELB.6 ELB.12 ELB.13 ELB.16 |
|
ElasticSearch | AWS::Elasticsearch::Domain |
ES.3 ES.4 ES.5 ES.6 ES.7 ES.8 ES.9 |
Amazon EMR | AWS::EMR::SecurityConfiguration |
EMR.3 EMR.4 |
Amazon EventBridge | AWS::Events::EventBus |
EventBridge2. EventBridge3. |
AWS::Events::Endpoint |
EventBridge4. |
|
Amazon Fraud Detector | AWS::FraudDetector::EntityType |
FraudDetector1. |
AWS::FraudDetector::Label |
FraudDetector2. |
|
AWS::FraudDetector::Outcome |
FraudDetector3. |
|
AWS::FraudDetector::Variable |
FraudDetector4. |
|
Amazon Global Accelerator | AWS::GlobalAccelerator::Accelerator |
GlobalAccelerator1. |
Amazon Glue | AWS::Glue::Job |
Glue.1 胶水。4 |
AWS::Glue::MLTransform |
Glue.3 |
|
Amazon GuardDuty | AWS::GuardDuty::Detector |
GuardDuty4. |
AWS::GuardDuty::Filter |
GuardDuty2. |
|
AWS::GuardDuty::IPSet |
GuardDuty3. |
|
Amazon Identity and Access Management (IAM) | AWS::IAM::Group |
IAM.27 KMS.2 |
AWS::IAM::Policy |
IAM.1 IAM.21 KMS.1 |
|
AWS::IAM::Role |
IAM.24 IAM.27 KMS.2 |
|
AWS::IAM::User |
IAM.2 IAM.3 IAM.5 IAM.8 IAM.19 IAM.22 IAM.25 IAM.27 KMS.2 |
|
Amazon Identity and Access Management Access Analyzer | AWS::AccessAnalyzer::Analyzer |
IAM.23 |
Amazon Interactive Video Service (Amazon IVS) | AWS::IVS::PlaybackKeyPair |
IVS.1 |
AWS::IVS::RecordingConfiguration |
IVS.2 |
|
AWS::IVS::Channel |
IVS.3 |
|
Amazon IoT | AWS::IoT::Authorizer |
IoT.4 |
AWS::IoT::Dimension |
IoT.3 |
|
AWS::IoT::MitigationAction |
IoT.2 |
|
AWS::IoT::Policy |
IoT.6 |
|
AWS::IoT::RoleAlias |
IoT.5 |
|
AWS::IoT::SecurityProfile |
IoT.1 |
|
Amazon IoT Events | AWS::IoTEvents::AlarmModel |
Io TEvents .3 |
AWS::IoTEvents::DetectorModel |
Io TEvents .2 |
|
AWS::IoTEvents::Input |
Io TEvents .1 |
|
Amazon IoT SiteWise | AWS::IoTSiteWise::AssetModel |
Io TSite Wise.1 |
AWS::IoTSiteWise::Dashboard |
Io TSite Wise.2 |
|
AWS::IoTSiteWise::Gateway |
Io TSite Wise.3 |
|
AWS::IoTSiteWise::Portal |
Io TSite Wise.4 |
|
AWS::IoTSiteWise::Project |
Io TSite Wise.5 |
|
Amazon IoT TwinMaker | AWS::IoTTwinMaker::Entity |
Io TTwin Maker.4 |
AWS::IoTTwinMaker::Scene |
Io TTwin Maker.3 |
|
AWS::IoTTwinMaker::SyncJob |
Io TTwin Maker.1 |
|
AWS::IoTTwinMaker::Workspace |
Io TTwin Maker.2 |
|
Amazon IoT Wireless | AWS::IoTWireless::MulticastGroup |
Io TWireless .1 |
AWS::IoTWireless::ServiceProfile |
Io TWireless .2 |
|
AWS::IoTWireless::FuotaTask |
Io TWireless .3 |
|
Amazon Keyspaces(Apache Cassandra 兼容) | AWS::Cassandra::Keyspace |
密钥空间。1 |
Amazon Kinesis | AWS::Kinesis::Stream |
Kinesis.1 Kinesis.2 Kinesis.3 |
Amazon Key Management Service (Amazon KMS) | AWS::KMS::Alias |
S3.17 |
AWS::KMS::Key |
KMS.3 KMS.5 S3.17 |
|
Amazon Lambda | AWS::Lambda::Function |
Lambda.1 Lambda.2 Lambda.3 Lambda.5 Lambda.6 |
Amazon MSK | AWS::MSK::Cluster |
MSK.1 MSK.2 |
AWS::KafkaConnect::Connector |
MSK.3 |
|
Amazon MQ | AWS::AmazonMQ::Broker |
MQ.2 MQ.3 MQ.4 MQ.5 MQ.6 |
Amazon Network Firewall | AWS::NetworkFirewall::Firewall |
NetworkFirewall1. NetworkFirewall.7 NetworkFirewall.9 NetworkFirewall.10 |
AWS::NetworkFirewall::FirewallPolicy |
NetworkFirewall3. NetworkFirewall4. NetworkFirewall5. NetworkFirewall.8 |
|
AWS::NetworkFirewall::RuleGroup |
NetworkFirewall.6 |
|
亚马逊 OpenSearch 服务 | AWS::OpenSearch::Domain |
Opensearch.1 Opensearch.2 Opensearch.3 Opensearch.4 Opensearch.5 Opensearch.6 Opensearch.7 Opensearch.8 OpenSearch.9 Opensearch.10 Opensearch.11 |
Amazon Private CA | AWS::ACMPCA::CertificateAuthority |
PCA.2 |
Amazon Relational Database Service (Amazon RDS) | AWS::RDS::DBCluster |
DocumentDB.1 DocumentDB.2 DocumentDB.4 DocumentDB.5 Neptune.1 Neptune.2 Neptune.4 Neptune.5 Neptune.7 Neptune.8 Neptune.9 RDS.7 RDS.12 RDS.14 RDS.15 RDS.16 RDS.24 RDS.27 RDS.28 RDS.34 RDS.35 RDS.37 |
AWS::RDS::DBClusterSnapshot |
DocumentDB.3 Neptune.3 Neptune.6 RDS.1 RDS.4 RDS.29 |
|
AWS::RDS::DBInstance |
RDS.2 RDS.3 RDS.5 RDS.6 RDS.8 RDS.9 RDS.10 RDS.11 RDS.13 RDS.17 RDS.18 RDS.23 RDS.25 RDS.30 RDS.36 RDS.40 |
|
AWS::RDS::DBSecurityGroup |
RDS.31 |
|
AWS::RDS::DBSnapshot |
RDS.1 RDS.4 RDS.32 |
|
AWS::RDS::DBSubnetGroup |
RDS.33 |
|
AWS::RDS::EventSubscription |
RDS.19 RDS.20 RDS.21 RDS.22 |
|
Amazon Redshift | AWS::Redshift::Cluster |
Redshift.1 Redshift.2 Redshift.3 Redshift.4 Redshift.6 Redshift.7 Redshift.8 Redshift.9 Redshift.10 Redshift.11 |
AWS::Redshift::ClusterParameterGroup |
Redshift.2 Redshift.17 |
|
AWS::Redshift::ClusterSnapshot |
Redshift.13 |
|
AWS::Redshift::ClusterSubnetGroup |
Redshift.14 Redshift.16 |
|
AWS::Redshift::EventSubscription |
Redshift.12 |
|
Amazon Route 53 | AWS::Route53::HostedZone |
Route53.2 |
AWS::Route53::HealthCheck |
Route53.1 |
|
Amazon Simple Storage Service(Amazon S3) | AWS::S3::AccessPoint |
S3.19 |
AWS::S3::AccountPublicAccessBlock |
S3.2 S3.3 |
|
AWS::S3::Bucket |
CloudTrail.6 CloudTrail.7 S3.2 S3.3 S3.5 S3.6 S3.7 S3.8 S3.9 S3.10 S3.11 S3.12 S3.13 S3.14 S3.15 S3.17 S3.20 |
|
AWS::S3::MultiRegionAccessPoint |
S3.24 |
|
亚马逊 SageMaker AI | AWS::SageMaker::AppImageConfig
|
SageMaker.6 |
AWS::SageMaker::Image
|
SageMaker.7 |
|
AWS::SageMaker::Model
|
SageMaker5. |
|
AWS::SageMaker::NotebookInstance
|
SageMaker2. SageMaker3. |
|
Amazon Secrets Manager | AWS::SecretsManager::Secret
|
SecretsManager1. SecretsManager2. SecretsManager5. |
Amazon Service Catalog | AWS::ServiceCatalog::Portfolio
|
ServiceCatalog1. |
Amazon Simple Email Service(Amazon SES) | AWS::SES::ConfigurationSet
|
SES.2 |
AWS::SES::ContactList
|
SES.1 |
|
Amazon Simple Notification Service (Amazon SNS) | AWS::SNS::Topic
|
SNS.1 SNS.3 SNS.4 |
Amazon Simple Queue Service(Amazon SQS) | AWS::SQS::Queue
|
SQS.1 SQS.2 SQS.3 |
Amazon Step Functions | AWS::StepFunctions::StateMachine |
StepFunctions1. |
AWS::StepFunctions::Activity |
StepFunctions2. |
|
Amazon Systems Manager (SSM) | AWS::SSM::Document
|
SSM.5 |
Amazon Transfer Family | AWS::Transfer::Agreement |
转账。4 |
AWS::Transfer::Certificate |
转账.5 |
|
AWS::Transfer::Connector |
转账。3 转账。6 |
|
AWS::Transfer::Profile |
转账。7 |
|
AWS::Transfer::Workflow |
Transfer.1 |
|
Amazon WAF | AWS::WAF::Rule |
WAF.6 |
AWS::WAF::RuleGroup |
WAF.7 |
|
AWS::WAF::WebACL |
WAF.1 WAF.8 |
|
AWS::WAFRegional::Rule |
WAF.2 |
|
AWS::WAFRegional::RuleGroup |
WAF.3 |
|
AWS::WAFRegional::WebACL |
WAF.4 |
|
AWS::WAFv2::RuleGroup |
WAF.12 |
|
AWS::WAFv2::WebACL |
WAF.10 WAF.11 |
|
Amazon WorkSpaces | AWS::WorkSpaces::WorkSpace |
WorkSpaces1. WorkSpaces2. |
Amazon 基础安全最佳实践标准所需的资源
为了让 Security Hub CSPM 准确报告适用于 Amazon 基础安全最佳实践标准 (v.1.0.0)、已启用并使用 Amazon Config 规则的变更触发控制的结果,您必须在中记录以下类型的资源。 Amazon Config有关该标准的信息,请参见Amazon Security Hub CSPM 中的基础安全最佳实践标准。
Amazon Web Services 服务 | 资源类型 |
---|---|
Amazon API Gateway |
|
Amazon AppSync |
|
Amazon Backup |
|
Amazon Certificate Manager (ACM) |
|
Amazon CloudFormation |
|
Amazon CloudFront |
|
Amazon CodeBuild |
|
Amazon Cognito |
|
Amazon Connect |
|
Amazon DataSync |
|
Amazon Database Migration Service (Amazon DMS) |
|
Amazon DynamoDB |
|
亚马逊 S EC2 ystems Manager (SSM) |
|
亚马逊弹性计算云(亚马逊 EC2) |
|
Amazon A EC2 uto Scaling |
|
Amazon Elastic Container Registry(Amazon ECR) |
|
Amazon Elastic Container Service(Amazon ECS) |
|
Amazon Elastic File System(Amazon EFS) |
|
Amazon Elastic Kubernetes Service(Amazon EKS) |
|
Amazon Elastic Beanstalk |
|
Elastic Load Balancing |
|
ElasticSearch |
|
Amazon EMR |
|
Amazon Glue |
|
Amazon Identity and Access Management (IAM) |
|
Amazon Kinesis |
|
Amazon Key Management Service (Amazon KMS) |
|
Amazon Lambda |
|
Amazon Managed Streaming for Apache Kafka (Amazon MSK) |
|
Amazon Network Firewall |
|
亚马逊 OpenSearch 服务 |
|
Amazon Relational Database Service (Amazon RDS) |
|
Amazon Redshift |
|
Amazon Redshift Serverless |
|
Amazon Route 53 |
|
Amazon Simple Storage Service(Amazon S3) |
|
亚马逊 SageMaker AI |
|
Amazon Simple Notification Service (Amazon SNS) |
|
Amazon Simple Queue Service(Amazon SQS) |
|
Amazon Secrets Manager |
|
Amazon Step Functions |
|
Amazon Transfer Family |
|
Amazon WAF |
|
Amazon WorkSpaces |
|
独联体 Amazon 基金会基准测试所需的资源
要对适用于互联网安全中心 (CIS) Amazon 基金会基准测试的已启用控件进行安全检查,Security Hub CSPM 要么执行为检查规定的确切审计步骤,要么使用特定的 Amazon Config 托管规则。有关 Security Hub CSPM 中该标准的信息,请参阅。CIS Amazon 基金会在 Security Hub CSPM 中的基准
CIS v3.0.0 所需的资源
为了让 Security Hub CSPM 准确报告已启用 CIS v3.0.0 更改触发的使用 Amazon Config 规则的控件的调查结果,您必须在中记录以下类型的资源。 Amazon Config
Amazon Web Services 服务 | 资源类型 |
---|---|
亚马逊弹性计算云(亚马逊 EC2) |
|
Amazon Identity and Access Management (IAM) |
|
Amazon Relational Database Service(Amazon RDS) |
|
Amazon Simple Storage Service(Amazon S3) |
|
CIS v1.4.0 所需的 资源
为了让 Security Hub CSPM 准确报告已启用 CIS v1.4.0 更改触发的使用 Amazon Config 规则的控件的调查结果,您必须在中记录以下类型的资源。 Amazon Config
Amazon Web Services 服务 | 资源类型 |
---|---|
亚马逊弹性计算云(亚马逊 EC2) |
|
Amazon Identity and Access Management (IAM) |
|
Amazon Relational Database Service(Amazon RDS) |
|
Amazon Simple Storage Service(Amazon S3) |
|
CIS v1.2.0 所需的 资源
为了让 Security Hub CSPM 准确报告已启用 CIS v1.2.0 更改触发的使用 Amazon Config 规则的控件的调查结果,您必须在中记录以下类型的资源。 Amazon Config
Amazon Web Services 服务 | 资源类型 |
---|---|
亚马逊弹性计算云(亚马逊 EC2) |
|
Amazon Identity and Access Management (IAM) |
|
NIST SP 800-53 修订版 5 标准所需的资源
为了让 Security Hub CSPM 准确报告适用于 NIST SP 800-53 修订版 5 标准、已启用并使用 Amazon Config 规则的变更触发控制的结果,您必须在中记录以下类型的资源。 Amazon Config有关该标准的信息,请参见Security Hub CSPM 中的 NIST SP 800-53 修订版 5。
Amazon Web Services 服务 | 资源类型 |
---|---|
Amazon API Gateway |
|
Amazon AppSync |
|
Amazon Backup |
|
Amazon Certificate Manager (ACM) |
|
Amazon CloudFormation |
|
Amazon CloudFront |
|
Amazon CloudWatch |
|
Amazon CodeBuild |
|
Amazon Database Migration Service (Amazon DMS) |
|
Amazon DynamoDB |
|
亚马逊弹性计算云(亚马逊 EC2) |
|
Amazon A EC2 uto Scaling |
|
Amazon Elastic Container Registry(Amazon ECR) |
|
Amazon Elastic Container Service(Amazon ECS) |
|
Amazon Elastic File System(Amazon EFS) |
|
Amazon Elastic Kubernetes Service(Amazon EKS) |
|
Amazon Elastic Beanstalk |
|
Elastic Load Balancing |
|
Amazon ElasticSearch |
|
Amazon EMR |
|
Amazon EventBridge |
|
Amazon Glue |
|
Amazon Identity and Access Management (IAM) |
|
Amazon Key Management Service (Amazon KMS) |
|
Amazon Kinesis |
|
Amazon Lambda |
|
Amazon Managed Streaming for Apache Kafka (Amazon MSK) |
|
Amazon MQ |
|
Amazon Network Firewall |
|
亚马逊 OpenSearch 服务 |
|
Amazon Relational Database Service (Amazon RDS) |
|
Amazon Redshift |
|
Amazon Route 53 |
|
Amazon Simple Storage Service(Amazon S3) |
|
Amazon Service Catalog |
|
Amazon Simple Notification Service (Amazon SNS) |
|
Amazon Simple Queue Service(Amazon SQS) |
|
亚马逊 S EC2 ystems Manager (SSM) |
|
亚马逊 SageMaker AI |
|
Amazon Secrets Manager |
|
Amazon Transfer Family |
|
Amazon WAF |
|
NIST SP 800-171 修订版 2 标准所需的资源
为了让 Security Hub CSPM 准确报告适用于 NIST SP 800-171 修订版 2 标准、已启用并使用 Amazon Config 规则的变更触发控制的结果,您必须在中记录以下类型的资源。 Amazon Config有关该标准的信息,请参见Security Hub CSPM 中的 NIST SP 800-171 修订版 2。
Amazon Web Services 服务 | 资源类型 |
---|---|
Amazon Certificate Manager(ACM) |
|
Amazon API Gateway |
|
Amazon CloudFront |
|
Amazon CloudWatch |
|
亚马逊弹性计算云(亚马逊 EC2) |
|
Elastic Load Balancing |
|
Amazon Identity and Access Management(IAM) |
|
Amazon Key Management Service (Amazon KMS) |
|
Amazon Network Firewall |
|
亚马逊简单存储服务(亚马逊 S3) |
|
亚马逊简单通知服务(亚马逊 SNS) |
|
Amazon Systems Manager(SSM) |
|
Amazon WAF |
|
PCI DSS v3.2.1 所需的资源
为了让 Security Hub CSPM 准确报告适用于支付卡行业数据安全标准 (PCI DSS) v3.2.1、已启用、并使用 Amazon Config 规则的控件的调查结果,您必须在中记录以下类型的资源。 Amazon Config有关该标准的信息,请参见Security Hub CSPM 中的 PCI DSS。
Amazon Web Services 服务 | 资源类型 |
---|---|
Amazon CodeBuild |
|
亚马逊弹性计算云(亚马逊 EC2) |
|
Amazon A EC2 uto Scaling |
|
Amazon Identity and Access Management (IAM) |
|
Amazon Lambda |
|
亚马逊 OpenSearch 服务 |
|
Amazon Relational Database Service (Amazon RDS) |
|
Amazon Redshift |
|
Amazon Simple Storage Service(Amazon S3) |
|
亚马逊 S EC2 ystems Manager (SSM) |
|
资源标签标准所需的 Amazon 资源
所有适用于 Amazon 资源标记标准的控件都是触发变更的,并使用 Amazon Config 规则。为了让 Security Hub CSPM 准确报告这些控件的调查结果,您必须在中记录以下类型的资源。 Amazon Config有关该标准的信息,请参见Amazon Security Hub CSPM 中的资源标记标准。
Amazon Web Services 服务 | 资源类型 |
---|---|
Amazon Amplify |
|
Amazon AppFlow |
|
Amazon App Runner |
|
Amazon AppConfig |
|
Amazon AppSync |
|
Amazon Athena |
|
Amazon Backup |
|
Amazon Batch |
|
Amazon Certificate Manager (ACM) |
|
Amazon CloudFormation |
|
Amazon CloudFront |
|
Amazon CloudTrail |
|
Amazon CodeArtifact |
|
Amazon CodeGuru |
|
Amazon Connect |
|
Amazon Database Migration Service (Amazon DMS) |
|
Amazon DataSync |
|
Amazon Detective |
|
Amazon DynamoDB |
|
Amazon 弹性计算云 (EC2) |
|
Amazon A EC2 uto Scaling |
|
Amazon Elastic Container Registry(Amazon ECR) |
|
Amazon Elastic Container Service(Amazon ECS) |
|
Amazon Elastic File System(Amazon EFS) |
|
Amazon Elastic Kubernetes Service(Amazon EKS) |
|
Amazon Elastic Beanstalk |
|
ElasticSearch |
|
Amazon EventBridge |
|
Amazon Fraud Detector |
|
Amazon Global Accelerator |
|
Amazon Glue |
|
Amazon GuardDuty |
|
Amazon Identity and Access Management (IAM) |
|
Amazon Identity and Access Management Access Analyzer (IAM 访问分析器) |
|
Amazon IoT |
|
Amazon IoT 活动 |
|
Amazon IoT SiteWise |
|
Amazon IoT TwinMaker |
|
Amazon IoT 无线 |
|
Amazon Interactive Video Service (Amazon IVS) |
|
Amazon Keyspaces (for Apache Cassandra) |
|
Amazon Kinesis |
|
Amazon Lambda |
|
Amazon MQ |
|
Amazon Network Firewall |
|
亚马逊 OpenSearch 服务 |
|
Amazon Private Certificate Authority |
|
Amazon Relational Database Service |
|
Amazon Redshift |
|
Amazon Route 53 |
|
亚马逊 SageMaker AI |
|
Amazon Secrets Manager |
|
Amazon Simple Email Service(Amazon SES) |
|
Amazon Simple Notification Service (Amazon SNS) |
|
Amazon Simple Queue Service(Amazon SQS) |
|
Amazon Step Functions |
|
Amazon Systems Manager (SSM) |
|
Amazon Transfer Family |
|
Amazon Control Tower 服务管理标准所需的资源
为使 Security Hub CSPM 能够准确报告适用于 Amazon Control Tower 服务管理标准、已启用和使用 Amazon Config 规则的变更触发控制的结果,您必须在中记录以下类型的资源。 Amazon Config有关该标准的信息,请参见服务管理标准: Amazon Control Tower。
Amazon Web Services 服务 | 资源类型 |
---|---|
Amazon API Gateway |
|
Amazon Certificate Manager (ACM) |
|
Amazon CodeBuild |
|
Amazon DynamoDB |
|
Amazon 弹性计算云 (EC2) |
|
Amazon A EC2 uto Scaling |
|
Amazon Elastic Container Registry(Amazon ECR) |
|
Amazon Elastic Container Service(Amazon ECS) |
|
Amazon Elastic File System(Amazon EFS) |
|
Amazon EKS |
|
ElasticBeanstalk |
|
Elastic Load Balancing |
|
ElasticSearch |
|
Amazon Identity and Access Management (IAM) |
|
Amazon Key Management Service (Amazon KMS) |
|
Amazon Kinesis |
|
Amazon Lambda |
|
Amazon Network Firewall |
|
亚马逊 OpenSearch 服务 |
|
Amazon Relational Database Service (Amazon RDS) |
|
Amazon Redshift |
|
Amazon Simple Storage Service(Amazon S3) |
|
Amazon Simple Notification Service (Amazon SNS) |
|
Amazon Simple Queue Service(Amazon SQS) |
|
Amazon Secrets Manager |
|
亚马逊 S EC2 ystems Manager (SSM) |
|
Amazon WAF |
|