Le traduzioni sono generate tramite traduzione automatica. In caso di conflitto tra il contenuto di una traduzione e la versione originale in Inglese, quest'ultima prevarrà.
Esempi di risultati di controllo
Gli esempi seguenti forniscono esempi di risultati del controllo AWS Security Hub Cloud Security Posture Management (CSPM) nel AWS Security Finding Format (ASFF). Il contenuto dei risultati di controllo varia a seconda che siano stati abilitati o meno i risultati di controllo consolidati.
Se abiliti i risultati del controllo consolidato, Security Hub CSPM genera un singolo risultato per un controllo, anche se il controllo si applica a più standard abilitati. Se non abiliti questa funzionalità, Security Hub CSPM genera un risultato di controllo separato per ogni standard abilitato a cui si applica un controllo. Ad esempio, se si abilitano due standard e un controllo si applica a entrambi, si ottengono due risultati distinti per il controllo, uno per ogni standard. Se si abilitano i risultati del controllo consolidato, si riceve un solo risultato per il controllo. Per ulteriori informazioni, consulta Risultati di controllo consolidati.
Gli esempi in questa pagina forniscono esempi per entrambi gli scenari. Gli esempi includono: risultati di controllo per i singoli standard CSPM di Security Hub quando i risultati del controllo consolidato sono disabilitati e risultati di controllo per più standard CSPM di Security Hub quando i risultati del controllo consolidato sono abilitati.
Esempi di risultati del controllo
Esempi di risultati relativi allo standard AWS Foundational Security Best Practices
Risultati di esempio per CIS AWS Foundations Benchmark v3.0.0
Risultati di esempio per CIS AWS Foundations Benchmark v1.4.0
Risultati di esempio per CIS AWS Foundations Benchmark v1.2.0
Risultati di esempio per lo standard NIST SP 800-53 Revisione 5
Esempio di risultato per lo standard NIST SP 800-171 Revisione 2
Esempio di risultato per lo standard gestito dai AWS Control Tower servizi
Nota
I risultati del controllo fanno riferimento a campi e valori diversi nelle regioni e nelle AWS GovCloud (US) regioni della Cina. Per ulteriori informazioni, consulta Impatto del consolidamento sui campi e sui valori ASFF.
Esempi di risultati relativi allo standard AWS Foundational Security Best Practices
L'esempio seguente fornisce un esempio di risultato relativo a un controllo che si applica allo standard AWS Foundational Security Best Practices (FSBP). In questo esempio, i risultati del controllo consolidato sono disabilitati.
{ "SchemaVersion": "2018-10-08", "Id": "arn:aws:securityhub:us-east-2:123456789012:subscription/aws-foundational-security-best-practices/v/1.0.0/CloudTrail.2/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "ProductArn": "arn:aws:securityhub:us-east-2::product/aws/securityhub", "ProductName": "Security Hub CSPM", "CompanyName": "AWS", "Region": "us-east-2", "GeneratorId": "aws-foundational-security-best-practices/v/1.0.0/CloudTrail.2", "AwsAccountId": "123456789012", "Types": [ "Software and Configuration Checks/Industry and Regulatory Standards/AWS-Foundational-Security-Best-Practices" ], "FirstObservedAt": "2020-08-06T02:18:23.076Z", "LastObservedAt": "2021-09-28T16:10:06.956Z", "CreatedAt": "2020-08-06T02:18:23.076Z", "UpdatedAt": "2021-09-28T16:10:00.093Z", "Severity": { "Product": 40, "Label": "MEDIUM", "Normalized": 40, "Original": "MEDIUM" }, "Title": "CloudTrail.2 CloudTrail should have encryption at-rest enabled", "Description": "This AWS control checks whether AWS CloudTrail is configured to use the server side encryption (SSE) AWS Key Management Service (AWS KMS) customer master key (CMK) encryption. The check will pass if the KmsKeyId is defined.", "Remediation": { "Recommendation": { "Text": "For directions on how to correct this issue, consult the AWS Security Hub Cloud Security Posture Management (CSPM) controls documentation.", "Url": "https://docs.aws.amazon.com/console/securityhub/CloudTrail.2/remediation" } }, "ProductFields": { "StandardsArn": "arn:aws:securityhub:::standards/aws-foundational-security-best-practices/v/1.0.0", "StandardsSubscriptionArn": "arn:aws:securityhub:us-east-2:123456789012:subscription/aws-foundational-security-best-practices/v/1.0.0", "ControlId": "CloudTrail.2", "RecommendationUrl": "https://docs.aws.amazon.com/console/securityhub/CloudTrail.2/remediation", "Related AWS Resources:0/name": "securityhub-cloud-trail-encryption-enabled-fe95bf3f", "Related AWS Resources:0/type": "AWS::Config::ConfigRule", "StandardsControlArn": "arn:aws:securityhub:us-east-2:123456789012:control/aws-foundational-security-best-practices/v/1.0.0/CloudTrail.2", "aws/securityhub/ProductName": "Security Hub CSPM", "aws/securityhub/CompanyName": "AWS", "Resources:0/Id": "arn:aws:cloudtrail:us-east-2:123456789012:trail/AWS MacieTrail-DO-NOT-EDIT", "aws/securityhub/FindingId": "arn:aws:securityhub:us-east-2::product/aws/securityhub/arn:aws:securityhub:us-east-2:123456789012:subscription/aws-foundational-security-best-practices/v/1.0.0/CloudTrail.2/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111" }, "Resources": [ { "Type": "AwsCloudTrailTrail", "Id": "arn:aws:cloudtrail:us-east-2:123456789012:trail/AWS MacieTrail-DO-NOT-EDIT", "Partition": "aws", "Region": "us-east-2" } ], "Compliance": { "Status": "FAILED", "SecurityControlId": "CloudTrail.2", "AssociatedStandards": [{ "StandardsId": "standards/aws-foundation-best-practices/v/1.0.0" }] }, "WorkflowState": "NEW", "Workflow": { "Status": "NEW" }, "RecordState": "ACTIVE", "FindingProviderFields": { "Severity": { "Label": "MEDIUM", "Original": "MEDIUM" }, "Types": [ "Software and Configuration Checks/Industry and Regulatory Standards/AWS-Foundational-Security-Best-Practices" ] } }
Risultati di esempio per CIS AWS Foundations Benchmark v3.0.0
L'esempio seguente fornisce un esempio di risultato relativo a un controllo che si applica a CIS Foundations Benchmark v3.0.0. AWS In questo esempio, i risultati del controllo consolidato sono disabilitati.
{ "SchemaVersion": "2018-10-08", "Id": "arn:aws:securityhub:us-east-1:123456789012:subscription/cis-aws-foundations-benchmark/v/3.0.0/2.2.1/finding/38a89798-6819-4fae-861f-9cca8034602c", "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub", "ProductName": "Security Hub CSPM", "CompanyName": "AWS", "Region": "us-east-1", "GeneratorId": "cis-aws-foundations-benchmark/v/3.0.0/2.2.1", "AwsAccountId": "123456789012", "Types": [ "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" ], "FirstObservedAt": "2024-04-18T07:46:18.193Z", "LastObservedAt": "2024-04-23T07:47:01.137Z", "CreatedAt": "2024-04-18T07:46:18.193Z", "UpdatedAt": "2024-04-23T07:46:46.165Z", "Severity": { "Product": 40, "Label": "MEDIUM", "Normalized": 40, "Original": "MEDIUM" }, "Title": "2.2.1 EBS default encryption should be enabled", "Description": "Elastic Compute Cloud (EC2) supports encryption at rest when using the Elastic Block Store (EBS) service. While disabled by default, forcing encryption at EBS volume creation is supported.", "Remediation": { "Recommendation": { "Text": "For information on how to correct this issue, consult the AWS Security Hub Cloud Security Posture Management (CSPM) controls documentation.", "Url": "https://docs.aws.amazon.com/console/securityhub/EC2.7/remediation" } }, "ProductFields": { "StandardsArn": "arn:aws:securityhub:::standards/cis-aws-foundations-benchmark/v/3.0.0", "StandardsSubscriptionArn": "arn:aws:securityhub:us-east-1:123456789012:subscription/cis-aws-foundations-benchmark/v/3.0.0", "ControlId": "2.2.1", "RecommendationUrl": "https://docs.aws.amazon.com/console/securityhub/EC2.7/remediation", "RelatedAWSResources:0/name": "securityhub-ec2-ebs-encryption-by-default-2843ed9e", "RelatedAWSResources:0/type": "AWS::Config::ConfigRule", "StandardsControlArn": "arn:aws:securityhub:us-east-1:123456789012:control/cis-aws-foundations-benchmark/v/3.0.0/2.2.1", "aws/securityhub/ProductName": "Security Hub CSPM", "aws/securityhub/CompanyName": "AWS", "aws/securityhub/annotation": "EBS Encryption by default is not enabled.", "Resources:0/Id": "arn:aws:iam::123456789012:root", "aws/securityhub/FindingId": "arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:123456789012:subscription/cis-aws-foundations-benchmark/v/3.0.0/2.2.1/finding/38a89798-6819-4fae-861f-9cca8034602c" }, "Resources": [ { "Type": "AwsAccount", "Id": "AWS::::Account:123456789012", "Partition": "aws", "Region": "us-east-1" } ], "Compliance": { "Status": "FAILED", "RelatedRequirements": [ "CIS AWS Foundations Benchmark v3.0.0/2.2.1" ], "SecurityControlId": "EC2.7", "AssociatedStandards": [ { "StandardsId": "standards/cis-aws-foundations-benchmark/v/3.0.0" } ] }, "WorkflowState": "NEW", "Workflow": { "Status": "NEW" }, "RecordState": "ACTIVE", "FindingProviderFields": { "Severity": { "Label": "MEDIUM", "Original": "MEDIUM" }, "Types": [ "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" ] }, "ProcessedAt": "2024-04-23T07:47:07.088Z" }
Risultati di esempio per CIS AWS Foundations Benchmark v1.4.0
L'esempio seguente fornisce un esempio di risultato di un controllo che si applica a AWS CIS Foundations Benchmark v1.4.0. In questo esempio, i risultati del controllo consolidato sono disabilitati.
{ "SchemaVersion": "2018-10-08", "Id": "arn:aws:securityhub:us-east-1:123456789012:subscription/cis-aws-foundations-benchmark/v/1.4.0/3.7/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub", "ProductName": "Security Hub CSPM", "CompanyName": "AWS", "Region": "us-east-1", "GeneratorId": "cis-aws-foundations-benchmark/v/1.4.0/3.7", "AwsAccountId": "123456789012", "Types": [ "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" ], "FirstObservedAt": "2022-10-21T22:14:48.913Z", "LastObservedAt": "2022-12-22T22:24:56.980Z", "CreatedAt": "2022-10-21T22:14:48.913Z", "UpdatedAt": "2022-12-22T22:24:52.409Z", "Severity": { "Product": 40, "Label": "MEDIUM", "Normalized": 40, "Original": "MEDIUM" }, "Title": "3.7 Ensure CloudTrail logs are encrypted at rest using KMS CMKs", "Description": "AWS CloudTrail is a web service that records AWS API calls for an account and makes those logs available to users and resources in accordance with IAM policies. AWS Key Management Service (KMS) is a managed service that helps create and control the encryption keys used to encrypt account data, and uses Hardware Security Modules (HSMs) to protect the security of encryption keys. CloudTrail logs can be configured to leverage server side encryption (SSE) and AWS KMS customer created master keys (CMK) to further protect CloudTrail logs. It is recommended that CloudTrail be configured to use SSE-KMS.", "Remediation": { "Recommendation": { "Text": "For directions on how to correct this issue, consult the AWS Security Hub Cloud Security Posture Management (CSPM) controls documentation.", "Url": "https://docs.aws.amazon.com/console/securityhub/CloudTrail.2/remediation" } }, "ProductFields": { "StandardsArn": "arn:aws:securityhub:::standards/cis-aws-foundations-benchmark/v/1.4.0", "StandardsSubscriptionArn": "arn:aws:securityhub:us-east-1:123456789012:subscription/cis-aws-foundations-benchmark/v/1.4.0", "ControlId": "3.7", "RecommendationUrl": "https://docs.aws.amazon.com/console/securityhub/CloudTrail.2/remediation", "RelatedAWSResources:0/name": "securityhub-cloud-trail-encryption-enabled-855f82d1", "RelatedAWSResources:0/type": "AWS::Config::ConfigRule", "StandardsControlArn": "arn:aws:securityhub:us-east-1:123456789012:control/cis-aws-foundations-benchmark/v/1.4.0/3.7", "aws/securityhub/ProductName": "Security Hub CSPM", "aws/securityhub/CompanyName": "AWS", "Resources:0/Id": "arn:aws:cloudtrail:us-west-2:123456789012:trail/AWS MacieTrail-DO-NOT-EDIT", "aws/securityhub/FindingId": "arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:123456789012:subscription/cis-aws-foundations-benchmark/v/1.4.0/3.7/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111" }, "Resources": [ { "Type": "AwsCloudTrailTrail", "Id": "arn:aws:cloudtrail:us-west-2:123456789012:trail/AWS MacieTrail-DO-NOT-EDIT", "Partition": "aws", "Region": "us-east-1" } ], "Compliance": { "Status": "FAILED", "RelatedRequirements": [ "CIS AWS Foundations Benchmark v1.4.0/3.7" ], "SecurityControlId": "CloudTrail.2", "AssociatedStandards": [{ "StandardsId": "standards/cis-aws-foundations-benchmark/v/1.4.0" }] }, "WorkflowState": "NEW", "Workflow": { "Status": "NEW" }, "RecordState": "ACTIVE", "FindingProviderFields": { "Severity": { "Label": "MEDIUM", "Original": "MEDIUM" }, "Types": [ "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" ] } }
Risultati di esempio per CIS AWS Foundations Benchmark v1.2.0
L'esempio seguente fornisce un esempio di risultato relativo a un controllo che si applica a AWS CIS Foundations Benchmark v1.2.0. In questo esempio, i risultati del controllo consolidato sono disabilitati.
{ "SchemaVersion": "2018-10-08", "Id": "arn:aws:securityhub:us-east-2:123456789012:subscription/cis-aws-foundations-benchmark/v/1.2.0/2.7/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "ProductArn": "arn:aws:securityhub:us-east-2::product/aws/securityhub", "ProductName": "Security Hub CSPM", "CompanyName": "AWS", "Region": "us-east-2", "GeneratorId": "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/2.7", "AwsAccountId": "123456789012", "Types": [ "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" ], "FirstObservedAt": "2020-08-29T04:10:06.337Z", "LastObservedAt": "2021-09-28T16:10:05.350Z", "CreatedAt": "2020-08-29T04:10:06.337Z", "UpdatedAt": "2021-09-28T16:10:00.087Z", "Severity": { "Product": 40, "Label": "MEDIUM", "Normalized": 40, "Original": "MEDIUM" }, "Title": "2.7 Ensure CloudTrail logs are encrypted at rest using KMS CMKs", "Description": "AWS Key Management Service (KMS) is a managed service that helps create and control the encryption keys used to encrypt account data, and uses Hardware Security Modules (HSMs) to protect the security of encryption keys. CloudTrail logs can be configured to leverage server side encryption (SSE) and KMS customer created master keys (CMK) to further protect CloudTrail logs. It is recommended that CloudTrail be configured to use SSE-KMS.", "Remediation": { "Recommendation": { "Text": "For directions on how to correct this issue, consult the AWS Security Hub Cloud Security Posture Management (CSPM) controls documentation.", "Url": "https://docs.aws.amazon.com/console/securityhub/CloudTrail.2/remediation" } }, "ProductFields": { "StandardsGuideArn": "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0", "StandardsGuideSubscriptionArn": "arn:aws:securityhub:us-east-2:123456789012:subscription/cis-aws-foundations-benchmark/v/1.2.0", "RuleId": "2.7", "RecommendationUrl": "https://docs.aws.amazon.com/console/securityhub/CloudTrail.2/remediation", "Related AWS Resources:0/name": "securityhub-cloud-trail-encryption-enabled-fe95bf3f", "Related AWS Resources:0/type": "AWS::Config::ConfigRule", "StandardsControlArn": "arn:aws:securityhub:us-east-2:123456789012:control/cis-aws-foundations-benchmark/v/1.2.0/2.7", "aws/securityhub/ProductName": "Security Hub CSPM", "aws/securityhub/CompanyName": "AWS", "Resources:0/Id": "arn:aws:cloudtrail:us-east-2:123456789012:trail/AWS MacieTrail-DO-NOT-EDIT", "aws/securityhub/FindingId": "arn:aws:securityhub:us-east-2::product/aws/securityhub/arn:aws:securityhub:us-east-2:123456789012:subscription/cis-aws-foundations-benchmark/v/1.2.0/2.7/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111" }, "Resources": [ { "Type": "AwsCloudTrailTrail", "Id": "arn:aws:cloudtrail:us-east-2:123456789012:trail/AWS MacieTrail-DO-NOT-EDIT", "Partition": "aws", "Region": "us-east-2" } ], "Compliance": { "Status": "FAILED", "SecurityControlId": "CloudTrail.2", "AssociatedStandards": [{ "StandardsId": "ruleset/cis-aws-foundations-benchmark/v/1.2.0" }] }, "WorkflowState": "NEW", "Workflow": { "Status": "NEW" }, "RecordState": "ACTIVE", "FindingProviderFields": { "Severity": { "Label": "MEDIUM", "Original": "MEDIUM" }, "Types": [ "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" ] } }
Risultati di esempio per lo standard NIST SP 800-53 Revisione 5
L'esempio seguente fornisce un esempio di risultato relativo a un controllo che si applica allo standard NIST SP 800-53 Revisione 5. In questo esempio, i risultati del controllo consolidato sono disabilitati.
{ "SchemaVersion": "2018-10-08", "Id": "arn:aws:securityhub:us-east-1:123456789012:subscription/nist-800-53/v/5.0.0/CloudTrail.2/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub", "ProductName": "Security Hub CSPM", "CompanyName": "AWS", "Region": "us-east-1", "GeneratorId": "nist-800-53/v/5.0.0/CloudTrail.2", "AwsAccountId": "123456789012", "Types": [ "Software and Configuration Checks/Industry and Regulatory Standards" ], "FirstObservedAt": "2023-02-17T14:22:46.726Z", "LastObservedAt": "2023-02-17T14:22:50.846Z", "CreatedAt": "2023-02-17T14:22:46.726Z", "UpdatedAt": "2023-02-17T14:22:46.726Z", "Severity": { "Product": 40, "Label": "MEDIUM", "Normalized": 40, "Original": "MEDIUM" }, "Title": "CloudTrail.2 CloudTrail should have encryption at-rest enabled", "Description": "This AWS control checks whether AWS CloudTrail is configured to use the server side encryption (SSE) AWS Key Management Service (AWS KMS) customer master key (CMK) encryption. The check will pass if the KmsKeyId is defined.", "Remediation": { "Recommendation": { "Text": "For directions on how to fix this issue, consult the AWS Security Hub Cloud Security Posture Management (CSPM) NIST 800-53 R5 documentation.", "Url": "https://docs.aws.amazon.com/console/securityhub/CloudTrail.2/remediation" } }, "ProductFields": { "StandardsArn": "arn:aws:securityhub:::standards/nist-800-53/v/5.0.0", "StandardsSubscriptionArn": "arn:aws:securityhub:us-east-1:123456789012:subscription/nist-800-53/v/5.0.0", "ControlId": "CloudTrail.2", "RecommendationUrl": "https://docs.aws.amazon.com/console/securityhub/CloudTrail.9/remediation", "RelatedAWSResources:0/name": "securityhub-cloud-trail-encryption-enabled-fe95bf3f", "RelatedAWSResources:0/type": "AWS::Config::ConfigRule", "StandardsControlArn": "arn:aws:securityhub:us-east-2:123456789012:control/aws-foundational-security-best-practices/v/1.0.0/CloudTrail.2", "aws/securityhub/ProductName": "Security Hub CSPM", "aws/securityhub/CompanyName": "AWS", "Resources:0/Id": "arn:aws:cloudtrail:us-west-2:123456789012:trail/AWS MacieTrail-DO-NOT-EDIT", "aws/securityhub/FindingId": "arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:123456789012:subscription/nist-800-53/v/5.0.0/CloudTrail.2/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111" }, "Resources": [ { "Type": "AwsCloudTrailTrail", "Id": "arn:aws:cloudtrail:us-east-1:123456789012:trail/AWS MacieTrail-DO-NOT-EDIT", "Partition": "aws", "Region": "us-east-1" } ], "Compliance": { "Status": "FAILED", "RelatedRequirements": [ "NIST.800-53.r5 AU-9", "NIST.800-53.r5 CA-9(1)", "NIST.800-53.r5 CM-3(6)", "NIST.800-53.r5 SC-13", "NIST.800-53.r5 SC-28", "NIST.800-53.r5 SC-28(1)", "NIST.800-53.r5 SC-7(10)", "NIST.800-53.r5 SI-7(6)" ], "SecurityControlId": "CloudTrail.2", "AssociatedStandards": [ { "StandardsId": "standards/nist-800-53/v/5.0.0" } ] }, "WorkflowState": "NEW", "Workflow": { "Status": "NEW" }, "RecordState": "ACTIVE", "FindingProviderFields": { "Severity": { "Label": "MEDIUM", "Original": "MEDIUM" }, "Types": [ "Software and Configuration Checks/Industry and Regulatory Standards" ] }, "ProcessedAt": "2023-02-17T14:22:53.572Z" }
Esempio di risultato per lo standard NIST SP 800-171 Revisione 2
L'esempio seguente fornisce un esempio di risultato relativo a un controllo che si applica allo standard NIST SP 800-171 Revisione 2. In questo esempio, i risultati del controllo consolidato sono disabilitati.
{ "SchemaVersion": "2018-10-08", "Id": "arn:aws:securityhub:us-east-1:123456789012:subscription/nist-800-171/v/2.0.0/CloudTrail.2/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub", "ProductName": "Security Hub", "CompanyName": "AWS", "Region": "us-east-1", "GeneratorId": "nist-800-171/v/2.0.0/CloudTrail.2", "AwsAccountId": "123456789012", "AwsAccountName": "TestAcct", "Types": [ "Software and Configuration Checks/Industry and Regulatory Standards" ], "FirstObservedAt": "2025-05-29T05:23:58.690Z", "LastObservedAt": "2025-05-30T05:50:11.898Z", "CreatedAt": "2025-05-29T05:24:24.772Z", "UpdatedAt": "2025-05-30T05:50:34.292Z", "Severity": { "Product": 40, "Label": "MEDIUM", "Normalized": 40, "Original": "MEDIUM" }, "Title": "CloudTrail.2 CloudTrail should have encryption at-rest enabled", "Description": "This AWS control checks whether AWS CloudTrail is configured to use the server side encryption (SSE) AWS Key Management Service (AWS KMS) customer master key (CMK) encryption. The check will pass if the KmsKeyId is defined.", "Remediation": { "Recommendation": { "Text": "For information on how to correct this issue, consult the AWS Security Hub Cloud Security Posture Management (CSPM) controls documentation.", "Url": "https://docs.aws.amazon.com/console/securityhub/CloudTrail.2/remediation" } }, "ProductFields": { "StandardsArn": "arn:aws:securityhub:::standards/nist-800-171/v/2.0.0", "StandardsSubscriptionArn": "arn:aws:securityhub:us-east-1:123456789012:subscription/nist-800-171/v/2.0.0", "ControlId": "CloudTrail.2", "RecommendationUrl": "https://docs.aws.amazon.com/console/securityhub/CloudTrail.2/remediation", "RelatedAWSResources:0/name": "securityhub-cloud-trail-encryption-enabled-0ab1c2d4", "RelatedAWSResources:0/type": "AWS::Config::ConfigRule", "StandardsControlArn": "arn:aws:securityhub:us-east-1:123456789012:control/nist-800-171/v/2.0.0/CloudTrail.2", "aws/securityhub/ProductName": "Security Hub", "aws/securityhub/CompanyName": "AWS", "Resources:0/Id": "arn:aws:cloudtrail:ca-central-1:123456789012:trail/aws-BaselineCloudTrail", "aws/securityhub/FindingId": "arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:123456789012:subscription/nist-800-171/v/2.0.0/CloudTrail.2/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111" }, "Resources": [ { "Id": "arn:aws:cloudtrail:ca-central-1:123456789012:trail/aws-BaselineCloudTrail", "Partition": "aws", "Region": "us-east-1", "Type": "AwsCloudTrailTrail" } ], "Compliance": { "Status": "FAILED", "SecurityControlId": "CloudTrail.2", "RelatedRequirements": [ "NIST.800-171.r2/3.3.8" ], "AssociatedStandards": [ { "StandardsId": "standards/nist-800-171/v/2.0.0" } ] }, "Workflow": { "Status": "NEW" }, "WorkflowState": "NEW", "RecordState": "ACTIVE", "FindingProviderFields": { "Types": [ "Software and Configuration Checks/Industry and Regulatory Standards" ], "Severity": { "Product": 40, "Label": "MEDIUM", "Normalized": 40, "Original": "MEDIUM" } }, "ProcessedAt": "2025-05-30T05:50:40.297Z" }
Esempio di risultato relativo allo standard di sicurezza dei dati del settore delle carte di pagamento v3.2.1
L'esempio seguente fornisce un esempio di risultato relativo a un controllo che si applica al Payment Card Industry Data Security Standard (PCI DSS) v3.2.1. In questo esempio, i risultati del controllo consolidato sono disabilitati.
{ "SchemaVersion": "2018-10-08", "Id": "arn:aws:securityhub:us-east-2:123456789012:subscription/pci-dss/v/3.2.1/PCI.CloudTrail.1/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "ProductArn": "arn:aws:securityhub:us-east-2::product/aws/securityhub", "ProductName": "Security Hub CSPM", "CompanyName": "AWS", "Region": "us-east-2", "GeneratorId": "pci-dss/v/3.2.1/PCI.CloudTrail.1", "AwsAccountId": "123456789012", "Types": [ "Software and Configuration Checks/Industry and Regulatory Standards/PCI-DSS" ], "FirstObservedAt": "2020-08-06T02:18:23.089Z", "LastObservedAt": "2021-09-28T16:10:06.942Z", "CreatedAt": "2020-08-06T02:18:23.089Z", "UpdatedAt": "2021-09-28T16:10:00.090Z", "Severity": { "Product": 40, "Label": "MEDIUM", "Normalized": 40, "Original": "MEDIUM" }, "Title": "PCI.CloudTrail.1 CloudTrail logs should be encrypted at rest using AWS KMS CMKs", "Description": "This AWS control checks whether AWS CloudTrail is configured to use the server side encryption (SSE) AWS Key Management Service (AWS KMS) customer master key (CMK) encryption by checking if the KmsKeyId is defined.", "Remediation": { "Recommendation": { "Text": "For directions on how to correct this issue, consult the AWS Security Hub Cloud Security Posture Management (CSPM) controls documentation.", "Url": "https://docs.aws.amazon.com/console/securityhub/CloudTrail.2/remediation" } }, "ProductFields": { "StandardsArn": "arn:aws:securityhub:::standards/pci-dss/v/3.2.1", "StandardsSubscriptionArn": "arn:aws:securityhub:us-east-2:123456789012:subscription/pci-dss/v/3.2.1", "ControlId": "PCI.CloudTrail.1", "RecommendationUrl": "https://docs.aws.amazon.com/console/securityhub/CloudTrail.2/remediation", "Related AWS Resources:0/name": "securityhub-cloud-trail-encryption-enabled-fe95bf3f", "Related AWS Resources:0/type": "AWS::Config::ConfigRule", "StandardsControlArn": "arn:aws:securityhub:us-east-2:123456789012:control/pci-dss/v/3.2.1/PCI.CloudTrail.1", "aws/securityhub/ProductName": "Security Hub CSPM", "aws/securityhub/CompanyName": "AWS", "Resources:0/Id": "arn:aws:cloudtrail:us-east-2:123456789012:trail/AWS MacieTrail-DO-NOT-EDIT", "aws/securityhub/FindingId": "arn:aws:securityhub:us-east-2::product/aws/securityhub/arn:aws:securityhub:us-east-2:123456789012:subscription/pci-dss/v/3.2.1/PCI.CloudTrail.1/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111" }, "Resources": [ { "Type": "AwsCloudTrailTrail", "Id": "arn:aws:cloudtrail:us-east-2:123456789012:trail/AWS MacieTrail-DO-NOT-EDIT", "Partition": "aws", "Region": "us-east-2" } ], "Compliance": { "Status": "FAILED", "RelatedRequirements": [ "PCI DSS 3.4" ], "SecurityControlId": "CloudTrail.2", "AssociatedStandards": [{ "StandardsId": "standards/pci-dss/v/3.2.1" }] }, "WorkflowState": "NEW", "Workflow": { "Status": "NEW" }, "RecordState": "ACTIVE", "FindingProviderFields": { "Severity": { "Label": "MEDIUM", "Original": "MEDIUM" }, "Types": [ "Software and Configuration Checks/Industry and Regulatory Standards/PCI-DSS" ] } }
Esempio di risultato per lo standard AWS Resource Tagging
L'esempio seguente fornisce un esempio di ricerca di un controllo che si applica allo standard AWS Resource Tagging. In questo esempio, i risultati del controllo consolidato sono disabilitati.
{ "SchemaVersion": "2018-10-08", "Id": "arn:aws:securityhub:eu-central-1:123456789012:security-control/EC2.44/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "ProductArn": "arn:aws:securityhub:eu-central-1::product/aws/securityhub", "ProductName": "Security Hub CSPM", "CompanyName": "AWS", "Region": "eu-central-1", "GeneratorId": "security-control/EC2.44", "AwsAccountId": "123456789012", "Types": [ "Software and Configuration Checks/Industry and Regulatory Standards" ], "FirstObservedAt": "2024-02-19T21:00:32.206Z", "LastObservedAt": "2024-04-29T13:01:57.861Z", "CreatedAt": "2024-02-19T21:00:32.206Z", "UpdatedAt": "2024-04-29T13:01:41.242Z", "Severity": { "Label": "LOW", "Normalized": 1, "Original": "LOW" }, "Title": "EC2 subnets should be tagged", "Description": "This control checks whether an Amazon EC2 subnet has tags with the specific keys defined in the parameter requiredTagKeys. The control fails if the subnet doesn't have any tag keys or if it doesn't have all the keys specified in the parameter requiredTagKeys. If the parameter requiredTagKeys isn't provided, the control only checks for the existence of a tag key and fails if the subnet isn't tagged with any key. System tags, which are automatically applied and begin with aws:, are ignored.", "Remediation": { "Recommendation": { "Text": "For information on how to correct this issue, consult the AWS Security Hub Cloud Security Posture Management (CSPM) controls documentation.", "Url": "https://docs.aws.amazon.com/console/securityhub/EC2.44/remediation" } }, "ProductFields": { "RelatedAWSResources:0/name": "securityhub-tagged-ec2-subnet-6ceafede", "RelatedAWSResources:0/type": "AWS::Config::ConfigRule", "aws/securityhub/ProductName": "Security Hub CSPM", "aws/securityhub/CompanyName": "AWS", "aws/securityhub/annotation": "No tags are present.", "Resources:0/Id": "arn:aws:ec2:eu-central-1:123456789012:subnet/subnet-1234567890abcdef0", "aws/securityhub/FindingId": "arn:aws:securityhub:eu-central-1::product/aws/securityhub/arn:aws:securityhub:eu-central-1:123456789012:security-control/EC2.44/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111" }, "Resources": [ { "Type": "AwsEc2Subnet", "Id": "arn:aws:ec2:eu-central-1:123456789012:subnet/subnet-1234567890abcdef0", "Partition": "aws", "Region": "eu-central-1", "Details": { "AwsEc2Subnet": { "AssignIpv6AddressOnCreation": false, "AvailabilityZone": "eu-central-1b", "AvailabilityZoneId": "euc1-az3", "AvailableIpAddressCount": 4091, "CidrBlock": "10.24.34.0/23", "DefaultForAz": true, "MapPublicIpOnLaunch": true, "OwnerId": "123456789012", "State": "available", "SubnetArn": "arn:aws:ec2:eu-central-1:123456789012:subnet/subnet-1234567890abcdef0", "SubnetId": "subnet-1234567890abcdef0", "VpcId": "vpc-021345abcdef6789" } } } ], "Compliance": { "Status": "FAILED", "SecurityControlId": "EC2.44", "AssociatedStandards": [ { "StandardsId": "standards/aws-resource-tagging-standard/v/1.0.0" } ], "SecurityControlParameters": [ { "Name": "requiredTagKeys", "Value": [ "peepoo" ] } ], }, "WorkflowState": "NEW", "Workflow": { "Status": "NEW" }, "RecordState": "ACTIVE", "FindingProviderFields": { "Severity": { "Label": "LOW", "Original": "LOW" }, "Types": [ "Software and Configuration Checks/Industry and Regulatory Standards" ] }, "ProcessedAt": "2024-04-29T13:02:03.259Z" }
Esempio di risultato per lo standard gestito dai AWS Control Tower servizi
L'esempio seguente fornisce un esempio di risultato relativo a un controllo che si applica allo standard gestito dai AWS Control Tower servizi. In questo esempio, i risultati del controllo consolidato sono disabilitati.
{ "SchemaVersion": "2018-10-08", "Id": "arn:aws:securityhub:us-east-1:123456789012:subscription/service-managed-aws-control-tower/v/1.0.0/CloudTrail.2/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub", "ProductName": "Security Hub CSPM", "CompanyName": "AWS", "Region": "us-east-1", "GeneratorId": "service-managed-aws-control-tower/v/1.0.0/CloudTrail.2", "AwsAccountId": "123456789012", "Types": [ "Software and Configuration Checks/Industry and Regulatory Standards" ], "FirstObservedAt": "2022-11-17T01:25:30.296Z", "LastObservedAt": "2022-11-17T01:25:45.805Z", "CreatedAt": "2022-11-17T01:25:30.296Z", "UpdatedAt": "2022-11-17T01:25:30.296Z", "Severity": { "Product": 40, "Label": "MEDIUM", "Normalized": 40, "Original": "MEDIUM" }, "Title": "CT.CloudTrail.2 CloudTrail should have encryption at-rest enabled", "Description": "This AWS control checks whether AWS CloudTrail is configured to use the server side encryption (SSE) AWS Key Management Service (AWS KMS) customer master key (CMK) encryption. The check will pass if the KmsKeyId is defined.", "Remediation": { "Recommendation": { "Text": "For information on how to correct this issue, consult the AWS Security Hub Cloud Security Posture Management (CSPM) controls documentation.", "Url": "https://docs.aws.amazon.com/console/securityhub/CloudTrail.2/remediation" } }, "ProductFields": { "StandardsArn": "arn:aws:securityhub:::standards/service-managed-aws-control-tower/v/1.0.0", "StandardsSubscriptionArn": "arn:aws:securityhub:us-east-1:123456789012:subscription/service-managed-aws-control-tower/v/1.0.0", "ControlId": "CT.CloudTrail.2", "RecommendationUrl": "https://docs.aws.amazon.com/console/securityhub/CloudTrail.2/remediation", "RelatedAWSResources:0/name": "securityhub-cloud-trail-encryption-enabled-fe95bf3f", "RelatedAWSResources:0/type": "AWS::Config::ConfigRule", "StandardsControlArn": "arn:aws:securityhub:us-east-1:123456789012:control/service-managed-aws-control-tower/v/1.0.0/CloudTrail.2", "aws/securityhub/ProductName": "Security Hub CSPM", "aws/securityhub/CompanyName": "AWS", "Resources:0/Id": "arn:aws:cloudtrail:us-east-2:123456789012:trail/AWSMacieTrail-DO-NOT-EDIT", "aws/securityhub/FindingId": "arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:123456789012:subscription/service-managed-aws-control-tower/v/1.0.0/CloudTrail.2/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111" }, "Resources": [ { "Type": "AwsAccount", "Id": "AWS::::Account:123456789012", "Partition": "aws", "Region": "us-east-1" } ], "Compliance": { "Status": "FAILED", "SecurityControlId": "CloudTrail.2", "AssociatedStandards": [{ "StandardsId": "standards/service-managed-aws-control-tower/v/1.0.0" }] }, "WorkflowState": "NEW", "Workflow": { "Status": "NEW" }, "RecordState": "ACTIVE", "FindingProviderFields": { "Severity": { "Label": "MEDIUM", "Original": "MEDIUM" }, "Types": [ "Software and Configuration Checks/Industry and Regulatory Standards" ] } }
Esempio di risultato consolidato per più standard
L'esempio seguente fornisce un esempio di risultato relativo a un controllo che si applica a più standard abilitati. In questo esempio, i risultati del controllo consolidato sono abilitati.
{ "SchemaVersion": "2018-10-08", "Id": "arn:aws:securityhub:us-east-1:123456789012:security-control/CloudTrail.2/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub", "ProductName": "Security Hub", "CompanyName": "AWS", "Region": "us-east-1", "GeneratorId": "security-control/CloudTrail.2", "AwsAccountId": "123456789012", "Types": [ "Software and Configuration Checks/Industry and Regulatory Standards" ], "FirstObservedAt": "2024-08-09T14:57:04.521Z", "LastObservedAt": "2025-05-30T03:30:17.407Z", "CreatedAt": "2024-08-09T14:57:04.521Z", "UpdatedAt": "2025-05-30T03:30:32.781Z", "Severity": { "Label": "MEDIUM", "Normalized": 40, "Original": "MEDIUM" }, "Title": "CloudTrail should have encryption at-rest enabled", "Description": "This AWS control checks whether AWS CloudTrail is configured to use the server side encryption (SSE) AWS Key Management Service (AWS KMS) customer master key (CMK) encryption. The check will pass if the KmsKeyId is defined.", "Remediation": { "Recommendation": { "Text": "For information on how to correct this issue, consult the AWS Security Hub Cloud Security Posture Management (CSPM) controls documentation.", "Url": "https://docs.aws.amazon.com/console/securityhub/CloudTrail.2/remediation" } }, "ProductFields": { "RelatedAWSResources:0/name": "securityhub-cloud-trail-encryption-enabled-01a2b345", "RelatedAWSResources:0/type": "AWS::Config::ConfigRule", "aws/securityhub/ProductName": "Security Hub", "aws/securityhub/CompanyName": "AWS", "Resources:0/Id": "arn:aws:cloudtrail:us-east-1:123456789012:trail/TestTrail-DO-NOT-DELETE", "aws/securityhub/FindingId": "arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:123456789012:security-control/CloudTrail.2/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111" }, "Resources": [ { "Type": "AwsCloudTrailTrail", "Id": "arn:aws:cloudtrail:us-east-1:123456789012:trail/TestTrail-DO-NOT-DELETE", "Partition": "aws", "Region": "us-east-1", "Details": { "AwsCloudTrailTrail": { "HasCustomEventSelectors": false, "IncludeGlobalServiceEvents": true, "LogFileValidationEnabled": true, "HomeRegion": "us-east-1", "IsMultiRegionTrail": true, "S3BucketName": "cloudtrail-awslogs-do-not-delete", "IsOrganizationTrail": false, "Name": "TestTrail-DO-NOT-DELETE" } } } ], "Compliance": { "Status": "FAILED", "SecurityControlId": "CloudTrail.2", "RelatedRequirements": [ "CIS AWS Foundations Benchmark v1.2.0/2.7", "CIS AWS Foundations Benchmark v1.4.0/3.7", "CIS AWS Foundations Benchmark v3.0.0/3.5", "NIST.800-171.r2/3.3.8", "PCI DSS v3.2.1/3.4", "PCI DSS v4.0.1/10.3.2" ], "AssociatedStandards": [ { "StandardsId": "ruleset/cis-aws-foundations-benchmark/v/1.2.0"}, { "StandardsId": "standards/aws-foundational-security-best-practices/v/1.0.0"}, { "StandardsId": "standards/cis-aws-foundations-benchmark/v/1.4.0"}, { "StandardsId": "standards/cis-aws-foundations-benchmark/v/3.0.0"}, { "StandardsId": "standards/nist-800-171/v/2.0.0"}, { "StandardsId": "standards/pci-dss/v/3.2.1"}, { "StandardsId": "standards/pci-dss/v/4.0.1"} ] }, "Workflow": { "Status": "NEW" }, "WorkflowState": "NEW", "RecordState": "ACTIVE", "FindingProviderFields": { "Types": [ "Software and Configuration Checks/Industry and Regulatory Standards" ], "Severity": { "Normalized": 40, "Label": "MEDIUM", "Original": "MEDIUM" } }, "ProcessedAt": "2025-05-30T03:31:00.831Z" }
