기계 번역으로 제공되는 번역입니다. 제공된 번역과 원본 영어의 내용이 상충하는 경우에는 영어 버전이 우선합니다.
제어 조사 결과 샘플
다음 샘플은 AWS Security Hub CSPM 제어 조사 결과의 예를 AWS Security Finding Format(ASFF)으로 제공합니다. 제어 조사 결과의 내용은 통합 제어 조사 결과를 활성화했는지 여부에 따라 달라집니다.
통합 제어 조사 결과를 활성화하면 Security Hub CSPM은 제어가 여러 활성화된 표준에 포함되어 있더라도 제어에 대한 단일 조사 결과를 생성합니다. 이 기능을 활성화하지 않으면 Security Hub CSPM은 제어가 적용되는 활성화된 표준 각각에 대해 별도의 제어 조사 결과를 생성합니다. 예를 들어 2개의 표준을 활성화하고 두 표준 모두에 제어가 적용되는 경우 각 표준에 대해 하나씩 2개의 개별 제어 조사 결과를 수신하게 됩니다. 통합 제어 조사 결과를 활성화하면 해당 제어에 대해 하나의 조사 결과만 수신됩니다. 자세한 내용은 통합 제어 조사 결과 섹션을 참조하세요.
이 페이지의 샘플은 두 시나리오 모두의 예를 제공합니다. 샘플에는 통합 제어 조사 결과가 비활성화된 경우 개별 Security Hub CSPM 표준에 대한 제어 조사 결과와 통합 제어 조사 결과가 활성화된 경우 여러 Security Hub CSPM 표준에 대한 제어 조사 결과가 포함됩니다.
제어 조사 결과 샘플
참고
제어 조사 결과는 중국 리전 및 AWS GovCloud (US) 리전의 다양한 필드 및 값을 참조합니다. 자세한 내용은 ASFF 필드 및 값에 대한 통합의 영향 섹션을 참조하세요.
AWS 기본 보안 모범 사례 표준에 대한 샘플 조사 결과
다음 샘플은 AWS 기본 보안 모범 사례(FSBP) 표준에 적용되는 제어에 대한 조사 결과의 예를 제공합니다. 이 샘플에서는 통합 제어 조사 결과가 비활성화되어 있습니다.
{ "SchemaVersion": "2018-10-08", "Id": "arn:aws:securityhub:us-east-2:123456789012:subscription/aws-foundational-security-best-practices/v/1.0.0/CloudTrail.2/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "ProductArn": "arn:aws:securityhub:us-east-2::product/aws/securityhub", "ProductName": "Security Hub CSPM", "CompanyName": "AWS", "Region": "us-east-2", "GeneratorId": "aws-foundational-security-best-practices/v/1.0.0/CloudTrail.2", "AwsAccountId": "123456789012", "Types": [ "Software and Configuration Checks/Industry and Regulatory Standards/AWS-Foundational-Security-Best-Practices" ], "FirstObservedAt": "2020-08-06T02:18:23.076Z", "LastObservedAt": "2021-09-28T16:10:06.956Z", "CreatedAt": "2020-08-06T02:18:23.076Z", "UpdatedAt": "2021-09-28T16:10:00.093Z", "Severity": { "Product": 40, "Label": "MEDIUM", "Normalized": 40, "Original": "MEDIUM" }, "Title": "CloudTrail.2 CloudTrail should have encryption at-rest enabled", "Description": "This AWS control checks whether AWS CloudTrail is configured to use the server side encryption (SSE) AWS Key Management Service (AWS KMS) customer master key (CMK) encryption. The check will pass if the KmsKeyId is defined.", "Remediation": { "Recommendation": { "Text": "For directions on how to correct this issue, consult the AWS Security Hub CSPM controls documentation.", "Url": "https://docs.aws.amazon.com/console/securityhub/CloudTrail.2/remediation" } }, "ProductFields": { "StandardsArn": "arn:aws:securityhub:::standards/aws-foundational-security-best-practices/v/1.0.0", "StandardsSubscriptionArn": "arn:aws:securityhub:us-east-2:123456789012:subscription/aws-foundational-security-best-practices/v/1.0.0", "ControlId": "CloudTrail.2", "RecommendationUrl": "https://docs.aws.amazon.com/console/securityhub/CloudTrail.2/remediation", "RelatedAWSResources:0/name": "securityhub-cloud-trail-encryption-enabled-fe95bf3f", "RelatedAWSResources:0/type": "AWS::Config::ConfigRule", "StandardsControlArn": "arn:aws:securityhub:us-east-2:123456789012:control/aws-foundational-security-best-practices/v/1.0.0/CloudTrail.2", "aws/securityhub/ProductName": "Security Hub CSPM", "aws/securityhub/CompanyName": "AWS", "Resources:0/Id": "arn:aws:cloudtrail:us-east-2:123456789012:trail/AWSMacieTrail-DO-NOT-EDIT", "aws/securityhub/FindingId": "arn:aws:securityhub:us-east-2::product/aws/securityhub/arn:aws:securityhub:us-east-2:123456789012:subscription/aws-foundational-security-best-practices/v/1.0.0/CloudTrail.2/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111" }, "Resources": [ { "Type": "AwsCloudTrailTrail", "Id": "arn:aws:cloudtrail:us-east-2:123456789012:trail/AWSMacieTrail-DO-NOT-EDIT", "Partition": "aws", "Region": "us-east-2" } ], "Compliance": { "Status": "FAILED", "SecurityControlId": "CloudTrail.2", "AssociatedStandards": [{ "StandardsId": "standards/aws-foundation-best-practices/v/1.0.0" }] }, "WorkflowState": "NEW", "Workflow": { "Status": "NEW" }, "RecordState": "ACTIVE", "FindingProviderFields": { "Severity": { "Label": "MEDIUM", "Original": "MEDIUM" }, "Types": [ "Software and Configuration Checks/Industry and Regulatory Standards/AWS-Foundational-Security-Best-Practices" ] } }
CIS AWS Foundations Benchmark v5.0.0에 대한 샘플 조사 결과
다음 샘플은 CIS AWS Foundations Benchmark v5.0.0에 적용되는 제어에 대한 조사 결과의 예를 제공합니다. 이 샘플에서는 통합 제어 조사 결과가 비활성화되어 있습니다.
{ "AwsAccountId": "123456789012", "CompanyName": "AWS", "Compliance": { "Status": "FAILED", "SecurityControlId": "EC2.7", "RelatedRequirements": [ "CIS AWS Foundations Benchmark v5.0.0/5.1.1" ], "AssociatedStandards": [ { "StandardsId": "standards/cis-aws-foundations-benchmark/v/5.0.0" } ] }, "CreatedAt": "2025-10-10T17:04:00.952Z", "Description": "Elastic Compute Cloud (EC2) supports encryption at rest when using the Elastic Block Store (EBS) service. While disabled by default, forcing encryption at EBS volume creation is supported.", "FindingProviderFields": { "Types": [ "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" ], "Severity": { "Normalized": 40, "Label": "MEDIUM", "Product": 40, "Original": "MEDIUM" } }, "FirstObservedAt": "2025-10-10T17:03:57.895Z", "GeneratorId": "cis-aws-foundations-benchmark/v/5.0.0/5.1.1", "Id": "arn:aws:securityhub:us-west-1:123456789012:subscription/cis-aws-foundations-benchmark/v/5.0.0/5.1.1/finding/443a9d3f-8a59-4fa0-8e2c-EXAMPLE111", "LastObservedAt": "2025-10-14T05:22:28.667Z", "ProcessedAt": "2025-10-14T05:22:50.099Z", "ProductArn": "arn:aws:securityhub:us-west-1::product/aws/securityhub", "ProductFields": { "StandardsArn": "arn:aws:securityhub:::standards/cis-aws-foundations-benchmark/v/5.0.0", "StandardsSubscriptionArn": "arn:aws:securityhub:us-west-1:123456789012:subscription/cis-aws-foundations-benchmark/v/5.0.0", "ControlId": "5.1.1", "RecommendationUrl": "https://docs.aws.amazon.com/console/securityhub/EC2.7/remediation", "RelatedAWSResources:0/name": "securityhub-ec2-ebs-encryption-by-default-2a99554f", "RelatedAWSResources:0/type": "AWS::Config::ConfigRule", "StandardsControlArn": "arn:aws:securityhub:us-west-1:123456789012:control/cis-aws-foundations-benchmark/v/5.0.0/5.1.1", "aws/securityhub/ProductName": "Security Hub CSPM", "aws/securityhub/CompanyName": "AWS", "aws/securityhub/annotation": "EBS Encryption by default is not enabled.", "Resources:0/Id": "arn:aws:iam::123456789012:root", "aws/securityhub/FindingId": "arn:aws:securityhub:us-west-1::product/aws/securityhub/arn:aws:securityhub:us-west-1:123456789012:subscription/cis-aws-foundations-benchmark/v/5.0.0/5.1.1/finding/443a9d3f-8a59-4fa0-8e2c-EXAMPLE111", "PreviousComplianceStatus": "FAILED" }, "ProductName": "Security Hub CSPM", "RecordState": "ACTIVE", "Region": "us-west-1", "Remediation": { "Recommendation": { "Text": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.", "Url": "https://docs.aws.amazon.com/console/securityhub/EC2.7/remediation" } }, "Resources": [ { "Id": "AWS::::Account:123456789012", "Partition": "aws", "Region": "us-west-1", "Type": "AwsAccount" } ], "SchemaVersion": "2018-10-08", "Severity": { "Label": "MEDIUM", "Normalized": 40, "Original": "MEDIUM", "Product": 40 }, "Title": "5.1.1 EBS default encryption should be enabled", "Types": [ "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" ], "UpdatedAt": "2025-10-14T05:22:38.671Z", "Workflow": { "Status": "NEW" }, "WorkflowState": "NEW" }
CIS AWS Foundations Benchmark v3.0.0에 대한 샘플 조사 결과
다음 샘플은 CIS AWS Foundations Benchmark v3.0.0에 적용되는 제어에 대한 조사 결과의 예를 제공합니다. 이 샘플에서는 통합 제어 조사 결과가 비활성화되어 있습니다.
{ "SchemaVersion": "2018-10-08", "Id": "arn:aws:securityhub:us-east-1:123456789012:subscription/cis-aws-foundations-benchmark/v/3.0.0/2.2.1/finding/38a89798-6819-4fae-861f-9cca8034602c", "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub", "ProductName": "Security Hub CSPM", "CompanyName": "AWS", "Region": "us-east-1", "GeneratorId": "cis-aws-foundations-benchmark/v/3.0.0/2.2.1", "AwsAccountId": "123456789012", "Types": [ "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" ], "FirstObservedAt": "2024-04-18T07:46:18.193Z", "LastObservedAt": "2024-04-23T07:47:01.137Z", "CreatedAt": "2024-04-18T07:46:18.193Z", "UpdatedAt": "2024-04-23T07:46:46.165Z", "Severity": { "Product": 40, "Label": "MEDIUM", "Normalized": 40, "Original": "MEDIUM" }, "Title": "2.2.1 EBS default encryption should be enabled", "Description": "Elastic Compute Cloud (EC2) supports encryption at rest when using the Elastic Block Store (EBS) service. While disabled by default, forcing encryption at EBS volume creation is supported.", "Remediation": { "Recommendation": { "Text": "For information on how to correct this issue, consult the AWS Security Hub CSPM controls documentation.", "Url": "https://docs.aws.amazon.com/console/securityhub/EC2.7/remediation" } }, "ProductFields": { "StandardsArn": "arn:aws:securityhub:::standards/cis-aws-foundations-benchmark/v/3.0.0", "StandardsSubscriptionArn": "arn:aws:securityhub:us-east-1:123456789012:subscription/cis-aws-foundations-benchmark/v/3.0.0", "ControlId": "2.2.1", "RecommendationUrl": "https://docs.aws.amazon.com/console/securityhub/EC2.7/remediation", "RelatedAWSResources:0/name": "securityhub-ec2-ebs-encryption-by-default-2843ed9e", "RelatedAWSResources:0/type": "AWS::Config::ConfigRule", "StandardsControlArn": "arn:aws:securityhub:us-east-1:123456789012:control/cis-aws-foundations-benchmark/v/3.0.0/2.2.1", "aws/securityhub/ProductName": "Security Hub CSPM", "aws/securityhub/CompanyName": "AWS", "aws/securityhub/annotation": "EBS Encryption by default is not enabled.", "Resources:0/Id": "arn:aws:iam::123456789012:root", "aws/securityhub/FindingId": "arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:123456789012:subscription/cis-aws-foundations-benchmark/v/3.0.0/2.2.1/finding/38a89798-6819-4fae-861f-9cca8034602c" }, "Resources": [ { "Type": "AwsAccount", "Id": "AWS::::Account:123456789012", "Partition": "aws", "Region": "us-east-1" } ], "Compliance": { "Status": "FAILED", "RelatedRequirements": [ "CIS AWS Foundations Benchmark v3.0.0/2.2.1" ], "SecurityControlId": "EC2.7", "AssociatedStandards": [ { "StandardsId": "standards/cis-aws-foundations-benchmark/v/3.0.0" } ] }, "WorkflowState": "NEW", "Workflow": { "Status": "NEW" }, "RecordState": "ACTIVE", "FindingProviderFields": { "Severity": { "Label": "MEDIUM", "Original": "MEDIUM" }, "Types": [ "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" ] }, "ProcessedAt": "2024-04-23T07:47:07.088Z" }
CIS AWS Foundations Benchmark v1.4.0 v1.4.0에 대한 샘플 조사 결과
다음 샘플은 CIS AWS Foundations Benchmark v1.4.0에 적용되는 제어에 대한 조사 결과의 예를 제공합니다. 이 샘플에서는 통합 제어 조사 결과가 비활성화되어 있습니다.
{ "SchemaVersion": "2018-10-08", "Id": "arn:aws:securityhub:us-east-1:123456789012:subscription/cis-aws-foundations-benchmark/v/1.4.0/3.7/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub", "ProductName": "Security Hub CSPM", "CompanyName": "AWS", "Region": "us-east-1", "GeneratorId": "cis-aws-foundations-benchmark/v/1.4.0/3.7", "AwsAccountId": "123456789012", "Types": [ "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" ], "FirstObservedAt": "2022-10-21T22:14:48.913Z", "LastObservedAt": "2022-12-22T22:24:56.980Z", "CreatedAt": "2022-10-21T22:14:48.913Z", "UpdatedAt": "2022-12-22T22:24:52.409Z", "Severity": { "Product": 40, "Label": "MEDIUM", "Normalized": 40, "Original": "MEDIUM" }, "Title": "3.7 Ensure CloudTrail logs are encrypted at rest using KMS CMKs", "Description": "AWS CloudTrail is a web service that records AWS API calls for an account and makes those logs available to users and resources in accordance with IAM policies. AWS Key Management Service (KMS) is a managed service that helps create and control the encryption keys used to encrypt account data, and uses Hardware Security Modules (HSMs) to protect the security of encryption keys. CloudTrail logs can be configured to leverage server side encryption (SSE) and AWS KMS customer created master keys (CMK) to further protect CloudTrail logs. It is recommended that CloudTrail be configured to use SSE-KMS.", "Remediation": { "Recommendation": { "Text": "For directions on how to correct this issue, consult the AWS Security Hub CSPM controls documentation.", "Url": "https://docs.aws.amazon.com/console/securityhub/CloudTrail.2/remediation" } }, "ProductFields": { "StandardsArn": "arn:aws:securityhub:::standards/cis-aws-foundations-benchmark/v/1.4.0", "StandardsSubscriptionArn": "arn:aws:securityhub:us-east-1:123456789012:subscription/cis-aws-foundations-benchmark/v/1.4.0", "ControlId": "3.7", "RecommendationUrl": "https://docs.aws.amazon.com/console/securityhub/CloudTrail.2/remediation", "RelatedAWSResources:0/name": "securityhub-cloud-trail-encryption-enabled-855f82d1", "RelatedAWSResources:0/type": "AWS::Config::ConfigRule", "StandardsControlArn": "arn:aws:securityhub:us-east-1:123456789012:control/cis-aws-foundations-benchmark/v/1.4.0/3.7", "aws/securityhub/ProductName": "Security Hub CSPM", "aws/securityhub/CompanyName": "AWS", "Resources:0/Id": "arn:aws:cloudtrail:us-west-2:123456789012:trail/AWSMacieTrail-DO-NOT-EDIT", "aws/securityhub/FindingId": "arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:123456789012:subscription/cis-aws-foundations-benchmark/v/1.4.0/3.7/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111" }, "Resources": [ { "Type": "AwsCloudTrailTrail", "Id": "arn:aws:cloudtrail:us-west-2:123456789012:trail/AWSMacieTrail-DO-NOT-EDIT", "Partition": "aws", "Region": "us-east-1" } ], "Compliance": { "Status": "FAILED", "RelatedRequirements": [ "CIS AWS Foundations Benchmark v1.4.0/3.7" ], "SecurityControlId": "CloudTrail.2", "AssociatedStandards": [{ "StandardsId": "standards/cis-aws-foundations-benchmark/v/1.4.0" }] }, "WorkflowState": "NEW", "Workflow": { "Status": "NEW" }, "RecordState": "ACTIVE", "FindingProviderFields": { "Severity": { "Label": "MEDIUM", "Original": "MEDIUM" }, "Types": [ "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" ] } }
CIS AWS Foundations Benchmark v1.2.0에 대한 샘플 조사 결과
다음 샘플은 CIS AWS Foundations Benchmark v1.2.0에 적용되는 제어에 대한 조사 결과의 예를 제공합니다. 이 샘플에서는 통합 제어 조사 결과가 비활성화되어 있습니다.
{ "SchemaVersion": "2018-10-08", "Id": "arn:aws:securityhub:us-east-2:123456789012:subscription/cis-aws-foundations-benchmark/v/1.2.0/2.7/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "ProductArn": "arn:aws:securityhub:us-east-2::product/aws/securityhub", "ProductName": "Security Hub CSPM", "CompanyName": "AWS", "Region": "us-east-2", "GeneratorId": "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/2.7", "AwsAccountId": "123456789012", "Types": [ "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" ], "FirstObservedAt": "2020-08-29T04:10:06.337Z", "LastObservedAt": "2021-09-28T16:10:05.350Z", "CreatedAt": "2020-08-29T04:10:06.337Z", "UpdatedAt": "2021-09-28T16:10:00.087Z", "Severity": { "Product": 40, "Label": "MEDIUM", "Normalized": 40, "Original": "MEDIUM" }, "Title": "2.7 Ensure CloudTrail logs are encrypted at rest using KMS CMKs", "Description": "AWS Key Management Service (KMS) is a managed service that helps create and control the encryption keys used to encrypt account data, and uses Hardware Security Modules (HSMs) to protect the security of encryption keys. CloudTrail logs can be configured to leverage server side encryption (SSE) and KMS customer created master keys (CMK) to further protect CloudTrail logs. It is recommended that CloudTrail be configured to use SSE-KMS.", "Remediation": { "Recommendation": { "Text": "For directions on how to correct this issue, consult the AWS Security Hub CSPM controls documentation.", "Url": "https://docs.aws.amazon.com/console/securityhub/CloudTrail.2/remediation" } }, "ProductFields": { "StandardsGuideArn": "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0", "StandardsGuideSubscriptionArn": "arn:aws:securityhub:us-east-2:123456789012:subscription/cis-aws-foundations-benchmark/v/1.2.0", "RuleId": "2.7", "RecommendationUrl": "https://docs.aws.amazon.com/console/securityhub/CloudTrail.2/remediation", "RelatedAWSResources:0/name": "securityhub-cloud-trail-encryption-enabled-fe95bf3f", "RelatedAWSResources:0/type": "AWS::Config::ConfigRule", "StandardsControlArn": "arn:aws:securityhub:us-east-2:123456789012:control/cis-aws-foundations-benchmark/v/1.2.0/2.7", "aws/securityhub/ProductName": "Security Hub CSPM", "aws/securityhub/CompanyName": "AWS", "Resources:0/Id": "arn:aws:cloudtrail:us-east-2:123456789012:trail/AWSMacieTrail-DO-NOT-EDIT", "aws/securityhub/FindingId": "arn:aws:securityhub:us-east-2::product/aws/securityhub/arn:aws:securityhub:us-east-2:123456789012:subscription/cis-aws-foundations-benchmark/v/1.2.0/2.7/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111" }, "Resources": [ { "Type": "AwsCloudTrailTrail", "Id": "arn:aws:cloudtrail:us-east-2:123456789012:trail/AWSMacieTrail-DO-NOT-EDIT", "Partition": "aws", "Region": "us-east-2" } ], "Compliance": { "Status": "FAILED", "SecurityControlId": "CloudTrail.2", "AssociatedStandards": [{ "StandardsId": "ruleset/cis-aws-foundations-benchmark/v/1.2.0" }] }, "WorkflowState": "NEW", "Workflow": { "Status": "NEW" }, "RecordState": "ACTIVE", "FindingProviderFields": { "Severity": { "Label": "MEDIUM", "Original": "MEDIUM" }, "Types": [ "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark" ] } }
NIST SP 800-53 개정 5 표준에 대한 샘플 조사 결과
다음 샘플은 NIST SP 800-53 개정 5 표준에 적용되는 제어에 대한 조사 결과의 예를 제공합니다. 이 샘플에서는 통합 제어 조사 결과가 비활성화되어 있습니다.
{ "SchemaVersion": "2018-10-08", "Id": "arn:aws:securityhub:us-east-1:123456789012:subscription/nist-800-53/v/5.0.0/CloudTrail.2/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub", "ProductName": "Security Hub CSPM", "CompanyName": "AWS", "Region": "us-east-1", "GeneratorId": "nist-800-53/v/5.0.0/CloudTrail.2", "AwsAccountId": "123456789012", "Types": [ "Software and Configuration Checks/Industry and Regulatory Standards" ], "FirstObservedAt": "2023-02-17T14:22:46.726Z", "LastObservedAt": "2023-02-17T14:22:50.846Z", "CreatedAt": "2023-02-17T14:22:46.726Z", "UpdatedAt": "2023-02-17T14:22:46.726Z", "Severity": { "Product": 40, "Label": "MEDIUM", "Normalized": 40, "Original": "MEDIUM" }, "Title": "CloudTrail.2 CloudTrail should have encryption at-rest enabled", "Description": "This AWS control checks whether AWS CloudTrail is configured to use the server side encryption (SSE) AWS Key Management Service (AWS KMS) customer master key (CMK) encryption. The check will pass if the KmsKeyId is defined.", "Remediation": { "Recommendation": { "Text": "For directions on how to fix this issue, consult the AWS Security Hub CSPM NIST 800-53 R5 documentation.", "Url": "https://docs.aws.amazon.com/console/securityhub/CloudTrail.2/remediation" } }, "ProductFields": { "StandardsArn": "arn:aws:securityhub:::standards/nist-800-53/v/5.0.0", "StandardsSubscriptionArn": "arn:aws:securityhub:us-east-1:123456789012:subscription/nist-800-53/v/5.0.0", "ControlId": "CloudTrail.2", "RecommendationUrl": "https://docs.aws.amazon.com/console/securityhub/CloudTrail.9/remediation", "RelatedAWSResources:0/name": "securityhub-cloud-trail-encryption-enabled-fe95bf3f", "RelatedAWSResources:0/type": "AWS::Config::ConfigRule", "StandardsControlArn": "arn:aws:securityhub:us-east-2:123456789012:control/aws-foundational-security-best-practices/v/1.0.0/CloudTrail.2", "aws/securityhub/ProductName": "Security Hub CSPM", "aws/securityhub/CompanyName": "AWS", "Resources:0/Id": "arn:aws:cloudtrail:us-west-2:123456789012:trail/AWSMacieTrail-DO-NOT-EDIT", "aws/securityhub/FindingId": "arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:123456789012:subscription/nist-800-53/v/5.0.0/CloudTrail.2/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111" }, "Resources": [ { "Type": "AwsCloudTrailTrail", "Id": "arn:aws:cloudtrail:us-east-1:123456789012:trail/AWSMacieTrail-DO-NOT-EDIT", "Partition": "aws", "Region": "us-east-1" } ], "Compliance": { "Status": "FAILED", "RelatedRequirements": [ "NIST.800-53.r5 AU-9", "NIST.800-53.r5 CA-9(1)", "NIST.800-53.r5 CM-3(6)", "NIST.800-53.r5 SC-13", "NIST.800-53.r5 SC-28", "NIST.800-53.r5 SC-28(1)", "NIST.800-53.r5 SC-7(10)", "NIST.800-53.r5 SI-7(6)" ], "SecurityControlId": "CloudTrail.2", "AssociatedStandards": [ { "StandardsId": "standards/nist-800-53/v/5.0.0" } ] }, "WorkflowState": "NEW", "Workflow": { "Status": "NEW" }, "RecordState": "ACTIVE", "FindingProviderFields": { "Severity": { "Label": "MEDIUM", "Original": "MEDIUM" }, "Types": [ "Software and Configuration Checks/Industry and Regulatory Standards" ] }, "ProcessedAt": "2023-02-17T14:22:53.572Z" }
NIST SP 800-171 개정 2 표준에 대한 샘플 조사 결과
다음 샘플은 NIST SP 800-171 개정 2 표준에 적용되는 제어에 대한 조사 결과의 예를 제공합니다. 이 샘플에서는 통합 제어 조사 결과가 비활성화되어 있습니다.
{ "SchemaVersion": "2018-10-08", "Id": "arn:aws:securityhub:us-east-1:123456789012:subscription/nist-800-171/v/2.0.0/CloudTrail.2/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub", "ProductName": "Security Hub", "CompanyName": "AWS", "Region": "us-east-1", "GeneratorId": "nist-800-171/v/2.0.0/CloudTrail.2", "AwsAccountId": "123456789012", "AwsAccountName": "TestAcct", "Types": [ "Software and Configuration Checks/Industry and Regulatory Standards" ], "FirstObservedAt": "2025-05-29T05:23:58.690Z", "LastObservedAt": "2025-05-30T05:50:11.898Z", "CreatedAt": "2025-05-29T05:24:24.772Z", "UpdatedAt": "2025-05-30T05:50:34.292Z", "Severity": { "Product": 40, "Label": "MEDIUM", "Normalized": 40, "Original": "MEDIUM" }, "Title": "CloudTrail.2 CloudTrail should have encryption at-rest enabled", "Description": "This AWS control checks whether AWS CloudTrail is configured to use the server side encryption (SSE) AWS Key Management Service (AWS KMS) customer master key (CMK) encryption. The check will pass if the KmsKeyId is defined.", "Remediation": { "Recommendation": { "Text": "For information on how to correct this issue, consult the AWS Security Hub CSPM controls documentation.", "Url": "https://docs.aws.amazon.com/console/securityhub/CloudTrail.2/remediation" } }, "ProductFields": { "StandardsArn": "arn:aws:securityhub:::standards/nist-800-171/v/2.0.0", "StandardsSubscriptionArn": "arn:aws:securityhub:us-east-1:123456789012:subscription/nist-800-171/v/2.0.0", "ControlId": "CloudTrail.2", "RecommendationUrl": "https://docs.aws.amazon.com/console/securityhub/CloudTrail.2/remediation", "RelatedAWSResources:0/name": "securityhub-cloud-trail-encryption-enabled-0ab1c2d4", "RelatedAWSResources:0/type": "AWS::Config::ConfigRule", "StandardsControlArn": "arn:aws:securityhub:us-east-1:123456789012:control/nist-800-171/v/2.0.0/CloudTrail.2", "aws/securityhub/ProductName": "Security Hub", "aws/securityhub/CompanyName": "AWS", "Resources:0/Id": "arn:aws:cloudtrail:ca-central-1:123456789012:trail/aws-BaselineCloudTrail", "aws/securityhub/FindingId": "arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:123456789012:subscription/nist-800-171/v/2.0.0/CloudTrail.2/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111" }, "Resources": [ { "Id": "arn:aws:cloudtrail:ca-central-1:123456789012:trail/aws-BaselineCloudTrail", "Partition": "aws", "Region": "us-east-1", "Type": "AwsCloudTrailTrail" } ], "Compliance": { "Status": "FAILED", "SecurityControlId": "CloudTrail.2", "RelatedRequirements": [ "NIST.800-171.r2/3.3.8" ], "AssociatedStandards": [ { "StandardsId": "standards/nist-800-171/v/2.0.0" } ] }, "Workflow": { "Status": "NEW" }, "WorkflowState": "NEW", "RecordState": "ACTIVE", "FindingProviderFields": { "Types": [ "Software and Configuration Checks/Industry and Regulatory Standards" ], "Severity": { "Product": 40, "Label": "MEDIUM", "Normalized": 40, "Original": "MEDIUM" } }, "ProcessedAt": "2025-05-30T05:50:40.297Z" }
PCI DSS v3.2.1에 대한 샘플 조사 결과
다음 샘플은 PCI DSS(지불 카드 산업 데이터 보안 표준) v3.2.1에 적용되는 제어에 대한 조사 결과의 예를 제공합니다. 이 샘플에서는 통합 제어 조사 결과가 비활성화되어 있습니다.
{ "SchemaVersion": "2018-10-08", "Id": "arn:aws:securityhub:us-east-2:123456789012:subscription/pci-dss/v/3.2.1/PCI.CloudTrail.1/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "ProductArn": "arn:aws:securityhub:us-east-2::product/aws/securityhub", "ProductName": "Security Hub CSPM", "CompanyName": "AWS", "Region": "us-east-2", "GeneratorId": "pci-dss/v/3.2.1/PCI.CloudTrail.1", "AwsAccountId": "123456789012", "Types": [ "Software and Configuration Checks/Industry and Regulatory Standards/PCI-DSS" ], "FirstObservedAt": "2020-08-06T02:18:23.089Z", "LastObservedAt": "2021-09-28T16:10:06.942Z", "CreatedAt": "2020-08-06T02:18:23.089Z", "UpdatedAt": "2021-09-28T16:10:00.090Z", "Severity": { "Product": 40, "Label": "MEDIUM", "Normalized": 40, "Original": "MEDIUM" }, "Title": "PCI.CloudTrail.1 CloudTrail logs should be encrypted at rest using AWS KMS CMKs", "Description": "This AWS control checks whether AWS CloudTrail is configured to use the server side encryption (SSE) AWS Key Management Service (AWS KMS) customer master key (CMK) encryption by checking if the KmsKeyId is defined.", "Remediation": { "Recommendation": { "Text": "For directions on how to correct this issue, consult the AWS Security Hub CSPM controls documentation.", "Url": "https://docs.aws.amazon.com/console/securityhub/CloudTrail.2/remediation" } }, "ProductFields": { "StandardsArn": "arn:aws:securityhub:::standards/pci-dss/v/3.2.1", "StandardsSubscriptionArn": "arn:aws:securityhub:us-east-2:123456789012:subscription/pci-dss/v/3.2.1", "ControlId": "PCI.CloudTrail.1", "RecommendationUrl": "https://docs.aws.amazon.com/console/securityhub/CloudTrail.2/remediation", "RelatedAWSResources:0/name": "securityhub-cloud-trail-encryption-enabled-fe95bf3f", "RelatedAWSResources:0/type": "AWS::Config::ConfigRule", "StandardsControlArn": "arn:aws:securityhub:us-east-2:123456789012:control/pci-dss/v/3.2.1/PCI.CloudTrail.1", "aws/securityhub/ProductName": "Security Hub CSPM", "aws/securityhub/CompanyName": "AWS", "Resources:0/Id": "arn:aws:cloudtrail:us-east-2:123456789012:trail/AWSMacieTrail-DO-NOT-EDIT", "aws/securityhub/FindingId": "arn:aws:securityhub:us-east-2::product/aws/securityhub/arn:aws:securityhub:us-east-2:123456789012:subscription/pci-dss/v/3.2.1/PCI.CloudTrail.1/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111" }, "Resources": [ { "Type": "AwsCloudTrailTrail", "Id": "arn:aws:cloudtrail:us-east-2:123456789012:trail/AWSMacieTrail-DO-NOT-EDIT", "Partition": "aws", "Region": "us-east-2" } ], "Compliance": { "Status": "FAILED", "RelatedRequirements": [ "PCI DSS 3.4" ], "SecurityControlId": "CloudTrail.2", "AssociatedStandards": [{ "StandardsId": "standards/pci-dss/v/3.2.1" }] }, "WorkflowState": "NEW", "Workflow": { "Status": "NEW" }, "RecordState": "ACTIVE", "FindingProviderFields": { "Severity": { "Label": "MEDIUM", "Original": "MEDIUM" }, "Types": [ "Software and Configuration Checks/Industry and Regulatory Standards/PCI-DSS" ] } }
AWS 리소스 태그 지정 표준에 대한 샘플 조사 결과
다음 샘플은 AWS 리소스 태그 지정 표준에 적용되는 제어에 대한 조사 결과의 예를 제공합니다. 이 샘플에서는 통합 제어 조사 결과가 비활성화되어 있습니다.
{ "SchemaVersion": "2018-10-08", "Id": "arn:aws:securityhub:eu-central-1:123456789012:security-control/EC2.44/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "ProductArn": "arn:aws:securityhub:eu-central-1::product/aws/securityhub", "ProductName": "Security Hub CSPM", "CompanyName": "AWS", "Region": "eu-central-1", "GeneratorId": "security-control/EC2.44", "AwsAccountId": "123456789012", "Types": [ "Software and Configuration Checks/Industry and Regulatory Standards" ], "FirstObservedAt": "2024-02-19T21:00:32.206Z", "LastObservedAt": "2024-04-29T13:01:57.861Z", "CreatedAt": "2024-02-19T21:00:32.206Z", "UpdatedAt": "2024-04-29T13:01:41.242Z", "Severity": { "Label": "LOW", "Normalized": 1, "Original": "LOW" }, "Title": "EC2 subnets should be tagged", "Description": "This control checks whether an Amazon EC2 subnet has tags with the specific keys defined in the parameter requiredTagKeys. The control fails if the subnet doesn't have any tag keys or if it doesn't have all the keys specified in the parameter requiredTagKeys. If the parameter requiredTagKeys isn't provided, the control only checks for the existence of a tag key and fails if the subnet isn't tagged with any key. System tags, which are automatically applied and begin with aws:, are ignored.", "Remediation": { "Recommendation": { "Text": "For information on how to correct this issue, consult the AWS Security Hub CSPM controls documentation.", "Url": "https://docs.aws.amazon.com/console/securityhub/EC2.44/remediation" } }, "ProductFields": { "RelatedAWSResources:0/name": "securityhub-tagged-ec2-subnet-6ceafede", "RelatedAWSResources:0/type": "AWS::Config::ConfigRule", "aws/securityhub/ProductName": "Security Hub CSPM", "aws/securityhub/CompanyName": "AWS", "aws/securityhub/annotation": "No tags are present.", "Resources:0/Id": "arn:aws:ec2:eu-central-1:123456789012:subnet/subnet-1234567890abcdef0", "aws/securityhub/FindingId": "arn:aws:securityhub:eu-central-1::product/aws/securityhub/arn:aws:securityhub:eu-central-1:123456789012:security-control/EC2.44/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111" }, "Resources": [ { "Type": "AwsEc2Subnet", "Id": "arn:aws:ec2:eu-central-1:123456789012:subnet/subnet-1234567890abcdef0", "Partition": "aws", "Region": "eu-central-1", "Details": { "AwsEc2Subnet": { "AssignIpv6AddressOnCreation": false, "AvailabilityZone": "eu-central-1b", "AvailabilityZoneId": "euc1-az3", "AvailableIpAddressCount": 4091, "CidrBlock": "10.24.34.0/23", "DefaultForAz": true, "MapPublicIpOnLaunch": true, "OwnerId": "123456789012", "State": "available", "SubnetArn": "arn:aws:ec2:eu-central-1:123456789012:subnet/subnet-1234567890abcdef0", "SubnetId": "subnet-1234567890abcdef0", "VpcId": "vpc-021345abcdef6789" } } } ], "Compliance": { "Status": "FAILED", "SecurityControlId": "EC2.44", "AssociatedStandards": [ { "StandardsId": "standards/aws-resource-tagging-standard/v/1.0.0" } ], "SecurityControlParameters": [ { "Name": "requiredTagKeys", "Value": [ "peepoo" ] } ], }, "WorkflowState": "NEW", "Workflow": { "Status": "NEW" }, "RecordState": "ACTIVE", "FindingProviderFields": { "Severity": { "Label": "LOW", "Original": "LOW" }, "Types": [ "Software and Configuration Checks/Industry and Regulatory Standards" ] }, "ProcessedAt": "2024-04-29T13:02:03.259Z" }
AWS Control Tower 서비스 관리형 표준에 대한 샘플 조사 결과
다음 샘플은 AWS Control Tower 서비스 관리형 표준에 적용되는 제어에 대한 조사 결과의 예를 제공합니다. 이 샘플에서는 통합 제어 조사 결과가 비활성화되어 있습니다.
{ "SchemaVersion": "2018-10-08", "Id": "arn:aws:securityhub:us-east-1:123456789012:subscription/service-managed-aws-control-tower/v/1.0.0/CloudTrail.2/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub", "ProductName": "Security Hub CSPM", "CompanyName": "AWS", "Region": "us-east-1", "GeneratorId": "service-managed-aws-control-tower/v/1.0.0/CloudTrail.2", "AwsAccountId": "123456789012", "Types": [ "Software and Configuration Checks/Industry and Regulatory Standards" ], "FirstObservedAt": "2022-11-17T01:25:30.296Z", "LastObservedAt": "2022-11-17T01:25:45.805Z", "CreatedAt": "2022-11-17T01:25:30.296Z", "UpdatedAt": "2022-11-17T01:25:30.296Z", "Severity": { "Product": 40, "Label": "MEDIUM", "Normalized": 40, "Original": "MEDIUM" }, "Title": "CT.CloudTrail.2 CloudTrail should have encryption at-rest enabled", "Description": "This AWS control checks whether AWS CloudTrail is configured to use the server side encryption (SSE) AWS Key Management Service (AWS KMS) customer master key (CMK) encryption. The check will pass if the KmsKeyId is defined.", "Remediation": { "Recommendation": { "Text": "For information on how to correct this issue, consult the AWS Security Hub CSPM controls documentation.", "Url": "https://docs.aws.amazon.com/console/securityhub/CloudTrail.2/remediation" } }, "ProductFields": { "StandardsArn": "arn:aws:securityhub:::standards/service-managed-aws-control-tower/v/1.0.0", "StandardsSubscriptionArn": "arn:aws:securityhub:us-east-1:123456789012:subscription/service-managed-aws-control-tower/v/1.0.0", "ControlId": "CT.CloudTrail.2", "RecommendationUrl": "https://docs.aws.amazon.com/console/securityhub/CloudTrail.2/remediation", "RelatedAWSResources:0/name": "securityhub-cloud-trail-encryption-enabled-fe95bf3f", "RelatedAWSResources:0/type": "AWS::Config::ConfigRule", "StandardsControlArn": "arn:aws:securityhub:us-east-1:123456789012:control/service-managed-aws-control-tower/v/1.0.0/CloudTrail.2", "aws/securityhub/ProductName": "Security Hub CSPM", "aws/securityhub/CompanyName": "AWS", "Resources:0/Id": "arn:aws:cloudtrail:us-east-2:123456789012:trail/AWSMacieTrail-DO-NOT-EDIT", "aws/securityhub/FindingId": "arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:123456789012:subscription/service-managed-aws-control-tower/v/1.0.0/CloudTrail.2/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111" }, "Resources": [ { "Type": "AwsAccount", "Id": "AWS::::Account:123456789012", "Partition": "aws", "Region": "us-east-1" } ], "Compliance": { "Status": "FAILED", "SecurityControlId": "CloudTrail.2", "AssociatedStandards": [{ "StandardsId": "standards/service-managed-aws-control-tower/v/1.0.0" }] }, "WorkflowState": "NEW", "Workflow": { "Status": "NEW" }, "RecordState": "ACTIVE", "FindingProviderFields": { "Severity": { "Label": "MEDIUM", "Original": "MEDIUM" }, "Types": [ "Software and Configuration Checks/Industry and Regulatory Standards" ] } }
여러 표준에 대한 샘플 통합 조사 결과
다음 샘플은 여러 활성화된 표준에 적용되는 제어에 대한 조사 결과의 예를 제공합니다. 이 샘플에서는 통합 제어 조사 결과가 활성화되어 있습니다.
{ "SchemaVersion": "2018-10-08", "Id": "arn:aws:securityhub:us-east-1:123456789012:security-control/CloudTrail.2/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub", "ProductName": "Security Hub", "CompanyName": "AWS", "Region": "us-east-1", "GeneratorId": "security-control/CloudTrail.2", "AwsAccountId": "123456789012", "Types": [ "Software and Configuration Checks/Industry and Regulatory Standards" ], "FirstObservedAt": "2024-08-09T14:57:04.521Z", "LastObservedAt": "2025-05-30T03:30:17.407Z", "CreatedAt": "2024-08-09T14:57:04.521Z", "UpdatedAt": "2025-05-30T03:30:32.781Z", "Severity": { "Label": "MEDIUM", "Normalized": 40, "Original": "MEDIUM" }, "Title": "CloudTrail should have encryption at-rest enabled", "Description": "This AWS control checks whether AWS CloudTrail is configured to use the server side encryption (SSE) AWS Key Management Service (AWS KMS) customer master key (CMK) encryption. The check will pass if the KmsKeyId is defined.", "Remediation": { "Recommendation": { "Text": "For information on how to correct this issue, consult the AWS Security Hub CSPM controls documentation.", "Url": "https://docs.aws.amazon.com/console/securityhub/CloudTrail.2/remediation" } }, "ProductFields": { "RelatedAWSResources:0/name": "securityhub-cloud-trail-encryption-enabled-01a2b345", "RelatedAWSResources:0/type": "AWS::Config::ConfigRule", "aws/securityhub/ProductName": "Security Hub", "aws/securityhub/CompanyName": "AWS", "Resources:0/Id": "arn:aws:cloudtrail:us-east-1:123456789012:trail/TestTrail-DO-NOT-DELETE", "aws/securityhub/FindingId": "arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:123456789012:security-control/CloudTrail.2/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111" }, "Resources": [ { "Type": "AwsCloudTrailTrail", "Id": "arn:aws:cloudtrail:us-east-1:123456789012:trail/TestTrail-DO-NOT-DELETE", "Partition": "aws", "Region": "us-east-1", "Details": { "AwsCloudTrailTrail": { "HasCustomEventSelectors": false, "IncludeGlobalServiceEvents": true, "LogFileValidationEnabled": true, "HomeRegion": "us-east-1", "IsMultiRegionTrail": true, "S3BucketName": "cloudtrail-awslogs-do-not-delete", "IsOrganizationTrail": false, "Name": "TestTrail-DO-NOT-DELETE" } } } ], "Compliance": { "Status": "FAILED", "SecurityControlId": "CloudTrail.2", "RelatedRequirements": [ "CIS AWS Foundations Benchmark v1.2.0/2.7", "CIS AWS Foundations Benchmark v1.4.0/3.7", "CIS AWS Foundations Benchmark v3.0.0/3.5", "NIST.800-171.r2/3.3.8", "PCI DSS v3.2.1/3.4", "PCI DSS v4.0.1/10.3.2" ], "AssociatedStandards": [ { "StandardsId": "ruleset/cis-aws-foundations-benchmark/v/1.2.0"}, { "StandardsId": "standards/aws-foundational-security-best-practices/v/1.0.0"}, { "StandardsId": "standards/cis-aws-foundations-benchmark/v/1.4.0"}, { "StandardsId": "standards/cis-aws-foundations-benchmark/v/3.0.0"}, { "StandardsId": "standards/nist-800-171/v/2.0.0"}, { "StandardsId": "standards/pci-dss/v/3.2.1"}, { "StandardsId": "standards/pci-dss/v/4.0.1"} ] }, "Workflow": { "Status": "NEW" }, "WorkflowState": "NEW", "RecordState": "ACTIVE", "FindingProviderFields": { "Types": [ "Software and Configuration Checks/Industry and Regulatory Standards" ], "Severity": { "Normalized": 40, "Label": "MEDIUM", "Original": "MEDIUM" } }, "ProcessedAt": "2025-05-30T03:31:00.831Z" }
