NIST SP 800-53 Revision 5 in Security Hub CSPM - AWS Security Hub
Configuring resource recording for the standardDetermining which controls apply to the standard

NIST SP 800-53 Revision 5 in Security Hub CSPM

NIST Special Publication 800-53 Revision 5 (NIST SP 800-53 Rev. 5) is a cybersecurity and compliance framework developed by the National Institute of Standards and Technology (NIST), an agency that's part of the U.S. Department of Commerce. This compliance framework provides a catalog of security and privacy requirements for protecting the confidentiality, integrity, and availability of information systems and critical resources. U.S. federal government agencies and contractors must comply with these requirements to protect their systems and organizations. Private organizations can also voluntarily use the requirements as a guiding framework for reducing cybersecurity risk. For more information about the framework and its requirements, see NIST SP 800-53 Rev. 5 in the NIST Computer Security Resource Center.

AWS Security Hub Cloud Security Posture Management (CSPM) provides security controls that support a subset of NIST SP 800-53 Revision 5 requirements. The controls perform automated security checks for certain AWS services and resources. To enable and manage these controls, you can enable the NIST SP 800-53 Revision 5 framework as a standard in Security Hub CSPM. Note that the controls don't support NIST SP 800-53 Revision 5 requirements that require manual checks.

Unlike other frameworks, the NIST SP 800-53 Revision 5 framework isn't prescriptive about how its requirements should be evaluated. Instead, the framework provides guidelines. In Security Hub CSPM, the NIST SP 800-53 Revision 5 standard and controls represent the service's understanding of these guidelines.

Configuring resource recording for controls that apply to the standard

To optimize coverage and the accuracy of findings, it's important to enable and configure resource recording in AWS Config before you enable the NIST SP 800-53 Revision 5 standard in AWS Security Hub Cloud Security Posture Management (CSPM). When you configure resource recording, also be sure to enable it for all the types of AWS resources that are checked by controls that apply to the standard. This is primarily for controls that have a change triggered schedule type. However, some controls with a periodic schedule type also require resource recording. If resource recording isn't enabled or configured correctly, Security Hub CSPM might not be able to evaluate the appropriate resources, and generate accurate findings for controls that apply to the standard.

For information about how Security Hub CSPM uses resource recording in AWS Config, see Enabling and configuring AWS Config for Security Hub CSPM. For information about configuring resource recording in AWS Config, see Working with the configuration recorder in the AWS Config Developer Guide.

The following table specifies the types of resources to record for controls that apply to the NIST SP 800-53 Revision 5 standard in Security Hub CSPM.

AWS service Resource types

Amazon API Gateway

AWS::ApiGateway::Stage, AWS::ApiGatewayV2::Stage

AWS AppSync

AWS::AppSync::GraphQLApi

AWS Backup

AWS::Backup::RecoveryPoint

AWS Certificate Manager (ACM)

AWS::ACM::Certificate

AWS CloudFormation

AWS::CloudFormation::Stack

Amazon CloudFront

AWS::CloudFront::Distribution

Amazon CloudWatch

AWS::CloudWatch::Alarm

AWS CodeBuild

AWS::CodeBuild::Project

AWS Database Migration Service (AWS DMS)

AWS::DMS::Endpoint, AWS::DMS::ReplicationInstance, AWS::DMS::ReplicationTask

Amazon DynamoDB

AWS::DynamoDB::Table

Amazon Elastic Compute Cloud (Amazon EC2)

AWS::EC2::ClientVpnEndpoint, AWS::EC2::EIP, AWS::EC2::Instance, AWS::EC2::LaunchTemplate, AWS::EC2::NetworkAcl, AWS::EC2::NetworkInterface, AWS::EC2::SecurityGroup, AWS::EC2::Subnet, AWS::EC2::TransitGateway, AWS::EC2::VPNConnection, AWS::EC2::Volume

Amazon EC2 Auto Scaling

AWS::AutoScaling::AutoScalingGroup, AWS::AutoScaling::LaunchConfiguration

Amazon Elastic Container Registry (Amazon ECR)

AWS::ECR::Repository

Amazon Elastic Container Service (Amazon ECS)

AWS::ECS::Cluster, AWS::ECS::Service, AWS::ECS::TaskDefinition

Amazon Elastic File System (Amazon EFS)

AWS::EFS::AccessPoint

Amazon Elastic Kubernetes Service (Amazon EKS)

AWS::EKS::Cluster

AWS Elastic Beanstalk

AWS::ElasticBeanstalk::Environment

Elastic Load Balancing

AWS::ElasticLoadBalancing::LoadBalancer, AWS::ElasticLoadBalancingV2::Listener, AWS::ElasticLoadBalancingV2::LoadBalancer

Amazon ElasticSearch

AWS::Elasticsearch::Domain

Amazon EMR

AWS::EMR::SecurityConfiguration

Amazon EventBridge

AWS::Events::Endpoint, AWS::Events::EventBus

AWS Glue

AWS::Glue::Job

AWS Identity and Access Management (IAM)

AWS::IAM::Group, AWS::IAM::Policy, AWS::IAM::Role, AWS::IAM::User

AWS Key Management Service (AWS KMS)

AWS::KMS::Alias, AWS::KMS::Key

Amazon Kinesis

AWS::Kinesis::Stream

AWS Lambda

AWS::Lambda::Function

Amazon Managed Streaming for Apache Kafka (Amazon MSK)

AWS::MSK::Cluster

Amazon MQ

AWS::AmazonMQ::Broker

AWS Network Firewall

AWS::NetworkFirewall::Firewall, AWS::NetworkFirewall::FirewallPolicy, AWS::NetworkFirewall::RuleGroup

Amazon OpenSearch Service

AWS::OpenSearch::Domain

Amazon Relational Database Service (Amazon RDS)

AWS::RDS::DBCluster, AWS::RDS::DBClusterSnapshot, AWS::RDS::DBInstance, AWS::RDS::DBSnapshot, AWS::RDS::EventSubscription

Amazon Redshift

AWS::Redshift::Cluster, AWS::Redshift::ClusterSubnetGroup

Amazon RouteĀ 53

AWS::Route53::HostedZone

Amazon Simple Storage Service (Amazon S3)

AWS::S3::AccessPoint, AWS::S3::AccountPublicAccessBlock, AWS::S3::Bucket

AWS Service Catalog

AWS::ServiceCatalog::Portfolio

Amazon Simple Notification Service (Amazon SNS)

AWS::SNS::Topic

Amazon Simple Queue Service (Amazon SQS)

AWS::SQS::Queue
Amazon EC2 Systems Manager (SSM)

AWS::SSM::AssociationCompliance, AWS::SSM::ManagedInstanceInventory, AWS::SSM::PatchCompliance

Amazon SageMaker AI

AWS::SageMaker::NotebookInstance

AWS Secrets Manager

AWS::SecretsManager::Secret

AWS Transfer Family

AWS::Transfer::Connector

AWS WAF

AWS::WAF::Rule, AWS::WAF::RuleGroup, AWS::WAF::WebACL, AWS::WAFRegional::Rule, AWS::WAFRegional::RuleGroup, AWS::WAFRegional::WebACL, AWS::WAFv2::RuleGroup, AWS::WAFv2::WebACL

Determining which controls apply to the standard

The following list specifies the controls that support NIST SP 800-53 Revision 5 requirements and apply to the NIST SP 800-53 Revision 5 standard in AWS Security Hub Cloud Security Posture Management (CSPM). For details about specific requirements that a control supports, choose the control. Then refer to the Related requirements field in the details for the control. This field specifies each NIST requirement that the control supports. If the field doesn't specify a particular NIST requirement, the control doesn't support the requirement.