本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。
Security Hub 控件调查发现所需的 AWS Config 资源
某些 AWS Security Hub 控件使用与服务相关的 AWS Config 规则来检测 AWS 资源中的配置更改。为了让 Security Hub 为这些控件生成准确的调查发现,您必须在中启用 AWS Config 并启用资源记录功能 AWS Config。有关 Security Hub 如何使用 AWS Config 规则以及如何启用和配置的信息 AWS Config,请参阅为 Security Hub 启用和配置 AWS Config。有关资源记录的详细信息,请参阅《AWS Config 开发人员指南》中的使用配置记录器。
要获得准确的控制结果,您必须为已启用控件开启 AWS Config 资源记录,并使用更改触发的计划类型。某些具有定期计划类型的控件也需要资源记录。本页列出了这些 Security Hub 控件所需的资源。
Security Hub 控件可以依赖托管 AWS Config 规则或自定义 Security Hub 规则。确保没有任何 AWS Identity and Access Management (IAM) 策略或 AWS Organizations 托管策略会 AWS Config 阻止您获得记录资源的权限。Security Hub 控件直接评估资源配置,不考虑 AWS Organizations 策略。
注意
AWS 区域 如果在中控件不可用,则相应的资源在中也不可用 AWS Config。有关这些限制的列表,请参阅对 Security Hub 控件的区域限制。
主题
所有 Security Hub 控件所需的资源
为了让 Security Hub 为已启用的变更触发的 AWS Config 控件生成调查发现,您必须在中记录以下类型的资源 AWS Config。此表还指出了哪些控件可以评估特定类型的资源。单个控件可以评估多种类型的资源。
| AWS 服务 | 资源类型 | 相关控件 |
|---|---|---|
| AWS Amplify | AWS::Amplify::App |
Amplify.1 |
AWS::Amplify::Branch |
Amplify.2 |
|
| Amazon API Gateway | AWS::ApiGateway::Stage |
APIGateway1. APIGateway2. APIGateway3. APIGateway4. APIGateway5. |
AWS::ApiGatewayV2::Stage |
APIGateway1. APIGateway.9 |
|
| AWS AppConfig | AWS::AppConfig::Application
|
AppConfig1. |
AWS::AppConfig::ConfigurationProfile
|
AppConfig2. |
|
AWS::AppConfig::Environment
|
AppConfig3. |
|
AWS::AppConfig::ExtensionAssociation
|
AppConfig4. |
|
| Amazon AppFlow | AWS::AppFlow::Flow
|
AppFlow1. |
| AWS App Runner | AWS::AppRunner::Service
|
AppRunner1. |
AWS::AppRunner::VpcConnector
|
AppRunner2. |
|
| AWS AppSync | AWS::AppSync::GraphQLApi
|
AppSync2. AppSync4. AppSync5. |
AWS::AppSync::ApiCache
|
AppSync1. AppSync.6 |
|
| AWS Backup | AWS::Backup::BackupPlan
|
Backup.5 |
AWS::Backup::BackupVault
|
Backup.3 |
|
AWS::Backup::RecoveryPoint
|
Backup.1 Backup.2 |
|
AWS::Backup::ReportPlan
|
Backup.4 |
|
| AWS Batch | AWS::Batch::ComputeEnvironment
|
Batch.3 Batch.4 |
AWS::Batch::JobQueue
|
Batch.1 |
|
AWS::Batch::SchedulingPolicy
|
Batch.2 |
|
| AWS Certificate Manager (ACM) | AWS::ACM::Certificate
|
ACM.1 ACM.2 ACM.3 |
| Amazon Athena | AWS::Athena::DataCatalog |
Athena.2 |
AWS::Athena::WorkGroup |
Athena.3 Athena.4 |
|
| AWS CloudFormation | AWS::CloudFormation::Stack |
CloudFormation2. |
| Amazon CloudFront | AWS::CloudFront::Distribution
|
CloudFront1. CloudFront3. CloudFront4. CloudFront5. CloudFront.6 CloudFront.7 CloudFront.8 CloudFront.9 CloudFront.10 CloudFront.13 CloudFront.14 |
| AWS CloudTrail | AWS::CloudTrail::Trail
|
CloudTrail.9 |
| Amazon CloudWatch | AWS::CloudWatch::Alarm
|
CloudWatch.15 CloudWatch.17 |
| AWS CodeArtifact | AWS::CodeArtifact::Repository
|
CodeArtifact1. |
| AWS CodeBuild | AWS::CodeBuild::Project
|
CodeBuild1. CodeBuild2. CodeBuild3. CodeBuild4. |
AWS::CodeBuild::ReportGroup
|
CodeBuild.7 |
|
| Amazon P CodeGuru rofiler | AWS::CodeGuruProfiler::ProfilingGroup |
CodeGuruProfiler1. |
| Amazon CodeGuru Reviewer | AWS::CodeGuruReviewer::RepositoryAssociation |
CodeGuruReviewer1. |
| Amazon Cognito | AWS::Cognito::UserPool |
Cognito1 |
| Amazon Connect | AWS::CustomerProfiles::ObjectType |
Connect.1 |
AWS::Connect::Instance |
Connect.2 | |
| AWS DataSync | AWS::DataSync::Task |
DataSync1. DataSync2. |
| Amazon Detective | AWS::Detective::Graph |
Detective.1 |
| AWS Database Migration Service (AWS DMS) | AWS::DMS::Certificate |
DMS.2 |
AWS::DMS::Endpoint
|
DMS.9 DMS.10 DMS.11 DMS.12 |
|
AWS::DMS::EventSubscription
|
DMS.3 | |
AWS::DMS::ReplicationInstance
|
DMS.4 DMS.6 |
|
AWS::DMS::ReplicationSubnetGroup
|
DMS.5 | |
AWS::DMS::ReplicationTask |
DMS.7 DMS.8 |
|
| Amazon DynamoDB | AWS::DynamoDB::Table
|
DynamoDB.1 DynamoDB.2 DynamoDB.5 DynamodB.6 |
| Amazon Elasti EC2 c Compute | AWS::EC2::ClientVpnEndpoint |
EC2.51 |
AWS::EC2::CustomerGateway |
EC2.36 | |
AWS::EC2::DHCPOptions |
EC2.174 | |
AWS::EC2::EIP |
EC2.12 EC2.37 |
|
AWS::EC2::FlowLog |
EC2.48 | |
AWS::EC2::Instance |
EC24. EC2.8 EC2.9 EC2.17 EC2.24 EC2.38 EMR.1 SSM.1 |
|
AWS::EC2::InternetGateway |
EC2.39 |
|
AWS::EC2::LaunchTemplate |
EC2.25 EC2.170 EC2.175 |
|
AWS::EC2::NatGateway |
EC2.40 |
|
AWS::EC2::NetworkAcl |
EC2.16 EC2.21 EC2.41 |
|
AWS::EC2::NetworkInterface |
EC2.22 EC2.35 |
|
AWS::EC2::PrefixList |
EC2.176 | |
AWS::EC2::RouteTable |
EC2.42 | |
AWS::EC2::SecurityGroup |
EC22. EC2.13 EC2.14 EC2.18 EC2.19 EC2.43 |
|
AWS::EC2::SpotFleet |
EC2.173 | |
AWS::EC2::Subnet |
EC2.15 EC2.44 ElastiCache.7 |
|
AWS::EC2::TrafficMirrorFilter |
EC2.178 | |
AWS::EC2::TrafficMirrorSession |
EC2.177 | |
AWS::EC2::TrafficMirrorTarget |
EC2.179 | |
AWS::EC2::TransitGateway |
EC2.23 EC2.52 |
|
AWS::EC2::TransitGatewayAttachment |
EC2.33 | |
AWS::EC2::TransitGatewayRouteTable |
EC2.34 | |
AWS::EC2::Volume |
EC23. EC2.45 |
|
AWS::EC2::VPC |
EC2.6 EC2.46 |
|
AWS::EC2::VPCBlockPublicAccessOptions |
EC2.172 |
|
AWS::EC2::VPCEndpointService |
EC2.47 | |
AWS::EC2::VPCPeeringConnection |
EC2.49 | |
AWS::EC2::VPNConnection |
EC2.20 EC2.171 |
|
AWS::EC2::VPNGateway |
EC2.50 | |
| Amazon A EC2 uto Scaling | AWS::AutoScaling::AutoScalingGroup |
AutoScaling1. AutoScaling2. AutoScaling.6 AutoScaling.9 AutoScaling.10 |
AWS::AutoScaling::LaunchConfiguration |
AutoScaling3. Autoscaling.5 |
|
| Amazon S EC2 ystems Manager (SSM) | AWS::SSM::AssociationCompliance |
SSM.3 |
AWS::SSM::ManagedInstanceInventory |
SSM.1 |
|
AWS::SSM::PatchCompliance |
SSM.2 |
|
| Amazon Elastic Container Registry (Amazon ECR) | AWS::ECR::PublicRepository |
ECR.4 |
AWS::ECR::Repository |
ECR.2 ECR.3 ECR.5 |
|
| Amazon Elastic Container Service (Amazon ECS) | AWS::ECS::Cluster |
ECS.12 ECS.14 |
AWS::ECS::Service |
ECS.2 ECS.10 ECS.13 |
|
AWS::ECS::TaskDefinition |
ECS.1 ECS.3 ECS.4 ECS.5 ECS.8 ECS.9 ECS.15 ECS.17 |
|
AWS::ECS::TaskSet |
ECS.16 |
|
| Amazon Elastic File System (Amazon EFS) | AWS::EFS::AccessPoint
|
EFS.3 EFS.4 EFS.5 |
AWS::EFS::FileSystem
|
EFS.7 EFS.8 |
|
| Amazon Elastic Kubernetes Service(Amazon EKS) | AWS::EKS::Cluster |
EKS.2 EKS.6 EKS.8 |
AWS::EKS::IdentityProviderConfig |
EKS.7 | |
| AWS Elastic Beanstalk | AWS::ElasticBeanstalk::Environment
|
ElasticBeanstalk1. ElasticBeanstalk2. ElasticBeanstalk3. |
| Elastic Load Balancing | AWS::ElasticLoadBalancing::LoadBalancer |
ELB.2 ELB.3 ELB.5 ELB.7 ELB.8 ELB.9 ELB.10 ELB.14 |
AWS::ElasticLoadBalancingV2::Listener |
ELB.17 |
|
AWS::ElasticLoadBalancingV2::LoadBalancer |
ELB.1 ELB.4 ELB.5 ELB.6 ELB.12 ELB.13 ELB.16 |
|
| ElasticSearch | AWS::Elasticsearch::Domain |
ES.3 ES.4 ES.5 ES.6 ES.7 ES.8 ES.9 |
| Amazon EMR | AWS::EMR::SecurityConfiguration |
EMR.3 EMR.4 |
| Amazon EventBridge | AWS::Events::EventBus |
EventBridge2. EventBridge3. |
AWS::Events::Endpoint |
EventBridge4. |
|
| Amazon Fraud Detector | AWS::FraudDetector::EntityType |
FraudDetector1. |
AWS::FraudDetector::Label |
FraudDetector2. |
|
AWS::FraudDetector::Outcome |
FraudDetector3. |
|
AWS::FraudDetector::Variable |
FraudDetector4. |
|
| AWS Global Accelerator | AWS::GlobalAccelerator::Accelerator |
GlobalAccelerator1. |
| AWS Glue | AWS::Glue::Job |
Glue.1 Glue.4 |
AWS::Glue::MLTransform |
Glue.3 |
|
| Amazon GuardDuty | AWS::GuardDuty::Detector |
GuardDuty4. |
AWS::GuardDuty::Filter |
GuardDuty2. |
|
AWS::GuardDuty::IPSet |
GuardDuty3. |
|
| AWS Identity and Access Management (IAM) | AWS::IAM::Group |
IAM.27 KMS.2 |
AWS::IAM::Policy |
IAM.1 IAM.21 KMS.1 |
|
AWS::IAM::Role |
IAM.24 IAM.27 KMS.2 |
|
AWS::IAM::User |
IAM.2 IAM.3 IAM.5 IAM.8 IAM.19 IAM.22 IAM.25 IAM.27 KMS.2 |
|
| AWS Identity and Access Management Access Analyzer | AWS::AccessAnalyzer::Analyzer |
IAM.23 |
| Amazon Interactive Video Service (Amazon IVS) | AWS::IVS::PlaybackKeyPair |
IVS.1 |
AWS::IVS::RecordingConfiguration |
IVS.2 |
|
AWS::IVS::Channel |
IVS.3 |
|
| AWS IoT | AWS::IoT::Authorizer |
IoT.4 |
AWS::IoT::Dimension |
IoT.3 |
|
AWS::IoT::MitigationAction |
IoT.2 |
|
AWS::IoT::Policy |
IoT.6 |
|
AWS::IoT::RoleAlias |
IoT.5 |
|
AWS::IoT::SecurityProfile |
IoT.1 |
|
| AWS IoT Events | AWS::IoTEvents::AlarmModel |
Io TEvents .3 |
AWS::IoTEvents::DetectorModel |
Io TEvents .2 |
|
AWS::IoTEvents::Input |
Io TEvents .1 |
|
| AWS IoT SiteWise | AWS::IoTSiteWise::AssetModel |
Io TSite Wise.1 |
AWS::IoTSiteWise::Dashboard |
Io TSite Wise.2 |
|
AWS::IoTSiteWise::Gateway |
Io TSite Wise.3 |
|
AWS::IoTSiteWise::Portal |
Io TSite Wise.4 |
|
AWS::IoTSiteWise::Project |
Io TSite Wise.5 |
|
| AWS IoT TwinMaker | AWS::IoTTwinMaker::Entity |
Io TTwin Maker.4 |
AWS::IoTTwinMaker::Scene |
Io TTwin Maker.3 |
|
AWS::IoTTwinMaker::SyncJob |
Io TTwin Maker.1 |
|
AWS::IoTTwinMaker::Workspace |
Io TTwin Maker.2 |
|
| AWS IoT Wireless | AWS::IoTWireless::MulticastGroup |
Io TWireless .1 |
AWS::IoTWireless::ServiceProfile |
Io TWireless .2 |
|
AWS::IoTWireless::FuotaTask |
Io TWireless .3 |
|
| Amazon Keyspaces(Apache Cassandra 兼容) | AWS::Cassandra::Keyspace |
Keyspaces 1 |
| Amazon Kinesis | AWS::Kinesis::Stream |
Kinesis.1 Kinesis.2 Kinesis.3 |
| AWS Key Management Service (AWS KMS) | AWS::KMS::Alias |
S3.17 |
AWS::KMS::Key |
KMS.3 KMS.5 S3.17 |
|
| AWS Lambda | AWS::Lambda::Function |
Lambda.1 Lambda.2 Lambda.3 Lambda.5 Lambda.6 |
| Amazon MSK | AWS::MSK::Cluster |
MSK.1 MSK.2 |
AWS::KafkaConnect::Connector |
MSK.3 |
|
| Amazon MQ | AWS::AmazonMQ::Broker |
MQ.2 MQ.3 MQ.4 MQ.5 MQ.6 |
| AWS Network Firewall | AWS::NetworkFirewall::Firewall |
NetworkFirewall1. NetworkFirewall.7 NetworkFirewall.9 NetworkFirewall.10 |
AWS::NetworkFirewall::FirewallPolicy |
NetworkFirewall3. NetworkFirewall4. NetworkFirewall5. NetworkFirewall.8 |
|
AWS::NetworkFirewall::RuleGroup |
NetworkFirewall.6 |
|
| 亚马逊 OpenSearch 服务 | AWS::OpenSearch::Domain |
Opensearch.1 Opensearch.2 Opensearch.3 Opensearch.4 Opensearch.5 Opensearch.6 Opensearch.7 Opensearch.8 OpenSearch.9 Opensearch.10 Opensearch.11 |
| AWS Private CA | AWS::ACMPCA::CertificateAuthority |
PCA.2 |
| Amazon Relational Database Service (Amazon RDS) | AWS::RDS::DBCluster |
DocumentDB.1 DocumentDB.2 DocumentDB.4 DocumentDB.5 Neptune.1 Neptune.2 Neptune.4 Neptune.5 Neptune.7 Neptune.8 Neptune.9 RDS.7 RDS.12 RDS.14 RDS.15 RDS.16 RDS.24 RDS.27 RDS.28 RDS.34 RDS.35 RDS.37 |
AWS::RDS::DBClusterSnapshot |
DocumentDB.3 Neptune.3 Neptune.6 RDS.1 RDS.4 RDS.29 |
|
AWS::RDS::DBInstance |
RDS.2 RDS.3 RDS.5 RDS.6 RDS.8 RDS.9 RDS.10 RDS.11 RDS.13 RDS.17 RDS.18 RDS.23 RDS.25 RDS.30 RDS.36 RDS.408 |
|
AWS::RDS::DBSecurityGroup |
RDS.31 |
|
AWS::RDS::DBSnapshot |
RDS.1 RDS.4 RDS.32 |
|
AWS::RDS::DBSubnetGroup |
RDS.33 |
|
AWS::RDS::EventSubscription |
RDS.19 RDS.20 RDS.21 RDS.22 |
|
| Amazon Redshift | AWS::Redshift::Cluster |
Redshift.1 Redshift.2 Redshift.3 Redshift.4 Redshift.6 Redshift.7 Redshift.8 Redshift.9 Redshift.10 Redshift.11 |
AWS::Redshift::ClusterParameterGroup |
Redshift.2 Redshift.17 |
|
AWS::Redshift::ClusterSnapshot |
Redshift.13 |
|
AWS::Redshift::ClusterSubnetGroup |
Redshift.14 Redshift.16 |
|
AWS::Redshift::EventSubscription |
Redshift.12 |
|
| Amazon Route 53 | AWS::Route53::HostedZone |
Route53.2 |
AWS::Route53::HealthCheck |
Route53.1 |
|
| Amazon Simple Storage Service(Amazon S3) | AWS::S3::AccessPoint |
S3.19 |
AWS::S3::AccountPublicAccessBlock |
S3.2 S3.3 |
|
AWS::S3::Bucket |
CloudTrail.6 CloudTrail.7 S3.2 S3.3 S3.5 S3.6 S3.7 S3.8 S3.9 S3.10 S3.11 S3.12 S3.13 S3.14 S3.15 S3.17 S3.20 |
|
AWS::S3::MultiRegionAccessPoint |
S3.24 |
|
| 亚马逊 SageMaker AI | AWS::SageMaker::AppImageConfig
|
SageMaker.6 |
AWS::SageMaker::Image
|
SageMaker.7 |
|
AWS::SageMaker::Model
|
SageMaker5. |
|
AWS::SageMaker::NotebookInstance
|
SageMaker2. SageMaker3. |
|
| AWS Secrets Manager | AWS::SecretsManager::Secret
|
SecretsManager1. SecretsManager2. SecretsManager5. |
| AWS Service Catalog | AWS::ServiceCatalog::Portfolio
|
ServiceCatalog1. |
| Amazon Simple Email Service(Amazon SES) | AWS::SES::ConfigurationSet
|
SES.2 |
AWS::SES::ContactList
|
SES.1 |
|
| Amazon Simple Notification Service (Amazon SNS) | AWS::SNS::Topic
|
SNS.1 SNS.3 SNS.4 |
| Amazon Simple Queue Service(Amazon SQS) | AWS::SQS::Queue
|
SQS.1 SQS.2 SQS.3 |
| AWS Step Functions | AWS::StepFunctions::StateMachine |
StepFunctions1. |
AWS::StepFunctions::Activity |
StepFunctions2. |
|
| AWS Systems Manager (SSM) | AWS::SSM::Document
|
SM.5 |
| AWS Transfer Family | AWS::Transfer::Agreement |
转移。4 |
AWS::Transfer::Certificate |
转账.5 |
|
AWS::Transfer::Connector |
转账。3 转移。6 |
|
AWS::Transfer::Profile |
转移。7 |
|
AWS::Transfer::Workflow |
Transfer.1 |
|
| AWS WAF | AWS::WAF::Rule |
WAF.6 |
AWS::WAF::RuleGroup |
WAF.7 |
|
AWS::WAF::WebACL |
WAF.1 WAF.8 |
|
AWS::WAFRegional::Rule |
WAF.2 |
|
AWS::WAFRegional::RuleGroup |
WAF.3 |
|
AWS::WAFRegional::WebACL |
WAF.4 |
|
AWS::WAFv2::RuleGroup |
WAF.12 |
|
AWS::WAFv2::WebACL |
WAF.10 WAF.11 |
|
| Amazon WorkSpaces | AWS::WorkSpaces::WorkSpace |
WorkSpaces1. WorkSpaces2. |
AWS 基础安全最佳实践标准所需的资源
为了让 Security Hub 准确报告适用于 AWS 基础安全最佳实践标准的变更触发的控件调查发现,您必须在中记录以下类型的资源。 AWS Config AWS Config有关此标准的信息,请参阅AWS Security Hub 的基础安全最佳实践标准。
| AWS 服务 | 资源类型 |
|---|---|
|
Amazon API Gateway |
|
|
AWS AppSync |
|
|
AWS Backup |
|
|
AWS Certificate Manager (ACM) |
|
|
AWS CloudFormation |
|
|
Amazon CloudFront |
|
|
AWS CodeBuild |
|
|
Amazon Cognito |
|
|
Amazon Connect |
|
|
AWS DataSync |
|
|
AWS Database Migration Service (AWS DMS) |
|
|
Amazon DynamoDB |
|
| Amazon S EC2 ystems Manager (SSM) |
|
|
Amazon Elastic Compute Cloud EC2 |
|
|
Amazon A EC2 uto Scaling |
|
|
Amazon Elastic Container Registry(Amazon ECR) |
|
|
Amazon Elastic Container Service(Amazon ECS) |
|
|
Amazon Elastic File System(Amazon EFS) |
|
|
Amazon Elastic Kubernetes Service(Amazon EKS) |
|
|
AWS Elastic Beanstalk |
|
|
Elastic Load Balancing |
|
|
ElasticSearch |
|
|
Amazon EMR |
|
|
AWS Glue |
|
|
AWS Identity and Access Management (IAM) |
|
|
Amazon Kinesis |
|
|
AWS Key Management Service (AWS KMS) |
|
|
AWS Lambda |
|
|
Amazon Managed Streaming for Apache Kafka (Amazon MSK) |
|
|
AWS Network Firewall |
|
|
亚马逊 OpenSearch 服务 |
|
|
Amazon Relational Database Service (Amazon RDS) |
|
|
Amazon Redshift |
|
|
Amazon Redshift Serverless |
|
|
Amazon Route 53 |
|
|
Amazon Simple Storage Service(Amazon S3) |
|
|
亚马逊 SageMaker AI |
|
|
Amazon Simple Notification Service (Amazon SNS) |
|
|
Amazon Simple Queue Service(Amazon SQS) |
|
|
AWS Secrets Manager |
|
|
AWS Step Functions |
|
|
AWS Transfer Family |
|
|
AWS WAF |
|
|
Amazon WorkSpaces |
|
独联体 AWS 基金会基准测试所需的资源
要对适用于 Center for Internet Security(CIS) AWS 基金会基准的已启用控件进行安全检查,Security Hub 要么按照检查规定的确切审计步骤运行,要么使用特定的 AWS Config 托管规则。有关 Security Hub 中此标准的信息,请参阅Security Hub 中的独联体 AWS 基金会基准。
CIS v3.0.0 所需的资源
为了让 Security Hub 准确报告已启用 CIS v3.0.0 更改触发的使用 AWS Config 规则的控件调查发现,您必须在中记录以下类型的资源。 AWS Config
| AWS 服务 | 资源类型 |
|---|---|
|
Amazon Elastic Compute Cloud EC2 |
|
|
AWS Identity and Access Management (IAM) |
|
|
Amazon Relational Database Service(Amazon RDS) |
|
|
Amazon Simple Storage Service(Amazon S3) |
|
CIS v1.4.0 所需的 资源
为了让 Security Hub 准确报告已启用 CIS v1.4.0 更改触发的使用 AWS Config 规则的控件调查发现,您必须在中记录以下类型的资源。 AWS Config
| AWS 服务 | 资源类型 |
|---|---|
|
Amazon Elastic Compute Cloud EC2 |
|
|
AWS Identity and Access Management (IAM) |
|
|
Amazon Relational Database Service(Amazon RDS) |
|
|
Amazon Simple Storage Service(Amazon S3) |
|
CIS v1.2.0 所需的 资源
为了让 Security Hub 准确报告已启用 CIS v1.2.0 更改触发的使用 AWS Config 规则的控件调查发现,您必须在中记录以下类型的资源。 AWS Config
| AWS 服务 | 资源类型 |
|---|---|
|
Amazon Elastic Compute Cloud EC2 |
|
|
AWS Identity and Access Management (IAM) |
|
NIST SP 800-53 Rev 5 标准所需的资源
为了让 Security Hub 准确报告适用于 NIST SP 800-53 Rev 5 标准的变更触发的控件调查发现,您必须在中记录以下类型的资源。 AWS Config AWS Config有关此标准的信息,请参阅Security Hub 中的 NIST SP 800-53 第 5 版。
| AWS 服务 | 资源类型 |
|---|---|
|
Amazon API Gateway |
|
|
AWS AppSync |
|
|
AWS Backup |
|
|
AWS Certificate Manager (ACM) |
|
|
AWS CloudFormation |
|
|
Amazon CloudFront |
|
|
Amazon CloudWatch |
|
|
AWS CodeBuild |
|
|
AWS Database Migration Service (AWS DMS) |
|
|
Amazon DynamoDB |
|
|
Amazon Elastic Compute Cloud EC2 |
|
|
Amazon A EC2 uto Scaling |
|
|
Amazon Elastic Container Registry(Amazon ECR) |
|
|
Amazon Elastic Container Service(Amazon ECS) |
|
|
Amazon Elastic File System(Amazon EFS) |
|
|
Amazon Elastic Kubernetes Service(Amazon EKS) |
|
|
AWS Elastic Beanstalk |
|
|
Elastic Load Balancing |
|
|
Amazon ElasticSearch |
|
|
Amazon EMR |
|
|
Amazon EventBridge |
|
|
AWS Glue |
|
|
AWS Identity and Access Management (IAM) |
|
|
AWS Key Management Service (AWS KMS) |
|
|
Amazon Kinesis |
|
|
AWS Lambda |
|
|
Amazon Managed Streaming for Apache Kafka (Amazon MSK) |
|
|
Amazon MQ |
|
|
AWS Network Firewall |
|
|
亚马逊 OpenSearch 服务 |
|
|
Amazon Relational Database Service (Amazon RDS) |
|
|
Amazon Redshift |
|
|
Amazon Route 53 |
|
|
Amazon Simple Storage Service(Amazon S3) |
|
|
AWS Service Catalog |
|
|
Amazon Simple Notification Service (Amazon SNS) |
|
|
Amazon Simple Queue Service(Amazon SQS) |
|
| Amazon S EC2 ystems Manager (SSM) |
|
|
亚马逊 SageMaker AI |
|
|
AWS Secrets Manager |
|
|
AWS Transfer Family |
|
|
AWS WAF |
|
NIST SP 800-171 Rev 2 标准所需的资源
为了让 Security Hub 准确报告适用于 NIST SP 800-171 Rev 2 标准的变更触发的控件调查发现,您必须在中记录以下类型的资源。 AWS Config AWS Config有关此标准的信息,请参阅NIST SP 800-171 Security Hub 中第 2 版。
| AWS 服务 | 资源类型 |
|---|---|
| AWS Certificate Manager(ACM) |
|
| Amazon API Gateway |
|
| Amazon CloudFront |
|
| Amazon CloudWatch |
|
| Amazon Elastic Compute Cloud EC2 |
|
| Elastic Load Balancing |
|
| AWS Identity and Access Management(IAM) |
|
| AWS Key Management Service (AWS KMS) |
|
| AWS Network Firewall |
|
| Amazon Simple Storage (Amazon S3) |
|
| Amazon Simple Notion Service (Amazon SNS) |
|
| AWS Systems Manager(SSM) |
|
| AWS WAF |
|
PCI DSS v3.2.1 所需的资源
为了让 Security Hub 准确报告适用于 PCI DSS v3.2.1 中的控件调查发现,您必须在中记录以下类型的资源。 AWS Config AWS Config有关此标准的信息,请参阅Security Hub 中的 PCI DSS。
| AWS 服务 | 资源类型 |
|---|---|
|
AWS CodeBuild |
|
|
Amazon Elastic Compute Cloud EC2 |
|
|
Amazon A EC2 uto Scaling |
|
|
AWS Identity and Access Management (IAM) |
|
|
AWS Lambda |
|
|
亚马逊 OpenSearch 服务 |
|
|
Amazon Relational Database Service (Amazon RDS) |
|
|
Amazon Redshift |
|
|
Amazon Simple Storage Service(Amazon S3) |
|
| Amazon S EC2 ystems Manager (SSM) |
|
资源标签标准所需的 AWS 资源
所有适用于 AWS 资源标记标准的控件都是触发变更的,并使用 AWS Config 规则。为了让 Security Hub 准确报告这些控件的调查发现,您必须在中记录以下类型的资源 AWS Config。有关此标准的信息,请参阅AWS Security Hub 中的资源标记标准。
| AWS 服务 | 资源类型 |
|---|---|
| AWS Amplify |
|
| Amazon AppFlow |
|
| AWS App Runner |
|
| AWS AppConfig |
|
| AWS AppSync |
|
| Amazon Athena |
|
| AWS Backup |
|
| AWS Batch |
|
| AWS Certificate Manager (ACM) |
|
| AWS CloudFormation |
|
| Amazon CloudFront |
|
| AWS CloudTrail |
|
| AWS CodeArtifact |
|
| Amazon CodeGuru |
|
| Amazon Connect |
|
| AWS Database Migration Service (AWS DMS) |
|
| AWS DataSync |
|
| Amazon Detective |
|
| Amazon DynamoDB |
|
| Amazon Elasti EC2 c Compute |
|
| Amazon A EC2 uto Scaling |
|
| Amazon Elastic Container Registry(Amazon ECR) |
|
| Amazon Elastic Container Service(Amazon ECS) |
|
| Amazon Elastic File System(Amazon EFS) |
|
| Amazon Elastic Kubernetes Service(Amazon EKS) |
|
| AWS Elastic Beanstalk |
|
| ElasticSearch |
|
| Amazon EventBridge |
|
| Amazon Fraud Detector |
|
| AWS Global Accelerator |
|
| AWS Glue |
|
| Amazon GuardDuty |
|
| AWS Identity and Access Management (IAM) |
|
| AWS Identity and Access Management Access Analyzer (IAM Acess Analy |
|
| AWS IoT |
|
| AWS IoT 活动 |
|
| AWS IoT SiteWise |
|
| AWS IoT TwinMaker |
|
| AWS IoT Aliv |
|
| Amazon Interactive Video Service (Amazon IVS) |
|
| Amazon Keyspaces (for Apache Cassandra) |
|
| Amazon Kinesis |
|
| AWS Lambda |
|
| Amazon MQ |
|
| AWS Network Firewall |
|
| 亚马逊 OpenSearch 服务 |
|
| AWS Private Certificate Authority |
|
| Amazon Relational Database Service |
|
| Amazon Redshift |
|
| Amazon Route 53 |
|
| 亚马逊 SageMaker AI |
|
| AWS Secrets Manager |
|
| Amazon Simple Email Service(Amazon SES) |
|
| Amazon Simple Notification Service (Amazon SNS) |
|
| Amazon Simple Queue Service(Amazon SQS) |
|
| AWS Step Functions |
|
| AWS Systems Manager (SSM) |
|
| AWS Transfer Family |
|
AWS Control Tower 服务管理标准所需的资源
为了让 Security Hub 准确报告适用于 Security Hub 的变更触发的控件调查发现,您必须在中 AWS Config记录以下类型的资源。 AWS Control Tower AWS Config 有关此标准的信息,请参阅服务托管标准: AWS Control Tower。
| AWS 服务 | 资源类型 |
|---|---|
|
Amazon API Gateway |
|
|
AWS Certificate Manager (ACM) |
|
|
AWS CodeBuild |
|
|
Amazon DynamoDB |
|
|
Amazon Elasti EC2 c Compute |
|
|
Amazon A EC2 uto Scaling |
|
|
Amazon Elastic Container Registry(Amazon ECR) |
|
|
Amazon Elastic Container Service(Amazon ECS) |
|
|
Amazon Elastic File System(Amazon EFS) |
|
|
Amazon EKS |
|
|
ElasticBeanstalk |
|
|
Elastic Load Balancing |
|
|
ElasticSearch |
|
|
AWS Identity and Access Management (IAM) |
|
|
AWS Key Management Service (AWS KMS) |
|
|
Amazon Kinesis |
|
|
AWS Lambda |
|
|
AWS Network Firewall |
|
|
亚马逊 OpenSearch 服务 |
|
|
Amazon Relational Database Service (Amazon RDS) |
|
|
Amazon Redshift |
|
|
Amazon Simple Storage Service(Amazon S3) |
|
|
Amazon Simple Notification Service (Amazon SNS) |
|
|
Amazon Simple Queue Service(Amazon SQS) |
|
|
AWS Secrets Manager |
|
| Amazon S EC2 ystems Manager (SSM) |
|
|
AWS WAF |
|
