本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。
控制结果所需的AWS Config资源
在 S AWS ecurity Hub CSPM 中,某些控件使用服务相关AWS Config规则来检测资源中的配置更改。AWS要让 Security Hub CSPM 为这些控件生成准确的调查结果,您必须在中启用AWS Config并打开资源记录。AWS Config有关 Security Hub CSPM 如何使用AWS Config规则以及如何启用和配置的信息AWS Config,请参阅。为 Security Hub CSPM 启用和配置 AWS Config有关资源记录的详细信息,请参阅《AWS Config 开发人员指南》中的使用配置记录器。
要获得准确的控制结果,您必须为已启用控件开启AWS Config资源记录,并使用更改触发的计划类型。某些具有定期计划类型的控件也需要资源记录。本页列出了这些 Security Hub CSPM 控件所需的资源。
Security Hub CSPM 控件可以依赖托管AWS Config规则或自定义 Security Hub CSPM 规则。确保没有任何 AWS Identity and Access Management (IAM) 策略或AWS Organizations托管策略会AWS Config阻止您获得记录资源的权限。Security Hub CSPM 控件直接评估资源配置,不考虑AWS Organizations策略。
注意
AWS 区域如果控件不可用,则相应的资源在中不可用AWS Config。有关这些限制的列表,请参阅对 Security Hub CSPM 控件的区域限制。
主题
所有 Security Hub CSPM 控件所需的资源
要让 Security Hub CSPM 生成已启用的变更触发控件的发现结果并使用AWS Config规则,您必须在中记录以下类型的资源。AWS Config此表还指出了哪些控件评估特定类型的资源。一个控件可以评估多种类型的资源。
| AWS 服务 | 资源类型 | 相关控件 |
|---|---|---|
| AWS Amplify | AWS::Amplify::App |
Amplify.1 |
AWS::Amplify::Branch |
Amplify.2 |
|
| Amazon API Gateway | AWS::ApiGateway::Stage |
APIGateway1. APIGateway2. APIGateway3. APIGateway4. APIGateway5. |
AWS::ApiGatewayV2::Stage |
APIGateway1. APIGateway.9 |
|
| AWS AppConfig | AWS::AppConfig::Application
|
AppConfig1. |
AWS::AppConfig::ConfigurationProfile
|
AppConfig2. |
|
AWS::AppConfig::Environment
|
AppConfig3. |
|
AWS::AppConfig::ExtensionAssociation
|
AppConfig4. |
|
| Amazon AppFlow | AWS::AppFlow::Flow
|
AppFlow1. |
| AWS App Runner | AWS::AppRunner::Service
|
AppRunner1. |
AWS::AppRunner::VpcConnector
|
AppRunner2. |
|
| AWS AppSync | AWS::AppSync::GraphQLApi
|
AppSync2. AppSync4. AppSync5. |
AWS::AppSync::ApiCache
|
AppSync1. AppSync.6 |
|
| AWS Backup | AWS::Backup::BackupPlan
|
Backup.5 |
AWS::Backup::BackupVault
|
Backup.3 |
|
AWS::Backup::RecoveryPoint
|
Backup.1 Backup.2 |
|
AWS::Backup::ReportPlan
|
Backup.4 |
|
| AWS Batch | AWS::Batch::ComputeEnvironment
|
Batch.3 Batch.4 |
AWS::Batch::JobQueue
|
Batch.1 |
|
AWS::Batch::SchedulingPolicy
|
Batch.2 |
|
| AWS Certificate Manager(ACM) | AWS::ACM::Certificate
|
ACM.1 ACM.2 ACM.3 |
| Amazon Athena | AWS::Athena::DataCatalog |
Athena.2 |
AWS::Athena::WorkGroup |
Athena.3 Athena.4 |
|
| AWS CloudFormation | AWS::CloudFormation::Stack |
CloudFormation2. CloudFormation3. CloudFormation4. |
| Amazon CloudFront | AWS::CloudFront::Distribution
|
CloudFront1. CloudFront3. CloudFront4. CloudFront5. CloudFront.6 CloudFront.7 CloudFront.8 CloudFront.9 CloudFront.10 CloudFront.13 CloudFront.14 CloudFront.15 CloudFront.16 CloudFront.17 |
| AWS CloudTrail | AWS::CloudTrail::Trail
|
CloudTrail.9 |
| 亚马逊 CloudWatch | AWS::CloudWatch::Alarm
|
CloudWatch.15 CloudWatch.17 |
| AWS CodeArtifact | AWS::CodeArtifact::Repository
|
CodeArtifact1. |
| AWS CodeBuild | AWS::CodeBuild::Project
|
CodeBuild1. CodeBuild2. CodeBuild3. CodeBuild4. |
AWS::CodeBuild::ReportGroup
|
CodeBuild.7 |
|
| Amazon P CodeGuru rofiler | AWS::CodeGuruProfiler::ProfilingGroup |
CodeGuruProfiler1. |
| Amazon CodeGuru Reviewer | AWS::CodeGuruReviewer::RepositoryAssociation |
CodeGuruReviewer1. |
| Amazon Cognito | AWS::Cognito::IdentityPool |
Cognito.2 |
AWS::Cognito::UserPool |
Cognito.1 Cognito.3 Cognito.4 Cognito.5 Cognito.6 |
|
| Amazon Connect | AWS::CustomerProfiles::ObjectType |
Connect.1 |
AWS::Connect::Instance |
Connect.2 | |
| AWS DataSync | AWS::DataSync::Task |
DataSync1. DataSync2. |
| Amazon Detective | AWS::Detective::Graph |
Detective.1 |
| AWS Database Migration Service(AWS DMS) | AWS::DMS::Certificate |
DMS.2 |
AWS::DMS::Endpoint
|
DMS.9 DMS.10 DMS.11 DMS.12 |
|
AWS::DMS::EventSubscription
|
DMS.3 | |
AWS::DMS::ReplicationInstance
|
DMS.4 DMS.6 DMS.13 |
|
AWS::DMS::ReplicationSubnetGroup
|
DMS.5 | |
AWS::DMS::ReplicationTask |
DMS.7 DMS.8 |
|
| Amazon DynamoDB | AWS::DynamoDB::Table
|
DynamoDB.1 DynamoDB.2 DynamoDB.5 DynamodB.6 |
| 亚马逊弹性计算云 (EC2) | AWS::EC2::ClientVpnEndpoint |
EC2.51 |
AWS::EC2::CustomerGateway |
EC2.36 | |
AWS::EC2::DHCPOptions |
EC2.174 | |
AWS::EC2::EIP |
EC2.12 EC2.37 |
|
AWS::EC2::FlowLog |
EC2.48 | |
AWS::EC2::Instance |
EC24. EC2.8 EC2.9 EC2.17 EC2.24 EC2.38 EMR.1 SSM.1 |
|
AWS::EC2::InternetGateway |
EC2.39 |
|
AWS::EC2::LaunchTemplate |
EC2.25 EC2.170 EC2.175 EC2.181 |
|
AWS::EC2::NatGateway |
EC2.40 |
|
AWS::EC2::NetworkAcl |
EC2.16 EC2.21 EC2.41 |
|
AWS::EC2::NetworkInterface |
EC2.22 EC2.35 EC2.180 |
|
AWS::EC2::PrefixList |
EC2.176 | |
AWS::EC2::RouteTable |
EC2.42 | |
AWS::EC2::SecurityGroup |
EC22. EC2.13 EC2.14 EC2.18 EC2.19 EC2.43 |
|
AWS::EC2::SnapshotBlockPublicAccess |
EC2.182 |
|
AWS::EC2::SpotFleet |
EC2.173 | |
AWS::EC2::Subnet |
EC2.15 EC2.44 ElastiCache.7 |
|
AWS::EC2::TrafficMirrorFilter |
EC2.178 | |
AWS::EC2::TrafficMirrorSession |
EC2.177 | |
AWS::EC2::TrafficMirrorTarget |
EC2.179 | |
AWS::EC2::TransitGateway |
EC2.23 EC2.52 |
|
AWS::EC2::TransitGatewayAttachment |
EC2.33 | |
AWS::EC2::TransitGatewayRouteTable |
EC2.34 | |
AWS::EC2::Volume |
EC23. EC2.45 |
|
AWS::EC2::VPC |
EC2.6 EC2.46 |
|
AWS::EC2::VPCBlockPublicAccessOptions |
EC2.172 |
|
AWS::EC2::VPCEndpointService |
EC2.47 | |
AWS::EC2::VPCPeeringConnection |
EC2.49 | |
AWS::EC2::VPNConnection |
EC2.20 EC2.171 |
|
AWS::EC2::VPNGateway |
EC2.50 | |
| Amazon A EC2 uto Scaling | AWS::AutoScaling::AutoScalingGroup |
AutoScaling1. AutoScaling2. AutoScaling.6 AutoScaling.9 AutoScaling.10 |
AWS::AutoScaling::LaunchConfiguration |
AutoScaling3. Autoscaling.5 |
|
| 亚马逊 S EC2 ystems Manager (SSM) | AWS::SSM::AssociationCompliance |
SSM.3 |
AWS::SSM::ManagedInstanceInventory |
SSM.1 |
|
AWS::SSM::PatchCompliance |
SSM.2 |
|
| Amazon Elastic Container Registry (Amazon ECR) | AWS::ECR::PublicRepository |
ECR.4 |
AWS::ECR::Repository |
ECR.2 ECR.3 ECR.5 |
|
| Amazon Elastic Container Service(Amazon ECS) | AWS::ECS::Cluster |
ECS.12 ECS.14 |
AWS::ECS::CapacityProvider |
ECS.19 |
|
AWS::ECS::Service |
ECS.2 ECS.10 ECS.13 |
|
AWS::ECS::TaskDefinition |
ECS.1 ECS.3 ECS.4 ECS.5 ECS.8 ECS.9 ECS.15 ECS.17 ECS.18 ECS.20 ECS.21 |
|
AWS::ECS::TaskSet |
ECS.16 |
|
| Amazon Elastic File System (Amazon EFS) | AWS::EFS::AccessPoint
|
EFS.3 EFS.4 EFS.5 |
AWS::EFS::FileSystem
|
EFS.7 EFS.8 |
|
| Amazon Elastic Kubernetes Service (Amazon EKS) | AWS::EKS::Cluster |
EKS.2 EKS.6 EKS.8 |
AWS::EKS::IdentityProviderConfig |
EKS.7 | |
| AWS Elastic Beanstalk | AWS::ElasticBeanstalk::Environment
|
ElasticBeanstalk1. ElasticBeanstalk2. ElasticBeanstalk3. |
| Elastic Load Balancing | AWS::ElasticLoadBalancing::LoadBalancer |
ELB.2 ELB.3 ELB.5 ELB.7 ELB.8 ELB.9 ELB.10 ELB.14 |
AWS::ElasticLoadBalancingV2::Listener |
ELB.17 ELB.18 |
|
AWS::ElasticLoadBalancingV2::LoadBalancer |
ELB.1 ELB.4 ELB.5 ELB.6 ELB.12 ELB.13 ELB.16 |
|
| ElasticSearch | AWS::Elasticsearch::Domain |
ES.3 ES.4 ES.5 ES.6 ES.7 ES.8 ES.9 |
| Amazon EMR | AWS::EMR::SecurityConfiguration |
EMR.3 EMR.4 |
| 亚马逊 EventBridge | AWS::Events::EventBus |
EventBridge2. EventBridge3. |
AWS::Events::Endpoint |
EventBridge4. |
|
| Amazon Fraud Detector | AWS::FraudDetector::EntityType |
FraudDetector1. |
AWS::FraudDetector::Label |
FraudDetector2. |
|
AWS::FraudDetector::Outcome |
FraudDetector3. |
|
AWS::FraudDetector::Variable |
FraudDetector4. |
|
| AWS Global Accelerator | AWS::GlobalAccelerator::Accelerator |
GlobalAccelerator1. |
| AWS Glue | AWS::Glue::Job |
Glue.1 胶水。4 |
AWS::Glue::MLTransform |
Glue.3 |
|
| 亚马逊 GuardDuty | AWS::GuardDuty::Detector |
GuardDuty4. |
AWS::GuardDuty::Filter |
GuardDuty2. |
|
AWS::GuardDuty::IPSet |
GuardDuty3. |
|
| AWS Identity and Access Management(IAM) | AWS::IAM::Group |
IAM.27 KMS.2 |
AWS::IAM::Policy |
IAM.1 IAM.21 KMS.1 |
|
AWS::IAM::Role |
IAM.24 IAM.27 KMS.2 |
|
AWS::IAM::User |
IAM.2 IAM.3 IAM.5 IAM.8 IAM.19 IAM.22 IAM.25 IAM.27 KMS.2 |
|
| AWS Identity and Access Management Access Analyzer | AWS::AccessAnalyzer::Analyzer |
IAM.23 |
| Amazon Interactive Video Service (Amazon IVS) | AWS::IVS::PlaybackKeyPair |
IVS.1 |
AWS::IVS::RecordingConfiguration |
IVS.2 |
|
AWS::IVS::Channel |
IVS.3 |
|
| AWS IoT | AWS::IoT::Authorizer |
IoT.4 |
AWS::IoT::Dimension |
IoT.3 |
|
AWS::IoT::MitigationAction |
IoT.2 |
|
AWS::IoT::Policy |
IoT.6 |
|
AWS::IoT::RoleAlias |
IoT.5 |
|
AWS::IoT::SecurityProfile |
IoT.1 |
|
| AWSIoT Events | AWS::IoTEvents::AlarmModel |
Io TEvents .3 |
AWS::IoTEvents::DetectorModel |
Io TEvents 2 |
|
AWS::IoTEvents::Input |
Io TEvents .1 |
|
| AWS物联网 SiteWise | AWS::IoTSiteWise::AssetModel |
Io TSite Wise.1 |
AWS::IoTSiteWise::Dashboard |
Io TSite Wise.2 |
|
AWS::IoTSiteWise::Gateway |
Io TSite Wise.3 |
|
AWS::IoTSiteWise::Portal |
Io TSite Wise.4 |
|
AWS::IoTSiteWise::Project |
Io TSite Wise.5 |
|
| AWS物联网 TwinMaker | AWS::IoTTwinMaker::Entity |
Io TTwin Maker.4 |
AWS::IoTTwinMaker::Scene |
Io TTwin Maker.3 |
|
AWS::IoTTwinMaker::SyncJob |
Io TTwin Maker.1 |
|
AWS::IoTTwinMaker::Workspace |
Io TTwin Maker.2 |
|
| AWSIoT Wireless | AWS::IoTWireless::MulticastGroup |
Io TWireless .1 |
AWS::IoTWireless::ServiceProfile |
Io TWireless 2 |
|
AWS::IoTWireless::FuotaTask |
Io TWireless .3 |
|
| Amazon Keyspaces(Apache Cassandra 兼容) | AWS::Cassandra::Keyspace |
Keyspaces.1 |
| Amazon Kinesis | AWS::Kinesis::Stream |
Kinesis.1 Kinesis.2 Kinesis.3 |
| AWS Key Management Service(AWS KMS) | AWS::KMS::Alias |
S3.17 |
AWS::KMS::Key |
KMS.3 KMS.5 S3.17 |
|
| AWS Lambda | AWS::Lambda::Function |
Lambda.1 Lambda.2 Lambda.3 Lambda.5 Lambda.6 Lambda.7 |
| Amazon MSK | AWS::MSK::Cluster |
MSK.1 MSK.2 MSK.4 MSK.6 |
AWS::KafkaConnect::Connector |
MSK.3 MSK.5 |
|
| Amazon MQ | AWS::AmazonMQ::Broker |
MQ.2 MQ.3 MQ.4 MQ.5 MQ.6 |
| AWS Network Firewall | AWS::NetworkFirewall::Firewall |
NetworkFirewall1. NetworkFirewall.7 NetworkFirewall.9 NetworkFirewall.10 |
AWS::NetworkFirewall::FirewallPolicy |
NetworkFirewall3. NetworkFirewall4. NetworkFirewall5. NetworkFirewall.8 |
|
AWS::NetworkFirewall::RuleGroup |
NetworkFirewall.6 |
|
| 亚马逊 OpenSearch 服务 | AWS::OpenSearch::Domain |
Opensearch.1 Opensearch.2 Opensearch.3 Opensearch.4 Opensearch.5 Opensearch.6 Opensearch.7 Opensearch.8 OpenSearch.9 Opensearch.10 Opensearch.11 |
| AWS 私有 CA | AWS::ACMPCA::CertificateAuthority |
PCA.2 |
| Amazon Relational Database Service (Amazon RDS) | AWS::RDS::DBCluster |
DocumentDB.1 DocumentDB.2 DocumentDB.4 DocumentDB.5 Neptune.1 Neptune.2 Neptune.4 Neptune.5 Neptune.7 Neptune.8 Neptune.9 RDS.7 RDS.12 RDS.14 RDS.15 RDS.16 RDS.24 RDS.27 RDS.28 RDS.34 RDS.35 RDS.37 RDS.47 RDS.48 |
AWS::RDS::DBClusterSnapshot |
DocumentDB.3 Neptune.3 Neptune.6 RDS.1 RDS.4 RDS.29 |
|
AWS::RDS::DBInstance |
RDS.2 RDS.3 RDS.5 RDS.6 RDS.8 RDS.9 RDS.10 RDS.11 RDS.13 RDS.17 RDS.18 RDS.23 RDS.25 RDS.30 RDS.36 RDS.40 |
|
AWS::RDS::DBSecurityGroup |
RDS.31 |
|
AWS::RDS::DBSnapshot |
RDS.1 RDS.4 RDS.32 |
|
AWS::RDS::DBSubnetGroup |
RDS.33 |
|
AWS::RDS::EventSubscription |
RDS.19 RDS.20 RDS.21 RDS.22 |
|
| Amazon Redshift | AWS::Redshift::Cluster |
Redshift.1 Redshift.2 Redshift.3 Redshift.4 Redshift.6 Redshift.7 Redshift.8 Redshift.10 Redshift.11 Redshift.18 |
AWS::Redshift::ClusterParameterGroup |
Redshift.2 Redshift.17 |
|
AWS::Redshift::ClusterSnapshot |
Redshift.13 |
|
AWS::Redshift::ClusterSubnetGroup |
Redshift.14 Redshift.16 |
|
AWS::Redshift::EventSubscription |
Redshift.12 |
|
| Amazon Route 53 | AWS::Route53::HostedZone |
Route53.2 |
AWS::Route53::HealthCheck |
Route53.1 |
|
| Amazon Simple Storage Service(Amazon S3) | AWS::S3::AccessPoint |
S3.19 |
AWS::S3::AccountPublicAccessBlock |
S3.2 S3.3 |
|
AWS::S3::Bucket |
CloudTrail.6 CloudTrail.7 S3.2 S3.3 S3.5 S3.6 S3.7 S3.8 S3.9 S3.10 S3.11 S3.12 S3.13 S3.14 S3.15 S3.17 S3.20 |
|
AWS::S3::MultiRegionAccessPoint |
S3.24 |
|
AWS::S3Express::DirectoryBucket |
S3.25 |
|
| 亚马逊 SageMaker AI | AWS::SageMaker::AppImageConfig
|
SageMaker.6 |
AWS::SageMaker::Image
|
SageMaker.7 |
|
AWS::SageMaker::Model
|
SageMaker5. |
|
AWS::SageMaker::NotebookInstance
|
SageMaker2. SageMaker3. |
|
| AWS Secrets Manager | AWS::SecretsManager::Secret
|
SecretsManager1. SecretsManager2. SecretsManager5. |
| AWS Service Catalog | AWS::ServiceCatalog::Portfolio
|
ServiceCatalog1. |
| Amazon Simple Email Service (Amazon SES) | AWS::SES::ConfigurationSet
|
SES.2 SES.3 |
AWS::SES::ContactList
|
SES.1 |
|
| Amazon Simple Notification Service (Amazon SNS) | AWS::SNS::Topic
|
SNS.1 SNS.3 SNS.4 |
| Amazon Simple Queue Service (Amazon SQS) | AWS::SQS::Queue
|
SQS.1 SQS.2 SQS.3 |
| AWS Step Functions | AWS::StepFunctions::StateMachine |
StepFunctions1. |
AWS::StepFunctions::Activity |
StepFunctions2. |
|
| AWS Systems Manager(SSM) | AWS::SSM::Document
|
SSM.5 |
| AWS Transfer Family | AWS::Transfer::Agreement |
转账。4 |
AWS::Transfer::Certificate |
转账.5 |
|
AWS::Transfer::Connector |
转账。3 Transfer.6 |
|
AWS::Transfer::Profile |
Transfer.7 |
|
AWS::Transfer::Workflow |
Transfer.1 |
|
| AWS WAF | AWS::WAF::Rule |
WAF.6 |
AWS::WAF::RuleGroup |
WAF.7 |
|
AWS::WAF::WebACL |
WAF.1 WAF.8 |
|
AWS::WAFRegional::Rule |
WAF.2 |
|
AWS::WAFRegional::RuleGroup |
WAF.3 |
|
AWS::WAFRegional::WebACL |
WAF.4 |
|
AWS::WAFv2::RuleGroup |
WAF.12 |
|
AWS::WAFv2::WebACL |
WAF.10 WAF.11 |
|
| 亚马逊 WorkSpaces | AWS::WorkSpaces::WorkSpace |
WorkSpaces1. WorkSpaces2. |
AWS 基础安全最佳实践标准所需的资源
为了让 Security Hub CSPM 准确报告适用于AWS基础安全最佳实践标准 (v.1.0.0)、已启用并使用AWS Config规则的变更触发控制的结果,您必须在中记录以下类型的资源。AWS Config有关此标准的信息,请参阅 AWSSecurity Hub CSPM 中的基础安全最佳实践标准。
| AWS 服务 | 资源类型 |
|---|---|
|
Amazon API Gateway |
|
|
AWS AppSync |
|
|
AWS Backup |
|
|
AWS Certificate Manager(ACM) |
|
|
AWS CloudFormation |
|
|
亚马逊 CloudFront |
|
|
AWS CodeBuild |
|
|
Amazon Cognito |
|
|
Amazon Connect |
|
|
AWS DataSync |
|
|
AWS Database Migration Service(AWS DMS) |
|
|
Amazon DynamoDB |
|
| 亚马逊 S EC2 ystems Manager (SSM) |
|
|
亚马逊弹性计算云(亚马逊 EC2) |
|
|
Amazon A EC2 uto Scaling |
|
|
Amazon Elastic Container Registry(Amazon ECR) |
|
|
Amazon Elastic Container Service(Amazon ECS) |
|
|
Amazon Elastic File System(Amazon EFS) |
|
|
Amazon Elastic Kubernetes Service(Amazon EKS) |
|
|
AWS Elastic Beanstalk |
|
|
Elastic Load Balancing |
|
|
ElasticSearch |
|
|
Amazon EMR |
|
|
AWS Glue |
|
|
AWS Identity and Access Management(IAM) |
|
|
Amazon Kinesis |
|
|
AWS Key Management Service(AWS KMS) |
|
|
AWS Lambda |
|
|
Amazon Managed Streaming for Apache Kafka (Amazon MSK) |
|
|
AWS Network Firewall |
|
|
亚马逊 OpenSearch 服务 |
|
|
Amazon Relational Database Service (Amazon RDS) |
|
|
Amazon Redshift |
|
|
Amazon Redshift Serverless |
|
|
Amazon Route 53 |
|
|
Amazon Simple Storage Service(Amazon S3) |
|
|
亚马逊 SageMaker AI |
|
|
Amazon Simple Notification Service (Amazon SNS) |
|
|
Amazon Simple Queue Service (Amazon SQS) |
|
|
AWS Secrets Manager |
|
|
AWS Step Functions |
|
|
AWS Transfer Family |
|
|
AWS WAF |
|
|
亚马逊 WorkSpaces |
|
独联体AWS基金会基准测试所需的资源
要对适用于互联网安全中心 (CIS) AWS 基金会基准测试的已启用控件进行安全检查,Security Hub CSPM 要么执行为检查规定的确切审计步骤,要么使用特定的AWS Config托管规则。有关 Security Hub CSPM 中此标准的更多信息,请参阅 CIS AWS 基金会在 Security Hub CSPM 中的基准。
CIS v5.0.0 所需的资源
为了让 Security Hub CSPM 准确报告已启用 CIS v5.0.0 更改触发的使用AWS Config规则的控件的调查结果,您必须在中记录以下类型的资源。AWS Config
| AWS 服务 | 资源类型 |
|---|---|
|
亚马逊弹性计算云(亚马逊 EC2) |
|
|
Amazon Elastic File System (Amazon EFS) |
|
|
AWS Identity and Access Management(IAM) |
|
|
Amazon Relational Database Service(Amazon RDS) |
|
|
Amazon Simple Storage Service(Amazon S3) |
|
CIS v3.0.0 所需的资源
为了让 Security Hub CSPM 准确报告已启用 CIS v3.0.0 更改触发的使用AWS Config规则的控件的调查结果,您必须在中记录以下类型的资源。AWS Config
| AWS 服务 | 资源类型 |
|---|---|
|
亚马逊弹性计算云(亚马逊 EC2) |
|
|
AWS Identity and Access Management(IAM) |
|
|
Amazon Relational Database Service(Amazon RDS) |
|
|
Amazon Simple Storage Service(Amazon S3) |
|
CIS v1.4.0 所需的 资源
为了让 Security Hub CSPM 准确报告已启用 CIS v1.4.0 更改触发的使用AWS Config规则的控件的调查结果,您必须在中记录以下类型的资源。AWS Config
| AWS 服务 | 资源类型 |
|---|---|
|
亚马逊弹性计算云(亚马逊 EC2) |
|
|
AWS Identity and Access Management(IAM) |
|
|
Amazon Relational Database Service(Amazon RDS) |
|
|
Amazon Simple Storage Service(Amazon S3) |
|
CIS v1.2.0 所需的 资源
为了让 Security Hub CSPM 准确报告已启用 CIS v1.2.0 更改触发的使用AWS Config规则的控件的调查结果,您必须在中记录以下类型的资源。AWS Config
| AWS 服务 | 资源类型 |
|---|---|
|
亚马逊弹性计算云(亚马逊 EC2) |
|
|
AWS Identity and Access Management(IAM) |
|
NIST SP 800-53 修订版 5 标准所需的资源
为了让 Security Hub CSPM 准确报告适用于 NIST SP 800-53 修订版 5 标准、已启用并使用AWS Config规则的变更触发控制的结果,您必须在中记录以下类型的资源。AWS Config有关此标准的信息,请参阅 Security Hub CSPM 中的 NIST SP 800-53 修订版 5。
| AWS 服务 | 资源类型 |
|---|---|
|
Amazon API Gateway |
|
|
AWS AppSync |
|
|
AWS Backup |
|
|
AWS Certificate Manager(ACM) |
|
|
AWS CloudFormation |
|
|
亚马逊 CloudFront |
|
|
亚马逊 CloudWatch |
|
|
AWS CodeBuild |
|
|
AWS Database Migration Service(AWS DMS) |
|
|
Amazon DynamoDB |
|
|
亚马逊弹性计算云(亚马逊 EC2) |
|
|
Amazon A EC2 uto Scaling |
|
|
Amazon Elastic Container Registry(Amazon ECR) |
|
|
Amazon Elastic Container Service(Amazon ECS) |
|
|
Amazon Elastic File System(Amazon EFS) |
|
|
Amazon Elastic Kubernetes Service(Amazon EKS) |
|
|
AWS Elastic Beanstalk |
|
|
Elastic Load Balancing |
|
|
亚马逊 ElasticSearch |
|
|
Amazon EMR |
|
|
亚马逊 EventBridge |
|
|
AWS Glue |
|
|
AWS Identity and Access Management(IAM) |
|
|
AWS Key Management Service(AWS KMS) |
|
|
Amazon Kinesis |
|
|
AWS Lambda |
|
|
Amazon Managed Streaming for Apache Kafka (Amazon MSK) |
|
|
Amazon MQ |
|
|
AWS Network Firewall |
|
|
亚马逊 OpenSearch 服务 |
|
|
Amazon Relational Database Service (Amazon RDS) |
|
|
Amazon Redshift |
|
|
Amazon Route 53 |
|
|
Amazon Simple Storage Service(Amazon S3) |
|
|
AWS Service Catalog |
|
|
Amazon Simple Notification Service (Amazon SNS) |
|
|
Amazon Simple Queue Service (Amazon SQS) |
|
| 亚马逊 S EC2 ystems Manager (SSM) |
|
|
亚马逊 SageMaker AI |
|
|
AWS Secrets Manager |
|
|
AWS Transfer Family |
|
|
AWS WAF |
|
NIST SP 800-171 修订版 2 标准所需的资源
为了让 Security Hub CSPM 准确报告适用于 NIST SP 800-171 修订版 2 标准、已启用并使用AWS Config规则的变更触发控制的结果,您必须在中记录以下类型的资源。AWS Config有关此标准的信息,请参阅 Security Hub CSPM 中的 NIST SP 800-171 修订版 2。
| AWS 服务 | 资源类型 |
|---|---|
| AWS Certificate Manager (ACM) |
|
| Amazon API Gateway |
|
| 亚马逊 CloudFront |
|
| 亚马逊 CloudWatch |
|
| 亚马逊弹性计算云(亚马逊 EC2) |
|
| Elastic Load Balancing |
|
| AWS Identity and Access Management (IAM) |
|
| AWS Key Management Service (AWS KMS) |
|
| AWS Network Firewall |
|
| Amazon Simple Storage Service (Amazon S3) |
|
| Amazon Simple Notification Service (Amazon SNS) |
|
| AWS Systems Manager (SSM) |
|
| AWS WAF |
|
PCI DSS v3.2.1 所需的资源
为了使 Security Hub CSPM 能够为适用于支付卡行业数据安全标准(PCI DSS)v3.2.1、已启用并且使用 AWS Config 规则的控件准确报告调查发现,您必须在 AWS Config 中记录以下类型的资源。有关此标准的信息,请参阅 Security Hub CSPM 中的 PCI DSS。
| AWS 服务 | 资源类型 |
|---|---|
|
AWS CodeBuild |
|
|
亚马逊弹性计算云(亚马逊 EC2) |
|
|
Amazon A EC2 uto Scaling |
|
|
AWS Identity and Access Management(IAM) |
|
|
AWS Lambda |
|
|
亚马逊 OpenSearch 服务 |
|
|
Amazon Relational Database Service (Amazon RDS) |
|
|
Amazon Redshift |
|
|
Amazon Simple Storage Service(Amazon S3) |
|
| 亚马逊 S EC2 ystems Manager (SSM) |
|
资源标签标准所需的AWS资源
所有适用于AWS资源标记标准的控件都是触发变更的,并使用AWS Config规则。为了让 Security Hub CSPM 准确报告这些控件的调查结果,您必须在中记录以下类型的资源。AWS Config有关此标准的信息,请参阅 AWSSecurity Hub CSPM 中的资源标记标准。
| AWS 服务 | 资源类型 |
|---|---|
| AWS Amplify |
|
| 亚马逊 AppFlow |
|
| AWS App Runner |
|
| AWS AppConfig |
|
| AWS AppSync |
|
| Amazon Athena |
|
| AWS Backup |
|
| AWS Batch |
|
| AWS Certificate Manager(ACM) |
|
| AWS CloudFormation |
|
| 亚马逊 CloudFront |
|
| AWS CloudTrail |
|
| AWS CodeArtifact |
|
| 亚马逊 CodeGuru |
|
| Amazon Connect |
|
| AWS Database Migration Service(AWS DMS) |
|
| AWS DataSync |
|
| Amazon Detective |
|
| Amazon DynamoDB |
|
| 亚马逊弹性计算云 (EC2) |
|
| Amazon A EC2 uto Scaling |
|
| Amazon Elastic Container Registry(Amazon ECR) |
|
| Amazon Elastic Container Service(Amazon ECS) |
|
| Amazon Elastic File System(Amazon EFS) |
|
| Amazon Elastic Kubernetes Service(Amazon EKS) |
|
| AWS Elastic Beanstalk |
|
| ElasticSearch |
|
| 亚马逊 EventBridge |
|
| Amazon Fraud Detector |
|
| AWS Global Accelerator |
|
| AWS Glue |
|
| 亚马逊 GuardDuty |
|
| AWS Identity and Access Management(IAM) |
|
| AWS Identity and Access Management Access Analyzer(IAM 访问分析器) |
|
| AWS IoT |
|
| AWS IoT活动 |
|
| AWS IoTSiteWise |
|
| AWS IoTTwinMaker |
|
| AWS IoT无线 |
|
| Amazon Interactive Video Service (Amazon IVS) |
|
| Amazon Keyspaces(Apache Cassandra 兼容) |
|
| Amazon Kinesis |
|
| AWS Lambda |
|
| Amazon MQ |
|
| AWS Network Firewall |
|
| 亚马逊 OpenSearch 服务 |
|
| AWS 私有证书颁发机构 |
|
| Amazon Relational Database Service |
|
| Amazon Redshift |
|
| Amazon Route 53 |
|
| 亚马逊 SageMaker AI |
|
| AWS Secrets Manager |
|
| Amazon Simple Email Service (Amazon SES) |
|
| Amazon Simple Notification Service (Amazon SNS) |
|
| Amazon Simple Queue Service (Amazon SQS) |
|
| AWS Step Functions |
|
| AWS Systems Manager(SSM) |
|
| AWS Transfer Family |
|
