


# Impact of consolidation on ASFF fields and values
<a name="asff-changes-consolidation"></a>

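AWS Security Hub CSPM offers two types of consolidation for controls:
+ **Consolidated controls view** – With this type of consolidation, each control has a single identifier across all standards. In addition, on the Security Hub CSPM console, the **Controls** page displays all controls across all standards.
+ **Consolidated control findings** – With this type of consolidation, Security Hub CSPM produces a single finding for a control, even if the control applies to multiple enabled standards. This can reduce finding noise.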

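You can't enable or disable consolidated controls view. Consolidated control findings is enabled by default if you enable Security Hub CSPM on or after February 23, 2023. Otherwise, it is disabled by default. However, for organizations, consolidated control findings can be enabled for Security Hub CSPM member accounts only if it is enabled for the administrator account. To learn more about consolidated control findings, see [Generating and updating control findings](controls-findings-create-update.md).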

Both types of consolidation affect the fields and values of control findings in the [AWS Security Finding Format (ASFF)](securityhub-findings-format.md).

**Topics**
+ [Consolidated controls view – ASFF changes](#securityhub-findings-format-consolidated-controls-view)
+ [Consolidated control findings – ASFF changes](#securityhub-findings-format-consolidated-control-findings)
+ [Generator IDs before and after enabling consolidated control findings](#securityhub-findings-format-changes-generator-ids)
+ [How consolidation impacts control IDs and titles](#securityhub-findings-format-changes-ids-titles)
+ [Updating workflows for consolidation](#securityhub-findings-format-changes-prepare)

## Consolidated controls view – ASFF changes
<a name="securityhub-findings-format-consolidated-controls-view"></a>

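The consolidated controls view feature introduced the following changes to the fields and values of control findings in the ASFF. If your workflows don't rely on the values of these ASFF fields, no action is required. If you have workflows that rely on specific values for these fields, update your workflows to use the current values.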


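| ASFF field  | Sample value before consolidated controls view  | Sample value after consolidated controls view, and description of change  | 
| --- | --- | --- | 
|  Compliance.SecurityControlId  |  Not applicable (new field)  |  EC2.2 Introduces a single control ID across standards. `ProductFields.RuleId` still provides the standard-based control ID for CIS v1.2.0 controls. `ProductFields.ControlId` still provides the standard-based control ID for controls in other standards.  | 
|  Compliance.AssociatedStandards  |  Not applicable (new field)  |  [{"StandardsId": "standards/aws-foundational-security-best-practices/v/1.0.0"}] Shows which standards a control is enabled in.  | 
|  ProductFields.ArchivalReasons:0/Description  |  Not applicable (new field)  |  "The finding is in an ARCHIVED state because consolidated control findings has been turned on or off. This causes findings in the previous state to be archived when new findings are being generated." Describes why Security Hub CSPM has archived existing findings.  | 
|  ProductFields.ArchivalReasons:0/ReasonCode  |  Not applicable (new field)  |  "CONSOLIDATED_CONTROL_FINDINGS_UPDATE" Provides the reason why Security Hub CSPM has archived existing findings.  | 
|  ProductFields.RecommendationUrl  |  https://docs.aws.amazon.com/console/securityhub/PCI.EC2.2/remediation  |  https://docs.aws.amazon.com/console/securityhub/EC2.2/remediation This field no longer references a standard.  | 
|  Remediation.Recommendation.Text  |  "For directions on how to fix this issue, consult the AWS Security Hub CSPM PCI DSS documentation."  |  "For directions on how to fix this issue, consult the AWS Security Hub CSPM controls documentation." This field no longer references a standard.  | 
|  Remediation.Recommendation.Url  |  https://docs.aws.amazon.com/console/securityhub/PCI.EC2.2/remediation  |  https://docs.aws.amazon.com/console/securityhub/EC2.2/remediation This field no longer references a standard.  | 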

## Consolidated control findings – ASFF changes
<a name="securityhub-findings-format-consolidated-control-findings"></a>

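If you enable consolidated control findings, the fields and values of control findings in the ASFF might be affected by the following changes. These changes are in addition to the changes introduced by the consolidated controls view feature. If your workflows don't rely on the values of these ASFF fields, no action is required. If you have workflows that rely on specific values for these fields, update your workflows to use the current values.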

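**Tip**  
If you use the [Automated Security Response on AWS v2.0.0](https://aws.amazon.com/solutions/implementations/aws-security-hub-automated-response-and-remediation/) solution, note that it supports consolidated control findings. This means that you can maintain your current workflows if you enable consolidated control findings.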


| ASFF field  | Example value before enabling consolidated control findings  | Example value after enabling consolidated control findings, and description of change  | 
| --- | --- | --- | 
| GeneratorId |  aws-foundational-security-best-practices/v/1.0.0/Config.1  |  security-control/Config.1 This field no longer references a standard.  | 
|  Title  |  PCI.Config.1 AWS Config should be enabled  |  AWS Config should be enabled This field no longer references standard-specific information.  | 
|  Id  |  arn:aws:securityhub:eu-central-1:123456789012:subscription/pci-dss/v/3.2.1/PCI.IAM.5/finding/ab6d6a26-a156-48f0-9403-115983e5a956  |  arn:aws:securityhub:eu-central-1:123456789012:security-control/iam.9/finding/ab6d6a26-a156-48f0-9403-115983e5a956 This field no longer references a standard.  | 
|  ProductFields.ControlId  |  PCI.EC2.2  |  Removed. See `Compliance.SecurityControlId` instead. This field is removed in favor of a single, standard-agnostic control ID.  | 
|  ProductFields.RuleId  |  1.3  |  Removed. See `Compliance.SecurityControlId` instead. This field is removed in favor of a single, standard-agnostic control ID.  | 
|  Description  |  This PCI DSS control checks whether AWS Config is enabled in the current account and Region.  |  This AWS control checks whether AWS Config is enabled in the current account and Region. This field no longer references a standard.  | 
|  Severity  |  "Severity": { "Product": 90, "Label": "CRITICAL", "Normalized": 90, "Original": "CRITICAL" }  |  "Severity": { "Label": "CRITICAL", "Normalized": 90, "Original": "CRITICAL" } Security Hub CSPM no longer uses the Product field to describe the severity of a finding.  | 
|  Types  |  ["Software and Configuration Checks/Industry and Regulatory Standards/PCI-DSS"]  |  ["Software and Configuration Checks/Industry and Regulatory Standards"] This field no longer references a standard.  | 
|  Compliance.RelatedRequirements  |  ["PCI DSS 10.5.2", "PCI DSS 11.5", "CIS AWS Foundations 2.5"]  |  ["PCI DSS v3.2.1/10.5.2", "PCI DSS v3.2.1/11.5", "CIS AWS Foundations Benchmark v1.2.0/2.5"] This field shows the related requirements in all enabled standards.  | 
|  CreatedAt  |  2022-05-05T08:18:13.138Z  |  2022-09-25T08:18:13.138Z The format stays the same, but the value resets when you enable consolidated control findings.  | 
|  FirstObservedAt  |  2022-05-07T08:18:13.138Z  |  2022-09-28T08:18:13.138Z The format stays the same, but the value resets when you enable consolidated control findings.  | 
|  ProductFields.RecommendationUrl  |  https://docs.aws.amazon.com/console/securityhub/EC2.2/remediation  |  Removed. See `Remediation.Recommendation.Url` instead.  | 
|  ProductFields.StandardsArn  |  arn:aws:securityhub:::standards/aws-foundational-security-best-practices/v/1.0.0  |  Removed. See `Compliance.AssociatedStandards` instead.  | 
|  ProductFields.StandardsControlArn  |  arn:aws:securityhub:us-east-1:123456789012:control/aws-foundational-security-best-practices/v/1.0.0/Config.1  |  Removed. Security Hub CSPM generates one finding for a security check across standards.  | 
|  ProductFields.StandardsGuideArn  |  arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0  |  Removed. See `Compliance.AssociatedStandards` instead.  | 
|  ProductFields.StandardsGuideSubscriptionArn  |  arn:aws:securityhub:us-east-2:123456789012:subscription/cis-aws-foundations-benchmark/v/1.2.0  |  Removed. Security Hub CSPM generates one finding for a security check across standards.  | 
|  ProductFields.StandardsSubscriptionArn  |  arn:aws:securityhub:us-east-1:123456789012:subscription/aws-foundational-security-best-practices/v/1.0.0  |  Removed. Security Hub CSPM generates one finding for a security check across standards.  | 
|  ProductFields.aws/securityhub/FindingId  |  arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:123456789012:subscription/aws-foundational-security-best-practices/v/1.0.0/Config.1/finding/751c2173-7372-4e12-8656-a5210dfb1d67  |  arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:123456789012:security-control/Config.1/finding/751c2173-7372-4e12-8656-a5210dfb1d67 This field no longer references a standard.  | 
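
The field changes in the two tables above, applied to a workflow: this added example (not AWS code) resolves one standard-agnostic control ID and the associated standards for findings stored before or after consolidation, and skips findings that were archived only because consolidation was switched. The helper names and sample findings are constructed; the `RENAMED` rows are a subset of the generator ID table on this page, and treating the resource part of a legacy standards ARN as the `StandardsId` is an assumption.

```python
# Added example: one lookup path for control findings stored before and after
# consolidation (for instance in a SIEM or an S3 export). Samples are constructed.

# Rows from this page's generator ID table where the control ID itself changes.
# This is a subset; extend it from the table for the standards you use.
CIS12 = "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/"
RENAMED = {
    CIS12 + "1.13": "IAM.9",
    CIS12 + "2.5": "Config.1",
    CIS12 + "4.3": "EC2.2",
    "cis-aws-foundations-benchmark/v/1.4.0/3.5": "Config.1",
    "cis-aws-foundations-benchmark/v/1.4.0/5.3": "EC2.2",
    "aws-foundational-security-best-practices/v/1.0.0/ELBv2.1": "ELB.1",
    "pci-dss/v/3.2.1/PCI.CloudTrail.1": "CloudTrail.2",
    "pci-dss/v/3.2.1/PCI.Config.1": "Config.1",
    "pci-dss/v/3.2.1/PCI.CW.1": "CloudWatch.1",
    "pci-dss/v/3.2.1/PCI.EC2.4": "EC2.12",
    "pci-dss/v/3.2.1/PCI.ELBv2.1": "ELB.1",
}
FSBP_PREFIX = "aws-foundational-security-best-practices/v/1.0.0/"
NEW_PREFIX = "security-control/"
ARCHIVE_KEY = "ArchivalReasons:0/ReasonCode"
ARCHIVE_CODE = "CONSOLIDATED_CONTROL_FINDINGS_UPDATE"


def security_control_id(finding):
    """Standard-agnostic control ID, or None when it cannot be determined."""
    cid = (finding.get("Compliance") or {}).get("SecurityControlId")
    if cid:
        return cid
    gen = finding.get("GeneratorId", "")
    if gen.startswith(NEW_PREFIX):
        return gen[len(NEW_PREFIX):]
    if gen in RENAMED:
        return RENAMED[gen]
    # The other FSBP rows listed on the page keep their control ID unchanged.
    if gen.startswith(FSBP_PREFIX):
        return gen[len(FSBP_PREFIX):]
    return None  # unknown legacy generator: do not guess a control


def associated_standards(finding):
    """Standards IDs from Compliance.AssociatedStandards, else the removed ARN fields."""
    entries = (finding.get("Compliance") or {}).get("AssociatedStandards") or []
    ids = [e["StandardsId"] for e in entries if e.get("StandardsId")]
    if ids:
        return ids
    fields = finding.get("ProductFields") or {}
    arn = fields.get("StandardsArn") or fields.get("StandardsGuideArn") or ""
    parts = arn.split(":", 5)  # assumption: StandardsId is the ARN's resource part
    return [parts[5]] if len(parts) == 6 and parts[5] else []


def archived_by_consolidation(finding):
    """True when the finding was archived because consolidation was turned on or off."""
    return (finding.get("ProductFields") or {}).get(ARCHIVE_KEY) == ARCHIVE_CODE


def active_controls(findings):
    """Map (control ID, resource ID) to the sorted standards that report it."""
    merged = {}
    for f in findings:
        cid = security_control_id(f)
        if cid is None or archived_by_consolidation(f):
            continue  # archival by consolidation is not a remediation signal
        for res in f.get("Resources") or [{}]:
            merged.setdefault((cid, res.get("Id")), set()).update(associated_standards(f))
    return {key: sorted(value) for key, value in merged.items()}


ACCOUNT = "AWS::::Account:123456789012"  # constructed resource ID
SAMPLE = [  # constructed findings, trimmed to the fields used above
    {"GeneratorId": FSBP_PREFIX + "Config.1", "Resources": [{"Id": ACCOUNT}],
     "ProductFields": {"ControlId": "Config.1", "StandardsArn":
         "arn:aws:securityhub:::standards/aws-foundational-security-best-practices/v/1.0.0"}},
    {"GeneratorId": CIS12 + "2.5", "Resources": [{"Id": ACCOUNT}],
     "ProductFields": {"RuleId": "2.5", "StandardsGuideArn":
         "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0"}},
    {"GeneratorId": "pci-dss/v/3.2.1/PCI.Config.1", "RecordState": "ARCHIVED",
     "Resources": [{"Id": ACCOUNT}],
     "ProductFields": {"ControlId": "PCI.Config.1", ARCHIVE_KEY: ARCHIVE_CODE}},
    {"GeneratorId": "security-control/Config.1", "Resources": [{"Id": ACCOUNT}],
     "Compliance": {"SecurityControlId": "Config.1", "AssociatedStandards": [
         {"StandardsId": "standards/aws-foundational-security-best-practices/v/1.0.0"},
         {"StandardsId": "standards/pci-dss/v/3.2.1"}]}},
]

if __name__ == "__main__":
    for key, standards in active_controls(SAMPLE).items():
        print(key, standards)
```

Returning `None` for an unrecognized legacy generator ID keeps a rule from silently matching the wrong control when the table subset is incomplete.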

### Values for customer-provided ASFF fields after turning on consolidated control findings
<a name="consolidated-controls-view-customer-provided-values"></a>

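If you enable consolidated control findings, Security Hub CSPM generates one finding across standards and archives the original findings (separate findings for each standard).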

Updates that you made to the original findings by using the Security Hub CSPM console or the [BatchUpdateFindings](https://docs.aws.amazon.com/securityhub/latest/userguide/finding-update-batchupdatefindings.html) operation are not preserved in the new findings. If necessary, you can recover this data by referring to the archived findings. To review archived findings, you can use the **Findings** page on the Security Hub CSPM console and set the **Record state** filter to **ARCHIVED**. Alternatively, you can use the [GetFindings](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_GetFindings.html) operation of the Security Hub CSPM API.


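| Customer-provided ASFF field  | Description of change after enabling consolidated control findings  | 
| --- | --- | 
|  Confidence  |  Resets to empty state. | 
|  Criticality  |  Resets to empty state. | 
|  Note  |  Resets to empty state. | 
|  RelatedFindings  |  Resets to empty state. | 
|  Severity  |  Default severity of the finding (matches the severity of the control). | 
|  Types  |  Resets to a standard-agnostic value. | 
|  UserDefinedFields  |  Resets to empty state. | 
|  VerificationState  |  Resets to empty state. | 
|  Workflow  |  New failed findings have a default value of NEW. New passed findings have a default value of RESOLVED. | 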

## Generator IDs before and after enabling consolidated control findings
<a name="securityhub-findings-format-changes-generator-ids"></a>

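The following table lists the changes to generator ID values for controls when you enable consolidated control findings. These changes apply to controls that Security Hub CSPM supported as of February 15, 2023.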


| GeneratorID before enabling consolidated control findings  | GeneratorID after enabling consolidated control findings  | 
| --- | --- | 
|  arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/1.1  |  security-control/CloudWatch.1  | 
|  arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/1.10  |  security-control/IAM.16  | 
|  arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/1.11  |  security-control/IAM.17  | 
|  arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/1.12  |  security-control/IAM.4  | 
|  arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/1.13  |  security-control/IAM.9  | 
|  arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/1.14  |  security-control/IAM.6  | 
|  arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/1.16  |  security-control/IAM.2  | 
|  arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/1.2  |  security-control/IAM.5  | 
|  arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/1.20  |  security-control/IAM.18  | 
|  arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/1.22  |  security-control/IAM.1  | 
|  arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/1.3  |  security-control/IAM.8  | 
|  arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/1.4  |  security-control/IAM.3  | 
|  arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/1.5  |  security-control/IAM.11  | 
|  arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/1.6  |  security-control/IAM.12  | 
|  arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/1.7  |  security-control/IAM.13  | 
|  arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/1.8  |  security-control/IAM.14  | 
|  arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/1.9  |  security-control/IAM.15  | 
|  arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/2.1  |  security-control/CloudTrail.1  | 
|  arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/2.2  |  security-control/CloudTrail.4  | 
|  arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/2.3  |  security-control/CloudTrail.6  | 
|  arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/2.4  |  security-control/CloudTrail.5  | 
|  arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/2.5  |  security-control/Config.1  | 
|  arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/2.6  |  security-control/CloudTrail.7  | 
|  arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/2.7  |  security-control/CloudTrail.2  | 
|  arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/2.8  |  security-control/KMS.4  | 
|  arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/2.9  |  security-control/EC2.6  | 
|  arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/3.1  |  security-control/CloudWatch.2  | 
|  arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/3.2  |  security-control/CloudWatch.3  | 
|  arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/3.3  |  security-control/CloudWatch.1  | 
|  arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/3.4  |  security-control/CloudWatch.4  | 
|  arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/3.5  |  security-control/CloudWatch.5  | 
|  arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/3.6  |  security-control/CloudWatch.6  | 
|  arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/3.7  |  security-control/CloudWatch.7  | 
|  arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/3.8  |  security-control/CloudWatch.8  | 
|  arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/3.9  |  security-control/CloudWatch.9  | 
|  arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/3.10  |  security-control/CloudWatch.10  | 
|  arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/3.11  |  security-control/CloudWatch.11  | 
|  arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/3.12  |  security-control/CloudWatch.12  | 
|  arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/3.13  |  security-control/CloudWatch.13  | 
|  arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/3.14  |  security-control/CloudWatch.14  | 
|  arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/4.1  |  security-control/EC2.13  | 
|  arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/4.2  |  security-control/EC2.14  | 
|  arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/4.3  |  security-control/EC2.2  | 
|  cis-aws-foundations-benchmark/v/1.4.0/1.10  |  security-control/IAM.5  | 
|  cis-aws-foundations-benchmark/v/1.4.0/1.14  |  security-control/IAM.3  | 
|  cis-aws-foundations-benchmark/v/1.4.0/1.16  |  security-control/IAM.1  | 
|  cis-aws-foundations-benchmark/v/1.4.0/1.17  |  security-control/IAM.18  | 
|  cis-aws-foundations-benchmark/v/1.4.0/1.4  |  security-control/IAM.4  | 
|  cis-aws-foundations-benchmark/v/1.4.0/1.5  |  security-control/IAM.9  | 
|  cis-aws-foundations-benchmark/v/1.4.0/1.6  |  security-control/IAM.6  | 
|  cis-aws-foundations-benchmark/v/1.4.0/1.7  |  security-control/CloudWatch.1  | 
|  cis-aws-foundations-benchmark/v/1.4.0/1.8  |  security-control/IAM.15  | 
|  cis-aws-foundations-benchmark/v/1.4.0/1.9  |  security-control/IAM.16  | 
|  cis-aws-foundations-benchmark/v/1.4.0/2.1.2  |  security-control/S3.5  | 
|  cis-aws-foundations-benchmark/v/1.4.0/2.1.5.1  |  security-control/S3.1  | 
|  cis-aws-foundations-benchmark/v/1.4.0/2.1.5.2  |  security-control/S3.8  | 
|  cis-aws-foundations-benchmark/v/1.4.0/2.2.1  |  security-control/EC2.7  | 
|  cis-aws-foundations-benchmark/v/1.4.0/2.3.1  |  security-control/RDS.3  | 
|  cis-aws-foundations-benchmark/v/1.4.0/3.1  |  security-control/CloudTrail.1  | 
|  cis-aws-foundations-benchmark/v/1.4.0/3.2  |  security-control/CloudTrail.4  | 
|  cis-aws-foundations-benchmark/v/1.4.0/3.4  |  security-control/CloudTrail.5  | 
|  cis-aws-foundations-benchmark/v/1.4.0/3.5  |  security-control/Config.1  | 
|  cis-aws-foundations-benchmark/v/1.4.0/3.6  |  security-control/S3.9  | 
|  cis-aws-foundations-benchmark/v/1.4.0/3.7  |  security-control/CloudTrail.2  | 
|  cis-aws-foundations-benchmark/v/1.4.0/3.8  |  security-control/KMS.4  | 
|  cis-aws-foundations-benchmark/v/1.4.0/3.9  |  security-control/EC2.6  | 
|  cis-aws-foundations-benchmark/v/1.4.0/4.3  |  security-control/CloudWatch.1  | 
|  cis-aws-foundations-benchmark/v/1.4.0/4.4  |  security-control/CloudWatch.4  | 
|  cis-aws-foundations-benchmark/v/1.4.0/4.5  |  security-control/CloudWatch.5  | 
|  cis-aws-foundations-benchmark/v/1.4.0/4.6  |  security-control/CloudWatch.6  | 
|  cis-aws-foundations-benchmark/v/1.4.0/4.7  |  security-control/CloudWatch.7  | 
|  cis-aws-foundations-benchmark/v/1.4.0/4.8  |  security-control/CloudWatch.8  | 
|  cis-aws-foundations-benchmark/v/1.4.0/4.9  |  security-control/CloudWatch.9  | 
|  cis-aws-foundations-benchmark/v/1.4.0/4.10  |  security-control/CloudWatch.10  | 
|  cis-aws-foundations-benchmark/v/1.4.0/4.11  |  security-control/CloudWatch.11  | 
|  cis-aws-foundations-benchmark/v/1.4.0/4.12  |  security-control/CloudWatch.12  | 
|  cis-aws-foundations-benchmark/v/1.4.0/4.13  |  security-control/CloudWatch.13  | 
|  cis-aws-foundations-benchmark/v/1.4.0/4.14  |  security-control/CloudWatch.14  | 
|  cis-aws-foundations-benchmark/v/1.4.0/5.1  |  security-control/EC2.21  | 
|  cis-aws-foundations-benchmark/v/1.4.0/5.3  |  security-control/EC2.2  | 
|  aws-foundational-security-best-practices/v/1.0.0/Account.1  |  security-control/Account.1  | 
|  aws-foundational-security-best-practices/v/1.0.0/ACM.1  |  security-control/ACM.1  | 
|  aws-foundational-security-best-practices/v/1.0.0/APIGateway.1  |  security-control/APIGateway.1  | 
|  aws-foundational-security-best-practices/v/1.0.0/APIGateway.2  |  security-control/APIGateway.2  | 
|  aws-foundational-security-best-practices/v/1.0.0/APIGateway.3  |  security-control/APIGateway.3  | 
|  aws-foundational-security-best-practices/v/1.0.0/APIGateway.4  |  security-control/APIGateway.4  | 
|  aws-foundational-security-best-practices/v/1.0.0/APIGateway.5  |  security-control/APIGateway.5  | 
|  aws-foundational-security-best-practices/v/1.0.0/APIGateway.8  |  security-control/APIGateway.8  | 
|  aws-foundational-security-best-practices/v/1.0.0/APIGateway.9  |  security-control/APIGateway.9  | 
|  aws-foundational-security-best-practices/v/1.0.0/AutoScaling.1  |  security-control/AutoScaling.1  | 
|  aws-foundational-security-best-practices/v/1.0.0/AutoScaling.2  |  security-control/AutoScaling.2  | 
|  aws-foundational-security-best-practices/v/1.0.0/AutoScaling.3  |  security-control/AutoScaling.3  | 
|  aws-foundational-security-best-practices/v/1.0.0/Autoscaling.5  |  security-control/Autoscaling.5  | 
|  aws-foundational-security-best-practices/v/1.0.0/AutoScaling.6  |  security-control/AutoScaling.6  | 
|  aws-foundational-security-best-practices/v/1.0.0/AutoScaling.9  |  security-control/AutoScaling.9  | 
|  aws-foundational-security-best-practices/v/1.0.0/CloudFront.1  |  security-control/CloudFront.1  | 
|  aws-foundational-security-best-practices/v/1.0.0/CloudFront.3  |  security-control/CloudFront.3  | 
|  aws-foundational-security-best-practices/v/1.0.0/CloudFront.4  |  security-control/CloudFront.4  | 
|  aws-foundational-security-best-practices/v/1.0.0/CloudFront.5  |  security-control/CloudFront.5  | 
|  aws-foundational-security-best-practices/v/1.0.0/CloudFront.6  |  security-control/CloudFront.6  | 
|  aws-foundational-security-best-practices/v/1.0.0/CloudFront.7  |  security-control/CloudFront.7  | 
|  aws-foundational-security-best-practices/v/1.0.0/CloudFront.8  |  security-control/CloudFront.8  | 
|  aws-foundational-security-best-practices/v/1.0.0/CloudFront.9  |  security-control/CloudFront.9  | 
|  aws-foundational-security-best-practices/v/1.0.0/CloudFront.10  |  security-control/CloudFront.10  | 
|  aws-foundational-security-best-practices/v/1.0.0/CloudFront.12  |  security-control/CloudFront.12  | 
|  aws-foundational-security-best-practices/v/1.0.0/CloudTrail.1  |  security-control/CloudTrail.1  | 
|  aws-foundational-security-best-practices/v/1.0.0/CloudTrail.2  |  security-control/CloudTrail.2  | 
|  aws-foundational-security-best-practices/v/1.0.0/CloudTrail.4  |  security-control/CloudTrail.4  | 
|  aws-foundational-security-best-practices/v/1.0.0/CloudTrail.5  |  security-control/CloudTrail.5  | 
|  aws-foundational-security-best-practices/v/1.0.0/CodeBuild.1  |  security-control/CodeBuild.1  | 
|  aws-foundational-security-best-practices/v/1.0.0/CodeBuild.2  |  security-control/CodeBuild.2  | 
|  aws-foundational-security-best-practices/v/1.0.0/CodeBuild.3  |  security-control/CodeBuild.3  | 
|  aws-foundational-security-best-practices/v/1.0.0/CodeBuild.4  |  security-control/CodeBuild.4  | 
|  aws-foundational-security-best-practices/v/1.0.0/Config.1  |  security-control/Config.1  | 
|  aws-foundational-security-best-practices/v/1.0.0/DMS.1  |  security-control/DMS.1  | 
|  aws-foundational-security-best-practices/v/1.0.0/DynamoDB.1  |  security-control/DynamoDB.1  | 
|  aws-foundational-security-best-practices/v/1.0.0/DynamoDB.2  |  security-control/DynamoDB.2  | 
|  aws-foundational-security-best-practices/v/1.0.0/DynamoDB.3  |  security-control/DynamoDB.3  | 
|  aws-foundational-security-best-practices/v/1.0.0/EC2.1  |  security-control/EC2.1  | 
|  aws-foundational-security-best-practices/v/1.0.0/EC2.3  |  security-control/EC2.3  | 
|  aws-foundational-security-best-practices/v/1.0.0/EC2.4  |  security-control/EC2.4  | 
|  aws-foundational-security-best-practices/v/1.0.0/EC2.6  |  security-control/EC2.6  | 
|  aws-foundational-security-best-practices/v/1.0.0/EC2.7  |  security-control/EC2.7  | 
|  aws-foundational-security-best-practices/v/1.0.0/EC2.8  |  security-control/EC2.8  | 
|  aws-foundational-security-best-practices/v/1.0.0/EC2.9  |  security-control/EC2.9  | 
|  aws-foundational-security-best-practices/v/1.0.0/EC2.10  |  security-control/EC2.10  | 
|  aws-foundational-security-best-practices/v/1.0.0/EC2.15  |  security-control/EC2.15  | 
|  aws-foundational-security-best-practices/v/1.0.0/EC2.16  |  security-control/EC2.16  | 
|  aws-foundational-security-best-practices/v/1.0.0/EC2.17  |  security-control/EC2.17  | 
|  aws-foundational-security-best-practices/v/1.0.0/EC2.18  |  security-control/EC2.18  | 
|  aws-foundational-security-best-practices/v/1.0.0/EC2.19  |  security-control/EC2.19  | 
|  aws-foundational-security-best-practices/v/1.0.0/EC2.2  |  security-control/EC2.2  | 
|  aws-foundational-security-best-practices/v/1.0.0/EC2.20  |  security-control/EC2.20  | 
|  aws-foundational-security-best-practices/v/1.0.0/EC2.21  |  security-control/EC2.21  | 
|  aws-foundational-security-best-practices/v/1.0.0/EC2.23  |  security-control/EC2.23  | 
|  aws-foundational-security-best-practices/v/1.0.0/EC2.24  |  security-control/EC2.24  | 
|  aws-foundational-security-best-practices/v/1.0.0/EC2.25  |  security-control/EC2.25  | 
|  aws-foundational-security-best-practices/v/1.0.0/ECR.1  |  security-control/ECR.1  | 
|  aws-foundational-security-best-practices/v/1.0.0/ECR.2  |  security-control/ECR.2  | 
|  aws-foundational-security-best-practices/v/1.0.0/ECR.3  |  security-control/ECR.3  | 
|  aws-foundational-security-best-practices/v/1.0.0/ECS.1  |  security-control/ECS.1  | 
|  aws-foundational-security-best-practices/v/1.0.0/ECS.10  |  security-control/ECS.10  | 
|  aws-foundational-security-best-practices/v/1.0.0/ECS.12  |  security-control/ECS.12  | 
|  aws-foundational-security-best-practices/v/1.0.0/ECS.2  |  security-control/ECS.2  | 
|  aws-foundational-security-best-practices/v/1.0.0/ECS.3  |  security-control/ECS.3  | 
|  aws-foundational-security-best-practices/v/1.0.0/ECS.4  |  security-control/ECS.4  | 
|  aws-foundational-security-best-practices/v/1.0.0/ECS.5  |  security-control/ECS.5  | 
|  aws-foundational-security-best-practices/v/1.0.0/ECS.8  |  security-control/ECS.8  | 
|  aws-foundational-security-best-practices/v/1.0.0/EFS.1  |  security-control/EFS.1  | 
|  aws-foundational-security-best-practices/v/1.0.0/EFS.2  |  security-control/EFS.2  | 
|  aws-foundational-security-best-practices/v/1.0.0/EFS.3  |  security-control/EFS.3  | 
|  aws-foundational-security-best-practices/v/1.0.0/EFS.4  |  security-control/EFS.4  | 
|  aws-foundational-security-best-practices/v/1.0.0/EKS.2  |  security-control/EKS.2  | 
|  aws-foundational-security-best-practices/v/1.0.0/ElasticBeanstalk.1  |  security-control/ElasticBeanstalk.1  | 
|  aws-foundational-security-best-practices/v/1.0.0/ElasticBeanstalk.2  |  security-control/ElasticBeanstalk.2  | 
|  aws-foundational-security-best-practices/v/1.0.0/ELBv2.1  |  security-control/ELB.1  | 
|  aws-foundational-security-best-practices/v/1.0.0/ELB.2  |  security-control/ELB.2  | 
|  aws-foundational-security-best-practices/v/1.0.0/ELB.3  |  security-control/ELB.3  | 
|  aws-foundational-security-best-practices/v/1.0.0/ELB.4  |  security-control/ELB.4  | 
|  aws-foundational-security-best-practices/v/1.0.0/ELB.5  |  security-control/ELB.5  | 
|  aws-foundational-security-best-practices/v/1.0.0/ELB.6  |  security-control/ELB.6  | 
|  aws-foundational-security-best-practices/v/1.0.0/ELB.7  |  security-control/ELB.7  | 
|  aws-foundational-security-best-practices/v/1.0.0/ELB.8  |  security-control/ELB.8  | 
|  aws-foundational-security-best-practices/v/1.0.0/ELB.9  |  security-control/ELB.9  | 
|  aws-foundational-security-best-practices/v/1.0.0/ELB.10  |  security-control/ELB.10  | 
|  aws-foundational-security-best-practices/v/1.0.0/ELB.11  |  security-control/ELB.11  | 
|  aws-foundational-security-best-practices/v/1.0.0/ELB.12  |  security-control/ELB.12  | 
|  aws-foundational-security-best-practices/v/1.0.0/ELB.13  |  security-control/ELB.13  | 
|  aws-foundational-security-best-practices/v/1.0.0/ELB.14  |  security-control/ELB.14  | 
|  aws-foundational-security-best-practices/v/1.0.0/EMR.1  |  security-control/EMR.1  | 
|  aws-foundational-security-best-practices/v/1.0.0/ES.1  |  security-control/ES.1  | 
|  aws-foundational-security-best-practices/v/1.0.0/ES.2  |  security-control/ES.2  | 
|  aws-foundational-security-best-practices/v/1.0.0/ES.3  |  security-control/ES.3  | 
|  aws-foundational-security-best-practices/v/1.0.0/ES.4  |  security-control/ES.4  | 
|  aws-foundational-security-best-practices/v/1.0.0/ES.5  |  security-control/ES.5  | 
|  aws-foundational-security-best-practices/v/1.0.0/ES.6  |  security-control/ES.6  | 
|  aws-foundational-security-best-practices/v/1.0.0/ES.7  |  security-control/ES.7  | 
|  aws-foundational-security-best-practices/v/1.0.0/ES.8  |  security-control/ES.8  | 
|  aws-foundational-security-best-practices/v/1.0.0/GuardDuty.1  |  security-control/GuardDuty.1  | 
|  aws-foundational-security-best-practices/v/1.0.0/IAM.1  |  security-control/IAM.1  | 
|  aws-foundational-security-best-practices/v/1.0.0/IAM.2  |  security-control/IAM.2  | 
|  aws-foundational-security-best-practices/v/1.0.0/IAM.21  |  security-control/IAM.21  | 
|  aws-foundational-security-best-practices/v/1.0.0/IAM.3  |  security-control/IAM.3  | 
|  aws-foundational-security-best-practices/v/1.0.0/IAM.4  |  security-control/IAM.4  | 
|  aws-foundational-security-best-practices/v/1.0.0/IAM.5  |  security-control/IAM.5  | 
|  aws-foundational-security-best-practices/v/1.0.0/IAM.6  |  security-control/IAM.6  | 
|  aws-foundational-security-best-practices/v/1.0.0/IAM.7  |  security-control/IAM.7  | 
|  aws-foundational-security-best-practices/v/1.0.0/IAM.8  |  security-control/IAM.8  | 
|  aws-foundational-security-best-practices/v/1.0.0/Kinesis.1  |  security-control/Kinesis.1  | 
|  aws-foundational-security-best-practices/v/1.0.0/KMS.1  |  security-control/KMS.1  | 
|  aws-foundational-security-best-practices/v/1.0.0/KMS.2  |  security-control/KMS.2  | 
|  aws-foundational-security-best-practices/v/1.0.0/KMS.3  |  security-control/KMS.3  | 
|  aws-foundational-security-best-practices/v/1.0.0/Lambda.1  |  security-control/Lambda.1  | 
|  aws-foundational-security-best-practices/v/1.0.0/Lambda.2  |  security-control/Lambda.2  | 
|  aws-foundational-security-best-practices/v/1.0.0/Lambda.5  |  security-control/Lambda.5  | 
|  aws-foundational-security-best-practices/v/1.0.0/NetworkFirewall.3  |  security-control/NetworkFirewall.3  | 
|  aws-foundational-security-best-practices/v/1.0.0/NetworkFirewall.4  |  security-control/NetworkFirewall.4  | 
|  aws-foundational-security-best-practices/v/1.0.0/NetworkFirewall.5  |  security-control/NetworkFirewall.5  | 
|  aws-foundational-security-best-practices/v/1.0.0/NetworkFirewall.6  |  security-control/NetworkFirewall.6  | 
|  aws-foundational-security-best-practices/v/1.0.0/Opensearch.1  |  security-control/Opensearch.1  | 
|  aws-foundational-security-best-practices/v/1.0.0/Opensearch.2  |  security-control/Opensearch.2  | 
|  aws-foundational-security-best-practices/v/1.0.0/Opensearch.3  |  security-control/Opensearch.3  | 
|  aws-foundational-security-best-practices/v/1.0.0/Opensearch.4  |  security-control/Opensearch.4  | 
|  aws-foundational-security-best-practices/v/1.0.0/Opensearch.5  |  security-control/Opensearch.5  | 
|  aws-foundational-security-best-practices/v/1.0.0/Opensearch.6  |  security-control/Opensearch.6  | 
|  aws-foundational-security-best-practices/v/1.0.0/Opensearch.7  |  security-control/Opensearch.7  | 
|  aws-foundational-security-best-practices/v/1.0.0/Opensearch.8  |  security-control/Opensearch.8  | 
|  aws-foundational-security-best-practices/v/1.0.0/RDS.1  |  security-control/RDS.1  | 
|  aws-foundational-security-best-practices/v/1.0.0/RDS.10  |  security-control/RDS.10  | 
|  aws-foundational-security-best-practices/v/1.0.0/RDS.11  |  security-control/RDS.11  | 
|  aws-foundational-security-best-practices/v/1.0.0/RDS.12  |  security-control/RDS.12  | 
|  aws-foundational-security-best-practices/v/1.0.0/RDS.13  |  security-control/RDS.13  | 
|  aws-foundational-security-best-practices/v/1.0.0/RDS.14  |  security-control/RDS.14  | 
|  aws-foundational-security-best-practices/v/1.0.0/RDS.15  |  security-control/RDS.15  | 
|  aws-foundational-security-best-practices/v/1.0.0/RDS.16  |  security-control/RDS.16  | 
|  aws-foundational-security-best-practices/v/1.0.0/RDS.17  |  security-control/RDS.17  | 
|  aws-foundational-security-best-practices/v/1.0.0/RDS.19  |  security-control/RDS.19  | 
|  aws-foundational-security-best-practices/v/1.0.0/RDS.2  |  security-control/RDS.2  | 
|  aws-foundational-security-best-practices/v/1.0.0/RDS.20  |  security-control/RDS.20  | 
|  aws-foundational-security-best-practices/v/1.0.0/RDS.21  |  security-control/RDS.21  | 
|  aws-foundational-security-best-practices/v/1.0.0/RDS.22  |  security-control/RDS.22  | 
|  aws-foundational-security-best-practices/v/1.0.0/RDS.23  |  security-control/RDS.23  | 
|  aws-foundational-security-best-practices/v/1.0.0/RDS.24  |  security-control/RDS.24  | 
|  aws-foundational-security-best-practices/v/1.0.0/RDS.25  |  security-control/RDS.25  | 
|  aws-foundational-security-best-practices/v/1.0.0/RDS.3  |  security-control/RDS.3  | 
|  aws-foundational-security-best-practices/v/1.0.0/RDS.4  |  security-control/RDS.4  | 
|  aws-foundational-security-best-practices/v/1.0.0/RDS.5  |  security-control/RDS.5  | 
|  aws-foundational-security-best-practices/v/1.0.0/RDS.6  |  security-control/RDS.6  | 
|  aws-foundational-security-best-practices/v/1.0.0/RDS.7  |  security-control/RDS.7  | 
|  aws-foundational-security-best-practices/v/1.0.0/RDS.8  |  security-control/RDS.8  | 
|  aws-foundational-security-best-practices/v/1.0.0/RDS.9  |  security-control/RDS.9  | 
|  aws-foundational-security-best-practices/v/1.0.0/Redshift.1  |  security-control/Redshift.1  | 
|  aws-foundational-security-best-practices/v/1.0.0/Redshift.2  |  security-control/Redshift.2  | 
|  aws-foundational-security-best-practices/v/1.0.0/Redshift.3  |  security-control/Redshift.3  | 
|  aws-foundational-security-best-practices/v/1.0.0/Redshift.4  |  security-control/Redshift.4  | 
|  aws-foundational-security-best-practices/v/1.0.0/Redshift.6  |  security-control/Redshift.6  | 
|  aws-foundational-security-best-practices/v/1.0.0/Redshift.7  |  security-control/Redshift.7  | 
|  aws-foundational-security-best-practices/v/1.0.0/Redshift.8  |  security-control/Redshift.8  | 
|  aws-foundational-security-best-practices/v/1.0.0/Redshift.9  |  security-control/Redshift.9  | 
|  aws-foundational-security-best-practices/v/1.0.0/S3.1  |  security-control/S3.1  | 
|  aws-foundational-security-best-practices/v/1.0.0/S3.12  |  security-control/S3.12  | 
|  aws-foundational-security-best-practices/v/1.0.0/S3.13  |  security-control/S3.13  | 
|  aws-foundational-security-best-practices/v/1.0.0/S3.2  |  security-control/S3.2  | 
|  aws-foundational-security-best-practices/v/1.0.0/S3.3  |  security-control/S3.3  | 
|  aws-foundational-security-best-practices/v/1.0.0/S3.5  |  security-control/S3.5  | 
|  aws-foundational-security-best-practices/v/1.0.0/S3.6  |  security-control/S3.6  | 
|  aws-foundational-security-best-practices/v/1.0.0/S3.8  |  security-control/S3.8  | 
|  aws-foundational-security-best-practices/v/1.0.0/S3.9  |  security-control/S3.9  | 
|  aws-foundational-security-best-practices/v/1.0.0/SageMaker.1  |  security-control/SageMaker.1  | 
|  aws-foundational-security-best-practices/v/1.0.0/SageMaker.2  |  security-control/SageMaker.2  | 
|  aws-foundational-security-best-practices/v/1.0.0/SageMaker.3  |  security-control/SageMaker.3  | 
|  aws-foundational-security-best-practices/v/1.0.0/SecretsManager.1  |  security-control/SecretsManager.1  | 
|  aws-foundational-security-best-practices/v/1.0.0/SecretsManager.2  |  security-control/SecretsManager.2  | 
|  aws-foundational-security-best-practices/v/1.0.0/SecretsManager.3  |  security-control/SecretsManager.3  | 
|  aws-foundational-security-best-practices/v/1.0.0/SecretsManager.4  |  security-control/SecretsManager.4  | 
|  aws-foundational-security-best-practices/v/1.0.0/SQS.1  |  security-control/SQS.1  | 
|  aws-foundational-security-best-practices/v/1.0.0/SSM.1  |  security-control/SSM.1  | 
|  aws-foundational-security-best-practices/v/1.0.0/SSM.2  |  security-control/SSM.2  | 
|  aws-foundational-security-best-practices/v/1.0.0/SSM.3  |  security-control/SSM.3  | 
|  aws-foundational-security-best-practices/v/1.0.0/SSM.4  |  security-control/SSM.4  | 
|  aws-foundational-security-best-practices/v/1.0.0/WAF.1  |  security-control/WAF.1  | 
|  aws-foundational-security-best-practices/v/1.0.0/WAF.2  |  security-control/WAF.2  | 
|  aws-foundational-security-best-practices/v/1.0.0/WAF.3  |  security-control/WAF.3  | 
|  aws-foundational-security-best-practices/v/1.0.0/WAF.4  |  security-control/WAF.4  | 
|  aws-foundational-security-best-practices/v/1.0.0/WAF.6  |  security-control/WAF.6  | 
|  aws-foundational-security-best-practices/v/1.0.0/WAF.7  |  security-control/WAF.7  | 
|  aws-foundational-security-best-practices/v/1.0.0/WAF.8  |  security-control/WAF.8  | 
|  aws-foundational-security-best-practices/v/1.0.0/WAF.10  |  security-control/WAF.10  | 
|  pci-dss/v/3.2.1/PCI.AutoScaling.1  |  security-control/AutoScaling.1  | 
|  pci-dss/v/3.2.1/PCI.CloudTrail.1  |  security-control/CloudTrail.2  | 
|  pci-dss/v/3.2.1/PCI.CloudTrail.2  |  security-control/CloudTrail.3  | 
|  pci-dss/v/3.2.1/PCI.CloudTrail.3  |  security-control/CloudTrail.4  | 
|  pci-dss/v/3.2.1/PCI.CloudTrail.4  |  security-control/CloudTrail.5  | 
|  pci-dss/v/3.2.1/PCI.CodeBuild.1  |  security-control/CodeBuild.1  | 
|  pci-dss/v/3.2.1/PCI.CodeBuild.2  |  security-control/CodeBuild.2  | 
|  pci-dss/v/3.2.1/PCI.Config.1  |  security-control/Config.1  | 
|  pci-dss/v/3.2.1/PCI.CW.1  |  security-control/CloudWatch.1  | 
|  pci-dss/v/3.2.1/PCI.DMS.1  |  security-control/DMS.1  | 
|  pci-dss/v/3.2.1/PCI.EC2.1  |  security-control/EC2.1  | 
|  pci-dss/v/3.2.1/PCI.EC2.2  |  security-control/EC2.2  | 
|  pci-dss/v/3.2.1/PCI.EC2.4  |  security-control/EC2.12  | 
|  pci-dss/v/3.2.1/PCI.EC2.5  |  security-control/EC2.13  | 
|  pci-dss/v/3.2.1/PCI.EC2.6  |  security-control/EC2.6  | 
|  pci-dss/v/3.2.1/PCI.ELBv2.1  |  security-control/ELB.1  | 
|  pci-dss/v/3.2.1/PCI.ES.1  |  security-control/ES.2  | 
|  pci-dss/v/3.2.1/PCI.ES.2  |  security-control/ES.1  | 
|  pci-dss/v/3.2.1/PCI.GuardDuty.1  |  security-control/GuardDuty.1  | 
|  pci-dss/v/3.2.1/PCI.IAM.1  |  security-control/IAM.4  | 
|  pci-dss/v/3.2.1/PCI.IAM.2  |  security-control/IAM.2  | 
|  pci-dss/v/3.2.1/PCI.IAM.3  |  security-control/IAM.1  | 
|  pci-dss/v/3.2.1/PCI.IAM.4  |  security-control/IAM.6  | 
|  pci-dss/v/3.2.1/PCI.IAM.5  |  security-control/IAM.9  | 
|  pci-dss/v/3.2.1/PCI.IAM.6  |  security-control/IAM.19  | 
|  pci-dss/v/3.2.1/PCI.IAM.7  |  security-control/IAM.8  | 
|  pci-dss/v/3.2.1/PCI.IAM.8  |  security-control/IAM.10  | 
|  pci-dss/v/3.2.1/PCI.KMS.1  |  security-control/KMS.4  | 
|  pci-dss/v/3.2.1/PCI.Lambda.1  |  security-control/Lambda.1  | 
|  pci-dss/v/3.2.1/PCI.Lambda.2  |  security-control/Lambda.3  | 
|  pci-dss/v/3.2.1/PCI.Opensearch.1  |  security-control/Opensearch.2  | 
|  pci-dss/v/3.2.1/PCI.Opensearch.2  |  security-control/Opensearch.1  | 
|  pci-dss/v/3.2.1/PCI.RDS.1  |  security-control/RDS.1  | 
|  pci-dss/v/3.2.1/PCI.RDS.2  |  security-control/RDS.2  | 
|  pci-dss/v/3.2.1/PCI.Redshift.1  |  security-control/Redshift.1  | 
|  pci-dss/v/3.2.1/PCI.S3.1  |  security-control/S3.3  | 
|  pci-dss/v/3.2.1/PCI.S3.2  |  security-control/S3.2  | 
|  pci-dss/v/3.2.1/PCI.S3.3  |  security-control/S3.7  | 
|  pci-dss/v/3.2.1/PCI.S3.5  |  security-control/S3.5  | 
|  pci-dss/v/3.2.1/PCI.S3.6  |  security-control/S3.1  | 
|  pci-dss/v/3.2.1/PCI.SageMaker.1  |  security-control/SageMaker.1  | 
|  pci-dss/v/3.2.1/PCI.SSM.1  |  security-control/SSM.2  | 
|  pci-dss/v/3.2.1/PCI.SSM.2  |  security-control/SSM.3  | 
|  pci-dss/v/3.2.1/PCI.SSM.3  |  security-control/SSM.1  | 
|  service-managed-aws-control-tower/v/1.0.0/ACM.1  |  security-control/ACM.1  | 
|  service-managed-aws-control-tower/v/1.0.0/APIGateway.1  |  security-control/APIGateway.1  | 
|  service-managed-aws-control-tower/v/1.0.0/APIGateway.2  |  security-control/APIGateway.2  | 
|  service-managed-aws-control-tower/v/1.0.0/APIGateway.3  |  security-control/APIGateway.3  | 
|  service-managed-aws-control-tower/v/1.0.0/APIGateway.4  |  security-control/APIGateway.4  | 
|  service-managed-aws-control-tower/v/1.0.0/APIGateway.5  |  security-control/APIGateway.5  | 
|  service-managed-aws-control-tower/v/1.0.0/AutoScaling.1  |  security-control/AutoScaling.1  | 
|  service-managed-aws-control-tower/v/1.0.0/AutoScaling.2  |  security-control/AutoScaling.2  | 
|  service-managed-aws-control-tower/v/1.0.0/AutoScaling.3  |  security-control/AutoScaling.3  | 
|  service-managed-aws-control-tower/v/1.0.0/AutoScaling.4  |  security-control/AutoScaling.4  | 
|  service-managed-aws-control-tower/v/1.0.0/Autoscaling.5  |  security-control/Autoscaling.5  | 
|  service-managed-aws-control-tower/v/1.0.0/AutoScaling.6  |  security-control/AutoScaling.6  | 
|  service-managed-aws-control-tower/v/1.0.0/AutoScaling.9  |  security-control/AutoScaling.9  | 
|  service-managed-aws-control-tower/v/1.0.0/CloudTrail.1  |  security-control/CloudTrail.1  | 
|  service-managed-aws-control-tower/v/1.0.0/CloudTrail.2  |  security-control/CloudTrail.2  | 
|  service-managed-aws-control-tower/v/1.0.0/CloudTrail.4  |  security-control/CloudTrail.4  | 
|  service-managed-aws-control-tower/v/1.0.0/CloudTrail.5  |  security-control/CloudTrail.5  | 
|  service-managed-aws-control-tower/v/1.0.0/CodeBuild.1  |  security-control/CodeBuild.1  | 
|  service-managed-aws-control-tower/v/1.0.0/CodeBuild.2  |  security-control/CodeBuild.2  | 
|  service-managed-aws-control-tower/v/1.0.0/CodeBuild.4  |  security-control/CodeBuild.4  | 
|  service-managed-aws-control-tower/v/1.0.0/CodeBuild.5  |  security-control/CodeBuild.5  | 
|  service-managed-aws-control-tower/v/1.0.0/DMS.1  |  security-control/DMS.1  | 
|  service-managed-aws-control-tower/v/1.0.0/DynamoDB.1  |  security-control/DynamoDB.1  | 
|  service-managed-aws-control-tower/v/1.0.0/DynamoDB.2  |  security-control/DynamoDB.2  | 
|  service-managed-aws-control-tower/v/1.0.0/EC2.1  |  security-control/EC2.1  | 
|  service-managed-aws-control-tower/v/1.0.0/EC2.2  |  security-control/EC2.2  | 
|  service-managed-aws-control-tower/v/1.0.0/EC2.3  |  security-control/EC2.3  | 
|  service-managed-aws-control-tower/v/1.0.0/EC2.4  |  security-control/EC2.4  | 
|  service-managed-aws-control-tower/v/1.0.0/EC2.6  |  security-control/EC2.6  | 
|  service-managed-aws-control-tower/v/1.0.0/EC2.7  |  security-control/EC2.7  | 
|  service-managed-aws-control-tower/v/1.0.0/EC2.8  |  security-control/EC2.8  | 
|  service-managed-aws-control-tower/v/1.0.0/EC2.9  |  security-control/EC2.9  | 
|  service-managed-aws-control-tower/v/1.0.0/EC2.10  |  security-control/EC2.10  | 
|  service-managed-aws-control-tower/v/1.0.0/EC2.15  |  security-control/EC2.15  | 
|  service-managed-aws-control-tower/v/1.0.0/EC2.16  |  security-control/EC2.16  | 
|  service-managed-aws-control-tower/v/1.0.0/EC2.17  |  security-control/EC2.17  | 
|  service-managed-aws-control-tower/v/1.0.0/EC2.18  |  security-control/EC2.18  | 
|  service-managed-aws-control-tower/v/1.0.0/EC2.19  |  security-control/EC2.19  | 
|  service-managed-aws-control-tower/v/1.0.0/EC2.20  |  security-control/EC2.20  | 
|  service-managed-aws-control-tower/v/1.0.0/EC2.21  |  security-control/EC2.21  | 
|  service-managed-aws-control-tower/v/1.0.0/EC2.22  |  security-control/EC2.22  | 
|  service-managed-aws-control-tower/v/1.0.0/ECR.1  |  security-control/ECR.1  | 
|  service-managed-aws-control-tower/v/1.0.0/ECR.2  |  security-control/ECR.2  | 
|  service-managed-aws-control-tower/v/1.0.0/ECR.3  |  security-control/ECR.3  | 
|  service-managed-aws-control-tower/v/1.0.0/ECS.1  |  security-control/ECS.1  | 
|  service-managed-aws-control-tower/v/1.0.0/ECS.2  |  security-control/ECS.2  | 
|  service-managed-aws-control-tower/v/1.0.0/ECS.3  |  security-control/ECS.3  | 
|  service-managed-aws-control-tower/v/1.0.0/ECS.4  |  security-control/ECS.4  | 
|  service-managed-aws-control-tower/v/1.0.0/ECS.5  |  security-control/ECS.5  | 
|  service-managed-aws-control-tower/v/1.0.0/ECS.8  |  security-control/ECS.8  | 
|  service-managed-aws-control-tower/v/1.0.0/ECS.10  |  security-control/ECS.10  | 
|  service-managed-aws-control-tower/v/1.0.0/ECS.12  |  security-control/ECS.12  | 
|  service-managed-aws-control-tower/v/1.0.0/EFS.1  |  security-control/EFS.1  | 
|  service-managed-aws-control-tower/v/1.0.0/EFS.2  |  security-control/EFS.2  | 
|  service-managed-aws-control-tower/v/1.0.0/EFS.3  |  security-control/EFS.3  | 
|  service-managed-aws-control-tower/v/1.0.0/EFS.4  |  security-control/EFS.4  | 
|  service-managed-aws-control-tower/v/1.0.0/EKS.2  |  security-control/EKS.2  | 
|  service-managed-aws-control-tower/v/1.0.0/ELB.2  |  security-control/ELB.2  | 
|  service-managed-aws-control-tower/v/1.0.0/ELB.3  |  security-control/ELB.3  | 
|  service-managed-aws-control-tower/v/1.0.0/ELB.4  |  security-control/ELB.4  | 
|  service-managed-aws-control-tower/v/1.0.0/ELB.5  |  security-control/ELB.5  | 
|  service-managed-aws-control-tower/v/1.0.0/ELB.6  |  security-control/ELB.6  | 
|  service-managed-aws-control-tower/v/1.0.0/ELB.7  |  security-control/ELB.7  | 
|  service-managed-aws-control-tower/v/1.0.0/ELB.8  |  security-control/ELB.8  | 
|  service-managed-aws-control-tower/v/1.0.0/ELB.9  |  security-control/ELB.9  | 
|  service-managed-aws-control-tower/v/1.0.0/ELB.10  |  security-control/ELB.10  | 
|  service-managed-aws-control-tower/v/1.0.0/ELB.12  |  security-control/ELB.12  | 
|  service-managed-aws-control-tower/v/1.0.0/ELB.13  |  security-control/ELB.13  | 
|  service-managed-aws-control-tower/v/1.0.0/ELB.14  |  security-control/ELB.14  | 
|  service-managed-aws-control-tower/v/1.0.0/ELBv2.1  |  security-control/ELBv2.1  | 
|  service-managed-aws-control-tower/v/1.0.0/EMR.1  |  security-control/EMR.1  | 
|  service-managed-aws-control-tower/v/1.0.0/ES.1  |  security-control/ES.1  | 
|  service-managed-aws-control-tower/v/1.0.0/ES.2  |  security-control/ES.2  | 
|  service-managed-aws-control-tower/v/1.0.0/ES.3  |  security-control/ES.3  | 
|  service-managed-aws-control-tower/v/1.0.0/ES.4  |  security-control/ES.4  | 
|  service-managed-aws-control-tower/v/1.0.0/ES.5  |  security-control/ES.5  | 
|  service-managed-aws-control-tower/v/1.0.0/ES.6  |  security-control/ES.6  | 
|  service-managed-aws-control-tower/v/1.0.0/ES.7  |  security-control/ES.7  | 
|  service-managed-aws-control-tower/v/1.0.0/ES.8  |  security-control/ES.8  | 
|  service-managed-aws-control-tower/v/1.0.0/ElasticBeanstalk.1  |  security-control/ElasticBeanstalk.1  | 
|  service-managed-aws-control-tower/v/1.0.0/ElasticBeanstalk.2  |  security-control/ElasticBeanstalk.2  | 
|  service-managed-aws-control-tower/v/1.0.0/GuardDuty.1  |  security-control/GuardDuty.1  | 
|  service-managed-aws-control-tower/v/1.0.0/IAM.1  |  security-control/IAM.1  | 
|  service-managed-aws-control-tower/v/1.0.0/IAM.2  |  security-control/IAM.2  | 
|  service-managed-aws-control-tower/v/1.0.0/IAM.3  |  security-control/IAM.3  | 
|  service-managed-aws-control-tower/v/1.0.0/IAM.4  |  security-control/IAM.4  | 
|  service-managed-aws-control-tower/v/1.0.0/IAM.5  |  security-control/IAM.5  | 
|  service-managed-aws-control-tower/v/1.0.0/IAM.6  |  security-control/IAM.6  | 
|  service-managed-aws-control-tower/v/1.0.0/IAM.7  |  security-control/IAM.7  | 
|  service-managed-aws-control-tower/v/1.0.0/IAM.8  |  security-control/IAM.8  | 
|  service-managed-aws-control-tower/v/1.0.0/IAM.21  |  security-control/IAM.21  | 
|  service-managed-aws-control-tower/v/1.0.0/Kinesis.1  |  security-control/Kinesis.1  | 
|  service-managed-aws-control-tower/v/1.0.0/KMS.1  |  security-control/KMS.1  | 
|  service-managed-aws-control-tower/v/1.0.0/KMS.2  |  security-control/KMS.2  | 
|  service-managed-aws-control-tower/v/1.0.0/KMS.3  |  security-control/KMS.3  | 
|  service-managed-aws-control-tower/v/1.0.0/Lambda.1  |  security-control/Lambda.1  | 
|  service-managed-aws-control-tower/v/1.0.0/Lambda.2  |  security-control/Lambda.2  | 
|  service-managed-aws-control-tower/v/1.0.0/Lambda.5  |  security-control/Lambda.5  | 
|  service-managed-aws-control-tower/v/1.0.0/NetworkFirewall.3  |  security-control/NetworkFirewall.3  | 
|  service-managed-aws-control-tower/v/1.0.0/NetworkFirewall.4  |  security-control/NetworkFirewall.4  | 
|  service-managed-aws-control-tower/v/1.0.0/NetworkFirewall.5  |  security-control/NetworkFirewall.5  | 
|  service-managed-aws-control-tower/v/1.0.0/NetworkFirewall.6  |  security-control/NetworkFirewall.6  | 
|  service-managed-aws-control-tower/v/1.0.0/Opensearch.1  |  security-control/Opensearch.1  | 
|  service-managed-aws-control-tower/v/1.0.0/Opensearch.2  |  security-control/Opensearch.2  | 
|  service-managed-aws-control-tower/v/1.0.0/Opensearch.3  |  security-control/Opensearch.3  | 
|  service-managed-aws-control-tower/v/1.0.0/Opensearch.4  |  security-control/Opensearch.4  | 
|  service-managed-aws-control-tower/v/1.0.0/Opensearch.5  |  security-control/Opensearch.5  | 
|  service-managed-aws-control-tower/v/1.0.0/Opensearch.6  |  security-control/Opensearch.6  | 
|  service-managed-aws-control-tower/v/1.0.0/Opensearch.7  |  security-control/Opensearch.7  | 
|  service-managed-aws-control-tower/v/1.0.0/Opensearch.8  |  security-control/Opensearch.8  | 
|  service-managed-aws-control-tower/v/1.0.0/RDS.1  |  security-control/RDS.1  | 
|  service-managed-aws-control-tower/v/1.0.0/RDS.2  |  security-control/RDS.2  | 
|  service-managed-aws-control-tower/v/1.0.0/RDS.3  |  security-control/RDS.3  | 
|  service-managed-aws-control-tower/v/1.0.0/RDS.4  |  security-control/RDS.4  | 
|  service-managed-aws-control-tower/v/1.0.0/RDS.5  |  security-control/RDS.5  | 
|  service-managed-aws-control-tower/v/1.0.0/RDS.6  |  security-control/RDS.6  | 
|  service-managed-aws-control-tower/v/1.0.0/RDS.8  |  security-control/RDS.8  | 
|  service-managed-aws-control-tower/v/1.0.0/RDS.9  |  security-control/RDS.9  | 
|  service-managed-aws-control-tower/v/1.0.0/RDS.10  |  security-control/RDS.10  | 
|  service-managed-aws-control-tower/v/1.0.0/RDS.11  |  security-control/RDS.11  | 
|  service-managed-aws-control-tower/v/1.0.0/RDS.13  |  security-control/RDS.13  | 
|  service-managed-aws-control-tower/v/1.0.0/RDS.17  |  security-control/RDS.17  | 
|  service-managed-aws-control-tower/v/1.0.0/RDS.18  |  security-control/RDS.18  | 
|  service-managed-aws-control-tower/v/1.0.0/RDS.19  |  security-control/RDS.19  | 
|  service-managed-aws-control-tower/v/1.0.0/RDS.20  |  security-control/RDS.20  | 
|  service-managed-aws-control-tower/v/1.0.0/RDS.21  |  security-control/RDS.21  | 
|  service-managed-aws-control-tower/v/1.0.0/RDS.22  |  security-control/RDS.22  | 
|  service-managed-aws-control-tower/v/1.0.0/RDS.23  |  security-control/RDS.23  | 
|  service-managed-aws-control-tower/v/1.0.0/RDS.25  |  security-control/RDS.25  | 
|  service-managed-aws-control-tower/v/1.0.0/Redshift.1  |  security-control/Redshift.1  | 
|  service-managed-aws-control-tower/v/1.0.0/Redshift.2  |  security-control/Redshift.2  | 
|  service-managed-aws-control-tower/v/1.0.0/Redshift.4  |  security-control/Redshift.4  | 
|  service-managed-aws-control-tower/v/1.0.0/Redshift.6  |  security-control/Redshift.6  | 
|  service-managed-aws-control-tower/v/1.0.0/Redshift.7  |  security-control/Redshift.7  | 
|  service-managed-aws-control-tower/v/1.0.0/Redshift.8  |  security-control/Redshift.8  | 
|  service-managed-aws-control-tower/v/1.0.0/Redshift.9  |  security-control/Redshift.9  | 
|  service-managed-aws-control-tower/v/1.0.0/S3.1  |  security-control/S3.1  | 
|  service-managed-aws-control-tower/v/1.0.0/S3.2  |  security-control/S3.2  | 
|  service-managed-aws-control-tower/v/1.0.0/S3.3  |  security-control/S3.3  | 
|  service-managed-aws-control-tower/v/1.0.0/S3.5  |  security-control/S3.5  | 
|  service-managed-aws-control-tower/v/1.0.0/S3.6  |  security-control/S3.6  | 
|  service-managed-aws-control-tower/v/1.0.0/S3.8  |  security-control/S3.8  | 
|  service-managed-aws-control-tower/v/1.0.0/S3.9  |  security-control/S3.9  | 
|  service-managed-aws-control-tower/v/1.0.0/S3.12  |  security-control/S3.12  | 
|  service-managed-aws-control-tower/v/1.0.0/S3.13  |  security-control/S3.13  | 
|  service-managed-aws-control-tower/v/1.0.0/SageMaker.1  |  security-control/SageMaker.1  | 
|  service-managed-aws-control-tower/v/1.0.0/SecretsManager.1  |  security-control/SecretsManager.1  | 
|  service-managed-aws-control-tower/v/1.0.0/SecretsManager.2  |  security-control/SecretsManager.2  | 
|  service-managed-aws-control-tower/v/1.0.0/SecretsManager.3  |  security-control/SecretsManager.3  | 
|  service-managed-aws-control-tower/v/1.0.0/SecretsManager.4  |  security-control/SecretsManager.4  | 
|  service-managed-aws-control-tower/v/1.0.0/SQS.1  |  security-control/SQS.1  | 
|  service-managed-aws-control-tower/v/1.0.0/SSM.1  |  security-control/SSM.1  | 
|  service-managed-aws-control-tower/v/1.0.0/SSM.2  |  security-control/SSM.2  | 
|  service-managed-aws-control-tower/v/1.0.0/SSM.3  |  security-control/SSM.3  | 
|  service-managed-aws-control-tower/v/1.0.0/SSM.4  |  security-control/SSM.4  | 
|  service-managed-aws-control-tower/v/1.0.0/WAF.2  |  security-control/WAF.2  | 
|  service-managed-aws-control-tower/v/1.0.0/WAF.3  |  security-control/WAF.3  | 
|  service-managed-aws-control-tower/v/1.0.0/WAF.4  |  security-control/WAF.4  | 

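Alert rules, suppression lists and ticket deduplication keyed on `GeneratorId` stop matching when consolidated control findings is turned on, because every row in the table above changes value. The following Python is an added example, not AWS code: it reduces either form of `GeneratorId` to the security control ID using only the FSBP, PCI DSS and AWS Control Tower rows shown above, and it assumes (as those FSBP and Control Tower rows show) that their suffix already equals the security control ID. The function names, sample findings and account ID are constructed for illustration.

```python
"""Added example (not AWS code): map old and new GeneratorId values to one key."""
from collections import defaultdict

# PCI DSS v3.2.1 rows from the GeneratorId table above, written as
# "<old PCI control>=<security control>". PCI numbering often differs from the
# security control number (PCI.EC2.4 is EC2.12), so these rows need a lookup.
PCI_ROWS = """
AutoScaling.1=AutoScaling.1 CloudTrail.1=CloudTrail.2 CloudTrail.2=CloudTrail.3
CloudTrail.3=CloudTrail.4 CloudTrail.4=CloudTrail.5 CodeBuild.1=CodeBuild.1
CodeBuild.2=CodeBuild.2 Config.1=Config.1 CW.1=CloudWatch.1 DMS.1=DMS.1
EC2.1=EC2.1 EC2.2=EC2.2 EC2.4=EC2.12 EC2.5=EC2.13 EC2.6=EC2.6 ELBv2.1=ELB.1
ES.1=ES.2 ES.2=ES.1 GuardDuty.1=GuardDuty.1 IAM.1=IAM.4 IAM.2=IAM.2 IAM.3=IAM.1
IAM.4=IAM.6 IAM.5=IAM.9 IAM.6=IAM.19 IAM.7=IAM.8 IAM.8=IAM.10 KMS.1=KMS.4
Lambda.1=Lambda.1 Lambda.2=Lambda.3 Opensearch.1=Opensearch.2
Opensearch.2=Opensearch.1 RDS.1=RDS.1 RDS.2=RDS.2 Redshift.1=Redshift.1
S3.1=S3.3 S3.2=S3.2 S3.3=S3.7 S3.5=S3.5 S3.6=S3.1 SageMaker.1=SageMaker.1
SSM.1=SSM.2 SSM.2=SSM.3 SSM.3=SSM.1
"""
PCI_TO_SECURITY_CONTROL = dict(pair.split("=") for pair in PCI_ROWS.split())

# GeneratorId prefixes whose suffix is already the security control ID
# (assumption taken from the FSBP and Control Tower rows in the table).
SAME_ID_PREFIXES = (
    "security-control/",
    "aws-foundational-security-best-practices/v/1.0.0/",
    "service-managed-aws-control-tower/v/1.0.0/",
)
PCI_PREFIX = "pci-dss/v/3.2.1/PCI."


def security_control_id(finding):
    """Return the standard-agnostic control ID for an ASFF finding, or None."""
    # Compliance.SecurityControlId is authoritative when the finding carries it.
    consolidated = finding.get("Compliance", {}).get("SecurityControlId")
    if consolidated:
        return consolidated
    generator_id = finding.get("GeneratorId", "")
    for prefix in SAME_ID_PREFIXES:
        if generator_id.startswith(prefix):
            return generator_id[len(prefix):]
    if generator_id.startswith(PCI_PREFIX):
        # Unknown PCI rows return None instead of guessing a number.
        return PCI_TO_SECURITY_CONTROL.get(generator_id[len(PCI_PREFIX):])
    return None  # a standard not covered by the rows above (for example CIS)


def group_by_control(findings):
    """Group findings by (resource ID, security control ID).

    Returns (groups, unmapped): groups maps each key to the GeneratorId values
    that collapsed into it; unmapped lists GeneratorIds that need a manual rule.
    """
    groups = defaultdict(list)
    unmapped = []
    for finding in findings:
        control_id = security_control_id(finding)
        if control_id is None:
            unmapped.append(finding.get("GeneratorId", ""))
            continue
        for resource in finding.get("Resources", []):
            groups[(resource["Id"], control_id)].append(finding["GeneratorId"])
    return dict(groups), unmapped


# Constructed sample findings (trimmed to the fields used here).
ACCOUNT = "AWS::::Account:111122223333"
EIP = "arn:aws:ec2:us-east-1:111122223333:eip-allocation/eipalloc-0example"
SAMPLE_FINDINGS = [
    {"GeneratorId": "aws-foundational-security-best-practices/v/1.0.0/S3.1",
     "Resources": [{"Id": ACCOUNT}]},
    {"GeneratorId": "pci-dss/v/3.2.1/PCI.S3.6", "Resources": [{"Id": ACCOUNT}]},
    {"GeneratorId": "service-managed-aws-control-tower/v/1.0.0/S3.1",
     "Resources": [{"Id": ACCOUNT}]},
    {"GeneratorId": "security-control/S3.1",
     "Compliance": {"SecurityControlId": "S3.1"},
     "Resources": [{"Id": ACCOUNT}]},
    {"GeneratorId": "pci-dss/v/3.2.1/PCI.EC2.4", "Resources": [{"Id": EIP}]},
    {"GeneratorId": "example-standard/v/0.0.0/X.1", "Resources": [{"Id": EIP}]},
]

if __name__ == "__main__":
    grouped, leftovers = group_by_control(SAMPLE_FINDINGS)
    for key, generator_ids in grouped.items():
        print(key, "<-", generator_ids)
    print("unmapped:", leftovers)
```
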
## How consolidation impacts control IDs and titles
<a name="securityhub-findings-format-changes-ids-titles"></a>

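Consolidated controls view and consolidated control findings standardize control IDs and titles across standards. The terms *security control ID* and *security control title* refer to these standard-agnostic values.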

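The Security Hub CSPM console displays standard-agnostic security control IDs and security control titles, regardless of whether consolidated control findings is enabled or disabled for your account. However, if consolidated control findings is disabled for your account, Security Hub CSPM findings contain standard-specific control titles for PCI DSS and CIS v1.2.0. In addition, Security Hub CSPM findings contain both the standard-specific control ID and the security control ID. For examples of how consolidation impacts control findings, see [Samples of control findings](sample-control-findings.md).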

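For controls that are part of the [AWS Control Tower service-managed standard](service-managed-standard-aws-control-tower.md), the prefix `CT.` is removed from the control ID and title in findings when consolidated control findings is enabled.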

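To disable a security control in Security Hub CSPM, you must disable all standard controls that correspond to the security control. The following table shows the mapping of security control IDs and titles to standard-specific control IDs and titles. IDs and titles for controls that belong to the AWS Foundational Security Best Practices (FSBP) standard are already standard-agnostic. For a mapping of controls to the requirements of Center for Internet Security (CIS) v3.0.0, see [Mapping of controls to CIS requirements in each version](cis-aws-foundations-benchmark.md#cis-version-comparison). To run your own scripts on this table, you can [download it as a .csv file](samples/Consolidation_ID_Title_Changes.csv.zip).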


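| Standard | Standard control ID and title | Security control ID and title | 
| --- | --- | --- | 
|  CIS v1.2.0  |  1.1 Avoid the use of the root user  |  [[CloudWatch.1] A log metric filter and alarm should exist for usage of the "root" user](cloudwatch-controls.md#cloudwatch-1)  | 
|  CIS v1.2.0  |  1.10 Ensure IAM password policy prevents password reuse  |  [[IAM.16] Ensure IAM password policy prevents password reuse](iam-controls.md#iam-16)  | 
|  CIS v1.2.0  |  1.11 Ensure IAM password policy expires passwords within 90 days  |  [[IAM.17] Ensure IAM password policy expires passwords within 90 days](iam-controls.md#iam-17)  | 
|  CIS v1.2.0  |  1.12 Ensure no root user access key exists  |  [[IAM.4] IAM root user access key should not exist](iam-controls.md#iam-4)  | 
|  CIS v1.2.0  |  1.13 Ensure MFA is enabled for the root user  |  [[IAM.9] MFA should be enabled for the root user](iam-controls.md#iam-9)  | 
|  CIS v1.2.0  |  1.14 Ensure hardware MFA is enabled for the root user  |  [[IAM.6] Hardware MFA should be enabled for the root user](iam-controls.md#iam-6)  | 
|  CIS v1.2.0  |  1.16 Ensure IAM policies are attached only to groups or roles  |  [[IAM.2] IAM users should not have IAM policies attached](iam-controls.md#iam-2)  | 
|  CIS v1.2.0  |  1.2 Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password  |  [[IAM.5] MFA should be enabled for all IAM users that have a console password](iam-controls.md#iam-5)  | 
|  CIS v1.2.0  |  1.20 Ensure a support role has been created to manage incidents with Support  |  [[IAM.18] Ensure a support role has been created to manage incidents with AWS Support](iam-controls.md#iam-18)  | 
|  CIS v1.2.0  |  1.22 Ensure IAM policies that allow full "\*:\*" administrative privileges are not created  |  [[IAM.1] IAM policies should not allow full "\*" administrative privileges](iam-controls.md#iam-1)  | 
|  CIS v1.2.0  |  1.3 Ensure credentials unused for 90 days or greater are disabled  |  [[IAM.8] Unused IAM user credentials should be removed](iam-controls.md#iam-8)  | 
|  CIS v1.2.0  |  1.4 Ensure access keys are rotated every 90 days or less  |  [[IAM.3] IAM users' access keys should be rotated every 90 days or less](iam-controls.md#iam-3)  | 
|  CIS v1.2.0  |  1.5 Ensure IAM password policy requires at least one uppercase letter  |  [[IAM.11] Ensure IAM password policy requires at least one uppercase letter](iam-controls.md#iam-11)  | 
|  CIS v1.2.0  |  1.6 Ensure IAM password policy requires at least one lowercase letter  |  [[IAM.12] Ensure IAM password policy requires at least one lowercase letter](iam-controls.md#iam-12)  | 
|  CIS v1.2.0  |  1.7 Ensure IAM password policy requires at least one symbol  |  [[IAM.13] Ensure IAM password policy requires at least one symbol](iam-controls.md#iam-13)  | 
|  CIS v1.2.0  |  1.8 Ensure IAM password policy requires at least one number  |  [[IAM.14] Ensure IAM password policy requires at least one number](iam-controls.md#iam-14)  | 
|  CIS v1.2.0  |  1.9 Ensure IAM password policy requires minimum password length of 14 or greater  |  [[IAM.15] Ensure IAM password policy requires minimum password length of 14 or greater](iam-controls.md#iam-15)  | 
|  CIS v1.2.0  |  2.1 Ensure CloudTrail is enabled in all Regions  |  [[CloudTrail.1] CloudTrail should be enabled and configured with at least one multi-Region trail that includes read and write management events](cloudtrail-controls.md#cloudtrail-1)  | 
|  CIS v1.2.0  |  2.2 Ensure CloudTrail log file validation is enabled  |  [[CloudTrail.4] CloudTrail log file validation should be enabled](cloudtrail-controls.md#cloudtrail-4)  | 
|  CIS v1.2.0  |  2.3 Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible  |  [[CloudTrail.6] Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible](cloudtrail-controls.md#cloudtrail-6)  | 
|  CIS v1.2.0  |  2.4 Ensure CloudTrail trails are integrated with CloudWatch Logs  |  [[CloudTrail.5] CloudTrail trails should be integrated with Amazon CloudWatch Logs](cloudtrail-controls.md#cloudtrail-5)  | 
|  CIS v1.2.0  |  2.5 Ensure AWS Config is enabled  |  [[Config.1] AWS Config should be enabled and use the service-linked role for resource recording](config-controls.md#config-1)  | 
|  CIS v1.2.0  |  2.6 Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket  |  [[CloudTrail.7] Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket](cloudtrail-controls.md#cloudtrail-7)  | 
|  CIS v1.2.0  |  2.7 Ensure CloudTrail logs are encrypted at rest using KMS CMKs  |  [[CloudTrail.2] CloudTrail should have encryption at rest enabled](cloudtrail-controls.md#cloudtrail-2)  | 
|  CIS v1.2.0  |  2.8 Ensure customer-created CMKs are rotated  |  [[KMS.4] AWS KMS key rotation should be enabled](kms-controls.md#kms-4)  | 
|  CIS v1.2.0  |  2.9 Ensure VPC flow logging is enabled in all VPCs  |  [[EC2.6] VPC flow logging should be enabled in all VPCs](ec2-controls.md#ec2-6)  | 
|  CIS v1.2.0  |  3.1 Ensure a log metric filter and alarm exist for unauthorized API calls  |  [[CloudWatch.2] Ensure a log metric filter and alarm exist for unauthorized API calls](cloudwatch-controls.md#cloudwatch-2)  | 
|  CIS v1.2.0  |  3.10 Ensure a log metric filter and alarm exist for security group changes  |  [[CloudWatch.10] Ensure a log metric filter and alarm exist for security group changes](cloudwatch-controls.md#cloudwatch-10)  | 
|  CIS v1.2.0  |  3.11 Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)  |  [[CloudWatch.11] Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)](cloudwatch-controls.md#cloudwatch-11)  | 
|  CIS v1.2.0  |  3.12 Ensure a log metric filter and alarm exist for changes to network gateways  |  [[CloudWatch.12] Ensure a log metric filter and alarm exist for changes to network gateways](cloudwatch-controls.md#cloudwatch-12)  | 
|  CIS v1.2.0  |  3.13 Ensure a log metric filter and alarm exist for route table changes  |  [[CloudWatch.13] Ensure a log metric filter and alarm exist for route table changes](cloudwatch-controls.md#cloudwatch-13)  | 
|  CIS v1.2.0  |  3.14 Ensure a log metric filter and alarm exist for VPC changes  |  [[CloudWatch.14] Ensure a log metric filter and alarm exist for VPC changes](cloudwatch-controls.md#cloudwatch-14)  | 
|  CIS v1.2.0  |  3.2 Ensure a log metric filter and alarm exist for Management Console sign-in without MFA  |  [[CloudWatch.3] Ensure a log metric filter and alarm exist for Management Console sign-in without MFA](cloudwatch-controls.md#cloudwatch-3)  | 
|  CIS v1.2.0  |  3.3 Ensure a log metric filter and alarm exist for usage of the root user  |  [[CloudWatch.1] A log metric filter and alarm should exist for usage of the "root" user](cloudwatch-controls.md#cloudwatch-1)  | 
|  CIS v1.2.0  |  3.4 Ensure a log metric filter and alarm exist for IAM policy changes  |  [[CloudWatch.4] Ensure a log metric filter and alarm exist for IAM policy changes](cloudwatch-controls.md#cloudwatch-4)  | 
|  CIS v1.2.0  |  3.5 Ensure a log metric filter and alarm exist for CloudTrail configuration changes  |  [[CloudWatch.5] Ensure a log metric filter and alarm exist for CloudTrail configuration changes](cloudwatch-controls.md#cloudwatch-5)  | 
|  CIS v1.2.0  |  3.6 Ensure a log metric filter and alarm exist for AWS Management Console authentication failures  |  [[CloudWatch.6] Ensure a log metric filter and alarm exist for AWS Management Console authentication failures](cloudwatch-controls.md#cloudwatch-6)  | 
|  CIS v1.2.0  |  3.7 Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer-created CMKs  |  [[CloudWatch.7] Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer managed keys](cloudwatch-controls.md#cloudwatch-7)  | 
|  CIS v1.2.0  |  3.8 Ensure a log metric filter and alarm exist for S3 bucket policy changes  |  [[CloudWatch.8] Ensure a log metric filter and alarm exist for S3 bucket policy changes](cloudwatch-controls.md#cloudwatch-8)  | 
|  CIS v1.2.0  |  3.9 Ensure a log metric filter and alarm exist for AWS Config configuration changes  |  [[CloudWatch.9] Ensure a log metric filter and alarm exist for AWS Config configuration changes](cloudwatch-controls.md#cloudwatch-9)  | 
|  CIS v1.2.0  |  4.1 Ensure no security groups allow ingress from 0.0.0.0/0 to port 22  |  [[EC2.13] Security groups should not allow ingress from 0.0.0.0/0 or ::/0 to port 22](ec2-controls.md#ec2-13)  | 
|  CIS v1.2.0  |  4.2 Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389  |  [[EC2.14] Security groups should not allow ingress from 0.0.0.0/0 or ::/0 to port 3389](ec2-controls.md#ec2-14)  | 
|  CIS v1.2.0  |  4.3 Ensure the default security group of every VPC restricts all traffic  |  [[EC2.2] VPC default security groups should not allow inbound or outbound traffic](ec2-controls.md#ec2-2)  | 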
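|  CIS v1.4.0  |  1.10 Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password  |  [[IAM.5] MFA should be enabled for all IAM users that have a console password](iam-controls.md#iam-5)  | 
|  CIS v1.4.0  |  1.14 Ensure access keys are rotated every 90 days or less  |  [[IAM.3] IAM users' access keys should be rotated every 90 days or less](iam-controls.md#iam-3)  | 
|  CIS v1.4.0  |  1.16 Ensure IAM policies that allow full "\*:\*" administrative privileges are not attached  |  [[IAM.1] IAM policies should not allow full "\*" administrative privileges](iam-controls.md#iam-1)  | 
|  CIS v1.4.0  |  1.17 Ensure a support role has been created to manage incidents with Support  |  [[IAM.18] Ensure a support role has been created to manage incidents with AWS Support](iam-controls.md#iam-18)  | 
|  CIS v1.4.0  |  1.4 Ensure no root user account access key exists  |  [[IAM.4] IAM root user access key should not exist](iam-controls.md#iam-4)  | 
|  CIS v1.4.0  |  1.5 Ensure MFA is enabled for the root user account  |  [[IAM.9] MFA should be enabled for the root user](iam-controls.md#iam-9)  | 
|  CIS v1.4.0  |  1.6 Ensure hardware MFA is enabled for the root user account  |  [[IAM.6] Hardware MFA should be enabled for the root user](iam-controls.md#iam-6)  | 
|  CIS v1.4.0  |  1.7 Avoid use of the root user for administrative and daily tasks  |  [[CloudWatch.1] A log metric filter and alarm should exist for usage of the "root" user](cloudwatch-controls.md#cloudwatch-1)  | 
|  CIS v1.4.0  |  1.8 Ensure IAM password policy requires minimum length of 14 or greater  |  [[IAM.15] Ensure IAM password policy requires minimum password length of 14 or greater](iam-controls.md#iam-15)  | 
|  CIS v1.4.0  |  1.9 Ensure IAM password policy prevents password reuse  |  [[IAM.16] Ensure IAM password policy prevents password reuse](iam-controls.md#iam-16)  | 
|  CIS v1.4.0  |  2.1.2 Ensure S3 bucket policy is set to deny HTTP requests  |  [[S3.5] S3 general purpose buckets should require requests to use SSL](s3-controls.md#s3-5)  | 
|  CIS v1.4.0  |  2.1.5.1 S3 Block Public Access setting should be enabled  |  [[S3.1] S3 general purpose buckets should have block public access settings enabled](s3-controls.md#s3-1)  | 
|  CIS v1.4.0  |  2.1.5.2 S3 Block Public Access setting should be enabled at the bucket level  |  [[S3.8] S3 general purpose buckets should block public access](s3-controls.md#s3-8)  | 
|  CIS v1.4.0  |  2.2.1 Ensure EBS volume encryption is enabled  |  [[EC2.7] EBS default encryption should be enabled](ec2-controls.md#ec2-7)  | 
|  CIS v1.4.0  |  2.3.1 Ensure that encryption is enabled for RDS instances  |  [[RDS.3] RDS DB instances should have encryption at rest enabled](rds-controls.md#rds-3)  | 
|  CIS v1.4.0  |  3.1 Ensure CloudTrail is enabled in all Regions  |  [[CloudTrail.1] CloudTrail should be enabled and configured with at least one multi-Region trail that includes read and write management events](cloudtrail-controls.md#cloudtrail-1)  | 
|  CIS v1.4.0  |  3.2 Ensure CloudTrail log file validation is enabled  |  [[CloudTrail.4] CloudTrail log file validation should be enabled](cloudtrail-controls.md#cloudtrail-4)  | 
|  CIS v1.4.0  |  3.4 Ensure CloudTrail trails are integrated with CloudWatch Logs  |  [[CloudTrail.5] CloudTrail trails should be integrated with Amazon CloudWatch Logs](cloudtrail-controls.md#cloudtrail-5)  | 
|  CIS v1.4.0  |  3.5 Ensure AWS Config is enabled in all Regions  |  [[Config.1] AWS Config should be enabled and use the service-linked role for resource recording](config-controls.md#config-1)  | 
|  CIS v1.4.0  |  3.6 Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket  |  [[CloudTrail.7] Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket](cloudtrail-controls.md#cloudtrail-7)  | 
|  CIS v1.4.0  |  3.7 Ensure CloudTrail logs are encrypted at rest using KMS CMKs  |  [[CloudTrail.2] CloudTrail should have encryption at rest enabled](cloudtrail-controls.md#cloudtrail-2)  | 
|  CIS v1.4.0  |  3.8 Ensure rotation for customer-created CMKs is enabled  |  [[KMS.4] AWS KMS key rotation should be enabled](kms-controls.md#kms-4)  | 
|  CIS v1.4.0  |  3.9 Ensure VPC flow logging is enabled in all VPCs  |  [[EC2.6] VPC flow logging should be enabled in all VPCs](ec2-controls.md#ec2-6)  | 
|  CIS v1.4.0  |  4.4 Ensure a log metric filter and alarm exist for IAM policy changes  |  [[CloudWatch.4] Ensure a log metric filter and alarm exist for IAM policy changes](cloudwatch-controls.md#cloudwatch-4)  | 
|  CIS v1.4.0  |  4.5 Ensure a log metric filter and alarm exist for CloudTrail configuration changes  |  [[CloudWatch.5] Ensure a log metric filter and alarm exist for CloudTrail configuration changes](cloudwatch-controls.md#cloudwatch-5)  | 
|  CIS v1.4.0  |  4.6 Ensure a log metric filter and alarm exist for AWS Management Console authentication failures  |  [[CloudWatch.6] Ensure a log metric filter and alarm exist for AWS Management Console authentication failures](cloudwatch-controls.md#cloudwatch-6)  | 
|  CIS v1.4.0  |  4.7 Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer-created CMKs  |  [[CloudWatch.7] Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer managed keys](cloudwatch-controls.md#cloudwatch-7)  | 
|  CIS v1.4.0  |  4.8 Ensure a log metric filter and alarm exist for S3 bucket policy changes  |  [[CloudWatch.8] Ensure a log metric filter and alarm exist for S3 bucket policy changes](cloudwatch-controls.md#cloudwatch-8)  | 
|  CIS v1.4.0  |  4.9 Ensure a log metric filter and alarm exist for AWS Config configuration changes  |  [[CloudWatch.9] Ensure a log metric filter and alarm exist for AWS Config configuration changes](cloudwatch-controls.md#cloudwatch-9)  | 
|  CIS v1.4.0  |  4.10 Ensure a log metric filter and alarm exist for security group changes  |  [[CloudWatch.10] Ensure a log metric filter and alarm exist for security group changes](cloudwatch-controls.md#cloudwatch-10)  | 
|  CIS v1.4.0  |  4.11 Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)  |  [[CloudWatch.11] Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)](cloudwatch-controls.md#cloudwatch-11)  | 
|  CIS v1.4.0  |  4.12 Ensure a log metric filter and alarm exist for changes to network gateways  |  [[CloudWatch.12] Ensure a log metric filter and alarm exist for changes to network gateways](cloudwatch-controls.md#cloudwatch-12)  | 
|  CIS v1.4.0  |  4.13 Ensure a log metric filter and alarm exist for route table changes  |  [[CloudWatch.13] Ensure a log metric filter and alarm exist for route table changes](cloudwatch-controls.md#cloudwatch-13)  | 
|  CIS v1.4.0  |  4.14 Ensure a log metric filter and alarm exist for VPC changes  |  [[CloudWatch.14] Ensure a log metric filter and alarm exist for VPC changes](cloudwatch-controls.md#cloudwatch-14)  | 
|  CIS v1.4.0  |  5.1 Ensure no network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports  |  [[EC2.21] Network ACLs should not allow ingress from 0.0.0.0/0 to port 22 or port 3389](ec2-controls.md#ec2-21)  | 
|  CIS v1.4.0  |  5.3 Ensure the default security group of every VPC restricts all traffic  |  [[EC2.2] VPC default security groups should not allow inbound or outbound traffic](ec2-controls.md#ec2-2)  | 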
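|  PCI DSS v3.2.1  |  PCI.AutoScaling.1 Auto Scaling groups associated with a load balancer should use load balancer health checks  |  [[AutoScaling.1] Auto Scaling groups associated with a load balancer should use ELB health checks](autoscaling-controls.md#autoscaling-1)  | 
|  PCI DSS v3.2.1  |  PCI.CloudTrail.1 CloudTrail logs should be encrypted at rest using AWS KMS CMKs  |  [[CloudTrail.2] CloudTrail should have encryption at rest enabled](cloudtrail-controls.md#cloudtrail-2)  | 
|  PCI DSS v3.2.1  |  PCI.CloudTrail.2 CloudTrail should be enabled  |  [[CloudTrail.3] At least one CloudTrail trail should be enabled](cloudtrail-controls.md#cloudtrail-3)  | 
|  PCI DSS v3.2.1  |  PCI.CloudTrail.3 CloudTrail log file validation should be enabled  |  [[CloudTrail.4] CloudTrail log file validation should be enabled](cloudtrail-controls.md#cloudtrail-4)  | 
|  PCI DSS v3.2.1  |  PCI.CloudTrail.4 CloudTrail trails should be integrated with Amazon CloudWatch Logs  |  [[CloudTrail.5] CloudTrail trails should be integrated with Amazon CloudWatch Logs](cloudtrail-controls.md#cloudtrail-5)  | 
|  PCI DSS v3.2.1  |  PCI.CodeBuild.1 CodeBuild GitHub or Bitbucket source repository URLs should use OAuth  |  [[CodeBuild.1] CodeBuild Bitbucket source repository URLs should not contain sensitive credentials](codebuild-controls.md#codebuild-1)  | 
|  PCI DSS v3.2.1  |  PCI.CodeBuild.2 CodeBuild project environment variables should not contain clear text credentials  |  [[CodeBuild.2] CodeBuild project environment variables should not contain clear text credentials](codebuild-controls.md#codebuild-2)  | 
|  PCI DSS v3.2.1  |  PCI.Config.1 AWS Config should be enabled  |  [[Config.1] AWS Config should be enabled and use the service-linked role for resource recording](config-controls.md#config-1)  | 
|  PCI DSS v3.2.1  |  PCI.CW.1 A log metric filter and alarm should exist for usage of the "root" user  |  [[CloudWatch.1] A log metric filter and alarm should exist for usage of the "root" user](cloudwatch-controls.md#cloudwatch-1)  | 
|  PCI DSS v3.2.1  |  PCI.DMS.1 Database Migration Service replication instances should not be public  |  [[DMS.1] Database Migration Service replication instances should not be public](dms-controls.md#dms-1)  | 
|  PCI DSS v3.2.1  |  PCI.EC2.1 EBS snapshots should not be publicly restorable  |  [[EC2.1] Amazon EBS snapshots should not be publicly restorable](ec2-controls.md#ec2-1)  | 
|  PCI DSS v3.2.1  |  PCI.EC2.2 VPC default security group should prohibit inbound and outbound traffic  |  [[EC2.2] VPC default security groups should not allow inbound or outbound traffic](ec2-controls.md#ec2-2)  | 
|  PCI DSS v3.2.1  |  PCI.EC2.4 Unused EC2 EIPs should be removed  |  [[EC2.12] Unused Amazon EC2 EIPs should be removed](ec2-controls.md#ec2-12)  | 
|  PCI DSS v3.2.1  |  PCI.EC2.5 Security groups should not allow ingress from 0.0.0.0/0 to port 22  |  [[EC2.13] Security groups should not allow ingress from 0.0.0.0/0 or ::/0 to port 22](ec2-controls.md#ec2-13)  | 
|  PCI DSS v3.2.1  |  PCI.EC2.6 VPC flow logging should be enabled in all VPCs  |  [[EC2.6] VPC flow logging should be enabled in all VPCs](ec2-controls.md#ec2-6)  | 
|  PCI DSS v3.2.1  |  PCI.ELBv2.1 Application Load Balancer should be configured to redirect all HTTP requests to HTTPS  |  [[ELB.1] Application Load Balancer should be configured to redirect all HTTP requests to HTTPS](elb-controls.md#elb-1)  | 
|  PCI DSS v3.2.1  |  PCI.ES.1 Elasticsearch domains should be in a VPC  |  [[ES.2] Elasticsearch domains should not be publicly accessible](es-controls.md#es-2)  | 
|  PCI DSS v3.2.1  |  PCI.ES.2 Elasticsearch domains should have encryption at rest enabled  |  [[ES.1] Elasticsearch domains should have encryption at rest enabled](es-controls.md#es-1)  | 
|  PCI DSS v3.2.1  |  PCI.GuardDuty.1 GuardDuty should be enabled  |  [[GuardDuty.1] GuardDuty should be enabled](guardduty-controls.md#guardduty-1)  | 
|  PCI DSS v3.2.1  |  PCI.IAM.1 IAM root user access key should not exist  |  [[IAM.4] IAM root user access key should not exist](iam-controls.md#iam-4)  | 
|  PCI DSS v3.2.1  |  PCI.IAM.2 IAM users should not have IAM policies attached  |  [[IAM.2] IAM users should not have IAM policies attached](iam-controls.md#iam-2)  | 
|  PCI DSS v3.2.1  |  PCI.IAM.3 IAM policies should not allow full "\*" administrative privileges  |  [[IAM.1] IAM policies should not allow full "\*" administrative privileges](iam-controls.md#iam-1)  | 
|  PCI DSS v3.2.1  |  PCI.IAM.4 Hardware MFA should be enabled for the root user  |  [[IAM.6] Hardware MFA should be enabled for the root user](iam-controls.md#iam-6)  | 
|  PCI DSS v3.2.1  |  PCI.IAM.5 Virtual MFA should be enabled for the root user  |  [[IAM.9] MFA should be enabled for the root user](iam-controls.md#iam-9)  | 
|  PCI DSS v3.2.1  |  PCI.IAM.6 MFA should be enabled for all IAM users  |  [[IAM.19] MFA should be enabled for all IAM users](iam-controls.md#iam-19)  | 
|  PCI DSS v3.2.1  |  PCI.IAM.7 IAM user credentials should be disabled if not used within a predefined number of days  |  [[IAM.8] Unused IAM user credentials should be removed](iam-controls.md#iam-8)  | 
|  PCI DSS v3.2.1  |  PCI.IAM.8 Password policies for IAM users should have strong configurations  |  [[IAM.10] Password policies for IAM users should have strong configurations](iam-controls.md#iam-10)  | 
|  PCI DSS v3.2.1  |  PCI.KMS.1 Customer master key (CMK) rotation should be enabled  |  [[KMS.4] AWS KMS key rotation should be enabled](kms-controls.md#kms-4)  | 
|  PCI DSS v3.2.1  |  PCI.Lambda.1 Lambda functions should prohibit public access  |  [[Lambda.1] Lambda function policies should prohibit public access](lambda-controls.md#lambda-1)  | 
|  PCI DSS v3.2.1  |  PCI.Lambda.2 Lambda functions should be in a VPC  |  [[Lambda.3] Lambda functions should be in a VPC](lambda-controls.md#lambda-3)  | 
|  PCI DSS v3.2.1  |  PCI.Opensearch.1 OpenSearch domains should be in a VPC  |  [[Opensearch.2] OpenSearch domains should not be publicly accessible](opensearch-controls.md#opensearch-2)  | 
|  PCI DSS v3.2.1  |  PCI.Opensearch.2 EBS snapshots should not be publicly restorable  |  [[Opensearch.1] OpenSearch domains should have encryption at rest enabled](opensearch-controls.md#opensearch-1)  | 
|  PCI DSS v3.2.1  |  PCI.RDS.1 RDS snapshots should be private  |  [[RDS.1] RDS snapshots should be private](rds-controls.md#rds-1)  | 
|  PCI DSS v3.2.1  |  PCI.RDS.2 RDS DB instances should prohibit public access  |  [[RDS.2] RDS DB instances should prohibit public access, as determined by the PubliclyAccessible configuration](rds-controls.md#rds-2)  | 
|  PCI DSS v3.2.1  |  PCI.Redshift.1 Amazon Redshift clusters should prohibit public access  |  [[Redshift.1] Amazon Redshift clusters should prohibit public access](redshift-controls.md#redshift-1)  | 
|  PCI DSS v3.2.1  |  PCI.S3.1 S3 buckets should prohibit public write access  |  [[S3.3] S3 general purpose buckets should block public write access](s3-controls.md#s3-3)  | 
|  PCI DSS v3.2.1  |  PCI.S3.2 S3 buckets should prohibit public read access  |  [[S3.2] S3 general purpose buckets should block public read access](s3-controls.md#s3-2)  | 
|  PCI DSS v3.2.1  |  PCI.S3.3 S3 buckets should have cross-Region replication enabled  |  [[S3.7] S3 general purpose buckets should use cross-Region replication](s3-controls.md#s3-7)  | 
|  PCI DSS v3.2.1  |  PCI.S3.5 S3 buckets should require requests to use Secure Socket Layer  |  [[S3.5] S3 general purpose buckets should require requests to use SSL](s3-controls.md#s3-5)  | 
|  PCI DSS v3.2.1  |  PCI.S3.6 S3 Block Public Access setting should be enabled  |  [[S3.1] S3 general purpose buckets should have block public access settings enabled](s3-controls.md#s3-1)  | 
|  PCI DSS v3.2.1  |  PCI.SageMaker.1 Amazon SageMaker notebook instances should not have direct internet access  |  [[SageMaker.1] Amazon SageMaker notebook instances should not have direct internet access](sagemaker-controls.md#sagemaker-1)  | 
|  PCI DSS v3.2.1  |  PCI.SSM.1 EC2 instances managed by Systems Manager should have a patch compliance status of COMPLIANT after a patch installation  |  [[SSM.2] Amazon EC2 instances managed by Systems Manager should have a patch compliance status of COMPLIANT after a patch installation](ssm-controls.md#ssm-2)  | 
|  PCI DSS v3.2.1  |  PCI.SSM.2 EC2 instances managed by Systems Manager should have an association compliance status of COMPLIANT  |  [[SSM.3] Amazon EC2 instances managed by Systems Manager should have an association compliance status of COMPLIANT](ssm-controls.md#ssm-3)  | 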
|  PCI DSS v3.2.1  |  PCI.SSM.3 EC2 執行個體應該由 管理 AWS Systems Manager  |  [【SSM.1】 Amazon EC2 執行個體應該由 管理 AWS Systems Manager](ssm-controls.md#ssm-1)  | 

## Updating workflows for consolidation
<a name="securityhub-findings-format-changes-prepare"></a>

If your workflows don't rely on the specific format of any fields in control findings, no action is required.

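If your workflows rely on the specific format of one or more fields in control findings, as noted in the preceding tables, you should update your workflows. For example, if you created an Amazon EventBridge rule that triggers an action for a specific control ID, such as invoking an AWS Lambda function if the control ID equals CIS 2.7, update the rule to use CloudTrail.2, which is the value of the `Compliance.SecurityControlId` field for that control.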
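One way to make this update, as an added example that is not part of the AWS documentation: the script builds an EventBridge event pattern keyed on `Compliance.SecurityControlId` from legacy standard-based IDs, using a small excerpt of the mappings on this page. The helper names and the sample event are constructed for illustration, and `matches` is a simplified local check, not the EventBridge matching engine.

```python
import json

# Excerpt of the legacy-to-consolidated control ID mappings listed on this page.
LEGACY_TO_CONSOLIDATED = {
    "CIS 2.7": "CloudTrail.2",
    "PCI.EC2.4": "EC2.12",
    "PCI.IAM.1": "IAM.4",
    "PCI.S3.6": "S3.1",
}

def consolidated_pattern(legacy_ids):
    """Build an EventBridge event pattern keyed on Compliance.SecurityControlId.

    Raises KeyError for an ID missing from the mapping, so an unmapped rule
    fails loudly instead of silently matching nothing.
    """
    ids = sorted({LEGACY_TO_CONSOLIDATED[i] for i in legacy_ids})
    return {
        "source": ["aws.securityhub"],
        "detail-type": ["Security Hub Findings - Imported"],
        "detail": {"findings": {"Compliance": {"SecurityControlId": ids}}},
    }

def matches(pattern, event):
    """Simplified local matcher (assumption: exact-value matching only)."""
    if isinstance(pattern, dict):
        if isinstance(event, list):  # a pattern matches an array if any element matches
            return any(matches(pattern, e) for e in event)
        return isinstance(event, dict) and all(
            k in event and matches(v, event[k]) for k, v in pattern.items()
        )
    # Leaf: the pattern is a list of allowed values.
    values = event if isinstance(event, list) else [event]
    return any(v in pattern for v in values)

# Constructed sample event, trimmed to the fields the pattern inspects.
SAMPLE_EVENT = {
    "source": "aws.securityhub",
    "detail-type": "Security Hub Findings - Imported",
    "detail": {"findings": [
        {"Compliance": {"SecurityControlId": "CloudTrail.2", "Status": "FAILED"}}
    ]},
}

if __name__ == "__main__":
    pattern = consolidated_pattern(["CIS 2.7"])
    print(json.dumps(pattern, indent=2))
    print("matches sample event:", matches(pattern, SAMPLE_EVENT))
```

Because `Compliance.SecurityControlId` is the same across standards, one pattern covers a control wherever it is enabled.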

If you created [custom insights](securityhub-custom-insights.md) that use any of the fields or values that changed, update those insights to use the new fields or values.