控制問題清單所需的AWS Config資源 - AWSSecurity Hub
所有 Security Hub CSPM 控制項的必要資源AWS基礎安全最佳實務標準的必要資源CIS AWSFoundations Benchmark 的必要資源NIST SP 800-53 修訂版 5 標準所需的資源NIST SP 800-171 修訂版 2 標準的必要資源PCI DSS v3.2.1 的必要資源資源標記標準所需的AWS資源

本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。

控制問題清單所需的AWS Config資源

在 AWSSecurity Hub CSPM 中,某些控制項使用服務連結AWS Config規則來偵測AWS資源中的組態變更。若要讓 Security Hub CSPM 產生這些控制項的準確調查結果,您必須在其中啟用AWS Config和開啟資源錄製AWS Config。如需 Security Hub CSPM 如何使用AWS Config規則以及如何啟用和設定的詳細資訊AWS Config,請參閱 啟用和設定 AWS Config Security Hub CSPM。如需資源錄製的詳細資訊,請參閱《 AWS Config開發人員指南》中的使用組態記錄器

若要接收準確的控制調查結果,您必須為具有變更觸發排程類型的已啟用控制項開啟AWS Config資源記錄。有些具有定期排程類型的控制項也需要資源記錄。此頁面列出這些 Security Hub CSPM 控制項所需的資源。

Security Hub CSPM 控制項可以依賴受管AWS Config規則或自訂 Security Hub CSPM 規則。請確定沒有任何 AWS Identity and Access Management(IAM) 政策或 AWS Organizations受管政策AWS Config會阻止 擁有記錄 資源的許可。Security Hub CSPM 控制項會直接評估資源組態,且不考慮AWS Organizations政策。

注意

在無法使用控制項AWS 區域的情況下,對應的資源無法使用AWS Config。如需這些限制的清單,請參閱 Security Hub CSPM 控制項的區域限制

所有 Security Hub CSPM 控制項的必要資源

若要讓 Security Hub CSPM 為已啟用並使用 AWS Config規則的變更觸發控制項產生調查結果,您必須在其中記錄下列類型的資源AWS Config。此資料表也會指出哪些控制項會評估特定類型的資源。單一控制項可能會評估一種以上的資源類型。

AWS 服務 資源類型 相關控制項
AWS Amplify AWS::Amplify::App

Amplify.1
AWS::Amplify::Branch

Amplify.2
Amazon API Gateway AWS::ApiGateway::Stage

APIGateway.1

APIGateway.2

APIGateway.3

APIGateway.4

APIGateway.5
AWS::ApiGatewayV2::Stage

APIGateway.1

APIGateway.9
AWS AppConfig AWS::AppConfig::Application

AppConfig.1
AWS::AppConfig::ConfigurationProfile

AppConfig.2
AWS::AppConfig::Environment

AppConfig.3
AWS::AppConfig::ExtensionAssociation

AppConfig.4
Amazon AppFlow AWS::AppFlow::Flow

AppFlow.1
AWS App Runner AWS::AppRunner::Service

AppRunner.1
AWS::AppRunner::VpcConnector

AppRunner.2
AWS AppSync AWS::AppSync::GraphQLApi

AppSync.2

AppSync.4

AppSync.5
AWS::AppSync::ApiCache

AppSync.1

AppSync.6
AWS Backup AWS::Backup::BackupPlan

備份。5
AWS::Backup::BackupVault

備份。3
AWS::Backup::RecoveryPoint

備份。1

備份。2
AWS::Backup::ReportPlan

備份。4
AWS Batch AWS::Batch::ComputeEnvironment

Batch.3

Batch.4
AWS::Batch::JobQueue

Batch.1
AWS::Batch::SchedulingPolicy

Batch.2
AWS Certificate Manager(ACM) AWS::ACM::Certificate

ACM.1

ACM.2

ACM.3
Amazon Athena AWS::Athena::DataCatalog Athena.2
AWS::Athena::WorkGroup

Athena.3

Athena.4
AWS CloudFormation AWS::CloudFormation::Stack

CloudFormation.2

CloudFormation.3

CloudFormation.4
Amazon CloudFront AWS::CloudFront::Distribution

CloudFront.1

CloudFront.3

CloudFront.4

CloudFront.5

CloudFront.6

CloudFront.7

CloudFront.8

CloudFront.9

CloudFront.10

CloudFront.13

CloudFront.14

CloudFront.15

CloudFront.16

CloudFront.17
AWS CloudTrail AWS::CloudTrail::Trail CloudTrail.9
Amazon CloudWatch AWS::CloudWatch::Alarm

CloudWatch.15

CloudWatch.17
AWS CodeArtifact AWS::CodeArtifact::Repository CodeArtifact.1
AWS CodeBuild AWS::CodeBuild::Project

CodeBuild.1

CodeBuild.2

CodeBuild.3

CodeBuild.4
AWS::CodeBuild::ReportGroup

CodeBuild.7
Amazon CodeGuru Profiler AWS::CodeGuruProfiler::ProfilingGroup CodeGuruProfiler.1
Amazon CodeGuru Reviewer AWS::CodeGuruReviewer::RepositoryAssociation CodeGuruReviewer.1
Amazon Cognito AWS::Cognito::IdentityPool Cognito.2
AWS::Cognito::UserPool

Cognito.1

Cognito.3

Cognito.4

Cognito.5

Cognito.6
Amazon Connect AWS::CustomerProfiles::ObjectType Connect.1
AWS::Connect::Instance Connect.2
AWS DataSync AWS::DataSync::Task

DataSync.1

DataSync.2
Amazon Detective AWS::Detective::Graph Detective.1
AWS Database Migration Service(AWS DMS) AWS::DMS::Certificate

DMS.2
AWS::DMS::Endpoint

DMS.9

DMS.10

DMS.11

DMS.12
AWS::DMS::EventSubscription DMS.3
AWS::DMS::ReplicationInstance

DMS.4

DMS.6

DMS.13
AWS::DMS::ReplicationSubnetGroup DMS.5
AWS::DMS::ReplicationTask

DMS.7

DMS.8
Amazon DynamoDB AWS::DynamoDB::Table

DynamoDB.1

DynamoDB.2

DynamoDB.5

DynamoDB.6
Amazon Elastic Compute Cloud (EC2) AWS::EC2::ClientVpnEndpoint

EC2.51
AWS::EC2::CustomerGateway EC2.36
AWS::EC2::DHCPOptions EC2.174
AWS::EC2::EIP

EC2.12

EC2.37
AWS::EC2::FlowLog EC2.48
AWS::EC2::Instance

EC2.4

EC2.8

EC2.9

EC2.17

EC2.24

EC2.38

EMR.1

SSM.1
AWS::EC2::InternetGateway

EC2.39
AWS::EC2::LaunchTemplate

EC2.25

EC2.170

EC2.175

EC2.181
AWS::EC2::NatGateway

EC2.40
AWS::EC2::NetworkAcl

EC2.16

EC2.21

EC2.41
AWS::EC2::NetworkInterface

EC2.22

EC2.35

EC2.180
AWS::EC2::PrefixList EC2.176
AWS::EC2::RouteTable EC2.42
AWS::EC2::SecurityGroup

EC2.2

EC2.13

EC2.14

EC2.18

EC2.19

EC2.43
AWS::EC2::SnapshotBlockPublicAccess

EC2.182
AWS::EC2::SpotFleet EC2.173
AWS::EC2::Subnet

EC2.15

EC2.44

ElastiCache.7
AWS::EC2::TrafficMirrorFilter EC2.178
AWS::EC2::TrafficMirrorSession EC2.177
AWS::EC2::TrafficMirrorTarget EC2.179
AWS::EC2::TransitGateway

EC2.23

EC2.52
AWS::EC2::TransitGatewayAttachment EC2.33
AWS::EC2::TransitGatewayRouteTable EC2.34
AWS::EC2::Volume

EC2.3

EC2.45
AWS::EC2::VPC

EC2.6

EC2.46
AWS::EC2::VPCBlockPublicAccessOptions

EC2.172
AWS::EC2::VPCEndpointService EC2.47
AWS::EC2::VPCPeeringConnection EC2.49
AWS::EC2::VPNConnection EC2.20

EC2.171
AWS::EC2::VPNGateway EC2.50
Amazon EC2 Auto Scaling AWS::AutoScaling::AutoScalingGroup

AutoScaling.1

AutoScaling.2

AutoScaling.6

AutoScaling.9

AutoScaling.10
AWS::AutoScaling::LaunchConfiguration

AutoScaling.3

Autoscaling.5
Amazon EC2 Systems Manager (SSM) AWS::SSM::AssociationCompliance

SSM.3
AWS::SSM::ManagedInstanceInventory

SSM.1
AWS::SSM::PatchCompliance

SSM.2
Amazon Elastic Container Registry (Amazon ECR) AWS::ECR::PublicRepository ECR.4
AWS::ECR::Repository

ECR.2

ECR.3

ECR.5
Amazon Elastic Container Service (Amazon ECS) AWS::ECS::Cluster

ECS.12

ECS.14
AWS::ECS::CapacityProvider

ECS.19
AWS::ECS::Service

ECS.2

ECS.10

ECS.13
AWS::ECS::TaskDefinition

ECS.1

ECS.3

ECS.4

ECS.5

ECS.8

ECS.9

ECS.15

ECS.17

ECS.18

ECS.20

ECS.21
AWS::ECS::TaskSet

ECS.16
Amazon Elastic File System (Amazon EFS) AWS::EFS::AccessPoint

EFS.3

EFS.4

EFS.5
AWS::EFS::FileSystem

EFS.7

EFS.8
Amazon Elastic Kubernetes Service (Amazon EKS) AWS::EKS::Cluster

EKS.2

EKS.6

EKS.8
AWS::EKS::IdentityProviderConfig EKS.7
AWS Elastic Beanstalk AWS::ElasticBeanstalk::Environment

ElasticBeanstalk.1

ElasticBeanstalk.2

ElasticBeanstalk.3
Elastic Load Balancing AWS::ElasticLoadBalancing::LoadBalancer

ELB.2

ELB.3

ELB.5

ELB.7

ELB.8

ELB.9

ELB.10

ELB.14
AWS::ElasticLoadBalancingV2::Listener

ELB.17

ELB.18
AWS::ElasticLoadBalancingV2::LoadBalancer

ELB.1

ELB.4

ELB.5

ELB.6

ELB.12

ELB.13

ELB.16
ElasticSearch AWS::Elasticsearch::Domain

ES.3

ES.4

ES.5

ES.6

ES.7

ES.8

ES.9
Amazon EMR AWS::EMR::SecurityConfiguration

EMR.3

EMR.4
Amazon EventBridge AWS::Events::EventBus

EventBridge.2

EventBridge.3
AWS::Events::Endpoint

EventBridge.4
Amazon Fraud Detector AWS::FraudDetector::EntityType

FraudDetector.1
AWS::FraudDetector::Label

FraudDetector.2
AWS::FraudDetector::Outcome

FraudDetector.3
AWS::FraudDetector::Variable

FraudDetector.4
AWS Global Accelerator AWS::GlobalAccelerator::Accelerator

GlobalAccelerator.1
AWS Glue AWS::Glue::Job

Glue.1

Glue.4
AWS::Glue::MLTransform

Glue.3
Amazon GuardDuty AWS::GuardDuty::Detector

GuardDuty.4
AWS::GuardDuty::Filter

GuardDuty.2
AWS::GuardDuty::IPSet

GuardDuty.3
AWS Identity and Access Management(IAM) AWS::IAM::Group

IAM.27

KMS.2
AWS::IAM::Policy

IAM.1

IAM.21

KMS.1
AWS::IAM::Role

IAM.24

IAM.27

KMS.2
AWS::IAM::User

IAM.2

IAM.3

IAM.5

IAM.8

IAM.19

IAM.22

IAM.25

IAM.27

KMS.2
AWS Identity and Access Management Access Analyzer AWS::AccessAnalyzer::Analyzer

IAM.23
Amazon Interactive Video Service (Amazon IVS) AWS::IVS::PlaybackKeyPair

IVS.1
AWS::IVS::RecordingConfiguration

IVS.2
AWS::IVS::Channel

IVS.3
AWS IoT AWS::IoT::Authorizer

IoT.4
AWS::IoT::Dimension

IoT.3
AWS::IoT::MitigationAction

IoT.2
AWS::IoT::Policy

IoT.6
AWS::IoT::RoleAlias

IoT.5
AWS::IoT::SecurityProfile

IoT.1
AWSIoT 事件 AWS::IoTEvents::AlarmModel

IoTEvents.3
AWS::IoTEvents::DetectorModel

IoTEvents.2
AWS::IoTEvents::Input

IoTEvents.1
AWSIoT SiteWise AWS::IoTSiteWise::AssetModel

IoTSiteWise.1
AWS::IoTSiteWise::Dashboard

IoTSiteWise.2
AWS::IoTSiteWise::Gateway

IoTSiteWise.3
AWS::IoTSiteWise::Portal

IoTSiteWise.4
AWS::IoTSiteWise::Project

IoTSiteWise.5
AWSIoT TwinMaker AWS::IoTTwinMaker::Entity

IoTTwinMaker.4
AWS::IoTTwinMaker::Scene

IoTTwinMaker.3
AWS::IoTTwinMaker::SyncJob

IoTTwinMaker.1
AWS::IoTTwinMaker::Workspace

IoTTwinMaker.2
AWSIoT Wireless AWS::IoTWireless::MulticastGroup

IoTWireless.1
AWS::IoTWireless::ServiceProfile

IoTWireless.2
AWS::IoTWireless::FuotaTask

IoTWireless.3
Amazon Keyspaces (適用於 Apache Cassandra) AWS::Cassandra::Keyspace

鍵空間。1
Amazon Kinesis AWS::Kinesis::Stream

Kinesis.1

Kinesis.2

Kinesis.3
AWS Key Management Service(AWS KMS) AWS::KMS::Alias

S3.17
AWS::KMS::Key

KMS.3

KMS.5

S3.17
AWS Lambda AWS::Lambda::Function

Lambda.1

Lambda.2

Lambda.3

Lambda.5

Lambda.6

Lambda.7
Amazon MSK AWS::MSK::Cluster

MSK.1

MSK.2

MSK.4

MSK.6
AWS::KafkaConnect::Connector

MSK.3

MSK.5
Amazon MQ AWS::AmazonMQ::Broker

MQ.2

MQ.3

MQ.4

MQ.5

MQ.6
AWS Network Firewall AWS::NetworkFirewall::Firewall

NetworkFirewall.1

NetworkFirewall.7

NetworkFirewall.9

NetworkFirewall.10
AWS::NetworkFirewall::FirewallPolicy

NetworkFirewall.3

NetworkFirewall.4

NetworkFirewall.5

NetworkFirewall.8
AWS::NetworkFirewall::RuleGroup

NetworkFirewall.6
Amazon OpenSearch Service AWS::OpenSearch::Domain

Opensearch.1

Opensearch.2

Opensearch.3

Opensearch.4

Opensearch.5

Opensearch.6

Opensearch.7

Opensearch.8

Opensearch.9

Opensearch.10

Opensearch.11
AWS 私有 CA AWS::ACMPCA::CertificateAuthority

PCA.2
Amazon Relational Database Service (Amazon RDS) AWS::RDS::DBCluster

DocumentDB.1

DocumentDB.2

DocumentDB.4

DocumentDB.5

Neptune.1

Neptune.2

Neptune.4

Neptune.5

Neptune.7

Neptune.8

Neptune.9

RDS.7

RDS.12

RDS.14

RDS.15

RDS.16

RDS.24

RDS.27

RDS.28

RDS.34

RDS.35

RDS.37

RDS.47

RDS.48
AWS::RDS::DBClusterSnapshot

DocumentDB.3

Neptune.3

Neptune.6

RDS.1

RDS.4

RDS.29
AWS::RDS::DBInstance

RDS.2

RDS.3

RDS.5

RDS.6

RDS.8

RDS.9

RDS.10

RDS.11

RDS.13

RDS.17

RDS.18

RDS.23

RDS.25

RDS.30

RDS.36

RDS.40
AWS::RDS::DBSecurityGroup

RDS.31
AWS::RDS::DBSnapshot

RDS.1

RDS.4

RDS.32
AWS::RDS::DBSubnetGroup

RDS.33
AWS::RDS::EventSubscription

RDS.19

RDS.20

RDS.21

RDS.22
Amazon Redshift AWS::Redshift::Cluster

Redshift.1

Redshift.2

Redshift.3

Redshift.4

Redshift.6

Redshift.7

Redshift.8

Redshift.10

Redshift.11

Redshift.18
AWS::Redshift::ClusterParameterGroup

Redshift.2

Redshift.17
AWS::Redshift::ClusterSnapshot

Redshift.13
AWS::Redshift::ClusterSubnetGroup

Redshift.14

Redshift.16
AWS::Redshift::EventSubscription

Redshift.12
Amazon Route 53 AWS::Route53::HostedZone

Route53.2
AWS::Route53::HealthCheck

Route53.1
Amazon Simple Storage Service (Amazon S3) AWS::S3::AccessPoint

S3.19
AWS::S3::AccountPublicAccessBlock

S3.2

S3.3
AWS::S3::Bucket

CloudTrail.6

CloudTrail.7

S3.2

S3.3

S3.5

S3.6

S3.7

S3.8

S3.9

S3.10

S3.11

S3.12

S3.13

S3.14

S3.15

S3.17

S3.20
AWS::S3::MultiRegionAccessPoint

S3.24
AWS::S3Express::DirectoryBucket

S3.25
Amazon SageMaker AI AWS::SageMaker::AppImageConfig

SageMaker.6
AWS::SageMaker::Image

SageMaker.7
AWS::SageMaker::Model

SageMaker.5
AWS::SageMaker::NotebookInstance

SageMaker.2

SageMaker.3
AWS Secrets Manager AWS::SecretsManager::Secret

SecretsManager.1

SecretsManager.2

SecretsManager.5
AWS Service Catalog AWS::ServiceCatalog::Portfolio

ServiceCatalog.1
Amazon Simple Email Service (Amazon SES) AWS::SES::ConfigurationSet

SES.2

SES.3
AWS::SES::ContactList

SES.1
Amazon Simple Notification Service (Amazon SNS) AWS::SNS::Topic

SNS.1

SNS.3

SNS.4
Amazon Simple Queue Service (Amazon SQS) AWS::SQS::Queue

SQS.1

SQS.2

SQS.3
AWS Step Functions AWS::StepFunctions::StateMachine

StepFunctions.1
AWS::StepFunctions::Activity

StepFunctions.2
AWS Systems Manager(SSM) AWS::SSM::Document

SSM.5
AWS Transfer Family AWS::Transfer::Agreement

Transfer.4
AWS::Transfer::Certificate

Transfer.5
AWS::Transfer::Connector

Transfer.3

Transfer.6
AWS::Transfer::Profile

Transfer.7
AWS::Transfer::Workflow

Transfer.1
AWS WAF AWS::WAF::Rule

WAF.6
AWS::WAF::RuleGroup

WAF.7
AWS::WAF::WebACL

WAF.1

WAF.8
AWS::WAFRegional::Rule

WAF.2
AWS::WAFRegional::RuleGroup

WAF.3
AWS::WAFRegional::WebACL

WAF.4
AWS::WAFv2::RuleGroup

WAF.12
AWS::WAFv2::WebACL

WAF.10

WAF.11
Amazon WorkSpaces AWS::WorkSpaces::WorkSpace

WorkSpaces.1

WorkSpaces.2

AWS基礎安全最佳實務標準的必要資源

若要讓 Security Hub CSPM 準確報告適用於AWS基礎安全最佳實務標準 (v.1.0.0) 的變更觸發控制項的問題清單,並且使用 AWS Config規則,您必須在其中記錄下列類型的資源AWS Config。如需此標準的資訊,請參閱 AWSSecurity Hub CSPM 中的基礎安全最佳實務標準

AWS 服務 資源類型

Amazon API Gateway

AWS::ApiGateway::Stage, AWS::ApiGatewayV2::Stage

AWS AppSync

AWS::AppSync::ApiCache, AWS::AppSync::GraphQLApi

AWS Backup

AWS::Backup::RecoveryPoint

AWS Certificate Manager(ACM)

AWS::ACM::Certificate

AWS CloudFormation

AWS::CloudFormation::Stack

Amazon CloudFront

AWS::CloudFront::Distribution

AWS CodeBuild

AWS::CodeBuild::Project, AWS::CodeBuild::ReportGroup

Amazon Cognito

AWS::Cognito::IdentityPool, AWS::Cognito::UserPool

Amazon Connect

AWS::Connect::Instance

AWS DataSync

AWS::DataSync::Task

AWS Database Migration Service(AWS DMS)

AWS::DMS::Endpoint, AWS::DMS::ReplicationInstance, AWS::DMS::ReplicationTask

Amazon DynamoDB

AWS::DynamoDB::Table
Amazon EC2 Systems Manager (SSM)

AWS::SSM::AssociationCompliance, AWS::SSM::ManagedInstanceInventory, AWS::SSM::PatchCompliance

Amazon Elastic Compute Cloud (Amazon EC2)

AWS::EC2::ClientVpnEndpoint, AWS::EC2::Instance, AWS::EC2::LaunchTemplate, AWS::EC2::NetworkAcl, AWS::EC2::NetworkInterface, AWS::EC2::SecurityGroup, AWS::EC2::SnapshotBlockPublicAccess, AWS::EC2::SpotFleet, AWS::EC2::Subnet, AWS::EC2::TransitGateway, AWS::EC2::VPCBlockPublicAccessOptions, AWS::EC2::VPNConnection, AWS::EC2::Volume

Amazon EC2 Auto Scaling

AWS::AutoScaling::AutoScalingGroup, AWS::AutoScaling::LaunchConfiguration

Amazon Elastic Container Registry (Amazon ECR)

AWS::ECR::Repository

Amazon Elastic Container Service (Amazon ECS)

AWS::ECS::CapacityProvider, AWS::ECS::Cluster, AWS::ECS::Service, AWS::ECS::TaskDefinition, AWS::ECS::TaskSet

Amazon Elastic File System (Amazon EFS)

AWS::EFS::AccessPoint, AWS::EFS::FileSystem

Amazon Elastic Kubernetes Service (Amazon EKS)

AWS::EKS::Cluster

AWS Elastic Beanstalk

AWS::ElasticBeanstalk::Environment

Elastic Load Balancing

AWS::ElasticLoadBalancing::LoadBalancer, AWS::ElasticLoadBalancingV2::Listener, AWS::ElasticLoadBalancingV2::LoadBalancer

ElasticSearch

AWS::Elasticsearch::Domain

Amazon EMR

AWS::EMR::SecurityConfiguration

AWS Glue

AWS::Glue::Job, AWS::Glue::MLTransform

AWS Identity and Access Management(IAM)

AWS::IAM::Group, AWS::IAM::Policy, AWS::IAM::Role, AWS::IAM::User

Amazon Kinesis

AWS::Kinesis::Stream

AWS Key Management Service(AWS KMS)

AWS::KMS::Key

AWS Lambda

AWS::Lambda::Function

Amazon Managed Streaming for Apache Kafka (Amazon MSK)

AWS::MSK::Cluster, AWS::KafkaConnect::Connector

AWS Network Firewall

AWS::NetworkFirewall::Firewall, AWS::NetworkFirewall::FirewallPolicy, AWS::NetworkFirewall::RuleGroup

Amazon OpenSearch Service

AWS::OpenSearch::Domain

Amazon Relational Database Service (Amazon RDS)

AWS::RDS::DBCluster, AWS::RDS::DBClusterSnapshot, AWS::RDS::DBInstance, AWS::RDS::DBProxy, AWS::RDS::DBSnapshot, AWS::RDS::EventSubscription

Amazon Redshift

AWS::Redshift::Cluster, AWS::Redshift::ClusterSubnetGroup

Amazon Redshift Serverless

AWS::RedshiftServerless::Workgroup

Amazon Route 53

AWS::Route53::HostedZone

Amazon Simple Storage Service (Amazon S3)

AWS::S3::AccessPoint, AWS::S3::AccountPublicAccessBlock, AWS::S3::Bucket, AWS::S3::MultiRegionAccessPoint, AWS::S3Express::DirectoryBucket

Amazon SageMaker AI

AWS::SageMaker::Model, AWS::SageMaker::NotebookInstance

Amazon Simple Notification Service (Amazon SNS)

AWS::SNS::Topic

Amazon Simple Queue Service (Amazon SQS)

AWS::SQS::Queue

AWS Secrets Manager

AWS::SecretsManager::Secret

AWS Step Functions

AWS::StepFunctions::StateMachine

AWS Transfer Family

AWS::Transfer::Connector

AWS WAF

AWS::WAF::Rule, AWS::WAF::RuleGroup, AWS::WAF::WebACL, AWS::WAFRegional::Rule, AWS::WAFRegional::RuleGroup, AWS::WAFRegional::WebACL, AWS::WAFv2::RuleGroup, AWS::WAFv2::WebACL

Amazon WorkSpaces

AWS::WorkSpaces::WorkSpace

CIS AWSFoundations Benchmark 的必要資源

若要針對適用於網際網路安全中心 (CIS) AWS基準基準的已啟用控制項執行安全檢查,Security Hub CSPM 會執行針對檢查指定的確切稽核步驟,或使用特定AWS Config受管規則。如需 Security Hub CSPM 中此標準的資訊,請參閱 Security Hub CSPM 中的 CIS AWSFoundations 基準

CIS v5.0.0 的必要資源

若要讓 Security Hub CSPM 準確報告使用 AWS Config規則的已啟用 CIS v5.0.0 變更觸發控制項的問題清單,您必須在 中記錄下列類型的資源AWS Config。

AWS 服務 資源類型

Amazon Elastic Compute Cloud (Amazon EC2)

AWS::EC2::Instance, AWS::EC2::NetworkAcl, AWS::EC2::SecurityGroup, AWS::EC2::VPC

Amazon Elastic File System (Amazon EFS)

AWS::EFS::FileSystem

AWS Identity and Access Management(IAM)

AWS::IAM::Group, AWS::IAM::User, AWS::IAM::Role

Amazon Relational Database Service (Amazon RDS)

AWS::RDS::DBInstance, AWS::RDS::DBCluster

Amazon Simple Storage Service (Amazon S3)

AWS::S3::Bucket

CIS v3.0.0 的必要資源

若要讓 Security Hub CSPM 準確報告使用 AWS Config規則的已啟用 CIS v3.0.0 變更觸發控制項的問題清單,您必須在 中記錄下列類型的資源AWS Config。

AWS 服務 資源類型

Amazon Elastic Compute Cloud (Amazon EC2)

AWS::EC2::Instance, AWS::EC2::NetworkAcl, AWS::EC2::SecurityGroup, AWS::EC2::VPC

AWS Identity and Access Management(IAM)

AWS::IAM::Group, AWS::IAM::User, AWS::IAM::Role

Amazon Relational Database Service (Amazon RDS)

AWS::RDS::DBInstance

Amazon Simple Storage Service (Amazon S3)

AWS::S3::Bucket

CIS v1.4.0 的必要資源

若要讓 Security Hub CSPM 準確報告使用 AWS Config規則的已啟用 CIS v1.4.0 變更觸發控制項的問題清單,您必須在 中記錄下列類型的資源AWS Config。

AWS 服務 資源類型

Amazon Elastic Compute Cloud (Amazon EC2)

AWS::EC2::NetworkAcl, AWS::EC2::SecurityGroup

AWS Identity and Access Management(IAM)

AWS::IAM::Policy, AWS::IAM::User

Amazon Relational Database Service (Amazon RDS)

AWS::RDS::DBInstance

Amazon Simple Storage Service (Amazon S3)

AWS::S3::Bucket

CIS v1.2.0 的必要資源

若要讓 Security Hub CSPM 準確報告使用 AWS Config規則的已啟用 CIS v1.2.0 變更觸發控制項的問題清單,您必須在 中記錄下列類型的資源AWS Config。

AWS 服務 資源類型

Amazon Elastic Compute Cloud (Amazon EC2)

AWS::EC2::SecurityGroup

AWS Identity and Access Management(IAM)

AWS::IAM::Policy, AWS::IAM::User

NIST SP 800-53 修訂版 5 標準所需的資源

若要讓 Security Hub CSPM 準確報告適用於 NIST SP 800-53 修訂版 5 標準、已啟用並使用 AWS Config規則的變更觸發控制項調查結果,您必須在其中記錄下列類型的資源AWS Config。如需此標準的資訊,請參閱 Security Hub CSPM 中的 NIST SP 800-53 修訂版 5

AWS 服務 資源類型

Amazon API Gateway

AWS::ApiGateway::Stage, AWS::ApiGatewayV2::Stage

AWS AppSync

AWS::AppSync::GraphQLApi

AWS Backup

AWS::Backup::RecoveryPoint

AWS Certificate Manager(ACM)

AWS::ACM::Certificate

AWS CloudFormation

AWS::CloudFormation::Stack

Amazon CloudFront

AWS::CloudFront::Distribution

Amazon CloudWatch

AWS::CloudWatch::Alarm

AWS CodeBuild

AWS::CodeBuild::Project

AWS Database Migration Service(AWS DMS)

AWS::DMS::Endpoint, AWS::DMS::ReplicationInstance, AWS::DMS::ReplicationTask

Amazon DynamoDB

AWS::DynamoDB::Table

Amazon Elastic Compute Cloud (Amazon EC2)

AWS::EC2::ClientVpnEndpoint, AWS::EC2::EIP, AWS::EC2::Instance, AWS::EC2::LaunchTemplate, AWS::EC2::NetworkAcl, AWS::EC2::NetworkInterface, AWS::EC2::SecurityGroup, AWS::EC2::Subnet, AWS::EC2::TransitGateway, AWS::EC2::VPNConnection, AWS::EC2::Volume

Amazon EC2 Auto Scaling

AWS::AutoScaling::AutoScalingGroup, AWS::AutoScaling::LaunchConfiguration

Amazon Elastic Container Registry (Amazon ECR)

AWS::ECR::Repository

Amazon Elastic Container Service (Amazon ECS)

AWS::ECS::Cluster, AWS::ECS::Service, AWS::ECS::TaskDefinition

Amazon Elastic File System (Amazon EFS)

AWS::EFS::AccessPoint

Amazon Elastic Kubernetes Service (Amazon EKS)

AWS::EKS::Cluster

AWS Elastic Beanstalk

AWS::ElasticBeanstalk::Environment

Elastic Load Balancing

AWS::ElasticLoadBalancing::LoadBalancer, AWS::ElasticLoadBalancingV2::Listener, AWS::ElasticLoadBalancingV2::LoadBalancer

Amazon ElasticSearch

AWS::Elasticsearch::Domain

Amazon EMR

AWS::EMR::SecurityConfiguration

Amazon EventBridge

AWS::Events::Endpoint, AWS::Events::EventBus

AWS Glue

AWS::Glue::Job

AWS Identity and Access Management(IAM)

AWS::IAM::Group, AWS::IAM::Policy, AWS::IAM::Role, AWS::IAM::User

AWS Key Management Service(AWS KMS)

AWS::KMS::Alias, AWS::KMS::Key

Amazon Kinesis

AWS::Kinesis::Stream

AWS Lambda

AWS::Lambda::Function

Amazon Managed Streaming for Apache Kafka (Amazon MSK)

AWS::MSK::Cluster

Amazon MQ

AWS::AmazonMQ::Broker

AWS Network Firewall

AWS::NetworkFirewall::Firewall, AWS::NetworkFirewall::FirewallPolicy, AWS::NetworkFirewall::RuleGroup

Amazon OpenSearch Service

AWS::OpenSearch::Domain

Amazon Relational Database Service (Amazon RDS)

AWS::RDS::DBCluster, AWS::RDS::DBClusterSnapshot, AWS::RDS::DBInstance, AWS::RDS::DBSnapshot, AWS::RDS::EventSubscription

Amazon Redshift

AWS::Redshift::Cluster, AWS::Redshift::ClusterSubnetGroup

Amazon Route 53

AWS::Route53::HostedZone

Amazon Simple Storage Service (Amazon S3)

AWS::S3::AccessPoint, AWS::S3::AccountPublicAccessBlock, AWS::S3::Bucket

AWS Service Catalog

AWS::ServiceCatalog::Portfolio

Amazon Simple Notification Service (Amazon SNS)

AWS::SNS::Topic

Amazon Simple Queue Service (Amazon SQS)

AWS::SQS::Queue
Amazon EC2 Systems Manager (SSM)

AWS::SSM::AssociationCompliance, AWS::SSM::ManagedInstanceInventory, AWS::SSM::PatchCompliance

Amazon SageMaker AI

AWS::SageMaker::NotebookInstance

AWS Secrets Manager

AWS::SecretsManager::Secret

AWS Transfer Family

AWS::Transfer::Connector

AWS WAF

AWS::WAF::Rule, AWS::WAF::RuleGroup, AWS::WAF::WebACL, AWS::WAFRegional::Rule, AWS::WAFRegional::RuleGroup, AWS::WAFRegional::WebACL, AWS::WAFv2::RuleGroup, AWS::WAFv2::WebACL

NIST SP 800-171 修訂版 2 標準的必要資源

若要讓 Security Hub CSPM 準確報告適用於 NIST SP 800-171 修訂版 2 標準、已啟用並使用 AWS Config規則的變更觸發控制項問題清單,您必須在其中記錄下列類型的資源AWS Config。如需此標準的資訊,請參閱 Security Hub CSPM 中的 NIST SP 800-171 修訂版 2

AWS 服務 資源類型
AWS Certificate Manager(ACM)

AWS::ACM::Certificate
Amazon API Gateway

AWS::ApiGateway::Stage
Amazon CloudFront

AWS::CloudFront::Distribution
Amazon CloudWatch

AWS::CloudWatch::Alarm
Amazon Elastic Compute Cloud (Amazon EC2)

AWS::EC2::ClientVpnEndpoint, AWS::EC2::NetworkAcl, AWS::EC2::SecurityGroup, AWS::EC2::VPC, AWS::EC2::VPNConnection
Elastic Load Balancing

AWS::ElasticLoadBalancing::LoadBalancer
AWS Identity and Access Management(IAM)

AWS::IAM::Policy, AWS::IAM::User
AWS Key Management Service (AWS KMS)

AWS::KMS::Alias, AWS::KMS::Key
AWS Network Firewall

AWS::NetworkFirewall::FirewallPolicy, AWS::NetworkFirewall::RuleGroup
Amazon Simple Storage Service (Amazon S3)

AWS::S3::Bucket
Amazon Simple Notification Service (Amazon SNS)

AWS::SNS::Topic
AWS Systems Manager(SSM)

AWS::SSM::PatchCompliance
AWS WAF

AWS::WAFv2::RuleGroup

PCI DSS v3.2.1 的必要資源

若要讓 Security Hub CSPM 準確報告適用於支付卡產業資料安全標準 (PCI DSS) v3.2.1 的控制項問題清單,啟用 並使用 AWS Config規則,您必須在其中記錄下列類型的資源AWS Config。如需此標準的資訊,請參閱 Security Hub CSPM 中的 PCI DSS

AWS 服務 資源類型

AWS CodeBuild

AWS::CodeBuild::Project

Amazon Elastic Compute Cloud (Amazon EC2)

AWS::EC2::EIP, AWS::EC2::Instance, AWS::EC2::SecurityGroup

Amazon EC2 Auto Scaling

AWS::AutoScaling::AutoScalingGroup

AWS Identity and Access Management(IAM)

AWS::IAM::Policy, AWS::IAM::User

AWS Lambda

AWS::Lambda::Function

Amazon OpenSearch Service

AWS::OpenSearch::Domain

Amazon Relational Database Service (Amazon RDS)

AWS::RDS::DBClusterSnapshot, AWS::RDS::DBInstance, AWS::RDS::DBSnapshot

Amazon Redshift

AWS::Redshift::Cluster

Amazon Simple Storage Service (Amazon S3)

AWS::S3::AccountPublicAccessBlock, AWS::S3::Bucket
Amazon EC2 Systems Manager (SSM)

AWS::SSM::AssociationCompliance, AWS::SSM::ManagedInstanceInventory, AWS::SSM::PatchCompliance

資源標記標準所需的AWS資源

套用至AWS資源標記標準的所有控制項都會觸發變更並使用 AWS Config規則。若要讓 Security Hub CSPM 準確報告這些控制項的問題清單,您必須在其中記錄下列類型的資源AWS Config。如需此標準的資訊,請參閱 AWSSecurity Hub CSPM 中的資源標記標準

AWS 服務 資源類型
AWS Amplify

AWS::Amplify::App, AWS::Amplify::Branch
Amazon AppFlow

AWS::AppFlow::Flow
AWS App Runner

AWS::AppRunner::Service, AWS::AppRunner::VpcConnector
AWS AppConfig

AWS::AppConfig::Application, AWS::AppConfig::ConfigurationProfile, AWS::AppConfig::Environment, AWS::AppConfig::ExtensionAssociation
AWS AppSync

AWS::AppSync::GraphQLApi
Amazon Athena

AWS::Athena::DataCatalog, AWS::Athena::WorkGroup
AWS Backup

AWS::Backup::BackupPlan, AWS::Backup::BackupVault, AWS::Backup::RecoveryPlan, AWS::Backup::ReportPlan
AWS Batch

AWS::Batch::ComputeEnvironment, AWS::Batch::JobQueue, AWS::Batch::SchedulingPolicy
AWS Certificate Manager(ACM)

AWS::ACM::Certificate
AWS CloudFormation

AWS::CloudFormation::Stack
Amazon CloudFront

AWS::CloudFront::Distribution
AWS CloudTrail

AWS::CloudTrail::Trail
AWS CodeArtifact

AWS::CodeArtifact::Repository
Amazon CodeGuru

AWS::CodeGuruProfiler::ProfilingGroup, AWS::CodeGuruReviewer::RepositoryAssociation
Amazon Connect

AWS::CustomerProfiles::ObjectType
AWS Database Migration Service(AWS DMS)

AWS::DMS::Certificate, AWS::DMS::EventSubscription

AWS::DMS::ReplicationInstance, AWS::DMS::ReplicationSubnetGroup
AWS DataSync

AWS::DataSync::Task
Amazon Detective

AWS::Detective::Graph
Amazon DynamoDB

AWS::DynamoDB::Trail
Amazon Elastic Compute Cloud (EC2)

AWS::EC2::CustomerGateway, AWS::EC2::DHCPOptions, AWS::EC2::EIP, AWS::EC2::FlowLog, AWS::EC2::Instance, AWS::EC2::InternetGateway, AWS::EC2::LaunchTemplate, AWS::EC2::NatGateway, AWS::EC2::NetworkAcl, AWS::EC2::NetworkInterface, AWS::EC2::PrefixList, AWS::EC2::RouteTable, AWS::EC2::SecurityGroup, AWS::EC2::Subnet, AWS::EC2::TrafficMirrorFilter, AWS::EC2::TrafficMirrorSession, AWS::EC2::TrafficMirrorTarget, AWS::EC2::TransitGateway, AWS::EC2::TransitGatewayAttachment, AWS::EC2::TransitGatewayRouteTable, AWS::EC2::Volume, AWS::EC2::VPC, AWS::EC2::VPCEndpointService, AWS::EC2::VPCPeeringConnection, AWS::EC2::VPNGateway
Amazon EC2 Auto Scaling

AWS::AutoScaling::AutoScalingGroup
Amazon Elastic Container Registry (Amazon ECR)

AWS::ECR::PublicRepository
Amazon Elastic Container Service (Amazon ECS)

AWS::ECS::Cluster, AWS::ECS::Service, AWS::ECS::TaskDefinition
Amazon Elastic File System (Amazon EFS)

AWS::EFS::AccessPoint
Amazon Elastic Kubernetes Service (Amazon EKS)

AWS::EKS::Cluster, AWS::EKS::IdentityProviderConfig
AWS Elastic Beanstalk

AWS::ElasticBeanstalk::Environment
ElasticSearch

AWS::Elasticsearch::Domain
Amazon EventBridge

AWS::Events::EventBus
Amazon Fraud Detector

AWS::FraudDetector::EntityType, AWS::FraudDetector::Label

AWS::FraudDetector::Outcome, AWS::FraudDetector::Variable
AWS Global Accelerator

AWS::GlobalAccelerator::Accelerator
AWS Glue

AWS::Glue::Job
Amazon GuardDuty

AWS::GuardDuty::Detector, AWS::GuardDuty::Filter, AWS::GuardDuty::IPSet
AWS Identity and Access Management(IAM)

AWS::IAM::Role, AWS::IAM::User
AWS Identity and Access Management Access Analyzer(IAM Access Analyzer)

AWS::AccessAnalyzer::Analyzer
AWS IoT

AWS::IoT::Authorizer, AWS::IoT::Dimension, AWS::IoT::MitigationAction, AWS::IoT::Policy, AWS::IoT::RoleAlias, AWS::IoT::SecurityProfile
AWS IoT活動

AWS::IoTEvents::AlarmModel, AWS::IoTEvents::DetectorModel, AWS::IoTEvents::Input
AWS IoTSiteWise

AWS::IoTSiteWise::Dashboard, AWS::IoTSiteWise::Gateway, AWS::IoTSiteWise::Portal, AWS::IoTSiteWise::Project
AWS IoTTwinMaker

AWS::IoTTwinMaker::Entity, AWS::IoTTwinMaker::Scene, AWS::IoTTwinMaker::SyncJob, AWS::IoTTwinMaker::Workspace
AWS IoT無線

AWS::IoTWireless::FuotaTask, AWS::IoTWireless::MulticastGroup, AWS::IoTWireless::ServiceProfile
Amazon Interactive Video Service (Amazon IVS)

AWS::IVS::Channel, AWS::IVS::PlaybackKeyPair, AWS::IVS::RecordingConfiguration
Amazon Keyspaces (適用於 Apache Cassandra)

AWS::Cassandra::Keyspace
Amazon Kinesis

AWS::Kinesis::Stream
AWS Lambda

AWS::Lambda::Function
Amazon MQ

AWS::AmazonMQ::Broker
AWS Network Firewall

AWS::NetworkFirewall::Firewall, AWS::NetworkFirewall::FirewallPolicy
Amazon OpenSearch Service

AWS::OpenSearch::Domain
AWS 私有憑證授權單位

AWS::ACMPCA::CertificateAuthority
Amazon Relational Database Service

AWS::RDS::DBCluster, AWS::RDS::DBClusterSnapshot, AWS::RDS::DBInstance, AWS::RDS::DBSecurityGroup, AWS::RDS::DBSnapshot, AWS::RDS::DBSubnetGroup
Amazon Redshift

AWS::Redshift::Cluster, AWS::Redshift::ClusterParameterGroup, AWS::Redshift::ClusterSnapshot, AWS::Redshift::ClusterSubnetGroup, AWS::Redshift::EventSubscription
Amazon Route 53

AWS::Route53::HealthCheck
Amazon SageMaker AI

AWS::SageMaker::AppImageConfig, AWS::SageMaker::Image
AWS Secrets Manager

AWS::SecretsManager::Secret
Amazon Simple Email Service (Amazon SES)

AWS::SES::ConfigurationSet, AWS::SES::ContactList
Amazon Simple Notification Service (Amazon SNS)

AWS::SNS::Topic
Amazon Simple Queue Service (Amazon SQS)

AWS::SQS::Queue
AWS Step Functions

AWS::StepFunctions::Activity
AWS Systems Manager(SSM)

AWS::SSM::Document
AWS Transfer Family

AWS::Transfer::Agreement, AWS::Transfer::Certificate, AWS::Transfer::Connector, AWS::Transfer::Profile, AWS::Transfer::Workflow