Die vorliegende Übersetzung wurde maschinell erstellt. Im Falle eines Konflikts oder eines Widerspruchs zwischen dieser übersetzten Fassung und der englischen Fassung (einschließlich infolge von Verzögerungen bei der Übersetzung) ist die englische Fassung maßgeblich.
# Überprüfung und Verwaltung der Kontrollergebnisse in Security Hub CSPM
Auf der Seite mit den Kontrolldetails wird eine Liste der aktiven Ergebnisse für eine Kontrolle angezeigt. Die Liste enthält keine archivierten Ergebnisse.
Die Seite mit den Kontrolldetails unterstützt die regionsübergreifende Aggregation. Wenn Sie eine Aggregationsregion festgelegt haben, enthalten der Kontrollstatus und die Liste der Sicherheitsüberprüfungen auf der Seite mit den Kontrolldetails die Prüfungen aller verknüpften Kontrollen. AWS-Regionen
Die Liste enthält Tools zum Filtern und Sortieren der Ergebnisse, sodass Sie sich zuerst auf dringendere Ergebnisse konzentrieren können. Ein Ergebnis kann Links zu Ressourcendetails in der entsprechenden Servicekonsole enthalten. Bei Steuerelementen, die auf AWS Config Regeln basieren, können Sie sich Details zu der Regel anzeigen lassen.
Sie können auch die AWS Security Hub CSPM-API verwenden, um eine Liste mit Ergebnissen und Ergebnisdetails abzurufen.
Weitere Informationen finden Sie unter [Details und Verlauf der Ergebnisse überprüfen](securityhub-findings-viewing.md#finding-view-details-console).
Um den aktuellen Status Ihrer Untersuchung eines Kontrollbefundes widerzuspiegeln, legen Sie den Workflow-Status fest. Weitere Informationen finden Sie unter [Den Workflow-Status von Ergebnissen in Security Hub CSPM festlegen](findings-workflow-status.md).
Sie können auch ausgewählte Security Hub CSPM-Ergebnisse an eine benutzerdefinierte Aktion in Amazon senden. EventBridge Weitere Informationen finden Sie unter [Ergebnisse an eine benutzerdefinierte Security Hub CSPM-Aktion senden](findings-custom-action.md).
**Topics**
+ [Filterung und Sortierung der Kontrollergebnisse](control-finding-list.md)
+ [Stichproben von Kontrollbefunden](sample-control-findings.md)
# Filterung und Sortierung der Kontrollergebnisse
Wenn Sie ein Steuerelement auf der **Kontrollseite** der AWS Security Hub CSPM-Konsole oder auf der Detailseite eines Standards auswählen, gelangen Sie zur Seite mit den Kontrolldetails.
Auf der Seite mit den Kontrolldetails werden der Titel und die Beschreibung der Kontrolle, der allgemeine Kontrollstatus und eine Aufschlüsselung der Sicherheitschecks für die Kontrolle in den letzten 24 Stunden angezeigt.
Verwenden Sie die Option „**Nach filtern**“ neben der Liste der Kontrollprüfungen, um sich schnell auf Ergebnisse mit einem bestimmten [Workflow](findings-workflow-status.md) - oder [Compliance-Status](controls-overall-status.md#controls-overall-status-compliance-status) zu konzentrieren.
Zusätzlich zu den Optionen **Filtern nach** können Sie das Feld **Filter hinzufügen** verwenden, um die Prüfliste nach anderen Feldern wie AWS-Konto ID oder Ressourcen-ID zu filtern.
Standardmäßig werden Ergebnisse mit dem Konformitätsstatus **BESTANDEN** zuerst aufgeführt. Sie können die Standardsortierung ändern, indem Sie in den Spaltenüberschriften eine andere Option auswählen.
Auf der Seite mit den Kontrolldetails können Sie **Herunterladen** wählen, um die aktuelle Seite mit den Kontrollergebnissen in eine CSV-Datei herunterzuladen.
Wenn Sie die Ergebnisliste filtern, umfasst der Download nur die Steuerelemente, die dem Filter entsprechen. Wenn Sie bestimmte Ergebnisse aus der Liste auswählen, enthält der Download nur die ausgewählten Ergebnisse.
Weitere Informationen zum Filtern von Ergebnissen finden Sie unter[Ergebnisse im Security Hub CSPM filtern](securityhub-findings-manage.md).
# Stichproben von Kontrollbefunden
Die folgenden Beispiele enthalten Beispiele für Ergebnisse der AWS Security Hub CSPM-Steuerung im AWS Security Finding Format (ASFF). Der Inhalt der Kontrollergebnisse hängt davon ab, ob Sie konsolidierte Kontrollergebnisse aktiviert haben.
Wenn Sie konsolidierte Kontrollergebnisse aktivieren, generiert Security Hub CSPM ein einzelnes Ergebnis für eine Kontrolle, auch wenn die Kontrolle für mehrere aktivierte Standards gilt. Wenn Sie diese Funktion nicht aktivieren, generiert Security Hub CSPM für jeden aktivierten Standard, für den ein Steuerelement gilt, einen separaten Kontrollbefund. Wenn Sie beispielsweise zwei Standards aktivieren und eine Kontrolle für beide gilt, erhalten Sie zwei separate Ergebnisse für die Kontrolle, einen für jeden Standard. Wenn Sie konsolidierte Kontrollergebnisse aktivieren, erhalten Sie nur ein Ergebnis für die Kontrolle. Weitere Informationen finden Sie unter [Konsolidierte Kontrollergebnisse](controls-findings-create-update.md#consolidated-control-findings).
Die Beispiele auf dieser Seite enthalten Beispiele für beide Szenarien. Zu den Stichproben gehören: Kontrollergebnisse für einzelne Security Hub CSPM-Standards, wenn konsolidierte Kontrollergebnisse deaktiviert sind, und Kontrollbefunde für mehrere Security Hub CSPM-Standards, wenn konsolidierte Kontrollergebnisse aktiviert sind.
**Topics**
+ [Beispielergebnisse für den Standard „Best Practices für AWS grundlegende Sicherheit“](#sample-finding-fsbp)
+ [Beispielbefund für CIS AWS Foundations Benchmark v5.0.0](#sample-finding-cis-5)
+ [Beispielbefund für CIS AWS Foundations Benchmark v3.0.0](#sample-finding-cis-3)
+ [Stichprobenergebnis für CIS AWS Foundations Benchmark v1.4.0](#sample-finding-cis-1.4)
+ [Ergebnis eines Beispiels für CIS AWS Foundations Benchmark v1.2.0](#sample-finding-cis-1.2)
+ [Stichprobenergebnis für den Standard NIST SP 800-53 Revision 5](#sample-finding-nist-800-53)
+ [Stichprobenergebnis für den Standard NIST SP 800-171 Revision 2](#sample-finding-nist-800-171)
+ [Ergebnis eines Beispiels für den Datensicherheitsstandard v3.2.1 der Payment Card Industry](#sample-finding-pcidss-v321)
+ [Musterbefund für den AWS Resource Tagging-Standard](#sample-finding-tagging)
+ [Stichprobenergebnis für den AWS Control Tower Service-Managed-Standard](#sample-finding-service-managed-aws-control-tower)
+ [Stichprobe: konsolidiertes Ergebnis für mehrere Standards](#sample-finding-consolidation)
**Anmerkung**
Die Kontrollergebnisse beziehen sich auf verschiedene Felder und Werte in den Regionen China und den AWS GovCloud (US) Regionen. Weitere Informationen finden Sie unter [Auswirkungen der Konsolidierung auf ASFF-Felder und -Werte](asff-changes-consolidation.md).
## Beispielergebnisse für den Standard „Best Practices für AWS grundlegende Sicherheit“
Das folgende Beispiel enthält ein Beispiel für ein Ergebnis für ein Steuerelement, das für den FSBP-Standard ( AWS Foundational Security Best Practices) gilt. In diesem Beispiel ist die Option „Consolidated Control Findings“ deaktiviert.
```
{
"SchemaVersion": "2018-10-08",
"Id": "arn:aws:securityhub:us-east-2:123456789012:subscription/aws-foundational-security-best-practices/v/1.0.0/CloudTrail.2/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
"ProductArn": "arn:aws:securityhub:us-east-2::product/aws/securityhub",
"ProductName": "Security Hub CSPM",
"CompanyName": "AWS",
"Region": "us-east-2",
"GeneratorId": "aws-foundational-security-best-practices/v/1.0.0/CloudTrail.2",
"AwsAccountId": "123456789012",
"Types": [
"Software and Configuration Checks/Industry and Regulatory Standards/AWS-Foundational-Security-Best-Practices"
],
"FirstObservedAt": "2020-08-06T02:18:23.076Z",
"LastObservedAt": "2021-09-28T16:10:06.956Z",
"CreatedAt": "2020-08-06T02:18:23.076Z",
"UpdatedAt": "2021-09-28T16:10:00.093Z",
"Severity": {
"Product": 40,
"Label": "MEDIUM",
"Normalized": 40,
"Original": "MEDIUM"
},
"Title": "CloudTrail.2 CloudTrail should have encryption at-rest enabled",
"Description": "This AWS control checks whether AWS CloudTrail is configured to use the server side encryption (SSE) AWS Key Management Service (AWS KMS) customer master key (CMK) encryption. The check will pass if the KmsKeyId is defined.",
"Remediation": {
"Recommendation": {
"Text": "For directions on how to correct this issue, consult the AWS Security Hub CSPM controls documentation.",
"Url": "https://docs.aws.amazon.com/console/securityhub/CloudTrail.2/remediation"
}
},
"ProductFields": {
"StandardsArn": "arn:aws:securityhub:::standards/aws-foundational-security-best-practices/v/1.0.0",
"StandardsSubscriptionArn": "arn:aws:securityhub:us-east-2:123456789012:subscription/aws-foundational-security-best-practices/v/1.0.0",
"ControlId": "CloudTrail.2",
"RecommendationUrl": "https://docs.aws.amazon.com/console/securityhub/CloudTrail.2/remediation",
"Related AWS Resources:0/name": "securityhub-cloud-trail-encryption-enabled-fe95bf3f",
"Related AWS Resources:0/type": "AWS::Config::ConfigRule",
"StandardsControlArn": "arn:aws:securityhub:us-east-2:123456789012:control/aws-foundational-security-best-practices/v/1.0.0/CloudTrail.2",
"aws/securityhub/ProductName": "Security Hub CSPM",
"aws/securityhub/CompanyName": "AWS",
"Resources:0/Id": "arn:aws:cloudtrail:us-east-2:123456789012:trail/AWS MacieTrail-DO-NOT-EDIT",
"aws/securityhub/FindingId": "arn:aws:securityhub:us-east-2::product/aws/securityhub/arn:aws:securityhub:us-east-2:123456789012:subscription/aws-foundational-security-best-practices/v/1.0.0/CloudTrail.2/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
},
"Resources": [
{
"Type": "AwsCloudTrailTrail",
"Id": "arn:aws:cloudtrail:us-east-2:123456789012:trail/AWS MacieTrail-DO-NOT-EDIT",
"Partition": "aws",
"Region": "us-east-2"
}
],
"Compliance": {
"Status": "FAILED",
"SecurityControlId": "CloudTrail.2",
"AssociatedStandards": [{
"StandardsId": "standards/aws-foundation-best-practices/v/1.0.0"
}]
},
"WorkflowState": "NEW",
"Workflow": {
"Status": "NEW"
},
"RecordState": "ACTIVE",
"FindingProviderFields": {
"Severity": {
"Label": "MEDIUM",
"Original": "MEDIUM"
},
"Types": [
"Software and Configuration Checks/Industry and Regulatory Standards/AWS-Foundational-Security-Best-Practices"
]
}
}
```
## Beispielbefund für CIS AWS Foundations Benchmark v5.0.0
Das folgende Beispiel enthält ein Beispiel für ein Ergebnis für ein Steuerelement, das für CIS AWS Foundations Benchmark v5.0.0 gilt. In diesem Beispiel sind konsolidierte Kontrollergebnisse deaktiviert.
```
{
"AwsAccountId": "123456789012",
"CompanyName": "AWS",
"Compliance": {
"Status": "FAILED",
"SecurityControlId": "EC2.7",
"RelatedRequirements": [
"CIS AWS Foundations Benchmark v5.0.0/5.1.1"
],
"AssociatedStandards": [
{
"StandardsId": "standards/cis-aws-foundations-benchmark/v/5.0.0"
}
]
},
"CreatedAt": "2025-10-10T17:04:00.952Z",
"Description": "Elastic Compute Cloud (EC2) supports encryption at rest when using the Elastic Block Store (EBS) service. While disabled by default, forcing encryption at EBS volume creation is supported.",
"FindingProviderFields": {
"Types": [
"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
],
"Severity": {
"Normalized": 40,
"Label": "MEDIUM",
"Product": 40,
"Original": "MEDIUM"
}
},
"FirstObservedAt": "2025-10-10T17:03:57.895Z",
"GeneratorId": "cis-aws-foundations-benchmark/v/5.0.0/5.1.1",
"Id": "arn:aws:securityhub:us-west-1:123456789012:subscription/cis-aws-foundations-benchmark/v/5.0.0/5.1.1/finding/443a9d3f-8a59-4fa0-8e2c-EXAMPLE111",
"LastObservedAt": "2025-10-14T05:22:28.667Z",
"ProcessedAt": "2025-10-14T05:22:50.099Z",
"ProductArn": "arn:aws:securityhub:us-west-1::product/aws/securityhub",
"ProductFields": {
"StandardsArn": "arn:aws:securityhub:::standards/cis-aws-foundations-benchmark/v/5.0.0",
"StandardsSubscriptionArn": "arn:aws:securityhub:us-west-1:123456789012:subscription/cis-aws-foundations-benchmark/v/5.0.0",
"ControlId": "5.1.1",
"RecommendationUrl": "https://docs.aws.amazon.com/console/securityhub/EC2.7/remediation",
"RelatedAWSResources:0/name": "securityhub-ec2-ebs-encryption-by-default-2a99554f",
"RelatedAWSResources:0/type": "AWS::Config::ConfigRule",
"StandardsControlArn": "arn:aws:securityhub:us-west-1:123456789012:control/cis-aws-foundations-benchmark/v/5.0.0/5.1.1",
"aws/securityhub/ProductName": "Security Hub CSPM",
"aws/securityhub/CompanyName": "AWS",
"aws/securityhub/annotation": "EBS Encryption by default is not enabled.",
"Resources:0/Id": "arn:aws:iam::123456789012:root",
"aws/securityhub/FindingId": "arn:aws:securityhub:us-west-1::product/aws/securityhub/arn:aws:securityhub:us-west-1:123456789012:subscription/cis-aws-foundations-benchmark/v/5.0.0/5.1.1/finding/443a9d3f-8a59-4fa0-8e2c-EXAMPLE111",
"PreviousComplianceStatus": "FAILED"
},
"ProductName": "Security Hub CSPM",
"RecordState": "ACTIVE",
"Region": "us-west-1",
"Remediation": {
"Recommendation": {
"Text": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.",
"Url": "https://docs.aws.amazon.com/console/securityhub/EC2.7/remediation"
}
},
"Resources": [
{
"Id": "AWS::::Account:123456789012",
"Partition": "aws",
"Region": "us-west-1",
"Type": "AwsAccount"
}
],
"SchemaVersion": "2018-10-08",
"Severity": {
"Label": "MEDIUM",
"Normalized": 40,
"Original": "MEDIUM",
"Product": 40
},
"Title": "5.1.1 EBS default encryption should be enabled",
"Types": [
"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
],
"UpdatedAt": "2025-10-14T05:22:38.671Z",
"Workflow": {
"Status": "NEW"
},
"WorkflowState": "NEW"
}
```
## Beispielbefund für CIS AWS Foundations Benchmark v3.0.0
Das folgende Beispiel enthält ein Beispiel für ein Ergebnis für ein Steuerelement, das für CIS AWS Foundations Benchmark v3.0.0 gilt. In diesem Beispiel sind konsolidierte Kontrollergebnisse deaktiviert.
```
{
"SchemaVersion": "2018-10-08",
"Id": "arn:aws:securityhub:us-east-1:123456789012:subscription/cis-aws-foundations-benchmark/v/3.0.0/2.2.1/finding/38a89798-6819-4fae-861f-9cca8034602c",
"ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub",
"ProductName": "Security Hub CSPM",
"CompanyName": "AWS",
"Region": "us-east-1",
"GeneratorId": "cis-aws-foundations-benchmark/v/3.0.0/2.2.1",
"AwsAccountId": "123456789012",
"Types": [
"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
],
"FirstObservedAt": "2024-04-18T07:46:18.193Z",
"LastObservedAt": "2024-04-23T07:47:01.137Z",
"CreatedAt": "2024-04-18T07:46:18.193Z",
"UpdatedAt": "2024-04-23T07:46:46.165Z",
"Severity": {
"Product": 40,
"Label": "MEDIUM",
"Normalized": 40,
"Original": "MEDIUM"
},
"Title": "2.2.1 EBS default encryption should be enabled",
"Description": "Elastic Compute Cloud (EC2) supports encryption at rest when using the Elastic Block Store (EBS) service. While disabled by default, forcing encryption at EBS volume creation is supported.",
"Remediation": {
"Recommendation": {
"Text": "For information on how to correct this issue, consult the AWS Security Hub CSPM controls documentation.",
"Url": "https://docs.aws.amazon.com/console/securityhub/EC2.7/remediation"
}
},
"ProductFields": {
"StandardsArn": "arn:aws:securityhub:::standards/cis-aws-foundations-benchmark/v/3.0.0",
"StandardsSubscriptionArn": "arn:aws:securityhub:us-east-1:123456789012:subscription/cis-aws-foundations-benchmark/v/3.0.0",
"ControlId": "2.2.1",
"RecommendationUrl": "https://docs.aws.amazon.com/console/securityhub/EC2.7/remediation",
"RelatedAWSResources:0/name": "securityhub-ec2-ebs-encryption-by-default-2843ed9e",
"RelatedAWSResources:0/type": "AWS::Config::ConfigRule",
"StandardsControlArn": "arn:aws:securityhub:us-east-1:123456789012:control/cis-aws-foundations-benchmark/v/3.0.0/2.2.1",
"aws/securityhub/ProductName": "Security Hub CSPM",
"aws/securityhub/CompanyName": "AWS",
"aws/securityhub/annotation": "EBS Encryption by default is not enabled.",
"Resources:0/Id": "arn:aws:iam::123456789012:root",
"aws/securityhub/FindingId": "arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:123456789012:subscription/cis-aws-foundations-benchmark/v/3.0.0/2.2.1/finding/38a89798-6819-4fae-861f-9cca8034602c"
},
"Resources": [
{
"Type": "AwsAccount",
"Id": "AWS::::Account:123456789012",
"Partition": "aws",
"Region": "us-east-1"
}
],
"Compliance": {
"Status": "FAILED",
"RelatedRequirements": [
"CIS AWS Foundations Benchmark v3.0.0/2.2.1"
],
"SecurityControlId": "EC2.7",
"AssociatedStandards": [
{
"StandardsId": "standards/cis-aws-foundations-benchmark/v/3.0.0"
}
]
},
"WorkflowState": "NEW",
"Workflow": {
"Status": "NEW"
},
"RecordState": "ACTIVE",
"FindingProviderFields": {
"Severity": {
"Label": "MEDIUM",
"Original": "MEDIUM"
},
"Types": [
"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
]
},
"ProcessedAt": "2024-04-23T07:47:07.088Z"
}
```
## Stichprobenergebnis für CIS AWS Foundations Benchmark v1.4.0
Das folgende Beispiel enthält ein Beispiel für ein Ergebnis für ein Steuerelement, das für CIS AWS Foundations Benchmark v1.4.0 gilt. In diesem Beispiel sind konsolidierte Kontrollergebnisse deaktiviert.
```
{
"SchemaVersion": "2018-10-08",
"Id": "arn:aws:securityhub:us-east-1:123456789012:subscription/cis-aws-foundations-benchmark/v/1.4.0/3.7/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
"ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub",
"ProductName": "Security Hub CSPM",
"CompanyName": "AWS",
"Region": "us-east-1",
"GeneratorId": "cis-aws-foundations-benchmark/v/1.4.0/3.7",
"AwsAccountId": "123456789012",
"Types": [
"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
],
"FirstObservedAt": "2022-10-21T22:14:48.913Z",
"LastObservedAt": "2022-12-22T22:24:56.980Z",
"CreatedAt": "2022-10-21T22:14:48.913Z",
"UpdatedAt": "2022-12-22T22:24:52.409Z",
"Severity": {
"Product": 40,
"Label": "MEDIUM",
"Normalized": 40,
"Original": "MEDIUM"
},
"Title": "3.7 Ensure CloudTrail logs are encrypted at rest using KMS CMKs",
"Description": "AWS CloudTrail is a web service that records AWS API calls for an account and makes those logs available to users and resources in accordance with IAM policies. AWS Key Management Service (KMS) is a managed service that helps create and control the encryption keys used to encrypt account data, and uses Hardware Security Modules (HSMs) to protect the security of encryption keys. CloudTrail logs can be configured to leverage server side encryption (SSE) and AWS KMS customer created master keys (CMK) to further protect CloudTrail logs. It is recommended that CloudTrail be configured to use SSE-KMS.",
"Remediation": {
"Recommendation": {
"Text": "For directions on how to correct this issue, consult the AWS Security Hub CSPM controls documentation.",
"Url": "https://docs.aws.amazon.com/console/securityhub/CloudTrail.2/remediation"
}
},
"ProductFields": {
"StandardsArn": "arn:aws:securityhub:::standards/cis-aws-foundations-benchmark/v/1.4.0",
"StandardsSubscriptionArn": "arn:aws:securityhub:us-east-1:123456789012:subscription/cis-aws-foundations-benchmark/v/1.4.0",
"ControlId": "3.7",
"RecommendationUrl": "https://docs.aws.amazon.com/console/securityhub/CloudTrail.2/remediation",
"RelatedAWSResources:0/name": "securityhub-cloud-trail-encryption-enabled-855f82d1",
"RelatedAWSResources:0/type": "AWS::Config::ConfigRule",
"StandardsControlArn": "arn:aws:securityhub:us-east-1:123456789012:control/cis-aws-foundations-benchmark/v/1.4.0/3.7",
"aws/securityhub/ProductName": "Security Hub CSPM",
"aws/securityhub/CompanyName": "AWS",
"Resources:0/Id": "arn:aws:cloudtrail:us-west-2:123456789012:trail/AWS MacieTrail-DO-NOT-EDIT",
"aws/securityhub/FindingId": "arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:123456789012:subscription/cis-aws-foundations-benchmark/v/1.4.0/3.7/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
},
"Resources": [
{
"Type": "AwsCloudTrailTrail",
"Id": "arn:aws:cloudtrail:us-west-2:123456789012:trail/AWS MacieTrail-DO-NOT-EDIT",
"Partition": "aws",
"Region": "us-east-1"
}
],
"Compliance": {
"Status": "FAILED",
"RelatedRequirements": [
"CIS AWS Foundations Benchmark v1.4.0/3.7"
],
"SecurityControlId": "CloudTrail.2",
"AssociatedStandards": [{
"StandardsId": "standards/cis-aws-foundations-benchmark/v/1.4.0"
}]
},
"WorkflowState": "NEW",
"Workflow": {
"Status": "NEW"
},
"RecordState": "ACTIVE",
"FindingProviderFields": {
"Severity": {
"Label": "MEDIUM",
"Original": "MEDIUM"
},
"Types": [
"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
]
}
}
```
## Ergebnis eines Beispiels für CIS AWS Foundations Benchmark v1.2.0
Das folgende Beispiel enthält ein Beispiel für ein Ergebnis für ein Steuerelement, das für CIS AWS Foundations Benchmark v1.2.0 gilt. In diesem Beispiel sind konsolidierte Kontrollergebnisse deaktiviert.
```
{
"SchemaVersion": "2018-10-08",
"Id": "arn:aws:securityhub:us-east-2:123456789012:subscription/cis-aws-foundations-benchmark/v/1.2.0/2.7/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
"ProductArn": "arn:aws:securityhub:us-east-2::product/aws/securityhub",
"ProductName": "Security Hub CSPM",
"CompanyName": "AWS",
"Region": "us-east-2",
"GeneratorId": "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/2.7",
"AwsAccountId": "123456789012",
"Types": [
"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
],
"FirstObservedAt": "2020-08-29T04:10:06.337Z",
"LastObservedAt": "2021-09-28T16:10:05.350Z",
"CreatedAt": "2020-08-29T04:10:06.337Z",
"UpdatedAt": "2021-09-28T16:10:00.087Z",
"Severity": {
"Product": 40,
"Label": "MEDIUM",
"Normalized": 40,
"Original": "MEDIUM"
},
"Title": "2.7 Ensure CloudTrail logs are encrypted at rest using KMS CMKs",
"Description": "AWS Key Management Service (KMS) is a managed service that helps create and control the encryption keys used to encrypt account data, and uses Hardware Security Modules (HSMs) to protect the security of encryption keys. CloudTrail logs can be configured to leverage server side encryption (SSE) and KMS customer created master keys (CMK) to further protect CloudTrail logs. It is recommended that CloudTrail be configured to use SSE-KMS.",
"Remediation": {
"Recommendation": {
"Text": "For directions on how to correct this issue, consult the AWS Security Hub CSPM controls documentation.",
"Url": "https://docs.aws.amazon.com/console/securityhub/CloudTrail.2/remediation"
}
},
"ProductFields": {
"StandardsGuideArn": "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0",
"StandardsGuideSubscriptionArn": "arn:aws:securityhub:us-east-2:123456789012:subscription/cis-aws-foundations-benchmark/v/1.2.0",
"RuleId": "2.7",
"RecommendationUrl": "https://docs.aws.amazon.com/console/securityhub/CloudTrail.2/remediation",
"Related AWS Resources:0/name": "securityhub-cloud-trail-encryption-enabled-fe95bf3f",
"Related AWS Resources:0/type": "AWS::Config::ConfigRule",
"StandardsControlArn": "arn:aws:securityhub:us-east-2:123456789012:control/cis-aws-foundations-benchmark/v/1.2.0/2.7",
"aws/securityhub/ProductName": "Security Hub CSPM",
"aws/securityhub/CompanyName": "AWS",
"Resources:0/Id": "arn:aws:cloudtrail:us-east-2:123456789012:trail/AWS MacieTrail-DO-NOT-EDIT",
"aws/securityhub/FindingId": "arn:aws:securityhub:us-east-2::product/aws/securityhub/arn:aws:securityhub:us-east-2:123456789012:subscription/cis-aws-foundations-benchmark/v/1.2.0/2.7/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
},
"Resources": [
{
"Type": "AwsCloudTrailTrail",
"Id": "arn:aws:cloudtrail:us-east-2:123456789012:trail/AWS MacieTrail-DO-NOT-EDIT",
"Partition": "aws",
"Region": "us-east-2"
}
],
"Compliance": {
"Status": "FAILED",
"SecurityControlId": "CloudTrail.2",
"AssociatedStandards": [{
"StandardsId": "ruleset/cis-aws-foundations-benchmark/v/1.2.0"
}]
},
"WorkflowState": "NEW",
"Workflow": {
"Status": "NEW"
},
"RecordState": "ACTIVE",
"FindingProviderFields": {
"Severity": {
"Label": "MEDIUM",
"Original": "MEDIUM"
},
"Types": [
"Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
]
}
}
```
## Stichprobenergebnis für den Standard NIST SP 800-53 Revision 5
Das folgende Beispiel enthält ein Beispiel für ein Ergebnis für eine Kontrolle, die für den Standard NIST SP 800-53 Revision 5 gilt. In diesem Beispiel sind konsolidierte Kontrollergebnisse deaktiviert.
```
{
"SchemaVersion": "2018-10-08",
"Id": "arn:aws:securityhub:us-east-1:123456789012:subscription/nist-800-53/v/5.0.0/CloudTrail.2/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
"ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub",
"ProductName": "Security Hub CSPM",
"CompanyName": "AWS",
"Region": "us-east-1",
"GeneratorId": "nist-800-53/v/5.0.0/CloudTrail.2",
"AwsAccountId": "123456789012",
"Types": [
"Software and Configuration Checks/Industry and Regulatory Standards"
],
"FirstObservedAt": "2023-02-17T14:22:46.726Z",
"LastObservedAt": "2023-02-17T14:22:50.846Z",
"CreatedAt": "2023-02-17T14:22:46.726Z",
"UpdatedAt": "2023-02-17T14:22:46.726Z",
"Severity": {
"Product": 40,
"Label": "MEDIUM",
"Normalized": 40,
"Original": "MEDIUM"
},
"Title": "CloudTrail.2 CloudTrail should have encryption at-rest enabled",
"Description": "This AWS control checks whether AWS CloudTrail is configured to use the server side encryption (SSE) AWS Key Management Service (AWS KMS) customer master key (CMK) encryption. The check will pass if the KmsKeyId is defined.",
"Remediation": {
"Recommendation": {
"Text": "For directions on how to fix this issue, consult the AWS Security Hub CSPM NIST 800-53 R5 documentation.",
"Url": "https://docs.aws.amazon.com/console/securityhub/CloudTrail.2/remediation"
}
},
"ProductFields": {
"StandardsArn": "arn:aws:securityhub:::standards/nist-800-53/v/5.0.0",
"StandardsSubscriptionArn": "arn:aws:securityhub:us-east-1:123456789012:subscription/nist-800-53/v/5.0.0",
"ControlId": "CloudTrail.2",
"RecommendationUrl": "https://docs.aws.amazon.com/console/securityhub/CloudTrail.9/remediation",
"RelatedAWSResources:0/name": "securityhub-cloud-trail-encryption-enabled-fe95bf3f",
"RelatedAWSResources:0/type": "AWS::Config::ConfigRule",
"StandardsControlArn": "arn:aws:securityhub:us-east-2:123456789012:control/aws-foundational-security-best-practices/v/1.0.0/CloudTrail.2",
"aws/securityhub/ProductName": "Security Hub CSPM",
"aws/securityhub/CompanyName": "AWS",
"Resources:0/Id": "arn:aws:cloudtrail:us-west-2:123456789012:trail/AWS MacieTrail-DO-NOT-EDIT",
"aws/securityhub/FindingId": "arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:123456789012:subscription/nist-800-53/v/5.0.0/CloudTrail.2/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
},
"Resources": [
{
"Type": "AwsCloudTrailTrail",
"Id": "arn:aws:cloudtrail:us-east-1:123456789012:trail/AWS MacieTrail-DO-NOT-EDIT",
"Partition": "aws",
"Region": "us-east-1"
}
],
"Compliance": {
"Status": "FAILED",
"RelatedRequirements": [
"NIST.800-53.r5 AU-9",
"NIST.800-53.r5 CA-9(1)",
"NIST.800-53.r5 CM-3(6)",
"NIST.800-53.r5 SC-13",
"NIST.800-53.r5 SC-28",
"NIST.800-53.r5 SC-28(1)",
"NIST.800-53.r5 SC-7(10)",
"NIST.800-53.r5 SI-7(6)"
],
"SecurityControlId": "CloudTrail.2",
"AssociatedStandards": [
{
"StandardsId": "standards/nist-800-53/v/5.0.0"
}
]
},
"WorkflowState": "NEW",
"Workflow": {
"Status": "NEW"
},
"RecordState": "ACTIVE",
"FindingProviderFields": {
"Severity": {
"Label": "MEDIUM",
"Original": "MEDIUM"
},
"Types": [
"Software and Configuration Checks/Industry and Regulatory Standards"
]
},
"ProcessedAt": "2023-02-17T14:22:53.572Z"
}
```
## Stichprobenergebnis für den Standard NIST SP 800-171 Revision 2
Das folgende Beispiel enthält ein Beispiel für ein Ergebnis für eine Kontrolle, das für den Standard NIST SP 800-171 Revision 2 gilt. In diesem Beispiel sind konsolidierte Kontrollergebnisse deaktiviert.
```
{
"SchemaVersion": "2018-10-08",
"Id": "arn:aws:securityhub:us-east-1:123456789012:subscription/nist-800-171/v/2.0.0/CloudTrail.2/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
"ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub",
"ProductName": "Security Hub",
"CompanyName": "AWS",
"Region": "us-east-1",
"GeneratorId": "nist-800-171/v/2.0.0/CloudTrail.2",
"AwsAccountId": "123456789012",
"AwsAccountName": "TestAcct",
"Types": [
"Software and Configuration Checks/Industry and Regulatory Standards"
],
"FirstObservedAt": "2025-05-29T05:23:58.690Z",
"LastObservedAt": "2025-05-30T05:50:11.898Z",
"CreatedAt": "2025-05-29T05:24:24.772Z",
"UpdatedAt": "2025-05-30T05:50:34.292Z",
"Severity": {
"Product": 40,
"Label": "MEDIUM",
"Normalized": 40,
"Original": "MEDIUM"
},
"Title": "CloudTrail.2 CloudTrail should have encryption at-rest enabled",
"Description": "This AWS control checks whether AWS CloudTrail is configured to use the server side encryption (SSE) AWS Key Management Service (AWS KMS) customer master key (CMK) encryption. The check will pass if the KmsKeyId is defined.",
"Remediation": {
"Recommendation": {
"Text": "For information on how to correct this issue, consult the AWS Security Hub CSPM controls documentation.",
"Url": "https://docs.aws.amazon.com/console/securityhub/CloudTrail.2/remediation"
}
},
"ProductFields": {
"StandardsArn": "arn:aws:securityhub:::standards/nist-800-171/v/2.0.0",
"StandardsSubscriptionArn": "arn:aws:securityhub:us-east-1:123456789012:subscription/nist-800-171/v/2.0.0",
"ControlId": "CloudTrail.2",
"RecommendationUrl": "https://docs.aws.amazon.com/console/securityhub/CloudTrail.2/remediation",
"RelatedAWSResources:0/name": "securityhub-cloud-trail-encryption-enabled-0ab1c2d4",
"RelatedAWSResources:0/type": "AWS::Config::ConfigRule",
"StandardsControlArn": "arn:aws:securityhub:us-east-1:123456789012:control/nist-800-171/v/2.0.0/CloudTrail.2",
"aws/securityhub/ProductName": "Security Hub",
"aws/securityhub/CompanyName": "AWS",
"Resources:0/Id": "arn:aws:cloudtrail:ca-central-1:123456789012:trail/aws-BaselineCloudTrail",
"aws/securityhub/FindingId": "arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:123456789012:subscription/nist-800-171/v/2.0.0/CloudTrail.2/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
},
"Resources": [
{
"Id": "arn:aws:cloudtrail:ca-central-1:123456789012:trail/aws-BaselineCloudTrail",
"Partition": "aws",
"Region": "us-east-1",
"Type": "AwsCloudTrailTrail"
}
],
"Compliance": {
"Status": "FAILED",
"SecurityControlId": "CloudTrail.2",
"RelatedRequirements": [
"NIST.800-171.r2/3.3.8"
],
"AssociatedStandards": [
{
"StandardsId": "standards/nist-800-171/v/2.0.0"
}
]
},
"Workflow": {
"Status": "NEW"
},
"WorkflowState": "NEW",
"RecordState": "ACTIVE",
"FindingProviderFields": {
"Types": [
"Software and Configuration Checks/Industry and Regulatory Standards"
],
"Severity": {
"Product": 40,
"Label": "MEDIUM",
"Normalized": 40,
"Original": "MEDIUM"
}
},
"ProcessedAt": "2025-05-30T05:50:40.297Z"
}
```
## Ergebnis eines Beispiels für den Datensicherheitsstandard v3.2.1 der Payment Card Industry
Das folgende Beispiel enthält ein Beispiel für ein Ergebnis für ein Steuerelement, das für den Payment Card Industry Data Security Standard (PCI DSS) v3.2.1 gilt. In diesem Beispiel sind konsolidierte Kontrollergebnisse deaktiviert.
```
{
"SchemaVersion": "2018-10-08",
"Id": "arn:aws:securityhub:us-east-2:123456789012:subscription/pci-dss/v/3.2.1/PCI.CloudTrail.1/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
"ProductArn": "arn:aws:securityhub:us-east-2::product/aws/securityhub",
"ProductName": "Security Hub CSPM",
"CompanyName": "AWS",
"Region": "us-east-2",
"GeneratorId": "pci-dss/v/3.2.1/PCI.CloudTrail.1",
"AwsAccountId": "123456789012",
"Types": [
"Software and Configuration Checks/Industry and Regulatory Standards/PCI-DSS"
],
"FirstObservedAt": "2020-08-06T02:18:23.089Z",
"LastObservedAt": "2021-09-28T16:10:06.942Z",
"CreatedAt": "2020-08-06T02:18:23.089Z",
"UpdatedAt": "2021-09-28T16:10:00.090Z",
"Severity": {
"Product": 40,
"Label": "MEDIUM",
"Normalized": 40,
"Original": "MEDIUM"
},
"Title": "PCI.CloudTrail.1 CloudTrail logs should be encrypted at rest using AWS KMS CMKs",
"Description": "This AWS control checks whether AWS CloudTrail is configured to use the server side encryption (SSE) AWS Key Management Service (AWS KMS) customer master key (CMK) encryption by checking if the KmsKeyId is defined.",
"Remediation": {
"Recommendation": {
"Text": "For directions on how to correct this issue, consult the AWS Security Hub CSPM controls documentation.",
"Url": "https://docs.aws.amazon.com/console/securityhub/CloudTrail.2/remediation"
}
},
"ProductFields": {
"StandardsArn": "arn:aws:securityhub:::standards/pci-dss/v/3.2.1",
"StandardsSubscriptionArn": "arn:aws:securityhub:us-east-2:123456789012:subscription/pci-dss/v/3.2.1",
"ControlId": "PCI.CloudTrail.1",
"RecommendationUrl": "https://docs.aws.amazon.com/console/securityhub/CloudTrail.2/remediation",
"Related AWS Resources:0/name": "securityhub-cloud-trail-encryption-enabled-fe95bf3f",
"Related AWS Resources:0/type": "AWS::Config::ConfigRule",
"StandardsControlArn": "arn:aws:securityhub:us-east-2:123456789012:control/pci-dss/v/3.2.1/PCI.CloudTrail.1",
"aws/securityhub/ProductName": "Security Hub CSPM",
"aws/securityhub/CompanyName": "AWS",
"Resources:0/Id": "arn:aws:cloudtrail:us-east-2:123456789012:trail/AWS MacieTrail-DO-NOT-EDIT",
"aws/securityhub/FindingId": "arn:aws:securityhub:us-east-2::product/aws/securityhub/arn:aws:securityhub:us-east-2:123456789012:subscription/pci-dss/v/3.2.1/PCI.CloudTrail.1/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
},
"Resources": [
{
"Type": "AwsCloudTrailTrail",
"Id": "arn:aws:cloudtrail:us-east-2:123456789012:trail/AWS MacieTrail-DO-NOT-EDIT",
"Partition": "aws",
"Region": "us-east-2"
}
],
"Compliance": {
"Status": "FAILED",
"RelatedRequirements": [
"PCI DSS 3.4"
],
"SecurityControlId": "CloudTrail.2",
"AssociatedStandards": [{
"StandardsId": "standards/pci-dss/v/3.2.1"
}]
},
"WorkflowState": "NEW",
"Workflow": {
"Status": "NEW"
},
"RecordState": "ACTIVE",
"FindingProviderFields": {
"Severity": {
"Label": "MEDIUM",
"Original": "MEDIUM"
},
"Types": [
"Software and Configuration Checks/Industry and Regulatory Standards/PCI-DSS"
]
}
}
```
## Musterbefund für den AWS Resource Tagging-Standard
Das folgende Beispiel enthält ein Beispiel für ein Ergebnis für ein Steuerelement, das für den AWS Resource Tagging-Standard gilt. In diesem Beispiel sind konsolidierte Kontrollergebnisse deaktiviert.
```
{
"SchemaVersion": "2018-10-08",
"Id": "arn:aws:securityhub:eu-central-1:123456789012:security-control/EC2.44/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
"ProductArn": "arn:aws:securityhub:eu-central-1::product/aws/securityhub",
"ProductName": "Security Hub CSPM",
"CompanyName": "AWS",
"Region": "eu-central-1",
"GeneratorId": "security-control/EC2.44",
"AwsAccountId": "123456789012",
"Types": [
"Software and Configuration Checks/Industry and Regulatory Standards"
],
"FirstObservedAt": "2024-02-19T21:00:32.206Z",
"LastObservedAt": "2024-04-29T13:01:57.861Z",
"CreatedAt": "2024-02-19T21:00:32.206Z",
"UpdatedAt": "2024-04-29T13:01:41.242Z",
"Severity": {
"Label": "LOW",
"Normalized": 1,
"Original": "LOW"
},
"Title": "EC2 subnets should be tagged",
"Description": "This control checks whether an Amazon EC2 subnet has tags with the specific keys defined in the parameter requiredTagKeys. The control fails if the subnet doesn't have any tag keys or if it doesn't have all the keys specified in the parameter requiredTagKeys. If the parameter requiredTagKeys isn't provided, the control only checks for the existence of a tag key and fails if the subnet isn't tagged with any key. System tags, which are automatically applied and begin with aws:, are ignored.",
"Remediation": {
"Recommendation": {
"Text": "For information on how to correct this issue, consult the AWS Security Hub CSPM controls documentation.",
"Url": "https://docs.aws.amazon.com/console/securityhub/EC2.44/remediation"
}
},
"ProductFields": {
"RelatedAWSResources:0/name": "securityhub-tagged-ec2-subnet-6ceafede",
"RelatedAWSResources:0/type": "AWS::Config::ConfigRule",
"aws/securityhub/ProductName": "Security Hub CSPM",
"aws/securityhub/CompanyName": "AWS",
"aws/securityhub/annotation": "No tags are present.",
"Resources:0/Id": "arn:aws:ec2:eu-central-1:123456789012:subnet/subnet-1234567890abcdef0",
"aws/securityhub/FindingId": "arn:aws:securityhub:eu-central-1::product/aws/securityhub/arn:aws:securityhub:eu-central-1:123456789012:security-control/EC2.44/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
},
"Resources": [
{
"Type": "AwsEc2Subnet",
"Id": "arn:aws:ec2:eu-central-1:123456789012:subnet/subnet-1234567890abcdef0",
"Partition": "aws",
"Region": "eu-central-1",
"Details": {
"AwsEc2Subnet": {
"AssignIpv6AddressOnCreation": false,
"AvailabilityZone": "eu-central-1b",
"AvailabilityZoneId": "euc1-az3",
"AvailableIpAddressCount": 4091,
"CidrBlock": "10.24.34.0/23",
"DefaultForAz": true,
"MapPublicIpOnLaunch": true,
"OwnerId": "123456789012",
"State": "available",
"SubnetArn": "arn:aws:ec2:eu-central-1:123456789012:subnet/subnet-1234567890abcdef0",
"SubnetId": "subnet-1234567890abcdef0",
"VpcId": "vpc-021345abcdef6789"
}
}
}
],
"Compliance": {
"Status": "FAILED",
"SecurityControlId": "EC2.44",
"AssociatedStandards": [
{
"StandardsId": "standards/aws-resource-tagging-standard/v/1.0.0"
}
],
"SecurityControlParameters": [
{
"Name": "requiredTagKeys",
"Value": [
"peepoo"
]
}
],
},
"WorkflowState": "NEW",
"Workflow": {
"Status": "NEW"
},
"RecordState": "ACTIVE",
"FindingProviderFields": {
"Severity": {
"Label": "LOW",
"Original": "LOW"
},
"Types": [
"Software and Configuration Checks/Industry and Regulatory Standards"
]
},
"ProcessedAt": "2024-04-29T13:02:03.259Z"
}
```
## Stichprobenergebnis für den AWS Control Tower Service-Managed-Standard
Das folgende Beispiel enthält ein Beispiel für ein Ergebnis für ein Steuerelement, das für den vom AWS Control Tower Service verwalteten Standard gilt. In diesem Beispiel sind konsolidierte Kontrollergebnisse deaktiviert.
```
{
"SchemaVersion": "2018-10-08",
"Id": "arn:aws:securityhub:us-east-1:123456789012:subscription/service-managed-aws-control-tower/v/1.0.0/CloudTrail.2/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
"ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub",
"ProductName": "Security Hub CSPM",
"CompanyName": "AWS",
"Region": "us-east-1",
"GeneratorId": "service-managed-aws-control-tower/v/1.0.0/CloudTrail.2",
"AwsAccountId": "123456789012",
"Types": [
"Software and Configuration Checks/Industry and Regulatory Standards"
],
"FirstObservedAt": "2022-11-17T01:25:30.296Z",
"LastObservedAt": "2022-11-17T01:25:45.805Z",
"CreatedAt": "2022-11-17T01:25:30.296Z",
"UpdatedAt": "2022-11-17T01:25:30.296Z",
"Severity": {
"Product": 40,
"Label": "MEDIUM",
"Normalized": 40,
"Original": "MEDIUM"
},
"Title": "CT.CloudTrail.2 CloudTrail should have encryption at-rest enabled",
"Description": "This AWS control checks whether AWS CloudTrail is configured to use the server side encryption (SSE) AWS Key Management Service (AWS KMS) customer master key (CMK) encryption. The check will pass if the KmsKeyId is defined.",
"Remediation": {
"Recommendation": {
"Text": "For information on how to correct this issue, consult the AWS Security Hub CSPM controls documentation.",
"Url": "https://docs.aws.amazon.com/console/securityhub/CloudTrail.2/remediation"
}
},
"ProductFields": {
"StandardsArn": "arn:aws:securityhub:::standards/service-managed-aws-control-tower/v/1.0.0",
"StandardsSubscriptionArn": "arn:aws:securityhub:us-east-1:123456789012:subscription/service-managed-aws-control-tower/v/1.0.0",
"ControlId": "CT.CloudTrail.2",
"RecommendationUrl": "https://docs.aws.amazon.com/console/securityhub/CloudTrail.2/remediation",
"RelatedAWSResources:0/name": "securityhub-cloud-trail-encryption-enabled-fe95bf3f",
"RelatedAWSResources:0/type": "AWS::Config::ConfigRule",
"StandardsControlArn": "arn:aws:securityhub:us-east-1:123456789012:control/service-managed-aws-control-tower/v/1.0.0/CloudTrail.2",
"aws/securityhub/ProductName": "Security Hub CSPM",
"aws/securityhub/CompanyName": "AWS",
"Resources:0/Id": "arn:aws:cloudtrail:us-east-2:123456789012:trail/AWSMacieTrail-DO-NOT-EDIT",
"aws/securityhub/FindingId": "arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:123456789012:subscription/service-managed-aws-control-tower/v/1.0.0/CloudTrail.2/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
},
"Resources": [
{
"Type": "AwsAccount",
"Id": "AWS::::Account:123456789012",
"Partition": "aws",
"Region": "us-east-1"
}
],
"Compliance": {
"Status": "FAILED",
"SecurityControlId": "CloudTrail.2",
"AssociatedStandards": [{
"StandardsId": "standards/service-managed-aws-control-tower/v/1.0.0"
}]
},
"WorkflowState": "NEW",
"Workflow": {
"Status": "NEW"
},
"RecordState": "ACTIVE",
"FindingProviderFields": {
"Severity": {
"Label": "MEDIUM",
"Original": "MEDIUM"
},
"Types": [
"Software and Configuration Checks/Industry and Regulatory Standards"
]
}
}
```
## Stichprobe: konsolidiertes Ergebnis für mehrere Standards
Das folgende Beispiel enthält ein Beispiel für ein Ergebnis für ein Steuerelement, das für mehrere aktivierte Standards gilt. In diesem Beispiel sind konsolidierte Kontrollergebnisse aktiviert.
```
{
"SchemaVersion": "2018-10-08",
"Id": "arn:aws:securityhub:us-east-1:123456789012:security-control/CloudTrail.2/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
"ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub",
"ProductName": "Security Hub",
"CompanyName": "AWS",
"Region": "us-east-1",
"GeneratorId": "security-control/CloudTrail.2",
"AwsAccountId": "123456789012",
"Types": [
"Software and Configuration Checks/Industry and Regulatory Standards"
],
"FirstObservedAt": "2024-08-09T14:57:04.521Z",
"LastObservedAt": "2025-05-30T03:30:17.407Z",
"CreatedAt": "2024-08-09T14:57:04.521Z",
"UpdatedAt": "2025-05-30T03:30:32.781Z",
"Severity": {
"Label": "MEDIUM",
"Normalized": 40,
"Original": "MEDIUM"
},
"Title": "CloudTrail should have encryption at-rest enabled",
"Description": "This AWS control checks whether AWS CloudTrail is configured to use the server side encryption (SSE) AWS Key Management Service (AWS KMS) customer master key (CMK) encryption. The check will pass if the KmsKeyId is defined.",
"Remediation": {
"Recommendation": {
"Text": "For information on how to correct this issue, consult the AWS Security Hub CSPM controls documentation.",
"Url": "https://docs.aws.amazon.com/console/securityhub/CloudTrail.2/remediation"
}
},
"ProductFields": {
"RelatedAWSResources:0/name": "securityhub-cloud-trail-encryption-enabled-01a2b345",
"RelatedAWSResources:0/type": "AWS::Config::ConfigRule",
"aws/securityhub/ProductName": "Security Hub",
"aws/securityhub/CompanyName": "AWS",
"Resources:0/Id": "arn:aws:cloudtrail:us-east-1:123456789012:trail/TestTrail-DO-NOT-DELETE",
"aws/securityhub/FindingId": "arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:123456789012:security-control/CloudTrail.2/finding/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
},
"Resources": [
{
"Type": "AwsCloudTrailTrail",
"Id": "arn:aws:cloudtrail:us-east-1:123456789012:trail/TestTrail-DO-NOT-DELETE",
"Partition": "aws",
"Region": "us-east-1",
"Details": {
"AwsCloudTrailTrail": {
"HasCustomEventSelectors": false,
"IncludeGlobalServiceEvents": true,
"LogFileValidationEnabled": true,
"HomeRegion": "us-east-1",
"IsMultiRegionTrail": true,
"S3BucketName": "cloudtrail-awslogs-do-not-delete",
"IsOrganizationTrail": false,
"Name": "TestTrail-DO-NOT-DELETE"
}
}
}
],
"Compliance": {
"Status": "FAILED",
"SecurityControlId": "CloudTrail.2",
"RelatedRequirements": [
"CIS AWS Foundations Benchmark v1.2.0/2.7",
"CIS AWS Foundations Benchmark v1.4.0/3.7",
"CIS AWS Foundations Benchmark v3.0.0/3.5",
"NIST.800-171.r2/3.3.8",
"PCI DSS v3.2.1/3.4",
"PCI DSS v4.0.1/10.3.2"
],
"AssociatedStandards": [
{ "StandardsId": "ruleset/cis-aws-foundations-benchmark/v/1.2.0"},
{ "StandardsId": "standards/aws-foundational-security-best-practices/v/1.0.0"},
{ "StandardsId": "standards/cis-aws-foundations-benchmark/v/1.4.0"},
{ "StandardsId": "standards/cis-aws-foundations-benchmark/v/3.0.0"},
{ "StandardsId": "standards/nist-800-171/v/2.0.0"},
{ "StandardsId": "standards/pci-dss/v/3.2.1"},
{ "StandardsId": "standards/pci-dss/v/4.0.1"}
]
},
"Workflow": {
"Status": "NEW"
},
"WorkflowState": "NEW",
"RecordState": "ACTIVE",
"FindingProviderFields": {
"Types": [
"Software and Configuration Checks/Industry and Regulatory Standards"
],
"Severity": {
"Normalized": 40,
"Label": "MEDIUM",
"Original": "MEDIUM"
}
},
"ProcessedAt": "2025-05-30T03:31:00.831Z"
}
```