AWS Config Recursos necessários para descobertas de controle do Security Hub - AWS Security Hub

As traduções são geradas por tradução automática. Em caso de conflito entre o conteúdo da tradução e da versão original em inglês, a versão em inglês prevalecerá.

AWS Config Recursos necessários para descobertas de controle do Security Hub

Alguns AWS Security Hub controles usam AWS Config regras vinculadas a serviços que detectam alterações de configuração em seus AWS recursos. Para que o Security Hub gere descobertas de controle precisas, você deve habilitar AWS Config e ativar a gravação de recursos no AWS Config. Para obter um contexto sobre como o Security Hub usa AWS Config regras e como habilitar e configurar AWS Config, consulteHabilitando e configurando o AWS Config Security Hub.

Para receber resultados de controle precisos, você deve ativar o registro de AWS Config recursos para controles habilitados com um tipo de agendamento acionado por alteração. Alguns controles com um tipo de agendamento periódico também exigem o registro de recursos.

Esta página lista os recursos necessários para cada controle do Security Hub.

Os controles do Security Hub podem se basear em AWS Config regras gerenciadas ou em regras personalizadas do Security Hub. Certifique-se de que não haja uma política AWS Identity and Access Management (IAM) ou uma política gerenciada em Organizations que impeça a permissão AWS Config de registrar seus recursos. As verificações de controle do Security Hub avaliam diretamente a configuração de um recurso e não levam em consideração as políticas da Organizations. Para obter mais informações sobre AWS Config gravação, consulte Lista de regras AWS Config gerenciadas — Considerações no Guia do AWS Config desenvolvedor.

nota

Regiões da AWS Quando um controle não está disponível, o recurso correspondente não está disponível em AWS Config. Para obter uma lista dos limites regionais nos controles do Security Hub, consulte Limites regionais em controles do Security Hub.

Recursos obrigatórios para todos os controles do Security Hub

Para que o Security Hub gere descobertas para controles ativados por alterações do Security Hub que usam uma AWS Config regra, você deve registrar esses recursos em AWS Config. Essa tabela também indica quais controles avaliam um recurso específico. Um único controle pode avaliar mais de um recurso.

Serviço Recurso necessário Controles relacionados
Amazon API Gateway AWS::ApiGateway::Stage

APIGateway1.

APIGateway2.

APIGateway3.

APIGateway4.

APIGateway5.

AWS::ApiGatewayV2::Stage

APIGateway1.

APIGateway9.

AWS AppConfig AWS::AppConfig::Application

AppConfig1.

AWS::AppConfig::ConfigurationProfile

AppConfig2.

AWS::AppConfig::Environment

AppConfig3.

AWS::AppConfig::ExtensionAssociation

AppConfig4.

Amazon AppFlow AWS::AppFlow::Flow

AppFlow1.

AWS App Runner AWS::AppRunner::Service

AppRunner1.

AWS::AppRunner::VpcConnector

AppRunner2.

AWS AppSync AWS::AppSync::GraphQLApi

AppSync2.

AppSync4.

AppSync5.

AWS::AppSync::ApiCache

AppSync1.

AppSync.6

AWS Backup (AWS Backup) AWS::Backup::BackupPlan

Backup.5

AWS::Backup::BackupVault

Backup.3

AWS::Backup::RecoveryPoint

Backup.1

Backup.2

AWS::Backup::ReportPlan

Backup.4

AWS Batch AWS::Batch::ComputeEnvironment

Lote.3

AWS::Batch::JobQueue

Lote.1

AWS::Batch::SchedulingPolicy

Lote.2

AWS Certificate Manager (ACM) AWS::ACM::Certificate

ACM.1

ACM.2

ACM.3

Amazon Athena AWS::Athena::DataCatalog Athena.2
AWS::Athena::WorkGroup

Athena.3

Athena.4

AWS CloudFormation AWS::CloudFormation::Stack

CloudFormation2.

Amazon CloudFront AWS::CloudFront::Distribution

CloudFront1.

CloudFront3.

CloudFront4.

CloudFront5.

CloudFront.6

CloudFront7.

CloudFront8.

CloudFront9.

CloudFront.10

CloudFront1.3

CloudFront1.4

AWS CloudTrail AWS::CloudTrail::Trail CloudTrail9.
Amazon CloudWatch AWS::CloudWatch::Alarm

CloudWatch1.5

CloudWatch1.7

AWS CodeArtifact AWS::CodeArtifact::Repository CodeArtifact1.
AWS CodeBuild AWS::CodeBuild::Project

CodeBuild1.

CodeBuild2.

CodeBuild3.

CodeBuild4.

AWS::CodeBuild::ReportGroup

CodeBuild7.

Amazon CodeGuru Profiler AWS::CodeGuruProfiler::ProfilingGroup CodeGuruProfiler1.
CodeGuru Revisor da Amazon AWS::CodeGuruReviewer::RepositoryAssociation CodeGuruReviewer1.
Amazon Cognito AWS::Cognito::UserPool Cognito.1
Amazon Cognito AWS::Cognito::UserPool Cognito.1
Amazon Connect AWS::CustomerProfiles::ObjectType Conecte-se. 1
AWS DataSync AWS::DataSync::Task DataSync1.
Amazon Detective AWS::Detective::Graph Detetive.1
AWS Database Migration Service (AWS DMS) AWS::DMS::Certificate

DMS.2

AWS::DMS::Endpoint

DMS.9

DMS.10

DMS.11

DMS.12

AWS::DMS::EventSubscription DMS.3
AWS::DMS::ReplicationInstance

DMS.4

DMS.6

AWS::DMS::ReplicationSubnetGroup DMS.5
AWS::DMS::ReplicationTask

DMS.7

DMS.8

Amazon DynamoDB AWS::DynamoDB::Table

DynamoDB.1

DynamoDB.2

DynamoDB.5

DynamoDB.6

Nuvem de computação elástica Amazon () EC2 AWS::EC2::ClientVpnEndpoint

EC25.1

AWS::EC2::CustomerGateway EC23.6
AWS::EC2::EIP

EC21.2

EC23.7

AWS::EC2::FlowLog EC24.8
AWS::EC2::Instance

EC24.

EC28.

EC29.

EC21.7

EC22.4

EC23,8

EMR.1

SSM.1

AWS::EC2::InternetGateway

EC23.9

AWS::EC2::LaunchTemplate

EC22,5

EC21.70

AWS::EC2::NatGateway

EC24,0

AWS::EC2::NetworkAcl

EC21.6

EC22.1

EC24.1

AWS::EC2::NetworkInterface

EC22.2

EC23.5

AWS::EC2::RouteTable EC24.2
AWS::EC2::SecurityGroup

EC22.

EC21.3

EC21.4

EC21.8

EC21.9

EC24.3

AWS::EC2::Subnet

EC21.5

EC24.4

ElastiCache7.

AWS::EC2::TransitGateway

EC22.3

EC25.2

AWS::EC2::TransitGatewayAttachment EC23.3
AWS::EC2::TransitGatewayRouteTable EC23.4
AWS::EC2::Volume

EC23.

EC24,5

AWS::EC2::VPC

EC2.6

EC24.6

AWS::EC2::VPCBlockPublicAccessOptions

EC21.72

AWS::EC2::VPCEndpointService EC24.7
AWS::EC2::VPCPeeringConnection EC24.9
AWS::EC2::VPNConnection EC2.20

EC21.71

AWS::EC2::VPNGateway EC25,0
Amazon EC2 Auto Scaling AWS::AutoScaling::AutoScalingGroup

AutoScaling1.

AutoScaling2.

AutoScaling.6

AutoScaling9.

AutoScaling.10

AWS::AutoScaling::LaunchConfiguration

AutoScaling3.

Autoscaling.5

Amazon EC2 Systems Manager (SSM) AWS::SSM::AssociationCompliance

SSM.3

AWS::SSM::ManagedInstanceInventory

SSM.1

AWS::SSM::PatchCompliance

SSM.2

Amazon Elastic Container Registry (Amazon ECR) AWS::ECR::PublicRepository ECR.4
AWS::ECR::Repository

ECR.2

ECR.3

Amazon Elastic Container Service (Amazon ECS) AWS::ECS::Cluster

ECS.12

ECS.14

AWS::ECS::Service

ECS.2

ECS.10

ECS.13

AWS::ECS::TaskDefinition

ECS.1

ECS.3

ECS.4

ECS.5

ECS.8

ECS.9

ECS.15

AWS::ECS::TaskSet

ECS.16

Amazon Elastic File System (Amazon EFS) AWS::EFS::AccessPoint

EFS.3

EFS.4

EFS.5

AWS::EFS::FileSystem

EFS.7

EFS.8

Amazon Elastic Kubernetes Service (Amazon EKS) AWS::EKS::Cluster

eks.2

EKS.6

EKS.8

AWS::EKS::IdentityProviderConfig EKS.7
AWS Elastic Beanstalk AWS::ElasticBeanstalk::Environment

ElasticBeanstalk1.

ElasticBeanstalk2.

ElasticBeanstalk3.

Elastic Load Balancing AWS::ElasticLoadBalancing::LoadBalancer

ELB.1

ELB.3

ELB.5

ELB.7

ELB.1

ELB.9

ELB.10

ELB.14

AWS::ElasticLoadBalancingV2::LoadBalancer

ELB.1

ELB.4

ELB.5

ELB.6

ELB.12

ELB.13

ELB.16

ElasticSearch AWS::Elasticsearch::Domain

ES.3

ES.4

ES.5

ES.6

ES.7

ES.8

ES.9

Amazon EMR AWS::EMR::SecurityConfiguration

EMR.3

EMR.4

Amazon EventBridge AWS::Events::EventBus

EventBridge2.

EventBridge3.

AWS::Events::Endpoint

EventBridge4.

Amazon Fraud Detector AWS::FraudDetector::EntityType

FraudDetector1.

AWS::FraudDetector::Label

FraudDetector2.

AWS::FraudDetector::Outcome

FraudDetector3.

AWS::FraudDetector::Variable

FraudDetector4.

AWS Global Accelerator AWS::GlobalAccelerator::Accelerator

GlobalAccelerator1.

AWS Glue AWS::Glue::Job

Glue.1

AWS::Glue::MLTransform

Glue.3

Amazon GuardDuty AWS::GuardDuty::Detector

GuardDuty4.

AWS::GuardDuty::Filter

GuardDuty2.

AWS::GuardDuty::IPSet

GuardDuty3.

AWS Identity and Access Management (IAM) AWS::IAM::Group

IAM.27

KMS.2

AWS::IAM::Policy

IAM.1

IAM.21

KMS.1

AWS::IAM::Role

IAM.24

IAM.27

KMS.2

AWS::IAM::User

IAM.2

IAM.3

IAM.5

IAM.8

IAM.19

IAM.22

IAM.25

IAM.27

KMS.2

AWS Identity and Access Management Access Analyzer AWS::AccessAnalyzer::Analyzer

IAM.23

Amazon Interactive Video Service (Amazon IVS) AWS::IVS::PlaybackKeyPair

IVS.1

AWS::IVS::RecordingConfiguration

IVS.2

AWS::IVS::Channel

IVS.3

AWS IoT AWS::IoT::Authorizer

IoT.4

AWS::IoT::Dimension

IoT.3

AWS::IoT::MitigationAction

IoT.2

AWS::IoT::Policy

IoT.6

AWS::IoT::RoleAlias

IoT.5

AWS::IoT::SecurityProfile

IoT.1

AWS Eventos de IoT AWS::IoTEvents::AlarmModel

IoT TEvents 3.3

AWS::IoTEvents::DetectorModel

IoT TEvents 1.2

AWS::IoTEvents::Input

IoT TEvents 1.1

AWS Eventos de IoT AWS::IoTEvents::AlarmModel

IoT TEvents 3.3

AWS::IoTEvents::DetectorModel

IoT TEvents 1.2

AWS::IoTEvents::Input

IoT TEvents 1.1

AWS IoT SiteWise AWS::IoTSiteWise::AssetModel

Eu sou TSite sábio.1

AWS::IoTSiteWise::Dashboard

Eu sou TSite sábio.2

AWS::IoTSiteWise::Gateway

Eu sou TSite sábio.3

AWS::IoTSiteWise::Portal

Eu sou TSite sábio.4

AWS::IoTSiteWise::Project

Eu sou TSite sábio.5

AWS IoT TwinMaker AWS::IoTTwinMaker::Entity

Io TTwin Maker.4

AWS::IoTTwinMaker::Scene

Io TTwin Maker.3

AWS::IoTTwinMaker::SyncJob

Io TTwin Maker. 1

AWS::IoTTwinMaker::Workspace

Io TTwin Maker.2

AWS IoT Wireless AWS::IoTWireless::MulticastGroup

IoT TWireless 1.1

AWS::IoTWireless::ServiceProfile

IoT TWireless 1.2

AWS::IoTWireless::FuotaTask

IoT TWireless 3.3

Amazon Keyspaces (para Apache Cassandra) AWS::Cassandra::Keyspace

Espaços-chave. 1

Amazon Kinesis AWS::Kinesis::Stream

Kinesis.1

Kinesis.2

Kinesis.3

AWS Key Management Service (AWS KMS) AWS::KMS::Alias

S3.17

AWS::KMS::Key

KMS.3

KMS.5

S3.17

AWS Lambda AWS::Lambda::Function

Lambda.1

Lambda.2

Lambda.3

Lambda.5

Lambda.6

Amazon MSK AWS::MSK::Cluster

MSK.1

MSK.2

AWS::KafkaConnect::Connector

MSK.3

Amazon MQ AWS::AmazonMQ::Broker

MQ.2

MQ.3

MQ.4

MQ.5

MQ.6

AWS Network Firewall AWS::NetworkFirewall::Firewall

NetworkFirewall1.

NetworkFirewall7.

NetworkFirewall9.

AWS::NetworkFirewall::FirewallPolicy

NetworkFirewall3.

NetworkFirewall4.

NetworkFirewall5.

NetworkFirewall8.

AWS::NetworkFirewall::RuleGroup

NetworkFirewall.6

OpenSearch Serviço Amazon AWS::OpenSearch::Domain

Opensearch.1

Opensearch.2

Opensearch.3

Opensearch.4

Opensearch.5

Opensearch.6

Opensearch.7

Opensearch.8

Opensearch.9

Opensearch.10

Opensearch.11

AWS Private CA AWS::ACMPCA::CertificateAuthority

PCA.2

Amazon Relational Database Service (Amazon RDS) AWS::RDS::DBCluster

DocumentDB.1

DocumentDB.2

DocumentDB.4

DocumentDB.5

Neptune.1

Neptune.2

Neptune.4

Neptune.5

Neptune.7

Neptune.8

Neptune.9

RDS.7

RDS.12

RDS.14

RDS.15

RDS.16

RDS.24

RDS.27

RDS.28

RDS.34

RDS.35

RDS.37

AWS::RDS::DBClusterSnapshot

DocumentDB.3

Neptune.3

Neptune.6

RDS.1

RDS.4

RDS.29

AWS::RDS::DBInstance

RDS.2

RDS. 3

RDS.5

RDS.6

RDS.8

RDS.9

RDS.10

RDS.11

RDS.13

RDS.17

RDS. 3

RDS.23

RDS.25

RDS.30

RDS.36

AWS::RDS::DBSecurityGroup

RDS.31

AWS::RDS::DBSnapshot

RDS.1

RDS.4

RDS.32

AWS::RDS::DBSubnetGroup

RDS.33

AWS::RDS::EventSubscription

RDS.19

RDS.20

RDS.21

RDS.22

Amazon Redshift AWS::Redshift::Cluster

Redshift.1

Redshift.2

Redshift.3

Redshift.4

Redshift.6

Redshift.7

Redshift.8

Redshift.9

Redshift.10

Redshift.11

AWS::Redshift::ClusterParameterGroup

Redshift.2

AWS::Redshift::ClusterSnapshot

Redshift.13

AWS::Redshift::ClusterSubnetGroup

Redshift.14

Desvio para o vermelho.16

AWS::Redshift::EventSubscription

Redshift.12

Amazon Route 53 AWS::Route53::HostedZone

Route53.2

AWS::Route53::HealthCheck

Route53.1

Amazon Simple Storage Service (Amazon S3) AWS::S3::AccessPoint

S3.19

AWS::S3::AccountPublicAccessBlock

S3.2

S3.3

AWS::S3::Bucket

S3.2

S3.3

S3.5

S3.6

S3.7

S3.8

S3.9

S3.10

S3.11

S3.12

S3.13

S3.14

S3.15

S3.17

S3.20

AWS::S3::MultiRegionAccessPoint

S3.24

SageMaker Inteligência Artificial da Amazon AWS::SageMaker::NotebookInstance

SageMaker2.

SageMaker3.

AWS::SageMaker::Model

SageMaker5.

AWS Secrets Manager AWS::SecretsManager::Secret

SecretsManager1.

SecretsManager2.

SecretsManager5.

AWS Service Catalog AWS::ServiceCatalog::Portfolio

ServiceCatalog1.

Amazon Simple Email Service (Amazon SES) AWS::SES::ConfigurationSet

SES.2

AWS::SES::ContactList

SES.1

Amazon Simple Notification Service (Amazon SNS) AWS::SNS::Topic

SNS.1

SNS.3

SNS.4

Amazon Simple Queue Service (Amazon SQS) AWS::SQS::Queue

SQS.1

SQS.2

AWS Step Functions AWS::StepFunctions::StateMachine

StepFunctions1.

AWS::StepFunctions::Activity

StepFunctions2.

AWS Transfer Family AWS::Transfer::Workflow

Transfer.1

AWS WAF AWS::WAF::Rule

WAF.6

AWS::WAF::RuleGroup

WAF.7

AWS::WAF::WebACL

WAF.1

WAF.8

AWS::WAFRegional::Rule

WAF.2

AWS::WAFRegional::RuleGroup

WAF.3

AWS::WAFRegional::WebACL

WAF.4

AWS::WAFv2::RuleGroup

WAF.12

AWS::WAFv2::WebACL

WAF.10

WAF.11

Amazon WorkSpaces AWS::WorkSpaces::WorkSpace

WorkSpaces1.

WorkSpaces2.

Recursos obrigatórios para o padrão FSBP

Para que o Security Hub relate com precisão as descobertas dos controles acionados por alterações ativadas pelas melhores práticas AWS básicas de segurança v1.0.0 (FSBP) que usam uma AWS Config regra, você deve registrar esses recursos em. AWS Config Para obter mais informações sobre esse padrão, consulte AWS Padrão básico de melhores práticas de segurança v1.0.0 (FSBP).

Serviço Recursos necessários

Amazon API Gateway

AWS::ApiGateway::Stage

AWS::ApiGatewayV2::Stage

AWS AppSync

AWS::AppSync::ApiCache

AWS::AppSync::GraphQLApi

AWS Backup

AWS::Backup::RecoveryPoint

AWS Certificate Manager (ACM)

AWS::ACM::Certificate

AWS CloudFormation

AWS::CloudFormation::Stack

Amazon CloudFront

AWS::CloudFront::Distribution

AWS CodeBuild

AWS::CodeBuild::Project

AWS::CodeBuild::ReportGroup

Amazon Cognito

AWS::Cognito::UserPool

AWS DataSync

AWS::DataSync::Task

AWS Database Migration Service (AWS DMS)

AWS::DMS::Endpoint

AWS::DMS::ReplicationInstance

AWS::DMS::ReplicationTask

Amazon DynamoDB

AWS::DynamoDB::Table

Amazon EC2 Systems Manager (SSM)

AWS::SSM::AssociationCompliance

AWS::SSM::ManagedInstanceInventory

AWS::SSM::PatchCompliance

Nuvem de computação elástica Amazon () EC2

AWS::EC2::ClientVpnEndpoint

AWS::EC2::Instance

AWS::EC2::LaunchTemplate

AWS::EC2::NetworkAcl

AWS::EC2::NetworkInterface

AWS::EC2::SecurityGroup

AWS::EC2::Subnet

AWS::EC2::TransitGateway

AWS::EC2::VPCBlockPublicAccessOptions

AWS::EC2::VPNConnection

AWS::EC2::Volume

Amazon EC2 Auto Scaling

AWS::AutoScaling::AutoScalingGroup

AWS::AutoScaling::LaunchConfiguration

Amazon Elastic Container Registry (Amazon ECR)

AWS::ECR::Repository

Amazon Elastic Container Service (Amazon ECS)

AWS::ECS::Cluster

AWS::ECS::Service

AWS::ECS::TaskDefinition

AWS::ECS::TaskSet

Amazon Elastic File System (Amazon EFS)

AWS::EFS::AccessPoint

AWS::EFS::FileSystem

Amazon EKS

AWS::EKS::Cluster

ElasticBeanstalk

AWS::ElasticBeanstalk::Environment

Elastic Load Balancing

AWS::ElasticLoadBalancing::LoadBalancer

AWS::ElasticLoadBalancingV2::LoadBalancer

ElasticSearch

AWS::Elasticsearch::Domain

Amazon EMR

AWS::EMR::SecurityConfiguration

AWS Glue

AWS::Glue::Job

AWS::Glue::MLTransform

AWS Identity and Access Management (IAM)

AWS::IAM::Group

AWS::IAM::Policy

AWS::IAM::Role

AWS::IAM::User

Amazon Kinesis

AWS::Kinesis::Stream

AWS Key Management Service (AWS KMS)

AWS::KMS::Key

AWS Lambda

AWS::Lambda::Function

Amazon MSK

AWS::MSK::Cluster

AWS::KafkaConnect::Connector

AWS Network Firewall

AWS::NetworkFirewall::Firewall

AWS::NetworkFirewall::FirewallPolicy

AWS::NetworkFirewall::RuleGroup

OpenSearch Serviço Amazon

AWS::OpenSearch::Domain

Amazon Relational Database Service (Amazon RDS)

AWS::RDS::DBCluster

AWS::RDS::DBClusterSnapshot

AWS::RDS::DBInstance

AWS::RDS::DBSnapshot

AWS::RDS::EventSubscription

Amazon Redshift

AWS::Redshift::Cluster

AWS::Redshift::ClusterSubnetGroup

Amazon Route 53

AWS::Route53::HostedZone

Amazon Simple Storage Service (Amazon S3)

AWS::S3::AccessPoint

AWS::S3::AccountPublicAccessBlock

AWS::S3::Bucket

AWS::S3::MultiRegionAccessPoint

SageMaker Inteligência Artificial da Amazon

AWS::SageMaker::Model

AWS::SageMaker::NotebookInstance

Amazon Simple Notification Service (Amazon SNS)

AWS::SNS::Topic

Amazon Simple Queue Service (Amazon SQS)

AWS::SQS::Queue

AWS Secrets Manager

AWS::SecretsManager::Secret

AWS Step Functions

AWS::StepFunctions::StateMachine

AWS WAF

AWS::WAF::Rule

AWS::WAF::RuleGroup

AWS::WAF::WebACL

AWS::WAFRegional::Rule

AWS::WAFRegional::RuleGroup

AWS::WAFRegional::WebACL

AWS::WAFv2::RuleGroup

AWS::WAFv2::WebACL

Amazon WorkSpaces

AWS::WorkSpaces::WorkSpace

Recursos necessários para o CIS AWS Foundations Benchmark

Para executar verificações de segurança de controles habilitados que se aplicam ao benchmark de AWS fundamentos do Center for Internet Security (CIS), o Security Hub executa as etapas de auditoria exatas prescritas para as verificações em Protegendo a Amazon Web Services ou usa regras gerenciadas específicas AWS Config .

Para obter mais informações sobre esse padrão, consulte Referências do CIS AWS Foundations.

Recursos obrigatórios para o CIS v3.0.0

Para que o Security Hub relate com precisão as descobertas dos controles acionados por alterações habilitados do CIS v3.0.0 que usam uma AWS Config regra, você deve registrar esses recursos em. AWS Config

Serviço Recursos necessários

Nuvem de computação elástica da Amazon (Amazon EC2)

AWS::EC2::Instance

AWS::EC2::NetworkAcl

AWS::EC2::SecurityGroup

AWS Identity and Access Management (IAM)

AWS::IAM::Group

AWS::IAM::User

AWS::IAM::Role

Amazon Relational Database Service (Amazon RDS)

AWS::RDS::DBInstance

Amazon Simple Storage Service (Amazon S3)

AWS::S3::Bucket

Recursos necessários para o CIS v1.4.0

Para que o Security Hub relate com precisão as descobertas dos controles acionados por alterações habilitados do CIS v1.4.0 que usam uma AWS Config regra, você deve registrar esses recursos em. AWS Config

Serviço Recursos necessários

Nuvem de computação elástica Amazon () EC2

AWS::EC2::NetworkAcl

AWS::EC2::SecurityGroup

AWS Identity and Access Management (IAM)

AWS::IAM::Policy

AWS::IAM::User

Amazon Relational Database Service (Amazon RDS)

AWS::RDS::DBInstance

Amazon Simple Storage Service (Amazon S3)

AWS::S3::Bucket

Recursos necessários para o CIS v1.2.0

Para que o Security Hub relate com precisão as descobertas dos controles ativados por alterações do CIS v1.2.0 habilitados que usam uma AWS Config regra, você deve registrar esses recursos em. AWS Config

Serviço Recursos necessários

Nuvem de computação elástica Amazon () EC2

AWS::EC2::SecurityGroup

AWS Identity and Access Management (IAM)

AWS::IAM::Policy

AWS::IAM::User

Recursos obrigatórios para o NIST SP 800-53 Rev. 5

Para que o Security Hub relate com precisão as descobertas dos controles acionados por alterações habilitados do National Institute of Standards and Technology (NIST) SP 800-53 Rev. 5 que usam uma AWS Config regra, você deve registrar esses recursos em. AWS Config Você só precisa registrar recursos para controles que tenham um tipo de programação acionado por alterações. Para obter mais informações sobre esse padrão, consulte NIST SP 800-53 Rev. 5 no Security Hub.

Serviço Recursos necessários

Amazon API Gateway

AWS::ApiGateway::Stage

AWS::ApiGatewayV2::Stage

AWS AppSync

AWS::AppSync::GraphQLApi

AWS Backup

AWS::Backup::RecoveryPoint

AWS Certificate Manager (ACM)

AWS::ACM::Certificate

AWS CloudFormation

AWS::CloudFormation::Stack

Amazon CloudFront

AWS::CloudFront::Distribution

Amazon CloudWatch

AWS::CloudWatch::Alarm

AWS CodeBuild

AWS::CodeBuild::Project

AWS Database Migration Service (AWS DMS)

AWS::DMS::Endpoint

AWS::DMS::ReplicationInstance

AWS::DMS::ReplicationTask

Amazon DynamoDB

AWS::DynamoDB::Table

Nuvem de computação elástica Amazon () EC2

AWS::EC2::ClientVpnEndpoint

AWS::EC2::EIP

AWS::EC2::Instance

AWS::EC2::LaunchTemplate

AWS::EC2::NetworkAcl

AWS::EC2::NetworkInterface

AWS::EC2::SecurityGroup

AWS::EC2::Subnet

AWS::EC2::TransitGateway

AWS::EC2::VPNConnection

AWS::EC2::Volume

Amazon EC2 Auto Scaling

AWS::AutoScaling::AutoScalingGroup

AWS::AutoScaling::LaunchConfiguration

Amazon Elastic Container Registry (Amazon ECR)

AWS::ECR::Repository

Amazon Elastic Container Service (Amazon ECS)

AWS::ECS::Cluster

AWS::ECS::Service

AWS::ECS::TaskDefinition

Amazon Elastic File System (Amazon EFS)

AWS::EFS::AccessPoint

Amazon EKS

AWS::EKS::Cluster

ElasticBeanstalk

AWS::ElasticBeanstalk::Environment

Elastic Load Balancing

AWS::ElasticLoadBalancing::LoadBalancer

AWS::ElasticLoadBalancingV2::LoadBalancer

ElasticSearch

AWS::Elasticsearch::Domain

Amazon EMR

AWS::EMR::SecurityConfiguration

Amazon EventBridge

AWS::Events::Endpoint

AWS::Events::EventBus

AWS Identity and Access Management (IAM)

AWS::IAM::Group

AWS::IAM::Policy

AWS::IAM::Role

AWS::IAM::User

AWS Key Management Service (AWS KMS)

AWS::KMS::Alias

AWS::KMS::Key

Amazon Kinesis

AWS::Kinesis::Stream

AWS Lambda

AWS::Lambda::Function

Amazon MSK

AWS::MSK::Cluster

Amazon MQ

AWS::AmazonMQ::Broker

AWS Network Firewall

AWS::NetworkFirewall::Firewall

AWS::NetworkFirewall::FirewallPolicy

AWS::NetworkFirewall::RuleGroup

OpenSearch Serviço Amazon

AWS::OpenSearch::Domain

Amazon Relational Database Service (Amazon RDS)

AWS::RDS::DBCluster

AWS::RDS::DBClusterSnapshot

AWS::RDS::DBInstance

AWS::RDS::DBSnapshot

AWS::RDS::EventSubscription

Amazon Redshift

AWS::Redshift::Cluster

AWS::Redshift::ClusterSubnetGroup

Amazon Route 53

AWS::Route53::HostedZone

Amazon Simple Storage Service (Amazon S3)

AWS::S3::AccountPublicAccessBlock

AWS::S3::AccessPoint

AWS::S3::Bucket

AWS Service Catalog

AWS::ServiceCatalog::Portfolio

Amazon Simple Notification Service (Amazon SNS)

AWS::SNS::Topic

Amazon Simple Queue Service (Amazon SQS)

AWS::SQS::Queue

Amazon EC2 Systems Manager (SSM)

AWS::SSM::AssociationCompliance

AWS::SSM::ManagedInstanceInventory

AWS::SSM::PatchCompliance

SageMaker Inteligência Artificial da Amazon

AWS::SageMaker::NotebookInstance

AWS Secrets Manager

AWS::SecretsManager::Secret

AWS WAF

AWS::WAF::Rule

AWS::WAF::RuleGroup

AWS::WAF::WebACL

AWS::WAFRegional::Rule

AWS::WAFRegional::RuleGroup

AWS::WAFRegional::WebACL

AWS::WAFv2::RuleGroup

AWS::WAFv2::WebACL

Recursos obrigatórios para o PCI DSS v3.2.1

Para que o Security Hub relate com precisão as descobertas dos controles do Padrão de Segurança de Dados do Setor de Cartões de Pagamento (PCI DSS) habilitados que usam uma AWS Config regra, você deve registrar esses recursos em. AWS Config Para obter mais informações sobre esse padrão, consulte PCI DSS no Security Hub.

Serviço Recursos necessários

AWS CodeBuild

AWS::CodeBuild::Project

Nuvem de computação elástica Amazon () EC2

AWS::EC2::EIP

AWS::EC2::Instance

AWS::EC2::SecurityGroup

Amazon EC2 Auto Scaling

AWS::AutoScaling::AutoScalingGroup

AWS Identity and Access Management (IAM)

AWS::IAM::Policy

AWS::IAM::User

AWS Lambda

AWS::Lambda::Function

OpenSearch Serviço Amazon

AWS::OpenSearch::Domain

Amazon Relational Database Service (Amazon RDS)

AWS::RDS::DBClusterSnapshot

AWS::RDS::DBInstance

AWS::RDS::DBSnapshot

Amazon Redshift

AWS::Redshift::Cluster

Amazon Simple Storage Service (Amazon S3)

AWS::S3::AccountPublicAccessBlock

AWS::S3::Bucket

Amazon EC2 Systems Manager (SSM)

AWS::SSM::AssociationCompliance

AWS::SSM::ManagedInstanceInventory

AWS::SSM::PatchCompliance

Recursos necessários para o AWS Resource Tagging Standard

Todos os controles no AWS Resource Tagging Standard são acionados por alterações e usam uma AWS Config regra. Para que o Security Hub relate com precisão as descobertas desses controles, você deve registrar os seguintes recursos em AWS Config. Para obter mais informações sobre esse padrão, consulte AWS Padrão de marcação de recursos.

Serviço Recursos necessários
AWS AppConfig

AWS::AppConfig::Application

AWS::AppConfig::ConfigurationProfile

AWS::AppConfig::Environment

AWS::AppConfig::ExtensionAssociation

Amazon AppFlow

AWS::AppFlow::Flow

AWS App Runner

AWS::AppRunner::Service

AWS::AppRunner::VpcConnector

AWS AppSync

AWS::AppSync::GraphQLApi

Amazon Athena

AWS::Athena::DataCatalog

AWS::Athena::WorkGroup

AWS Certificate Manager (ACM)

AWS::ACM::Certificate

AWS Backup (AWS Backup)

AWS::Backup::BackupPlan

AWS::Backup::BackupVault

AWS::Backup::RecoveryPlan

AWS::Backup::ReportPlan

AWS Batch

AWS::Batch::ComputeEnvironment

AWS::Batch::JobQueue

AWS::Batch::SchedulingPolicy

AWS CloudFormation

AWS::CloudFormation::Stack

Amazon CloudFront

AWS::CloudFront::Distribution

AWS CloudTrail

AWS::CloudTrail::Trail

AWS CodeArtifact

AWS::CodeArtifact::Repository

Amazon CodeGuru

AWS::CodeGuruProfiler::ProfilingGroup

AWS::CodeGuruReviewer::RepositoryAssociation

Amazon Connect

AWS::CustomerProfiles::ObjectType

Amazon Detective

AWS::Detective::Graph

AWS Database Migration Service (AWS DMS)

AWS::DMS::Certificate

AWS::DMS::EventSubscription

AWS::DMS::ReplicationInstance

AWS::DMS::ReplicationSubnetGroup

Amazon DynamoDB

AWS::DynamoDB::Trail

Nuvem de computação elástica Amazon () EC2

AWS::EC2::CustomerGateway

AWS::EC2::EIP

AWS::EC2::FlowLog

AWS::EC2::Instance

AWS::EC2::InternetGateway

AWS::EC2::NatGateway

AWS::EC2::NetworkAcl

AWS::EC2::NetworkInterface

AWS::EC2::RouteTable

AWS::EC2::SecurityGroup

AWS::EC2::Subnet

AWS::EC2::TransitGateway

AWS::EC2::TransitGatewayAttachment

AWS::EC2::TransitGatewayRouteTable

AWS::EC2::Volume

AWS::EC2::VPC

AWS::EC2::VPCEndpointService

AWS::EC2::VPCPeeringConnection

AWS::EC2::VPNGateway

Amazon EC2 Auto Scaling

AWS::AutoScaling::AutoScalingGroup

Amazon Elastic Container Registry (Amazon ECR)

AWS::ECR::PublicRepository

Amazon Elastic Container Service (Amazon ECS)

AWS::ECS::Cluster

AWS::ECS::Service

AWS::ECS::TaskDefinition

Amazon Elastic File System (Amazon EFS)

AWS::EFS::AccessPoint

Amazon Elastic Kubernetes Service (Amazon EKS)

AWS::EKS::Cluster

AWS::EKS::IdentityProviderConfig

AWS Elastic Beanstalk (Elastic Beanstalk)

AWS::ElasticBeanstalk::Environment

ElasticSearch

AWS::Elasticsearch::Domain

Amazon EventBridge

AWS::Events::EventBus

Amazon Fraud Detector

AWS::FraudDetector::EntityType

AWS::FraudDetector::Label

AWS::FraudDetector::Outcome

AWS::FraudDetector::Variable

AWS Global Accelerator

AWS::GlobalAccelerator::Accelerator

AWS Glue

AWS::Glue::Job

Amazon GuardDuty

AWS::GuardDuty::Detector

AWS::GuardDuty::Filter

AWS::GuardDuty::IPSet

AWS Identity and Access Management (IAM)

AWS::IAM::Role

AWS::IAM::User

AWS Identity and Access Management Access Analyzer (Analisador de acesso IAM)

AWS::AccessAnalyzer::Analyzer

AWS IoT

AWS::IoT::Authorizer

AWS::IoT::Dimension

AWS::IoT::MitigationAction

AWS::IoT::Policy

AWS::IoT::RoleAlias

AWS::IoT::SecurityProfile

AWS IoT Eventos

AWS::IoTEvents::AlarmModel

AWS::IoTEvents::DetectorModel

AWS::IoTEvents::Input

AWS IoT SiteWise

AWS::IoTSiteWise::Dashboard

AWS::IoTSiteWise::Gateway

AWS::IoTSiteWise::Portal

AWS::IoTSiteWise::Project

AWS IoT TwinMaker

AWS::IoTTwinMaker::Entity

AWS::IoTTwinMaker::Scene

AWS::IoTTwinMaker::SyncJob

AWS::IoTTwinMaker::Workspace

AWS IoT Sem fio

AWS::IoTWireless::FuotaTask

AWS::IoTWireless::MulticastGroup

AWS::IoTWireless::ServiceProfile

Amazon Interactive Video Service (Amazon IVS)

AWS::IVS::Channel

AWS::IVS::PlaybackKeyPair

AWS::IVS::RecordingConfiguration

Amazon Keyspaces (para Apache Cassandra)

AWS::Cassandra::Keyspace

Amazon Kinesis

AWS::Kinesis::Stream

AWS Lambda

AWS::Lambda::Function

Amazon MQ

AWS::AmazonMQ::Broker

AWS Network Firewall

AWS::NetworkFirewall::Firewall

AWS::NetworkFirewall::FirewallPolicy

OpenSearch Serviço Amazon

AWS::OpenSearch::Domain

AWS Private Certificate Authority

AWS::ACMPCA::CertificateAuthority

Amazon Relational Database Service

AWS::RDS::DBCluster

AWS::RDS::DBClusterSnapshot

AWS::RDS::DBInstance

AWS::RDS::DBSecurityGroup

AWS::RDS::DBSnapshot

AWS::RDS::DBSubnetGroup

Amazon Redshift

AWS::Redshift::Cluster

AWS::Redshift::ClusterSnapshot

AWS::Redshift::ClusterSubnetGroup

AWS::Redshift::EventSubscription

Amazon Route 53

AWS::Route53::HealthCheck

AWS Secrets Manager

AWS::SecretsManager::Secret

Amazon Simple Email Service (Amazon SES)

AWS::SES::ConfigurationSet

AWS::SES::ContactList

Amazon Simple Notification Service (Amazon SNS)

AWS::SNS::Topic

Amazon Simple Queue Service (Amazon SQS)

AWS::SQS::Queue

AWS Step Functions

AWS::StepFunctions::Activity

AWS Transfer Family

AWS::Transfer::Workflow

Recursos necessários para o Service-Managed Standard: AWS Control Tower

Para que o Security Hub relate com precisão as descobertas do Padrão Gerenciado por Serviços habilitado: AWS Control Tower altere os controles acionados que usam uma AWS Config regra, você deve registrar os seguintes recursos em. AWS Config Para obter mais informações sobre esse padrão, consulte Padrão gerenciado por serviços: AWS Control Tower.

Serviço Recursos necessários

Amazon API Gateway

AWS::ApiGateway::Stage

AWS::ApiGatewayV2::Stage

AWS Certificate Manager (ACM)

AWS::ACM::Certificate

AWS CodeBuild

AWS::CodeBuild::Project

Amazon DynamoDB

AWS::DynamoDB::Table

Nuvem de computação elástica Amazon () EC2

AWS::EC2::Instance

AWS::EC2::NetworkAcl

AWS::EC2::NetworkInterface

AWS::EC2::SecurityGroup

AWS::EC2::Subnet

AWS::EC2::VPNConnection

AWS::EC2::Volume

Amazon EC2 Auto Scaling

AWS::AutoScaling::AutoScalingGroup

AWS::AutoScaling::LaunchConfiguration

Amazon Elastic Container Registry (Amazon ECR)

AWS::ECR::Repository

Amazon Elastic Container Service (Amazon ECS)

AWS::ECS::Cluster

AWS::ECS::Service

AWS::ECS::TaskDefinition

Amazon Elastic File System (Amazon EFS)

AWS::EFS::AccessPoint

Amazon EKS

AWS::EKS::Cluster

ElasticBeanstalk

AWS::ElasticBeanstalk::Environment

Elastic Load Balancing

AWS::ElasticLoadBalancing::LoadBalancer

AWS::ElasticLoadBalancingV2::LoadBalancer

ElasticSearch

AWS::Elasticsearch::Domain

AWS Identity and Access Management (IAM)

AWS::IAM::Group

AWS::IAM::Policy

AWS::IAM::Role

AWS::IAM::User

AWS Key Management Service (AWS KMS)

AWS::KMS::Alias

AWS::KMS::Key

Amazon Kinesis

AWS::Kinesis::Stream

AWS Lambda

AWS::Lambda::Function

AWS Network Firewall

AWS::NetworkFirewall::FirewallPolicy

AWS::NetworkFirewall::RuleGroup

OpenSearch Serviço Amazon

AWS::OpenSearch::Domain

Amazon Relational Database Service (Amazon RDS)

AWS::RDS::DBCluster

AWS::RDS::DBClusterSnapshot

AWS::RDS::DBInstance

AWS::RDS::DBSnapshot

AWS::RDS::EventSubscription

Amazon Redshift

AWS::Redshift::Cluster

Amazon Simple Storage Service (Amazon S3)

AWS::S3::AccountPublicAccessBlock

AWS::S3::Bucket

Amazon Simple Notification Service (Amazon SNS)

AWS::SNS::Topic

Amazon Simple Queue Service (Amazon SQS)

AWS::SQS::Queue

Amazon EC2 Systems Manager (SSM)

AWS::SSM::AssociationCompliance

AWS::SSM::ManagedInstanceInventory

AWS::SSM::PatchCompliance

AWS Secrets Manager

AWS::SecretsManager::Secret

AWS WAF

AWS::WAFRegional::Rule

AWS::WAFRegional::RuleGroup

AWS::WAFRegional::WebACL

AWS::WAFv2::WebACL