AWS Security Hub

User Guide

What is AWS Security Hub?
Security Hub concepts
Enabling Security Hub
Managing administrator and member accounts
Cross-Region aggregation
Standards
Controls
Security Hub integrations
Findings
Insights
Automations
- Automation rules
  Creating automation rules
  Viewing automation rules
  Editing automation rules
  Editing rule order
  Deleting or disabling automation rules
  Automation rule examples
- Automated response and remediation
  Security Hub event types in EventBridge
  EventBridge event formats
  Configuring a rule for Security Hub findings
  Configuring and using custom actions
  Creating a custom action
  Defining a rule in EventBridge
  Selecting a custom action for findings and insight results
Dashboard
- Filtering the Summary dashboard
- Customizing the Summary dashboard
Creating resources with CloudFormation
Subscribing to Security Hub announcements
Security
Logging API calls
Tagging resources
Quotas
Security Hub Regional limits
- Regional limits on controls
Disabling Security Hub
Controls change log
Document history

AWS Security Hub

Documentation
AWS Security Hub
User Guide

AWS Resource Tagging Standard

PDF

RSS

Focus mode

AWS Resource Tagging Standard - AWS Security Hub

Documentation AWS Security Hub User Guide

What is the AWS Resource Tagging Standard?Controls in the AWS Resource Tagging Standard

This section provides information about the AWS Resource Tagging Standard.

Note

The AWS Resource Tagging Standard isn't available in the Canada West (Calgary), China, and AWS GovCloud (US) Regions.

What is the AWS Resource Tagging Standard?

Tags are key and value pairs that act as metadata for organizing your AWS resources. With most AWS resources, you have the option of adding tags when you create the resource or after creation. Examples of resources include an Amazon CloudFront distribution, an Amazon Elastic Compute Cloud (Amazon EC2) instance, or a secret in AWS Secrets Manager. Tags can help you manage, identify, organize, search for, and filter resources.

Each tag has two parts:

A tag key—for example, CostCenter, Environment, or Project. Tag keys are case sensitive.
A tag value—for example, 111122223333 or Production. Like tag keys, tag values are case sensitive.

You can use tags to categorize resources by purpose, owner, environment, or other criteria.

For information about adding tags to AWS resources, see the Tagging AWS Resources and Tag Editor User Guide.

The AWS Resource Tagging Standard, developed by AWS Security Hub, helps you determine whether any of your AWS resources are missing tag keys. You can customize the requiredTagKeys parameter to specify tag keys that you want the controls to check for. If specific tags aren't provided, the controls only check for the existence of at least one tag key.

When you enable the AWS Resource Tagging Standard, you'll begin receiving findings in the AWS Security Finding Format (ASFF).

Note

When you enable the AWS Resource Tagging Standard, Security Hub may take up to 18 hours to generate findings for controls that use the same AWS Config service-linked rule as enabled controls in other enabled standards. For more information, see Schedule for running security checks.

This standard has the following Amazon Resource Name (ARN): arn:aws:securityhub:region::standards/aws-resource-tagging-standard/v/1.0.0.

You can also use the GetEnabledStandards operation of the Security Hub API to find the ARN of an enabled standard.

Controls in the AWS Resource Tagging Standard

The AWS Resource Tagging Standard includes the following controls. Choose a control to review a detailed description of it.

[ACM.3] ACM certificates should be tagged
[AppConfig.1] AWS AppConfig applications should be tagged
[AppConfig.2] AWS AppConfig configuration profiles should be tagged
[AppConfig.3] AWS AppConfig environments should be tagged
[AppConfig.4] AWS AppConfig extension associations should be tagged
[AppFlow.1] Amazon AppFlow flows should be tagged
[AppRunner.1] App Runner services should be tagged
[AppRunner.2] App Runner VPC connectors should be tagged
[AppSync.4] AWS AppSync GraphQL APIs should be tagged
[Athena.2] Athena data catalogs should be tagged
[Athena.3] Athena workgroups should be tagged
[AutoScaling.10] EC2 Auto Scaling groups should be tagged
[Backup.2] AWS Backup recovery points should be tagged
[Backup.3] AWS Backup vaults should be tagged
[Backup.4] AWS Backup report plans should be tagged
[Backup.5] AWS Backup backup plans should be tagged
[Batch.1] Batch job queues should be tagged
[Batch.2] Batch scheduling policies should be tagged
[Batch.3] Batch compute environments should be tagged
[CloudFormation.2] CloudFormation stacks should be tagged
[CloudFront.14] CloudFront distributions should be tagged
[CloudTrail.9] CloudTrail trails should be tagged
[CodeArtifact.1]CodeArtifact repositories should be tagged
[CodeGuruProfiler.1] CodeGuru Profiler profiling groups should be tagged
[CodeGuruReviewer.1] CodeGuru Reviewer repository associations should be tagged
[Connect.1] Amazon Connect Customer Profiles object types should be tagged
[Detective.1] Detective behavior graphs should be tagged
[DMS.2] DMS certificates should be tagged
[DMS.3] DMS event subscriptions should be tagged
[DMS.4] DMS replication instances should be tagged
[DMS.5] DMS replication subnet groups should be tagged
[DynamoDB.5] DynamoDB tables should be tagged
[EC2.33] EC2 transit gateway attachments should be tagged
[EC2.34] EC2 transit gateway route tables should be tagged
[EC2.35] EC2 network interfaces should be tagged
[EC2.36] EC2 customer gateways should be tagged
[EC2.37] EC2 Elastic IP addresses should be tagged
[EC2.38] EC2 instances should be tagged
[EC2.39] EC2 internet gateways should be tagged
[EC2.40] EC2 NAT gateways should be tagged
[EC2.41] EC2 network ACLs should be tagged
[EC2.42] EC2 route tables should be tagged
[EC2.43] EC2 security groups should be tagged
[EC2.44] EC2 subnets should be tagged
[EC2.45] EC2 volumes should be tagged
[EC2.46] Amazon VPCs should be tagged
[EC2.47] Amazon VPC endpoint services should be tagged
[EC2.48] Amazon VPC flow logs should be tagged
[EC2.49] Amazon VPC peering connections should be tagged
[EC2.50] EC2 VPN gateways should be tagged
[EC2.52] EC2 transit gateways should be tagged
[ECR.4] ECR public repositories should be tagged
[ECS.13] ECS services should be tagged
[ECS.14] ECS clusters should be tagged
[ECS.15] ECS task definitions should be tagged
[EFS.5] EFS access points should be tagged
[EKS.6] EKS clusters should be tagged
[EKS.7] EKS identity provider configurations should be tagged
[ES.9] Elasticsearch domains should be tagged
[EventBridge.2] EventBridge event buses should be tagged
[FraudDetector.1] Amazon Fraud Detector entity types should be tagged
[FraudDetector.2] Amazon Fraud Detector labels should be tagged
[FraudDetector.3] Amazon Fraud Detector outcomes should be tagged
[FraudDetector.4] Amazon Fraud Detector variables should be tagged
[GlobalAccelerator.1] Global Accelerator accelerators should be tagged
[Glue.1] AWS Glue jobs should be tagged
[GuardDuty.2] GuardDuty filters should be tagged
[GuardDuty.3] GuardDuty IPSets should be tagged
[GuardDuty.4] GuardDuty detectors should be tagged
[IAM.23] IAM Access Analyzer analyzers should be tagged
[IAM.24] IAM roles should be tagged
[IAM.25] IAM users should be tagged
[IoT.1] AWS IoT Device Defender security profiles should be tagged
[IoT.2] AWS IoT Core mitigation actions should be tagged
[IoT.3] AWS IoT Core dimensions should be tagged
[IoT.4] AWS IoT Core authorizers should be tagged
[IoT.5] AWS IoT Core role aliases should be tagged
[IoT.6] AWS IoT Core policies should be tagged
[IoTEvents.1] AWS IoT Events inputs should be tagged
[IoTEvents.2] AWS IoT Events detector models should be tagged
[IoTEvents.3] AWS IoT Events alarm models should be tagged
[IoTSiteWise.1] AWS IoT SiteWise asset models should be tagged
[IoTSiteWise.2] AWS IoT SiteWise dashboards should be tagged
[IoTSiteWise.3] AWS IoT SiteWise gateways should be tagged
[IoTSiteWise.4] AWS IoT SiteWise portals should be tagged
[IoTSiteWise.5] AWS IoT SiteWise projects should be tagged
[IoTTwinMaker.1] AWS IoT TwinMaker sync jobs should be tagged
[IoTTwinMaker.2] AWS IoT TwinMaker workspaces should be tagged
[IoTTwinMaker.3] AWS IoT TwinMaker scenes should be tagged
[IoTTwinMaker.4] AWS IoT TwinMaker entities should be tagged
[IoTWireless.1] AWS IoT Wireless multicast groups should be tagged
[IoTWireless.2] AWS IoT Wireless service profiles should be tagged
[IoTWireless.3] AWS IoT FUOTA tasks should be tagged
[IVS.1] IVS playback key pairs should be tagged
[IVS.2] IVS recording configurations should be tagged
[IVS.3] IVS channels should be tagged
[Keyspaces.1] Amazon Keyspaces keyspaces should be tagged
[Kinesis.2] Kinesis streams should be tagged
[Lambda.6] Lambda functions should be tagged
[MQ.4] Amazon MQ brokers should be tagged
[NetworkFirewall.7] Network Firewall firewalls should be tagged
[NetworkFirewall.8] Network Firewall firewall policies should be tagged
[Opensearch.9] OpenSearch domains should be tagged
[PCA.2] AWS Private CA certificate authorities should be tagged
[RDS.28] RDS DB clusters should be tagged
[RDS.29] RDS DB cluster snapshots should be tagged
[RDS.30] RDS DB instances should be tagged
[RDS.31] RDS DB security groups should be tagged
[RDS.32] RDS DB snapshots should be tagged
[RDS.33] RDS DB subnet groups should be tagged
[Redshift.11] Redshift clusters should be tagged
[Redshift.12] Redshift event notification subscriptions should be tagged
[Redshift.13] Redshift cluster snapshots should be tagged
[Redshift.14] Redshift cluster subnet groups should be tagged
[Route53.1] Route 53 health checks should be tagged
[SecretsManager.5] Secrets Manager secrets should be tagged
[SES.1] SES contact lists should be tagged
[SES.2] SES configuration sets should be tagged
[SNS.3] SNS topics should be tagged
[SQS.2] SQS queues should be tagged
[StepFunctions.2] Step Functions activities should be tagged
[Transfer.1] AWS Transfer Family workflows should be tagged

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

PCI DSS

Service-managed standards

Did this page help you? - Yes

Thanks for letting us know we're doing a good job!

If you've got a moment, please tell us what we did right so we can do more of it.

Did this page help you? - No

Thanks for letting us know this page needs work. We're sorry we let you down.

If you've got a moment, please tell us how we can make the documentation better.

Select your cookie preferences

Customize cookie preferences

Essential

Performance

Functional

Advertising

Unable to save cookie preferences

AWS Resource Tagging Standard

Note

What is the AWS Resource Tagging Standard?

Note

Controls in the AWS Resource Tagging Standard

On this page

Did this page help you?

Next topic:

Previous topic:

Need help?