This page is a machine-translated version. If this translation differs from the English original, the English original prevails.
AWS Config resources required to generate Security Hub control findings
AWS Security Hub generates control findings by running security checks against controls. Some controls use AWS Config rules to evaluate the compliance of specific resources. For Security Hub to generate findings for controls with a change-triggered schedule type, you must turn on recording of the required resources in AWS Config. For most controls with a periodic schedule type, you don't need to record resources. However, some periodic controls do require resource recording in order to detect compliance changes.
This page provides a list of the resources required across all standards, followed by lists of the required resources for each standard. The first table also lists the Security Hub controls that use each resource.
If a finding is generated by a security check that is based on an AWS Config rule, the finding details include a link to the associated AWS Config rule. To navigate to the AWS Config rule, your account must have AWS Identity and Access Management (IAM) permissions to view AWS Config rules.
Note
If a control isn't available in an AWS Region, the corresponding resource isn't available in AWS Config in that Region. For a list of Regional limits on Security Hub controls, see Availability of controls by Region.
Resources required for all Security Hub controls
For Security Hub to generate findings for enabled change-triggered controls that use AWS Config rules, you must record these resources in AWS Config. The table also indicates which controls require a particular resource. A control may require more than one resource.
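The practical question this table raises is whether your AWS Config configuration recorder actually records the resource types the controls you enabled depend on. The following Python is an added example, not AWS code and not part of this page's original content: it evaluates a recorder description in the shape returned by the AWS Config DescribeConfigurationRecorders API (the three recording strategies plus the legacy allSupported flag) against a constructed subset of the control-to-resource mapping from the table above, and reports which controls cannot produce findings. The treatment of the IAM types as global resources that need includeGlobalResourceTypes under the all-supported strategy is an assumption about AWS Config behaviour made for this example; the sample recorder, its role ARN and the control subset are constructed.

```python
"""Compare an AWS Config configuration recorder against the resource types that
Security Hub's change-triggered controls need recorded (added example, not AWS code)."""
from __future__ import annotations

# Control -> required resource types. Constructed subset of the table on this page,
# enough to exercise the check; extend it from the table as needed.
CONTROL_RESOURCES: dict[str, set[str]] = {
    "S3.2": {"AWS::S3::AccountPublicAccessBlock", "AWS::S3::Bucket"},
    "EC2.2": {"AWS::EC2::SecurityGroup"},
    "IAM.27": {"AWS::IAM::Group", "AWS::IAM::Role", "AWS::IAM::User"},
    "EMR.1": {"AWS::EC2::Instance"},
}

# IAM resource types are global in AWS Config; under the all-supported recording
# strategy they are recorded only when includeGlobalResourceTypes is true.
# (Assumption about AWS Config behaviour made for this example.)
GLOBAL_TYPES = {"AWS::IAM::Group", "AWS::IAM::Policy", "AWS::IAM::Role", "AWS::IAM::User"}


def effective_strategy(group: dict) -> str:
    """Return the recording strategy, falling back to the legacy allSupported flag."""
    strategy = group.get("recordingStrategy", {}).get("useOnly")
    if strategy:
        return strategy
    return "ALL_SUPPORTED_RESOURCE_TYPES" if group.get("allSupported") else "INCLUSION_BY_RESOURCE_TYPES"


def is_recorded(recorder: dict, resource_type: str) -> bool:
    """True if the recorder (as described by DescribeConfigurationRecorders) records resource_type."""
    group = recorder.get("recordingGroup", {})
    strategy = effective_strategy(group)
    if strategy == "INCLUSION_BY_RESOURCE_TYPES":
        return resource_type in set(group.get("resourceTypes", []))
    if strategy == "EXCLUSION_BY_RESOURCE_TYPES":
        excluded = group.get("exclusionByResourceTypes", {}).get("resourceTypes", [])
        return resource_type not in set(excluded)
    # ALL_SUPPORTED_RESOURCE_TYPES: everything except, possibly, the global IAM types.
    if resource_type in GLOBAL_TYPES:
        return bool(group.get("includeGlobalResourceTypes", False))
    return True


def missing_resources(recorder: dict, controls: list[str]) -> dict[str, list[str]]:
    """Map each control to the required resource types the recorder does not record."""
    gaps: dict[str, list[str]] = {}
    for control in controls:
        missing = sorted(t for t in CONTROL_RESOURCES[control] if not is_recorded(recorder, t))
        if missing:
            gaps[control] = missing
    return gaps


# Constructed sample: a recorder that only records two resource types.
SAMPLE_RECORDER = {
    "name": "default",
    "roleARN": "arn:aws:iam::123456789012:role/example-config-role",  # placeholder value
    "recordingGroup": {
        "allSupported": False,
        "includeGlobalResourceTypes": False,
        "resourceTypes": ["AWS::S3::Bucket", "AWS::EC2::Instance"],
        "recordingStrategy": {"useOnly": "INCLUSION_BY_RESOURCE_TYPES"},
    },
}


def load_recorder_from_aws(region: str) -> dict:
    """Fetch the live recorder with boto3 (imported lazily so the sample runs offline)."""
    import boto3
    client = boto3.client("config", region_name=region)
    recorders = client.describe_configuration_recorders()["ConfigurationRecorders"]
    if not recorders:
        raise RuntimeError("no AWS Config configuration recorder in this Region")
    return recorders[0]


if __name__ == "__main__":
    for control, types in missing_resources(SAMPLE_RECORDER, sorted(CONTROL_RESOURCES)).items():
        print(f"{control}: required resource type(s) not recorded -> {', '.join(types)}")
```

Against the sample recorder, S3.2 is reported as missing AWS::S3::AccountPublicAccessBlock, EC2.2 as missing AWS::EC2::SecurityGroup, and IAM.27 as missing all three IAM types, while EMR.1 is satisfied. Replace SAMPLE_RECORDER with load_recorder_from_aws("us-east-1") (or the Region in question) to run the same check against an account, and fill CONTROL_RESOURCES from the rows of the table for the controls you have enabled.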
Service | Required resource | Related controls
---|---|---
Amazon API Gateway | AWS::ApiGateway::Stage | APIGateway.1 APIGateway.2 APIGateway.3 APIGateway.4 APIGateway.5
Amazon API Gateway | AWS::ApiGatewayV2::Stage | APIGateway.1 APIGateway.9
AWS AppSync | AWS::AppSync::GraphQLApi | AppSync.2 AppSync.4 AppSync.5
AWS Backup | AWS::Backup::BackupPlan | Backup.5
AWS Backup | AWS::Backup::BackupVault | Backup.3
AWS Backup | AWS::Backup::RecoveryPoint | Backup.1 Backup.2
AWS Backup | AWS::Backup::ReportPlan | Backup.4
AWS Certificate Manager (ACM) | AWS::ACM::Certificate | ACM.1 ACM.2 ACM.3
Amazon Athena | AWS::Athena::DataCatalog | Athena.2
Amazon Athena | AWS::Athena::WorkGroup | Athena.3
AWS CloudFormation | AWS::CloudFormation::Stack | CloudFormation.2
Amazon CloudFront | AWS::CloudFront::Distribution | CloudFront.1 CloudFront.3 CloudFront.4 CloudFront.5 CloudFront.6 CloudFront.7 CloudFront.8 CloudFront.9 CloudFront.10 CloudFront.13 CloudFront.14
AWS CloudTrail | AWS::CloudTrail::Trail | CloudTrail.9
Amazon CloudWatch | AWS::CloudWatch::Alarm | CloudWatch.15 CloudWatch.17
AWS CodeArtifact | AWS::CodeArtifact::Repository | CodeArtifact.1
AWS CodeBuild | AWS::CodeBuild::Project | CodeBuild.1 CodeBuild.2 CodeBuild.3 CodeBuild.4
Amazon Detective | AWS::Detective::Graph | Detective.1
AWS Database Migration Service (AWS DMS) | AWS::DMS::Certificate | DMS.2
AWS Database Migration Service (AWS DMS) | AWS::DMS::Endpoint |
AWS Database Migration Service (AWS DMS) | AWS::DMS::EventSubscription | DMS.3
AWS Database Migration Service (AWS DMS) | AWS::DMS::ReplicationInstance | DMS.4 DMS.6
AWS Database Migration Service (AWS DMS) | AWS::DMS::ReplicationSubnetGroup | DMS.5
AWS Database Migration Service (AWS DMS) | AWS::DMS::ReplicationTask | DMS.7 DMS.8
Amazon DynamoDB | AWS::DynamoDB::Table | DynamoDB.1 DynamoDB.2 DynamoDB.5 DynamoDB.6
Amazon Elastic Compute Cloud (EC2) | AWS::EC2::ClientVpnEndpoint | EC2.51
Amazon Elastic Compute Cloud (EC2) | AWS::EC2::CustomerGateway | EC2.36
Amazon Elastic Compute Cloud (EC2) | AWS::EC2::EIP | EC2.12 EC2.37
Amazon Elastic Compute Cloud (EC2) | AWS::EC2::FlowLog | EC2.48
Amazon Elastic Compute Cloud (EC2) | AWS::EC2::Instance | EC2.4 EC2.8 EC2.9 EC2.17 EC2.24 EC2.38 EMR.1 SSM.1
Amazon Elastic Compute Cloud (EC2) | AWS::EC2::InternetGateway | EC2.39
Amazon Elastic Compute Cloud (EC2) | AWS::EC2::LaunchTemplate | EC2.25
Amazon Elastic Compute Cloud (EC2) | AWS::EC2::NatGateway | EC2.40
Amazon Elastic Compute Cloud (EC2) | AWS::EC2::NetworkAcl | EC2.16 EC2.21 EC2.41
Amazon Elastic Compute Cloud (EC2) | AWS::EC2::NetworkInterface | EC2.22 EC2.35
Amazon Elastic Compute Cloud (EC2) | AWS::EC2::RouteTable | EC2.42
Amazon Elastic Compute Cloud (EC2) | AWS::EC2::SecurityGroup | EC2.2 EC2.13 EC2.14 EC2.18 EC2.19 EC2.43
Amazon Elastic Compute Cloud (EC2) | AWS::EC2::Subnet | EC2.15 EC2.44 ElastiCache.7
Amazon Elastic Compute Cloud (EC2) | AWS::EC2::TransitGateway | EC2.23 EC2.52
Amazon Elastic Compute Cloud (EC2) | AWS::EC2::TransitGatewayAttachment | EC2.33
Amazon Elastic Compute Cloud (EC2) | AWS::EC2::TransitGatewayRouteTable | EC2.34
Amazon Elastic Compute Cloud (EC2) | AWS::EC2::Volume | EC2.3 EC2.45
Amazon Elastic Compute Cloud (EC2) | AWS::EC2::VPC | EC2.6 EC2.46
Amazon Elastic Compute Cloud (EC2) | AWS::EC2::VPCEndpointService | EC2.47
Amazon Elastic Compute Cloud (EC2) | AWS::EC2::VPCPeeringConnection | EC2.49
Amazon Elastic Compute Cloud (EC2) | AWS::EC2::VPNConnection | EC2.20
Amazon Elastic Compute Cloud (EC2) | AWS::EC2::VPNGateway | EC2.50
Amazon EC2 Auto Scaling | AWS::AutoScaling::AutoScalingGroup | AutoScaling.1 AutoScaling.2 AutoScaling.6 AutoScaling.9 AutoScaling.10
Amazon EC2 Auto Scaling | AWS::AutoScaling::LaunchConfiguration | AutoScaling.3 AutoScaling.5
Amazon EC2 Systems Manager (SSM) | AWS::SSM::AssociationCompliance | SSM.3
Amazon EC2 Systems Manager (SSM) | AWS::SSM::ManagedInstanceInventory | SSM.1
Amazon EC2 Systems Manager (SSM) | AWS::SSM::PatchCompliance | SSM.2
Amazon Elastic Container Registry (Amazon ECR) | AWS::ECR::PublicRepository | ECR.4
Amazon Elastic Container Registry (Amazon ECR) | AWS::ECR::Repository | ECR.2 ECR.3
Amazon Elastic Container Service (Amazon ECS) | AWS::ECS::Cluster | ECS.12 ECS.14
Amazon Elastic Container Service (Amazon ECS) | AWS::ECS::Service | ECS.2 ECS.10 ECS.13
Amazon Elastic Container Service (Amazon ECS) | AWS::ECS::TaskDefinition | ECS.1 ECS.3 ECS.4 ECS.5 ECS.8 ECS.9 ECS.15
Amazon Elastic File System (Amazon EFS) | AWS::EFS::AccessPoint | EFS.3 EFS.4 EFS.5
Amazon Elastic Kubernetes Service (Amazon EKS) | AWS::EKS::Cluster | EKS.2 EKS.6 EKS.8
Amazon Elastic Kubernetes Service (Amazon EKS) | AWS::EKS::IdentityProviderConfig | EKS.7
AWS Elastic Beanstalk | AWS::ElasticBeanstalk::Environment | ElasticBeanstalk.1 ElasticBeanstalk.2 ElasticBeanstalk.3
Elastic Load Balancing | AWS::ElasticLoadBalancing::LoadBalancer | ELB.2 ELB.3 ELB.5 ELB.7 ELB.8 ELB.9 ELB.10 ELB.14
Elastic Load Balancing | AWS::ElasticLoadBalancingV2::LoadBalancer | ELB.1 ELB.4 ELB.5 ELB.6 ELB.12 ELB.13 ELB.16
ElasticSearch | AWS::Elasticsearch::Domain | ES.3 ES.4 ES.5 ES.6 ES.7 ES.8 ES.9
Amazon EventBridge | AWS::Events::EventBus | EventBridge.2 EventBridge.3
Amazon EventBridge | AWS::Events::Endpoint | EventBridge.4
AWS Global Accelerator | AWS::GlobalAccelerator::Accelerator | GlobalAccelerator.1
AWS Glue | AWS::Glue::Job | Glue.1
Amazon GuardDuty | AWS::GuardDuty::Detector | GuardDuty.4
Amazon GuardDuty | AWS::GuardDuty::Filter | GuardDuty.2
Amazon GuardDuty | AWS::GuardDuty::IPSet | GuardDuty.3
AWS Identity and Access Management (IAM) | AWS::IAM::Group | IAM.27 KMS.2
AWS Identity and Access Management (IAM) | AWS::IAM::Policy | IAM.1 IAM.21 KMS.1
AWS Identity and Access Management (IAM) | AWS::IAM::Role | IAM.24 IAM.27 KMS.2
AWS Identity and Access Management (IAM) | AWS::IAM::User | IAM.2 IAM.3 IAM.5 IAM.8 IAM.19 IAM.22 IAM.25 IAM.27 KMS.2
AWS Identity and Access Management Access Analyzer | AWS::AccessAnalyzer::Analyzer | IAM.23
AWS IoT | AWS::IoT::Authorizer | IoT.4
AWS IoT | AWS::IoT::Dimension | IoT.3
AWS IoT | AWS::IoT::MitigationAction | IoT.2
AWS IoT | AWS::IoT::Policy | IoT.6
AWS IoT | AWS::IoT::RoleAlias | IoT.5
AWS IoT | AWS::IoT::SecurityProfile | IoT.1
AWS Key Management Service (AWS KMS) | AWS::KMS::Alias | S3.17
AWS Key Management Service (AWS KMS) | AWS::KMS::Key | KMS.3 S3.17
Amazon Kinesis | AWS::Kinesis::Stream | Kinesis.1 Kinesis.2
AWS Lambda | AWS::Lambda::Function | Lambda.1 Lambda.2 Lambda.3 Lambda.5 Lambda.6
Amazon MSK | AWS::MSK::Cluster | MSK.1 MSK.2
Amazon MQ | AWS::AmazonMQ::Broker | MQ.2 MQ.3 MQ.4 MQ.5 MQ.6
AWS Network Firewall | AWS::NetworkFirewall::Firewall | NetworkFirewall.1 NetworkFirewall.7 NetworkFirewall.9
AWS Network Firewall | AWS::NetworkFirewall::FirewallPolicy | NetworkFirewall.3 NetworkFirewall.4 NetworkFirewall.5 NetworkFirewall.8
AWS Network Firewall | AWS::NetworkFirewall::RuleGroup | NetworkFirewall.6
Amazon OpenSearch Service | AWS::OpenSearch::Domain | Opensearch.1 Opensearch.2 Opensearch.3 Opensearch.4 Opensearch.5 Opensearch.6 Opensearch.7 Opensearch.8 Opensearch.9 Opensearch.10 Opensearch.11
Amazon Relational Database Service (Amazon RDS) | AWS::RDS::DBCluster | DocumentDB.1 DocumentDB.2 DocumentDB.4 DocumentDB.5 Neptune.1 Neptune.2 Neptune.4 Neptune.5 Neptune.7 Neptune.8 Neptune.9 RDS.7 RDS.12 RDS.14 RDS.15 RDS.16 RDS.24 RDS.27 RDS.28 RDS.34 RDS.35
Amazon Relational Database Service (Amazon RDS) | AWS::RDS::DBClusterSnapshot | DocumentDB.3 Neptune.3 Neptune.6 RDS.1 RDS.4 RDS.29
Amazon Relational Database Service (Amazon RDS) | AWS::RDS::DBInstance | RDS.2 RDS.3 RDS.5 RDS.6 RDS.8 RDS.9 RDS.10 RDS.11 RDS.13 RDS.17 RDS.18 RDS.23 RDS.25 RDS.30
Amazon Relational Database Service (Amazon RDS) | AWS::RDS::DBSecurityGroup | RDS.31
Amazon Relational Database Service (Amazon RDS) | AWS::RDS::DBSnapshot | RDS.1 RDS.4 RDS.32
Amazon Relational Database Service (Amazon RDS) | AWS::RDS::DBSubnetGroup | RDS.33
Amazon Relational Database Service (Amazon RDS) | AWS::RDS::EventSubscription | RDS.19 RDS.20 RDS.21 RDS.22
Amazon Redshift | AWS::Redshift::Cluster | Redshift.1 Redshift.2 Redshift.3 Redshift.4 Redshift.6 Redshift.7 Redshift.8 Redshift.9 Redshift.10 Redshift.11
Amazon Redshift | AWS::Redshift::ClusterParameterGroup | Redshift.2
Amazon Redshift | AWS::Redshift::ClusterSnapshot | Redshift.13
Amazon Redshift | AWS::Redshift::ClusterSubnetGroup | Redshift.14
Amazon Redshift | AWS::Redshift::EventSubscription | Redshift.12
Amazon Route 53 | AWS::Route53::HostedZone | Route53.2
Amazon Route 53 | AWS::Route53::HealthCheck | Route53.1
Amazon Simple Storage Service (Amazon S3) | AWS::S3::AccessPoint | S3.19
Amazon Simple Storage Service (Amazon S3) | AWS::S3::AccountPublicAccessBlock | S3.2 S3.3
Amazon Simple Storage Service (Amazon S3) | AWS::S3::Bucket | S3.2 S3.3 S3.5 S3.6 S3.7 S3.8 S3.9 S3.10 S3.11 S3.12 S3.13 S3.14 S3.15 S3.17 S3.20
AWS Secrets Manager | AWS::SecretsManager::Secret | SecretsManager.1 SecretsManager.2 SecretsManager.5
AWS Service Catalog | AWS::ServiceCatalog::Portfolio | ServiceCatalog.1
Amazon Simple Email Service (Amazon SES) | AWS::SES::ConfigurationSet | SES.2
Amazon Simple Email Service (Amazon SES) | AWS::SES::ContactList | SES.1
Amazon Simple Notification Service (Amazon SNS) | AWS::SNS::Topic | SNS.1 SNS.3
Amazon Simple Queue Service (Amazon SQS) | AWS::SQS::Queue | SQS.1 SQS.2
Amazon SageMaker | AWS::SageMaker::NotebookInstance | SageMaker.2 SageMaker.3
AWS Step Functions | AWS::StepFunctions::StateMachine | StepFunctions.1
AWS Step Functions | AWS::StepFunctions::Activity | StepFunctions.2
AWS Transfer Family | AWS::Transfer::Workflow | Transfer.1
AWS WAF | AWS::WAF::Rule | WAF.6
AWS WAF | AWS::WAF::RuleGroup | WAF.7
AWS WAF | AWS::WAF::WebACL | WAF.1 WAF.8
AWS WAF | AWS::WAFRegional::Rule | WAF.2
AWS WAF | AWS::WAFRegional::RuleGroup | WAF.3
AWS WAF | AWS::WAFRegional::WebACL | WAF.4
AWS WAF | AWS::WAFv2::RuleGroup | WAF.12
AWS WAF | AWS::WAFv2::WebACL | WAF.10 WAF.11
Resources required for the FSBP standard
For Security Hub to accurately report findings for enabled change-triggered AWS Foundational Security Best Practices (FSBP) controls that use AWS Config rules, you must record these resources in AWS Config. For more information about this standard, see AWS Foundational Security Best Practices (FSBP) standard.
Service | Required resources
---|---
Amazon API Gateway |
AWS AppSync |
AWS Backup |
AWS Certificate Manager (ACM) |
AWS CloudFormation |
Amazon CloudFront |
AWS CodeBuild |
AWS Database Migration Service (AWS DMS) |
Amazon DynamoDB |
Amazon EC2 Systems Manager (SSM) |
Amazon Elastic Compute Cloud (EC2) |
Amazon EC2 Auto Scaling |
Amazon Elastic Container Registry (Amazon ECR) |
Amazon Elastic Container Service (Amazon ECS) |
Amazon Elastic File System (Amazon EFS) |
Amazon EKS |
ElasticBeanstalk |
Elastic Load Balancing |
ElasticSearch |
AWS Identity and Access Management (IAM) |
AWS Key Management Service (AWS KMS) |
Amazon Kinesis |
AWS Lambda |
Amazon MSK |
AWS Network Firewall |
Amazon OpenSearch Service |
Amazon Relational Database Service (Amazon RDS) |
Amazon Redshift |
Amazon Route 53 |
Amazon Simple Storage Service (Amazon S3) |
Amazon Simple Notification Service (Amazon SNS) |
Amazon Simple Queue Service (Amazon SQS) |
Amazon SageMaker |
AWS Secrets Manager |
AWS Step Functions |
AWS WAF |
Resources required for the CIS AWS Foundations Benchmark
To run security checks for enabled controls that apply to the Center for Internet Security (CIS) AWS Foundations Benchmark, Security Hub either follows Securing Amazon Web Services
For more information about this standard, see CIS AWS Foundations Benchmark.
Resources required for CIS v3.0.0
For Security Hub to accurately report findings for enabled change-triggered CIS v3.0.0 controls that use AWS Config rules, you must record these resources in AWS Config.
Service | Required resources
---|---
Amazon Elastic Compute Cloud (Amazon EC2) |
AWS Identity and Access Management (IAM) |
Amazon Relational Database Service (Amazon RDS) |
Amazon Simple Storage Service (Amazon S3) |
Resources required for CIS v1.4.0
For Security Hub to accurately report findings for enabled change-triggered CIS v1.4.0 controls that use AWS Config rules, you must record these resources in AWS Config.
Service | Required resources
---|---
Amazon Elastic Compute Cloud (EC2) |
AWS Identity and Access Management (IAM) |
Amazon Relational Database Service (Amazon RDS) |
Amazon Simple Storage Service (Amazon S3) |
Resources required for CIS v1.2.0
For Security Hub to accurately report findings for enabled change-triggered CIS v1.2.0 controls that use AWS Config rules, you must record these resources in AWS Config.
Service | Required resources
---|---
Amazon Elastic Compute Cloud (EC2) |
AWS Identity and Access Management (IAM) |
Resources required for NIST SP 800-53 Rev. 5
For Security Hub to accurately report findings for enabled change-triggered National Institute of Standards and Technology (NIST) SP 800-53 Rev. 5 controls that use AWS Config rules, you must record these resources in AWS Config. You only need to record resources for controls with a change-triggered schedule type. For more information about this standard, see National Institute of Standards and Technology (NIST) SP 800-53 Rev. 5.
Service | Required resources
---|---
Amazon API Gateway |
AWS AppSync |
AWS Backup |
AWS Certificate Manager (ACM) |
AWS CloudFormation |
Amazon CloudFront |
Amazon CloudWatch |
AWS CodeBuild |
AWS Database Migration Service (AWS DMS) |
Amazon DynamoDB |
Amazon Elastic Compute Cloud (EC2) |
Amazon EC2 Auto Scaling |
Amazon Elastic Container Registry (Amazon ECR) |
Amazon Elastic Container Service (Amazon ECS) |
Amazon Elastic File System (Amazon EFS) |
Amazon EKS |
ElasticBeanstalk |
Elastic Load Balancing |
ElasticSearch |
Amazon EventBridge |
AWS Identity and Access Management (IAM) |
AWS Key Management Service (AWS KMS) |
Amazon Kinesis |
AWS Lambda |
Amazon MSK |
Amazon MQ |
AWS Network Firewall |
Amazon OpenSearch Service |
Amazon Relational Database Service (Amazon RDS) |
Amazon Redshift |
Amazon Route 53 |
Amazon Simple Storage Service (Amazon S3) |
AWS Service Catalog |
Amazon Simple Notification Service (Amazon SNS) |
Amazon Simple Queue Service (Amazon SQS) |
Amazon EC2 Systems Manager (SSM) |
Amazon SageMaker |
AWS Secrets Manager |
AWS WAF |
Resources required for PCI DSS v3.2.1
For Security Hub to accurately report findings for enabled Payment Card Industry Data Security Standard (PCI DSS) controls that use AWS Config rules, you must record these resources in AWS Config. For more information about this standard, see Payment Card Industry Data Security Standard (PCI DSS).
Service | Required resources
---|---
AWS CodeBuild |
Amazon Elastic Compute Cloud (EC2) |
Amazon EC2 Auto Scaling |
AWS Identity and Access Management (IAM) |
AWS Lambda |
Amazon OpenSearch Service |
Amazon Relational Database Service (Amazon RDS) |
Amazon Redshift |
Amazon Simple Storage Service (Amazon S3) |
Amazon EC2 Systems Manager (SSM) |
Resources required for the AWS Resource Tagging Standard
All controls in the AWS Resource Tagging Standard are change triggered and use AWS Config rules. For Security Hub to accurately report findings for these controls, you must record the following resources in AWS Config. You only need to record resources for controls with a change-triggered schedule type. For more information about this standard, see AWS Resource Tagging Standard.
Service | Required resources
---|---
AWS AppSync |
Amazon Athena |
AWS Certificate Manager (ACM) |
AWS Backup |
AWS CloudFormation |
Amazon CloudFront |
AWS CloudTrail |
AWS CodeArtifact |
Amazon Detective |
AWS Database Migration Service (AWS DMS) |
Amazon DynamoDB |
Amazon Elastic Compute Cloud (EC2) |
Amazon EC2 Auto Scaling |
Amazon Elastic Container Registry (Amazon ECR) |
Amazon Elastic Container Service (Amazon ECS) |
Amazon Elastic File System (Amazon EFS) |
Amazon Elastic Kubernetes Service (Amazon EKS) |
AWS Elastic Beanstalk |
ElasticSearch |
Amazon EventBridge |
AWS Global Accelerator |
AWS Glue |
Amazon GuardDuty |
AWS Identity and Access Management (IAM) |
AWS Identity and Access Management Access Analyzer (IAM Access Analyzer) |
AWS IoT |
Amazon Kinesis |
AWS Lambda |
Amazon MQ |
AWS Network Firewall |
Amazon OpenSearch Service |
Amazon Relational Database Service |
Amazon Redshift |
Amazon Route 53 |
AWS Secrets Manager |
Amazon Simple Email Service (Amazon SES) |
Amazon Simple Notification Service (Amazon SNS) |
Amazon Simple Queue Service (Amazon SQS) |
AWS Step Functions |
AWS Transfer Family |
Resources required for the Service-Managed Standard: AWS Control Tower
For Security Hub to accurately report findings for enabled change-triggered Service-Managed Standard: AWS Control Tower controls that use AWS Config rules, you must record the following resources in AWS Config. For more information about this standard, see Service-Managed Standard: AWS Control Tower.
Service | Required resources
---|---
Amazon API Gateway |
AWS Certificate Manager (ACM) |
AWS CodeBuild |
Amazon DynamoDB |
Amazon Elastic Compute Cloud (EC2) |
Amazon EC2 Auto Scaling |
Amazon Elastic Container Registry (Amazon ECR) |
Amazon Elastic Container Service (Amazon ECS) |
Amazon Elastic File System (Amazon EFS) |
Amazon EKS |
ElasticBeanstalk |
Elastic Load Balancing |
ElasticSearch |
AWS Identity and Access Management (IAM) |
AWS Key Management Service (AWS KMS) |
Amazon Kinesis |
AWS Lambda |
AWS Network Firewall |
Amazon OpenSearch Service |
Amazon Relational Database Service (Amazon RDS) |
Amazon Redshift |
Amazon Simple Storage Service (Amazon S3) |
Amazon Simple Notification Service (Amazon SNS) |
Amazon Simple Queue Service (Amazon SQS) |
Amazon EC2 Systems Manager (SSM) |
AWS Secrets Manager |
AWS WAF |