Using Security Hub controls with Audit Manager Supported Security Hub controls

AWS Security Hub controls supported by AWS Audit Manager

Audit Manager enables you to report the results of compliance checks directly from Security Hub. To do this, you specify one or more Security Hub controls as a data source mapping when you configure a custom control in Audit Manager.

Note

Audit Manager doesn’t collect evidence from service-linked AWS Config rules that are created by Security Hub. For more information, see the Troubleshooting section of this guide.
On November 9, 2022, Security Hub launched automated security checks aligned to the Center for Internet Security’s (CIS) AWS Foundations Benchmark version 1.4.0 requirements, Level 1 and 2 (CIS v1.4.0). In Security Hub, the CIS v1.4.0 standard is supported in addition to the CIS v1.2.0 standard.

Topics

Using Security Hub controls with Audit Manager
Supported Security Hub controls

Using Security Hub controls with Audit Manager

Tip

We recommend that you turn on the consolidated control findings setting in Security Hub if it's not turned on already. If you enable Security Hub on or after February 23, 2003, this setting is turned on by default.

When consolidated findings is enabled, Security Hub produces a single finding for each security check (even when the same check applies to multiple standards). Each Security Hub finding is collected as one unique resource assessment in Audit Manager. As a result, consolidated findings results in a decrease of the total unique resource assessments that Audit Manager performs for Security Hub findings. For this reason, using consolidated findings can often result in a reduction in your Audit Manager usages costs, without sacrificing evidence quality and availability. For more information about pricing, see AWS Audit Manager Pricing.

The following examples show a comparison of how Audit Manager collects and presents evidence depending on your Security Hub settings.

When consolidated findings is turned on

Let's say that you have enabled the following three security standards in Security Hub: AWS FSBP, PCI DSS, and CIS Benchmark v1.2.0.

All three of these standards use the same control (IAM.4) with the same underlying AWS Config rule (iam-root-access-key-check).
Because the consolidated control findings setting is turned on, Security Hub generates one single finding for this control.
Security Hub sends the consolidated finding to Audit Manager for this control.
The consolidated finding counts as one unique resource assessment in Audit Manager. As a result, one single piece of evidence is added to your assessment.

Here's an example of how that evidence might look:


{
    "SchemaVersion": "2018-10-08",
    "Id": "arn:aws:securityhub:us-west-2:111122223333:security-control/IAM.4/finding/09876543-p0o9-i8u7-y6t5-098765432109",
    "ProductArn": "arn:aws:securityhub:us-west-2::product/aws/securityhub",
    "ProductName": "Security Hub",
    "CompanyName": "AWS",
    "Region": "us-west-2",
    "GeneratorId": "security-control/IAM.4",
    "AwsAccountId": "111122223333",
    "Types": [
        "Software and Configuration Checks/Industry and Regulatory Standards"
    ],
    "FirstObservedAt": "2023-10-25T11:32:24.861Z",
    "LastObservedAt": "2023-11-02T11:59:19.546Z",
    "CreatedAt": "2023-10-25T11:32:24.861Z",
    "UpdatedAt": "2023-11-02T11:59:15.127Z",
    "Severity": {
        "Label": "INFORMATIONAL",
        "Normalized": 0,
        "Original": "INFORMATIONAL"
    },
    "Title": "IAM root user access key should not exist",
    "Description": "This AWS control checks whether the root user access key is available.",
    "Remediation": {
        "Recommendation": {
            "Text": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.",
            "Url": "https://docs.aws.amazon.com/console/securityhub/IAM.4/remediation"
        }
    },
    "ProductFields": {
        "RelatedAWSResources:0/name": "securityhub-iam-root-access-key-check-000270f5",
        "RelatedAWSResources:0/type": "AWS::Config::ConfigRule",
        "aws/securityhub/ProductName": "Security Hub",
        "aws/securityhub/CompanyName": "AWS",
        "Resources:0/Id": "arn:aws:iam::111122223333:root",
        "aws/securityhub/FindingId": "arn:aws:securityhub:us-west-2::product/aws/securityhub/arn:aws:securityhub:us-west-2:111122223333:security-control/IAM.4/finding/09876543-p0o9-i8u7-y6t5-098765432109"
    },
    "Resources": [{
        "Type": "AwsAccount",
        "Id": "AWS::::Account:111122223333",
        "Partition": "aws",
        "Region": "us-west-2"
    }],
    "Compliance": {
        "Status": "PASSED",
        "RelatedRequirements": [
            "CIS AWS Foundations Benchmark v1.2.0/1.12"
        ],
        "SecurityControlId": "IAM.4",
        "AssociatedStandards": [{
                "StandardsId": "ruleset/cis-aws-foundations-benchmark/v/1.2.0"
            },
            {
                "StandardsId": "standards/aws-foundational-security-best-practices/v/1.0.0"
            }
        ]
    },
    "WorkflowState": "NEW",
    "Workflow": {
        "Status": "RESOLVED"
    },
    "RecordState": "ACTIVE",
    "FindingProviderFields": {
        "Severity": {
            "Label": "INFORMATIONAL",
            "Original": "INFORMATIONAL"
        },
        "Types": [
            "Software and Configuration Checks/Industry and Regulatory Standards"
        ]
    },
    "ProcessedAt": "2023-11-02T11:59:20.980Z"
}

When consolidated findings is turned off

Let's say that you have enabled the following three security standards in Security Hub: AWS FSBP, PCI DSS, and CIS Benchmark v1.2.0.

All three of these standards use the same control (IAM.4) with the same underlying AWS Config rule (iam-root-access-key-check).
Because the consolidated findings setting is turned off, Security Hub generates a separate finding per security check for each enabled standard (in this case, three findings).
Security Hub sends three separate standard-specific findings to Audit Manager for this control.
The three findings count as three unique resource assessments in Audit Manager. As a result, three separate pieces of evidence are added to your assessment.

Here's an example of how that evidence might look. Note that in this example, each of the following three payloads has the same security control ID (SecurityControlId":"IAM.4"). For this reason, the assessment control that collects this evidence in Audit Manager (IAM.4) receives three separate pieces of evidence when the following findings come in from Security Hub.

Evidence for IAM.4 (FSBP)


{
  "version":"0",
  "id":"12345678-1q2w-3e4r-5t6y-123456789012",
  "detail-type":"Security Hub Findings - Imported",
  "source":"aws.securityhub",
  "account":"111122223333",
  "time":"2023-10-27T18:55:59Z",
  "region":"us-west-2",
  "resources":[
     "arn:aws:securityhub:us-west-2::product/aws/securityhub/arn:aws:securityhub:us-west-2:111122223333:subscription/aws-foundational-security-best-practices/v/1.0.0/Lambda.1/finding/b5e68d5d-43c3-46c8-902d-51cb0d4da568"
  ],
  "detail":{
     "findings":[
        {
           "SchemaVersion":"2018-10-08",
           "Id":"arn:aws:securityhub:us-west-2:111122223333:subscription/aws-foundational-security-best-practices/v/1.0.0/IAM.4/finding/8e2e05a2-4d50-4c2e-a78f-3cbe9402d17d",
           "ProductArn":"arn:aws:securityhub:us-west-2::product/aws/securityhub",
           "ProductName":"Security Hub",
           "CompanyName":"AWS",
           "Region":"us-west-2",
           "GeneratorId":"aws-foundational-security-best-practices/v/1.0.0/IAM.4",
           "AwsAccountId":"111122223333",
           "Types":[
              "Software and Configuration Checks/Industry and Regulatory Standards/AWS-Foundational-Security-Best-Practices"
           ],
           "FirstObservedAt":"2020-10-05T19:18:47.848Z",
           "LastObservedAt":"2023-11-01T14:12:04.106Z",
           "CreatedAt":"2020-10-05T19:18:47.848Z",
           "UpdatedAt":"2023-11-01T14:11:53.720Z",
           "Severity":{
              "Product":0,
              "Label":"INFORMATIONAL",
              "Normalized":0,
              "Original":"INFORMATIONAL"
           },
           "Title":"IAM.4 IAM root user access key should not exist",
           "Description":"This AWS control checks whether the root user access key is available.",
           "Remediation":{
              "Recommendation":{
                 "Text":"For information on how to correct this issue, consult the AWS Security Hub controls documentation.",
                 "Url":"https://docs.aws.amazon.com/console/securityhub/IAM.4/remediation"
              }
           },
           "ProductFields":{
              "StandardsArn":"arn:aws:securityhub:::standards/aws-foundational-security-best-practices/v/1.0.0",
              "StandardsSubscriptionArn":"arn:aws:securityhub:us-west-2:111122223333:subscription/aws-foundational-security-best-practices/v/1.0.0",
              "ControlId":"IAM.4",
              "RecommendationUrl":"https://docs.aws.amazon.com/console/securityhub/IAM.4/remediation",
              "RelatedAWSResources:0/name":"securityhub-iam-root-access-key-check-67cbb1c4",
              "RelatedAWSResources:0/type":"AWS::Config::ConfigRule",
              "StandardsControlArn":"arn:aws:securityhub:us-west-2:111122223333:control/aws-foundational-security-best-practices/v/1.0.0/IAM.4",
              "aws/securityhub/ProductName":"Security Hub",
              "aws/securityhub/CompanyName":"AWS",
              "Resources:0/Id":"arn:aws:iam::111122223333:root",
              "aws/securityhub/FindingId":"arn:aws:securityhub:us-west-2::product/aws/securityhub/arn:aws:securityhub:us-west-2:111122223333:subscription/aws-foundational-security-best-practices/v/1.0.0/IAM.4/finding/8e2e05a2-4d50-4c2e-a78f-3cbe9402d17d"
           },
           "Resources":[
              {
                 "Type":"AwsAccount",
                 "Id":"AWS::::Account:111122223333",
                 "Partition":"aws",
                 "Region":"us-west-2"
              }
           ],
           "Compliance":{
              "Status":"PASSED",
              "SecurityControlId":"IAM.4",
              "AssociatedStandards":[
                 {
                    "StandardsId":"standards/aws-foundational-security-best-practices/v/1.0.0"
                 }
              ]
           },
           "WorkflowState":"NEW",
           "Workflow":{
              "Status":"RESOLVED"
           },
           "RecordState":"ACTIVE",
           "FindingProviderFields":{
              "Severity":{
                 "Label":"INFORMATIONAL",
                 "Original":"INFORMATIONAL"
              },
              "Types":[
                 "Software and Configuration Checks/Industry and Regulatory Standards/AWS-Foundational-Security-Best-Practices"
              ]
           },
           "ProcessedAt":"2023-11-01T14:12:07.395Z"
        }
     ]
  }
}

Evidence for IAM.4 (CIS 1.2)


{
  "version":"0",
  "id":"12345678-1q2w-3e4r-5t6y-123456789012",
  "detail-type":"Security Hub Findings - Imported",
  "source":"aws.securityhub",
  "account":"111122223333",
  "time":"2023-10-27T18:55:59Z",
  "region":"us-west-2",
  "resources":[
     "arn:aws:securityhub:us-west-2::product/aws/securityhub/arn:aws:securityhub:us-west-2:111122223333:subscription/aws-foundational-security-best-practices/v/1.0.0/Lambda.1/finding/1dd8f2f8-cf1b-47c9-a875-8d7387fc9c23"
  ],
  "detail":{
     "findings":[
        {
           "SchemaVersion":"2018-10-08",
           "Id":"arn:aws:securityhub:us-west-2:111122223333:subscription/cis-aws-foundations-benchmark/v/1.2.0/1.12/finding/1dd8f2f8-cf1b-47c9-a875-8d7387fc9c23",
           "ProductArn":"arn:aws:securityhub:us-west-2::product/aws/securityhub",
           "ProductName":"Security Hub",
           "CompanyName":"AWS",
           "Region":"us-west-2",
           "GeneratorId":"arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/1.12",
           "AwsAccountId":"111122223333",
           "Types":[
              "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
           ],
           "FirstObservedAt":"2020-10-05T19:18:47.775Z",
           "LastObservedAt":"2023-11-01T14:12:07.989Z",
           "CreatedAt":"2020-10-05T19:18:47.775Z",
           "UpdatedAt":"2023-11-01T14:11:53.720Z",
           "Severity":{
              "Product":0,
              "Label":"INFORMATIONAL",
              "Normalized":0,
              "Original":"INFORMATIONAL"
           },
           "Title":"1.12 Ensure no root user access key exists",
           "Description":"The root user is the most privileged user in an AWS account. AWS Access Keys provide programmatic access to a given AWS account. It is recommended that all access keys associated with the root user be removed.",
           "Remediation":{
              "Recommendation":{
                 "Text":"For information on how to correct this issue, consult the AWS Security Hub controls documentation.",
                 "Url":"https://docs.aws.amazon.com/console/securityhub/IAM.4/remediation"
              }
           },
           "ProductFields":{
              "StandardsGuideArn":"arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0",
              "StandardsGuideSubscriptionArn":"arn:aws:securityhub:us-west-2:111122223333:subscription/cis-aws-foundations-benchmark/v/1.2.0",
              "RuleId":"1.12",
              "RecommendationUrl":"https://docs.aws.amazon.com/console/securityhub/IAM.4/remediation",
              "RelatedAWSResources:0/name":"securityhub-iam-root-access-key-check-67cbb1c4",
              "RelatedAWSResources:0/type":"AWS::Config::ConfigRule",
              "StandardsControlArn":"arn:aws:securityhub:us-west-2:111122223333:control/cis-aws-foundations-benchmark/v/1.2.0/1.12",
              "aws/securityhub/ProductName":"Security Hub",
              "aws/securityhub/CompanyName":"AWS",
              "Resources:0/Id":"arn:aws:iam::111122223333:root",
              "aws/securityhub/FindingId":"arn:aws:securityhub:us-west-2::product/aws/securityhub/arn:aws:securityhub:us-west-2:111122223333:subscription/cis-aws-foundations-benchmark/v/1.2.0/1.12/finding/1dd8f2f8-cf1b-47c9-a875-8d7387fc9c23"
           },
           "Resources":[
              {
                 "Type":"AwsAccount",
                 "Id":"AWS::::Account:111122223333",
                 "Partition":"aws",
                 "Region":"us-west-2"
              }
           ],
           "Compliance":{
              "Status":"PASSED",
              "SecurityControlId":"IAM.4",
              "AssociatedStandards":[
                 {
                    "StandardsId":"ruleset/cis-aws-foundations-benchmark/v/1.2.0"
                 }
              ]
           },
           "WorkflowState":"NEW",
           "Workflow":{
              "Status":"RESOLVED"
           },
           "RecordState":"ACTIVE",
           "FindingProviderFields":{
              "Severity":{
                 "Label":"INFORMATIONAL",
                 "Original":"INFORMATIONAL"
              },
              "Types":[
                 "Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
              ]
           },
           "ProcessedAt":"2023-11-01T14:12:13.436Z"
        }
     ]
  }
}

Evidence for PCI.IAM.1 (PCI DSS)


{
  "version":"0",
  "id":"12345678-1q2w-3e4r-5t6y-123456789012",
  "detail-type":"Security Hub Findings - Imported",
  "source":"aws.securityhub",
  "account":"111122223333",
  "time":"2023-10-27T18:55:59Z",
  "region":"us-west-2",
  "resources":[
     "arn:aws:securityhub:us-west-2::product/aws/securityhub/arn:aws:securityhub:us-west-2:111122223333:subscription/aws-foundational-security-best-practices/v/1.0.0/Lambda.1/finding/1dd8f2f8-cf1b-47c9-a875-8d7387fc9c23"
  ],
  "detail":{
     "findings":[
        {
           "SchemaVersion":"2018-10-08",
           "Id":"arn:aws:securityhub:us-west-2:111122223333:subscription/pci-dss/v/3.2.1/PCI.IAM.1/finding/3c75f651-6e2e-44f4-8e22-297d5c2d0c8b",
           "ProductArn":"arn:aws:securityhub:us-west-2::product/aws/securityhub",
           "ProductName":"Security Hub",
           "CompanyName":"AWS",
           "Region":"us-west-2",
           "GeneratorId":"pci-dss/v/3.2.1/PCI.IAM.1",
           "AwsAccountId":"111122223333",
           "Types":[
              "Software and Configuration Checks/Industry and Regulatory Standards/PCI-DSS"
           ],
           "FirstObservedAt":"2020-10-05T19:18:47.788Z",
           "LastObservedAt":"2023-11-01T14:12:02.413Z",
           "CreatedAt":"2020-10-05T19:18:47.788Z",
           "UpdatedAt":"2023-11-01T14:11:53.720Z",
           "Severity":{
              "Product":0,
              "Label":"INFORMATIONAL",
              "Normalized":0,
              "Original":"INFORMATIONAL"
           },
           "Title":"PCI.IAM.1 IAM root user access key should not exist",
           "Description":"This AWS control checks whether the root user access key is available.",
           "Remediation":{
              "Recommendation":{
                 "Text":"For information on how to correct this issue, consult the AWS Security Hub controls documentation.",
                 "Url":"https://docs.aws.amazon.com/console/securityhub/IAM.4/remediation"
              }
           },
           "ProductFields":{
              "StandardsArn":"arn:aws:securityhub:::standards/pci-dss/v/3.2.1",
              "StandardsSubscriptionArn":"arn:aws:securityhub:us-west-2:111122223333:subscription/pci-dss/v/3.2.1",
              "ControlId":"PCI.IAM.1",
              "RecommendationUrl":"https://docs.aws.amazon.com/console/securityhub/IAM.4/remediation",
              "RelatedAWSResources:0/name":"securityhub-iam-root-access-key-check-67cbb1c4",
              "RelatedAWSResources:0/type":"AWS::Config::ConfigRule",
              "StandardsControlArn":"arn:aws:securityhub:us-west-2:111122223333:control/pci-dss/v/3.2.1/PCI.IAM.1",
              "aws/securityhub/ProductName":"Security Hub",
              "aws/securityhub/CompanyName":"AWS",
              "Resources:0/Id":"arn:aws:iam::111122223333:root",
              "aws/securityhub/FindingId":"arn:aws:securityhub:us-west-2::product/aws/securityhub/arn:aws:securityhub:us-west-2:111122223333:subscription/pci-dss/v/3.2.1/PCI.IAM.1/finding/3c75f651-6e2e-44f4-8e22-297d5c2d0c8b"
           },
           "Resources":[
              {
                 "Type":"AwsAccount",
                 "Id":"AWS::::Account:111122223333",
                 "Partition":"aws",
                 "Region":"us-west-2"
              }
           ],
           "Compliance":{
              "Status":"PASSED",
              "RelatedRequirements":[
                 "PCI DSS 2.1",
                 "PCI DSS 2.2",
                 "PCI DSS 7.2.1"
              ],
              "SecurityControlId":"IAM.4",
              "AssociatedStandards":[
                 {
                    "StandardsId":"standards/pci-dss/v/3.2.1"
                 }
              ]
           },
           "WorkflowState":"NEW",
           "Workflow":{
              "Status":"RESOLVED"
           },
           "RecordState":"ACTIVE",
           "FindingProviderFields":{
              "Severity":{
                 "Label":"INFORMATIONAL",
                 "Original":"INFORMATIONAL"
              },
              "Types":[
                 "Software and Configuration Checks/Industry and Regulatory Standards/PCI-DSS"
              ]
           },
           "ProcessedAt":"2023-11-01T14:12:05.950Z"
        }
     ]
  }
}

Supported Security Hub controls

The following Security Hub controls are currently supported by Audit Manager. You can use any of the following standard-specific control ID keywords when you set up a data source for a custom control.

Security standard	Supported keyword in Audit Manager (standard control ID in Security Hub)	Related control documentation (corresponding security control ID in Security Hub)
CIS v1.2.0	1.1	IAM.20, CloudWatch.1
CIS v1.2.0	1.2	IAM.5
CIS v1.2.0	1.3	IAM.8
CIS v1.2.0	1.4	IAM.3
CIS v1.2.0	1.5	IAM.11
CIS v1.2.0	1.6	IAM.12
CIS v1.2.0	1.7	IAM.13
CIS v1.2.0	1.8	IAM.14
CIS v1.2.0	1.9	IAM.15
CIS v1.2.0	1.10	IAM.16
CIS v1.2.0	1.11	IAM.17
CIS v1.2.0	1.12	IAM.4
CIS v1.2.0	1.13	IAM.9
CIS v1.2.0	1.14	IAM.6
CIS v1.2.0	1.16	IAM.2
CIS v1.2.0	1.20	IAM.18
CIS v1.2.0	1.22	IAM.1
CIS v1.2.0	2.1	CloudTrail.1
CIS v1.2.0	2.2	CloudTrail.4
CIS v1.2.0	2.3	CloudTrail.6
CIS v1.2.0	2.4	CloudTrail.5
CIS v1.2.0	2.5	Config.1
CIS v1.2.0	2.6	CloudTrail.7
CIS v1.2.0	2.7	CloudTrail.2
CIS v1.2.0	2.8	KMS.4
CIS v1.2.0	2.9	EC2.6
CIS v1.2.0	3.1	CloudWatch.2
CIS v1.2.0	3.2	CloudWatch.3
CIS v1.2.0	3.3	CloudWatch.1
CIS v1.2.0	3.4	CloudWatch.4
CIS v1.2.0	3.5	CloudWatch.5
CIS v1.2.0	3.6	CloudWatch.6
CIS v1.2.0	3.7	CloudWatch.7
CIS v1.2.0	3.8	CloudWatch.8
CIS v1.2.0	3.9	CloudWatch.9
CIS v1.2.0	3.10	CloudWatch.10
CIS v1.2.0	3.11	CloudWatch.11
CIS v1.2.0	3.12	CloudWatch.12
CIS v1.2.0	3.13	CloudWatch.13
CIS v1.2.0	3.14	CloudWatch.14
CIS v1.2.0	4.1	EC2.13
CIS v1.2.0	4.2	EC2.14
CIS v1.2.0	4.3	EC2.2
PCI DSS	PCI.AutoScaling.1	AutoScaling.1
PCI DSS	PCI.CloudTrail.1	CloudTrail.1
PCI DSS	PCI.CloudTrail.2	CloudTrail.2
PCI DSS	PCI.CloudTrail.3	CloudTrail.3
PCI DSS	PCI.CloudTrail.4	CloudTrail.4
PCI DSS	PCI.CodeBuild.1	CodeBuild.1
PCI DSS	PCI.CodeBuild.2	CodeBuild.2
PCI DSS	PCI.Config.1	Config.1
PCI DSS	PCI.CW.1	CloudWatch.1
PCI DSS	PCI.DMS.1	DMS.1
PCI DSS	PCI.EC2.1	EC2.1
PCI DSS	PCI.EC2.2	EC2.2
PCI DSS	PCI.EC2.3	EC2.3
PCI DSS	PCI.EC2.4	EC2.12
PCI DSS	PCI.EC2.5	EC2.13
PCI DSS	PCI.EC2.6	EC2.6
PCI DSS	PCI.ELBv2.1	ELB.1
PCI DSS	PCI.ES.1	ES.1
PCI DSS	PCI.ES.2	ES.2
PCI DSS	PCI.GuardDuty.1	GuardDuty.1
PCI DSS	PCI.IAM.1	IAM.1
PCI DSS	PCI.IAM.2	IAM.2
PCI DSS	PCI.IAM.3	IAM.3
PCI DSS	PCI.IAM.4	IAM.4
PCI DSS	PCI.IAM.5	IAM.9
PCI DSS	PCI.IAM.6	IAM.6
PCI DSS	PCI.IAM.7	PCI.IAM.7
PCI DSS	PCI.IAM.8	PCI.IAM8.
PCI DSS	PCI.KMS.1	PCI.KMS.4
PCI DSS	PCI.Lambda.1	Lambda.1
PCI DSS	PCI.Lambda.2	Lambda.3
PCI DSS	PCI.Opensearch.1	Opensearch.1
PCI DSS	PCI.Opensearch.2	Opensearch.2
PCI DSS	PCI.RDS.1	RDS.1
PCI DSS	PCI.RDS.2	RDS.2
PCI DSS	PCI.Redshift.1	Redshift.1
PCI DSS	PCI.S3.1	S3.1
PCI DSS	PCI.S3.2	S3.2
PCI DSS	PCI.S3.3	S3.3
PCI DSS	PCI.S3.4	S3.4
PCI DSS	PCI.S3.5	S3.5
PCI DSS	PCI.S3.6	S3.1
PCI DSS	PCI.SageMaker.1	SageMaker.1
PCI DSS	PCI.SSM.1	SSM.1
PCI DSS	PCI.SSM.2	SSM.2
PCI DSS	PCI.SSM.3	SSM.3
AWS Foundational Security Best Practices	Account.1	Account.1
AWS Foundational Security Best Practices	ACM.1	ACM.1
AWS Foundational Security Best Practices	ACM.2	ACM.2
AWS Foundational Security Best Practices	APIGateway.1	APIGateway.1
AWS Foundational Security Best Practices	APIGateway.2	APIGateway.2
AWS Foundational Security Best Practices	APIGateway.3	APIGateway.3
AWS Foundational Security Best Practices	APIGateway.4	APIGateway.4
AWS Foundational Security Best Practices	APIGateway.5	APIGateway.5
AWS Foundational Security Best Practices	APIGateway.8	APIGateway.8
AWS Foundational Security Best Practices	APIGateway.9	APIGateway.9
AWS Foundational Security Best Practices	AppSync.2	AppSync.2
AWS Foundational Security Best Practices	AutoScaling.1	AutoScaling.1
AWS Foundational Security Best Practices	AutoScaling.2	AutoScaling.2
AWS Foundational Security Best Practices	AutoScaling.3	AutoScaling.3
AWS Foundational Security Best Practices	AutoScaling.4	AutoScaling.4
AWS Foundational Security Best Practices	Autoscaling.5	Autoscaling.5
AWS Foundational Security Best Practices	AutoScaling.6	AutoScaling.6
AWS Foundational Security Best Practices	AutoScaling.9	AutoScaling.9
AWS Foundational Security Best Practices	CloudFormation.1	CloudFormation.1
AWS Foundational Security Best Practices	CloudFront.1	CloudFront.1
AWS Foundational Security Best Practices	CloudFront.2	CloudFront.2
AWS Foundational Security Best Practices	CloudFront.3	CloudFront.3
AWS Foundational Security Best Practices	CloudFront.4	CloudFront.4
AWS Foundational Security Best Practices	CloudFront.5	CloudFront.5
AWS Foundational Security Best Practices	CloudFront.6	CloudFront.6
AWS Foundational Security Best Practices	CloudFront.7	CloudFront.7
AWS Foundational Security Best Practices	CloudFront.8	CloudFront.8
AWS Foundational Security Best Practices	CloudFront.9	CloudFront.9
AWS Foundational Security Best Practices	CloudFront.10	CloudFront.10
AWS Foundational Security Best Practices	CloudFront.12	CloudFront.12
AWS Foundational Security Best Practices	CloudFront.13	CloudFront.13
AWS Foundational Security Best Practices	CloudTrail.1	CloudTrail.1
AWS Foundational Security Best Practices	CloudTrail.2	CloudTrail.2
AWS Foundational Security Best Practices	CloudTrail.4	CloudTrail.4
AWS Foundational Security Best Practices	CloudTrail.5	CloudTrail.5
AWS Foundational Security Best Practices	CodeBuild.1	CodeBuild.1
AWS Foundational Security Best Practices	CodeBuild.2	CodeBuild.2
AWS Foundational Security Best Practices	CodeBuild.3	CodeBuild.3
AWS Foundational Security Best Practices	CodeBuild.4	CodeBuild.4
AWS Foundational Security Best Practices	CodeBuild.5	CodeBuild.5
AWS Foundational Security Best Practices	Config.1	Config.1
AWS Foundational Security Best Practices	DMS.1	DMS.1
AWS Foundational Security Best Practices	DynamoDB.1	DynamoDB.1
AWS Foundational Security Best Practices	DynamoDB.2	DynamoDB.2
AWS Foundational Security Best Practices	DynamoDB.3	DynamoDB.3
AWS Foundational Security Best Practices	EC2.1	EC2.1
AWS Foundational Security Best Practices	EC2.2	EC2.2
AWS Foundational Security Best Practices	EC2.3	EC2.3
AWS Foundational Security Best Practices	EC2.4	EC2.4
AWS Foundational Security Best Practices	EC2.6	EC2.6
AWS Foundational Security Best Practices	EC2.7	EC2.7
AWS Foundational Security Best Practices	EC2.8	EC2.8
AWS Foundational Security Best Practices	EC2.9	EC2.9
AWS Foundational Security Best Practices	EC2.10	EC2.10
AWS Foundational Security Best Practices	EC2.15	EC2.15
AWS Foundational Security Best Practices	EC2.16	EC2.16
AWS Foundational Security Best Practices	EC2.17	EC2.17
AWS Foundational Security Best Practices	EC2.18	EC2.18
AWS Foundational Security Best Practices	EC2.19	EC2.19
AWS Foundational Security Best Practices	EC2.20	EC2.20
AWS Foundational Security Best Practices	EC2.21	EC2.21
AWS Foundational Security Best Practices	EC2.22	EC2.22
AWS Foundational Security Best Practices	EC2.23	EC2.23
AWS Foundational Security Best Practices	EC2.24	EC2.24
AWS Foundational Security Best Practices	EC2.25	EC2.25
AWS Foundational Security Best Practices	ECR.1	ECR.1
AWS Foundational Security Best Practices	ECR.2	ECR.2
AWS Foundational Security Best Practices	ECR.3	ECR.3
AWS Foundational Security Best Practices	ECS.1	ECS.1
AWS Foundational Security Best Practices	ECS.2	ECS.2
AWS Foundational Security Best Practices	ECS.3	ECS.3
AWS Foundational Security Best Practices	ECS.4	ECS.4
AWS Foundational Security Best Practices	ECS.5	ECS.5
AWS Foundational Security Best Practices	ECS.8	ECS.8
AWS Foundational Security Best Practices	ECS.10	ECS.10
AWS Foundational Security Best Practices	ECS.12	ECS.12
AWS Foundational Security Best Practices	EFS.1	EFS.1
AWS Foundational Security Best Practices	EFS.2	EFS.2
AWS Foundational Security Best Practices	EFS.3	EFS.3
AWS Foundational Security Best Practices	EFS.4	EFS.4
AWS Foundational Security Best Practices	EKS.1	EKS.1
AWS Foundational Security Best Practices	EKS.2	EKS.2
AWS Foundational Security Best Practices	ElasticBeanstalk.1	ElasticBeanstalk.1
AWS Foundational Security Best Practices	ElasticBeanstalk.2	ElasticBeanstalk.2
AWS Foundational Security Best Practices	ElasticBeanstalk.3	ElasticBeanstalk.3
AWS Foundational Security Best Practices	ELB.2	ELB.2
AWS Foundational Security Best Practices	ELB.3	ELB.3
AWS Foundational Security Best Practices	ELB.4	ELB.4
AWS Foundational Security Best Practices	ELB.5	ELB.5
AWS Foundational Security Best Practices	ELB.6	ELB.6
AWS Foundational Security Best Practices	ELB.7	ELB.7
AWS Foundational Security Best Practices	ELB.8	ELB.8
AWS Foundational Security Best Practices	ELB.9	ELB.9
AWS Foundational Security Best Practices	ELB.10	ELB.10
AWS Foundational Security Best Practices	ELB.12	ELB.12
AWS Foundational Security Best Practices	ELB.13	ELB.13
AWS Foundational Security Best Practices	ELB.14	ELB.14
AWS Foundational Security Best Practices	ELBv2.1	ELB.1
AWS Foundational Security Best Practices	EMR.1	EMR.1
AWS Foundational Security Best Practices	ES.1	ES.1
AWS Foundational Security Best Practices	ES.2	ES.2
AWS Foundational Security Best Practices	ES.3	ES.3
AWS Foundational Security Best Practices	ES.4	ES.4
AWS Foundational Security Best Practices	ES.5	ES.5
AWS Foundational Security Best Practices	ES.6	ES.6
AWS Foundational Security Best Practices	ES.7	ES.7
AWS Foundational Security Best Practices	ES.8	ES.8
AWS Foundational Security Best Practices	GuardDuty.1	GuardDuty.1
AWS Foundational Security Best Practices	IAM.1	IAM.1
AWS Foundational Security Best Practices	IAM.2	IAM.2
AWS Foundational Security Best Practices	IAM.3	IAM.3
AWS Foundational Security Best Practices	IAM.4	IAM.4
AWS Foundational Security Best Practices	IAM.5	IAM.5
AWS Foundational Security Best Practices	IAM.6	IAM.6
AWS Foundational Security Best Practices	IAM.7	IAM.7
AWS Foundational Security Best Practices	IAM.8	IAM.8
AWS Foundational Security Best Practices	IAM.21	IAM.21
AWS Foundational Security Best Practices	Kinesis.1	Kinesis.1
AWS Foundational Security Best Practices	KMS.1	KMS.1
AWS Foundational Security Best Practices	KMS.2	KMS.2
AWS Foundational Security Best Practices	KMS.3	KMS.3
AWS Foundational Security Best Practices	Lambda.1	Lambda.1
AWS Foundational Security Best Practices	Lambda.2	Lambda.2
AWS Foundational Security Best Practices	Lambda.5	Lambda.5
AWS Foundational Security Best Practices	NetworkFirewall.3	NetworkFirewall.3
AWS Foundational Security Best Practices	NetworkFirewall.4	NetworkFirewall.4
AWS Foundational Security Best Practices	NetworkFirewall.5	NetworkFirewall.5
AWS Foundational Security Best Practices	NetworkFirewall.6	NetworkFirewall.6
AWS Foundational Security Best Practices	Opensearch.1	Opensearch.1
AWS Foundational Security Best Practices	Opensearch.2	Opensearch.2
AWS Foundational Security Best Practices	Opensearch.3	Opensearch.3
AWS Foundational Security Best Practices	Opensearch.4	Opensearch.4
AWS Foundational Security Best Practices	Opensearch.5	Opensearch.5
AWS Foundational Security Best Practices	Opensearch.6	Opensearch.6
AWS Foundational Security Best Practices	Opensearch.7	Opensearch.7
AWS Foundational Security Best Practices	Opensearch.8	Opensearch.8
AWS Foundational Security Best Practices	RDS.1	RDS.1
AWS Foundational Security Best Practices	RDS.2	RDS.2
AWS Foundational Security Best Practices	RDS.3	RDS.3
AWS Foundational Security Best Practices	RDS.4	RDS.4
AWS Foundational Security Best Practices	RDS.5	RDS.5
AWS Foundational Security Best Practices	RDS.6	RDS.6
AWS Foundational Security Best Practices	RDS.7	RDS.7
AWS Foundational Security Best Practices	RDS.8	RDS.8
AWS Foundational Security Best Practices	RDS.9	RDS.9
AWS Foundational Security Best Practices	RDS.10	RDS.10
AWS Foundational Security Best Practices	RDS.11	RDS.11
AWS Foundational Security Best Practices	RDS.12	RDS.12
AWS Foundational Security Best Practices	RDS.13	RDS.13
AWS Foundational Security Best Practices	RDS.14	RDS.14
AWS Foundational Security Best Practices	RDS.15	RDS.15
AWS Foundational Security Best Practices	RDS.16	RDS.16
AWS Foundational Security Best Practices	RDS.17	RDS.17
AWS Foundational Security Best Practices	RDS.18	RDS.18
AWS Foundational Security Best Practices	RDS.19	RDS.19
AWS Foundational Security Best Practices	RDS.20	RDS.20
AWS Foundational Security Best Practices	RDS.21	RDS.21
AWS Foundational Security Best Practices	RDS.22	RDS.22
AWS Foundational Security Best Practices	RDS.23	RDS.23
AWS Foundational Security Best Practices	RDS.24	RDS.24
AWS Foundational Security Best Practices	RDS.25	RDS.25
AWS Foundational Security Best Practices	Redshift.1	Redshift.1
AWS Foundational Security Best Practices	Redshift.2	Redshift.2
AWS Foundational Security Best Practices	Redshift.3	Redshift.3
AWS Foundational Security Best Practices	Redshift.4	Redshift.4
AWS Foundational Security Best Practices	Redshift.6	Redshift.6
AWS Foundational Security Best Practices	Redshift.7	Redshift.7
AWS Foundational Security Best Practices	Redshift.8	Redshift.8
AWS Foundational Security Best Practices	Redshift.9	Redshift.9
AWS Foundational Security Best Practices	Redshift.10	Redshift.10
AWS Foundational Security Best Practices	S3.1	S3.1
AWS Foundational Security Best Practices	S3.2	S3.2
AWS Foundational Security Best Practices	S3.3	S3.3
AWS Foundational Security Best Practices	S3.4	S3.4
AWS Foundational Security Best Practices	S3.5	S3.5
AWS Foundational Security Best Practices	S3.6	S3.6
AWS Foundational Security Best Practices	S3.8	S3.8
AWS Foundational Security Best Practices	S3.9	S3.9
AWS Foundational Security Best Practices	S3.10	S3.10
AWS Foundational Security Best Practices	S3.11	S3.11
AWS Foundational Security Best Practices	S3.12	S3.12
AWS Foundational Security Best Practices	S3.13	S3.13
AWS Foundational Security Best Practices	SageMaker.1	SageMaker.1
AWS Foundational Security Best Practices	SageMaker.2	SageMaker.2
AWS Foundational Security Best Practices	SageMaker.3	SageMaker.3
AWS Foundational Security Best Practices	SecretsManager.1	SecretsManager.1
AWS Foundational Security Best Practices	SecretsManager.2	SecretsManager.2
AWS Foundational Security Best Practices	SecretsManager.3	SecretsManager.3
AWS Foundational Security Best Practices	SecretsManager.4	SecretsManager.4
AWS Foundational Security Best Practices	SNS.1	SNS.1
AWS Foundational Security Best Practices	SNS.2	SNS.2
AWS Foundational Security Best Practices	SQS.1	SQS.1
AWS Foundational Security Best Practices	SSM.1	SSM.1
AWS Foundational Security Best Practices	SSM.2	SSM.2
AWS Foundational Security Best Practices	SSM.3	SSM.3
AWS Foundational Security Best Practices	SSM.4	SSM.4
AWS Foundational Security Best Practices	StepFunctions.1	StepFunctions.1
AWS Foundational Security Best Practices	WAF.1	WAF.1
AWS Foundational Security Best Practices	WAF.2	WAF.2
AWS Foundational Security Best Practices	WAF.3	WAF.3
AWS Foundational Security Best Practices	WAF.4	WAF.4
AWS Foundational Security Best Practices	WAF.6	WAF.6
AWS Foundational Security Best Practices	WAF.7	WAF.7
AWS Foundational Security Best Practices	WAF.8	WAF.8
AWS Foundational Security Best Practices	WAF.10	WAF.10

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

AWS Config

AWS API calls