AWS Config resources required for all controls AWS Config resources required for FSBP AWS Config resources required for CIS AWS Foundations Benchmark AWS Config resources required for NIST SP 800-53 Rev. 5 AWS Config resources required for PCI DSS AWS Config resources required for Service-Managed Standard: AWS Control Tower

AWS Config resources required to generate control findings

AWS Security Hub generates control findings by performing security checks against controls. Some controls use AWS Config rules and have associated AWS Config resources. For Security Hub to accurately report findings for controls that have a change triggered schedule type, you must enable recording for the following resources in AWS Config. The following section provides a list of required resources across standards and a list of required resources divided by standard.

You don't need to record resources for controls that have a periodic schedule type.

If a finding is generated by a security check that is based on an AWS Config rule, the finding details include a Rules link to open the associated AWS Config rule. To navigate to the AWS Config rule, you must also have an IAM; permission in the selected account to navigate to AWS Config.

Note

In AWS Regions where a control isn't available, the corresponding resource isn't available in AWS Config. For a list of Regional limits on controls, see Availability of controls by Region.

AWS Config resources required for all controls

For Security Hub to accurately report findings for enabled Security Hub change triggered controls that use a AWS Config rule, you must record these resources in AWS Config.

Service	Required resources
AWS Certificate Manager (ACM)	`AWS::ACM::Certificate`
Amazon API Gateway	`AWS::ApiGateway::Stage` `AWS::ApiGatewayV2::Stage`
AWS Auto Scaling	`AWS::AutoScaling::AutoScalingGroup` `AWS::AutoScaling::LaunchConfiguration`
AWS CloudFormation	`AWS::CloudFormation::Stack`
Amazon CloudFront	`AWS::CloudFront::Distribution`
Amazon CloudWatch	`AWS::CloudWatch::Alarm`
AWS CodeBuild	`AWS::CodeBuild::Project`
Amazon DynamoDB	`AWS::DynamoDB::Table`
Amazon Elastic Compute Cloud (EC2)	`AWS::EC2::EIP` `AWS::EC2::Instance` `AWS::EC2::LaunchTemplate` `AWS::EC2::NetworkAcl` `AWS::EC2::NetworkInterface` `AWS::EC2::SecurityGroup` `AWS::EC2::Subnet` `AWS::EC2::TransitGateway` `AWS::EC2::VPNConnection` `AWS::EC2::Volume`
Amazon Elastic Container Registry (Amazon ECR)	`AWS::ECR::Repository`
Amazon Elastic Container Service (Amazon ECS)	`AWS::ECS::Cluster` `AWS::ECS::Service` `AWS::ECS::TaskDefinition`
Amazon EFS	`AWS::EFS::AccessPoint`
Amazon EKS	`AWS::EKS::Cluster`
ElasticBeanstalk	`AWS::ElasticBeanstalk::Environment`
Elastic Load Balancing	`AWS::ElasticLoadBalancing::LoadBalancer` `AWS::ElasticLoadBalancingV2::LoadBalancer`
ElasticSearch	`AWS::Elasticsearch::Domain`
AWS Identity and Access Management (IAM)	`AWS::IAM::Group` `AWS::IAM::Policy` `AWS::IAM::Role` `AWS::IAM::User`
AWS Key Management Service (AWS KMS)	`AWS::KMS::Key`
Amazon Kinesis	`AWS::Kinesis::Stream`
AWS Lambda	`AWS::Lambda::Function`
AWS Network Firewall	`AWS::NetworkFirewall::FirewallPolicy` `AWS::NetworkFirewall::RuleGroup`
Amazon OpenSearch Service	`AWS::OpenSearch::Domain`
Amazon Relational Database Service (Amazon RDS)	`AWS::RDS::DBCluster` `AWS::RDS::DBClusterSnapshot` `AWS::RDS::DBInstance` `AWS::RDS::DBSnapshot` `AWS::RDS::EventSubscription`
Amazon Redshift	`AWS::Redshift::Cluster`
Amazon Simple Storage Service (Amazon S3)	`AWS::S3::Account` `AWS::S3::Bucket`
Amazon Simple Notification Service (Amazon SNS)	`AWS::SNS::Topic`
Amazon Simple Queue Service (Amazon SQS)	`AWS::SQS::Queue`
Amazon EC2 Systems Manager (SSM)	`AWS::SSM::AssociationCompliance` `AWS::SSM::PatchCompliance`
Amazon SageMaker	`AWS::SageMaker::NotebookInstance`
AWS Secrets Manager	`AWS::SecretsManager::Secret`
AWS WAF	`AWS::WAF::Rule` `AWS::WAF::RuleGroup` `AWS::WAF::WebACL` `AWS::WAFRegional::Rule` `AWS::WAFRegional::RuleGroup` `AWS::WAFRegional::WebACL`

AWS Config resources required for FSBP

For Security Hub to accurately report findings for enabled AWS Foundational Security Best Practices (FSBP) change triggered controls that use a AWS Config rule, you must record these resources in AWS Config. For more information about this standard, see AWS Foundational Security Best Practices (FSBP) standard.

Service	Required resources
AWS Certificate Manager (ACM)	`AWS::ACM::Certificate`
Amazon API Gateway	`AWS::ApiGateway::Stage` `AWS::ApiGatewayV2::Stage`
AWS Auto Scaling	`AWS::AutoScaling::AutoScalingGroup` `AWS::AutoScaling::LaunchConfiguration`
AWS CloudFormation	`AWS::CloudFormation::Stack`
Amazon CloudFront	`AWS::CloudFront::Distribution`
AWS CodeBuild	`AWS::CodeBuild::Project`
Amazon DynamoDB	`AWS::DynamoDB::Table`
Amazon Elastic Compute Cloud (EC2)	`AWS::EC2::Instance` `AWS::EC2::LaunchTemplate` `AWS::EC2::NetworkAcl` `AWS::EC2::NetworkInterface` `AWS::EC2::SecurityGroup` `AWS::EC2::Subnet` `AWS::EC2::TransitGateway` `AWS::EC2::VPNConnection` `AWS::EC2::Volume`
Amazon Elastic Container Registry (Amazon ECR)	`AWS::ECR::Repository`
Amazon Elastic Container Service (Amazon ECS)	`AWS::ECS::Cluster` `AWS::ECS::Service` `AWS::ECS::TaskDefinition`
Amazon EFS	`AWS::EFS::AccessPoint`
Amazon EKS	`AWS::EKS::Cluster`
ElasticBeanstalk	`AWS::ElasticBeanstalk::Environment`
Elastic Load Balancing	`AWS::ElasticLoadBalancing::LoadBalancer` `AWS::ElasticLoadBalancingV2::LoadBalancer`
ElasticSearch	`AWS::Elasticsearch::Domain`
AWS Identity and Access Management (IAM)	`AWS::IAM::Group` `AWS::IAM::Policy` `AWS::IAM::Role` `AWS::IAM::User`
AWS Key Management Service (AWS KMS)	`AWS::KMS::Key`
Amazon Kinesis	`AWS::Kinesis::Stream`
AWS Lambda	`AWS::Lambda::Function`
AWS Network Firewall	`AWS::NetworkFirewall::FirewallPolicy` `AWS::NetworkFirewall::RuleGroup`
Amazon OpenSearch Service	`AWS::OpenSearch::Domain`
Amazon Relational Database Service (Amazon RDS)	`AWS::RDS::DBCluster` `AWS::RDS::DBClusterSnapshot` `AWS::RDS::DBInstance` `AWS::RDS::DBSnapshot` `AWS::RDS::EventSubscription`
Amazon Redshift	`AWS::Redshift::Cluster`
Amazon Simple Storage Service (Amazon S3)	`AWS::S3::Account` `AWS::S3::Bucket`
Amazon Simple Notification Service (Amazon SNS)	`AWS::SNS::Topic`
Amazon Simple Queue Service (Amazon SQS)	`AWS::SQS::Queue`
Amazon EC2 Systems Manager (SSM)	`AWS::SSM::AssociationCompliance` `AWS::SSM::PatchCompliance`
Amazon SageMaker	`AWS::SageMaker::NotebookInstance`
AWS Secrets Manager	`AWS::SecretsManager::Secret`
AWS WAF	`AWS::WAF::Rule` `AWS::WAF::RuleGroup` `AWS::WAF::WebACL` `AWS::WAFRegional::Rule` `AWS::WAFRegional::RuleGroup` `AWS::WAFRegional::WebACL`

AWS Config resources required for CIS AWS Foundations Benchmark

To run security checks for enabled controls that apply to the Center for Internet Security (CIS) AWS Foundations Benchmark v1.2.0 and v1.4.0, Security Hub either runs through the exact audit steps prescribed for the checks in Securing Amazon Web Services or uses specific AWS Config managed rules.

For more information about this standard, see Center for Internet Security (CIS) AWS Foundations Benchmark v1.2.0 and v1.4.0.

Required AWS Config resources for CIS v1.4.0

For Security Hub to accurately report findings for enabled CIS v1.4.0 change triggered controls that use a AWS Config rule, you must record these resources in AWS Config.

Service	Required resources
Amazon Elastic Compute Cloud (EC2)	`AWS::EC2::NetworkAcl` `AWS::EC2::SecurityGroup`
AWS Identity and Access Management (IAM)	`AWS::IAM::Group` `AWS::IAM::Policy` `AWS::IAM::Role` `AWS::IAM::User`
Amazon Relational Database Service (Amazon RDS)	`AWS::RDS::DBInstance`
Amazon Simple Storage Service (Amazon S3)	`AWS::S3::Account` `AWS::S3::Bucket`

Required AWS Config resources for CIS v1.2.0

For Security Hub to accurately report findings for enabled CIS v1.2.0 change triggered controls that use a AWS Config rule, you must record these resources in AWS Config.

Service Required resources

Service	Required resources
Amazon Elastic Compute Cloud (EC2)	`AWS::EC2::SecurityGroup`
AWS Identity and Access Management (IAM)	`AWS::IAM::Group` `AWS::IAM::Policy` `AWS::IAM::Role` `AWS::IAM::User`

Amazon Elastic Compute Cloud (EC2)

AWS::EC2::SecurityGroup

AWS Identity and Access Management (IAM)

AWS::IAM::Group

AWS::IAM::Policy

AWS::IAM::Role

AWS::IAM::User

AWS Config resources required for NIST SP 800-53 Rev. 5

For Security Hub to accurately report findings for enabled National Institute of Standards and Technology (NIST) SP 800-53 Rev. 5 change triggered controls that use a AWS Config rule, you must record these resources in AWS Config. You only have to record resources for controls that have a schedule type of change triggered. For more information about this standard, see National Institute of Standards and Technology (NIST) SP 800-53 Rev. 5.

Service	Required resources
AWS Certificate Manager (ACM)	`AWS::ACM::Certificate`
Amazon API Gateway	`AWS::ApiGateway::Stage` `AWS::ApiGatewayV2::Stage`
AWS Auto Scaling	`AWS::AutoScaling::AutoScalingGroup` `AWS::AutoScaling::LaunchConfiguration`
AWS CloudFormation	`AWS::CloudFormation::Stack`
Amazon CloudFront	`AWS::CloudFront::Distribution`
Amazon CloudWatch	`AWS::CloudWatch::Alarm`
AWS CodeBuild	`AWS::CodeBuild::Project`
Amazon DynamoDB	`AWS::DynamoDB::Table`
Amazon Elastic Compute Cloud (EC2)	`AWS::EC2::EIP` `AWS::EC2::Instance` `AWS::EC2::LaunchTemplate` `AWS::EC2::NetworkAcl` `AWS::EC2::NetworkInterface` `AWS::EC2::SecurityGroup` `AWS::EC2::Subnet` `AWS::EC2::TransitGateway` `AWS::EC2::VPNConnection` `AWS::EC2::Volume`
Amazon Elastic Container Registry (Amazon ECR)	`AWS::ECR::Repository`
Amazon Elastic Container Service (Amazon ECS)	`AWS::ECS::Cluster` `AWS::ECS::Service` `AWS::ECS::TaskDefinition`
Amazon EFS	`AWS::EFS::AccessPoint`
Amazon EKS	`AWS::EKS::Cluster`
ElasticBeanstalk	`AWS::ElasticBeanstalk::Environment`
Elastic Load Balancing	`AWS::ElasticLoadBalancing::LoadBalancer` `AWS::ElasticLoadBalancingV2::LoadBalancer`
ElasticSearch	`AWS::Elasticsearch::Domain`
AWS Identity and Access Management (IAM)	`AWS::IAM::Group` `AWS::IAM::Policy` `AWS::IAM::Role` `AWS::IAM::User`
AWS Key Management Service (AWS KMS)	`AWS::KMS::Key`
Amazon Kinesis	`AWS::Kinesis::Stream`
AWS Lambda	`AWS::Lambda::Function`
AWS Network Firewall	`AWS::NetworkFirewall::FirewallPolicy` `AWS::NetworkFirewall::RuleGroup`
Amazon OpenSearch Service	`AWS::OpenSearch::Domain`
Amazon Relational Database Service (Amazon RDS)	`AWS::RDS::DBCluster` `AWS::RDS::DBClusterSnapshot` `AWS::RDS::DBInstance` `AWS::RDS::DBSnapshot` `AWS::RDS::EventSubscription`
Amazon Redshift	`AWS::Redshift::Cluster`
Amazon Simple Storage Service (Amazon S3)	`AWS::S3::Account` `AWS::S3::Bucket`
Amazon Simple Notification Service (Amazon SNS)	`AWS::SNS::Topic`
Amazon Simple Queue Service (Amazon SQS)	`AWS::SQS::Queue`
Amazon EC2 Systems Manager (SSM)	`AWS::SSM::AssociationCompliance` `AWS::SSM::PatchCompliance`
Amazon SageMaker	`AWS::SageMaker::NotebookInstance`
AWS Secrets Manager	`AWS::SecretsManager::Secret`
AWS WAF	`AWS::WAF::Rule` `AWS::WAF::RuleGroup` `AWS::WAF::WebACL` `AWS::WAFRegional::Rule` `AWS::WAFRegional::RuleGroup` `AWS::WAFRegional::WebACL`

AWS Config resources required for PCI DSS

For Security Hub to accurately report findings for enabled Payment Card Industry Data Security Standard (PCI DSS) controls that use a AWS Config rule, you must record these resources in AWS Config. For more information about this standard, see Payment Card Industry Data Security Standard (PCI DSS).

Service	Required resources
AWS Auto Scaling	`AWS::AutoScaling::AutoScalingGroup`
AWS CodeBuild	`AWS::CodeBuild::Project`
Amazon Elastic Compute Cloud (EC2)	`AWS::EC2::EIP` `AWS::EC2::Instance` `AWS::EC2::SecurityGroup`
AWS Identity and Access Management (IAM)	`AWS::IAM::Policy` `AWS::IAM::User`
AWS Lambda	`AWS::Lambda::Function`
Amazon OpenSearch Service	`AWS::OpenSearch::Domain`
Amazon Relational Database Service (Amazon RDS)	`AWS::RDS::DBClusterSnapshot` `AWS::RDS::DBInstance` `AWS::RDS::DBSnapshot`
Amazon Redshift	`AWS::Redshift::Cluster`
Amazon Simple Storage Service (Amazon S3)	`AWS::S3::Account` `AWS::S3::Bucket`
Amazon EC2 Systems Manager (SSM)	`AWS::SSM::AssociationCompliance` `AWS::SSM::PatchCompliance`

AWS Config resources required for Service-Managed Standard: AWS Control Tower

For Security Hub to accurately report findings for enabled Service-Managed Standard: AWS Control Tower change triggered controls that use a AWS Config rule, you must record the following resources in AWS Config. For more information about this standard, see Service-Managed Standard: AWS Control Tower.

Service	Required resources
AWS Certificate Manager (ACM)	`AWS::ACM::Certificate`
Amazon API Gateway	`AWS::ApiGateway::Stage` `AWS::ApiGatewayV2::Stage`
AWS Auto Scaling	`AWS::AutoScaling::AutoScalingGroup` `AWS::AutoScaling::LaunchConfiguration`
AWS CodeBuild	`AWS::CodeBuild::Project`
Amazon DynamoDB	`AWS::DynamoDB::Table`
Amazon Elastic Compute Cloud (EC2)	`AWS::EC2::Instance` `AWS::EC2::NetworkAcl` `AWS::EC2::NetworkInterface` `AWS::EC2::SecurityGroup` `AWS::EC2::Subnet` `AWS::EC2::VPNConnection` `AWS::EC2::Volume`
Amazon Elastic Container Registry (Amazon ECR)	`AWS::ECR::Repository`
Amazon Elastic Container Service (Amazon ECS)	`AWS::ECS::Cluster` `AWS::ECS::Service` `AWS::ECS::TaskDefinition`
Amazon EFS	`AWS::EFS::AccessPoint`
Amazon EKS	`AWS::EKS::Cluster`
ElasticBeanstalk	`AWS::ElasticBeanstalk::Environment`
Elastic Load Balancing	`AWS::ElasticLoadBalancing::LoadBalancer` `AWS::ElasticLoadBalancingV2::LoadBalancer`
ElasticSearch	`AWS::Elasticsearch::Domain`
AWS Identity and Access Management (IAM)	`AWS::IAM::Group` `AWS::IAM::Policy` `AWS::IAM::Role` `AWS::IAM::User`
AWS Key Management Service (AWS KMS)	`AWS::KMS::Key`
Amazon Kinesis	`AWS::Kinesis::Stream`
AWS Lambda	`AWS::Lambda::Function`
AWS Network Firewall	`AWS::NetworkFirewall::FirewallPolicy` `AWS::NetworkFirewall::RuleGroup`
Amazon OpenSearch Service	`AWS::OpenSearch::Domain`
Amazon Relational Database Service (Amazon RDS)	`AWS::RDS::DBClusterSnapshot` `AWS::RDS::DBInstance` `AWS::RDS::DBSnapshot` `AWS::RDS::EventSubscription`
Amazon Redshift	`AWS::Redshift::Cluster`
Amazon Simple Storage Service (Amazon S3)	`AWS::S3::Account` `AWS::S3::Bucket`
Amazon Simple Notification Service (Amazon SNS)	`AWS::SNS::Topic`
Amazon Simple Queue Service (Amazon SQS)	`AWS::SQS::Queue`
Amazon EC2 Systems Manager (SSM)	`AWS::SSM::AssociationCompliance` `AWS::SSM::PatchCompliance`
AWS Secrets Manager	`AWS::SecretsManager::Secret`
AWS WAF	`AWS::WAFRegional::Rule` `AWS::WAFRegional::RuleGroup` `AWS::WAFRegional::WebACL`

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

How Security Hub uses AWS Config rules to run security checks

Schedule for running security checks