AWS Config resources required to generate control findings
AWS Security Hub generates control findings by performing security checks against controls. Some controls use AWS Config rules and have associated AWS Config resources. For Security Hub to accurately report findings for controls that have a change triggered schedule type, you must enable recording for the following resources in AWS Config. The following section provides a list of required resources across standards and a list of required resources divided by standard.
You don't need to record resources for controls that have a periodic schedule type.
If a finding is generated by a security check that is based on an AWS Config rule, the finding details include a Rules link to open the associated AWS Config rule. To navigate to the AWS Config rule, you must also have an IAM permission in the selected account to navigate to AWS Config.
In AWS Regions where a control isn't available, the corresponding resource isn't available in AWS Config. For a list of Regional limits on controls, see Availability of controls by Region.
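Before enabling a standard, it is worth confirming that the account's configuration recorder actually records the resource types the change-triggered controls depend on. The following is an added example, not code from the AWS documentation: it inspects the `recordingGroup` structure that `aws configservice describe-configuration-recorders` returns and reports the required types the recorder will never record. The `REQUIRED` list is an illustrative subset (the real list is the per-standard tables on this page), and the sample recorder configuration is constructed.

```python
# Added example (not from the AWS docs): check a Config recorder's recordingGroup,
# as returned by `aws configservice describe-configuration-recorders`, against the
# resource types your change-triggered Security Hub controls need.
import json

# Illustrative subset only; the real list is the per-standard tables on this page.
REQUIRED = ["AWS::S3::Bucket", "AWS::IAM::User",
            "AWS::EC2::SecurityGroup", "AWS::RDS::DBInstance"]
GLOBAL_PREFIX = "AWS::IAM::"  # IAM types are global resources


def strategy_of(group):
    """Effective strategy; inferred for older recorders without recordingStrategy."""
    explicit = group.get("recordingStrategy", {}).get("useOnly")
    if explicit:
        return explicit
    if group.get("allSupported"):
        return "ALL_SUPPORTED_RESOURCE_TYPES"
    if group.get("exclusionByResourceTypes", {}).get("resourceTypes"):
        return "EXCLUSION_BY_RESOURCE_TYPES"
    return "INCLUSION_BY_RESOURCE_TYPES"


def unrecorded_types(group, required=REQUIRED):
    """Return the required resource types this recordingGroup will not record."""
    strategy = strategy_of(group)
    missing = []
    for rtype in required:
        if strategy == "ALL_SUPPORTED_RESOURCE_TYPES":
            # Global types are only covered when includeGlobalResourceTypes is set.
            recorded = (not rtype.startswith(GLOBAL_PREFIX)
                        or group.get("includeGlobalResourceTypes", False))
        elif strategy == "EXCLUSION_BY_RESOURCE_TYPES":
            recorded = rtype not in group.get("exclusionByResourceTypes", {}).get("resourceTypes", [])
        else:  # INCLUSION_BY_RESOURCE_TYPES: only the listed types are recorded
            recorded = rtype in group.get("resourceTypes", [])
        if not recorded:
            missing.append(rtype)
    return missing


# Constructed sample: records all supported types but not global ones, so the
# IAM-based controls would silently produce no change-triggered findings.
SAMPLE_GROUP = json.loads('{"allSupported": true, "includeGlobalResourceTypes": false,'
                          ' "resourceTypes": [],'
                          ' "recordingStrategy": {"useOnly": "ALL_SUPPORTED_RESOURCE_TYPES"}}')

if __name__ == "__main__":
    print("Not recorded:", unrecorded_types(SAMPLE_GROUP) or "none")
```

An empty result means every listed type is recorded; anything returned is a control whose findings will be missing or stale, not a control that passed.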
AWS Config resources required for all controls
For Security Hub to accurately report findings for enabled Security Hub change triggered controls that use an AWS Config rule, you must record these resources in AWS Config.
Service | Required resources |
---|---|
AWS Certificate Manager (ACM) | |
Amazon API Gateway | |
AWS Auto Scaling | |
AWS CloudFormation | |
Amazon CloudFront | |
Amazon CloudWatch | |
AWS CodeBuild | |
Amazon DynamoDB | |
Amazon Elastic Compute Cloud (EC2) | |
Amazon Elastic Container Registry (Amazon ECR) | |
Amazon Elastic Container Service (Amazon ECS) | |
Amazon EFS | |
Amazon EKS | |
ElasticBeanstalk | |
Elastic Load Balancing | |
ElasticSearch | |
AWS Identity and Access Management (IAM) | |
AWS Key Management Service (AWS KMS) | |
Amazon Kinesis | |
AWS Lambda | |
AWS Network Firewall | |
Amazon OpenSearch Service | |
Amazon Relational Database Service (Amazon RDS) | |
Amazon Redshift | |
Amazon Simple Storage Service (Amazon S3) | |
Amazon Simple Notification Service (Amazon SNS) | |
Amazon Simple Queue Service (Amazon SQS) | |
Amazon EC2 Systems Manager (SSM) | |
Amazon SageMaker | |
AWS Secrets Manager | |
AWS WAF | |
AWS Config resources required for FSBP
For Security Hub to accurately report findings for enabled AWS Foundational Security Best Practices (FSBP) change triggered controls that use an AWS Config rule, you must record these resources in AWS Config. For more information about this standard, see AWS Foundational Security Best Practices (FSBP) standard.
Service | Required resources |
---|---|
AWS Certificate Manager (ACM) | |
Amazon API Gateway | |
AWS Auto Scaling | |
AWS CloudFormation | |
Amazon CloudFront | |
AWS CodeBuild | |
Amazon DynamoDB | |
Amazon Elastic Compute Cloud (EC2) | |
Amazon Elastic Container Registry (Amazon ECR) | |
Amazon Elastic Container Service (Amazon ECS) | |
Amazon EFS | |
Amazon EKS | |
ElasticBeanstalk | |
Elastic Load Balancing | |
ElasticSearch | |
AWS Identity and Access Management (IAM) | |
AWS Key Management Service (AWS KMS) | |
Amazon Kinesis | |
AWS Lambda | |
AWS Network Firewall | |
Amazon OpenSearch Service | |
Amazon Relational Database Service (Amazon RDS) | |
Amazon Redshift | |
Amazon Simple Storage Service (Amazon S3) | |
Amazon Simple Notification Service (Amazon SNS) | |
Amazon Simple Queue Service (Amazon SQS) | |
Amazon EC2 Systems Manager (SSM) | |
Amazon SageMaker | |
AWS Secrets Manager | |
AWS WAF | |
AWS Config resources required for CIS AWS Foundations Benchmark
To run security checks for enabled controls that apply to the Center for Internet Security (CIS) AWS Foundations Benchmark v1.2.0 and v1.4.0, Security Hub either runs through the exact audit steps prescribed for the checks in Securing Amazon Web Services
For more information about this standard, see Center for Internet Security (CIS) AWS Foundations Benchmark v1.2.0 and v1.4.0.
Required AWS Config resources for CIS v1.4.0
For Security Hub to accurately report findings for enabled CIS v1.4.0 change triggered controls that use an AWS Config rule, you must record these resources in AWS Config.
Service | Required resources |
---|---|
Amazon Elastic Compute Cloud (EC2) | |
AWS Identity and Access Management (IAM) | |
Amazon Relational Database Service (Amazon RDS) | |
Amazon Simple Storage Service (Amazon S3) | |
Required AWS Config resources for CIS v1.2.0
For Security Hub to accurately report findings for enabled CIS v1.2.0 change triggered controls that use an AWS Config rule, you must record these resources in AWS Config.
Service | Required resources |
---|---|
Amazon Elastic Compute Cloud (EC2) | |
AWS Identity and Access Management (IAM) | |
AWS Config resources required for NIST SP 800-53 Rev. 5
For Security Hub to accurately report findings for enabled National Institute of Standards and Technology (NIST) SP 800-53 Rev. 5 change triggered controls that use an AWS Config rule, you must record these resources in AWS Config. You only have to record resources for controls that have a schedule type of change triggered. For more information about this standard, see National Institute of Standards and Technology (NIST) SP 800-53 Rev. 5.
Service | Required resources |
---|---|
AWS Certificate Manager (ACM) | |
Amazon API Gateway | |
AWS Auto Scaling | |
AWS CloudFormation | |
Amazon CloudFront | |
Amazon CloudWatch | |
AWS CodeBuild | |
Amazon DynamoDB | |
Amazon Elastic Compute Cloud (EC2) | |
Amazon Elastic Container Registry (Amazon ECR) | |
Amazon Elastic Container Service (Amazon ECS) | |
Amazon EFS | |
Amazon EKS | |
ElasticBeanstalk | |
Elastic Load Balancing | |
ElasticSearch | |
AWS Identity and Access Management (IAM) | |
AWS Key Management Service (AWS KMS) | |
Amazon Kinesis | |
AWS Lambda | |
AWS Network Firewall | |
Amazon OpenSearch Service | |
Amazon Relational Database Service (Amazon RDS) | |
Amazon Redshift | |
Amazon Simple Storage Service (Amazon S3) | |
Amazon Simple Notification Service (Amazon SNS) | |
Amazon Simple Queue Service (Amazon SQS) | |
Amazon EC2 Systems Manager (SSM) | |
Amazon SageMaker | |
AWS Secrets Manager | |
AWS WAF | |
AWS Config resources required for PCI DSS
For Security Hub to accurately report findings for enabled Payment Card Industry Data Security Standard (PCI DSS) controls that use an AWS Config rule, you must record these resources in AWS Config. For more information about this standard, see Payment Card Industry Data Security Standard (PCI DSS).
Service | Required resources |
---|---|
AWS Auto Scaling | |
AWS CodeBuild | |
Amazon Elastic Compute Cloud (EC2) | |
AWS Identity and Access Management (IAM) | |
AWS Lambda | |
Amazon OpenSearch Service | |
Amazon Relational Database Service (Amazon RDS) | |
Amazon Redshift | |
Amazon Simple Storage Service (Amazon S3) | |
Amazon EC2 Systems Manager (SSM) | |
AWS Config resources required for Service-Managed Standard: AWS Control Tower
For Security Hub to accurately report findings for enabled Service-Managed Standard: AWS Control Tower change triggered controls that use an AWS Config rule, you must record the following resources in AWS Config. For more information about this standard, see Service-Managed Standard: AWS Control Tower.
Service | Required resources |
---|---|
AWS Certificate Manager (ACM) | |
Amazon API Gateway | |
AWS Auto Scaling | |
AWS CodeBuild | |
Amazon DynamoDB | |
Amazon Elastic Compute Cloud (EC2) | |
Amazon Elastic Container Registry (Amazon ECR) | |
Amazon Elastic Container Service (Amazon ECS) | |
Amazon EFS | |
Amazon EKS | |
ElasticBeanstalk | |
Elastic Load Balancing | |
ElasticSearch | |
AWS Identity and Access Management (IAM) | |
AWS Key Management Service (AWS KMS) | |
Amazon Kinesis | |
AWS Lambda | |
AWS Network Firewall | |
Amazon OpenSearch Service | |
Amazon Relational Database Service (Amazon RDS) | |
Amazon Redshift | |
Amazon Simple Storage Service (Amazon S3) | |
Amazon Simple Notification Service (Amazon SNS) | |
Amazon Simple Queue Service (Amazon SQS) | |
Amazon EC2 Systems Manager (SSM) | |
AWS Secrets Manager | |
AWS WAF | |