AWS Config resources required to generate control findings - AWS Security Hub

AWS Config resources required to generate control findings

AWS Security Hub generates control findings by performing security checks against controls. Some controls use AWS Config rules and have associated AWS Config resources. For Security Hub to accurately report findings for controls that have a change triggered schedule type, you must enable recording for the following resources in AWS Config. The following section provides a list of required resources across standards and a list of required resources divided by standard.

You don't need to record resources for controls that have a periodic schedule type.

If a finding is generated by a security check that is based on an AWS Config rule, the finding details include a Rules link to open the associated AWS Config rule. To navigate to the AWS Config rule, you must also have an IAM; permission in the selected account to navigate to AWS Config.

Note

In AWS Regions where a control isn't available, the corresponding resource isn't available in AWS Config. For a list of Regional limits on controls, see Availability of controls by Region.

AWS Config resources required for all controls

For Security Hub to accurately report findings for enabled Security Hub change triggered controls that use a AWS Config rule, you must record these resources in AWS Config.

Service Required resources

AWS Certificate Manager (ACM)

AWS::ACM::Certificate

Amazon API Gateway

AWS::ApiGateway::Stage

AWS::ApiGatewayV2::Stage

AWS Auto Scaling

AWS::AutoScaling::AutoScalingGroup

AWS::AutoScaling::LaunchConfiguration

AWS CloudFormation

AWS::CloudFormation::Stack

Amazon CloudFront

AWS::CloudFront::Distribution

Amazon CloudWatch

AWS::CloudWatch::Alarm

AWS CodeBuild

AWS::CodeBuild::Project

Amazon DynamoDB

AWS::DynamoDB::Table

Amazon Elastic Compute Cloud (EC2)

AWS::EC2::EIP

AWS::EC2::Instance

AWS::EC2::LaunchTemplate

AWS::EC2::NetworkAcl

AWS::EC2::NetworkInterface

AWS::EC2::SecurityGroup

AWS::EC2::Subnet

AWS::EC2::TransitGateway

AWS::EC2::VPNConnection

AWS::EC2::Volume

Amazon Elastic Container Registry (Amazon ECR)

AWS::ECR::Repository

Amazon Elastic Container Service (Amazon ECS)

AWS::ECS::Cluster

AWS::ECS::Service

AWS::ECS::TaskDefinition

Amazon EFS

AWS::EFS::AccessPoint

Amazon EKS

AWS::EKS::Cluster

ElasticBeanstalk

AWS::ElasticBeanstalk::Environment

Elastic Load Balancing

AWS::ElasticLoadBalancing::LoadBalancer

AWS::ElasticLoadBalancingV2::LoadBalancer

ElasticSearch

AWS::Elasticsearch::Domain

AWS Identity and Access Management (IAM)

AWS::IAM::Group

AWS::IAM::Policy

AWS::IAM::Role

AWS::IAM::User

AWS Key Management Service (AWS KMS)

AWS::KMS::Key

Amazon Kinesis

AWS::Kinesis::Stream

AWS Lambda

AWS::Lambda::Function

AWS Network Firewall

AWS::NetworkFirewall::FirewallPolicy

AWS::NetworkFirewall::RuleGroup

Amazon OpenSearch Service

AWS::OpenSearch::Domain

Amazon Relational Database Service (Amazon RDS)

AWS::RDS::DBCluster

AWS::RDS::DBClusterSnapshot

AWS::RDS::DBInstance

AWS::RDS::DBSnapshot

AWS::RDS::EventSubscription

Amazon Redshift

AWS::Redshift::Cluster

Amazon Simple Storage Service (Amazon S3)

AWS::S3::Account

AWS::S3::Bucket

Amazon Simple Notification Service (Amazon SNS)

AWS::SNS::Topic

Amazon Simple Queue Service (Amazon SQS)

AWS::SQS::Queue

Amazon EC2 Systems Manager (SSM)

AWS::SSM::AssociationCompliance

AWS::SSM::PatchCompliance

Amazon SageMaker

AWS::SageMaker::NotebookInstance

AWS Secrets Manager

AWS::SecretsManager::Secret

AWS WAF

AWS::WAF::Rule

AWS::WAF::RuleGroup

AWS::WAF::WebACL

AWS::WAFRegional::Rule

AWS::WAFRegional::RuleGroup

AWS::WAFRegional::WebACL

AWS Config resources required for FSBP

For Security Hub to accurately report findings for enabled AWS Foundational Security Best Practices (FSBP) change triggered controls that use a AWS Config rule, you must record these resources in AWS Config. For more information about this standard, see AWS Foundational Security Best Practices (FSBP) standard.

Service Required resources

AWS Certificate Manager (ACM)

AWS::ACM::Certificate

Amazon API Gateway

AWS::ApiGateway::Stage

AWS::ApiGatewayV2::Stage

AWS Auto Scaling

AWS::AutoScaling::AutoScalingGroup

AWS::AutoScaling::LaunchConfiguration

AWS CloudFormation

AWS::CloudFormation::Stack

Amazon CloudFront

AWS::CloudFront::Distribution

AWS CodeBuild

AWS::CodeBuild::Project

Amazon DynamoDB

AWS::DynamoDB::Table

Amazon Elastic Compute Cloud (EC2)

AWS::EC2::Instance

AWS::EC2::LaunchTemplate

AWS::EC2::NetworkAcl

AWS::EC2::NetworkInterface

AWS::EC2::SecurityGroup

AWS::EC2::Subnet

AWS::EC2::TransitGateway

AWS::EC2::VPNConnection

AWS::EC2::Volume

Amazon Elastic Container Registry (Amazon ECR)

AWS::ECR::Repository

Amazon Elastic Container Service (Amazon ECS)

AWS::ECS::Cluster

AWS::ECS::Service

AWS::ECS::TaskDefinition

Amazon EFS

AWS::EFS::AccessPoint

Amazon EKS

AWS::EKS::Cluster

ElasticBeanstalk

AWS::ElasticBeanstalk::Environment

Elastic Load Balancing

AWS::ElasticLoadBalancing::LoadBalancer

AWS::ElasticLoadBalancingV2::LoadBalancer

ElasticSearch

AWS::Elasticsearch::Domain

AWS Identity and Access Management (IAM)

AWS::IAM::Group

AWS::IAM::Policy

AWS::IAM::Role

AWS::IAM::User

AWS Key Management Service (AWS KMS)

AWS::KMS::Key

Amazon Kinesis

AWS::Kinesis::Stream

AWS Lambda

AWS::Lambda::Function

AWS Network Firewall

AWS::NetworkFirewall::FirewallPolicy

AWS::NetworkFirewall::RuleGroup

Amazon OpenSearch Service

AWS::OpenSearch::Domain

Amazon Relational Database Service (Amazon RDS)

AWS::RDS::DBCluster

AWS::RDS::DBClusterSnapshot

AWS::RDS::DBInstance

AWS::RDS::DBSnapshot

AWS::RDS::EventSubscription

Amazon Redshift

AWS::Redshift::Cluster

Amazon Simple Storage Service (Amazon S3)

AWS::S3::Account

AWS::S3::Bucket

Amazon Simple Notification Service (Amazon SNS)

AWS::SNS::Topic

Amazon Simple Queue Service (Amazon SQS)

AWS::SQS::Queue

Amazon EC2 Systems Manager (SSM)

AWS::SSM::AssociationCompliance

AWS::SSM::PatchCompliance

Amazon SageMaker

AWS::SageMaker::NotebookInstance

AWS Secrets Manager

AWS::SecretsManager::Secret

AWS WAF

AWS::WAF::Rule

AWS::WAF::RuleGroup

AWS::WAF::WebACL

AWS::WAFRegional::Rule

AWS::WAFRegional::RuleGroup

AWS::WAFRegional::WebACL

AWS Config resources required for CIS AWS Foundations Benchmark

To run security checks for enabled controls that apply to the Center for Internet Security (CIS) AWS Foundations Benchmark v1.2.0 and v1.4.0, Security Hub either runs through the exact audit steps prescribed for the checks in Securing Amazon Web Services or uses specific AWS Config managed rules.

For more information about this standard, see Center for Internet Security (CIS) AWS Foundations Benchmark v1.2.0 and v1.4.0.

Required AWS Config resources for CIS v1.4.0

For Security Hub to accurately report findings for enabled CIS v1.4.0 change triggered controls that use a AWS Config rule, you must record these resources in AWS Config.

Service Required resources

Amazon Elastic Compute Cloud (EC2)

AWS::EC2::NetworkAcl

AWS::EC2::SecurityGroup

AWS Identity and Access Management (IAM)

AWS::IAM::Group

AWS::IAM::Policy

AWS::IAM::Role

AWS::IAM::User

Amazon Relational Database Service (Amazon RDS)

AWS::RDS::DBInstance

Amazon Simple Storage Service (Amazon S3)

AWS::S3::Account

AWS::S3::Bucket

Required AWS Config resources for CIS v1.2.0

For Security Hub to accurately report findings for enabled CIS v1.2.0 change triggered controls that use a AWS Config rule, you must record these resources in AWS Config.

Service Required resources

Amazon Elastic Compute Cloud (EC2)

AWS::EC2::SecurityGroup

AWS Identity and Access Management (IAM)

AWS::IAM::Group

AWS::IAM::Policy

AWS::IAM::Role

AWS::IAM::User

AWS Config resources required for NIST SP 800-53 Rev. 5

For Security Hub to accurately report findings for enabled National Institute of Standards and Technology (NIST) SP 800-53 Rev. 5 change triggered controls that use a AWS Config rule, you must record these resources in AWS Config. You only have to record resources for controls that have a schedule type of change triggered. For more information about this standard, see National Institute of Standards and Technology (NIST) SP 800-53 Rev. 5.

Service Required resources

AWS Certificate Manager (ACM)

AWS::ACM::Certificate

Amazon API Gateway

AWS::ApiGateway::Stage

AWS::ApiGatewayV2::Stage

AWS Auto Scaling

AWS::AutoScaling::AutoScalingGroup

AWS::AutoScaling::LaunchConfiguration

AWS CloudFormation

AWS::CloudFormation::Stack

Amazon CloudFront

AWS::CloudFront::Distribution

Amazon CloudWatch

AWS::CloudWatch::Alarm

AWS CodeBuild

AWS::CodeBuild::Project

Amazon DynamoDB

AWS::DynamoDB::Table

Amazon Elastic Compute Cloud (EC2)

AWS::EC2::EIP

AWS::EC2::Instance

AWS::EC2::LaunchTemplate

AWS::EC2::NetworkAcl

AWS::EC2::NetworkInterface

AWS::EC2::SecurityGroup

AWS::EC2::Subnet

AWS::EC2::TransitGateway

AWS::EC2::VPNConnection

AWS::EC2::Volume

Amazon Elastic Container Registry (Amazon ECR)

AWS::ECR::Repository

Amazon Elastic Container Service (Amazon ECS)

AWS::ECS::Cluster

AWS::ECS::Service

AWS::ECS::TaskDefinition

Amazon EFS

AWS::EFS::AccessPoint

Amazon EKS

AWS::EKS::Cluster

ElasticBeanstalk

AWS::ElasticBeanstalk::Environment

Elastic Load Balancing

AWS::ElasticLoadBalancing::LoadBalancer

AWS::ElasticLoadBalancingV2::LoadBalancer

ElasticSearch

AWS::Elasticsearch::Domain

AWS Identity and Access Management (IAM)

AWS::IAM::Group

AWS::IAM::Policy

AWS::IAM::Role

AWS::IAM::User

AWS Key Management Service (AWS KMS)

AWS::KMS::Key

Amazon Kinesis

AWS::Kinesis::Stream

AWS Lambda

AWS::Lambda::Function

AWS Network Firewall

AWS::NetworkFirewall::FirewallPolicy

AWS::NetworkFirewall::RuleGroup

Amazon OpenSearch Service

AWS::OpenSearch::Domain

Amazon Relational Database Service (Amazon RDS)

AWS::RDS::DBCluster

AWS::RDS::DBClusterSnapshot

AWS::RDS::DBInstance

AWS::RDS::DBSnapshot

AWS::RDS::EventSubscription

Amazon Redshift

AWS::Redshift::Cluster

Amazon Simple Storage Service (Amazon S3)

AWS::S3::Account

AWS::S3::Bucket

Amazon Simple Notification Service (Amazon SNS)

AWS::SNS::Topic

Amazon Simple Queue Service (Amazon SQS)

AWS::SQS::Queue

Amazon EC2 Systems Manager (SSM)

AWS::SSM::AssociationCompliance

AWS::SSM::PatchCompliance

Amazon SageMaker

AWS::SageMaker::NotebookInstance

AWS Secrets Manager

AWS::SecretsManager::Secret

AWS WAF

AWS::WAF::Rule

AWS::WAF::RuleGroup

AWS::WAF::WebACL

AWS::WAFRegional::Rule

AWS::WAFRegional::RuleGroup

AWS::WAFRegional::WebACL

AWS Config resources required for PCI DSS

For Security Hub to accurately report findings for enabled Payment Card Industry Data Security Standard (PCI DSS) controls that use a AWS Config rule, you must record these resources in AWS Config. For more information about this standard, see Payment Card Industry Data Security Standard (PCI DSS).

Service Required resources

AWS Auto Scaling

AWS::AutoScaling::AutoScalingGroup

AWS CodeBuild

AWS::CodeBuild::Project

Amazon Elastic Compute Cloud (EC2)

AWS::EC2::EIP

AWS::EC2::Instance

AWS::EC2::SecurityGroup

AWS Identity and Access Management (IAM)

AWS::IAM::Policy

AWS::IAM::User

AWS Lambda

AWS::Lambda::Function

Amazon OpenSearch Service

AWS::OpenSearch::Domain

Amazon Relational Database Service (Amazon RDS)

AWS::RDS::DBClusterSnapshot

AWS::RDS::DBInstance

AWS::RDS::DBSnapshot

Amazon Redshift

AWS::Redshift::Cluster

Amazon Simple Storage Service (Amazon S3)

AWS::S3::Account

AWS::S3::Bucket

Amazon EC2 Systems Manager (SSM)

AWS::SSM::AssociationCompliance

AWS::SSM::PatchCompliance

AWS Config resources required for Service-Managed Standard: AWS Control Tower

For Security Hub to accurately report findings for enabled Service-Managed Standard: AWS Control Tower change triggered controls that use a AWS Config rule, you must record the following resources in AWS Config. For more information about this standard, see Service-Managed Standard: AWS Control Tower.

Service Required resources

AWS Certificate Manager (ACM)

AWS::ACM::Certificate

Amazon API Gateway

AWS::ApiGateway::Stage

AWS::ApiGatewayV2::Stage

AWS Auto Scaling

AWS::AutoScaling::AutoScalingGroup

AWS::AutoScaling::LaunchConfiguration

AWS CodeBuild

AWS::CodeBuild::Project

Amazon DynamoDB

AWS::DynamoDB::Table

Amazon Elastic Compute Cloud (EC2)

AWS::EC2::Instance

AWS::EC2::NetworkAcl

AWS::EC2::NetworkInterface

AWS::EC2::SecurityGroup

AWS::EC2::Subnet

AWS::EC2::VPNConnection

AWS::EC2::Volume

Amazon Elastic Container Registry (Amazon ECR)

AWS::ECR::Repository

Amazon Elastic Container Service (Amazon ECS)

AWS::ECS::Cluster

AWS::ECS::Service

AWS::ECS::TaskDefinition

Amazon EFS

AWS::EFS::AccessPoint

Amazon EKS

AWS::EKS::Cluster

ElasticBeanstalk

AWS::ElasticBeanstalk::Environment

Elastic Load Balancing

AWS::ElasticLoadBalancing::LoadBalancer

AWS::ElasticLoadBalancingV2::LoadBalancer

ElasticSearch

AWS::Elasticsearch::Domain

AWS Identity and Access Management (IAM)

AWS::IAM::Group

AWS::IAM::Policy

AWS::IAM::Role

AWS::IAM::User

AWS Key Management Service (AWS KMS)

AWS::KMS::Key

Amazon Kinesis

AWS::Kinesis::Stream

AWS Lambda

AWS::Lambda::Function

AWS Network Firewall

AWS::NetworkFirewall::FirewallPolicy

AWS::NetworkFirewall::RuleGroup

Amazon OpenSearch Service

AWS::OpenSearch::Domain

Amazon Relational Database Service (Amazon RDS)

AWS::RDS::DBClusterSnapshot

AWS::RDS::DBInstance

AWS::RDS::DBSnapshot

AWS::RDS::EventSubscription

Amazon Redshift

AWS::Redshift::Cluster

Amazon Simple Storage Service (Amazon S3)

AWS::S3::Account

AWS::S3::Bucket

Amazon Simple Notification Service (Amazon SNS)

AWS::SNS::Topic

Amazon Simple Queue Service (Amazon SQS)

AWS::SQS::Queue

Amazon EC2 Systems Manager (SSM)

AWS::SSM::AssociationCompliance

AWS::SSM::PatchCompliance

AWS Secrets Manager

AWS::SecretsManager::Secret

AWS WAF

AWS::WAFRegional::Rule

AWS::WAFRegional::RuleGroup

AWS::WAFRegional::WebACL