AWS Config resources required for CIS controls - AWS Security Hub

AWS Config resources required for CIS controls

To run the security checks for the controls you have enabled against the resources in your environment, Security Hub either performs the audit steps prescribed for each check in the CIS AWS Foundations Benchmark (Securing Amazon Web Services) or evaluates specific AWS Config managed rules. Checks of the second kind depend on AWS Config having recorded the resource types they inspect.

If AWS Config is not recording all supported resource types, Security Hub generates a finding for control 2.5 – Ensure AWS Config is enabled. For the remaining CIS controls to report accurate findings, AWS Config must record at least the following resource types.

  • AWS CloudTrail trail

  • Amazon EC2 security group

  • Amazon EC2 VPC

  • IAM policy

  • IAM user

  • AWS KMS key

  • S3 bucket
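A quick way to verify the recorder coverage the list above requires is to check the output of `aws configservice describe-configuration-recorders` against the AWS Config resource type identifiers of those seven resources. The following Python is an added example and not code from the Security Hub documentation or the AWS Config service; the JSON recorder descriptions are constructed samples in the shape the CLI returns. The one caveat the function encodes is that `allSupported` alone is not enough for the IAM items: IAM user and IAM policy are global resource types, so they are only recorded when `includeGlobalResourceTypes` is also true (or when they are named explicitly in `resourceTypes`).

```python
import json

# AWS Config resource type identifiers for the resources listed above.
REQUIRED_RESOURCE_TYPES = frozenset({
    "AWS::CloudTrail::Trail",
    "AWS::EC2::SecurityGroup",
    "AWS::EC2::VPC",
    "AWS::IAM::Policy",
    "AWS::IAM::User",
    "AWS::KMS::Key",
    "AWS::S3::Bucket",
})

# Global resource types among the required ones. With allSupported=true these
# are recorded only if includeGlobalResourceTypes is true as well.
GLOBAL_RESOURCE_TYPES = frozenset({"AWS::IAM::Policy", "AWS::IAM::User"})


def missing_resource_types(describe_output, required=REQUIRED_RESOURCE_TYPES):
    """Return the required resource types that no configuration recorder records.

    `describe_output` is the parsed JSON from
    `aws configservice describe-configuration-recorders`.
    """
    recorders = describe_output.get("ConfigurationRecorders", [])
    if not recorders:
        # No recorder at all: nothing is recorded in this Region.
        return set(required)

    recorded = set()
    for recorder in recorders:
        group = recorder.get("recordingGroup", {})
        explicit = set(group.get("resourceTypes", []))
        if group.get("allSupported"):
            # All supported types are recorded, but global types need the extra flag.
            recorded |= set(required)
            if not group.get("includeGlobalResourceTypes"):
                recorded -= (GLOBAL_RESOURCE_TYPES & required) - explicit
        elif group.get("recordingStrategy", {}).get("useOnly") == "EXCLUSION_BY_RESOURCE_TYPES":
            # Exclusion mode: everything supported except the listed types.
            excluded = set(group.get("exclusionByResourceTypes", {}).get("resourceTypes", []))
            recorded |= set(required) - excluded
        else:
            # Inclusion mode: only the explicitly listed types.
            recorded |= explicit
    return set(required) - recorded


# Constructed sample: a recorder that lists only three resource types.
SAMPLE_PARTIAL = json.loads("""{
  "ConfigurationRecorders": [{
    "name": "default",
    "roleARN": "arn:aws:iam::123456789012:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig",
    "recordingGroup": {
      "allSupported": false,
      "includeGlobalResourceTypes": false,
      "resourceTypes": ["AWS::EC2::SecurityGroup", "AWS::EC2::VPC", "AWS::S3::Bucket"]
    }
  }]
}""")

# Constructed sample: all supported types, but global types left out.
SAMPLE_ALL_NO_GLOBAL = {
    "ConfigurationRecorders": [{
        "name": "default",
        "recordingGroup": {"allSupported": True, "includeGlobalResourceTypes": False},
    }]
}

# Constructed sample: all supported types including global ones.
SAMPLE_ALL = {
    "ConfigurationRecorders": [{
        "name": "default",
        "recordingGroup": {"allSupported": True, "includeGlobalResourceTypes": True},
    }]
}


if __name__ == "__main__":
    for label, sample in [("partial", SAMPLE_PARTIAL),
                          ("all-no-global", SAMPLE_ALL_NO_GLOBAL),
                          ("all", SAMPLE_ALL)]:
        print(label, sorted(missing_resource_types(sample)) or "OK")
```

Run it against real output by piping `aws configservice describe-configuration-recorders --region <region>` into `json.load`; an empty result means every resource type the CIS checks need is being recorded in that Region. Note that a recorder can exist without running, so pair this with `aws configservice describe-configuration-recorder-status` and confirm `recording` is true.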

If a finding is generated by a security check that is based on an AWS Config rule, the finding details include a Rules link that opens the associated AWS Config rule. Following that link requires IAM permissions in the selected account to view AWS Config; without them, the finding is still visible in Security Hub, but the linked rule and its evaluation results are not.