AWS Config resources required to generate control findings
AWS Security Hub generates control findings by performing security checks against Security Hub controls. Some controls use AWS Config rules that evaluate compliance with specific resources. For Security Hub to generate findings for controls that have a change triggered schedule type, you must turn on recording for required resources in AWS Config. You don't need to record resources for most controls that have a periodic schedule type. However, some periodic controls require resource recording to detect changes in compliance.
This page provides a list of required resources across standards and a list of required resources divided by standard. The first table also lists which Security Hub controls use each resource.
If a finding is generated by a security check that is based on an AWS Config rule, the finding details include a Rules link to the associated AWS Config rule. To navigate to the AWS Config rule, your account must have IAM permissions to view AWS Config rules.
Note
In AWS Regions where a control isn't available, the corresponding resource isn't available in AWS Config. For a list of Regional limits on Security Hub controls, see Availability of controls by Region.
AWS Config resources required for all controls
For Security Hub to generate findings for enabled Security Hub change triggered controls that use a AWS Config rule, you must record these resources in AWS Config. This table also indicates which controls require a particular resource. A control may require more than one resource.
| Service | Required resource | Related controls |
|---|---|---|
| Amazon API Gateway | AWS::ApiGateway::Stage |
APIGateway.1 APIGateway.2 APIGateway.3 APIGateway.4 APIGateway.5 |
AWS::ApiGatewayV2::Stage |
APIGateway.1 APIGateway.9 |
|
| AWS AppSync | AWS::AppSync::GraphQLApi
|
AppSync.2 AppSync.5 |
| AWS Backup (AWS Backup) | AWS::Backup::RecoveryPoint
|
Backup.1 |
| AWS Certificate Manager (ACM) | AWS::ACM::Certificate
|
ACM.1 ACM.2 |
| Amazon CloudFront | AWS::CloudFront::Distribution
|
CloudFront.1 CloudFront.3 CloudFront.4 CloudFront.5 CloudFront.6 CloudFront.7 CloudFront.8 CloudFront.9 CloudFront.10 CloudFront.13 |
| Amazon CloudWatch | AWS::CloudWatch::Alarm
|
CloudWatch.15 CloudWatch.17 |
| AWS CodeBuild | AWS::CodeBuild::Project
|
CodeBuild.1 CodeBuild.2 CodeBuild.3 CodeBuild.4 |
| AWS Database Migration Service (AWS DMS) | AWS::DMS::Endpoint |
DMS.9 |
AWS::DMS::ReplicationInstance
|
DMS.6 |
|
AWS::DMS::ReplicationTask |
DMS.7 DMS.8 |
|
| Amazon DynamoDB | AWS::DynamoDB::Table
|
DynamoDB.2 DynamoDB.6 |
| Amazon Elastic Compute Cloud (EC2) | AWS::EC2::ClientVpnEndpoint |
EC2.51 |
AWS::EC2::EIP |
EC2.12 |
|
AWS::EC2::Instance |
EC2.4 EC2.8 EC2.9 EC2.17 EC2.24 EMR.1 SSM.1 |
|
AWS::EC2::LaunchTemplate |
EC2.25 |
|
AWS::EC2::NetworkAcl |
EC2.16 EC2.21 |
|
AWS::EC2::NetworkInterface |
EC2.22 |
|
AWS::EC2::SecurityGroup |
EC2.2 EC2.13 EC2.14 EC2.18 EC2.19 |
|
AWS::EC2::Subnet |
EC2.15 ElastiCache.7 Lambda.5 |
|
AWS::EC2::TransitGateway |
EC2.23 |
|
AWS::EC2::VPNConnection |
EC2.20 |
|
AWS::EC2::Volume |
EC2.3 |
|
| Amazon EC2 Auto Scaling | AWS::AutoScaling::AutoScalingGroup |
AutoScaling.1 AutoScaling.2 AutoScaling.6 AutoScaling.9 |
AWS::AutoScaling::LaunchConfiguration |
AutoScaling.3 Autoscaling.5 |
|
| Amazon EC2 Systems Manager (SSM) | AWS::SSM::AssociationCompliance |
SSM.3 |
AWS::SSM::ManagedInstanceInventory |
SSM.1 |
|
AWS::SSM::PatchCompliance |
SSM.2 |
|
| Amazon Elastic Container Registry (Amazon ECR) | AWS::ECR::Repository |
ECR.2 ECR.3 |
| Amazon Elastic Container Service (Amazon ECS) | AWS::ECS::Cluster |
ECS.12 |
AWS::ECS::Service |
ECS.2 ECS.10 |
|
AWS::ECS::TaskDefinition |
ECS.1 ECS.3 ECS.4 ECS.5 ECS.8 ECS.9 |
|
| Amazon Elastic File System (Amazon EFS) | AWS::EFS::AccessPoint
|
EFS.3 EFS.4 |
| Amazon Elastic Kubernetes Service (Amazon EKS) | AWS::EKS::Cluster |
EKS.2 |
| AWS Elastic Beanstalk | AWS::ElasticBeanstalk::Environment
|
ElasticBeanstalk.1 ElasticBeanstalk.2 ElasticBeanstalk.3 |
| Elastic Load Balancing | AWS::ElasticLoadBalancing::LoadBalancer |
ELB.2 ELB.3 ELB.5 ELB.7 ELB.8 ELB.9 ELB.10 ELB.14 |
AWS::ElasticLoadBalancingV2::LoadBalancer |
ELB.4 ELB.5 ELB.6 ELB.12 ELB.13 ELB.16 |
|
| ElasticSearch | AWS::Elasticsearch::Domain |
ES.3 ES.4 ES.5 ES.6 ES.7 ES.8 |
| Amazon EventBridge | AWS::Events::EventBus |
EventBridge.3 |
AWS::Events::Endpoint |
EventBridge.4 |
|
Amazon FSx |
AWS::FSx::FileSystem |
FSx.1 |
| AWS Identity and Access Management (IAM) | AWS::IAM::Group |
IAM.18 KMS.2 |
AWS::IAM::Policy |
IAM.1 IAM.21 KMS.1 |
|
AWS::IAM::Role |
IAM.18 KMS.2 |
|
AWS::IAM::User |
IAM.2 IAM.18 KMS.2 |
|
| AWS Key Management Service (AWS KMS) | AWS::KMS::Key |
KMS.3 |
| Amazon Kinesis | AWS::Kinesis::Stream |
Kinesis.1 |
| AWS Lambda | AWS::Lambda::Function |
Lambda.1 Lambda.2 Lambda.3 Lambda.5 |
| Amazon MSK | AWS::MSK::Cluster |
MSK.1 MSK.2 |
| Amazon MQ | AWS::AmazonMQ::Broker |
MQ.5 MQ.6 |
| AWS Network Firewall | AWS::NetworkFirewall::Firewall |
NetworkFirewall.1 NetworkFirewall.9 |
AWS::NetworkFirewall::FirewallPolicy |
NetworkFirewall.3 NetworkFirewall.4 NetworkFirewall.5 |
|
AWS::NetworkFirewall::RuleGroup |
NetworkFirewall.6 |
|
| Amazon OpenSearch Service | AWS::OpenSearch::Domain |
Opensearch.1 Opensearch.2 Opensearch.3 Opensearch.4 Opensearch.5 Opensearch.6 Opensearch.7 Opensearch.8 OpenSearch.10 |
| Amazon Relational Database Service (Amazon RDS) | AWS::RDS::DBCluster |
DocumentDB.1 DocumentDB.2 DocumentDB.4 DocumentDB.5 Neptune.1 Neptune.2 Neptune.4 Neptune.5 Neptune.7 Neptune.8 Neptune.9 RDS.7 RDS.12 RDS.14 RDS.15 RDS.16 RDS.24 RDS.27 RDS.34 RDS.35 |
AWS::RDS::DBClusterSnapshot |
DocumentDB.3 Neptune.3 Neptune.6 RDS.1 RDS.4 |
|
AWS::RDS::DBInstance |
RDS.2 RDS.3 RDS.5 RDS.6 RDS.8 RDS.9 RDS.10 RDS.11 RDS.13 RDS.17 RDS.18 RDS.23 RDS.25 |
|
AWS::RDS::DBSnapshot |
DocumentDB.3 RDS.1 RDS.4 |
|
AWS::RDS::EventSubscription |
RDS.19 RDS.20 RDS.21 RDS.22 |
|
| Amazon Redshift | AWS::Redshift::Cluster |
Redshift.1 Redshift.2 Redshift.3 Redshift.4 Redshift.6 Redshift.7 Redshift.8 Redshift.9 Redshift.10 |
| Amazon Route 53 | AWS::Route53::HostedZone |
Route53.2 |
| Amazon Simple Storage Service (Amazon S3) | AWS::S3::AccessPoint |
S3.19 |
AWS::S3::Bucket |
S3.2 S3.3 S3.5 S3.6 S3.7 S3.8 S3.9 S3.10 S3.11 S3.12 S3.13 S3.14 S3.15 S3.17 S3.20 |
|
| Amazon Simple Notification Service (Amazon SNS) | AWS::SNS::Topic
|
SNS.1 |
| Amazon Simple Queue Service (Amazon SQS) | AWS::SQS::Queue
|
SQS.1 |
| Amazon SageMaker | AWS::SageMaker::NotebookInstance
|
SageMaker.2 SageMaker.3 |
| AWS Secrets Manager | AWS::SecretsManager::Secret
|
SecretsManager.1 SecretsManager.2 |
| AWS Step Functions | AWS::StepFunctions::StateMachine
|
StepFunctions.1 |
| AWS WAF | AWS::WAF::Rule |
WAF.6 |
AWS::WAF::RuleGroup |
WAF.7 |
|
AWS::WAF::WebACL |
WAF.8 |
|
AWS::WAFRegional::Rule |
WAF.2 |
|
AWS::WAFRegional::RuleGroup |
WAF.3 |
|
AWS::WAFRegional::WebACL |
WAF.4 |
|
AWS::WAFv2::RuleGroup |
WAF.12 |
|
AWS::WAFv2::WebACL |
WAF.10 |
AWS Config resources required for FSBP standard
For Security Hub to accurately report findings for enabled AWS Foundational Security Best Practices (FSBP) change triggered controls that use a AWS Config rule, you must record these resources in AWS Config. For more information about this standard, see AWS Foundational Security Best Practices (FSBP) standard.
| Service | Required resources |
|---|---|
|
Amazon API Gateway |
|
|
AWS AppSync |
|
|
AWS Backup |
|
|
AWS Certificate Manager (ACM) |
|
|
Amazon CloudFront |
|
|
AWS CodeBuild |
|
|
AWS Database Migration Service (AWS DMS) |
|
|
Amazon DynamoDB |
|
| Amazon EC2 Systems Manager (SSM) |
|
|
Amazon Elastic Compute Cloud (EC2) |
|
|
Amazon EC2 Auto Scaling |
|
|
Amazon Elastic Container Registry (Amazon ECR) |
|
|
Amazon Elastic Container Service (Amazon ECS) |
|
|
Amazon Elastic File System (Amazon EFS) |
|
|
Amazon EKS |
|
|
ElasticBeanstalk |
|
|
Elastic Load Balancing |
|
|
ElasticSearch |
|
|
Amazon FSx |
|
|
AWS Identity and Access Management (IAM) |
|
|
AWS Key Management Service (AWS KMS) |
|
|
Amazon Kinesis |
|
|
AWS Lambda |
|
|
Amazon MSK |
|
|
AWS Network Firewall |
|
|
Amazon OpenSearch Service |
|
|
Amazon Relational Database Service (Amazon RDS) |
|
|
Amazon Redshift |
|
|
Amazon Route 53 |
|
|
Amazon Simple Storage Service (Amazon S3) |
|
|
Amazon Simple Queue Service (Amazon SQS) |
|
|
Amazon SageMaker |
|
|
AWS Secrets Manager |
|
|
AWS Step Functions |
|
|
AWS WAF |
|
AWS Config resources required for CIS AWS Foundations Benchmark
To run security checks for enabled controls that apply to the Center for Internet
Security (CIS) AWS Foundations Benchmark v1.2.0 and v1.4.0, Security Hub either runs through
the exact audit steps prescribed for the checks in Securing
Amazon Web Services
For more information about this standard, see Center for Internet Security (CIS) AWS Foundations Benchmark v1.2.0 and v1.4.0.
Required AWS Config resources for CIS v1.4.0
For Security Hub to accurately report findings for enabled CIS v1.4.0 change triggered controls that use a AWS Config rule, you must record these resources in AWS Config.
| Service | Required resources |
|---|---|
|
Amazon Elastic Compute Cloud (EC2) |
|
|
AWS Identity and Access Management (IAM) |
|
|
Amazon Relational Database Service (Amazon RDS) |
|
|
Amazon Simple Storage Service (Amazon S3) |
|
Required AWS Config resources for CIS v1.2.0
For Security Hub to accurately report findings for enabled CIS v1.2.0 change triggered controls that use a AWS Config rule, you must record these resources in AWS Config.
| Service | Required resources |
|---|---|
|
Amazon Elastic Compute Cloud (EC2) |
|
|
AWS Identity and Access Management (IAM) |
|
AWS Config resources required for NIST SP 800-53 Rev. 5
For Security Hub to accurately report findings for enabled National Institute of Standards and Technology (NIST) SP 800-53 Rev. 5 change triggered controls that use a AWS Config rule, you must record these resources in AWS Config. You only have to record resources for controls that have a schedule type of change triggered. For more information about this standard, see National Institute of Standards and Technology (NIST) SP 800-53 Rev. 5.
| Service | Required resources |
|---|---|
|
Amazon API Gateway |
|
|
AWS AppSync |
|
|
AWS Backup |
|
|
AWS Certificate Manager (ACM) |
|
|
Amazon CloudFront |
|
|
Amazon CloudWatch |
|
|
AWS CodeBuild |
|
|
AWS Database Migration Service (AWS DMS) |
|
|
Amazon DynamoDB |
|
|
Amazon Elastic Compute Cloud (EC2) |
|
|
Amazon EC2 Auto Scaling |
|
|
Amazon Elastic Container Registry (Amazon ECR) |
|
|
Amazon Elastic Container Service (Amazon ECS) |
|
|
Amazon Elastic File System (Amazon EFS) |
|
|
Amazon EKS |
|
|
ElasticBeanstalk |
|
|
Elastic Load Balancing |
|
|
ElasticSearch |
|
|
Amazon EventBridge |
|
|
Amazon FSx |
|
|
AWS Identity and Access Management (IAM) |
|
|
AWS Key Management Service (AWS KMS) |
|
|
Amazon Kinesis |
|
|
AWS Lambda |
|
|
Amazon MSK |
|
|
Amazon MQ |
|
|
AWS Network Firewall |
|
|
Amazon OpenSearch Service |
|
|
Amazon Relational Database Service (Amazon RDS) |
|
|
Amazon Redshift |
|
|
Amazon Route 53 |
|
|
Amazon Simple Storage Service (Amazon S3) |
|
|
Amazon Simple Notification Service (Amazon SNS) |
|
|
Amazon Simple Queue Service (Amazon SQS) |
|
| Amazon EC2 Systems Manager (SSM) |
|
|
Amazon SageMaker |
|
|
AWS Secrets Manager |
|
|
AWS WAF |
|
AWS Config resources required for PCI DSS
For Security Hub to accurately report findings for enabled Payment Card Industry Data Security Standard (PCI DSS) controls that use a AWS Config rule, you must record these resources in AWS Config. For more information about this standard, see Payment Card Industry Data Security Standard (PCI DSS).
| Service | Required resources |
|---|---|
|
AWS CodeBuild |
|
|
Amazon Elastic Compute Cloud (EC2) |
|
|
Amazon EC2 Auto Scaling |
|
|
AWS Identity and Access Management (IAM) |
|
|
AWS Lambda |
|
|
Amazon OpenSearch Service |
|
|
Amazon Relational Database Service (Amazon RDS) |
|
|
Amazon Redshift |
|
|
Amazon Simple Storage Service (Amazon S3) |
|
| Amazon EC2 Systems Manager (SSM) |
|
AWS Config resources required for Service-Managed Standard: AWS Control Tower
For Security Hub to accurately report findings for enabled Service-Managed Standard: AWS Control Tower change triggered controls that use a AWS Config rule, you must record the following resources in AWS Config. For more information about this standard, see Service-Managed Standard: AWS Control Tower.
| Service | Required resources |
|---|---|
|
Amazon API Gateway |
|
|
AWS Certificate Manager (ACM) |
|
|
AWS CodeBuild |
|
|
Amazon DynamoDB |
|
|
Amazon Elastic Compute Cloud (EC2) |
|
|
Amazon EC2 Auto Scaling |
|
|
Amazon Elastic Container Registry (Amazon ECR) |
|
|
Amazon Elastic Container Service (Amazon ECS) |
|
|
Amazon Elastic File System (Amazon EFS) |
|
|
Amazon EKS |
|
|
ElasticBeanstalk |
|
|
Elastic Load Balancing |
|
|
ElasticSearch |
|
|
AWS Identity and Access Management (IAM) |
|
|
AWS Key Management Service (AWS KMS) |
|
|
Amazon Kinesis |
|
|
AWS Lambda |
|
|
AWS Network Firewall |
|
|
Amazon OpenSearch Service |
|
|
Amazon Relational Database Service (Amazon RDS) |
|
|
Amazon Redshift |
|
|
Amazon Simple Storage Service (Amazon S3) |
|
|
Amazon Simple Queue Service (Amazon SQS) |
|
| Amazon EC2 Systems Manager (SSM) |
|
|
AWS Secrets Manager |
|
|
AWS WAF |
|
