Required AWS Config resources for Security Hub control findings - AWS Security Hub
Required resources for all Security Hub controlsRequired resources for FSBP standardRequired resources for CIS AWS Foundations BenchmarkRequired resources for NIST SP 800-53 Rev. 5Required resources for PCI DSS v3.2.1Required resources for AWS Resource Tagging StandardRequired resources for Service-Managed Standard: AWS Control Tower

Required AWS Config resources for Security Hub control findings

AWS Security Hub generates control findings by performing security checks against controls. Some controls use AWS Config rules that evaluate compliance with specific resources. For Security Hub to generate findings for controls that have a change triggered schedule type, you must turn on recording for required resources in AWS Config. You don't need to record resources for most controls that have a periodic schedule type. However, some periodic controls require resource recording to detect changes in compliance.

This page provides a list of required resources across standards and a list of required resources divided by standard. The first table also lists which Security Hub controls use each resource.

If a finding is generated by a security check that is based on an AWS Config rule, the finding details include a Rules link to the associated AWS Config rule. To navigate to the AWS Config rule, your account must have AWS Identity and Access Management (IAM) permission to view AWS Config rules.

Security Hub controls can rely on managed AWS Config rules or custom Security Hub rules. Make sure there is no AWS Identity and Access Management (IAM) policy or policy managed in Organizations which prevents AWS Config from having permission to record your resources.

Security Hub control checks directly evaluate the configuration of a resource and don’t take Organizations policies into account. For more information about AWS Config recording, see List of AWS Config Managed Rules – Considerations in the AWS Config Developer Guide.

Note

In AWS Regions where a control isn't available, the corresponding resource isn't available in AWS Config. For a list of Regional limits on Security Hub controls, see Availability of controls by Region.

Required resources for all Security Hub controls

For Security Hub to generate findings for enabled Security Hub change triggered controls that use a AWS Config rule, you must record these resources in AWS Config. This table also indicates which controls require a particular resource. A control may require more than one resource.

Service Required resource Related controls
Amazon API Gateway AWS::ApiGateway::Stage

APIGateway.1

APIGateway.2

APIGateway.3

APIGateway.4

APIGateway.5
AWS::ApiGatewayV2::Stage

APIGateway.1

APIGateway.9
AWS AppSync AWS::AppSync::GraphQLApi

AppSync.2

AppSync.4

AppSync.5
AWS::AppSync::ApiCache

AppSync.1

AppSync.6
AWS Backup (AWS Backup) AWS::Backup::BackupPlan

Backup.5
AWS::Backup::BackupVault

Backup.3
AWS::Backup::RecoveryPoint

Backup.1

Backup.2
AWS::Backup::ReportPlan

Backup.4
AWS Certificate Manager (ACM) AWS::ACM::Certificate

ACM.1

ACM.2

ACM.3
Amazon Athena AWS::Athena::DataCatalog Athena.2
AWS::Athena::WorkGroup

Athena.3

Athena.4
AWS CloudFormation AWS::CloudFormation::Stack

CloudFormation.2
Amazon CloudFront AWS::CloudFront::Distribution

CloudFront.1

CloudFront.3

CloudFront.4

CloudFront.5

CloudFront.6

CloudFront.7

CloudFront.8

CloudFront.9

CloudFront.10

CloudFront.13

CloudFront.14
AWS CloudTrail AWS::CloudTrail::Trail CloudTrail.9
Amazon CloudWatch AWS::CloudWatch::Alarm

CloudWatch.15

CloudWatch.17
AWS CodeArtifact AWS::CodeArtifact::Repository CodeArtifact.1
AWS CodeBuild AWS::CodeBuild::Project

CodeBuild.1

CodeBuild.2

CodeBuild.3

CodeBuild.4
AWS::CodeBuild::ReportGroup

CodeBuild.7
AWS DataSync AWS::DataSync::Task DataSync.1
Amazon Detective AWS::Detective::Graph Detective.1
AWS Database Migration Service (AWS DMS) AWS::DMS::Certificate

DMS.2
AWS::DMS::Endpoint

DMS.9

DMS.10

DMS.11

DMS.12
AWS::DMS::EventSubscription DMS.3
AWS::DMS::ReplicationInstance

DMS.4

DMS.6
AWS::DMS::ReplicationSubnetGroup DMS.5
AWS::DMS::ReplicationTask

DMS.7

DMS.8
Amazon DynamoDB AWS::DynamoDB::Table

DynamoDB.1

DynamoDB.2

DynamoDB.5

DynamoDB.6
Amazon Elastic Compute Cloud (EC2) AWS::EC2::ClientVpnEndpoint

EC2.51
AWS::EC2::CustomerGateway EC2.36
AWS::EC2::EIP

EC2.12

EC2.37
AWS::EC2::FlowLog EC2.48
AWS::EC2::Instance

EC2.4

EC2.8

EC2.9

EC2.17

EC2.24

EC2.38

EMR.1

SSM.1
AWS::EC2::InternetGateway

EC2.39
AWS::EC2::LaunchTemplate

EC2.25

EC2.170
AWS::EC2::NatGateway

EC2.40
AWS::EC2::NetworkAcl

EC2.16

EC2.21

EC2.41
AWS::EC2::NetworkInterface

EC2.22

EC2.35
AWS::EC2::RouteTable EC2.42
AWS::EC2::SecurityGroup

EC2.2

EC2.13

EC2.14

EC2.18

EC2.19

EC2.43
AWS::EC2::Subnet

EC2.15

EC2.44

ElastiCache.7
AWS::EC2::TransitGateway

EC2.23

EC2.52
AWS::EC2::TransitGatewayAttachment EC2.33
AWS::EC2::TransitGatewayRouteTable EC2.34
AWS::EC2::Volume

EC2.3

EC2.45
AWS::EC2::VPC

EC2.6

EC2.46
AWS::EC2::VPCEndpointService EC2.47
AWS::EC2::VPCPeeringConnection EC2.49
AWS::EC2::VPNConnection EC2.20

EC2.171
AWS::EC2::VPNGateway EC2.50
Amazon EC2 Auto Scaling AWS::AutoScaling::AutoScalingGroup

AutoScaling.1

AutoScaling.2

AutoScaling.6

AutoScaling.9

AutoScaling.10
AWS::AutoScaling::LaunchConfiguration

AutoScaling.3

Autoscaling.5
Amazon EC2 Systems Manager (SSM) AWS::SSM::AssociationCompliance

SSM.3
AWS::SSM::ManagedInstanceInventory

SSM.1
AWS::SSM::PatchCompliance

SSM.2
Amazon Elastic Container Registry (Amazon ECR) AWS::ECR::PublicRepository ECR.4
AWS::ECR::Repository

ECR.2

ECR.3
Amazon Elastic Container Service (Amazon ECS) AWS::ECS::Cluster

ECS.12

ECS.14
AWS::ECS::Service

ECS.2

ECS.10

ECS.13
AWS::ECS::TaskDefinition

ECS.1

ECS.3

ECS.4

ECS.5

ECS.8

ECS.9

ECS.15
AWS::ECS::TaskSet

ECS.16
Amazon Elastic File System (Amazon EFS) AWS::EFS::AccessPoint

EFS.3

EFS.4

EFS.5
AWS::EFS::FileSystem

EFS.7

EFS.8
Amazon Elastic Kubernetes Service (Amazon EKS) AWS::EKS::Cluster

EKS.2

EKS.6

EKS.8
AWS::EKS::IdentityProviderConfig EKS.7
AWS Elastic Beanstalk AWS::ElasticBeanstalk::Environment

ElasticBeanstalk.1

ElasticBeanstalk.2

ElasticBeanstalk.3
Elastic Load Balancing AWS::ElasticLoadBalancing::LoadBalancer

ELB.2

ELB.3

ELB.5

ELB.7

ELB.8

ELB.9

ELB.10

ELB.14
AWS::ElasticLoadBalancingV2::LoadBalancer

ELB.1

ELB.4

ELB.5

ELB.6

ELB.12

ELB.13

ELB.16
ElasticSearch AWS::Elasticsearch::Domain

ES.3

ES.4

ES.5

ES.6

ES.7

ES.8

ES.9
Amazon EventBridge AWS::Events::EventBus

EventBridge.2

EventBridge.3
AWS::Events::Endpoint

EventBridge.4
AWS Global Accelerator AWS::GlobalAccelerator::Accelerator

GlobalAccelerator.1
AWS Glue AWS::Glue::Job

Glue.1

Glue.2
AWS::Glue::MLTransform

Glue.3
Amazon GuardDuty AWS::GuardDuty::Detector

GuardDuty.4
AWS::GuardDuty::Filter

GuardDuty.2
AWS::GuardDuty::IPSet

GuardDuty.3
AWS Identity and Access Management (IAM) AWS::IAM::Group

IAM.27

KMS.2
AWS::IAM::Policy

IAM.1

IAM.21

KMS.1
AWS::IAM::Role

IAM.24

IAM.27

KMS.2
AWS::IAM::User

IAM.2

IAM.3

IAM.5

IAM.8

IAM.19

IAM.22

IAM.25

IAM.27

KMS.2
AWS Identity and Access Management Access Analyzer AWS::AccessAnalyzer::Analyzer

IAM.23
AWS IoT AWS::IoT::Authorizer

IoT.4
AWS::IoT::Dimension

IoT.3
AWS::IoT::MitigationAction

IoT.2
AWS::IoT::Policy

IoT.6
AWS::IoT::RoleAlias

IoT.5
AWS::IoT::SecurityProfile

IoT.1
Amazon Kinesis AWS::Kinesis::Stream

Kinesis.1

Kinesis.2

Kinesis.3
AWS Key Management Service (AWS KMS) AWS::KMS::Alias

S3.17
AWS::KMS::Key

KMS.3

KMS.5

S3.17
AWS Lambda AWS::Lambda::Function

Lambda.1

Lambda.2

Lambda.3

Lambda.5

Lambda.6
Amazon MSK AWS::MSK::Cluster

MSK.1

MSK.2
AWS::KafkaConnect::Connector

MSK.3
Amazon MQ AWS::AmazonMQ::Broker

MQ.2

MQ.3

MQ.4

MQ.5

MQ.6
AWS Network Firewall AWS::NetworkFirewall::Firewall

NetworkFirewall.1

NetworkFirewall.7

NetworkFirewall.9
AWS::NetworkFirewall::FirewallPolicy

NetworkFirewall.3

NetworkFirewall.4

NetworkFirewall.5

NetworkFirewall.8
AWS::NetworkFirewall::RuleGroup

NetworkFirewall.6
Amazon OpenSearch Service AWS::OpenSearch::Domain

Opensearch.1

Opensearch.2

Opensearch.3

Opensearch.4

Opensearch.5

Opensearch.6

Opensearch.7

Opensearch.8

Opensearch.9

Opensearch.10

Opensearch.11
Amazon Relational Database Service (Amazon RDS) AWS::RDS::DBCluster

DocumentDB.1

DocumentDB.2

DocumentDB.4

DocumentDB.5

Neptune.1

Neptune.2

Neptune.4

Neptune.5

Neptune.7

Neptune.8

Neptune.9

RDS.7

RDS.12

RDS.14

RDS.15

RDS.16

RDS.24

RDS.27

RDS.28

RDS.34

RDS.35

RDS.37
AWS::RDS::DBClusterSnapshot

DocumentDB.3

Neptune.3

Neptune.6

RDS.1

RDS.4

RDS.29
AWS::RDS::DBInstance

RDS.2

RDS.3

RDS.5

RDS.6

RDS.8

RDS.9

RDS.10

RDS.11

RDS.13

RDS.17

RDS.18

RDS.23

RDS.25

RDS.30

RDS.36
AWS::RDS::DBSecurityGroup

RDS.31
AWS::RDS::DBSnapshot

RDS.1

RDS.4

RDS.32
AWS::RDS::DBSubnetGroup

RDS.33
AWS::RDS::EventSubscription

RDS.19

RDS.20

RDS.21

RDS.22
Amazon Redshift AWS::Redshift::Cluster

Redshift.1

Redshift.2

Redshift.3

Redshift.4

Redshift.6

Redshift.7

Redshift.8

Redshift.9

Redshift.10

Redshift.11
AWS::Redshift::ClusterParameterGroup

Redshift.2
AWS::Redshift::ClusterSnapshot

Redshift.13
AWS::Redshift::ClusterSubnetGroup

Redshift.14
AWS::Redshift::EventSubscription

Redshift.12
Amazon Route 53 AWS::Route53::HostedZone

Route53.2
AWS::Route53::HealthCheck

Route53.1
Amazon Simple Storage Service (Amazon S3) AWS::S3::AccessPoint

S3.19
AWS::S3::AccountPublicAccessBlock

S3.2

S3.3
AWS::S3::Bucket

S3.2

S3.3

S3.5

S3.6

S3.7

S3.8

S3.9

S3.10

S3.11

S3.12

S3.13

S3.14

S3.15

S3.17

S3.20
AWS::S3::MultiRegionAccessPoint

S3.24
AWS Secrets Manager AWS::SecretsManager::Secret

SecretsManager.1

SecretsManager.2

SecretsManager.5
AWS Service Catalog AWS::ServiceCatalog::Portfolio

ServiceCatalog.1
Amazon Simple Email Service (Amazon SES) AWS::SES::ConfigurationSet

SES.2
AWS::SES::ContactList

SES.1
Amazon Simple Notification Service (Amazon SNS) AWS::SNS::Topic

SNS.1

SNS.3

SNS.4
Amazon Simple Queue Service (Amazon SQS) AWS::SQS::Queue

SQS.1

SQS.2
Amazon SageMaker AWS::SageMaker::NotebookInstance

SageMaker.2

SageMaker.3
AWS Step Functions AWS::StepFunctions::StateMachine

StepFunctions.1
AWS::StepFunctions::Activity

StepFunctions.2
AWS Transfer Family AWS::Transfer::Workflow

Transfer.1
AWS WAF AWS::WAF::Rule

WAF.6
AWS::WAF::RuleGroup

WAF.7
AWS::WAF::WebACL

WAF.1

WAF.8
AWS::WAFRegional::Rule

WAF.2
AWS::WAFRegional::RuleGroup

WAF.3
AWS::WAFRegional::WebACL

WAF.4
AWS::WAFv2::RuleGroup

WAF.12
AWS::WAFv2::WebACL

WAF.10

WAF.11
Amazon WorkSpaces AWS::WorkSpaces::WorkSpace

WorkSpaces.1

WorkSpaces.2

Required resources for FSBP standard

For Security Hub to accurately report findings for enabled AWS Foundational Security Best Practices v1.0.0 (FSBP) change triggered controls that use a AWS Config rule, you must record these resources in AWS Config. For more information about this standard, see AWS Foundational Security Best Practices v1.0.0 (FSBP) standard.

Service Required resources

Amazon API Gateway

AWS::ApiGateway::Stage

AWS::ApiGatewayV2::Stage

AWS AppSync

AWS::AppSync::ApiCache

AWS::AppSync::GraphQLApi

AWS Backup

AWS::Backup::RecoveryPoint

AWS Certificate Manager (ACM)

AWS::ACM::Certificate

AWS CloudFormation

AWS::CloudFormation::Stack

Amazon CloudFront

AWS::CloudFront::Distribution

AWS CodeBuild

AWS::CodeBuild::Project

AWS::CodeBuild::ReportGroup

AWS DataSync

AWS::DataSync::Task

AWS Database Migration Service (AWS DMS)

AWS::DMS::Endpoint

AWS::DMS::ReplicationInstance

AWS::DMS::ReplicationTask

Amazon DynamoDB

AWS::DynamoDB::Table
Amazon EC2 Systems Manager (SSM)

AWS::SSM::AssociationCompliance

AWS::SSM::ManagedInstanceInventory

AWS::SSM::PatchCompliance

Amazon Elastic Compute Cloud (EC2)

AWS::EC2::ClientVpnEndpoint

AWS::EC2::Instance

AWS::EC2::LaunchTemplate

AWS::EC2::NetworkAcl

AWS::EC2::NetworkInterface

AWS::EC2::SecurityGroup

AWS::EC2::Subnet

AWS::EC2::TransitGateway

AWS::EC2::VPNConnection

AWS::EC2::Volume

Amazon EC2 Auto Scaling

AWS::AutoScaling::AutoScalingGroup

AWS::AutoScaling::LaunchConfiguration

Amazon Elastic Container Registry (Amazon ECR)

AWS::ECR::Repository

Amazon Elastic Container Service (Amazon ECS)

AWS::ECS::Cluster

AWS::ECS::Service

AWS::ECS::TaskDefinition

AWS::ECS::TaskSet

Amazon Elastic File System (Amazon EFS)

AWS::EFS::AccessPoint

AWS::EFS::FileSystem

Amazon EKS

AWS::EKS::Cluster

ElasticBeanstalk

AWS::ElasticBeanstalk::Environment

Elastic Load Balancing

AWS::ElasticLoadBalancing::LoadBalancer

AWS::ElasticLoadBalancingV2::LoadBalancer

ElasticSearch

AWS::Elasticsearch::Domain

AWS Glue

AWS::Glue::Job

AWS::Glue::MLTransform

AWS Identity and Access Management (IAM)

AWS::IAM::Group

AWS::IAM::Policy

AWS::IAM::Role

AWS::IAM::User

Amazon Kinesis

AWS::Kinesis::Stream

AWS Key Management Service (AWS KMS)

AWS::KMS::Key

AWS Lambda

AWS::Lambda::Function

Amazon MSK

AWS::MSK::Cluster

AWS::KafkaConnect::Connector

AWS Network Firewall

AWS::NetworkFirewall::Firewall

AWS::NetworkFirewall::FirewallPolicy

AWS::NetworkFirewall::RuleGroup

Amazon OpenSearch Service

AWS::OpenSearch::Domain

Amazon Relational Database Service (Amazon RDS)

AWS::RDS::DBCluster

AWS::RDS::DBClusterSnapshot

AWS::RDS::DBInstance

AWS::RDS::DBSnapshot

AWS::RDS::EventSubscription

Amazon Redshift

AWS::Redshift::Cluster

Amazon Route 53

AWS::Route53::HostedZone

Amazon Simple Storage Service (Amazon S3)

AWS::S3::AccessPoint

AWS::S3::AccountPublicAccessBlock

AWS::S3::Bucket

AWS::S3::MultiRegionAccessPoint

Amazon Simple Notification Service (Amazon SNS)

AWS::SNS::Topic

Amazon Simple Queue Service (Amazon SQS)

AWS::SQS::Queue

Amazon SageMaker

AWS::SageMaker::NotebookInstance

AWS Secrets Manager

AWS::SecretsManager::Secret

AWS Step Functions

AWS::StepFunctions::StateMachine

AWS WAF

AWS::WAF::Rule

AWS::WAF::RuleGroup

AWS::WAF::WebACL

AWS::WAFRegional::Rule

AWS::WAFRegional::RuleGroup

AWS::WAFRegional::WebACL

AWS::WAFv2::RuleGroup

AWS::WAFv2::WebACL

Amazon WorkSpaces

AWS::WorkSpaces::WorkSpace

Required resources for CIS AWS Foundations Benchmark

To run security checks for enabled controls that apply to the Center for Internet Security (CIS) AWS Foundations Benchmark, Security Hub either runs through the exact audit steps prescribed for the checks in Securing Amazon Web Services or uses specific AWS Config managed rules.

For more information about this standard, see CIS AWS Foundations Benchmark.

Required resources for CIS v3.0.0

For Security Hub to accurately report findings for enabled CIS v3.0.0 change triggered controls that use a AWS Config rule, you must record these resources in AWS Config.

Service Required resources

Amazon Elastic Compute Cloud (Amazon EC2)

AWS::EC2::Instance

AWS::EC2::NetworkAcl

AWS::EC2::SecurityGroup

AWS Identity and Access Management (IAM)

AWS::IAM::Group

AWS::IAM::User

AWS::IAM::Role

Amazon Relational Database Service (Amazon RDS)

AWS::RDS::DBInstance

Amazon Simple Storage Service (Amazon S3)

AWS::S3::Bucket

Required resources for CIS v1.4.0

For Security Hub to accurately report findings for enabled CIS v1.4.0 change triggered controls that use a AWS Config rule, you must record these resources in AWS Config.

Service Required resources

Amazon Elastic Compute Cloud (EC2)

AWS::EC2::NetworkAcl

AWS::EC2::SecurityGroup

AWS Identity and Access Management (IAM)

AWS::IAM::Policy

AWS::IAM::User

Amazon Relational Database Service (Amazon RDS)

AWS::RDS::DBInstance

Amazon Simple Storage Service (Amazon S3)

AWS::S3::Bucket

Required resources for CIS v1.2.0

For Security Hub to accurately report findings for enabled CIS v1.2.0 change triggered controls that use a AWS Config rule, you must record these resources in AWS Config.

Service Required resources

Amazon Elastic Compute Cloud (EC2)

AWS::EC2::SecurityGroup

AWS Identity and Access Management (IAM)

AWS::IAM::Policy

AWS::IAM::User

Required resources for NIST SP 800-53 Rev. 5

For Security Hub to accurately report findings for enabled National Institute of Standards and Technology (NIST) SP 800-53 Rev. 5 change triggered controls that use a AWS Config rule, you must record these resources in AWS Config. You only have to record resources for controls that have a schedule type of change triggered. For more information about this standard, see NIST SP 800-53 Rev. 5 in Security Hub.

Service Required resources

Amazon API Gateway

AWS::ApiGateway::Stage

AWS::ApiGatewayV2::Stage

AWS AppSync

AWS::AppSync::GraphQLApi

AWS Backup

AWS::Backup::RecoveryPoint

AWS Certificate Manager (ACM)

AWS::ACM::Certificate

AWS CloudFormation

AWS::CloudFormation::Stack

Amazon CloudFront

AWS::CloudFront::Distribution

Amazon CloudWatch

AWS::CloudWatch::Alarm

AWS CodeBuild

AWS::CodeBuild::Project

AWS Database Migration Service (AWS DMS)

AWS::DMS::Endpoint

AWS::DMS::ReplicationInstance

AWS::DMS::ReplicationTask

Amazon DynamoDB

AWS::DynamoDB::Table

Amazon Elastic Compute Cloud (EC2)

AWS::EC2::ClientVpnEndpoint

AWS::EC2::EIP

AWS::EC2::Instance

AWS::EC2::LaunchTemplate

AWS::EC2::NetworkAcl

AWS::EC2::NetworkInterface

AWS::EC2::SecurityGroup

AWS::EC2::Subnet

AWS::EC2::TransitGateway

AWS::EC2::VPNConnection

AWS::EC2::Volume

Amazon EC2 Auto Scaling

AWS::AutoScaling::AutoScalingGroup

AWS::AutoScaling::LaunchConfiguration

Amazon Elastic Container Registry (Amazon ECR)

AWS::ECR::Repository

Amazon Elastic Container Service (Amazon ECS)

AWS::ECS::Cluster

AWS::ECS::Service

AWS::ECS::TaskDefinition

Amazon Elastic File System (Amazon EFS)

AWS::EFS::AccessPoint

Amazon EKS

AWS::EKS::Cluster

ElasticBeanstalk

AWS::ElasticBeanstalk::Environment

Elastic Load Balancing

AWS::ElasticLoadBalancing::LoadBalancer

AWS::ElasticLoadBalancingV2::LoadBalancer

ElasticSearch

AWS::Elasticsearch::Domain

Amazon EventBridge

AWS::Events::Endpoint

AWS::Events::EventBus

AWS Identity and Access Management (IAM)

AWS::IAM::Group

AWS::IAM::Policy

AWS::IAM::Role

AWS::IAM::User

AWS Key Management Service (AWS KMS)

AWS::KMS::Alias

AWS::KMS::Key

Amazon Kinesis

AWS::Kinesis::Stream

AWS Lambda

AWS::Lambda::Function

Amazon MSK

AWS::MSK::Cluster

Amazon MQ

AWS::AmazonMQ::Broker

AWS Network Firewall

AWS::NetworkFirewall::Firewall

AWS::NetworkFirewall::FirewallPolicy

AWS::NetworkFirewall::RuleGroup

Amazon OpenSearch Service

AWS::OpenSearch::Domain

Amazon Relational Database Service (Amazon RDS)

AWS::RDS::DBCluster

AWS::RDS::DBClusterSnapshot

AWS::RDS::DBInstance

AWS::RDS::DBSnapshot

AWS::RDS::EventSubscription

Amazon Redshift

AWS::Redshift::Cluster

Amazon Route 53

AWS::Route53::HostedZone

Amazon Simple Storage Service (Amazon S3)

AWS::S3::AccountPublicAccessBlock

AWS::S3::AccessPoint

AWS::S3::Bucket

AWS Service Catalog

AWS::ServiceCatalog::Portfolio

Amazon Simple Notification Service (Amazon SNS)

AWS::SNS::Topic

Amazon Simple Queue Service (Amazon SQS)

AWS::SQS::Queue
Amazon EC2 Systems Manager (SSM)

AWS::SSM::AssociationCompliance

AWS::SSM::ManagedInstanceInventory

AWS::SSM::PatchCompliance

Amazon SageMaker

AWS::SageMaker::NotebookInstance

AWS Secrets Manager

AWS::SecretsManager::Secret

AWS WAF

AWS::WAF::Rule

AWS::WAF::RuleGroup

AWS::WAF::WebACL

AWS::WAFRegional::Rule

AWS::WAFRegional::RuleGroup

AWS::WAFRegional::WebACL

AWS::WAFv2::RuleGroup

AWS::WAFv2::WebACL

Required resources for PCI DSS v3.2.1

For Security Hub to accurately report findings for enabled Payment Card Industry Data Security Standard (PCI DSS) controls that use a AWS Config rule, you must record these resources in AWS Config. For more information about this standard, see PCI DSS v3.2.1 in Security Hub.

Service Required resources

AWS CodeBuild

AWS::CodeBuild::Project

Amazon Elastic Compute Cloud (EC2)

AWS::EC2::EIP

AWS::EC2::Instance

AWS::EC2::SecurityGroup

Amazon EC2 Auto Scaling

AWS::AutoScaling::AutoScalingGroup

AWS Identity and Access Management (IAM)

AWS::IAM::Policy

AWS::IAM::User

AWS Lambda

AWS::Lambda::Function

Amazon OpenSearch Service

AWS::OpenSearch::Domain

Amazon Relational Database Service (Amazon RDS)

AWS::RDS::DBClusterSnapshot

AWS::RDS::DBInstance

AWS::RDS::DBSnapshot

Amazon Redshift

AWS::Redshift::Cluster

Amazon Simple Storage Service (Amazon S3)

AWS::S3::AccountPublicAccessBlock

AWS::S3::Bucket
Amazon EC2 Systems Manager (SSM)

AWS::SSM::AssociationCompliance

AWS::SSM::ManagedInstanceInventory

AWS::SSM::PatchCompliance

Required resources for AWS Resource Tagging Standard

All controls in the AWS Resource Tagging Standard are change triggered and use a AWS Config rule. For Security Hub to accurately report findings for these controls, you must record the following resources in AWS Config. You only have to record resources for controls that have a schedule type of change triggered. For more information about this standard, see AWS Resource Tagging Standard.

Service Required resources
AWS AppSync

AWS::AppSync::GraphQLApi
Amazon Athena

AWS::Athena::DataCatalog

AWS::Athena::WorkGroup
AWS Certificate Manager (ACM)

AWS::ACM::Certificate
AWS Backup (AWS Backup)

AWS::Backup::BackupPlan

AWS::Backup::BackupVault

AWS::Backup::RecoveryPlan

AWS::Backup::ReportPlan
AWS CloudFormation

AWS::CloudFormation::Stack
Amazon CloudFront

AWS::CloudFront::Distribution
AWS CloudTrail

AWS::CloudTrail::Trail
AWS CodeArtifact

AWS::CodeArtifact::Repository
Amazon Detective

AWS::Detective::Graph
AWS Database Migration Service (AWS DMS)

AWS::DMS::Certificate

AWS::DMS::EventSubscription

AWS::DMS::ReplicationInstance

AWS::DMS::ReplicationSubnetGroup
Amazon DynamoDB

AWS::DynamoDB::Trail
Amazon Elastic Compute Cloud (EC2)

AWS::EC2::CustomerGateway

AWS::EC2::EIP

AWS::EC2::FlowLog

AWS::EC2::Instance

AWS::EC2::InternetGateway

AWS::EC2::NatGateway

AWS::EC2::NetworkAcl

AWS::EC2::NetworkInterface

AWS::EC2::RouteTable

AWS::EC2::SecurityGroup

AWS::EC2::Subnet

AWS::EC2::TransitGateway

AWS::EC2::TransitGatewayAttachment

AWS::EC2::TransitGatewayRouteTable

AWS::EC2::Volume

AWS::EC2::VPC

AWS::EC2::VPCEndpointService

AWS::EC2::VPCPeeringConnection

AWS::EC2::VPNGateway
Amazon EC2 Auto Scaling

AWS::AutoScaling::AutoScalingGroup
Amazon Elastic Container Registry (Amazon ECR)

AWS::ECR::PublicRepository
Amazon Elastic Container Service (Amazon ECS)

AWS::ECS::Cluster

AWS::ECS::Service

AWS::ECS::TaskDefinition
Amazon Elastic File System (Amazon EFS)

AWS::EFS::AccessPoint
Amazon Elastic Kubernetes Service (Amazon EKS)

AWS::EKS::Cluster

AWS::EKS::IdentityProviderConfig
AWS Elastic Beanstalk (Elastic Beanstalk)

AWS::ElasticBeanstalk::Environment
ElasticSearch

AWS::Elasticsearch::Domain
Amazon EventBridge

AWS::Events::EventBus
AWS Global Accelerator

AWS::GlobalAccelerator::Accelerator
AWS Glue

AWS::Glue::Job
Amazon GuardDuty

AWS::GuardDuty::Detector

AWS::GuardDuty::Filter

AWS::GuardDuty::IPSet
AWS Identity and Access Management (IAM)

AWS::IAM::Role

AWS::IAM::User
AWS Identity and Access Management Access Analyzer (IAM Access Analyzer)

AWS::AccessAnalyzer::Analyzer
AWS IoT

AWS::IoT::Authorizer

AWS::IoT::Dimension

AWS::IoT::MitigationAction

AWS::IoT::Policy

AWS::IoT::RoleAlias

AWS::IoT::SecurityProfile
Amazon Kinesis

AWS::Kinesis::Stream
AWS Lambda

AWS::Lambda::Function
Amazon MQ

AWS::AmazonMQ::Broker
AWS Network Firewall

AWS::NetworkFirewall::Firewall

AWS::NetworkFirewall::FirewallPolicy
Amazon OpenSearch Service

AWS::OpenSearch::Domain
Amazon Relational Database Service

AWS::RDS::DBCluster

AWS::RDS::DBClusterSnapshot

AWS::RDS::DBInstance

AWS::RDS::DBSecurityGroup

AWS::RDS::DBSnapshot

AWS::RDS::DBSubnetGroup
Amazon Redshift

AWS::Redshift::Cluster

AWS::Redshift::ClusterSnapshot

AWS::Redshift::ClusterSubnetGroup

AWS::Redshift::EventSubscription
Amazon Route 53

AWS::Route53::HealthCheck
AWS Secrets Manager

AWS::SecretsManager::Secret
Amazon Simple Email Service (Amazon SES)

AWS::SES::ConfigurationSet

AWS::SES::ContactList
Amazon Simple Notification Service (Amazon SNS)

AWS::SNS::Topic
Amazon Simple Queue Service (Amazon SQS)

AWS::SQS::Queue
AWS Step Functions

AWS::StepFunctions::Activity
AWS Transfer Family

AWS::Transfer::Workflow

Required resources for Service-Managed Standard: AWS Control Tower

For Security Hub to accurately report findings for enabled Service-Managed Standard: AWS Control Tower change triggered controls that use a AWS Config rule, you must record the following resources in AWS Config. For more information about this standard, see Service-Managed Standard: AWS Control Tower.

Service Required resources

Amazon API Gateway

AWS::ApiGateway::Stage

AWS::ApiGatewayV2::Stage

AWS Certificate Manager (ACM)

AWS::ACM::Certificate

AWS CodeBuild

AWS::CodeBuild::Project

Amazon DynamoDB

AWS::DynamoDB::Table

Amazon Elastic Compute Cloud (EC2)

AWS::EC2::Instance

AWS::EC2::NetworkAcl

AWS::EC2::NetworkInterface

AWS::EC2::SecurityGroup

AWS::EC2::Subnet

AWS::EC2::VPNConnection

AWS::EC2::Volume

Amazon EC2 Auto Scaling

AWS::AutoScaling::AutoScalingGroup

AWS::AutoScaling::LaunchConfiguration

Amazon Elastic Container Registry (Amazon ECR)

AWS::ECR::Repository

Amazon Elastic Container Service (Amazon ECS)

AWS::ECS::Cluster

AWS::ECS::Service

AWS::ECS::TaskDefinition

Amazon Elastic File System (Amazon EFS)

AWS::EFS::AccessPoint

Amazon EKS

AWS::EKS::Cluster

ElasticBeanstalk

AWS::ElasticBeanstalk::Environment

Elastic Load Balancing

AWS::ElasticLoadBalancing::LoadBalancer

AWS::ElasticLoadBalancingV2::LoadBalancer

ElasticSearch

AWS::Elasticsearch::Domain

AWS Identity and Access Management (IAM)

AWS::IAM::Group

AWS::IAM::Policy

AWS::IAM::Role

AWS::IAM::User

AWS Key Management Service (AWS KMS)

AWS::KMS::Alias

AWS::KMS::Key

Amazon Kinesis

AWS::Kinesis::Stream

AWS Lambda

AWS::Lambda::Function

AWS Network Firewall

AWS::NetworkFirewall::FirewallPolicy

AWS::NetworkFirewall::RuleGroup

Amazon OpenSearch Service

AWS::OpenSearch::Domain

Amazon Relational Database Service (Amazon RDS)

AWS::RDS::DBCluster

AWS::RDS::DBClusterSnapshot

AWS::RDS::DBInstance

AWS::RDS::DBSnapshot

AWS::RDS::EventSubscription

Amazon Redshift

AWS::Redshift::Cluster

Amazon Simple Storage Service (Amazon S3)

AWS::S3::AccountPublicAccessBlock

AWS::S3::Bucket

Amazon Simple Notification Service (Amazon SNS)

AWS::SNS::Topic

Amazon Simple Queue Service (Amazon SQS)

AWS::SQS::Queue
Amazon EC2 Systems Manager (SSM)

AWS::SSM::AssociationCompliance

AWS::SSM::ManagedInstanceInventory

AWS::SSM::PatchCompliance

AWS Secrets Manager

AWS::SecretsManager::Secret

AWS WAF

AWS::WAFRegional::Rule

AWS::WAFRegional::RuleGroup

AWS::WAFRegional::WebACL

AWS::WAFv2::WebACL