


# Required AWS Config resources for control findings
<a name="controls-config-resources"></a>

In AWS Security Hub CSPM, some controls use service-linked AWS Config rules that detect configuration changes in your AWS resources. For Security Hub CSPM to generate accurate findings for these controls, you must enable AWS Config and turn on resource recording in AWS Config. For information about how Security Hub CSPM uses AWS Config rules and how to enable and configure AWS Config, see [Enabling and configuring AWS Config for Security Hub CSPM](securityhub-setup-prereqs.md). For detailed information about resource recording, see [Working with the configuration recorder](https://docs.aws.amazon.com/config/latest/developerguide/stop-start-recorder.html) in the *AWS Config Developer Guide*.

To receive accurate control findings, you must turn on AWS Config resource recording for enabled controls with a *change triggered* schedule type. Some controls with a *periodic* schedule type also require resource recording. This page lists the required resources for these Security Hub CSPM controls.

Security Hub CSPM controls can rely on managed AWS Config rules or on custom Security Hub CSPM rules. Make sure that no AWS Identity and Access Management (IAM) policies or AWS Organizations managed policies prevent AWS Config from having permission to record your resources. Security Hub CSPM controls evaluate resource configurations directly and don't take AWS Organizations policies into account.

**Note**  
 In AWS Regions where a control isn't available, the corresponding resource isn't available in AWS Config. For a list of these limits, see [Regional limits on Security Hub CSPM controls](regions-controls.md).

**Topics**
+ [Required resources for all Security Hub CSPM controls](#all-controls-config-resources)
+ [Required resources for the AWS Foundational Security Best Practices standard](#securityhub-standards-fsbp-config-resources)
+ [Required resources for the CIS AWS Foundations Benchmark](#securityhub-standards-cis-config-resources)
+ [Required resources for the NIST SP 800-53 Revision 5 standard](#nist-config-resources)
+ [Required resources for the NIST SP 800-171 Revision 2 standard](#nist-800-171-config-resources)
+ [Required resources for PCI DSS v3.2.1](#securityhub-standards-pci-config-resources)
+ [Required resources for the AWS Resource Tagging standard](#tagging-config-resources)

## Required resources for all Security Hub CSPM controls
<a name="all-controls-config-resources"></a>

For Security Hub CSPM to generate findings for change triggered controls that are enabled and use an AWS Config rule, you must record the following resource types in AWS Config. The following list also indicates which controls evaluate a specific resource type. A single control can evaluate more than one resource type.



- **AWS Amplify**
  - **Resource types:** AWS::Amplify::App / **Related controls:** Amplify.1
  - **Resource types:** AWS::Amplify::Branch / **Related controls:** Amplify.2

- **Amazon API Gateway**
  - **Resource types:** AWS::ApiGateway::Stage / **Related controls:** APIGateway.1, APIGateway.2, APIGateway.3, APIGateway.4, APIGateway.5
  - **Resource types:** AWS::ApiGatewayV2::Stage / **Related controls:** APIGateway.1, APIGateway.9
  - **Resource types:** AWS::ApiGateway::DomainName / **Related controls:** APIGateway.11

- **AWS AppConfig**
  - **Resource types:** AWS::AppConfig::Application / **Related controls:** AppConfig.1
  - **Resource types:** AWS::AppConfig::ConfigurationProfile / **Related controls:** AppConfig.2
  - **Resource types:** AWS::AppConfig::Environment / **Related controls:** AppConfig.3
  - **Resource types:** AWS::AppConfig::ExtensionAssociation / **Related controls:** AppConfig.4

- **Amazon AppFlow**
  - **Resource types:** AWS::AppFlow::Flow / **Related controls:** AppFlow.1

- **AWS App Runner**
  - **Resource types:** AWS::AppRunner::Service / **Related controls:** AppRunner.1
  - **Resource types:** AWS::AppRunner::VpcConnector / **Related controls:** AppRunner.2

- **AWS AppSync**
  - **Resource types:** AWS::AppSync::GraphQLApi / **Related controls:** AppSync.2, AppSync.4, AppSync.5
  - **Resource types:** AWS::AppSync::ApiCache / **Related controls:** AppSync.1, AppSync.6

- **AWS Backup**
  - **Resource types:** AWS::Backup::BackupPlan / **Related controls:** Backup.5
  - **Resource types:** AWS::Backup::BackupVault / **Related controls:** Backup.3
  - **Resource types:** AWS::Backup::RecoveryPoint / **Related controls:** Backup.1, Backup.2
  - **Resource types:** AWS::Backup::ReportPlan / **Related controls:** Backup.4

- **AWS Batch**
  - **Resource types:** AWS::Batch::ComputeEnvironment / **Related controls:** Batch.3, Batch.4
  - **Resource types:** AWS::Batch::JobQueue / **Related controls:** Batch.1
  - **Resource types:** AWS::Batch::SchedulingPolicy / **Related controls:** Batch.2

- **Amazon Bedrock AgentCore**
  - **Resource types:** AWS::BedrockAgentCore::Gateway / **Related controls:** BedrockAgentCore.2
  - **Resource types:** AWS::BedrockAgentCore::Runtime / **Related controls:** BedrockAgentCore.1

- **AWS Certificate Manager (ACM)**
  - **Resource types:** AWS::ACM::Certificate / **Related controls:** ACM.1, ACM.2, ACM.3

- **Amazon Athena**
  - **Resource types:** AWS::Athena::DataCatalog / **Related controls:** Athena.2
  - **Resource types:** AWS::Athena::WorkGroup / **Related controls:** Athena.3, Athena.4

- **AWS CloudFormation**
  - **Resource types:** AWS::CloudFormation::Stack / **Related controls:** CloudFormation.2, CloudFormation.3, CloudFormation.4

- **Amazon CloudFront**
  - **Resource types:** AWS::CloudFront::Distribution / **Related controls:** CloudFront.1, CloudFront.3, CloudFront.4, CloudFront.5, CloudFront.6, CloudFront.7, CloudFront.8, CloudFront.9, CloudFront.10, CloudFront.13, CloudFront.14, CloudFront.15, CloudFront.16, CloudFront.17

- **AWS CloudTrail**
  - **Resource types:** AWS::CloudTrail::Trail / **Related controls:** CloudTrail.9
  - **Resource types:** AWS::CloudTrail::EventDataStore / **Related controls:** CloudTrail.11

- **Amazon CloudWatch**
  - **Resource types:** AWS::CloudWatch::Alarm / **Related controls:** CloudWatch.15, CloudWatch.17

- **AWS CodeArtifact**
  - **Resource types:** AWS::CodeArtifact::Repository / **Related controls:** CodeArtifact.1

- **AWS CodeBuild**
  - **Resource types:** AWS::CodeBuild::Project / **Related controls:** CodeBuild.1, CodeBuild.2, CodeBuild.3, CodeBuild.4
  - **Resource types:** AWS::CodeBuild::ReportGroup / **Related controls:** CodeBuild.7

- **Amazon CodeGuru Profiler**
  - **Resource types:** AWS::CodeGuruProfiler::ProfilingGroup / **Related controls:** CodeGuruProfiler.1

- **Amazon CodeGuru Reviewer**
  - **Resource types:** AWS::CodeGuruReviewer::RepositoryAssociation / **Related controls:** CodeGuruReviewer.1

- **Amazon Cognito**
  - **Resource types:** AWS::Cognito::IdentityPool / **Related controls:** Cognito.2
  - **Resource types:** AWS::Cognito::UserPool / **Related controls:** Cognito.1, Cognito.3, Cognito.4, Cognito.5, Cognito.6

- **Amazon Connect**
  - **Resource types:** AWS::CustomerProfiles::ObjectType / **Related controls:** Connect.1
  - **Resource types:** AWS::Connect::Instance / **Related controls:** Connect.2

- **AWS DataSync**
  - **Resource types:** AWS::DataSync::Task / **Related controls:** DataSync.1, DataSync.2

- **Amazon Detective**
  - **Resource types:** AWS::Detective::Graph / **Related controls:** Detective.1

- **AWS Database Migration Service (AWS DMS)**
  - **Resource types:** AWS::DMS::Certificate / **Related controls:** DMS.2
  - **Resource types:** AWS::DMS::Endpoint / **Related controls:** DMS.9, DMS.10, DMS.11, DMS.12
  - **Resource types:** AWS::DMS::EventSubscription / **Related controls:** DMS.3
  - **Resource types:** AWS::DMS::ReplicationInstance / **Related controls:** DMS.4, DMS.6, DMS.13
  - **Resource types:** AWS::DMS::ReplicationSubnetGroup / **Related controls:** DMS.5
  - **Resource types:** AWS::DMS::ReplicationTask / **Related controls:** DMS.7, DMS.8

- **Amazon DynamoDB**
  - **Resource types:** AWS::DynamoDB::Table / **Related controls:** DynamoDB.1, DynamoDB.2, DynamoDB.5, DynamoDB.6

- **Amazon Elastic Compute Cloud (EC2)**
  - **Resource types:** AWS::EC2::ClientVpnEndpoint / **Related controls:** EC2.51
  - **Resource types:** AWS::EC2::CustomerGateway / **Related controls:** EC2.36
  - **Resource types:** AWS::EC2::DHCPOptions / **Related controls:** EC2.174
  - **Resource types:** AWS::EC2::EIP / **Related controls:** EC2.12, EC2.37
  - **Resource types:** AWS::EC2::FlowLog / **Related controls:** EC2.48
  - **Resource types:** AWS::EC2::Instance / **Related controls:** EC2.4, EC2.8, EC2.9, EC2.17, EC2.24, EC2.38, EMR.1, SSM.1
  - **Resource types:** AWS::EC2::InternetGateway / **Related controls:** EC2.39
  - **Resource types:** AWS::EC2::LaunchTemplate / **Related controls:** EC2.25, EC2.170, EC2.175, EC2.181
  - **Resource types:** AWS::EC2::NatGateway / **Related controls:** EC2.40
  - **Resource types:** AWS::EC2::NetworkAcl / **Related controls:** EC2.16, EC2.21, EC2.41
  - **Resource types:** AWS::EC2::NetworkInterface / **Related controls:** EC2.22, EC2.35, EC2.180
  - **Resource types:** AWS::EC2::PrefixList / **Related controls:** EC2.176
  - **Resource types:** AWS::EC2::RouteTable / **Related controls:** EC2.42
  - **Resource types:** AWS::EC2::SecurityGroup / **Related controls:** EC2.2, EC2.13, EC2.14, EC2.18, EC2.19, EC2.43
  - **Resource types:** AWS::EC2::SnapshotBlockPublicAccess / **Related controls:** EC2.182
  - **Resource types:** AWS::EC2::SpotFleet / **Related controls:** EC2.173
  - **Resource types:** AWS::EC2::Subnet / **Related controls:** EC2.15, EC2.44, ElastiCache.7
  - **Resource types:** AWS::EC2::TrafficMirrorFilter / **Related controls:** EC2.178
  - **Resource types:** AWS::EC2::TrafficMirrorSession / **Related controls:** EC2.177
  - **Resource types:** AWS::EC2::TrafficMirrorTarget / **Related controls:** EC2.179
  - **Resource types:** AWS::EC2::TransitGateway / **Related controls:** EC2.23, EC2.52
  - **Resource types:** AWS::EC2::TransitGatewayAttachment / **Related controls:** EC2.33
  - **Resource types:** AWS::EC2::TransitGatewayRouteTable / **Related controls:** EC2.34
  - **Resource types:** AWS::EC2::Volume / **Related controls:** EC2.3, EC2.45
  - **Resource types:** AWS::EC2::VPC / **Related controls:** EC2.6, EC2.46
  - **Resource types:** AWS::EC2::VPCBlockPublicAccessOptions / **Related controls:** EC2.172
  - **Resource types:** AWS::EC2::VPCEndpointService / **Related controls:** EC2.47
  - **Resource types:** AWS::EC2::VPCPeeringConnection / **Related controls:** EC2.49
  - **Resource types:** AWS::EC2::VPNConnection / **Related controls:** EC2.20, EC2.171, EC2.183
  - **Resource types:** AWS::EC2::VPNGateway / **Related controls:** EC2.50

- **Amazon EC2 Auto Scaling**
  - **Resource types:** AWS::AutoScaling::AutoScalingGroup / **Related controls:** AutoScaling.1, AutoScaling.2, AutoScaling.6, AutoScaling.9, AutoScaling.10
  - **Resource types:** AWS::AutoScaling::LaunchConfiguration / **Related controls:** AutoScaling.3, Auto Scaling

- **Amazon EC2 Systems Manager (SSM)**
  - **Resource types:** AWS::SSM::AssociationCompliance / **Related controls:** SSM.3
  - **Resource types:** AWS::SSM::ManagedInstanceInventory / **Related controls:** SSM.1
  - **Resource types:** AWS::SSM::PatchCompliance / **Related controls:** SSM.2

- **Amazon Elastic Container Registry (Amazon ECR)**
  - **Resource types:** AWS::ECR::PublicRepository / **Related controls:** ECR.4
  - **Resource types:** AWS::ECR::Repository / **Related controls:** ECR.2, ECR.3, ECR.5

- **Amazon Elastic Container Service (Amazon ECS)**
  - **Resource types:** AWS::ECS::Cluster / **Related controls:** ECS.12, ECS.14
  - **Resource types:** AWS::ECS::CapacityProvider / **Related controls:** ECS.19
  - **Resource types:** AWS::ECS::Service / **Related controls:** ECS.2, ECS.10, ECS.13
  - **Resource types:** AWS::ECS::TaskDefinition / **Related controls:** ECS.1, ECS.3, ECS.4, ECS.5, ECS.8, ECS.9, ECS.15, EKS.17, ECS.18, ECS.20, ECS.21
  - **Resource types:** AWS::ECS::TaskSet / **Related controls:** ECS.16

- **Amazon Elastic File System (Amazon EFS)**
  - **Resource types:** AWS::EFS::AccessPoint / **Related controls:** EFS.3, EFS.4, EFS.5
  - **Resource types:** AWS::EFS::FileSystem / **Related controls:** EFS.7, EFS.8

- **Amazon Elastic Kubernetes Service (Amazon EKS)**
  - **Resource types:** AWS::EKS::Cluster / **Related controls:** EKS.2, EKS.6, EKS.8
  - **Resource types:** AWS::EKS::IdentityProviderConfig / **Related controls:** EKS.7
  - **Resource types:** AWS::EKS::Nodegroup / **Related controls:** EKS.9

- **AWS Elastic Beanstalk**
  - **Resource types:** AWS::ElasticBeanstalk::Environment / **Related controls:** ElasticBeanstalk.1, ElasticBeanstalk.2, ElasticBeanstalk.3

- **Elastic Load Balancing**
  - **Resource types:** AWS::ElasticLoadBalancing::LoadBalancer / **Related controls:** ELB.1, ELB.3, ELB.5, ELB.7, ELB.1, ELB.9, ELB.10, ELB.14
  - **Resource types:** AWS::ElasticLoadBalancingV2::Listener / **Related controls:** ELB.17, ELB.18
  - **Resource types:** AWS::ElasticLoadBalancingV2::LoadBalancer / **Related controls:** ELB.1, ELB.4, ELB.5, ELB.6, ELB.12, ELB.13, ELB.16

- **ElasticSearch**
  - **Resource types:** AWS::Elasticsearch::Domain / **Related controls:** ES.3, ES.4, ES.5, ES.6, ES.7, ES.8, ES.9

- **Amazon EMR**
  - **Resource types:** AWS::EMR::SecurityConfiguration / **Related controls:** EMR.3, EMR.4

- **Amazon EventBridge**
  - **Resource types:** AWS::Events::EventBus / **Related controls:** EventBridge.2, EventBridge.3
  - **Resource types:** AWS::Events::Endpoint / **Related controls:** EventBridge.4

- **Amazon Fraud Detector**
  - **Resource types:** AWS::FraudDetector::EntityType / **Related controls:** FraudDetector.1
  - **Resource types:** AWS::FraudDetector::Label / **Related controls:** FraudDetector.2
  - **Resource types:** AWS::FraudDetector::Outcome / **Related controls:** FraudDetector.3
  - **Resource types:** AWS::FraudDetector::Variable / **Related controls:** FraudDetector.4

- **AWS Global Accelerator**
  - **Resource types:** AWS::GlobalAccelerator::Accelerator / **Related controls:** GlobalAccelerator.1

- **AWS Glue**
  - **Resource types:** AWS::Glue::Job / **Related controls:** Glue.1, Glue.4
  - **Resource types:** AWS::Glue::MLTransform / **Related controls:** Glue.3

- **Amazon GuardDuty**
  - **Resource types:** AWS::GuardDuty::Detector / **Related controls:** GuardDuty.4
  - **Resource types:** AWS::GuardDuty::Filter / **Related controls:** GuardDuty.2
  - **Resource types:** AWS::GuardDuty::IPSet / **Related controls:** GuardDuty.3
- **AWS Identity and Access Management (IAM)**
  - **Resource types:** AWS::IAM::Group / **Related controls:** IAM.27, KMS.2
  - **Resource types:** AWS::IAM::Policy / **Related controls:** IAM.1, IAM.21, KMS.1
  - **Resource types:** AWS::IAM::Role / **Related controls:** IAM.24, IAM.27, KMS.2
  - **Resource types:** AWS::IAM::User / **Related controls:** IAM.2, IAM.3, IAM.5, IAM.8, IAM.19, IAM.22, IAM.25, IAM.27, KMS.2

- **AWS Identity and Access Management Access Analyzer**
  - **Resource types:** AWS::AccessAnalyzer::Analyzer / **Related controls:** IAM.23

- **Amazon Interactive Video Service (Amazon IVS)**
  - **Resource types:** AWS::IVS::PlaybackKeyPair / **Related controls:** IVS.1
  - **Resource types:** AWS::IVS::RecordingConfiguration / **Related controls:** IVS.2
  - **Resource types:** AWS::IVS::Channel / **Related controls:** IVS.3

- **AWS IoT**
  - **Resource types:** AWS::IoT::Authorizer / **Related controls:** IoT.4
  - **Resource types:** AWS::IoT::Dimension / **Related controls:** IoT.3
  - **Resource types:** AWS::IoT::MitigationAction / **Related controls:** IoT.2
  - **Resource types:** AWS::IoT::Policy / **Related controls:** IoT.6
  - **Resource types:** AWS::IoT::RoleAlias / **Related controls:** IoT.5
  - **Resource types:** AWS::IoT::SecurityProfile / **Related controls:** IoT.1

- **AWS IoT Events**
  - **Resource types:** AWS::IoTEvents::AlarmModel / **Related controls:** IoTEvents.3
  - **Resource types:** AWS::IoTEvents::DetectorModel / **Related controls:** IoTEvents.2
  - **Resource types:** AWS::IoTEvents::Input / **Related controls:** IoTEvents.1

- **AWS IoT SiteWise**
  - **Resource types:** AWS::IoTSiteWise::AssetModel / **Related controls:** IoTSiteWise.1
  - **Resource types:** AWS::IoTSiteWise::Dashboard / **Related controls:** IoTSiteWise.2
  - **Resource types:** AWS::IoTSiteWise::Gateway / **Related controls:** IoTSiteWise.3
  - **Resource types:** AWS::IoTSiteWise::Portal / **Related controls:** IoTSiteWise.4
  - **Resource types:** AWS::IoTSiteWise::Project / **Related controls:** IoTSiteWise.5

- **AWS IoT TwinMaker**
  - **Resource types:** AWS::IoTTwinMaker::Entity / **Related controls:** IoTTwinMaker.4
  - **Resource types:** AWS::IoTTwinMaker::Scene / **Related controls:** IoTTwinMaker.3
  - **Resource types:** AWS::IoTTwinMaker::SyncJob / **Related controls:** IoTTwinMaker.1
  - **Resource types:** AWS::IoTTwinMaker::Workspace / **Related controls:** IoTTwinMaker.2

- **AWS IoT Wireless**
  - **Resource types:** AWS::IoTWireless::MulticastGroup / **Related controls:** IoTWireless.1
  - **Resource types:** AWS::IoTWireless::ServiceProfile / **Related controls:** IoTWireless.2
  - **Resource types:** AWS::IoTWireless::FuotaTask / **Related controls:** IoTWireless.3
- **Amazon Keyspaces (for Apache Cassandra)**
  - **Resource types:** AWS::Cassandra::Keyspace / **Related controls:** Keyspaces.1

- **Amazon Kinesis**
  - **Resource types:** AWS::Kinesis::Stream / **Related controls:** Kinesis.1, Kinesis.2, Kinesis.3

- **AWS Key Management Service (AWS KMS)**
  - **Resource types:** AWS::KMS::Alias / **Related controls:** S3.17
  - **Resource types:** AWS::KMS::Key / **Related controls:** KMS.3, KMS.5, S3.17

- **AWS Lambda**
  - **Resource types:** AWS::Lambda::Function / **Related controls:** Lambda.1, Lambda.2, Lambda.3, Lambda.5, Lambda.6, Lambda.7

- **Amazon MSK**
  - **Resource types:** AWS::MSK::Cluster / **Related controls:** MSK.1, MSK.2, MSK.4, MSK.6
  - **Resource types:** AWS::KafkaConnect::Connector / **Related controls:** MSK.3, MSK.5

- **Amazon MQ**
  - **Resource types:** AWS::AmazonMQ::Broker / **Related controls:** MQ.2, MQ.3, MQ.4, MQ.5, MQ.6

- **AWS Network Firewall**
  - **Resource types:** AWS::NetworkFirewall::Firewall / **Related controls:** NetworkFirewall.1, NetworkFirewall.7, NetworkFirewall.9, NetworkFirewall.10
  - **Resource types:** AWS::NetworkFirewall::FirewallPolicy / **Related controls:** NetworkFirewall.3, NetworkFirewall.4, NetworkFirewall.5, NetworkFirewall.8
  - **Resource types:** AWS::NetworkFirewall::RuleGroup / **Related controls:** NetworkFirewall.6

- **Amazon OpenSearch Service**
  - **Resource types:** AWS::OpenSearch::Domain / **Related controls:** Opensearch.1, Opensearch.2, Opensearch.3, Opensearch.4, Opensearch.5, Opensearch.6, Opensearch.7, Opensearch.8, Opensearch.9, Opensearch.10, Opensearch.11

- **AWS Private CA**
  - **Resource types:** AWS::ACMPCA::CertificateAuthority / **Related controls:** PCA.2

- **Amazon Relational Database Service (Amazon RDS)**
  - **Resource types:** AWS::RDS::DBCluster / **Related controls:** DocumentDB.1, DocumentDB.2, DocumentDB.4, DocumentDB.5, Neptune.1, Neptune.2, Neptune.4, Neptune.5, Neptune.7, Neptune.8, Neptune.9, RDS.7, RDS.12, RDS.14, RDS.15, RDS.16, RDS.24, RDS.27, RDS.28, RDS.34, RDS.35, RDS.37, RDS.47, RDS.48
  - **Resource types:** AWS::RDS::DBClusterSnapshot / **Related controls:** DocumentDB.3, Neptune.3, Neptune.6, RDS.1, RDS.4, RDS.29
  - **Resource types:** AWS::RDS::DBInstance / **Related controls:** RDS.2, RDS.3, RDS.5, RDS.6, RDS.8, RDS.9, RDS.10, RDS.11, RDS.13, RDS.17, RDS.3, RDS.23, RDS.25, RDS.30, RDS.36, RDS.40
  - **Resource types:** AWS::RDS::DBSecurityGroup / **Related controls:** RDS.31
  - **Resource types:** AWS::RDS::DBSnapshot / **Related controls:** RDS.1, RDS.4, RDS.32
  - **Resource types:** AWS::RDS::DBSubnetGroup / **Related controls:** RDS.33
  - **Resource types:** AWS::RDS::EventSubscription / **Related controls:** RDS.19, RDS.20, RDS.21, RDS.22
  - **Resource types:** AWS::RDS::GlobalCluster / **Related controls:** RDS.51

- **Amazon Redshift**
  - **Resource types:** AWS::Redshift::Cluster / **Related controls:** Redshift.1, Redshift.2, Redshift.3, Redshift.4, Redshift.6, Redshift.7, Redshift.8, Redshift.10, Redshift.11, Redshift.18
  - **Resource types:** AWS::Redshift::ClusterParameterGroup / **Related controls:** Redshift.2, Redshift.17
  - **Resource types:** AWS::Redshift::ClusterSnapshot / **Related controls:** Redshift.13
  - **Resource types:** AWS::Redshift::ClusterSubnetGroup / **Related controls:** Redshift.14, Redshift.16
  - **Resource types:** AWS::Redshift::EventSubscription / **Related controls:** Redshift.12

- **Amazon Route 53**
  - **Resource types:** AWS::Route53::HostedZone / **Related controls:** Route53.2
  - **Resource types:** AWS::Route53::HealthCheck / **Related controls:** Route53.1

- **Amazon Simple Storage Service (Amazon S3)**
  - **Resource types:** AWS::S3::AccessPoint / **Related controls:** S3.19
  - **Resource types:** AWS::S3::AccountPublicAccessBlock / **Related controls:** S3.2, S3.3
  - **Resource types:** AWS::S3::Bucket / **Related controls:** CloudTrail.6, CloudTrail.7, S3.2, S3.3, S3.5, S3.6, S3.7, S3.8, S3.9, S3.10, S3.11, S3.12, S3.13, S3.14, S3.15, S3.17, S3.20
  - **Resource types:** AWS::S3::MultiRegionAccessPoint / **Related controls:** S3.24
  - **Resource types:** AWS::S3Express::DirectoryBucket / **Related controls:** S3.25

- **Amazon SageMaker AI**
  - **Resource types:** AWS::SageMaker::AppImageConfig / **Related controls:** SageMaker.6
  - **Resource types:** AWS::SageMaker::Image / **Related controls:** SageMaker.7
  - **Resource types:** AWS::SageMaker::Model / **Related controls:** SageMaker.5, SageMaker.16, SageMaker.19
  - **Resource types:** AWS::SageMaker::NotebookInstance / **Related controls:** SageMaker.2, SageMaker.3
  - **Resource types:** AWS::SageMaker::FeatureGroup / **Related controls:** SageMaker.17

- **AWS Secrets Manager**
  - **Resource types:** AWS::SecretsManager::Secret / **Related controls:** SecretsManager.1, SecretsManager.2, SecretsManager.5

- **AWS Service Catalog**
  - **Resource types:** AWS::ServiceCatalog::Portfolio / **Related controls:** ServiceCatalog.1

- **Amazon Simple Email Service (Amazon SES)**
  - **Resource types:** AWS::SES::ConfigurationSet / **Related controls:** SES.2, SES.3
  - **Resource types:** AWS::SES::ContactList / **Related controls:** SES.1

- **Amazon Simple Notification Service (Amazon SNS)**
  - **Resource types:** AWS::SNS::Topic / **Related controls:** SNS.1, SNS.3, SNS.4

- **Amazon Simple Queue Service (Amazon SQS)**
  - **Resource types:** AWS::SQS::Queue / **Related controls:** SQS.1, SQS.2, SQS.3

- **AWS Step Functions**
  - **Resource types:** AWS::StepFunctions::StateMachine / **Related controls:** StepFunctions.1
  - **Resource types:** AWS::StepFunctions::Activity / **Related controls:** StepFunctions.2

- **AWS Systems Manager (SSM)**
  - **Resource types:** AWS::SSM::Document / **Related controls:** SSM.5

- **AWS Transfer Family**
  - **Resource types:** AWS::Transfer::Agreement / **Related controls:** Transfer.4
  - **Resource types:** AWS::Transfer::Certificate / **Related controls:** Transfer.5
  - **Resource types:** AWS::Transfer::Connector / **Related controls:** Transfer.3, Transfer.6
  - **Resource types:** AWS::Transfer::Profile / **Related controls:** Transfer.7
  - **Resource types:** AWS::Transfer::Workflow / **Related controls:** Transfer.1

- **AWS WAF**
  - **Resource types:** AWS::WAF::Rule / **Related controls:** WAF.6
  - **Resource types:** AWS::WAF::RuleGroup / **Related controls:** WAF.7
  - **Resource types:** AWS::WAF::WebACL / **Related controls:** WAF.1, WAF.8
  - **Resource types:** AWS::WAFRegional::Rule / **Related controls:** WAF.2
  - **Resource types:** AWS::WAFRegional::RuleGroup / **Related controls:** WAF.3
  - **Resource types:** AWS::WAFRegional::WebACL / **Related controls:** WAF.4
  - **Resource types:** AWS::WAFv2::RuleGroup / **Related controls:** WAF.12
  - **Resource types:** AWS::WAFv2::WebACL / **Related controls:** WAF.10, WAF.11

- **Amazon WorkSpaces**
  - **Resource types:** AWS::WorkSpaces::WorkSpace / **Related controls:** WorkSpaces.1, WorkSpaces.2



## Required resources for the AWS Foundational Security Best Practices standard
<a name="securityhub-standards-fsbp-config-resources"></a>

For Security Hub CSPM to accurately report findings for change triggered controls that apply to the AWS Foundational Security Best Practices standard (v.1.0.0), are enabled, and use an AWS Config rule, you must record the following resource types in AWS Config. For information about this standard, see [AWS Foundational Security Best Practices standard in Security Hub CSPM](fsbp-standard.md).


| AWS service | Resource types | 
| --- | --- | 
| Amazon API Gateway | `AWS::ApiGateway::DomainName`, `AWS::ApiGateway::Stage`, `AWS::ApiGatewayV2::Stage` | 
| AWS AppSync | `AWS::AppSync::ApiCache`, `AWS::AppSync::GraphQLApi` | 
| AWS Backup | `AWS::Backup::RecoveryPoint` | 
| Amazon Bedrock AgentCore | `AWS::BedrockAgentCore::Gateway`, `AWS::BedrockAgentCore::Runtime` | 
| AWS Certificate Manager (ACM) | `AWS::ACM::Certificate` | 
| AWS CloudFormation | `AWS::CloudFormation::Stack` | 
| Amazon CloudFront | `AWS::CloudFront::Distribution` | 
| AWS CodeBuild | `AWS::CodeBuild::Project`, `AWS::CodeBuild::ReportGroup` | 
| Amazon Cognito | `AWS::Cognito::IdentityPool`, `AWS::Cognito::UserPool` | 
| AWS CloudTrail | `AWS::CloudTrail::EventDataStore` | 
| Amazon Connect | `AWS::Connect::Instance` | 
| AWS DataSync | `AWS::DataSync::Task` | 
| AWS Database Migration Service (AWS DMS) | `AWS::DMS::Endpoint`, `AWS::DMS::ReplicationInstance`, `AWS::DMS::ReplicationTask` | 
| Amazon DynamoDB | `AWS::DynamoDB::Table` | 
| Amazon EC2 Systems Manager (SSM)  | `AWS::SSM::AssociationCompliance`, `AWS::SSM::ManagedInstanceInventory`, `AWS::SSM::PatchCompliance` | 
| Amazon Elastic Compute Cloud (Amazon EC2) | `AWS::EC2::ClientVpnEndpoint`, `AWS::EC2::Instance`, `AWS::EC2::LaunchTemplate`, `AWS::EC2::NetworkAcl`, `AWS::EC2::NetworkInterface`, `AWS::EC2::SecurityGroup`, `AWS::EC2::SnapshotBlockPublicAccess`, `AWS::EC2::SpotFleet`, `AWS::EC2::Subnet`, `AWS::EC2::TransitGateway`, `AWS::EC2::VPCBlockPublicAccessOptions`, `AWS::EC2::VPNConnection`, `AWS::EC2::Volume` | 
| Amazon EC2 Auto Scaling | `AWS::AutoScaling::AutoScalingGroup`, `AWS::AutoScaling::LaunchConfiguration` | 
| Amazon Elastic Container Registry (Amazon ECR) | `AWS::ECR::Repository` | 
| Amazon Elastic Container Service (Amazon ECS) | `AWS::ECS::CapacityProvider`, `AWS::ECS::Cluster`, `AWS::ECS::Service`, `AWS::ECS::TaskDefinition`, `AWS::ECS::TaskSet` | 
| Amazon Elastic File System (Amazon EFS) | `AWS::EFS::AccessPoint`, `AWS::EFS::FileSystem` | 
| Amazon Elastic Kubernetes Service (Amazon EKS) | `AWS::EKS::Cluster`, `AWS::EKS::Nodegroup` | 
| AWS Elastic Beanstalk | `AWS::ElasticBeanstalk::Environment` | 
| Elastic Load Balancing | `AWS::ElasticLoadBalancing::LoadBalancer`, `AWS::ElasticLoadBalancingV2::Listener`, `AWS::ElasticLoadBalancingV2::LoadBalancer` | 
| ElasticSearch | `AWS::Elasticsearch::Domain` | 
| Amazon EMR | `AWS::EMR::SecurityConfiguration` | 
| AWS Glue | `AWS::Glue::Job`, `AWS::Glue::MLTransform` | 
| AWS Identity and Access Management (IAM) | `AWS::IAM::Group`, `AWS::IAM::Policy`, `AWS::IAM::Role`, `AWS::IAM::User` | 
| Amazon Kinesis | `AWS::Kinesis::Stream` | 
| AWS Key Management Service (AWS KMS) | `AWS::KMS::Key` | 
| AWS Lambda | `AWS::Lambda::Function` | 
| Amazon Managed Streaming for Apache Kafka (Amazon MSK) | `AWS::MSK::Cluster`, `AWS::KafkaConnect::Connector` | 
| AWS Network Firewall | `AWS::NetworkFirewall::Firewall`, `AWS::NetworkFirewall::FirewallPolicy`, `AWS::NetworkFirewall::RuleGroup` | 
| Amazon OpenSearch Service | `AWS::OpenSearch::Domain` | 
| Amazon Relational Database Service (Amazon RDS) | `AWS::RDS::DBCluster`, `AWS::RDS::DBClusterSnapshot`, `AWS::RDS::DBInstance`, `AWS::RDS::DBProxy`, `AWS::RDS::DBSnapshot`, `AWS::RDS::EventSubscription`, `AWS::RDS::GlobalCluster` | 
| Amazon Redshift | `AWS::Redshift::Cluster`, `AWS::Redshift::ClusterSubnetGroup` | 
| Amazon Redshift Serverless | `AWS::RedshiftServerless::Workgroup` | 
| Amazon Route 53 | `AWS::Route53::HostedZone` | 
| Amazon Simple Storage Service (Amazon S3) | `AWS::S3::AccessPoint`, `AWS::S3::AccountPublicAccessBlock`, `AWS::S3::Bucket`, `AWS::S3::MultiRegionAccessPoint`, `AWS::S3Express::DirectoryBucket` | 
| Amazon SageMaker AI | `AWS::SageMaker::FeatureGroup`, `AWS::SageMaker::Model`, `AWS::SageMaker::NotebookInstance` | 
| Amazon Simple Notification Service (Amazon SNS) | `AWS::SNS::Topic` | 
| Amazon Simple Queue Service (Amazon SQS) | `AWS::SQS::Queue` | 
| AWS Secrets Manager | `AWS::SecretsManager::Secret` | 
| AWS Step Functions | `AWS::StepFunctions::StateMachine` | 
| AWS Transfer Family | `AWS::Transfer::Connector` | 
| AWS WAF | `AWS::WAF::Rule`, `AWS::WAF::RuleGroup`, `AWS::WAF::WebACL`, `AWS::WAFRegional::Rule`, `AWS::WAFRegional::RuleGroup`, `AWS::WAFRegional::WebACL`, `AWS::WAFv2::RuleGroup`, `AWS::WAFv2::WebACL` | 
| Amazon WorkSpaces | `AWS::WorkSpaces::WorkSpace` | 

## Required resources for the CIS AWS Foundations Benchmark
<a name="securityhub-standards-cis-config-resources"></a>

To run security checks for enabled controls that apply to the Center for Internet Security (CIS) AWS Foundations Benchmark, Security Hub CSPM either runs the exact audit steps prescribed for the checks or uses specific AWS Config managed rules. For information about this standard in Security Hub CSPM, see [CIS AWS Foundations Benchmark in Security Hub CSPM](cis-aws-foundations-benchmark.md).

### Required resources for CIS v5.0.0
<a name="cis-5.0-config-resources"></a>

For Security Hub CSPM to accurately report findings for enabled CIS v5.0.0 change-triggered controls that use an AWS Config rule, you must record the following resource types in AWS Config.


| AWS service | Resource types | 
| --- | --- | 
| Amazon Elastic Compute Cloud (Amazon EC2) | `AWS::EC2::Instance`, `AWS::EC2::NetworkAcl`, `AWS::EC2::SecurityGroup`, `AWS::EC2::VPC` | 
| Amazon Elastic File System (Amazon EFS) | `AWS::EFS::FileSystem` | 
| AWS Identity and Access Management (IAM) | `AWS::IAM::Group`, `AWS::IAM::User`, `AWS::IAM::Role` | 
| Amazon Relational Database Service (Amazon RDS) | `AWS::RDS::DBInstance`, `AWS::RDS::DBCluster` | 
| Amazon Simple Storage Service (Amazon S3) | `AWS::S3::Bucket` | 
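
One way to check configuration recorders against the CIS v5.0.0 table above, as an added example rather than AWS-provided code. It evaluates the `recordingGroup` objects returned by `aws configservice describe-configuration-recorders`; the recorder names and sample JSON are constructed, and the exclusion branch assumes that every type not explicitly excluded is recorded.

```python
import json

# Resource types from the CIS v5.0.0 table on this page.
CIS_V5_REQUIRED = {
    "AWS::EC2::Instance", "AWS::EC2::NetworkAcl", "AWS::EC2::SecurityGroup",
    "AWS::EC2::VPC", "AWS::EFS::FileSystem", "AWS::IAM::Group",
    "AWS::IAM::User", "AWS::IAM::Role", "AWS::RDS::DBInstance",
    "AWS::RDS::DBCluster", "AWS::S3::Bucket",
}
# Global IAM types: under allSupported they are recorded only when
# includeGlobalResourceTypes is true.
GLOBAL_IAM_TYPES = {"AWS::IAM::Group", "AWS::IAM::Policy",
                    "AWS::IAM::Role", "AWS::IAM::User"}

# Constructed sample in the shape of describe-configuration-recorders output.
SAMPLE = json.loads("""
{"ConfigurationRecorders": [
  {"name": "all-with-global", "recordingGroup":
    {"allSupported": true, "includeGlobalResourceTypes": true}},
  {"name": "all-no-global", "recordingGroup":
    {"allSupported": true, "includeGlobalResourceTypes": false}},
  {"name": "inclusion-list", "recordingGroup":
    {"allSupported": false,
     "resourceTypes": ["AWS::EC2::Instance", "AWS::EC2::SecurityGroup",
                       "AWS::S3::Bucket", "AWS::IAM::User"],
     "recordingStrategy": {"useOnly": "INCLUSION_BY_RESOURCE_TYPES"}}},
  {"name": "exclusion-list", "recordingGroup":
    {"allSupported": false,
     "exclusionByResourceTypes": {"resourceTypes": ["AWS::EC2::VPC"]},
     "recordingStrategy": {"useOnly": "EXCLUSION_BY_RESOURCE_TYPES"}}}
]}
""")


def missing_types(group, required):
    """Return the required resource types that this recordingGroup omits."""
    strategy = (group.get("recordingStrategy") or {}).get("useOnly")
    included = set(group.get("resourceTypes") or [])
    excluded = set((group.get("exclusionByResourceTypes") or {})
                   .get("resourceTypes") or [])
    if strategy == "EXCLUSION_BY_RESOURCE_TYPES" or (strategy is None and excluded):
        # Assumption: everything not explicitly excluded is recorded.
        return sorted(required & excluded)
    if strategy == "ALL_SUPPORTED_RESOURCE_TYPES" or group.get("allSupported"):
        if group.get("includeGlobalResourceTypes"):
            return []
        return sorted(required & GLOBAL_IAM_TYPES)
    # Inclusion list (or an empty group): only the listed types are recorded.
    return sorted(required - included)


def audit(describe_output, required=CIS_V5_REQUIRED):
    """Map each recorder name to the required types it does not record."""
    return {r["name"]: missing_types(r.get("recordingGroup") or {}, required)
            for r in describe_output["ConfigurationRecorders"]}


if __name__ == "__main__":
    for name, missing in audit(SAMPLE).items():
        print(f"{name}: {'OK' if not missing else 'missing ' + ', '.join(missing)}")
```

A stopped recorder records nothing regardless of its recording group, so also confirm `recording` is true in the output of `aws configservice describe-configuration-recorder-status`.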

### Required resources for CIS v3.0.0
<a name="cis-3.0-config-resources"></a>

For Security Hub CSPM to accurately report findings for enabled CIS v3.0.0 change-triggered controls that use an AWS Config rule, you must record the following resource types in AWS Config.


| AWS service | Resource types | 
| --- | --- | 
| Amazon Elastic Compute Cloud (Amazon EC2) | `AWS::EC2::Instance`, `AWS::EC2::NetworkAcl`, `AWS::EC2::SecurityGroup`, `AWS::EC2::VPC` | 
| AWS Identity and Access Management (IAM) | `AWS::IAM::Group`, `AWS::IAM::User`, `AWS::IAM::Role` | 
| Amazon Relational Database Service (Amazon RDS) | `AWS::RDS::DBInstance` | 
| Amazon Simple Storage Service (Amazon S3) | `AWS::S3::Bucket` | 

### Required resources for CIS v1.4.0
<a name="cis-1.4-config-resources"></a>

For Security Hub CSPM to accurately report findings for enabled CIS v1.4.0 change-triggered controls that use an AWS Config rule, you must record the following resource types in AWS Config.


| AWS service | Resource types | 
| --- | --- | 
| Amazon Elastic Compute Cloud (Amazon EC2) | `AWS::EC2::NetworkAcl`, `AWS::EC2::SecurityGroup` | 
| AWS Identity and Access Management (IAM) | `AWS::IAM::Policy`, `AWS::IAM::User` | 
| Amazon Relational Database Service (Amazon RDS) | `AWS::RDS::DBInstance` | 
| Amazon Simple Storage Service (Amazon S3) | `AWS::S3::Bucket` | 

### Required resources for CIS v1.2.0
<a name="cis-1.2-config-resources"></a>

For Security Hub CSPM to accurately report findings for enabled CIS v1.2.0 change-triggered controls that use an AWS Config rule, you must record the following resource types in AWS Config.


| AWS service | Resource types | 
| --- | --- | 
| Amazon Elastic Compute Cloud (Amazon EC2) | `AWS::EC2::SecurityGroup` | 
| AWS Identity and Access Management (IAM) | `AWS::IAM::Policy`, `AWS::IAM::User` | 

## Required resources for the NIST SP 800-53 Revision 5 standard
<a name="nist-config-resources"></a>

For Security Hub CSPM to accurately report findings for change-triggered controls that apply to the NIST SP 800-53 Revision 5 standard, are enabled, and use an AWS Config rule, you must record the following resource types in AWS Config. For information about this standard, see [NIST SP 800-53 Revision 5 in Security Hub CSPM](standards-reference-nist-800-53.md).


| AWS service | Resource types | 
| --- | --- | 
| Amazon API Gateway | `AWS::ApiGateway::Stage`, `AWS::ApiGatewayV2::Stage` | 
| AWS AppSync | `AWS::AppSync::GraphQLApi` | 
| AWS Backup | `AWS::Backup::RecoveryPoint` | 
| AWS Certificate Manager (ACM) | `AWS::ACM::Certificate` | 
| AWS CloudFormation | `AWS::CloudFormation::Stack` | 
| Amazon CloudFront | `AWS::CloudFront::Distribution` | 
| Amazon CloudWatch | `AWS::CloudWatch::Alarm` | 
| AWS CodeBuild | `AWS::CodeBuild::Project` | 
| AWS Database Migration Service (AWS DMS) | `AWS::DMS::Endpoint`, `AWS::DMS::ReplicationInstance`, `AWS::DMS::ReplicationTask` | 
| Amazon DynamoDB | `AWS::DynamoDB::Table` | 
| Amazon Elastic Compute Cloud (Amazon EC2) | `AWS::EC2::ClientVpnEndpoint`, `AWS::EC2::EIP`, `AWS::EC2::Instance`, `AWS::EC2::LaunchTemplate`, `AWS::EC2::NetworkAcl`, `AWS::EC2::NetworkInterface`, `AWS::EC2::SecurityGroup`, `AWS::EC2::Subnet`, `AWS::EC2::TransitGateway`, `AWS::EC2::VPNConnection`, `AWS::EC2::Volume` | 
| Amazon EC2 Auto Scaling | `AWS::AutoScaling::AutoScalingGroup`, `AWS::AutoScaling::LaunchConfiguration` | 
| Amazon Elastic Container Registry (Amazon ECR) | `AWS::ECR::Repository` | 
| Amazon Elastic Container Service (Amazon ECS) | `AWS::ECS::Cluster`, `AWS::ECS::Service`, `AWS::ECS::TaskDefinition` | 
| Amazon Elastic File System (Amazon EFS) | `AWS::EFS::AccessPoint` | 
| Amazon Elastic Kubernetes Service (Amazon EKS) | `AWS::EKS::Cluster` | 
| AWS Elastic Beanstalk | `AWS::ElasticBeanstalk::Environment` | 
| Elastic Load Balancing | `AWS::ElasticLoadBalancing::LoadBalancer`, `AWS::ElasticLoadBalancingV2::Listener`, `AWS::ElasticLoadBalancingV2::LoadBalancer` | 
| Amazon ElasticSearch | `AWS::Elasticsearch::Domain` | 
| Amazon EMR | `AWS::EMR::SecurityConfiguration` | 
| Amazon EventBridge | `AWS::Events::Endpoint`, `AWS::Events::EventBus` | 
| AWS Glue | `AWS::Glue::Job` | 
| AWS Identity and Access Management (IAM) | `AWS::IAM::Group`, `AWS::IAM::Policy`, `AWS::IAM::Role`, `AWS::IAM::User` | 
| AWS Key Management Service (AWS KMS) | `AWS::KMS::Alias`, `AWS::KMS::Key` | 
| Amazon Kinesis | `AWS::Kinesis::Stream` | 
| AWS Lambda | `AWS::Lambda::Function` | 
| Amazon Managed Streaming for Apache Kafka (Amazon MSK) | `AWS::MSK::Cluster` | 
| Amazon MQ | `AWS::AmazonMQ::Broker` | 
| AWS Network Firewall | `AWS::NetworkFirewall::Firewall`, `AWS::NetworkFirewall::FirewallPolicy`, `AWS::NetworkFirewall::RuleGroup` | 
| Amazon OpenSearch Service | `AWS::OpenSearch::Domain` | 
| Amazon Relational Database Service (Amazon RDS) | `AWS::RDS::DBCluster`, `AWS::RDS::DBClusterSnapshot`, `AWS::RDS::DBInstance`, `AWS::RDS::DBSnapshot`, `AWS::RDS::EventSubscription` | 
| Amazon Redshift | `AWS::Redshift::Cluster`, `AWS::Redshift::ClusterSubnetGroup` | 
| Amazon Route 53 | `AWS::Route53::HostedZone` | 
| Amazon Simple Storage Service (Amazon S3) | `AWS::S3::AccessPoint`, `AWS::S3::AccountPublicAccessBlock`, `AWS::S3::Bucket` | 
| AWS Service Catalog | `AWS::ServiceCatalog::Portfolio` | 
| Amazon Simple Notification Service (Amazon SNS) | `AWS::SNS::Topic` | 
| Amazon Simple Queue Service (Amazon SQS) | `AWS::SQS::Queue` | 
| Amazon EC2 Systems Manager (SSM)  | `AWS::SSM::AssociationCompliance`, `AWS::SSM::ManagedInstanceInventory`, `AWS::SSM::PatchCompliance` | 
| Amazon SageMaker AI | `AWS::SageMaker::NotebookInstance` | 
| AWS Secrets Manager | `AWS::SecretsManager::Secret` | 
| AWS Transfer Family | `AWS::Transfer::Connector` | 
| AWS WAF | `AWS::WAF::Rule`, `AWS::WAF::RuleGroup`, `AWS::WAF::WebACL`, `AWS::WAFRegional::Rule`, `AWS::WAFRegional::RuleGroup`, `AWS::WAFRegional::WebACL`, `AWS::WAFv2::RuleGroup`, `AWS::WAFv2::WebACL` | 

## Required resources for the NIST SP 800-171 Revision 2 standard
<a name="nist-800-171-config-resources"></a>

For Security Hub CSPM to accurately report findings for change-triggered controls that apply to the NIST SP 800-171 Revision 2 standard, are enabled, and use an AWS Config rule, you must record the following resource types in AWS Config. For information about this standard, see [NIST SP 800-171 Revision 2 in Security Hub CSPM](standards-reference-nist-800-171.md).


| AWS service | Resource types | 
| --- | --- | 
| AWS Certificate Manager (ACM) | `AWS::ACM::Certificate` | 
| Amazon API Gateway | `AWS::ApiGateway::Stage` | 
| Amazon CloudFront | `AWS::CloudFront::Distribution` | 
| Amazon CloudWatch | `AWS::CloudWatch::Alarm` | 
| Amazon Elastic Compute Cloud (Amazon EC2) | `AWS::EC2::ClientVpnEndpoint`, `AWS::EC2::NetworkAcl`, `AWS::EC2::SecurityGroup`, `AWS::EC2::VPC`, `AWS::EC2::VPNConnection` | 
| Elastic Load Balancing | `AWS::ElasticLoadBalancing::LoadBalancer` | 
| AWS Identity and Access Management (IAM) | `AWS::IAM::Policy`, `AWS::IAM::User` | 
| AWS Key Management Service (AWS KMS) | `AWS::KMS::Alias`, `AWS::KMS::Key` | 
| AWS Network Firewall | `AWS::NetworkFirewall::FirewallPolicy`, `AWS::NetworkFirewall::RuleGroup` | 
| Amazon Simple Storage Service (Amazon S3) | `AWS::S3::Bucket` | 
| Amazon Simple Notification Service (Amazon SNS) | `AWS::SNS::Topic` | 
| AWS Systems Manager (SSM) | `AWS::SSM::PatchCompliance` | 
| AWS WAF | `AWS::WAFv2::RuleGroup` | 

## Required resources for PCI DSS v3.2.1
<a name="securityhub-standards-pci-config-resources"></a>

For Security Hub CSPM to accurately report findings for controls that apply to the Payment Card Industry Data Security Standard (PCI DSS) v3.2.1, are enabled, and use an AWS Config rule, you must record the following resource types in AWS Config. For information about this standard, see [PCI DSS in Security Hub CSPM](pci-standard.md).


| AWS service | Resource types | 
| --- | --- | 
| AWS CodeBuild | `AWS::CodeBuild::Project` | 
| Amazon Elastic Compute Cloud (Amazon EC2) | `AWS::EC2::EIP`, `AWS::EC2::Instance`, `AWS::EC2::SecurityGroup` | 
| Amazon EC2 Auto Scaling | `AWS::AutoScaling::AutoScalingGroup` | 
| AWS Identity and Access Management (IAM) | `AWS::IAM::Policy`, `AWS::IAM::User` | 
| AWS Lambda | `AWS::Lambda::Function` | 
| Amazon OpenSearch Service | `AWS::OpenSearch::Domain` | 
| Amazon Relational Database Service (Amazon RDS) | `AWS::RDS::DBClusterSnapshot`, `AWS::RDS::DBInstance`, `AWS::RDS::DBSnapshot` | 
| Amazon Redshift | `AWS::Redshift::Cluster` | 
| Amazon Simple Storage Service (Amazon S3) | `AWS::S3::AccountPublicAccessBlock`, `AWS::S3::Bucket` | 
| Amazon EC2 Systems Manager (SSM)  | `AWS::SSM::AssociationCompliance`, `AWS::SSM::ManagedInstanceInventory`, `AWS::SSM::PatchCompliance` | 

## Required resources for the AWS Resource Tagging standard
<a name="tagging-config-resources"></a>

All controls that apply to the AWS Resource Tagging standard are change triggered and use an AWS Config rule. For Security Hub CSPM to accurately report findings for these controls, you must record the following resource types in AWS Config. For information about this standard, see [AWS Resource Tagging standard in Security Hub CSPM](standards-tagging.md).


| AWS service | Resource types | 
| --- | --- | 
| AWS Amplify | `AWS::Amplify::App`, `AWS::Amplify::Branch` | 
| Amazon AppFlow  | `AWS::AppFlow::Flow` | 
| AWS App Runner  | `AWS::AppRunner::Service`, `AWS::AppRunner::VpcConnector` | 
| AWS AppConfig  | `AWS::AppConfig::Application`, `AWS::AppConfig::ConfigurationProfile`, `AWS::AppConfig::Environment`, `AWS::AppConfig::ExtensionAssociation` | 
| AWS AppSync  | `AWS::AppSync::GraphQLApi` | 
| Amazon Athena  | `AWS::Athena::DataCatalog`, `AWS::Athena::WorkGroup` | 
| AWS Backup | `AWS::Backup::BackupPlan`, `AWS::Backup::BackupVault`, `AWS::Backup::RecoveryPlan`, `AWS::Backup::ReportPlan` | 
| AWS Batch  | `AWS::Batch::ComputeEnvironment`, `AWS::Batch::JobQueue`, `AWS::Batch::SchedulingPolicy` | 
| AWS Certificate Manager (ACM)  | `AWS::ACM::Certificate` | 
| AWS CloudFormation  | `AWS::CloudFormation::Stack` | 
| Amazon CloudFront  | `AWS::CloudFront::Distribution` | 
| AWS CloudTrail  | `AWS::CloudTrail::Trail` | 
| AWS CodeArtifact  | `AWS::CodeArtifact::Repository` | 
| Amazon CodeGuru  | `AWS::CodeGuruProfiler::ProfilingGroup`, `AWS::CodeGuruReviewer::RepositoryAssociation` | 
| Amazon Connect  | `AWS::CustomerProfiles::ObjectType` | 
| AWS Database Migration Service (AWS DMS)  | `AWS::DMS::Certificate`, `AWS::DMS::EventSubscription`, `AWS::DMS::ReplicationInstance`, `AWS::DMS::ReplicationSubnetGroup` | 
| AWS DataSync | `AWS::DataSync::Task` | 
| Amazon Detective  | `AWS::Detective::Graph` | 
| Amazon DynamoDB  | `AWS::DynamoDB::Trail` | 
| Amazon Elastic Compute Cloud (EC2)  | `AWS::EC2::CustomerGateway`, `AWS::EC2::DHCPOptions`, `AWS::EC2::EIP`, `AWS::EC2::FlowLog`, `AWS::EC2::Instance`, `AWS::EC2::InternetGateway`, `AWS::EC2::LaunchTemplate`, `AWS::EC2::NatGateway`, `AWS::EC2::NetworkAcl`, `AWS::EC2::NetworkInterface`, `AWS::EC2::PrefixList`, `AWS::EC2::RouteTable`, `AWS::EC2::SecurityGroup`, `AWS::EC2::Subnet`, `AWS::EC2::TrafficMirrorFilter`, `AWS::EC2::TrafficMirrorSession`, `AWS::EC2::TrafficMirrorTarget`, `AWS::EC2::TransitGateway`, `AWS::EC2::TransitGatewayAttachment`, `AWS::EC2::TransitGatewayRouteTable`, `AWS::EC2::Volume`, `AWS::EC2::VPC`, `AWS::EC2::VPCEndpointService`, `AWS::EC2::VPCPeeringConnection`, `AWS::EC2::VPNGateway` | 
| Amazon EC2 Auto Scaling  | `AWS::AutoScaling::AutoScalingGroup` | 
| Amazon Elastic Container Registry (Amazon ECR)  | `AWS::ECR::PublicRepository` | 
| Amazon Elastic Container Service (Amazon ECS)  | `AWS::ECS::Cluster`, `AWS::ECS::Service`, `AWS::ECS::TaskDefinition` | 
| Amazon Elastic File System (Amazon EFS)  | `AWS::EFS::AccessPoint` | 
| Amazon Elastic Kubernetes Service (Amazon EKS)  | `AWS::EKS::Cluster`, `AWS::EKS::IdentityProviderConfig` | 
| AWS Elastic Beanstalk | `AWS::ElasticBeanstalk::Environment` | 
| ElasticSearch  | `AWS::Elasticsearch::Domain` | 
| Amazon EventBridge  | `AWS::Events::EventBus` | 
| Amazon Fraud Detector  | `AWS::FraudDetector::EntityType`, `AWS::FraudDetector::Label`, `AWS::FraudDetector::Outcome`, `AWS::FraudDetector::Variable` | 
| AWS Global Accelerator  | `AWS::GlobalAccelerator::Accelerator` | 
| AWS Glue  | `AWS::Glue::Job` | 
| Amazon GuardDuty  | `AWS::GuardDuty::Detector`, `AWS::GuardDuty::Filter`, `AWS::GuardDuty::IPSet` | 
| AWS Identity and Access Management (IAM)  | `AWS::IAM::Role`, `AWS::IAM::User` | 
| AWS Identity and Access Management Access Analyzer (IAM Access Analyzer)  | `AWS::AccessAnalyzer::Analyzer` | 
| AWS IoT  | `AWS::IoT::Authorizer`, `AWS::IoT::Dimension`, `AWS::IoT::MitigationAction`, `AWS::IoT::Policy`, `AWS::IoT::RoleAlias`, `AWS::IoT::SecurityProfile` | 
| AWS IoT Events  | `AWS::IoTEvents::AlarmModel`, `AWS::IoTEvents::DetectorModel`, `AWS::IoTEvents::Input` | 
| AWS IoT SiteWise  | `AWS::IoTSiteWise::Dashboard`, `AWS::IoTSiteWise::Gateway`, `AWS::IoTSiteWise::Portal`, `AWS::IoTSiteWise::Project` | 
| AWS IoT TwinMaker  | `AWS::IoTTwinMaker::Entity`, `AWS::IoTTwinMaker::Scene`, `AWS::IoTTwinMaker::SyncJob`, `AWS::IoTTwinMaker::Workspace` | 
| AWS IoT Wireless  | `AWS::IoTWireless::FuotaTask`, `AWS::IoTWireless::MulticastGroup`, `AWS::IoTWireless::ServiceProfile` | 
| Amazon Interactive Video Service (Amazon IVS)  | `AWS::IVS::Channel`, `AWS::IVS::PlaybackKeyPair`, `AWS::IVS::RecordingConfiguration` | 
| Amazon Keyspaces (for Apache Cassandra)  | `AWS::Cassandra::Keyspace` | 
| Amazon Kinesis  | `AWS::Kinesis::Stream` | 
| AWS Lambda  | `AWS::Lambda::Function` | 
| Amazon MQ  | `AWS::AmazonMQ::Broker` | 
| AWS Network Firewall  | `AWS::NetworkFirewall::Firewall`, `AWS::NetworkFirewall::FirewallPolicy` | 
| Amazon OpenSearch Service | `AWS::OpenSearch::Domain` | 
| AWS Private Certificate Authority | `AWS::ACMPCA::CertificateAuthority` | 
| Amazon Relational Database Service  | `AWS::RDS::DBCluster`, `AWS::RDS::DBClusterSnapshot`, `AWS::RDS::DBInstance`, `AWS::RDS::DBSecurityGroup`, `AWS::RDS::DBSnapshot`, `AWS::RDS::DBSubnetGroup` | 
| Amazon Redshift  | `AWS::Redshift::Cluster`, `AWS::Redshift::ClusterParameterGroup`, `AWS::Redshift::ClusterSnapshot`, `AWS::Redshift::ClusterSubnetGroup`, `AWS::Redshift::EventSubscription` | 
| Amazon Route 53  | `AWS::Route53::HealthCheck` | 
| Amazon SageMaker AI | `AWS::SageMaker::AppImageConfig`, `AWS::SageMaker::Image` | 
| AWS Secrets Manager  | `AWS::SecretsManager::Secret` | 
| Amazon Simple Email Service (Amazon SES)  | `AWS::SES::ConfigurationSet`, `AWS::SES::ContactList` | 
| Amazon Simple Notification Service (Amazon SNS)  | `AWS::SNS::Topic` | 
| Amazon Simple Queue Service (Amazon SQS)  | `AWS::SQS::Queue` | 
| AWS Step Functions  | `AWS::StepFunctions::Activity` | 
| AWS Systems Manager (SSM) | `AWS::SSM::Document` | 
| AWS Transfer Family | `AWS::Transfer::Agreement`, `AWS::Transfer::Certificate`, `AWS::Transfer::Connector`, `AWS::Transfer::Profile`, `AWS::Transfer::Workflow` | 