


# AWS Config resources required for control findings
<a name="controls-config-resources"></a>

In AWS Security Hub CSPM, some controls use service-linked AWS Config rules to detect configuration changes in resources. For Security Hub CSPM to generate accurate findings for these controls, you must enable AWS Config and turn on resource recording in AWS Config. For information about how Security Hub CSPM uses AWS Config rules, and how to enable and configure AWS Config, see [Enabling and configuring AWS Config for Security Hub CSPM](securityhub-setup-prereqs.md). For details about resource recording, see [Working with the configuration recorder](https://docs.aws.amazon.com/config/latest/developerguide/stop-start-recorder.html) in the *AWS Config Developer Guide*.

To get accurate control findings, you must turn on AWS Config resource recording for enabled controls that use the *change-triggered* schedule type. Some controls with the *periodic* schedule type also require resource recording. This page lists the resources that these Security Hub CSPM controls require.

Security Hub CSPM controls can rely on AWS Config managed rules or on custom Security Hub CSPM rules. Make sure that no AWS Identity and Access Management (IAM) policy or AWS Organizations managed policy blocks AWS Config from having the permissions it needs to record resources. Security Hub CSPM controls evaluate resource configurations directly and do not take AWS Organizations policies into account.

**Note**  
If a control is not available in an AWS Region, the corresponding resource is not available in AWS Config in that Region. For a list of these limitations, see [Regional limits for Security Hub CSPM controls](regions-controls.md).

**Topics**
+ [Resources required for all Security Hub CSPM controls](#all-controls-config-resources)
+ [Resources required for the AWS Foundational Security Best Practices standard](#securityhub-standards-fsbp-config-resources)
+ [Resources required for the CIS AWS Foundations Benchmark](#securityhub-standards-cis-config-resources)
+ [Resources required for the NIST SP 800-53 Revision 5 standard](#nist-config-resources)
+ [Resources required for the NIST SP 800-171 Revision 2 standard](#nist-800-171-config-resources)
+ [Resources required for PCI DSS v3.2.1](#securityhub-standards-pci-config-resources)
+ [Resources required for the AWS Resource Tagging standard](#tagging-config-resources)

## Resources required for all Security Hub CSPM controls
<a name="all-controls-config-resources"></a>

For Security Hub CSPM to generate findings for enabled change-triggered controls that use AWS Config rules, you must record the following types of resources in AWS Config. The list also indicates which controls evaluate a particular type of resource. A control can evaluate multiple types of resources.



- **AWS Amplify**
  - **Resource type:** AWS::Amplify::App / **Related controls:** Amplify.1
  - **Resource type:** AWS::Amplify::Branch / **Related controls:** Amplify.2

- **Amazon API Gateway**
  - **Resource type:** AWS::ApiGateway::Stage / **Related controls:** APIGateway.1<br />APIGateway.2<br />APIGateway.3<br />APIGateway.4<br />APIGateway.5
  - **Resource type:** AWS::ApiGatewayV2::Stage / **Related controls:** APIGateway.1<br />APIGateway.9
  - **Resource type:** AWS::ApiGateway::DomainName / **Related controls:** APIGateway.11

- **AWS AppConfig**
  - **Resource type:** AWS::AppConfig::Application / **Related controls:** AppConfig.1
  - **Resource type:** AWS::AppConfig::ConfigurationProfile / **Related controls:** AppConfig.2
  - **Resource type:** AWS::AppConfig::Environment / **Related controls:** AppConfig.3
  - **Resource type:** AWS::AppConfig::ExtensionAssociation / **Related controls:** AppConfig.4

- **Amazon AppFlow**
  - **Resource type:** AWS::AppFlow::Flow / **Related controls:** AppFlow.1

- **AWS App Runner**
  - **Resource type:** AWS::AppRunner::Service / **Related controls:** AppRunner.1
  - **Resource type:** AWS::AppRunner::VpcConnector / **Related controls:** AppRunner.2

- **AWS AppSync**
  - **Resource type:** AWS::AppSync::GraphQLApi / **Related controls:** AppSync.2<br />AppSync.4<br />AppSync.5
  - **Resource type:** AWS::AppSync::ApiCache / **Related controls:** AppSync.1<br />AppSync.6

- **AWS Backup**
  - **Resource type:** AWS::Backup::BackupPlan / **Related controls:** Backup.5
  - **Resource type:** AWS::Backup::BackupVault / **Related controls:** Backup.3
  - **Resource type:** AWS::Backup::RecoveryPoint / **Related controls:** Backup.1<br />Backup.2
  - **Resource type:** AWS::Backup::ReportPlan / **Related controls:** Backup.4

- **AWS Batch**
  - **Resource type:** AWS::Batch::ComputeEnvironment / **Related controls:** Batch.3<br />Batch.4
  - **Resource type:** AWS::Batch::JobQueue / **Related controls:** Batch.1
  - **Resource type:** AWS::Batch::SchedulingPolicy / **Related controls:** Batch.2

- **Amazon Bedrock AgentCore**
  - **Resource type:** AWS::BedrockAgentCore::Gateway / **Related controls:** BedrockAgentCore.2
  - **Resource type:** AWS::BedrockAgentCore::Runtime / **Related controls:** BedrockAgentCore.1

- **AWS Certificate Manager (ACM)**
  - **Resource type:** AWS::ACM::Certificate / **Related controls:** ACM.1<br />ACM.2<br />ACM.3

- **Amazon Athena**
  - **Resource type:** AWS::Athena::DataCatalog / **Related controls:** Athena.2
  - **Resource type:** AWS::Athena::WorkGroup / **Related controls:** Athena.3<br />Athena.4

- **AWS CloudFormation**
  - **Resource type:** AWS::CloudFormation::Stack / **Related controls:** CloudFormation.2<br />CloudFormation.3<br />CloudFormation.4

- **Amazon CloudFront**
  - **Resource type:** AWS::CloudFront::Distribution / **Related controls:** CloudFront.1<br />CloudFront.3<br />CloudFront.4<br />CloudFront.5<br />CloudFront.6<br />CloudFront.7<br />CloudFront.8<br />CloudFront.9<br />CloudFront.10<br />CloudFront.13<br />CloudFront.14<br />CloudFront.15<br />CloudFront.16<br />CloudFront.17

- **AWS CloudTrail**
  - **Resource type:** AWS::CloudTrail::Trail / **Related controls:** CloudTrail.9
  - **Resource type:** AWS::CloudTrail::EventDataStore / **Related controls:** CloudTrail.11

- **Amazon CloudWatch**
  - **Resource type:** AWS::CloudWatch::Alarm / **Related controls:** CloudWatch.15<br />CloudWatch.17

- **AWS CodeArtifact**
  - **Resource type:** AWS::CodeArtifact::Repository / **Related controls:** CodeArtifact.1

- **AWS CodeBuild**
  - **Resource type:** AWS::CodeBuild::Project / **Related controls:** CodeBuild.1<br />CodeBuild.2<br />CodeBuild.3<br />CodeBuild.4
  - **Resource type:** AWS::CodeBuild::ReportGroup / **Related controls:** CodeBuild.7

- **Amazon CodeGuru Profiler**
  - **Resource type:** AWS::CodeGuruProfiler::ProfilingGroup / **Related controls:** CodeGuruProfiler.1

- **Amazon CodeGuru Reviewer**
  - **Resource type:** AWS::CodeGuruReviewer::RepositoryAssociation / **Related controls:** CodeGuruReviewer.1

- **Amazon Cognito**
  - **Resource type:** AWS::Cognito::IdentityPool / **Related controls:** Cognito.2
  - **Resource type:** AWS::Cognito::UserPool / **Related controls:** Cognito.1<br />Cognito.3<br />Cognito.4<br />Cognito.5<br />Cognito.6

- **Amazon Connect**
  - **Resource type:** AWS::CustomerProfiles::ObjectType / **Related controls:** Connect.1
  - **Resource type:** AWS::Connect::Instance / **Related controls:** Connect.2

- **AWS DataSync**
  - **Resource type:** AWS::DataSync::Task / **Related controls:** DataSync.1<br />DataSync.2

- **Amazon Detective**
  - **Resource type:** AWS::Detective::Graph / **Related controls:** Detective.1

- **AWS Database Migration Service (AWS DMS)**
  - **Resource type:** AWS::DMS::Certificate / **Related controls:** DMS.2
  - **Resource type:** AWS::DMS::Endpoint / **Related controls:** DMS.9<br />DMS.10<br />DMS.11<br />DMS.12
  - **Resource type:** AWS::DMS::EventSubscription / **Related controls:** DMS.3
  - **Resource type:** AWS::DMS::ReplicationInstance / **Related controls:** DMS.4<br />DMS.6<br />DMS.13
  - **Resource type:** AWS::DMS::ReplicationSubnetGroup / **Related controls:** DMS.5
  - **Resource type:** AWS::DMS::ReplicationTask / **Related controls:** DMS.7<br />DMS.8

- **Amazon DynamoDB**
  - **Resource type:** AWS::DynamoDB::Table / **Related controls:** DynamoDB.1<br />DynamoDB.2<br />DynamoDB.5<br />DynamoDB.6

- **Amazon Elastic Compute Cloud (Amazon EC2)**
  - **Resource type:** AWS::EC2::ClientVpnEndpoint / **Related controls:** EC2.51
  - **Resource type:** AWS::EC2::CustomerGateway / **Related controls:** EC2.36
  - **Resource type:** AWS::EC2::DHCPOptions / **Related controls:** EC2.174
  - **Resource type:** AWS::EC2::EIP / **Related controls:** EC2.12<br />EC2.37
  - **Resource type:** AWS::EC2::FlowLog / **Related controls:** EC2.48
  - **Resource type:** AWS::EC2::Instance / **Related controls:** EC2.4<br />EC2.8<br />EC2.9<br />EC2.17<br />EC2.24<br />EC2.38<br />EMR.1<br />SSM.1
  - **Resource type:** AWS::EC2::InternetGateway / **Related controls:** EC2.39
  - **Resource type:** AWS::EC2::LaunchTemplate / **Related controls:** EC2.25<br />EC2.170<br />EC2.175<br />EC2.181
  - **Resource type:** AWS::EC2::NatGateway / **Related controls:** EC2.40
  - **Resource type:** AWS::EC2::NetworkAcl / **Related controls:** EC2.16<br />EC2.21<br />EC2.41
  - **Resource type:** AWS::EC2::NetworkInterface / **Related controls:** EC2.22<br />EC2.35<br />EC2.180
  - **Resource type:** AWS::EC2::PrefixList / **Related controls:** EC2.176
  - **Resource type:** AWS::EC2::RouteTable / **Related controls:** EC2.42
  - **Resource type:** AWS::EC2::SecurityGroup / **Related controls:** EC2.2<br />EC2.13<br />EC2.14<br />EC2.18<br />EC2.19<br />EC2.43
  - **Resource type:** AWS::EC2::SnapshotBlockPublicAccess / **Related controls:** EC2.182
  - **Resource type:** AWS::EC2::SpotFleet / **Related controls:** EC2.173
  - **Resource type:** AWS::EC2::Subnet / **Related controls:** EC2.15<br />EC2.44<br />ElastiCache.7
  - **Resource type:** AWS::EC2::TrafficMirrorFilter / **Related controls:** EC2.178
  - **Resource type:** AWS::EC2::TrafficMirrorSession / **Related controls:** EC2.177
  - **Resource type:** AWS::EC2::TrafficMirrorTarget / **Related controls:** EC2.179
  - **Resource type:** AWS::EC2::TransitGateway / **Related controls:** EC2.23<br />EC2.52
  - **Resource type:** AWS::EC2::TransitGatewayAttachment / **Related controls:** EC2.33
  - **Resource type:** AWS::EC2::TransitGatewayRouteTable / **Related controls:** EC2.34
  - **Resource type:** AWS::EC2::Volume / **Related controls:** EC2.3<br />EC2.45
  - **Resource type:** AWS::EC2::VPC / **Related controls:** EC2.6<br />EC2.46
  - **Resource type:** AWS::EC2::VPCBlockPublicAccessOptions / **Related controls:** EC2.172
  - **Resource type:** AWS::EC2::VPCEndpointService / **Related controls:** EC2.47
  - **Resource type:** AWS::EC2::VPCPeeringConnection / **Related controls:** EC2.49
  - **Resource type:** AWS::EC2::VPNConnection / **Related controls:** EC2.20<br />EC2.171<br />EC2.183
  - **Resource type:** AWS::EC2::VPNGateway / **Related controls:** EC2.50

- **Amazon EC2 Auto Scaling**
  - **Resource type:** AWS::AutoScaling::AutoScalingGroup / **Related controls:** AutoScaling.1<br />AutoScaling.2<br />AutoScaling.6<br />AutoScaling.9<br />AutoScaling.10
  - **Resource type:** AWS::AutoScaling::LaunchConfiguration / **Related controls:** AutoScaling.3<br />AutoScaling.5

- **Amazon EC2 Systems Manager (SSM)**
  - **Resource type:** AWS::SSM::AssociationCompliance / **Related controls:** SSM.3
  - **Resource type:** AWS::SSM::ManagedInstanceInventory / **Related controls:** SSM.1
  - **Resource type:** AWS::SSM::PatchCompliance / **Related controls:** SSM.2

- **Amazon Elastic Container Registry (Amazon ECR)**
  - **Resource type:** AWS::ECR::PublicRepository / **Related controls:** ECR.4
  - **Resource type:** AWS::ECR::Repository / **Related controls:** ECR.2<br />ECR.3<br />ECR.5

- **Amazon Elastic Container Service (Amazon ECS)**
  - **Resource type:** AWS::ECS::Cluster / **Related controls:** ECS.12<br />ECS.14
  - **Resource type:** AWS::ECS::CapacityProvider / **Related controls:** ECS.19
  - **Resource type:** AWS::ECS::Service / **Related controls:** ECS.2<br />ECS.10<br />ECS.13
  - **Resource type:** AWS::ECS::TaskDefinition / **Related controls:** ECS.1<br />ECS.3<br />ECS.4<br />ECS.5<br />ECS.8<br />ECS.9<br />ECS.15<br />ECS.17<br />ECS.18<br />ECS.20<br />ECS.21
  - **Resource type:** AWS::ECS::TaskSet / **Related controls:** ECS.16

- **Amazon Elastic File System (Amazon EFS)**
  - **Resource type:** AWS::EFS::AccessPoint / **Related controls:** EFS.3<br />EFS.4<br />EFS.5
  - **Resource type:** AWS::EFS::FileSystem / **Related controls:** EFS.7<br />EFS.8

- **Amazon Elastic Kubernetes Service (Amazon EKS)**
  - **Resource type:** AWS::EKS::Cluster / **Related controls:** EKS.2<br />EKS.6<br />EKS.8
  - **Resource type:** AWS::EKS::IdentityProviderConfig / **Related controls:** EKS.7
  - **Resource type:** AWS::EKS::Nodegroup / **Related controls:** EKS.9

- **AWS Elastic Beanstalk**
  - **Resource type:** AWS::ElasticBeanstalk::Environment / **Related controls:** ElasticBeanstalk.1<br />ElasticBeanstalk.2<br />ElasticBeanstalk.3

- **Elastic Load Balancing**
  - **Resource type:** AWS::ElasticLoadBalancing::LoadBalancer / **Related controls:** ELB.2<br />ELB.3<br />ELB.5<br />ELB.7<br />ELB.8<br />ELB.9<br />ELB.10<br />ELB.14
  - **Resource type:** AWS::ElasticLoadBalancingV2::Listener / **Related controls:** ELB.17<br />ELB.18
  - **Resource type:** AWS::ElasticLoadBalancingV2::LoadBalancer / **Related controls:** ELB.1<br />ELB.4<br />ELB.5<br />ELB.6<br />ELB.12<br />ELB.13<br />ELB.16

- **ElasticSearch**
  - **Resource type:** AWS::Elasticsearch::Domain / **Related controls:** ES.3<br />ES.4<br />ES.5<br />ES.6<br />ES.7<br />ES.8<br />ES.9

- **Amazon EMR**
  - **Resource type:** AWS::EMR::SecurityConfiguration / **Related controls:** EMR.3<br />EMR.4

- **Amazon EventBridge**
  - **Resource type:** AWS::Events::EventBus / **Related controls:** EventBridge.2<br />EventBridge.3
  - **Resource type:** AWS::Events::Endpoint / **Related controls:** EventBridge.4

- **Amazon Fraud Detector**
  - **Resource type:** AWS::FraudDetector::EntityType / **Related controls:** FraudDetector.1
  - **Resource type:** AWS::FraudDetector::Label / **Related controls:** FraudDetector.2
  - **Resource type:** AWS::FraudDetector::Outcome / **Related controls:** FraudDetector.3
  - **Resource type:** AWS::FraudDetector::Variable / **Related controls:** FraudDetector.4

- **AWS Global Accelerator**
  - **Resource type:** AWS::GlobalAccelerator::Accelerator / **Related controls:** GlobalAccelerator.1

- **AWS Glue**
  - **Resource type:** AWS::Glue::Job / **Related controls:** Glue.1<br />Glue.4
  - **Resource type:** AWS::Glue::MLTransform / **Related controls:** Glue.3

- **Amazon GuardDuty**
  - **Resource type:** AWS::GuardDuty::Detector / **Related controls:** GuardDuty.4
  - **Resource type:** AWS::GuardDuty::Filter / **Related controls:** GuardDuty.2
  - **Resource type:** AWS::GuardDuty::IPSet / **Related controls:** GuardDuty.3

- **AWS Identity and Access Management (IAM)**
  - **Resource type:** AWS::IAM::Group / **Related controls:** IAM.27<br />KMS.2
  - **Resource type:** AWS::IAM::Policy / **Related controls:** IAM.1<br />IAM.21<br />KMS.1
  - **Resource type:** AWS::IAM::Role / **Related controls:** IAM.24<br />IAM.27<br />KMS.2
  - **Resource type:** AWS::IAM::User / **Related controls:** IAM.2<br />IAM.3<br />IAM.5<br />IAM.8<br />IAM.19<br />IAM.22<br />IAM.25<br />IAM.27<br />KMS.2

- **AWS Identity and Access Management Access Analyzer**
  - **Resource type:** AWS::AccessAnalyzer::Analyzer / **Related controls:** IAM.23

- **Amazon Interactive Video Service (Amazon IVS)**
  - **Resource type:** AWS::IVS::PlaybackKeyPair / **Related controls:** IVS.1
  - **Resource type:** AWS::IVS::RecordingConfiguration / **Related controls:** IVS.2
  - **Resource type:** AWS::IVS::Channel / **Related controls:** IVS.3

- **AWS IoT**
  - **Resource type:** AWS::IoT::Authorizer / **Related controls:** IoT.4
  - **Resource type:** AWS::IoT::Dimension / **Related controls:** IoT.3
  - **Resource type:** AWS::IoT::MitigationAction / **Related controls:** IoT.2
  - **Resource type:** AWS::IoT::Policy / **Related controls:** IoT.6
  - **Resource type:** AWS::IoT::RoleAlias / **Related controls:** IoT.5
  - **Resource type:** AWS::IoT::SecurityProfile / **Related controls:** IoT.1

- **AWS IoT Events**
  - **Resource type:** AWS::IoTEvents::AlarmModel / **Related controls:** IoTEvents.3
  - **Resource type:** AWS::IoTEvents::DetectorModel / **Related controls:** IoTEvents.2
  - **Resource type:** AWS::IoTEvents::Input / **Related controls:** IoTEvents.1

- **AWS IoT SiteWise**
  - **Resource type:** AWS::IoTSiteWise::AssetModel / **Related controls:** IoTSiteWise.1
  - **Resource type:** AWS::IoTSiteWise::Dashboard / **Related controls:** IoTSiteWise.2
  - **Resource type:** AWS::IoTSiteWise::Gateway / **Related controls:** IoTSiteWise.3
  - **Resource type:** AWS::IoTSiteWise::Portal / **Related controls:** IoTSiteWise.4
  - **Resource type:** AWS::IoTSiteWise::Project / **Related controls:** IoTSiteWise.5

- **AWS IoT TwinMaker**
  - **Resource type:** AWS::IoTTwinMaker::Entity / **Related controls:** IoTTwinMaker.4
  - **Resource type:** AWS::IoTTwinMaker::Scene / **Related controls:** IoTTwinMaker.3
  - **Resource type:** AWS::IoTTwinMaker::SyncJob / **Related controls:** IoTTwinMaker.1
  - **Resource type:** AWS::IoTTwinMaker::Workspace / **Related controls:** IoTTwinMaker.2

- **AWS IoT Wireless**
  - **Resource type:** AWS::IoTWireless::MulticastGroup / **Related controls:** IoTWireless.1
  - **Resource type:** AWS::IoTWireless::ServiceProfile / **Related controls:** IoTWireless.2
  - **Resource type:** AWS::IoTWireless::FuotaTask / **Related controls:** IoTWireless.3

- **Amazon Keyspaces (Apache Cassandra-compatible)**
  - **Resource type:** AWS::Cassandra::Keyspace / **Related controls:** Keyspaces.1

- **Amazon Kinesis**
  - **Resource type:** AWS::Kinesis::Stream / **Related controls:** Kinesis.1<br />Kinesis.2<br />Kinesis.3

- **AWS Key Management Service (AWS KMS)**
  - **Resource type:** AWS::KMS::Alias / **Related controls:** S3.17
  - **Resource type:** AWS::KMS::Key / **Related controls:** KMS.3<br />KMS.5<br />S3.17

- **AWS Lambda**
  - **Resource type:** AWS::Lambda::Function / **Related controls:** Lambda.1<br />Lambda.2<br />Lambda.3<br />Lambda.5<br />Lambda.6<br />Lambda.7

- **Amazon MSK**
  - **Resource type:** AWS::MSK::Cluster / **Related controls:** MSK.1<br />MSK.2<br />MSK.4<br />MSK.6
  - **Resource type:** AWS::KafkaConnect::Connector / **Related controls:** MSK.3<br />MSK.5

- **Amazon MQ**
  - **Resource type:** AWS::AmazonMQ::Broker / **Related controls:** MQ.2<br />MQ.3<br />MQ.4<br />MQ.5<br />MQ.6

- **AWS Network Firewall**
  - **Resource type:** AWS::NetworkFirewall::Firewall / **Related controls:** NetworkFirewall.1<br />NetworkFirewall.7<br />NetworkFirewall.9<br />NetworkFirewall.10
  - **Resource type:** AWS::NetworkFirewall::FirewallPolicy / **Related controls:** NetworkFirewall.3<br />NetworkFirewall.4<br />NetworkFirewall.5<br />NetworkFirewall.8
  - **Resource type:** AWS::NetworkFirewall::RuleGroup / **Related controls:** NetworkFirewall.6

- **Amazon OpenSearch Service**
  - **Resource type:** AWS::OpenSearch::Domain / **Related controls:** Opensearch.1<br />Opensearch.2<br />Opensearch.3<br />Opensearch.4<br />Opensearch.5<br />Opensearch.6<br />Opensearch.7<br />Opensearch.8<br />OpenSearch.9<br />Opensearch.10<br />Opensearch.11

- **AWS Private CA**
  - **Resource type:** AWS::ACMPCA::CertificateAuthority / **Related controls:** PCA.2

- **Amazon Relational Database Service (Amazon RDS)**
  - **Resource type:** AWS::RDS::DBCluster / **Related controls:** DocumentDB.1<br />DocumentDB.2<br />DocumentDB.4<br />DocumentDB.5<br />Neptune.1<br />Neptune.2<br />Neptune.4<br />Neptune.5<br />Neptune.7<br />Neptune.8<br />Neptune.9<br />RDS.7<br />RDS.12<br />RDS.14<br />RDS.15<br />RDS.16<br />RDS.24<br />RDS.27<br />RDS.28<br />RDS.34<br />RDS.35<br />RDS.37<br />RDS.47<br />RDS.48
  - **Resource type:** AWS::RDS::DBClusterSnapshot / **Related controls:** DocumentDB.3<br />Neptune.3<br />Neptune.6<br />RDS.1<br />RDS.4<br />RDS.29
  - **Resource type:** AWS::RDS::DBInstance / **Related controls:** RDS.2<br />RDS.3<br />RDS.5<br />RDS.6<br />RDS.8<br />RDS.9<br />RDS.10<br />RDS.11<br />RDS.13<br />RDS.17<br />RDS.18<br />RDS.23<br />RDS.25<br />RDS.30<br />RDS.36<br />RDS.40
  - **Resource type:** AWS::RDS::DBSecurityGroup / **Related controls:** RDS.31
  - **Resource type:** AWS::RDS::DBSnapshot / **Related controls:** RDS.1<br />RDS.4<br />RDS.32
  - **Resource type:** AWS::RDS::DBSubnetGroup / **Related controls:** RDS.33
  - **Resource type:** AWS::RDS::EventSubscription / **Related controls:** RDS.19<br />RDS.20<br />RDS.21<br />RDS.22
  - **Resource type:** AWS::RDS::GlobalCluster / **Related controls:** RDS.51

- **Amazon Redshift**
  - **Resource type:** AWS::Redshift::Cluster / **Related controls:** Redshift.1<br />Redshift.2<br />Redshift.3<br />Redshift.4<br />Redshift.6<br />Redshift.7<br />Redshift.8<br />Redshift.10<br />Redshift.11<br />Redshift.18
  - **Resource type:** AWS::Redshift::ClusterParameterGroup / **Related controls:** Redshift.2<br />Redshift.17
  - **Resource type:** AWS::Redshift::ClusterSnapshot / **Related controls:** Redshift.13
  - **Resource type:** AWS::Redshift::ClusterSubnetGroup / **Related controls:** Redshift.14<br />Redshift.16
  - **Resource type:** AWS::Redshift::EventSubscription / **Related controls:** Redshift.12

- **Amazon Route 53**
  - **Resource type:** AWS::Route53::HostedZone / **Related controls:** Route53.2
  - **Resource type:** AWS::Route53::HealthCheck / **Related controls:** Route53.1

- **Amazon Simple Storage Service (Amazon S3)**
  - **Resource type:** AWS::S3::AccessPoint / **Related controls:** S3.19
  - **Resource type:** AWS::S3::AccountPublicAccessBlock / **Related controls:** S3.2<br />S3.3
  - **Resource type:** AWS::S3::Bucket / **Related controls:** CloudTrail.6<br />CloudTrail.7<br />S3.2<br />S3.3<br />S3.5<br />S3.6<br />S3.7<br />S3.8<br />S3.9<br />S3.10<br />S3.11<br />S3.12<br />S3.13<br />S3.14<br />S3.15<br />S3.17<br />S3.20
  - **Resource type:** AWS::S3::MultiRegionAccessPoint / **Related controls:** S3.24
  - **Resource type:** AWS::S3Express::DirectoryBucket / **Related controls:** S3.25

- **Amazon SageMaker AI**
  - **Resource type:** AWS::SageMaker::AppImageConfig / **Related controls:** SageMaker.6
  - **Resource type:** AWS::SageMaker::Image / **Related controls:** SageMaker.7
  - **Resource type:** AWS::SageMaker::Model / **Related controls:** SageMaker.5<br />SageMaker.16<br />SageMaker.19
  - **Resource type:** AWS::SageMaker::NotebookInstance / **Related controls:** SageMaker.2<br />SageMaker.3
  - **Resource type:** AWS::SageMaker::FeatureGroup / **Related controls:** SageMaker.17

- **AWS Secrets Manager**
  - **Resource type:** AWS::SecretsManager::Secret / **Related controls:** SecretsManager.1<br />SecretsManager.2<br />SecretsManager.5

- **AWS Service Catalog**
  - **Resource type:** AWS::ServiceCatalog::Portfolio / **Related controls:** ServiceCatalog.1

- **Amazon Simple Email Service (Amazon SES)**
  - **Resource type:** AWS::SES::ConfigurationSet / **Related controls:** SES.2<br />SES.3
  - **Resource type:** AWS::SES::ContactList / **Related controls:** SES.1

- **Amazon Simple Notification Service (Amazon SNS)**
  - **Resource type:** AWS::SNS::Topic / **Related controls:** SNS.1<br />SNS.3<br />SNS.4

- **Amazon Simple Queue Service (Amazon SQS)**
  - **Resource type:** AWS::SQS::Queue / **Related controls:** SQS.1<br />SQS.2<br />SQS.3

- **AWS Step Functions**
  - **Resource type:** AWS::StepFunctions::StateMachine / **Related controls:** StepFunctions.1
  - **Resource type:** AWS::StepFunctions::Activity / **Related controls:** StepFunctions.2

- **AWS Systems Manager (SSM)**
  - **Resource type:** AWS::SSM::Document / **Related controls:** SSM.5

- **AWS Transfer Family**
  - **Resource type:** AWS::Transfer::Agreement / **Related controls:** Transfer.4
  - **Resource type:** AWS::Transfer::Certificate / **Related controls:** Transfer.5
  - **Resource type:** AWS::Transfer::Connector / **Related controls:** Transfer.3<br />Transfer.6
  - **Resource type:** AWS::Transfer::Profile / **Related controls:** Transfer.7
  - **Resource type:** AWS::Transfer::Workflow / **Related controls:** Transfer.1

- **AWS WAF**
  - **Resource type:** AWS::WAF::Rule / **Related controls:** WAF.6
  - **Resource type:** AWS::WAF::RuleGroup / **Related controls:** WAF.7
  - **Resource type:** AWS::WAF::WebACL / **Related controls:** WAF.1<br />WAF.8
  - **Resource type:** AWS::WAFRegional::Rule / **Related controls:** WAF.2
  - **Resource type:** AWS::WAFRegional::RuleGroup / **Related controls:** WAF.3
  - **Resource type:** AWS::WAFRegional::WebACL / **Related controls:** WAF.4
  - **Resource type:** AWS::WAFv2::RuleGroup / **Related controls:** WAF.12
  - **Resource type:** AWS::WAFv2::WebACL / **Related controls:** WAF.10<br />WAF.11

- **Amazon WorkSpaces**
  - **Resource type:** AWS::WorkSpaces::WorkSpace / **Related controls:** WorkSpaces.1<br />WorkSpaces.2



## Resources required for the AWS Foundational Security Best Practices standard
<a name="securityhub-standards-fsbp-config-resources"></a>

For Security Hub CSPM to accurately report findings for enabled change-triggered controls that apply to the AWS Foundational Security Best Practices standard (v.1.0.0) and use AWS Config rules, you must record the following types of resources in AWS Config. For information about this standard, see [AWS Foundational Security Best Practices standard in Security Hub CSPM](fsbp-standard.md).


| AWS service | Resource type | 
| --- | --- | 
| Amazon API Gateway | `AWS::ApiGateway::DomainName`, `AWS::ApiGateway::Stage`, `AWS::ApiGatewayV2::Stage` | 
| AWS AppSync | `AWS::AppSync::ApiCache`, `AWS::AppSync::GraphQLApi` | 
| AWS Backup | `AWS::Backup::RecoveryPoint` | 
| Amazon Bedrock AgentCore | `AWS::BedrockAgentCore::Gateway`, `AWS::BedrockAgentCore::Runtime` | 
| AWS Certificate Manager (ACM) | `AWS::ACM::Certificate` | 
| AWS CloudFormation | `AWS::CloudFormation::Stack` | 
| Amazon CloudFront | `AWS::CloudFront::Distribution` | 
| AWS CodeBuild | `AWS::CodeBuild::Project`, `AWS::CodeBuild::ReportGroup` | 
| Amazon Cognito | `AWS::Cognito::IdentityPool`, `AWS::Cognito::UserPool` | 
| AWS CloudTrail | `AWS::CloudTrail::EventDataStore` | 
| Amazon Connect | `AWS::Connect::Instance` | 
| AWS DataSync | `AWS::DataSync::Task` | 
| AWS Database Migration Service (AWS DMS) | `AWS::DMS::Endpoint`, `AWS::DMS::ReplicationInstance`, `AWS::DMS::ReplicationTask` | 
| Amazon DynamoDB | `AWS::DynamoDB::Table` | 
| Amazon EC2 Systems Manager (SSM)  | `AWS::SSM::AssociationCompliance`, `AWS::SSM::ManagedInstanceInventory`, `AWS::SSM::PatchCompliance` | 
| Amazon Elastic Compute Cloud (Amazon EC2) | `AWS::EC2::ClientVpnEndpoint`, `AWS::EC2::Instance`, `AWS::EC2::LaunchTemplate`, `AWS::EC2::NetworkAcl`, `AWS::EC2::NetworkInterface`, `AWS::EC2::SecurityGroup`, `AWS::EC2::SnapshotBlockPublicAccess`, `AWS::EC2::SpotFleet`, `AWS::EC2::Subnet`, `AWS::EC2::TransitGateway`, `AWS::EC2::VPCBlockPublicAccessOptions`, `AWS::EC2::VPNConnection`, `AWS::EC2::Volume` | 
| Amazon EC2 Auto Scaling | `AWS::AutoScaling::AutoScalingGroup`, `AWS::AutoScaling::LaunchConfiguration` | 
| Amazon Elastic Container Registry (Amazon ECR) | `AWS::ECR::Repository` | 
| Amazon Elastic Container Service (Amazon ECS) | `AWS::ECS::CapacityProvider`, `AWS::ECS::Cluster`, `AWS::ECS::Service`, `AWS::ECS::TaskDefinition`, `AWS::ECS::TaskSet` | 
| Amazon Elastic File System (Amazon EFS) | `AWS::EFS::AccessPoint`, `AWS::EFS::FileSystem` | 
| Amazon Elastic Kubernetes Service (Amazon EKS) | `AWS::EKS::Cluster`, `AWS::EKS::Nodegroup` | 
| AWS Elastic Beanstalk | `AWS::ElasticBeanstalk::Environment` | 
| Elastic Load Balancing | `AWS::ElasticLoadBalancing::LoadBalancer`, `AWS::ElasticLoadBalancingV2::Listener`, `AWS::ElasticLoadBalancingV2::LoadBalancer` | 
| ElasticSearch | `AWS::Elasticsearch::Domain` | 
| Amazon EMR | `AWS::EMR::SecurityConfiguration` | 
| AWS Glue | `AWS::Glue::Job`, `AWS::Glue::MLTransform` | 
| AWS Identity and Access Management (IAM) | `AWS::IAM::Group`, `AWS::IAM::Policy`, `AWS::IAM::Role`, `AWS::IAM::User` | 
| Amazon Kinesis | `AWS::Kinesis::Stream` | 
| AWS Key Management Service (AWS KMS) | `AWS::KMS::Key` | 
| AWS Lambda | `AWS::Lambda::Function` | 
| Amazon Managed Streaming for Apache Kafka (Amazon MSK) | `AWS::MSK::Cluster`, `AWS::KafkaConnect::Connector` | 
| AWS Network Firewall | `AWS::NetworkFirewall::Firewall`, `AWS::NetworkFirewall::FirewallPolicy`, `AWS::NetworkFirewall::RuleGroup` | 
| Amazon OpenSearch Service | `AWS::OpenSearch::Domain` | 
| Amazon Relational Database Service (Amazon RDS) | `AWS::RDS::DBCluster`, `AWS::RDS::DBClusterSnapshot`, `AWS::RDS::DBInstance`, `AWS::RDS::DBProxy`, `AWS::RDS::DBSnapshot`, `AWS::RDS::EventSubscription`, `AWS::RDS::GlobalCluster` | 
| Amazon Redshift | `AWS::Redshift::Cluster`, `AWS::Redshift::ClusterSubnetGroup` | 
| Amazon Redshift Serverless | `AWS::RedshiftServerless::Workgroup` | 
| Amazon Route 53 | `AWS::Route53::HostedZone` | 
| Amazon Simple Storage Service (Amazon S3) | `AWS::S3::AccessPoint`, `AWS::S3::AccountPublicAccessBlock`, `AWS::S3::Bucket`, `AWS::S3::MultiRegionAccessPoint`, `AWS::S3Express::DirectoryBucket` | 
| Amazon SageMaker AI | `AWS::SageMaker::FeatureGroup`, `AWS::SageMaker::Model`, `AWS::SageMaker::NotebookInstance` | 
| Amazon Simple Notification Service (Amazon SNS) | `AWS::SNS::Topic` | 
| Amazon Simple Queue Service (Amazon SQS) | `AWS::SQS::Queue` | 
| AWS Secrets Manager | `AWS::SecretsManager::Secret` | 
| AWS Step Functions | `AWS::StepFunctions::StateMachine` | 
| AWS Transfer Family | `AWS::Transfer::Connector` | 
| AWS WAF | `AWS::WAF::Rule`, `AWS::WAF::RuleGroup`, `AWS::WAF::WebACL`, `AWS::WAFRegional::Rule`, `AWS::WAFRegional::RuleGroup`, `AWS::WAFRegional::WebACL`, `AWS::WAFv2::RuleGroup`, `AWS::WAFv2::WebACL` | 
| Amazon WorkSpaces | `AWS::WorkSpaces::WorkSpace` | 

## Resources required for the CIS AWS Foundations Benchmark
<a name="securityhub-standards-cis-config-resources"></a>

To run security checks for enabled controls that apply to the Center for Internet Security (CIS) AWS Foundations Benchmark, Security Hub CSPM either runs through the exact audit steps prescribed for the checks or uses specific AWS Config managed rules. For more information about this standard in Security Hub CSPM, see [CIS AWS Foundations Benchmark in Security Hub CSPM](cis-aws-foundations-benchmark.md).

### Resources required for CIS v5.0.0
<a name="cis-5.0-config-resources"></a>

For Security Hub CSPM to accurately report findings for enabled CIS v5.0.0 change-triggered controls that use AWS Config rules, you must record the following types of resources in AWS Config.


| AWS service | Resource type | 
| --- | --- | 
| Amazon Elastic Compute Cloud (Amazon EC2) | `AWS::EC2::Instance`, `AWS::EC2::NetworkAcl`, `AWS::EC2::SecurityGroup`, `AWS::EC2::VPC` | 
| Amazon Elastic File System (Amazon EFS) | `AWS::EFS::FileSystem` | 
| AWS Identity and Access Management (IAM) | `AWS::IAM::Group`, `AWS::IAM::User`, `AWS::IAM::Role` | 
| Amazon Relational Database Service (Amazon RDS) | `AWS::RDS::DBInstance`, `AWS::RDS::DBCluster` | 
| Amazon Simple Storage Service (Amazon S3) | `AWS::S3::Bucket` | 
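The opening of this page says that findings depend on AWS Config actually recording the required resource types, and the CIS v5.0.0 table above gives one concrete list of those types. The following added example (not code from the AWS documentation) is a small offline check that compares a configuration recorder's `recordingGroup` against that list and reports the gaps. The recorder documents are constructed samples; the `recordingGroup` field names (`allSupported`, `includeGlobalResourceTypes`, `resourceTypes`, `exclusionByResourceTypes`, `recordingStrategy.useOnly`) are assumed to match the output of `aws configservice describe-configuration-recorders`, and the rule that global IAM types are only recorded under `ALL_SUPPORTED_RESOURCE_TYPES` when `includeGlobalResourceTypes` is set is also an assumption about AWS Config behaviour that you should verify against your own account.

```python
"""Added example: check an AWS Config recorder against the resource types a
standard needs. Field names of recordingGroup are an assumption (see lead-in)."""

# Resource types the page lists as required for CIS v5.0.0 change-triggered controls.
CIS_V5_REQUIRED_TYPES = (
    "AWS::EC2::Instance", "AWS::EC2::NetworkAcl", "AWS::EC2::SecurityGroup", "AWS::EC2::VPC",
    "AWS::EFS::FileSystem",
    "AWS::IAM::Group", "AWS::IAM::User", "AWS::IAM::Role",
    "AWS::RDS::DBInstance", "AWS::RDS::DBCluster",
    "AWS::S3::Bucket",
)

# IAM resources are global. Assumption: with ALL_SUPPORTED_RESOURCE_TYPES they are
# recorded only where includeGlobalResourceTypes is true, so IAM controls silently
# produce no findings in Regions where that flag is off.
GLOBAL_IAM_TYPES = frozenset(
    {"AWS::IAM::Group", "AWS::IAM::Policy", "AWS::IAM::Role", "AWS::IAM::User"}
)

# Constructed sample recorder documents (not captured from a real account).
SAMPLE_EXCLUSION_RECORDER = {
    "name": "default",
    "recordingGroup": {
        "allSupported": False,
        "includeGlobalResourceTypes": False,
        "exclusionByResourceTypes": {"resourceTypes": ["AWS::IAM::User", "AWS::S3::Bucket"]},
        "recordingStrategy": {"useOnly": "EXCLUSION_BY_RESOURCE_TYPES"},
    },
}
SAMPLE_ALL_NO_GLOBAL_RECORDER = {
    "name": "default",
    "recordingGroup": {
        "allSupported": True,
        "includeGlobalResourceTypes": False,
        "recordingStrategy": {"useOnly": "ALL_SUPPORTED_RESOURCE_TYPES"},
    },
}
SAMPLE_INCLUSION_RECORDER = {
    "name": "default",
    "recordingGroup": {
        "allSupported": False,
        "includeGlobalResourceTypes": False,
        "resourceTypes": ["AWS::EC2::Instance", "AWS::EC2::SecurityGroup"],
        "recordingStrategy": {"useOnly": "INCLUSION_BY_RESOURCE_TYPES"},
    },
}


def recording_strategy(group: dict) -> str:
    """Resolve the effective strategy; older recorders may lack recordingStrategy."""
    strategy = group.get("recordingStrategy", {}).get("useOnly")
    if strategy:
        return strategy
    if group.get("allSupported"):
        return "ALL_SUPPORTED_RESOURCE_TYPES"
    if group.get("exclusionByResourceTypes", {}).get("resourceTypes"):
        return "EXCLUSION_BY_RESOURCE_TYPES"
    return "INCLUSION_BY_RESOURCE_TYPES"


def records_type(recorder: dict, resource_type: str) -> bool:
    """True if this recorder would record configuration items for resource_type."""
    group = recorder.get("recordingGroup", {})
    strategy = recording_strategy(group)
    if strategy == "ALL_SUPPORTED_RESOURCE_TYPES":
        if resource_type in GLOBAL_IAM_TYPES:
            return bool(group.get("includeGlobalResourceTypes"))
        return True
    if strategy == "INCLUSION_BY_RESOURCE_TYPES":
        return resource_type in group.get("resourceTypes", [])
    if strategy == "EXCLUSION_BY_RESOURCE_TYPES":
        excluded = group.get("exclusionByResourceTypes", {}).get("resourceTypes", [])
        return resource_type not in excluded
    raise ValueError(f"unknown recording strategy: {strategy}")


def missing_types(recorder: dict, required=CIS_V5_REQUIRED_TYPES) -> list:
    """Required resource types this recorder does not record, sorted for stable output."""
    return sorted(t for t in required if not records_type(recorder, t))


if __name__ == "__main__":
    samples = (
        ("exclusion strategy", SAMPLE_EXCLUSION_RECORDER),
        ("all supported, no global types", SAMPLE_ALL_NO_GLOBAL_RECORDER),
        ("inclusion list", SAMPLE_INCLUSION_RECORDER),
    )
    for label, recorder in samples:
        gaps = missing_types(recorder)
        status = "OK" if not gaps else "MISSING " + ", ".join(gaps)
        print(f"{label}: {status}")
```

To run it against a real account, replace the constructed documents with the `ConfigurationRecorders` entries from `describe-configuration-recorders` and swap in the resource-type list for whichever standard you have enabled. A resource type reported as missing explains a control that stays silent rather than failing, which is the failure mode the page warns about.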

### Resources required for CIS v3.0.0
<a name="cis-3.0-config-resources"></a>

For Security Hub CSPM to accurately report findings for enabled CIS v3.0.0 change-triggered controls that use AWS Config rules, you must record the following types of resources in AWS Config.


| AWS service | Resource type | 
| --- | --- | 
| Amazon Elastic Compute Cloud (Amazon EC2) | `AWS::EC2::Instance`, `AWS::EC2::NetworkAcl`, `AWS::EC2::SecurityGroup`, `AWS::EC2::VPC` | 
| AWS Identity and Access Management (IAM) | `AWS::IAM::Group`, `AWS::IAM::User`, `AWS::IAM::Role` | 
| Amazon Relational Database Service (Amazon RDS) | `AWS::RDS::DBInstance` | 
| Amazon Simple Storage Service (Amazon S3) | `AWS::S3::Bucket` | 

### Resources required for CIS v1.4.0
<a name="cis-1.4-config-resources"></a>

For Security Hub CSPM to accurately report findings for enabled CIS v1.4.0 change-triggered controls that use AWS Config rules, you must record the following types of resources in AWS Config.


| AWS service | Resource type | 
| --- | --- | 
| Amazon Elastic Compute Cloud (Amazon EC2) | `AWS::EC2::NetworkAcl`, `AWS::EC2::SecurityGroup` | 
| AWS Identity and Access Management (IAM) | `AWS::IAM::Policy`, `AWS::IAM::User` | 
| Amazon Relational Database Service (Amazon RDS) | `AWS::RDS::DBInstance` | 
| Amazon Simple Storage Service (Amazon S3) | `AWS::S3::Bucket` | 

### Resources required for CIS v1.2.0
<a name="cis-1.2-config-resources"></a>

For Security Hub CSPM to accurately report findings for enabled CIS v1.2.0 change-triggered controls that use AWS Config rules, you must record the following types of resources in AWS Config.


| AWS service | Resource type | 
| --- | --- | 
| Amazon Elastic Compute Cloud (Amazon EC2) | `AWS::EC2::SecurityGroup` | 
| AWS Identity and Access Management (IAM) | `AWS::IAM::Policy`, `AWS::IAM::User` | 

## Resources required for the NIST SP 800-53 Revision 5 standard
<a name="nist-config-resources"></a>

For Security Hub CSPM to accurately report findings for enabled change-triggered controls that apply to the NIST SP 800-53 Revision 5 standard and use AWS Config rules, you must record the following types of resources in AWS Config. For information about this standard, see [NIST SP 800-53 Revision 5 in Security Hub CSPM](standards-reference-nist-800-53.md).


| AWS service | Resource type | 
| --- | --- | 
| Amazon API Gateway | `AWS::ApiGateway::Stage`, `AWS::ApiGatewayV2::Stage` | 
| AWS AppSync | `AWS::AppSync::GraphQLApi` | 
| AWS Backup | `AWS::Backup::RecoveryPoint` | 
| AWS Certificate Manager (ACM) | `AWS::ACM::Certificate` | 
| AWS CloudFormation | `AWS::CloudFormation::Stack` | 
| Amazon CloudFront | `AWS::CloudFront::Distribution` | 
| Amazon CloudWatch | `AWS::CloudWatch::Alarm` | 
| AWS CodeBuild | `AWS::CodeBuild::Project` | 
| AWS Database Migration Service (AWS DMS) | `AWS::DMS::Endpoint`, `AWS::DMS::ReplicationInstance`, `AWS::DMS::ReplicationTask` | 
| Amazon DynamoDB | `AWS::DynamoDB::Table` | 
| Amazon Elastic Compute Cloud (Amazon EC2) | `AWS::EC2::ClientVpnEndpoint`, `AWS::EC2::EIP`, `AWS::EC2::Instance`, `AWS::EC2::LaunchTemplate`, `AWS::EC2::NetworkAcl`, `AWS::EC2::NetworkInterface`, `AWS::EC2::SecurityGroup`, `AWS::EC2::Subnet`, `AWS::EC2::TransitGateway`, `AWS::EC2::VPNConnection`, `AWS::EC2::Volume` | 
| Amazon EC2 Auto Scaling | `AWS::AutoScaling::AutoScalingGroup`, `AWS::AutoScaling::LaunchConfiguration` | 
| Amazon Elastic Container Registry (Amazon ECR) | `AWS::ECR::Repository` | 
| Amazon Elastic Container Service (Amazon ECS) | `AWS::ECS::Cluster`, `AWS::ECS::Service`, `AWS::ECS::TaskDefinition` | 
| Amazon Elastic File System (Amazon EFS) | `AWS::EFS::AccessPoint` | 
| Amazon Elastic Kubernetes Service (Amazon EKS) | `AWS::EKS::Cluster` | 
| AWS Elastic Beanstalk | `AWS::ElasticBeanstalk::Environment` | 
| Elastic Load Balancing | `AWS::ElasticLoadBalancing::LoadBalancer`, `AWS::ElasticLoadBalancingV2::Listener`, `AWS::ElasticLoadBalancingV2::LoadBalancer` | 
| Amazon ElasticSearch | `AWS::Elasticsearch::Domain` | 
| Amazon EMR | `AWS::EMR::SecurityConfiguration` | 
| Amazon EventBridge | `AWS::Events::Endpoint`, `AWS::Events::EventBus` | 
| AWS Glue | `AWS::Glue::Job` | 
| AWS Identity and Access Management (IAM) | `AWS::IAM::Group`, `AWS::IAM::Policy`, `AWS::IAM::Role`, `AWS::IAM::User` | 
| AWS Key Management Service (AWS KMS) | `AWS::KMS::Alias`, `AWS::KMS::Key` | 
| Amazon Kinesis | `AWS::Kinesis::Stream` | 
| AWS Lambda | `AWS::Lambda::Function` | 
| Amazon Managed Streaming for Apache Kafka (Amazon MSK) | `AWS::MSK::Cluster` | 
| Amazon MQ | `AWS::AmazonMQ::Broker` | 
| AWS Network Firewall | `AWS::NetworkFirewall::Firewall`, `AWS::NetworkFirewall::FirewallPolicy`, `AWS::NetworkFirewall::RuleGroup` | 
| Amazon OpenSearch Service | `AWS::OpenSearch::Domain` | 
| Amazon Relational Database Service (Amazon RDS) | `AWS::RDS::DBCluster`, `AWS::RDS::DBClusterSnapshot`, `AWS::RDS::DBInstance`, `AWS::RDS::DBSnapshot`, `AWS::RDS::EventSubscription` | 
| Amazon Redshift | `AWS::Redshift::Cluster`, `AWS::Redshift::ClusterSubnetGroup` | 
| Amazon Route 53 | `AWS::Route53::HostedZone` | 
| Amazon Simple Storage Service (Amazon S3) | `AWS::S3::AccessPoint`, `AWS::S3::AccountPublicAccessBlock`, `AWS::S3::Bucket` | 
| AWS Service Catalog | `AWS::ServiceCatalog::Portfolio` | 
| Amazon Simple Notification Service (Amazon SNS) | `AWS::SNS::Topic` | 
| Amazon Simple Queue Service (Amazon SQS) | `AWS::SQS::Queue` | 
| Amazon EC2 Systems Manager (SSM)  | `AWS::SSM::AssociationCompliance`, `AWS::SSM::ManagedInstanceInventory`, `AWS::SSM::PatchCompliance` | 
| Amazon SageMaker AI | `AWS::SageMaker::NotebookInstance` | 
| AWS Secrets Manager | `AWS::SecretsManager::Secret` | 
| AWS Transfer Family | `AWS::Transfer::Connector` | 
| AWS WAF | `AWS::WAF::Rule`, `AWS::WAF::RuleGroup`, `AWS::WAF::WebACL`, `AWS::WAFRegional::Rule`, `AWS::WAFRegional::RuleGroup`, `AWS::WAFRegional::WebACL`, `AWS::WAFv2::RuleGroup`, `AWS::WAFv2::WebACL` | 

## Resources required for the NIST SP 800-171 Revision 2 standard
<a name="nist-800-171-config-resources"></a>

For Security Hub CSPM to accurately report findings for enabled change-triggered controls that apply to the NIST SP 800-171 Revision 2 standard and use AWS Config rules, you must record the following types of resources in AWS Config. For information about this standard, see [NIST SP 800-171 Revision 2 in Security Hub CSPM](standards-reference-nist-800-171.md).


| AWS service | Resource type | 
| --- | --- | 
| AWS Certificate Manager (ACM) | `AWS::ACM::Certificate` | 
| Amazon API Gateway | `AWS::ApiGateway::Stage` | 
| Amazon CloudFront | `AWS::CloudFront::Distribution` | 
| Amazon CloudWatch | `AWS::CloudWatch::Alarm` | 
| Amazon Elastic Compute Cloud (Amazon EC2) | `AWS::EC2::ClientVpnEndpoint`, `AWS::EC2::NetworkAcl`, `AWS::EC2::SecurityGroup`, `AWS::EC2::VPC`, `AWS::EC2::VPNConnection` | 
| Elastic Load Balancing | `AWS::ElasticLoadBalancing::LoadBalancer` | 
| AWS Identity and Access Management (IAM) | `AWS::IAM::Policy`, `AWS::IAM::User` | 
| AWS Key Management Service (AWS KMS) | `AWS::KMS::Alias`, `AWS::KMS::Key` | 
| AWS Network Firewall | `AWS::NetworkFirewall::FirewallPolicy`, `AWS::NetworkFirewall::RuleGroup` | 
| Amazon Simple Storage Service (Amazon S3) | `AWS::S3::Bucket` | 
| Amazon Simple Notification Service (Amazon SNS) | `AWS::SNS::Topic` | 
| AWS Systems Manager (SSM) | `AWS::SSM::PatchCompliance` | 
| AWS WAF | `AWS::WAFv2::RuleGroup` | 

## Resources required for PCI DSS v3.2.1
<a name="securityhub-standards-pci-config-resources"></a>

For Security Hub CSPM to accurately report findings for controls that apply to the Payment Card Industry Data Security Standard (PCI DSS) v3.2.1, are enabled, and use AWS Config rules, you must record the following resource types in AWS Config. For information about this standard, see [PCI DSS in Security Hub CSPM](pci-standard.md).


| AWS service | Resource type | 
| --- | --- | 
| AWS CodeBuild | `AWS::CodeBuild::Project` | 
| Amazon Elastic Compute Cloud (Amazon EC2) | `AWS::EC2::EIP`, `AWS::EC2::Instance`, `AWS::EC2::SecurityGroup` | 
| Amazon EC2 Auto Scaling | `AWS::AutoScaling::AutoScalingGroup` | 
| AWS Identity and Access Management (IAM) | `AWS::IAM::Policy`, `AWS::IAM::User` | 
| AWS Lambda | `AWS::Lambda::Function` | 
| Amazon OpenSearch Service | `AWS::OpenSearch::Domain` | 
| Amazon Relational Database Service (Amazon RDS) | `AWS::RDS::DBClusterSnapshot`, `AWS::RDS::DBInstance`, `AWS::RDS::DBSnapshot` | 
| Amazon Redshift | `AWS::Redshift::Cluster` | 
| Amazon Simple Storage Service (Amazon S3) | `AWS::S3::AccountPublicAccessBlock`, `AWS::S3::Bucket` | 
| Amazon EC2 Systems Manager (SSM)  | `AWS::SSM::AssociationCompliance`, `AWS::SSM::ManagedInstanceInventory`, `AWS::SSM::PatchCompliance` | 

## AWS resources required for the Resource Tagging standard
<a name="tagging-config-resources"></a>

All controls that apply to the AWS Resource Tagging standard are change triggered and use AWS Config rules. For Security Hub CSPM to accurately report findings for these controls, you must record the following resource types in AWS Config. For information about this standard, see [AWS Resource Tagging standard in Security Hub CSPM](standards-tagging.md).


| AWS service | Resource type | 
| --- | --- | 
| AWS Amplify | `AWS::Amplify::App`, `AWS::Amplify::Branch` | 
| Amazon AppFlow  | `AWS::AppFlow::Flow` | 
| AWS App Runner  | `AWS::AppRunner::Service`, `AWS::AppRunner::VpcConnector` | 
| AWS AppConfig  | `AWS::AppConfig::Application`, `AWS::AppConfig::ConfigurationProfile`, `AWS::AppConfig::Environment`, `AWS::AppConfig::ExtensionAssociation` | 
| AWS AppSync  | `AWS::AppSync::GraphQLApi` | 
| Amazon Athena  | `AWS::Athena::DataCatalog`, `AWS::Athena::WorkGroup` | 
| AWS Backup | `AWS::Backup::BackupPlan`, `AWS::Backup::BackupVault`, `AWS::Backup::RecoveryPlan`, `AWS::Backup::ReportPlan` | 
| AWS Batch  | `AWS::Batch::ComputeEnvironment`, `AWS::Batch::JobQueue`, `AWS::Batch::SchedulingPolicy` | 
| AWS Certificate Manager (ACM)  | `AWS::ACM::Certificate` | 
| AWS CloudFormation  | `AWS::CloudFormation::Stack` | 
| Amazon CloudFront  | `AWS::CloudFront::Distribution` | 
| AWS CloudTrail  | `AWS::CloudTrail::Trail` | 
| AWS CodeArtifact  | `AWS::CodeArtifact::Repository` | 
| Amazon CodeGuru  | `AWS::CodeGuruProfiler::ProfilingGroup`, `AWS::CodeGuruReviewer::RepositoryAssociation` | 
| Amazon Connect  | `AWS::CustomerProfiles::ObjectType` | 
| AWS Database Migration Service (AWS DMS)  | `AWS::DMS::Certificate`, `AWS::DMS::EventSubscription`<br />`AWS::DMS::ReplicationInstance`, `AWS::DMS::ReplicationSubnetGroup` | 
| AWS DataSync | `AWS::DataSync::Task` | 
| Amazon Detective  | `AWS::Detective::Graph` | 
| Amazon DynamoDB  | `AWS::DynamoDB::Trail` | 
| Amazon Elastic Compute Cloud (EC2)  | `AWS::EC2::CustomerGateway`, `AWS::EC2::DHCPOptions`, `AWS::EC2::EIP`, `AWS::EC2::FlowLog`, `AWS::EC2::Instance`, `AWS::EC2::InternetGateway`, `AWS::EC2::LaunchTemplate`, `AWS::EC2::NatGateway`, `AWS::EC2::NetworkAcl`, `AWS::EC2::NetworkInterface`, `AWS::EC2::PrefixList`, `AWS::EC2::RouteTable`, `AWS::EC2::SecurityGroup`, `AWS::EC2::Subnet`, `AWS::EC2::TrafficMirrorFilter`, `AWS::EC2::TrafficMirrorSession`, `AWS::EC2::TrafficMirrorTarget`, `AWS::EC2::TransitGateway`, `AWS::EC2::TransitGatewayAttachment`, `AWS::EC2::TransitGatewayRouteTable`, `AWS::EC2::Volume`, `AWS::EC2::VPC`, `AWS::EC2::VPCEndpointService`, `AWS::EC2::VPCPeeringConnection`, `AWS::EC2::VPNGateway` | 
| Amazon EC2 Auto Scaling  | `AWS::AutoScaling::AutoScalingGroup` | 
| Amazon Elastic Container Registry (Amazon ECR)  | `AWS::ECR::PublicRepository` | 
| Amazon Elastic Container Service (Amazon ECS)  | `AWS::ECS::Cluster`, `AWS::ECS::Service`, `AWS::ECS::TaskDefinition` | 
| Amazon Elastic File System (Amazon EFS)  | `AWS::EFS::AccessPoint` | 
| Amazon Elastic Kubernetes Service (Amazon EKS)  | `AWS::EKS::Cluster`, `AWS::EKS::IdentityProviderConfig` | 
| AWS Elastic Beanstalk | `AWS::ElasticBeanstalk::Environment` | 
| ElasticSearch  | `AWS::Elasticsearch::Domain` | 
| Amazon EventBridge  | `AWS::Events::EventBus` | 
| Amazon Fraud Detector  | `AWS::FraudDetector::EntityType`, `AWS::FraudDetector::Label`<br />`AWS::FraudDetector::Outcome`, `AWS::FraudDetector::Variable` | 
| AWS Global Accelerator  | `AWS::GlobalAccelerator::Accelerator` | 
| AWS Glue  | `AWS::Glue::Job` | 
| Amazon GuardDuty  | `AWS::GuardDuty::Detector`, `AWS::GuardDuty::Filter`, `AWS::GuardDuty::IPSet` | 
| AWS Identity and Access Management (IAM)  | `AWS::IAM::Role`, `AWS::IAM::User` | 
| AWS Identity and Access Management Access Analyzer (IAM Access Analyzer)  | `AWS::AccessAnalyzer::Analyzer` | 
| AWS IoT  | `AWS::IoT::Authorizer`, `AWS::IoT::Dimension`, `AWS::IoT::MitigationAction`, `AWS::IoT::Policy`, `AWS::IoT::RoleAlias`, `AWS::IoT::SecurityProfile` | 
| AWS IoT Events  | `AWS::IoTEvents::AlarmModel`, `AWS::IoTEvents::DetectorModel`, `AWS::IoTEvents::Input` | 
| AWS IoT SiteWise  | `AWS::IoTSiteWise::Dashboard`, `AWS::IoTSiteWise::Gateway`, `AWS::IoTSiteWise::Portal`, `AWS::IoTSiteWise::Project` | 
| AWS IoT TwinMaker  | `AWS::IoTTwinMaker::Entity`, `AWS::IoTTwinMaker::Scene`, `AWS::IoTTwinMaker::SyncJob`, `AWS::IoTTwinMaker::Workspace` | 
| AWS IoT Wireless  | `AWS::IoTWireless::FuotaTask`, `AWS::IoTWireless::MulticastGroup`, `AWS::IoTWireless::ServiceProfile` | 
| Amazon Interactive Video Service (Amazon IVS)  | `AWS::IVS::Channel`, `AWS::IVS::PlaybackKeyPair`, `AWS::IVS::RecordingConfiguration` | 
| Amazon Keyspaces (for Apache Cassandra)  | `AWS::Cassandra::Keyspace` | 
| Amazon Kinesis  | `AWS::Kinesis::Stream` | 
| AWS Lambda  | `AWS::Lambda::Function` | 
| Amazon MQ  | `AWS::AmazonMQ::Broker` | 
| AWS Network Firewall  | `AWS::NetworkFirewall::Firewall`, `AWS::NetworkFirewall::FirewallPolicy` | 
| Amazon OpenSearch Service | `AWS::OpenSearch::Domain` | 
| AWS Private Certificate Authority | `AWS::ACMPCA::CertificateAuthority` | 
| Amazon Relational Database Service  | `AWS::RDS::DBCluster`, `AWS::RDS::DBClusterSnapshot`, `AWS::RDS::DBInstance`, `AWS::RDS::DBSecurityGroup`, `AWS::RDS::DBSnapshot`, `AWS::RDS::DBSubnetGroup` | 
| Amazon Redshift  | `AWS::Redshift::Cluster`, `AWS::Redshift::ClusterParameterGroup`, `AWS::Redshift::ClusterSnapshot`, `AWS::Redshift::ClusterSubnetGroup`, `AWS::Redshift::EventSubscription` | 
| Amazon Route 53  | `AWS::Route53::HealthCheck` | 
| Amazon SageMaker AI | `AWS::SageMaker::AppImageConfig`, `AWS::SageMaker::Image` | 
| AWS Secrets Manager  | `AWS::SecretsManager::Secret` | 
| Amazon Simple Email Service (Amazon SES)  | `AWS::SES::ConfigurationSet`, `AWS::SES::ContactList` | 
| Amazon Simple Notification Service (Amazon SNS)  | `AWS::SNS::Topic` | 
| Amazon Simple Queue Service (Amazon SQS)  | `AWS::SQS::Queue` | 
| AWS Step Functions  | `AWS::StepFunctions::Activity` | 
| AWS Systems Manager (SSM) | `AWS::SSM::Document` | 
| AWS Transfer Family | `AWS::Transfer::Agreement`, `AWS::Transfer::Certificate`, `AWS::Transfer::Connector`, `AWS::Transfer::Profile`, `AWS::Transfer::Workflow` | 
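Each table on this page is a list of resource types the AWS Config recorder must record, so the practical check is to compare a recorder's recording group against that list. The following Python is an added example, not code from the AWS documentation: the recorder dict is a constructed sample shaped like one entry of the `DescribeConfigurationRecorders` response (the `recordingGroup`, `recordingStrategy` and `exclusionByResourceTypes` fields), and the required set is taken from the NIST SP 800-171 Revision 2 table above; substitute any other table's types for another standard.

```python
# Added example, not from the AWS documentation: check whether an AWS Config
# recorder's recordingGroup covers the resource types a Security Hub CSPM
# standard needs. The recorder dict is a constructed sample shaped like one
# entry of the DescribeConfigurationRecorders API response.

# Resource types this page lists for NIST SP 800-171 Revision 2.
NIST_800_171_TYPES = frozenset({
    "AWS::ACM::Certificate", "AWS::ApiGateway::Stage",
    "AWS::CloudFront::Distribution", "AWS::CloudWatch::Alarm",
    "AWS::EC2::ClientVpnEndpoint", "AWS::EC2::NetworkAcl",
    "AWS::EC2::SecurityGroup", "AWS::EC2::VPC", "AWS::EC2::VPNConnection",
    "AWS::ElasticLoadBalancing::LoadBalancer", "AWS::IAM::Policy",
    "AWS::IAM::User", "AWS::KMS::Alias", "AWS::KMS::Key",
    "AWS::NetworkFirewall::FirewallPolicy", "AWS::NetworkFirewall::RuleGroup",
    "AWS::S3::Bucket", "AWS::SNS::Topic", "AWS::SSM::PatchCompliance",
    "AWS::WAFv2::RuleGroup",
})


def missing_types(recorder: dict, required: frozenset) -> set:
    """Return the required resource types this recorder does not record.
    Covers all three recording strategies: all supported types, an explicit
    inclusion list, and an exclusion list (everything except the listed types).
    """
    group = recorder.get("recordingGroup", {})
    strategy = group.get("recordingStrategy", {}).get("useOnly")
    if strategy == "EXCLUSION_BY_RESOURCE_TYPES":
        excluded = group.get("exclusionByResourceTypes", {}).get("resourceTypes", [])
        return set(required) & set(excluded)
    if group.get("allSupported") or strategy == "ALL_SUPPORTED_RESOURCE_TYPES":
        return set()
    return set(required) - set(group.get("resourceTypes", []))


# Constructed sample: an inclusion-list recorder that omits the KMS and
# Network Firewall types the NIST SP 800-171 controls need.
OMITTED = {"AWS::KMS::Alias", "AWS::KMS::Key",
           "AWS::NetworkFirewall::FirewallPolicy", "AWS::NetworkFirewall::RuleGroup"}
SAMPLE_RECORDER = {
    "name": "default",
    "recordingGroup": {
        "allSupported": False,
        "includeGlobalResourceTypes": False,
        "resourceTypes": sorted(NIST_800_171_TYPES - OMITTED),
        "recordingStrategy": {"useOnly": "INCLUSION_BY_RESOURCE_TYPES"},
    },
}

if __name__ == "__main__":
    for rtype in sorted(missing_types(SAMPLE_RECORDER, NIST_800_171_TYPES)):
        print("not recorded:", rtype)
```

Feed it the `ConfigurationRecorders` entries from `aws configservice describe-configuration-recorders` in each Region where the standard is enabled; an empty result means every required type is recorded there.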