

This is a machine-translated version of the English original. Where the content is ambiguous or inconsistent, the English version prevails.

# AWS Config resources required for control findings
<a name="controls-config-resources"></a>

In AWS Security Hub CSPM, some controls use service-linked AWS Config rules to detect configuration changes in AWS resources. For Security Hub CSPM to generate accurate findings for these controls, you must enable AWS Config and turn on resource recording in AWS Config. For details about how Security Hub CSPM uses AWS Config rules and how to enable and configure AWS Config, see [Enabling and configuring AWS Config for Security Hub CSPM](securityhub-setup-prereqs.md). For details about resource recording, see [Working with the configuration recorder](https://docs.aws.amazon.com/config/latest/developerguide/stop-start-recorder.html) in the *AWS Config Developer Guide*.

To receive accurate control findings, you must turn on AWS Config resource recording for enabled controls that have a *change-triggered* schedule type. Some controls with a *periodic* schedule type also require resource recording. This page lists the resources that these Security Hub CSPM controls require.

Security Hub CSPM controls can rely on managed AWS Config rules or on custom Security Hub CSPM rules. Make sure that no AWS Identity and Access Management (IAM) policy or AWS Organizations managed policy prevents AWS Config from having permission to record resources. Security Hub CSPM controls evaluate resource configurations directly and do not take AWS Organizations policies into account.
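A practical way to verify the recording requirement above is to compare a configuration recorder's recording group against the resource types a standard needs. The following Python is an added example, not code from this documentation or from Security Hub CSPM. It accepts a recorder document in the shape returned by the AWS Config `DescribeConfigurationRecorders` API and a status document in the shape returned by `DescribeConfigurationRecorderStatus`, resolves the effective recording strategy, and reports the required types that would not be recorded in that Region. The recorder documents inside the block are constructed sample data; the required set is the CIS v5.0.0 list from this page; and the rule that the four IAM resource types are the global types gated by `includeGlobalResourceTypes` under the all-supported strategy is an assumption drawn from the AWS Config recorder model, not something this page states.

```python
"""Check whether an AWS Config recorder covers a set of required resource types.

Added example for this page; not code from the Security Hub CSPM documentation.
The recorder and status dicts mirror one element of the ConfigurationRecorders /
ConfigurationRecordersStatus lists returned by the AWS Config
DescribeConfigurationRecorders and DescribeConfigurationRecorderStatus APIs.
All sample documents below are constructed, not taken from a real account.
"""
from __future__ import annotations

# Assumption: these four IAM types are the "global" resource types whose recording
# under the ALL_SUPPORTED_RESOURCE_TYPES strategy is gated by includeGlobalResourceTypes.
GLOBAL_IAM_TYPES = frozenset({
    "AWS::IAM::Group", "AWS::IAM::Policy", "AWS::IAM::Role", "AWS::IAM::User",
})

# Required set: the CIS v5.0.0 resource types listed on this page.
CIS_V5_REQUIRED = frozenset({
    "AWS::EC2::Instance", "AWS::EC2::NetworkAcl", "AWS::EC2::SecurityGroup",
    "AWS::EC2::VPC", "AWS::EFS::FileSystem",
    "AWS::IAM::Group", "AWS::IAM::User", "AWS::IAM::Role",
    "AWS::RDS::DBInstance", "AWS::RDS::DBCluster", "AWS::S3::Bucket",
})


def effective_strategy(group: dict) -> str:
    """Resolve the recording strategy of a recordingGroup.

    Newer recorders carry recordingStrategy.useOnly; older documents only have
    allSupported (true = every supported type, false = the explicit resourceTypes list).
    """
    use_only = (group.get("recordingStrategy") or {}).get("useOnly")
    if use_only:
        return use_only
    return "ALL_SUPPORTED_RESOURCE_TYPES" if group.get("allSupported") else "INCLUSION_BY_RESOURCE_TYPES"


def is_recorded(group: dict, resource_type: str) -> bool:
    """True if the recording group records resource_type in this Region."""
    strategy = effective_strategy(group)
    if strategy == "INCLUSION_BY_RESOURCE_TYPES":
        return resource_type in (group.get("resourceTypes") or [])
    if strategy == "EXCLUSION_BY_RESOURCE_TYPES":
        excluded = (group.get("exclusionByResourceTypes") or {}).get("resourceTypes") or []
        return resource_type not in excluded
    # ALL_SUPPORTED_RESOURCE_TYPES: regional types are covered; the global IAM
    # types are only recorded here when includeGlobalResourceTypes is set.
    if resource_type in GLOBAL_IAM_TYPES:
        return bool(group.get("includeGlobalResourceTypes"))
    return True


def missing_resource_types(recorder: dict, required) -> list[str]:
    """Sorted required resource types that the recorder would not record."""
    group = recorder.get("recordingGroup") or {}
    return sorted(rt for rt in required if not is_recorded(group, rt))


def coverage_report(recorder: dict, status: dict, required) -> dict:
    """Combine recorder configuration and recorder status into one verdict.

    A recorder that is configured but stopped (recording=false) produces no
    configuration items, so coverage only counts when it is actually running.
    """
    missing = missing_resource_types(recorder, required)
    recording = bool(status.get("recording"))
    return {"recorder": recorder.get("name"), "recording": recording,
            "missing": missing, "ok": recording and not missing}


# --- Constructed sample documents -------------------------------------------
# Records every supported regional type but not the global IAM types in this Region.
ALL_REGIONAL_ONLY = {
    "name": "default",
    "recordingGroup": {"allSupported": True, "includeGlobalResourceTypes": False, "resourceTypes": []},
}
# Inclusion list that covers only three of the required types.
INCLUSION_SUBSET = {
    "name": "default",
    "recordingGroup": {
        "allSupported": False, "includeGlobalResourceTypes": False,
        "resourceTypes": ["AWS::S3::Bucket", "AWS::IAM::User", "AWS::EC2::SecurityGroup"],
        "recordingStrategy": {"useOnly": "INCLUSION_BY_RESOURCE_TYPES"},
    },
}
# Exclusion strategy that drops one required type.
EXCLUDES_EFS = {
    "name": "default",
    "recordingGroup": {
        "allSupported": False, "includeGlobalResourceTypes": False,
        "exclusionByResourceTypes": {"resourceTypes": ["AWS::EFS::FileSystem"]},
        "recordingStrategy": {"useOnly": "EXCLUSION_BY_RESOURCE_TYPES"},
    },
}
RUNNING = {"name": "default", "recording": True, "lastStatus": "SUCCESS"}
STOPPED = {"name": "default", "recording": False, "lastStatus": "SUCCESS"}


if __name__ == "__main__":
    for label, rec, status in [("all-regional-only", ALL_REGIONAL_ONLY, RUNNING),
                               ("inclusion-subset", INCLUSION_SUBSET, RUNNING),
                               ("excludes-efs", EXCLUDES_EFS, STOPPED)]:
        report = coverage_report(rec, status, CIS_V5_REQUIRED)
        print(f"{label}: ok={report['ok']} recording={report['recording']} missing={report['missing']}")
```

In a real account, feed `coverage_report` the first element of `ConfigurationRecorders` from `aws configservice describe-configuration-recorders` and the matching element from `aws configservice describe-configuration-recorder-status`, run per Region. A non-empty `missing` list means that, even with AWS Config turned on, Security Hub CSPM cannot produce accurate findings for the controls that evaluate those resource types in that Region; the all-supported recorder without global types is the case that most often goes unnoticed, because it silently leaves the IAM controls without data outside the Region where global recording is enabled.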

**Note**  
In AWS Regions where a control isn't available, the corresponding AWS Config resource is also unavailable. For a list of these limitations, see [Regional limits for Security Hub CSPM controls](regions-controls.md).

**Topics**
+ [Resources required for all Security Hub CSPM controls](#all-controls-config-resources)
+ [Resources required for the AWS Foundational Security Best Practices standard](#securityhub-standards-fsbp-config-resources)
+ [Resources required for the CIS AWS Foundations Benchmark](#securityhub-standards-cis-config-resources)
+ [Resources required for the NIST SP 800-53 Revision 5 standard](#nist-config-resources)
+ [Resources required for the NIST SP 800-171 Revision 2 standard](#nist-800-171-config-resources)
+ [Resources required for PCI DSS version 3.2.1](#securityhub-standards-pci-config-resources)
+ [AWS resources required for the Resource Tagging standard](#tagging-config-resources)

## Resources required for all Security Hub CSPM controls
<a name="all-controls-config-resources"></a>

For Security Hub CSPM to generate findings for enabled change-triggered controls that use AWS Config rules, you must record the following resource types in AWS Config. The table also indicates which controls evaluate a given resource type. A single control may evaluate more than one resource type.

| AWS service | Resource type | Related controls |
| --- | --- | --- |
| AWS Amplify | `AWS::Amplify::App` | Amplify.1 |
| AWS Amplify | `AWS::Amplify::Branch` | Amplify.2 |
| Amazon API Gateway | `AWS::ApiGateway::Stage` | APIGateway.1<br />APIGateway.2<br />APIGateway.3<br />APIGateway.4<br />APIGateway.5 |
| Amazon API Gateway | `AWS::ApiGatewayV2::Stage` | APIGateway.1<br />APIGateway.9 |
| Amazon API Gateway | `AWS::ApiGateway::DomainName` | APIGateway.11 |
| AWS AppConfig | `AWS::AppConfig::Application` | AppConfig.1 |
| AWS AppConfig | `AWS::AppConfig::ConfigurationProfile` | AppConfig.2 |
| AWS AppConfig | `AWS::AppConfig::Environment` | AppConfig.3 |
| AWS AppConfig | `AWS::AppConfig::ExtensionAssociation` | AppConfig.4 |
| Amazon AppFlow | `AWS::AppFlow::Flow` | AppFlow.1 |
| AWS App Runner | `AWS::AppRunner::Service` | AppRunner.1 |
| AWS App Runner | `AWS::AppRunner::VpcConnector` | AppRunner.2 |
| AWS AppSync | `AWS::AppSync::GraphQLApi` | AppSync.2<br />AppSync.4<br />AppSync.5 |
| AWS AppSync | `AWS::AppSync::ApiCache` | AppSync.1<br />AppSync.6 |
| AWS Backup | `AWS::Backup::BackupPlan` | Backup.5 |
| AWS Backup | `AWS::Backup::BackupVault` | Backup.3 |
| AWS Backup | `AWS::Backup::RecoveryPoint` | Backup.1<br />Backup.2 |
| AWS Backup | `AWS::Backup::ReportPlan` | Backup.4 |
| AWS Batch | `AWS::Batch::ComputeEnvironment` | Batch.3<br />Batch.4 |
| AWS Batch | `AWS::Batch::JobQueue` | Batch.1 |
| AWS Batch | `AWS::Batch::SchedulingPolicy` | Batch.2 |
| Amazon Bedrock AgentCore | `AWS::BedrockAgentCore::Gateway` | BedrockAgentCore.2 |
| Amazon Bedrock AgentCore | `AWS::BedrockAgentCore::Runtime` | BedrockAgentCore.1 |
| AWS Certificate Manager (ACM) | `AWS::ACM::Certificate` | ACM.1<br />ACM.2<br />ACM.3 |
| Amazon Athena | `AWS::Athena::DataCatalog` | Athena.2 |
| Amazon Athena | `AWS::Athena::WorkGroup` | Athena.3<br />Athena.4 |
| AWS CloudFormation | `AWS::CloudFormation::Stack` | CloudFormation.2<br />CloudFormation.3<br />CloudFormation.4 |
| Amazon CloudFront | `AWS::CloudFront::Distribution` | CloudFront.1<br />CloudFront.3<br />CloudFront.4<br />CloudFront.5<br />CloudFront.6<br />CloudFront.7<br />CloudFront.8<br />CloudFront.9<br />CloudFront.10<br />CloudFront.13<br />CloudFront.14<br />CloudFront.15<br />CloudFront.16<br />CloudFront.17 |
| AWS CloudTrail | `AWS::CloudTrail::Trail` | CloudTrail.9 |
| AWS CloudTrail | `AWS::CloudTrail::EventDataStore` | CloudTrail.11 |
| Amazon CloudWatch | `AWS::CloudWatch::Alarm` | CloudWatch.15<br />CloudWatch.17 |
| AWS CodeArtifact | `AWS::CodeArtifact::Repository` | CodeArtifact.1 |
| AWS CodeBuild | `AWS::CodeBuild::Project` | CodeBuild.1<br />CodeBuild.2<br />CodeBuild.3<br />CodeBuild.4 |
| AWS CodeBuild | `AWS::CodeBuild::ReportGroup` | CodeBuild.7 |
| Amazon CodeGuru Profiler | `AWS::CodeGuruProfiler::ProfilingGroup` | CodeGuruProfiler.1 |
| Amazon CodeGuru Reviewer | `AWS::CodeGuruReviewer::RepositoryAssociation` | CodeGuruReviewer.1 |
| Amazon Cognito | `AWS::Cognito::IdentityPool` | Cognito.2 |
| Amazon Cognito | `AWS::Cognito::UserPool` | Cognito.1<br />Cognito.3<br />Cognito.4<br />Cognito.5<br />Cognito.6 |
| Amazon Connect | `AWS::CustomerProfiles::ObjectType` | Connect.1 |
| Amazon Connect | `AWS::Connect::Instance` | Connect.2 |
| AWS DataSync | `AWS::DataSync::Task` | DataSync.1<br />DataSync.2 |
| Amazon Detective | `AWS::Detective::Graph` | Detective.1 |
| AWS Database Migration Service (AWS DMS) | `AWS::DMS::Certificate` | DMS.2 |
| AWS Database Migration Service (AWS DMS) | `AWS::DMS::Endpoint` | DMS.9<br />DMS.10<br />DMS.11<br />DMS.12 |
| AWS Database Migration Service (AWS DMS) | `AWS::DMS::EventSubscription` | DMS.3 |
| AWS Database Migration Service (AWS DMS) | `AWS::DMS::ReplicationInstance` | DMS.4<br />DMS.6<br />DMS.13 |
| AWS Database Migration Service (AWS DMS) | `AWS::DMS::ReplicationSubnetGroup` | DMS.5 |
| AWS Database Migration Service (AWS DMS) | `AWS::DMS::ReplicationTask` | DMS.7<br />DMS.8 |
| Amazon DynamoDB | `AWS::DynamoDB::Table` | DynamoDB.1<br />DynamoDB.2<br />DynamoDB.5<br />DynamoDB.6 |
| Amazon Elastic Compute Cloud (Amazon EC2) | `AWS::EC2::ClientVpnEndpoint` | EC2.51 |
| Amazon Elastic Compute Cloud (Amazon EC2) | `AWS::EC2::CustomerGateway` | EC2.36 |
| Amazon Elastic Compute Cloud (Amazon EC2) | `AWS::EC2::DHCPOptions` | EC2.174 |
| Amazon Elastic Compute Cloud (Amazon EC2) | `AWS::EC2::EIP` | EC2.12<br />EC2.37 |
| Amazon Elastic Compute Cloud (Amazon EC2) | `AWS::EC2::FlowLog` | EC2.48 |
| Amazon Elastic Compute Cloud (Amazon EC2) | `AWS::EC2::Instance` | EC2.4<br />EC2.8<br />EC2.9<br />EC2.17<br />EC2.24<br />EC2.38<br />EMR.1<br />SSM.1 |
| Amazon Elastic Compute Cloud (Amazon EC2) | `AWS::EC2::InternetGateway` | EC2.39 |
| Amazon Elastic Compute Cloud (Amazon EC2) | `AWS::EC2::LaunchTemplate` | EC2.25<br />EC2.170<br />EC2.175<br />EC2.181 |
| Amazon Elastic Compute Cloud (Amazon EC2) | `AWS::EC2::NatGateway` | EC2.40 |
| Amazon Elastic Compute Cloud (Amazon EC2) | `AWS::EC2::NetworkAcl` | EC2.16<br />EC2.21<br />EC2.41 |
| Amazon Elastic Compute Cloud (Amazon EC2) | `AWS::EC2::NetworkInterface` | EC2.22<br />EC2.35<br />EC2.180 |
| Amazon Elastic Compute Cloud (Amazon EC2) | `AWS::EC2::PrefixList` | EC2.176 |
| Amazon Elastic Compute Cloud (Amazon EC2) | `AWS::EC2::RouteTable` | EC2.42 |
| Amazon Elastic Compute Cloud (Amazon EC2) | `AWS::EC2::SecurityGroup` | EC2.2<br />EC2.13<br />EC2.14<br />EC2.18<br />EC2.19<br />EC2.43 |
| Amazon Elastic Compute Cloud (Amazon EC2) | `AWS::EC2::SnapshotBlockPublicAccess` | EC2.182 |
| Amazon Elastic Compute Cloud (Amazon EC2) | `AWS::EC2::SpotFleet` | EC2.173 |
| Amazon Elastic Compute Cloud (Amazon EC2) | `AWS::EC2::Subnet` | EC2.15<br />EC2.44<br />ElastiCache.7 |
| Amazon Elastic Compute Cloud (Amazon EC2) | `AWS::EC2::TrafficMirrorFilter` | EC2.178 |
| Amazon Elastic Compute Cloud (Amazon EC2) | `AWS::EC2::TrafficMirrorSession` | EC2.177 |
| Amazon Elastic Compute Cloud (Amazon EC2) | `AWS::EC2::TrafficMirrorTarget` | EC2.179 |
| Amazon Elastic Compute Cloud (Amazon EC2) | `AWS::EC2::TransitGateway` | EC2.23<br />EC2.52 |
| Amazon Elastic Compute Cloud (Amazon EC2) | `AWS::EC2::TransitGatewayAttachment` | EC2.33 |
| Amazon Elastic Compute Cloud (Amazon EC2) | `AWS::EC2::TransitGatewayRouteTable` | EC2.34 |
| Amazon Elastic Compute Cloud (Amazon EC2) | `AWS::EC2::Volume` | EC2.3<br />EC2.45 |
| Amazon Elastic Compute Cloud (Amazon EC2) | `AWS::EC2::VPC` | EC2.6<br />EC2.46 |
| Amazon Elastic Compute Cloud (Amazon EC2) | `AWS::EC2::VPCBlockPublicAccessOptions` | EC2.172 |
| Amazon Elastic Compute Cloud (Amazon EC2) | `AWS::EC2::VPCEndpointService` | EC2.47 |
| Amazon Elastic Compute Cloud (Amazon EC2) | `AWS::EC2::VPCPeeringConnection` | EC2.49 |
| Amazon Elastic Compute Cloud (Amazon EC2) | `AWS::EC2::VPNConnection` | EC2.20<br />EC2.171<br />EC2.183 |
| Amazon Elastic Compute Cloud (Amazon EC2) | `AWS::EC2::VPNGateway` | EC2.50 |
| Amazon EC2 Auto Scaling | `AWS::AutoScaling::AutoScalingGroup` | AutoScaling.1<br />AutoScaling.2<br />AutoScaling.6<br />AutoScaling.9<br />AutoScaling.10 |
| Amazon EC2 Auto Scaling | `AWS::AutoScaling::LaunchConfiguration` | AutoScaling.3<br />AutoScaling.5 |
| Amazon EC2 Systems Manager (SSM) | `AWS::SSM::AssociationCompliance` | SSM.3 |
| Amazon EC2 Systems Manager (SSM) | `AWS::SSM::ManagedInstanceInventory` | SSM.1 |
| Amazon EC2 Systems Manager (SSM) | `AWS::SSM::PatchCompliance` | SSM.2 |
| Amazon Elastic Container Registry (Amazon ECR) | `AWS::ECR::PublicRepository` | ECR.4 |
| Amazon Elastic Container Registry (Amazon ECR) | `AWS::ECR::Repository` | ECR.2<br />ECR.3<br />ECR.5 |
| Amazon Elastic Container Service (Amazon ECS) | `AWS::ECS::Cluster` | ECS.12<br />ECS.14 |
| Amazon Elastic Container Service (Amazon ECS) | `AWS::ECS::CapacityProvider` | ECS.19 |
| Amazon Elastic Container Service (Amazon ECS) | `AWS::ECS::Service` | ECS.2<br />ECS.10<br />ECS.13 |
| Amazon Elastic Container Service (Amazon ECS) | `AWS::ECS::TaskDefinition` | ECS.1<br />ECS.3<br />ECS.4<br />ECS.5<br />ECS.8<br />ECS.9<br />ECS.15<br />ECS.17<br />ECS.18<br />ECS.20<br />ECS.21 |
| Amazon Elastic Container Service (Amazon ECS) | `AWS::ECS::TaskSet` | ECS.16 |
| Amazon Elastic File System (Amazon EFS) | `AWS::EFS::AccessPoint` | EFS.3<br />EFS.4<br />EFS.5 |
| Amazon Elastic File System (Amazon EFS) | `AWS::EFS::FileSystem` | EFS.7<br />EFS.8 |
| Amazon Elastic Kubernetes Service (Amazon EKS) | `AWS::EKS::Cluster` | EKS.2<br />EKS.6<br />EKS.8 |
| Amazon Elastic Kubernetes Service (Amazon EKS) | `AWS::EKS::IdentityProviderConfig` | EKS.7 |
| Amazon Elastic Kubernetes Service (Amazon EKS) | `AWS::EKS::Nodegroup` | EKS.9 |
| AWS Elastic Beanstalk | `AWS::ElasticBeanstalk::Environment` | ElasticBeanstalk.1<br />ElasticBeanstalk.2<br />ElasticBeanstalk.3 |
| Elastic Load Balancing | `AWS::ElasticLoadBalancing::LoadBalancer` | ELB.2<br />ELB.3<br />ELB.5<br />ELB.7<br />ELB.8<br />ELB.9<br />ELB.10<br />ELB.14 |
| Elastic Load Balancing | `AWS::ElasticLoadBalancingV2::Listener` | ELB.17<br />ELB.18 |
| Elastic Load Balancing | `AWS::ElasticLoadBalancingV2::LoadBalancer` | ELB.1<br />ELB.4<br />ELB.5<br />ELB.6<br />ELB.12<br />ELB.13<br />ELB.16 |
| ElasticSearch | `AWS::Elasticsearch::Domain` | ES.3<br />ES.4<br />ES.5<br />ES.6<br />ES.7<br />ES.8<br />ES.9 |
| Amazon EMR | `AWS::EMR::SecurityConfiguration` | EMR.3<br />EMR.4 |
| Amazon EventBridge | `AWS::Events::EventBus` | EventBridge.2<br />EventBridge.3 |
| Amazon EventBridge | `AWS::Events::Endpoint` | EventBridge.4 |
| Amazon Fraud Detector | `AWS::FraudDetector::EntityType` | FraudDetector.1 |
| Amazon Fraud Detector | `AWS::FraudDetector::Label` | FraudDetector.2 |
| Amazon Fraud Detector | `AWS::FraudDetector::Outcome` | FraudDetector.3 |
| Amazon Fraud Detector | `AWS::FraudDetector::Variable` | FraudDetector.4 |
| AWS Global Accelerator | `AWS::GlobalAccelerator::Accelerator` | GlobalAccelerator.1 |
| AWS Glue | `AWS::Glue::Job` | Glue.1<br />Glue.4 |
| AWS Glue | `AWS::Glue::MLTransform` | Glue.3 |
| Amazon GuardDuty | `AWS::GuardDuty::Detector` | GuardDuty.4 |
| Amazon GuardDuty | `AWS::GuardDuty::Filter` | GuardDuty.2 |
| Amazon GuardDuty | `AWS::GuardDuty::IPSet` | GuardDuty.3 |
| AWS Identity and Access Management (IAM) | `AWS::IAM::Group` | IAM.27<br />KMS.2 |
| AWS Identity and Access Management (IAM) | `AWS::IAM::Policy` | IAM.1<br />IAM.21<br />KMS.1 |
| AWS Identity and Access Management (IAM) | `AWS::IAM::Role` | IAM.24<br />IAM.27<br />KMS.2 |
| AWS Identity and Access Management (IAM) | `AWS::IAM::User` | IAM.2<br />IAM.3<br />IAM.5<br />IAM.8<br />IAM.19<br />IAM.22<br />IAM.25<br />IAM.27<br />KMS.2 |
| AWS Identity and Access Management Access Analyzer | `AWS::AccessAnalyzer::Analyzer` | IAM.23 |
| Amazon Interactive Video Service (Amazon IVS) | `AWS::IVS::PlaybackKeyPair` | IVS.1 |
| Amazon Interactive Video Service (Amazon IVS) | `AWS::IVS::RecordingConfiguration` | IVS.2 |
| Amazon Interactive Video Service (Amazon IVS) | `AWS::IVS::Channel` | IVS.3 |
| AWS IoT | `AWS::IoT::Authorizer` | IoT.4 |
| AWS IoT | `AWS::IoT::Dimension` | IoT.3 |
| AWS IoT | `AWS::IoT::MitigationAction` | IoT.2 |
| AWS IoT | `AWS::IoT::Policy` | IoT.6 |
| AWS IoT | `AWS::IoT::RoleAlias` | IoT.5 |
| AWS IoT | `AWS::IoT::SecurityProfile` | IoT.1 |
| AWS IoT Events | `AWS::IoTEvents::AlarmModel` | IoTEvents.3 |
| AWS IoT Events | `AWS::IoTEvents::DetectorModel` | IoTEvents.2 |
| AWS IoT Events | `AWS::IoTEvents::Input` | IoTEvents.1 |
| AWS IoT SiteWise | `AWS::IoTSiteWise::AssetModel` | IoTSiteWise.1 |
| AWS IoT SiteWise | `AWS::IoTSiteWise::Dashboard` | IoTSiteWise.2 |
| AWS IoT SiteWise | `AWS::IoTSiteWise::Gateway` | IoTSiteWise.3 |
| AWS IoT SiteWise | `AWS::IoTSiteWise::Portal` | IoTSiteWise.4 |
| AWS IoT SiteWise | `AWS::IoTSiteWise::Project` | IoTSiteWise.5 |
| AWS IoT TwinMaker | `AWS::IoTTwinMaker::Entity` | IoTTwinMaker.4 |
| AWS IoT TwinMaker | `AWS::IoTTwinMaker::Scene` | IoTTwinMaker.3 |
| AWS IoT TwinMaker | `AWS::IoTTwinMaker::SyncJob` | IoTTwinMaker.1 |
| AWS IoT TwinMaker | `AWS::IoTTwinMaker::Workspace` | IoTTwinMaker.2 |
| AWS IoT Wireless | `AWS::IoTWireless::MulticastGroup` | IoTWireless.1 |
| AWS IoT Wireless | `AWS::IoTWireless::ServiceProfile` | IoTWireless.2 |
| AWS IoT Wireless | `AWS::IoTWireless::FuotaTask` | IoTWireless.3 |
| Amazon Keyspaces (for Apache Cassandra) | `AWS::Cassandra::Keyspace` | Keyspaces.1 |
| Amazon Kinesis | `AWS::Kinesis::Stream` | Kinesis.1<br />Kinesis.2<br />Kinesis.3 |
| AWS Key Management Service (AWS KMS) | `AWS::KMS::Alias` | S3.17 |
| AWS Key Management Service (AWS KMS) | `AWS::KMS::Key` | KMS.3<br />KMS.5<br />S3.17 |
| AWS Lambda | `AWS::Lambda::Function` | Lambda.1<br />Lambda.2<br />Lambda.3<br />Lambda.5<br />Lambda.6<br />Lambda.7 |
| Amazon MSK | `AWS::MSK::Cluster` | MSK.1<br />MSK.2<br />MSK.4<br />MSK.6 |
| Amazon MSK | `AWS::KafkaConnect::Connector` | MSK.3<br />MSK.5 |
| Amazon MQ | `AWS::AmazonMQ::Broker` | MQ.2<br />MQ.3<br />MQ.4<br />MQ.5<br />MQ.6 |
| AWS Network Firewall | `AWS::NetworkFirewall::Firewall` | NetworkFirewall.1<br />NetworkFirewall.7<br />NetworkFirewall.9<br />NetworkFirewall.10 |
| AWS Network Firewall | `AWS::NetworkFirewall::FirewallPolicy` | NetworkFirewall.3<br />NetworkFirewall.4<br />NetworkFirewall.5<br />NetworkFirewall.8 |
| AWS Network Firewall | `AWS::NetworkFirewall::RuleGroup` | NetworkFirewall.6 |
| Amazon OpenSearch Service | `AWS::OpenSearch::Domain` | Opensearch.1<br />Opensearch.2<br />Opensearch.3<br />Opensearch.4<br />Opensearch.5<br />Opensearch.6<br />Opensearch.7<br />Opensearch.8<br />Opensearch.9<br />Opensearch.10<br />Opensearch.11 |
| AWS Private CA | `AWS::ACMPCA::CertificateAuthority` | PCA.2 |
| Amazon Relational Database Service (Amazon RDS) | `AWS::RDS::DBCluster` | DocumentDB.1<br />DocumentDB.2<br />DocumentDB.4<br />DocumentDB.5<br />Neptune.1<br />Neptune.2<br />Neptune.4<br />Neptune.5<br />Neptune.7<br />Neptune.8<br />Neptune.9<br />RDS.7<br />RDS.12<br />RDS.14<br />RDS.15<br />RDS.16<br />RDS.24<br />RDS.27<br />RDS.28<br />RDS.34<br />RDS.35<br />RDS.37<br />RDS.47<br />RDS.48 |
| Amazon Relational Database Service (Amazon RDS) | `AWS::RDS::DBClusterSnapshot` | DocumentDB.3<br />Neptune.3<br />Neptune.6<br />RDS.1<br />RDS.4<br />RDS.29 |
| Amazon Relational Database Service (Amazon RDS) | `AWS::RDS::DBInstance` | RDS.2<br />RDS.3<br />RDS.5<br />RDS.6<br />RDS.8<br />RDS.9<br />RDS.10<br />RDS.11<br />RDS.13<br />RDS.17<br />RDS.18<br />RDS.23<br />RDS.25<br />RDS.30<br />RDS.36<br />RDS.40 |
| Amazon Relational Database Service (Amazon RDS) | `AWS::RDS::DBSecurityGroup` | RDS.31 |
| Amazon Relational Database Service (Amazon RDS) | `AWS::RDS::DBSnapshot` | RDS.1<br />RDS.4<br />RDS.32 |
| Amazon Relational Database Service (Amazon RDS) | `AWS::RDS::DBSubnetGroup` | RDS.33 |
| Amazon Relational Database Service (Amazon RDS) | `AWS::RDS::EventSubscription` | RDS.19<br />RDS.20<br />RDS.21<br />RDS.22 |
| Amazon Relational Database Service (Amazon RDS) | `AWS::RDS::GlobalCluster` | RDS.51 |
| Amazon Redshift | `AWS::Redshift::Cluster` | Redshift.1<br />Redshift.2<br />Redshift.3<br />Redshift.4<br />Redshift.6<br />Redshift.7<br />Redshift.8<br />Redshift.10<br />Redshift.11<br />Redshift.18 |
| Amazon Redshift | `AWS::Redshift::ClusterParameterGroup` | Redshift.2<br />Redshift.17 |
| Amazon Redshift | `AWS::Redshift::ClusterSnapshot` | Redshift.13 |
| Amazon Redshift | `AWS::Redshift::ClusterSubnetGroup` | Redshift.14<br />Redshift.16 |
| Amazon Redshift | `AWS::Redshift::EventSubscription` | Redshift.12 |
| Amazon Route 53 | `AWS::Route53::HostedZone` | Route53.2 |
| Amazon Route 53 | `AWS::Route53::HealthCheck` | Route53.1 |
| Amazon Simple Storage Service (Amazon S3) | `AWS::S3::AccessPoint` | S3.19 |
| Amazon Simple Storage Service (Amazon S3) | `AWS::S3::AccountPublicAccessBlock` | S3.2<br />S3.3 |
| Amazon Simple Storage Service (Amazon S3) | `AWS::S3::Bucket` | CloudTrail.6<br />CloudTrail.7<br />S3.2<br />S3.3<br />S3.5<br />S3.6<br />S3.7<br />S3.8<br />S3.9<br />S3.10<br />S3.11<br />S3.12<br />S3.13<br />S3.14<br />S3.15<br />S3.17<br />S3.20 |
| Amazon Simple Storage Service (Amazon S3) | `AWS::S3::MultiRegionAccessPoint` | S3.24 |
| Amazon Simple Storage Service (Amazon S3) | `AWS::S3Express::DirectoryBucket` | S3.25 |
| Amazon SageMaker AI | `AWS::SageMaker::AppImageConfig` | SageMaker.6 |
| Amazon SageMaker AI | `AWS::SageMaker::Image` | SageMaker.7 |
| Amazon SageMaker AI | `AWS::SageMaker::Model` | SageMaker.5<br />SageMaker.16<br />SageMaker.19 |
| Amazon SageMaker AI | `AWS::SageMaker::NotebookInstance` | SageMaker.2<br />SageMaker.3 |
| Amazon SageMaker AI | `AWS::SageMaker::FeatureGroup` | SageMaker.17 |
| AWS Secrets Manager | `AWS::SecretsManager::Secret` | SecretsManager.1<br />SecretsManager.2<br />SecretsManager.5 |
| AWS Service Catalog | `AWS::ServiceCatalog::Portfolio` | ServiceCatalog.1 |
| Amazon Simple Email Service (Amazon SES) | `AWS::SES::ConfigurationSet` | SES.2<br />SES.3 |
| Amazon Simple Email Service (Amazon SES) | `AWS::SES::ContactList` | SES.1 |
| Amazon Simple Notification Service (Amazon SNS) | `AWS::SNS::Topic` | SNS.1<br />SNS.3<br />SNS.4 |
| Amazon Simple Queue Service (Amazon SQS) | `AWS::SQS::Queue` | SQS.1<br />SQS.2<br />SQS.3 |
| AWS Step Functions | `AWS::StepFunctions::StateMachine` | StepFunctions.1 |
| AWS Step Functions | `AWS::StepFunctions::Activity` | StepFunctions.2 |
| AWS Systems Manager (SSM) | `AWS::SSM::Document` | SSM.5 |
| AWS Transfer Family | `AWS::Transfer::Agreement` | Transfer.4 |
| AWS Transfer Family | `AWS::Transfer::Certificate` | Transfer.5 |
| AWS Transfer Family | `AWS::Transfer::Connector` | Transfer.3<br />Transfer.6 |
| AWS Transfer Family | `AWS::Transfer::Profile` | Transfer.7 |
| AWS Transfer Family | `AWS::Transfer::Workflow` | Transfer.1 |
| AWS WAF | `AWS::WAF::Rule` | WAF.6 |
| AWS WAF | `AWS::WAF::RuleGroup` | WAF.7 |
| AWS WAF | `AWS::WAF::WebACL` | WAF.1<br />WAF.8 |
| AWS WAF | `AWS::WAFRegional::Rule` | WAF.2 |
| AWS WAF | `AWS::WAFRegional::RuleGroup` | WAF.3 |
| AWS WAF | `AWS::WAFRegional::WebACL` | WAF.4 |
| AWS WAF | `AWS::WAFv2::RuleGroup` | WAF.12 |
| AWS WAF | `AWS::WAFv2::WebACL` | WAF.10<br />WAF.11 |
| Amazon WorkSpaces | `AWS::WorkSpaces::WorkSpace` | WorkSpaces.1<br />WorkSpaces.2 |

## Resources required for the AWS Foundational Security Best Practices standard
<a name="securityhub-standards-fsbp-config-resources"></a>

For Security Hub CSPM to accurately report findings for change-triggered controls that apply to the AWS Foundational Security Best Practices standard (v1.0.0), are enabled, and use AWS Config rules, you must record the following resource types in AWS Config. For information about this standard, see [AWS Foundational Security Best Practices standard in Security Hub CSPM](fsbp-standard.md).


| AWS service | Resource type | 
| --- | --- | 
| Amazon API Gateway | `AWS::ApiGateway::DomainName`, `AWS::ApiGateway::Stage`, `AWS::ApiGatewayV2::Stage` | 
| AWS AppSync | `AWS::AppSync::ApiCache`, `AWS::AppSync::GraphQLApi` | 
| AWS Backup | `AWS::Backup::RecoveryPoint` | 
| Amazon Bedrock AgentCore | `AWS::BedrockAgentCore::Gateway`, `AWS::BedrockAgentCore::Runtime` | 
| AWS Certificate Manager (ACM) | `AWS::ACM::Certificate` | 
| AWS CloudFormation | `AWS::CloudFormation::Stack` | 
| Amazon CloudFront | `AWS::CloudFront::Distribution` | 
| AWS CodeBuild | `AWS::CodeBuild::Project`, `AWS::CodeBuild::ReportGroup` | 
| Amazon Cognito | `AWS::Cognito::IdentityPool`, `AWS::Cognito::UserPool` | 
| AWS CloudTrail | `AWS::CloudTrail::EventDataStore` | 
| Amazon Connect | `AWS::Connect::Instance` | 
| AWS DataSync | `AWS::DataSync::Task` | 
| AWS Database Migration Service (AWS DMS) | `AWS::DMS::Endpoint`, `AWS::DMS::ReplicationInstance`, `AWS::DMS::ReplicationTask` | 
| Amazon DynamoDB | `AWS::DynamoDB::Table` | 
| Amazon EC2 Systems Manager (SSM)  | `AWS::SSM::AssociationCompliance`, `AWS::SSM::ManagedInstanceInventory`, `AWS::SSM::PatchCompliance` | 
| Amazon Elastic Compute Cloud (Amazon EC2) | `AWS::EC2::ClientVpnEndpoint`, `AWS::EC2::Instance`, `AWS::EC2::LaunchTemplate`, `AWS::EC2::NetworkAcl`, `AWS::EC2::NetworkInterface`, `AWS::EC2::SecurityGroup`, `AWS::EC2::SnapshotBlockPublicAccess`, `AWS::EC2::SpotFleet`, `AWS::EC2::Subnet`, `AWS::EC2::TransitGateway`, `AWS::EC2::VPCBlockPublicAccessOptions`, `AWS::EC2::VPNConnection`, `AWS::EC2::Volume` | 
| Amazon EC2 Auto Scaling | `AWS::AutoScaling::AutoScalingGroup`, `AWS::AutoScaling::LaunchConfiguration` | 
| Amazon Elastic Container Registry (Amazon ECR) | `AWS::ECR::Repository` | 
| Amazon Elastic Container Service (Amazon ECS) | `AWS::ECS::CapacityProvider`, `AWS::ECS::Cluster`, `AWS::ECS::Service`, `AWS::ECS::TaskDefinition`, `AWS::ECS::TaskSet` | 
| Amazon Elastic File System (Amazon EFS) | `AWS::EFS::AccessPoint`, `AWS::EFS::FileSystem` | 
| Amazon Elastic Kubernetes Service (Amazon EKS) | `AWS::EKS::Cluster`, `AWS::EKS::Nodegroup` | 
| AWS Elastic Beanstalk | `AWS::ElasticBeanstalk::Environment` | 
| Elastic Load Balancing | `AWS::ElasticLoadBalancing::LoadBalancer`, `AWS::ElasticLoadBalancingV2::Listener`, `AWS::ElasticLoadBalancingV2::LoadBalancer` | 
| ElasticSearch | `AWS::Elasticsearch::Domain` | 
| Amazon EMR | `AWS::EMR::SecurityConfiguration` | 
| AWS Glue | `AWS::Glue::Job`, `AWS::Glue::MLTransform` | 
| AWS Identity and Access Management (IAM) | `AWS::IAM::Group`, `AWS::IAM::Policy`, `AWS::IAM::Role`, `AWS::IAM::User` | 
| Amazon Kinesis | `AWS::Kinesis::Stream` | 
| AWS Key Management Service (AWS KMS) | `AWS::KMS::Key` | 
| AWS Lambda | `AWS::Lambda::Function` | 
| Amazon Managed Streaming for Apache Kafka (Amazon MSK) | `AWS::MSK::Cluster`, `AWS::KafkaConnect::Connector` | 
| AWS Network Firewall | `AWS::NetworkFirewall::Firewall`, `AWS::NetworkFirewall::FirewallPolicy`, `AWS::NetworkFirewall::RuleGroup` | 
| Amazon OpenSearch Service | `AWS::OpenSearch::Domain` | 
| Amazon Relational Database Service (Amazon RDS) | `AWS::RDS::DBCluster`, `AWS::RDS::DBClusterSnapshot`, `AWS::RDS::DBInstance`, `AWS::RDS::DBProxy`, `AWS::RDS::DBSnapshot`, `AWS::RDS::EventSubscription`, `AWS::RDS::GlobalCluster` | 
| Amazon Redshift | `AWS::Redshift::Cluster`, `AWS::Redshift::ClusterSubnetGroup` | 
| Amazon Redshift Serverless | `AWS::RedshiftServerless::Workgroup` | 
| Amazon Route 53 | `AWS::Route53::HostedZone` | 
| Amazon Simple Storage Service (Amazon S3) | `AWS::S3::AccessPoint`, `AWS::S3::AccountPublicAccessBlock`, `AWS::S3::Bucket`, `AWS::S3::MultiRegionAccessPoint`, `AWS::S3Express::DirectoryBucket` | 
| Amazon SageMaker AI | `AWS::SageMaker::FeatureGroup`, `AWS::SageMaker::Model`, `AWS::SageMaker::NotebookInstance` | 
| Amazon Simple Notification Service (Amazon SNS) | `AWS::SNS::Topic` | 
| Amazon Simple Queue Service (Amazon SQS) | `AWS::SQS::Queue` | 
| AWS Secrets Manager | `AWS::SecretsManager::Secret` | 
| AWS Step Functions | `AWS::StepFunctions::StateMachine` | 
| AWS Transfer Family | `AWS::Transfer::Connector` | 
| AWS WAF | `AWS::WAF::Rule`, `AWS::WAF::RuleGroup`, `AWS::WAF::WebACL`, `AWS::WAFRegional::Rule`, `AWS::WAFRegional::RuleGroup`, `AWS::WAFRegional::WebACL`, `AWS::WAFv2::RuleGroup`, `AWS::WAFv2::WebACL` | 
| Amazon WorkSpaces | `AWS::WorkSpaces::WorkSpace` | 

## Resources required for the CIS AWS Foundations Benchmark
<a name="securityhub-standards-cis-config-resources"></a>

To run security checks for enabled controls that apply to the Center for Internet Security (CIS) AWS Foundations Benchmark, Security Hub CSPM either runs the exact audit steps specified for the check or uses specific AWS Config managed rules. For information about this standard in Security Hub CSPM, see [CIS AWS Foundations Benchmark in Security Hub CSPM](cis-aws-foundations-benchmark.md).

### Resources required for CIS v5.0.0
<a name="cis-5.0-config-resources"></a>

For Security Hub CSPM to accurately report findings for enabled CIS v5.0.0 change-triggered controls that use AWS Config rules, you must record the following resource types in AWS Config.


| AWS service | Resource type | 
| --- | --- | 
| Amazon Elastic Compute Cloud (Amazon EC2) | `AWS::EC2::Instance`, `AWS::EC2::NetworkAcl`, `AWS::EC2::SecurityGroup`, `AWS::EC2::VPC` | 
| Amazon Elastic File System (Amazon EFS) | `AWS::EFS::FileSystem` | 
| AWS Identity and Access Management (IAM) | `AWS::IAM::Group`, `AWS::IAM::User`, `AWS::IAM::Role` | 
| Amazon Relational Database Service (Amazon RDS) | `AWS::RDS::DBInstance`, `AWS::RDS::DBCluster` | 
| Amazon Simple Storage Service (Amazon S3) | `AWS::S3::Bucket` | 

### Resources required for CIS v3.0.0
<a name="cis-3.0-config-resources"></a>

For Security Hub CSPM to accurately report findings for enabled CIS v3.0.0 change-triggered controls that use AWS Config rules, you must record the following resource types in AWS Config.


| AWS service | Resource type | 
| --- | --- | 
| Amazon Elastic Compute Cloud (Amazon EC2) | `AWS::EC2::Instance`, `AWS::EC2::NetworkAcl`, `AWS::EC2::SecurityGroup`, `AWS::EC2::VPC` | 
| AWS Identity and Access Management (IAM) | `AWS::IAM::Group`, `AWS::IAM::User`, `AWS::IAM::Role` | 
| Amazon Relational Database Service (Amazon RDS) | `AWS::RDS::DBInstance` | 
| Amazon Simple Storage Service (Amazon S3) | `AWS::S3::Bucket` | 

### Resources required for CIS v1.4.0
<a name="cis-1.4-config-resources"></a>

For Security Hub CSPM to accurately report findings for enabled CIS v1.4.0 change-triggered controls that use AWS Config rules, you must record the following resource types in AWS Config.


| AWS service | Resource type | 
| --- | --- | 
| Amazon Elastic Compute Cloud (Amazon EC2) | `AWS::EC2::NetworkAcl`, `AWS::EC2::SecurityGroup` | 
| AWS Identity and Access Management (IAM) | `AWS::IAM::Policy`, `AWS::IAM::User` | 
| Amazon Relational Database Service (Amazon RDS) | `AWS::RDS::DBInstance` | 
| Amazon Simple Storage Service (Amazon S3) | `AWS::S3::Bucket` | 

### Resources required for CIS v1.2.0
<a name="cis-1.2-config-resources"></a>

For Security Hub CSPM to accurately report findings for enabled CIS v1.2.0 change-triggered controls that use AWS Config rules, you must record the following resource types in AWS Config.


| AWS service | Resource type | 
| --- | --- | 
| Amazon Elastic Compute Cloud (Amazon EC2) | `AWS::EC2::SecurityGroup` | 
| AWS Identity and Access Management (IAM) | `AWS::IAM::Policy`, `AWS::IAM::User` | 

## Resources required for the NIST SP 800-53 Revision 5 standard
<a name="nist-config-resources"></a>

For Security Hub CSPM to accurately report findings for change-triggered controls that apply to the NIST SP 800-53 Revision 5 standard, are enabled, and use AWS Config rules, you must record the following resource types in AWS Config. For information about this standard, see [NIST SP 800-53 Revision 5 in Security Hub CSPM](standards-reference-nist-800-53.md).


| AWS service | Resource type | 
| --- | --- | 
| Amazon API Gateway | `AWS::ApiGateway::Stage`, `AWS::ApiGatewayV2::Stage` | 
| AWS AppSync | `AWS::AppSync::GraphQLApi` | 
| AWS Backup | `AWS::Backup::RecoveryPoint` | 
| AWS Certificate Manager (ACM) | `AWS::ACM::Certificate` | 
| AWS CloudFormation | `AWS::CloudFormation::Stack` | 
| Amazon CloudFront | `AWS::CloudFront::Distribution` | 
| Amazon CloudWatch | `AWS::CloudWatch::Alarm` | 
| AWS CodeBuild | `AWS::CodeBuild::Project` | 
| AWS Database Migration Service (AWS DMS) | `AWS::DMS::Endpoint`, `AWS::DMS::ReplicationInstance`, `AWS::DMS::ReplicationTask` | 
| Amazon DynamoDB | `AWS::DynamoDB::Table` | 
| Amazon Elastic Compute Cloud (Amazon EC2) | `AWS::EC2::ClientVpnEndpoint`, `AWS::EC2::EIP`, `AWS::EC2::Instance`, `AWS::EC2::LaunchTemplate`, `AWS::EC2::NetworkAcl`, `AWS::EC2::NetworkInterface`, `AWS::EC2::SecurityGroup`, `AWS::EC2::Subnet`, `AWS::EC2::TransitGateway`, `AWS::EC2::VPNConnection`, `AWS::EC2::Volume` | 
| Amazon EC2 Auto Scaling | `AWS::AutoScaling::AutoScalingGroup`, `AWS::AutoScaling::LaunchConfiguration` | 
| Amazon Elastic Container Registry (Amazon ECR) | `AWS::ECR::Repository` | 
| Amazon Elastic Container Service (Amazon ECS) | `AWS::ECS::Cluster`, `AWS::ECS::Service`, `AWS::ECS::TaskDefinition` | 
| Amazon Elastic File System (Amazon EFS) | `AWS::EFS::AccessPoint` | 
| Amazon Elastic Kubernetes Service (Amazon EKS) | `AWS::EKS::Cluster` | 
| AWS Elastic Beanstalk | `AWS::ElasticBeanstalk::Environment` | 
| Elastic Load Balancing | `AWS::ElasticLoadBalancing::LoadBalancer`, `AWS::ElasticLoadBalancingV2::Listener`, `AWS::ElasticLoadBalancingV2::LoadBalancer` | 
| Amazon ElasticSearch | `AWS::Elasticsearch::Domain` | 
| Amazon EMR | `AWS::EMR::SecurityConfiguration` | 
| Amazon EventBridge | `AWS::Events::Endpoint`, `AWS::Events::EventBus` | 
| AWS Glue | `AWS::Glue::Job` | 
| AWS Identity and Access Management (IAM) | `AWS::IAM::Group`, `AWS::IAM::Policy`, `AWS::IAM::Role`, `AWS::IAM::User` | 
| AWS Key Management Service (AWS KMS) | `AWS::KMS::Alias`, `AWS::KMS::Key` | 
| Amazon Kinesis | `AWS::Kinesis::Stream` | 
| AWS Lambda | `AWS::Lambda::Function` | 
| Amazon Managed Streaming for Apache Kafka (Amazon MSK) | `AWS::MSK::Cluster` | 
| Amazon MQ | `AWS::AmazonMQ::Broker` | 
| AWS Network Firewall | `AWS::NetworkFirewall::Firewall`, `AWS::NetworkFirewall::FirewallPolicy`, `AWS::NetworkFirewall::RuleGroup` | 
| Amazon OpenSearch Service | `AWS::OpenSearch::Domain` | 
| Amazon Relational Database Service (Amazon RDS) | `AWS::RDS::DBCluster`, `AWS::RDS::DBClusterSnapshot`, `AWS::RDS::DBInstance`, `AWS::RDS::DBSnapshot`, `AWS::RDS::EventSubscription` | 
| Amazon Redshift | `AWS::Redshift::Cluster`, `AWS::Redshift::ClusterSubnetGroup` | 
| Amazon Route 53 | `AWS::Route53::HostedZone` | 
| Amazon Simple Storage Service (Amazon S3) | `AWS::S3::AccessPoint`, `AWS::S3::AccountPublicAccessBlock`, `AWS::S3::Bucket` | 
| AWS Service Catalog | `AWS::ServiceCatalog::Portfolio` | 
| Amazon Simple Notification Service (Amazon SNS) | `AWS::SNS::Topic` | 
| Amazon Simple Queue Service (Amazon SQS) | `AWS::SQS::Queue` | 
| Amazon EC2 Systems Manager (SSM)  | `AWS::SSM::AssociationCompliance`, `AWS::SSM::ManagedInstanceInventory`, `AWS::SSM::PatchCompliance` | 
| Amazon SageMaker AI | `AWS::SageMaker::NotebookInstance` | 
| AWS Secrets Manager | `AWS::SecretsManager::Secret` | 
| AWS Transfer Family | `AWS::Transfer::Connector` | 
| AWS WAF | `AWS::WAF::Rule`, `AWS::WAF::RuleGroup`, `AWS::WAF::WebACL`, `AWS::WAFRegional::Rule`, `AWS::WAFRegional::RuleGroup`, `AWS::WAFRegional::WebACL`, `AWS::WAFv2::RuleGroup`, `AWS::WAFv2::WebACL` | 

## Resources required for the NIST SP 800-171 Revision 2 standard
<a name="nist-800-171-config-resources"></a>

For Security Hub CSPM to accurately report findings for change-triggered controls that apply to the NIST SP 800-171 Revision 2 standard, are enabled, and use AWS Config rules, you must record the following resource types in AWS Config. For information about this standard, see [NIST SP 800-171 Revision 2 in Security Hub CSPM](standards-reference-nist-800-171.md).


| AWS service | Resource type | 
| --- | --- | 
| AWS Certificate Manager (ACM) | `AWS::ACM::Certificate` | 
| Amazon API Gateway | `AWS::ApiGateway::Stage` | 
| Amazon CloudFront | `AWS::CloudFront::Distribution` | 
| Amazon CloudWatch | `AWS::CloudWatch::Alarm` | 
| Amazon Elastic Compute Cloud (Amazon EC2) | `AWS::EC2::ClientVpnEndpoint`, `AWS::EC2::NetworkAcl`, `AWS::EC2::SecurityGroup`, `AWS::EC2::VPC`, `AWS::EC2::VPNConnection` | 
| Elastic Load Balancing | `AWS::ElasticLoadBalancing::LoadBalancer` | 
| AWS Identity and Access Management (IAM) | `AWS::IAM::Policy`, `AWS::IAM::User` | 
| AWS Key Management Service (AWS KMS) | `AWS::KMS::Alias`, `AWS::KMS::Key` | 
| AWS Network Firewall | `AWS::NetworkFirewall::FirewallPolicy`, `AWS::NetworkFirewall::RuleGroup` | 
| Amazon Simple Storage Service (Amazon S3) | `AWS::S3::Bucket` | 
| Amazon Simple Notification Service (Amazon SNS) | `AWS::SNS::Topic` | 
| AWS Systems Manager (SSM) | `AWS::SSM::PatchCompliance` | 
| AWS WAF | `AWS::WAFv2::RuleGroup` | 
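A practical check for the table above, added here as an example rather than code from the AWS documentation: given a recorder's `recordingGroup` (the shape returned by `describe-configuration-recorders`), report which NIST SP 800-171 Rev. 2 resource types would not be recorded. The required list is copied from the table; the sample recorder is constructed, and the global IAM handling assumes the documented `includeGlobalResourceTypes` behaviour.

```python
"""Check whether an AWS Config recorder covers the resource types a standard needs."""
from typing import Dict, List, Set

# Copied from the NIST SP 800-171 Rev. 2 table above.
NIST_800_171_REQUIRED: Set[str] = {
    "AWS::ACM::Certificate", "AWS::ApiGateway::Stage", "AWS::CloudFront::Distribution",
    "AWS::CloudWatch::Alarm", "AWS::EC2::ClientVpnEndpoint", "AWS::EC2::NetworkAcl",
    "AWS::EC2::SecurityGroup", "AWS::EC2::VPC", "AWS::EC2::VPNConnection",
    "AWS::ElasticLoadBalancing::LoadBalancer", "AWS::IAM::Policy", "AWS::IAM::User",
    "AWS::KMS::Alias", "AWS::KMS::Key", "AWS::NetworkFirewall::FirewallPolicy",
    "AWS::NetworkFirewall::RuleGroup", "AWS::S3::Bucket", "AWS::SNS::Topic",
    "AWS::SSM::PatchCompliance", "AWS::WAFv2::RuleGroup",
}
# IAM resource types are global in AWS Config; recording them with
# allSupported requires includeGlobalResourceTypes to be enabled.
GLOBAL_IAM_TYPES: Set[str] = {"AWS::IAM::User", "AWS::IAM::Policy", "AWS::IAM::Role", "AWS::IAM::Group"}


def missing_resource_types(recording_group: Dict, required: Set[str]) -> List[str]:
    """Return the required types that this recordingGroup would not record.

    Handles the three recorder strategies: record all supported types,
    an explicit inclusion list (resourceTypes), and an exclusion list
    (exclusionByResourceTypes with recordingStrategy EXCLUSION_BY_RESOURCE_TYPES).
    """
    strategy = recording_group.get("recordingStrategy", {}).get("useOnly", "")
    if strategy == "EXCLUSION_BY_RESOURCE_TYPES":
        excluded = set(recording_group.get("exclusionByResourceTypes", {}).get("resourceTypes", []))
        return sorted(required & excluded)
    if recording_group.get("allSupported") or strategy == "ALL_SUPPORTED_RESOURCE_TYPES":
        if recording_group.get("includeGlobalResourceTypes"):
            return []
        return sorted(required & GLOBAL_IAM_TYPES)
    return sorted(required - set(recording_group.get("resourceTypes", [])))


# Constructed sample: an inclusion-list recorder that forgot the IAM and KMS key types.
SAMPLE_RECORDING_GROUP = {
    "allSupported": False,
    "includeGlobalResourceTypes": False,
    "resourceTypes": sorted(NIST_800_171_REQUIRED - {"AWS::IAM::Policy", "AWS::IAM::User", "AWS::KMS::Key"}),
    "recordingStrategy": {"useOnly": "INCLUSION_BY_RESOURCE_TYPES"},
}

if __name__ == "__main__":
    for rt in missing_resource_types(SAMPLE_RECORDING_GROUP, NIST_800_171_REQUIRED):
        print(f"NOT RECORDED: {rt}")
```

Swap in the resource types from any other table on this page to check the same recorder against that standard.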

## Required resources for PCI DSS v3.2.1
<a name="securityhub-standards-pci-config-resources"></a>

For Security Hub CSPM to accurately report findings for controls that apply to the Payment Card Industry Data Security Standard (PCI DSS) v3.2.1, are enabled, and use AWS Config rules, you must record the following resource types in AWS Config. For information about this standard, see [PCI DSS in Security Hub CSPM](pci-standard.md).


| AWS service | Resource type | 
| --- | --- | 
| AWS CodeBuild | `AWS::CodeBuild::Project` | 
| Amazon Elastic Compute Cloud (Amazon EC2) | `AWS::EC2::EIP`, `AWS::EC2::Instance`, `AWS::EC2::SecurityGroup` | 
| Amazon EC2 Auto Scaling | `AWS::AutoScaling::AutoScalingGroup` | 
| AWS Identity and Access Management (IAM) | `AWS::IAM::Policy`, `AWS::IAM::User` | 
| AWS Lambda | `AWS::Lambda::Function` | 
| Amazon OpenSearch Service | `AWS::OpenSearch::Domain` | 
| Amazon Relational Database Service (Amazon RDS) | `AWS::RDS::DBClusterSnapshot`, `AWS::RDS::DBInstance`, `AWS::RDS::DBSnapshot` | 
| Amazon Redshift | `AWS::Redshift::Cluster` | 
| Amazon Simple Storage Service (Amazon S3) | `AWS::S3::AccountPublicAccessBlock`, `AWS::S3::Bucket` | 
| Amazon EC2 Systems Manager (SSM)  | `AWS::SSM::AssociationCompliance`, `AWS::SSM::ManagedInstanceInventory`, `AWS::SSM::PatchCompliance` | 

## Required AWS resources for the AWS Resource Tagging Standard
<a name="tagging-config-resources"></a>

All controls that apply to the AWS Resource Tagging Standard are change-triggered and use AWS Config rules. For Security Hub CSPM to accurately report findings for these controls, you must record the following resource types in AWS Config. For information about this standard, see [AWS Resource Tagging Standard in AWS Security Hub CSPM](standards-tagging.md).


| AWS service | Resource type | 
| --- | --- | 
| AWS Amplify | `AWS::Amplify::App`, `AWS::Amplify::Branch` | 
| Amazon AppFlow  | `AWS::AppFlow::Flow` | 
| AWS App Runner  | `AWS::AppRunner::Service`, `AWS::AppRunner::VpcConnector` | 
| AWS AppConfig  | `AWS::AppConfig::Application`, `AWS::AppConfig::ConfigurationProfile`, `AWS::AppConfig::Environment`, `AWS::AppConfig::ExtensionAssociation` | 
| AWS AppSync  | `AWS::AppSync::GraphQLApi` | 
| Amazon Athena  | `AWS::Athena::DataCatalog`, `AWS::Athena::WorkGroup` | 
| AWS Backup | `AWS::Backup::BackupPlan`, `AWS::Backup::BackupVault`, `AWS::Backup::RecoveryPlan`, `AWS::Backup::ReportPlan` | 
| AWS Batch  | `AWS::Batch::ComputeEnvironment`, `AWS::Batch::JobQueue`, `AWS::Batch::SchedulingPolicy` | 
| AWS Certificate Manager (ACM)  | `AWS::ACM::Certificate` | 
| AWS CloudFormation  | `AWS::CloudFormation::Stack` | 
| Amazon CloudFront  | `AWS::CloudFront::Distribution` | 
| AWS CloudTrail  | `AWS::CloudTrail::Trail` | 
| AWS CodeArtifact  | `AWS::CodeArtifact::Repository` | 
| Amazon CodeGuru  | `AWS::CodeGuruProfiler::ProfilingGroup`, `AWS::CodeGuruReviewer::RepositoryAssociation` | 
| Amazon Connect  | `AWS::CustomerProfiles::ObjectType` | 
| AWS Database Migration Service (AWS DMS)  | `AWS::DMS::Certificate`, `AWS::DMS::EventSubscription`, `AWS::DMS::ReplicationInstance`, `AWS::DMS::ReplicationSubnetGroup` | 
| AWS DataSync | `AWS::DataSync::Task` | 
| Amazon Detective  | `AWS::Detective::Graph` | 
| Amazon DynamoDB  | `AWS::DynamoDB::Trail` | 
| Amazon Elastic Compute Cloud (EC2)  | `AWS::EC2::CustomerGateway`, `AWS::EC2::DHCPOptions`, `AWS::EC2::EIP`, `AWS::EC2::FlowLog`, `AWS::EC2::Instance`, `AWS::EC2::InternetGateway`, `AWS::EC2::LaunchTemplate`, `AWS::EC2::NatGateway`, `AWS::EC2::NetworkAcl`, `AWS::EC2::NetworkInterface`, `AWS::EC2::PrefixList`, `AWS::EC2::RouteTable`, `AWS::EC2::SecurityGroup`, `AWS::EC2::Subnet`, `AWS::EC2::TrafficMirrorFilter`, `AWS::EC2::TrafficMirrorSession`, `AWS::EC2::TrafficMirrorTarget`, `AWS::EC2::TransitGateway`, `AWS::EC2::TransitGatewayAttachment`, `AWS::EC2::TransitGatewayRouteTable`, `AWS::EC2::Volume`, `AWS::EC2::VPC`, `AWS::EC2::VPCEndpointService`, `AWS::EC2::VPCPeeringConnection`, `AWS::EC2::VPNGateway` | 
| Amazon EC2 Auto Scaling  | `AWS::AutoScaling::AutoScalingGroup` | 
| Amazon Elastic Container Registry (Amazon ECR)  | `AWS::ECR::PublicRepository` | 
| Amazon Elastic Container Service (Amazon ECS)  | `AWS::ECS::Cluster`, `AWS::ECS::Service`, `AWS::ECS::TaskDefinition` | 
| Amazon Elastic File System (Amazon EFS)  | `AWS::EFS::AccessPoint` | 
| Amazon Elastic Kubernetes Service (Amazon EKS)  | `AWS::EKS::Cluster`, `AWS::EKS::IdentityProviderConfig` | 
| AWS Elastic Beanstalk | `AWS::ElasticBeanstalk::Environment` | 
| ElasticSearch  | `AWS::Elasticsearch::Domain` | 
| Amazon EventBridge  | `AWS::Events::EventBus` | 
| Amazon Fraud Detector  | `AWS::FraudDetector::EntityType`, `AWS::FraudDetector::Label`, `AWS::FraudDetector::Outcome`, `AWS::FraudDetector::Variable` | 
| AWS Global Accelerator  | `AWS::GlobalAccelerator::Accelerator` | 
| AWS Glue  | `AWS::Glue::Job` | 
| Amazon GuardDuty  | `AWS::GuardDuty::Detector`, `AWS::GuardDuty::Filter`, `AWS::GuardDuty::IPSet` | 
| AWS Identity and Access Management (IAM)  | `AWS::IAM::Role`, `AWS::IAM::User` | 
| AWS Identity and Access Management Access Analyzer (IAM Access Analyzer)  | `AWS::AccessAnalyzer::Analyzer` | 
| AWS IoT  | `AWS::IoT::Authorizer`, `AWS::IoT::Dimension`, `AWS::IoT::MitigationAction`, `AWS::IoT::Policy`, `AWS::IoT::RoleAlias`, `AWS::IoT::SecurityProfile` | 
| AWS IoT Events  | `AWS::IoTEvents::AlarmModel`, `AWS::IoTEvents::DetectorModel`, `AWS::IoTEvents::Input` | 
| AWS IoT SiteWise  | `AWS::IoTSiteWise::Dashboard`, `AWS::IoTSiteWise::Gateway`, `AWS::IoTSiteWise::Portal`, `AWS::IoTSiteWise::Project` | 
| AWS IoT TwinMaker  | `AWS::IoTTwinMaker::Entity`, `AWS::IoTTwinMaker::Scene`, `AWS::IoTTwinMaker::SyncJob`, `AWS::IoTTwinMaker::Workspace` | 
| AWS IoT Wireless  | `AWS::IoTWireless::FuotaTask`, `AWS::IoTWireless::MulticastGroup`, `AWS::IoTWireless::ServiceProfile` | 
| Amazon Interactive Video Service (Amazon IVS)  | `AWS::IVS::Channel`, `AWS::IVS::PlaybackKeyPair`, `AWS::IVS::RecordingConfiguration` | 
| Amazon Keyspaces (for Apache Cassandra)  | `AWS::Cassandra::Keyspace` | 
| Amazon Kinesis  | `AWS::Kinesis::Stream` | 
| AWS Lambda  | `AWS::Lambda::Function` | 
| Amazon MQ  | `AWS::AmazonMQ::Broker` | 
| AWS Network Firewall  | `AWS::NetworkFirewall::Firewall`, `AWS::NetworkFirewall::FirewallPolicy` | 
| Amazon OpenSearch Service | `AWS::OpenSearch::Domain` | 
| AWS Private Certificate Authority | `AWS::ACMPCA::CertificateAuthority` | 
| Amazon Relational Database Service  | `AWS::RDS::DBCluster`, `AWS::RDS::DBClusterSnapshot`, `AWS::RDS::DBInstance`, `AWS::RDS::DBSecurityGroup`, `AWS::RDS::DBSnapshot`, `AWS::RDS::DBSubnetGroup` | 
| Amazon Redshift  | `AWS::Redshift::Cluster`, `AWS::Redshift::ClusterParameterGroup`, `AWS::Redshift::ClusterSnapshot`, `AWS::Redshift::ClusterSubnetGroup`, `AWS::Redshift::EventSubscription` | 
| Amazon Route 53  | `AWS::Route53::HealthCheck` | 
| Amazon SageMaker AI | `AWS::SageMaker::AppImageConfig`, `AWS::SageMaker::Image` | 
| AWS Secrets Manager  | `AWS::SecretsManager::Secret` | 
| Amazon Simple Email Service (Amazon SES)  | `AWS::SES::ConfigurationSet`, `AWS::SES::ContactList` | 
| Amazon Simple Notification Service (Amazon SNS)  | `AWS::SNS::Topic` | 
| Amazon Simple Queue Service (Amazon SQS)  | `AWS::SQS::Queue` | 
| AWS Step Functions  | `AWS::StepFunctions::Activity` | 
| AWS Systems Manager (SSM) | `AWS::SSM::Document` | 
| AWS Transfer Family | `AWS::Transfer::Agreement`, `AWS::Transfer::Certificate`, `AWS::Transfer::Connector`, `AWS::Transfer::Profile`, `AWS::Transfer::Workflow` | 