AWS securityhub documentation change
Summary
Added documentation for tagging controls EC2.174-179 covering DHCP options, launch templates, and traffic mirroring resources
Security assessment
Tagging controls help with resource management but do not directly mitigate security vulnerabilities
Diff
diff --git a/securityhub/latest/userguide/ec2-controls.md b/securityhub/latest/userguide/ec2-controls.md index b6db3d884..008201fca 100644 --- a//securityhub/latest/userguide/ec2-controls.md +++ b//securityhub/latest/userguide/ec2-controls.md @@ -5 +5 @@ -[EC2.1] Amazon EBS snapshots should not be publicly restorable[EC2.2] VPC default security groups should not allow inbound or outbound traffic[EC2.3] Attached Amazon EBS volumes should be encrypted at-rest[EC2.4] Stopped EC2 instances should be removed after a specified time period[EC2.6] VPC flow logging should be enabled in all VPCs[EC2.7] EBS default encryption should be enabled[EC2.8] EC2 instances should use Instance Metadata Service Version 2 (IMDSv2)[EC2.9] Amazon EC2 instances should not have a public IPv4 address[EC2.10] Amazon EC2 should be configured to use VPC endpoints that are created for the Amazon EC2 service[EC2.12] Unused Amazon EC2 EIPs should be removed[EC2.13] Security groups should not allow ingress from 0.0.0.0/0 or ::/0 to port 22[EC2.14] Security groups should not allow ingress from 0.0.0.0/0 or ::/0 to port 3389[EC2.15] Amazon EC2 subnets should not automatically assign public IP addresses[EC2.16] Unused Network Access Control Lists should be removed[EC2.17] Amazon EC2 instances should not use multiple ENIs[EC2.18] Security groups should only allow unrestricted incoming traffic for authorized ports[EC2.19] Security groups should not allow unrestricted access to ports with high risk[EC2.20] Both VPN tunnels for an AWS Site-to-Site VPN connection should be up[EC2.21] Network ACLs should not allow ingress from 0.0.0.0/0 to port 22 or port 3389[EC2.22] Unused Amazon EC2 security groups should be removed[EC2.23] Amazon EC2 Transit Gateways should not automatically accept VPC attachment requests[EC2.24] Amazon EC2 paravirtual instance types should not be used[EC2.25] Amazon EC2 launch templates should not assign public IPs to network interfaces[EC2.28] EBS volumes should be covered by a backup plan[EC2.33] EC2 transit gateway attachments should be tagged[EC2.34] EC2 transit gateway route tables should be tagged[EC2.35] EC2 network interfaces should be tagged[EC2.36] EC2 customer gateways should be tagged[EC2.37] EC2 Elastic IP addresses should be tagged[EC2.38] EC2 instances should be tagged[EC2.39] EC2 internet gateways should be tagged[EC2.40] EC2 NAT gateways should be tagged[EC2.41] EC2 network ACLs should be tagged[EC2.42] EC2 route tables should be tagged[EC2.43] EC2 security groups should be tagged[EC2.44] EC2 subnets should be tagged[EC2.45] EC2 volumes should be tagged[EC2.46] Amazon VPCs should be tagged[EC2.47] Amazon VPC endpoint services should be tagged[EC2.48] Amazon VPC flow logs should be tagged[EC2.49] Amazon VPC peering connections should be tagged[EC2.50] EC2 VPN gateways should be tagged[EC2.51] EC2 Client VPN endpoints should have client connection logging enabled[EC2.52] EC2 transit gateways should be tagged[EC2.53] EC2 security groups should not allow ingress from 0.0.0.0/0 to remote server administration ports[EC2.54] EC2 security groups should not allow ingress from ::/0 to remote server administration ports[EC2.55] VPCs should be configured with an interface endpoint for ECR API[EC2.56] VPCs should be configured with an interface endpoint for Docker Registry[EC2.57] VPCs should be configured with an interface endpoint for Systems Manager[EC2.58] VPCs should be configured with an interface endpoint for Systems Manager Incident Manager Contacts[EC2.60] VPCs should be configured with an interface endpoint for Systems Manager Incident Manager[EC2.170] EC2 launch templates should use Instance Metadata Service Version 2 (IMDSv2)[EC2.171] EC2 VPN connections should have logging enabled[EC2.172] EC2 VPC Block Public Access settings should block internet gateway traffic +[EC2.1] Amazon EBS snapshots should not be publicly restorable[EC2.2] VPC default security groups should not allow inbound or outbound traffic[EC2.3] Attached Amazon EBS volumes should be encrypted at-rest[EC2.4] Stopped EC2 instances should be removed after a specified time period[EC2.6] VPC flow logging should be enabled in all VPCs[EC2.7] EBS default encryption should be enabled[EC2.8] EC2 instances should use Instance Metadata Service Version 2 (IMDSv2)[EC2.9] Amazon EC2 instances should not have a public IPv4 address[EC2.10] Amazon EC2 should be configured to use VPC endpoints that are created for the Amazon EC2 service[EC2.12] Unused Amazon EC2 EIPs should be removed[EC2.13] Security groups should not allow ingress from 0.0.0.0/0 or ::/0 to port 22[EC2.14] Security groups should not allow ingress from 0.0.0.0/0 or ::/0 to port 3389[EC2.15] Amazon EC2 subnets should not automatically assign public IP addresses[EC2.16] Unused Network Access Control Lists should be removed[EC2.17] Amazon EC2 instances should not use multiple ENIs[EC2.18] Security groups should only allow unrestricted incoming traffic for authorized ports[EC2.19] Security groups should not allow unrestricted access to ports with high risk[EC2.20] Both VPN tunnels for an AWS Site-to-Site VPN connection should be up[EC2.21] Network ACLs should not allow ingress from 0.0.0.0/0 to port 22 or port 3389[EC2.22] Unused Amazon EC2 security groups should be removed[EC2.23] Amazon EC2 Transit Gateways should not automatically accept VPC attachment requests[EC2.24] Amazon EC2 paravirtual instance types should not be used[EC2.25] Amazon EC2 launch templates should not assign public IPs to network interfaces[EC2.28] EBS volumes should be covered by a backup plan[EC2.33] EC2 transit gateway attachments should be tagged[EC2.34] EC2 transit gateway route tables should be tagged[EC2.35] EC2 network interfaces should be tagged[EC2.36] EC2 customer gateways should be tagged[EC2.37] EC2 Elastic IP addresses should be tagged[EC2.38] EC2 instances should be tagged[EC2.39] EC2 internet gateways should be tagged[EC2.40] EC2 NAT gateways should be tagged[EC2.41] EC2 network ACLs should be tagged[EC2.42] EC2 route tables should be tagged[EC2.43] EC2 security groups should be tagged[EC2.44] EC2 subnets should be tagged[EC2.45] EC2 volumes should be tagged[EC2.46] Amazon VPCs should be tagged[EC2.47] Amazon VPC endpoint services should be tagged[EC2.48] Amazon VPC flow logs should be tagged[EC2.49] Amazon VPC peering connections should be tagged[EC2.50] EC2 VPN gateways should be tagged[EC2.51] EC2 Client VPN endpoints should have client connection logging enabled[EC2.52] EC2 transit gateways should be tagged[EC2.53] EC2 security groups should not allow ingress from 0.0.0.0/0 to remote server administration ports[EC2.54] EC2 security groups should not allow ingress from ::/0 to remote server administration ports[EC2.55] VPCs should be configured with an interface endpoint for ECR API[EC2.56] VPCs should be configured with an interface endpoint for Docker Registry[EC2.57] VPCs should be configured with an interface endpoint for Systems Manager[EC2.58] VPCs should be configured with an interface endpoint for Systems Manager Incident Manager Contacts[EC2.60] VPCs should be configured with an interface endpoint for Systems Manager Incident Manager[EC2.170] EC2 launch templates should use Instance Metadata Service Version 2 (IMDSv2)[EC2.171] EC2 VPN connections should have logging enabled[EC2.172] EC2 VPC Block Public Access settings should block internet gateway traffic[EC2.173] EC2 Spot Fleet requests should enable encryption for attached EBS volumes[EC2.174] EC2 DHCP option sets should be tagged[EC2.175] EC2 launch templates should be tagged[EC2.176] EC2 prefix lists should be tagged[EC2.177] EC2 traffic mirror sessions should be tagged[EC2.178] EC2 traffic mirror filters should be tagged[EC2.179] EC2 traffic mirror targets should be tagged @@ -731 +731 @@ Parameter | Description | Type | Allowed custom values | Security Hub default va -`requiredTagKeys` | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive. | StringList | List of tags that meet [AWS requirements](https://docs.aws.amazon.com/tag-editor/latest/userguide/tagging.html#tag-conventions) | No default value +`requiredTagKeys` | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive. | StringList (maximum of 6 items) | 1–6 tag keys that meet [AWS requirements](https://docs.aws.amazon.com/tag-editor/latest/userguide/tagging.html#tag-conventions). | No default value @@ -761 +761 @@ Parameter | Description | Type | Allowed custom values | Security Hub default va -`requiredTagKeys` | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive. | StringList | List of tags that meet [AWS requirements](https://docs.aws.amazon.com/tag-editor/latest/userguide/tagging.html#tag-conventions) | No default value +`requiredTagKeys` | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive. | StringList (maximum of 6 items) | 1–6 tag keys that meet [AWS requirements](https://docs.aws.amazon.com/tag-editor/latest/userguide/tagging.html#tag-conventions). | No default value @@ -791 +791 @@ Parameter | Description | Type | Allowed custom values | Security Hub default va -`requiredTagKeys` | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive. | StringList | List of tags that meet [AWS requirements](https://docs.aws.amazon.com/tag-editor/latest/userguide/tagging.html#tag-conventions) | No default value +`requiredTagKeys` | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive. | StringList (maximum of 6 items) | 1–6 tag keys that meet [AWS requirements](https://docs.aws.amazon.com/tag-editor/latest/userguide/tagging.html#tag-conventions). | No default value @@ -821 +821 @@ Parameter | Description | Type | Allowed custom values | Security Hub default va -`requiredTagKeys` | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive. | StringList | List of tags that meet [AWS requirements](https://docs.aws.amazon.com/tag-editor/latest/userguide/tagging.html#tag-conventions) | No default value +`requiredTagKeys` | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive. | StringList (maximum of 6 items) | 1–6 tag keys that meet [AWS requirements](https://docs.aws.amazon.com/tag-editor/latest/userguide/tagging.html#tag-conventions). | No default value @@ -851 +851 @@ Parameter | Description | Type | Allowed custom values | Security Hub default va -`requiredTagKeys` | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive. | StringList | List of tags that meet [AWS requirements](https://docs.aws.amazon.com/tag-editor/latest/userguide/tagging.html#tag-conventions) | No default value +`requiredTagKeys` | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive. | StringList (maximum of 6 items) | 1–6 tag keys that meet [AWS requirements](https://docs.aws.amazon.com/tag-editor/latest/userguide/tagging.html#tag-conventions). | No default value @@ -881 +881 @@ Parameter | Description | Type | Allowed custom values | Security Hub default va -`requiredTagKeys` | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive. | StringList | List of tags that meet [AWS requirements](https://docs.aws.amazon.com/tag-editor/latest/userguide/tagging.html#tag-conventions) | No default value +`requiredTagKeys` | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive. | StringList (maximum of 6 items) | 1–6 tag keys that meet [AWS requirements](https://docs.aws.amazon.com/tag-editor/latest/userguide/tagging.html#tag-conventions). | No default value @@ -911 +911 @@ Parameter | Description | Type | Allowed custom values | Security Hub default va -`requiredTagKeys` | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive. | StringList | List of tags that meet [AWS requirements](https://docs.aws.amazon.com/tag-editor/latest/userguide/tagging.html#tag-conventions) | No default value +`requiredTagKeys` | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive. | StringList (maximum of 6 items) | 1–6 tag keys that meet [AWS requirements](https://docs.aws.amazon.com/tag-editor/latest/userguide/tagging.html#tag-conventions). | No default value @@ -941 +941 @@ Parameter | Description | Type | Allowed custom values | Security Hub default va -`requiredTagKeys` | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive. | StringList | List of tags that meet [AWS requirements](https://docs.aws.amazon.com/tag-editor/latest/userguide/tagging.html#tag-conventions) | No default value +`requiredTagKeys` | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive. | StringList (maximum of 6 items) | 1–6 tag keys that meet [AWS requirements](https://docs.aws.amazon.com/tag-editor/latest/userguide/tagging.html#tag-conventions). | No default value @@ -971 +971 @@ Parameter | Description | Type | Allowed custom values | Security Hub default va -`requiredTagKeys` | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive. | StringList | List of tags that meet [AWS requirements](https://docs.aws.amazon.com/tag-editor/latest/userguide/tagging.html#tag-conventions) | No default value +`requiredTagKeys` | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive. | StringList (maximum of 6 items) | 1–6 tag keys that meet [AWS requirements](https://docs.aws.amazon.com/tag-editor/latest/userguide/tagging.html#tag-conventions). | No default value @@ -1001 +1001 @@ Parameter | Description | Type | Allowed custom values | Security Hub default va -`requiredTagKeys` | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive. | StringList | List of tags that meet [AWS requirements](https://docs.aws.amazon.com/tag-editor/latest/userguide/tagging.html#tag-conventions) | No default value +`requiredTagKeys` | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive. | StringList (maximum of 6 items) | 1–6 tag keys that meet [AWS requirements](https://docs.aws.amazon.com/tag-editor/latest/userguide/tagging.html#tag-conventions). | No default value @@ -1031 +1031 @@ Parameter | Description | Type | Allowed custom values | Security Hub default va -`requiredTagKeys` | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive. | StringList | List of tags that meet [AWS requirements](https://docs.aws.amazon.com/tag-editor/latest/userguide/tagging.html#tag-conventions) | No default value +`requiredTagKeys` | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive. | StringList (maximum of 6 items) | 1–6 tag keys that meet [AWS requirements](https://docs.aws.amazon.com/tag-editor/latest/userguide/tagging.html#tag-conventions). | No default value @@ -1061 +1061 @@ Parameter | Description | Type | Allowed custom values | Security Hub default va -`requiredTagKeys` | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive. | StringList | List of tags that meet [AWS requirements](https://docs.aws.amazon.com/tag-editor/latest/userguide/tagging.html#tag-conventions) | No default value +`requiredTagKeys` | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive. | StringList (maximum of 6 items) | 1–6 tag keys that meet [AWS requirements](https://docs.aws.amazon.com/tag-editor/latest/userguide/tagging.html#tag-conventions). | No default value @@ -1091 +1091 @@ Parameter | Description | Type | Allowed custom values | Security Hub default va -`requiredTagKeys` | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive. | StringList | List of tags that meet [AWS requirements](https://docs.aws.amazon.com/tag-editor/latest/userguide/tagging.html#tag-conventions) | No default value +`requiredTagKeys` | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive. | StringList (maximum of 6 items) | 1–6 tag keys that meet [AWS requirements](https://docs.aws.amazon.com/tag-editor/latest/userguide/tagging.html#tag-conventions). | No default value @@ -1121 +1121 @@ Parameter | Description | Type | Allowed custom values | Security Hub default va -`requiredTagKeys` | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive. | StringList | List of tags that meet [AWS requirements](https://docs.aws.amazon.com/tag-editor/latest/userguide/tagging.html#tag-conventions) | No default value +`requiredTagKeys` | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive. | StringList (maximum of 6 items) | 1–6 tag keys that meet [AWS requirements](https://docs.aws.amazon.com/tag-editor/latest/userguide/tagging.html#tag-conventions). | No default value @@ -1151 +1151 @@ Parameter | Description | Type | Allowed custom values | Security Hub default va -`requiredTagKeys` | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive. | StringList | List of tags that meet [AWS requirements](https://docs.aws.amazon.com/tag-editor/latest/userguide/tagging.html#tag-conventions) | No default value +`requiredTagKeys` | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive. | StringList (maximum of 6 items) | 1–6 tag keys that meet [AWS requirements](https://docs.aws.amazon.com/tag-editor/latest/userguide/tagging.html#tag-conventions). | No default value @@ -1181 +1181 @@ Parameter | Description | Type | Allowed custom values | Security Hub default va -`requiredTagKeys` | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive. | StringList | List of tags that meet [AWS requirements](https://docs.aws.amazon.com/tag-editor/latest/userguide/tagging.html#tag-conventions) | No default value +`requiredTagKeys` | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive. | StringList (maximum of 6 items) | 1–6 tag keys that meet [AWS requirements](https://docs.aws.amazon.com/tag-editor/latest/userguide/tagging.html#tag-conventions). | No default value @@ -1211 +1211 @@ Parameter | Description | Type | Allowed custom values | Security Hub default va -`requiredTagKeys` | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive. | StringList | List of tags that meet [AWS requirements](https://docs.aws.amazon.com/tag-editor/latest/userguide/tagging.html#tag-conventions) | No default value +`requiredTagKeys` | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive. | StringList (maximum of 6 items) | 1–6 tag keys that meet [AWS requirements](https://docs.aws.amazon.com/tag-editor/latest/userguide/tagging.html#tag-conventions). | No default value @@ -1241 +1241 @@ Parameter | Description | Type | Allowed custom values | Security Hub default va -`requiredTagKeys` | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive. | StringList | List of tags that meet [AWS requirements](https://docs.aws.amazon.com/tag-editor/latest/userguide/tagging.html#tag-conventions) | No default value +`requiredTagKeys` | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive. | StringList (maximum of 6 items) | 1–6 tag keys that meet [AWS requirements](https://docs.aws.amazon.com/tag-editor/latest/userguide/tagging.html#tag-conventions). | No default value @@ -1295 +1295 @@ Parameter | Description | Type | Allowed custom values | Security Hub default va -`requiredTagKeys` | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive. | StringList | List of tags that meet [AWS requirements](https://docs.aws.amazon.com/tag-editor/latest/userguide/tagging.html#tag-conventions) | `No default value` +`requiredTagKeys` | List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive. | StringList (maximum of 6 items) | 1–6 tag keys that meet [AWS requirements](https://docs.aws.amazon.com/tag-editor/latest/userguide/tagging.html#tag-conventions). | `No default value` @@ -1585,0 +1586,206 @@ To enable bi-directional BPA at the account level, see [Enable BPA bidirectional +## [EC2.173] EC2 Spot Fleet requests should enable encryption for attached EBS volumes + +**Category:** Protect > Data Protection > Encryption of data-at-rest + +**Severity:** Medium + +**Resource type:** `AWS::EC2::SpotFleet` + +**AWS Config rule:** [ec2-spot-fleet-request-ct-encryption-at-rest](https://docs.aws.amazon.com/config/latest/developerguide/ec2-spot-fleet-request-ct-encryption-at-rest.html) + +**Schedule type:** Change triggered + +**Parameters:** None + +This control checks whether an Amazon EC2 Spot Fleet request enables encryption for all Amazon Elastic Block Store (Amazon EBS) volumes attached to EC2 instances. The control fails if the Spot Fleet request doesn't enable encryption for one or more EBS volumes specified in the request. + +For an additional layer of security, you should enable encryption for Amazon EBS volumes. Encryption operations then occur on the servers that host Amazon EC2 instances, which helps ensure the security of both data at rest and data in transit between an instance and its attached EBS storage. Amazon EBS encryption is a straightforward encryption solution for EBS resources associated with your EC2 instances. With EBS encryption, you aren't required to build, maintain, and secure your own key management infrastructure. EBS encryption uses AWS KMS keys when creating encrypted volumes. + +### Remediation + +There's no direct way to encrypt an existing, unencrypted Amazon EBS volume. You can encrypt a new volume only when you create it. + +However, if you enable encryption by default, Amazon EBS encrypts new volumes by using your default key for EBS encryption. If you don't enable encryption by default, you can enable encryption when you create an individual volume. In both cases, you can override the default key for EBS encryption and choose a customer managed AWS KMS key. For more information about EBS encryption, see [Amazon EBS encryption](https://docs.aws.amazon.com/ebs/latest/userguide/ebs-encryption.html) in the _Amazon EBS User Guide_. + +For information about creating an Amazon EC2 Spot Fleet request, see [Create a Spot Fleet](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/create-spot-fleet.html) in the _Amazon Elastic Compute Cloud User Guide_. + +## [EC2.174] EC2 DHCP option sets should be tagged + +**Category:** Identify > Inventory > Tagging + +**Severity:** Low + +**Resource type:** `AWS::EC2::DHCPOptions` + +**AWS Config rule:** [ec2-dhcp-options-tagged](https://docs.aws.amazon.com/config/latest/developerguide/ec2-dhcp-options-tagged.html) + +**Schedule type:** Change triggered + +**Parameters:** + +Parameter | Description | Type | Allowed custom values | Security Hub default value +---|---|---|---|--- +`requiredKeyTags` | A list of non-system tag keys that must be assigned to an evaluated resource. Tag keys are case sensitive. | StringList (maximum of 6 items) | 1–6 tag keys that meet [AWS requirements](https://docs.aws.amazon.com/tag-editor/latest/userguide/tagging.html#tag-conventions). | No default value + +This control checks whether an Amazon EC2 DHCP option set has the tag keys specified by the `requiredKeyTags` parameter. The control fails if the option set doesn't have any tag keys, or it doesn't have all the keys specified by the `requiredKeyTags` parameter. If you don't specify any values for the `requiredKeyTags` parameter, the control checks only for the existence of a tag key and fails if the option set doesn't have any tag keys. The control ignores system tags, which are applied automatically and have the `aws:` prefix. + +A tag is a label that you create and assign to an AWS resource. Each tag consists of a required tag key and an optional tag value. You can use tags to categorize resources by purpose, owner, environment, or other criteria. They can help you identify, organize, search for, and filter resources. They can also help you track resource owners for actions and notifications. You can also use tags to implement attribute-based access control (ABAC) as an authorization strategy. For more information about ABAC strategies, see [Define permissions based on attributes with ABAC authorization](https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the _IAM User Guide_. For more information about tags, see the [Tagging AWS Resources and Tag Editor User Guide](https://docs.aws.amazon.com/tag-editor/latest/userguide/tagging.html). + +###### Note + +Do not store personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible from many AWS services. They aren't intended to be used for private or sensitive data. + +### Remediation + +For information about adding tags to an Amazon EC2 DHCP option set, see [Tag your Amazon EC2 resources](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html) in the _Amazon EC2 User Guide_. + +## [EC2.175] EC2 launch templates should be tagged + +**Category:** Identify > Inventory > Tagging + +**Severity:** Low + +**Resource type:** `AWS::EC2::LaunchTemplate` + +**AWS Config rule:** [ec2-launch-template-tagged](https://docs.aws.amazon.com/config/latest/developerguide/ec2-launch-template-tagged.html) + +**Schedule type:** Change triggered + +**Parameters:** + +Parameter | Description | Type | Allowed custom values | Security Hub default value +---|---|---|---|--- +`requiredKeyTags` | A list of non-system tag keys that must be assigned to an evaluated resource. Tag keys are case sensitive. | StringList (maximum of 6 items) | 1–6 tag keys that meet [AWS requirements](https://docs.aws.amazon.com/tag-editor/latest/userguide/tagging.html#tag-conventions). | No default value + +This control checks whether an Amazon EC2 launch template has the tag keys specified by the `requiredKeyTags` parameter. The control fails if the launch template doesn't have any tag keys, or it doesn't have all the keys specified by the `requiredKeyTags` parameter. If you don't specify any values for the `requiredKeyTags` parameter, the control checks only for the existence of a tag key and fails if the launch template doesn't have any tag keys. The control ignores system tags, which are applied automatically and have the `aws:` prefix. + +A tag is a label that you create and assign to an AWS resource. Each tag consists of a required tag key and an optional tag value. You can use tags to categorize resources by purpose, owner, environment, or other criteria. They can help you identify, organize, search for, and filter resources. They can also help you track resource owners for actions and notifications. You can also use tags to implement attribute-based access control (ABAC) as an authorization strategy. For more information about ABAC strategies, see [Define permissions based on attributes with ABAC authorization](https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the _IAM User Guide_. For more information about tags, see the [Tagging AWS Resources and Tag Editor User Guide](https://docs.aws.amazon.com/tag-editor/latest/userguide/tagging.html). + +###### Note + +Do not store personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible from many AWS services. They aren't intended to be used for private or sensitive data. + +### Remediation + +For information about adding tags to an Amazon EC2 launch template, see [Tag your Amazon EC2 resources](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html) in the _Amazon EC2 User Guide_. + +## [EC2.176] EC2 prefix lists should be tagged + +**Category:** Identify > Inventory > Tagging + +**Severity:** Low + +**Resource type:** `AWS::EC2::PrefixList` + +**AWS Config rule:** [ec2-prefix-list-tagged](https://docs.aws.amazon.com/config/latest/developerguide/ec2-prefix-list-tagged.html) + +**Schedule type:** Change triggered + +**Parameters:** + +Parameter | Description | Type | Allowed custom values | Security Hub default value +---|---|---|---|--- +`requiredKeyTags` | A list of non-system tag keys that must be assigned to an evaluated resource. Tag keys are case sensitive. | StringList (maximum of 6 items) | 1–6 tag keys that meet [AWS requirements](https://docs.aws.amazon.com/tag-editor/latest/userguide/tagging.html#tag-conventions). | No default value + +This control checks whether an Amazon EC2 prefix list has the tag keys specified by the `requiredKeyTags` parameter. The control fails if the prefix list doesn't have any tag keys, or it doesn't have all the keys specified by the `requiredKeyTags` parameter. If you don't specify any values for the `requiredKeyTags` parameter, the control checks only for the existence of a tag key and fails if the prefix list doesn't have any tag keys. The control ignores system tags, which are applied automatically and have the `aws:` prefix. + +A tag is a label that you create and assign to an AWS resource. Each tag consists of a required tag key and an optional tag value. You can use tags to categorize resources by purpose, owner, environment, or other criteria. They can help you identify, organize, search for, and filter resources. They can also help you track resource owners for actions and notifications. You can also use tags to implement attribute-based access control (ABAC) as an authorization strategy. For more information about ABAC strategies, see [Define permissions based on attributes with ABAC authorization](https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the _IAM User Guide_. For more information about tags, see the [Tagging AWS Resources and Tag Editor User Guide](https://docs.aws.amazon.com/tag-editor/latest/userguide/tagging.html). + +###### Note + +Do not store personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible from many AWS services. They aren't intended to be used for private or sensitive data. + +### Remediation + +For information about adding tags to an Amazon EC2 prefix list, see [Tag your Amazon EC2 resources](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html) in the _Amazon EC2 User Guide_. + +## [EC2.177] EC2 traffic mirror sessions should be tagged + +**Category:** Identify > Inventory > Tagging + +**Severity:** Low + +**Resource type:** `AWS::EC2::TrafficMirrorSession` + +**AWS Config rule:** [ec2-traffic-mirror-session-tagged](https://docs.aws.amazon.com/config/latest/developerguide/ec2-traffic-mirror-session-tagged.html) + +**Schedule type:** Change triggered + +**Parameters:** + +Parameter | Description | Type | Allowed custom values | Security Hub default value +---|---|---|---|--- +`requiredKeyTags` | A list of non-system tag keys that must be assigned to an evaluated resource. Tag keys are case sensitive. | StringList (maximum of 6 items) | 1–6 tag keys that meet [AWS requirements](https://docs.aws.amazon.com/tag-editor/latest/userguide/tagging.html#tag-conventions). | No default value + +This control checks whether an Amazon EC2 traffic mirror session has the tag keys specified by the `requiredKeyTags` parameter. The control fails if the session doesn't have any tag keys, or it doesn't have all the keys specified by the `requiredKeyTags` parameter. If you don't specify any values for the `requiredKeyTags` parameter, the control checks only for the existence of a tag key and fails if the session doesn't have any tag keys. The control ignores system tags, which are applied automatically and have the `aws:` prefix.