AWS Security ChangesHomeSearch

AWS securityhub documentation change

Service: securityhub · 2025-05-31 · Documentation low

File: securityhub/latest/userguide/controls-config-resources.md

Summary

Added structured 'Topics' section for better document navigation

Security assessment

This is a structural improvement to enhance document organization without security-specific implications.

Diff

diff --git a/securityhub/latest/userguide/controls-config-resources.md b/securityhub/latest/userguide/controls-config-resources.md
index 4b3d4269b..f87d4d08e 100644
--- a//securityhub/latest/userguide/controls-config-resources.md
+++ b//securityhub/latest/userguide/controls-config-resources.md
@@ -5 +5 @@
-Required resources for all Security Hub controlsRequired resources for the FSBP standardRequired resources for CIS AWS Foundations BenchmarkRequired resources for NIST SP 800-53 Rev. 5Required resources for PCI DSS v3.2.1Required resources for the AWS Resource Tagging StandardRequired resources for Service-Managed Standard: AWS Control Tower
+Required resources for all Security Hub controlsRequired resources for the AWS Foundational Security Best Practices standardRequired resources for the CIS AWS Foundations BenchmarkRequired resources for the NIST SP 800-53 Revision 5 standardRequired resources for the NIST SP 800-171 Revision 2 standardRequired resources for PCI DSS v3.2.1Required resources for the AWS Resource Tagging standardRequired resources for the AWS Control Tower service-managed standard
@@ -18,0 +19,21 @@ In AWS Regions where a control isn't available, the corresponding resource isn't
+###### Topics
+
+  * Required resources for all Security Hub controls
+
+  * Required resources for the AWS Foundational Security Best Practices standard
+
+  * Required resources for the CIS AWS Foundations Benchmark
+
+  * Required resources for the NIST SP 800-53 Revision 5 standard
+
+  * Required resources for the NIST SP 800-171 Revision 2 standard
+
+  * Required resources for PCI DSS v3.2.1
+
+  * Required resources for the AWS Resource Tagging standard
+
+  * Required resources for the AWS Control Tower service-managed standard
+
+
+
+
@@ -21 +42 @@ In AWS Regions where a control isn't available, the corresponding resource isn't
-For Security Hub to generate findings for enabled Security Hub change triggered controls that use an AWS Config rule, you must record these resources in AWS Config. This table also indicates which controls evaluate a particular resource. A single control may evaluate more than one resource.
+For Security Hub to generate findings for change triggered controls that are enabled and use an AWS Config rule, you must record the following types of resources in AWS Config. This table also indicates which controls evaluate a particular type of resource. A single control might evaluate more than one type of resource.
@@ -23 +44 @@ For Security Hub to generate findings for enabled Security Hub change triggered
-Service | Required resource | Related controls  
+AWS service | Resource types | Related controls  
@@ -219 +240 @@ Amazon WorkSpaces | `AWS::WorkSpaces::WorkSpace` |  WorkSpaces.1 WorkSpaces.2
-## Required resources for the FSBP standard
+## Required resources for the AWS Foundational Security Best Practices standard
@@ -221 +242 @@ Amazon WorkSpaces | `AWS::WorkSpaces::WorkSpace` |  WorkSpaces.1 WorkSpaces.2
-For Security Hub to accurately report findings for enabled AWS Foundational Security Best Practices v1.0.0 (FSBP) change triggered controls that use an AWS Config rule, you must record these resources in AWS Config. For more information about this standard, see [AWS Foundational Security Best Practices v1.0.0 (FSBP) standard](./fsbp-standard.html).
+For Security Hub to accurately report findings for change triggered controls that apply to the AWS Foundational Security Best Practices standard (v.1.0.0), are enabled, and use an AWS Config rule, you must record the following types of resources in AWS Config. For information about this standard, see [AWS Foundational Security Best Practices standard in Security Hub](./fsbp-standard.html).
@@ -223 +244 @@ For Security Hub to accurately report findings for enabled AWS Foundational Secu
-Service | Required resources  
+AWS service | Resource types  
@@ -225,2 +246,2 @@ Service | Required resources
-Amazon API Gateway |  `AWS::ApiGateway::Stage` `AWS::ApiGatewayV2::Stage`  
-AWS AppSync |  `AWS::AppSync::ApiCache` `AWS::AppSync::GraphQLApi`  
+Amazon API Gateway |  `AWS::ApiGateway::Stage`, `AWS::ApiGatewayV2::Stage`  
+AWS AppSync |  `AWS::AppSync::ApiCache`, `AWS::AppSync::GraphQLApi`  
@@ -231 +252 @@ Amazon CloudFront |  `AWS::CloudFront::Distribution`
-AWS CodeBuild |  `AWS::CodeBuild::Project` `AWS::CodeBuild::ReportGroup`  
+AWS CodeBuild |  `AWS::CodeBuild::Project`, `AWS::CodeBuild::ReportGroup`  
@@ -235 +256 @@ AWS DataSync |  `AWS::DataSync::Task`
-AWS Database Migration Service (AWS DMS) |  `AWS::DMS::Endpoint` `AWS::DMS::ReplicationInstance` `AWS::DMS::ReplicationTask`  
+AWS Database Migration Service (AWS DMS) |  `AWS::DMS::Endpoint`, `AWS::DMS::ReplicationInstance`, `AWS::DMS::ReplicationTask`  
@@ -237,3 +258,3 @@ Amazon DynamoDB |  `AWS::DynamoDB::Table`
-Amazon EC2 Systems Manager (SSM)  |  `AWS::SSM::AssociationCompliance` `AWS::SSM::ManagedInstanceInventory` `AWS::SSM::PatchCompliance`  
-Amazon Elastic Compute Cloud (EC2) |  `AWS::EC2::ClientVpnEndpoint` `AWS::EC2::Instance` `AWS::EC2::LaunchTemplate` `AWS::EC2::NetworkAcl` `AWS::EC2::NetworkInterface` `AWS::EC2::SecurityGroup` `AWS::EC2::SpotFleet` `AWS::EC2::Subnet` `AWS::EC2::TransitGateway` `AWS::EC2::VPCBlockPublicAccessOptions` `AWS::EC2::VPNConnection` `AWS::EC2::Volume`  
-Amazon EC2 Auto Scaling |  `AWS::AutoScaling::AutoScalingGroup` `AWS::AutoScaling::LaunchConfiguration`  
+Amazon EC2 Systems Manager (SSM)  |  `AWS::SSM::AssociationCompliance`, `AWS::SSM::ManagedInstanceInventory`, `AWS::SSM::PatchCompliance`  
+Amazon Elastic Compute Cloud (Amazon EC2) |  `AWS::EC2::ClientVpnEndpoint`, `AWS::EC2::Instance`, `AWS::EC2::LaunchTemplate`, `AWS::EC2::NetworkAcl`, `AWS::EC2::NetworkInterface`, `AWS::EC2::SecurityGroup`, `AWS::EC2::SpotFleet`, `AWS::EC2::Subnet`, `AWS::EC2::TransitGateway`, `AWS::EC2::VPCBlockPublicAccessOptions`, `AWS::EC2::VPNConnection`, `AWS::EC2::Volume`  
+Amazon EC2 Auto Scaling |  `AWS::AutoScaling::AutoScalingGroup`, `AWS::AutoScaling::LaunchConfiguration`  
@@ -241,5 +262,5 @@ Amazon Elastic Container Registry (Amazon ECR) |  `AWS::ECR::Repository`
-Amazon Elastic Container Service (Amazon ECS) |  `AWS::ECS::Cluster` `AWS::ECS::Service` `AWS::ECS::TaskDefinition` `AWS::ECS::TaskSet`  
-Amazon Elastic File System (Amazon EFS) |  `AWS::EFS::AccessPoint` `AWS::EFS::FileSystem`  
-Amazon EKS |  `AWS::EKS::Cluster`  
-ElasticBeanstalk |  `AWS::ElasticBeanstalk::Environment`  
-Elastic Load Balancing |  `AWS::ElasticLoadBalancing::LoadBalancer` `AWS::ElasticLoadBalancingV2::Listener` `AWS::ElasticLoadBalancingV2::LoadBalancer`  
+Amazon Elastic Container Service (Amazon ECS) |  `AWS::ECS::Cluster`, `AWS::ECS::Service`, `AWS::ECS::TaskDefinition`, `AWS::ECS::TaskSet`  
+Amazon Elastic File System (Amazon EFS) |  `AWS::EFS::AccessPoint`, `AWS::EFS::FileSystem`  
+Amazon Elastic Kubernetes Service (Amazon EKS) |  `AWS::EKS::Cluster`  
+AWS Elastic Beanstalk |  `AWS::ElasticBeanstalk::Environment`  
+Elastic Load Balancing |  `AWS::ElasticLoadBalancing::LoadBalancer`, `AWS::ElasticLoadBalancingV2::Listener`, `AWS::ElasticLoadBalancingV2::LoadBalancer`  
@@ -248,2 +269,2 @@ Amazon EMR |  `AWS::EMR::SecurityConfiguration`
-AWS Glue |  `AWS::Glue::Job` `AWS::Glue::MLTransform`  
-AWS Identity and Access Management (IAM) |  `AWS::IAM::Group` `AWS::IAM::Policy` `AWS::IAM::Role` `AWS::IAM::User`  
+AWS Glue |  `AWS::Glue::Job`, `AWS::Glue::MLTransform`  
+AWS Identity and Access Management (IAM) |  `AWS::IAM::Group`, `AWS::IAM::Policy`, `AWS::IAM::Role`, `AWS::IAM::User`  
@@ -253,2 +274,2 @@ AWS Lambda |  `AWS::Lambda::Function`
-Amazon MSK |  `AWS::MSK::Cluster` `AWS::KafkaConnect::Connector`  
-AWS Network Firewall |  `AWS::NetworkFirewall::Firewall` `AWS::NetworkFirewall::FirewallPolicy` `AWS::NetworkFirewall::RuleGroup`  
+Amazon Managed Streaming for Apache Kafka (Amazon MSK) |  `AWS::MSK::Cluster`, `AWS::KafkaConnect::Connector`  
+AWS Network Firewall |  `AWS::NetworkFirewall::Firewall`, `AWS::NetworkFirewall::FirewallPolicy`, `AWS::NetworkFirewall::RuleGroup`  
@@ -256,2 +277,2 @@ Amazon OpenSearch Service |  `AWS::OpenSearch::Domain`
-Amazon Relational Database Service (Amazon RDS) |  `AWS::RDS::DBCluster` `AWS::RDS::DBClusterSnapshot` `AWS::RDS::DBInstance` `AWS::RDS::DBProxy` `AWS::RDS::DBSnapshot` `AWS::RDS::EventSubscription`  
-Amazon Redshift |  `AWS::Redshift::Cluster` `AWS::Redshift::ClusterSubnetGroup`  
+Amazon Relational Database Service (Amazon RDS) |  `AWS::RDS::DBCluster`, `AWS::RDS::DBClusterSnapshot`, `AWS::RDS::DBInstance`, `AWS::RDS::DBProxy`, `AWS::RDS::DBSnapshot`, `AWS::RDS::EventSubscription`  
+Amazon Redshift |  `AWS::Redshift::Cluster`, `AWS::Redshift::ClusterSubnetGroup`  
@@ -260,2 +281,2 @@ Amazon Route 53 |  `AWS::Route53::HostedZone`
-Amazon Simple Storage Service (Amazon S3) |  `AWS::S3::AccessPoint` `AWS::S3::AccountPublicAccessBlock` `AWS::S3::Bucket` `AWS::S3::MultiRegionAccessPoint`  
-Amazon SageMaker AI |  `AWS::SageMaker::Model` `AWS::SageMaker::NotebookInstance`  
+Amazon Simple Storage Service (Amazon S3) |  `AWS::S3::AccessPoint`, `AWS::S3::AccountPublicAccessBlock`, `AWS::S3::Bucket`, `AWS::S3::MultiRegionAccessPoint`  
+Amazon SageMaker AI |  `AWS::SageMaker::Model`, `AWS::SageMaker::NotebookInstance`  
@@ -267 +288 @@ AWS Transfer Family |  `AWS::Transfer::Connector`
-AWS WAF |  `AWS::WAF::Rule` `AWS::WAF::RuleGroup` `AWS::WAF::WebACL` `AWS::WAFRegional::Rule` `AWS::WAFRegional::RuleGroup` `AWS::WAFRegional::WebACL` `AWS::WAFv2::RuleGroup` `AWS::WAFv2::WebACL`  
+AWS WAF |  `AWS::WAF::Rule`, `AWS::WAF::RuleGroup`, `AWS::WAF::WebACL`, `AWS::WAFRegional::Rule`, `AWS::WAFRegional::RuleGroup`, `AWS::WAFRegional::WebACL`, `AWS::WAFv2::RuleGroup`, `AWS::WAFv2::WebACL`  
@@ -270 +291 @@ Amazon WorkSpaces |  `AWS::WorkSpaces::WorkSpace`
-## Required resources for CIS AWS Foundations Benchmark
+## Required resources for the CIS AWS Foundations Benchmark
@@ -272 +293 @@ Amazon WorkSpaces |  `AWS::WorkSpaces::WorkSpace`
-To run security checks for enabled controls that apply to the Center for Internet Security (CIS) AWS Foundations Benchmark, Security Hub either runs through the exact audit steps prescribed for the checks in [Securing Amazon Web Services](https://www.cisecurity.org/benchmark/amazon_web_services/) or uses specific AWS Config managed rules. For more information about this standard, see [CIS AWS Foundations Benchmark](./cis-aws-foundations-benchmark.html).
+To run security checks for enabled controls that apply to the Center for Internet Security (CIS) AWS Foundations Benchmark, Security Hub either runs through the exact audit steps prescribed for the checks or uses specific AWS Config managed rules. For information about this standard in Security Hub, see [CIS AWS Foundations Benchmark in Security Hub](./cis-aws-foundations-benchmark.html).
@@ -276 +297 @@ To run security checks for enabled controls that apply to the Center for Interne
-For Security Hub to accurately report findings for enabled CIS v3.0.0 change triggered controls that use an AWS Config rule, you must record these resources in AWS Config.
+For Security Hub to accurately report findings for enabled CIS v3.0.0 change triggered controls that use an AWS Config rule, you must record the following types of resources in AWS Config.
@@ -278 +299 @@ For Security Hub to accurately report findings for enabled CIS v3.0.0 change tri
-Service | Required resources  
+AWS service | Resource types  
@@ -280,2 +301,2 @@ Service | Required resources
-Amazon Elastic Compute Cloud (Amazon EC2) |  `AWS::EC2::Instance` `AWS::EC2::NetworkAcl` `AWS::EC2::SecurityGroup`  
-AWS Identity and Access Management (IAM) |  `AWS::IAM::Group` `AWS::IAM::User` `AWS::IAM::Role`  
+Amazon Elastic Compute Cloud (Amazon EC2) |  `AWS::EC2::Instance`, `AWS::EC2::NetworkAcl`, `AWS::EC2::SecurityGroup`  
+AWS Identity and Access Management (IAM) |  `AWS::IAM::Group`, `AWS::IAM::User`, `AWS::IAM::Role`  
@@ -287 +308 @@ Amazon Simple Storage Service (Amazon S3) |  `AWS::S3::Bucket`
-For Security Hub to accurately report findings for enabled CIS v1.4.0 change triggered controls that use an AWS Config rule, you must record these resources in AWS Config.
+For Security Hub to accurately report findings for enabled CIS v1.4.0 change triggered controls that use an AWS Config rule, you must record the following types of resources in AWS Config.
@@ -289 +310 @@ For Security Hub to accurately report findings for enabled CIS v1.4.0 change tri
-Service | Required resources  
+AWS service | Resource types  
@@ -291,2 +312,2 @@ Service | Required resources
-Amazon Elastic Compute Cloud (EC2) |  `AWS::EC2::NetworkAcl` `AWS::EC2::SecurityGroup`  
-AWS Identity and Access Management (IAM) |  `AWS::IAM::Policy` `AWS::IAM::User`  
+Amazon Elastic Compute Cloud (Amazon EC2) |  `AWS::EC2::NetworkAcl`, `AWS::EC2::SecurityGroup`  
+AWS Identity and Access Management (IAM) |  `AWS::IAM::Policy`, `AWS::IAM::User`  
@@ -298 +319 @@ Amazon Simple Storage Service (Amazon S3) |  `AWS::S3::Bucket`
-For Security Hub to accurately report findings for enabled CIS v1.2.0 change triggered controls that use an AWS Config rule, you must record these resources in AWS Config.
+For Security Hub to accurately report findings for enabled CIS v1.2.0 change triggered controls that use an AWS Config rule, you must record the following types of resources in AWS Config.
@@ -300 +321 @@ For Security Hub to accurately report findings for enabled CIS v1.2.0 change tri
-Service | Required resources  
+AWS service | Resource types  
@@ -302,2 +323,2 @@ Service | Required resources
-Amazon Elastic Compute Cloud (EC2) |  `AWS::EC2::SecurityGroup`  
-AWS Identity and Access Management (IAM) |  `AWS::IAM::Policy` `AWS::IAM::User`  
+Amazon Elastic Compute Cloud (Amazon EC2) |  `AWS::EC2::SecurityGroup`  
+AWS Identity and Access Management (IAM) |  `AWS::IAM::Policy`, `AWS::IAM::User`  
@@ -305 +326 @@ AWS Identity and Access Management (IAM) |  `AWS::IAM::Policy` `AWS::IAM::User`
-## Required resources for NIST SP 800-53 Rev. 5
+## Required resources for the NIST SP 800-53 Revision 5 standard
@@ -307 +328 @@ AWS Identity and Access Management (IAM) |  `AWS::IAM::Policy` `AWS::IAM::User`
-For Security Hub to accurately report findings for enabled National Institute of Standards and Technology (NIST) SP 800-53 Rev. 5 change triggered controls that use an AWS Config rule, you must record these resources in AWS Config. You have to record resources only for controls that have a schedule type of _change triggered_. For more information about this standard, see [NIST SP 800-53 Rev. 5 in Security Hub](./nist-standard.html).
+For Security Hub to accurately report findings for change triggered controls that apply to the NIST SP 800-53 Revision 5 standard, are enabled, and use an AWS Config rule, you must record the following types of resources in AWS Config. For information about this standard, see [NIST SP 800-53 Revision 5 in Security Hub](./standards-reference-nist-800-53.html).
@@ -309 +330 @@ For Security Hub to accurately report findings for enabled National Institute of
-Service | Required resources  
+AWS service | Resource types  
@@ -311 +332 @@ Service | Required resources
-Amazon API Gateway |  `AWS::ApiGateway::Stage` `AWS::ApiGatewayV2::Stage`  
+Amazon API Gateway |  `AWS::ApiGateway::Stage`, `AWS::ApiGatewayV2::Stage`  
@@ -319 +340 @@ AWS CodeBuild |  `AWS::CodeBuild::Project`
-AWS Database Migration Service (AWS DMS) |  `AWS::DMS::Endpoint` `AWS::DMS::ReplicationInstance` `AWS::DMS::ReplicationTask`  
+AWS Database Migration Service (AWS DMS) |  `AWS::DMS::Endpoint`, `AWS::DMS::ReplicationInstance`, `AWS::DMS::ReplicationTask`  
@@ -321,2 +342,2 @@ Amazon DynamoDB |  `AWS::DynamoDB::Table`
-Amazon Elastic Compute Cloud (EC2) |  `AWS::EC2::ClientVpnEndpoint` `AWS::EC2::EIP` `AWS::EC2::Instance` `AWS::EC2::LaunchTemplate` `AWS::EC2::NetworkAcl` `AWS::EC2::NetworkInterface` `AWS::EC2::SecurityGroup` `AWS::EC2::Subnet` `AWS::EC2::TransitGateway` `AWS::EC2::VPNConnection` `AWS::EC2::Volume`  
-Amazon EC2 Auto Scaling |  `AWS::AutoScaling::AutoScalingGroup` `AWS::AutoScaling::LaunchConfiguration`  
+Amazon Elastic Compute Cloud (Amazon EC2) |  `AWS::EC2::ClientVpnEndpoint`, `AWS::EC2::EIP`, `AWS::EC2::Instance`, `AWS::EC2::LaunchTemplate`, `AWS::EC2::NetworkAcl`, `AWS::EC2::NetworkInterface`, `AWS::EC2::SecurityGroup`, `AWS::EC2::Subnet`, `AWS::EC2::TransitGateway`, `AWS::EC2::VPNConnection`, `AWS::EC2::Volume`  
+Amazon EC2 Auto Scaling |  `AWS::AutoScaling::AutoScalingGroup`, `AWS::AutoScaling::LaunchConfiguration`  
@@ -324 +345 @@ Amazon Elastic Container Registry (Amazon ECR) |  `AWS::ECR::Repository`
-Amazon Elastic Container Service (Amazon ECS) |  `AWS::ECS::Cluster` `AWS::ECS::Service` `AWS::ECS::TaskDefinition`  
+Amazon Elastic Container Service (Amazon ECS) |  `AWS::ECS::Cluster`, `AWS::ECS::Service`, `AWS::ECS::TaskDefinition`  
@@ -326,4 +347,4 @@ Amazon Elastic File System (Amazon EFS) |  `AWS::EFS::AccessPoint`
-Amazon EKS |  `AWS::EKS::Cluster`  
-ElasticBeanstalk |  `AWS::ElasticBeanstalk::Environment`  
-Elastic Load Balancing |  `AWS::ElasticLoadBalancing::LoadBalancer` `AWS::ElasticLoadBalancingV2::Listener` `AWS::ElasticLoadBalancingV2::LoadBalancer`  
-ElasticSearch |  `AWS::Elasticsearch::Domain`  
+Amazon Elastic Kubernetes Service (Amazon EKS) |  `AWS::EKS::Cluster`  
+AWS Elastic Beanstalk |  `AWS::ElasticBeanstalk::Environment`  
+Elastic Load Balancing |  `AWS::ElasticLoadBalancing::LoadBalancer`, `AWS::ElasticLoadBalancingV2::Listener`, `AWS::ElasticLoadBalancingV2::LoadBalancer`  
+Amazon ElasticSearch |  `AWS::Elasticsearch::Domain`  
@@ -331 +352 @@ Amazon EMR |  `AWS::EMR::SecurityConfiguration`
-Amazon EventBridge |  `AWS::Events::Endpoint` `AWS::Events::EventBus`  
+Amazon EventBridge |  `AWS::Events::Endpoint`, `AWS::Events::EventBus`  
@@ -333,2 +354,2 @@ AWS Glue |  `AWS::Glue::Job`
-AWS Identity and Access Management (IAM) |  `AWS::IAM::Group` `AWS::IAM::Policy` `AWS::IAM::Role` `AWS::IAM::User`  
-AWS Key Management Service (AWS KMS) |  `AWS::KMS::Alias` `AWS::KMS::Key`  
+AWS Identity and Access Management (IAM) |  `AWS::IAM::Group`, `AWS::IAM::Policy`, `AWS::IAM::Role`, `AWS::IAM::User`  
+AWS Key Management Service (AWS KMS) |  `AWS::KMS::Alias`, `AWS::KMS::Key`  
@@ -337 +358 @@ AWS Lambda |  `AWS::Lambda::Function`
-Amazon MSK |  `AWS::MSK::Cluster`  
+Amazon Managed Streaming for Apache Kafka (Amazon MSK) |  `AWS::MSK::Cluster`  
@@ -339 +360 @@ Amazon MQ |  `AWS::AmazonMQ::Broker`
-AWS Network Firewall |  `AWS::NetworkFirewall::Firewall` `AWS::NetworkFirewall::FirewallPolicy` `AWS::NetworkFirewall::RuleGroup`  
+AWS Network Firewall |  `AWS::NetworkFirewall::Firewall`, `AWS::NetworkFirewall::FirewallPolicy`, `AWS::NetworkFirewall::RuleGroup`  
@@ -341,2 +362,2 @@ Amazon OpenSearch Service |  `AWS::OpenSearch::Domain`
-Amazon Relational Database Service (Amazon RDS) |  `AWS::RDS::DBCluster` `AWS::RDS::DBClusterSnapshot` `AWS::RDS::DBInstance` `AWS::RDS::DBSnapshot` `AWS::RDS::EventSubscription`  
-Amazon Redshift |  `AWS::Redshift::Cluster` `AWS::Redshift::ClusterSubnetGroup`  
+Amazon Relational Database Service (Amazon RDS) |  `AWS::RDS::DBCluster`, `AWS::RDS::DBClusterSnapshot`, `AWS::RDS::DBInstance`, `AWS::RDS::DBSnapshot`, `AWS::RDS::EventSubscription`  
+Amazon Redshift |  `AWS::Redshift::Cluster`, `AWS::Redshift::ClusterSubnetGroup`  
@@ -344 +365 @@ Amazon Route 53 |  `AWS::Route53::HostedZone`
-Amazon Simple Storage Service (Amazon S3) |  `AWS::S3::AccountPublicAccessBlock` `AWS::S3::AccessPoint` `AWS::S3::Bucket`  
+Amazon Simple Storage Service (Amazon S3) |  `AWS::S3::AccessPoint`, `AWS::S3::AccountPublicAccessBlock`, `AWS::S3::Bucket`  
@@ -348 +369 @@ Amazon Simple Queue Service (Amazon SQS) |  `AWS::SQS::Queue`
-Amazon EC2 Systems Manager (SSM)  |  `AWS::SSM::AssociationCompliance` `AWS::SSM::ManagedInstanceInventory` `AWS::SSM::PatchCompliance`  
+Amazon EC2 Systems Manager (SSM)  |  `AWS::SSM::AssociationCompliance`, `AWS::SSM::ManagedInstanceInventory`, `AWS::SSM::PatchCompliance`  
@@ -352 +373,21 @@ AWS Transfer Family |  `AWS::Transfer::Connector`
-AWS WAF |  `AWS::WAF::Rule` `AWS::WAF::RuleGroup` `AWS::WAF::WebACL` `AWS::WAFRegional::Rule` `AWS::WAFRegional::RuleGroup` `AWS::WAFRegional::WebACL` `AWS::WAFv2::RuleGroup` `AWS::WAFv2::WebACL`  
+AWS WAF |  `AWS::WAF::Rule`, `AWS::WAF::RuleGroup`, `AWS::WAF::WebACL`, `AWS::WAFRegional::Rule`, `AWS::WAFRegional::RuleGroup`, `AWS::WAFRegional::WebACL`, `AWS::WAFv2::RuleGroup`, `AWS::WAFv2::WebACL`  
+  
+## Required resources for the NIST SP 800-171 Revision 2 standard
+
+For Security Hub to accurately report findings for change triggered controls that apply to the NIST SP 800-171 Revision 2 standard, are enabled, and use an AWS Config rule, you must record the following types of resources in AWS Config. For information about this standard, see [NIST SP 800-171 Revision 2 in Security Hub](./standards-reference-nist-800-171.html).
+