I want to centralize AWS Security Hub findings and security scores from multiple AWS Regions to a single aggregation Region. How can I do this?
Short description
Security Hub provides you with a detailed view of your security state and helps check your environment against security standards and best practices. You can use cross-Region aggregation to aggregate findings, insights, control compliance statuses, and security scores from multiple Regions to a single aggregation Region.
Resolution
Follow these instructions to enable cross-Region aggregation.
Prepare your environment
- Start the AWS Config configuration recorder in all Regions where you want to enable Security Hub.
- Enable Security Hub in the same Region as your aggregation and linked Regions.
If you are using AWS Organizations, note the following:
- To aggregate findings from AWS Organizations member accounts, AWS Config and Security Hub must be enabled in the same linked Regions as the member accounts.
- You can delegate a member account as your Security Hub administrator for each Region.
Enable cross-Region aggregation
You can enable cross-Region aggregation using either the AWS Management Console or the AWS Command Line Interface (AWS CLI).
Note: If you receive errors when running AWS CLI commands, make sure that you’re using the most recent version of the AWS CLI.
AWS Management Console
- Open the Security Hub console with the Security Hub administrator account in your aggregation Region. Note: If the Region is disabled, make sure that you enable the Region.
- In the navigation pane, choose Settings, and then choose Regions.
- Choose Configure finding aggregation, and then choose your aggregation Region.
- In Available Regions, choose the Regions that you want to aggregate findings from.
- Choose Link future Regions to automatically link aggregate data from new AWS Regions, and then choose Save.
AWS CLI
Run the AWS CLI command create-finding-aggregator, similar to the following. Choose one of the three values for --region-linking-mode. The --regions list names the Regions to exclude (ALL_REGIONS_EXCEPT_SPECIFIED) or the Regions to link (SPECIFIED_REGIONS); omit it for ALL_REGIONS:
aws securityhub create-finding-aggregator --region <aggregation Region> --region-linking-mode <ALL_REGIONS | ALL_REGIONS_EXCEPT_SPECIFIED | SPECIFIED_REGIONS> --regions <Region list>
After enabling cross-Region aggregation, Security Hub starts aggregating findings and security scores from the linked Regions.
You can view the cross-Region configuration with the Security Hub administrator account from any Region. However, you can update the configuration only from the aggregation Region. For more information, see Enabling cross-Region aggregation.
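The following script is an added example and is not part of the AWS article. It checks the prerequisites above (AWS Config recorder started and Security Hub enabled) in each Region, builds the mode-specific arguments for create-finding-aggregator, creates the aggregator in the aggregation Region, and reads the configuration back with get-finding-aggregator. It assumes AWS CLI v2 with credentials for the Security Hub administrator account; the Region names and the environment variable names (AGGREGATION_REGION, LINKED_REGIONS, LINKING_MODE) are placeholders chosen for this example. Setting AWS_CLI=echo prints the commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the AWS article). Assumes AWS CLI v2 and credentials
# for the Security Hub administrator account. Region names are placeholders.
# Set AWS_CLI=echo to print the commands instead of calling AWS.
set -eu
AWS_CLI="${AWS_CLI:-aws}"

# Prerequisite check for one Region: Config recorder started, Security Hub enabled.
check_region() {
  r="$1"
  recording=$($AWS_CLI configservice describe-configuration-recorder-status \
      --region "$r" --query 'ConfigurationRecordersStatus[0].recording' --output text)
  hub=$($AWS_CLI securityhub describe-hub --region "$r" --query HubArn --output text)
  echo "$r: Config recording=$recording, Security Hub=$hub"
}

# Build the mode-specific arguments for create-finding-aggregator.
# ALL_REGIONS takes no Region list; the other two modes require one.
# The list is given comma-separated here and converted to the
# space-separated form the CLI expects.
aggregator_args() {
  mode="$1"; regions="${2:-}"
  case "$mode" in
    ALL_REGIONS)
      [ -z "$regions" ] || { echo "ALL_REGIONS does not take a Region list" >&2; return 1; }
      echo "--region-linking-mode ALL_REGIONS" ;;
    ALL_REGIONS_EXCEPT_SPECIFIED|SPECIFIED_REGIONS)
      [ -n "$regions" ] || { echo "$mode requires a Region list" >&2; return 1; }
      echo "--region-linking-mode $mode --regions $(echo "$regions" | tr ',' ' ')" ;;
    *) echo "unknown linking mode: $mode" >&2; return 1 ;;
  esac
}

# Create the aggregator in the aggregation Region and read its configuration back.
enable_aggregation() {
  agg="$1"; mode="$2"; regions="${3:-}"
  args=$(aggregator_args "$mode" "$regions")
  # shellcheck disable=SC2086  # $args is intentionally word-split
  arn=$($AWS_CLI securityhub create-finding-aggregator --region "$agg" $args \
        --query FindingAggregatorArn --output text)
  echo "created $arn"
  # The configuration is readable from any Region; updates must be run in "$agg".
  $AWS_CLI securityhub get-finding-aggregator --region "$agg" --finding-aggregator-arn "$arn"
}

# Example run with placeholder Regions:
#   AGGREGATION_REGION=us-east-1 LINKED_REGIONS=us-west-2,eu-west-1 sh enable-aggregation.sh
if [ -n "${AGGREGATION_REGION:-}" ]; then
  for r in "$AGGREGATION_REGION" $(echo "${LINKED_REGIONS:-}" | tr ',' ' '); do
    check_region "$r"
  done
  enable_aggregation "$AGGREGATION_REGION" "${LINKING_MODE:-SPECIFIED_REGIONS}" "${LINKED_REGIONS:-}"
fi
```

The argument builder refuses a Region list with ALL_REGIONS and refuses to omit one with the other two modes, so a mistyped mode fails locally before any API call is made. Later changes to the linked Regions go through update-finding-aggregator with the same --region-linking-mode and --regions arguments, run in the aggregation Region.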
Related information
Effects of an administrator-member relationship
Designating a Security Hub administrator account