How can I aggregate my Security Hub findings and security scores from multiple AWS Regions?

Last updated: 2022-05-25

I want to centralize AWS Security Hub findings and security scores from multiple AWS Regions to a single aggregation Region. How can I do this?

Short description

Security Hub provides you with a detailed view of your security state and helps check your environment against security standards and best practices. You can use cross-Region aggregation to aggregate findings, insights, control compliance statuses, and security scores from multiple Regions to a single aggregation Region.

Resolution

Follow these instructions to enable cross-Region aggregation.

Prepare your environment

  1. Start the AWS Config configuration recorder in all Regions where you want to enable Security Hub.
  2. Enable Security Hub in your aggregation Region and in each linked Region.

If you are using AWS Organizations, note the following:

  • To aggregate findings from AWS Organizations member accounts, AWS Config and Security Hub must be enabled in the member accounts in the same linked Regions.
  • You can delegate a member account as your Security Hub administrator for each Region.

Enable cross-Region aggregation

You can enable cross-Region aggregation using either the AWS Management Console or the AWS Command Line Interface (AWS CLI).

Note: If you receive errors when running AWS CLI commands, make sure that you’re using the most recent version of the AWS CLI.

AWS Management Console

  1. Open the Security Hub console with the Security Hub administrator account in your aggregation Region.
    Note: If the Region is disabled, make sure that you enable the Region.
  2. In the navigation pane, choose Settings, and then choose Regions.
  3. Choose Configure finding aggregation, and then choose your aggregation Region.
  4. In Available Regions, choose the Regions that you want to aggregate findings from.
  5. Choose Link future Regions to automatically link new AWS Regions and aggregate their data, and then choose Save.

AWS CLI

Run the AWS CLI command create-finding-aggregator similar to the following:

aws securityhub create-finding-aggregator --region <aggregation Region> --region-linking-mode <ALL_REGIONS | ALL_REGIONS_EXCEPT_SPECIFIED | SPECIFIED_REGIONS> --regions <Region list>

After enabling cross-Region aggregation, Security Hub starts aggregating findings and security scores from the linked Regions.
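As an added example that is not part of the AWS article, the following Python works out which Regions are actually linked under each --region-linking-mode and flags Regions where Security Hub is enabled but whose findings never reach the aggregation Region. The aggregator dict mirrors the shape of the get-finding-aggregator response; the ARN, Region lists and the list of enabled Regions are constructed sample values.

```python
# Added example (not from the AWS article): work out which Regions are linked to
# the aggregation Region under each RegionLinkingMode, and flag Regions where
# Security Hub is enabled but whose findings never reach the aggregation Region.
# In practice AGGREGATOR is the response of
# boto3.client("securityhub").get_finding_aggregator(FindingAggregatorArn=...);
# here it and ENABLED_REGIONS are constructed sample data so the script runs offline.
from typing import Dict, List

AGGREGATOR = {  # constructed sample; the ARN is a placeholder
    "FindingAggregatorArn": "arn:aws:securityhub:us-east-1:111122223333:finding-aggregator/EXAMPLE-ID",
    "FindingAggregationRegion": "us-east-1",
    "RegionLinkingMode": "SPECIFIED_REGIONS",
    "Regions": ["us-west-2", "eu-west-1"],
}
# Constructed list of Regions where Security Hub and AWS Config are enabled.
ENABLED_REGIONS = ["us-east-1", "us-west-2", "eu-west-1", "ap-southeast-1"]


def linked_regions(aggregator: Dict, enabled: List[str]) -> List[str]:
    """Return the Regions whose findings reach the aggregation Region."""
    home = aggregator["FindingAggregationRegion"]
    mode = aggregator["RegionLinkingMode"]
    listed = set(aggregator.get("Regions", []))
    others = [r for r in enabled if r != home]
    if mode == "ALL_REGIONS":                      # --regions omitted
        linked = others
    elif mode == "ALL_REGIONS_EXCEPT_SPECIFIED":   # --regions = Regions to exclude
        linked = [r for r in others if r not in listed]
    elif mode == "SPECIFIED_REGIONS":              # --regions = Regions to link
        linked = [r for r in others if r in listed]
    else:
        raise ValueError(f"unknown RegionLinkingMode: {mode}")
    return sorted(linked)


def coverage_gaps(aggregator: Dict, enabled: List[str]) -> List[str]:
    """Enabled Regions (other than the aggregation Region) that are not linked."""
    home = aggregator["FindingAggregationRegion"]
    linked = set(linked_regions(aggregator, enabled))
    return sorted(r for r in enabled if r != home and r not in linked)


def links_future_regions(aggregator: Dict) -> bool:
    """SPECIFIED_REGIONS is a static list, so Regions enabled later stay
    unlinked until the configuration is updated from the aggregation Region."""
    return aggregator["RegionLinkingMode"] in ("ALL_REGIONS", "ALL_REGIONS_EXCEPT_SPECIFIED")


if __name__ == "__main__":
    print("linked:", linked_regions(AGGREGATOR, ENABLED_REGIONS))
    print("not aggregated:", coverage_gaps(AGGREGATOR, ENABLED_REGIONS))
    print("new Regions auto-linked:", links_future_regions(AGGREGATOR))
```

Run it against the real get-finding-aggregator output and the set of Regions where you have enabled Security Hub; any Region reported under "not aggregated" is one whose findings and security score the aggregation Region will never show.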

You can view the cross-Region configuration with the Security Hub administrator account from any Region. However, you can update the configuration only from the aggregation Region. For more information, see Enabling cross-Region aggregation.