Central configuration and cross-Region aggregation - Amazon Security Hub
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Central configuration and cross-Region aggregation

Central configuration is an opt-in feature in Security Hub that you can use if you integrate with Amazon Organizations. If you use central configuration, the delegated administrator account can configure the Security Hub service, standards, and controls for accounts and organizational units (OUs) in the organization. To configure accounts and OUs, the delegated administrator creates Security Hub configuration policies. A configuration policy defines whether Security Hub is enabled or disabled, and which standards and controls are enabled. The delegated administrator associates configuration policies with specific accounts, OUs, or the root (the entire organization).

The delegated administrator can create and manage configuration policies for the organization only from the aggregation Region. In addition, configuration policies take effect in the aggregation Region and all linked Regions. You can't create a configuration policy that applies only in some linked Regions and not others. In central configuration, the aggregation Region is called the home Region. The same Region must serve as the home Region for purposes of central configuration and as the aggregation Region for purposes of cross-Region aggregation. For information about cross-Region aggregation, see Cross-Region aggregation.

To use central configuration, you must designate a home Region and at least one linked Region.

Changing your cross-Region aggregation settings affects your configuration policies. When you add a linked Region, your configuration policies take effect in that Region. If the Region is an opt-in Region, the Region must be enabled in the account before your configuration policies can take effect there. Conversely, when you remove a linked Region, configuration policies no longer take effect in that Region. In that Region, accounts keep the settings they had when the linked Region was removed. You can change those settings, but you must do so separately in each account and Region.

If you remove or change the home Region, your configuration policies and policy associations are deleted. You can no longer use central configuration or create configuration policies in any Region. Accounts maintain the settings they had before the home Region was changed or removed. You can change those settings at any time, but since you no longer use central configuration, settings must be modified separately in each account and Region. You can use central configuration and create configuration policies again if you designate a new home Region.
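The following preflight script is an added example and is not part of the Security Hub documentation or the service. It models the rules stated above (policies are managed only from the home Region, they take effect in the home Region plus every enabled linked Region, at least one linked Region is required, and removing or changing the home Region deletes all policies and associations) so that you can see which Regions gain or lose policy coverage before you call UpdateFindingAggregator or DeleteFindingAggregator. The Aggregator fields mirror the FindingAggregationRegion, RegionLinkingMode, and Regions attributes returned by GetFindingAggregator; the set of enabled Regions and the sample aggregators are constructed for the demonstration, and load_aggregator is an optional helper that needs boto3 and credentials.

```python
"""Preflight check for Security Hub central configuration (added example).

Models the documented rules: configuration policies apply in the home
(aggregation) Region and in every linked Region that is enabled in the
account; central configuration needs at least one linked Region; policies
can only be managed from the home Region; changing or removing the home
Region deletes every policy and association.
"""
from dataclasses import dataclass

LINKING_MODES = ("ALL_REGIONS", "ALL_REGIONS_EXCEPT_SPECIFIED",
                 "SPECIFIED_REGIONS", "NO_REGIONS")


@dataclass(frozen=True)
class Aggregator:
    home_region: str        # FindingAggregationRegion
    linking_mode: str       # RegionLinkingMode
    regions: tuple = ()     # Regions; meaning depends on linking_mode


def effective_regions(agg, enabled_regions):
    """Regions in which configuration policies take effect.

    enabled_regions: Regions enabled in the account (for example from
    `aws account list-regions`). An opt-in Region that is listed on the
    aggregator but not enabled gets no policy until it is enabled.
    """
    enabled = set(enabled_regions)
    if agg.home_region not in enabled:
        raise ValueError(f"home Region {agg.home_region} is not enabled")
    if agg.linking_mode == "ALL_REGIONS":
        linked = enabled - {agg.home_region}
    elif agg.linking_mode == "ALL_REGIONS_EXCEPT_SPECIFIED":
        linked = enabled - {agg.home_region} - set(agg.regions)
    elif agg.linking_mode == "SPECIFIED_REGIONS":
        linked = set(agg.regions) & enabled
    elif agg.linking_mode == "NO_REGIONS":
        linked = set()
    else:
        raise ValueError(f"unknown RegionLinkingMode {agg.linking_mode}")
    return {agg.home_region} | linked


def pending_opt_in(agg, enabled_regions):
    """Listed linked Regions that are not enabled yet (SPECIFIED_REGIONS only)."""
    if agg.linking_mode != "SPECIFIED_REGIONS":
        return []
    return sorted(set(agg.regions) - set(enabled_regions))


def can_manage_policies(agg, current_region, enabled_regions):
    """Can configuration policies be created from `current_region`?"""
    if current_region != agg.home_region:
        return False, f"policy APIs must be called in the home Region {agg.home_region}"
    if len(effective_regions(agg, enabled_regions)) < 2:
        return False, "central configuration needs at least one linked Region"
    return True, "ok"


def plan_change(old, new, enabled_regions):
    """Impact of replacing aggregator `old` with `new` (None = delete it).

    Regions listed under regions_losing_policy keep their last applied
    settings; further changes there are per account and per Region.
    """
    before = effective_regions(old, enabled_regions)
    if new is None or new.home_region != old.home_region:
        # Home Region removed or moved: all policies and associations are deleted.
        return {"policies_deleted": True,
                "regions_gaining_policy": [],
                "regions_losing_policy": sorted(before),
                "pending_opt_in": [] if new is None else pending_opt_in(new, enabled_regions)}
    after = effective_regions(new, enabled_regions)
    return {"policies_deleted": False,
            "regions_gaining_policy": sorted(after - before),
            "regions_losing_policy": sorted(before - after),
            "pending_opt_in": pending_opt_in(new, enabled_regions)}


def load_aggregator(session=None):
    """Read the live aggregator with boto3 (optional; needs credentials)."""
    import boto3  # imported lazily so the rest of the module runs offline
    client = (session or boto3).client("securityhub")
    found = client.list_finding_aggregators().get("FindingAggregators", [])
    if not found:
        return None
    r = client.get_finding_aggregator(FindingAggregatorArn=found[0]["FindingAggregatorArn"])
    return Aggregator(r["FindingAggregationRegion"], r["RegionLinkingMode"],
                      tuple(r.get("Regions", [])))


# Constructed sample data: ap-south-2 is an opt-in Region and is not enabled here.
ENABLED = ("us-east-1", "us-west-2", "eu-west-1", "ap-southeast-1")
CURRENT = Aggregator("us-east-1", "SPECIFIED_REGIONS", ("us-west-2", "eu-west-1", "ap-south-2"))
WIDEN = Aggregator("us-east-1", "ALL_REGIONS")
MOVE_HOME = Aggregator("us-west-2", "ALL_REGIONS")

if __name__ == "__main__":
    print("policies apply in:", sorted(effective_regions(CURRENT, ENABLED)))
    print("waiting on opt-in:", pending_opt_in(CURRENT, ENABLED))
    print("from us-west-2:", can_manage_policies(CURRENT, "us-west-2", ENABLED))
    print("widen to ALL_REGIONS:", plan_change(CURRENT, WIDEN, ENABLED))
    print("move home Region:", plan_change(CURRENT, MOVE_HOME, ENABLED))
    print("delete aggregator:", plan_change(CURRENT, None, ENABLED))
```

Run plan_change before editing the aggregator: a result with policies_deleted set to True means every account keeps whatever settings it has at that moment and you will have to designate a new home Region and recreate the policies and associations from scratch, while regions_losing_policy tells you where settings must from then on be changed per account and per Region.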

For more information about central configuration, see How central configuration works.