Updating the cross-Region aggregation configuration - Amazon Security Hub
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Updating the cross-Region aggregation configuration

You can update the cross-Region aggregation configuration to change the linked Amazon Web Services Regions for the current aggregation Region. You can also change whether to automatically aggregate findings, insights, control statuses, and security scores from new Regions.

Changes to cross-Region aggregation aren't implemented for an opt-in Region until the Region is enabled in an Amazon Web Services account. Regions that Amazon introduced on or after March 20, 2019 are opt-in Regions.

When you stop aggregating data from a linked Region, Security Hub does not remove any existing aggregated data from the aggregation Region.

You cannot use the update process to change the aggregation Region. To change the aggregation Region, you must do the following:

  1. Stop cross-Region aggregation. See Stopping cross-Region aggregation.

  2. Change to the Region that you want to be the new aggregation Region.

  3. Enable cross-Region aggregation. See Enabling cross-Region aggregation.

Updating the cross-Region aggregation configuration (console)

You must update the cross-Region aggregation configuration from the current aggregation Region.

In Amazon Web Services Regions other than the aggregation Region, the Finding aggregation panel displays a message that you must edit the configuration in the aggregation Region. Choose this message to display a link to navigate to the aggregation Region.

To change the linked Regions for the current aggregation Region
  1. Open the Amazon Security Hub console at https://console.amazonaws.cn/securityhub/.

  2. Change to the current aggregation Region.

  3. In the Security Hub navigation menu, choose Settings, then choose Regions.

  4. Under Finding aggregation, choose Edit.

  5. Under Linked Regions, update the selected linked Regions.

  6. If needed, change whether Link future Regions is selected. This setting determines whether Security Hub automatically links new Regions as it adds support for them and you opt into them.

  7. Choose Save.

Updating the cross-Region aggregation configuration (Security Hub API, Amazon CLI)

You can use the Security Hub API or Amazon CLI to update the cross-Region aggregation configuration. You must update cross-Region aggregation from the current aggregation Region.

You can change the Region linking mode. If the linking mode is ALL_REGIONS_EXCEPT_SPECIFIED or SPECIFIED_REGIONS, you can change the list of excluded or included Regions.

When you change the list of excluded or included Regions, you must provide the full list with the updates. For example, suppose you currently aggregate findings from US East (Ohio), and want to also aggregate findings from US West (Oregon). When you call UpdateFindingAggregator, you provide a Regions list that contains both US East (Ohio) and US West (Oregon).

To update cross-Region aggregation (Security Hub API, Amazon CLI)
  • Security Hub API: Use the UpdateFindingAggregator API operation. To identify the finding aggregator, you must provide the finding aggregator ARN. To obtain the finding aggregator ARN, use ListFindingAggregators.

    You provide the Region linking mode and the updated list of excluded or included Regions.

  • Amazon CLI: At the command line, run the update-finding-aggregator command. Separate each Region with a space.

    aws securityhub update-finding-aggregator --region <aggregation Region> --finding-aggregator-arn <finding aggregator ARN> --region-linking-mode ALL_REGIONS | ALL_REGIONS_EXCEPT_SPECIFIED | SPECIFIED_REGIONS --regions <Region list>

    In the following example, the cross-Region aggregation configuration is changed to aggregation for selected Regions. The command is run from the current aggregation Region, which is US East (N. Virginia). The linked Regions are US West (N. California) and US West (Oregon).

    aws securityhub update-finding-aggregator --region us-east-1 --finding-aggregator-arn arn:aws-cn:securityhub:us-east-1:222222222222:finding-aggregator/123e4567-e89b-12d3-a456-426652340000 --region-linking-mode SPECIFIED_REGIONS --regions us-west-1 us-west-2
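    Because UpdateFindingAggregator replaces the whole Regions list, the safe habit is to start from the current configuration (as returned by GetFindingAggregator) and compute the complete new list before calling the API. The following is an added example, not code from the Security Hub documentation: it builds the UpdateFindingAggregator parameters for the three linking modes and renders the equivalent CLI command, using the finding aggregator ARN from the example above. Its one assumption, marked in a comment, is that an ALL_REGIONS_EXCEPT_SPECIFIED configuration whose excluded list becomes empty is expressed as ALL_REGIONS.

```python
# Added example: compute the FULL Regions list that UpdateFindingAggregator needs.
from typing import Iterable

# Finding aggregator ARN from the documentation example (not a real account).
AGGREGATOR_ARN = ("arn:aws-cn:securityhub:us-east-1:222222222222:"
                  "finding-aggregator/123e4567-e89b-12d3-a456-426652340000")

def aggregation_region_from_arn(arn: str) -> str:
    # arn:partition:securityhub:REGION:account:finding-aggregator/id
    return arn.split(":")[3]

def build_update_params(arn: str, mode: str, regions: Iterable[str],
                        link: Iterable[str] = (), unlink: Iterable[str] = ()) -> dict:
    """Return kwargs for update_finding_aggregator, starting from the current
    mode/regions of GetFindingAggregator. For SPECIFIED_REGIONS `regions` is the
    linked list; for ALL_REGIONS_EXCEPT_SPECIFIED it is the excluded list."""
    link, unlink = set(link), set(unlink)
    if link & unlink:
        raise ValueError(f"Region(s) both linked and unlinked: {sorted(link & unlink)}")
    current = set(regions)
    if mode == "SPECIFIED_REGIONS":
        new = (current | link) - unlink
    elif mode == "ALL_REGIONS_EXCEPT_SPECIFIED":
        new = (current | unlink) - link          # list holds the EXCLUDED Regions
        if not new:
            # Assumption: an empty exclusion list is the same as ALL_REGIONS,
            # which takes no Regions parameter.
            return {"FindingAggregatorArn": arn, "RegionLinkingMode": "ALL_REGIONS"}
    elif mode == "ALL_REGIONS":
        if link:
            raise ValueError("ALL_REGIONS already links every supported Region")
        if not unlink:
            return {"FindingAggregatorArn": arn, "RegionLinkingMode": mode}
        mode, new = "ALL_REGIONS_EXCEPT_SPECIFIED", unlink
    else:
        raise ValueError(f"unsupported RegionLinkingMode {mode!r}")
    return {"FindingAggregatorArn": arn, "RegionLinkingMode": mode, "Regions": sorted(new)}

def to_cli(params: dict) -> str:
    """Render the parameters as the CLI command, run from the aggregation Region
    named in the ARN (the update must be issued from that Region)."""
    cmd = ["aws securityhub update-finding-aggregator",
           f"--region {aggregation_region_from_arn(params['FindingAggregatorArn'])}",
           f"--finding-aggregator-arn {params['FindingAggregatorArn']}",
           f"--region-linking-mode {params['RegionLinkingMode']}"]
    if params.get("Regions"):
        cmd.append("--regions " + " ".join(params["Regions"]))
    return " ".join(cmd)

if __name__ == "__main__":
    # Currently linked: us-west-1; add us-west-2 -> reproduces the command above.
    print(to_cli(build_update_params(AGGREGATOR_ARN, "SPECIFIED_REGIONS",
                                     ["us-west-1"], link=["us-west-2"])))
```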