Regional limits for Security Hub CSPM - Amazon Security Hub
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Regional limits for Security Hub CSPM

Some Amazon Security Hub Cloud Security Posture Management (CSPM) features are available in only certain Amazon Web Services Regions. The following sections specify these Regional limits. For a complete list of all the Regions where Security Hub CSPM is currently available, see Amazon Security Hub endpoints and quotas in the Amazon Web Services General Reference.

Cross-Region aggregation restrictions

In Amazon GovCloud (US) Regions, cross-Region aggregation is available for findings, finding updates, and insights across Amazon GovCloud (US) Regions only. Specifically, you can aggregate findings, finding updates, and insights only between the Amazon GovCloud (US-East) and Amazon GovCloud (US-West) Regions.

In the China Regions, cross-Region aggregation is available for findings, finding updates, and insights across the China Regions only. Specifically, you can aggregate findings, finding updates, and insights only between the China (Beijing) and China (Ningxia) Regions.

You can't use a Region that's disabled by default as your aggregation Region. For a list of Regions that are disabled by default, see Enable or disable Amazon Web Services Regions in your account in the Amazon Account Management Reference Guide.
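The aggregation restrictions above can be checked before a deployment is attempted. The following Python sketch is an added example, not part of the Security Hub CSPM documentation or API: the function names are hypothetical, the partition is inferred from the standard Region code prefixes (`cn-`, `us-gov-`), and the set of Regions that are disabled by default is a constructed sample that the caller must replace with the list for their own account.

```python
# Added example: validate a planned cross-Region aggregation configuration
# against the limits described above. Function names are hypothetical.

def partition_of(region: str) -> str:
    """Infer the partition from the Region code prefix."""
    if region.startswith("cn-"):
        return "aws-cn"        # China (Beijing), China (Ningxia)
    if region.startswith("us-gov-"):
        return "aws-us-gov"    # GovCloud (US-East), GovCloud (US-West)
    return "aws"


def check_aggregation_plan(aggregation_region, linked_regions, opt_in_regions):
    """Return a list of violations; an empty list means the plan is allowed.

    opt_in_regions: Regions that are disabled by default in the account,
    supplied by the caller (this code does not look them up).
    """
    problems = []
    # A Region that is disabled by default can't be the aggregation Region.
    if aggregation_region in opt_in_regions:
        problems.append(
            f"{aggregation_region}: disabled by default, "
            "cannot be the aggregation Region"
        )
    # Findings, finding updates, and insights aggregate only within a partition.
    home = partition_of(aggregation_region)
    for region in sorted(set(linked_regions)):
        if partition_of(region) != home:
            problems.append(
                f"{region}: partition {partition_of(region)} cannot link to "
                f"aggregation Region in partition {home}"
            )
    return problems


# Constructed sample input: two Regions treated as disabled by default.
SAMPLE_OPT_IN = {"ap-east-1", "me-south-1"}

if __name__ == "__main__":
    for plan in [
        ("us-gov-west-1", ["us-gov-east-1"]),
        ("cn-north-1", ["cn-northwest-1", "us-east-1"]),
        ("ap-east-1", ["us-east-1"]),
    ]:
        print(plan, "->", check_aggregation_plan(*plan, SAMPLE_OPT_IN) or "OK")
```
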

Availability of integrations by Region

Some integrations aren't available in all Amazon Web Services Regions. On the Security Hub CSPM console, an integration doesn't appear on the Integrations page if it isn't available in the Region that you're currently signed in to.

Integrations supported in the China (Beijing) and China (Ningxia) Regions

In the China (Beijing) and China (Ningxia) Regions, Security Hub CSPM supports only the following integrations with Amazon Web Services services:

  • Amazon Firewall Manager

  • Amazon GuardDuty

  • Amazon Identity and Access Management Access Analyzer

  • Amazon Inspector

  • Amazon IoT Device Defender

  • Amazon Systems Manager Explorer

  • Amazon Systems Manager OpsCenter

  • Amazon Systems Manager Patch Manager

In the China (Beijing) and China (Ningxia) Regions, Security Hub CSPM supports only the following third-party integrations:

  • Cloud Custodian

  • FireEye Helix

  • Helecloud

  • IBM QRadar

  • PagerDuty

  • Palo Alto Networks Cortex XSOAR

  • Palo Alto Networks VM-Series

  • Prowler

  • RSA Archer

  • Splunk Enterprise

  • Splunk Phantom

  • ThreatModeler

Integrations supported in the Amazon GovCloud (US-East) and Amazon GovCloud (US-West) Regions

In the Amazon GovCloud (US-East) and Amazon GovCloud (US-West) Regions, Security Hub CSPM supports only the following integrations with Amazon Web Services services:

  • Amazon Config

  • Amazon Detective

  • Amazon Firewall Manager

  • Amazon GuardDuty

  • Amazon Health

  • IAM Access Analyzer

  • Amazon Inspector

  • Amazon IoT Device Defender

In the Amazon GovCloud (US-East) and Amazon GovCloud (US-West) Regions, Security Hub CSPM supports only the following third-party integrations:

  • Atlassian Jira Service Management

  • Atlassian Jira Service Management Cloud

  • Atlassian OpsGenie

  • Caveonix Cloud

  • Cloud Custodian

  • Cloud Storage Security Antivirus for Amazon S3

  • CrowdStrike Falcon

  • FireEye Helix

  • Forcepoint CASB

  • Forcepoint DLP

  • Forcepoint NGFW

  • Fugue

  • Kion

  • MicroFocus ArcSight

  • NETSCOUT Cyber Investigator

  • PagerDuty

  • Palo Alto Networks – Prisma Cloud Compute

  • Palo Alto Networks – Prisma Cloud Enterprise

  • Palo Alto Networks – VM-Series (available only in Amazon GovCloud (US-West))

  • Prowler

  • Rackspace Technology – Cloud Native Security

  • Rapid7 InsightConnect

  • RSA Archer

  • SecureCloudDb

  • ServiceNow ITSM

  • Slack

  • ThreatModeler

  • Vectra AI Cognito Detect

Availability of standards by Region

The Amazon Control Tower service-managed standard is available only in Amazon Web Services Regions that Amazon Control Tower supports, including Amazon GovCloud (US) Regions. For a list of Regions that Amazon Control Tower currently supports, see How Amazon Web Services Regions Work With Amazon Control Tower in the Amazon Control Tower User Guide.

The Amazon Resource Tagging standard isn't available in the following Regions: Asia Pacific (Taipei), Asia Pacific (Thailand), and Mexico (Central).

Other security standards are available in all the Regions where Security Hub CSPM is currently available.

Availability of controls by Region

Some Security Hub CSPM controls aren't available in all Regions. For a list of controls that aren't available in each Region, see Regional limits on Security Hub CSPM controls.

On the Security Hub CSPM console, a control doesn't appear in the list of controls if it isn't available in the Region that you're currently signed in to. The exception is an aggregation Region. If you set an aggregation Region and sign in to that Region, the console shows controls that are available in the aggregation Region or one or more linked Regions.