Table Of Contents


User Guide

First time using the AWS CLI? See the User Guide for help getting started.

Note: You are viewing the documentation for an older major version of the AWS CLI (version 1).

AWS CLI version 2, the latest major version of AWS CLI, is now stable and recommended for general use. To view this page for the AWS CLI version 2, click here. For more information see the AWS CLI version 2 installation instructions and migration guide.

[ aws . securityhub ]



Enables Security Hub for your account in the current Region or the Region you specify in the request.

When you enable Security Hub, you grant to Security Hub the permissions necessary to gather findings from other services that are integrated with Security Hub.

When you use the EnableSecurityHub operation to enable Security Hub, you also automatically enable the following standards.

  • CIS Amazon Web Services Foundations
  • Amazon Web Services Foundational Security Best Practices

You do not enable the Payment Card Industry Data Security Standard (PCI DSS) standard.

To not enable the automatically enabled standards, set EnableDefaultStandards to false .

After you enable Security Hub, to enable a standard, use the BatchEnableStandards operation. To disable a standard, use the BatchDisableStandards operation.

To learn more, see the setup information in the Security Hub User Guide .

See also: AWS API Documentation

See 'aws help' for descriptions of global parameters.


[--tags <value>]
[--enable-default-standards | --no-enable-default-standards]
[--cli-input-json <value>]
[--generate-cli-skeleton <value>]


--tags (map)

The tags to add to the hub resource when you enable Security Hub.

key -> (string)

value -> (string)

Shorthand Syntax:


JSON Syntax:

{"string": "string"

--enable-default-standards | --no-enable-default-standards (boolean)

Whether to enable the security standards that Security Hub has designated as automatically enabled. If you do not provide a value for EnableDefaultStandards , it is set to true . To not enable the automatically enabled standards, set EnableDefaultStandards to false .

--cli-input-json (string) Performs service operation based on the JSON string provided. The JSON string follows the format provided by --generate-cli-skeleton. If other arguments are provided on the command line, the CLI values will override the JSON-provided values. It is not possible to pass arbitrary binary values using a JSON-provided value as the string will be taken literally.

--generate-cli-skeleton (string) Prints a JSON skeleton to standard output without sending an API request. If provided with no value or the value input, prints a sample input JSON that can be used as an argument for --cli-input-json. If provided with the value output, it validates the command inputs and returns a sample output JSON for that command.

See 'aws help' for descriptions of global parameters.


To enable AWS Security Hub

The following enable-security-hub example enables AWS Security Hub for the requesting account. It configures Security Hub to enable the default standards. For the hub resource, it assigns the value Security to the tag Department.

aws securityhub enable-security-hub \
    --enable-default-standards \
    --tags '{"Department": "Security"}'

This command produces no output.

For more information, see Enabling Security Hub in the AWS Security Hub User Guide.