Stopping cross-Region aggregation - AWS Security Hub
Deleting the finding aggregator (console)

Stopping cross-Region aggregation

If you don't want AWS Security Hub to aggregate data, you can delete your finding aggregator. Alternatively, you can keep your finding aggregator but not link any AWS Regions to the aggregation Region by updating the existing aggregator to the NO_REGIONS linking mode.

To change your aggregation Region, you must delete your current finding aggregator and create a new one.

When you delete your finding aggregator, Security Hub stops aggregating data. It doesn't remove any existing aggregated data from the aggregation Region.

Deleting the finding aggregator (console)

You can delete your finding aggregator from the current aggregation Region only.

In Regions other than the aggregation Region, the Finding aggregation panel on the Security Hub console displays a message that you must edit the configuration in the aggregation Region. Choose this message to display a link to switch to the aggregation Region.

Security Hub console
To stop cross-Region aggregation (console)

  1. Open the AWS Security Hub console at https://console.aws.amazon.com/securityhub/.

  2. Change to the current aggregation Region.

  3. In the Security Hub navigation menu, choose Settings, then choose Regions.

  4. Under Finding aggregation, choose Edit.

  5. Under Aggregation Region, choose No aggregation Region.

  6. Choose Save.

  7. On the confirmation dialog, in the confirmation field, type Confirm.

  8. Choose Confirm.

Security Hub API

Use the DeleteFindingAggregator operation of the Security Hub API. If you're using the AWS CLI, run the delete-finding-aggregator command.

To identify the finding aggregator to delete, provide the finding aggregator ARN. To obtain the finding aggregator ARN, use the ListFindingAggregators operation or list-finding-aggregators command.

The following example deletes the finding aggregator. The command is run from the current aggregation Region, which is US East (N. Virginia). This example is formatted for Linux, macOS, or Unix, and it uses the backslash (\) line-continuation character to improve readability.

$aws securityhub delete-finding-aggregator arn:aws:securityhub:us-east-1:222222222222:finding-aggregator/123e4567-e89b-12d3-a456-426652340000 --region us-east-1