Supported Regions - AWS Security Hub

Supported Regions

To view the Regions that AWS Security Hub is available in, see Security Hub Service Endpoints.

AWS Organizations integration not supported in all Regions

The China (Beijing) and China (Ningxia) Regions do not support the Security Hub integration with Organizations.

Integrations not supported in all Regions

Some integrations are not available in all Regions. If an integration is not supported, it is not listed on the Integrations page.

The China (Beijing) and China (Ningxia) Regions only support the following integrations with AWS services:

  • Amazon GuardDuty

  • IAM Access Analyzer

  • Systems Manager Patch Manager

The China (Beijing) and China (Ningxia) Regions only support the following third-party integrations:

  • Cloud Custodian

  • FireEye Helix

  • Helecloud

  • IBM QRadar

  • PagerDuty

  • Palo Alto Networks Cortex XSOAR

  • Palo Alto Networks VM-Series

  • Prowler

  • RSA Archer

  • Splunk Enterprise

  • Splunk Phantom

  • ThreatModeler

Controls that are not supported in all Regions

The following Regions do not support all of the Security Hub controls. For each Region, the list provides the controls that are not supported.

US East (Ohio)

The following controls are not supported in US East (Ohio).

US West (N. California)

The following controls are not supported in US West (N. California).

US West (Oregon)

The following controls are not supported in US West (Oregon).

Africa (Cape Town)

The following controls are not supported in Africa (Cape Town).

CIS AWS Foundations Benchmark standard

1.4 – Ensure access keys are rotated every 90 days or less

1.12 – Ensure no root account access key exists

1.20 – Ensure a support role has been created to manage incidents with AWS Support

4.1 – Ensure no security groups allow ingress from 0.0.0.0/0 to port 22

4.2 – Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389

Payment Card Industry Data Security Standard (PCI DSS)

[PCI.CodeBuild.1] CodeBuild GitHub or Bitbucket source repository URLs should use OAuth

[PCI.CodeBuild.2] CodeBuild project environment variables should not contain clear text credentials

[PCI.DMS.1] AWS Database Migration Service replication instances should not be public

[PCI.EC2.1] Amazon EBS snapshots should not be publicly restorable

[PCI.EC2.3] Unused EC2 security groups should be removed

[PCI.EC2.4] Unused EC2 EIPs should be removed

[PCI.EC2.5] Security groups should not allow ingress from 0.0.0.0/0 to port 22

[PCI.ELBV2.1] Application Load Balancer should be configured to redirect all HTTP requests to HTTPS

[PCI.GuardDuty.1] GuardDuty should be enabled

[PCI.IAM.1] IAM root user access key should not exist

[PCI.RDS.1] RDS snapshots should prohibit public access

[PCI.SageMaker.1] Amazon SageMaker notebook instances should not have direct internet access

[PCI.SSM.1] Amazon EC2 instances managed by Systems Manager should have a patch compliance status of COMPLIANT after a patch installation

[PCI.SSM.2] Instances managed by Systems Manager should have an association compliance status of COMPLIANT

AWS Foundational Security Best Practices standard

[ACM.1] Imported ACM certificates should be renewed after a specified time period

[APIGateway.1] API Gateway REST and Websocket API logging should be enabled

[CloudFront.1] CloudFront distributions should have a default root object configured

[CloudFront.2] CloudFront distributions should have origin access identity enabled

[CloudFront.3] CloudFront distributions should require encryption in transit

[CloudFront.4] CloudFront distributions should have origin failover configured

[CodeBuild.1] CodeBuild GitHub or Bitbucket source repository URLs should use OAuth

[CodeBuild.2] CodeBuild project environment variables should not contain clear text credentials

[DMS.1] Database Migration Service replication instances should not be public

[EC2.1] Amazon EBS snapshots should not be public, determined by the ability to be restorable by anyone

[EC2.3] Attached EBS volumes should be encrypted at-rest

[EC2.4] Stopped EC2 instances should be removed after a specified time period

[EC2.8] EC2 instances should use IMDSv2

[EFS.1] Amazon EFS should be configured to encrypt file data at rest using AWS KMS

[EFS.2] Amazon EFS volumes should be in backup plans

[ELB.4] Application load balancers should be configured to drop HTTP headers

[ELBv2.1] Application Load Balancer should be configured to redirect all HTTP requests to HTTPS

[EMR.1] Amazon EMR cluster master nodes should not have public IP addresses

[ES.3] Amazon Elasticsearch Service domains should encrypt data sent between nodes

[GuardDuty.1] GuardDuty should be enabled

[IAM.3] IAM users' access keys should be rotated every 90 days or less

[IAM.4] IAM root user access key should not exist

[RDS.1] RDS snapshots should be private

[RDS.9] Database logging should be enabled

[RDS.10] IAM authentication should be configured for RDS instances

[Redshift.3] Amazon Redshift clusters should have automatic snapshots enabled

[S3.1] S3 Block Public Access setting should be enabled

[SageMaker.1] SageMaker notebook instances should not have direct internet access

[SSM.2] All EC2 instances managed by Systems Manager should be compliant with patching requirements

[SSM.3] Instances managed by Systems Manager should have an association compliance status of COMPLIANT

Asia Pacific (Hong Kong)

The following controls are not supported in Asia Pacific (Hong Kong).

Asia Pacific (Mumbai)

The following controls are not supported in Asia Pacific (Mumbai).

Asia Pacific (Osaka)

The following controls are not supported in Asia Pacific (Osaka).

Asia Pacific (Seoul)

The following controls are not supported in Asia Pacific (Seoul).

Asia Pacific (Singapore)

The following controls are not supported in Asia Pacific (Singapore).

Asia Pacific (Sydney)

The following controls are not supported in Asia Pacific (Sydney).

Asia Pacific (Tokyo)

The following controls are not supported in Asia Pacific (Tokyo).

Canada (Central)

The following controls are not supported in Canada (Central).

China (Beijing)

The following controls are not supported in China (Beijing).

CIS AWS Foundations Benchmark standard

1.13 – Ensure MFA is enabled for the "root" account

1.14 – Ensure hardware MFA is enabled for the "root" account

Payment Card Industry Data Security Standard (PCI DSS)

[PCI.GuardDuty.1] GuardDuty should be enabled

[PCI.IAM.4] Hardware MFA should be enabled for the root user

[PCI.IAM.5] Virtual MFA should be enabled for the root user

[PCI.Lambda.1] Lambda functions should prohibit public access

[PCI.Lambda.2] Lambda functions should be in a VPC

[PCI.SageMaker.1] Amazon SageMaker notebook instances should not have direct internet access

AWS Foundational Security Best Practices standard

[ACM.1] Imported ACM certificates should be renewed after a specified time period

[CloudFront.1] CloudFront distributions should have a default root object configured

[CloudFront.2] CloudFront distributions should have origin access identity enabled

[CloudFront.3] CloudFront distributions should require encryption in transit

[CloudFront.4] CloudFront distributions should have origin failover configured

[ES.3] Amazon Elasticsearch Service domains should encrypt data sent between nodes

[GuardDuty.1] GuardDuty should be enabled

[IAM.6] Hardware MFA should be enabled for the root user

[Lambda.1] Lambda function policies should prohibit public access

[Lambda.2] Lambda functions should use latest runtimes

[RDS.7] RDS clusters should have deletion protection enabled

[RDS.10] IAM authentication should be configured for RDS instances

[SageMaker.1] SageMaker notebook instances should not have direct internet access

China (Ningxia)

The following controls are not supported in China (Ningxia).

CIS AWS Foundations Benchmark standard

1.13 – Ensure MFA is enabled for the "root" account

1.14 – Ensure hardware MFA is enabled for the "root" account

Payment Card Industry Data Security Standard (PCI DSS)

[PCI.GuardDuty.1] GuardDuty should be enabled

[PCI.IAM.4] Hardware MFA should be enabled for the root user

[PCI.IAM.5] Virtual MFA should be enabled for the root user

[PCI.Lambda.1] Lambda functions should prohibit public access

[PCI.Lambda.2] Lambda functions should be in a VPC

[PCI.SageMaker.1] Amazon SageMaker notebook instances should not have direct internet access

AWS Foundational Security Best Practices standard

[ACM.1] Imported ACM certificates should be renewed after a specified time period

[CloudFront.1] CloudFront distributions should have a default root object configured

[CloudFront.2] CloudFront distributions should have origin access identity enabled

[CloudFront.3] CloudFront distributions should require encryption in transit

[CloudFront.4] CloudFront distributions should have origin failover configured

[ES.3] Amazon Elasticsearch Service domains should encrypt data sent between nodes

[GuardDuty.1] GuardDuty should be enabled

[IAM.6] Hardware MFA should be enabled for the root user

[Lambda.1] Lambda function policies should prohibit public access

[Lambda.2] Lambda functions should use latest runtimes

[RDS.7] RDS clusters should have deletion protection enabled

[RDS.9] Database logging should be enabled

[RDS.10] IAM authentication should be configured for RDS instances

[Redshift.3] Amazon Redshift clusters should have automatic snapshots enabled

[SageMaker.1] SageMaker notebook instances should not have direct internet access

Europe (Frankfurt)

The following controls are not supported in Europe (Frankfurt).

Europe (Ireland)

The following controls are not supported in Europe (Ireland).

Europe (London)

The following controls are not supported in Europe (London).

Europe (Milan)

The following controls are not supported in Europe (Milan).

CIS AWS Foundations Benchmark standard

1.4 – Ensure access keys are rotated every 90 days or less

1.20 – Ensure a support role has been created to manage incidents with AWS Support

4.1 – Ensure no security groups allow ingress from 0.0.0.0/0 to port 22

4.2 – Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389

Payment Card Industry Data Security Standard (PCI DSS)

[PCI.CodeBuild.1] CodeBuild GitHub or Bitbucket source repository URLs should use OAuth

[PCI.CodeBuild.2] CodeBuild project environment variables should not contain clear text credentials

[PCI.DMS.1] AWS Database Migration Service replication instances should not be public

[PCI.EC2.1] Amazon EBS snapshots should not be publicly restorable

[PCI.EC2.3] Unused EC2 security groups should be removed

[PCI.EC2.4] Unused EC2 EIPs should be removed

[PCI.EC2.5] Security groups should not allow ingress from 0.0.0.0/0 to port 22

[PCI.ELBV2.1] Application Load Balancer should be configured to redirect all HTTP requests to HTTPS

[PCI.GuardDuty.1] GuardDuty should be enabled

[PCI.RDS.1] RDS snapshots should prohibit public access

[PCI.S3.6] S3 Block Public Access setting should be enabled

[PCI.SageMaker.1] Amazon SageMaker notebook instances should not have direct internet access

[PCI.SSM.1] Amazon EC2 instances managed by Systems Manager should have a patch compliance status of COMPLIANT after a patch installation

[PCI.SSM.2] Instances managed by Systems Manager should have an association compliance status of COMPLIANT

AWS Foundational Security Best Practices standard

[ACM.1] Imported ACM certificates should be renewed after a specified time period

[APIGateway.1] API Gateway REST and Websocket API logging should be enabled

[CloudFront.1] CloudFront distributions should have a default root object configured

[CloudFront.2] CloudFront distributions should have origin access identity enabled

[CloudFront.3] CloudFront distributions should require encryption in transit

[CloudFront.4] CloudFront distributions should have origin failover configured

[CodeBuild.1] CodeBuild GitHub or Bitbucket source repository URLs should use OAuth

[CodeBuild.2] CodeBuild project environment variables should not contain clear text credentials

[DMS.1] Database Migration Service replication instances should not be public

[EC2.1] Amazon EBS snapshots should not be public, determined by the ability to be restorable by anyone

[EC2.3] Attached EBS volumes should be encrypted at-rest

[EC2.4] Stopped EC2 instances should be removed after a specified time period

[EC2.8] EC2 instances should use IMDSv2

[EFS.1] Amazon EFS should be configured to encrypt file data at rest using AWS KMS

[EFS.2] Amazon EFS volumes should be in backup plans

[ELB.4] Application load balancers should be configured to drop HTTP headers

[ELBv2.1] Application Load Balancer should be configured to redirect all HTTP requests to HTTPS

[EMR.1] Amazon EMR cluster master nodes should not have public IP addresses

[ES.3] Amazon Elasticsearch Service domains should encrypt data sent between nodes

[GuardDuty.1] GuardDuty should be enabled

[IAM.3] IAM users' access keys should be rotated every 90 days or less

[KMS.3] AWS KMS keys should not be unintentionally deleted

[RDS.1] RDS snapshots should be private

[RDS.9] Database logging should be enabled

[Redshift.2] Connections to Amazon Redshift clusters should be encrypted in transit

[Redshift.3] Amazon Redshift clusters should have automatic snapshots enabled

[S3.1] S3 Block Public Access setting should be enabled

[SageMaker.1] SageMaker notebook instances should not have direct internet access

[SSM.2] All EC2 instances managed by Systems Manager should be compliant with patching requirements

[SSM.3] Instances managed by Systems Manager should have an association compliance status of COMPLIANT

Europe (Paris)

The following controls are not supported in Europe (Paris).

Europe (Stockholm)

The following controls are not supported in Europe (Stockholm).

Middle East (Bahrain)

The following controls are not supported in Middle East (Bahrain).

South America (São Paulo)

The following controls are not supported in South America (São Paulo).

AWS GovCloud (US-East)

The following controls are not supported in AWS GovCloud (US-East).

AWS GovCloud (US-West)

The following controls are not supported in AWS GovCloud (US-West).