Supported Regions - AWS Security Hub

Supported Regions

To view the Regions that AWS Security Hub is available in, see Security Hub Service Endpoints.

Integrations not supported in all Regions

Some integrations are not available in all Regions. If an integration is not supported, it is not listed on the Integrations page.

Controls that are not supported in all Regions

The following Regions do not support all of the Security Hub controls. For each Region, the list provides the controls that are not supported.

Africa (Cape Town)

The following controls are not supported in Africa (Cape Town).

CIS AWS Foundations Benchmark standard

1.4 – Ensure access keys are rotated every 90 days or less

1.12 – Ensure no root account access key exists

1.20 – Ensure a support role has been created to manage incidents with AWS Support

4.1 – Ensure no security groups allow ingress from 0.0.0.0/0 to port 22

4.2 – Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389

Payment Card Industry Data Security Standard (PCI DSS)

[PCI.CodeBuild.1] CodeBuild GitHub or Bitbucket source repository URLs should use OAuth

[PCI.CodeBuild.2] CodeBuild project environment variables should not contain clear text credentials

[PCI.DMS.1] AWS Database Migration Service replication instances should not be public

[PCI.EC2.1] Amazon EBS snapshots should not be publicly restorable

[PCI.EC2.3] Unused EC2 security groups should be removed

[PCI.EC2.4] Unused EC2 EIPs should be removed

[PCI.EC2.5] Security groups should not allow ingress from 0.0.0.0/0 to port 22

[PCI.ELBV2.1] Application Load Balancer should be configured to redirect all HTTP requests to HTTPS

[PCI.GuardDuty.1] GuardDuty should be enabled

[PCI.IAM.1] IAM root user access key should not exist

[PCI.RDS.1] RDS snapshots should prohibit public access

[PCI.SageMaker.1] Amazon SageMaker notebook instances should not have direct internet access

[PCI.SSM.1] Amazon EC2 instances managed by Systems Manager should have a patch compliance status of COMPLIANT after a patch installation

[PCI.SSM.2] Instances managed by Systems Manager should have an association compliance status of COMPLIANT

AWS Foundational Security Best Practices standard

[ACM.1] Imported ACM certificates should be renewed after a specified time period

[CodeBuild.1] CodeBuild GitHub or Bitbucket source repository URLs should use OAuth

[CodeBuild.2] CodeBuild project environment variables should not contain clear text credentials

[DMS.1] Database Migration Service replication instances should not be public

[EC2.1] Amazon EBS snapshots should not be public, determined by the ability to be restorable by anyone

[EC2.3] Attached EBS volumes should be encrypted at-rest

[EC2.4] Stopped EC2 instances should be removed after a specified time period

[EFS.1] Amazon EFS should be configured to encrypt file data at-rest using AWS KMS

[ELBv2.1] Application Load Balancer should be configured to redirect all HTTP requests to HTTPS

[GuardDuty.1] GuardDuty should be enabled

[IAM.3] IAM users' access keys should be rotated every 90 days or less

[IAM.4] IAM root user access key should not exist

[RDS.1] RDS snapshots should be private

[S3.1] S3 Block Public Access setting should be enabled

[SageMaker.1] Amazon SageMaker notebook instances should not have direct internet access

[SSM.2] All EC2 instances managed by Systems Manager should be compliant with patching requirements

[SSM.3] Instances managed by Systems Manager should have an association compliance status of COMPLIANT

Europe (Milan)

The following controls are not supported in Europe (Milan).

CIS AWS Foundations Benchmark standard

1.4 – Ensure access keys are rotated every 90 days or less

1.20 – Ensure a support role has been created to manage incidents with AWS Support

4.1 – Ensure no security groups allow ingress from 0.0.0.0/0 to port 22

4.2 – Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389

Payment Card Industry Data Security Standard (PCI DSS)

[PCI.CodeBuild.1] CodeBuild GitHub or Bitbucket source repository URLs should use OAuth

[PCI.CodeBuild.2] CodeBuild project environment variables should not contain clear text credentials

[PCI.DMS.1] AWS Database Migration Service replication instances should not be public

[PCI.EC2.1] Amazon EBS snapshots should not be publicly restorable

[PCI.EC2.3] Unused EC2 security groups should be removed

[PCI.EC2.4] Unused EC2 EIPs should be removed

[PCI.EC2.5] Security groups should not allow ingress from 0.0.0.0/0 to port 22

[PCI.ELBV2.1] Application Load Balancer should be configured to redirect all HTTP requests to HTTPS

[PCI.GuardDuty.1] GuardDuty should be enabled

[PCI.RDS.1] RDS snapshots should prohibit public access

[PCI.S3.6] S3 Block Public Access setting should be enabled

[PCI.SageMaker.1] Amazon SageMaker notebook instances should not have direct internet access

[PCI.SSM.1] Amazon EC2 instances managed by Systems Manager should have a patch compliance status of COMPLIANT after a patch installation

[PCI.SSM.2] Instances managed by Systems Manager should have an association compliance status of COMPLIANT

AWS Foundational Security Best Practices standard

[ACM.1] Imported ACM certificates should be renewed after a specified time period

[CodeBuild.1] CodeBuild GitHub or Bitbucket source repository URLs should use OAuth

[CodeBuild.2] CodeBuild project environment variables should not contain clear text credentials

[DMS.1] Database Migration Service replication instances should not be public

[EC2.1] Amazon EBS snapshots should not be public, determined by the ability to be restorable by anyone

[EC2.3] Attached EBS volumes should be encrypted at-rest

[EC2.4] Stopped EC2 instances should be removed after a specified time period

[EFS.1] Amazon EFS should be configured to encrypt file data at-rest using AWS KMS

[ELBv2.1] Application Load Balancer should be configured to redirect all HTTP requests to HTTPS

[GuardDuty.1] GuardDuty should be enabled

[IAM.3] IAM users' access keys should be rotated every 90 days or less

[RDS.1] RDS snapshots should be private

[S3.1] S3 Block Public Access setting should be enabled

[SageMaker.1] Amazon SageMaker notebook instances should not have direct internet access

[SSM.2] All EC2 instances managed by Systems Manager should be compliant with patching requirements

[SSM.3] Instances managed by Systems Manager should have an association compliance status of COMPLIANT

Middle East (Bahrain)

The following controls are not supported in Middle East (Bahrain).

AWS GovCloud (US-East)

The following controls are not supported in AWS GovCloud (US-East).

AWS GovCloud (US-West)

The following controls are not supported in AWS GovCloud (US-West).