[ aws . securityhub ]



Enables Security Hub for your account in the current Region or the Region you specify in the request.

When you enable Security Hub, you grant to Security Hub the permissions necessary to gather findings from other services that are integrated with Security Hub.

When you use the EnableSecurityHub operation to enable Security Hub, you also automatically enable the following standards.

  • CIS Amazon Web Services Foundations

  • Amazon Web Services Foundational Security Best Practices

You do not enable the Payment Card Industry Data Security Standard (PCI DSS) standard.

To not enable the automatically enabled standards, set EnableDefaultStandards to false .

After you enable Security Hub, to enable a standard, use the BatchEnableStandards operation. To disable a standard, use the BatchDisableStandards operation.

To learn more, see the setup information in the Security Hub User Guide .

See also: AWS API Documentation

See ‘aws help’ for descriptions of global parameters.


[--tags <value>]
[--enable-default-standards | --no-enable-default-standards]
[--cli-input-json | --cli-input-yaml]
[--generate-cli-skeleton <value>]


--tags (map)

The tags to add to the hub resource when you enable Security Hub.

key -> (string)

value -> (string)

Shorthand Syntax:


JSON Syntax:

{"string": "string"

--enable-default-standards | --no-enable-default-standards (boolean)

Whether to enable the security standards that Security Hub has designated as automatically enabled. If you do not provide a value for EnableDefaultStandards , it is set to true . To not enable the automatically enabled standards, set EnableDefaultStandards to false .

--cli-input-json | --cli-input-yaml (string) Reads arguments from the JSON string provided. The JSON string follows the format provided by --generate-cli-skeleton. If other arguments are provided on the command line, those values will override the JSON-provided values. It is not possible to pass arbitrary binary values using a JSON-provided value as the string will be taken literally. This may not be specified along with --cli-input-yaml.

--generate-cli-skeleton (string) Prints a JSON skeleton to standard output without sending an API request. If provided with no value or the value input, prints a sample input JSON that can be used as an argument for --cli-input-json. Similarly, if provided yaml-input it will print a sample input YAML that can be used with --cli-input-yaml. If provided with the value output, it validates the command inputs and returns a sample output JSON for that command.

See ‘aws help’ for descriptions of global parameters.


To enable AWS Security Hub

The following enable-security-hub example enables AWS Security Hub for the requesting account. It configures Security Hub to enable the default standards. For the hub resource, it assigns the value Security to the tag Department.

aws securityhub enable-security-hub \
    --enable-default-standards \
    --tags '{"Department": "Security"}'

This command produces no output.

For more information, see Enabling Security Hub in the AWS Security Hub User Guide.