AWS Security Hub Setup

Enable Cloudgeni to scan your AWS infrastructure by connecting to AWS Security Hub. This integration provides comprehensive coverage of your AWS resources and security findings.

Prerequisites

AWS account with administrative access - AWS Security Hub enabled in your target regions - Cloudgeni account (free trial available) - Time estimate: 10-15 minutes

Step 1: Enable AWS Security Hub

Enable Security Hub in AWS Console

Log into your AWS Console 2. Navigate to AWS Security Hub service 3. Click “Enable Security Hub” if not already enabled 4. Select security standards you want to enable: - ✅ AWS Foundational Security Standard - ✅ CIS AWS Foundations Benchmark - ✅ PCI DSS (if applicable) - ✅ NIST Cybersecurity Framework (if applicable) 5. Click “Enable Security Hub”

Security Hub is free for the first 30 days, then charges based on security checks and finding ingestion.

Step 2: Create IAM Role for Cloudgeni

Set up Cloudgeni IAM Permissions

Cloudgeni needs read-only access to Security Hub and related services:

Go to IAM > Roles > Create role
Select “Another AWS account”
Enter Cloudgeni’s AWS Account ID: 123456789012
Check “Require external ID” and enter: cloudgeni-{your-org-id}
Click “Next” and attach these policies:
- SecurityAudit (AWS managed policy)
- CloudgeniBotSecurityHubReadOnly (create custom policy below)

Custom Policy JSON:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "securityhub:GetFindings",
        "securityhub:GetInsights",
        "securityhub:GetComplianceDetails",
        "securityhub:ListStandardsControlAssociations",
        "config:GetComplianceDetailsByConfigRule",
        "config:GetConfigurationRecorder"
      ],
      "Resource": "*"
    }
  ]
}

Name the role: CloudgeniSecurityHubRole
Copy the Role ARN for the next step

Step 3: Configure Cloudgeni Integration

Add AWS Integration in Cloudgeni

Log into your Cloudgeni dashboard
Navigate to “Integrations” > “Add Integration”
Select “AWS Security Hub”
Enter your configuration:
- Integration Name: AWS Production (or your environment name)
- AWS Account ID: Your 12-digit AWS account ID
- IAM Role ARN: The role ARN from Step 2
- External ID: cloudgeni-{your-org-id} (same as Step 2)
- Regions: Select regions where Security Hub is enabled
Click “Test Connection” to verify
Click “Save Integration”

Start with one region to test, then add additional regions once confirmed working.

Step 4: Verify Integration and Run First Scan

Test AWS Scanning

In Cloudgeni, go to “Cloud Infrastructure” > “AWS”
Click “Scan Now” to trigger initial scan
Wait 2-5 minutes for scan completion
Review the results:
- Security findings from Security Hub
- Compliance status by framework
- Resource inventory by service
- Risk prioritization by severity

Expected Results:

EC2 instances with security group findings
S3 buckets with access control issues
IAM policies with excessive permissions
Unencrypted resources (RDS, EBS, etc.)

Sample Findings

S3.8: S3 bucket public read access
EC2.2: Security group allows unrestricted SSH
IAM.1: Root user access keys detected
RDS.3: RDS instance not encrypted

Multi-Region Setup

Enable Multiple AWS Regions

For comprehensive coverage, enable Security Hub in all regions where you have resources: High Priority Regions: - us-east-1 (N. Virginia) - Global services - us-west-2 (Oregon) - Primary workloads - eu-west-1 (Ireland) - European operations - Your primary deployment regions Setup Process: 1. Enable Security Hub in each target region 2. Update your Cloudgeni integration to include all regions 3. Run a scan to verify findings from all regions

Security Hub charges per region, so enable only regions with active resources.

Troubleshooting

Common Setup Issues

Connection Test Fails: - Verify IAM role ARN is correct - Check external ID matches exactly

Ensure Security Hub is enabled in specified regions - Confirm custom policy is attached to role No Findings Returned: - Wait 24-48 hours for Security Hub to populate findings - Check that security standards are enabled - Verify you have resources in the scanned regions Permission Errors: - Ensure SecurityAudit policy is attached - Verify custom policy JSON is valid - Check role trust relationship allows Cloudgeni account Integration Shows “Disconnected”: - Re-test connection in Cloudgeni dashboard - Check AWS CloudTrail for access denied errors - Verify role hasn’t been modified or deleted

What’s Next?

Azure Integration

Add Azure Defender for multi-cloud coverage

Understanding Findings

Learn how to interpret and prioritize security findings

Automated Remediation

Set up AI-powered fix generation and deployment

Compliance Reporting

Generate compliance reports for audits

Need Help?

Having Issues?

IAM permission problems? Contact hello@cloudgeni.ai with your role ARN - No findings appearing? Check our AWS Troubleshooting Guide - Multi-account setup? See our AWS Organizations Integration - Cost concerns? Review AWS Security Hub Pricing

Getting Started

Features

Integrations

CLI

Scanning & Findings

Remediation

Compliance

Examples

Troubleshooting

Support

Prerequisites

Step 1: Enable AWS Security Hub

Step 2: Create IAM Role for Cloudgeni

Step 3: Configure Cloudgeni Integration

Step 4: Verify Integration and Run First Scan

Sample Findings

Multi-Region Setup

Troubleshooting

What’s Next?

Azure Integration

Understanding Findings

Automated Remediation

Compliance Reporting

Need Help?

Having Issues?

Getting Started

Features

Integrations

CLI

Scanning & Findings

Remediation

Compliance

Examples

Troubleshooting

Support

Prerequisites

​Step 1: Enable AWS Security Hub

​Step 2: Create IAM Role for Cloudgeni

​Step 3: Configure Cloudgeni Integration

​Step 4: Verify Integration and Run First Scan

Sample Findings

​Multi-Region Setup

​Troubleshooting

​What’s Next?

Azure Integration

Understanding Findings

Automated Remediation

Compliance Reporting

​Need Help?

Having Issues?

Step 1: Enable AWS Security Hub

Step 2: Create IAM Role for Cloudgeni

Step 3: Configure Cloudgeni Integration

Step 4: Verify Integration and Run First Scan

Multi-Region Setup

Troubleshooting

What’s Next?

Need Help?