Enable Cloudgeni to scan your AWS infrastructure by connecting to AWS Security Hub. This integration provides comprehensive coverage of your AWS resources and security findings.

Prerequisites

  • AWS account with administrative access
  • AWS Security Hub enabled in your target regions
  • Cloudgeni account (free trial available)
  • Time estimate: 10-15 minutes

Step 1: Enable AWS Security Hub

  1. Log into your AWS Console
  2. Navigate to AWS Security Hub service
  3. Click “Enable Security Hub” if not already enabled
  4. Select security standards you want to enable:
    • AWS Foundational Security Standard
    • CIS AWS Foundations Benchmark
    • PCI DSS (if applicable)
    • NIST Cybersecurity Framework (if applicable)
  5. Click “Enable Security Hub”
Security Hub is free for the first 30 days, then charges based on security checks and finding ingestion.

Step 2: Create IAM Role for Cloudgeni

Cloudgeni needs read-only access to Security Hub and related services:
  1. Go to IAM > Roles > Create role
  2. Select “Another AWS account”
  3. Enter Cloudgeni’s AWS Account ID: 123456789012
  4. Check “Require external ID” and enter: cloudgeni-{your-org-id}
  5. Click “Next” and attach these policies:
    • SecurityAudit (AWS managed policy)
    • CloudgeniBotSecurityHubReadOnly (create custom policy below)
Custom Policy JSON:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "securityhub:GetFindings",
        "securityhub:GetInsights",
        "securityhub:GetComplianceDetails",
        "securityhub:ListStandardsControlAssociations",
        "config:GetComplianceDetailsByConfigRule",
        "config:GetConfigurationRecorder"
      ],
      "Resource": "*"
    }
  ]
}
  6. Name the role: CloudgeniSecurityHubRole
  7. Before leaving the role page, open the “Trust relationships” tab and confirm the policy names Cloudgeni’s account ID as the principal and carries a StringEquals condition on sts:ExternalId with the value from step 4; a trust policy without that condition lets anyone who learns the role ARN ask Cloudgeni to assume it on their behalf
  8. Copy the Role ARN for the next step
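The same role can be created with boto3 instead of the console. The script below is an added example for this page, not Cloudgeni’s own tooling: it builds the trust policy that console steps 2-4 produce (Cloudgeni’s account as principal, sts:ExternalId condition), reuses the custom policy JSON above verbatim, and lints a trust policy for the two mistakes that weaken it (a wildcard principal, or no external-ID condition). The account ID, role name and policy name are the ones printed in Step 2; the external-ID pattern `cloudgeni-<org-id>` is an assumption about the format, and boto3 is imported only inside `create_role()` so the builders run offline.

```python
"""Create CloudgeniSecurityHubRole from Step 2 with boto3 instead of the console.

Added example, not Cloudgeni's own tooling. The account ID, role name, policy
name and external ID shape are taken from Step 2 (the ID format is assumed);
boto3 is only imported inside create_role(), so the policy builders and the
trust-policy check run offline.
"""
import json
import re

CLOUDGENI_ACCOUNT_ID = "123456789012"          # Cloudgeni account ID as printed in Step 2
ROLE_NAME = "CloudgeniSecurityHubRole"
POLICY_NAME = "CloudgeniBotSecurityHubReadOnly"
SECURITY_AUDIT_ARN = "arn:aws:iam::aws:policy/SecurityAudit"
EXTERNAL_ID_RE = re.compile(r"^cloudgeni-[A-Za-z0-9_-]+$")  # assumed shape of cloudgeni-{your-org-id}


def valid_external_id(external_id: str) -> bool:
    return bool(EXTERNAL_ID_RE.match(external_id))


def trust_policy(external_id: str, cloudgeni_account_id: str = CLOUDGENI_ACCOUNT_ID) -> dict:
    """Trust relationship equivalent to console steps 2-4: only the Cloudgeni
    account may call sts:AssumeRole, and only when it presents the external ID.
    The condition is what stops a third party who knows the role ARN from
    getting Cloudgeni to assume it on their behalf (confused deputy)."""
    if not valid_external_id(external_id):
        raise ValueError(f"external ID {external_id!r} must look like cloudgeni-{{your-org-id}}")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{cloudgeni_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def permissions_policy() -> dict:
    """The custom read-only policy JSON from Step 2, verbatim."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": [
                "securityhub:GetFindings",
                "securityhub:GetInsights",
                "securityhub:GetComplianceDetails",
                "securityhub:ListStandardsControlAssociations",
                "config:GetComplianceDetailsByConfigRule",
                "config:GetConfigurationRecorder",
            ],
            "Resource": "*",
        }],
    }


def lint_trust_policy(doc: dict) -> list:
    """Report AssumeRole statements broader than Step 2 intends:
    a wildcard principal, or no sts:ExternalId condition."""
    problems = []
    for i, st in enumerate(doc.get("Statement", [])):
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if st.get("Effect") != "Allow" or not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = st.get("Principal", {})
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        aws = [aws] if isinstance(aws, str) else aws
        if principal == "*" or "*" in aws:
            problems.append(f"statement {i}: wildcard principal lets any AWS account assume the role")
        conditions = st.get("Condition", {})
        if not any("sts:ExternalId" in v for v in conditions.values() if isinstance(v, dict)):
            problems.append(f"statement {i}: no sts:ExternalId condition")
    return problems


def create_role(external_id: str) -> str:
    """Create the role, attach SecurityAudit and the custom policy, return its ARN."""
    import boto3  # needs credentials with IAM write access in your account
    doc = trust_policy(external_id)
    assert lint_trust_policy(doc) == []
    iam = boto3.client("iam")
    role = iam.create_role(RoleName=ROLE_NAME, AssumeRolePolicyDocument=json.dumps(doc),
                           Description="Read-only access for the Cloudgeni Security Hub integration")
    iam.attach_role_policy(RoleName=ROLE_NAME, PolicyArn=SECURITY_AUDIT_ARN)
    custom = iam.create_policy(PolicyName=POLICY_NAME, PolicyDocument=json.dumps(permissions_policy()))
    iam.attach_role_policy(RoleName=ROLE_NAME, PolicyArn=custom["Policy"]["Arn"])
    return role["Role"]["Arn"]


if __name__ == "__main__":
    import sys
    print(create_role(sys.argv[1]))  # usage: python create_role.py cloudgeni-<your-org-id>
```

Run it once per AWS account with the external ID you entered in the console; the printed ARN is the value Step 3 asks for. `lint_trust_policy()` is also useful on its own against `aws iam get-role` output if a connection test fails later.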

Step 3: Configure Cloudgeni Integration

  1. Log into your Cloudgeni dashboard
  2. Navigate to “Integrations” > “Add Integration”
  3. Select “AWS Security Hub”
  4. Enter your configuration:
    • Integration Name: AWS Production (or your environment name)
    • AWS Account ID: Your 12-digit AWS account ID
    • IAM Role ARN: The role ARN from Step 2
    • External ID: cloudgeni-{your-org-id} (same as Step 2)
    • Regions: Select regions where Security Hub is enabled
  5. Click “Test Connection” to verify
  6. Click “Save Integration”
Start with one region to test, then add additional regions once confirmed working.

Step 4: Verify Integration and Run First Scan

  1. In Cloudgeni, go to “Cloud Infrastructure” > “AWS”
  2. Click “Scan Now” to trigger initial scan
  3. Wait 2-5 minutes for scan completion
  4. Review the results:
    • Security findings from Security Hub
    • Compliance status by framework
    • Resource inventory by service
    • Risk prioritization by severity
Expected Results:
  • EC2 instances with security group findings
  • S3 buckets with access control issues
  • IAM policies with excessive permissions
  • Unencrypted resources (RDS, EBS, etc.)

Sample Findings

  • S3.8: S3 bucket public read access
  • EC2.2: Security group allows unrestricted SSH
  • IAM.1: Root user access keys detected
  • RDS.3: RDS instance not encrypted
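To see what the Step 3 connection test and the Step 4 scan do against your account, the script below reproduces the AWS side of it: assume CloudgeniSecurityHubRole with the external ID, page through active findings that currently fail a control in each selected region, and tally them by control ID (S3.8, EC2.2, IAM.1, RDS.3 and so on) and severity. This is an added example, not Cloudgeni’s code: the role ARN, external ID and region list are supplied by the caller, the session name is an assumption, and the findings embedded at the bottom are constructed records in the Security Hub finding (ASFF) shape, not output from a real account. boto3 is imported only where AWS is actually called, so the tally runs offline.

```python
"""What the Step 3 connection test and Step 4 scan do on the AWS side: assume
CloudgeniSecurityHubRole with the external ID, page through active failed
Security Hub findings per region, and tally them by control ID and severity.

Added example, not Cloudgeni's code. Role ARN, external ID and regions are
caller-supplied; SAMPLE_FINDINGS are constructed ASFF-shaped records, not
output from a real account. boto3 is imported only where AWS is called.
"""
from collections import Counter

# Only findings that still need attention: active, failing a control, not resolved or suppressed.
FAILED_ACTIVE_FILTER = {
    "RecordState": [{"Value": "ACTIVE", "Comparison": "EQUALS"}],
    "ComplianceStatus": [{"Value": "FAILED", "Comparison": "EQUALS"}],
    "WorkflowStatus": [
        {"Value": "NEW", "Comparison": "EQUALS"},
        {"Value": "NOTIFIED", "Comparison": "EQUALS"},
    ],
}


def control_id(finding: dict) -> str:
    """Control ID ("S3.8") of a standards finding. Current findings carry it in
    Compliance.SecurityControlId; older ones only as the last path segment of
    GeneratorId ("aws-foundational-security-best-practices/v/1.0.0/S3.8")."""
    cid = finding.get("Compliance", {}).get("SecurityControlId")
    if cid:
        return cid
    gen = finding.get("GeneratorId", "")
    return gen.rsplit("/", 1)[-1] if gen else "unknown"


def summarize(findings) -> dict:
    by_control, by_severity = Counter(), Counter()
    for f in findings:
        by_control[control_id(f)] += 1
        by_severity[f.get("Severity", {}).get("Label", "INFORMATIONAL")] += 1
    return {"total": sum(by_control.values()),
            "by_control": dict(by_control),
            "by_severity": dict(by_severity)}


def security_hub_client(role_arn: str, external_id: str, region: str):
    """Assume the role the way the integration does; ExternalId is mandatory
    because the trust policy from Step 2 conditions on it."""
    import boto3
    creds = boto3.client("sts").assume_role(
        RoleArn=role_arn, RoleSessionName="cloudgeni-connection-test", ExternalId=external_id,
    )["Credentials"]
    return boto3.client("securityhub", region_name=region,
                        aws_access_key_id=creds["AccessKeyId"],
                        aws_secret_access_key=creds["SecretAccessKey"],
                        aws_session_token=creds["SessionToken"])


def fetch_failed_findings(hub, max_items: int = 5000) -> list:
    findings = []
    for page in hub.get_paginator("get_findings").paginate(
            Filters=FAILED_ACTIVE_FILTER, PaginationConfig={"MaxItems": max_items}):
        findings.extend(page["Findings"])
    return findings


def scan(role_arn: str, external_id: str, regions) -> dict:
    """Per-region summary, one region at a time as Step 3 recommends."""
    return {r: summarize(fetch_failed_findings(security_hub_client(role_arn, external_id, r)))
            for r in regions}


# Constructed sample findings (ASFF subset) standing in for one GetFindings page.
SAMPLE_FINDINGS = [
    {"GeneratorId": "security-control/S3.8", "Compliance": {"Status": "FAILED", "SecurityControlId": "S3.8"},
     "Severity": {"Label": "HIGH"}, "Resources": [{"Type": "AwsS3Bucket", "Id": "arn:aws:s3:::example-logs"}]},
    {"GeneratorId": "security-control/S3.8", "Compliance": {"Status": "FAILED", "SecurityControlId": "S3.8"},
     "Severity": {"Label": "HIGH"}, "Resources": [{"Type": "AwsS3Bucket", "Id": "arn:aws:s3:::example-assets"}]},
    {"GeneratorId": "aws-foundational-security-best-practices/v/1.0.0/EC2.2", "Compliance": {"Status": "FAILED"},
     "Severity": {"Label": "HIGH"}, "Resources": [{"Type": "AwsEc2SecurityGroup", "Id": "sg-0123456789abcdef0"}]},
    {"GeneratorId": "security-control/IAM.1", "Compliance": {"Status": "FAILED", "SecurityControlId": "IAM.1"},
     "Severity": {"Label": "CRITICAL"}, "Resources": [{"Type": "AwsAccount", "Id": "AWS::::Account:111122223333"}]},
    {"GeneratorId": "security-control/RDS.3", "Compliance": {"Status": "FAILED", "SecurityControlId": "RDS.3"},
     "Severity": {"Label": "MEDIUM"}, "Resources": [{"Type": "AwsRdsDbInstance", "Id": "arn:aws:rds:us-east-1:111122223333:db:example"}]},
]

if __name__ == "__main__":
    import sys
    role_arn, external_id, *regions = sys.argv[1:]
    print(scan(role_arn, external_id, regions or ["us-east-1"]))
```

If `assume_role` fails here, the connection test in Cloudgeni will fail for the same reason, and the error tells you which side is wrong: an AccessDenied from STS points at the trust policy or external ID, an AccessDenied from Security Hub at the attached policies, and an InvalidAccessException from Security Hub at a region where the service is not enabled.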

Multi-Region Setup

For comprehensive coverage, enable Security Hub in all regions where you have resources. Security Hub is a regional service: a region where it is disabled produces no findings for Cloudgeni to ingest, whatever is deployed there. If you use Security Hub cross-Region aggregation, findings from the linked Regions are also visible in the aggregation Region, but Security Hub still has to be enabled in each linked Region.
High Priority Regions:
  • us-east-1 (N. Virginia) - Global services
  • us-west-2 (Oregon) - Primary workloads
  • eu-west-1 (Ireland) - European operations
  • Your primary deployment regions
Setup Process:
  1. Enable Security Hub in each target region
  2. Update your Cloudgeni integration to include all regions
  3. Run a scan to verify findings from all regions
Security Hub charges per region, so enable only regions with active resources.

Troubleshooting

Connection Test Fails:
  • Verify IAM role ARN is correct
  • Check external ID matches exactly
  • Ensure Security Hub is enabled in specified regions
  • Confirm custom policy is attached to role
No Findings Returned:
  • Wait 24-48 hours for Security Hub to populate findings
  • Check that security standards are enabled
  • Confirm AWS Config is recording in each scanned region; most Security Hub controls are evaluated through Config rules, so a region without a Config recorder produces no control findings
  • Verify you have resources in the scanned regions
Permission Errors:
  • Ensure SecurityAudit policy is attached
  • Verify custom policy JSON is valid
  • Check role trust relationship allows Cloudgeni account
Integration Shows “Disconnected”:
  • Re-test connection in Cloudgeni dashboard
  • Check AWS CloudTrail for access denied errors
  • Verify role hasn’t been modified or deleted
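When the checklist above points at CloudTrail, the events need sorting into the three causes it lists: a trust-policy or external-ID problem (AssumeRole denied by STS), missing permissions (AccessDenied from Security Hub or Config), or Security Hub not enabled in that region (InvalidAccessException from Security Hub). The helper below is an added example, not Cloudgeni’s tooling: it looks up recent events for the role session and for the role itself, parses the CloudTrailEvent JSON, and groups failures by cause. The session name is an assumption (use whatever Cloudgeni’s sessions show as Username in your trail), and the events embedded at the bottom are constructed in the shape `lookup_events` returns. boto3 is imported only in `lookup_role_events()`, so the classifier runs offline.

```python
"""Sort CloudTrail failures for the Cloudgeni role into the troubleshooting
causes: trust policy / external ID, missing permissions, region not enabled.

Added example, not Cloudgeni's tooling. SESSION_NAME is an assumption;
SAMPLE_EVENTS are constructed in the shape cloudtrail:LookupEvents returns.
boto3 is imported only inside lookup_role_events().
"""
import json
from datetime import datetime, timedelta, timezone

SESSION_NAME = "cloudgeni-connection-test"  # assumed; CloudTrail shows a role session's name as Username
DENIED_CODES = ("AccessDenied", "AccessDeniedException", "UnauthorizedOperation")


def classify(event: dict) -> str:
    """event is one parsed CloudTrailEvent record. Returns 'ok' or a cause label."""
    code = event.get("errorCode")
    if not code:
        return "ok"
    name, source = event.get("eventName", ""), event.get("eventSource", "")
    if name == "AssumeRole" and source == "sts.amazonaws.com":
        return "trust: AssumeRole denied, check trust policy principal and external ID"
    if source == "securityhub.amazonaws.com" and code == "InvalidAccessException":
        return "region: Security Hub is not enabled in this region"
    if code in DENIED_CODES:
        return f"permissions: {source.split('.')[0]}:{name} denied, check SecurityAudit and the custom policy"
    return f"other: {code} on {name}"


def triage(raw_events) -> dict:
    """raw_events: the Events list from lookup_events; CloudTrailEvent is a JSON string.
    Returns {cause label: [eventTime, ...]} for every failed call."""
    causes = {}
    for e in raw_events:
        raw = e.get("CloudTrailEvent")
        ev = json.loads(raw) if isinstance(raw, str) else e
        label = classify(ev)
        if label != "ok":
            causes.setdefault(label, []).append(ev.get("eventTime"))
    return causes


def lookup_role_events(role_arn: str, hours: int = 24) -> dict:
    """Calls made by the role session, plus events that reference the role
    (AssumeRole); needs cloudtrail:LookupEvents in your own account."""
    import boto3
    ct = boto3.client("cloudtrail")
    end = datetime.now(timezone.utc)
    start = end - timedelta(hours=hours)
    events = []
    for attr in ({"AttributeKey": "Username", "AttributeValue": SESSION_NAME},
                 {"AttributeKey": "ResourceName", "AttributeValue": role_arn}):
        for page in ct.get_paginator("lookup_events").paginate(
                LookupAttributes=[attr], StartTime=start, EndTime=end):
            events.extend(page["Events"])
    return triage(events)


def _ev(**fields) -> dict:
    return {"CloudTrailEvent": json.dumps(fields)}


# Constructed lookup_events output: three different failures and one success.
SAMPLE_EVENTS = [
    _ev(eventTime="2024-01-01T10:00:00Z", eventSource="sts.amazonaws.com", eventName="AssumeRole",
        errorCode="AccessDenied", errorMessage="not authorized to perform: sts:AssumeRole"),
    _ev(eventTime="2024-01-01T10:05:00Z", eventSource="securityhub.amazonaws.com", eventName="GetFindings",
        awsRegion="us-east-1", errorCode="AccessDeniedException", errorMessage="securityhub:GetFindings"),
    _ev(eventTime="2024-01-01T10:06:00Z", eventSource="securityhub.amazonaws.com", eventName="GetFindings",
        awsRegion="eu-west-1", errorCode="InvalidAccessException", errorMessage="not subscribed to AWS Security Hub"),
    _ev(eventTime="2024-01-01T10:07:00Z", eventSource="securityhub.amazonaws.com", eventName="GetFindings",
        awsRegion="us-west-2"),
]

if __name__ == "__main__":
    import sys
    for cause, times in lookup_role_events(sys.argv[1]).items():
        print(f"{len(times):4d}  {cause}  (latest {max(times)})")
```

Run it with the role ARN from Step 2 after a failed connection test; an empty result with the test still failing usually means the call never reached your account, so re-check the ARN and account ID entered in Cloudgeni first.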
