# Understanding cross-Region aggregation in Security Hub
<a name="security-hub-region-aggregation"></a>

Cross-Region aggregation allows you to aggregate findings, resources, and trends from multiple AWS Regions into a single home Region. You can then manage all this data from the home Region.

Suppose you set US East (N. Virginia) as the home Region, and US West (Oregon) and US West (N. California) as the linked Regions. When you view the Findings page in US East (N. Virginia), you see the findings from all three Regions. Updates to those findings are also reflected in all three Regions.

## Types of data that are aggregated
<a name="aggregated-data-types"></a>

When cross-Region aggregation is enabled with one or more linked Regions, Security Hub replicates the following data from the linked Regions to the home Region. This occurs in every account that has cross-Region aggregation enabled.
+ Findings
+ Resources
+ Trends

In addition to new data in the previous list, Security Hub also replicates updates to this data between the linked Regions and the home Region. Updates that occur in a linked Region are replicated to the home Region. Updates that occur in the home Region are replicated back to the linked Region. If there are conflicting updates in the home Region and the linked Region, then the most recent update is used.

Any findings that existed in a Region at the time it becomes a linked Region are not replicated to the home Region unless the finding is updated. After a Region is linked to a home Region, the findings in the home Region and the linked Region differ until the findings in the linked Region are updated or age out.

Any resources that existed in a Region at the time it becomes a linked Region are replicated to the home Region, typically within 24-48 hours after the Region becomes linked.

When you remove a linked Region, any findings or resources from that Region remain in the home Region until the finding or resource ages out.

Trends data is based on the findings and resources that are present in the Region that the trend is for. Trends data in the home Region reflects the current state of the findings and resources that have been synced to the home Region.

![When cross-Region aggregation is enabled, Security Hub CSPM replicates new and updated findings between the linked Regions and home Region.](http://docs.aws.amazon.com/securityhub/latest/userguide/images/security-hub-region-aggregation-diagram.png)

Cross-Region aggregation does not add to the cost of Security Hub. You are not charged when Security Hub replicates new data or updates.

In the home Region, the Summary page provides a view of your active findings and resources across linked Regions.

Security Hub only aggregates data from Regions where an account has Security Hub enabled. Security Hub is not automatically enabled for an account based on the cross-Region aggregation configuration.

It's possible to have cross-Region aggregation enabled without any linked Regions selected. In this case, no data replication occurs.

## Aggregation for administrator and member accounts
<a name="aggregation-administrator-member-accounts"></a>

Standalone accounts and administrator accounts can configure cross-Region aggregation. If an administrator configures it, the administrator account must remain in place for cross-Region aggregation to work in the administered accounts. If the administrator account is removed or disassociated from a member account, one of two things happens: cross-Region aggregation for the member account stops, or, if the member account had its own cross-Region aggregation configuration before it was associated with the administrator, that configuration takes effect again for the account.

When an administrator account enables cross-Region aggregation, Security Hub replicates the data that the administrator account generates in all linked Regions to the home Region. In addition, Security Hub identifies the member accounts that are associated with that administrator, and each member account inherits the cross-Region aggregation settings of the administrator. Security Hub replicates the data that a member account generates in all linked Regions to the home Region.

The administrator can access and manage security findings from all member accounts within the administered Regions. Additionally, the administrator can view the resource inventory from all member accounts within the administered Regions.

As a Security Hub member account, you must be signed in to the home Region to view aggregated data from your account from all linked Regions. Member accounts don't have permissions to view data from other member accounts and are not permitted to call the `CreateAggregatorV2`, `DeleteAggregatorV2`, and `GetAggregatorV2` APIs.

## Automation rules and cross-Region aggregation
<a name="automation-rules-cross-region"></a>

When cross-Region aggregation is enabled, automation rules can only be created in the designated home Region. Any rule that you define applies to all linked Regions unless the rule criteria target specific Regions. You must create separate automation rules for any Region that is not a linked Region.

Any rules that were created in the home Region before cross-Region aggregation was enabled automatically become applicable in the linked Regions. Rules previously created in linked Regions no longer apply once an aggregator is created. Rules defined in linked Regions resume applying once the aggregator is deleted or the Region is no longer linked.

# Enabling cross-Region aggregation
<a name="sh-finding-aggregation-enable"></a>

You must enable cross-Region aggregation from the AWS Region that you want to designate as the home Region.

To enable cross-Region aggregation, you create a Security Hub resource called a finding aggregator. The finding aggregator resource specifies your home Region and linked Regions (if any).

You can't use an AWS Region that is disabled by default as your home Region. For a list of Regions that are disabled by default, see Enabling a Region in the AWS General Reference.

When you enable cross-Region aggregation, you can optionally specify one or more linked Regions. Enabling cross-Region aggregation does not enable Security Hub in a linked Region. To enable Security Hub in a Region, see Creating a policy as the delegated administrator to manage member accounts in the Security Hub User Guide.

**To enable cross-Region aggregation (console)**

1. From the administrator account or in a standalone account, open the AWS Security Hub console at [https://console.aws.amazon.com/securityhub/v2/home](https://console.aws.amazon.com/securityhub/v2/home).

1. Using the AWS Region selector, sign in to the Region that you want to use as the aggregation Region.

1. In the Security Hub navigation menu, choose **Settings** and then **General**.

1. In the Cross-Region aggregation section, choose **Configure**.

1. By default, the home Region is set to **No aggregation Region**.

1. Under **Home Region**, select the option to designate the current Region as the home Region.

1. Optionally, for **Linked Regions**, select the Regions to aggregate data from.

1. Choose **Save**.

# Reviewing cross-Region aggregation settings
<a name="sh-finding-aggregation-view-config"></a>

You can view the current cross-Region aggregation configuration in AWS Security Hub from any AWS Region in the administrator account or in a standalone account. Member accounts cannot view cross-Region aggregation configuration. The configuration includes the home Region, and the linked Regions (if any).

Follow these steps to view your current cross-Region aggregation settings.

**To view cross-Region aggregation settings (console)**

1. Open the AWS Security Hub console at [https://console.aws.amazon.com/securityhub/v2/home](https://console.aws.amazon.com/securityhub/v2/home).

1. On the navigation pane, choose **Settings** and then **General**.

1. If cross-Region aggregation is not enabled, then the General page displays the option to enable cross-Region aggregation. Only administrator accounts and standalone accounts can enable cross-Region aggregation.

1. If cross-Region aggregation is enabled, then the Regions tab displays the following information:
   + The home Region
   + Whether to automatically aggregate findings, resources, and trends from new Regions that Security Hub supports and that you opt into
   + The list of linked Regions (if any are selected)

# Updating cross-Region aggregation settings
<a name="sh-finding-aggregation-update"></a>

You can update your current cross-Region aggregation settings in AWS Security Hub by changing the linked Regions or the current home Region. 

Changes to cross-Region aggregation aren't implemented for an opt-in Region until you enable the Region in your AWS account. Regions that AWS introduced on or after March 20, 2019 are opt-in Regions.

When you stop aggregating data from a linked Region, AWS Security Hub doesn't remove any existing aggregated data from that Region that is accessible in the home Region.

You can't use the update procedures in this section to change the home Region. To change the home Region, you must do the following:

1. Delete the current cross-Region aggregation configuration. For instructions, see [Deleting cross-Region aggregation](sh-finding-aggregation-delete.md).

1. Change to the Region that you want to be the new home Region.

1. Enable cross-Region aggregation. For instructions, see [Enabling cross-Region aggregation](sh-finding-aggregation-enable.md).

You must update the cross-Region aggregation configuration from the current home Region.
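The coverage rules described on this page (data is aggregated only from Regions that are enabled and linked, opt-in Regions are ignored until you enable them, and non-linked Regions need their own automation rules) can be checked mechanically. The following script is an added example, not AWS documentation code; it assumes the boto3 `securityhub` client exposes `list_aggregators_v2` and `get_aggregator_v2` (Security Hub V2 API, response keys `AggregatorV2Arn`, `AggregationRegion`, `RegionLinkingMode`, `LinkedRegions`), that `RegionLinkingMode` uses the same values as the classic API, and that the `account` client exposes `list_regions`. The pure checks run offline on constructed input; `audit_live_account` needs credentials for an administrator or standalone account in the home Region.

```python
"""Audit a Security Hub cross-Region aggregation configuration (added example,
not AWS documentation code; boto3 call shapes are assumptions)."""
from dataclasses import dataclass, field


@dataclass
class CoverageReport:
    not_aggregated: list = field(default_factory=list)  # enabled, but outside the aggregator
    not_yet_enabled: list = field(default_factory=list)  # linked, but still opted out


def effective_linked(mode, listed, enabled):
    """Resolve RegionLinkingMode (assumed values, as in the classic API) to Regions."""
    if mode == "ALL_REGIONS":
        return list(enabled)
    if mode == "ALL_REGIONS_EXCEPT_SPECIFIED":
        return [r for r in enabled if r not in listed]
    return list(listed)  # SPECIFIED_REGIONS


def find_coverage_gaps(home_region, linked_regions, enabled_regions):
    """An enabled Region that is neither home nor linked sends nothing to the home
    Region and needs its own automation rules; a linked opt-in Region that is not
    yet enabled in the account is ignored until you enable it."""
    aggregated = {home_region, *linked_regions}
    enabled = set(enabled_regions)
    return CoverageReport(not_aggregated=sorted(enabled - aggregated),
                          not_yet_enabled=sorted(set(linked_regions) - enabled))


def audit_live_account(home_region):
    """Pull the aggregator and the account's enabled Regions from AWS, then audit."""
    import boto3  # imported here so the pure checks above run offline

    sh = boto3.client("securityhub", region_name=home_region)
    arns = [a["AggregatorV2Arn"] for a in sh.list_aggregators_v2()["AggregatorsV2"]]
    if not arns:
        raise RuntimeError(f"cross-Region aggregation is not enabled in {home_region}")
    agg = sh.get_aggregator_v2(AggregatorV2Arn=arns[0])
    if agg["AggregationRegion"] != home_region:
        # the page says configuration must be managed from the home Region
        raise RuntimeError(f"run this from the home Region {agg['AggregationRegion']}")
    enabled = [r["RegionName"] for r in boto3.client("account").list_regions(
        RegionOptStatusContains=["ENABLED", "ENABLED_BY_DEFAULT"])["Regions"]]
    linked = effective_linked(agg["RegionLinkingMode"], agg.get("LinkedRegions", []), enabled)
    return find_coverage_gaps(home_region, linked, enabled)
```

On constructed input mirroring the page's layout (N. Virginia home, Oregon and N. California linked) with eu-west-1 enabled but not linked and af-south-1 linked but not yet opted in, `find_coverage_gaps` reports eu-west-1 as not aggregated and af-south-1 as not yet enabled.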

**To change the linked Regions (console)**

1. From the administrator account or in a standalone account, open the AWS Security Hub console at [https://console.aws.amazon.com/securityhub/v2/home](https://console.aws.amazon.com/securityhub/v2/home).

1. Sign in to the current aggregation Region.

1. In the Security Hub navigation menu, choose **Settings**, then choose **General**.

1. For Cross-Region aggregation, choose **Edit**.

1. For **Linked Regions**, update the selected linked Regions.

1. Choose **Save**.

# Deleting cross-Region aggregation
<a name="sh-finding-aggregation-delete"></a>

If you don't want AWS Security Hub to aggregate data, you can delete your finding aggregator. Alternatively, you can keep your finding aggregator but not link any AWS Regions to the home Region by updating the existing aggregator so that no linked Regions are selected.

To change your home Region, you must delete your current finding aggregator and create a new one.

When you delete your finding aggregator, Security Hub stops aggregating data. It doesn't remove any existing aggregated data from the home Region.

**Deleting the finding aggregator (console)**  
You can delete your finding aggregator from the current home Region only.

In Regions other than the home Region, the Finding aggregation panel on the Security Hub console displays a message that you must edit the configuration in the home Region. Choose this message to display a link to switch to the home Region.

**To stop cross-Region aggregation (console)**

1. Open the AWS Security Hub console at [https://console.aws.amazon.com/securityhub/v2/home](https://console.aws.amazon.com/securityhub/v2/home).

1. Ensure that you're signed in to your current home Region.

1. In the Security Hub navigation menu, choose **Settings**, then choose **General**.

1. Under Cross-Region aggregation, choose **Edit**.

1. Under **Aggregation Region**, choose **No aggregation Region**.

1. Choose **Save**.

1. On the confirmation dialog, in the confirmation field, type **Confirm**.

1. Choose **Confirm**.