Enable Security Hub in the aggregator account and enable cross-region aggregation if you want findings from multiple regions consolidated into one region
In a multi-account organization, designate an administrator account and use the organization integration to automatically enroll member accounts so their findings are forwarded
Call GetFindings with a Filters object to query findings by ProductName, ComplianceStatus, SeverityLabel, WorkflowStatus, and RecordState; combine with SortCriteria for ordered results
Paginate results using the NextToken in the response; each page returns up to 100 findings by default
Update finding workflow status (NOTIFIED, SUPPRESSED, RESOLVED) via BatchUpdateFindings to reflect investigation state without modifying the original product finding
Create Security Hub Insights (saved filter queries) for recurring views like all open critical findings from a specific product, and subscribe an EventBridge rule to the findings import event for automation
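The query, pagination and workflow-update steps above, as an added boto3 example (not code from the original page). It assumes boto3 is installed and credentials exist when run against a real account; the helpers take any client object with get_findings / batch_update_findings so the logic can be exercised offline with a stub. The product name "GuardDuty" and the note text are placeholder values.

```python
"""Pull open, active findings for one product and mark them NOTIFIED.

Added example, not from the original page. Assumes boto3 and AWS credentials
only for the __main__ block; the helpers accept any client-like object.
"""
from typing import Dict, Iterator, List


def open_findings_filter(product_name: str, severities=("CRITICAL", "HIGH")) -> Dict:
    """ASFF Filters: active, still-NEW findings from one product at the given severities."""
    return {
        "ProductName": [{"Value": product_name, "Comparison": "EQUALS"}],
        "SeverityLabel": [{"Value": s, "Comparison": "EQUALS"} for s in severities],
        "RecordState": [{"Value": "ACTIVE", "Comparison": "EQUALS"}],
        "WorkflowStatus": [{"Value": "NEW", "Comparison": "EQUALS"}],
    }


def iter_findings(client, filters: Dict, page_size: int = 100) -> Iterator[Dict]:
    """Walk every page of GetFindings, following NextToken until it is absent."""
    kwargs = {"Filters": filters, "MaxResults": page_size,
              "SortCriteria": [{"Field": "UpdatedAt", "SortOrder": "desc"}]}
    while True:
        resp = client.get_findings(**kwargs)
        yield from resp.get("Findings", [])
        token = resp.get("NextToken")
        if not token:
            return
        kwargs["NextToken"] = token  # pass the token back to fetch the next page


def mark_notified(client, findings: List[Dict], note: str) -> int:
    """Set Workflow.Status=NOTIFIED in batches of 100 (BatchUpdateFindings limit).

    Only the workflow state and note change; the product's original finding
    content is untouched. Returns the number of findings the service processed.
    """
    ids = [{"Id": f["Id"], "ProductArn": f["ProductArn"]} for f in findings]
    updated = 0
    for i in range(0, len(ids), 100):
        resp = client.batch_update_findings(
            FindingIdentifiers=ids[i:i + 100],
            Workflow={"Status": "NOTIFIED"},
            Note={"Text": note, "UpdatedBy": "triage-script"},
        )
        updated += len(resp.get("ProcessedFindings", []))
    return updated


if __name__ == "__main__":
    import boto3  # real client: needs credentials and Security Hub enabled
    sh = boto3.client("securityhub")
    found = list(iter_findings(sh, open_findings_filter("GuardDuty")))
    print(f"{len(found)} open findings; {mark_notified(sh, found, 'Ticket opened')} marked NOTIFIED")
```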
Known gotchas
Security Hub normalizes findings to the AWS Security Finding Format (ASFF); custom products sending findings must conform to this schema or the findings will be rejected
Finding deduplication is per-product per-resource; the same vulnerability detected by two different products creates two separate findings that must be correlated manually
Disabling a Security Hub integration does not delete historical findings; archive or delete them explicitly if a clean state is required