GuardDuty findings exist in a region, but that region does not appear in Security Hub cross‑Region view

Your setup (Delegated Admin + Aggregation) is architecturally correct. To answer your specific question: Yes, Security Hub must be enabled in each region for findings to be generated and then aggregated. While "auto-enable" in AWS Organizations is designed to handle this, there are two reasons why me-south-1 might be missing:

1. The "Opt-in Region" Factor

Regions like me-south-1 (Bahrain) are "Opt-in" regions. Even with organization-wide auto-enable, you must ensure that the region itself is enabled at the account level for all member accounts.

• Check: Go to the AWS Billing/Account console and verify that "Middle East (Bahrain)" is status Enabled for the accounts in question. If the region is disabled at the account level, Security Hub cannot be "auto-enabled" there.

2. Ongoing Regional Disruption

Even if configured correctly, there is currently a major infrastructure event in me-south-1. As of March 2026, AWS has confirmed significant API error rates and connectivity issues in Bahrain due to physical data center disruptions.

see->

Operational issue - Multiple services (Bahrain)

Increased Connectivity Issues and API Error Rates

Mar 03 8:40 AM PST We are providing an update on the ongoing service disruptions affecting the AWS Middle East (Bahrain) Region (ME-SOUTH-1). We continue to make progress on recovery efforts across multiple workstreams. With the immediate phase of this event now better understood, we are moving to a more targeted communication model. Going forward, updates will be delivered directly to affected customers through the AWS Personal Health Dashboard. Customers who require assistance with this event are encouraged to contact AWS Support through the AWS Management Console or the AWS Support Center.

source: https://health.aws.amazon.com/health/status

So, I’m not 100% sure but the fact that you can see findings locally in the GuardDuty console in me-south-1, but the region itself does not even appear in your Delegated Admin's Security Hub list, strongly suggests that this is not a configuration error on your part, but a result of the current major infrastructure disruption in the Bahrain region.

Based on your last comment:

While me-south-1 and ap-east-1 are Opt-in regions , the fact that ap-south-1 is also missing I suggests a broader configuration gap rather than just account-level region activation. Please verify the following:

• Regional Security Hub Activation: Confirm that Security Hub is explicitly enabled in every affected region (e.g., ap-south-1) for every member account. "Organization auto-enable" often only applies to new accounts joining the organization, not existing ones in every region.
• Regional Membership Status: In the Delegated Administrator (DA) account, switch your console to ap-south-1. Check the "Accounts" tab to ensure the member accounts show a status of "Enabled" specifically within that region. If they are not associated there, findings won't flow to the DA.
• Finding Aggregator Scope: In your home region (eu-west-1), verify that the finding aggregator is configured to include "All regions" or that ap-south-1 is specifically checked as a linked region.
• GuardDuty-Security Hub Integration: Ensure the GuardDuty findings are actually reaching the local Security Hub in the member account before aggregation.

You can use CLI or AWS CloudShell to quickly verify if Security Hub is actually active in the missing regions without local setup:

# Replace <region> with ap-south-1, etc.
aws securityhub describe-hub --region <region> --profile <member-account>

like this example (was not able to test it in my sandbox):

for region in $(aws ec2 describe-regions --query "Regions[].RegionName" --output text); do
    echo -n "Region $region: "
    status=$(aws securityhub describe-hub --region $region 2>&1)
    if [[ $status == *"HubArn"* ]]; then
        echo "ENABLED"
    elif [[ $status == *"is not subscribed"* ]]; then
        echo "NOT ENABLED"
    else
        echo "ERROR (Check Opt-in status or permissions)"
    fi
done

see also this re:Post:

• https://repost.aws/knowledge-center/security-hub-finding-region

and please this links:

• https://docs.aws.amazon.com/securityhub/latest/userguide/finding-aggregation-enable.html

Root cause is that me-south-1 is an "opt-in" region. me-south-1 (Bahrain) must be manually enabled per account. This creates two cascading considerations:

1. Security Hub cannot be auto-enabled in opt-in regions via Organization auto-enable The auto-enable setting only works for regions that are enabled by default. For opt-in regions like me-south-1, each member account needs the region explicitly opted-in first, and then Security Hub must be enabled in it separately. Central configuration via Delegated Admin does not cover this automatically.

2. For a linked region to send findings, Security Hub must actually be enabled there The docs confirm: "You can't use a Region that's disabled by default as your aggregation Region." Beyond that, for an opt-in region to appear as a linked region and forward findings, it needs to be active and have Security Hub enabled in that specific account.

Try this, if its possible:

1. Confirm me-south-1 is opted-in on the affected member account — via Console > Account Settings > Regions, or: aws account list-regions --region-opt-status-contains ENABLED
   --query "Regions[?RegionName=='me-south-1']"
2. Check if Security Hub is actually enabled in me-south-1 on that member account: aws securityhub describe-hub --region me-south-1 --profile <member-account>
3. If not, enable it manually: aws securityhub enable-security-hub --region me-south-1 --profile <member-account>
4. From the Delegated Admin, explicitly add the account as a member for me-south-1: aws securityhub create-members
   --account-details '[{"AccountId":"<member-account-id>","Email":"<email>"}]'
   --region me-south-1
   --profile <delegated-admin>
5. Confirm the finding aggregator in eu-west-1 includes me-south-1 as a linked region.