diff --git a/README.md b/README.md
index 59d29e0..af14d86 100644
--- a/README.md
+++ b/README.md
@@ -28,6 +28,16 @@ aws_config = {
 }
 ```
+## AWS Security Hub
+
+This module enables the following standards by default:
+
+- `AWS Foundational Security Best Practices v1.0.0`
+- `CIS AWS Foundations Benchmark v1.4.0`
+- `PCI DSS v3.2.1`
+
+You are able to control the enabled standards via `var.aws_security_hub_standards_arns`.
+
 ## Monitoring IAM Activity
 This module offers the capability of monitoring IAM activity of both the Root user and AWS SSO roles. To enable this feature, you have to provide the ARN of the SNS Topic that should receive events in case any activity is detected.
diff --git a/data.tf b/data.tf
index 6602773..3fa575c 100644
--- a/data.tf
+++ b/data.tf
@@ -2,3 +2,5 @@ data "aws_cloudwatch_log_group" "cloudtrail" {
   count = var.monitor_iam_activity_sso ? 1 : 0
   name = "aws-controltower/CloudTrailLogs"
 }
+
+data "aws_region" "current" {}
diff --git a/locals.tf b/locals.tf
index 13c6a9d..9b4fb43 100644
--- a/locals.tf
+++ b/locals.tf
@@ -16,4 +16,12 @@ locals {
     SSO = "{ $.readOnly IS FALSE && $.userIdentity.sessionContext.sessionIssuer.userName = \"AWSReservedSSO_*\" && $.eventName != \"ConsoleLogin\" }"
   } : {}
   )
+
+  security_hub_standards_arns_default = [
+    "arn:aws:securityhub:${data.aws_region.current.name}::standards/aws-foundational-security-best-practices/v/1.0.0",
+    "arn:aws:securityhub:${data.aws_region.current.name}::standards/cis-aws-foundations-benchmark/v/1.4.0",
+    "arn:aws:securityhub:${data.aws_region.current.name}::standards/pci-dss/v/3.2.1"
+  ]
+
+  security_hub_standards_arns = var.aws_security_hub_standards_arns != null ? var.aws_security_hub_standards_arns : local.security_hub_standards_arns_default
 }
diff --git a/main.tf b/main.tf
index a1374cc..8452e3f 100644
--- a/main.tf
+++ b/main.tf
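Review bot: The three default ARNs in `security_hub_standards_arns_default` hard-code the `aws` partition, so in the `aws-us-gov` or `aws-cn` partitions the subscription ARNs come out wrong even though the region is resolved dynamically. Deriving the partition the same way as the region keeps the defaults correct everywhere: add `data "aws_partition" "current" {}` next to the new `aws_region` data source in data.tf and build each entry as `"arn:${data.aws_partition.current.partition}:securityhub:${data.aws_region.current.name}::standards/aws-foundational-security-best-practices/v/1.0.0"`. Separately, `security_hub_standards_arns` only falls back to the defaults when the variable is null, so an explicit empty list disables every standard; that is a reasonable opt-out, but the variable description in variables.tf should state it instead of only saying "If you do not provide a list".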
@@ -54,3 +54,9 @@ resource "aws_iam_account_password_policy" "default" {
   require_symbols = var.account_password_policy.require_symbols
   require_uppercase_characters = var.account_password_policy.require_uppercase_characters
 }
+
+resource "aws_securityhub_standards_subscription" "default" {
+  for_each = toset(local.security_hub_standards_arns)
+
+  standards_arn = each.value
+}
diff --git a/variables.tf b/variables.tf
index 5ed2d88..0b6cb8f 100644
--- a/variables.tf
+++ b/variables.tf
@@ -49,6 +49,12 @@ variable "aws_kms_key_arn" {
   description = "The ARN of the AWS Key Management Service (AWS KMS) customer master key (CMK) to use to encrypt the EBS volumes"
 }
+
+variable "aws_security_hub_standards_arns" {
+  type = list(string)
+  default = null
+  description = "A list of the ARNs of the standards you want to enable in AWS Security Hub. If you do not provide a list the default standards are enabled"
+}
+
 variable "monitor_iam_activity_sns_topic_arn" {
   type = string
   default = null
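Review bot: `aws_securityhub_standards_subscription.default` can only be applied once Security Hub is enabled in the account, and nothing in this commit creates an `aws_securityhub_account` resource or declares a `depends_on` for one, so the subscriptions will presumably fail at apply time in an account where it is not yet on. If enablement is expected to come from Control Tower or a sibling module, that precondition belongs on the resource, e.g. `# Requires Security Hub to already be enabled in this account (aws_securityhub_account is not managed by this module)`. Keying `for_each` on the full ARN is a good choice, since it lets a single standard be added or dropped from the list without disturbing the other subscriptions.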