
AWS Security Hub

Prowler can send the findings from scanning your AWS account to AWS Security Hub. The findings are delivered to AWS Security Hub in the AWS account that was scanned.

This feature can be configured in the Integrations tab.

Enable AWS Security Hub

To enable the integration, perform the following steps in at least one AWS region of the given AWS account, so that AWS Security Hub and Prowler as a partner integration are both enabled.

Since AWS Security Hub is a region-based service, you need to enable it in each region you require. You can configure it using the AWS Management Console or the AWS CLI.

Note

Take into account that enabling this integration will incur costs in AWS Security Hub; please refer to its pricing here for more information.

Using the AWS Management Console

Enable AWS Security Hub

If you already have AWS Security Hub enabled, you can skip to the next section.

  1. Open the AWS Security Hub console at https://console.aws.amazon.com/securityhub/.

  2. When you open the Security Hub console for the first time make sure that you are in the region you want to enable, then choose Go to Security Hub.

  3. On the next page, the Security standards section lists the security standards that Security Hub supports. Select the check box for a standard to enable it, and clear the check box to disable it.

  4. Choose Enable Security Hub.

Enable Prowler Integration

If you have already configured AWS Security Hub for the Prowler Open Source scanner, you can skip to the next section.

Once AWS Security Hub is enabled you will need to enable Prowler as a partner integration so that Prowler can send findings to your AWS Security Hub.

  1. Open the AWS Security Hub console at https://console.aws.amazon.com/securityhub/.

  2. Select the Integrations tab in the right-side menu bar.

  3. Search for Prowler in the text search box and the Prowler integration will appear.

  4. Once there, click on Accept Findings to allow AWS Security Hub to receive findings from Prowler.

  5. A new modal will appear to confirm that you are enabling the Prowler integration.

  6. Right after clicking on Accept Findings, you will see that the integration is enabled in AWS Security Hub.

Using the AWS CLI

To enable AWS Security Hub you have to run the following command using the AWS CLI:

aws securityhub enable-security-hub --region <region>

Note

For this command to work you will need the securityhub:EnableSecurityHub permission, and you must set the AWS region where you want to enable AWS Security Hub.

Once AWS Security Hub is enabled you will need to enable Prowler as a partner integration so that Prowler can send findings to your AWS Security Hub. Run the following command using the AWS CLI:

aws securityhub enable-import-findings-for-product --region <region> --product-arn arn:aws:securityhub:<region>::product/prowler/prowler

Note

You will need to set the AWS region where you want to enable the integration both in the --region option and within the product ARN; the two must match. For this command to work you will need the securityhub:EnableImportFindingsForProduct permission.

Configure Integration

The last steps to finish the configuration of the AWS Security Hub integration are the following:

  1. In Prowler SaaS, go to the Integrations tab.

  2. Click on the AWS Security Hub row and select the AWS account for which you want to enable the integration. Then, click on Enable.

  3. If AWS Security Hub and the Prowler integration are configured in at least one AWS region, the modal will allow you to enable the integration. Click on Save to enable it.

Next time your AWS account is scanned you will see the findings in AWS Security Hub.

Note

You can check the next scheduled scan time just below the AWS Security Hub connection status, under the Connection column.

Send Failed Findings Only

When using the AWS Security Hub integration you can choose to send only the FAIL findings generated by Prowler. Since fewer findings are ingested, this can lower your AWS Security Hub usage costs.

You can enable it by selecting the Send Failed Findings Only checkbox when configuring or editing the integration.

Check Integration

The AWS Security Hub integration automatically detects new AWS regions and sends the generated findings there, provided you have enabled AWS Security Hub and Prowler as a partner integration in that new region.

From the Integrations tab, you can click on the Check button to verify which regions are correctly enabled for the integration.
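As an added example (not Prowler's own code), the following POSIX shell script wraps the two AWS CLI commands from the "Using the AWS CLI" section for several regions and, as a CLI-side counterpart to the Check button, reports in which regions the Prowler product subscription is actually in place. It assumes the AWS CLI is installed and that the credentials carry the permissions named in the notes above plus securityhub:ListEnabledProductsForImport; the script name is a placeholder.

```shell
#!/bin/sh
# Added example, not Prowler's own tooling. Assumes the AWS CLI is installed and
# the credentials carry securityhub:EnableSecurityHub,
# securityhub:EnableImportFindingsForProduct and securityhub:ListEnabledProductsForImport.

# Product ARN of the Prowler partner integration in one region (format from the page).
prowler_product_arn() {
  printf 'arn:aws:securityhub:%s::product/prowler/prowler\n' "$1"
}

# Read newline-separated product ARNs on stdin; succeed only if the Prowler ARN
# for the given region is among them (a subscription in another region does not count).
prowler_subscribed() {
  grep -qxF "$(prowler_product_arn "$1")"
}

# Enable Security Hub in a region (tolerating "already enabled"), then subscribe
# to the Prowler product so Security Hub accepts its findings.
enable_region() {
  region="$1"
  if ! out=$(aws securityhub enable-security-hub --region "$region" 2>&1); then
    case "$out" in
      *ResourceConflictException*) ;;   # Security Hub was already enabled here
      *) echo "$out" >&2; return 1 ;;   # missing permission or other real error
    esac
  fi
  aws securityhub enable-import-findings-for-product --region "$region" \
    --product-arn "$(prowler_product_arn "$region")"
}

# Report, per region, whether the Prowler product subscription is in place.
check_regions() {
  for region in "$@"; do
    if aws securityhub list-enabled-products-for-import --region "$region" \
         --query 'ProductSubscriptions[]' --output text 2>/dev/null \
       | tr '\t' '\n' | prowler_subscribed "$region"; then
      echo "$region: enabled"
    else
      echo "$region: missing (enable Security Hub and the Prowler integration)"
    fi
  done
}

# Usage: sh securityhub-prowler.sh enable eu-west-1 us-east-1
#        sh securityhub-prowler.sh check  eu-west-1 us-east-1
case "${1:-}" in
  enable) shift; for region in "$@"; do enable_region "$region"; done ;;
  check)  shift; check_regions "$@" ;;
esac
```

A region reported as missing is one where Security Hub will silently receive nothing from Prowler, so run the check after adding a new region and before expecting findings there.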

Delete Integration

To delete the AWS Security Hub integration, go to the Integrations tab, click on the AWS Security Hub row and then click on the Delete button.

A modal will appear to confirm the deletion of the integration. Just click on the Remove button to delete the integration.

See your Prowler findings in AWS Security Hub

Once the AWS Security Hub integration is configured, your next scan will deliver the Prowler findings to the configured AWS regions. To review those findings in AWS Security Hub:

  1. Open the AWS Security Hub console at https://console.aws.amazon.com/securityhub/.

  2. Select the Findings tab in the right-side menu bar.

  3. In the search box filters, set the Product Name filter to the value Prowler to see only the findings sent from Prowler.

  4. Then, click on a check Title to see the details and the history of that finding.

As you can see in the related requirements section of a finding's detailed view, Prowler also sends the compliance information related to every finding.