Enabling AWS Security Hub for Prowler Integration
To enable the integration, follow these steps in at least one AWS region within your AWS account. Since AWS Security Hub is a region-based service, it must be activated in each region where security findings need to be collected.

Configuration Options

AWS Security Hub can be enabled using either of the following methods. Enabling this integration incurs costs in AWS Security Hub; refer to the AWS Security Hub pricing information for details.
Using the AWS Management Console
Enabling AWS Security Hub for Prowler Integration
If AWS Security Hub is already enabled, you can proceed to the next section. Otherwise, enable AWS Security Hub via the console:

- Open the AWS Security Hub console: https://console.aws.amazon.com/securityhub/.
- Ensure you are in the correct AWS region, then select “Go to Security Hub”.
- In the “Security Standards” section, review the supported security standards. Select the checkbox for each standard you want to enable, or clear it to disable a standard.
- Choose “Enable Security Hub”.
Enabling Prowler Integration in AWS Security Hub
If the Prowler integration is already enabled in AWS Security Hub, you can proceed to the next section and begin sending findings. Once AWS Security Hub is activated, Prowler must be enabled as a partner integration so that security findings can be sent to it:

- Open the AWS Security Hub console: https://console.aws.amazon.com/securityhub/.
- Select the “Integrations” tab from the right-side menu bar.
- Search for “Prowler” in the text search box; the Prowler integration will appear.
- Click “Accept Findings” to authorize AWS Security Hub to receive findings from Prowler.
- A new modal will appear to confirm that the integration with Prowler is being enabled.
- Click “Accept Findings” to authorize AWS Security Hub to receive findings from Prowler.
Using AWS CLI
To enable AWS Security Hub and integrate Prowler, execute the following AWS CLI commands.

Step 1: Enable AWS Security Hub

Run the following command to activate AWS Security Hub in the desired region:

This command requires the `securityhub:EnableSecurityHub` permission. Ensure you set the correct AWS region where you want to enable AWS Security Hub.

Step 2: Enable the Prowler integration

Specify the AWS region where you want to enable the integration. Ensure the region is correctly set within the ARN value. This command requires the `securityhub:EnableImportFindingsForProduct` permission.
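The two CLI steps above, combined into one re-runnable script (an added example, not part of the Prowler documentation or project). It assumes the AWS CLI is configured with the two permissions named above and that Prowler's partner product ARN has the form `arn:aws:securityhub:<region>::product/prowler/prowler`; pass the regions to enable as arguments.

```shell
#!/bin/sh
# Added example: enable Security Hub and the Prowler partner integration in each
# region given as an argument, tolerating regions where either is already on,
# then verify that a Prowler product subscription exists in that region.
# Requires the AWS CLI and the securityhub:EnableSecurityHub and
# securityhub:EnableImportFindingsForProduct permissions.
set -eu

# Prowler's partner product ARN; the region segment must match the Hub's region.
prowler_product_arn() {
    printf 'arn:aws:securityhub:%s::product/prowler/prowler' "$1"
}

# Run an AWS CLI call, treating "already exists" (ResourceConflictException)
# as success so the script can be re-run safely from automation.
run_idempotent() {
    what="$1"; shift
    if out=$("$@" 2>&1); then
        echo "$what: enabled"
    else
        case "$out" in
            *ResourceConflictException*) echo "$what: already enabled" ;;
            *) printf '%s: %s\n' "$what" "$out" >&2; return 1 ;;
        esac
    fi
}

# Step 1: enable Security Hub in the region.
enable_hub() {
    run_idempotent "Security Hub ($1)" aws securityhub enable-security-hub --region "$1"
}

# Step 2: accept findings from the Prowler product (the console's "Accept Findings").
enable_prowler_product() {
    run_idempotent "Prowler integration ($1)" aws securityhub enable-import-findings-for-product \
        --region "$1" --product-arn "$(prowler_product_arn "$1")"
}

# Verification: the enabled-products list should now contain a Prowler subscription.
verify_prowler_enabled() {
    aws securityhub list-enabled-products-for-import --region "$1" --output text \
        | grep -q 'product-subscription/prowler/prowler'
}

for region in "$@"; do
    enable_hub "$region"
    enable_prowler_product "$region"
    verify_prowler_enabled "$region" || { echo "Prowler not enabled in $region" >&2; exit 1; }
done
```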
Sending Findings to AWS Security Hub

Once AWS Security Hub is enabled, findings can be sent using the following commands:

For all regions:

It is recommended to send only failed findings to Security Hub; this is possible by adding `--status FAIL` to the command. Instead of the `--status FAIL` argument, you can use the `--send-sh-only-fails` argument to keep all findings in the Prowler outputs while sending only FAIL findings to AWS Security Hub.

Since Prowler performs checks in all regions by default, you may need to filter by region when running the Security Hub integration, as shown in the example above. Remember to enable Security Hub in the region or regions you need by calling `aws securityhub enable-security-hub --region <region>`, and run Prowler with the option `-f/--region <region>` (if no region is given, Prowler will try to push findings to the Hubs of all regions). Prowler sends each finding to the Security Hub of the region where the scanned resource is located.

To keep findings up to date in Security Hub, run Prowler periodically, for example once a day or every few hours.

Viewing Prowler Findings in AWS Security Hub
After enabling AWS Security Hub, findings from Prowler will be available in the configured AWS regions. To review Prowler findings in AWS Security Hub:

- Open the AWS Security Hub console: https://console.aws.amazon.com/securityhub/.
- Select the “Findings” tab from the right-side menu bar.
- Use the search box filters and apply the “Product Name” filter with the value Prowler to display findings sent by Prowler.
- Click a check's “Title” to access its detailed view, including its history and status.
Compliance Information
As outlined in the Requirements section, the detailed view includes compliance details for each finding reported by Prowler.

Sending Findings to Security Hub with IAM Role Assumption
Multi-Account AWS Auditing
When auditing a multi-account AWS environment, Prowler allows you to send findings to a Security Hub in another account by assuming an IAM role from that target account.

Using an IAM Role to Send Findings

To send findings to Security Hub, use the `-R` flag in the Prowler command:

The specified IAM role must have the necessary permissions to send findings to Security Hub. For details on the required permissions, refer to the IAM policy: prowler-additions-policy.json
Sending Only Failed Findings to AWS Security Hub
When using the AWS Security Hub integration, Prowler allows sending only failed findings (`FAIL`), helping reduce AWS Security Hub usage costs. To enable this, add the `--status FAIL` flag to the Prowler command:

Alternatively, instead of `--status FAIL`, use the `--send-sh-only-fails` argument to store all findings in the Prowler outputs while sending only FAIL findings to AWS Security Hub:
Skipping Updates for Findings in Security Hub
By default, Prowler archives any findings in Security Hub that were not detected in the latest scan. To prevent older findings from being archived, use the `--skip-sh-update` option:
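A periodic-run wrapper that ties together the "Sending Findings", IAM role assumption and only-FAIL sections above: it probes which regions have Security Hub enabled, then runs Prowler once with `-f` limited to those regions, `--send-sh-only-fails`, and `-R` when a target-account role is configured. This is an added example, not Prowler's own code; it assumes Prowler's `-S/--security-hub` flag turns on the integration (the flag name comes from Prowler's CLI, not this page), and `CANDIDATE_REGIONS`, `SECURITY_HUB_ROLE_ARN` and `PROWLER_SH_RUN` are hypothetical environment variables introduced here.

```shell
#!/bin/sh
# Added example: run Prowler only against regions where Security Hub is enabled,
# sending just FAIL findings, optionally through a cross-account role (-R).
# Intended to be scheduled (e.g. from cron) so Security Hub findings stay current.
set -eu

# Candidate regions to probe (hypothetical variable); describe-hub fails
# in a region where Security Hub has not been enabled.
CANDIDATE_REGIONS="${CANDIDATE_REGIONS:-us-east-1 us-west-2 eu-west-1}"

# Print the candidate regions that have Security Hub enabled, space-separated.
hub_enabled_regions() {
    for r in $1; do
        if aws securityhub describe-hub --region "$r" >/dev/null 2>&1; then
            printf '%s ' "$r"
        fi
    done
}

# Build the Prowler command line for a space-separated region list and an
# optional role ARN (empty string = no role assumption). Building it as a
# string keeps it reviewable in logs and testable without running Prowler.
# --skip-sh-update or --status FAIL could be appended the same way.
build_prowler_cmd() {
    regions="$1"
    role="${2:-}"
    cmd="prowler aws -S --send-sh-only-fails"
    [ -n "$role" ] && cmd="$cmd -R $role"
    # -f limits both the checks run and the regional Hubs that receive findings.
    cmd="$cmd -f $regions"
    printf '%s' "$cmd"
}

main() {
    regions=$(hub_enabled_regions "$CANDIDATE_REGIONS")
    regions=${regions% }   # drop the trailing space
    if [ -z "$regions" ]; then
        echo "Security Hub is not enabled in any candidate region" >&2
        exit 1
    fi
    # SECURITY_HUB_ROLE_ARN (hypothetical): role in the account hosting the Hub.
    cmd=$(build_prowler_cmd "$regions" "${SECURITY_HUB_ROLE_ARN:-}")
    echo "Running: $cmd"
    eval "$cmd"
}

# Only scan when explicitly requested, so sourcing the file defines functions only.
if [ "${PROWLER_SH_RUN:-0}" = 1 ]; then
    main
fi
```

Run it as `PROWLER_SH_RUN=1 CANDIDATE_REGIONS="eu-west-1 us-east-1" sh run-prowler-sh.sh` from the scheduler of your choice.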