From 504b27b47ace36f41ae88413e575bd316fbb89d0 Mon Sep 17 00:00:00 2001
From: Joaquin Rinaudo
Date: Thu, 16 Sep 2021 15:15:15 +0200
Subject: [PATCH] #711 fix Security Hub management account
* Filter by AWS account Id to avoid importing findings from other accounts.
---
 include/securityhub_integration | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/securityhub_integration b/include/securityhub_integration
index cf03cb0a..74a1c35d 100644
--- a/include/securityhub_integration
+++ b/include/securityhub_integration
@@ -47,7 +47,7 @@ resolveSecurityHubPreviousFails(){
 local check="$1"
 NEW_TIMESTAMP=$(get_iso8601_timestamp)
- FILTER="{\"GeneratorId\":[{\"Value\": \"prowler-$check\",\"Comparison\":\"EQUALS\"}],\"RecordState\":[{\"Value\": \"ACTIVE\",\"Comparison\":\"EQUALS\"}]}"
+ FILTER="{\"GeneratorId\":[{\"Value\": \"prowler-$check\",\"Comparison\":\"EQUALS\"}],\"RecordState\":[{\"Value\": \"ACTIVE\",\"Comparison\":\"EQUALS\"}],\"AwsAccountId\":[{\"Value\": \"$ACCOUNT_NUM\",\"Comparison\":\"EQUALS\"}]}"
 NEW_FINDING_IDS=$(echo -n "${SECURITYHUB_NEW_FINDINGS_IDS[@]}" | jq -cRs 'split(" ")')
 SECURITY_HUB_PREVIOUS_FINDINGS=$($AWSCLI securityhub --region "$regx" $PROFILE_OPT get-findings --filters "${FILTER}" | jq -c --argjson ids "$NEW_FINDING_IDS" --arg updated_at $NEW_TIMESTAMP '[ .Findings[] | select( .Id| first(select($ids[] == .)) // false | not) | .RecordState = "ARCHIVED" | .UpdatedAt = $updated_at ]')
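Review bot: The new `AwsAccountId` clause on the added `FILTER=` line interpolates `$ACCOUNT_NUM` into the JSON without checking that it holds a value, and the variable is assigned outside this hunk. If it is ever empty, the filter would presumably match no findings or be rejected by the API, so stale findings would stay ACTIVE with no visible error. A guard just before the assignment, for example `[[ "$ACCOUNT_NUM" =~ ^[0-9]{12}$ ]] || return 1`, would turn that into an explicit failure. Building the filter with `jq -cn --arg` rather than hand-escaped quotes would also stop `$check` or the account id from changing the JSON structure. The body of resolveSecurityHubPreviousFails continues past the end of the hunk, so how the archived list is then used is not visible here.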