Enable Security Hub official integration

This commit is contained in:
Toni de la Fuente
2020-10-29 22:40:38 +01:00
parent d6760f15b7
commit ae1d7be7f2
4 changed files with 40 additions and 13 deletions

View File

@@ -336,7 +336,19 @@ export HEX_LIMIT=3.0
## Security Hub integration
Since version v2.3, Prowler supports natively sending findings to [AWS Security Hub](https://aws.amazon.com/security-hub). This integration allows Prowler to import its findings to AWS Security Hub. With Security Hub, you now have a single place that aggregates, organizes, and prioritizes your security alerts, or findings, from multiple AWS services, such as Amazon GuardDuty, Amazon Inspector, Amazon Macie, AWS Identity and Access Management (IAM) Access Analyzer, and AWS Firewall Manager, as well as from AWS Partner solutions and now from Prowler. It is as simple as running the command below (for all regions):
Since October 30th 2020 (version v2.3RC5), Prowler supports natively and as **official integration** sending findings to [AWS Security Hub](https://aws.amazon.com/security-hub). This integration allows Prowler to import its findings to AWS Security Hub. With Security Hub, you now have a single place that aggregates, organizes, and prioritizes your security alerts, or findings, from multiple AWS services, such as Amazon GuardDuty, Amazon Inspector, Amazon Macie, AWS Identity and Access Management (IAM) Access Analyzer, and AWS Firewall Manager, as well as from AWS Partner solutions and from Prowler for free.
Before sending findings to Prowler, you need to perform next steps:
1. Since Security Hub is a region based service, enable it in the region or regions you require. Use the AWS Management Console or using the AWS CLI with this command if you have enough permissions:
- `aws securityhub enable-security-hub --region <region>`.
2. Enable Prowler as partner integration integration. Use the AWS Management Console or using the AWS CLI with this command if you have enough permissions:
- `aws securityhub enable-import-findings-for-product --region <region> --product-arn arn:aws:securityhub:<region>::product/prowler/prowler` (change region also inside the ARN).
- Using the AWS Management Console:
![Screenshot 2020-10-29 at 10 26 02 PM](https://user-images.githubusercontent.com/3985464/97634660-5ade3400-1a36-11eb-9a92-4a45cc98c158.png)
3. As mentioned in section "Custom IAM Policy", to allow Prowler to import its findings to AWS Security Hub you need to add the policy below to the role or user running Prowler:
- [iam/prowler-security-hub.json](iam/prowler-security-hub.json)
Once it is enabled, it is as simple as running the command below (for all regions):
```sh
./prowler -M json-asff -S
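Review bot: the product ARN in step 2, `arn:aws:securityhub:<region>::product/prowler/prowler`, hard-codes the `aws` partition, while the same commit builds `ProductArn` in `generateJsonAsffOutput` from `$AWS_PARTITION` and this README goes on to document GovCloud and China regions; state that the partition must be `aws-us-gov` or `aws-cn` there, or show the ARN with a `<partition>` placeholder alongside `<region>`. Two wording slips in the same hunk: "Before sending findings to Prowler, you need to perform next steps" should read "Before sending findings to Security Hub, you need to perform the following steps", and "Enable Prowler as partner integration integration" duplicates a word. The date line "Since October 30th 2020 (version v2.3RC5)" also does not match the commit date of 2020-10-29 or the `PROWLER_VERSION=2.3.0RC5` string set elsewhere in this commit; pick one version spelling.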
@@ -345,15 +357,15 @@ or for only one filtered region like eu-west-1:
```sh
./prowler -M json-asff -q -S -f eu-west-1
```
> Note: It is recommended to send only fails to Security Hub and that is possible adding `-q` to the command.
> Note 1: It is recommended to send only fails to Security Hub and that is possible adding `-q` to the command.
There are two requirements:
> Note 2: Since Prowler perform checks to all regions by defaults you may need to filter by region when runing Security Hub integration, as shown in the example above. Remember to enable Security Hub in the region or regions you need by calling `aws securityhub enable-security-hub --region <region>` and run Prowler with the option `-f <region>` (if no region is used it will try to push findings in all regions hubs).
1. Since Security Hub is a region based service, it will send findings to each region and needs to have a hub enabled. Since Prowler perform checks to all regions by defaults you may need to filter by region when runing Security Hub integration. Remember to enable Security Hub in the region or regions you need by calling `aws securityhub enable-security-hub --region <region>` and run Prowler with the option `-f <region>` (if no region is used it will try to push findings in all regions hubs).
2. As mentioned in section "Custom IAM Policy", to allow Prowler to import its findings to AWS Security Hub you need to add the policy below to the role or user running Prowler:
- [iam/prowler-security-hub.json](iam/prowler-security-hub.json)
> Note 3: to have updated findings in Security Hub you have to run Prowler periodically. Once a day or every certain amount of hours.
>Note: to have updated findings in Security Hub you have to run Prowler periodically. Once a day or every certain amount of hours.
Once you run findings for first time you will be able to see Prowler findings in Findings section:
![Screenshot 2020-10-29 at 10 29 05 PM](https://user-images.githubusercontent.com/3985464/97634676-66c9f600-1a36-11eb-9341-70feb06f6331.png)
### Security Hub in GovCloud regions
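Review bot: Note 2's closing clause "(if no region is used it will try to push findings in all regions hubs)" no longer describes the behaviour this commit ships: `checkSecurityHubCompatibility` now loops over every region and exits with an error as soon as one region has no hub or no Prowler product subscription, so a run without `-f` aborts before pushing anything unless every region is set up. Reword it to say that, and fix the grammar in the same note ("Since Prowler performs checks in all regions by default you may need to filter by region when running the Security Hub integration"). Renumbering the notes to Note 1/2/3 is fine, but the old "There are two requirements" block that this hunk removes was the only place stating that a hub must exist in each target region as a precondition; Note 2 now carries that duty, so make it the first note rather than the second.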
@@ -362,6 +374,12 @@ To use Prowler and Security Hub integration in GovCloud there is an additional r
./prowler -r us-gov-west-1 -f us-gov-west-1 -S -M csv,json-asff -q
```
### Security Hub in China regions
To use Prowler and Security Hub integration in China regions there is an additional requirement, usage of `-r` is needed to point the API queries to the right API endpoint. Here is a sample command that sends only failed findings to Security Hub in region `cn-north-1`:
```
./prowler -r cn-north-1 -f cn-north-1 -q -S -M csv,json-asff
```
## Whitelist or remove FAIL from resources
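Review bot: the new China section explains `-r` for the API endpoint but not that the product ARN used in step 2 of the integration setup must carry the `aws-cn` partition (`arn:aws-cn:securityhub:cn-north-1::product/prowler/prowler`); the same applies to `aws-us-gov` in the GovCloud section above it. Without that, a reader copying the step-2 command verbatim into `cn-north-1` gets an ARN that does not exist in that partition. Also tag the new fence as ```sh like the other command examples in this file.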

View File

@@ -275,7 +275,7 @@ generateJsonAsffOutput(){
-n '{
"SchemaVersion": "2018-10-08",
"Id": "prowler-\($TITLE_ID)-\($ACCOUNT_NUM)-\($REPREGION)-\($UNIQUE_ID)",
"ProductArn": "arn:\($AWS_PARTITION):securityhub:\($REPREGION):\($ACCOUNT_NUM):product/\($ACCOUNT_NUM)/default",
"ProductArn": "arn:\($AWS_PARTITION):securityhub:\($REPREGION)::product/prowler/prowler",
"RecordState": "ACTIVE",
"ProductFields": {
"ProviderName": "Prowler",
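Review bot: switching `ProductArn` to `arn:\($AWS_PARTITION):securityhub:\($REPREGION)::product/prowler/prowler` while leaving `Id` unchanged means findings already imported under the old `product/\($ACCOUNT_NUM)/default` ARN are not updated by new runs; they stay `ACTIVE` under the old product and coexist with the new ones. Add a migration note in the README telling existing users to archive the old findings (or filter by `ProductArn`) after upgrading. Using `$AWS_PARTITION` here is correct; the CLI commands printed elsewhere in this commit should do the same.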

View File

@@ -23,11 +23,20 @@ checkSecurityHubCompatibility(){
exit $EXITCODE
fi
for regx in $REGIONS; do
SECURITY_HUB_ENABLED=$($AWSCLI securityhub --region "$regx" $PROFILE_OPT describe-hub)
SECURITY_HUB_ENABLED=$($AWSCLI securityhub --region "$regx" $PROFILE_OPT describe-hub 2>/dev/null)
if [[ -z "${SECURITY_HUB_ENABLED}" ]]; then
echo -e "\n$RED ERROR!$NORMAL Security Hub is not enabled in $regx. Enable it by calling '$AWSCLI securityhub --region $regx $PROFILE_OPT enable-security-hub'\n"
EXITCODE=1
exit $EXITCODE
if [[ -z "${PROWLER_PRODUCT_SUBSCRIPTION_ENABLED}" ]]; then
echo -e "\n$RED ERROR!$NORMAL Security Hub is not enabled in $regx. Enable it running '$AWSCLI securityhub --region $regx $PROFILE_OPT enable-security-hub'. More info: https://github.com/toniblyx/prowler/#security-hub-integration\n"
EXITCODE=1
exit $EXITCODE
fi
else
PROWLER_PRODUCT_SUBSCRIPTION_ENABLED=$($AWSCLI securityhub --region "$regx" $PROFILE_OPT list-enabled-products-for-import --output text | grep "prowler/prowler" )
if [[ -z "${PROWLER_PRODUCT_SUBSCRIPTION_ENABLED}" ]]; then
echo -e "\n$RED ERROR!$NORMAL Security Hub is enabled in $regx but Prowler integration does not accept findings. Enable it running '$AWSCLI securityhub --region $regx $PROFILE_OPT enable-import-findings-for-product --product-arn arn:aws:securityhub:$regx::product/prowler/prowler'. More info: https://github.com/toniblyx/prowler/#security-hub-integration\n"
EXITCODE=1
exit $EXITCODE
fi
fi
done
}
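Review bot: the inner `if [[ -z "${PROWLER_PRODUCT_SUBSCRIPTION_ENABLED}" ]]` inside the "hub not enabled" branch is wrong: on the first region it is trivially true, but once an earlier iteration of `for regx in $REGIONS` has set that variable to a non-empty value, a later region with no Security Hub at all passes through silently and Prowler goes on to push findings there. Drop the inner test so the branch reads `if [[ -z "${SECURITY_HUB_ENABLED}" ]]; then echo -e "... not enabled ..."; exit 1`, or reset the variable at the top of each iteration. Two smaller points in the same hunk: the remediation command in the else branch hard-codes `--product-arn arn:aws:securityhub:$regx::product/prowler/prowler`, which is the wrong partition for the GovCloud and China regions this commit documents (use `$AWS_PARTITION` as `generateJsonAsffOutput` does), and `describe-hub 2>/dev/null` now turns an `AccessDenied` or credential error into the misleading "Security Hub is not enabled" message; check the command's exit status, or keep stderr visible, so permission problems are reported as such.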

View File

@@ -32,7 +32,7 @@ OPTRED=""
OPTNORMAL=""
# Set the defaults variables
PROWLER_VERSION=2.3.0RC4
PROWLER_VERSION=2.3.0RC5
PROWLER_DIR=$(dirname "$0")
REGION=""
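Review bot: the bump to `PROWLER_VERSION=2.3.0RC5` does not match the "version v2.3RC5" string added to the README in this same commit; use the same spelling in both places so users can tell which release carries the official integration.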