prowler-cloud / prowler

Prowler is an Open Source Security tool for AWS, Azure, GCP and Kubernetes to do security assessments, audits, incident response, compliance, continuous monitoring, hardening and forensics readiness. Includes CIS, NIST 800, NIST CSF, CISA, FedRAMP, PCI-DSS, GDPR, HIPAA, FFIEC, SOC2, GXP, Well-Architected Security, ENS and more
https://prowler.com
Apache License 2.0

Specify a central security-hub aws account when sending findings #4372

Closed jmello-pagseguro closed 1 week ago

jmello-pagseguro commented 1 week ago

New feature motivation

Hello everyone, I'm running prowler to get findings in multiple AWS Accounts using assume-role, but now I'm trying to send those findings to Security-Hub and I need to send all of them to a specific account. I already use the parameter --role to specify each account I'm running the checks in, but it would be interesting if we had a way to send all findings of all accounts to a centralized and specific "master" account only.

Solution Proposed

Implement a way to send all findings of all aws accounts to only one security-hub on a specific account.

Describe alternatives you've considered

Perform all checks in multiple aws accounts but send findings to one specific security-hub.

Additional context

No response

jfagoagas commented 1 week ago

Hello @jmello-pagseguro, thanks for creating the issue here.

To continue the conversation we had in Slack, as far as I can tell the above feature is not supported by AWS Security Hub, right? At least it wasn't, so you have to send each finding to its corresponding AWS Security Hub region and then aggregate all the account's region findings in one region to view them all at once.

Regarding accounts, you can delegate administrators in Security Hub to manage your organisation, but I'm not sure if all the findings can be sent to a single account since they are theoretically restricted by their ARN.

The AWS CLI documentation about the call batch-import-findings states the following:

Maybe your use case can fit into the second but I'm not sure how it works internally in AWS.
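Since the answer in this thread is that each finding has to go to the Security Hub of its own account and region, the following is an added example (not Prowler's code) that routes ASFF findings that way instead of to a central account. It assumes that Security Hub refuses a finding whose account or region disagrees with its ARN, that a role named ProwlerSecurityHubRole (hypothetical) exists in every member account, and that boto3 is installed for the sending part.

```python
import re
from collections import defaultdict

# Region and account encoded in a Security Hub product ARN, e.g.
# arn:aws:securityhub:eu-west-1:111111111111:product/prowler/prowler
_PRODUCT_ARN_RE = re.compile(r"^arn:aws(?:-[a-z]+)?:securityhub:([a-z0-9-]+):(\d{12}):product/")

def route_findings(findings):
    """Group ASFF findings by the (account, region) named in their ProductArn.
    Assumption (the thread's point): Security Hub only accepts a finding in the
    account/region of its ARN, so a finding whose AwsAccountId disagrees with
    the ARN account cannot be imported anywhere and is reported as rejected."""
    batches, rejected = defaultdict(list), []
    for finding in findings:
        match = _PRODUCT_ARN_RE.match(finding.get("ProductArn", ""))
        if match is None or match.group(2) != finding.get("AwsAccountId"):
            rejected.append(finding)
            continue
        batches[(match.group(2), match.group(1))].append(finding)  # (account, region)
    return dict(batches), rejected

def send_batches(batches, role_name="ProwlerSecurityHubRole"):
    """Assume a role in each account (hypothetical role name) and import that
    account's findings into Security Hub in the matching region, at most 100
    per BatchImportFindings call. Returns the FailedCount per (account, region)."""
    import boto3  # imported lazily so route_findings stays usable offline
    sts, failed = boto3.client("sts"), {}
    for (account, region), items in batches.items():
        creds = sts.assume_role(RoleArn=f"arn:aws:iam::{account}:role/{role_name}",
                                RoleSessionName="prowler-securityhub")["Credentials"]
        hub = boto3.client("securityhub", region_name=region,
                           aws_access_key_id=creds["AccessKeyId"],
                           aws_secret_access_key=creds["SecretAccessKey"],
                           aws_session_token=creds["SessionToken"])
        failed[(account, region)] = sum(
            hub.batch_import_findings(Findings=items[i:i + 100])["FailedCount"]
            for i in range(0, len(items), 100))
    return failed

def _finding(account, region, arn_account=None):
    """Minimal constructed ASFF finding (only the fields the router looks at)."""
    arn_account = arn_account or account
    return {"Id": f"prowler-{account}-{region}", "AwsAccountId": account,
            "ProductArn": f"arn:aws:securityhub:{region}:{arn_account}:product/prowler/prowler"}

# Constructed sample: two member accounts across two regions, plus one finding
# relabelled with a "master" account id 999999999999 but another account's ARN.
SAMPLE_FINDINGS = [_finding("111111111111", "eu-west-1"), _finding("111111111111", "us-east-1"),
                   _finding("222222222222", "eu-west-1"),
                   _finding("999999999999", "eu-west-1", arn_account="222222222222")]
```

Running `route_findings(SAMPLE_FINDINGS)` yields three per-account/region batches and one rejected finding, which is exactly the relabelled one; the rejection is what a "send everything to the master account" option would run into.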

jfagoagas commented 1 week ago

We are closing this issue since the behaviour described above is not supported by AWS Security Hub, as discussed with the issue owner in the Prowler Community Slack at https://prowler-workspace.slack.com/archives/C0451NDLC4X/p1720027104962509.