prowler-cloud / prowler

Prowler is an Open Source Security tool for AWS, Azure, GCP and Kubernetes to do security assessments, audits, incident response, compliance, continuous monitoring, hardening and forensics readiness. Includes CIS, NIST 800, NIST CSF, CISA, FedRAMP, PCI-DSS, GDPR, HIPAA, FFIEC, SOC2, GXP, Well-Architected Security, ENS and more
https://prowler.com
Apache License 2.0

SecurityHub import fails with AccessDenied if finding is in another region #618

Closed DenSpirit closed 4 years ago

DenSpirit commented 4 years ago

Even with a policy allowing BatchImportFindings, the API call can fail if we are trying to import a finding from one region into Security Hub in another region, e.g. missing VPC flow logs in ap-south-1 being imported into Security Hub in us-east-1. Region-locking Prowler (the -r switch) does not seem to help, because some checks are global. This can be important if AccessDenied events are monitored by CloudWatch alerts; because of that we can't run Prowler frequently without disturbing the team.

toniblyx commented 4 years ago

Thanks for your feedback @DenSpirit. Have you tested running Prowler from the same region as your Security Hub (on an EC2 instance in that region)? You can also filter by region with -f to check just that region and avoid any other region you don't need to check.

For the AccessDenied you can use -f along with your own group of checks and/or whitelisting (-w); see the README for more information. If you don't have permissions to check a particular service, resource or region, you can skip it.

DenSpirit commented 4 years ago

@toniblyx Thank you very much for the response. It appears I was using the wrong switch to region-lock Prowler (-r instead of -f). I am running Prowler in us-east-1, the same region where I have Security Hub enabled. I'll restart it now and get back to you with results.

UPD 04.06.2020 17:40: by AccessDenied I mean that Prowler is being denied access not on the checks themselves, but on sending them to Security Hub:

An error occurred (AccessDeniedException) when calling the BatchImportFindings operation: User: arn:aws:sts::xxx:assumed-role/xxx/xxx is not authorized to perform: securityhub:BatchImportFindings

even when BatchImportFindings is explicitly allowed in the policy. When I contacted AWS Support about that, they told me that the resource region in the finding body (Findings[].Resources[].Region) must be equal to the Security Hub region the finding is being imported into; otherwise this error is raised.

toniblyx commented 4 years ago

@marcjay what do you think about this issue?

marcjay commented 4 years ago

Interesting! I wasn't aware that Security Hub had this restriction. It makes sense, though it means you can't consolidate all your findings into one 'Security Hub' environment if you're multi-regional.

I've raised #621 which should resolve this, forcing the finding to be imported into its associated region. @DenSpirit, could I ask you to try the sechub-import-to-finding-region-618 branch to see if it resolves your issue?
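The constraint reported by AWS Support above (Findings[].Resources[].Region must equal the region of the Security Hub receiving the BatchImportFindings call) and the fix described in the last comment (import each finding into its own region) can be illustrated with the routing logic below. This is an added example, not Prowler's code or the #621 branch: it groups ASFF findings by resource region, sends each group through a Security Hub client bound to that region, and offers a pre-flight check that lists which findings would be rejected by a hub in a given region. The sample findings, account id, check names and the `client_for_region` factory are constructed for illustration; the only real API call assumed is boto3's `securityhub.batch_import_findings(Findings=[...])`.

```python
"""Route ASFF findings to the Security Hub region they belong to.

Added example, not Prowler's code. It assumes the behaviour reported in this
thread: securityhub:BatchImportFindings in region X rejects findings whose
Resources[].Region is not X with AccessDeniedException even when IAM allows
the action, so every finding must be imported through a client bound to its
own region.
"""
from collections import defaultdict
from typing import Any, Callable, Dict, List, Tuple

BATCH_SIZE = 100  # BatchImportFindings accepts at most 100 findings per call
ACCOUNT = "123456789012"  # constructed sample account id


def _finding(fid: str, region: str, res_type: str, res_id: str, title: str) -> dict:
    """Build a minimal ASFF finding (constructed sample, not Prowler output)."""
    return {
        "SchemaVersion": "2018-10-08",
        "Id": fid,
        # The default product ARN is itself region-scoped; keep it consistent
        # with the resource region so the hub that owns the region accepts it.
        "ProductArn": f"arn:aws:securityhub:{region}:{ACCOUNT}:product/{ACCOUNT}/default",
        "GeneratorId": "example-check",  # hypothetical check name
        "AwsAccountId": ACCOUNT,
        "Types": ["Software and Configuration Checks/Industry and Regulatory Standards"],
        "CreatedAt": "2020-06-04T17:40:00Z",
        "UpdatedAt": "2020-06-04T17:40:00Z",
        "Severity": {"Label": "MEDIUM"},
        "Title": title,
        "Description": title,
        "Resources": [{"Type": res_type, "Id": res_id, "Partition": "aws", "Region": region}],
        "Compliance": {"Status": "FAILED"},
    }


# Constructed sample: a regional VPC finding from ap-south-1 and a global IAM
# finding that a scanner running in us-east-1 reports against us-east-1.
SAMPLE_FINDINGS: List[dict] = [
    _finding("vpc-flow-logs-ap-south-1", "ap-south-1", "AwsEc2Vpc",
             f"arn:aws:ec2:ap-south-1:{ACCOUNT}:vpc/vpc-0123456789abcdef0",
             "VPC flow logs are not enabled"),
    _finding("iam-root-mfa", "us-east-1", "AwsIamUser",
             f"arn:aws:iam::{ACCOUNT}:root", "Root account has no MFA"),
]


def finding_region(finding: dict) -> str:
    """Return the single region that all Resources[] of a finding live in."""
    regions = {r.get("Region") for r in finding.get("Resources", [])}
    if len(regions) != 1 or None in regions:
        raise ValueError(f"finding {finding.get('Id')} has ambiguous Resources[].Region: {regions}")
    return regions.pop()


def region_mismatches(findings: List[dict], hub_region: str) -> List[Tuple[str, str]]:
    """Pre-flight check: (Id, region) of findings a hub in hub_region would reject."""
    return [(f["Id"], finding_region(f)) for f in findings if finding_region(f) != hub_region]


def group_by_region(findings: List[dict]) -> Dict[str, List[dict]]:
    """Bucket findings by the region of their resources."""
    grouped: Dict[str, List[dict]] = defaultdict(list)
    for f in findings:
        grouped[finding_region(f)].append(f)
    return dict(grouped)


def import_findings(findings: List[dict], client_for_region: Callable[[str], Any]) -> Dict[str, dict]:
    """Send each region's findings through a client bound to that region.

    client_for_region(region) must return an object with a boto3-style
    batch_import_findings(Findings=[...]) method; injecting the factory keeps
    the routing logic testable without AWS credentials.
    """
    summary: Dict[str, dict] = {}
    for region, items in group_by_region(findings).items():
        client = client_for_region(region)
        totals: Dict[str, Any] = {"SuccessCount": 0, "FailedCount": 0, "FailedFindings": []}
        for i in range(0, len(items), BATCH_SIZE):  # respect the per-call limit
            resp = client.batch_import_findings(Findings=items[i:i + BATCH_SIZE])
            totals["SuccessCount"] += resp.get("SuccessCount", 0)
            totals["FailedCount"] += resp.get("FailedCount", 0)
            totals["FailedFindings"].extend(resp.get("FailedFindings", []))
        summary[region] = totals
    return summary


def boto3_client_for_region(region: str):
    """Real client factory; imported lazily so the module loads without boto3."""
    import boto3  # assumes boto3 is installed and AWS credentials are configured
    return boto3.client("securityhub", region_name=region)


if __name__ == "__main__":
    hub = "us-east-1"
    for fid, reg in region_mismatches(SAMPLE_FINDINGS, hub):
        print(f"{fid}: Resources[].Region={reg}, would be denied by Security Hub in {hub}")
    print(import_findings(SAMPLE_FINDINGS, boto3_client_for_region))
```

Run as a script with credentials configured and it imports the two sample findings through two regional clients; the pre-flight report shows the ap-south-1 finding is exactly the one a single us-east-1 hub would have rejected. Note that this routing only works if Security Hub is enabled in every region that appears in the findings; a region with no hub enabled will still fail the call.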