“Supercharge Your AWS Security with Prowler and Security Hub Integration”

Roshan Raman Giri
3 min read · Feb 4, 2024


Maintaining robust security in your AWS environment is crucial. Continuous assessment and vulnerability scanning are essential practices, but juggling multiple tools and managing findings can be overwhelming. Here’s where the powerful duo of Prowler and AWS Security Hub comes in.

In this blog post, we’ll explore how to integrate Prowler, a security tool designed for AWS environments, with AWS Security Hub to enhance your cloud security posture.

What is Prowler?

Prowler is an open-source security assessment tool specifically designed for AWS environments. It leverages CIS Benchmarks and other security best practices to scan your resources and identify potential vulnerabilities, misconfigurations, and compliance issues.

What is AWS Security Hub?

Security Hub acts as a central security information and event management (SIEM) platform for your AWS accounts. It aggregates findings from various security tools like Prowler, GuardDuty, and Inspector, providing a unified view of your security posture.

Why Integrate Prowler with Security Hub?

Here’s why integrating Prowler with Security Hub takes your security to the next level:

  • Centralized Findings: Consolidate Prowler findings with other security services in Security Hub, offering a holistic view of your security posture.
  • Enhanced Visibility: Easily filter, analyze, and prioritize Prowler findings within Security Hub’s intuitive interface.
  • Streamlined Remediation: Leverage Security Hub’s automation capabilities to trigger remediation workflows based on Prowler findings.
  • Compliance Reporting: Generate compliance reports for CIS Benchmarks and other standards directly from Security Hub, simplifying audits.

Integrate Prowler with Security Hub:

The first and foremost step is to accept findings from Prowler in Security Hub. To do that, open the Security Hub dashboard in the console, then click on Integrations.

After that, search for Prowler.

Only one integration option will appear. Click on Accept findings.

Again, click on Accept findings.

The status will turn green, saying “Accepting findings”.

Now create a workflow that runs the prowler command on a GitHub Actions runner. You can use the code below.

```yaml
name: Prowler for AWS Organization to Security Hub (Daily 7 AM)

on:
  schedule:
    - cron: '0 7 * * *' # Runs daily at 7 AM UTC

env:
  awsRegion: us-east-1
  githubToken: ${{ secrets.ADEX_GITHUB_TOKEN }}
  awsIamRoleSessionDuration: 7200

permissions:
  id-token: write # needed for the OIDC token exchange in the configure-aws-credentials step
  contents: read
  pull-requests: write

jobs:
  run-prowler:
    runs-on: ubuntu-latest
    steps:
      - name: Check out code
        uses: actions/checkout@v3

      - uses: actions/setup-python@v4
        with:
          python-version: 'pypy3.10'

      - name: configure aws credentials
        uses: aws-actions/configure-aws-credentials@v2
        with:
          role-to-assume: arn:aws:iam::${{ secrets.******* }}:role/Github-OIDC-role
          role-session-name: OIDCSession
          aws-region: ${{ env.awsRegion }}
          role-duration-seconds: ${{ env.awsIamRoleSessionDuration }}

      - name: Install Prowler
        run: |
          pip install prowler
          prowler -v

      - name: Run Prowler and send findings to Security Hub
        run: |
          prowler aws --security-hub
        continue-on-error: true # a failed check must not stop the findings upload from being reported

      - name: Message
        run: |
          echo "Prowler run completed"
```

In lines 7–10 (the env block), 12–15 (the permissions block) and 28–34 (the configure aws credentials step), I have configured AWS access the way our organization does it. Replace those sections according to your own choices and your organization’s workflow.

This workflow runs every day at exactly 7 AM UTC.
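Once the workflow has run, the next thing you will want is to confirm that the findings actually landed in Security Hub and to keep a count of the open failures. The script below is an added example, not code from the original post or from the Prowler project; it assumes that Prowler’s ASFF ProductArn ends in ::product/prowler/prowler, works offline against a constructed sample of findings, and includes a live boto3 variant that pulls the same subset from Security Hub.

```python
from collections import Counter

# Prowler stamps this ProductArn suffix on the ASFF findings it sends with --security-hub
PROWLER_PRODUCT_SUFFIX = "::product/prowler/prowler"


def _finding(product, label, status, workflow="NEW"):  # minimal ASFF record for the sample
    return {"ProductArn": f"arn:aws:securityhub:us-east-1::product/{product}",
            "Severity": {"Label": label}, "Compliance": {"Status": status},
            "Workflow": {"Status": workflow}}

# Constructed sample of a GetFindings response, trimmed to the fields used below
SAMPLE_FINDINGS = [
    _finding("prowler/prowler", "HIGH", "FAILED"),                  # open Prowler failure
    _finding("prowler/prowler", "CRITICAL", "PASSED"),              # passed check, not a work item
    _finding("prowler/prowler", "MEDIUM", "FAILED", "SUPPRESSED"),  # accepted risk, already triaged
    _finding("prowler/prowler", "CRITICAL", "FAILED"),              # open Prowler failure
    _finding("aws/guardduty", "HIGH", "NOT_AVAILABLE"),             # other product, out of scope
]


def summarize_failures(findings):
    """Count open (not RESOLVED/SUPPRESSED) Prowler FAILED findings, keyed by severity label."""
    counts = Counter()
    for f in findings:
        if not f.get("ProductArn", "").endswith(PROWLER_PRODUCT_SUFFIX):
            continue  # GuardDuty, Inspector etc. share the hub but are not Prowler's
        if f.get("Compliance", {}).get("Status") != "FAILED":
            continue  # Prowler also reports PASSED checks
        if f.get("Workflow", {}).get("Status") in ("RESOLVED", "SUPPRESSED"):
            continue
        counts[f.get("Severity", {}).get("Label", "INFORMATIONAL")] += 1
    return dict(counts)


def breaches_threshold(summary, max_critical=0, max_high=0):
    """True when open CRITICAL/HIGH counts exceed the tolerated maximum (use it to fail the job)."""
    return summary.get("CRITICAL", 0) > max_critical or summary.get("HIGH", 0) > max_high


def fetch_prowler_failures(region="us-east-1"):
    """Live variant: pull the same subset from Security Hub (needs boto3 and AWS credentials)."""
    import boto3  # imported lazily so the offline functions above run without it
    client = boto3.client("securityhub", region_name=region)
    eq = lambda v: [{"Value": v, "Comparison": "EQUALS"}]
    filters = {"ProductArn": eq(f"arn:aws:securityhub:{region}{PROWLER_PRODUCT_SUFFIX}"),
               "ComplianceStatus": eq("FAILED"), "RecordState": eq("ACTIVE")}
    findings = []
    for page in client.get_paginator("get_findings").paginate(Filters=filters):
        findings.extend(page["Findings"])
    return findings
```

Run `summarize_failures(fetch_prowler_failures())` as a final workflow step and exit non-zero when `breaches_threshold` is true, and the daily job itself tells you when new high-severity failures appear.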

Check out my other blogs about Prowler and AWS:

  1. https://medium.com/p/af6c57d13697/edit

