Send findings to the SecurityHub (cross account)

[tomas-balaz]

Hi team,

is it possible to run the prowler container in AWS account_A, assume a role to scan account_B, and then send findings to the SecurityHub in the account_A (or another account, e.g., account_C)?

Thanks for the answers

[toniblyx]

Hi @tomas-balaz, when Prowler sends findings to Security Hub it does it from the account that is scanning.
If you scan account A with proper credentials like with prowler -S -f eu-west-1 will send to the Security Hub in that account and that region. If you assume a role in othre account (account B) it will send findings to that account and region like with prowler -S -R arn:aws:iam::123456789012:role/ProwlerScanRole -f eu-west-1 being 123456789012 account B.

If you want to have all centralized in Security Hub in the same account and region you need to set that up in Security Hub:

• Admin-member configuration https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-accounts.html
• Cross-Region aggregation https://docs.aws.amazon.com/securityhub/latest/userguide/finding-aggregation.html

For more Prowler info on that see https://docs.prowler.cloud/en/latest/tutorials/aws/securityhub/