I followed up on #711 with AWS support and was able to find and confirm the underlying issue at hand. It seems that the SecurityHub API basically always throws an AccessDeniedException if something is wrong, which is why I initially posted in #711.
The issue we get only on our central SecurityHub account of the organization is this suspicious and actually non-saying error message: An error occurred (AccessDeniedException) when calling the BatchImportFindings operation: User: <redacted> is not authorized to perform: securityhub:BatchImportFindings on resource: arn:aws:securityhub:ap-southeast-2::product/prowler/prowler
So I started logging debug info from this call https://github.com/toniblyx/prowler/blob/master/include/securityhub_integration#L77 and what was suspicious to me was that Prowler tried importing issues of other accounts. So I explicitly asked AWS support if a call to the batch-import-findings API with any other account ID but the one Prowler runs in is valid/accepted, and they confirmed that a finding JSON is only valid if the account ID is the current one. The error in case of a different and thus invalid account ID sadly is an AccessDeniedException.
Here is the answer from AWS support:
Thanks @joerg for your work on debugging this issue. So the issue is that Prowler is sending to account A in region X a finding from account B in region X. In order to get better insight, would you mind sending me a message on Twitter (open DMs) or an email? We can try to see it together and find a fix ASAP.
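The failure mode described in this thread (a batch containing a finding whose AwsAccountId is not the calling account, rejected as a blanket AccessDeniedException) can be caught before the API call. The following is an added example and not Prowler's own code; it assumes boto3 credentials for the account being scanned and uses constructed sample findings with placeholder account IDs:

```python
"""Pre-flight check for Security Hub BatchImportFindings (added example, not Prowler code).

Security Hub only accepts findings whose AwsAccountId equals the calling account,
and a single mismatched finding fails the whole call with AccessDeniedException.
Partition findings by account before sending so a stray account ID cannot
poison the batch, and split into chunks of the documented 100-finding limit.
"""

BATCH_LIMIT = 100  # BatchImportFindings accepts at most 100 findings per call

# Constructed sample findings: placeholder account IDs, minimal fields only.
SAMPLE_FINDINGS = [
    {"Id": "f-1", "AwsAccountId": "111111111111", "Title": "S3 bucket public"},
    {"Id": "f-2", "AwsAccountId": "222222222222", "Title": "Root MFA missing"},
    {"Id": "f-3", "AwsAccountId": "111111111111", "Title": "CloudTrail disabled"},
]


def partition_findings(findings, current_account):
    """Split findings into (accepted, rejected) by comparing AwsAccountId to the caller."""
    accepted, rejected = [], []
    for finding in findings:
        if finding.get("AwsAccountId") == current_account:
            accepted.append(finding)
        else:
            rejected.append(finding)  # would trigger AccessDeniedException if sent
    return accepted, rejected


def chunk(items, size=BATCH_LIMIT):
    """Return consecutive slices of at most `size` items."""
    items = list(items)
    return [items[i:i + size] for i in range(0, len(items), size)]


def import_findings(findings, region):
    """Send only same-account findings to Security Hub; returns the rejected ones.

    Requires AWS credentials; boto3 is imported here so the pure helpers
    above can be exercised without the SDK installed.
    """
    import boto3
    current_account = boto3.client("sts").get_caller_identity()["Account"]
    accepted, rejected = partition_findings(findings, current_account)
    hub = boto3.client("securityhub", region_name=region)
    for batch in chunk(accepted):
        resp = hub.batch_import_findings(Findings=batch)
        for failed in resp.get("FailedFindings", []):
            print(f"failed {failed['Id']}: {failed['ErrorMessage']}")
    for finding in rejected:
        print(f"skipped {finding['Id']}: AwsAccountId {finding.get('AwsAccountId')} != caller {current_account}")
    return rejected
```

Logging the rejected findings rather than sending them makes the real cause visible in Prowler's output instead of the misleading authorization error.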