---
title: Implement Prowler + Security Hub on AWS (Production Checklist)
description: Production checklist for Prowler and AWS Security Hub — multi-account setup, scheduled scans, finding workflows, and remediation patterns on AWS.
url: https://www.factualminds.com/blog/prowler-security-hub-aws/
datePublished: 2026-06-21T00:00:00.000Z
dateModified: 2026-06-21T00:00:00.000Z
author: palaniappan-p
category: Security & Compliance
tags: how-to-guide, prowler, security-hub, aws, compliance
---

# Implement Prowler + Security Hub on AWS (Production Checklist)

> Production checklist for Prowler and AWS Security Hub — multi-account setup, scheduled scans, finding workflows, and remediation patterns on AWS.

Prowler plus AWS Security Hub gives you continuous posture visibility across accounts. As of **June 2026**, Security Hub Essentials bills per protected resource with unlimited checks and findings — validate your region coverage and delegated admin configuration before scheduling production scans.

Engagement shape we commonly see: a **regulated SaaS**, 6–12 AWS accounts, Security Hub enabled but Prowler running ad hoc, 150+ open findings with no owner tags. The gap is production wiring — scheduled scans, ASFF ingestion, and Config conformance packs — not another detection tool.

This checklist covers the production wiring — not a one-off scan — so findings flow to owners and auditors see deployed controls, not exported spreadsheets.

## Architecture Overview

```
┌─────────────┐     ┌──────────────┐     ┌─────────────────┐
│  Prowler    │────▶│ Security Hub │────▶│ EventBridge/SNS │
│ (scheduled) │     │  (org admin) │     │  → ticketing    │
└─────────────┘     └──────┬───────┘     └─────────────────┘
                           │
                           ▼
                    ┌──────────────┐
                    │ AWS Config   │
                    │ conformance  │
                    └──────────────┘
```

## Prerequisites

- AWS Organizations with all accounts enrolled
- Security Hub delegated administrator account designated
- CIS AWS Foundations Benchmark v3.x and AWS Foundational Security Best Practices enabled
- IAM roles: Prowler scan role per account (read-only + Security Hub write)
- Terraform or CDK for repeatable deployment

## Implementation Steps

### 1. Enable Security Hub Organization-Wide

- Designate admin account in Organizations
- Auto-enable standards for new accounts
- Enable cross-region aggregation if multi-region

### 2. Deploy Prowler Scan Infrastructure

**Options:**

| Pattern                    | When                                               |
| -------------------------- | -------------------------------------------------- |
| ECS Fargate scheduled task | Weekly full scan, large accounts                   |
| Lambda + container image   | Daily lightweight scan                             |
| GitHub Actions OIDC        | Scan from CI against sandbox/prod read-only role   |
| Prowler Cloud (SaaS)       | Managed scheduling if self-host ops burden is high |

Store results in S3 (`-B <bucket>` uploads the output files there); get findings into Security Hub either by producing ASFF output with `prowler aws -M json-asff -B <bucket>` and importing the records yourself, or with Prowler's built-in `--security-hub` integration, which calls `BatchImportFindings` directly from the scan.
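Before trusting the "ASFF record count" on the checklist, it helps to validate the file Prowler produced. The Python below is an added example, not Prowler's or AWS's code: it checks each record for the fields the ASFF schema requires, flags bad severity labels, reports duplicate `Id`s (Security Hub upserts by `Id`, so two records with the same `Id` become one console entry), and splits the survivors into the 100-finding chunks `BatchImportFindings` accepts. The findings are constructed samples; the `ProductArn` value is an assumption, not copied from a real scan.

```python
"""Verify a Prowler json-asff file before it is imported into Security Hub.

Added example, not Prowler's or AWS's code. Assumes Prowler's json-asff output is a
JSON array of ASFF finding objects. The findings below are constructed samples and the
ProductArn is an assumed value, not taken from a real scan.
"""
import json
from collections import Counter

# Attributes the ASFF schema marks as required; BatchImportFindings rejects a
# record that is missing any of them.
REQUIRED_FIELDS = (
    "SchemaVersion", "Id", "ProductArn", "GeneratorId", "AwsAccountId", "Types",
    "CreatedAt", "UpdatedAt", "Severity", "Title", "Description", "Resources",
)
SEVERITY_LABELS = {"INFORMATIONAL", "LOW", "MEDIUM", "HIGH", "CRITICAL"}
BATCH_LIMIT = 100  # BatchImportFindings accepts at most 100 findings per call


def validate_asff(findings):
    """Return (accepted, rejected); rejected maps a record's index to its errors."""
    accepted, rejected = [], {}
    for i, f in enumerate(findings):
        errors = [k for k in REQUIRED_FIELDS if k not in f]
        sev = f.get("Severity")
        label = sev.get("Label") if isinstance(sev, dict) else None
        if label not in SEVERITY_LABELS:
            errors.append("Severity.Label")
        if "Resources" in f and not f["Resources"]:
            errors.append("Resources(empty)")
        if errors:
            rejected[i] = errors
        else:
            accepted.append(f)
    return accepted, rejected


def summarize(findings):
    """Counts an auditor can compare against the Security Hub console."""
    ids = Counter(f["Id"] for f in findings)
    return {
        "records": len(findings),
        "unique_ids": len(ids),
        "duplicate_ids": sorted(i for i, n in ids.items() if n > 1),
        "by_account": dict(Counter(f["AwsAccountId"] for f in findings)),
        "by_severity": dict(Counter(f["Severity"]["Label"] for f in findings)),
        "failed": sum(1 for f in findings if f.get("Compliance", {}).get("Status") == "FAILED"),
    }


def batches(findings, size=BATCH_LIMIT):
    """Collapse duplicate Ids (the later record wins, as it does on import) and
    split the rest into BatchImportFindings-sized chunks."""
    latest = {}
    for f in findings:
        latest[f["Id"]] = f
    unique = list(latest.values())
    return [unique[i:i + size] for i in range(0, len(unique), size)]


def check_file(text):
    """Parse a json-asff file and return (summary, rejected, batches)."""
    accepted, rejected = validate_asff(json.loads(text))
    return summarize(accepted), rejected, batches(accepted)


def _finding(fid, account, label, **extra):
    """Build a constructed ASFF record with every required field present."""
    record = {
        "SchemaVersion": "2018-10-08",
        "Id": fid,
        "ProductArn": "arn:aws:securityhub:us-east-1::product/prowler/prowler",  # assumed
        "GeneratorId": "prowler-" + fid.split("-")[1],
        "AwsAccountId": account,
        "Types": ["Software and Configuration Checks"],
        "CreatedAt": "2026-06-21T03:00:00Z",
        "UpdatedAt": "2026-06-21T03:00:00Z",
        "Severity": {"Label": label},
        "Title": f"Prowler check {fid}",
        "Description": "Constructed sample finding.",
        "Resources": [{"Type": "AwsAccount", "Id": f"arn:aws:iam::{account}:root"}],
        "Compliance": {"Status": "FAILED"},
    }
    record.update(extra)
    return record


_bad = _finding("prowler-bad-333333333333-us-east-1", "333333333333", "SEVERE")
del _bad["Description"]

# Constructed input: one finding re-emitted with the same Id, one malformed record.
SAMPLE_ASFF = json.dumps([
    _finding("prowler-iam_root_mfa_enabled-111111111111-us-east-1", "111111111111", "CRITICAL"),
    _finding("prowler-iam_root_mfa_enabled-111111111111-us-east-1", "111111111111", "CRITICAL",
             UpdatedAt="2026-06-21T09:00:00Z"),
    _finding("prowler-s3_bucket_public_access-222222222222-us-east-1", "222222222222", "HIGH"),
    _bad,
])

if __name__ == "__main__":
    summary, rejected, chunks = check_file(SAMPLE_ASFF)
    print(json.dumps({"summary": summary, "rejected": rejected, "batches": len(chunks)}, indent=2))
```

Run it against the real file with `check_file(open("prowler-output.asff.json").read())`; the `unique_ids` figure is the number you should see in Security Hub for that scan, not `records`.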

### 3. Integrate Native AWS Sources

Enable in Security Hub admin:

- GuardDuty
- Inspector v2
- IAM Access Analyzer
- Macie (if data classification required)
- Firewall Manager (if WAF/Network Firewall org policies)

Deduplicate overlapping controls before SLA assignment.

### 4. Finding Workflow

- **CRITICAL/HIGH** → PagerDuty or on-call within 4h
- **MEDIUM** → sprint backlog, 30-day SLA
- **LOW** → quarterly hygiene batch
- Use Security Hub custom insights for: unassigned findings, aged > 30 days, by account owner
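The routing table and the two custom insights above, as an added example (not AWS's or Prowler's code): the EventBridge pattern follows the documented `Security Hub Findings - Imported` event shape, and the small matcher re-implements only the part of EventBridge matching that this pattern needs (value lists and nested objects, one finding per event), so the rule can be tested offline before it is deployed. The SLA hours come from the bullets above; the `Owner` key under `UserDefinedFields` is an assumed tagging convention, and all findings are constructed.

```python
"""Route Security Hub findings by severity and compute the aged/unassigned insights.

Added example, not AWS's or Prowler's code. PAGE_RULE_PATTERN is the EventBridge
pattern shape for "Security Hub Findings - Imported" events; matches() covers only
the subset of EventBridge matching this pattern uses. Findings are constructed and
the UserDefinedFields.Owner convention is an assumption.
"""
from datetime import datetime, timedelta, timezone

# EventBridge rule that pages on-call: new, active CRITICAL/HIGH findings.
PAGE_RULE_PATTERN = {
    "source": ["aws.securityhub"],
    "detail-type": ["Security Hub Findings - Imported"],
    "detail": {
        "findings": {
            "Severity": {"Label": ["CRITICAL", "HIGH"]},
            "Workflow": {"Status": ["NEW"]},
            "RecordState": ["ACTIVE"],
        }
    },
}

# SLA from the workflow table: 4h for CRITICAL/HIGH, 30 days MEDIUM, quarterly LOW.
SLA_HOURS = {"CRITICAL": 4, "HIGH": 4, "MEDIUM": 30 * 24, "LOW": 90 * 24}


def matches(pattern, event):
    """EventBridge-style match: every pattern key must exist in the event; a list in
    the pattern is the set of accepted values; a dict recurses; an event array
    matches when one of its elements matches the sub-pattern."""
    for key, sub in pattern.items():
        if key not in event:
            return False
        value = event[key]
        if isinstance(sub, list):
            candidates = value if isinstance(value, list) else [value]
            if not any(v in sub for v in candidates):
                return False
        elif isinstance(value, list):
            if not any(isinstance(v, dict) and matches(sub, v) for v in value):
                return False
        elif isinstance(value, dict):
            if not matches(sub, value):
                return False
        else:
            return False
    return True


def route(finding, now):
    """Destination and due date for a finding, per the severity table."""
    label = finding["Severity"]["Label"]
    if label in ("CRITICAL", "HIGH"):
        destination = "pagerduty"
    elif label == "MEDIUM":
        destination = "sprint-backlog"
    else:
        destination = "quarterly-hygiene"
    return destination, now + timedelta(hours=SLA_HOURS.get(label, 90 * 24))


def triage_report(findings, now, max_age_days=30):
    """The two custom insights computed offline: findings with no Owner, and
    findings still NEW/NOTIFIED after max_age_days."""
    unassigned, aged = [], []
    for f in findings:
        created = datetime.fromisoformat(f["CreatedAt"].replace("Z", "+00:00"))
        if not f.get("UserDefinedFields", {}).get("Owner"):
            unassigned.append(f["Id"])
        open_states = ("NEW", "NOTIFIED")
        if f.get("Workflow", {}).get("Status") in open_states and now - created > timedelta(days=max_age_days):
            aged.append(f["Id"])
    return {"unassigned": unassigned, "aged": aged}


def _finding(fid, label, status, created, owner=None):
    """Constructed, minimal ASFF-shaped finding."""
    f = {"Id": fid, "Severity": {"Label": label}, "Workflow": {"Status": status},
         "RecordState": "ACTIVE", "CreatedAt": created}
    if owner:
        f["UserDefinedFields"] = {"Owner": owner}
    return f


def event_for(finding):
    """Wrap a finding in the Imported event envelope Security Hub emits."""
    return {"source": "aws.securityhub", "detail-type": "Security Hub Findings - Imported",
            "detail": {"findings": [finding]}}


NOW = datetime(2026, 6, 21, 12, 0, tzinfo=timezone.utc)
SAMPLE_FINDINGS = [
    _finding("f-root-mfa", "CRITICAL", "NEW", "2026-06-21T03:00:00Z", owner="platform"),
    _finding("f-s3-public", "HIGH", "NOTIFIED", "2026-05-01T03:00:00Z"),
    _finding("f-cloudtrail", "MEDIUM", "RESOLVED", "2026-04-01T03:00:00Z", owner="sec"),
]

if __name__ == "__main__":
    for f in SAMPLE_FINDINGS:
        print(f["Id"], matches(PAGE_RULE_PATTERN, event_for(f)), route(f, NOW))
    print(triage_report(SAMPLE_FINDINGS, NOW))
```

Only the first finding pages (CRITICAL and NEW); the HIGH finding is already NOTIFIED, so it reaches the aged and unassigned insights instead of on-call, which is the behaviour the automation should have so re-imports of known findings do not page twice.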

### 5. Config Conformance Packs

Deploy packs aligned to your framework:

- `Operational-Best-Practices-for-CIS-AWS-Foundations-Benchmark`
- PCI DSS or HIPAA packs if applicable
- Custom Config rules for org-specific policies

Link Config remediation to Systems Manager Automation where auto-fix is safe.

### 6. Evidence for Audits

- Security Hub export to S3 (daily)
- Config compliance timeline
- Change tickets linked to remediation PRs
- AWS Audit Manager assessment (optional, for SOC 2)

## What to Do This Week

- [ ] Security Hub enabled org-wide with delegated admin
- [ ] CIS + FSBP standards active in all regions in scope
- [ ] Prowler scheduled; last run < 7 days
- [ ] Findings ingested to Security Hub (verify ASFF record count)
- [ ] GuardDuty + Inspector integrated
- [ ] Custom insights for aged and unassigned findings
- [ ] EventBridge → SNS/Slack/PagerDuty on new CRITICAL
- [ ] Config conformance packs deployed
- [ ] IaC modules for top 10 recurring failures
- [ ] Quarterly drill: sample finding → fix → re-scan → close

## Common Stall Points (and Fixes)

| Stall                         | Fix                                             |
| ----------------------------- | ----------------------------------------------- |
| Findings without owner        | Account tags + Security Hub workflow automation |
| Same finding reopens weekly   | Fix root cause in IaC, not console-only         |
| Scan role too permissive      | Dedicated read-only role; no admin for scanner  |
| Multi-region gaps             | Enable standards in every in-use region         |
| Audit asks for "proof of fix" | Link Config timeline + merged Terraform PR      |

## When to Add Implementation Help

Platform teams often stall at step 5–6 — conformance packs and audit evidence. **FactualMinds Scanner Remediation Sprint** delivers steps 4–6 in two weeks with Terraform handoff.

## What This Post Doesn't Cover

Checkov CI/CD gates, custom OPA policies, and Wiz/Orca CNAPP integration — see [Prowler vs Checkov](/compare/prowler-vs-checkov-aws/) for the shift-left complement to runtime scanning.

## Related Reading

- [Who remediates Prowler findings?](/blog/prowler-remediation-aws/)
- [Prowler vs Checkov](/compare/prowler-vs-checkov-aws/)
- [Security Hub compliance monitoring setup](/blog/how-to-set-up-aws-security-hub-compliance-monitoring/)
- [SOC 2: Prowler vs Security Hub vs consultant](/compare/soc-2-prowler-security-hub/)
- [AWS Cloud Security](/services/aws-cloud-security/)
- [Security baseline playbook (GitHub)](https://github.com/palpalani/aws-open-guide/blob/main/use-cases/security-baseline.md)

## FAQ

### How often should Prowler run in production?
Weekly full scans via ECS Fargate or Lambda are typical for production estates. Daily lightweight scans work for high-churn environments. The critical requirement is that findings land in Security Hub within 24 hours and that aged findings trigger workflow automation — not scan frequency alone.

### What IAM permissions does Prowler need?
A dedicated read-only role per account with Security Hub ASFF write permissions. Avoid using admin credentials for the scanner — scope to SecurityAudit-equivalent read plus `securityhub:BatchImportFindings`. Store scan artifacts in S3 with bucket encryption.
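A concrete way to enforce "no admin for the scanner" is to lint the role's policy in CI. The Python below is an added example, not Prowler's documented permission set: the policy documents are constructed and abbreviated, the list of read-only verb prefixes is the linter's own assumption rather than an AWS definition, and `s3:PutObject` is allowed only because the `-B <bucket>` upload needs it.

```python
"""Lint a Prowler scan-role policy: read-only plus an explicit write allowlist.

Added example, not Prowler's documented policy. READ_PREFIXES is an assumed set of
IAM verb prefixes treated as read-only; the policies below are constructed samples.
"""

READ_PREFIXES = ("Get", "List", "Describe", "Lookup", "Search", "Check",
                 "Simulate", "Scan", "Query", "Select", "View")

# The only non-read actions the scanner needs: Security Hub import (from the page)
# and writing scan artifacts to the results bucket (assumed, for `-B <bucket>`).
ALLOWED_WRITES = frozenset({"securityhub:BatchImportFindings", "s3:PutObject"})


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def lint_scanner_policy(policy, allowed_writes=ALLOWED_WRITES):
    """Return a list of human-readable issues; an empty list means the policy is
    read-only apart from the allowlisted writes."""
    issues = []
    for n, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            issues.append(f"stmt {n}: NotAction grants everything not listed")
        for action in _as_list(stmt.get("Action")):
            _service, _, verb = action.partition(":")
            if action == "*" or verb in ("", "*"):
                issues.append(f"stmt {n}: wildcard action {action}")
            elif action in allowed_writes:
                continue
            elif not verb.startswith(READ_PREFIXES):
                issues.append(f"stmt {n}: write action {action} not in scanner allowlist")
    return issues


def is_scanner_safe(policy):
    return not lint_scanner_policy(policy)


# Constructed: the shape a per-account scan role should have.
SCANNER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadOnlyAudit", "Effect": "Allow", "Resource": "*",
         "Action": ["iam:GetAccountSummary", "iam:ListUsers", "s3:GetBucketPolicy",
                    "ec2:DescribeSecurityGroups", "cloudtrail:DescribeTrails"]},
        {"Sid": "SecurityHubImport", "Effect": "Allow", "Resource": "*",
         "Action": ["securityhub:BatchImportFindings"]},
        {"Sid": "ScanArtifacts", "Effect": "Allow",
         "Resource": "arn:aws:s3:::example-prowler-artifacts/*",  # placeholder bucket
         "Action": ["s3:PutObject"]},
    ],
}

# Constructed: the "scan role too permissive" stall point.
OVERPERMISSIVE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["iam:*", "ec2:TerminateInstances"], "Resource": "*"},
    ],
}

if __name__ == "__main__":
    print("scanner role:", lint_scanner_policy(SCANNER_POLICY) or "ok")
    print("admin-like role:", lint_scanner_policy(OVERPERMISSIVE_POLICY))
```

Wire `is_scanner_safe` into the pipeline that applies the role's Terraform so a pull request that widens the scanner's permissions fails before it reaches an account.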

### Which Security Hub standards should I enable with Prowler?
Enable CIS AWS Foundations Benchmark v3.x and AWS Foundational Security Best Practices in all in-scope regions. Add PCI DSS or HIPAA conformance packs via AWS Config if your framework requires them. Deduplicate overlapping controls before assigning SLAs.

### When should I add implementation help for Prowler + Security Hub?
When you stall at Config conformance pack deployment or audit evidence collection, or when finding backlogs age beyond 30 days despite active scanning. Steps 4–6 in this checklist — workflow, conformance packs, evidence — are where most platform teams lose quarters.

---

*Source: https://www.factualminds.com/blog/prowler-security-hub-aws/*
