Implement Prowler + Security Hub on AWS (Production Checklist)
Quick summary: Production checklist for Prowler and AWS Security Hub — multi-account setup, scheduled scans, finding workflows, and remediation patterns on AWS.
Key Takeaways
- Production checklist for Prowler and AWS Security Hub — multi-account setup, scheduled scans, finding workflows, and remediation patterns on AWS
- Prowler plus AWS Security Hub gives you continuous posture visibility across accounts
- Engagement shape we commonly see: a regulated SaaS, 6–12 AWS accounts, Security Hub enabled but Prowler running ad hoc, 150+ open findings with no owner tags
Prowler plus AWS Security Hub gives you continuous posture visibility across accounts. As of June 2026, Security Hub Essentials bills per protected resource with unlimited checks and findings — validate your region coverage and delegated admin configuration before scheduling production scans.
Engagement shape we commonly see: a regulated SaaS, 6–12 AWS accounts, Security Hub enabled but Prowler running ad hoc, 150+ open findings with no owner tags. The gap is production wiring — scheduled scans, ASFF ingestion, and Config conformance packs — not another detection tool.
This checklist covers the production wiring — not a one-off scan — so findings flow to owners and auditors see deployed controls, not exported spreadsheets.
Architecture Overview
┌─────────────┐     ┌──────────────┐     ┌─────────────────┐
│   Prowler   │────▶│ Security Hub │────▶│ EventBridge/SNS │
│ (scheduled) │     │  (org admin) │     │   → ticketing   │
└─────────────┘     └──────┬───────┘     └─────────────────┘
                           │
                           ▼
                    ┌──────────────┐
                    │  AWS Config  │
                    │  conformance │
                    └──────────────┘
Prerequisites
- AWS Organizations with all accounts enrolled
- Security Hub delegated administrator account designated
- CIS AWS Foundations Benchmark v3.x and AWS Foundational Security Best Practices enabled
- IAM roles: Prowler scan role per account (read-only + Security Hub write)
- Terraform or CDK for repeatable deployment
Implementation Steps
1. Enable Security Hub Organization-Wide
- Designate admin account in Organizations
- Auto-enable standards for new accounts
- Enable cross-region aggregation if multi-region
2. Deploy Prowler Scan Infrastructure
Options:
| Pattern | When |
|---|---|
| ECS Fargate scheduled task | Weekly full scan, large accounts |
| Lambda + container image | Daily lightweight scan |
| GitHub Actions OIDC | Scan from CI against sandbox/prod read-only role |
| Prowler Cloud (SaaS) | Managed scheduling if self-host ops burden is high |
Store results in S3 (for example prowler aws -M json-asff -B <bucket>) and push the ASFF findings to Security Hub through Prowler's native Security Hub integration, so every scan leaves both a durable artifact and an ingested record set.
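Before ingesting, it pays to validate Prowler's json-asff output and to batch it the way Security Hub expects, so the record count you verify later is meaningful. The following is an added example, not Prowler or AWS code; it assumes a `send` callable wrapping `securityhub.batch_import_findings(Findings=batch)`, and the sample records are constructed.

```python
# Fields Security Hub requires on every ASFF record; records missing any of them are rejected.
REQUIRED = ("SchemaVersion", "Id", "ProductArn", "GeneratorId", "AwsAccountId", "Types",
            "CreatedAt", "UpdatedAt", "Severity", "Title", "Description", "Resources")
LABELS = ("INFORMATIONAL", "LOW", "MEDIUM", "HIGH", "CRITICAL")
BATCH_LIMIT = 100  # BatchImportFindings accepts at most 100 findings per call


def validate_asff(findings):
    """Split a Prowler json-asff list into importable records and (Id, reason) rejects."""
    good, bad = [], []
    for f in findings:
        missing = [k for k in REQUIRED if not f.get(k)]
        if missing:
            bad.append((f.get("Id", "<no Id>"), "missing " + ",".join(missing)))
        elif f["Severity"].get("Label") not in LABELS:
            bad.append((f["Id"], "bad Severity.Label"))
        else:
            good.append(f)
    return good, bad


def import_in_batches(findings, send):
    """Submit records 100 at a time via send(batch) and tally what Security Hub accepted."""
    ok = failed = 0
    for i in range(0, len(findings), BATCH_LIMIT):
        resp = send(findings[i:i + BATCH_LIMIT])  # resp mirrors BatchImportFindings output
        ok += resp.get("SuccessCount", 0)
        failed += resp.get("FailedCount", 0)
    return {"submitted": len(findings), "success": ok, "failed": failed}


# Constructed records shaped like Prowler json-asff output (not real scan data).
PRODUCT_ARN = "arn:aws:securityhub:us-east-1::product/prowler/prowler"
SAMPLE = [
    {"SchemaVersion": "2018-10-08", "Id": "prowler-s3_bucket_public_access-111111111111-demo",
     "ProductArn": PRODUCT_ARN, "GeneratorId": "prowler-s3_bucket_public_access",
     "AwsAccountId": "111111111111", "Types": ["Software and Configuration Checks"],
     "CreatedAt": "2026-06-01T00:00:00Z", "UpdatedAt": "2026-06-01T00:00:00Z",
     "Severity": {"Label": "HIGH"}, "Title": "S3 bucket allows public access",
     "Description": "demo", "Resources": [{"Type": "AwsS3Bucket", "Id": "arn:aws:s3:::demo"}]},
    # Truncated record: a common failure when post-processing strips fields before import.
    {"SchemaVersion": "2018-10-08", "Id": "broken-record", "ProductArn": PRODUCT_ARN,
     "Severity": {"Label": "LOW"}, "Title": "missing fields", "Description": "demo",
     "Resources": []},
]
```

Compare `submitted` and `success` with the count you later pull from Security Hub for the same `ProductArn` and scan window; a gap there is the "verify ASFF record count" item in the weekly checklist.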
3. Integrate Native AWS Sources
Enable in Security Hub admin:
- GuardDuty
- Inspector v2
- IAM Access Analyzer
- Macie (if data classification required)
- Firewall Manager (if WAF/Network Firewall org policies)
Deduplicate overlapping controls before SLA assignment.
4. Finding Workflow
- CRITICAL/HIGH → PagerDuty or on-call within 4h
- MEDIUM → sprint backlog, 30-day SLA
- LOW → quarterly hygiene batch
- Use Security Hub custom insights for: unassigned findings, aged > 30 days, by account owner
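The severity routing above is what the EventBridge target ends up encoding. This added example (not code from the post or from AWS) is a Lambda-style handler for the "Security Hub Findings - Imported" event that applies the step 4 SLA table and flags findings with no owner; the `ACCOUNT_OWNERS` map stands in for Organizations account tags and the sample event is constructed.

```python
from datetime import datetime, timedelta, timezone

# Step 4 routing table: severity label -> (destination, SLA in hours); quarterly taken as 90 days.
ROUTES = {
    "CRITICAL": ("pagerduty", 4),
    "HIGH": ("pagerduty", 4),
    "MEDIUM": ("sprint-backlog", 30 * 24),
    "LOW": ("quarterly-hygiene", 90 * 24),
}
# Constructed stand-in for the owner tag on each Organizations account.
ACCOUNT_OWNERS = {"111111111111": "team-payments"}


def route_finding(finding, now):
    """Return a dispatch record for one ASFF finding, or None if nothing should be sent."""
    label = finding.get("Severity", {}).get("Label")
    if label not in ROUTES or finding.get("Workflow", {}).get("Status") != "NEW":
        return None  # INFORMATIONAL, or already NOTIFIED/RESOLVED/SUPPRESSED
    dest, hours = ROUTES[label]
    account = finding["AwsAccountId"]
    res_tags = (finding.get("Resources") or [{}])[0].get("Tags") or {}
    return {
        "id": finding["Id"],
        "account": account,
        "severity": label,
        "destination": dest,
        "due": (now + timedelta(hours=hours)).isoformat(),
        # Account tag first, resource tag second; None means it belongs in the unassigned insight.
        "owner": ACCOUNT_OWNERS.get(account) or res_tags.get("owner"),
    }


def handler(event, context=None, now=None):
    """EventBridge target: fan imported findings out according to the SLA table."""
    now = now or datetime.now(timezone.utc)
    if event.get("detail-type") != "Security Hub Findings - Imported":
        return []
    return [r for f in event["detail"]["findings"] if (r := route_finding(f, now)) is not None]


# Constructed sample in the shape Security Hub publishes to EventBridge (not real findings).
SAMPLE_EVENT = {"detail-type": "Security Hub Findings - Imported", "source": "aws.securityhub",
    "detail": {"findings": [
        {"Id": "f-1", "AwsAccountId": "111111111111", "Severity": {"Label": "CRITICAL"},
         "Workflow": {"Status": "NEW"}, "Resources": [{"Type": "AwsIamRole", "Id": "r1"}]},
        {"Id": "f-2", "AwsAccountId": "222222222222", "Severity": {"Label": "MEDIUM"},
         "Workflow": {"Status": "NEW"}, "Resources": [{"Type": "AwsS3Bucket", "Id": "b1"}]},
        {"Id": "f-3", "AwsAccountId": "222222222222", "Severity": {"Label": "HIGH"},
         "Workflow": {"Status": "RESOLVED"}, "Resources": [{"Type": "AwsS3Bucket", "Id": "b2"}]}]}}


def demo():
    """Run the handler against the sample at a fixed clock so results are reproducible."""
    return handler(SAMPLE_EVENT, now=datetime(2026, 6, 1, tzinfo=timezone.utc))
```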
5. Config Conformance Packs
Deploy packs aligned to your framework:
- Operational-Best-Practices-for-CIS-AWS-Foundations-Benchmark
- PCI DSS or HIPAA packs if applicable
- Custom Config rules for org-specific policies
Link Config remediation to Systems Manager Automation where auto-fix is safe.
6. Evidence for Audits
- Security Hub export to S3 (daily)
- Config compliance timeline
- Change tickets linked to remediation PRs
- AWS Audit Manager assessment (optional, for SOC 2)
What to Do This Week
- Security Hub enabled org-wide with delegated admin
- CIS + FSBP standards active in all regions in scope
- Prowler scheduled; last run < 7 days
- Findings ingested to Security Hub (verify ASFF record count)
- GuardDuty + Inspector integrated
- Custom insights for aged and unassigned findings
- EventBridge → SNS/Slack/PagerDuty on new CRITICAL
- Config conformance packs deployed
- IaC modules for top 10 recurring failures
- Quarterly drill: sample finding → fix → re-scan → close
Common Stall Points (and Fixes)
| Stall | Fix |
|---|---|
| Findings without owner | Account tags + Security Hub workflow automation |
| Same finding reopens weekly | Fix root cause in IaC, not console-only |
| Scan role too permissive | Dedicated read-only role; no admin for scanner |
| Multi-region gaps | Enable standards in every in-use region |
| Audit asks for “proof of fix” | Link Config timeline + merged Terraform PR |
When to Add Implementation Help
Platform teams often stall at step 5–6 — conformance packs and audit evidence. FactualMinds Scanner Remediation Sprint delivers steps 4–6 in two weeks with Terraform handoff.
What This Post Doesn’t Cover
Checkov CI/CD gates, custom OPA policies, and Wiz/Orca CNAPP integration — see Prowler vs Checkov for the shift-left complement to runtime scanning.
AWS Cloud Architect & AI Expert
AWS-certified cloud architect and AI expert with deep expertise in cloud migrations, cost optimization, and generative AI on AWS.