chore(contrib): update aws-multi-account-securityhub deployment (#5263)

contrib/aws/multi-account-securityhub/README.md

@@ -12,7 +12,11 @@ Originally based on [org-multi-account](https://github.com/prowler-cloud/prowler
 
 ## Architecture Explanation
 
- The solution is designed to be very simple. Prowler is run via an ECS Task definition that launches a single Fargate container. This Task Definition is executed on a schedule using an EventBridge Rule.
+The solution is designed to be very simple. Prowler is run via an ECS Task definition that launches a single Fargate container. This Task Definition is executed on a schedule using an EventBridge Rule.
+
+## Prerequisites
+
+This solution assumes that you have a VPC architecture with two redundant subnets that can reach the AWS API endpoints (e.g. PrivateLink, NAT Gateway, etc.).
 
 ## CloudFormation Templates
 
@@ -59,9 +63,9 @@ The logs that are generated and sent to Cloudwatch are error logs, and assessmen
 
 ## Instructions
  1. Create a Private ECR Repository in the account that will host the Prowler container. The Audit account is recommended, but any account can be used.
- 2.  Configure the .awsvariables file. Note the ROLE name chosen as it will be the CrossAccountRole.
- 3. Follow the steps from "View Push Commands" to build and upload the container image. You need to have Docker and AWS CLI installed, and use the cli to login to the account first.  After upload note the Image URI, as it is required for the CF-Prowler-ECS template.
- 4.  Make sure SecurityHub is enabled in every account in AWS Organizations, and that the SecurityHub integration is enabled as explained in [Prowler - Security Hub Integration](https://github.com/prowler-cloud/prowler#security-hub-integration)
+ 2. Configure the .awsvariables file. Note the ROLE name chosen as it will be the CrossAccountRole.
+ 3. Follow the steps from "View Push Commands" to build and upload the container image. Substitute step 2 with the build command provided in the Dockerfile. You need to have Docker and AWS CLI installed, and use the cli to login to the account first.  After upload note the Image URI, as it is required for the CF-Prowler-ECS template. Ensure that you pay attention to the architecture while performing the docker build command. A common mistake is not specifying the architecture and then building on Apple silicon. Your task will fail with  *exec /home/prowler/.local/bin/prowler: exec format error*. 
+ 4. Make sure SecurityHub is enabled in every account in AWS Organizations, and that the SecurityHub integration is enabled as explained in [Prowler - Security Hub Integration](https://github.com/prowler-cloud/prowler#security-hub-integration)
  5. Deploy **CF-Prowler-CrossAccountRole.yml** in the Master Account as a single stack. You will have to choose the CrossAccountRole name (ProwlerXA-Role by default) and the ProwlerTaskRoleName (ProwlerECSTask-Role by default)
  6. Deploy **CF-Prowler-CrossAccountRole.yml** in every Member Account as a StackSet. Choose the same CrossAccountName and ProwlerTaskRoleName as the previous step.
  7. Deploy **CF-Prowler-IAM.yml** in the account that will host the Prowler container (the same from step 1).  The following template parameters must be provided:
@@ -91,4 +95,4 @@ If you permission find errors in the CloudWatch logs, the culprit might be a [Se
 ## Upgrading Prowler
 
 Prowler version is controlled by the PROWLERVER argument in the Dockerfile, change it to the desired version and follow the ECR Push Commands to update the container image.
-Old images can be deleted from the ECR Repository after the new image is confirmed to work. They will show as "untagged" as only one image can hold the "latest" tag.
+Old images can be deleted from the ECR Repository after the new image is confirmed to work. They will show as "untagged" as only one image can hold the "latest" tag.

contrib/aws/multi-account-securityhub/run-prowler-securityhub.sh

@@ -68,7 +68,7 @@ for accountId in ${ACCOUNTS_IN_ORGS}; do
         # Run Prowler
         echo -e "Assessing AWS Account: ${accountId}, using Role: ${ROLE} on $(date)"
         # Pipe stdout to /dev/null to reduce unnecessary Cloudwatch logs
-        prowler aws -R arn:"${PARTITION}":iam::"${accountId}":role/"${ROLE}" -q -S -f "${REGION}" > /dev/null
+        prowler aws -R arn:"${PARTITION}":iam::"${accountId}":role/"${ROLE}" --security-hub --send-sh-only-fails -f "${REGION}" > /dev/null
         TOTAL_SEC=$((SECONDS - START_TIME))
         printf "Completed AWS Account: ${accountId} in %02dh:%02dm:%02ds" $((TOTAL_SEC / 3600)) $((TOTAL_SEC % 3600 / 60)) $((TOTAL_SEC % 60))
         echo ""

contrib/aws/multi-account-securityhub/templates/CF-Prowler-CrossAccountRole.yml

@@ -60,24 +60,42 @@ Resources:
                 Effect: Allow
                 Resource: "*"
                 Action:
-                  - ds:ListAuthorizedApplications
+                  - account:Get*
+                  - appstream:Describe*
+                  - appstream:List*
+                  - backup:List*
+                  - cloudtrail:GetInsightSelectors
+                  - codeartifact:List*
+                  - codebuild:BatchGet*
+                  - cognito-idp:GetUserPoolMfaConfig
+                  - dlm:Get*
+                  - drs:Describe*
+                  - ds:Describe*
+                  - ds:Get*
+                  - ds:List*
+                  - dynamodb:GetResourcePolicy
                   - ec2:GetEbsEncryptionByDefault
+                  - ec2:GetSnapshotBlockPublicAccessState
+                  - ec2:GetInstanceMetadataDefaults
                   - ecr:Describe*
+                  - ecr:GetRegistryScanningConfiguration
                   - elasticfilesystem:DescribeBackupPolicy
                   - glue:GetConnections
-                  - glue:GetSecurityConfiguration
+                  - glue:GetSecurityConfiguration*
                   - glue:SearchTables
-                  - lambda:GetFunction
+                  - lambda:GetFunction*
+                  - logs:FilterLogEvents
+                  - lightsail:GetRelationalDatabases
+                  - macie2:GetMacieSession
                   - s3:GetAccountPublicAccessBlock
                   - shield:DescribeProtection
                   - shield:GetSubscriptionState
                   - ssm:GetDocument
+                  - ssm-incidents:List*
                   - support:Describe*
                   - tag:GetTagKeys
-        - PolicyName: Prowler-Security-Hub
-          PolicyDocument:
-            Version: 2012-10-17
-            Statement:
+                  - wellarchitected:List*
+
               - Sid: AllowProwlerSecurityHub
                 Effect: Allow
                 Resource: "*"

contrib/aws/multi-account-securityhub/templates/CF-Prowler-ECS.yml

@@ -62,7 +62,7 @@ Resources:
               awslogs-stream-prefix: ecs
       Cpu: 1024
       ExecutionRoleArn: !Ref ECSExecutionRole
-      Memory: 2048
+      Memory: 8192
       NetworkMode: awsvpc
       TaskRoleArn: !Ref ProwlerTaskRole
       Family: SecurityHubProwlerTask

contrib/aws/multi-account-securityhub/templates/CF-Prowler-IAM.yml

@@ -97,9 +97,15 @@ Outputs:
   ECSExecutionRoleARN:
     Description: ARN of the ECS Task Execution Role
     Value: !GetAtt ECSExecutionRole.Arn
+    Export:
+      Name: ECSExecutionRoleArn
   ProwlerTaskRoleARN:
     Description: ARN of the ECS Prowler Task Role
     Value: !GetAtt ProwlerTaskRole.Arn
+    Export:
+      Name: ProwlerTaskRoleArn
   ECSEventRoleARN:
     Description: ARN of the Eventbridge Task Role
     Value: !GetAtt ECSEventRole.Arn
+    Export:
+      Name: ECSEventRoleARN