
[Bug]: Receiving error message "User is not authorised to perform: securityhub:BatchImportFindings"

Open MaeveScarry opened this issue 2 years ago • 3 comments

Hi @toniblyx,

Please can you help me with the following:

1 - I am running a Prowler scan locally, using the following script (image 1) in one account, across 5 different regions.
2 - The Prowler scan for all regions, except for us-east-1 runs smoothly. However, with us-east-1 I get the attached error message (image 2) for many findings.
3 - Looking in AWS CloudTrail I also see the following (image 3) for BatchImportFindings event types.
4 - Whether I aggregate Security Hub findings in us-east-1 or one of the other regions, I still receive these errors in the us-east-1 region.
5 - Security Hub is enabled in all of the regions I am using and I am using a full admin role with all of the necessary permissions.

I am running Prowler from:

  • Resource: Workstation
  • OS: Mac, M1 Chip
  • AWS-CLI Version: aws-cli/2.7.21
  • Prowler Version: Prowler 2.11.0-21July2022

Please can you help me to understand what the issue is and how I can resolve this?

Many thanks, Maeve

Images:

Image 1: Prowler - image 1

Please note that 'region-1' etc are placeholders for the other regions that I'm using.

Image 2: Prowler - image 2

Image 3: Prowler - image 3

MaeveScarry avatar Aug 10 '22 11:08 MaeveScarry

Hi @MaeveScarry, thank you for reaching out! Please make sure that you don't have any SCP blocking that region from sending findings to SecurityHub. If that is not the case, could you send us the logs by running prowler with bash -x ./prowler ... in the us-east-1 region? Thanks.

sergargar avatar Aug 18 '22 12:08 sergargar
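One way to run the SCP check suggested above offline, as an added example that is not part of the original thread or of Prowler's code: it scans a service control policy document for Deny statements that would block securityhub:BatchImportFindings in a given region. The sample policy, its Sids and the function names are constructed for illustration; only the aws:RequestedRegion condition is evaluated and the Resource element is ignored.

```python
import fnmatch

ACTION = "securityhub:BatchImportFindings"
# Constructed sample SCP (not from the thread): a common region-restriction pattern.
SAMPLE_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DenyOutsideApprovedRegions", "Effect": "Deny",
         "NotAction": ["iam:*", "sts:*", "support:*"], "Resource": "*",
         "Condition": {"StringNotEquals": {
             "aws:RequestedRegion": ["eu-west-1", "eu-west-2"]}}},
        {"Sid": "ProtectHubConfig", "Effect": "Deny",
         "Action": "securityhub:Delete*", "Resource": "*"},
    ],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _covers(patterns, action):
    # IAM action matching is case-insensitive and supports * and ? wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower())
               for p in _as_list(patterns))

def _action_matches(stmt, action):
    if "Action" in stmt:
        return _covers(stmt["Action"], action)
    if "NotAction" in stmt:
        return not _covers(stmt["NotAction"], action)
    return False

def _region_condition_holds(stmt, region):
    # Evaluates only aws:RequestedRegion; other conditions are assumed satisfied.
    cond = stmt.get("Condition", {})
    for op, negated in (("StringEquals", False), ("StringNotEquals", True)):
        for key, values in cond.get(op, {}).items():
            if key.lower() == "aws:requestedregion":
                if (region in _as_list(values)) == negated:
                    return False
    return True

def denying_statements(policy, region, action=ACTION):
    """Return the Sids of Deny statements that block `action` in `region`."""
    hits = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if (stmt.get("Effect") == "Deny" and _action_matches(stmt, action)
                and _region_condition_holds(stmt, region)):
            hits.append(stmt.get("Sid", f"statement[{i}]"))
    return hits
```

The policy JSON to feed in is the Content field returned by `aws organizations describe-policy`, parsed with `json.loads`.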

Hi @sergargar - massive apologies for my delayed response.

Please see the attached images of the logs. I've had to redact sensitive information. There were lots of logs, but I've chosen to send a few that I think would be most helpful.

I've also checked and there are no SCPs blocking the region.

Many thanks

AWSimage1 (1)

AWSimage2 AWSimage3 AWSimage4

maevescarrymp avatar Sep 08 '22 10:09 maevescarrymp

Hi @maevescarrymp, thank you for the logs. It seems that you are receiving the findings in Security-Hub (us-east-1) despite the errors, right? I think that is failing when archiving previous fails in SecurityHub that are no longer fails. Could you test it by removing first all SHub findings in us-east-1 region?

sergargar avatar Sep 08 '22 12:09 sergargar

Hi @MaeveScarry, feel free to reopen this issue if you still have problems related to it. Thank you!

sergargar avatar Oct 03 '22 08:10 sergargar