chore(securityhub): improve logging for Security Hub integration (#8608)

MrCloudSec · web-flow · commit 837c65ba238e · 2025-09-30T10:36:42.000-04:00
diff --git a/prowler/CHANGELOG.md b/prowler/CHANGELOG.md
@@ -11,6 +11,7 @@ All notable changes to the **Prowler SDK** are documented in this file.
 - Documentation for renaming checks [(#8717)](https://github.com/prowler-cloud/prowler/pull/8717)
 - Add explicit "name" field for each compliance framework and include "FRAMEWORK" and "NAME" in CSV output [(#7920)](https://github.com/prowler-cloud/prowler/pull/7920)
 - Equality validation for CheckID, filename and classname [(#8690)](https://github.com/prowler-cloud/prowler/pull/8690)
+- Improve logging for Security Hub integration [(#8608)](https://github.com/prowler-cloud/prowler/pull/8608)
 
 ### Changed
 
diff --git a/prowler/__main__.py b/prowler/__main__.py
@@ -13,6 +13,7 @@
     html_file_suffix,
     json_asff_file_suffix,
     json_ocsf_file_suffix,
+    orange_color,
 )
 from prowler.lib.banner import print_banner
 from prowler.lib.check.check import (
@@ -916,9 +917,14 @@ def streaming_callback(findings_batch):
             )
             # Send the findings to Security Hub
             findings_sent_to_security_hub = security_hub.batch_send_to_security_hub()
-            print(
-                f"{Style.BRIGHT}{Fore.GREEN}\n{findings_sent_to_security_hub} findings sent to AWS Security Hub!{Style.RESET_ALL}"
-            )
+            if findings_sent_to_security_hub == 0:
+                print(
+                    f"{Style.BRIGHT}{orange_color}\nNo findings sent to AWS Security Hub.{Style.RESET_ALL}"
+                )
+            else:
+                print(
+                    f"{Style.BRIGHT}{Fore.GREEN}\n{findings_sent_to_security_hub} findings sent to AWS Security Hub!{Style.RESET_ALL}"
+                )
 
             # Resolve previous fails of Security Hub
             if not args.skip_sh_update:
@@ -928,9 +934,14 @@ def streaming_callback(findings_batch):
                 findings_archived_in_security_hub = (
                     security_hub.archive_previous_findings()
                 )
-                print(
-                    f"{Style.BRIGHT}{Fore.GREEN}\n{findings_archived_in_security_hub} findings archived in AWS Security Hub!{Style.RESET_ALL}"
-                )
+                if findings_archived_in_security_hub == 0:
+                    print(
+                        f"{Style.BRIGHT}{orange_color}\nNo findings archived in AWS Security Hub.{Style.RESET_ALL}"
+                    )
+                else:
+                    print(
+                        f"{Style.BRIGHT}{Fore.GREEN}\n{findings_archived_in_security_hub} findings archived in AWS Security Hub!{Style.RESET_ALL}"
+                    )
 
     # Display summary table
     if not args.only_logs:
diff --git a/prowler/providers/aws/lib/security_hub/security_hub.py b/prowler/providers/aws/lib/security_hub/security_hub.py
@@ -165,8 +165,11 @@ def __init__(
                 aws_account_id,
                 aws_partition,
             )
-        if findings and self._enabled_regions:
-            self._findings_per_region = self.filter(findings, send_only_fails)
+        if findings:
+            if not self._enabled_regions:
+                logger.error("No enabled regions found in Security Hub.")
+            else:
+                self._findings_per_region = self.filter(findings, send_only_fails)
 
     def filter(
         self,
@@ -185,6 +188,7 @@ def filter(
         """
 
         findings_per_region = {}
+        disabled_regions_logged = set()
         try:
             # Create a key per audited region
             for region in self._enabled_regions.keys():
@@ -193,6 +197,12 @@ def filter(
             for finding in findings:
                 # We don't send findings to not enabled regions
                 if finding.Resources[0].Region not in findings_per_region:
+                    # Only log once per disabled region
+                    if finding.Resources[0].Region not in disabled_regions_logged:
+                        logger.warning(
+                            f"Skipping findings in region {finding.Resources[0].Region} because it is not enabled in Security Hub."
+                        )
+                        disabled_regions_logged.add(finding.Resources[0].Region)
                     continue
 
                 if (
