Prowler, AWS Security Hub, and AWS Config conformance packs all tell you about your security posture, and plenty of teams run all three without knowing why. They overlap, but they're built for different jobs. If your goal is CPS 234 audit evidence, picking the right one for each task saves money and produces cleaner evidence.
Practitioner guidance, not legal or audit advice.
The one-line verdict
| Tool | Best at | Use it for |
|---|---|---|
| Prowler | Deep, open-source, multi-framework scanning + triage | Point-in-time assessments, CI gates, ThreatScore triage |
| Security Hub | Continuous aggregation + standards scoring | Ongoing posture score, finding aggregation across accounts |
| Config conformance packs | Compliance-over-time history | The CPS 234 evidence trail — did a control hold across the period |
Prowler — the assessment engine
Open source, 1,000+ checks, maps to 40+ frameworks, and runs anywhere (laptop, CI, hosted). Its edge is depth and portability: no AWS service to enable, runs as a CI gate, and ThreatScore gives you risk-weighted triage. It's the right tool for a point-in-time assessment and for failing a pipeline on new criticals.
Its weakness for audit: a Prowler scan is a snapshot. Run it weekly and you have snapshots; you don't natively have a continuous compliance timeline.
Security Hub — the aggregator
Turn it on with FSBP and CIS standards and it continuously evaluates your environment, aggregates findings across accounts/regions, and gives a security score you can trend. It's the right surface for "what's our posture right now, everywhere" and for routing findings into your response workflow (it's the source for the incident-notification path).
Its weakness: it tells you the current state and a trend, but it's not designed as the per-control evidence timeline an auditor wants.
Config conformance packs — the evidence trail
This is the one teams underuse. AWS Config records configuration over time, and the APRA CPG 234 conformance pack evaluates rules continuously. The output is exactly what a CPS 234 audit needs: "was this control compliant across the review period," with timestamps. When an auditor asks you to prove S3 encryption held across Q2, the Config compliance timeline is the answer — neither Prowler nor Security Hub gives you that as cleanly.
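To make the "did the control hold across the period" question concrete, here is an added example (not code from the page or from any of the three tools) that reduces periodic AWS Config rule evaluations to a per-resource timeline and reports non-compliant intervals with timestamps. It assumes a daily job that stores pages from the Config `get_compliance_details_by_config_rule` API for the pack's S3 encryption rule; the three sample pulls, bucket names and dates are constructed inline.

```python
from datetime import datetime, timezone

# Managed rule the APRA CPG 234 conformance pack uses for S3 default encryption.
RULE = "s3-bucket-server-side-encryption-enabled"

def day(d):
    """Constructed timestamp helper: midnight UTC on 2025-04-<d>."""
    return datetime(2025, 4, d, tzinfo=timezone.utc)

def _result(resource_id, state, recorded):
    """One EvaluationResults entry, shaped like get_compliance_details_by_config_rule output."""
    qualifier = {"ConfigRuleName": RULE, "ResourceType": "AWS::S3::Bucket", "ResourceId": resource_id}
    return {"EvaluationResultIdentifier": {"EvaluationResultQualifier": qualifier},
            "ComplianceType": state, "ResultRecordedTime": recorded}

# Constructed sample: three daily pulls (daily collection job assumed); data-lake slipped on day 2.
SAMPLE_PULLS = [
    {"EvaluationResults": [_result("audit-logs", "COMPLIANT", day(1)), _result("data-lake", "COMPLIANT", day(1))]},
    {"EvaluationResults": [_result("audit-logs", "COMPLIANT", day(2)), _result("data-lake", "NON_COMPLIANT", day(2))]},
    {"EvaluationResults": [_result("audit-logs", "COMPLIANT", day(3)), _result("data-lake", "COMPLIANT", day(3))]},
]

def timeline(pulls):
    """Per-resource, time-ordered list of (recorded_time, compliance_type)."""
    tl = {}
    for page in pulls:
        for r in page["EvaluationResults"]:
            rid = r["EvaluationResultIdentifier"]["EvaluationResultQualifier"]["ResourceId"]
            tl.setdefault(rid, []).append((r["ResultRecordedTime"], r["ComplianceType"]))
    return {rid: sorted(entries) for rid, entries in tl.items()}

def control_held(pulls, start, end):
    """Auditor's question: did every resource stay COMPLIANT from start to end (inclusive)?
    Returns (held, gaps); gap = (resource, first_non_compliant, restored_at or None if still
    failing at period end). Any state but COMPLIANT (incl. INSUFFICIENT_DATA) is a gap."""
    gaps = []
    for rid, entries in timeline(pulls).items():
        bad_since = None
        for ts, state in entries:
            if not start <= ts <= end:
                continue  # evaluations outside the review period are not evidence for it
            if state != "COMPLIANT" and bad_since is None:
                bad_since = ts
            elif state == "COMPLIANT" and bad_since is not None:
                gaps.append((rid, bad_since, ts))
                bad_since = None
        if bad_since is not None:
            gaps.append((rid, bad_since, None))
    return not gaps, gaps
```

The gap list is the artefact to hand over: each entry says which resource failed, when Config first recorded it, and when it was restored, which is the per-control evidence a snapshot scanner or a posture score cannot produce on its own.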
How to actually use all three
You don't pick one — you use each for its job:
- Config conformance pack running continuously — your evidence backbone. Always on, always recording.
- Security Hub for the live posture score and finding aggregation — your dashboard and the trigger source for incident response.
- Prowler for assessments and CI — deeper checks, ThreatScore triage, and a gate that blocks bad deploys.
The mistake is running Prowler ad-hoc, ignoring Config's history, and treating Security Hub's score as the audit evidence. The clean setup: Config = evidence, Security Hub = monitoring, Prowler = assessment + gate.
Sorting out which tool produces which piece of your CPS 234 evidence is one of the first things a readiness assessment untangles. The full mapping is in the CPS 234 → AWS Controls cheatsheet.
Primary sources: Security Hub FSBP standard · AWS Config conformance packs · Prowler (GitHub)