Amazon Macie Findings


Risk level: (depends on finding severity)

Identify Amazon Macie findings and take all the necessary actions to protect business-critical and sensitive information such as credit cards, financial records or Personally Identifiable Information (PII), stored within Amazon S3. Amazon Macie generates a finding each time it detects a potential policy violation for an Amazon Simple Storage Service (Amazon S3) bucket or it discovers sensitive data in an S3 object. A security finding is a detailed report of a potential policy abuse or sensitive data that Amazon Macie found. Each finding provides a severity rating, information about the affected AWS cloud resource, and additional details such as when and how Macie found the issue.

This rule can help you work with the AWS Well-Architected Framework

Security

Amazon Macie is a data security service that uses machine learning to automatically discover, classify, and protect critical data within the AWS cloud. Macie can help you with governance, compliance and audit standards. For example, because it recognizes Personally Identifiable Information (PII), the service can help you comply with General Data Protection Regulation (GDPR) requirements around encryption and pseudonymization of data. Through Amazon Macie findings you can achieve preventive security, safeguard your sensitive data, automate compliance (including GDPR compliance), and avoid inadvertent data leaks.


Audit

To verify your AWS cloud account for Amazon Macie security findings, perform the following operations:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to Amazon Macie console at https://console.aws.amazon.com/macie.

03 In the navigation panel, under Amazon Macie, choose Findings to access the page with the security findings identified within the current AWS cloud region.

04 On the Findings page, select All from the filter dropdown list to view all the security findings identified by Amazon Macie in the selected AWS region. If no findings are found in the verified region, the following confirmation message is shown: "You don't have any findings.". If one or more findings are displayed, there are Amazon Macie security findings that need to be resolved within the current AWS region.

05 Change the AWS cloud region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run the list-findings command (OSX/Linux/UNIX) with custom query filters to describe the identifiers (IDs) of the Amazon Macie findings generated for the selected AWS cloud region:

aws macie2 list-findings \
	--region ap-southeast-2 \
	--query 'findingIds'

02 The command output should return the ID(s) of the security finding(s) or an empty array (i.e. []) if there are no active security findings identified:

[
    "abcdabcd-1234-1234-1234-abcdabcdabcd",
    "abcd1234-abcd-1234-abcd-1234abcd1234",
    "1234abcd-1234-abcd-1234-abcd1234abcd"
]

If the array returned by the list-findings command output contains the identifier (ID) of one or more findings, as shown in the example above, there are Amazon Macie security findings that need to be resolved within the selected AWS region.

03 Change the AWS cloud region by updating the --region command parameter value and repeat the entire audit process for other regions.

Remediation / Resolution

To access, analyze, and resolve any Amazon Macie security findings identified within your AWS cloud account, perform the following operations:

Note: As an example, this section demonstrates how to analyze and resolve an Amazon Macie policy finding detected for an Amazon S3 bucket that is not encrypted using S3 Server-Side Encryption (S3 SSE). A policy finding is a detailed report of a potential policy violation for an S3 bucket. Macie generates these findings as part of its ongoing monitoring activities for your Amazon S3 data.

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to Amazon Macie console at https://console.aws.amazon.com/macie.

03 In the navigation panel, under Amazon Macie, choose Findings.

04 On the Findings page, select All from the filter dropdown list to view all the security findings identified by Amazon Macie within the selected AWS region.

05 Click on the security finding that you want to analyze and resolve, to access the information generated for the selected Amazon Macie finding.

06 Once the finding description panel is open, review the selected entry by checking the most important attributes:

  • For main section:
    1. Finding type – the type of the security finding, e.g. "Policy:IAMUser/S3BucketEncryptionDisabled". For example, if default encryption was enabled for an S3 bucket when you enabled Macie for your AWS account, and default encryption is later disabled for the bucket, then Amazon Macie generates a "Policy:IAMUser/S3BucketEncryptionDisabled" finding for the S3 bucket.
    2. Finding ID – the identifier (ID) of the security finding.
    3. Description – a detailed description of the finding, e.g. "Encryption is disabled for the Amazon S3 bucket. The data in the bucket isn't encrypted using server-side encryption."
  • For Overview section:
    1. Severity – the severity label associated with the security finding, e.g. "Medium". Possible values are High, Medium, and Low.
    2. Region – the AWS cloud region where Amazon Macie generated the finding.
    3. Account ID – the ID number of the AWS account where the potential security issue described by the selected finding was found.
    4. Resource – the direct link to the affected AWS cloud resource.
  • For Resources affected (S3 bucket) section:
    1. Bucket name – the name of the affected Amazon S3 bucket.
    2. Public access – the permissions settings that determine whether the bucket is publicly accessible.
    3. Encryption type – the S3 Server-Side Encryption algorithm used to encrypt data stored within the specified (affected) bucket. If encryption is disabled for the specified bucket, the Encryption type value is set to NONE.
    4. Owner – the display name and account identifier for the user who owns the affected bucket.

07 Based on the information reviewed at the previous step you can analyze the security finding and make a plan to implement the recommended fix. In this case, the remediation consists of enabling S3 Server-Side Encryption (S3 SSE) for the Amazon S3 bucket specified within the Amazon Macie finding details. To enable and configure Server-Side Encryption for the affected Amazon S3 bucket, follow the steps outlined in this conformity rule.

08 Repeat steps no. 5 – 7 for each Amazon Macie security finding identified within the current AWS region.

09 Change the AWS cloud region from the navigation bar and repeat the remediation process for other regions.

Using AWS CLI

01 Run the get-findings command (OSX/Linux/UNIX) using the ID of the Amazon Macie security finding that you want to examine as the identifier parameter (see Audit section part II to identify the right entry), to retrieve the information available for the selected security finding:

aws macie2 get-findings \
	--region ap-southeast-2 \
	--finding-ids abcdabcd-1234-abcd-1234-abcd1234abcd \
	--query 'findings[*]'

02 The command output should return all the information available for the selected Amazon Macie finding:


[
    {
        "category": "POLICY",
        "count": 1,
        "archived": false,
        "title": "Encryption is disabled for the S3 bucket",
        "description": "Encryption is disabled for the Amazon S3 bucket. The data in the bucket isn’t encrypted using server-side encryption.",
        "severity": {
            "score": 2,
            "description": "Medium"
        },
        "region": "ap-southeast-2",
        "partition": "aws",
        "resourcesAffected": {
            "s3Bucket": {
                "name": "cc-candidate-data-bucket",
                "tags": [
                    {
                        "value": "HR",
                        "key": "Division"
                    },
                    {
                        "value": "Recruiting",
                        "key": "Team"
                    }
                ],
                "publicAccess": {
                    "effectivePermission": "NOT_PUBLIC"
                },
                "defaultServerSideEncryption": {
                    "encryptionType": "NONE"
                },
                "arn": "arn:aws:s3:::cc-candidate-data-bucket",
                "owner": {
                    "displayName": "cc-data-manager",
                    "id": "abcdabcdabcdabcdabcdabcdabcdabcd"
                },
                "createdAt": "2020-12-23T10:00:00.000Z"
            }
        },
        "policyDetails": {
            "action": {
                "apiCallDetails": {
                    "api": "PutBucketAcl",
                    "firstSeen": "2020-12-23T10:00:00.000Z",
                    "apiServiceName": "s3.amazonaws.com",
                    "lastSeen": "2020-12-23T10:00:00.000Z"
                },
                "actionType": "AWS_API_CALL"
            },
            "actor": {
                "userIdentity": {
                    "type": "AssumedRole",
                    "assumedRole": {
                        "sessionContext": {
                            "sessionIssuer": {
                                "userName": "RoleToBeAssumed",
                                "type": "Role",
                                "principalId": "ABCDABCDABCDABCDABCD",
                                "arn": "arn:aws:iam::123456789012:role/RoleToBeAssumed",
                                "accountId": "123456789012"
                            },
                            "attributes": {
                                "creationDate": "2020-12-20T11:00:00.000Z",
                                "mfaAuthenticated": false
                            }
                        },
                        "accountId": "123456789012",
                        "principalId": "ABCDABCDABCDABCDABCD:AssumedRoleSessionName",
                        "arn": "arn:aws:sts::123456789012:assumed-role/RoleToBeAssumed/MySessionName",
                        "accessKeyId": "ABCD1234ABCD1234ABCD"
                    }
                }
            }
        },
        "updatedAt": "2020-12-23T10:00:00.000Z",
        "schemaVersion": "1.0",
        "type": "Policy:IAMUser/S3BucketEncryptionDisabled",
        "id": "abcdabcd-1234-abcd-1234-abcd1234abcd",
        "createdAt": "2020-12-23T10:00:00.000Z",
        "accountId": "123456789012"
    }
]

03 For the get-findings command output returned at the previous step, review each security finding by analyzing its properties:

  1. "type" - the type of the security finding, e.g. "Policy:IAMUser/S3BucketEncryptionDisabled". For example, if default encryption was enabled for an S3 bucket when you enabled Macie for your AWS account, and default encryption is later disabled for the bucket, then Amazon Macie generates a "Policy:IAMUser/S3BucketEncryptionDisabled" finding for the bucket.
  2. "id" - the identifier (ID) of the security finding.
  3. "title" - the title of the finding, e.g. "Encryption is disabled for the S3 bucket".
  4. "description" - a detailed description of the finding, e.g. "Encryption is disabled for the Amazon S3 bucket. The data in the bucket isn't encrypted using server-side encryption."
  5. "severity.description" - the severity label associated with the security finding, e.g. "Medium". Possible values are "High", "Medium", and "Low".
  6. "region" - the AWS cloud region where Amazon Macie generated the finding, e.g. "ap-southeast-2".
  7. "accountId" - the ID number of the AWS account where the potential security issue described by the selected finding was found.
  8. "resourcesAffected.s3Bucket.name" - the name of the affected Amazon S3 bucket.
  9. "resourcesAffected.s3Bucket.publicAccess" - the permissions settings that determine whether the bucket is publicly accessible.
  10. "resourcesAffected.s3Bucket.defaultServerSideEncryption" - the S3 Server-Side Encryption algorithm used to encrypt data stored within the specified (affected) bucket. If encryption is disabled for the specified bucket, the "defaultServerSideEncryption.encryptionType" property value is set to "NONE".
  11. "resourcesAffected.s3Bucket.owner" - the display name and account identifier for the user who owns the affected bucket.

04 Based on the information reviewed at the previous step you can analyze the security finding and make a plan to implement the recommended fix. In this case, the remediation consists of enabling S3 Server-Side Encryption (S3 SSE) for the Amazon S3 bucket specified within the Amazon Macie finding details. To enable and configure Server-Side Encryption for the affected Amazon S3 bucket, follow the steps outlined in this conformity rule.

05 Repeat steps no. 1 – 4 for each Amazon Macie security finding identified in the selected AWS region.

06 Change the AWS region by updating the --region command parameter value and repeat the entire remediation/resolution process for other regions.
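
The property review from step 03, applied to saved get-findings output. This is an added example, not part of the original page or of any AWS or Trend Micro tool: it skips archived findings, orders the rest by severity, and derives follow-up actions from the encryption and public-access properties. The sample findings, bucket names, role name and the triage function are constructed for illustration.

```python
import json

# Constructed sample shaped like `aws macie2 get-findings --query 'findings[*]'`
# output, trimmed to the properties reviewed in step 03. All values are made up.
SAMPLE_JSON = """
[
 {"id": "f-1", "type": "Policy:IAMUser/S3BucketEncryptionDisabled", "archived": false,
  "severity": {"description": "Medium"}, "region": "ap-southeast-2",
  "resourcesAffected": {"s3Bucket": {"name": "example-bucket-a",
    "publicAccess": {"effectivePermission": "NOT_PUBLIC"},
    "defaultServerSideEncryption": {"encryptionType": "NONE"}}},
  "policyDetails": {"actor": {"userIdentity": {"type": "AssumedRole",
    "assumedRole": {"arn": "arn:aws:sts::123456789012:assumed-role/ExampleRole/session"}}}}},
 {"id": "f-2", "type": "Policy:IAMUser/S3BucketPublic", "archived": false,
  "severity": {"description": "High"}, "region": "ap-southeast-2",
  "resourcesAffected": {"s3Bucket": {"name": "example-bucket-b",
    "publicAccess": {"effectivePermission": "PUBLIC"},
    "defaultServerSideEncryption": {"encryptionType": "AES256"}}}},
 {"id": "f-3", "type": "Policy:IAMUser/S3BucketEncryptionDisabled", "archived": true,
  "severity": {"description": "Low"}, "region": "ap-southeast-2",
  "resourcesAffected": {"s3Bucket": {"name": "example-bucket-c"}}}
]
"""

RANK = {"High": 0, "Medium": 1, "Low": 2}  # severity labels listed in step 03

def triage(findings):
    """Summarize active findings, highest severity first, with follow-up actions."""
    rows = []
    for f in findings:
        if f.get("archived"):
            continue  # skip findings that have been archived
        bucket = f.get("resourcesAffected", {}).get("s3Bucket", {})
        enc = bucket.get("defaultServerSideEncryption", {}).get("encryptionType", "UNKNOWN")
        perm = bucket.get("publicAccess", {}).get("effectivePermission", "UNKNOWN")
        ident = f.get("policyDetails", {}).get("actor", {}).get("userIdentity", {})
        actor = next((v["arn"] for v in ident.values()
                      if isinstance(v, dict) and "arn" in v), None)
        actions = []
        if enc == "NONE":
            actions.append("enable default server-side encryption")
        if perm != "NOT_PUBLIC":  # anything not explicitly non-public needs review
            actions.append("review public access settings")
        rows.append({"id": f["id"], "severity": f["severity"]["description"],
                     "type": f["type"], "bucket": bucket.get("name"),
                     "actor": actor, "actions": actions})
    return sorted(rows, key=lambda r: RANK.get(r["severity"], len(RANK)))

if __name__ == "__main__":
    for row in triage(json.loads(SAMPLE_JSON)):
        print(row["severity"], row["type"], row["bucket"], row["actions"], row["actor"])
```

To use it on real data, redirect the get-findings output for each region to a file and pass the parsed JSON list to triage().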

Publication date Dec 30, 2020
