
Amazon Macie Discovery Jobs

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: Macie2-003

Ensure that Amazon Macie sensitive data discovery jobs exist in each AWS cloud region in order to automate the discovery, logging, and reporting of sensitive data stored in Amazon S3 buckets. A Macie data discovery job analyzes the objects in your S3 buckets to determine whether they contain sensitive data, and provides detailed reports of the data it finds and the analysis it performs.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Sustainability
Security

Amazon Macie is a fully managed data security and data privacy service that uses Machine Learning (ML) and pattern matching to discover and protect sensitive and critical data within AWS cloud. With Macie you can classify and safeguard your sensitive data, automate compliance (including GDPR compliance), detect unauthorized user access, and avoid inadvertent data leaks through customizable alerts. For example, Amazon Macie can help you to comply with General Data Protection Regulation (GDPR) regulations around encryption and pseudonymization of data as it recognizes Personally Identifiable Information (PII).


Audit

To determine if there are Amazon Macie data discovery jobs created and configured within your AWS cloud account, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to the Amazon Macie console at https://console.aws.amazon.com/macie. If you are redirected to the Amazon Macie product page and the Get started button is displayed, the Amazon Macie service is not enabled within the selected AWS region. If you are redirected to the service Summary page, Amazon Macie is enabled, and you can continue the Audit process with the next step.

03 In the left navigation panel, under Amazon Macie, choose Jobs to access the data discovery jobs created with Amazon Macie within the current AWS region. If there are no jobs listed in the Jobs section, there are no Amazon Macie data discovery jobs created to discover and report sensitive data in the selected AWS region.

04 Change the AWS cloud region from the console navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Run get-usage-statistics command (OSX/Linux/UNIX) to retrieve the aggregated usage data available for your Amazon Macie account in the selected AWS region:

aws macie2 get-usage-statistics \
  --region us-east-1

02 The command output should return the requested usage data, or an error message if the service is not enabled:

An error occurred (UnauthorizedException) when calling the GetUsageStatistics operation: Macie is not enabled.

If the get-usage-statistics command output returns the error message "An error occurred (UnauthorizedException) when calling the GetUsageStatistics operation: Macie is not enabled.", as shown in the output example above, the Macie service is not enabled in the selected AWS region. If the command output returns the aggregated usage data for your Macie account, Amazon Macie is enabled, and you can continue the Audit process with the next step.

03 Run list-classification-jobs command (OSX/Linux/UNIX) with custom query filters to list the data classification (discovery) jobs created with Amazon Macie within the selected AWS region:

aws macie2 list-classification-jobs \
  --region us-east-1 \
  --query 'items'

04 The command output should return the information available for one or more classification jobs:

[]

If the list-classification-jobs command output returns an empty array (i.e. []), as shown in the example above, there are no Amazon Macie data classification jobs defined to discover and report sensitive data in the selected AWS region.

05 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.
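The Audit steps above are a per-region manual check. The following script, an added example for this rule and not Conformity's own checker, runs the same two AWS CLI commands across a list of regions and classifies each region as NOT_ENABLED, NO_JOBS, or OK. It goes slightly beyond the rule's check by ignoring jobs in the CANCELLED state, since a cancelled job no longer discovers anything. The region list, the `run_aws` wrapper and the injectable `runner` parameter are assumptions of this example; the command names, the error string and the `jobStatus` field are from the Macie2 CLI.

```python
"""Multi-region audit for Macie2-003: flag regions with no active discovery jobs.

Added example (not Conformity's or AWS's code). It shells out to the same two CLI
commands the Audit section uses; `runner` is injectable so the decision logic can
be exercised offline with constructed command output.
"""
import json
import subprocess
from typing import Callable, Dict, List

# Assumption: edit this list to match the regions your account uses.
REGIONS = ["us-east-1", "us-west-2", "eu-west-1"]

# Substring of the UnauthorizedException message the CLI prints when Macie is off.
MACIE_NOT_ENABLED = "Macie is not enabled"


def run_aws(args: List[str]) -> str:
    """Run an AWS CLI command and return stdout, or stderr on failure so the
    caller can inspect the error text (the 'not enabled' case comes back as an error)."""
    proc = subprocess.run(["aws"] + args, capture_output=True, text=True)
    return proc.stdout if proc.returncode == 0 else proc.stderr


def audit_region(region: str, runner: Callable[[List[str]], str] = run_aws) -> Dict[str, object]:
    """Return {'region', 'status', 'jobs'} for one region.
    status is NOT_ENABLED, NO_JOBS, ERROR, or OK."""
    usage = runner(["macie2", "get-usage-statistics", "--region", region])
    if MACIE_NOT_ENABLED in usage:
        return {"region": region, "status": "NOT_ENABLED", "jobs": []}
    raw = runner(["macie2", "list-classification-jobs", "--region", region, "--query", "items"])
    try:
        items = json.loads(raw) if raw.strip() else []
    except ValueError:
        # Not JSON: the CLI printed an error (e.g. AccessDenied); surface it instead of guessing.
        return {"region": region, "status": "ERROR", "jobs": [], "detail": raw.strip()}
    # A cancelled job never runs again, so it does not satisfy the intent of the rule.
    active = [j for j in items if j.get("jobStatus") != "CANCELLED"]
    status = "OK" if active else "NO_JOBS"
    return {"region": region, "status": status, "jobs": [j.get("name") for j in active]}


def audit_all(regions: List[str] = REGIONS, runner: Callable[[List[str]], str] = run_aws):
    """Audit every region in `regions`; returns the list of per-region verdicts."""
    return [audit_region(r, runner) for r in regions]


if __name__ == "__main__":
    for verdict in audit_all():
        print(f"{verdict['region']}: {verdict['status']} {verdict['jobs']}")
```

Run it with AWS credentials in the environment; any region reported as NOT_ENABLED or NO_JOBS fails this rule and should be remediated with the steps in the next section.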

Remediation / Resolution

To define Amazon Macie data discovery jobs for your sensitive data and benefit from data classification, help with regulatory compliance, and protection from leaks, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to the Amazon Macie console at https://console.aws.amazon.com/macie. If the cloud service is not enabled, choose Get started to set up Amazon Macie within the selected AWS region.

03 On the Get started page, choose Enable Macie to enable the Macie service.

04 To set up a repository for sensitive data discovery results, under Settings, choose Discovery results.

05 Select Configure now to configure an Amazon S3 bucket for long-term retention of your sensitive data discovery results.

06 On the Repository for sensitive data discovery results page, perform the following operations:

  1. Choose Create bucket to create a new Amazon S3 bucket.
  2. Provide a unique name for the new S3 bucket in the Create a bucket box.
  3. Choose Advanced and set Block all public access to Yes to block anonymous access to the bucket. (Optional) You can also provide a location prefix in the Data discovery result prefix box.
  4. For KMS encryption, choose Select a key from your account, and select the name (alias) of the KMS key that you want to use for data encryption, from the KMS key alias dropdown list.
  5. Choose Save to apply the changes.

07 In the left navigation panel, select Jobs, and choose Create job to create a new data discovery job in the selected AWS region.

08 On the Create setup page, perform the following operations:

  1. For Step 1 Choose S3 buckets, choose Select specific buckets, and select the S3 bucket(s) that you want to analyze for sensitive data. Choose Next to continue.
  2. For Step 2 Review S3 buckets, review the selected S3 buckets, then choose Next to continue the setup process.
  3. For Step 3 Refine the scope, specify how often you want the new discovery job to run. You can also specify the depth and scope of the job's analysis. Choose Next to continue the process.
  4. (Optional) For Step 4 Select custom data identifiers, choose the custom data identifiers that your new job can use. A custom data identifier is a set of criteria that you define to detect sensitive data. Select each custom data identifier that you want the job to use in addition to the managed data identifier that Macie provides. Choose Next to continue.
  5. For Step 5 Enter a name and description, provide a name and, optionally, a description for the new job. Choose Next to continue.
  6. For Step 6 Review and create, review the job configuration details, then choose Submit to create your new Amazon Macie data discovery job.

09 To view and analyze the Amazon Macie findings, follow the steps outlined in this conformity rule.

10 Repeat steps no. 2 – 9 to enable Amazon Macie and create data discovery jobs for each supported AWS region.

Using AWS CLI

01 If Amazon Macie is not enabled, run enable-macie command (OSX/Linux/UNIX) to enable the service for a given AWS region. A finding publishing frequency can be provided to specify how often findings are published:

aws macie2 enable-macie \
  --region us-east-1 \
  --finding-publishing-frequency "ONE_HOUR" \
  --status ENABLED

02 Define the policy that enables the selected IAM users and/or roles to manage the KMS key required to encrypt/decrypt your Amazon Macie repository data. Create a new policy document (JSON format), name the file macie-data-key-policy.json, and paste the following content (replace the highlighted details, i.e. the ARNs for the IAM users and/or roles, with your own details):

{
  "Id": "macie-data-key-policy",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::aws-account-id:root"
      },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Allow Amazon Macie to use the key",
      "Effect": "Allow",
      "Principal": {
        "Service": "macie.amazonaws.com"
      },
      "Action": [
        "kms:GenerateDataKey",
        "kms:Encrypt"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow access for Key Administrators",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::aws-account-id:role/role-name"
      },
      "Action": [
        "kms:Create*",
        "kms:Describe*",
        "kms:Enable*",
        "kms:List*",
        "kms:Put*",
        "kms:Update*",
        "kms:Revoke*",
        "kms:Disable*",
        "kms:Get*",
        "kms:Delete*",
        "kms:TagResource",
        "kms:UntagResource",
        "kms:ScheduleKeyDeletion",
        "kms:CancelKeyDeletion"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow use of the key",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::aws-account-id:role/role-name"
      },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow attachment of persistent resources",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::aws-account-id:role/role-name"
      },
      "Action": [
        "kms:CreateGrant",
        "kms:ListGrants",
        "kms:RevokeGrant"
      ],
      "Resource": "*",
      "Condition": {
        "Bool": {
          "kms:GrantIsForAWSResource": "true"
        }
      }
    }
  ]
}

03 Run create-key command (OSX/Linux/UNIX) using the policy document created at the previous step (i.e. macie-data-key-policy.json) as the value for the --policy parameter, to create your new Amazon KMS key:

aws kms create-key \
  --region us-east-1 \
  --description 'KMS key for Macie repository data encryption' \
  --policy file://macie-data-key-policy.json \
  --query 'KeyMetadata.Arn'

04 The command output should return the ARN of the new KMS key:

"arn:aws:kms:us-east-1:123456789012:key/abcdabcd-1234-abcd-1234-abcd1234abcd"

05 Run create-alias command (OSX/Linux/UNIX) using the key ARN returned at the previous step to attach an alias to the new key. The alias must start with the prefix "alias/" (the command should not produce an output):

aws kms create-alias \
  --region us-east-1 \
  --alias-name alias/MacieDataKMSKey \
  --target-key-id arn:aws:kms:us-east-1:123456789012:key/abcdabcd-1234-abcd-1234-abcd1234abcd

06 Run create-bucket command (OSX/Linux/UNIX) to create the Amazon S3 bucket that will serve as the repository for the Macie data discovery results within the selected AWS region:

aws s3api create-bucket \
  --region us-east-1 \
  --bucket cc-discovery-results-repository \
  --acl private

07 The command output should return the name of the newly created S3 bucket:

{
  "Location": "/cc-discovery-results-repository"
}

08 Run put-public-access-block command (OSX/Linux/UNIX) to enable the S3 Public Access Block feature for the new Amazon S3 bucket (the command should not produce an output):

aws s3api put-public-access-block \
  --region us-east-1 \
  --bucket cc-discovery-results-repository \
  --public-access-block-configuration BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true

09 Define the access policy for the newly created Amazon S3 bucket. Save the following bucket policy to a JSON file named macie-repository-policy.json (replace the highlighted details, i.e. the bucket and the KMS key ARNs, with your own details):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Deny non-HTTPS access",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::cc-discovery-results-repository/*",
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    },
    {
      "Sid": "Deny incorrect encryption header. This is optional",
      "Effect": "Deny",
      "Principal": {
        "Service": "macie.amazonaws.com"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::cc-discovery-results-repository/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption-aws-kms-key-id":
          "arn:aws:kms:us-east-1:123456789012:key/abcdabcd-1234-abcd-1234-abcd1234abcd"
        }
      }
    },
    {
      "Sid": "Deny unencrypted object uploads. This is optional",
      "Effect": "Deny",
      "Principal": {
        "Service": "macie.amazonaws.com"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::cc-discovery-results-repository/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "aws:kms"
        }
      }
    },
    {
      "Sid": "Allow Macie to upload objects to the bucket",
      "Effect": "Allow",
      "Principal": {
        "Service": "macie.amazonaws.com"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::cc-discovery-results-repository/*"
    },
    {
      "Sid": "Allow Macie to use the getBucketLocation operation",
      "Effect": "Allow",
      "Principal": {
        "Service": "macie.amazonaws.com"
      },
      "Action": "s3:GetBucketLocation",
      "Resource": "arn:aws:s3:::cc-discovery-results-repository"
    }
  ]
}

10 Run put-bucket-policy command (OSX/Linux/UNIX) to attach the bucket policy defined at the previous step to your new Amazon S3 bucket (the command does not produce an output):

aws s3api put-bucket-policy \
  --region us-east-1 \
  --bucket cc-discovery-results-repository \
  --policy file://macie-repository-policy.json

11 Run put-classification-export-configuration command (OSX/Linux/UNIX) to update the configuration settings for storing Macie data discovery results, configuring the Amazon S3 bucket and KMS key created at the previous steps as the data repository in the selected AWS region. The key ARN given here must match the key ARN pinned in the bucket policy, otherwise the policy's encryption-header Deny statement will block Macie's uploads:

aws macie2 put-classification-export-configuration \
  --region us-east-1 \
  --configuration "s3Destination={bucketName=cc-discovery-results-repository,kmsKeyArn=arn:aws:kms:us-east-1:123456789012:key/abcdabcd-1234-abcd-1234-abcd1234abcd}"

12 The command output should return the updated configuration settings:

{
  "configuration": {
    "s3Destination": {
      "bucketName": "cc-discovery-results-repository",
      "kmsKeyArn": "arn:aws:kms:us-east-1:123456789012:key/abcdabcd-1234-abcd-1234-abcd1234abcd"
    }
  }
}

13 Create the required data discovery job definition and save the definition to a JSON file named cc-macie-job-definition.json. The data discovery job definition contains the names of the S3 buckets to analyze for sensitive data, the ID of the AWS account that owns the buckets, and the scope of the analysis (optional):

{
  "bucketDefinitions": [
    {
      "accountId": "123456789012",
      "buckets": [
        "cc-prod-web-data",
        "cc-project5-data"
      ]
    }
  ],
  "scoping": {}
}

14 To create a new Amazon Macie data discovery job in the selected AWS region, run create-classification-job command (OSX/Linux/UNIX) using the job definition created at the previous step (i.e. cc-macie-job-definition.json):

aws macie2 create-classification-job \
  --region us-east-1 \
  --job-type ONE_TIME \
  --name cc-s3-data-discovery-job \
  --s3-job-definition file://cc-macie-job-definition.json

15 The command output should return the identifiers of the newly created data discovery job:

{
  "jobArn": "arn:aws:macie2:us-east-1:123456789012:classification-job/1234abcd1234abcd1234abcd1234abcd",
  "jobId": "1234abcd1234abcd1234abcd1234abcd"
}

16 To view and analyze the Amazon Macie findings, follow the steps outlined in this conformity rule.

17 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for each supported AWS region.
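Steps 02, 09, 11 and 13 above each ask you to hand-edit an account ID, bucket name or KMS key ARN into a JSON document, and a typo in any one of them is silent: a bucket policy that pins a different key ARN than the one passed to put-classification-export-configuration denies every Macie PutObject, so results are simply never stored. The script below, an added example for this rule and not Conformity's or AWS's code, renders the key policy, the bucket policy, the export configuration and the job definition from one set of parameters and checks that the bucket policy and the export configuration agree. The placeholder account, bucket, key ARN and the MacieKeyAdmin role name are constructed; the optional `excluded_prefixes` scoping uses the OBJECT_KEY / STARTS_WITH scope term, which is an assumption about the Macie2 S3JobDefinition schema and not something this page shows.

```python
"""Render the JSON documents the CLI remediation consumes and check they agree.

Added example (not Conformity's or AWS's code). Placeholder values are constructed.
"""
import json
import re

ACCOUNT_ID = "123456789012"                                  # constructed
REGION = "us-east-1"
BUCKET = "cc-discovery-results-repository"                   # constructed
KEY_ARN = f"arn:aws:kms:{REGION}:{ACCOUNT_ID}:key/abcdabcd-1234-abcd-1234-abcd1234abcd"
ADMIN_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/MacieKeyAdmin"  # assumed role name
MACIE = {"Service": "macie.amazonaws.com"}
KMS_ADMIN_ACTIONS = ["kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*",
                     "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*",
                     "kms:TagResource", "kms:UntagResource", "kms:ScheduleKeyDeletion",
                     "kms:CancelKeyDeletion"]
KMS_USE_ACTIONS = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*",
                   "kms:DescribeKey"]


def statement(sid, effect, principal, action, resource="*", condition=None):
    """Build one IAM policy statement; Condition is only emitted when given."""
    st = {"Sid": sid, "Effect": effect, "Principal": principal, "Action": action, "Resource": resource}
    if condition:
        st["Condition"] = condition
    return st


def key_policy(account_id, admin_role_arn):
    """KMS key policy of step 02: account root, the Macie service, and one admin/user role."""
    root = {"AWS": f"arn:aws:iam::{account_id}:root"}
    role = {"AWS": admin_role_arn}
    return {"Id": "macie-data-key-policy", "Version": "2012-10-17", "Statement": [
        statement("Enable IAM User Permissions", "Allow", root, "kms:*"),
        statement("Allow Amazon Macie to use the key", "Allow", MACIE,
                  ["kms:GenerateDataKey", "kms:Encrypt"]),
        statement("Allow access for Key Administrators", "Allow", role, KMS_ADMIN_ACTIONS),
        statement("Allow use of the key", "Allow", role, KMS_USE_ACTIONS),
        statement("Allow attachment of persistent resources", "Allow", role,
                  ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"],
                  condition={"Bool": {"kms:GrantIsForAWSResource": "true"}}),
    ]}


def bucket_policy(bucket, key_arn):
    """Repository bucket policy of step 09, with the key ARN pinned in the encryption-header Deny."""
    objects = f"arn:aws:s3:::{bucket}/*"
    return {"Version": "2012-10-17", "Statement": [
        statement("Deny non-HTTPS access", "Deny", "*", "s3:*", objects,
                  {"Bool": {"aws:SecureTransport": "false"}}),
        statement("Deny incorrect encryption header", "Deny", MACIE, "s3:PutObject", objects,
                  {"StringNotEquals": {"s3:x-amz-server-side-encryption-aws-kms-key-id": key_arn}}),
        statement("Deny unencrypted object uploads", "Deny", MACIE, "s3:PutObject", objects,
                  {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}),
        statement("Allow Macie to upload objects to the bucket", "Allow", MACIE, "s3:PutObject", objects),
        statement("Allow Macie to use the getBucketLocation operation", "Allow", MACIE,
                  "s3:GetBucketLocation", f"arn:aws:s3:::{bucket}"),
    ]}


def export_configuration(bucket, key_arn):
    """Value for put-classification-export-configuration (step 11)."""
    return {"s3Destination": {"bucketName": bucket, "kmsKeyArn": key_arn}}


def job_definition(account_id, buckets, excluded_prefixes=()):
    """Job definition of step 13. Assumption: excludes use an OBJECT_KEY STARTS_WITH scope term."""
    scoping = {}
    if excluded_prefixes:
        scoping = {"excludes": {"and": [{"simpleScopeTerm": {
            "comparator": "STARTS_WITH", "key": "OBJECT_KEY", "values": list(excluded_prefixes)}}]}}
    return {"bucketDefinitions": [{"accountId": account_id, "buckets": list(buckets)}],
            "scoping": scoping}


def check_consistency(policy, config):
    """Return mismatches between the bucket policy and the export configuration.
    A pinned key ARN that differs from the export key means every Macie PutObject is denied."""
    dest = config["s3Destination"]
    problems = []
    for st in policy["Statement"]:
        pinned = st.get("Condition", {}).get("StringNotEquals", {}).get(
            "s3:x-amz-server-side-encryption-aws-kms-key-id")
        if pinned and pinned != dest["kmsKeyArn"]:
            problems.append(f"{st['Sid']}: pins {pinned}, export config uses {dest['kmsKeyArn']}")
        bucket = re.sub(r"^arn:aws:s3:::", "", st["Resource"]).split("/")[0]
        if bucket != dest["bucketName"]:
            problems.append(f"{st['Sid']}: resource bucket {bucket} != {dest['bucketName']}")
    return problems


def write_documents(path_prefix=""):
    """Write the three files the CLI steps read with file://; returns their names."""
    docs = {"macie-data-key-policy.json": key_policy(ACCOUNT_ID, ADMIN_ROLE_ARN),
            "macie-repository-policy.json": bucket_policy(BUCKET, KEY_ARN),
            "cc-macie-job-definition.json": job_definition(ACCOUNT_ID, ["cc-prod-web-data", "cc-project5-data"])}
    for name, doc in docs.items():
        with open(path_prefix + name, "w") as fh:
            json.dump(doc, fh, indent=2)
    return list(docs)


if __name__ == "__main__":
    problems = check_consistency(bucket_policy(BUCKET, KEY_ARN), export_configuration(BUCKET, KEY_ARN))
    print("consistency problems:", problems or "none")
    print("wrote:", write_documents())
```

Set the four constants at the top to your real values, run the script once, and then feed the written files to the create-key, put-bucket-policy and create-classification-job commands above; the `kmsKeyArn` printed by `export_configuration` is the same value you pass to put-classification-export-configuration.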

Publication date Sep 9, 2021