01 Run get-findings command (OSX/Linux/UNIX) using the ID of the Amazon Macie security finding that you want to examine as the --finding-ids parameter value (see Audit section part II to identify the right entry), to retrieve the information available for the selected security finding:
aws macie2 get-findings \
  --region ap-southeast-2 \
  --finding-ids abcdabcd-1234-abcd-1234-abcd1234abcd \
  --query 'findings[*]'
02 The command output should return all the information available for the selected Amazon Macie finding:
[
    {
        "category": "POLICY",
        "count": 1,
        "archived": false,
        "title": "Encryption is disabled for the S3 bucket",
        "description": "Encryption is disabled for the Amazon S3 bucket. The data in the bucket isn’t encrypted using server-side encryption.",
        "severity": {
            "score": 2,
            "description": "Medium"
        },
        "region": "ap-southeast-2",
        "partition": "aws",
        "resourcesAffected": {
            "s3Bucket": {
                "name": "cc-candidate-data-bucket",
                "tags": [
                    {
                        "value": "HR",
                        "key": "Division"
                    },
                    {
                        "value": "Recruiting",
                        "key": "Team"
                    }
                ],
                "publicAccess": {
                    "effectivePermission": "NOT_PUBLIC"
                },
                "defaultServerSideEncryption": {
                    "encryptionType": "NONE"
                },
                "arn": "arn:aws:s3:::cc-candidate-data-bucket",
                "owner": {
                    "displayName": "cc-data-manager",
                    "id": "abcdabcdabcdabcdabcdabcdabcdabcd"
                },
                "createdAt": "2020-12-23T10:00:00.000Z"
            }
        },
        "policyDetails": {
            "action": {
                "apiCallDetails": {
                    "api": "PutBucketAcl",
                    "firstSeen": "2020-12-23T10:00:00.000Z",
                    "apiServiceName": "s3.amazonaws.com",
                    "lastSeen": "2020-12-23T10:00:00.000Z"
                },
                "actionType": "AWS_API_CALL"
            },
            "actor": {
                "userIdentity": {
                    "type": "AssumedRole",
                    "assumedRole": {
                        "sessionContext": {
                            "sessionIssuer": {
                                "userName": "RoleToBeAssumed",
                                "type": "Role",
                                "principalId": "ABCDABCDABCDABCDABCD",
                                "arn": "arn:aws:iam::123456789012:role/RoleToBeAssumed",
                                "accountId": "123456789012"
                            },
                            "attributes": {
                                "creationDate": "2020-12-20T11:00:00.000Z",
                                "mfaAuthenticated": false
                            }
                        },
                        "accountId": "123456789012",
                        "principalId": "ABCDABCDABCDABCDABCD:AssumedRoleSessionName",
                        "arn": "arn:aws:sts::123456789012:assumed-role/RoleToBeAssumed/MySessionName",
                        "accessKeyId": "ABCD1234ABCD1234ABCD"
                    }
                }
            }
        },
        "updatedAt": "2020-12-23T10:00:00.000Z",
        "schemaVersion": "1.0",
        "type": "Policy:IAMUser/S3BucketEncryptionDisabled",
        "id": "abcdabcd-1234-abcd-1234-abcd1234abcd",
        "createdAt": "2020-12-23T10:00:00.000Z",
        "accountId": "123456789012"
    }
]
03 For the get-findings command output returned at the previous step, review each security finding by analyzing its properties:
- "type" - the type of the security finding, e.g. "Policy:IAMUser/S3BucketEncryptionDisabled". For example, if default encryption was enabled for an S3 bucket when you enabled Macie for your AWS account, and default encryption is later disabled for the bucket, then Amazon Macie generates a "Policy:IAMUser/S3BucketEncryptionDisabled" finding for the bucket.
- "id" - the identifier (ID) of the security finding.
- "title" - the title of the finding, e.g. "Encryption is disabled for the S3 bucket".
- "description" - a detailed description of the finding, e.g. "Encryption is disabled for the Amazon S3 bucket. The data in the bucket isn't encrypted using server-side encryption."
- "severity.description" - the severity label associated with the security finding, e.g. "Medium". Possible values are "High", "Medium", and "Low".
- "region" - the AWS cloud region where Amazon Macie generated the finding, e.g. "ap-southeast-2".
- "accountId" - the ID of the AWS account where the potential security issue described by the selected finding was found.
- "resourcesAffected.s3Bucket.name" - the name of the affected Amazon S3 bucket.
- "resourcesAffected.s3Bucket.publicAccess" - the permissions settings that determine whether the bucket is publicly accessible.
- "resourcesAffected.s3Bucket.defaultServerSideEncryption" - the S3 Server-Side Encryption algorithm used to encrypt data stored within the specified (affected) bucket. If encryption is disabled for the specified bucket, the "defaultServerSideEncryption.encryptionType" property value is set to "NONE".
- "resourcesAffected.s3Bucket.owner" - the display name and account identifier for the user who owns the affected bucket.
04 Based on the information reviewed at the previous step, you can analyze the security finding and plan the recommended fix. In this case, the remediation consists of enabling S3 Server-Side Encryption (S3 SSE) for the Amazon S3 bucket named in the "resourcesAffected.s3Bucket.name" property of the Amazon Macie finding. To enable and configure Server-Side Encryption for the affected Amazon S3 bucket, follow the steps outlined in this conformity rule.
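The review in steps 03 and 04 can be scripted so that every finding returned by get-findings is reduced to the properties listed above and paired with the remediation it calls for. The Python below is an added example written for this page, not a Cloud Conformity or AWS tool; it parses a constructed sample modelled on the output shown at step 02 (plus a second, constructed finding whose bucket already reports "AES256", to show the no-action path), flattens the step 03 properties, and for "Policy:IAMUser/S3BucketEncryptionDisabled" findings whose bucket still reports "encryptionType": "NONE" builds the aws s3api put-bucket-encryption command that enables default SSE-S3. The bucket name cc-archive-bucket and the second finding ID are assumptions made for the sample.

```python
import json

# Constructed sample: a trimmed copy of the step 02 get-findings output, followed by
# a second constructed finding whose bucket has since been re-encrypted (AES256).
SAMPLE_FINDINGS_JSON = """
[
  {
    "category": "POLICY",
    "title": "Encryption is disabled for the S3 bucket",
    "severity": {"score": 2, "description": "Medium"},
    "region": "ap-southeast-2",
    "resourcesAffected": {
      "s3Bucket": {
        "name": "cc-candidate-data-bucket",
        "publicAccess": {"effectivePermission": "NOT_PUBLIC"},
        "defaultServerSideEncryption": {"encryptionType": "NONE"},
        "owner": {"displayName": "cc-data-manager", "id": "abcdabcdabcdabcdabcdabcdabcdabcd"}
      }
    },
    "policyDetails": {
      "action": {"apiCallDetails": {"api": "PutBucketAcl"}, "actionType": "AWS_API_CALL"},
      "actor": {"userIdentity": {"type": "AssumedRole", "assumedRole": {
        "sessionContext": {"attributes": {"mfaAuthenticated": false}},
        "arn": "arn:aws:sts::123456789012:assumed-role/RoleToBeAssumed/MySessionName"}}}
    },
    "type": "Policy:IAMUser/S3BucketEncryptionDisabled",
    "id": "abcdabcd-1234-abcd-1234-abcd1234abcd",
    "accountId": "123456789012"
  },
  {
    "category": "POLICY",
    "title": "Encryption is disabled for the S3 bucket",
    "severity": {"score": 1, "description": "Low"},
    "region": "ap-southeast-2",
    "resourcesAffected": {"s3Bucket": {"name": "cc-archive-bucket",
      "defaultServerSideEncryption": {"encryptionType": "AES256"}}},
    "type": "Policy:IAMUser/S3BucketEncryptionDisabled",
    "id": "00000000-0000-0000-0000-000000000002",
    "accountId": "123456789012"
  }
]
"""

ENCRYPTION_DISABLED_TYPE = "Policy:IAMUser/S3BucketEncryptionDisabled"


def get_path(obj, dotted, default=None):
    """Walk a dotted path such as 'resourcesAffected.s3Bucket.name' through nested dicts."""
    cur = obj
    for key in dotted.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur


def summarize_finding(finding):
    """Flatten the properties reviewed at step 03 (plus the acting identity) into one dict."""
    bucket = "resourcesAffected.s3Bucket."
    actor = "policyDetails.actor.userIdentity.assumedRole."
    return {
        "type": finding.get("type"),
        "id": finding.get("id"),
        "title": finding.get("title"),
        "severity": get_path(finding, "severity.description"),
        "region": finding.get("region"),
        "accountId": finding.get("accountId"),
        "bucket": get_path(finding, bucket + "name"),
        "publicAccess": get_path(finding, bucket + "publicAccess.effectivePermission"),
        "encryptionType": get_path(finding, bucket + "defaultServerSideEncryption.encryptionType"),
        "owner": get_path(finding, bucket + "owner.displayName"),
        "actorArn": get_path(finding, actor + "arn"),
        "mfaAuthenticated": get_path(finding, actor + "sessionContext.attributes.mfaAuthenticated"),
    }


def remediation_command(summary):
    """Return the aws s3api command that enables default SSE-S3 (AES256) on the bucket,
    or None when the finding is of another type or the bucket already reports encryption."""
    if summary["type"] != ENCRYPTION_DISABLED_TYPE or summary["encryptionType"] != "NONE":
        return None
    sse_config = json.dumps(
        {"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}
    )
    return (
        "aws s3api put-bucket-encryption"
        f" --region {summary['region']}"
        f" --bucket {summary['bucket']}"
        f" --server-side-encryption-configuration '{sse_config}'"
    )


def triage(findings_json):
    """Parse get-findings output and return (summary, command-or-None) pairs, highest severity first."""
    findings = json.loads(findings_json)
    findings.sort(key=lambda f: get_path(f, "severity.score", 0), reverse=True)
    summaries = [summarize_finding(f) for f in findings]
    return [(s, remediation_command(s)) for s in summaries]


if __name__ == "__main__":
    for summary, command in triage(SAMPLE_FINDINGS_JSON):
        print(f"[{summary['severity']}] {summary['id']} {summary['bucket']} sse={summary['encryptionType']}")
        print("  remediation:", command or "none required")
```

Feed the script the real output of the get-findings command (for example by reading stdin instead of SAMPLE_FINDINGS_JSON) and it produces one line per finding plus the exact put-bucket-encryption call to run at step 04; findings whose bucket no longer reports "NONE" are left alone so the fix is not re-applied blindly.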
05 Repeat steps no. 1 – 4 for each Amazon Macie security finding identified in the selected AWS region.
06 Change the AWS region by updating the --region command parameter value and repeat the entire remediation/resolution process for other regions.