Gain insight into S3 bucket policy and sensitive data vulnerabilities by summarizing Amazon Macie findings data for each S3 bucket included in a Macie job. Take all the necessary actions to protect business-critical and sensitive information such as credit cards, financial records, or Personally Identifiable Information (PII), stored within Amazon S3. Amazon Macie generates a finding each time it detects a potential policy violation for an Amazon Simple Storage Service (Amazon S3) bucket or it discovers sensitive data in an S3 object. For S3 buckets storing large amounts of user data, a statistical summary of the findings in each category acts as a useful starting point to conduct further analysis of your sensitive S3 resources. Where needed, Macie findings can then be analyzed and resolved in depth on an individual basis.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
Amazon Macie is a data security service that uses machine learning to automatically discover, classify, and protect critical data within the AWS cloud. Macie can help you meet governance, compliance, and audit standards. For example, because the service recognizes Personally Identifiable Information (PII), it can help you comply with General Data Protection Regulation (GDPR) requirements around encryption and pseudonymization of data. Through Amazon Macie findings you can achieve preventive security, safeguard your sensitive data, automate compliance (including GDPR compliance), and avoid inadvertent data leaks.
Audit
To verify your AWS cloud account for Amazon Macie security findings, perform the following operations:
Remediation / Resolution
To access, analyze, and resolve any Amazon Macie security findings identified within your AWS cloud account, perform the following operations:
Note 1: As an example, this section demonstrates how to analyze and resolve an Amazon Macie finding detected for an Amazon S3 bucket that is not encrypted using S3 Server-Side Encryption (S3-SSE). This is an example of a policy finding, which is a detailed report of a potential policy violation for an S3 bucket. Macie can also generate sensitive data findings, which provide insight into sensitive information stored inside an S3 bucket. Macie generates these findings as part of its ongoing monitoring activities for your Amazon S3 data.
Note 2: For a fuller explanation of all the different types of Macie findings, the severity scoring system in Amazon Macie, how to locate sensitive data with Macie findings, or managing finding suppression, please refer to the AWS documentation.
Note 3: As an example, the remediation process required to resolve the Macie security finding consists of enabling S3 Server-Side Encryption (S3-SSE) for the Amazon S3 bucket specified within the security finding details.
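The following is an added example, not Conformity's or AWS's own code, showing the two halves of this rule together: the per-bucket statistical summary described in the audit section (the kind of data that `aws macie2 get-finding-statistics` and `aws macie2 get-findings` return) and the remediation in Note 3 (deriving the default-encryption configuration that `aws s3api put-bucket-encryption` expects for each bucket flagged as unencrypted). The finding records are constructed for this example; their field names (`category`, `type`, `severity`, `archived`, `resourcesAffected.s3Bucket.name`) follow the Macie2 Finding structure as an assumption, and the bucket names and finding ids are placeholders.

```python
"""Summarize Amazon Macie findings per S3 bucket and build the S3-SSE
remediation payload for buckets with an active encryption-disabled finding.

Added example (not Conformity's or AWS's code). SAMPLE_FINDINGS is constructed;
its shape assumes the Macie2 Finding structure returned by `get-findings`.
"""
from collections import Counter, defaultdict

# Constructed sample: a subset of the fields `aws macie2 get-findings` returns.
SAMPLE_FINDINGS = [
    {"id": "f-001", "category": "POLICY",
     "type": "Policy:IAMUser/S3BucketEncryptionDisabled",
     "severity": {"description": "Medium", "score": 2}, "archived": False,
     "resourcesAffected": {"s3Bucket": {"name": "payments-archive"}}},
    {"id": "f-002", "category": "CLASSIFICATION",
     "type": "SensitiveData:S3Object/Financial",
     "severity": {"description": "High", "score": 3}, "archived": False,
     "resourcesAffected": {"s3Bucket": {"name": "payments-archive"}}},
    {"id": "f-003", "category": "CLASSIFICATION",
     "type": "SensitiveData:S3Object/Personal",
     "severity": {"description": "High", "score": 3}, "archived": False,
     "resourcesAffected": {"s3Bucket": {"name": "hr-exports"}}},
    {"id": "f-004", "category": "POLICY",
     "type": "Policy:IAMUser/S3BucketPublic",
     "severity": {"description": "High", "score": 3}, "archived": True,
     "resourcesAffected": {"s3Bucket": {"name": "hr-exports"}}},
    {"id": "f-005", "category": "CLASSIFICATION",
     "type": "SensitiveData:S3Object/Credentials",
     "severity": {"description": "High", "score": 3}, "archived": False,
     "resourcesAffected": {"s3Bucket": {"name": "hr-exports"}}},
]

ENCRYPTION_DISABLED = "Policy:IAMUser/S3BucketEncryptionDisabled"


def summarize_by_bucket(findings, include_archived=False):
    """Return {bucket: {"by_category", "by_severity", "by_type"}} counters.
    Archived (suppressed) findings are skipped unless include_archived is set,
    so the summary reflects only what still needs review."""
    summary = defaultdict(lambda: {"by_category": Counter(),
                                   "by_severity": Counter(),
                                   "by_type": Counter()})
    for f in findings:
        if f.get("archived") and not include_archived:
            continue
        bucket = f["resourcesAffected"]["s3Bucket"]["name"]
        s = summary[bucket]
        s["by_category"][f["category"]] += 1
        s["by_severity"][f["severity"]["description"]] += 1
        s["by_type"][f["type"]] += 1
    return dict(summary)


def rank_buckets(summary):
    """Order buckets by weighted severity (High=3, Medium=2, Low=1) so the
    riskiest bucket is analyzed first."""
    weight = {"High": 3, "Medium": 2, "Low": 1}

    def score(item):
        _, s = item
        return sum(weight.get(sev, 0) * n for sev, n in s["by_severity"].items())

    return [b for b, _ in sorted(summary.items(), key=score, reverse=True)]


def buckets_needing_sse(findings):
    """Buckets that carry an active (non-archived) encryption-disabled finding."""
    return sorted({f["resourcesAffected"]["s3Bucket"]["name"]
                   for f in findings
                   if f["type"] == ENCRYPTION_DISABLED and not f.get("archived")})


def sse_remediation_payload(bucket, kms_key_id=None):
    """Build the ServerSideEncryptionConfiguration that
    `aws s3api put-bucket-encryption` takes: SSE-KMS when a key id is
    supplied, otherwise SSE-S3 (AES256)."""
    if kms_key_id:
        default = {"SSEAlgorithm": "aws:kms", "KMSMasterKeyID": kms_key_id}
    else:
        default = {"SSEAlgorithm": "AES256"}
    return {"Bucket": bucket,
            "ServerSideEncryptionConfiguration": {
                "Rules": [{"ApplyServerSideEncryptionByDefault": default,
                           "BucketKeyEnabled": True}]}}


if __name__ == "__main__":
    summary = summarize_by_bucket(SAMPLE_FINDINGS)
    for bucket in rank_buckets(summary):
        s = summary[bucket]
        print(f"{bucket}: {dict(s['by_category'])} severity={dict(s['by_severity'])}")
    for bucket in buckets_needing_sse(SAMPLE_FINDINGS):
        print("remediate:", sse_remediation_payload(bucket))
```

Archived findings are excluded by default because a suppression rule in Macie archives findings you have already accepted; counting them would inflate the bucket's apparent risk. The payload returned by `sse_remediation_payload` is the JSON you would pass to `put-bucket-encryption`; applying it to a live account is left to the operator.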
References
- AWS Official Documentation:
  - Amazon Macie
  - Analyzing Amazon Macie findings
  - Types of Amazon Macie findings
  - Reviewing findings on the Amazon Macie console
  - Severity scoring for Amazon Macie findings
  - Locating sensitive data with Amazon Macie findings
  - Suppressing Amazon Macie findings
  - Amazon Macie concepts and terminology
- AWS Command Line Interface (CLI) Documentation:
  - macie2
  - get-finding-statistics
  - list-findings
  - get-findings
- CloudFormation Documentation:
  - AWS::S3::Bucket
- Terraform Documentation:
  - AWS Provider