Amazon Macie Finding Statistics for S3

Risk Level: High

Rule ID: S3-029

Gain insight into S3 bucket policy and sensitive data vulnerabilities by summarizing Amazon Macie findings data for each S3 bucket included in a Macie job. Take all the necessary actions to protect business-critical and sensitive information such as credit cards, financial records, or Personally Identifiable Information (PII), stored within Amazon S3. Amazon Macie generates a finding each time it detects a potential policy violation for an Amazon Simple Storage Service (Amazon S3) bucket or it discovers sensitive data in an S3 object. For S3 buckets storing large amounts of user data, a statistical summary of the findings in each category acts as a useful starting point to conduct further analysis of your sensitive S3 resources. Where needed, Macie findings can then be analyzed and resolved in depth on an individual basis.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

Amazon Macie is a data security service that utilizes machine learning to automatically discover, classify, and protect critical data within AWS cloud. Macie can help you with governance, compliance and audit standards. For example, the service can enable you to comply with General Data Protection Regulation (GDPR) regulations around encryption and pseudonymization of data as it recognizes Personally Identifiable Information (PII). Through Amazon Macie findings you can achieve preventive security, safeguard your sensitive data, automate compliance (including GDPR compliance), and avoid inadvertent data leaks.

Audit

To verify your AWS cloud account for Amazon Macie security findings, perform the following operations:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to Amazon Macie console at https://console.aws.amazon.com/macie.

03 In the left-hand navigation panel for Amazon Macie, under Findings, select By bucket to access the list of Macie findings identified within the current AWS region, grouped by S3 bucket.

04 If no findings are found in the verified region, the following confirmation message is shown: No result(s) match the current filter criteria. If one or more findings are detected by Amazon Macie, the console will display a list of impacted S3 buckets hosted in your AWS region.

05 Click on the name of the bucket you want to investigate further. This will open up a panel showing a further breakdown of the number of security findings associated with the selected bucket by type, severity, and job identifier. For an explanation of the different types of findings that could be generated by Amazon Macie, please visit the AWS guide on Types of Amazon Macie findings. For more information about the severity scoring system, please visit the AWS guide on the Severity scoring for Amazon Macie findings.

06 You can investigate the breakdown in more detail by opening out any of the individual statistics into a new browser window.

07 Change the AWS cloud region from the navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Run the get-finding-statistics command (OSX/Linux/UNIX) with custom query filters to summarize the Amazon Macie findings results, grouped by S3 bucket:

aws macie2 get-finding-statistics
  --region ap-southeast-2
  --group-by resourcesAffected.s3Bucket.name

02 The command output should return a summary of the total count of Macie findings per S3 bucket, available in the specified region:

{
  "countsByGroup": [
    {
      "count": 101,
      "groupKey": "sample-bucket-1"
    },
    {
      "count": 202,
      "groupKey": "sample-bucket-2"
    },
  ]
}

If the results returned by the get-finding-statistics command output contain data for individual S3 buckets, there are Amazon Macie security findings that need to be resolved for that S3 bucket, in the selected AWS region.

03 For a deeper analysis, run the get-finding-statistics command (OSX/Linux/UNIX) with the --group-by parameter set to type and the --finding-criteria set for the specified S3 bucket, to show the breakdown of the finding types available for the specified S3 bucket:

aws macie2 get-finding-statistics
  --region ap-southeast-2
  --group-by type
  --finding-criteria criterion={resourcesAffected.s3Bucket.name={eq=sample-bucket-1}}

04 The command response should return the security findings identified for the chosen S3 bucket, broken down by finding type:

{
  "countsByGroup": [
    {
      "count": 1,
      "groupKey": "Policy:IAMUser/S3BucketEncryptionDisabled"
    },
    {
      "count": 50,
      "groupKey": "SensitiveData:S3Object/Credentials"
    },
    {
      "count": 25,
      "groupKey": "SensitiveData:S3Object/Multiple"
    },
    {
      "count": 25,
      "groupKey": "SensitiveData:S3Object/Financial"
    },
    {
      "count": 1,
      "groupKey": "SensitiveData:S3Object/Financial"
    }
  ]
}

05 To start to investigate specific findings, you can run a list-findings command (OSX/Linux/UNIX) using the filter to capture only the results for a specific S3 bucket:

aws macie2 list-findings
  --region ap-southeast-2
  --finding-criteria criterion={resourcesAffected.s3Bucket.name={eq=sample-bucket-1}}

The command output should return the ID(s) of the available security finding(s) or an empty array (i.e. []) if there are no active security findings identified in the selected AWS region:

[
  "abcdabcd-1234-1234-1234-abcdabcdabcd",
  "abcd1234-abcd-1234-abcd-1234abcd1234",
  "1234abcd-1234-abcd-1234-abcd1234abcd"
]

06 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.

Remediation / Resolution

To access, analyze, and resolve any Amazon Macie security findings identified within your AWS cloud account, perform the following operations:

Note 1: As an example, this section demonstrates how to analyze and resolve an Amazon Macie finding detected for an Amazon S3 bucket that is not encrypted using S3 Server-Side Encryption (S3 SSE). This is an example of a policy finding, which is a detailed report of a potential policy violation for an S3 bucket. Macie can also generate sensitive data findings, which provide insight into sensitive information stored inside an S3 bucket. Macie generates these findings as part of its ongoing monitoring activities for your Amazon S3 data.

Note 2: For a fuller explanation of all the different types of Macie findings, the severity scoring system in Amazon Macie, how to locate sensitive data with Macie findings, or managing finding suppression, please refer to the AWS documentation.

Note 3: As an example, the remediation process required to resolve the Macie security finding consists of enabling S3 Server-Side Encryption (S3-SSE) for the Amazon S3 bucket specified within the security finding details.

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Enable S3-SSE using the AWS-Managed Key",
  "Resources": {
    "EncryptedS3Bucket": {
      "Properties": {
        "BucketName": "cc-candidate-data-bucket",
        "BucketEncryption": {
          "ServerSideEncryptionConfiguration": [
            {
              "ServerSideEncryptionByDefault": {
                "SSEAlgorithm": "aws:kms",
                "KMSMasterKeyID": "arn:aws:kms:us-east-1:123456789012:alias/aws/s3"
              }
            }
          ]
        }
      },
      "Type": "AWS::S3::Bucket"
    }
  }
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Description: Enable S3-SSE using the AWS-Managed Key
Resources:
  EncryptedS3Bucket:
    Properties:
      BucketName: cc-candidate-data-bucket
        BucketEncryption:
        ServerSideEncryptionConfiguration:
        - ServerSideEncryptionByDefault:
          SSEAlgorithm: aws:kms
          KMSMasterKeyID: arn:aws:kms:us-east-1:123456789012:alias/aws/s3
  Type: AWS::S3::Bucket

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
  required_providers {
    aws = {
      source = "hashicorp/aws"
      version = "~> 3.27"
    }
  }

  required_version = ">= 0.14.9"
}

provider "aws" {
  profile = "default"
  region = "us-east-1"
}

resource "aws_s3_bucket" "sse-encrypted-bucket" {
  bucket = "cc-candidate-data-bucket"

  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        kms_master_key_id = "arn:aws:kms:us-east-1:123456789012:alias/aws/s3"
        sse_algorithm = "aws:kms"
      }
    }
  }

}

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to Amazon Macie console at https://console.aws.amazon.com/macie.

03 In the navigation panel, under Amazon Macie, choose Findings.

04 On the Findings page, select All from the filter dropdown list, to view all the security findings identified by the Amazon Macie within the selected AWS region.

05 Click on the security finding that you want to analyze and resolve, to access the information generated for the selected Amazon Macie finding.

06 Once the finding description panel is open, review the selected entry by checking the most important attributes:

For main section:
1. Finding type – the type of the security finding, e.g. "Policy:IAMUser/S3BucketEncryptionDisabled". For example, if default encryption was enabled for an S3 bucket when you enabled Macie for your AWS account, and default encryption is later disabled for the bucket, then Amazon Macie generates a "Policy:IAMUser/S3BucketEncryptionDisabled" finding for the S3 bucket.
2. Finding ID – the identifier (ID) of the security finding.
3. Description – a detailed description of the finding, e.g. "Encryption is disabled for the Amazon S3 bucket. The data in the bucket isn't encrypted using server-side encryption."
For Overview section:
1. Severity – the severity label associated with the security finding, e.g. "Medium". Possible values are High, Medium, and Low.
2. Region – the AWS cloud region where Amazon Macie generated the finding.
3. Account ID – the ID number of the AWS account where the potential security issue described by the selected finding was found.
4. Resource – the direct link to the affected AWS cloud resource.
For Resources affected (S3 bucket) section:
1. Bucket name – the name of the affected Amazon S3 bucket.
2. Public access – the permissions settings that determine whether the bucket is publicly accessible.
3. Encryption type – the S3 Server-Side Encryption algorithm used to encrypt data stored within the specified (affected) bucket. If encryption is disabled for the specified bucket, the Encryption type value is set to NONE.
4. Owner – the display name and account identifier for the user who owns the affected bucket.

07 Based on the information reviewed at the previous step you can analyze the security finding and make a plan to implement the recommended fix. In this case, the remediation consists of enabling S3 Server-Side Encryption (S3 SSE) for the Amazon S3 bucket specified within the Amazon Macie finding details. To enable and configure Server-Side Encryption for the affected Amazon S3 bucket, follow the steps outlined in the S3 Server-Side Encryption conformity rule.

08 Repeat steps no. 5 – 7 for each Amazon Macie security finding identified within the current AWS region.

09 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

01 Run get-findings command (OSX/Linux/UNIX) using the ID of the Amazon Macie security finding that you want to examine as the identifier parameter (see CLI Audit section step no. 5 to identify a specific finding ID), to retrieve the information available for the selected security finding:

aws macie2 get-findings
  --region ap-southeast-2
  --finding-ids abcdabcd-1234-abcd-1234-abcd1234abcd
  --query 'findings[*]'

02 The command output should return all the information available for the selected Amazon Macie finding:

[
  {
    "category": "POLICY",
    "count": 1,
    "archived": false,
    "title": "Encryption is disabled for the S3 bucket",
    "description": "Encryption is disabled for the Amazon S3 bucket. The data in the bucket isn’t encrypted using
    server-side encryption.",
    "severity": {
      "score": 2,
      "description": "Medium"
    },
    "region": "ap-southeast-2",
    "partition": "aws",
    "resourcesAffected": {
      "s3Bucket": {
        "name": "cc-candidate-data-bucket",
        "tags": [
          {
            "value": "HR",
            "key": "Division"
          },
          {
            "value": "Recruiting",
            "key": "Team"
          }
        ],
        "publicAccess": {
          "effectivePermission": "NOT_PUBLIC"
        },
        "defaultServerSideEncryption": {
          "encryptionType": "NONE"
        },
        "arn": "arn:aws:s3:::cc-candidate-data-bucket",
        "owner": {
          "displayName": "cc-data-manager",
          "id": "abcdabcdabcdabcdabcdabcdabcdabcd"
        },
        "createdAt": "2020-12-23T10:00:00.000Z"
      }
    },
    "policyDetails": {
      "action": {
        "apiCallDetails": {
          "api": "PutBucketAcl",
          "firstSeen": "2020-12-23T10:00:00.000Z",
          "apiServiceName": "s3.amazonaws.com",
          "lastSeen": "2020-12-23T10:00:00.000Z"
        },
        "actionType": "AWS_API_CALL"
      },
      "actor": {
        "userIdentity": {
          "type": "AssumedRole",
          "assumedRole": {
            "sessionContext": {
              "sessionIssuer": {
                "userName": "RoleToBeAssumed",
                "type": "Role",
                "principalId": "ABCDABCDABCDABCDABCD",
                "arn": "arn:aws:iam::123456789012:role/RoleToBeAssumed",
                "accountId": "123456789012"
              },
              "attributes": {
                "creationDate": "2020-12-20T11:00:00.000Z",
                "mfaAuthenticated": false
              }
            },
            "accountId": "123456789012",
            "principalId": "ABCDABCDABCDABCDABCD:AssumedRoleSessionName",
            "arn": "arn:aws:sts::123456789012:assumed-role/RoleToBeAssumed/MySessionName",
            "accessKeyId": "ABCD1234ABCD1234ABCD"
          }
        }
      }
    },
    "updatedAt": "2020-12-23T10:00:00.000Z",
    "schemaVersion": "1.0",
    "type": "Policy:IAMUser/S3BucketEncryptionDisabled",
    "id": "abcdabcd-1234-abcd-1234-abcd1234abcd",
    "createdAt": "2020-12-23T10:00:00.000Z",
    "accountId": "123456789012"
  }
]

03 For the get-findings command output returned at the previous step, review each security finding by analyzing its properties:

"type" - the type of the security finding, e.g. "Policy:IAMUser/S3BucketEncryptionDisabled". For example, if default encryption was enabled for an S3 bucket when you enabled Macie for your AWS account, and default encryption is later disabled for the bucket, then Amazon Macie generates a "Policy:IAMUser/S3BucketEncryptionDisabled" finding for the bucket.
"id" - the identifier (ID) of the security finding.
"title" - the title of the finding, e.g. "Encryption is disabled for the S3 bucket"
"description" - a detailed description of the finding, e.g. "Encryption is disabled for the Amazon S3 bucket. The data in the bucket isn't encrypted using server-side encryption."
"severity.description" - the severity label associated with the security finding, e.g. "Medium". Possible values are "High", "Medium", and "Low".
"region" - the AWS cloud region where Amazon Macie generated the finding, e.g. "ap-southeast-2".
"accountId" - the ID number of the AWS account where the potential security issue described by the selected finding was found.
"resourcesAffected.s3Bucket.name" - the name of the affected Amazon S3 bucket.
"resourcesAffected.s3Bucket.publicAccess" - the permissions settings that determine whether the bucket is publicly accessible.
"resourcesAffected.s3Bucket.defaultServerSideEncryption" - the S3 Server-Side Encryption algorithm used to encrypt data stored within the specified (affected) bucket. If encryption is disabled for the specified bucket, the "defaultServerSideEncryption.encryptionType" property value is set to "NONE".
"resourcesAffected.s3Bucket.owner" - the display name and account identifier for the user who owns the affected bucket.

04 Based on the information reviewed at the previous step you can analyze the security finding and make a plan to implement the recommended fix. In this case, the remediation consists of enabling S3 Server-Side Encryption (S3 SSE) for the Amazon S3 bucket specified within the Amazon Macie finding details. To enable and configure Server-Side Encryption for the affected Amazon S3 bucket, follow the steps outlined in the S3 Server-Side Encryption conformity rule.

05 Repeat steps no. 1 – 4 for each Amazon Macie security finding identified in the selected AWS region.

06 Change the AWS region by updating the --region command parameter value and repeat the Remediation process for other regions.

References

AWS Command Line Interface (CLI) Documentation
macie2
get-finding-statistics
list-findings
get-findings

CloudFormation Documentation:
AWS::S3::Bucket

Terraform Documentation:
AWS Provider

Publication date Sep 12, 2021

Unlock the Remediation Steps

Free 30-day Trial

Automatically audit your configurations with Conformity
and gain access to our cloud security platform.

No thanks, back to article

You are auditing:

Amazon Macie Finding Statistics for S3

Risk Level: High

Audit

Using AWS Console

Using AWS CLI

Remediation / Resolution

Using AWS CloudFormation

Using Terraform (AWS Provider)

Using AWS Console

Using AWS CLI

References

Related S3 rules