
Amazon Macie In Use

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: Macie-001

Ensure that the Amazon Macie service is currently in use in order to classify and protect sensitive information, such as credit card numbers, financial records or Personally Identifiable Information (PII), held in your AWS account. AWS Macie is a data security service that uses machine learning to automatically discover, classify and protect critical data within the AWS cloud. Once enabled and configured, Macie scans your S3 buckets to identify sensitive information, brings this data to your attention, and analyzes access patterns and user behavior to prevent data leakage. Macie can also help you meet governance, compliance and audit standards. For example, because the service recognizes Personally Identifiable Information (PII), it can help you comply with General Data Protection Regulation (GDPR) requirements around encryption and pseudonymization of data.
The main features of the AWS Macie service are:
  • Data security automation – analyzes, classifies and processes data to understand access patterns, recorded user authentications, data access locations and times of access.
  • Data visibility – reveals useful data storage insights and provides immediate data protection without the need for manual input.
  • Data security and monitoring – continuously monitors usage log data to detect anomalies and automatically reports issues using AWS CloudWatch Events and/or AWS Lambda.
  • Data research and reporting – allows administrative configuration for reporting and alert management.
IMPORTANT: When Amazon Macie performs its initial scan of your data, it generates a one-off first-time charge that can be large. Because of this behavior, Cloud Conformity strongly recommends that you consult the AWS Macie pricing guide, evaluate the size of your data, and do the necessary calculations to estimate the initial cost before you enable the service.

This rule can help you with the following compliance standards:

  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

With Amazon Macie you can classify and safeguard your sensitive data, automate compliance (including GDPR compliance), detect unauthorized user access and avoid inadvertent data leaks through customizable alerts.


Audit

To determine if AWS Macie service is currently enabled in your AWS account, perform the following:

Note: Checking Amazon Macie service status using the AWS API via Command Line Interface (CLI) is not currently supported.

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to the Amazon Macie home page at https://us-east-1.console.aws.amazon.com/macie/home for the US East (N. Virginia) region or at https://us-west-2.console.aws.amazon.com/macie/home for the US West (Oregon) region. If you are redirected to the Get Started page, the Amazon Macie service is not currently enabled within the selected region, and therefore your cloud-based data does not benefit from classification, regulatory compliance and protection from leaks.
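The console check above has no CLI equivalent for the original Macie service, as the note says. The following is an added example, not Conformity's or AWS's own code, showing how the same rule (Macie-001) can be evaluated programmatically against the current Macie API (boto3 client `macie2`, `GetMacieSession`), which post-dates this page. It assumes that `GetMacieSession` returns a `status` of `ENABLED` or `PAUSED`, and that the API answers with an `AccessDeniedException` whose message contains "not enabled" in a region where Macie was never turned on; the `fetch` callable is injected so the verdict logic can be exercised offline on constructed sample responses.

```python
"""Audit helper for Conformity rule Macie-001 (Amazon Macie in use).

Added example, not Conformity's or AWS's own code. Targets the current
Macie API (boto3 "macie2" client, GetMacieSession), which did not exist
when this page was written.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

try:
    import boto3
    from botocore.exceptions import ClientError
except ImportError:  # boto3 absent: the verdict logic still runs offline
    boto3 = None
    ClientError = Exception

# Regions the page lists as supported at publication; extend as needed (assumption).
MACIE_REGIONS = ["us-east-1", "us-west-2"]


@dataclass
class MacieFinding:
    region: str
    status: str      # "ENABLED", "PAUSED", "NOT_ENABLED" or "ERROR"
    compliant: bool  # Macie-001 passes only when the session is ENABLED
    detail: str


def evaluate_session(region: str, response: Dict) -> MacieFinding:
    """Map a GetMacieSession response to a rule verdict.

    A PAUSED session is still a finding: the service exists but no
    classification is actually running, so data is not being protected.
    """
    status = response.get("status", "")
    if status == "ENABLED":
        return MacieFinding(region, "ENABLED", True, "Macie session enabled")
    if status == "PAUSED":
        return MacieFinding(region, "PAUSED", False,
                            "Macie enabled but paused; no classification runs")
    return MacieFinding(region, "NOT_ENABLED", False, f"unexpected status {status!r}")


def evaluate_error(region: str, error_code: str, message: str) -> MacieFinding:
    """Map an API error to a verdict.

    Assumption: an AccessDeniedException mentioning "not enabled" is how the
    service reports that Macie was never turned on in the region. Any other
    error is surfaced as ERROR rather than silently treated as compliant.
    """
    if error_code == "AccessDeniedException" and "not enabled" in message.lower():
        return MacieFinding(region, "NOT_ENABLED", False, "Macie is not enabled in this region")
    return MacieFinding(region, "ERROR", False, f"{error_code}: {message}")


def audit_macie(regions: List[str], fetch: Callable[[str], Dict]) -> List[MacieFinding]:
    """Run the check per region.

    `fetch(region)` returns a GetMacieSession response dict or raises
    ClientError; it is injected so the logic can be tested without AWS access.
    """
    findings: List[MacieFinding] = []
    for region in regions:
        try:
            findings.append(evaluate_session(region, fetch(region)))
        except ClientError as exc:
            err = getattr(exc, "response", {}).get("Error", {})
            findings.append(evaluate_error(region, err.get("Code", ""), err.get("Message", "")))
    return findings


def live_fetch(region: str) -> Dict:
    """Real call; needs boto3 and credentials allowed macie2:GetMacieSession."""
    return boto3.client("macie2", region_name=region).get_macie_session()


# Constructed sample responses for two regions (not captured API output).
SAMPLE_RESPONSES = {
    "us-east-1": {"status": "ENABLED", "findingPublishingFrequency": "FIFTEEN_MINUTES"},
    "us-west-2": {"status": "PAUSED"},
}


def sample_fetch(region: str) -> Dict:
    return SAMPLE_RESPONSES[region]


if __name__ == "__main__":
    # Swap sample_fetch for live_fetch to audit a real account.
    for finding in audit_macie(MACIE_REGIONS, sample_fetch):
        print(f"{finding.region}: {finding.status} compliant={finding.compliant} ({finding.detail})")
```

Run as-is to see the verdict for the constructed sample; pass `live_fetch` instead of `sample_fetch` to audit a real account. Treating `PAUSED` and unexpected errors as non-compliant keeps the check conservative, which matches the rule's intent that Macie be actively classifying data, not merely provisioned.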

Remediation / Resolution

To enable and configure AWS Macie, you need to perform the following actions:

Note 1: Currently, Macie is supported in the following regions: US East (N. Virginia) and US West (Oregon).
Note 2: Enabling and configuring Amazon Macie service using the AWS API via Command Line Interface (CLI) is not currently supported.

Using AWS Console

01 Sign in to the AWS Management Console.

02 Before enabling the service, you must meet the following requirements:

  1. Create two IAM roles (a customer setup role and a customer service role) that provide Macie with access to your AWS account. The recommended way to create these IAM roles and the required access policies is to launch the AWS CloudFormation stack templates provided by Amazon Web Services, made publicly available at the following URLs:
  2. Make sure that AWS CloudTrail is enabled within your account. If the CloudTrail service is not enabled, you must turn it on by creating a trail. To create the required trail, perform the following:
    • Navigate to CloudTrail dashboard at https://console.aws.amazon.com/cloudtrail/ and click Create trail to start the setup process.
    • Provide a name for the new trail in the Trail name box.
    • Create an AWS S3 bucket by selecting Yes next to Create a new S3 bucket and provide a name for it within S3 bucket box or specify an existing bucket where you want to deliver the log files by selecting No next to Create a new S3 bucket and choose the existing bucket name from the same box. By default, log files from all AWS regions are delivered to the S3 bucket specified at this point.
    • Leave the remaining trail configuration options at their default settings and click Create to build the new CloudTrail trail.

03 Navigate to Amazon Macie home page at https://us-east-1.redirection.macie.aws.amazon.com/ for US East/N. Virginia region or at https://us-west-2.redirection.macie.aws.amazon.com/ for US West/Oregon region.

04 Click GET STARTED to initiate the Macie service setup process.

05 On Enable Amazon Macie page, grant the necessary permissions to access your CloudTrail data by selecting the checkbox available in the Permissions section.

06 Click Enable Macie to enable the service and complete the setup process.

07 To classify and protect your cloud-based data, AWS Macie analyzes and processes information from CloudTrail and S3. Since CloudTrail integration was enabled automatically during setup and Macie uses the trail created at step no. 2, you can continue with the service configuration and integrate Macie with AWS S3 (i.e. select one or more S3 buckets that Macie needs to monitor). For AWS S3 integration, perform the following actions:

  1. In the left navigation panel, select Integrations.
  2. On the Integrations page, select Services tab and choose your AWS account ID from the Select an account dropdown list. Once your account is selected, the dashboard will list the AWS services available for integration with Macie.
  3. Choose Amazon S3 service and click Add button.
  4. On Amazon S3 page, inside the Edit section, select the S3 buckets that you want Macie to analyze, then click Review and Save button to access the review section of the configuration.
  5. In the review section, re-check the names of the specified S3 buckets and select the S3 object-level logging is enabled for all selected buckets and prefixes checkbox to confirm that object-level logging is enabled.
  6. Click Save to apply the changes and enable Macie-S3 integration. Once the integration is active, the service will create a trail and an S3 bucket to store logs about S3 data events. You can start now to customize the classification of your data with AWS Macie.

08 Repeat steps no. 3 – 7 to enable Amazon Macie service for other supported AWS regions.


Publication date Nov 2, 2017