01 If Amazon Macie is not enabled, run the enable-macie command (OSX/Linux/UNIX) to enable the service for a given AWS region. A finding publishing frequency can be provided to specify how often findings are published:
aws macie2 enable-macie \
  --region us-east-1 \
  --finding-publishing-frequency "ONE_HOUR" \
  --status ENABLED
02 Define the policy that enables the selected IAM users and/or roles to manage the KMS key required to encrypt/decrypt your Amazon Macie repository data. Create a new policy document (JSON format), name the file macie-data-key-policy.json, and paste the following content (replace the placeholder details, i.e. the ARNs for the IAM users and/or roles, with your own details):
{
  "Id": "macie-data-key-policy",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::aws-account-id:root"
      },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Allow Amazon Macie to use the key",
      "Effect": "Allow",
      "Principal": {
        "Service": "macie.amazonaws.com"
      },
      "Action": [
        "kms:GenerateDataKey",
        "kms:Encrypt"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow access for Key Administrators",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::aws-account-id:role/role-name"
      },
      "Action": [
        "kms:Create*",
        "kms:Describe*",
        "kms:Enable*",
        "kms:List*",
        "kms:Put*",
        "kms:Update*",
        "kms:Revoke*",
        "kms:Disable*",
        "kms:Get*",
        "kms:Delete*",
        "kms:TagResource",
        "kms:UntagResource",
        "kms:ScheduleKeyDeletion",
        "kms:CancelKeyDeletion"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow use of the key",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::aws-account-id:role/role-name"
      },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow attachment of persistent resources",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::aws-account-id:role/role-name"
      },
      "Action": [
        "kms:CreateGrant",
        "kms:ListGrants",
        "kms:RevokeGrant"
      ],
      "Resource": "*",
      "Condition": {
        "Bool": {
          "kms:GrantIsForAWSResource": "true"
        }
      }
    }
  ]
}
03 Run the create-key command (OSX/Linux/UNIX), passing the policy document created at the previous step (i.e. macie-data-key-policy.json) as the value of the --policy parameter, to create your new Amazon KMS key:
aws kms create-key \
  --region us-east-1 \
  --description 'KMS key for Macie repository data encryption' \
  --policy file://macie-data-key-policy.json \
  --query 'KeyMetadata.Arn'
04 The command output should return the ARN of the new KMS key:
"arn:aws:kms:us-east-1:123456789012:key/abcdabcd-1234-abcd-1234-abcd1234abcd"
05 Run the create-alias command (OSX/Linux/UNIX) using the key ARN returned at the previous step to attach an alias to the new key. The alias must start with the prefix "alias/" (the command should not produce an output):
aws kms create-alias \
  --region us-east-1 \
  --alias-name alias/MacieDataKMSKey \
  --target-key-id arn:aws:kms:us-east-1:123456789012:key/abcdabcd-1234-abcd-1234-abcd1234abcd
06 Run the create-bucket command (OSX/Linux/UNIX) to create the Amazon S3 bucket that will serve as the repository for the Macie data discovery results within the selected AWS region:
aws s3api create-bucket \
  --region us-east-1 \
  --bucket cc-discovery-results-repository \
  --acl private
07 The command output should return the name of the newly created S3 bucket:
{
  "Location": "/cc-discovery-results-repository"
}
08 Run the put-public-access-block command (OSX/Linux/UNIX) to enable the S3 Block Public Access feature for the new Amazon S3 bucket (the command should not produce an output):
aws s3api put-public-access-block \
  --region us-east-1 \
  --bucket cc-discovery-results-repository \
  --public-access-block-configuration BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true
09 Define the access policy for the newly created Amazon S3 bucket. Save the following bucket policy to a JSON file named macie-repository-policy.json (replace the placeholder details, i.e. the bucket and the KMS key ARNs, with your own details):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Deny non-HTTPS access",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::cc-discovery-results-repository/*",
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    },
    {
      "Sid": "Deny incorrect encryption header. This is optional",
      "Effect": "Deny",
      "Principal": {
        "Service": "macie.amazonaws.com"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::cc-discovery-results-repository/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption-aws-kms-key-id": "arn:aws:kms:us-east-1:123456789012:key/abcdabcd-1234-abcd-1234-abcd1234abcd"
        }
      }
    },
    {
      "Sid": "Deny unencrypted object uploads. This is optional",
      "Effect": "Deny",
      "Principal": {
        "Service": "macie.amazonaws.com"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::cc-discovery-results-repository/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "aws:kms"
        }
      }
    },
    {
      "Sid": "Allow Macie to upload objects to the bucket",
      "Effect": "Allow",
      "Principal": {
        "Service": "macie.amazonaws.com"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::cc-discovery-results-repository/*"
    },
    {
      "Sid": "Allow Macie to use the getBucketLocation operation",
      "Effect": "Allow",
      "Principal": {
        "Service": "macie.amazonaws.com"
      },
      "Action": "s3:GetBucketLocation",
      "Resource": "arn:aws:s3:::cc-discovery-results-repository"
    }
  ]
}
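Before attaching the bucket policy, it is worth confirming offline that the edited file still carries every control from the template above (the HTTPS-only deny, the two encryption denies and the Macie PutObject allow, all scoped to your bucket). The checker below is an added example, not part of the Cloud Conformity page or of any AWS tooling; the bucket name and KMS key ARN are the page's sample values and sample_policy() is a constructed compact copy of the policy above.

```python
"""Offline check of macie-repository-policy.json (step 09). Added example, not the page's own code."""
BUCKET = "cc-discovery-results-repository"
KEY_ARN = "arn:aws:kms:us-east-1:123456789012:key/abcdabcd-1234-abcd-1234-abcd1234abcd"
MACIE = "macie.amazonaws.com"
_as_list = lambda v: v if isinstance(v, list) else [v]  # policy fields may be scalar or list

def _stmts(policy, effect, principal, resource):
    """Statements with this Effect that cover `resource` and whose Principal is "*" or names the service."""
    for s in policy["Statement"]:
        p = s.get("Principal")
        named = isinstance(p, dict) and principal in _as_list(p.get("Service", []))
        if s.get("Effect") == effect and (p == principal or named) \
                and resource in _as_list(s.get("Resource")):
            yield s

def check_repository_policy(policy, bucket, key_arn):
    """Return the step-09 controls the policy does not enforce for objects in `bucket`."""
    objs = f"arn:aws:s3:::{bucket}/*"
    cond = lambda s, op, k: s.get("Condition", {}).get(op, {}).get(k)
    sse = "s3:x-amz-server-side-encryption"
    problems = []
    if not any(cond(s, "Bool", "aws:SecureTransport") == "false"
               for s in _stmts(policy, "Deny", "*", objs)):
        problems.append("non-HTTPS access is not denied")
    denies = list(_stmts(policy, "Deny", MACIE, objs))
    if not any(cond(s, "StringNotEquals", sse) == "aws:kms" for s in denies):
        problems.append("unencrypted uploads are not denied")
    if not any(cond(s, "StringNotEquals", sse + "-aws-kms-key-id") == key_arn for s in denies):
        problems.append("uploads encrypted with another KMS key are not denied")
    if not any("s3:PutObject" in _as_list(s.get("Action"))
               for s in _stmts(policy, "Allow", MACIE, objs)):
        problems.append("Macie is not allowed to PutObject into the bucket")
    return problems  # an empty list means every control is present

def sample_policy(bucket, key_arn):
    """Compact form of the page's bucket policy (constructed test input)."""
    macie, objs = {"Service": MACIE}, f"arn:aws:s3:::{bucket}/*"
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Deny", "Principal": "*", "Action": "s3:*", "Resource": objs,
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        {"Effect": "Deny", "Principal": macie, "Action": "s3:PutObject", "Resource": objs,
         "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption-aws-kms-key-id": key_arn}}},
        {"Effect": "Deny", "Principal": macie, "Action": "s3:PutObject", "Resource": objs,
         "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}},
        {"Effect": "Allow", "Principal": macie, "Action": "s3:PutObject", "Resource": objs},
        {"Effect": "Allow", "Principal": macie, "Action": "s3:GetBucketLocation",
         "Resource": f"arn:aws:s3:::{bucket}"}]}
```

To check your own file, load it with json.load() and pass the resulting dict to check_repository_policy() together with your bucket name and key ARN; a mismatched bucket name reports every control as missing, because each statement is matched on the object ARN it is scoped to.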
10 Run the put-bucket-policy command (OSX/Linux/UNIX) to attach the bucket policy defined at the previous step to your new Amazon S3 bucket (the command does not produce an output):
aws s3api put-bucket-policy \
  --region us-east-1 \
  --bucket cc-discovery-results-repository \
  --policy file://macie-repository-policy.json
11 Run the put-classification-export-configuration command (OSX/Linux/UNIX) to update the configuration settings for storing Macie data discovery results and configure the Amazon S3 bucket created at the previous steps as the data repository in the selected AWS region:
aws macie2 put-classification-export-configuration \
  --region us-east-1 \
  --configuration "s3Destination={bucketName=cc-discovery-results-repository,kmsKeyArn=arn:aws:kms:us-east-1:123456789012:key/abcdabcd-1234-abcd-1234-abcd1234abcd}"
12 The command output should return the updated configuration settings:
{
  "configuration": {
    "s3Destination": {
      "bucketName": "cc-discovery-results-repository",
      "kmsKeyArn": "arn:aws:kms:us-east-1:123456789012:key/abcdabcd-1234-abcd-1234-abcd1234abcd"
    }
  }
}
13 Create the required data discovery job definition and save the definition to a JSON file named cc-macie-job-definition.json. The data discovery job definition contains the names of the S3 buckets to analyze for sensitive data, the ID of the AWS account that owns the buckets, and the scope of the analysis (optional):
{
  "bucketDefinitions": [
    {
      "accountId": "123456789012",
      "buckets": [
        "cc-prod-web-data",
        "cc-project5-data"
      ]
    }
  ],
  "scoping": {}
}
14 To create a new Amazon Macie data discovery job in the selected AWS region, run the create-classification-job command (OSX/Linux/UNIX) using the job definition created at the previous step (i.e. cc-macie-job-definition.json):
aws macie2 create-classification-job \
  --job-type ONE_TIME \
  --name cc-s3-data-discovery-job \
  --s3-job-definition file://cc-macie-job-definition.json
15 The command output should return the identifiers of the newly created data discovery job:
{
  "jobArn": "arn:aws:macie2:us-east-1:123456789012:classification-job/1234abcd1234abcd1234abcd1234abcd",
  "jobId": "1234abcd1234abcd1234abcd1234abcd"
}
16 To view and analyze the Amazon Macie findings, follow the steps outlined in this conformity rule.
17 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for each supported AWS region.