01 Define the policy that enables the selected IAM users and/or roles to manage the new KMS key and to encrypt/decrypt your Amazon Macie repository data using the KMS API. Create a new policy document (JSON format), name the file macie-repository-key-policy.json, and paste the following content (replace the placeholder details, i.e. aws-account-id and the ARNs for the IAM users and/or roles, with your own details):
{
  "Id": "macie-data-repo-key-policy",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::aws-account-id:root"
      },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Allow Amazon Macie to use the key",
      "Effect": "Allow",
      "Principal": {
        "Service": "macie.amazonaws.com"
      },
      "Action": [
        "kms:GenerateDataKey",
        "kms:Encrypt"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow access for Key Administrators",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::aws-account-id:role/role-name"
      },
      "Action": [
        "kms:Create*",
        "kms:Describe*",
        "kms:Enable*",
        "kms:List*",
        "kms:Put*",
        "kms:Update*",
        "kms:Revoke*",
        "kms:Disable*",
        "kms:Get*",
        "kms:Delete*",
        "kms:TagResource",
        "kms:UntagResource",
        "kms:ScheduleKeyDeletion",
        "kms:CancelKeyDeletion"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow use of the key",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::aws-account-id:role/role-name"
      },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow attachment of persistent resources",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::aws-account-id:role/role-name"
      },
      "Action": [
        "kms:CreateGrant",
        "kms:ListGrants",
        "kms:RevokeGrant"
      ],
      "Resource": "*",
      "Condition": {
        "Bool": {
          "kms:GrantIsForAWSResource": "true"
        }
      }
    }
  ]
}
02 Run the create-key command (OSX/Linux/UNIX) using the policy document created at the previous step (i.e. macie-repository-key-policy.json) as the value for the --policy parameter, to create your new KMS key:
aws kms create-key \
  --region us-east-1 \
  --description 'KMS key for encrypting Amazon Macie repository data' \
  --policy file://macie-repository-key-policy.json \
  --query 'KeyMetadata.Arn'
03 The command output should return the ARN of the new KMS key:
"arn:aws:kms:us-east-1:123456789012:key/abcdabcd-1234-abcd-1234-abcd1234abcd"
04 Run the create-alias command (OSX/Linux/UNIX) using the key ARN returned at the previous step to attach an alias to the new key. The alias name must start with the prefix "alias/" (the command should not produce an output):
aws kms create-alias \
  --region us-east-1 \
  --alias-name alias/MacieDataEncryptionKey \
  --target-key-id arn:aws:kms:us-east-1:123456789012:key/abcdabcd-1234-abcd-1234-abcd1234abcd
05 Run the create-bucket command (OSX/Linux/UNIX) to create the Amazon S3 bucket that will serve as the repository for your Macie data discovery results within the selected AWS region:
aws s3api create-bucket \
  --region us-east-1 \
  --bucket cc-discovery-results-repository \
  --acl private
Note: to create S3 buckets outside the us-east-1 region, you will need to set the region to us-east-1 and the LocationConstraint to your chosen region:
aws s3api create-bucket \
  --region us-east-1 \
  --bucket cc-discovery-results-repository \
  --acl private \
  --create-bucket-configuration LocationConstraint=eu-west-1
06 The command output should return the name of the newly created S3 bucket:
{
  "Location": "/cc-discovery-results-repository"
}
07 Run the put-public-access-block command (OSX/Linux/UNIX) to enable the S3 Block Public Access feature for the new S3 bucket (the command should not produce an output):
aws s3api put-public-access-block \
  --region us-east-1 \
  --bucket cc-discovery-results-repository \
  --public-access-block-configuration BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true
08 Define the access policy for the newly created Amazon S3 bucket. Save the following bucket policy to a JSON file named repository-bucket-policy.json (replace the placeholder details, i.e. the ARNs for the bucket and the KMS key, with your own details):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Deny non-HTTPS access",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::cc-discovery-results-repository/*",
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    },
    {
      "Sid": "Deny incorrect encryption header. This is optional",
      "Effect": "Deny",
      "Principal": {
        "Service": "macie.amazonaws.com"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::cc-discovery-results-repository/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption-aws-kms-key-id": "arn:aws:kms:us-east-1:123456789012:key/abcdabcd-1234-abcd-1234-abcd1234abcd"
        }
      }
    },
    {
      "Sid": "Deny unencrypted object uploads. This is optional",
      "Effect": "Deny",
      "Principal": {
        "Service": "macie.amazonaws.com"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::cc-discovery-results-repository/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "aws:kms"
        }
      }
    },
    {
      "Sid": "Allow Macie to upload objects to the bucket",
      "Effect": "Allow",
      "Principal": {
        "Service": "macie.amazonaws.com"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::cc-discovery-results-repository/*"
    },
    {
      "Sid": "Allow Macie to use the getBucketLocation operation",
      "Effect": "Allow",
      "Principal": {
        "Service": "macie.amazonaws.com"
      },
      "Action": "s3:GetBucketLocation",
      "Resource": "arn:aws:s3:::cc-discovery-results-repository"
    }
  ]
}
09 Run the put-bucket-policy command (OSX/Linux/UNIX) to attach the bucket policy defined at the previous step to your new Amazon S3 bucket (the command does not produce an output):
aws s3api put-bucket-policy \
  --region us-east-1 \
  --bucket cc-discovery-results-repository \
  --policy file://repository-bucket-policy.json
10 Run the put-classification-export-configuration command (OSX/Linux/UNIX) to update the configuration settings for storing Macie data discovery results, setting the Amazon S3 bucket created at the previous steps as the data repository in the selected AWS region:
aws macie2 put-classification-export-configuration \
  --region us-east-1 \
  --configuration "s3Destination={bucketName=cc-discovery-results-repository,kmsKeyArn=arn:aws:kms:us-east-1:123456789012:key/abcdabcd-1234-abcd-1234-abcd1234abcd}"
11 The command output should return the updated configuration settings:
{
  "configuration": {
    "s3Destination": {
      "bucketName": "cc-discovery-results-repository",
      "kmsKeyArn": "arn:aws:kms:us-east-1:123456789012:key/abcdabcd-1234-abcd-1234-abcd1234abcd"
    }
  }
}
12 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for each supported AWS region.
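Before repeating the steps in another region it is worth confirming that the bucket policy written in step 08 still carries the protections the procedure depends on (HTTPS-only access, SSE-KMS with the expected key, and only the Macie service principal granted write access). The checker below is an added example and not part of the original remediation steps; it works offline on a saved policy file, the bucket name, key ARN and sample policy are the constructed values of this walkthrough, and the check names are the author's own.

```python
# Added example (not from the original steps): offline checks for the bucket policy of step 08.
import json, sys
BUCKET = "cc-discovery-results-repository"
KEY_ARN = "arn:aws:kms:us-east-1:123456789012:key/abcdabcd-1234-abcd-1234-abcd1234abcd"
MACIE = {"Service": "macie.amazonaws.com"}
OBJ = f"arn:aws:s3:::{BUCKET}/*"

def _as_list(v):
    return v if isinstance(v, list) else [v]
def check_bucket_policy(policy, bucket, key_arn):
    """Map each protection the walkthrough relies on to True/False for this policy."""
    obj_arn = f"arn:aws:s3:::{bucket}/*"
    stmts = policy.get("Statement", [])
    denies = [s for s in stmts if s.get("Effect") == "Deny"]
    allows = [s for s in stmts if s.get("Effect") == "Allow"]
    def has_deny(action, op, key, value):  # Deny on bucket objects gated by one condition
        return any(action in _as_list(s.get("Action")) and obj_arn in _as_list(s.get("Resource"))
                   and s.get("Condition", {}).get(op, {}).get(key) == value for s in denies)
    def macie_allowed(action, resource):  # Allow granted to the Macie service principal
        return any(s.get("Principal") == MACIE and action in _as_list(s.get("Action"))
                   and resource in _as_list(s.get("Resource")) for s in allows)
    return {
        "deny_non_https": has_deny("s3:*", "Bool", "aws:SecureTransport", "false"),
        "deny_wrong_kms_key": has_deny("s3:PutObject", "StringNotEquals",
                                       "s3:x-amz-server-side-encryption-aws-kms-key-id", key_arn),
        "deny_unencrypted": has_deny("s3:PutObject", "StringNotEquals",
                                     "s3:x-amz-server-side-encryption", "aws:kms"),
        "macie_can_put": macie_allowed("s3:PutObject", obj_arn),
        "macie_can_get_location": macie_allowed("s3:GetBucketLocation", f"arn:aws:s3:::{bucket}"),
        "no_wildcard_allow": not any(s.get("Principal") == "*" for s in allows),
    }

# Constructed sample: the step 08 policy with this walkthrough's bucket name and key ARN.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Principal": "*", "Action": "s3:*", "Resource": OBJ,
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    {"Effect": "Deny", "Principal": MACIE, "Action": "s3:PutObject", "Resource": OBJ,
     "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption-aws-kms-key-id": KEY_ARN}}},
    {"Effect": "Deny", "Principal": MACIE, "Action": "s3:PutObject", "Resource": OBJ,
     "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}},
    {"Effect": "Allow", "Principal": MACIE, "Action": "s3:PutObject", "Resource": OBJ},
    {"Effect": "Allow", "Principal": MACIE, "Action": "s3:GetBucketLocation",
     "Resource": f"arn:aws:s3:::{BUCKET}"},
]}

if __name__ == "__main__":  # usage: python check_policy.py repository-bucket-policy.json
    policy = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_POLICY
    for name, ok in check_bucket_policy(policy, BUCKET, KEY_ARN).items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}")
```

Run it against the file from step 08 after editing the ARNs for a new region; a FAIL on deny_wrong_kms_key usually means the key ARN in the policy was not updated to that region's key.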