Detections
Analytics

2.1.3 Ensure all data in Amazon S3 has been discovered, classified, and secured when necessary

Information

Amazon S3 buckets can contain sensitive data that, for security purposes, should be discovered, monitored, classified, and protected. Macie, along with other third-party tools, can automatically provide an inventory of Amazon S3 buckets.

Using a cloud service or third-party software to continuously monitor and automate the process of data discovery and classification for S3 buckets through machine learning and pattern matching is a strong defense in protecting that information.

Amazon Macie is a fully managed data security and privacy service that uses machine learning and pattern matching to discover and protect your sensitive data in AWS.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Perform the steps below to enable and configure Amazon Macie:

From Console:

 -

Log on to the Macie console at https://console.aws.amazon.com/macie/

 -

Click Get started

 -

Click Enable Macie

Set up a repository for sensitive data discovery results:

 -

In the left pane, under Settings, click Discovery results

 -

Make sure Create bucket is selected.

 -

Create a bucket and enter a name for it. The name must be unique across all S3 buckets, and it must start with a lowercase letter or a number.

 -

Click Advanced

 -

For block all public access, make sure Yes is selected.

 -

For KMS encryption, specify the AWS KMS key that you want to use to encrypt the results. The key must be a symmetric customer master key (CMK) that is in the same region as the S3 bucket.

 -

Click Save

Create a job to discover sensitive data:

 -

In the left pane, click S3 buckets Macie displays a list of all the S3 buckets for your account.

 -

Check the box for each bucket that you want Macie to analyze as part of the job.

 -

Click Create job

 -

Click Quick create

 -

For the Name and Description step, enter a name and, optionally, a description of the job.

 -

Click Next

 -

For the Review and create step, click Submit

Review your findings:

 -

In the left pane, click Findings

 -

To view the details of a specific finding, choose any field other than the check box for the finding.

If you are using a third-party tool to manage and protect your S3 data, follow the vendor documentation for implementing and configuring that tool.

Impact:

There is a cost associated with using Amazon Macie, and there is typically a cost associated with third-party tools that perform similar processes and provide protection.

See Also

https://workbench.cisecurity.org/benchmarks/19631

Item Details

Category: AUDIT AND ACCOUNTABILITY, SYSTEM AND INFORMATION INTEGRITY

References: 800-53|AU-11, 800-53|SI-12, CSCv7|5.1

Plugin: amazon_aws

Control ID: a27e036005014a51fb9f1c3b8422214d80be52ae7f59fd08d2d8088c09efb901