Information
Amazon S3 buckets can contain sensitive data that, for security purposes, should be discovered, monitored, classified, and protected. Amazon Macie, as well as third-party tools, can automatically inventory the S3 buckets in an account.
Continuously monitoring S3 buckets with a cloud service or third-party software that automates data discovery and classification through machine learning and pattern matching is a strong defense for that information: you cannot protect data you do not know you hold.
Amazon Macie is a fully managed data security and privacy service that uses machine learning and pattern matching to discover and protect sensitive data stored in AWS.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
Perform the steps below to enable and configure Amazon Macie:
From Console:
- Log on to the Macie console at https://console.aws.amazon.com/macie/
- Click Get started
- Click Enable Macie
Set up a repository for sensitive data discovery results:
- In the left pane, under Settings, click Discovery results
- Make sure Create bucket is selected.
- Create a bucket and enter a name for it. The name must be unique across all S3 buckets in AWS, and it must start with a lowercase letter or a number.
- Click Advanced
- For Block all public access, make sure Yes is selected.
- For KMS encryption, specify the AWS KMS key that you want to use to encrypt the results. The key must be a symmetric KMS key (older documentation calls this a customer master key, CMK) in the same region as the S3 bucket, and its key policy must allow the Macie service-linked role to use it; otherwise Macie cannot write results to the bucket.
- Click Save
Create a job to discover sensitive data:
- In the left pane, click S3 buckets. Macie displays a list of all the S3 buckets for your account.
- Check the box for each bucket that you want Macie to analyze as part of the job.
- Click Create job
- Click Quick create
- For the Name and Description step, enter a name and, optionally, a description of the job.
- Click Next
- For the Review and create step, click Submit
Review your findings:
- In the left pane, click Findings
- To view the details of a specific finding, choose any field other than the check box for that finding.
If you are using a third-party tool to manage and protect your S3 data, follow the vendor documentation for implementing and configuring that tool.
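Because Nessus does not perform this check, the steps above have to be verified by hand or by script. The following is an added example, not part of the benchmark or of any AWS tooling: it audits the end state of the console procedure (Macie enabled, a discovery-results bucket with KMS encryption in the same region, public access blocked on that bucket, at least one classification job). The audit function takes the raw API responses as dictionaries so it can run offline against captured JSON; the constructed sample responses and the region name are assumptions for illustration. The boto3 calls in fetch_live() (get_macie_session, get_classification_export_configuration, list_classification_jobs, get_public_access_block) are the real Macie and S3 API operations and need AWS credentials to run.

```python
"""Audit the Amazon Macie setup described in the procedure above.

Added example: the checks operate on API response dictionaries so they
can be exercised offline; fetch_live() gathers those responses with boto3.
"""
from typing import Dict, List

try:
    import boto3  # only required for fetch_live()
except ImportError:  # pragma: no cover
    boto3 = None

# The four settings that together make up "Block all public access".
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")


def audit_macie(session: Dict, export_cfg: Dict, public_access_block: Dict,
                jobs: Dict, region: str) -> List[str]:
    """Return the deviations from the procedure; an empty list means compliant."""
    problems: List[str] = []

    # 1. Macie must be enabled in this region.
    if session.get("status") != "ENABLED":
        problems.append(f"Macie status is {session.get('status')!r}, expected 'ENABLED'")

    # 2. A discovery-results repository must exist and be KMS-encrypted
    #    with a key in the same region as the bucket.
    dest = export_cfg.get("configuration", {}).get("s3Destination", {})
    if not dest.get("bucketName"):
        problems.append("no S3 bucket configured for discovery results")
    key_arn = dest.get("kmsKeyArn", "")
    if not key_arn:
        problems.append("discovery results are not encrypted with a KMS key")
    else:
        # ARN layout: arn:partition:kms:region:account:key/id
        parts = key_arn.split(":")
        if len(parts) < 4 or parts[3] != region:
            problems.append(f"KMS key {key_arn} is not in region {region}")

    # 3. The results bucket must block all public access.
    pab = public_access_block.get("PublicAccessBlockConfiguration", {})
    missing = [flag for flag in PAB_FLAGS if not pab.get(flag)]
    if missing:
        problems.append("results bucket does not block public access: " + ", ".join(missing))

    # 4. At least one classification job must exist, or nothing is ever discovered.
    live_jobs = [j for j in jobs.get("items", []) if j.get("jobStatus") != "CANCELLED"]
    if not live_jobs:
        problems.append("no classification job has been created")
    return problems


def fetch_live(region: str) -> List[str]:
    """Collect the responses from AWS and audit them (requires credentials)."""
    macie = boto3.client("macie2", region_name=region)
    s3 = boto3.client("s3", region_name=region)
    try:
        session = macie.get_macie_session()
    except macie.exceptions.AccessDeniedException:
        # Macie returns AccessDenied when the service has never been enabled.
        session = {"status": "DISABLED"}
    export_cfg = macie.get_classification_export_configuration()
    bucket = export_cfg.get("configuration", {}).get("s3Destination", {}).get("bucketName")
    pab: Dict = {}
    if bucket:
        try:
            pab = s3.get_public_access_block(Bucket=bucket)
        except s3.exceptions.NoSuchPublicAccessBlockConfiguration:
            pab = {}
    jobs = macie.list_classification_jobs()
    return audit_macie(session, export_cfg, pab, jobs, region)


# Constructed sample responses (assumed account, bucket and key identifiers).
SAMPLE_REGION = "us-east-1"
SESSION_OK = {"status": "ENABLED", "findingPublishingFrequency": "FIFTEEN_MINUTES"}
EXPORT_OK = {"configuration": {"s3Destination": {
    "bucketName": "example-macie-results",
    "keyPrefix": "macie/",
    "kmsKeyArn": "arn:aws:kms:us-east-1:111122223333:key/example-key-id"}}}
PAB_OK = {"PublicAccessBlockConfiguration": {flag: True for flag in PAB_FLAGS}}
JOBS_OK = {"items": [{"jobId": "job-1", "name": "s3-discovery", "jobStatus": "COMPLETE"}]}

if __name__ == "__main__":
    for line in audit_macie(SESSION_OK, EXPORT_OK, PAB_OK, JOBS_OK, SAMPLE_REGION) or ["compliant"]:
        print(line)
```

Run fetch_live("us-east-1") with credentials for the account being reviewed; each returned string is a step of the procedure that has not been completed. The region comparison on the key ARN catches the common mistake of selecting a key from another region, which the console rejects but a scripted setup may not.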
Impact:
There is a cost associated with using Amazon Macie (billed per bucket inventoried and per GB of data scanned), and there is typically a cost associated with third-party tools that perform similar discovery and classification.