lacework-global-74
Discover, classify, and secure all data in Amazon S3 when required (Manual)
Profile Applicability
• Level 2
Description
It is important to discover, monitor, classify and protect sensitive data in Amazon S3 buckets. Macie along with other third party tools can automatically provide an inventory of Amazon S3 buckets.
Rationale
Using a Cloud service or 3rd Party software to continuously monitor and automate the process of data discovery and classification for S3 buckets using machine learning and pattern matching is a strong defense in protecting that information.
Amazon Macie is a fully managed data security and data privacy service that uses machine learning and pattern matching to discover and protect your sensitive data in AWS.
Impact
There is a cost associated with using Amazon Macie. There is also typically a cost associated with 3rd Party tools that perform similar processes and protection.
Audit
Perform the following steps to determine if Macie is running:
From Console
Login to the Macie console at https://console.aws.amazon.com/macie/
In the left hand pane click on By job under findings.
Confirm that you have a Job setup for your S3 Buckets
When you log into the Macie console if you aren't taken to the summary page and you don't have a job setup and running then refer to the remediation procedure below.
If you are using a 3rd Party tool to manage and protect your s3 data you meet this recommendation.
Remediation
Perform the steps below to enable and configure Amazon Macie
From Console
Log on to the Macie console at
https://console.aws.amazon.com/macie/
.Click
Get started
.Click
Enable Macie
.
Setup a repository for sensitive data discovery results
In the Left pane, under Settings, click
Discovery results
.Select
Create bucket
.Create a bucket, enter a name for the bucket. The name must be unique across all S3 buckets. In addition, the name must start with a lowercase letter or a number.
Click
Advanced
.Block all public access, select
Yes
.Key Management Service (KMS) encryption, specify the AWS KMS key that you want to use to encrypt the results. The key must be a symmetric customer-managed KMS key that is in the same Region as the S3 bucket.
Click
Save
.
Create a job to discover sensitive data
In the left pane, click
S3 buckets
. Macie displays a list of all the S3 buckets for your account.Select the
checkbox
for each bucket that you want Macie to analyze as part of the job.Click
Create job
.Click
Quick create
.For the Name and description step, enter a name and, optionally, a description of the job.
Then click
Next
.For the Review and create step, click
Submit
.
Review your findings
In the left pane, click
Findings
.To view the details of a specific finding, choose any field other than the checkbox for the finding.
If you are using a third party tool to manage and protect your s3 data, follow the Vendor documentation for implementing and configuring that tool.
References
https://aws.amazon.com/macie/getting-started/
https://docs.aws.amazon.com/workspaces/latest/adminguide/data-protection.html
https://docs.aws.amazon.com/macie/latest/user/data-classification.html