Amazon Macie integration with Amazon EventBridge
Amazon EventBridge, formerly Amazon CloudWatch Events, is a serverless event bus service. EventBridge delivers a stream of real-time data from applications and services, and routes that data to targets such as AWS Lambda functions, Amazon Simple Notification Service (Amazon SNS) topics, and Amazon Kinesis streams. To learn more about EventBridge, see the Amazon EventBridge User Guide.
With EventBridge, you can automate monitoring and processing of certain types of events. This includes events that Amazon Macie publishes automatically for new policy findings and sensitive data findings. This also includes events that Macie publishes automatically for subsequent occurrences of existing policy findings. For details about how and when Macie publishes these events, see Configuring publication settings for findings.
By using EventBridge and the events that Macie publishes for findings, you can monitor and process findings in near real time. You can then act upon findings by using other applications and services. For example, you might use EventBridge to send specific types of new findings to an AWS Lambda function. The Lambda function might then process and send the data to your security information and event management (SIEM) system.
In addition to automated monitoring and processing, use of EventBridge enables longer-term retention of your findings data. Macie stores findings for 90 days. With EventBridge, you can send findings data to your preferred storage platform and store the data for as long as you like.
Using Amazon EventBridge
With Amazon EventBridge, you create rules to specify which events you want to monitor and which targets you want to perform automated actions for those events. A target is a destination that EventBridge sends events to.

To automate monitoring and processing tasks for findings, you can create an EventBridge rule that automatically detects Amazon Macie finding events and sends those events to another application or service for processing or other action. You can tailor the rule to send only those events that meet certain criteria. To do this, specify criteria that derive from the Amazon EventBridge event schema for Amazon Macie findings.

For example, you can create a rule that sends specific types of new findings to an AWS Lambda function. The Lambda function can then perform tasks such as: process and send the data to your SIEM system; automatically apply a certain type of server-side encryption to an S3 object; or, restrict access to an S3 object by changing the object's access control list (ACL). Or you can create a rule that automatically sends new high-severity findings to an Amazon SNS topic, which then notifies your incident response team of the finding.

In addition to invoking Lambda functions and notifying Amazon SNS topics, EventBridge supports other types of targets and actions, such as relaying events to Amazon Kinesis streams, activating AWS Step Functions state machines, and invoking the AWS Systems Manager run command. For information about supported targets, see Amazon EventBridge targets in the Amazon EventBridge User Guide.
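As an added example (not code from the AWS documentation), the following Python shows both halves of the pipeline described above: a custom EventBridge event pattern that narrows delivery to High-severity Macie findings, with a small matcher for exercising it locally, and the Lambda target that turns a finding into a SIEM-ready record. The Macie field names (detail.severity.description, detail.resourcesAffected.s3Bucket.name, and so on) are assumed from the Macie finding schema and the sample event is constructed; verify both against the EventBridge event schema for findings before relying on them.

```python
# Custom event pattern for the rule (assumed): only High-severity Macie findings.
# Field names follow the Macie finding schema; check them against the schema docs.
HIGH_SEVERITY_PATTERN = {
    "source": ["aws.macie"],
    "detail-type": ["Macie Finding"],
    "detail": {"severity": {"description": ["High"]}},
}

# Constructed sample event (not captured from a real account) for local testing.
SAMPLE_EVENT = {
    "detail-type": "Macie Finding", "source": "aws.macie",
    "account": "111122223333", "region": "us-east-1",
    "detail": {
        "id": "finding-example-1", "category": "CLASSIFICATION",
        "type": "SensitiveData:S3Object/Personal",
        "severity": {"description": "High", "score": 3},
        "resourcesAffected": {"s3Bucket": {"name": "example-bucket"},
                              "s3Object": {"key": "exports/customers.csv"}},
    },
}

def matches_pattern(event, pattern):
    """Minimal EventBridge-style matcher: exact-value lists and nested objects only."""
    for key, expected in pattern.items():
        value = event.get(key)
        if isinstance(expected, dict):
            if not (isinstance(value, dict) and matches_pattern(value, expected)):
                return False
        elif value not in expected:
            return False
    return True

def to_siem_record(event):
    """Flatten a finding into the fields a SIEM correlation rule typically keys on."""
    d, affected = event["detail"], event["detail"].get("resourcesAffected", {})
    return {
        "finding_id": d["id"], "account": event["account"], "region": event["region"],
        "category": d["category"], "type": d["type"],
        "severity": d["severity"]["description"],
        "bucket": affected.get("s3Bucket", {}).get("name"),
        "object_key": affected.get("s3Object", {}).get("key"),
    }

def lambda_handler(event, context=None):
    """Lambda target: drop anything that is not a Macie finding, otherwise build the record."""
    if not matches_pattern(event, {"source": ["aws.macie"], "detail-type": ["Macie Finding"]}):
        return {"ignored": True}
    return {"ignored": False, "record": to_siem_record(event)}  # hand the record to your SIEM client
```

The handler re-checks source and detail-type itself so a misconfigured rule cannot push unrelated events into the SIEM path.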
Creating Amazon EventBridge rules for finding events
The following procedures explain how to use the Amazon EventBridge console and the AWS Command Line Interface (AWS CLI) to create an EventBridge rule for Amazon Macie findings. The rule detects events that use the event schema and pattern for Macie findings, and sends those events to an AWS Lambda function for processing.

AWS Lambda is a compute service that you can use to run code without provisioning or managing servers. You package your code and upload it to AWS Lambda as a Lambda function. AWS Lambda then runs the function when the function is invoked. A function can be invoked manually by you, automatically in response to events, or in response to requests from applications or services. For information about creating and invoking Lambda functions, see the AWS Lambda Developer Guide.
Console

This procedure explains how to use the Amazon EventBridge console to create a rule that automatically sends all Macie finding events to a Lambda function for processing. The rule uses default settings for rules that run when specific events are received. For details about rule settings or to learn how to create a rule that uses custom settings, see Creating rules that react to events in the Amazon EventBridge User Guide.

You can also create a rule that uses a custom pattern to detect and act upon only a subset of Macie finding events. This subset can be based on specific fields that Macie includes in a finding event. To learn about the available fields, see EventBridge event schema for findings. To learn how to create this type of rule, see Content filtering in event patterns in the Amazon EventBridge User Guide.

Before you create this rule, create the Lambda function that you want the rule to use as a target. When you create the rule, you'll need to specify this function as the target for the rule.

To create an event rule by using the console

1. Open the Amazon EventBridge console at https://console.aws.amazon.com/events/.
2. In the navigation pane, under Events, choose Rules.
3. In the Rules section, choose Create rule.
4. On the Define rule detail page, do the following:
   - For Name, enter a name for the rule.
   - (Optional) For Description, enter a brief description of the rule.
   - For Event bus, ensure that default is selected and Enable the rule on the selected event bus is turned on.
   - For Rule type, choose Rule with an event pattern.
   When you finish, choose Next.
5. On the Build event pattern page, do the following:
   - For Event source, choose AWS events or EventBridge partner.
   - (Optional) For Sample event, review a sample finding event for Macie to learn what an event might contain. To do this, choose AWS events. Then, for Sample events, choose Macie Finding.
   - For Event pattern, choose Event pattern form. Then enter the following settings:
     - For Event source, choose AWS services.
     - For AWS service, enter Macie.
     - For Event type, enter Macie Finding.
   When you finish, choose Next.
6. On the Select targets page, do the following:
   - For Target types, choose AWS service.
   - For Select a target, enter Lambda function. Then, for Function, choose the Lambda function that you want to send finding events to.
   - For Configure version/alias, enter version and alias settings for the target Lambda function.
   - (Optional) For Additional settings, enter custom settings to specify which event data you want to send to the Lambda function. You can also specify how to handle events that aren't delivered to the function successfully.
   When you finish, choose Next.
7. On the Configure tags page, optionally enter one or more tags to assign to the rule. Then choose Next.
8. On the Review and create page, review the rule's settings and verify that they're correct.
   To change a setting, choose Edit in the section that contains the setting, and then enter the correct setting. You can also use the navigation tabs to go to the page that contains a setting.
9. When you finish verifying the settings, choose Create rule.
AWS CLI

This procedure explains how to use the AWS CLI to create an EventBridge rule that sends all Macie finding events to a Lambda function for processing. The rule uses default settings for rules that run when specific events are received. In the procedure, the commands are formatted for Microsoft Windows. For Linux, macOS, or Unix, replace the caret (^) line-continuation character with a backslash (\).

Before you create this rule, create the Lambda function that you want the rule to use as a target. When you create the function, note the Amazon Resource Name (ARN) of the function. You'll need to enter this ARN when you specify the target for the rule.
To create an event rule by using the AWS CLI

1. Create a rule that detects events for all the findings that Macie publishes to EventBridge. To do this, use the EventBridge put-rule command. For example:

   C:\> aws events put-rule ^
        --name MacieFindings ^
        --event-pattern "{\"source\":[\"aws.macie\"]}"

   Where MacieFindings is the name that you want for the rule.

   If the command runs successfully, EventBridge responds with the ARN of the rule. Note this ARN. You'll need to enter it in step 3.

   You can also create a rule that uses a custom pattern to detect and act upon only a subset of Macie finding events. This subset can be based on specific fields that Macie includes in a finding event. To learn about the available fields, see EventBridge event schema for findings. To learn how to create this type of rule, see Content filtering in event patterns in the Amazon EventBridge User Guide.

2. Specify the Lambda function to use as a target for the rule. To do this, use the EventBridge put-targets command. For example:

   C:\> aws events put-targets ^
        --rule MacieFindings ^
        --targets Id=1,Arn=arn:aws:lambda:regionalEndpoint:accountID:function:my-findings-function

   Where MacieFindings is the name that you specified for the rule in step 1, and the value for the Arn parameter is the ARN of the function that you want the rule to use as a target.

3. Add permissions that allow the rule to invoke the target Lambda function. To do this, use the Lambda add-permission command. For example:

   C:\> aws lambda add-permission ^
        --function-name my-findings-function ^
        --statement-id Sid ^
        --action lambda:InvokeFunction ^
        --principal events.amazonaws.com ^
        --source-arn arn:aws:events:regionalEndpoint:accountId:rule/MacieFindings

   Where:
   - my-findings-function is the name of the Lambda function that you want the rule to use as a target.
   - Sid is a statement identifier that you define to describe the statement in the Lambda function policy.
   - source-arn is the ARN of the EventBridge rule (the ARN that put-rule returned in step 1). Including it scopes the permission to this one rule, so no other rule acting through the events.amazonaws.com principal can invoke the function.

   If the command runs successfully, you receive output similar to the following:

   {
       "Statement": "{\"Sid\":\"sid\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"events.amazonaws.com\"},\"Action\":\"lambda:InvokeFunction\",\"Resource\":\"arn:aws:lambda:us-east-1:111122223333:function:my-findings-function\",\"Condition\":{\"ArnLike\":{\"AWS:SourceArn\":\"arn:aws:events:us-east-1:111122223333:rule/MacieFindings\"}}}"
   }

   The Statement value is a JSON string version of the statement that was added to the Lambda function policy.