Processing Macie findings with Amazon EventBridge - Amazon Macie

Processing Macie findings with Amazon EventBridge

Amazon EventBridge, formerly Amazon CloudWatch Events, is a serverless event bus service. EventBridge delivers a stream of real-time data from applications and services, and routes that data to targets such as AWS Lambda functions, Amazon Simple Notification Service (Amazon SNS) topics, and Amazon Kinesis streams. To learn more about EventBridge, see the Amazon EventBridge User Guide.

With EventBridge, you can automate monitoring and processing of certain types of events. This includes events that Amazon Macie publishes automatically for new policy findings and sensitive data findings. This also includes events that Macie publishes automatically for subsequent occurrences of existing policy findings. For details about how and when Macie publishes these events, see Configuring publication settings for findings.

By using EventBridge and the events that Macie publishes for findings, you can monitor and process findings in near real time. You can then act upon findings by using other applications and services. For example, you might use EventBridge to send specific types of new findings to an AWS Lambda function. The Lambda function might then process and send the data to your security information and event management (SIEM) system. If you integrate AWS User Notifications with Macie, you can also use the events to be notified of findings automatically through delivery channels that you specify.

In addition to automated monitoring and processing, use of EventBridge enables longer-term retention of your findings data. Macie stores findings for 90 days. With EventBridge, you can send findings data to your preferred storage platform and store the data for as long as you like.

Note

For long-term retention, also configure Macie to store your sensitive data discovery results in an S3 bucket. A sensitive data discovery result is a record that logs details about the analysis that Macie performed on an S3 object to determine whether the object contains sensitive data. To learn more, see Storing and retaining sensitive data discovery results.

Working with Amazon EventBridge

With Amazon EventBridge, you create rules that specify which events you want to monitor and which targets should perform automated actions when those events occur. A target is a destination that EventBridge sends events to.

To automate monitoring and processing tasks for findings, you can create an EventBridge rule that automatically detects Amazon Macie finding events and sends those events to another application or service for processing or other action. You can tailor the rule to send only those events that meet certain criteria. To do this, specify criteria that derive from the Amazon EventBridge event schema for Macie findings.

For example, you can create a rule that sends specific types of new findings to an AWS Lambda function. The Lambda function can then perform tasks such as: process and send the data to your SIEM system; automatically apply a certain type of server-side encryption to an S3 object; or, restrict access to an S3 object by changing the object's access control list (ACL). Or you can create a rule that automatically sends new high-severity findings to an Amazon SNS topic, which then notifies your incident response team of the finding.

In addition to invoking Lambda functions and notifying Amazon SNS topics, EventBridge supports other types of targets and actions, such as relaying events to Amazon Kinesis streams, activating AWS Step Functions state machines, and invoking the AWS Systems Manager run command. For information about supported targets, see Event bus targets in the Amazon EventBridge User Guide.

Creating Amazon EventBridge rules for Macie findings

The following procedures explain how to use the Amazon EventBridge console and the AWS Command Line Interface (AWS CLI) to create an EventBridge rule for Amazon Macie findings. The rule detects EventBridge events that use the event schema and pattern for Macie findings, and it sends those events to an AWS Lambda function for processing.

AWS Lambda is a compute service that you can use to run code without provisioning or managing servers. You package your code and upload it to AWS Lambda as a Lambda function. AWS Lambda then runs the function when the function is invoked. A function can be invoked manually by you, automatically in response to events, or in response to requests from applications or services. For information about creating and invoking Lambda functions, see the AWS Lambda Developer Guide.

Console

Follow these steps to use the Amazon EventBridge console to create a rule that automatically sends all Macie finding events to a Lambda function for processing. The rule uses default settings for rules that run when specific events are received. For details about rule settings or to learn how to create a rule that uses custom settings, see Creating rules that react to events in the Amazon EventBridge User Guide.

Tip

You can also create a rule that uses a custom pattern to detect and act upon only a subset of Macie finding events. This subset can be based on specific fields that Macie includes in a finding event. To learn about the available fields, see Amazon EventBridge event schema for Macie findings. To learn about using custom patterns in rules, see Creating event patterns in the Amazon EventBridge User Guide.

Before you create this rule, create the Lambda function that you want the rule to use as a target. When you create the rule, you'll need to specify this function as the target for the rule.

To create an event rule by using the console
  1. Open the Amazon EventBridge console at https://console.aws.amazon.com/events/.

  2. In the navigation pane, under Buses, choose Rules.

  3. In the Rules section, choose Create rule.

  4. On the Define rule detail page, do the following:

    • For Name, enter a name for the rule.

    • (Optional) For Description, enter a brief description of the rule.

    • For Event bus, ensure that default is selected and Enable the rule on the selected event bus is turned on.

    • For Rule type, choose Rule with an event pattern.

  5. When you finish, choose Next.

  6. On the Build event pattern page, do the following:

    • For Event source, choose AWS events or EventBridge partner events.

    • (Optional) For Sample event, review a sample finding event for Macie to learn what an event might contain. To do this, choose AWS events. Then, for Sample events, choose Macie Finding.

    • For Creation method, choose Use pattern form.

    • For Event pattern, enter the following settings:

      • For Event source, choose AWS services.

      • For AWS service, choose Macie.

      • For Event type, choose Macie Finding.

  7. When you finish, choose Next.

  8. On the Select targets page, do the following:

    • For Target types, choose AWS service.

    • For Select a target, choose Lambda function. Then, for Function, choose the Lambda function that you want to send finding events to.

    • For Configure version/alias, enter version and alias settings for the target Lambda function.

    • (Optional) For Additional settings, enter custom settings to specify which event data you want to send to the Lambda function. You can also specify how to handle events that aren't delivered to the function successfully.

  9. When you finish, choose Next.

  10. On the Configure tags page, optionally enter one or more tags to assign to the rule. Then choose Next.

  11. On the Review and create page, review the rule’s settings and verify that they're correct.

    To change a setting, choose Edit in the section that contains the setting, and then enter the correct setting. You can also use the navigation tabs to go to the page that contains a setting.

  12. When you finish verifying the settings, choose Create rule.

AWS CLI

Follow these steps to use the AWS CLI to create an EventBridge rule that sends all Macie finding events to a Lambda function for processing. The rule uses default settings for rules that run when specific events are received. In this procedure, the commands are formatted for Microsoft Windows. For Linux, macOS, or Unix, replace the caret (^) line-continuation character with a backslash (\).

Before you create this rule, create the Lambda function that you want the rule to use as a target. When you create the function, note the Amazon Resource Name (ARN) of the function. You'll need to enter this ARN when you specify the target for the rule.

To create an event rule by using the AWS CLI
  1. Create a rule that detects events for all the findings that Macie publishes to EventBridge. To do this, run the EventBridge put-rule command. For example:

    C:\> aws events put-rule ^
         --name MacieFindings ^
         --event-pattern "{\"source\":[\"aws.macie\"]}"

    Where MacieFindings is the name that you want for the rule.

    Tip

    You can also create a rule that uses a custom pattern (event-pattern) to detect and act upon only a subset of Macie finding events. This subset can be based on specific fields that Macie includes in a finding event. To learn about the available fields, see Amazon EventBridge event schema for Macie findings. To learn about using custom patterns in rules, see Creating event patterns in the Amazon EventBridge User Guide.

    If the command runs successfully, EventBridge responds with the ARN of the rule. Note this ARN. You'll need to enter it in step 3.

  2. Specify the Lambda function to use as a target for the rule. To do this, run the EventBridge put-targets command. For example:

    C:\> aws events put-targets ^
         --rule MacieFindings ^
         --targets Id=1,Arn=arn:aws:lambda:regionalEndpoint:accountId:function:my-findings-function

    Where MacieFindings is the name that you specified for the rule in step 1, and the value for the Arn parameter is the ARN of the function that you want the rule to use as a target.

  3. Add permissions that allow the rule to invoke the target Lambda function. To do this, run the Lambda add-permission command. For example:

    C:\> aws lambda add-permission ^
         --function-name my-findings-function ^
         --statement-id Sid ^
         --action lambda:InvokeFunction ^
         --principal events.amazonaws.com ^
         --source-arn arn:aws:events:regionalEndpoint:accountId:rule/MacieFindings

    Where:

    • my-findings-function is the name of the Lambda function that you want the rule to use as a target.

    • Sid is a statement identifier that you define to describe the statement in the Lambda function policy.

    • source-arn is the ARN of the EventBridge rule that you created in step 1. Note that rule ARNs use a slash before the rule name (rule/MacieFindings), as shown in the output below.

    If the command runs successfully, you receive output similar to the following:

    { "Statement": "{\"Sid\":\"sid\", \"Effect\":\"Allow\", \"Principal\":{\"Service\":\"events.amazonaws.com\"}, \"Action\":\"lambda:InvokeFunction\", \"Resource\":\"arn:aws:lambda:us-east-1:111122223333:function:my-findings-function\", \"Condition\": {\"ArnLike\": {\"AWS:SourceArn\": \"arn:aws:events:us-east-1:111122223333:rule/MacieFindings\"}}}" }

    The Statement value is a JSON string version of the statement that was added to the Lambda function policy.
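As an added example (not code from this page or from AWS), the following Python puts the two Tips above into practice: a custom event pattern that narrows the rule to high-severity sensitive data findings, a simplified matcher that shows how EventBridge evaluates such a pattern, and a Lambda handler that flattens a finding event into a record a SIEM can ingest. The field names under detail (category, severity.description, resourcesAffected, count) are assumed to follow the Macie finding event schema, and the sample event is constructed.

```python
# Custom event pattern for the rule: sensitive data findings rated High only.
# Field names under "detail" are assumed to follow the Macie finding schema.
HIGH_SENSITIVE_PATTERN = {
    "source": ["aws.macie"],
    "detail-type": ["Macie Finding"],
    "detail": {"category": ["CLASSIFICATION"], "severity": {"description": ["High"]}},
}

# Constructed sample event (not a real finding); all values are placeholders.
SAMPLE_EVENT = {
    "source": "aws.macie", "detail-type": "Macie Finding",
    "account": "111122223333", "region": "us-east-1",
    "detail": {
        "id": "EXAMPLE-FINDING-ID", "type": "SensitiveData:S3Object/Personal",
        "category": "CLASSIFICATION", "severity": {"score": 3, "description": "High"},
        "accountId": "111122223333", "region": "us-east-1", "count": 2,
        "resourcesAffected": {"s3Bucket": {"name": "example-bucket"},
                              "s3Object": {"key": "hr/payroll.csv"}},
    },
}


def matches_pattern(event, pattern):
    """Simplified EventBridge matching: every pattern key must exist in the event,
    a list means any of these exact values, a nested dict recurses.
    Prefix, numeric and anything-but matchers are not implemented."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        if isinstance(expected, dict):
            if not isinstance(event[key], dict) or not matches_pattern(event[key], expected):
                return False
        elif event[key] not in expected:
            return False
    return True


def handler(event, context=None):
    """Lambda target: flatten a Macie finding event into a record a SIEM can ingest.
    Returns None for anything that is not a Macie finding (defensive check)."""
    if event.get("source") != "aws.macie" or event.get("detail-type") != "Macie Finding":
        return None
    d, res = event["detail"], event["detail"].get("resourcesAffected", {})
    return {
        "finding_id": d["id"], "type": d["type"], "severity": d["severity"]["description"],
        "account": d["accountId"], "region": d["region"], "occurrences": d.get("count", 1),
        "bucket": res.get("s3Bucket", {}).get("name"),
        "object_key": res.get("s3Object", {}).get("key"),
    }
```

To use the pattern with the CLI procedure above, pass it JSON-encoded as the --event-pattern value in step 1; the handler's defensive source check is there because the rule, not the function, is what guarantees the event type.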