Processing Macie findings with Amazon EventBridge
Amazon EventBridge, formerly Amazon CloudWatch Events, is a serverless event bus service. EventBridge delivers a stream of real-time data from applications and services, and routes that data to targets such as AWS Lambda functions, Amazon Simple Notification Service (Amazon SNS) topics, and Amazon Kinesis streams. To learn more about EventBridge, see the Amazon EventBridge User Guide.
With EventBridge, you can automate monitoring and processing of certain types of events. This includes events that Amazon Macie publishes automatically for new policy findings and sensitive data findings. This also includes events that Macie publishes automatically for subsequent occurrences of existing policy findings. For details about how and when Macie publishes these events, see Configuring publication settings for findings.
By using EventBridge and the events that Macie publishes for findings, you can monitor and process findings in near real time. You can then act upon findings by using other applications and services. For example, you might use EventBridge to send specific types of new findings to an AWS Lambda function. The Lambda function might then process and send the data to your security information and event management (SIEM) system. If you integrate AWS User Notifications with Macie, you can also use the events to be notified of findings automatically through delivery channels that you specify.
In addition to automated monitoring and processing, use of EventBridge enables longer-term retention of your findings data. Macie stores findings for 90 days. With EventBridge, you can send findings data to your preferred storage platform and store the data for as long as you like.

For long-term retention, also configure Macie to store your sensitive data discovery results in an S3 bucket. A sensitive data discovery result is a record that logs details about the analysis that Macie performed on an S3 object to determine whether the object contains sensitive data. To learn more, see Storing and retaining sensitive data discovery results.
Working with Amazon EventBridge
With Amazon EventBridge, you create rules to specify which events you want to monitor and which targets should perform automated actions when those events occur. A target is a destination that EventBridge sends events to.

To automate monitoring and processing tasks for findings, you can create an EventBridge rule that automatically detects Amazon Macie finding events and sends those events to another application or service for processing or other action. You can tailor the rule to send only those events that meet certain criteria. To do this, specify criteria that derive from the Amazon EventBridge event schema for Macie findings.
For example, you can create a rule that sends specific types of new findings to an AWS Lambda function. The Lambda function can then perform tasks such as processing and sending the data to your SIEM system, automatically applying a certain type of server-side encryption to an S3 object, or restricting access to an S3 object by changing the object's access control list (ACL). Or you can create a rule that automatically sends new high-severity findings to an Amazon SNS topic, which then notifies your incident response team of the finding.
In addition to invoking Lambda functions and notifying Amazon SNS topics, EventBridge supports other types of targets and actions, such as relaying events to Amazon Kinesis streams, activating AWS Step Functions state machines, and invoking the AWS Systems Manager run command. For information about supported targets, see Event bus targets in the Amazon EventBridge User Guide.
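The Lambda target described above, as an added example that is not part of the Macie documentation: a handler that receives a Macie finding event from EventBridge, validates that it really is a Macie finding, and flattens it into a record a SIEM can ingest. The field names it reads (detail.category, detail.type, detail.severity, detail.count, detail.resourcesAffected) are the ones Macie places in finding events; the sample event and the function names are constructed here.

```python
"""Added example: normalise an EventBridge 'Macie Finding' event for a SIEM (not AWS code)."""
import json


class NotAMacieFinding(ValueError):
    """Raised when an invocation did not come from the Macie finding rule."""


def normalize_finding(event):
    """Flatten the Macie finding event into a SIEM-friendly record."""
    if event.get("source") != "aws.macie" or event.get("detail-type") != "Macie Finding":
        raise NotAMacieFinding(f"unexpected event: {event.get('source')} / {event.get('detail-type')}")
    d = event["detail"]
    resources = d.get("resourcesAffected", {})
    count = d.get("count", 1)
    return {
        "finding_id": d["id"],
        "account": d["accountId"],
        "region": d["region"],
        "category": d["category"],  # "CLASSIFICATION" (sensitive data) or "POLICY"
        "type": d["type"],
        "severity": d["severity"]["description"],
        "severity_score": d["severity"]["score"],
        "bucket": resources.get("s3Bucket", {}).get("name"),
        "object_key": resources.get("s3Object", {}).get("key"),  # absent for bucket-level policy findings
        "occurrences": count,
        # Macie re-publishes a policy finding when it recurs; count > 1 marks such an update.
        "is_recurrence": count > 1,
        "observed_at": d.get("updatedAt", d.get("createdAt")),
    }


def lambda_handler(event, context):
    """Entry point EventBridge invokes. Skips non-Macie events instead of failing the invocation."""
    try:
        record = normalize_finding(event)
    except NotAMacieFinding as exc:
        print(f"skipping: {exc}")
        return {"forwarded": False}
    print(json.dumps(record))  # stand-in for the call that delivers the record to the SIEM
    return {"forwarded": True, "record": record}


SAMPLE_EVENT = {  # constructed sample of a recurring high-severity policy finding
    "source": "aws.macie", "detail-type": "Macie Finding",
    "detail": {"id": "finding-id-placeholder", "accountId": "111122223333", "region": "us-east-1",
               "category": "POLICY", "type": "Policy:IAMUser/S3BucketPublic",
               "severity": {"description": "High", "score": 3}, "count": 2,
               "createdAt": "2024-01-01T00:00:00Z", "updatedAt": "2024-01-02T00:00:00Z",
               "resourcesAffected": {"s3Bucket": {"name": "example-bucket"}}},
}
```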
Creating Amazon EventBridge rules for Macie findings
The following procedures explain how to use the Amazon EventBridge console and the AWS Command Line Interface (AWS CLI) to create an EventBridge rule for Amazon Macie findings. The rule detects EventBridge events that use the event schema and pattern for Macie findings, and it sends those events to an AWS Lambda function for processing.

AWS Lambda is a compute service that you can use to run code without provisioning or managing servers. You package your code and upload it to AWS Lambda as a Lambda function. AWS Lambda then runs the function when the function is invoked. A function can be invoked manually by you, automatically in response to events, or in response to requests from applications or services. For information about creating and invoking Lambda functions, see the AWS Lambda Developer Guide.
Console

Follow these steps to use the Amazon EventBridge console to create a rule that automatically sends all Macie finding events to a Lambda function for processing. The rule uses default settings for rules that run when specific events are received. For details about rule settings or to learn how to create a rule that uses custom settings, see Creating rules that react to events in the Amazon EventBridge User Guide.

You can also create a rule that uses a custom pattern to detect and act upon only a subset of Macie finding events. This subset can be based on specific fields that Macie includes in a finding event. To learn about the available fields, see Amazon EventBridge event schema for Macie findings. To learn about using custom patterns in rules, see Creating event patterns in the Amazon EventBridge User Guide.

Before you create this rule, create the Lambda function that you want the rule to use as a target. When you create the rule, you'll need to specify this function as the target for the rule.
To create an event rule by using the console

1. Open the Amazon EventBridge console at https://console.aws.amazon.com/events/.
2. In the navigation pane, under Buses, choose Rules.
3. In the Rules section, choose Create rule.
4. On the Define rule detail page, do the following:
   - For Name, enter a name for the rule.
   - (Optional) For Description, enter a brief description of the rule.
   - For Event bus, ensure that default is selected and Enable the rule on the selected event bus is turned on.
   - For Rule type, choose Rule with an event pattern.
   - When you finish, choose Next.
5. On the Build event pattern page, do the following:
   - For Event source, choose AWS events or EventBridge partner events.
   - (Optional) For Sample event, review a sample finding event for Macie to learn what an event might contain. To do this, choose AWS events. Then, for Sample events, choose Macie Finding.
   - For Creation method, choose Use pattern form.
   - For Event pattern, enter the following settings:
     - For Event source, choose AWS services.
     - For AWS service, choose Macie.
     - For Event type, choose Macie Finding.
   - When you finish, choose Next.
6. On the Select targets page, do the following:
   - For Target types, choose AWS service.
   - For Select a target, choose Lambda function. Then, for Function, choose the Lambda function that you want to send finding events to.
   - For Configure version/alias, enter version and alias settings for the target Lambda function.
   - (Optional) For Additional settings, enter custom settings to specify which event data you want to send to the Lambda function. You can also specify how to handle events that aren't delivered to the function successfully.
   - When you finish, choose Next.
7. On the Configure tags page, optionally enter one or more tags to assign to the rule. Then choose Next.
8. On the Review and create page, review the rule's settings and verify that they're correct. To change a setting, choose Edit in the section that contains the setting, and then enter the correct setting. You can also use the navigation tabs to go to the page that contains a setting.
9. When you finish verifying the settings, choose Create rule.
AWS CLI

Follow these steps to use the AWS CLI to create an EventBridge rule that sends all Macie finding events to a Lambda function for processing. The rule uses default settings for rules that run when specific events are received. In this procedure, the commands are formatted for Microsoft Windows. For Linux, macOS, or Unix, replace the caret (^) line-continuation character with a backslash (\).

Before you create this rule, create the Lambda function that you want the rule to use as a target. When you create the function, note the Amazon Resource Name (ARN) of the function. You'll need to enter this ARN when you specify the target for the rule.
To create an event rule by using the AWS CLI

1. Create a rule that detects events for all the findings that Macie publishes to EventBridge. To do this, run the EventBridge put-rule command. For example:

       C:\> aws events put-rule ^
              --name MacieFindings ^
              --event-pattern "{\"source\":[\"aws.macie\"]}"

   Where MacieFindings is the name that you want for the rule.

   You can also create a rule that uses a custom pattern (event-pattern) to detect and act upon only a subset of Macie finding events. This subset can be based on specific fields that Macie includes in a finding event. To learn about the available fields, see Amazon EventBridge event schema for Macie findings. To learn about using custom patterns in rules, see Creating event patterns in the Amazon EventBridge User Guide.

   If the command runs successfully, EventBridge responds with the ARN of the rule. Note this ARN. You'll need to enter it in step 3.
2. Specify the Lambda function to use as a target for the rule. To do this, run the EventBridge put-targets command. For example:

       C:\> aws events put-targets ^
              --rule MacieFindings ^
              --targets Id=1,Arn=arn:aws:lambda:regionalEndpoint:accountId:function:my-findings-function

   Where MacieFindings is the name that you specified for the rule in step 1, and the value for the Arn parameter is the ARN of the function that you want the rule to use as a target.
3. Add permissions that allow the rule to invoke the target Lambda function. To do this, run the Lambda add-permission command. For example:

       C:\> aws lambda add-permission ^
              --function-name my-findings-function ^
              --statement-id Sid ^
              --action lambda:InvokeFunction ^
              --principal events.amazonaws.com ^
              --source-arn arn:aws:events:regionalEndpoint:accountId:rule/MacieFindings

   Where:

   - my-findings-function is the name of the Lambda function that you want the rule to use as a target.
   - Sid is a statement identifier that you define to describe the statement in the Lambda function policy.
   - source-arn is the ARN of the EventBridge rule (the value that the put-rule command returned in step 1; note that a rule ARN uses rule/ followed by the rule name).

   If the command runs successfully, you receive output similar to the following:

       {
           "Statement": "{\"Sid\":\"Sid\",
           \"Effect\":\"Allow\",
           \"Principal\":{\"Service\":\"events.amazonaws.com\"},
           \"Action\":\"lambda:InvokeFunction\",
           \"Resource\":\"arn:aws:lambda:us-east-1:111122223333:function:my-findings-function\",
           \"Condition\":
           {\"ArnLike\":
           {\"AWS:SourceArn\":
           \"arn:aws:events:us-east-1:111122223333:rule/MacieFindings\"}}}"
       }

   The Statement value is a JSON string version of the statement that was added to the Lambda function policy.
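Both the console and the AWS CLI procedures mention narrowing a rule with a custom event pattern. As an added example that is not part of the Macie documentation, the following matcher implements the subset of EventBridge pattern semantics such a Macie rule typically relies on (exact-value lists, nested objects, and the prefix and numeric content filters), so a pattern can be checked against sample finding events offline before the rule is created. The pattern, the sample events, and the function names are constructed here.

```python
"""Added example: check an EventBridge event pattern against Macie finding events (not AWS code)."""
import operator

_OPS = {"<": operator.lt, "<=": operator.le, "=": operator.eq, ">": operator.gt, ">=": operator.ge}


def _value_matches(alternatives, value):
    """True if the event value satisfies one alternative: a literal, {"prefix": ...} or {"numeric": [...]}."""
    for alt in alternatives:
        if isinstance(alt, dict):
            if "prefix" in alt and isinstance(value, str) and value.startswith(alt["prefix"]):
                return True
            if "numeric" in alt and isinstance(value, (int, float)) and not isinstance(value, bool):
                conds = alt["numeric"]  # e.g. [">=", 3] or [">", 0, "<=", 5]
                if all(_OPS[conds[i]](value, conds[i + 1]) for i in range(0, len(conds), 2)):
                    return True
        elif alt == value:
            return True
    return False


def matches(pattern, event):
    """EventBridge semantics: every key in the pattern must exist in the event and match;
    keys the pattern does not mention are unconstrained."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        else:
            candidates = actual if isinstance(actual, list) else [actual]  # any array element may match
            if not any(_value_matches(expected, v) for v in candidates):
                return False
    return True


# Custom pattern: only high-severity sensitive data findings, not policy findings.
HIGH_SENSITIVE_DATA = {
    "source": ["aws.macie"],
    "detail-type": ["Macie Finding"],
    "detail": {"category": ["CLASSIFICATION"],
               "type": [{"prefix": "SensitiveData:"}],
               "severity": {"score": [{"numeric": [">=", 3]}]}},
}


def sample_event(category, finding_type, score):
    """Constructed finding event carrying the fields the pattern above inspects."""
    label = {1: "Low", 2: "Medium", 3: "High"}[score]
    return {"source": "aws.macie", "detail-type": "Macie Finding",
            "detail": {"category": category, "type": finding_type,
                       "severity": {"score": score, "description": label}}}
```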