Configuring publication settings for Macie findings - Amazon Macie

Configuring publication settings for Macie findings

To support integration with other applications, services, and systems, Amazon Macie automatically publishes both policy findings and sensitive data findings to Amazon EventBridge as events. For information about how you can use EventBridge to monitor and process findings, see Processing findings with Amazon EventBridge.

You can configure Macie to automatically publish findings to AWS Security Hub too, using destination options that you specify in the publication settings for your account. With these options, you can configure Macie to publish only policy findings, only sensitive data findings, or both policy and sensitive data findings to Security Hub. You can also configure Macie to stop publishing any findings to Security Hub. For information about how you can use Security Hub to evaluate and process findings, see Evaluating findings with AWS Security Hub.

For policy findings, the timing with which Macie publishes a finding to another AWS service depends on whether the finding is new and the publication frequency that you specify for your account. For sensitive data findings, the timing is always immediate—Macie publishes a sensitive data finding immediately after it finishes processing the finding. Unlike policy findings, Macie treats all sensitive data findings as new (unique).

Note that Macie doesn't publish policy or sensitive data findings that are archived automatically by a suppression rule. In other words, Macie doesn't publish suppressed findings to other AWS services.

Choosing publication destinations for findings

You can configure Amazon Macie to automatically publish policy and sensitive data findings to AWS Security Hub in addition to Amazon EventBridge. By default, Macie publishes only new and updated policy findings to Security Hub. To change or extend the default configuration, adjust the publication destination settings for your account.

When you adjust your destination settings, you choose the categories of findings that you want Macie to publish to Security Hub—only policy findings, only sensitive data findings, or both policy and sensitive data findings. You can also choose to stop publishing any category of finding to Security Hub.

If you change your destination settings, your change applies only to the current AWS Region. If you're the Macie administrator for an organization, your change applies only to your account. It doesn't apply to any member accounts in your organization. For more information, see Managing multiple accounts.

To choose publication destinations for findings

Follow these steps to change your destination settings by using the Amazon Macie console. To do this programmatically, use the PutFindingsPublicationConfiguration operation of the Amazon Macie API.

  1. Open the Amazon Macie console at https://console.aws.amazon.com/macie/.

  2. In the navigation pane, choose Settings.

  3. In the Publication of findings section, under Destinations, choose from the following options:

    • Publish policy findings to Security Hub – Select this check box to start publishing new and updated policy findings to Security Hub automatically. To stop publishing new and updated policy findings to Security Hub, clear this check box.

      If you select this check box and you have existing policy findings, Macie doesn't publish them to Security Hub. Instead, Macie publishes only those policy findings that it creates or updates after you save your change.

    • Publish sensitive data findings to Security Hub – Select this check box to start publishing new sensitive data findings to Security Hub automatically. To stop publishing new sensitive data findings to Security Hub, clear this check box.

      If you select this check box and you have existing sensitive data findings, Macie doesn't publish them to Security Hub. Instead, Macie publishes only those sensitive data findings that it creates after you save your change.

  4. Choose Save.

If you chose to publish any category of finding to Security Hub, make sure that you also enable Security Hub in the current Region and configure it to accept findings from Macie. Otherwise, you won't be able to access the findings in Security Hub. To learn how to accept findings in Security Hub, see Enabling and managing integrations in the AWS Security Hub User Guide.

Changing the publication frequency for findings

In Amazon Macie, each finding has a unique identifier. Macie uses this identifier to determine when to publish a finding to another AWS service:

  • New findings – When Macie creates a new policy or sensitive data finding, it assigns a unique identifier to the finding as part of processing the finding. Immediately after Macie finishes processing the finding, it publishes the finding to Amazon EventBridge as a new event. Depending on the publication settings for your account, Macie also publishes the finding as a new finding in AWS Security Hub.

  • Updated findings – When Macie detects a subsequent occurrence of an existing policy finding, it updates the existing finding by adding details about the subsequent occurrence and incrementing the count of occurrences. Macie also publishes these updates to the existing EventBridge event and, depending on the publication settings for your account, the existing Security Hub finding. By default, Macie publishes updates every 15 minutes as part of a recurring publication cycle. This means any policy findings that are updated after the most recent publication cycle will be held, updated again as necessary, and included in the next publication cycle (approximately 15 minutes later).

You can change the frequency with which Macie publishes updates to existing policy findings in other AWS services. For example, you might configure Macie to publish the updates every hour. If you do this and a publication occurs at 12:00, any updates that occur after 12:00 are published at 13:00.

If you change the frequency, your change applies only to the current AWS Region. If you're the Macie administrator for an organization, your change also applies to all member accounts in your organization. For more information, see Managing multiple accounts.

To change the publication frequency for updated findings

Follow these steps to change the publication frequency by using the Amazon Macie console. To do this programmatically, use the UpdateMacieSession operation of the Amazon Macie API.

  1. Open the Amazon Macie console at https://console.aws.amazon.com/macie/.

  2. In the navigation pane, choose Settings.

  3. In the Publication of findings section, under Update frequency for policy findings, choose how often you want Macie to publish updates to policy findings in other AWS services.

  4. Choose Save.
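As an added example (not code from the Macie documentation), the following Python audits one account's destination and frequency settings, covering both procedures above: it compares them with a desired baseline and builds the request bodies for the two API operations this page names. The field names securityHubConfiguration.publishPolicyFindings / publishClassificationFindings and findingPublishingFrequency are those of the Macie API's GetFindingsPublicationConfiguration / PutFindingsPublicationConfiguration and GetMacieSession / UpdateMacieSession operations; the baseline values and sample responses are constructed, and no AWS call is made.

```python
# Constructed sample responses (not real account data): an account on Macie's
# defaults, i.e. only policy findings go to Security Hub, 15-minute update cycle.
SAMPLE_PUB_CONFIG = {"securityHubConfiguration": {
    "publishClassificationFindings": False,   # sensitive data findings
    "publishPolicyFindings": True}}
SAMPLE_SESSION = {"findingPublishingFrequency": "FIFTEEN_MINUTES", "status": "ENABLED"}

# Assumed baseline for this example: both categories to Security Hub, hourly updates.
BASELINE_HUB = {"publishPolicyFindings": True, "publishClassificationFindings": True}
BASELINE_FREQUENCY = "ONE_HOUR"
FREQUENCY_MINUTES = {"FIFTEEN_MINUTES": 15, "ONE_HOUR": 60, "SIX_HOURS": 360}


def audit_account(pub_config: dict, session: dict) -> list:
    """Compare one account/Region with the baseline.
    pub_config is a GetFindingsPublicationConfiguration response, session a
    GetMacieSession response. Returns (operation, request body) pairs for the
    PutFindingsPublicationConfiguration / UpdateMacieSession calls that would
    bring the account in line. Destination settings are per account and per
    Region; a Macie administrator's frequency change also covers members.
    """
    fixes = []
    hub = pub_config.get("securityHubConfiguration", {})
    current_hub = {k: bool(hub.get(k, False)) for k in BASELINE_HUB}
    if current_hub != BASELINE_HUB:
        fixes.append(("PutFindingsPublicationConfiguration",
                      {"securityHubConfiguration": dict(BASELINE_HUB)}))
    if session.get("findingPublishingFrequency") != BASELINE_FREQUENCY:
        fixes.append(("UpdateMacieSession",
                      {"findingPublishingFrequency": BASELINE_FREQUENCY}))
    return fixes


def _minutes(hhmm: str) -> int:
    hours, minutes = hhmm.split(":")
    return int(hours) * 60 + int(minutes)


def next_publication(last_cycle: str, updated_at: str, frequency: str) -> str:
    """Return the "HH:MM" at which an update to an existing policy finding is published.
    Updates made after a publication cycle are held until the next one: with
    ONE_HOUR and a cycle at 12:00, an update at 12:20 goes out at 13:00.
    Cycles are modelled as exactly periodic from last_cycle (a simplification).
    """
    step = FREQUENCY_MINUTES[frequency]
    cycle, target = _minutes(last_cycle), _minutes(updated_at)
    while cycle <= target:
        cycle += step
    cycle %= 24 * 60
    return f"{cycle // 60:02d}:{cycle % 60:02d}"
```

Run audit_account over each account and Region you administer and feed the returned bodies to the corresponding API calls; a non-empty result means the account is still on settings that differ from your baseline.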