Configuring publication settings for Amazon Macie findings - Amazon Macie

Configuring publication settings for Amazon Macie findings

To support integration with other applications, services, and systems, Amazon Macie automatically publishes both policy findings and sensitive data findings to Amazon EventBridge as events (formerly called Amazon CloudWatch Events). For information about how you can use EventBridge to monitor and process findings, see EventBridge integration.

You can configure Macie to automatically publish findings to AWS Security Hub too, using destination options that you specify in the publication settings for your account. With these options, you can configure Macie to publish only policy findings, only sensitive data findings, or both policy and sensitive data findings to Security Hub. You can also configure Macie to stop publishing any findings to Security Hub. For information about how you can use Security Hub to monitor and process findings, see Security Hub integration.

For policy findings, the timing with which Macie publishes a finding to another AWS service depends on whether the finding is new and on the publication frequency that you specify for your account. For sensitive data findings, the timing is always immediate: Macie publishes a sensitive data finding as soon as it finishes processing the finding. Macie treats every sensitive data finding, unlike a policy finding, as new (unique), because each one derives from an individual sensitive data discovery job and is never updated with later occurrences.

Note that Macie doesn't publish policy or sensitive data findings that are archived automatically by a suppression rule. In other words, Macie doesn't publish suppressed findings to other AWS services.

Choosing publication destinations for findings

You can configure Macie to automatically publish policy and sensitive data findings to Security Hub in addition to EventBridge. By default, Macie publishes only new and updated policy findings to Security Hub. To change or extend the default configuration, adjust the publication destination settings for your account.

When you adjust your destination settings, you choose the categories of findings that you want Macie to publish to Security Hub—only sensitive data findings, only policy findings, or both sensitive data and policy findings. You can also choose to stop publishing any category of finding to Security Hub.

If you change your destination settings, your change applies only to the current AWS Region. If you're the Macie administrator for an organization, your change applies only to your account. It doesn't apply to any associated member accounts. For more information, see Managing multiple accounts.

To choose publication destinations for findings

  1. Open the Macie console at https://console.aws.amazon.com/macie/.

  2. In the navigation pane, choose Settings.

  3. In the Publication of findings section, under Destinations, choose from the following options:

    • Publish policy findings to – Select the Security Hub check box to automatically publish new and updated policy findings to Security Hub. To stop publishing new and updated policy findings to Security Hub, clear this check box.

    • Publish sensitive data findings to – Select the Security Hub check box to automatically publish sensitive data findings to Security Hub. To stop publishing sensitive data findings to Security Hub, clear this check box.

  4. Choose Save.

If you chose to publish any category of finding to Security Hub, make sure that you also enable Security Hub in the current Region and configure it to accept the findings that Macie publishes. Otherwise, you won't be able to access the findings in Security Hub. To learn how to accept findings in Security Hub, see Managing product integrations in the AWS Security Hub User Guide.

Determining the publication frequency for findings

In Macie, each finding has a unique identifier. Macie uses this identifier to determine when to publish a finding to another AWS service:

  • New findings – When Macie creates a new policy or sensitive data finding, it assigns a unique identifier to the finding as part of processing the finding. Immediately after Macie finishes processing the finding, it publishes the finding as a new EventBridge event. Depending on the publication settings for your account, Macie also publishes the finding as a new finding in Security Hub.

  • Updated findings – When Macie detects a subsequent occurrence of an existing policy finding, it updates the existing finding by adding details about the subsequent occurrence and incrementing the count of occurrences. Macie also publishes these updates to the existing EventBridge event and, depending on the publication settings for your account, the existing Security Hub finding. Macie does this only for policy findings. Sensitive data findings, unlike policy findings, are all treated as new (unique) because they derive from individual sensitive data discovery jobs.

    By default, Macie publishes updated findings every 15 minutes as part of a recurring publication cycle. This means that any policy findings that are updated after the most recent publication cycle will be held, updated again as necessary, and included in the next publication cycle (approximately 15 minutes later). You can change this schedule by choosing a different publication frequency. For example, if you configure Macie to publish updated findings every hour and a publication occurs at 12:00, then any updates that occur after 12:00 are published at 13:00.

Note that neither of these cases applies to findings that are archived automatically by a suppression rule. Macie doesn't publish suppressed findings to other AWS services.

Changing the publication frequency for findings

You can change the schedule that Macie uses to publish updates to existing policy findings in other AWS services. By default, Macie publishes updated findings every 15 minutes. If you change this schedule, your change applies only to the current AWS Region. If you're the Macie administrator for an organization, your change also applies to all associated member accounts in the Region. For more information, see Managing multiple accounts.

To change the publication frequency for updated findings

  1. Open the Macie console at https://console.aws.amazon.com/macie/.

  2. In the navigation pane, choose Settings.

  3. In the Publication of findings section, under Update frequency for policy findings, choose how often you want Macie to publish updated policy findings to other AWS services.

  4. Choose Save.
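Both console procedures on this page (choosing Security Hub destinations, and changing the update frequency for policy findings) map onto two macie2 API operations, PutFindingsPublicationConfiguration and UpdateMacieSession, and the Security Hub side of the caveat above can be checked with DescribeHub and ListEnabledProductsForImport. The following script is an added example, not code from the Macie documentation or from AWS. It assumes boto3 is available with credentials for the account, uses us-east-1 as a placeholder Region, and assumes that the Macie integration appears in Security Hub as a product subscription ARN ending in product-subscription/aws/macie (an assumption about the ARN format, not something this page states). The pure helpers run without any AWS access; only apply_settings() and audit_security_hub() call AWS.

```python
"""Added example: set Macie finding publication settings through the macie2
API and check that Security Hub in the same Region will accept them.

validate_frequency, security_hub_config, plan_changes and publication_gaps
are pure and run offline; apply_settings() and audit_security_hub() need
boto3 and AWS credentials. The MACIE_SUBSCRIPTION_SUFFIX value is an
assumption about how Security Hub names the Macie product subscription."""

from __future__ import annotations

# Values accepted by UpdateMacieSession.findingPublishingFrequency.
FREQUENCIES = ("FIFTEEN_MINUTES", "ONE_HOUR", "SIX_HOURS")
MACIE_SUBSCRIPTION_SUFFIX = "product-subscription/aws/macie"  # assumed ARN form


def validate_frequency(frequency: str) -> str:
    """Normalise a frequency string and reject anything the API would refuse."""
    value = frequency.strip().upper().replace(" ", "_")
    if value not in FREQUENCIES:
        raise ValueError(f"frequency must be one of {FREQUENCIES}, got {frequency!r}")
    return value


def security_hub_config(publish_policy: bool, publish_sensitive: bool) -> dict:
    """Build securityHubConfiguration for PutFindingsPublicationConfiguration.
    Both False is the API equivalent of clearing both console check boxes."""
    return {
        "publishPolicyFindings": bool(publish_policy),
        "publishClassificationFindings": bool(publish_sensitive),  # sensitive data findings
    }


def plan_changes(current_config: dict, current_frequency: str,
                 desired_config: dict, desired_frequency: str) -> list[str]:
    """List what apply_settings() would change; an empty list means nothing."""
    changes = []
    for key in ("publishPolicyFindings", "publishClassificationFindings"):
        current, wanted = bool(current_config.get(key, False)), desired_config[key]
        if current != wanted:
            changes.append(f"{key}: {current} -> {wanted}")
    if current_frequency != desired_frequency:
        changes.append(f"findingPublishingFrequency: {current_frequency} -> {desired_frequency}"
                       " (for an administrator account this also applies to member accounts)")
    return changes


def publication_gaps(desired_config: dict, hub_enabled: bool,
                     product_subscriptions: list[str]) -> list[str]:
    """Reasons why findings published to Security Hub would not be visible there."""
    if not any(desired_config.values()):
        return []  # nothing is sent to Security Hub, so there is nothing to check
    gaps = []
    if not hub_enabled:
        gaps.append("Security Hub is not enabled in this Region")
    elif not any(arn.endswith(MACIE_SUBSCRIPTION_SUFFIX) for arn in product_subscriptions):
        gaps.append("Security Hub is not accepting findings from the Macie integration")
    return gaps


def apply_settings(region: str, desired_config: dict, desired_frequency: str) -> list[str]:
    """Read the current settings, apply the desired ones, return the changes made."""
    import boto3  # imported here so the pure helpers work without boto3 installed

    macie = boto3.client("macie2", region_name=region)
    current = macie.get_findings_publication_configuration().get("securityHubConfiguration", {})
    current_frequency = macie.get_macie_session()["findingPublishingFrequency"]
    changes = plan_changes(current, current_frequency, desired_config, desired_frequency)
    if changes:
        # Destinations apply to this account in this Region only.
        macie.put_findings_publication_configuration(securityHubConfiguration=desired_config)
        # Frequency applies to this Region and, for an administrator, to its members.
        macie.update_macie_session(findingPublishingFrequency=desired_frequency)
    return changes


def audit_security_hub(region: str, desired_config: dict) -> list[str]:
    """Check the Security Hub side of the integration in the same Region."""
    import boto3
    from botocore.exceptions import ClientError

    hub = boto3.client("securityhub", region_name=region)
    try:
        hub.describe_hub()  # fails when Security Hub is not enabled in the Region
        enabled = True
    except ClientError as err:
        if err.response["Error"]["Code"] not in ("InvalidAccessException", "ResourceNotFoundException"):
            raise
        enabled = False
    subscriptions: list[str] = []
    if enabled:
        for page in hub.get_paginator("list_enabled_products_for_import").paginate():
            subscriptions.extend(page.get("ProductSubscriptions", []))
    return publication_gaps(desired_config, enabled, subscriptions)


if __name__ == "__main__":
    wanted = security_hub_config(publish_policy=True, publish_sensitive=True)
    for change in apply_settings("us-east-1", wanted, validate_frequency("ONE_HOUR")):
        print("changed:", change)
    for gap in audit_security_hub("us-east-1", wanted):
        print("gap:", gap)
```

Run it once per Region you use Macie in, because both settings are Regional. The plan step is deliberately separate from the apply step so that an organization's Macie administrator can see before saving that a frequency change will propagate to member accounts while the destination change will not.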