Working with Macie sample findings
To explore and learn about the different types of
findings that Amazon Macie can generate, you can create sample findings. Sample
findings use example data and placeholder values to demonstrate the kinds of information that
each type of finding might contain.
For example, the Policy:IAMUser/S3BucketPublic sample finding contains
details about a fictitious Amazon Simple Storage Service (Amazon S3) bucket. The finding's details include example
data about an actor and action that changed the access control list (ACL) for the bucket and
made the bucket publicly accessible. Similarly, the
SensitiveData:S3Object/Multiple sample finding contains details
about a fictitious Microsoft Excel workbook. The finding's details include example data
about the types and location of sensitive data in the workbook.
In addition to familiarizing yourself with the information that different types of findings
might contain, you can use sample findings to test integration with other applications,
services, and systems. Depending on the suppression
rules for your account, Macie can publish sample findings to Amazon EventBridge as events. By
using the example data in sample findings, you can develop and test automated solutions for
monitoring and processing these events. Depending on the publication settings for your account, Macie
can also publish sample findings to AWS Security Hub. This means that you can also use sample
findings to develop and test solutions for monitoring and processing Macie findings in Security Hub.
For information about publishing findings to these services, see Monitoring and processing
findings.
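The integration use case above (sample findings arriving as EventBridge events) is easiest to develop against with a small router that separates sample findings from real ones before anything pages a human. The following is an added example for this page, not code from AWS or from Macie. The events at the bottom are constructed and abbreviated: the field names (source, detail-type, detail.sample, detail.type, detail.category, detail.severity, detail.resourcesAffected) follow the Macie finding schema, but the values are made up, and the route names ("test-channel", "page", "ticket") are hypothetical targets.

```python
"""Route Amazon Macie findings delivered as EventBridge events.

Added example, not AWS code. Sample findings are recognized by the boolean
`sample` field, which is the only marker that survives outside the console.
"""
import json

MACIE_SOURCE = "aws.macie"
MACIE_DETAIL_TYPE = "Macie Finding"


def is_sample_finding(detail: dict) -> bool:
    """Identify a sample finding.

    The console shows a [SAMPLE] prefix in the Finding type column, but the
    `type` field in the API/EventBridge payload carries the plain type name,
    and nothing stops a real bucket from being named
    macie-sample-finding-bucket, so key on the `sample` boolean only.
    """
    return detail.get("sample") is True


def route_finding(event: dict) -> dict:
    """Decide where one EventBridge event should go, and why."""
    if event.get("source") != MACIE_SOURCE or event.get("detail-type") != MACIE_DETAIL_TYPE:
        return {"route": "ignore", "id": None, "type": None, "bucket": None,
                "reason": "not a Macie finding event"}
    detail = event.get("detail") or {}
    bucket = ((detail.get("resourcesAffected") or {}).get("s3Bucket") or {}).get("name")
    base = {"id": detail.get("id"), "type": detail.get("type"), "bucket": bucket}
    if is_sample_finding(detail):
        # Exercise the downstream pipeline end to end without paging anyone.
        return {**base, "route": "test-channel", "reason": "sample finding"}
    severity = (detail.get("severity") or {}).get("description", "Unknown")
    if detail.get("category") == "POLICY" and severity == "High":
        return {**base, "route": "page", "reason": f"{severity} policy finding"}
    return {**base, "route": "ticket", "reason": f"{severity} {detail.get('category')} finding"}


def route_batch(raw_events: str) -> list:
    """Parse newline-delimited JSON events, as an export or a log line feed would hold them."""
    return [route_finding(json.loads(line)) for line in raw_events.splitlines() if line.strip()]


# Constructed events, one JSON object per line; not captured from a real account.
CONSTRUCTED_EVENTS = """\
{"source": "aws.macie", "detail-type": "Macie Finding", "detail": {"id": "sample-1", "type": "Policy:IAMUser/S3BucketPublic", "category": "POLICY", "sample": true, "severity": {"description": "High", "score": 3}, "resourcesAffected": {"s3Bucket": {"name": "macie-sample-finding-bucket"}}}}
{"source": "aws.macie", "detail-type": "Macie Finding", "detail": {"id": "real-1", "type": "Policy:IAMUser/S3BucketPublic", "category": "POLICY", "sample": false, "severity": {"description": "High", "score": 3}, "resourcesAffected": {"s3Bucket": {"name": "macie-sample-finding-bucket"}}}}
{"source": "aws.macie", "detail-type": "Macie Finding", "detail": {"id": "real-2", "type": "SensitiveData:S3Object/Multiple", "category": "CLASSIFICATION", "sample": false, "severity": {"description": "Medium", "score": 2}, "resourcesAffected": {"s3Bucket": {"name": "finance-exports"}}}}
{"source": "aws.guardduty", "detail-type": "GuardDuty Finding", "detail": {"id": "gd-1"}}
"""

if __name__ == "__main__":
    for decision in route_batch(CONSTRUCTED_EVENTS):
        print(decision)
```

The second constructed event is the case worth testing: a real finding whose affected bucket happens to carry the sample bucket name still gets paged, because the router never looks at the bucket name to decide whether a finding is a sample.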
Creating sample findings
You can create sample findings by using the Amazon Macie console or the Amazon Macie API. If you
use the console, Macie automatically generates one sample finding for each type of
finding that Macie supports. If you use the API, you can create a sample for each type,
or only certain types that you specify.
- Console
-
Follow these steps to create sample findings by using the Amazon Macie console.
To create sample findings
- Open the Amazon Macie console at https://console.aws.amazon.com/macie/.
- In the navigation pane, choose Settings.
- Under Sample findings, choose Generate sample findings.
- API
-
To create sample findings programmatically, use the CreateSampleFindings operation of the Amazon Macie API. When you submit your request, optionally use the findingTypes parameter to specify only certain types of sample findings to create. To automatically create samples of all types, don't include this parameter in your request.
To create sample findings by using the AWS Command Line Interface (AWS CLI), run the create-sample-findings command. To automatically create samples of all types of findings, don't include the finding-types parameter. To create samples of only certain types of findings, include this parameter and specify the types of sample findings to create. For example:
C:\> aws macie2 create-sample-findings --finding-types "SensitiveData:S3Object/Multiple" "Policy:IAMUser/S3BucketPublic"
Where SensitiveData:S3Object/Multiple is a type of sensitive data finding to create and Policy:IAMUser/S3BucketPublic is a type of policy finding to create.
If the command runs successfully, Macie returns an empty response.
Reviewing sample findings
To help you identify sample findings, Amazon Macie sets the value for the Sample field of each sample finding to True. In addition, the name of the affected S3 bucket is the same for all sample findings: macie-sample-finding-bucket. If you review sample findings by using Findings pages on the Amazon Macie console, Macie also displays the [SAMPLE] prefix in the Finding type field for each sample finding. That prefix is a console display convention only: the type field that the API returns carries the plain finding type, so automation that needs to tell sample findings apart should key on the sample field rather than on the finding type or the bucket name.
- Console
-
Follow these steps to review sample findings by using the Amazon Macie console.
To review sample findings
- Open the Amazon Macie console at https://console.aws.amazon.com/macie/.
- In the navigation pane, choose Findings.
- On the Findings page, do any of the following:
- In the Finding type column, locate findings whose type begins with [SAMPLE], as shown in the following image.
- By using the Filter criteria box above the table, filter the table to display only sample findings. To do this, place your cursor in the box. In the list of fields that appears, choose Sample. Then choose True, and then choose Apply. This applies a Sample = True filter condition to the table.
-
To review the details of a specific sample finding, choose the finding. The details
panel displays information for the finding.
You can also download and save the details of one or more sample findings as a JSON file.
To do this, select the check box for each sample finding that you want to
download and save. Then choose Export (JSON) on the
Actions menu at the top of the
Findings page. In the window that appears, choose
Download. For detailed descriptions of the JSON
fields that a finding can include, see Findings
in the Amazon Macie API Reference.
- API
-
To review sample findings programmatically, first use the ListFindings operation of the Amazon Macie API to retrieve the unique identifier (findingId) for each sample finding that you created. Then use the GetFindings operation to retrieve the details of those findings.
When you submit the ListFindings request, you can specify filter criteria to include only sample findings in the results. To do this, add a filter condition where the value for the sample field is true.
If you're using the AWS CLI, run the list-findings command and use the finding-criteria parameter to specify the filter condition. For example:
C:\> aws macie2 list-findings --finding-criteria={\"criterion\":{\"sample\":{\"eq\":[\"true\"]}}}
If your request succeeds, Macie returns a findingIds array. The array lists the unique identifier for each sample finding for your account in the current AWS Region.
To then retrieve the details of the sample findings, specify these unique identifiers in a GetFindings request or, for the AWS CLI, when you run the get-findings command.
Suppressing sample findings
Like other findings, Amazon Macie stores sample findings for 90 days. After you finish
reviewing and experimenting with the samples, you can optionally archive them by creating a suppression rule. If
you do this, the sample findings stop appearing by default on the console and their
status changes to archived.
To archive sample findings by using the Amazon Macie console, configure the rule to archive findings where the value for the Sample field is True. To archive sample findings by using the Amazon Macie API, configure the rule to archive findings where the value for the sample field is true.
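The API steps described on this page (CreateSampleFindings, ListFindings with a sample = true criterion, GetFindings for the details, then a suppression rule that archives the samples) chain naturally into one script. The following is an added example, not AWS code. Its calls map onto the boto3 macie2 client operations create_sample_findings, list_findings, get_findings and create_findings_filter; FakeMacieClient is a constructed stand-in that implements just enough of those operations for the script to run offline, and boto3.client("macie2") can be passed in its place to run against an account. The GetFindings batch size of 50 and the filter name are assumptions.

```python
"""Create, list, fetch and archive Macie sample findings through the API.

Added example, not AWS code. The helper functions take any client object that
exposes the boto3 macie2 operations they call; FakeMacieClient is a constructed
offline stand-in (it understands only the `sample` criterion).
"""
from typing import Any, Dict, Iterator, List, Optional

# Same condition as --finding-criteria={"criterion":{"sample":{"eq":["true"]}}}
SAMPLE_CRITERIA: Dict[str, Any] = {"criterion": {"sample": {"eq": ["true"]}}}
GET_FINDINGS_BATCH = 50  # assumption: keep each GetFindings request to a bounded ID list


def create_samples(client, finding_types: Optional[List[str]] = None) -> None:
    """Omit findingTypes to get one sample of every type; pass a list to restrict it."""
    kwargs = {"findingTypes": finding_types} if finding_types else {}
    client.create_sample_findings(**kwargs)


def iter_sample_finding_ids(client, page_size: int = 50) -> Iterator[str]:
    """Page through ListFindings with the sample=true criterion until nextToken is absent."""
    token = None
    while True:
        kwargs: Dict[str, Any] = {"findingCriteria": SAMPLE_CRITERIA, "maxResults": page_size}
        if token:
            kwargs["nextToken"] = token
        page = client.list_findings(**kwargs)
        yield from page.get("findingIds", [])
        token = page.get("nextToken")
        if not token:
            return


def fetch_sample_findings(client, page_size: int = 50) -> List[Dict[str, Any]]:
    """ListFindings returns only IDs; GetFindings returns the full finding objects."""
    ids = list(iter_sample_finding_ids(client, page_size))
    findings: List[Dict[str, Any]] = []
    for start in range(0, len(ids), GET_FINDINGS_BATCH):
        resp = client.get_findings(findingIds=ids[start:start + GET_FINDINGS_BATCH])
        findings.extend(resp.get("findings", []))
    # Re-check the flag on the returned objects before acting on them.
    return [f for f in findings if f.get("sample") is True]


def archive_samples(client, name: str = "archive-macie-sample-findings") -> str:
    """A suppression rule is a findings filter whose action is ARCHIVE."""
    resp = client.create_findings_filter(
        action="ARCHIVE", name=name,
        description="Archive Macie sample findings after review",
        findingCriteria=SAMPLE_CRITERIA,
    )
    return resp["id"]


class FakeMacieClient:
    """Constructed offline stand-in for boto3.client("macie2"); sample criterion only."""

    def __init__(self) -> None:
        # One non-sample finding seeded so the filter has something to exclude.
        self.findings: Dict[str, Dict[str, Any]] = {
            "real-1": {"id": "real-1", "type": "Policy:IAMUser/S3BucketPublic", "sample": False},
        }
        self.filters: List[Dict[str, Any]] = []

    def create_sample_findings(self, findingTypes=None) -> Dict[str, Any]:
        types = findingTypes or ["Policy:IAMUser/S3BucketPublic", "SensitiveData:S3Object/Multiple"]
        for t in types:
            fid = f"sample-{len(self.findings)}"
            self.findings[fid] = {"id": fid, "type": t, "sample": True,
                                  "resourcesAffected": {"s3Bucket": {"name": "macie-sample-finding-bucket"}}}
        return {}

    def list_findings(self, findingCriteria=None, maxResults=50, nextToken=None) -> Dict[str, Any]:
        want = (findingCriteria or {}).get("criterion", {}).get("sample", {}).get("eq", [])
        ids = [i for i, f in self.findings.items() if not want or str(f["sample"]).lower() in want]
        start = int(nextToken or 0)
        out: Dict[str, Any] = {"findingIds": ids[start:start + maxResults]}
        if start + maxResults < len(ids):
            out["nextToken"] = str(start + maxResults)
        return out

    def get_findings(self, findingIds) -> Dict[str, Any]:
        return {"findings": [self.findings[i] for i in findingIds if i in self.findings]}

    def create_findings_filter(self, action, name, findingCriteria, description="") -> Dict[str, Any]:
        self.filters.append({"action": action, "name": name, "criteria": findingCriteria})
        return {"id": f"filter-{len(self.filters)}", "arn": f"arn:aws:macie2:::findings-filter/filter-{len(self.filters)}"}


def demo(client=None) -> Dict[str, Any]:
    """Run the whole workflow; page_size=1 forces the nextToken loop to be exercised."""
    client = client or FakeMacieClient()
    create_samples(client, ["SensitiveData:S3Object/Multiple", "Policy:IAMUser/S3BucketPublic"])
    samples = fetch_sample_findings(client, page_size=1)
    return {"sample_ids": sorted(f["id"] for f in samples), "filter_id": archive_samples(client)}


if __name__ == "__main__":
    print(demo())
```

Order matters in the last step: create the ARCHIVE filter only after you have finished reviewing, because suppressed findings are not published to EventBridge, so any event-driven integration test has to run before the rule exists.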