Suppressing Amazon Macie findings - Amazon Macie

Suppressing Amazon Macie findings

To streamline your analysis of findings, you can create and use suppression rules. A suppression rule is a set of attribute-based filter criteria that defines cases where you want Amazon Macie to archive findings automatically. Suppression rules are helpful in situations where you've reviewed a class of findings and don't want to be notified of them again.

For example, you might decide to allow S3 buckets to contain mailing addresses, if the bucket's objects use a certain type of encryption and the buckets don't allow public access. In this case, you can create a suppression rule that specifies filter criteria for the following fields: Sensitive data detection type, S3 bucket encryption type, and S3 bucket public access permission. The rule suppresses future findings that meet the filter criteria.

If you suppress findings by using a suppression rule, Macie continues to generate findings for subsequent occurrences of sensitive data and potential policy violations that meet the rule's criteria. However, Macie automatically changes the status of the findings to archived. This means that the findings don't appear by default on the Amazon Macie console, but they persist in Macie until they expire. (Macie stores your findings for 30 days.)

In addition to changing the status of suppressed findings, Macie stops publishing the findings as Amazon EventBridge events (formerly called Amazon CloudWatch Events). For policy findings, Macie also stops publishing the findings to AWS Security Hub. Macie does, however, continue to create and store sensitive data discovery results for sensitive data findings that you suppress. This helps ensure that you have an immutable history of sensitive data findings for data privacy and protection audits or investigations that you perform.

To create and manage suppression rules, you can use the Amazon Macie console or the Amazon Macie API. The following topics explain how. For the API, the topics explain how to perform these tasks with the AWS Command Line Interface (AWS CLI). You can also perform these tasks by sending HTTPS requests directly to Macie, or by using a current version of another AWS command line tool or an AWS SDK. For information about AWS tools and SDKs, see Tools to Build on AWS.

Creating suppression rules

Before you create a suppression rule, it's important to note that you can't restore (unarchive) findings that you suppress using a suppression rule. You can, however, view suppressed findings on the Amazon Macie console and access suppressed findings with the Amazon Macie API.

When you create a suppression rule, you specify filter criteria, a name, and, optionally, a description for the rule. You can create a suppression rule using the Amazon Macie console or the Amazon Macie API.

Console

Follow these steps to create a suppression rule by using the Amazon Macie console.

To create a suppression rule

  1. Open the Macie console at https://console.aws.amazon.com/macie/.

  2. In the navigation pane, choose Findings.

    Tip

    To use an existing suppression or filter rule as a starting point, choose the rule from the Saved rules list.

    You can also streamline creation of a rule by first pivoting and drilling down on findings by a predefined logical group. If you do this, Macie automatically creates and applies the appropriate filter conditions, which can be a helpful starting point for creating a rule. To do this, choose By bucket, By type, or By job in the navigation pane (under Findings), and then choose an item in the table. In the details panel, choose the link for the field to pivot on.

  3. In the filter bar, add filter conditions that specify attributes of the findings that you want the rule to suppress.

    
         The filter bar above the table on the Findings page.

    To learn how to add filter conditions, see Creating and applying filters to findings.

  4. When you finish adding filter conditions for the rule, choose Suppress findings above the filter bar.

  5. Under Suppression rule, enter a name and, optionally, a description for the rule.

  6. Choose Save.

AWS CLI

To create a suppression rule by using the AWS CLI, run the create-findings-filter command and specify the appropriate values for the required parameters. For the action parameter, specify ARCHIVE to ensure that Macie suppresses findings that meet the criteria of the rule.

For the criterion parameter, specify a map of conditions that define the filter criteria for the rule. In the map, each condition should specify a field, an operator, and one or more values for the field. The type and number of values depends on the field and operator that you choose. For information about the fields, operators, and types of values that you can use in a condition, see Fields for filtering findings, Using operators in conditions, and Specifying values for fields.

The following examples create a suppression rule that returns all sensitive data findings that are in the current AWS Region and report occurrences of mailing addresses (and no other types of sensitive data) in S3 objects.

This example is formatted for Linux, macOS, or Unix, and it uses the backslash (\) line-continuation character to improve readability.

$ aws macie2 create-findings-filter \ --action ARCHIVE \ --name my_suppression_rule \ --finding-criteria '{"criterion":{"classificationDetails.result.sensitiveData.detections.type":{"eqExactMatch":["ADDRESS"]}}}'

This example is formatted for Microsoft Windows, and it uses the caret (^) line-continuation character to improve readability.

C:\> aws macie2 create-findings-filter ^ --action ARCHIVE ^ --name my_suppression_rule ^ --finding-criteria={\"criterion\":{\"classificationDetails.result.sensitiveData.detections.type\":{\"eqExactMatch\":[\"ADDRESS\"]}}}

Where:

  • my_suppression_rule is the custom name for the rule.

  • criterion is a map of filter conditions for the rule:

    • classificationDetails.result.sensitiveData.detections.type is the JSON name of the Sensitive data detection type field.

    • eqExactMatch specifies the equals exact match operator.

    • ADDRESS is an enumerated value for the Sensitive data detection type field.

If the command runs successfully, you receive output similar to the following.

{ "arn": "arn:aws:macie2:us-west-2:123456789012:findings-filter/8a3c5608-aa2f-4940-b347-d1451example", "id": "8a3c5608-aa2f-4940-b347-d1451example" }

Where arn is the Amazon Resource Name (ARN) of the suppression rule that was created, and id is the unique identifier for the rule.

For additional examples of filter criteria, see Filtering findings programmatically with the Amazon Macie API.

Viewing suppressed findings

By default, Macie doesn't display suppressed findings on the Amazon Macie console. However, you can view these findings on the console by changing your filter settings. The following procedure explains how.

To view suppressed findings on the console

  1. Open the Macie console at https://console.aws.amazon.com/macie/.

  2. In the navigation pane, choose Findings. The Findings page displays findings that Macie created or updated for your account in the current AWS Region during the past 30 days. By default, this doesn't include findings that were suppressed by a suppression rule.

  3. In the filter bar, do one of the following:

    • To display only suppressed findings, choose Current, and then choose Archived.

    • To display both suppressed and current findings, choose Current, and then choose All.

You can also access suppressed findings by using the Amazon Macie API. To retrieve a list of suppressed findings, use the ListFindings operation and include a filter condition that specifies true for the archived field. For an example of how to do this using the AWS CLI, see Filtering findings programmatically. To retrieve the details of one or more suppressed findings, use the GetFindings operation and specify the unique identifier for each finding to retrieve.

Changing suppression rules

You can change the settings for a suppression rule at any time using the Amazon Macie console or the Amazon Macie API.

Console

Follow these steps to change the settings for an existing suppression rule by using the Amazon Macie console.

To change a suppression rule

  1. Open the Macie console at https://console.aws.amazon.com/macie/.

  2. In the navigation pane, choose Findings.

  3. In the Saved rules list, choose the edit icon ( A box with a pencil. ) next to the suppression rule that you want to change.

  4. Do any of the following:

    • To change the name of the rule, enter a new name in the Name box under Suppression rule.

    • To change the description of the rule, enter a new description in the Description box under Suppression rule.

    • To change the filter criteria of the rule, use the filter bar to enter conditions that specify attributes of the findings that you want the rule to suppress. To learn how, see Creating and applying filters to findings.

  5. When you finish making changes, choose Save.

AWS CLI

To change a suppression rule by using the AWS CLI, run the update-findings-filter command and use the supported parameters to specify a new value for each setting that you want to change. For the id parameter, specify the unique identifier for the rule to change. You can get this identifier by running the list-findings-filters command to retrieve a list of suppression and filter rules for your account.

The following example changes the name of an existing suppression rule.

C:\> aws macie2 update-findings-filter --id 8a3c5608-aa2f-4940-b347-d1451example --name mailing_addresses_only

Where:

  • 8a3c5608-aa2f-4940-b347-d1451example is the unique identifier for the rule.

  • mailing_addresses_only is the new name for the rule.

If the command runs successfully, you receive output similar to the following.

{ "arn": "arn:aws:macie2:us-west-2:123456789012:findings-filter/8a3c5608-aa2f-4940-b347-d1451example", "id": "8a3c5608-aa2f-4940-b347-d1451example" }

Where arn is the Amazon Resource Name (ARN) of the rule that was changed, and id is the unique identifier for the rule.

Similarly, the following example converts a filter rule to a suppression rule by changing the value for the action parameter from NOOP to ARCHIVE.

C:\> aws macie2 update-findings-filter --id 8a1c3508-aa2f-4940-b347-d1451example --action ARCHIVE

Where:

  • 8a1c3508-aa2f-4940-b347-d1451example is the unique identifier for the rule.

  • ARCHIVE is the new action for Macie to perform on findings that meet the criteria of the rule—suppress the findings.

If the command runs successfully, you receive output similar to the following:

{ "arn": "arn:aws:macie2:us-west-2:123456789012:findings-filter/8a1c3508-aa2f-4940-b347-d1451example", "id": "8a1c3508-aa2f-4940-b347-d1451example" }

Where arn is the Amazon Resource Name (ARN) of the rule that was changed, and id is the unique identifier for the rule.

Deleting suppression rules

You can delete a suppression rule at any time using the Amazon Macie console or the Amazon Macie API. If you delete a suppression rule, Macie stops suppressing new and subsequent occurrences of findings that meet the criteria of the rule and aren't suppressed by other rules. Note, however, that Macie might continue to suppress findings that it's currently processing and meet the rule's criteria.

After you delete a suppression rule, new and subsequent occurrences of findings that met the rule's criteria have a status of current. This means that they appear by default on the Amazon Macie console. In addition, Macie publishes these findings as Amazon EventBridge events. For policy findings, Macie also publishes the findings to AWS Security Hub.

Console

Follow these steps to delete a suppression rule by using the Amazon Macie console.

To delete a suppression rule

  1. Open the Macie console at https://console.aws.amazon.com/macie/.

  2. In the navigation pane, choose Findings.

  3. In the Saved rules list, choose the edit icon ( A box with a pencil. ) next to the suppression rule that you want to delete.

  4. Under Suppression rule, choose Delete.

AWS CLI

To delete a suppression rule by using the AWS CLI, run the delete-findings-filter command. For the id parameter, specify the unique identifier for the suppression rule to delete. You can get this identifier by running the list-findings-filters command to retrieve a list of suppression and filter rules for your account.

The following example deletes the suppression rule whose unique identifier is 8a3c5608-aa2f-4940-b347-d1451example.

C:\> aws macie2 delete-findings-filter --id 8a3c5608-aa2f-4940-b347-d1451example

If the command runs successfully, Macie returns an empty HTTP 200 response. Otherwise, Macie returns an HTTP 4xx or 500 response that indicates why the operation failed.