Suppressing Amazon Macie findings

To streamline your analysis of findings, you can create and use suppression rules. A suppression rule is a set of attribute-based filter criteria that defines cases where you want Amazon Macie to archive findings automatically. Suppression rules are helpful in situations where you've reviewed a class of findings and don't want to be notified of them again.

For example, you might decide to allow S3 buckets to contain mailing addresses, if the buckets don't allow public access and they encrypt new objects by default. In this case, you can create a suppression rule that specifies filter criteria for the following fields: Sensitive data detection type, S3 bucket public access permission, and S3 bucket default encryption. The rule suppresses future findings that match the filter criteria.

If you suppress findings with a suppression rule, Macie continues to generate findings for subsequent occurrences of sensitive data and potential policy violations that match the rule's criteria. However, Macie automatically changes the status of the findings to archived. This means that the findings don't appear by default on the Amazon Macie console, but they persist in Macie until they expire. (Macie stores findings for 90 days.)

In addition to changing the status of suppressed findings, Macie doesn't publish the findings to Amazon EventBridge as events or to AWS Security Hub. Macie does, however, continue to create and store sensitive data discovery results that correlate to sensitive data findings that you suppress. This helps ensure that you have an immutable history of sensitive data findings for data privacy and protection audits or investigations that you perform.

To create and manage suppression rules, you can use the Amazon Macie console or the Amazon Macie API. The following topics explain how. For the API, the topics include examples of how to perform these tasks using the AWS Command Line Interface (AWS CLI). You can also perform these tasks by using a current version of another AWS command line tool or an AWS SDK, or by sending HTTPS requests directly to Macie. For information about AWS tools and SDKs, see Tools to Build on AWS.

Creating suppression rules

Before you create a suppression rule, it's important to note that you can't restore (unarchive) findings that you suppress using a suppression rule. You can, however, review suppressed findings on the Amazon Macie console and access suppressed findings with the Amazon Macie API.

When you create a suppression rule, you specify filter criteria, a name, and, optionally, a description of the rule. You can create a suppression rule by using the Amazon Macie console or the Amazon Macie API.

Console

Follow these steps to create a suppression rule by using the Amazon Macie console.

To create a suppression rule

  1. Open the Amazon Macie console at https://console.aws.amazon.com/macie/.

  2. In the navigation pane, choose Findings.

    Tip

    To use an existing suppression or filter rule as a starting point, choose the rule from the Saved rules list.

    You can also streamline creation of a rule by first pivoting and drilling down on findings by a predefined logical group. If you do this, Macie automatically creates and applies the appropriate filter conditions, which can be a helpful starting point for creating a rule. To do this, choose By bucket, By type, or By job in the navigation pane (under Findings), and then choose an item in the table. In the details panel, choose the link for the field to pivot on.

  3. In the filter bar, add filter conditions that specify attributes of the findings that you want the rule to suppress.

    (Image: the filter bar above the table on the Findings page.)

    To learn how to add filter conditions, see Creating and applying filters to findings.

  4. When you finish adding filter conditions for the rule, choose Suppress findings above the filter bar.

  5. Under Suppression rule, enter a name and, optionally, a description of the rule.

  6. Choose Save.

API

To create a suppression rule programmatically, use the CreateFindingsFilter operation of the Amazon Macie API and specify the appropriate values for the required parameters:

  • For the action parameter, specify ARCHIVE to ensure that Macie suppresses findings that match the criteria of the rule.

  • For the criterion parameter, specify a map of conditions that define the filter criteria for the rule.

    In the map, each condition should specify a field, an operator, and one or more values for the field. The type and number of values depend on the field and operator that you choose. For information about the fields, operators, and types of values that you can use in a condition, see Fields for filtering findings, Using operators in conditions, and Specifying values for fields.

To create a suppression rule by using the AWS CLI, run the create-findings-filter command and specify the appropriate values for the required parameters. The following examples create a suppression rule that matches, and therefore suppresses, all sensitive data findings in the current AWS Region that report occurrences of mailing addresses (and no other types of sensitive data) in S3 objects.

This example is formatted for Linux, macOS, or Unix, and it uses the backslash (\) line-continuation character to improve readability.

$ aws macie2 create-findings-filter \
--action ARCHIVE \
--name my_suppression_rule \
--finding-criteria '{"criterion":{"classificationDetails.result.sensitiveData.detections.type":{"eqExactMatch":["ADDRESS"]}}}'

This example is formatted for Microsoft Windows and it uses the caret (^) line-continuation character to improve readability.

C:\> aws macie2 create-findings-filter ^
--action ARCHIVE ^
--name my_suppression_rule ^
--finding-criteria={\"criterion\":{\"classificationDetails.result.sensitiveData.detections.type\":{\"eqExactMatch\":[\"ADDRESS\"]}}}

Where:

  • my_suppression_rule is the custom name for the rule.

  • criterion is a map of filter conditions for the rule:

    • classificationDetails.result.sensitiveData.detections.type is the JSON name of the Sensitive data detection type field.

    • eqExactMatch specifies the equals exact match operator.

    • ADDRESS is an enumerated value for the Sensitive data detection type field.

If the command runs successfully, you receive output similar to the following.

{ "arn": "arn:aws:macie2:us-west-2:123456789012:findings-filter/8a3c5608-aa2f-4940-b347-d1451example", "id": "8a3c5608-aa2f-4940-b347-d1451example" }

Where arn is the Amazon Resource Name (ARN) of the suppression rule that was created, and id is the unique identifier for the rule.

For additional examples of filter criteria, see Filtering findings programmatically with the Amazon Macie API.
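The following added example (not from the Macie documentation) builds the same --finding-criteria JSON that the two CLI commands above pass, renders it with the quoting each shell needs, and evaluates the eqExactMatch condition locally against constructed findings so you can see which ones an ARCHIVE rule would suppress before you create it. The finding shape in sample_finding and the local evaluator are assumptions for illustration, not Macie code.

```python
import json

DETECTION_TYPE = "classificationDetails.result.sensitiveData.detections.type"

def build_criteria(conditions):
    """conditions: iterable of (field, operator, values) -> {"criterion": {...}}."""
    criterion = {}
    for field, operator, values in conditions:
        criterion.setdefault(field, {})[operator] = list(values)
    return {"criterion": criterion}

def cli_argument(criteria, windows=False):
    """Render the argument quoted as in the Linux/macOS or the Windows example."""
    text = json.dumps(criteria, separators=(",", ":"))
    if windows:
        return "--finding-criteria=" + text.replace('"', '\\"')
    return "--finding-criteria '" + text + "'"

def resolve(finding, path):
    """Collect every leaf value under a dotted field name, fanning out through
    the lists (sensitiveData, detections) that sensitive data findings contain."""
    values = [finding]
    for key in path.split("."):
        items = [i for v in values for i in (v if isinstance(v, list) else [v])]
        values = [i[key] for i in items if isinstance(i, dict) and key in i]
    return [i for v in values for i in (v if isinstance(v, list) else [v])]

def matches(finding, criteria):
    """Local model of eqExactMatch: the field must hold all of the listed values
    and no others, so addresses plus other sensitive data does not match."""
    for field, operators in criteria["criterion"].items():
        actual = set(resolve(finding, field))
        for operator, values in operators.items():
            if operator == "eqExactMatch" and actual != set(values):
                return False
    return True

def sample_finding(*detection_types):
    """Constructed finding shaped like a Macie sensitive data finding (assumed)."""
    return {"classificationDetails": {"result": {"sensitiveData": [
        {"category": "PERSONAL_INFORMATION",
         "detections": [{"type": t, "count": 1} for t in detection_types]}]}}}

RULE = build_criteria([(DETECTION_TYPE, "eqExactMatch", ["ADDRESS"])])
SAMPLES = {"only_addresses": sample_finding("ADDRESS"),
           "addresses_and_names": sample_finding("ADDRESS", "NAME")}

def archived(findings=SAMPLES, criteria=RULE):
    """Ids of the findings an ARCHIVE rule with these criteria would suppress."""
    return sorted(k for k, f in findings.items() if matches(f, criteria))
```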

Reviewing suppressed findings

By default, Macie doesn't display suppressed findings on the Amazon Macie console. However, you can review these findings on the console by changing your filter settings.

To review suppressed findings on the console

  1. Open the Amazon Macie console at https://console.aws.amazon.com/macie/.

  2. In the navigation pane, choose Findings. The Findings page displays findings that Macie created or updated for your account in the current AWS Region during the past 90 days. By default, this doesn't include findings that were suppressed by a suppression rule.

  3. In the filter bar, do one of the following:

    • To display only suppressed findings, choose Current, and then choose Archived.

    • To display both suppressed and current findings, choose Current, and then choose All.

You can also access suppressed findings by using the Amazon Macie API. To retrieve a list of suppressed findings, use the ListFindings operation and include a filter condition that specifies true for the archived field. For an example of how to do this using the AWS CLI, see Filtering findings programmatically. To then retrieve the details of one or more suppressed findings, use the GetFindings operation and specify the unique identifier for each finding to retrieve.

Changing suppression rules

You can change the settings for a suppression rule at any time by using the Amazon Macie console or the Amazon Macie API. You can also assign and manage tags for the rule.

A tag is a label that you define and assign to certain types of AWS resources. Each tag consists of a required tag key and an optional tag value. Tags can help you identify, categorize, and manage resources in different ways, such as by purpose, owner, environment, or other criteria. To learn more, see Tagging Amazon Macie resources.

Console

Follow these steps to change the settings for an existing suppression rule by using the Amazon Macie console.

To change a suppression rule

  1. Open the Amazon Macie console at https://console.aws.amazon.com/macie/.

  2. In the navigation pane, choose Findings.

  3. In the Saved rules list, choose the edit icon (a box with a pencil) next to the suppression rule that you want to change.

  4. Do any of the following:

    • To change the filter criteria of the rule, use the filter bar to enter conditions that specify attributes of the findings that you want the rule to suppress. To learn how, see Creating and applying filters to findings.

    • To change the name of the rule, enter a new name in the Name box under Suppression rule.

    • To change the description of the rule, enter a new description in the Description box under Suppression rule.

    • To assign, review, or edit tags for the rule, choose Manage tags under Suppression rule. Then review and change the tags as necessary. A rule can have as many as 50 tags.

  5. When you finish making changes, choose Save.

API

To change a suppression rule programmatically, use the UpdateFindingsFilter operation of the Amazon Macie API. When you submit your request, use the supported parameters to specify a new value for each setting that you want to change.

For the id parameter, specify the unique identifier for the rule to change. You can get this identifier by using the ListFindingsFilters operation to retrieve a list of suppression and filter rules for your account. If you're using the AWS CLI, run the list-findings-filters command to retrieve this list.

To change a suppression rule by using the AWS CLI, run the update-findings-filter command and use the supported parameters to specify a new value for each setting that you want to change. For example, the following command changes the name of an existing suppression rule.

C:\> aws macie2 update-findings-filter --id 8a3c5608-aa2f-4940-b347-d1451example --name mailing_addresses_only

Where:

  • 8a3c5608-aa2f-4940-b347-d1451example is the unique identifier for the rule.

  • mailing_addresses_only is the new name for the rule.

If the command runs successfully, you receive output similar to the following.

{ "arn": "arn:aws:macie2:us-west-2:123456789012:findings-filter/8a3c5608-aa2f-4940-b347-d1451example", "id": "8a3c5608-aa2f-4940-b347-d1451example" }

Where arn is the Amazon Resource Name (ARN) of the rule that was changed, and id is the unique identifier for the rule.

Similarly, the following example converts a filter rule to a suppression rule by changing the value for the action parameter from NOOP to ARCHIVE.

C:\> aws macie2 update-findings-filter --id 8a1c3508-aa2f-4940-b347-d1451example --action ARCHIVE

Where:

  • 8a1c3508-aa2f-4940-b347-d1451example is the unique identifier for the rule.

  • ARCHIVE is the new action for Macie to perform on findings that match the criteria of the rule—suppress the findings.

If the command runs successfully, you receive output similar to the following:

{ "arn": "arn:aws:macie2:us-west-2:123456789012:findings-filter/8a1c3508-aa2f-4940-b347-d1451example", "id": "8a1c3508-aa2f-4940-b347-d1451example" }

Where arn is the Amazon Resource Name (ARN) of the rule that was changed, and id is the unique identifier for the rule.

Deleting suppression rules

You can delete a suppression rule at any time by using the Amazon Macie console or the Amazon Macie API. If you delete a suppression rule, Macie stops suppressing new and subsequent occurrences of findings that match the criteria of the rule and aren't suppressed by other rules. Note, however, that Macie might continue to suppress findings that it's currently processing and match the rule's criteria.

After you delete a suppression rule, new and subsequent occurrences of findings that match the rule's criteria have a status of current. This means that they appear by default on the Amazon Macie console. In addition, Macie publishes these findings to Amazon EventBridge as events. Depending on the publication settings for your account, Macie also publishes the findings to AWS Security Hub.

Console

Follow these steps to delete a suppression rule by using the Amazon Macie console.

To delete a suppression rule

  1. Open the Amazon Macie console at https://console.aws.amazon.com/macie/.

  2. In the navigation pane, choose Findings.

  3. In the Saved rules list, choose the edit icon (a box with a pencil) next to the suppression rule that you want to delete.

  4. Under Suppression rule, choose Delete.

API

To delete a suppression rule programmatically, use the DeleteFindingsFilter operation of the Amazon Macie API. For the id parameter, specify the unique identifier for the suppression rule to delete. You can get this identifier by using the ListFindingsFilters operation to retrieve a list of suppression and filter rules for your account. If you're using the AWS CLI, run the list-findings-filters command to retrieve this list.

To delete a suppression rule by using the AWS CLI, run the delete-findings-filter command. For example:

C:\> aws macie2 delete-findings-filter --id 8a3c5608-aa2f-4940-b347-d1451example

Where 8a3c5608-aa2f-4940-b347-d1451example is the unique identifier for the suppression rule to delete.

If the command runs successfully, Macie returns an empty HTTP 200 response. Otherwise, Macie returns an HTTP 4xx or 500 response that indicates why the operation failed.