Analyzing Amazon Macie findings

Amazon Macie generates a finding when it detects a potential policy violation that affects the security or privacy of an Amazon Simple Storage Service (Amazon S3) bucket or it discovers sensitive data in an S3 object. A finding is a detailed report of a potential policy violation or sensitive data that Macie found. Each finding provides a severity rating, information about the affected resource, and additional details, such as when and how Macie found the issue. Macie stores your findings for 90 days.

You can review, analyze, and manage findings in the following ways.

Amazon Macie console

The Findings pages on the Amazon Macie console list your findings and provide detailed information for individual findings. These pages also provide options for grouping, filtering, and sorting findings, and for creating and managing suppression rules. A suppression rule is a saved set of filter criteria; Macie automatically archives findings that match the rule, which keeps known and accepted conditions from cluttering your analysis of new findings.

Amazon Macie API

With the Amazon Macie API, you can query and retrieve findings data by sending HTTPS requests directly to Macie or by using the AWS Command Line Interface (AWS CLI) or another AWS tool or SDK of your choice. To query the data, you send a request to the Amazon Macie API and use supported parameters to specify which findings you want to retrieve. After you submit your query, Macie returns the results in a JSON response. You can then pass the results to another service or application for deeper analysis, long-term storage, or reporting. For more information, see the Amazon Macie API Reference.
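The query flow described above (ListFindings with filter and sort criteria, then GetFindings for the full records), as an added example that is not from the Macie documentation. It uses the boto3 Macie2 client interface (`get_paginator("list_findings")`, `get_findings(findingIds=...)`); the `FakeMacieClient` and the sample findings are constructed so the block runs offline, and the bucket and object names in them are invented.

```python
"""Query Amazon Macie findings through the API and batch-fetch full records.
Added example, not from the Macie docs. Sample data below is constructed."""
from typing import Iterable, Iterator

GET_FINDINGS_BATCH = 50  # GetFindings accepts at most 50 finding IDs per call


def build_finding_criteria(severities=("High",), categories=("CLASSIFICATION",),
                           include_archived=False) -> dict:
    """Build the findingCriteria document ListFindings expects.
    Every criterion value is a list of strings, including booleans."""
    criterion = {
        "severity.description": {"eq": list(severities)},
        "category": {"eq": list(categories)},
    }
    if not include_archived:
        criterion["archived"] = {"eq": ["false"]}
    return {"criterion": criterion}


def chunked(items: Iterable[str], size: int) -> Iterator[list]:
    """Split an iterable into lists of at most `size` items."""
    batch = []
    for item in items:
        batch.append(item)
        if len(batch) == size:
            yield batch
            batch = []
    if batch:
        yield batch


def fetch_findings(client, criteria: dict) -> list:
    """List matching finding IDs (paginated), then GetFindings in batches of 50.
    `client` is a boto3 Macie2 client or any object with the same two calls."""
    ids = []
    paginator = client.get_paginator("list_findings")
    for page in paginator.paginate(
        findingCriteria=criteria,
        sortCriteria={"attributeName": "updatedAt", "orderBy": "DESC"},
    ):
        ids.extend(page.get("findingIds", []))
    findings = []
    for batch in chunked(ids, GET_FINDINGS_BATCH):
        findings.extend(client.get_findings(findingIds=batch).get("findings", []))
    return findings


def count_by_type(findings: list) -> dict:
    """Tally findings by (type, severity) for a quick triage view."""
    counts = {}
    for f in findings:
        key = (f["type"], f["severity"]["description"])
        counts[key] = counts.get(key, 0) + 1
    return counts


def sample_findings(n: int = 120) -> list:
    """Constructed findings in the shape GetFindings returns (not real output)."""
    return [{
        "id": f"finding-{i:04d}",
        "category": "CLASSIFICATION",
        "type": ("SensitiveData:S3Object/Credentials" if i % 3 == 0
                 else "SensitiveData:S3Object/Personal"),
        "severity": {"description": "High", "score": 3},
        "resourcesAffected": {"s3Bucket": {"name": "example-bucket"},
                              "s3Object": {"key": f"exports/{i}.csv"}},
    } for i in range(n)]


class FakeMacieClient:
    """Offline stand-in for boto3's Macie2 client (assumption: same call shapes)."""
    def __init__(self, findings: list):
        self._findings = {f["id"]: f for f in findings}
        self.batches = []  # records each GetFindings batch size

    def get_paginator(self, name: str):
        assert name == "list_findings"
        ids = list(self._findings)

        class _Paginator:
            def paginate(self, **kwargs):
                for i in range(0, len(ids), 50):  # pages of 50 like the real API
                    yield {"findingIds": ids[i:i + 50]}
        return _Paginator()

    def get_findings(self, findingIds: list) -> dict:
        self.batches.append(len(findingIds))
        return {"findings": [self._findings[i] for i in findingIds]}


if __name__ == "__main__":
    # Real use: import boto3; client = boto3.client("macie2", region_name="us-east-1")
    client = FakeMacieClient(sample_findings())
    for key, n in sorted(count_by_type(fetch_findings(client, build_finding_criteria())).items()):
        print(f"{n:4d}  {key[1]:6s}  {key[0]}")
```

The same query from the AWS CLI is `aws macie2 list-findings --finding-criteria file://criteria.json` followed by `aws macie2 get-findings --finding-ids ...`, with the same 50-ID limit per GetFindings call; the batching above is what keeps a large result set from failing on that limit.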

Amazon EventBridge

To further support integration with other services and systems, such as monitoring or event management systems, Macie publishes findings to Amazon EventBridge as events. EventBridge, formerly called Amazon CloudWatch Events, is a serverless event bus service that can deliver a stream of real-time data from your own applications, software as a service (SaaS) applications, and AWS services such as Macie. It can route that data to targets such as AWS Lambda functions, Amazon Simple Notification Service topics, and Amazon Kinesis streams. To learn about this service, see the Amazon EventBridge User Guide.

Macie automatically publishes events to EventBridge for new findings. It also publishes events automatically for subsequent occurrences of existing policy findings. Because the notifications are structured as EventBridge events, you can more easily monitor, analyze, and act upon findings by using other services and tools. For example, you might use EventBridge to automatically send specific types of new findings to an AWS Lambda function that, in turn, processes and sends the data to your security information and event management (SIEM) system. In addition to automated processing, forwarding findings through EventBridge lets you retain findings data beyond the 90 days that Macie stores it. To learn about using EventBridge events for findings, see Monitoring and processing findings.
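The EventBridge-to-Lambda-to-SIEM path described above, as an added example that is not code from the Macie documentation. The rule pattern relies on Macie publishing findings with source `aws.macie` and detail-type `Macie Finding`, with the finding itself as `detail`. The flattened SIEM record layout, the `SENT` sink, and the sample event contents are assumptions constructed for the example; a real deployment would replace `send_to_siem` with an HTTPS post to the SIEM collector.

```python
"""Forward Macie findings from EventBridge to a SIEM through a Lambda handler.
Added example, not from the Macie docs. SAMPLE_EVENT is constructed."""
import json

# EventBridge rule pattern. The "detail" filter narrows the rule to
# unarchived Medium/High findings; drop it to forward every finding.
EVENT_PATTERN = {
    "source": ["aws.macie"],
    "detail-type": ["Macie Finding"],
    "detail": {
        "severity": {"description": ["High", "Medium"]},
        "archived": [False],
    },
}

SENT = []  # stand-in for the SIEM collector (assumption: JSON lines over HTTPS)


def matches(pattern: dict, event: dict) -> bool:
    """Minimal matcher for the EventBridge pattern subset used above:
    each key maps to a list of allowed literal values or a nested pattern."""
    for key, allowed in pattern.items():
        if key not in event:
            return False
        value = event[key]
        if isinstance(allowed, dict):
            if not isinstance(value, dict) or not matches(allowed, value):
                return False
        elif value not in allowed:
            return False
    return True


def normalize(finding: dict) -> dict:
    """Flatten a Macie finding into the record the SIEM ingests.
    Policy findings re-publish with the same id and a higher `count`, so the
    SIEM should upsert on finding_id rather than treat each event as new."""
    affected = finding.get("resourcesAffected", {})
    return {
        "finding_id": finding["id"],
        "account": finding["accountId"],
        "region": finding["region"],
        "type": finding["type"],
        "category": finding["category"],
        "severity": finding["severity"]["description"],
        "severity_score": finding["severity"]["score"],
        "bucket": affected.get("s3Bucket", {}).get("name"),
        "object_key": affected.get("s3Object", {}).get("key"),  # None for policy findings
        "occurrences": finding.get("count", 1),
        "first_seen": finding["createdAt"],
        "last_seen": finding["updatedAt"],
        "title": finding["title"],
    }


def send_to_siem(record: dict) -> None:
    SENT.append(json.dumps(record, sort_keys=True))


def handler(event: dict, context=None) -> dict:
    """Lambda entry point: reject anything that is not a Macie finding
    (a rule misconfiguration should fail loudly), normalize, forward."""
    if not matches({"source": ["aws.macie"], "detail-type": ["Macie Finding"]}, event):
        raise ValueError("not a Macie finding event")
    record = normalize(event["detail"])
    send_to_siem(record)
    return record


# Constructed event in the shape EventBridge delivers; ids and names are invented.
SAMPLE_EVENT = {
    "version": "0", "id": "00000000-0000-0000-0000-000000000000",
    "detail-type": "Macie Finding", "source": "aws.macie",
    "account": "123456789012", "region": "us-east-1",
    "detail": {
        "schemaVersion": "1.0", "id": "example-policy-finding",
        "accountId": "123456789012", "partition": "aws", "region": "us-east-1",
        "type": "Policy:IAMUser/S3BucketPublic", "category": "POLICY",
        "title": "S3 bucket is publicly accessible",
        "severity": {"score": 3, "description": "High"},
        "createdAt": "2024-01-10T12:00:00Z", "updatedAt": "2024-01-11T08:30:00Z",
        "count": 2, "archived": False,
        "resourcesAffected": {"s3Bucket": {"name": "example-bucket",
                                           "arn": "arn:aws:s3:::example-bucket"}},
    },
}

if __name__ == "__main__":
    if matches(EVENT_PATTERN, SAMPLE_EVENT):
        print(json.dumps(handler(SAMPLE_EVENT), indent=2))
```

The matcher is only there to show what the rule pattern selects; in a deployment, EventBridge evaluates `EVENT_PATTERN` itself and the Lambda function sees only matching events.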

AWS Security Hub

For additional, broader analysis of your organization's security posture, you can also review and analyze findings by using AWS Security Hub. Security Hub is a service that provides you with a comprehensive view of your security state across your AWS environment and helps you check your environment against security industry standards and best practices. To learn about this service, see the AWS Security Hub User Guide. To learn about how Macie publishes findings to Security Hub, see Monitoring and processing findings.

In addition to findings, Macie creates sensitive data discovery results for S3 objects that you configure it to analyze as part of a sensitive data discovery job. A sensitive data discovery result is a record that logs details about the analysis of an object. This includes objects that don't contain sensitive data, and therefore don't produce a finding, and objects that Macie can't analyze due to issues such as permission settings for a bucket. To learn more about sensitive data discovery results, see Reviewing job statistics and results.

You can't access sensitive data discovery results directly on the Amazon Macie console or through the Amazon Macie API. Instead, you configure Macie to store the results in an S3 bucket. You can then optionally access and query the results in that bucket. To learn how to configure Macie to store the results, see Storing and retaining sensitive data discovery results. For samples of Amazon Athena queries that you can use to analyze the results, visit the Amazon Macie Results Analytics repository on GitHub. This repository also provides step-by-step instructions for configuring Athena to retrieve and decrypt sensitive data discovery results, and scripts for creating tables for the results.