Allowing Macie to access S3 buckets and objects
When you enable Amazon Macie for your AWS account, Macie creates a service-linked role that grants Macie the permissions that it requires to call Amazon Simple Storage Service (Amazon S3) and other AWS services on your behalf. A service-linked role simplifies the process of setting up an AWS service because you don't have to manually add permissions for the service to complete actions on your behalf. To learn about this type of role, see IAM roles in the AWS Identity and Access Management User Guide.
The permissions policy for the Macie service-linked role (AWSServiceRoleForAmazonMacie) allows Macie to perform actions that include retrieving information about your S3 buckets and objects, and retrieving objects from your buckets. If you're the Macie administrator for an organization, the policy also allows Macie to perform these actions on your behalf for member accounts in your organization.
Macie uses these permissions to perform tasks such as:
- Generate and maintain an inventory of your S3 general purpose buckets.
- Provide statistical and other data about the buckets and objects in the buckets.
- Monitor and evaluate the buckets for security and access control.
- Analyze objects in the buckets to detect sensitive data.
In most cases, Macie has the permissions that it needs to perform these tasks. However, if an S3 bucket has a restrictive bucket policy, the policy might prevent Macie from performing some or all of these tasks.
A bucket policy is a resource-based AWS Identity and Access Management (IAM) policy that specifies which actions a principal (user, account, service, or other entity) can perform on an S3 bucket, and the conditions under which a principal can perform those actions. The actions and conditions can apply to bucket-level operations, such as retrieving information about a bucket, and object-level operations, such as retrieving objects from a bucket.
Bucket policies typically grant or restrict access by using explicit Allow or Deny statements and conditions. For example, a bucket policy might contain a Deny statement that denies access to the bucket unless specific source IP addresses, Amazon Virtual Private Cloud (Amazon VPC) endpoints, or VPCs are used to access the bucket. For information about using bucket policies to grant or restrict access to buckets, see Bucket policies for Amazon S3 and How Amazon S3 authorizes a request in the Amazon Simple Storage Service User Guide.
If a bucket policy uses an explicit Allow statement, the policy doesn't prevent Macie from retrieving information about the bucket and the bucket's objects, or retrieving objects from the bucket. This is because the Allow statements in the permissions policy for the Macie service-linked role grant these permissions.
However, if a bucket policy uses an explicit Deny statement with one or more conditions, Macie might not be allowed to retrieve information about the bucket or the bucket's objects, or retrieve the bucket's objects. For example, if a bucket policy explicitly denies access from all sources except a specific IP address, Macie won't be allowed to analyze the bucket's objects when you run a sensitive data discovery job. This is because restrictive bucket policies take precedence over the Allow statements in the permissions policy for the Macie service-linked role.
To allow Macie to access an S3 bucket that has a restrictive bucket policy, you can add a condition for the Macie service-linked role (AWSServiceRoleForAmazonMacie) to the bucket policy. The condition can exclude the Macie service-linked role from matching the Deny restriction in the policy. It can do this by using the aws:PrincipalArn global condition context key and the Amazon Resource Name (ARN) of the Macie service-linked role.
The following procedure guides you through this process and provides an example.
To add the Macie service-linked role to a bucket policy
- Sign in to the AWS Management Console and open the Amazon S3 console at https://console.aws.amazon.com/s3/.
- In the navigation pane, choose Buckets.
- Choose the S3 bucket that you want to allow Macie to access.
- On the Permissions tab, under Bucket policy, choose Edit.
- In the Bucket policy editor, identify each Deny statement that restricts access and prevents Macie from accessing the bucket or the bucket's objects.
- In each Deny statement, add a condition that uses the aws:PrincipalArn global condition context key and specifies the ARN of the Macie service-linked role for your AWS account. The value for the condition key should be arn:aws:iam::123456789012:role/aws-service-role/macie.amazonaws.com/AWSServiceRoleForAmazonMacie, where 123456789012 is the account ID for your AWS account.
Where you add this to a bucket policy depends on the structure, elements, and conditions that the policy currently contains. To learn about supported structures and elements, see Policies and permissions in Amazon S3 in the Amazon Simple Storage Service User Guide.
The following is an example of a bucket policy that uses an explicit Deny statement to restrict access to an S3 bucket named amzn-s3-demo-bucket. With the current policy, the bucket can be accessed only from the VPC endpoint whose ID is vpce-1a2b3c4d. Access from all other VPC endpoints is denied, including access from the AWS Management Console and Macie.
{
  "Version": "2012-10-17",
  "Id": "Policy1415115example",
  "Statement": [
    {
      "Sid": "Access only from specific VPCE",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::amzn-s3-demo-bucket",
        "arn:aws:s3:::amzn-s3-demo-bucket/*"
      ],
      "Condition": {
        "StringNotEquals": {
          "aws:SourceVpce": "vpce-1a2b3c4d"
        }
      }
    }
  ]
}
To change this policy and allow Macie to access the S3 bucket and the bucket's objects, we can add a condition that uses the StringNotLike condition operator and the aws:PrincipalArn global condition context key. This additional condition excludes the Macie service-linked role from matching the Deny restriction.
{
  "Version": "2012-10-17",
  "Id": "Policy1415115example",
  "Statement": [
    {
      "Sid": "Access only from specific VPCE and Macie",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::amzn-s3-demo-bucket",
        "arn:aws:s3:::amzn-s3-demo-bucket/*"
      ],
      "Condition": {
        "StringNotEquals": {
          "aws:SourceVpce": "vpce-1a2b3c4d"
        },
        "StringNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::123456789012:role/aws-service-role/macie.amazonaws.com/AWSServiceRoleForAmazonMacie"
        }
      }
    }
  ]
}
In the preceding example, the StringNotLike condition operator uses the aws:PrincipalArn condition context key to specify the ARN of the Macie service-linked role, where:
- 123456789012 is the account ID for the AWS account that's permitted to use Macie to retrieve information about the bucket and the bucket's objects, and retrieve objects from the bucket.
- macie.amazonaws.com is the identifier for the Macie service principal.
- AWSServiceRoleForAmazonMacie is the name of the Macie service-linked role.
We used the StringNotLike operator because the policy already uses a StringNotEquals operator. The StringNotEquals operator can appear only once in a statement's Condition element.
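The procedure above is easy to get wrong by hand on a policy with several Deny statements, so the following script, an added example that is not part of this guide or of Macie itself, applies the same change programmatically: it lists the Deny statements that do not yet exempt the Macie service-linked role, and returns a patched copy of the policy with the StringNotLike / aws:PrincipalArn condition added to each of them. It uses only the Python standard library and operates on a policy document you supply (the embedded sample is the VPC endpoint policy from this page, with the same placeholder account ID 123456789012); the function names are the author's own. The script does not call S3; review the output and apply it through the console or PutBucketPolicy yourself.

```python
import copy
import json

# ARN pattern for the Macie service-linked role, as given in this guide.
MACIE_SLR_ARN = (
    "arn:aws:iam::{account_id}:role/aws-service-role/"
    "macie.amazonaws.com/AWSServiceRoleForAmazonMacie"
)

# Negated operators that IAM evaluates against aws:PrincipalArn; any of them
# naming the role means the Deny no longer matches Macie.
_NEGATED_OPERATORS = ("StringNotLike", "StringNotEquals", "ArnNotLike", "ArnNotEquals")


def macie_role_arn(account_id: str) -> str:
    """Return the Macie service-linked role ARN for the given AWS account ID."""
    return MACIE_SLR_ARN.format(account_id=account_id)


def _as_list(value):
    """IAM allows scalars or lists in most elements; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def exempts_macie(statement: dict, role_arn: str) -> bool:
    """True if the statement already excludes the Macie role via aws:PrincipalArn."""
    condition = statement.get("Condition", {})
    for operator in _NEGATED_OPERATORS:
        arns = _as_list(condition.get(operator, {}).get("aws:PrincipalArn"))
        if role_arn in arns:
            return True
    return False


def deny_statements_blocking_macie(policy: dict, account_id: str) -> list:
    """Return the Sid (or index label) of every Deny statement that lacks the exemption.

    Every Deny statement is reported unless it names the role; whether a given
    Deny actually reaches Macie (its Principal, Action and Resource) is for the
    operator to confirm, as the guide's procedure says.
    """
    role_arn = macie_role_arn(account_id)
    blocking = []
    for index, statement in enumerate(_as_list(policy.get("Statement"))):
        if statement.get("Effect") != "Deny":
            continue
        if not exempts_macie(statement, role_arn):
            blocking.append(statement.get("Sid", f"statement[{index}]"))
    return blocking


def add_macie_exemption(policy: dict, account_id: str) -> dict:
    """Return a deep copy of the policy with StringNotLike aws:PrincipalArn added to
    each Deny statement that does not already exempt the Macie role.

    If a StringNotLike block with aws:PrincipalArn already exists, the role ARN
    is appended to it as a list, since a condition operator may appear only once
    per Condition element. The input policy is not modified.
    """
    role_arn = macie_role_arn(account_id)
    patched = copy.deepcopy(policy)
    for statement in _as_list(patched.get("Statement")):
        if statement.get("Effect") != "Deny" or exempts_macie(statement, role_arn):
            continue
        condition = statement.setdefault("Condition", {})
        not_like = condition.setdefault("StringNotLike", {})
        existing = not_like.get("aws:PrincipalArn")
        if existing is None:
            not_like["aws:PrincipalArn"] = role_arn
        else:
            not_like["aws:PrincipalArn"] = _as_list(existing) + [role_arn]
    return patched


# Constructed sample: the VPC endpoint Deny policy shown in this guide.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Id": "Policy1415115example",
    "Statement": [
        {
            "Sid": "Access only from specific VPCE",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::amzn-s3-demo-bucket",
                "arn:aws:s3:::amzn-s3-demo-bucket/*",
            ],
            "Condition": {"StringNotEquals": {"aws:SourceVpce": "vpce-1a2b3c4d"}},
        }
    ],
}


if __name__ == "__main__":
    account = "123456789012"  # placeholder account ID from the guide
    print("Deny statements without a Macie exemption:",
          deny_statements_blocking_macie(SAMPLE_POLICY, account))
    print(json.dumps(add_macie_exemption(SAMPLE_POLICY, account), indent=2))
```

Running the script on the sample prints the one blocking Sid and then a policy identical to the second example on this page (apart from the Sid text). Running add_macie_exemption a second time on its own output changes nothing, so it is safe to use in a reconciliation loop that reads each bucket's policy and reports drift.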
For additional policy examples and detailed information about managing access to Amazon S3 resources, see Access management in the Amazon Simple Storage Service User Guide.