Allowing Amazon Macie to access S3 buckets and objects - Amazon Macie

Allowing Amazon Macie to access S3 buckets and objects

When you enable Amazon Macie for your AWS account, Macie creates a service-linked role that grants Macie the permissions that it requires to call Amazon Simple Storage Service (Amazon S3) and other AWS services on your behalf. A service-linked role makes it easier to set up an AWS service because you don't have to manually add the necessary permissions for the service to complete actions on your behalf. To learn more about this type of role, see Using service-linked roles in the AWS Identity and Access Management User Guide.

The permissions policy for the Macie service-linked role allows Macie to perform actions that include retrieving information about your S3 buckets and objects, and retrieving objects from your S3 buckets. If you're the Macie administrator for an organization, the policy also allows Macie to perform these actions for member accounts in your organization.

Macie uses these permissions to:

  • Generate and maintain an inventory of your S3 buckets

  • Provide statistical and other data about the buckets and objects in the buckets

  • Monitor and evaluate the buckets for security and access control

  • Analyze objects in the buckets to detect sensitive data

In most cases, Macie has the permissions that it needs to perform these tasks. However, if a bucket has a restrictive bucket policy, the policy might prevent Macie from performing some or all of these tasks.

A bucket policy is a resource-based AWS Identity and Access Management (IAM) policy that specifies which actions a principal (AWS account, IAM user, or IAM role) can perform on an S3 bucket, and the conditions under which a principal can perform those actions. The actions and conditions can apply to bucket-level operations, such as retrieving information about a bucket, and object-level operations, such as retrieving objects from a bucket.

Bucket policies typically grant or restrict access by using explicit Allow or Deny statements and conditions. For example, a bucket policy might contain a Deny statement that denies access to the bucket unless specific source IP addresses, Amazon Virtual Private Cloud (Amazon VPC) endpoints, or VPCs are used to access the bucket. For information about using bucket policies to grant or restrict access to buckets, see Bucket policies and user policies and How Amazon S3 authorizes a request in the Amazon Simple Storage Service User Guide.

If a bucket policy uses an explicit Allow statement, the policy doesn’t prevent Macie from retrieving information about the bucket and the bucket’s objects, or retrieving objects from the bucket. This is because the Allow statements in the permissions policy for the Macie service-linked role grant these permissions.

However, if a bucket policy uses an explicit Deny statement with one or more conditions, Macie might not be allowed to retrieve information about the bucket or the bucket’s objects, or retrieve the bucket’s objects. For example, if a bucket policy explicitly denies access from all sources except a specific IP address, Macie won't be allowed to analyze the bucket’s objects as part of a sensitive data discovery job. This is because restrictive bucket policies take precedence over the Allow statements in the permissions policy for the Macie service-linked role.

To allow Macie to access a bucket that has a restrictive bucket policy, you can add a condition for the Macie service-linked role (AWSServiceRoleForAmazonMacie) to the bucket policy. The condition can exclude the Macie service-linked role from matching the Deny restriction in the policy. It can do this by using the aws:PrincipalArn global condition key and the Amazon Resource Name (ARN) of the Macie service-linked role.

The following procedure walks you through this process and provides an example.

To add the Macie service-linked role to a bucket policy

  1. Sign in to the AWS Management Console and open the Amazon S3 console at https://console.aws.amazon.com/s3/.

  2. In the navigation pane, choose Buckets.

  3. Choose the bucket that you want to allow Macie to access.

  4. On the Permissions tab, under Bucket policy, choose Edit.

  5. In the Bucket policy editor, identify each Deny statement that restricts access and prevents Macie from accessing the bucket or the bucket's objects.

  6. In each Deny statement, add a condition that uses the aws:PrincipalArn global condition key and specifies the ARN of the Macie service-linked role for your AWS account.

    The value for the condition key should be arn:aws:iam::123456789012:role/aws-service-role/macie.amazonaws.com/AWSServiceRoleForAmazonMacie, where 123456789012 is the account ID for your AWS account.

Where you add this to a bucket policy depends on the structure, elements, and conditions that the policy currently contains. To learn about supported structures and elements, see Policies and permissions in Amazon S3 in the Amazon Simple Storage Service User Guide.

The following is an example of a bucket policy that uses an explicit Deny statement to restrict access to a bucket named DOC-EXAMPLE-BUCKET. With the current policy, the bucket can be accessed only from the VPC endpoint whose ID is vpce-1a2b3c4d. Access from all other VPC endpoints is denied, including access from the AWS Management Console and Macie.

{
  "Version": "2012-10-17",
  "Id": "Policy1415115example",
  "Statement": [
    {
      "Sid": "Access to specific VPCE only",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::DOC-EXAMPLE-BUCKET",
        "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"
      ],
      "Condition": {
        "StringNotEquals": {
          "aws:SourceVpce": "vpce-1a2b3c4d"
        }
      }
    }
  ]
}

To change this policy and allow Macie to access the bucket and the bucket's objects, we can add a condition that uses the StringNotLike condition operator and the aws:PrincipalArn global condition key. This additional condition excludes the Macie service-linked role from matching the Deny restriction.

{
  "Version": "2012-10-17",
  "Id": "Policy1415115example",
  "Statement": [
    {
      "Sid": "Access to specific VPCE and Macie only",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::DOC-EXAMPLE-BUCKET",
        "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"
      ],
      "Condition": {
        "StringNotEquals": {
          "aws:SourceVpce": "vpce-1a2b3c4d"
        },
        "StringNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::123456789012:role/aws-service-role/macie.amazonaws.com/AWSServiceRoleForAmazonMacie"
        }
      }
    }
  ]
}

In the preceding example, the StringNotLike condition operator uses the aws:PrincipalArn condition key to specify the ARN of the Macie service-linked role, where:

  • 123456789012 is the account ID for the AWS account that's permitted to use Macie to retrieve information about the bucket and the bucket's objects and to analyze objects in the bucket.

  • macie.amazonaws.com is the identifier for the Macie service principal.

  • AWSServiceRoleForAmazonMacie is the name of the Macie service-linked role.

We used the StringNotLike operator because the policy's Condition element already uses a StringNotEquals operator. Within a single Condition element, each condition operator can appear only once, so a second StringNotEquals key would be invalid.
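The following Python script is an added example, not code from the Macie guide or from AWS. It performs steps 5 and 6 of the procedure above on a bucket policy loaded as JSON: it lists the Deny statements that apply to every principal and do not yet exempt the Macie service-linked role, then adds the StringNotLike / aws:PrincipalArn exemption to each of them. If a statement already has a StringNotLike block for aws:PrincipalArn, the Macie ARN is merged into that block as an additional value rather than introducing a duplicate operator key, which is the constraint the preceding paragraph describes. The sample policy and account ID are the page's own example values; the function names are mine.

```python
import copy
import fnmatch
import json

# Path portion of the Macie service-linked role ARN, as given on this page.
MACIE_ROLE_PATH = "role/aws-service-role/macie.amazonaws.com/AWSServiceRoleForAmazonMacie"

# Negated string/ARN operators: a value listed under one of these on aws:PrincipalArn
# excludes that principal from matching a Deny statement.
_NEGATED_OPERATORS = {"StringNotEquals", "StringNotLike", "ArnNotEquals", "ArnNotLike"}


def macie_role_arn(account_id: str) -> str:
    """ARN of the Macie service-linked role for the given AWS account ID."""
    return f"arn:aws:iam::{account_id}:{MACIE_ROLE_PATH}"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_wildcard_principal(stmt: dict) -> bool:
    principal = stmt.get("Principal")
    return principal == "*" or principal == {"AWS": "*"}


def _exempts_principal(condition: dict, role_arn: str) -> bool:
    """True if the Condition already excludes role_arn via a negated operator on aws:PrincipalArn."""
    for operator, pairs in condition.items():
        base = operator.split(":")[-1]            # drop ForAnyValue:/ForAllValues: prefix
        if base.endswith("IfExists"):
            base = base[: -len("IfExists")]
        if base not in _NEGATED_OPERATORS or not isinstance(pairs, dict):
            continue
        for key, values in pairs.items():
            if key.lower() != "aws:principalarn":  # condition keys are case-insensitive
                continue
            if any(fnmatch.fnmatchcase(role_arn, str(v)) for v in _as_list(values)):
                return True
    return False


def blocking_deny_statements(policy: dict, role_arn: str) -> list:
    """Step 5: Sids (or positional index) of Deny statements that would also deny role_arn.

    Only Deny statements with a wildcard Principal are reported; a Deny that names
    specific principals does not affect the Macie role unless it is listed there.
    """
    found = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Deny" or not _is_wildcard_principal(stmt):
            continue
        if not _exempts_principal(stmt.get("Condition", {}), role_arn):
            found.append(stmt.get("Sid", i))
    return found


def add_macie_exception(policy: dict, account_id: str) -> dict:
    """Step 6: return a copy of policy in which every blocking Deny statement exempts the Macie role."""
    role_arn = macie_role_arn(account_id)
    updated = copy.deepcopy(policy)
    updated["Statement"] = _as_list(updated.get("Statement", []))
    for stmt in updated["Statement"]:
        if stmt.get("Effect") != "Deny" or not _is_wildcard_principal(stmt):
            continue
        condition = stmt.setdefault("Condition", {})
        if _exempts_principal(condition, role_arn):
            continue                               # already handled; keeps the function idempotent
        block = condition.setdefault("StringNotLike", {})
        # Reuse an existing aws:PrincipalArn key (any letter case) so no key is duplicated.
        key = next((k for k in block if k.lower() == "aws:principalarn"), "aws:PrincipalArn")
        if key in block:
            # Negated operators require the principal to match none of the listed values,
            # so appending the Macie ARN keeps every existing exemption intact.
            block[key] = _as_list(block[key]) + [role_arn]
        else:
            block[key] = role_arn
    return updated


# Constructed sample: the page's VPC-endpoint-only policy for DOC-EXAMPLE-BUCKET.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Id": "Policy1415115example",
    "Statement": [{
        "Sid": "Access to specific VPCE only",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": ["arn:aws:s3:::DOC-EXAMPLE-BUCKET", "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"],
        "Condition": {"StringNotEquals": {"aws:SourceVpce": "vpce-1a2b3c4d"}},
    }],
}

if __name__ == "__main__":
    arn = macie_role_arn("123456789012")
    print("Blocking Deny statements:", blocking_deny_statements(SAMPLE_POLICY, arn))
    print(json.dumps(add_macie_exception(SAMPLE_POLICY, "123456789012"), indent=2))
```

Running the script prints the Sid of the blocking statement and then the amended policy, which matches the second policy example above. The original dictionary is left untouched, so the result can be reviewed before it is written back to the bucket with the S3 console or API.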

For additional policy examples and detailed information about managing access to Amazon S3 resources, see Identity and access management in Amazon S3 in the Amazon Simple Storage Service User Guide.