Assessing your Amazon S3 security posture with Amazon Macie

To assess the overall security posture of your Amazon Simple Storage Service (Amazon S3) data and determine where to take action, you can use the Summary dashboard on the Amazon Macie console.

The Summary dashboard provides a snapshot of aggregated statistics for your Amazon S3 data in the current AWS Region. The statistics include data for key security metrics such as the number of buckets that are publicly accessible or don't encrypt new objects by default. The dashboard also displays groups of aggregated findings data for your account—for example, the types of findings that had the highest number of occurrences during the preceding seven days. If you're the Macie administrator for an organization, the dashboard includes aggregated statistics and data for member accounts in your organization.

To perform deeper analysis, you can drill down and review the supporting data for individual items on the dashboard. You can also review and analyze your S3 bucket inventory by using the Amazon Macie console, or query and analyze inventory data by using the Amazon S3 Data Source resource of the Amazon Macie API.

Displaying the Summary dashboard

On the Amazon Macie console, the Summary dashboard provides a snapshot of aggregated statistics and findings data for your Amazon S3 data in the current AWS Region. If you prefer to query and review this data programmatically, you can use the Amazon S3 Data Source Statistics resource of the Amazon Macie API.

To display the Summary dashboard

  1. Open the Macie console at https://console.aws.amazon.com/macie/.

  2. In the navigation pane, choose Summary. Macie displays the Summary dashboard.

  3. To determine when Macie most recently retrieved both bucket and object metadata for your account, refer to the Last updated field at the top of the dashboard. For more information, see Data refreshes.

  4. To review the supporting data for an item on the dashboard, choose the item.

If you're the Macie administrator for an organization, the dashboard displays aggregated statistics and data for your account and member accounts in your organization. To filter the dashboard and display data only for a particular account, enter the account's ID in the Account box above the dashboard.

Understanding components of the Summary dashboard

On the Summary dashboard, statistics and data are organized into four sections, as shown in the following image.


				The Summary dashboard on the Amazon Macie console. Each
					section of the dashboard contains example data.

Each section provides insight into key metrics or recent findings data that can help you assess the security and privacy of your Amazon S3 data in the current AWS Region.

1. S3 buckets

This section provides statistics about the amount of data that you store in Amazon S3 and how much of that data Macie can analyze to detect sensitive data. It also provides statistics that indicate potential security and privacy risks for the data. For details about each statistic, see Understanding S3 bucket statistics on the dashboard.

This section also indicates when Macie most recently retrieved bucket and object metadata from Amazon S3 as part of the daily refresh cycle. You can find this information in the Last updated field. For more information, see Data refreshes.

2. Top S3 buckets

This section lists the S3 buckets that generated the most findings (of any type) during the preceding seven days, for as many as five buckets. It also indicates the number of findings that Macie created for each bucket.

To display and optionally drill down on all the findings for a bucket for the preceding seven days, choose the value in the Total findings field. To display all current findings for all of your buckets, grouped by bucket, choose View all findings by bucket.

This section is empty if Macie didn’t create any findings during the preceding seven days.

3. Top finding types

This section lists the types of findings that had the highest number of occurrences during the preceding seven days, for as many as five types of findings. It also indicates the number of findings that Macie created for each type.

To display and optionally drill down on all findings of a particular type for the preceding seven days, choose the value in the Total findings field. To display all current findings, grouped by finding type, choose View all findings by type.

This section is empty if Macie didn’t create any findings during the preceding seven days.

4. Policy findings

This section lists the policy findings that Macie created or updated most recently, for as many as ten findings. To display the details of a particular finding, choose the finding.

This section is empty if Macie didn’t create or update any policy findings during the preceding seven days.

Note that findings data on the Summary dashboard doesn't include findings that were suppressed by a suppression rule.

Understanding S3 bucket statistics on the Summary dashboard

The S3 buckets section of the Summary dashboard provides statistics about the amount of data that you store in Amazon S3 in the current AWS Region and how much of that data Macie can analyze to detect sensitive data. It also provides statistics that can help you identify and investigate potential security risks. For example, you might use this data to identify S3 buckets that are publicly accessible or don’t encrypt new objects by default, and then create a sensitive data discovery job to determine whether the buckets also contain sensitive data.

The statistics are organized into four sections, as shown in the following image.

[Image: The S3 buckets section of the Summary dashboard on the Amazon Macie console. Each subsection contains example data.]

1. Storage and sensitive data discovery

The statistics at the top of the S3 buckets section indicate how much data you store in Amazon S3 and how much of that data Macie can analyze to detect sensitive data:

  • Total S3 buckets – The total number of S3 buckets, including buckets that don't contain any objects.

  • Storage

    • Classifiable – The total storage size of all the objects that Macie can analyze in the buckets.

    • Total – The total storage size of all the objects in the buckets, including objects that Macie can’t analyze.

    If any of the objects are compressed files, these values don’t reflect the actual size of those files after they’re decompressed. If versioning is enabled for any of the buckets, these values are based on the storage size of the latest version of each object in those buckets.

  • Objects

    • Classifiable – The total number of objects that Macie can analyze in the buckets.

    • Total – The total number of objects in the buckets, including objects that Macie can’t analyze.

In the preceding statistics, data and objects are classifiable if they use a supported Amazon S3 storage class (S3 Intelligent-Tiering, S3 One Zone-IA, S3 Standard, or S3 Standard-IA) and have a file name extension for a supported file or storage format. You can detect sensitive data in these objects by creating and running sensitive data discovery jobs.

Note that the Storage and Objects statistics don't include data about objects in buckets that Macie isn't allowed to access. To identify buckets where this is the case, you can review your bucket inventory. If the warning icon (a red triangle with a red exclamation point in it) appears next to a bucket's name in your inventory, Macie isn't allowed to access the bucket.

2. Public access

This section indicates how many S3 buckets are or aren't publicly accessible:

  • Publicly accessible – The number and percentage of buckets that allow the general public to have read or write access to the bucket.

  • Publicly world writable – The number and percentage of buckets that allow the general public to have write access to the bucket.

  • Publicly world readable – The number and percentage of buckets that allow the general public to have read access to the bucket.

  • Not publicly accessible – The number and percentage of buckets that don’t allow the general public to have read or write access to the bucket.

To calculate each percentage, Macie divides the number of applicable buckets by the total number of buckets in your bucket inventory.

To determine the values in this section, Macie analyzes a combination of account- and bucket-level settings for each bucket: the block public access settings for the account, the block public access settings for the bucket, the bucket policy, and the access control list (ACL) for the bucket. For information about these settings, see Identity and access management in Amazon S3 and Blocking public access to your Amazon S3 storage in the Amazon Simple Storage Service User Guide.

In certain cases, this section also displays values for Unknown. If these values appear, Macie wasn’t able to evaluate the public access settings for the specified number and percentage of buckets. For example, a temporary issue or the buckets' permissions settings prevented Macie from retrieving the requisite data. Or Macie wasn't able to fully determine whether one or more policy statements allow an external entity to access the buckets.
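The following is an added example, not Amazon Macie's own code, that approximates how the four inputs named above (account-level Block Public Access, bucket-level Block Public Access, the bucket ACL, and the bucket policy) combine into the Publicly world readable, Publicly world writable, Not publicly accessible and Unknown buckets the dashboard counts. The merge rules and the treatment of conditional policy statements as Unknown are assumptions; the inputs are shaped like the corresponding S3 API responses.

```python
# Added example, not Macie's own code: approximate a bucket's effective public
# access from account BPA, bucket BPA, ACL grants and the bucket policy.
# The exact evaluation rules Macie applies are an assumption here.
from typing import Any, Dict, List, Optional

PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
BPA_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

def _effective_bpa(account: Dict[str, bool], bucket: Dict[str, bool]) -> Dict[str, bool]:
    # A Block Public Access setting is in force if either level enables it.
    return {k: bool(account.get(k)) or bool(bucket.get(k)) for k in BPA_KEYS}

def _principal_is_public(principal: Any) -> bool:
    aws = principal.get("AWS") if isinstance(principal, dict) else principal
    return aws == "*" or (isinstance(aws, list) and "*" in aws)

def classify_public_access(account_bpa: Dict[str, bool], bucket_bpa: Dict[str, bool],
                           acl_grants: List[Dict[str, Any]],
                           policy: Optional[Dict[str, Any]]) -> str:
    """Return 'not_public', 'public_read', 'public_write', 'public_read_write' or 'unknown'."""
    bpa = _effective_bpa(account_bpa, bucket_bpa)
    read = write = unknown = False
    # ACL grants to the AllUsers/AuthenticatedUsers groups count unless IgnorePublicAcls is on.
    if not bpa["IgnorePublicAcls"]:
        for grant in acl_grants:
            if grant.get("Grantee", {}).get("URI") in PUBLIC_GROUPS:
                perm = grant.get("Permission")
                read = read or perm in ("READ", "FULL_CONTROL")
                write = write or perm in ("WRITE", "FULL_CONTROL")
    # A public bucket policy is neutralised when RestrictPublicBuckets is on.
    if policy and not bpa["RestrictPublicBuckets"]:
        for stmt in policy.get("Statement", []):
            if stmt.get("Effect") != "Allow" or not _principal_is_public(stmt.get("Principal")):
                continue
            if stmt.get("Condition"):
                unknown = True  # reach depends on conditions that may not be fully evaluable
                continue
            actions = stmt.get("Action", [])
            actions = [actions] if isinstance(actions, str) else actions
            read = read or any(a in ("s3:*", "s3:GetObject") for a in actions)
            write = write or any(a in ("s3:*", "s3:PutObject") for a in actions)
    if read or write:
        return "public_read_write" if read and write else ("public_read" if read else "public_write")
    return "unknown" if unknown else "not_public"
```

Deny statements and cross-account principals are deliberately out of scope; the Sharing subsection below covers the latter.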

3. Encryption

This section indicates how many S3 buckets are or aren't configured to encrypt new objects automatically, and how many S3 buckets do or don't require server-side encryption of objects when objects are uploaded to the buckets:

  • Default encryption disabled – The number and percentage of buckets that don’t encrypt new objects automatically. Default encryption is disabled for these buckets.

  • Not required by bucket policy – The number and percentage of buckets whose bucket policies don't require server-side encryption of new objects. For these buckets, PutObject requests don't have to specify a valid, server-side encryption option.

  • Encrypt by default – SSE-S3 – The number and percentage of buckets that encrypt new objects automatically using an Amazon S3 managed key. Default encryption is enabled for these buckets.

  • Encrypt by default – SSE-KMS – The number and percentage of buckets that encrypt new objects automatically using an AWS KMS key. Default encryption is enabled for these buckets.

  • Required by bucket policy – The number and percentage of buckets whose bucket policies require server-side encryption of new objects. For these buckets, PutObject requests must specify a valid, server-side encryption option. Otherwise, Amazon S3 denies the request.

Note that the totals in this section might exceed the total number of buckets in your inventory. This is because a bucket can have a combination of encryption settings. For example, a bucket might not be configured to encrypt new objects automatically and it might not have a bucket policy that requires server-side encryption of new objects.

To calculate each percentage in this section, Macie divides the number of applicable buckets by the total number of buckets in your bucket inventory.

To determine the values in this section, Macie analyzes the default encryption settings and, if applicable, the bucket policy for each bucket. For information about default encryption settings, see Setting default server-side encryption behavior for Amazon S3 buckets in the Amazon Simple Storage Service User Guide. For information about using bucket policies to require server-side encryption of new objects, see How to prevent uploads of unencrypted objects to Amazon S3 on the AWS Security Blog.

In certain cases, this section also displays values for Unknown. If these values appear, Macie wasn’t able to evaluate the default encryption settings or bucket policy for the specified number and percentage of buckets. For example, a temporary issue or the buckets' permissions settings prevented Macie from retrieving the requisite data. Or Macie wasn't able to fully determine whether the buckets' policies require server-side encryption of new objects.
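As an added example (not Macie's own code), the following classifies one bucket along the two independent dimensions this section counts: its default encryption (SSE-S3, SSE-KMS or disabled) from a GetBucketEncryption-shaped configuration, and whether its bucket policy requires server-side encryption of new objects by denying PutObject requests that omit or mis-set the s3:x-amz-server-side-encryption header. Which exact Deny patterns Macie recognises is an assumption here; the sample policy is constructed.

```python
# Added example, not Macie's own code: classify a bucket's default encryption
# and whether its policy requires SSE on upload, mirroring the Encryption counts.
from typing import Any, Dict, Optional

SSE_KEY = "s3:x-amz-server-side-encryption"

def default_encryption(config: Optional[Dict[str, Any]]) -> str:
    """Return 'sse_s3', 'sse_kms' or 'disabled' for a bucket's default encryption."""
    if not config:
        return "disabled"  # no ServerSideEncryptionConfiguration on the bucket
    for rule in config.get("Rules", []):
        algo = rule.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm", "")
        if algo == "AES256":
            return "sse_s3"
        if algo.startswith("aws:kms"):  # aws:kms (and DSSE-KMS variants) use an AWS KMS key
            return "sse_kms"
    return "disabled"

def _as_list(value: Any):
    return [value] if isinstance(value, str) else list(value or [])

def policy_requires_sse(policy: Optional[Dict[str, Any]]) -> str:
    """Return 'required', 'not_required' or 'unknown'.

    'required' means a Deny on s3:PutObject for any principal rejects uploads
    whose SSE header is missing (Null) or not the expected value (StringNotEquals).
    Any other operator keyed on the SSE header is reported as 'unknown'.
    """
    if not policy:
        return "not_required"
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Deny" or stmt.get("Principal") != "*":
            continue
        if "s3:PutObject" not in _as_list(stmt.get("Action")):
            continue
        cond = stmt.get("Condition", {})
        if str(cond.get("Null", {}).get(SSE_KEY, "")).lower() == "true":
            return "required"
        if SSE_KEY in cond.get("StringNotEquals", {}):
            return "required"
        if any(SSE_KEY in ops for ops in cond.values()):
            return "unknown"
    return "not_required"

def encryption_posture(config: Optional[Dict[str, Any]], policy: Optional[Dict[str, Any]]) -> Dict[str, str]:
    # Both answers are reported because a bucket is counted in each dimension separately.
    return {"default": default_encryption(config), "policy": policy_requires_sse(policy)}
```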

4. Sharing

This section indicates how many S3 buckets are or aren't shared with other AWS accounts:

  • Shared outside – The number and percentage of buckets that are shared with accounts that aren’t in the same organization.

  • Shared inside – The number and percentage of buckets that are shared with accounts in the same organization.

  • Not shared – The number and percentage of buckets that aren’t shared with other accounts.

To calculate each percentage, Macie divides the number of applicable buckets by the total number of buckets in your bucket inventory.

To determine the values in this section, Macie analyzes the bucket policy and ACL for each bucket. In addition, an organization is defined as a set of Macie accounts that are centrally managed as a group of related accounts through AWS Organizations or by Macie invitation.

In certain cases, this section also displays values for Unknown. If these values appear, Macie wasn’t able to determine whether the specified number and percentage of buckets are shared with another account. For example, a temporary issue or the buckets' permissions settings prevented Macie from retrieving the requisite data. Or Macie wasn't able to fully determine whether the buckets' policies or ACLs are configured to share the buckets with another account.