Amazon Macie integration with AWS Security Hub

AWS Security Hub is a service that provides you with a comprehensive view of your security posture across your AWS environment and helps you check your environment against security industry standards and best practices. It does this partly by consuming, aggregating, organizing, and prioritizing findings from multiple AWS services and supported AWS Partner Network security solutions. Security Hub helps you analyze your security trends and identify the highest priority security issues. To learn more about Security Hub, see the AWS Security Hub User Guide.

Amazon Macie integration with Security Hub enables you to publish findings from Macie to Security Hub automatically. Security Hub can then include those findings in its analysis of your security posture. This means that you can use Security Hub to monitor and process policy and sensitive data findings as part of a larger, aggregated set of findings data for your AWS environment. In other words, you can analyze Macie findings while you perform a broader analysis of your organization’s security posture and remediate findings as necessary. Security Hub reduces the complexity of addressing large volumes of findings from multiple providers.

In addition, Security Hub uses a standard format for all findings, including findings from Macie. Use of this format, the AWS Security Finding Format (ASFF), eliminates the need for you to perform time-consuming data conversion efforts.

How Macie publishes findings to Security Hub

In Security Hub, security issues are tracked as findings. Some findings come from issues that are detected by other AWS services or by supported AWS Partner Network security solutions. Security Hub also has a set of rules that it uses to detect security issues and generate findings.

Security Hub provides tools to manage findings from all of these sources. You can view and filter lists of findings and view the details of individual findings. To learn how, see Viewing findings in the AWS Security Hub User Guide. You can also track the status of an investigation into a finding. To learn how, see Taking action on findings in the AWS Security Hub User Guide.

All findings in Security Hub use a standard JSON format called the AWS Security Finding Format (ASFF). The ASFF includes details about the source of an issue, the affected resources, and the current status of a finding. For more information, see AWS Security Finding Format (ASFF) in the AWS Security Hub User Guide.

Amazon Macie is one of the AWS services that publishes findings to Security Hub.

Types of findings that Macie publishes

Depending on the publication settings that you choose for your Macie account, Macie can publish all the findings that it creates to Security Hub, both sensitive data findings and policy findings. For information about these settings and how to change them, see Configuring publication settings for findings. By default, Macie publishes only new and updated policy findings to Security Hub. Macie doesn't publish sensitive data findings to Security Hub.

Sensitive data findings

If you configure Macie to publish sensitive data findings to Security Hub, Macie automatically publishes each sensitive data finding that it creates for your account and it does so immediately after it finishes processing the finding. Macie does this for all sensitive data findings that aren't archived automatically by a suppression rule. If you're the Macie administrator for an organization, publication is also limited to findings from sensitive data discovery jobs that you ran. Only the account that creates a job can publish sensitive data findings that the job produces.

When Macie publishes sensitive data findings to Security Hub, it uses the AWS Security Finding Format (ASFF), which is the standard format for all findings in Security Hub. In the ASFF, the Types field indicates a finding's type. This field uses a taxonomy that's slightly different from the finding type taxonomy in Macie.

The following table lists the ASFF finding type for each type of sensitive data finding that Macie can create.

Macie finding type                        ASFF finding type
SensitiveData:S3Object/Credentials        Sensitive Data Identifications/Passwords/SensitiveData:S3Object-Credentials
SensitiveData:S3Object/CustomIdentifier   Sensitive Data Identifications/PII/SensitiveData:S3Object-CustomIdentifier
SensitiveData:S3Object/Financial          Sensitive Data Identifications/Financial/SensitiveData:S3Object-Financial
SensitiveData:S3Object/Multiple           Sensitive Data Identifications/PII/SensitiveData:S3Object-Multiple
SensitiveData:S3Object/Personal           Sensitive Data Identifications/PII/SensitiveData:S3Object-Personal

Policy findings

If you configure Macie to publish policy findings to Security Hub, Macie automatically publishes each new policy finding that it creates and it does so immediately after it finishes processing the finding. If Macie detects a subsequent occurrence of an existing policy finding, it automatically publishes an update to the existing finding in Security Hub, using a publication frequency that you specify for your account.

Macie performs these tasks for all policy findings that aren't archived automatically by a suppression rule. If you're the Macie administrator for an organization, publication is also limited to policy findings for S3 buckets that are owned directly by your account. Macie doesn't publish policy findings that it creates or updates for member accounts in your organization. This helps ensure that you don't have duplicate findings data in Security Hub.

As is the case for sensitive data findings, Macie uses the AWS Security Finding Format (ASFF) when it publishes new and updated policy findings to Security Hub. In the ASFF, the Types field uses a taxonomy that's slightly different from the finding type taxonomy in Macie.

The following table lists the ASFF finding type for each type of policy finding that Macie can create. If Macie created or updated a policy finding in Security Hub on or after January 28, 2021, the finding has one of the following values for the ASFF Types field in Security Hub.

Macie finding type                            ASFF finding type
Policy:IAMUser/S3BlockPublicAccessDisabled    Software and Configuration Checks/AWS Security Best Practices/Policy:IAMUser-S3BlockPublicAccessDisabled
Policy:IAMUser/S3BucketEncryptionDisabled     Software and Configuration Checks/AWS Security Best Practices/Policy:IAMUser-S3BucketEncryptionDisabled
Policy:IAMUser/S3BucketPublic                 Effects/Data Exposure/Policy:IAMUser-S3BucketPublic
Policy:IAMUser/S3BucketReplicatedExternally   Software and Configuration Checks/AWS Security Best Practices/Policy:IAMUser-S3BucketReplicatedExternally
Policy:IAMUser/S3BucketSharedExternally       Software and Configuration Checks/AWS Security Best Practices/Policy:IAMUser-S3BucketSharedExternally

If Macie created or last updated a policy finding before January 28, 2021, the finding has one of the following values for the ASFF Types field in Security Hub:

  • Policy:IAMUser/S3BlockPublicAccessDisabled

  • Policy:IAMUser/S3BucketEncryptionDisabled

  • Policy:IAMUser/S3BucketPublic

  • Policy:IAMUser/S3BucketReplicatedExternally

  • Policy:IAMUser/S3BucketSharedExternally

The values in the preceding list map directly to values for the Finding type (type) field in Macie.

Note

As you review and process policy findings in Security Hub, note the following exceptions:

  • In certain AWS Regions, Macie began using ASFF finding types for new and updated findings as early as January 25, 2021.

  • If you acted upon a policy finding in Security Hub before Macie began using ASFF finding types in your AWS Region, the value for the ASFF Types field of the finding will be one of the Macie finding types in the preceding list. It will not be one of the ASFF finding types in the preceding table. This is true for policy findings that you acted upon using the AWS Security Hub console or the BatchUpdateFindings operation of the AWS Security Hub API.

Latency for publishing findings

When Macie creates a new policy or sensitive data finding, it publishes the finding to Security Hub immediately after it finishes processing the finding.

When Macie detects a subsequent occurrence of an existing policy finding, it publishes an update to the existing Security Hub finding. The timing of the update depends on the publication frequency that you choose for your Macie account. By default, Macie publishes updates every 15 minutes. For more information, including how to change the setting for your account, see Configuring publication settings for findings.

Retrying publication when Security Hub is not available

If Security Hub isn't available, Macie creates a queue of findings that haven't been received by Security Hub. When the system is restored, Macie retries publication until the findings are received by Security Hub.

Updating existing findings in Security Hub

After Macie publishes a policy finding to Security Hub, Macie updates the finding to reflect any additional occurrences of the finding or finding activity. Macie does this only for policy findings. Sensitive data findings, unlike policy findings, are all treated as new (unique) because they derive from individual sensitive data discovery jobs.

When Macie publishes an update to a policy finding, Macie updates the value for the Updated At (UpdatedAt) field of the finding. You can use this value to determine when Macie most recently detected a subsequent occurrence of the potential policy violation that produced the finding.

Macie might also update the value for the Types (Types) field of a finding if the existing value for the field isn't an ASFF finding type. This depends on whether you've acted upon the finding in Security Hub. If you haven't acted upon the finding, Macie changes the field's value to the appropriate ASFF finding type. If you've acted upon the finding, using either the AWS Security Hub console or the BatchUpdateFindings operation of the AWS Security Hub API, Macie doesn't change the field's value.

Examples of Macie findings in Security Hub

When Macie publishes findings to Security Hub, it uses the AWS Security Finding Format (ASFF). This is the standard format for all findings in Security Hub. The following examples use sample data to demonstrate the structure and nature of the findings data that Macie publishes to Security Hub using this format:

Example of a sensitive data finding in Security Hub

Here's an example of a sensitive data finding that Macie published to Security Hub using the ASFF.

{
  "SchemaVersion": "2018-10-08",
  "Id": "5be50fce24526e670df77bc00example",
  "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/macie",
  "GeneratorId": "aws/macie",
  "AwsAccountId": "111122223333",
  "Types": [ "Sensitive Data Identifications/PII/SensitiveData:S3Object-Personal" ],
  "CreatedAt": "2021-06-28T23:21:49.667Z",
  "UpdatedAt": "2021-06-28T23:21:49.667Z",
  "Severity": { "Label": "HIGH", "Normalized": 70 },
  "Title": "The S3 object contains personal information.",
  "Description": "The object contains personal information such as first or last names, addresses, or identification numbers.",
  "ProductFields": {
    "JobArn": "arn:aws:macie2:us-east-1:111122223333:classification-job/698e99c283a255bb2c992feceexample",
    "S3Object.Path": "DOC-EXAMPLE-BUCKET1/2021 Sourcing.tsv",
    "S3Object.Extension": "tsv",
    "S3Bucket.effectivePermission": "NOT_PUBLIC",
    "S3Object.PublicAccess": "false",
    "S3Object.Size": "14",
    "S3Object.StorageClass": "STANDARD",
    "S3Bucket.allowsUnencryptedObjectUploads": "TRUE",
    "JobId": "698e99c283a255bb2c992feceexample",
    "aws/securityhub/FindingId": "arn:aws:securityhub:us-east-1::product/aws/macie/5be50fce24526e670df77bc00example",
    "aws/securityhub/ProductName": "Macie",
    "aws/securityhub/CompanyName": "Amazon"
  },
  "Resources": [
    {
      "Type": "AwsS3Bucket",
      "Id": "arn:aws:s3:::DOC-EXAMPLE-BUCKET1",
      "Partition": "aws",
      "Region": "us-east-1",
      "Details": {
        "AwsS3Bucket": {
          "OwnerId": "7009a8971cd538e11f6b6606438875e7c86c5b672f46db45460ddcd08example",
          "OwnerName": "johndoe",
          "CreatedAt": "2020-12-30T18:16:25.000Z",
          "ServerSideEncryptionConfiguration": {
            "Rules": [ { "ApplyServerSideEncryptionByDefault": { "SSEAlgorithm": "NONE" } } ]
          },
          "PublicAccessBlockConfiguration": {
            "BlockPublicAcls": true,
            "BlockPublicPolicy": true,
            "IgnorePublicAcls": true,
            "RestrictPublicBuckets": true
          }
        }
      }
    },
    {
      "Type": "AwsS3Object",
      "Id": "arn:aws:s3:::DOC-EXAMPLE-BUCKET1/2021 Sourcing.tsv",
      "Partition": "aws",
      "Region": "us-east-1",
      "DataClassification": {
        "DetailedResultsLocation": "s3://macie-data-discovery-results/AWSLogs/111122223333/Macie/us-east-1/698e99c283a255bb2c992feceexample/111122223333/32b8485d-4f3a-3aa1-be33-aa3f0example.jsonl.gz",
        "Result": {
          "MimeType": "text/tsv",
          "SizeClassified": 14,
          "AdditionalOccurrences": false,
          "Status": { "Code": "COMPLETE" },
          "SensitiveData": [
            {
              "Category": "PERSONAL_INFORMATION",
              "Detections": [
                {
                  "Count": 1,
                  "Type": "USA_SOCIAL_SECURITY_NUMBER",
                  "Occurrences": {
                    "Cells": [ { "Row": 1, "Column": 1, "ColumnName": "Other", "CellReference": null } ]
                  }
                }
              ],
              "TotalCount": 1
            }
          ],
          "CustomDataIdentifiers": { "Detections": [], "TotalCount": 0 }
        }
      },
      "Details": {
        "AwsS3Object": {
          "LastModified": "2021-03-22T18:16:46.000Z",
          "ETag": "ebe1ca03ee8d006d457444445example",
          "VersionId": "SlBC72z5hArgexOJifxw_IN57EXAMPLE",
          "ServerSideEncryption": "NONE"
        }
      }
    }
  ],
  "WorkflowState": "NEW",
  "Workflow": { "Status": "NEW" },
  "RecordState": "ACTIVE",
  "FindingProviderFields": {
    "Severity": { "Label": "HIGH" },
    "Types": [ "Sensitive Data Identifications/PII/SensitiveData:S3Object-Personal" ]
  }
}

Example of a policy finding in Security Hub

Here's an example of a new policy finding that Macie published to Security Hub in the ASFF.

{
  "SchemaVersion": "2018-10-08",
  "Id": "36ca8ba0-caf1-4fee-875c-37760example",
  "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/macie",
  "GeneratorId": "aws/macie",
  "AwsAccountId": "111122223333",
  "Types": [ "Software and Configuration Checks/AWS Security Best Practices/Policy:IAMUser-S3BlockPublicAccessDisabled" ],
  "CreatedAt": "2021-06-28T01:20:52.313Z",
  "UpdatedAt": "2021-06-28T01:20:52.313Z",
  "Severity": { "Label": "HIGH", "Normalized": 70 },
  "Title": "Block Public Access settings are disabled for the S3 bucket",
  "Description": "All Amazon S3 block public access settings are disabled for the Amazon S3 bucket. Access to the bucket is controlled only by access control lists (ACLs) or bucket policies.",
  "ProductFields": {
    "S3Bucket.effectivePermission": "PUBLIC",
    "S3Bucket.allowsUnencryptedObjectUploads": "FALSE",
    "aws/securityhub/FindingId": "arn:aws:securityhub:us-east-1::product/aws/macie/36ca8ba0-caf1-4fee-875c-37760example",
    "aws/securityhub/ProductName": "Macie",
    "aws/securityhub/CompanyName": "Amazon"
  },
  "Resources": [
    {
      "Type": "AwsS3Bucket",
      "Id": "arn:aws:s3:::DOC-EXAMPLE-BUCKET2",
      "Partition": "aws",
      "Region": "us-east-1",
      "Tags": { "Team": "Recruiting", "Division": "HR" },
      "Details": {
        "AwsS3Bucket": {
          "OwnerId": "7009a8971cd538e11f6b6606438875e7c86c5b672f46db45460ddcd08example",
          "OwnerName": "johndoe",
          "CreatedAt": "2020-11-25T18:24:38.000Z",
          "ServerSideEncryptionConfiguration": {
            "Rules": [ { "ApplyServerSideEncryptionByDefault": { "SSEAlgorithm": "NONE" } } ]
          },
          "PublicAccessBlockConfiguration": {
            "BlockPublicAcls": false,
            "BlockPublicPolicy": false,
            "IgnorePublicAcls": false,
            "RestrictPublicBuckets": false
          }
        }
      }
    }
  ],
  "WorkflowState": "NEW",
  "Workflow": { "Status": "NEW" },
  "RecordState": "ACTIVE",
  "FindingProviderFields": {
    "Severity": { "Label": "LOW" },
    "Types": [ "Software and Configuration Checks/AWS Security Best Practices/Policy:IAMUser-S3BlockPublicAccessDisabled" ]
  }
}
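The following Python is an added example, not code from the Macie documentation or from AWS. It maps the ASFF Types values from the two tables back to Macie finding types, accepting both the ASFF namespace form and the legacy pre-January 2021 form described in the note, and summarises a finding shaped like the policy example above; the function names and the trimmed SAMPLE finding are constructed for illustration.

```python
import json
from typing import Optional

# Legacy Macie policy type names that Security Hub may still carry in the Types
# field for findings acted upon before Macie switched to ASFF types (Jan 2021).
LEGACY_POLICY_TYPES = {
    "Policy:IAMUser/S3BlockPublicAccessDisabled",
    "Policy:IAMUser/S3BucketEncryptionDisabled",
    "Policy:IAMUser/S3BucketPublic",
    "Policy:IAMUser/S3BucketReplicatedExternally",
    "Policy:IAMUser/S3BucketSharedExternally",
}


def macie_type_from_asff(asff_type: str) -> Optional[str]:
    """Map one ASFF Types entry back to the Macie finding type, accepting the ASFF
    namespace form and the legacy form; returns None for types of other products."""
    if asff_type in LEGACY_POLICY_TYPES:
        return asff_type  # legacy value is already the Macie type
    leaf = asff_type.rsplit("/", 1)[-1]  # last segment, e.g. "Policy:IAMUser-S3BucketPublic"
    if leaf.startswith(("Policy:IAMUser-", "SensitiveData:S3Object-")):
        category, name = leaf.split("-", 1)  # ASFF uses "-" where Macie uses "/"
        return f"{category}/{name}"
    return None


def triage(finding: dict) -> dict:
    """Summarise a Macie finding received from Security Hub in ASFF (hypothetical helper)."""
    macie_types = [t for t in map(macie_type_from_asff, finding["Types"]) if t]
    kind = "policy" if any(t.startswith("Policy:") for t in macie_types) else "sensitive-data"
    resources = finding.get("Resources", [])
    return {
        "kind": kind,
        "macie_types": macie_types,
        "buckets": [r["Id"] for r in resources if r["Type"] == "AwsS3Bucket"],
        "objects": [r["Id"] for r in resources if r["Type"] == "AwsS3Object"],
        # Macie re-publishes only policy findings; a later UpdatedAt marks a re-occurrence.
        "is_update": finding["UpdatedAt"] != finding["CreatedAt"],
        "bucket_public": finding.get("ProductFields", {}).get("S3Bucket.effectivePermission") == "PUBLIC",
    }


# Constructed sample, trimmed from the policy finding shown above (not a live finding).
SAMPLE = json.loads("""{
  "Types": ["Software and Configuration Checks/AWS Security Best Practices/Policy:IAMUser-S3BlockPublicAccessDisabled"],
  "CreatedAt": "2021-06-28T01:20:52.313Z", "UpdatedAt": "2021-06-28T01:20:52.313Z",
  "ProductFields": {"S3Bucket.effectivePermission": "PUBLIC"},
  "Resources": [{"Type": "AwsS3Bucket", "Id": "arn:aws:s3:::DOC-EXAMPLE-BUCKET2"}]
}""")
```

Running `triage(SAMPLE)` yields a policy finding on DOC-EXAMPLE-BUCKET2 that is not an update and whose bucket is effectively public; a finding still carrying a legacy Types value resolves to the same Macie type as its ASFF counterpart.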

Enabling and configuring Security Hub integration

To use Macie integration with Security Hub, you must enable Security Hub for your AWS account. For information about how to enable Security Hub, see Setting up AWS Security Hub in the AWS Security Hub User Guide.

When you enable both Macie and Security Hub, the integration is enabled automatically. This means that Macie automatically begins to publish new and updated policy findings to Security Hub. You don't need to take any additional steps to configure the integration.

You can optionally customize your configuration by choosing the frequency with which Macie publishes updates to policy findings in Security Hub. You can also choose to publish sensitive data findings to Security Hub in addition to policy findings. To learn how, see Configuring publication settings for findings.

Stopping the publication of findings to Security Hub

To stop publishing findings to Security Hub, you can change the publication settings for your Macie account. To learn how, see Choosing publication destinations for findings. You can also do this by using the Security Hub console or the Security Hub API. To learn how, see Disabling and enabling the flow of findings from an integration (console) or Disabling the flow of findings from an integration (Security Hub API, AWS CLI) in the AWS Security Hub User Guide.