Amazon Macie Classic Alerts - Amazon Macie Classic

This is the user guide for Amazon Macie Classic. For information about the new Amazon Macie, see the Amazon Macie User Guide. To access the Macie Classic console, open the Macie console at https://console.aws.amazon.com/macie/, and then choose Macie Classic in the navigation pane.

Amazon Macie Classic Alerts

An alert is a notification about a potential security issue discovered by Amazon Macie Classic.

Basic and Predictive Macie Classic Alerts

Macie Classic generates two types of alerts:

  • Basic alerts – Alerts generated by the security checks that Macie Classic performs. There are two types of basic alerts in Macie Classic:

    • Managed (curated by Macie Classic) basic alerts that you can't modify. You can enable or disable the existing managed basic alerts.

      Note

      You can identify managed basic alerts by the value of Default in the Created by field in the Basic alerts list in the Settings tab.

    • Custom basic alerts that you can create and modify to your exact specifications. For more information, see Adding New and Editing Existing Custom Basic Alerts.

  • Predictive alerts – Automatic alerts based on activity in your AWS infrastructure that deviates from the established normal activity baseline. More specifically, Macie Classic continuously monitors activity in your AWS infrastructure and builds a model of the normal behavior. Then it looks for deviations from that normal baseline, and when it detects such activity, it generates automatic predictive alerts. For example, a user uploading or downloading a large number of S3 objects in a day might trigger an alert if that user typically downloads one or two S3 objects in a week.

Alert Categories in Macie Classic

Macie Classic's basic alerts (managed and custom) can be of the following categories:

  • Configuration compliance – Related to compliance-controlled content, policy, configuration settings, control and data plane logging, and patch level.

  • Data compliance – Related to the discovery of compliance or security-controlled content, such as the existence of Personally Identifiable Information (PII), or access credentials.

  • File hosting – Related to you hosting possible malware, unsafe software, or attackers' command and control infrastructure through compromised hosts or storage services.

  • Service disruption – Configuration changes that can lead to you being unable to access resources in your own environment.

  • Ransomware – Potentially malicious software or activity designed to block your access to your own computer system until a sum of money is paid.

  • Suspicious access – Access to your resources from a risky anomalous IP address, user, or system, such as an attacker masquerading their connection through a compromised host.

  • Identity enumeration – A series of API calls or accesses enumerating access levels to your systems that can possibly indicate the early stages of an attack or compromised credentials.

  • Privilege escalation – Successful or unsuccessful attempts to gain elevated access to resources that are normally protected from an application or user, or attempts to gain access to your system or network for an extended period of time.

  • Anonymous access – Attempted access to your resources from an IP address, user, or service with the intent to hide a user's true identity. Examples include the use of proxy servers, virtual private networks, and other anonymity services such as Tor.

  • Open permissions – Identification of sensitive resources protected by potentially overly permissive (and thus risky) access control mechanisms.

  • Location anomaly – An anomalous and risky location of the access attempt to your sensitive data.

  • Information loss – An anomalous and risky access to your sensitive data.

  • Credentials loss – Possible compromise of your credentials.

To view a list of your existing alerts of a particular category, choose that category from the Categories list on the Macie Classic console's Alerts tab.

Severity Levels for Alerts in Macie Classic

Each Macie Classic alert has an assigned severity level. This reduces the need for you to rank alerts against each other in your analyses. It can also help you determine your response when an alert highlights a potential problem. Critical, High, Medium, and Low levels indicate a security issue that can result in compromised information confidentiality, integrity, and availability in your infrastructure. The Informational level highlights a security configuration detail of your infrastructure that Macie Classic monitors. The following are recommended ways to respond to each level:

  • Critical – Describes a security issue that can result in a compromise of the information confidentiality, integrity, and availability in your infrastructure. We recommend that you treat this security issue as an emergency and implement an immediate remediation. The main difference between a Critical and High severity is that a Critical severity alert might be informing you of a security compromise of a large number of your resources or systems. A High severity alert is informing you of a security compromise of one or several of your resources or systems.

  • High – Describes a security issue that can result in a compromise of the information confidentiality, integrity, and availability in your infrastructure. We recommend that you treat this security issue as an emergency and implement an immediate remediation.

  • Medium – Describes a security issue that can result in a compromise of the information confidentiality, integrity, and availability in your infrastructure. We recommend that you fix this issue at the next possible opportunity, for example, during your next service update.

  • Low – Describes a security issue that can result in a compromise of the information confidentiality, integrity, and availability in your infrastructure. We recommend that you fix this issue as part of one of your future service updates.

  • Informational – Describes a particular security configuration detail of your infrastructure. Based on your business and organization goals, you can either note this information or use it to improve the security of your systems and resources.

Locating and Analyzing Macie Classic Alerts

You can use the following procedure to locate and analyze existing alerts.

  1. To view your generated alerts (including Active and Archived basic or predictive alerts), in the Macie Classic console, navigate to the Alerts page.

    Each alert has a summary section that contains the following information:

    • Alert severity, which can be Critical, High, Medium, Low, or Informational. For more information, see Severity Levels for Alerts in Macie Classic.

    • A timestamp that indicates when the alert was generated or last updated.

    • The alert category. For more information, see Alert Categories in Macie Classic.

    • One of the following:

      • If the alert's index is CloudTrail data, a user that engaged in the activity that prompted Macie Classic to generate the alert. For more information, see the definition of user in the context of Macie Classic in Concepts and Terminology.

      • If the alert's index is S3 bucket properties or S3 objects, a bucket name that was involved in or that contains the objects that were involved in the activity that prompted Macie Classic to generate the alert.

      Important

      In Macie Classic, each alert is based on one of the following:

      • For the alerts with the index of CloudTrail data, only one user: the IAM identity whose activity prompted Macie Classic to generate the alert.

      • For the alerts with the index of S3 bucket properties or S3 objects, only one S3 bucket that was involved in or that contains objects that were involved in the activity that prompted Macie Classic to generate the alert.

    • The number of comments that were left on the alert.

    • The total number of results, which can consist of a list of user sessions, or a list of S3 buckets, or a list of S3 objects that match the query that is included in the definition of the alert. For more information, see Adding New and Editing Existing Custom Basic Alerts.

    • The number of views on the alert.

    • The AWS Region where the activity captured in this alert took place.

  2. To analyze any alert further, choose the alert to expand its details pane. The following information is included in the alert details:

    • The alert summary that includes the description and the total number of results: a number of user sessions, S3 buckets, or S3 objects that match the query that is included in the definition of the alert.

    • A list of the alert results. This is a list of user sessions, S3 buckets, or S3 objects, depending on the index that is specified in the definition for this alert. For more information, see Adding New and Editing Existing Custom Basic Alerts.

      • If you specified CloudTrail data as the index, the alert details contain a list of user sessions that match the query specified in the alert definition for a particular user.

      • If you specified S3 buckets as the index, the alert details contain a list of S3 buckets that match the query specified in the alert definition for a particular user.

      • If you specified S3 objects as the index, the alert details contain a list of S3 objects that match the query specified in the alert definition for a particular user.

      You can choose each result to examine it and view all its fields. For more information, see the Researching AWS Data, Researching S3 Bucket Properties Data, or Researching S3 Objects Data sections in Researching Through Data Monitored by Amazon Macie Classic.

      You can also use the Research looking glass icon to navigate to the Research tab and view the results of a particular alert there. The query parser in the Research tab is then prepopulated with the query that can be used to generate these results.

Adding New and Editing Existing Custom Basic Alerts

You can use the following procedure to add new and edit existing custom basic alerts.

  1. In the Macie Classic console, navigate to the Settings page and choose the icon for Basic alerts.

  2. On the Basic alerts page, either choose the edit icon for the alert that you want to modify or, to add a basic alert, choose Add new.

  3. Do one of the following:

    • If you're editing the existing alert, make your changes, including enabling or disabling the alert, and then choose Save.

    • If you're adding a new alert, on the Basic alert definition page, specify the following:

      • Alert title – For example, "An S3 bucket has an S3 bucket policy or S3 ACL that grants read rights to everyone."

      • Description for the alert – For example, "An S3 bucket policy or S3 ACL on an S3 bucket contains a clause that effectively grants read access to any user. We recommend that you audit this S3 bucket and its data and confirm that this is intentional."

      • Alert category – For more information, see Alert Categories in Macie Classic.

      • Alert query – A query that describes the activity that you want Macie Classic to generate an alert about. For example, s3_world_readability:"true". This query looks for an S3 bucket policy or S3 ACL policy on an S3 bucket that grants read access to any user. For more information about constructing queries, see Constructing Queries in Macie Classic.

        Note

        You can use the looking glass icon next to an existing alert to navigate to the Research tab. This alert's query automatically appears in the Query Parser, and the results of this query appear in the Research tab.

      • Query index – The repository of data against which Macie Classic will run the query specified in this alert. You can select one of CloudTrail data, S3 buckets, or S3 objects. Depending on your selection, the alert will contain a list of CloudTrail user sessions (5-minute aggregates of raw CloudTrail data), S3 buckets, or S3 objects that match the activity that your alert defines.

      • A minimum number of activity matches that must occur before an alert is generated.

      • Alert severity – For more information, see Severity Levels for Alerts in Macie Classic.

      • Users or buckets, depending on the selected alert index, that are explicitly allowed to perform the activity that the alert defines. If you explicitly allow a user or a bucket, Macie Classic doesn't generate an alert for this user or bucket when they're involved in the activity that the alert defines.

        Important

        In Macie Classic, each alert is based on one of the following:

        • For the alerts with the index of CloudTrail data, only one user: the IAM identity whose activity prompted Macie Classic to generate the alert.

        • For the alerts with the index of S3 bucket properties or S3 objects, only one S3 bucket that was involved in or that contains objects that were involved in the activity that prompted Macie Classic to generate the alert.

        When you explicitly allow a user in a basic alert with the index of CloudTrail data, you must use a special Macie Classic format called macieUniqueId. Examples include 123456789012:root, 123456789012:user/Bob, and 123456789012:assumed-role/Accounting-Role/Mary, depending on the identity type of the user. For more information, see the definition of user in Analyzing Amazon Macie Classic–Monitored Data by User Activity.

      • Specify whether this alert is enabled or disabled.
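The following Python model is an added illustration, not code from the Macie Classic documentation or service; it shows how the parts of a custom basic alert definition described above fit together: a field:"value" query run against an index, a minimum number of matches, an allowed users/buckets list that suppresses results, and one alert per user (CloudTrail data) or per bucket (S3 indexes). Only the alert title and the s3_world_readability:"true" query come from the guide; the BasicAlert class, the evaluate function, the sample bucket records and the simple query grammar are constructed assumptions, since the service's real parser and aggregation are not documented here.

```python
"""Model of a Macie Classic custom basic alert and its evaluation (constructed
illustration, not Macie Classic code). It follows the guide's semantics: a
field:"value" query run against an index, a minimum number of matches, allowed
users/buckets that never alert, and one alert per user or per bucket."""
from collections import defaultdict
from dataclasses import dataclass, field

@dataclass
class BasicAlert:
    title: str
    query: str                 # one field:"value" term, as in the guide
    index: str                 # "CloudTrail data", "S3 buckets" or "S3 objects"
    min_matches: int = 1       # minimum number of activity matches
    severity: str = "Medium"
    allowed: set = field(default_factory=set)  # macieUniqueIds or bucket names
    enabled: bool = True

def parse_query(query):
    """Split field:"value" into (field, value); anything else is rejected."""
    name, sep, value = query.partition(":")
    if not sep or not name.strip() or not value.strip():
        raise ValueError(f"unsupported query: {query!r}")
    return name.strip(), value.strip().strip('"')

def subject_of(record, index):
    """The single user or bucket an alert is based on, per the guide."""
    return record["user"] if index == "CloudTrail data" else record["bucket"]

def evaluate(alert, records):
    """Return {subject: match_count} for every subject that trips the alert."""
    if not alert.enabled:
        return {}
    name, value = parse_query(alert.query)
    counts = defaultdict(int)
    for rec in records:
        subject = subject_of(rec, alert.index)
        if subject in alert.allowed:
            continue                       # explicitly allowed: no alert
        if str(rec.get(name, "")).lower() == value.lower():
            counts[subject] += 1
    return {s: n for s, n in counts.items() if n >= alert.min_matches}

# Constructed sample records from the "S3 buckets" index.
SAMPLE_BUCKETS = [
    {"bucket": "public-website-assets", "s3_world_readability": "true"},
    {"bucket": "finance-reports", "s3_world_readability": "true"},
    {"bucket": "app-logs", "s3_world_readability": "false"},
]

WORLD_READABLE = BasicAlert(
    title="An S3 bucket has an S3 bucket policy or S3 ACL that grants "
          "read rights to everyone.",
    query='s3_world_readability:"true"',
    index="S3 buckets",
    severity="High",
    allowed={"public-website-assets"},     # intentionally public, so suppressed
)

if __name__ == "__main__":
    for bucket, n in evaluate(WORLD_READABLE, SAMPLE_BUCKETS).items():
        print(f"[{WORLD_READABLE.severity}] {bucket}: {n} result(s)")
```

Raising min_matches or adding a bucket to allowed shows directly which results would no longer produce an alert.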

Working with Existing Alerts

You can use the following procedure to archive or unarchive alerts or to edit the existing basic alerts.

  1. In the Macie Classic console, navigate to the Alerts page and locate the alert that you want to archive, unarchive (if it's an archived alert), or edit.

  2. Choose the down arrow in the alert summary pane and then choose either of the following:

    • Archive

      Note

      Or Unarchive if this is an archived alert.

    • Edit basic alert

      Important

      This option isn't available for predictive alerts. You can't edit predictive alerts, which Macie Classic automatically generates based on activity in your AWS infrastructure that deviates from the established normal activity baseline. For more information, see Basic and Predictive Macie Classic Alerts.

Group Archiving Alerts

You can use the following procedure to group archive alerts.

  1. In the Macie Classic console's Alerts page, choose Group Archive.

  2. In the Group archive window, use the available settings to archive or unarchive multiple alerts at the same time.

Explicitly Allowing Users or Buckets for Basic Alerts

You can explicitly allow users (if the alert's index is CloudTrail data) and buckets (if the alert's index is S3 bucket properties or S3 objects) for alerts managed by Macie Classic and custom basic alerts. (You cannot do this for predictive alerts.)

Use the following procedure to explicitly allow a specific user or a specific bucket that engaged in or was involved in the activity that prompted Macie Classic to generate a specific alert.

Important

In Macie Classic, each alert is based on one of the following:

  • For the alerts with the index of CloudTrail data, only one user: the IAM identity whose activity prompted Macie Classic to generate the alert.

  • For the alerts with the index of S3 bucket properties or S3 objects, only one S3 bucket that was involved in or that contains objects that were involved in the activity that prompted Macie Classic to generate the alert.

To explicitly allow users or S3 buckets for custom basic alerts using the Alerts tab

  1. In the Macie Classic console's Alerts tab, locate the custom basic alert for which you want to explicitly allow a user or S3 bucket listed in the alert's summary.

  2. Choose the down arrow in the alert summary pane and then choose Allow user (if this alert's index is CloudTrail data) or Allow bucket (if the alert's index is S3 bucket properties or S3 objects).

  3. In the window that appears, verify the user or bucket that you want to allow (automatically preselected and matching the user or bucket listed in the alert's summary) and then choose Submit.

You can use the following procedure to explicitly allow multiple users or buckets at the same time for custom basic alerts.

To explicitly allow users or S3 buckets for custom basic alerts using the Settings tab

  1. In the Macie Classic console's Settings tab, choose Basic alerts and then locate the custom basic alert for which you want to explicitly allow users or S3 buckets.

  2. Choose the edit icon next to the alert.

  3. Specify the users or S3 buckets that you want to allow in either the Allowed users (if this alert's index is CloudTrail data) or Allowed buckets (if the alert's index is S3 bucket properties or S3 objects) field and choose Save.

    Note

    When you explicitly allow a user in a basic alert with the index of CloudTrail data, you must use a special Macie Classic format called macieUniqueId. Examples include 123456789012:root, 123456789012:user/Bob, and 123456789012:assumed-role/Accounting-Role/Mary, depending on the identity type of the user. For more information, see the definition of the user concept in Analyzing Amazon Macie Classic–Monitored Data by User Activity.

Explicitly allow users or S3 buckets for Macie Classic-managed basic alerts

  1. In the Macie Classic console's Alerts tab, locate the Macie Classic–managed basic alert for which you want to explicitly allow users or S3 buckets.

  2. Choose the down arrow in the alert summary pane and then choose Allow user (if the alert's index is CloudTrail data) or Allow bucket (if the alert's index is S3 bucket properties or S3 objects).

  3. In the window that appears, select the Clone and disable the default managed alert check box and choose Submit.

  4. Navigate to the Macie Classic console's Settings tab.

    The original managed alert that you worked with in the previous step is now disabled. This alert has also been cloned into a new custom basic alert. For example, if your original managed basic alert was called "An S3 bucket has an S3 bucket policy or S3 ACL that grants read rights to everyone," this alert is now disabled, and a custom basic alert called "An S3 bucket has an S3 bucket policy or S3 ACL that grants read rights to everyone (modified)" is created (cloned).

  5. Choose the edit icon next to the cloned custom basic alert.

  6. Specify the users or S3 buckets that you want to explicitly allow in either the Allowed users (if this alert's index is CloudTrail data) or Allowed buckets (if the alert's index is S3 bucket properties or S3 objects) field and choose Save.

    Note

    When you explicitly allow a user in a basic alert with the index of CloudTrail data, you must use a special Macie Classic format called macieUniqueId. Examples include 123456789012:root, 123456789012:user/Bob, and 123456789012:assumed-role/Accounting-Role/Mary, depending on the identity type of the user. For more information, see the definition of user in Analyzing Amazon Macie Classic–Monitored Data by User Activity.
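As an added example (not code from the guide or from AWS), this Python helper derives a macieUniqueId for an Allowed users entry from a CloudTrail userIdentity ARN and validates the format before it is saved, serving both this note and the earlier one in Adding New and Editing Existing Custom Basic Alerts. It assumes, based only on the three example values the guide gives, that a macieUniqueId is the 12-digit account ID followed by the resource part of the IAM or STS principal ARN; the sample ARNs are constructed.

```python
"""Derive and validate macieUniqueId values for an alert's Allowed users list.

Added illustration, not Macie Classic code. The guide lists three forms
(account:root, account:user/Name, account:assumed-role/Role/Session); this
helper assumes they are the 12-digit account ID plus the resource part of the
principal's IAM or STS ARN as recorded in CloudTrail's userIdentity.arn.
"""
import re

# arn:partition:service:region:account:resource (region is empty for IAM/STS)
_PRINCIPAL_ARN = re.compile(r"^arn:[^:]+:(?:iam|sts)::(\d{12}):(.+)$")

# Only the identity forms the guide shows; others raise instead of guessing.
_RESOURCE = re.compile(r"^(?:root|user/\S+|assumed-role/[^/\s]+/[^/\s]+)$")


def macie_unique_id(arn):
    """Return '<account>:<resource>' for a root, IAM user or assumed-role ARN."""
    m = _PRINCIPAL_ARN.match(arn)
    if not m:
        raise ValueError(f"not an IAM/STS principal ARN: {arn!r}")
    account, resource = m.groups()
    if not _RESOURCE.match(resource):
        raise ValueError(f"unsupported identity type in {arn!r}")
    return f"{account}:{resource}"


def is_valid_macie_unique_id(value):
    """Check an Allowed users entry before saving it in the alert definition."""
    account, sep, resource = value.partition(":")
    return (bool(sep) and len(account) == 12 and account.isdigit()
            and _RESOURCE.match(resource) is not None)


# Constructed sample CloudTrail userIdentity ARNs (account ID is fictitious).
SAMPLE_ARNS = [
    "arn:aws:iam::123456789012:root",
    "arn:aws:iam::123456789012:user/Bob",
    "arn:aws:sts::123456789012:assumed-role/Accounting-Role/Mary",
]

if __name__ == "__main__":
    for arn in SAMPLE_ARNS:
        print(f"{arn} -> {macie_unique_id(arn)}")
```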