Amazon Macie
User Guide

Amazon Macie Alerts

An alert is a notification about a potential security issue discovered by Amazon Macie. This section describes the following information:

Basic and Predictive Macie Alerts

Macie generates two types of alerts:

  • Basic alerts – Alerts generated by the security checks that Macie performs. There are two types of basic alerts in Macie:

    • Managed (curated by Macie) basic alerts that you can't modify. You can enable or disable the existing managed basic alerts.

      Note

      You can identify managed basic alerts by the value of MacieDefault in the Created by field in the Basic alerts list in the Settings tab.

    • Custom basic alerts that you can create and modify to your exact specifications. For more information, see Adding New and Editing Existing Custom Basic Alerts.

  • Predictive alerts – Automatic alerts based on activity in your AWS infrastructure that deviates from the established normal activity baseline. More specifically, Macie continuously monitors activity in your AWS infrastructure and builds a model of the normal behavior. Then it looks for deviations from that normal baseline, and when it detects such activity, it generates automatic predictive alerts. For example, a user uploading or downloading a large number of S3 objects in a day might trigger an alert if that user typically downloads one or two S3 objects in a week.

Alert Categories in Macie

Macie's basic alerts (managed and custom) can be of the following categories:

  • Configuration compliance – Related to compliance-controlled content, policy, configuration settings, control and data plane logging, and patch level.

  • Data compliance – Related to the discovery of compliance or security-controlled content, such as the existence of Personally Identifiable Information (PII), or access credentials.

  • File hosting – Related to you hosting possible malware, unsafe software, or attackers' command and control infrastructure through compromised hosts or storage services.

  • Service disruption – Configuration changes that can lead to you being unable to access resources in your own environment.

  • Ransomware – Potentially malicious software or activity designed to block your access to your own computer system until a sum of money is paid.

  • Suspicious access – Access to your resources from a risky anomalous IP address, user, or system, such as an attacker masquerading their connection through a compromised host.

  • Identity enumeration – A series of API calls or accesses enumerating access levels to your systems that can possibly indicate the early stages of an attack or compromised credentials.

  • Privilege escalation – Successful or unsuccessful attempts to gain elevated access to resources that are normally protected from an application or user, or attempts to gain access to your system or network for an extended period of time.

  • Anonymous access – Attempted access to your resources from an IP address, user, or service with the intent to hide a user's true identity. Examples include the use of proxy servers, virtual private networks, and other anonymity services such as Tor.

  • Open permissions – Identification of sensitive resources protected by potentially overly permissive (and thus risky) access control mechanisms.

  • Location anomaly – An anomalous and risky location of the access attempt to your sensitive data.

  • Information loss – An anomalous and risky access to your sensitive data.

  • Credentials loss – Possible compromise of your credentials.

To view a list of your existing alerts of a particular category, choose that category from the Categories list on the Macie console's Alerts tab.

Severity Levels for Alerts in Macie

Each Macie alert has an assigned severity level. This reduces the effort of prioritizing one alert over another in your analyses. It can also help you determine your response when an alert highlights a potential problem. Critical, High, Medium, and Low levels indicate a security issue that can result in compromised information confidentiality, integrity, and availability in your infrastructure. The Informational level highlights a security configuration detail of your infrastructure that Macie monitors. The following are recommended ways to respond to each level:

  • Critical – Describes a security issue that can result in a compromise of the information confidentiality, integrity, and availability in your infrastructure. We recommend that you treat this security issue as an emergency and implement an immediate remediation. The main difference between a Critical and High severity is that a Critical severity alert might be informing you of a security compromise of a large number of your resources or systems. A High severity alert is informing you of a security compromise of one or several of your resources or systems.

  • High – Describes a security issue that can result in a compromise of the information confidentiality, integrity, and availability in your infrastructure. We recommend that you treat this security issue as an emergency and implement an immediate remediation.

  • Medium – Describes a security issue that can result in a compromise of the information confidentiality, integrity, and availability in your infrastructure. We recommend that you fix this issue at the next possible opportunity, for example, during your next service update.

  • Low – Describes a security issue that can result in a compromise of the information confidentiality, integrity, and availability in your infrastructure. We recommend that you fix this issue as part of one of your future service updates.

  • Informational – Describes a particular security configuration detail of your infrastructure. Based on your business and organization goals, you can either note this information or use it to improve the security of your systems and resources.

Locating and Analyzing Macie Alerts

You can use the following procedure to locate and analyze existing alerts.

  1. To view your generated alerts (including Active and Archived basic or predictive alerts), in the Macie console, navigate to the Alerts page.

    Each alert has a summary section that contains the following information:

    • Alert severity, which can be Critical, High, Medium, Low, or Informational. For more information, see Severity Levels for Alerts in Macie.

    • A timestamp that indicates when the alert was generated or last updated.

    • The alert category. For more information, see Alert Categories in Macie.

    • One of the following:

      • If the alert's index is CloudTrail data, a user that engaged in the activity that prompted Macie to generate the alert. For more information, see the definition of user in the context of Macie in Concepts and Terminology.

      • If the alert's index is S3 bucket properties or S3 objects, a bucket name that was involved in or that contains the objects that were involved in the activity that prompted Macie to generate the alert.

      Important

      In Macie, each alert is based on one of the following:

      • For the alerts with the index of CloudTrail data, only one user: the IAM identity whose activity prompted Macie to generate the alert.

      • For the alerts with the index of S3 bucket properties or S3 objects, only one S3 bucket that was involved in or that contains objects that were involved in the activity that prompted Macie to generate the alert.

    • The number of comments that were left on the alert.

    • The total number of results, which can consist of a list of user sessions, or a list of S3 buckets, or a list of S3 objects that match the query that is included in the definition of the alert. For more information, see Adding New and Editing Existing Custom Basic Alerts.

    • The number of views on the alert.

    • The AWS Region where the activity captured in this alert took place.

  2. To analyze any alert further, choose the alert to expand its details pane. The following information is included in the alert details:

    • The alert summary that includes the description and the total number of results: a number of user sessions, S3 buckets, or S3 objects that match the query that is included in the definition of the alert.

    • A list of the alert results. This is a list of user sessions, S3 buckets, or S3 objects, depending on the index that is specified in the definition for this alert. For more information, see Adding New and Editing Existing Custom Basic Alerts.

      • If you specified CloudTrail data as the index, the alert details contain a list of user sessions that match the query specified in the alert definition for a particular user.

      • If you specified S3 buckets as the index, the alert details contain a list of S3 buckets that match the query specified in the alert definition for a particular user.

      • If you specified S3 objects as the index, the alert details contain a list of S3 objects that match the query specified in the alert definition for a particular user.

      You can choose each result to examine it and view all its fields. For more information, see the Researching AWS Data, Researching S3 Bucket Properties Data, or Researching S3 Objects Data sections in Researching Through Data Monitored by Amazon Macie.

      You can also use the Research looking glass icon to navigate to the Research tab and view the results of a particular alert there. The query parser in the Research tab is then prepopulated with the query that can be used to generate these results.

Adding New and Editing Existing Custom Basic Alerts

You can use the following procedure to add new and edit existing custom basic alerts.

  1. In the Macie console, navigate to the Settings page and choose the icon for Basic alerts.

  2. On the Basic alerts page, either choose the edit icon for the alert that you want to modify or, to add a basic alert, choose Add new.

  3. Do one of the following:

    • If you're editing the existing alert, make your changes, including enabling or disabling the alert, and then choose Save.

    • If you're adding a new alert, on the Basic alert definition page, specify the following:

      • Alert title – For example, "An S3 bucket has an S3 bucket policy or S3 ACL that grants read rights to everyone."

      • Description for the alert – For example, "An S3 bucket policy or S3 ACL on an S3 bucket contains a clause that effectively grants read access to any user. We recommend that you audit this S3 bucket and its data and confirm that this is intentional."

      • Alert category – For more information, see Alert Categories in Macie.

      • Alert query – A query that describes the activity that you want Macie to generate an alert about. For example, s3_world_readability:"true". This query looks for an S3 bucket policy or S3 ACL policy on an S3 bucket that grants read access to any user. For more information about constructing queries, see Constructing Queries in Macie.

        Note

        You can use the looking glass icon next to an existing alert to navigate to the Research tab. This alert's query automatically appears in the Query Parser, and the results of this query appear in the Research tab.

      • Query index – The repository of data against which Macie will run the query specified in this alert. You can select either CloudTrail data, S3 buckets, or S3 objects. Depending on your selection, the alert will contain a list of CloudTrail user sessions (5-minute aggregates of raw CloudTrail data), S3 buckets, or S3 objects that match the activity that your alert defines.

      • A minimum number of activity matches that must occur before an alert is generated.

      • Alert severity – For more information, see Severity Levels for Alerts in Macie.

      • Whitelisted users or whitelisted buckets, depending on the selected alert index. If you whitelist a user or a bucket, Macie doesn't generate an alert for this user or bucket when they're involved in the activity that the alert defines.

        Important

        In Macie, each alert is based on one of the following:

        • For the alerts with the index of CloudTrail data, only one user: the IAM identity whose activity prompted Macie to generate the alert.

        • For the alerts with the index of S3 bucket properties or S3 objects, only one S3 bucket that was involved in or that contains objects that were involved in the activity that prompted Macie to generate the alert.

        When whitelisting a user in a basic alert with the index of CloudTrail data, you must use a special Macie format called macieUniqueId. Examples include 123456789012:root, 123456789012:user/Bob, and 123456789012:assumed-role/Accounting-Role/Mary, depending on the identity type of the user that you want to whitelist. For more information, see the definition of user in Analyzing Amazon Macie–Monitored Data by User Activity.

      • Specify whether this alert is enabled or disabled.

Working with Existing Alerts

You can use the following procedure to archive or unarchive alerts or to edit existing basic alerts.

  1. In the Macie console, navigate to the Alerts page and locate the alert that you want to archive, unarchive (if it's an archived alert), or edit.

  2. Choose the down arrow in the alert summary pane and then choose either of the following:

    • Archive

      Note

      Or Unarchive if this is an archived alert.

    • Edit basic alert

      Important

      This option isn't available for predictive alerts. You can't edit predictive alerts, which Macie automatically generates based on activity in your AWS infrastructure that deviates from the established normal activity baseline. For more information, see Basic and Predictive Macie Alerts.

Group Archiving Alerts

You can use the following procedure to group archive alerts.

  1. In the Macie console's Alerts page, choose Group Archive.

  2. In the Group archive window, use the available settings to archive or unarchive multiple alerts at the same time.

Whitelisting Users or Buckets for Basic Alerts

Macie allows you to whitelist users (if the alert's index is CloudTrail data) and buckets (if the alert's index is S3 bucket properties or S3 objects) for both alerts managed by Macie and custom basic alerts.

Note

Macie doesn't allow you to whitelist users or buckets for predictive alerts.

You can use the following procedure to whitelist a specific user or a specific bucket that engaged in or was involved in the activity that prompted Macie to generate a specific alert.

Important

In Macie, each alert is based on one of the following:

  • For the alerts with the index of CloudTrail data, only one user: the IAM identity whose activity prompted Macie to generate the alert.

  • For the alerts with the index of S3 bucket properties or S3 objects, only one S3 bucket that was involved in or that contains objects that were involved in the activity that prompted Macie to generate the alert.

To whitelist users or S3 buckets for custom basic alerts using the Alerts tab

  1. In the Macie console's Alerts tab, locate the custom basic alert for which you want to whitelist a user or S3 bucket listed in the alert's summary.

  2. Choose the down arrow in the alert summary pane and then choose Whitelist user (if this alert's index is CloudTrail data) or Whitelist bucket (if the alert's index is S3 bucket properties or S3 objects).

  3. In the Whitelist user (or Whitelist bucket) window, verify the user or bucket that you want to whitelist (automatically preselected and matching the user or bucket listed in the alert's summary) and then choose Submit.

You can use the following procedure to whitelist multiple users or buckets at the same time for custom basic alerts.

To whitelist users or S3 buckets for custom basic alerts using the Settings tab

  1. In the Macie console's Settings tab, choose Basic alerts and then locate the custom basic alert for which you want to whitelist users or S3 buckets.

  2. Choose the edit icon next to the alert.

  3. Specify users or S3 buckets that you want to whitelist in either Whitelisted users (if this alert's index is CloudTrail data) or Whitelisted buckets (if the alert's index is S3 bucket properties or S3 objects) fields and choose Save.

    Note

    When whitelisting a user in a basic alert with the index of CloudTrail data, you must use a special Macie format called macieUniqueId. Examples include 123456789012:root, 123456789012:user/Bob, and 123456789012:assumed-role/Accounting-Role/Mary, depending on the identity type of the user that you want to whitelist. For more information, see the definition of the user concept in Analyzing Amazon Macie–Monitored Data by User Activity.

Whitelist users or S3 buckets for Macie-managed basic alerts

  1. In the Macie console's Alerts tab, locate the basic alert managed by Macie that you want to whitelist users or S3 buckets for.

  2. Choose the down arrow in the alert summary pane and then choose Whitelist user (if this alert's index is CloudTrail data) or Whitelist bucket (if the alert's index is S3 bucket properties or S3 objects).

  3. In the Whitelist user or Whitelist bucket window, select the Clone and disable the default managed alert check box and choose Submit.

  4. Navigate to the Macie console's Settings tab.

    The original managed alert that you worked with in the previous step is now disabled. This alert has also been cloned into a new custom basic alert. For example, if your original managed basic alert was called "An S3 bucket has an S3 bucket policy or S3 ACL that grants read rights to everyone," this alert is now disabled, and a custom basic alert called "An S3 bucket has an S3 bucket policy or S3 ACL that grants read rights to everyone (modified)" is created (cloned).

  5. Choose the edit icon next to the cloned custom basic alert.

  6. Specify users or S3 buckets that you want to whitelist in either Whitelisted users (if this alert's index is CloudTrail data) or Whitelisted buckets (if the alert's index is S3 bucket properties or S3 objects) fields and choose Save.

    Note

    When whitelisting a user in a basic alert with the index of CloudTrail data, you must use a special Macie format called macieUniqueId. Examples include 123456789012:root, 123456789012:user/Bob, and 123456789012:assumed-role/Accounting-Role/Mary, depending on the identity type of the user that you want to whitelist. For more information, see the definition of user in Analyzing Amazon Macie–Monitored Data by User Activity.
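The macieUniqueId format appears in this note, in the earlier note under Adding New and Editing Existing Custom Basic Alerts, and in the custom-alert procedure above. The following added example (not code from Amazon Macie or the AWS documentation) validates whitelist entries against the three shapes the guide shows and derives an entry from a CloudTrail userIdentity record. The mapping from CloudTrail identity types (Root, IAMUser, AssumedRole) onto those shapes is an assumption, as is the sample userIdentity data, which is constructed here.

```python
import re

# The three macieUniqueId shapes shown in the guide:
#   123456789012:root
#   123456789012:user/Bob
#   123456789012:assumed-role/Accounting-Role/Mary
MACIE_UNIQUE_ID_RE = re.compile(
    r"^(?P<account>\d{12}):"
    r"(?:root|user/[\w+=,.@-]+|assumed-role/[\w+=,.@-]+/[\w+=,.@-]+)$"
)


def is_valid_macie_unique_id(value: str) -> bool:
    """True if value matches one of the documented macieUniqueId shapes."""
    return MACIE_UNIQUE_ID_RE.match(value) is not None


def invalid_whitelist_entries(entries):
    """Return the entries that Macie's format would not accept, so a
    whitelist can be checked before it is pasted into the console."""
    return [e for e in entries if not is_valid_macie_unique_id(e)]


def macie_unique_id_from_user_identity(user_identity: dict) -> str:
    """Derive a whitelist entry from a CloudTrail userIdentity block.
    Assumption (not stated in the guide): Root, IAMUser and AssumedRole
    identity types map onto the root, user/ and assumed-role/ shapes."""
    account = user_identity["accountId"]
    itype = user_identity["type"]
    if itype == "Root":
        return f"{account}:root"
    if itype == "IAMUser":
        return f"{account}:user/{user_identity['userName']}"
    if itype == "AssumedRole":
        # STS ARN: arn:aws:sts::123456789012:assumed-role/RoleName/SessionName
        resource = user_identity["arn"].split(":", 5)[5]
        role_name, session_name = resource.split("/", 2)[1:3]
        return f"{account}:assumed-role/{role_name}/{session_name}"
    raise ValueError(f"unsupported userIdentity type: {itype}")


def is_whitelisted(user_identity: dict, whitelist) -> bool:
    """True if the identity behind an alert result is on the whitelist."""
    return macie_unique_id_from_user_identity(user_identity) in set(whitelist)


# Constructed sample data (not from a real account).
SAMPLE_ASSUMED_ROLE = {
    "type": "AssumedRole",
    "accountId": "123456789012",
    "arn": "arn:aws:sts::123456789012:assumed-role/Accounting-Role/Mary",
}
SAMPLE_WHITELIST = ["123456789012:user/Bob",
                    "123456789012:assumed-role/Accounting-Role/Mary"]
```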