Amazon Macie
User Guide

Researching S3 Bucket Properties Data

Analyzing S3 Buckets Properties Search Results

The following section describes the elements of the search results that get displayed when you use the Research tab to investigate your Macie-monitored S3 bucket properties data.

Complete the following steps in the Research tab:

  1. Select S3 bucket properties in the first filter pull-down list.

  2. For this sample procedure, select Top 10 in the second filter pull-down list.

  3. For this sample procedure, select Past 90 days in the third filter pull-down list.

  4. Choose the button with the looking glass icon to start the search.

Your search results contain the following elements:

  • The total number of results that matched your S3 bucket properties data search for the selected time range.

  • The graphical representation of the S3 bucket properties data search results for the selected time range.

    Note

    If your data set is very large and you specify a very wide time range, your data might not render properly and this graph might not be displayed as one of the resulting elements of your search.

    Important

    You can use the graph to further narrow your search and generate and run a query that will produce a subset of the results generated by your original selections in the steps above. Double-click any of the graph's results and your selection is translated into a new query that's automatically displayed in the Query Parser, and the Research tab is refreshed with the results of this new query.

  • Search results summary - this is a list of the most significant fields from your search. The first line includes the top (or bottom) 3 values for each field. The second line includes the top (or bottom) 10 values for each field.

    Important

    You can use the fields in the search results summary to further narrow your search and generate and run a query that will produce a subset of the results generated by your original selections in the steps above. Choose the first or the second line of results for any field, and in the expanded results breakdown, choose the looking glass icon next to any of the results. Your choices are then translated into a new query that's automatically displayed in the Query Parser, and the Research tab is refreshed with the results of this new query.

  • A list of S3 buckets that match your search criteria. You can choose any bucket to expand it and view its details.

S3 Bucket Properties Data Fields and Sample Queries

The following tables include the fields that can appear in the results of your S3 bucket metadata searches.

  • The first table includes the fields that Macie extracts from the Amazon S3 bucket API metadata. For example, acl.Grants.Grantee.DisplayName in Macie corresponds to Grants.Grantee.DisplayName in the S3 Get Bucket acl API response.

  • The second table includes the fields that are generated by Macie to provide further security intelligence and context based on the examined S3 bucket metadata. For example, s3_world_readability describes a true/false/unknown state condition of whether an S3 bucket is readable by everyone, determined by evaluating its S3 ACL and bucket (IAM) policy.

S3 Bucket Properties Data Fields Extracted by Macie

Each entry below gives the Macie field name, followed by the Amazon S3 API field name, the Amazon S3 API operation that returns it, the Macie field type, a description, and one or more example search queries.

acl.Grants.Grantee.DisplayName
  Amazon S3 API field name: Grants.Grantee.DisplayName
  Amazon S3 API operation: get-bucket-acl
  Macie field type: string
  Description: The display name of the S3 bucket ACL grantee.
  Example search query: Search for S3 buckets accessible by John Doe:
    • acl.Grants.Grantee.DisplayName:"JohnDoe"

acl.Grants.Grantee.ID
  Amazon S3 API field name: Grants.Grantee.ID
  Amazon S3 API operation: get-bucket-acl
  Macie field type: string
  Description: The ID of the identity that was granted access to the S3 bucket by the bucket owner.
  Example search query: Search for an S3 bucket's grantee with a particular canonical ID:
    • acl.Grants.Grantee.ID:"75bee88dfe7bf9b7243aea123934be3e55d777d8412b4aa1703284e2bb29371b"

acl.Grants.Grantee.Type
  Amazon S3 API field name: Grants.Grantee.Type
  Amazon S3 API operation: get-bucket-acl
  Macie field type: string
  Description: The user type of the S3 bucket ACL grantee.
  Example search queries:
    • Search for all S3 buckets that are granted to Users:
      • acl.Grants.Grantee.Type:CanonicalUser
    • Search for all S3 buckets that are granted to Groups:
      • acl.Grants.Grantee.Type:Group

acl.Grants.Grantee.URI
  Amazon S3 API field name: Grants.Grantee.URI
  Amazon S3 API operation: get-bucket-acl
  Macie field type: string
  Description: The URI identifier of the S3 bucket ACL grantee.
  Example search queries:
    • Search for all S3 buckets except those that belong to the LogDelivery group:
      • NOT acl.Grants.Grantee.URI:"http://acs.amazonaws.com/groups/s3/LogDelivery"
    • Search for all S3 buckets that have global share permissions:
      • acl.Grants.Grantee.URI:"http://acs.amazonaws.com/groups/global/AllUsers"
    • Search for all S3 buckets that allow access to (any) AWS authenticated users:
      • acl.Grants.Grantee.URI:"http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

acl.Grants.Permission
  Amazon S3 API field name: Grants.Permission
  Amazon S3 API operation: get-bucket-acl
  Macie field type: string
  Description: The permission level assigned to the ACL grantee.
  Example search query: Search for S3 buckets that grant full (read/write) access to anyone:
    • acl.Grants.Grantee.URI:"http://acs.amazonaws.com/groups/global/AllUsers" AND acl.Grants.Permission:"FULL_CONTROL"

acl.Owner.DisplayName
  Amazon S3 API field name: Owner.DisplayName
  Amazon S3 API operation: get-bucket-acl
  Macie field type: string
  Description: The display name of the S3 bucket owner.
  Example search query: Search for S3 buckets owned by John Doe:
    • acl.Owner.DisplayName:"JohnDoe"

acl.Owner.ID
  Amazon S3 API field name: Owner.ID
  Amazon S3 API operation: get-bucket-acl
  Macie field type: string
  Description: The ID of the S3 bucket owner.
  Example search query: Search for a particular S3 bucket owner ID:
    • acl.Owner.ID:"73bee78dfe7b89b7243aea1c6934baae55d777d8412b4fd1703284e2bb29371f"

location.LocationConstraint
  Amazon S3 API field name: LocationConstraint
  Amazon S3 API operation: get-bucket-location
  Macie field type: string
  Description: The AWS region where the S3 bucket resides.

  Note

  By default, buckets in the us-east-1 region have no region returned from the S3 API call. To facilitate searching, Macie automatically populates these with the string “us-east-1”.

  Example search queries:
    • Search for buckets hosted in the us-west-2 region:
      • location.LocationConstraint:"us-west-2"
    • Search for buckets hosted in the us-east-1 region:
      • location.LocationConstraint:"us-east-1"

logging.LoggingEnabled.TargetBucket
  Amazon S3 API field name: LoggingEnabled.TargetBucket
  Amazon S3 API operation: get-bucket-logging
  Macie field type: string
  Description: Specifies the bucket whose logging status is being returned.
  Example search query: Search for all buckets with S3 object level logging enabled:
    • logging.LoggingEnabled.TargetBucket:*

logging.LoggingEnabled.TargetPrefix
  Amazon S3 API field name: LoggingEnabled.TargetPrefix
  Amazon S3 API operation: get-bucket-logging
  Macie field type: string
  Description: The configured prefix or folder containing Object Level Logging data for a particular S3 bucket.
  Example search query: Search for buckets configured with a prefix substring of "Production":
    • logging.LoggingEnabled.TargetPrefix:"Production"

policy.Policy.Id
  Amazon S3 API field name: Policy.Id
  Amazon S3 API operation: get-bucket-policy
  Macie field type: string
  Description: The ID for an S3 bucket policy.
  Example search query: Search for bucket policies with a particular ID:
    • policy.Policy.Id:"aaaa-bbbb-cccc-dddd"

policy.Policy.Statement.Action
  Amazon S3 API field name: Policy.Statement.Action
  Amazon S3 API operation: get-bucket-policy
  Macie field type: string
  Description: The list of actions (API requests) associated with an S3 bucket policy.
  Example search query: Search for bucket policies with "put" substring actions (for example, PutObject, PutBucketPolicy, etc.):
    • policy.Policy.Statement.Action:/s3:Put.*/

policy.Policy.Statement.Effect
  Amazon S3 API field name: Policy.Statement.Effect
  Amazon S3 API operation: get-bucket-policy
  Macie field type: string
  Description: The list of policy effects associated with an S3 bucket policy.
  Example search query: Search for bucket policies with explicit "allow" grants:
    • policy.Policy.Statement.Effect:"Allow"

policy.Policy.Statement.NotPrincipal.AWS
  Amazon S3 API field name: Policy.Statement.NotPrincipal.AWS
  Amazon S3 API operation: get-bucket-policy
  Macie field type: string
  Description: The principal exception to which the policy rule is applied.
  Example search query: Search for bucket policies with a particular account specified in the NotPrincipal section:
    • policy.Policy.Statement.NotPrincipal.AWS:"arn:aws:iam::AWS-account-ID:role/role-name"

policy.Policy.Statement.NotPrincipal.CanonicalUser
  Amazon S3 API field name: Policy.Statement.NotPrincipal.CanonicalUser
  Amazon S3 API operation: get-bucket-policy
  Macie field type: string
  Description: The CanonicalUser stated in the NotPrincipal expression of the policy.
  Example search query: Search for bucket policies with a particular CanonicalUser specified in the NotPrincipal section:
    • policy.Policy.Statement.NotPrincipal.CanonicalUser:"79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be"

policy.Policy.Statement.NotPrincipal.Federated
  Amazon S3 API field name: Policy.Statement.NotPrincipal.Federated
  Amazon S3 API operation: get-bucket-policy
  Macie field type: string
  Description: The Federated identity stated in the NotPrincipal expression of the policy.
  Example search query: Search for bucket policies with a particular Federated user specified in the NotPrincipal section:
    • policy.Policy.Statement.NotPrincipal.Federated:"arn:aws:iam::AWS-account-ID:saml-provider/provider-name"

policy.Policy.Statement.NotPrincipal.Service
  Amazon S3 API field name: Policy.Statement.NotPrincipal.Service
  Amazon S3 API operation: get-bucket-policy
  Macie field type: string
  Description: The Service stated in the NotPrincipal expression of the policy.
  Example search query: Search for bucket policies with a particular Service specified in the NotPrincipal section:
    • policy.Policy.Statement.NotPrincipal.Service:"elasticmapreduce.amazonaws.com"

policy.Policy.Statement.Principal.AWS
  Amazon S3 API field name: Policy.Statement.Principal.AWS
  Amazon S3 API operation: get-bucket-policy
  Macie field type: string
  Description: The principal specified in the AWS expression.
  Example search query: Search for bucket policies with explicit allow grants to any AWS resource:
    • policy.Policy.Statement.Effect:Allow AND policy.Policy.Statement.Principal.AWS:\"*\"

policy.Policy.Statement.Principal.CanonicalUser
  Amazon S3 API field name: Policy.Statement.Principal.CanonicalUser
  Amazon S3 API operation: get-bucket-policy
  Macie field type: string
  Description: The CanonicalUser stated in the principal expression of the policy.
  Example search query: Search for bucket policies with a particular CanonicalUser specified in the Principal section:
    • policy.Policy.Statement.Principal.CanonicalUser:"79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be"

policy.Policy.Statement.Principal.Federated
  Amazon S3 API field name: Policy.Statement.Principal.Federated
  Amazon S3 API operation: get-bucket-policy
  Macie field type: string
  Description: The Federated identity stated in the principal expression of the policy.
  Example search query: Search for bucket policies with a particular Federated user specified in the Principal section:
    • policy.Policy.Statement.Principal.Federated:"arn:aws:iam::AWS-account-ID:saml-provider/provider-name"

policy.Policy.Statement.Principal.Service
  Amazon S3 API field name: Policy.Statement.Principal.Service
  Amazon S3 API operation: get-bucket-policy
  Macie field type: string
  Description: The Service stated in the principal expression of the policy.
  Example search query: Search for bucket policies with a particular Service specified in the Principal section:
    • policy.Policy.Statement.Principal.Service:"elasticmapreduce.amazonaws.com"

policy.Policy.Statement.Resource
  Amazon S3 API field name: Policy.Statement.Resource
  Amazon S3 API operation: get-bucket-policy
  Macie field type: string
  Description: The S3 resource to which the S3 bucket policy is applied.
  Example search query: Search for S3 bucket policies containing wildcards:
    • policy.Policy.Statement.Resource:/.*\*/

policy.Policy.Statement.Sid
  Amazon S3 API field name: Policy.Statement.Sid
  Amazon S3 API operation: get-bucket-policy
  Macie field type: string
  Description: The Sid of the S3 bucket policy.
  Example search query: Search for bucket policies with a particular Sid:
    • policy.Policy.Statement.Sid:"1"

policy.Policy.Version
  Amazon S3 API field name: Policy.Version
  Amazon S3 API operation: get-bucket-policy
  Macie field type: string
  Description: The version number for the S3 bucket policy.
  Example search query: Search for bucket policies with a particular version:
    • policy.Policy.Version:"2012-10-17"

tagging.TagSet.Key
  Amazon S3 API field name: TagSet.Key
  Amazon S3 API operation: get-bucket-tagging
  Macie field type: string
  Description: The key of the S3 bucket tag.
  Example search query: Search for buckets with a particular tag key:
    • tagging.TagSet.Key:"User"

tagging.TagSet.Value
  Amazon S3 API field name: TagSet.Value
  Amazon S3 API operation: get-bucket-tagging
  Macie field type: string
  Description: The value of the S3 bucket tag.
  Example search query: Search for buckets with a particular tag value:
    • tagging.TagSet.Value:"johndoe"

versioning.MFADelete
  Amazon S3 API field name: MFADelete
  Amazon S3 API operation: get-bucket-versioning
  Macie field type: string
  Description: The MFA delete (enabled/disabled) state of the bucket versioning configuration.
  Example search query: Search for buckets where MFA delete is enabled in the bucket versioning configuration:
    • versioning.MFADelete:"enabled"

website.ErrorDocument.Key
  Amazon S3 API field name: ErrorDocument.Key
  Amazon S3 API operation: get-bucket-website
  Macie field type: string
  Description: The error document configured as part of S3 static website hosting.
  Example search query: Search for S3 buckets configured for static website hosting and with an error page redirection to 404.html:
    • website.ErrorDocument.Key:"404.html"

website.IndexDocument.Suffix
  Amazon S3 API field name: IndexDocument.Suffix
  Amazon S3 API operation: get-bucket-website
  Macie field type: string
  Description: The suffix of a webpage that Amazon S3 returns when a request is made to the root of a website or any subfolder.
  Example search query: Search for S3 buckets configured for static website hosting and with index.html as the index document:
    • website.IndexDocument.Suffix:"index.html"

lifecycle_configuration.Rules.*
  Amazon S3 API field name: Rules.* (listed per field below)
  Amazon S3 API operation: get-bucket-lifecycle-configuration
  Macie field type: date, integer or string (listed per field below)
  Description: For more information, see GET Bucket lifecycle.
  Fields, as Macie field name (Amazon S3 API field name): Macie field type
    • lifecycle_configuration.Rules.Expiration.Date (Rules.Expiration.Date): date
    • lifecycle_configuration.Rules.Expiration.Days (Rules.Expiration.Days): integer
    • lifecycle_configuration.Rules.AbortIncompleteMultipartUpload.DaysAfterInitiation (Rules.AbortIncompleteMultipartUpload.DaysAfterInitiation): integer
    • lifecycle_configuration.Rules.Filter.Prefix (Rules.Filter.Prefix): string
    • lifecycle_configuration.Rules.Filter.Tag.Key (Rules.Filter.Tag.Key): string
    • lifecycle_configuration.Rules.Filter.Tag.Value (Rules.Filter.Tag.Value): string
    • lifecycle_configuration.Rules.ID (Rules.ID): string
    • lifecycle_configuration.Rules.NoncurrentVersionExpiration.NoncurrentDays (Rules.NoncurrentVersionExpiration.NoncurrentDays): integer
    • lifecycle_configuration.Rules.NoncurrentVersionTransitions.NoncurrentDays (Rules.NoncurrentVersionTransitions.NoncurrentDays): integer
    • lifecycle_configuration.Rules.NoncurrentVersionTransitions.StorageClass (Rules.NoncurrentVersionTransitions.StorageClass): string
    • lifecycle_configuration.Rules.Prefix (Rules.Prefix): string
    • lifecycle_configuration.Rules.Status (Rules.Status): string
    • lifecycle_configuration.Rules.Transitions.Date (Rules.Transitions.Date): date
    • lifecycle_configuration.Rules.Transitions.Days (Rules.Transitions.Days): integer
    • lifecycle_configuration.Rules.Transitions.StorageClass (Rules.Transitions.StorageClass): string
  Example search query: Search for the S3 buckets with a lifecycle configuration rule whose expiration is less than 3 days:
    • lifecycle_configuration.Rules.Expiration.Days:<3

S3 Bucket Properties Data Fields Generated by Macie

Each entry below gives the Macie field name, followed by the Macie field type, a description, and an example search query.

@timestamp
  Macie field type: date
  Description: The timestamp when the bucket was last analyzed by Macie.
  Example search query: Search for S3 buckets analyzed by Macie in the last 24 hours:
    • @timestamp:[now-1d TO now]

accountId
  Macie field type: string
  Description: The AWS Account ID of the S3 bucket owner.
  Example search query: Search for any S3 buckets that do not belong to a given AWS account:
    • NOT accountId:110912345678

bucket
  Macie field type: string
  Description: The name of an S3 bucket.
  Example search query: Search for a particular S3 bucket by name:
    • bucket:"MyBucket"

s3_world_readability
  Macie field type: string
  Description: A "true" or "false" or "unknown" value indicating whether the S3 bucket is globally readable. The "unknown" value indicates that Macie is unable to determine whether the S3 bucket is globally readable.
  Example search query: Search for S3 buckets that are globally readable either by the S3 ACL or the bucket (IAM) policy:
    • s3_world_readability:"true"

s3_world_writability
  Macie field type: string
  Description: A "true" or "false" or "unknown" value indicating whether the S3 bucket is globally writable. The "unknown" value indicates that Macie is unable to determine whether the S3 bucket is globally writable.
  Example search query: Search for S3 buckets that are globally writable either by the S3 ACL or the bucket (IAM) policy:
    • s3_world_writability:"true"
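The generated s3_world_readability field described above is derived from the same get-bucket-acl and get-bucket-policy data that the extracted acl.* and policy.* fields come from. The Python below is an added example, not Macie's own code or algorithm: it returns a true/false/unknown verdict from those two documents, treating an AllUsers ACL grant or an unconditional public Allow as "true" and Condition blocks, Deny and NotPrincipal statements as cases it cannot settle; the rules, helper names and sample documents are this example's own assumptions.

```python
import json
from fnmatch import fnmatchcase

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"  # acl.Grants.Grantee.URI value
READ_PERMS = {"READ", "FULL_CONTROL"}  # acl.Grants.Permission values that expose the bucket

def _as_list(v):  # IAM accepts a scalar or a list for Statement, Action and Principal.AWS
    return v if isinstance(v, list) else [v]
def _statements(policy_doc):  # policy_doc is the JSON string get-bucket-policy returns
    return _as_list(json.loads(policy_doc)["Statement"]) if policy_doc else []
def _has_deny(stmts):  # an explicit Deny (or NotPrincipal) overrides Allow statements and ACL grants alike
    return any(st.get("Effect") == "Deny" or "NotPrincipal" in st for st in stmts)
def _public_principal(st):  # Principal "*" or Principal.AWS containing "*"
    p = st.get("Principal")
    return p == "*" or (isinstance(p, dict) and "*" in _as_list(p.get("AWS", [])))
def _grants_read(st):  # Action may use IAM wildcards ("*", "s3:*", "s3:Get*"), case-insensitive
    return any(fnmatchcase("s3:getobject", a.lower()) for a in _as_list(st.get("Action", [])))

def acl_world_readable(acl):  # any ACL grant giving the AllUsers group READ or FULL_CONTROL
    return any(g["Grantee"].get("URI") == ALL_USERS and g["Permission"] in READ_PERMS
               for g in acl.get("Grants", []))

def policy_world_readability(policy_doc):
    """Bucket (IAM) policy verdict. 'unknown' when the answer depends on context the document
    cannot settle: a Condition block (source IP, VPC, MFA) or any Deny/NotPrincipal statement."""
    stmts = _statements(policy_doc)
    if _has_deny(stmts):
        return "unknown"
    verdict = "false"
    for st in stmts:
        if st.get("Effect") == "Allow" and _public_principal(st) and _grants_read(st):
            if not st.get("Condition"):
                return "true"  # unconditional public read: no doubt
            verdict = "unknown"
    return verdict

def s3_world_readability(acl, policy_doc):
    """Readable by everyone via either the S3 ACL or the bucket policy, as the field is defined."""
    if acl_world_readable(acl) and not _has_deny(_statements(policy_doc)):
        return "true"  # an AllUsers ACL grant decides unless a policy Deny could override it
    return policy_world_readability(policy_doc)

# Constructed sample documents in get-bucket-acl / get-bucket-policy shape (not real account data).
ACL_PUBLIC = {"Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]}
ACL_PRIVATE = {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-ID"}, "Permission": "FULL_CONTROL"}]}
POLICY_PUBLIC = json.dumps({"Version": "2012-10-17", "Statement": [{"Sid": "PublicRead", "Effect": "Allow",
    "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})
POLICY_CONDITIONAL = json.dumps({"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Principal": {"AWS": "*"}, "Action": ["s3:Get*"], "Resource": "arn:aws:s3:::example-bucket/*",
    "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}}]})
```

Feeding it the output of aws s3api get-bucket-acl and get-bucket-policy for a bucket lets you compare the verdict with the value Macie reports and see which statement made the result "unknown".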