Amazon Macie
User Guide

Researching S3 Bucket Properties Data

Analyzing S3 Buckets Properties Search Results

The following section describes the elements of the search results that appear when you use the Research tab to investigate your S3 bucket properties data that Macie monitors.

Complete the following steps in the Research tab.

  1. Select S3 bucket properties in the first filter dropdown.

  2. For this example, select Top 10 in the second filter dropdown.

  3. For this example, select Past 90 days in the third filter dropdown.

  4. Choose the button with the looking glass icon to start the search.

Your search results contain the following elements:

  • The total number of results that matched your S3 bucket properties data search for the selected time range.

  • The graphical representation of the S3 bucket properties data search results for the selected time range.

    Note

    If your dataset is very large and you specify a very wide time range, your data might not render properly, and this graph might not appear as one of the resulting elements of your search.

    Important

    You can use the graph to further narrow your search and generate and run a query that produces a subset of the results generated by your original selections in the preceding steps. Double-click any of the graph's results, and your selection is translated into a new query that automatically appears in the query parser, and the Research tab is refreshed with the results of this new query.

  • Search results summary – A list of the most significant fields from your search. The first line includes the top (or bottom) three values for each field. The second line includes the top (or bottom) 10 values for each field.

    Important

    You can use the fields in the search results summary to further narrow your search and generate and run a query that produces a subset of the results generated by your original selections in the preceding steps. Choose the first or the second line of results for any field, and in the expanded results breakdown, choose the looking glass icon next to any of the results. Your choices are translated into a new query that automatically appears in the query parser, and the Research tab is refreshed with the results of this new query.

  • A list of S3 buckets that match your search criteria. Choose any bucket to expand it and view its details.

S3 Bucket Properties Data Fields and Example Queries

The following tables list the fields that can appear in the results of your S3 bucket metadata searches:

  • The first table includes the fields that Macie extracts from the Amazon S3 bucket API metadata. For example, acl.Grants.Grantee.DisplayName in Macie corresponds to Grants.Grantee.DisplayName in the Amazon S3 get-bucket-acl API response.

  • The second table includes the fields that Macie generates to provide further security intelligence and context based on the examined S3 bucket metadata. For example, s3_world_readability indicates (true, false, or unknown) whether an S3 bucket is readable by everyone, as determined from its Amazon S3 ACL and bucket (IAM) policy.

S3 Bucket Properties Data Fields That Macie Extracts

Each Macie field below is listed with its Amazon S3 API field name, the Amazon S3 API operation that returns it, the Macie field type, a description, and one or more example search queries.

acl.Grants.Grantee.DisplayName

  Amazon S3 API field name: Grants.Grantee.DisplayName
  Amazon S3 API operation: get-bucket-acl
  Macie field type: String
  Description: The display name of the S3 bucket ACL grantee.

  Example search query – Search for S3 buckets accessible by John Doe:

    • acl.Grants.Grantee.DisplayName:"JohnDoe"

acl.Grants.Grantee.ID

  Amazon S3 API field name: Grants.Grantee.ID
  Amazon S3 API operation: get-bucket-acl
  Macie field type: String
  Description: The ID of the identity that was granted access to the S3 bucket by the bucket owner.

  Example search query – Search for an S3 bucket's grantee with a particular canonical ID:

    • acl.Grants.Grantee.ID:"75bee88dfe7bf9b7243aea123934be3e55d777d8412b4aa1703284e2bb29371b"

acl.Grants.Grantee.Type

  Amazon S3 API field name: Grants.Grantee.Type
  Amazon S3 API operation: get-bucket-acl
  Macie field type: String
  Description: The user type of the S3 bucket ACL grantee.

  Example search queries – Search for all S3 buckets that are granted to Users:

    • acl.Grants.Grantee.Type:CanonicalUser

  Search for all S3 buckets that are granted to Groups:

    • acl.Grants.Grantee.Type:Group

acl.Grants.Grantee.URI

  Amazon S3 API field name: Grants.Grantee.URI
  Amazon S3 API operation: get-bucket-acl
  Macie field type: String
  Description: The URI identifier of the S3 bucket ACL grantee.

  Example search queries – Search for all S3 buckets except those that grant access to the LogDelivery group:

    • NOT acl.Grants.Grantee.URI:"http://acs.amazonaws.com/groups/s3/LogDelivery"

  Search for all S3 buckets that grant permissions to everyone (the AllUsers group):

    • acl.Grants.Grantee.URI:"http://acs.amazonaws.com/groups/global/AllUsers"

  Search for all S3 buckets that allow access to any AWS authenticated user:

    • acl.Grants.Grantee.URI:"http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

acl.Grants.Permission

  Amazon S3 API field name: Grants.Permission
  Amazon S3 API operation: get-bucket-acl
  Macie field type: String
  Description: The permission level assigned to the ACL grantee.

  Example search query – Search for S3 buckets that grant full (read/write) access to anyone:

    • acl.Grants.Grantee.URI:"http://acs.amazonaws.com/groups/global/AllUsers" AND acl.Grants.Permission:"FULL_CONTROL"

acl.Owner.DisplayName

  Amazon S3 API field name: Owner.DisplayName
  Amazon S3 API operation: get-bucket-acl
  Macie field type: String
  Description: The display name of the S3 bucket owner.

  Example search query – Search for S3 buckets owned by John Doe:

    • acl.Owner.DisplayName: "JohnDoe"

acl.Owner.ID

  Amazon S3 API field name: Owner.ID
  Amazon S3 API operation: get-bucket-acl
  Macie field type: String
  Description: The ID of the S3 bucket owner.

  Example search query – Search for a particular S3 bucket owner ID:

    • acl.Owner.ID:"73bee78dfe7b89b7243aea1c6934baae55d777d8412b4fd1703284e2bb29371f"

location.LocationConstraint

  Amazon S3 API field name: LocationConstraint
  Amazon S3 API operation: get-bucket-location
  Macie field type: String
  Description: The AWS Region where the S3 bucket resides.

    Note

    By default, buckets in the us-east-1 Region have no region returned from the S3 API call. To facilitate searching, Macie automatically populates them with the string "us-east-1".

  Example search queries – Search for buckets hosted in the us-west-2 Region:

    • location.LocationConstraint:"us-west-2"

  Search for buckets hosted in the us-east-1 Region:

    • location.LocationConstraint:"us-east-1"

logging.LoggingEnabled.TargetBucket

  Amazon S3 API field name: LoggingEnabled.TargetBucket
  Amazon S3 API operation: get-bucket-logging
  Macie field type: String
  Description: The bucket whose logging status is being returned.

  Example search query – Search for all buckets with S3 object level logging enabled:

    • logging.LoggingEnabled.TargetBucket:*

logging.LoggingEnabled.TargetPrefix

  Amazon S3 API field name: LoggingEnabled.TargetPrefix
  Amazon S3 API operation: get-bucket-logging
  Macie field type: String
  Description: The configured prefix or folder containing Object Level Logging data for a particular S3 bucket.

  Example search query – Search for buckets configured with a prefix substring of "Production":

    • logging.LoggingEnabled.TargetPrefix: "Production"

policy.Policy.Id

  Amazon S3 API field name: Policy.Id
  Amazon S3 API operation: get-bucket-policy
  Macie field type: String
  Description: The ID for an S3 bucket policy.

  Example search query – Search for bucket policies with a particular ID:

    • policy.Policy.Id:"aaaa-bbbb-cccc-dddd"

policy.Policy.Statement.Action

  Amazon S3 API field name: Policy.Statement.Action
  Amazon S3 API operation: get-bucket-policy
  Macie field type: String
  Description: The list of actions (API requests) associated with an S3 bucket policy.

  Example search query – Search for bucket policies whose actions contain the "Put" substring (PutObject, PutBucketPolicy, and so on):

    • policy.Policy.Statement.Action: /s3:Put.*/

policy.Policy.Statement.Effect

  Amazon S3 API field name: Policy.Statement.Effect
  Amazon S3 API operation: get-bucket-policy
  Macie field type: String
  Description: The list of policy effects associated with an S3 bucket policy.

  Example search query – Search for bucket policies with explicit "allow" grants:

    • policy.Policy.Statement.Effect: "Allow"

policy.Policy.Statement.NotPrincipal.AWS

  Amazon S3 API field name: Policy.Statement.NotPrincipal.AWS
  Amazon S3 API operation: get-bucket-policy
  Macie field type: String
  Description: The principal exception to which the policy rule is applied.

  Example search query – Search for bucket policies with a particular account specified in the NotPrincipal section:

    • policy.Policy.Statement.NotPrincipal.AWS:"arn:aws:iam::AWS-account-ID:role/role-name"

policy.Policy.Statement.NotPrincipal.CanonicalUser

  Amazon S3 API field name: Policy.Statement.NotPrincipal.CanonicalUser
  Amazon S3 API operation: get-bucket-policy
  Macie field type: String
  Description: The CanonicalUser stated in the NotPrincipal expression of the policy.

  Example search query – Search for bucket policies with a particular CanonicalUser specified in the NotPrincipal section:

    • policy.Policy.Statement.NotPrincipal.CanonicalUser:"79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be"

policy.Policy.Statement.NotPrincipal.Federated

  Amazon S3 API field name: Policy.Statement.NotPrincipal.Federated
  Amazon S3 API operation: get-bucket-policy
  Macie field type: String
  Description: The Federated identity stated in the NotPrincipal expression of the policy.

  Example search query – Search for bucket policies with a particular Federated user specified in the NotPrincipal section:

    • policy.Policy.Statement.NotPrincipal.Federated:"arn:aws:iam::AWS-account-ID:saml-provider/provider-name"

policy.Policy.Statement.NotPrincipal.Service

  Amazon S3 API field name: Policy.Statement.NotPrincipal.Service
  Amazon S3 API operation: get-bucket-policy
  Macie field type: String
  Description: The Service stated in the NotPrincipal expression of the policy.

  Example search query – Search for bucket policies with a particular Service specified in the NotPrincipal section:

    • policy.Policy.Statement.NotPrincipal.Service:"elasticmapreduce.amazonaws.com"

policy.Policy.Statement.Principal.AWS

  Amazon S3 API field name: Policy.Statement.Principal.AWS
  Amazon S3 API operation: get-bucket-policy
  Macie field type: String
  Description: The principal specified in the AWS expression.

  Example search query – Search for bucket policies with explicit allow grants to any AWS principal (a wildcard principal):

    • policy.Policy.Statement.Effect: Allow AND policy.Policy.Statement.Principal.AWS: "*"

policy.Policy.Statement.Principal.CanonicalUser

  Amazon S3 API field name: Policy.Statement.Principal.CanonicalUser
  Amazon S3 API operation: get-bucket-policy
  Macie field type: String
  Description: The CanonicalUser stated in the Principal expression of the policy.

  Example search query – Search for bucket policies with a particular CanonicalUser specified in the Principal section:

    • policy.Policy.Statement.Principal.CanonicalUser:"79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be"

policy.Policy.Statement.Principal.Federated

  Amazon S3 API field name: Policy.Statement.Principal.Federated
  Amazon S3 API operation: get-bucket-policy
  Macie field type: String
  Description: The Federated identity stated in the Principal expression of the policy.

  Example search query – Search for bucket policies with a particular Federated user specified in the Principal section:

    • policy.Policy.Statement.Principal.Federated:"arn:aws:iam::AWS-account-ID:saml-provider/provider-name"

policy.Policy.Statement.Principal.Service

  Amazon S3 API field name: Policy.Statement.Principal.Service
  Amazon S3 API operation: get-bucket-policy
  Macie field type: String
  Description: The Service stated in the Principal expression of the policy.

  Example search query – Search for bucket policies with a particular Service specified in the Principal section:

    • policy.Policy.Statement.Principal.Service:"elasticmapreduce.amazonaws.com"

policy.Policy.Statement.Resource

  Amazon S3 API field name: Policy.Statement.Resource
  Amazon S3 API operation: get-bucket-policy
  Macie field type: String
  Description: The S3 resource that the S3 bucket policy is applied to.

  Example search query – Search for S3 bucket policies whose resource contains a wildcard:

    • policy.Policy.Statement.Resource: /.*\*/

policy.Policy.Statement.Sid

  Amazon S3 API field name: Policy.Statement.Sid
  Amazon S3 API operation: get-bucket-policy
  Macie field type: String
  Description: The Sid of the S3 bucket policy.

  Example search query – Search for bucket policies with a particular Sid:

    • policy.Policy.Statement.Sid:"1"

policy.Policy.Version

  Amazon S3 API field name: Policy.Version
  Amazon S3 API operation: get-bucket-policy
  Macie field type: String
  Description: The version number for the S3 bucket policy.

  Example search query – Search for bucket policies with a particular version:

    • policy.Policy.Version:"2012-10-17"

tagging.TagSet.Key

  Amazon S3 API field name: TagSet.Key
  Amazon S3 API operation: get-bucket-tagging
  Macie field type: String
  Description: The key of the S3 bucket tag.

  Example search query – Search for buckets with a particular tag key:

    • tagging.TagSet.Key:"User"

tagging.TagSet.Value

  Amazon S3 API field name: TagSet.Value
  Amazon S3 API operation: get-bucket-tagging
  Macie field type: String
  Description: The value of the S3 bucket tag.

  Example search query – Search for buckets with a particular tag value:

    • tagging.TagSet.Value:"johndoe"

versioning.MFADelete

  Amazon S3 API field name: MFADelete
  Amazon S3 API operation: get-bucket-versioning
  Macie field type: String
  Description: The MFADelete (enabled/disabled) state of the bucket versioning configuration.

  Example search query – Search for buckets where MFADelete is enabled in the bucket versioning configuration:

    • versioning.MFADelete:"enabled"

website.ErrorDocument.Key

  Amazon S3 API field name: ErrorDocument.Key
  Amazon S3 API operation: get-bucket-website
  Macie field type: String
  Description: The error document configured as part of S3 static website hosting.

  Example search query – Search for S3 buckets configured for static website hosting with an error page redirection to 404.html:

    • website.ErrorDocument.Key: "404.html"

website.IndexDocument.Suffix

  Amazon S3 API field name: IndexDocument.Suffix
  Amazon S3 API operation: get-bucket-website
  Macie field type: String
  Description: The suffix of a webpage that Amazon S3 returns when a request is made to the root of a website or any subfolder.

  Example search query – Search for S3 buckets configured for static website hosting with index.html as the index document:

    • website.IndexDocument.Suffix: "index.html"

lifecycle_configuration.Rules fields

  Amazon S3 API operation: get-bucket-lifecycle-configuration
  Description: Fields of the bucket's lifecycle configuration rules. For more information, see GET Bucket lifecycle.

  Macie field name (Amazon S3 API field name, Macie field type):

    • lifecycle_configuration.Rules.Expiration.Date (Rules.Expiration.Date, Date)

    • lifecycle_configuration.Rules.Expiration.Days (Rules.Expiration.Days, Integer)

    • lifecycle_configuration.Rules.AbortIncompleteMultipartUpload.DaysAfterInitiation (Rules.AbortIncompleteMultipartUpload.DaysAfterInitiation, Integer)

    • lifecycle_configuration.Rules.Filter.Prefix (Rules.Filter.Prefix, String)

    • lifecycle_configuration.Rules.Filter.Tag.Key (Rules.Filter.Tag.Key, String)

    • lifecycle_configuration.Rules.Filter.Tag.Value (Rules.Filter.Tag.Value, String)

    • lifecycle_configuration.Rules.ID (Rules.ID, String)

    • lifecycle_configuration.Rules.NoncurrentVersionExpiration.NoncurrentDays (Rules.NoncurrentVersionExpiration.NoncurrentDays, Integer)

    • lifecycle_configuration.Rules.NoncurrentVersionTransitions.NoncurrentDays (Rules.NoncurrentVersionTransitions.NoncurrentDays, Integer)

    • lifecycle_configuration.Rules.NoncurrentVersionTransitions.StorageClass (Rules.NoncurrentVersionTransitions.StorageClass, String)

    • lifecycle_configuration.Rules.Prefix (Rules.Prefix, String)

    • lifecycle_configuration.Rules.Status (Rules.Status, String)

    • lifecycle_configuration.Rules.Transitions.Date (Rules.Transitions.Date, Date)

    • lifecycle_configuration.Rules.Transitions.Days (Rules.Transitions.Days, Integer)

    • lifecycle_configuration.Rules.Transitions.StorageClass (Rules.Transitions.StorageClass, String)

  Example search query – Search for S3 buckets with a lifecycle configuration rule whose expiration is less than 3 days:

    • lifecycle_configuration.Rules.Expiration.Days:<3

S3 Bucket Properties Data Fields That Macie Generates

Each Macie-generated field below is listed with its Macie field type, a description, and an example search query.

@timestamp

  Macie field type: Date
  Description: The timestamp when Macie last analyzed the bucket.

  Example search query – Search for S3 buckets that Macie analyzed in the last 24 hours:

    • @timestamp:[now-1d TO now]

accountId

  Macie field type: String
  Description: The account ID of the S3 bucket owner.

  Example search query – Search for any S3 buckets that don't belong to a given account:

    • NOT accountId: 110912345678

bucket

  Macie field type: String
  Description: The name of an S3 bucket.

  Example search query – Search for a particular S3 bucket by name:

    • bucket: "MyBucket"

s3_world_readability

  Macie field type: String
  Description: A value indicating whether the S3 bucket is globally readable: true, false, or unknown. The unknown value indicates that Macie can't determine whether the S3 bucket is globally readable.

  Example search query – Search for S3 buckets that are globally readable by either the Amazon S3 ACL or the bucket (IAM) policy:

    • s3_world_readability: "true"

s3_world_writability

  Macie field type: String
  Description: A value indicating whether the S3 bucket is globally writable: true, false, or unknown. The unknown value indicates that Macie can't determine whether the S3 bucket is globally writable.

  Example search query – Search for S3 buckets that are globally writable by either the Amazon S3 ACL or the bucket (IAM) policy:

    • s3_world_writability: "true"
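The following Python is an added example, not Macie's own implementation (the guide does not publish how these fields are computed): it derives the true/false/unknown state that s3_world_readability and s3_world_writability report from the raw get-bucket-acl and get-bucket-policy responses whose fields the first table lists, checking ACL grants one at a time so that a FULL_CONTROL grant to the owner is never combined with a READ grant to AllUsers. The sample ACL and policy are constructed; the sets of ACL permissions and policy actions treated as read or write access, and the choice to exclude the AuthenticatedUsers group from "world", are this example's assumptions.

```python
import fnmatch

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"  # grantee URI from the first table
MODES = {"read": ({"READ", "FULL_CONTROL"}, ("s3:GetObject", "s3:ListBucket")),   # assumed sets
         "write": ({"WRITE", "FULL_CONTROL"}, ("s3:PutObject", "s3:DeleteObject"))}

_as_list = lambda v: v if isinstance(v, list) else [v]  # policy JSON allows a scalar or a list

def acl_public_permissions(acl):
    """Permissions granted to AllUsers, decided grant by grant so that FULL_CONTROL held by the
    owner is never combined with READ held by AllUsers. AuthenticatedUsers is not 'world' here."""
    return {g["Permission"] for g in acl.get("Grants", [])
            if g["Grantee"].get("Type") == "Group" and g["Grantee"].get("URI") == ALL_USERS}

def policy_public_actions(policy):
    """Action patterns that Allow statements give to Principal "*". A statement carrying a
    Condition is flagged instead, because its reach cannot be decided from the document alone."""
    patterns, conditional = set(), False
    for st in _as_list(policy.get("Statement", [])):
        principal = st.get("Principal")
        anyone = principal == "*" or (isinstance(principal, dict)
                                      and "*" in _as_list(principal.get("AWS", [])))
        if st.get("Effect") == "Allow" and anyone and st.get("Condition"):
            conditional = True
        elif st.get("Effect") == "Allow" and anyone:
            patterns.update(_as_list(st.get("Action", [])))
    return patterns, conditional

def world_state(acl, policy, mode):
    """Return 'true', 'false' or 'unknown', the three values the Macie fields take."""
    acl_perms, actions = MODES[mode]
    if acl_public_permissions(acl) & acl_perms:
        return "true"
    patterns, conditional = policy_public_actions(policy)
    if any(fnmatch.fnmatchcase(a, p) for a in actions for p in patterns):
        return "true"
    return "unknown" if conditional else "false"

# Constructed sample: AllUsers has READ via the ACL; the policy allows PutObject to anyone only
# from one source network, so writability cannot be settled without evaluating the condition.
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id-placeholder"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]}
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}}]}

if __name__ == "__main__":
    for mode in MODES:
        print(f"{mode}: {world_state(SAMPLE_ACL, SAMPLE_POLICY, mode)}")
```

Run against the sample, the bucket comes out "true" for readability and "unknown" for writability, which is the case where a query on s3_world_writability alone would not surface it and the expanded bucket details need a look.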