Amazon Macie
User Guide

Researching S3 Objects Data

Analyzing S3 Objects Search Results

The following section describes the elements of the search results that are displayed when you use the Research tab to investigate your Macie-monitored S3 objects.

Complete the following steps in the Research tab:

  1. Select S3 objects in the first filter pull-down list.

  2. For this sample procedure, select Top 10 in the second filter pull-down list.

  3. For this sample procedure, select Past 90 days in the third filter pull-down list.

  4. Choose the button with the looking glass icon to start the search.

Your search results include the following elements:

  • The total number of results that matched your S3 objects search for the selected time range.

  • The graphical representation of the S3 objects search results for the selected time range.

    Note

    If your data set is very large and you specify a very wide time range, your data might not render properly and this graph might not be displayed as one of the resulting elements of your search.

    Important

    You can use the graph to further narrow your search and generate and run a query that will produce a subset of the results generated by your original selections in the steps above. Double-click any of the graph's results and your selection is translated into a new query that's automatically displayed in the Query Parser, and the Research tab is refreshed with the results of this new query.

  • Search results summary - this is a list of the most significant fields from your search. The first line includes the top (or bottom) 3 values for each field. The second line includes the top (or bottom) 10 values for each field.

    Important

    You can use the fields in the search results summary to further narrow your search and generate and run a query that will produce a subset of the results generated by your original selections in the steps above. Choose the first or the second line of results for any field, and in the expanded results breakdown, choose the looking glass icon next to any of the results. Your choices are then translated into a new query that's automatically displayed in the Query Parser, and the Research tab is refreshed with the results of this new query.

  • A list of S3 objects that match your search criteria. You can choose any S3 object to expand it and view its details.

S3 Objects Data Fields and Sample Queries

The following tables include the fields that can appear in the results of your S3 object searches.

  • The first table includes the fields that Macie extracts from the Amazon S3 object API metadata. These are Macie fields that are also found in S3 API metadata. For example, filesystem_metadata.ETag describes the entity tag of an S3 object based on the checksum or hash of its content.

  • The second table includes the fields that are generated by Macie to provide further security intelligence and context based on the examined S3 object content and metadata. For example, dlp_risk represents a weighted score describing the risk profile of an S3 object's metadata and content, and pii_types describes any personally identifiable information contained in an S3 object.

S3 Object Data Fields Extracted by Macie

Each entry below lists the Macie field name, then the Amazon S3 API field name, the Amazon S3 API operation that returns it, the Macie field type, a description, and an example search query.

key
  Amazon S3 API field name: key
  Amazon S3 API operation: get-bucket (listObjects)
  Macie field type: string
  Description: The S3 object key path.
  Example search query: Search for document names with the keyword 'myobject':

  • key: /.*myobject.*/

accountId
  Amazon S3 API field name: None
  Amazon S3 API operation: None
  Macie field type: string
  Description: The AWS account ID that owns the S3 object.
  Example search query: Search for S3 objects owned by a particular AWS account ID:

  • accountId:"110912345678"

filesystem_metadata.bucket
  Amazon S3 API field name: None
  Amazon S3 API operation: None
  Macie field type: string
  Description: The S3 bucket name that holds the S3 object.
  Example search query: Search for S3 objects in a particular S3 bucket:

  • filesystem_metadata.bucket:"MyBucket"

filesystem_metadata.first_prefix
  Amazon S3 API field name: None (Note: Macie uses the S3 key field and parses out everything before the first '/', not including the bucket name.)
  Amazon S3 API operation: get-bucket (listObjects)
  Macie field type: string
  Description: The name of the first folder that contains the S3 object.
  Example search query: Search for S3 objects whose first folder name is AWSLogs:

  • filesystem_metadata.first_prefix:"AWSLogs"

filesystem_metadata.ETag
  Amazon S3 API field name: eTag
  Amazon S3 API operation: get-bucket (listBuckets)
  Macie field type: string
  Description: The entity tag as defined in RFC 2616.
  Example search query: Search for a particular eTag:

  • filesystem_metadata.ETag:""8b7186a0147b3ff5a0c4d0546f0efc7b""

filesystem_metadata.bucket_owner.id
  Amazon S3 API field name: ID
  Amazon S3 API operation: get-bucket-acl
  Macie field type: string
  Description: The unique ID of the S3 bucket owner.
  Example search query: Search for S3 objects belonging to a particular owner ID:

  • filesystem_metadata.bucket_owner.id:"447fba12b05da301df359096ff54dd86bbbe347d3d5aff1e59f0906cd6a8394d2"

filesystem_metadata.bucket_owner.name
  Amazon S3 API field name: Owner
  Amazon S3 API operation: get-bucket-acl
  Macie field type: string
  Description: The name of the S3 bucket owner.
  Example search query: Search for S3 objects owned by John Doe:

  • filesystem_metadata.bucket_owner.name: "JohnDoe"

filesystem_metadata.last_modified
  Amazon S3 API field name: LastModified
  Amazon S3 API operation: get-bucket (list-buckets)
  Macie field type: date
  Description: The timestamp when the S3 object was last modified.
  Example search query: Search for S3 objects that were modified in the last 24 hours:

  • filesystem_metadata.last_modified:[now-1d TO now]

filesystem_metadata.server_encryption
  Amazon S3 API field name: ServerSideEncryption
  Amazon S3 API operation: get-object
  Macie field type: string
  Description: The server-side encryption used to encrypt an S3 object.
  Example search query: Search for objects that are not encrypted with the AES256 standard:

  • NOT filesystem_metadata.server_encryption: "AES256"

filesystem_metadata.size
  Amazon S3 API field name: Size
  Amazon S3 API operation: get-bucket (list-buckets)
  Macie field type: integer
  Description: The size of the S3 object's content in bytes.
  Example search query: Search for S3 objects that are larger than 1 MB:

  • filesystem_metadata.size: > 1024000

filesystem_metadata.sse_kms_key_id
  Amazon S3 API field name: SSEKMSKeyId
  Amazon S3 API operation: get-object
  Macie field type: string
  Description: The unique identifier (ARN) of the master key used for server-side encryption of the S3 object.
  Example search query: Search for all S3 objects encrypted with a given key ID:

  • filesystem_metadata.sse_kms_key_id: "arn:aws:kms:us-west-2:110912345678:key/06f8b4fa-3f50-4aad-8a98-b60a56a9a1f2"

object_acl.Grants.Grantee.DisplayName
  Amazon S3 API field name: Grants.Grantee.DisplayName
  Amazon S3 API operation: get-object-acl
  Macie field type: string
  Description: The ACL grantee name.
  Example search query: Search for S3 object ACL permissions granted to John Doe:

  • object_acl.Grants.Grantee.DisplayName: "JohnDoe"

object_acl.Grants.Grantee.ID
  Amazon S3 API field name: Grants.Grantee.ID
  Amazon S3 API operation: get-object-acl
  Macie field type: string
  Description: The ACL grantee unique ID.
  Example search query: Search for S3 object ACL permissions with a particular grantee ID:

  • object_acl.Grants.Grantee.ID:"75aa57f09aa0c8caeab4f8c24e99d10f8e7faeebf76c078efc7c6caea54ba06a"

object_acl.Grants.Grantee.Type
  Amazon S3 API field name: Grants.Grantee.Type
  Amazon S3 API operation: get-object-acl
  Macie field type: string
  Description: The ACL grantee type, such as "CanonicalUser" or "Group".
  Example search query: Search for all S3 object ACLs that are granted to users or groups:

  • object_acl.Grants.Grantee.Type:CanonicalUser

  • object_acl.Grants.Grantee.Type:Group

object_acl.Grants.Grantee.URI
  Amazon S3 API field name: Grants.Grantee.URI
  Amazon S3 API operation: get-object-acl
  Macie field type: string
  Description: The ACL grantee URI.
  Example search query: Search for S3 object ACLs with the AllUsers grant:

  • object_acl.Grants.Grantee.URI: "http://acs.amazonaws.com/groups/global/AllUsers"

object_acl.Grants.Permission
  Amazon S3 API field name: Grants.Permission
  Amazon S3 API operation: get-object-acl
  Macie field type: string
  Description: The ACL grantee permission.
  Example search query: Search for S3 object ACLs that grant full control:

  • object_acl.Grants.Permission: "FULL_CONTROL"

object_acl.Owner.DisplayName
  Amazon S3 API field name: Owner.DisplayName
  Amazon S3 API operation: get-object-acl
  Macie field type: string
  Description: The ACL owner name.
  Example search query: Search for S3 objects owned by John Doe:

  • object_acl.Owner.DisplayName: "JohnDoe"

object_acl.Owner.ID
  Amazon S3 API field name: Owner.ID
  Amazon S3 API operation: get-object-acl
  Macie field type: string
  Description: The ACL owner ID.
  Example search query: Search for S3 objects belonging to a particular owner ID:

  • object_acl.Owner.ID: "447fba12b05da301df359096ff54dd86bbbe347d3d5aff1e59f0906cd6a8394d2"

S3 Object Data Fields Generated by Macie

Each entry below lists the Macie field name, then the Macie field type, a description, and an example search query.

@timestamp
  Macie field type: date
  Description: The timestamp when the S3 object was last modified.
  Example search query: Search for S3 objects classified by Macie in the last 24 hours:

  • @timestamp:[now-1d TO now]

content_type
  Macie field type: string
  Description: The content and encoding type of the S3 object. (Note: You can locate this value in the Name field for a particular content type in the Content types section of the Settings page in the Macie console.)
  Example search query: Search for Java source code containing hard-coded AWS credentials:

  • content_type:"text/x-java-source" AND regex_themes: "aws_access_key"

dlp_risk
  Macie field type: integer
  Description: Through the automatic classification methods, a Macie-monitored object is assigned various risk levels based on each content type, file extension, theme, regex, PII, and SVM artifact that is assigned to it. The object's compound (final) risk level (dlp_risk) is set to the highest value of its assigned risk levels. (Note: You can find risk levels in the Settings page of the Macie console for their respective supported data classifiers.)
  Example search query: Search for globally accessible (Read or Write) objects with a compound (final) risk level of 5 or higher:

  • object_acl.Grants.Grantee.URI: "http://acs.amazonaws.com/groups/global/AllUsers" AND dlp_risk>5

encoding
  Macie field type: string
  Description: The encoding scheme identified when analyzing the S3 object content.
  Example search query: Search for UTF-8 encoded text documents:

  • encoding: "utf-8"

filetype_risk
  Macie field type: integer
  Description: The risk level assigned to an S3 object based on its file extension. (Note: You can find risk levels in the Settings page of the Macie console for their respective supported data classifiers.)
  Example search query: Search for documents whose file extension risk level is greater than 6:

  • filetype_risk: > 6

filetypes
  Macie field type: string
  Description: The type of the file based on its extension. (Note: You can locate this value in the Name and Description fields for a particular file type in the File extensions section of the Settings page in the Macie console.)
  Example search query: Search for files with the .pdf extension:

  • filetypes: "Adobe PDF (.pdf)"

keyword_themes
  Macie field type: string
  Description: The themes assigned to the S3 object. You can find supported themes in the Settings page of the Macie console.
  Example search query: Search for S3 objects containing content related to Social Security:

  • keyword_themes: "Social Security Keywords"

language_code
  Macie field type: string
  Description: The language code found when analyzing the S3 object's content.
  Example search query: Search for S3 objects containing German keywords:

  • language_code: "de"

last_crawl_time
  Macie field type: date
  Description: The timestamp of when an S3 object was last analyzed by Macie.
  Example search query: Search for S3 objects analyzed by Macie in the last 24 hours:

  • last_crawl_time: [now-1d/d TO now]

mimetype_risk
  Macie field type: integer
  Description: The risk level based on an S3 object's content (MIME) type.
  Example search query: Search for S3 objects whose MIME types are associated with high-risk content:

  • mimetype_risk: > 5

mimetypes
  Macie field type: string
  Description: The MIME type of an S3 object.
  Example search query: Search for plain text documents containing AWS secret keys:

  • mimetypes: "Plain Text (text/plain)" AND themes: aws_secret_key

pii_impact
  Macie field type: string
  Description: The Macie-assigned PII severity impact of an S3 object.
  Example search query: Search for S3 objects containing high-impact personally identifiable information:

  • pii_impact: "high"

pii_types
  Macie field type: string
  Description: The specific type of PII found in an S3 object.
  Example search query: Search for S3 objects containing email addresses:

  • pii_types: "email"

regex_risk
  Macie field type: integer
  Description: The risk level based on an S3 object's Macie-assigned regex.
  Example search query: Search for S3 objects with a regex-based risk level greater than 5:

  • regex_risk: > 5

regex_themes
  Macie field type: string
  Description: The regex themes of an S3 object.
  Example search query: Search for S3 objects containing RSA private keys:

  • regex_themes: "RSA Private Key"

theme_risk
  Macie field type: string
  Description: The risk level based on the Macie-assigned themes of an S3 object.
  Example search query: Search for S3 objects with a theme-based risk level higher than 5:

  • theme_risk: > 5

themes
  Macie field type: string
  Description: The combined themes of an S3 object.
  Example search query: Search for S3 objects containing RSA private keys:

  • themes: "RSA Private Key"
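As an added example (not code from the Macie guide or the Macie service), the following Python mirrors three of the queries above over constructed S3 object records: the AllUsers grant combined with dlp_risk, the last-24-hours date range, and the regex key search, with dlp_risk computed as the highest of the per-classifier risk levels exactly as this page describes. The record layout, SAMPLE_OBJECTS, and the helper functions are this example's own assumptions.

```python
"""Added example (not from the Macie guide): mirror three of this page's
search queries over constructed S3 object records, with dlp_risk taken as
the highest of the object's assigned risk levels."""
import re
from datetime import datetime, timedelta, timezone

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
RISK_FIELDS = ("filetype_risk", "mimetype_risk", "regex_risk", "theme_risk")
NOW = datetime(2024, 1, 2, 12, 0, tzinfo=timezone.utc)  # fixed "now" for the sample

def grant(uri=None, grantee_id=None, permission="READ"):
    """Build one object_acl.Grants entry (constructed helper, not a Macie API)."""
    grantee = {"Type": "Group", "URI": uri} if uri else {"Type": "CanonicalUser", "ID": grantee_id}
    return {"Grantee": grantee, "Permission": permission}

# Constructed sample records; the owner ID is a placeholder, not a real value.
SAMPLE_OBJECTS = [
    {"key": "exports/myobject.csv", "last_modified": NOW - timedelta(hours=3),
     "object_acl": {"Grants": [grant(uri=ALL_USERS)]},
     "filetype_risk": 2, "mimetype_risk": 3, "regex_risk": 8, "theme_risk": 4},
    {"key": "AWSLogs/trail.json", "last_modified": NOW - timedelta(days=3),
     "object_acl": {"Grants": [grant(grantee_id="OWNER-ID-PLACEHOLDER", permission="FULL_CONTROL")]},
     "filetype_risk": 1, "mimetype_risk": 1, "regex_risk": 0, "theme_risk": 0},
    {"key": "public/readme.txt", "last_modified": NOW - timedelta(hours=20),
     "object_acl": {"Grants": [grant(uri=ALL_USERS)]},
     "filetype_risk": 1, "mimetype_risk": 2, "regex_risk": 0, "theme_risk": 3},
]

def compound_risk(obj):
    """dlp_risk: the highest value among the object's assigned risk levels."""
    return max(obj.get(f, 0) for f in RISK_FIELDS)

def is_public(obj):
    """True when an object_acl.Grants.Grantee.URI names the AllUsers group."""
    return any(g["Grantee"].get("URI") == ALL_USERS for g in obj["object_acl"]["Grants"])

def public_high_risk(objs, threshold=5):
    """object_acl.Grants.Grantee.URI:"...AllUsers" AND dlp_risk>threshold"""
    return [o["key"] for o in objs if is_public(o) and compound_risk(o) > threshold]

def modified_last_day(objs, now=NOW):
    """filesystem_metadata.last_modified:[now-1d TO now] (inclusive range)."""
    return [o["key"] for o in objs if now - timedelta(days=1) <= o["last_modified"] <= now]

def key_matches(objs, pattern):
    """key: /.*myobject.*/ -- a regex term must match the whole key value."""
    rx = re.compile(pattern)
    return [o["key"] for o in objs if rx.fullmatch(o["key"])]
```

Running `public_high_risk(SAMPLE_OBJECTS)` returns only the publicly readable object whose highest component risk exceeds 5, which is the set the console query in the dlp_risk entry would surface.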