Evaluating Macie findings with AWS Security Hub
AWS Security Hub is a service that provides you with a comprehensive view of your security posture across your AWS environment and helps you check your environment against security industry standards and best practices. It does this partly by consuming, aggregating, organizing, and prioritizing findings from multiple AWS services and supported AWS Partner Network security solutions. Security Hub helps you analyze your security trends and identify the highest priority security issues. With Security Hub, you can also aggregate findings from multiple AWS Regions, and then evaluate and process all the aggregated findings data from a single Region. To learn more about Security Hub, see the AWS Security Hub User Guide.
Amazon Macie integrates with Security Hub, which means that you can publish findings from Macie to Security Hub automatically. Security Hub can then include those findings in its analysis of your security posture. In addition, you can use Security Hub to evaluate and process policy and sensitive data findings as part of a larger, aggregated set of findings data for your AWS environment. In other words, you can evaluate Macie findings while performing broader analyses of your organization’s security posture, and remediate findings as necessary. Security Hub reduces the complexity of addressing large volumes of findings from multiple providers. In addition, it uses a standard format for all findings, including findings from Macie. Use of this format, the AWS Security Finding Format (ASFF), eliminates the need for you to perform time-consuming data conversion efforts.
How Macie publishes findings to AWS Security Hub
In AWS Security Hub, security issues are tracked as findings. Some findings come from issues that are detected by AWS services, such as Amazon Macie, or by supported AWS Partner Network security solutions. Security Hub also has a set of rules that it uses to detect security issues and generate findings.
Security Hub provides tools to manage findings from all of these sources. You can review and filter lists of findings and review the details of individual findings. To learn how, see Reviewing finding history and finding details in the AWS Security Hub User Guide. You can also track the status of an investigation into a finding. To learn how, see Setting the workflow status of findings in the AWS Security Hub User Guide.
All findings in Security Hub use a standard JSON format called the AWS Security Finding Format (ASFF). The ASFF includes details about the source of an issue, the affected resources, and the current status of a finding. For more information, see AWS Security Finding Format (ASFF) in the AWS Security Hub User Guide.
Types of findings that Macie publishes to Security Hub
Depending on the publication settings that you choose for your Macie account, Macie can publish all the findings that it creates to Security Hub, both sensitive data findings and policy findings. For information about these settings and how to change them, see Configuring publication settings for findings. By default, Macie publishes only new and updated policy findings to Security Hub. Macie doesn't publish sensitive data findings to Security Hub.
Sensitive data findings
If you configure Macie to publish sensitive data findings to Security Hub, Macie automatically publishes each sensitive data finding that it creates for your account, immediately after it finishes processing the finding. Macie does this for all sensitive data findings that aren't archived automatically by a suppression rule.
If you're the Macie administrator for an organization, publication is limited to findings from sensitive data discovery jobs that you ran and automated sensitive data discovery activities that Macie performed for your organization. Only the account that creates a job can publish sensitive data findings that the job produces. Only the Macie administrator account can publish sensitive data findings that automated sensitive data discovery produces for their organization.
When Macie publishes sensitive data findings to Security Hub, it uses the AWS Security Finding Format (ASFF), which is the standard format for all findings in Security Hub. In the ASFF, the Types field indicates a finding's type. This field uses a taxonomy that's slightly different from the finding type taxonomy in Macie.
The following table lists the ASFF finding type for each type of sensitive data finding that Macie can create.
Macie finding type | ASFF finding type |
---|---|
SensitiveData:S3Object/Credentials | Sensitive Data Identifications/Passwords/SensitiveData:S3Object-Credentials |
SensitiveData:S3Object/CustomIdentifier | Sensitive Data Identifications/PII/SensitiveData:S3Object-CustomIdentifier |
SensitiveData:S3Object/Financial | Sensitive Data Identifications/Financial/SensitiveData:S3Object-Financial |
SensitiveData:S3Object/Multiple | Sensitive Data Identifications/PII/SensitiveData:S3Object-Multiple |
SensitiveData:S3Object/Personal | Sensitive Data Identifications/PII/SensitiveData:S3Object-Personal |
Policy findings
If you configure Macie to publish policy findings to Security Hub, Macie automatically publishes each new policy finding that it creates, immediately after it finishes processing the finding. If Macie detects a subsequent occurrence of an existing policy finding, it automatically publishes an update to the existing finding in Security Hub, using a publication frequency that you specify for your account. Macie performs these tasks for all policy findings that aren't archived automatically by a suppression rule.
If you're the Macie administrator for an organization, publication is limited to policy findings for S3 buckets that are owned directly by your account. Macie doesn't publish policy findings that it creates or updates for member accounts in your organization. This helps ensure that you don't have duplicate findings data in Security Hub.
As is the case for sensitive data findings, Macie uses the AWS Security Finding Format (ASFF) when it publishes new and updated policy findings to Security Hub. In the ASFF, the Types field uses a taxonomy that's slightly different from the finding type taxonomy in Macie.
The following table lists the ASFF finding type for each type of policy finding that Macie can create. If Macie created or updated a policy finding in Security Hub on or after January 28, 2021, the finding has one of the following values for the ASFF Types field in Security Hub.
Macie finding type | ASFF finding type |
---|---|
Policy:IAMUser/S3BlockPublicAccessDisabled | Software and Configuration Checks/AWS Security Best Practices/Policy:IAMUser-S3BlockPublicAccessDisabled |
Policy:IAMUser/S3BucketEncryptionDisabled | Software and Configuration Checks/AWS Security Best Practices/Policy:IAMUser-S3BucketEncryptionDisabled |
Policy:IAMUser/S3BucketPublic | Effects/Data Exposure/Policy:IAMUser-S3BucketPublic |
Policy:IAMUser/S3BucketReplicatedExternally | Software and Configuration Checks/AWS Security Best Practices/Policy:IAMUser-S3BucketReplicatedExternally |
Policy:IAMUser/S3BucketSharedExternally | Software and Configuration Checks/AWS Security Best Practices/Policy:IAMUser-S3BucketSharedExternally |
Policy:IAMUser/S3BucketSharedWithCloudFront | Software and Configuration Checks/AWS Security Best Practices/Policy:IAMUser-S3BucketSharedWithCloudFront |
If Macie created or last updated a policy finding before January 28, 2021, the finding has one of the following values for the ASFF Types field in Security Hub:
- Policy:IAMUser/S3BlockPublicAccessDisabled
- Policy:IAMUser/S3BucketEncryptionDisabled
- Policy:IAMUser/S3BucketPublic
- Policy:IAMUser/S3BucketReplicatedExternally
- Policy:IAMUser/S3BucketSharedExternally
The values in the preceding list map directly to values for the Finding type (type) field in Macie.
Notes
As you review and process policy findings in Security Hub, note the following exceptions:
- In certain AWS Regions, Macie began using ASFF finding types for new and updated findings as early as January 25, 2021.
- If you acted upon a policy finding in Security Hub before Macie began using ASFF finding types in your AWS Region, the value for the ASFF Types field of the finding will be one of the Macie finding types in the preceding list. It will not be one of the ASFF finding types in the preceding table. This is true for policy findings that you acted upon using the AWS Security Hub console or the BatchUpdateFindings operation of the AWS Security Hub API.
Latency for publishing findings to Security Hub
When Amazon Macie creates a new policy or sensitive data finding, it publishes the finding to AWS Security Hub immediately after it finishes processing the finding.
If Macie detects a subsequent occurrence of an existing policy finding, it publishes an update to the existing Security Hub finding. The timing of the update depends on the publication frequency that you choose for your Macie account. By default, Macie publishes updates every 15 minutes. For more information, including how to change the setting for your account, see Configuring publication settings for findings.
Retrying publication when Security Hub isn't available
If AWS Security Hub isn't available, Amazon Macie creates a queue of findings that haven't been received by Security Hub. When Security Hub is available again, Macie retries publication until the findings are received by Security Hub.
Updating existing findings in Security Hub
After Amazon Macie publishes a policy finding to AWS Security Hub, Macie updates the finding to reflect any additional occurrences of the finding or finding activity. Macie does this only for policy findings. Sensitive data findings, unlike policy findings, are all treated as new (unique).
When Macie publishes an update to a policy finding, Macie updates the value for the Updated At (UpdatedAt) field of the finding. You can use this value to determine when Macie most recently detected a subsequent occurrence of the potential policy violation or issue that produced the finding.
Macie might also update the value for the Types (Types) field of a finding if the existing value for the field isn't an ASFF finding type. This depends on whether you've acted upon the finding in Security Hub. If you haven't acted upon the finding, Macie changes the field's value to the appropriate ASFF finding type. If you've acted upon the finding, using either the AWS Security Hub console or the BatchUpdateFindings operation of the AWS Security Hub API, Macie doesn't change the field's value.
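The type mapping in the tables above and the UpdatedAt behaviour just described are what a triage script has to handle when it pulls Macie findings out of Security Hub. The following is an added example, not code from the Macie or Security Hub documentation: it converts an ASFF Types value back to the Macie finding type (flagging legacy, pre-ASFF values that Macie never re-typed), detects a subsequent occurrence from UpdatedAt, and totals the detections recorded in the object's DataClassification block. The sample findings are constructed from the fields the page's examples show.

```python
"""Normalize Amazon Macie findings retrieved from AWS Security Hub (ASFF)."""
from datetime import datetime

# ASFF namespaces that Macie uses, per the two mapping tables above.
ASFF_PREFIXES = ("Sensitive Data Identifications/", "Software and Configuration Checks/", "Effects/")
# Raw Macie types; seen in the ASFF Types field only on policy findings from before January 2021.
MACIE_PREFIXES = ("SensitiveData:S3Object/", "Policy:IAMUser/")


def macie_type_from_asff(asff_type: str) -> tuple:
    """Return (Macie finding type, is_legacy) for one value of the ASFF Types field."""
    if asff_type.startswith(MACIE_PREFIXES):
        return asff_type, True                    # pre-ASFF finding that was acted upon; never re-typed
    if not asff_type.startswith(ASFF_PREFIXES):
        raise ValueError(f"not a Macie finding type: {asff_type}")
    leaf = asff_type.rsplit("/", 1)[1]            # e.g. "Policy:IAMUser-S3BucketPublic"
    category, sep, detail = leaf.partition("-")   # the first hyphen stands in for Macie's "/"
    if not sep:
        raise ValueError(f"malformed Macie ASFF type: {asff_type}")
    return f"{category}/{detail}", False


def summarize(finding: dict) -> dict:
    """Extract what a triage workflow needs from one Macie finding in ASFF."""
    macie_type, legacy = macie_type_from_asff(finding["Types"][0])
    created = datetime.fromisoformat(finding["CreatedAt"].replace("Z", "+00:00"))
    updated = datetime.fromisoformat(finding["UpdatedAt"].replace("Z", "+00:00"))
    detections = 0
    for res in finding.get("Resources", []):      # only AwsS3Object resources carry DataClassification
        for group in res.get("DataClassification", {}).get("Result", {}).get("SensitiveData", []):
            detections += group.get("TotalCount", 0)
    return {
        "macie_type": macie_type,
        "kind": "policy" if macie_type.startswith("Policy:") else "sensitive_data",
        "legacy_type": legacy,
        "reoccurred": updated > created,          # Macie advances UpdatedAt on repeat occurrences of policy findings
        "detections": detections,
        "buckets": [r["Id"] for r in finding.get("Resources", []) if r["Type"] == "AwsS3Bucket"],
    }


# Constructed sample findings, trimmed to the fields summarize() reads.
POLICY_FINDING = {
    "Types": ["Software and Configuration Checks/AWS Security Best Practices/Policy:IAMUser-S3BlockPublicAccessDisabled"],
    "CreatedAt": "2022-04-24T09:27:43.313Z", "UpdatedAt": "2022-04-24T09:42:43.313Z",
    "Resources": [{"Type": "AwsS3Bucket", "Id": "arn:aws:s3:::amzn-s3-demo-bucket"}],
}
SENSITIVE_FINDING = {
    "Types": ["Sensitive Data Identifications/PII/SensitiveData:S3Object-Personal"],
    "CreatedAt": "2022-05-11T10:23:49.667Z", "UpdatedAt": "2022-05-11T10:23:49.667Z",
    "Resources": [
        {"Type": "AwsS3Bucket", "Id": "arn:aws:s3:::amzn-s3-demo-bucket"},
        {"Type": "AwsS3Object", "Id": "arn:aws:s3:::amzn-s3-demo-bucket/2022 Sourcing.tsv",
         "DataClassification": {"Result": {"SensitiveData": [{"Category": "PERSONAL_INFORMATION", "TotalCount": 1}]}}},
    ],
}
```

In practice the input dicts come from the Findings list returned by Security Hub's GetFindings API filtered on the Macie ProductArn; the two functions above need no network access and can be run as-is on the constructed samples.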
Examples of Macie findings in AWS Security Hub
When Amazon Macie publishes findings to AWS Security Hub, it uses the AWS Security Finding Format (ASFF). This is the standard format for all findings in Security Hub. The following examples use sample data to demonstrate the structure and nature of the findings data that Macie publishes to Security Hub in this format:
Example of a sensitive data finding in Security Hub
Here's an example of a sensitive data finding that Macie published to Security Hub using the ASFF.
{
"SchemaVersion": "2018-10-08",
"Id": "5be50fce24526e670df77bc00example",
"ProductArn": "arn:aws:securityhub:us-east-1::product/aws/macie",
"ProductName": "Macie",
"CompanyName": "Amazon",
"Region": "us-east-1",
"GeneratorId": "aws/macie",
"AwsAccountId": "111122223333",
"Types":[
"Sensitive Data Identifications/PII/SensitiveData:S3Object-Personal"
],
"CreatedAt": "2022-05-11T10:23:49.667Z",
"UpdatedAt": "2022-05-11T10:23:49.667Z",
"Severity": {
"Label": "HIGH",
"Normalized": 70
},
"Title": "The S3 object contains personal information.",
"Description": "The object contains personal information such as first or last names, addresses, or identification numbers.",
"ProductFields": {
"JobArn": "arn:aws:macie2:us-east-1:111122223333:classification-job/698e99c283a255bb2c992feceexample",
"S3Object.Path": "amzn-s3-demo-bucket/2022 Sourcing.tsv",
"S3Object.Extension": "tsv",
"S3Bucket.effectivePermission": "NOT_PUBLIC",
"OriginType": "SENSITIVE_DATA_DISCOVERY_JOB",
"S3Object.PublicAccess": "false",
"S3Object.Size": "14",
"S3Object.StorageClass": "STANDARD",
"S3Bucket.allowsUnencryptedObjectUploads": "TRUE",
"JobId": "698e99c283a255bb2c992feceexample",
"aws/securityhub/FindingId": "arn:aws:securityhub:us-east-1::product/aws/macie/5be50fce24526e670df77bc00example",
"aws/securityhub/ProductName": "Macie",
"aws/securityhub/CompanyName": "Amazon"
},
"Resources": [
{
"Type": "AwsS3Bucket",
"Id": "arn:aws:s3:::amzn-s3-demo-bucket",
"Partition": "aws",
"Region": "us-east-1",
"Details": {
"AwsS3Bucket": {
"OwnerId": "7009a8971cd538e11f6b6606438875e7c86c5b672f46db45460ddcd08example",
"OwnerName": "johndoe",
"OwnerAccountId": "444455556666",
"CreatedAt": "2020-12-30T18:16:25.000Z",
"ServerSideEncryptionConfiguration": {
"Rules": [
{
"ApplyServerSideEncryptionByDefault": {
"SSEAlgorithm": "aws:kms",
"KMSMasterKeyID": "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
}
}
]
},
"PublicAccessBlockConfiguration": {
"BlockPublicAcls": true,
"BlockPublicPolicy": true,
"IgnorePublicAcls": true,
"RestrictPublicBuckets": true
}
}
}
},
{
"Type": "AwsS3Object",
"Id": "arn:aws:s3:::amzn-s3-demo-bucket/2022 Sourcing.tsv",
"Partition": "aws",
"Region": "us-east-1",
"DataClassification": {
"DetailedResultsLocation": "s3://macie-data-discovery-results/AWSLogs/111122223333/Macie/us-east-1/698e99c283a255bb2c992feceexample/111122223333/32b8485d-4f3a-3aa1-be33-aa3f0example.jsonl.gz",
"Result":{
"MimeType": "text/tsv",
"SizeClassified": 14,
"AdditionalOccurrences": false,
"Status": {
"Code": "COMPLETE"
},
"SensitiveData": [
{
"Category": "PERSONAL_INFORMATION",
"Detections": [
{
"Count": 1,
"Type": "USA_SOCIAL_SECURITY_NUMBER",
"Occurrences": {
"Cells": [
{
"Column": 10,
"Row": 1,
"ColumnName": "Other"
}
]
}
}
],
"TotalCount": 1
}
],
"CustomDataIdentifiers": {
"Detections": [
],
"TotalCount": 0
}
}
},
"Details": {
"AwsS3Object": {
"LastModified": "2022-04-22T18:16:46.000Z",
"ETag": "ebe1ca03ee8d006d457444445example",
"VersionId": "SlBC72z5hArgexOJifxw_IN57example",
"ServerSideEncryption": "aws:kms",
"SSEKMSKeyId": "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
}
}
}
],
"WorkflowState": "NEW",
"Workflow": {
"Status": "NEW"
},
"RecordState": "ACTIVE",
"FindingProviderFields": {
"Severity": {
"Label": "HIGH"
},
"Types": [
"Sensitive Data Identifications/PII/SensitiveData:S3Object-Personal"
]
},
"Sample": false,
"ProcessedAt": "2022-05-11T10:23:49.667Z"
}
Example of a policy finding in Security Hub
Here's an example of a new policy finding that Macie published to Security Hub in the ASFF.
{
"SchemaVersion": "2018-10-08",
"Id": "36ca8ba0-caf1-4fee-875c-37760example",
"ProductArn": "arn:aws:securityhub:us-east-1::product/aws/macie",
"ProductName": "Macie",
"CompanyName": "Amazon",
"Region": "us-east-1",
"GeneratorId": "aws/macie",
"AwsAccountId": "111122223333",
"Types": [
"Software and Configuration Checks/AWS Security Best Practices/Policy:IAMUser-S3BlockPublicAccessDisabled"
],
"CreatedAt": "2022-04-24T09:27:43.313Z",
"UpdatedAt": "2022-04-24T09:27:43.313Z",
"Severity": {
"Label": "HIGH",
"Normalized": 70
},
"Title": "Block Public Access settings are disabled for the S3 bucket",
"Description": "All Amazon S3 block public access settings are disabled for the Amazon S3 bucket. Access to the bucket is controlled only by access control lists (ACLs) or bucket policies.",
"ProductFields": {
"S3Bucket.effectivePermission": "NOT_PUBLIC",
"S3Bucket.allowsUnencryptedObjectUploads": "FALSE",
"aws/securityhub/FindingId": "arn:aws:securityhub:us-east-1::product/aws/macie/36ca8ba0-caf1-4fee-875c-37760example",
"aws/securityhub/ProductName": "Macie",
"aws/securityhub/CompanyName": "Amazon"
},
"Resources": [
{
"Type": "AwsS3Bucket",
"Id": "arn:aws:s3:::amzn-s3-demo-bucket",
"Partition": "aws",
"Region": "us-east-1",
"Tags": {
"Team": "Recruiting",
"Division": "HR"
},
"Details": {
"AwsS3Bucket": {
"OwnerId": "7009a8971cd538e11f6b6606438875e7c86c5b672f46db45460ddcd08example",
"OwnerName": "johndoe",
"OwnerAccountId": "444455556666",
"CreatedAt": "2020-11-25T18:24:38.000Z",
"ServerSideEncryptionConfiguration": {
"Rules": [
{
"ApplyServerSideEncryptionByDefault": {
"SSEAlgorithm": "aws:kms",
"KMSMasterKeyID": "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
}
}
]
},
"PublicAccessBlockConfiguration": {
"BlockPublicAcls": false,
"BlockPublicPolicy": false,
"IgnorePublicAcls": false,
"RestrictPublicBuckets": false
}
}
}
}
],
"WorkflowState": "NEW",
"Workflow": {
"Status": "NEW"
},
"RecordState": "ACTIVE",
"FindingProviderFields": {
"Severity": {
"Label": "HIGH"
},
"Types": [
"Software and Configuration Checks/AWS Security Best Practices/Policy:IAMUser-S3BlockPublicAccessDisabled"
]
},
"Sample": false
}
Integrating Macie with AWS Security Hub
To integrate Amazon Macie with AWS Security Hub, enable Security Hub for your AWS account. To learn how, see Enabling Security Hub in the AWS Security Hub User Guide.
When you enable both Macie and Security Hub, the integration is enabled automatically. By default, Macie begins to publish new and updated policy findings to Security Hub automatically. You don't need to take additional steps to configure the integration. If you have existing policy findings when the integration is enabled, Macie doesn't publish them to Security Hub. Instead, Macie publishes only those policy findings that it creates or updates after the integration is enabled.
You can optionally customize your configuration by choosing the frequency with which Macie publishes updates to policy findings in Security Hub. You can also choose to publish sensitive data findings to Security Hub. To learn how, see Configuring publication settings for findings.
Stopping publication of Macie findings to AWS Security Hub
To stop publishing Amazon Macie findings to AWS Security Hub, you can change the publication settings for your Macie account. To learn how, see Choosing publication destinations for findings. You can also do this by using Security Hub. To learn how, see Disabling the flow of findings from an integration in the AWS Security Hub User Guide.