π AWS S3 Bucket sensitive data is not discovered, classified, and secured π’
- Contextual name: π Bucket sensitive data is not discovered, classified, and secured π’
- ID:
/ce/ca/aws/s3/bucket-sensitive-data-discovered-classified-and-secured
- Located in: π AWS S3
Flagsβ
- π’ Impossible policy
- π’ Policy with categories
- π’ Policy with type
Our Metadataβ
- Policy Type:
COMPLIANCE_POLICY
- Policy Category:
SECURITY
Similar Policiesβ
- Cloud Conformity
Descriptionβ
Descriptionβ
Amazon S3 buckets can contain sensitive data, that for security purposes should be discovered, monitored, classified and protected. Macie along with other 3rd party tools can automatically provide an inventory of Amazon S3 buckets.
Rationaleβ
Using a Cloud service or 3rd Party software to continuously monitor and automate the process of data discovery and classification for S3 buckets using machine learning and pattern matching is a strong defense in protecting that information.
Amazon Macie is a fully managed data security and data privacy service that uses machine learning and pattern matching to discover and protect your sensitive data in AWS.
Impactβ
There is a cost associated with using Amazon Macie. There is also typically a cost associated with 3rd Party tools that perform similar processes and protection.
Auditβ
Perform the following steps to determine if Macie is running:
From Consoleβ
- Login to the Macie console at https://console.aws.amazon.com/macie/.
- In the left hand pane click on By job under findings.
... see more
Remediationβ
Remediationβ
Perform the steps below to enable and configure Amazon Macie:
From Consoleβ
- Log on to the Macie console at https://console.aws.amazon.com/macie/.
- Click
Get started
.- Click
Enable Macie
.Setup a repository for sensitive data discovery results:
- In the Left pane, under Settings, click
Discovery results
.- Make sure
Create bucket
is selected.- Create a bucket, enter a name for the bucket. The name must be unique across all S3 buckets. In addition, the name must start with a lowercase letter or a number.
- Click on
Advanced
.- Block all public access, make sure
Yes
is selected.- KMS encryption, specify the AWS KMS key that you want to use to encrypt the results. The key must be a symmetric, customer master key (CMK) that's in the same Region as the S3 bucket.
- Click on
Save
.Create a job to discover sensitive data:
- In the left pane, click
S3 buckets
. Macie displays a list of all the S3 buckets for your account.- Select the
check box
for each bucket that you want Macie to analyze as part of the job.... see more