🛡️ AWS S3 Bucket sensitive data is not discovered, classified, and secured 🟢⚪
- Contextual name: 🛡️ Bucket sensitive data is not discovered, classified, and secured 🟢⚪
- ID: /ce/ca/aws/s3/bucket-sensitive-data-discovered-classified-and-secured
- Tags:
  - ⚪ Impossible policy
  - 🟢 Policy with categories
  - 🟢 Policy with type
- Policy Type: COMPLIANCE_POLICY
- Policy Categories: SECURITY
Similar Policies
- Cloud Conformity: Amazon Macie In Use
Description
Amazon S3 buckets can contain sensitive data that, for security purposes, should be discovered, monitored, classified, and protected. Macie, along with other third-party tools, can automatically provide an inventory of Amazon S3 buckets.
Rationale
Using a cloud service or third-party software to continuously monitor S3 buckets and automate data discovery and classification with machine learning and pattern matching is a strong defense for protecting that information.
Amazon Macie is a fully managed data security and data privacy service that uses machine learning and pattern matching to discover and protect your sensitive data in AWS.
Impact
There is a cost associated with using Amazon Macie. There is also typically a cost associated with third-party tools that perform similar processes and protection.
Audit
Perform the following steps to determine if Macie is running:
From Console
- Log in to the Macie console at https://console.aws.amazon.com/macie/.
- In the left-hand pane, under Findings, click By job.
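The console check above can also be scripted against the macie2 API. This is an added example, not part of this policy page or any vendor rule: the pass/fail rule it applies is an assumption stated in the docstring, the boto3 calls are real but need AWS credentials, and the sample responses are constructed here so the evaluation can be exercised offline.

```python
from __future__ import annotations


def evaluate_macie(session: dict | None, jobs: list[dict]) -> tuple[bool, str]:
    """Decide the policy result from a GetMacieSession response (None when Macie
    is not enabled) and ListClassificationJobs items (jobType, jobStatus, name).
    Assumed rule: Macie is ENABLED and at least one SCHEDULED job is live
    (RUNNING or IDLE) or one ONE_TIME job is COMPLETE."""
    if session is None:
        return False, "Macie is not enabled in this account and Region"
    if session.get("status") != "ENABLED":
        return False, f"Macie session status is {session.get('status')}"
    for job in jobs:
        kind, status = job.get("jobType"), job.get("jobStatus")
        if (kind == "SCHEDULED" and status in ("RUNNING", "IDLE")) or (
            kind == "ONE_TIME" and status == "COMPLETE"
        ):
            return True, f"discovery job '{job.get('name')}' covers S3 buckets"
    return False, "Macie is enabled but no sensitive data discovery job has run"


def fetch_macie_state(region: str) -> tuple[dict | None, list[dict]]:
    """Live lookup with boto3 (needs AWS credentials); imported lazily so that
    evaluate_macie() can run offline without boto3 installed."""
    import boto3
    from botocore.exceptions import ClientError
    macie = boto3.client("macie2", region_name=region)
    try:
        session = macie.get_macie_session()
    except ClientError as exc:
        # Until Macie is enabled, its API rejects calls with AccessDeniedException.
        if exc.response["Error"]["Code"] == "AccessDeniedException":
            return None, []
        raise
    jobs: list[dict] = []
    for page in macie.get_paginator("list_classification_jobs").paginate():
        jobs.extend(page.get("items", []))
    return session, jobs


# Constructed sample responses, shaped like the macie2 API output.
SAMPLE_SESSION = {"status": "ENABLED", "findingPublishingFrequency": "FIFTEEN_MINUTES"}
SAMPLE_JOBS = [
    {"name": "weekly-pii-scan", "jobType": "SCHEDULED", "jobStatus": "IDLE"},
    {"name": "old-one-off", "jobType": "ONE_TIME", "jobStatus": "CANCELLED"},
]

if __name__ == "__main__":  # usage: python macie_audit.py [region]
    import sys
    state = fetch_macie_state(sys.argv[1]) if len(sys.argv) > 1 else (SAMPLE_SESSION, SAMPLE_JOBS)
    ok, reason = evaluate_macie(*state)
    print(("PASS" if ok else "FAIL") + ": " + reason)
```

Run it with a Region argument to query a real account; without one it evaluates the constructed sample and reports PASS.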
Remediation
Perform the steps below to enable and configure Amazon Macie:
From Console
- Log on to the Macie console at https://console.aws.amazon.com/macie/.
- Click Get started.
- Click Enable Macie.

Set up a repository for sensitive data discovery results:
- In the left pane, under Settings, click Discovery results.
- Make sure Create bucket is selected.
- Create a bucket: enter a name for the bucket. The name must be unique across all S3 buckets. In addition, the name must start with a lowercase letter or a number.
- Click on Advanced.
- Under Block all public access, make sure Yes is selected.
- Under KMS encryption, specify the AWS KMS key that you want to use to encrypt the results. The key must be a symmetric customer master key (CMK) that's in the same Region as the S3 bucket.
- Click on Save.

Create a job to discover sensitive data:
- In the left pane, click S3 buckets. Macie displays a list of all the S3 buckets for your account.
- Select the check box for each bucket that you want Macie to analyze as part of the job.