Control: 2.1.4 Ensure all data in Amazon S3 has been discovered, classified and secured when required
Description
Macie along with other 3rd party tools can be used to discover, monitor, classify, and inventory S3 buckets.
Using a Cloud service or 3rd Party software to continuously monitor and automate the process of data discovery and classification for S3 buckets using machine learning and pattern matching is a strong defense in protecting that information.
Remediation
From Console
- Enable Macie through the Macie console.
- Create an S3 bucket to use as a repository for sensitive data discovery results.
- Select the buckets you want Macie to analyze and then create a job.
- After the job has run, review the findings by selecting Findings in the left pane.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.cis_v150_2_1_4Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run aws_compliance.control.cis_v150_2_1_4 --shareSQL
This control uses a named query:
with bucket_list as ( select trim(b::text, '"' ) as bucket_name from aws_macie2_classification_job, jsonb_array_elements(s3_job_definition -> 'BucketDefinitions') as d, jsonb_array_elements(d -> 'Buckets') as b)select b.arn as resource, case when b.region = any(array['us-gov-east-1', 'us-gov-west-1']) then 'skip' when l.bucket_name is not null then 'ok' else 'alarm' end as status, case when b.region = any(array['us-gov-east-1', 'us-gov-west-1']) then b.title || ' not protected by Macie as Macie is not supported in ' || b.region || '.' when l.bucket_name is not null then b.title || ' protected by Macie.' else b.title || ' not protected by Macie.' end as reason , b.region, b.account_idfrom aws_s3_bucket as b left join bucket_list as l on b.name = l.bucket_name;