Control: 3.1.3 Ensure all data in Amazon S3 has been discovered, classified, and secured when necessary
Description
Amazon S3 buckets can contain sensitive data that, for security purposes, should be discovered, monitored, classified, and protected. Amazon Macie, or an equivalent third-party tool, can automatically inventory the S3 buckets in an account and discover sensitive data stored in them.
Remediation
Perform the steps below to enable and configure Amazon Macie:
From Console:
- Log on to the Macie console at https://console.aws.amazon.com/macie/.
- Click Get started.
- Click Enable Macie.
Set up a repository for sensitive data discovery results:
- In the left pane, under Settings, click Discovery results.
- Make sure Create bucket is selected.
- Create a bucket and enter a name for it. The name must be unique across all S3 buckets, and it must start with a lowercase letter or a number.
- Click Advanced.
- For Block all public access, make sure Yes is selected.
- For KMS encryption, specify the AWS KMS key that you want to use to encrypt the results. The key must be a symmetric customer master key (CMK) that is in the same region as the S3 bucket.
- Click Save.
Create a job to discover sensitive data:
- In the left pane, click S3 buckets. Macie displays a list of all the S3 buckets for your account.
- Check the box for each bucket that you want Macie to analyze as part of the job.
- Click Create job.
- Click Quick create.
- For the Name and Description step, enter a name and, optionally, a description of the job.
- Click Next.
- For the Review and create step, click Submit.
Review your findings:
- In the left pane, click Findings.
- To view the details of a specific finding, choose any field other than the check box for the finding.
If you are using a third-party tool to manage and protect your S3 data, follow the vendor documentation for implementing and configuring that tool.
Default Value:
By default, Amazon S3 does not perform data discovery, classification, or monitoring. Services such as Amazon Macie or third-party tools must be explicitly enabled and configured.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.cis_v600_3_1_3
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run aws_compliance.control.cis_v600_3_1_3 --share
SQL
This control uses a named query:
-- Collect every bucket name that appears in the BucketDefinitions of any
-- Macie classification job. distinct prevents a bucket covered by several
-- jobs from producing duplicate rows in the left join below.
with bucket_list as (
  select distinct
    jsonb_array_elements_text(d -> 'Buckets') as bucket_name
  from
    aws_macie2_classification_job,
    jsonb_array_elements(s3_job_definition -> 'BucketDefinitions') as d
)
select
  b.arn as resource,
  case
    when b.region = any(array['us-gov-east-1', 'us-gov-west-1']) then 'skip'
    when l.bucket_name is not null then 'ok'
    else 'alarm'
  end as status,
  case
    when b.region = any(array['us-gov-east-1', 'us-gov-west-1']) then b.title || ' not protected by Macie as Macie is not supported in ' || b.region || '.'
    when l.bucket_name is not null then b.title || ' protected by Macie.'
    else b.title || ' not protected by Macie.'
  end as reason,
  b.region,
  b.account_id
from
  aws_s3_bucket as b
  left join bucket_list as l on b.name = l.bucket_name;
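The query above reports a bucket as protected whenever its name appears in the BucketDefinitions of any Macie classification job, regardless of the job's state. The following Python is an added example, not part of the Powerpipe mod or the CIS benchmark: it evaluates the same ok/alarm/skip logic over constructed sample records shaped like the aws_s3_bucket and aws_macie2_classification_job rows, and adds the caveat a practitioner would want, namely that a job whose job_status is CANCELLED no longer scans anything and should not count as coverage. The bucket names, account ID and job IDs are hypothetical.

```python
"""Added example: evaluate the CIS 3.1.3 Macie coverage check over
constructed S3 bucket and Macie classification-job records. The data
below is hypothetical and is not pulled from an AWS account."""

# Macie is not available in these regions, so the control skips them.
MACIE_UNSUPPORTED_REGIONS = {"us-gov-east-1", "us-gov-west-1"}

# A cancelled classification job cannot be resumed, so listing a bucket in
# one gives no ongoing discovery. (Extra check the page's SQL does not do.)
INACTIVE_JOB_STATUSES = {"CANCELLED"}

# Constructed sample buckets (shape of aws_s3_bucket rows).
BUCKETS = [
    {"name": "app-logs", "arn": "arn:aws:s3:::app-logs",
     "region": "us-east-1", "account_id": "111122223333"},
    {"name": "customer-exports", "arn": "arn:aws:s3:::customer-exports",
     "region": "us-east-1", "account_id": "111122223333"},
    {"name": "stale-bucket", "arn": "arn:aws:s3:::stale-bucket",
     "region": "eu-west-1", "account_id": "111122223333"},
    {"name": "gov-archive", "arn": "arn:aws:s3:::gov-archive",
     "region": "us-gov-west-1", "account_id": "111122223333"},
]

# Constructed sample jobs (shape of aws_macie2_classification_job rows).
JOBS = [
    {"job_id": "job-running-1", "job_status": "RUNNING",
     "s3_job_definition": {"BucketDefinitions": [
         {"AccountId": "111122223333",
          "Buckets": ["app-logs", "customer-exports"]}]}},
    {"job_id": "job-cancelled-1", "job_status": "CANCELLED",
     "s3_job_definition": {"BucketDefinitions": [
         {"AccountId": "111122223333", "Buckets": ["stale-bucket"]}]}},
]


def covered_buckets(jobs, ignore_inactive=True):
    """Return the set of bucket names named by classification jobs.

    With ignore_inactive=False this matches the page's SQL exactly; with
    the default True, cancelled jobs are skipped."""
    names = set()
    for job in jobs:
        if ignore_inactive and job.get("job_status") in INACTIVE_JOB_STATUSES:
            continue
        definitions = job["s3_job_definition"].get("BucketDefinitions", [])
        for definition in definitions:
            names.update(definition.get("Buckets", []))
    return names


def evaluate(buckets, jobs, ignore_inactive=True):
    """Produce one result row per bucket with the control's status/reason."""
    covered = covered_buckets(jobs, ignore_inactive)
    results = []
    for b in buckets:
        if b["region"] in MACIE_UNSUPPORTED_REGIONS:
            status = "skip"
            reason = (f"{b['name']} not protected by Macie as Macie is not "
                      f"supported in {b['region']}.")
        elif b["name"] in covered:
            status = "ok"
            reason = f"{b['name']} protected by Macie."
        else:
            status = "alarm"
            reason = f"{b['name']} not protected by Macie."
        results.append({"resource": b["arn"], "status": status,
                        "reason": reason, "region": b["region"],
                        "account_id": b["account_id"]})
    return results


if __name__ == "__main__":
    for row in evaluate(BUCKETS, JOBS):
        print(row["status"].ljust(5), row["reason"])
```

Running it shows stale-bucket in alarm because its only job is cancelled; calling evaluate(BUCKETS, JOBS, ignore_inactive=False) reports it as ok, which is what the page's SQL would say. If that distinction matters in your environment, extend the SQL with a filter on job_status in the same way.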