Use Security Hub custom actions to remediate S3 resources based on Macie discovery results
The amount of data available to be collected, stored, and processed within an organization's AWS environment can grow rapidly and exponentially. This increases the operational complexity and the need to identify and protect sensitive data. If your security teams need to review and remediate security risks manually, they would either need a large team or the remediation might not be timely. There is also a chance that with a manual process, a step could be missed or the wrong action could be taken. As a result, your security teams will need an automated and scalable way to support these processes efficiently.
<p><a href="https://aws.amazon.com/macie/" target="_blank" rel="noopener noreferrer">Amazon Macie</a> is a fully managed data security and data privacy service that uses machine learning and pattern matching to discover and protect your sensitive data in AWS. Macie generates findings for sensitive data in an S3 object or for a potential issue with the security or privacy of an S3 bucket. <a href="https://aws.amazon.com/security-hub/" target="_blank" rel="noopener noreferrer">AWS Security Hub</a> gives you a centralized view of the security posture across your AWS environment by aggregating security findings from various AWS services and partner products, including Amazon Macie. Security Hub also includes the <a href="https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cwe-custom-actions.html" rel="noopener noreferrer" target="_blank">custom actions</a> feature, which you can use to create actions for response and remediation of selected findings within the Security Hub console in an efficient and consistent manner.</p>
<p>It is important for your security teams to have effective and standardized mechanisms for taking action on Macie findings to make sure that data remains secure. By using Security Hub custom actions, you can have predefined actions for the security team to take against Macie findings without having to manually find and remediate the resources.</p>
<p>This blog post provides an example solution for responding to Macie <a href="https://docs.aws.amazon.com/macie/latest/user/macie-terms.html#macie-terms-sensitive-data-finding" target="_blank" rel="noopener noreferrer">sensitive data findings</a> and <a href="https://docs.aws.amazon.com/macie/latest/user/macie-terms.html#macie-terms-policy-finding" target="_blank" rel="noopener noreferrer">policy findings</a> in Security Hub by using custom actions. I will walk through the components of the solution, as well as opportunities where resources can be customized for your specific use case.</p>
<h2>Prerequisites</h2>
<p>You must have <a href="https://aws.amazon.com/security-hub" target="_blank" rel="noopener noreferrer">AWS Security Hub</a> and <a href="http://aws.amazon.com/macie" target="_blank" rel="noopener noreferrer">Amazon Macie</a> enabled in the AWS account where you are deploying this solution.</p>
<h2>Solution overview</h2>
<p>In this solution, you'll use a combination of Security Hub custom actions, <a href="https://aws.amazon.com/eventbridge/" target="_blank" rel="noopener noreferrer">Amazon EventBridge</a>, and <a href="http://aws.amazon.com/lambda" target="_blank" rel="noopener noreferrer">AWS Lambda</a> to take action on Macie findings in Security Hub. You will be working with the findings within the same AWS account where you deployed the solution.</p>
<p>Macie generates two categories of findings related to different resources, which require different remediation actions.</p>
<ol>
<li>Policy finding is a detailed report of a potential policy violation or issue with the security or privacy of an <a href="https://aws.amazon.com/s3/" target="_blank" rel="noopener noreferrer">Amazon Simple Storage Service (Amazon S3)</a> bucket.</li>
<li>Sensitive data finding is a detailed report of sensitive data in an S3 object.</li>
</ol>
<p>A full list of Macie finding types can be found in the <a href="https://docs.aws.amazon.com/macie/latest/user/findings-types.html" target="_blank" rel="noopener noreferrer">Macie User Guide</a>.</p>
<p>For each Macie finding category, there is an associated Security Hub custom action:</p>
<ol>
<li>Custom action for sensitive data finding (S3 object) – When the security team selects this custom action, it invokes a Lambda function that takes the following steps on the S3 object in the Macie finding:
<ol>
<li>Tag the object with the Security Hub finding ID</li>
<li>Encrypt the S3 object with a different customer-managed KMS key</li>
<li>Update the Security Hub finding workflow status to RESOLVED</li>
</ol> </li>
<li>Custom action for policy finding (S3 bucket) – When you choose this custom action, it invokes a Lambda function that takes the following steps on the S3 bucket in the Macie finding:
<ol>
<li>Tag the bucket with the Security Hub finding ID</li>
<li>Update the S3 bucket configuration to:
<ul>
<li>Enable default encryption</li>
<li>Enable public access block</li>
</ul> </li>
<li>Update the Security Hub finding workflow status to RESOLVED</li>
</ol> </li>
</ol>
<p>The solution is configured to take action within the AWS account where the finding and the corresponding resource are generated. To enable cross-account remediation, you will need to deploy an additional IAM role for the automation to assume, and provision a KMS key to use for encryption.</p>
<blockquote>
<p><strong>Note</strong>: The custom actions in this solution are meant to be examples of actions to take against Macie policy and sensitive data findings. These actions will change based on your environment and use case. You will also need to review and update the IAM policies of the associated Lambda function execution role accordingly.</p>
</blockquote>
<h2>Solution architecture</h2>
<div id="attachment_26527" class="wp-caption aligncenter">
<img aria-describedby="caption-attachment-26527" src="https://d2908q01vomqb2.cloudfront.net/22d200f8670dbdb3e253a90eee5098477c95c23d/2022/07/13/image1.png" alt="Figure 1: Resources deployed in the Security AWS account taking action on resources identified in the Workload AWS account" width="760" height="442" class="size-full wp-image-26527">
<p id="caption-attachment-26527" class="wp-caption-text">Figure 1: Resources deployed in the Security AWS account taking action on resources identified in the Workload AWS account</p>
</div>
<p>Figure 1 shows the architecture for the solution. The workflow is as follows:</p>
<ol>
<li>The Macie job runs and creates findings, which are sent to Security Hub in the same AWS account as the Macie finding.</li>
<li>The delegated administrator Security Hub account aggregates findings across all member Security Hub accounts, including Macie findings.</li>
<li>The security team reviews the Macie findings in the Security Hub delegated administrator account and decides to take remediation action for a finding by selecting the finding and choosing the appropriate Security Hub custom action.</li>
<li>The Security Hub custom action sends the finding to the EventBridge rule, which is associated with the Lambda function.</li>
<li>The EventBridge rule invokes the Lambda function to take action against the resources associated with the Macie finding.</li>
<li>The Lambda function will:
<ol>
<li>Take action on the S3 resource</li>
<li>Tag the Macie finding as resolved in the delegated administrator Security Hub account</li>
</ol> </li>
</ol>
<p>The solution is currently intended to work within a single Region. To enable this solution across Regions, you will need to change the remediation Lambda function code for any regional resources used in remediation actions (for example, <a href="https://aws.amazon.com/kms/" target="_blank" rel="noopener noreferrer">AWS Key Management Service</a>).</p>
<h2>Deploy the solution</h2>
<p>You can deploy the solution through either the AWS Management Console or the <a href="https://aws.amazon.com/cdk/" target="_blank" rel="noopener noreferrer">AWS Cloud Development Kit (AWS CDK)</a>.</p>
<p><strong>To deploy the solution by using the AWS Management Console</strong></p>
<ul>
<li>In your security tooling account, launch the <a href="http://aws.amazon.com/cloudformation" target="_blank" rel="noopener noreferrer">AWS CloudFormation</a> template by choosing the following <strong>Launch Stack</strong> button. It takes approximately 10 minutes for the CloudFormation stack to complete.<br><a href="https://console.aws.amazon.com/cloudformation/home?region=us-east-1#/stacks/new?stackName=securityhubmaciecustomactions&templateURL=https://awsiammedia.s3.amazonaws.com/public/sample/1368-security-hub-custom-actions-to-remediate-s3/macie-remediation-solution.yaml" rel="noopener noreferrer" target="_blank"><img src="https://d2908q01vomqb2.cloudfront.net/22d200f8670dbdb3e253a90eee5098477c95c23d/2019/06/05/launch-stack-button.png" alt="Select this image to open a link that starts building the CloudFormation stack" width="190" height="36" class="aligncenter size-full wp-image-10149"></a><br><blockquote>
<p><strong>Note:</strong> The stack will launch in the N. Virginia (us-east-1) Region. To deploy this solution into other AWS Regions, <a href="https://github.com/aws-samples/security-hub-macie-remediation" target="_blank" rel="noopener noreferrer">download the solution's CloudFormation template</a>, modify it, and deploy it to the selected Region.</p>
</blockquote> </li>
<li>(OPTIONAL) If you want to enable cross-account remediation, launch the following AWS CloudFormation template in the AWS account where you want to take remediation actions. You can also use <a href="https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/what-is-cfnstacksets.html" target="_blank" rel="noopener noreferrer">AWS CloudFormation StackSets</a> if you are deploying to multiple AWS accounts.<br><a href="https://console.aws.amazon.com/cloudformation/home?region=us-east-1#/stacks/new?stackName=securityhubmaciecrossaccountrole&templateURL=https://awsiammedia.s3.amazonaws.com/public/sample/1368-security-hub-custom-actions-to-remediate-s3/macie-remediation-cross-account-iam-role.yaml" rel="noopener noreferrer" target="_blank"><img src="https://d2908q01vomqb2.cloudfront.net/22d200f8670dbdb3e253a90eee5098477c95c23d/2019/06/05/launch-stack-button.png" alt="Select this image to open a link that starts building the CloudFormation stack" width="190" height="36" class="aligncenter size-full wp-image-10149"></a></li>
</ul>
<p><strong>To deploy the solution by using the AWS CDK</strong></p>
<p>You can find the latest code in <a href="https://github.com/aws-samples/security-hub-macie-remediation" target="_blank" rel="noopener noreferrer">our GitHub repository</a>, where you can also contribute to the sample code. The following commands show how to deploy the solution by using the AWS CDK. First, the CDK bootstraps your environment and uploads the AWS Lambda assets to Amazon S3. Then you can deploy the solution to your account. Make sure to replace <span>&lt;AWS_Account&gt;</span> with your account number, and replace <span>&lt;Region&gt;</span> with the AWS Region that you want the solution deployed to.</p>
<ol>
<li>Run the following commands in your terminal while authenticated to the security tooling AWS account: <p>cdk bootstrap aws://<span>&lt;Security_Tooling_AWS_Account&gt;</span>/<span>&lt;Region&gt;</span></p> <p>cdk deploy MacieRemediationStack</p> </li>
<li>(OPTIONAL) To enable cross-account remediation, run the following commands in your terminal while authenticated to the associate AWS account: <p>cdk bootstrap aws://<span>&lt;Associate_AWS_Account&gt;</span>/<span>&lt;Region&gt;</span></p> <p>cdk deploy MacieRemediationIAMStack --parameters solutionaccount=<span>&lt;Security_Tooling_AWS_Account&gt;</span></p> </li>
</ol>
<h2>Solution validation< and walkthrough;/h2>
<p>Given that you’ve successfully deployed the answer, you can view things doing his thing. You have two choices for tests the workflow by yourself:</p>
<ol>
<li>Use a <a href="https://docs.aws.amazon.com/macie/latest/user/findings-publish-event-schemas.html" target="_blank" rel="noopener noreferrer">sample event</a>, generated by a Macie finding in Security Hub, and invoke the Lambda function that is associated with the Security Hub custom action.<br><blockquote>
<p><strong>Note:</strong> If you use sample events, you can replace the values for the resources with real resources. Otherwise, you won't be able to see the Lambda function successfully take action, because the resource in your sample event might not exist.</p>
</blockquote> </li>
<li>Generate demo Macie findings in Security Hub by using this <a href="https://github.com/aws-samples/amazon-macie-demo-with-sample-data" target="_blank" rel="noopener noreferrer">sample data for Amazon Macie</a>.</li>
</ol>
<p>I have existing Macie findings generated in my AWS account, and in the procedures in this section I'll walk through taking action against them.</p>
<blockquote>
<p><strong>Note:</strong> If you set up Macie and Security Hub in a delegated administrator and associate model that ingests findings from other AWS accounts, the IAM remediation roles for the S3 bucket and S3 objects must be deployed in the member accounts.</p>
</blockquote>
<h3>Review deployed resources in the AWS console</h3>
<p>Before taking action on your sample findings, review the deployed resources that you'll use.</p>
<p><strong>To review deployed resources</strong></p>
<ol>
<li>In the console of the AWS account where the automation was deployed, go to <strong>Security Hub</strong>, select <strong>Settings</strong>, and then choose <strong>Custom actions</strong>. You should see two custom actions:
<ul>
<li><strong>Macie Policy Finding</strong>
<ul>
<li>arn:aws:securityhub:<span>&lt;region&gt;</span>:<span>&lt;account-id&gt;</span>:action/custom/MacieS3BucketPolicy</li>
</ul> </li>
<li><strong>Macie Data Finding</strong>
<ul>
<li>arn:aws:securityhub:<span>&lt;region&gt;</span>:<span>&lt;account-id&gt;</span>:action/custom/MacieSensitiveData
<div id="attachment_26531" class="wp-caption aligncenter">
<img aria-describedby="caption-attachment-26531" src="https://d2908q01vomqb2.cloudfront.net/22d200f8670dbdb3e253a90eee5098477c95c23d/2022/07/13/image2-1024x364.png" alt="Figure 2: Custom actions in Security Hub" width="700" class="size-large wp-image-26531">
<p id="caption-attachment-26531" class="wp-caption-text">Figure 2: Custom actions in Security Hub</p>
</div> </li>
</ul> </li>
</ul> </li>
<li>Go to the EventBridge console and choose <strong>Rules</strong>. You should see four rules:
<ul>
<li><strong>Disabled</strong> – These are disabled by default during deployment:
<ul>
<li>Autoremediate_Macie_Policy_Finding</li>
<li>Autoremediate_Macie_Sensitive_Data_Finding
<div id="attachment_26532" class="wp-caption aligncenter">
<img aria-describedby="caption-attachment-26532" src="https://d2908q01vomqb2.cloudfront.net/22d200f8670dbdb3e253a90eee5098477c95c23d/2022/07/13/image3-1.png" alt="Figure 3: Disabled EventBridge rules for autoremediation of Macie findings in Security Hub" width="700" height="70" class="size-full wp-image-26532">
<p id="caption-attachment-26532" class="wp-caption-text">Figure 3: Disabled EventBridge rules for autoremediation of Macie findings in Security Hub</p>
</div> </li>
</ul> </li>
<li><strong>Enabled</strong> – These are enabled by default during deployment:
<ul>
<li>Custom_Action_Macie_Policy_Finding</li>
<li>Custom_Action_Macie_Sensitive_Data_Finding
<div id="attachment_26533" class="wp-caption aligncenter">
<img aria-describedby="caption-attachment-26533" src="https://d2908q01vomqb2.cloudfront.net/22d200f8670dbdb3e253a90eee5098477c95c23d/2022/07/13/image4-1.png" alt="Figure 4: Enabled EventBridge rules associated with the Security Hub custom actions" width="698" height="69" class="size-full wp-image-26533">
<p id="caption-attachment-26533" class="wp-caption-text">Figure 4: Enabled EventBridge rules associated with the Security Hub custom actions</p>
</div> </li>
</ul> </li>
</ul> <p>In the enabled EventBridge rules, you should see the corresponding Security Hub custom action Amazon Resource Names (ARNs) in the rule event pattern.</p>
<div id="attachment_26534" class="wp-caption aligncenter">
<img aria-describedby="caption-attachment-26534" src="https://d2908q01vomqb2.cloudfront.net/22d200f8670dbdb3e253a90eee5098477c95c23d/2022/07/13/image5-1-1024x264.png" alt="Figure 5: Enabled EventBridge rule event pattern for the Security Hub custom action" width="700" class="size-large wp-image-26534">
<p id="caption-attachment-26534" class="wp-caption-text">Figure 5: Enabled EventBridge rule event pattern for the Security Hub custom action</p>
</div> </li>
</ol>
<h3>Take action on an Amazon Macie policy or object finding</h3>
<p>Each Security Hub custom action invokes a corresponding Lambda function that is configured as a target in the EventBridge rule. The Lambda function parses the information in the Macie finding from Security Hub to take action.</p>
<p>Each Security Hub custom action is specific to either an S3 object or an S3 bucket. If you attempt a custom action intended for an S3 object against a Macie policy finding, this will successfully initiate the custom action, but the Lambda function that is invoked will be unsuccessful.</p>
<p>If the Macie finding is specific to an S3 object, the title will display "The S3 object …," whereas if the Macie finding is a policy finding, the title will display information for an S3 bucket.</p>
<p><strong>To take action on findings</strong></p>
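<p>The two action lists from the solution overview and the Lambda behaviour described in this section, worked through as an added example (my code, not the solution's or the aws-samples repository's): a single handler that inspects the resource types in the finding to choose the object or bucket path, so the object-versus-bucket mismatch described above becomes a handled case, and that builds the boto3 calls as data so the decision logic can be checked without AWS access. Assumed, because the post does not state them: the full KMS alias <code>alias/macie_key</code>, the tag key <code>SH_Finding_ID</code>, and a same-account deployment.</p>

```python
"""Added example, not the solution's own code: one Lambda handler for both Macie finding kinds sent
by a Security Hub custom action. Assumed, not from the post: KMS alias 'alias/macie_key', tag key
SH_Finding_ID, and S3 resources in the same account as the function."""
TAG_KEY = "SH_Finding_ID"        # tag key the post's validation steps look for
KMS_KEY_ID = "alias/macie_key"   # assumed alias of the customer-managed KMS key
S3_ARN_PREFIX = "arn:aws:s3:::"
BLOCK_ALL = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
             "BlockPublicPolicy": True, "RestrictPublicBuckets": True}

def split_s3_arn(arn):
    """Return (bucket, key); key is None for a bucket ARN. Rejects non-S3 ARNs."""
    if not arn.startswith(S3_ARN_PREFIX):
        raise ValueError("not an S3 resource: " + arn)
    bucket, _, key = arn[len(S3_ARN_PREFIX):].partition("/")
    return bucket, (key or None)

def plan_remediation(event):
    """Map a 'Security Hub Findings - Custom Action' event to (client, api, kwargs) steps (pure)."""
    steps = []
    for finding in event["detail"]["findings"]:
        tagging = {"TagSet": [{"Key": TAG_KEY, "Value": finding["Id"]}]}
        by_type = {r["Type"]: r["Id"] for r in finding["Resources"]}
        if "AwsS3Object" in by_type:      # sensitive data finding: act on the object only
            bucket, key = split_s3_arn(by_type["AwsS3Object"])
            steps.append(("s3", "put_object_tagging", {"Bucket": bucket, "Key": key, "Tagging": tagging}))
            # Re-encrypting in place is a copy of the object onto itself under the new key.
            steps.append(("s3", "copy_object", {
                "Bucket": bucket, "Key": key, "CopySource": {"Bucket": bucket, "Key": key},
                "ServerSideEncryption": "aws:kms", "SSEKMSKeyId": KMS_KEY_ID,
                "MetadataDirective": "COPY", "TaggingDirective": "COPY"}))
        elif "AwsS3Bucket" in by_type:    # policy finding: act on the bucket
            bucket, _ = split_s3_arn(by_type["AwsS3Bucket"])
            # put_bucket_tagging replaces the whole tag set; merge existing tags in production.
            steps.append(("s3", "put_bucket_tagging", {"Bucket": bucket, "Tagging": tagging}))
            steps.append(("s3", "put_bucket_encryption", {
                "Bucket": bucket, "ServerSideEncryptionConfiguration": {"Rules": [{
                    "ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms",
                                                          "KMSMasterKeyID": KMS_KEY_ID}}]}}))
            steps.append(("s3", "put_public_access_block",
                          {"Bucket": bucket, "PublicAccessBlockConfiguration": BLOCK_ALL}))
        else:
            raise ValueError("finding %s names no S3 resource" % finding["Id"])
        # Mark the finding RESOLVED in Security Hub only after its resource steps are queued.
        steps.append(("securityhub", "batch_update_findings", {
            "FindingIdentifiers": [{"Id": finding["Id"], "ProductArn": finding["ProductArn"]}],
            "Workflow": {"Status": "RESOLVED"}}))
    return steps

def execute(steps, clients):
    """Run each step against the named client (a boto3 client or a test double)."""
    for name, api, kwargs in steps:
        getattr(clients[name], api)(**kwargs)
    return len(steps)

class RecordingClient:
    """Stand-in for a boto3 client: records (api, kwargs) instead of calling AWS."""
    def __init__(self):
        self.calls = []
    def __getattr__(self, api):
        return lambda **kwargs: self.calls.append((api, kwargs))

def lambda_handler(event, context):
    import boto3  # imported here so everything above stays importable offline
    clients = {"s3": boto3.client("s3"), "securityhub": boto3.client("securityhub")}
    return {"steps_applied": execute(plan_remediation(event), clients)}

# Constructed sample event in the shape Security Hub emits for a custom action; IDs/ARNs are made up.
SAMPLE_EVENT = {"detail-type": "Security Hub Findings - Custom Action", "detail": {
    "actionName": "Macie Data Finding", "findings": [
        {"Id": "finding-object-0001", "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/macie",
         "Resources": [{"Type": "AwsS3Bucket", "Id": "arn:aws:s3:::example-bucket"},
                       {"Type": "AwsS3Object", "Id": "arn:aws:s3:::example-bucket/exports/customers.csv"}]},
        {"Id": "finding-bucket-0002", "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/macie",
         "Resources": [{"Type": "AwsS3Bucket", "Id": "arn:aws:s3:::example-bucket"}]}]}}
```

<p>Running <code>plan_remediation(SAMPLE_EVENT)</code> yields the three object steps followed by the four bucket steps, and <code>execute</code> with <code>RecordingClient</code> instances shows which calls the execution role would need to be allowed to make.</p>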
<ol>
<li>In the console of the AWS account where the automation was deployed, navigate to AWS Security Hub and choose <strong>Findings</strong>.</li>
<li>Filter the findings by setting <strong>Product Name</strong> to <strong>Macie</strong>.
<div id="attachment_26536" class="wp-caption aligncenter">
<img aria-describedby="caption-attachment-26536" src="https://d2908q01vomqb2.cloudfront.net/22d200f8670dbdb3e253a90eee5098477c95c23d/2022/07/13/image6-1.png" alt="Figure 6: Filter for Macie findings in Security Hub" width="760" height="211" class="size-full wp-image-26536">
<p id="caption-attachment-26536" class="wp-caption-text">Figure 6: Filter for Macie findings in Security Hub</p>
</div> </li>
<li>Select the checkbox for a Macie policy finding or a sensitive data finding, and then choose a custom action. When you select the action, there is no confirmation step, and the action will invoke the Lambda function.
<div id="attachment_26537" class="wp-caption aligncenter">
<img aria-describedby="caption-attachment-26537" src="https://infracom.com.sg/wp-content/uploads/2022/07/image7-1-1024x488-1.png" alt="Figure 7: Validate that the custom action has sent the finding to Amazon CloudWatch Events (EventBridge rule)" width="760" class="size-large wp-image-26537">
<p id="caption-attachment-26537" class="wp-caption-text">Figure 7: Validate that the custom action has sent the finding to Amazon CloudWatch Events (EventBridge rule)</p>
</div> </li>
</ol>
<h3>Review and validate the Security Hub custom action on target resources</h3>
<p>To validate or troubleshoot the solution, you should review whether the Lambda function was able to take action against the resources in the Security Hub finding for Macie.</p>
<p><strong>To validate or troubleshoot the custom action</strong></p>
<ol>
<li>For validation of sensitive data finding remediation, review the S3 object configuration:
<ol>
<li>Go to the Amazon S3 console.</li>
<li>Choose the S3 object in the Macie finding.</li>
<li>Choose the <strong>Properties</strong> tab and review the following fields:
<ul>
<li><strong>Tags</strong> should be set to <strong>SH_Finding_ID</strong>.</li>
<li><strong>AWS KMS key ARN</strong> should be set to the KMS key with the alias macie_key
<ol>
<li>Choose the KMS key ARN and validate that the key's alias is the key deployed in the solution</li>
</ol> </li>
</ul> </li>
</ol> </li>
<li>For validation of policy finding remediation, review the S3 bucket configuration:
<ol>
<li>Go to the Amazon S3 console.</li>
<li>Choose the S3 bucket in the Macie finding.</li>
<li>Choose the <strong>Properties</strong> tab and review the following fields:
<ul>
<li><strong>Tags</strong> should be set to <strong>SH_Finding_ID</strong>.</li>
<li><strong>Default Encryption</strong> should be set to <strong>Enabled</strong>.</li>
</ul> </li>
<li>Choose the <strong>Permissions</strong> tab and review the following field:
<ul>
<li>Block public access should be set to <strong>On</strong>.</li>
</ul> </li>
</ol> </li>
<li>For troubleshooting, you can review the CloudWatch logs for the Lambda function:
<ol>
<li>Go to the CloudWatch console.</li>
<li>Choose <span>/aws/lambda/Remediate_Macie_S3_Bucket</span>.</li>
<li>Choose the latest log stream and review the logs to see what actions were taken on the resources.</li>
</ol> </li>
</ol>
<h3>Next steps and customization</h3>
<p>The solution in this post has a custom action for an S3 object and one for an S3 bucket, and is intended to serve as a template. You can modify the Lambda functions associated with the custom actions to take different or additional actions that are specific to your environment and data classification.</p>
<p>In addition, I walked through separate Security Hub custom actions for Macie policy (bucket) and sensitive data (object) findings. If you have defined actions to take for both, you can consolidate the custom actions and invoke a Lambda function that parses information from the Security Hub Macie finding to determine whether it is a policy or a sensitive data finding.</p>
<p>The two disabled EventBridge rules deployed in the solution are examples that can be used for auto-remediation. As you use Security Hub custom actions to remediate findings, your security team might begin to see a trend where you always want to take specific actions; you can then enable the EventBridge rules to take action without requiring your security team to choose a custom action in Security Hub in the AWS console.</p>
<ul>
<li>Autoremediate_Macie_Policy_Finding</li>
<li>Autoremediate_Macie_Sensitive_Data_Finding</li>
</ul>
<h2>Conclusion</h2>
<p>In this post, you deployed a solution that allows your security team to take automated actions against Macie sensitive data and policy findings from Security Hub by using custom actions in the AWS console. We walked through what the solution does and how it can be customized to your use case.</p>
<p>If you have feedback about this post, submit comments in the Comments section below. If you have questions about this post, start a thread on the <a href="https://forums.aws.amazon.com/forum.jspa?forumID=283" target="_blank" rel="noopener noreferrer">AWS Security Hub forum</a> or the <a href="https://repost.aws/tags/TA_J7v39UoTdiBWCAlEs2svA/amazon-macie" target="_blank" rel="noopener noreferrer">Amazon Macie forum</a>.</p>
<p><strong>Want more AWS Security news? Follow us on <a name="Twitter" href="https://twitter.com/AWSsecurityinfo" target="_blank" rel="noopener noreferrer">Twitter</a>.</strong></p>