The course is part of this learning path
Within this course, I will be providing an overview of the relationship between Amazon Macie Master and Member accounts, in addition to a demonstration on how to configure this relationship allowing you to centralize S3 data compliance findings.
By the end of this course, you will understand the core principles of amalgamating multiple accounts to help you protect S3 data using automatic detection and classification of PII data.
This course has been created for:
- Anyone who is responsible for managing sensitive data within Amazon S3
- Those who are required to assess their environment to comply with specific governance and audit controls
To get the most from this course you should be familiar with basic concepts of Amazon Macie. For more information relating to this service, please see our existing course here: https://cloudacademy.com/course/enforcing-compliance-security-controls-amazon-macie/
Hello and welcome to this lecture focusing on how to integrate additional AWS accounts to help you protect your Amazon S3 data. Amazon Macie was introduced as a powerful security and compliance enabling service, which sits within the Security Identity and Compliance category of AWS. The main function of the service is to provide an automatic method of detecting, identifying, and also classifying personally identifiable information known as PII data, that you're storing within your AWS account, primarily within Amazon S3.
The service is backed by machine learning, allowing your data to be actively reviewed as different actions are taken. Machine learning can spot access patterns and user behavior by analyzing CloudTrail event data to alert against any unusual or irregular activity.
Any findings made by Amazon Macie are presented within a dashboard, which can trigger alerts allowing you to quickly resolve any potential threat of exposure or compromise to your data. There might be a wide variety of compliance programs that you need to adhere to, and ensuring you maintain your compliance is crucial to your business.
As an example, and from a general data protection regulation perspective, you are required to keep any personal information of EU citizens protected and secure at all times with adequate protection. If you inadvertently expose data of EU citizens, you could be faced with significant financial penalties. So maintaining compliance and having the available tools and services to help you enable this is fundamental for businesses storing data in the cloud.
Many organizations have multiple AWS accounts for management and best practice. And, in turn, have many different Amazon S3 buckets with those accounts. You can run Amazon Macie in each of those accounts to detect and identify PII data being stored in S3. However, Macie also offers the ability to have one of your AWS accounts act as a master account, and other accounts act as member accounts. But what does this mean? Well, master accounts allow you to use that single account to view Amazon Macie findings from all of your other member accounts, effectively acting as a single pane of glass approach.
Your member accounts will send their Amazon Macie findings to the master account as and when they are detected. This reduces levels of administration and effort and allows a single security team to monitor any issues detected from just a single AWS account. If you'd like to learn more about Amazon Macie at a far deeper level to understand its configuration, alerts, the classification of data and more, then please see our existing course here dedicated to this service.
I will now provide a demonstration on how you can use a single AWS master account to gather data from multiple AWS accounts that you own, to gain a full understanding of any risks exposed. The first part of this demonstration will start with the member account, as you'll need to configure the necessary permissions and trust policy to discover and identify data and generate alerts to send to the master account. This is completed via the AmazonMacieHandshakeRole and the AWSServiceRoleForAmazonMacie. AWS has created a CloudFormation stack template to set this up for you. So I'll start by implementing this on my member account. Once this is then in place, I will then use the master account to integrate the member account into the master account's Amazon Macie dashboard. Let's take a look.
So as I just mentioned, we firstly need to run the CloudFormation stack to get the role set up in the member accounts. Now you can go to the AWS site here as shown and this will give you two links to the CloudFormation stacks that AWS has created. So one of them is for U.S. East, and another one is for U.S. West. So depending on where you're running your accounts from, you can select either one of these CloudFormation templates for Amazon Macie.
So I'm going to select the U.S. East stack. So all I need to do is simply click on the link and this will load up my AWS member account as long as I'm already signed into it, and we simply accept all the defaults for this. So if you're new to CloudFormation, you don't need to worry, it's all preset, simply scroll down, click on Next.
On this screen, we simply need to enter the master account number that we intend to use, so I'll just add that in now. Click on Next. You can add any tags that you need here, if you want to. For the rest of the options, just accept all the defaults, click on Next. And this final screen is just the review. Again, scroll down to the very bottom, acknowledge this checkbox at the bottom that says "I acknowledge that AWS CloudFormation might create IAM resources with custom names." And this will be the role.
So once you've acknowledged that, simply click on Create stack. Now you can see this CloudFormation stack is in progress. If we just do a quick refresh, we can see that some of the processes have completed and that won't take long to go through. So it'll just take a few seconds to let us continue.
Okay, that's now completed. So now what we need to do is go across to our master account. So let me just flick over to that account now. Okay, so I'm now back in my master account. So if I go to the Macie service. And what I need to do is go down to integrations on the left-hand side. From here, we can see we have two tabs: S3 Resources and Accounts. And this currently shows that the current account that I'm in at the moment, the master account, but what I want to do is to add another member account.
So if I click on the Accounts tab, and then scroll down to member accounts and go across to the plus. I can now enter the member account number, which is the account that we just ran the CloudFormation stack on. So let me just enter that. And click on Add Accounts. We can see that it's been approved.
So we know that the permissions were all set up all okay. If we close that, we can now see under the member accounts here, the member account ID. So we now have our member account integrated with our master account. If I go back to the S3 Resources tab, here we can configure on each account, what resources we'd like for Amazon Macie to monitor. So if I select the master account, then here I can specify which resources that I'd like Amazon Macie to monitor.
So if I click on Add, I now have all the bucket information that Amazon Macie can see. So for example, let me just select this bucket and this bucket. They're the only two buckets that I'd like Amazon Macie to monitor. Then click on Add. It gives us a quick breakdown of some statistics there, the number of objects and price, etc. So click on Review, and then Start Classification. Click on Done. And again, you can do the same with the member account, you can define which buckets that you'd like Amazon Macie to monitor. So simply go through the same process again. And there you have it and that's it. So that's how you integrate member accounts into a master account to enable you to present all the findings on the dashboard.
That brings me to the end of this course, which explained how to configure Amazon Macie across multiple accounts to automatically detect and classify PII data in S3. Feedback on our courses here at CloudAcademy is valuable to both us as trainers and any students looking to take the same course in the future. If you have any feedback, positive or negative, it'd be greatly appreciated if you can contact firstname.lastname@example.org. Thank you for your time and good luck with your continued learning of cloud computing. Thank you.
Stuart has been working within the IT industry for two decades covering a huge range of topic areas and technologies, from data center and network infrastructure design, to cloud architecture and implementation.
To date, Stuart has created 90+ courses relating to Cloud reaching over 100,000 students, mostly within the AWS category and with a heavy focus on security and compliance.
Stuart is a member of the AWS Community Builders Program for his contributions towards AWS.
He is AWS certified and accredited in addition to being a published author covering topics across the AWS landscape.
In January 2016 Stuart was awarded ‘Expert of the Year Award 2015’ from Experts Exchange for his knowledge share within cloud services to the community.
Stuart enjoys writing about cloud technologies and you will find many of his articles within our blog pages.