1h 9m

Amazon Macie was launched in the summer of 2017. It is a security and compliance service that automatically discovers, identifies and classifies data within your AWS account. Macie currently supports Amazon S3; support for other storage services is expected to be added over time. Backed by machine learning, Macie continuously reviews your data as actions are taken within your AWS account: it learns access patterns and analyses user behaviour from CloudTrail event data in order to alert on unusual or irregular activity. Findings are presented in a dashboard and can trigger alerts, allowing you to quickly address any potential exposure or compromise of your data.

This course covers each element of the service, its features and its configurable components, so that you can get the most out of what Macie can do.

Learning Objectives

By the end of this course you will be able to:

  • Explain what Amazon Macie is and what it is used for
  • Describe each configurable component of the service so that you can gain maximum benefit from Macie's capabilities
  • Understand how the service provides a customizable approach to maintaining compliance
  • Understand how, through automation and machine learning, Amazon Macie detects and categorizes S3 content in order to identify potential security threats and exposures

Intended Audience

The content of this course is centered around security and compliance, so it is beneficial to those in the following roles or their equivalents:

  • Cloud Security Architects
  • Compliance Managers
  • Cloud Administrators
  • Cloud Support & Operations


As a prerequisite of this course you should have an understanding and awareness of:

  • Amazon S3
  • AWS CloudTrail



Resources Referenced

Constructing Queries in Amazon Macie

Lecture Transcript

Hello and welcome to this lecture on Amazon Macie alerts. As Amazon Macie is a security analysis and compliance tool, we expect it to identify and notify us of any potential issues it finds, and that is the job of Macie alerts. By default, the service is pre-configured with a wide range of alerts based on security best practices and on the sensitivity of the data it checks. What counts as sensitive information depends on your organization and industry, so there may not be a pre-defined alert that fulfils your requirements. Thankfully, Amazon Macie lets you create custom alerts, which you configure and which Macie then runs against your data. This is very useful when it comes to maintaining control of, and compliance for, your data sets. 

Alerts exist as two different types: basic and predictive. 

Basic alerts. Basic alerts consist of both the pre-built alerts that ship with Amazon Macie and custom alerts, which you design and build yourself to perform specific security checks. The pre-defined alerts and checks provided by Macie are categorized as follows. 

  • Anonymized access. This is where users are trying to gain access to your AWS account and its resources while trying to mask and hide their own identity. 
  • Config compliance. This focuses on settings and policies that can relate to compliance issues within your environment, such as a change to a CloudTrail logging policy. 
  • Credential loss covers scenarios where access control data may have been compromised. 
  • Data compliance. This checks your data for identification of security content, such as access keys, credential data, or PII and PHI information. 
  • File hosting. This check relates to compromised instances on which malware may be detected. 
  • Identity enumeration. This check helps to detect a potential attack or weakness in access control and credentials by identifying a rise in API calls or access attempts across your account. 
  • Information loss. This looks at unusual behavior and irregular activity of access to information classed as sensitive. 
  • Location anomaly. Checks for access requests where the source of the request is from an unexpected and unusual location from outside the normal operations based on history. 
  • Open permissions. This check is very useful as it checks your permissions to sensitive data to see if they are overly permissive and potentially allow for unnecessary data exposure. 
  • Privilege escalation. These checks focus on access attempts that would result in a privileged level of access, which could be used to cause further damage and harm to your environment. 
  • Ransomware. This focuses on compromised infrastructure where ransomware has been detected. 
  • Service disruption. This checks whether a disruption to your environment is likely as a result of your own internal configuration changes. For example, the alteration of a security group that results in previously permitted communications being denied. 
  • Suspicious access. Checks for unusual and risky access requested by anonymous users whose source data, such as their IP address, is being masked. For example, a malicious user relaying their connection across a number of compromised hosts. 

It's worth noting that these alerts provided by Amazon Macie cannot be altered or modified in any way. 

Predictive alerts. Predictive alerts look at the behavior of your AWS account to automatically identify activities that sit outside the realm of normal operations. Over time, Macie builds a baseline understanding of day-to-day operations, learning what is normal and what is unusual through machine-learning analysis of your CloudTrail logs and events. An example would be a sudden spike in user access to a particular S3 bucket that is normally accessed only rarely. When this happens, Amazon Macie sends a predictive alert informing you of the anomaly. As with the pre-defined basic alerts, predictive alerts cannot be edited or changed in any way. 

Let me now explain the different points of interest on the alert itself, so you know what to expect and what information comes with an alert when you receive one. The alert I am looking at in my Amazon Macie console is the view that appears in the alerts section of the console, and it gives a high-level overview of the event that triggered the alert. The top half displays the severity, which is set to low; the name of the alert, which is Change to CloudTrail logging policy; and the alert type and category, these being basic and config compliance. The bottom half gives additional detail, such as when the alert was triggered, the identity that triggered it and in which region, along with the number of results captured in the alert and how many times it has been viewed. 

To drill down further, you can click on the alert to display the detailed finding. This view is broken down into two parts: the alert summary and the alert details. The summary provides the additional information you need to respond to the alert appropriately. The description explains why the alert was generated. A breakdown of results is also displayed; because this alert relates to a CloudTrail action rather than an S3 action, it lists the API calls captured in the event. If it related to S3 data, it would instead list the S3 buckets and objects affected. The alert details section gives even more information: clicking on the type icon reveals a whole host of additional fields, of which I will only show a few here. You can obtain a substantial amount of useful data from these alerts to ascertain whether there is a viable threat. If you analyse the alert and identify that it is a legitimate security incident, you can make the necessary changes to your infrastructure to ensure it does not happen again, for example by restricting the user's permissions or revoking the user entirely. However, you may decide that this activity is a normal, expected operation for this user. In that situation, you can whitelist the user for this alert, after which Amazon Macie will no longer raise a Change to CloudTrail logging policy alert for that particular user. You can also archive the alert for future reference, or edit the alert. As this alert was predefined by Amazon Macie, you are unable to edit it; if it were a custom alert, you could edit it as required. 

Before I move on to show you how to create a custom alert, I want to explain the different levels of severity associated with these alerts and what each severity generally means. There are five severities for an alert, these being:

  • Informational. This does not indicate a threat or any risk to your current operations. These alerts provide information that allows you to make informed decisions and changes to your infrastructure if you deem it necessary. 
  • Low. This is the lowest level of potential security threat that could compromise the confidentiality, integrity or availability of your data. Immediate action is not required, but it should be investigated and resolved in future changes and fixes. 
  • Medium. This indicates the next level up for a threat that could impact the CIA of your data, and it should be dealt with before any low severities. 
  • High. A high alert requires immediate action and attention, as there is a very high chance that your data can be compromised from a CIA perspective. 
  • Critical. This is very similar to high; the main difference is that it is likely that your data and services have already been compromised from a CIA standpoint. 

Let me now move on to show you how to add your own customized alert, via a quick demonstration in which I create a custom basic alert using a very simple query. 

Okay, so I'm on the dashboard of my Amazon Macie account, and to create my own alert I go to Settings, scroll down and select Basic alerts at the bottom. This shows all the basic alerts that have been created, and as you can see, many of them have been created by Macie. To add my own alert, I click on the green button here, click on Add New, and it asks me for a number of different pieces of information. First we can give it an alert title; I'll just call it This is a test alert, and use the same for the description. 

Next I need to select a category, and these are all the different categories available for basic alerts. For this one, I'm going to select Anonymized Access. The next section is the query. This is where you enter the query that defines the alert: the information it searches for within the data that Macie has collected from CloudTrail logs and from S3. How to construct these queries is outside the scope of this course; you can find more information in the Constructing Queries in Amazon Macie resource listed above. 

So I'm going to add in my query here, and what this will do is match every time the GetBucketPolicy API is called by a user identity of type IAMUser. The alert will not be triggered if, for example, an AWS service calls GetBucketPolicy; it will only fire if an IAMUser requested GetBucketPolicy. Next we have the index, which is the source data the query runs against: CloudTrail data, S3 bucket properties or S3 objects. For this particular query, I want it to search through the CloudTrail data. Then you can set the minimum number of matches; for this demonstration, I'm going to leave it at one. For the severity, we can choose informational, low, medium, high or critical; I'm going to leave this as informational. And at the bottom here we have Enabled set to Yes - active. All I need to do at this point is click on Save. 

That has now added our alert to the list of basic alerts, and we can filter and order these alerts. If I sort by Created by, we can see our alert, This is a test alert, and that it's a custom alert. Now, if we want to test that it's picking up data, we can go across to the magnifying glass and click on Research current query. This takes us to the Research section, and as you can see, currently there's a total of 13 matched results based on that query. I'll be covering more on this research feature in a later lecture in this course. 

If we go back and find our alert again, we can also delete this alert or edit it; to edit it, we just change the details here. And that's how you create your own basic alert.
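To make the two alert types concrete, here is an added example in Python that is not Macie's own code, query syntax or detection model: a toy alert engine that evaluates a custom basic alert like the one built in the demonstration above (GetBucketPolicy called by an IAMUser, with the minimum-match count, the enabled flag and the per-user whitelist described in the alert detail view) and a simple predictive-style baseline check that flags a day whose access count for a bucket spikes above its recent history, as described under predictive alerts. The CloudTrail records, the bucket name, the user names, the baseline window and the spike threshold (mean plus three standard deviations) are all constructed for the example; only the record field names follow the CloudTrail format.

```python
"""Toy alert engine modelled on the basic and predictive alert types described above.

Added example, not Macie's own code or query syntax. The CloudTrail records,
bucket and user names below are constructed for the demonstration.
"""
from collections import Counter
from statistics import mean, pstdev


def _event(day, name, identity_type, user, bucket, hour=10):
    """Build a trimmed CloudTrail record (constructed sample data)."""
    return {
        "eventTime": f"2017-09-{day:02d}T{hour:02d}:00:00Z",
        "eventName": name,
        "userIdentity": {"type": identity_type, "userName": user},
        "awsRegion": "us-east-1",
        "requestParameters": {"bucketName": bucket},
    }


BASELINE_DAYS = [f"2017-09-{d:02d}" for d in range(1, 8)]

# Seven quiet days with one read per day, then a day with a burst of reads and
# three GetBucketPolicy calls from different identity types.
SAMPLE_EVENTS = (
    [_event(d, "GetObject", "IAMUser", "alice", "finance-reports") for d in range(1, 8)]
    + [_event(8, "GetObject", "IAMUser", "bob", "finance-reports", hour=h) for h in range(12)]
    + [
        _event(8, "GetBucketPolicy", "IAMUser", "bob", "finance-reports"),
        _event(8, "GetBucketPolicy", "AWSService", "config.amazonaws.com", "finance-reports"),
        _event(8, "GetBucketPolicy", "AssumedRole", "deploy-role", "finance-reports"),
    ]
)

# The custom basic alert from the demonstration, expressed as field/value matches
# (a stand-in for the query string; this is not Macie's query language).
BASIC_ALERT = {
    "title": "This is a test alert",
    "category": "Anonymized Access",
    "index": "CloudTrail data",
    "match": {"eventName": "GetBucketPolicy", "userIdentity.type": "IAMUser"},
    "min_matches": 1,
    "severity": "informational",
    "enabled": True,
    "whitelisted_users": frozenset(),
}


def field(record, dotted_path):
    """Look up a nested CloudTrail field such as 'userIdentity.type'."""
    value = record
    for part in dotted_path.split("."):
        if not isinstance(value, dict) or part not in value:
            return None
        value = value[part]
    return value


def evaluate_basic_alert(alert, events):
    """Return the records that fire the alert, or [] when it does not fire.

    A record matches when every field in the alert's match set equals the wanted
    value and the calling user has not been whitelisted for this alert; the
    alert fires only once the number of matches reaches min_matches.
    """
    if not alert["enabled"]:
        return []
    hits = [
        e for e in events
        if all(field(e, path) == want for path, want in alert["match"].items())
        and field(e, "userIdentity.userName") not in alert["whitelisted_users"]
    ]
    return hits if len(hits) >= alert["min_matches"] else []


def evaluate_predictive_alert(events, bucket, baseline_days, event_name="GetObject", k=3.0):
    """Flag days whose count of `event_name` calls on `bucket` exceeds the baseline.

    The baseline is the per-day count over `baseline_days`; a day outside that
    window is anomalous when its count exceeds mean + k * stdev. The standard
    deviation is floored at 1 so a perfectly flat baseline still yields a threshold.
    """
    per_day = Counter(
        e["eventTime"][:10] for e in events
        if e["eventName"] == event_name and field(e, "requestParameters.bucketName") == bucket
    )
    baseline = [per_day.get(day, 0) for day in baseline_days]
    threshold = mean(baseline) + k * max(pstdev(baseline), 1.0)
    return {day: n for day, n in per_day.items() if day not in baseline_days and n > threshold}


if __name__ == "__main__":
    for hit in evaluate_basic_alert(BASIC_ALERT, SAMPLE_EVENTS):
        print(BASIC_ALERT["severity"], BASIC_ALERT["title"], hit["eventTime"],
              field(hit, "userIdentity.userName"))
    print(evaluate_predictive_alert(SAMPLE_EVENTS, "finance-reports", BASELINE_DAYS))
```

Running it fires the basic alert once, for bob's GetBucketPolicy call, while the same call made by the AWS service and the assumed role is ignored, matching the behaviour described for the demonstration query; whitelisting bob (`dict(BASIC_ALERT, whitelisted_users={"bob"})`) silences it, as does raising min_matches above the number of hits. The predictive check flags 2017-09-08 with 12 reads against a baseline of one read per day, which is the kind of spike the predictive alert description refers to.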

About the Author

Stuart has been working within the IT industry for two decades covering a huge range of topic areas and technologies, from data center and network infrastructure design, to cloud architecture and implementation.

To date, Stuart has created 150+ courses relating to Cloud reaching over 180,000 students, mostly within the AWS category and with a heavy focus on security and compliance.

Stuart is a member of the AWS Community Builders Program for his contributions towards AWS.

He is AWS certified and accredited in addition to being a published author covering topics across the AWS landscape.

In January 2016 Stuart was awarded ‘Expert of the Year Award 2015’ from Experts Exchange for his knowledge share within cloud services to the community.

Stuart enjoys writing about cloud technologies and you will find many of his articles within our blog pages.