Amazon Macie Configuration
Amazon Macie was launched in the summer of 2017, much to the delight of cloud security engineers. Amazon Macie is a powerful security and compliance service that provides an automatic method to detect, identify, and classify data within your AWS account. Macie currently supports Amazon S3 storage, however additional support for other storage systems will be developed and added over time. Backed by machine learning, Macie can actively review your data as different actions are taken within your AWS account. Machine learning spots access patterns and analyzes user behaviour using CloudTrail event data to alert against any unusual or irregular activity. Any findings are presented within a dashboard which can trigger alerts allowing you to quickly resolve any potential threat of exposure or compromise to your data.
This course will dive into all elements of the service, discussing its many different features and customizable elements allowing you to gain the maximum potential of its ability.
By the end of this course you will be able to:
- Provide an understanding and awareness of what Amazon Macie is and what it’s used for
- Provide an explanation of each configurable component of the service to allow you to gain maximum benefit from Macie’s capabilities
- Understand how the service can provide a customizable approach to maintaining compliance
- Understand how through automation and machine learning Amazon Mazie detects and categorizes S3 content to detect potential security threats and exposures
The content of this course is centered around security and compliance. As a result, this course is beneficial to those who are in the roles or their equivalent of:
- Cloud Security Architects
- Compliance Managers
- Cloud Administrators
- Cloud Support & Operations
As a prerequisite of this course you should have an understanding and awareness of:
- Amazon S3
- AWS CloudTrail
Hello, and welcome to this lecture what looks at the research feature offered by Amazon Macie. This is a very useful function providing having an awareness and understanding of how to create queries using Apache Lucerne. How to construct queries is outside the limitations of this course. However, for further information you can visit the Apache Lucerne Query Parser syntax page.
This research function allows you to create your own queries against all of the data Amazon Macie has collected and monitored for AWS CloudTrail and Amazon S3. By doing so it enhances the flexibility of the service by providing a way of enabling deep dive analysis of your data that relates to your specific requirements within your business. Using the query parser you can build and construct your own queries to return the exact results that you need.
Underneath the query parser are a number of options that provide additional filters for your results. The first option allows you to limit the data source that Amazon Macie uses to perform your query. The options included here are CloudTrail data, S3 bucket properties and S3 objects. There are also two other filters that allow you to restrict the number of results found along with the date range filter. The number of results filters here include top 10, top 50, top 100 and top 500. The date range include seven days, 30 days, 90 days, 365 days, all, and a custom time frame. Amazon research is in fact closely tied with most of the other sections we have already discussed and look at. For example, the dashboard and alerts of Amazon Macie. When looking at the information represented in your dashboard graphs and visual representations of statistical information you will find that the graphs and images are interactive. If you were to click on the data or magnifying glass, by doing so you will often be redirected to the research feature.
For example, if I were to select CloudTrail events in the dashboard and then select the magnifying glass next to one of these events. Let's say, get bucket policy, I am redirected to the research feature which will automatically fill out the query parser, allowing me to investigate the data further. As you can see, there are 707 results matched which we already knew from the dashboard page with the statistics provided there. However, what we could do now is perform additional analysis by drilling down in this information further. If I only wanted to look at IAM users that perform this API call rather than all user identity types which as we know know includes the root account IM users assumed roles of federated users, et cetera, et cetera then I can add some additional commands to the query parser which only currently states event name, error code key, get bucket policy. By adding the following commands after the current content, this query will then only display results where the get bucket policy API is used by IAM users only.
The results of this query are then displayed as follows. This query now only shows a total of nine matched results. This was a very simple example of how you can use the query parser to get further detailed analysis of your data that's specific to the results that you need to investigate instant security threats and compliance requirements further. As you become more and more familiar with Amazon Macie and the components and elements that are of particular interest to you you are able to save your queries as a favorite to save you having to repeatedly type them into the query parser, using the following icon.
You can also create your queries and have them saved as a custom alert. This ensures that whenever criteria that matches your query appears it will appear within your alert screen to allow it to quickly identify and take the appropriate action as necessary. Again, this level of customization allows you to filter and direct your search for specific elements, allowing you to achieve different levels of compliance regulation. The following icon allows you to save your query as one of these custom alerts.
That now brings me to the end of this lecture. Coming up next I'll be looking at how Amazon Macie classifies and protects your monitored data.
Stuart has been working within the IT industry for two decades covering a huge range of topic areas and technologies, from data center and network infrastructure design, to cloud architecture and implementation.
To date, Stuart has created 150+ courses relating to Cloud reaching over 180,000 students, mostly within the AWS category and with a heavy focus on security and compliance.
Stuart is a member of the AWS Community Builders Program for his contributions towards AWS.
He is AWS certified and accredited in addition to being a published author covering topics across the AWS landscape.
In January 2016 Stuart was awarded ‘Expert of the Year Award 2015’ from Experts Exchange for his knowledge share within cloud services to the community.
Stuart enjoys writing about cloud technologies and you will find many of his articles within our blog pages.