This repository has been archived by the owner on Apr 3, 2024. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 62
/
Copy pathAmazonMacie.yaml
130 lines (118 loc) · 6.48 KB
/
AmazonMacie.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
version: 1
ATT&CK version: 9
creation date: 06/03/2021
name: Amazon Macie
contact: [email protected]
organization: Center for Threat Informed Defense (CTID)
platform: AWS
tags:
- Storage
description: >-
Amazon Macie is a fully managed data security and data privacy service that uses machine learning and pattern matching
to help you discover, monitor, and protect sensitive data in your AWS environment. Macie automates the discovery of
sensitive data, such as personally identifiable information (PII) and financial data, to provide you with a better
understanding of the data that your organization stores in Amazon Simple Storage Service (Amazon S3).
Macie also provides you with an inventory of your S3 buckets, and it automatically evaluates and monitors those buckets
for security and access control. Within minutes, Macie can identify and report overly permissive or unencrypted buckets
for your organization.
If Macie detects sensitive data or potential issues with the security or privacy of your data, it
creates detailed findings for you to review and remediate as necessary.
techniques:
- id: T1530
name: Data from Cloud Storage Object
technique-scores:
- category: Detect
value: Minimal
comments: >-
The following Macie findings can detect the collection of data from S3 buckets:
Policy:IAMUser/S3BlockPublicAccessDisabled
Policy:IAMUser/S3BucketEncryptionDisabled
Policy:IAMUser/S3BucketPublic
Policy:IAMUser/S3BucketReplicatedExternally
Policy:IAMUser/S3BucketSharedExternally
This type of detection is limited to only the S3 storage type and not other storage types available on the
platform (such as file or block storage) and therefore has Minimal coverage resulting in a Minimal score.
- category: Protect
value: Minimal
comments: >-
The following Macie findings can protect against collection of sensitive data from S3 buckets:
SensitiveData:S3Object/Credentials
SensitiveData:S3Object/CustomIdentifier
SensitiveData:S3Object/Financial
SensitiveData:S3Object/Multiple
SensitiveData:S3Object/Personal
The ability to discover this type of sensitive data stored in a bucket may lead to hardening steps or removing the
data altogether which would prevent an adversary from being able to collect the data.
This type of protection is limited to only the S3 storage type and not other storage types available on the
platform (such as file or block storage) and therefore has Minimal coverage resulting in a Minimal score.
- id: T1567
name: Exfiltration Over Web Service
technique-scores:
- category: Detect
value: Minimal
comments: >-
Macie only provides detection of this technique for the S3 storage type and not other storage types offerred by
the platform such as file or block storage resulting in a Minimal coverage score resulting in an overall score
of Minimal.
sub-techniques-scores:
- sub-techniques:
- id: T1567.002
name: Exfiltration to Cloud Storage
scores:
- category: Detect
value: Minimal
comments: >-
The following Macie findings can detect attempts to replicate data objects from a monitored bucket to an
Amazon Web Services account that isn't part of your organization:
Policy:IAMUser/S3BucketReplicatedExternally
Policy:IAMUser/S3BucketSharedExternally
This type of detection is limited to only the S3 storage type and not other storage types available on the
platform (such as file or block storage) and therefore has Minimal coverage resulting in a Minimal score.
- id: T1537
name: Transfer Data to Cloud Account
technique-scores:
- category: Detect
value: Minimal
comments: >-
The following Macie findings can detect attempts to replicate data objects from a monitored bucket to an
Amazon Web Services account that isn't part of your organization:
Policy:IAMUser/S3BucketReplicatedExternally
Policy:IAMUser/S3BucketSharedExternally
This type of detection is limited to only the S3 storage type and not other storage types available on the
platform (such as file or block storage) and therefore has Minimal coverage resulting in a Minimal score.
- id: T1552
name: Unsecured Credentials
technique-scores:
- category: Protect
value: Minimal
comments: >-
Macie only provides detection for the Credentials in Files sub-technique of this technique and only for the S3
storage type resulting in Minimal coverage and an overall Minimal score.
sub-techniques-scores:
- sub-techniques:
- id: T1552.001
name: Credentials In Files
scores:
- category: Protect
value: Minimal
comments: >-
The following Macie findings can result in protecting sensitive data (e.g. credentials) from being collected
from data stored in S3 buckets:
SensitiveData:S3Object/Credentials
SensitiveData:S3Object/Multiple
S3 buckets can be mounted as file systems on some platforms (e.g. Linux) and therefore its objects can be
accessed as normal files. Consequently hardening these objects or removing the credentials altogether can
protect against adversaries harvesting these credentials.
This type of detection is limited to only the S3 storage type and not other storage types
available on the platform (such as file or block storage) and therefore has Minimal coverage resulting in
a Minimal score.
comments: >-
Although the service detects the instance of sensitive data, it does not create an alert for the
user to take immediate action. It does create a log report which the user can then view to see the
results of the scan jobs.
references:
- 'https://docs.aws.amazon.com/macie/latest/user/securityhub-integration.html#securityhub-integration-finding-example'
- 'https://docs.aws.amazon.com/macie/latest/user/custom-data-identifiers.html'
- 'https://docs.aws.amazon.com/macie/latest/user/what-is-macie.html'
- 'https://docs.aws.amazon.com/macie/latest/user/discovery-jobs-manage.html'
- 'https://docs.aws.amazon.com/macie/latest/user/findings-types.html'