This solution establishes an automated, event-driven workflow for notifying on and auto-remediating sensitive data findings from Amazon Macie. Human interaction is via a ChatOps-style integration with Slack.
The solution allows the auto-remediation behaviour to be configured by finding type and finding severity. For each finding type you can define whether the offending S3 object should be quarantined automatically, or whether the finding details should first be reviewed and the remediation approved by a human in Slack. In a similar manner you can define the minimum severity level (Low, Medium, High) a finding must have before the solution takes any action. Adjusting these parameters lets you manage false positives and tune the volume and type of findings on which you are notified and take action.
The solution architecture and eight-step interaction sequence are detailed below in Figure 1.
- Amazon Macie is configured with sensitive data discovery jobs (scheduled or ad hoc) which detect sensitive data within Amazon S3 buckets. See here for a full list of the categories of sensitive data Macie can detect.
- For each sensitive data finding an event is sent to Amazon EventBridge containing the finding details. An EventBridge rule triggers a Lambda function for processing.
- The Finding Handler Lambda function parses the event, examines the type of the finding, and based on auto-remediation configuration will either invoke the Finding Remediator function for immediate remediation, or send finding details for manual review and remediation approval via Slack.
- Delegated security / compliance admins monitor the configured Slack channel for notifications. Notifications provide high level finding information, remediation status, and a deep link to the Amazon Macie console for the finding in question. For findings configured for manual review, users can choose to approve the remediation in Slack via an action button on the notification.
- After a user clicks the “Remediate” button, Slack issues a request to an Amazon API Gateway endpoint supplying the unique identifier of the finding to be remediated and the Slack user who approved it. API Gateway proxies the request to the Remediation Handler Lambda function.
- The Remediation Handler Lambda function validates the request, including its Slack request signature (so that only requests originating from the configured Slack app are acted on), extracts the offending object location from the finding, and makes an asynchronous call to the Finding Remediator Lambda function.
- The Finding Remediator Lambda function moves the offending object from the source bucket to a designated S3 quarantine bucket with restricted access.
- Finally, the Finding Remediator Lambda function uses a callback URL to update the original finding notification in Slack, indicating that the offending object has now been quarantined.
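The two security-relevant decisions in the sequence above are the routing decision in the Finding Handler (step 3, driven by the finding-type and minimum-severity configuration described earlier) and the request validation in the Remediation Handler (step 6). The following is an added example written for this page, not the project's own Lambda code, that reduces both to pure functions you can run offline. The configuration shape, the abbreviated Macie finding event, the `action_id` of the Remediate button and the sample signing secret are assumptions constructed for the example; the signature scheme is Slack's documented v0 request signing (HMAC-SHA256 over `v0:<timestamp>:<body>` keyed with the app's signing secret).

```python
"""Added example, not the project's code: the Finding Handler's routing
decision and the Remediation Handler's Slack signature check, as pure
functions. Config shape, sample event and the 'remediate' action_id are
assumptions made for this example."""
from __future__ import annotations

import hashlib
import hmac
import json
import time
from urllib.parse import parse_qs, quote

SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3}

# Assumed configuration: per finding type, 'auto' (quarantine immediately)
# or 'manual' (ask for approval in Slack), plus a global severity floor.
REMEDIATION_CONFIG = {
    "min_severity": "Medium",
    "finding_types": {
        "SensitiveData:S3Object/Credentials": "auto",
        "SensitiveData:S3Object/Personal": "manual",
        "SensitiveData:S3Object/Financial": "manual",
    },
}

# Constructed, abbreviated Macie finding event as EventBridge delivers it.
SAMPLE_EVENT = {
    "detail-type": "Macie Finding",
    "detail": {
        "id": "6f1f0e3c0c0d9f3e4b5a6c7d8e9f0a1b",
        "type": "SensitiveData:S3Object/Credentials",
        "severity": {"description": "High", "score": 3},
        "resourcesAffected": {
            "s3Bucket": {"name": "example-source-bucket"},
            "s3Object": {"key": "exports/users.csv"},
        },
    },
}


def decide_action(event: dict, config: dict = REMEDIATION_CONFIG) -> str:
    """Return 'auto', 'manual' or 'ignore' for one Macie finding event."""
    detail = event["detail"]
    severity = detail["severity"]["description"]
    if SEVERITY_RANK.get(severity, 0) < SEVERITY_RANK[config["min_severity"]]:
        return "ignore"  # below the configured floor: no notification at all
    # Unknown finding types fall back to human review, never to silent action.
    return config["finding_types"].get(detail["type"], "manual")


def offending_object(event: dict) -> tuple[str, str]:
    """Extract (bucket, key) of the object that would be quarantined."""
    res = event["detail"]["resourcesAffected"]
    return res["s3Bucket"]["name"], res["s3Object"]["key"]


def sign_slack_request(secret: str, timestamp: str, body: str) -> str:
    """Slack v0 signature: 'v0=' + hex(HMAC-SHA256(secret, 'v0:<ts>:<body>'))."""
    base = f"v0:{timestamp}:{body}".encode()
    return "v0=" + hmac.new(secret.encode(), base, hashlib.sha256).hexdigest()


def verify_slack_request(secret: str, headers: dict, body: str,
                         now: float | None = None, max_age: int = 300) -> bool:
    """Reject stale or forged requests before trusting the finding ID."""
    ts = headers.get("X-Slack-Request-Timestamp", "")
    sig = headers.get("X-Slack-Signature", "")
    if not ts.isdigit():
        return False
    now = time.time() if now is None else now
    if abs(now - int(ts)) > max_age:  # replay window
        return False
    expected = sign_slack_request(secret, ts, body)
    return hmac.compare_digest(expected, sig)  # constant-time comparison


def build_slack_payload(finding_id: str, user_id: str) -> str:
    """Constructed form-encoded body in the shape Slack posts for a button
    click: 'payload=<url-encoded JSON>'. Used here only to produce test input."""
    payload = {
        "type": "block_actions",
        "user": {"id": user_id},
        "actions": [{"action_id": "remediate", "value": finding_id}],
    }
    return "payload=" + quote(json.dumps(payload), safe="")


def finding_id_from_slack(body: str) -> str | None:
    """Pull the finding ID from the Remediate button's value (assumed
    action_id 'remediate'); None if no such action is present."""
    payload = json.loads(parse_qs(body)["payload"][0])
    for action in payload.get("actions", []):
        if action.get("action_id") == "remediate":
            return action.get("value")
    return None
```

The signature is computed over the raw request body exactly as received, so in a real handler the body must be verified before it is parsed or decoded. The replay window matters because a captured signed request would otherwise remain valid indefinitely; Slack's own guidance is to reject timestamps more than five minutes old.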
Before proceeding to deploy the solution, ensure your environment is set up with the following prerequisites.
- You have access to an AWS account via an AWS Identity and Access Management role or user with permissions to create the resources listed in the Solution Overview via AWS CloudFormation
- The AWS Command Line Interface (CLI) is installed and configured for use. Ensure your configured default region supports Amazon Macie by checking service availability here
- The AWS Cloud Development Kit (CDK) is installed and configured for use
- You have a Slack account with permissions to add apps and integrations in your desired Workspace and Channel. If you are not already a Slack user, it's free to sign up and create a workspace and channel of your own
Important: this solution uses various AWS services, and there are costs associated with these resources after the Free Tier usage. Please see the AWS pricing page for details.
Full walkthrough instructions for configuring Slack and deploying the solution via AWS CDK are available in a blog post here.
See CONTRIBUTING for more information.
This library is licensed under the MIT-0 License. See the LICENSE file.