Amazon Macie: how often does the automated discovery run run?

0

Hi,

I have a classification error in the coverage issues console in Amazon Macie; the issue is "Permission denied (9) - Update AWS KMS key policies". But the KMS key has all the needed policies:

{
    "Statement": [
        {
            "Sid": "Allow Macie to use the key",
            "Effect": "Allow",
            "Principal": {
                "Service": "macie.amazonaws.com"
            },
            "Action": [
                "kms:GenerateDataKey",
                "kms:Encrypt"
            ],
            "Resource": "*"
        },
        {
            "Sid": "Allow the Macie service-linked role to use the key",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::account_id:role/aws-service-role/macie.amazonaws.com/AWSServiceRoleForAmazonMacie"
            },
            "Action": "kms:Decrypt",
            "Resource": "*"
        }
    ]
}

There is also info that the automated discovery run was running 2 weeks ago. How often does the automated discovery run run? Do the S3 buckets (that I scan) also need Macie permissions?

I can't find that info.

Thank you

2 answers
1
Accepted answer

Hi there,

Macie Automated Data Discovery runs daily, but does not necessarily look at every bucket every day, depending on how much content is scanned, how much has already been scanned, and what the sensitivity score is. For buckets with Permission Denied errors, it may take a few days to reflect after a KMS policy has been updated.

Two comments on the policy statement above:

Macie should have permissions to the S3 buckets via the Service Linked Role (SLR). Note that if the bucket has any explicit "Deny" statements in the bucket policy, these will override the SLR - that might be worth checking as well.

AWS
answered a year ago
  • Hi. Yes, 1: the account is correct. 2: I don't use cross-accounts. I have a deny statement in S3, but this deny is fine as I am using this syntax: "Condition": { "StringNotEquals": { "aws:PrincipalAccount": "account_id" } }. When I go to the classification error and go to details, I see that the latest automated run was running 2 months ago. You are telling me it's every day?

  • If you're using Deny but have not added the Macie Service principal to the condition key (which it looks like you haven't), then Macie cannot access the bucket.
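The two things this thread turns on are the KMS key policy quoted in the question and the explicit Deny in the bucket policy mentioned in the comments. The script below is an added example, not code from the thread or from AWS: it lints a KMS key policy for the two Macie grants the question lists (the macie.amazonaws.com service principal with kms:GenerateDataKey and kms:Encrypt, the service-linked role with kms:Decrypt), and it triages a bucket policy by listing every explicit Deny whose Principal could cover the Macie service-linked role, together with its condition keys, so an admin can confirm the role is actually exempted rather than guessing. The account id, bucket name and the "legacy-reader" role are constructed placeholders; the policies are built inline from the shapes shown in the thread.

```python
import json

# Constructed placeholder account id (not the asker's account).
ACCOUNT_ID = "111122223333"
MACIE_SERVICE = "macie.amazonaws.com"
SLR_PATH = "role/aws-service-role/macie.amazonaws.com/AWSServiceRoleForAmazonMacie"


def _as_list(value):
    """IAM policy elements may be a scalar or a list; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def macie_slr_arn(account_id):
    """ARN of the Macie service-linked role in the given account."""
    return f"arn:aws:iam::{account_id}:{SLR_PATH}"


def check_kms_key_policy(policy, account_id):
    """Return the Macie grants this key policy lacks (empty list = both present):
    the service principal needs GenerateDataKey + Encrypt, the SLR needs Decrypt."""
    wanted = {
        ("Service", MACIE_SERVICE): {"kms:GenerateDataKey", "kms:Encrypt"},
        ("AWS", macie_slr_arn(account_id)): {"kms:Decrypt"},
    }
    granted = {key: set() for key in wanted}
    for stmt in _as_list(policy.get("Statement")):
        # Only unconditional Allow statements count; a Condition could narrow
        # the grant, so conditional statements are left for manual review.
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        principal = stmt.get("Principal")
        if not isinstance(principal, dict):
            continue
        actions = set(_as_list(stmt.get("Action")))
        for ptype, pvalue in wanted:
            if pvalue in _as_list(principal.get(ptype)):
                granted[(ptype, pvalue)] |= actions
    missing = []
    for key, needed in wanted.items():
        if "kms:*" in granted[key]:
            continue  # wildcard covers every KMS action
        for action in sorted(needed - granted[key]):
            missing.append(f"{key[1]} lacks {action}")
    return missing


def deny_statements_to_review(bucket_policy, account_id):
    """Conservative triage: list each explicit Deny whose Principal could include
    the Macie SLR ("*" or the role ARN) with its actions and condition keys.
    Denies that name only other principals are skipped."""
    slr = macie_slr_arn(account_id)
    findings = []
    for stmt in _as_list(bucket_policy.get("Statement")):
        if stmt.get("Effect") != "Deny":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            names = {"*"}
        elif isinstance(principal, dict):
            names = set(_as_list(principal.get("AWS"))) | set(_as_list(principal.get("Service")))
        else:
            names = set()
        if "*" not in names and slr not in names:
            continue
        condition = stmt.get("Condition", {})
        keys = sorted({k for operator in condition.values() for k in operator})
        findings.append({"Sid": stmt.get("Sid"),
                         "Actions": _as_list(stmt.get("Action")),
                         "ConditionKeys": keys})
    return findings


# Constructed sample: the two statements quoted in the question, placeholder account.
KMS_KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Allow Macie to use the key", "Effect": "Allow",
         "Principal": {"Service": MACIE_SERVICE},
         "Action": ["kms:GenerateDataKey", "kms:Encrypt"], "Resource": "*"},
        {"Sid": "Allow the Macie service-linked role to use the key", "Effect": "Allow",
         "Principal": {"AWS": macie_slr_arn(ACCOUNT_ID)},
         "Action": "kms:Decrypt", "Resource": "*"},
    ],
}

# Constructed sample bucket policy: the Deny shape from the comments, plus a Deny
# that names an unrelated (hypothetical) role and therefore needs no review.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DenyOtherAccounts", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
         "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
         "Condition": {"StringNotEquals": {"aws:PrincipalAccount": ACCOUNT_ID}}},
        {"Sid": "DenyLegacyRole", "Effect": "Deny",
         "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:role/legacy-reader"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
}

if __name__ == "__main__":
    print("KMS key policy gaps:", check_kms_key_policy(KMS_KEY_POLICY, ACCOUNT_ID) or "none")
    print(json.dumps(deny_statements_to_review(BUCKET_POLICY, ACCOUNT_ID), indent=2))
```

On real policies, fetch them with `aws kms get-key-policy --policy-name default` and `aws s3api get-bucket-policy`, load the JSON, and pass the dicts to the two functions. The deny triage deliberately does not decide whether a condition exempts the service-linked role; it surfaces the Sid, actions and condition keys so that decision is made explicitly, which is the check the answer above asks for.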

0

Does the aws:PrincipalAccount key mean that all services from the account (including Macie) can access the S3 bucket? That's strange, as I have a lot of buckets.

There is only a classification error (not access denied). I have a lot of buckets with the Deny condition above, but Macie only complains about this bucket?

answered a year ago
  • also this digit 9 means like it can't access only 9 objects...
