
Macie not enabled means false-positive AccessDeniedExceptions in CloudTrail?

0

Recently I've noticed I've started getting a lot more AccessDeniedExceptions in my CloudTrail logs, which cause false-positive alarms for my SecurityHub/CIS metric filters.

These AccessDeniedExceptions all stem from AWS Config calling macie2:GetMacieSession:

{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "AssumedRole",
        "principalId": "xxxx:configLambdaExecution",
        "arn": "arn:aws:sts::xxxxx:assumed-role/AWSServiceRoleForConfig/configLambdaExecution",
        "accountId": "xxxx",
        "sessionContext": {
            "sessionIssuer": {
                "type": "Role",
                "principalId": "xxxx",
                "arn": "arn:aws:iam::xxxxx:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig",
                "accountId": "xxxx",
                "userName": "AWSServiceRoleForConfig"
            },
            "webIdFederationData": {},
            "attributes": {
                "creationDate": "2024-01-01T18:42:33Z",
                "mfaAuthenticated": "false"
            }
        },
        "invokedBy": "config.amazonaws.com"
    },
    "eventTime": "2024-01-01T18:42:34Z",
    "eventSource": "macie2.amazonaws.com",
    "eventName": "GetMacieSession",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "config.amazonaws.com",
    "userAgent": "config.amazonaws.com",
    "errorCode": "AccessDenied",
    "readOnly": true,
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "eventCategory": "Management"
}

I don't have Macie enabled in my account -- I get the same error if I try to access it via the aws cli:

$ aws macie2 get-macie-session

An error occurred (AccessDeniedException) when calling the GetMacieSession operation: Macie is not enabled

Is there any way to eliminate these false positives without enabling Macie?

1 Answer
1
Accepted Answer

The issue you're facing with the AccessDeniedExceptions from AWS Config calling macie2:GetMacieSession is a known problem, and there are a few ways to address it without enabling Macie:

  1. Exclude the macie2:GetMacieSession API call from your SecurityHub/CIS metric filters:

    • You can update your SecurityHub/CIS metric filters to exclude the macie2:GetMacieSession API call, which will prevent these AccessDeniedExceptions from triggering false-positive alarms.
    • To do this, you can modify your metric filters to exclude the eventName of "GetMacieSession" or the eventSource of "macie2.amazonaws.com".
  2. Use AWS Config Aggregator to filter out the AccessDeniedExceptions:

    • If you're using AWS Config Aggregator to centrally manage your AWS Config configurations, you can create a custom Config Aggregator rule to filter out the AccessDeniedExceptions from macie2:GetMacieSession.
    • This approach allows you to address the issue centrally, without having to update your SecurityHub/CIS metric filters in each individual account.
  3. Use AWS Security Hub Findings Suppression:

    • AWS Security Hub allows you to suppress specific findings, including those triggered by AccessDeniedExceptions.
    • You can create a suppression rule in Security Hub to ignore the findings related to macie2:GetMacieSession API calls.
  4. Use AWS CloudWatch Logs Metric Filters:

    • Instead of relying on SecurityHub/CIS metric filters, you can create custom CloudWatch Logs Metric Filters to monitor for the AccessDeniedExceptions from macie2:GetMacieSession.
    • This approach allows you to have more control over the metric filters and can help you avoid false-positive alarms.
  5. Investigate AWS Config Permissions:

    • Check the permissions granted to the AWSServiceRoleForConfig role, which is responsible for the macie2:GetMacieSession API calls.
    • Ensure that the role has the minimum necessary permissions, and consider creating a custom IAM policy with the required permissions instead of using the managed AWSServiceRoleForConfig policy.

By implementing one or more of these solutions, you should be able to effectively eliminate the false-positive alarms caused by the AccessDeniedExceptions from the macie2:GetMacieSession API calls, without the need to enable Macie in your account.

AWS
answered 7 months ago
EXPERT
reviewed 2 months ago
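An added example, not from the question, the answer or AWS, that replays the CIS "unauthorized API calls" metric filter logic in Python over constructed CloudTrail events: it shows why AWS Config's denied GetMacieSession call fires under the standard pattern, and a narrower exclusion (keyed on eventSource, eventName and userIdentity.invokedBy together) that still alerts when anyone other than AWS Config is denied on the same call. The pattern strings are written in CloudWatch Logs JSON filter syntax; the Python functions only mirror their logic offline, and the refined pattern is this example's own, not part of the CIS benchmark.

```python
from fnmatch import fnmatchcase

# CIS AWS Foundations Benchmark filter pattern (CloudWatch Logs JSON syntax).
CIS_UNAUTHORIZED_PATTERN = (
    '{ ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }'
)
# Refinement written for this example: exclude only the probe that AWS Config
# itself makes against Macie, rather than every GetMacieSession event.
REFINED_PATTERN = (
    '{ (($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*"))'
    ' && (($.eventSource != "macie2.amazonaws.com") || ($.eventName != "GetMacieSession")'
    ' || ($.userIdentity.invokedBy != "config.amazonaws.com")) }'
)


def is_unauthorized(event: dict) -> bool:
    """Python equivalent of CIS_UNAUTHORIZED_PATTERN (glob-style wildcards)."""
    code = event.get("errorCode", "")
    return fnmatchcase(code, "*UnauthorizedOperation") or fnmatchcase(code, "AccessDenied*")


def is_config_macie_probe(event: dict) -> bool:
    """True for AWS Config's own GetMacieSession call in an account without Macie."""
    return (event.get("eventSource") == "macie2.amazonaws.com"
            and event.get("eventName") == "GetMacieSession"
            and event.get("userIdentity", {}).get("invokedBy") == "config.amazonaws.com")


def is_unauthorized_refined(event: dict) -> bool:
    """Python equivalent of REFINED_PATTERN."""
    return is_unauthorized(event) and not is_config_macie_probe(event)


def alarm_counts(events: list) -> tuple:
    """(matches under the CIS pattern, matches under the refined pattern)."""
    return (sum(is_unauthorized(e) for e in events),
            sum(is_unauthorized_refined(e) for e in events))


# Constructed sample events, trimmed to the fields the filters look at.
SAMPLE_EVENTS = [
    # 1. The event from the question: Config probing Macie in an account without it.
    {"eventSource": "macie2.amazonaws.com", "eventName": "GetMacieSession",
     "errorCode": "AccessDenied", "userIdentity": {"invokedBy": "config.amazonaws.com"}},
    # 2. Same API, but an IAM user was denied: still worth an alarm.
    {"eventSource": "macie2.amazonaws.com", "eventName": "GetMacieSession",
     "errorCode": "AccessDenied", "userIdentity": {"type": "IAMUser"}},
    # 3. Unrelated unauthorized EC2 call: must alarm under both patterns.
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "errorCode": "Client.UnauthorizedOperation", "userIdentity": {"type": "IAMUser"}},
]
```

Running `alarm_counts(SAMPLE_EVENTS)` returns `(3, 2)`: the refined pattern drops only the Config-originated probe.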
