By using AWS re:Post, you agree to the Terms of Use
/AWS Macie not work with sensitive data/

AWS Macie not work with sensitive data

0

I tried setting the AWS Macie to analyze sensitive data. but not work. I create the following "custom data identifiers"

Name: Test01
Regular expression: (?i)batman\.txt.*
Keywords: None
Ignore words: None
Maximum match distance: 50
Occurrences threshold: 1
Severity Level: Medium

https://capsula-01.s3.amazonaws.com/AWS_MACIE01.png

Create the job.

https://capsula-01.s3.amazonaws.com/AWS_MACIE02.png

I analysing the session file of the SSM. I connect to the server EC2 via session manager and run the command "scp batman.txt server:~" for example. Is it possible to get this?

The bucket s3 https://capsula-01.s3.amazonaws.com/AWS_MACIE03.png

But not work. Let me know if i'm doing something wrong.

  • Hi ricardobarbosams - would you able to include an excerpt of a few lines of context in the relevant log file that contains "scp batman.txt server:~" or similar? You can obfuscate things like your servername or any user names, as long as the format is preserved. Thanks!

4 Answers
1

Hi, Chris, thanks for replying

of course, follow

]0;root@ip-172-30-102-209: ~root@ip-172-30-102-209:~# scp batman.txt server01:~
ssh: Could not resolve hostname server01: Temporary failure in name resolution


lost connection


]0;root@ip-172-30-102-209: ~root@ip-172-30-102-209:~# scp batman.txt server01:~:~:~:~:~:~:~:~:~:~ :~1:~2:~7:~.:~0:~.:~0:~.:~1:~



The authenticity of host '127.0.0.1 (127.0.0.1)' can't be established.


Are you sure you want to continue connecting (yes/no/[fingerprint])? yes


Warning: Permanently added '127.0.0.1' (ECDSA) to the list of known hosts.


root@127.0.0.1: Permission denied (publickey).


lost connection


]0;root@ip-172-30-102-209: ~root@ip-172-30-102-209:~# scp batman.txt 127.0.0.1:~


root@127.0.0.1: Permission denied (publickey).


lost connection


]0;root@ip-172-30-102-209: ~root@ip-172-30-102-209:~# exit
answered 14 days ago
0

Thank you for the context, this is very helpful.

On first investigation it appears that the issue is not with the custom detection, but rather the format of the log file. Using the excerpt you provided above, I ran this through Macie and the file was not scanned due to an UNSUPPORTED_FILE_TYPE_EXCEPTION. This is visible in the discovery results that are published to your S3 bucket.

The team is having a look to see if this is something that's easily addressable.

answered 13 days ago
0

Thanks for replying Cris :)

answered 12 days ago
0

I tested by creating a file with string scp batman server:~ and it worked.

https://capsula-01.s3.amazonaws.com/AWS_MACIE04.png

answered 6 days ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions