Deploy an automated ChatOps remedy for remediating Amazon Macie findings

The amount of information being collected, stored, and processed by Amazon Web Services (AWS) customers keeps growing at an exponential price. To keep pace with this particular growth, customers are embracing scalable cloud storage solutions like Amazon Simple Storage Service (Amazon S3) to create information lakes at the petabyte level. Customers are searching for new, automated, and scalable methods to address their information compliance and security needs, including the have to recognize and protect their delicate data. Amazon Macie helps customers deal with this need by supplying a managed data protection and data privacy services that uses machine understanding and design matching to find and protect your delicate data that’s stored within Amazon S3.

In this website post, I demonstrate how to deploy a remedy that establishes an automated event-driven workflow for notification and remediation of delicate data results from Macie. Administrators can evaluation and approve remediation of results by way of a ChatOps-design integration with Slack. Slack is really a continuing business communication device that delivers messaging functionality, including persistent boards known as stations. With this particular solution, it is possible to streamline the notification, investigation, and remediation of delicate data results in your AWS atmosphere.


Before you deploy the answer, be sure that your environment is established with the next prerequisites:

Important: This solution uses different AWS services, and you can find costs connected with these resources following the Free Tier use. Start to see the AWS pricing page for details.

Solution overview

The answer workflow and architecture are detailed in Figure 1.

Figure 1: Solution overview

Physique 1: Solution overview

This solution permits the configuration of auto-remediation behavior predicated on finding type and finding severity. For every finding type, it is possible to define if the offending is desired by you S3 item to be immediately quarantined, or whether you need the finding information to be examined and approved by way of a individual in Slack ahead of being quarantined. In the same way, it is possible to define the minimum intensity level (Low, Medium, Higher) a finding must possess before the solution will need activity. By adjusting these parameters, it is possible to manage fake positives and tune the quantity and kind of findings about that you desire to be notified and do something. This configurability is essential because customers have various security, danger, and regulatory requirements.

Figure 1 information the ongoing services found in the perfect solution is and the integration factors between them. Let’s stroll through the entire sequence from the recognition of sensitive information to the remediation (quarantine) of the offending item.

  1. Macie is configured with sensitive data discovery careers (scheduled or one-time), that you create and set you back detect sensitive information within S3 buckets. When Macie runs an operating job, it uses a mix of techniques and criteria to investigate objects within S3 buckets that you specify. For a full set of the types of sensitive information Macie can detect, start to see the Amazon Macie User Guide.
  2. For each delicate data finding, a meeting is delivered to Amazon EventBridge which has the finding information. An EventBridge guideline triggers a Lambda perform for processing.
  3. The Selecting Handler Lambda function parses the function and examines the type of the finding. In line with the auto-remediation configuration, the event either invokes the Obtaining Remediator functionality for immediate remediation, or sends the finding details for guide remediation and review acceptance through Slack.
  4. Delegated compliance and protection administrators keep track of the configured Slack channel for notifications. Notifications provide high-degree finding information, remediation standing, and a web link to the Macie system for the finding involved. For results configured for manual evaluation, administrators can elect to approve the remediation in Slack through the use of an action switch on the notification.
  5. After an administrator chooses the Remediate button, Slack issues an API call to an Amazon API Gateway endpoint, providing both the special identifier of the acquiring to be remediated and that of the Slack consumer. API Gateway proxies the demand to a Remediation Handler Lambda perform.
  6. The Remediation Handler Lambda function validates the ask for and demand signature, extracts the offending object’s location from the finding, and can make an asynchronous call to the Getting Remediator Lambda function.
  7. The Locating Remediator Lambda function moves the offending object from the foundation bucket to a designated S3 quarantine bucket with restricted access.
  8. Lastly, the Finding Remediator Lambda function runs on the callback URL to update the initial finding notification within Slack, indicating that the offending item has been quarantined.

Deploy the alternative

Now we’ll stroll through the steps for configuring Slack and deploying the answer into your AWS environment utilizing the AWS CDK. The AWS CDK is really a software development framework which you can use to define cloud infrastructure in program code and provision through AWS CloudFormation.

The deployment steps could be summarized the following:

    1. Configure the Slack app

and channel

  1. Check the project from GitHub
  2. Set the construction parameters
  3. Create and deploy the solution
  4. Configure Slack having an API Gateway endpoint

To configure a Slack app

and channel

  1. In your browser, make certain you’re logged in to the Slack workspace where you intend to integrate the perfect solution is.
  2. Create a fresh channel where a person shall deliver the notifications, as follows:
    1. Choose the + icon close to the Stations menu, and choose Create the channel.
    2. Give your channel a genuine name, for example macie-findings, plus make sure you start the Make personal establishing.

      Important: By giving Slack users with usage of this configured channel, you’re providing implicit usage of review Macie finding information and approve remediations. In order to avoid unwanted user accessibility, it’s highly recommended that you get this to channel personal and by invite just.

  3. On your Apps page, develop a brand new app by selecting Create New App, and enter the next information:
    1. For App Name, enter a genuine name of one’s choosing, for instance MacieRemediator.
    2. Select your chosen growth Slack workspace that a person logged into within step one 1.
    3. Choose Create App.

    Figure 2: Develop a Slack app

    Figure 2: Develop a Slack app

  4. You will then start to see the Basic Information page for the app. Scroll right down to the App Credentials area, and make a note of the Signing Secret. This secret will be utilized by the Lambda function that handles all remediation requests from Slack. The functionality uses the trick with Hash-based Information Authentication Program code (HMAC) authentication to validate that requests to the answer are legitimate and comes from your reliable Slack channel.

    Physique 3: Signing key

    Figure 3: Signing secret

  5. Scroll back to the very best of the Simple Information web page, and under Include features and efficiency, choose the Incoming Webhooks tile. Start the Activate Incoming Webhooks setting.
  6. At underneath of the web page, choose Add New Webhook to Workspace.
    1. Select the macie-results channel you created within step two 2, and choose Allow.
    2. You should see webhook URL information under Webhook URLs for the Workspace now. Use the Copy key to notice down the URL, that you will later need.

      Number 4: Webhook URL

      Number 4: Webhook URL

To check out the project from GitHub

The solution source can be acquired on GitHub inside AWS Samples. Clone the task to your local device or download and extract the accessible zip file.

To set the construction parameters

In the main directory of the task you’ve just cloned, there’s a document named cdk.json. This file contains construction parameters to permit integration with the macie-findings channel you created previously, and also to permit you to handle the auto-remediation habits of the perfect solution is. Open this document and ensure that you evaluation and update the next parameters:

Save your valuable changes to the construction file.

To create and deploy the solution

  1. From the order line, ensure that your present working directory may be the root directory of the task that you cloned previous. Run the next commands:
    • npm install – Installs all Node.js dependencies.
    • npm run construct – Compiles the CDK TypeScript source.
    • cdk bootstrap – Initializes the CDK environment in your AWS Region and account, as shown inside Figure 5.

      Number 5: CDK bootstrap result

      Figure 5: CDK bootstrap result

    • cdk deploy – Generates the CloudFormation template and deploys the perfect solution is resources.

    The resources created could be examined in the CloudFormation console and will be summarized the following:

    • Lambda functions – Locating Handler, Remediation Handler, and Remediator
    • IAM execution roles and associated policy – The policy and roles associated with each Lambda function and the API Gateway
    • S3 bucket – The quarantine S3 bucket
    • EventBridge principle – The rule that creates the Lambda functionality for Macie sensitive information findings
    • API Gateway – An individual remediation API with proxy integration to the Lambda handler
  2. After you operate the deploy command, you’ll be prompted to examine the IAM assets deployed within the solution. Press y to keep.
  3. As soon as the deployment is complete, you’ll be offered an output parameter, shown in Shape 6, that is the endpoint for the API Gateway that has been deployed within the solution. Duplicate this URL.

    Figure 6: CDK deploy result

    Figure 6: CDK deploy result

To configure Slack with the API Gateway endpoint

  1. Open up Slack and go back to the Basic Details web page for the Slack app you created earlier.
  2. Under Increase features and functionality, choose the Interactive Components tile.
  3. Switch on the Interactivity environment.
  4. In the Request URL box, enter the API Gateway endpoint URL you previously copied.
  5. Choose Save Changes.

    Number 7: Slack application interactivity

    Body 7: Slack application interactivity

That you have the answer elements deployed and Slack configured right now, it’s time and energy to test things out.

Test the answer

The testing steps could be summarized the following:

  1. Upload dummy data files to S3
  2. Operate the Macie sensitive information discovery job
  3. Review and do something about Slack notifications
  4. Confirm that S3 items are quarantined

To dummy documents to S3


Two sample text data files containing dummy financial and private data can be found in the task you cloned from GitHub. If you haven’t transformed the default auto-remediation configurations, both of these files shall exercise both auto-remediation and guide remediation review flows.

Find the files below sensitive-data-samples/dummy-financial-data.sensitive-data-samples/dummy-personal-data and txt.txt. Take both of these documents and upload them to S3 through the use of either the gaming console, as shown in Body 8, or AWS CLI. It is possible to opt for any existing or fresh bucket, but be sure that the bucket will be in exactly the same AWS accounts and Region that has been utilized to deploy the perfect solution is.

Number 8: Dummy documents uploaded to S3

Figure 8: Dummy data files uploaded to S3

To work a Macie sensitive information discovery job

  1. Navigate to the Amazon Macie system, and ensure that your selected Area is equivalent to the one that had been used to deploy the answer.
    1. If that is your first-time using Macie, pick the Have Started button, and choose Enable Macie then.
  2. On the Macie Overview dashboard, you will notice a Create Job switch at the very top right. Choose this switch to launch the operating job creation wizard. Configure each step the following:
    1. Select S3 buckets: Choose the bucket where you uploaded the dummy sensitive information file. Choose Following.
    2. Evaluation S3 buckets: Zero changes are needed, choose Next.
    3. Scope: For Job kind, choose One-time work. Make certain Sampling depth is defined to 100%. Choose Next.
    4. Custom information identifiers: No changes are needed, choose Next.
    5. Name and explanation: For Work name, enter any true title you like, such as for example Dummy job, and choose Next then.
    6. Evaluation and create: Evaluation your settings; they ought to look like the next sample. Choose Submit.

Number 9: Configure the Macie sensitive data discovery work

Figure 9: Configure the Macie sensitive information discovery job

Macie shall start the sensitive information discovery job. It is possible to track its position from the Careers web page within the Macie gaming console.

To review and do something on Slack notifications

Within 5 minutes of submitting the info discovery job, you need to expect to see 2 notifications come in your configured Slack channel. One notification, like the one in Amount 10, is informational just and relates to an auto-remediation actions which has taken place.

Figure 10: Slack notification of auto-remediation for the document containing dummy financial information

Figure 10: Slack notification of auto-remediation for the document containing dummy financial information

The other notification, like the one in Figure 11, requires person action and is for a discovering that requires administrator review. All notifications shall display crucial information like the offending S3 object, a explanation of the selecting, the finding severity, along with other relevant metadata.

Figure 11: Slack notification for human overview of the document containing dummy personal information

Amount 11: Slack notification for individual review of the document containing dummy personal information

(Optional) It is possible to review the finding details by choosing the View Macie Finding inside Console link inside the notification.

In the Slack notification, pick the Remediate button to quarantine the thing. The notification will be up-to-date with confirmation of the quarantine action, as shown in Physique 12.

Figure 12: Slack notification of authorized remediation

Determine 12: Slack notification of authorized remediation

To concur that S3 items are quarantined

Finally, demand S3 console and validate that the items have been taken off their original bucket and placed in to the quarantine bucket listed within the notification details, simply because shown in Figure 13. Remember that you may want to refresh your S3 object listing inside the browser.

Figure 13: Slack notification of authorized remediation

Number 13: Slack notification of authorized remediation

Congratulations! At this point you have a completely operational treatment for detect and react to Macie sensitive information findings by way of a Slack ChatOps workflow.

Solution cleanup

To remove the perfect solution is and steer clear of incurring additional charges from the AWS sources that you deployed, complete the next steps.

To take away the solution and associated assets

  1. Navigate to the Macie system. Under Settings, choose Suspend Macie.
  2. Navigate to the S3 gaming console and delete all items inside the quarantine bucket.
  3. Run the control cdk ruin from the order line within the main directory of the task. You will be prompted to confirm you want to remove the answer. Press y.


In this blog write-up, I demonstrated you how exactly to integrate Amazon Macie sensitive data results having an auto-remediation and Slack ChatOps workflow. We examined the AWS providers used, how they’re integrated, and the methods to configure, deploy, and test the perfect solution is. With Macie and the answer in this website post, it is possible to substantially decrease the heavy lifting connected with detecting and giving an answer to sensitive information in your AWS atmosphere.

I encourage one to get this customize and remedy it to your preferences. More enhancements could include helping policy findings, adding additional remediation activities, or even integrating with additional results from AWS Security Hub.

When you have feedback concerning this post, submit remarks in the Comments section below. Should you have questions concerning this post, start a brand-new thread on the Amazon Macie forum or contact AWS Support.

Want a lot more AWS Security how-to articles, news, and show announcements? Stick to us on Twitter.

%d bloggers like this: