mirror of
https://github.com/HackTricks-wiki/hacktricks-cloud.git
synced 2026-01-14 13:56:30 -08:00
fix macie
This commit is contained in:
Carlos Polop
@@ -1,8 +1,70 @@
|
||||
# Amazon Macie
|
||||
|
||||
## Introduction
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
Amazon Macie is a data security service that discovers sensitive data by using machine learning and pattern matching, provides visibility into data security risks, and enables automated protection against those risks.
|
||||
## Macie
|
||||
|
||||
Amazon Macie stands out as a service designed to **automatically detect, classify, and identify data** within an AWS account. It leverages **machine learning** to continuously monitor and analyze data, primarily focusing on detecting and alerting against unusual or suspicious activities by examining **cloud trail event** data and user behavior patterns.
|
||||
|
||||
Key Features of Amazon Macie:
|
||||
|
||||
1. **Active Data Review**: Employs machine learning to review data actively as various actions occur within the AWS account.
|
||||
2. **Anomaly Detection**: Identifies irregular activities or access patterns, generating alerts to mitigate potential data exposure risks.
|
||||
3. **Continuous Monitoring**: Automatically monitors and detects new data in Amazon S3, employing machine learning and artificial intelligence to adapt to data access patterns over time.
|
||||
4. **Data Classification with NLP**: Utilizes natural language processing (NLP) to classify and interpret different data types, assigning risk scores to prioritize findings.
|
||||
5. **Security Monitoring**: Identifies security-sensitive data, including API keys, secret keys, and personal information, helping to prevent data leaks.
|
||||
|
||||
Amazon Macie is a **regional service** and requires the 'AWSMacieServiceCustomerSetupRole' IAM Role and an enabled AWS CloudTrail for functionality.
|
||||
|
||||
### Alert System
|
||||
|
||||
Macie categorizes alerts into predefined categories like:
|
||||
|
||||
- Anonymized access
|
||||
- Data compliance
|
||||
- Credential Loss
|
||||
- Privilege escalation
|
||||
- Ransomware
|
||||
- Suspicious access, etc.
|
||||
|
||||
These alerts provide detailed descriptions and result breakdowns for effective response and resolution.
|
||||
|
||||
### Dashboard Features
|
||||
|
||||
The dashboard categorizes data into various sections, including:
|
||||
|
||||
- S3 Objects (by time range, ACL, PII)
|
||||
- High-risk CloudTrail events/users
|
||||
- Activity Locations
|
||||
- CloudTrail user identity types, and more.
|
||||
|
||||
### User Categorization
|
||||
|
||||
Users are classified into tiers based on the risk level of their API calls:
|
||||
|
||||
- **Platinum**: High-risk API calls, often with admin privileges.
|
||||
- **Gold**: Infrastructure-related API calls.
|
||||
- **Silver**: Medium-risk API calls.
|
||||
- **Bronze**: Low-risk API calls.
|
||||
|
||||
### Identity Types
|
||||
|
||||
Identity types include Root, IAM user, Assumed Role, Federated User, AWS Account, and AWS Service, indicating the source of requests.
|
||||
|
||||
### Data Classification
|
||||
|
||||
Data classification encompasses:
|
||||
|
||||
- Content-Type: Based on detected content type.
|
||||
- File Extension: Based on file extension.
|
||||
- Theme: Categorized by keywords within files.
|
||||
- Regex: Categorized based on specific regex patterns.
|
||||
|
||||
The highest risk among these categories determines the file's final risk level.
|
||||
|
||||
### Research and Analysis
|
||||
|
||||
Amazon Macie's research function allows for custom queries across all Macie data for in-depth analysis. Filters include CloudTrail Data, S3 Bucket properties, and S3 Objects. Moreover, it supports inviting other accounts to share Amazon Macie, facilitating collaborative data management and security monitoring.
|
||||
|
||||
## Listing Findings with AWS Console
|
||||
|
||||
@@ -19,31 +81,63 @@ Amazon Macie provides a feature that displays detected secrets in clear-text for
|
||||
|
||||
<img width="1154" alt="Screenshot 2025-02-10 at 19 15 11" src="https://github.com/user-attachments/assets/df616e56-a11a-41da-ac69-0bea37d143a5" />
|
||||
|
||||
## Enumeration
|
||||
### Enumeration
|
||||
|
||||
```bash
|
||||
# List and describe classification jobs
|
||||
aws macie2 list-classification-jobs --region eu-west-1
|
||||
aws macie2 describe-classification-job --job-id <Job_ID> --region eu-west-1
|
||||
# Get buckets
|
||||
aws macie2 describe-buckets
|
||||
|
||||
# Org config
|
||||
aws macie2 describe-organization-configuration
|
||||
|
||||
# Get admin account (if any)
|
||||
aws macie2 get-administrator-account
|
||||
aws macie2 list-organization-admin-accounts # Run from the management account of the org
|
||||
|
||||
# Get macie account members (run this from the admin account)
|
||||
aws macie2 list-members
|
||||
|
||||
# Check if automated sensitive data discovey is enabled
|
||||
aws macie2 get-automated-discovery-configuration
|
||||
|
||||
# Get findings
|
||||
aws macie2 list-findings
|
||||
aws macie2 get-findings --finding-ids <ids>
|
||||
aws macie2 list-findings-filters
|
||||
aws macie2 get -findings-filters --id <id>
|
||||
|
||||
# Get allow lists
|
||||
aws macie2 list-allow-lists
|
||||
aws macie2 get-allow-list --id <id>
|
||||
|
||||
# Get different info
|
||||
aws macie2 list-classification-jobs
|
||||
aws macie2 describe-classification-job --job-id <Job_ID>
|
||||
aws macie2 list-classification-scopes
|
||||
aws macie2 list-custom-data-identifiers
|
||||
aws macie2 get-custom-data-identifier --id <Identifier_ID>
|
||||
|
||||
# Retrieve account details and statistics
|
||||
aws macie2 get-macie-session --region eu-west-1
|
||||
aws macie2 get-usage-statistics --region eu-west-1
|
||||
|
||||
# List and manage Macie members (for organizations)
|
||||
aws macie2 list-members --region eu-west-1
|
||||
|
||||
# List findings and get detailed information about specific findings
|
||||
aws macie2 list-findings --region eu-west-1
|
||||
aws macie2 get-findings --finding-id <Finding_ID> --region eu-west-1
|
||||
|
||||
# Manage custom data identifiers
|
||||
aws macie2 list-custom-data-identifiers --region eu-west-1
|
||||
aws macie2 get-custom-data-identifier --id <Identifier_ID> --region eu-west-1
|
||||
|
||||
# List and detail findings filters
|
||||
aws macie2 list-findings-filters --region eu-west-1
|
||||
aws macie2 get-findings-filter --id <Filter_ID> --region eu-west-1
|
||||
|
||||
aws macie2 get-macie-session
|
||||
aws macie2 get-usage-statistic
|
||||
```
|
||||
|
||||
### Privesc
|
||||
|
||||
{{#ref}}
|
||||
../aws-privilege-escalation/aws-macie-privesc.md
|
||||
{{#endref}}
|
||||
|
||||
### Post Exploitation
|
||||
|
||||
> [!TIP]
|
||||
> From an attackers perspective, this service isn't made to detect the attacker, but to detect sensitive information in the stored files. Therefore, this service might **help an attacker to find sensitive info** inside the buckets.\
|
||||
> However, maybe an attacker could also be interested in disrupting it in order to prevent the victim from getting alerts and steal that info easier.
|
||||
|
||||
TODO: PRs are welcome!
|
||||
|
||||
## References
|
||||
|
||||
- [https://cloudacademy.com/blog/introducing-aws-security-hub/](https://cloudacademy.com/blog/introducing-aws-security-hub/)
|
||||
|
||||
{{#include ../../../../banners/hacktricks-training.md}}
|
||||
|
||||
Reference in New Issue
Block a user