Nick Little

Automated Email Alerts for Amazon Macie PII Detection

In my previous post I talked about how to detect Personally Identifiable Information (PII) with Amazon Macie. In this post, we will explore making the day to day usage of Macie more streamlined, by adding email alerting when any PII leakage from S3 buckets is detected.

To do this we will configure an SNS topic and use EventBridge to send out email alerts when Macie finds any PII data leaks, which is a much better solution for the longer term.

Getting Started - Configure the Topic

AWS SNS (Simple Notification Service) uses a pub/sub (publisher/subscriber) messaging model, so there are two pieces to set up: first we’ll create the Topic, and then we’ll create the Subscription.

1.) Search for “Simple Notification Service” in the AWS Management Console, and head on over to the SNS service page

2.) Click “Create Topic”

3.) Enter “macie-alerts” (or a similar name) into the Topic Name, leave the rest at the defaults, and scroll down to “Access Policy”.

MacieS3_1

Because we want to publish and subscribe to messages within the same AWS account, we’ll need to make this AWS account both the publisher and the subscriber.

4.) Choose “Basic” as the method, and then click on the “Publishers drop-down”, and select “Only the specified AWS accounts” (Only the specified AWS account IDs can publish to the topic)

5.) Click at the top right of the AWS Management Console to copy your AWS account ID, and then paste it in the free text field below publishers

6.) Choose “Basic” as the method, and then click on the “Subscribers drop-down”, and select “Only the specified AWS accounts” (Only the specified AWS account IDs can subscribe to the topic)

7.) Click at the top right of the AWS Management Console to copy your AWS account ID, and then paste it in the free text field below subscribers

Once you’ve configured this you’ll note the JSON preview will include your account ID against the SNS:Publish and SNS:Subscribe actions respectively:

MacieS3_2

Then scroll down, and click on “Create topic”.

Next - Configure the Subscriber

1.) Click on “Subscribers” and then “Create subscription”

2.) Select your “macie-alerts” SNS Topic in the “Topic ARN” field

3.) In the “Protocol” drop-down click on “Email” and enter the email address you want alerts sent to in the “Endpoint” free text field:

MacieS3_3

Now check your email inbox. You’ll get an email from AWS, and you need to open it and click on the link to confirm the subscription. Once you’ve done that, go back to the SNS Console and confirm the subscription has been validated: the Status for the Subscription will change to “Confirmed”:

MacieS3_4

Once that is confirmed we can move on to configuring EventBridge, so that we are notified whenever Macie has any findings.

EventBridge - Notifications of Macie Findings

1.) Click in the search box in the AWS Management Console, and search for and go to “Amazon EventBridge”

2.) Under Getting Started select “EventBridge Rule” and then “Create rule”:

MacieS3_5

3.) Use “macie-events” for the Rule Name, and select “Rule with an event pattern”

4.) Ensure the “Enable the rule on the selected event bus” toggle is enabled, and click next:

MacieS3_6

5.) Select “AWS events or EventBridge partner events” under the Event Source section:

MacieS3_7

6.) Scroll down to Creation Method and select “Use pattern form”, then set Event Pattern > Event Source to “AWS services”

7.) Type Macie and select it for the “AWS Service” field, then set Event Type to “Macie Finding”. This will alert whenever Macie identifies any sensitive data.

MacieS3_8

8.) Now click “Next”

9.) For the Target, select “AWS Service”, click in the “Select a target” drop-down, and click “SNS topic”

10.) Pick the “macie-alerts” Topic you created before, then click “Next”, and “Next” again:

MacieS3_9

11.) Scroll down and click on “Create Rule” after you’ve validated the configuration.

So now, whenever Macie finds any sensitive data in your S3 bucket(s), this EventBridge rule will be triggered, the finding event will be forwarded to the SNS topic, and you’ll receive an email notification.
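As an added illustration (not part of the original post or any AWS code), the Python below models offline what the rule created above does: the event pattern the console generates for the “Macie Finding” event type, EventBridge’s top-level exact-match test, and a one-line email summary pulled from a finding. The sample events and their field values are constructed, and the alert_subject/route helpers are assumptions for illustration only.

```python
"""Offline model of the EventBridge rule configured in the post."""
import json
from typing import Any

# Pattern the console generates for Event Source "AWS services",
# Service "Macie", Event Type "Macie Finding".
MACIE_FINDING_PATTERN = {
    "source": ["aws.macie"],
    "detail-type": ["Macie Finding"],
}


def event_matches(pattern: dict[str, list[Any]], event: dict[str, Any]) -> bool:
    """EventBridge exact-match semantics for top-level keys: every key in the
    pattern must be present in the event with a value equal to one of the
    listed candidates; event fields the pattern does not mention are ignored."""
    return all(key in event and event[key] in candidates
               for key, candidates in pattern.items())


def alert_subject(event: dict[str, Any]) -> str:
    """Summarise a Macie finding for the SNS email, tolerating missing fields."""
    detail = event.get("detail", {})
    sev = detail.get("severity", {}).get("description", "UNKNOWN")
    bucket = (detail.get("resourcesAffected", {})
                    .get("s3Bucket", {}).get("name", "<unknown-bucket>"))
    return f"[Macie {sev}] {detail.get('type', 'Finding')} in s3://{bucket}"


def route(event: dict[str, Any]):
    """Return the email subject if the rule would forward this event to SNS, else None."""
    return alert_subject(event) if event_matches(MACIE_FINDING_PATTERN, event) else None


# Constructed sample events: shape follows the Macie finding schema, values are made up.
SAMPLE_MACIE_EVENT = {
    "source": "aws.macie",
    "detail-type": "Macie Finding",
    "account": "111122223333",
    "detail": {
        "id": "example-finding-id",
        "type": "SensitiveData:S3Object/Personal",
        "severity": {"score": 3, "description": "High"},
        "resourcesAffected": {"s3Bucket": {"name": "example-customer-uploads"}},
    },
}
SAMPLE_OTHER_EVENT = {"source": "aws.guardduty", "detail-type": "GuardDuty Finding", "detail": {}}

if __name__ == "__main__":
    for ev in (SAMPLE_MACIE_EVENT, SAMPLE_OTHER_EVENT):
        print(json.dumps({"source": ev["source"], "forwarded": route(ev)}))
```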

Now you won’t need to log in to the AWS Management Console to review Macie findings reactively; you’ll get an email as soon as a finding is made. Let’s leave it at that! Good luck on your Macie journey.