1 Answer
The issue you're facing with the AccessDeniedExceptions from AWS Config calling macie2:GetMacieSession is a known problem, and there are a few ways to address it without enabling Macie:

- Exclude the macie2:GetMacieSession API call from your SecurityHub/CIS metric filters:
  - You can update your SecurityHub/CIS metric filters to exclude the macie2:GetMacieSession API call, which will prevent these AccessDeniedExceptions from triggering false-positive alarms.
  - To do this, you can modify your metric filters to exclude the eventName of "GetMacieSession" or the eventSource of "macie2.amazonaws.com".
- Use AWS Config Aggregator to filter out the AccessDeniedExceptions:
  - If you're using AWS Config Aggregator to centrally manage your AWS Config configurations, you can create a custom Config Aggregator rule to filter out the AccessDeniedExceptions from macie2:GetMacieSession.
  - This approach allows you to address the issue centrally, without having to update your SecurityHub/CIS metric filters in each individual account.
- Use AWS Security Hub Findings Suppression:
  - AWS Security Hub allows you to suppress specific findings, including those triggered by AccessDeniedExceptions.
  - You can create a suppression rule in Security Hub to ignore the findings related to macie2:GetMacieSession API calls.
- Use AWS CloudWatch Logs Metric Filters:
  - Instead of relying on SecurityHub/CIS metric filters, you can create custom CloudWatch Logs Metric Filters to monitor for the AccessDeniedExceptions from macie2:GetMacieSession.
  - This approach allows you to have more control over the metric filters and can help you avoid false-positive alarms.
- Investigate AWS Config Permissions:
  - Check the permissions granted to the AWSServiceRoleForConfig role, which is responsible for the macie2:GetMacieSession API calls.
  - Ensure that the role has the minimum necessary permissions, and consider creating a custom IAM policy with the required permissions instead of using the managed AWSServiceRoleForConfig policy.

By implementing one or more of these solutions, you should be able to effectively eliminate the false-positive alarms caused by the AccessDeniedExceptions from the macie2:GetMacieSession API calls, without the need to enable Macie in your account.
answered 5 months ago
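As an added illustration of the first option in the answer (not code from the answer or from AWS), the standard CIS 3.1 "unauthorized API calls" metric filter pattern is shown beside a version that excludes only the Config-to-Macie GetMacieSession probe by eventSource plus eventName, which is narrower than dropping the whole macie2.amazonaws.com eventSource. The Python matcher is an assumption that mirrors the filter-pattern logic by hand for offline checking against constructed CloudTrail events; it is not the CloudWatch Logs evaluation engine.

```python
import fnmatch

# Standard CIS benchmark 3.1 pattern: any AccessDenied*/UnauthorizedOperation error.
CIS_UNAUTHORIZED_PATTERN = (
    '{ ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }'
)

# Same pattern, minus the Config -> Macie probe. CloudWatch filter syntax has no unary
# negation, so "not (macie2 AND GetMacieSession)" is written with De Morgan's law.
EXCLUDE_MACIE_PROBE_PATTERN = (
    '{ (($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*"))'
    ' && (($.eventSource != "macie2.amazonaws.com") || ($.eventName != "GetMacieSession")) }'
)

def is_unauthorized_call(event: dict, exclude_macie_probe: bool = False) -> bool:
    """Return True if a CloudTrail event would increment the unauthorized-calls metric.

    Assumption: hand-written mirror of the two patterns above, not the CloudWatch engine.
    """
    code = event.get("errorCode", "")
    denied = fnmatch.fnmatchcase(code, "*UnauthorizedOperation") or fnmatch.fnmatchcase(
        code, "AccessDenied*"
    )
    if not denied:
        return False
    if (
        exclude_macie_probe
        and event.get("eventSource") == "macie2.amazonaws.com"
        and event.get("eventName") == "GetMacieSession"
    ):
        return False
    return True

def count_alerts(events: list, exclude_macie_probe: bool) -> int:
    """Number of events that would fire the alarm under the chosen pattern."""
    return sum(is_unauthorized_call(e, exclude_macie_probe) for e in events)

# Constructed sample events (not real log data): the Config/Macie false positive,
# a genuine denial elsewhere, another Macie denial that must still alert, and a success.
MACIE_PROBE = {"eventSource": "macie2.amazonaws.com", "eventName": "GetMacieSession",
               "errorCode": "AccessDeniedException"}
REAL_DENIAL = {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
               "errorCode": "AccessDenied"}
OTHER_MACIE_DENIAL = {"eventSource": "macie2.amazonaws.com", "eventName": "ListFindings",
                      "errorCode": "AccessDeniedException"}
OK_CALL = {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances"}
SAMPLE_EVENTS = [MACIE_PROBE, REAL_DENIAL, OTHER_MACIE_DENIAL, OK_CALL]

if __name__ == "__main__":
    print("CIS pattern alerts:", count_alerts(SAMPLE_EVENTS, False))        # 3
    print("Exclusion pattern alerts:", count_alerts(SAMPLE_EVENTS, True))   # 2
```

Deploy the second pattern string with aws logs put-metric-filter in place of the CIS one; the matcher only demonstrates that the narrowed exclusion drops the GetMacieSession probe while other Macie denials still alert.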