Amazon Macie: how often does the automated discovery run?

0

Hi,

I have a classification error in the coverage issues console in Amazon Macie; the issue is "Permission denied (9) - Update AWS KMS key policies". But the KMS key has all the needed policies:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Allow Macie to use the key",
            "Effect": "Allow",
            "Principal": {
                "Service": "macie.amazonaws.com"
            },
            "Action": [
                "kms:GenerateDataKey",
                "kms:Encrypt"
            ],
            "Resource": "*"
        },
        {
            "Sid": "Allow the Macie service-linked role to use the key",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::account_id:role/aws-service-role/macie.amazonaws.com/AWSServiceRoleForAmazonMacie"
            },
            "Action": "kms:Decrypt",
            "Resource": "*"
        }
    ]
}

There is also info that the automated discovery run last ran 2 weeks ago. How often does the automated discovery run? Do the S3 buckets (that I scan) also need Macie permissions?

I can't find that info.

Thank you

2 Answers
1
Accepted Answer

Hi there,

Macie Automated Data Discovery runs daily, but does not necessarily look at every bucket every day, depending on how much content is scanned, how much has already been scanned, and what the sensitivity score is. For buckets with Permission Denied errors, it may take a few days for the change to be reflected after a KMS policy has been updated.

Two comments on the policy statement above:

Macie should have permissions to the S3 buckets via the Service Linked Role (SLR). Note that if the bucket has any explicit "Deny" statements in the bucket policy, these will override the SLR - that might be worth checking as well.

AWS
answered 9 months ago
  • Hi. Yes, 1: the account is correct. 2: I don't use cross-accounts. I have a deny statement in S3, but this deny is fine as I am using this syntax: "Condition": { "StringNotEquals": { "aws:PrincipalAccount": "account_id" } }. When I go to the classification error and go to details, I see that the latest automated run was 2 months ago. You are telling me it's every day?

  • If you're using Deny but have not added the Macie Service principal to the condition key (which it looks like you haven't), then Macie cannot access the bucket.
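The point raised in this answer, that an explicit Deny in the bucket policy overrides the permissions the Macie service-linked role brings, is the kind of thing worth scripting a check for before opening a support case. The following is an added example, not code from the original thread or from AWS: a triage helper that parses a bucket policy document and lists the Deny statements that cover object reads but never mention the Macie service-linked role ARN or the macie.amazonaws.com service principal in their Condition or NotPrincipal. The account id, bucket name and sample policy are constructed for the example, and the "mentions Macie" test is a heuristic for flagging statements to review by hand, not a full IAM policy evaluator.

```python
import json
from fnmatch import fnmatchcase

# Constructed sample values (not taken from the original post).
ACCOUNT_ID = "111122223333"
MACIE_SLR_ARN = (f"arn:aws:iam::{ACCOUNT_ID}:role/aws-service-role/"
                 "macie.amazonaws.com/AWSServiceRoleForAmazonMacie")
MACIE_SERVICE_PRINCIPAL = "macie.amazonaws.com"

# The read action Macie needs to classify objects; the heuristic checks whether a
# Deny statement's Action pattern covers it (IAM action matching is case-insensitive).
READ_ACTION = "s3:getobject"


def _as_list(value):
    """Policy elements may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _covers_read(stmt):
    """True if the statement's Action/NotAction could apply to s3:GetObject."""
    if "NotAction" in stmt:
        # Conservative: a Deny on "everything except X" is treated as covering reads.
        return True
    return any(fnmatchcase(READ_ACTION, a.lower()) for a in _as_list(stmt.get("Action")))


def _mentions_macie(element):
    """True if the Macie SLR ARN or service principal appears anywhere in the element."""
    text = json.dumps(element)
    return MACIE_SLR_ARN in text or MACIE_SERVICE_PRINCIPAL in text


def find_risky_denies(policy):
    """Return the Sids of Deny statements that cover object reads and never
    reference the Macie service-linked role or service principal in their
    Condition or NotPrincipal. A hit means 'review this statement', not a
    proof of denial: this is a triage heuristic, not an IAM policy evaluator."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Deny" or not _covers_read(stmt):
            continue
        exempted = (_mentions_macie(stmt.get("Condition", {}))
                    or _mentions_macie(stmt.get("NotPrincipal", {})))
        if not exempted:
            findings.append(stmt.get("Sid", f"statement[{i}]"))
    return findings


# Constructed bucket policy that mirrors the shape discussed in the thread.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Blocks every principal outside the account; says nothing about Macie.
            "Sid": "DenyOutsideAccount",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
            "Condition": {"StringNotEquals": {"aws:PrincipalAccount": ACCOUNT_ID}},
        },
        {   # Same intent, but the Macie SLR is carved out explicitly.
            "Sid": "DenyUnlessApprovedRoles",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-bucket/*",
            "Condition": {"ArnNotEquals": {"aws:PrincipalArn": [
                f"arn:aws:iam::{ACCOUNT_ID}:role/DataReader", MACIE_SLR_ARN]}},
        },
        {   # Write-only restriction; irrelevant to classification reads.
            "Sid": "DenyUnencryptedUploads",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::example-bucket/*",
            "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}},
        },
    ],
}

if __name__ == "__main__":
    for sid in find_risky_denies(SAMPLE_POLICY):
        print(f"review Deny statement {sid!r}: it covers object reads and does not exempt Macie")
```

Run it against the output of `aws s3api get-bucket-policy` (the `Policy` field is a JSON string, so `json.loads` it first) for each bucket Macie reports a coverage issue on. Only the first statement in the constructed policy is reported: the second names the SLR in its ArnNotEquals carve-out and the third does not touch reads. Whether a flagged statement really blocks Macie still has to be confirmed with the IAM policy simulator or by reading the statement, since the script does not evaluate conditions.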

0

Does the aws:PrincipalAccount key mean that all services from the account (including Macie) can access the S3 bucket? That's strange, as I have a lot of buckets.

There is only a classification error (not access denied). I have a lot of buckets with the Deny conditions above, but Macie only complains about this bucket?

answered 9 months ago
  • Also, this digit 9 means something like it can't access only 9 objects...
