ChatOps-Macie


Automated ChatOps solution for remediating Amazon Macie findings

This solution establishes an automated event driven workflow for notifying and auto-remediating sensitive data findings from Amazon Macie. Human interaction is via ChatOps style integration with Slack.

Solution Overview

This solution allows for the configuration of the auto-remediation behaviour based on finding type and finding severity. For each finding type you can define if you want the offending S3 object to be automatically quarantined or if you want the finding details to be reviewed and approved by a human in Slack prior to being quarantined. In a similar manner you can define the minimum severity level (Low, Medium, High) that a finding must have before the solution will take action. Adjusting these parameters allows you to manage false positives and tune the volume and type of findings on which you wish to be notified and take action.

The solution architecture and eight step interaction sequence are detailed below in Figure 1.

Figure 1 - Solution Overview (solution architecture diagram)

  1. Amazon Macie is configured with sensitive data discovery jobs (scheduled or ad hoc) which detect sensitive data within Amazon S3 buckets. See here for a full list of the categories of sensitive data Macie can detect.
  2. For each sensitive data finding an event is sent to Amazon EventBridge containing the finding details. An EventBridge rule triggers a Lambda function for processing.
  3. The Finding Handler Lambda function parses the event, examines the type of the finding, and based on auto-remediation configuration will either invoke the Finding Remediator function for immediate remediation, or send finding details for manual review and remediation approval via Slack.
  4. Delegated security / compliance admins monitor the configured Slack channel for notifications. Notifications provide high level finding information, remediation status, and a deep link to the Amazon Macie console for the finding in question. For findings configured for manual review, users can choose to approve the remediation in Slack via an action button on the notification.
  5. After a user clicks the “Remediate” button, Slack issues an API call to an Amazon API Gateway endpoint supplying the unique identifier of the finding to be remediated and the Slack user. API Gateway proxies the request to a remediation handler Lambda function.
  6. The Remediation Handler Lambda function validates the request and request signature, extracts the offending object location from the finding, and makes an asynchronous call to the Finding Remediator Lambda function.
  7. The Finding Remediator Lambda function moves the offending object from the source bucket to a designated S3 quarantine bucket with restricted access.
  8. Finally, the Finding Remediator Lambda function will use a callback URL to update the original finding notification in Slack indicating that the offending object has now been quarantined.

Prerequisites

Before proceeding to deploy the solution, ensure your environment is set up with the following prerequisites.

Important: this solution uses various AWS services, and there are costs associated with these resources after the Free Tier usage. Please see the AWS pricing page for details.

Deploying & Testing the Solution

Full walkthrough instructions for configuring Slack and deploying the solution via AWS CDK are available in a blog post here.

Security

See CONTRIBUTING for more information.

License

This library is licensed under the MIT-0 License. See the LICENSE file.