Amazon Macie

Amazon Macie is a security service that uses machine learning to automatically discover, classify, and protect sensitive data in AWS. Macie recognizes sensitive data such as personally identifiable information (PII) or intellectual property and provides you with dashboards and alerts that give visibility into how this data is being accessed or moved. The fully managed service continuously monitors data access activity for anomalies and generates detailed alerts when it detects risk of unauthorized access or inadvertent data leaks.

Amazon configuration

  1. Create a new S3 bucket. (If you want to use an already created one, skip this step).

  2. Go to Services > Analytics > Kinesis:

    1. If it's the first time you're using this service, you'll see the following screen. Just click on Get started:

  3. Click on Create delivery stream button:

  4. Put a name to your delivery stream and click on the Next button at the bottom of the page:

  5. On the next page, leave both options as Disabled and click on Next:

  6. Select Amazon S3 as the destination, then select the previously created S3 bucket and add a prefix under which logs will be stored. AWS Firehose creates a YYYY/MM/DD/HH file structure; if a prefix such as firehose is used, the resulting structure is firehose/YYYY/MM/DD/HH. Any prefix used here must also be specified in the ThreatLockDown bucket configuration:

  7. You can select the compression you prefer. ThreatLockDown supports any compression format except Snappy. After that, click on Create new or choose:

  8. Give a proper name to the role and click on the Allow button:

  9. The following page is just a summary of the Firehose stream created, go to the bottom of the page and click on the Create delivery stream button:

  10. Go to Services > Management Tools > CloudWatch:

  11. Select Rules on the left menu and click on the Create rule button:

  12. Select the services you want to get logs from using the Service name slider, then click on the Add target button and add the previously created Firehose delivery stream there. Also, create a new role to access the delivery stream.

  13. Give the rule some name and click on the Create rule button:

  14. Once the rule is created, data will start to be sent to the previously created S3 bucket. Remember to enable the service you want to monitor first; otherwise, you won't get any data.

Policy configuration

To create a policy using the Amazon Web Services console, follow the AWS documentation.

Note that the policies below follow the principle of least privilege, so only the minimum permissions required by the ThreatLockDown user are granted.

To allow an AWS user to use the module with read-only permissions, it must have a policy like the following attached:

{
     "Version": "2012-10-17",
     "Statement": [
         {
             "Sid": "VisualEditor0",
             "Effect": "Allow",
             "Action": [
                 "s3:GetObject",
                 "s3:ListBucket"
             ],
             "Resource": [
                 "arn:aws:s3:::<bucket-name>/*",
                 "arn:aws:s3:::<bucket-name>"
             ]
         }
     ]
 }

If it is necessary to delete the log files once they have been collected, the associated policy would be as follows:

{
     "Version": "2012-10-17",
     "Statement": [
         {
             "Sid": "VisualEditor0",
             "Effect": "Allow",
             "Action": [
                 "s3:GetObject",
                 "s3:ListBucket",
                 "s3:DeleteObject"
             ],
             "Resource": [
                 "arn:aws:s3:::<bucket-name>/*",
                 "arn:aws:s3:::<bucket-name>"
             ]
         }
     ]
}

Note

<bucket-name> is a placeholder. Replace it with the actual name of the bucket from which you want to retrieve logs.

Once a policy has been created, there are different methods available to attach it to a user, such as attaching it directly or attaching it to a group to which the user belongs. More information on how to perform those tasks is available in the AWS documentation.
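The two policies above differ only in the optional s3:DeleteObject action, and both scope every resource to a single bucket. The following Python is an added example (not part of this documentation or of the ThreatLockDown project) that generates a policy document in exactly that shape from a bucket name and then audits an arbitrary policy document against it, flagging leftover <bucket-name> placeholders, wildcard resources, resources outside the bucket, and actions the module does not need. The BROAD_POLICY string is a constructed sample used to show what a failed check looks like.

```python
import json

# Actions the AWS S3 module needs: read-only access, plus delete when log
# files are to be removed after collection (per the two policies above).
READ_ACTIONS = ["s3:GetObject", "s3:ListBucket"]
DELETE_ACTION = "s3:DeleteObject"

# Constructed sample of an over-permissive policy, used only for the audit demo.
BROAD_POLICY = """
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "TooBroad", "Effect": "Allow", "Action": "s3:*", "Resource": "*"}
  ]
}
"""


def bucket_resources(bucket_name):
    """Both ARNs a bucket policy needs: the objects (/*) and the bucket itself."""
    return [f"arn:aws:s3:::{bucket_name}/*", f"arn:aws:s3:::{bucket_name}"]


def build_policy(bucket_name, allow_delete=False):
    """Return the least-privilege policy document shown above as a dict."""
    actions = list(READ_ACTIONS) + ([DELETE_ACTION] if allow_delete else [])
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": actions,
                "Resource": bucket_resources(bucket_name),
            }
        ],
    }


def policy_findings(policy, bucket_name):
    """List deviations from the least-privilege shape; empty list means OK."""
    findings = []
    allowed_actions = set(READ_ACTIONS) | {DELETE_ACTION}
    expected_resources = set(bucket_resources(bucket_name))
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        # IAM accepts a single string or a list for both Action and Resource.
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        for action in actions:
            if action not in allowed_actions:
                findings.append(f"action {action} is not needed by the module")
        for res in resources:
            if "<bucket-name>" in res:
                findings.append(f"placeholder left in resource {res}")
            elif res == "*" or res.endswith(":::*"):
                findings.append(f"resource {res} grants access to every bucket")
            elif res not in expected_resources:
                findings.append(f"resource {res} is outside bucket {bucket_name}")
    return findings


if __name__ == "__main__":
    policy = build_policy("my-log-bucket", allow_delete=True)
    print(json.dumps(policy, indent=4))
    print("findings:", policy_findings(policy, "my-log-bucket"))
    print("broad policy findings:", policy_findings(json.loads(BROAD_POLICY), "my-log-bucket"))
```

Running the audit against the generated policy returns no findings, while the constructed broad policy is flagged on both its action and its resource. Running it against a policy where the <bucket-name> placeholder was never replaced reports the placeholder instead of silently passing.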

ThreatLockDown configuration

  1. Open the ThreatLockDown configuration file (/var/ossec/etc/ossec.conf) and add the following block:

    <wodle name="aws-s3">
      <disabled>no</disabled>
      <interval>10m</interval>
      <run_on_start>yes</run_on_start>
      <skip_on_error>yes</skip_on_error>
      <bucket type="custom">
        <name>wazuh-aws-wodle</name>
        <path>macie</path>
        <aws_profile>default</aws_profile>
      </bucket>
    </wodle>
    

    Note

    Check the AWS S3 module reference manual to learn more about each setting.

  2. Restart ThreatLockDown in order to apply the changes:

    • If you're configuring a ThreatLockDown manager:

      # systemctl restart wazuh-manager
      
    • If you're configuring a ThreatLockDown agent:

      # systemctl restart wazuh-agent
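The <path> value in the bucket block has to equal the prefix configured on the Firehose delivery stream (step 6 of the Amazon configuration), because the module only looks for the YYYY/MM/DD/HH partitions under that prefix. The following Python is an added example (not part of this documentation or of the ThreatLockDown project) that reads the bucket block from an ossec.conf fragment, then audits a list of S3 object keys against the configured path, separating keys the module would pick up from keys written under another prefix or outside the hourly layout. Both the configuration fragment and the key listing are constructed samples.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime

# Constructed ossec.conf fragment with the same shape as the block in step 1.
WODLE_XML = """<wodle name="aws-s3">
  <disabled>no</disabled>
  <interval>10m</interval>
  <run_on_start>yes</run_on_start>
  <skip_on_error>yes</skip_on_error>
  <bucket type="custom">
    <name>wazuh-aws-wodle</name>
    <path>macie</path>
    <aws_profile>default</aws_profile>
  </bucket>
</wodle>"""

# Constructed listing: Firehose writes <prefix>/YYYY/MM/DD/HH/<object>.
SAMPLE_KEYS = [
    "macie/2024/05/01/13/macie-events-1-2024-05-01-13-05-22-0001.gz",
    "macie/2024/05/01/14/macie-events-1-2024-05-01-14-00-03-0002.gz",
    "firehose/2024/05/01/13/macie-events-1-2024-05-01-13-10-41-0003.gz",
    "macie/manual-export.json",
]

# prefix / YYYY / MM / DD / HH / object ; the prefix may itself contain slashes.
PARTITION_RE = re.compile(
    r"^(?P<prefix>.+?)/(?P<y>\d{4})/(?P<m>\d{2})/(?P<d>\d{2})/(?P<h>\d{2})/(?P<obj>[^/]+)$"
)


def load_bucket_config(xml_text):
    """Extract name, path and type from the <bucket> element of the wodle block."""
    root = ET.fromstring(xml_text)
    bucket = root.find("bucket")
    return {
        "name": bucket.findtext("name"),
        "path": bucket.findtext("path"),
        "type": bucket.get("type"),
    }


def parse_key(key):
    """Return (prefix, partition datetime) for a Firehose-style key, else None."""
    m = PARTITION_RE.match(key)
    if m is None:
        return None
    try:
        ts = datetime(int(m["y"]), int(m["m"]), int(m["d"]), int(m["h"]))
    except ValueError:  # e.g. month 13 or hour 25: not a real partition
        return None
    return m["prefix"], ts


def audit_keys(keys, path):
    """Classify keys by whether the module, configured with <path>, would read them."""
    result = {"matched": [], "wrong_prefix": [], "unpartitioned": []}
    for key in keys:
        parsed = parse_key(key)
        if parsed is None:
            result["unpartitioned"].append(key)
        elif parsed[0] != path:
            result["wrong_prefix"].append(key)
        else:
            result["matched"].append((key, parsed[1]))
    return result


if __name__ == "__main__":
    cfg = load_bucket_config(WODLE_XML)
    report = audit_keys(SAMPLE_KEYS, cfg["path"])
    for category, keys in report.items():
        print(f"{category}: {keys}")
```

A key under a different prefix (firehose/... in the sample) is a sign that the delivery stream prefix and the <path> setting disagree; objects outside the hourly layout are reported separately so that a manual upload into the same bucket is not mistaken for a configuration error.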
      

Use cases

Amazon S3 (Simple Storage Service) provides secure and reliable storage capacity in the cloud. When using this service, it is highly recommended to monitor it to detect data loss attacks.

Below are some use cases for ThreatLockDown alerts built for S3.

Bucket removal

Multiple alerts will be raised when a bucket has been removed. Some examples are shown below: