AWS - Macie Enum

AWS - Macie Enum

Support HackTricks


Amazon Macie stands out as a service designed to automatically detect, classify, and identify data within an AWS account. It leverages machine learning to continuously monitor and analyze data, primarily focusing on detecting and alerting against unusual or suspicious activities by examining cloud trail event data and user behavior patterns.

Key Features of Amazon Macie:

  1. Active Data Review: Employs machine learning to review data actively as various actions occur within the AWS account.

  2. Anomaly Detection: Identifies irregular activities or access patterns, generating alerts to mitigate potential data exposure risks.

  3. Continuous Monitoring: Automatically monitors and detects new data in Amazon S3, employing machine learning and artificial intelligence to adapt to data access patterns over time.

  4. Data Classification with NLP: Utilizes natural language processing (NLP) to classify and interpret different data types, assigning risk scores to prioritize findings.

  5. Security Monitoring: Identifies security-sensitive data, including API keys, secret keys, and personal information, helping to prevent data leaks.

Amazon Macie is a regional service and requires the 'AWSMacieServiceCustomerSetupRole' IAM Role and an enabled AWS CloudTrail for functionality.

Alert System

Macie categorizes alerts into predefined categories like:

  • Anonymized access

  • Data compliance

  • Credential Loss

  • Privilege escalation

  • Ransomware

  • Suspicious access, etc.

These alerts provide detailed descriptions and result breakdowns for effective response and resolution.

Dashboard Features

The dashboard categorizes data into various sections, including:

  • S3 Objects (by time range, ACL, PII)

  • High-risk CloudTrail events/users

  • Activity Locations

  • CloudTrail user identity types, and more.

User Categorization

Users are classified into tiers based on the risk level of their API calls:

  • Platinum: High-risk API calls, often with admin privileges.

  • Gold: Infrastructure-related API calls.

  • Silver: Medium-risk API calls.

  • Bronze: Low-risk API calls.

Identity Types

Identity types include Root, IAM user, Assumed Role, Federated User, AWS Account, and AWS Service, indicating the source of requests.

Data Classification

Data classification encompasses:

  • Content-Type: Based on detected content type.

  • File Extension: Based on file extension.

  • Theme: Categorized by keywords within files.

  • Regex: Categorized based on specific regex patterns.

The highest risk among these categories determines the file's final risk level.

Research and Analysis

Amazon Macie's research function allows for custom queries across all Macie data for in-depth analysis. Filters include CloudTrail Data, S3 Bucket properties, and S3 Objects. Moreover, it supports inviting other accounts to share Amazon Macie, facilitating collaborative data management and security monitoring.


# Get buckets
aws macie2 describe-buckets

# Org config
aws macie2 describe-organization-configuration

# Get admin account (if any)
aws macie2 get-administrator-account
aws macie2 list-organization-admin-accounts # Run from the management account of the org

# Get macie account members (run this form the admin account)
aws macie2 list-members

# Check if automated sensitive data discovey is enabled
aws macie2 get-automated-discovery-configuration

# Get findings
aws macie2 list-findings
aws macie2 get-findings --finding-ids <ids>
aws macie2 list-findings-filters
aws macie2 get -findings-filters --id <id>

# Get allow lists
aws macie2 list-allow-lists
aws macie2 get-allow-list --id <id>

# Get different info
aws macie2 list-classification-jobs
aws macie2 list-classification-scopes
aws macie2 list-custom-data-identifiers

Post Exploitation

From an attackers perspective, this service isn't made to detect the attacker, but to detect sensitive information in the stored files. Therefore, this service might help an attacker to find sensitive info inside the buckets. However, maybe an attacker could also be interested in disrupting it in order to prevent the victim from getting alerts and steal that info easier.

TODO: PRs are welcome!


Support HackTricks

Last updated