AWS - Macie Enum
tip
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Macie
Amazon Macie is a service designed to automatically discover, classify, and protect data within an AWS account. It leverages machine learning to continuously monitor and analyze data, primarily focusing on detecting and alerting on unusual or suspicious activity by examining CloudTrail event data and user behavior patterns.
Key Features of Amazon Macie:
- Active Data Review: Employs machine learning to review data actively as various actions occur within the AWS account.
- Anomaly Detection: Identifies irregular activities or access patterns, generating alerts to mitigate potential data exposure risks.
- Continuous Monitoring: Automatically monitors and detects new data in Amazon S3, employing machine learning and artificial intelligence to adapt to data access patterns over time.
- Data Classification with NLP: Utilizes natural language processing (NLP) to classify and interpret different data types, assigning risk scores to prioritize findings.
- Security Monitoring: Identifies security-sensitive data, including API keys, secret keys, and personal information, helping to prevent data leaks.
Amazon Macie is a regional service and requires the 'AWSMacieServiceCustomerSetupRole' IAM Role and an enabled AWS CloudTrail for functionality.
Alert System
Macie categorizes alerts into predefined categories like:
- Anonymized access
- Data compliance
- Credential Loss
- Privilege escalation
- Ransomware
- Suspicious access, etc.
These alerts provide detailed descriptions and result breakdowns for effective response and resolution.
Dashboard Features
The dashboard categorizes data into various sections, including:
- S3 Objects (by time range, ACL, PII)
- High-risk CloudTrail events/users
- Activity Locations
- CloudTrail user identity types, and more.
User Categorization
Users are classified into tiers based on the risk level of their API calls:
- Platinum: High-risk API calls, often with admin privileges.
- Gold: Infrastructure-related API calls.
- Silver: Medium-risk API calls.
- Bronze: Low-risk API calls.
Identity Types
Identity types include Root, IAM user, Assumed Role, Federated User, AWS Account, and AWS Service, indicating the source of requests.
Data Classification
Data classification encompasses:
- Content-Type: Based on detected content type.
- File Extension: Based on file extension.
- Theme: Categorized by keywords within files.
- Regex: Categorized based on specific regex patterns.
The highest risk among these categories determines the file's final risk level.
Research and Analysis
Amazon Macie's research function allows for custom queries across all Macie data for in-depth analysis. Filters include CloudTrail Data, S3 Bucket properties, and S3 Objects. Moreover, it supports inviting other accounts to share Amazon Macie, facilitating collaborative data management and security monitoring.
Enumeration
# Get buckets
aws macie2 describe-buckets
# Org config
aws macie2 describe-organization-configuration
# Get admin account (if any)
aws macie2 get-administrator-account
aws macie2 list-organization-admin-accounts # Run from the management account of the org
# Get Macie account members (run this from the admin account)
aws macie2 list-members
# Check if automated sensitive data discovery is enabled
aws macie2 get-automated-discovery-configuration
# Get findings
aws macie2 list-findings
aws macie2 get-findings --finding-ids <ids>
aws macie2 list-findings-filters
aws macie2 get-findings-filter --id <id>
# Get allow lists
aws macie2 list-allow-lists
aws macie2 get-allow-list --id <id>
# Get different info
aws macie2 list-classification-jobs
aws macie2 list-classification-scopes
aws macie2 list-custom-data-identifiers
Post Exploitation
tip
From an attacker's perspective, this service isn't made to detect the attacker, but to detect sensitive information in the stored files. Therefore, this service might help an attacker find sensitive info inside the buckets.
However, an attacker could also be interested in disrupting it in order to prevent the victim from getting alerts and to steal that info more easily.
TODO: PRs are welcome!
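The enumeration commands above and the disruption scenario in the tip both come down to reading Macie's JSON and spotting what matters. The following stdlib-only script is an added example, not HackTricks' own code: it parses constructed sample output of `get-administrator-account`, `get-automated-discovery-configuration`, `list-findings-filters`, `describe-buckets` and `get-findings`, and surfaces what a defender checks first: findings filters whose action is ARCHIVE (these silently suppress matching findings, which is exactly the kind of disruption the tip describes), whether automated discovery is enabled, public buckets that Macie scores as sensitive, and open findings per bucket. Field names follow the Macie2 API response shapes; the sample values and the sensitivity threshold are assumptions.

```python
"""Triage the JSON returned by the `aws macie2` enumeration commands.

Added example, not from the HackTricks page. Every sample document below is
constructed; the field names follow the Macie2 API response shapes.
"""
import json

# Constructed sample output of `aws macie2 get-administrator-account`
ADMIN_JSON = '{"administrator": {"accountId": "111111111111", "relationshipStatus": "Enabled"}}'
# Constructed sample output of `aws macie2 get-automated-discovery-configuration`
DISCOVERY_JSON = '{"status": "DISABLED"}'
# Constructed sample output of `aws macie2 list-findings-filters`
FILTERS_JSON = json.dumps({"findingsFilterListItems": [
    {"id": "f-noop", "name": "triage-credentials", "action": "NOOP"},
    {"id": "f-arch", "name": "cleanup", "action": "ARCHIVE"},
]})
# Constructed sample output of `aws macie2 describe-buckets`
BUCKETS_JSON = json.dumps({"buckets": [
    {"bucketName": "corp-backups", "publicAccess": {"effectivePermission": "NOT_PUBLIC"},
     "sensitivityScore": 80, "classifiableObjectCount": 1200},
    {"bucketName": "marketing-site", "publicAccess": {"effectivePermission": "PUBLIC"},
     "sensitivityScore": 75, "classifiableObjectCount": 300},
]})
# Constructed sample output of `aws macie2 get-findings --finding-ids ...`
FINDINGS_JSON = json.dumps({"findings": [
    {"id": "a1", "type": "SensitiveData:S3Object/Credentials", "archived": False,
     "severity": {"description": "High", "score": 3},
     "resourcesAffected": {"s3Bucket": {"name": "corp-backups"}}},
    {"id": "a2", "type": "SensitiveData:S3Object/Personal", "archived": True,
     "severity": {"description": "Medium", "score": 2},
     "resourcesAffected": {"s3Bucket": {"name": "marketing-site"}}},
    {"id": "a3", "type": "Policy:IAMUser/S3BucketPublic", "archived": False,
     "severity": {"description": "High", "score": 3},
     "resourcesAffected": {"s3Bucket": {"name": "marketing-site"}}},
]})


def archive_filters(filters_doc):
    """Names of findings filters with action ARCHIVE. Such a filter auto-archives
    every finding it matches, so it is the first place to look for suppression."""
    return [f["name"] for f in filters_doc.get("findingsFilterListItems", [])
            if f.get("action") == "ARCHIVE"]


def risky_buckets(buckets_doc, min_score=51):
    """Buckets that are effectively public and whose Macie sensitivity score is at
    least min_score (assumption: 51 is used here as the 'sensitive' cut-off)."""
    return sorted(b["bucketName"] for b in buckets_doc.get("buckets", [])
                  if b.get("sensitivityScore", 0) >= min_score
                  and b.get("publicAccess", {}).get("effectivePermission") == "PUBLIC")


def open_findings_by_bucket(findings_doc):
    """Count unarchived findings per affected bucket and keep the highest severity score."""
    out = {}
    for f in findings_doc.get("findings", []):
        if f.get("archived"):
            continue  # archived findings no longer raise alerts
        name = f.get("resourcesAffected", {}).get("s3Bucket", {}).get("name", "<unknown>")
        entry = out.setdefault(name, {"count": 0, "max_score": 0})
        entry["count"] += 1
        entry["max_score"] = max(entry["max_score"], f.get("severity", {}).get("score", 0))
    return out


def summarize(admin_json, discovery_json, filters_json, buckets_json, findings_json):
    """Combine the individual checks into one posture summary."""
    admin = json.loads(admin_json).get("administrator") or {}
    return {
        "delegated_admin": admin.get("accountId"),
        "automated_discovery": json.loads(discovery_json).get("status") == "ENABLED",
        "archive_filters": archive_filters(json.loads(filters_json)),
        "public_sensitive_buckets": risky_buckets(json.loads(buckets_json)),
        "open_findings": open_findings_by_bucket(json.loads(findings_json)),
    }


if __name__ == "__main__":
    report = summarize(ADMIN_JSON, DISCOVERY_JSON, FILTERS_JSON, BUCKETS_JSON, FINDINGS_JSON)
    print(json.dumps(report, indent=2))
```

To use it against a real account, replace each constant with the output of the corresponding `aws macie2` command (for example `aws macie2 list-findings-filters > filters.json`) and pass the file contents to `summarize`. An ARCHIVE filter that nobody on the security team recognizes, or automated discovery reported as DISABLED when it used to be on, are the two results worth escalating immediately.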