The Macie Organization solution enables Amazon Macie by delegating administration from the Organization Management account to the Audit account, then configuring Macie in the delegated administrator account for all existing and future accounts in the AWS Organization. Macie is also configured to send its findings to a central S3 bucket encrypted with a KMS key.

Terraform templates for the prerequisites below, together with their README, are in the Prerequisites directory of this repository.
## Prerequisites

### Audit account

In this step a KMS key is created in the Audit account. It is used to encrypt the objects in the S3 bucket that will be created in the Log Archive account.

KMS key creation steps in the Control Tower Audit account:

- Clone the repository locally using `git clone`
- Go to the `prerequisites/AUDIT` folder
- Update the `terraform.tfvars` file with the appropriate details
- Run the Terraform commands to deploy these resources in the Audit account:

```sh
export AWS_REGION={{ REGION }}
terraform init
terraform plan
terraform apply
```
### Log Archive account

In this step an S3 bucket is created in the Log Archive account, encrypted with the KMS key created in the previous step.

S3 bucket creation steps in the Control Tower Log Archive account:

- Clone the repository locally using `git clone`
- Go to the `prerequisites/LOGARCHIVE` folder
- Update the `terraform.tfvars` file with the appropriate details
- Run the Terraform commands to deploy these resources in the Log Archive account:

```sh
terraform init
terraform plan
terraform apply
```
### Organization Management account

Delegate Macie administration to the Control Tower Audit account:

- Clone the repository locally using `git clone`
- Go to the `prerequisites/MANAGEMENT` folder
- Update the `terraform.tfvars` file with the appropriate details
- Run the Terraform commands to deploy these resources in the Management account:

```sh
terraform init
terraform plan
terraform apply
```

- Log in to the Management account and validate that Macie administration has been delegated to the Audit account
- Also validate that Macie is enabled in the Audit account
No requirements.

No providers.

Modules:

| Name | Source | Version |
|---|---|---|
| Delegation_Admin_Access | ../../modules/delegation-access-module | n/a |

Resources:

| Name | Type |
|---|---|
| aws_macie2_organization_admin_account.admin_account | resource |

Inputs:

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| audit_account_id | ID of the account to which Macie administration is delegated | string | n/a | yes |

No outputs.
## Deployment

### Audit account

Macie customization in the Audit account:

- Clone the repository locally using `git clone`
- Go to the `deployment` folder
- Update the `terraform.tfvars` file with the appropriate details
- Run the Terraform commands to deploy these resources in the Audit account:

```sh
terraform init
terraform plan
terraform apply
```

- Log in to the Audit account and validate that Macie is monitoring the S3 buckets of all accounts and that the findings export configuration is in place
- Also validate that auto-enable is turned on
No requirements.

No providers.

Modules:

| Name | Source | Version |
|---|---|---|
| Macie_customization | ../../modules/macie-customization-module | n/a |

Resources:

| Name | Type |
|---|---|
| aws_macie2_classification_export_configuration.macieconfiguration | resource |
| aws_macie2_member.this | resource |
| null_resource.Autoenablemode | resource |
| aws_caller_identity.current | data source |

Inputs:

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| LogArchiveAccountId | Account ID of the Log Archive account | string | n/a | yes |
| MacieOrgDeliveryKeyAlias | ARN of the KMS key created as part of the prerequisites | string | n/a | yes |
| ManagementAccountId | Account ID of the Management account | string | n/a | yes |
| autoenablemode | Auto-enable option that enables Macie automatically for new accounts | string | "yes" | no |
| exports3bucket | Name of the S3 bucket created as part of the prerequisites | string | n/a | yes |
| member_accounts | List of member accounts | list(object({ | n/a | yes |

No outputs.
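As an added illustration (not the repository's own module code), the resources named in the module tables above wired together in one Terraform configuration. It assumes two provider aliases (`aws.management` and `aws.audit`), a `member_accounts` object shape of `account_id` and `email`, a `macie/` key prefix, and that the prerequisite bucket policy and KMS key policy already allow the Macie service to write and encrypt findings, which the export configuration requires.

```hcl
# Added example (not the repository's modules). Assumes provider aliases
# aws.management and aws.audit, and variables matching the inputs documented above.
variable "audit_account_id"         { type = string }
variable "exports3bucket"           { type = string }
variable "MacieOrgDeliveryKeyAlias" { type = string } # KMS key ARN, per the inputs table
variable "member_accounts" {
  type = list(object({ account_id = string, email = string })) # assumed object shape
}

# Management account: delegate Macie administration to the Audit account.
resource "aws_macie2_organization_admin_account" "admin_account" {
  provider         = aws.management
  admin_account_id = var.audit_account_id
}

# Audit (delegated administrator) account: Macie must be enabled here before
# the export configuration or member accounts can be managed.
resource "aws_macie2_account" "audit" {
  provider                     = aws.audit
  status                       = "ENABLED"
  finding_publishing_frequency = "FIFTEEN_MINUTES"
  depends_on                   = [aws_macie2_organization_admin_account.admin_account]
}

# Findings are written to the Log Archive bucket, encrypted with the Audit KMS key.
# The bucket policy and key policy must already allow the Macie service principal.
resource "aws_macie2_classification_export_configuration" "macieconfiguration" {
  provider = aws.audit
  s3_destination {
    bucket_name = var.exports3bucket
    key_prefix  = "macie/" # assumed prefix
    kms_key_arn = var.MacieOrgDeliveryKeyAlias
  }
  depends_on = [aws_macie2_account.audit]
}

# Enrol each existing member account from the delegated administrator;
# accounts created later are covered by the auto-enable setting applied separately.
resource "aws_macie2_member" "this" {
  for_each   = { for m in var.member_accounts : m.account_id => m }
  provider   = aws.audit
  account_id = each.value.account_id
  email      = each.value.email
  status     = "ENABLED"
  depends_on = [aws_macie2_account.audit]
}
```

After `terraform apply`, the validation steps below confirm the delegation in the Management account and the member enrolment and export destination in the Audit account.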
## Validation

- Log in to the Management account and navigate to the Macie page
- Validate that the delegated administrator account is set
- Log in to the Audit account and navigate to the Macie page
- Verify that the correct Macie configurations have been applied
- Verify that all existing accounts have been enabled
- Verify that the findings export is configured for the S3 bucket
- Generate sample findings to verify S3 delivery
- Log in to the Log Archive account and navigate to the S3 page
- Verify that the sample findings have been delivered
See CONTRIBUTING for more information.
This library is licensed under the MIT-0 License. See the LICENSE file.