How to add Discovery results to Amazon S3 for sensitive data discovery results in Amazon Macie

When you create a job in Amazon Macie, you are warned if you have not configured an S3 bucket for sensitive data discovery results. If you do not configure one, Macie deletes your results within 90 days. In this article, let’s see how to add Discovery results to Amazon S3 for sensitive data discovery results.

Create an S3 bucket, and make sure that the IAM identity you are using is allowed to perform the following actions:

  • s3:CreateBucket
  • s3:GetBucketLocation
  • s3:ListAllMyBuckets
  • s3:PutBucketAcl
  • s3:PutBucketPolicy
  • s3:PutBucketPublicAccessBlock
  • s3:PutObject

Create an AWS KMS key and verify that you’re allowed to perform the kms:ListAliases action. Then open the key that you created, click Key policy, and choose Edit as shown below.

Add the following statement to the policy and click save.

{
    "Sid": "Allow Macie to use the key",
    "Effect": "Allow",
    "Principal": {
        "Service": "macie.amazonaws.com"
    },
    "Action": [
        "kms:GenerateDataKey",
        "kms:Encrypt"
    ],
    "Resource": "*"
}

Now go to Amazon Macie and, under Settings, click Discovery results. Choose the bucket and KMS key that you created and click Save, as shown below.
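The same three steps can be scripted. The following is an added example, not code from the original post: it merges the post's key-policy statement into an existing KMS key policy, builds the payload for the macie2 PutClassificationExportConfiguration API, and shows the boto3 calls that apply both. The Condition block is an addition (an assumed aws:SourceArn pattern) that limits the grant to Macie acting for your own account, which the post's statement alone does not; the sample key policy, account ID, region and bucket name are constructed values.

```python
import json

MACIE_SID = "Allow Macie to use the key"

# Constructed sample: the default key policy KMS creates for a new key.
SAMPLE_KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Enable IAM User Permissions",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
        "Action": "kms:*",
        "Resource": "*",
    }],
}


def macie_key_statement(account_id: str, region: str) -> dict:
    """The post's statement plus a confused-deputy guard (the Condition
    and its ARN pattern are assumptions, not part of the original post)."""
    return {
        "Sid": MACIE_SID,
        "Effect": "Allow",
        "Principal": {"Service": "macie.amazonaws.com"},
        "Action": ["kms:GenerateDataKey", "kms:Encrypt"],
        "Resource": "*",  # inside a key policy, "*" means this key only
        "Condition": {
            "StringEquals": {"aws:SourceAccount": account_id},
            "ArnLike": {"aws:SourceArn": f"arn:aws:macie2:{region}:{account_id}:*"},
        },
    }


def add_macie_statement(policy: dict, account_id: str, region: str) -> dict:
    """Return a copy of the key policy with the Macie statement added.
    Any earlier statement with the same Sid is replaced, so re-runs are idempotent."""
    kept = [s for s in policy.get("Statement", []) if s.get("Sid") != MACIE_SID]
    return {**policy, "Statement": kept + [macie_key_statement(account_id, region)]}


def export_configuration(bucket: str, key_arn: str, prefix: str = "macie-results/") -> dict:
    """Payload for macie2 put_classification_export_configuration."""
    return {"s3Destination": {"bucketName": bucket, "keyPrefix": prefix, "kmsKeyArn": key_arn}}


def apply(key_id: str, key_arn: str, bucket: str, account_id: str, region: str) -> None:
    """Push the updated key policy and the Macie export configuration (needs AWS credentials)."""
    import boto3
    kms = boto3.client("kms", region_name=region)
    current = json.loads(kms.get_key_policy(KeyId=key_id, PolicyName="default")["Policy"])
    updated = add_macie_statement(current, account_id, region)
    kms.put_key_policy(KeyId=key_id, PolicyName="default", Policy=json.dumps(updated))
    macie = boto3.client("macie2", region_name=region)
    macie.put_classification_export_configuration(configuration=export_configuration(bucket, key_arn))
```

Run apply() once per account and region where Macie is enabled; the merge step leaves the root-account statement in place so you cannot lock yourself out of the key.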

Happy Programming!!
