This guide walks you through the steps needed to collect AWS Macie alerts and events using the SkyFormation for AWS cloud connector and send them to your SIEM/Log system of choice.
Steps to do in your AWS
Configure your AWS to monitor Macie events with CloudWatch Events.
The following AWS guide https://docs.aws.amazon.com/macie/latest/userguide/macie-cloudwatch.html will show you how to:
- Configure your master Macie account to receive events in CloudWatch Events from Macie
- Pipe those events into an Amazon Simple Queue Service (Amazon SQS) queue.
Once completed, you will only need to have your SQS URL at hand for the SkyFormation for AWS cloud connector settings.
In addition, grant the AWS IAM user used for the SkyFormation AWS connector the following
permissions (only for the Macie-provided SQS queue)
The following AWS guide https://docs.aws.amazon.com/macie/latest/userguide/macie-
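One way to keep the connector's IAM user scoped to the Macie queue only, as an added example that is not SkyFormation's or AWS's own code: it derives the queue ARN from the SQS URL, builds a policy limited to that ARN, and flags any statement that grants SQS actions elsewhere. The action list is an assumption (typical for a queue consumer; this page does not list the connector's required permissions), and the sample URL and account ID are constructed.

```python
import json
import re

# ASSUMPTION: typical queue-consumer actions, not a list taken from this page.
ASSUMED_ACTIONS = ["sqs:ReceiveMessage", "sqs:DeleteMessage", "sqs:GetQueueAttributes"]
# Constructed sample value; replace with the SQS URL from the steps above.
SAMPLE_URL = "https://sqs.us-east-1.amazonaws.com/123456789012/macie-events-example"

# Standard "aws" partition only; other partitions use different hostnames and ARN prefixes.
_URL_RE = re.compile(r"^https://sqs\.(?P<region>[a-z0-9-]+)\.amazonaws\.com/"
                     r"(?P<account>\d{12})/(?P<name>[A-Za-z0-9_-]{1,80}(?:\.fifo)?)$")

def queue_arn_from_url(url):
    """Convert an SQS queue URL into the ARN used in IAM Resource fields."""
    m = _URL_RE.match(url)
    if not m:
        raise ValueError("not a standard-partition SQS queue URL: %r" % url)
    return "arn:aws:sqs:{region}:{account}:{name}".format(**m.groupdict())

def connector_policy(queue_url, actions=ASSUMED_ACTIONS):
    """Identity policy allowing the given actions on exactly one queue."""
    return {"Version": "2012-10-17",
            "Statement": [{"Sid": "MacieQueueOnly", "Effect": "Allow",
                           "Action": list(actions),
                           "Resource": queue_arn_from_url(queue_url)}]}

def _as_list(value):
    return [value] if isinstance(value, (str, dict)) else list(value)

def overbroad_sqs_statements(policy, queue_arn):
    """Return Allow statements that grant SQS actions on anything but queue_arn."""
    findings = []
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        touches_sqs = any(a == "*" or a.lower().startswith("sqs:") for a in actions)
        if touches_sqs and any(r != queue_arn for r in resources):
            findings.append(st)
    return findings

if __name__ == "__main__":
    policy = connector_policy(SAMPLE_URL)
    print(json.dumps(policy, indent=2))
    print("over-broad statements:",
          overbroad_sqs_statements(policy, queue_arn_from_url(SAMPLE_URL)))
```

The audit function can also be run over the user's existing policy documents to confirm that no statement grants SQS access with a wildcard resource.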
Steps to do in your SkyFormation app
- Log in to your SkyFormation webapp
- Go to SETTINGS->ACCOUNTS
- Focus on the AWS connector you want to configure to collect the Macie alerts
- Press its EDIT button and scroll to the top of the page for its settings
- Add the SQS URL value from the previous section
- Press SAVE