diff --git a/aws_sra_examples/solutions/macie/macie_org/README.md b/aws_sra_examples/solutions/macie/macie_org/README.md
index 3c50afe3a..2eb85cca8 100644
--- a/aws_sra_examples/solutions/macie/macie_org/README.md
+++ b/aws_sra_examples/solutions/macie/macie_org/README.md
@@ -14,7 +14,7 @@ Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. SPDX-License-
## Introduction
The Macie Organization solution will enable Amazon Macie by delegating administration to a member account within the Organization Management Account and configuring Macie within the delegated administrator account for all the existing and future AWS
-Organization accounts. Macie is also configured to send the findings to a central S3 bucket encrypted with a KMS key.
+Organization accounts. Macie is also configured to send the findings to a central S3 bucket encrypted with a KMS key. Additionally, a daily Macie classification job can be created to analyze objects in Amazon Simple Storage Service (Amazon S3) general purpose buckets.
---
diff --git a/aws_sra_examples/solutions/macie/macie_org/customizations_for_aws_control_tower/manifest.yaml b/aws_sra_examples/solutions/macie/macie_org/customizations_for_aws_control_tower/manifest.yaml
index e9d877aa0..aac5a2d19 100644
--- a/aws_sra_examples/solutions/macie/macie_org/customizations_for_aws_control_tower/manifest.yaml
+++ b/aws_sra_examples/solutions/macie/macie_org/customizations_for_aws_control_tower/manifest.yaml
@@ -33,6 +33,13 @@ resources:
parameter_value: INFO
- parameter_key: pSRAAlarmEmail
parameter_value: ''
+ - parameter_key: pCreateMacieJob
+ parameter_value: 'true'
+ - parameter_key: pExcludesTagKey
+ parameter_value: 'sra-exclude-from-default-job'
+ - parameter_key: pMacieJobName
+ parameter_value: 'sra-macie-classification-job'
+
deploy_method: stack_set
deployment_targets:
accounts:
diff --git a/aws_sra_examples/solutions/macie/macie_org/customizations_for_aws_control_tower/parameters/sra-macie-org-main-ssm.json b/aws_sra_examples/solutions/macie/macie_org/customizations_for_aws_control_tower/parameters/sra-macie-org-main-ssm.json
index d75214dcb..b1d63f2c4 100644
--- a/aws_sra_examples/solutions/macie/macie_org/customizations_for_aws_control_tower/parameters/sra-macie-org-main-ssm.json
+++ b/aws_sra_examples/solutions/macie/macie_org/customizations_for_aws_control_tower/parameters/sra-macie-org-main-ssm.json
@@ -44,7 +44,15 @@
"ParameterValue": ""
},
{
- "ParameterKey": "pSRAStagingS3BucketName",
- "ParameterValue": ""
+ "ParameterKey": "pCreateMacieJob",
+ "ParameterValue": "true"
+ },
+ {
+ "ParameterKey": "pExcludesTagKey",
+ "ParameterValue": "sra-exclude-from-default-job"
+ },
+ {
+ "ParameterKey": "pMacieJobName",
+ "ParameterValue": "sra-macie-classification-job"
}
]
\ No newline at end of file
diff --git a/aws_sra_examples/solutions/macie/macie_org/lambda/src/app.py b/aws_sra_examples/solutions/macie/macie_org/lambda/src/app.py
index c51d432ef..ec64bd086 100644
--- a/aws_sra_examples/solutions/macie/macie_org/lambda/src/app.py
+++ b/aws_sra_examples/solutions/macie/macie_org/lambda/src/app.py
@@ -12,6 +12,7 @@
Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
SPDX-License-Identifier: MIT-0
"""
+
from __future__ import annotations
import json
@@ -92,6 +93,10 @@ def process_create_update_event(params: dict, regions: list) -> None:
params["KMS_KEY_ARN"],
params["FINDING_PUBLISHING_FREQUENCY"],
)
+ if params["CREATE_MACIE_JOB"]:
+ macie.create_macie_job(
+ params["CONFIGURATION_ROLE_NAME"], params["DELEGATED_ADMIN_ACCOUNT_ID"], regions, params["MACIE_JOB_NAME"], params["TAG_KEY"]
+ )
def parameter_pattern_validator(parameter_name: str, parameter_value: str, pattern: str) -> None:
@@ -147,7 +152,12 @@ def get_validated_parameters(event: CloudFormationCustomResourceEvent) -> dict:
pattern=r"^arn:(aws[a-zA-Z-]*){1}:sns:[a-z0-9-]+:\d{12}:[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$",
)
parameter_pattern_validator("MANAGEMENT_ACCOUNT_ID", params.get("MANAGEMENT_ACCOUNT_ID", ""), pattern=r"^\d{12}$")
+ parameter_pattern_validator("CREATE_MACIE_JOB", params.get("CREATE_MACIE_JOB", ""), pattern=r"^true|false$")
+ parameter_pattern_validator("MACIE_JOB_NAME", params.get("MACIE_JOB_NAME", ""), pattern=r"^[\w-]{1,500}$")
+ parameter_pattern_validator("TAG_KEY", params.get("TAG_KEY", ""), pattern=r"^[\w-]{1,64}$")
+ # Convert true/false string parameters to boolean
+ params.update({"CREATE_MACIE_JOB": (params["CREATE_MACIE_JOB"] == "true")})
return params
diff --git a/aws_sra_examples/solutions/macie/macie_org/lambda/src/macie.py b/aws_sra_examples/solutions/macie/macie_org/lambda/src/macie.py
index 5e2e863bb..728621d62 100644
--- a/aws_sra_examples/solutions/macie/macie_org/lambda/src/macie.py
+++ b/aws_sra_examples/solutions/macie/macie_org/lambda/src/macie.py
@@ -7,6 +7,7 @@
Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
SPDX-License-Identifier: MIT-0
"""
+
from __future__ import annotations
import json
@@ -21,7 +22,7 @@
if TYPE_CHECKING:
from mypy_boto3_macie2 import Macie2Client
- from mypy_boto3_macie2.type_defs import ListOrganizationAdminAccountsResponseTypeDef
+ from mypy_boto3_macie2.type_defs import CreateClassificationJobRequestRequestTypeDef, ListOrganizationAdminAccountsResponseTypeDef
from mypy_boto3_organizations import OrganizationsClient
from mypy_boto3_sns import SNSClient
@@ -180,6 +181,45 @@ def enable_macie(
LOGGER.info(f"Macie already enabled in {region}.")
+def create_macie_job(configuration_role_name: str, admin_account_id: str, regions: list, job_name: str, tag_key: str) -> None:
+ """Create Macie job.
+
+ Args:
+ configuration_role_name: Configuration Role Name
+ admin_account_id: Delegated administrator account id
+ regions: AWS Region List
+ job_name: Macie job name
+ tag_key: Macie job tag key for bucket criteria
+ """
+ kwargs: CreateClassificationJobRequestRequestTypeDef = { # type: ignore[typeddict-item] # noqa: ECE001
+ "description": "SRA Macie job (Daily)",
+ "jobType": "SCHEDULED",
+ "initialRun": True,
+ "name": job_name,
+ "managedDataIdentifierSelector": "ALL",
+ "s3JobDefinition": {
+ "bucketCriteria": {"excludes": {"and": [{"tagCriterion": {"comparator": "EQ", "tagValues": [{"key": tag_key, "value": "True"}]}}]}}
+ },
+ "samplingPercentage": 100,
+ "scheduleFrequency": {"dailySchedule": {}},
+ "tags": {"sra-solution": "sra-macie-org"},
+ }
+ account_session: boto3.Session = boto3.Session()
+
+ if configuration_role_name:
+ account_session = common.assume_role(configuration_role_name, "sra-enable-macie", admin_account_id)
+ for region in regions:
+ regional_client: Macie2Client = account_session.client("macie2", region_name=region, config=BOTO3_CONFIG)
+ try:
+ response = regional_client.create_classification_job(**kwargs)
+ LOGGER.debug({"API_Call": "macie2:CreateClassificationJob", "API_Response": response})
+ LOGGER.info(f"Created Macie classification job '{job_name}' in {region}")
+ except ClientError as e:
+ error_code = e.response["Error"]["Code"]
+ if error_code == "ResourceInUseException":
+ LOGGER.info(f"Macie classification job '{job_name}' already exists in {region}")
+
+
def process_delete_event(params: dict, regions: list, account_ids: list, include_members: bool = False) -> None:
"""Delete Macie solution resources.
diff --git a/aws_sra_examples/solutions/macie/macie_org/templates/sra-macie-org-configuration-role.yaml b/aws_sra_examples/solutions/macie/macie_org/templates/sra-macie-org-configuration-role.yaml
index 30b7ca7b3..2ce4009b1 100644
--- a/aws_sra_examples/solutions/macie/macie_org/templates/sra-macie-org-configuration-role.yaml
+++ b/aws_sra_examples/solutions/macie/macie_org/templates/sra-macie-org-configuration-role.yaml
@@ -114,6 +114,7 @@ Resources:
- macie2:PutClassificationExportConfiguration
- macie2:UpdateMacieSession
- macie2:UpdateOrganizationConfiguration
+ - macie2:TagResource
Resource: '*'
- Sid: MacieMember
@@ -124,6 +125,15 @@ Resources:
- macie2:DisassociateMember
- macie2:GetMember
Resource: !Sub arn:${AWS::Partition}:macie2:*:${AWS::AccountId}:*
+
+ - Sid: MacieClassifications
+ Effect: Allow
+ Action:
+ - macie2:CreateClassificationJob
+ Resource: '*'
+ Condition:
+ StringEquals:
+ aws:ResourceTag/sra-solution: !Ref pSRASolutionName
Tags:
- Key: sra-solution
diff --git a/aws_sra_examples/solutions/macie/macie_org/templates/sra-macie-org-configuration.yaml b/aws_sra_examples/solutions/macie/macie_org/templates/sra-macie-org-configuration.yaml
index 5b50c4d30..abb3c4549 100644
--- a/aws_sra_examples/solutions/macie/macie_org/templates/sra-macie-org-configuration.yaml
+++ b/aws_sra_examples/solutions/macie/macie_org/templates/sra-macie-org-configuration.yaml
@@ -38,6 +38,9 @@ Metadata:
- pFindingPublishingFrequency
- pKMSKeyArn
- pPublishingDestinationBucketName
+ - pCreateMacieJob
+ - pMacieJobName
+ - pExcludesTagKey
- Label:
default: General Lambda Function Properties
@@ -52,6 +55,8 @@ Metadata:
default: Control Tower Regions Only
pCreateLambdaLogGroup:
default: Create Lambda Log Group
+ pCreateMacieJob:
+ default: Create Macie job
pDelegatedAdminAccountId:
default: Delegated Admin Account ID
pDisableMacie:
@@ -60,6 +65,8 @@ Metadata:
default: Disable Macie Role Name
pEnabledRegions:
default: Enabled Regions
+ pExcludesTagKey:
+ default: Tag Key
pFindingPublishingFrequency:
default: Finding Publishing Frequency
pKMSKeyArn:
@@ -70,6 +77,8 @@ Metadata:
default: Lambda Log Group Retention
pLambdaLogLevel:
default: Lambda Log Level
+ pMacieJobName:
+ default: Macie Job Name
pMacieOrgConfigurationRoleName:
default: Configuration Role Name
pMacieOrgLambdaFunctionName:
@@ -100,6 +109,11 @@ Parameters:
Indicates whether a CloudWatch Log Group should be explicitly created for the Lambda function, to allow for setting a Log Retention and/or KMS
Key for encryption.
Type: String
+ pCreateMacieJob:
+ AllowedValues: ['true', 'false']
+ Default: 'true'
+ Description: Indicates whether to create a Macie classification job with a daily schedule.
+ Type: String
pDelegatedAdminAccountId:
AllowedPattern: '^\d{12}$'
ConstraintDescription: Must be 12 digits
@@ -123,6 +137,12 @@ Parameters:
us-east-1,ap-southeast-2)
Description: Enabled regions (AWS regions, separated by commas). Leave blank to enable all regions.
Type: String
+ pExcludesTagKey:
+ AllowedPattern: '^[\w-]{1,64}$'
+ ConstraintDescription: Max 64 alphanumeric characters. Also special characters supported [_, -]
+ Default: sra-exclude-from-default-job
+ Description: A key for a tag-based condition that determines which buckets to exclude from the job. To exclude the bucket set the value of this tag to 'True'.
+ Type: String
pFindingPublishingFrequency:
AllowedValues: [FIFTEEN_MINUTES, ONE_HOUR, SIX_HOURS]
Default: FIFTEEN_MINUTES
@@ -150,6 +170,12 @@ Parameters:
Default: INFO
Description: Lambda Function Logging Level
Type: String
+ pMacieJobName:
+ AllowedPattern: '^[\w-]{1,500}$'
+ ConstraintDescription: Max 500 alphanumeric characters. Also special characters supported [_, -]
+ Default: sra-macie-classification-job
+ Description: A custom name for the job.
+ Type: String
pMacieOrgConfigurationRoleName:
AllowedPattern: '^[\w+=,.@-]{1,64}$'
ConstraintDescription: Max 64 alphanumeric characters. Also special characters supported [+, =, ., @, -]
@@ -449,6 +475,9 @@ Resources:
MANAGEMENT_ACCOUNT_ID: !Ref AWS::AccountId
PUBLISHING_DESTINATION_BUCKET_NAME: !Ref pPublishingDestinationBucketName
SNS_TOPIC_ARN: !Ref rMacieOrgTopic
+ CREATE_MACIE_JOB: !Ref pCreateMacieJob
+ MACIE_JOB_NAME: !Ref pMacieJobName
+ TAG_KEY: !Ref pExcludesTagKey
rMacieOrgTopic:
Type: AWS::SNS::Topic
diff --git a/aws_sra_examples/solutions/macie/macie_org/templates/sra-macie-org-main-ssm.yaml b/aws_sra_examples/solutions/macie/macie_org/templates/sra-macie-org-main-ssm.yaml
index 831542e3c..0c575aa6e 100644
--- a/aws_sra_examples/solutions/macie/macie_org/templates/sra-macie-org-main-ssm.yaml
+++ b/aws_sra_examples/solutions/macie/macie_org/templates/sra-macie-org-main-ssm.yaml
@@ -46,6 +46,9 @@ Metadata:
- pEnabledRegions
- pFindingPublishingFrequency
- pOrganizationId
+ - pCreateMacieJob
+ - pMacieJobName
+ - pExcludesTagKey
- Label:
default: General Lambda Function Properties
@@ -66,10 +69,14 @@ Metadata:
default: Control Tower Regions Only
pCreateLambdaLogGroup:
default: Create Lambda Log Group
+ pCreateMacieJob:
+ default: Create Macie Job
pDisableMacie:
default: Disable Macie in All Accounts
pEnabledRegions:
default: (Optional) Enabled Regions
+ pExcludesTagKey:
+ default: Tag Key
pFindingPublishingFrequency:
default: Finding Publishing Frequency
pLambdaLogGroupKmsKey:
@@ -80,6 +87,8 @@ Metadata:
default: Lambda Log Level
pLogArchiveAccountId:
default: Log Archive Account ID
+ pMacieJobName:
+ default: Macie Job Name
pMacieOrgDeliveryBucketPrefix:
default: Macie Delivery Bucket Prefix
pMacieOrgDeliveryKeyAlias:
@@ -127,6 +136,11 @@ Parameters:
Indicates whether a CloudWatch Log Group should be explicitly created for the Lambda function, to allow for setting a Log Retention and/or KMS
Key for encryption.
Type: String
+ pCreateMacieJob:
+ AllowedValues: ['true', 'false']
+ Default: 'true'
+ Description: Indicates whether to create a Macie classification job with a daily schedule.
+ Type: String
pDisableMacie:
AllowedValues: ['true', 'false']
Default: 'false'
@@ -140,11 +154,23 @@ Parameters:
Default: ''
Description: (Optional) Enabled regions (AWS regions, separated by commas). Leave blank to enable all regions.
Type: String
+ pExcludesTagKey:
+ AllowedPattern: '^[\w-]{1,64}$'
+ ConstraintDescription: Max 64 alphanumeric characters. Also special characters supported [_, -]
+ Default: sra-exclude-from-default-job
+ Description: A key for a tag-based condition that determines which buckets to exclude from the job. To exclude the bucket set the value of this tag to 'True'.
+ Type: String
pFindingPublishingFrequency:
AllowedValues: [FIFTEEN_MINUTES, ONE_HOUR, SIX_HOURS]
Default: FIFTEEN_MINUTES
Description: Finding publishing frequency
Type: String
+ pMacieJobName:
+ AllowedPattern: '^[\w-]{1,500}$'
+ ConstraintDescription: Max 500 alphanumeric characters. Also special characters supported [_, -]
+ Default: sra-macie-classification-job
+ Description: A custom name for the job.
+ Type: String
pMacieOrgDeliveryBucketPrefix:
AllowedPattern: '^$|^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$'
ConstraintDescription:
@@ -395,6 +421,9 @@ Resources:
pPublishingDestinationBucketName: !Sub ${pMacieOrgDeliveryBucketPrefix}-${pLogArchiveAccountId}-${AWS::Region}
pSRAAlarmEmail: !Ref pSRAAlarmEmail
pSRAStagingS3BucketName: !Ref pSRAStagingS3BucketName
+ pCreateMacieJob: !Ref pCreateMacieJob
+ pMacieJobName: !Ref pMacieJobName
+ pExcludesTagKey: !Ref pExcludesTagKey
Tags:
- Key: sra-solution
Value: !Ref pSRASolutionName
diff --git a/aws_sra_examples/terraform/common/main.tf b/aws_sra_examples/terraform/common/main.tf
index 3fc188576..624a4f036 100644
--- a/aws_sra_examples/terraform/common/main.tf
+++ b/aws_sra_examples/terraform/common/main.tf
@@ -181,6 +181,9 @@ resource "local_file" "config_file_creation" {
########################################################################
disable_macie = false
macie_finding_publishing_frequency = "FIFTEEN_MINUTES"
+ create_macie_job = "true"
+ macie_job_name = "sra-macie-classification-job"
+ macie_excludes_tag_key = "sra-exclude-from-default-job"
########################################################################
# CloudTrail Settings
diff --git a/aws_sra_examples/terraform/solutions/macie/README.md b/aws_sra_examples/terraform/solutions/macie/README.md
index a782e831f..ae94c4ec4 100644
--- a/aws_sra_examples/terraform/solutions/macie/README.md
+++ b/aws_sra_examples/terraform/solutions/macie/README.md
@@ -25,7 +25,7 @@ Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. SPDX-License-
## Introduction
-This Terraform module deploys the Inspector AWS SRA solution.
+This Terraform module deploys the Macie AWS SRA solution.
The common pre-requisite solution must be installed, in the management account, prior to installing this solution.
@@ -158,6 +158,9 @@ Please navigate to the [installing the AWS SRA Solutions](./../../README.md#inst
| [home\_region](#input\_home\_region) | Name of the Control Tower home region | `string` | n/a | yes |
| [log\_archive\_account\_id](#input\_log\_archive\_account\_id) | AWS Account ID of the Control Tower Log Archive account. | `string` | n/a | yes |
| [macie\_finding\_publishing\_frequency](#input\_macie\_finding\_publishing\_frequency) | Macie finding publishing frequency | `string` | n/a | yes |
+| [create\_macie\_job](#input\_create\_macie\_job) | Indicates whether to create a Macie classification job with a daily schedule | `string` | "true" | yes |
+| [macie\_job\_name](#input\_macie\_job\_name) | A custom name for the job | `string` | "sra-macie-classification-job" | yes |
+| [macie\_excludes\_tag\_key](#input\macie\_excludes\_tag\_key) | A key for a tag-based condition that determines which buckets to exclude from the job. To exclude the bucket set the value of this tag to 'True' | `string` | "sra-exclude-from-default-job" | yes |
| [macie\_org\_configuration\_role\_name](#input\_macie\_org\_configuration\_role\_name) | Configuration IAM Role Name | `string` | `"sra-macie-org-configuration"` | no |
| [macie\_org\_lambda\_role\_name](#input\_macie\_org\_lambda\_role\_name) | Lambda Role Name | `string` | `"sra-macie-org-lambda"` | no |
| [management\_account\_id](#input\_management\_account\_id) | Organization Management Account ID | `string` | n/a | yes |
diff --git a/aws_sra_examples/terraform/solutions/macie/configuration/invoke.tf b/aws_sra_examples/terraform/solutions/macie/configuration/invoke.tf
index 0fa2302a8..0ec4189c2 100644
--- a/aws_sra_examples/terraform/solutions/macie/configuration/invoke.tf
+++ b/aws_sra_examples/terraform/solutions/macie/configuration/invoke.tf
@@ -22,7 +22,10 @@ resource "aws_lambda_invocation" "lambda_invoke" {
"MANAGEMENT_ACCOUNT_ID" : "${var.p_management_account_id}",
"CONFIGURATION_ROLE_NAME" : "${var.p_macie_org_configuration_role_name}",
"FINDING_PUBLISHING_FREQUENCY" : "${var.p_finding_publishing_frequency}",
- "ENABLED_REGIONS" : "${var.p_enabled_regions}"
+ "ENABLED_REGIONS" : "${var.p_enabled_regions}",
+ "CREATE_MACIE_JOB" : "${var.p_create_macie_job}",
+ "MACIE_JOB_NAME" : "${var.p_macie_job_name}",
+ "TAG_KEY" : "${var.p_macie_excludes_tag_key}"
}
})
}
@@ -46,7 +49,10 @@ resource "aws_lambda_invocation" "lambda_disable_invoke" {
"MANAGEMENT_ACCOUNT_ID" : "${var.p_management_account_id}",
"CONFIGURATION_ROLE_NAME" : "${var.p_macie_org_configuration_role_name}",
"FINDING_PUBLISHING_FREQUENCY" : "${var.p_finding_publishing_frequency}",
- "ENABLED_REGIONS" : "${var.p_enabled_regions}"
+ "ENABLED_REGIONS" : "${var.p_enabled_regions}",
+ "CREATE_MACIE_JOB" : "${var.p_create_macie_job}",
+ "MACIE_JOB_NAME" : "${var.p_macie_job_name}",
+ "TAG_KEY" : "${var.p_macie_excludes_tag_key}"
}
})
}
diff --git a/aws_sra_examples/terraform/solutions/macie/configuration/variables.tf b/aws_sra_examples/terraform/solutions/macie/configuration/variables.tf
index 17b306fe6..b24c6c315 100644
--- a/aws_sra_examples/terraform/solutions/macie/configuration/variables.tf
+++ b/aws_sra_examples/terraform/solutions/macie/configuration/variables.tf
@@ -48,6 +48,24 @@ variable "p_finding_publishing_frequency" {
default = "FIFTEEN_MINUTES"
}
+variable "p_create_macie_job" {
+ description = "Indicates whether to create a Macie classification job with a daily schedule."
+ type = string
+ default = "true"
+}
+
+variable "p_macie_job_name" {
+ description = "A custom name for the job."
+ type = string
+ default = "sra-macie-classification-job"
+}
+
+variable "p_macie_excludes_tag_key" {
+ description = "A key for a tag-based condition that determines which buckets to exclude from the job. To exclude the bucket set the value of this tag to 'True'."
+ type = string
+ default = "sra-exclude-from-default-job"
+}
+
variable "p_kms_key_arn" {
description = "Logging S3 bucket KMS Key ARN"
type = string
diff --git a/aws_sra_examples/terraform/solutions/macie/configuration_role/main.tf b/aws_sra_examples/terraform/solutions/macie/configuration_role/main.tf
index b23159b78..54dcbb9af 100644
--- a/aws_sra_examples/terraform/solutions/macie/configuration_role/main.tf
+++ b/aws_sra_examples/terraform/solutions/macie/configuration_role/main.tf
@@ -31,6 +31,7 @@ resource "aws_iam_role" "macie_org_configuration_role" {
}
resource "aws_iam_policy" "macie_org_policy" {
+ #checkov:skip=CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
name = "sra-macie-org-policy"
description = "Policy for Macie Org Configuration Role"
@@ -60,7 +61,7 @@ resource "aws_iam_policy" "macie_org_policy" {
"macie2:ListOrganizationAdminAccounts",
"macie2:PutClassificationExportConfiguration",
"macie2:UpdateMacieSession",
- "macie2:UpdateOrganizationConfiguration"
+ "macie2:UpdateOrganizationConfiguration",
],
Resource = "*"
},
@@ -74,6 +75,27 @@ resource "aws_iam_policy" "macie_org_policy" {
"macie2:GetMember"
],
Resource = "arn:${data.aws_partition.current.partition}:macie2:*:${var.audit_account_id}:*"
+ },
+ {
+ Sid = "MacieClassifications",
+ Effect = "Allow",
+ Action = [
+ "macie2:CreateClassificationJob",
+ ],
+ Resource = "*",
+ Condition = {
+ StringEquals = {
+ "aws:ResourceTag/sra-solution" = var.sra_solution_name
+ }
+ }
+ },
+ {
+ Sid = "MacieTagResource",
+ Effect = "Allow",
+ Action = [
+ "macie2:TagResource",
+ ],
+ Resource = "*"
}
]
})
diff --git a/aws_sra_examples/terraform/solutions/macie/main.tf b/aws_sra_examples/terraform/solutions/macie/main.tf
index a1be46011..1f6fc283b 100644
--- a/aws_sra_examples/terraform/solutions/macie/main.tf
+++ b/aws_sra_examples/terraform/solutions/macie/main.tf
@@ -79,4 +79,7 @@ module "macie_configuration" {
p_publishing_destination_bucket_name = module.delivery_s3_bucket[0].macie_delivery_bucket_name
disable_macie = var.disable_macie
p_finding_publishing_frequency = var.macie_finding_publishing_frequency
+ p_create_macie_job = var.create_macie_job
+ p_macie_job_name = var.macie_job_name
+ p_macie_excludes_tag_key = var.macie_excludes_tag_key
}
diff --git a/aws_sra_examples/terraform/solutions/macie/variables.tf b/aws_sra_examples/terraform/solutions/macie/variables.tf
index 2e921b0c0..3526ff9e0 100644
--- a/aws_sra_examples/terraform/solutions/macie/variables.tf
+++ b/aws_sra_examples/terraform/solutions/macie/variables.tf
@@ -55,3 +55,21 @@ variable "macie_finding_publishing_frequency" {
description = "Macie finding publishing frequency"
type = string
}
+
+variable "create_macie_job" {
+ description = "Indicates whether to create a Macie classification job with a daily schedule."
+ type = string
+ default = "true"
+}
+
+variable "macie_job_name" {
+ description = "A custom name for the job."
+ type = string
+ default = "sra-macie-classification-job"
+}
+
+variable "macie_excludes_tag_key" {
+ description = "A key for a tag-based condition that determines which buckets to exclude from the job. To exclude the bucket set the value of this tag to 'True'."
+ type = string
+ default = "sra-exclude-from-default-job"
+}
\ No newline at end of file
diff --git a/aws_sra_examples/terraform/solutions/main.tf b/aws_sra_examples/terraform/solutions/main.tf
index 637ae0281..d341f9bdb 100644
--- a/aws_sra_examples/terraform/solutions/main.tf
+++ b/aws_sra_examples/terraform/solutions/main.tf
@@ -130,6 +130,9 @@ module "macie" {
organization_id = var.organization_id
macie_finding_publishing_frequency = var.macie_finding_publishing_frequency
disable_macie = var.disable_macie
+ create_macie_job = var.create_macie_job
+ macie_job_name = var.macie_job_name
+ macie_excludes_tag_key = var.macie_excludes_tag_key
}
module "cloudtrail" {
diff --git a/aws_sra_examples/terraform/solutions/variables.tf b/aws_sra_examples/terraform/solutions/variables.tf
index cbbd67e37..d5d9bb2cb 100644
--- a/aws_sra_examples/terraform/solutions/variables.tf
+++ b/aws_sra_examples/terraform/solutions/variables.tf
@@ -335,6 +335,24 @@ variable "disable_macie" {
description = "Update to 'true' to disable Macie in all accounts and regions before deleting the TF."
}
+variable "create_macie_job" {
+ description = "Indicates whether to create a Macie classification job with a daily schedule."
+ type = string
+ default = "true"
+}
+
+variable "macie_job_name" {
+ description = "A custom name for the job."
+ type = string
+ default = "sra-macie-classification-job"
+}
+
+variable "macie_excludes_tag_key" {
+ description = "A key for a tag-based condition that determines which buckets to exclude from the job. To exclude the bucket set the value of this tag to 'True'."
+ type = string
+ default = "sra-exclude-from-default-job"
+}
+
########################################################################
# CloudTrail Configurations
########################################################################