Description
Is your feature request related to a problem? Please describe.
When deploying AWS accounts with Macie enabled through LZA, we encounter false positive security findings that require manual investigation and suppression in each account.
Describe the feature you'd like
We need the ability to centrally define and deploy suppression rules to all LZA-managed accounts through configuration. This would allow us to handle common false positives.
A few requirements:
- Configuration in LZA to define Macie findings filters
- Ability to filter by bucket name, object key pattern, finding type, severity
A possible configuration block could look like:
```yaml
macie:
  enable: true
  excludeRegions: []
  policyFindingsPublishingFrequency: FIFTEEN_MINUTES
  publishSensitiveDataFindings: true
  findingsFilters:
    - name: suppress-bucket--false-positives
      description: Suppress false positive findings in buckets
      action: ARCHIVE
      criteria:
        - field: resourcesAffected.s3Bucket.name
          comparison: equals
          value: mybucket
        - field: type
          comparison: equals
          value: SensitiveData:S3Object/Personal
```
Additional context
This would require extending https://awslabs.github.io/landing-zone-accelerator-on-aws/v1.9.0/typedocs/v1.7.0/classes/_aws_accelerator_config.MacieConfig.html
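An added example, not part of the issue or of the LZA project's code: it maps one entry of the proposed `findingsFilters` block onto the request body that Amazon Macie's CreateFindingsFilter API takes (`macie2.create_findings_filter` in boto3), validating the action and comparison operators on the way. The `comparison` names other than `equals` are assumed; Macie itself only exposes `eq`, `neq`, `gt`, `gte`, `lt` and `lte`, and only the `ARCHIVE` and `NOOP` actions.

```python
# Added example: map a proposed LZA findingsFilters entry onto the request body
# of Macie's CreateFindingsFilter API (boto3 macie2.create_findings_filter).
from typing import Any, Dict

# Macie FindingCriteria operators: eq/neq take a list of strings,
# gt/gte/lt/lte take one integer. The comparison names are assumed.
_LIST_OPS = {"equals": "eq", "notEquals": "neq"}
_NUMERIC_OPS = {"greaterThan": "gt", "greaterThanOrEqual": "gte",
                "lessThan": "lt", "lessThanOrEqual": "lte"}
_ALLOWED_ACTIONS = {"ARCHIVE", "NOOP"}  # suppress, or keep visible


def build_findings_filter_request(cfg: Dict[str, Any]) -> Dict[str, Any]:
    """Validate one findingsFilters entry; return create_findings_filter kwargs."""
    action = str(cfg["action"]).upper()
    if action not in _ALLOWED_ACTIONS:
        raise ValueError(f"action must be ARCHIVE or NOOP, got {action!r}")
    criterion: Dict[str, Dict[str, Any]] = {}
    for item in cfg.get("criteria", []):
        field, cmp, value = item["field"], item["comparison"], item["value"]
        ops = criterion.setdefault(field, {})
        if cmp in _LIST_OPS:
            values = value if isinstance(value, list) else [value]
            # repeated equals/notEquals on one field merge into one list
            ops.setdefault(_LIST_OPS[cmp], []).extend(str(v) for v in values)
        elif cmp in _NUMERIC_OPS:
            if _NUMERIC_OPS[cmp] in ops:
                raise ValueError(f"duplicate {cmp} on {field}")
            ops[_NUMERIC_OPS[cmp]] = int(value)
        else:
            raise ValueError(f"unsupported comparison {cmp!r} on {field}")
    if not criterion:
        raise ValueError("a findings filter needs at least one criterion")
    return {"name": cfg["name"], "description": cfg.get("description", ""),
            "action": action, "findingCriteria": {"criterion": criterion}}


# Constructed sample: the filter proposed in this issue, as Python data.
SAMPLE_FILTER = {
    "name": "suppress-bucket--false-positives",
    "description": "Suppress false positive findings in buckets",
    "action": "ARCHIVE",
    "criteria": [
        {"field": "resourcesAffected.s3Bucket.name", "comparison": "equals",
         "value": "mybucket"},
        {"field": "type", "comparison": "equals",
         "value": "SensitiveData:S3Object/Personal"},
    ],
}
```

Deploying it to an account is then `boto3.client("macie2").create_findings_filter(**build_findings_filter_request(SAMPLE_FILTER))`, run once per LZA-managed account and region where Macie is enabled.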