adding macie classification job

aws_sra_examples/solutions/macie/macie_org/README.md

@@ -14,7 +14,7 @@ Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. SPDX-License-
 ## Introduction
 
 The Macie Organization solution will enable Amazon Macie by delegating administration to a member account within the Organization Management Account and configuring Macie within the delegated administrator account for all the existing and future AWS
-Organization accounts. Macie is also configured to send the findings to a central S3 bucket encrypted with a KMS key.
+Organization accounts. Macie is also configured to send the findings to a central S3 bucket encrypted with a KMS key. Additionally, a daily Macie classification job can be created to analyze objects in Amazon Simple Storage Service (Amazon S3) general purpose buckets.
 
 ---
 

aws_sra_examples/solutions/macie/macie_org/customizations_for_aws_control_tower/manifest.yaml

@@ -33,6 +33,13 @@ resources:
         parameter_value: INFO
       - parameter_key: pSRAAlarmEmail
         parameter_value: ''
+      - parameter_key: pCreateMacieJob
+        parameter_value: 'true'
+      - parameter_key: pExcludesTagKey
+        parameter_value: 'sra-exclude-from-default-job'
+      - parameter_key: pMacieJobName
+        parameter_value: 'sra-macie-classification-job'
+
     deploy_method: stack_set
     deployment_targets:
       accounts:

aws_sra_examples/solutions/macie/macie_org/customizations_for_aws_control_tower/parameters/sra-macie-org-main-ssm.json

@@ -44,7 +44,15 @@
         "ParameterValue": ""
     },
     {
-        "ParameterKey": "pSRAStagingS3BucketName",
-        "ParameterValue": ""
+        "ParameterKey": "pCreateMacieJob",
+        "ParameterValue": "true"
+    },
+    {
+        "ParameterKey": "pExcludesTagKey",
+        "ParameterValue": "sra-exclude-from-default-job"
+    },
+    {
+        "ParameterKey": "pMacieJobName",
+        "ParameterValue": "sra-macie-classification-job"
     }
 ]

aws_sra_examples/solutions/macie/macie_org/lambda/src/app.py

@@ -12,6 +12,7 @@
 Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 SPDX-License-Identifier: MIT-0
 """
+
 from __future__ import annotations
 
 import json
@@ -92,6 +93,10 @@ def process_create_update_event(params: dict, regions: list) -> None:
             params["KMS_KEY_ARN"],
             params["FINDING_PUBLISHING_FREQUENCY"],
         )
+        if params["CREATE_MACIE_JOB"]:
+            macie.create_macie_job(
+                params["CONFIGURATION_ROLE_NAME"], params["DELEGATED_ADMIN_ACCOUNT_ID"], regions, params["MACIE_JOB_NAME"], params["TAG_KEY"]
+            )
 
 
 def parameter_pattern_validator(parameter_name: str, parameter_value: str, pattern: str) -> None:
@@ -147,7 +152,12 @@ def get_validated_parameters(event: CloudFormationCustomResourceEvent) -> dict:
         pattern=r"^arn:(aws[a-zA-Z-]*){1}:sns:[a-z0-9-]+:\d{12}:[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$",
     )
     parameter_pattern_validator("MANAGEMENT_ACCOUNT_ID", params.get("MANAGEMENT_ACCOUNT_ID", ""), pattern=r"^\d{12}$")
+    parameter_pattern_validator("CREATE_MACIE_JOB", params.get("CREATE_MACIE_JOB", ""), pattern=r"^true|false$")
+    parameter_pattern_validator("MACIE_JOB_NAME", params.get("MACIE_JOB_NAME", ""), pattern=r"^[\w-]{1,500}$")
+    parameter_pattern_validator("TAG_KEY", params.get("TAG_KEY", ""), pattern=r"^[\w-]{1,64}$")
 
+    # Convert true/false string parameters to boolean
+    params.update({"CREATE_MACIE_JOB": (params["CREATE_MACIE_JOB"] == "true")})
     return params
 
 

aws_sra_examples/solutions/macie/macie_org/lambda/src/macie.py

@@ -7,6 +7,7 @@
 Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 SPDX-License-Identifier: MIT-0
 """
+
 from __future__ import annotations
 
 import json
@@ -21,7 +22,7 @@
 
 if TYPE_CHECKING:
     from mypy_boto3_macie2 import Macie2Client
-    from mypy_boto3_macie2.type_defs import ListOrganizationAdminAccountsResponseTypeDef
+    from mypy_boto3_macie2.type_defs import CreateClassificationJobRequestRequestTypeDef, ListOrganizationAdminAccountsResponseTypeDef
     from mypy_boto3_organizations import OrganizationsClient
     from mypy_boto3_sns import SNSClient
 
@@ -180,6 +181,45 @@ def enable_macie(
             LOGGER.info(f"Macie already enabled in {region}.")
 
 
+def create_macie_job(configuration_role_name: str, admin_account_id: str, regions: list, job_name: str, tag_key: str) -> None:
+    """Create Macie job.
+
+    Args:
+        configuration_role_name: Configuration Role Name
+        admin_account_id: Delegated administrator account id
+        regions: AWS Region List
+        job_name: Macie job name
+        tag_key: Macie job tag key for bucket criteria
+    """
+    kwargs: CreateClassificationJobRequestRequestTypeDef = {  # type: ignore[typeddict-item]  # noqa: ECE001
+        "description": "SRA Macie job (Daily)",
+        "jobType": "SCHEDULED",
+        "initialRun": True,
+        "name": job_name,
+        "managedDataIdentifierSelector": "ALL",
+        "s3JobDefinition": {
+            "bucketCriteria": {"excludes": {"and": [{"tagCriterion": {"comparator": "EQ", "tagValues": [{"key": tag_key, "value": "True"}]}}]}}
+        },
+        "samplingPercentage": 100,
+        "scheduleFrequency": {"dailySchedule": {}},
+        "tags": {"sra-solution": "sra-macie-org"},
+    }
+    account_session: boto3.Session = boto3.Session()
+
+    if configuration_role_name:
+        account_session = common.assume_role(configuration_role_name, "sra-enable-macie", admin_account_id)
+    for region in regions:
+        regional_client: Macie2Client = account_session.client("macie2", region_name=region, config=BOTO3_CONFIG)
+        try:
+            response = regional_client.create_classification_job(**kwargs)
+            LOGGER.debug({"API_Call": "macie2:CreateClassificationJob", "API_Response": response})
+            LOGGER.info(f"Created Macie classification job '{job_name}' in {region}")
+        except ClientError as e:
+            error_code = e.response["Error"]["Code"]
+            if error_code == "ResourceInUseException":
+                LOGGER.info(f"Macie classification job '{job_name}' already exists in {region}")
+
+
 def process_delete_event(params: dict, regions: list, account_ids: list, include_members: bool = False) -> None:
     """Delete Macie solution resources.
 

aws_sra_examples/solutions/macie/macie_org/templates/sra-macie-org-configuration-role.yaml

@@ -114,6 +114,7 @@ Resources:
                   - macie2:PutClassificationExportConfiguration
                   - macie2:UpdateMacieSession
                   - macie2:UpdateOrganizationConfiguration
+                  - macie2:TagResource
                 Resource: '*'
 
               - Sid: MacieMember
@@ -124,6 +125,15 @@ Resources:
                   - macie2:DisassociateMember
                   - macie2:GetMember
                 Resource: !Sub arn:${AWS::Partition}:macie2:*:${AWS::AccountId}:*
+
+              - Sid: MacieClassifications
+                Effect: Allow
+                Action:
+                  - macie2:CreateClassificationJob
+                Resource: '*'
+                Condition:
+                  StringEquals:
+                    aws:ResourceTag/sra-solution: !Ref pSRASolutionName
 
       Tags:
         - Key: sra-solution

aws_sra_examples/solutions/macie/macie_org/templates/sra-macie-org-configuration.yaml

@@ -38,6 +38,9 @@ Metadata:
           - pFindingPublishingFrequency
           - pKMSKeyArn
           - pPublishingDestinationBucketName
+          - pCreateMacieJob
+          - pMacieJobName
+          - pExcludesTagKey
 
       - Label:
           default: General Lambda Function Properties
@@ -52,6 +55,8 @@ Metadata:
         default: Control Tower Regions Only
       pCreateLambdaLogGroup:
         default: Create Lambda Log Group
+      pCreateMacieJob:
+        default: Create Macie job
       pDelegatedAdminAccountId:
         default: Delegated Admin Account ID
       pDisableMacie:
@@ -60,6 +65,8 @@ Metadata:
         default: Disable Macie Role Name
       pEnabledRegions:
         default: Enabled Regions
+      pExcludesTagKey:
+        default: Tag Key
       pFindingPublishingFrequency:
         default: Finding Publishing Frequency
       pKMSKeyArn:
@@ -70,6 +77,8 @@ Metadata:
         default: Lambda Log Group Retention
       pLambdaLogLevel:
         default: Lambda Log Level
+      pMacieJobName:
+        default: Macie Job Name
       pMacieOrgConfigurationRoleName:
         default: Configuration Role Name
       pMacieOrgLambdaFunctionName:
@@ -100,6 +109,11 @@ Parameters:
       Indicates whether a CloudWatch Log Group should be explicitly created for the Lambda function, to allow for setting a Log Retention and/or KMS
       Key for encryption.
     Type: String
+  pCreateMacieJob:
+    AllowedValues: ['true', 'false']
+    Default: 'true'
+    Description: Indicates whether to create a Macie classification job with a daily schedule.
+    Type: String
   pDelegatedAdminAccountId:
     AllowedPattern: '^\d{12}$'
     ConstraintDescription: Must be 12 digits
@@ -123,6 +137,12 @@ Parameters:
       us-east-1,ap-southeast-2)
     Description: Enabled regions (AWS regions, separated by commas). Leave blank to enable all regions.
     Type: String
+  pExcludesTagKey:
+    AllowedPattern: '^[\w-]{1,64}$'
+    ConstraintDescription: Max 64 alphanumeric characters. Also special characters supported [_, -]
+    Default: sra-exclude-from-default-job
+    Description: A key for a tag-based condition that determines which buckets to exclude from the job. To exclude the bucket set the value of this tag to 'True'.
+    Type: String
   pFindingPublishingFrequency:
     AllowedValues: [FIFTEEN_MINUTES, ONE_HOUR, SIX_HOURS]
     Default: FIFTEEN_MINUTES
@@ -150,6 +170,12 @@ Parameters:
     Default: INFO
     Description: Lambda Function Logging Level
     Type: String
+  pMacieJobName:
+    AllowedPattern: '^[\w-]{1,500}$'
+    ConstraintDescription: Max 500 alphanumeric characters. Also special characters supported [_, -]
+    Default: sra-macie-classification-job
+    Description: A custom name for the job.
+    Type: String
   pMacieOrgConfigurationRoleName:
     AllowedPattern: '^[\w+=,.@-]{1,64}$'
     ConstraintDescription: Max 64 alphanumeric characters. Also special characters supported [+, =, ., @, -]
@@ -449,6 +475,9 @@ Resources:
       MANAGEMENT_ACCOUNT_ID: !Ref AWS::AccountId
       PUBLISHING_DESTINATION_BUCKET_NAME: !Ref pPublishingDestinationBucketName
       SNS_TOPIC_ARN: !Ref rMacieOrgTopic
+      CREATE_MACIE_JOB: !Ref pCreateMacieJob
+      MACIE_JOB_NAME: !Ref pMacieJobName
+      TAG_KEY: !Ref pExcludesTagKey
 
   rMacieOrgTopic:
     Type: AWS::SNS::Topic

aws_sra_examples/solutions/macie/macie_org/templates/sra-macie-org-main-ssm.yaml

@@ -46,6 +46,9 @@ Metadata:
           - pEnabledRegions
           - pFindingPublishingFrequency
           - pOrganizationId
+          - pCreateMacieJob
+          - pMacieJobName
+          - pExcludesTagKey
 
       - Label:
           default: General Lambda Function Properties
@@ -66,10 +69,14 @@ Metadata:
         default: Control Tower Regions Only
       pCreateLambdaLogGroup:
         default: Create Lambda Log Group
+      pCreateMacieJob:
+        default: Create Macie Job
       pDisableMacie:
         default: Disable Macie in All Accounts
       pEnabledRegions:
         default: (Optional) Enabled Regions
+      pExcludesTagKey:
+        default: Tag Key
       pFindingPublishingFrequency:
         default: Finding Publishing Frequency
       pLambdaLogGroupKmsKey:
@@ -80,6 +87,8 @@ Metadata:
         default: Lambda Log Level
       pLogArchiveAccountId:
         default: Log Archive Account ID
+      pMacieJobName:
+        default: Macie Job Name
       pMacieOrgDeliveryBucketPrefix:
         default: Macie Delivery Bucket Prefix
       pMacieOrgDeliveryKeyAlias:
@@ -127,6 +136,11 @@ Parameters:
       Indicates whether a CloudWatch Log Group should be explicitly created for the Lambda function, to allow for setting a Log Retention and/or KMS
       Key for encryption.
     Type: String
+  pCreateMacieJob:
+    AllowedValues: ['true', 'false']
+    Default: 'true'
+    Description: Indicates whether to create a Macie classification job with a daily schedule.
+    Type: String
   pDisableMacie:
     AllowedValues: ['true', 'false']
     Default: 'false'
@@ -140,11 +154,23 @@ Parameters:
     Default: ''
     Description: (Optional) Enabled regions (AWS regions, separated by commas). Leave blank to enable all regions.
     Type: String
+  pExcludesTagKey:
+    AllowedPattern: '^[\w-]{1,64}$'
+    ConstraintDescription: Max 64 alphanumeric characters. Also special characters supported [_, -]
+    Default: sra-exclude-from-default-job
+    Description: A key for a tag-based condition that determines which buckets to exclude from the job. To exclude the bucket set the value of this tag to 'True'.
+    Type: String
   pFindingPublishingFrequency:
     AllowedValues: [FIFTEEN_MINUTES, ONE_HOUR, SIX_HOURS]
     Default: FIFTEEN_MINUTES
     Description: Finding publishing frequency
     Type: String
+  pMacieJobName:
+    AllowedPattern: '^[\w-]{1,500}$'
+    ConstraintDescription: Max 500 alphanumeric characters. Also special characters supported [_, -]
+    Default: sra-macie-classification-job
+    Description: A custom name for the job.
+    Type: String
   pMacieOrgDeliveryBucketPrefix:
     AllowedPattern: '^$|^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$'
     ConstraintDescription:
@@ -395,6 +421,9 @@ Resources:
         pPublishingDestinationBucketName: !Sub ${pMacieOrgDeliveryBucketPrefix}-${pLogArchiveAccountId}-${AWS::Region}
         pSRAAlarmEmail: !Ref pSRAAlarmEmail
         pSRAStagingS3BucketName: !Ref pSRAStagingS3BucketName
+        pCreateMacieJob: !Ref pCreateMacieJob
+        pMacieJobName: !Ref pMacieJobName
+        pExcludesTagKey: !Ref pExcludesTagKey
       Tags:
         - Key: sra-solution
           Value: !Ref pSRASolutionName

aws_sra_examples/terraform/common/main.tf

@@ -181,6 +181,9 @@ resource "local_file" "config_file_creation" {
     ########################################################################
     disable_macie                      = false
     macie_finding_publishing_frequency = "FIFTEEN_MINUTES"
+    create_macie_job                   = "true"
+    macie_job_name                     = "sra-macie-classification-job"
+    macie_excludes_tag_key             = "sra-exclude-from-default-job"
 
     ########################################################################
     # CloudTrail Settings

aws_sra_examples/terraform/solutions/macie/README.md

@@ -25,7 +25,7 @@ Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. SPDX-License-
 
 ## Introduction
 
-This Terraform module deploys the Inspector AWS SRA solution.  
+This Terraform module deploys the Macie AWS SRA solution.  
 
 The common pre-requisite solution must be installed, in the management account, prior to installing this solution.
 
@@ -158,6 +158,9 @@ Please navigate to the [installing the AWS SRA Solutions](./../../README.md#inst
 | <a name="input_home_region"></a> [home\_region](#input\_home\_region) | Name of the Control Tower home region | `string` | n/a | yes |
 | <a name="input_log_archive_account_id"></a> [log\_archive\_account\_id](#input\_log\_archive\_account\_id) | AWS Account ID of the Control Tower Log Archive account. | `string` | n/a | yes |
 | <a name="input_macie_finding_publishing_frequency"></a> [macie\_finding\_publishing\_frequency](#input\_macie\_finding\_publishing\_frequency) | Macie finding publishing frequency | `string` | n/a | yes |
+| <a name="create_macie_job"></a> [create\_macie\_job](#input\_create\_macie\_job) | Indicates whether to create a Macie classification job with a daily schedule | `string` | "true" | yes |
+| <a name="macie_job_name"></a> [macie\_job\_name](#input\_macie\_job\_name) | A custom name for the job | `string` | "sra-macie-classification-job" | yes |
+| <a name="macie_excludes_tag_key"></a> [macie\_excludes\_tag\_key](#input\macie\_excludes\_tag\_key) | A key for a tag-based condition that determines which buckets to exclude from the job. To exclude the bucket set the value of this tag to 'True' | `string` | "sra-exclude-from-default-job" | yes |
 | <a name="input_macie_org_configuration_role_name"></a> [macie\_org\_configuration\_role\_name](#input\_macie\_org\_configuration\_role\_name) | Configuration IAM Role Name | `string` | `"sra-macie-org-configuration"` | no |
 | <a name="input_macie_org_lambda_role_name"></a> [macie\_org\_lambda\_role\_name](#input\_macie\_org\_lambda\_role\_name) | Lambda Role Name | `string` | `"sra-macie-org-lambda"` | no |
 | <a name="input_management_account_id"></a> [management\_account\_id](#input\_management\_account\_id) | Organization Management Account ID | `string` | n/a | yes |

aws_sra_examples/terraform/solutions/macie/configuration/invoke.tf

@@ -22,7 +22,10 @@ resource "aws_lambda_invocation" "lambda_invoke" {
       "MANAGEMENT_ACCOUNT_ID" : "${var.p_management_account_id}",
       "CONFIGURATION_ROLE_NAME" : "${var.p_macie_org_configuration_role_name}",
       "FINDING_PUBLISHING_FREQUENCY" : "${var.p_finding_publishing_frequency}",
-      "ENABLED_REGIONS" : "${var.p_enabled_regions}"
+      "ENABLED_REGIONS" : "${var.p_enabled_regions}",
+      "CREATE_MACIE_JOB" : "${var.p_create_macie_job}",
+      "MACIE_JOB_NAME" : "${var.p_macie_job_name}",
+      "TAG_KEY" : "${var.p_macie_excludes_tag_key}"
     }
   })
 }
@@ -46,7 +49,10 @@ resource "aws_lambda_invocation" "lambda_disable_invoke" {
       "MANAGEMENT_ACCOUNT_ID" : "${var.p_management_account_id}",
       "CONFIGURATION_ROLE_NAME" : "${var.p_macie_org_configuration_role_name}",
       "FINDING_PUBLISHING_FREQUENCY" : "${var.p_finding_publishing_frequency}",
-      "ENABLED_REGIONS" : "${var.p_enabled_regions}"
+      "ENABLED_REGIONS" : "${var.p_enabled_regions}",
+      "CREATE_MACIE_JOB" : "${var.p_create_macie_job}",
+      "MACIE_JOB_NAME" : "${var.p_macie_job_name}",
+      "TAG_KEY" : "${var.p_macie_excludes_tag_key}"
     }
   })
 }