Amazon Macie will review API calls gathered from CloudTrail logs stored on Amazon S3 and depending on the type of API and the impact it can have on your security posture, it will associate a risk score, again ranging from 1 to 10 (with 10 being the highest). If we look at a sample of these API calls, we can see what it looks for:
To make it easier to navigate, a search option is available to search for a specific API call. The table is self-explanatory and follows a similar approach to the object classifications we looked at previously.
By using the magnifying glass search option associated with each API call, you can query the CloudTrail data to understand where and how this API is being used. For example, here is a screenshot of the AssumeRole API, allowing you to dive deeper into all the details captured by CloudTrail:
As you can see from the top section, this API was used multiple times and you can quickly see there was a peak on Tuesday 7. If this was...