⭐ Adds: aws.macie resource (#5988)

* resolved mr

Signed-off-by: Manuel Weber <manuel@mondoo.com>

* fix: update go.mod after tidy to resolve CI failure

* spellcheck

Signed-off-by: Manuel Weber <manuel@mondoo.com>

* Add new consts

* refactor: replace string literals with resource constants in aws.macie

* add new aws.lr.go

* fix error handling

Signed-off-by: Manuel Weber <manuel@mondoo.com>

---------

Signed-off-by: Manuel Weber <manuel@mondoo.com>
Co-authored-by: Dimitar ganev <dimitar@mondoo.com>

Author: mm-weber

.github/actions/spelling/expect.txt

@@ -83,6 +83,7 @@ notebookinstancedetails
 nsrecord
 nullgroup
 nullstring
+oidc
 opcplc
 openssh
 openssl

go.sum

@@ -38,6 +38,7 @@ import (
 	"github.com/aws/aws-sdk-go-v2/service/inspector2"
 	"github.com/aws/aws-sdk-go-v2/service/kms"
 	"github.com/aws/aws-sdk-go-v2/service/lambda"
+	"github.com/aws/aws-sdk-go-v2/service/macie2"
 	"github.com/aws/aws-sdk-go-v2/service/neptune"
 	"github.com/aws/aws-sdk-go-v2/service/organizations"
 	"github.com/aws/aws-sdk-go-v2/service/rds"
@@ -635,6 +636,30 @@ func (t *AwsConnection) Lambda(region string) *lambda.Client {
 	return client
 }
 
+func (t *AwsConnection) Macie2(region string) *macie2.Client {
+	// if no region value is sent in, use the configured region
+	if len(region) == 0 {
+		region = t.cfg.Region
+	}
+	cacheVal := "_macie2_" + region
+
+	// check for cached client and return it if it exists
+	c, ok := t.clientcache.Load(cacheVal)
+	if ok {
+		log.Debug().Msg("use cached macie2 client")
+		return c.Data.(*macie2.Client)
+	}
+
+	// create the client
+	cfg := t.cfg.Copy()
+	cfg.Region = region
+	client := macie2.NewFromConfig(cfg)
+
+	// cache it
+	t.clientcache.Store(cacheVal, &CacheEntry{Data: client})
+	return client
+}
+
 func (t *AwsConnection) Dynamodb(region string) *dynamodb.Client {
 	// if no region value is sent in, use the configured region
 	if len(region) == 0 {

providers/aws/connection/clients.go

@@ -41,6 +41,7 @@ require (
 	github.com/aws/aws-sdk-go-v2/service/inspector2 v1.44.6
 	github.com/aws/aws-sdk-go-v2/service/kms v1.45.6
 	github.com/aws/aws-sdk-go-v2/service/lambda v1.78.0
+	github.com/aws/aws-sdk-go-v2/service/macie2 v1.49.6
 	github.com/aws/aws-sdk-go-v2/service/neptune v1.42.5
 	github.com/aws/aws-sdk-go-v2/service/organizations v1.45.3
 	github.com/aws/aws-sdk-go-v2/service/rds v1.108.2

providers/aws/go.mod

@@ -70,6 +70,27 @@ func Is400AccessDeniedError(err error) bool {
 	return false
 }
 
+// IsMacieNotEnabledError checks if the error indicates Macie is not enabled in the region
+func IsMacieNotEnabledError(err error) bool {
+	if err == nil {
+		return false
+	}
+
+	var respErr *http.ResponseError
+	if errors.As(err, &respErr) {
+		// Macie returns 401 status code with AccessDeniedException when not enabled
+		if respErr.HTTPStatusCode() == 401 && strings.Contains(respErr.Error(), "AccessDeniedException: Macie is not enabled") {
+			return true
+		}
+		// Also catch general access denied cases for Macie
+		if (respErr.HTTPStatusCode() == 400 || respErr.HTTPStatusCode() == 401 || respErr.HTTPStatusCode() == 403) &&
+			(strings.Contains(respErr.Error(), "AccessDeniedException") || strings.Contains(respErr.Error(), "AccessDenied")) {
+			return true
+		}
+	}
+	return false
+}
+
 func Is400InstanceNotFoundError(err error) bool {
 	var respErr *http.ResponseError
 	if errors.As(err, &respErr) {

providers/aws/go.sum

@@ -1354,6 +1354,122 @@ private aws.guardduty.finding @defaults("title region severity") {
   updatedAt time
 }
 
+// Amazon Macie
+aws.macie {
+  // List of Macie sessions
+  sessions() []aws.macie.session
+  // List of classification jobs
+  classificationJobs() []aws.macie.classificationJob
+  // List of findings
+  findings() []aws.macie.finding
+  // List of custom data identifiers
+  customDataIdentifiers() []aws.macie.customDataIdentifier
+}
+
+// Amazon Macie session
+private aws.macie.session @defaults("arn region status") {
+  // ARN of the Macie session
+  arn string
+  // Region where Macie is enabled
+  region string
+  // Status of the Macie session: ENABLED or PAUSED
+  status string
+  // Date and time when the Macie session was created
+  createdAt time
+  // Date and time when the Macie session was last updated
+  updatedAt time
+  // Finding publishing frequency: FIFTEEN_MINUTES, ONE_HOUR, or SIX_HOURS
+  findingPublishingFrequency() string
+  // Service role ARN used by Macie
+  serviceRole() string
+  // Number of S3 buckets monitored by Macie
+  s3BucketCount() int
+}
+
+// Amazon Macie classification job
+private aws.macie.classificationJob @defaults("jobId name status region") {
+  // ARN of the classification job
+  arn string
+  // Unique ID of the job
+  jobId string
+  // Name of the job
+  name string
+  // Region where the job runs
+  region string
+  // Status of the job: RUNNING, PAUSED, CANCELLED, COMPLETE, IDLE, or USER_PAUSED
+  status string
+  // Type of job: ONE_TIME or SCHEDULED
+  jobType string
+  // Date and time when the job was created
+  createdAt time
+  // Date and time when the job was last run
+  lastRunTime() time
+  // Sampling percentage for the job
+  samplingPercentage() int
+  // Bucket definitions for the job
+  bucketDefinitions() []dict
+  // Schedule frequency for the job
+  scheduleFrequency() dict
+  // Statistics for the job
+  statistics() dict
+  // Tags for the job
+  tags() map[string]string
+}
+
+// Amazon Macie finding
+private aws.macie.finding @defaults("id arn region type severity") {
+  // Unique ID of the finding
+  id string
+  // ARN of the finding
+  arn string
+  // Region where the finding was discovered
+  region string
+  // Account ID where the finding was discovered
+  accountId string
+  // Type of the finding
+  type string
+  // Severity details of the finding
+  severity dict
+  // Category of the finding: CLASSIFICATION or POLICY
+  category string
+  // Whether the finding is archived
+  archived bool
+  // Count of occurrences for this finding
+  count int
+  // Date and time when the finding was created
+  createdAt time
+  // Date and time when the finding was last updated
+  updatedAt time
+  // Title of the finding
+  title string
+  // Description of the finding
+  description string
+  // Classification details for the finding
+  classificationDetails() dict
+  // Resources affected by the finding
+  resourcesAffected() dict
+}
+
+// Amazon Macie custom data identifier
+private aws.macie.customDataIdentifier @defaults("id name") {
+  // Unique ID of the custom data identifier
+  id string
+  // ARN of the custom data identifier
+  arn string
+  // Name of the custom data identifier
+  name string
+  // Description of the custom data identifier
+  description() string
+  // Regular expression pattern for the identifier
+  regex() string
+  // Keywords for the identifier
+  keywords() []string
+  // Date and time when the identifier was created
+  createdAt time
+  // Tags for the identifier
+  tags() map[string]string
+}
+
 // AWS Security Hub
 aws.securityhub {
   // List of Security Hubs in the account