Posted On: May 17, 2021

Amazon Macie now allows you to define run-time criteria that determine which S3 buckets are included in a sensitive data discovery job. When a job runs, Macie identifies the S3 buckets that match your criteria and automatically adds them to, or removes them from, the job’s scope. This makes it easier to manage which S3 buckets are monitored for sensitive data, and removes the need to create new jobs to cover newly created or modified S3 buckets.

The criteria consist of one or more conditions derived from bucket properties, such as the account, resource tags, public access permissions, or shared access configuration. For example, you can configure a scheduled job with bucket criteria that target all publicly accessible S3 buckets in your account. On each run of the scheduled job, Macie evaluates the criteria you have configured to identify the bucket or buckets that should be included, so you can continually monitor all publicly accessible buckets in your account without manual intervention. As new publicly accessible buckets are created, or configuration changes occur, those buckets are automatically added to the scheduled sensitive data discovery job on its next run. Similarly, if bucket policy changes take a bucket out of scope for a criteria-based job, that bucket is automatically excluded from the next run. To get started with criteria-based jobs, create a job in Macie and select “Specify bucket criteria”, or visit the updated documentation page.
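As an added example (not AWS's own code), the "all publicly accessible buckets in the account" criteria described above, expressed in the field names of the macie2 CreateClassificationJob API's s3JobDefinition.bucketCriteria, together with a small local matcher that previews which buckets from a constructed inventory a run would pick up. The account id, tag, bucket names and the matcher's AND-per-block semantics are constructed assumptions of this example; the authoritative evaluation is the one Macie performs at run time.

```python
# Bucket criteria in the shape of s3JobDefinition.bucketCriteria in the macie2
# CreateClassificationJob API (boto3 field names). Target: every publicly accessible
# bucket in one account, except buckets tagged DataClass=public-website (constructed).
BUCKET_CRITERIA = {
    "includes": {"and": [
        {"simpleCriterion": {"key": "ACCOUNT_ID", "comparator": "EQ",
                             "values": ["111122223333"]}},
        {"simpleCriterion": {"key": "S3_BUCKET_EFFECTIVE_PERMISSION",
                             "comparator": "EQ", "values": ["PUBLIC"]}},
    ]},
    "excludes": {"and": [
        {"tagCriterion": {"comparator": "EQ",
                          "tagValues": [{"key": "DataClass", "value": "public-website"}]}},
    ]},
}

def job_request(name):
    """kwargs for boto3's macie2.create_classification_job: a daily scheduled job."""
    return {"name": name, "jobType": "SCHEDULED", "scheduleFrequency": {"dailySchedule": {}},
            "s3JobDefinition": {"bucketCriteria": BUCKET_CRITERIA}}

# Constructed bucket inventory, keyed by the criterion keys Macie evaluates.
INVENTORY = [
    {"S3_BUCKET_NAME": "corp-public-assets", "ACCOUNT_ID": "111122223333",
     "S3_BUCKET_EFFECTIVE_PERMISSION": "PUBLIC", "tags": {"DataClass": "public-website"}},
    {"S3_BUCKET_NAME": "exports-misconfigured", "ACCOUNT_ID": "111122223333",
     "S3_BUCKET_EFFECTIVE_PERMISSION": "PUBLIC", "tags": {}},
    {"S3_BUCKET_NAME": "hr-records", "ACCOUNT_ID": "111122223333",
     "S3_BUCKET_EFFECTIVE_PERMISSION": "NOT_PUBLIC", "tags": {}},
    {"S3_BUCKET_NAME": "partner-acct-public", "ACCOUNT_ID": "444455556666",
     "S3_BUCKET_EFFECTIVE_PERMISSION": "PUBLIC", "tags": {}},
]

def _holds(cond, bucket):
    """One condition against one bucket; EQ/NE comparators (local approximation)."""
    if "simpleCriterion" in cond:
        c = cond["simpleCriterion"]
        hit = bucket.get(c["key"]) in c["values"]
    else:
        c = cond["tagCriterion"]
        hit = any(bucket["tags"].get(t["key"]) == t["value"] for t in c["tagValues"])
    return hit if c["comparator"] == "EQ" else not hit

def in_scope(criteria, inventory):
    """Preview scope: all include conditions hold and the exclude block does not (assumed)."""
    inc = criteria.get("includes", {}).get("and", [])
    exc = criteria.get("excludes", {}).get("and", [])
    return [b["S3_BUCKET_NAME"] for b in inventory
            if all(_holds(c, b) for c in inc)
            and not (exc and all(_holds(c, b) for c in exc))]
```

Running the preview against a real inventory (for example, the output of macie2 describe_buckets) before creating the job shows exactly which buckets a criteria change will pull in or drop.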

Getting started with Amazon Macie is fast and easy: a single click in the AWS Management Console or a single API call. In addition, Macie has multi-account support using AWS Organizations, which makes it easy to enable Macie across all of your AWS accounts. Once enabled, Macie automatically gathers a complete S3 inventory at the bucket level and continually evaluates every bucket to alert on any publicly accessible buckets, unencrypted buckets, or buckets shared or replicated with AWS accounts outside of a customer’s organization. Then, Macie applies machine learning and pattern matching techniques to the buckets you select to identify and alert you to sensitive data, such as personally identifiable information (PII), financial information, or credential materials. This can help you comply with regulations such as the Health Insurance Portability and Accountability Act (HIPAA) and the General Data Protection Regulation (GDPR).

Amazon Macie comes with a 30-day free trial for S3 bucket-level inventory and evaluation of access control and encryption. Sensitive data discovery is free for the first 1 GB per account per region each month, with additional scanning charged according to the Amazon Macie pricing plan. To learn more, see the Amazon Macie documentation page.