Amazon Macie Documentation

Amazon Macie is a managed data security and data privacy service that uses machine learning and pattern matching to help you discover and protect your sensitive data in AWS.

Ongoing evaluation of your Amazon S3 environment

Amazon Macie is designed to continually evaluate your Amazon S3 environment and provide an S3 resource summary across all of your accounts. You can search, filter, and sort buckets by metadata variables, such as bucket names, tags, and security controls like encryption status or public accessibility. For any unencrypted buckets, publicly accessible buckets, or buckets shared with AWS accounts outside those you have defined in AWS Organizations, you can receive alerts so that you can take action.

On-demand and sensitive data discovery jobs

Amazon Macie allows you to run one-time, daily, weekly, or monthly sensitive data discovery jobs for all objects, or a subset of objects, in an Amazon S3 bucket. For recurring sensitive data discovery jobs, Amazon Macie tracks changes to the bucket and only evaluates new or modified objects over time.

Managed sensitive data types

Amazon Macie maintains a growing list of sensitive data types that include common personally identifiable information (PII) and other sensitive data types as defined by data privacy regulations, such as GDPR, PCI-DSS, and HIPAA. These data types use various data detection techniques including machine learning and are added to and improved upon over time.

Custom-defined sensitive data types

Amazon Macie lets you add custom-defined data types using regular expressions, so that Macie can discover proprietary or unique sensitive data specific to your business.

Detailed and actionable security and sensitive data discovery findings

Macie is designed to reduce alert volume and speed up triage by consolidating findings by object or bucket. Based on severity level, Macie findings are prioritized and each finding includes details, such as the sensitive data type, tags, public accessibility, and encryption status. Findings are retained for 30 days and are available in the AWS Management Console or through the API. The full sensitive data discovery details are written to a customer-owned S3 bucket for retention.

Review and validate sensitive data found in an Amazon S3 object

Macie allows for temporary retrieval of examples of sensitive data found in S3. This capability helps you more easily view and understand which contents of an S3 object were identified as sensitive, so you can review, validate, and take action as needed. All sensitive data examples captured are encrypted using customer-managed AWS Key Management Service (KMS) keys and are temporarily viewable within the Macie console after being retrieved.

Create and manage allow lists to specify text or text patterns

Macie’s allow list feature can help you reduce alert volume caused by text or text formats in your environment that do not require action. An allow list defines specific text or a text pattern that you want Macie to ignore when it inspects S3 objects for sensitive data. If text matches an entry or pattern in an allow list, Macie doesn’t report the text in sensitive data findings or sensitive data discovery results, even if the text matches the criteria of a managed data identifier or a custom data identifier.
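To make the interaction between custom data identifiers (regex plus nearby keywords) and allow lists concrete, here is an added local model of that evaluation logic, written for this page and not taken from Macie or the AWS SDK; it makes no calls to the service. The `EMP-nnnnnn` identifier format, the sample object text and the allow-list entries are all constructed for the example, and the keyword-distance and allow-list semantics are an approximation of the behaviour described above, not Macie's internal algorithm.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class CustomDataIdentifier:
    """Local model of a custom data identifier: a regex, plus optional keywords
    that must appear within max_match_distance characters before a match."""
    name: str
    regex: str
    keywords: Tuple[str, ...] = ()
    max_match_distance: int = 50

@dataclass(frozen=True)
class AllowList:
    """Local model of an allow list: literal entries and/or a pattern to ignore."""
    entries: frozenset = frozenset()
    regex: Optional[str] = None

    def allows(self, text: str) -> bool:
        if text in self.entries:
            return True
        return bool(self.regex and re.fullmatch(self.regex, text))

def find_sensitive(obj_text: str, identifiers: List[CustomDataIdentifier],
                   allow_lists: List[AllowList]) -> List[Tuple[str, str, int]]:
    """Return (identifier name, matched text, offset) for every identifier match
    that survives both the keyword-distance check and the allow lists."""
    hits = []
    for ident in identifiers:
        for m in re.finditer(ident.regex, obj_text):
            if ident.keywords:
                window = obj_text[max(0, m.start() - ident.max_match_distance):m.start()]
                if not any(k.lower() in window.lower() for k in ident.keywords):
                    continue  # pattern matched, but no supporting keyword nearby
            if any(al.allows(m.group(0)) for al in allow_lists):
                continue  # matched text is on an allow list: not reported
            hits.append((ident.name, m.group(0), m.start()))
    return hits

# Constructed sample object content; EMP-nnnnnn is a hypothetical internal ID format.
SAMPLE_OBJECT = (
    "employee id: EMP-483920 transferred to finance.\n"
    "employee id: EMP-000000 is the placeholder used in templates.\n"
    "build tag EMP-771234 appears in a log footer.\n"
)
EMPLOYEE_ID = CustomDataIdentifier("InternalEmployeeId", r"\bEMP-\d{6}\b",
                                   keywords=("employee id",), max_match_distance=50)
PLACEHOLDERS = AllowList(entries=frozenset({"EMP-000000"}), regex=r"EMP-9{6}")
```

Running `find_sensitive(SAMPLE_OBJECT, [EMPLOYEE_ID], [PLACEHOLDERS])` reports only `EMP-483920`: the placeholder is suppressed by the allow list even though it matches the identifier, and the footer value is dropped because no keyword appears within the match distance.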

Deployment with no upfront data source integration

Through the AWS Management Console or using a single API call, you can enable Amazon Macie in a single account. With a few more clicks in the console, you can enable Macie across multiple accounts. Once enabled, Macie generates an ongoing Amazon S3 resource summary across accounts that includes bucket and object counts as well as the bucket-level security and access controls.

Multi-account support and integration with AWS Organizations

In the multi-account configuration, a single Macie administrator account can manage all member accounts, including the creation and administration of sensitive data discovery jobs across accounts. Amazon Macie supports multiple accounts through AWS Organizations integration as well as natively within Macie. Security and sensitive data discovery findings are aggregated in the Macie administrator account and sent to Amazon CloudWatch Events. Using one account, you can integrate with event management, workflow, and ticketing systems or use Macie findings with AWS Step Functions to help automate remediation actions.

Additional Information

For additional information about service controls, security features and functionalities, including, as applicable, information about storing, retrieving, modifying, restricting, and deleting data, please see https://docs.aws.amazon.com/index.html. This additional information does not form part of the Documentation for purposes of the AWS Customer Agreement available at http://aws.amazon.com/agreement, or other agreement between you and AWS governing your use of AWS’s services.