Amazon Macie is a fully managed data security and data privacy service that uses machine learning and pattern matching to discover and protect your sensitive data in AWS.
Ongoing evaluation of your Amazon S3 environment
Amazon Macie continually evaluates your Amazon S3 environment and provides an S3 resource summary across all of your accounts. You can search, filter, and sort buckets by metadata variables, such as bucket names, tags, and security controls like encryption status or public accessibility. For any unencrypted buckets, publicly accessible buckets, or buckets shared with AWS accounts outside those you have defined in AWS Organizations, Macie can alert you so that you can take action.
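The bucket-level summary described above can be consumed programmatically through the Macie API. The following is an added example (not AWS's own code) that classifies buckets from Macie's DescribeBuckets metadata into the three alert conditions named in the paragraph: no default encryption, public access, and sharing outside the organization. It assumes the BucketMetadata field names publicAccess.effectivePermission, serverSideEncryption.type and sharedAccess; the sample entries are constructed so the classification runs offline, and the live fetch is optional.

```python
"""Classify S3 bucket posture from Amazon Macie's DescribeBuckets metadata.

Added example (not AWS's own code). Assumes the BucketMetadata field names
publicAccess.effectivePermission, serverSideEncryption.type and sharedAccess.
SAMPLE_BUCKETS below is constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class BucketAlert:
    bucket: str
    reasons: list = field(default_factory=list)


def evaluate_bucket(meta: dict) -> list:
    """Return the posture problems Macie's summary reveals for one bucket."""
    reasons = []
    # Effective permission is what matters: a bucket policy or ACL can grant
    # public reads even when the account-level block looks fine.
    if meta.get("publicAccess", {}).get("effectivePermission") == "PUBLIC":
        reasons.append("publicly accessible")
    # Macie reports "NONE" when the bucket has no default server-side encryption.
    sse = meta.get("serverSideEncryption", {}).get("type", "NONE")
    if sse == "NONE":
        reasons.append("no default encryption")
    # EXTERNAL means the bucket is shared with accounts outside your organization.
    if meta.get("sharedAccess") == "EXTERNAL":
        reasons.append("shared outside the organization")
    return reasons


def find_risky_buckets(buckets: list) -> list:
    """Keep only buckets with at least one problem, most problems first."""
    alerts = [BucketAlert(b["bucketName"], evaluate_bucket(b)) for b in buckets]
    risky = [a for a in alerts if a.reasons]
    return sorted(risky, key=lambda a: -len(a.reasons))


def fetch_bucket_metadata(region: str = "us-east-1") -> list:
    """Pull the live summary with boto3 (needs Macie enabled and credentials)."""
    import boto3  # imported lazily so the offline part of the example still runs

    client = boto3.client("macie2", region_name=region)
    kwargs, buckets = {}, []
    while True:  # follow nextToken until the summary is exhausted
        page = client.describe_buckets(**kwargs)
        buckets.extend(page.get("buckets", []))
        if not page.get("nextToken"):
            return buckets
        kwargs["nextToken"] = page["nextToken"]


# Constructed sample mimicking three entries of a DescribeBuckets response.
SAMPLE_BUCKETS = [
    {"bucketName": "example-logs",
     "publicAccess": {"effectivePermission": "NOT_PUBLIC"},
     "serverSideEncryption": {"type": "aws:kms"},
     "sharedAccess": "NOT_SHARED"},
    {"bucketName": "example-marketing-assets",
     "publicAccess": {"effectivePermission": "PUBLIC"},
     "serverSideEncryption": {"type": "NONE"},
     "sharedAccess": "EXTERNAL"},
    {"bucketName": "example-partner-drop",
     "publicAccess": {"effectivePermission": "NOT_PUBLIC"},
     "serverSideEncryption": {"type": "AES256"},
     "sharedAccess": "EXTERNAL"},
]

if __name__ == "__main__":
    for alert in find_risky_buckets(SAMPLE_BUCKETS):
        print(f"{alert.bucket}: {', '.join(alert.reasons)}")
```

Run as a script it reports the two constructed buckets with problems; replace SAMPLE_BUCKETS with the result of fetch_bucket_metadata() to evaluate a real account.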
Scalable on-demand and automated sensitive data discovery jobs
Amazon Macie allows you to run one-time, daily, weekly, or monthly sensitive data discovery jobs for all of the objects, or a subset of them, in an Amazon S3 bucket. For recurring sensitive data discovery jobs, Amazon Macie automatically tracks changes to the bucket and only evaluates new or modified objects over time.
Fully managed sensitive data types
Amazon Macie maintains a growing list of sensitive data types that include common personally identifiable information (PII) and other sensitive data types as defined by data privacy regulations, such as GDPR, PCI-DSS, and HIPAA. These data types use various detection techniques, including machine learning, and are continually added to and improved over time.
Custom-defined sensitive data types
Amazon Macie lets you add custom-defined data types using regular expressions so that Macie can discover proprietary or unique sensitive data for your business.
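A custom data identifier is a regular expression, optionally narrowed by keywords that must appear near a match. The following added example (not AWS's own code) drafts one for a hypothetical internal employee ID format, checks it locally against constructed sample text before registering it, and then shows the boto3 calls that register it and attach it to a weekly discovery job of the kind described under the scheduled jobs section above. The identifier format, keywords and sample text are constructed; the local keyword check approximates Macie's proximity matching with Python's re module and is not Macie's engine.

```python
"""Draft and locally check a Macie custom data identifier before creating it.

Added example, not AWS's code. The identifier (hypothetical "EMP-" plus eight
digits), the keywords and SAMPLE_TEXT are constructed. find_matches only
approximates Macie's keyword proximity rule for a local sanity check.
"""
import re
import uuid

# Hypothetical proprietary identifier: EMP- followed by exactly eight digits.
EMPLOYEE_ID_REGEX = r"\bEMP-\d{8}\b"
# Keywords that must appear near a match; they cut false positives on stray digits.
KEYWORDS = ["employee id", "staff number", "badge"]
MAX_MATCH_DISTANCE = 30  # characters allowed between a keyword and the match


def find_matches(text: str, regex: str = EMPLOYEE_ID_REGEX,
                 keywords=KEYWORDS, max_distance: int = MAX_MATCH_DISTANCE) -> list:
    """Return regex matches that have a keyword within max_distance characters before them.

    Approximation of how Macie applies keywords to a custom data identifier;
    use it to tune the regex and keywords before paying for a discovery job.
    """
    lowered = text.lower()
    hits = []
    for m in re.finditer(regex, text):
        window = lowered[max(0, m.start() - max_distance):m.start()]
        if any(k in window for k in keywords):
            hits.append(m.group(0))
    return hits


def create_identifier(client, name: str = "example-employee-id") -> str:
    """Register the identifier with Macie and return its id (needs credentials)."""
    resp = client.create_custom_data_identifier(
        name=name,
        description="Internal employee IDs (constructed example)",
        regex=EMPLOYEE_ID_REGEX,
        keywords=KEYWORDS,
        maximumMatchDistance=MAX_MATCH_DISTANCE,
        clientToken=str(uuid.uuid4()),  # idempotency token
    )
    return resp["customDataIdentifierId"]


def create_weekly_job(client, account_id: str, bucket: str, identifier_id: str) -> str:
    """Schedule a weekly discovery job over one bucket that uses the identifier."""
    resp = client.create_classification_job(
        name=f"weekly-scan-{bucket}",
        jobType="SCHEDULED",
        scheduleFrequency={"weeklySchedule": {"dayOfWeek": "MONDAY"}},
        customDataIdentifierIds=[identifier_id],
        s3JobDefinition={"bucketDefinitions": [{"accountId": account_id,
                                                "buckets": [bucket]}]},
        clientToken=str(uuid.uuid4()),
    )
    return resp["jobId"]


# Constructed sample: one true positive with a keyword, one bare reference
# number that should be ignored, and a second true positive near "Badge".
SAMPLE_TEXT = (
    "Employee ID: EMP-00012345 joined in March. "
    "Order reference EMP-99887766 was refunded. "
    "Badge EMP-55501234 reissued."
)

if __name__ == "__main__":
    print(find_matches(SAMPLE_TEXT))
    # To register and schedule for real (placeholders, requires Macie enabled):
    # import boto3
    # macie = boto3.client("macie2", region_name="us-east-1")
    # ident = create_identifier(macie)
    # create_weekly_job(macie, "111122223333", "example-bucket", ident)
```

The local check returns the two matches that sit next to a keyword and drops the order reference that merely shares the format, which is the behaviour the keyword list is meant to buy.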
Detailed and actionable security and sensitive data discovery findings
Macie reduces alert volume and speeds up triage by consolidating findings by object or bucket. Findings are prioritized by severity, and each finding includes details such as the sensitive data type, tags, public accessibility, and encryption status. Findings are retained for 30 days and are available in the AWS Management Console or through the API. The full sensitive data discovery details are automatically written to a customer-owned S3 bucket for long-term retention.
One-click deployment with no upfront data source integration
With one click in the AWS Management Console or a single API call, you can enable Amazon Macie in a single account. With a few more clicks in the console, you can enable Macie across multiple accounts. Once enabled, Macie generates an ongoing Amazon S3 resource summary across accounts that includes bucket and object counts as well as the bucket-level security and access controls.
Multi-account support and integration with AWS Organizations
In the multi-account configuration, a single Macie administrator account can manage all member accounts, including the creation and administration of sensitive data discovery jobs across accounts. Amazon Macie supports multiple accounts through AWS Organizations integration as well as natively within Macie. Security and sensitive data discovery findings are aggregated in the Macie administrator account and sent to Amazon CloudWatch Events. Using that one account, you can integrate with event management, workflow, and ticketing systems, or use Macie findings with AWS Step Functions to automate remediation actions.
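The findings that the administrator account forwards to CloudWatch Events (now Amazon EventBridge) carry the details listed in the findings section above: finding type, severity, the affected bucket and object, public accessibility, and the sensitive data categories found. The following added example (not AWS's own code) is a Lambda-style handler for a "Macie Finding" rule that flattens a finding into what a responder needs and routes it to a remediation, ticketing, or log-only queue, the kind of decision a Step Functions workflow would start from. It assumes the finding layout under event["detail"] (type, category, severity.description, resourcesAffected, classificationDetails.result.sensitiveData); the two events are constructed and the account and bucket names are placeholders.

```python
"""Triage Amazon Macie findings delivered through an EventBridge rule.

Added example, not AWS's code. Assumes the Macie finding layout under
event["detail"]; SAMPLE_EVENT and SAMPLE_POLICY_EVENT are constructed and
the account id and bucket names are placeholders.
"""
import json

SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3}


def summarize_finding(detail: dict) -> dict:
    """Flatten the parts of a finding that decide the next step."""
    affected = detail.get("resourcesAffected", {})
    bucket = affected.get("s3Bucket", {})
    obj = affected.get("s3Object", {})
    result = detail.get("classificationDetails", {}).get("result", {})
    # Policy findings carry no classification result, so this stays empty for them.
    categories = sorted({s["category"] for s in result.get("sensitiveData", [])})
    return {
        "id": detail.get("id"),
        "type": detail.get("type"),
        "category": detail.get("category"),  # CLASSIFICATION or POLICY
        "severity": detail.get("severity", {}).get("description"),
        "bucket": bucket.get("name"),
        "object_key": obj.get("key"),
        "public": bucket.get("publicAccess", {}).get("effectivePermission") == "PUBLIC",
        "sensitive_categories": categories,
    }


def route(summary: dict) -> str:
    """Pick a workflow queue: automated remediation, a ticket, or log only."""
    if summary["public"] and summary["sensitive_categories"]:
        return "remediate-now"  # sensitive data sitting in a public bucket
    if SEVERITY_RANK.get(summary["severity"], 0) >= SEVERITY_RANK["High"]:
        return "ticket"
    return "log"


def handler(event: dict, context=None) -> dict:
    """Entry point for an EventBridge rule matching detail-type 'Macie Finding'."""
    if event.get("detail-type") != "Macie Finding":
        return {"ignored": True}
    summary = summarize_finding(event["detail"])
    summary["queue"] = route(summary)
    print(json.dumps(summary))  # lands in CloudWatch Logs when run in Lambda
    return summary


# Constructed sensitive-data finding: PII in a publicly readable bucket.
SAMPLE_EVENT = {
    "version": "0", "detail-type": "Macie Finding", "source": "aws.macie",
    "account": "111122223333", "region": "us-east-1",
    "detail": {
        "id": "finding-constructed-0001",
        "type": "SensitiveData:S3Object/Personal",
        "category": "CLASSIFICATION",
        "severity": {"score": 3, "description": "High"},
        "resourcesAffected": {
            "s3Bucket": {"name": "example-marketing-assets",
                         "publicAccess": {"effectivePermission": "PUBLIC"}},
            "s3Object": {"key": "exports/customers-2024.csv"},
        },
        "classificationDetails": {"result": {"sensitiveData": [
            {"category": "PERSONAL_INFORMATION", "totalCount": 42,
             "detections": [{"type": "NAME", "count": 21},
                            {"type": "EMAIL_ADDRESS", "count": 21}]},
        ]}},
    },
}

# Constructed policy finding: default encryption removed from a private bucket.
SAMPLE_POLICY_EVENT = {
    "version": "0", "detail-type": "Macie Finding", "source": "aws.macie",
    "account": "111122223333", "region": "us-east-1",
    "detail": {
        "id": "finding-constructed-0002",
        "type": "Policy:IAMUser/S3BucketEncryptionDisabled",
        "category": "POLICY",
        "severity": {"score": 2, "description": "Medium"},
        "resourcesAffected": {
            "s3Bucket": {"name": "example-logs",
                         "publicAccess": {"effectivePermission": "NOT_PUBLIC"}},
        },
    },
}

if __name__ == "__main__":
    handler(SAMPLE_EVENT)
    handler(SAMPLE_POLICY_EVENT)
```

The routing rule deliberately keys on the combination of public access and a non-empty sensitive data list rather than on severity alone, since that pairing is the case where waiting for a ticket is most costly.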