Amazon Macie features

What is Amazon Macie?

Amazon Macie is a data security service that discovers sensitive data using machine learning and pattern matching, provides visibility into data security risks, and enables you to automate protection against those risks. To help you manage the data security posture of your Amazon S3 environment, Macie continually evaluates your S3 buckets for security and access controls, and generates findings to notify you of issues such as unencrypted buckets, publicly accessible buckets, and buckets that are shared with AWS accounts outside your organization. Macie then automatically samples and analyzes objects in your S3 buckets, inspecting them for sensitive data such as personally identifiable information (PII), builds an interactive data map of where your sensitive data in S3 resides across accounts, and provides a sensitivity score for each bucket. The interactive data map can guide your decisions to perform deeper investigations of specific S3 buckets by running targeted sensitive data discovery jobs with Macie. Running targeted sensitive data discovery jobs can help you meet regulations such as the Health Insurance Portability and Accountability Act (HIPAA) and the General Data Protection Regulation (GDPR). All Macie findings are sent to Amazon EventBridge and can also be published to AWS Security Hub to initiate automated remediation, such as blocking public access to your S3 storage. You can get started with Macie by using the 30-day free trial, which includes automated sensitive data discovery and S3 bucket-level evaluation. The free trial can also help you understand the estimated spend for continued usage before committing to paid usage.

Key Features

Amazon Macie continually evaluates your Amazon S3 environment and provides a summary of your data security posture across all of your accounts. You can search, filter, and sort S3 buckets by metadata variables, such as bucket names, tags, and security controls like encryption status or public accessibility. For any unencrypted buckets, publicly accessible buckets, or buckets shared with AWS accounts outside those you have defined in AWS Organizations, you can be alerted so that you can take action. Macie then automatically samples and analyzes objects in your S3 buckets, inspecting them for sensitive data such as personally identifiable information (PII), builds an interactive data map of where your sensitive data in S3 resides across accounts, and provides a sensitivity score for each bucket. The interactive data map can guide your decisions to perform deeper investigations of specific S3 buckets by running targeted sensitive data discovery jobs with Macie.

Amazon Macie allows you to run one-time, daily, weekly, or monthly sensitive data discovery jobs for all objects, or a subset of objects, in an Amazon S3 bucket. For recurring targeted sensitive data discovery jobs, Amazon Macie automatically tracks changes to the bucket and evaluates only new or modified objects over time.

Amazon Macie maintains a growing list of sensitive data types that includes common personally identifiable information (PII) and other sensitive data types as defined by data privacy regulations such as GDPR, PCI DSS, and HIPAA. These data types are detected using various techniques, including machine learning, and the list is continually extended and improved over time.

Amazon Macie lets you add custom-defined data types using regular expressions, so that Macie can discover proprietary or unique sensitive data specific to your business.

Macie reduces alert volume and speeds up triage by consolidating findings by object or bucket. Macie findings are prioritized by severity level, and each finding includes details such as the sensitive data type, tags, public accessibility, and encryption status. Findings are retained for 30 days and are available in the AWS Management Console or through the API. The full sensitive data discovery details are automatically written to a customer-owned S3 bucket for long-term retention.

Macie allows for one-click, temporary retrieval of up to 10 examples of sensitive data found in S3. This capability helps you more easily view and understand which contents of an S3 object were identified as sensitive, so you can review, validate, and quickly take action as needed. All sensitive data examples captured are encrypted using customer-managed AWS Key Management Service (KMS) keys and are temporarily viewable within the Macie console after being retrieved.

Macie’s allow list feature can help you reduce alert volume caused by text or formats in your environment that do not require action. An allow list defines specific text or a text pattern that you want Macie to ignore when it inspects S3 objects for sensitive data. If text matches an entry or pattern in an allow list, Macie doesn’t report the text in sensitive data findings or sensitive data discovery results, even if the text matches the criteria of a managed data identifier or a custom data identifier.
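The following is an added example, not Macie's own code, that models how a custom data identifier (a regular expression plus optional keywords and a maximum match distance) interacts with an allow list as described above: a value that matches the identifier is still dropped when it appears in the allow list. The identifier, the allow list and the sample object text are all constructed for illustration.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

@dataclass
class CustomDataIdentifier:
    # Constructed model of a Macie custom data identifier: a regex, optional
    # keywords that must appear shortly before a match, and how far back to look.
    name: str
    regex: str
    keywords: List[str] = field(default_factory=list)
    max_match_distance: int = 50   # characters searched before the match for a keyword

@dataclass
class AllowList:
    # Constructed model of an allow list: exact text entries and/or one regex pattern.
    literal_text: Set[str] = field(default_factory=set)
    regex: Optional[str] = None

def find_matches(text: str, ident: CustomDataIdentifier) -> List[str]:
    """Return regex matches that also satisfy the keyword-proximity rule."""
    hits = []
    for m in re.finditer(ident.regex, text):
        if ident.keywords:
            window_start = max(0, m.start() - ident.max_match_distance)
            window = text[window_start:m.start()].lower()
            if not any(k.lower() in window for k in ident.keywords):
                continue   # matched the pattern but no keyword nearby: not reported
        hits.append(m.group(0))
    return hits

def apply_allow_list(values: List[str], allow: AllowList) -> List[str]:
    """Drop any matched value that an allow list entry or pattern covers."""
    kept = []
    for v in values:
        if v in allow.literal_text:
            continue
        if allow.regex and re.fullmatch(allow.regex, v):
            continue
        kept.append(v)
    return kept

def report(text: str, ident: CustomDataIdentifier, allow: AllowList) -> List[str]:
    """Values that would surface in a finding: identifier matches minus allow-listed text."""
    return apply_allow_list(find_matches(text, ident), allow)

# Constructed sample: an internal employee-ID format, a placeholder ID used in
# templates, a sandbox ID range, and a ticket number that happens to share the format.
EMPLOYEE_ID = CustomDataIdentifier("EmployeeId", r"EMP-\d{6}", ["employee id"], 30)
ALLOW = AllowList(literal_text={"EMP-000000"}, regex=r"EMP-9\d{5}")
SAMPLE_TEXT = (
    "Employee ID: EMP-123456 joined the finance team.\n"
    "Placeholder in the template: employee id EMP-000000.\n"
    "Sandbox employee id EMP-987654 is for testing only.\n"
    "Ticket reference EMP-555555 is a change ticket, not a person.\n"
)
```

Running `report(SAMPLE_TEXT, EMPLOYEE_ID, ALLOW)` leaves only `EMP-123456`: the placeholder and sandbox values are allow-listed, and the ticket number has no keyword within 30 characters.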

In the multi-account configuration, a single Macie administrator account can manage all member accounts, including the creation and administration of sensitive data discovery jobs across accounts. Macie supports multiple accounts through AWS Organizations integration. Security and sensitive data discovery findings are aggregated in the Macie administrator account and sent to Amazon EventBridge. From that one account, you can integrate with event management, workflow, and ticketing systems, or use Macie findings with AWS Step Functions to automate remediation actions.