It is important to monitor the location of sensitive data to protect it from unauthorized access, misuse, or destruction. By tracking and monitoring sensitive data locations, companies can ensure that it remains secure and confidential. Additionally, monitoring sensitive data locations allows for quick response times in case of a security breach or other malicious activity.
This article covers the most important information about AWS Macie, a fully-managed data security service that uses Machine Learning and pattern matching to automatically discover, classify, and protect sensitive data in AWS.
Table of Contents
What is Amazon Macie?
Amazon Macie is a fully-managed data security service that uses Machine Learning and pattern matching to automatically discover, classify, and protect sensitive data in AWS. It provides an automated way to discover sensitive data stored across Amazon Simple Storage Service (Amazon S3) buckets.
It helps with sensitive data discovery in the vast amounts of data across many S3 buckets. In case of sensitive data findings, for example, Personally Identifiable Information (PII), Macie can send an alert or notify EventBridge to start complex automated remediation workflows.
Sensitive data discovery workflow
Amazon Macie is a regional AWS service that analyzes data stored in Amazon S3 buckets. In case of any finding, Macie notifies Amazon EventBridge from where the event might be processed by any of the EventBridge rule targets, such as AWS Lambda, SNS, SQS, API Gateway, Step Functions, Kinesis, or even 3-rd party services.
Macie can scan your S3 buckets automatically, or you can define sensitive data discovery jobs for existing or custom identifiers.
Macie runs all sensitive data discovery jobs for each S3 bucket and returns sensitive data findings to the service. For example, Macie automatically provides an inventory of Amazon S3 buckets, including a list of unencrypted buckets, publicly accessible buckets, and buckets shared with AWS accounts outside of your AWS Organizations.
You can enable Macie and configure it by using:
- AWS Management Console
- AWS CLI
- AWS SDK
- Infrastructure as Code (IaC) solution:
- AWS CDK
Macie can be configured for organizations using AWS Landing Zone or Control Tower solutions to collect and analyze all findings centrally across all accounts in AWS Organizations. Check out the “Centralized logging and multiple-account security guardrails” for more information.
Enabling Macie in all AWS accounts across AWS Organizations is one of the recommended best practices for organizations that must comply with industry regulatory requirements.
Finally, Macie is integrated with AWS Security Hub contributing its findings to the overall security analysis of your AWS infrastructure.
Free hands-on AWS workshops
To get hands-on experience with AWS Macie, we encourage you to take the “Data Discovery and Classification with Amazon Macie” fee AWS security workshop.
Is Macie Only For S3?
Currently, Amazon Macie analyzes only data stored in Amazon S3 buckets. If you’d like to discover, classify, and protect sensitive data stored in other AWS data stores, such as Amazon RDS, Amazon DynamoDB, and Amazon Redshift, you need to export this data into the S3 bucket. Check the “Enabling data classification for Amazon RDS database with Macie” article for more information.
Is Macie A DLP?
Amazon Macie is not a Data Loss Prevention (DLP) solution, it is a security service that uses Machine Learning to automatically discover and classify data in Amazon S3 buckets that might be intentionally or unintentionally exposed by their misconfiguration.
What type of data does Amazon Macie analyze and protect?
Amazon Macie analyzes and discovers sensitive data such as credentials, personally identifiable information (PII), payment card or bank account number information, personal health information (such as health insurance or medical identification numbers), and other sensitive data types.
Amazon Macie is an essential data security service for discovering and protecting sensitive data across multiple S3 buckets in one AWS account or many AWS accounts in the entire AWS Organization. Macie’s integration with EventBridge allows us to build automated security remediation workflows and minimize data security risks.