It is important to monitor the location of sensitive data to protect it from unauthorized access, misuse, or destruction. By tracking and monitoring sensitive data locations, companies can ensure that it remains secure and confidential. Additionally, monitoring sensitive data locations allows for quick response times in case of a security breach or other malicious activity.

This article covers the most important information about AWS Macie. This fully managed data security service uses Machine Learning and pattern matching to automatically discover, classify, and protect sensitive data in AWS.

What is Amazon Macie?

Amazon Macie is a fully managed data security service that uses Machine Learning and pattern matching to automatically discover, classify, and protect sensitive data in AWS. It provides an automated way to discover sensitive data stored across Amazon Simple Storage Service (Amazon S3) buckets.

It helps with sensitive data discovery across the vast amounts of data held in many S3 buckets. When it finds sensitive data, for example Personally Identifiable Information (PII), Macie can raise an alert or publish the finding to EventBridge to start automated remediation workflows.

Sensitive data discovery workflow

Amazon Macie is a regional AWS service that analyzes data stored in Amazon S3 buckets. For every finding, Macie notifies Amazon EventBridge, from where the event can be processed by any EventBridge rule target, such as AWS Lambda, SNS, SQS, API Gateway, Step Functions, Kinesis, or even third-party services.

AWS Macie - Workflow

Macie can scan your S3 buckets automatically, or you can define sensitive data discovery jobs that use Macie's built-in (managed) data identifiers or your own custom data identifiers.

Macie runs the sensitive data discovery jobs against each S3 bucket in scope and reports the resulting sensitive data findings. Independently of those jobs, Macie automatically maintains an inventory of your Amazon S3 buckets, including a list of unencrypted buckets, publicly accessible buckets, and buckets shared with AWS accounts outside of your AWS Organization.
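As an added example (not code from the article or from AWS), here is a Lambda-style handler in Python that triages a Macie finding delivered by an EventBridge rule and decides on a remediation action. The sample event, the bucket name, and the decision thresholds are constructed assumptions modelled on the "Macie Finding" event shape.

```python
"""Triage an Amazon Macie finding delivered through EventBridge.

Added example, not from the original article. The event below is a
constructed, trimmed sample; field names are assumptions based on the
documented "Macie Finding" event shape.
"""
import json

# Constructed sample: an EventBridge event wrapping a Macie classification finding.
SAMPLE_EVENT = {
    "source": "aws.macie",
    "detail-type": "Macie Finding",
    "detail": {
        "type": "SensitiveData:S3Object/Personal",
        "category": "CLASSIFICATION",
        "severity": {"description": "High", "score": 3},
        "resourcesAffected": {
            "s3Bucket": {"name": "example-data-lake",
                         "publicAccess": {"effectivePermission": "PUBLIC"}},
            "s3Object": {"key": "exports/customers.csv"},
        },
        "classificationDetails": {"result": {"sensitiveData": [
            {"category": "PERSONAL_INFORMATION", "totalCount": 42,
             "detections": [{"type": "USA_SOCIAL_SECURITY_NUMBER", "count": 42}]}
        ]}},
    },
}


def triage_finding(event):
    """Return a remediation decision for one Macie finding event.

    Decision rules are ours (assumed policy), not Macie's: quarantine when a
    High-severity classification finding lands in a publicly readable bucket,
    notify for Medium and above, otherwise just log; ignore non-Macie events.
    """
    if event.get("source") != "aws.macie" or event.get("detail-type") != "Macie Finding":
        return {"action": "ignore", "reason": "not a Macie finding"}
    d = event["detail"]
    bucket = d["resourcesAffected"]["s3Bucket"]
    key = d["resourcesAffected"].get("s3Object", {}).get("key")
    score = d["severity"]["score"]
    public = bucket.get("publicAccess", {}).get("effectivePermission") == "PUBLIC"
    # Flatten the detected sensitive data types for the notification payload.
    detections = [det["type"]
                  for sd in d.get("classificationDetails", {}).get("result", {}).get("sensitiveData", [])
                  for det in sd.get("detections", [])]
    if d.get("category") == "CLASSIFICATION" and score >= 3 and public:
        action = "quarantine"   # e.g. block public access, then page the owner
    elif score >= 2:
        action = "notify"       # e.g. publish to an SNS topic
    else:
        action = "log"
    return {"action": action, "bucket": bucket["name"], "key": key,
            "severity": d["severity"]["description"], "detections": detections}


def lambda_handler(event, context=None):
    """Lambda entry point for an EventBridge rule whose source is aws.macie."""
    decision = triage_finding(event)
    print(json.dumps(decision))  # stands in for the SNS publish / S3 policy update
    return decision
```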

You can enable Macie and configure it by using:

  • AWS Management Console
  • AWS CLI
  • AWS SDK
  • Infrastructure as Code (IaC) solution:
    • Terraform
    • CloudFormation
    • AWS CDK

Macie can be configured for organizations using the AWS Landing Zone or Control Tower solutions to collect and analyze all findings centrally across all accounts in AWS Organizations. Check out the “Centralized logging and multiple-account security guardrails” article for more information.

Enabling Macie in all AWS accounts across AWS Organizations is one of the recommended best practices for organizations that must comply with industry regulatory requirements.

Finally, Macie is integrated with AWS Security Hub contributing its findings to the overall security analysis of your AWS infrastructure.

Free hands-on AWS workshops

To get hands-on experience with AWS Macie, we encourage you to take the “Data Discovery and Classification with Amazon Macie” free AWS security workshop.

Summary

Amazon Macie is an essential data security service for discovering and protecting sensitive data across multiple S3 buckets in one AWS account or many AWS accounts in the entire AWS Organization. Macie’s integration with EventBridge allows us to build automated security remediation workflows and minimize data security risks.