# Macie
## What is Amazon Macie?
Amazon Macie is a fully managed data security and data privacy service that uses machine learning and pattern matching to:
- Discover sensitive data stored in AWS (primarily in Amazon S3 buckets).
- Classify and protect that data by identifying personally identifiable information (PII), intellectual property, or other sensitive content.
- Provide visibility into data security risks.
- Alert on suspicious activity, such as data access anomalies or policy violations.
## Key Features
| Feature | Description |
|---|---|
| Automated Data Discovery | Automatically scans S3 buckets to identify sensitive data |
| Data Classification | Uses ML and pattern matching to classify PII, financial data, credentials, etc. |
| Custom Data Identifiers | Define custom patterns to detect proprietary or specific data |
| Sensitive Data Dashboard | Visualizes where sensitive data resides and its risk posture |
| Security and Compliance Alerts | Integrates with AWS Security Hub, CloudWatch Events for alerting on policy violations or unusual access |
| Data Access Monitoring | Detects anomalous or unauthorized data access |
| Integration with AWS Services | Works with AWS CloudTrail, S3, Security Hub, and more |
## How Amazon Macie Works
- Setup: You enable Macie in your AWS account and specify which S3 buckets to monitor.
- Discovery & Classification: Macie scans the buckets automatically or on demand, analyzing the data with machine learning models and pattern matching.
- Findings: Macie generates findings that detail sensitive data locations, security issues, or anomalous access.
- Alerts and Remediation: Findings are sent to Security Hub, CloudWatch Events, or SNS to trigger alerts or remediation workflows.
## Supported Data Types
- Personally Identifiable Information (PII), e.g., names, addresses, Social Security numbers
- Financial data such as credit card numbers and bank account numbers
- Credentials (API keys, passwords)
- Intellectual property or sensitive business documents
- Custom data types defined by user patterns
## Use Cases
| Use Case | Description |
|---|---|
| Data Privacy Compliance | Helps comply with regulations like GDPR, HIPAA by discovering PII |
| Data Security Posture | Continuous monitoring to prevent accidental exposure or leaks |
| Risk Management | Identify sensitive data exposure risk and prioritize remediation |
| Incident Response | Detect anomalous data access indicating compromise or insider threats |
| Data Governance | Maintain an inventory of sensitive data across your S3 environment |
## Pricing
- Charged based on:
  - Amount of data scanned (GB/month).
  - Number of data classification jobs.
  - Number of custom data identifiers used.
- Pricing varies by region; see the official Amazon Macie pricing page for details.
## Integration with Other AWS Security Services
| Service | Integration Purpose |
|---|---|
| AWS Security Hub | Centralizes Macie findings with other security findings |
| Amazon CloudWatch | Monitor Macie findings and trigger alarms or workflows |
| AWS CloudTrail | Provides audit logs for Macie activity and access events |
| AWS Lambda | Automate remediation actions based on Macie findings |
| Amazon S3 | Direct integration for data scanning and monitoring |
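The "Alerts and Remediation" step above and the Lambda row in this table describe findings driving automated remediation. The following is an added example (not code from this page or from AWS) of a Lambda-style handler that triages one Macie finding delivered through EventBridge and decides which actions to take; it assumes the Macie finding JSON field names (`severity.description`, `resourcesAffected.s3Bucket.publicAccess.effectivePermission`, `classificationDetails.result.sensitiveData[].category`) and uses a constructed sample event.

```python
# Added example (not AWS's code): Lambda-style triage of a Macie finding from EventBridge.
# Field names follow the Macie finding JSON; SAMPLE_EVENT below is constructed.

SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3}  # Macie severity descriptions

def is_public_bucket(finding):
    """True when the affected bucket's effective permission is PUBLIC."""
    bucket = finding.get("resourcesAffected", {}).get("s3Bucket", {})
    return bucket.get("publicAccess", {}).get("effectivePermission") == "PUBLIC"

def sensitive_categories(finding):
    """Categories (e.g. CREDENTIALS, PERSONAL_INFORMATION) the classification result reports."""
    result = finding.get("classificationDetails", {}).get("result", {})
    return {entry.get("category") for entry in result.get("sensitiveData", [])}

def triage(finding):
    """Return (priority, actions) for one Macie finding dict."""
    rank = SEVERITY_RANK.get(finding.get("severity", {}).get("description"), 0)
    actions = []
    if is_public_bucket(finding):
        actions.append("block-public-access")  # exposure first, whatever the severity
    if "CREDENTIALS" in sensitive_categories(finding):
        actions.append("rotate-credentials")   # a leaked secret stays usable until rotated
    priority = "P1" if rank >= 3 or actions else ("P2" if rank == 2 else "P3")
    actions.append("notify-security-hub")
    return priority, actions

def handler(event, context=None):
    """EventBridge entry point: triage only 'Macie Finding' events from aws.macie."""
    if event.get("source") != "aws.macie" or event.get("detail-type") != "Macie Finding":
        return {"ignored": True}
    priority, actions = triage(event["detail"])
    return {"ignored": False, "priority": priority, "actions": actions}

# Constructed sample event (not a real finding): credentials discovered in a public bucket.
SAMPLE_EVENT = {
    "source": "aws.macie",
    "detail-type": "Macie Finding",
    "detail": {
        "type": "SensitiveData:S3Object/Credentials",
        "severity": {"description": "High", "score": 3},
        "resourcesAffected": {"s3Bucket": {
            "name": "example-bucket", "publicAccess": {"effectivePermission": "PUBLIC"}}},
        "classificationDetails": {"result": {"sensitiveData": [
            {"category": "CREDENTIALS", "totalCount": 2}]}},
    },
}
```

In a real deployment the action names returned by `triage` would map to calls such as updating the bucket's public access block or opening a ticket; the handler keeps the decision logic separate so it can be tested without AWS access.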
## Getting Started with Amazon Macie
- Enable Macie via the AWS Management Console, CLI, or SDK.
- Configure the S3 buckets to monitor.
- Set up data classification jobs (automatic or on-demand).
- Review Macie findings in the Console or via Security Hub.
- Define custom data identifiers if needed.
- Set up alerts and automate remediation workflows.
## Sample AWS CLI Commands
Enable Macie in your AWS account:
Create a one-time classification job for an S3 bucket (the job definition is single-quoted so the shell does not brace-expand the `{...,...}` shorthand):
```bash
aws macie2 create-classification-job \
  --job-type ONE_TIME \
  --name "ScanSensitiveDataJob" \
  --s3-job-definition 'bucketDefinitions=[{accountId=123456789012,buckets=[my-sensitive-data-bucket]}]'
```
List Macie findings:
Get details on a finding: