Macie automates the discovery of sensitive data, such as personally identifiable information (PII) and financial data, to give you a better understanding of the data stored in Amazon Simple Storage Service by your organisation (Amazon S3). Macie also keeps an inventory of your S3 buckets and automatically evaluates and monitors them for security and access control. Macie can identify and report overly permissive or unencrypted buckets for your organisation in minutes.
If Macie detects sensitive data or potential issues with your data's security or privacy, it generates detailed findings for you to review and correct as needed. These findings can be reviewed and analysed directly in Macie, or they can be monitored and processed using other services, applications, and systems.
Features of Amazon Macie
Here are some of the key ways Amazon Macie can assist you in discovering, monitoring, and protecting sensitive data stored in Amazon S3.
Automate the discovery of sensitive data
Macie allows you to automate sensitive data discovery and reporting in two ways: by configuring Macie to perform automated sensitive data discovery and by creating and running sensitive data discovery jobs. Macie generates a sensitive data finding for you if it detects sensitive data in an S3 object. The discovery includes a detailed report on the sensitive data discovered by Macie.
Automated sensitive data discovery provides comprehensive visibility into the location of sensitive data in your Amazon S3 data estate. With this option, Macie evaluates your S3 bucket inventory on a regular basis and employs sampling techniques to identify and select representative S3 objects in your buckets. Macie then retrieves and inspects the selected objects for sensitive data.
Sensitive data discovery jobs offer more in-depth, targeted analysis. This option allows you to define the breadth and depth of the analysis—the S3 buckets to analyse, the sampling depth, and custom include and exclude criteria derived from S3 object properties. You can also set a job to run only once for on-demand analysis and assessment, or to run on a regular basis for periodic analysis and assessment.
Discover a variety of sensitive data types
Macie can analyse objects in S3 buckets using built-in criteria and techniques such as machine learning and pattern matching to discover sensitive data. These criteria and techniques, known as managed data identifiers, are capable of detecting a large and expanding list of sensitive data types for many countries and regions, including multiple types of personally identifiable information (PII), financial data, and credentials data.
Custom data identifiers can also be used. A custom data identifier is a set of criteria you define to detect sensitive data, including a regular expression (regex) that defines a text pattern to match and, optionally, character sequences and a proximity rule to refine the results. You can use this type of identifier to detect sensitive data that reflects your specific scenarios, intellectual property, or proprietary data, and supplement the managed data identifiers provided by Macie.
Allow lists can be used to fine-tune the analysis. Allow lists define specific text and text patterns that you want Macie to ignore in S3 objects, such as the names of your organization's public representatives, public phone numbers, or sample data that your organisation uses for testing.
Evaluate and monitor data for security and access control
When you enable Macie, it generates and begins maintaining a complete inventory of your S3 buckets, as well as evaluating and monitoring the buckets for security and access control. If Macie detects a potential problem with a bucket's security or privacy, it generates a policy finding for you.
A dashboard, in addition to specific findings, provides a snapshot of aggregated statistics for your Amazon S3 data. This includes statistics indicating how many of your buckets are public, shared with other AWS accounts, or do not encrypt objects by default. You can review the supporting data by drilling down on each statistic.
Macie also offers detailed information and statistics for each S3 bucket in your inventory. This information includes breakdowns of a bucket's public access and encryption settings, as well as the size and number of objects Macie can analyse in order to detect sensitive data in the bucket. You can browse the inventory or sort and filter it by specific fields. When you select a bucket, a panel with the bucket's details appears.
Review and analyze findings
A finding in Macie is a detailed report of sensitive data that Macie detects in an S3 object or a potential policy-related issue with an S3 bucket's security or privacy. Each discovery includes a severity rating, information about the affected resource, and additional information, such as when and how Macie discovered the problem.
The Amazon Macie console's Findings pages can be used to review, analyse, and manage findings. These pages list your findings and provide details on each one. They also offer numerous options for grouping, filtering, sorting, and suppressing results. You can also query, retrieve, and suppress results using the Amazon Macie API. You can use the API to send data to another application, service, or system for further analysis, long-term storage, or reporting.
Monitor and process findings with other services and systems
Macie publishes findings to Amazon EventBridge as finding events to facilitate integration with other services and systems. EventBridge is a serverless event bus service that can route findings data to AWS Lambda functions and Amazon Simple Notification Service (Amazon SNS) topics, among other things. You can monitor and process findings in near real time as part of your existing security and compliance workflows with EventBridge.
You can instruct Macie to publish findings to AWS Security Hub as well. Security Hub is a service that provides a comprehensive view of your AWS security posture and assists you in comparing your environment to security industry standards and best practises. With Security Hub, you can more easily monitor and process your findings as part of a broader AWS security posture analysis.
Centrally manage multiple Macie accounts
If your AWS environment contains multiple accounts, you can centrally manage Macie for those accounts. You can accomplish this in two ways: integrate Macie with AWS Organizations or send membership invitations directly from Macie.
A designated Macie administrator can perform certain tasks and access certain Macie settings, data, and resources for accounts that are members of the same organisation in a multiple-account configuration. Reviewing information about S3 buckets owned by member accounts, reviewing policy findings for those buckets, and discovering sensitive data in the buckets are among the tasks. If the accounts are linked via AWS Organizations, the Macie administrator can also enable Macie for the organization's member accounts.
Develop and manage resources programmatically
You can interact with Macie in addition to the Amazon Macie console by using the Amazon Macie API, which provides comprehensive, programmatic access to your Macie account and resources.
To develop and manage resources with the Amazon Macie API, send HTTPS requests directly to Macie or use the most recent version of an AWS command line tool or an AWS SDK. AWS provides tools and SDKs that include libraries and sample code for a variety of languages and platforms, including PowerShell, Java, Go, Python, C++, and.NET.
Accessing Amazon Macie
Amazon Macie is available in the majority of AWS Regions. See Amazon Macie endpoints and quotas in the AWS General Reference for a list of Regions where Macie is currently available. See Managing AWS Regions in the AWS General Reference for more information on AWS Regions.
You can collaborate with Macie in any of the following ways in each Region.
AWS Management Console
The AWS Management Console is a browser-based interface for creating and managing AWS resources. The Amazon Macie console is a component of that console that gives you access to your Macie account and resources. You can use the Macie console to perform any Macie task, including reviewing statistics and other information about your S3 buckets, running sensitive data discovery jobs, reviewing and analysing findings, and more.
AWS command line tools
You can use AWS command line tools to perform Macie and AWS tasks from your system's command line. Using the command line instead of the console can be faster and more convenient. If you want to create scripts that perform tasks, the command line tools are also useful.
The AWS Command Line Interface (AWS CLI) and the AWS Tools for PowerShell are two sets of command line tools provided by AWS. The AWS Command Line Interface User Guide contains information on installing and using the AWS CLI. The AWS Tools for PowerShell User Guide contains information on installing and using the Tools for PowerShell.
AWS offers SDKs that include libraries and sample code for a variety of programming languages and platforms, including Java, Go, Python, C++, and.NET. The SDKs allow easy programmatic access to Macie and other AWS services. They also handle tasks like cryptographically signing requests, managing errors, and automatically retrying requests. See Tools to Build on AWS for information on installing and using the AWS SDKs.
Amazon Macie REST API
The Amazon Macie REST API allows you to access your Macie account and resources programmatically. You can send HTTPS requests directly to Macie using this API. In contrast to the AWS command line tools and SDKs, however, using this API requires your application to handle low-level details such as generating a hash to sign a request. See the Amazon Macie API Reference for more information on this API.
Pricing for Amazon Macie
Amazon Macie, like other AWS products, has no contracts or minimum commitments.
Macie pricing is based on three dimensions: evaluating and monitoring S3 buckets for security and access control, monitoring S3 objects for automated sensitive data discovery, and analysing S3 objects for sensitive data discovery and reporting. Macie provides estimated usage costs for your account to help you understand and forecast the cost of using Macie. These estimates are available on the Amazon Macie console and via the Amazon Macie API.
Depending on how you use the service, you may incur additional costs if you use other AWS services in conjunction with certain Macie features, such as retrieving bucket data from Amazon S3 and decrypting objects for analysis using customer managed AWS KMS keys.
When you first enable Macie, your AWS account is automatically enrolled in a 30-day free trial of Macie. Individual accounts that are enabled as part of an organisation in AWS Organizations are included. Using Macie in the applicable AWS Region to evaluate and monitor your Amazon S3 data for security and access control is free during the free trial. The free trial also includes automated sensitive data discovery, which includes monitoring and evaluating your S3 bucket inventory to identify S3 objects that are eligible for analysis, analysing up to 150 GB of uncompressed data in selected objects, and reporting statistics, data, and other types of results.
Macie provides you with estimated usage costs based on your use of Macie during the trial to help you understand and forecast the cost of using Macie after the free trial ends. Your usage data also indicates how much time is left before your free trial expires. This data is accessible via the Amazon Macie console and the Amazon Macie API.
Consider using the following AWS services in conjunction with Amazon Macie to further secure your data, workloads, and applications in AWS.
AWS Security Hub
AWS Security Hub provides a comprehensive view of the security state of your AWS resources and assists you in comparing your AWS environment to industry security standards and best practises. It accomplishes this in part by consuming, aggregating, organising, and prioritising your security findings from various AWS services (including Macie) and AWS Partner Network (APN) products. Security Hub analyses your security trends and identifies the most critical security issues in your AWS environment.
See the AWS Security Hub User Guide for more information on Security Hub. See Amazon Macie integration with AWS Security Hub for more information on combining Macie and Security Hub.
Amazon GuardDuty is a security monitoring service that analyses and processes specific types of AWS logs, such as Amazon S3 CloudTrail data event logs and CloudTrail management event logs. It employs machine learning and threat intelligence feeds, such as lists of malicious IP addresses and domains, to detect unexpected and potentially unauthorised and malicious activity within your AWS environment.