
What is Amazon Macie?

Amazon Macie is a fully managed data security and data privacy service that uses machine learning and pattern matching to help you discover, monitor, and protect your sensitive data in AWS.

Macie automates the discovery of sensitive data, such as personally identifiable information (PII) and financial data, to provide you with a better understanding of the data that your organization stores in Amazon Simple Storage Service (Amazon S3). Macie also provides you with an inventory of your S3 buckets, and it automatically evaluates and monitors those buckets for security and access control. Within minutes, Macie can identify and report overly permissive or unencrypted buckets for your organization.

If Macie detects sensitive data or potential issues with the security or privacy of your data, it creates detailed findings for you to review and remediate as necessary. You can review and analyze these findings directly in Macie, or monitor and process them by using other services, applications, and systems.

Features of Amazon Macie

Here are some of the key ways that you can use Amazon Macie to discover, monitor, and protect your sensitive data in Amazon S3.

Automate the discovery of sensitive data

With Macie, you can automate discovery and reporting of sensitive data by creating and running sensitive data discovery jobs. A sensitive data discovery job analyzes objects in S3 buckets to determine whether they contain sensitive data. If Macie detects sensitive data in an object, it creates a sensitive data finding for you.

You can configure a job to run only once, for on-demand analysis and assessment, or on a recurring basis for periodic analysis, assessment, and monitoring. You can also choose various options to control the breadth and depth of a job's analysis—the S3 buckets that you want to analyze, the sampling depth, and custom include and exclude criteria that derive from properties of S3 objects. With these scheduling and scope options, you can build and maintain a comprehensive view of the data that you store in Amazon S3 and any security or compliance risks for that data.

Discover a variety of sensitive data types

When you run a sensitive data discovery job, Macie automatically uses built-in criteria and techniques, such as machine learning and pattern matching, to analyze objects in S3 buckets. These techniques and criteria, referred to as managed data identifiers, can detect a large and growing list of sensitive data types for many countries and regions, including multiple types of personally identifiable information (PII), personal health information (PHI), and financial data.

You can supplement managed data identifiers by creating custom data identifiers. A custom data identifier is a set of criteria that you define—a regular expression (regex) that defines a text pattern to match and, optionally, character sequences and a proximity rule that refine the results. With this type of identifier, you can detect sensitive data that reflects your particular scenarios, intellectual property, or proprietary data, such as customer account numbers or internal data classifications.
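The following is an added example, not Macie's own matching engine: a local Python model of how a custom data identifier's refinement rules combine (regex, keywords that must precede a match, ignore words, and the maximum match distance between the end of a keyword and the end of the match). The `ACCT-` account number format, the class name and the sample text are constructed for illustration; the rule semantics are an assumption based on the documented behaviour.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class CustomDataIdentifier:
    """Local model of a Macie custom data identifier (assumption: it mirrors the
    documented regex/keyword/ignore-word/proximity rules; not Macie's own engine)."""
    regex: str
    keywords: tuple = ()              # at least one must precede a match (case-insensitive)
    ignore_words: tuple = ()          # a match containing one of these is discarded (case-sensitive)
    maximum_match_distance: int = 50  # max chars from end of a keyword to end of the match

    def detect(self, text: str) -> list:
        """Return (offset, matched_text) pairs that survive every refinement rule."""
        lowered = text.lower()
        results = []
        for m in re.finditer(self.regex, text):
            matched = m.group(0)
            if any(w in matched for w in self.ignore_words):
                continue
            if self.keywords and not self._keyword_precedes(lowered, m.start(), m.end()):
                continue
            results.append((m.start(), matched))
        return results

    def _keyword_precedes(self, lowered: str, match_start: int, match_end: int) -> bool:
        # A complete keyword must end before the match starts, and the span from the
        # keyword's end to the match's end must fit within maximum_match_distance.
        for keyword in self.keywords:
            kw = keyword.lower()
            pos = lowered.find(kw)
            while pos != -1:
                kw_end = pos + len(kw)
                if kw_end <= match_start and match_end - kw_end <= self.maximum_match_distance:
                    return True
                pos = lowered.find(kw, pos + 1)
        return False


# Hypothetical internal customer account number format; every value below is constructed.
ACCOUNT_NUMBER_ID = CustomDataIdentifier(
    regex=r"ACCT-\d{8}",
    keywords=("account", "acct no"),
    ignore_words=("ACCT-00000000",),  # documented placeholder value, never real data
)

SAMPLE_TEXT = (
    "Customer account: ACCT-12345678 was opened in March 2023.\n"  # keyword precedes: reported
    "Reference ACCT-87654321 has no keyword nearby.\n"             # nearest keyword too far: dropped
    "Account placeholder ACCT-00000000 used in tests.\n"           # ignore word: dropped
)
```

Running `ACCOUNT_NUMBER_ID.detect(SAMPLE_TEXT)` reports only the first account number; dropping the keywords and ignore words from the identifier shows how much noise the refinement rules remove.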

Evaluate and monitor data for security and access control

When you enable Macie, it immediately generates and begins maintaining a complete inventory of your S3 buckets, and it begins evaluating and monitoring those buckets for security and access control. If Macie detects a potential issue with the security or privacy of the data, it creates a policy finding for you.

In addition to specific findings, a dashboard gives you a snapshot of aggregated statistics for your buckets. This includes statistics that indicate how many of your buckets are publicly accessible, shared with other AWS accounts, or don’t encrypt objects by default. You can drill down on each statistic to view the supporting data.

Macie also provides you with detailed information and statistics for individual buckets in your inventory. This data includes breakdowns of a bucket’s public access and encryption settings, and the size and number of objects that Macie can analyze to detect sensitive data in the bucket. You can browse the inventory, or sort and filter the inventory by certain fields. When you choose a bucket, a panel displays the bucket’s details.

Review and analyze findings

In Macie, a finding is a detailed report of sensitive data in an S3 object or a potential policy-related issue with the security or privacy of an S3 bucket. Each finding provides a severity rating, information about the affected resource, and additional details, such as when and how Macie found the issue.

To review, analyze, and manage findings, you can use the Findings pages on the Amazon Macie console. These pages list your findings and provide the details of individual findings. They also provide multiple options for grouping, filtering, sorting, and suppressing findings. You can also use the Amazon Macie API to query, retrieve, and suppress findings. If you use the API, you can pass the data to another application, service, or system for deeper analysis, long-term storage, or reporting.

Monitor and process findings with other services and systems

To support integration with other services and systems, Macie publishes findings to Amazon EventBridge as finding events. EventBridge is a serverless event bus service that can route findings data to targets such as AWS Lambda functions and Amazon Simple Notification Service (Amazon SNS) topics. With EventBridge, you can monitor and process findings in near real time as part of your existing security and compliance workflows.
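As an added example of the EventBridge-to-Lambda path described above (not code from the Macie documentation), the hypothetical handler below reduces a finding event to the fields a responder needs and decides whether to page on-call. The event is constructed; the field names are assumed to follow Macie's finding JSON, and `summarize_finding`, `should_page` and `lambda_handler` are names chosen here.

```python
# Constructed Macie finding event as EventBridge delivers it (assumption: the field
# names follow Macie's published finding JSON; every value here is made up).
SAMPLE_EVENT = {
    "source": "aws.macie",
    "detail-type": "Macie Finding",
    "detail": {
        "id": "EXAMPLE-FINDING-ID",
        "category": "CLASSIFICATION",  # "POLICY" for bucket security/access findings
        "type": "SensitiveData:S3Object/Personal",
        "severity": {"score": 3, "description": "High"},
        "resourcesAffected": {
            "s3Bucket": {"name": "example-bucket", "publicAccess": {"effectivePermission": "NOT_PUBLIC"}},
            "s3Object": {"key": "exports/customers.csv"},
        },
        "classificationDetails": {"result": {"sensitiveData": [
            {"category": "PERSONAL_INFORMATION", "totalCount": 12,
             "detections": [{"type": "NAME", "count": 7}, {"type": "EMAIL_ADDRESS", "count": 5}]},
        ]}},
    },
}


def summarize_finding(event: dict) -> dict:
    """Reduce a finding event to the fields an on-call responder needs."""
    detail = event["detail"]
    bucket = detail["resourcesAffected"]["s3Bucket"]
    summary = {
        "id": detail["id"],
        "category": detail["category"],
        "type": detail["type"],
        "severity": detail["severity"]["description"],
        "bucket": bucket["name"],
        "public": bucket.get("publicAccess", {}).get("effectivePermission") == "PUBLIC",
        "detections": {},  # sensitive data type -> total count across result blocks
    }
    if detail["category"] == "CLASSIFICATION":
        summary["object_key"] = detail["resourcesAffected"]["s3Object"]["key"]
        for block in detail["classificationDetails"]["result"]["sensitiveData"]:
            for det in block["detections"]:
                summary["detections"][det["type"]] = summary["detections"].get(det["type"], 0) + det["count"]
    return summary


def should_page(summary: dict) -> bool:
    # Page for High severity, or for any finding on a publicly accessible bucket.
    return summary["severity"] == "High" or summary["public"]


def lambda_handler(event: dict, context=None) -> dict:
    """Hypothetical Lambda target of an EventBridge rule matching source aws.macie."""
    summary = summarize_finding(event)
    summary["page_oncall"] = should_page(summary)
    return summary
```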

Macie also publishes policy findings to AWS Security Hub. Security Hub is a service that provides a comprehensive view of your security posture across your AWS environment, and helps you check your environment against security industry standards and best practices. With Security Hub, you can more easily monitor and process your policy findings as part of a broader analysis of your organization's security posture in AWS.

Centrally manage multiple Macie accounts

If your AWS environment has multiple accounts, you can centrally manage multiple Macie accounts as a single organization. You can do this by using AWS Organizations or by sending membership invitations from Macie.

In a multiple-account configuration, a single Macie administrator can perform certain tasks and manage certain settings for accounts that are members of the same organization. Tasks include viewing information about S3 buckets that are owned by member accounts, viewing policy findings for those buckets, and running sensitive data discovery jobs to detect sensitive data in those buckets. If the accounts are associated through AWS Organizations, the Macie administrator can also enable Macie for member accounts in the organization.

Develop and manage resources programmatically

In addition to the Amazon Macie console, you can interact with Macie by using the Amazon Macie API. The Amazon Macie API gives you comprehensive, programmatic access to your Macie account and resources.

To develop and manage resources with the Amazon Macie API, you can send HTTPS requests directly to Macie, or use a current version of an AWS command line tool or an AWS SDK. AWS provides tools and SDKs that consist of libraries and sample code for various languages and platforms, such as PowerShell, Java, Go, Python, C++, and .NET.

Accessing Amazon Macie

Amazon Macie is available in most AWS Regions. For a list of Regions where Macie is currently available, see Amazon Macie endpoints and quotas in the Amazon Web Services General Reference. To learn more about AWS Regions, see Managing AWS Regions in the Amazon Web Services General Reference.

In each Region, you can work with Macie in any of the following ways.

AWS Management Console

The AWS Management Console is a browser-based interface that you can use to create and manage AWS resources. As part of that console, the Amazon Macie console provides access to your Macie account and resources. You can perform any Macie task by using the Macie console—review statistics and other information about your S3 buckets, run sensitive data discovery jobs, review and analyze findings, and more.

AWS command line tools

With AWS command line tools, you can issue commands at your system's command line to perform Macie tasks and AWS tasks. Using the command line can be faster and more convenient than using the console. The command line tools are also useful if you want to build scripts that perform tasks.

AWS provides two sets of command line tools: the AWS Command Line Interface (AWS CLI) and the AWS Tools for PowerShell. For information about installing and using the AWS CLI, see the AWS Command Line Interface User Guide. For information about installing and using the Tools for PowerShell, see the AWS Tools for PowerShell User Guide.

AWS SDKs

AWS provides SDKs that consist of libraries and sample code for various programming languages and platforms—for example, Java, Go, Python, C++, and .NET. The SDKs provide convenient, programmatic access to Macie and other AWS services. They also handle tasks such as cryptographically signing requests, managing errors, and retrying requests automatically. For information about installing and using the AWS SDKs, see Tools to Build on AWS.

Amazon Macie REST API

The Amazon Macie REST API gives you comprehensive, programmatic access to your Macie account and resources. With this API, you can send HTTPS requests directly to Macie. However, unlike the AWS command line tools and SDKs, use of this API requires your application to handle low-level details such as generating a hash to sign a request. For information about this API, see the Amazon Macie API Reference.

Pricing for Amazon Macie

As with other AWS products, there are no contracts or minimum commitments for using Amazon Macie.

Macie pricing is based primarily on two dimensions—evaluating and monitoring S3 buckets for security and access control, and analyzing S3 objects to discover and report sensitive data in those objects. To help you understand and forecast the cost of using Macie, Macie provides estimated usage costs for your account. You can view these estimates on the Amazon Macie console or access them through the Amazon Macie API.

Depending on how you use the service, you might incur additional costs for using other AWS services in combination with certain Macie features, such as retrieving bucket data from Amazon S3 and using customer-managed AWS KMS customer master keys to decrypt objects for analysis. For more information, see Amazon Macie pricing.

When you enable Macie for the first time, your AWS account is automatically enrolled in the 30-day free trial of Macie. This includes accounts that are enabled as part of an AWS organization. During the free trial, there’s no charge for Macie to evaluate and monitor your S3 data for security and access control. Note that the free trial doesn't include running sensitive data discovery jobs to discover and report sensitive data in S3 objects.

To help you understand and forecast the cost of using Macie after the free trial ends, Macie provides you with estimated usage costs based on your use of Macie during the trial. Your usage data also indicates the amount of time that remains before your free trial ends.

To further secure your data, workloads, and applications in AWS, consider using the following AWS services in combination with Amazon Macie.

AWS Security Hub

AWS Security Hub gives you a comprehensive view of the security state of your AWS resources, and helps you check your AWS environment against security industry standards and best practices. Security Hub aggregates, organizes, and prioritizes your security findings from multiple AWS services (including policy findings from Macie) and supported third-party partner products. This can help you analyze security trends to identify and prioritize security issues across your AWS environment. To learn more, see the AWS Security Hub User Guide.

Amazon GuardDuty

Amazon GuardDuty is a security monitoring service that continuously analyzes and processes certain types of AWS logs, such as AWS CloudTrail data event logs for Amazon S3 and CloudTrail management event logs. It uses threat intelligence feeds, such as lists of malicious IP addresses and domains, and machine learning to identify unexpected and potentially unauthorized and malicious activity within your AWS environment. To learn more, see the Amazon GuardDuty User Guide.

To learn about additional AWS security services, see Security, Identity, and Compliance on AWS.