Welcome - Amazon Macie


Amazon Macie is a fully managed data security and data privacy service that uses machine learning and pattern matching to help you discover, monitor, and protect sensitive data in your AWS environment.

Macie automates the discovery of sensitive data, such as personally identifiable information (PII) and financial information, to provide you with a better understanding of the data that your organization stores in Amazon Simple Storage Service (Amazon S3). Macie also provides you with an inventory of your S3 buckets, and it automatically evaluates and monitors those buckets for security and access control. If Macie detects sensitive data or potential issues with the security or privacy of your data, it creates detailed findings for you to review and remediate as necessary.

This guide, the Amazon Macie REST API Reference, provides information about the Amazon Macie API. This includes supported resources, HTTP methods, parameters, and schemas. If you're new to Macie, you might find it helpful to also review the Amazon Macie User Guide. The Amazon Macie User Guide explains key concepts and provides procedures that demonstrate how to use Macie features. It also provides information about topics such as integrating Macie with other AWS services.

In addition to interacting with Macie by making RESTful calls to the Amazon Macie API, you can use a current version of an AWS command line tool or SDK. AWS provides tools and SDKs that consist of libraries and sample code for various languages and platforms, such as PowerShell, Java, Go, Python, C++, and .NET. These tools and SDKs provide convenient, programmatic access to Macie and other AWS services. They also handle tasks such as signing requests, managing errors, and retrying requests automatically. For information about installing and using the AWS tools and SDKs, see Tools to Build on AWS.

Finding regional endpoints

The Amazon Macie API is available in most AWS Regions and it provides an endpoint for each of these Regions. For a list of Regions and endpoints where the API is currently available, see Amazon Macie endpoints and quotas in the Amazon Web Services General Reference. To learn more about AWS Regions, see Managing AWS Regions in the Amazon Web Services General Reference.

When you send a request to the Amazon Macie API, the request applies only to the AWS Region that’s currently active for your AWS account or specified in the request. If your request submits changes to configuration or other settings for your account, the changes apply only to that Region. To make the same changes in other Regions, send the request in each additional Region that you want to apply the changes to.

Managing multiple accounts

If your AWS environment has multiple accounts, you can associate the Amazon Macie accounts in your environment and centrally manage them as an organization in Macie. To do this, designate a single Macie account as the Macie administrator account and associate other Macie accounts with it as member accounts. You can do this in two ways: by using AWS Organizations or by sending membership invitations from Macie. We recommend using AWS Organizations to manage multiple accounts.

If you're a user of a Macie administrator account, you can access certain Macie settings, data, and resources for member accounts. You can also run classification jobs to detect sensitive data in S3 buckets that member accounts own.

If you're a user of a member account, you can access Macie settings, data, and resources only for your own account. For this reason, you might not be able to use certain operations of the Amazon Macie API.

For detailed information about the primary tasks that administrator and member accounts can perform, see Managing multiple accounts in the Amazon Macie User Guide.

Signing requests

When you send an HTTPS request to the Amazon Macie API, you have to sign the request by using your AWS access key, which consists of an access key ID and a secret access key. For everyday work with Macie, we strongly recommend that you not use the access key ID and secret access key for your root AWS account. Instead, use the access key ID and secret access key for an AWS Identity and Access Management (IAM) user. You can also use the AWS Security Token Service to generate temporary security credentials that you can use to sign requests. All Amazon Macie operations require Signature Version 4.

For more information about using credentials and signing requests, see the following resources:

  • AWS security credentials – This section of the Amazon Web Services General Reference provides information about the types of credentials that can be used to access AWS.

  • Temporary security credentials in IAM – This section of the IAM User Guide describes how to create and use temporary security credentials.

  • Signing AWS API requests – This section of the Amazon Web Services General Reference explains and guides you through the process of signing a request using an access key ID and secret access key.
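The following Python function, added here as an illustration and not code from this guide or from an AWS SDK, carries out the Signature Version 4 computation described above for a request to a regional Macie endpoint. It also shows why the earlier note about Regions matters for signing: the credential scope binds every signature to a single date, Region and service. The host name, the service name "macie2", the path "/macie" and all credential values are assumptions or constructed sample values, not taken from this page.

```python
import hashlib
import hmac
from urllib.parse import quote


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def sign_request(method, host, path, query, body, region, access_key, secret_key,
                 amz_date, session_token=None, service="macie2"):
    """Return the headers (including Authorization) for a SigV4-signed request.

    amz_date is the request timestamp in ISO 8601 basic form, e.g. 20240501T101500Z.
    The service name "macie2" is an assumption; confirm it against the endpoint list.
    """
    date_stamp = amz_date[:8]
    # Task 1: canonical request. Header names are lowercased and sorted. When the
    # request uses temporary credentials from AWS STS, the session token travels
    # in x-amz-security-token and must itself be one of the signed headers.
    headers = {"host": host, "x-amz-date": amz_date}
    if session_token:
        headers["x-amz-security-token"] = session_token
    signed_headers = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k]}\n" for k in sorted(headers))
    canonical_query = "&".join(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
                               for k, v in sorted(query.items()))
    payload_hash = hashlib.sha256(body).hexdigest()  # empty body for a GET
    canonical_request = "\n".join([method, quote(path, safe="/-_.~"), canonical_query,
                                   canonical_headers, signed_headers, payload_hash])
    # Task 2: string to sign. The scope ties the signature to one day, one Region
    # and one service, so a signature made for us-east-1 is not valid for any
    # other regional endpoint.
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    # Task 3: derive the signing key from the secret access key through the scope
    # chain; the secret key itself never appears in the request.
    k_date = _hmac_sha256(("AWS4" + secret_key).encode(), date_stamp)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, service)
    k_signing = _hmac_sha256(k_service, "aws4_request")
    # Task 4: sign and assemble the Authorization header.
    signature = hmac.new(k_signing, string_to_sign.encode(), hashlib.sha256).hexdigest()
    headers["authorization"] = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                                f"SignedHeaders={signed_headers}, Signature={signature}")
    return headers
```

Pass the returned dictionary as the HTTP headers of the request; the signature must be recomputed for every request because the timestamp is part of it.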

Logging API calls

Amazon Macie integrates with AWS CloudTrail, which is a service that provides a record of actions that were taken in Macie by a user, a role, or another AWS service. This includes actions that were performed using the Amazon Macie console and programmatic calls to Amazon Macie operations.

By using the information collected by CloudTrail, you can determine which requests were sent to Macie successfully. For each request, you can identify when it was made, the IP address from which it was made, who made it, and additional details. To learn more about CloudTrail, see the AWS CloudTrail User Guide.
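As an added example (not part of this guide), the following Python code reads the kind of CloudTrail record described above and extracts, for each Macie API call, when it was made, from which IP address, by whom, and whether it succeeded. It also flags calls made with root credentials, which the signing section advises against. The records are constructed sample data, and the Macie event source name "macie2.amazonaws.com" is an assumption.

```python
import json
from collections import Counter

# Constructed sample CloudTrail log (not real data). The eventSource value for
# Macie is assumed; check it against your own trail before relying on it.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2024-05-01T10:15:00Z", "eventSource": "macie2.amazonaws.com",
     "eventName": "GetMacieSession", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "macie-operator"}},
    {"eventTime": "2024-05-01T10:16:00Z", "eventSource": "macie2.amazonaws.com",
     "eventName": "CreateClassificationJob", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "Root"}},
    {"eventTime": "2024-05-01T10:17:00Z", "eventSource": "macie2.amazonaws.com",
     "eventName": "ListFindings", "awsRegion": "eu-west-1",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/Analyst/alice"},
     "errorCode": "AccessDenied"},
    {"eventTime": "2024-05-01T10:18:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "macie-operator"}},
]})


def actor(identity: dict) -> str:
    """Best-effort readable caller name from a CloudTrail userIdentity block."""
    return identity.get("userName") or identity.get("arn") or identity.get("type", "unknown")


def macie_calls(trail_json: str) -> list:
    """Keep only Macie API calls, with the who/when/where details CloudTrail records."""
    records = json.loads(trail_json)["Records"]
    return [
        {"time": r["eventTime"], "region": r["awsRegion"], "action": r["eventName"],
         "ip": r["sourceIPAddress"], "actor": actor(r["userIdentity"]),
         "root": r["userIdentity"].get("type") == "Root",
         "ok": "errorCode" not in r}  # a record with errorCode is a failed call
        for r in records if r["eventSource"] == "macie2.amazonaws.com"
    ]


def review(trail_json: str) -> dict:
    """Summarise successful and failed Macie calls, root-credential use and source IPs."""
    calls = macie_calls(trail_json)
    return {
        "succeeded": [c["action"] for c in calls if c["ok"]],
        "failed": [(c["action"], c["actor"]) for c in calls if not c["ok"]],
        "root_usage": [(c["time"], c["action"], c["ip"]) for c in calls if c["root"]],
        "by_ip": dict(Counter(c["ip"] for c in calls)),
    }
```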