Welcome - Amazon Macie

Amazon Macie is a fully managed data security and data privacy service that uses machine learning and pattern matching to help you discover, monitor, and protect your sensitive data in AWS.

Macie automates the discovery of sensitive data, such as personally identifiable information (PII) and financial information, to provide you with a better understanding of the data that your organization stores in Amazon Simple Storage Service (Amazon S3). Macie also provides you with an inventory of your Amazon S3 buckets, and it automatically evaluates and monitors those buckets for security and access control. If Macie detects sensitive data or potential issues with the security or privacy of your data, it creates detailed findings for you to review and remediate as necessary.

This guide, the Amazon Macie REST API Reference, provides information about the Amazon Macie API. This includes supported resources, HTTP methods, parameters, and schemas. If you're new to Macie, you might find it helpful to also review the Amazon Macie User Guide. The Amazon Macie User Guide explains key concepts and provides procedures that demonstrate how to use Macie features. It also provides information about topics such as integrating Macie with other AWS services.

In addition to interacting with Macie by making RESTful calls to the Amazon Macie API, you can use a current version of an AWS command line tool or SDK. AWS provides tools and SDKs that consist of libraries and sample code for various languages and platforms, such as PowerShell, Java, Go, Python, C++, and .NET. These tools and SDKs provide convenient, programmatic access to Macie and other AWS services. They also handle tasks such as signing requests, managing errors, and retrying requests automatically. For information about installing and using the AWS tools and SDKs, see Tools to Build on AWS.

Finding regional endpoints

The Amazon Macie API is available in most AWS Regions and it provides an endpoint for each of these Regions. For a list of Regions and endpoints where the API is currently available, see Amazon Macie endpoints and quotas in the Amazon Web Services General Reference. To learn more about AWS Regions, see Managing AWS Regions in the Amazon Web Services General Reference.

When you send a request to the Amazon Macie API, the request applies only to the AWS Region that’s currently active for your account or specified in the request. If your request submits changes to configuration or other settings for your account, the changes apply only to that Region. To make the same changes in other Regions, send the request to each additional Region that you want to apply the changes to.

Managing multiple accounts

You can centrally manage multiple accounts in Amazon Macie. To do this, you designate a single AWS account as the master account for Macie. You then associate other AWS accounts with the master account as member accounts. You can do this in two ways: by using AWS Organizations, or by sending membership invitations directly from Amazon Macie.

If you're a user of a master account, you can view and manage certain Macie resources for your own account and all of its member accounts. You can also perform certain administrative tasks and choose certain settings for all the accounts.

If you're a user of a member account, you can view and manage Macie resources only for your own account. You can't view or otherwise access Macie resources for other member accounts or the master account. For this reason, you might not be able to use certain operations of the Amazon Macie API.

For detailed information about the primary tasks that master and member accounts can perform, see Managing multiple accounts in the Amazon Macie User Guide.

Signing requests

When you send an HTTPS request to the Amazon Macie API, you have to sign the request by using your AWS access key, which consists of an access key ID and a secret access key. For everyday work with Macie, we strongly recommend that you not use the access key ID and secret key for your AWS root account. Instead, use the access key ID and secret access key for an AWS Identity and Access Management (IAM) user. You can also use the AWS Security Token Service to generate temporary security credentials that you can use to sign requests. All Amazon Macie operations require Signature Version 4.

For more information about using credentials and signing requests, see the following resources:

  • AWS security credentials – This section of the AWS General Reference provides information about the types of credentials that can be used to access AWS.

  • Temporary security credentials – This section of the IAM User Guide describes how to create and use temporary security credentials.

  • Signing AWS API requests – This section of the AWS General Reference explains and guides you through the process of signing a request using an access key ID and secret access key.
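The following is an added example of the Signature Version 4 process the section above refers to, written here for illustration; it is not code from the Macie API Reference or from an AWS SDK. It builds the canonical request, derives the signing key from the secret access key, and produces the Authorization header, with support for the extra header that temporary credentials from AWS STS require. Assumptions: the service name "macie2" and the host pattern "macie2.<region>.amazonaws.com" are assumed, and the request path, credentials and timestamp used in the demo are constructed placeholders.

```python
# Added example: minimal AWS Signature Version 4 signer for a Macie API request.
# Not code from the Macie API Reference or an AWS SDK. Assumptions: service name
# "macie2", host "macie2.<region>.amazonaws.com"; path/credentials/timestamp in
# the demo are constructed placeholders.
import datetime
import hashlib
import hmac
from urllib.parse import quote

ALGORITHM = "AWS4-HMAC-SHA256"


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def amz_timestamp(now=None) -> str:
    """UTC time in the x-amz-date format (YYYYMMDD'T'HHMMSS'Z')."""
    now = now or datetime.datetime.now(datetime.timezone.utc)
    return now.strftime("%Y%m%dT%H%M%SZ")


def canonical_request(method, path, query, headers, payload):
    """Build the SigV4 canonical request.

    `query` holds unencoded parameters; `headers` uses lowercase names and must
    include host and x-amz-date. Returns (canonical_request, signed_headers).
    """
    canonical_query = "&".join(
        f"{quote(k, safe='')}={quote(v, safe='')}" for k, v in sorted(query.items())
    )
    signed_headers = ";".join(sorted(headers))
    # each header is "name:value\n" with runs of whitespace in the value collapsed
    canonical_headers = "".join(
        f"{name}:{' '.join(headers[name].split())}\n" for name in sorted(headers)
    )
    creq = "\n".join([
        method.upper(),
        quote(path, safe="/"),
        canonical_query,
        canonical_headers,  # already ends in "\n", which yields the required blank line
        signed_headers,
        _sha256_hex(payload),  # hash of the body; SHA-256 of b"" for GET requests
    ])
    return creq, signed_headers


def sign_request(access_key, secret_key, region, method, path, query=None,
                 payload=b"", amz_date=None, session_token=None,
                 service="macie2", host=None):
    """Return the headers (host, x-amz-date, [x-amz-security-token], authorization)
    that make an HTTPS request acceptable to a SigV4 endpoint."""
    query = query or {}
    amz_date = amz_date or amz_timestamp()
    host = host or f"{service}.{region}.amazonaws.com"  # assumed endpoint pattern
    date_stamp = amz_date[:8]
    headers = {"host": host, "x-amz-date": amz_date}
    if session_token:
        # temporary credentials from AWS STS carry their token in this signed header
        headers["x-amz-security-token"] = session_token
    creq, signed_headers = canonical_request(method, path, query, headers, payload)
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join([ALGORITHM, amz_date, scope,
                                _sha256_hex(creq.encode("utf-8"))])
    # signing key: an HMAC chain over date, region, service and the terminator,
    # so the secret access key itself is never used directly on the wire
    k_date = _hmac_sha256(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, service)
    k_signing = _hmac_sha256(k_service, "aws4_request")
    signature = hmac.new(k_signing, string_to_sign.encode("utf-8"),
                         hashlib.sha256).hexdigest()
    headers["authorization"] = (
        f"{ALGORITHM} Credential={access_key}/{scope}, "
        f"SignedHeaders={signed_headers}, Signature={signature}"
    )
    return headers


if __name__ == "__main__":
    # constructed placeholder credentials and path; never embed real keys in code
    demo = sign_request("AKIAIOSFODNN7EXAMPLE", "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
                        "us-east-1", "GET", "/findings", {"maxResults": "5"},
                        amz_date="20240101T000000Z")
    for name, value in demo.items():
        print(f"{name}: {value}")
```

Two details matter in practice: the signature covers the date, so a request is only valid for a short window around its x-amz-date, and the signed header set is fixed at signing time, so anything a proxy adds later is not covered. When you use temporary credentials, the session token must be both sent and signed, which is why it is added to `headers` before the canonical request is built.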

Logging API calls

Amazon Macie integrates with AWS CloudTrail, which is a service that provides a record of actions that were taken in Macie by a user, a role, or another AWS service. This includes actions that were performed using the Macie console and programmatic calls to Amazon Macie API operations.

By using the information collected by CloudTrail, you can determine which requests were successfully sent to Macie. For each request, you can identify when it was made, the IP address from which it was made, who made it, and additional details. To learn more about CloudTrail, see the AWS CloudTrail User Guide.
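As an added example of using those CloudTrail records (illustration code written here, not part of the Macie documentation or of CloudTrail), the script below reads a CloudTrail log file, keeps only the Macie API calls, and reports for each one when it was made, from which IP address, and by whom, then separates configuration changes from denied attempts. Assumptions: the eventSource value "macie2.amazonaws.com" is assumed, and the records, IP addresses, account id and operation names in the sample are constructed.

```python
# Added example: triage Macie API activity from CloudTrail records. Illustration
# code, not part of the Macie documentation. Assumptions: the CloudTrail
# eventSource for Macie is taken to be "macie2.amazonaws.com"; the records below
# (actors, IPs, account id, operation names) are constructed samples.
import json
from collections import Counter

MACIE_EVENT_SOURCE = "macie2.amazonaws.com"  # assumed eventSource value

# Constructed sample in the CloudTrail log-file layout ("Records" envelope).
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2024-01-01T10:00:00Z", "eventSource": "macie2.amazonaws.com",
     "eventName": "ListFindings", "awsRegion": "us-east-1", "readOnly": True,
     "sourceIPAddress": "198.51.100.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/analyst"}},
    {"eventTime": "2024-01-01T10:05:00Z", "eventSource": "macie2.amazonaws.com",
     "eventName": "UpdateMacieSession", "awsRegion": "us-east-1", "readOnly": False,
     "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/Admin/session"}},
    {"eventTime": "2024-01-01T10:06:00Z", "eventSource": "macie2.amazonaws.com",
     "eventName": "UpdateMacieSession", "awsRegion": "eu-west-1", "readOnly": False,
     "sourceIPAddress": "203.0.113.7", "errorCode": "AccessDeniedException",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/analyst"}},
    {"eventTime": "2024-01-01T10:07:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "awsRegion": "us-east-1", "readOnly": True,
     "sourceIPAddress": "198.51.100.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/analyst"}},
]})


def macie_events(trail_json):
    """Return one flattened dict per Macie API call found in a CloudTrail log file."""
    events = []
    for rec in json.loads(trail_json).get("Records", []):
        if rec.get("eventSource") != MACIE_EVENT_SOURCE:
            continue  # calls to other services are out of scope here
        identity = rec.get("userIdentity", {})
        events.append({
            "time": rec.get("eventTime"),
            "region": rec.get("awsRegion"),
            "operation": rec.get("eventName"),
            "actor": identity.get("arn") or identity.get("type", "unknown"),
            "source_ip": rec.get("sourceIPAddress"),
            # treat a missing readOnly flag as a possible change rather than hide it
            "mutating": rec.get("readOnly") is not True,
            "error": rec.get("errorCode"),
        })
    return events


def review(events):
    """Summarise the activity the way an incident responder would want it:
    call volume per actor, successful configuration changes, and failed calls."""
    return {
        "calls_per_actor": dict(Counter(e["actor"] for e in events)),
        "changes": [e for e in events if e["mutating"] and not e["error"]],
        "failures": [e for e in events if e["error"]],
    }


if __name__ == "__main__":
    summary = review(macie_events(SAMPLE_TRAIL))
    print(json.dumps(summary, indent=2))
```

Because settings apply per Region, the `region` field is kept on every event; a configuration change that appears in an unexpected Region, or a denied attempt at a change followed by a successful one from another principal, is exactly the pattern the summary is meant to surface.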