Defining sensitive data exceptions with Amazon Macie allow lists - Amazon Macie

Defining sensitive data exceptions with Amazon Macie allow lists

With allow lists in Amazon Macie, you can define specific text and text patterns that you want Macie to ignore when it inspects Amazon Simple Storage Service (Amazon S3) objects for sensitive data. These are typically sensitive data exceptions for your particular scenarios or environment. If data matches text or a text pattern in an allow list, Macie doesn’t report the data, even if the data matches the criteria of a managed data identifier or a custom data identifier. By using allow lists, you can refine your analysis of Amazon S3 data and reduce noise.

You can create and use two types of allow lists in Macie:

  • Predefined text – For this type of list, you specify certain character sequences to ignore—for example, the names of public representatives for your organization, specific phone numbers, or specific sample data that your organization uses for testing. If you use this type of list, Macie ignores text that exactly matches an entry in the list.

    This type of allow list is helpful if you want to specify words, phrases, and other kinds of character sequences that aren’t sensitive, aren’t likely to change, and don’t necessarily adhere to a common pattern.

  • Regular expression – For this type of list, you specify a regular expression (regex) that defines a text pattern to ignore—for example, public phone numbers for your organization, email addresses for your organization’s domain, or patterned sample data that your organization uses for testing. If you use this type of list, Macie ignores text that completely matches the pattern defined by the list.

    This type of allow list is helpful if you want to specify text that isn’t sensitive but varies or is likely to change while also adhering to a common pattern.

After you create an allow list, you can create and configure sensitive data discovery jobs to use it, or add it to your automated sensitive data discovery settings. Macie then uses the list when it analyzes data. If Macie finds text that matches an entry or pattern in an allow list, Macie doesn’t report that occurrence of text in sensitive data findings, statistics, and other types of results.
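As an added illustration (not Macie's own code or API), the following Python models the two matching rules described above: a predefined-text entry must equal the detected text exactly, and a regular-expression entry must match the detected text completely, not just a substring of it. The phone-number detector standing in for a custom data identifier, the sample object text, and the allow-list entries are all constructed for this example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Pattern, Set

# Constructed stand-in for a custom data identifier: a US-style phone number.
PHONE_DETECTOR = re.compile(r"\b\d{3}-\d{3}-\d{4}\b")


@dataclass
class AllowLists:
    predefined_text: Set[str] = field(default_factory=set)      # exact text to ignore
    regexes: List[Pattern] = field(default_factory=list)        # patterns to ignore

    def allows(self, detected: str) -> bool:
        """True if an allow list covers this detection, so it should not be reported."""
        if detected in self.predefined_text:          # predefined text: exact match only
            return True
        # Regex entries suppress a detection only when they match the WHOLE detected
        # text, so fullmatch is used rather than search (a partial hit is not enough).
        return any(rx.fullmatch(detected) for rx in self.regexes)


def find_sensitive(content: str, allow: AllowLists) -> List[str]:
    """Detections that survive the allow lists, i.e. what would appear in findings."""
    return [m.group(0) for m in PHONE_DETECTOR.finditer(content)
            if not allow.allows(m.group(0))]


# Constructed object text: public press-office numbers, a QA fixture, and one real number.
OBJECT_TEXT = (
    "Press office: 555-010-0000 or 555-010-0042.\n"
    "QA fixture: 000-000-0000\n"
    "Customer callback: 212-555-1234\n"
)

# Constructed allow lists: one known test value, one pattern for the org's public numbers.
ALLOW = AllowLists(
    predefined_text={"000-000-0000"},
    regexes=[re.compile(r"555-010-\d{4}")],
)

if __name__ == "__main__":
    print(find_sensitive(OBJECT_TEXT, AllowLists()))  # everything, no allow lists
    print(find_sensitive(OBJECT_TEXT, ALLOW))         # only the customer number
```

Running it shows that only the customer number remains reportable once the allow lists are applied, and that a regex such as `555-010` on its own would not suppress `555-010-0000` because it does not match the complete detection.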

You can create and use allow lists in all the AWS Regions where Macie is currently available except the Asia Pacific (Osaka) Region.