Reviewing data sensitivity details for individual S3 buckets - Amazon Macie

Reviewing data sensitivity details for individual S3 buckets

On the Amazon Macie console, you can use the details panel on the S3 buckets page to review statistics and other information about individual Amazon Simple Storage Service (Amazon S3) buckets that Macie monitors and analyzes for your account. If you're the Macie administrator for an organization, this includes S3 buckets that your member accounts own.

The statistics and information include details that provide insight into the security and privacy of an S3 bucket’s data. If automated sensitive data discovery is enabled for your account, they also capture the results of automated sensitive data discovery activities that Macie has performed thus far for a bucket. For example, you can find a list of objects that Macie has analyzed in a bucket, and a breakdown of the types and number of occurrences of sensitive data that Macie has found in a bucket. Note that the data doesn't include the results of sensitive data discovery jobs that you've created and run.

Macie automatically recalculates and updates these statistics and details while performing automated sensitive data discovery for your account. For example:

  • If Macie doesn't find sensitive data in an S3 object, Macie decreases the bucket's sensitivity score and updates the bucket's sensitivity label as necessary. Macie also adds the object to the list of objects that it's analyzed in the bucket.

  • If Macie finds sensitive data in an S3 object, Macie adds those occurrences to the breakdown of sensitive data types that Macie has found in the bucket. Macie also increases the bucket's sensitivity score and updates the bucket's sensitivity label as necessary. In addition, Macie adds the object to the list of objects that it's analyzed in the bucket. These tasks are in addition to creating a sensitive data finding for the object.

  • If Macie finds sensitive data in an S3 object that's subsequently changed or deleted, Macie removes sensitive data occurrences for that object from the bucket's breakdown of sensitive data types. Macie also decreases the bucket's sensitivity score and updates the bucket's sensitivity label as necessary. In addition, Macie removes the object from the list of objects that it's analyzed in the bucket.

  • If Macie attempts to analyze an S3 object but an issue or error prevents Macie from doing so, Macie adds the object to the list of objects that it's analyzed in the bucket, and indicates that it wasn't able to analyze the object.

In addition to reviewing statistics and details, you can use the panel to adjust the automated sensitive data discovery settings for an S3 bucket. For example, you can include or exclude specific types of sensitive data from a bucket's score. For more information, see Managing automated discovery for individual S3 buckets.

To review data sensitivity details for an S3 bucket
  1. Open the Amazon Macie console at https://console.aws.amazon.com/macie/.

  2. In the navigation pane, choose S3 buckets. The S3 buckets page displays an interactive map of your bucket inventory. Optionally choose table ( The table view button, which is a button that contains three black horizontal lines ) at the top of the page to display your inventory in tabular format instead.

  3. In the S3 buckets map or table, choose the name of the S3 bucket whose details you want to review. The details panel displays statistics and other information about the bucket.

The top of the panel shows general information about the bucket: the bucket's name, and the account ID for the AWS account that owns the bucket. It also provides options for changing certain automated sensitive data discovery settings for the bucket. Additional settings and information about the bucket are organized into the following tabs:

Individual settings and information on each tab are as follows.

Sensitivity

This tab shows the bucket's current sensitivity score, ranging from -1 to 100. For information about the range of sensitivity scores that Macie defines, see Sensitivity scoring for S3 buckets.

The tab also provides a breakdown of the types of sensitive data that Macie has found in the bucket's objects, and the number of occurrences of each type:

  • Sensitive data type – The unique identifier (ID) for the managed data identifier that detected the data, or the name of the custom data identifier that detected the data.

    A managed data identifier's ID describes the type of sensitive data that the identifier is designed to detect—for example, USA_PASSPORT_NUMBER for US passport numbers. For details about each managed data identifier, see Using managed data identifiers.

  • Count – The total number of occurrences of the data that the managed or custom data identifier detected.

  • Scoring status – Specifies whether occurrences of the data are included or excluded from the bucket's sensitivity score.

    If you configured Macie to calculate the bucket's score automatically, you can adjust the calculation by including or excluding specific types of sensitive data from the bucket's score: select the check box for the data identifier that you want to include or exclude, and then choose the option that you want on the Actions menu. For more information, see Managing automated discovery for individual S3 buckets.

If Macie hasn't found sensitive data in objects that the bucket currently stores, this section shows the No detections found message.

Note that the Sensitivity tab doesn't include data for objects that Macie analyzed and were subsequently changed or deleted. If objects are changed or deleted from a bucket after Macie analyzes them, Macie automatically recalculates and updates the appropriate statistics and data to exclude the objects.

Bucket details

This tab provides details about the bucket's settings, including data security and privacy settings. For example, you can review breakdowns of the bucket’s public access settings, and determine whether the bucket replicates objects or is shared with other AWS accounts.

Of special note, the Last updated field indicates when Macie most recently retrieved metadata from Amazon S3 for the bucket or the bucket’s objects. The Latest automated discovery run field indicates when Macie most recently analyzed objects in the bucket while performing automated discovery.

The tab also provides object-level statistics that can help you assess how much data Macie can analyze in the bucket. It also indicates whether any sensitive data discovery jobs are configured to analyze objects in the bucket. If there are, you can access details about the job that ran most recently and then optionally display any findings that the job produced.

For additional details about the information on this tab, see Reviewing the details of S3 buckets.

Object samples

This tab lists objects that Macie has analyzed in the bucket while performing automated sensitive data discovery. Optionally choose an object's name to open the Amazon S3 console and display the object's properties.

The list includes data for up to 100 objects. The list is populated based on the value for the Object sensitivity field: Sensitive, followed by Not Sensitive, followed by objects that Macie wasn't able to analyze.

In the list, the Object sensitivity field indicates whether Macie found sensitive data in an object:

  • Sensitive – Macie found at least one occurrence of sensitive data in the object.

  • Not sensitive – Macie didn't find sensitive data in the object.

  • (dash) – Macie wasn't able to complete its analysis of the object due to an issue or error.

The Classification result field indicates whether Macie was able to analyze an object:

  • Complete – Macie completed its analysis of the object.

  • Partial – Macie analyzed only a subset of data in the object due to an issue or error. For example, the object is an archive file that contains files in an unsupported format.

  • Skipped – Macie wasn't able to analyze any data in the object due to an issue or error. For example, the object is encrypted with a key that Macie isn't allowed to use.

Note that the list doesn't include objects that were changed or deleted after Macie analyzed or attempted to analyze them. Macie automatically removes an object from the list if the object is subsequently changed or deleted.

Sensitive data discovery

This tab provides aggregated, automated sensitive data discovery statistics for the bucket:

  • Analyzed bytes – The total amount of data, in bytes, that Macie has analyzed in the bucket.

  • Classifiable bytes – The total storage size, in bytes, of all the objects that Macie can analyze in the bucket. These objects use supported Amazon S3 storage classes and they have file name extensions for supported file or storage formats. For more information, see Supported storage classes and formats.

  • Total detections – The total number of occurrences of sensitive data that Macie has found in the bucket. This includes occurrences that are currently suppressed by the sensitivity scoring settings for the bucket.

The Objects analyzed chart indicates the total number of objects that Macie has analyzed in the bucket. It also provides a visual representation of the number of objects that Macie did or didn't find sensitive data in. The legend below the chart shows a breakdown of these results:

  • Sensitive objects (red) – The total number of objects that Macie found at least one occurrence of sensitive data in.

  • Not sensitive objects (blue) – The total number of objects that Macie didn't find sensitive data in.

  • Objects skipped (dark gray) – The total number of objects that Macie wasn't able to analyze due to an issue or error.

The area below the chart's legend provides a breakdown of cases where Macie wasn't able to analyze objects because certain types of permissions issues or cryptographic errors occurred:

  • Skipped: Invalid encryption – The total number of objects that are encrypted with customer-provided keys. Macie can't access these keys.

  • Skipped: Invalid KMS – The total number of objects that are encrypted with AWS Key Management Service (AWS KMS) keys that are no longer available. These objects are encrypted with AWS KMS keys that were disabled, are scheduled for deletion, or were deleted. Macie can't use these keys.

  • Skipped: Permission denied – The total number of objects that Macie isn't allowed to access due to the permissions settings for the object, or the permissions settings for the key that was used to encrypt the object.

For details about these and other types of issues and errors that can occur, see Remediating coverage issues for automated sensitive data discovery. If you remediate the issues and errors, you can increase coverage of the bucket's data during subsequent analysis cycles.

Statistics on the Sensitive data discovery tab don't include data for objects that were changed or deleted after Macie analyzed or attempted to analyze them. If objects are changed or deleted from a bucket after Macie analyzes or attempts to analyze them, Macie automatically recalculates these statistics to exclude the objects.