Adjusting sensitivity scores for S3 buckets - Amazon Macie

Adjusting sensitivity scores for S3 buckets

As you review and evaluate statistics, data, and other results of automated sensitive data discovery, there might be cases where you want to fine-tune sensitivity assessments of your Amazon Simple Storage Service (Amazon S3) buckets. You might also want to capture the results of investigations that you or your organization performs for specific buckets. If you're the Macie administrator for an organization or you have a standalone Macie account, you can make these changes by adjusting sensitivity scores and other settings for individual buckets. If you have a member account in an organization, work with your Macie administrator to adjust the settings for buckets that you own. Only the Macie administrator for your organization can adjust these settings for your buckets.

If you're a Macie administrator or you have a standalone Macie account, you can adjust the settings for an S3 bucket in the following ways.

Assign a sensitivity score

By default, Amazon Macie automatically calculates a bucket's sensitivity score. The score is based primarily on the amount of sensitive data that Macie has found in a bucket, and the amount of data that Macie has analyzed in a bucket. For more information, see Sensitivity scoring for S3 buckets.

You can override a bucket's calculated score and manually assign the maximum score (100), which also applies the Sensitive label to the bucket. If you do this, Macie continues to perform automated sensitive data discovery for the bucket. However, subsequent analyses don't affect the bucket's score. To have Macie calculate the score automatically again, turn the setting off again.

Exclude or include types of sensitive data in the sensitivity score

If it's calculated automatically, a bucket's sensitivity score is based partly on the amount of sensitive data that Macie has found in the bucket. This derives primarily from the nature and number of sensitive data types that Macie has found, and the number of occurrences of each type. By default, Macie includes occurrences of all types of sensitive data when it calculates a bucket's score.

You can adjust the calculation by excluding or including specific types of sensitive data in a bucket's score. For example, if Macie detected mailing addresses in a bucket and you determine that this is acceptable, you can exclude all occurrences of mailing addresses from the bucket's score. If you exclude a sensitive data type, Macie continues to inspect the bucket for that type of data and to report occurrences that it finds. However, those occurrences don't affect the bucket's score. To include a sensitive data type in the score again, change the setting back.

You can also exclude an S3 bucket from subsequent analyses. If you exclude a bucket, existing sensitive data discovery statistics and details for the bucket persist. For example, the bucket's current sensitivity score remains unchanged. However, Macie stops analyzing objects in the bucket when it performs automated sensitive data discovery. After you exclude a bucket, you can include it again later.

To adjust the settings for an S3 bucket

To adjust the sensitivity score or other settings for an S3 bucket, you can use the Amazon Macie console or the Amazon Macie API. To adjust a setting programmatically, use the following operations: UpdateResourceProfile, to assign a score to a bucket; UpdateResourceProfileDetections, to exclude or include sensitive data types in a bucket's score; and UpdateClassificationScope, to exclude or include a bucket in subsequent analyses.
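The three operations above driven from Python, as an added example that is not part of the AWS documentation. It assumes a boto3 `macie2` client that the caller creates and passes in (so the request builders run offline and the exact requests can be logged before they are sent); the classification scope ID is looked up rather than hard-coded.

```python
# Added example, not from the AWS documentation. Request builders for the three
# Macie operations named above; the boto3 "macie2" client is injected by the caller.

MANAGED, CUSTOM = "MANAGED", "CUSTOM"

def bucket_arn(bucket_name: str) -> str:
    # The resource-profile operations identify a bucket by its ARN.
    return f"arn:aws:s3:::{bucket_name}"

def assign_max_score_request(bucket_name: str) -> dict:
    # UpdateResourceProfile: override the calculated score with 100, which also
    # applies the Sensitive label; later analyses no longer move the score.
    return {"resourceArn": bucket_arn(bucket_name), "sensitivityScoreOverride": 100}

def exclude_types_request(bucket_name: str, managed_ids=(), custom_ids=()) -> dict:
    # UpdateResourceProfileDetections: every identifier whose detections should
    # be left out of the score (assumption: the list replaces the current
    # exclusions, so an empty list includes all types again).
    ids = [{"id": i, "type": MANAGED} for i in managed_ids]
    ids += [{"id": i, "type": CUSTOM} for i in custom_ids]
    return {"resourceArn": bucket_arn(bucket_name), "suppressDataIdentifiers": ids}

def exclude_buckets_request(scope_id: str, bucket_names, include_again=False) -> dict:
    # UpdateClassificationScope: ADD names to the exclusion list, or REMOVE them
    # to put the buckets back into subsequent analyses.
    op = "REMOVE" if include_again else "ADD"
    return {"id": scope_id,
            "s3": {"excludes": {"bucketNames": sorted(bucket_names), "operation": op}}}

def classification_scope_id(client) -> str:
    # An account has a single classification scope; look its ID up.
    scopes = client.list_classification_scopes()["classificationScopes"]
    if len(scopes) != 1:
        raise RuntimeError(f"expected one classification scope, got {len(scopes)}")
    return scopes[0]["id"]

def record_review(client, bucket_name, accepted_managed_ids=(), stop_analysis=False):
    # Capture a review outcome: accepted data types (e.g. USA_PASSPORT_NUMBER)
    # stop counting toward the score, and a bucket that needs no further scanning
    # is excluded. Returns the requests sent so they can be kept with the review.
    sent = [exclude_types_request(bucket_name, accepted_managed_ids)]
    client.update_resource_profile_detections(**sent[0])
    if stop_analysis:
        sent.append(exclude_buckets_request(classification_scope_id(client), [bucket_name]))
        client.update_classification_scope(**sent[1])
    return sent
```

With a real client, `record_review(boto3.client("macie2"), "my-bucket", ["USA_PASSPORT_NUMBER"])` sends the requests; the console shows the result in the bucket's Detections table.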

To adjust a setting by using the console, follow these steps.

  1. Open the Amazon Macie console at https://console.aws.amazon.com/macie/.

  2. In the navigation pane, choose S3 buckets. The S3 buckets page displays your bucket inventory.

    By default, the page doesn't display data for buckets that are currently excluded from analyses. If you're the Macie administrator for an organization, it also doesn't display data for accounts for which automated sensitive data discovery is currently disabled. To display this data, choose X in the Is monitored by automated discovery filter token below the filter box.

  3. Choose the S3 bucket that has a setting to adjust. You can choose the bucket by using the table view or the interactive map.

  4. In the details panel, do any of the following:

    • To override the calculated sensitivity score and manually assign a score, turn on Assign maximum score. This changes the bucket's score to 100 and applies the Sensitive label to the bucket.

    • To assign a sensitivity score that Macie calculates automatically, turn off Assign maximum score.

    • To exclude or include specific types of sensitive data in the sensitivity score, choose the Sensitivity tab. In the Detections table, select the check box for the sensitive data type to exclude or include. Then, on the Actions menu, choose Exclude from score to exclude the type or choose Include in score to include the type.

      In the table, the Sensitive data type field specifies the managed data identifier or custom data identifier that detected the data. For a managed data identifier, this is a unique identifier (ID) that describes the type of sensitive data that the identifier is designed to detect—for example, USA_PASSPORT_NUMBER for US passport numbers. For details about each managed data identifier, see Using managed data identifiers.

    • To exclude the bucket from subsequent analyses, turn on Exclude from automated discovery.

    • To include the bucket in subsequent analyses, if you previously excluded it, turn off Exclude from automated discovery.

If you changed a setting that affects the S3 bucket's sensitivity score, Macie immediately begins to recalculate the score. Macie also updates relevant statistics and other information that it provides about the bucket and your Amazon S3 data overall. For example, if you assign the maximum score to a bucket, Macie increments the count of Sensitive buckets in aggregated statistics for your account or organization.