Default settings for automated sensitive data discovery - Amazon Macie

Default settings for automated sensitive data discovery

If automated sensitive data discovery is enabled, Amazon Macie automatically selects and analyzes sample objects from all the Amazon Simple Storage Service (Amazon S3) general purpose buckets that it monitors and analyzes for your account. If you're the Macie administrator for an organization, by default this includes S3 buckets that your member accounts own.

To refine the scope of the analyses, you can exclude specific S3 buckets from automated sensitive data discovery. You can do this in two ways: by changing the settings for your account, and by changing the settings for individual buckets. If you're a Macie administrator, you can also enable or disable automated sensitive data discovery for individual accounts in your organization. For more information, see Configuring automated sensitive data discovery.

By default, Macie analyzes S3 objects by using only the set of managed data identifiers that we recommend for automated sensitive data discovery. Macie doesn't use any custom data identifiers or allow lists that you've defined. To customize the analyses, you can configure Macie to use specific managed data identifiers, custom data identifiers, and allow lists. You can do this by changing the settings for your account. For more information, see Configuring automated sensitive data discovery.

Default managed data identifiers for automated sensitive data discovery

By default, Amazon Macie analyzes S3 objects by using only the set of managed data identifiers that we recommend for automated sensitive data discovery. This default set of managed data identifiers is designed to detect common categories and types of sensitive data. Based on our research, it can detect general categories and types of sensitive data while also optimizing your automated discovery results by reducing noise.

The default set is dynamic. As we release new managed data identifiers, we add them to the default set if they're likely to further optimize your automated sensitive data discovery results. Over time, we might also add or remove existing managed data identifiers from the set. Removal of a managed data identifier doesn't affect existing sensitive data discovery statistics and details for your S3 buckets. For example, if we remove the managed data identifier for a type of sensitive data that Macie previously detected in a bucket, Macie continues to report those detections for the bucket. If we add or remove a managed data identifier from the default set, we update this page to indicate the nature and timing of the change. For automatic alerts about these changes, you can subscribe to the RSS feed on the Macie document history page. Because the set can change without any action on your part, if your analyses must use a fixed, auditable set of identifiers, specify the managed data identifiers explicitly in your account settings instead of relying on the default set.

The following topics list the managed data identifiers that are currently in the default set, organized by sensitive data category and type. They specify the unique identifier (ID) for each managed data identifier in the set. This ID describes the type of sensitive data that a managed data identifier is designed to detect, for example: PGP_PRIVATE_KEY for PGP private keys and USA_PASSPORT_NUMBER for US passport numbers. If you change the automated sensitive data discovery settings for your account, you can use this ID to explicitly exclude a managed data identifier from subsequent analyses.

For details about specific managed data identifiers or a complete list of all the managed data identifiers that Macie currently provides, see Using managed data identifiers.

Credentials

To detect occurrences of credentials data in S3 objects, Macie uses the following managed data identifiers by default.

| Sensitive data type | Managed data identifier ID |
|---|---|
| AWS secret access key | AWS_CREDENTIALS |
| HTTP Basic Authorization header | HTTP_BASIC_AUTH_HEADER |
| OpenSSH private key | OPENSSH_PRIVATE_KEY |
| PGP private key | PGP_PRIVATE_KEY |
| Public Key Cryptography Standard (PKCS) private key | PKCS |
| PuTTY private key | PUTTY_PRIVATE_KEY |

Financial information

To detect occurrences of financial information in S3 objects, Macie uses the following managed data identifiers by default.

| Sensitive data type | Managed data identifier ID |
|---|---|
| Credit card magnetic stripe data | CREDIT_CARD_MAGNETIC_STRIPE |
| Credit card number | CREDIT_CARD_NUMBER (for credit card numbers in proximity of a keyword) |

Personally identifiable information (PII)

To detect occurrences of personally identifiable information (PII) in S3 objects, Macie uses the following managed data identifiers by default.

| Sensitive data type | Managed data identifier ID |
|---|---|
| Driver’s license identification number | CANADA_DRIVERS_LICENSE, DRIVERS_LICENSE (for the US), UK_DRIVERS_LICENSE |
| Electoral roll number | UK_ELECTORAL_ROLL_NUMBER |
| National identification number | FRANCE_NATIONAL_IDENTIFICATION_NUMBER, GERMANY_NATIONAL_IDENTIFICATION_NUMBER, ITALY_NATIONAL_IDENTIFICATION_NUMBER, SPAIN_DNI_NUMBER |
| National Insurance Number (NINO) | UK_NATIONAL_INSURANCE_NUMBER |
| Passport number | CANADA_PASSPORT_NUMBER, FRANCE_PASSPORT_NUMBER, GERMANY_PASSPORT_NUMBER, ITALY_PASSPORT_NUMBER, SPAIN_PASSPORT_NUMBER, UK_PASSPORT_NUMBER, USA_PASSPORT_NUMBER |
| Social Insurance Number (SIN) | CANADA_SOCIAL_INSURANCE_NUMBER |
| Social Security number (SSN) | SPAIN_SOCIAL_SECURITY_NUMBER, USA_SOCIAL_SECURITY_NUMBER |
| Taxpayer identification or reference number | AUSTRALIA_TAX_FILE_NUMBER, BRAZIL_CPF_NUMBER, FRANCE_TAX_IDENTIFICATION_NUMBER, GERMANY_TAX_IDENTIFICATION_NUMBER, SPAIN_NIE_NUMBER, SPAIN_NIF_NUMBER, SPAIN_TAX_IDENTIFICATION_NUMBER, USA_INDIVIDUAL_TAX_IDENTIFICATION_NUMBER |

Updates to the default settings for automated sensitive data discovery

The following table describes changes to the settings that Amazon Macie uses by default for automated sensitive data discovery. For automatic alerts about these changes, subscribe to the RSS feed on the Macie document history page.

| Change | Description | Date |
|---|---|---|
| Implemented a new, dynamic set of default managed data identifiers | New automated sensitive data discovery configurations are now based on a dynamic default set of managed data identifiers. If you enable automated sensitive data discovery for the first time on or after this date, your configuration is based on the dynamic set. If you enabled automated sensitive data discovery for the first time before this date, your configuration is based on a different set of managed data identifiers. For more information, see the notes after this table. | August 2, 2023 |
| General availability | Initial release of automated sensitive data discovery. | November 28, 2022 |

If you initially enabled automated sensitive data discovery prior to August 2, 2023, your configuration isn't based on the dynamic set of default managed data identifiers. Instead, it's based on a static set of managed data identifiers that we defined for the initial release of automated sensitive data discovery, as listed in the table below.

To determine when you initially enabled automated sensitive data discovery, choose Automated sensitive data discovery in the navigation pane on the Amazon Macie console, and then refer to the enabled date in the Status section. To do this programmatically, use the GetAutomatedDiscoveryConfiguration operation of the Amazon Macie API and refer to the value for the firstEnabledAt field. If the date is prior to August 2, 2023, and you want to start using the dynamic set of default managed data identifiers, contact AWS Support for assistance.
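The following script is an added example, not AWS's code and not taken from the Macie documentation. It combines the check described above (reading firstEnabledAt from GetAutomatedDiscoveryConfiguration and comparing it to August 2, 2023) with the exclusion settings discussed earlier on this page: which managed data identifier IDs and which S3 buckets the account's settings exclude, and how to add an ID to the exclusion list. GetAutomatedDiscoveryConfiguration and firstEnabledAt are named on this page; the GetSensitivityInspectionTemplate, GetClassificationScope and UpdateSensitivityInspectionTemplate operations, their boto3 method names, and the request and response field names are taken from the Macie API reference and are assumptions here. The StubMacieClient returns constructed responses so the script runs offline; the bucket name and the misspelled ID "USA_SSN" in the stub are constructed too.

```python
"""Audit an account's Amazon Macie automated sensitive data discovery settings.

Added example (not AWS's code). GetAutomatedDiscoveryConfiguration and its
firstEnabledAt field are named on the page this accompanies; the other three
operations and all field names are assumptions taken from the Macie API
reference. StubMacieClient returns constructed responses so this runs offline;
pass boto3.client("macie2") to audit() instead for a real account.
"""
from datetime import datetime, timezone

# Cutover date from the Updates table: configurations first enabled on or
# after it are based on the dynamic default set.
DYNAMIC_SET_START = datetime(2023, 8, 2, tzinfo=timezone.utc)

# The dynamic default set as listed on the page at the time of writing.
DYNAMIC_DEFAULT_SET = frozenset({
    "AWS_CREDENTIALS", "HTTP_BASIC_AUTH_HEADER", "OPENSSH_PRIVATE_KEY", "PGP_PRIVATE_KEY",
    "PKCS", "PUTTY_PRIVATE_KEY", "CREDIT_CARD_MAGNETIC_STRIPE", "CREDIT_CARD_NUMBER",
    "CANADA_DRIVERS_LICENSE", "DRIVERS_LICENSE", "UK_DRIVERS_LICENSE",
    "UK_ELECTORAL_ROLL_NUMBER", "UK_NATIONAL_INSURANCE_NUMBER",
    "FRANCE_NATIONAL_IDENTIFICATION_NUMBER", "GERMANY_NATIONAL_IDENTIFICATION_NUMBER",
    "ITALY_NATIONAL_IDENTIFICATION_NUMBER", "SPAIN_DNI_NUMBER",
    "CANADA_PASSPORT_NUMBER", "FRANCE_PASSPORT_NUMBER", "GERMANY_PASSPORT_NUMBER",
    "ITALY_PASSPORT_NUMBER", "SPAIN_PASSPORT_NUMBER", "UK_PASSPORT_NUMBER",
    "USA_PASSPORT_NUMBER", "CANADA_SOCIAL_INSURANCE_NUMBER",
    "SPAIN_SOCIAL_SECURITY_NUMBER", "USA_SOCIAL_SECURITY_NUMBER",
    "AUSTRALIA_TAX_FILE_NUMBER", "BRAZIL_CPF_NUMBER", "FRANCE_TAX_IDENTIFICATION_NUMBER",
    "GERMANY_TAX_IDENTIFICATION_NUMBER", "SPAIN_NIE_NUMBER", "SPAIN_NIF_NUMBER",
    "SPAIN_TAX_IDENTIFICATION_NUMBER", "USA_INDIVIDUAL_TAX_IDENTIFICATION_NUMBER",
})


def default_set_kind(first_enabled_at):
    """Return "dynamic" or "static" from firstEnabledAt, or None if never enabled."""
    if first_enabled_at is None:
        return None
    if first_enabled_at.tzinfo is None:  # treat a naive timestamp as UTC
        first_enabled_at = first_enabled_at.replace(tzinfo=timezone.utc)
    return "dynamic" if first_enabled_at >= DYNAMIC_SET_START else "static"


def no_op_exclusions(excluded_ids, default_set=DYNAMIC_DEFAULT_SET):
    """Excluded IDs that are not in the default set change nothing about the
    default analysis; listing them catches misspelled IDs that silently do nothing."""
    return sorted(set(excluded_ids) - set(default_set))


def merge_exclusions(template, new_ids):
    """Build kwargs for UpdateSensitivityInspectionTemplate that add new_ids to the
    template's exclusion list. The full includes and excludes are sent back so the
    update does not depend on partial-update semantics."""
    excludes = template.get("excludes", {})
    includes = template.get("includes", {})
    merged = sorted(set(excludes.get("managedDataIdentifierIds", [])) | set(new_ids))
    return {
        "id": template["sensitivityInspectionTemplateId"],
        "excludes": {"managedDataIdentifierIds": merged},
        "includes": {
            "allowListIds": list(includes.get("allowListIds", [])),
            "customDataIdentifierIds": list(includes.get("customDataIdentifierIds", [])),
            "managedDataIdentifierIds": list(includes.get("managedDataIdentifierIds", [])),
        },
    }


def audit(client):
    """Summarize which default set applies and what the account's settings exclude."""
    cfg = client.get_automated_discovery_configuration()
    report = {"status": cfg.get("status"),
              "default_set": default_set_kind(cfg.get("firstEnabledAt"))}
    if cfg.get("status") != "ENABLED":
        return report
    template = client.get_sensitivity_inspection_template(
        id=cfg["sensitivityInspectionTemplateId"])
    scope = client.get_classification_scope(id=cfg["classificationScopeId"])
    excluded = sorted(template.get("excludes", {}).get("managedDataIdentifierIds", []))
    report["excluded_managed_ids"] = excluded
    # Only meaningful against the dynamic set; static-set accounts are skipped.
    report["no_op_exclusions"] = (
        no_op_exclusions(excluded) if report["default_set"] == "dynamic" else [])
    report["excluded_buckets"] = sorted(
        scope.get("s3", {}).get("excludes", {}).get("bucketNames", []))
    return report


class StubMacieClient:
    """Constructed responses in the shape boto3's macie2 client returns (assumed)."""

    def get_automated_discovery_configuration(self):
        return {"status": "ENABLED",
                "firstEnabledAt": datetime(2024, 1, 10, tzinfo=timezone.utc),
                "sensitivityInspectionTemplateId": "tmpl-example",
                "classificationScopeId": "scope-example"}

    def get_sensitivity_inspection_template(self, id):
        # "USA_SSN" is a constructed typo of USA_SOCIAL_SECURITY_NUMBER.
        return {"sensitivityInspectionTemplateId": id,
                "excludes": {"managedDataIdentifierIds": ["CREDIT_CARD_NUMBER", "USA_SSN"]},
                "includes": {"allowListIds": [], "customDataIdentifierIds": [],
                             "managedDataIdentifierIds": []}}

    def get_classification_scope(self, id):
        return {"id": id, "s3": {"excludes": {"bucketNames": ["example-public-assets"]}}}


if __name__ == "__main__":
    for key, value in audit(StubMacieClient()).items():  # or boto3.client("macie2")
        print(f"{key}: {value}")
```

Against the stub, the report shows a dynamic-set account with "USA_SSN" flagged as a no-op exclusion; against a real account that reports "static", the IDs on this page are not the ones in effect, and the static list later on this page is the one to compare against. The request returned by merge_exclusions is what you would pass to update_sensitivity_inspection_template; the DYNAMIC_DEFAULT_SET constant has to be refreshed whenever the page's Updates table changes.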

The following table lists all the managed data identifiers that are in the static set. The table is sorted first by sensitive data category and then by sensitive data type. For details about specific managed data identifiers, see Using managed data identifiers.

| Sensitive data category | Sensitive data type | Managed data identifier ID |
|---|---|---|
| Credentials | AWS secret access key | AWS_CREDENTIALS |
| Credentials | HTTP Basic Authorization header | HTTP_BASIC_AUTH_HEADER |
| Credentials | OpenSSH private key | OPENSSH_PRIVATE_KEY |
| Credentials | PGP private key | PGP_PRIVATE_KEY |
| Credentials | Public Key Cryptography Standard (PKCS) private key | PKCS |
| Credentials | PuTTY private key | PUTTY_PRIVATE_KEY |
| Financial information | Bank account number | BANK_ACCOUNT_NUMBER (for Canadian and US bank account numbers), FRANCE_BANK_ACCOUNT_NUMBER, GERMANY_BANK_ACCOUNT_NUMBER, ITALY_BANK_ACCOUNT_NUMBER, SPAIN_BANK_ACCOUNT_NUMBER, UK_BANK_ACCOUNT_NUMBER |
| Financial information | Credit card expiration date | CREDIT_CARD_EXPIRATION |
| Financial information | Credit card magnetic stripe data | CREDIT_CARD_MAGNETIC_STRIPE |
| Financial information | Credit card number | CREDIT_CARD_NUMBER (for credit card numbers in proximity of a keyword) |
| Financial information | Credit card verification code | CREDIT_CARD_SECURITY_CODE |
| Personal information: Personal health information (PHI) | Drug Enforcement Administration (DEA) Registration Number | US_DRUG_ENFORCEMENT_AGENCY_NUMBER |
| Personal information: PHI | Health Insurance Claim Number (HICN) | USA_HEALTH_INSURANCE_CLAIM_NUMBER |
| Personal information: PHI | Health insurance or medical identification number | CANADA_HEALTH_NUMBER, EUROPEAN_HEALTH_INSURANCE_CARD_NUMBER, FINLAND_EUROPEAN_HEALTH_INSURANCE_NUMBER, FRANCE_HEALTH_INSURANCE_NUMBER, UK_NHS_NUMBER, USA_MEDICARE_BENEFICIARY_IDENTIFIER |
| Personal information: PHI | Healthcare Common Procedure Coding System (HCPCS) code | USA_HEALTHCARE_PROCEDURE_CODE |
| Personal information: PHI | National Drug Code (NDC) | USA_NATIONAL_DRUG_CODE |
| Personal information: PHI | National Provider Identifier (NPI) | USA_NATIONAL_PROVIDER_IDENTIFIER |
| Personal information: PHI | Unique device identifier (UDI) | MEDICAL_DEVICE_UDI |
| Personal information: Personally identifiable information (PII) | Birth date | DATE_OF_BIRTH |
| Personal information: PII | Driver’s license identification number | AUSTRALIA_DRIVERS_LICENSE, AUSTRIA_DRIVERS_LICENSE, BELGIUM_DRIVERS_LICENSE, BULGARIA_DRIVERS_LICENSE, CANADA_DRIVERS_LICENSE, CROATIA_DRIVERS_LICENSE, CYPRUS_DRIVERS_LICENSE, CZECHIA_DRIVERS_LICENSE, DENMARK_DRIVERS_LICENSE, DRIVERS_LICENSE (for the US), ESTONIA_DRIVERS_LICENSE, FINLAND_DRIVERS_LICENSE, FRANCE_DRIVERS_LICENSE, GERMANY_DRIVERS_LICENSE, GREECE_DRIVERS_LICENSE, HUNGARY_DRIVERS_LICENSE, IRELAND_DRIVERS_LICENSE, ITALY_DRIVERS_LICENSE, LATVIA_DRIVERS_LICENSE, LITHUANIA_DRIVERS_LICENSE, LUXEMBOURG_DRIVERS_LICENSE, MALTA_DRIVERS_LICENSE, NETHERLANDS_DRIVERS_LICENSE, POLAND_DRIVERS_LICENSE, PORTUGAL_DRIVERS_LICENSE, ROMANIA_DRIVERS_LICENSE, SLOVAKIA_DRIVERS_LICENSE, SLOVENIA_DRIVERS_LICENSE, SPAIN_DRIVERS_LICENSE, SWEDEN_DRIVERS_LICENSE, UK_DRIVERS_LICENSE |
| Personal information: PII | Electoral roll number | UK_ELECTORAL_ROLL_NUMBER |
| Personal information: PII | Full name | NAME |
| Personal information: PII | Global Positioning System (GPS) coordinates | LATITUDE_LONGITUDE |
| Personal information: PII | Mailing address | ADDRESS, BRAZIL_CEP_CODE |
| Personal information: PII | National identification number | BRAZIL_RG_NUMBER, FRANCE_NATIONAL_IDENTIFICATION_NUMBER, GERMANY_NATIONAL_IDENTIFICATION_NUMBER, ITALY_NATIONAL_IDENTIFICATION_NUMBER, SPAIN_DNI_NUMBER |
| Personal information: PII | National Insurance Number (NINO) | UK_NATIONAL_INSURANCE_NUMBER |
| Personal information: PII | Passport number | CANADA_PASSPORT_NUMBER, FRANCE_PASSPORT_NUMBER, GERMANY_PASSPORT_NUMBER, ITALY_PASSPORT_NUMBER, SPAIN_PASSPORT_NUMBER, UK_PASSPORT_NUMBER, USA_PASSPORT_NUMBER |
| Personal information: PII | Permanent residence number | CANADA_NATIONAL_IDENTIFICATION_NUMBER |
| Personal information: PII | Phone number | BRAZIL_PHONE_NUMBER, FRANCE_PHONE_NUMBER, GERMANY_PHONE_NUMBER, ITALY_PHONE_NUMBER, PHONE_NUMBER (for Canada and the US), SPAIN_PHONE_NUMBER, UK_PHONE_NUMBER |
| Personal information: PII | Social Insurance Number (SIN) | CANADA_SOCIAL_INSURANCE_NUMBER |
| Personal information: PII | Social Security number (SSN) | SPAIN_SOCIAL_SECURITY_NUMBER, USA_SOCIAL_SECURITY_NUMBER |
| Personal information: PII | Taxpayer identification or reference number | AUSTRALIA_TAX_FILE_NUMBER, BRAZIL_CNPJ_NUMBER, BRAZIL_CPF_NUMBER, FRANCE_TAX_IDENTIFICATION_NUMBER, GERMANY_TAX_IDENTIFICATION_NUMBER, SPAIN_NIE_NUMBER, SPAIN_NIF_NUMBER, SPAIN_TAX_IDENTIFICATION_NUMBER, UK_TAX_IDENTIFICATION_NUMBER, USA_INDIVIDUAL_TAX_IDENTIFICATION_NUMBER |
| Personal information: PII | Vehicle identification number (VIN) | VEHICLE_IDENTIFICATION_NUMBER |