Default settings for automated sensitive data discovery - Amazon Macie

If automated sensitive data discovery is enabled for your account, Amazon Macie automatically selects and analyzes sample objects from all the Amazon Simple Storage Service (Amazon S3) buckets that it monitors and analyzes for your account. If you're the Macie administrator for an organization, this includes S3 buckets that your member accounts own. You can exclude specific buckets from the analyses in two ways: by changing the automated discovery settings for your account and by changing the automated discovery settings for individual buckets.

By default, Macie analyzes S3 objects by using only the set of managed data identifiers that we recommend for automated sensitive data discovery. Macie doesn't use custom data identifiers or allow lists that you've defined. To customize the analyses, you can configure Macie to use specific allow lists, custom data identifiers, and managed data identifiers by changing the automated discovery settings for your account.

The following topics list the managed data identifiers that Macie uses by default, organized by sensitive data category. They also indicate the unique identifier (ID) for each one. If you change the automated discovery settings for your account, you can use this ID to explicitly exclude or include a managed data identifier in subsequent analyses.

For a complete list of the managed data identifiers that Macie currently provides and additional details for each one, see Using managed data identifiers.
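The following is an added example (not code from the AWS documentation or the Macie service) of how a practitioner can use these IDs to customize automated discovery from code. It assumes the boto3 `macie2` client operations `list_sensitivity_inspection_templates`, `get_sensitivity_inspection_template` and `update_sensitivity_inspection_template`, that the `excludes`/`includes` lists in an update replace the previous lists, and that the account's template and any custom data identifier IDs are supplied by you (the `tmpl-placeholder` and `cdi-placeholder` values are placeholders). The set of managed data identifier IDs is the default set listed in the tables on this page.

```python
"""Customize which managed data identifiers Macie's automated sensitive data
discovery uses: check IDs against this page's default list, compute the set
that would be in effect after a template's excludes/includes, and build the
update request. Added example; assumes the boto3 macie2 client API."""
from __future__ import annotations

import sys
from typing import Any, Iterable

try:
    import boto3  # only needed to talk to Macie for real
except ImportError:  # keep the module importable offline
    boto3 = None

_DL_COUNTRIES = ("AUSTRALIA AUSTRIA BELGIUM BULGARIA CANADA CROATIA CYPRUS CZECHIA DENMARK "
                 "ESTONIA FINLAND FRANCE GERMANY GREECE HUNGARY IRELAND ITALY LATVIA LITHUANIA "
                 "LUXEMBOURG MALTA NETHERLANDS POLAND PORTUGAL ROMANIA SLOVAKIA SLOVENIA SPAIN "
                 "SWEDEN UK").split()

# Managed data identifier IDs Macie uses by default (the tables on this page).
DEFAULT_MANAGED_IDS: frozenset[str] = frozenset({
    # Credentials
    "AWS_CREDENTIALS", "HTTP_BASIC_AUTH_HEADER", "OPENSSH_PRIVATE_KEY",
    "PGP_PRIVATE_KEY", "PKCS", "PUTTY_PRIVATE_KEY",
    # Financial information
    "BANK_ACCOUNT_NUMBER", "FRANCE_BANK_ACCOUNT_NUMBER", "GERMANY_BANK_ACCOUNT_NUMBER",
    "ITALY_BANK_ACCOUNT_NUMBER", "SPAIN_BANK_ACCOUNT_NUMBER", "UK_BANK_ACCOUNT_NUMBER",
    "CREDIT_CARD_EXPIRATION", "CREDIT_CARD_MAGNETIC_STRIPE", "CREDIT_CARD_NUMBER",
    "CREDIT_CARD_SECURITY_CODE",
    # Personal health information
    "US_DRUG_ENFORCEMENT_AGENCY_NUMBER", "USA_HEALTH_INSURANCE_CLAIM_NUMBER",
    "CANADA_HEALTH_NUMBER", "EUROPEAN_HEALTH_INSURANCE_CARD_NUMBER",
    "FINLAND_EUROPEAN_HEALTH_INSURANCE_NUMBER", "FRANCE_HEALTH_INSURANCE_NUMBER",
    "UK_NHS_NUMBER", "USA_MEDICARE_BENEFICIARY_IDENTIFIER", "USA_HEALTHCARE_PROCEDURE_CODE",
    "USA_NATIONAL_DRUG_CODE", "USA_NATIONAL_PROVIDER_IDENTIFIER", "MEDICAL_DEVICE_UDI",
    # Personally identifiable information
    "DATE_OF_BIRTH", "DRIVERS_LICENSE", *(f"{c}_DRIVERS_LICENSE" for c in _DL_COUNTRIES),
    "UK_ELECTORAL_ROLL_NUMBER", "NAME", "LATITUDE_LONGITUDE", "ADDRESS", "BRAZIL_CEP_CODE",
    "BRAZIL_RG_NUMBER", "FRANCE_NATIONAL_IDENTIFICATION_NUMBER",
    "GERMANY_NATIONAL_IDENTIFICATION_NUMBER", "ITALY_NATIONAL_IDENTIFICATION_NUMBER",
    "SPAIN_DNI_NUMBER", "UK_NATIONAL_INSURANCE_NUMBER",
    *(f"{c}_PASSPORT_NUMBER" for c in ("CANADA", "FRANCE", "GERMANY", "ITALY", "SPAIN", "UK", "USA")),
    "CANADA_NATIONAL_IDENTIFICATION_NUMBER", "PHONE_NUMBER",
    *(f"{c}_PHONE_NUMBER" for c in ("BRAZIL", "FRANCE", "GERMANY", "ITALY", "SPAIN", "UK")),
    "CANADA_SOCIAL_INSURANCE_NUMBER", "SPAIN_SOCIAL_SECURITY_NUMBER", "USA_SOCIAL_SECURITY_NUMBER",
    "AUSTRALIA_TAX_FILE_NUMBER", "BRAZIL_CNPJ_NUMBER", "BRAZIL_CPF_NUMBER",
    "FRANCE_TAX_IDENTIFICATION_NUMBER", "GERMANY_TAX_IDENTIFICATION_NUMBER", "SPAIN_NIE_NUMBER",
    "SPAIN_NIF_NUMBER", "SPAIN_TAX_IDENTIFICATION_NUMBER", "UK_TAX_IDENTIFICATION_NUMBER",
    "USA_INDIVIDUAL_TAX_IDENTIFICATION_NUMBER", "VEHICLE_IDENTIFICATION_NUMBER",
})


def unknown_managed_ids(ids: Iterable[str]) -> list[str]:
    """Local sanity check: IDs that are not on this page's default list (a typo
    here would silently exclude nothing)."""
    return sorted(set(ids) - DEFAULT_MANAGED_IDS)


def effective_managed_ids(template: dict[str, Any]) -> frozenset[str]:
    """Managed IDs in effect: the defaults minus the template's excludes, plus
    any managed IDs it explicitly includes (response shape of
    get_sensitivity_inspection_template, as assumed here)."""
    excludes = set(template.get("excludes", {}).get("managedDataIdentifierIds", []))
    includes = set(template.get("includes", {}).get("managedDataIdentifierIds", []))
    return frozenset((DEFAULT_MANAGED_IDS - excludes) | includes)


def build_update_request(template_id: str, *, exclude_managed: Iterable[str] = (),
                         include_managed: Iterable[str] = (), custom_ids: Iterable[str] = (),
                         allow_list_ids: Iterable[str] = (), description: str | None = None) -> dict:
    """Build the kwargs for update_sensitivity_inspection_template. The lists are
    assumed to replace the stored lists, so pass the full intended state."""
    exclude, include = set(exclude_managed), set(include_managed)
    if bad := unknown_managed_ids(exclude):
        raise ValueError(f"not default managed data identifier IDs: {bad}")
    if both := exclude & include:
        raise ValueError(f"IDs both excluded and included: {sorted(both)}")
    request: dict[str, Any] = {
        "id": template_id,
        "excludes": {"managedDataIdentifierIds": sorted(exclude)},
        "includes": {"allowListIds": sorted(allow_list_ids),
                     "customDataIdentifierIds": sorted(custom_ids),
                     "managedDataIdentifierIds": sorted(include)},
    }
    if description:
        request["description"] = description
    return request


def apply_update(client: Any, request: dict) -> dict:
    """Send the request with a boto3 macie2 client (any object with that method)."""
    return client.update_sensitivity_inspection_template(**request)


if __name__ == "__main__":
    if boto3 is None:
        raise SystemExit("boto3 is not installed; nothing to query or apply")
    macie = boto3.client("macie2")
    # Assumption: the account's template ID comes from the list operation.
    template_id = macie.list_sensitivity_inspection_templates()["sensitivityInspectionTemplates"][0]["id"]
    current = macie.get_sensitivity_inspection_template(id=template_id)
    print("managed IDs currently in effect:", len(effective_managed_ids(current)))
    request = build_update_request(template_id, exclude_managed=["NAME"],
                                   custom_ids=["cdi-placeholder"])  # placeholder custom ID
    print(apply_update(macie, request) if "--apply" in sys.argv else request)
```

Run without `--apply` to print the request the script would send; the same change can be made with the CLI counterpart `aws macie2 update-sensitivity-inspection-template`. Keeping the ID list in code lets a review catch a misspelled ID before it is sent, and `effective_managed_ids` gives a quick read of which defaults an existing template has turned off.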

Credentials

To detect occurrences of credentials data in S3 objects, Macie uses the following managed data identifiers by default.

| Sensitive data type | Managed data identifier ID |
| --- | --- |
| AWS secret access key | AWS_CREDENTIALS |
| HTTP Basic Authorization header | HTTP_BASIC_AUTH_HEADER |
| OpenSSH private key | OPENSSH_PRIVATE_KEY |
| PGP private key | PGP_PRIVATE_KEY |
| Public Key Cryptography Standard (PKCS) private key | PKCS |
| PuTTY private key | PUTTY_PRIVATE_KEY |

Financial information

To detect occurrences of financial information in S3 objects, Macie uses the following managed data identifiers by default.

| Sensitive data type | Managed data identifier ID |
| --- | --- |
| Bank account number | BANK_ACCOUNT_NUMBER (for Canadian and US bank account numbers), FRANCE_BANK_ACCOUNT_NUMBER, GERMANY_BANK_ACCOUNT_NUMBER, ITALY_BANK_ACCOUNT_NUMBER, SPAIN_BANK_ACCOUNT_NUMBER, UK_BANK_ACCOUNT_NUMBER |
| Credit card expiration date | CREDIT_CARD_EXPIRATION |
| Credit card magnetic strip data | CREDIT_CARD_MAGNETIC_STRIPE |
| Credit card number | CREDIT_CARD_NUMBER (for credit card numbers that are in proximity of a keyword) |
| Credit card verification code | CREDIT_CARD_SECURITY_CODE |

Personal information: Personal health information

To detect occurrences of personal health information (PHI) in S3 objects, Macie uses the following managed data identifiers by default.

| Sensitive data type | Managed data identifier ID |
| --- | --- |
| Drug Enforcement Agency (DEA) Registration Number | US_DRUG_ENFORCEMENT_AGENCY_NUMBER |
| Health Insurance Claim Number (HICN) | USA_HEALTH_INSURANCE_CLAIM_NUMBER |
| Health insurance or medical identification number | CANADA_HEALTH_NUMBER, EUROPEAN_HEALTH_INSURANCE_CARD_NUMBER, FINLAND_EUROPEAN_HEALTH_INSURANCE_NUMBER, FRANCE_HEALTH_INSURANCE_NUMBER, UK_NHS_NUMBER, USA_MEDICARE_BENEFICIARY_IDENTIFIER |
| Healthcare Common Procedure Coding System (HCPCS) code | USA_HEALTHCARE_PROCEDURE_CODE |
| National Drug Code (NDC) | USA_NATIONAL_DRUG_CODE |
| National Provider Identifier (NPI) | USA_NATIONAL_PROVIDER_IDENTIFIER |
| Unique device identifier (UDI) | MEDICAL_DEVICE_UDI |

Personal information: Personally identifiable information

To detect occurrences of personally identifiable information (PII) in S3 objects, Macie uses the following managed data identifiers by default.

| Sensitive data type | Managed data identifier ID |
| --- | --- |
| Birth date | DATE_OF_BIRTH |
| Driver’s license identification number | AUSTRALIA_DRIVERS_LICENSE, AUSTRIA_DRIVERS_LICENSE, BELGIUM_DRIVERS_LICENSE, BULGARIA_DRIVERS_LICENSE, CANADA_DRIVERS_LICENSE, CROATIA_DRIVERS_LICENSE, CYPRUS_DRIVERS_LICENSE, CZECHIA_DRIVERS_LICENSE, DENMARK_DRIVERS_LICENSE, DRIVERS_LICENSE (for the US), ESTONIA_DRIVERS_LICENSE, FINLAND_DRIVERS_LICENSE, FRANCE_DRIVERS_LICENSE, GERMANY_DRIVERS_LICENSE, GREECE_DRIVERS_LICENSE, HUNGARY_DRIVERS_LICENSE, IRELAND_DRIVERS_LICENSE, ITALY_DRIVERS_LICENSE, LATVIA_DRIVERS_LICENSE, LITHUANIA_DRIVERS_LICENSE, LUXEMBOURG_DRIVERS_LICENSE, MALTA_DRIVERS_LICENSE, NETHERLANDS_DRIVERS_LICENSE, POLAND_DRIVERS_LICENSE, PORTUGAL_DRIVERS_LICENSE, ROMANIA_DRIVERS_LICENSE, SLOVAKIA_DRIVERS_LICENSE, SLOVENIA_DRIVERS_LICENSE, SPAIN_DRIVERS_LICENSE, SWEDEN_DRIVERS_LICENSE, UK_DRIVERS_LICENSE |
| Electoral roll number | UK_ELECTORAL_ROLL_NUMBER |
| Full name | NAME |
| Global Positioning System (GPS) coordinates | LATITUDE_LONGITUDE |
| Mailing address | ADDRESS, BRAZIL_CEP_CODE |
| National identification number | BRAZIL_RG_NUMBER, FRANCE_NATIONAL_IDENTIFICATION_NUMBER, GERMANY_NATIONAL_IDENTIFICATION_NUMBER, ITALY_NATIONAL_IDENTIFICATION_NUMBER, SPAIN_DNI_NUMBER |
| National Insurance Number (NINO) | UK_NATIONAL_INSURANCE_NUMBER |
| Passport number | CANADA_PASSPORT_NUMBER, FRANCE_PASSPORT_NUMBER, GERMANY_PASSPORT_NUMBER, ITALY_PASSPORT_NUMBER, SPAIN_PASSPORT_NUMBER, UK_PASSPORT_NUMBER, USA_PASSPORT_NUMBER |
| Permanent residence number | CANADA_NATIONAL_IDENTIFICATION_NUMBER |
| Phone number | BRAZIL_PHONE_NUMBER, FRANCE_PHONE_NUMBER, GERMANY_PHONE_NUMBER, ITALY_PHONE_NUMBER, PHONE_NUMBER (for Canada and the US), SPAIN_PHONE_NUMBER, UK_PHONE_NUMBER |
| Social Insurance Number (SIN) | CANADA_SOCIAL_INSURANCE_NUMBER |
| Social Security number (SSN) | SPAIN_SOCIAL_SECURITY_NUMBER, USA_SOCIAL_SECURITY_NUMBER |
| Taxpayer identification or reference number | AUSTRALIA_TAX_FILE_NUMBER, BRAZIL_CNPJ_NUMBER, BRAZIL_CPF_NUMBER, FRANCE_TAX_IDENTIFICATION_NUMBER, GERMANY_TAX_IDENTIFICATION_NUMBER, SPAIN_NIE_NUMBER, SPAIN_NIF_NUMBER, SPAIN_TAX_IDENTIFICATION_NUMBER, UK_TAX_IDENTIFICATION_NUMBER, USA_INDIVIDUAL_TAX_IDENTIFICATION_NUMBER |
| Vehicle identification number (VIN) | VEHICLE_IDENTIFICATION_NUMBER |