Analyzing encrypted S3 objects with Amazon Macie

When you enable Amazon Macie for your AWS account, Macie creates a service-linked role that grants Macie the permissions that it requires to call Amazon Simple Storage Service (Amazon S3) and other AWS services on your behalf. The permissions policy for this role (AWSServiceRoleForAmazonMacie) allows Macie to perform actions that include retrieving information about your S3 buckets and objects, and retrieving objects from your S3 buckets. If your account is the Macie administrator account for an organization, the policy also allows Macie to perform these actions for member accounts in your organization.

In most cases, the permissions policy for the service-linked role grants Macie the permissions that it requires to retrieve, decrypt, and analyze S3 objects to detect sensitive data. However, this depends on the type of encryption that’s used for an object.

Amazon S3 managed encryption (SSE-S3)

If an object is encrypted using server-side encryption with an Amazon S3 managed key, Macie can decrypt and analyze the object. To do this, Macie uses the AWSServiceRoleForAmazonMacie service-linked role for your account.

To learn more about this type of encryption, see Protecting data using server-side encryption with Amazon S3 managed encryption keys (SSE-S3) in the Amazon Simple Storage Service User Guide.

AWS managed AWS KMS encryption (AWS-KMS)

If an object is encrypted using server-side encryption with an AWS managed, AWS KMS customer master key (CMK), Macie can decrypt and analyze the object. To do this, Macie uses the AWSServiceRoleForAmazonMacie service-linked role for your account.

To learn more about this type of encryption, see AWS managed CMKs in the AWS Key Management Service Developer Guide.

Client-side encryption

If an object is encrypted using client-side encryption, Macie can't decrypt and analyze the object. Macie can only store and report metadata for the object. For example, Macie can report the size of the object and the tags that are associated with the object.

To learn more about this type of encryption, see Protecting data using client-side encryption in the Amazon Simple Storage Service User Guide.

Customer managed AWS KMS encryption (SSE-KMS)

If an object is encrypted using server-side encryption with a customer managed, AWS KMS customer master key (CMK), Macie can decrypt and analyze the object only if you grant Macie permission to use the key. If you don't grant this permission, Macie can only store and report metadata for the object. To grant Macie permission to use a customer managed CMK, add the AWSServiceRoleForAmazonMacie service-linked role as a user of the key. To learn how to do this, see Allow key users to use a CMK in the AWS Key Management Service Developer Guide.

To learn more about this type of encryption, see Protecting data using server-side encryption with CMKs stored in AWS Key Management Service (SSE-KMS) in the Amazon Simple Storage Service User Guide.

Customer-provided server-side encryption (SSE-C)

If an object is encrypted using server-side encryption with a customer-provided key, Macie can't decrypt and analyze the object. Macie can only store and report metadata for the object.

To learn more about this type of encryption, see Protecting data using server-side encryption with customer-provided encryption keys (SSE-C) in the Amazon Simple Storage Service User Guide.
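The five cases above reduce to a small decision table, and the SSE-KMS case additionally depends on whether the key policy names the service-linked role as a key user. The following Python is an added example, not Macie's or Amazon's own code: it takes HeadObject-style metadata for a set of objects, classifies each one into the categories described on this page, and reports whether Macie would be able to analyze it or only store metadata. It assumes boto3's field names for the HeadObject response (ServerSideEncryption, SSEKMSKeyId, SSECustomerAlgorithm, Metadata), that the S3 Encryption Client marks client-side encrypted objects with x-amz-key-v2 or x-amz-key metadata, and the usual service-linked role ARN layout under aws-service-role/macie.amazonaws.com/; the account id, key ARNs, key policies and objects are all constructed, and nothing here calls AWS.

```python
"""Decide, per object, whether Macie can analyze it under the rules on this page.
Added example; all AWS-side data is constructed and stands in for HeadObject,
DescribeKey and GetKeyPolicy responses."""
import fnmatch
import json

# Assumed layout of the Macie service-linked role ARN (verify in your account).
MACIE_SLR_ARN = ("arn:aws:iam::{account}:role/aws-service-role/"
                 "macie.amazonaws.com/AWSServiceRoleForAmazonMacie")


def macie_role_arn(account_id):
    return MACIE_SLR_ARN.format(account=account_id)


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def policy_grants_decrypt(policy, principal_arn):
    """Static read of a KMS key policy: is there an Allow statement that names
    principal_arn (or '*') with an action matching kms:Decrypt? Condition elements
    are not evaluated, so treat a True here as a first screen, not a proof."""
    if policy is None:
        return False
    doc = json.loads(policy) if isinstance(policy, str) else policy
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        names = _as_list(principal) if isinstance(principal, str) else _as_list(principal.get("AWS"))
        if not any(n in ("*", principal_arn) for n in names):
            continue
        if any(fnmatch.fnmatchcase("kms:Decrypt", a) for a in _as_list(stmt.get("Action"))):
            return True
    return False


def classify_object(head, key_manager):
    """Map a HeadObject-style dict to one of the page's categories.
    key_manager(key_arn) returns 'AWS' or 'CUSTOMER' (the KeyManager field of
    kms:DescribeKey) so AWS managed and customer managed keys can be told apart.
    Returns (category, kms_key_arn_or_None)."""
    meta = head.get("Metadata", {})
    if "x-amz-key-v2" in meta or "x-amz-key" in meta:   # S3 Encryption Client envelope
        return "client-side", None
    if head.get("SSECustomerAlgorithm"):                 # SSE-C: key supplied by the caller
        return "SSE-C", None
    sse = head.get("ServerSideEncryption")
    if sse == "AES256":
        return "SSE-S3", None
    if sse == "aws:kms":
        key_arn = head.get("SSEKMSKeyId")
        return ("AWS-KMS" if key_manager(key_arn) == "AWS" else "SSE-KMS"), key_arn
    return "unencrypted", None


def macie_can_analyze(head, key_manager, key_policy, account_id):
    """SSE-S3, AWS-KMS and unencrypted objects are readable through the service-linked
    role; client-side and SSE-C objects are metadata only; SSE-KMS depends on whether
    the key policy lists the service-linked role as a key user."""
    category, key_arn = classify_object(head, key_manager)
    if category in ("client-side", "SSE-C"):
        return category, False
    if category == "SSE-KMS":
        return category, policy_grants_decrypt(key_policy(key_arn), macie_role_arn(account_id))
    return category, True


# ---- constructed sample data (placeholder account id and key ids) ----
ACCOUNT = "111122223333"
AWS_S3_KEY = f"arn:aws:kms:us-east-1:{ACCOUNT}:key/example-aws-managed-key"
CMK_WITH_GRANT = f"arn:aws:kms:us-east-1:{ACCOUNT}:key/example-cmk-with-macie-user"
CMK_WITHOUT_GRANT = f"arn:aws:kms:us-east-1:{ACCOUNT}:key/example-cmk-without-macie-user"

KEY_MANAGERS = {AWS_S3_KEY: "AWS", CMK_WITH_GRANT: "CUSTOMER", CMK_WITHOUT_GRANT: "CUSTOMER"}
KEY_POLICIES = {
    CMK_WITH_GRANT: {"Version": "2012-10-17", "Statement": [
        {"Sid": "Allow use of the key", "Effect": "Allow",
         "Principal": {"AWS": [macie_role_arn(ACCOUNT)]},
         "Action": ["kms:Decrypt", "kms:DescribeKey"], "Resource": "*"}]},
    CMK_WITHOUT_GRANT: {"Version": "2012-10-17", "Statement": [
        {"Sid": "Enable IAM policies", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"},
         "Action": "kms:*", "Resource": "*"}]},
}
SAMPLE_OBJECTS = {
    "reports/a.csv": {"ServerSideEncryption": "AES256"},
    "reports/b.csv": {"ServerSideEncryption": "aws:kms", "SSEKMSKeyId": AWS_S3_KEY},
    "reports/c.csv": {"ServerSideEncryption": "aws:kms", "SSEKMSKeyId": CMK_WITH_GRANT},
    "reports/d.csv": {"ServerSideEncryption": "aws:kms", "SSEKMSKeyId": CMK_WITHOUT_GRANT},
    "reports/e.csv": {"SSECustomerAlgorithm": "AES256"},
    "reports/f.csv": {"Metadata": {"x-amz-key-v2": "<wrapped-key>", "x-amz-iv": "<iv>"}},
}


def coverage_report(objects=SAMPLE_OBJECTS, account_id=ACCOUNT):
    """Return {object_key: (category, macie_can_analyze)} for every object."""
    return {key: macie_can_analyze(head, KEY_MANAGERS.get, KEY_POLICIES.get, account_id)
            for key, head in objects.items()}


if __name__ == "__main__":
    for key, (category, ok) in coverage_report().items():
        print(f"{key:16} {category:12} {'analyzed' if ok else 'metadata only'}")
```

In a real account the three lookups would be served by s3:HeadObject, kms:DescribeKey and kms:GetKeyPolicy. Note that the second sample key policy only contains the default "Enable IAM policies" statement for the account root; the check deliberately looks for the service-linked role named as a key user, which is the step the SSE-KMS section above asks for, rather than trying to reason about what IAM policies might add on top.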