Document history for the Amazon Macie User Guide - Amazon Macie

Document history for the Amazon Macie User Guide

The following table describes the important changes to the documentation since the last release of Amazon Macie. For notification about updates to this documentation, you can subscribe to an RSS feed.

Latest documentation update: February 20, 2024

ChangeDescriptionDate

New functionality

AWS Security Hub now provides security controls that check the status of Macie and automated sensitive data discovery for accounts. If these controls are enabled, Security Hub periodically runs security checks to determine whether Macie is enabled for an AWS account (Macie.1 control), and whether automated sensitive data discovery is enabled for a Macie account (Macie.2 control).

February 20, 2024

New functionality

Macie can now analyze Amazon S3 objects that are encrypted using dual-layer server-side encryption with AWS KMS keys (DSSE-KMS). These objects are now eligible for analysis when Macie performs automated sensitive data discovery or you run sensitive data discovery jobs. In addition, S3 buckets and objects that use DSSE-KMS encryption are now included in statistics and metadata that Macie provides about your Amazon S3 data.

January 17, 2024

New feature

You can now configure Macie to assume an AWS Identity and Access Management (IAM) role when you choose to retrieve and reveal samples of sensitive data that Macie reports in findings. The samples can help you verify the nature of the sensitive data that Macie found, and tailor your investigation of an affected Amazon S3 object and bucket.

November 16, 2023

New functionality

Macie now provides managed data identifiers that are designed to detect International Bank Account Numbers (IBANs) for 47 additional countries and regions. You can now use Macie to detect and report occurrences of IBANs for more than 50 countries and regions.

November 1, 2023

New functionality

Macie now provides managed data identifiers that are designed to detect the following types of sensitive data: Google Cloud API keys, Stripe API keys, and Aadhaar numbers, Permanent Account Numbers (PANs), and driver's license identification numbers for India.

September 25, 2023

New quotas

To help you verify the nature of sensitive data reported by findings, we increased the size quotas for retrieving and revealing sensitive data samples from Amazon S3 objects. You can now retrieve and reveal samples from S3 objects whose storage size exceeds 10 MB. For a list of the new quotas, see Amazon Macie quotas.

September 7, 2023

Regional availability

Macie is now available in the Israel (Tel Aviv) Region. For a complete list of AWS Regions where Macie is currently available, see Amazon Macie endpoints and quotas in the AWS General Reference.

August 28, 2023

Updated functionality

We implemented a new, dynamic set of default managed data identifiers for automated sensitive data discovery. The default set includes the managed data identifiers that we recommend for automated sensitive data discovery. It's designed to detect common categories and types of sensitive data while also optimizing your automated sensitive data discovery results.

August 2, 2023

Updated functionality

To help you locate occurrences of sensitive data that Macie reports in sensitive data findings and sensitive data discovery results, we changed the character limit from 20 to 240 for the names of JSON path elements in Record objects. This change affects new sensitive data findings and discovery results for Apache Avro object containers, Apache Parquet files, JSON files, and JSON Lines files.

July 24, 2023

Updated functionality

If you're the delegated Macie administrator for an organization in AWS Organizations, you can now manage Macie for up to 10,000 accounts in your organization.

June 30, 2023

New feature

You can now create and configure sensitive data discovery jobs to automatically use the set of managed data identifiers that we recommend for jobs. This recommended set of managed data identifiers is designed to detect common categories and types of sensitive data while also optimizing your job results.

June 28, 2023

New policy

We added a new AWS managed policy, the AmazonMacieReadOnlyAccess policy. This policy grants read-only permissions that allow an IAM identity (principal) to retrieve all Macie resources, data, and settings for their account.

June 15, 2023

New feature

To help you assess and monitor automated sensitive data discovery coverage of your Amazon S3 data, the Macie console now includes a Resource coverage page. The page provides a unified view of coverage statistics and data for all of your S3 buckets, including a rollup of analysis issues (if any) that recently occurred for each bucket. If issues occurred, the page also provides remediation guidance.

May 15, 2023

New feature

Macie integrates with AWS User Notifications, which is a new AWS service that acts as a central location for your AWS notifications on the AWS Management Console. With User Notifications, you can configure custom rules and delivery channels for generating and sending notifications about Amazon EventBridge events that Macie publishes for policy and sensitive data findings.

May 5, 2023

Updated content

Updated descriptions of statistics and metadata that Macie provides about default encryption settings for S3 buckets. Also updated the description of the Policy:IAMUser/S3BucketEncryptionDisabled policy finding. Amazon S3 now automatically applies server-side encryption with Amazon S3 managed keys (SSE-S3) as the base level of encryption for objects that are added to new and existing buckets. For information about this change in Amazon S3, see Setting default server-side encryption behavior for S3 buckets in the Amazon Simple Storage Service User Guide.

February 27, 2023

New functionality

Macie can now generate an additional type of policy finding for an S3 bucket: Policy:IAMUser/S3BucketSharedWithCloudFront. This type of finding indicates that a bucket's policy was changed to allow the bucket to be shared with an Amazon CloudFront origin access identity (OAI), a CloudFront origin access control (OAC), or both. In addition, buckets that are shared with CloudFront OAIs or OACs are now considered to be shared externally in statistics and metadata that Macie provides about your Amazon S3 data.

February 24, 2023

New functionality

Macie now supports the Amazon S3 Glacier Instant Retrieval storage class for sensitive data discovery. S3 objects that use this storage class are now eligible for analysis when Macie performs automated sensitive data discovery or you run sensitive data discovery jobs. They're also considered classifiable objects in statistics and metadata that Macie provides about your Amazon S3 data.

December 21, 2022

New feature

You can now configure Macie to perform automated sensitive data discovery for your account or organization. With automated sensitive data discovery, Macie continually evaluates your Amazon S3 data and uses sampling techniques to identify, select, and analyze representative objects in your S3 buckets, inspecting the objects for sensitive data. You can evaluate analyses' results in statistics, findings, and other information that Macie provides about your Amazon S3 data.

November 28, 2022

New feature

You can now create and use allow lists to specify text and text patterns that you want Macie to ignore when it inspects Amazon S3 objects for sensitive data. By using allow lists, you can define sensitive data exceptions for your particular scenarios or environment—for example, the names of public representatives for your organization, specific phone numbers, or sample data that your organization uses for testing.

August 30, 2022

New feature

To verify the nature of sensitive data that Macie finds in S3 objects, you can now configure and use Macie to retrieve samples of sensitive data reported by findings.

July 26, 2022

Updated functionality

In the AmazonMacieFullAccess policy, we updated the Amazon Resource Name (ARN) of the Macie service-linked role (aws-service-role/macie.amazonaws.com/AWSServiceRoleForAmazonMacie).

June 30, 2022

Updated functionality

We updated the AmazonMacieServiceRolePolicy policy, which is the policy that's attached to the Macie service-linked role (AWSServiceRoleForAmazonMacie). The policy no longer specifies actions and resources for Amazon Macie Classic. Amazon Macie Classic has been discontinued and is no longer available.

May 20, 2022

New functionality

Macie now includes the OriginType field in sensitive data findings that it publishes to AWS Security Hub. The OriginType field specifies how Macie found the sensitive data that produced a finding.

May 11, 2022

Updated content

Clarified how keyword and maximum match distance settings work for custom data identifiers.

April 22, 2022

New functionality

Macie now provides managed data identifiers that are designed to detect HTTP Basic Authorization headers, HTTP cookies, and JSON Web Tokens.

April 21, 2022

New content

Added descriptions and definitions of key concepts and terms for Macie.

March 16, 2022

New functionality

To calculate and display estimated costs when you create and configure sensitive data discovery jobs, Macie now retrieves pricing data for your AWS account from AWS Billing and Cost Management. To support this functionality, we added a Billing and Cost Management action to the AmazonMacieFullAccess policy.

March 7, 2022

New functionality

Macie now includes the Sample field in findings that it publishes to AWS Security Hub. The Sample field specifies whether a finding is a sample finding.

February 24, 2022

New content

Added information about using Amazon Virtual Private Cloud to establish a private connection between your VPC and Macie.

January 19, 2022

New functionality

You can now use the Amazon Macie console to assign and manage tags for custom data identifiers, filter and suppression rules for findings, sensitive data discovery jobs, and, if you're the Macie administrator for an organization, member accounts in your organization. A tag is a label that you optionally define and assign to certain types of AWS resources.

January 12, 2022

New content

Added information about using AWS Identity and Access Management to manage access to Macie.

December 20, 2021

New feature

When you create a custom data identifier, you can now define severity settings for sensitive data findings that it produces. With these settings, you can specify which severity to assign to a finding based on the number of occurrences of text that match the custom data identifier's detection criteria.

November 4, 2021

New functionality

To learn about the different types of findings that Macie provides, you can generate sample findings. Sample findings use example data and placeholder values to demonstrate the kinds of information that Macie might include in each type of finding.

October 28, 2021

New functionality

Macie now includes the OwnerAccountId field in findings that it publishes to AWS Security Hub. This field specifies the account ID for the AWS account that owns the affected S3 bucket.

October 27, 2021

New content

Added information about centrally managing multiple Macie accounts. You can do this in two ways, by integrating Macie with AWS Organizations or by sending membership invitations from Macie.

October 13, 2021

New functionality

Your S3 bucket inventory now indicates if a bucket's permissions settings prevent Macie from retrieving information about the bucket or the bucket's objects and evaluating and monitoring the security and privacy of the bucket's data. In addition, we updated references to AWS KMS keys and customer managed keys to reflect current terminology.

October 5, 2021

New functionality

Macie now stores policy and sensitive data findings for 90 days instead of 30 days. If Macie created or updated a finding on or after August 31, 2021, you can access the finding for up to 90 days by using the Macie console or the Macie API. In certain AWS Regions, Macie began retaining findings for 90 days as early as September 27, 2021.

October 1, 2021

New feature

When you create a sensitive data discovery job, you can now specify which managed data identifiers you want the job to use when it analyzes S3 objects. With this feature, you can tailor a job's analysis to focus on certain types of sensitive data.

September 17, 2021

New functionality

Sensitive data findings now provide additional information to help you locate sensitive data in JSON and JSON Lines files.

July 6, 2021

Updated functionality

Macie now uses the AwsS3Bucket resource type in findings that it publishes to AWS Security Hub. (Macie previously set this value to AWS::S3::Bucket.) AwsS3Bucket is the resource type value that's used for S3 buckets in the AWS Security Finding Format (ASFF).

June 28, 2021

New feature

When you create a sensitive data discovery job, you can now define runtime criteria that determine which S3 buckets the job analyzes. With this feature, the scope of a job's analysis can dynamically adapt to changes to your bucket inventory.

May 15, 2021

New functionality

Your S3 bucket inventory and the Summary dashboard now provide encryption metadata and statistics indicating whether bucket policies require server-side encryption of new objects. In addition, you can now perform on-demand refreshes of object metadata for individual buckets in your bucket inventory.

April 30, 2021

New feature

You can now use Amazon CloudWatch Logs to monitor and analyze events that occur when you run sensitive data discovery jobs. To support this feature, we added CloudWatch Logs actions to the AWS managed policy for the Macie service-linked role.

April 14, 2021

Regional availability

Macie is now available in the AWS Asia Pacific (Osaka) Region.

April 5, 2021

New feature

You can now configure Macie to publish sensitive data findings to AWS Security Hub.

March 22, 2021

New content

Added information about monitoring and forecasting Macie costs and participating in the free trial.

February 26, 2021

Updated content

We replaced the term master account with the term administrator account. An administrator account is used to centrally manage multiple accounts.

February 12, 2021

New functionality

You can now refine the scope of sensitive data discovery jobs by using S3 object prefixes in custom include and exclude criteria.

February 2, 2021

Updated content

Macie now adheres to the finding type taxonomy of the AWS Security Finding Format (ASFF) when it publishes policy findings to AWS Security Hub.

January 28, 2021

New content

Added information about monitoring Amazon S3 data and assessing the security and privacy of that data.

January 8, 2021

Regional availability

Macie is now available in the AWS Africa (Cape Town) Region, the AWS Europe (Milan) Region, and the AWS Middle East (Bahrain) Region.

December 21, 2020

New functionality

If your account is a Macie administrator account, you can now create and run sensitive data discovery jobs that analyze data for as many as 1,000 buckets spanning as many as 1,000 accounts in your organization.

November 25, 2020

New functionality

Your S3 bucket inventory now indicates whether you've configured any one-time or periodic sensitive data discovery jobs to analyze data in a bucket. If you have, it also provides details about the job that ran most recently.

November 23, 2020

New content

Added information about filtering findings.

November 12, 2020

New functionality

Sensitive data findings now provide additional information to help you locate sensitive data in Apache Avro object containers, Apache Parquet files, and Microsoft Excel workbooks.

November 9, 2020

New feature

You can now use sensitive data findings to locate individual occurrences of sensitive data in S3 objects.

October 22, 2020

New feature

You can now pause and resume sensitive data discovery jobs.

October 16, 2020

New content

Added details about the severity scoring system for policy findings and sensitive data findings.

October 6, 2020

New features

You can now view statistics that indicate how much data Macie can analyze in individual S3 buckets when you run a sensitive data discovery job. In addition, you can now view the estimated cost of a job when you create a job.

September 3, 2020

New content

Added information about configuring, running, and managing sensitive data discovery jobs.

August 31, 2020

New functionality

Managed data identifiers can now detect certain types of personally identifiable information for Brazil.

July 31, 2020

Updated content

Added information about the supported syntax for regular expressions in custom data identifiers.

July 30, 2020

Updated content

Added keyword requirements for managed data identifiers, and increased the quota for the number of findings that each sensitive data discovery job can produce.

July 17, 2020

New content

Added information about using Amazon EventBridge and AWS Security Hub to monitor and process findings. This includes the EventBridge event schema for findings and event examples for policy and sensitive data findings.

June 22, 2020

New content

Added information about analyzing and suppressing findings.

June 17, 2020

New content

Added instructions for configuring Macie to store detailed discovery results in an S3 bucket.

June 2, 2020

New content

Added information about the types of sensitive data that Macie can detect, and encryption requirements for detecting sensitive data in Amazon S3 objects.

May 28, 2020

General availability

This is the initial public release of the Amazon Macie User Guide.

May 13, 2020