Retrieving sensitive data samples with Amazon Macie findings - Amazon Macie

Retrieving sensitive data samples with Amazon Macie findings

To verify the nature of sensitive data that Amazon Macie detects and reports in findings, you can optionally configure and use Macie to retrieve and reveal samples of sensitive data reported by individual findings. This includes sensitive data that Macie detects using managed data identifiers, and data that matches the criteria of custom data identifiers that you configure sensitive data discovery jobs to use. The samples can help you both verify the nature of the data that Macie found, and tailor your investigation of an affected Amazon Simple Storage Service (Amazon S3) object and bucket.

Each time you retrieve and reveal sensitive data samples for a finding, Macie performs the following general tasks:

  1. Verifies that the finding specifies the location of individual occurrences of sensitive data and the location of the corresponding sensitive data discovery result.

  2. Evaluates the corresponding sensitive data discovery result, checking the validity of both the metadata for the affected S3 object and the location data for individual occurrences of sensitive data in the affected object.

  3. By using data in the sensitive data discovery result, locates the first 1–10 occurrences of sensitive data reported by the finding, and extracts the first 1–128 characters of each occurrence from the affected S3 object. If the finding reports multiple types of sensitive data, Macie does this for up to 100 types.

  4. Encrypts the extracted data with an AWS Key Management Service (AWS KMS) key that you specify.

  5. Temporarily stores the encrypted data in a cache and displays the data for you to review. The data is encrypted at all times, both in transit and at rest.

  6. Soon after extraction and encryption, permanently deletes the data from the cache unless additional retention is temporarily required to resolve an operational issue.

Macie doesn't use the Macie service-linked role for your account to perform these tasks. Instead, you use your AWS Identity and Access Management (IAM) identity to locate, retrieve, encrypt, and reveal the samples. You can retrieve and reveal sensitive data samples for a finding if you're allowed to access the requisite resources and data, and you're allowed to perform the requisite actions. All the requisite actions are logged in AWS CloudTrail.

Important

We recommend that you restrict access to this functionality by using custom IAM policies. For additional access control, we recommend that you also create a dedicated AWS KMS key for encryption of sensitive data samples that are retrieved, and restrict use of the key to only those principals who must be allowed to retrieve and reveal sensitive data samples.

The topics in this section explain how to configure and use Macie to retrieve and reveal sensitive data samples for findings. You can perform these tasks in all the AWS Regions where Macie is currently available except the Asia Pacific (Osaka) Region.