Retrieving sensitive data samples with Amazon Macie findings
To verify the nature of sensitive data that Amazon Macie detects and reports in findings, you can optionally configure and use Macie to retrieve and reveal samples of sensitive data reported by individual findings. This includes sensitive data that Macie detects using managed data identifiers, and data that matches the criteria of custom data identifiers. The samples can help you both verify the nature of the data that Macie found, and tailor your investigation of an affected Amazon Simple Storage Service (Amazon S3) object and bucket.
Each time you retrieve and reveal sensitive data samples for a finding, Macie performs the following general tasks:
- Verifies that the finding specifies the location of individual occurrences of sensitive data and the location of the corresponding sensitive data discovery result.
- Evaluates the corresponding sensitive data discovery result, checking the validity of both the metadata for the affected S3 object and the location data for individual occurrences of sensitive data in the affected object.
- By using data in the sensitive data discovery result, locates the first 1–10 occurrences of sensitive data reported by the finding, and extracts the first 1–128 characters of each occurrence from the affected S3 object. If the finding reports multiple types of sensitive data, Macie does this for up to 100 types.
- Encrypts the extracted data with an AWS Key Management Service (AWS KMS) key that you specify.
- Temporarily stores the encrypted data in a cache and displays the data for you to review. The data is encrypted at all times, both in transit and at rest.
- Soon after extraction and encryption, permanently deletes the data from the cache unless additional retention is temporarily required to resolve an operational issue.
Macie doesn't use the Macie service-linked role for your account to perform these tasks. Instead, you use your AWS Identity and Access Management (IAM) identity to locate, retrieve, encrypt, and reveal the samples. You can retrieve and reveal sensitive data samples for a finding if you're allowed to access the requisite resources and data, and you're allowed to perform the requisite actions. All the requisite actions are logged in AWS CloudTrail.
Important
We recommend that you restrict access to this functionality by using custom IAM policies. For additional access control, we recommend that you also create a dedicated AWS KMS key for encryption of sensitive data samples that are retrieved, and restrict use of the key to only those principals who must be allowed to retrieve and reveal sensitive data samples.
For recommendations and examples of policies that you might use to control access to this functionality, see the How to use Amazon Macie to preview sensitive data in S3 buckets
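As an added example that is not part of this page or an AWS-published policy, the following identity-based IAM policy sketches the restriction recommended above: it allows a principal to check availability and retrieve samples, limits KMS use to one dedicated key (the account ID, Region and key ID are placeholders), and explicitly denies changing the reveal configuration so the principal cannot point Macie at a different key. Read access to the affected S3 objects and to the sensitive data discovery results is also required and is assumed to be granted separately.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowRevealOfSensitiveDataSamples",
      "Effect": "Allow",
      "Action": [
        "macie2:GetRevealConfiguration",
        "macie2:GetSensitiveDataOccurrencesAvailability",
        "macie2:GetSensitiveDataOccurrences"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowUseOfDedicatedRevealKeyOnly",
      "Effect": "Allow",
      "Action": [
        "kms:DescribeKey",
        "kms:GenerateDataKey",
        "kms:Decrypt"
      ],
      "Resource": "arn:aws:kms:us-east-1:111122223333:key/KEY-ID-PLACEHOLDER"
    },
    {
      "Sid": "DenyChangingRevealConfiguration",
      "Effect": "Deny",
      "Action": "macie2:UpdateRevealConfiguration",
      "Resource": "*"
    }
  ]
}
```

Because every requisite action is logged in CloudTrail, alerting on `GetSensitiveDataOccurrences` and `UpdateRevealConfiguration` events from principals outside the intended group is a useful complement to the policy itself.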
The topics in this section explain how to configure and use Macie to retrieve and reveal sensitive data samples for findings. You can perform these tasks in all the AWS Regions where Macie is currently available except the Asia Pacific (Osaka) Region.