Getting started with Amazon Macie - Amazon Macie

Getting started with Amazon Macie

This tutorial provides a hands-on introduction to Amazon Macie.

Before you begin

When you sign up for Amazon Web Services (AWS), your account is automatically signed up for all services in AWS, including Amazon Macie. However, to enable and use Macie, you first have to set up permissions that allow you to access the Amazon Macie console and API operations. You can do this by using the AWS Identity and Access Management (IAM) console to attach the AmazonMacieFullAccess managed policy to your IAM identity. That policy grants full administrative access to Macie; identities that only need to review findings should get the narrower AmazonMacieReadOnlyAccess managed policy instead. To learn more, see Managed policies in the IAM User Guide.

Step 1: Enable Amazon Macie

After you set up the required permissions, you can enable Macie. Use the following procedure to enable Macie.

To enable Macie

  1. Open the Macie console at https://console.aws.amazon.com/macie/.

  2. By using the AWS Region selector in the upper-right corner of the page, select the Region in which you want to enable Macie.

  3. Choose Get started.

  4. (Optional) Review the service-linked role that Macie creates when you enable it. This role grants Macie the permissions that it requires to call other AWS services on your behalf. To learn more about this role, see Service-linked roles.

  5. Choose Enable Macie.

Within minutes, Macie generates an inventory of the Amazon Simple Storage Service (Amazon S3) buckets for your account in the current AWS Region. Macie also begins monitoring the buckets for potential policy violations. If your account is the Macie administrator account for an organization, this includes buckets for associated member accounts.

To view your bucket inventory, choose S3 buckets in the navigation pane on the console. To then display details about a bucket, including the security and access control settings for a bucket, choose the bucket's name in the table. The details panel displays information about the bucket. To learn more about this data, see Analyzing your Amazon S3 security posture.

Step 2: Configure a repository for sensitive data discovery results

With Macie, you create and run sensitive data discovery jobs to analyze objects in S3 buckets and report any sensitive data in those objects. When Macie runs a job, it creates a sensitive data finding if it discovers sensitive data in an object. A sensitive data finding is a detailed report of sensitive data that Macie finds in an object.

Macie also creates a sensitive data discovery result for each object that you configure a job to analyze. A sensitive data discovery result is a record that logs details about the analysis of an object. This includes objects that don't contain sensitive data, and therefore don't produce a sensitive data finding, and objects that Macie can't analyze due to issues such as permission settings. If an object does contain sensitive data, the sensitive data discovery result includes data from the corresponding sensitive data finding. It provides additional information too.

Macie stores your sensitive data discovery results for 90 days. To access the results and enable long-term storage and retention of them, configure Macie to store the results in an S3 bucket. You must do this within 30 days of enabling Macie. After you do this, the S3 bucket can serve as a definitive, long-term repository for all of your discovery results.

To learn how to configure a repository for your discovery results, see Storing and retaining sensitive data discovery results.

Step 3: Create a job to discover sensitive data

In Macie, sensitive data discovery jobs analyze objects in S3 buckets to discover and report sensitive data. Each job uses the built-in, managed data identifiers that Macie provides and, optionally, custom data identifiers that you create. For information about the types of data that Macie can analyze, see Discovering sensitive data. For information about the types of sensitive data that Macie can detect, see Using managed data identifiers.

Use the following procedure to create and run a job with the default settings. To learn how to create and run a job with custom settings, see Creating a sensitive data discovery job.

To create a sensitive data discovery job

  1. In the navigation pane, choose Jobs.

  2. Choose Create job. Macie displays an inventory of all the S3 buckets for your account.

    If your account is the Macie administrator account for an organization, the inventory includes buckets for associated member accounts. To filter the inventory, use the filter bar above the table to enter filter criteria.

  3. For the Select S3 buckets step, select the check box for each bucket that you want the job to analyze. Then choose Next.

  4. For the Review S3 buckets step, review and verify your bucket selections. You can also review the total estimated cost (in US Dollars) of running the job once based on your bucket selections. When you finish, choose Next.

  5. For the Scope step, specify how often you want the job to run—once, or periodically on a daily, weekly, or monthly basis. Then choose Next.

  6. For the Custom data identifiers step, choose Next.

  7. For the Name and description step, enter a name and, optionally, a description of the job. Then choose Next.

  8. For the Review and create step, review the configuration settings for the job and verify that they're correct. You can also review the total estimated cost (in US Dollars) of running the job once based on your bucket selections.

  9. When you finish reviewing and verifying the settings, choose Submit.

If you configured the job to run once, on a daily basis, or on the current day of the week or month, Macie starts running the job immediately. Otherwise, Macie prepares to run the job on the specified day of the week or month. To monitor the job, check its status on the Jobs page.
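The same two procedures (Step 2, configuring the discovery results repository, and Step 3, creating a job) can be scripted against the Macie API, which is how you would repeat them across Regions or accounts. The following is an added example written for this page using the boto3 "macie2" client; it is not code from the Macie documentation. The region, bucket names, account ID and KMS key ARN are placeholders. One detail the console hides: the export configuration requires the ARN of a customer managed KMS key that Macie is allowed to use, because discovery results record where sensitive data was found and should not sit in a plaintext, loosely permissioned bucket.

```python
"""Configure the sensitive data discovery results repository and create a
sensitive data discovery job with the Amazon Macie API.

Added example for this page (not Macie documentation code). All resource
names, IDs and ARNs below are placeholders.
"""
import re
import time
import uuid

# Shape of the KMS key ARN that PutClassificationExportConfiguration requires.
KMS_KEY_ARN_RE = re.compile(
    r"^arn:aws(-[a-z]+)*:kms:[a-z0-9-]+:\d{12}:key/[0-9a-f-]{36}$"
)
VALID_DAYS = {"MONDAY", "TUESDAY", "WEDNESDAY", "THURSDAY",
              "FRIDAY", "SATURDAY", "SUNDAY"}


def export_configuration(bucket_name, kms_key_arn, key_prefix="macie-results/"):
    """Build the 'configuration' argument for PutClassificationExportConfiguration.

    Macie writes one discovery result record per analysed object under
    key_prefix, so the bucket should be private and encrypted with the
    customer managed KMS key named here (the key ARN is mandatory).
    """
    if not KMS_KEY_ARN_RE.match(kms_key_arn):
        raise ValueError(f"not a KMS key ARN: {kms_key_arn}")
    return {"s3Destination": {"bucketName": bucket_name,
                              "keyPrefix": key_prefix,
                              "kmsKeyArn": kms_key_arn}}


def job_request(name, buckets, schedule="once", description="", client_token=None):
    """Build the keyword arguments for CreateClassificationJob.

    buckets:  mapping of account ID -> list of bucket names, which mirrors the
              console's 'Select S3 buckets' step (member-account buckets are
              keyed by their own account ID).
    schedule: "once" (a ONE_TIME job), or "daily", "weekly:<DAY>", "monthly:<1-31>"
              for a SCHEDULED job, as in the console's Scope step.
    """
    bucket_defs = [{"accountId": acct, "buckets": sorted(set(names))}
                   for acct, names in sorted(buckets.items()) if names]
    if not bucket_defs:
        raise ValueError("a job must target at least one bucket")
    req = {
        "clientToken": client_token or str(uuid.uuid4()),  # idempotency token
        "name": name,
        "s3JobDefinition": {"bucketDefinitions": bucket_defs},
        # Default settings: every managed data identifier, no custom ones.
        # Add customDataIdentifierIds=[...] to extend the job.
        "managedDataIdentifierSelector": "ALL",
    }
    if description:
        req["description"] = description
    if schedule == "once":
        req["jobType"] = "ONE_TIME"
        return req
    req["jobType"] = "SCHEDULED"
    kind, _, arg = schedule.partition(":")
    if kind == "daily":
        req["scheduleFrequency"] = {"dailySchedule": {}}
    elif kind == "weekly":
        if arg not in VALID_DAYS:
            raise ValueError(f"invalid day of week: {arg!r}")
        req["scheduleFrequency"] = {"weeklySchedule": {"dayOfWeek": arg}}
    elif kind == "monthly":
        day = int(arg) if arg.isdigit() else 0
        if not 1 <= day <= 31:
            raise ValueError(f"invalid day of month: {arg!r}")
        req["scheduleFrequency"] = {"monthlySchedule": {"dayOfMonth": day}}
    else:
        raise ValueError(f"unknown schedule: {schedule!r}")
    return req


def macie_client(region):
    import boto3  # imported here so the request builders above need no SDK
    return boto3.client("macie2", region_name=region)


def configure_and_run(region, results_bucket, kms_key_arn, buckets, job_name,
                      poll_seconds=30):
    """Steps 2 and 3 end to end: set the repository, create a one-time job,
    and poll until it leaves the RUNNING state. Returns (job_id, final status)."""
    macie = macie_client(region)
    macie.put_classification_export_configuration(
        configuration=export_configuration(results_bucket, kms_key_arn))
    job_id = macie.create_classification_job(**job_request(job_name, buckets))["jobId"]
    while True:
        status = macie.describe_classification_job(jobId=job_id)["jobStatus"]
        # COMPLETE, CANCELLED, PAUSED (quota) and IDLE (scheduled, between runs)
        # are all worth returning to the caller rather than spinning on.
        if status != "RUNNING":
            return job_id, status
        time.sleep(poll_seconds)


if __name__ == "__main__":  # placeholder values; needs AWS credentials to run
    print(configure_and_run(
        region="us-east-1",
        results_bucket="example-macie-results",
        kms_key_arn="arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
        buckets={"111122223333": ["example-data-lake", "example-exports"]},
        job_name="getting-started-one-time"))
```

The request builders are kept separate from the API calls so the job definition can be reviewed (or unit tested) before anything is created; the client token makes a retried CreateClassificationJob call safe against creating duplicate jobs.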

Step 4: Review your findings

Macie monitors your S3 buckets and reports any potential policy violations as policy findings. If you create and run a sensitive data discovery job, Macie reports any sensitive data that it discovers as sensitive data findings. To learn about findings, see Analyzing findings.

Use the following procedure to view detailed information for your findings.

To view your findings

  1. Open the Macie console at https://console.aws.amazon.com/macie/.

  2. In the navigation pane, choose Findings.

  3. (Optional) To filter the findings by specific criteria, use the filter bar above the table to enter the criteria.

  4. To view the details of a specific finding, choose any field other than the check box for the finding. The details panel displays information for the finding.
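Beyond reading findings one at a time in the console, a practitioner usually wants the two kinds of findings correlated: a sensitive data finding matters most in a bucket that also carries a policy finding saying the bucket is public or shared outside the account. The following added example (written for this page, not Macie documentation code) retrieves findings with the boto3 "macie2" client and ranks buckets by that combination. The SAMPLE_FINDINGS list is constructed to match the shape of GetFindings output so the triage logic runs offline; the finding types it uses are real Macie types, but the buckets, keys and IDs are placeholders.

```python
"""Retrieve Macie findings and rank buckets for triage.

Added example for this page (not Macie documentation code). The sample
findings are constructed and only shaped like GetFindings output.
"""
from collections import defaultdict

# Policy finding types that mean the bucket is reachable from outside the account.
EXPOSURE_TYPES = {
    "Policy:IAMUser/S3BucketPublic",
    "Policy:IAMUser/S3BucketSharedExternally",
}

# Constructed sample: two buckets, mixing policy and sensitive data findings.
SAMPLE_FINDINGS = [
    {"id": "f-1", "category": "POLICY", "type": "Policy:IAMUser/S3BucketPublic",
     "severity": {"description": "High", "score": 3},
     "resourcesAffected": {"s3Bucket": {"name": "example-public-logs"}}},
    {"id": "f-2", "category": "CLASSIFICATION", "type": "SensitiveData:S3Object/Personal",
     "severity": {"description": "High", "score": 3},
     "resourcesAffected": {"s3Bucket": {"name": "example-public-logs"},
                           "s3Object": {"key": "exports/customers.csv"}}},
    {"id": "f-3", "category": "CLASSIFICATION", "type": "SensitiveData:S3Object/Credentials",
     "severity": {"description": "Medium", "score": 2},
     "resourcesAffected": {"s3Bucket": {"name": "example-internal"},
                           "s3Object": {"key": "cfg/app.env"}}},
    {"id": "f-4", "category": "POLICY", "type": "Policy:IAMUser/S3BucketEncryptionDisabled",
     "severity": {"description": "Medium", "score": 2},
     "resourcesAffected": {"s3Bucket": {"name": "example-internal"}}},
]


def fetch_findings(macie, category=None, batch=50):
    """ListFindings (paginated) followed by GetFindings in batches.

    category: "POLICY" or "CLASSIFICATION" to fetch one kind, None for both.
    batch: IDs per GetFindings call; an assumed conservative size.
    """
    kwargs = {}
    if category:
        kwargs["findingCriteria"] = {"criterion": {"category": {"eq": [category]}}}
    ids = []
    while True:
        page = macie.list_findings(**kwargs)
        ids.extend(page.get("findingIds", []))
        token = page.get("nextToken")
        if not token:
            break
        kwargs["nextToken"] = token
    findings = []
    for i in range(0, len(ids), batch):
        findings.extend(macie.get_findings(findingIds=ids[i:i + batch]).get("findings", []))
    return findings


def triage(findings):
    """Group findings by bucket and order buckets for review.

    A bucket is 'exposed' when it has at least one sensitive data finding and
    a policy finding from EXPOSURE_TYPES. Exposed buckets sort first, then by
    the highest severity score seen, then by name.
    """
    per_bucket = defaultdict(lambda: {"policy": set(), "objects": [], "score": 0})
    for f in findings:
        affected = f.get("resourcesAffected", {})
        name = affected.get("s3Bucket", {}).get("name", "<unknown>")
        entry = per_bucket[name]
        entry["score"] = max(entry["score"], f.get("severity", {}).get("score", 0))
        if f.get("category") == "POLICY":
            entry["policy"].add(f.get("type", ""))
        elif f.get("category") == "CLASSIFICATION":
            entry["objects"].append(affected.get("s3Object", {}).get("key", "<unknown>"))
    rows = []
    for name, e in per_bucket.items():
        rows.append({
            "bucket": name,
            "exposed": bool(e["objects"]) and bool(e["policy"] & EXPOSURE_TYPES),
            "max_severity": e["score"],
            "sensitive_objects": sorted(e["objects"]),
            "policy_findings": sorted(e["policy"]),
        })
    rows.sort(key=lambda r: (not r["exposed"], -r["max_severity"], r["bucket"]))
    return rows


if __name__ == "__main__":
    # Offline run over the constructed sample. With credentials, replace with:
    #   import boto3; rows = triage(fetch_findings(boto3.client("macie2", region_name="us-east-1")))
    for row in triage(SAMPLE_FINDINGS):
        flag = "EXPOSED " if row["exposed"] else "        "
        print(f"{flag}{row['bucket']:<24} sev={row['max_severity']} "
              f"objects={len(row['sensitive_objects'])} policy={row['policy_findings']}")
```

Policy findings are about the bucket and sensitive data findings are about individual objects, so the join key is the bucket name from resourcesAffected; that is also the field to filter on in the console's findings filter bar when you want to see everything Macie reported for one bucket.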