Getting started with Amazon Macie - Amazon Macie

Getting started with Amazon Macie

This tutorial provides a hands-on introduction to Amazon Macie.

Before you begin

When you sign up for Amazon Web Services (AWS), your account is automatically signed up for all AWS services, including Amazon Macie. However, to enable and use Macie, you have to first set up permissions that allow you to access the Amazon Macie console and API operations. You can do this by using the AWS Identity and Access Management (IAM) console to attach the AmazonMacieFullAccess managed policy to your IAM identity. To learn more, see Managed policies in the IAM User Guide.

Step 1: Enable Amazon Macie

After you set up the required permissions, you can enable Macie. Follow these steps to enable Macie.

To enable Macie

  1. Open the Macie console at

  2. By using the AWS Region selector in the upper-right corner of the page, select the Region in which you want to enable Macie.

  3. Choose Get started.

  4. (Optional) When you enable Macie, Macie creates a service-linked role that grants Macie the permissions that it requires to call other AWS services on your behalf. To learn more about this role, see Service-linked roles for Amazon Macie.

  5. Choose Enable Macie.

Within minutes, Macie generates an inventory of the Amazon Simple Storage Service (Amazon S3) buckets for your account in the current Region. Macie also begins monitoring the buckets for security and access control.

To review your bucket inventory, choose S3 buckets in the navigation pane on the console. To then display details about a bucket, choose the bucket's name in the table. The details panel displays statistics and other information that provides insight into the security and privacy of the bucket’s data. To learn more about these details, see Reviewing your S3 bucket inventory.

Step 2: Configure a repository for sensitive data discovery results

With Macie, you detect sensitive data by creating and running sensitive data discovery jobs. A sensitive data discovery job analyzes objects in S3 buckets to determine whether the objects contain sensitive data. If Macie discovers sensitive data in an object, Macie creates a sensitive data finding. A sensitive data finding is a detailed report of sensitive data that Macie found in an object.

Macie also creates a sensitive data discovery result for each object that you configure a job to analyze. A sensitive data discovery result is a record that logs details about the analysis of an object. This includes objects that don't contain sensitive data, and therefore don't produce a sensitive data finding, and objects that Macie can't analyze due to issues such as permissions settings. If an object does contain sensitive data, the sensitive data discovery result includes data from the corresponding sensitive data finding. It provides additional information too.

Macie stores your sensitive data discovery results for 90 days. To access the results and enable long-term storage and retention of them, configure Macie to store the results in an S3 bucket. You must do this within 30 days of enabling Macie. After you do this, the S3 bucket can serve as a definitive, long-term repository for all of your discovery results.

To learn how to configure a repository for your discovery results, see Storing and retaining sensitive data discovery results.

Step 3: Create a job to discover sensitive data

In Macie, sensitive data discovery jobs analyze objects in S3 buckets to detect and report sensitive data in those objects. Each job can use the built-in, managed data identifiers that Macie provides and custom data identifiers that you create. For information about the types of data that Macie can analyze, see Discovering sensitive data. For information about the types of sensitive data that Macie can detect, see Using managed data identifiers.

Follow these steps to create a job that runs once, immediately after you create it, and uses default settings. To learn how to create a job that runs periodically or uses custom settings, see Creating a sensitive data discovery job.

To create a sensitive data discovery job

  1. Open the Macie console at

  2. In the navigation pane, choose Jobs.

  3. Choose Create job.

  4. For the Choose S3 buckets step, choose Select specific buckets.

    Macie displays a complete inventory of the S3 buckets for your account in the current Region.

  5. Select the check box for each bucket that you want the job to analyze.


    To find specific buckets more easily, you can enter filter criteria in the filter bar above the table. You can also sort the inventory by choosing a column heading in the table.

  6. When you finish selecting buckets, choose Next.

  7. For the Review S3 buckets step, review and verify your bucket selections. Then choose Next.

  8. For the Refine the scope step, choose One-time job, and then choose Next.

  9. For the Select managed data identifiers step, choose All, and then choose Next.

  10. For the Select custom data identifiers step, choose Next.

  11. For the Enter a name and description step, enter a name and, optionally, a description of the job. Then choose Next.

  12. For the Review and create step, review the job's configuration settings and verify that they're correct.

    You can also review the total estimated cost (in US Dollars) of running the job. To learn more about this estimate, see Forecasting the cost of a sensitive data discovery job.

  13. When you finish reviewing and verifying the job's settings, choose Submit.

Macie immediately starts running the job. You can then monitor and check the status of the job.

Step 4: Review your findings

Macie automatically monitors your S3 buckets for security and access control, and it creates policy findings to report any potential policy violations. If you create and run a sensitive data discovery job, Macie creates sensitive data findings to report any sensitive data that it discovers. To learn about findings, see Analyzing findings.

Follow these steps to review the details of your findings.

To review your findings

  1. Open the Macie console at

  2. In the navigation pane, choose Findings.

  3. (Optional) To filter the findings by specific criteria, enter the criteria in the filter bar above the table.

  4. To view the details of a specific finding, choose any field other than the check box for the finding. The details panel displays information for the finding.