Getting started with Amazon Macie

This tutorial provides a hands-on introduction to Amazon Macie.

Before you begin

When you sign up for Amazon Web Services (AWS), your account is automatically signed up for all services in AWS, including Amazon Macie. However, to enable and use Macie, you have to first set up permissions that allow you to access the Amazon Macie console and API operations. You can do this by using the AWS Identity and Access Management (IAM) console to attach the AmazonMacieFullAccess managed policy to your IAM identity. To learn more, see Managed Policies in the IAM User Guide.

Step 1: Enable Amazon Macie

After you set up the required permissions, use the following procedure to enable Macie.

To enable Macie

  1. Open the Macie console at https://console.aws.amazon.com/macie/.

  2. Choose Get started.

  3. (Optional) Review the information about the service-linked role. When you enable Macie, it creates a service-linked role that grants Macie the permissions that it requires to call other AWS services on your behalf. See Service-linked roles to learn more about this role.

  4. Choose Enable Macie.

Within minutes, Macie generates an inventory of the Amazon Simple Storage Service (Amazon S3) buckets for your account. Macie also begins monitoring the buckets for potential policy violations. If your account is the Macie master account for an organization, this includes buckets for associated member accounts.

To view your bucket inventory, choose S3 buckets in the navigation pane on the console. To display details about a bucket, including security and access control settings for a bucket, choose the bucket's name in the list. The details panel displays information about the bucket.

Step 2: Configure a repository for sensitive data discovery results

With Macie, you create and run sensitive data discovery jobs to analyze objects in S3 buckets and report any sensitive data in those objects. When Macie runs a job, it creates a sensitive data finding if it discovers sensitive data in an object. A sensitive data finding is a detailed report of sensitive data that Macie finds in an object.

Macie also creates a sensitive data discovery result for each object that you configure a job to analyze. A sensitive data discovery result is a record that logs details about the analysis of an object. This includes objects that don't contain sensitive data, and therefore don't produce a sensitive data finding, and objects that Macie can't analyze due to issues such as permission settings. If an object does contain sensitive data, the sensitive data discovery result includes data from the corresponding sensitive data finding and provides additional information as well.

Macie stores your sensitive data discovery results for only 90 days. To access the results and retain them long term, configure Macie to store the results in an S3 bucket. You must do this within 30 days of enabling Macie. After you do this, the S3 bucket serves as a definitive, long-term repository for all of your discovery results.

To learn how to configure a repository for your discovery results, see Storing and retaining sensitive data discovery results.

Step 3: Create a job to discover sensitive data

In Macie, a job analyzes objects in S3 buckets to discover and report sensitive data. Each job uses the built-in, managed data identifiers that Macie provides and, optionally, custom data identifiers that you create. For information about the types of data that Macie can analyze, see Discovering sensitive data.

Use the following procedure to create and run a job with the default settings. To learn how to create and run a job with custom settings, see Creating a sensitive data discovery job.

To create a sensitive data discovery job

  1. In the navigation pane, choose Jobs.

  2. Choose Create job. Macie displays an inventory of all the S3 buckets for your account.

    If your account is the Macie master account for an organization, the inventory includes buckets for associated member accounts. To filter the inventory, use the filter bar above the table to enter filter criteria.

  3. For the Select S3 buckets step, select the check box for each bucket that you want the job to analyze. Then choose Next.

  4. For the Review S3 buckets step, review and verify your bucket selections. You can also review the estimated cost of running the job once, based on your current bucket selections. When you finish, choose Next.

  5. For the Scope step, specify how often you want the job to run—once, or periodically on a daily, weekly, or monthly basis. Then choose Next.

  6. For the Custom data identifiers step, choose Next.

  7. For the Name and description step, enter a name and, optionally, a description of the job. Then choose Next.

  8. For the Review and create step, review the configuration settings for the job and verify that they're correct. You can also review the estimated cost of running the job once, based on your bucket selections.

  9. When you finish reviewing and verifying the settings, choose Submit.

If you configured the job to run once, on a daily basis, or on the current day of the week or month, Macie immediately starts running the job. Otherwise, Macie prepares to run the job on the specified day of the week or month. To monitor the job, you can check the status of the job.
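The same job definition can be built programmatically. The following added example (not part of this guide or the Macie service code) assembles the create_classification_job request for the boto3 macie2 client from the same choices the wizard asks for; the account ID and bucket names are constructed placeholders, and the scheduled-job mapping onto the current weekday or day of month is an assumption about how the console anchors a recurring job.

```python
"""Build a Macie sensitive data discovery job request mirroring the console wizard."""
from datetime import date

WEEKDAYS = ["MONDAY", "TUESDAY", "WEDNESDAY", "THURSDAY", "FRIDAY", "SATURDAY", "SUNDAY"]


def build_job_request(name, account_id, buckets, frequency="once",
                      description="", custom_data_identifier_ids=(), today=None):
    """Return keyword arguments for macie2.create_classification_job().

    frequency: "once", "daily", "weekly" or "monthly" (the Scope step).
    Scheduled jobs are assumed to be anchored to today's weekday / day of month,
    which is why a job whose day matches the current day starts immediately.
    """
    if not buckets:
        raise ValueError("select at least one S3 bucket for the job to analyze")
    today = today or date.today()
    request = {
        "name": name,                                         # Name and description step
        "description": description,
        "customDataIdentifierIds": list(custom_data_identifier_ids),  # empty = defaults
        "s3JobDefinition": {                                  # Select S3 buckets step
            "bucketDefinitions": [{"accountId": account_id, "buckets": sorted(set(buckets))}]
        },
    }
    if frequency == "once":
        request["jobType"] = "ONE_TIME"
    elif frequency in ("daily", "weekly", "monthly"):
        request["jobType"] = "SCHEDULED"
        request["initialRun"] = True  # analyze existing objects on the first run
        if frequency == "daily":
            request["scheduleFrequency"] = {"dailySchedule": {}}
        elif frequency == "weekly":
            request["scheduleFrequency"] = {"weeklySchedule": {"dayOfWeek": WEEKDAYS[today.weekday()]}}
        else:
            request["scheduleFrequency"] = {"monthlySchedule": {"dayOfMonth": today.day}}
    else:
        raise ValueError(f"unsupported frequency: {frequency}")
    return request


def create_job(request, region="us-east-1"):
    """Submit the request (the Submit step); needs AWS credentials with Macie permissions."""
    import boto3  # imported here so the builder stays usable offline
    return boto3.client("macie2", region_name=region).create_classification_job(**request)["jobId"]


if __name__ == "__main__":
    req = build_job_request("weekly-pii-scan", "111122223333",   # constructed placeholders
                            ["example-app-uploads", "example-logs"], "weekly",
                            description="Weekly scan of two application buckets")
    print(req)  # pass req to create_job(req) to actually submit it
```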

Step 4: Review your findings

Macie monitors your S3 buckets and reports any potential policy violations as policy findings. If you create and run a sensitive data discovery job, Macie reports any sensitive data that it discovers as sensitive data findings. To learn about findings, see Analyzing findings.

Use the following procedure to view detailed information for your findings.

To view your findings

  1. Open the Macie console at https://console.aws.amazon.com/macie/.

  2. In the navigation pane, choose Findings.

  3. (Optional) To filter the findings by specific criteria, use the filter bar above the table to enter the criteria.

  4. To view the details of a specific finding, choose any field other than the check box for the finding. The details panel displays information for the finding.
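The filter bar criteria and the findings table can also be reproduced with the macie2 API. The following added example (not part of this guide or the Macie service code) builds findingCriteria for list_findings, pages through the matching IDs, hydrates them with get_findings, and rolls the findings up per bucket and finding type with the highest severity first; the SAMPLE_FINDINGS list is constructed to look like get_findings output so the summary runs offline.

```python
"""Filter and triage Macie findings the way the Findings page filter bar does."""
from collections import Counter

SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3}


def finding_criteria(category=None, min_severity=None, bucket=None):
    """Build the findingCriteria argument for macie2.list_findings().
    category: "POLICY" or "CLASSIFICATION"; min_severity: "Low", "Medium" or "High"."""
    criterion = {}
    if category:
        criterion["category"] = {"eq": [category]}
    if min_severity:
        wanted = [s for s, r in SEVERITY_RANK.items() if r >= SEVERITY_RANK[min_severity]]
        criterion["severity.description"] = {"eq": wanted}
    if bucket:
        criterion["resourcesAffected.s3Bucket.name"] = {"eq": [bucket]}
    return {"criterion": criterion}


def fetch_findings(criteria, region="us-east-1"):
    """Page through matching finding IDs and fetch full findings (needs AWS credentials)."""
    import boto3  # imported here so the offline helpers work without boto3 installed
    client = boto3.client("macie2", region_name=region)
    findings = []
    for page in client.get_paginator("list_findings").paginate(findingCriteria=criteria):
        ids = page.get("findingIds", [])
        for i in range(0, len(ids), 50):  # get_findings accepts at most 50 IDs per call
            findings.extend(client.get_findings(findingIds=ids[i:i + 50])["findings"])
    return findings


def summarize(findings):
    """Return (severity, bucket, type, occurrences) rows, most severe first."""
    counts = Counter()
    for f in findings:
        key = (f["severity"]["description"], f["resourcesAffected"]["s3Bucket"]["name"], f["type"])
        counts[key] += f.get("count", 1)  # "count" is the finding's occurrence count
    rows = [(sev, bucket, ftype, n) for (sev, bucket, ftype), n in counts.items()]
    return sorted(rows, key=lambda r: (-SEVERITY_RANK[r[0]], r[1], r[2]))


SAMPLE_FINDINGS = [  # constructed sample shaped like get_findings output, not real data
    {"id": "f-1", "category": "CLASSIFICATION", "type": "SensitiveData:S3Object/Personal",
     "severity": {"description": "High"}, "count": 12,
     "resourcesAffected": {"s3Bucket": {"name": "example-app-uploads"}}},
    {"id": "f-2", "category": "CLASSIFICATION", "type": "SensitiveData:S3Object/Personal",
     "severity": {"description": "High"}, "count": 3,
     "resourcesAffected": {"s3Bucket": {"name": "example-app-uploads"}}},
    {"id": "f-3", "category": "POLICY", "type": "Policy:IAMUser/S3BucketPublic",
     "severity": {"description": "Medium"}, "count": 1,
     "resourcesAffected": {"s3Bucket": {"name": "example-logs"}}},
]

if __name__ == "__main__":
    for row in summarize(SAMPLE_FINDINGS):  # swap in fetch_findings(finding_criteria(...)) for live data
        print(row)
```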