Reviewing your S3 bucket inventory with Amazon Macie - Amazon Macie

Reviewing your S3 bucket inventory with Amazon Macie

On the Amazon Macie console, the S3 buckets page provides detailed insight into the security and privacy of your Amazon Simple Storage Service (Amazon S3) data. With this page, you can review and analyze a complete inventory of your S3 buckets in the current AWS Region, and review detailed information and statistics for individual buckets. You can also determine when Macie most recently retrieved both bucket and object metadata for your account as part of the daily refresh cycle. The Last updated field at the top of the page provides this information. For more information, see Data refreshes. If you're the Macie administrator for an organization, your inventory includes details and statistics for S3 buckets that are owned by member accounts in your organization.

If automated sensitive data discovery is enabled for your account, you can also use the S3 buckets page to review the results of automated sensitive data discovery activities that Macie has performed for your account or organization. For detailed information about those results, see Reviewing automated discovery statistics and results.

Note that most inventory data is limited to the buckets that Macie is allowed to access for your account. If a bucket's permissions settings prevent Macie from retrieving information about the bucket or the bucket's objects, Macie can only provide a subset of information about the bucket: the account ID for the AWS account that owns the bucket; the bucket's name, Amazon Resource Name (ARN), creation date, and Region; and the date and time when Macie most recently retrieved both bucket and object metadata for the bucket as part of the daily refresh cycle. Such a bucket should be treated as unreviewed rather than clean. To investigate the issue, review the bucket's policy and permissions settings in Amazon S3. For example, the bucket might have a restrictive bucket policy. For more information, see Allowing Macie to access S3 buckets and objects.

If you prefer to access and query your inventory data programmatically, you can use the DescribeBuckets operation of the Amazon Macie API.

Reviewing your S3 bucket inventory

The S3 buckets page on the Amazon Macie console provides information about your S3 buckets in the current AWS Region. On this page, a table displays summary information for each bucket in your inventory. To customize your view, you can sort and filter the table.

If you choose a bucket in the table, the details panel displays additional information about the bucket. This includes details and statistics for settings and metrics that provide insight into the security and privacy of the bucket’s data.

To review your S3 bucket inventory

  1. Open the Macie console at https://console.aws.amazon.com/macie/.

  2. In the navigation pane, choose S3 buckets. The S3 buckets page opens and displays the number of buckets in your inventory and a table of the buckets.

  3. At the top of the page, optionally choose refresh to retrieve the latest bucket metadata from Amazon S3.

    If the information icon appears next to any bucket names, we recommend that you do this. This icon indicates that the bucket was created during the past 24 hours, possibly after Macie last retrieved bucket and object metadata from Amazon S3 as part of the daily refresh cycle.

  4. On the S3 buckets page, use the table to review a subset of information about each bucket in your inventory:

    • Bucket – The name of the bucket.

    • Account – The account ID for the AWS account that owns the bucket.

    • Classifiable objects – The total number of objects that Macie can analyze to detect sensitive data in the bucket.

    • Classifiable size – The total storage size of all the objects that Macie can analyze to detect sensitive data in the bucket.

      Note that this value doesn’t reflect the actual size of any compressed objects after they're decompressed. Also, if versioning is enabled for the bucket, this value is based on the storage size of the latest version of each object in the bucket.

    • Monitored by job – Specifies whether any sensitive data discovery jobs are configured to periodically analyze objects in the bucket on a daily, weekly, or monthly basis.

      If the value for this field is Yes, the bucket is explicitly included in a periodic job or the bucket matched the criteria for a periodic job within the past 24 hours. In addition, the status of at least one of those jobs is not Cancelled. Macie updates this data on a daily basis.

    • Latest job run – If any one-time or periodic sensitive data discovery jobs are configured to analyze objects in the bucket, the value for this field indicates when one of those jobs most recently started to run. Otherwise, this field is empty.

    In the preceding data, objects are classifiable if they use a supported Amazon S3 storage class and have a file name extension for a supported file or storage format. You can detect sensitive data in these objects by creating and running a sensitive data discovery job: select the check box for each bucket that contains objects to analyze, and then choose Create job. For more information, see Running sensitive data discovery jobs.

  5. To analyze your inventory by using the table, do any of the following:

    • To sort the table by a specific field, click the column heading for the field. To change the sort order, click the column heading again.

    • To filter the table and display only those buckets that have a specific value for a field, place your cursor in the filter bar, and then add a filter condition for the field. To further refine the results, add filter conditions for additional fields. For more information, see Filtering your S3 bucket inventory.

  6. To review details and statistics for a particular bucket, choose the bucket's name in the table, and then refer to the details panel.

    Tip

    You can pivot and drill down on many of the fields in the bucket details panel. To show buckets that have the same value for a field, choose the magnifying glass with a plus sign next to the field. To show buckets that have other values for a field, choose the magnifying glass with a minus sign next to the field.

Reviewing the details of S3 buckets

On the Amazon Macie console, you can use the details panel on the S3 buckets page to review statistics and other information about individual S3 buckets in your bucket inventory. This includes details and statistics for settings and metrics that provide insight into the security and privacy of a bucket’s data.

For example, you can review breakdowns of a bucket’s public access settings, and determine whether a bucket replicates objects or is shared with other AWS accounts. You can also determine whether any sensitive data discovery jobs are configured to inspect the bucket for sensitive data. If there are, you can access details about the job that ran most recently and then optionally display any findings that the job produced.

To review the details of an S3 bucket

  1. Open the Macie console at https://console.aws.amazon.com/macie/.

  2. In the navigation pane, choose S3 buckets.

  3. On the S3 buckets page, optionally choose refresh to retrieve the latest bucket metadata from Amazon S3.

    If the information icon appears next to any bucket names, we recommend that you do this. This icon indicates that the bucket was created during the past 24 hours, possibly after Macie last retrieved bucket and object metadata from Amazon S3 as part of the daily refresh cycle.

  4. In the S3 buckets table, choose the name of the bucket whose details you want to review. The details panel displays statistics and other information about the bucket.

In the bucket details panel, bucket statistics and information are organized into the primary sections described below.

As you review the information in each section, you can optionally pivot and drill down on certain fields. To show buckets that have the same value for a field, choose the magnifying glass with a plus sign next to the field. To show buckets that have other values for a field, choose the magnifying glass with a minus sign next to the field.

Overview

This section provides general information about the bucket, such as the bucket’s name, when the bucket was created, and the account ID for the AWS account that owns the bucket. The Last updated field indicates when Macie most recently retrieved metadata from Amazon S3 for both the bucket and the bucket’s objects as part of the daily refresh cycle.

Of special note, the Shared access field indicates whether the bucket is shared with other AWS accounts and, if so, whether those accounts are internal to (part of) or external to (not part of) your organization. An organization is a set of Macie accounts that are centrally managed as a group of related accounts through AWS Organizations or by Macie invitation. To determine the value for this field, Macie analyzes the bucket policy and access control list (ACL) for the bucket. Note that this data is limited to bucket-level settings. It doesn’t reflect any object-level settings for sharing specific objects with another account.

If automated sensitive data discovery is enabled for your account, the Latest automated discovery run field indicates when Macie most recently analyzed objects in the bucket while performing automated discovery. If automated discovery is disabled for your account, a dash (–) appears in this field.

Object statistics

This section provides information about the objects in the bucket, starting with the total number of objects in the bucket, the total storage size of all those objects, and the total storage size of all the objects that are compressed (.gz, .gzip, or .zip) files. If versioning is enabled for the bucket, the size values are based on the size of the latest version of each object in the bucket.

If you recently created the bucket or made significant changes to the bucket's objects during the past 24 hours, optionally choose refresh to retrieve the latest metadata for the bucket's objects. Macie displays the information icon to help you determine whether this might be the case. The refresh option is available only if the bucket contains 30,000 or fewer objects.

Note

If you refresh object metadata for a bucket, Macie temporarily reports Unknown for encryption statistics that apply to the objects. Macie will re-evaluate and update the data for these statistics when it performs the next daily refresh of bucket and object metadata, which is within 24 hours.

Additional statistics in this section can help you assess how much data Macie can analyze to detect sensitive data in the bucket.

Classifiable objects

This section indicates the total number of objects that Macie can analyze to detect sensitive data and the total storage size of those objects. These objects use a supported Amazon S3 storage class (S3 Intelligent-Tiering, S3 One Zone-IA, S3 Standard, or S3 Standard-IA) and have a file name extension for a supported file or storage format. This means that you can detect sensitive data in the objects by creating and running a sensitive data discovery job. For more information, see Discovering sensitive data.

Note that the value in the Total storage size field doesn’t reflect the actual size of any compressed objects after they're decompressed. Also, if versioning is enabled for the bucket, this value is based on the storage size of the latest version of each object in the bucket.

Unclassifiable objects

This section indicates the total number of objects that Macie can’t analyze to detect sensitive data and the total storage size of those objects. These objects don’t use a supported Amazon S3 storage class (S3 Intelligent-Tiering, S3 One Zone-IA, S3 Standard, or S3 Standard-IA) or don’t have a file name extension for a supported file or storage format.

Note that the value in the Total storage size field doesn’t reflect the actual size of any compressed objects after they're decompressed. Also, if versioning is enabled for the bucket, this value is based on the storage size of the latest version of each object in the bucket.

Unclassifiable objects: Storage class

This section provides a breakdown of the number and storage size of the objects that Macie can’t analyze because the objects don’t use a supported Amazon S3 storage class.

The value in the Storage size field doesn’t reflect the actual size of any compressed objects after they're decompressed. Also, if versioning is enabled for the bucket, this value is based on the storage size of the latest version of each applicable object in the bucket.

Unclassifiable objects: File type

This section provides a breakdown of the number and storage size of the objects that Macie can’t analyze because the objects don’t have a file name extension for a supported file or storage format.

The value in the Storage size field doesn’t reflect the actual size of any compressed objects after they're decompressed. Also, if versioning is enabled for the bucket, this value is based on the storage size of the latest version of each applicable object in the bucket.

Objects by encryption type

This section provides a breakdown of the number of objects that use each type of encryption that Amazon S3 supports:

  • Customer managed – The number of objects that are encrypted with a customer-provided key, that is, a key the client supplies with each request. These objects use SSE-C encryption. Don't confuse this with objects encrypted under a customer managed AWS KMS key; those are counted under SSE-KMS managed.

  • SSE-KMS managed – The number of objects that are encrypted with an AWS KMS key, either an AWS managed KMS key or a customer managed KMS key. These objects use SSE-KMS encryption.

  • SSE-S3 managed – The number of objects that are encrypted with an Amazon S3 managed key. These objects use SSE-S3 encryption.

  • No encryption – The number of objects that aren’t encrypted or use client-side encryption. (If an object is encrypted using client-side encryption, Macie can't access and report encryption data for the object.)

  • Unknown – The number of objects that Macie doesn't have current encryption metadata for. This typically occurs if you recently chose to manually refresh the metadata for the bucket's objects. Macie will update the encryption statistics when it performs the next daily refresh of bucket and object metadata, which is within 24 hours.

For information about each supported encryption type, see Protecting data using encryption in the Amazon Simple Storage Service User Guide.

Server-side encryption

This section provides insight into the server-side encryption settings for the bucket.

The Encryption required by bucket policy field indicates whether the bucket's policy requires server-side encryption of objects when objects are uploaded to the bucket:

  • No – The bucket doesn't have a bucket policy or the bucket's policy doesn't require server-side encryption of new objects. If a bucket policy exists, it doesn't require PutObject requests to include a valid server-side encryption header.

  • Yes – The bucket's policy requires server-side encryption of new objects. PutObject requests for the bucket must include a valid server-side encryption header. Otherwise, Amazon S3 denies the request.

  • Unknown – Macie wasn't able to evaluate the bucket policy to determine whether it requires server-side encryption of new objects.

For this assessment, valid server-side encryption headers are: x-amz-server-side-encryption with a value of AES256 or aws:kms, and x-amz-server-side-encryption-customer-algorithm with a value of AES256. For information about using bucket policies to require server-side encryption of new objects, see Protecting data using server-side encryption in the Amazon Simple Storage Service User Guide.
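The assessment above can be reproduced against a bucket policy document. The following is an added example in Python, not code from the Macie documentation or from AWS. REQUIRE_SSE_POLICY is the widely used two-statement pattern (one statement denies a wrong header value, the other denies a missing header) with a placeholder bucket name; READ_ONLY_POLICY is a constructed policy that exists but says nothing about encryption. policy_requires_sse() is a deliberately narrow evaluator that looks only at explicit Deny statements on s3:PutObject and understands the StringEquals, StringNotEquals and Null operators; it is not an IAM policy engine.

```python
"""Mirror Macie's "Encryption required by bucket policy" check on a policy.

Added example, not code from the Macie documentation. The bucket name is a
placeholder and both policies are constructed. The evaluator only considers
explicit Deny statements on s3:PutObject; use IAM Access Analyzer or the S3
console for an authoritative answer.
"""
import json
from typing import Any, Dict, List, Optional

BUCKET = "amzn-s3-demo-bucket"  # placeholder, not a real bucket
SSE_KEY = "s3:x-amz-server-side-encryption"
SSE_C_KEY = "s3:x-amz-server-side-encryption-customer-algorithm"

REQUIRE_SSE_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [
        {   # header present but not AES256 / aws:kms
            "Sid": "DenyIncorrectEncryptionHeader",
            "Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{BUCKET}/*",
            "Condition": {"StringNotEquals": {SSE_KEY: ["AES256", "aws:kms"]}},
        },
        {   # header missing altogether
            "Sid": "DenyUnencryptedObjectUploads",
            "Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{BUCKET}/*",
            "Condition": {"Null": {SSE_KEY: "true"}},
        },
    ],
}

# A policy that exists but says nothing about encryption: Macie reports "No".
READ_ONLY_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
        "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{BUCKET}/*",
    }],
}


def _as_list(v: Any) -> List[Any]:
    return v if isinstance(v, list) else [v]


def _condition_matches(cond: Dict[str, Dict[str, Any]], ctx: Dict[str, str]) -> bool:
    """True when every operator/key pair in a Condition block is satisfied."""
    for op, pairs in cond.items():
        for key, values in pairs.items():
            actual = ctx.get(key)
            if op == "StringEquals":
                if actual is None or actual not in _as_list(values):
                    return False
            elif op == "StringNotEquals":
                # Conservative reading: a missing key does not match here, which
                # is why the pattern carries a separate Null statement. Check the
                # IAM condition-operator docs for the exact missing-key rule.
                if actual is None or actual in _as_list(values):
                    return False
            elif op == "Null":
                want_absent = str(_as_list(values)[0]).lower() == "true"
                if (actual is None) != want_absent:
                    return False
            else:
                return False  # unsupported operator: assume it does not fire
    return True


def put_object_denied(policy: Dict[str, Any], ctx: Dict[str, str]) -> bool:
    """Does any explicit Deny fire for a PutObject carrying these headers?"""
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Deny":
            continue
        actions = _as_list(st.get("Action", []))
        if not any(a in ("s3:PutObject", "s3:*", "*") for a in actions):
            continue
        if _condition_matches(st.get("Condition", {}), ctx):
            return True
    return False


def policy_requires_sse(policy: Optional[Dict[str, Any]]) -> bool:
    """Yes/No as Macie reports it: an upload with no SSE header is denied while
    at least one upload carrying a valid header is not."""
    if not policy:
        return False  # no bucket policy at all
    denies_plain = put_object_denied(policy, {})
    valid = ({SSE_KEY: "AES256"}, {SSE_KEY: "aws:kms"}, {SSE_C_KEY: "AES256"})
    permits_valid = any(not put_object_denied(policy, h) for h in valid)
    return denies_plain and permits_valid


def macie_label(policy_json: Optional[str]) -> str:
    """Accepts the policy as S3 returns it (a JSON string) or None."""
    policy = json.loads(policy_json) if policy_json else None
    return "Yes" if policy_requires_sse(policy) else "No"


if __name__ == "__main__":
    print("require-SSE policy:", macie_label(json.dumps(REQUIRE_SSE_POLICY)))
    print("read-only policy:  ", macie_label(json.dumps(READ_ONLY_POLICY)))
    print("no policy:         ", macie_label(None))
```

Two things worth noticing. The two-statement pattern rejects SSE-C uploads as well, because an SSE-C request carries no x-amz-server-side-encryption header and so trips the Null statement; that is stricter than what Macie's Yes requires and is usually what you want. And a bucket that reports Yes here still shows unencrypted objects under Objects by encryption type if they were uploaded before the policy was attached; the policy governs new PutObject requests only.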

The Default encryption field indicates whether default encryption is enabled for the bucket and, if so, the type of server-side encryption that's used:

  • AES256 – New objects are encrypted automatically with an Amazon S3 managed key. Default encryption is enabled for the bucket and it uses SSE-S3 encryption.

  • aws:kms – New objects are encrypted automatically with an AWS KMS key, either an AWS managed KMS key or a customer managed KMS key. Default encryption is enabled for the bucket and it uses SSE-KMS encryption. The KMS key field shows the Amazon Resource Name (ARN) or unique identifier (key ID) for the KMS key that's used.

  • None – New objects aren't encrypted automatically. Default encryption is disabled for the bucket.

For information about configuring default encryption settings, see Setting default server-side encryption behavior for S3 buckets in the Amazon Simple Storage Service User Guide.

Sensitive data discovery

This section indicates whether any periodic sensitive data discovery jobs are configured to inspect the bucket for sensitive data on a daily, weekly, or monthly basis. If the value for the Actively monitored by job field is Yes, the bucket is explicitly included in a periodic job or the bucket matched the criteria for a periodic job within the past 24 hours. In addition, the status of at least one of those jobs is not Cancelled. Macie updates this data on a daily basis.

If any type of sensitive data discovery job (either a periodic job or a one-time job) is configured to inspect the bucket, the Latest job field provides the unique identifier for the job that most recently started to run. The Latest job run field indicates when that job started to run.

Tip

To display all the sensitive data findings that the job produced, choose the link in the Latest job field. In the job details panel that appears, choose Show results at the top of the panel, and then choose Show findings.

Public access

This section indicates whether the bucket is publicly accessible, and it provides a breakdown of the various account- and bucket-level settings that determine whether the bucket is publicly accessible. The Effective permission field indicates the cumulative result of these settings:

  • Not public – The bucket isn’t publicly accessible.

  • Public – The bucket is publicly accessible.

  • Unknown – Macie wasn’t able to evaluate all the public access settings for the bucket.

Note that this data is limited to account- and bucket-level settings. It doesn’t reflect object-level settings that enable public access to specific objects in a bucket.

To learn about Amazon S3 settings for managing public access to buckets and bucket data, see Identity and access management in Amazon S3 and Blocking public access to your Amazon S3 storage in the Amazon Simple Storage Service User Guide.

Replication

In this section, the Replicated field indicates whether the bucket is configured to replicate objects to buckets that are owned by other AWS accounts. If the bucket is configured to do this, this section also lists the account IDs for those accounts.

The Replicated externally field indicates whether bucket objects are replicated to AWS accounts that are external to (aren’t part of) your organization. An organization is a set of Macie accounts that are centrally managed as a group of related accounts through AWS Organizations or by Macie invitation.

To learn about Amazon S3 options and settings for replicating bucket objects, see Replicating objects in the Amazon Simple Storage Service User Guide.

Tags

If tags are associated with the bucket, this section appears in the panel and lists those tags. Tags are labels that you can define and assign to certain types of AWS resources, including S3 buckets. Each tag consists of a required tag key and an optional tag value.

To learn about tagging buckets, see Using cost allocation S3 bucket tags in the Amazon Simple Storage Service User Guide.
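The fields described in the preceding sections are the same ones the DescribeBuckets operation mentioned at the top of this page returns, so the checks a reviewer makes by eye in the details panel can be scripted across the whole inventory. The following is an added example in Python, not code from the Macie documentation or from AWS. It triages a constructed DescribeBuckets-shaped sample offline and includes a boto3 fetch for the live inventory. Field names are taken from the Macie2 API reference as documented at the time of writing and should be verified against the current reference; the sample account IDs, bucket names and the ACCESS_DENIED errorCode value are assumptions.

```python
"""Triage a Macie S3 bucket inventory as returned by DescribeBuckets.

Added example, not code from the Macie documentation. Field names follow the
Macie2 DescribeBuckets response (BucketMetadata) as documented at the time of
writing; verify them against the current API reference. SAMPLE_BUCKETS is
constructed data with made-up account IDs and names.
"""
from typing import Dict, List, Optional

# Constructed sample shaped like the "buckets" array of one DescribeBuckets page.
SAMPLE_BUCKETS: List[Dict] = [
    {   # trips every check: public, shared and replicated outside the org,
        # no default encryption, unencrypted objects, no periodic job
        "accountId": "111122223333", "bucketName": "payroll-exports",
        "region": "us-east-1", "classifiableObjectCount": 4200,
        "allowsUnencryptedObjectUploads": "TRUE",
        "serverSideEncryption": {"type": "NONE"},
        "objectCountByEncryptionType": {"customerManaged": 0, "kmsManaged": 0,
                                        "s3Managed": 4000, "unencrypted": 200,
                                        "unknown": 0},
        "publicAccess": {"effectivePermission": "PUBLIC"},
        "sharedAccess": "EXTERNAL",
        "replicationDetails": {"replicated": True, "replicatedExternally": True,
                               "replicationAccounts": ["999988887777"]},
        "jobDetails": {"isDefinedInJob": "FALSE", "isMonitoredByJob": "FALSE"},
    },
    {   # well configured: nothing to report
        "accountId": "111122223333", "bucketName": "app-logs",
        "region": "us-east-1", "classifiableObjectCount": 15000,
        "allowsUnencryptedObjectUploads": "FALSE",
        "serverSideEncryption": {"type": "aws:kms",
                                 "kmsMasterKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE"},
        "objectCountByEncryptionType": {"customerManaged": 0, "kmsManaged": 15000,
                                        "s3Managed": 0, "unencrypted": 0, "unknown": 0},
        "publicAccess": {"effectivePermission": "NOT_PUBLIC"},
        "sharedAccess": "NOT_SHARED",
        "replicationDetails": {"replicated": False, "replicatedExternally": False,
                               "replicationAccounts": []},
        "jobDetails": {"isDefinedInJob": "TRUE", "isMonitoredByJob": "TRUE"},
    },
    {   # Macie is blocked by the bucket's permissions: only identity fields and
        # an error come back (errorCode value assumed, not taken from the page)
        "accountId": "444455556666", "bucketName": "locked-down",
        "region": "us-east-1", "errorCode": "ACCESS_DENIED",
        "errorMessage": "Macie is not allowed to read this bucket",
    },
]


def triage_bucket(b: Dict) -> List[str]:
    """Reasons a bucket needs a closer look (empty list if none). Each check
    maps onto a details-panel field described on this page."""
    if b.get("errorCode"):
        # Macie could not read the bucket: the record is incomplete, not clean.
        return [f"inventory incomplete, Macie access error {b['errorCode']}"]
    reasons: List[str] = []
    if b.get("publicAccess", {}).get("effectivePermission") == "PUBLIC":
        reasons.append("effective permission is Public")
    if b.get("sharedAccess") == "EXTERNAL":
        reasons.append("shared with accounts outside the organization")
    if b.get("replicationDetails", {}).get("replicatedExternally"):
        reasons.append("replicates objects to accounts outside the organization")
    if (b.get("serverSideEncryption", {}).get("type", "NONE") == "NONE"
            and b.get("allowsUnencryptedObjectUploads") == "TRUE"):
        reasons.append("no default encryption and policy does not require SSE")
    unencrypted = b.get("objectCountByEncryptionType", {}).get("unencrypted", 0)
    if unencrypted:
        reasons.append(f"{unencrypted} objects stored without encryption")
    if (b.get("classifiableObjectCount", 0) > 0
            and b.get("jobDetails", {}).get("isMonitoredByJob") != "TRUE"):
        reasons.append("classifiable objects but no periodic discovery job")
    return reasons


def triage_inventory(buckets: List[Dict]) -> Dict[str, List[str]]:
    """Map bucket name -> reasons, leaving out buckets with nothing to report."""
    flagged: Dict[str, List[str]] = {}
    for b in buckets:
        reasons = triage_bucket(b)
        if reasons:
            flagged[b["bucketName"]] = reasons
    return flagged


def fetch_inventory(region: str, criteria: Optional[Dict] = None) -> List[Dict]:
    """Pull the live inventory with boto3 (needs credentials and Macie enabled).
    criteria uses the DescribeBuckets filter syntax, for example
    {"publicAccess.effectivePermission": {"eq": ["PUBLIC"]}}; None means all."""
    import boto3  # imported here so the offline triage above needs no AWS SDK
    client = boto3.client("macie2", region_name=region)
    pages = client.get_paginator("describe_buckets").paginate(criteria=criteria or {})
    return [b for page in pages for b in page.get("buckets", [])]


if __name__ == "__main__":
    for name, why in triage_inventory(SAMPLE_BUCKETS).items():
        print(name, "->", "; ".join(why))
```

Run against a live account by replacing SAMPLE_BUCKETS with fetch_inventory("us-east-1"). Keep the refresh cycle in mind when reading the output: the inventory is what Macie retrieved at the last daily refresh, so a bucket created today may be missing, and after a manual object-metadata refresh the encryption counts sit under unknown until the next cycle.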