Monitoring data security and privacy with Amazon Macie - Amazon Macie

Monitoring data security and privacy with Amazon Macie

When you enable Amazon Macie for your AWS account, Macie automatically generates and begins maintaining a complete inventory of your Amazon Simple Storage Service (Amazon S3) buckets in the current AWS Region. Macie also begins evaluating and monitoring the buckets for security and access control. If Macie detects an event that reduces the security or privacy of an S3 bucket, Macie creates a policy finding for you to review and remediate as necessary.

To also evaluate and monitor S3 buckets for the presence of sensitive data, you can create and run sensitive data discovery jobs. Sensitive data discovery jobs can perform incremental analysis of bucket objects on a daily, weekly, or monthly basis. Depending on your account settings, you can also configure Macie to perform automated sensitive data discovery for your buckets. Automated sensitive data discovery uses sampling techniques to continually identify, select, and analyze representative objects in your buckets. If Macie detects sensitive data in an S3 object, Macie creates a sensitive data finding to notify you of the sensitive data that Macie found. For more information, see Discovering sensitive data.

In addition to findings, Macie provides constant visibility into the security and privacy of your Amazon S3 data. To assess the security posture of your data and determine where to take action, you can use the Summary dashboard on the console. The dashboard provides a snapshot of aggregated statistics for your Amazon S3 data. The statistics include data for key security metrics such as the number of buckets that are publicly accessible or are shared with other AWS accounts. The dashboard also displays groups of aggregated findings data for your account—for example, the names of 1–5 buckets that have the most findings for the preceding seven days. You can drill down on each statistic to review its supporting data. If you prefer to query the statistics programmatically, you can use the GetBucketStatistics operation of the Amazon Macie API.

For deeper analysis and evaluation, Macie also provides detailed information and statistics for individual S3 buckets in your inventory. This includes breakdowns of each bucket’s public access and encryption settings, and the size and number of objects that Macie can analyze to detect sensitive data in the bucket. The inventory also indicates whether you configured any sensitive data discovery jobs to analyze objects in a bucket and, if so, when one of those jobs most recently ran. You can browse, sort, and filter the inventory by using the Amazon Macie console or the DescribeBuckets operation of the Amazon Macie API.
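An added triage script, not code from the Macie documentation, that applies the inventory attributes just described: it takes the buckets from a DescribeBuckets response and flags those that are publicly accessible, shared outside the organization, lacking default encryption, or not covered by any sensitive data discovery job. It assumes the boto3 `macie2` client and `describe_buckets` paginator names and the response field names shown; the sample inventory in the block is constructed.

```python
def triage_buckets(buckets):
    """Return {bucketName: [issues]} for buckets whose posture merits review."""
    report = {}
    for b in buckets:
        issues = []
        # Public access as evaluated by Macie (effective, not just bucket policy)
        if b.get("publicAccess", {}).get("effectivePermission") == "PUBLIC":
            issues.append("publicly accessible")
        # Shared with AWS accounts outside the organization
        if b.get("sharedAccess") == "EXTERNAL":
            issues.append("shared with accounts outside the organization")
        # Default server-side encryption and upload requirements
        if b.get("serverSideEncryption", {}).get("type") == "NONE":
            issues.append("no default server-side encryption")
        if b.get("allowsUnencryptedObjectUploads") == "TRUE":
            issues.append("allows unencrypted object uploads")
        # Whether any discovery job has been configured to analyze the bucket
        if b.get("jobDetails", {}).get("isDefinedInJob") != "TRUE":
            issues.append("not covered by any sensitive data discovery job")
        if issues:
            report[b["bucketName"]] = issues
    return report


def fetch_inventory(region="us-east-1"):
    """Fetch the bucket inventory with the paginated DescribeBuckets API.
    Network call; boto3 is imported here so triage_buckets runs offline.
    Assumption: boto3 is installed and the Macie client is named "macie2"."""
    import boto3
    client = boto3.client("macie2", region_name=region)
    buckets = []
    for page in client.get_paginator("describe_buckets").paginate():
        buckets.extend(page.get("buckets", []))
    return buckets


# Constructed sample inventory in DescribeBuckets shape (values invented).
SAMPLE_INVENTORY = [
    {"bucketName": "logs-archive", "sharedAccess": "NOT_SHARED",
     "publicAccess": {"effectivePermission": "NOT_PUBLIC"},
     "serverSideEncryption": {"type": "aws:kms"},
     "allowsUnencryptedObjectUploads": "FALSE",
     "jobDetails": {"isDefinedInJob": "TRUE"}},
    {"bucketName": "marketing-assets", "sharedAccess": "EXTERNAL",
     "publicAccess": {"effectivePermission": "PUBLIC"},
     "serverSideEncryption": {"type": "NONE"},
     "allowsUnencryptedObjectUploads": "TRUE",
     "jobDetails": {"isDefinedInJob": "FALSE"}},
]
```

Run `triage_buckets(fetch_inventory())` against a live account to produce the same report for your own inventory.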

If you're the Macie administrator for an organization, you can access statistical and other data about S3 buckets that your member accounts own. You can also access policy findings that Macie creates for the buckets, and inspect the buckets for sensitive data. As a Macie administrator, you can use Macie to assess and monitor the overall security posture of your organization’s Amazon S3 data estate. For more information, see Managing multiple accounts.