Monitoring Amazon S3 data with Amazon Macie

When you enable Amazon Macie for your AWS account, Macie automatically generates and begins maintaining a complete inventory of your Amazon Simple Storage Service (Amazon S3) buckets in the current AWS Region. Macie also begins monitoring and evaluating the buckets for security and access control. If Macie detects an event that reduces the security or privacy of an S3 bucket, Macie creates a policy finding for you to review and remediate as necessary.

To also monitor S3 buckets for the presence of sensitive data, you can create and run sensitive data discovery jobs that analyze bucket objects on a daily, weekly, or monthly basis. If you do this and Macie detects sensitive data in an object, Macie creates a sensitive data finding that describes the sensitive data it found.

In addition to findings, Macie provides constant visibility into the security and privacy of your Amazon S3 data. To assess the security posture of your data and determine where to take action, you can use the Summary dashboard on the console. This dashboard provides a snapshot of aggregated statistics for your Amazon S3 data. The statistics include data for key security metrics such as the number of buckets that are publicly accessible, don’t encrypt new objects by default, or are shared with other AWS accounts. The dashboard also displays groups of aggregated findings data for your account—for example, the names of 1–5 buckets that have the most findings for the preceding seven days. You can drill down on each statistic to view its supporting data. If you prefer to query the statistics programmatically, you can use the Amazon S3 Data Source Statistics resource of the Amazon Macie API.

For deeper analysis and evaluation, Macie also provides detailed information and statistics for individual buckets in your inventory. This includes breakdowns of each bucket’s public access and encryption settings, and the size and number of objects that Macie can analyze to detect sensitive data in the bucket. The inventory also indicates whether any sensitive data discovery jobs are configured to analyze objects in a bucket and, if so, when one of those jobs most recently ran. You can browse, sort, and filter the inventory by using the Amazon Macie console or the Amazon S3 Data Source resource of the Amazon Macie API.
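As an added example (not code from the Macie documentation), the following script pages through the Amazon S3 Data Source resource (the DescribeBuckets operation, via boto3's `macie2` client, which is assumed to be installed and configured) and flags, per bucket, the three risks the Summary dashboard counts. The mapping of those metrics onto the `publicAccess`, `serverSideEncryption` and `sharedAccess` attributes is my assumption, and the sample inventory at the bottom is constructed so the triage logic runs offline.

```python
from __future__ import annotations

try:
    import boto3  # only needed for the live DescribeBuckets call
except ImportError:  # lets the offline triage logic run without the SDK
    boto3 = None


def bucket_risks(bucket: dict) -> list[str]:
    """Flags for one bucket, using the DescribeBuckets attribute names."""
    risks = []
    if bucket.get("publicAccess", {}).get("effectivePermission") == "PUBLIC":
        risks.append("publicly accessible")
    if bucket.get("serverSideEncryption", {}).get("type", "NONE") == "NONE":
        risks.append("no default encryption for new objects")
    shared = bucket.get("sharedAccess")
    if shared in ("EXTERNAL", "INTERNAL"):
        risks.append(f"shared with other AWS accounts ({shared.lower()})")
    return risks


def triage_inventory(buckets: list[dict]) -> dict[str, list[str]]:
    """Bucket name -> risks, keeping only buckets that have at least one."""
    return {b["bucketName"]: r for b in buckets if (r := bucket_risks(b))}


def fetch_inventory(region: str = "us-east-1") -> list[dict]:
    """Page through DescribeBuckets (the Amazon S3 Data Source API resource)."""
    client = boto3.client("macie2", region_name=region)
    buckets, kwargs = [], {"maxResults": 50}
    while True:
        page = client.describe_buckets(**kwargs)
        buckets.extend(page.get("buckets", []))
        if not page.get("nextToken"):
            return buckets
        kwargs["nextToken"] = page["nextToken"]


# Constructed sample shaped like a DescribeBuckets response; not real data.
SAMPLE_BUCKETS = [
    {"bucketName": "public-site-assets", "publicAccess": {"effectivePermission": "PUBLIC"},
     "serverSideEncryption": {"type": "AES256"}, "sharedAccess": "NOT_SHARED"},
    {"bucketName": "partner-dropbox", "publicAccess": {"effectivePermission": "NOT_PUBLIC"},
     "serverSideEncryption": {"type": "NONE"}, "sharedAccess": "EXTERNAL"},
    {"bucketName": "hardened-logs", "publicAccess": {"effectivePermission": "NOT_PUBLIC"},
     "serverSideEncryption": {"type": "aws:kms"}, "sharedAccess": "NOT_SHARED"},
]

if __name__ == "__main__":
    for name, risks in triage_inventory(SAMPLE_BUCKETS).items():
        print(f"{name}: {'; '.join(risks)}")
```

Replace `SAMPLE_BUCKETS` with `fetch_inventory()` to run the same triage against the live inventory; as the Macie administrator for an organization the response also covers member accounts' buckets.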

If you're the Macie administrator for an organization, you can access statistical and other data for S3 buckets that are owned by member accounts in your organization. You can also access policy findings that Macie creates for the buckets, and create sensitive data discovery jobs to detect sensitive data in the buckets. This means that you can use Macie to evaluate and monitor your organization’s security posture across your Amazon S3 environment. For more information, see Managing multiple accounts.