Concepts and Terminology - Amazon Macie Classic

This is the user guide for Amazon Macie Classic. For information about the new Amazon Macie, see the Amazon Macie User Guide. To access the Macie Classic console, open the Macie console at, and then choose Macie Classic in the navigation pane.

Concepts and Terminology

As you get started with Amazon Macie Classic, you can benefit from learning about its key concepts.


A standard Amazon Web Services (AWS) account that contains your AWS resources. When you sign up for AWS, your account is automatically signed up for all services in AWS. The account that you used to sign in to AWS when you enabled Macie Classic is designated as the administrator account.

If you integrated other accounts with Macie Classic, these accounts are called member accounts.


No users of member accounts are granted access to the Macie Classic console. Only users of a Macie Classic administrator account have access to the Macie Classic console, where they can configure Macie Classic and monitor and protect the resources in both administrator and member accounts.


A notification about a potential security issue that Macie Classic discovers. Alerts appear on the Macie Classic console and provide a comprehensive narrative about all activity that occurred over the last 24 hours.

Macie Classic provides the following types of alerts:

  • Basic alerts – Alerts that are generated by the security checks that Macie Classic performs. There are two types of basic alerts in Macie Classic:

    • Managed (curated by Macie Classic) basic alerts that you can't modify. You can only enable or disable the existing managed basic alerts.

    • Custom basic alerts that you can create and modify to your exact specifications.

  • Predictive alerts – Automatic alerts based on activity in your AWS infrastructure that deviates from the established normal activity baseline. More specifically, Macie Classic continuously monitors IAM user and role activity in your AWS infrastructure and builds a model of the normal behavior. It then looks for deviations from that normal baseline, and when it detects such activity, it generates automatic predictive alerts. For example, a user uploading or downloading a large number of S3 objects in a day might trigger an alert if that user typically downloads one or two S3 objects in a week.

For more information about alerts, including alert categories and details about the contents of Macie Classic alerts, see Amazon Macie Classic Alerts.

Data source

The origin or location of a set of data. To classify and protect your data, Macie Classic analyzes and processes information from the following data sources:

AWS CloudTrail event logs, including Amazon S3 object-level API activity

AWS CloudTrail provides you with a history of AWS API calls for your account, including API calls made using the AWS Management Console, the AWS SDKs, the command line tools, and higher-level AWS services. AWS CloudTrail also enables you to identify which users and accounts called AWS APIs for services that support CloudTrail, the source IP address that the calls were made from, and when the calls occurred. For more information, see What Is AWS CloudTrail?

For data classification purposes, Macie Classic uses the ability in CloudTrail to capture object-level API activity on S3 objects (data events). For more information, see Working with CloudTrail Log Files.

Amazon S3

In this release, Macie Classic analyzes and processes data stored in the Amazon S3 buckets. You can select the S3 buckets that contain objects that you want Macie Classic to classify and monitor.

Amazon Simple Storage Service (Amazon S3) is storage for the Internet. Amazon S3 stores data as objects in buckets. An object consists of a file and optionally any metadata that describes that file. To store an object in Amazon S3, you upload the file that you want to store to a bucket. Buckets are the containers for objects. For more information, see Getting started with Amazon Simple Storage Service.


In the context of Macie Classic, a user is the AWS Identity and Access Management (IAM) identity that makes the request. Macie Classic uses the CloudTrail userIdentity element to distinguish the following user types. For more information, see CloudTrail userIdentity Element.

  • Root – The request was made with your Amazon Web Services account credentials.

  • IAM user – The request was made with the credentials of an IAM user.

  • Assumed role – The request was made with temporary security credentials that were obtained with a role via a call to the AWS Security Token Service (AWS STS) AssumeRole API operation.

  • Federated user – The request was made with temporary security credentials that were obtained via a call to the AWS STS GetFederationToken API operation.

  • AWS account – The request was made by another Amazon Web Services account.

  • AWS service – The request was made by an account that belongs to an AWS service.

When specifying a user in the Macie Classic console, you must use a special Macie Classic format called macieUniqueId. Examples of specifying a user include searching for a user in the Users tab, constructing a query in the Research tab, and explicitly allowing a user in a basic alert with the index of CloudTrail data. The macieUniqueId is a combination of the IAM UserIdentity element and the recipientAccountId. For more information, see the preceding list of UserIdentity elements and the definition of recipientAccountId in the CloudTrail Record Contents. The following examples list various structures of macieUniqueId, depending on the user identity type:

  • 123456789012:root

  • 123456789012:user/Bob

  • 123456789012:assumed-role/Accounting-Role/Mary

For more detailed examples, see Analyzing Amazon Macie Classic–Monitored Data by User Activity.