Amazon Macie
User Guide

Concepts and Terminology

As you get started with Amazon Macie, you can benefit from learning about its key concepts.

Account

A standard AWS account that contains your AWS resources. When you sign up for Amazon Web Services (AWS), your account is automatically signed up for all services in AWS, including Macie. The account that you use to sign in to AWS at the time when you first enable Macie is designated as the master account.

You can also integrate other accounts with Macie. These other accounts are called member accounts.


No users from the member accounts are granted access to the Macie console. Only the master account users have access to the Macie console, where they can configure Macie and monitor and protect the resources in both master and member accounts.

Alert

A notification about a potential security issue that Macie discovers. Alerts appear on the Macie console and provide a comprehensive narrative about all activity that occurred over the last 24 hours.

Macie provides the following types of alerts:

  • Basic alerts – Alerts that are generated by the security checks that Macie performs. There are two types of basic alerts in Macie:

    • Managed (curated by Macie) basic alerts that you can't modify. You can only enable or disable the existing managed basic alerts.

    • Custom basic alerts that you can create and modify to your exact specifications.

  • Predictive alerts – Automatic alerts based on activity in your AWS infrastructure that deviates from the established normal activity baseline. More specifically, Macie continuously monitors IAM user and role activity in your AWS infrastructure and builds a model of the normal behavior. It then looks for deviations from that normal baseline, and when it detects such activity, it generates automatic predictive alerts. For example, a user uploading or downloading a large number of S3 objects in a day might trigger an alert if that user typically downloads one or two S3 objects in a week.

For more information about alerts, including alert categories and details about the contents of Macie alerts, see Amazon Macie Alerts.

Data source

The origin or location of a set of data. To classify and protect your data, Macie analyzes and processes information from the following data sources:

AWS CloudTrail event logs, including Amazon S3 object-level API activity

AWS CloudTrail provides you with a history of AWS API calls for your account, including API calls made using the AWS Management Console, the AWS SDKs, the command line tools, and higher-level AWS services. AWS CloudTrail also enables you to identify which users and accounts called AWS APIs for services that support CloudTrail, the source IP address that the calls were made from, and when the calls occurred. For more information, see What Is AWS CloudTrail?

For data classification purposes, Macie uses the ability in CloudTrail to capture object-level API activity on S3 objects (data events). For more information, see Logging Data and Management Events for Trails.

Amazon S3

In this release, Macie analyzes and processes data stored in Amazon S3 buckets. You select the S3 buckets that contain the objects that you want Macie to classify and monitor.

Amazon Simple Storage Service (Amazon S3) is storage for the Internet. Amazon S3 stores data as objects in buckets. An object consists of a file and optionally any metadata that describes that file. To store an object in Amazon S3, you upload the file that you want to store to a bucket. Buckets are the containers for objects. For more information, see Getting Started with Amazon Simple Storage Service.

User

In the context of Macie, a user is the AWS Identity and Access Management (IAM) identity that makes the request. Macie uses the CloudTrail userIdentity element to distinguish the following user types. For more information, see CloudTrail userIdentity Element.

  • Root – The request was made with your account credentials.

  • IAM user – The request was made with the credentials of an IAM user.

  • Assumed role – The request was made with temporary security credentials that were obtained with a role via a call to the AWS Security Token Service (AWS STS) AssumeRole API operation.

  • Federated user – The request was made with temporary security credentials that were obtained via a call to the AWS STS GetFederationToken API operation.

  • AWS account – The request was made by another account.

  • AWS service – The request was made by an account that belongs to an AWS service.

When specifying a user in the Macie console, you must use a special Macie format called macieUniqueId. Examples of specifying a user include searching for a user in the Users tab, constructing a query in the Research tab, and whitelisting a user in a basic alert with the index of CloudTrail data. The macieUniqueId is a combination of the IAM UserIdentity element and the recipientAccountId. For more information, see the preceding list of UserIdentity elements and the definition of recipientAccountId in the CloudTrail Record Contents. The following examples list various structures of macieUniqueId, depending on the user identity type:

  • 123456789012:root

  • 123456789012:user/Bob

  • 123456789012:assumed-role/Accounting-Role/Mary
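As an added example (not part of the AWS documentation), the following Python derives macieUniqueId values from constructed CloudTrail records for the three identity types listed above, rejects identity types for which the page gives no format, and then counts S3 object-level data events per identity. It assumes that the part after the account id in each documented example is the resource segment of the userIdentity ARN; the function names and sample records are constructed.

```python
"""Derive Macie's macieUniqueId from CloudTrail records and group S3
object-level data events by that identity. Constructed sample data."""
from collections import Counter

# ARN resource prefix expected for each userIdentity.type the page documents.
# FederatedUser, AWSAccount and AWSService have no documented macieUniqueId
# form, so they are rejected rather than guessed.
_RESOURCE_PREFIX = {"Root": "root", "IAMUser": "user/", "AssumedRole": "assumed-role/"}

def macie_unique_id(record):
    """Return '<recipientAccountId>:<resource>' for one CloudTrail record.
    Assumption (not on the page): the tail of each documented example equals
    the resource segment of userIdentity.arn."""
    ident = record["userIdentity"]
    prefix = _RESOURCE_PREFIX.get(ident.get("type"))
    if prefix is None:
        raise ValueError(f"unsupported userIdentity type: {ident.get('type')}")
    # ARN layout: arn:partition:service:region:account:resource
    parts = ident["arn"].split(":", 5)
    if len(parts) != 6 or not parts[5].startswith(prefix):
        raise ValueError(f"unexpected ARN for {ident['type']}: {ident['arn']}")
    account = record["recipientAccountId"]
    if not (account.isdigit() and len(account) == 12):
        raise ValueError(f"bad recipientAccountId: {account!r}")
    return f"{account}:{parts[5]}"

def s3_object_events_by_user(records):
    """Count S3 object-level data events (GetObject/PutObject) per macieUniqueId;
    management events such as ListBuckets are skipped."""
    counts = Counter()
    for rec in records:
        if (rec.get("eventSource") == "s3.amazonaws.com"
                and rec.get("eventName") in ("GetObject", "PutObject")):
            counts[macie_unique_id(rec)] += 1
    return dict(counts)

# Constructed CloudTrail records (only the fields the functions read).
def _rec(id_type, arn, event_name):
    return {"eventSource": "s3.amazonaws.com", "eventName": event_name,
            "recipientAccountId": "123456789012",
            "userIdentity": {"type": id_type, "arn": arn}}

MARY = "arn:aws:sts::123456789012:assumed-role/Accounting-Role/Mary"
SAMPLE_RECORDS = [
    _rec("Root", "arn:aws:iam::123456789012:root", "GetObject"),
    _rec("IAMUser", "arn:aws:iam::123456789012:user/Bob", "PutObject"),
    _rec("AssumedRole", MARY, "GetObject"),
    _rec("AssumedRole", MARY, "GetObject"),
    _rec("IAMUser", "arn:aws:iam::123456789012:user/Bob", "ListBuckets"),  # management event
]
```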

For more detailed examples, see Analyzing Amazon Macie–Monitored Data by User Activity.