Amazon Macie Classic

Amazon Macie Classic has been discontinued and is no longer available.

A new Amazon Macie is now available with significant design improvements and additional features, at a lower price and in most AWS Regions. We encourage you to take advantage of the new and improved features, and benefit from the reduced cost. To learn about features and pricing for the new Amazon Macie, see Amazon Macie. To learn how to use the new Macie, see the Amazon Macie User Guide.

Deleting Macie Classic resources and collected data

If you previously used Macie Classic, we recommend that you assess the need for resources and data that the service created, used, and stored in other AWS services for you. When you disabled your Macie Classic account, the service deleted only the resources and data that it stored directly for your account.

As a best practice and to avoid unnecessary costs, assess the following resources and data:

  • AWS CloudTrail data events – Macie Classic created an AWS CloudTrail trail when it enabled Amazon S3 data events for the S3 buckets that it monitored. The new Amazon Macie uses a different architecture and doesn't require you to enable Amazon S3 data events. If you don't need this logging anymore, you can delete the trail that Macie Classic created: AWSMacieTrail-DO-NOT-EDIT. This prevents further CloudTrail billing charges for the trail. You can also archive or remove log data that Macie Classic stored in S3 buckets whose names include awsmacie or awsmacietrail.

  • Amazon CloudWatch Events – Macie Classic didn't delete Amazon CloudWatch Events that it generated for your account. Although the new Macie publishes events to Amazon EventBridge (formerly Amazon CloudWatch Events), the event data uses a different schema and is specific to your new Macie account. Therefore, you might choose to delete the events that Macie Classic generated.

  • Legacy IAM roles – If you used Macie Classic before June 21, 2018, your AWS account has two legacy AWS Identity and Access Management (IAM) roles that you don't need anymore. These roles are AmazonMacieServiceRole and AmazonMacieSetupRole. These roles allowed Macie Classic to call other AWS services on your behalf. The new Macie doesn't use these roles. You can, therefore, consider deleting them.

If you started using Macie Classic after June 21, 2018, the service created an AWSServiceRoleForAmazonMacie service-linked role on your behalf. This role allowed Macie Classic to discover and monitor sensitive data on your behalf. The new Amazon Macie uses the same service-linked role to perform similar tasks. For this reason, we recommend that you keep this role for use with your new Macie account.
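The assessment described above can be run as a read-only audit over account inventory. The following is an added example, not AWS-provided code: it assumes the inputs are the parsed JSON output of `aws cloudtrail describe-trails`, `aws s3api list-buckets` and `aws iam list-roles`, and the `audit` function, report keys and sample inventory are constructed for illustration. It does not cover the CloudWatch Events item.

```python
import json

# Resource names below are the ones named on this page.
MACIE_TRAIL = "AWSMacieTrail-DO-NOT-EDIT"
BUCKET_MARKERS = ("awsmacie", "awsmacietrail")
LEGACY_ROLES = {"AmazonMacieServiceRole", "AmazonMacieSetupRole"}
KEEP_ROLE = "AWSServiceRoleForAmazonMacie"  # still used by the new Macie

def audit(trails, buckets, roles):
    """Classify Macie Classic leftovers from parsed AWS CLI JSON output."""
    report = {"review_for_deletion": [], "review_log_data": [], "keep": []}
    log_buckets = set()
    for trail in trails.get("trailList", []):
        if trail["Name"] == MACIE_TRAIL:
            report["review_for_deletion"].append(("trail", trail["Name"]))
            if trail.get("S3BucketName"):  # where the trail delivers logs
                log_buckets.add(trail["S3BucketName"])
    for bucket in buckets.get("Buckets", []):
        if any(m in bucket["Name"].lower() for m in BUCKET_MARKERS):
            log_buckets.add(bucket["Name"])
    report["review_log_data"] = sorted(("bucket", n) for n in log_buckets)
    # Roles are matched by exact name: a substring match on "macie" would
    # wrongly flag the service-linked role that should be kept.
    for role in roles.get("Roles", []):
        if role["RoleName"] in LEGACY_ROLES:
            report["review_for_deletion"].append(("role", role["RoleName"]))
        elif role["RoleName"] == KEEP_ROLE:
            report["keep"].append(("role", role["RoleName"]))
    return report

# Constructed sample inventory (not real account data).
SAMPLE_TRAILS = {"trailList": [
    {"Name": "AWSMacieTrail-DO-NOT-EDIT",
     "S3BucketName": "111122223333-awsmacietrail-dataevent"},
    {"Name": "org-audit-trail", "S3BucketName": "org-audit-logs"}]}
SAMPLE_BUCKETS = {"Buckets": [
    {"Name": "111122223333-awsmacietrail-dataevent"},
    {"Name": "awsmacie-results-example"}, {"Name": "app-assets"}]}
SAMPLE_ROLES = {"Roles": [
    {"RoleName": "AmazonMacieServiceRole"}, {"RoleName": "AmazonMacieSetupRole"},
    {"RoleName": "AWSServiceRoleForAmazonMacie"},
    {"RoleName": "MacieReportingRole"}]}  # unrelated custom role, left alone

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_TRAILS, SAMPLE_BUCKETS, SAMPLE_ROLES), indent=2))
```

The report only lists candidates; confirm that nothing else depends on a trail, bucket or role before deleting it.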