Amazon Macie features

Amazon Macie continually evaluates your Amazon S3 environment and provides a summary of your data security posture across all of your accounts. You can search, filter, and sort S3 buckets by metadata variables, such as bucket names, tags, and security controls like encryption status or public accessibility. For any unencrypted buckets, publicly accessible buckets, or buckets shared with AWS accounts outside those you have defined in AWS Organizations, you can be alerted in order to take action. Macie then automatically samples and analyzes objects in your S3 buckets, inspecting them for sensitive data such as personally identifiable information (PII), builds an interactive data map of where your sensitive data in S3 resides across accounts, and provides sensitivity score for each bucket. The interactive data map can guide your decisions to perform deeper investigations of specific S3 buckets by running targeted, sensitive data discovery jobs with Macie.

Amazon Macie allows you to run one-time, daily, weekly, or monthly sensitive data discovery jobs for all, or a subset of objects in an Amazon S3 bucket. For targeted sensitive data discovery jobs, Amazon Macie automatically tracks changes to the bucket and only evaluates new or modified objects over time.

Amazon Macie maintains a growing list of sensitive data types that include common personally identifiable information (PII) and other sensitive data types as defined by data privacy regulations, such as GDPR, PCI DSS, and HIPAA. These data types use various data detection techniques including machine learning and are continually added to and improved upon over time.

Amazon Macie provides you the ability to add custom-defined data types using regular expressions to enable Macie to discover proprietary or unique sensitive data for your business.

Macie reduces alert volume and speeds up triage by consolidating findings by object or bucket. Based on severity level, Macie findings are prioritized and each finding includes details, such as the sensitive data type, tags, public accessibility, and encryption status. Findings are retained for 30-days and are available in the AWS Management Console or through the API. The full sensitive data discovery details are automatically written to a customer-owned S3 bucket for long-term retention.

Macie allows for one-selection, temporary retrieval of up to 10 examples of sensitive data found in S3. This capability helps you more easily view and understand which contents of an S3 object were identified to be sensitive, so you can review, validate, and quickly take action as needed. All sensitive data examples captured are encrypted using customer-managed AWS Key Management Service (KMS) keys and are temporarily viewable within the Macie console after being retrieved.

Macie’s allow list feature can help you reduce alert volume due to data text or formats in your environment that do not require action. An allow list defines specific text or a text pattern that you want Macie to ignore when it inspects S3 objects for sensitive data. If text matches an entry or pattern in an allow list, Macie doesn’t report the text in sensitive data findings or sensitive data discovery results, even if the text matches the criteria of a managed data identifier or a custom data identifier.

In the multi-account configuration, a single Macie administrator account can manage all member accounts, including the creation and administration of sensitive data discovery jobs across accounts. Macie supports multiple accounts through AWS Organizations integration. Security and sensitive data discovery findings are aggregated in the Macie administrator account and sent to Amazon EventBridge. Now using one account, you can integrate with event management, workflow, and ticketing systems or use Macie findings with AWS Step Functions to automate remediation actions.