Last updated on January 18, 2024
Amazon Macie Cheat Sheet
- A security service that uses machine learning to automatically discover, classify, and protect sensitive data in AWS. Macie recognizes sensitive data such as personally identifiable information (PII) or intellectual property.
- Amazon Macie allows you to achieve the following:
- Identify and protect various data types, including PII, PHI, regulatory documents, API keys, and secret keys
- Verify compliance with automated logs that allow for instant auditing
- Identify changes to policies and access control lists
- Receive notifications when data and account credentials leave protected zones
- Detect when large quantities of business-critical documents are shared internally and externally
Concepts
-
- Data source is the origin or location of a set of data.Â
- AWS CloudTrail event logs and errors, including Amazon S3 object-level API activity. You can’t modify existing or add new CloudTrail events to the list that Macie manages. You can enable or disable the supported CloudTrail events, thus instructing Macie to either include or exclude them in its data security process.
- Amazon S3 objects. You can integrate Macie with your S3 buckets and/or specify S3 prefixes
- User, in the context of Macie, a user is the AWS Identity and Access Management (IAM) identity that makes the request.
- Data source is the origin or location of a set of data.Â
- There are certain file formats that Macie does not support, such as wav files.
- Once Macie begins monitoring your data, it uses several automatic content classification methods to identify and prioritize your sensitive and critical data and to accurately assign business value to your data. Each classification has a designated risk level between 1 and 10, with 10 being the highest risk and 1 being the lowest. These methods include:
- Content Type Classification – Macie uses an identifier that is embedded in the file header of your data objects. Macie can assign only one content type to an object. You can’t modify existing or add new content types. You can only enable or disable any existing content types, thus enabling or disabling Macie to assign them to your objects during the classification process.
- File Extension Classification – Macie offers a set of managed file extensions. Macie can assign only one file extension to an object. You can’t modify existing or add new file extensions. You can enable or disable any existing file extensions, thus enabling or disabling Macie to assign them to your objects during the classification process.
- Theme Classification – Object classification by theme is based on keywords that Macie searches for as it examines the contents of data objects. Macie can assign one or more themes to an object. You can’t modify existing or add new themes. You can enable or disable any existing themes, thus enabling or disabling Macie to assign them to your objects during the classification process.
- Regex Classification – Macie offers a set of managed regexes. Object classification by regex is based on specific data or data patterns that Macie searches for as it examines the contents of data objects. Macie can assign one or more regexes to an object. You can’t modify existing or add new regexes. You can enable or disable any existing regexes, thus enabling or disabling Macie to assign them to your objects during the classification process.
- PII Classification – Object classification by personally identifiable information (PII) is based on recognizing any personally identifiable artifacts based on industry standards such as NIST-80-122 and FIPS 199.
- Support Vector Machine–Based Classifier – It classifies content inside your S3 objects (text, token n-grams, and character n-grams) that Macie monitors and their metadata features (document length, extension, encoding, headers) to accurately classify documents based on content.
- You can use the Research tab in the Macie console to construct and run queries in the query parser and conduct in-depth investigative research of your data and activity that Macie monitors.
- If you disable Macie, the following actions occur:
- It no longer has access to the resources in the management account and all member accounts. You must add member accounts again if you decide to reenable Macie.
- It stops processing the resources in the management account and all member accounts. After Macie is disabled, the metadata that Macie collected while monitoring the data in your management and member accounts is deleted. Within 90 days from disabling Macie, all of this metadata is expired from the Macie system backups.
- Other Additional Features
- You can scan Amazon S3 buckets across multiple AWS accounts, and perform scoping of scans by object prefix.
- An estimation of the costs of these job runs is sent to you for review before you run them.
- Once a job is submitted, findings are generated in the Amazon Macie console and sent out through Amazon EventBridge where sensitive data location information is included in the findings. This allows for identification of sensitive data within objects using detail such as line numbers, page numbers, record index, or column and row numbers.
Amazon Macie Pricing
-
- You are charged based on the amount of content classified, and the amount of AWS CloudTrail events assessed by Amazon Macie for anomalies (both Management API activity and Amazon S3 object-level API activity).Â
- Amazon Macie stores the generated metadata of classified S3 objects for 30 days at no additional cost. Additional monthly fees will be incurred if you choose the optional Extended Data Retention feature.
Note: If you are studying for the AWS Certified Security Specialty exam, we highly recommend that you take our AWS Certified Security – Specialty Practice Exams and read our Security Specialty exam study guide.
Â
Amazon Macie Cheat Sheet References:
https://aws.amazon.com/macie/
https://docs.aws.amazon.com/macie/latest/userguide/what-is-macie.html
https://aws.amazon.com/macie/faq/
https://www.youtube.com/watch?v=LCjX2rsQ2wA