
Amazon Macie

Last updated on December 26, 2025

Amazon Macie Cheat Sheet

  • Amazon Macie is a fully managed data security and data privacy service that uses machine learning and pattern matching to discover and protect your sensitive data in Amazon S3.

    • Primary Focus: S3 Bucket security posture (Encryption/Public Access) and Sensitive Data Discovery (PII, PHI, Credentials).

    • Legacy Note: Macie Classic features (CloudTrail anomaly detection, user behavior analytics) have been removed. Use Amazon GuardDuty for threat detection and AWS CloudTrail Insights for anomaly detection.

Features

  • Automated Sensitive Data Discovery
    • Continuous sampling of S3 objects to detect sensitive data.
    • Interactive heatmap showing buckets with sensitive data (e.g., credit cards, PII, PHI).
    • Cost-effective broad visibility by sampling representative data.
    • Supports DSSE-KMS encrypted objects for analysis.
    • Coverage for up to 10,000 S3 buckets per account.
  • Targeted Sensitive Data Discovery Jobs
    • Deep scans of specific buckets with custom scope.
    • Filter by object prefix, tags, or file size.
    • Schedules: one-time or recurring (daily/weekly/monthly).
    • Use recommended or custom managed data identifiers for optimized detection.
  • S3 Bucket Inventory & Assessment
    • Automatic evaluation of bucket security posture.
    • Detects unencrypted, publicly accessible, or externally shared buckets.
    • Generates policy findings for security misconfigurations.
  • Managed & Custom Data Identifiers
    • Detects PII, PHI, credentials, and sensitive financial information.
    • Supports country-specific identifiers: Argentina, Chile, Colombia, Mexico national IDs, SUBE card numbers, IBANs for 50+ countries, Indian Aadhaar, PAN, driver’s licenses.
    • Custom identifiers via Regex for organization-specific data patterns.
  • Allow Lists & Exceptions
    • Ignore specified text or patterns to reduce false positives.
  • Findings & Analysis
    • Policy findings for bucket configuration issues.
    • Sensitive data findings with object location details (line, column).
    • Exportable to EventBridge and Security Hub for automation or centralized monitoring.
  • Management & Multi-Account Support
    • AWS Organizations integration with delegated administrator capabilities.
    • Enable/disable automated discovery per account or per bucket.
    • Manage up to 10,000 accounts in an organization.
  • Resource Coverage & Insights
    • Console shows coverage statistics, roll-up of analysis issues, and remediation guidance per bucket.
    • Tracks actively used container images and last-used timestamps (if applicable).
  • Integrations & Compliance
    • Security Hub CSPM checks for Macie and automated discovery status.
    • API support for programmatic configuration and management of automated discovery.
  • Additional Support
    • VPC Interface Endpoints & Endpoint Policies for secure connectivity.
    • S3 Glacier Instant Retrieval storage class now eligible for sensitive data discovery.
    • Enhanced quotas for sensitive data sample retrieval (>10 MB objects).
    • Automatic cost estimation per account when creating/configuring sensitive data discovery jobs.
    • Addition of a Billing and Cost Management action to the AmazonMacieFullAccess policy to support this functionality.

Concepts

Data Identifiers

Macie uses “Identifiers” to recognize sensitive data. The old “Themes/Regex/SVM” terminology is largely retired in favor of:

  • Managed Data Identifiers: A built-in library of patterns for PII (names, addresses), Financials (credit cards, bank accounts), and Credentials (AWS Secret Keys, Private Keys).

    • Includes: “Strict” vs. “High Confidence” variations to control false positives.

  • Custom Data Identifiers: You define your own proprietary patterns using Regular Expressions (Regex). (e.g., specific Employee IDs: EMP-[0-9]{5}).

Allow Lists

  • Exceptions: Defines specific text or patterns that Macie should ignore (e.g., “Sample Data” or public reference numbers that look like PII but aren’t).
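The custom data identifier and allow-list ideas above (an `EMP-[0-9]{5}` pattern, plus text Macie should ignore) can be checked locally before you create anything in Macie. The following is an added example, not code from the cheat sheet or from AWS: it applies a regex with Macie-style keyword proximity and ignore words to a constructed sample file, reports the line/column of each hit the way a sensitive data finding does, and builds the keyword arguments for boto3's `macie2.create_custom_data_identifier()`. The identifier definition, keywords, ignore words and sample text are constructed, and the proximity check is a simplification of how Macie combines a regex with keywords, not Macie's exact algorithm.

```python
"""Pre-check a custom data identifier locally before creating it in Macie.

Added example, not code from the cheat sheet or from AWS. The identifier
definition (EMP-[0-9]{5} employee IDs, keywords, ignore words) and the sample
text are constructed; the proximity logic is a simplification of how Macie
combines a regex with keywords, not Macie's exact algorithm.
"""
import re
from dataclasses import dataclass, field


@dataclass
class CustomIdentifier:
    name: str
    regex: str
    keywords: list = field(default_factory=list)      # text that must precede a match
    maximum_match_distance: int = 50                  # max chars between keyword and match
    ignore_words: list = field(default_factory=list)  # allow-list style exceptions

    def find(self, text: str) -> list:
        """Return regex matches that pass the keyword and ignore-word checks,
        with the 1-based line/column Macie reports in sensitive data findings."""
        lowered = text.lower()
        hits = []
        for m in re.finditer(self.regex, text):
            value = m.group(0)
            if value in self.ignore_words:
                continue  # known placeholder / sample value, do not report
            if self.keywords:
                window = lowered[max(0, m.start() - self.maximum_match_distance):m.start()]
                if not any(k.lower() in window for k in self.keywords):
                    continue  # no supporting keyword nearby, treat as noise
            line_start = text.rfind("\n", 0, m.start()) + 1
            hits.append({
                "value": value,
                "line": text.count("\n", 0, m.start()) + 1,
                "column": m.start() - line_start + 1,
            })
        return hits

    def to_api_params(self) -> dict:
        """Keyword arguments for boto3's macie2.create_custom_data_identifier()."""
        return {
            "name": self.name,
            "regex": self.regex,
            "keywords": self.keywords,
            "maximumMatchDistance": self.maximum_match_distance,
            "ignoreWords": self.ignore_words,
        }


# Constructed sample: one real-looking ID, one placeholder, one unsupported match.
SAMPLE_TEXT = "\n".join([
    "Employee roster (constructed sample)",
    "id,name",
    "Employee ID: EMP-10234,Jane Doe",
    "Employee ID: EMP-00000,Placeholder",
    "ref=EMP-55555 (no keyword nearby, so not reported)",
])

EMPLOYEE_ID = CustomIdentifier(
    name="EmployeeId",
    regex=r"EMP-[0-9]{5}",
    keywords=["Employee ID"],
    maximum_match_distance=20,
    ignore_words=["EMP-00000"],
)


def precheck() -> list:
    """Run the identifier over the sample text; expected: only EMP-10234 on line 3."""
    return EMPLOYEE_ID.find(SAMPLE_TEXT)


def create_in_macie(identifier: CustomIdentifier, client=None) -> str:
    """Create the identifier in Macie; needs boto3 and AWS credentials, so it is
    not called when this file is run offline."""
    import boto3  # imported here so the pre-check runs without boto3 installed
    client = client or boto3.client("macie2")
    resp = client.create_custom_data_identifier(**identifier.to_api_params())
    return resp["customDataIdentifierId"]


if __name__ == "__main__":
    for hit in precheck():
        print(hit)
```

Running the file prints the single surviving hit; the placeholder value is suppressed by the ignore words and the keyword-less match is dropped, which is the false-positive reduction the allow-list section is about. Only once the local pass reports what you expect is it worth calling `create_in_macie()`, since every Macie job that uses the identifier is billed per GB scanned.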

Findings

Macie generates two types of findings:

  1. Policy Findings: Issues with bucket security (e.g., Policy:IAMUser/S3BucketPublic).

  2. Sensitive Data Findings: Specific data detected inside an object (e.g., SensitiveData:S3Object/Personal).

    • Details: Includes the location of the data (line number, column) within the file.

Supported Data Sources

  • Amazon S3 Only: Macie scans S3 objects. It supports various file formats including:

    • Text/Code: .txt, .csv, .json, .xml, .html, source code (Java, Python, etc.).

    • Documents: MS Office (.docx, .xlsx), PDF.

    • Archives: .zip, .tar, .gz (Macie unzips and scans the contents).

    • Big Data: Apache Parquet, Avro.

Management & Integration

  • Multi-Account: Integrated with AWS Organizations. A Delegated Administrator account can manage Macie for all member accounts, viewing findings centrally.

  • Findings Export: Findings are sent to Amazon EventBridge (for automation) and AWS Security Hub (for centralized posture management).

  • Finding Retention: Findings are stored in Macie for 90 days. For long-term retention, you must export them to an S3 bucket.
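The two finding types (policy vs. sensitive data, with line/column locations) and the EventBridge export are what an automated responder consumes. The following is an added example, not Macie's or the cheat sheet's code: a Lambda-style handler that takes a Macie finding event from EventBridge, classifies it, pulls out the bucket, object key and detection locations, and picks a response. `SAMPLE_EVENT` is a constructed, trimmed event in the shape of a Macie finding (bucket name, key and finding id are placeholders), `RULE_PATTERN` is a constructed EventBridge rule pattern, and `decide_action()` encodes one possible response policy that Macie does not prescribe.

```python
"""Triage Macie findings delivered by EventBridge.

Added example (not Macie's or the cheat sheet's code). SAMPLE_EVENT is a
constructed, trimmed event in the shape of a Macie finding; bucket name,
object key and finding id are placeholders. decide_action() encodes one
possible response policy, not anything Macie prescribes.
"""
import json

# EventBridge rule pattern that would route High-severity Macie findings to
# this handler (constructed for the example).
RULE_PATTERN = {
    "source": ["aws.macie"],
    "detail-type": ["Macie Finding"],
    "detail": {"severity": {"description": ["High"]}},
}

SAMPLE_EVENT = {
    "source": "aws.macie",
    "detail-type": "Macie Finding",
    "detail": {
        "id": "example-finding-id",
        "category": "CLASSIFICATION",          # POLICY for bucket-configuration findings
        "type": "SensitiveData:S3Object/Personal",
        "severity": {"score": 3, "description": "High"},
        "resourcesAffected": {
            "s3Bucket": {"name": "example-data-lake-bucket"},
            "s3Object": {"key": "exports/customers-2025.csv"},
        },
        "classificationDetails": {
            "result": {
                "sensitiveData": [{
                    "category": "PERSONAL_INFORMATION",
                    "totalCount": 2,
                    "detections": [
                        {"type": "NAME", "count": 1,
                         "occurrences": {"lineRanges": [{"start": 3, "end": 3, "startColumn": 24}]}},
                        {"type": "EMAIL_ADDRESS", "count": 1,
                         "occurrences": {"lineRanges": [{"start": 4, "end": 4, "startColumn": 24}]}},
                    ],
                }]
            }
        },
    },
}


def triage(event: dict) -> dict:
    """Flatten a finding into what a responder needs: where, what, how bad."""
    detail = event["detail"]
    affected = detail["resourcesAffected"]
    summary = {
        "finding_id": detail["id"],
        "kind": "policy" if detail["category"] == "POLICY" else "sensitive-data",
        "finding_type": detail["type"],
        "severity": detail["severity"]["description"],
        "bucket": affected["s3Bucket"]["name"],
        "key": affected.get("s3Object", {}).get("key"),
        "detections": [],
    }
    if summary["kind"] == "sensitive-data":
        result = detail["classificationDetails"]["result"]
        for block in result.get("sensitiveData", []):
            for det in block.get("detections", []):
                for r in det.get("occurrences", {}).get("lineRanges", []):
                    summary["detections"].append(
                        {"type": det["type"], "line": r["start"], "column": r.get("startColumn")})
    summary["action"] = decide_action(summary)
    return summary


def decide_action(summary: dict) -> str:
    """Example response policy (an assumption, not a Macie default)."""
    if summary["kind"] == "policy":
        return "open-ticket"          # bucket misconfiguration: route to the bucket owner
    if summary["severity"] == "High":
        return "quarantine-object"    # e.g. restrict access to the object until reviewed
    return "notify"


def lambda_handler(event, context=None):
    summary = triage(event)
    print(json.dumps(summary))          # lands in CloudWatch Logs when run in Lambda
    return summary


if __name__ == "__main__":
    lambda_handler(SAMPLE_EVENT)
```

Because Macie keeps findings for only 90 days, the handler (or the S3 export mentioned above) is also where long-term evidence should be written; the flattened summary is a convenient record to persist.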

Use Cases

  • Regulatory Compliance: Discovering PII (GDPR/CCPA) or PHI (HIPAA) in S3 Data Lakes to ensure it is encrypted or removed.

  • Data Migration Validation: Scanning data before migrating it to a lower-security environment.

  • Credential Monitoring: Detecting accidental uploads of AWS Secret Keys or private certificates to S3 buckets.

Amazon Macie Pricing

  • Cost Estimation: The console provides a usage estimator to predict job costs before you run them. Additional monthly fees will be incurred if you choose the optional Extended Data Retention feature.
  • Macie pricing has three dimensions (the old CloudTrail-based pricing does not apply). Costs shown are for US East 1:
    • S3 Bucket Assessment: $0.10 per bucket per month. Evaluates encryption/public status. First 30 days free.
    • Automated Discovery: $0.01 per 100k objects. Charges for the monitoring/sampling logic.
    • Sensitive Data Discovery: $1.00 per GB processed. Charged for the actual bytes scanned (via automated discovery or jobs). Volume discounts apply (drops to $0.50/GB after 50 TB).
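The three dimensions above can be turned into a rough monthly estimate before a job is run, which is useful for scoping a targeted discovery job against a large bucket. The following is an added example, not AWS's cost estimator: it applies the per-bucket, per-100k-object and tiered per-GB figures from this cheat sheet. The single $0.50/GB tier after 50 TB is the cheat sheet's simplification, 1 TB is taken as 1,000 GB (an assumption), and the 30-day free bucket assessment is modelled as a flag.

```python
"""Rough monthly Macie cost estimate from the three pricing dimensions in the
cheat sheet (US East 1 figures). Added example, not AWS's estimator. The single
$0.50/GB tier after 50 TB is the cheat sheet's simplification; 1 TB is taken
as 1,000 GB here (an assumption), and the 30-day free bucket assessment is
modelled as a flag."""

PRICE_PER_BUCKET_MONTH = 0.10       # S3 bucket assessment
PRICE_PER_100K_OBJECTS = 0.01       # automated discovery (monitoring/sampling)
SCAN_TIERS = [                      # (GB covered by this tier, price per GB)
    (50_000, 1.00),                 # first 50 TB at $1.00/GB
    (float("inf"), 0.50),           # everything above at $0.50/GB
]


def sensitive_data_cost(gb_scanned: float) -> float:
    """Apply the volume tiers to the bytes actually scanned."""
    cost, remaining = 0.0, gb_scanned
    for tier_size, rate in SCAN_TIERS:
        portion = min(remaining, tier_size)
        cost += portion * rate
        remaining -= portion
        if remaining <= 0:
            break
    return cost


def estimate_monthly_cost(buckets: int, objects_monitored: int, gb_scanned: float,
                          in_free_trial: bool = False) -> dict:
    """Break the month down per dimension so you can see what drives the bill."""
    parts = {
        "bucket_assessment": 0.0 if in_free_trial else buckets * PRICE_PER_BUCKET_MONTH,
        "automated_discovery": objects_monitored / 100_000 * PRICE_PER_100K_OBJECTS,
        "sensitive_data_discovery": sensitive_data_cost(gb_scanned),
    }
    parts["total"] = round(sum(parts.values()), 2)
    return parts


if __name__ == "__main__":
    print(estimate_monthly_cost(buckets=100, objects_monitored=5_000_000, gb_scanned=60_000))
```

The breakdown makes the point the table only implies: bucket assessment and automated discovery are cheap, and the bill is dominated by bytes scanned, so scoping jobs by prefix, tag or file size (as the Targeted Sensitive Data Discovery Jobs feature allows) is the main cost lever.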


Note: If you are studying for the AWS Certified Security Specialty exam, we highly recommend that you take our AWS Certified Security – Specialty Practice Exams and read our Security Specialty exam study guide.


Amazon Macie Cheat Sheet References:

  • https://aws.amazon.com/macie/
  • https://docs.aws.amazon.com/macie/latest/userguide/what-is-macie.html
  • https://aws.amazon.com/macie/faq/
  • https://www.youtube.com/watch?v=LCjX2rsQ2wA

Written by: Jon Bonso

Jon Bonso is the co-founder of Tutorials Dojo, an EdTech startup and an AWS Digital Training Partner that provides high-quality educational materials in the cloud computing space. He graduated from Mapúa Institute of Technology in 2007 with a bachelor's degree in Information Technology. Jon holds 10 AWS Certifications and is also an active AWS Community Builder since 2020.
