What is Amazon Macie & How does it Protect Your Sensitive Data?
Amazon Macie is a fully managed data security service that uses machine learning and pattern matching to discover, classify, and protect sensitive data in Amazon S3. It automatically identifies PII, PHI, and other sensitive information while monitoring S3 bucket security posture to help you meet compliance regulations like GDPR, HIPAA, and PCI-DSS.
With the increasing number of security breaches experienced by both large and SMB companies, having a fully rounded security platform is important. Protecting valuable data like Personal Identifiable Information (PII) is an extremely high priority and with growing data stored in AWS Cloud, you need to automate sensitive data discovery so you don't have to manually classify data and its access controls.
Amazon Macie can play a part in making you aware of your data and the level of security you have. In this blog post, we look at what Amazon Macie is, how to set it up in the AWS Management Console, and more.
What is Amazon Macie?
Amazon Macie is a data security service that uses machine learning to automatically discover, classify, and protect sensitive data in Amazon S3. It intelligently identifies PII, Protected Health Information (PHI), and other sensitive data types while continuously monitoring S3 bucket security controls.
Macie can recognize any PII or Protected Health Information (PHI) that exists in your S3 buckets. Macie also monitors the S3 buckets themselves for security and access control. This all can help you meet regulations, such as the Health Insurance Portability and Accountability Act (HIPAA) and General Data Privacy Regulation (GDPR) or just continually achieve the security you require in the AWS Cloud environment.
In general, Macie helps you answer these questions about your data:
1. What data do I have in my S3 buckets?
2. Where is it located?
3. How is data being shared and stored – publicly or privately?
4. How can I classify data in near real-time?
5. What PII or PHI is possibly publicly exposed?
6. How do I build automated workflow remediation for security and compliance?
How does Macie work?
Within a few minutes after enabling Macie for your AWS account, Macie generates an S3 bucket list in the region where you enabled it. Macie immediately begins monitoring the security and access controls of your buckets. When it detects the risk of unauthorized access, misconfigurations, or potential data leakage, it generates detailed findings. Macie continuously samples S3 objects daily to assess sensitivity and builds an interactive data sensitivity map showing where your sensitive data resides across accounts.
Macie's main features:
1. Macie summary dashboard
The dashboard provides you with a summary that shows you how the data is accessed or moved. This dashboard gives you a view of the total number of buckets, the total number of objects, and the total number of S3 storage consumed.
It also breaks down S3 buckets by whether they are shared publicly, encrypted or not, and buckets shared inside and outside your AWS account or AWS Organization.
2. Macie Jobs
Create and run sensitive data discovery jobs to automatically discover, record, and report sensitive data in Amazon S3 buckets.
You can configure the job to run only once for on-demand analysis, or periodically for periodic analysis and monitoring. Macie intelligently tracks changes between job runs and only evaluates new or modified objects, optimizing performance and reducing costs. You can target specific buckets or object subsets rather than scanning your entire environment.
3. Macie Findings
A finding is a detailed report of potential policy violations for sensitive data in S3 buckets or S3 objects. Macie provides two types of findings: policy findings and sensitive data findings.
Macie can also send all findings to Amazon EventBridge so you can build custom remediation and alert management. Findings are retained for 90 days. For long-term compliance and audit purposes, full sensitive data discovery details are automatically stored in a customer-owned S3 bucket.
Examples of policy findings below
Examples of sensitive data findings below
In every Macie finding, you will find detailed info.
4. Macie automated data discovery
Automated data discovery is a feature of Amazon Macie that can automatically and continuously detects sensitive data and potential data security risks across bucket sets, aggregated at the AWS Organizations level.
By default, Macie automated data discovery is enabled for every new customer. However, current customers can instantly toggle this setting on or off by clicking a button in the AWS Management Console. There is a 30-day free trial, and you can always opt out at the administrator level.
When you enable automated data discovery in the AWS Management Console, Macie begins assessing the sensitivity of each S3 bucket (you can exclude buckets from the analysis) and highlights any data security risks. This reduces the cost of discovering S3 buckets containing sensitive data compared to the cost of a full data scan.
5. AWS Security Hub Integration
In AWS Security Hub CSPM, security issues are tracked as findings. Some findings come from issues that are detected by AWS services, such as Amazon Macie, or by supported AWS Partner Network security solutions.
Achieve unrivaled security and compliance with the StormIT Cloud Check-Up. We perform a gap analysis with more than 600 Best Practice Checks to reduce risk, identify security vulnerabilities, and remediate compliance breaks in your AWS environment.
Macie benefits
Easy to set up
Macie is easy to set up with one click in the AWS Management Console and provides multi-account support using AWS Organizations, so you can enable Macie across all your accounts with a few clicks. This eliminates the need for IT teams to manually classify data and manage permissions.
Constant monitoring of S3 buckets
Macie continually evaluates your Amazon S3 environment and provides S3 bucket summaries across all accounts. It automatically tracks changes and only evaluates new or modified objects, reducing unnecessary analysis costs.
Macie allows you to run one-time, daily, weekly, or monthly data discovery jobs for all, or a subset of objects in an Amazon S3 bucket. It also automatically tracks changes to the bucket and only evaluates new or modified objects over time.
Meet privacy regulations
Amazon Macie maintains a comprehensive list of sensitive data types including:
- Common PII (names, addresses, phone numbers, emails)
- Financial data (credit card numbers, bank account information)
- Healthcare data (insurance claims, medical records)
- Credentials (API keys, passwords)
- Country-specific identifiers.
This helps you meet regulations like GDPR, HIPAA, and PCI-DSS.
Custom-defined sensitive data types
Amazon Macie allows you to add custom-defined data types using regular expressions to discover organization-specific sensitive data patterns unique to your business.
Multi-account management
With AWS Organizations integration, a single Macie administrator account can manage all member accounts. Findings are aggregated in the administrator account and automatically sent to Amazon EventBridge for workflow automation.
Macie use cases
Simplify your data privacy and security
Macie allows you to simplify data privacy across your entire S3 environment, generating findings that enable quick response. Flexible scheduling (one-time, daily, weekly, monthly) lets you tailor discovery to your needs. Macie also gives you the flexibility to identify sensitive data residing in other data stores by temporarily moving it to S3.
Maintaining compliance
Macie provides different options to schedule your data analysis, such as one-time, daily, weekly, or monthly sensitive data discovery jobs to help you meet and maintain your data privacy and compliance requirements.
Discover sensitive data at scale
Macie uses machine learning and pattern matching to cost-efficiently discover sensitive data in the chosen region and works very well even in a complex S3 environment. Macie automatically detects a large and ever-increasing number of sensitive data types, including personally identifiable information (PII) such as names, addresses, and credit card numbers.
Macie set up
The easiest way to set Macie up is by using the AWS Management Console:
- Sign in to the Macie Console. Choose the right AWS Region where you want to start.
- Choose "Get started".
- Choose "Enable" Macie.
- And then just click on “Get started” in the menu and select which “Job” you want to start.
Macie pricing
Free-tier of Macie includes:
- The 30-day free trial for each account with S3 buckets evaluation (breaks down S3 buckets by whether they are shared publicly, encrypted or not, and shared inside and outside your AWS account).
- And for the discovery of sensitive data, you get the first 1 GB per month for free.
Monthly cost breakdown:
S3 Bucket Evaluation: $0.10 per bucket per month (after 30-day free trial; same across all regions)
Sensitive Data Discovery: Cost varies by AWS Region based on GB of data analyzed (charged for automated discovery sampling and targeted discovery jobs)
Amazon Macie vs. Amazon GuardDuty
Amazon GuardDuty and Amazon Macie serve different purposes in your security strategy:
Amazon Macie:
- Focuses on data security and classification in S3 buckets
- Detects sensitive data exposure, misconfigurations, and access control issues
- Provides data sensitivity mapping and inventory
Amazon GuardDuty:
- Focuses on threat detection across your entire AWS environment
- Detects abnormal API activity, unauthorized deployments, and account compromise
- Uses Extended Threat Detection to identify multistage attacks
Learn more about GuardDuty in our blog post: What is Amazon GuardDuty? Definition, Pricing & Comparison.
Both services are complementary. Macie handles data protection while GuardDuty handles threat detection.
Integration with AWS Security Hub
Macie integrates with AWS Security Hub, providing a single place in AWS to aggregate, organize, and prioritize security alerts from multiple AWS security services. Macie findings are automatically correlated and enriched with critical context, enabling you to identify data security patterns and risks across your entire environment.
FAQs
Amazon Macie uses machine learning and pattern matching to discover and classify sensitive data (e.g., PII) in Amazon S3. It also evaluates S3 bucket configurations (policies/ACLs, public access, encryption) and generates actionable findings.
Macie discovers/classifies sensitive data in S3 and flags exposure or misconfiguration. GuardDuty detects threats by analyzing telemetry (e.g., S3, CloudTrail, VPC Flow Logs, DNS). They’re complementary, not overlapping.
Inspector identifies software vulnerabilities and runtime risks in EC2, ECR images, and Lambda. Macie inspects S3 objects for sensitive data and access risks – it doesn’t scan hosts or containers.
Macie analyzes Amazon S3 only. To evaluate other data, place it in S3 (or export to S3) for Macie to scan.
No. Pricing is pay-as-you-go, primarily based on S3 data inspected and usage of automated sensitive data discovery (plus regional rates). No long-term commitments; disable jobs/ASDD and the service per Region to stop charges.
Conclusion
Amazon Macie has evolved into a comprehensive data security platform that automatically discovers and classifies sensitive information at scale. With automated sensitive data discovery enabled by default, interactive data sensitivity mapping, and deep Security Hub integration, organizations can now achieve data protection and compliance without manual effort.
An AWS Solutions Architect with over 5 years of experience in designing, assessing, and optimizing AWS cloud architectures. At Stormit, he supports customers across the full cloud lifecycle — from pre-sales consulting and solution design to AWS funding programs such as AWS Activate, Proof of Concept (PoC), and the Migration Acceleration Program (MAP).
