What is Amazon Macie & How does it Protect Your Sensitive Data?
In this article you will learn:
- What is Amazon Macie?
- How does Macie work?
- Macie benefits
- Macie use cases
- Macie set up
- Macie pricing
- Amazon Macie vs. Amazon GuardDuty
- Integration with AWS Security Hub
With the increasing number of security breaches experienced by both large companies and SMBs, having a well-rounded security platform is important. Protecting valuable data like Personally Identifiable Information (PII) is a very high priority, and as the amount of data stored in the AWS Cloud grows, you will want to automate discovery and classification rather than classify data and the permissions on it by hand.
Amazon Macie can play a part in making you aware of your data and the level of security you have. In this blog post, we look at what Amazon Macie is, how to set it up in the AWS Management Console, and more.
What is Amazon Macie?
Amazon Macie is a security service that uses machine learning to automatically discover, classify and protect sensitive data in the Amazon Web Services (AWS) Cloud. It currently only supports Amazon Simple Storage Service (Amazon S3), but more AWS data stores are planned.
Macie can recognize any PII or Protected Health Information (PHI) that exists in your S3 buckets. Macie also monitors the S3 buckets themselves for security and access control. All of this can help you meet regulations such as the Health Insurance Portability and Accountability Act (HIPAA) and the General Data Protection Regulation (GDPR), or simply maintain the level of security you require in your AWS Cloud environment.
In general, Macie helps you answer these questions about your data:
1. What data do I have in my S3 buckets?
2. Where is it located?
3. How is data being shared and stored – publicly or privately?
4. How can I classify data in near real-time?
5. What PII or PHI is possibly publicly exposed?
6. How do I build workflow remediation for my security and compliance needs?
How does Macie work?
Within a few minutes of enabling Macie for your AWS account, Macie generates a list of your S3 buckets in the Region where you enabled it and begins monitoring the security and access control of those buckets. When it detects a risk of unauthorized access or accidental data leakage, it generates detailed findings.
Macie has four main features:
1. Macie summary dashboard
The dashboard summarizes how your data is accessed and moved. It shows the total number of buckets, the total number of objects, and the total amount of S3 storage consumed.
It also breaks down S3 buckets by whether they are shared publicly, encrypted or not, and buckets shared inside and outside your AWS account or AWS Organization.
2. Macie Jobs
Create and run sensitive data discovery jobs to automatically discover, record, and report sensitive data in Amazon S3 buckets.
You can configure a job to run once for on-demand analysis, or on a schedule for recurring analysis and monitoring.
3. Macie Findings
A finding is a detailed report of potential policy violations for sensitive data in S3 buckets or S3 objects. Macie provides two types of findings: policy findings and sensitive data findings.
Macie can also send all findings to Amazon CloudWatch Events so you can build custom remediation and alert management.
Examples of policy findings (screenshot in the original post)
Examples of sensitive data findings (screenshot in the original post)
Every Macie finding includes detailed information about what was detected and where.
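As an added example, not part of the original post, here is the kind of remediation workflow the CloudWatch Events / EventBridge integration makes possible: a Lambda handler that triages a Macie finding event. The rule pattern, the sample event, the bucket name and the response policy are constructed for illustration; only policy findings about public access are remediated automatically, while sensitive data findings are routed to a person.

```python
# EventBridge rule pattern that delivers every Macie finding to this function.
MACIE_FINDING_RULE = {"source": ["aws.macie"], "detail-type": ["Macie Finding"]}

# Constructed sample event: a policy finding for a bucket that became public.
SAMPLE_EVENT = {
    "source": "aws.macie",
    "detail-type": "Macie Finding",
    "detail": {
        "category": "POLICY",
        "type": "Policy:IAMUser/S3BucketPublic",
        "severity": {"score": 3, "description": "High"},
        "resourcesAffected": {"s3Bucket": {"name": "example-reports-bucket"}},
    },
}

# Policy finding types that a bucket-level public access block resolves.
PUBLIC_ACCESS_TYPES = {
    "Policy:IAMUser/S3BucketPublic",
    "Policy:IAMUser/S3BlockPublicAccessDisabled",
}

def plan_response(event):
    """Return (action, bucket, severity) for a Macie finding event."""
    d = event["detail"]
    bucket = d["resourcesAffected"]["s3Bucket"]["name"]
    severity = d["severity"]["description"]
    if d["type"] in PUBLIC_ACCESS_TYPES:
        return ("block_public_access", bucket, severity)
    if d["category"] == "CLASSIFICATION":
        # Sensitive data findings need a person to review the object, not automation.
        return ("open_ticket", bucket, severity)
    return ("notify", bucket, severity)

def lambda_handler(event, context=None, apply=False):
    """Lambda entry point; with apply=True it changes the bucket via boto3."""
    action, bucket, severity = plan_response(event)
    if action == "block_public_access" and apply:
        import boto3  # lazy import so the triage logic runs without AWS access
        boto3.client("s3").put_public_access_block(
            Bucket=bucket,
            PublicAccessBlockConfiguration={
                "BlockPublicAcls": True, "IgnorePublicAcls": True,
                "BlockPublicPolicy": True, "RestrictPublicBuckets": True,
            },
        )
    return {"action": action, "bucket": bucket, "severity": severity}

if __name__ == "__main__":
    print(lambda_handler(SAMPLE_EVENT))
```

Deploy the handler with an EventBridge rule using MACIE_FINDING_RULE as its event pattern and a role that allows s3:PutBucketPublicAccessBlock on the buckets it may touch.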
4. Macie automated data discovery (2022 update)
At re:Invent 2022, AWS announced a new Macie feature called automated data discovery, which automatically and continuously detects sensitive data and potential data security risks across your buckets, aggregated at the AWS Organizations level.
By default, automated data discovery is enabled for every new customer. Existing customers can turn it on or off at any time with a single toggle in the AWS Management Console.
When you enable automated data discovery in the AWS Management Console, Macie begins assessing the sensitivity of each S3 bucket (you can exclude buckets from the analysis) and highlights any data security risks. This costs less than a full data scan for finding out which S3 buckets contain sensitive data.
Macie benefits
Easy to set up
Macie is easy to set up with one click in the AWS Management Console and supports multiple accounts through AWS Organizations, so you can enable Macie across all of your accounts with a few clicks. This mainly helps an organization maintain compliance and removes the need for an IT team to manually classify data and the permissions on it.
Constant monitoring of S3 buckets
Macie continually evaluates your Amazon S3 environment and provides an S3 bucket summary across all of your AWS accounts. Macie detects and alerts you about any unencrypted buckets, publicly accessible buckets, or buckets shared outside your AWS Organization.
Macie allows you to run one-time, daily, weekly, or monthly data discovery jobs for all, or a subset of objects in an Amazon S3 bucket. It also automatically tracks changes to the bucket and only evaluates new or modified objects over time.
Meet privacy regulations
Amazon Macie maintains a growing list of sensitive data types that include common personally identifiable information (PII) and other sensitive data types as defined by data privacy regulations, such as GDPR, PCI-DSS, and HIPAA.
Custom-defined sensitive data types
Amazon Macie provides you the ability to add custom-defined data types using regular expressions to enable Macie to discover unique sensitive data for your business.
Macie use cases
Simplify your data privacy and security
Amazon Macie allows you to simplify data privacy across the entire Amazon S3 environment, generating findings that you can use to respond quickly when needed. Macie also gives you the flexibility to identify sensitive data residing in other data stores by temporarily moving it to S3.
Macie provides different options to schedule your data analysis, such as one-time, daily, weekly, or monthly sensitive data discovery jobs to help you meet and maintain your data privacy and compliance requirements.
Discover your sensitive data at scale
Macie uses machine learning and pattern matching to cost-efficiently discover sensitive data in the chosen region and works very well even in a complex S3 environment. Macie automatically detects a large and ever-increasing number of sensitive data types, including personally identifiable information (PII) such as names, addresses, and credit card numbers.
Macie set up
The easiest way to set Macie up is by using the AWS Management Console:
1. Sign in to the Macie console. Remember to choose the AWS Region where you want to start.
2. Choose “Get started”.
3. Choose “Enable” to enable Macie.
4. Then click “Get started” in the menu and select which job you want to start.
The Macie free tier includes:
- A 30-day free trial of S3 bucket evaluation for each account (it breaks down S3 buckets by whether they are shared publicly, encrypted or not, and shared inside or outside your AWS account).
- For sensitive data discovery, the first 1 GB per month is free.
The monthly cost of Macie is based on:
- The number of Amazon S3 buckets evaluated: the cost is the same in every AWS Region.
  - All buckets evaluated in the first 30 days are free
  - After the first 30 days: $0.10 per S3 bucket per month
- The amount of data processed for sensitive data discovery: the cost varies by AWS Region.
Amazon Macie vs. Amazon GuardDuty
Amazon GuardDuty is different from Amazon Macie: Macie only looks at S3 buckets and intelligently classifies data to help you ensure that the proper access controls are applied to that data.
Amazon GuardDuty uses intelligent, continuous threat detection across your AWS accounts, data stored in Amazon S3, and workloads to reduce risk. Among other things, it detects:
- Abnormal API activity
- Attempts to disable AWS CloudTrail logging
- Potential unauthorized deployment and compromised instances
- S3 bucket compromise
Learn more about GuardDuty in our blog post: What is Amazon GuardDuty? Definition, Pricing & Comparison.
Integration with AWS Security Hub
Macie can be used with AWS Security Hub, which provides a single place in your AWS environment to aggregate, organize, and prioritize security alerts and findings from multiple AWS security services.