What is Amazon Macie & How does it Protect Your Sensitive Data?

With the number of security breaches hitting large companies and SMBs alike on the rise, a well-rounded security platform matters. Protecting valuable data such as Personally Identifiable Information (PII) is a very high priority, and as the volume of data stored in the AWS Cloud grows, you will want to automate discovery rather than classify data, and the permissions on it, by hand.

Amazon Macie can play a part in making you aware of what data you hold and how well it is protected. In this blog post, we look at what Amazon Macie is, how to set it up in the AWS Management Console, and more.

What is Amazon Macie?

Amazon Macie is a security service that uses machine learning and pattern matching to automatically discover, classify and protect sensitive data in the Amazon Web Services (AWS) Cloud. It currently supports only Amazon Simple Storage Service (Amazon S3); support for more AWS data stores is planned.

Macie can recognize PII or Protected Health Information (PHI) stored in your S3 buckets. It also monitors the buckets themselves for security and access-control issues. Together this helps you meet regulations such as the Health Insurance Portability and Accountability Act (HIPAA) and the General Data Protection Regulation (GDPR), or simply maintain the level of security you require in your AWS Cloud environment.

In general, Macie helps you answer these questions about your data:

1. What data do I have in my S3 buckets?
2. Where is it located?
3. How is data being shared and stored – publicly or privately?
4. How can I classify data in near real-time?
5. What PII or PHI is possibly publicly exposed?
6. How do I build workflow remediation for my security and compliance needs?

How does Macie work?

Within a few minutes of enabling Macie for your AWS account, Macie builds an inventory of the S3 buckets in the Region where you enabled it and begins monitoring their security and access-control settings. When it detects a risk of unauthorized access or accidental data leakage, it generates a detailed finding.

Macie has three main features:

1. Macie summary dashboard

The dashboard summarizes how your data is stored and accessed: the total number of buckets, the total number of objects, and the total amount of S3 storage consumed.

It also breaks down S3 buckets by whether they are shared publicly, encrypted or not, and buckets shared inside and outside your AWS account or AWS Organization.

2. Macie Jobs

Create and run sensitive data discovery jobs to automatically discover, record, and report sensitive data in Amazon S3 buckets.

You can configure a job to run once for on-demand analysis, or on a schedule for recurring analysis and monitoring.

3. Macie Findings

A finding is a detailed report of a potential issue with an S3 bucket or object. Macie produces two types: policy findings, which report a bucket whose security or access-control settings put data at risk (for example, a bucket that becomes publicly accessible), and sensitive data findings, which report the sensitive data a discovery job detected in a specific object.

Macie also publishes every finding to Amazon EventBridge (formerly Amazon CloudWatch Events), so you can build custom remediation and alert routing on top of them.
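
To show how a finding can drive such a workflow, here is an added example (not code from the original article): an EventBridge rule pattern that matches Macie findings, and a Lambda handler that triages the finding and re-enables S3 Block Public Access when a policy finding reports a public bucket. The sample event, account ID and bucket name are constructed; the handler reads only fields every Macie finding carries (category, type, severity, resourcesAffected), and remediation uses the standard boto3 put_public_access_block call.

```python
"""Triage Amazon Macie findings delivered through EventBridge.

Added example, not code from the original article. The sample event is
constructed by hand; the handler only reads fields every Macie finding
carries, and the remediation is boto3's put_public_access_block.
"""
import json

# EventBridge rule pattern matching every finding Macie publishes. Add
# "detail": {"severity": {"description": ["High"]}} to narrow it.
MACIE_FINDING_RULE = {
    "source": ["aws.macie"],
    "detail-type": ["Macie Finding"],
}

# Policy finding types that mean the bucket is reachable from outside the
# account; safe to auto-remediate by turning Block Public Access back on.
PUBLIC_EXPOSURE_TYPES = {
    "Policy:IAMUser/S3BucketPublic",
    "Policy:IAMUser/S3BlockPublicAccessDisabled",
}

ALL_PUBLIC_ACCESS_BLOCKED = {
    "BlockPublicAcls": True,
    "IgnorePublicAcls": True,
    "BlockPublicPolicy": True,
    "RestrictPublicBuckets": True,
}


def triage_finding(event):
    """Decide what to do with one Macie finding event.

    Returns the bucket, object key (if any), type, severity and an
    'action' of 'block_public_access', 'escalate' or 'log'.
    """
    detail = event["detail"]
    resources = detail["resourcesAffected"]
    bucket = resources["s3Bucket"]["name"]
    key = resources.get("s3Object", {}).get("key")
    severity = detail["severity"]["description"]
    finding_type = detail["type"]

    if detail["category"] == "POLICY" and finding_type in PUBLIC_EXPOSURE_TYPES:
        action = "block_public_access"
    elif detail["category"] == "CLASSIFICATION" and severity == "High":
        action = "escalate"  # confirmed sensitive data: a human must review
    else:
        action = "log"

    return {"bucket": bucket, "key": key, "type": finding_type,
            "severity": severity, "action": action}


def remediate(decision, s3):
    """Apply the decision; `s3` is a boto3 S3 client (or a stand-in)."""
    if decision["action"] == "block_public_access":
        s3.put_public_access_block(
            Bucket=decision["bucket"],
            PublicAccessBlockConfiguration=ALL_PUBLIC_ACCESS_BLOCKED,
        )
        return True
    return False


def lambda_handler(event, context, s3=None):
    """Lambda entry point; `s3` is injected only for offline testing."""
    if s3 is None:
        import boto3  # available in the Lambda runtime
        s3 = boto3.client("s3")
    decision = triage_finding(event)
    decision["remediated"] = remediate(decision, s3)
    print(json.dumps(decision))
    return decision


# Constructed sample event in the shape EventBridge delivers, trimmed to the
# fields used above. Account ID and bucket name are placeholders.
SAMPLE_PUBLIC_BUCKET_EVENT = {
    "source": "aws.macie",
    "detail-type": "Macie Finding",
    "account": "111122223333",
    "region": "eu-central-1",
    "detail": {
        "category": "POLICY",
        "type": "Policy:IAMUser/S3BucketPublic",
        "severity": {"description": "High", "score": 3},
        "resourcesAffected": {"s3Bucket": {"name": "example-customer-exports"}},
    },
}


class RecordingS3:
    """Offline stand-in for boto3's S3 client that records the calls made."""
    def __init__(self):
        self.calls = []

    def put_public_access_block(self, **kwargs):
        self.calls.append(kwargs)


if __name__ == "__main__":
    fake = RecordingS3()
    lambda_handler(SAMPLE_PUBLIC_BUCKET_EVENT, None, s3=fake)
    assert fake.calls[0]["Bucket"] == "example-customer-exports"
```

Only policy findings are auto-remediated here; sensitive data findings are escalated rather than acted on, because the right response (delete, move, restrict) depends on what the object is for and who owns it.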

Policy findings cover conditions such as a bucket that becomes publicly accessible, has encryption disabled, or is shared outside your account or organization; sensitive data findings identify the type and number of sensitive data occurrences detected in an object. Every finding includes the severity, the affected bucket or object, and the time it was detected, so it can be triaged without opening the data itself.

Macie benefits

Easy to set up

Macie can be enabled with one click in the AWS Management Console and supports multiple accounts through AWS Organizations, so you can turn it on across all of your accounts in a few clicks. This helps an organization maintain compliance and removes the need for an IT team to classify data, and the permissions on it, by hand.

Constant monitoring of S3 buckets

Macie continually evaluates your Amazon S3 environment and provides a summary of S3 buckets across all of your AWS accounts. It detects and alerts you to unencrypted buckets, publicly accessible buckets, and buckets shared outside your AWS Organization.

Macie lets you run one-time, daily, weekly, or monthly data discovery jobs over all objects, or a subset of objects, in an S3 bucket. A recurring job tracks changes to the bucket and evaluates only new or modified objects on each run.

Meet privacy regulations

Amazon Macie maintains a growing list of managed sensitive data types, covering common personally identifiable information (PII) and other data types defined by privacy and industry regulations such as GDPR, PCI DSS, and HIPAA.

Custom-defined sensitive data types

Amazon Macie also lets you define custom data types with regular expressions, so it can discover sensitive data that is unique to your business. A custom data identifier can be tightened with keywords that must appear near the match and with ignore words that exclude known test or placeholder values, which keeps the regex from flooding you with false positives.
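
As an added example (not from the original article), the following defines a hypothetical custom data identifier for an internal employee ID and dry-runs its regex, keyword and ignore-word settings locally against constructed sample text before the identifier is created. The local matcher approximates Macie's keyword-proximity rule (assumed here to apply on either side of the match) and uses Python's re engine in place of Macie's; the request builder produces the arguments for boto3's macie2 create_custom_data_identifier call.

```python
"""Define and locally dry-run a Macie custom data identifier.

Added example, not from the original article. The identifier, regex,
keywords and sample text are constructed; the matcher approximates Macie's
maximumMatchDistance and ignoreWords behaviour so the regex can be checked
for false positives before the identifier is created.
"""
import re


def find_custom_matches(text, regex, keywords=(), max_distance=50, ignore_words=()):
    """Return the regex matches Macie would be expected to report.

    A match counts only if one of `keywords` appears within `max_distance`
    characters of it (Macie's maximumMatchDistance) and the matched text
    contains none of `ignore_words`. Keyword matching is case-insensitive;
    applying the distance on both sides of the match is an assumption.
    """
    hits = []
    lowered = text.lower()
    for m in re.finditer(regex, text):
        if any(w.lower() in m.group(0).lower() for w in ignore_words):
            continue  # known test or placeholder value
        if keywords:
            start = max(0, m.start() - max_distance)
            window = lowered[start:m.end() + max_distance]
            if not any(k.lower() in window for k in keywords):
                continue  # regex matched, but no supporting keyword nearby
        hits.append(m.group(0))
    return hits


def build_custom_identifier_request(name, regex, keywords=(), max_distance=50,
                                    ignore_words=(), description=""):
    """Keyword arguments for boto3 macie2.create_custom_data_identifier()."""
    if not 1 <= max_distance <= 300:
        raise ValueError("maximumMatchDistance must be between 1 and 300")
    re.compile(regex)  # fail fast on a pattern Python cannot parse either
    request = {"name": name, "regex": regex, "maximumMatchDistance": max_distance}
    if keywords:
        request["keywords"] = list(keywords)
    if ignore_words:
        request["ignoreWords"] = list(ignore_words)
    if description:
        request["description"] = description
    return request


# Hypothetical internal employee identifier: "EMP-" followed by 7 digits.
EMPLOYEE_ID_REGEX = r"\bEMP-\d{7}\b"
EMPLOYEE_ID_KEYWORDS = ("employee id", "staff number", "payroll")
EMPLOYEE_ID_IGNORE = ("EMP-0000000",)  # documented placeholder value

# Constructed sample document: one real ID with a keyword, one placeholder,
# one look-alike with no keyword in range, and one more real ID.
FILLER = "x" * 60  # pushes the next keyword out of the 50-character window
SAMPLE_TEXT = (
    "Employee ID: EMP-1234567 joined in March.\n"
    "Example form field (leave blank): EMP-0000000\n"
    "Build number EMP-7654321 is not a person and has no keyword near it " + FILLER + "\n"
    "Payroll reference for the quarter is EMP-2468135.\n"
)

if __name__ == "__main__":
    hits = find_custom_matches(SAMPLE_TEXT, EMPLOYEE_ID_REGEX, EMPLOYEE_ID_KEYWORDS,
                               50, EMPLOYEE_ID_IGNORE)
    print("would be reported:", hits)
    print(build_custom_identifier_request("employee-id", EMPLOYEE_ID_REGEX,
                                          EMPLOYEE_ID_KEYWORDS, 50, EMPLOYEE_ID_IGNORE,
                                          "Internal employee identifier"))
```

Run it against a few real documents from the bucket you intend to scan: if the bare regex fires on build numbers or order references, add a keyword or tighten the pattern before you create the identifier, because a noisy custom identifier turns every discovery job into a pile of findings nobody reads.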

Macie use cases

Simplify your data privacy and security

Amazon Macie lets you simplify data privacy across your entire Amazon S3 environment, generating findings you can act on quickly when needed. Macie can also identify sensitive data that lives in other data stores if you temporarily move it to S3; if you do this, treat the staging bucket as sensitive in its own right (block public access, encrypt it, and delete the copy once the job has run).

Maintaining compliance

Macie provides different options to schedule your data analysis, such as one-time, daily, weekly, or monthly sensitive data discovery jobs to help you meet and maintain your data privacy and compliance requirements.

Discover your sensitive data at scale

Macie uses machine learning and pattern matching to discover sensitive data cost-efficiently in the chosen Region, and it works well even in a complex S3 environment. It automatically detects a large and growing number of sensitive data types, including personally identifiable information (PII) such as names, addresses, and credit card numbers.

Macie set up

The easiest way to set Macie up is by using the AWS Management Console:

1. Open the Amazon Macie console. Make sure the AWS Region you want to start in is selected; Macie is enabled per Region.

2. Choose “Get started”.

3. Choose “Enable” to turn Macie on for this account and Region.

4. Then choose “Get started” in the menu and select the job you want to create.
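
The same procedure driven from code, as an added example that is not part of the original article: enabling Macie in the current Region and creating either a one-time or a scheduled discovery job with boto3. The account ID, bucket names and job name are placeholders, and the FakeMacie class stands in for the real macie2 client so the file runs offline; the request shapes are those of the macie2 EnableMacie and CreateClassificationJob API calls.

```python
"""Enable Macie and create a sensitive data discovery job with boto3.

Added example, not code from the original article. Account ID, bucket
names and job name are placeholders; FakeMacie replaces boto3.client("macie2")
so the file runs without AWS credentials.
"""

WEEKDAYS = {"MONDAY", "TUESDAY", "WEDNESDAY", "THURSDAY", "FRIDAY", "SATURDAY", "SUNDAY"}


def schedule_frequency(frequency, day=None):
    """Translate 'daily' / 'weekly' / 'monthly' into Macie's scheduleFrequency.

    Weekly jobs need a day of the week, monthly jobs a day of the month
    (1-31); one-time jobs have no schedule at all.
    """
    if frequency == "daily":
        return {"dailySchedule": {}}
    if frequency == "weekly":
        if day not in WEEKDAYS:
            raise ValueError("weekly jobs need a dayOfWeek such as 'MONDAY'")
        return {"weeklySchedule": {"dayOfWeek": day}}
    if frequency == "monthly":
        if not isinstance(day, int) or not 1 <= day <= 31:
            raise ValueError("monthly jobs need a dayOfMonth between 1 and 31")
        return {"monthlySchedule": {"dayOfMonth": day}}
    raise ValueError(f"unknown frequency {frequency!r}")


def build_classification_job(name, account_id, buckets, frequency="one-time",
                             day=None, extensions=(), sampling_percentage=100,
                             custom_data_identifier_ids=()):
    """Keyword arguments for macie2.create_classification_job().

    `extensions` restricts the job to objects with those file extensions
    (a simpleScopeTerm on OBJECT_EXTENSION); empty means every object.
    """
    if not 1 <= sampling_percentage <= 100:
        raise ValueError("samplingPercentage must be between 1 and 100")
    job = {
        "name": name,
        "jobType": "ONE_TIME" if frequency == "one-time" else "SCHEDULED",
        "samplingPercentage": sampling_percentage,
        "s3JobDefinition": {
            "bucketDefinitions": [{"accountId": account_id, "buckets": list(buckets)}],
        },
    }
    if extensions:
        job["s3JobDefinition"]["scoping"] = {"includes": {"and": [{"simpleScopeTerm": {
            "comparator": "EQ", "key": "OBJECT_EXTENSION", "values": list(extensions)}}]}}
    if job["jobType"] == "SCHEDULED":
        job["scheduleFrequency"] = schedule_frequency(frequency, day)
        job["initialRun"] = True  # scan existing objects now, then only new/changed ones
    if custom_data_identifier_ids:
        job["customDataIdentifierIds"] = list(custom_data_identifier_ids)
    return job


def enable_and_start(macie, job_request):
    """Enable Macie in the client's Region, then submit the job; returns the job ID.

    Enabling an account that is already enabled raises ConflictException,
    which is treated as success.
    """
    try:
        macie.enable_macie(status="ENABLED", findingPublishingFrequency="FIFTEEN_MINUTES")
    except macie.exceptions.ConflictException:
        pass  # Macie was already on for this account and Region
    return macie.create_classification_job(**job_request)["jobId"]


class FakeMacie:
    """Offline stand-in for boto3.client("macie2") so this file runs as-is."""
    class exceptions:
        class ConflictException(Exception):
            pass

    def __init__(self, already_enabled=False):
        self.already_enabled = already_enabled
        self.jobs = []

    def enable_macie(self, **kwargs):
        if self.already_enabled:
            raise self.exceptions.ConflictException("Macie already enabled")
        self.already_enabled = True

    def create_classification_job(self, **kwargs):
        self.jobs.append(kwargs)
        return {"jobId": f"job-{len(self.jobs)}"}


if __name__ == "__main__":
    request = build_classification_job("weekly-pii-scan", "111122223333",
                                       ["example-customer-exports"], "weekly", "MONDAY",
                                       extensions=("csv", "json"))
    print(enable_and_start(FakeMacie(), request))  # swap in boto3.client("macie2") for real use
```

The split between ONE_TIME and SCHEDULED matters: Macie rejects a one-time job that carries a scheduleFrequency and a scheduled job without one, and initialRun decides whether the first scheduled run covers the objects already in the bucket or only those added afterwards.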

Macie pricing

The Macie free tier includes:

  • A 30-day free trial per account for S3 bucket evaluation (the inventory that breaks down buckets by whether they are shared publicly, encrypted or not, and shared inside or outside your AWS account).
  • For sensitive data discovery, the first 1 GB of data processed per month is free.

Macie's monthly cost is based on two components:

The number of S3 buckets evaluated; this price is the same in every AWS Region:

  • All buckets evaluated in the first 30 days are free
  • After the first 30 days, $0.10 per S3 bucket per month

The amount of data processed for sensitive data discovery; this price varies by AWS Region.

Amazon Macie vs. Amazon GuardDuty

Amazon GuardDuty is a different service from Amazon Macie. Macie looks only at S3 and classifies the data it holds so that you can make sure the right access controls are applied to that data.

Amazon GuardDuty provides intelligent, continuous threat detection across your AWS accounts, the data stored in Amazon S3, and your workloads to reduce risk.

GuardDuty monitors:

  • Abnormal API activity
  • Attempts to disable AWS CloudTrail logging
  • Potentially unauthorized deployments and compromised instances
  • S3 bucket compromise

Learn more about GuardDuty in our blog post: What is Amazon GuardDuty? Definition, Pricing & Comparison

Integration with AWS Security Hub

Macie integrates with AWS Security Hub, which provides a single place in your AWS environment to aggregate, organize, and prioritize security alerts and findings from multiple AWS security services. With the integration enabled, Macie publishes its findings to Security Hub, where they sit alongside findings from GuardDuty and other services.
