Security

Automated Sensitive Data Discovery in S3 with Amazon Macie - PII Detection and Security Posture Management

Learn about Macie's sensitive data discovery for S3 buckets, custom data identifiers, and Security Hub integration.

約 3 分で読めます

Overview of Macie

Macie is a data security service that automatically discovers and classifies sensitive data in S3 buckets. It automatically evaluates which S3 buckets contain sensitive data and whether their security settings are appropriate. With over 100 managed data identifiers, it detects PII and credit card numbers, and custom identifiers let you handle organization-specific sensitive data as well.

Data Discovery and Security Posture

Sensitive data discovery jobs scan objects in S3 buckets using sampling or full scans, detecting PII with managed data identifiers. Japanese names, addresses, phone numbers, and national ID numbers (My Number) are also supported. Custom data identifiers are defined by combining regular expressions (e.g., employee number patterns) with keywords (e.g., "confidential"). The S3 bucket inventory displays encryption settings, public access blocks, and sharing configurations for all buckets at a glance, helping you identify high-risk buckets.

Automated Discovery and Classification

Macie's automated sensitive data discovery continuously samples and scans all S3 buckets in your account to estimate the presence of sensitive data. It costs less than full scan jobs and is well-suited for understanding the distribution of sensitive data across your organization. Managed data identifiers detect over 100 sensitive data patterns including credit card numbers, social security numbers, passport numbers, and API keys. Custom data identifiers let you define regular expressions and keywords to detect organization-specific sensitive data such as employee numbers and customer codes. Allow lists suppress false positives by excluding test data and public information. To deepen your understanding of data security, specialized books on Amazon can also be useful.

Macie Pricing

Macie pricing consists of bucket evaluation (approximately $0.10 per bucket per month) and sensitive data discovery (based on scanned data volume, approximately $1 per GB). Automated sensitive data discovery is sampling-based and significantly cheaper than full scans. A 30-day free trial lets you assess actual costs. Manage costs by limiting scan targets to buckets likely to contain sensitive data, excluding log buckets and backup buckets. Findings are aggregated in Security Hub at no additional charge.

Summary

Start by enabling automated sensitive data discovery to sample-scan all S3 buckets across your account and understand the distribution of sensitive data. Prioritize full scans on high-risk buckets (publicly accessible, unencrypted), and build automated responses to findings via EventBridge integration (blocking public access, notifying the security team). Macie is especially valuable when organizations need to understand where personal data exists to comply with GDPR or data protection laws.

Related Services

Amazon MacieA service that uses machine learning to automatically discover and protect sensitive data in S3 bucketsAmazon S3A scalable object storage serviceAWS Security HubCentrally manage your AWS security posture and automatically check compliance with best practices

Related Articles

Threat Detection with Amazon GuardDuty - ML-Based Anomaly Detection and Incident ResponseLearn how GuardDuty detects threats, classifies findings, and integrates with Security Hub for incident response.Centralized Security Posture Management with AWS Security Hub - Aggregating Findings and Automated ResponseAggregate findings from GuardDuty, Inspector, and Macie using ASFF, quantify your security score through automated security standard evaluations, and set up automated remediation via EventBridge.Automated Sensitive Data Discovery with Amazon Macie - PII Scanning and Data Protection for S3 BucketsLearn how Amazon Macie automatically discovers sensitive data (PII, financial information, credentials) in S3 buckets and how to build a data protection strategy based on the findings.

More on This Topic

Detecting Excessive Permissions with IAM Access Analyzer - External Access and Unused Permission AnalysisDetect unused permissions on IAM roles using CloudTrail-based analysis and auto-generate least-privilege policies. This guide covers external access detection and integrating custom policy checks into your CI/CD pipeline.Automating SSL/TLS Certificate Management with AWS Certificate Manager - From Issuance to RotationLearn how ACM handles free public certificate issuance, DNS validation, automatic renewal, and deployment to ALB and CloudFront.Retrieving Compliance Reports with AWS Artifact - Audit Response and Agreement ManagementLearn how to retrieve SOC, PCI DSS, and ISO audit reports on demand and apply BAA and GDPR DPA agreements across your entire AWS Organizations structure.Automating Audits - Continuously Collecting Compliance Evidence with AWS Audit ManagerLearn how to automate audit evidence collection with AWS Audit Manager. This guide covers automated assessments based on frameworks such as SOC 2, PCI DSS, and GDPR, centralized evidence management, and audit report generation.The Hidden Structure of AWS Account IDs' 12 Digits - Why 12 Digits, and What Can You Infer?A trivia-style exploration of why AWS account IDs are 12-digit numbers, the design intent embedded in the ARN structure, and the security considerations around what can be inferred from an account ID.Why the AWS Account Root User Is Dangerous - The Design Philosophy of Privilege Separation and Practical LockdownWe explain why the AWS root user holds privileges that cannot be restricted by IAM, list the operations only the root user can perform, cover MFA setup methods, and describe the lockdown strategy using Organizations' centralized root access management.Certificate Management and HTTPS - Automated TLS Certificate Operations with AWS Certificate ManagerLearn about TLS/SSL certificate issuance, automatic renewal, and deployment using AWS Certificate Manager (ACM). Covers integration with CloudFront, ALB, and API Gateway, DNS validation, and Private CA usage.Dedicated Key Management with AWS CloudHSM - FIPS 140-2 Level 3 Compliant EncryptionAchieve FIPS 140-2 Level 3 compliant key management with dedicated HSM instances. Learn when to choose CloudHSM over KMS and how to integrate both through KMS custom key stores.

Similar Articles and Services

Automated Sensitive Data Discovery with Amazon Macie - PII Scanning and Data Protection for S3 BucketsLearn how Amazon Macie automatically discovers sensitive data (PII, financial information, credentials) in S3 buckets and how to build a data protection strategy based on the findings.Amazon MacieA data security service that uses machine learning to automatically discover sensitive data like PII and credit card numbers in S3 bucketsData Privacy Protection - Automated Sensitive Data Discovery and Threat Defense with Amazon Macie and GuardDutyLearn practical data privacy protection techniques combining Amazon Macie's automated sensitive data discovery in S3 with Amazon GuardDuty's threat intelligence. This article covers comprehensive security measures from identifying personal information to real-time threat detection.AWS Security Service Integration - Native Threat Detection from GuardDuty to Detective Without a SIEMWe explain the native threat detection mechanism through the integration of GuardDuty, Security Hub, Detective, and Macie, and compare the design philosophy differences with Azure Sentinel.