Amazon Macie Cheat Sheet

Updated June 23, 2025

What is Amazon Macie?

Amazon Macie is a fully managed data security and data privacy service that uses machine learning and pattern matching to discover and protect your sensitive data in AWS. Macie's primary focus is on identifying and securing sensitive data stored in Amazon S3.

It helps you answer critical questions like "What data do I have in S3?", "Where is my sensitive data located?", and "How can I ensure my S3 buckets are secure?".

How Macie Works

Macie provides two main capabilities that work together to protect your data in Amazon S3:

1. S3 Security Posture Management

This feature gives you a continuous, automated assessment of your S3 security posture at the bucket level.

  • Automated Inventory: Macie automatically discovers and maintains a complete inventory of all your S3 buckets.

  • Continuous Evaluation: It continuously evaluates bucket-level security controls, checking for things like:

    • Public accessibility

    • Encryption status

    • Bucket sharing and replication policies

  • Policy Findings: If a bucket deviates from security best practices (e.g., it becomes public), Macie generates a policy finding to alert you.

2. Sensitive Data Discovery

This is the core feature where Macie scans S3 objects to find sensitive information.

  • Discovery Jobs: You run sensitive data discovery jobs to perform a deep inspection of your S3 objects. These jobs can be one-time, scheduled, or triggered by specific events.

  • Intelligent Detection Methods: Macie uses a combination of techniques to find sensitive data:

    • Managed Data Identifiers: A large, continually updated library of criteria to detect common sensitive data types, including:

      • Personally Identifiable Information (PII): Names, addresses, national ID numbers, driver's licenses.

      • Financial Information: Credit card numbers, bank account numbers.

      • Credentials: AWS secret keys, private keys.

    • Custom Data Identifiers: You can define your own identifiers using regular expressions (regex) to detect proprietary data patterns unique to your organization (e.g., employee IDs, project codes).

  • Sensitive Data Findings: When a job finds sensitive data, it generates a detailed finding that pinpoints the exact location of the data within the object (e.g., line number, page number, or path in a JSON file).

Core Features & Benefits

  • Discover Sensitive Data at Scale: Provides visibility into where your PII, financial data, and other critical information resides across your entire S3 estate.

  • Multi-Account Management: Natively integrates with AWS Organizations. You can delegate a single administrator account to manage Macie, run discovery jobs, and view findings for all member accounts.

  • Targeted and Cost-Effective Scanning: Discovery jobs can be scoped to scan specific buckets or even objects with certain prefixes, allowing you to focus your efforts and control costs. Cost estimates are provided before you run a job.

  • Compliance and Auditing: Helps you meet compliance requirements for regulations like GDPR, HIPAA, and PCI-DSS by identifying and protecting regulated data.

  • Actionable Findings & Automation:

    • All findings are sent to Amazon EventBridge, enabling you to build automated remediation workflows (e.g., trigger a Lambda function to restrict access to a bucket).

    • Findings are also integrated with AWS Security Hub, giving you a single pane of glass for all your AWS security alerts.
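As an added example (not from the original cheat sheet or from AWS), a Python Lambda handler that triages a Macie finding delivered through EventBridge and, for a high-severity public-bucket policy finding, re-enables S3 Block Public Access on the affected bucket. The sample event is constructed and abbreviated; the action names and the dry_run flag are this example's own choices.

```python
# Constructed, abbreviated Macie finding as delivered by EventBridge; field names
# follow the Macie finding schema, but verify them against your own findings.
SAMPLE_EVENT = {
    "source": "aws.macie",
    "detail-type": "Macie Finding",
    "detail": {
        "category": "POLICY",
        "type": "Policy:IAMUser/S3BucketPublic",
        "severity": {"score": 3, "description": "High"},
        "resourcesAffected": {"s3Bucket": {"name": "example-data-bucket"}},
    },
}

def triage_finding(event: dict) -> dict:
    """Decide what to do with one Macie finding event (pure, no AWS calls)."""
    # Reject anything that is not a Macie finding so a mis-wired rule cannot trigger remediation.
    if event.get("source") != "aws.macie" or event.get("detail-type") != "Macie Finding":
        return {"action": "ignore", "reason": "not a Macie finding"}
    d = event["detail"]
    bucket = d.get("resourcesAffected", {}).get("s3Bucket", {}).get("name")
    severity = d.get("severity", {}).get("description", "Low")
    decision = {"action": "notify", "bucket": bucket, "type": d.get("type"), "severity": severity}
    if d.get("category") == "POLICY" and d.get("type", "").endswith("S3BucketPublic") and severity == "High":
        # Bucket became public: safe to auto-remediate by re-enabling Block Public Access.
        decision["action"] = "block_public_access"
    elif d.get("category") == "CLASSIFICATION":
        # Sensitive data finding: summarise categories and counts for the analyst.
        found = d.get("classificationDetails", {}).get("result", {}).get("sensitiveData", [])
        decision["sensitive"] = {s["category"]: s["totalCount"] for s in found}
    return decision

def apply_decision(decision: dict, dry_run: bool = True) -> bool:
    """Apply a block_public_access decision with boto3; returns True if applied."""
    if decision["action"] != "block_public_access" or dry_run:
        return False
    import boto3  # imported here so triage stays testable without AWS access
    boto3.client("s3").put_public_access_block(
        Bucket=decision["bucket"],
        PublicAccessBlockConfiguration={
            "BlockPublicAcls": True, "IgnorePublicAcls": True,
            "BlockPublicPolicy": True, "RestrictPublicBuckets": True,
        },
    )
    return True

def lambda_handler(event, context=None):
    decision = triage_finding(event)
    apply_decision(decision, dry_run=True)  # set dry_run=False once the rule is verified
    return decision
```

Wire the function to an EventBridge rule matching `source: aws.macie` and `detail-type: Macie Finding`, and grant its role only `s3:PutBucketPublicAccessBlock` on the buckets it may remediate.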

Use Cases

  • Preventing Data Leaks: Identify and secure sensitive data in S3 buckets that are accidentally made public.

  • Regulatory Compliance: Demonstrate compliance by showing auditors where sensitive data is stored and how it is protected.

  • Protecting Intellectual Property: Use custom data identifiers to discover and monitor proprietary business data.

  • Data Privacy Audits: Quickly respond to data privacy requests by knowing exactly where an individual's data is located.

Pricing

Macie's pricing model has two components, and it includes a free trial.

  • S3 Bucket Evaluation: A monthly fee based on the total number of S3 buckets evaluated for security posture.

  • Sensitive Data Discovery: A fee based on the amount of data (per GB) processed by sensitive data discovery jobs.

  • 30-Day Free Trial: New accounts receive a 30-day free trial that includes a free tier for bucket evaluation and a complimentary amount of data processing for sensitive data discovery.