AWS Macie
AWS Macie (the service AWS brands as Amazon Macie) is a data security service that discovers sensitive data stored in Amazon S3 using machine learning and pattern matching. It shows where that data lives and how exposed the buckets holding it are, and it publishes findings that can drive automated response.
Overview
Macie provides:
- Sensitive Data Discovery: Automatically discovers PII, financial data, credentials, and other sensitive information
- S3 Bucket Inventory: Comprehensive inventory of S3 buckets with security and access control evaluation
- Policy Findings: Detects security issues like publicly accessible buckets, disabled encryption, external sharing
- Sensitive Data Findings: Reports discovered sensitive data including location and data type
- Multi-account Coverage: Monitors S3 across the member accounts of the AWS Organization from a single delegated administrator account
Key Features
| Feature | Description |
|---|---|
| Data Discovery | ML-based detection of PII, PHI, financial data, and credentials |
| Bucket Monitoring | Continuous evaluation of bucket security posture |
| Custom Identifiers | Define custom patterns for sensitive data detection |
| Security Hub Integration | Findings published to AWS Security Hub |
| EventBridge Integration | Findings published to EventBridge for automation |
Architecture
Deployment
This component deploys Macie in three steps using the AWS Organizations delegated administrator model: the security account is prepared first, the organization management account then delegates Macie administration to it, and finally the delegated administrator configures the organization-wide settings.
Step 1: Deploy to Delegated Administrator Account
```yaml
# core-ue1-security
components:
  terraform:
    aws-macie/delegated-administrator:
      metadata:
        component: macie
      vars:
        enabled: true
        delegated_administrator_account_name: core-security
        environment: ue1
        region: us-east-1
        # Not yet delegated - creates Macie account only
        admin_delegated: false
```

```shell
atmos terraform apply aws-macie/delegated-administrator -s core-ue1-security
```
Step 2: Deploy to Organization Management Account
Root Access Required:
This step runs in the organization management account (core-root), because only the management account can designate a delegated administrator in AWS Organizations. It requires credentials that can act in that account, such as the managers profile.

```yaml
# core-ue1-root
components:
  terraform:
    aws-macie/root:
      metadata:
        component: macie
      backend:
        s3:
          # Reach the state backend with the current credentials instead of
          # assuming the shared backend role.
          role_arn: null
      vars:
        enabled: true
        delegated_administrator_account_name: core-security
        environment: ue1
        region: us-east-1
        # Use the management-account credentials directly rather than
        # assuming the component's usual role.
        privileged: true
```

```shell
atmos terraform apply aws-macie/root -s core-ue1-root
```
Step 3: Deploy Organization Settings
```yaml
# core-ue1-security
components:
  terraform:
    aws-macie/org-settings:
      metadata:
        component: macie
      vars:
        enabled: true
        delegated_administrator_account_name: core-security
        environment: ue1
        region: us-east-1
        # Delegation from Step 2 is complete; configure the organization
        admin_delegated: true
        finding_publishing_frequency: FIFTEEN_MINUTES
```

```shell
atmos terraform apply aws-macie/org-settings -s core-ue1-security
```
Multi-Region Deployment
Macie is a regional service: the delegated administrator designation, the Macie session and the organization settings all exist per region. Repeat all three steps in each region where you have S3 buckets:

```shell
# us-east-1
atmos terraform apply aws-macie/delegated-administrator -s core-ue1-security
atmos terraform apply aws-macie/root -s core-ue1-root
atmos terraform apply aws-macie/org-settings -s core-ue1-security

# us-west-2
atmos terraform apply aws-macie/delegated-administrator -s core-uw2-security
atmos terraform apply aws-macie/root -s core-uw2-root
atmos terraform apply aws-macie/org-settings -s core-uw2-security
```
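After the three steps have been applied in a region, it is worth confirming that the state AWS reports matches what the stacks were meant to produce before flipping `admin_delegated` in any further region. The script below is an added example and is not part of the macie component: it checks that the security account is the single ENABLED delegated administrator, that its Macie session is enabled with the configured publishing frequency, and that the organization configuration auto-enables new member accounts. The checks operate on the plain dictionaries the boto3 `macie2` client returns, so they can be exercised offline; the `CONSTRUCTED_*` responses are made up, the account ID is a placeholder, and the profile names passed to `live_check` are whatever you use locally.

```python
"""Verify a Macie delegated-administrator rollout in one region.

Added example, not part of the macie component. The constructed responses
below model boto3 macie2 output; the account ID is a placeholder.
"""
from __future__ import annotations

EXPECTED_ADMIN = "222222222222"  # placeholder for the core-security account ID


def check_delegation(admin_accounts: dict, session: dict, org_config: dict,
                     expected_admin: str = EXPECTED_ADMIN,
                     expected_frequency: str = "FIFTEEN_MINUTES") -> list[str]:
    """Return the problems found; an empty list means the rollout looks right."""
    problems: list[str] = []

    # list_organization_admin_accounts, called from the management account
    enabled = [a for a in admin_accounts.get("adminAccounts", []) if a.get("status") == "ENABLED"]
    if len(enabled) != 1:
        problems.append(f"expected exactly one ENABLED delegated admin, found {len(enabled)}")
    elif enabled[0].get("accountId") != expected_admin:
        problems.append(f"delegated admin is {enabled[0]['accountId']}, expected {expected_admin}")

    # get_macie_session, called from the delegated administrator account
    if session.get("status") != "ENABLED":
        problems.append(f"Macie session status is {session.get('status')!r}, expected 'ENABLED'")
    if session.get("findingPublishingFrequency") != expected_frequency:
        problems.append(f"findingPublishingFrequency is {session.get('findingPublishingFrequency')!r}, "
                        f"expected {expected_frequency!r}")

    # describe_organization_configuration, called from the delegated administrator account
    if not org_config.get("autoEnable", False):
        problems.append("autoEnable is false: new member accounts will not get Macie automatically")
    if org_config.get("maxAccountLimitReached", False):
        problems.append("maxAccountLimitReached is true: no more member accounts can be added")
    return problems


# Constructed responses for a region where all three steps have been applied.
CONSTRUCTED_AFTER_STEP3 = {
    "admin_accounts": {"adminAccounts": [{"accountId": EXPECTED_ADMIN, "status": "ENABLED"}]},
    "session": {"status": "ENABLED", "findingPublishingFrequency": "FIFTEEN_MINUTES"},
    "org_config": {"autoEnable": True, "maxAccountLimitReached": False},
}

# Constructed responses for a region where Step 1 ran but Step 2 (delegation from the
# management account) did not. describe_organization_configuration is refused for an
# account that is not the administrator; that is modelled here as an empty dict.
CONSTRUCTED_AFTER_STEP1 = {
    "admin_accounts": {"adminAccounts": []},
    "session": {"status": "ENABLED", "findingPublishingFrequency": "FIFTEEN_MINUTES"},
    "org_config": {},
}


def live_check(region: str, management_profile: str, admin_profile: str,
               expected_admin: str = EXPECTED_ADMIN) -> list[str]:
    """Run the same checks against a real organization.

    Assumes two named AWS CLI profiles (names are yours to choose): one that can act in
    the organization management account and one for the delegated administrator account.
    """
    import boto3  # imported here so the offline checks above do not need it installed

    mgmt = boto3.Session(profile_name=management_profile, region_name=region).client("macie2")
    admin = boto3.Session(profile_name=admin_profile, region_name=region).client("macie2")
    return check_delegation(
        mgmt.list_organization_admin_accounts(),
        admin.get_macie_session(),
        admin.describe_organization_configuration(),
        expected_admin,
    )


if __name__ == "__main__":
    import sys
    # Usage: python check_macie.py us-east-1 <management-profile> <admin-profile>
    for problem in live_check(*sys.argv[1:4]):
        print(problem)
```

Run it once per region; an empty output means the region matches the intended end state, and the `CONSTRUCTED_AFTER_STEP1` shape is what you will see if `aws-macie/root` was skipped or applied in the wrong region.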
Finding Publishing Frequency
Configure how often Macie publishes updates to policy findings to Security Hub and EventBridge. The setting governs policy findings; sensitive data findings are published when the classification job that produced them finishes.

| Value | Description |
|---|---|
| FIFTEEN_MINUTES | Publish every 15 minutes (AWS default, recommended) |
| ONE_HOUR | Publish every hour |
| SIX_HOURS | Publish every 6 hours |
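Publishing to EventBridge only pays off if something consumes the findings. The handler below is an added example, not part of the macie component or of AWS sample code: it shows the envelope Macie puts on the bus (source `aws.macie`, detail-type `Macie Finding`) and a Lambda-style function that turns each finding into a routing decision, so a policy finding about an exposed bucket or a sensitive data finding containing credentials is treated differently from a low-severity PII hit in a private bucket. The sample events are constructed; account IDs, bucket names and object keys are placeholders, and the `page` / `ticket` / `log` actions stand in for whatever your response tooling does.

```python
"""Route Macie findings delivered through EventBridge.

Added example, not part of the macie component. Sample events are constructed.
"""
from dataclasses import asdict, dataclass
from typing import Optional

# Policy findings that mean the bucket itself is exposed. These are worth
# paging on even before a classification job has looked inside the bucket.
EXPOSURE_POLICY_TYPES = {
    "Policy:IAMUser/S3BucketPublic",
    "Policy:IAMUser/S3BlockPublicAccessDisabled",
    "Policy:IAMUser/S3BucketSharedExternally",
}


@dataclass(frozen=True)
class Decision:
    action: str          # "page", "ticket" or "log" (placeholder actions)
    finding_type: str
    severity: str        # Macie uses "Low", "Medium", "High"
    bucket: str
    key: Optional[str]
    reason: str


def classify(event: dict) -> Decision:
    """Decide what to do with one EventBridge event carrying a Macie finding."""
    if event.get("source") != "aws.macie" or event.get("detail-type") != "Macie Finding":
        raise ValueError("not a Macie finding event")
    finding = event["detail"]
    ftype = finding["type"]
    severity = finding["severity"]["description"]
    affected = finding.get("resourcesAffected", {})
    bucket_info = affected.get("s3Bucket", {})
    bucket = bucket_info.get("name", "")
    key = affected.get("s3Object", {}).get("key")
    # effectivePermission is PUBLIC, NOT_PUBLIC or UNKNOWN
    bucket_public = bucket_info.get("publicAccess", {}).get("effectivePermission") == "PUBLIC"

    # A finding that matched a suppression rule arrives with archived=true: record, do not alert.
    if finding.get("archived"):
        return Decision("log", ftype, severity, bucket, key, "archived by suppression rule")

    if finding["category"] == "POLICY":
        if ftype in EXPOSURE_POLICY_TYPES:
            return Decision("page", ftype, severity, bucket, key, "bucket exposed publicly or externally")
        return Decision("ticket", ftype, severity, bucket, key, "bucket security setting weakened")

    # category == "CLASSIFICATION": a job found sensitive data in an object
    result = finding.get("classificationDetails", {}).get("result", {})
    categories = {item["category"] for item in result.get("sensitiveData", [])}
    if "CREDENTIALS" in categories:
        return Decision("page", ftype, severity, bucket, key, "credentials in object: rotate and remove")
    if bucket_public:
        return Decision("page", ftype, severity, bucket, key, "sensitive data in a public bucket")
    if severity == "High":
        return Decision("ticket", ftype, severity, bucket, key, "high-severity sensitive data finding")
    return Decision("log", ftype, severity, bucket, key, "low or medium severity in a private bucket")


def handler(event: dict, context=None) -> dict:
    """Lambda entry point for an EventBridge rule matching source aws.macie."""
    return asdict(classify(event))


def _finding(ftype: str, category: str, severity: str, bucket: str, public: bool,
             key: Optional[str] = None, data_category: Optional[str] = None) -> dict:
    """Build a constructed finding inside the EventBridge envelope Macie uses."""
    detail = {
        "schemaVersion": "1.0", "id": "example-finding", "accountId": "111111111111",
        "category": category, "type": ftype, "archived": False,
        "severity": {"score": {"Low": 1, "Medium": 2, "High": 3}[severity], "description": severity},
        "resourcesAffected": {"s3Bucket": {"name": bucket, "publicAccess": {
            "effectivePermission": "PUBLIC" if public else "NOT_PUBLIC"}}},
    }
    if key:
        detail["resourcesAffected"]["s3Object"] = {"key": key}
    if data_category:
        detail["classificationDetails"] = {"result": {"sensitiveData": [
            {"category": data_category, "totalCount": 1}]}}
    return {"version": "0", "detail-type": "Macie Finding", "source": "aws.macie",
            "account": "111111111111", "region": "us-east-1", "detail": detail}


# Constructed sample events covering each branch of classify().
PUBLIC_BUCKET_EVENT = _finding("Policy:IAMUser/S3BucketPublic", "POLICY", "High", "example-logs", True)
ENCRYPTION_EVENT = _finding("Policy:IAMUser/S3BucketEncryptionDisabled", "POLICY", "Medium", "example-logs", False)
CREDENTIALS_EVENT = _finding("SensitiveData:S3Object/Credentials", "CLASSIFICATION", "High",
                             "example-backups", False, "exports/config.env", "CREDENTIALS")
LOW_PII_EVENT = _finding("SensitiveData:S3Object/Personal", "CLASSIFICATION", "Low",
                         "example-backups", False, "exports/contacts.csv", "PERSONAL_INFORMATION")
```

The event pattern for the rule is simply `{"source": ["aws.macie"], "detail-type": ["Macie Finding"]}`; the filtering on type, category and severity belongs in the handler, where it can also consult `archived` and the bucket's effective public access, which a coarse EventBridge pattern cannot express well.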
Key Variables
| Variable | Description | Default |
|---|---|---|
| admin_delegated | Set to true after delegation is complete | false |
| finding_publishing_frequency | How often to publish findings | FIFTEEN_MINUTES |
| member_accounts | List of member account names to enable | [] |
Sensitive Data Types
Macie can detect:
- PII: Names, addresses, phone numbers, SSN, passport numbers
- Financial: Credit card numbers, bank account numbers
- Health: PHI, medical record numbers
- Credentials: API keys, passwords, private keys
- Custom: User-defined patterns using regex
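A custom data identifier is more than a regex: Macie combines the pattern with optional keywords that must appear shortly before a match, a maximum match distance (1 to 300 characters, 50 by default) and ignore words that disqualify a match, so a pattern is best tested against sample text before it is created. The scanner below is an added example, not part of the macie component, and it is a local approximation of the semantics AWS documents rather than Macie's own matcher, which is not public. The employee-ID identifier and the sample text are constructed; `to_api_kwargs` maps the definition onto the real `create_custom_data_identifier` call of the boto3 `macie2` client.

```python
"""Dry-run a Macie custom data identifier before creating it.

Added example, not part of the macie component. The matching rules are an
approximation of the documented behaviour; the identifier and sample text
are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field


@dataclass
class CustomDataIdentifier:
    name: str
    regex: str   # Macie accepts a restricted PCRE subset (no backreferences); keep it simple
    keywords: list[str] = field(default_factory=list)
    ignore_words: list[str] = field(default_factory=list)
    maximum_match_distance: int = 50  # Macie default

    def scan(self, text: str) -> list[str]:
        """Return the substrings this identifier would (approximately) report."""
        hits: list[str] = []
        for m in re.finditer(self.regex, text):
            candidate = m.group(0)
            # An ignore word inside the matched text disqualifies the match.
            if any(w.lower() in candidate.lower() for w in self.ignore_words):
                continue
            if self.keywords and not self._keyword_near(text, m.end()):
                continue
            hits.append(candidate)
        return hits

    def _keyword_near(self, text: str, match_end: int) -> bool:
        """True if some keyword ends within maximum_match_distance characters before match_end.

        Assumption: the distance is measured from the end of the keyword to the end
        of the regex match, as the AWS documentation describes it, and keyword
        comparison is case-insensitive.
        """
        for kw in self.keywords:
            for k in re.finditer(re.escape(kw), text, re.IGNORECASE):
                if 0 <= match_end - k.end() <= self.maximum_match_distance:
                    return True
        return False

    def to_api_kwargs(self) -> dict:
        """Keyword arguments for boto3 macie2 create_custom_data_identifier."""
        return {
            "name": self.name,
            "regex": self.regex,
            "keywords": self.keywords,
            "ignoreWords": self.ignore_words,
            "maximumMatchDistance": self.maximum_match_distance,
        }


# Constructed identifier: internal employee IDs of the form EMP- plus six digits.
EMPLOYEE_ID = CustomDataIdentifier(
    name="employee-id",
    regex=r"EMP-\d{6}",
    keywords=["employee", "staff number"],
    ignore_words=["EMP-000000"],  # documentation placeholder, never a real person
    maximum_match_distance=30,
)

# Constructed sample text: one real hit, one match with no keyword nearby,
# one placeholder value, and one match whose keyword is too far away.
SAMPLE_TEXT = "\n".join([
    "Employee record for Jane: EMP-123456",
    "Order reference EMP-654321 shipped yesterday",
    "employee template uses EMP-000000 as a placeholder",
    "employee offboarding checklist, ticket opened by HR last week: EMP-777777",
])
```

Running `EMPLOYEE_ID.scan(SAMPLE_TEXT)` on the sample returns only `EMP-123456`: the order reference has no keyword near it, the placeholder is excluded by the ignore word, and the last line's keyword ends 65 characters before the match, beyond the 30-character limit. Dropping the keywords returns all four, which is the false-positive rate a bare regex would give you in production.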
See Also
- AWS Security Hub - Aggregates Macie findings
- AWS Config - Monitors S3 bucket configurations
- Setup Guide - Complete deployment instructions