Ensure that the Amazon Macie service is currently in use in order to classify and protect sensitive information, such as credit card numbers, financial records or Personally Identifiable Information (PII), stored in your AWS account. AWS Macie is a data security service that uses machine learning to automatically discover, classify and protect critical data within the AWS cloud. Once enabled and configured, Macie scans your S3 buckets to identify sensitive information, brings this data to your attention, and analyzes access patterns and user behavior to help prevent data leakage. Macie can also help you meet governance, compliance and audit standards. For example, because the service recognizes Personally Identifiable Information (PII), it can help you comply with General Data Protection Regulation (GDPR) requirements around encryption and pseudonymization of data.
The main features of the AWS Macie service are:
Data security automation – analyzes, classifies and processes data to understand access patterns, recorded user authentications, data access locations and times of access.
Data visibility – reveals useful data storage insights and provides immediate data protection without the need for manual input.
Data security and monitoring – continuously monitors usage log data to detect anomalies and automatically reports issues using AWS CloudWatch Events and/or AWS Lambda.
Data research and reporting – allows administrative configuration for reporting and alert management.
IMPORTANT: When Amazon Macie performs its initial scan of your data, it generates a large one-off charge. Because of this behavior, Cloud Conformity strongly recommends that you consult the AWS Macie pricing guide, evaluate the size of your data, and do the necessary calculations to estimate the initial cost before you enable the service.
This rule can help you with the following compliance standards:
- APRA
- MAS
- NIST4
For further details on compliance standards supported by Conformity, see here.
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
With Amazon Macie you can classify and safeguard your sensitive data, automate compliance (including GDPR compliance), detect unauthorized user access and avoid inadvertent data leaks through customizable alerts.
Audit
To determine if AWS Macie service is currently enabled in your AWS account, perform the following:
Note: Checking the Amazon Macie service status using the AWS API via the Command Line Interface (CLI) is not currently supported.
Remediation / Resolution
To enable and configure AWS Macie, you need to perform the following actions:
Note 1: Currently, Macie is supported in the following regions: US East (N. Virginia) and US West (Oregon).
Note 2: Enabling and configuring the Amazon Macie service using the AWS API via the Command Line Interface (CLI) is not currently supported.