As you put more and more data in the cloud, you need to rely on security automation to keep it safe. Many data breaches are not caused by malicious actions of unauthorized users, but by mistakes of authorized users. To monitor and manage the security of sensitive data, you first need to be able to identify it. AWS launched Amazon Macie, a fully managed data security and data privacy service that uses machine learning and pattern matching to help you detect, classify, and better protect sensitive data stored in the AWS cloud.
How Macie Works
Macie applies machine learning and pattern matching to the S3 buckets you select to identify sensitive data, such as personally identifiable information (PII), and alerts you when it finds some. You can search and filter Macie findings in the AWS Management Console and send them to Amazon EventBridge (formerly Amazon CloudWatch Events), which makes it easy to integrate them with existing workflows or incident management systems, or to combine them with AWS services such as AWS Step Functions to perform automated remediation. This can help you meet regulatory requirements such as the Health Insurance Portability and Accountability Act (HIPAA) and the General Data Privacy Regulation (GDPR).
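The EventBridge path described above ends in some target that consumes the finding and decides what to do. The following is an added example, not code from the article or from AWS: a small triage handler that a Lambda or Step Functions target could run on a Macie finding event. The event is a constructed sample modelled on the `aws.macie` / `Macie Finding` EventBridge event; the nested field names (`resourcesAffected.s3Bucket.publicAccess.effectivePermission`, `defaultServerSideEncryption.encryptionType`) are assumed from the published finding format and should be checked against the events your account actually receives. The handler only builds a remediation plan; the plan's action names are placeholders for whatever your workflow implements.

```python
"""Triage Amazon Macie findings delivered through Amazon EventBridge.

Added example, not code from the original article. The sample event below is
constructed; field names are assumed from the Macie finding event format.
"""
from dataclasses import dataclass, field

# EventBridge rule pattern that selects Macie findings (real pattern syntax).
EVENT_PATTERN = {"source": ["aws.macie"], "detail-type": ["Macie Finding"]}

# Constructed sample event, trimmed to the fields the handler uses.
SAMPLE_EVENT = {
    "version": "0",
    "source": "aws.macie",
    "detail-type": "Macie Finding",
    "region": "us-east-2",
    "detail": {
        "id": "example-finding-id",                      # placeholder id
        "type": "SensitiveData:S3Object/Personal",
        "severity": {"description": "High", "score": 3},
        "resourcesAffected": {
            "s3Bucket": {
                "name": "example-migration-staging",    # constructed name
                "publicAccess": {"effectivePermission": "NOT_PUBLIC"},
                "defaultServerSideEncryption": {"encryptionType": "NONE"},
            },
            "s3Object": {"key": "exports/customers.csv"},
        },
    },
}


@dataclass
class TriageResult:
    bucket: str
    key: str
    severity: str
    actions: list = field(default_factory=list)


def matches_pattern(event: dict) -> bool:
    """Mimic the EventBridge rule: every key in the pattern must match one value."""
    return all(event.get(k) in allowed for k, allowed in EVENT_PATTERN.items())


def triage_finding(event: dict) -> TriageResult:
    """Map a Macie finding to the remediation steps a downstream target would run.

    Action names are placeholders for the steps your own workflow implements.
    """
    if not matches_pattern(event):
        raise ValueError("not a Macie finding event")
    detail = event["detail"]
    resources = detail["resourcesAffected"]
    bucket = resources["s3Bucket"]
    result = TriageResult(
        bucket=bucket["name"],
        key=resources.get("s3Object", {}).get("key", ""),
        severity=detail["severity"]["description"],
    )
    # Sensitive-data findings: tag the object so access policies can key on it.
    if detail["type"].startswith("SensitiveData:"):
        result.actions.append("tag-object:DataClassification=Sensitive")
    # Bucket-level weaknesses reported alongside the finding.
    if bucket.get("publicAccess", {}).get("effectivePermission") == "PUBLIC":
        result.actions.append("block-public-access")
    if bucket.get("defaultServerSideEncryption", {}).get("encryptionType") == "NONE":
        result.actions.append("enable-default-encryption")
    # High-severity findings also page the security team.
    if result.severity == "High":
        result.actions.append("notify-security-team")
    return result


def lambda_handler(event: dict, context=None) -> dict:
    """Lambda-style entry point; returns the plan as a JSON-serialisable dict."""
    r = triage_finding(event)
    return {"bucket": r.bucket, "key": r.key, "severity": r.severity, "actions": r.actions}


if __name__ == "__main__":
    print(lambda_handler(SAMPLE_EVENT))
```

The pattern check is deliberately duplicated in code: an EventBridge rule already filters on `source` and `detail-type`, but a target that is also reachable by other routes (manual invocation, a test event) should not assume the shape of what it receives.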
Macie Use Cases
Identifying Sensitive Data During Data Migration
When migrating large amounts of data to AWS, you can set up a secure Amazon S3 environment to use as an initial staging area for discovering sensitive data with Macie. You can also extract files from applications (such as email, file sharing, collaboration tools) and transfer them to S3 for Macie evaluation. The evaluation results can help you understand where migrated data should be stored and what security controls (such as encryption and resource tagging) need to be applied. Using Macie findings, you can automatically configure data protection and role-based access policies as data migrates to AWS.
Assessing Your Data Privacy and Security
An important aspect of maintaining the right level of data security is being able to continuously identify sensitive data and evaluate security and access controls. Amazon Macie lets you do this across your entire Amazon S3 environment, generating actionable findings so you can respond quickly when needed. With Macie, you can also identify sensitive data residing in other data stores by temporarily moving it to S3. For example, you can take Amazon Relational Database Service (RDS) or Amazon Aurora snapshots and export the data from those services to Amazon S3, where Macie can evaluate it for sensitive data. This lets you use Macie to help maintain data privacy and security beyond S3 itself.
Maintaining Compliance
Compliance teams need to monitor where sensitive data is located, protect it appropriately, and provide evidence that data security and privacy controls are in place to meet compliance requirements. Amazon Macie offers different scheduling options, such as one-time, daily, weekly, or monthly sensitive data discovery jobs, to help you meet and maintain data privacy and compliance requirements. Macie automatically sends the output of all sensitive data discovery jobs (including findings, evaluation results, timestamps, and a history of every bucket and object scanned for sensitive data) to an S3 bucket you own. These detailed discovery reports can be used for data privacy and protection audits and for long-term retention.
Macie Pricing
Macie charges based on the number of Amazon S3 buckets evaluated for bucket-level security and access control, and the amount of data processed for sensitive data discovery. Macie only charges for bytes processed in supported object types it examines.
As part of Macie sensitive data discovery jobs, standard Amazon S3 charges for GET and LIST requests will also apply.
Taking the Ohio region as an example:
Pricing Example
Macie is enabled in an account that has 15 Amazon S3 buckets. You submit a sensitive data discovery job for the buckets, with 1,000,000 objects in S3 Standard storage, resulting in 100GB of data processed.
• 15 Amazon S3 buckets
• 100GB of data processed for sensitive data discovery
• 1,000,000 objects, all supported object types
Macie cost = 15 * $0.10 ($0.10 per S3 bucket per month) + 1 * $0.00 (first 1GB per month is free) + 99 * $1.00 ($1.00 per GB for the next 50,000GB after the first 1GB per month) = $1.50 + $0.00 + $99.00 = $100.50
S3 cost = $0.005 (1,000 LIST requests, each returning 1,000 objects, at $0.005 per 1,000 requests) + $0.0004 * 1,000 (1,000,000 GET requests, one per object, at $0.0004 per 1,000 requests) = $0.005 + $0.40 = $0.405
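The worked figures above are one instance of a tiered calculation; an added example, not from the article, generalises it so a team can size a discovery job before submitting it. The rates are the Ohio region figures quoted in the article; only the tiers the article mentions (1GB free, then $1.00/GB for the next 50,000GB) are modelled, and anything beyond that is rejected rather than guessed, since the article gives no rate for it.

```python
"""Estimate Macie and S3 request charges for a sensitive data discovery job.

Added example, not from the original article. Rates are the Ohio region
figures quoted in the article's pricing example; check the current price
list before relying on them. Tiers above the 50,000GB band are not quoted in
the article, so they are not modelled.
"""
import math
from decimal import Decimal

BUCKET_RATE = Decimal("0.10")          # USD per S3 bucket per month (bucket-level evaluation)
FREE_GB = Decimal(1)                   # first 1GB of processed data per month is free
TIER1_GB = Decimal(50_000)             # next 50,000GB ...
TIER1_RATE = Decimal("1.00")           # ... at USD 1.00 per GB
LIST_RATE_PER_1000 = Decimal("0.005")  # S3 LIST requests
GET_RATE_PER_1000 = Decimal("0.0004")  # S3 GET requests
LIST_PAGE_SIZE = 1000                  # objects returned per LIST request


def macie_cost(buckets: int, processed_gb) -> Decimal:
    """Bucket evaluation fee plus tiered per-GB discovery fee, in USD."""
    gb = Decimal(processed_gb)
    billable = max(gb - FREE_GB, Decimal(0))
    if billable > TIER1_GB:
        raise ValueError("exceeds the 50,000GB tier quoted in the article; consult the price list")
    return BUCKET_RATE * buckets + TIER1_RATE * billable


def s3_request_cost(objects: int) -> Decimal:
    """Standard S3 request charges a discovery job incurs: one LIST per page, one GET per object."""
    list_requests = math.ceil(objects / LIST_PAGE_SIZE)
    list_cost = LIST_RATE_PER_1000 * list_requests / 1000
    get_cost = GET_RATE_PER_1000 * objects / 1000
    return list_cost + get_cost


def job_estimate(buckets: int, processed_gb, objects: int) -> dict:
    """Combined estimate; keeps the two line items separate because they appear on different bills."""
    macie = macie_cost(buckets, processed_gb)
    s3 = s3_request_cost(objects)
    return {"macie_usd": macie, "s3_usd": s3, "total_usd": macie + s3}


if __name__ == "__main__":
    # The article's scenario: 15 buckets, 100GB processed, 1,000,000 objects.
    print(job_estimate(15, 100, 1_000_000))
```

`Decimal` is used rather than floats so the cents-level figures compare exactly; the per-GB fee, not the bucket fee, dominates, which is why scoping a job to the prefixes that can actually hold sensitive data matters more than trimming the bucket count.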
Chen Hanqing
Cloud Business Division | Senior System Architect
Shenzhou Taiyue Software Co., Ltd. · AWS Strategic Partner