AWS Macie – Purpose-built for sensitive data discovery

In today’s world, a lot of digital information is collected and stored in different places. Sometimes, this information can accidentally or purposely end up in the wrong hands. We call this a “data leak.” It’s a big problem because it can hurt people, businesses, and groups. It can lead to financial loss and to a loss of trust.

So, it’s essential to be careful with sensitive information and have suitable protection. That way, we can keep our data safe and avoid these problems.

What is AWS offering?

AWS Macie is one of the offerings from AWS, among other data security offerings, that specializes in discovering, classifying, and protecting sensitive data. It utilizes advanced machine learning to automatically identify and safeguard various types of sensitive information. Organizations also have to comply with standards that are framed to protect customers’ data, and AWS Macie comes in handy to check the data against those requirements every time, on an ongoing basis.

What are the different types of data that will be identified and protected?

Amazon Macie can identify and protect a wide range of data types, including:

  • Credentials: AWS secret access keys, private keys, other AWS credentials, and other types of credentials used to access cloud resources and applications.
  • Financial information: Credit card numbers, bank account numbers, Social Security numbers, taxpayer identification numbers, and other types of financial information.
  • Personally identifiable information (PII): Names, addresses, phone numbers, email addresses, passport numbers, driver’s license numbers, and other types of information that can be used to identify an individual.
  • Personal health information (PHI): Medical records, health insurance information, and other types of information related to an individual’s health.
  • Other sensitive data: Intellectual property, trade secrets, and other sensitive data types important to your organization.

Macie can also be used to create custom data identifiers to detect specific types of sensitive data that are important to your organization. For example, you could create a custom data identifier to detect proprietary data formats or specific types of sensitive information.
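To make the custom data identifier concrete, here is an added example (my own code, not AWS’s or this page’s): it models one identifier locally with the same regex, keyword, ignore-word and maximum-match-distance fields that the CreateCustomDataIdentifier API takes, so a definition can be tuned offline before it is registered through a boto3 macie2 client. The local matching rules are my reading of the documented behaviour and the “PRJ-” project-code format is a constructed sample; the service’s own evaluation remains authoritative.

```python
import re
from dataclasses import dataclass, field


@dataclass
class CustomIdentifier:
    """One Macie custom data identifier, modelled locally (added example)."""
    name: str
    regex: str
    keywords: list = field(default_factory=list)
    ignore_words: list = field(default_factory=list)
    maximum_match_distance: int = 50  # Macie default; allowed range 1-300

    def api_params(self) -> dict:
        """Keyword arguments for boto3 macie2 create_custom_data_identifier()."""
        return {"name": self.name, "regex": self.regex,
                "keywords": self.keywords, "ignoreWords": self.ignore_words,
                "maximumMatchDistance": self.maximum_match_distance}

    def matches(self, text: str) -> list:
        """Fragments this identifier would report, per my reading of the rules:
        keywords are case-insensitive and a complete keyword must end no more
        than maximum_match_distance characters before the regex match ends;
        a match that contains an ignore word (case-sensitive) is dropped."""
        keyword_ends = [m.end() for kw in self.keywords
                        for m in re.finditer(re.escape(kw), text, re.IGNORECASE)]
        hits = []
        for m in re.finditer(self.regex, text):
            if any(w in m.group(0) for w in self.ignore_words):
                continue
            if self.keywords and not any(
                    0 <= m.end() - end <= self.maximum_match_distance
                    for end in keyword_ends):
                continue
            hits.append(m.group(0))
        return hits


def register(client, ident: CustomIdentifier) -> str:
    """Create the identifier in Macie; client is boto3.client("macie2")."""
    return client.create_custom_data_identifier(**ident.api_params())["customDataIdentifierId"]


# Constructed sample: an internal project-code format that should only be
# reported when a "project" keyword sits close by.
PROJECT_CODE = CustomIdentifier(
    name="internal-project-code", regex=r"\bPRJ-\d{6}\b",
    keywords=["project", "project id"], ignore_words=["PRJ-000000"],
    maximum_match_distance=30)

SAMPLE_TEXT = ("Project ID PRJ-123456 is budgeted for Q3. "
               "Reference PRJ-000000 is a placeholder. "
               "Unrelated text mentioning PRJ-654321 far from any keyword.")

if __name__ == "__main__":
    print(PROJECT_CODE.matches(SAMPLE_TEXT))  # ['PRJ-123456']
```

Only the first code is reported: the second contains the ignore word and the third has no keyword within 30 characters before it.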

What are the different data formats supported?

Amazon Macie supports a wide range of data formats, including:

  • Big data: Apache Avro object containers and Apache Parquet files
  • Compression or archive: GNU Zip compressed archives, TAR archives, and ZIP compressed archives
  • Document: Adobe Portable Document Format (PDF) files, Microsoft Excel workbooks, and Microsoft Word documents
  • Email: Electronic mail files whose contents comply with the requirements specified by an IETF RFC for electronic mail messages
  • Text: Plain text files, HTML files, and XML files

Macie doesn’t analyze data in images, audio, video, and other types of multimedia content.

An unclassifiable object is an object that doesn’t use a supported Amazon S3 storage class or a supported file or storage format. Macie analyzes only those objects that use a supported file or storage format.

What languages are supported?

The AWS Macie documentation does not provide general information on the languages supported for sensitive data discovery. However, other AWS services can be used to translate the text to English before it is scanned, which allows sensitive data discovery through AWS Macie.

Which different data sources can be scanned within AWS?

For sensitive data discovery, Amazon Macie supports the following Amazon S3 storage classes:

  • Reduced Redundancy (RRS)
  • S3 Glacier Instant Retrieval
  • S3 Intelligent-Tiering
  • S3 One Zone-Infrequent Access (S3 One Zone-IA)
  • S3 Standard
  • S3 Standard-Infrequent Access (S3 Standard-IA)

Macie doesn’t analyze S3 objects that use other Amazon S3 storage classes, such as S3 Glacier Deep Archive.

What type of roles and permissions are needed by AWS Macie?

When AWS Macie is enabled, it automatically generates the AWSServiceRoleForAmazonMacie role. This role gives Macie the required permissions to perform tasks such as gathering information about the data held in your Amazon S3, monitoring and managing the security and access controls of your S3 buckets, and identifying and reporting sensitive data within those buckets.

What are the key features?

AWS Macie offers several key features that make it a powerful tool for data security and privacy:

Sensitive Data Discovery: AWS Macie uses machine learning algorithms to automatically detect and classify sensitive data. It can identify a wide range of data types, including credit card numbers, social security numbers, and sensitive intellectual property.

Content Scanning and Monitoring: It continuously monitors data in Amazon S3 buckets, ensuring that any newly added or modified content is checked for sensitive information.

Contextual Analysis: Macie doesn’t just stop at identifying sensitive data. It also provides context to the findings, which helps in understanding the potential risks and impact associated with each discovery.

Alerting and Reporting: Macie can generate alerts for policy violations and can provide comprehensive reports, making it easier for security teams to take necessary actions.

Customizable Policies: Users can define custom data policies to suit their specific compliance requirements and business needs.

Integration with AWS Services: AWS Macie seamlessly integrates with other AWS services like AWS CloudTrail, AWS Identity and Access Management (IAM), AWS Key Management Service (KMS), and AWS Lambda, enhancing the overall security posture.

What are the key benefits?

  1. Automated Compliance: AWS Macie aids in achieving and maintaining compliance with various data privacy regulations like GDPR, HIPAA, and CCPA.
  2. Reduced Risk of Data Breaches: By proactively identifying and protecting sensitive data, Macie significantly reduces the risk of data breaches and associated legal and financial liabilities.
  3. Time and Cost Savings: The automated nature of Macie means that it requires minimal manual intervention, allowing teams to focus on other critical tasks.
  4. Enhanced Trust and Reputation: Demonstrating a commitment to data security can enhance customer trust and bolster an organization’s reputation.
  5. Granular Control: With customizable policies, organizations have fine-grained control over how their data is classified and protected.

What are some common use cases?

  1. Compliance and Regulatory Requirements: Organizations subject to strict data protection regulations can use AWS Macie to ensure compliance.
  2. Intellectual Property Protection: Companies with valuable intellectual property assets can employ Macie to safeguard their proprietary information.
  3. Sensitive Data Protection: Businesses handling personal or financial information can use Macie to prevent unauthorized access and potential breaches.

AWS Macie – Sensitive Data Discovery – High level components

Share how your organization is using AWS Macie to protect sensitive data.

Happy learning!
