Amazon Macie

 

• A security service that uses machine learning to automatically discover, classify, and protect sensitive data in AWS. Macie recognizes sensitive data such as personally identifiable information (PII) or intellectual property.
• Amazon Macie allows you to achieve the following:
  • Identify and protect various data types, including PII, PHI, regulatory documents, API keys, and secret keys
  • Verify compliance with automated logs that allow for instant auditing
  • Identify changes to policies and access control lists
  • Observe changes in user behavior and receive actionable alerts
  • Receive notifications when data and account credentials leave protected zones
  • Detect when large quantities of business-critical documents are shared internally and externally

Concepts

• • An Alert is a notification about a potential security issue that Macie discovers. Alerts appear on the Macie console and provide a comprehensive narrative about all activity that occurred over the last 24 hours.
    • Basic alerts – Alerts that are generated by the security checks that Macie performs. There are two types of basic alerts in Macie:
      • Managed (curated by Macie) basic alerts that you can’t modify. You can only enable or disable the existing managed basic alerts.
      • Custom basic alerts that you can create and modify to your exact specifications.
    • Predictive alerts – Automatic alerts based on activity in your AWS infrastructure that deviates from the established normal activity baseline. More specifically, Macie continuously monitors IAM user and role activity in your AWS infrastructure and builds a model of the normal behavior. It then looks for deviations from that normal baseline, and when it detects such activity, it generates automatic predictive alerts.
  • Data source is the origin or location of a set of data. 
    • AWS CloudTrail event logs and errors, including Amazon S3 object-level API activity. You can’t modify existing or add new CloudTrail events to the list that Macie manages. You can enable or disable the supported CloudTrail events, thus instructing Macie to either include or exclude them in its data security process.
    • Amazon S3 objects. You can integrate Macie with your S3 buckets and/or specify S3 prefixes
  • User, in the context of Macie, a user is the AWS Identity and Access Management (IAM) identity that makes the request.
• There are certain file formats that Macie does not support, such as wav files.
• Once Macie begins monitoring your data, it uses several automatic content classification methods to identify and prioritize your sensitive and critical data and to accurately assign business value to your data. Each classification has a designated risk level between 1 and 10, with 10 being the highest risk and 1 being the lowest. These methods include:
  • Content Type Classification – Macie uses an identifier that is embedded in the file header of your data objects. Macie can assign only one content type to an object. You can’t modify existing or add new content types. You can only enable or disable any existing content types, thus enabling or disabling Macie to assign them to your objects during the classification process.
  • File Extension Classification – Macie offers a set of managed file extensions. Macie can assign only one file extension to an object. You can’t modify existing or add new file extensions. You can enable or disable any existing file extensions, thus enabling or disabling Macie to assign them to your objects during the classification process.
  • Theme Classification – Object classification by theme is based on keywords that Macie searches for as it examines the contents of data objects. Macie can assign one or more themes to an object. You can’t modify existing or add new themes. You can enable or disable any existing themes, thus enabling or disabling Macie to assign them to your objects during the classification process.
  • Regex Classification – Macie offers a set of managed regexes. Object classification by regex is based on specific data or data patterns that Macie searches for as it examines the contents of data objects. Macie can assign one or more regexes to an object. You can’t modify existing or add new regexes. You can enable or disable any existing regexes, thus enabling or disabling Macie to assign them to your objects during the classification process.
  • PII Classification – Object classification by personally identifiable information (PII) is based on recognizing any personally identifiable artifacts based on industry standards such as NIST-80-122 and FIPS 199.
  • Support Vector Machine–Based Classifier – It classifies content inside your S3 objects (text, token n-grams, and character n-grams) that Macie monitors and their metadata features (document length, extension, encoding, headers) to accurately classify documents based on content.
• You can use the Research tab in the Macie console to construct and run queries in the query parser and conduct in-depth investigative research of your data and activity that Macie monitors.
• If you disable Macie, the following actions occur:
  • It no longer has access to the resources in the management account and all member accounts. You must add member accounts again if you decide to reenable Macie.
  • It stops processing the resources in the management account and all member accounts. After Macie is disabled, the metadata that Macie collected while monitoring the data in your management and member accounts is deleted. Within 90 days from disabling Macie, all of this metadata is expired from the Macie system backups.
• Other Additional Features
  • You can scan Amazon S3 buckets across multiple AWS accounts, and perform scoping of scans by object prefix.
  • An estimation of the costs of these job runs is sent to you for review before you run them.
  • Once a job is submitted, findings are generated in the Amazon Macie console and sent out through Amazon EventBridge where sensitive data location information is included in the findings. This allows for identification of sensitive data within objects using detail such as line numbers, page numbers, record index, or column and row numbers.