Profile Applicability:

Level 2

Description:

Amazon S3 can store sensitive or regulated data, which should be:

  • Discovered (identified automatically)

  • Monitored (tracked for changes)

  • Classified (labelled as sensitive or non-sensitive)

  • Protected (secured against unauthorized access)

Rationale:

  • Prevents data leaks by automatically detecting sensitive data.

  • Improves compliance with GDPR, HIPAA, PCI-DSS, and other frameworks.

  • Reduces human error through automated classification and monitoring.

  • Alerts security teams to sensitive data exposure before a breach occurs.

Impact:

  • Amazon Macie has a cost based on scanned data volume.

  • Enabling Macie can increase AWS billing if analyzing large datasets.

  • May require additional IAM permissions for monitoring and classification.

  • Third-party data classification tools may have licensing fees.

Default Value:

  • Amazon Macie is NOT enabled.

  • No built-in S3 discovery or classification runs automatically.

  • S3 objects are stored without automatic classification.

Pre-Requisites:

  1. IAM permissions to audit and enable Amazon Macie

    • Audit: macie2:GetMacieSession, macie2:ListClassificationJobs, s3:ListAllMyBuckets

    • Remediation: macie2:EnableMacie, macie2:CreateClassificationJob, iam:CreateServiceLinkedRole

  2. AWS CLI installed (for automation)

  3. Billing permissions (Macie is a paid service)

  4. Macie reads S3 through the service-linked role AWSServiceRoleForAmazonMacie, which is created automatically when Macie is enabled; no custom IAM role is required

Remediation:

Test Plan:

Using AWS Console

  1. Log in to the AWS Console and open the Amazon Macie console in the Region being audited (Macie is enabled per Region).

  2. In the left-hand pane, click "By job" under Findings.

  3. Confirm that a data classification job exists for your S3 buckets and that its status is not Cancelled or Paused.

  4. If no jobs are configured, remediation is required.

Using AWS CLI

Step 1: Check if Macie is enabled

aws macie2 get-macie-session

Example Output (Macie Enabled)

{
    "status": "ENABLED",
    "findingPublishingFrequency": "FIFTEEN_MINUTES",
    "serviceRole": "arn:aws:iam::123456789012:role/aws-service-role/macie.amazonaws.com/AWSServiceRoleForAmazonMacie"
}

Example Output (Macie Suspended)

{
    "status": "PAUSED"
}

A status of "PAUSED" means Macie was enabled and later suspended (for example with "aws macie2 update-macie-session --status PAUSED"); it is not scanning. If Macie has never been enabled in the account and Region, the command does not return a session at all but fails with an AccessDeniedException stating that Macie is not enabled. Both cases require remediation. Macie is Regional, so repeat the check in every Region in use.

Step 2: Check Existing Macie Jobs for S3 Scanning

aws macie2 list-classification-jobs

Example Output (Macie Jobs Exist)

{
    "items": [
        {
            "jobId": "12345678-abcd-efgh-ijkl-987654321000",
            "jobStatus": "RUNNING",
            "jobType": "ONE_TIME",
            "name": "S3-Sensitive-Data-Scan"
        }
    ]
}

An empty "items" list means no classification job exists. A job only covers the buckets listed in its bucketDefinitions (or matched by its bucketCriteria), and only while its jobStatus is RUNNING, IDLE (a scheduled job between runs) or COMPLETE (a one-time job that has finished); CANCELLED or USER_PAUSED jobs provide no coverage.
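The two CLI checks above only tell you that a session and some job exist; the control actually requires that every bucket is named by a job that is still providing coverage. The following script is an added example (not part of this benchmark page or of any AWS tooling) that evaluates that condition offline over the JSON shapes returned by get-macie-session, list-classification-jobs and s3api list-buckets. The session, job and bucket data embedded in it are constructed samples, the account ID and bucket names are placeholders, and fetch_live() is the only part that talks to AWS (it needs boto3 and credentials and is not called by default).

```python
"""Offline audit of Macie S3 coverage over the JSON returned by
'aws macie2 get-macie-session', 'aws macie2 list-classification-jobs'
and 'aws s3api list-buckets'.  Sample evidence is constructed below so the
check runs with no credentials; fetch_live() gathers the real inputs."""
from typing import Dict, List, Optional, Set

# Statuses under which a job still provides coverage, by job type.  A ONE_TIME
# job has scanned its buckets once it is COMPLETE (or still RUNNING); a
# SCHEDULED job keeps scanning while RUNNING or IDLE between runs.  CANCELLED,
# PAUSED (quota) and USER_PAUSED jobs do not count.
COVERING_STATUSES: Dict[str, Set[str]] = {
    "ONE_TIME": {"RUNNING", "COMPLETE"},
    "SCHEDULED": {"RUNNING", "IDLE"},
}

# Constructed sample evidence (placeholder account ID and bucket names).
SAMPLE_SESSION = {"status": "ENABLED", "findingPublishingFrequency": "FIFTEEN_MINUTES"}
SAMPLE_JOBS = {"items": [
    {"jobId": "job-1", "name": "payments-daily", "jobType": "SCHEDULED", "jobStatus": "IDLE",
     "bucketDefinitions": [{"accountId": "123456789012", "buckets": ["payments-exports"]}]},
    {"jobId": "job-2", "name": "hr-once", "jobType": "ONE_TIME", "jobStatus": "COMPLETE",
     "bucketDefinitions": [{"accountId": "123456789012", "buckets": ["hr-records"]}]},
    {"jobId": "job-3", "name": "legacy-cancelled", "jobType": "ONE_TIME", "jobStatus": "CANCELLED",
     "bucketDefinitions": [{"accountId": "123456789012", "buckets": ["legacy-logs"]}]},
    # Selects buckets by tag rather than by name; cannot be resolved offline.
    {"jobId": "job-4", "name": "tagged-pii-scan", "jobType": "SCHEDULED", "jobStatus": "IDLE",
     "bucketCriteria": {"includes": {"and": [{"tagCriterion": {
         "comparator": "EQ", "tagValues": [{"key": "pii", "value": "true"}]}}]}}},
]}
SAMPLE_BUCKETS = ["payments-exports", "hr-records", "legacy-logs", "static-website"]


def job_is_covering(job: dict) -> bool:
    """True if the job's type/status combination means it scans or has scanned."""
    return job.get("jobStatus") in COVERING_STATUSES.get(job.get("jobType", ""), set())


def macie_enabled(session: Optional[dict]) -> bool:
    """True only for status ENABLED.  None models the AccessDeniedException
    get-macie-session raises when Macie was never enabled; PAUSED is suspended."""
    return bool(session) and session.get("status") == "ENABLED"


def covered_buckets(jobs_response: dict) -> Set[str]:
    """Bucket names explicitly listed in the bucketDefinitions of covering jobs."""
    covered: Set[str] = set()
    for job in jobs_response.get("items", []):
        if job_is_covering(job):
            for definition in job.get("bucketDefinitions") or []:
                covered.update(definition.get("buckets", []))
    return covered


def criteria_jobs(jobs_response: dict) -> List[str]:
    """Covering jobs that choose buckets via bucketCriteria; flag for manual review."""
    return [job["name"] for job in jobs_response.get("items", [])
            if job_is_covering(job) and job.get("bucketCriteria")]


def audit(session: Optional[dict], jobs_response: dict, bucket_names: List[str]) -> dict:
    """The control: Macie enabled and every bucket named by a covering job."""
    enabled = macie_enabled(session)
    covered = covered_buckets(jobs_response) if enabled else set()
    uncovered = sorted(set(bucket_names) - covered)
    return {
        "macie_enabled": enabled,
        "uncovered_buckets": uncovered,
        "criteria_jobs_to_review": criteria_jobs(jobs_response) if enabled else [],
        "compliant": enabled and not uncovered,
    }


def fetch_live():
    """Gather the same three inputs from the current credentials and Region
    (needs boto3, macie2:GetMacieSession, macie2:ListClassificationJobs,
    s3:ListAllMyBuckets).  Not called by default."""
    import boto3
    from botocore.exceptions import ClientError

    macie = boto3.client("macie2")
    try:
        session = macie.get_macie_session()
    except ClientError as err:
        if err.response["Error"]["Code"] != "AccessDeniedException":
            raise
        session = None  # Macie never enabled in this account/Region
    jobs, kwargs = {"items": []}, {}
    while session:  # page through nextToken
        page = macie.list_classification_jobs(**kwargs)
        jobs["items"].extend(page.get("items", []))
        if not page.get("nextToken"):
            break
        kwargs["nextToken"] = page["nextToken"]
    buckets = [b["Name"] for b in boto3.client("s3").list_buckets()["Buckets"]]
    return session, jobs, buckets


if __name__ == "__main__":
    import json
    print(json.dumps(audit(SAMPLE_SESSION, SAMPLE_JOBS, SAMPLE_BUCKETS), indent=2))
```

On the sample data the result is non-compliant: legacy-logs is only named by a cancelled job and static-website by no job at all, while tagged-pii-scan is reported separately because a tag-based job may or may not match those buckets. Run it once per Region, since both the Macie session and its jobs are Regional.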

Implementation Steps:

Using AWS Console

  1. Log in to the Amazon Macie console.

  2. Click "Get Started", then click "Enable Macie".

  3. Configure Data Discovery Results:

    • Under Settings → Discovery results, specify an S3 bucket to store results.

    • Enable KMS encryption for added security.

  4. Create a Macie Classification Job:

    • Go to "S3 Buckets" and select buckets to scan.

    • Click "Create Job" → Quick Create → Enter a job name.

    • Click "Next" → "Submit".

  5. Monitor Findings:

    • Go to "Findings" in Macie to review sensitive data alerts.

Using AWS CLI

Step 1: Enable Macie (run in each Region; this also creates the AWSServiceRoleForAmazonMacie service-linked role)

aws macie2 enable-macie --status ENABLED --finding-publishing-frequency FIFTEEN_MINUTES

Step 2: Create an S3 Data Classification Job

Each bucket definition must name the owning account and a list of buckets ("bucketName" is not a valid key):

aws macie2 create-classification-job \
    --job-type ONE_TIME \
    --name "S3-Sensitive-Data-Scan" \
    --s3-job-definition '{"bucketDefinitions":[{"accountId":"123456789012","buckets":["my-secure-bucket"]}]}'

A one-time job scans the bucket once; for ongoing coverage of newly written objects use --job-type SCHEDULED with a schedule, for example --schedule-frequency '{"dailySchedule":{}}'.


Backout Plan:

If Macie costs become too high or false positives impact operations, follow these steps:

Step 1: Cancel classification jobs that are no longer needed (Macie jobs cannot be deleted, only cancelled)

aws macie2 update-classification-job --job-id <job_id> --job-status CANCELLED

Step 2: Suspend or disable Macie

To stop scanning while keeping existing findings and job history, suspend Macie:

aws macie2 update-macie-session --status PAUSED

To disable Macie entirely (this deletes all Macie findings, jobs and settings for the account in that Region):

aws macie2 disable-macie

References: