1. What is Macie?

Amazon Macie is a fully managed data security and privacy service that uses machine learning and pattern matching to discover and protect sensitive data stored in Amazon S3.

Core Concept: Macie = sensitive data discovery for S3. It automatically scans your S3 buckets and identifies sensitive data: PII (names, addresses, SSNs, passport numbers), financial data (credit card numbers, bank accounts), credentials (API keys, private keys), and custom data types you define.

2. What Macie Detects

3. Key Features

  1. Automatic S3 bucket inventory: monitors all buckets for encryption, public access, and shared status
  2. Sensitive data discovery jobs: scheduled or one-time scans of S3 objects
  3. Custom data identifiers: define your own regex or keyword patterns
  4. Managed data identifiers: 100+ built-in patterns for common sensitive data
  5. Findings: severity-rated, sent to Macie Console, Security Hub, EventBridge
  6. Multi-account via Organizations (delegated administrator)
  7. Allow lists: exclude known-safe patterns from generating findings (e.g., test data)

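Added example (not Macie's own code or an AWS sample): a local approximation of how a custom data identifier (feature 3) and an allow list (feature 7) are evaluated, so a regex, its keywords, ignore words and known-safe values can be checked against sample text before the identifier is created in Macie. Assumptions: the badge-ID format `EMP-nnnnn`, the sample text, and the simplified rule that a keyword must end within `max_match_distance` characters before the end of the regex match; the real service applies its own matching logic, and this is only a pre-deployment sanity check.

```python
"""Offline check of a Macie-style custom data identifier before deploying it."""
import re
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class CustomIdentifier:
    """Mirrors the pieces of a Macie custom data identifier we want to test."""
    name: str
    regex: str
    keywords: List[str] = field(default_factory=list)      # must appear shortly before a match
    ignore_words: List[str] = field(default_factory=list)  # matched text containing these is dropped
    max_match_distance: int = 50                           # chars between keyword end and match end


# Constructed sample document (hypothetical employee badge-ID format EMP-nnnnn).
SAMPLE_TEXT = (
    "Badge ID: EMP-48213 issued to new hire\n"              # keyword nearby -> finding
    "Badge: EMP-00000-TEST placeholder record\n"            # ignore word -> no finding
    "Badge ID: EMP-12345 as in the onboarding guide\n"      # allow-listed value -> no finding
    "Log line 0x7f EMP-99999 no badge keyword before it\n"  # no keyword within distance -> no finding
)

BADGE_ID = CustomIdentifier(
    name="employee-badge-id",
    regex=r"EMP-\d{5}(?:-TEST)?",
    keywords=["badge id", "badge"],
    ignore_words=["-TEST"],
    max_match_distance=30,
)

# Allow list: a documented sample value that must never raise a finding (constructed).
ALLOW_LIST = frozenset({"EMP-12345"})


def _keyword_precedes(lowered: str, keywords: List[str], match_end: int, max_distance: int) -> bool:
    """True if some keyword ends at most max_distance characters before the match ends."""
    for kw in keywords:
        kw = kw.lower()
        start = 0
        while True:
            idx = lowered.find(kw, start)
            if idx == -1 or idx + len(kw) > match_end:
                break  # no more occurrences that finish before the match does
            if match_end - (idx + len(kw)) <= max_distance:
                return True
            start = idx + 1
    return False


def evaluate_identifier(text: str, ident: CustomIdentifier, allow_list=frozenset()) -> List[Dict]:
    """Return the matches that would survive ignore words, the allow list and keyword proximity."""
    lowered = text.lower()
    hits = []
    for m in re.finditer(ident.regex, text):
        value = m.group(0)
        if any(w.lower() in value.lower() for w in ident.ignore_words):
            continue
        if value in allow_list:
            continue
        if ident.keywords and not _keyword_precedes(lowered, ident.keywords, m.end(), ident.max_match_distance):
            continue
        hits.append({
            "identifier": ident.name,
            "value": value,
            "line": text.count("\n", 0, m.start()) + 1,
            "offset": m.start(),
        })
    return hits


if __name__ == "__main__":
    for hit in evaluate_identifier(SAMPLE_TEXT, BADGE_ID, ALLOW_LIST):
        print(hit)
```

Running it against the sample text yields a single finding for `EMP-48213`; the other three candidates are suppressed for the reasons noted in the sample. Dropping the keywords shows how much noisier a bare regex is, which is the usual argument for pairing a custom identifier with keywords and an allow list rather than shipping the regex alone.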
4. Macie Automation

Macie Automation Pattern:

Macie Finding: "S3 bucket contains credit card numbers"
  → EventBridge Rule
    → Lambda Function
      → Remediate:
         - Enable SSE-KMS encryption on the bucket
         - Block public access
         - Quarantine the object in a secure bucket
         - Notify compliance team via SNS
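Added example (not Macie's own code or an AWS-published sample): a Lambda handler for the pattern above, which parses the EventBridge event carrying a Macie finding, decides whether the finding warrants remediation, and then blocks public access, enables SSE-KMS, quarantines the object and notifies via SNS. Assumptions: the sample event values are constructed (the field names follow the "Macie Finding" detail-type schema), the `QUARANTINE_BUCKET`, `KMS_KEY_ID` and `SNS_TOPIC_ARN` environment variables are hypothetical, and the policy of remediating only High-severity `SensitiveData:S3Object/*` findings is a choice made for this example. The AWS clients are passed in so the remediation logic can be exercised without credentials.

```python
"""Macie finding -> EventBridge -> Lambda remediation handler (added example)."""
import json
from typing import Any, Dict, List

# Constructed EventBridge event carrying a Macie finding; values are made up.
SAMPLE_EVENT: Dict[str, Any] = {
    "source": "aws.macie",
    "detail-type": "Macie Finding",
    "detail": {
        "id": "EXAMPLE-FINDING-ID",
        "type": "SensitiveData:S3Object/Financial",
        "severity": {"score": 3, "description": "High"},
        "resourcesAffected": {
            "s3Bucket": {"name": "example-finance-exports"},
            "s3Object": {"key": "exports/2024/cards.csv"},
        },
    },
}


def parse_finding(event: Dict[str, Any]) -> Dict[str, Any]:
    """Pull the fields the remediation needs out of the EventBridge envelope."""
    if event.get("source") != "aws.macie" or event.get("detail-type") != "Macie Finding":
        raise ValueError("not a Macie finding event")
    detail = event["detail"]
    affected = detail.get("resourcesAffected", {})
    return {
        "id": detail.get("id"),
        "type": detail["type"],
        "severity": detail.get("severity", {}).get("description", "Unknown"),
        "bucket": affected.get("s3Bucket", {}).get("name"),
        "key": affected.get("s3Object", {}).get("key"),
    }


def should_remediate(finding: Dict[str, Any]) -> bool:
    """Policy choice for this example: only High-severity sensitive-data findings on an object.
    Policy findings (type 'Policy:...') describe bucket configuration, not data, and are skipped."""
    return (
        finding["type"].startswith("SensitiveData:S3Object/")
        and finding["severity"] == "High"
        and bool(finding["bucket"])
        and bool(finding["key"])
    )


def remediate(finding: Dict[str, Any], s3, sns, *, quarantine_bucket: str,
              kms_key_id: str, topic_arn: str) -> List[str]:
    """Apply the four remediation steps from the diagram; returns the actions taken in order."""
    bucket, key = finding["bucket"], finding["key"]
    actions: List[str] = []

    s3.put_public_access_block(
        Bucket=bucket,
        PublicAccessBlockConfiguration={
            "BlockPublicAcls": True, "IgnorePublicAcls": True,
            "BlockPublicPolicy": True, "RestrictPublicBuckets": True,
        },
    )
    actions.append("block_public_access")

    s3.put_bucket_encryption(
        Bucket=bucket,
        ServerSideEncryptionConfiguration={"Rules": [{
            "ApplyServerSideEncryptionByDefault": {
                "SSEAlgorithm": "aws:kms", "KMSMasterKeyID": kms_key_id,
            },
        }]},
    )
    actions.append("enable_sse_kms")

    # S3 has no move: copy into the quarantine bucket first, delete only if the copy succeeded.
    s3.copy_object(
        Bucket=quarantine_bucket, Key=f"{bucket}/{key}",
        CopySource={"Bucket": bucket, "Key": key},
        ServerSideEncryption="aws:kms", SSEKMSKeyId=kms_key_id,
    )
    s3.delete_object(Bucket=bucket, Key=key)
    actions.append("quarantine_object")

    sns.publish(
        TopicArn=topic_arn,
        Subject=f"Macie {finding['severity']} finding remediated: {finding['type']}",
        Message=json.dumps({"finding": finding["id"], "bucket": bucket,
                            "key": key, "actions": actions}),
    )
    actions.append("notify")
    return actions


def lambda_handler(event: Dict[str, Any], context: Any) -> Dict[str, Any]:
    """Entry point wired to the EventBridge rule; real clients are created only here."""
    import os
    import boto3  # imported lazily so the parsing/remediation logic is testable without it

    finding = parse_finding(event)
    if not should_remediate(finding):
        return {"finding": finding["id"], "actions": []}
    actions = remediate(
        finding, boto3.client("s3"), boto3.client("sns"),
        quarantine_bucket=os.environ["QUARANTINE_BUCKET"],   # hypothetical env var
        kms_key_id=os.environ["KMS_KEY_ID"],                 # hypothetical env var
        topic_arn=os.environ["SNS_TOPIC_ARN"],               # hypothetical env var
    )
    return {"finding": finding["id"], "actions": actions}
```

The order matters for safety: the copy into the quarantine bucket runs before the delete, so a failed copy raises and leaves the original in place rather than losing the object. The Lambda's execution role needs only the S3 and SNS permissions these calls use on the affected and quarantine buckets; keep it scoped rather than granting `s3:*`.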

5. When to Use

When to Use: Amazon Macie

Use Macie when you need to automatically discover, classify, and protect sensitive data stored in S3.

Key exam triggers:

  1. "sensitive data in S3"
  2. "PII detection"
  3. "find credit card numbers"
  4. "classify data"
  5. "data privacy"
  6. "GDPR / HIPAA data discovery"

Common scenarios:

  1. Find PII (names, addresses, SSNs, passport numbers) in S3 buckets.
  2. Detect financial data (credit card numbers, bank accounts) in stored files.
  3. Compliance — prove you know where sensitive data lives.
  4. Monitor S3 bucket security posture (public access, unencrypted buckets).
  5. Automated alerts when sensitive data is found.

Exam Tip (Macie): "Discover PII in S3" = Macie. "Find credit card numbers in S3" = Macie. "S3 sensitive data scanning" = Macie. S3 ONLY (not EC2, not RDS). Uses ML + pattern matching. Custom data identifiers for your own patterns. Findings → Security Hub + EventBridge for automation. "Scan for vulnerabilities" = Inspector (NOT Macie). Macie = data classification.