Ensure all data in Amazon S3 has been discovered, classified and secured when required.

Amazon S3 buckets can contain sensitive data, that for security purposes should be discovered, monitored, classified and protected. Macie along with other 3rd party tools can automatically provide an inventory of Amazon S3 buckets.Using a Cloud service or 3rd Party software to continuously monitor and automate the process of data discovery and classification for S3 buckets using machine learning and pattern matching is a strong defense in protecting that information.

Risk Level: High
Cloud Entity: Simple Storage Service (S3)
CloudGuard Rule ID: D9.AWS.CRY.62
Category: Storage


S3Bucket should have macieInformation.jobDetails.isMonitoredByJob='TRUE'


From Portal

  1. Log on to the Macie console at https://console.aws.amazon.com/macie/
  2. Click Get started.
  3. Click Enable Macie.

A) Setup a repository for sensitive data discovery results

  1. In the Left pane, under Settings, click Discovery results.
  2. Make sure Create bucket is selected.
  3. Create a bucket, enter a name for the bucket. The name must be unique across all S3 buckets. In addition, the name must start with a lowercase letter or a number.
  4. Click on Advanced.
  5. Block all public access, make sure Yes is selected.
  6. KMS encryption, specify the AWS KMS key that you want to use to encrypt the results. The key must be a symmetric, customer master key (CMK) that's in the same Region as the S3 bucket.
  7. Click on Save

B) Create a job to discover sensitive data

  1. In the left pane, click S3 buckets. Macie displays a list of all the S3 buckets for your account.
  2. Select the check box for each bucket that you want Macie to analyze as part of the job
  3. Click Create job.
  4. Click Quick create.
  5. For the Name and description step, enter a name and, optionally, a description of the job.
  6. Then click Next.
  7. For the Review and create step, click Submit.

C) Review your findings

  1. In the left pane, click Findings.
  2. To view the details of a specific finding, choose any field other than the check box for the finding.

If you are using a 3rd Party tool to manage and protect your s3 data, follow the Vendor documentation for implementing and configuring that tool.

From Command Line

  1. If Amazon Macie is not enabled, run enable-macie command to enable the service for a given AWS region.
aws macie2 enable-macie --region REGION --finding-publishing-frequency FREQUENCY --status ENABLED
  1. Setup a repository for sensitive data discovery results. Run put-classification-export-configuration command to update the configuration settings for storing Macie data discovery results and configure the Amazon S3 bucket.
aws macie2 put-classification-export-configuration --region us-east-1  --configuration "s3Destination={bucketName=discovery-results-repository,kmsKeyArn=arn:aws:kms:us-east-1:123456789012:key/abcdabcd-1234-abcd-1234-abcd1234abcd}"
  1. Create a job to discover sensitive data.
    i. Create the required data discovery job definition and save the definition to a JSON file named macie-job-definition.json. The data discovery job definition contains the names of the S3 buckets to analyze for sensitive data, the ID of the AWS account that owns the buckets, and the scope of the analysis.
    ii. To create a new Amazon Macie data discovery job in the selected AWS region, run create-classification-job command using the job definition json file.
aws macie2 create-classification-job --job-type ONE_TIME --name cc-s3-data-discovery-job --s3-job-definition file://macie-job-definition.json


  1. https://workbench.cisecurity.org/sections/615828/recommendations/1082816
  2. https://docs.aws.amazon.com/macie/latest/user/what-is-macie.html
  3. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/macie2/create-classification-job.html

Simple Storage Service (S3)

Companies today need the ability to simply and securely collect, store, and analyze their data at a massive scale. Amazon S3 is object storage built to store and retrieve any amount of data from anywhere ��� web sites and mobile apps, corporate applications, and data from IoT sensors or devices. It is designed to deliver 99.999999999% durability, and stores data for millions of applications used by market leaders in every indu

Compliance Frameworks

  • AWS CIS Foundations v. 1.4.0
  • AWS CIS Foundations v. 1.5.0
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS HITRUST v11.0.0
  • AWS MITRE ATT&CK Framework v11.3
  • AWS NIST 800-53 Rev 5