April 20, 2018

By Jim L.

AWS Macie was released as a new managed security service in August 2017 to help identify and protect sensitive data stored in S3 from breaches, data leaks, and unauthorized access. The ActioNet AWS Test Lab was used to create a 200 MB data lake of simulated organizational files and AWS CloudTrail event data representative of a business entity in order to evaluate the functionality of Macie as a new ActioNetCyber™ Cloud service offering. Macie uses machine learning to automatically discover, classify, and protect sensitive data, and we found that it does a good job of recognizing sensitive data such as personally identifiable information (PII) and intellectual property. It also identifies and alerts on possible security threats based on environmental events and security policy non-compliance. Macie continuously analyzes the activity of users, applications, and service accounts associated with sensitive data that may pose a risk to the business, such as inadvertent exposure of data, insider threats, or targeted attacks.

[Figure: A capture of the Amazon Macie Dashboard]

The preconfigured dashboard is a powerful visualization tool for monitoring assets, events, user sessions and access patterns. Two especially useful features stand out. The Research page enables you to construct and run queries for a forensic view of the data. For customers with a large number of accounts, you can establish a primary Macie account and link member accounts so that a single Macie interface is used within each region. Macie enables you to be proactive with security compliance and achieve preventive security using these key features:

  • Identify and protect various data types, including PII, PHI, regulatory documents, API keys, and secret keys
  • Verify compliance with automated logs that allow for instant auditing
  • Identify changes to policies and access control lists
  • Observe changes in user behavior and receive actionable alerts
  • Receive notifications when data and account credentials leave protected zones
  • Detect when large quantities of business-critical documents are shared internally and externally

[Figure: An example of the Amazon Macie Alerts screen]

There have been several data breaches because of misconfigured storage in the past few months, most notably at the United States Army Intelligence and Security Command (INSCOM), Experian, Verizon, Dow Jones, and FedEx. Had any of these organizations been using Macie, the rules-based security compliance engine would have generated a security alert on the public S3 bucket. The public bucket permission was simulated during testing and an alert was generated, but, unbeknownst to me, a few days later another user account was testing S3 permissions with AWS CloudFront; a security alert was generated on the public S3 bucket, and immediate response and remediation was possible! Amazon Macie is a powerful security service we can provide our customers and another innovative tool in our ActioNetCloud™ offering.
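The public-bucket alert described above, and the "identify changes to policies and access control lists" feature listed earlier, both come down to spotting the CloudTrail events that open a bucket to the world. The following is an added example written for this post, not Macie's own rule logic and not ActioNet lab code: it scans a small set of constructed CloudTrail records (the bucket name, account ID and user ARN are placeholders) for a PutBucketAcl that grants to the AllUsers or AuthenticatedUsers groups, a canned public ACL sent in the x-amz-acl header, or a PutBucketPolicy whose Allow statement has a wildcard Principal and no Condition. The record field names follow the CloudTrail S3 data event format; the exact nesting of the sample is simplified and is an assumption.

```python
import json
from typing import Any, Dict, List

# Group URIs that make an ACL grant readable by anyone or by any AWS account.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
# Canned ACLs (the x-amz-acl header) that open a bucket to the public.
PUBLIC_CANNED_ACLS = {"public-read", "public-read-write", "authenticated-read"}


def _as_list(value: Any) -> List[Any]:
    """CloudTrail carries Grant, Statement and Principal as either a dict or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _public_acl_grants(params: Dict[str, Any]) -> List[str]:
    """Describe every public grant in a PutBucketAcl request, e.g. 'READ to AllUsers'."""
    hits = []
    for canned in _as_list(params.get("x-amz-acl")):
        if canned in PUBLIC_CANNED_ACLS:
            hits.append(f"canned ACL {canned}")
    acl = params.get("AccessControlPolicy", {}).get("AccessControlList", {})
    for grant in _as_list(acl.get("Grant")):
        uri = grant.get("Grantee", {}).get("URI", "")
        if uri in PUBLIC_GROUP_URIS:
            hits.append(f"{grant.get('Permission')} to {uri.rsplit('/', 1)[-1]}")
    return hits


def _wildcard_policy_statements(policy: Any) -> List[str]:
    """Return the Sids of unconditional Allow statements whose Principal is '*'."""
    if isinstance(policy, str):  # some records carry the policy as a JSON string
        policy = json.loads(policy)
    hits = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue  # a Condition (e.g. source IP, VPC) means it is not plainly public
        principal = stmt.get("Principal")
        principals = _as_list(principal.get("AWS") if isinstance(principal, dict) else principal)
        if "*" in principals:
            hits.append(stmt.get("Sid", "<no Sid>"))
    return hits


def public_bucket_findings(records: List[Dict[str, Any]]) -> List[Dict[str, str]]:
    """Scan CloudTrail records and return one finding per change that makes a bucket public."""
    findings = []
    for rec in records:
        if rec.get("eventSource") != "s3.amazonaws.com":
            continue
        params = rec.get("requestParameters") or {}
        bucket = params.get("bucketName", "<unknown>")
        actor = rec.get("userIdentity", {}).get("arn", "<unknown>")
        reasons: List[str] = []
        if rec.get("eventName") == "PutBucketAcl":
            reasons = _public_acl_grants(params)
        elif rec.get("eventName") == "PutBucketPolicy":
            reasons = [f"wildcard principal in statement {sid}"
                       for sid in _wildcard_policy_statements(params.get("bucketPolicy", {}))]
        for reason in reasons:
            findings.append({"time": rec.get("eventTime", ""), "bucket": bucket,
                             "actor": actor, "event": rec["eventName"], "reason": reason})
    return findings


# Constructed sample records (placeholders, not real captures): a public-read ACL grant,
# a wildcard bucket policy, and an owner-only ACL change that should not alert.
OWNER_GRANT = {"Grantee": {"xsi:type": "CanonicalUser", "ID": "owner-canonical-id"},
               "Permission": "FULL_CONTROL"}
ALL_USERS_GRANT = {"Grantee": {"xsi:type": "Group",
                               "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                   "Permission": "READ"}
SAMPLE_RECORDS = [
    {"eventTime": "2018-04-02T14:03:11Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketAcl",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/lab-tester"},
     "requestParameters": {"bucketName": "example-lab-datalake",
                           "AccessControlPolicy": {"AccessControlList": {
                               "Grant": [OWNER_GRANT, ALL_USERS_GRANT]}}}},
    {"eventTime": "2018-04-05T09:17:40Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketPolicy",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/cdn-tester"},
     "requestParameters": {"bucketName": "example-lab-datalake",
                           "bucketPolicy": {"Version": "2012-10-17", "Statement": [
                               {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                                "Action": "s3:GetObject",
                                "Resource": "arn:aws:s3:::example-lab-datalake/*"}]}}},
    {"eventTime": "2018-04-06T11:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketAcl",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/lab-tester"},
     "requestParameters": {"bucketName": "example-lab-datalake",
                           "AccessControlPolicy": {"AccessControlList": {"Grant": OWNER_GRANT}}}},
]

if __name__ == "__main__":
    for f in public_bucket_findings(SAMPLE_RECORDS):
        print(f"{f['time']} {f['event']} on {f['bucket']} by {f['actor']}: {f['reason']}")
```

Run stand-alone, the script reports the ACL grant and the wildcard policy and stays silent on the owner-only change. The same matching is what a rules-based engine fed from CloudTrail has to do; a policy with a Condition is deliberately skipped here because whether it is public depends on the condition, which a human or a richer rule has to judge.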