AWS has robust security offerings, and I personally think that its security offerings are one of the key reasons Amazon has led the cloud domain for so long. Amazon Macie is one such AWS security service that you can’t ignore. In this article, I am going to walk you through some of its features and use cases in the cloud security domain. Read along…
Content of the Article
- What is Macie?
- Key Features
- How does this work?
- Some of the use cases
- Alternatives and competitors
- Final Thoughts
Amazon Macie is a fully managed data security and data privacy service that uses machine learning and pattern matching to discover and protect your sensitive data in AWS. It automates the discovery of sensitive data such as PII (personally identifiable information) and financial data, giving you a better understanding of the data your organization stores in Amazon S3 (Simple Storage Service). It also identifies and reports buckets that are overly permissive or unencrypted.
In cloud security, it’s the business that is ultimately responsible for securing its data, not the cloud provider.
If your organization handles highly sensitive data such as PII, financial data, or health-related data, then it must comply with regulatory requirements such as those of FINRA (Financial Industry Regulatory Authority), FFIEC (Federal Financial Institutions Examination Council), GDPR (General Data Protection Regulation) and HIPAA (Health Insurance Portability and Accountability Act).
Macie’s alerts, or findings, can be searched and filtered in the AWS Management Console and sent to Amazon CloudWatch Events for easy integration with existing workflows, SIEM solutions, or automated remediation functions.
Key Features of Macie –
Continual evaluation of Amazon S3 environment
Amazon Macie provides an S3 resource summary across all of your accounts by continually evaluating your Amazon S3 environment. It also lets you search, filter, and sort buckets by metadata such as bucket names, tags, and security controls like encryption status or public accessibility. You can also be alerted, so that you can take action, about any unencrypted buckets, publicly accessible buckets, or buckets shared with AWS accounts outside of those agreed upon with your managed service providers or vendors.
Scale and Automate the discovery of sensitive data
With Macie, you can create and run sensitive data discovery jobs, and you can also schedule those jobs to run automatically. A discovery job analyses the objects in an S3 bucket and, using machine learning and pattern matching, determines whether they contain sensitive data. If Macie detects sensitive data, it creates a finding that summarises what was found and where. In this way Macie discovers a variety of sensitive data such as PII, financial data, and personal health data.
Fully Managed and Customized sensitive data type
Amazon Macie not only supports a growing list of managed sensitive data types, covering PII and the data categories relevant to GDPR, PCI-DSS and HIPAA, but also lets you add custom data types defined with regular expressions, so that you can cover the sensitive data types unique to your business.
Review and Analyse Macie Findings centrally
The Findings pages on the Macie dashboard give a detailed report of sensitive data found in an S3 object, or of a potential policy-related issue with the security or privacy of an S3 bucket, across all of your AWS accounts if your organization has more than one.
Each finding also comes with a severity rating and records when and how Macie found the affected resource.
Monitor and process findings with other services and systems
Macie publishes its findings to AWS Security Hub and Amazon EventBridge. EventBridge is a serverless event bus that can route finding data to targets such as AWS Lambda functions or Amazon SNS (Simple Notification Service). Security Hub is another AWS service, which gives a complete security posture view of your AWS infrastructure.
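As an added example (not code from the article or from AWS), here is the kind of Lambda function that EventBridge could invoke for each Macie finding: it reads the finding, decides whether it is a bucket-policy problem or a sensitive-data hit, and returns a routing decision for an SNS topic or remediation step. The field names follow the Macie finding JSON schema; the sample events and the action mapping are constructed for illustration.

```python
import json
# Map Macie bucket-policy finding types to a remediation step. The finding types
# and field names follow Macie's finding JSON schema; the mapping itself is a
# constructed example, not an AWS-provided one.
POLICY_ACTIONS = {
    "Policy:IAMUser/S3BucketPublic": "enable-block-public-access",
    "Policy:IAMUser/S3BlockPublicAccessDisabled": "enable-block-public-access",
    "Policy:IAMUser/S3BucketEncryptionDisabled": "enable-default-encryption",
    "Policy:IAMUser/S3BucketSharedExternally": "review-bucket-policy",
}

def triage_finding(event: dict) -> dict:
    """Turn one EventBridge 'Macie Finding' event into a routing decision
    that a downstream SNS topic or remediation Lambda can act on."""
    if event.get("source") != "aws.macie" or event.get("detail-type") != "Macie Finding":
        raise ValueError("not a Macie finding event")
    detail = event["detail"]
    finding_type = detail["type"]
    severity = detail["severity"]["description"]        # Low / Medium / High
    resources = detail["resourcesAffected"]
    bucket = resources["s3Bucket"]["name"]
    key = resources.get("s3Object", {}).get("key")      # absent for policy findings
    if detail["category"] == "POLICY":                  # bucket misconfiguration
        action = POLICY_ACTIONS.get(finding_type, "manual-review")
    elif severity == "High":                            # sensitive data, high severity
        action = "page-security-oncall"
    else:
        action = "notify-data-owner"
    return {"bucket": bucket, "key": key, "type": finding_type,
            "severity": severity, "action": action}

def lambda_handler(event, context=None):
    """Lambda entry point; the printed JSON lands in CloudWatch Logs as an audit trail."""
    decision = triage_finding(event)
    print(json.dumps(decision))
    return decision

# Constructed sample events: a public-bucket policy finding and a PII finding.
SAMPLE_POLICY_EVENT = {
    "source": "aws.macie", "detail-type": "Macie Finding",
    "detail": {"category": "POLICY", "type": "Policy:IAMUser/S3BucketPublic",
               "severity": {"description": "High", "score": 3},
               "resourcesAffected": {"s3Bucket": {"name": "example-bucket"}}}}
SAMPLE_DATA_EVENT = {
    "source": "aws.macie", "detail-type": "Macie Finding",
    "detail": {"category": "CLASSIFICATION", "type": "SensitiveData:S3Object/Personal",
               "severity": {"description": "Medium", "score": 2},
               "resourcesAffected": {"s3Bucket": {"name": "example-bucket"},
                                     "s3Object": {"key": "exports/customers.csv"}}}}
```

Wiring this up takes an EventBridge rule matching `source: aws.macie` and `detail-type: Macie Finding` with the Lambda as its target; the remediation names are placeholders for whatever your SNS topic or remediation function expects.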
Develop and Manage resources using API
Amazon Macie provides API access to your AWS accounts and resources, so you can manage Macie resources programmatically. AWS also provides tools and SDKs, consisting of libraries and sample code for various languages and platforms such as PowerShell, Java, Go, Python, C++, and .NET.
How it works –
Some of the use cases of Macie
Your responsibility to secure data also varies with the types of data your organization deals with in the cloud. I work very closely with the financial and investment sectors, where there are strict regulations that financial organizations must comply with. One such tool used in this sector is an AML (Anti-Money Laundering) tool, which contains a huge amount of PII and financial data about investors and partners. If such tools are hosted in the cloud, it becomes imperative to use services like Macie to help protect that sensitive data.
Some of the use cases are listed below.
Identifying sensitive data in data migrations
If you enable Macie while migrating your on-premises data to an S3 bucket in the cloud, it can help you identify the buckets that contain sensitive data. You can also extract files from applications such as email, file shares and collaboration tools and transfer them to S3 for evaluation by Macie.
Maintaining regulatory compliance
Macie will help you not only gain the trust of your partners and customers but also fulfill your regulatory requirements. Macie’s finding reports can be stored in S3 to meet compliance requirements; these sensitive data discovery reports can be used in data privacy and protection audits and retained long term.
Assessing your data privacy and security
If you can assess the sensitivity of your data and know where it resides, you are already halfway to securing it. Macie gives you the means to identify sensitive data and where it resides, so that you can apply the appropriate least-privilege or RBAC controls as and when required.
Macie alternatives and competitors
You must be wondering why I am talking about Macie alternatives when AWS already has a robust native solution for securing sensitive data. You are absolutely right! There is one point worth mentioning here, and that is the cost of Amazon Macie. Amazon Macie comes with a 30-day free trial, and you can check the details on the Amazon Macie Pricing page. I have not done a POC or implementation of any Macie alternative; however, some tools claim that they can do similar tasks to Macie while reducing the cost by up to 99%. If they are as robust as Amazon Macie and also reduce the cost by 99%, it’s a win-win for decision-makers.
Securing sensitive data is one of the key requirements today when resources are put in the cloud, and it’s your responsibility as the data owner to do so. If you practice it well, you can gain the trust of your customers and partners, and you can also satisfy the various regulatory compliance requirements. The question is: should you incorporate Macie into your AWS organization? If you ask me, I will say yes! However, there is a cost vs. risk trade-off that every leader and decision-maker has to work through. I will leave that for you to decide, because you know best what kind of data your organization deals with in its cloud domain. Chaos!