Amazon Macie Revamped Adds ML Models, Pricing Modifications

Amazon Web Services (AWS) has made some important changes to Macie, its machine-learning-powered data security service for Amazon S3. AWS blog posts this week say that Macie is now better at detecting sensitive data, thanks to new machine learning models that detect personally identifiable information (PII). Macie has also moved to a tiered pricing model that AWS says lowers costs by up to 80 percent. Customers pay based on the number of Amazon S3 buckets Macie evaluates and on the volume of data it scans for sensitive content; because the tiers are volume-based, AWS says the per-gigabyte rate falls as the scanned volume grows.

Macie launched in August 2017, amid a series of data security incidents in which millions of users' sensitive records were exposed through misconfigured Amazon S3 buckets. The original service used machine learning to identify sensitive data stored in S3, assess how well that data was protected, and model normal access patterns for it, flagging anomalous access as a potential security issue.

AWS said the new Macie incorporates customer feedback. Besides the new machine learning models and the simpler pricing structure, it adds support for multiple AWS accounts via AWS Organizations, an improved user experience, and, in AWS's words, "[f]ull API coverage for programmatic usage of the service with AWS SDKs and AWS Command Line Interface (CLI)." AWS has also changed how Macie evaluates Amazon S3 buckets, and cites two key benefits:

  • Enabling S3 data events in AWS CloudTrail is no longer a requirement, which further reduces overall cost.
  • Security findings are now issued for all buckets, including public buckets, unencrypted buckets, and buckets that have been shared with or replicated to AWS accounts outside your Organization.

Macie was originally designed to scan Amazon S3 data. However, the AWS blog points out that Macie can be extended to non-S3 data by temporarily staging that data in S3, where Macie can read it. As AWS put it, "[A]nything that you can get into S3 permanently or temporarily, and in an object format supported by Macie, can be scanned to identify sensitive data." This extends coverage to data that does not live in S3: you can export data from custom applications, databases, or third-party services, place it temporarily in S3, and run Macie over it to identify sensitive data. The staged copy is itself a copy of potentially sensitive data, so the staging bucket should block public access and use encryption, the job should be scoped to the staged objects only, and the copy should be deleted as soon as the scan finishes.
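The staging workflow described above, as an added example that is not AWS's own code: a boto3 script that uploads a constructed export to a staging bucket, runs a one-time Macie classification job scoped to just that key prefix, collects the resulting findings, and deletes the staged objects whether or not the job succeeds. The bucket name, key prefix and sample CSV are placeholders, and it assumes Macie is already enabled in the account and that the caller has s3:PutObject and s3:DeleteObject on the staging bucket plus the macie2 job and finding permissions.

```python
"""Stage a non-S3 export in S3, classify it with a one-time Amazon Macie job,
then remove the staged copy. Added example, not AWS's code. Assumes a
Macie-enabled account and an existing staging bucket (names are placeholders)."""
import time
import uuid

JOB_DONE = "COMPLETE"
JOB_STOPPED = ("CANCELLED", "PAUSED", "USER_PAUSED")


def build_job_definition(account_id: str, bucket: str, prefix: str) -> dict:
    """Scope the job to one bucket and one key prefix so only the staged
    export is scanned (and billed), not everything else in the bucket."""
    return {
        "bucketDefinitions": [{"accountId": account_id, "buckets": [bucket]}],
        "scoping": {
            "includes": {
                "and": [{
                    "simpleScopeTerm": {
                        "comparator": "STARTS_WITH",
                        "key": "OBJECT_KEY",
                        "values": [prefix],
                    }
                }]
            }
        },
    }


def summarize_findings(findings: list) -> dict:
    """Reduce Macie finding documents to {object key: [(finding type, severity), ...]}."""
    summary = {}
    for finding in findings:
        key = finding.get("resourcesAffected", {}).get("s3Object", {}).get("key", "?")
        severity = finding.get("severity", {}).get("description")
        summary.setdefault(key, []).append((finding.get("type"), severity))
    return summary


def wait_for_job(macie, job_id: str, sleep=time.sleep, poll_seconds=30, max_polls=240) -> str:
    """Poll until the one-time job completes; fail loudly if it is cancelled or paused."""
    for _ in range(max_polls):
        status = macie.describe_classification_job(jobId=job_id)["jobStatus"]
        if status == JOB_DONE:
            return status
        if status in JOB_STOPPED:
            raise RuntimeError(f"Macie job {job_id} ended with status {status}")
        sleep(poll_seconds)
    raise TimeoutError(f"Macie job {job_id} did not finish after {max_polls} polls")


def scan_staged_export(s3, macie, account_id, bucket, prefix, objects, sleep=time.sleep) -> dict:
    """Upload `objects` ({name: bytes}) under `prefix`, run Macie over that prefix
    only, and always delete the staged copies, even when the job fails."""
    staged = []
    try:
        for name, body in objects.items():
            key = prefix + name
            s3.put_object(Bucket=bucket, Key=key, Body=body, ServerSideEncryption="AES256")
            staged.append(key)
        job = macie.create_classification_job(
            clientToken=str(uuid.uuid4()),  # idempotency token required by the API
            jobType="ONE_TIME",
            name=f"staged-export-{uuid.uuid4().hex[:8]}",
            s3JobDefinition=build_job_definition(account_id, bucket, prefix),
        )
        job_id = job["jobId"]
        wait_for_job(macie, job_id, sleep=sleep)
        criteria = {"criterion": {"classificationDetails.jobId": {"eq": [job_id]}}}
        finding_ids, token = [], None
        while True:  # ListFindings pages its results
            kwargs = {"findingCriteria": criteria}
            if token:
                kwargs["nextToken"] = token
            page = macie.list_findings(**kwargs)
            finding_ids.extend(page.get("findingIds", []))
            token = page.get("nextToken")
            if not token:
                break
        findings = []
        for i in range(0, len(finding_ids), 50):  # GetFindings takes at most 50 IDs per call
            findings.extend(macie.get_findings(findingIds=finding_ids[i:i + 50])["findings"])
        return summarize_findings(findings)
    finally:
        for key in staged:  # the staging copy must not outlive the scan
            s3.delete_object(Bucket=bucket, Key=key)


if __name__ == "__main__":
    import boto3  # only the live run needs the SDK; the helpers above are SDK-free
    # Constructed sample export standing in for a database dump or application extract.
    sample = {"customers.csv": b"name,email\nAda Lovelace,ada@example.com\n"}
    account = boto3.client("sts").get_caller_identity()["Account"]
    print(scan_staged_export(boto3.client("s3"), boto3.client("macie2"), account,
                             "my-macie-staging-bucket", "exports/", sample))  # placeholder bucket
```

Two operational notes: Macie publishes findings asynchronously after a job completes, so an empty result straight after the wait may mean the findings are not yet queryable and `list_findings` should be retried a little later; and because the `finally` block is the only thing removing the staged copy, an S3 lifecycle rule on the staging prefix is a sensible backstop for runs that are killed before cleanup.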