Amazon Macie concepts and terminology

In Amazon Macie, we build on common AWS concepts and terminology and use these additional terms.

account

A standard AWS account that contains your AWS resources and the identities that can access those resources.

To use Macie, you sign in to AWS with your AWS account credentials, select the AWS Region in which you want to use Macie, and then enable Macie for your AWS account in that Region. For more information, see Getting started with Amazon Macie.

There are three types of accounts in Macie:

  • Administrator account – This type of account manages Macie accounts for an organization. An organization is a set of Macie accounts that are associated with each other and centrally managed as a group of related accounts in a specific AWS Region.

  • Member account – This type of account is associated with and managed by the Macie administrator account for an organization.

  • Standalone account – This type of account is neither an administrator nor a member account. It isn’t part of an organization.

You can add Macie accounts to an organization in two ways: by integrating Macie with AWS Organizations or by sending and accepting Macie membership invitations. For more information, see Managing multiple accounts.

administrator account

In Macie, an account that manages Macie accounts for an organization. An organization is a set of Macie accounts that are associated with each other and centrally managed as a group of related accounts in a specific AWS Region.

Users of a Macie administrator account have access to Amazon Simple Storage Service (Amazon S3) inventory data, policy findings, and certain Macie settings and resources for all the accounts in their organization. They can also perform automated sensitive data discovery and run sensitive data discovery jobs to detect sensitive data in S3 buckets that the accounts own. Depending on how an account is designated as an administrator account, they may also be able to perform additional tasks for other accounts in their organization.

For more information, see Managing multiple accounts.

allow list

In Macie, an allow list specifies text or a text pattern that you want Macie to ignore when it inspects S3 objects for sensitive data.

You can create two types of allow lists in Macie: a plaintext file that lists specific words and other kinds of character sequences to ignore, or a regular expression (regex) that defines a text pattern to ignore. If an object contains text that matches an entry or pattern in an allow list, Macie doesn't report the text in sensitive data findings, statistics, and other types of results, even if the text matches the criteria of a managed data identifier or a custom data identifier.

For more information, see Defining sensitive data exceptions with allow lists.

automated sensitive data discovery

A series of automated analysis activities that Macie continually performs to identify and select representative objects from S3 buckets, and inspect the selected objects for sensitive data.

As the analyses progress, Macie produces records of the sensitive data that it finds (sensitive data findings) and the analysis that it performs (sensitive data discovery results). Macie also updates statistics and other information that it provides about Amazon S3 data.

For more information, see Performing automated sensitive data discovery.

AWS Security Finding Format (ASFF)

A standardized JSON format for the contents of findings that are published to or generated by AWS Security Hub. The ASFF includes details about the source of a security issue, the affected resources, and the status of a finding.

For information about ASFF, see AWS Security Finding Format (ASFF) in the AWS Security Hub User Guide. For information about publishing Macie findings to Security Hub, see Amazon Macie integration with AWS Security Hub.

classifiable bytes or size

In the S3 bucket statistics that Macie provides, the total storage size of all the classifiable objects in an S3 bucket.

If versioning is enabled for a bucket, this value is based on the storage size of the latest version of each classifiable object in the bucket. If an object is a compressed file, this value doesn’t reflect the actual size of the file’s contents after the file is decompressed.

For more information, see Reviewing your S3 bucket inventory and Assessing your Amazon S3 security posture.

classifiable object

An S3 object that Macie can analyze to detect sensitive data.

When calculating S3 bucket statistics, Macie determines that an object is classifiable based on the object’s storage class and file name extension. An object is classifiable if it uses a supported Amazon S3 storage class and has a file name extension for a supported file or storage format.

For more information, see Reviewing your S3 bucket inventory and Assessing your Amazon S3 security posture.

For sensitive data discovery, Macie determines that an object is classifiable based on the object’s storage class, file name extension, and contents. An object is classifiable if it uses a supported Amazon S3 storage class, it has a file name extension for a supported file or storage format, and Macie verified that it can extract and analyze data from the object.

For more information, see Discovering sensitive data and Forecasting and monitoring costs.

custom data identifier

A set of criteria that you define to detect sensitive data.

The criteria consist of a regular expression (regex) that defines a text pattern to match and, optionally, character sequences and a proximity rule that refine the results. The character sequences can be:

  • Keywords, which are words or phrases that must be in proximity of text that matches the regex, or

  • Ignore words, which are words or phrases to exclude from the results.

In addition to detection criteria, you can define custom severity settings for the sensitive data findings that a custom data identifier produces.

For more information, see Building custom data identifiers.
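To make the allow list and custom data identifier definitions above concrete, here is an added example (not Macie's code or any AWS library) of how those criteria combine: a regex produces candidate matches, ignore words discard matches that contain them, keywords must appear near the match, and an allow list (plaintext entries or a regex pattern) suppresses text that would otherwise be reported. The employee-ID format, the sample text, and the proximity semantics (keyword within the N characters preceding the match) are constructed assumptions for this illustration.

```python
import re
from dataclasses import dataclass, field

# Illustration only: a simplified model of how a custom data identifier's
# criteria (regex, keywords, ignore words, proximity) and an allow list
# combine. It is not Macie's implementation; the proximity semantics
# (keyword must appear in the N characters before the match) are an
# assumption made for this example.


@dataclass
class CustomDataIdentifier:
    name: str
    regex: str
    keywords: list = field(default_factory=list)      # at least one must be near a match
    ignore_words: list = field(default_factory=list)  # a match containing one is discarded
    proximity: int = 50                               # characters before the match to scan
    severity: str = "MEDIUM"                          # custom severity for resulting findings


@dataclass
class AllowList:
    words: set = field(default_factory=set)        # plaintext entries, matched verbatim
    patterns: list = field(default_factory=list)   # regexes, matched against the whole detection

    def allows(self, text: str) -> bool:
        return text in self.words or any(re.fullmatch(p, text) for p in self.patterns)


def find_matches(text: str, cdi: CustomDataIdentifier, allow_list: AllowList = None) -> list:
    """Return detections for `cdi` in `text`, applying ignore words, keywords and the allow list."""
    detections = []
    for m in re.finditer(cdi.regex, text):
        match = m.group(0)
        # Ignore words: exclude matches that contain any of them.
        if any(w.lower() in match.lower() for w in cdi.ignore_words):
            continue
        # Keywords: require one within the proximity window preceding the match.
        if cdi.keywords:
            window = text[max(0, m.start() - cdi.proximity):m.start()].lower()
            if not any(k.lower() in window for k in cdi.keywords):
                continue
        # Allow list: text matching an entry or pattern is never reported,
        # even though it matched the identifier's criteria.
        if allow_list is not None and allow_list.allows(match):
            continue
        detections.append({"identifier": cdi.name, "text": match,
                           "offset": m.start(), "severity": cdi.severity})
    return detections


# Constructed sample data: a fictitious employee-ID format.
EMPLOYEE_ID = CustomDataIdentifier(
    name="EmployeeId",
    regex=r"\b[A-Z]{2,4}-\d{6}\b",
    keywords=["employee id"],
    ignore_words=["TST"],
    proximity=20,
    severity="HIGH",
)
ALLOW_LIST = AllowList(words={"ABC-000000"}, patterns=[r"ZZZ-\d{6}"])
SAMPLE_TEXT = (
    "Employee ID: ABC-123456 was onboarded today. "
    "Employee ID: TST-999999 is a test fixture. "
    "The purchase order PO-111111 has no keyword nearby. "
    "Employee ID: ZZZ-123456 is synthetic test data. "
    "Employee ID: ABC-000000 is a documented placeholder."
)

if __name__ == "__main__":
    for d in find_matches(SAMPLE_TEXT, EMPLOYEE_ID, ALLOW_LIST):
        print(d)
```

Run as a script, only ABC-123456 is reported: TST-999999 is dropped by the ignore word, PO-111111 has no keyword within range, and ZZZ-123456 and ABC-000000 match the identifier but are covered by the allow list's pattern and plaintext entry respectively. Calling find_matches without the allow list shows the difference the allow list makes.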

filter rule

A set of attribute-based filter criteria that you create and save to analyze findings on the Amazon Macie console. Filter rules can help you perform consistent analysis of findings that have specific characteristics, such as all high-severity findings that report a specific type of sensitive data.

For more information, see Creating and managing filter rules for findings.

finding

A detailed report of sensitive data that Macie found in an S3 object or a potential issue with the security or privacy of an S3 general purpose bucket. Each finding provides details such as a severity rating, information about the affected resource, and when Macie found the data or issue.

Macie generates two categories of findings: sensitive data findings, for sensitive data that Macie detects in S3 objects, and policy findings, for potential issues that Macie detects with the security and access control settings for S3 buckets. Within each category, there are specific types of findings.

For more information, see Types of Amazon Macie findings.

finding event

An Amazon EventBridge event that contains the details of a sensitive data finding or policy finding.

Macie automatically publishes sensitive data findings and policy findings to Amazon EventBridge as events. An event is a JSON object that conforms to the EventBridge schema for AWS events. You can use these events to monitor, process, and act upon findings by using other applications, services, and systems.

For more information, see Amazon Macie integration with Amazon EventBridge and Amazon EventBridge event schema for Amazon Macie findings.

job

See sensitive data discovery job.

managed data identifier

A set of built-in criteria and techniques that are designed to detect a specific type of sensitive data. Examples of sensitive data include credit card numbers, AWS secret access keys, or passport numbers for a particular country or region. These identifiers can detect a large and growing list of sensitive data types for many countries and regions.

For more information, see Using managed data identifiers.

member account

A Macie account that’s managed by the designated Macie administrator account for an organization. An organization is a set of Macie accounts that are associated with each other and centrally managed as a group of related accounts in a specific AWS Region.

An account can become a member account in two ways: by integrating Macie with the account’s organization in AWS Organizations or by accepting a Macie membership invitation.

If you have a member account, your Macie administrator has access to Amazon S3 inventory data, policy findings, and certain Macie settings and resources for your account. Your administrator can also perform automated sensitive data discovery and run sensitive data discovery jobs to detect sensitive data in your S3 buckets. They may also be able to perform additional tasks for your account, depending on how your account became a member account.

For more information, see Managing multiple accounts.

organization

A set of Macie accounts that are associated with each other and centrally managed as a group of related accounts in a specific AWS Region.

Each organization consists of a designated Macie administrator account and one or more associated member accounts. The administrator account can access certain Macie settings, data, and resources for member accounts. You can create an organization in two ways: by integrating Macie with AWS Organizations or by sending and accepting membership invitations in Macie.

For more information, see Managing multiple accounts.

policy finding

A detailed report of a potential policy violation or issue with the security and access control settings for an S3 general purpose bucket. The details include a severity rating, information about the affected resource, and when Macie found the issue.

Macie generates policy findings when the policies or settings for an S3 general purpose bucket are changed in a way that reduces the security or privacy of the bucket and the bucket's objects. Macie generates these findings as part of its ongoing monitoring activities for your Amazon S3 data. Macie can generate several types of policy findings.

For more information, see Types of Amazon Macie findings and Monitoring data security and privacy.

sample finding

A finding that uses example data and placeholder values to demonstrate the kinds of information that a finding might contain.

For more information, see Working with sample findings.

sensitive data finding

A detailed report of sensitive data that Macie found in an S3 object. The details include a severity rating, information about the affected resource, the type and number of occurrences of the sensitive data that Macie found, and when Macie found the sensitive data.

Macie generates sensitive data findings if it detects sensitive data in S3 objects that it analyzes when you run sensitive data discovery jobs or it performs automated sensitive data discovery. Macie can generate several types of sensitive data findings.

For more information, see Types of Amazon Macie findings and Discovering sensitive data.

sensitive data discovery job

Also referred to as a job, a series of automated processing and analysis tasks that Macie performs to detect and report sensitive data in S3 objects. When you create a job, you specify how often you want the job to run, and you define the scope and nature of the job’s analysis.

When a job runs, Macie produces records of the sensitive data that it finds (sensitive data findings) and the analysis that it performs (sensitive data discovery results). Macie also publishes logging data to Amazon CloudWatch Logs.

For more information, see Running sensitive data discovery jobs.

sensitive data discovery result

A record that logs details about the analysis that Macie performed on an S3 object to determine whether the object contains sensitive data. Macie generates and writes these records to JSON Lines (.jsonl) files, which it encrypts and stores in an S3 bucket that you specify. The records adhere to a standardized schema.

When you run a sensitive data discovery job or Macie performs automated sensitive data discovery, Macie creates a sensitive data discovery result for each object that's included in the scope of the analysis. This includes:

  • Objects in which Macie finds sensitive data, which therefore also produce sensitive data findings.

  • Objects in which Macie doesn’t find sensitive data, which therefore don’t produce sensitive data findings.

  • Objects that Macie can’t analyze due to errors or issues such as permissions settings or use of an unsupported file or storage format.

For more information, see Storing and retaining sensitive data discovery results.

standalone account

A Macie account that’s neither an administrator nor a member account in an organization. The account isn’t part of an organization.

suppressed finding

A finding that was archived automatically by a suppression rule. That is to say, Macie automatically changed the status of the finding to archived because the finding matched the criteria of a suppression rule when Macie generated the finding.

For more information, see Suppressing findings.

suppression rule

A set of attribute-based filter criteria that you create and save to archive (suppress) findings automatically. Suppression rules are helpful in situations where you've reviewed a class of findings and don't want to be notified of them again.

If you suppress findings with a suppression rule, Macie continues to generate findings that match the rule's criteria. However, Macie automatically changes the status of the findings to archived. This means that the findings don't appear by default on the Amazon Macie console and Macie doesn’t publish them to other AWS services.

For more information, see Suppressing findings.
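The finding event, filter rule and suppression rule entries above all describe attribute-based criteria applied to findings. The following added example (not Macie's code or any AWS library) consumes EventBridge events in the envelope shape the page describes (source aws.macie, detail-type "Macie Finding", the finding in detail), archives findings that match a suppression rule, and groups the remainder by saved filter rules. The criteria syntax is this script's own, and the finding attributes it reads (category, type, severity.score, resourcesAffected.s3Bucket.name) and the sample events are constructed assumptions for the illustration.

```python
import json

# Illustration only: attribute-based criteria evaluated against Macie finding
# events. The EventBridge envelope fields (source "aws.macie", detail-type
# "Macie Finding", detail = the finding) are as the page describes; the
# finding attributes used below (category, type, severity.score,
# resourcesAffected.s3Bucket.name) are assumed for this example, and the
# criteria syntax is this script's own, not Macie's.


def get_path(obj: dict, path: str):
    """Resolve a dotted attribute path such as 'severity.score'; None if absent."""
    cur = obj
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def matches(finding: dict, criteria: dict) -> bool:
    """All conditions must hold. Conditions: eq (in list), neq (not in list), gte, lte."""
    for path, cond in criteria.items():
        value = get_path(finding, path)
        if "eq" in cond and value not in cond["eq"]:
            return False
        if "neq" in cond and value in cond["neq"]:
            return False
        if "gte" in cond and (value is None or value < cond["gte"]):
            return False
        if "lte" in cond and (value is None or value > cond["lte"]):
            return False
    return True


# A suppression rule: archive sensitive data findings for a known fixtures bucket.
SUPPRESSION_RULES = [
    {"name": "dev-fixtures",
     "criteria": {"category": {"eq": ["CLASSIFICATION"]},
                  "resourcesAffected.s3Bucket.name": {"eq": ["dev-sandbox-fixtures"]}}},
]
# Filter rules: saved criteria for consistent triage views.
FILTER_RULES = {
    "high-severity-sensitive-data": {"category": {"eq": ["CLASSIFICATION"]},
                                     "severity.score": {"gte": 3}},
    "policy-findings": {"category": {"eq": ["POLICY"]}},
}


def route_events(events: list) -> dict:
    """Archive suppressed findings, then bucket the rest by filter rule."""
    out = {"archived": [], "ignored_events": 0}
    out.update({name: [] for name in FILTER_RULES})
    for ev in events:
        if ev.get("source") != "aws.macie" or ev.get("detail-type") != "Macie Finding":
            out["ignored_events"] += 1
            continue
        finding = ev["detail"]
        if any(matches(finding, rule["criteria"]) for rule in SUPPRESSION_RULES):
            finding["archived"] = True        # still generated, just archived
            out["archived"].append(finding["id"])
            continue
        for name, criteria in FILTER_RULES.items():
            if matches(finding, criteria):
                out[name].append(finding["id"])
    return out


def make_event(finding_id, category, ftype, score, bucket):
    """Build a constructed EventBridge-style envelope around a finding."""
    return {"version": "0", "id": f"evt-{finding_id}", "detail-type": "Macie Finding",
            "source": "aws.macie", "account": "111122223333", "region": "us-east-1",
            "time": "2024-01-01T00:00:00Z", "resources": [],
            "detail": {"id": finding_id, "category": category, "type": ftype,
                       "severity": {"score": score,
                                    "description": {1: "Low", 2: "Medium", 3: "High"}[score]},
                       "resourcesAffected": {"s3Bucket": {"name": bucket}}}}


# Constructed sample events: three sensitive data findings, one policy finding,
# and one unrelated event that should be ignored.
SAMPLE_EVENTS = [
    make_event("f-1", "CLASSIFICATION", "SensitiveData:S3Object/Personal", 3, "prod-customer-exports"),
    make_event("f-2", "CLASSIFICATION", "SensitiveData:S3Object/Credentials", 3, "dev-sandbox-fixtures"),
    make_event("f-3", "CLASSIFICATION", "SensitiveData:S3Object/Financial", 1, "prod-customer-exports"),
    make_event("f-4", "POLICY", "Policy:IAMUser/S3BucketPublic", 3, "public-website-assets"),
    {"source": "aws.s3", "detail-type": "Object Created", "detail": {}},
]

if __name__ == "__main__":
    print(json.dumps(route_events(SAMPLE_EVENTS), indent=2))
```

The suppressed finding f-2 is still present in the output, only archived, which mirrors the page's point that suppression changes a finding's status rather than stopping generation. A practical check when writing a suppression rule is to keep its criteria narrow (here: one category and one bucket) so that a later high-severity finding for a different bucket does not silently disappear from the default view.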

unclassifiable bytes or size

In the S3 bucket statistics that Macie provides, the total storage size of all the unclassifiable objects in an S3 bucket.

If versioning is enabled for a bucket, this value is based on the storage size of the latest version of each unclassifiable object in the bucket. If an object is a compressed file, this value doesn’t reflect the actual size of the file’s contents after the file is decompressed.

For more information, see Reviewing your S3 bucket inventory and Assessing your Amazon S3 security posture.

unclassifiable object

An S3 object that Macie can’t analyze to detect sensitive data.

When calculating S3 bucket statistics, Macie determines that an object is unclassifiable based on the object’s storage class and file name extension. An object is unclassifiable if it doesn’t use a supported Amazon S3 storage class or doesn’t have a file name extension for a supported file or storage format.

For more information, see Reviewing your S3 bucket inventory and Assessing your Amazon S3 security posture.

For sensitive data discovery, Macie determines that an object is unclassifiable based on the object’s storage class, file name extension, and contents. An object is unclassifiable if it doesn’t use a supported Amazon S3 storage class, it doesn’t have a file name extension for a supported file or storage format, or Macie wasn’t able to extract and analyze data from the object (for example, because the object is a malformed file).

For more information, see Discovering sensitive data and Forecasting and monitoring costs.
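As an added example of the classifiable and unclassifiable bucket statistics defined above (classifiable bytes, classifiable object, unclassifiable bytes, unclassifiable object), the script below derives those counts from a constructed object inventory: it keeps only the latest version of each key, tests storage class and file name extension only (the contents check that sensitive data discovery adds is deliberately not modeled), and sums stored sizes without decompressing anything. This is not Macie's code; the sets of supported storage classes and extensions are placeholders for the illustration, not Macie's actual lists, and the inventory is constructed.

```python
# Illustration only: how classifiable and unclassifiable bytes in bucket
# statistics are derived from a constructed object inventory. The storage
# classes and extensions listed as supported are placeholders for this
# example, not Macie's actual lists.

SUPPORTED_STORAGE_CLASSES = {"STANDARD", "STANDARD_IA", "ONEZONE_IA", "INTELLIGENT_TIERING"}  # assumed
SUPPORTED_EXTENSIONS = {".csv", ".json", ".txt", ".parquet", ".gz", ".zip", ".pdf", ".docx"}  # assumed


def file_extension(key: str) -> str:
    """Extension of the last path component, lower-cased; empty if none."""
    name = key.rsplit("/", 1)[-1]
    return name[name.rfind("."):].lower() if "." in name else ""


def is_classifiable(obj: dict) -> bool:
    """Bucket-statistics test: storage class and extension only (contents are not inspected)."""
    return (obj["storage_class"] in SUPPORTED_STORAGE_CLASSES
            and file_extension(obj["key"]) in SUPPORTED_EXTENSIONS)


def latest_versions(objects: list) -> dict:
    """Keep only the latest version of each key, as the statistics do for versioned buckets."""
    latest = {}
    for obj in objects:
        cur = latest.get(obj["key"])
        if cur is None or obj["last_modified"] > cur["last_modified"]:
            latest[obj["key"]] = obj
    return latest


def bucket_statistics(objects: list) -> dict:
    """Sum counts and stored bytes for classifiable and unclassifiable objects."""
    stats = {"classifiable_count": 0, "classifiable_bytes": 0,
             "unclassifiable_count": 0, "unclassifiable_bytes": 0}
    for obj in latest_versions(objects).values():
        kind = "classifiable" if is_classifiable(obj) else "unclassifiable"
        stats[kind + "_count"] += 1
        stats[kind + "_bytes"] += obj["size"]   # stored size, not decompressed size
    return stats


# Constructed inventory, in the spirit of an S3 Inventory report with versions.
# customers.csv has two versions; only the 1500-byte latest version counts.
# The GLACIER object and the .png are unclassifiable under the assumed lists.
SAMPLE_INVENTORY = [
    {"key": "data/customers.csv", "size": 1000, "storage_class": "STANDARD",
     "last_modified": "2024-01-01T00:00:00Z"},
    {"key": "data/customers.csv", "size": 1500, "storage_class": "STANDARD",
     "last_modified": "2024-02-01T00:00:00Z"},
    {"key": "archive/2019.csv", "size": 4000, "storage_class": "GLACIER",
     "last_modified": "2023-06-01T00:00:00Z"},
    {"key": "export/report.json.gz", "size": 300, "storage_class": "STANDARD_IA",
     "last_modified": "2024-03-01T00:00:00Z"},
    {"key": "images/logo.png", "size": 2000, "storage_class": "STANDARD",
     "last_modified": "2024-03-02T00:00:00Z"},
]

if __name__ == "__main__":
    print(bucket_statistics(SAMPLE_INVENTORY))
```

The 300-byte .gz object is counted at its stored size even though its decompressed contents may be much larger, which is the caveat the page states for compressed files; when forecasting discovery cost or coverage, treat classifiable bytes as a lower bound on the data Macie will actually inspect.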