Amazon Macie: What It Is and When to Use It

Definition

Amazon Macie is a fully managed data security and data privacy service that uses machine learning (ML) and pattern matching to discover and protect sensitive data in Amazon Simple Storage Service (Amazon S3). It helps organizations meet compliance regulations like the General Data Protection Regulation (GDPR) and the Health Insurance Portability and Accountability Act (HIPAA) by identifying where sensitive data such as Personally Identifiable Information (PII), financial data, and credentials reside.

How It Works

Amazon Macie works by creating an inventory of your S3 buckets and continuously evaluating them for security and access control. When enabled, either for a single account or across an entire AWS Organization, Macie immediately begins to build this inventory and monitor for potential issues like publicly accessible buckets or unencrypted data, generating policy findings for review.

Macie's core functionality is divided into two main discovery methods:

  1. Automated Sensitive Data Discovery: This feature continuously and cost-effectively samples objects across your S3 estate. It uses intelligent sampling to provide broad visibility into where sensitive data might exist, creating an interactive data map and assigning a sensitivity score to each bucket without requiring you to manually configure scan jobs. This is the default mode and provides a baseline understanding of your data posture.

  2. Sensitive Data Discovery Jobs: For deeper, more targeted analysis, you can create specific discovery jobs. These jobs allow you to define the scope (specific buckets), schedule (one-time or recurring), and depth of the scan. This is ideal for compliance audits, incident response, or detailed inspection of critical datasets.

To detect sensitive data, Macie uses a combination of managed data identifiers (built-in criteria for common sensitive data types like credit card numbers and AWS secret keys) and custom data identifiers (regular expressions you define for proprietary or unique data patterns). Findings are generated with severity ratings and can be reviewed in the Macie console or routed to Amazon EventBridge and AWS Security Hub for automated remediation and centralized monitoring.
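The following is an added example, not code from this article or from AWS, showing what a custom data identifier looks like as a CreateCustomDataIdentifier request (the `regex`, `keywords`, `maximumMatchDistance` and `ignoreWords` parameters are the real Macie API fields) together with an offline preview of how such an identifier behaves. The `preview_matches` evaluator is an approximation of Macie's keyword-proximity and ignore-word semantics written here for testing, not the service's own implementation; the employee-ID format and the sample object text are constructed.

```python
"""Define a Macie custom data identifier and preview what it would match.

Added example. The request dict uses the real CreateCustomDataIdentifier
parameters; `preview_matches` is an offline approximation of how Macie
applies keywords, match distance and ignore words, not AWS code.
"""
import re

# Hypothetical proprietary pattern: internal employee IDs "EMP-" + 6 digits.
EMPLOYEE_ID_IDENTIFIER = {
    "name": "internal-employee-id",
    "description": "Internal employee IDs of the form EMP-nnnnnn (constructed)",
    "regex": r"\bEMP-\d{6}\b",
    # A regex hit only counts when one of these keywords appears within
    # maximumMatchDistance characters of it, which suppresses false positives.
    "keywords": ["employee id", "emp id", "staff number"],
    "maximumMatchDistance": 50,
    # Known non-sensitive values that must never produce a finding.
    "ignoreWords": ["EMP-000000", "EMP-999999"],
}


def create_identifier(client, spec):
    """Create the identifier with a boto3 Macie client (boto3.client('macie2')).

    Returns the new identifier's ID from the API response."""
    resp = client.create_custom_data_identifier(**spec)
    return resp["customDataIdentifierId"]


def preview_matches(spec, text):
    """Approximate Macie's evaluation of `spec` against `text`.

    A regex hit is reported when it is not an ignore word and, if keywords are
    configured, a keyword occurs within maximumMatchDistance characters of it.
    Returns the matched strings in document order."""
    pattern = re.compile(spec["regex"])
    ignore = {w.lower() for w in spec.get("ignoreWords", [])}
    keywords = [k.lower() for k in spec.get("keywords", [])]
    distance = spec.get("maximumMatchDistance", 50)
    lowered = text.lower()
    hits = []
    for m in pattern.finditer(text):
        value = m.group(0)
        if value.lower() in ignore:
            continue
        if keywords:
            start = max(0, m.start() - distance)
            end = min(len(text), m.end() + distance)
            if not any(k in lowered[start:end] for k in keywords):
                continue
        hits.append(value)
    return hits


# Constructed sample object content: one true positive with a keyword next to
# it, one ignore word, one ID with no keyword nearby, one keyword-qualified ID.
SAMPLE_TEXT = (
    "Payroll export. Employee ID: EMP-123456, department: finance.\n"
    "Test record EMP-000000 (employee id placeholder).\n"
    + " " * 60 + "Ticket ref EMP-555555 closed.\n" + " " * 60 +
    "Staff number EMP-777777 on file.\n"
)

if __name__ == "__main__":
    # Expected: ['EMP-123456', 'EMP-777777']
    print(preview_matches(EMPLOYEE_ID_IDENTIFIER, SAMPLE_TEXT))
```

Previewing a pattern this way before creating it in Macie is worth the effort: a bare regex such as `EMP-\d{6}` would flag every ticket reference in the estate, whereas the keyword constraint limits findings to contexts where the value is actually labelled as an employee identifier, and the ignore words cover known placeholder records.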

Key Features and Limits

  • Multi-Account Management: Integrates with AWS Organizations, allowing a single delegated administrator account to manage Macie across all member accounts.
  • Broad Data Type Support: Identifies a wide range of sensitive data, including PII (names, addresses), financial data (credit card numbers), health information (PHI), and credentials.
  • Custom Data Identifiers: Allows you to define custom patterns using regular expressions to find sensitive data specific to your organization.
  • Allow Lists: You can configure Macie to ignore specific text or patterns, reducing false positives from known, non-sensitive data.
  • S3 Security Posture Monitoring: Continuously evaluates S3 buckets for public accessibility, encryption status, and sharing policies, generating findings for misconfigurations.
  • Findings and Reporting: Provides detailed findings that can be aggregated in AWS Security Hub and sent to Amazon EventBridge to trigger automated remediation workflows, such as invoking an AWS Lambda function.
  • Regional Service: Macie is a regional service and must be enabled in each AWS Region where you want to monitor S3 buckets.
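As an added example (not code from this article or from AWS) of the EventBridge-to-Lambda remediation path described above, the block below defines an EventBridge event pattern that routes only High-severity Macie findings and a Lambda handler that triages each finding into a remediation decision. The pattern's `source` and `detail-type` values are the ones Macie publishes; the finding fields read by the handler (`category`, `type`, `severity.description`, `resourcesAffected.s3Bucket.publicAccess.effectivePermission`, `classificationDetails.result.sensitiveData`) are assumed to follow the Macie finding schema and should be checked against the current schema before deployment. The two sample findings are constructed, the `matches_event_pattern` helper covers only the exact-value form of EventBridge matching used here, and the handler returns a decision rather than calling any S3 API.

```python
"""Triage Macie findings delivered through Amazon EventBridge.

Added example. EVENT_PATTERN is an EventBridge rule pattern; triage_finding
turns one finding into a remediation decision. Field names follow the Macie
finding schema as assumed here; the sample findings are constructed.
"""
import json

# EventBridge rule pattern: only High-severity Macie findings reach the
# remediation function, so Low/Medium findings stay in the review queue.
EVENT_PATTERN = {
    "source": ["aws.macie"],
    "detail-type": ["Macie Finding"],
    "detail": {"severity": {"description": ["High"]}},
}


def matches_event_pattern(pattern, event):
    """Minimal EventBridge-style match: every pattern key must exist in the
    event and, at the leaves, the event value must be one of the listed values.
    Only the exact-value form used in EVENT_PATTERN is implemented."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        if isinstance(expected, dict):
            if not isinstance(event[key], dict) or not matches_event_pattern(expected, event[key]):
                return False
        elif event[key] not in expected:
            return False
    return True


def triage_finding(detail):
    """Decide the response for one Macie finding (the EventBridge `detail`).

    Classification findings in a publicly accessible bucket are the urgent
    case; other classification findings go to the data owner; policy findings
    (misconfiguration, no content inspected) go to a configuration review."""
    bucket = detail["resourcesAffected"]["s3Bucket"]
    public = bucket.get("publicAccess", {}).get("effectivePermission") == "PUBLIC"
    sensitive = (detail.get("classificationDetails", {})
                 .get("result", {})
                 .get("sensitiveData", []))
    total = sum(item.get("totalCount", 0) for item in sensitive)
    category = detail["category"]  # "CLASSIFICATION" or "POLICY"
    if category == "CLASSIFICATION" and public:
        action, priority = "block_public_access", "immediate"
    elif category == "CLASSIFICATION":
        action, priority = "notify_data_owner", "next_business_day"
    elif category == "POLICY":
        action, priority = "review_bucket_configuration", "next_business_day"
    else:
        action, priority = "no_action", "none"
    return {
        "finding_id": detail["id"],
        "finding_type": detail["type"],
        "bucket": bucket["name"],
        "object_key": detail["resourcesAffected"].get("s3Object", {}).get("key"),
        "severity": detail["severity"]["description"],
        "sensitive_item_count": total,
        "action": action,
        "priority": priority,
    }


def lambda_handler(event, context):
    """Lambda entry point for the EventBridge rule target."""
    return triage_finding(event["detail"])


# Constructed High-severity classification finding for a public bucket.
SAMPLE_EVENT = {
    "version": "0",
    "source": "aws.macie",
    "detail-type": "Macie Finding",
    "account": "111122223333",
    "region": "us-east-1",
    "detail": {
        "schemaVersion": "1.0",
        "id": "EXAMPLE-FINDING-ID",
        "category": "CLASSIFICATION",
        "type": "SensitiveData:S3Object/Financial",
        "severity": {"description": "High", "score": 3},
        "resourcesAffected": {
            "s3Bucket": {
                "name": "example-payroll-exports",
                "publicAccess": {"effectivePermission": "PUBLIC"},
                "defaultServerSideEncryption": {"encryptionType": "AES256"},
            },
            "s3Object": {"key": "exports/2026/payroll.csv", "size": 482113},
        },
        "classificationDetails": {
            "result": {
                "sensitiveData": [
                    {"category": "FINANCIAL_INFORMATION", "totalCount": 120},
                    {"category": "PERSONAL_INFORMATION", "totalCount": 340},
                ]
            }
        },
    },
}

# Constructed Medium-severity policy finding; EVENT_PATTERN does not route it.
SAMPLE_POLICY_DETAIL = {
    "schemaVersion": "1.0",
    "id": "EXAMPLE-POLICY-FINDING-ID",
    "category": "POLICY",
    "type": "Policy:IAMUser/S3BucketEncryptionDisabled",
    "severity": {"description": "Medium", "score": 2},
    "resourcesAffected": {
        "s3Bucket": {
            "name": "example-archive",
            "publicAccess": {"effectivePermission": "NOT_PUBLIC"},
        }
    },
}

if __name__ == "__main__":
    if matches_event_pattern(EVENT_PATTERN, SAMPLE_EVENT):
        print(json.dumps(lambda_handler(SAMPLE_EVENT, None), indent=2))
```

Keeping the severity filter in the EventBridge rule rather than inside the function means the remediation Lambda is only invoked for findings that warrant action, which both limits its blast radius and keeps its execution role from needing to run against every bucket Macie reports on.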

Service Quotas (as of 2026):

  • Custom Data Identifiers: 10,000 per account per Region.
  • S3 Buckets per Job: A single sensitive data discovery job can target up to 1,000 buckets.
  • Monthly Job Analysis: 5 TB of data can be analyzed by sensitive data discovery jobs per account per month.
  • File Size Limits: Macie has maximum size limits for individual files it can analyze, which vary by file type (e.g., 8 GB for Parquet, 1,024 MB for PDF).

Common Use Cases

  • Compliance and Auditing: Automatically discover and report on the location of data subject to regulations like GDPR, HIPAA, PCI-DSS, and CCPA to demonstrate compliance.
  • Data Leakage Prevention: Identify and receive alerts when sensitive data is stored in S3 buckets that are publicly accessible or have other risky configurations.
  • Improving Security Posture: Gain continuous visibility into your S3 data estate, understand where sensitive data resides, and prioritize remediation efforts for misconfigured buckets.
  • Data Migration Validation: Scan S3 buckets before, during, and after data migrations to ensure sensitive data is not inadvertently exposed or moved to a less secure environment.
  • Incident Response: In the event of a potential security incident, run targeted discovery jobs to quickly assess which S3 buckets contain sensitive data and determine the scope of the incident.

Pricing Model

Amazon Macie's pricing is based on several dimensions, and it includes a 30-day free trial for new accounts.

  1. S3 Bucket Evaluation: A per-bucket, per-month fee for continuously monitoring inventory and security posture (e.g., public access, encryption).
  2. Automated Sensitive Data Discovery: Charged based on the quantity of data inspected via intelligent sampling.
  3. Targeted Sensitive Data Discovery: Charged per gigabyte (GB) of data inspected by sensitive data discovery jobs.

There is a perpetual free tier that includes 1 GB of sensitive data discovery processing per month. Standard Amazon S3 GET and LIST request costs may also apply when Macie scans objects. For detailed and current pricing, refer to the official Amazon Macie pricing page and use the AWS Pricing Calculator.

Pros and Cons

Pros:

  • Fully Managed and Scalable: No infrastructure to manage; Macie scales automatically as your data in S3 grows.
  • Automated and Continuous: The automated discovery feature provides continuous visibility with minimal configuration.
  • Rich Set of Identifiers: Comes with a large, managed library of patterns for common sensitive data types.
  • Strong Integration: Natively integrates with AWS Organizations, AWS Security Hub, and Amazon EventBridge for centralized management and automated remediation.
  • Ease of Use: Can be enabled with a single click in the AWS Management Console across an entire organization.

Cons:

  • S3-Specific: Macie's data discovery capabilities are limited to Amazon S3 only; it does not scan other AWS data stores like Amazon RDS or DynamoDB.
  • Potential Cost: Scanning very large volumes of data with targeted discovery jobs can become expensive. Careful scoping of jobs is required to manage costs.
  • Regional Scope: Must be enabled and configured in each AWS Region separately.

Comparison with Alternatives

  • Amazon GuardDuty: GuardDuty is a threat detection service that monitors for malicious activity and unauthorized behavior across your AWS environment (analyzing VPC Flow Logs, DNS logs, and AWS CloudTrail events). Macie focuses on data classification within S3 (what the data is and whether it is sensitive), while GuardDuty focuses on threat detection (unusual API calls, potential instance compromises). The two services are complementary and often used together; for example, GuardDuty can detect suspicious access patterns to an S3 bucket that Macie has identified as containing sensitive data.

  • AWS Security Hub: Security Hub is a cloud security posture management (CSPM) service that provides a comprehensive view of your security alerts and compliance status across your AWS accounts. It aggregates findings from various AWS services, including Macie, GuardDuty, and Amazon Inspector. Security Hub acts as a central dashboard and aggregation point, while Macie is a source of findings specifically related to data security and privacy in S3.

  • Amazon Inspector: Inspector is a vulnerability management service that scans AWS workloads (like Amazon EC2 instances, container images in Amazon ECR, and Lambda functions) for software vulnerabilities and unintended network exposure. Macie scans the content of S3 objects for sensitive data, whereas Inspector scans the workloads themselves for security vulnerabilities.

Exam Relevance

Amazon Macie is a key topic in security-focused AWS certifications.

  • AWS Certified Security - Specialty (SCS-C02): Expect questions on Macie's role in data protection strategies, compliance, identifying PII, and automating responses to findings. You should know how it differs from GuardDuty and Inspector.
  • AWS Certified Solutions Architect - Associate (SAA-C03) & Professional (SAP-C02): Questions may cover Macie as the appropriate service for discovering sensitive data in S3 as part of a broader security or compliance architecture. Key exam triggers include phrases like "discover PII in S3," "scan for credit card numbers," or "ensure GDPR compliance for data at rest."

For exams, remember that Macie is for data classification in S3 only.

Frequently Asked Questions

Q: What data formats and storage classes does Amazon Macie support?

A: Macie supports various Amazon S3 storage classes, including S3 Standard, S3 Intelligent-Tiering, S3 Standard-IA, and S3 One Zone-IA. It can analyze numerous file formats, such as JSON, CSV, Avro, Parquet, Microsoft Office files, and PDF documents. It does not support scanning data in S3 Glacier storage classes directly.

Q: How does Macie handle encrypted data in S3?

A: Amazon Macie can analyze objects that are encrypted using server-side encryption with keys managed by either S3 (SSE-S3) or AWS Key Management Service (SSE-KMS). To analyze objects encrypted with a customer-managed KMS key, the Macie service role must be granted permission to use the key for decryption.

Q: What is the difference between automated discovery and a sensitive data discovery job?

A: Automated discovery is a continuous, sampling-based approach that provides broad visibility across all your S3 buckets with minimal configuration. A sensitive data discovery job is a targeted, deep scan that you configure to run on specific buckets on a one-time or recurring schedule. Automated discovery helps you identify where to focus your efforts, while jobs are used for in-depth analysis and compliance reporting.


This article reflects AWS features and pricing as of 2026. AWS services evolve rapidly — always verify against the official AWS documentation before making production decisions.

Published: 5/22/2026 / Updated: 5/23/2026

