Start course
1h 9m

Amazon Macie was launched in the summer of 2017, much to the delight of cloud security engineers. Amazon Macie is a powerful security and compliance service that provides an automatic method to detect, identify, and classify data within your AWS account. Macie currently supports Amazon S3 storage, however additional support for other storage systems will be developed and added over time. Backed by machine learning, Macie can actively review your data as different actions are taken within your AWS account. Machine learning spots access patterns and analyzes user behaviour using CloudTrail event data to alert against any unusual or irregular activity. Any findings are presented within a dashboard which can trigger alerts allowing you to quickly resolve any potential threat of exposure or compromise to your data.

This course will dive into all elements of the service, discussing its many different features and customizable elements allowing you to gain the maximum potential of its ability.

Learning Objectives

By the end of this course you will be able to:

  • Provide an understanding and awareness of what Amazon Macie is and what it’s used for
  • Provide an explanation of each configurable component of the service to allow you to gain maximum benefit from Macie’s capabilities
  • Understand how the service can provide a customizable approach to maintaining compliance
  • Understand how through automation and machine learning Amazon Mazie detects and categorizes S3 content to detect potential security threats and exposures

Intended Audience

The content of this course is centered around security and compliance. As a result, this course is beneficial to those who are in the roles or their equivalent of:

  • Cloud Security Architects
  • Compliance Managers
  • Cloud Administrators
  • Cloud Support & Operations


As a prerequisite of this course you should have an understanding and awareness of:

  • Amazon S3
  • AWS CloudTrail



Lecture Transcript

Hello and welcome to this lecture where I am going to be looking at the Amazon Macie dashboard. The Amazon Macie dashboard is the central hub of information that is collated, monitored, and classified through Amazon CloudTrail logs and any services associated to Macie, such as Amazon S3. The dashboard is accessed via the Amazon Macie console, which will look something like this. 

Let's start by looking at the four metric boxes at the top of the page and what they mean, starting with critical assets. This metric defines as a percentage how many of your assets have been identified as high-risk, which is anything with a risk value of eight, nine, or 10. These values are assigned to your assets in two ways, either by data classification made by Macie monitoring S3 data, or from specific API calls detected in your CloudTrail logs that have been marked with a set risk value. If the risk value has been classified based on S3 data, then the following categories are used to define its risk. The content type. Examples of this are plaintext, document, or source code. File extensions. Examples are .bat, .dmg, .sql. Themes. Examples of themes include financial keywords and social security keywords. And finally, regex configurations, which are regular expressions used to search for data patterns. More on these classification types and the methods behind it will be covered in the classifying and protecting data lecture later in this course. If the risk relates to an API call relating to your AWS infrastructure in some way, then the CloudTrail events in CloudTrail errors risk management will determine their value. Again, more on this will be discussed in that same lecture. 

Next is the total event occurrences metric. This relates to your Amazon CloudTrail logs and calculates the number of API calls that Amazon Macie has monitored as a part of the security analysis of your infrastructure. The total user sessions metric is a count of user sessions which Macie has processed. A user session is defined by a five-minute aggregate of CloudTrail data. This metric provides its count from when Amazon Macie was first enabled in your AWS account. Finally, the total users metric, which shows the number of users that have been identified by CloudTrail data, which are then are then categorized into Platinum, Gold, Silver, or Bronze, depending on which API calls those users have been requesting and initiating, will relate to their perceived risk level, Platinum being high-risk, Bronze being low-risk. More on Amazon Macie users will be covered in the next lecture.

Let me now move on to the bottom half of the dashboard. So the bottom half of the dashboard screen is used to present a number of different views of graphs, charts, and statistics that Amazon Macie has detected and monitored through its sources. They are accessed via the following icons, and these icons represent the following. S3 objects for selected time range, S3 objects, S3 objects by PII, S3 objects by ACL, high-risk CloudTrail events and associated users, high-risk CloudTrail errors and associated users, activity location, CloudTrail events, activity ISPs, and CloudTrail user identity types. Let's have a quick look at what each of these filter against starting with:

 S3 objects for selected time range. This metric includes a slider bar which defines the objects that are visualized in the graph. The value of the slider goes between one to 10 and represents the minimum risk value of the object to be included. For example, if the slider is set to five, all objects represented in the graph will have a risk value of five or greater. The graph also shows when the object was last modified using the time ranges of zero to six months ago and beyond six months from the date Macie was enabled. 

S3 objects. This metric shows your monitored S3 objects grouped together by Amazon Macie themes. The complete list of themes can be found under Settings > Themes from within the Macie console. For each theme identified in this view, a percentage will be shown which indicates how much of your total objects are categorized to that particular theme. In addition to this, it'll also provide a count number of the objects within that theme. More on themes will be discussed in the later lecture Classifying and Protecting Data. 

S3 objects by PII, personally identifiable information. The third metric relating to S3 is split into two sections, S3 objects by PII priority and S3 objects by PII types. S3 objects by PII priority displays the objects that have been classified by Amazon Macie as having PII-related data associated with them, such as names, email addresses, credit card numbers, et cetera. These objects are then split out into different priority levels ranging between none, low, moderate, and high, depending on the quantity of PII data detected. Again, each of these priority classifications also have a percentage showing how much of your total objects are categorized within that PII priority value as well as a total count of objects in that priority. S3 objects by PII types metric displays the PII objects by their type classification. For example, here you can see the type of IPV4 and name where Amazon Macie has detected this data within my S3 objects. Again, the percentage and count values also exist per PII type. 

S3 objects by ACL, access control list. The final metric relating to S3 displays three graphs relating to your access control list. The first graph is S3 objects by ACL URIs, uniform resource identifiers, which is used to define the object's location. This shows how many URIs appear in your S3 access control list that your objects are associated to. The usual percentage and count statistics are also applied. Next we have S3 objects by ACL display names, which simply shows the different ACL display names that are associated to your objects along with the percentage of objects relating to each ACL name and its count of objects. Lastly, S3 objects by ACL permissions. This metric looks at the different level of access control list permissions, such as full control, read, write, et cetera. In this example, we can see that within the current set of ACLs used and associated to objects, the only permission given is full control to all objects. 

High-risk CloudTrail events and associated users. This is the first of the metrics that relate to AWS CloudTrail. Much like the first S3 metric discussed earlier, this also provides a slider representing risk values from one to 10, which will affect the results displayed in two different charts. The first chart relates to the top 20 high-risk CloudTrail events detected in the last 60 days. These are events that have been captured through analysis of CloudTrail logs where Amazon Macie has classified specific API calls at a certain risk level. These APIs are then visualized on the bar chart displayed. The chart has date depicted along the x-axis and the API count on the y-axis. There is also a key provided for API identification, and you can also view this data as either a daily count or weekly. The second chart relates to the different users detected within the CloudTrail logs, and they're presented in the same format as the previous graph, again showing the count, date, and key for easy identification of users. 

High-risk CloudTrail errors and associated users. This focuses on any AWS CloudTrail errors detected, and those are errors resulting from API actions detected in the CloudTrail logs. Similarly to the previous metric, two charts are used again. The first relates to the top 20 high-risk CloudTrail errors detected in the last 60 days, and these errors are then visualized on the bar chart display. The second chart, again represented in the same way, displays the CloudTrail users who made the API calls that resulted in these errors. 

Activity location. This represents a global map showing the locations of activity of actions that Amazon Macie is monitoring and analyzing. The map is interactive, allowing you to zoom in and out and also change the date range from the past 15, 30, or 90 days or the past year. 

CloudTrail events. This metric identifies all of the CloudTrail events that Amazon Macie is monitoring and capturing. As with the other metrics, there is a count, and this count represents the number of user sessions for the API that was recorded. The percentage represents the occurrence of that API in the total list of events. 

Activity ISPs. This metric simply records the ISPs that have been used when actions have been monitored in CloudTrail. 

CloudTrail user identity types. This final metric indicates which user type has been used when calling APIs based on your CloudTrail logs. As you can see from this image, the majority of events recorded have been made by an account that belongs to a service indicated by the AWS Service user type. 

That has now brought me to the end of this lecture covering the AWS dashboard. Coming up next, I will be looking at Amazon Macie users.

About the Author
Learning Paths

Stuart has been working within the IT industry for two decades covering a huge range of topic areas and technologies, from data center and network infrastructure design, to cloud architecture and implementation.

To date, Stuart has created 150+ courses relating to Cloud reaching over 180,000 students, mostly within the AWS category and with a heavy focus on security and compliance.

Stuart is a member of the AWS Community Builders Program for his contributions towards AWS.

He is AWS certified and accredited in addition to being a published author covering topics across the AWS landscape.

In January 2016 Stuart was awarded ‘Expert of the Year Award 2015’ from Experts Exchange for his knowledge share within cloud services to the community.

Stuart enjoys writing about cloud technologies and you will find many of his articles within our blog pages.