Amazon Macie
ML-powered discovery of sensitive data in S3.
❓ What is it?
A data-security service that continuously inventories S3 and uses machine learning plus pattern matching to find sensitive data — PII, credentials, financial records — and flag risky bucket configurations.
💡 Why does it exist?
You cannot protect (or lawfully train on) data you do not know you have. Before a dataset feeds a model or a RAG index, you need to know whether personal data is hiding inside it.
⏱️ When should you use it?
Run it before using S3 data for training/RAG, for continuous compliance monitoring (GDPR/HIPAA-adjacent), and after data migrations into the lake.
🗺️ Where does it fit?
Watching the storage layer: findings publish to EventBridge and Security Hub, where they can trigger remediation (quarantine, redaction with Comprehend) before pipelines consume the data.
🔌 How do you integrate it?
Enable Macie, run automated discovery or targeted jobs on buckets/prefixes, review findings by severity, and automate responses via EventBridge rules.
🧩 Commonly integrated with
🎯 Exam angle (AIF-C01)
- "Discover PII/sensitive data in S3" → Macie. Comprehend DETECTS PII in text you pass it; Macie SCANS storage at scale.
- It is the pre-training data-governance answer for datasets of unknown provenance.