Amazon Macie

ML-powered discovery of sensitive data in S3.

📖 Official AWS documentation ↗📰 Official AWS blog ↗

What is it?

A data-security service that continuously inventories S3 and uses machine learning plus pattern matching to find sensitive data — PII, credentials, financial records — and flag risky bucket configurations.

💡 Why does it exist?

You cannot protect (or lawfully train on) data you do not know you have. Before a dataset feeds a model or a RAG index, you need to know whether personal data is hiding inside it.

⏱️ When should you use it?

Run it before using S3 data for training/RAG, for continuous compliance monitoring (GDPR/HIPAA-adjacent), and after data migrations into the lake.

🗺️ Where does it fit?

Watching the storage layer: findings publish to EventBridge and Security Hub, where they can trigger remediation (quarantine, redaction with Comprehend) before pipelines consume the data.

🔌 How do you integrate it?

Enable Macie, run automated discovery or targeted jobs on buckets/prefixes, review findings by severity, and automate responses via EventBridge rules.

🧩 Commonly integrated with

Amazon S3Amazon EventBridgeAWS Security HubAWS KMS

🎯 Exam angle (AIF-C01)

📚 Study it in a learning path

SCS-C03Security Engineering on AWSFlashcards, notes & quizzes covering this service →AIF-C01AWS AI PractitionerFlashcards, notes & quizzes covering this service →

More in Security & Governance

AWS IAMAWS KMSAWS CloudTrailAmazon CloudWatch