Profile Applicability:
Level 1


Description:
This control ensures that Amazon Macie is enabled in all active AWS regions. Amazon Macie is a fully managed data security and privacy service that uses machine learning and pattern matching to automatically discover, classify, and protect sensitive data stored in Amazon S3. It helps detect personally identifiable information (PII), financial records, and other sensitive content, reducing the risk of data leaks and ensuring compliance with privacy regulations.


Rationale:
Enabling Amazon Macie helps organizations continuously monitor and identify sensitive data within S3 buckets. It provides detailed dashboards and alerts when unencrypted or publicly accessible data is detected. This aligns with security best practices and supports compliance with frameworks such as GDPR, HIPAA, SOC 2, and ISO 27001. Without Macie, organizations lack visibility into where sensitive data is stored and how it is protected.


Impact:
Positive Impact:

  • Improves visibility and control over sensitive data in S3.

  • Detects potential data exposure and misconfigurations automatically.

  • Enhances compliance readiness for privacy and data protection frameworks.

Negative Impact:

  • Additional costs incurred based on the volume of data analyzed and the number of S3 objects classified.

Default Value:
By default, Amazon Macie is disabled in all AWS regions. It must be explicitly enabled per region or organization-wide.


Pre-Requisite:

  • IAM permissions required: macie2:EnableMacie, macie2:GetMacieSession, macie2:ListAccounts, and organizations:ListAccounts (for organization-level deployment).

  • AWS Organizations setup (optional, for centralized management).

Test Plan:
Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to Amazon Macie → Dashboard.

  3. If Macie is enabled, you will see the dashboard displaying data classification metrics, findings, and statistics.

  4. If Macie is not enabled, the console will display an option to “Enable Macie.”

  5. Use the region selector at the top-right of the console to check all active AWS regions.

  6. Ensure Macie is enabled in every region that contains active S3 buckets.

Implementation Plan:
Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to Amazon Macie → Dashboard.

  3. Click Enable Macie.

  4. Review and accept any required IAM permissions or service-linked role creation prompts.

  5. (Optional) For multi-account environments:

    • In the Macie administrator account, go to Settings → Accounts.

    • Choose Enable Macie for all member accounts or manually add accounts to be managed under the organization.

  6. Once enabled, configure:

    • S3 bucket coverage to monitor specific or all buckets.

    • Classification jobs to identify PII or other sensitive data types.

  7. (Optional) Integrate Macie findings with Amazon Security Hub or AWS EventBridge for centralized alerting.
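The Test Plan and Implementation Plan above describe the console workflow; the following is an added example (not part of this benchmark text) that performs the same audit with boto3 and, with --fix, the same remediation. It assumes boto3 is installed with credentials holding the macie2 permissions listed under Pre-Requisite plus ec2:DescribeRegions, and relies on the documented behaviour that macie2 GetMacieSession fails with AccessDeniedException in a region where Macie has never been enabled.

```python
"""Audit (and optionally enable) Amazon Macie in every enabled AWS region."""
from typing import Callable, Dict, Iterable, List

# boto3 API calls used: ec2.describe_regions(), macie2.get_macie_session(),
# macie2.enable_macie(), macie2.update_macie_session(). Clients are passed in
# as parameters so the logic can be exercised against stand-ins without AWS.


def macie_status(macie) -> str:
    """Return ENABLED, PAUSED or NOT_ENABLED for one region's macie2 client."""
    try:
        return macie.get_macie_session()["status"]
    except Exception as exc:
        # Assumption: botocore raises ClientError with code AccessDeniedException
        # when Macie is not enabled in the region; anything else is a real error.
        code = getattr(exc, "response", {}).get("Error", {}).get("Code", "")
        if code == "AccessDeniedException":
            return "NOT_ENABLED"
        raise


def audit_regions(regions: Iterable[str],
                  client_for: Callable[[str], object]) -> Dict[str, str]:
    """Map every region name to its Macie status."""
    return {region: macie_status(client_for(region)) for region in regions}


def noncompliant_regions(report: Dict[str, str]) -> List[str]:
    """Regions failing the control: Macie paused or never enabled."""
    return sorted(r for r, status in report.items() if status != "ENABLED")


def remediate(macie, status: str) -> str:
    """Bring one region to ENABLED: enable from scratch, or resume if paused."""
    if status == "NOT_ENABLED":
        macie.enable_macie(status="ENABLED")
    elif status == "PAUSED":
        macie.update_macie_session(status="ENABLED")
    return "ENABLED"


def main(fix: bool = False) -> None:
    import boto3  # imported here so the audit logic above stays testable offline
    # describe_regions() without AllRegions returns only regions enabled for the account
    regions = [r["RegionName"] for r in boto3.client("ec2").describe_regions()["Regions"]]
    clients = {r: boto3.client("macie2", region_name=r) for r in regions}
    report = audit_regions(regions, clients.__getitem__)
    for region in noncompliant_regions(report):
        print(f"FAIL {region}: Macie status {report[region]}")
        if fix:
            print(f"  -> {region}: {remediate(clients[region], report[region])}")


if __name__ == "__main__":
    import sys
    main(fix="--fix" in sys.argv)
```

Run without arguments to audit; run with --fix to enable Macie in each failing region, which maps to step 3 of the Implementation Plan and creates the service-linked role on first use.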

Backout Plan:

  1. To disable Amazon Macie (for testing or cost control):

    • Navigate to Amazon Macie → Settings.

    • Choose Disable Macie.

    • Confirm the action to stop all data classification jobs and disable the dashboard.

  2. Note: Disabling Macie removes its findings and stops data scanning but does not delete the service-linked role.

References:

Suggested Tags: