Ensure that the Amazon Macie service is configured to store data discovery results in an Amazon S3 bucket so that sensitive data within the AWS cloud can be discovered, classified, and protected. Amazon Macie scans your S3 buckets to identify sensitive information, stores the results in a repository bucket, and brings this data to your attention so that you can analyze access patterns and user behavior and prevent data leakage.
This rule resolution is part of the Cloud Conformity solution
To access the sensitive data discovery results generated by Amazon Macie and enable long-term storage and retention of these results, an Amazon S3 bucket must be configured as a data repository within 30 days of enabling Amazon Macie. To follow AWS security best practices, the Amazon S3 bucket configured as a data repository must be encrypted using an AWS KMS key. Once the repository bucket is configured, Macie writes your sensitive data discovery results to JSON Lines (.jsonl) files, which it adds to the S3 bucket as GNU Zip (.gz) files. The configured S3 bucket can then serve as a definitive, long-term repository for all of your Macie data discovery results.
To determine if the Amazon Macie service has been configured to store data discovery results in an S3 bucket (also known as the Macie data repository), perform the following operations:
Remediation / Resolution
To ensure long-term retention of sensitive data discovery results, an Amazon S3 bucket must be configured as a data repository within Amazon Macie. To create and configure the data repository bucket, perform the following operations:
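The check described above (repository bucket configured, encrypted with a KMS key, within 30 days of enabling Macie), as an added example that is not Conformity's own audit code: it evaluates the responses of the Macie2 `GetClassificationExportConfiguration` and `GetMacieSession` API calls. The sample responses are constructed, and the exact shape of an unconfigured response (empty `configuration`) is an assumption.

```python
"""Audit the Amazon Macie sensitive data discovery repository (added example, not Conformity's code)."""
from datetime import datetime, timedelta, timezone

# A repository must be configured within 30 days of enabling Macie.
REPOSITORY_DEADLINE = timedelta(days=30)


def evaluate_repository(export_config, session, now=None):
    """Return (status, notes) for one account/region.

    export_config: response of macie2 GetClassificationExportConfiguration
    session:       response of macie2 GetMacieSession (createdAt = when Macie was enabled)
    """
    now = now or datetime.now(timezone.utc)
    notes = []
    # Assumption: an unconfigured repository yields an empty or missing s3Destination.
    dest = (export_config.get("configuration") or {}).get("s3Destination") or {}
    if not dest.get("bucketName"):
        notes.append("no S3 repository bucket configured")
        enabled_at = session.get("createdAt")
        if enabled_at is not None:
            remaining = REPOSITORY_DEADLINE - (now - enabled_at)
            if remaining.total_seconds() > 0:
                notes.append(f"{remaining.days} day(s) left in the 30-day configuration window")
            else:
                notes.append("30-day window since enabling Macie has already passed")
        return "NON_COMPLIANT", notes
    if not dest.get("kmsKeyArn"):
        notes.append(f"bucket {dest['bucketName']} is not encrypted with an AWS KMS key")
        return "NON_COMPLIANT", notes
    notes.append(f"results stored in s3://{dest['bucketName']}/{dest.get('keyPrefix', '')} "
                 f"with KMS key {dest['kmsKeyArn']}")
    return "COMPLIANT", notes


# Constructed sample responses (not real account data) in the shape the Macie2 API returns.
SAMPLE_OK = {"configuration": {"s3Destination": {
    "bucketName": "example-macie-results", "keyPrefix": "macie/",
    "kmsKeyArn": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"}}}
SAMPLE_MISSING = {"configuration": {}}
SAMPLE_SESSION = {"status": "ENABLED", "createdAt": datetime(2024, 1, 1, tzinfo=timezone.utc)}
SAMPLE_NOW_DAY10 = datetime(2024, 1, 11, tzinfo=timezone.utc)   # 10 days after enabling
SAMPLE_NOW_LATE = datetime(2024, 3, 1, tzinfo=timezone.utc)     # well past the 30-day window

if __name__ == "__main__":
    import boto3  # live check; needs AWS credentials allowed to call macie2 Get* operations
    macie = boto3.client("macie2")
    status, notes = evaluate_repository(macie.get_classification_export_configuration(),
                                        macie.get_macie_session())
    print(status, *notes, sep="\n  ")
```

A non-compliant result is remediated with the `PutClassificationExportConfiguration` API (`aws macie2 put-classification-export-configuration`), supplying the bucket name and the KMS key ARN for the `s3Destination`.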
- AWS Documentation
- What Is Amazon Macie Classic?
- Concepts and Terminology
- Getting started with Amazon Macie
- Storing and retaining sensitive data discovery results with Amazon Macie
Amazon Macie Sensitive Data Repository
Risk level: Medium