AWS Enhances ML-Powered 'Macie' Data Security, Privacy Service

Amazon Web Services (AWS) has enhanced its Macie machine learning-powered security and privacy service with several new features, including updated ML models for more accurate detection of Personally Identifiable Information (PII), support for customer-defined data types, and native multi-account management with the AWS Organizations tool.

"Over time, Macie customers told us what they liked, and what they didn't," said AWS Chief Evangelist Danilo Poccia, in a blog post. "The service team has worked hard to address this feedback."

With this release, AWS also implemented a new tiered pricing model for Macie. "Virtually every customer we talk to says they can benefit from having more complete visibility into their sensitive data," said Dan Plastina, VP for External Security Services at AWS, in a statement, "but it's currently expensive and time-consuming to discover and catalog this information on their own. Customers have consistently told us that Amazon Macie solves this challenge much better than other tools, but that it needed to be more cost-effective to use at the scale they wanted. Today's launch culminates a year of rearchitecting work to make Macie 80% to over 90% less expensive, giving far more customers around the world the ability to use Macie to protect their sensitive data at scale and effectively meet compliance requirements like GDPR."

The latest version of Macie also comes with full API coverage for programmatic use of the service through the AWS SDKs and the AWS Command Line Interface (CLI), as well as improved integration between Amazon S3 and Macie. This improved integration provides two key benefits, according to AWS:

  • Enabling S3 data events in AWS CloudTrail is no longer a requirement, further reducing overall costs.
  • There is now a continual evaluation of all buckets, issuing security findings for any public bucket, unencrypted buckets, and for buckets shared with (or replicated to) an AWS account outside of your Organization.

Though Macie was designed to scan Amazon S3 data, Poccia pointed out that users can easily extend Macie's coverage to non-S3 data simply by temporarily storing that data in S3 for Macie to access.

"[A]nything you can get into S3, permanently or temporarily, in an object format supported by Macie, can be scanned for sensitive data," he said. "This allows you to expand the coverage to data residing outside of S3 by pulling data out of custom applications, databases, and third-party services, temporarily placing it in S3, and using Amazon Macie to identify sensitive data."
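The stage, scan and clean-up workflow Poccia describes, as an added Python example that is not AWS's or the article's code. The functions take client objects as arguments; with real boto3 `s3` and `macie2` clients the method names used are the documented ones, while `FakeAws` is a constructed in-memory stand-in so the block runs offline, and the bucket name, account id and staging prefix are assumed values.

```python
import uuid
STAGING_PREFIX = "macie-staging/"  # assumed key prefix for temporarily staged data

def stage_object(s3, bucket, name, data):
    """Copy data living outside S3 (e.g. a database export) into the staging prefix, encrypted."""
    key = STAGING_PREFIX + name
    s3.put_object(Bucket=bucket, Key=key, Body=data, ServerSideEncryption="AES256")
    return key

def start_staged_scan(macie, account_id, bucket, job_name):
    """One-time Macie job scoped to the staging prefix, so the rest of the bucket is not rescanned."""
    resp = macie.create_classification_job(
        clientToken=str(uuid.uuid4()),  # idempotency token required by the API
        jobType="ONE_TIME",
        name=job_name,
        s3JobDefinition={
            "bucketDefinitions": [{"accountId": account_id, "buckets": [bucket]}],
            "scoping": {"includes": {"and": [{"simpleScopeTerm": {
                "comparator": "STARTS_WITH", "key": "OBJECT_KEY", "values": [STAGING_PREFIX]}}]}}},
    )
    return resp["jobId"]

def cleanup_if_complete(macie, s3, job_id, bucket, keys):
    """Delete the staged copies only once the job has finished; True if cleaned up."""
    if macie.describe_classification_job(jobId=job_id)["jobStatus"] != "COMPLETE":
        return False
    for key in keys:
        s3.delete_object(Bucket=bucket, Key=key)
    return True

class FakeAws:  # constructed in-memory stand-in for the s3 and macie2 clients (offline only)
    def __init__(self):
        self.objects, self.jobs = {}, {}
    def put_object(self, Bucket, Key, Body, **kwargs):
        self.objects[(Bucket, Key)] = Body
    def delete_object(self, Bucket, Key):
        self.objects.pop((Bucket, Key), None)
    def create_classification_job(self, **job):
        job_id = f"job-{len(self.jobs) + 1}"
        self.jobs[job_id] = {"jobStatus": "COMPLETE", **job}  # fake jobs finish instantly
        return {"jobId": job_id}
    def describe_classification_job(self, jobId):
        return self.jobs[jobId]

def demo(aws):
    bucket, account = "example-staging-bucket", "123456789012"  # constructed values
    key = stage_object(aws, bucket, "customers.csv", b"name,email\nA,a@example.com\n")
    job_id = start_staged_scan(aws, account, bucket, "staged-db-export-scan")
    cleaned = cleanup_if_complete(aws, aws, job_id, bucket, [key])
    return job_id, cleaned, (bucket, key) in aws.objects  # (job id, cleaned, still staged?)
```

Run `demo(FakeAws())` to walk the whole cycle offline; with real clients, pass the `s3` and `macie2` boto3 clients separately and poll `cleanup_if_complete` until it returns True.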

Macie was first launched in the fall of 2017 amid a spate of data security incidents in which millions of users' sensitive information was exposed due to misconfigured Amazon S3 buckets. The service uses machine learning to identify sensitive data stored in S3, its level of security, and normal user behaviors related to accessing that data. It then flags irregular behaviors as potential security breaches.

About the Author

Gladys Rama (@GladysRama3) is the editorial director of Converge360.