Enable Macie Automated Sensitive Data Discovery
Overview
This check verifies that Amazon Macie's automated sensitive data discovery feature is enabled for your AWS account. This feature continuously scans your S3 buckets to identify and classify sensitive data such as personally identifiable information (PII), financial data, and credentials.
Risk
Without automated sensitive data discovery:
- Sensitive data in S3 buckets may go undetected and unclassified
- Publicly accessible or overly permissive data can persist without your knowledge
- Data breaches may occur without timely detection
- Compliance with regulations like PCI-DSS and KISA-ISMS-P may be compromised
- Forensic investigation efforts are hindered when incidents occur
Remediation Steps
Prerequisites
- AWS account access with permissions to manage Amazon Macie
- Macie enabled in your account (if it is not, you enable it as part of these steps)
AWS Console Method
- Open the Amazon Macie console
- Ensure you are in the us-east-1 region (or your target region) using the region selector in the top-right corner
- If Macie is not yet enabled, click Get started and then Enable Macie
- In the left navigation pane, click Settings
- Click Automated sensitive data discovery
- Under Status, click Edit
- Select Enable (if prompted, select "My account" for a standalone account)
- Click Save
For AWS Organizations: If you are the Macie administrator, you can also configure whether new member accounts automatically have automated discovery enabled.
AWS CLI Method
Check current status:
```bash
aws macie2 get-automated-discovery-configuration \
  --region us-east-1
```
Enable automated sensitive data discovery:
```bash
aws macie2 update-automated-discovery-configuration \
  --status ENABLED \
  --region us-east-1
```
For AWS Organizations (administrator account):
To automatically enable for all member accounts:
```bash
aws macie2 update-automated-discovery-configuration \
  --status ENABLED \
  --auto-enable-organization-members ALL \
  --region us-east-1
```
Available options for --auto-enable-organization-members:
- ALL - Enable for all existing and new member accounts
- NEW - Enable only for new member accounts
- NONE - Do not automatically enable for any accounts
CloudFormation / Terraform Notes
Important: As of the current AWS CloudFormation and Terraform provider versions, automated sensitive data discovery cannot be configured directly through infrastructure-as-code resources.
CloudFormation: The AWS::Macie::Session resource enables Macie but does not expose a property for automated discovery configuration. The AutomatedDiscoveryStatus is a read-only attribute.
Terraform: The aws_macie2_account resource supports finding_publishing_frequency and status but does not have an argument for automated discovery.
Workaround: Use a post-deployment script or AWS Lambda custom resource to call the UpdateAutomatedDiscoveryConfiguration API after Macie is enabled.
Example Terraform with a null_resource provisioner:
```hcl
resource "aws_macie2_account" "main" {
  finding_publishing_frequency = "FIFTEEN_MINUTES"
  status                       = "ENABLED"
}

resource "null_resource" "enable_automated_discovery" {
  depends_on = [aws_macie2_account.main]

  provisioner "local-exec" {
    command = <<-EOT
      aws macie2 update-automated-discovery-configuration \
        --status ENABLED \
        --region us-east-1
    EOT
  }
}
```
Note: This approach requires the AWS CLI to be available in your deployment environment with appropriate credentials.
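The Lambda custom resource alternative mentioned above, as an added example that is not code from this page or from Prowler. It assumes the standard CloudFormation custom resource event shape (RequestType, ResourceProperties, ResponseURL, StackId, RequestId, LogicalResourceId) and boto3's macie2 `update_automated_discovery_configuration` call; the `Status`, `AutoEnableOrganizationMembers` and `DisableOnDelete` resource properties are names chosen for this example. The client is injected so the handler can be exercised against a constructed fake without AWS credentials.

```python
"""CloudFormation custom resource handler (added example) that calls
UpdateAutomatedDiscoveryConfiguration once Macie is enabled. Place it in a
Lambda function and give the custom resource a DependsOn for the
AWS::Macie::Session resource so Macie exists before the call is made."""
import json
import logging
import urllib.request

LOG = logging.getLogger(__name__)
VALID_STATUS = {"ENABLED", "DISABLED"}
VALID_AUTO_ENABLE = {"ALL", "NEW", "NONE"}


def apply_configuration(client, props, request_type):
    """Translate the request into one update call; return the kwargs used,
    or None when the request changes nothing."""
    if request_type == "Delete":
        # Assumption for this example: deleting the stack leaves discovery
        # enabled unless the template explicitly sets DisableOnDelete=true.
        if str(props.get("DisableOnDelete", "false")).lower() != "true":
            return None
        kwargs = {"status": "DISABLED"}
    else:
        status = props.get("Status", "ENABLED")
        if status not in VALID_STATUS:
            raise ValueError(f"Status must be one of {sorted(VALID_STATUS)}, got {status!r}")
        kwargs = {"status": status}
        mode = props.get("AutoEnableOrganizationMembers")  # only meaningful for the org admin
        if mode is not None:
            if mode not in VALID_AUTO_ENABLE:
                raise ValueError(f"AutoEnableOrganizationMembers must be one of {sorted(VALID_AUTO_ENABLE)}")
            kwargs["autoEnableOrganizationMembers"] = mode
    client.update_automated_discovery_configuration(**kwargs)
    return kwargs


def build_response(event, success, reason="", data=None):
    """Body CloudFormation expects at the pre-signed ResponseURL."""
    return {
        "Status": "SUCCESS" if success else "FAILED",
        "Reason": reason or "See the Lambda log stream for details",
        "PhysicalResourceId": event.get("PhysicalResourceId", "macie-automated-discovery"),
        "StackId": event["StackId"],
        "RequestId": event["RequestId"],
        "LogicalResourceId": event["LogicalResourceId"],
        "Data": data or {},
    }


def send_response(url, body):
    """PUT the response to CloudFormation; an empty Content-Type is required."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(), method="PUT",
                                 headers={"Content-Type": ""})
    with urllib.request.urlopen(req) as resp:
        return resp.status


def handler(event, context=None, client=None, send=send_response):
    """Lambda entry point. Always answers CloudFormation, even on failure,
    so a broken call does not leave the stack waiting for an hour."""
    if client is None:
        import boto3  # only imported inside Lambda; tests inject a fake client
        client = boto3.client("macie2")
    try:
        applied = apply_configuration(client, event.get("ResourceProperties", {}),
                                      event["RequestType"])
        body = build_response(event, True, data={"Applied": json.dumps(applied)})
    except Exception as exc:  # report any failure back to CloudFormation
        LOG.exception("automated discovery update failed")
        body = build_response(event, False, reason=str(exc))
    send(event["ResponseURL"], body)
    return body


class FakeMacieClient:
    """Constructed stand-in for boto3's macie2 client: records calls instead of calling AWS."""
    def __init__(self):
        self.calls = []

    def update_automated_discovery_configuration(self, **kwargs):
        self.calls.append(kwargs)
        return {}


def sample_event(request_type="Create", props=None):
    """Constructed custom resource event with placeholder identifiers."""
    return {
        "RequestType": request_type,
        "ResponseURL": "https://cloudformation-custom-resource-response.example/placeholder",
        "StackId": "arn:aws:cloudformation:us-east-1:123456789012:stack/example/placeholder",
        "RequestId": "request-placeholder",
        "LogicalResourceId": "MacieAutomatedDiscovery",
        "ResourceProperties": {"ServiceToken": "arn:placeholder", **(props or {})},
    }


def demo(request_type="Create", props=None):
    """Run the handler against the fake client; returns (recorded calls, response body)."""
    client = FakeMacieClient()
    body = handler(sample_event(request_type, props), client=client, send=lambda url, b: 200)
    return client.calls, body
```

Deploy the function with a role that allows `macie2:UpdateAutomatedDiscoveryConfiguration` and reference it from a `Custom::MacieAutomatedDiscovery` resource whose `ServiceToken` is the function ARN. Because Macie is regional, one custom resource (and one Lambda invocation) is needed per region you enable.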
Verification
After enabling automated sensitive data discovery:
- Return to the Macie console > Settings > Automated sensitive data discovery
- Confirm the Status shows Enabled
- Wait 24-48 hours for initial discovery results to appear in the S3 buckets and Findings sections
CLI Verification
```bash
aws macie2 get-automated-discovery-configuration \
  --region us-east-1 \
  --query 'status' \
  --output text
```
Expected output: ENABLED
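The same verification expressed as check logic, as an added example (not code from this page or from Prowler) that evaluates the JSON returned by `aws macie2 get-automated-discovery-configuration` for several regions at once. It assumes the response carries a top-level `status` of ENABLED/DISABLED and, for an organization administrator, `autoEnableOrganizationMembers` of ALL/NEW/NONE; the sample payloads, region list and error text are constructed. The organization rule (anything but ALL fails) is this example's policy, not a statement from the page.

```python
"""Added example: evaluate Macie automated sensitive data discovery status
from the API response, one region at a time, the way a compliance check would."""
import json
from dataclasses import dataclass


@dataclass
class Finding:
    region: str
    result: str   # "PASS" or "FAIL"
    message: str


def evaluate_response(region, response, org_admin=False):
    """Apply the check to one region's decoded response (shape assumed, see above)."""
    status = response.get("status", "DISABLED")
    if status != "ENABLED":
        return Finding(region, "FAIL",
                       f"Macie automated sensitive data discovery is {status} in {region}.")
    if org_admin:
        # Example policy: an administrator should enrol every existing and future
        # member account, so any mode other than ALL is reported as a failure.
        mode = response.get("autoEnableOrganizationMembers", "NONE")
        if mode != "ALL":
            return Finding(region, "FAIL",
                           f"Automated discovery is enabled in {region}, but member "
                           f"accounts are not auto-enabled (mode is {mode}).")
    return Finding(region, "PASS",
                   f"Macie automated sensitive data discovery is enabled in {region}.")


def evaluate_cli_output(region, raw, org_admin=False):
    """Parse the CLI's text before evaluating. A non-JSON payload means the command
    failed (for example because Macie itself is not enabled in that region), which
    is reported as a failed check rather than crashing the run."""
    try:
        response = json.loads(raw)
    except json.JSONDecodeError:
        return Finding(region, "FAIL",
                       f"Could not read automated discovery configuration in {region}: "
                       f"{raw.strip()[:80]}")
    return evaluate_response(region, response, org_admin)


# Constructed sample CLI outputs, one per region; the third approximates the error
# text the CLI prints when Macie is not enabled (not copied from a real session).
SAMPLE_OUTPUTS = {
    "us-east-1": '{"status": "ENABLED", "autoEnableOrganizationMembers": "ALL", '
                 '"classificationScopeId": "scope-placeholder"}',
    "eu-west-1": '{"status": "DISABLED", "autoEnableOrganizationMembers": "NONE"}',
    "ap-northeast-2": "An error occurred (AccessDeniedException) when calling the "
                      "GetAutomatedDiscoveryConfiguration operation: Macie is not enabled",
}


def run_check(outputs=SAMPLE_OUTPUTS, org_admin=False):
    """Evaluate every region and return the findings with failures listed first."""
    findings = [evaluate_cli_output(region, raw, org_admin) for region, raw in outputs.items()]
    return sorted(findings, key=lambda f: f.result != "FAIL")


if __name__ == "__main__":
    for finding in run_check(org_admin=True):
        print(f"[{finding.result}] {finding.message}")
```

To use it against a live account, feed `run_check` a dictionary built by running the CLI command above once per region (with `--output json` and without the `--query`), so every region where Macie is disabled or not yet enabled shows up as a failure rather than being silently skipped.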
Additional Resources
- Amazon Macie User Guide - Automated sensitive data discovery
- Configuring automated sensitive data discovery
- Amazon Macie pricing (automated discovery has associated costs)
- Prowler Check Documentation
Notes
- Cost consideration: Automated sensitive data discovery incurs charges based on the amount of data analyzed. Review Macie pricing before enabling.
- Regional service: Macie operates on a per-region basis. You must enable automated discovery in each region where you want to monitor S3 buckets.
- Discovery scope: By default, automated discovery analyzes all S3 buckets in the region. You can configure classification scopes and sensitivity inspection templates to fine-tune what data is analyzed.
- Initial results: It may take 24-48 hours after enabling for the first discovery results to appear.
- Organizations: If using AWS Organizations, the delegated Macie administrator can manage automated discovery settings for all member accounts centrally.