
Amazon Macie is Enabled

Overview

Amazon Macie is a security service that uses machine learning to automatically discover, classify, and protect sensitive data stored in Amazon S3. This check verifies that Macie is enabled and actively running in your AWS regions where S3 buckets exist.

Think of Macie as a watchdog for your S3 data. It continuously scans your buckets to find sensitive information like personally identifiable information (PII), financial data, or credentials that may have been accidentally uploaded.

Risk

If Macie is not enabled:

  • Sensitive data goes undetected: Credit card numbers, social security numbers, API keys, and other sensitive data in your S3 buckets remain unclassified and potentially exposed.
  • Misconfigurations are missed: Public buckets or overly permissive access policies may go unnoticed.
  • Compliance gaps: Without automated data discovery, meeting regulatory requirements (GDPR, HIPAA, PCI-DSS) becomes much harder.
  • Data exfiltration risk: Attackers who gain access to your environment can more easily find and steal valuable data.

Severity: Medium

Remediation Steps

Prerequisites

You need:

  • AWS Console access with permissions to enable Macie (typically macie2:EnableMacie)
  • Access to each AWS region where you have S3 buckets

Required IAM permissions

To enable Macie, your IAM user or role needs at minimum:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "macie2:EnableMacie",
        "macie2:GetMacieSession",
        "iam:CreateServiceLinkedRole"
      ],
      "Resource": "*"
    }
  ]
}

The iam:CreateServiceLinkedRole permission is needed because Macie creates a service-linked role on first enablement.

AWS Console Method

  1. Sign in to the AWS Management Console.

  2. Make sure you are in the us-east-1 region (or your target region). You can check this in the top-right corner of the console.

  3. In the search bar at the top, type Macie and select Amazon Macie from the results.

  4. You will see one of the following:

    • "Get started" button: Macie has never been enabled. Click Get started, then click Enable Macie.
    • "Resume" button: Macie was previously suspended. Click Resume Macie to reactivate it.
    • Dashboard view: Macie is already enabled and running.
  5. Repeat for each region where you have S3 buckets. Use the region selector in the top-right corner to switch regions.

Note: Macie is a regional service. You must enable it separately in each region where you want to monitor S3 data.

AWS CLI (optional)

Enable Macie via CLI

To enable Macie in us-east-1:

aws macie2 enable-macie --region us-east-1

To enable Macie with a custom finding publishing frequency (how often findings are sent to Security Hub and EventBridge):

aws macie2 enable-macie \
  --region us-east-1 \
  --finding-publishing-frequency FIFTEEN_MINUTES

Available frequencies: FIFTEEN_MINUTES, ONE_HOUR, SIX_HOURS

Resume a suspended Macie session

If Macie was previously suspended (paused), a Macie session already exists, so you update its status rather than enabling it again:

# A paused session is resumed with update-macie-session; enable-macie is only for
# accounts where Macie has never been enabled.
aws macie2 update-macie-session \
  --region us-east-1 \
  --status ENABLED

Enable Macie in multiple regions

To enable Macie across all regions where you have S3 buckets:

# List of regions to enable (customize as needed)
REGIONS="us-east-1 us-west-2 eu-west-1"

for region in $REGIONS; do
  echo "Enabling Macie in $region..."
  aws macie2 enable-macie --region "$region" 2>&1
done

CloudFormation (optional)

CloudFormation Template

This template enables Amazon Macie for the account in the region where the stack is deployed.

AWSTemplateFormatVersion: '2010-09-09'
Description: Enable Amazon Macie for the AWS account

Resources:
  MacieSession:
    Type: AWS::Macie::Session
    Properties:
      FindingPublishingFrequency: FIFTEEN_MINUTES
      Status: ENABLED

Outputs:
  MacieStatus:
    Description: Status of Amazon Macie
    # Read the real status back from the created session instead of a hard-coded literal
    Value: !GetAtt MacieSession.Status

Deploying the template

Save the template as macie-enable.yaml and deploy:

aws cloudformation create-stack \
  --stack-name enable-macie \
  --template-body file://macie-enable.yaml \
  --region us-east-1

Multi-region deployment with StackSets

To enable Macie across multiple regions, use CloudFormation StackSets:

# Create a StackSet
aws cloudformation create-stack-set \
  --stack-set-name enable-macie-all-regions \
  --template-body file://macie-enable.yaml \
  --permission-model SELF_MANAGED

# Deploy to multiple regions
aws cloudformation create-stack-instances \
  --stack-set-name enable-macie-all-regions \
  --accounts <your-account-id> \
  --regions us-east-1 us-west-2 eu-west-1

Terraform (optional)

Terraform Configuration

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 4.0"
    }
  }
}

provider "aws" {
  region = "us-east-1"
}

resource "aws_macie2_account" "main" {
  finding_publishing_frequency = "FIFTEEN_MINUTES"
  status                       = "ENABLED"
}

Applying the configuration

terraform init
terraform plan
terraform apply

Multi-region deployment

To enable Macie in multiple regions, use provider aliases:

provider "aws" {
  alias  = "us_east_1"
  region = "us-east-1"
}

provider "aws" {
  alias  = "us_west_2"
  region = "us-west-2"
}

provider "aws" {
  alias  = "eu_west_1"
  region = "eu-west-1"
}

resource "aws_macie2_account" "us_east_1" {
  provider                     = aws.us_east_1
  finding_publishing_frequency = "FIFTEEN_MINUTES"
  status                       = "ENABLED"
}

resource "aws_macie2_account" "us_west_2" {
  provider                     = aws.us_west_2
  finding_publishing_frequency = "FIFTEEN_MINUTES"
  status                       = "ENABLED"
}

resource "aws_macie2_account" "eu_west_1" {
  provider                     = aws.eu_west_1
  finding_publishing_frequency = "FIFTEEN_MINUTES"
  status                       = "ENABLED"
}

Verification

After enabling Macie, verify it is running:

  1. Go to the Amazon Macie console.
  2. You should see the Macie dashboard with a Summary section showing the account status as Enabled.
  3. Check that no banner appears saying Macie is suspended or paused.

CLI verification

aws macie2 get-macie-session --region us-east-1

Expected output for an enabled account:

{
  "createdAt": "2024-01-15T10:30:00Z",
  "findingPublishingFrequency": "FIFTEEN_MINUTES",
  "serviceRole": "arn:aws:iam::123456789012:role/aws-service-role/macie.amazonaws.com/AWSServiceRoleForAmazonMacie",
  "status": "ENABLED",
  "updatedAt": "2024-01-15T10:30:00Z"
}

If status shows PAUSED, Macie needs to be resumed.

Check all regions

# get-macie-session fails in regions where Macie was never enabled; report those as NOT_ENABLED
for region in $(aws ec2 describe-regions --query 'Regions[].RegionName' --output text); do
  status=$(aws macie2 get-macie-session --region "$region" --query 'status' --output text 2>/dev/null || echo "NOT_ENABLED")
  echo "$region: $status"
done
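The check itself, scoped to regions that actually contain S3 buckets, as an added Python example that is not part of this page: it takes the per-region get-macie-session output you collect (for example with the loop above), maps ENABLED, PAUSED and "never enabled" to a verdict and the matching remediation command, and runs offline on constructed sample data.

```python
import json


def evaluate_region(region, session_json):
    """Classify one region from the stdout of
    `aws macie2 get-macie-session --region <region>`.

    session_json is that stdout as a string, or None when the call failed,
    which is what happens in a region where Macie was never enabled.
    Returns a verdict plus the remediation command for a failing region.
    """
    if session_json is None:
        return {"region": region, "status": "NOT_ENABLED", "verdict": "FAIL",
                "remediation": f"aws macie2 enable-macie --region {region}"}
    status = json.loads(session_json).get("status")
    if status == "ENABLED":
        return {"region": region, "status": status, "verdict": "PASS",
                "remediation": None}
    if status == "PAUSED":
        # A paused session already exists, so it is resumed, not re-enabled.
        return {"region": region, "status": status, "verdict": "FAIL",
                "remediation": f"aws macie2 update-macie-session "
                               f"--region {region} --status ENABLED"}
    # Any other value is unexpected; treat it as failing and start from scratch.
    return {"region": region, "status": status or "UNKNOWN", "verdict": "FAIL",
            "remediation": f"aws macie2 enable-macie --region {region}"}


def evaluate_account(bucket_regions, session_outputs):
    """Apply the check only to regions that hold S3 buckets.

    bucket_regions maps bucket name -> region (the bucket LocationConstraint);
    session_outputs maps region -> get-macie-session stdout, or None on failure.
    """
    return [evaluate_region(r, session_outputs.get(r))
            for r in sorted(set(bucket_regions.values()))]


def failing_regions(results):
    return [r["region"] for r in results if r["verdict"] == "FAIL"]


# Constructed sample data (not real account output): buckets in three regions;
# Macie enabled in one, paused in one, never enabled in the third.
SAMPLE_BUCKET_REGIONS = {"prod-logs": "us-east-1", "eu-backups": "eu-west-1",
                         "old-archive": "us-west-2"}
SAMPLE_SESSIONS = {
    "us-east-1": json.dumps({"status": "ENABLED",
                             "findingPublishingFrequency": "FIFTEEN_MINUTES"}),
    "eu-west-1": json.dumps({"status": "PAUSED",
                             "findingPublishingFrequency": "ONE_HOUR"}),
    "us-west-2": None,  # get-macie-session failed: Macie never enabled here
}

if __name__ == "__main__":
    for r in evaluate_account(SAMPLE_BUCKET_REGIONS, SAMPLE_SESSIONS):
        fix = f"  (fix: {r['remediation']})" if r["remediation"] else ""
        print(f"{r['region']}: {r['status']} -> {r['verdict']}{fix}")
```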

Additional Resources

Notes

  • Pricing: Macie has costs based on the volume of S3 objects scanned and sensitive data discovery jobs. Review the pricing page before enabling at scale.

  • Regional service: Macie must be enabled separately in each AWS region. It only monitors S3 buckets in the region where it is enabled.

  • Service-linked role: When you enable Macie for the first time, AWS automatically creates a service-linked role (AWSServiceRoleForAmazonMacie) that grants Macie the permissions it needs.

  • Organization deployment: If you use AWS Organizations, you can enable Macie centrally using a delegated administrator account. This simplifies management across multiple accounts.

  • 30-day free trial: New Macie accounts get a 30-day free trial for S3 bucket inventory and evaluation of bucket-level security.