What is Personally Identifiable Information (PII) and Why Should it be Monitored?
PII is information or data that can be used to identify an individual such as birthdays, emails, credit card numbers, addresses, and names.
PII should be monitored to maintain data compliance. When you provide a product that may handle personally identifiable information, meeting certain compliance standards can require a monitoring solution that catches potentially sensitive data stored in your cloud environment. If your solution stores large amounts of data, scanning it manually is labor intensive, and an automated solution that aggregates the relevant findings becomes a necessity.
How to Identify PII Within Your AWS Account’s Data
Macie is a security service that can scan for sensitive data by using machine learning and can enable automated protection against those findings.
Macie specifically scans S3 buckets for this sensitive information. For each bucket it also reports whether the bucket is encrypted, whether public access is enabled, and whether object-level access is enabled. With Amazon Macie, you can create jobs that scan individual buckets or groups of buckets, either as a one-time job or on a daily, weekly, or monthly schedule.
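The bucket-level facts Macie reports (encryption, public access) are most useful when turned into a short list of buckets that need attention. The following is an added example, not code from the original article or from AWS: it triages a constructed sample shaped like the `buckets` list returned by the Macie2 `DescribeBuckets` API (the field names `bucketName`, `publicAccess.effectivePermission` and `serverSideEncryption.type` are assumed from that API), and includes a small helper that pulls the real inventory with boto3 when run against an account where Macie is enabled.

```python
"""Triage Amazon Macie's S3 bucket inventory for public or unencrypted buckets.

Added example (not the article's or AWS's own code). Field names follow the
Macie2 DescribeBuckets response as assumed in the lead-in; SAMPLE_BUCKETS is a
constructed sample, not real account data.
"""
from typing import Dict, Iterable, List

# Constructed sample resembling three entries of the DescribeBuckets "buckets" list.
SAMPLE_BUCKETS: List[Dict] = [
    {
        "bucketName": "example-public-logs",
        "publicAccess": {"effectivePermission": "PUBLIC"},
        "serverSideEncryption": {"type": "NONE"},
    },
    {
        "bucketName": "example-private-kms",
        "publicAccess": {"effectivePermission": "NOT_PUBLIC"},
        "serverSideEncryption": {"type": "aws:kms"},
    },
    {
        "bucketName": "example-private-unencrypted",
        "publicAccess": {"effectivePermission": "NOT_PUBLIC"},
        "serverSideEncryption": {"type": "NONE"},
    },
]


def bucket_issues(bucket: Dict) -> List[str]:
    """Return the posture problems Macie's inventory reveals for one bucket."""
    issues: List[str] = []
    permission = bucket.get("publicAccess", {}).get("effectivePermission", "UNKNOWN")
    if permission == "PUBLIC":
        issues.append("publicly accessible")
    elif permission == "UNKNOWN":
        # Macie could not evaluate the bucket policy/ACLs; treat as needing review.
        issues.append("public access could not be determined")
    encryption = bucket.get("serverSideEncryption", {}).get("type", "NONE")
    if encryption == "NONE":
        issues.append("no default server-side encryption")
    return issues


def triage(buckets: Iterable[Dict]) -> Dict[str, List[str]]:
    """Map bucket name -> issue list, keeping only buckets that have at least one issue."""
    report: Dict[str, List[str]] = {}
    for bucket in buckets:
        issues = bucket_issues(bucket)
        if issues:
            report[bucket["bucketName"]] = issues
    return report


def fetch_bucket_inventory(region: str = "us-east-1") -> List[Dict]:
    """Pull the live inventory from Macie (requires boto3, credentials and Macie enabled).

    boto3 is imported lazily so the triage logic above stays usable offline.
    """
    import boto3  # assumption: boto3 is installed where this is run for real

    client = boto3.client("macie2", region_name=region)
    buckets: List[Dict] = []
    token = None
    while True:
        kwargs = {"nextToken": token} if token else {}
        page = client.describe_buckets(**kwargs)
        buckets.extend(page.get("buckets", []))
        token = page.get("nextToken")
        if not token:
            return buckets


if __name__ == "__main__":
    # Run on the constructed sample; swap in fetch_bucket_inventory() for a real account.
    for name, issues in triage(SAMPLE_BUCKETS).items():
        print(f"{name}: {', '.join(issues)}")
```

A bucket with `UNKNOWN` effective permission is deliberately flagged rather than ignored, since Macie could not evaluate it and a reviewer should look at the bucket policy directly.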
Sampling Depth and How Amazon Macie Allows You to Configure it
Sampling depth is the percentage of the objects in your specified buckets that Amazon Macie scans. When you specify a percentage less than 100, Macie selects that percentage of objects at random. For example, if you specify 50%, Macie scans 50% of the objects in your bucket, chosen randomly.
Macie Set Up
To set up Macie:
- Open the AWS Management Console and navigate to the Macie dashboard.
- Click the “Get Started” button to begin the setup process.
- Choose the AWS account(s) and region(s) that you want to monitor.
- Configure the S3 buckets that you want Macie to monitor for sensitive data.
- Review the Macie pricing and confirm your setup.
After you have completed these steps, Macie will start analyzing your S3 buckets for sensitive data. You can view the Macie dashboard to see where sensitive data is stored, and it will generate alerts when it detects unusual or unauthorized access to this data.
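The console steps above, and the sampling-depth setting described earlier, map onto one API call: `CreateClassificationJob` in the Macie2 API. The following is an added example, not code from the original article or from AWS. It builds and validates the request (job name, account, buckets, sampling percentage and schedule) and submits it through boto3 only when explicitly asked to. The parameter names (`jobType`, `samplingPercentage`, `scheduleFrequency`, `s3JobDefinition`, `managedDataIdentifierSelector`) are taken from that API as I understand it, and the default weekly/monthly schedule values are assumptions; the account ID and bucket names are constructed placeholders.

```python
"""Build and optionally submit an Amazon Macie classification job.

Added example (not the article's or AWS's own code). Parameter names follow
the Macie2 CreateClassificationJob API as assumed in the lead-in.
"""
import re
import uuid
from typing import Dict, List, Optional, Sequence

# Map the article's frequencies onto the scheduleFrequency keys (assumed API shape).
SCHEDULES: Dict[str, Dict] = {
    "daily": {"dailySchedule": {}},
    "weekly": {"weeklySchedule": {"dayOfWeek": "MONDAY"}},   # assumed default day
    "monthly": {"monthlySchedule": {"dayOfMonth": 1}},     # assumed default day
}


def build_job_request(
    name: str,
    account_id: str,
    buckets: Sequence[str],
    sampling_percentage: int = 100,
    frequency: Optional[str] = None,
) -> Dict:
    """Return the keyword arguments for macie2.create_classification_job.

    frequency=None creates a one-time job; "daily", "weekly" or "monthly"
    creates a scheduled job. sampling_percentage is the sampling depth.
    """
    if not 1 <= sampling_percentage <= 100:
        raise ValueError("sampling_percentage must be between 1 and 100")
    if not re.fullmatch(r"\d{12}", account_id):
        raise ValueError("account_id must be a 12-digit AWS account ID")
    if not buckets:
        raise ValueError("at least one bucket is required")
    if frequency is not None and frequency not in SCHEDULES:
        raise ValueError(f"frequency must be one of {sorted(SCHEDULES)} or None")

    request: Dict = {
        "clientToken": str(uuid.uuid4()),  # idempotency token for the API
        "name": name,
        "jobType": "ONE_TIME" if frequency is None else "SCHEDULED",
        "samplingPercentage": sampling_percentage,
        # Use every managed data identifier (PII such as names, emails, card numbers).
        "managedDataIdentifierSelector": "ALL",
        "s3JobDefinition": {
            "bucketDefinitions": [{"accountId": account_id, "buckets": list(buckets)}]
        },
    }
    if frequency is not None:
        request["scheduleFrequency"] = SCHEDULES[frequency]
    return request


def submit_job(request: Dict, region: str = "us-east-1") -> str:
    """Submit the job to Macie and return its job ID (needs boto3, credentials, Macie enabled)."""
    import boto3  # imported lazily so the builder stays usable offline

    client = boto3.client("macie2", region_name=region)
    response = client.create_classification_job(**request)
    return response["jobId"]


if __name__ == "__main__":
    # Constructed placeholders; replace with your own account ID and bucket names.
    req = build_job_request(
        name="weekly-pii-scan",
        account_id="123456789012",
        buckets=["example-customer-uploads"],
        sampling_percentage=50,   # scan a random half of the objects, as described above
        frequency="weekly",
    )
    print(req)
    # submit_job(req)  # uncomment to create the job in a real account
```

Validating `sampling_percentage` up front matters because a value of 0 or above 100 is rejected by the service anyway, and catching it locally keeps a misconfigured job from being half-created in automation.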
Pricing
Macie is automatically enrolled in a 30-day free trial when it is first set up. The free trial does not include running discovery jobs to find and report sensitive data in S3 objects. After the 30-day free trial, Macie charges for the following:
- The number of S3 buckets evaluated for bucket inventory and monitoring
- The number of S3 objects monitored for automated data discovery
- The quantity of data inspected for automated and targeted sensitive data discovery
Macie is a powerful tool for discovering, classifying, and protecting sensitive data in your AWS environment. By following the steps outlined above and implementing best practices such as monitoring multiple AWS accounts and regions, configuring custom data identifiers, and regularly reviewing alerts, you can effectively protect sensitive data in your AWS environment with Macie.
Interested in more AWS security services? Check out this article on how GuardDuty identifies and protects your AWS account from threats!