AWS Security Hub · Macie
Macie.1: Sensitive data in S3 is not being discovered
Written and reviewed by Emnode · Last reviewed
What does AWS Security Hub Macie.1 check?
Macie.1 raises the account-level finding when Amazon Macie is not enabled. Macie does two jobs — a continuous inventory of S3 bucket security posture (public access, encryption, external sharing) and on-demand sensitive-data discovery that inspects object contents for PII, financial data, and credentials.
Why does Macie.1 matter?
Without Macie (or an equivalent) you have no maintained inventory of where personal or sensitive data lives; every regulated framework expects one, and its absence does not survive an audit or a breach. The bigger gap is shadow PII — SSNs in error messages, card numbers in stack traces, session tokens in request bodies — sitting in buckets the team thought held only logs. Macie is the tool that catches the difference between what teams think they store and what they actually do.
How do I fix Macie.1?
- Enable Macie in the account (and delegate a Macie administrator in the organisation).
- Let the no-cost bucket-security inventory run to surface public, unencrypted, and externally shared buckets.
- Run sensitive-data discovery jobs against your highest-risk buckets to map where regulated data lives.
Remediation script · bash

# Enable the GuardDuty base detector in every Region (run from the delegated admin account).
for region in $(aws ec2 describe-regions --query 'Regions[].RegionName' --output text); do
    existing=$(aws guardduty list-detectors --region "$region" --query 'DetectorIds[0]' --output text)
    if [ "$existing" = "None" ]; then
        aws guardduty create-detector --enable \
            --finding-publishing-frequency FIFTEEN_MINUTES --region "$region"
        echo "$region: GuardDuty detector created"
    fi
done

# Turn on Inspector EC2/ECR/Lambda scanning for this account and Region.
aws inspector2 enable --resource-types EC2 ECR LAMBDA

# Enable Macie (the free bucket inventory clears Macie.1; discovery jobs are scoped separately by risk).
aws macie2 enable-macie --status ENABLED --finding-publishing-frequency FIFTEEN_MINUTES

Full walkthrough (console steps, edge cases and verification) in the lesson Enable threat detection and vulnerability scanning.
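The remediation above turns Macie on; the script below is an added verification example (not part of this page or the Emnode lesson) that checks whether Macie.1 actually passes afterwards. It reads the session status that `aws macie2 get-macie-session` returns in every Region and, from the delegated administrator account, lists member accounts that `aws macie2 list-members` reports as anything other than Enabled. The function names (`macie1_status`, `check_region`, `noncompliant_members`) and the `MACIE1_LIVE` switch are this example's own; it assumes AWS CLI v2 with credentials in the environment, and it treats a PAUSED session and a failed `get-macie-session` call (which happens when Macie was never enabled in that Region) as failures.

```bash
#!/bin/sh
# Added verification example for Macie.1 (not the page's or Emnode's code).
# Function names are this example's own; the `aws macie2` subcommands are real.

# Decide from the JSON body of `aws macie2 get-macie-session` whether Macie.1 passes.
# Only status ENABLED passes; PAUSED is treated as a fail here (assumption: a paused
# session is not "enabled" for the control's purposes).
# Prints PASS or FAIL and returns 0 or 1 accordingly.
macie1_status() {
  json="$1"
  if printf '%s' "$json" | grep -Eq '"status"[[:space:]]*:[[:space:]]*"ENABLED"'; then
    echo PASS
    return 0
  fi
  echo FAIL
  return 1
}

# Evaluate one Region. When Macie has never been enabled there, the API call itself
# errors out (there is no session to describe), so a failed call is also a FAIL.
check_region() {
  region="$1"
  if out=$(aws macie2 get-macie-session --region "$region" --output json 2>/dev/null); then
    macie1_status "$out"
  else
    echo FAIL
    return 1
  fi
}

# From the delegated Macie administrator: given on stdin the tab-separated output of
#   aws macie2 list-members --query 'members[].[accountId,relationshipStatus]' --output text
# print the member account IDs whose relationship is anything other than Enabled
# (Paused, Invited, RegionDisabled, AccountSuspended, ...). Those accounts still fail Macie.1.
noncompliant_members() {
  awk -F'\t' 'NF >= 2 && $2 != "Enabled" { print $1 }'
}

# Live run: per-Region status for this account, then members the delegated
# administrator has not yet brought to Enabled. Exit status is non-zero if any Region fails.
main() {
  failed=0
  for region in $(aws ec2 describe-regions --query 'Regions[].RegionName' --output text); do
    status=$(check_region "$region") || failed=$((failed + 1))
    echo "$region: Macie.1 $status"
  done
  echo "--- member accounts not Enabled (delegated admin only) ---"
  aws macie2 list-members --query 'members[].[accountId,relationshipStatus]' --output text \
    2>/dev/null | noncompliant_members
  [ "$failed" -eq 0 ]
}

# The live calls only run when explicitly requested, so the functions can be sourced
# and exercised on captured output without AWS access.
if [ "${MACIE1_LIVE:-0}" = "1" ]; then
  main
fi
```

Run it with `MACIE1_LIVE=1 sh macie1-check.sh` from the delegated administrator account after remediation; a Region that prints FAIL is one where Security Hub will keep raising Macie.1 even though the account was "enabled" elsewhere, because Macie is a per-Region service.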
More Macie controls
- Macie.2 Macie automated sensitive data discovery is off