Compliance · High severity

AWS Security Hub · Macie

Macie.2: Macie automated sensitive data discovery is off

Written and reviewed by Emnode · Last reviewed

What does AWS Security Hub Macie.2 check?

Macie.2 checks whether automated sensitive data discovery is enabled for the Macie administrator account. It fails when the feature is off. Enabling Macie does not enable discovery: discovery is a separate setting with its own per-object analysis charge, so it is frequently never switched on, or is switched off again to contain cost, and Macie.2 flags exactly that state.

Why does Macie.2 matter?

Passing Macie.1 only means the service is switched on, and a Macie account without discovery only inventories bucket configuration; it never reads the objects. Without discovery, Macie can tell you a bucket is public but not whether it holds vacation photos or 40,000 Social Security numbers. Automated discovery samples objects from your buckets every day, inspects them for the data types in its inspection template, and builds a sensitivity map of where PII, payment data and credentials actually reside, so an "are we exposed?" question becomes a query against that map instead of a manual investigation.

How do I fix Macie.2?

  1. From the Macie administrator account, enable automated sensitive data discovery for the organisation (Macie itself must already be enabled in that account and Region).
  2. Exclude buckets from the discovery classification scope, or otherwise narrow it, to bound the per-object analysis cost; known-benign or very large low-value buckets are the usual candidates.
  3. Review the resulting sensitivity scores and findings, and route high-sensitivity buckets into remediation.

Remediation script · bash

# Enable the GuardDuty base detector in every Region (run from the delegated admin account).
for region in $(aws ec2 describe-regions --query 'Regions[].RegionName' --output text); do
  existing=$(aws guardduty list-detectors --region "$region" --query 'DetectorIds[0]' --output text)
  if [ "$existing" = "None" ]; then
    aws guardduty create-detector --enable \
      --finding-publishing-frequency FIFTEEN_MINUTES --region "$region"
    echo "$region: GuardDuty detector created"
  fi
done

# Turn on Inspector EC2/ECR/Lambda scanning for this account and Region.
aws inspector2 enable --resource-types EC2 ECR LAMBDA

# Enable Macie. The free bucket inventory clears Macie.1, but automated discovery is a separate setting, so this line alone does not clear Macie.2.
aws macie2 enable-macie --status ENABLED --finding-publishing-frequency FIFTEEN_MINUTES
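The script above switches the services on but stops short of the setting Macie.2 actually checks. The following is an added example, not code from the original page or from the lesson it references, that carries the three remediation steps through with the AWS CLI and reproduces the control's pass/fail decision from the two values it looks at. It assumes AWS CLI v2 running with credentials for the Macie administrator account; `REGION`, the mapping of a missing Macie session to `NONE`, and the bucket names passed on the command line are this example's own assumptions.

```shell
#!/usr/bin/env bash
# Added example, not code from the original page: check and remediate Security Hub
# Macie.2 with the AWS CLI. Assumes AWS CLI v2 with credentials for the Macie
# administrator account; REGION and the bucket names given on the command line are
# placeholders you supply.
set -eu

REGION="${AWS_REGION:-us-east-1}"   # assumption: one Region; loop over Regions if Macie runs in several

# Reproduce the Macie.2 verdict from the two values the control looks at.
#   $1 = Macie session status (ENABLED | PAUSED, or NONE when Macie was never enabled)
#   $2 = automated sensitive data discovery status (ENABLED | DISABLED)
# Prints PASSED or FAILED on stdout and the reason on stderr.
macie2_verdict() {
  session="$1"; discovery="$2"
  if [ "$session" != "ENABLED" ]; then
    echo "Macie session status is $session: Macie.1 and Macie.2 both fail" >&2
    echo FAILED
  elif [ "$discovery" != "ENABLED" ]; then
    echo "Macie is on but automated discovery is $discovery: Macie.2 fails" >&2
    echo FAILED
  else
    echo PASSED
  fi
}

# Build a JSON string array from positional arguments, e.g.  a b  ->  ["a","b"]
json_string_array() {
  out=""
  for name in "$@"; do out="$out\"$name\","; done
  printf '[%s]' "${out%,}"
}

# Live values. get-macie-session errors when Macie is not enabled; we map that to NONE (assumption).
current_session_status() {
  aws macie2 get-macie-session --region "$REGION" --query status --output text 2>/dev/null || echo NONE
}
current_discovery_status() {
  aws macie2 get-automated-discovery-configuration --region "$REGION" \
    --query status --output text 2>/dev/null || echo DISABLED
}

# Step 1: turn automated discovery on. This is the setting Macie.2 evaluates.
enable_discovery() {
  aws macie2 update-automated-discovery-configuration --status ENABLED --region "$REGION"
}

# Step 2: keep the listed buckets out of the daily sampling to bound per-object cost.
# Automated discovery has one classification scope; add the names to its exclude list.
exclude_buckets() {
  scope_id=$(aws macie2 list-classification-scopes --region "$REGION" \
               --query 'classificationScopes[0].id' --output text)
  aws macie2 update-classification-scope --id "$scope_id" --region "$REGION" \
    --s3 "{\"excludes\":{\"bucketNames\":$(json_string_array "$@"),\"operation\":\"ADD\"}}"
}

# Step 3 starts from the findings; here we only confirm the control's inputs have changed.
case "${1:-}" in
  check)
    macie2_verdict "$(current_session_status)" "$(current_discovery_status)" ;;
  enable)
    shift
    enable_discovery
    if [ $# -gt 0 ]; then exclude_buckets "$@"; fi
    macie2_verdict "$(current_session_status)" "$(current_discovery_status)" ;;
  *)
    echo "usage: $0 check | enable [bucket-to-exclude ...]" >&2 ;;
esac
```

Run `macie2.sh check` to see the verdict Security Hub will reach before it re-evaluates, and `macie2.sh enable logs-archive cdn-assets` to enable discovery and exclude those buckets in one pass; the closing `check` after enabling confirms the discovery status flipped to ENABLED, which is the only input Macie.2 needs.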

Full walkthrough (console steps, edge cases and verification) in the lesson Enable threat detection and vulnerability scanning.

Is Macie.2 a false positive?

No. Passing Macie.1 only says the service is switched on; Macie.2 asks whether Macie is actually inspecting object contents, and automated discovery is a separate setting from enabling Macie. An account can therefore pass Macie.1 and fail Macie.2 legitimately, and the finding stays genuine until discovery is enabled, or re-enabled with an exclusion list if it was switched off to contain cost.
