Checks that the Amazon Macie administrator account has automated sensitive data discovery enabled for S3 data. The evaluation confirms the feature's status for the account in each Region.
Risk
Without continuous discovery, sensitive S3 objects remain unclassified and unnoticed, weakening confidentiality. Over-permissive or public access can persist undetected, enabling data exfiltration and delaying containment and forensic response.
prowler aws --checks macie_automated_sensitive_data_discovery_enabled
Recommendation
Enable and maintain automated sensitive data discovery for the Macie administrator across required Regions. Include relevant buckets, tune identifiers and allow lists to reduce noise, and route findings to monitoring. Complement with least privilege on S3 and defense in depth for data protection.
Remediation
aws macie2 update-automated-discovery-configuration --status ENABLED --region <REGION>
- In the AWS Console, open Amazon Macie
- Select the correct Region from the Region selector
- Go to Settings > Automated sensitive data discovery
- Click Enable under Status (choose My account if prompted)
- Repeat in other Regions where Macie is enabled if needed
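The following script is an added example, not Prowler's own check code. It reproduces the logic the check and remediation above describe: for each Region where Macie has a session, it reads the automated discovery configuration (the macie2 GetAutomatedDiscoveryConfiguration API) and reports PASS when the status is ENABLED and FAIL otherwise, then shows the same UpdateAutomatedDiscoveryConfiguration call the CLI remediation makes. Regions where Macie itself is not enabled are skipped, because the setting cannot exist without a session; the assumption that GetMacieSession fails with AccessDeniedException or ResourceNotFoundException in such Regions is labelled in the code. FakeMacieClient and the three-Region estate in demo_findings() are constructed stand-ins so the file runs offline; main() uses boto3 against a real account when it is available.

```python
"""Evaluate and remediate Macie automated sensitive data discovery per Region.

Added example (not Prowler's code). PASS = automated discovery ENABLED,
FAIL = any other status; Regions with no Macie session are skipped.
"""
from typing import Any, Dict, List, Optional

# Assumption: these are the error codes GetMacieSession raises when Macie
# is not enabled in a Region (it fails instead of returning a status).
NOT_ENABLED_CODES = {"AccessDeniedException", "ResourceNotFoundException"}


def _error_code(exc: Exception) -> str:
    """Read the AWS error code off a botocore-style ClientError."""
    response = getattr(exc, "response", None) or {}
    return response.get("Error", {}).get("Code", "")


def evaluate_configuration(region: str, config: Dict[str, Any]) -> Dict[str, str]:
    """Map a GetAutomatedDiscoveryConfiguration response to a finding."""
    status = config.get("status", "DISABLED")
    return {
        "region": region,
        "status": "PASS" if status == "ENABLED" else "FAIL",
        "status_extended": f"Automated sensitive data discovery is {status} in {region}.",
    }


def check_region(client: Any, region: str) -> Optional[Dict[str, str]]:
    """Evaluate one Region; returns None when Macie is not enabled there."""
    try:
        client.get_macie_session()
    except Exception as exc:  # botocore.exceptions.ClientError in practice
        if _error_code(exc) in NOT_ENABLED_CODES:
            return None
        raise
    return evaluate_configuration(region, client.get_automated_discovery_configuration())


def remediate(client: Any) -> str:
    """Enable automated discovery (same call as the CLI remediation above)."""
    client.update_automated_discovery_configuration(status="ENABLED")
    return client.get_automated_discovery_configuration()["status"]


# --- constructed stand-in so the example runs without AWS credentials -------
class _ClientError(Exception):
    """Mimics the .response shape of botocore's ClientError."""

    def __init__(self, code: str):
        super().__init__(code)
        self.response = {"Error": {"Code": code}}


class FakeMacieClient:
    """Minimal macie2 client shape; its state is constructed, not real."""

    def __init__(self, macie_enabled: bool, discovery_status: str = "DISABLED"):
        self.macie_enabled = macie_enabled
        self.discovery_status = discovery_status

    def get_macie_session(self) -> Dict[str, str]:
        if not self.macie_enabled:
            raise _ClientError("AccessDeniedException")
        return {"status": "ENABLED"}

    def get_automated_discovery_configuration(self) -> Dict[str, str]:
        return {"status": self.discovery_status}

    def update_automated_discovery_configuration(self, status: str) -> None:
        self.discovery_status = status


def demo_findings() -> List[Dict[str, str]]:
    """Run the check over a constructed three-Region estate."""
    estate = {
        "us-east-1": FakeMacieClient(True, "ENABLED"),
        "eu-west-1": FakeMacieClient(True, "DISABLED"),
        "ap-south-1": FakeMacieClient(False),  # Macie never enabled here
    }
    findings = []
    for region, client in estate.items():
        finding = check_region(client, region)
        if finding is not None:
            findings.append(finding)
    return findings


def main() -> None:
    """Real-account path: iterate every Region the macie2 endpoint exists in."""
    import boto3  # only needed here, so the offline demo has no dependency
    session = boto3.session.Session()
    for region in session.get_available_regions("macie2"):
        finding = check_region(session.client("macie2", region_name=region), region)
        if finding is not None:
            print(f"{finding['status']:4} {finding['status_extended']}")


if __name__ == "__main__":
    for f in demo_findings():
        print(f"{f['status']:4} {f['status_extended']}")
```

Running the file prints PASS for us-east-1 and FAIL for eu-west-1 from the constructed estate, and nothing for ap-south-1 because the session check short-circuits there. The remediation call is kept in a separate function so that a FAIL finding can be reviewed before anything is changed; enabling discovery should be a deliberate step per Region, as the console steps above also imply.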
Resource Type
Other