How it works...

Macie can be used to analyze S3 buckets and CloudTrail logs. In this recipe, we configured Macie to analyze and classify data in an S3 bucket. We enabled Macie in the us-east-1 region because that is where we had created the S3 bucket. At the time of writing, Macie is available only in US East (North Virginia) and US West (Oregon). While we were enabling Macie, it also asked for some permissions, mostly for CloudTrail and S3 actions. We went to the INTEGRATIONS page and added our S3 bucket. We configured the option to classify the existing objects as well. The configuration page also shows us the tentative cost for analyzing the contents of the bucket. The calculations may not be present or accurate for newly created buckets.

Some time after integrating the S3 bucket, we could see the risks in our dashboard. We clicked on Critical assets and Total event occurrences at the top of the dashboard, which took us to the RESEARCH page with a prepopulated query. We could also have clicked on Total user sessions. Macie assigns a risk value between 1 and 10 to the risks it detects. Queries in the RESEARCH tab follow the Apache Lucene query parser syntax, so we can run advanced queries there to filter the results down to the ones we want.

We saw the additional information available for an event of the S3 object type in the recipe. This additional information includes fields such as Type, Last modified, Account ID, Bucket name, Bucket owner, Path prefix or folder, Object key, Object risk level, Object PII details, and so on. Similarly, for a CloudTrail event type, we can get additional information, such as Type, Timestamp, Account ID, Macie unique ID, User identity type, Source ARN, Event type, Count of unique event names, Event name by error code, Error code, Event source, and so on.
