Macie Session

Note: This documentation is also available in a rendered format here.

Configures an Amazon Macie session for the account, enabling automated sensitive data discovery and classification with configurable finding publishing frequency. Use this module when you need to scan your S3 data for personally identifiable information (PII) and other sensitive data to meet data privacy and compliance requirements.

⚠️ Account-Level Module — This module can only be deployed once per AWS account. A second deployment to the same account will fail. See Account-Level Modules for details.


Deployed Resources

This module deploys and integrates the following resources:

Macie Session - Account-level Macie session with configurable finding publishing frequency and status control.

Architecture diagram: MacieSession

  • Data Lake — Enable Macie sensitive data discovery on data lake S3 buckets

Security/Compliance Details

This module is designed in alignment with MDAA security/compliance principles and CDK nag rulesets. Additional review is recommended prior to production deployment, ensuring organization-specific compliance requirements are met.

  • Compliance:
    • Macie provides automated sensitive data discovery and classification, supporting data privacy and compliance requirements
    • Finding publishing frequency controls how often sensitive data findings are reported

Configuration

MDAA Config

Add the following snippet to your mdaa.yaml under the modules: section of a domain/env in order to use this module:

macie-session: # Module Name can be customized
  module_path: '@aws-mdaa/macie-session' # Must match module NPM package name
  module_configs:
    - ./macie-session.yaml # Filename/path can be customized

Module Config Samples and Variants

Copy the contents of the relevant sample config below into the ./macie-session.yaml file referenced in the MDAA config snippet above.

Minimal Configuration

Required properties only — a Macie session with finding publishing frequency. Start here for enabling Macie sensitive data discovery in a single account.

sample-config-minimal.yaml

# Contents available via above link
# Minimal Macie Session module configuration.
# Contains only required properties for a Macie session.

session:
  # Frequency at which Macie publishes finding updates
  # (enum: FIFTEEN_MINUTES, ONE_HOUR, SIX_HOURS)
  findingPublishingFrequency: SIX_HOURS

Comprehensive Configuration

Enables Amazon Macie for automated sensitive data discovery, PII detection, and data security monitoring, covering all enum variants for findingPublishingFrequency and status. Start here when evaluating all available options for publishing frequency and session status configurations.

sample-config-comprehensive.yaml

# Contents available via above link
# Comprehensive sample config for the Macie Session module.
# Exercises ALL compatible non-excluded properties at full depth.
# Covers all enum variants for findingPublishingFrequency and status.
#
# Enables Amazon Macie for automated sensitive data discovery,
# PII detection, and data security monitoring.

# Macie session settings (required)
session:
  # How often Macie publishes findings about sensitive data discovery.
  # (required, enum: FIFTEEN_MINUTES | ONE_HOUR | SIX_HOURS)
  findingPublishingFrequency: FIFTEEN_MINUTES
  # Whether the Macie session is actively monitoring or paused.
  # (optional, enum: ENABLED | PAUSED, default: ENABLED)
  status: ENABLED
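The two sample configs above exercise the whole surface of this module: one required enum (findingPublishingFrequency), one optional enum (status) with a default. A practitioner deploying it usually wants two checks: that a macie-session.yaml is valid before it reaches the pipeline, and that the session actually running in the account still matches the committed config (a paused session or a relaxed publishing frequency silently stops or delays findings). The following is an added example, not MDAA project code. It assumes the two-level YAML shape shown in this README, and that the live session is a dict shaped like the response of boto3's Macie2 `get_macie_session` call (keys `findingPublishingFrequency` and `status`); the `LIVE_SESSION` dict is constructed sample data, not a real API response.

```python
"""Validate an MDAA macie-session.yaml and detect drift against a live session.

Added example, not MDAA project code. Assumes the two-level YAML from this
README and a get_macie_session-shaped dict for the live state.
"""
from __future__ import annotations

# Enum values documented for the module config.
FREQUENCIES = {"FIFTEEN_MINUTES", "ONE_HOUR", "SIX_HOURS"}
STATUSES = {"ENABLED", "PAUSED"}
DEFAULT_STATUS = "ENABLED"

# Constructed sample input: the minimal config from this README.
MINIMAL_CONFIG = """\
# Minimal Macie Session module configuration.
session:
  # Frequency at which Macie publishes finding updates
  findingPublishingFrequency: SIX_HOURS
"""

# Constructed sample shaped like boto3 macie2.get_macie_session(); the role
# ARN is a placeholder. Extra keys such as serviceRole are ignored by the check.
LIVE_SESSION = {
    "findingPublishingFrequency": "ONE_HOUR",
    "status": "PAUSED",
    "serviceRole": "arn:aws:iam::111122223333:role/EXAMPLE-PLACEHOLDER",
}


def parse_simple_yaml(text: str) -> dict:
    """Parse the two-level 'key: value' YAML used by this module config.

    Handles comments, blank lines and one level of two-space nesting only;
    it is a deliberately small parser for this config, not general YAML.
    """
    root: dict = {}
    current = root
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        value = value.strip()
        if indent == 0:
            if value:
                root[key] = value
            else:
                current = root[key] = {}  # start a nested block
        else:
            current[key] = value
    return root


def validate_config(cfg: dict) -> list[str]:
    """Return a list of problems; an empty list means the config is valid."""
    problems: list[str] = []
    session = cfg.get("session")
    if not isinstance(session, dict):
        return ["missing required 'session' block"]
    freq = session.get("findingPublishingFrequency")
    if freq is None:
        problems.append("session.findingPublishingFrequency is required")
    elif freq not in FREQUENCIES:
        problems.append(
            f"invalid findingPublishingFrequency {freq!r}; "
            f"expected one of {sorted(FREQUENCIES)}"
        )
    status = session.get("status", DEFAULT_STATUS)
    if status not in STATUSES:
        problems.append(
            f"invalid status {status!r}; expected one of {sorted(STATUSES)}"
        )
    return problems


def desired_state(cfg: dict) -> dict:
    """Expand the config to the effective session settings, applying defaults."""
    session = cfg["session"]
    return {
        "findingPublishingFrequency": session["findingPublishingFrequency"],
        "status": session.get("status", DEFAULT_STATUS),
    }


def detect_drift(cfg: dict, live: dict) -> dict[str, tuple[str, str | None]]:
    """Compare desired state with a live session; return {field: (want, got)}."""
    want = desired_state(cfg)
    return {k: (v, live.get(k)) for k, v in want.items() if live.get(k) != v}


if __name__ == "__main__":
    cfg = parse_simple_yaml(MINIMAL_CONFIG)
    print("config problems:", validate_config(cfg))
    print("drift vs live session:", detect_drift(cfg, LIVE_SESSION))
```

Run against the constructed `LIVE_SESSION`, the minimal config reports drift on both fields: the session has been paused and its publishing frequency loosened to ONE_HOUR. In a real account, replacing `LIVE_SESSION` with the result of `boto3.client("macie2").get_macie_session()` turns this into a scheduled compliance check that catches out-of-band changes to the account-level session.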

Config Schema Docs