Cyscale
Back to controls

Ensure all data in Amazon S3 has been discovered, classified and secured when required

### Overview

Category

Controls

Low

Applies to

General guidance

Coverage

Reference entry

Asset types

Not specified

Overview

Overview

+Amazon S3 buckets can contain sensitive data that should be continuously discovered, classified, and protected. Amazon Macie and equivalent third-party solutions can help automate this process.

Remediation guidance

Perform the steps below to enable and configure Amazon Macie From Console

  1. Log on to the Macie console at https://console.aws.amazon.com/macie/
  2. Click Get started.
  3. Click Enable Macie.

Setup a repository for sensitive data discovery results

  1. In the Left pane, under Settings, click Discovery results.
  2. Make sure Create bucket is selected.
  3. Create a bucket, enter a name for the bucket. The name must be unique across all S3 buckets. In addition, the name must start with a lowercase letter or a number.
  4. Click on Advanced.5. Block all public access, make sure Yes is selected.
  5. KMS encryption, specify the AWS KMS key that you want to use to encrypt the results. The key must be a symmetric, customer master key (CMK) that's in the same Region as the S3 bucket.
  6. Click on Save

Create a job to discover sensitive data

  1. In the left pane, click S3 buckets. Macie displays a list of all the S3 buckets for your account.
  2. Select the check box for each bucket that you want Macie to analyze as part of the job
  3. Click Create job.
  4. Click Quick create.
  5. For the Name and description step, enter a name and, optionally, a description of the job.
  6. Then click Next.
  7. For the Review and create step, click Submit.

Review your findings

  1. In the left pane, click Findings.
  2. To view the details of a specific finding, choose any field other than the check box for the finding.

If you are using a 3rd Party tool to manage and protect your s3 data, follow the Vendor documentation for implementing and configuring that tool.

Service-wide remediation

Recommended when many resources are affected: fix the platform baseline first so new resources inherit the secure setting, then remediate the existing flagged resources in batches.

Platform

Use the provider or platform baseline, preventive policy, and IaC modules to enforce this setting consistently when many resources are affected.

Operational rollout

  1. Fix the baseline first at the account, subscription, project, cluster, or tenant scope that owns this control.
  2. Remediate the currently affected resources in batches, starting with internet-exposed and production assets.
  3. Re-scan and track approved exceptions with an owner and expiry date.

Query logic

These are the stored checks tied to this control.

No stored query bodies are attached to this entry.

Cyscale Logo
Cyscale is an agentless cloud-native application protection platform (CNAPP) that automates the contextual analysis of cloud misconfigurations, vulnerabilities, access, and data, to provide an accurate and actionable assessment of risk.

Stay connected

Receive new blog posts and product updates from Cyscale

By clicking Subscribe, I agree to Cyscale’s Privacy Policy

© 2026 Cyscale Limited

© 2026 Cyscale Limited

Terms of useSecurity PolicyPrivacy PolicyStatusSitemap
Terms of useSecurity PolicyPrivacy Policy
StatusSitemap
LinkedIn icon
Twitter icon
Facebook icon
crunch base icon
angel icon