Ensure all data in Amazon S3 has been discovered, classified and secured when required

Perform the steps below to enable and configure Amazon Macie From Console

1. Log on to the Macie console at https://console.aws.amazon.com/macie/
2. Click Get started.
3. Click Enable Macie.

Setup a repository for sensitive data discovery results

1. In the Left pane, under Settings, click Discovery results.
2. Make sure Create bucket is selected.
3. Create a bucket, enter a name for the bucket. The name must be unique across all S3 buckets. In addition, the name must start with a lowercase letter or a number.
4. Click on Advanced.5. Block all public access, make sure Yes is selected.
5. KMS encryption, specify the AWS KMS key that you want to use to encrypt the results. The key must be a symmetric, customer master key (CMK) that's in the same Region as the S3 bucket.
6. Click on Save

Create a job to discover sensitive data

1. In the left pane, click S3 buckets. Macie displays a list of all the S3 buckets for your account.
2. Select the check box for each bucket that you want Macie to analyze as part of the job
3. Click Create job.
4. Click Quick create.
5. For the Name and description step, enter a name and, optionally, a description of the job.
6. Then click Next.
7. For the Review and create step, click Submit.

Review your findings

1. In the left pane, click Findings.
2. To view the details of a specific finding, choose any field other than the check box for the finding.

If you are using a 3rd Party tool to manage and protect your s3 data, follow the Vendor documentation for implementing and configuring that tool.

Multiple Remediation Paths

AWS

SERVICE-WIDE (RECOMMENDED when many resources are affected): Deploy centralized guardrails and remediation using AWS Config Conformance Packs and (if applicable) AWS Organizations SCPs.

aws configservice put-organization-conformance-pack --organization-conformance-pack-name <pack-name> --template-s3-uri s3://<bucket>/<template>.yaml

ASSET-LEVEL: Apply the resource-specific remediation steps above to only the affected assets.

PREVENTIVE: Add CI/CD policy checks (CloudFormation/Terraform validation) before deployment to prevent recurrence.

References for Service-Wide Patterns

• AWS Config Conformance Packs: https://docs.aws.amazon.com/config/latest/developerguide/conformance-packs.html
• AWS Organizations SCP examples: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples.html

Operational Rollout Workflow

Use this sequence to reduce risk and avoid repeated drift.

1. Contain at Service-Wide Scope First (Recommended)

• AWS: deploy/adjust organization conformance packs and policy guardrails.

aws configservice put-organization-conformance-pack --organization-conformance-pack-name <pack-name> --template-s3-uri s3://<bucket>/<template>.yaml

2. Remediate Existing Affected Assets

• Execute the control-specific Console/CLI steps documented above for each flagged resource.
• Prioritize internet-exposed and production assets first.

3. Validate and Prevent Recurrence

• Re-scan after each remediation batch.
• Track exceptions with owner and expiry date.
• Add preventive checks in IaC/CI pipelines.