-
Hi all,
Was going through the following question: “The system is using a MySQL RDS instance to store the deliveries and transactions of the system. To ensure business continuity, you are instructed to set up a disaster recovery system in which the RTO must be less than 3 hours and the RPO is 15 minutes when a system outage occurs. A system should also be implemented that can automatically discover, classify, and protect any personally identifiable information (PII) or intellectual property in your data store.”
The answer indicated that Macie should be used to detect PII; however, from my understanding, Macie only works on data stored in S3. Is this right? There does seem to be a pattern where data is extracted out of RDS and into S3, but I suspect this is outside of the scope of the question?
Please advise.
Thank you!
-
Hi ibiarea0,
Thanks for the feedback.
> The answer indicated that Macie should be used to detect PII however from my understanding, Macie only works on data stored in S3. Is this right?

Yes, you are correct. Amazon Macie scans data/documents/texts on Amazon S3 to detect any PII information.

> There does seem to be a pattern where data is extracted out of RDS and into S3, but I suspect this is outside of the scope of the question?

Yes, this is not in scope for the answer, because there is no native service to do this yet on AWS.
This question highlights Amazon Macie in combination with RDS backups that send to an S3 bucket in another region and require a specific RTO and RPO to another region.
Amazon Macie reads the RDS data on the S3 bucket to scan for PII information. But it can’t read actual snapshots of RDS databases.
However, Macie can read (non-binary) plain text files and gzip format files. For example, if you save database dumps like .sql or .sql.gz files which are just plain text files on Amazon S3, then Macie can scan these files for PII data.
Hope this helps.
Let us know if you need further assistance. The Tutorials Dojo team is dedicated to helping you pass your AWS exam!
Regards,
Kenneth Samonte @ Tutorials Dojo
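The workflow described in the answer above (write plain-text or gzip dumps to S3, then have Macie classify them) as an added example; this is not code from the forum or from AWS. It builds a Macie classification job scoped to the prefix where dumps land; the account id, bucket name, prefix and recorded job id are constructed placeholders, and the stand-in client replaces boto3.client("macie2") so it runs offline.

```python
# Added example (not the forum's or AWS's code): build and submit an Amazon
# Macie classification job scoped to the S3 prefix where RDS dumps land.
# Macie scans S3 objects, not RDS snapshots, so only .sql/.sql.gz objects
# under the prefix are included. Account id, bucket and prefix are constructed.
import uuid

DUMP_EXTENSIONS = ["sql", "gz"]  # plain-text and gzip dumps Macie can read


def build_macie_job_request(account_id, bucket, prefix, job_name, daily=True):
    """Return kwargs for macie2.create_classification_job()."""
    scope_terms = [  # both terms must match (logical AND)
        {"simpleScopeTerm": {"comparator": "STARTS_WITH",
                             "key": "OBJECT_KEY", "values": [prefix]}},
        {"simpleScopeTerm": {"comparator": "EQ",
                             "key": "OBJECT_EXTENSION",
                             "values": DUMP_EXTENSIONS}},
    ]
    request = {
        "clientToken": str(uuid.uuid4()),  # idempotency token the API requires
        "name": job_name,
        "jobType": "SCHEDULED" if daily else "ONE_TIME",
        "managedDataIdentifierSelector": "ALL",  # all built-in PII detectors
        "s3JobDefinition": {
            "bucketDefinitions": [{"accountId": account_id, "buckets": [bucket]}],
            "scoping": {"includes": {"and": scope_terms}},
        },
    }
    if daily:  # rescan each day as new dumps arrive
        request["scheduleFrequency"] = {"dailySchedule": {}}
    return request


def create_dump_scan_job(macie_client, account_id, bucket, prefix, job_name):
    """Submit the job through any client exposing create_classification_job()."""
    params = build_macie_job_request(account_id, bucket, prefix, job_name)
    return macie_client.create_classification_job(**params)["jobId"]


class RecordingMacieClient:
    """Offline stand-in for boto3.client("macie2"); records what would be sent."""

    def __init__(self):
        self.calls = []

    def create_classification_job(self, **kwargs):
        self.calls.append(kwargs)
        return {"jobId": "job-constructed-0001"}  # constructed response
```

For real use, pass `boto3.client("macie2", region_name=...)` in place of `RecordingMacieClient()` to `create_dump_scan_job`; the scoping keeps Macie off unrelated objects in the DR bucket.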
-
Correct, Amazon Macie will not process RDS database snapshots; a plain-text dump to S3 is required. Note the currently proposed solution to enable this, using the DMS service: https://aws.amazon.com/blogs/security/enabling-data-classification-for-amazon-rds-database-with-amazon-macie/