Data Classification & Compliance
Key concepts
Amazon Macie for sensitive data
AWS Config for compliance
Data residency requirements
Tagging for classification
Compliance programs (HIPAA, PCI)
Overview
Data classification is the process of organizing data into categories that make it easier to apply appropriate security controls, meet compliance requirements, and manage data throughout its lifecycle. AWS provides services and features to help discover, classify, and protect sensitive data.
Understanding data classification is important for the SAA-C03 exam because it connects security controls to business and regulatory requirements. You need to know how to use Amazon Macie for sensitive data discovery, AWS Config for compliance monitoring, and how to implement classification through tagging and policies.
Classification Drives Controls
Data classification drives security controls. Highly sensitive data (PII, PHI, financial) requires stronger encryption, access controls, and audit logging than general business data.
Focus on Amazon Macie for discovering sensitive data in S3, AWS Config for compliance rules, data residency considerations, and how classification integrates with other AWS security services.
Key Concepts
Data Classification Levels

Classification Levels
Organizations typically use four classification levels:
Data Classification Levels
| Level | Description | Examples | Required Controls |
|---|---|---|---|
| Public | No restrictions | Marketing materials, public docs | Basic access controls |
| Internal | Business use only | Internal policies, procedures | Authentication required |
| Confidential | Restricted access | Financial reports, contracts | Encryption + access control |
| Restricted | Highly sensitive | PII, PHI, payment card data | Encryption + audit + MFA |
Amazon Macie
Amazon Macie is a fully managed data security service that uses machine learning to automatically discover, classify, and protect sensitive data in S3.
Amazon Macie Capabilities
Amazon Macie:
├── Automatic Discovery
│ ├── Scans S3 buckets continuously
│ ├── Uses ML + pattern matching
│ └── Identifies sensitive data types
│
├── Sensitive Data Types
│ ├── Personal Identifiable Information (PII)
│ │ ├── Names, addresses, phone numbers
│ │ ├── Social Security Numbers
│ │ └── Email addresses
│ │
│ ├── Financial Data
│ │ ├── Credit card numbers
│ │ ├── Bank account numbers
│ │ └── Financial statements
│ │
│ └── Protected Health Information (PHI)
│ ├── Medical records
│ ├── Health insurance info
│ └── Prescription data
│
└── Custom Data Identifiers
├── Define your own patterns
├── Regex-based detection
└── Organization-specific dataAWS Config for Compliance
AWS Config enables continuous compliance monitoring with rules that evaluate resource configurations:
AWS Config Compliance Rules
Security & Encryption Rules:
├── s3-bucket-server-side-encryption-enabled
├── s3-bucket-ssl-requests-only
├── encrypted-volumes
├── rds-storage-encrypted
├── kms-cmk-not-scheduled-for-deletion
└── acm-certificate-expiration-check
Access Control Rules:
├── s3-bucket-public-read-prohibited
├── s3-bucket-public-write-prohibited
├── iam-user-mfa-enabled
├── iam-root-access-key-check
└── restricted-ssh
Data Protection Rules:
├── s3-bucket-versioning-enabled
├── dynamodb-pitr-enabled
├── rds-multi-az-support
└── backup-plan-min-frequency-and-min-retention-checkData Residency & Sovereignty

Data Residency Solutions
| Requirement | AWS Solution |
|---|---|
| Data must stay in specific country | Select appropriate AWS Region |
| Data must not leave region | S3 bucket policies, SCP restrictions |
| Backup copies must be co-located | Same-region replication only |
| Cross-border transfer controls | AWS Config + SCPs to prevent replication |
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DenyNonEURegions",
"Effect": "Deny",
"Action": "*",
"Resource": "*",
"Condition": {
"StringNotEquals": {
"aws:RequestedRegion": [
"eu-west-1",
"eu-west-2",
"eu-central-1"
]
}
}
}
]
}How It Works
Macie Discovery Process

1. ENABLE MACIE
└── Enable for AWS account
└── Configure S3 buckets to scan
2. AUTOMATED DISCOVERY
└── Macie samples objects from buckets
└── Uses ML classifiers + regex patterns
└── Runs continuously (daily by default)
3. SENSITIVE DATA FINDINGS
└── Generates findings for sensitive data
└── Classifies by type (PII, financial, etc.)
└── Includes location and severity
4. ACTIONS
└── Send findings to Security Hub
└── Trigger EventBridge rules
└── Integrate with SIEM/alerting
5. REMEDIATION
└── Review and remediate findings
└── Apply encryption, access controls
└── Update data handling proceduresTagging for Classification
Classification Tagging Strategy
Tags enable classification metadata on AWS resources:
Recommended Tags:
├── DataClassification: Public | Internal | Confidential | Restricted
├── DataOwner: team-name or owner-email
├── ComplianceScope: HIPAA | PCI-DSS | SOC2 | GDPR
├── RetentionPeriod: 1-year | 3-year | 7-year | indefinite
└── CostCenter: department-code
Example S3 Bucket Tags:
{
"DataClassification": "Restricted",
"DataOwner": "security-team@company.com",
"ComplianceScope": "PCI-DSS",
"RetentionPeriod": "7-year",
"Environment": "production"
}
Enforce with Tag Policies (AWS Organizations):
├── Require specific tags on resources
├── Enforce allowed values
└── Prevent resource creation without tagsAWS Security Hub Integration

Security Hub
Security Hub provides a comprehensive view of security and compliance:
Built-in Standards:
├── AWS Foundational Security Best Practices
├── CIS AWS Foundations Benchmark
├── PCI DSS v3.2.1
└── NIST SP 800-53
Integrations:
├── Amazon Macie (sensitive data)
├── Amazon GuardDuty (threat detection)
├── AWS Config (configuration compliance)
├── Amazon Inspector (vulnerability assessment)
├── IAM Access Analyzer (access findings)
└── AWS Firewall Manager (security policy)
Compliance Score:
├── Per-standard compliance percentage
├── Failed controls tracking
├── Prioritized findings by severity
└── Trend analysis over timeCompliance Programs
HIPAA (Healthcare)
HIPAA Requirements
| Requirement | AWS Implementation |
|---|---|
| PHI encryption at rest | SSE-KMS for S3, encrypted EBS/RDS |
| PHI encryption in transit | TLS 1.2+ enforced |
| Access controls | IAM, resource policies, MFA |
| Audit logging | CloudTrail, VPC Flow Logs |
| Business Associate Agreement | Sign AWS BAA |
PCI-DSS (Payment Cards)
PCI-DSS Requirements
| Requirement | AWS Implementation |
|---|---|
| Cardholder data encryption | KMS customer managed keys |
| Network segmentation | VPCs, security groups, NACLs |
| Access logging | CloudTrail, S3 access logs |
| Vulnerability scanning | Amazon Inspector |
| Key rotation | KMS automatic rotation |
GDPR (EU Data Protection)
GDPR Requirements
| Requirement | AWS Implementation |
|---|---|
| Data residency | EU regions only |
| Right to erasure | S3 lifecycle, data deletion |
| Data portability | S3 export capabilities |
| Breach notification | Security Hub, CloudWatch alerts |
| Consent management | Application-level implementation |
Use Cases
Use Case 1: Discover PII in S3
Scenario: Company needs to identify all S3 buckets containing PII for GDPR compliance.
Solution:
- Enable Amazon Macie
- Configure automated sensitive data discovery
- Review findings for PII detections
- Apply appropriate encryption and access controls
Use Case 2: Enforce Encryption Compliance
Scenario: Ensure all S3 buckets and EBS volumes are encrypted.
Solution:
- Enable AWS Config rules:
s3-bucket-server-side-encryption-enabledencrypted-volumes
- Set up auto-remediation with SSM Automation
- Report compliance status to Security Hub
Use Case 3: Data Residency for EU Customers
Scenario: EU customer data must remain in EU regions.
Solution:
- Use AWS Organizations SCPs to restrict regions
- Configure S3 bucket policies to deny cross-region replication
- Enable AWS Config rule to monitor region compliance
- Tag resources with geographic classification
Use Case 4: Classification-Based Access Control
Scenario: Only authorized users should access Restricted data.
Solution:
- Implement resource tagging for classification
- Use ABAC (Attribute-Based Access Control) with IAM
- Tag condition in IAM policies:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::*/*",
"Condition": {
"StringEquals": {
"s3:ExistingObjectTag/DataClassification": "${aws:PrincipalTag/ClearanceLevel}"
}
}
}
]
}Best Practices
Data Classification Best Practices
-
Define classification scheme early
- Establish levels before data collection
- Document handling requirements per level
- Train teams on classification criteria
-
Automate discovery
- Use Macie for continuous S3 scanning
- Custom data identifiers for business-specific data
- Regular review of findings
-
Tag consistently
- Enforce tagging through SCPs
- Use AWS Tag Policies for consistency
- Automate tagging where possible
-
Map controls to classification
- Higher classification = stronger controls
- Document control requirements
- Audit compliance regularly
Compliance Best Practices
-
Enable Security Hub
- Aggregate findings from all services
- Enable relevant compliance standards
- Set up automated notifications
-
Use AWS Config rules
- Enable managed rules for common checks
- Create custom rules for organization needs
- Configure auto-remediation
-
Maintain audit trails
- CloudTrail in all regions
- S3 access logging for sensitive buckets
- Centralized log analysis
-
Regular compliance reviews
- Scheduled compliance assessments
- Update controls as requirements change
- Document compliance evidence
Common Exam Scenarios
Exam Scenarios
| Scenario | Solution | Why |
|---|---|---|
| Discover PII in S3 buckets | Amazon Macie | ML-based sensitive data discovery |
| Monitor encryption compliance | AWS Config rules | Continuous configuration monitoring |
| Restrict data to specific region | SCPs + bucket policies | Prevent cross-region access |
| Aggregate security findings | AWS Security Hub | Central compliance dashboard |
| Classify resources by sensitivity | Resource tagging | Enables ABAC and reporting |
| Enforce compliance rules | AWS Config + auto-remediation | Automated compliance enforcement |
| HIPAA compliance validation | Security Hub + HIPAA controls | Built-in compliance standard |
| Detect credit card numbers in S3 | Amazon Macie | Financial data detection |
Common Pitfalls
Pitfall 1: Manual Classification Only
Mistake: Relying solely on manual data classification.
Why it fails: Humans miss sensitive data; doesn't scale
Correct Approach: Use Macie for automated discovery with manual review
Pitfall 2: Classification Without Controls
Mistake: Classifying data but not implementing corresponding controls.
Why it fails: Classification alone doesn't protect data
Correct Approach: Map each classification level to specific security controls
Pitfall 3: Ignoring Data Residency
Mistake: Not considering where data is physically stored.
Why it fails: May violate regulatory requirements
Correct Approach: Use SCPs and policies to enforce geographic boundaries
Pitfall 4: Inconsistent Tagging
Mistake: Optional or inconsistent resource tagging.
Why it fails: Cannot report or enforce policies based on classification
Correct Approach: Enforce required tags through SCPs and Tag Policies
Pitfall 5: Point-in-Time Compliance
Mistake: Treating compliance as a one-time audit.
Why it fails: Compliance drift as configurations change
Correct Approach: Continuous monitoring with AWS Config and Security Hub
Related Services
Quick Reference
Macie Pricing
Macie Pricing
| Component | Cost |
|---|---|
| Automated sensitive data discovery | $1.25 per account/month |
| S3 object evaluation | $1.00 per GB (first 50K GB) |
| Custom data identifiers | Included |
AWS Config Pricing
AWS Config Pricing
| Component | Cost |
|---|---|
| Configuration item recorded | $0.003 each |
| Config rule evaluations | $0.001 per evaluation |
| Conformance pack evaluations | $0.001 per evaluation |
Macie Data Identifiers
Personal Information:
├── Name, Address, Phone, Email
├── Social Security Number (SSN)
├── Date of Birth
├── Driver License Number
└── Passport Number
Financial Data:
├── Credit Card Number (PAN)
├── CVV/CVC
├── Bank Account Number
├── IBAN, SWIFT Code
└── Financial Statement
Credentials:
├── AWS Access Keys
├── API Keys
├── Passwords in plaintext
├── SSH Private Keys
└── PGP Private Keys
Healthcare (PHI):
├── Health Insurance ID
├── Medical Record Number
├── Drug Names
└── Healthcare Provider NumbersCLI Commands
# Enable Macie
aws macie2 enable-macie
# Create Macie classification job
aws macie2 create-classification-job \
--job-type ONE_TIME \
--s3-job-definition '{"bucketDefinitions":[{"accountId":"123456789012","buckets":["my-bucket"]}]}'
# List Macie findings
aws macie2 list-findings
# Enable AWS Config
aws configservice put-configuration-recorder \
--configuration-recorder name=default,roleARN=arn:aws:iam::123456789012:role/config-role
# Put Config rule
aws configservice put-config-rule \
--config-rule file://s3-encryption-rule.json
# Check compliance
aws configservice describe-compliance-by-config-ruleTest Your Knowledge
A company needs to automatically discover and classify sensitive data stored in S3 buckets. Which AWS service should they use?
Which AWS service provides continuous compliance monitoring against industry standards like CIS Benchmarks and PCI-DSS?
A company must ensure all data stays within EU regions. What is the most effective way to enforce this?
How can a company automatically remediate non-compliant S3 buckets that don't have encryption enabled?