Reading20 min read·Module 1

Data Classification & Compliance

Key concepts

  • Amazon Macie for sensitive data

  • AWS Config for compliance

  • Data residency requirements

  • Tagging for classification

  • Compliance programs (HIPAA, PCI)

Overview

Data classification is the process of organizing data into categories that make it easier to apply appropriate security controls, meet compliance requirements, and manage data throughout its lifecycle. AWS provides services and features to help discover, classify, and protect sensitive data.

Understanding data classification is important for the SAA-C03 exam because it connects security controls to business and regulatory requirements. You need to know how to use Amazon Macie for sensitive data discovery, AWS Config for compliance monitoring, and how to implement classification through tagging and policies.

Classification Drives Controls

Data classification drives security controls. Highly sensitive data (PII, PHI, financial) requires stronger encryption, access controls, and audit logging than general business data.

Exam Tip

Focus on Amazon Macie for discovering sensitive data in S3, AWS Config for compliance rules, data residency considerations, and how classification integrates with other AWS security services.


Key Concepts

Data Classification Levels

Data Classification Levels
Figure 1: Common classification scheme from public to restricted

Classification Levels

Organizations typically use four classification levels:

Data Classification Levels

LevelDescriptionExamplesRequired Controls
PublicNo restrictionsMarketing materials, public docsBasic access controls
InternalBusiness use onlyInternal policies, proceduresAuthentication required
ConfidentialRestricted accessFinancial reports, contractsEncryption + access control
RestrictedHighly sensitivePII, PHI, payment card dataEncryption + audit + MFA

Amazon Macie

Amazon Macie is a fully managed data security service that uses machine learning to automatically discover, classify, and protect sensitive data in S3.

Amazon Macie Capabilities

TEXTMacie Capabilities
Amazon Macie:
├── Automatic Discovery
│   ├── Scans S3 buckets continuously
│   ├── Uses ML + pattern matching
│   └── Identifies sensitive data types
│
├── Sensitive Data Types
│   ├── Personal Identifiable Information (PII)
│   │   ├── Names, addresses, phone numbers
│   │   ├── Social Security Numbers
│   │   └── Email addresses
│   │
│   ├── Financial Data
│   │   ├── Credit card numbers
│   │   ├── Bank account numbers
│   │   └── Financial statements
│   │
│   └── Protected Health Information (PHI)
│       ├── Medical records
│       ├── Health insurance info
│       └── Prescription data
│
└── Custom Data Identifiers
    ├── Define your own patterns
    ├── Regex-based detection
    └── Organization-specific data

AWS Config for Compliance

AWS Config enables continuous compliance monitoring with rules that evaluate resource configurations:

AWS Config Compliance Rules

TEXTAWS Config Compliance Rules
Security & Encryption Rules:
├── s3-bucket-server-side-encryption-enabled
├── s3-bucket-ssl-requests-only
├── encrypted-volumes
├── rds-storage-encrypted
├── kms-cmk-not-scheduled-for-deletion
└── acm-certificate-expiration-check

Access Control Rules:
├── s3-bucket-public-read-prohibited
├── s3-bucket-public-write-prohibited
├── iam-user-mfa-enabled
├── iam-root-access-key-check
└── restricted-ssh

Data Protection Rules:
├── s3-bucket-versioning-enabled
├── dynamodb-pitr-enabled
├── rds-multi-az-support
└── backup-plan-min-frequency-and-min-retention-check

Data Residency & Sovereignty

Data Residency
Figure 2: Data residency controls keep data within geographic boundaries

Data Residency Solutions

RequirementAWS Solution
Data must stay in specific countrySelect appropriate AWS Region
Data must not leave regionS3 bucket policies, SCP restrictions
Backup copies must be co-locatedSame-region replication only
Cross-border transfer controlsAWS Config + SCPs to prevent replication
JSONSCP to Restrict Regions
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyNonEURegions",
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": [
            "eu-west-1",
            "eu-west-2",
            "eu-central-1"
          ]
        }
      }
    }
  ]
}

How It Works

Macie Discovery Process

Macie Discovery Flow
Figure 3: Macie automatically discovers and classifies sensitive data in S3
TEXTMacie Discovery Flow
1. ENABLE MACIE
   └── Enable for AWS account
   └── Configure S3 buckets to scan

2. AUTOMATED DISCOVERY
   └── Macie samples objects from buckets
   └── Uses ML classifiers + regex patterns
   └── Runs continuously (daily by default)

3. SENSITIVE DATA FINDINGS
   └── Generates findings for sensitive data
   └── Classifies by type (PII, financial, etc.)
   └── Includes location and severity

4. ACTIONS
   └── Send findings to Security Hub
   └── Trigger EventBridge rules
   └── Integrate with SIEM/alerting

5. REMEDIATION
   └── Review and remediate findings
   └── Apply encryption, access controls
   └── Update data handling procedures

Tagging for Classification

Classification Tagging Strategy

Tags enable classification metadata on AWS resources:

TEXTClassification Tagging Strategy
Recommended Tags:
├── DataClassification: Public | Internal | Confidential | Restricted
├── DataOwner: team-name or owner-email
├── ComplianceScope: HIPAA | PCI-DSS | SOC2 | GDPR
├── RetentionPeriod: 1-year | 3-year | 7-year | indefinite
└── CostCenter: department-code

Example S3 Bucket Tags:
{
  "DataClassification": "Restricted",
  "DataOwner": "security-team@company.com",
  "ComplianceScope": "PCI-DSS",
  "RetentionPeriod": "7-year",
  "Environment": "production"
}

Enforce with Tag Policies (AWS Organizations):
├── Require specific tags on resources
├── Enforce allowed values
└── Prevent resource creation without tags

AWS Security Hub Integration

Security Hub Compliance
Figure 4: Security Hub aggregates compliance findings from multiple services

Security Hub

Security Hub provides a comprehensive view of security and compliance:

TEXTSecurity Hub Compliance Standards
Built-in Standards:
├── AWS Foundational Security Best Practices
├── CIS AWS Foundations Benchmark
├── PCI DSS v3.2.1
└── NIST SP 800-53

Integrations:
├── Amazon Macie (sensitive data)
├── Amazon GuardDuty (threat detection)
├── AWS Config (configuration compliance)
├── Amazon Inspector (vulnerability assessment)
├── IAM Access Analyzer (access findings)
└── AWS Firewall Manager (security policy)

Compliance Score:
├── Per-standard compliance percentage
├── Failed controls tracking
├── Prioritized findings by severity
└── Trend analysis over time

Compliance Programs

HIPAA (Healthcare)

HIPAA Requirements

RequirementAWS Implementation
PHI encryption at restSSE-KMS for S3, encrypted EBS/RDS
PHI encryption in transitTLS 1.2+ enforced
Access controlsIAM, resource policies, MFA
Audit loggingCloudTrail, VPC Flow Logs
Business Associate AgreementSign AWS BAA

PCI-DSS (Payment Cards)

PCI-DSS Requirements

RequirementAWS Implementation
Cardholder data encryptionKMS customer managed keys
Network segmentationVPCs, security groups, NACLs
Access loggingCloudTrail, S3 access logs
Vulnerability scanningAmazon Inspector
Key rotationKMS automatic rotation

GDPR (EU Data Protection)

GDPR Requirements

RequirementAWS Implementation
Data residencyEU regions only
Right to erasureS3 lifecycle, data deletion
Data portabilityS3 export capabilities
Breach notificationSecurity Hub, CloudWatch alerts
Consent managementApplication-level implementation

Use Cases

Use Case 1: Discover PII in S3

Scenario: Company needs to identify all S3 buckets containing PII for GDPR compliance.

Solution:

  • Enable Amazon Macie
  • Configure automated sensitive data discovery
  • Review findings for PII detections
  • Apply appropriate encryption and access controls

Use Case 2: Enforce Encryption Compliance

Scenario: Ensure all S3 buckets and EBS volumes are encrypted.

Solution:

  • Enable AWS Config rules:
    • s3-bucket-server-side-encryption-enabled
    • encrypted-volumes
  • Set up auto-remediation with SSM Automation
  • Report compliance status to Security Hub

Use Case 3: Data Residency for EU Customers

Scenario: EU customer data must remain in EU regions.

Solution:

  • Use AWS Organizations SCPs to restrict regions
  • Configure S3 bucket policies to deny cross-region replication
  • Enable AWS Config rule to monitor region compliance
  • Tag resources with geographic classification

Use Case 4: Classification-Based Access Control

Scenario: Only authorized users should access Restricted data.

Solution:

  • Implement resource tagging for classification
  • Use ABAC (Attribute-Based Access Control) with IAM
  • Tag condition in IAM policies:
JSONABAC Policy for Classified Data
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::*/*",
      "Condition": {
        "StringEquals": {
          "s3:ExistingObjectTag/DataClassification": "${aws:PrincipalTag/ClearanceLevel}"
        }
      }
    }
  ]
}

Best Practices

Data Classification Best Practices

  1. Define classification scheme early

    • Establish levels before data collection
    • Document handling requirements per level
    • Train teams on classification criteria
  2. Automate discovery

    • Use Macie for continuous S3 scanning
    • Custom data identifiers for business-specific data
    • Regular review of findings
  3. Tag consistently

    • Enforce tagging through SCPs
    • Use AWS Tag Policies for consistency
    • Automate tagging where possible
  4. Map controls to classification

    • Higher classification = stronger controls
    • Document control requirements
    • Audit compliance regularly

Compliance Best Practices

  1. Enable Security Hub

    • Aggregate findings from all services
    • Enable relevant compliance standards
    • Set up automated notifications
  2. Use AWS Config rules

    • Enable managed rules for common checks
    • Create custom rules for organization needs
    • Configure auto-remediation
  3. Maintain audit trails

    • CloudTrail in all regions
    • S3 access logging for sensitive buckets
    • Centralized log analysis
  4. Regular compliance reviews

    • Scheduled compliance assessments
    • Update controls as requirements change
    • Document compliance evidence

Common Exam Scenarios

Exam Scenarios

ScenarioSolutionWhy
Discover PII in S3 bucketsAmazon MacieML-based sensitive data discovery
Monitor encryption complianceAWS Config rulesContinuous configuration monitoring
Restrict data to specific regionSCPs + bucket policiesPrevent cross-region access
Aggregate security findingsAWS Security HubCentral compliance dashboard
Classify resources by sensitivityResource taggingEnables ABAC and reporting
Enforce compliance rulesAWS Config + auto-remediationAutomated compliance enforcement
HIPAA compliance validationSecurity Hub + HIPAA controlsBuilt-in compliance standard
Detect credit card numbers in S3Amazon MacieFinancial data detection

Common Pitfalls

Pitfall 1: Manual Classification Only

Mistake: Relying solely on manual data classification.

Why it fails: Humans miss sensitive data; doesn't scale

Correct Approach: Use Macie for automated discovery with manual review

Pitfall 2: Classification Without Controls

Mistake: Classifying data but not implementing corresponding controls.

Why it fails: Classification alone doesn't protect data

Correct Approach: Map each classification level to specific security controls

Pitfall 3: Ignoring Data Residency

Mistake: Not considering where data is physically stored.

Why it fails: May violate regulatory requirements

Correct Approach: Use SCPs and policies to enforce geographic boundaries

Pitfall 4: Inconsistent Tagging

Mistake: Optional or inconsistent resource tagging.

Why it fails: Cannot report or enforce policies based on classification

Correct Approach: Enforce required tags through SCPs and Tag Policies

Pitfall 5: Point-in-Time Compliance

Mistake: Treating compliance as a one-time audit.

Why it fails: Compliance drift as configurations change

Correct Approach: Continuous monitoring with AWS Config and Security Hub



Quick Reference

Macie Pricing

Macie Pricing

ComponentCost
Automated sensitive data discovery$1.25 per account/month
S3 object evaluation$1.00 per GB (first 50K GB)
Custom data identifiersIncluded

AWS Config Pricing

AWS Config Pricing

ComponentCost
Configuration item recorded$0.003 each
Config rule evaluations$0.001 per evaluation
Conformance pack evaluations$0.001 per evaluation

Macie Data Identifiers

TEXTBuilt-in Macie Identifiers
Personal Information:
├── Name, Address, Phone, Email
├── Social Security Number (SSN)
├── Date of Birth
├── Driver License Number
└── Passport Number

Financial Data:
├── Credit Card Number (PAN)
├── CVV/CVC
├── Bank Account Number
├── IBAN, SWIFT Code
└── Financial Statement

Credentials:
├── AWS Access Keys
├── API Keys
├── Passwords in plaintext
├── SSH Private Keys
└── PGP Private Keys

Healthcare (PHI):
├── Health Insurance ID
├── Medical Record Number
├── Drug Names
└── Healthcare Provider Numbers

CLI Commands

SHMacie and Config CLI
# Enable Macie
aws macie2 enable-macie

# Create Macie classification job
aws macie2 create-classification-job \
  --job-type ONE_TIME \
  --s3-job-definition '{"bucketDefinitions":[{"accountId":"123456789012","buckets":["my-bucket"]}]}'

# List Macie findings
aws macie2 list-findings

# Enable AWS Config
aws configservice put-configuration-recorder \
  --configuration-recorder name=default,roleARN=arn:aws:iam::123456789012:role/config-role

# Put Config rule
aws configservice put-config-rule \
  --config-rule file://s3-encryption-rule.json

# Check compliance
aws configservice describe-compliance-by-config-rule

Test Your Knowledge

Q

A company needs to automatically discover and classify sensitive data stored in S3 buckets. Which AWS service should they use?

AAWS Config
BAmazon GuardDuty
CAmazon Macie
DAWS Security Hub
Q

Which AWS service provides continuous compliance monitoring against industry standards like CIS Benchmarks and PCI-DSS?

AAmazon Macie
BAWS Config
CAWS Security Hub
DAmazon Inspector
Q

A company must ensure all data stays within EU regions. What is the most effective way to enforce this?

AIAM policies on users
BS3 bucket policies
CService Control Policies (SCPs)
DVPC endpoint policies
Q

How can a company automatically remediate non-compliant S3 buckets that don't have encryption enabled?

AAmazon Macie auto-remediation
BAWS Config rules with SSM Automation
CAWS Security Hub remediation
DS3 event notifications

Further Reading

Related services

MacieConfigSecurity Hub