You may have received an email from Amazon with the subject line:

[Action required] An outdated version of Amazon Macie is still in use and incurring charges in one of your accounts

Or when you sign into your AWS account and visit the Macie service, you may see this banner (e.g. on https://mt.us-east-1.macie.aws.amazon.com/dashboard):

You’re using Macie Classic, an earlier version of this service. You can benefit from significant improvements at a lower cost by using the new Macie for sensitive data detection and GuardDuty for threat detection.

Make sure you read the "Moving to the New Amazon Macie" article, especially the "Which encryption key?" section under "Before You Begin". This will show you the required policy for your KMS key.

This is one of those cases where you cannot afford to skim over the documentation and guides, and you should carefully read through the entire guide before beginning the migration. Otherwise you will run into KMS key permission errors, as described below.


I wanted to export all of my data from Macie Classic and save it in an S3 bucket before disabling Macie Classic and switching to the new Macie. However, I ran into some problems with their "Export data" feature, and I couldn't figure out how to set the correct permissions for the KMS key:

I left the Bucket field blank, so that the Macie Classic export tool would automatically create a new bucket. I created a new KMS key, and then pasted the ARN into the KMS key ARN field.

However, after clicking the Export Data button, I would see an error message: "Error found in writing to the bucket using the given kms key."

I couldn't find any way to resolve this error, so I contacted AWS support. The answer is that I needed to modify the KMS key policy to allow the service "macie.amazonaws.com" access to the key.

Here is the policy snippet that is required for the KMS key:

{
    "Sid": "Allow Macie Classic to use the key",
    "Effect": "Allow",
    "Principal": {
        "Service": "macie.amazonaws.com"
    },
    "Action": [
        "kms:Encrypt",
        "kms:GenerateDataKey*"
    ],
    "Resource": "*"
}

Note: If you've run into this permission error, you should visit the S3 service and delete any empty S3 buckets that have been created. (Search for "macie".)
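To make the requirement above checkable before you click Export Data, here is a small Python check, added as an example and not part of the original post. It parses a KMS key policy document and reports which of the two actions (kms:Encrypt and kms:GenerateDataKey, the latter covered by the kms:GenerateDataKey* wildcard) are not granted to the macie.amazonaws.com service principal; the two sample policies and the account id are constructed placeholders.

```python
import fnmatch
import json

# Constructed sample key policies (placeholder account id): the root-admin
# statement a new KMS key gets by default, with and without the Macie Classic
# statement from this post.
ROOT_ADMIN_STATEMENT = {
    "Sid": "Enable IAM User Permissions", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Action": "kms:*", "Resource": "*",
}
MACIE_STATEMENT = {
    "Sid": "Allow Macie Classic to use the key", "Effect": "Allow",
    "Principal": {"Service": "macie.amazonaws.com"},
    "Action": ["kms:Encrypt", "kms:GenerateDataKey*"], "Resource": "*",
}
ROOT_ONLY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [ROOT_ADMIN_STATEMENT]})
MACIE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [ROOT_ADMIN_STATEMENT, MACIE_STATEMENT]})

MACIE_SERVICE = "macie.amazonaws.com"
REQUIRED_ACTIONS = ("kms:Encrypt", "kms:GenerateDataKey")


def _as_list(value):
    """IAM accepts a single string wherever a list of strings is allowed."""
    return value if isinstance(value, list) else [value]


def missing_macie_actions(policy_json):
    """Required actions that no Allow statement grants to macie.amazonaws.com (Deny is not evaluated)."""
    granted = set()
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else _as_list(principal)
        if stmt.get("Effect") != "Allow" or not any(fnmatch.fnmatchcase(MACIE_SERVICE, s) for s in services):
            continue
        if "*" not in _as_list(stmt.get("Resource", [])):  # in a key policy, Resource "*" means this key
            continue
        for pattern in _as_list(stmt.get("Action", [])):  # handles wildcards such as kms:GenerateDataKey* or kms:*
            granted.update(a for a in REQUIRED_ACTIONS if fnmatch.fnmatchcase(a, pattern))
    return [a for a in REQUIRED_ACTIONS if a not in granted]


def macie_classic_can_use_key(policy_json):
    """True when the key policy carries the grant the Macie Classic export needs."""
    return not missing_macie_actions(policy_json)
```

Feed it the output of `aws kms get-key-policy --key-id <your key> --policy-name default --output text` to check a real key before running the export.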


After setting the correct policy for your KMS key, the export will start successfully:

After the export is complete, the banner will change to say: "Export done, disable Macie Classic."

However, I checked the S3 bucket, and it appears to be empty (apart from some JOB_START_TOKEN and JOB_END_TOKEN objects).

So I will follow up with AWS support about this, since I don't want to lose any historical logs or events in case I need to review these in the future.


It would be nice if I could also leave the KMS key ARN blank, and a new key would be automatically created with the correct policy. But for now, make sure you carefully read through the "Moving to the New Amazon Macie" article.