
Macie: Automatically Discover, Classify, and Secure Content at Scale - forrestbrazeal
https://aws.amazon.com/blogs/aws/launch-amazon-macie-securing-your-s3-buckets/
======
avip
Dear aws,

Could you guys take it easy for a moment with spawning new weird services like
horny hamsters, reflect on the ~372 you already have, and fix some aspects of
them?

    How about letting me add basic auth to S3 or CloudFront?
    How about non-expiring signed s3 urls?
    How about restricted access to api-gateway?
    Hey, how about fixing Athena to stop throwing random errors, and actually support the fully featured presto syntax?

I could extend this list with 64 items more without even opening my dedicated
aws complaints notebook.

~~~
alexbilbie
You can implement basic auth using Lambda@Edge.

You could also implement your own non-expiring signed URLs with Lambda@Edge
too.
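
The Lambda@Edge approach mentioned in the reply above, as an added example that is not part of the original comment: a CloudFront viewer-request handler that enforces HTTP Basic auth. The credentials, the realm name and the helper names are constructed placeholders.

```javascript
// Added example: Lambda@Edge viewer-request handler enforcing HTTP Basic auth.
// EXPECTED_USER / EXPECTED_PASS are constructed placeholders, not from the thread.
const EXPECTED_USER = 'example-user';
const EXPECTED_PASS = 'example-password';
const EXPECTED_HEADER =
  'Basic ' + Buffer.from(`${EXPECTED_USER}:${EXPECTED_PASS}`).toString('base64');

// Compare without returning early on the first mismatching byte.
function constantTimeEqual(supplied, expected) {
  const a = Buffer.from(String(supplied));
  const b = Buffer.from(String(expected));
  let diff = a.length ^ b.length;
  for (let i = 0; i < a.length; i++) {
    diff |= a[i] ^ b[i % b.length];
  }
  return diff === 0;
}

// Response CloudFront returns to the viewer instead of contacting the origin.
const UNAUTHORIZED = {
  status: '401',
  statusDescription: 'Unauthorized',
  headers: {
    'www-authenticate': [{ key: 'WWW-Authenticate', value: 'Basic realm="Restricted"' }],
  },
  body: 'Unauthorized',
};

// Returns the request (CloudFront continues) or a generated 401 response.
function authorize(request) {
  const values = (request.headers && request.headers.authorization) || [];
  // Reject a missing or duplicated Authorization header outright.
  if (values.length !== 1) return UNAUTHORIZED;
  return constantTimeEqual(values[0].value, EXPECTED_HEADER) ? request : UNAUTHORIZED;
}

// Lambda entry point: CloudFront passes the request under Records[0].cf.request.
async function handler(event) {
  return authorize(event.Records[0].cf.request);
}

if (typeof module !== 'undefined') module.exports = { handler };
```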

~~~
spaceseaman
_rolls eyes_

Is there some reason programmers feel this need to bring up workarounds when
I'm looking for an actual solution? If I could count how many answers on
StackOverflow are just "well if you use JQuery..." or "Well if you use
Boost...".

Address the point the person you're responding to is making, and answer only
the questions they are asking. Making assumptions just wastes people's time. I
understand you're just trying to help, but it comes across as really
condescending.

"You _should_ be doing this you pleb!"

is how I always read these types of responses in my head, and it's really
frustrating because often-times I'm already aware of whatever workaround
you've mentioned, have already tried it, and know it's not suitable. It's
doubly frustrating when you're specifically looking for the solution that's
not the workaround.

~~~
IanCal
There's no need to be like that.

> Is there some reason programmers feel this need to bring up workarounds when
> I'm looking for an actual solution?

It _is_ a solution! It's not the same solution you want, but it's an _actual
solution to the problem you described_.

> Address the point the person you're responding to is making, and answer only
> the questions they are asking.

They are addressing the point, and "answer only the questions they are
asking." is a dreadful idea to me. So often people are asking how to solve a
problem in a specific way, but there's no good reason to be limiting
themselves in that way. Given that they currently can't easily solve their
problem in that specific way, it suggests that if there is a nice solution
they are likely looking in the wrong place.

> Making assumptions just wastes people's time.

I feel like _not_ sharing a solution because you think that the person you're
trying to help has some unexpected extra

> is how I always read these types of responses in my head, and it's really
> frustrating because often-times I'm already aware of whatever workaround
> you've mentioned, have already tried it, and know it's not suitable. It's
> doubly frustrating when you're specifically looking for the solution that's
> not the workaround.

Then you should make it more explicit what you've already tried. We're not
inside your head, and many people _haven't_ tried these things before. This
is a good guide:
[http://www.catb.org/esr/faqs/smart-questions.html](http://www.catb.org/esr/faqs/smart-questions.html)

I didn't realise lambda@edge was a thing, or that I could use it to solve
these problems. If I'd asked the question, these would have helped me. Why
should someone refrain from writing a concise and polite response helping me
purely because they think I may have tried that before and it will annoy me?

> "You should be doing this you pleb!" is how I always read these types of
> responses in my head,

Then you may benefit from trying to work on this. Their reply has none of this
snark or rudeness at all, and is simply listing some ways of solving the
problem. You are the one that added this mentally, and then it annoys you. You
are adding something yourself which then annoys you.

Go back and read what they said. They very simply explained that AWS lets you
do those things using lambda@edge. There was absolutely no reason to reply so
rudely.

~~~
mseebach
So, I totally agree with you on the tone of the GP, and that workarounds are
worthwhile to share, but I feel like they have a point.

I feel the problem is more pronounced in the JavaScript/webdev community
(caveat: I'm recently dabbling in web front end development after a good
number of years in Java-land) - the willingness to throw a poorly understood
workaround or npm-incantation out there ("it usually works if I.."), rather
than trying to actually get at the root of the problem is frustrating. I don't
just want to make it work, I want to understand why it didn't before. It
seems, from still shallow observation, that the community (such as a singular
community exists) has an ethos of doing whatever to make it work and moving
on.

Sometimes the root of the issue is a fundamental limitation that you need to
work around, and workarounds are definitely useful in those cases, but they
are definitely frustrating when they aren't accompanied by reasonably precise
diagnosis of the problem they are working around.

------
pavel_lishin
> _once your data has been classified by Macie, it assigns each data item a
> business value_

... and a thousand startup founders started the process, looked at the
results, put their heads down on their desks, and wept quietly.

~~~
koolba
I don't get it. Are they crying because they have a ton of unsecured PII or
because all their data is worthless?

~~~
kevinr
Yes.

~~~
abrookewood
Would you like Coffee or Tea? Yes.

~~~
ben_jones
Whiskey or Vodka?

------
SadWebDeveloper
Is there an actual use for this? Seems like it's another useless service from
the aws team instead of focusing on improving their interfaces, APIs and
pricing options.

~~~
openasocket
Data Loss Prevention (DLP) and related things, mostly. Like alerting you that
you just wrote a bunch of private customer data to a world-readable bucket. Or
that some random employee is downloading all of your privileged and
confidential reports, which could mean their credentials have been
compromised. Very very nice if you have data stored in S3 that you really want
to keep secure.

DISCLAIMER: work for AWS, have met and talked with the Macie team on several
occasions. Opinions on here are my own

~~~
SadWebDeveloper
Still this seems like a poorly managed enterprise, probably a lazy CTO or lack
of a CISO. Personally I'm kinda skeptical that these services actually offer value
in a well managed enterprise, especially if you work under the assumption that
everything that's on the internet, or well "the cloud", is by nature
inherently insecure. Let's see how long those "valley people" keep milking the
"AI", "Deep learning", "Machine Learning" hype.

------
QUFB
Not cheap:
[https://aws.amazon.com/macie/pricing/](https://aws.amazon.com/macie/pricing/)

After first GB, $5 per GB processed by the content classification engine

~~~
abrookewood
That's $5 once for each GB, not $5 per GB per month. Seems reasonable to me
compared to the cost of implementing a DLP solution.

------
sah2ed
> When Jeff and I heard about this service, we both were curious on the
> meaning of the name Macie. Of course, Jeff being a great researcher looked
> up the name Macie and found that the name Macie has two meanings.

I somehow initially parsed the author's mention of Jeff as Jeff Bezos but soon
realized she was referring to Jeff Barr, chief evangelist of AWS.

------
tucif
I don't think their SVM classifier would work over encrypted data, so if a
service stores data encrypted at rest, is this useful at all?

~~~
eropple
Most people using S3 are encrypting their data with KMS. Haven't looked, but
if it's like every other S3 consumer, you can write a trust policy for Macie.

------
dfc
> _The first meaning of Macie that was found, said that that name meant
> “weapon”._

Is Macie a French word for weapon? I'm familiar with the English word "mace"
that is a weapon but not Macie.

------
leastangle
I ask myself how many people are storing _potentially_ sensitive information
without application level encryption so that AWS decides to build such a tool...
slightly distressing.

------
porker
I don't get it. In what scenarios would this be useful?

------
sandGorgon
How do people train and build a service like this?

