If there's a hole in your S3 bucket, data thieves will be sprayed by Macie

Crazy. Hacking gets more and more like actual real life infiltration every day; now you have to act natural and blend in to avoid detection. It's not enough to just get into the system anymore.

Behavioral modeling sounds nice in theory.

The problem in reality so far is the huge volume of false alerts.

Conversely, cutting down the volume of false alerts increases the likelihood of actual bad behavior occurring.

Then there's the rampup problem: behavioral models require a set of existing data to build upon. The longer/greater this data set, the more "effective" the detection of real problems (and minimizing false alerts). However, the entire point of the cloud is rapid rampup and down.

If the customer is a SNAP, the behaviors of SNAP's flagship product spread across thousands of instances is fairly uniform.

If the customer is a small company, however, it isn't going to be. And staffing changes won't help either. And then there's the dreaded SuperUser: multiple staff using a single superuser or other account to perform their collective work.

Who actually gets alerts from Macie? How well does the product work?

Time will tell.

Trusteer Rapport

Once upon a time I logged onto a customer's router only to be confronted with an alert from Rapport informing me that I had entered a sensitive keyword. I quizzed the customer about this and he told me that he used the same password for on-line banking. Glossing over the prudence of sharing passwords for the purposes of this comment, knowing this idiosyncracy meant that a hacker would know that the Rapport icon in any browser is a great invitation to run a dictionary attack. I would hope that that vulnerability has now been fixed.

Err .. but

Don't you have to enable CloudTrail first and a whole raft of other stuff to get Macie to work? Might be a lot quicker to follow the very simple to use guide to creating proper permissions and bucket policies instead.