Zhivko Todorov

CASE 37 · CORAL · 2025

MACIE · DLP · S3 · PII

PII in S3, before it lands in the wrong bucket.

An education platform discovered student PII in three S3 buckets that hadn’t been intended to hold it — uncovered by a junior engineer running an ad-hoc Athena query for an unrelated reason. We rolled out Macie across the org and built a DLP pipeline that catches new PII drops before they’re queryable.

INDUSTRY

Education platform

DOMAIN

SECURITY

DELIVERED

2025

STACK

AMAZON MACIE · S3 · EVENTBRIDGE · SECURITY HUB · LAMBDA · KMS

RESULTS

What changed, by the numbers.

BUCKETS SCANNED

441

ACROSS 12 ACCOUNTS

PII OBJECTS FOUND

2.3K

IN UNINTENDED LOCATIONS

TIME TO QUARANTINE

< 5m

AUTOMATED

RECURRENCE

0

120 DAYS POST-ROLLOUT

HOW IT WENT

The discovery conversation was tense and useful. Nothing had been exfiltrated. But the company had told customers (and regulators) that PII was confined to two specific buckets, and now there were six. The trust deficit was real.

We enrolled the org in Macie via the delegated administrator pattern, scoped the discovery jobs by data classification importance, and routed every finding through EventBridge into a Lambda quarantine handler — move the offending object to a locked bucket, alert the owning team, log to Security Hub.
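One concrete shape for that quarantine handler, as an added example that is not the page's or the engagement's own code: a Lambda function for the EventBridge "Macie Finding" event that ignores policy findings and objects already in a PII-permitted bucket, copies the offending object into a KMS-encrypted quarantine bucket, deletes the original only after the copy is confirmed, alerts via SNS, and records the action in Security Hub. The bucket names, KMS key ARN, SNS topic and allow-list are hypothetical (read from environment variables with constructed defaults); the sample event is constructed from the Macie finding layout and trimmed to the fields the handler reads; `RecordingClient` is an offline stand-in for the boto3 clients.

```python
"""Macie -> EventBridge -> Lambda quarantine handler (added example, not the page's own code).
Hypothetical settings: quarantine bucket, its KMS key, SNS topic, and the PII-permitted buckets."""
from __future__ import annotations
import json
import os
from dataclasses import asdict, dataclass
from datetime import datetime, timezone

QUARANTINE_BUCKET = os.environ.get("QUARANTINE_BUCKET", "example-pii-quarantine")
KMS_KEY_ARN = os.environ.get("QUARANTINE_KMS_KEY_ARN", "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE")
ALERT_TOPIC_ARN = os.environ.get("ALERT_TOPIC_ARN", "arn:aws:sns:us-east-1:111122223333:pii-alerts")
ALLOWED_PII_BUCKETS = set(os.environ.get("ALLOWED_PII_BUCKETS", "example-pii-allowed").split(","))


@dataclass(frozen=True)
class QuarantineAction:
    finding_id: str
    account_id: str
    region: str
    source_bucket: str
    source_key: str
    quarantine_key: str
    severity: str                # Macie severity description: Low / Medium / High
    categories: tuple[str, ...]


def plan_quarantine(event: dict) -> QuarantineAction | None:
    """Decide whether a 'Macie Finding' EventBridge event warrants quarantine (None if not)."""
    if event.get("source") != "aws.macie" or event.get("detail-type") != "Macie Finding":
        return None
    detail = event["detail"]
    # Macie also emits Policy:* findings (public bucket, encryption off); only act on sensitive data.
    if not detail.get("type", "").startswith("SensitiveData:S3Object"):
        return None
    affected = detail["resourcesAffected"]
    bucket, key = affected["s3Bucket"]["name"], affected["s3Object"]["key"]
    if bucket in ALLOWED_PII_BUCKETS:      # PII is supposed to live here; nothing to do
        return None
    found = detail.get("classificationDetails", {}).get("result", {}).get("sensitiveData", [])
    return QuarantineAction(
        finding_id=detail["id"], account_id=detail["accountId"], region=detail["region"],
        source_bucket=bucket, source_key=key,
        quarantine_key=f"{detail['accountId']}/{bucket}/{key}",   # traceable back to the owner
        severity=detail.get("severity", {}).get("description", "Medium"),
        categories=tuple(sorted({entry["category"] for entry in found})))


def to_asff(action: QuarantineAction, now: datetime) -> dict:
    """Security Hub finding (ASFF) recording that the object was quarantined."""
    ts = now.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {"SchemaVersion": "2018-10-08", "Id": f"macie-quarantine/{action.finding_id}",
            "ProductArn": f"arn:aws:securityhub:{action.region}:{action.account_id}"
                          f":product/{action.account_id}/default",
            "GeneratorId": "macie-quarantine-lambda", "AwsAccountId": action.account_id,
            "Types": ["Sensitive Data Identifications/PII"], "CreatedAt": ts, "UpdatedAt": ts,
            "Severity": {"Label": action.severity.upper()},
            "Title": f"PII object quarantined from s3://{action.source_bucket}",
            "Description": f"Macie finding {action.finding_id} ({', '.join(action.categories)}) "
                           f"moved to s3://{QUARANTINE_BUCKET}/{action.quarantine_key}",
            "Resources": [{"Type": "AwsS3Object", "Region": action.region,
                           "Id": f"arn:aws:s3:::{action.source_bucket}/{action.source_key}"}]}


def execute(action: QuarantineAction, s3, sns, securityhub, now: datetime | None = None) -> dict:
    """Copy to the locked bucket, delete the original, alert, log. Clients are injected (offline)."""
    now = now or datetime.now(timezone.utc)
    copied = s3.copy_object(
        Bucket=QUARANTINE_BUCKET, Key=action.quarantine_key,
        CopySource={"Bucket": action.source_bucket, "Key": action.source_key},
        ServerSideEncryption="aws:kms", SSEKMSKeyId=KMS_KEY_ARN,
        MetadataDirective="COPY", TaggingDirective="REPLACE",
        Tagging=f"macie-finding-id={action.finding_id}")
    if "CopyObjectResult" not in copied:      # never delete before the copy is confirmed
        raise RuntimeError(f"copy of s3://{action.source_bucket}/{action.source_key} failed")
    s3.delete_object(Bucket=action.source_bucket, Key=action.source_key)
    sns.publish(TopicArn=ALERT_TOPIC_ARN, Message=json.dumps(asdict(action)),
                Subject=f"[{action.severity}] PII quarantined from {action.source_bucket}")
    securityhub.batch_import_findings(Findings=[to_asff(action, now)])
    return {"finding": action.finding_id,
            "quarantined": f"s3://{QUARANTINE_BUCKET}/{action.quarantine_key}"}


def lambda_handler(event, context):
    import boto3        # present in the Lambda runtime; imported lazily so the module loads offline
    action = plan_quarantine(event)
    return {"quarantined": None} if action is None else execute(
        action, boto3.client("s3"), boto3.client("sns"), boto3.client("securityhub"))


class RecordingClient:
    """Offline stand-in for a boto3 client: records calls, returns a minimal success reply."""
    def __init__(self, copy_ok: bool = True):
        self.calls, self.copy_ok = [], copy_ok

    def __getattr__(self, name):
        def call(**kwargs):
            self.calls.append((name, kwargs))
            return {"CopyObjectResult": {"ETag": '"constructed"'}} if name == "copy_object" and self.copy_ok else {}
        return call


# Constructed sample event in the shape EventBridge delivers Macie findings (fields trimmed).
SAMPLE_EVENT = {"source": "aws.macie", "detail-type": "Macie Finding", "detail": {
    "id": "constructed-finding-0001", "accountId": "111122223333", "region": "us-east-1",
    "type": "SensitiveData:S3Object/Personal", "severity": {"description": "High", "score": 3},
    "resourcesAffected": {"s3Bucket": {"name": "example-student-uploads"},
                          "s3Object": {"key": "exports/2025/roster.csv"}},
    "classificationDetails": {"result": {"sensitiveData": [
        {"category": "PERSONAL_INFORMATION", "totalCount": 412}]}}}}
```

Two things the code leaves to the deployment: on a versioned source bucket, `delete_object` without a `VersionId` only writes a delete marker, so a real rollout either deletes the specific version or relies on a lifecycle rule to expire noncurrent versions; and the Lambda role needs only `s3:GetObject` on the scanned buckets, `s3:PutObject` plus `kms:GenerateDataKey` on the quarantine side, `s3:DeleteObject`, `sns:Publish` and `securityhub:BatchImportFindings`, with the quarantine bucket policy denying every other principal. The ASFF `Id` is derived from the Macie finding id, so a rescan that re-emits the same finding updates the Security Hub record rather than duplicating it.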

The first month surfaced the historical buildup. Subsequent months show roughly two findings per week, all caught and quarantined inside five minutes. The team's incident channel was renamed from "macie-findings" to "macie-prevented-incidents."

READY WHEN YOU ARE

Let's get your AWS bill (and architecture) in order.

The discovery call is free. You walk away with at least one concrete idea — even if we never work together.
