Amazon Macie 2

2024/06/14 - Amazon Macie 2 - 2 new4 updated api methods

Changes  This release adds support for managing the status of automated sensitive data discovery for individual accounts in an organization, and determining whether individual S3 buckets are included in the scope of the analyses.

ListAutomatedDiscoveryAccounts (new) Link ¶

Retrieves the status of automated sensitive data discovery for one or more accounts.

See also: AWS API Documentation

Request Syntax

client.list_automated_discovery_accounts(
    accountIds=[
        'string',
    ],
    maxResults=123,
    nextToken='string'
)
type accountIds:

list

param accountIds:

The Amazon Web Services account ID for each account, for as many as 50 accounts. To retrieve the status for multiple accounts, append the accountIds parameter and argument for each account, separated by an ampersand (&). To retrieve the status for all the accounts in an organization, omit this parameter.

  • (string) --

type maxResults:

integer

param maxResults:

The maximum number of items to include in each page of a paginated response.

type nextToken:

string

param nextToken:

The nextToken string that specifies which page of results to return in a paginated response.

rtype:

dict

returns:

Response Syntax

{
    'items': [
        {
            'accountId': 'string',
            'status': 'ENABLED'|'DISABLED'
        },
    ],
    'nextToken': 'string'
}

Response Structure

  • (dict) --

    The request succeeded.

    • items (list) --

      An array of objects, one for each account specified in the request. Each object specifies the Amazon Web Services account ID for an account and the current status of automated sensitive data discovery for that account.

      • (dict) --

        Provides information about the status of automated sensitive data discovery for an Amazon Macie account.

        • accountId (string) --

          The Amazon Web Services account ID for the account.

        • status (string) --

          The current status of automated sensitive data discovery for the account. Possible values are: ENABLED, perform automated sensitive data discovery activities for the account; and, DISABLED, don't perform automated sensitive data discovery activities for the account.

    • nextToken (string) --

      The string to use in a subsequent request to get the next page of results in a paginated response. This value is null if there are no additional pages.

BatchUpdateAutomatedDiscoveryAccounts (new) Link ¶

Changes the status of automated sensitive data discovery for one or more accounts.

See also: AWS API Documentation

Request Syntax

client.batch_update_automated_discovery_accounts(
    accounts=[
        {
            'accountId': 'string',
            'status': 'ENABLED'|'DISABLED'
        },
    ]
)
type accounts:

list

param accounts:

An array of objects, one for each account to change the status of automated sensitive data discovery for. Each object specifies the Amazon Web Services account ID for an account and a new status for that account.

  • (dict) --

    Changes the status of automated sensitive data discovery for an Amazon Macie account.

    • accountId (string) --

      The Amazon Web Services account ID for the account.

    • status (string) --

      The new status of automated sensitive data discovery for the account. Valid values are: ENABLED, perform automated sensitive data discovery activities for the account; and, DISABLED, don't perform automated sensitive data discovery activities for the account.

rtype:

dict

returns:

Response Syntax

{
    'errors': [
        {
            'accountId': 'string',
            'errorCode': 'ACCOUNT_PAUSED'|'ACCOUNT_NOT_FOUND'
        },
    ]
}

Response Structure

  • (dict) --

    The request succeeded. However, the update might have failed for one or more accounts.

    • errors (list) --

      An array of objects, one for each account whose status wasn’t changed. Each object identifies the account and explains why the status of automated sensitive data discovery wasn’t changed for the account. This value is null if the request succeeded for all specified accounts.

      • (dict) --

        Provides information about a request that failed to change the status of automated sensitive data discovery for an Amazon Macie account.

        • accountId (string) --

          The Amazon Web Services account ID for the account that the request applied to.

        • errorCode (string) --

          The error code for the error that caused the request to fail for the account (accountId). Possible values are: ACCOUNT_NOT_FOUND, the account doesn’t exist or you're not the Amazon Macie administrator for the account; and, ACCOUNT_PAUSED, Macie isn’t enabled for the account in the current Amazon Web Services Region.

DescribeBuckets (updated) Link ¶
Changes (response)
{'buckets': {'automatedDiscoveryMonitoringStatus': 'MONITORED | NOT_MONITORED'}}

Retrieves (queries) statistical data and other information about one or more S3 buckets that Amazon Macie monitors and analyzes for an account.

See also: AWS API Documentation

Request Syntax

client.describe_buckets(
    criteria={
        'string': {
            'eq': [
                'string',
            ],
            'gt': 123,
            'gte': 123,
            'lt': 123,
            'lte': 123,
            'neq': [
                'string',
            ],
            'prefix': 'string'
        }
    },
    maxResults=123,
    nextToken='string',
    sortCriteria={
        'attributeName': 'string',
        'orderBy': 'ASC'|'DESC'
    }
)
type criteria:

dict

param criteria:

The criteria to use to filter the query results.

  • (string) --

    • (dict) --

      Specifies the operator to use in a property-based condition that filters the results of a query for information about S3 buckets.

      • eq (list) --

        The value for the property matches (equals) the specified value. If you specify multiple values, Amazon Macie uses OR logic to join the values.

        • (string) --

      • gt (integer) --

        The value for the property is greater than the specified value.

      • gte (integer) --

        The value for the property is greater than or equal to the specified value.

      • lt (integer) --

        The value for the property is less than the specified value.

      • lte (integer) --

        The value for the property is less than or equal to the specified value.

      • neq (list) --

        The value for the property doesn't match (doesn't equal) the specified value. If you specify multiple values, Amazon Macie uses OR logic to join the values.

        • (string) --

      • prefix (string) --

        The name of the bucket begins with the specified value.

type maxResults:

integer

param maxResults:

The maximum number of items to include in each page of the response. The default value is 50.

type nextToken:

string

param nextToken:

The nextToken string that specifies which page of results to return in a paginated response.

type sortCriteria:

dict

param sortCriteria:

The criteria to use to sort the query results.

  • attributeName (string) --

    The name of the bucket property to sort the results by. This value can be one of the following properties that Amazon Macie defines as bucket metadata: accountId, bucketName, classifiableObjectCount, classifiableSizeInBytes, objectCount, sensitivityScore, or sizeInBytes.

  • orderBy (string) --

    The sort order to apply to the results, based on the value specified by the attributeName property. Valid values are: ASC, sort the results in ascending order; and, DESC, sort the results in descending order.

rtype:

dict

returns:

Response Syntax

{
    'buckets': [
        {
            'accountId': 'string',
            'allowsUnencryptedObjectUploads': 'TRUE'|'FALSE'|'UNKNOWN',
            'automatedDiscoveryMonitoringStatus': 'MONITORED'|'NOT_MONITORED',
            'bucketArn': 'string',
            'bucketCreatedAt': datetime(2015, 1, 1),
            'bucketName': 'string',
            'classifiableObjectCount': 123,
            'classifiableSizeInBytes': 123,
            'errorCode': 'ACCESS_DENIED',
            'errorMessage': 'string',
            'jobDetails': {
                'isDefinedInJob': 'TRUE'|'FALSE'|'UNKNOWN',
                'isMonitoredByJob': 'TRUE'|'FALSE'|'UNKNOWN',
                'lastJobId': 'string',
                'lastJobRunTime': datetime(2015, 1, 1)
            },
            'lastAutomatedDiscoveryTime': datetime(2015, 1, 1),
            'lastUpdated': datetime(2015, 1, 1),
            'objectCount': 123,
            'objectCountByEncryptionType': {
                'customerManaged': 123,
                'kmsManaged': 123,
                's3Managed': 123,
                'unencrypted': 123,
                'unknown': 123
            },
            'publicAccess': {
                'effectivePermission': 'PUBLIC'|'NOT_PUBLIC'|'UNKNOWN',
                'permissionConfiguration': {
                    'accountLevelPermissions': {
                        'blockPublicAccess': {
                            'blockPublicAcls': True|False,
                            'blockPublicPolicy': True|False,
                            'ignorePublicAcls': True|False,
                            'restrictPublicBuckets': True|False
                        }
                    },
                    'bucketLevelPermissions': {
                        'accessControlList': {
                            'allowsPublicReadAccess': True|False,
                            'allowsPublicWriteAccess': True|False
                        },
                        'blockPublicAccess': {
                            'blockPublicAcls': True|False,
                            'blockPublicPolicy': True|False,
                            'ignorePublicAcls': True|False,
                            'restrictPublicBuckets': True|False
                        },
                        'bucketPolicy': {
                            'allowsPublicReadAccess': True|False,
                            'allowsPublicWriteAccess': True|False
                        }
                    }
                }
            },
            'region': 'string',
            'replicationDetails': {
                'replicated': True|False,
                'replicatedExternally': True|False,
                'replicationAccounts': [
                    'string',
                ]
            },
            'sensitivityScore': 123,
            'serverSideEncryption': {
                'kmsMasterKeyId': 'string',
                'type': 'NONE'|'AES256'|'aws:kms'|'aws:kms:dsse'
            },
            'sharedAccess': 'EXTERNAL'|'INTERNAL'|'NOT_SHARED'|'UNKNOWN',
            'sizeInBytes': 123,
            'sizeInBytesCompressed': 123,
            'tags': [
                {
                    'key': 'string',
                    'value': 'string'
                },
            ],
            'unclassifiableObjectCount': {
                'fileType': 123,
                'storageClass': 123,
                'total': 123
            },
            'unclassifiableObjectSizeInBytes': {
                'fileType': 123,
                'storageClass': 123,
                'total': 123
            },
            'versioning': True|False
        },
    ],
    'nextToken': 'string'
}

Response Structure

  • (dict) --

    The request succeeded.

    • buckets (list) --

      An array of objects, one for each bucket that matches the filter criteria specified in the request.

      • (dict) --

        Provides statistical data and other information about an S3 bucket that Amazon Macie monitors and analyzes for your account. By default, object count and storage size values include data for object parts that are the result of incomplete multipart uploads. For more information, see How Macie monitors Amazon S3 data security in the Amazon Macie User Guide.

        If an error occurs when Macie attempts to retrieve and process metadata from Amazon S3 for the bucket or the bucket's objects, the value for the versioning property is false and the value for most other properties is null. Key exceptions are accountId, bucketArn, bucketCreatedAt, bucketName, lastUpdated, and region. To identify the cause of the error, refer to the errorCode and errorMessage values.

        • accountId (string) --

          The unique identifier for the Amazon Web Services account that owns the bucket.

        • allowsUnencryptedObjectUploads (string) --

          Specifies whether the bucket policy for the bucket requires server-side encryption of objects when objects are added to the bucket. Possible values are:

          • FALSE - The bucket policy requires server-side encryption of new objects. PutObject requests must include a valid server-side encryption header.

          • TRUE - The bucket doesn't have a bucket policy or it has a bucket policy that doesn't require server-side encryption of new objects. If a bucket policy exists, it doesn't require PutObject requests to include a valid server-side encryption header.

          • UNKNOWN - Amazon Macie can't determine whether the bucket policy requires server-side encryption of new objects.

          Valid server-side encryption headers are: x-amz-server-side-encryption with a value of AES256 or aws:kms, and x-amz-server-side-encryption-customer-algorithm with a value of AES256.

        • automatedDiscoveryMonitoringStatus (string) --

          Specifies whether automated sensitive data discovery is currently configured to analyze objects in the bucket. Possible values are: MONITORED, the bucket is included in analyses; and, NOT_MONITORED, the bucket is excluded from analyses. If automated sensitive data discovery is disabled for your account, this value is NOT_MONITORED.

        • bucketArn (string) --

          The Amazon Resource Name (ARN) of the bucket.

        • bucketCreatedAt (datetime) --

          The date and time, in UTC and extended ISO 8601 format, when the bucket was created. This value can also indicate when changes such as edits to the bucket's policy were most recently made to the bucket.

        • bucketName (string) --

          The name of the bucket.

        • classifiableObjectCount (integer) --

          The total number of objects that Amazon Macie can analyze in the bucket. These objects use a supported storage class and have a file name extension for a supported file or storage format.

        • classifiableSizeInBytes (integer) --

          The total storage size, in bytes, of the objects that Amazon Macie can analyze in the bucket. These objects use a supported storage class and have a file name extension for a supported file or storage format.

          If versioning is enabled for the bucket, Macie calculates this value based on the size of the latest version of each applicable object in the bucket. This value doesn't reflect the storage size of all versions of each applicable object in the bucket.

        • errorCode (string) --

          The error code for an error that prevented Amazon Macie from retrieving and processing information about the bucket and the bucket's objects. If this value is ACCESS_DENIED, Macie doesn't have permission to retrieve the information. For example, the bucket has a restrictive bucket policy and Amazon S3 denied the request. If this value is null, Macie was able to retrieve and process the information.

        • errorMessage (string) --

          A brief description of the error (errorCode) that prevented Amazon Macie from retrieving and processing information about the bucket and the bucket's objects. This value is null if Macie was able to retrieve and process the information.

        • jobDetails (dict) --

          Specifies whether any one-time or recurring classification jobs are configured to analyze objects in the bucket, and, if so, the details of the job that ran most recently.

          • isDefinedInJob (string) --

            Specifies whether any one-time or recurring jobs are configured to analyze objects in the bucket. Possible values are:

            • TRUE - The bucket is explicitly included in the bucket definition (S3BucketDefinitionForJob) for one or more jobs and at least one of those jobs has a status other than CANCELLED. Or the bucket matched the bucket criteria (S3BucketCriteriaForJob) for at least one job that previously ran.

            • FALSE - The bucket isn't explicitly included in the bucket definition (S3BucketDefinitionForJob) for any jobs, all the jobs that explicitly include the bucket in their bucket definitions have a status of CANCELLED, or the bucket didn't match the bucket criteria (S3BucketCriteriaForJob) for any jobs that previously ran.

            • UNKNOWN - An exception occurred when Amazon Macie attempted to retrieve job data for the bucket.

          • isMonitoredByJob (string) --

            Specifies whether any recurring jobs are configured to analyze objects in the bucket. Possible values are:

            • TRUE - The bucket is explicitly included in the bucket definition (S3BucketDefinitionForJob) for one or more recurring jobs or the bucket matches the bucket criteria (S3BucketCriteriaForJob) for one or more recurring jobs. At least one of those jobs has a status other than CANCELLED.

            • FALSE - The bucket isn't explicitly included in the bucket definition (S3BucketDefinitionForJob) for any recurring jobs, the bucket doesn't match the bucket criteria (S3BucketCriteriaForJob) for any recurring jobs, or all the recurring jobs that are configured to analyze data in the bucket have a status of CANCELLED.

            • UNKNOWN - An exception occurred when Amazon Macie attempted to retrieve job data for the bucket.

          • lastJobId (string) --

            The unique identifier for the job that ran most recently and is configured to analyze objects in the bucket, either the latest run of a recurring job or the only run of a one-time job.

            This value is typically null if the value for the isDefinedInJob property is FALSE or UNKNOWN.

          • lastJobRunTime (datetime) --

            The date and time, in UTC and extended ISO 8601 format, when the job (lastJobId) started. If the job is a recurring job, this value indicates when the most recent run started.

            This value is typically null if the value for the isDefinedInJob property is FALSE or UNKNOWN.

        • lastAutomatedDiscoveryTime (datetime) --

          The date and time, in UTC and extended ISO 8601 format, when Amazon Macie most recently analyzed objects in the bucket while performing automated sensitive data discovery. This value is null if automated sensitive data discovery is disabled for your account.

        • lastUpdated (datetime) --

          The date and time, in UTC and extended ISO 8601 format, when Amazon Macie most recently retrieved bucket or object metadata from Amazon S3 for the bucket.

        • objectCount (integer) --

          The total number of objects in the bucket.

        • objectCountByEncryptionType (dict) --

          The total number of objects in the bucket, grouped by server-side encryption type. This includes a grouping that reports the total number of objects that aren't encrypted or use client-side encryption.

          • customerManaged (integer) --

            The total number of objects that are encrypted with customer-provided keys. The objects use server-side encryption with customer-provided keys (SSE-C).

          • kmsManaged (integer) --

            The total number of objects that are encrypted with KMS keys, either Amazon Web Services managed keys or customer managed keys. The objects use dual-layer server-side encryption or server-side encryption with KMS keys (DSSE-KMS or SSE-KMS).

          • s3Managed (integer) --

            The total number of objects that are encrypted with Amazon S3 managed keys. The objects use server-side encryption with Amazon S3 managed keys (SSE-S3).

          • unencrypted (integer) --

            The total number of objects that use client-side encryption or aren't encrypted.

          • unknown (integer) --

            The total number of objects that Amazon Macie doesn't have current encryption metadata for. Macie can't provide current data about the encryption settings for these objects.

        • publicAccess (dict) --

          Specifies whether the bucket is publicly accessible due to the combination of permissions settings that apply to the bucket, and provides information about those settings.

          • effectivePermission (string) --

            Specifies whether the bucket is publicly accessible due to the combination of permissions settings that apply to the bucket. Possible values are:

            • NOT_PUBLIC - The bucket isn't publicly accessible.

            • PUBLIC - The bucket is publicly accessible.

            • UNKNOWN - Amazon Macie can't determine whether the bucket is publicly accessible.

          • permissionConfiguration (dict) --

            The account-level and bucket-level permissions settings for the bucket.

            • accountLevelPermissions (dict) --

              The account-level permissions settings that apply to the bucket.

              • blockPublicAccess (dict) --

                The block public access settings for the Amazon Web Services account that owns the bucket.

                • blockPublicAcls (boolean) --

                  Specifies whether Amazon S3 blocks public access control lists (ACLs) for the bucket and objects in the bucket.

                • blockPublicPolicy (boolean) --

                  Specifies whether Amazon S3 blocks public bucket policies for the bucket.

                • ignorePublicAcls (boolean) --

                  Specifies whether Amazon S3 ignores public ACLs for the bucket and objects in the bucket.

                • restrictPublicBuckets (boolean) --

                  Specifies whether Amazon S3 restricts public bucket policies for the bucket.

            • bucketLevelPermissions (dict) --

              The bucket-level permissions settings for the bucket.

              • accessControlList (dict) --

                The permissions settings of the access control list (ACL) for the bucket. This value is null if an ACL hasn't been defined for the bucket.

                • allowsPublicReadAccess (boolean) --

                  Specifies whether the ACL grants the general public with read access permissions for the bucket.

                • allowsPublicWriteAccess (boolean) --

                  Specifies whether the ACL grants the general public with write access permissions for the bucket.

              • blockPublicAccess (dict) --

                The block public access settings for the bucket.

                • blockPublicAcls (boolean) --

                  Specifies whether Amazon S3 blocks public access control lists (ACLs) for the bucket and objects in the bucket.

                • blockPublicPolicy (boolean) --

                  Specifies whether Amazon S3 blocks public bucket policies for the bucket.

                • ignorePublicAcls (boolean) --

                  Specifies whether Amazon S3 ignores public ACLs for the bucket and objects in the bucket.

                • restrictPublicBuckets (boolean) --

                  Specifies whether Amazon S3 restricts public bucket policies for the bucket.

              • bucketPolicy (dict) --

                The permissions settings of the bucket policy for the bucket. This value is null if a bucket policy hasn't been defined for the bucket.

                • allowsPublicReadAccess (boolean) --

                  Specifies whether the bucket policy allows the general public to have read access to the bucket.

                • allowsPublicWriteAccess (boolean) --

                  Specifies whether the bucket policy allows the general public to have write access to the bucket.

        • region (string) --

          The Amazon Web Services Region that hosts the bucket.

        • replicationDetails (dict) --

          Specifies whether the bucket is configured to replicate one or more objects to buckets for other Amazon Web Services accounts and, if so, which accounts.

          • replicated (boolean) --

            Specifies whether the bucket is configured to replicate one or more objects to any destination.

          • replicatedExternally (boolean) --

            Specifies whether the bucket is configured to replicate one or more objects to a bucket for an Amazon Web Services account that isn't part of your Amazon Macie organization. An Amazon Macie organization is a set of Macie accounts that are centrally managed as a group of related accounts through Organizations or by Macie invitation.

          • replicationAccounts (list) --

            An array of Amazon Web Services account IDs, one for each Amazon Web Services account that owns a bucket that the bucket is configured to replicate one or more objects to.

            • (string) --

        • sensitivityScore (integer) --

          The sensitivity score for the bucket, ranging from -1 (classification error) to 100 (sensitive).

          If automated sensitive data discovery has never been enabled for your account or it’s been disabled for your organization or your standalone account for more than 30 days, possible values are: 1, the bucket is empty; or, 50, the bucket stores objects but it’s been excluded from recent analyses.

        • serverSideEncryption (dict) --

          The default server-side encryption settings for the bucket.

          • kmsMasterKeyId (string) --

            The Amazon Resource Name (ARN) or unique identifier (key ID) for the KMS key that's used by default to encrypt objects that are added to the bucket. This value is null if the bucket is configured to use an Amazon S3 managed key to encrypt new objects.

          • type (string) --

            The server-side encryption algorithm that's used by default to encrypt objects that are added to the bucket. Possible values are:

            • AES256 - New objects use SSE-S3 encryption. They're encrypted with an Amazon S3 managed key.

            • aws:kms - New objects use SSE-KMS encryption. They're encrypted with an KMS key (kmsMasterKeyId), either an Amazon Web Services managed key or a customer managed key.

            • aws:kms:dsse - New objects use DSSE-KMS encryption. They're encrypted with an KMS key (kmsMasterKeyId), either an Amazon Web Services managed key or a customer managed key.

            • NONE - The bucket's default encryption settings don't specify server-side encryption behavior for new objects.

        • sharedAccess (string) --

          Specifies whether the bucket is shared with another Amazon Web Services account, an Amazon CloudFront origin access identity (OAI), or a CloudFront origin access control (OAC). Possible values are:

          • EXTERNAL - The bucket is shared with one or more of the following or any combination of the following: a CloudFront OAI, a CloudFront OAC, or an Amazon Web Services account that isn't part of your Amazon Macie organization.

          • INTERNAL - The bucket is shared with one or more Amazon Web Services accounts that are part of your Amazon Macie organization. It isn't shared with a CloudFront OAI or OAC.

          • NOT_SHARED - The bucket isn't shared with another Amazon Web Services account, a CloudFront OAI, or a CloudFront OAC.

          • UNKNOWN - Amazon Macie wasn't able to evaluate the shared access settings for the bucket.

          An Amazon Macie organization is a set of Macie accounts that are centrally managed as a group of related accounts through Organizations or by Macie invitation.

        • sizeInBytes (integer) --

          The total storage size, in bytes, of the bucket.

          If versioning is enabled for the bucket, Amazon Macie calculates this value based on the size of the latest version of each object in the bucket. This value doesn't reflect the storage size of all versions of each object in the bucket.

        • sizeInBytesCompressed (integer) --

          The total storage size, in bytes, of the objects that are compressed (.gz, .gzip, .zip) files in the bucket.

          If versioning is enabled for the bucket, Amazon Macie calculates this value based on the size of the latest version of each applicable object in the bucket. This value doesn't reflect the storage size of all versions of each applicable object in the bucket.

        • tags (list) --

          An array that specifies the tags (keys and values) that are associated with the bucket.

          • (dict) --

            Provides information about the tags that are associated with an S3 bucket or object. Each tag consists of a required tag key and an associated tag value.

            • key (string) --

              One part of a key-value pair that comprises a tag. A tag key is a general label that acts as a category for more specific tag values.

            • value (string) --

              One part of a key-value pair that comprises a tag. A tag value acts as a descriptor for a tag key. A tag value can be an empty string.

        • unclassifiableObjectCount (dict) --

          The total number of objects that Amazon Macie can't analyze in the bucket. These objects don't use a supported storage class or don't have a file name extension for a supported file or storage format.

          • fileType (integer) --

            The total storage size (in bytes) or number of objects that Amazon Macie can't analyze because the objects don't have a file name extension for a supported file or storage format.

          • storageClass (integer) --

            The total storage size (in bytes) or number of objects that Amazon Macie can't analyze because the objects use an unsupported storage class.

          • total (integer) --

            The total storage size (in bytes) or number of objects that Amazon Macie can't analyze because the objects use an unsupported storage class or don't have a file name extension for a supported file or storage format.

        • unclassifiableObjectSizeInBytes (dict) --

          The total storage size, in bytes, of the objects that Amazon Macie can't analyze in the bucket. These objects don't use a supported storage class or don't have a file name extension for a supported file or storage format.

          • fileType (integer) --

            The total storage size (in bytes) or number of objects that Amazon Macie can't analyze because the objects don't have a file name extension for a supported file or storage format.

          • storageClass (integer) --

            The total storage size (in bytes) or number of objects that Amazon Macie can't analyze because the objects use an unsupported storage class.

          • total (integer) --

            The total storage size (in bytes) or number of objects that Amazon Macie can't analyze because the objects use an unsupported storage class or don't have a file name extension for a supported file or storage format.

        • versioning (boolean) --

          Specifies whether versioning is enabled for the bucket.

    • nextToken (string) --

      The string to use in a subsequent request to get the next page of results in a paginated response. This value is null if there are no additional pages.

GetAutomatedDiscoveryConfiguration (updated) Link ¶
Changes (response)
{'autoEnableOrganizationMembers': 'ALL | NEW | NONE'}

Retrieves the configuration settings and status of automated sensitive data discovery for an organization or standalone account.

See also: AWS API Documentation

Request Syntax

client.get_automated_discovery_configuration()
rtype:

dict

returns:

Response Syntax

{
    'autoEnableOrganizationMembers': 'ALL'|'NEW'|'NONE',
    'classificationScopeId': 'string',
    'disabledAt': datetime(2015, 1, 1),
    'firstEnabledAt': datetime(2015, 1, 1),
    'lastUpdatedAt': datetime(2015, 1, 1),
    'sensitivityInspectionTemplateId': 'string',
    'status': 'ENABLED'|'DISABLED'
}

Response Structure

  • (dict) --

    The request succeeded.

    • autoEnableOrganizationMembers (string) --

      Specifies whether automated sensitive data discovery is enabled automatically for accounts in the organization. Possible values are: ALL, enable it for all existing accounts and new member accounts; NEW, enable it only for new member accounts; and, NONE, don't enable it for any accounts.

    • classificationScopeId (string) --

      The unique identifier for the classification scope that's used when performing automated sensitive data discovery. The classification scope specifies S3 buckets to exclude from analyses.

    • disabledAt (datetime) --

      The date and time, in UTC and extended ISO 8601 format, when automated sensitive data discovery was most recently disabled. This value is null if automated sensitive data discovery is currently enabled.

    • firstEnabledAt (datetime) --

      The date and time, in UTC and extended ISO 8601 format, when automated sensitive data discovery was initially enabled. This value is null if automated sensitive data discovery has never been enabled.

    • lastUpdatedAt (datetime) --

      The date and time, in UTC and extended ISO 8601 format, when the configuration settings or status of automated sensitive data discovery was most recently changed.

    • sensitivityInspectionTemplateId (string) --

      The unique identifier for the sensitivity inspection template that's used when performing automated sensitive data discovery. The template specifies which allow lists, custom data identifiers, and managed data identifiers to use when analyzing data.

    • status (string) --

      The current status of automated sensitive data discovery for the organization or account. Possible values are: ENABLED, use the specified settings to perform automated sensitive data discovery activities; and, DISABLED, don't perform automated sensitive data discovery activities.

SearchResources (updated) Link ¶
Changes (request, response)
Request
{'bucketCriteria': {'excludes': {'and': {'simpleCriterion': {'key': {'AUTOMATED_DISCOVERY_MONITORING_STATUS'}}}},
                    'includes': {'and': {'simpleCriterion': {'key': {'AUTOMATED_DISCOVERY_MONITORING_STATUS'}}}}}}
Response
{'matchingResources': {'matchingBucket': {'automatedDiscoveryMonitoringStatus': 'MONITORED '
                                                                                '| '
                                                                                'NOT_MONITORED'}}}

Retrieves (queries) statistical data and other information about Amazon Web Services resources that Amazon Macie monitors and analyzes.

See also: AWS API Documentation

Request Syntax

client.search_resources(
    bucketCriteria={
        'excludes': {
            'and': [
                {
                    'simpleCriterion': {
                        'comparator': 'EQ'|'NE',
                        'key': 'ACCOUNT_ID'|'S3_BUCKET_NAME'|'S3_BUCKET_EFFECTIVE_PERMISSION'|'S3_BUCKET_SHARED_ACCESS'|'AUTOMATED_DISCOVERY_MONITORING_STATUS',
                        'values': [
                            'string',
                        ]
                    },
                    'tagCriterion': {
                        'comparator': 'EQ'|'NE',
                        'tagValues': [
                            {
                                'key': 'string',
                                'value': 'string'
                            },
                        ]
                    }
                },
            ]
        },
        'includes': {
            'and': [
                {
                    'simpleCriterion': {
                        'comparator': 'EQ'|'NE',
                        'key': 'ACCOUNT_ID'|'S3_BUCKET_NAME'|'S3_BUCKET_EFFECTIVE_PERMISSION'|'S3_BUCKET_SHARED_ACCESS'|'AUTOMATED_DISCOVERY_MONITORING_STATUS',
                        'values': [
                            'string',
                        ]
                    },
                    'tagCriterion': {
                        'comparator': 'EQ'|'NE',
                        'tagValues': [
                            {
                                'key': 'string',
                                'value': 'string'
                            },
                        ]
                    }
                },
            ]
        }
    },
    maxResults=123,
    nextToken='string',
    sortCriteria={
        'attributeName': 'ACCOUNT_ID'|'RESOURCE_NAME'|'S3_CLASSIFIABLE_OBJECT_COUNT'|'S3_CLASSIFIABLE_SIZE_IN_BYTES',
        'orderBy': 'ASC'|'DESC'
    }
)
type bucketCriteria:

dict

param bucketCriteria:

The filter conditions that determine which S3 buckets to include or exclude from the query results.

  • excludes (dict) --

    The property- and tag-based conditions that determine which buckets to exclude from the results.

    • and (list) --

      An array of objects, one for each property- or tag-based condition that includes or excludes resources from the query results. If you specify more than one condition, Amazon Macie uses AND logic to join the conditions.

      • (dict) --

        Specifies a property- or tag-based filter condition for including or excluding Amazon Web Services resources from the query results.

        • simpleCriterion (dict) --

          A property-based condition that defines a property, operator, and one or more values for including or excluding resources from the results.

          • comparator (string) --

            The operator to use in the condition. Valid values are EQ (equals) and NE (not equals).

          • key (string) --

            The property to use in the condition.

          • values (list) --

            An array that lists one or more values to use in the condition. If you specify multiple values, Amazon Macie uses OR logic to join the values. Valid values for each supported property (key) are:

            • ACCOUNT_ID - A string that represents the unique identifier for the Amazon Web Services account that owns the resource.

            • AUTOMATED_DISCOVERY_MONITORING_STATUS - A string that represents an enumerated value that Macie defines for the BucketMetadata.automatedDiscoveryMonitoringStatus property of an S3 bucket.

            • S3_BUCKET_EFFECTIVE_PERMISSION - A string that represents an enumerated value that Macie defines for the BucketPublicAccess.effectivePermission property of an S3 bucket.

            • S3_BUCKET_NAME - A string that represents the name of an S3 bucket.

            • S3_BUCKET_SHARED_ACCESS - A string that represents an enumerated value that Macie defines for the BucketMetadata.sharedAccess property of an S3 bucket.

            Values are case sensitive. Also, Macie doesn't support use of partial values or wildcard characters in values.

            • (string) --

        • tagCriterion (dict) --

          A tag-based condition that defines an operator and tag keys, tag values, or tag key and value pairs for including or excluding resources from the results.

          • comparator (string) --

            The operator to use in the condition. Valid values are EQ (equals) and NE (not equals).

          • tagValues (list) --

            The tag keys, tag values, or tag key and value pairs to use in the condition.

            • (dict) --

              Specifies a tag key, a tag value, or a tag key and value (as a pair) to use in a tag-based filter condition for a query. Tag keys and values are case sensitive. Also, Amazon Macie doesn't support use of partial values or wildcard characters in tag-based filter conditions.

              • key (string) --

                The value for the tag key to use in the condition.

              • value (string) --

                The tag value to use in the condition.

  • includes (dict) --

    The property- and tag-based conditions that determine which buckets to include in the results.

    • and (list) --

      An array of objects, one for each property- or tag-based condition that includes or excludes resources from the query results. If you specify more than one condition, Amazon Macie uses AND logic to join the conditions.

      • (dict) --

        Specifies a property- or tag-based filter condition for including or excluding Amazon Web Services resources from the query results.

        • simpleCriterion (dict) --

          A property-based condition that defines a property, operator, and one or more values for including or excluding resources from the results.

          • comparator (string) --

            The operator to use in the condition. Valid values are EQ (equals) and NE (not equals).

          • key (string) --

            The property to use in the condition.

          • values (list) --

            An array that lists one or more values to use in the condition. If you specify multiple values, Amazon Macie uses OR logic to join the values. Valid values for each supported property (key) are:

            • ACCOUNT_ID - A string that represents the unique identifier for the Amazon Web Services account that owns the resource.

            • AUTOMATED_DISCOVERY_MONITORING_STATUS - A string that represents an enumerated value that Macie defines for the BucketMetadata.automatedDiscoveryMonitoringStatus property of an S3 bucket.

            • S3_BUCKET_EFFECTIVE_PERMISSION - A string that represents an enumerated value that Macie defines for the BucketPublicAccess.effectivePermission property of an S3 bucket.

            • S3_BUCKET_NAME - A string that represents the name of an S3 bucket.

            • S3_BUCKET_SHARED_ACCESS - A string that represents an enumerated value that Macie defines for the BucketMetadata.sharedAccess property of an S3 bucket.

            Values are case sensitive. Also, Macie doesn't support use of partial values or wildcard characters in values.

            • (string) --

        • tagCriterion (dict) --

          A tag-based condition that defines an operator and tag keys, tag values, or tag key and value pairs for including or excluding resources from the results.

          • comparator (string) --

            The operator to use in the condition. Valid values are EQ (equals) and NE (not equals).

          • tagValues (list) --

            The tag keys, tag values, or tag key and value pairs to use in the condition.

            • (dict) --

              Specifies a tag key, a tag value, or a tag key and value (as a pair) to use in a tag-based filter condition for a query. Tag keys and values are case sensitive. Also, Amazon Macie doesn't support use of partial values or wildcard characters in tag-based filter conditions.

              • key (string) --

                The value for the tag key to use in the condition.

              • value (string) --

                The tag value to use in the condition.

type maxResults:

integer

param maxResults:

The maximum number of items to include in each page of the response. The default value is 50.

type nextToken:

string

param nextToken:

The nextToken string that specifies which page of results to return in a paginated response.

type sortCriteria:

dict

param sortCriteria:

The criteria to use to sort the results.

  • attributeName (string) --

    The property to sort the results by.

  • orderBy (string) --

    The sort order to apply to the results, based on the value for the property specified by the attributeName property. Valid values are: ASC, sort the results in ascending order; and, DESC, sort the results in descending order.

rtype:

dict

returns:

Response Syntax

{
    'matchingResources': [
        {
            'matchingBucket': {
                'accountId': 'string',
                'automatedDiscoveryMonitoringStatus': 'MONITORED'|'NOT_MONITORED',
                'bucketName': 'string',
                'classifiableObjectCount': 123,
                'classifiableSizeInBytes': 123,
                'errorCode': 'ACCESS_DENIED',
                'errorMessage': 'string',
                'jobDetails': {
                    'isDefinedInJob': 'TRUE'|'FALSE'|'UNKNOWN',
                    'isMonitoredByJob': 'TRUE'|'FALSE'|'UNKNOWN',
                    'lastJobId': 'string',
                    'lastJobRunTime': datetime(2015, 1, 1)
                },
                'lastAutomatedDiscoveryTime': datetime(2015, 1, 1),
                'objectCount': 123,
                'objectCountByEncryptionType': {
                    'customerManaged': 123,
                    'kmsManaged': 123,
                    's3Managed': 123,
                    'unencrypted': 123,
                    'unknown': 123
                },
                'sensitivityScore': 123,
                'sizeInBytes': 123,
                'sizeInBytesCompressed': 123,
                'unclassifiableObjectCount': {
                    'fileType': 123,
                    'storageClass': 123,
                    'total': 123
                },
                'unclassifiableObjectSizeInBytes': {
                    'fileType': 123,
                    'storageClass': 123,
                    'total': 123
                }
            }
        },
    ],
    'nextToken': 'string'
}

Response Structure

  • (dict) --

    The request succeeded.

    • matchingResources (list) --

      An array of objects, one for each resource that matches the filter criteria specified in the request.

      • (dict) --

        Provides statistical data and other information about an Amazon Web Services resource that Amazon Macie monitors and analyzes for your account.

        • matchingBucket (dict) --

          The details of an S3 bucket that Amazon Macie monitors and analyzes.

          • accountId (string) --

            The unique identifier for the Amazon Web Services account that owns the bucket.

          • automatedDiscoveryMonitoringStatus (string) --

            Specifies whether automated sensitive data discovery is currently configured to analyze objects in the bucket. Possible values are: MONITORED, the bucket is included in analyses; and, NOT_MONITORED, the bucket is excluded from analyses. If automated sensitive data discovery is disabled for your account, this value is NOT_MONITORED.

          • bucketName (string) --

            The name of the bucket.

          • classifiableObjectCount (integer) --

            The total number of objects that Amazon Macie can analyze in the bucket. These objects use a supported storage class and have a file name extension for a supported file or storage format.

          • classifiableSizeInBytes (integer) --

            The total storage size, in bytes, of the objects that Amazon Macie can analyze in the bucket. These objects use a supported storage class and have a file name extension for a supported file or storage format.

            If versioning is enabled for the bucket, Macie calculates this value based on the size of the latest version of each applicable object in the bucket. This value doesn't reflect the storage size of all versions of each applicable object in the bucket.

          • errorCode (string) --

            The error code for an error that prevented Amazon Macie from retrieving and processing information about the bucket and the bucket's objects. If this value is ACCESS_DENIED, Macie doesn't have permission to retrieve the information. For example, the bucket has a restrictive bucket policy and Amazon S3 denied the request. If this value is null, Macie was able to retrieve and process the information.

          • errorMessage (string) --

            A brief description of the error (errorCode) that prevented Amazon Macie from retrieving and processing information about the bucket and the bucket's objects. This value is null if Macie was able to retrieve and process the information.

          • jobDetails (dict) --

            Specifies whether any one-time or recurring classification jobs are configured to analyze objects in the bucket, and, if so, the details of the job that ran most recently.

            • isDefinedInJob (string) --

              Specifies whether any one-time or recurring jobs are configured to analyze objects in the bucket. Possible values are:

              • TRUE - The bucket is explicitly included in the bucket definition (S3BucketDefinitionForJob) for one or more jobs and at least one of those jobs has a status other than CANCELLED. Or the bucket matched the bucket criteria (S3BucketCriteriaForJob) for at least one job that previously ran.

              • FALSE - The bucket isn't explicitly included in the bucket definition (S3BucketDefinitionForJob) for any jobs, all the jobs that explicitly include the bucket in their bucket definitions have a status of CANCELLED, or the bucket didn't match the bucket criteria (S3BucketCriteriaForJob) for any jobs that previously ran.

              • UNKNOWN - An exception occurred when Amazon Macie attempted to retrieve job data for the bucket.

            • isMonitoredByJob (string) --

              Specifies whether any recurring jobs are configured to analyze objects in the bucket. Possible values are:

              • TRUE - The bucket is explicitly included in the bucket definition (S3BucketDefinitionForJob) for one or more recurring jobs or the bucket matches the bucket criteria (S3BucketCriteriaForJob) for one or more recurring jobs. At least one of those jobs has a status other than CANCELLED.

              • FALSE - The bucket isn't explicitly included in the bucket definition (S3BucketDefinitionForJob) for any recurring jobs, the bucket doesn't match the bucket criteria (S3BucketCriteriaForJob) for any recurring jobs, or all the recurring jobs that are configured to analyze data in the bucket have a status of CANCELLED.

              • UNKNOWN - An exception occurred when Amazon Macie attempted to retrieve job data for the bucket.

            • lastJobId (string) --

              The unique identifier for the job that ran most recently and is configured to analyze objects in the bucket, either the latest run of a recurring job or the only run of a one-time job.

              This value is typically null if the value for the isDefinedInJob property is FALSE or UNKNOWN.

            • lastJobRunTime (datetime) --

              The date and time, in UTC and extended ISO 8601 format, when the job (lastJobId) started. If the job is a recurring job, this value indicates when the most recent run started.

              This value is typically null if the value for the isDefinedInJob property is FALSE or UNKNOWN.

          • lastAutomatedDiscoveryTime (datetime) --

            The date and time, in UTC and extended ISO 8601 format, when Amazon Macie most recently analyzed objects in the bucket while performing automated sensitive data discovery. This value is null if automated sensitive data discovery is disabled for your account.

          • objectCount (integer) --

            The total number of objects in the bucket.

          • objectCountByEncryptionType (dict) --

            The total number of objects in the bucket, grouped by server-side encryption type. This includes a grouping that reports the total number of objects that aren't encrypted or use client-side encryption.

            • customerManaged (integer) --

              The total number of objects that are encrypted with customer-provided keys. The objects use server-side encryption with customer-provided keys (SSE-C).

            • kmsManaged (integer) --

              The total number of objects that are encrypted with KMS keys, either Amazon Web Services managed keys or customer managed keys. The objects use dual-layer server-side encryption or server-side encryption with KMS keys (DSSE-KMS or SSE-KMS).

            • s3Managed (integer) --

              The total number of objects that are encrypted with Amazon S3 managed keys. The objects use server-side encryption with Amazon S3 managed keys (SSE-S3).

            • unencrypted (integer) --

              The total number of objects that use client-side encryption or aren't encrypted.

            • unknown (integer) --

              The total number of objects that Amazon Macie doesn't have current encryption metadata for. Macie can't provide current data about the encryption settings for these objects.

          • sensitivityScore (integer) --

            The sensitivity score for the bucket, ranging from -1 (classification error) to 100 (sensitive).

            If automated sensitive data discovery has never been enabled for your account or it’s been disabled for your organization or your standalone account for more than 30 days, possible values are: 1, the bucket is empty; or, 50, the bucket stores objects but it’s been excluded from recent analyses.

          • sizeInBytes (integer) --

            The total storage size, in bytes, of the bucket.

            If versioning is enabled for the bucket, Amazon Macie calculates this value based on the size of the latest version of each object in the bucket. This value doesn't reflect the storage size of all versions of each object in the bucket.

          • sizeInBytesCompressed (integer) --

            The total storage size, in bytes, of the objects that are compressed (.gz, .gzip, .zip) files in the bucket.

            If versioning is enabled for the bucket, Amazon Macie calculates this value based on the size of the latest version of each applicable object in the bucket. This value doesn't reflect the storage size of all versions of each applicable object in the bucket.

          • unclassifiableObjectCount (dict) --

            The total number of objects that Amazon Macie can't analyze in the bucket. These objects don't use a supported storage class or don't have a file name extension for a supported file or storage format.

            • fileType (integer) --

              The total storage size (in bytes) or number of objects that Amazon Macie can't analyze because the objects don't have a file name extension for a supported file or storage format.

            • storageClass (integer) --

              The total storage size (in bytes) or number of objects that Amazon Macie can't analyze because the objects use an unsupported storage class.

            • total (integer) --

              The total storage size (in bytes) or number of objects that Amazon Macie can't analyze because the objects use an unsupported storage class or don't have a file name extension for a supported file or storage format.

          • unclassifiableObjectSizeInBytes (dict) --

            The total storage size, in bytes, of the objects that Amazon Macie can't analyze in the bucket. These objects don't use a supported storage class or don't have a file name extension for a supported file or storage format.

            • fileType (integer) --

              The total storage size (in bytes) or number of objects that Amazon Macie can't analyze because the objects don't have a file name extension for a supported file or storage format.

            • storageClass (integer) --

              The total storage size (in bytes) or number of objects that Amazon Macie can't analyze because the objects use an unsupported storage class.

            • total (integer) --

              The total storage size (in bytes) or number of objects that Amazon Macie can't analyze because the objects use an unsupported storage class or don't have a file name extension for a supported file or storage format.

    • nextToken (string) --

      The string to use in a subsequent request to get the next page of results in a paginated response. This value is null if there are no additional pages.

UpdateAutomatedDiscoveryConfiguration (updated) Link ¶
Changes (request)
{'autoEnableOrganizationMembers': 'ALL | NEW | NONE'}

Changes the configuration settings and status of automated sensitive data discovery for an organization or standalone account.

See also: AWS API Documentation

Request Syntax

client.update_automated_discovery_configuration(
    autoEnableOrganizationMembers='ALL'|'NEW'|'NONE',
    status='ENABLED'|'DISABLED'
)
type autoEnableOrganizationMembers:

string

param autoEnableOrganizationMembers:

Specifies whether to automatically enable automated sensitive data discovery for accounts in the organization. Valid values are: ALL (default), enable it for all existing accounts and new member accounts; NEW, enable it only for new member accounts; and, NONE, don't enable it for any accounts.

If you specify NEW or NONE, automated sensitive data discovery continues to be enabled for any existing accounts that it's currently enabled for. To enable or disable it for individual member accounts, specify NEW or NONE, and then enable or disable it for each account by using the BatchUpdateAutomatedDiscoveryAccounts operation.

type status:

string

param status:

[REQUIRED]

The new status of automated sensitive data discovery for the organization or account. Valid values are: ENABLED, start or resume all automated sensitive data discovery activities; and, DISABLED, stop performing all automated sensitive data discovery activities.

If you specify DISABLED for an administrator account, you also disable automated sensitive data discovery for all member accounts in the organization.

rtype:

dict

returns:

Response Syntax

{}

Response Structure

  • (dict) --

    The request succeeded. The status was updated and there isn't any content to include in the body of the response (No Content).