String administratorAccountId
The Amazon Web Services account ID for the account that sent the invitation.
String invitationId
The unique identifier for the invitation to accept.
String masterAccount
(Deprecated) The Amazon Web Services account ID for the account that sent the invitation. This property has been replaced by the administratorAccountId property and is retained only for backward compatibility.
Boolean allowsPublicReadAccess
Specifies whether the ACL grants the general public with read access permissions for the bucket.
Boolean allowsPublicWriteAccess
Specifies whether the ACL grants the general public with write access permissions for the bucket.
BlockPublicAccess blockPublicAccess
The block public access settings for the Amazon Web Services account that owns the bucket.
String regex
The regular expression (regex) that defines the text pattern to ignore. The expression can contain as many as 512 characters.
S3WordsList s3WordsList
The location and name of the S3 object that lists specific text to ignore.
String code
The current status of the allow list. If the list's criteria specify a regular expression (regex), this value is typically OK. Amazon Macie can compile the expression.
If the list's criteria specify an S3 object, possible values are:
OK - Macie can retrieve and parse the contents of the object.
S3_OBJECT_ACCESS_DENIED - Macie isn't allowed to access the object or the object is encrypted with a customer managed KMS key that Macie isn't allowed to use. Check the bucket policy and other permissions settings for the bucket and the object. If the object is encrypted, also ensure that it's encrypted with a key that Macie is allowed to use.
S3_OBJECT_EMPTY - Macie can retrieve the object but the object doesn't contain any content. Ensure that the object contains the correct entries. Also ensure that the list's criteria specify the correct bucket and object names.
S3_OBJECT_NOT_FOUND - The object doesn't exist in Amazon S3. Ensure that the list's criteria specify the correct bucket and object names.
S3_OBJECT_OVERSIZE - Macie can retrieve the object. However, the object contains too many entries or its storage size exceeds the quota for an allow list. Try breaking the list into multiple files and ensure that each file doesn't exceed any quotas. Then configure list settings in Macie for each file.
S3_THROTTLED - Amazon S3 throttled the request to retrieve the object. Wait a few minutes and then try again.
S3_USER_ACCESS_DENIED - Amazon S3 denied the request to retrieve the object. If the specified object exists, you're not allowed to access it or it's encrypted with an KMS key that you're not allowed to use. Work with your Amazon Web Services administrator to ensure that the list's criteria specify the correct bucket and object names, and you have read access to the bucket and the object. If the object is encrypted, also ensure that it's encrypted with a key that you're allowed to use.
UNKNOWN_ERROR - A transient or internal error occurred when Macie attempted to retrieve or parse the object. Wait a few minutes and then try again. A list can also have this status if it's encrypted with a key that Amazon S3 and Macie can't access or use.
String description
A brief description of the status of the allow list. Amazon Macie uses this value to provide additional information about an error that occurred when Macie tried to access and use the list's criteria.
String arn
The Amazon Resource Name (ARN) of the allow list.
Date createdAt
The date and time, in UTC and extended ISO 8601 format, when the allow list was created in Amazon Macie.
String description
The custom description of the allow list.
String id
The unique identifier for the allow list.
String name
The custom name of the allow list.
Date updatedAt
The date and time, in UTC and extended ISO 8601 format, when the allow list's settings were most recently changed in Amazon Macie.
String api
The name of the operation that was invoked most recently and produced the finding.
String apiServiceName
The URL of the Amazon Web Service that provides the operation, for example: s3.amazonaws.com.
Date firstSeen
The first date and time, in UTC and extended ISO 8601 format, when any operation was invoked and produced the finding.
Date lastSeen
The most recent date and time, in UTC and extended ISO 8601 format, when the specified operation (api) was invoked and produced the finding.
String accessKeyId
The Amazon Web Services access key ID that identifies the credentials.
String accountId
The unique identifier for the Amazon Web Services account that owns the entity that was used to get the credentials.
String arn
The Amazon Resource Name (ARN) of the entity that was used to get the credentials.
String principalId
The unique identifier for the entity that was used to get the credentials.
SessionContext sessionContext
The details of the session that was created for the credentials, including the entity that issued the session.
String invokedBy
The name of the Amazon Web Service that performed the action.
List<E> customDataIdentifiers
An array of objects, one for each custom data identifier that matches the criteria specified in the request.
List<E> notFoundIdentifierIds
An array of custom data identifier IDs, one for each custom data identifier that was specified in the request but doesn't correlate to an existing custom data identifier.
String arn
The Amazon Resource Name (ARN) of the custom data identifier.
Date createdAt
The date and time, in UTC and extended ISO 8601 format, when the custom data identifier was created.
Boolean deleted
Specifies whether the custom data identifier was deleted. If you delete a custom data identifier, Amazon Macie doesn't delete it permanently. Instead, it soft deletes the identifier.
String description
The custom description of the custom data identifier.
String id
The unique identifier for the custom data identifier.
String name
The custom name of the custom data identifier.
Boolean blockPublicAcls
Specifies whether Amazon S3 blocks public access control lists (ACLs) for the bucket and objects in the bucket.
Boolean blockPublicPolicy
Specifies whether Amazon S3 blocks public bucket policies for the bucket.
Boolean ignorePublicAcls
Specifies whether Amazon S3 ignores public ACLs for the bucket and objects in the bucket.
Boolean restrictPublicBuckets
Specifies whether Amazon S3 restricts public bucket policies for the bucket.
Long publiclyAccessible
The total number of buckets that allow the general public to have read or write access to the bucket.
Long publiclyReadable
The total number of buckets that allow the general public to have read access to the bucket.
Long publiclyWritable
The total number of buckets that allow the general public to have write access to the bucket.
Long unknown
The total number of buckets that Amazon Macie wasn't able to evaluate permissions settings for. Macie can't determine whether these buckets are publicly accessible.
Long kmsManaged
The total number of buckets whose default encryption settings are configured to encrypt new objects with an Amazon Web Services managed KMS key or a customer managed KMS key. By default, these buckets encrypt new objects automatically using SSE-KMS encryption.
Long s3Managed
The total number of buckets whose default encryption settings are configured to encrypt new objects with an Amazon S3 managed key. By default, these buckets encrypt new objects automatically using SSE-S3 encryption.
Long unencrypted
The total number of buckets that don't specify default server-side encryption behavior for new objects. Default encryption settings aren't configured for these buckets.
Long unknown
The total number of buckets that Amazon Macie doesn't have current encryption metadata for. Macie can't provide current data about the default encryption settings for these buckets.
Long external
The total number of buckets that are shared with one or more of the following or any combination of the following: an Amazon CloudFront OAI, a CloudFront OAC, or an Amazon Web Services account that isn't in the same Amazon Macie organization.
Long internal
The total number of buckets that are shared with one or more Amazon Web Services accounts in the same Amazon Macie organization. These buckets aren't shared with Amazon CloudFront OAIs or OACs.
Long notShared
The total number of buckets that aren't shared with other Amazon Web Services accounts, Amazon CloudFront OAIs, or CloudFront OACs.
Long unknown
The total number of buckets that Amazon Macie wasn't able to evaluate shared access settings for. Macie can't determine whether these buckets are shared with other Amazon Web Services accounts, Amazon CloudFront OAIs, or CloudFront OACs.
Long allowsUnencryptedObjectUploads
The total number of buckets that don't have a bucket policy or have a bucket policy that doesn't require server-side encryption of new objects. If a bucket policy exists, the policy doesn't require PutObject requests to include a valid server-side encryption header: the x-amz-server-side-encryption header with a value of AES256 or aws:kms, or the x-amz-server-side-encryption-customer-algorithm header with a value of AES256.
Long deniesUnencryptedObjectUploads
The total number of buckets whose bucket policies require server-side encryption of new objects. PutObject requests for these buckets must include a valid server-side encryption header: the x-amz-server-side-encryption header with a value of AES256 or aws:kms, or the x-amz-server-side-encryption-customer-algorithm header with a value of AES256.
Long unknown
The total number of buckets that Amazon Macie wasn't able to evaluate server-side encryption requirements for. Macie can't determine whether the bucket policies for these buckets require server-side encryption of new objects.
List<E> eq
The value for the property matches (equals) the specified value. If you specify multiple values, Amazon Macie uses OR logic to join the values.
Long gt
The value for the property is greater than the specified value.
Long gte
The value for the property is greater than or equal to the specified value.
Long lt
The value for the property is less than the specified value.
Long lte
The value for the property is less than or equal to the specified value.
List<E> neq
The value for the property doesn't match (doesn't equal) the specified value. If you specify multiple values, Amazon Macie uses OR logic to join the values.
String prefix
The name of the bucket begins with the specified value.
AccessControlList accessControlList
The permissions settings of the access control list (ACL) for the bucket. This value is null if an ACL hasn't been defined for the bucket.
BlockPublicAccess blockPublicAccess
The block public access settings for the bucket.
BucketPolicy bucketPolicy
The permissions settings of the bucket policy for the bucket. This value is null if a bucket policy hasn't been defined for the bucket.
String accountId
The unique identifier for the Amazon Web Services account that owns the bucket.
String allowsUnencryptedObjectUploads
Specifies whether the bucket policy for the bucket requires server-side encryption of objects when objects are added to the bucket. Possible values are:
FALSE - The bucket policy requires server-side encryption of new objects. PutObject requests must include a valid server-side encryption header.
TRUE - The bucket doesn't have a bucket policy or it has a bucket policy that doesn't require server-side encryption of new objects. If a bucket policy exists, it doesn't require PutObject requests to include a valid server-side encryption header.
UNKNOWN - Amazon Macie can't determine whether the bucket policy requires server-side encryption of new objects.
Valid server-side encryption headers are: x-amz-server-side-encryption with a value of AES256 or aws:kms, and x-amz-server-side-encryption-customer-algorithm with a value of AES256.
String bucketArn
The Amazon Resource Name (ARN) of the bucket.
Date bucketCreatedAt
The date and time, in UTC and extended ISO 8601 format, when the bucket was created. This value can also indicate when changes such as edits to the bucket's policy were most recently made to the bucket.
String bucketName
The name of the bucket.
Long classifiableObjectCount
The total number of objects that Amazon Macie can analyze in the bucket. These objects use a supported storage class and have a file name extension for a supported file or storage format.
Long classifiableSizeInBytes
The total storage size, in bytes, of the objects that Amazon Macie can analyze in the bucket. These objects use a supported storage class and have a file name extension for a supported file or storage format.
If versioning is enabled for the bucket, Macie calculates this value based on the size of the latest version of each applicable object in the bucket. This value doesn't reflect the storage size of all versions of each applicable object in the bucket.
String errorCode
The error code for an error that prevented Amazon Macie from retrieving and processing information about the bucket and the bucket's objects. If this value is ACCESS_DENIED, Macie doesn't have permission to retrieve the information. For example, the bucket has a restrictive bucket policy and Amazon S3 denied the request. If this value is null, Macie was able to retrieve and process the information.
String errorMessage
A brief description of the error (errorCode) that prevented Amazon Macie from retrieving and processing information about the bucket and the bucket's objects. This value is null if Macie was able to retrieve and process the information.
JobDetails jobDetails
Specifies whether any one-time or recurring classification jobs are configured to analyze data in the bucket, and, if so, the details of the job that ran most recently.
Date lastAutomatedDiscoveryTime
The date and time, in UTC and extended ISO 8601 format, when Amazon Macie most recently analyzed data in the bucket while performing automated sensitive data discovery for your account. This value is null if automated sensitive data discovery is currently disabled for your account.
Date lastUpdated
The date and time, in UTC and extended ISO 8601 format, when Amazon Macie most recently retrieved bucket or object metadata from Amazon S3 for the bucket.
Long objectCount
The total number of objects in the bucket.
ObjectCountByEncryptionType objectCountByEncryptionType
The total number of objects in the bucket, grouped by server-side encryption type. This includes a grouping that reports the total number of objects that aren't encrypted or use client-side encryption.
BucketPublicAccess publicAccess
Specifies whether the bucket is publicly accessible due to the combination of permissions settings that apply to the bucket, and provides information about those settings.
String region
The Amazon Web Services Region that hosts the bucket.
ReplicationDetails replicationDetails
Specifies whether the bucket is configured to replicate one or more objects to buckets for other Amazon Web Services accounts and, if so, which accounts.
Integer sensitivityScore
The sensitivity score for the bucket, ranging from -1 (classification error) to 100 (sensitive). This value is null if automated sensitive data discovery is currently disabled for your account.
BucketServerSideEncryption serverSideEncryption
The default server-side encryption settings for the bucket.
String sharedAccess
Specifies whether the bucket is shared with another Amazon Web Services account, an Amazon CloudFront origin access identity (OAI), or a CloudFront origin access control (OAC). Possible values are:
EXTERNAL - The bucket is shared with one or more of the following or any combination of the following: a CloudFront OAI, a CloudFront OAC, or an Amazon Web Services account that isn't part of your Amazon Macie organization.
INTERNAL - The bucket is shared with one or more Amazon Web Services accounts that are part of your Amazon Macie organization. It isn't shared with a CloudFront OAI or OAC.
NOT_SHARED - The bucket isn't shared with another Amazon Web Services account, a CloudFront OAI, or a CloudFront OAC.
UNKNOWN - Amazon Macie wasn't able to evaluate the shared access settings for the bucket.
An Amazon Macie organization is a set of Macie accounts that are centrally managed as a group of related accounts through Organizations or by Macie invitation.
Long sizeInBytes
The total storage size, in bytes, of the bucket.
If versioning is enabled for the bucket, Amazon Macie calculates this value based on the size of the latest version of each object in the bucket. This value doesn't reflect the storage size of all versions of each object in the bucket.
Long sizeInBytesCompressed
The total storage size, in bytes, of the objects that are compressed (.gz, .gzip, .zip) files in the bucket.
If versioning is enabled for the bucket, Amazon Macie calculates this value based on the size of the latest version of each applicable object in the bucket. This value doesn't reflect the storage size of all versions of each applicable object in the bucket.
List<E> tags
An array that specifies the tags (keys and values) that are associated with the bucket.
ObjectLevelStatistics unclassifiableObjectCount
The total number of objects that Amazon Macie can't analyze in the bucket. These objects don't use a supported storage class or don't have a file name extension for a supported file or storage format.
ObjectLevelStatistics unclassifiableObjectSizeInBytes
The total storage size, in bytes, of the objects that Amazon Macie can't analyze in the bucket. These objects don't use a supported storage class or don't have a file name extension for a supported file or storage format.
Boolean versioning
Specifies whether versioning is enabled for the bucket.
AccountLevelPermissions accountLevelPermissions
The account-level permissions settings that apply to the bucket.
BucketLevelPermissions bucketLevelPermissions
The bucket-level permissions settings for the bucket.
Boolean allowsPublicReadAccess
Specifies whether the bucket policy allows the general public to have read access to the bucket.
Boolean allowsPublicWriteAccess
Specifies whether the bucket policy allows the general public to have write access to the bucket.
String effectivePermission
Specifies whether the bucket is publicly accessible due to the combination of permissions settings that apply to the bucket. Possible values are:
NOT_PUBLIC - The bucket isn't publicly accessible.
PUBLIC - The bucket is publicly accessible.
UNKNOWN - Amazon Macie can't determine whether the bucket is publicly accessible.
BucketPermissionConfiguration permissionConfiguration
The account-level and bucket-level permissions settings for the bucket.
String kmsMasterKeyId
The Amazon Resource Name (ARN) or unique identifier (key ID) for the KMS key that's used by default to encrypt objects that are added to the bucket. This value is null if the bucket is configured to use an Amazon S3 managed key to encrypt new objects.
String type
The server-side encryption algorithm that's used by default to encrypt objects that are added to the bucket. Possible values are:
AES256 - New objects are encrypted with an Amazon S3 managed key. They use SSE-S3 encryption.
aws:kms - New objects are encrypted with an KMS key (kmsMasterKeyId), either an Amazon Web Services managed key or a customer managed key. They use SSE-KMS encryption.
NONE - The bucket's default encryption settings don't specify server-side encryption behavior for new objects.
String attributeName
The name of the bucket property to sort the results by. This value can be one of the following properties that Amazon Macie defines as bucket metadata: accountId, bucketName, classifiableObjectCount, classifiableSizeInBytes, objectCount, sensitivityScore, or sizeInBytes.
String orderBy
The sort order to apply to the results, based on the value specified by the attributeName property. Valid values are: ASC, sort the results in ascending order; and, DESC, sort the results in descending order.
SensitivityAggregations classificationError
The aggregated statistical data for all buckets that have a sensitivity score of -1.
SensitivityAggregations notClassified
The aggregated statistical data for all buckets that have a sensitivity score of 50.
SensitivityAggregations notSensitive
The aggregated statistical data for all buckets that have a sensitivity score of 1-49.
SensitivityAggregations sensitive
The aggregated statistical data for all buckets that have a sensitivity score of 51-100.
String cellReference
The location of the cell, as an absolute cell reference, that contains the sensitive data, for example Sheet2!C5 for cell C5 on Sheet2 in a Microsoft Excel workbook. This value is null for CSV and TSV files.
Long column
The column number of the column that contains the sensitive data. For a Microsoft Excel workbook, this value correlates to the alphabetical character(s) for a column identifier, for example: 1 for column A, 2 for column B, and so on.
String columnName
The name of the column that contains the sensitive data, if available.
Long row
The row number of the row that contains the sensitive data.
String detailedResultsLocation
The path to the folder or file in Amazon S3 that contains the corresponding sensitive data discovery result for the finding. If a finding applies to a large archive or compressed file, this value is the path to a folder. Otherwise, this value is the path to a file.
String jobArn
The Amazon Resource Name (ARN) of the classification job that produced the finding. This value is null if the origin of the finding (originType) is AUTOMATED_SENSITIVE_DATA_DISCOVERY.
String jobId
The unique identifier for the classification job that produced the finding. This value is null if the origin of the finding (originType) is AUTOMATED_SENSITIVE_DATA_DISCOVERY.
String originType
Specifies how Amazon Macie found the sensitive data that produced the finding. Possible values are: SENSITIVE_DATA_DISCOVERY_JOB, for a classification job; and, AUTOMATED_SENSITIVE_DATA_DISCOVERY, for automated sensitive data discovery.
ClassificationResult result
The status and other details of the finding.
S3Destination s3Destination
The S3 bucket to store data classification results in, and the encryption settings to use when storing results in that bucket.
Boolean additionalOccurrences
Specifies whether Amazon Macie detected additional occurrences of sensitive data in the S3 object. A finding includes location data for a maximum of 15 occurrences of sensitive data.
This value can help you determine whether to investigate additional occurrences of sensitive data in an object. You can do this by referring to the corresponding sensitive data discovery result for the finding (classificationDetails.detailedResultsLocation).
CustomDataIdentifiers customDataIdentifiers
The custom data identifiers that detected the sensitive data and the number of occurrences of the data that they detected.
String mimeType
The type of content, as a MIME type, that the finding applies to. For example, application/gzip, for a GNU Gzip compressed archive file, or application/pdf, for an Adobe Portable Document Format file.
List<E> sensitiveData
The category, types, and number of occurrences of the sensitive data that produced the finding.
Long sizeClassified
The total size, in bytes, of the data that the finding applies to.
ClassificationResultStatus status
The status of the finding.
String code
The status of the finding. Possible values are:
COMPLETE - Amazon Macie successfully completed its analysis of the S3 object that the finding applies to.
PARTIAL - Macie analyzed only a subset of the data in the S3 object that the finding applies to. For example, the object is an archive file that contains files in an unsupported format.
SKIPPED - Macie wasn't able to analyze the S3 object that the finding applies to. For example, the object is a file that uses an unsupported format.
String reason
A brief description of the status of the finding. This value is null if the status (code) of the finding is COMPLETE.
Amazon Macie uses this value to notify you of any errors, warnings, or considerations that might impact your analysis of the finding and the affected S3 object. Possible values are:
ARCHIVE_CONTAINS_UNPROCESSED_FILES - The object is an archive file and Macie extracted and analyzed only some or none of the files in the archive. To determine which files Macie analyzed, if any, refer to the corresponding sensitive data discovery result for the finding (classificationDetails.detailedResultsLocation).
ARCHIVE_EXCEEDS_SIZE_LIMIT - The object is an archive file whose total storage size exceeds the size quota for this type of archive.
ARCHIVE_NESTING_LEVEL_OVER_LIMIT - The object is an archive file whose nested depth exceeds the quota for the maximum number of nested levels that Macie analyzes for this type of archive.
ARCHIVE_TOTAL_BYTES_EXTRACTED_OVER_LIMIT - The object is an archive file that exceeds the quota for the maximum amount of data that Macie extracts and analyzes for this type of archive.
ARCHIVE_TOTAL_DOCUMENTS_PROCESSED_OVER_LIMIT - The object is an archive file that contains more than the maximum number of files that Macie extracts and analyzes for this type of archive.
FILE_EXCEEDS_SIZE_LIMIT - The storage size of the object exceeds the size quota for this type of file.
INVALID_ENCRYPTION - The object is encrypted using server-side encryption but Macie isn't allowed to use the key. Macie can't decrypt and analyze the object.
INVALID_KMS_KEY - The object is encrypted with an KMS key that was disabled or is being deleted. Macie can't decrypt and analyze the object.
INVALID_OBJECT_STATE - The object doesn't use a supported Amazon S3 storage class.
JSON_NESTING_LEVEL_OVER_LIMIT - The object contains JSON data and the nested depth of the data exceeds the quota for the number of nested levels that Macie analyzes for this type of file.
MALFORMED_FILE - The object is a malformed or corrupted file. An error occurred when Macie attempted to detect the file's type or extract data from the file.
MALFORMED_OR_FILE_SIZE_EXCEEDS_LIMIT - The object is a Microsoft Office file that is malformed or exceeds the size quota for this type of file. If the file is malformed, an error occurred when Macie attempted to extract data from the file.
NO_SUCH_BUCKET_AVAILABLE - The object was in a bucket that was deleted shortly before or when Macie attempted to analyze the object.
OBJECT_VERSION_MISMATCH - The object was changed while Macie was analyzing it.
OOXML_UNCOMPRESSED_RATIO_EXCEEDS_LIMIT - The object is an Office Open XML file whose compression ratio exceeds the compression quota for this type of file.
OOXML_UNCOMPRESSED_SIZE_EXCEEDS_LIMIT - The object is an Office Open XML file that exceeds the size quota for this type of file.
PERMISSION_DENIED - Macie isn't allowed to access the object. The object's permissions settings prevent Macie from analyzing the object.
SOURCE_OBJECT_NO_LONGER_AVAILABLE - The object was deleted shortly before or when Macie attempted to analyze it.
TIME_CUT_OFF_REACHED - Macie started analyzing the object but additional analysis would exceed the time quota for analyzing an object.
UNABLE_TO_PARSE_FILE - The object is a file that contains structured data and an error occurred when Macie attempted to parse the data.
UNSUPPORTED_FILE_TYPE_EXCEPTION - The object is a file that uses an unsupported file or storage format.
For information about quotas, supported storage classes, and supported file and storage formats, see Quotas and Supported storage classes and formats in the Amazon Macie User Guide.
String clientToken
A unique, case-sensitive token that you provide to ensure the idempotency of the request.
AllowListCriteria criteria
The criteria that specify the text or text pattern to ignore. The criteria can be the location and name of an S3 object that lists specific text to ignore (s3WordsList), or a regular expression (regex) that defines a text pattern to ignore.
String description
A custom description of the allow list. The description can contain as many as 512 characters.
String name
A custom name for the allow list. The name can contain as many as 128 characters.
Map<K,V> tags
A map of key-value pairs that specifies the tags to associate with the allow list.
An allow list can have a maximum of 50 tags. Each tag consists of a tag key and an associated tag value. The maximum length of a tag key is 128 characters. The maximum length of a tag value is 256 characters.
List<E> allowListIds
An array of unique identifiers, one for each allow list for the job to use when it analyzes data.
String clientToken
A unique, case-sensitive token that you provide to ensure the idempotency of the request.
List<E> customDataIdentifierIds
An array of unique identifiers, one for each custom data identifier for the job to use when it analyzes data. To use only managed data identifiers, don't specify a value for this property and specify a value other than NONE for the managedDataIdentifierSelector property.
String description
A custom description of the job. The description can contain as many as 200 characters.
Boolean initialRun
For a recurring job, specifies whether to analyze all existing, eligible objects immediately after the job is created (true). To analyze only those objects that are created or changed after you create the job and before the job's first scheduled run, set this value to false.
If you configure the job to run only once, don't specify a value for this property.
String jobType
The schedule for running the job. Valid values are:
ONE_TIME - Run the job only once. If you specify this value, don't specify a value for the scheduleFrequency property.
SCHEDULED - Run the job on a daily, weekly, or monthly basis. If you specify this value, use the scheduleFrequency property to define the recurrence pattern for the job.
List<E> managedDataIdentifierIds
An array of unique identifiers, one for each managed data identifier for the job to include (use) or exclude (not use) when it analyzes data. Inclusion or exclusion depends on the managed data identifier selection type that you specify for the job (managedDataIdentifierSelector).
To retrieve a list of valid values for this property, use the ListManagedDataIdentifiers operation.
String managedDataIdentifierSelector
The selection type to apply when determining which managed data identifiers the job uses to analyze data. Valid values are:
ALL - Use all managed data identifiers. If you specify this value, don't specify any values for the managedDataIdentifierIds property.
EXCLUDE - Use all managed data identifiers except the ones specified by the managedDataIdentifierIds property.
INCLUDE - Use only the managed data identifiers specified by the managedDataIdentifierIds property.
NONE - Don't use any managed data identifiers. If you specify this value, specify at least one value for the customDataIdentifierIds property and don't specify any values for the managedDataIdentifierIds property.
RECOMMENDED (default) - Use the recommended set of managed data identifiers. If you specify this value, don't specify any values for the managedDataIdentifierIds property.
If you don't specify a value for this property, the job uses the recommended set of managed data identifiers.
If the job is a recurring job and you specify ALL or EXCLUDE, each job run automatically uses new managed data identifiers that are released. If you don't specify a value for this property or you specify RECOMMENDED for a recurring job, each job run automatically uses all the managed data identifiers that are in the recommended set when the run starts.
For information about individual managed data identifiers or to determine which ones are in the recommended set, see Using managed data identifiers and Recommended managed data identifiers in the Amazon Macie User Guide.
String name
A custom name for the job. The name can contain as many as 500 characters.
S3JobDefinition s3JobDefinition
The S3 buckets that contain the objects to analyze, and the scope of that analysis.
Integer samplingPercentage
The sampling depth, as a percentage, for the job to apply when processing objects. This value determines the percentage of eligible objects that the job analyzes. If this value is less than 100, Amazon Macie selects the objects to analyze at random, up to the specified percentage, and analyzes all the data in those objects.
JobScheduleFrequency scheduleFrequency
The recurrence pattern for running the job. To run the job only once, don't specify a value for this property and set the value for the jobType property to ONE_TIME.
Map<K,V> tags
A map of key-value pairs that specifies the tags to associate with the job.
A job can have a maximum of 50 tags. Each tag consists of a tag key and an associated tag value. The maximum length of a tag key is 128 characters. The maximum length of a tag value is 256 characters.
String clientToken
A unique, case-sensitive token that you provide to ensure the idempotency of the request.
String description
A custom description of the custom data identifier. The description can contain as many as 512 characters.
We strongly recommend that you avoid including any sensitive data in the description of a custom data identifier. Other users of your account might be able to see this description, depending on the actions that they're allowed to perform in Amazon Macie.
List<E> ignoreWords
An array that lists specific character sequences (ignore words) to exclude from the results. If the text matched by the regular expression contains any string in this array, Amazon Macie ignores it. The array can contain as many as 10 ignore words. Each ignore word can contain 4-90 UTF-8 characters. Ignore words are case sensitive.
List<E> keywords
An array that lists specific character sequences (keywords), one of which must precede and be within proximity (maximumMatchDistance) of the regular expression to match. The array can contain as many as 50 keywords. Each keyword can contain 3-90 UTF-8 characters. Keywords aren't case sensitive.
Integer maximumMatchDistance
The maximum number of characters that can exist between the end of at least one complete character sequence specified by the keywords array and the end of the text that matches the regex pattern. If a complete keyword precedes all the text that matches the pattern and the keyword is within the specified distance, Amazon Macie includes the result. The distance can be 1-300 characters. The default value is 50.
String name
A custom name for the custom data identifier. The name can contain as many as 128 characters.
We strongly recommend that you avoid including any sensitive data in the name of a custom data identifier. Other users of your account might be able to see this name, depending on the actions that they're allowed to perform in Amazon Macie.
String regex
The regular expression (regex) that defines the pattern to match. The expression can contain as many as 512 characters.
List<E> severityLevels
The severity to assign to findings that the custom data identifier produces, based on the number of occurrences of text that match the custom data identifier's detection criteria. You can specify as many as three SeverityLevel objects in this array, one for each severity: LOW, MEDIUM, or HIGH. If you specify more than one, the occurrences thresholds must be in ascending order by severity, moving from LOW to HIGH. For example, 1 for LOW, 50 for MEDIUM, and 100 for HIGH. If an S3 object contains fewer occurrences than the lowest specified threshold, Amazon Macie doesn't create a finding.
If you don't specify any values for this array, Macie creates findings for S3 objects that contain at least one occurrence of text that matches the detection criteria, and Macie assigns the MEDIUM severity to those findings.
Map<K,V> tags
A map of key-value pairs that specifies the tags to associate with the custom data identifier.
A custom data identifier can have a maximum of 50 tags. Each tag consists of a tag key and an associated tag value. The maximum length of a tag key is 128 characters. The maximum length of a tag value is 256 characters.
String customDataIdentifierId
The unique identifier for the custom data identifier that was created.
String action
The action to perform on findings that match the filter criteria (findingCriteria). Valid values are: ARCHIVE, suppress (automatically archive) the findings; and, NOOP, don't perform any action on the findings.
String clientToken
A unique, case-sensitive token that you provide to ensure the idempotency of the request.
String description
A custom description of the filter. The description can contain as many as 512 characters.
We strongly recommend that you avoid including any sensitive data in the description of a filter. Other users of your account might be able to see this description, depending on the actions that they're allowed to perform in Amazon Macie.
FindingCriteria findingCriteria
The criteria to use to filter findings.
String name
A custom name for the filter. The name must contain at least 3 characters and can contain as many as 64 characters.
We strongly recommend that you avoid including any sensitive data in the name of a filter. Other users of your account might be able to see this name, depending on the actions that they're allowed to perform in Amazon Macie.
Integer position
The position of the filter in the list of saved filters on the Amazon Macie console. This value also determines the order in which the filter is applied to findings, relative to other filters that are also applied to the findings.
Map<K,V> tags
A map of key-value pairs that specifies the tags to associate with the filter.
A findings filter can have a maximum of 50 tags. Each tag consists of a tag key and an associated tag value. The maximum length of a tag key is 128 characters. The maximum length of a tag value is 256 characters.
List<E> accountIds
An array that lists Amazon Web Services account IDs, one for each account to send the invitation to.
Boolean disableEmailNotification
Specifies whether to send the invitation as an email message. If this value is false, Amazon Macie sends the invitation (as an email message) to the email address that you specified for the recipient's account when you associated the account with your account. The default value is false.
String message
Custom text to include in the email message that contains the invitation. The text can contain as many as 80 alphanumeric characters.
AccountDetail account
The details of the account to associate with the administrator account.
Map<K,V> tags
A map of key-value pairs that specifies the tags to associate with the account in Amazon Macie.
An account can have a maximum of 50 tags. Each tag consists of a tag key and an associated tag value. The maximum length of a tag key is 128 characters. The maximum length of a tag value is 256 characters.
String arn
The Amazon Resource Name (ARN) of the account that was associated with the administrator account.
SimpleCriterionForJob simpleCriterion
A property-based condition that defines a property, operator, and one or more values for including or excluding buckets from the job.
TagCriterionForJob tagCriterion
A tag-based condition that defines an operator and tag keys, tag values, or tag key and value pairs for including or excluding buckets from the job.
List<E> eq
The value for the property matches (equals) the specified value. If you specify multiple values, Macie uses OR logic to join the values.
List<E> eqExactMatch
The value for the property exclusively matches (equals an exact match for) all the specified values. If you specify multiple values, Amazon Macie uses AND logic to join the values.
You can use this operator with the following properties: customDataIdentifiers.detections.arn, customDataIdentifiers.detections.name, resourcesAffected.s3Bucket.tags.key, resourcesAffected.s3Bucket.tags.value, resourcesAffected.s3Object.tags.key, resourcesAffected.s3Object.tags.value, sensitiveData.category, and sensitiveData.detections.type.
Long gt
The value for the property is greater than the specified value.
Long gte
The value for the property is greater than or equal to the specified value.
Long lt
The value for the property is less than the specified value.
Long lte
The value for the property is less than or equal to the specified value.
List<E> neq
The value for the property doesn't match (doesn't equal) the specified value. If you specify multiple values, Macie uses OR logic to join the values.
List<E> detections
The custom data identifiers that detected the data, and the number of occurrences of the data that each identifier detected.
Long totalCount
The total number of occurrences of the data that was detected by the custom data identifiers and produced the finding.
String arn
The Amazon Resource Name (ARN) of the custom data identifier.
Date createdAt
The date and time, in UTC and extended ISO 8601 format, when the custom data identifier was created.
String description
The custom description of the custom data identifier.
String id
The unique identifier for the custom data identifier.
String name
The custom name of the custom data identifier.
String arn
The unique identifier for the custom data identifier.
Long count
The total number of occurrences of the sensitive data that the custom data identifier detected.
String name
The name of the custom data identifier.
Occurrences occurrences
The location of 1-15 occurrences of the sensitive data that the custom data identifier detected. A finding includes location data for a maximum of 15 occurrences of sensitive data.
Long count
The total number of occurrences of the type of sensitive data that was detected.
Occurrences occurrences
The location of 1-15 occurrences of the sensitive data that was detected. A finding includes location data for a maximum of 15 occurrences of sensitive data.
String type
The type of sensitive data that was detected. For example, AWS_CREDENTIALS, PHONE_NUMBER, or ADDRESS.
String id
The unique identifier for the Amazon Macie resource that the request applies to.
String ignoreJobChecks
Specifies whether to force deletion of the allow list, even if active classification jobs are configured to use the list.
When you try to delete an allow list, Amazon Macie checks for classification jobs that use the list and have a status other than COMPLETE or CANCELLED. By default, Macie rejects your request if any jobs meet these criteria. To skip these checks and delete the list, set this value to true. To delete the list only if no active jobs are configured to use it, set this value to false.
String id
The unique identifier for the Amazon Macie resource that the request applies to.
String id
The unique identifier for the Amazon Macie resource that the request applies to.
String id
The unique identifier for the Amazon Macie resource that the request applies to.
Map<K,V> criteria
The criteria to use to filter the query results.
Integer maxResults
The maximum number of items to include in each page of the response. The default value is 50.
String nextToken
The nextToken string that specifies which page of results to return in a paginated response.
BucketSortCriteria sortCriteria
The criteria to use to sort the query results.
List<E> buckets
An array of objects, one for each bucket that matches the filter criteria specified in the request.
String nextToken
The string to use in a subsequent request to get the next page of results in a paginated response. This value is null if there are no additional pages.
String jobId
The unique identifier for the classification job.
List<E> allowListIds
An array of unique identifiers, one for each allow list that the job uses when it analyzes data.
String clientToken
The token that was provided to ensure the idempotency of the request to create the job.
Date createdAt
The date and time, in UTC and extended ISO 8601 format, when the job was created.
List<E> customDataIdentifierIds
An array of unique identifiers, one for each custom data identifier that the job uses when it analyzes data. This value is null if the job uses only managed data identifiers to analyze data.
String description
The custom description of the job.
Boolean initialRun
For a recurring job, specifies whether you configured the job to analyze all existing, eligible objects immediately after the job was created (true). If you configured the job to analyze only those objects that were created or changed after the job was created and before the job's first scheduled run, this value is false. This value is also false for a one-time job.
String jobArn
The Amazon Resource Name (ARN) of the job.
String jobId
The unique identifier for the job.
String jobStatus
The current status of the job. Possible values are:
CANCELLED - You cancelled the job or, if it's a one-time job, you paused the job and didn't resume it within 30 days.
COMPLETE - For a one-time job, Amazon Macie finished processing the data specified for the job. This value doesn't apply to recurring jobs.
IDLE - For a recurring job, the previous scheduled run is complete and the next scheduled run is pending. This value doesn't apply to one-time jobs.
PAUSED - Macie started running the job but additional processing would exceed the monthly sensitive data discovery quota for your account or one or more member accounts that the job analyzes data for.
RUNNING - For a one-time job, the job is in progress. For a recurring job, a scheduled run is in progress.
USER_PAUSED - You paused the job. If you paused the job while it had a status of RUNNING and you don't resume it within 30 days of pausing it, the job or job run will expire and be cancelled, depending on the job's type. To check the expiration date, refer to the UserPausedDetails.jobExpiresAt property.
String jobType
The schedule for running the job. Possible values are:
ONE_TIME - The job runs only once.
SCHEDULED - The job runs on a daily, weekly, or monthly basis. The scheduleFrequency property indicates the recurrence pattern for the job.
LastRunErrorStatus lastRunErrorStatus
Specifies whether any account- or bucket-level access errors occurred when the job ran. For a recurring job, this value indicates the error status of the job's most recent run.
Date lastRunTime
The date and time, in UTC and extended ISO 8601 format, when the job started. If the job is a recurring job, this value indicates when the most recent run started or, if the job hasn't run yet, when the job was created.
List<E> managedDataIdentifierIds
An array of unique identifiers, one for each managed data identifier that the job is explicitly configured to include (use) or exclude (not use) when it analyzes data. Inclusion or exclusion depends on the managed data identifier selection type specified for the job (managedDataIdentifierSelector).
This value is null if the job's managed data identifier selection type is ALL, NONE, or RECOMMENDED.
String managedDataIdentifierSelector
The selection type that determines which managed data identifiers the job uses when it analyzes data. Possible values are:
ALL - Use all managed data identifiers.
EXCLUDE - Use all managed data identifiers except the ones specified by the managedDataIdentifierIds property.
INCLUDE - Use only the managed data identifiers specified by the managedDataIdentifierIds property.
NONE - Don't use any managed data identifiers. Use only custom data identifiers (customDataIdentifierIds).
RECOMMENDED (default) - Use the recommended set of managed data identifiers.
If this value is null, the job uses the recommended set of managed data identifiers.
If the job is a recurring job and this value is ALL or EXCLUDE, each job run automatically uses new managed data identifiers that are released. If this value is null or RECOMMENDED for a recurring job, each job run uses all the managed data identifiers that are in the recommended set when the run starts.
For information about individual managed data identifiers or to determine which ones are in the recommended set, see Using managed data identifiers and Recommended managed data identifiers in the Amazon Macie User Guide.
String name
The custom name of the job.
S3JobDefinition s3JobDefinition
The S3 buckets that contain the objects to analyze, and the scope of that analysis.
Integer samplingPercentage
The sampling depth, as a percentage, that determines the percentage of eligible objects that the job analyzes.
JobScheduleFrequency scheduleFrequency
The recurrence pattern for running the job. This value is null if the job is configured to run only once.
Statistics statistics
The number of times that the job has run and processing statistics for the job's current run.
Map<K,V> tags
A map of key-value pairs that specifies which tags (keys and values) are associated with the classification job.
UserPausedDetails userPausedDetails
If the current status of the job is USER_PAUSED, specifies when the job was paused and when the job or job run will expire and be cancelled if it isn't resumed. This value is present only if the value for jobStatus is USER_PAUSED.
String value
An occurrence of the specified type of sensitive data. Each occurrence contains 1-128 characters.
String arn
If the sensitive data was detected by a custom data identifier, the Amazon Resource Name (ARN) of the custom data identifier that detected the data. Otherwise, this value is null.
Long count
The total number of occurrences of the sensitive data.
String id
The unique identifier for the custom data identifier or managed data identifier that detected the sensitive data. For additional details about a specified managed data identifier, see Using managed data identifiers in the Amazon Macie User Guide.
String name
The name of the custom data identifier or managed data identifier that detected the sensitive data. For a managed data identifier, this value is the same as the unique identifier (id).
Boolean suppressed
Specifies whether occurrences of this type of sensitive data are excluded (true) or included (false) in the bucket's sensitivity score.
String type
The type of data identifier that detected the sensitive data. Possible values are: CUSTOM, for a custom data identifier; and, MANAGED, for a managed data identifier.
String adminAccountId
The Amazon Web Services account ID of the delegated Amazon Macie administrator account.
String id
The unique identifier for the Amazon Macie resource that the request applies to.
String domainName
The name of the domain.
String clientToken
A unique, case-sensitive token that you provide to ensure the idempotency of the request.
String findingPublishingFrequency
Specifies how often to publish updates to policy findings for the account. This includes publishing updates to Security Hub and Amazon EventBridge (formerly Amazon CloudWatch Events).
String status
Specifies the new status for the account. To enable Amazon Macie and start all Macie activities for the account, set this value to ENABLED.
String accessKeyId
The Amazon Web Services access key ID that identifies the credentials.
String accountId
The unique identifier for the Amazon Web Services account that owns the entity that was used to get the credentials.
String arn
The Amazon Resource Name (ARN) of the entity that was used to get the credentials.
String principalId
The unique identifier for the entity that was used to get the credentials.
SessionContext sessionContext
The details of the session that was created for the credentials, including the entity that issued the session.
String accountId
The unique identifier for the Amazon Web Services account that the finding applies to. This is typically the account that owns the affected resource.
Boolean archived
Specifies whether the finding is archived (suppressed).
String category
The category of the finding. Possible values are: CLASSIFICATION, for a sensitive data finding; and, POLICY, for a policy finding.
ClassificationDetails classificationDetails
The details of a sensitive data finding. This value is null for a policy finding.
Long count
The total number of occurrences of the finding. For sensitive data findings, this value is always 1. All sensitive data findings are considered unique.
Date createdAt
The date and time, in UTC and extended ISO 8601 format, when Amazon Macie created the finding.
String description
The description of the finding.
String id
The unique identifier for the finding. This is a random string that Amazon Macie generates and assigns to a finding when it creates the finding.
String partition
The Amazon Web Services partition that Amazon Macie created the finding in.
PolicyDetails policyDetails
The details of a policy finding. This value is null for a sensitive data finding.
String region
The Amazon Web Services Region that Amazon Macie created the finding in.
ResourcesAffected resourcesAffected
The resources that the finding applies to.
Boolean sample
Specifies whether the finding is a sample finding. A sample finding is a finding that uses example data to demonstrate what a finding might contain.
String schemaVersion
The version of the schema that was used to define the data structures in the finding.
Severity severity
The severity level and score for the finding.
String title
The brief description of the finding.
String type
The type of the finding.
Date updatedAt
The date and time, in UTC and extended ISO 8601 format, when Amazon Macie last updated the finding. For sensitive data findings, this value is the same as the value for the createdAt property. All sensitive data findings are considered new.
String actionType
The type of action that occurred for the affected resource. This value is typically AWS_API_CALL, which indicates that an entity invoked an API operation for the resource.
ApiCallDetails apiCallDetails
The invocation details of the API operation that an entity invoked for the affected resource, if the value for the actionType property is AWS_API_CALL.
DomainDetails domainDetails
The domain name of the device that the entity used to perform the action on the affected resource.
IpAddressDetails ipAddressDetails
The IP address of the device that the entity used to perform the action on the affected resource. This object also provides information such as the owner and geographic location for the IP address.
UserIdentity userIdentity
The type and other characteristics of the entity that performed the action on the affected resource.
String action
The action that's performed on findings that match the filter criteria. Possible values are: ARCHIVE, suppress (automatically archive) the findings; and, NOOP, don't perform any action on the findings.
String arn
The Amazon Resource Name (ARN) of the filter.
String id
The unique identifier for the filter.
String name
The custom name of the filter.
Map<K,V> tags
A map of key-value pairs that specifies which tags (keys and values) are associated with the filter.
String attributeName
The grouping to sort the results by. Valid values are: count, sort the results by the number of findings in each group of results; and, groupKey, sort the results by the name of each group of results.
String orderBy
The sort order to apply to the results, based on the value for the property specified by the attributeName property. Valid values are: ASC, sort the results in ascending order; and, DESC, sort the results in descending order.
Invitation administrator
The Amazon Web Services account ID for the administrator account. If the accounts are associated by an Amazon Macie membership invitation, this object also provides details about the invitation that was sent to establish the relationship between the accounts.
String id
The unique identifier for the Amazon Macie resource that the request applies to.
String arn
The Amazon Resource Name (ARN) of the allow list.
Date createdAt
The date and time, in UTC and extended ISO 8601 format, when the allow list was created in Amazon Macie.
AllowListCriteria criteria
The criteria that specify the text or text pattern to ignore. The criteria can be the location and name of an S3 object that lists specific text to ignore (s3WordsList), or a regular expression (regex) that defines a text pattern to ignore.
String description
The custom description of the allow list.
String id
The unique identifier for the allow list.
String name
The custom name of the allow list.
AllowListStatus status
The current status of the allow list, which indicates whether Amazon Macie can access and use the list's criteria.
Map<K,V> tags
A map of key-value pairs that specifies which tags (keys and values) are associated with the allow list.
Date updatedAt
The date and time, in UTC and extended ISO 8601 format, when the allow list's settings were most recently changed in Amazon Macie.
String classificationScopeId
The unique identifier for the classification scope that's used when performing automated sensitive data discovery for the account. The classification scope specifies S3 buckets to exclude from automated sensitive data discovery.
Date disabledAt
The date and time, in UTC and extended ISO 8601 format, when automated sensitive data discovery was most recently disabled for the account. This value is null if automated sensitive data discovery wasn't enabled and subsequently disabled for the account.
Date firstEnabledAt
The date and time, in UTC and extended ISO 8601 format, when automated sensitive data discovery was initially enabled for the account. This value is null if automated sensitive data discovery has never been enabled for the account.
Date lastUpdatedAt
The date and time, in UTC and extended ISO 8601 format, when automated sensitive data discovery was most recently enabled or disabled for the account.
String sensitivityInspectionTemplateId
The unique identifier for the sensitivity inspection template that's used when performing automated sensitive data discovery for the account. The template specifies which allow lists, custom data identifiers, and managed data identifiers to use when analyzing data.
String status
The current status of the automated sensitive data discovery configuration for the account. Possible values are: ENABLED, use the specified settings to perform automated sensitive data discovery activities for the account; and, DISABLED, don't perform automated sensitive data discovery activities for the account.
String accountId
The unique identifier for the Amazon Web Services account.
Long bucketCount
The total number of buckets.
BucketCountByEffectivePermission bucketCountByEffectivePermission
The total number of buckets that are publicly accessible due to a combination of permissions settings for each bucket.
BucketCountByEncryptionType bucketCountByEncryptionType
The total number of buckets whose settings do or don't specify default server-side encryption behavior for objects that are added to the buckets.
BucketCountPolicyAllowsUnencryptedObjectUploads bucketCountByObjectEncryptionRequirement
The total number of buckets whose bucket policies do or don't require server-side encryption of objects when objects are added to the buckets.
BucketCountBySharedAccessType bucketCountBySharedAccessType
The total number of buckets that are or aren't shared with other Amazon Web Services accounts, Amazon CloudFront origin access identities (OAIs), or CloudFront origin access controls (OACs).
BucketStatisticsBySensitivity bucketStatisticsBySensitivity
The aggregated sensitive data discovery statistics for the buckets. If automated sensitive data discovery is currently disabled for your account, the value for each statistic is 0.
Long classifiableObjectCount
The total number of objects that Amazon Macie can analyze in the buckets. These objects use a supported storage class and have a file name extension for a supported file or storage format.
Long classifiableSizeInBytes
The total storage size, in bytes, of all the objects that Amazon Macie can analyze in the buckets. These objects use a supported storage class and have a file name extension for a supported file or storage format.
If versioning is enabled for any of the buckets, this value is based on the size of the latest version of each applicable object in the buckets. This value doesn't reflect the storage size of all versions of all applicable objects in the buckets.
Date lastUpdated
The date and time, in UTC and extended ISO 8601 format, when Amazon Macie most recently retrieved bucket or object metadata from Amazon S3 for the buckets.
Long objectCount
The total number of objects in the buckets.
Long sizeInBytes
The total storage size, in bytes, of the buckets.
If versioning is enabled for any of the buckets, this value is based on the size of the latest version of each object in the buckets. This value doesn't reflect the storage size of all versions of the objects in the buckets.
Long sizeInBytesCompressed
The total storage size, in bytes, of the objects that are compressed (.gz, .gzip, .zip) files in the buckets.
If versioning is enabled for any of the buckets, this value is based on the size of the latest version of each applicable object in the buckets. This value doesn't reflect the storage size of all versions of the applicable objects in the buckets.
ObjectLevelStatistics unclassifiableObjectCount
The total number of objects that Amazon Macie can't analyze in the buckets. These objects don't use a supported storage class or don't have a file name extension for a supported file or storage format.
ObjectLevelStatistics unclassifiableObjectSizeInBytes
The total storage size, in bytes, of the objects that Amazon Macie can't analyze in the buckets. These objects don't use a supported storage class or don't have a file name extension for a supported file or storage format.
ClassificationExportConfiguration configuration
The location where data classification results are stored, and the encryption settings that are used when storing results in that location.
String id
The unique identifier for the Amazon Macie resource that the request applies to.
String id
The unique identifier for the classification scope.
String name
The name of the classification scope: automated-sensitive-data-discovery.
S3ClassificationScope s3
The S3 buckets that are excluded from automated sensitive data discovery.
String id
The unique identifier for the Amazon Macie resource that the request applies to.
String arn
The Amazon Resource Name (ARN) of the custom data identifier.
Date createdAt
The date and time, in UTC and extended ISO 8601 format, when the custom data identifier was created.
Boolean deleted
Specifies whether the custom data identifier was deleted. If you delete a custom data identifier, Amazon Macie doesn't delete it permanently. Instead, it soft deletes the identifier.
String description
The custom description of the custom data identifier.
String id
The unique identifier for the custom data identifier.
List<E> ignoreWords
An array that lists specific character sequences (ignore words) to exclude from the results. If the text matched by the regular expression contains any string in this array, Amazon Macie ignores it. Ignore words are case sensitive.
List<E> keywords
An array that lists specific character sequences (keywords), one of which must precede and be within proximity (maximumMatchDistance) of the regular expression to match. Keywords aren't case sensitive.
Integer maximumMatchDistance
The maximum number of characters that can exist between the end of at least one complete character sequence specified by the keywords array and the end of the text that matches the regex pattern. If a complete keyword precedes all the text that matches the pattern and the keyword is within the specified distance, Amazon Macie includes the result. Otherwise, Macie excludes the result.
String name
The custom name of the custom data identifier.
String regex
The regular expression (regex) that defines the pattern to match.
List<E> severityLevels
Specifies the severity that's assigned to findings that the custom data identifier produces, based on the number of occurrences of text that match the custom data identifier's detection criteria. By default, Amazon Macie creates findings for S3 objects that contain at least one occurrence of text that matches the detection criteria, and Macie assigns the MEDIUM severity to those findings.
Map<K,V> tags
A map of key-value pairs that identifies the tags (keys and values) that are associated with the custom data identifier.
String id
The unique identifier for the Amazon Macie resource that the request applies to.
String action
The action that's performed on findings that match the filter criteria (findingCriteria). Possible values are: ARCHIVE, suppress (automatically archive) the findings; and, NOOP, don't perform any action on the findings.
String arn
The Amazon Resource Name (ARN) of the filter.
String description
The custom description of the filter.
FindingCriteria findingCriteria
The criteria that's used to filter findings.
String id
The unique identifier for the filter.
String name
The custom name of the filter.
Integer position
The position of the filter in the list of saved filters on the Amazon Macie console. This value also determines the order in which the filter is applied to findings, relative to other filters that are also applied to the findings.
Map<K,V> tags
A map of key-value pairs that specifies which tags (keys and values) are associated with the filter.
SecurityHubConfiguration securityHubConfiguration
The configuration settings that determine which findings are published to Security Hub.
List<E> findingIds
An array of strings that lists the unique identifiers for the findings to retrieve. You can specify as many as 50 unique identifiers in this array.
SortCriteria sortCriteria
The criteria for sorting the results of the request.
FindingCriteria findingCriteria
The criteria to use to filter the query results.
String groupBy
The finding property to use to group the query results. Valid values are:
classificationDetails.jobId - The unique identifier for the classification job that produced the finding.
resourcesAffected.s3Bucket.name - The name of the S3 bucket that the finding applies to.
severity.description - The severity level of the finding, such as High or Medium.
type - The type of finding, such as Policy:IAMUser/S3BucketPublic and SensitiveData:S3Object/Personal.
Integer size
The maximum number of items to include in each page of the response.
FindingStatisticsSortCriteria sortCriteria
The criteria to use to sort the query results.
Long invitationsCount
The total number of invitations that were received by the account, not including the currently accepted invitation.
Date createdAt
The date and time, in UTC and extended ISO 8601 format, when the Amazon Macie account was created.
String findingPublishingFrequency
The frequency with which Amazon Macie publishes updates to policy findings for the account. This includes publishing updates to Security Hub and Amazon EventBridge (formerly Amazon CloudWatch Events).
String serviceRole
The Amazon Resource Name (ARN) of the service-linked role that allows Amazon Macie to monitor and analyze data in Amazon Web Services resources for the account.
String status
The current status of the Amazon Macie account. Possible values are: PAUSED, the account is enabled but all Macie activities are suspended (paused) for the account; and, ENABLED, the account is enabled and all Macie activities are enabled for the account.
Date updatedAt
The date and time, in UTC and extended ISO 8601 format, of the most recent change to the status or configuration settings for the Amazon Macie account.
Invitation master
(Deprecated) The Amazon Web Services account ID for the administrator account. If the accounts are associated by a Macie membership invitation, this object also provides details about the invitation that was sent to establish the relationship between the accounts.
String id
The unique identifier for the Amazon Macie resource that the request applies to.
String accountId
The Amazon Web Services account ID for the account.
String administratorAccountId
The Amazon Web Services account ID for the administrator account.
String arn
The Amazon Resource Name (ARN) of the account.
String email
The email address for the account. This value is null if the account is associated with the administrator account through Organizations.
Date invitedAt
The date and time, in UTC and extended ISO 8601 format, when an Amazon Macie membership invitation was last sent to the account. This value is null if a Macie membership invitation hasn't been sent to the account.
String masterAccountId
(Deprecated) The Amazon Web Services account ID for the administrator account. This property has been replaced by the administratorAccountId property and is retained only for backward compatibility.
String relationshipStatus
The current status of the relationship between the account and the administrator account.
Map<K,V> tags
A map of key-value pairs that specifies which tags (keys and values) are associated with the account in Amazon Macie.
Date updatedAt
The date and time, in UTC and extended ISO 8601 format, of the most recent change to the status of the relationship between the account and the administrator account.
String resourceArn
The Amazon Resource Name (ARN) of the S3 bucket that the request applies to.
Date profileUpdatedAt
The date and time, in UTC and extended ISO 8601 format, when Amazon Macie most recently recalculated sensitive data discovery statistics and details for the bucket. If the bucket's sensitivity score is calculated automatically, this includes the score.
Integer sensitivityScore
The current sensitivity score for the bucket, ranging from -1 (classification error) to 100 (sensitive). By default, this score is calculated automatically based on the amount of data that Amazon Macie has analyzed in the bucket and the amount of sensitive data that Macie has found in the bucket.
Boolean sensitivityScoreOverridden
Specifies whether the bucket's current sensitivity score was set manually. If this value is true, the score was manually changed to 100. If this value is false, the score was calculated automatically by Amazon Macie.
ResourceStatistics statistics
The sensitive data discovery statistics for the bucket. The statistics capture the results of automated sensitive data discovery activities that Amazon Macie has performed for the bucket.
RevealConfiguration configuration
The KMS key that's used to encrypt the sensitive data, and the status of the configuration for the Amazon Macie account.
RetrievalConfiguration retrievalConfiguration
The access method and settings that are used to retrieve the sensitive data.
String findingId
The unique identifier for the finding.
String code
Specifies whether occurrences of sensitive data can be retrieved for the finding. Possible values are: AVAILABLE, the sensitive data can be retrieved; and, UNAVAILABLE, the sensitive data can't be retrieved. If this value is UNAVAILABLE, the reasons array indicates why the data can't be retrieved.
List<E> reasons
Specifies why occurrences of sensitive data can't be retrieved for the finding. Possible values are:
ACCOUNT_NOT_IN_ORGANIZATION - The affected account isn't currently part of your organization. Or the account is part of your organization but Macie isn't currently enabled for the account. You're not allowed to access the affected S3 object by using Macie.
INVALID_CLASSIFICATION_RESULT - There isn't a corresponding sensitive data discovery result for the finding. Or the corresponding sensitive data discovery result isn't available, is malformed or corrupted, or uses an unsupported storage format. Macie can't verify the location of the sensitive data to retrieve.
INVALID_RESULT_SIGNATURE - The corresponding sensitive data discovery result is stored in an S3 object that wasn't signed by Macie. Macie can't verify the integrity and authenticity of the sensitive data discovery result. Therefore, Macie can't verify the location of the sensitive data to retrieve.
MEMBER_ROLE_TOO_PERMISSIVE - The affected member account is configured to retrieve occurrences of sensitive data by using an IAM role whose trust or permissions policy doesn't meet Macie requirements for restricting access to the role. Or the role's trust policy doesn't specify the correct external ID. Macie can't assume the role to retrieve the sensitive data.
MISSING_GET_MEMBER_PERMISSION - You're not allowed to retrieve information about the association between your account and the affected account. Macie can't determine whether you’re allowed to access the affected S3 object as the delegated Macie administrator for the affected account.
OBJECT_EXCEEDS_SIZE_QUOTA - The storage size of the affected S3 object exceeds the size quota for retrieving occurrences of sensitive data from this type of file.
OBJECT_UNAVAILABLE - The affected S3 object isn't available. The object was renamed, moved, or deleted. Or the object was changed after Macie created the finding.
RESULT_NOT_SIGNED - The corresponding sensitive data discovery result is stored in an S3 object that hasn't been signed. Macie can't verify the integrity and authenticity of the sensitive data discovery result. Therefore, Macie can't verify the location of the sensitive data to retrieve.
ROLE_TOO_PERMISSIVE - Your account is configured to retrieve occurrences of sensitive data by using an IAM role whose trust or permissions policy doesn't meet Macie requirements for restricting access to the role. Macie can’t assume the role to retrieve the sensitive data.
UNSUPPORTED_FINDING_TYPE - The specified finding isn't a sensitive data finding.
UNSUPPORTED_OBJECT_TYPE - The affected S3 object uses a file or storage format that Macie doesn't support for retrieving occurrences of sensitive data.
This value is null if sensitive data can be retrieved for the finding.
String findingId
The unique identifier for the finding.
String error
If an error occurred when Amazon Macie attempted to retrieve occurrences of sensitive data reported by the finding, a description of the error that occurred. This value is null if the status (status) of the request is PROCESSING or SUCCESS.
Map<K,V> sensitiveDataOccurrences
A map that specifies 1-100 types of sensitive data reported by the finding and, for each type, 1-10 occurrences of sensitive data.
String status
The status of the request to retrieve occurrences of sensitive data reported by the finding. Possible values are:
ERROR - An error occurred when Amazon Macie attempted to locate, retrieve, or encrypt the sensitive data. The error value indicates the nature of the error that occurred.
PROCESSING - Macie is processing the request.
SUCCESS - Macie successfully located, retrieved, and encrypted the sensitive data.
String id
The unique identifier for the Amazon Macie resource that the request applies to.
String description
The custom description of the template.
SensitivityInspectionTemplateExcludes excludes
The managed data identifiers that are explicitly excluded (not used) when analyzing data.
SensitivityInspectionTemplateIncludes includes
The allow lists, custom data identifiers, and managed data identifiers that are explicitly included (used) when analyzing data.
String name
The name of the template: automated-sensitive-data-discovery.
String sensitivityInspectionTemplateId
The unique identifier for the template.
List<E> filterBy
An array of objects, one for each condition to use to filter the query results. If you specify more than one condition, Amazon Macie uses an AND operator to join the conditions.
Integer maxResults
The maximum number of items to include in each page of the response.
String nextToken
The nextToken string that specifies which page of results to return in a paginated response.
UsageStatisticsSortBy sortBy
The criteria to use to sort the query results.
String timeRange
The inclusive time period to query usage data for. Valid values are: MONTH_TO_DATE, for the current calendar month to date; and, PAST_30_DAYS, for the preceding 30 days. If you don't specify a value, Amazon Macie provides usage data for the preceding 30 days.
String nextToken
The string to use in a subsequent request to get the next page of results in a paginated response. This value is null if there are no additional pages.
List<E> records
An array of objects that contains the results of the query. Each object contains the data for an account that matches the filter criteria specified in the request.
String timeRange
The inclusive time period that the usage data applies to. Possible values are: MONTH_TO_DATE, for the current calendar month to date; and, PAST_30_DAYS, for the preceding 30 days.
String timeRange
The inclusive time period to retrieve the data for. Valid values are: MONTH_TO_DATE, for the current calendar month to date; and, PAST_30_DAYS, for the preceding 30 days. If you don't specify a value for this parameter, Amazon Macie provides aggregated usage data for the preceding 30 days.
String timeRange
The inclusive time period that the usage data applies to. Possible values are: MONTH_TO_DATE, for the current calendar month to date; and, PAST_30_DAYS, for the preceding 30 days.
List<E> usageTotals
An array of objects that contains the results of the query. Each object contains the data for a specific usage metric.
String accountId
The unique identifier for the Amazon Web Services account that's associated with the IAM user who performed the action.
String arn
The Amazon Resource Name (ARN) of the principal that performed the action. The last section of the ARN contains the name of the user who performed the action.
String principalId
The unique identifier for the IAM user who performed the action.
String userName
The username of the IAM user who performed the action.
String accountId
The Amazon Web Services account ID for the account that sent the invitation.
String invitationId
The unique identifier for the invitation.
Date invitedAt
The date and time, in UTC and extended ISO 8601 format, when the invitation was sent.
String relationshipStatus
The status of the relationship between the account that sent the invitation and the account that received the invitation.
String ipAddressV4
The Internet Protocol version 4 (IPv4) address of the device.
IpCity ipCity
The city that the IP address originated from.
IpCountry ipCountry
The country that the IP address originated from.
IpGeoLocation ipGeoLocation
The geographic coordinates of the location that the IP address originated from.
IpOwner ipOwner
The registered owner of the IP address.
String name
The name of the city.
String asn
The autonomous system number (ASN) for the autonomous system that included the IP address.
String asnOrg
The organization identifier that's associated with the autonomous system number (ASN) for the autonomous system that included the IP address.
String isp
The name of the internet service provider (ISP) that owned the IP address.
String org
The name of the organization that owned the IP address.
String isDefinedInJob
Specifies whether any one-time or recurring jobs are configured to analyze data in the bucket. Possible values are:
TRUE - The bucket is explicitly included in the bucket definition (S3BucketDefinitionForJob) for one or more jobs and at least one of those jobs has a status other than CANCELLED. Or the bucket matched the bucket criteria (S3BucketCriteriaForJob) for at least one job that previously ran.
FALSE - The bucket isn't explicitly included in the bucket definition (S3BucketDefinitionForJob) for any jobs, all the jobs that explicitly include the bucket in their bucket definitions have a status of CANCELLED, or the bucket didn't match the bucket criteria (S3BucketCriteriaForJob) for any jobs that previously ran.
UNKNOWN - An exception occurred when Amazon Macie attempted to retrieve job data for the bucket.
String isMonitoredByJob
Specifies whether any recurring jobs are configured to analyze data in the bucket. Possible values are:
TRUE - The bucket is explicitly included in the bucket definition (S3BucketDefinitionForJob) for one or more recurring jobs or the bucket matches the bucket criteria (S3BucketCriteriaForJob) for one or more recurring jobs. At least one of those jobs has a status other than CANCELLED.
FALSE - The bucket isn't explicitly included in the bucket definition (S3BucketDefinitionForJob) for any recurring jobs, the bucket doesn't match the bucket criteria (S3BucketCriteriaForJob) for any recurring jobs, or all the recurring jobs that are configured to analyze data in the bucket have a status of CANCELLED.
UNKNOWN - An exception occurred when Amazon Macie attempted to retrieve job data for the bucket.
String lastJobId
The unique identifier for the job that ran most recently and is configured to analyze data in the bucket, either the latest run of a recurring job or the only run of a one-time job.
This value is typically null if the value for the isDefinedInJob property is FALSE or UNKNOWN.
Date lastJobRunTime
The date and time, in UTC and extended ISO 8601 format, when the job (lastJobId) started. If the job is a recurring job, this value indicates when the most recent run started.
This value is typically null if the value for the isDefinedInJob property is FALSE or UNKNOWN.
DailySchedule dailySchedule
Specifies a daily recurrence pattern for running the job.
MonthlySchedule monthlySchedule
Specifies a monthly recurrence pattern for running the job.
WeeklySchedule weeklySchedule
Specifies a weekly recurrence pattern for running the job.
SimpleScopeTerm simpleScopeTerm
A property-based condition that defines a property, operator, and one or more values for including or excluding objects from the job.
TagScopeTerm tagScopeTerm
A tag-based condition that defines the operator and tag keys or tag key and value pairs for including or excluding objects from the job.
S3BucketCriteriaForJob bucketCriteria
The property- and tag-based conditions that determine which S3 buckets are included or excluded from the job's analysis. Each time the job runs, the job uses these criteria to determine which buckets to analyze. A job's definition can contain a bucketCriteria object or a bucketDefinitions array, not both.
List<E> bucketDefinitions
An array of objects, one for each Amazon Web Services account that owns specific S3 buckets for the job to analyze. Each object specifies the account ID for an account and one or more buckets to analyze for that account. A job's definition can contain a bucketDefinitions array or a bucketCriteria object, not both.
Date createdAt
The date and time, in UTC and extended ISO 8601 format, when the job was created.
String jobId
The unique identifier for the job.
String jobStatus
The current status of the job. Possible values are:
CANCELLED - You cancelled the job or, if it's a one-time job, you paused the job and didn't resume it within 30 days.
COMPLETE - For a one-time job, Amazon Macie finished processing the data specified for the job. This value doesn't apply to recurring jobs.
IDLE - For a recurring job, the previous scheduled run is complete and the next scheduled run is pending. This value doesn't apply to one-time jobs.
PAUSED - Macie started running the job but additional processing would exceed the monthly sensitive data discovery quota for your account or one or more member accounts that the job analyzes data for.
RUNNING - For a one-time job, the job is in progress. For a recurring job, a scheduled run is in progress.
USER_PAUSED - You paused the job. If you paused the job while it had a status of RUNNING and you don't resume it within 30 days of pausing it, the job or job run will expire and be cancelled, depending on the job's type. To check the expiration date, refer to the UserPausedDetails.jobExpiresAt property.
String jobType
The schedule for running the job. Possible values are:
ONE_TIME - The job runs only once.
SCHEDULED - The job runs on a daily, weekly, or monthly basis.
LastRunErrorStatus lastRunErrorStatus
Specifies whether any account- or bucket-level access errors occurred when the job ran. For a recurring job, this value indicates the error status of the job's most recent run.
String name
The custom name of the job.
UserPausedDetails userPausedDetails
If the current status of the job is USER_PAUSED, specifies when the job was paused and when the job or job run will expire and be cancelled if it isn't resumed. This value is present only if the value for jobStatus is USER_PAUSED.
String key
One part of a key-value pair that comprises a tag. A tag key is a general label that acts as a category for more specific tag values.
String value
One part of a key-value pair that comprises a tag. A tag value acts as a descriptor for a tag key. A tag value can be an empty string.
String code
Specifies whether any account- or bucket-level access errors occurred when the job ran. For a recurring job, this value indicates the error status of the job's most recent run. Possible values are:
ERROR - One or more errors occurred. Amazon Macie didn't process all the data specified for the job.
NONE - No errors occurred. Macie processed all the data specified for the job.
ListJobsFilterCriteria filterCriteria
The criteria to use to filter the results.
Integer maxResults
The maximum number of items to include in each page of the response.
String nextToken
The nextToken string that specifies which page of results to return in a paginated response.
ListJobsSortCriteria sortCriteria
The criteria to use to sort the results.
List<E> classificationScopes
An array that specifies the unique identifier and name of the classification scope for the account.
String nextToken
The string to use in a subsequent request to get the next page of results in a paginated response. This value is null if there are no additional pages.
List<E> findingsFilterListItems
An array of objects, one for each filter that's associated with the account.
String nextToken
The string to use in a subsequent request to get the next page of results in a paginated response. This value is null if there are no additional pages.
FindingCriteria findingCriteria
The criteria to use to filter the results.
Integer maxResults
The maximum number of items to include in each page of the response.
String nextToken
The nextToken string that specifies which page of results to return in a paginated response.
SortCriteria sortCriteria
The criteria to use to sort the results.
List<E> findingIds
An array of strings, where each string is the unique identifier for a finding that matches the filter criteria specified in the request.
String nextToken
The string to use in a subsequent request to get the next page of results in a paginated response. This value is null if there are no additional pages.
String attributeName
The property to sort the results by.
String orderBy
The sort order to apply to the results, based on the value for the property specified by the attributeName property. Valid values are: ASC, sort the results in ascending order; and, DESC, sort the results in descending order.
String nextToken
The nextToken string that specifies which page of results to return in a paginated response.
Integer maxResults
The maximum number of items to include in each page of a paginated response.
String nextToken
The nextToken string that specifies which page of results to return in a paginated response.
String onlyAssociated
Specifies which accounts to include in the response, based on the status of an account's relationship with the administrator account. By default, the response includes only current member accounts. To include all accounts, set this value to false.
List<E> members
An array of objects, one for each account that's associated with the administrator account and matches the criteria specified in the request.
String nextToken
The string to use in a subsequent request to get the next page of results in a paginated response. This value is null if there are no additional pages.
List<E> adminAccounts
An array of objects, one for each delegated Amazon Macie administrator account for the organization. Only one of these accounts can have a status of ENABLED.
String nextToken
The string to use in a subsequent request to get the next page of results in a paginated response. This value is null if there are no additional pages.
List<E> artifacts
An array of objects, one for each of 1-100 S3 objects that Amazon Macie selected for analysis.
If Macie has analyzed more than 100 objects in the bucket, Macie populates the array based on the value for the ResourceProfileArtifact.sensitive field for an object: true (sensitive), followed by false (not sensitive). Macie then populates any remaining items in the array with information about objects where the value for the ResourceProfileArtifact.classificationResultStatus field is SKIPPED.
String nextToken
The string to use in a subsequent request to get the next page of results in a paginated response. This value is null if there are no additional pages.
Integer maxResults
The maximum number of items to include in each page of a paginated response.
String nextToken
The nextToken string that specifies which page of results to return in a paginated response.
String resourceArn
The Amazon Resource Name (ARN) of the S3 bucket that the request applies to.
List<E> detections
An array of objects, one for each type of sensitive data that Amazon Macie found in the bucket. Each object reports the number of occurrences of the specified type and provides information about the custom data identifier or managed data identifier that detected the data.
String nextToken
The string to use in a subsequent request to get the next page of results in a paginated response. This value is null if there are no additional pages.
String nextToken
The string to use in a subsequent request to get the next page of results in a paginated response. This value is null if there are no additional pages.
List<E> sensitivityInspectionTemplates
An array that specifies the unique identifier and name of the sensitivity inspection template for the account.
String resourceArn
The Amazon Resource Name (ARN) of the resource.
String category
The category of sensitive data that the managed data identifier detects: CREDENTIALS, for credentials data such as private keys or Amazon Web Services secret access keys; FINANCIAL_INFORMATION, for financial data such as credit card numbers; or, PERSONAL_INFORMATION, for personal health information, such as health insurance identification numbers, or personally identifiable information, such as passport numbers.
String id
The unique identifier for the managed data identifier. This is a string that describes the type of sensitive data that the managed data identifier detects. For example: OPENSSH_PRIVATE_KEY for OpenSSH private keys, CREDIT_CARD_NUMBER for credit card numbers, or USA_PASSPORT_NUMBER for US passport numbers.
String accountId
The unique identifier for the Amazon Web Services account that owns the bucket.
String bucketName
The name of the bucket.
Long classifiableObjectCount
The total number of objects that Amazon Macie can analyze in the bucket. These objects use a supported storage class and have a file name extension for a supported file or storage format.
Long classifiableSizeInBytes
The total storage size, in bytes, of the objects that Amazon Macie can analyze in the bucket. These objects use a supported storage class and have a file name extension for a supported file or storage format.
If versioning is enabled for the bucket, Macie calculates this value based on the size of the latest version of each applicable object in the bucket. This value doesn't reflect the storage size of all versions of each applicable object in the bucket.
String errorCode
The error code for an error that prevented Amazon Macie from retrieving and processing information about the bucket and the bucket's objects. If this value is ACCESS_DENIED, Macie doesn't have permission to retrieve the information. For example, the bucket has a restrictive bucket policy and Amazon S3 denied the request. If this value is null, Macie was able to retrieve and process the information.
String errorMessage
A brief description of the error (errorCode) that prevented Amazon Macie from retrieving and processing information about the bucket and the bucket's objects. This value is null if Macie was able to retrieve and process the information.
JobDetails jobDetails
Specifies whether any one-time or recurring classification jobs are configured to analyze objects in the bucket, and, if so, the details of the job that ran most recently.
Date lastAutomatedDiscoveryTime
The date and time, in UTC and extended ISO 8601 format, when Amazon Macie most recently analyzed data in the bucket while performing automated sensitive data discovery for your account. This value is null if automated sensitive data discovery is currently disabled for your account.
Long objectCount
The total number of objects in the bucket.
ObjectCountByEncryptionType objectCountByEncryptionType
The total number of objects in the bucket, grouped by server-side encryption type. This includes a grouping that reports the total number of objects that aren't encrypted or use client-side encryption.
Integer sensitivityScore
The current sensitivity score for the bucket, ranging from -1 (classification error) to 100 (sensitive). This value is null if automated sensitive data discovery is currently disabled for your account.
Long sizeInBytes
The total storage size, in bytes, of the bucket.
If versioning is enabled for the bucket, Amazon Macie calculates this value based on the size of the latest version of each object in the bucket. This value doesn't reflect the storage size of all versions of each object in the bucket.
Long sizeInBytesCompressed
The total storage size, in bytes, of the objects that are compressed (.gz, .gzip, .zip) files in the bucket.
If versioning is enabled for the bucket, Amazon Macie calculates this value based on the size of the latest version of each applicable object in the bucket. This value doesn't reflect the storage size of all versions of each applicable object in the bucket.
ObjectLevelStatistics unclassifiableObjectCount
The total number of objects that Amazon Macie can't analyze in the bucket. These objects don't use a supported storage class or don't have a file name extension for a supported file or storage format.
ObjectLevelStatistics unclassifiableObjectSizeInBytes
The total storage size, in bytes, of the objects that Amazon Macie can't analyze in the bucket. These objects don't use a supported storage class or don't have a file name extension for a supported file or storage format.
MatchingBucket matchingBucket
The details of an S3 bucket that Amazon Macie monitors and analyzes.
String accountId
The Amazon Web Services account ID for the account.
String administratorAccountId
The Amazon Web Services account ID for the administrator account.
String arn
The Amazon Resource Name (ARN) of the account.
String email
The email address for the account. This value is null if the account is associated with the administrator account through Organizations.
Date invitedAt
The date and time, in UTC and extended ISO 8601 format, when an Amazon Macie membership invitation was last sent to the account. This value is null if a Macie membership invitation hasn't been sent to the account.
String masterAccountId
(Deprecated) The Amazon Web Services account ID for the administrator account. This property has been replaced by the administratorAccountId property and is retained only for backward compatibility.
String relationshipStatus
The current status of the relationship between the account and the administrator account.
Map<K,V> tags
A map of key-value pairs that specifies which tags (keys and values) are associated with the account in Amazon Macie.
Date updatedAt
The date and time, in UTC and extended ISO 8601 format, of the most recent change to the status of the relationship between the account and the administrator account.
Integer dayOfMonth
The numeric day of the month when Amazon Macie runs the job. This value can be an integer from 1 through 31.
If this value exceeds the number of days in a certain month, Macie doesn't run the job that month. Macie runs the job only during months that have the specified day. For example, if this value is 31 and a month has only 30 days, Macie doesn't run the job that month. To run the job every month, specify a value that's less than 29.
Long customerManaged
The total number of objects that are encrypted with a customer-provided key. The objects use customer-provided server-side encryption (SSE-C).
Long kmsManaged
The total number of objects that are encrypted with an KMS key, either an Amazon Web Services managed key or a customer managed key. The objects use KMS encryption (SSE-KMS).
Long s3Managed
The total number of objects that are encrypted with an Amazon S3 managed key. The objects use Amazon S3 managed encryption (SSE-S3).
Long unencrypted
The total number of objects that use client-side encryption or aren't encrypted.
Long unknown
The total number of objects that Amazon Macie doesn't have current encryption metadata for. Macie can't provide current data about the encryption settings for these objects.
Long fileType
The total storage size (in bytes) or number of objects that Amazon Macie can't analyze because the objects don't have a file name extension for a supported file or storage format.
Long storageClass
The total storage size (in bytes) or number of objects that Amazon Macie can't analyze because the objects use an unsupported storage class.
Long total
The total storage size (in bytes) or number of objects that Amazon Macie can't analyze because the objects use an unsupported storage class or don't have a file name extension for a supported file or storage format.
List<E> cells
An array of objects, one for each occurrence of sensitive data in a Microsoft Excel workbook, CSV file, or TSV file. This value is null for all other types of files.
Each Cell object specifies a cell or field that contains the sensitive data.
List<E> lineRanges
An array of objects, one for each occurrence of sensitive data in an email message or a non-binary text file such as an HTML, TXT, or XML file. Each Range object specifies a line or inclusive range of lines that contains the sensitive data, and the position of the data on the specified line or lines.
This value is often null for file types that are supported by Cell, Page, or Record objects. Exceptions are the location of sensitive data in: unstructured sections of an otherwise structured file, such as a comment in a file; a malformed file that Amazon Macie analyzes as plain text; and, a CSV or TSV file that has any column names that contain sensitive data.
List<E> offsetRanges
Reserved for future use.
List<E> pages
An array of objects, one for each occurrence of sensitive data in an Adobe Portable Document Format file. This value is null for all other types of files.
Each Page object specifies a page that contains the sensitive data.
List<E> records
An array of objects, one for each occurrence of sensitive data in an Apache Avro object container, Apache Parquet file, JSON file, or JSON Lines file. This value is null for all other types of files.
For an Avro object container or Parquet file, each Record object specifies a record index and the path to a field in a record that contains the sensitive data. For a JSON or JSON Lines file, each Record object specifies the path to a field or array that contains the sensitive data. For a JSON Lines file, it also specifies the index of the line that contains the data.
FindingAction action
The action that produced the finding.
FindingActor actor
The entity that performed the action that produced the finding.
ClassificationExportConfiguration configuration
The location to store data classification results in, and the encryption settings to use when storing results in that location.
ClassificationExportConfiguration configuration
The location where the data classification results are stored, and the encryption settings that are used when storing results in that location.
String clientToken
A unique, case-sensitive token that you provide to ensure the idempotency of the request.
SecurityHubConfiguration securityHubConfiguration
The configuration settings that determine which findings to publish to Security Hub.
Long end
The number of lines from the beginning of the file to the end of the sensitive data.
Long start
The number of lines from the beginning of the file to the beginning of the sensitive data.
Long startColumn
The number of characters, with spaces and starting from 1, from the beginning of the first line that contains the sensitive data (start) to the beginning of the sensitive data.
String jsonPath
The path, as a JSONPath expression, to the sensitive data. For an Avro object container or Parquet file, this is the path to the field in the record (recordIndex) that contains the data. For a JSON or JSON Lines file, this is the path to the field or array that contains the data. If the data is a value in an array, the path also indicates which value contains the data.
If Amazon Macie detects sensitive data in the name of any element in the path, Macie omits this field. If the name of an element exceeds 240 characters, Macie truncates the name by removing characters from the beginning of the name. If the resulting full path exceeds 250 characters, Macie also truncates the path, starting with the first element in the path, until the path contains 250 or fewer characters.
Long recordIndex
For an Avro object container or Parquet file, the record index, starting from 0, for the record that contains the sensitive data. For a JSON Lines file, the line index, starting from 0, for the line that contains the sensitive data. This value is always 0 for JSON files.
Boolean replicated
Specifies whether the bucket is configured to replicate one or more objects to any destination.
Boolean replicatedExternally
Specifies whether the bucket is configured to replicate one or more objects to a bucket for an Amazon Web Services account that isn't part of your Amazon Macie organization. An Amazon Macie organization is a set of Macie accounts that are centrally managed as a group of related accounts through Organizations or by Macie invitation.
List<E> replicationAccounts
An array of Amazon Web Services account IDs, one for each Amazon Web Services account that owns a bucket that the bucket is configured to replicate one or more objects to.
String arn
The Amazon Resource Name (ARN) of the object.
String classificationResultStatus
The status of the analysis. Possible values are:
COMPLETE - Amazon Macie successfully completed its analysis of the object.
PARTIAL - Macie analyzed only a subset of data in the object. For example, the object is an archive file that contains files in an unsupported format.
SKIPPED - Macie wasn't able to analyze the object. For example, the object is a malformed file.
Boolean sensitive
Specifies whether Amazon Macie found sensitive data in the object.
Long totalBytesClassified
The total amount of data, in bytes, that Amazon Macie has analyzed in the bucket.
Long totalDetections
The total number of occurrences of sensitive data that Amazon Macie has found in the bucket's objects. This includes occurrences that are currently suppressed by the sensitivity scoring settings for the bucket (totalDetectionsSuppressed).
Long totalDetectionsSuppressed
The total number of occurrences of sensitive data that are currently suppressed by the sensitivity scoring settings for the bucket. These represent occurrences of sensitive data that Amazon Macie found in the bucket's objects, but the occurrences were manually suppressed. By default, suppressed occurrences are excluded from the bucket's sensitivity score.
Long totalItemsClassified
The total number of objects that Amazon Macie has analyzed in the bucket.
Long totalItemsSensitive
The total number of the bucket's objects that Amazon Macie has found sensitive data in.
Long totalItemsSkipped
The total number of objects that Amazon Macie wasn't able to analyze in the bucket due to an object-level issue or error. For example, an object is a malformed file. This value includes objects that Macie wasn't able to analyze for reasons reported by other statistics in the ResourceStatistics object.
Long totalItemsSkippedInvalidEncryption
The total number of objects that Amazon Macie wasn't able to analyze in the bucket because the objects are encrypted with a key that Macie can't access. The objects use server-side encryption with customer-provided keys (SSE-C).
Long totalItemsSkippedInvalidKms
The total number of objects that Amazon Macie wasn't able to analyze in the bucket because the objects are encrypted with KMS keys that were disabled, are scheduled for deletion, or were deleted.
Long totalItemsSkippedPermissionDenied
The total number of objects that Amazon Macie wasn't able to analyze in the bucket due to the permissions settings for the objects or the permissions settings for the keys that were used to encrypt the objects.
String externalId
The external ID to specify in the trust policy for the IAM role to assume when retrieving sensitive data from affected S3 objects (roleName). The trust policy must include an sts:ExternalId condition that requires this ID.
This ID is a unique alphanumeric string that Amazon Macie generates automatically after you configure it to assume a role. This value is null if the value for retrievalMode is CALLER_CREDENTIALS.
String retrievalMode
The access method that's used when retrieving sensitive data from affected S3 objects. Valid values are: ASSUME_ROLE, assume an IAM role that is in the affected Amazon Web Services account and delegates access to Amazon Macie (roleName); and, CALLER_CREDENTIALS, use the credentials of the IAM user who requests the sensitive data.
String roleName
The name of the IAM role that is in the affected Amazon Web Services account and Amazon Macie is allowed to assume when retrieving sensitive data from affected S3 objects for the account. This value is null if the value for retrievalMode is CALLER_CREDENTIALS.
String kmsKeyId
The Amazon Resource Name (ARN), ID, or alias of the KMS key to use to encrypt sensitive data that's retrieved. The key must be an existing, customer managed, symmetric encryption key that's enabled in the same Amazon Web Services Region as the Amazon Macie account.
If this value specifies an alias, it must include the following prefix: alias/. If this value specifies a key that's owned by another Amazon Web Services account, it must specify the ARN of the key or the ARN of the key's alias.
String status
The status of the configuration for the Amazon Macie account. In a request, valid values are: ENABLED, enable the configuration for the account; and, DISABLED, disable the configuration for the account. In a response, possible values are: ENABLED, the configuration is currently enabled for the account; and, DISABLED, the configuration is currently disabled for the account.
String allowsUnencryptedObjectUploads
Specifies whether the bucket policy for the bucket requires server-side encryption of objects when objects are added to the bucket. Possible values are:
FALSE - The bucket policy requires server-side encryption of new objects. PutObject requests must include a valid server-side encryption header.
TRUE - The bucket doesn't have a bucket policy or it has a bucket policy that doesn't require server-side encryption of new objects. If a bucket policy exists, it doesn't require PutObject requests to include a valid server-side encryption header.
UNKNOWN - Amazon Macie can't determine whether the bucket policy requires server-side encryption of new objects.
Valid server-side encryption headers are: x-amz-server-side-encryption with a value of AES256 or aws:kms, and x-amz-server-side-encryption-customer-algorithm with a value of AES256.
String arn
The Amazon Resource Name (ARN) of the bucket.
Date createdAt
The date and time, in UTC and extended ISO 8601 format, when the bucket was created. This value can also indicate when changes such as edits to the bucket's policy were most recently made to the bucket, relative to when the finding was created or last updated.
ServerSideEncryption defaultServerSideEncryption
The default server-side encryption settings for the bucket.
String name
The name of the bucket.
S3BucketOwner owner
The display name and canonical user ID for the Amazon Web Services account that owns the bucket.
BucketPublicAccess publicAccess
The permissions settings that determine whether the bucket is publicly accessible.
List<E> tags
The tags that are associated with the bucket.
CriteriaBlockForJob excludes
The property- and tag-based conditions that determine which buckets to exclude from the job.
CriteriaBlockForJob includes
The property- and tag-based conditions that determine which buckets to include in the job.
S3ClassificationScopeExclusion excludes
The S3 buckets that are excluded.
List<E> bucketNames
Depending on the value specified for the update operation (ClassificationScopeUpdateOperation), an array of strings that: lists the names of buckets to add or remove from the list, or specifies a new set of bucket names that overwrites all existing names in the list. Each string must be the full name of an S3 bucket. Values are case sensitive.
String operation
Specifies how to apply the changes to the exclusion list. Valid values are:
ADD - Append the specified bucket names to the current list.
REMOVE - Remove the specified bucket names from the current list.
REPLACE - Overwrite the current list with the specified list of bucket names. If you specify this value, Amazon Macie removes all existing names from the list and adds all the specified names to the list.
S3ClassificationScopeExclusionUpdate excludes
The names of the S3 buckets to add or remove from the list.
String bucketName
The name of the bucket.
String keyPrefix
The path prefix to use in the path to the location in the bucket. This prefix specifies where to store classification results in the bucket.
String kmsKeyArn
The Amazon Resource Name (ARN) of the customer managed KMS key to use for encryption of the results. This must be the ARN of an existing, symmetric encryption KMS key that's enabled in the same Amazon Web Services Region as the bucket.
S3BucketCriteriaForJob bucketCriteria
The property- and tag-based conditions that determine which S3 buckets to include or exclude from the analysis. Each time the job runs, the job uses these criteria to determine which buckets contain objects to analyze. A job's definition can contain a bucketCriteria object or a bucketDefinitions array, not both.
List<E> bucketDefinitions
An array of objects, one for each Amazon Web Services account that owns specific S3 buckets to analyze. Each object specifies the account ID for an account and one or more buckets to analyze for that account. A job's definition can contain a bucketDefinitions array or a bucketCriteria object, not both.
Scoping scoping
The property- and tag-based conditions that determine which S3 objects to include or exclude from the analysis. Each time the job runs, the job uses these criteria to determine which objects to analyze.
String bucketArn
The Amazon Resource Name (ARN) of the bucket that contains the object.
String eTag
The entity tag (ETag) that identifies the affected version of the object. If the object was overwritten or changed after Amazon Macie produced the finding, this value might be different from the current ETag for the object.
String extension
The file name extension of the object. If the object doesn't have a file name extension, this value is "".
String key
The full name (key) of the object, including the object's prefix if applicable.
Date lastModified
The date and time, in UTC and extended ISO 8601 format, when the object was last modified.
String path
The full path to the affected object, including the name of the affected bucket and the object's name (key).
Boolean publicAccess
Specifies whether the object is publicly accessible due to the combination of permissions settings that apply to the object.
ServerSideEncryption serverSideEncryption
The type of server-side encryption that was used to encrypt the object.
Long size
The total storage size, in bytes, of the object.
String storageClass
The storage class of the object.
List<E> tags
The tags that are associated with the object.
String versionId
The identifier for the affected version of the object.
JobScopingBlock excludes
The property- and tag-based conditions that determine which objects to exclude from the analysis.
JobScopingBlock includes
The property- and tag-based conditions that determine which objects to include in the analysis.
SearchResourcesCriteriaBlock excludes
The property- and tag-based conditions that determine which buckets to exclude from the results.
SearchResourcesCriteriaBlock includes
The property- and tag-based conditions that determine which buckets to include in the results.
SearchResourcesSimpleCriterion simpleCriterion
A property-based condition that defines a property, operator, and one or more values for including or excluding resources from the results.
SearchResourcesTagCriterion tagCriterion
A tag-based condition that defines an operator and tag keys, tag values, or tag key and value pairs for including or excluding resources from the results.
SearchResourcesBucketCriteria bucketCriteria
The filter conditions that determine which S3 buckets to include or exclude from the query results.
Integer maxResults
The maximum number of items to include in each page of the response. The default value is 50.
String nextToken
The nextToken string that specifies which page of results to return in a paginated response.
SearchResourcesSortCriteria sortCriteria
The criteria to use to sort the results.
List<E> matchingResources
An array of objects, one for each resource that matches the filter criteria specified in the request.
String nextToken
The string to use in a subsequent request to get the next page of results in a paginated response. This value is null if there are no additional pages.
String comparator
The operator to use in the condition. Valid values are EQ (equals) and NE (not equals).
String key
The property to use in the condition.
List<E> values
An array that lists one or more values to use in the condition. If you specify multiple values, Amazon Macie uses OR logic to join the values. Valid values for each supported property (key) are:
ACCOUNT_ID - A string that represents the unique identifier for the Amazon Web Services account that owns the resource.
S3_BUCKET_EFFECTIVE_PERMISSION - A string that represents an enumerated value that Macie defines for the BucketPublicAccess.effectivePermission property of an S3 bucket.
S3_BUCKET_NAME - A string that represents the name of an S3 bucket.
S3_BUCKET_SHARED_ACCESS - A string that represents an enumerated value that Macie defines for the BucketMetadata.sharedAccess property of an S3 bucket.
Values are case sensitive. Also, Macie doesn't support use of partial values or wildcard characters in values.
String attributeName
The property to sort the results by.
String orderBy
The sort order to apply to the results, based on the value for the property specified by the attributeName property. Valid values are: ASC, sort the results in ascending order; and, DESC, sort the results in descending order.
Boolean publishClassificationFindings
Specifies whether to publish sensitive data findings to Security Hub. If you set this value to true, Amazon Macie automatically publishes all sensitive data findings that weren't suppressed by a findings filter. The default value is false.
Boolean publishPolicyFindings
Specifies whether to publish policy findings to Security Hub. If you set this value to true, Amazon Macie automatically publishes all new and updated policy findings that weren't suppressed by a findings filter. The default value is true.
String category
The category of sensitive data that was detected. For example: CREDENTIALS, for credentials data such as private keys or Amazon Web Services secret access keys; FINANCIAL_INFORMATION, for financial data such as credit card numbers; or, PERSONAL_INFORMATION, for personal health information, such as health insurance identification numbers, or personally identifiable information, such as passport numbers.
List<E> detections
An array of objects, one for each type of sensitive data that was detected. Each object reports the number of occurrences of a specific type of sensitive data that was detected, and the location of up to 15 of those occurrences.
Long totalCount
The total number of occurrences of the sensitive data that was detected.
Long classifiableSizeInBytes
The total storage size, in bytes, of all the objects that Amazon Macie can analyze in the buckets. These objects use a supported storage class and have a file name extension for a supported file or storage format.
If versioning is enabled for any of the buckets, this value is based on the size of the latest version of each applicable object in the buckets. This value doesn't reflect the storage size of all versions of all applicable objects in the buckets.
Long publiclyAccessibleCount
The total number of buckets that are publicly accessible due to a combination of permissions settings for each bucket.
Long totalCount
The total number of buckets.
Long totalSizeInBytes
The total storage size, in bytes, of the buckets.
If versioning is enabled for any of the buckets, this value is based on the size of the latest version of each object in the buckets. This value doesn't reflect the storage size of all versions of the objects in the buckets.
List<E> allowListIds
An array of unique identifiers, one for each allow list to include.
List<E> customDataIdentifierIds
An array of unique identifiers, one for each custom data identifier to include.
List<E> managedDataIdentifierIds
An array of unique identifiers, one for each managed data identifier to include.
Amazon Macie uses these managed data identifiers in addition to managed data identifiers that are subsequently released and recommended for automated sensitive data discovery. To retrieve a list of valid values for the managed data identifiers that are currently available, use the ListManagedDataIdentifiers operation.
String encryptionType
The server-side encryption algorithm that's used when storing data in the bucket or object. If default encryption settings aren't configured for the bucket or the object isn't encrypted using server-side encryption, this value is NONE.
String kmsMasterKeyId
The Amazon Resource Name (ARN) or unique identifier (key ID) for the KMS key that's used to encrypt data in the bucket or the object. This value is null if an KMS key isn't used to encrypt the data.
Boolean isServiceLimited
Specifies whether the account has met the quota that corresponds to the metric specified by the UsageByAccount.type field in the response.
String unit
The unit of measurement for the value specified by the value field.
Long value
The value for the metric specified by the UsageByAccount.type field in the response.
SessionContextAttributes attributes
The date and time when the credentials were issued, and whether the credentials were authenticated with a multi-factor authentication (MFA) device.
SessionIssuer sessionIssuer
The source and type of credentials that were issued to the entity.
String accountId
The unique identifier for the Amazon Web Services account that owns the entity that was used to get the credentials.
String arn
The Amazon Resource Name (ARN) of the source account, Identity and Access Management (IAM) user, or role that was used to get the credentials.
String principalId
The unique identifier for the entity that was used to get the credentials.
String type
The source of the temporary security credentials, such as Root, IAMUser, or Role.
String userName
The name or alias of the user or role that issued the session. This value is null if the credentials were obtained from a root account that doesn't have an alias.
Long occurrencesThreshold
The minimum number of occurrences of text that must match the custom data identifier's detection criteria in order to produce a finding with the specified severity (severity).
String severity
The severity to assign to a finding: if the number of occurrences is greater than or equal to the specified threshold (occurrencesThreshold); and, if applicable, the number of occurrences is less than the threshold for the next consecutive severity level for the custom data identifier, moving from LOW to HIGH.
String comparator
The operator to use in the condition. Valid values are EQ (equals) and NE (not equals).
String key
The property to use in the condition.
List<E> values
An array that lists one or more values to use in the condition. If you specify multiple values, Amazon Macie uses OR logic to join the values. Valid values for each supported property (key) are:
ACCOUNT_ID - A string that represents the unique identifier for the Amazon Web Services account that owns the bucket.
S3_BUCKET_EFFECTIVE_PERMISSION - A string that represents an enumerated value that Macie defines for the BucketPublicAccess.effectivePermission property of a bucket.
S3_BUCKET_NAME - A string that represents the name of a bucket.
S3_BUCKET_SHARED_ACCESS - A string that represents an enumerated value that Macie defines for the BucketMetadata.sharedAccess property of a bucket.
Values are case sensitive. Also, Macie doesn't support use of partial values or wildcard characters in these values.
String comparator
The operator to use in the condition. Valid values for each supported property (key) are:
OBJECT_EXTENSION - EQ (equals) or NE (not equals)
OBJECT_KEY - STARTS_WITH
OBJECT_LAST_MODIFIED_DATE - EQ (equals), GT (greater than), GTE (greater than or equals), LT (less than), LTE (less than or equals), or NE (not equals)
OBJECT_SIZE - EQ (equals), GT (greater than), GTE (greater than or equals), LT (less than), LTE (less than or equals), or NE (not equals)
String key
The object property to use in the condition.
List<E> values
An array that lists the values to use in the condition. If the value for the key property is OBJECT_EXTENSION or OBJECT_KEY, this array can specify multiple values and Amazon Macie uses OR logic to join the values. Otherwise, this array can specify only one value.
Valid values for each supported property (key) are:
OBJECT_EXTENSION - A string that represents the file name extension of an object. For example: docx or pdf
OBJECT_KEY - A string that represents the key prefix (folder name or path) of an object. For example: logs or awslogs/eventlogs. This value applies a condition to objects whose keys (names) begin with the specified value.
OBJECT_LAST_MODIFIED_DATE - The date and time (in UTC and extended ISO 8601 format) when an object was created or last changed, whichever is latest. For example: 2023-09-24T14:31:13Z
OBJECT_SIZE - An integer that represents the storage size (in bytes) of an object.
Macie doesn't support use of wildcard characters in these values. Also, string values are case sensitive.
String attributeName
The name of the property to sort the results by. Valid values are: count, createdAt, policyDetails.action.apiCallDetails.firstSeen, policyDetails.action.apiCallDetails.lastSeen, resourcesAffected, severity.score, type, and updatedAt.
String orderBy
The sort order to apply to the results, based on the value for the property specified by the attributeName property. Valid values are: ASC, sort the results in ascending order; and, DESC, sort the results in descending order.
String id
The unique identifier for the custom data identifier or managed data identifier that detected the type of sensitive data to exclude or include in the score.
String type
The type of data identifier that detected the sensitive data. Possible values are: CUSTOM, for a custom data identifier; and, MANAGED, for a managed data identifier.
String resourceArn
The Amazon Resource Name (ARN) of the resource.
Map<K,V> tags
A map of key-value pairs that specifies the tags to associate with the resource.
A resource can have a maximum of 50 tags. Each tag consists of a tag key and an associated tag value. The maximum length of a tag key is 128 characters. The maximum length of a tag value is 256 characters.
String comparator
The operator to use in the condition. Valid values are EQ (equals) or NE (not equals).
String key
The object property to use in the condition. The only valid value is TAG.
List<E> tagValues
The tag keys or tag key and value pairs to use in the condition. To specify only tag keys in a condition, specify the keys in this array and set the value for each associated tag value to an empty string.
String target
The type of object to apply the condition to.
List<E> ignoreWords
An array that lists specific character sequences (ignore words) to exclude from the results. If the text matched by the regular expression contains any string in this array, Amazon Macie ignores it. The array can contain as many as 10 ignore words. Each ignore word can contain 4-90 UTF-8 characters. Ignore words are case sensitive.
List<E> keywords
An array that lists specific character sequences (keywords), one of which must precede and be within proximity (maximumMatchDistance) of the regular expression to match. The array can contain as many as 50 keywords. Each keyword can contain 3-90 UTF-8 characters. Keywords aren't case sensitive.
Integer maximumMatchDistance
The maximum number of characters that can exist between the end of at least one complete character sequence specified by the keywords array and the end of the text that matches the regex pattern. If a complete keyword precedes all the text that matches the pattern and the keyword is within the specified distance, Amazon Macie includes the result. The distance can be 1-300 characters. The default value is 50.
String regex
The regular expression (regex) that defines the pattern to match. The expression can contain as many as 512 characters.
String sampleText
The sample text to inspect by using the custom data identifier. The text can contain as many as 1,000 characters.
Integer matchCount
The number of occurrences of sample text that matched the criteria specified by the custom data identifier.
AllowListCriteria criteria
The criteria that specify the text or text pattern to ignore. The criteria can be the location and name of an S3 object that lists specific text to ignore (s3WordsList), or a regular expression that defines a text pattern to ignore (regex).
You can change a list's underlying criteria, such as the name of the S3 object or the regular expression to use. However, you can't change the type from s3WordsList to regex or the other way around.
String description
A custom description of the allow list. The description can contain as many as 512 characters.
String id
The unique identifier for the Amazon Macie resource that the request applies to.
String name
A custom name for the allow list. The name can contain as many as 128 characters.
String status
The new status of automated sensitive data discovery for the account. Valid values are: ENABLED, start or resume automated sensitive data discovery activities for the account; and, DISABLED, stop performing automated sensitive data discovery activities for the account.
When you enable automated sensitive data discovery for the first time, Amazon Macie uses default configuration settings to determine which data sources to analyze and which managed data identifiers to use. To change these settings, use the UpdateClassificationScope and UpdateSensitivityInspectionTemplate operations, respectively. If you change the settings and subsequently disable the configuration, Amazon Macie retains your changes.
String jobId
The unique identifier for the classification job.
String jobStatus
The new status for the job. Valid values are:
CANCELLED - Stops the job permanently and cancels it. This value is valid only if the job's current status is IDLE, PAUSED, RUNNING, or USER_PAUSED.
If you specify this value and the job's current status is RUNNING, Amazon Macie immediately begins to stop all processing tasks for the job. You can't resume or restart a job after you cancel it.
RUNNING - Resumes the job. This value is valid only if the job's current status is USER_PAUSED.
If you paused the job while it was actively running and you specify this value less than 30 days after you paused the job, Macie immediately resumes processing from the point where you paused the job. Otherwise, Macie resumes the job according to the schedule and other settings for the job.
USER_PAUSED - Pauses the job temporarily. This value is valid only if the job's current status is IDLE, PAUSED, or RUNNING. If you specify this value and the job's current status is RUNNING, Macie immediately begins to pause all processing tasks for the job.
If you pause a one-time job and you don't resume it within 30 days, the job expires and Macie cancels the job. If you pause a recurring job when its status is RUNNING and you don't resume it within 30 days, the job run expires and Macie cancels the run. To check the expiration date, refer to the UserPausedDetails.jobExpiresAt property.
String id
The unique identifier for the Amazon Macie resource that the request applies to.
S3ClassificationScopeUpdate s3
The S3 buckets to add or remove from the exclusion list defined by the classification scope.
String action
The action to perform on findings that match the filter criteria (findingCriteria). Valid values are: ARCHIVE, suppress (automatically archive) the findings; and, NOOP, don't perform any action on the findings.
String clientToken
A unique, case-sensitive token that you provide to ensure the idempotency of the request.
String description
A custom description of the filter. The description can contain as many as 512 characters.
We strongly recommend that you avoid including any sensitive data in the description of a filter. Other users of your account might be able to see this description, depending on the actions that they're allowed to perform in Amazon Macie.
FindingCriteria findingCriteria
The criteria to use to filter findings.
String id
The unique identifier for the Amazon Macie resource that the request applies to.
String name
A custom name for the filter. The name must contain at least 3 characters and can contain as many as 64 characters.
We strongly recommend that you avoid including any sensitive data in the name of a filter. Other users of your account might be able to see this name, depending on the actions that they're allowed to perform in Amazon Macie.
Integer position
The position of the filter in the list of saved filters on the Amazon Macie console. This value also determines the order in which the filter is applied to findings, relative to other filters that are also applied to the findings.
String findingPublishingFrequency
Specifies how often to publish updates to policy findings for the account. This includes publishing updates to Security Hub and Amazon EventBridge (formerly Amazon CloudWatch Events).
String status
Specifies a new status for the account. Valid values are: ENABLED, resume all Amazon Macie activities for the account; and, PAUSED, suspend all Macie activities for the account.
Boolean autoEnable
Specifies whether to enable Amazon Macie automatically for an account when the account is added to the organization in Organizations.
String resourceArn
The Amazon Resource Name (ARN) of the S3 bucket that the request applies to.
List<E> suppressDataIdentifiers
An array of objects, one for each custom data identifier or managed data identifier that detected the type of sensitive data to start excluding or including in the bucket's score. To start including all sensitive data types in the score, don't specify any values for this array.
String resourceArn
The Amazon Resource Name (ARN) of the S3 bucket that the request applies to.
Integer sensitivityScoreOverride
The new sensitivity score for the bucket. Valid values are: 100, assign the maximum score and apply the Sensitive label to the bucket; and, null (empty), assign a score that Amazon Macie calculates automatically after you submit the request.
String retrievalMode
The access method to use when retrieving sensitive data from affected S3 objects. Valid values are: ASSUME_ROLE, assume an IAM role that is in the affected Amazon Web Services account and delegates access to Amazon Macie; and, CALLER_CREDENTIALS, use the credentials of the IAM user who requests the sensitive data. If you specify ASSUME_ROLE, also specify the name of an existing IAM role for Macie to assume (roleName).
If you change this value from ASSUME_ROLE to CALLER_CREDENTIALS for an existing configuration, Macie permanently deletes the external ID and role name currently specified for the configuration. These settings can't be recovered after they're deleted.
String roleName
The name of the IAM role that is in the affected Amazon Web Services account and Amazon Macie is allowed to assume when retrieving sensitive data from affected S3 objects for the account. The trust and permissions policies for the role must meet all requirements for Macie to assume the role.
RevealConfiguration configuration
The KMS key to use to encrypt the sensitive data, and the status of the configuration for the Amazon Macie account.
UpdateRetrievalConfiguration retrievalConfiguration
The access method and settings to use to retrieve the sensitive data.
RevealConfiguration configuration
The KMS key to use to encrypt the sensitive data, and the status of the configuration for the Amazon Macie account.
RetrievalConfiguration retrievalConfiguration
The access method and settings to use to retrieve the sensitive data.
String description
A custom description of the template. The description can contain as many as 200 characters.
SensitivityInspectionTemplateExcludes excludes
The managed data identifiers to explicitly exclude (not use) when analyzing data.
To exclude an allow list or custom data identifier that's currently included by the template, update the values for the SensitivityInspectionTemplateIncludes.allowListIds and SensitivityInspectionTemplateIncludes.customDataIdentifierIds properties, respectively.
String id
The unique identifier for the Amazon Macie resource that the request applies to.
SensitivityInspectionTemplateIncludes includes
The allow lists, custom data identifiers, and managed data identifiers to explicitly include (use) when analyzing data.
String currency
The type of currency that the value for the metric (estimatedCost) is reported in.
String estimatedCost
The estimated value for the metric.
ServiceLimit serviceLimit
The current value for the quota that corresponds to the metric specified by the type field.
String type
The name of the metric. Possible values are: AUTOMATED_OBJECT_MONITORING, to monitor S3 objects for automated sensitive data discovery; AUTOMATED_SENSITIVE_DATA_DISCOVERY, to analyze S3 objects for automated sensitive data discovery; DATA_INVENTORY_EVALUATION, to monitor S3 buckets; and, SENSITIVE_DATA_DISCOVERY, to run classification jobs.
String accountId
The unique identifier for the Amazon Web Services account that the data applies to.
Date automatedDiscoveryFreeTrialStartDate
The date and time, in UTC and extended ISO 8601 format, when the free trial of automated sensitive data discovery started for the account. If the account is a member account in an organization, this value is the same as the value for the organization's Amazon Macie administrator account.
Date freeTrialStartDate
The date and time, in UTC and extended ISO 8601 format, when the Amazon Macie free trial started for the account.
List<E> usage
An array of objects that contains usage data and quotas for the account. Each object contains the data for a specific usage metric and the corresponding quota.
String comparator
The operator to use in the condition. If the value for the key property is accountId, this value must be CONTAINS. If the value for the key property is any other supported field, this value can be EQ, GT, GTE, LT, LTE, or NE.
String key
The field to use in the condition.
List<E> values
An array that lists values to use in the condition, based on the value for the field specified by the key property. If the value for the key property is accountId, this array can specify multiple values. Otherwise, this array can specify only one value.
Valid values for each supported field are:
accountId - The unique identifier for an Amazon Web Services account.
freeTrialStartDate - The date and time, in UTC and extended ISO 8601 format, when the Amazon Macie free trial started for an account.
serviceLimit - A Boolean (true or false) value that indicates whether an account has reached its monthly quota.
total - A string that represents the current estimated cost for an account.
String currency
The type of currency that the value for the metric (estimatedCost) is reported in.
String estimatedCost
The estimated value for the metric.
String type
The name of the metric. Possible values are: AUTOMATED_OBJECT_MONITORING, to monitor S3 objects for automated sensitive data discovery; AUTOMATED_SENSITIVE_DATA_DISCOVERY, to analyze S3 objects for automated sensitive data discovery; DATA_INVENTORY_EVALUATION, to monitor S3 buckets; and, SENSITIVE_DATA_DISCOVERY, to run classification jobs.
AssumedRole assumedRole
If the action was performed with temporary security credentials that were obtained using the AssumeRole operation of the Security Token Service (STS) API, the identifiers, session context, and other details about the identity.
AwsAccount awsAccount
If the action was performed using the credentials for another Amazon Web Services account, the details of that account.
AwsService awsService
If the action was performed by an Amazon Web Services account that belongs to an Amazon Web Service, the name of the service.
FederatedUser federatedUser
If the action was performed with temporary security credentials that were obtained using the GetFederationToken operation of the Security Token Service (STS) API, the identifiers, session context, and other details about the identity.
IamUser iamUser
If the action was performed using the credentials for an Identity and Access Management (IAM) user, the name and other details about the user.
UserIdentityRoot root
If the action was performed using the credentials for your Amazon Web Services account, the details of your account.
String type
The type of entity that performed the action.
String accountId
The unique identifier for the Amazon Web Services account.
String arn
The Amazon Resource Name (ARN) of the principal that performed the action. The last section of the ARN contains the name of the user or role that performed the action.
String principalId
The unique identifier for the entity that performed the action.
Date jobExpiresAt
The date and time, in UTC and extended ISO 8601 format, when the job or job run will expire and be cancelled if you don't resume it first.
String jobImminentExpirationHealthEventArn
The Amazon Resource Name (ARN) of the Health event that Amazon Macie sent to notify you of the job or job run's pending expiration and cancellation. This value is null if a job has been paused for less than 23 days.
Date jobPausedAt
The date and time, in UTC and extended ISO 8601 format, when you paused the job.
String dayOfWeek
The day of the week when Amazon Macie runs the job.
Copyright © 2024. All rights reserved.